我是用户
发表于 2013-12-15 00:52
CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
他们都是一些公开给别人尝试破解的小程序,制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术,也可能是一位 Cracker,想挑战一下其它 Cracker 的破解实力,也可能是一些正在学习破解的人,自己编一些小程序给自己破解,KeyGenMe是要求别人做出它的 keygen (序号产生器), ReverseMe 要求别人把它的算法做出逆向分析, UnpackMe 是要求别人把它成功脱壳,本版块禁止回复非技术无关水贴。
【软件名称】: 【吾爱2013CM大赛解答】-- +乐乐+零度x
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见论坛
【软件语言】: Microsoft Visual C++ 8.0 *
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
1.查壳
拿到程序的第一步就是查壳,看看有没有加保护,也可以知道是什么语言写的。
将lele.exe丢入OD,显示为:Microsoft Visual C++ 8.0 *。
如图1:
用PEID的算法插件扫描,发现有MD5算法。
如图2:
2.分析
打开CM,软件界面如图3:
随便输入用户名和注册码,点确定,程序退出。
我们在 ExitProcess、PostQuitMessage 上下断,发现都达不到关键代码处,这说明这个退出是非常规的(没有走常规的退出路径)。
通过VC8按钮事件,我们找到确定按钮对应的代码,如代码1:
004029A0 > . 55 push ebp ; sub_4029A0: OK-button handler (per the post); ecx = this on entry
004029A1 . 8BEC mov ebp, esp
004029A3 . 81EC 1C040000 sub esp, 0x41C ; locals: 0x400-byte text buffer at [ebp-0x404] plus pointer/length slots at [ebp-0x408..-0x41C]
004029A9 . A1 30915A00 mov eax, dword ptr [<___security_coo> ; /GS stack cookie ...
004029AE . 33C5 xor eax, ebp ; ... xor'ed with ebp ...
004029B0 . 8945 FC mov dword ptr [ebp-0x4], eax ; ... saved at [ebp-4]; verified by __security_check_cookie in the epilogue
004029B3 . 53 push ebx
004029B4 . 56 push esi
004029B5 . 57 push edi
004029B6 . 8BD9 mov ebx, ecx ; ebx = this
004029B8 . 6A 01 push 0x1
004029BA . 899D E8FBFFFF mov dword ptr [ebp-0x418], ebx ; [ebp-0x418] = this (ebx is reused for other things below)
004029C0 . E8 08820100 call <获取用户名和密码> ; author's label ("get username and password"), called with arg 1; ecx still holds this
004029C5 . 68 FF030000 push 0x3FF ; /n = 3FF (1023.)
004029CA . 8D85 FDFBFFFF lea eax, dword ptr [ebp-0x403] ; |
004029D0 . 6A 00 push 0x0 ; |c = 00
004029D2 . 50 push eax ; |s = buf+1
004029D3 . C685 FCFBFFFF>mov byte ptr [ebp-0x404], 0x0 ; |buf[0] = 0
004029DA . E8 814E1200 call <_memset> ; \memset(buf+1, 0, 0x3FF): together with buf[0]=0 the whole 1024-byte local buffer is zeroed
004029DF . 8B83 C0000000 mov eax, dword ptr [ebx+0xC0] ; eax = string data pointer of member this+0xC0 (header fields at negative offsets look like an MFC CString — confirm)
004029E5 . 8DBB C0000000 lea edi, dword ptr [ebx+0xC0] ; edi = &this->str_C0
004029EB . C785 F8FBFFFF>mov dword ptr [ebp-0x408], 0x0 ; [ebp-0x408] = 0 (receives WriteFile's bytes-written below)
004029F5 . 8B50 F4 mov edx, dword ptr [eax-0xC] ; edx = length field at data-0xC
004029F8 . 83C4 0C add esp, 0xC
004029FB . 85D2 test edx, edx
004029FD . 0F88 E0030000 js <loc_402DE3> ; negative length -> E_INVALIDARG stub
00402A03 . BE 01000000 mov esi, 0x1
00402A08 . 8BCE mov ecx, esi
00402A0A . 2B48 FC sub ecx, dword ptr [eax-0x4] ; ecx = 1 - [data-4]
00402A0D . 8B40 F8 mov eax, dword ptr [eax-0x8] ; eax = [data-8]
00402A10 . 2BC2 sub eax, edx ; eax = [data-8] - length
00402A12 . 0BC8 or ecx, eax ; sign bit set if either difference is negative ...
00402A14 . 7D 08 jge short <loc_402A1E>
00402A16 . 52 push edx
00402A17 . 8BCF mov ecx, edi
00402A19 . E8 72F6FFFF call <sub_402090> ; ... then sub_402090(&str, length) (presumably reallocates / unshares the buffer — confirm)
00402A1E > > 8B1F mov ebx, dword ptr [edi] ; loc_402A1E: ebx = wide string data of this+0xC0
00402A20 . 85DB test ebx, ebx
00402A22 . 74 6B je short <loc_402A8F> ; NULL -> no ANSI copy (ecx = 0)
00402A24 . 8BCB mov ecx, ebx
00402A26 . 8D51 02 lea edx, dword ptr [ecx+0x2]
00402A29 . 8DA424 000000>lea esp, dword ptr [esp] ; 7-byte nop (loop alignment)
00402A30 > > 66:8B01 mov ax, word ptr [ecx] ; loc_402A30: inline wcslen
00402A33 . 83C1 02 add ecx, 0x2
00402A36 . 66:85C0 test ax, ax
00402A39 .^ 75 F5 jnz short <loc_402A30>
00402A3B . 2BCA sub ecx, edx
00402A3D . D1F9 sar ecx, 1 ; ecx = number of WCHARs before the terminator
00402A3F . 8D41 01 lea eax, dword ptr [ecx+0x1]
00402A42 . 8985 F4FBFFFF mov dword ptr [ebp-0x40C], eax ; [ebp-0x40C] = wcslen+1 (temporary; overwritten at 00402AA9)
00402A48 . 3D FFFFFF3F cmp eax, 0x3FFFFFFF
00402A4D . 7F 40 jg short <loc_402A8F> ; too long -> ecx = 0
00402A4F . 03C0 add eax, eax ; eax = 2*(len+1) bytes
00402A51 . E8 CA8F1200 call <__alloca_probe_16> ; stack-allocate the ANSI buffer (size in eax)
00402A56 . 8BF4 mov esi, esp ; esi = alloca'd buffer
00402A58 . 85F6 test esi, esi
00402A5A . 74 2E je short <loc_402A8A>
00402A5C . 8B8D F4FBFFFF mov ecx, dword ptr [ebp-0x40C]
00402A62 . 6A 00 push 0x0 ; /pDefaultCharUsed = NULL
00402A64 . 6A 00 push 0x0 ; |pDefaultChar = NULL
00402A66 . 8D0409 lea eax, dword ptr [ecx+ecx] ; |MultiByteCount = 2*(len+1)
00402A69 . 50 push eax ; |MultiByteCount
00402A6A . 56 push esi ; |MultiByteStr
00402A6B . 6A FF push -0x1 ; |WideCharCount = FFFFFFFF (-1.)  (NUL-terminated input)
00402A6D . 53 push ebx ; |WideCharStr
00402A6E . 6A 00 push 0x0 ; |Options = 0
00402A70 . 6A 03 push 0x3 ; |CodePage = 0x3 (CP_THREAD_ACP)
00402A72 . C606 00 mov byte ptr [esi], 0x0 ; |
00402A75 . FF15 14345500 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte: wide -> ANSI into the stack buffer
00402A7B . 8BC8 mov ecx, eax ; branchless select: ecx = (ret != 0) ? esi : NULL
00402A7D . F7D9 neg ecx ; CF = (ret != 0)
00402A7F . 1BC9 sbb ecx, ecx ; ecx = CF ? -1 : 0
00402A81 . 23CE and ecx, esi
00402A83 . BE 01000000 mov esi, 0x1
00402A88 . EB 07 jmp short <loc_402A91>
00402A8A > > BE 01000000 mov esi, 0x1 ; loc_402A8A
00402A8F > > 33C9 xor ecx, ecx ; loc_402A8F: ecx = NULL
00402A91 > > 8D51 01 lea edx, dword ptr [ecx+0x1] ; loc_402A91: inline strlen(ecx) — runs even when ecx is NULL (would read address 0)
00402A94 > > 8A01 mov al, byte ptr [ecx] ; loc_402A94
00402A96 . 41 inc ecx
00402A97 . 84C0 test al, al
00402A99 .^ 75 F9 jnz short <loc_402A94>
00402A9B . 2BCA sub ecx, edx ; ecx = strlen
00402A9D . 8D41 01 lea eax, dword ptr [ecx+0x1]
00402AA0 . 50 push eax ; strlen+1
00402AA1 . E8 82080000 call <sub_403328> ; heap allocation of strlen+1 bytes (author: "allocates a block"); the block is freed at 00402CBE
00402AA6 . 83C4 04 add esp, 0x4
00402AA9 . 8985 F4FBFFFF mov dword ptr [ebp-0x40C], eax ; [ebp-0x40C] = allocated block
00402AAF . 85C0 test eax, eax
00402AB1 . 75 01 jnz short <loc_402AB4>
00402AB3 . CC int3 ; allocation failed -> STATUS_BREAKPOINT (the handler's default branch at 0040247C terminates the process)
00402AB4 > > 8B07 mov eax, dword ptr [edi] ; loc_402AB4: this+0xC0 again, converted a second time into esi
00402AB6 . 8B50 F4 mov edx, dword ptr [eax-0xC]
00402AB9 . 85D2 test edx, edx
00402ABB . 0F88 2C030000 js <loc_402DED>
00402AC1 . 8BCE mov ecx, esi ; esi == 1 on both paths into here
00402AC3 . 2B48 FC sub ecx, dword ptr [eax-0x4]
00402AC6 . 8B40 F8 mov eax, dword ptr [eax-0x8]
00402AC9 . 2BC2 sub eax, edx
00402ACB . 0BC8 or ecx, eax
00402ACD . 7D 08 jge short <loc_402AD7>
00402ACF . 52 push edx
00402AD0 . 8BCF mov ecx, edi
00402AD2 . E8 B9F5FFFF call <sub_402090>
00402AD7 > > 8B37 mov esi, dword ptr [edi] ; loc_402AD7: esi = wide string data
00402AD9 . 85F6 test esi, esi
00402ADB . 74 5A je short <loc_402B37>
00402ADD . 8BCE mov ecx, esi
00402ADF . 8D51 02 lea edx, dword ptr [ecx+0x2]
00402AE2 > > 66:8B01 mov ax, word ptr [ecx] ; loc_402AE2: inline wcslen
00402AE5 . 83C1 02 add ecx, 0x2
00402AE8 . 66:85C0 test ax, ax
00402AEB .^ 75 F5 jnz short <loc_402AE2>
00402AED . 2BCA sub ecx, edx
00402AEF . D1F9 sar ecx, 1
00402AF1 . 8D41 01 lea eax, dword ptr [ecx+0x1]
00402AF4 . 8985 F0FBFFFF mov dword ptr [ebp-0x410], eax ; [ebp-0x410] = wcslen+1
00402AFA . 3D FFFFFF3F cmp eax, 0x3FFFFFFF
00402AFF . 7F 36 jg short <loc_402B37>
00402B01 . 03C0 add eax, eax
00402B03 . E8 188F1200 call <__alloca_probe_16> ; second stack buffer for the ANSI copy
00402B08 . 8BDC mov ebx, esp
00402B0A . 85DB test ebx, ebx
00402B0C . 74 29 je short <loc_402B37>
00402B0E . 8B8D F0FBFFFF mov ecx, dword ptr [ebp-0x410]
00402B14 . 6A 00 push 0x0 ; /pDefaultCharUsed = NULL
00402B16 . 6A 00 push 0x0 ; |pDefaultChar = NULL
00402B18 . 8D0409 lea eax, dword ptr [ecx+ecx] ; |
00402B1B . 50 push eax ; |MultiByteCount
00402B1C . 53 push ebx ; |MultiByteStr
00402B1D . 6A FF push -0x1 ; |WideCharCount = FFFFFFFF (-1.)
00402B1F . 56 push esi ; |WideCharStr
00402B20 . 6A 00 push 0x0 ; |Options = 0
00402B22 . 6A 03 push 0x3 ; |CodePage = 0x3
00402B24 . C603 00 mov byte ptr [ebx], 0x0 ; |
00402B27 . FF15 14345500 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte
00402B2D . 8BF0 mov esi, eax ; esi = (ret != 0) ? ebx : NULL  — ANSI copy of this+0xC0, the second "%s" below
00402B2F . F7DE neg esi
00402B31 . 1BF6 sbb esi, esi
00402B33 . 23F3 and esi, ebx
00402B35 . EB 02 jmp short <loc_402B39>
00402B37 > > 33F6 xor esi, esi ; loc_402B37: esi = NULL
00402B39 > > 8B9D E8FBFFFF mov ebx, dword ptr [ebp-0x418] ; loc_402B39: ebx = this
00402B3F . 81C3 BC000000 add ebx, 0xBC ; ebx = &this->str_BC (the other string member)
00402B45 . 8B03 mov eax, dword ptr [ebx]
00402B47 . 8B50 F4 mov edx, dword ptr [eax-0xC]
00402B4A . 85D2 test edx, edx
00402B4C . 0F88 A5020000 js <loc_402DF7>
00402B52 . B9 01000000 mov ecx, 0x1
00402B57 . 2B48 FC sub ecx, dword ptr [eax-0x4]
00402B5A . 8B40 F8 mov eax, dword ptr [eax-0x8]
00402B5D . 2BC2 sub eax, edx
00402B5F . 0BC8 or ecx, eax
00402B61 . 7D 08 jge short <loc_402B6B>
00402B63 . 52 push edx
00402B64 . 8BCB mov ecx, ebx
00402B66 . E8 25F5FFFF call <sub_402090>
00402B6B > > 8B03 mov eax, dword ptr [ebx] ; loc_402B6B
00402B6D . 8985 E4FBFFFF mov dword ptr [ebp-0x41C], eax ; [ebp-0x41C] = wide string data of this+0xBC (author: the username)
00402B73 . 85C0 test eax, eax
00402B75 . 74 6B je short <loc_402BE2>
00402B77 . 8BC8 mov ecx, eax
00402B79 . 8D51 02 lea edx, dword ptr [ecx+0x2]
00402B7C . 8D6424 00 lea esp, dword ptr [esp] ; 4-byte nop (loop alignment)
00402B80 > > 66:8B01 mov ax, word ptr [ecx] ; loc_402B80: inline wcslen
00402B83 . 83C1 02 add ecx, 0x2
00402B86 . 66:85C0 test ax, ax
00402B89 .^ 75 F5 jnz short <loc_402B80>
00402B8B . 2BCA sub ecx, edx
00402B8D . D1F9 sar ecx, 1
00402B8F . 8D41 01 lea eax, dword ptr [ecx+0x1]
00402B92 . 8985 F0FBFFFF mov dword ptr [ebp-0x410], eax
00402B98 . 3D FFFFFF3F cmp eax, 0x3FFFFFFF
00402B9D . 7F 43 jg short <loc_402BE2>
00402B9F . 03C0 add eax, eax
00402BA1 . E8 7A8E1200 call <__alloca_probe_16> ; third stack buffer
00402BA6 . 8BC4 mov eax, esp
00402BA8 . 8985 ECFBFFFF mov dword ptr [ebp-0x414], eax ; [ebp-0x414] = that buffer
00402BAE . 85C0 test eax, eax
00402BB0 . 74 30 je short <loc_402BE2>
00402BB2 . 8B95 F0FBFFFF mov edx, dword ptr [ebp-0x410]
00402BB8 . 6A 00 push 0x0 ; /pDefaultCharUsed = NULL
00402BBA . 6A 00 push 0x0 ; |pDefaultChar = NULL
00402BBC . 8D0C12 lea ecx, dword ptr [edx+edx] ; |
00402BBF . 51 push ecx ; |MultiByteCount
00402BC0 . 50 push eax ; |MultiByteStr
00402BC1 . 6A FF push -0x1 ; |WideCharCount = FFFFFFFF (-1.)
00402BC3 . FFB5 E4FBFFFF push dword ptr [ebp-0x41C] ; |WideCharStr
00402BC9 . C600 00 mov byte ptr [eax], 0x0 ; |
00402BCC . 6A 00 push 0x0 ; |Options = 0
00402BCE . 6A 03 push 0x3 ; |CodePage = 0x3
00402BD0 . FF15 14345500 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte
00402BD6 . F7D8 neg eax ; eax = (ret != 0) ? [ebp-0x414] : NULL — ANSI copy of this+0xBC, the first "%s" below
00402BD8 . 1BC0 sbb eax, eax
00402BDA . 2385 ECFBFFFF and eax, dword ptr [ebp-0x414]
00402BE0 . EB 02 jmp short <loc_402BE4>
00402BE2 > > 33C0 xor eax, eax ; loc_402BE2: eax = NULL
00402BE4 > > 56 push esi ; loc_402BE4: 2nd %s = ANSI(this+0xC0)
00402BE5 . 50 push eax ; 1st %s = ANSI(this+0xBC)
00402BE6 . 68 EC685800 push offset <aSS> ; %s %s
00402BEB . 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404]
00402BF1 . 68 00040000 push 0x400 ; sizeOfBuffer
00402BF6 . 50 push eax ; buf
00402BF7 . E8 02411200 call <_sprintf_s> ; sprintf_s(buf, 0x400, "%s %s", str_BC, str_C0): username and code joined by one space (0x20); this is the text written to the pipe below
00402BFC . 8B03 mov eax, dword ptr [ebx] ; --- reset string this+0xBC: refcount release, then a fresh empty buffer (looks like CString::Empty — confirm) ---
00402BFE . 83C4 14 add esp, 0x14
00402C01 . 8B48 F0 mov ecx, dword ptr [eax-0x10] ; [data-0x10]: object whose vtable is called below (presumably the string manager — confirm)
00402C04 . 8D50 F0 lea edx, dword ptr [eax-0x10] ; edx = header base
00402C07 . 83CE FF or esi, -0x1 ; esi = -1 (decrement value for the xadd paths)
00402C0A . 837A 04 00 cmp dword ptr [edx+0x4], 0x0 ; header+4 is the same field as [data-0xC] (length)
00402C0E . 898D ECFBFFFF mov dword ptr [ebp-0x414], ecx
00402C14 . 74 46 je short <loc_402C5C> ; already empty
00402C16 . 837A 0C 00 cmp dword ptr [edx+0xC], 0x0 ; header+0xC is the same field as [data-4]
00402C1A . 8D4A 0C lea ecx, dword ptr [edx+0xC]
00402C1D . 7D 1A jge short <loc_402C39> ; non-negative -> shared-count path
00402C1F . 8378 F8 00 cmp dword ptr [eax-0x8], 0x0
00402C23 . 0F8C D8010000 jl <loc_402E01>
00402C29 . C740 F4 00000>mov dword ptr [eax-0xC], 0x0 ; length = 0
00402C30 . 8B03 mov eax, dword ptr [ebx]
00402C32 . 33C9 xor ecx, ecx
00402C34 . 66:8908 mov word ptr [eax], cx ; data[0] = L'\0'
00402C37 . EB 23 jmp short <loc_402C5C>
00402C39 > > 8BC6 mov eax, esi ; loc_402C39
00402C3B . F0:0FC101 lock xadd dword ptr [ecx], eax ; atomically decrement [header+0xC]; eax = old value
00402C3F . 48 dec eax
00402C40 . 85C0 test eax, eax
00402C42 . 7F 08 jg short <loc_402C4C> ; still referenced elsewhere
00402C44 . 8B0A mov ecx, dword ptr [edx]
00402C46 . 52 push edx
00402C47 . 8B01 mov eax, dword ptr [ecx]
00402C49 . FF50 04 call dword ptr [eax+0x4] ; vtable slot 1 of [header+0] with the header (presumably frees it — confirm)
00402C4C > > 8B8D ECFBFFFF mov ecx, dword ptr [ebp-0x414] ; loc_402C4C
00402C52 . 8B01 mov eax, dword ptr [ecx]
00402C54 . FF50 0C call dword ptr [eax+0xC] ; vtable slot 3 (presumably returns an empty header — confirm)
00402C57 . 83C0 10 add eax, 0x10 ; skip the 0x10-byte header -> data pointer
00402C5A . 8903 mov dword ptr [ebx], eax
00402C5C > > 8B07 mov eax, dword ptr [edi] ; loc_402C5C: --- same reset for string this+0xC0 ---
00402C5E . 8378 F4 00 cmp dword ptr [eax-0xC], 0x0
00402C62 . 8B58 F0 mov ebx, dword ptr [eax-0x10]
00402C65 . 8D50 F0 lea edx, dword ptr [eax-0x10]
00402C68 . 74 40 je short <loc_402CAA>
00402C6A . 837A 0C 00 cmp dword ptr [edx+0xC], 0x0
00402C6E . 8D4A 0C lea ecx, dword ptr [edx+0xC]
00402C71 . 7D 1A jge short <loc_402C8D>
00402C73 . 8378 F8 00 cmp dword ptr [eax-0x8], 0x0
00402C77 . 0F8C 8E010000 jl <loc_402E0B>
00402C7D . C740 F4 00000>mov dword ptr [eax-0xC], 0x0
00402C84 . 8B07 mov eax, dword ptr [edi]
00402C86 . 33C9 xor ecx, ecx
00402C88 . 66:8908 mov word ptr [eax], cx
00402C8B . EB 1D jmp short <loc_402CAA>
00402C8D > > F0:0FC131 lock xadd dword ptr [ecx], esi ; loc_402C8D: esi (was -1) receives the old count
00402C91 . 4E dec esi
00402C92 . 85F6 test esi, esi
00402C94 . 7F 08 jg short <loc_402C9E>
00402C96 . 8B0A mov ecx, dword ptr [edx]
00402C98 . 52 push edx
00402C99 . 8B01 mov eax, dword ptr [ecx]
00402C9B . FF50 04 call dword ptr [eax+0x4]
00402C9E > > 8B03 mov eax, dword ptr [ebx] ; loc_402C9E
00402CA0 . 8BCB mov ecx, ebx
00402CA2 . FF50 0C call dword ptr [eax+0xC]
00402CA5 . 83C0 10 add eax, 0x10
00402CA8 . 8907 mov dword ptr [edi], eax
00402CAA > > 8B8D E8FBFFFF mov ecx, dword ptr [ebp-0x418] ; loc_402CAA: ecx = this
00402CB0 . 6A 00 push 0x0
00402CB2 . E8 167F0100 call <获取用户名和密码> ; author's label, now called with arg 0 (both strings have just been emptied)
00402CB7 . 8B9D F4FBFFFF mov ebx, dword ptr [ebp-0x40C] ; ebx = heap block allocated at 00402AA1
00402CBD . 53 push ebx
00402CBE . E8 60060000 call <j__free> ; free(block)
00402CC3 . 83C4 04 add esp, 0x4
00402CC6 . B8 23810000 mov eax, 0x8123 ; eax = 0x8123: a bogus pointer into the low 64 KiB, which Windows keeps unmapped
00402CCB . 85DB test ebx, ebx ; ZF = (freed pointer == NULL)
00402CCD . 8D8D FCFBFFFF lea ecx, dword ptr [ebp-0x404]
00402CD3 . 0F45D8 cmovne ebx, eax ; ebx = (ebx != 0) ? 0x8123 : ebx — this tests ebx against zero, not against eax: whenever the allocation succeeded ebx becomes 0x8123
00402CD6 . 899D F4FBFFFF mov dword ptr [ebp-0x40C], ebx ; [ebp-0x40C] = planted bad pointer (read back at 00402DAB)
00402CDC . 8D51 01 lea edx, dword ptr [ecx+0x1] ; inline strlen(buf)
00402CDF . 90 nop
00402CE0 > > 8A01 mov al, byte ptr [ecx]
00402CE2 . 41 inc ecx
00402CE3 . 84C0 test al, al
00402CE5 .^ 75 F9 jnz short <loc_402CE0>
00402CE7 . 6A 00 push 0x0 ; /pOverlapped = NULL
00402CE9 . 8D85 F8FBFFFF lea eax, dword ptr [ebp-0x408] ; |
00402CEF . 50 push eax ; |pBytesWritten
00402CF0 . 2BCA sub ecx, edx ; |ecx = strlen(buf)
00402CF2 . 51 push ecx ; |nBytesToWrite
00402CF3 . 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
00402CF9 . 50 push eax ; |Buffer = "user code"
00402CFA . FF35 740C5B00 push dword ptr [<dword_5B0C74>] ; |hFile: global handle (the pipe's write end, per the post)
00402D00 . FF15 10345500 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile(hPipe, buf, len, &written, NULL)
00402D06 . 85C0 test eax, eax ; the reader side is the ReadFile at 0040261D
00402D08 . 0F84 BE000000 je <失败> ; write failed -> author's label "failure"
00402D0E . 68 00040000 push 0x400 ; /n = 400 (1024.)
00402D13 . 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
00402D19 . 6A 00 push 0x0 ; |c = 00
00402D1B . 50 push eax ; |s
00402D1C . E8 3F4B1200 call <_memset> ; \memset(buf, 0, 0x400): scrub the formatted "user code" text from the stack
00402D21 . 8B07 mov eax, dword ptr [edi] ; this+0xC0 once more (emptied above)
00402D23 . 83C4 0C add esp, 0xC
00402D26 . 8B48 F4 mov ecx, dword ptr [eax-0xC]
00402D29 . 85C9 test ecx, ecx
00402D2B . 0F88 E4000000 js <loc_402E15>
00402D31 . BA 01000000 mov edx, 0x1
00402D36 . 2B50 FC sub edx, dword ptr [eax-0x4]
00402D39 . 8B40 F8 mov eax, dword ptr [eax-0x8]
00402D3C . 2BC1 sub eax, ecx
00402D3E . 0BD0 or edx, eax
00402D40 . 7D 08 jge short <loc_402D4A>
00402D42 . 51 push ecx
00402D43 . 8BCF mov ecx, edi
00402D45 . E8 46F3FFFF call <sub_402090>
00402D4A > > 8B3F mov edi, dword ptr [edi] ; loc_402D4A: edi = wide string data
00402D4C . 85FF test edi, edi
00402D4E . 75 04 jnz short <loc_402D54>
00402D50 . 33C9 xor ecx, ecx ; NULL string -> ecx = 0 (the strlen at loc_402DB1 then reads address 0)
00402D52 . EB 5D jmp short <loc_402DB1>
00402D54 > > 8BCF mov ecx, edi ; loc_402D54
00402D56 . 8D51 02 lea edx, dword ptr [ecx+0x2]
00402D59 . 8DA424 000000>lea esp, dword ptr [esp] ; 7-byte nop
00402D60 > > 66:8B01 mov ax, word ptr [ecx] ; loc_402D60: inline wcslen
00402D63 . 83C1 02 add ecx, 0x2
00402D66 . 66:85C0 test ax, ax
00402D69 .^ 75 F5 jnz short <loc_402D60>
00402D6B . 2BCA sub ecx, edx
00402D6D . D1F9 sar ecx, 1
00402D6F . 8D59 01 lea ebx, dword ptr [ecx+0x1]
00402D72 . 81FB FFFFFF3F cmp ebx, 0x3FFFFFFF
00402D78 . 7F 2F jg short <loc_402DA9>
00402D7A . 03DB add ebx, ebx
00402D7C . 8BC3 mov eax, ebx
00402D7E . E8 9D8C1200 call <__alloca_probe_16>
00402D83 . 8BF4 mov esi, esp
00402D85 . 85F6 test esi, esi
00402D87 . 74 20 je short <loc_402DA9>
00402D89 . 6A 00 push 0x0 ; /pDefaultCharUsed = NULL
00402D8B . 6A 00 push 0x0 ; |pDefaultChar = NULL
00402D8D . 53 push ebx ; |MultiByteCount
00402D8E . 56 push esi ; |MultiByteStr
00402D8F . 6A FF push -0x1 ; |WideCharCount = FFFFFFFF (-1.)
00402D91 . 57 push edi ; |WideCharStr
00402D92 . 6A 00 push 0x0 ; |Options = 0
00402D94 . 6A 03 push 0x3 ; |CodePage = 0x3
00402D96 . C606 00 mov byte ptr [esi], 0x0 ; |
00402D99 . FF15 14345500 call dword ptr [<&KERNEL32.WideCharTo>; \WideCharToMultiByte
00402D9F . 8BC8 mov ecx, eax ; ecx = (ret != 0) ? esi : NULL
00402DA1 . F7D9 neg ecx
00402DA3 . 1BC9 sbb ecx, ecx
00402DA5 . 23CE and ecx, esi
00402DA7 . EB 02 jmp short <loc_402DAB>
00402DA9 > > 33C9 xor ecx, ecx ; loc_402DA9
00402DAB > > 8B9D F4FBFFFF mov ebx, dword ptr [ebp-0x40C] ; loc_402DAB: ebx = planted pointer 0x8123 (stored at 00402CD6)
00402DB1 > > 8D51 01 lea edx, dword ptr [ecx+0x1] ; loc_402DB1: inline strlen(ecx)
00402DB4 > > 8A01 mov al, byte ptr [ecx] ; loc_402DB4
00402DB6 . 41 inc ecx
00402DB7 . 84C0 test al, al
00402DB9 .^ 75 F9 jnz short <loc_402DB4>
00402DBB . 2BCA sub ecx, edx
00402DBD . 8D41 01 lea eax, dword ptr [ecx+0x1]
00402DC0 . 50 push eax ; /n = strlen+1
00402DC1 . 6A 00 push 0x0 ; |c = 00
00402DC3 . 53 push ebx ; |s = 0x8123
00402DC4 . E8 974A1200 call <_memset> ; \memset(0x8123, 0, n): the store into the unmapped low page raises STATUS_ACCESS_VIOLATION (0xC0000005), handled at 0040245C (Sleep so the pipe reader can validate the username)
00402DC9 . 83C4 0C add esp, 0xC ; author's note: "the exception fires here" — it is raised inside the memset call above; this line only runs if the handler resumes execution
00402DCC > > 8DA5 D8FBFFFF lea esp, dword ptr [ebp-0x428] ; epilogue: drop the alloca'd buffers
00402DD2 . 5F pop edi
00402DD3 . 5E pop esi
00402DD4 . 5B pop ebx
00402DD5 . 8B4D FC mov ecx, dword ptr [ebp-0x4]
00402DD8 . 33CD xor ecx, ebp ; recover the raw cookie
00402DDA . E8 69381200 call <__security_check_cookie(x)> ; /GS check
00402DDF . 8BE5 mov esp, ebp
00402DE1 . 5D pop ebp
00402DE2 . C3 retn
00402DE3 > > 68 57000780 push 0x80070057 ; loc_402DE3: HRESULT 0x80070057 = E_INVALIDARG (negative string length seen above)
00402DE8 . E8 53F3FFFF call <sub_402140> ; no return path follows, so sub_402140 presumably throws — confirm
00402DED > > 68 57000780 push 0x80070057 ; loc_402DED
00402DF2 . E8 49F3FFFF call <sub_402140>
00402DF7 > > 68 57000780 push 0x80070057 ; loc_402DF7
00402DFC . E8 3FF3FFFF call <sub_402140>
00402E01 > > 68 57000780 push 0x80070057 ; loc_402E01
00402E06 . E8 35F3FFFF call <sub_402140>
00402E0B > > 68 57000780 push 0x80070057 ; loc_402E0B
00402E10 . E8 2BF3FFFF call <sub_402140>
00402E15 > > 68 57000780 push 0x80070057 ; loc_402E15
00402E1A . E8 21F3FFFF call <sub_402140>
代码有点长,其实有用的东西很少,先是申请空间,然后获取用户名和注册码里的内容,将其转换成ANSI编码,用sprintf将用户名和注册码进行连接,中间用空格隔开(0x20)然后调用WriteFile这个API,这个API的作用我们后续来分析。接着调用memset,在这个API上,产生异常,退出。
我们下断
00402DC4 . E8 974A1200 call <_memset> ; \_memset — breakpoint goes on this call; its s argument (ebx) is the planted 0x8123, see below
看看是什么异常。
程序断下,具体信息如下
00402DC0 . 50 push eax ; /n=0x1  (strlen+1; the string measured just before was empty at this break)
00402DC1 . 6A 00 push 0x0 ; |c = 00
00402DC3 . 53 push ebx ; |s=8123  (the planted value from [ebp-0x40C], not a mapped address)
00402DC4 . E8 974A1200 call <_memset> ; \_memset: the byte store to 0x8123 raises the access violation
可知 s 参数(0x8123)这个地址是产生异常的原因,那么我们向前看,这个地址是怎么来的。
00402DAB > > \8B9D F4FBFFFF mov ebx, dword ptr [ebp-0x40C] ; ebx = local [ebp-0x40C], last written at 00402CD6
ebx的值是由变量40C传递的,我们继续往上看。
00402CC6 . B8 23810000 mov eax, 0x8123 ; eax=0x8123 (bogus pointer into the unmapped low 64 KiB)
00402CCB . 85DB test ebx, ebx ; ZF = (ebx == 0); ebx is the pointer just freed
00402CCD . 8D8D FCFBFFFF lea ecx, dword ptr [ebp-0x404]
00402CD3 . 0F45D8 cmovne ebx, eax ; ebx = (ebx != 0) ? 0x8123 : ebx — tests ebx against zero, not against eax
00402CD6 . 899D F4FBFFFF mov dword ptr [ebp-0x40C], ebx ; [ebp-0x40C] = 0x8123 whenever the allocation had succeeded
eax=0x8123;test ebx,ebx 检测的是 ebx 是否为 0,cmovne 在 ebx 不为 0(即上面的申请成功)时令 ebx=eax=0x8123。然后将 ebx 给变量 40C,我们继续往上跟 ebx 的值。
00402AA0 . 50 push eax ; size = strlen+1
00402AA1 . E8 82080000 call <sub_403328> ; heap allocation (author: "allocates a block"); returns the block in eax
00402AA6 . 83C4 04 add esp, 0x4
00402AA9 . 8985 F4FBFFFF mov dword ptr [ebp-0x40C], eax ; [ebp-0x40C] = block address — non-zero whenever the allocation succeeds
根据用户名的长度申请一段空间,将空间的地址给 40C。这个地址是随机的堆地址,永远也不可能为 0x8123,也不会为 0;因此上面的 cmovne 总会把 40C 改写成 0x8123 这个无效地址,就此判断,此异常必定发生。
我们继续看代码,发现有个 WriteFile 调用很可疑,它到底是干嘛用的呢?我们在 WriteFile 上下断,信息如下:
00402CE7 . 6A 00 push 0x0 ; /pOverlapped = NULL
00402CE9 . 8D85 F8FBFFFF lea eax, dword ptr [ebp-0x408] ; |
00402CEF . 50 push eax ; |pBytesWritten
00402CF0 . 2BCA sub ecx, edx ; |ecx = strlen(buf) from the loop just above
00402CF2 . 51 push ecx ; |nBytesToWrite
00402CF3 . 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
00402CF9 . 50 push eax ; |Buffer = the sprintf_s result "user code"
00402CFA . FF35 740C5B00 push dword ptr [<dword_5B0C74>] ; |hFile from a global (a pipe handle, see the handle view below)
00402D00 . FF15 10345500 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
堆栈信息如下:
0012F3BC 000000B4 |hFile = 000000B4 (window)
0012F3C0 0012F420 |Buffer = 0012F420
0012F3C4 00000004 |nBytesToWrite = 0x4
0012F3C8 0012F41C |pBytesWritten = 0012F41C
0012F3CC 00000000 \pOverlapped = NULL
句柄为0xB4。
通过OD的句柄查看,如图4:
发现它是向管道内写入格式化后的用户名和注册码字符串。管道是一种用于进程间通信(IPC)的通道,用 CreatePipe 创建,WriteFile 用于写,ReadFile 用于读。那么我们下断 ReadFile,程序断下,代码如下:
00402602 6A 00 push 0x0 ; /pOverlapped = NULL   (second half of sub_402500; its start is at 00402500)
00402604 8D85 D8F3FFFF lea eax, dword ptr [ebp-0xC28] ; |
0040260A 50 push eax ; |pBytesRead
0040260B 68 00040000 push 0x400 ; |nBytesToRead
00402610 8D85 DCF7FFFF lea eax, dword ptr [ebp-0x824] ; |
00402616 50 push eax ; |Buffer (0x400 bytes, zeroed in the prologue)
00402617 FF35 780C5B00 push dword ptr [<hFile>] ; |hFile: the pipe's read end
0040261D FF15 2C345500 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile: receives the "user code" text written at 00402D00
00402623 85C0 test eax, eax
00402625 0F84 A0000000 je <loc_4026CB> ; read failed -> hand off to [dword_5B0C68]
0040262B 68 00040000 push 0x400 ; size of the second destination
00402630 8D85 DCFBFFFF lea eax, dword ptr [ebp-0x424]
00402636 50 push eax ; 2nd token -> [ebp-0x424] (the code)
00402637 68 00040000 push 0x400 ; size of the first destination
0040263C 8D85 DCF3FFFF lea eax, dword ptr [ebp-0xC24]
00402642 50 push eax ; 1st token -> [ebp-0xC24] (the username)
00402643 8D85 DCF7FFFF lea eax, dword ptr [ebp-0x824]
00402649 68 EC685800 push offset <aSS> ; %s %s
0040264E 50 push eax ; source = pipe buffer
0040264F E8 23451200 call <unknown_libname_316> ; argument layout (src, "%s %s", buf1, 0x400, buf2, 0x400) matches sscanf_s — splits the line at the space; confirm
00402654 68 00040000 push 0x400
00402659 8D85 DCF7FFFF lea eax, dword ptr [ebp-0x824]
0040265F 6A 00 push 0x0
00402661 50 push eax
00402662 E8 F9511200 call <_memset> ; memset(pipe buffer, 0, 0x400): scrub the raw line
00402667 83C4 24 add esp, 0x24 ; pop 9 dword arguments (6 + 3) at once
0040266A 8D55 DC lea edx, dword ptr [ebp-0x24] ; edx = 16-byte digest output (zeroed in the prologue)
0040266D 8D8D DCF3FFFF lea ecx, dword ptr [ebp-0xC24] ; ecx = username
00402673 E8 78F2FFFF call <MD5> ; author's label: MD5(username) -> [ebp-0x24]; arguments passed in ecx/edx (input/output) — confirm
00402678 8D4D EC lea ecx, dword ptr [ebp-0x14] ; ecx = expected digest, hard-coded at 00402523..00402538
0040267B 8D55 DC lea edx, dword ptr [ebp-0x24] ; edx = computed digest
0040267E BE 0C000000 mov esi, 0xC ; byte offset counter: 0xC, 8, 4, 0 -> four dwords = 16 bytes
00402683 > 8B01 mov eax, dword ptr [ecx] ; loc_402683
00402685 3B02 cmp eax, dword ptr [edx] ; one dword of expected vs computed digest
00402687 75 41 jnz short <loc_4026CA> ; mismatch -> int3 (the handler's default branch terminates the process)
00402689 83C1 04 add ecx, 0x4
0040268C 83C2 04 add edx, 0x4
0040268F 83EE 04 sub esi, 0x4
00402692 ^ 73 EF jnb short <loc_402683> ; loop until esi wraps below zero
00402694 8A85 DCFBFFFF mov al, byte ptr [ebp-0x424] ; username matched: spread the first 8 bytes of the code over al,bl,cl,dl,ah,bh,ch,dh ...
0040269A 8A9D DDFBFFFF mov bl, byte ptr [ebp-0x423]
004026A0 8A8D DEFBFFFF mov cl, byte ptr [ebp-0x422]
004026A6 8A95 DFFBFFFF mov dl, byte ptr [ebp-0x421]
004026AC 8AA5 E0FBFFFF mov ah, byte ptr [ebp-0x420]
004026B2 8ABD E1FBFFFF mov bh, byte ptr [ebp-0x41F]
004026B8 8AAD E2FBFFFF mov ch, byte ptr [ebp-0x41E]
004026BE 8AB5 E3FBFFFF mov dh, byte ptr [ebp-0x41D] ; ... so the handler can read them from the CONTEXT record (Eax/Ebx/Ecx/Edx, see 00402419..0040243E)
004026C4 33F6 xor esi, esi
004026C6 F7F6 div esi ; deliberate divide by zero -> STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094); the code check lives in the handler at 0040240D
004026C8 EB 01 jmp short <loc_4026CB>
004026CA > CC int3 ; loc_4026CA: username mismatch -> STATUS_BREAKPOINT
004026CB > FF75 0C push dword ptr [ebp+0xC] ; loc_4026CB: forward both arguments to the function pointer in dword_5B0C68 (presumably the routine this one wraps — confirm)
004026CE FF75 08 push dword ptr [ebp+0x8]
004026D1 FF15 680C5B00 call dword ptr [<dword_5B0C68>]
004026D7 8B4D FC mov ecx, dword ptr [ebp-0x4]
004026DA 5E pop esi
004026DB 33CD xor ecx, ebp
004026DD 5B pop ebx
004026DE E8 653F1200 call <__security_check_cookie(x)> ; /GS check
004026E3 8BE5 mov esp, ebp
004026E5 5D pop ebp
004026E6 C2 0800 retn 0x8 ; stdcall, two arguments
由上可知,对用户名进行MD5加密,然后与设定值进行比较,我们来分析设定值。
设定值由以下代码传入:
00402500 > 55 push ebp ; sub_402500: pipe-reader routine (stdcall, two args; continues at 00402602, shown above)
00402501 8BEC mov ebp, esp
00402503 81EC 2C0C0000 sub esp, 0xC2C ; locals: three 0x400-byte buffers, two 16-byte digests, a DWORD
00402509 A1 30915A00 mov eax, dword ptr [<___security_coo> ; /GS stack cookie
0040250E 33C5 xor eax, ebp
00402510 8945 FC mov dword ptr [ebp-0x4], eax
00402513 53 push ebx
00402514 56 push esi
00402515 68 FF030000 push 0x3FF ; memset #1: n
0040251A 8D85 DDF7FFFF lea eax, dword ptr [ebp-0x823]
00402520 6A 00 push 0x0
00402522 50 push eax
00402523 C745 EC CC9B798>mov dword ptr [ebp-0x14], 0x8B799BCC 传入MD5设定值 ; expected MD5 digest as four little-endian dwords at [ebp-0x14]: bytes CC 9B 79 8B ...
0040252A C745 F0 A68B1CE>mov dword ptr [ebp-0x10], 0xEA1C8BA6 ; ... A6 8B 1C EA ...
00402531 C745 F4 889BA11>mov dword ptr [ebp-0xC], 0x18A19B88 ; ... 88 9B A1 18 ...
00402538 C745 F8 7403B4D>mov dword ptr [ebp-0x8], 0xD6B40374 ; ... 74 03 B4 D6 -> CC9B798BA68B1CEA889BA1187403B4D6
0040253F C785 D4F3FFFF 0>mov dword ptr [ebp-0xC2C], 0x0
00402549 C685 DCF7FFFF 0>mov byte ptr [ebp-0x824], 0x0 ; pipe read buffer
00402550 E8 0B531200 call <_memset>
00402555 68 FF030000 push 0x3FF ; memset #2
0040255A 8D85 DDF3FFFF lea eax, dword ptr [ebp-0xC23]
00402560 6A 00 push 0x0
00402562 50 push eax
00402563 C785 D8F3FFFF 0>mov dword ptr [ebp-0xC28], 0x0 ; bytesRead
0040256D C685 DCF3FFFF 0>mov byte ptr [ebp-0xC24], 0x0 ; username buffer
00402574 E8 E7521200 call <_memset>
00402579 68 FF030000 push 0x3FF ; memset #3
0040257E 8D85 DDFBFFFF lea eax, dword ptr [ebp-0x423]
00402584 6A 00 push 0x0
00402586 50 push eax
00402587 C685 DCFBFFFF 0>mov byte ptr [ebp-0x424], 0x0 ; code bu
00402587 C685 DCFBFFFF 0>mov byte ptr [ebp-0x424], 0x0 ; code buffer
0040258E E8 CD521200 call <_memset>
00402593 0F57C0 xorps xmm0, xmm0 ; xmm0 = 0
00402596 83C4 24 add esp, 0x24 ; pop the 9 memset arguments
00402599 C645 DC 00 mov byte ptr [ebp-0x24], 0x0 ; start zeroing the 16-byte digest output [ebp-0x24..ebp-0x15]
0040259D 66:0FD6 ??? ; OllyDbg could not decode 66 0F D6 45 DD: SSE2 movq qword ptr [ebp-0x23], xmm0; the lines down to 004025B2 are the following bytes mis-decoded (see 004025A8)
004025A0 45 inc ebp
004025A1 DDC7 ffree st(7)
004025A3 45 inc ebp
004025A4 E5 00 in eax, 0x0
004025A6 0000 add byte ptr [eax], al
004025A8 0066 C7 add byte ptr [esi-0x39], ah ; byte stream C7 45 E5 00 00 00 00 / 66 C7 45 E9 00 00 / C6 45 EB 00 = mov dword ptr [ebp-0x1B],0 ; mov word ptr [ebp-0x17],0 ; mov byte ptr [ebp-0x15],0 — with 00402599 that zeroes all 16 bytes
004025AB 45 inc ebp
004025AC - E9 0000C645 jmp 460625B1
004025B1 EB 00 jmp short 004025B3
004025B3 50 push eax ; real instruction stream resumes here
004025B4 8BC5 mov eax, ebp
004025B6 8B00 mov eax, dword ptr [eax] ; follow one saved-ebp link ...
004025B8 8B00 mov eax, dword ptr [eax] ; ... and a second one ...
004025BA 83C0 04 add eax, 0x4 ; ... to that frame's return-address slot
004025BD 8B00 mov eax, dword ptr [eax]
004025BF 8985 D4F3FFFF mov dword ptr [ebp-0xC2C], eax ; [ebp-0xC2C] = return address found two frames up the chain
004025C5 58 pop eax
004025C6 6A 00 push 0x0
004025C8 FF15 38345500 call dword ptr [<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleW(NULL) = image base of the EXE
004025CE 8BB5 D4F3FFFF mov esi, dword ptr [ebp-0xC2C]
004025D4 3BF0 cmp esi, eax
004025D6 0F86 EF000000 jbe <loc_4026CB> ; return address at or below the image base -> skip the pipe read
004025DC B9 4D5A0000 mov ecx, 0x5A4D ; 'MZ'
004025E1 33D2 xor edx, edx ; edx = SizeOfImage (0 if the headers do not parse)
004025E3 66:3908 cmp word ptr [eax], cx
004025E6 75 10 jnz short <loc_4025F8>
004025E8 8B48 3C mov ecx, dword ptr [eax+0x3C] ; e_lfanew
004025EB 813C01 50450000 cmp dword ptr [ecx+eax], 0x4550 ; 'PE\0\0'
004025F2 75 04 jnz short <loc_4025F8>
004025F4 8B5401 50 mov edx, dword ptr [ecx+eax+0x50] ; OptionalHeader.SizeOfImage (PE signature + 0x50)
004025F8 > 03C2 add eax, edx ; loc_4025F8: eax = image end
004025FA 3BF0 cmp esi, eax
004025FC 0F83 C9000000 jnb <loc_4026CB> ; return address outside [base, base+SizeOfImage) -> skip; otherwise the ReadFile at 00402602 follows
设定值 MD5 为 CC9B798BA68B1CEA889BA1187403B4D6(上面四个小端 dword 按字节顺序拼接)。MD5 不可逆,只能用 MD5 反查(查表)得到原文,反查得出的就是用户名。
在用户名验证通过后,会触发除0异常,如下代码:
004026C4 33F6 xor esi, esi ; esi = 0
004026C6 F7F6 div esi ; deliberate divide by zero -> STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094); the registration-code check is the handler's first branch
004026C8 EB 01 jmp short <loc_4026CB>
004026CA > CC int3 ; loc_4026CA: username mismatch -> STATUS_BREAKPOINT (0x80000003), the handler's default branch
如果不通过则触发int3异常,在SEH处理程序里会有判断,int3异常直接结束程序。
OK,我们已经跟了一大半了,接下来就是这个 CM 的核心所在:SEH 处理程序。
SEH入口点:
004024F0 > FF7424 04 push dword ptr [esp+0x4] ; sub_4024F0: handler entry; pushes the entry's [esp+4] ...
004024F4 FF7424 04 push dword ptr [esp+0x4] 异常代码 ; ... then (esp moved by 4) the entry's original [esp]; sub_402400 uses them as EXCEPTION_RECORD* ([ebp+8]) and CONTEXT* ([ebp+0xC]) — how the entry is reached is not shown here
004024F8 E8 03FFFFFF call <sub_402400> ; handler body, listed below
进入CALL 402400中
00402400 > 55 push ebp ; sub_402400: exception-handler body; args used as (EXCEPTION_RECORD *rec, CONTEXT *ctx), stdcall (retn 8)
00402401 8BEC mov ebp, esp
00402403 53 push ebx
00402404 8B5D 08 mov ebx, dword ptr [ebp+0x8] ; ebx = rec (first dword = ExceptionCode)
00402407 57 push edi
00402408 8B03 mov eax, dword ptr [ebx] ; eax = ExceptionCode
0040240A 8B7D 0C mov edi, dword ptr [ebp+0xC] ; edi = ctx; offsets 0xA4/0xA8/0xAC/0xB0 below are x86 CONTEXT.Ebx/Edx/Ecx/Eax
0040240D 3D 940000C0 cmp eax, 0xC0000094 ; STATUS_INTEGER_DIVIDE_BY_ZERO: raised by the div at 004026C6 after the username matched
00402412 75 48 jnz short <loc_40245C>
00402414 B8 6C640000 mov eax, 0x646C ; al = 'l', ah = 'd'
00402419 66:3987 B000000>cmp word ptr [edi+0xB0], ax ; ctx->Eax: al = code[0], ah = code[4]  -> 'l','d'
00402420 75 2B jnz short <loc_40244D>
00402422 B8 69750000 mov eax, 0x7569 ; 'i','u'
00402427 66:3987 A400000>cmp word ptr [edi+0xA4], ax ; ctx->Ebx: bl = code[1], bh = code[5] -> 'i','u'
0040242E 75 1D jnz short <loc_40244D>
00402430 B8 6E780000 mov eax, 0x786E ; 'n','x'
00402435 66:3987 AC00000>cmp word ptr [edi+0xAC], ax ; ctx->Ecx: cl = code[2], ch = code[6] -> 'n','x'
0040243C 75 0F jnz short <loc_40244D>
0040243E 66:83BF A800000>cmp word ptr [edi+0xA8], 0x67 ; ctx->Edx: dl = code[3] = 'g' AND dh = code[7] = 0 -> the code must be exactly 7 chars: "lingdux"
00402446 75 05 jnz short <loc_40244D>
00402448 E8 63FFFFFF call <sub_4023B0> ; all four words matched: success path (author's label)
0040244D > CC int3 ; loc_40244D: any mismatch -> STATUS_BREAKPOINT raised from inside the handler
0040244E 57 push edi
0040244F 53 push ebx
00402450 FF15 6C0C5B00 call dword ptr [<dword_5B0C6C>] ; (rec, ctx) -> function pointer in dword_5B0C6C (presumably the previous handler — confirm)
00402456 5F pop edi
00402457 5B pop ebx
00402458 5D pop ebp
00402459 C2 0800 retn 0x8
0040245C > 3D 050000C0 cmp eax, 0xC0000005 ; STATUS_ACCESS_VIOLATION: raised by memset(0x8123, ...) at 00402DC4 in the OK handler
00402461 75 19 jnz short <loc_40247C>
00402463 68 E8030000 push 0x3E8
00402468 FF15 3C345500 call dword ptr [<&KERNEL32.Sleep>] ; Sleep(1000 ms): gives the pipe reader (ReadFile at 0040261D) time to consume the line written at 00402D00 and check the username
0040246E 57 push edi
0040246F 53 push ebx
00402470 FF15 6C0C5B00 call dword ptr [<dword_5B0C6C>]
00402476 5F pop edi
00402477 5B pop ebx
00402478 5D pop ebp
00402479 C2 0800 retn 0x8
0040247C > 56 push esi ; loc_40247C: every other code (in practice the int3s: STATUS_BREAKPOINT 0x80000003)
0040247D C745 0C 0000000>mov dword ptr [ebp+0xC], 0x0 ; the two argument slots are reused as locals from here on
00402484 C745 08 0000000>mov dword ptr [ebp+0x8], 0x0
0040248B 8965 0C mov dword ptr [ebp+0xC], esp ; [ebp+0xC] = current esp (start of the wipe)
0040248E 8BC5 mov eax, ebp
00402490 > 8B00 mov eax, dword ptr [eax] ; loc_402490: follow saved-ebp links up the stack ...
00402492 8038 00 cmp byte ptr [eax], 0x0
00402495 ^ 75 F9 jnz short <loc_402490> ; ... until a frame whose first byte is 0
00402497 8945 08 mov dword ptr [ebp+0x8], eax ; [ebp+8] = end of the wipe
0040249A 8B4D 0C mov ecx, dword ptr [ebp+0xC]
0040249D 8B45 08 mov eax, dword ptr [ebp+0x8]
004024A0 2BC1 sub eax, ecx
004024A2 50 push eax ; n = end - esp
004024A3 6A 00 push 0x0
004024A5 51 push ecx ; s = esp
004024A6 E8 B5531200 call <_memset> ; memset(esp, 0, n): zeroes the stack between here and that frame before exiting (removes whatever strings were still on it)
004024AB 83C4 0C add esp, 0xC
004024AE 68 CC685800 push offset <aNtdll> ; ntdll
004024B3 FF15 38345500 call dword ptr [<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleW(L"ntdll")
004024B9 68 D8685800 push offset <aZwterminatepro> ; ZwTerminateProcess
004024BE 50 push eax
004024BF FF15 34345500 call dword ptr [<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress(ntdll, "ZwTerminateProcess"): resolved at run time, so it never appears in the import table
004024C5 6A 00 push 0x0 ; ExitStatus = 0
004024C7 8BF0 mov esi, eax
004024C9 FF15 30345500 call dword ptr [<&KERNEL32.GetCurrent>; kernel32.GetCurrentProcess
004024CF 50 push eax ; ProcessHandle
004024D0 FFD6 call esi ; ZwTerminateProcess(GetCurrentProcess(), 0): the native call bypasses ExitProcess/PostQuitMessage, which is why breakpoints on them never fire (the "unconventional exit" noted at the top of the post)
004024D2 5E pop esi
004024D3 57 push edi
004024D4 53 push ebx
004024D5 FF15 6C0C5B00 call dword ptr [<dword_5B0C6C>] ; not reached once the process has been terminated
004024DB 5F pop edi
004024DC 5B pop ebx
004024DD 5D pop ebp
004024DE C2 0800 retn 0x8
这里有三个异常处理分支,一个是C0000094(除0),一个是C0000005(无效地址),最后一个是默认异常(int3,80000003).第一个异常用于验证注册码,第二个异常由确定按钮事件触发,通过Sleep 1秒,转到ReadFile用于读管道,验证用户名。最后一个异常用于结束程序。
之前我们跳过了用户名的验证,所以来到了注册码的验证处,即第一个异常处理分支。
密码分析如下:
ASCII码: 64 6C 75 69 78 6E 67
对应的字符: d l u i x n g
以位置编号代替输入的注册码:
1234567
各位置对应的字符:
第1、5位 l d
第2、6位 i u
第3、7位 n x
第4位 g
真注册码:lingdux
OK,我们现在对 MD5 进行反查(MD5 不可逆,只能查表):去在线 MD5 库查询,不过显示要付费;好吧,这里感谢 @txke 提供的反查结果,原文为 52Pojie。
因此正确的信息如下:
用户名: 52PoJie
注册码: lingdux
成功界面如下: