具体算法没有细看，大致流程是先要求输入七次；如果某次输入与之前相同，似乎会直接失败（这是试出来的，不是从代码里看出来的）。
然后在反汇编中看到了 SUCCESS 字符串和 cout 调用，爆破的话应该就是看这附近了。下面的做法是把 cout 之前几处条件跳转改成 NOP，让程序无条件走到输出 SUCCESS 的路径——这只是绕过了校验，并没有还原校验算法本身（我都不知道这样算不算破解，见谅）。
; OllyDbg excerpt (Win32, MSVC runtime 100) around the "Success" output.
; The enclosing function begins before this excerpt; only its tail is shown.
; Each 2-byte NOP pair below (0x401410, 0x401415, 0x40141F) sits directly after
; a flag-setting instruction — exactly where a short Jcc would be.  They were
; presumably patched out so the cout path is reached unconditionally; this
; bypasses the check rather than reproducing the algorithm behind it.
[Asm] 纯文本查看 复制代码 00401404 > \B9 70414000 mov ecx,CM.00404170 ; ecx = &"Success" (OllyDbg string annotation); argument for the call below
00401409 . E8 42FCFFFF call CM.00401050 ; original note: judging by the output arguments below, reconstructed as pseudocode "REP MOVSB ECX->EDX" (string copied into the object at [esp+0x14]?) — unverified
0040140E . 85C0 test eax,eax ; ZF from the return value; the branch that consumed it is gone (next two bytes are NOP)
00401410 90 nop ; original note: these miscellaneous jumps check something unknown, but all of them skip the cout — here replaced by NOPs (2 bytes = size of a short Jcc)
00401411 90 nop
00401412 . 83FE 07 cmp esi,0x7 ; esi vs 7 — presumably the "seven inputs" counter mentioned in the post; esi is set before this excerpt
00401415 90 nop ; NOP pair where the Jcc following the cmp would be
00401416 90 nop
00401417 . 83FE 07 cmp esi,0x7 ; compare repeated (nop preserves flags, so this is redundant either way); result feeds setne
0040141A . 0F95C0 setne al ; al = (esi != 7)
0040141D . 85C0 test eax,eax ; ZF = (esi == 7); the Jcc after it has also been NOPed out
0040141F 90 nop
00401420 90 nop
00401421 . 8B0D 6C404000 mov ecx,dword ptr ds:[<&MSVCP100.std::cout>] ; ecx = &std::cout
00401427 . 8D4424 14 lea eax,dword ptr ss:[esp+0x14] ; eax = &local object at [esp+0x14] (the string to print)
0040142B . 50 push eax ; arg 2: the string object
0040142C . 51 push ecx ; arg 1: std::cout
0040142D . E8 1E0C0000 call CM.00402050 ; presumably operator<<(ostream&, const string&) — the "cout" the post refers to
00401432 . 83C4 08 add esp,0x8 ; caller pops both args (cdecl)
00401435 . 397C24 28 cmp dword ptr ss:[esp+0x28],edi ; object field at +0x28 vs edi (edi is set before this excerpt)
00401439 . 72 0E jb short CM.00401449 ; unsigned: field < edi -> skip the delete; looks like MSVC std::string's small-buffer check (capacity < 16 => no heap buffer) — confirm edi == 0x10
0040143B . 8B5424 14 mov edx,dword ptr ss:[esp+0x14] ; heap buffer pointer held at [esp+0x14]
0040143F . 52 push edx
00401440 . FF15 D4404000 call dword ptr ds:[<&MSVCR100.operator delete>] ; free the heap buffer
00401446 . 83C4 04 add esp,0x4
00401449 > 8B4C24 38 mov ecx,dword ptr ss:[esp+0x38] ; saved pointer to the previous SEH record
0040144D . 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's SEH handler: fs:[0] = previous record
00401454 . 59 pop ecx ; discard one stack slot (handler bookkeeping left by the prologue, which is outside this excerpt)
00401455 . 5F pop edi ; restore callee-saved edi/esi
00401456 . 5E pop esi
00401457 . 8B4C24 24 mov ecx,dword ptr ss:[esp+0x24] ; stack cookie saved in the frame
0040145B . 33CC xor ecx,esp ; un-XOR it with esp ...
0040145D . E8 36160000 call CM.00402A98 ; ... and verify it — matches the MSVC /GS __security_check_cookie pattern; a patch that corrupts the frame below the cookie will abort here, so NOPing in place (as done above) is the safe way to patch this function
00401462 . 8BE5 mov esp,ebp ; frame teardown
00401464 . 5D pop ebp
00401465 . C3 retn