本帖最后由 L4Nce 于 2014-10-24 22:26 编辑
小弟不才,由于时间和能力有限,只能爆破,故将简单分析贴上:
1. bp GetDlgItemTextA下断,F9,然后输入NAME和KEY,来到下图1:
图1
2. Alt + F9 跳出,来到下图2:
图2
3. 继续 F8 一步步走下去,来到关键地方,见图3:
图3
4.找到关键代码:
00401C0F |. 897C24 20 mov dword ptr [esp+20], edi
00401C13 |. E8 0F060100 call 00412227 ; author: function that fetches the string (result in eax)
00401C18 |. 8BF0 mov esi, eax
00401C1A |. 897424 10 mov dword ptr [esp+10], esi
00401C1E |. FF7424 14 push dword ptr [esp+14]
00401C22 |. FF7424 14 push dword ptr [esp+14] ; after the first push this slot is the former [esp+10]
00401C26 |. 8F4424 28 pop dword ptr [esp+28] ; the push/pop pairs only move values between stack slots
00401C2A |. 8F4424 20 pop dword ptr [esp+20] ; [esp+20] is read back at 401C64 as the bound of loop 1
00401C2E |. 83F7 04 xor edi, 4
00401C31 |. 83F6 04 xor esi, 4
00401C34 |. 83C7 FC add edi, -4 ; (edi ^ 4) - 4 is zero only when edi was 0
00401C37 |. 897424 10 mov dword ptr [esp+10], esi ; [esp+10] = esi ^ 4, re-read at 401CC8/401D89 as the bound of loop 2
00401C3B 83FF 00 cmp edi, 0 ; EDI = length of the user-name string (author's note)
00401C3E |. 77 1B ja short 00401C5B ; unsigned: taken for every non-zero edi, which then skips the eax check below
00401C40 |. 8D46 FC lea eax, dword ptr [esi-4]
00401C43 83F8 00 cmp eax, 0 ; EAX = length of the password string (author's note)
00401C46 |. 77 13 ja short 00401C5B
00401C48 |. 68 50214000 push 00402150 ; author: when the string length is below 3, four arguments are pushed (for the call at 401E84)
00401C4D |. 6A 51 push 51
00401C4F |. 6A 14 push 14
00401C51 |. 8D4C24 48 lea ecx, dword ptr [esp+48]
00401C55 |. 51 push ecx
00401C56 E9 1E020000 jmp 00401E79 ; jump to the failure message
00401C5B |> 8D4424 3C lea eax, dword ptr [esp+3C] ; eax = base of the dword table at [esp+3C] that the three loops below work on
00401C5F |. E8 4C020000 call 00401EB0 ; author: the stack does not change across this call
00401C64 |. 8B5C24 20 mov ebx, dword ptr [esp+20] ; ebx = iteration count of loop 1
00401C68 |. 33FF xor edi, edi ; edi = byte index
00401C6A |. 85DB test ebx, ebx
00401C6C |. 7E 5E jle short 00401CCC ; signed: a count <= 0 skips loop 1 entirely
00401C6E |. 8BFF mov edi, edi ; 2-byte no-op padding so the loop head 401C70 is 16-byte aligned
00401C70 |> 0FBE843C 9806>/movsx eax, byte ptr [esp+edi+698] ; loop 1: sign-extended byte i of the buffer at [esp+698]
00401C78 |. 8BC8 |mov ecx, eax
00401C7A |. C1F9 04 |sar ecx, 4
00401C7D |. 83E1 0F |and ecx, 0F ; ecx = high nibble (the mask also drops the sign-extension bits)
00401C80 |. 83E0 0F |and eax, 0F
00401C83 |. 8BF0 |mov esi, eax ; esi = low nibble
00401C85 |. 83F9 09 |cmp ecx, 9
00401C88 |. 76 0E |jbe short 00401C98 ; nibbles 0..9 are used as-is (9 itself is not reduced)
00401C8A |. B8 398EE338 |mov eax, 38E38E39 ; 0x38E38E39 = ceil(2^33 / 9): mul + shr 1 yields ecx / 9
00401C8F |. F7E1 |mul ecx
00401C91 |. D1EA |shr edx, 1 ; edx = ecx / 9
00401C93 |. 6BD2 F7 |imul edx, edx, -9
00401C96 |. 03CA |add ecx, edx ; ecx = ecx % 9 (0xA..0xF become 1..6)
00401C98 |> 83FE 09 |cmp esi, 9
00401C9B |. 76 0E |jbe short 00401CAB
00401C9D |. B8 398EE338 |mov eax, 38E38E39 ; same magic-number division by 9 for the low nibble
00401CA2 |. F7E6 |mul esi
00401CA4 |. D1EA |shr edx, 1
00401CA6 |. 6BD2 F7 |imul edx, edx, -9
00401CA9 |. 03F2 |add esi, edx ; esi = esi % 9
00401CAB |> 8D04CE |lea eax, dword ptr [esi+ecx*8]
00401CAE |. 03C1 |add eax, ecx ; eax = lo + 9*hi: the cell index
00401CB0 |. 47 |inc edi
00401CB1 |. 8D1480 |lea edx, dword ptr [eax+eax*4] ; edx = 5*index: each cell is 5 dwords (20 bytes)
00401CB4 |. 894C24 30 |mov dword ptr [esp+30], ecx
00401CB8 |. 897424 34 |mov dword ptr [esp+34], esi ; [esp+30]/[esp+34] are not read again anywhere in this listing
00401CBC |. C74494 3C FFE>|mov dword ptr [esp+edx*4+3C], EEFFE> ; marks cell[index].0; the immediate is cut off by the dump width
00401CC4 >|. 3BFB |cmp edi, ebx
00401CC6 |.^ 7C A8 \jl short 00401C70 ; signed loop test against ebx
00401CC8 |. 8B7424 10 mov esi, dword ptr [esp+10] ; esi = iteration count of loop 2
00401CCC |> 33FF xor edi, edi
00401CCE |. 85F6 test esi, esi
00401CD0 |. 0F8E BD000000 jle 00401D93 ; signed: a count <= 0 skips loop 2
00401CD6 |. BB FEFEFEFE mov ebx, FEFEFEFE ; sentinel compared against cell slots 1..4 below (who fills those slots is not visible here; presumably the call at 401C5F)
00401CDB |. EB 03 jmp short 00401CE0
00401CDD | 8D49 00 lea ecx, dword ptr [ecx] ; 3-byte no-op padding, jumped over; aligns the loop head 401CE0
00401CE0 |> 0FBE843C A406>/movsx eax, byte ptr [esp+edi+6A4] ; loop 2: byte i of the second buffer, 0xC bytes past the first one
00401CE8 |. 8BC8 |mov ecx, eax
00401CEA |. C1F9 04 |sar ecx, 4
00401CED |. 83E1 0F |and ecx, 0F ; ecx = high nibble
00401CF0 |. 83E0 0F |and eax, 0F
00401CF3 |. 8BF0 |mov esi, eax ; esi = low nibble
00401CF5 |. 83F9 09 |cmp ecx, 9
00401CF8 |. 76 0E |jbe short 00401D08 ; same nibble split and mod-9 reduction as loop 1
00401CFA |. B8 398EE338 |mov eax, 38E38E39
00401CFF |. F7E1 |mul ecx
00401D01 |. D1EA |shr edx, 1
00401D03 |. 6BD2 F7 |imul edx, edx, -9
00401D06 |. 03CA |add ecx, edx ; ecx = ecx % 9
00401D08 |> 83FE 09 |cmp esi, 9
00401D0B |. 76 0E |jbe short 00401D1B
00401D0D |. B8 398EE338 |mov eax, 38E38E39
00401D12 |. F7E6 |mul esi
00401D14 |. D1EA |shr edx, 1
00401D16 |. 6BD2 F7 |imul edx, edx, -9
00401D19 |. 03F2 |add esi, edx ; esi = esi % 9
00401D1B |> 8D04CE |lea eax, dword ptr [esi+ecx*8]
00401D1E |. 03C1 |add eax, ecx ; eax = lo + 9*hi: the cell index
00401D20 |. 8D0C80 |lea ecx, dword ptr [eax+eax*4]
00401D23 |. 03C9 |add ecx, ecx
00401D25 |. 03C9 |add ecx, ecx ; ecx = 20*index = byte offset of the cell from the table base
00401D27 |. 395C0C 40 |cmp dword ptr [esp+ecx+40], ebx ; cell[index].1 == sentinel?
00401D2B |. 74 10 |je short 00401D3D
00401D2D |. 8D5480 D3 |lea edx, dword ptr [eax+eax*4-2D] ; 5*index - 45 = 5*(index-9): slot 0 of the cell one row up; negative for index < 9, i.e. an access below the table base
00401D31 |. 817494 3C 111>|xor dword ptr [esp+edx*4+3C], 11111> ; immediate truncated by the dump; 401D4B shows the full constant 11111111
00401D39 |. 8D5494 3C |lea edx, dword ptr [esp+edx*4+3C] ; result is never used
00401D3D |> 395C0C 44 |cmp dword ptr [esp+ecx+44], ebx ; cell[index].2 == sentinel?
00401D41 |. 74 15 |je short 00401D58
00401D43 |. 8D5480 D3 |lea edx, dword ptr [eax+eax*4-2D] ; again cell[index-9].0
00401D47 |. 8B5494 3C |mov edx, dword ptr [esp+edx*4+3C]
00401D4B |. 81F2 11111111 |xor edx, 11111111
00401D51 |. 89940C F00000>|mov dword ptr [esp+ecx+F0], edx ; 0xF0 - 0x3C = 9 cells ahead: cell[index+9].0
00401D58 |> 395C0C 48 |cmp dword ptr [esp+ecx+48], ebx ; cell[index].3 == sentinel?
00401D5C |. 74 12 |je short 00401D70
00401D5E |. 8D5480 D3 |lea edx, dword ptr [eax+eax*4-2D]
00401D62 |. 8B5494 3C |mov edx, dword ptr [esp+edx*4+3C]
00401D66 |. 81F2 11111111 |xor edx, 11111111
00401D6C |. 89540C 28 |mov dword ptr [esp+ecx+28], edx ; 0x28 - 0x3C = one cell back: cell[index-1].0
00401D70 |> 395C0C 4C |cmp dword ptr [esp+ecx+4C], ebx ; cell[index].4 == sentinel?
00401D74 |. 74 12 |je short 00401D88
00401D76 |. 8D4480 D3 |lea eax, dword ptr [eax+eax*4-2D] ; index no longer needed after this, so eax is reused
00401D7A |. 8B5484 3C |mov edx, dword ptr [esp+eax*4+3C]
00401D7E |. 81F2 11111111 |xor edx, 11111111
00401D84 |. 89540C 50 |mov dword ptr [esp+ecx+50], edx ; 0x50 - 0x3C = one cell ahead: cell[index+1].0
00401D88 |> 47 |inc edi
00401D89 >|. 3B7C24 10 |cmp edi, dword ptr [esp+10]
00401D8D |.^ 0F8C 4DFFFFFF \jl 00401CE0 ; signed loop test
00401D93 |> 33C9 xor ecx, ecx ; ecx = running sum
00401D95 |. 8D8424 C80000>lea eax, dword ptr [esp+C8] ; eax - 0x8C == esp + 0x3C, the table base
00401D9C |. 8D51 03 lea edx, dword ptr [ecx+3] ; edx = 3 (ecx is zero): three passes of 27 cells each
00401D9F |. 90 nop ; 1-byte padding; loop head 401DA0 is 16-byte aligned
00401DA0 |> 8BB0 74FFFFFF /mov esi, dword ptr [eax-8C] ; loop 3: sums slot 0 of 27 consecutive cells (stride 0x14) per pass
00401DA6 |. 0370 88 |add esi, dword ptr [eax-78]
00401DA9 |. 05 1C020000 |add eax, 21C ; 0x21C = 27 * 20 bytes: advance one pass; later offsets are relative to the new eax
00401DAE |. 03B0 80FDFFFF |add esi, dword ptr [eax-280]
00401DB4 |. 03B0 94FDFFFF |add esi, dword ptr [eax-26C]
00401DBA |. 03B0 A8FDFFFF |add esi, dword ptr [eax-258]
00401DC0 |. 03B0 BCFDFFFF |add esi, dword ptr [eax-244]
00401DC6 |. 03B0 D0FDFFFF |add esi, dword ptr [eax-230]
00401DCC |. 03B0 F8FDFFFF |add esi, dword ptr [eax-208]
00401DD2 |. 03B0 E4FDFFFF |add esi, dword ptr [eax-21C]
00401DD8 |. 03CE |add ecx, esi ; cells 0..8 of this pass
00401DDA |. 8BB0 ACFEFFFF |mov esi, dword ptr [eax-154]
00401DE0 |. 03B0 98FEFFFF |add esi, dword ptr [eax-168]
00401DE6 |. 03B0 84FEFFFF |add esi, dword ptr [eax-17C]
00401DEC |. 03B0 70FEFFFF |add esi, dword ptr [eax-190]
00401DF2 |. 03B0 5CFEFFFF |add esi, dword ptr [eax-1A4]
00401DF8 |. 03B0 48FEFFFF |add esi, dword ptr [eax-1B8]
00401DFE |. 03B0 34FEFFFF |add esi, dword ptr [eax-1CC]
00401E04 |. 03B0 20FEFFFF |add esi, dword ptr [eax-1E0]
00401E0A |. 03B0 0CFEFFFF |add esi, dword ptr [eax-1F4]
00401E10 |. 03CE |add ecx, esi ; cells 9..17 of this pass
00401E12 |. 8BB0 60FFFFFF |mov esi, dword ptr [eax-A0]
00401E18 |. 03B0 4CFFFFFF |add esi, dword ptr [eax-B4]
00401E1E |. 03B0 38FFFFFF |add esi, dword ptr [eax-C8]
00401E24 |. 03B0 24FFFFFF |add esi, dword ptr [eax-DC]
00401E2A |. 03B0 10FFFFFF |add esi, dword ptr [eax-F0]
00401E30 |. 03B0 FCFEFFFF |add esi, dword ptr [eax-104]
00401E36 |. 03B0 E8FEFFFF |add esi, dword ptr [eax-118]
00401E3C |. 03B0 D4FEFFFF |add esi, dword ptr [eax-12C]
00401E42 |. 03B0 C0FEFFFF |add esi, dword ptr [eax-140]
00401E48 |. 03CE |add ecx, esi ; cells 18..26 of this pass
00401E4A |. 4A |dec edx
00401E4B |.^ 0F85 4FFFFFFF \jnz 00401DA0 ; 3 passes * 27 = 81 cells in total
00401E51 |. 81F9 4EFA9EFA cmp ecx, FA9EFA4E ; the whole check collapses to one 32-bit sum compared against a constant
00401E57 90 nop ; author's patch: the 2-byte conditional jump that followed the compare was replaced by two nops
00401E58 90 nop
00401E59 |. 52 push edx ; /Style
00401E5A |. 68 70D95400 push 0054D970 ; |Title = "0"
00401E5F |. 68 74D95400 push 0054D974 ; |Text = "good"
00401E64 |. 52 push edx ; |hOwner
00401E65 |. FF15 40585200 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00401E6B |> 68 50214000 push 00402150 ; failure path: the same four arguments as at 401C48
00401E70 |. 6A 51 push 51
00401E72 |. 6A 14 push 14
00401E74 |. 8D4424 48 lea eax, dword ptr [esp+48]
00401E78 |. 50 push eax
00401E79 |> C78424 D00700>mov dword ptr [esp+7D0], -1
00401E84 |. E8 BFEC0F00 call 00500B48 ; author: four arguments must be pushed on the stack before calling this function
CrackMe-爆破文件.rar
(686.64 KB, 下载次数: 14)