main:
00401250 push ebp
00401251 mov ebp,esp
00401253 sub esp,50h;16字节的参数
00401256 push ebx
00401257 push esi
00401258 push edi
00401259 lea edi,[ebp-50h]
0040125C mov ecx,14h
00401261 mov eax,0CCCCCCCCh
00401266 rep stos dword ptr [edi]
00401268 push offset string "\xc7\xeb\xca\xe4\xc8\xeb\xc4\xea\xd4\xc2\xc8\xd5\n" (00425030)
0040126D call printf (00401390)
00401272 add esp,4
00401275 lea eax,[ebp-0Ch]
00401278 push eax
00401279 lea ecx,[ebp-8]
0040127C push ecx
0040127D lea edx,[ebp-4]
00401280 push edx
00401281 push offset string "%d%d%d" (00425028)
00401286 call scanf (00401330);键盘输入为 scanf("%d%d%d",&[ebp-4], &[ebp-8], &[ebp-0Ch])赋值
0040128B add esp,10h
0040128E mov eax,dword ptr [ebp-0Ch]
00401291 push eax
00401292 mov ecx,dword ptr [ebp-8]
00401295 push ecx
00401296 mov edx,dword ptr [ebp-4]
00401299 push edx
0040129A call @ILT+0(number) (00401005);number([ebp-4],[ebp-8], [ebp-0Ch]);
0040129F add esp,0Ch
004012A2 mov dword ptr [ebp-10h],eax
004012A5 mov eax,dword ptr [ebp-10h]
004012A8 push eax
004012A9 push offset string "\xb5\xda%d\xcc\xec\n" (0042501c)
004012AE call printf (00401390)
004012B3 add esp,8
004012B6 pop edi
004012B7 pop esi
004012B8 pop ebx
004012B9 add esp,50h
004012BC cmp ebp,esp
004012BE call __chkesp (004012f0)
004012C3 mov esp,ebp
004012C5 pop ebp
number:
004010A0 push ebp
004010A1 mov ebp,esp
004010A3 sub esp,0B0h
004010A9 push ebx
004010AA push esi
004010AB push edi
004010AC lea edi,[ebp-0B0h]
004010B2 mov ecx,2Ch
004010B7 mov eax,0CCCCCCCCh
004010BC rep stos dword ptr [edi]
004010BE mov dword ptr [ebp-4],0;[ebp-4]=0
004010C5 mov dword ptr [ebp-40h],1Fh
004010CC mov dword ptr [ebp-3Ch],1Ch
004010D3 mov dword ptr [ebp-38h],1Fh
004010DA mov dword ptr [ebp-34h],1Eh
004010E1 mov dword ptr [ebp-30h],1Fh
004010E8 mov dword ptr [ebp-2Ch],1Eh
004010EF mov dword ptr [ebp-28h],1Fh
004010F6 mov dword ptr [ebp-24h],1Fh
004010FD mov dword ptr [ebp-20h],1Eh
00401104 mov dword ptr [ebp-1Ch],1Fh
0040110B mov dword ptr [ebp-18h],1Eh
00401112 mov dword ptr [ebp-14h],1Fh;int arry[12]{31,28,31,30,31,30,31,30,31,30,31,30}
00401119 mov dword ptr [ebp-70h],1Fh
00401120 mov dword ptr [ebp-6Ch],1Dh
00401127 mov dword ptr [ebp-68h],1Fh
0040112E mov dword ptr [ebp-64h],1Eh
00401135 mov dword ptr [ebp-60h],1Fh
0040113C mov dword ptr [ebp-5Ch],1Eh
00401143 mov dword ptr [ebp-58h],1Fh
0040114A mov dword ptr [ebp-54h],1Fh
00401151 mov dword ptr [ebp-50h],1Eh
00401158 mov dword ptr [ebp-4Ch],1Fh
0040115F mov dword ptr [ebp-48h],1Eh
00401166 mov dword ptr [ebp-44h],1Fh;int arry2[12]{31,29,31,30,31,30,31,30,31,30,31,30}
0040116D mov eax,dword ptr [ebp+8];将第一个参数取出放入eax
00401170 push eax
00401171 call @ILT+5(leap) (0040100a);调用函数leap (0040100a)
00401176 add esp,4
00401179 cmp eax,1
0040117C jne number+109h (004011a9);eax与1不相等则跳转
for([ebp-8]=0;[ebp-8]<[ebp+0Ch];[ebp-8]++) 循环
{
0040117E mov dword ptr [ebp-8],0;[ebp-8]=0
00401185 jmp number+0F0h (00401190)
00401187 mov ecx,dword ptr [ebp-8]
0040118A add ecx,1
0040118D mov dword ptr [ebp-8],ecx
00401190 mov edx,dword ptr [ebp-8];edx=[ebp-8]
00401193 cmp edx,dword ptr [ebp+0Ch]
00401196 jge number+107h (004011a7);[ebp-8] >= [ebp+0Ch] 跳转
00401198 mov eax,dword ptr [ebp-8]
0040119B mov ecx,dword ptr [ebp-4]
0040119E add ecx,dword ptr [ebp+eax*4-70h];相当于伪代码 sum([ebp-4])+=a[i]([ebp-8]==i) [ebp+ecx*4-40h]获取arry[i]的值(int型数组所以偏移要*4)
004011A2 mov dword ptr [ebp-4],ecx
004011A5 jmp number+0E7h (00401187)
004011A7 jmp number+132h (004011d2)
}
for([ebp-8]=0;[ebp-8]<[ebp+0Ch];[ebp-8]++) 循环
{
004011A9 mov dword ptr [ebp-8],0;[ebp-8]=0
004011B0 jmp number+11Bh (004011bb)
004011B2 mov edx,dword ptr [ebp-8]
004011B5 add edx,1
004011B8 mov dword ptr [ebp-8],edx
004011BB mov eax,dword ptr [ebp-8];eax=[ebp-8]
004011BE cmp eax,dword ptr [ebp+0Ch];比较eax(0)与[ebp+0Ch](第三个参数)
004011C1 jge number+132h (004011d2);如果eax>=[ebp+0Ch]则转移
004011C3 mov ecx,dword ptr [ebp-8]
004011C6 mov edx,dword ptr [ebp-4]
004011C9 add edx,dword ptr [ebp+ecx*4-40h];相当于伪代码 sum([ebp-4])+=a[i]([ebp-8]==i) [ebp+ecx*4-40h]获取arry2[i]的值(int型数组所以偏移要*4)
004011CD mov dword ptr [ebp-4],edx
004011D0 jmp number+112h (004011b2)
}
004011D2 mov eax,dword ptr [ebp-4];eax=[ebp-4]
004011D5 add eax,dword ptr [ebp+10h];eax=eax+[ebp+10]
004011D8 mov dword ptr [ebp-4],eax;[ebp-4]=eax
004011DB mov eax,dword ptr [ebp-4];返回值[ebp-4]
004011DE pop edi
004011DF pop esi
004011E0 pop ebx
004011E1 add esp,0B0h
004011E7 cmp ebp,esp
004011E9 call __chkesp (004012f0)
004011EE mov esp,ebp
004011F0 pop ebp
leap:
00401030 push ebp
00401031 mov ebp,esp
00401033 sub esp,40h
00401036 push ebx
00401037 push esi
00401038 push edi
00401039 lea edi,[ebp-40h]
0040103C mov ecx,10h
00401041 mov eax,0CCCCCCCCh
00401046 rep stos dword ptr [edi]
00401048 mov eax,dword ptr [ebp+8];取出第一个参数
0040104B and eax,80000003h;
00401050 jns leap+27h (00401057);符号位不为1就跳转
00401052 dec eax
00401053 or eax,0FCh
00401056 inc eax
00401057 test eax,eax;做AND操作但不改变eax结果
00401059 jne leap+3Ah (0040106a);jne 如果ZF=0则不跳转
0040105B mov eax,dword ptr [ebp+8]
0040105E cdq;把EDX的所有位都设成EAX最高位的值. 也就是说,当EAX <80000000,MOV EDX,00000000h; 当EAX >= 80000000, EDX 则为FFFFFFFF
0040105F mov ecx,64h
00401064 idiv eax,ecx;除法
00401066 test edx,edx
00401068 jne leap+49h (00401079)
0040106A mov eax,dword ptr [ebp+8]
0040106D cdq
0040106E mov ecx,190h
00401073 idiv eax,ecx;32位被除数放在DX,AX中。其中DX为高位字,16位除数为源操作数,结果的16位端在AX中,16位余数在DX中
00401075 test edx,edx;检测商是否为0
00401077 jne leap+50h (00401080);jne 为0则不跳转
00401079 mov eax,1;返回值
0040107E jmp leap+52h (00401082)
00401080 xor eax,eax
00401082 pop edi
00401083 pop esi
00401084 pop ebx
00401085 mov esp,ebp
00401087 pop ebp
第一次发逆向源码有错请指教
[课程]FART 脱壳王!加量不加价!FART作者讲授!
