本人菜鸟,刚入门几天,这是第一个弄出来的crackMe,所以很happy呀,就发出来得瑟一下
要是有错误的话还望指正
00401010 |> \55 PUSH EBP
00401011 |. 8BEC MOV EBP,ESP
00401013 |. 83EC 64 SUB ESP,64
00401016 |. 53 PUSH EBX
00401017 |. 56 PUSH ESI
00401018 |. 57 PUSH EDI
00401019 |. 8D7D 9C LEA EDI,DWORD PTR SS:[EBP-64]
0040101C |. B9 19000000 MOV ECX,19
00401021 |. B8 CCCCCCCC MOV EAX,CCCCCCCC
00401026 |. F3:AB REP STOS DWORD PTR ES:[EDI]
//上面的代码就是建立新的栈帧,保存可能用到的寄存器,再用0xCC(int3)填充申请的栈空间,所以应该是debug版的(结尾处 CMP EBP,ESP 之后 CALL 00401390 应该也是debug版对栈指针的检查)
00401028 |. 68 B8814200 PUSH 1.004281B8 ; /Arg1 = 004281B8
0040102D |. E8 DE020000 CALL 1.00401310 ; \1.00401310
00401032 |. 83C4 04 ADD ESP,4
//打印出第一行那个独头蒜
00401035 |. 68 40704200 PUSH 1.00427040 ; /Arg1 = 00427040
0040103A |. E8 D1020000 CALL 1.00401310 ; \1.00401310
0040103F |. 83C4 04 ADD ESP,4
//打印第二行的输入提示
00401042 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00401045 |. 50 PUSH EAX ; /Arg2
00401046 |. 68 3C704200 PUSH 1.0042703C ; |Arg1 = 0042703C ASCII "%d"
0040104B |. E8 60020000 CALL 1.004012B0 ; \1.004012B0
00401050 |. 83C4 08 ADD ESP,8
//调用scanf函数,按"%d"接收输入的密码存到[EBP-4];注意scanf的返回值没有被检查,输入不是数字时[EBP-4]仍然是填充的CCCCCCCC
//下面的代码就是主要的部分了,有很多变量,可以把EBP-4命名为var4,按此则有
00401053 |. C745 F8 C8000>MOV DWORD PTR SS:[EBP-8],0C8
//var8 = 200(十进制,下同)
0040105A |. C745 F4 2C010>MOV DWORD PTR SS:[EBP-C],12C
//varc = 300
00401061 |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
//var4是输入的密码,不妨设为X
00401064 |. 034D F8 ADD ECX,DWORD PTR SS:[EBP-8]
00401067 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
//var10 = var4+var8 = x+200
0040106A |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
0040106D |. 0355 F4 ADD EDX,DWORD PTR SS:[EBP-C]
00401070 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
//var14 = var8+varc = 500
00401073 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401076 |. 0345 F4 ADD EAX,DWORD PTR SS:[EBP-C]
00401079 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
//var18 = var4+varc = x+300
0040107C |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040107F |. 83C1 32 ADD ECX,32
00401082 |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
//var10 = var10+50 = 250+x
00401085 |. 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]
00401088 |. 83EA 32 SUB EDX,32
0040108B |. 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
//var18 = var18-50 = 250+x
0040108E |. C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
//下面三个赋值(var1c = 0, var20 = 4B 即'K', var24 = 4E 即'N')后面打印结果时会用到,再往后到 004010F1 之前的算术才是没用的
00401095 |. C645 E0 4B MOV BYTE PTR SS:[EBP-20],4B
00401099 |. C645 DC 4E MOV BYTE PTR SS:[EBP-24],4E
0040109D |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004010A0 |. 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C]
004010A3 |. 75 0D JNZ SHORT 1.004010B2
//var8和varc不相等,所以一定会跳
004010A5 |. 68 38704200 PUSH 1.00427038 ; /Arg1 = 00427038 ASCII "NO"
004010AA |. E8 61020000 CALL 1.00401310 ; \1.00401310
004010AF |. 83C4 04 ADD ESP,4
004010B2 |> 50 PUSH EAX
004010B3 |. 58 POP EAX
004010B4 |. 51 PUSH ECX
004010B5 |. 59 POP ECX
004010B6 |. B8 64000000 MOV EAX,64
004010BB |. 05 C8000000 ADD EAX,0C8
004010C0 |. 2D E6000000 SUB EAX,0E6
004010C5 |. 83C0 03 ADD EAX,3
004010C8 |. BB 04000000 MOV EBX,4
004010CD |. 03C3 ADD EAX,EBX
004010CF |. 33C9 XOR ECX,ECX
004010D1 |. 85C9 TEST ECX,ECX
004010D3 |. 74 0D JE SHORT 1.004010E2
//同上面的跳转,先把ECX清0再TEST一定会跳的
004010D5 |. 68 34704200 PUSH 1.00427034 ; /Arg1 = 00427034 ASCII "OK"
004010DA |. E8 31020000 CALL 1.00401310 ; \1.00401310
004010DF |. 83C4 04 ADD ESP,4
004010E2 |> 03C3 ADD EAX,EBX
//跳到这里,然后下面的命令感觉也没什么用处
004010E4 |. BB 0A000000 MOV EBX,0A
004010E9 |. 40 INC EAX
004010EA |. 43 INC EBX
004010EB |. 90 NOP
004010EC |. 90 NOP
004010ED |. 90 NOP
004010EE |. 83C0 0A ADD EAX,0A
004010F1 |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
//从这里开始有用了
004010F4 |. 3B55 EC CMP EDX,DWORD PTR SS:[EBP-14]
004010F7 |. 75 28 JNZ SHORT 1.00401121
//比较var10与var14是否相等
004010F9 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
004010FC |. 3B45 E8 CMP EAX,DWORD PTR SS:[EBP-18]
004010FF |. 75 20 JNZ SHORT 1.00401121
//比较var10与var18是否相等
00401101 |. 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00401104 |. 3B4D E8 CMP ECX,DWORD PTR SS:[EBP-18]
00401107 |. 75 18 JNZ SHORT 1.00401121
//比较var18与var14是否相等
//上面三个跳转应该是所谓的关键跳转了,而且都跳到同一个位置,会不会是switch?嘿嘿 —— 更像是编译器对 var10==var14 && var10==var18 && var14==var18 这种短路比较的处理:任意一个不相等就跳到 00401121 的失败分支,三个都相等才落到下面打印成功的代码
//根据上面,就是 var10 = var14 = var18 即 x+250 = x+250 = 500,所以密码是250 ~
//下面就是输出了:相等时打印 " %d%c " 即 0 和 'K',不相等时跳到 00401121 打印 " %c%d " 即 'N' 和 0
00401109 |. 0FBE55 E0 MOVSX EDX,BYTE PTR SS:[EBP-20]
0040110D |. 52 PUSH EDX ; /Arg3
0040110E |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; |
00401111 |. 50 PUSH EAX ; |Arg2
00401112 |. 68 2C704200 PUSH 1.0042702C ; |Arg1 = 0042702C ASCII " %d%c "
00401117 |. E8 F4010000 CALL 1.00401310 ; \1.00401310
0040111C |. 83C4 0C ADD ESP,0C
0040111F |. EB 16 JMP SHORT 1.00401137
00401121 |> 8B4D E4 MOV ECX,DWORD PTR SS:[EBP-1C]
00401124 |. 51 PUSH ECX ; /Arg3
00401125 |. 0FBE55 DC MOVSX EDX,BYTE PTR SS:[EBP-24] ; |
00401129 |. 52 PUSH EDX ; |Arg2
0040112A |. 68 24704200 PUSH 1.00427024 ; |Arg1 = 00427024 ASCII " %c%d "
0040112F |. E8 DC010000 CALL 1.00401310 ; \1.00401310
00401134 |. 83C4 0C ADD ESP,0C
00401137 |> 68 1C704200 PUSH 1.0042701C ; /Arg1 = 0042701C ASCII "pause"
0040113C |. E8 5F000000 CALL 1.004011A0 ; \1.004011A0
00401141 |. 83C4 04 ADD ESP,4
00401144 |. 5F POP EDI
00401145 |. 5E POP ESI
00401146 |. 5B POP EBX
00401147 |. 83C4 64 ADD ESP,64
0040114A |. 3BEC CMP EBP,ESP
0040114C |. E8 3F020000 CALL 1.00401390
00401151 |. 8BE5 MOV ESP,EBP
00401153 |. 5D POP EBP
00401154 \. C3 RETN
第一次在看雪发言,见笑~