环境:
Windows xp sp3
工具:
exeinfope
ollydbg
查壳:
拿到程序后查壳,发现程序无壳,为Delphi写的。
程序长成这个样
输入:
Name:GNUBD
Serial:1234567
Serial:7654321
尝试看看出现什么错误。
OD载入字符串搜索、跟随。
; 0042D3C4 - the check routine reached from the string search.  Delphi method
; convention: Self arrives in eax and is kept in ebx; [ebx+0x1E0], [ebx+0x1E4]
; and [ebx+0x1EC] are presumably the three edit boxes (Name, Serial 1, Serial 2 -
; the two compares below show which box is matched against which value).
; Globals [0x42F714] and [0x42F718] are two running sums; they are filled by the
; per-character switch at 0042CE34 (handlers listed further down the page).
0042D3C4 /. 55 push ebp
0042D3C5 |. 8BEC mov ebp,esp
0042D3C7 |. 33C9 xor ecx,ecx
0042D3C9 |. 51 push ecx ; four zeroed slots = local.1..local.4, used as string temporaries
0042D3CA |. 51 push ecx
0042D3CB |. 51 push ecx
0042D3CC |. 51 push ecx
0042D3CD |. 53 push ebx
0042D3CE |. 8BD8 mov ebx,eax ; ebx = Self
0042D3D0 |. 33C0 xor eax,eax
0042D3D2 |. 55 push ebp
0042D3D3 |. 68 ADD54200 push Cabeca.0042D5AD ; exception frame (handler 0042D5AD) linked into fs:[0]
0042D3D8 |. 64:FF30 push dword ptr fs:[eax]
0042D3DB |. 64:8920 mov dword ptr fs:[eax],esp
0042D3DE |. 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 ; sum still 0 => no letter of the name reached a switch case (e.g. an all-digit name); treated like an empty box
0042D3E5 |. 74 45 je XCabeca.0042D42C
0042D3E7 |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0 ; same test for the second sum
0042D3EE |. 74 3C je XCabeca.0042D42C
0042D3F0 |. 8D55 FC lea edx,[local.1]
0042D3F3 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042D3F9 |. E8 E2C9FEFF call Cabeca.00419DE0 ; read the 1st box's text into local.1
0042D3FE |. 837D FC 00 cmp [local.1],0x0 ; nil string pointer = empty box (Delphi empty string)
0042D402 |. 74 28 je XCabeca.0042D42C
0042D404 |. 8D55 F8 lea edx,[local.2]
0042D407 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]
0042D40D |. E8 CEC9FEFF call Cabeca.00419DE0 ; read the 2nd box's text into local.2
0042D412 |. 837D F8 00 cmp [local.2],0x0
0042D416 |. 74 14 je XCabeca.0042D42C
0042D418 |. 8D55 F4 lea edx,[local.3]
0042D41B |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]
0042D421 |. E8 BAC9FEFF call Cabeca.00419DE0 ; read the 3rd box's text into local.3
0042D426 |. 837D F4 00 cmp [local.3],0x0 ; any of the three empty -> error path below
0042D42A |. 75 44 jnz XCabeca.0042D470
0042D42C |> B8 C4D54200 mov eax,Cabeca.0042D5C4 ; ASCII "Fill all boxes first dumb!"
0042D431 |. E8 56F6FFFF call Cabeca.0042CA8C ; shows the string in eax (all three messages go through this call)
0042D436 |. 33C0 xor eax,eax
0042D438 |. A3 14F74200 mov dword ptr ds:[0x42F714],eax ; reset both sums ...
0042D43D |. 33C0 xor eax,eax
0042D43F |. A3 18F74200 mov dword ptr ds:[0x42F718],eax
0042D444 |. 33D2 xor edx,edx
0042D446 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042D44C |. E8 BFC9FEFF call Cabeca.00419E10 ; ... and clear all three boxes (edx=0 presumably means "set text to empty")
0042D451 |. 33D2 xor edx,edx
0042D453 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]
0042D459 |. E8 B2C9FEFF call Cabeca.00419E10
0042D45E |. 33D2 xor edx,edx
0042D460 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]
0042D466 |. E8 A5C9FEFF call Cabeca.00419E10
0042D46B |. E9 1A010000 jmp Cabeca.0042D58A ; to the epilogue
0042D470 |> 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 ; success path; these two zero tests repeat the ones at 0042D3DE and are redundant unless the reads above touched the sums
0042D477 |. 74 6C je XCabeca.0042D4E5
0042D479 |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0
0042D480 |. 74 63 je XCabeca.0042D4E5
0042D482 |. 8D55 F0 lea edx,[local.4]
0042D485 |. A1 14F74200 mov eax,dword ptr ds:[0x42F714]
0042D48A |. E8 C190FDFF call Cabeca.00406550 ; local.4 = decimal string of [0x42F714] (32-bit sum; whether it is printed signed or unsigned is not visible here)
0042D48F |. 8B45 F0 mov eax,[local.4]
0042D492 |. 50 push eax ; keep the expected string while the box is read
0042D493 |. 8D55 FC lea edx,[local.1]
0042D496 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]
0042D49C |. E8 3FC9FEFF call Cabeca.00419DE0 ; local.1 = text of the 2nd box (Serial 1)
0042D4A1 |. 8B55 FC mov edx,[local.1]
0042D4A4 |. 58 pop eax
0042D4A5 |. E8 2664FDFF call Cabeca.004038D0 ; string compare eax vs edx; ZF set when equal
0042D4AA |. 75 39 jnz XCabeca.0042D4E5 ; Serial 1 wrong -> second pass below
0042D4AC |. 8D55 F0 lea edx,[local.4]
0042D4AF |. A1 18F74200 mov eax,dword ptr ds:[0x42F718]
0042D4B4 |. E8 9790FDFF call Cabeca.00406550 ; local.4 = decimal string of [0x42F718]
0042D4B9 |. 8B45 F0 mov eax,[local.4]
0042D4BC |. 50 push eax
0042D4BD |. 8D55 FC lea edx,[local.1]
0042D4C0 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]
0042D4C6 |. E8 15C9FEFF call Cabeca.00419DE0 ; local.1 = text of the 3rd box (Serial 2)
0042D4CB |. 8B55 FC mov edx,[local.1]
0042D4CE |. 58 pop eax
0042D4CF |. E8 FC63FDFF call Cabeca.004038D0 ; compare; together with the one above this is the whole check: Serial 1 = [0x42F714], Serial 2 = [0x42F718]
0042D4D4 |. 75 0F jnz XCabeca.0042D4E5
0042D4D6 |. B8 E8D54200 mov eax,Cabeca.0042D5E8 ; ASCII "Hmmm.... Cracked... Congratulations idiot! :-)"
0042D4DB |. E8 ACF5FFFF call Cabeca.0042CA8C
0042D4E0 |. E9 A5000000 jmp Cabeca.0042D58A
0042D4E5 |> 833D 14F74200>cmp dword ptr ds:[0x42F714],0x0 ; second pass: repeats the same compares only to choose the error path
0042D4EC |. 74 33 je XCabeca.0042D521
0042D4EE |. 833D 18F74200>cmp dword ptr ds:[0x42F718],0x0
0042D4F5 |. 74 2A je XCabeca.0042D521
0042D4F7 |. 8D55 F0 lea edx,[local.4]
0042D4FA |. A1 14F74200 mov eax,dword ptr ds:[0x42F714]
0042D4FF |. E8 4C90FDFF call Cabeca.00406550
0042D504 |. 8B45 F0 mov eax,[local.4]
0042D507 |. 50 push eax
0042D508 |. 8D55 FC lea edx,[local.1]
0042D50B |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]
0042D511 |. E8 CAC8FEFF call Cabeca.00419DE0
0042D516 |. 8B55 FC mov edx,[local.1]
0042D519 |. 58 pop eax
0042D51A |. E8 B163FDFF call Cabeca.004038D0
0042D51F |. 75 2A jnz XCabeca.0042D54B ; Serial 1 wrong -> error message
0042D521 |> 8D55 F0 lea edx,[local.4]
0042D524 |. A1 18F74200 mov eax,dword ptr ds:[0x42F718]
0042D529 |. E8 2290FDFF call Cabeca.00406550
0042D52E |. 8B45 F0 mov eax,[local.4]
0042D531 |. 50 push eax
0042D532 |. 8D55 FC lea edx,[local.1]
0042D535 |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]
0042D53B |. E8 A0C8FEFF call Cabeca.00419DE0
0042D540 |. 8B55 FC mov edx,[local.1]
0042D543 |. 58 pop eax
0042D544 |. E8 8763FDFF call Cabeca.004038D0
0042D549 |. 74 3F je XCabeca.0042D58A ; Serial 2 correct here -> leave with no message at all; in practice unreachable, since both matching already took the success path
0042D54B |> B8 20D64200 mov eax,Cabeca.0042D620 ; ASCII "Nice try... but is incorrect... Dumb.."
0042D550 |. E8 37F5FFFF call Cabeca.0042CA8C
0042D555 |. 33C0 xor eax,eax
0042D557 |. A3 14F74200 mov dword ptr ds:[0x42F714],eax ; same cleanup as the "fill all boxes" path: zero both sums, empty the boxes
0042D55C |. 33C0 xor eax,eax
0042D55E |. A3 18F74200 mov dword ptr ds:[0x42F718],eax
0042D563 |. 33D2 xor edx,edx
0042D565 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042D56B |. E8 A0C8FEFF call Cabeca.00419E10
0042D570 |. 33D2 xor edx,edx
0042D572 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]
0042D578 |. E8 93C8FEFF call Cabeca.00419E10
0042D57D |. 33D2 xor edx,edx
0042D57F |. 8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]
0042D585 |. E8 86C8FEFF call Cabeca.00419E10
0042D58A |> 33C0 xor eax,eax ; epilogue: unlink the exception frame from fs:[0] ...
0042D58C |. 5A pop edx
0042D58D |. 59 pop ecx
0042D58E |. 59 pop ecx
0042D58F |. 64:8910 mov dword ptr fs:[eax],edx
0042D592 |. 68 B4D54200 push Cabeca.0042D5B4 ; ... then run the finally part below (return address 0042D5B4 pushed by hand)
0042D597 |> 8D45 F0 lea eax,[local.4]
0042D59A |. E8 A55FFDFF call Cabeca.00403544 ; release the string in local.4 (looks like the RTL string-clear helper)
0042D59F |. 8D45 F4 lea eax,[local.3]
0042D5A2 |. BA 03000000 mov edx,0x3 ; count = 3: release local.3, local.2, local.1 in one call
0042D5A7 |. E8 BC5FFDFF call Cabeca.00403568
0042D5AC \. C3 retn
程序思路很简单:把[0x42F714]和[0x42F718]两个地址的值分别转成10进制字符串,再与输入的两个serial逐一比较。
具体[0x42F714]和[0x42F718]的值是怎么得到的呢?
可以在这两个地址上下内存写入断点来找到。其实就是紧挨着上面那段代码之前的那一段。
; Case handlers of the switch at 0042CE34 (the dispatch code itself is not shown).
; The case value is the typed character's ASCII code: 0x61-0x7A = 'a'-'z',
; 0x41-0x5A = 'A'-'Z', 8 = Backspace.  Each letter adds one fixed pair of constants
; to [0x42F714] and [0x42F718]; the serials are the decimal forms of those two sums
; (see 0042D3C4 above).  It looks like a per-keystroke handler: Backspace (case 8)
; empties the box and resets both sums instead of subtracting.  A character with
; no handler in this range (none is visible for digits) ends at the default retn
; at 0042D3C0 and changes nothing.
0042CF98 > \8105 14F74200>add dword ptr ds:[0x42F714],0x427 ; Case 61 of switch 0042CE34 ('a')
0042CFA2 . 8305 18F74200>add dword ptr ds:[0x42F718],0x79
0042CFA9 . C3 retn
0042CFAA > 8105 14F74200>add dword ptr ds:[0x42F714],0x6BC ; Case 62 of switch 0042CE34
0042CFB4 . 8305 18F74200>add dword ptr ds:[0x42F718],0x6F
0042CFBB . C3 retn
0042CFBC > 8105 14F74200>add dword ptr ds:[0x42F714],0x491 ; Case 63 of switch 0042CE34
0042CFC6 . 8105 18F74200>add dword ptr ds:[0x42F718],0x2E2
0042CFD0 . C3 retn
0042CFD1 > 8105 14F74200>add dword ptr ds:[0x42F714],0x474D ; Case 64 of switch 0042CE34
0042CFDB . 8105 18F74200>add dword ptr ds:[0x42F718],0x2FA
0042CFE5 . C3 retn
0042CFE6 > 8105 14F74200>add dword ptr ds:[0x42F714],0x400 ; Case 65 of switch 0042CE34
0042CFF0 . 8305 18F74200>add dword ptr ds:[0x42F718],0xE
0042CFF7 . C3 retn
0042CFF8 > 8105 14F74200>add dword ptr ds:[0x42F714],0x6D0 ; Case 66 of switch 0042CE34
0042D002 . 8305 18F74200>add dword ptr ds:[0x42F718],0xD
0042D009 . C3 retn
0042D00A > 8105 14F74200>add dword ptr ds:[0x42F714],0x67D ; Case 67 of switch 0042CE34
0042D014 . 8305 18F74200>add dword ptr ds:[0x42F718],0xC
0042D01B . C3 retn
0042D01C > 8105 14F74200>add dword ptr ds:[0x42F714],0x750 ; Case 68 of switch 0042CE34
0042D026 . 8305 18F74200>add dword ptr ds:[0x42F718],0xB
0042D02D . C3 retn
0042D02E > 8105 14F74200>add dword ptr ds:[0x42F714],0x43C ; Case 69 of switch 0042CE34
0042D038 . 8305 18F74200>add dword ptr ds:[0x42F718],0x63
0042D03F . C3 retn
0042D040 > 8105 14F74200>add dword ptr ds:[0x42F714],0x764 ; Case 6A of switch 0042CE34
0042D04A . 8105 18F74200>add dword ptr ds:[0x42F718],0x378
0042D054 . C3 retn
0042D055 > 8105 14F74200>add dword ptr ds:[0x42F714],0xC0 ; Case 6B of switch 0042CE34
0042D05F . 8305 18F74200>add dword ptr ds:[0x42F718],0x4D
0042D066 . C3 retn
0042D067 > 8105 14F74200>add dword ptr ds:[0x42F714],0x277D ; Case 6C of switch 0042CE34
0042D071 . 8105 18F74200>add dword ptr ds:[0x42F718],0x22B
0042D07B . C3 retn
0042D07C > 8105 14F74200>add dword ptr ds:[0x42F714],0x81E ; Case 6D of switch 0042CE34
0042D086 . 8305 18F74200>add dword ptr ds:[0x42F718],0x5A
0042D08D . C3 retn
0042D08E > 8105 14F74200>add dword ptr ds:[0x42F714],0xE07 ; Case 6E of switch 0042CE34
0042D098 . 8305 18F74200>add dword ptr ds:[0x42F718],0x62
0042D09F . C3 retn
0042D0A0 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8E ; Case 6F of switch 0042CE34
0042D0AA . 8105 18F74200>add dword ptr ds:[0x42F718],0x1D2C
0042D0B4 . C3 retn
0042D0B5 > 8105 14F74200>add dword ptr ds:[0x42F714],0x9A670 ; Case 70 of switch 0042CE34
0042D0BF . 8105 18F74200>add dword ptr ds:[0x42F718],0x8C7F3
0042D0C9 . C3 retn
0042D0CA > 8105 14F74200>add dword ptr ds:[0x42F714],0xD57 ; Case 71 of switch 0042CE34
0042D0D4 . 8105 18F74200>add dword ptr ds:[0x42F718],0x288
0042D0DE . C3 retn
0042D0DF > 8105 14F74200>add dword ptr ds:[0x42F714],0x5FEB ; Case 72 of switch 0042CE34
0042D0E9 . 8105 18F74200>add dword ptr ds:[0x42F718],0x21A
0042D0F3 . C3 retn
0042D0F4 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8B0 ; Case 73 of switch 0042CE34
0042D0FE . FF05 18F74200 inc dword ptr ds:[0x42F718] ; +1, emitted as inc rather than add
0042D104 . C3 retn
0042D105 > 8105 14F74200>add dword ptr ds:[0x42F714],0x4BB ; Case 74 of switch 0042CE34
0042D10F . 8305 18F74200>add dword ptr ds:[0x42F718],0x40
0042D116 . C3 retn
0042D117 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8C2 ; Case 75 of switch 0042CE34
0042D121 . 8305 18F74200>add dword ptr ds:[0x42F718],0x4B
0042D128 . C3 retn
0042D129 > 8105 14F74200>add dword ptr ds:[0x42F714],0x1CA6 ; Case 76 of switch 0042CE34
0042D133 . 8305 18F74200>add dword ptr ds:[0x42F718],0x4E
0042D13A . C3 retn
0042D13B > 8105 14F74200>add dword ptr ds:[0x42F714],0x395 ; Case 78 of switch 0042CE34 (cases 78/77 and 58/57 sit out of order in the binary; harmless)
0042D145 . 8305 18F74200>add dword ptr ds:[0x42F718],0x26
0042D14C . C3 retn
0042D14D > 8105 14F74200>add dword ptr ds:[0x42F714],0x251E ; Case 77 of switch 0042CE34
0042D157 . 8305 18F74200>add dword ptr ds:[0x42F718],0x5
0042D15E . C3 retn
0042D15F > 8105 14F74200>add dword ptr ds:[0x42F714],0x2D13 ; Case 79 of switch 0042CE34
0042D169 . 8305 18F74200>add dword ptr ds:[0x42F718],0x8
0042D170 . C3 retn
0042D171 > 8105 14F74200>add dword ptr ds:[0x42F714],0x1900 ; Case 7A of switch 0042CE34
0042D17B . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C8
0042D185 . C3 retn
0042D186 > 8105 14F74200>add dword ptr ds:[0x42F714],0x428 ; Case 41 of switch 0042CE34 ('A' - upper-case table starts here)
0042D190 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1610
0042D19A . C3 retn
0042D19B > 8105 14F74200>add dword ptr ds:[0x42F714],0xB1630 ; Case 42 of switch 0042CE34
0042D1A5 . 8305 18F74200>add dword ptr ds:[0x42F718],0x2
0042D1AC . C3 retn
0042D1AD > 8105 14F74200>add dword ptr ds:[0x42F714],0xD86 ; Case 43 of switch 0042CE34
0042D1B7 . 8105 18F74200>add dword ptr ds:[0x42F718],0x270F
0042D1C1 . C3 retn
0042D1C2 > 8105 14F74200>add dword ptr ds:[0x42F714],0x11A4 ; Case 44 of switch 0042CE34
0042D1CC . 8105 18F74200>add dword ptr ds:[0x42F718],0x46FF33C
0042D1D6 . C3 retn
0042D1D7 > 8105 14F74200>add dword ptr ds:[0x42F714],0x11F0A ; Case 45 of switch 0042CE34
0042D1E1 . 8105 18F74200>add dword ptr ds:[0x42F718],0x8B3C
0042D1EB . C3 retn
0042D1EC > 8105 14F74200>add dword ptr ds:[0x42F714],0x3CC2 ; Case 46 of switch 0042CE34
0042D1F6 . 8105 18F74200>add dword ptr ds:[0x42F718],0x8618
0042D200 . C3 retn
0042D201 > 8105 14F74200>add dword ptr ds:[0x42F714],0x3E1A8 ; Case 47 of switch 0042CE34
0042D20B . 8105 18F74200>add dword ptr ds:[0x42F718],0x6C81C
0042D215 . C3 retn
0042D216 > 8105 14F74200>add dword ptr ds:[0x42F714],0x91E4 ; Case 48 of switch 0042CE34
0042D220 . 8105 18F74200>add dword ptr ds:[0x42F718],0x27E945
0042D22A . C3 retn
0042D22B > 8105 14F74200>add dword ptr ds:[0x42F714],0x6B42 ; Case 49 of switch 0042CE34
0042D235 . 8105 18F74200>add dword ptr ds:[0x42F718],0x2FC7C3
0042D23F . C3 retn
0042D240 > 8105 14F74200>add dword ptr ds:[0x42F714],0x516A4 ; Case 4A of switch 0042CE34
0042D24A . 8105 18F74200>add dword ptr ds:[0x42F718],0xB8F47C
0042D254 . C3 retn
0042D255 > 8105 14F74200>add dword ptr ds:[0x42F714],0x4345A ; Case 4B of switch 0042CE34
0042D25F . 8105 18F74200>add dword ptr ds:[0x42F718],0x115C7
0042D269 . C3 retn
0042D26A > 8105 14F74200>add dword ptr ds:[0x42F714],0x1BFDD9 ; Case 4C of switch 0042CE34
0042D274 . 8105 18F74200>add dword ptr ds:[0x42F718],0x12B54
0042D27E . C3 retn
0042D27F > 8105 14F74200>add dword ptr ds:[0x42F714],0x286D ; Case 4D of switch 0042CE34
0042D289 . 8105 18F74200>add dword ptr ds:[0x42F718],0xB348C
0042D293 . C3 retn
0042D294 > 8105 14F74200>add dword ptr ds:[0x42F714],0x401 ; Case 4E of switch 0042CE34
0042D29E . 8105 18F74200>add dword ptr ds:[0x42F718],0x357CE174 ; large constants like this make the 32-bit sum wrap quickly for longer names
0042D2A8 . C3 retn
0042D2A9 > 8105 14F74200>add dword ptr ds:[0x42F714],0x674 ; Case 4F of switch 0042CE34
0042D2B3 . 8105 18F74200>add dword ptr ds:[0x42F718],0x317CD7 ; OllyDbg's ASCII annotation on this line is noise - it read the immediate as a pointer; it is a plain constant like the others
0042D2BD . C3 retn
0042D2BE > 8105 14F74200>add dword ptr ds:[0x42F714],0x9C ; Case 50 of switch 0042CE34
0042D2C8 . 8105 18F74200>add dword ptr ds:[0x42F718],0x7DD834
0042D2D2 . C3 retn
0042D2D3 > 8105 14F74200>add dword ptr ds:[0x42F714],0x156 ; Case 51 of switch 0042CE34
0042D2DD . 8105 18F74200>add dword ptr ds:[0x42F718],0x39CD0
0042D2E7 . C3 retn
0042D2E8 > 8105 14F74200>add dword ptr ds:[0x42F714],0x8627 ; Case 52 of switch 0042CE34
0042D2F2 . 8105 18F74200>add dword ptr ds:[0x42F718],0xBF44A
0042D2FC . C3 retn
0042D2FD > 8105 14F74200>add dword ptr ds:[0x42F714],0x748190 ; Case 53 of switch 0042CE34
0042D307 . 8105 18F74200>add dword ptr ds:[0x42F718],0x854686
0042D311 . C3 retn
0042D312 > 8105 14F74200>add dword ptr ds:[0x42F714],0xA568 ; Case 54 of switch 0042CE34
0042D31C . 8105 18F74200>add dword ptr ds:[0x42F718],0x13220
0042D326 . C3 retn
0042D327 > 8105 14F74200>add dword ptr ds:[0x42F714],0x15592 ; Case 55 of switch 0042CE34
0042D331 . 8105 18F74200>add dword ptr ds:[0x42F718],0x302E
0042D33B . C3 retn
0042D33C > 8105 14F74200>add dword ptr ds:[0x42F714],0x1DD9 ; Case 56 of switch 0042CE34
0042D346 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C43
0042D350 . C3 retn
0042D351 > 8105 14F74200>add dword ptr ds:[0x42F714],0x266A ; Case 58 of switch 0042CE34
0042D35B . 8105 18F74200>add dword ptr ds:[0x42F718],0x2BA96C08
0042D365 . C3 retn
0042D366 > 8105 14F74200>add dword ptr ds:[0x42F714],0x3CC0 ; Case 57 of switch 0042CE34
0042D370 . 8105 18F74200>add dword ptr ds:[0x42F718],0x4EFC8
0042D37A . C3 retn
0042D37B > 8105 14F74200>add dword ptr ds:[0x42F714],0x8311 ; Case 59 of switch 0042CE34
0042D385 . 8105 18F74200>add dword ptr ds:[0x42F718],0x1C46
0042D38F . C3 retn
0042D390 > 8105 14F74200>add dword ptr ds:[0x42F714],0xCE1B ; Case 5A of switch 0042CE34
0042D39A . 8105 18F74200>add dword ptr ds:[0x42F718],0xB1664
0042D3A4 . C3 retn
0042D3A5 > 33D2 xor edx,edx ; Case 8 of switch 0042CE34 (Backspace): empty the box at [Self+0x1E0] ...
0042D3A7 . 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
0042D3AD . E8 5ECAFEFF call Cabeca.00419E10
0042D3B2 . 33C0 xor eax,eax
0042D3B4 . A3 14F74200 mov dword ptr ds:[0x42F714],eax ; ... and start both sums over from 0
0042D3B9 . 33C0 xor eax,eax
0042D3BB . A3 18F74200 mov dword ptr ds:[0x42F718],eax
0042D3C0 > C3 retn ; Default case of switch 0042CE34 - no change for characters without a handler
这里可以根据case后的值查ASCII表得到对应的字符(例如 0x61 即 'a'、0x41 即 'A'),这样就知道了两个内存地址的值是由name中的字母逐个累加得来的,可以写出注册机了。