160 - 19 Brad Soblesky.2
环境:
windows xp sp3
工具:
OD,exeinfope
查壳:
用exeinfope查壳,发现没有壳而且是vc编译的
随便输入一个name和serial,name = "12345" serial = "678910"
弹出错误窗口,OD载入后直接搜索字符串,然后反汇编窗口跟随
文本字串参考位于 Brad_Sob:.text
地址 反汇编 文本字串
0040157D push Brad_Sob.00404020 ASCII "CrackMe"
00401582 push Brad_Sob.00404028 ASCII "User Name must have at least 5 characters."
00401618 jmp XBrad_Sob.004015C7 (初始 CPU 选择)
0040161E push Brad_Sob.00404054 ASCII "%lu"
00401669 mov esi,Brad_Sob.00404058 ASCII "Correct!! "
0040168E mov esi,Brad_Sob.00404078 ASCII "<BrD-SoB> "
004016B3 mov esi,Brad_Sob.00404098 ASCII "Incorrect!!, Try Again."
004016D1 mov esi,Brad_Sob.004040B0 ASCII "Correct way to go, You Got It."
004016F3 push Brad_Sob.004040D0 ASCII "CrackMe"
00401765 push Brad_Sob.004040D8 ASCII "CrackMe"
00401F75 push 0x10000 UNICODE "=::=::\"
这一次看上去好像很复杂,其实仔细一分析是挺简单的
;-----------------------------------------------------------------------
; Brad_Sob.004014DF  -  dialog "check" handler (OllyDbg listing, x86-32)
; ABI:    thiscall (ecx = this, the MFC dialog object); MFC42 imports by ordinal
; Locals: local.5  = Name (CString),  local.6 = entered serial (CString),
;         local.9  = computed serial (CString, formatted with "%lu"),
;         local.4  = 32-bit hash accumulator, local.7 = Name length,
;         local.8  = loop index i, local.112 = saved this, [ebp-4] = SEH state
; Flow:   read Name/serial -> require len(Name) >= 5 -> hash Name ->
;         format hash as unsigned decimal -> compare with entered serial ->
;         MessageBox with resource string 0x66 (match) or 0x67 (mismatch)
; NOTE(review): MFC42 ordinal meanings below (CString ctor/dtor/Format/
; LoadString, CWnd::GetDlgItemText/MessageBox) are inferred from usage
; in this listing - confirm against the import table.
;-----------------------------------------------------------------------
004014DF /. 55 push ebp
004014E0 |. 8BEC mov ebp,esp
004014E2 |. 6A FF push -0x1
004014E4 |. 68 8F204000 push Brad_Sob.0040208F ; SE handler installation (compiler-generated exception frame)
004014E9 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004014EF |. 50 push eax
004014F0 |. 64:8925 00000>mov dword ptr fs:[0],esp ; link this frame into the SEH chain
004014F7 |. 81EC B4010000 sub esp,0x1B4 ; 0x1B4 bytes of locals (CStrings + string scratch buffers)
004014FD |. 56 push esi
004014FE |. 57 push edi
004014FF |. 898D 40FEFFFF mov [local.112],ecx ; save this (thiscall) for the MFC calls below
00401505 |. C745 F0 45632>mov [local.4],0x81276345 ; hash accumulator seed
0040150C |. 68 AC414000 push Brad_Sob.004041AC
00401511 |. 8D4D EC lea ecx,[local.5]
00401514 |. E8 77080000 call <jmp.&MFC42.#537> ; local.5 = CString (ctor from literal, presumably) - will hold Name
00401519 |. C745 FC 00000>mov [local.1],0x0 ; SEH unwind state = 0 (one CString live)
00401520 |. 68 B0414000 push Brad_Sob.004041B0
00401525 |. 8D4D E8 lea ecx,[local.6]
00401528 |. E8 63080000 call <jmp.&MFC42.#537> ; local.6 = CString - will hold the entered serial
0040152D |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1 ; unwind state = 1
00401531 |. 68 B4414000 push Brad_Sob.004041B4
00401536 |. 8D4D DC lea ecx,[local.9]
00401539 |. E8 52080000 call <jmp.&MFC42.#537> ; local.9 = CString - will hold the computed serial
0040153E |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2 ; unwind state = 2
00401542 |. 8D45 EC lea eax,[local.5]
00401545 |. 50 push eax ; &Name
00401546 |. 68 E8030000 push 0x3E8 ; control ID 1000
0040154B |. 8B8D 40FEFFFF mov ecx,[local.112]
00401551 |. E8 34080000 call <jmp.&MFC42.#3097> ; read Name from control 0x3E8 (GetDlgItemText-style call, presumably)
00401556 |. 8D4D E8 lea ecx,[local.6]
00401559 |. 51 push ecx ; &serial
0040155A |. 68 E9030000 push 0x3E9 ; control ID 1001
0040155F |. 8B8D 40FEFFFF mov ecx,[local.112]
00401565 |. E8 20080000 call <jmp.&MFC42.#3097> ; read serial from control 0x3E9
0040156A |. 8D4D EC lea ecx,[local.5]
0040156D |. E8 DE020000 call Brad_Sob.00401850 ; eax = length of Name
00401572 |. 8945 E4 mov [local.7],eax ; local.7 = name_len
00401575 |. 837D E4 05 cmp [local.7],0x5 ; Name (not serial) must have at least 5 characters
00401579 |. 7D 43 jge XBrad_Sob.004015BE ; signed compare; len >= 5 -> go hash
0040157B |. 6A 40 push 0x40 ; MB_ICONINFORMATION
0040157D |. 68 20404000 push Brad_Sob.00404020 ; ASCII "CrackMe"
00401582 |. 68 28404000 push Brad_Sob.00404028 ; ASCII "User Name must have at least 5 characters."
00401587 |. 8B8D 40FEFFFF mov ecx,[local.112]
0040158D |. E8 F2070000 call <jmp.&MFC42.#4224> ; MessageBox-style call (presumably CWnd::MessageBoxA)
00401592 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401596 |. 8D4D DC lea ecx,[local.9]
00401599 |. E8 C2070000 call <jmp.&MFC42.#800> ; destroy local.9 (CString dtor, presumably)
0040159E |. C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
004015A2 |. 8D4D E8 lea ecx,[local.6]
004015A5 |. E8 B6070000 call <jmp.&MFC42.#800> ; destroy local.6
004015AA |. C745 FC FFFFF>mov [local.1],-0x1
004015B1 |. 8D4D EC lea ecx,[local.5]
004015B4 |. E8 A7070000 call <jmp.&MFC42.#800> ; destroy local.5
004015B9 |. E9 F9010000 jmp Brad_Sob.004017B7 ; -> epilogue
004015BE |> C745 E0 00000>mov [local.8],0x0 ; i = 0
004015C5 |. EB 09 jmp XBrad_Sob.004015D0 ; enter loop at the condition check
004015C7 |> 8B55 E0 /mov edx,[local.8]
004015CA |. 83C2 01 |add edx,0x1
004015CD |. 8955 E0 |mov [local.8],edx ; i++
004015D0 |> 8B45 E0 mov eax,[local.8]
004015D3 |. 3B45 E4 |cmp eax,[local.7] ; i < name_len ?  (signed compare)
004015D6 |. 7D 42 |jge XBrad_Sob.0040161A ; loop exit
004015D8 |. 8B4D E0 |mov ecx,[local.8]
004015DB |. 51 |push ecx ; i
004015DC |. 8D4D EC |lea ecx,[local.5] ; this = &Name
004015DF |. E8 1C030000 |call Brad_Sob.00401900 ; al = Name[i]
004015E4 |. 0FBED0 |movsx edx,al ; sign-extend the character to 32 bits
004015E7 |. 8B45 F0 |mov eax,[local.4]
004015EA |. 03C2 |add eax,edx ; acc += (signed char)Name[i]
004015EC |. 8945 F0 |mov [local.4],eax
004015EF |. 8B4D E0 |mov ecx,[local.8] ; i
004015F2 |. C1E1 08 |shl ecx,0x8 ; i << 8
004015F5 |. 8B55 F0 |mov edx,[local.4]
004015F8 |. 33D1 |xor edx,ecx ; acc ^= i << 8
004015FA |. 8955 F0 |mov [local.4],edx
004015FD |. 8B45 E0 |mov eax,[local.8]
00401600 |. 83C0 01 |add eax,0x1 ; eax = i + 1
00401603 |. 8B4D E4 |mov ecx,[local.7] ; name_len
00401606 |. 0FAF4D E0 |imul ecx,[local.8] ; ecx = name_len * i
0040160A |. F7D1 |not ecx ; ecx = ~(name_len * i)
0040160C |. 0FAFC1 |imul eax,ecx ; eax = (i + 1) * ~(name_len * i)
0040160F |. 8B55 F0 |mov edx,[local.4]
00401612 |. 0FAFD0 |imul edx,eax ; acc *= eax  (32-bit wraparound, low half of imul)
00401615 |. 8955 F0 |mov [local.4],edx
00401618 |.^ EB AD \jmp XBrad_Sob.004015C7 ; next iteration
0040161A |> 8B45 F0 mov eax,[local.4]
0040161D |. 50 push eax ; vararg: the hash value
0040161E |. 68 54404000 push Brad_Sob.00404054 ; ASCII "%lu" - unsigned DECIMAL (not octal), so serial = hash printed in base 10
00401623 |. 8D4D DC lea ecx,[local.9]
00401626 |. 51 push ecx ; this = &local.9
00401627 |. E8 52070000 call <jmp.&MFC42.#2818> ; Format-style call: local.9 = sprintf("%lu", hash) (presumably CString::Format)
0040162C |. 83C4 0C add esp,0xC ; caller cleans the 3 pushed args (varargs convention)
0040162F |. 8D4D DC lea ecx,[local.9]
00401632 |. E8 79020000 call Brad_Sob.004018B0 ; eax = char* of the computed serial string
00401637 |. 50 push eax ; expected serial
00401638 |. 8D4D E8 lea ecx,[local.6] ; this = &entered serial
0040163B |. E8 80020000 call Brad_Sob.004018C0 ; string compare; eax == 0 means equal (see jnz below)
00401640 |. 85C0 test eax,eax
00401642 |. 0F85 FF000000 jnz Brad_Sob.00401747 ; mismatch -> failure path
00401648 |. 8D8D ACFEFFFF lea ecx,[local.85]
0040164E |. E8 19070000 call <jmp.&MFC42.#540> ; local.85 = empty CString (presumably default ctor)
00401653 |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00401657 |. 6A 66 push 0x66 ; string resource ID 102
00401659 |. 8D8D ACFEFFFF lea ecx,[local.85]
0040165F |. E8 02070000 call <jmp.&MFC42.#4160> ; load the success text from resources (presumably LoadString)
; The four literal copies below fill stack buffers that are never read again
; in this listing (local.110, local.59, local.34, local.84); the message shown
; comes from resource 0x66, so these plain-text strings are only decoys.
00401664 |. B9 07000000 mov ecx,0x7
00401669 |. BE 58404000 mov esi,Brad_Sob.00404058 ; ASCII "Correct!! "
0040166E |. 8DBD 48FEFFFF lea edi,[local.110]
00401674 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 7*4 + 2 + 1 = 31 bytes
00401676 |. 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
00401678 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
00401679 |. B9 11000000 mov ecx,0x11
0040167E |. 33C0 xor eax,eax
00401680 |. 8DBD 67FEFFFF lea edi,dword ptr ss:[ebp-0x199]
00401686 |. F3:AB rep stos dword ptr es:[edi] ; zero the remaining 0x11*4 + 1 bytes of the buffer
00401688 |. AA stos byte ptr es:[edi]
00401689 |. B9 07000000 mov ecx,0x7
0040168E |. BE 78404000 mov esi,Brad_Sob.00404078 ; ASCII "<BrD-SoB> "
00401693 |. 8DBD 14FFFFFF lea edi,[local.59]
00401699 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 30 bytes
0040169B |. 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
0040169D |. B9 11000000 mov ecx,0x11
004016A2 |. 33C0 xor eax,eax
004016A4 |. 8DBD 32FFFFFF lea edi,dword ptr ss:[ebp-0xCE]
004016AA |. F3:AB rep stos dword ptr es:[edi] ; zero 0x11*4 + 2 bytes
004016AC |. 66:AB stos word ptr es:[edi]
004016AE |. B9 06000000 mov ecx,0x6
004016B3 |. BE 98404000 mov esi,Brad_Sob.00404098 ; ASCII "Incorrect!!, Try Again."
004016B8 |. 8DBD 78FFFFFF lea edi,[local.34]
004016BE |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 24 bytes
004016C0 |. B9 13000000 mov ecx,0x13
004016C5 |. 33C0 xor eax,eax
004016C7 |. 8D7D 90 lea edi,[local.28]
004016CA |. F3:AB rep stos dword ptr es:[edi] ; zero 0x13*4 bytes
004016CC |. B9 07000000 mov ecx,0x7
004016D1 |. BE B0404000 mov esi,Brad_Sob.004040B0 ; ASCII "Correct way to go, You Got It."
004016D6 |. 8DBD B0FEFFFF lea edi,[local.84]
004016DC |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 31 bytes
004016DE |. 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
004016E0 |. A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004016E1 |. B9 11000000 mov ecx,0x11
004016E6 |. 33C0 xor eax,eax
004016E8 |. 8DBD CFFEFFFF lea edi,dword ptr ss:[ebp-0x131]
004016EE |. F3:AB rep stos dword ptr es:[edi] ; zero 0x11*4 + 1 bytes
004016F0 |. AA stos byte ptr es:[edi]
004016F1 |. 6A 40 push 0x40 ; MB_ICONINFORMATION
004016F3 |. 68 D0404000 push Brad_Sob.004040D0 ; ASCII "CrackMe" (caption)
004016F8 |. 8D8D ACFEFFFF lea ecx,[local.85]
004016FE |. E8 AD010000 call Brad_Sob.004018B0 ; eax = char* of the resource string
00401703 |. 50 push eax ; message text
00401704 |. 8B8D 40FEFFFF mov ecx,[local.112]
0040170A |. E8 75060000 call <jmp.&MFC42.#4224> ; show success message box
0040170F |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00401713 |. 8D8D ACFEFFFF lea ecx,[local.85]
00401719 |. E8 42060000 call <jmp.&MFC42.#800> ; destroy local.85
0040171E |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401722 |. 8D4D DC lea ecx,[local.9]
00401725 |. E8 36060000 call <jmp.&MFC42.#800> ; destroy local.9
0040172A |. C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
0040172E |. 8D4D E8 lea ecx,[local.6]
00401731 |. E8 2A060000 call <jmp.&MFC42.#800> ; destroy local.6
00401736 |. C745 FC FFFFF>mov [local.1],-0x1
0040173D |. 8D4D EC lea ecx,[local.5]
00401740 |. E8 1B060000 call <jmp.&MFC42.#800> ; destroy local.5
00401745 |. EB 70 jmp XBrad_Sob.004017B7 ; -> epilogue
00401747 |> 8D8D 44FEFFFF lea ecx,[local.111] ; failure path
0040174D |. E8 1A060000 call <jmp.&MFC42.#540> ; local.111 = empty CString
00401752 |. C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00401756 |. 6A 67 push 0x67 ; string resource ID 103
00401758 |. 8D8D 44FEFFFF lea ecx,[local.111]
0040175E |. E8 03060000 call <jmp.&MFC42.#4160> ; load the failure text from resources
00401763 |. 6A 40 push 0x40 ; MB_ICONINFORMATION
00401765 |. 68 D8404000 push Brad_Sob.004040D8 ; ASCII "CrackMe" (caption)
0040176A |. 8D8D 44FEFFFF lea ecx,[local.111]
00401770 |. E8 3B010000 call Brad_Sob.004018B0 ; eax = char* of the resource string
00401775 |. 50 push eax ; message text
00401776 |. 8B8D 40FEFFFF mov ecx,[local.112]
0040177C |. E8 03060000 call <jmp.&MFC42.#4224> ; show failure message box
00401781 |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00401785 |. 8D8D 44FEFFFF lea ecx,[local.111]
0040178B |. E8 D0050000 call <jmp.&MFC42.#800> ; destroy local.111
00401790 |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401794 |. 8D4D DC lea ecx,[local.9]
00401797 |. E8 C4050000 call <jmp.&MFC42.#800> ; destroy local.9
0040179C |. C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
004017A0 |. 8D4D E8 lea ecx,[local.6]
004017A3 |. E8 B8050000 call <jmp.&MFC42.#800> ; destroy local.6
004017A8 |. C745 FC FFFFF>mov [local.1],-0x1
004017AF |. 8D4D EC lea ecx,[local.5]
004017B2 |. E8 A9050000 call <jmp.&MFC42.#800> ; destroy local.5
004017B7 |> 8B4D F4 mov ecx,[local.3] ; common epilogue: unlink SEH frame, restore callee-saved regs
004017BA |. 64:890D 00000>mov dword ptr fs:[0],ecx
004017C1 |. 5F pop edi
004017C2 |. 5E pop esi
004017C3 |. 8BE5 mov esp,ebp
004017C5 |. 5D pop ebp
004017C6 \. C3 retn
算法的主要思路是根据输入的Name算出一个值,然后将这个值用8进制表示,表示结果就是serial。
具体的算法上面已经分析出。
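#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * compute_serial - C re-implementation of the hash loop at 004015BE..00401618.
 *
 * name     : the user name (only the first name_len bytes are read)
 * name_len : number of characters the binary sees as the name length
 * returns  : the 32-bit value the binary formats with "%lu" as the serial
 *
 * All arithmetic is done in uint32_t on purpose: the original listing uses
 * 32-bit registers with wraparound (imul/add/xor on eax/ecx/edx), whereas
 * the earlier int-based sketch relied on signed overflow, which is undefined
 * behaviour in C, and on `long` being 32 bits wide.
 */
uint32_t compute_serial(const char *name, size_t name_len)
{
    uint32_t var = 0x81276345u;                      /* mov [local.4],0x81276345 */
    uint32_t len = (uint32_t)name_len;

    for (uint32_t i = 0; i < len; i++) {
        /* movsx edx,al: the character is sign-extended before the add */
        var += (uint32_t)(int32_t)(signed char)name[i];
        var ^= i << 8;                               /* shl ecx,8 ; xor edx,ecx */
        uint32_t t = ~(len * i);                     /* imul ecx,[local.8] ; not ecx */
        t *= i + 1u;                                 /* imul eax,ecx */
        var *= t;                                    /* imul edx,eax (low 32 bits) */
    }
    return var;
}

/* Prints the serial for the name given as the first argument, in the same
 * "%lu" (unsigned decimal) form the binary uses. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 1;
    }
    /* cast so the format is correct even where unsigned long is 64 bits */
    unsigned long var = (unsigned long)compute_serial(argv[1], strlen(argv[1]));
    printf("%lu\n", var);
    return 0;
}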