【吾爱2013CM大赛解答】-- Fuc kKido -- Unsped 解码CM分析
本帖最后由 xjun 于 2013-12-15 16:11 编辑
【文章标题】: 【吾爱2013CM大赛解答】-- Fuc kKido -- Unsped解码CM分析
【文章作者】: Xjun
【作者主页】: www.52pojie.cn
【软件名称】: Fuc kKido -- Unsped
【下载地址】: http://www.52pojie.cn/thread-228711-1-1.html
【操作平台】: win xp
【作者声明】: 失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
CM主要是里面预先写好了密文,然后要我们逆出KEY来使得解码内容为You win
载入OD 发现oepS 00401000 发现是自己改的,为易语言黑月编译的程序!
发现会弹出信息框!下MessageBoxA断点!
断下后一直回溯来到这里:
下上断点 点击按钮:
跟到
; 00401519 - button handler (excerpt, the author stops the listing after the decode call).
; The paste dropped the [..] of every memory operand; offsets in the comments are decoded from the opcode bytes.
00401519 55 push ebp
0040151A 8BEC mov ebp, esp
0040151C 81EC 0C000000 sub esp, 0xC ; three dword locals
00401522 68 04000080 push 0x80000004 ; argument type tag
00401527 6A 00 push 0x0
00401529 A1 E1524000 mov eax, dword ptr ; eax = dword at 004052E1 (A1 imm32)
0040152E 85C0 test eax, eax
00401530 75 05 jnz short 00401537
00401532 B8 00524000 mov eax, 00405200 ; null -> default constant at 00405200
00401537 50 push eax
00401538 68 01000000 push 0x1 ; one argument
0040153D BB 98010000 mov ebx, 0x198
00401542 E8 590C0000 call 004021A0 ; library call (ebx=0x198); per the author its result is the key typed into the edit box
00401547 83C4 10 add esp, 0x10
0040154A 8945 FC mov dword ptr , eax ; [ebp-4] = key string
0040154D 8D45 FC lea eax, dword ptr ; &[ebp-4]
00401550 50 push eax ; second argument of 00401747: pointer to the key
00401551 B8 0E524000 mov eax, 0040520E ; address of the built-in ciphertext constant (author: pre-written, fixed length 7)
00401556 8945 F8 mov dword ptr , eax ; [ebp-8] = ciphertext string
00401559 8D45 F8 lea eax, dword ptr ; &[ebp-8]
0040155C 50 push eax ; first argument of 00401747: pointer to the ciphertext
0040155D E8 E5010000 call 00401747 ; the decode routine (author's note: "decryption happens here"), listed below
00401562 8945 F4 mov dword ptr , eax ; [ebp-0C] = decoded string returned by the call
00401565 8B5D F8 mov ebx, dword ptr ; ebx = [ebp-8]
我们下断点到 0040155D
通过看call传递的参数看到 加密的密文和你输入的key
我们来分析call的算法
; 00401747 - the decode routine, called with two string pointers: arg1 = ciphertext, arg2 = key.
; The paste dropped the [..] of every memory operand; offsets quoted in the comments are decoded from the opcode bytes.
; Net effect (matching the author's worked result below the listing): for each ciphertext position i,
; output[i] = 00402290(cipher[i] - key[pos], 256.0) with pos = 00402290(key length, i) + 1 (author: "+1").
; Key position 1 is never read, which is why the author finds the first key byte can be anything.
00401747 55 push ebp
00401748 8BEC mov ebp, esp
0040174A 81EC 80000000 sub esp, 0x80 ; 0x80 bytes of locals
00401750 C745 FC 0000000>mov dword ptr , 0x0 ; zero the locals [ebp-4] .. [ebp-24] (nine dwords)
00401757 C745 F8 0000000>mov dword ptr , 0x0 ; [ebp-8]: stays 0 for the whole routine (see 00401929)
0040175E C745 F4 0000000>mov dword ptr , 0x0
00401765 C745 F0 0000000>mov dword ptr , 0x0
0040176C C745 EC 0000000>mov dword ptr , 0x0
00401773 C745 E8 0000000>mov dword ptr , 0x0
0040177A C745 E4 0000000>mov dword ptr , 0x0
00401781 C745 E0 0000000>mov dword ptr , 0x0
00401788 C745 DC 0000000>mov dword ptr , 0x0 ; [ebp-24]: accumulates the decoded output string
0040178F 8B5D 08 mov ebx, dword ptr ; ebx = arg1 ([ebp+8]) = ciphertext
00401792 8B03 mov eax, dword ptr ; eax = the string object it points to
00401794 85C0 test eax, eax
00401796 74 13 je short 004017AB ; null string: nothing to copy
00401798 50 push eax ; source for the copy
00401799 8B40 04 mov eax, dword ptr ; [eax+4]: header field used as the byte count (presumably the length) - confirm
0040179C 83C0 08 add eax, 0x8 ; + 8 bytes of header
0040179F 50 push eax
004017A0 E8 28040000 call 00401BCD ; allocate a memory block of that size (author's note)
004017A5 59 pop ecx ; ecx = byte count
004017A6 5E pop esi ; esi = source string
004017A7 8BF8 mov edi, eax ; edi = new block
004017A9 F3:A4 rep movs byte ptr es:, byte ptr > ; deep-copy header + data
004017AB 50 push eax ; keep the copy (or 0 for a null string)
004017AC 8B5D FC mov ebx, dword ptr ; previous [ebp-4]
004017AF 85DB test ebx, ebx
004017B1 74 09 je short 004017BC
004017B3 53 push ebx
004017B4 E8 02040000 call 00401BBB ; 00401BBB on a non-null old value: presumably releases it - confirm
004017B9 83C4 04 add esp, 0x4
004017BC 58 pop eax
004017BD 8945 FC mov dword ptr , eax ; [ebp-4] = private copy of the ciphertext
004017C0 C745 F8 0000000>mov dword ptr , 0x0 ; [ebp-8] = 0 (last write to this slot)
004017C7 8B5D 0C mov ebx, dword ptr ; ebx = arg2 ([ebp+0C]) = key
004017CA 8B03 mov eax, dword ptr
004017CC 85C0 test eax, eax
004017CE 74 13 je short 004017E3
004017D0 50 push eax
004017D1 8B40 04 mov eax, dword ptr
004017D4 83C0 08 add eax, 0x8
004017D7 50 push eax
004017D8 E8 F0030000 call 00401BCD ; allocate a memory block (same copy sequence as above)
004017DD 59 pop ecx
004017DE 5E pop esi
004017DF 8BF8 mov edi, eax
004017E1 F3:A4 rep movs byte ptr es:, byte ptr >
004017E3 50 push eax
004017E4 8B5D F4 mov ebx, dword ptr ; previous [ebp-0C]
004017E7 85DB test ebx, ebx
004017E9 74 09 je short 004017F4
004017EB 53 push ebx
004017EC E8 CA030000 call 00401BBB
004017F1 83C4 04 add esp, 0x4
004017F4 58 pop eax
004017F5 8945 F4 mov dword ptr , eax ; [ebp-0C] = private copy of the key
004017F8 68 05000080 push 0x80000005 ; argument type tag
004017FD 6A 00 push 0x0
004017FF 8B45 FC mov eax, dword ptr ; [ebp-4] = ciphertext copy
00401802 85C0 test eax, eax
00401804 75 05 jnz short 0040180B
00401806 B8 2C524000 mov eax, 0040522C ; null -> the default string constant at 0040522C
0040180B 50 push eax
0040180C 68 01000000 push 0x1 ; one argument
00401811 BB 94010000 mov ebx, 0x194
00401816 E8 650A0000 call 00402280 ; library call (ebx=0x194): string length
0040181B 83C4 10 add esp, 0x10
0040181E 8945 F0 mov dword ptr , eax ; [ebp-10] = ciphertext length (author: the ciphertext is fixed, length 7)
00401821 68 05000080 push 0x80000005
00401826 6A 00 push 0x0
00401828 8B45 F4 mov eax, dword ptr ; [ebp-0C] = key copy
0040182B 85C0 test eax, eax
0040182D 75 05 jnz short 00401834
0040182F B8 2C524000 mov eax, 0040522C
00401834 50 push eax
00401835 68 01000000 push 0x1
0040183A BB 94010000 mov ebx, 0x194
0040183F E8 3C0A0000 call 00402280 ; same call on the key: key length (author: this is the edit-box input)
00401844 83C4 10 add esp, 0x10
00401847 8945 EC mov dword ptr , eax ; [ebp-14] = key length
0040184A 8B45 F0 mov eax, dword ptr ; eax = ciphertext length = loop bound
0040184D 33C9 xor ecx, ecx ; ecx = loop counter, starts at 0
0040184F 50 push eax
00401850 8D45 E8 lea eax, dword ptr ; &[ebp-18], the counter variable
00401853 8BD8 mov ebx, eax
00401855 58 pop eax
00401856 41 inc ecx ; counted loop begins here: counter += 1 (author's note)
00401857 51 push ecx
00401858 53 push ebx
00401859 890B mov dword ptr , ecx ; [ebp-18] = counter
0040185B 50 push eax
0040185C 3BC8 cmp ecx, eax
0040185E 0F8F 1A020000 jg 00401A7E ; leave the loop once counter > ciphertext length
00401864 8B5D FC mov ebx, dword ptr ; ebx = ciphertext copy ([ebp-4])
00401867 E8 CDFDFFFF call 00401639 ; string accessor; the checks below use ecx as the length and ebx as the data pointer (inferred) - confirm
0040186C 53 push ebx
0040186D 51 push ecx
0040186E 8B45 E8 mov eax, dword ptr ; eax = counter ([ebp-18])
00401871 48 dec eax ; zero-based index = counter - 1
00401872 79 0D jns short 00401881
00401874 68 04000000 push 0x4
00401879 E8 43030000 call 00401BC1 ; index < 0: error handler with code 4 (never taken here, counter >= 1)
0040187E 83C4 04 add esp, 0x4
00401881 59 pop ecx ; ecx = length
00401882 5B pop ebx ; ebx = data pointer
00401883 3BC1 cmp eax, ecx
00401885 7C 0D jl short 00401894
00401887 68 01000000 push 0x1
0040188C E8 30030000 call 00401BC1 ; index >= length: error handler with code 1
00401891 83C4 04 add esp, 0x4
00401894 03D8 add ebx, eax ; ebx = &data[index]
00401896 895D D8 mov dword ptr , ebx ; [ebp-28] = that address
00401899 8B5D D8 mov ebx, dword ptr
0040189C 8A03 mov al, byte ptr
0040189E 8845 E4 mov byte ptr , al ; [ebp-1C] = ciphertext byte at position counter
004018A1 8B5D F4 mov ebx, dword ptr ; ebx = key copy ([ebp-0C])
004018A4 E8 90FDFFFF call 00401639 ; same accessor on the key
004018A9 53 push ebx
004018AA 51 push ecx
004018AB DB45 EC fild dword ptr ; key length ([ebp-14]) as a double
004018AE DD5D D4 fstp qword ptr ; -> [ebp-2C]
004018B1 68 01060080 push 0x80000601 ; argument type tag (precedes every 8-byte double argument below)
004018B6 FF75 D8 push dword ptr
004018B9 FF75 D4 push dword ptr ; key length (double)
004018BC DB45 E8 fild dword ptr ; loop counter ([ebp-18]) as a double
004018BF DD5D CC fstp qword ptr ; -> [ebp-34]
004018C2 68 01060080 push 0x80000601
004018C7 FF75 D0 push dword ptr
004018CA FF75 CC push dword ptr ; counter (double)
004018CD 68 02000000 push 0x2 ; two arguments
004018D2 BB 48000000 mov ebx, 0x48
004018D7 E8 B4090000 call 00402290 ; two-operand double op (ebx=0x48) on (key length, counter); its result becomes a key position, so counter mod key length is plausible - confirm
004018DC 83C4 1C add esp, 0x1C
004018DF 8945 C4 mov dword ptr , eax ; result (edx:eax) -> [ebp-3C]/[ebp-38]
004018E2 8955 C8 mov dword ptr , edx
004018E5 DD45 C4 fld qword ptr ; load the result
004018E8 DC05 34524000 fadd qword ptr ; + the double constant at 00405234 (author: +1)
004018EE DD5D BC fstp qword ptr ; -> [ebp-44]
004018F1 DD45 BC fld qword ptr
004018F4 E8 60FDFFFF call 00401659 ; double on the FPU stack -> integer in eax (inferred from its use as an index) - confirm
004018F9 48 dec eax ; zero-based key index
004018FA 79 0D jns short 00401909
004018FC 68 04000000 push 0x4
00401901 E8 BB020000 call 00401BC1 ; same bounds check as above, now against the key length
00401906 83C4 04 add esp, 0x4
00401909 59 pop ecx
0040190A 5B pop ebx
0040190B 3BC1 cmp eax, ecx
0040190D 7C 0D jl short 0040191C
0040190F 68 01000000 push 0x1
00401914 E8 A8020000 call 00401BC1
00401919 83C4 04 add esp, 0x4
0040191C 03D8 add ebx, eax ; ebx = &key[index]
0040191E 895D B8 mov dword ptr , ebx ; [ebp-48] = that address
00401921 8B5D B8 mov ebx, dword ptr
00401924 8A03 mov al, byte ptr
00401926 8845 E0 mov byte ptr , al ; [ebp-20] = key byte at that position
00401929 837D F8 01 cmp dword ptr , 0x1 ; [ebp-8] == 1 ? ([ebp-8] is 0 since 004017C0 and never rewritten)
0040192D B8 00000000 mov eax, 0x0
00401932 0F94C0 sete al ; flag, always 0 in this routine
00401935 8945 D8 mov dword ptr , eax ; [ebp-28] = flag (slot reused)
00401938 8B45 E4 mov eax, dword ptr ; ciphertext byte ([ebp-1C])
0040193B 25 FF000000 and eax, 0xFF
00401940 8945 D0 mov dword ptr , eax ; -> [ebp-30]
00401943 DB45 D0 fild dword ptr ; ciphertext byte as a double (author: positions 1..7 of the ciphertext in turn)
00401946 DD5D D0 fstp qword ptr
00401949 DD45 D0 fld qword ptr
0040194C 8B45 E0 mov eax, dword ptr ; key byte ([ebp-20])
0040194F 25 FF000000 and eax, 0xFF
00401954 8945 C8 mov dword ptr , eax ; -> [ebp-38]
00401957 DB45 C8 fild dword ptr ; key byte as a double (author: observed to come from key position 2 onward)
0040195A DD5D C8 fstp qword ptr
0040195D DC45 C8 fadd qword ptr ; ciphertext byte + key byte
00401960 DD5D C0 fstp qword ptr ; -> [ebp-40]; author: this addition path turns out to be unused (see the flag test at 004019F2)
00401963 68 01060080 push 0x80000601
00401968 68 00007040 push 0x40700000 ; together with the next push: the double 256.0 (0x4070000000000000)
0040196D 68 00000000 push 0x0
00401972 68 01060080 push 0x80000601
00401977 FF75 C4 push dword ptr
0040197A FF75 C0 push dword ptr ; the sum (double)
0040197D 68 02000000 push 0x2
00401982 BB 48000000 mov ebx, 0x48
00401987 E8 04090000 call 00402290 ; same op on (sum, 256.0): a wrap to one byte if 00402290 is a modulo - confirm
0040198C 83C4 1C add esp, 0x1C
0040198F 8945 B8 mov dword ptr , eax ; addition-path result -> [ebp-48]/[ebp-44]
00401992 8955 BC mov dword ptr , edx
00401995 8B45 E4 mov eax, dword ptr ; ciphertext byte again
00401998 25 FF000000 and eax, 0xFF
0040199D 8945 B0 mov dword ptr , eax ; -> [ebp-50]
004019A0 DB45 B0 fild dword ptr ; ciphertext byte as a double
004019A3 DD5D B0 fstp qword ptr
004019A6 DD45 B0 fld qword ptr
004019A9 8B45 E0 mov eax, dword ptr ; key byte again
004019AC 25 FF000000 and eax, 0xFF
004019B1 8945 A8 mov dword ptr , eax ; -> [ebp-58]
004019B4 DB45 A8 fild dword ptr ; key byte as a double
004019B7 DD5D A8 fstp qword ptr
004019BA DC65 A8 fsub qword ptr ; ciphertext byte - key byte (the path that is actually used)
004019BD DD5D A0 fstp qword ptr ; -> [ebp-60]
004019C0 68 01060080 push 0x80000601
004019C5 68 00007040 push 0x40700000 ; 256.0 again
004019CA 68 00000000 push 0x0
004019CF 68 01060080 push 0x80000601
004019D4 FF75 A4 push dword ptr
004019D7 FF75 A0 push dword ptr ; the difference (double)
004019DA 68 02000000 push 0x2
004019DF BB 48000000 mov ebx, 0x48
004019E4 E8 A7080000 call 00402290 ; same op on (difference, 256.0)
004019E9 83C4 1C add esp, 0x1C
004019EC 8945 98 mov dword ptr , eax ; subtraction-path result -> [ebp-68]/[ebp-64]
004019EF 8955 9C mov dword ptr , edx
004019F2 837D D8 00 cmp dword ptr , 0x0 ; flag from 00401935 ([ebp-28]), always 0
004019F6 0F84 0B000000 je 00401A07 ; always taken: the subtraction result is selected (the author guessed this was an input-length check)
004019FC 8B55 BC mov edx, dword ptr ; addition path - not reached
004019FF 8B45 B8 mov eax, dword ptr
00401A02 E9 06000000 jmp 00401A0D
00401A07 8B55 9C mov edx, dword ptr ; edx:eax = subtraction result
00401A0A 8B45 98 mov eax, dword ptr
00401A0D 8945 88 mov dword ptr , eax ; -> [ebp-78]/[ebp-74]
00401A10 8955 8C mov dword ptr , edx
00401A13 DD45 88 fld qword ptr
00401A16 E8 3EFCFFFF call 00401659 ; double -> integer in eax: the decoded byte for this position
00401A1B 68 01010080 push 0x80000101 ; argument type tag
00401A20 6A 00 push 0x0
00401A22 50 push eax
00401A23 68 01000000 push 0x1
00401A28 BB 40010000 mov ebx, 0x140
00401A2D E8 8E080000 call 004022C0 ; library call (ebx=0x140) on that integer - presumably character code -> one-character string - confirm
00401A32 83C4 10 add esp, 0x10
00401A35 8945 84 mov dword ptr , eax ; [ebp-7C] = decoded character for this position (author's note)
00401A38 FF75 84 push dword ptr ; [ebp-7C], the new character
00401A3B FF75 DC push dword ptr ; [ebp-24], the output accumulated so far
00401A3E B9 02000000 mov ecx, 0x2 ; two pieces
00401A43 E8 A3FCFFFF call 004016EB ; joins the two strings (inferred from the arguments and the reassignment below) - confirm
00401A48 83C4 08 add esp, 0x8
00401A4B 8945 80 mov dword ptr , eax ; [ebp-80] = joined string
00401A4E 8B5D 84 mov ebx, dword ptr ; release the temporary character string
00401A51 85DB test ebx, ebx
00401A53 74 09 je short 00401A5E
00401A55 53 push ebx
00401A56 E8 60010000 call 00401BBB
00401A5B 83C4 04 add esp, 0x4
00401A5E 8B45 80 mov eax, dword ptr
00401A61 50 push eax
00401A62 8B5D DC mov ebx, dword ptr ; release the old accumulator
00401A65 85DB test ebx, ebx
00401A67 74 09 je short 00401A72
00401A69 53 push ebx
00401A6A E8 4C010000 call 00401BBB
00401A6F 83C4 04 add esp, 0x4
00401A72 58 pop eax
00401A73 8945 DC mov dword ptr , eax ; [ebp-24] = joined string
00401A76 58 pop eax
00401A77 5B pop ebx
00401A78 59 pop ecx
00401A79^ E9 D8FDFFFF jmp 00401856 ; next iteration (author's note)
00401A7E 83C4 0C add esp, 0xC ; loop finished (author's note)
00401A81 8B45 DC mov eax, dword ptr ; eax = accumulated output ([ebp-24])
00401A84 85C0 test eax, eax
00401A86 74 15 je short 00401A9D ; empty result: return 0
00401A88 50 push eax
00401A89 8BD8 mov ebx, eax
00401A8B E8 F0FBFFFF call 00401680 ; presumably the string length - confirm
00401A90 40 inc eax ; + 1 (terminator)
00401A91 50 push eax
00401A92 E8 36010000 call 00401BCD ; allocate the return buffer
00401A97 59 pop ecx
00401A98 5E pop esi
00401A99 8BF8 mov edi, eax
00401A9B F3:A4 rep movs byte ptr es:, byte ptr > ; copy the output into it
00401A9D E9 00000000 jmp 00401AA2
00401AA2 50 push eax ; save the return value
00401AA3 8B5D FC mov ebx, dword ptr ; release the three local string copies: [ebp-4]
00401AA6 85DB test ebx, ebx
00401AA8 74 09 je short 00401AB3
00401AAA 53 push ebx
00401AAB E8 0B010000 call 00401BBB
00401AB0 83C4 04 add esp, 0x4
00401AB3 8B5D F4 mov ebx, dword ptr ; [ebp-0C]
00401AB6 85DB test ebx, ebx
00401AB8 74 09 je short 00401AC3
00401ABA 53 push ebx
00401ABB E8 FB000000 call 00401BBB
00401AC0 83C4 04 add esp, 0x4
00401AC3 8B5D DC mov ebx, dword ptr ; [ebp-24]
00401AC6 85DB test ebx, ebx
00401AC8 74 09 je short 00401AD3
00401ACA 53 push ebx
00401ACB E8 EB000000 call 00401BBB
00401AD0 83C4 04 add esp, 0x4
00401AD3 58 pop eax ; eax = decoded string
00401AD4 8BE5 mov esp, ebp
00401AD6 5D pop ebp
00401AD7 C2 0800 retn 0x8 ; callee pops the two argument dwords
然后计算
第一位随便输入
第二位=CE-59=75 u
第三位=D2-6F=63 c
第四位=E0-75=6B k
第五位=40-20=20空格
第六位=A2-57=4B K
第七位=D2-69=69 i
第八位=D2-6E=64 d
发现第一位没有计算,输入什么都行。
@Unsped 不详师傅,你的菊花被爆了. 哈哈
真的很喜欢
不要B啊。。。
你们太牛了,我还是研究怎么在64位win8利用esp脱asp的壳吧
逆算法厉害
膜拜算法大神