160 Practice CrackMes - 037
Source: Internet  Editor: 程序博客网  Date: 2024/06/07 10:44
1. VB, not packed
2. VB Decompiler + OD
Locate the Check button event handler, search the strings, and find "Correct password".
0040E137 . 66:85FF test di,di
0040E13A . 0F84 2C010000 je CyberBla.0040E26C ; key jump
0040E140 . BB 04000280 mov ebx,0x80020004
0040E145 . BF 0A000000 mov edi,0xA
0040E14A . BE 08000000 mov esi,0x8
0040E14F . 8D55 80 lea edx,dword ptr ss:[ebp-0x80]
0040E152 . 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
0040E155 . 895D A8 mov dword ptr ss:[ebp-0x58],ebx
0040E158 . 897D A0 mov dword ptr ss:[ebp-0x60],edi
0040E15B . 895D B8 mov dword ptr ss:[ebp-0x48],ebx
0040E15E . 897D B0 mov dword ptr ss:[ebp-0x50],edi
0040E161 . C745 88 5C354>mov dword ptr ss:[ebp-0x78],CyberBla.004>; Correct password
0040E168 . 8975 80 mov dword ptr ss:[ebp-0x80],esi
0040E16B . FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>; MSVBVM50.__vbaVarDup
0040E171 . 8D55 90 lea edx,dword ptr ss:[ebp-0x70]
0040E174 . 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
0040E177 . C745 98 FC344>mov dword ptr ss:[ebp-0x68],CyberBla.004>; Not bad, you have found the correct password.
0040E17E . 8975 90 mov dword ptr ss:[ebp-0x70],esi
0040E181 . FF15 78114100 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>; MSVBVM50.__vbaVarDup
0040E187 . 8D55 A0 lea edx,dword ptr ss:[ebp-0x60]
If di != 0, the success message box is shown.
Looking upward from here, edi is assigned at 0040E11E.
0040E0E8 > \8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040E0EB . 51 push ecx ; the entered Serial is converted to a floating-point number
0040E0EC . FF15 5C114100 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; MSVBVM50.__vbaR8Str
0040E0F2 . DB43 4C fild dword ptr ds:[ebx+0x4C] ; push the correct key
0040E0F5 . DD9D 38FFFFFF fstp qword ptr ss:[ebp-0xC8]
0040E0FB . DCA5 38FFFFFF fsub qword ptr ss:[ebp-0xC8] ; Serial - key
0040E101 . DFE0 fstsw ax
0040E103 . A8 0D test al,0xD
0040E105 . 0F85 EB030000 jnz CyberBla.0040E4F6
0040E10B . FF15 14114100 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; MSVBVM50.__vbaFpR8
0040E111 . DC1D 08104000 fcomp qword ptr ds:[0x401008] ; compare with 0.0
0040E117 . DFE0 fstsw ax
0040E119 . F6C4 40 test ah,0x40 ; if the corresponding bit is 1, edi is assigned
0040E11C . 74 05 je XCyberBla.0040E123
0040E11E . BF 01000000 mov edi,0x1 ; assign edi
0040E123 > 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0040E126 . FF15 8C114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; MSVBVM50.__vbaFreeStr
0040E12C . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040E12F . FF15 90114100 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>; MSVBVM50.__vbaFreeObj
0040E135 . F7DF neg edi
0040E137 . 66:85FF test di,di
0040E13A . 0F84 2C010000 je CyberBla.0040E26C ; key jump
0040E140 . BB 04000280 mov ebx,0x80020004
Set a breakpoint at 0040E0F2, run to it, and look at the information pane: the decimal value 3157561288 is the password.
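The flag tests in the second listing are easier to follow as a C model. This is an added example, not code from the original post or from the CrackMe: it shows how the fcomp condition codes reach the `test ah,0x40` check and why di ends up as 0xFFFF on a match. The names `fcomp_sw` and `check_di` and the sample key are constructed for illustration, and `__vbaFpR8` is assumed to pass the value through unchanged.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* x87 status-word bits; fstsw ax puts the low byte in AL and the high byte in AH. */
#define SW_IE 0x0001u /* invalid operation, AL bit 0 */
#define SW_ZE 0x0004u /* divide by zero,    AL bit 2 */
#define SW_OE 0x0008u /* overflow,          AL bit 3 */
#define SW_C0 0x0100u /* AH bit 0 */
#define SW_C2 0x0400u /* AH bit 2 */
#define SW_C3 0x4000u /* AH bit 6, the 0x40 in "test ah,0x40" */

/* Condition codes fcomp leaves for ST(0) compared with src. */
static uint16_t fcomp_sw(double st0, double src) {
    if (isnan(st0) || isnan(src)) return SW_C3 | SW_C2 | SW_C0 | SW_IE; /* unordered */
    if (st0 == src) return SW_C3;
    if (st0 < src) return SW_C0;
    return 0; /* st0 > src */
}

/* Value of di tested at 0040E137: 0xFFFF on a match, 0 otherwise.
   *fp_error is set when the "test al,0xD / jnz 0040E4F6" branch would be taken
   (that target is not shown on the page). */
static uint16_t check_di(double serial, int32_t key, int *fp_error) {
    double diff = serial - (double)key;            /* fild (signed dword), fstp, fsub */
    uint16_t sw = isnan(diff) ? SW_IE : 0;         /* exception flags after fsub */
    uint32_t edi = 0;
    *fp_error = (sw & (SW_IE | SW_ZE | SW_OE)) != 0; /* test al,0xD */
    if (*fp_error) return 0;
    sw = fcomp_sw(diff, 0.0);                      /* fcomp qword ptr ds:[0x401008] */
    if (((sw >> 8) & 0x40) != 0) edi = 1;          /* test ah,0x40 ; mov edi,0x1 */
    edi = 0u - edi;                                /* neg edi: 1 becomes 0xFFFFFFFF */
    return (uint16_t)edi;                          /* test di,di */
}

int main(void) {
    int err;
    const int32_t key = 123456; /* constructed sample key, not the program's value */
    printf("equal:    di=0x%04X\n", (unsigned)check_di(123456.0, key, &err));
    printf("off by 1: di=0x%04X\n", (unsigned)check_di(123457.0, key, &err));
    check_di(NAN, key, &err);
    printf("NaN:      fp_error=%d\n", err);
    return 0;
}
```

The 0xFFFF result is the 16-bit Visual Basic Boolean True (-1), which is why the listing negates edi before testing di.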