C写的第五个cm（xp可运行）

审判者压缩 发表于 2021-11-15 22:35

新手一个，
用c写了一个cm，
希望破掉的各位，可以告诉下爆破位置和思路。
先谢为敬。

solly 发表于 2021-11-16 08:43

本帖最后由 solly 于 2021-11-16 09:12 编辑

断下 WriteConsoleW 和 WriteConsoleA 就可以找到下面的 main()了。00401530 55          push ebp
00401531 89E5          mov ebp,esp
00401533 57          push edi
00401534 56          push esi
00401535 53          push ebx
00401536 83E4 F0       and esp,-0x10
00401539 83EC 20       sub esp,0x20
0040153C E8 2F020000 call cm-5-202.00401770
00401541 C70424 00404000 mov dword ptr ss:,cm-5-202.00404000 ; ASCII "input answer"
00401548 E8 EF110000 call <jmp.&msvcrt.puts>
0040154D 8D4424 1C    lea eax,dword ptr ss:
00401551 894424 04    mov dword ptr ss:,eax
00401555 C70424 0D404000 mov dword ptr ss:,cm-5-202.0040400D ; ASCII "%d"
0040155C E8 D3110000 call <jmp.&msvcrt.scanf>
00401561 8B4C24 1C    mov ecx,dword ptr ss:
00401565 81F9 F3010000 cmp ecx,0x1F3
0040156B 7E 7B       jle short cm-5-202.004015E8
0040156D 81F9 C0912100 cmp ecx,0x2191C0
00401573 0F8F 80000000 jg cm-5-202.004015F9
00401579 81F9 F6711500 cmp ecx,0x1571F6
0040157F 0F8F E9000000 jg cm-5-202.0040166E
00401585 81F9 DC000000 cmp ecx,0xDC
0040158B 74 7D       je short cm-5-202.0040160A
0040158D 81F9 DE000000 cmp ecx,0xDE
00401593 0F84 A3000000 je cm-5-202.0040163C
00401599 83F9 42       cmp ecx,0x42
0040159C^ 74 DB       je short cm-5-202.00401579
0040159E BB 79000000 mov ebx,0x79
004015A3 89C8          mov eax,ecx                               ; msvcrt.77C2FCA0
004015A5 99          cdq
004015A6 F7FB          idiv ebx
004015A8 85D2          test edx,edx                               ; msvcrt.77C31B78
004015AA 0F84 05010000 je cm-5-202.004016B5
004015B0 BE 6E000000 mov esi,0x6E
004015B5 BB 65000000 mov ebx,0x65
004015BA 89C8          mov eax,ecx                               ; msvcrt.77C2FCA0
004015BC 99          cdq
004015BD F7FB          idiv ebx
004015BF 85D2          test edx,edx                               ; msvcrt.77C31B78
004015C1 0F84 F8000000 je cm-5-202.004016BF
004015C7 BB 6F000000 mov ebx,0x6F
004015CC BF 73000000 mov edi,0x73
004015D1 89C8          mov eax,ecx                               ; msvcrt.77C2FCA0
004015D3 99          cdq
004015D4 F7FF          idiv edi
004015D6 85D2          test edx,edx                               ; msvcrt.77C31B78
004015D8 0F84 EB000000 je cm-5-202.004016C9
004015DE BF 21000000 mov edi,0x21
004015E3 E9 95000000 jmp cm-5-202.0040167D
004015E8 C70424 10404000 mov dword ptr ss:,cm-5-202.00404010 ; ASCII "no!"
004015EF E8 48110000 call <jmp.&msvcrt.puts>
004015F4 E9 A8000000 jmp cm-5-202.004016A1
004015F9 C70424 10404000 mov dword ptr ss:,cm-5-202.00404010 ; ASCII "no!"
00401600 E8 37110000 call <jmp.&msvcrt.puts>
00401605 E9 97000000 jmp cm-5-202.004016A1
0040160A C70424 6E000000 mov dword ptr ss:,0x6E
00401611 E8 2E110000 call <jmp.&msvcrt.putchar>
00401616 C70424 6F000000 mov dword ptr ss:,0x6F
0040161D E8 22110000 call <jmp.&msvcrt.putchar>
00401622 C70424 21000000 mov dword ptr ss:,0x21
00401629 E8 16110000 call <jmp.&msvcrt.putchar>
0040162E C70424 0A000000 mov dword ptr ss:,0xA
00401635 E8 0A110000 call <jmp.&msvcrt.putchar>
0040163A EB 65       jmp short cm-5-202.004016A1
0040163C C70424 6E000000 mov dword ptr ss:,0x6E
00401643 E8 FC100000 call <jmp.&msvcrt.putchar>
00401648 C70424 6F000000 mov dword ptr ss:,0x6F
0040164F E8 F0100000 call <jmp.&msvcrt.putchar>
00401654 C70424 21000000 mov dword ptr ss:,0x21
0040165B E8 E4100000 call <jmp.&msvcrt.putchar>
00401660 C70424 0A000000 mov dword ptr ss:,0xA
00401667 E8 D8100000 call <jmp.&msvcrt.putchar>
0040166C EB 33       jmp short cm-5-202.004016A1
0040166E BF 21000000 mov edi,0x21
00401673 BB 6F000000 mov ebx,0x6F
00401678 BE 6E000000 mov esi,0x6E
0040167D 893424       mov dword ptr ss:,esi
00401680 E8 BF100000 call <jmp.&msvcrt.putchar>
00401685 891C24       mov dword ptr ss:,ebx
00401688 E8 B7100000 call <jmp.&msvcrt.putchar>
0040168D 893C24       mov dword ptr ss:,edi
00401690 E8 AF100000 call <jmp.&msvcrt.putchar>
00401695 C70424 0A000000 mov dword ptr ss:,0xA
0040169C E8 A3100000 call <jmp.&msvcrt.putchar>
004016A1 C70424 14404000 mov dword ptr ss:,cm-5-202.00404014 ; ASCII "pause"
004016A8 E8 67100000 call <jmp.&msvcrt.system>
004016AD 8D65 F4       lea esp,dword ptr ss:
004016B0 5B          pop ebx
004016B1 5E          pop esi
004016B2 5F          pop edi
004016B3 5D          pop ebp
004016B4 C3          retn
004016B5 BE 79000000 mov esi,0x79
004016BA^ E9 F6FEFFFF jmp cm-5-202.004015B5
004016BF BB 65000000 mov ebx,0x65
004016C4^ E9 03FFFFFF jmp cm-5-202.004015CC
004016C9 BF 73000000 mov edi,0x73
004016CE^ EB AD       jmp short cm-5-202.0040167D

结果是一个乘积：'y' * 'e' * 's'

weikun444 发表于 2021-11-16 21:48

放到IDA里容易看到，代码实质是让求121.101.115的公倍数，应该是最小公倍数！

if ( v3 % 121 )
   v0 = 110;                               // n的asc
else
   v0 = 121;                               // y的asc
if ( v3 % 101 )
   v1 = 111;                               // o的asc
else
   v1 = 101;                               // e的asc
if ( v3 % 115 )
   v2 = 33;                               // !的asc
else
   v2 = 115;                               // s的asc
loop2:
putchar(v0);
putchar(v1);
putchar(v2);
putchar(10);                            // 换行的asc

93244 发表于 2021-11-15 22:54

DaJB 发表于 2021-11-15 23:10

yiyuesheng84 发表于 2021-11-16 00:03

艾莉希雅 发表于 2021-11-16 00:05

谢谢大佬，学习了
感谢分享
1405415
思路：
值要小于1405430且大于499
%121与%101与%115都要为0

cydiansu 发表于 2021-11-16 07:32

kennie611 发表于 2021-11-16 09:08

DJWLBJ 发表于 2021-11-16 09:25

伞兵一号卢本伟 发表于 2021-11-16 10:39

页: [1] 2 3

吾爱破解 - 52pojie.cn's Archiver

C写的第五个cm（xp可运行）