发一个很简单的CrackMe 计算出正确的key
本帖最后由 cengsihan 于 2021-6-3 20:31 编辑
要求
计算出正确的密码
密码正确提示 “成功” 信息框!
实在不行就爆破,直接改地址。
jy04468108 发表于 2021-6-4 09:18
实在不行就爆破,直接改地址。
计算出正确的key? 004013F0/$8B4C24 04 mov ecx,dword ptr ss: ;CrackMe.004704DE
;-----------------------------------------------------------------------
; sub_4013F0(v, out) -- entry is the mov at 004013F0 on the line above
; cdecl, x86-32. OllyDbg dump: address | opcode bytes | instruction | comment
; In:   [esp+4] = v   -> 12-byte record: +0 value lo, +4 value hi, +8 type
;       [esp+8] = out -> handed unchanged to whichever helper renders v
; Out:  eax = whatever the selected helper returns; the default arm
;       (0040149F) returns without calling anything.
; NOTE: the paste dropped the bracketed memory operands ("dword ptr ss:"
;       with nothing after it). Decode from the opcode-byte column:
;       8B4C24 04 = mov ecx,[esp+4]   8B41 08 = mov eax,[ecx+8]
;       8B09      = mov ecx,[ecx]     8B41 04 = mov eax,[ecx+4]
;       8A11      = mov dl,[ecx]      0FBF01  = movsx eax,word ptr [ecx]
; NOTE(review): the 0x8000xx01 codes plus the value/type record look like a
;       runtime library's variant format (presumably the 易语言/EPL krnln
;       data-type ids) -- confirm against the binary. No helper is given a
;       length for `out`, so the caller must size it for the longest text.
;       Nothing in this routine reads or compares a key.
;-----------------------------------------------------------------------
004013F4|.8B41 08 mov eax,dword ptr ds:
; eax = v->type. Compare tree: 'ja' peels off 0x80000501/0x80000601 (at
; 0040146C), 'je' takes 0x80000401, then 0x80000101/0201/0301 in turn.
004013F7|.3D 01040080 cmp eax,0x80000401 ;Switch (cases 80000101..80000601)
004013FC|.77 6E ja short CrackMe.0040146C
004013FE|.74 55 je short CrackMe.00401455
00401400|.3D 01010080 cmp eax,0x80000101
00401405|.74 35 je short CrackMe.0040143C
00401407|.3D 01020080 cmp eax,0x80000201
0040140C|.74 1C je short CrackMe.0040142A
0040140E|.3D 01030080 cmp eax,0x80000301
00401413|.0F85 86000000 jnz CrackMe.0040149F
; type 0x80000301: 0041A3B0(v->value, out) -- 32-bit payload
00401419|.8B4424 08 mov eax,dword ptr ss: ;Case 80000301 of switch 004013F7
0040141D|.8B09 mov ecx,dword ptr ds:
0040141F|.50 push eax
00401420|.51 push ecx
00401421|.E8 8A8F0100 call CrackMe.0041A3B0
00401426|.83C4 08 add esp,0x8
00401429|.C3 retn
; type 0x80000201: same helper, payload sign-extended from 16 bits
; (0FBF01 = movsx eax,word ptr [ecx]); 0041A3B0 is therefore presumably a
; signed-32-bit-to-text routine -- its body is not in this dump.
0040142A|>0FBF01 movsx eax,word ptr ds: ;Case 80000201 of switch 004013F7
0040142D|.8B5424 08 mov edx,dword ptr ss:
00401431|.52 push edx
00401432|.50 push eax
00401433|.E8 788F0100 call CrackMe.0041A3B0
00401438|.83C4 08 add esp,0x8
0040143B|.C3 retn
; type 0x80000101: wsprintfA(out, "%u", (uint8)v->value)
; edx is zeroed first so only the low byte (8A11 = mov dl,[ecx]) is
; printed; at most "255" + NUL lands in `out`. OllyDbg's "= 18F654" and
; "s = NULL" are the live values when the dump was taken, not constants.
0040143C|>8B4424 08 mov eax,dword ptr ss: ;Case 80000101 of switch 004013F7
00401440|.33D2 xor edx,edx
00401442|.8A11 mov dl,byte ptr ds:
00401444|.52 push edx ; /<%u> = 18F654 (1635924.)
00401445|.68 98514900 push CrackMe.00495198 ; |%u
0040144A|.50 push eax ; |s = NULL
0040144B|.FF15 C8034800 call dword ptr ds:[<&USER32.wsprintfA>]; \wsprintfA
00401451|.83C4 0C add esp,0xC
00401454|.C3 retn
; type 0x80000401: 00461C45(v.lo, v.hi, out, 10) -- 64-bit payload plus a
; radix of 10. The (value, buf, radix) argument shape matches CRT _i64toa,
; but that is an inference from the argument list only.
00401455|>8B5424 08 mov edx,dword ptr ss: ;Case 80000401 of switch 004013F7
00401459|.8B41 04 mov eax,dword ptr ds:
0040145C|.8B09 mov ecx,dword ptr ds:
0040145E|.6A 0A push 0xA
00401460|.52 push edx
00401461|.50 push eax
00401462|.51 push ecx
00401463|.E8 DD070600 call CrackMe.00461C45
00401468|.83C4 10 add esp,0x10
0040146B|.C3 retn
; types above 0x80000401 land here via the 'ja' at 004013FC
0040146C|>3D 01050080 cmp eax,0x80000501
00401471|.74 1C je short CrackMe.0040148F
00401473|.3D 01060080 cmp eax,0x80000601
00401478|.75 25 jnz short CrackMe.0040149F
; type 0x80000601: 0041A900(v.lo, v.hi, out) -- 8-byte payload
; (presumably a double; helper not visible here)
0040147A|.8B5424 08 mov edx,dword ptr ss: ;Case 80000601 of switch 004013F7
0040147E|.8B41 04 mov eax,dword ptr ds:
00401481|.8B09 mov ecx,dword ptr ds:
00401483|.52 push edx
00401484|.50 push eax
00401485|.51 push ecx
00401486|.E8 75940100 call CrackMe.0041A900
0040148B|.83C4 0C add esp,0xC
0040148E|.C3 retn
; type 0x80000501: 0041A870(v->value, out) -- 4-byte payload
; (presumably a single-precision float; helper not visible here)
0040148F|>8B5424 08 mov edx,dword ptr ss: ;Case 80000501 of switch 004013F7
00401493|.8B01 mov eax,dword ptr ds:
00401495|.52 push edx
00401496|.50 push eax
00401497|.E8 D4930100 call CrackMe.0041A870
0040149C|.83C4 08 add esp,0x8
; any other type: return without writing `out`; a caller that treats
; `out` as a C string afterwards must have initialised it itself
0040149F\>C3 retn ;Default case of switch 004013F7
;-----------------------------------------------------------------------
; sub_4014A0(result, argc, args) -- cdecl, x86-32, 0x64-byte local frame
; In:   [esp+4] = result -> dword that receives the mapped MessageBox answer
;       [esp+8] = argc   -> only tested against 4 (is an owner arg present?)
;       [esp+C] = args   -> array of 12-byte records {lo, hi, type}:
;                 args[0] @+00 text, args[1] @+0C style,
;                 args[2] @+18 title, args[3] @+24 owner window
;       (offsets as read below: 8B7424 78 = mov esi,[esp+78] after two
;        pushes = args; 8B4424 78 after the third push = argc;
;        8B4C24 68 after the three pops = result)
; Local: [esp+C .. esp+6F] 100-byte text buffer (8D4424 0C = lea eax,[esp+C])
; Calls: MessageBoxA(owner, text, title, style); stores answer-1 into
;        *result (IDCANCEL=2 -> 1 ... IDNO=7 -> 6; IDRETRY=4 -> 3; IDOK and
;        anything else -> 0)
; NOTE: bracketed memory operands are missing from the paste; the byte
;       column is authoritative: 8B7E 08 = mov edi,[esi+8], 8B3E =
;       mov edi,[esi], 8B16 = mov edx,[esi], 8B4E 04 = mov ecx,[esi+4],
;       8B46 2C = mov eax,[esi+2C], 8B46 24 = mov eax,[esi+24],
;       8B58 1C = mov ebx,[eax+1C], 8B46 20 = mov eax,[esi+20],
;       8B46 18 = mov eax,[esi+18], 8B76 0C = mov esi,[esi+C],
;       C64424 0C 00 = mov byte ptr [esp+C],0, 8901/8902 = mov [ecx]/[edx],eax
; NOTE(review): this is a generic message-box wrapper (presumably the
;       易语言/EPL runtime's 信息框); it does not decide success or failure
;       itself, it only displays whatever text its caller hands it. The
;       helpers 0040D400, 0041B0F0, 0041AA20 and 00412A60 are not in this
;       dump; only 004013F0 (above) is.
;-----------------------------------------------------------------------
004014A0 .83EC 64 sub esp,0x64
004014A3 .53 push ebx ;CrackMe.004014A0
004014A4 .56 push esi ;CrackMe.0064F9F9
; esi = args. The CrackMe.xxxx / 0064F9F9 / 01EEEE38 comments OllyDbg
; attaches to push/pop lines are stale register contents, not meaningful.
004014A5 .8B7424 78 mov esi,dword ptr ss:
004014A9 .57 push edi
; edi = args[0].type; 0040D400(type) != 0 -> treat as numeric and render it
; into the local buffer with sub_4013F0(&args[0], buf)
004014AA .8B7E 08 mov edi,dword ptr ds:
004014AD .57 push edi
004014AE .E8 4DBF0000 call CrackMe.0040D400
004014B3 .83C4 04 add esp,0x4
004014B6 .85C0 test eax,eax
004014B8 74 10 je short CrackMe.004014CA
004014BA .8D4424 0C lea eax,dword ptr ss:
004014BE .50 push eax
004014BF .56 push esi ;CrackMe.0064F9F9
004014C0 .E8 2BFFFFFF call CrackMe.004013F0
004014C5 .83C4 08 add esp,0x8
004014C8 .EB 42 jmp short CrackMe.0040150C
; otherwise switch on the type. OllyDbg's "(SINGLE STEP)", "(DATATYPE
; MISALIGNMENT)" and "(BREAKPOINT)" labels are its NTSTATUS guess for the
; 0x8000000x constants and do not apply to these type ids.
004014CA >81FF 04000080 cmp edi,0x80000004 ;Switch (cases 80000002..80000004)
004014D0 75 04 jnz short CrackMe.004014D6
; type 0x80000004: args[0].lo already is the text pointer -> edi = it
004014D2 .8B3E mov edi,dword ptr ds: ;Case 80000004 (SINGLE STEP) of switch 004014CA
004014D4 .EB 3A jmp short CrackMe.00401510
004014D6 >81FF 02000080 cmp edi,0x80000002
004014DC .75 12 jnz short CrackMe.004014F0
; type 0x80000002: 0041B0F0(args[0].lo, buf)
004014DE .8B16 mov edx,dword ptr ds: ;Case 80000002 (DATATYPE MISALIGNMENT) of switch 004014CA
004014E0 .8D4C24 0C lea ecx,dword ptr ss:
004014E4 .51 push ecx
004014E5 .52 push edx
004014E6 .E8 059C0100 call CrackMe.0041B0F0
004014EB .83C4 08 add esp,0x8
004014EE .EB 1C jmp short CrackMe.0040150C
004014F0 >81FF 03000080 cmp edi,0x80000003
004014F6 75 1C jnz short CrackMe.00401514
; type 0x80000003: 0041AA20(args[0].lo, args[0].hi, buf)
004014F8 .8B4E 04 mov ecx,dword ptr ds: ;Case 80000003 (BREAKPOINT) of switch 004014CA
004014FB .8B16 mov edx,dword ptr ds:
004014FD .8D4424 0C lea eax,dword ptr ss:
00401501 .50 push eax
00401502 .51 push ecx
00401503 .52 push edx
00401504 .E8 17950100 call CrackMe.0041AA20
00401509 .83C4 0C add esp,0xC
; rendered arms: text = buf
0040150C >8D7C24 0C lea edi,dword ptr ss:
; a null text pointer (only reachable from the 0x80000004 arm) falls
; through into the default below
00401510 >85FF test edi,edi
00401512 .75 09 jnz short CrackMe.0040151D
; default: buf = "" and show that
00401514 >C64424 0C 00mov byte ptr ss:,0x0 ;Default case of switch 004014CA
00401519 .8D7C24 0C lea edi,dword ptr ss:
; owner window: ebx = 0 unless argc >= 4 and args[3] is either a window
; object (type 0x10001: 00412A60(0x7D6, obj, 0) non-null -> hwnd read at
; result+1C) or a plain integer (type 0x80000301: value used as hwnd as is)
0040151D >8B4424 78 mov eax,dword ptr ss:
00401521 .33DB xor ebx,ebx ;CrackMe.004014A0
00401523 .83F8 04 cmp eax,0x4
00401526 .7C 2C jl short CrackMe.00401554
00401528 .8B46 2C mov eax,dword ptr ds:
0040152B .3D 01000100 cmp eax,0x10001
00401530 .75 18 jnz short CrackMe.0040154A
00401532 .8B46 24 mov eax,dword ptr ds:
00401535 .53 push ebx ;CrackMe.004014A0
00401536 .50 push eax
00401537 .68 D6070000 push 0x7D6
0040153C .E8 1F150100 call CrackMe.00412A60
00401541 .85C0 test eax,eax
00401543 .74 0F je short CrackMe.00401554
00401545 .8B58 1C mov ebx,dword ptr ds:
00401548 .EB 0A jmp short CrackMe.00401554
0040154A >3D 01030080 cmp eax,0x80000301
0040154F .75 03 jnz short CrackMe.00401554
00401551 .8B5E 24 mov ebx,dword ptr ds:
; title: the default string at 0049519C (OllyDbg previews it as "信息:")
; unless args[2].type != 0, in which case args[2].lo is used
00401554 >8B46 20 mov eax,dword ptr ds:
00401557 .85C0 test eax,eax
00401559 .B8 9C514900 mov eax,CrackMe.0049519C ;信息:
0040155E .74 03 je short CrackMe.00401563
00401560 .8B46 18 mov eax,dword ptr ds:
; style = args[1].lo; when MB_SYSTEMMODAL (0x1000) is clear, MB_TASKMODAL
; (0x2000) is added: ecx = ~style & 0x1000, 8D144E = lea edx,[esi+ecx*2].
; OllyDbg's "Style = MB_YESNO|50|..." decode is of a stale edx and is noise.
00401563 >8B76 0C mov esi,dword ptr ds:
00401566 .8BCE mov ecx,esi ;CrackMe.0064F9F9
00401568 .F7D1 not ecx
0040156A .81E1 00100000 and ecx,0x1000
00401570 .8D144E lea edx,dword ptr ds:
; MessageBoxA(hWnd=ebx, lpText=edi, lpCaption=eax, uType=edx)
00401573 .52 push edx ; /Style = MB_YESNO|50|MB_DEFBUTTON3|3000|MB_NOFOCUS|184400
00401574 .50 push eax ; |Title = NULL
00401575 .57 push edi ; |Text = 000007D8 ???
00401576 .53 push ebx ; |hOwner = 004014A0
00401577 .FF15 A0034800 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
; callee-saved regs restored first (eax = button id survives); each arm
; then stores id-1 into *result and returns
0040157D .5F pop edi ;01EEEE38
0040157E .5E pop esi ;01EEEE38
0040157F .83F8 03 cmp eax,0x3 ;Switch (cases 2..7)
00401582 .5B pop ebx ;01EEEE38
00401583 .75 0F jnz short CrackMe.00401594
; IDABORT (3) -> 2
00401585 .8B4C24 68 mov ecx,dword ptr ss: ;Case 3 of switch 0040157F
00401589 .B8 02000000 mov eax,0x2
0040158E .8901 mov dword ptr ds:,eax
00401590 .83C4 64 add esp,0x64
00401593 .C3 retn
00401594 >83F8 02 cmp eax,0x2
00401597 .75 0F jnz short CrackMe.004015A8
; IDCANCEL (2) -> 1
00401599 .8B5424 68 mov edx,dword ptr ss: ;Case 2 of switch 0040157F
0040159D .B8 01000000 mov eax,0x1
004015A2 .8902 mov dword ptr ds:,eax
004015A4 .83C4 64 add esp,0x64
004015A7 .C3 retn
004015A8 >83F8 05 cmp eax,0x5
004015AB .75 0F jnz short CrackMe.004015BC
; IDIGNORE (5) -> 4
004015AD .8B4C24 68 mov ecx,dword ptr ss: ;Case 5 of switch 0040157F
004015B1 .B8 04000000 mov eax,0x4
004015B6 .8901 mov dword ptr ds:,eax
004015B8 .83C4 64 add esp,0x64
004015BB .C3 retn
004015BC >83F8 07 cmp eax,0x7
004015BF .75 0F jnz short CrackMe.004015D0
; IDNO (7) -> 6
004015C1 .8B5424 68 mov edx,dword ptr ss: ;Case 7 of switch 0040157F
004015C5 .B8 06000000 mov eax,0x6
004015CA .8902 mov dword ptr ds:,eax
004015CC .83C4 64 add esp,0x64
004015CF .C3 retn
004015D0 >83F8 06 cmp eax,0x6
004015D3 .75 0F jnz short CrackMe.004015E4
; IDYES (6) -> 5
004015D5 .8B4C24 68 mov ecx,dword ptr ss: ;Case 6 of switch 0040157F
004015D9 .B8 05000000 mov eax,0x5
004015DE .8901 mov dword ptr ds:,eax
004015E0 .83C4 64 add esp,0x64
004015E3 .C3 retn
; default: *result = (eax != 4) ? 0 : 3, i.e. IDRETRY -> 3, IDOK/other -> 0
; (setne dl; dec edx gives 0 or -1; and 3 folds -1 to 3)
004015E4 >33D2 xor edx,edx ;Default case of switch 0040157F
004015E6 .8B4C24 68 mov ecx,dword ptr ss:
004015EA .83F8 04 cmp eax,0x4
004015ED .0f95c2 setne dl
004015F0 .4A dec edx
004015F1 .83E2 03 and edx,0x3
004015F4 .8BC2 mov eax,edx
004015F6 .8901 mov dword ptr ds:,eax
004015F8 .83C4 64 add esp,0x64
004015FB .C3 retn
; alignment padding up to the next function at 00401600
004015FC 90 nop
004015FD 90 nop
004015FE 90 nop
004015FF 90 nop
;-----------------------------------------------------------------------
; sub_401600(this) -- thiscall (ecx = this), x86-32, returns with plain retn
; Registers an MSVC-style SEH frame (push -1 / push handler / push fs:[0] /
; mov fs:[0],esp), stores 00481E00 at this+0 and 00481DFC at this+78 and
; this+58 (presumably vtable pointers: image addresses written at offset 0
; of the object and of two embedded members), calls 00401910 with ecx
; pointing at each member, then unlinks the frame. Reads like a
; constructor with two members; 00401910 is not in this dump.
; Frame after the two extra pushes: [esp]=saved esi, [esp+4]=this,
;   [esp+8]=previous fs:[0], [esp+C]=handler 0047B71B, [esp+10]=the slot
;   initialised by push -1 (set to 0 before the first call, -1 before the
;   second -- the MSVC EH try-level in this layout).
; Bytes for the stripped operands (OllyDbg truncates long byte runs with
;   '>'): 64:A1 00000000 = mov eax,fs:[0]; 64:8925 00000000 = mov fs:[0],esp;
;   897424 04 = mov [esp+4],esi; C706 001E4800 = mov dword ptr [esi],00481E00;
;   8D4E 78 = lea ecx,[esi+78]; C74424 10 imm32 = mov dword ptr [esp+10],imm;
;   C701 FC1D4800 = mov dword ptr [ecx],00481DFC; 8D4E 58 = lea ecx,[esi+58];
;   8B4C24 08 = mov ecx,[esp+8]; 64:890D 00000000 = mov fs:[0],ecx.
; Out: eax is not written after the second call, so the caller receives
;   whatever 00401910 left in it. add esp,10 drops the four frame slots.
;-----------------------------------------------------------------------
00401600/$6A FF push -0x1
00401602|.68 1BB74700 push CrackMe.0047B71B ;SE handler installation
00401607|.64:A1 0000000>mov eax,dword ptr fs:
0040160D|.50 push eax
; link this record at the head of the SEH chain
0040160E|.64:8925 00000>mov dword ptr fs:,esp
00401615|.51 push ecx
00401616|.56 push esi ;CrackMe.0064F9F9
00401617|.8BF1 mov esi,ecx
00401619|.897424 04 mov dword ptr ss:,esi ;CrackMe.0064F9F9
0040161D|.C706 001E4800 mov dword ptr ds:,CrackMe.00481E00
; first member at this+78; slot [esp+10] = 0 while it is being built
00401623|.8D4E 78 lea ecx,dword ptr ds:
00401626|.C74424 10 000>mov dword ptr ss:,0x0
0040162E|.C701 FC1D4800 mov dword ptr ds:,CrackMe.00481DFC
00401634|.E8 D7020000 call CrackMe.00401910
; second member at this+58; slot [esp+10] back to -1 before the call
00401639|.8D4E 58 lea ecx,dword ptr ds:
0040163C|.C74424 10 FFF>mov dword ptr ss:,-0x1
00401644|.C701 FC1D4800 mov dword ptr ds:,CrackMe.00481DFC
0040164A|.E8 C1020000 call CrackMe.00401910
; unlink: fs:[0] = the previous record saved at [esp+8]
0040164F|.8B4C24 08 mov ecx,dword ptr ss:
00401653|.5E pop esi ;01EEEE38
00401654|.64:890D 00000>mov dword ptr fs:,ecx
0040165B|.83C4 10 add esp,0x10
0040165E\.C3 retn
看不懂,等大佬解答
cengsihan 发表于 2021-6-4 10:56
计算出正确的key?
垃圾代码太多太多了,不想去分析。
各位大佬计算成了吗?
有用留记号