爱情测试小软件分析
发表于:
2005-10-28 15:16
【破文作者】lnn1123
【所属组织】[BCG][DCM][DFCG]
【 E-mail 】lnn11231123@163.com
【文章题目】爱情测试小软件分析
【软件名称】缘分测试
【下载地址】天空软件
=======================================================================================================
【软件简介】
缘分小测试...
=======================================================================================================
【文章简介】
这些天实在郁闷,有人云"赌场失意,情场得意",发现一个关于爱情测试的小软件
=======================================================================================================
【解密过程】
00401780 > 6A FF
PUSH -1
00401782 . 68 180E4200
PUSH 200401.00420E18
; SE handler installation
00401787 . 64:A1 00000000
MOV EAX,
DWORD PTR FS:[0]
0040178D . 50
PUSH EAX
0040178E . 64:8925 000000>
MOV DWORD PTR FS:[0],
ESP
00401795 . 83EC 0C
SUB ESP,0C
00401798 . 53
PUSH EBX
00401799 . 55
PUSH EBP
0040179A . 56
PUSH ESI
0040179B . 57
PUSH EDI
0040179C . 8BF1
MOV ESI,
ECX
0040179E . 6A 01
PUSH 1
004017A0 . E8 2BF20100
CALL <JMP.&MFC42.#6334>
004017A5 . 8B56 60
MOV EDX,
DWORD PTR DS:[
ESI+60]
; 得到boy.name
004017A8 . 33FF
XOR EDI,
EDI
004017AA . 33DB
XOR EBX,
EBX
004017AC . 33C0
XOR EAX,
EAX
004017AE . 8B4A F8
MOV ECX,
DWORD PTR DS:[
EDX-8]
; length(boy.name)
004017B1 . 897C24 14
MOV DWORD PTR SS:[
ESP+14],
EDI
004017B5 . 85C9
TEST ECX,
ECX ; 是否输入boy.name
004017B7 . 895C24 18
MOV DWORD PTR SS:[
ESP+18],
EBX
004017BB . 7E 0F
JLE SHORT 200401.004017CC
; 没输入就跳
004017BD > 0FBE2C02
MOVSX EBP,
BYTE PTR DS:[
EDX+
EAX]
; 依次取boy.name的一个字节
004017C1 . 03FD
ADD EDI,
EBP ; 累加到EDI
004017C3 . 40
INC EAX ; 计数器加1
004017C4 . 3BC1
CMP EAX,
ECX
004017C6 .^7C F5
JL SHORT 200401.004017BD
; 循环
004017C8 . 897C24 14
MOV DWORD PTR SS:[
ESP+14],
EDI ; 保存boy.name各个字符累加结果记为B
004017CC > 8B4E 64
MOV ECX,
DWORD PTR DS:[
ESI+64]
; girl.name
004017CF . 33C0
XOR EAX,
EAX
004017D1 . 8B79 F8
MOV EDI,
DWORD PTR DS:[
ECX-8]
; length(girl.name)
004017D4 . 85FF
TEST EDI,
EDI ; 是否输入girl.name?
004017D6 . 7E 0F
JLE SHORT 200401.004017E7
; 没输入就跳
004017D8 > 0FBE2C01
MOVSX EBP,
BYTE PTR DS:[
ECX+
EAX]
; 依次取girl.name的一个字节
004017DC . 03DD
ADD EBX,
EBP ; 累加到EBX
004017DE . 40
INC EAX ; 计数器加1
004017DF . 3BC7
CMP EAX,
EDI
004017E1 .^7C F5
JL SHORT 200401.004017D8
; 循环
004017E3 . 895C24 18
MOV DWORD PTR SS:[
ESP+18],
EBX ; 保存结果记为G
004017E7 > 8B3D 24234200
MOV EDI,
DWORD PTR DS:[<&MSVCRT._mbscmp>]
; MSVCRT._mbscmp
004017ED . 68 E4974200
PUSH 200401.004297E4
; /s2 = ""
004017F2 . 52
PUSH EDX ; |s1
004017F3 . FFD7
CALL EDI ; \_mbscmp
004017F5 . 83C4 08
ADD ESP,8
004017F8 . 85C0
TEST EAX,
EAX ; 比较boy.name输入是否为空
004017FA . 0F84 8C010000
JE 200401.0040198C
00401800 . 8B46 64
MOV EAX,
DWORD PTR DS:[
ESI+64]
; girl.name
00401803 . 68 E4974200
PUSH 200401.004297E4
; 这里的值是00
00401808 . 50
PUSH EAX
00401809 . FFD7
CALL EDI ; 比较girl.name是否为空
0040180B . 83C4 08
ADD ESP,8
0040180E . 85C0
TEST EAX,
EAX ; EAX是返回的值
00401810 . 0F84 76010000
JE 200401.0040198C
; 没输入girl.name就跳
00401816 . DB4424 14
FILD DWORD PTR SS:[
ESP+14]
; 装入整数B到st(0)
0040181A . DC05 D8284200
FADD QWORD PTR DS:[4228D8]
00401820 . DA4C24 18
FIMUL DWORD PTR SS:[
ESP+18]
; st0=st0 * G
00401824 . D9FE
FSIN ; st(0) <- SIN( st(0) )
00401826 . DC05 D0284200
FADD QWORD PTR DS:[4228D0]
; st0=st0+[4228D0],[4228D0]=1
0040182C . DC0D C8284200
FMUL QWORD PTR DS:[4228C8]
; st0=st0 * [4228C8],[4228C8]=50
00401832 . E8 F9F10100
CALL <JMP.&MSVCRT._ftol>
00401837 . 8BD8
MOV EBX,
EAX ; EAX为得分的16进制
00401839 . 8B46 60
MOV EAX,
DWORD PTR DS:[
ESI+60]
; boy.name
0040183C . 68 48924200
PUSH 200401.00429248
; ASCII "Romeo"
00401841 . 50
PUSH EAX
00401842 . FFD7
CALL EDI ; boy.name与 "Romeo"比较
00401844 . 83C4 08
ADD ESP,8
00401847 . 85C0
TEST EAX,
EAX ; EAX为返回结果
00401849 . 75 19
JNZ SHORT 200401.00401864
; 不等跳
0040184B . 8B46 64
MOV EAX,
DWORD PTR DS:[
ESI+64]
0040184E . 68 40924200
PUSH 200401.00429240
; ASCII "Julia"
00401853 . 50
PUSH EAX
00401854 . FFD7
CALL EDI
00401856 . 83C4 08
ADD ESP,8
00401859 . 85C0
TEST EAX,
EAX
0040185B . 75 07
JNZ SHORT 200401.00401864
0040185D . BB 64000000
MOV EBX,64
00401862 . EB 54
JMP SHORT 200401.004018B8
00401864 > 8B46 60
MOV EAX,
DWORD PTR DS:[
ESI+60]
; boy.name
00401867 . 68 38924200
PUSH 200401.00429238
; ASCII "romeo"
0040186C . 50
PUSH EAX
0040186D . FFD7
CALL EDI ; 又是比较函数
0040186F . 83C4 08
ADD ESP,8
00401872 . 85C0
TEST EAX,
EAX ; EAX为返回结果
00401874 . 75 19
JNZ SHORT 200401.0040188F
00401876 . 8B46 64
MOV EAX,
DWORD PTR DS:[
ESI+64]
00401879 . 68 30924200
PUSH 200401.00429230
; ASCII "julia"
0040187E . 50
PUSH EAX
0040187F . FFD7
CALL EDI ; 是否是"julia"
00401881 . 83C4 08
ADD ESP,8
00401884 . 85C0
TEST EAX,
EAX
00401886 . 75 07
JNZ SHORT 200401.0040188F
00401888 . BB 64000000
MOV EBX,64
0040188D . EB 29
JMP SHORT 200401.004018B8
0040188F > 8B46 60
MOV EAX,
DWORD PTR DS:[
ESI+60]
; boy.name
00401892 . 68 28924200
PUSH 200401.00429228
00401897 . 50
PUSH EAX
00401898 . FFD7
CALL EDI ; mbscmp函数
0040189A . 83C4 08
ADD ESP,8
0040189D . 85C0
TEST EAX,
EAX
0040189F . 75 17
JNZ SHORT 200401.004018B8
004018A1 . 8B46 64
MOV EAX,
DWORD PTR DS:[
ESI+64]
004018A4 . 68 20924200
PUSH 200401.00429220
004018A9 . 50
PUSH EAX
004018AA . FFD7
CALL EDI
004018AC . 83C4 08
ADD ESP,8
004018AF . 85C0
TEST EAX,
EAX
004018B1 . 75 05
JNZ SHORT 200401.004018B8
004018B3 . BB 63000000
MOV EBX,63
004018B8 > 53
PUSH EBX ; 浮点运算后得到的整数
004018B9 . 8D46 68
LEA EAX,
DWORD PTR DS:[
ESI+68]
004018BC . 68 1C924200
PUSH 200401.0042921C
; ASCII "%d"
004018C1 . 50
PUSH EAX
004018C2 . E8 03F10100
CALL <JMP.&MFC42.#2818>
004018C7 . 83C4 0C
ADD ESP,0C
004018CA . 8BCE
MOV ECX,
ESI
004018CC . 6A 00
PUSH 0
004018CE . E8 FDF00100
CALL <JMP.&MFC42.#6334>
004018D3 . 8B4E 20
MOV ECX,
DWORD PTR DS:[
ESI+20]
004018D6 . 6A 01
PUSH 1
; /Erase = TRUE
004018D8 . 6A 00
PUSH 0
; |pRect = NULL
004018DA . 51
PUSH ECX ; |hWnd
004018DB . FF15 14254200
CALL DWORD PTR DS:[<&USER32.InvalidateRe>
; \InvalidateRect
004018E1 . 8D4B 05
LEA ECX,
DWORD PTR DS:[
EBX+5]
; 得分加5
004018E4 . B8 67666666
MOV EAX,66666667
004018E9 . F7E9
IMUL ECX ; EAX=EAX * ECX
004018EB . C1FA 02
SAR EDX,2
; 右移2位
004018EE . 8BC2
MOV EAX,
EDX
004018F0 . 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
004018F4 . C1E8 1F
SHR EAX,1F
; 右移31位
004018F7 . 03D0
ADD EDX,
EAX ; EDX=EDX+EAX
004018F9 . 8BFA
MOV EDI,
EDX ; 004018E1-004018F7之间的运算是(得分+5)/10:乘以魔数66666667再算术右移2位,即有符号除以10,等价于把得分四舍五入到十位得到等级
004018FB . E8 6AF00100
CALL <JMP.&MFC42.#540>
00401900 . 83FF 0A
CMP EDI,0A
; 等级大于A?; Switch (cases 0..A)
00401903 . C74424 24 0000>
MOV DWORD PTR SS:[
ESP+24],0
0040190B . 77 5B
JA SHORT 200401.00401968
0040190D . FF24BD A019400>
JMP DWORD PTR DS:[
EDI*4+4019A0]
00401914 > 68 04924200
PUSH 200401.00429204
; Case 0 of switch 00401900
00401919 . EB 44
JMP SHORT 200401.0040195F
0040191B > 68 F0914200
PUSH 200401.004291F0
; Case 1 of switch 00401900
00401920 . EB 3D
JMP SHORT 200401.0040195F
00401922 > 68 D8914200
PUSH 200401.004291D8
; Case 2 of switch 00401900
00401927 . EB 36
JMP SHORT 200401.0040195F
00401929 > 68 C0914200
PUSH 200401.004291C0
; Case 3 of switch 00401900
0040192E . EB 2F
JMP SHORT 200401.0040195F
00401930 > 68 78914200
PUSH 200401.00429178
; Case 4 of switch 00401900
00401935 . EB 28
JMP SHORT 200401.0040195F
00401937 > 68 50914200
PUSH 200401.00429150
; Case 5 of switch 00401900
0040193C . EB 21
JMP SHORT 200401.0040195F
0040193E > 68 10914200
PUSH 200401.00429110
; Case 6 of switch 00401900
00401943 . EB 1A
JMP SHORT 200401.0040195F
00401945 > 68 E0904200
PUSH 200401.004290E0
; Case 7 of switch 00401900
0040194A . EB 13
JMP SHORT 200401.0040195F
0040194C > 68 B0904200
PUSH 200401.004290B0
; Case 8 of switch 00401900
00401951 . EB 0C
JMP SHORT 200401.0040195F
00401953 > 68 78904200
PUSH 200401.00429078
; Case 9 of switch 00401900
00401958 . EB 05
JMP SHORT 200401.0040195F
0040195A > 68 68904200
PUSH 200401.00429068
; Case A of switch 00401900
0040195F > 8D4C24 14
LEA ECX,
DWORD PTR SS:[
ESP+14]
00401963 . E8 FCEF0100
CALL <JMP.&MFC42.#860>
00401968 > 8B4C24 10
MOV ECX,
DWORD PTR SS:[
ESP+10]
; Default case of switch 00401900
0040196C . 6A 00
PUSH 0
0040196E . 68 5C904200
PUSH 200401.0042905C
00401973 . 51
PUSH ECX
00401974 . 8BCE
MOV ECX,
ESI
00401976 . E8 49F00100
CALL <JMP.&MFC42.#4224>
; 提示信息
0040197B . 8D4C24 10
LEA ECX,
DWORD PTR SS:[
ESP+10]
0040197F . C74424 24 FFFF>
MOV DWORD PTR SS:[
ESP+24],-1
00401987 . E8 F4EE0100
CALL <JMP.&MFC42.#800>
0040198C > 8B4C24 1C
MOV ECX,
DWORD PTR SS:[
ESP+1C]
00401990 . 5F
POP EDI
00401991 . 5E
POP ESI
00401992 . 5D
POP EBP
00401993 . 5B
POP EBX
00401994 . 64:890D 000000>
MOV DWORD PTR FS:[0],
ECX
0040199B . 83C4 18
ADD ESP,18
0040199E . C3
RETN
0040199F 90
NOP
004019A0 . 14194000
DD 200401.00401914
; Switch table used at 0040190D
004019A4 . 1B194000
DD 200401.0040191B
; 对应表
004019A8 . 22194000
DD 200401.00401922
004019AC . 29194000
DD 200401.00401929
004019B0 . 30194000
DD 200401.00401930
004019B4 . 37194000
DD 200401.00401937
004019B8 . 3E194000
DD 200401.0040193E
004019BC . 45194000
DD 200401.00401945
004019C0 . 4C194000
DD 200401.0040194C
004019C4 . 53194000
DD 200401.00401953
004019C8 . 5A194000
DD 200401.0040195A
=======================================================================================================
【解密心得】
累加boy.name各字符(MOVSX,按有符号字节)结果为B;累加girl.name各字符结果为G,
{Sin[(B+3.76793)*G]+1}*50
经_ftol(截断)转为整数即为最终分数;若boy.name/girl.name恰为"Romeo"/"Julia"或"romeo"/"julia"则分数直接置为100,另有一对字符串(00429228/00429220,本文未列出其内容)置为99
然后分数按(分数+5)/10四舍五入获得等级(一共有11个等级,对应0-A),不同等级有不同评语
=======================================================================================================
【破解声明】我是一个小小菜虫子,文章如有错误,请高手指正!
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
=======================================================================================================
文章完成于2005-10-28 欣?网吧 4:04:27