; CrackMe main routine as captured in an OllyDbg listing (x86-32, Win32 API, stdcall).
; Flow: AllocConsole -> print a 5-byte prompt -> ReadFile one line into 0x403028 ->
; strip the trailing 2-byte line break -> fold the input into a 32-bit value in edx ->
; store it at 0x403024 and XOR it over the 4 bytes at 0x403005 -> accept iff the 4
; decoded bytes sum to 0x2DB -> print one of two fixed messages -> spin forever.
; Globals used: 0x403018 = stdin handle, 0x40301C = stdout handle, 0x403020 = byte-count
; scratch, 0x403024 = hash/key dword, 0x403028 = input buffer (its size is not visible here).
; Sub 004010F9 is not in this listing; it is called with one pushed pointer, the caller does
; not clean the stack afterwards, and its eax result is used as a length -- presumably a
; stdcall strlen-style routine that pops its own argument (confirm in its body).
; Validation note: the only acceptance test is a byte sum (0x2DB) over 4 decoded bytes, so
; it is a weak check -- many different inputs produce a key that passes.
[Asm] 纯文本查看 复制代码 00401000 > $ E8 0D010000 call <jmp.&kernel32.AllocConsole> ; [AllocConsole
00401005 . 6A F6 push -0xA ; /DevType = STD_INPUT_HANDLE
00401007 . E8 0C010000 call <jmp.&kernel32.GetStdHandle> ; \GetStdHandle
0040100C . A3 18304000 mov dword ptr ds:[0x403018],eax ; [0x403018] = stdin handle
00401011 . 6A F5 push -0xB ; /DevType = STD_OUTPUT_HANDLE
00401013 . E8 00010000 call <jmp.&kernel32.GetStdHandle> ; \GetStdHandle
00401018 . A3 1C304000 mov dword ptr ds:[0x40301C],eax ; [0x40301C] = stdout handle
; WriteFile(hStdout, 0x403000, 5, 0x403020, NULL): print the 5-byte prompt
0040101D . 6A 00 push 0x0 ; /pOverlapped = NULL
0040101F . 68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
00401024 . 6A 05 push 0x5 ; |nBytesToWrite = 0x5
00401026 . 68 00304000 push CrackMe.00403000 ; |Buffer = CrackMe.00403000 (5-byte prompt)
0040102B . FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
00401031 . E8 EE000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
; ReadFile(hStdin, 0x403028, 0x200, 0x403020, NULL): read the user's line.
; The byte count written to 0x403020 is never consulted below; the code measures the
; input with a length routine instead, so it relies on a terminator being present
; after the read (not visible here).
00401036 . 6A 00 push 0x0 ; /pOverlapped = NULL
00401038 . 68 20304000 push CrackMe.00403020 ; |pBytesRead = CrackMe.00403020
0040103D . 68 00020000 push 0x200 ; |BytesToRead = 200 (512.) -- upper bound on the read
00401042 . 68 28304000 push CrackMe.00403028 ; |Buffer = CrackMe.00403028 (input buffer)
00401047 . FF35 18304000 push dword ptr ds:[0x403018] ; |hFile = 00000003
0040104D . E8 CC000000 call <jmp.&kernel32.ReadFile> ; \ReadFile
00401052 . 68 28304000 push CrackMe.00403028 ; ASCII "123456" (sample input seen by the debugger)
00401057 . E8 9D000000 call CrackMe.004010F9 ; eax = length of the input (sub not shown)
0040105C . 8D1D 28304000 lea ebx,dword ptr ds:[0x403028] ; ebx = input buffer
; Strip the line break: zero the last two bytes (CR LF). This is unconditional -- input
; without a trailing CRLF loses two real characters, and a length below 2 makes the store
; land before the buffer (0x403026/0x403027, inside the dword later written at 0x403024).
00401062 . 66:C74418 FE >mov word ptr ds:[eax+ebx-0x2],0x0 ; s[len-2..len-1] = 0
00401069 . 53 push ebx
0040106A . E8 8A000000 call CrackMe.004010F9 ; eax = length again, now without the line break
0040106F . 8BC8 mov ecx,eax ; ecx = length
00401071 . 8D3D 28304000 lea edi,dword ptr ds:[0x403028] ; edi -> input string
00401077 . 33C0 xor eax,eax ; eax = byte index
00401079 . 33DB xor ebx,ebx ; ebx = rolling 4-byte window
0040107B . 33D2 xor edx,edx ; edx = running hash
; Hash loop: load each byte into bh, rotate ebx right by 8 so the new byte lands in bl and
; the older bytes move up, then add the whole ebx to edx.
; NOTE(review): the exit test is an equality compare after the increment, so a length of 0
; never matches -- the loop keeps reading past the buffer until eax wraps around.
0040107D > 8A3C07 mov bh,byte ptr ds:[edi+eax] ; bh = s[eax]
00401080 . C1CB 08 ror ebx,0x8 ; new byte -> bl; previous bytes rotate upward
00401083 . 03D3 add edx,ebx ; edx += ebx
00401085 . 40 inc eax ; eax++
00401086 . 3BC1 cmp eax,ecx ; all bytes consumed?
00401088 . 74 02 je short CrackMe.0040108C ; yes: edx = hash of the whole string
0040108A .^ EB F1 jmp short CrackMe.0040107D ; no: next byte. At exit ebx holds the last 4 bytes; read high-to-low as s[n-2],s[n-3],s[n-4],s[n-1] (the "3214" order)
0040108C > 33C9 xor ecx,ecx ; ecx = decode-loop counter
0040108E . 8915 24304000 mov dword ptr ds:[0x403024],edx ; key dword = hash; sits 4 bytes before the input buffer
00401094 . 33F6 xor esi,esi ; esi = checksum of decoded bytes
00401096 . EB 1A jmp short CrackMe.004010B2 ; enter at the loop test
; Decode loop, 4 iterations: data[0x403005+i] ^= key[0x403024+i]; esi += decoded byte.
00401098 > 8A81 05304000 mov al,byte ptr ds:[ecx+0x403005] ; al = data byte (debugger shows "y7!")
0040109E . 3281 24304000 xor al,byte ptr ds:[ecx+0x403024] ; al ^= key byte (the hash stored above)
004010A4 . 8881 05304000 mov byte ptr ds:[ecx+0x403005],al ; write the decoded byte back in place
004010AA . 25 FF000000 and eax,0xFF ; not dead: eax still holds the length from the hash loop (eax == ecx at its exit) and 'mov al' leaves bits 8..31 alone; they are zero only for input shorter than 256 bytes, and ReadFile allows up to 0x200
004010AF . 03F0 add esi,eax ; esi += decoded byte
004010B1 . 41 inc ecx ; ecx++
004010B2 > 83F9 04 cmp ecx,0x4 ; 4 bytes processed?
004010B5 .^ 75 E1 jnz short CrackMe.00401098 ; no: next byte
004010B7 . 81FE DB020000 cmp esi,0x2DB ; checksum of the 4 decoded bytes == 0x2DB (731.)?
004010BD . 74 1B je short CrackMe.004010DA ; yes: print the decoded bytes (success path)
; Mismatch: WriteFile(hStdout, 0x40300B, 10): a fixed 10-byte message, presumably the failure text
004010BF . 6A 00 push 0x0 ; /pOverlapped = NULL
004010C1 . 68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
004010C6 . 6A 0A push 0xA ; |nBytesToWrite = A (10.)
004010C8 . 68 0B304000 push CrackMe.0040300B ; |Buffer = CrackMe.0040300B (fixed message)
004010CD . FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
004010D3 . E8 4C000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
004010D8 . EB 19 jmp short CrackMe.004010F3 ; skip the success path
; Match: WriteFile(hStdout, 0x403005, 6): the 4 XOR-decoded bytes plus the 2 that follow,
; presumably the success text. Note the bytes were decoded in place regardless of the outcome.
004010DA > 6A 00 push 0x0 ; /pOverlapped = NULL
004010DC . 68 20304000 push CrackMe.00403020 ; |pBytesWritten = CrackMe.00403020
004010E1 . 6A 06 push 0x6 ; |nBytesToWrite = 0x6
004010E3 . 68 05304000 push CrackMe.00403005 ; |Buffer = CrackMe.00403005 (decoded bytes)
004010E8 . FF35 1C304000 push dword ptr ds:[0x40301C] ; |hFile = 00000007
004010EE . E8 31000000 call <jmp.&kernel32.WriteFile> ; \WriteFile
; Spin: push the address of this very instruction and 'ret' to it. The push/ret pair is
; stack-balanced, so this is an infinite loop that keeps the console window open.
004010F3 > 68 F3104000 push CrackMe.004010F3 ; push own address
004010F8 . C3 retn ; ret pops it and jumps back to 004010F3