C++解密Chrome80版本數(shù)據(jù)庫的方法示例代碼

更新時(shí)間：2020年05月06日 11:49:19 作者：FreeBuf

這篇文章主要介紹了C++解密Chrome80版本數(shù)據(jù)庫的方法示例代碼，本文通過實(shí)例代碼給大家介紹的非常詳細(xì)，對大家的學(xué)習(xí)或工作具有一定的參考借鑒價(jià)值,需要的朋友可以參考下

谷歌瀏覽器Google Chrome 80正式版例行更新詳細(xì)版本80.0.3987.163。Google Chrome瀏覽器又稱谷歌瀏覽器采用Chromium內(nèi)核全球最受歡迎的免費(fèi)網(wǎng)頁瀏覽器追求速度、隱私安全的網(wǎng)絡(luò)瀏覽器。

先說下吧。chrome80以前的版本是直接可以通過DPAPI來進(jìn)行解密的。關(guān)于DPAPI 大家可以看這里的介紹

DPAPI是Windows系統(tǒng)級對數(shù)據(jù)進(jìn)行加解密的一種接口無需自實(shí)現(xiàn)加解密代碼微軟已經(jīng)提供了經(jīng)過驗(yàn)證的高質(zhì)量加解密算法提供了用戶態(tài)的接口對密鑰的推導(dǎo)存儲數(shù)據(jù)加解密實(shí)現(xiàn)透明并提供較高的安全保證

DPAPI提供了兩個(gè)用戶態(tài)接口`CryptProtectData`加密數(shù)據(jù)`CryptUnprotectData`解密數(shù)據(jù)加密后的數(shù)據(jù)由應(yīng)用程序負(fù)責(zé)安全存儲應(yīng)用無需解析加密后的數(shù)據(jù)格式。但是加密后的數(shù)據(jù)存儲需要一定的機(jī)制因?yàn)樵摂?shù)據(jù)可以被其他任何進(jìn)程用來解密當(dāng)然`CryptProtectData`也提供了用戶輸入額外`數(shù)據(jù)`來參與對用戶數(shù)據(jù)進(jìn)行加密的參數(shù)。

總體來說程序可以使用DPAPI來對自己敏感的數(shù)據(jù)進(jìn)行加解密也可持久化存儲程序或系統(tǒng)重啟后可解密密文獲取原文。如果應(yīng)用程序?qū)Υ嗣舾袛?shù)據(jù)只是暫存于內(nèi)存為了防止被黑客dump內(nèi)存后進(jìn)行破解也對此數(shù)據(jù)無需進(jìn)行持久化存儲微軟還提供了加解密內(nèi)存的接口`CryptProtectMemory`和`CryptUnprotectMemory`。加解密內(nèi)存的接口并可指定`Flag`對此內(nèi)存加解密的聲明周期做控制詳細(xì)見`Memory加密及優(yōu)缺點(diǎn)`章節(jié)

廢話不多說我們且來看看新版的Chrome是怎么一個(gè)加密流程。首先。我們需要大致清楚新版chrome用到的加密。無非就是2個(gè) 劃重點(diǎn)

DPAPI
AES-GCM

先給大家看一用python寫的解密吧

aes.py
import os
import sys
import sqlite3
from urllib.parse import urlencode
import json, base64
import aesgcm
import binascii
def dpapi_decrypt(encrypted):
 import ctypes
 import ctypes.wintypes

 class DATA_BLOB(ctypes.Structure):
 _fields_ = [('cbData', ctypes.wintypes.DWORD),
   ('pbData', ctypes.POINTER(ctypes.c_char))]
 p = ctypes.create_string_buffer(encrypted, len(encrypted))
 blobin = DATA_BLOB(ctypes.sizeof(p), p)
 blobout = DATA_BLOB()
 retval = ctypes.windll.crypt32.CryptUnprotectData(
 ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
 if not retval:
 raise ctypes.WinError()
 result = ctypes.string_at(blobout.pbData, blobout.cbData)
 ctypes.windll.kernel32.LocalFree(blobout.pbData)
 return result
def aes_decrypt(encrypted_txt):
 encrypted_txt = binascii.unhexlify(encrypted_txt)
 encoded_key = "RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAFBcVfgeqrR6TWICu+11nQAAAAAAIAAAAAABBmAAAAAQAAIAAAADGFDG3ftjedfJDzI98JL+tPfbE3tgNumX5v+PGs9eEgAAAAAA6AAAAAAgAAIAAAAHMoKUPxu+eC153jdAcreqzjPCvccip33ZQPvnOZstQBMAAAAFCQh824CftlmS+gbu8NK1Gev4EVvODPwV6T33S9AXilInJ26Z09nTULJE3pF+9XtEAAAACndz8ZGF2V7IMxQDK6kFAk6wOUv/Bx9hZhZtiyu2urYfKYbCPvMSWg4e9+/oQrEL2NEG+fFjX/EP6SrLzE8Xqy"
 encrypted_key = base64.b64decode(encoded_key)
 print("encrypted_key="+encrypted_key.hex()+" Len="+str(len(encrypted_key))+"\r\n");
 encrypted_key = encrypted_key[5:]
 print("encrypted_key="+encrypted_key.hex()+"\r\n");
 key = dpapi_decrypt(encrypted_key)
 print("key="+key.hex()+"\r\n"); 
 nonce = encrypted_txt[3:15]
 print("nonce="+nonce.hex()+"\r\n");
 cipher = aesgcm.get_cipher(key)
 ##print("cipher="+cipher.hex()+"\r\n");
 print("encrypted_txt="+encrypted_txt[15:].hex()+"\r\n");
 return aesgcm.decrypt(cipher,encrypted_txt[15:],nonce)
print(aes_decrypt("76313068C3E4957EC879AD4483CBFA7476E7B77C035D8355A5D73FCFA9A87007D908896061DDD79471"))

然后是aes-gcm

import os
import sys

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import (
 Cipher, algorithms, modes
)

NONCE_BYTE_SIZE = 12

def encrypt(cipher, plaintext, nonce):
 cipher.mode = modes.GCM(nonce)
 encryptor = cipher.encryptor()
 ciphertext = encryptor.update(plaintext)
 return (cipher, ciphertext, nonce)

def decrypt(cipher, ciphertext, nonce):
 cipher.mode = modes.GCM(nonce)
 decryptor = cipher.decryptor()
 return decryptor.update(ciphertext)

def get_cipher(key):
 cipher = Cipher(
 algorithms.AES(key),
 None,
 backend=default_backend()
 )
 return cipher

如此即可解密。說下簡單的流程吧。

大致流程從C:\Users\0ops\AppData\Local\Google\Chrome\UserData\LocalState這個(gè)Json中讀取一個(gè)值os_crypt下的encrypted_key

然后取解密秘鑰(encrypted_key)去除前5個(gè)字符再通過對其dpapi解密出這個(gè)值保存為key.并且截取15位去除前3位字符保存為Nonce.

然后使用asegcm進(jìn)行解密key最終使用aesgcm解密。

大致就是如此。為了證明我的屁眼代碼可以用。上一個(gè)圖。稍等。。我去安裝下chrome80。。。影子系統(tǒng)還原了。。。我安裝好了

取下encrypted_key和被加密的value的HEX。在這之前我們先看下加密的內(nèi)容

包含V10和V11的是chrme80的加密。好了我們來找找freebuf的值

把加密值HEX[v10mC1^?I~\`ql>t^c+EO0bJKp1YRn?F$O]一下得到7631306D43A786939231E0A4D6DC5E**BB497E5C60716CFEFDDB3E74A7ABE2E5F1BAF45EF5F163BC2BB**54F9D30624A4B708D310C168894FFEC189C8959526ECBAD46EF1D7FD224B6868FA64F83CD

然后我們用python解密一下

可看到了解密成功。下一篇用C++來實(shí)現(xiàn)自動化解密

幾個(gè)注意點(diǎn)

Cookie位于User Data/Default下的Cookies文件改名為Cookies.db即可用sqllite進(jìn)行查詢和查看

上一篇實(shí)現(xiàn)了python的簡單解密。這一次我們來用C++實(shí)現(xiàn)自動化。在這之前我們需要用到兩個(gè)C++庫

repaidjson
cryptopp

編譯環(huán)境為VS2013.這兩個(gè)庫不多做介紹，rapidjson是騰訊的一個(gè)開源json解析庫。發(fā)揮的作用不大，就是解析個(gè)json。另外就是cryptopp。嗯。。很牛逼。

解析下大致流程：

1：獲取local state文件位置

2：獲取加密的key(base64編碼)

3：解析sqllite文件

4：DPAPI解密

5：ase-gcm解密

關(guān)于Aes-gcm 需要用到 KEY IV 以及被加密的字符串梳理下這幾個(gè)參數(shù)的流程：

KEY = local state = > os_crypt => Encrypted_key => Base64Decode(encrypted_key) => 去除首位5個(gè)字符 => DPAPI解密
IV = 被加密的字符串掐頭去尾
chiper = 被加密的字符串去頭

一般來說安裝的這些配置文件都在LOCAL_APPDATA下?？梢允褂肧HGetSpecialFolderPath(NULL, szBuffer, CSIDL_LOCAL_APPDATA, FALSE);

來獲取這個(gè)路徑。然后starcat組合一下字符串得到路徑部分代碼如下：

 char szBuffer[MAX_PATH];
	if (EncryptBaseKey == "")
	{
		string jsonstr;
		SHGetSpecialFolderPath(NULL, szBuffer, CSIDL_LOCAL_APPDATA, FALSE);
		strcat(szBuffer, "\\Google\\Chrome\\User Data\\Local State");
		jsonstr = readfile(szBuffer);
		Document root;
		root.Parse(jsonstr.c_str());
		Value& infoArray = root["os_crypt"];
		EncryptBaseKey = infoArray["encrypted_key"].GetString();
	}
	return EncryptBaseKey;

這里就獲取了加密的秘鑰。但是有一點(diǎn)。如果是非80版本是不存在os_crypt的，這里使用的rapidjson就會拋出異常。但不影響。只需要在使用sqllite查詢的時(shí)候接管一下字符串，看看是不是包含v10或者v11即可。如果你使用的和我一樣代碼。請注意大小寫V10和v10的區(qū)別。

 string e_str = argv[i];
			if (strstr(e_str.c_str(), "v10") != NULL || strstr(e_str.c_str(), "v11") != NULL)
			{
				string DecryptVaule=NewDecrypt(argv[i]);
				strcpy(enc_value_a, DecryptVaule.c_str());
			}
			else{
				DecryptPass(argv[i], enc_value, 2048);
				_snprintf_s(enc_value_a, sizeof(enc_value_a), _TRUNCATE, "%S", enc_value);
			}

緊接著就是對他進(jìn)行base64解密。這里我用的是cryptopp 先放一下新版解密函數(shù)

std::string static NewDecrypt(CHAR *cryptData)
{
	string EncryptValue = cryptData;
	string Encoded,Decoded;
	string key,iv,chiper;
	string recovered;//也就是解密的KEY
	WCHAR enc_value[2048];
	char enc_value_a[2048];

	ZeroMemory(enc_value, sizeof(enc_value));
	ZeroMemory(enc_value_a, sizeof(enc_value_a));
	//-----------------------初始化幾個(gè)要用到加密字符串的變量----------------------------------//
	iv = EncryptValue;
	chiper = EncryptValue;
	//---------------------------------------------------------//
	StringSource((BYTE*)EncryptValue.c_str(), EncryptValue.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	EncryptValue = Encoded;
	Encoded.clear();
	//---------------------------------------------------------//
	key = GetEncryptKEY();
	StringSource((BYTE*)key.c_str(), key.size(), true,
		new Base64Decoder(
		new StringSink(Decoded)));
	key = Decoded;
	key = key.substr(5);//去除首位5個(gè)字符
	Decoded.clear();
	DecryptPass((char*)key.c_str(), enc_value, 2048);
	_snprintf_s(enc_value_a, sizeof(enc_value_a), _TRUNCATE, "%S", enc_value);
	key = enc_value_a;
	StringSource((BYTE*)key.c_str(),key.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	key = Encoded;
	Encoded.clear();
	//KEY解密完畢 開始處理Nonce 也就是IV
	iv =iv.substr(3,12);
	StringSource((BYTE*)iv.c_str(), iv.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	iv = Encoded;
	Encoded.clear();
	//---------------------------------------------------------//
	//開始處理chiper
	if (chiper.size() < 30){ return "wu xiao zi fu chuan....."; }
	StringSource((BYTE*)chiper.c_str(), chiper.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	chiper = Encoded;
	Encoded.clear();
	chiper = chiper.substr(30);//因?yàn)槭荋EX 占了2個(gè)字節(jié)
	//---------------------------------------------------------//
	//進(jìn)行AES_GCM
	try
	{
		StringSource((BYTE*)iv.c_str(), iv.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		iv = Decoded;
		Decoded.clear();
		StringSource((BYTE*)key.c_str(), key.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		key = Decoded;
		Decoded.clear();
		StringSource((BYTE*)chiper.c_str(), chiper.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		chiper = Decoded;
		Decoded.clear();
		cout << chiper << endl;
		GCM< AES >::Decryption d;
		d.SetKeyWithIV((BYTE*)key.c_str(), key.size(), (BYTE*)iv.c_str(), iv.size());
		StringSource s(chiper, true,
			new AuthenticatedDecryptionFilter(d,
			new StringSink(recovered)
			) // StreamTransformationFilter
			); // StringSource
		cout << "recovered text: " << recovered << endl;
	}
	catch (const CryptoPP::Exception& e)
	{
		cerr << e.what() << endl;
		//exit(1);
	}
	return recovered;
}

先base64解碼一下

key = GetEncryptKEY();
	StringSource((BYTE*)key.c_str(), key.size(), true,
		new Base64Decoder(
		new StringSink(Decoded)));
	key = Decoded;
	key = key.substr(5);//去除首位5個(gè)字符
	Decoded.clear();

如此可以得到這一樣一個(gè)字符串

這是沒有去除字符的情況下，這個(gè)時(shí)候去除之后即祛除了首位的DPAPI 如此便獲得了一個(gè)初步解密的KEY。但在這之后，我們還需要對這個(gè)KEY做一次解密，因?yàn)檫@個(gè)時(shí)候的KEY還不能真正算是解密的KEY 他還需要進(jìn)行一次DPAPI解密

DPAPI的解密函數(shù)部分代碼如下：

DATA_BLOB input;
 input.pbData = (BYTE*)(cryptData);
	DATA_BLOB output;
	DWORD blen;

	for(blen=128; blen<=2048; blen+=16) {
 input.cbData = blen;
		if (CryptUnprotectData(&input, NULL, NULL, NULL, NULL, 0, &output))
			break;
	}
	if (blen>=2048)
		return 0;

	CHAR *decrypted = (CHAR *)malloc(clearSize);
	if (!decrypted) {
		LocalFree(output.pbData);
		return 0;
	}

	memset(decrypted, 0, clearSize);
	memcpy(decrypted, output.pbData, (clearSize < output.cbData) ? clearSize - 1 : output.cbData);

	_snwprintf_s(clearData, clearSize, _TRUNCATE, L"%S", decrypted);

	free(decrypted);
	LocalFree(output.pbData);

	return 1;

在解密之后我們可以得到：

然后我們對加密字符串進(jìn)行處理，取出iv和chiper。再使用aes-gcm解密即可。

iv =iv.substr(3,12);
	StringSource((BYTE*)iv.c_str(), iv.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	iv = Encoded;
	Encoded.clear();
	//---------------------------------------------------------//
	//開始處理chiper
	if (chiper.size() < 30){ return "wu xiao zi fu chuan....."; }
	StringSource((BYTE*)chiper.c_str(), chiper.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	chiper = Encoded;
	Encoded.clear();

解密

try
	{
		StringSource((BYTE*)iv.c_str(), iv.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		iv = Decoded;
		Decoded.clear();
		StringSource((BYTE*)key.c_str(), key.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		key = Decoded;
		Decoded.clear();
		StringSource((BYTE*)chiper.c_str(), chiper.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		chiper = Decoded;
		Decoded.clear();
		cout << chiper << endl;
		GCM< AES >::Decryption d;
		d.SetKeyWithIV((BYTE*)key.c_str(), key.size(), (BYTE*)iv.c_str(), iv.size());
		StringSource s(chiper, true,
			new AuthenticatedDecryptionFilter(d,
			new StringSink(recovered)
			) // StreamTransformationFilter
			); // StringSource
		cout << "recovered text: " << recovered << endl;
	}
	catch (const CryptoPP::Exception& e)
	{
		cerr << e.what() << endl;
		//exit(1);
	}
	return recovered;

最終獻(xiàn)上Demo源碼

// Chrome80解密Demo.cpp : 定義控制臺應(yīng)用程序的入口點(diǎn)。
//

#include "stdafx.h"
#include <string>
#include <fstream>
#include <iostream>
/*********************************\
加密庫頭存放在這
\*********************************/
#include "cryptopp\base64.h"
using CryptoPP::Base64Decoder;
using CryptoPP::Base64Encoder;
#include "cryptopp/hex.h"
using CryptoPP::HexEncoder;
using CryptoPP::HexDecoder;
#include "cryptopp/filters.h"
using CryptoPP::StringSink;
using CryptoPP::StringSource;
using CryptoPP::AuthenticatedEncryptionFilter;
using CryptoPP::AuthenticatedDecryptionFilter;
#include "cryptopp/aes.h"
using CryptoPP::AES;
#include "cryptopp/gcm.h"
using CryptoPP::GCM;
#include "cryptopp/secblock.h"
using CryptoPP::SecByteBlock;
/*********************************\
加密庫頭加載完畢
\*********************************/
using namespace std;
#pragma comment(lib,"userenv.lib")
#pragma comment(lib,"cryptlib.lib")
#pragma comment(lib,"Crypt32.lib")
//RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAFBcVfgeqrR6TWICu+11nQAAAAAAIAAAAAABBmAAAAAQAAIAAAAJxLse8lqGAP4o493iTyljEUUF9y76AAoprRgHJwesCyAAAAAA6AAAAAAgAAIAAAAFtTd4B22Ky/x2LVgQUSaKku2rCvsv+FiMFj+lGN8LmZMAAAANBlkfPhV/zVaMALHr0gK6dM7nFsfNTv6bfFKCyKbIorgbBnjfKp+K5MVz9iizYVs0AAAACihmRGBIQ6oDkgjzCk+9AhePof4eUhB98pb7UlbGgssV2fnGRrBYQHW8Gyyp9W4pojyn9J7GQixtdCIPBwEW92
//763130954DBA6D89BBAB2FF4A4460AEA7B823BA5BAF01B2B5E2CECDED5855F6E1E7B57946599C6ACD7D60F4B03FC11D5F7C6A39FA59FBF33D7
int DecryptPass(CHAR *cryptData, WCHAR *clearData, UINT clearSize)
{
	DATA_BLOB input;
	input.pbData = (BYTE*)(cryptData);
	DATA_BLOB output;
	DWORD blen;

	for (blen = 128; blen <= 2048; blen += 16) {
		input.cbData = blen;
		if (CryptUnprotectData(&input, NULL, NULL, NULL, NULL, 0, &output))
			break;
	}
	if (blen >= 2048)
		return 0;

	CHAR *decrypted = (CHAR *)malloc(clearSize);
	if (!decrypted) {
		LocalFree(output.pbData);
		return 0;
	}

	memset(decrypted, 0, clearSize);
	memcpy(decrypted, output.pbData, (clearSize < output.cbData) ? clearSize - 1 : output.cbData);

	_snwprintf_s(clearData, clearSize, _TRUNCATE, L"%S", decrypted);

	free(decrypted);
	LocalFree(output.pbData);

	return 1;
}
int _tmain(int argc, _TCHAR* argv[])
{
	string EncryptValue;
	string key, iv, chiper, recovered;
	string Decoded, Encoded;
	WCHAR enc_value[2048];
	char enc_value_a[2048];
	ZeroMemory(enc_value, sizeof(enc_value));
	ZeroMemory(enc_value_a, sizeof(enc_value_a));
	cout << "請輸入EncryptKEY[BASE64]:" << endl;
	cin >> key;
	cout << "請輸入EncryptValue[HEX]:" << endl;
	cin >> EncryptValue;
	cout << "<---------------開始解密流程--------------->\r\n" << endl;
	//開始賦值
	iv = EncryptValue;
	chiper = EncryptValue;
	StringSource((BYTE*)key.c_str(), key.size(), true,
		new Base64Decoder(
		new StringSink(Decoded)));
	key = Decoded;
	Decoded.clear();
	cout << "1:EncryptKEY 進(jìn)行Base64解密:\r\n" << key << "\r\n" << endl;
	key = key.substr(5);
	cout << "2:EncryptKEY 去除首5個(gè)字符:\r\n" << key << "\r\n" << endl;
	DecryptPass((char*)key.c_str(), enc_value, 2048);
	_snprintf_s(enc_value_a, sizeof(enc_value_a), _TRUNCATE, "%S", enc_value);
	key = enc_value_a;
	cout << "3:EncryptKEY 進(jìn)行DPAPI解密:\r\n" << key << "\r\n" << endl;
	StringSource((BYTE*)key.c_str(), key.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	key = Encoded;
	Encoded.clear();
	cout << "4:對已經(jīng)通過DPAPI的EncryptKEY 進(jìn)行HEX編碼:\r\n" << key << "\r\n" << endl;
	StringSource((BYTE*)iv.c_str(), iv.size(), true,
		new HexDecoder(
		new StringSink(Decoded)));
	iv = Decoded;
	Decoded.clear();
	iv=iv.substr(3, 15);
	StringSource((BYTE*)iv.c_str(), iv.size(), true,
		new HexEncoder(
		new StringSink(Encoded)));
	iv = Encoded;
	Encoded.clear();
	iv = iv.substr(0,iv.size()-6);
	cout << "5:對要解密的字符串進(jìn)行反HEX編碼 也就是解碼 并且截取之后再次 進(jìn)行HEX編碼 賦值給iv:\r\n" << iv << "\r\n" << endl;
	chiper = chiper.substr(30);
	cout << "6:對要解密的字符串進(jìn)行截取末尾15:\r\n" << chiper << "\r\n" << endl;
	try
	{
		StringSource((BYTE*)iv.c_str(), iv.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		iv = Decoded;
		Decoded.clear();
		StringSource((BYTE*)key.c_str(), key.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		key = Decoded;
		Decoded.clear();
		StringSource((BYTE*)chiper.c_str(), chiper.size(), true,
			new HexDecoder(
			new StringSink(Decoded)
			) // HexEncoder
			); // StringSource
		chiper = Decoded;
		Decoded.clear();
		cout << chiper << endl;
		GCM< AES >::Decryption d;
		d.SetKeyWithIV((BYTE*)key.c_str(), key.size(), (BYTE*)iv.c_str(), iv.size());
		StringSource s(chiper, true,
			new AuthenticatedDecryptionFilter(d,
			new StringSink(recovered)
			) // StreamTransformationFilter
			); // StringSource
		cout << "7:最終解密文本為:\r\n" << recovered << "\r\n" << endl;
	}
	catch (const CryptoPP::Exception& e)
	{
		cerr << e.what() << endl;
		//exit(1);
	}
	system("pause");
	return 0;
}

附上一張解密靚照