自己写的CrackMe,感觉还是很有难度的。
脑中突然有了一个感觉有点复杂的运算步骤,于是尝试写了一个CrackMe。
本帖最后由 忧郁小男生 于 2021-3-26 14:17 编辑
coef = 201921208;
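/*
 * Decompiler output of the CrackMe's main(), with the author's analysis steps
 * kept as numbered comments.  The forum rendering stripped every `[...]`, which
 * turned str[0], str[i + 1], str[2] etc. into a bare `str`; the subscripts are
 * restored here from the disassembly of the same routine (the check compares
 * bytes 2 and 3 and sums bytes 0, 1 and 4; the copy loop stores at i + 1).
 * Variable declarations are not part of this excerpt.
 */
puts("please enter the key:");
/* Return value of scanf is not checked: on a parse failure key keeps whatever
   value it had before, and the comparisons below run on an unset variable. */
scanf("%d", &key);
if ( coef >= key )                 // 5. b is already larger than coef, so b can only be key + coef, giving key = 556293022
{
    a = key + coef;
    b = coef - key;
}
else
{
    a = key - coef;
    b = key + coef;
}
coef += 674820627;
if ( a <= b )
    p1 = b - a;                    // 4. str[0] = 'p' means the low byte of p1 is 0x70; with p1 = b - a that is 2*coef, with p1 = a - b it is 2*key - either is possible
else
    p1 = a - b;
if ( coef <= b )
    p2 = b + a;                    // 2. if p2 came from here it would be 2*key or 2*coef, which cannot match (p2 is odd)
else
    p2 = coef + b;                 // 3. hence b = 0x2d316e56
str[0] = p1;                       /* low byte of p1 */
str_ptr = (char *)&p2;
for ( i = 3; i >= 0; --i )         // 1. from here p2 = 0x61737321, whose bytes in memory read "!ssa"
    str[i + 1] = *str_ptr++;       /* str[4] gets p2's lowest byte, str[1] its highest */
str[5] = 0;                        /* terminator relied on by puts(str) below */
print_flag = 0;
if ( str[2] == str[3] && str[0] + str[1] + str[4] == 242 )
    print_flag = 1;
if ( print_flag )
    puts(str);
else
    puts("fault!");
while ( 1 )
    getchar();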
步骤1 2 3 4 5
three 发表于 2021-3-26 17:09
直接跳帧,任意字符直接成功。
如果做个算法不想被破解,有个方法,对输入字符串要求 大小写数 ...
请问跳帧是什么意思啊?
如果不规定flag="pass!"
只满足这个条件
if ( str == str && str + str + str == 242 )
print_flag = 1;
遍历输出一下,这个太多解了
本帖最后由 weikun444 于 2021-3-26 08:53 编辑
把pass!当成运算结果显示出来,可惜本人算法水平有限啊!
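/*
 * Quoted decompiler output of the CrackMe's main().  The forum rendering
 * dropped every `[...]`; the array subscripts are restored from the disassembly
 * (bytes 2 and 3 compared, bytes 0, 1 and 4 summed, copy loop stores at i + 1).
 * Variable declarations are not part of this excerpt.
 */
coef = 201921208;
puts("please enter the key:");
/* scanf's return value is not checked; on bad input key is left unset. */
scanf("%d", &key);
if ( coef >= key )
{
    a = key + coef;
    b = coef - key;
}
else
{
    a = key - coef;
    b = key + coef;
}
coef += 674820627;
/* p1 is the unsigned absolute difference of a and b. */
if ( a <= b )
    p1 = b - a;
else
    p1 = a - b;
/* p2 uses the updated coef. */
if ( coef <= b )
    p2 = b + a;
else
    p2 = coef + b;
str[0] = p1;                       /* low byte of p1 */
str_ptr = (char *)&p2;
for ( i = 3; i >= 0; --i )
    str[i + 1] = *str_ptr++;       /* str[4] gets p2's lowest byte, str[1] its highest */
str[5] = 0;                        /* terminator relied on by puts(str) */
print_flag = 0;
if ( str[2] == str[3] && str[0] + str[1] + str[4] == 242 )
    print_flag = 1;
if ( print_flag )
    puts(str);
else
    puts("fault!");
while ( 1 )
    getchar();
ζs可口可乐 发表于 2021-3-26 08:40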
这个破解来有什么用呢?
也没什么用,但是我自己不知道怎么破解。
可以倒推:根据题目意思,str[]里依次存放pass!0的asc码,那么str[0]=112(p的asc码),p1也要等于112,就是看不懂p2那个该死的指针!{:1_909:}
weikun444 发表于 2021-3-26 08:42
把pass!当成运算结果显示出来,可惜本人算法水平有限啊!
coef = 201921208;
哇,我自己写的源代码看起来还没你分析出来的简明清晰。:Dweeqw CuteHamster 发表于 2021-3-26 09:10
哇,我自己写的源代码看起来还没你分析出来的简明清晰。
本人不会分析,F5简单,真正分析难啊!{:1_923:}
key:556293022 output:pass!
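/*
 * CheckKey - recompute the CrackMe's output string for one candidate key.
 *
 * The key -> string transform of the binary, lifted out so it can be driven
 * in a loop.  The forum rendering stripped every `[...]` from this listing;
 * the subscripts are restored from the disassembly of the same routine
 * (str[2] == str[3], str[0] + str[1] + str[4] == 0xF2, copy loop stores at i + 1).
 *
 * str: caller-owned buffer of at least 6 bytes.  Receives 5 derived bytes plus
 *      a terminating NUL; a smaller buffer means an out-of-bounds write.
 * key: candidate key.  All arithmetic is on unsigned 32-bit values and wraps,
 *      matching the 32-bit add/sub in the binary.
 * returns: true when the derived string passes the CrackMe's check.  The
 *      string is written to str whether or not the check passes.
 */
bool CheckKey(char* str, unsigned int key)
{
    unsigned int coef = 201921208;
    unsigned int a;
    unsigned int b;

    if (coef >= key)
    {
        a = key + coef;
        b = coef - key;
    }
    else
    {
        a = key - coef;
        b = key + coef;
    }
    coef += 674820627;

    /* p1 is the unsigned absolute difference of a and b. */
    unsigned int p1 = (a <= b) ? b - a : a - b;
    /* p2 depends on the updated coef. */
    unsigned int p2 = (coef <= b) ? b + a : coef + b;

    /* str[0] takes the low byte of p1 (the first byte in memory on the
       little-endian target this binary was built for). */
    str[0] = (char)p1;
    /* str[4..1] take p2's bytes in memory order: the destination index walks
       down while the source pointer walks up, so str[1] ends up holding p2's
       high byte and str[4] its low byte. */
    char* str_ptr = (char*)&p2;
    for (int i = 3; i >= 0; --i)
        str[i + 1] = *str_ptr++;
    str[5] = 0;

    /* The binary's check: middle two characters equal, and characters 0, 1
       and 4 sum to 242 ('p' + 'a' + '!').  The binary sign-extends the bytes
       (movsx), so this matches on a platform where char is signed. */
    return str[2] == str[3] && str[0] + str[1] + str[4] == 242;
}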
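/*
 * Exhaustively tries every 32-bit key and prints those for which CheckKey
 * produces exactly "pass!".  UINT64/UINT/MAXUINT are the Windows typedefs
 * used by the original listing.
 */
int main()
{
    /* 6 bytes: five output characters plus the NUL that CheckKey writes.
       The listing lost its `[6]` to the forum rendering; a single char here
       would let CheckKey write past the end of the buffer. */
    char str[6];
    for (UINT64 flag = 0; flag <= MAXUINT; flag++)
    {
        memset(str, 0, sizeof(str));
        if (CheckKey(str, (UINT)flag) && strcmp(str, "pass!") == 0)
        {
            /* %u: the key is passed as an unsigned value. */
            printf("key:%u output:%s\r\n", (UINT)flag, str);
        }
    }
    return 0;
}
Sweettea 发表于 2021-3-26 10:11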
key:556293022 output:pass!
确实是这个密钥{:1_932:}
0000000000401550 | 55 | push rbp |
0000000000401551 | 48:89E5 | mov rbp,rsp |
0000000000401554 | 48:83EC 50 | sub rsp,50 |
0000000000401558 | E8 03020000 | call crackme.401760 |
000000000040155D | C745 E4 B812090C | mov dword ptr ss:,C0912B8|
0000000000401564 | 48:8D0D 952A0000 | lea rcx,qword ptr ds: | 0000000000404000:"please enter the key:"
000000000040156B | E8 28160000 | call <JMP.&puts> |
0000000000401570 | 48:8D45 E0 | lea rax,qword ptr ss: |
0000000000401574 | 48:89C2 | mov rdx,rax |
0000000000401577 | 48:8D0D 982A0000 | lea rcx,qword ptr ds: | 0000000000404016:L"搥昀畡瑬!畀@"
000000000040157E | E8 0D160000 | call <JMP.&scanf> |
0000000000401583 | 8B45 E0 | mov eax,dword ptr ss: |
0000000000401586 | 3945 E4 | cmp dword ptr ss:,eax |
0000000000401589 | 73 16 | jae crackme.4015A1 |
000000000040158B | 8B45 E0 | mov eax,dword ptr ss: |
000000000040158E | 2B45 E4 | sub eax,dword ptr ss: |
0000000000401591 | 8945 FC | mov dword ptr ss:,eax |
0000000000401594 | 8B55 E0 | mov edx,dword ptr ss: |
0000000000401597 | 8B45 E4 | mov eax,dword ptr ss: |
000000000040159A | 01D0 | add eax,edx |
000000000040159C | 8945 F8 | mov dword ptr ss:,eax |
000000000040159F | EB 18 | jmp crackme.4015B9 |
00000000004015A1 | 8B55 E0 | mov edx,dword ptr ss: |
00000000004015A4 | 8B45 E4 | mov eax,dword ptr ss: |
00000000004015A7 | 01D0 | add eax,edx |
00000000004015A9 | 8945 FC | mov dword ptr ss:,eax |
00000000004015AC | 8B45 E0 | mov eax,dword ptr ss: |
00000000004015AF | 8B55 E4 | mov edx,dword ptr ss: |
00000000004015B2 | 29C2 | sub edx,eax |
00000000004015B4 | 89D0 | mov eax,edx |
00000000004015B6 | 8945 F8 | mov dword ptr ss:,eax |
00000000004015B9 | 8145 E4 13F23828 | add dword ptr ss:,2838F213 |
00000000004015C0 | 8B45 FC | mov eax,dword ptr ss: |
00000000004015C3 | 3B45 F8 | cmp eax,dword ptr ss: |
00000000004015C6 | 76 0B | jbe crackme.4015D3 |
00000000004015C8 | 8B45 FC | mov eax,dword ptr ss: |
00000000004015CB | 2B45 F8 | sub eax,dword ptr ss: |
00000000004015CE | 8945 DC | mov dword ptr ss:,eax |
00000000004015D1 | EB 09 | jmp crackme.4015DC |
00000000004015D3 | 8B45 F8 | mov eax,dword ptr ss: |
00000000004015D6 | 2B45 FC | sub eax,dword ptr ss: |
00000000004015D9 | 8945 DC | mov dword ptr ss:,eax |
00000000004015DC | 8B45 E4 | mov eax,dword ptr ss: |
00000000004015DF | 3B45 F8 | cmp eax,dword ptr ss: |
00000000004015E2 | 76 0D | jbe crackme.4015F1 |
00000000004015E4 | 8B55 E4 | mov edx,dword ptr ss: |
00000000004015E7 | 8B45 F8 | mov eax,dword ptr ss: |
00000000004015EA | 01D0 | add eax,edx |
00000000004015EC | 8945 D8 | mov dword ptr ss:,eax |
00000000004015EF | EB 0B | jmp crackme.4015FC |
00000000004015F1 | 8B55 F8 | mov edx,dword ptr ss: |
00000000004015F4 | 8B45 FC | mov eax,dword ptr ss: |
00000000004015F7 | 01D0 | add eax,edx |
00000000004015F9 | 8945 D8 | mov dword ptr ss:,eax |
00000000004015FC | 48:8D45 DC | lea rax,qword ptr ss: |
0000000000401600 | 48:8945 F0 | mov qword ptr ss:,rax | :&"C:\\Users\\Administrator\\Desktop\\CrackMe.exe"
0000000000401604 | 48:8B45 F0 | mov rax,qword ptr ss: | :&"C:\\Users\\Administrator\\Desktop\\CrackMe.exe"
0000000000401608 | 0FB600 | movzx eax,byte ptr ds: |
000000000040160B | 8845 D2 | mov byte ptr ss:,al |
000000000040160E | 48:8D45 D8 | lea rax,qword ptr ss: |
0000000000401612 | 48:8945 F0 | mov qword ptr ss:,rax | :&"C:\\Users\\Administrator\\Desktop\\CrackMe.exe"
0000000000401616 | C745 E8 03000000 | mov dword ptr ss:,3 |
000000000040161D | EB 1D | jmp crackme.40163C |
000000000040161F | 8B45 E8 | mov eax,dword ptr ss: |
0000000000401622 | 8D50 01 | lea edx,qword ptr ds: |
0000000000401625 | 48:8B45 F0 | mov rax,qword ptr ss: | :&"C:\\Users\\Administrator\\Desktop\\CrackMe.exe"
0000000000401629 | 0FB600 | movzx eax,byte ptr ds: |
000000000040162C | 48:63D2 | movsxd rdx,edx |
000000000040162F | 884415 D2 | mov byte ptr ss:,al |
0000000000401633 | 48:8345 F0 01 | add qword ptr ss:,1 | :&"C:\\Users\\Administrator\\Desktop\\CrackMe.exe"
0000000000401638 | 836D E8 01 | sub dword ptr ss:,1 |
000000000040163C | 837D E8 00 | cmp dword ptr ss:,0 |
0000000000401640 | 79 DD | jns crackme.40161F | 循环5次
0000000000401642 | C645 D7 00 | mov byte ptr ss:,0 |
0000000000401646 | C745 EC 00000000 | mov dword ptr ss:,0 |
000000000040164D | 0FB655 D4 | movzx edx,byte ptr ss: |
0000000000401651 | 0FB645 D5 | movzx eax,byte ptr ss: |
0000000000401655 | 38C2 | cmp dl,al |
0000000000401657 | 75 27 | jne crackme.401680 | 这里跳了下面在判断就是失败
0000000000401659 | 0FB645 D2 | movzx eax,byte ptr ss: |
000000000040165D | 0FBED0 | movsx edx,al |
0000000000401660 | 0FB645 D3 | movzx eax,byte ptr ss: |
0000000000401664 | 0FBEC0 | movsx eax,al |
0000000000401667 | 01C2 | add edx,eax |
0000000000401669 | 0FB645 D6 | movzx eax,byte ptr ss: |
000000000040166D | 0FBEC0 | movsx eax,al |
0000000000401670 | 01D0 | add eax,edx |
0000000000401672 | 3D F2000000 | cmp eax,F2 |
0000000000401677 | 75 07 | jne crackme.401680 |
0000000000401679 | C745 EC 01000000 | mov dword ptr ss:,1 |
0000000000401680 | 837D EC 00 | cmp dword ptr ss:,0 |
0000000000401684 | 74 0E | je crackme.401694 | 这里跳了就是失败
0000000000401686 | 48:8D45 D2 | lea rax,qword ptr ss: |
000000000040168A | 48:89C1 | mov rcx,rax |
000000000040168D | E8 06150000 | call <JMP.&puts> |
0000000000401692 | EB 0C | jmp crackme.4016A0 |
0000000000401694 | 48:8D0D 7E290000 | lea rcx,qword ptr ds: | 0000000000404019:"fault!"
000000000040169B | E8 F8140000 | call <JMP.&puts> |
00000000004016A0 | E8 0B150000 | call <JMP.&getchar> |
00000000004016A5 | EB F9 | jmp crackme.4016A0 |
搞不懂是什么语言写的
算不出字符串只能得一个p
算了算了