【吾爱破解2014CrackMe大赛】【第二组】
本帖最后由 L4Nce 于 2014-10-24 22:31 编辑

不会分析算法，只能爆破（直接改掉关键跳转）。
附件可能被杀软报毒，请在隔离的虚拟机里分析，谨慎对待杀毒软件的提示。
在 OD 里下万能断点，断下后按 Alt+F9（执行到用户代码）返回到程序自身的代码。注：下面反汇编里 `dword ptr ds:` / `ss:` 后面的 `[...]` 内存操作数疑似被论坛当成标记吃掉了，阅读时请对照左侧机器码还原，例如 `8379 68 00` 即 `cmp dword ptr ds:[ecx+0x68],0x0`，`FF75 08` 即 `push dword ptr ss:[ebp+0x8]`。
0041222C 8379 68 00 cmp dword ptr ds:,0x0
00412230 75 16 jnz short CrackMe.00412248
00412232 FF75 10 push dword ptr ss:
00412235 FF75 0C push dword ptr ss:
00412238 FF75 08 push dword ptr ss:
0041223B FF71 20 push dword ptr ds:
0041223E FF15 A8575200 call dword ptr ds:[<&USER32.GetDlgItemTe>; //这里调用 GetDlgItemTextA 读取输入框内容；按下面调用处（00401BF9 起）的压栈顺序，控件 ID 为 0x3EC，缓冲区长度为 0x104
user32.GetDlgItemTextA
00412244 5D pop ebp ; 0012F7E0
00412245 C2 0C00 retn 0xC
00412248 8B49 68 mov ecx,dword ptr ds:
0041224B 8B01 mov eax,dword ptr ds:
0041224D 5D pop ebp
0041224E FF60 7C jmp dword ptr ds:
00412251 8BFF mov edi,edi
00412253 55 push ebp
00412254 8BEC mov ebp,esp
00412256 56 push esi
从这里一路向下单步跟踪，直到回到 CrackMe 自己的代码：
00401BF9 68 04010000 push 0x104//Alt+F9 返回到这里：0x104 是缓冲区长度，接着 push 缓冲区地址（edx）和控件 ID 0x3EC，再 call 00412227（即上面的 GetDlgItemTextA 封装），继续向下看
00401BFE 8D9424 A8060000 lea edx,dword ptr ss:
00401C05 52 push edx
00401C06 8BF8 mov edi,eax
00401C08 68 EC030000 push 0x3EC
00401C0D 8BCE mov ecx,esi
00401C0F 897C24 20 mov dword ptr ss:,edi
00401C13 E8 0F060100 call CrackMe.00412227
00401C18 8BF0 mov esi,eax
00401C1A 897424 10 mov dword ptr ss:,esi
00401C1E FF7424 14 push dword ptr ss:
00401C22 FF7424 14 push dword ptr ss:
00401C26 8F4424 28 pop dword ptr ss:
00401C2A 8F4424 20 pop dword ptr ss:
00401C2E 83F7 04 xor edi,0x4
00401C31 83F6 04 xor esi,0x4
00401C34 83C7 FC add edi,-0x4
00401C37 897424 10 mov dword ptr ss:,esi
00401C3B 83FF 03 cmp edi,0x3
00401C3E 77 1B ja short CrackMe.00401C5B
00401C40 8D46 FC lea eax,dword ptr ds:
00401C43 83F8 03 cmp eax,0x3
00401C46 77 13 ja short CrackMe.00401C5B
00401C48 68 50214000 push CrackMe.00402150
00401C4D 6A 51 push 0x51
00401C4F 6A 14 push 0x14
00401C51 8D4C24 48 lea ecx,dword ptr ss:
00401C55 51 push ecx
00401C56 E9 1E020000 jmp CrackMe.00401E79
00401C5B 8D4424 3C lea eax,dword ptr ss:
00401C5F E8 4C020000 call CrackMe.00401EB0
00401C64 8B5C24 20 mov ebx,dword ptr ss:
00401C68 33FF xor edi,edi
00401C6A 85DB test ebx,ebx
00401C6C 7E 5E jle short CrackMe.00401CCC
00401C6E 8BFF mov edi,edi
00401C70 0FBE843C 980600>movsx eax,byte ptr ss:
00401C78 8BC8 mov ecx,eax
00401C7A C1F9 04 sar ecx,0x4
00401C7D 83E1 0F and ecx,0xF
00401C80 83E0 0F and eax,0xF
00401C83 8BF0 mov esi,eax
00401C85 83F9 09 cmp ecx,0x9
00401C88 76 0E jbe short CrackMe.00401C98
00401C8A B8 398EE338 mov eax,0x38E38E39
00401C8F F7E1 mul ecx
00401C91 D1EA shr edx,1
00401C93 6BD2 F7 imul edx,edx,-0x9
00401C96 03CA add ecx,edx
00401C98 83FE 09 cmp esi,0x9
00401C9B 76 0E jbe short CrackMe.00401CAB
00401C9D B8 398EE338 mov eax,0x38E38E39
00401CA2 F7E6 mul esi
00401CA4 D1EA shr edx,1
00401CA6 6BD2 F7 imul edx,edx,-0x9
00401CA9 03F2 add esi,edx
00401CAB 8D04CE lea eax,dword ptr ds:
00401CAE 03C1 add eax,ecx
00401CB0 47 inc edi
00401CB1 8D1480 lea edx,dword ptr ds:
00401CB4 894C24 30 mov dword ptr ss:,ecx
00401CB8 897424 34 mov dword ptr ss:,esi
00401CBC C74494 3C FFEEF>mov dword ptr ss:,0xEEFF>
00401CC4 3BFB cmp edi,ebx
00401CC6^ 7C A8 jl short CrackMe.00401C70
00401CC8 8B7424 10 mov esi,dword ptr ss:
00401CCC 33FF xor edi,edi
00401CCE 85F6 test esi,esi
00401CD0 0F8E BD000000 jle CrackMe.00401D93
00401CD6 BB FEFEFEFE mov ebx,0xFEFEFEFE
00401CDB EB 03 jmp short CrackMe.00401CE0
00401CDD 8D49 00 lea ecx,dword ptr ds:
00401CE0 0FBE843C A40600>movsx eax,byte ptr ss:
00401CE8 8BC8 mov ecx,eax
00401CEA C1F9 04 sar ecx,0x4
00401CED 83E1 0F and ecx,0xF
00401CF0 83E0 0F and eax,0xF
00401CF3 8BF0 mov esi,eax
00401CF5 83F9 09 cmp ecx,0x9
00401CF8 76 0E jbe short CrackMe.00401D08
00401CFA B8 398EE338 mov eax,0x38E38E39
00401CFF F7E1 mul ecx
00401D01 D1EA shr edx,1
00401D03 6BD2 F7 imul edx,edx,-0x9
00401D06 03CA add ecx,edx
00401D08 83FE 09 cmp esi,0x9
00401D0B 76 0E jbe short CrackMe.00401D1B
00401D0D B8 398EE338 mov eax,0x38E38E39
00401D12 F7E6 mul esi
00401D14 D1EA shr edx,1
00401D16 6BD2 F7 imul edx,edx,-0x9
00401D19 03F2 add esi,edx
00401D1B 8D04CE lea eax,dword ptr ds:
00401D1E 03C1 add eax,ecx
00401D20 8D0C80 lea ecx,dword ptr ds:
00401D23 03C9 add ecx,ecx
00401D25 03C9 add ecx,ecx
00401D27 395C0C 40 cmp dword ptr ss:,ebx
00401D2B 74 10 je short CrackMe.00401D3D
00401D2D 8D5480 D3 lea edx,dword ptr ds:
00401D31 817494 3C 11111>xor dword ptr ss:,0x1111>
00401D39 8D5494 3C lea edx,dword ptr ss:
00401D3D 395C0C 44 cmp dword ptr ss:,ebx
00401D41 74 15 je short CrackMe.00401D58
00401D43 8D5480 D3 lea edx,dword ptr ds:
00401D47 8B5494 3C mov edx,dword ptr ss:
00401D4B 81F2 11111111 xor edx,0x11111111
00401D51 89940C F0000000 mov dword ptr ss:,edx
00401D58 395C0C 48 cmp dword ptr ss:,ebx
00401D5C 74 12 je short CrackMe.00401D70
00401D5E 8D5480 D3 lea edx,dword ptr ds:
00401D62 8B5494 3C mov edx,dword ptr ss:
00401D66 81F2 11111111 xor edx,0x11111111
00401D6C 89540C 28 mov dword ptr ss:,edx
00401D70 395C0C 4C cmp dword ptr ss:,ebx
00401D74 74 12 je short CrackMe.00401D88
00401D76 8D4480 D3 lea eax,dword ptr ds:
00401D7A 8B5484 3C mov edx,dword ptr ss:
00401D7E 81F2 11111111 xor edx,0x11111111
00401D84 89540C 50 mov dword ptr ss:,edx
00401D88 47 inc edi
00401D89 3B7C24 10 cmp edi,dword ptr ss:
00401D8D^ 0F8C 4DFFFFFF jl CrackMe.00401CE0
00401D93 33C9 xor ecx,ecx //校验算法的最后阶段：前面两个循环把输入的每个字节拆成高/低 4 位（sar 4 / and 0xF），大于 9 的对 9 取余（乘 0x38E38E39 再 shr 1 是除以 9 的优化），再据此对栈上的表写入/异或 0x11111111；这里 edx=3 轮，把表中的 dword 累加进 ecx，最后在 00401E51 与常量 0xFA9EFA4E 比较
00401D95 8D8424 C8000000 lea eax,dword ptr ss:
00401D9C 8D51 03 lea edx,dword ptr ds:
00401D9F 90 nop
00401DA0 8BB0 74FFFFFF mov esi,dword ptr ds:
00401DA6 0370 88 add esi,dword ptr ds:
00401DA9 05 1C020000 add eax,0x21C
00401DAE 03B0 80FDFFFF add esi,dword ptr ds:
00401DB4 03B0 94FDFFFF add esi,dword ptr ds:
00401DBA 03B0 A8FDFFFF add esi,dword ptr ds:
00401DC0 03B0 BCFDFFFF add esi,dword ptr ds:
00401DC6 03B0 D0FDFFFF add esi,dword ptr ds:
00401DCC 03B0 F8FDFFFF add esi,dword ptr ds:
00401DD2 03B0 E4FDFFFF add esi,dword ptr ds:
00401DD8 03CE add ecx,esi
00401DDA 8BB0 ACFEFFFF mov esi,dword ptr ds:
00401DE0 03B0 98FEFFFF add esi,dword ptr ds:
00401DE6 03B0 84FEFFFF add esi,dword ptr ds:
00401DEC 03B0 70FEFFFF add esi,dword ptr ds:
00401DF2 03B0 5CFEFFFF add esi,dword ptr ds:
00401DF8 03B0 48FEFFFF add esi,dword ptr ds:
00401DFE 03B0 34FEFFFF add esi,dword ptr ds:
00401E04 03B0 20FEFFFF add esi,dword ptr ds:
00401E0A 03B0 0CFEFFFF add esi,dword ptr ds:
00401E10 03CE add ecx,esi
00401E12 8BB0 60FFFFFF mov esi,dword ptr ds:
00401E18 03B0 4CFFFFFF add esi,dword ptr ds:
00401E1E 03B0 38FFFFFF add esi,dword ptr ds:
00401E24 03B0 24FFFFFF add esi,dword ptr ds:
00401E2A 03B0 10FFFFFF add esi,dword ptr ds:
00401E30 03B0 FCFEFFFF add esi,dword ptr ds:
00401E36 03B0 E8FEFFFF add esi,dword ptr ds:
00401E3C 03B0 D4FEFFFF add esi,dword ptr ds:
00401E42 03B0 C0FEFFFF add esi,dword ptr ds:
00401E48 03CE add ecx,esi
00401E4A 4A dec edx
00401E4B^ 0F85 4FFFFFFF jnz CrackMe.00401DA0
00401E51 81F9 4EFA9EFA cmp ecx,0xFA9EFA4E
00401E57 75 12 jnz short CrackMe.00401E6B //爆破点：把这两个字节 75 12 改成 90 90（nop），或改成 EB 00（jmp 到 00401E59），无论输入什么都会走到 MessageBoxA 弹出 good 对话框。注意这只是跳过比较，并没有求出正确的序列号；上面那个 0xFA9EFA4E 常量才是真正要逆推的目标
00401E59 52 push edx
00401E5A 68 70D95400 push CrackMe.0054D970 ; 0
00401E5F 68 74D95400 push CrackMe.0054D974 ; good
00401E64 52 push edx
00401E65 FF15 40585200 call dword ptr ds:[<&USER32.MessageBoxA>>; user32.MessageBoxA
00401E6B 68 50214000 push CrackMe.00402150
最后成绩：80 × 70% × 50% = 28 分
评委评价：爆破有效。
谢谢参与，请继续加油。