160个练手CrackMe-033
1、汇编级程序
2、OD载入
搜索字符串,定位“Good work!”对话框,查找参考。
; Final comparison of the two derived values (eax and ebx are loaded by the call sequence at 00401228).
00401241 . 3BC3 cmp eax,ebx
00401243 . 74 07 je XCruehead.0040124C ; equal -> success branch at 0040124C
00401245 . E8 18010000 call Cruehead.00401362 ; No luck
0040124A .^ EB 9A jmp XCruehead.004011E6
0040124C > E8 FC000000 call Cruehead.0040134D ; Good work
00401251 .^ EB 93 jmp XCruehead.004011E6
直接条件是判断 eax == ebx;
eax, ebx 分别来自于:
; Call sequence that produces the two values compared at 00401241.
00401228 . 68 8E214000 push Cruehead.0040218E ; Name
0040122D . E8 4C010000 call Cruehead.0040137E ; result returned in eax
00401232 . 50 push eax ; keep the Name result on the stack across the next call
00401233 . 68 7E214000 push Cruehead.0040217E ; Serial
00401238 . E8 9B010000 call Cruehead.004013D8 ; result returned in ebx
0040123D . 83C4 04 add esp,0x4 ; drop the Serial argument
00401240 . 58 pop eax ; restore the Name result
00401241 . 3BC3 cmp eax,ebx
call 0040137E(Name):
; Name routine: checks and adjusts each byte of Name, then returns (sum of bytes) xor 0x5678 in eax.
0040137E /$ 8B7424 04 mov esi,dword ptr ss:[esp+0x4]
00401382 |. 56 push esi ; remember the start of Name for the summing call below
00401383 |> 8A06 /mov al,byte ptr ds:[esi]
00401385 |. 84C0 |test al,al
00401387 |. 74 13 |je XCruehead.0040139C ; NUL terminator -> leave the loop
00401389 |. 3C 41 |cmp al,0x41 ; 'A'
0040138B |. 72 1F |jb XCruehead.004013AC ; Name[i] < 'A' -> failure path
0040138D |. 3C 5A |cmp al,0x5A ; 'Z'
0040138F |. 73 03 |jnb XCruehead.00401394 ; taken when Name[i] >= 'Z' (unsigned), so for 'Z' itself too; 004013D2 is not listed here, the author annotates it as Name[i] -= 0x20 (lower case to upper case)
00401391 |. 46 |inc esi
00401392 |.^ EB EF |jmp XCruehead.00401383
00401394 |> E8 39000000 |call Cruehead.004013D2
00401399 |. 46 |inc esi
0040139A |.^ EB E7 \jmp XCruehead.00401383
0040139C |> 5E pop esi
0040139D |. E8 20000000 call Cruehead.004013C2 ; sum(Name[i]); 004013C2 is not listed here, presumably it leaves the sum in edi
004013A2 |. 81F7 78560000 xor edi,0x5678
004013A8 |. 8BC7 mov eax,edi
004013AA |. EB 15 jmp XCruehead.004013C1
; Failure path: shows the message box and returns without setting eax explicitly.
004013AC |> 5E pop esi
004013AD |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000 push Cruehead.00402160 ; |No luck!
004013B4 |. 68 69214000 push Cruehead.00402169 ; |No luck there, mate!
004013B9 |. FF75 08 push [arg.1] ; |hOwner
004013BC |. E8 79000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004013C1 \> C3 retn
原型:
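/*
 * C model of the Name routine at 0040137E.
 *
 * Walks Name up to its NUL terminator. A byte below 'A' ends the routine on
 * the "No luck!" path. A byte at or above 'Z' has 0x20 subtracted in place:
 * the listing's `cmp al,0x5A` / `jnb` is taken for 'Z' itself as well as for
 * everything above it, so this is not a clean lower-to-upper conversion and
 * bytes such as '[' or '{' are accepted too. The adjusted bytes are summed
 * and the sum is XORed with 0x5678.
 *
 * Returns the XORed sum, or 0 on the failure path. The 0 is a simplification:
 * the listing returns right after MessageBoxA without setting eax itself.
 * MessageBox() is shorthand for the MessageBoxA call in the listing.
 */
int call_0040137E(char *Name){
    int sum = 0;
    for(int i = 0; Name[i] != 0; i++){
        /* The listing branches with jb/jnb, i.e. it compares unsigned bytes. */
        unsigned char c = (unsigned char)Name[i];
        if(c < 'A'){
            MessageBox("No luck!");
            return 0;
        }
        if(c >= 'Z'){
            c -= 0x20;
            Name[i] = (char)c;
        }
        /* The summing routine (004013C2) is not shown on the page;
           assumes it adds each byte zero-extended -- TODO confirm. */
        sum += c;
    }
    return sum ^ 0x5678;
}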
Name只能是字母。
call 004013D8(Serial):
; Serial routine: folds the Serial string into a number in edi (base 10), then returns edi xor 0x1234 in ebx.
004013D8 /$ 33C0 xor eax,eax
004013DA |. 33FF xor edi,edi ; accumulator = 0
004013DC |. 33DB xor ebx,ebx
004013DE |. 8B7424 04 mov esi,dword ptr ss:[esp+0x4]
004013E2 |> B0 0A /mov al,0xA ; multiplier 10
004013E4 |. 8A1E |mov bl,byte ptr ds:[esi]
004013E6 |. 84DB |test bl,bl
004013E8 |. 74 0B |je XCruehead.004013F5 ; NUL terminator -> leave the loop
004013EA |. 80EB 30 |sub bl,0x30 ; int(Serial[i]); done in the register only, the buffer is not written, and no range check is made on the byte
004013ED |. 0FAFF8 |imul edi,eax
004013F0 |. 03FB |add edi,ebx ; edi = edi * 0x0A + digit
004013F2 |. 46 |inc esi
004013F3 |.^ EB ED \jmp XCruehead.004013E2
004013F5 |> 81F7 34120000 xor edi,0x1234
004013FB |. 8BDF mov ebx,edi
004013FD \. C3 retn
原型
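/*
 * C model of the Serial routine at 004013D8.
 *
 * Folds the NUL-terminated Serial string into a number, base 10, and returns
 * that number XORed with 0x1234. As in the listing, there is no check that
 * each byte is a decimal digit: every byte has 0x30 subtracted (wrapping at
 * 8 bits, like `sub bl,0x30`) and is added to the running value.
 *
 * Serial is only read. The listing does the subtraction in a register, so the
 * caller's buffer is left untouched. The accumulator is unsigned so that a
 * long input wraps at 32 bits the way the register does instead of relying on
 * signed overflow.
 */
int call_004013D8(char *Serial){
    unsigned int ret = 0;
    for(int i = 0; Serial[i] != 0; i++){
        unsigned char digit = (unsigned char)(Serial[i] - 0x30);
        ret = ret * 0x0A + digit;
    }
    return (int)(ret ^ 0x1234u);
}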
就是把字符串转为整型
3、注册机
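def keygen(Serial):
    """Return the number that the two routines above treat as matching a name.

    The parameter keeps its original name, but the value passed in is the
    Name field; the return value is what the Serial field has to parse to.

    Each character is adjusted the way the Name routine does it: a code at or
    above 0x5A ('Z') has 0x20 subtracted, because the listing's `jnb` is taken
    for 'Z' itself as well as for lower-case letters. The adjusted codes are
    summed, XORed with 0x5678 (Name routine) and then with 0x1234 (Serial
    routine). Both constants are read straight from the listings.

    The program rejects a name containing any byte below 'A' before the
    comparison is reached, so the result is meaningless for such input.

    >>> keygen('ABC')
    17546
    """
    total = 0
    for ch in Serial:
        code = ord(ch)
        # str.upper() returns a new string and would leave 'Z' unchanged,
        # so the adjustment is applied per character instead.
        if code >= 0x5A:
            code -= 0x20
        total += code
    return total ^ 0x5678 ^ 0x1234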