[Original] WannaLOL2_WP
Posted on: 2017-6-2 01:07
Overview:
Debugging with OllyDbg and breaking on GetDlgItemTextA, it is easy to trace into the part that checks the input. Looking at it together with IDA, it is not hard to work out that the input is 4 characters long: the first two are '1' and '5', and the third and fourth go through floating-point arithmetic, so call the input 15cd. Quite a few floating-point operations follow; after analysing them, I believe the key point is at .text:0040129A, which requires the floating-point product (c-'0'-0.2)*(d-'0') = 24. With every character being a digit, this gives c = 5 and d = 5, so the solution is 1555.
ida_code:
.text:004011F4 loc_4011F4: ; CODE XREF: DialogFunc+42p
.text:004011F4 push ebp
.text:004011F5 mov ebp, esp
.text:004011F7 sub esp, 1Ch
.text:004011FA lea eax, [ebp-1Ch]
.text:004011FD push 15h
.text:004011FF push eax
.text:00401200 push 3E9h
.text:00401205 push hDlg
.text:0040120B call ds:GetDlgItemTextA
.text:00401211 push 1F4h
.text:00401216 call ds:Sleep
.text:0040121C lea eax, [ebp-1Ch]
.text:0040121F push eax
.text:00401220 call _strlen
.text:00401225 cmp eax, 4
.text:00401228 pop ecx
.text:00401229 jnz loc_4012CF
.text:0040122F push '0'
.text:00401231 pop ecx
.text:00401232 cmp [ebp-1Ch], cl
.text:00401235 jz loc_4012CF
.text:0040123B cmp [ebp-1Bh], cl
.text:0040123E jz loc_4012CF
.text:00401244 cmp [ebp-1Ah], cl
.text:00401247 jz loc_4012CF
.text:0040124D cmp [ebp-19h], cl
.text:00401250 jz short loc_4012CF
.text:00401252 cmp byte ptr [ebp-1Ch], '1'
.text:00401256 jnz short loc_4012CF
.text:00401258 cmp byte ptr [ebp-1Bh], '5' ; 15cd
.text:0040125C jnz short loc_4012CF
.text:0040125E jz short loc_401263
.text:00401260 jnz short loc_401263
.text:00401260 ; ---------------------------------------------------------------------------
.text:00401262 db 0E8h
.text:00401263 ; ---------------------------------------------------------------------------
.text:00401263
.text:00401263 loc_401263: ; CODE XREF: .text:0040125Ej
.text:00401263 ; .text:00401260j
.text:00401263 mov ax, 8
.text:00401267 xor ax, 7
.text:0040126B movsx eax, byte ptr [ebp-1Ah] ; c
.text:0040126F sub eax, ecx ; c-'0'
.text:00401271 mov [ebp-4], eax
.text:00401274 movsx eax, byte ptr [ebp-1Ch]
.text:00401278 fild dword ptr [ebp-4]
.text:0040127B sub eax, ecx
.text:0040127D mov [ebp-4], eax
.text:00401280 movsx eax, byte ptr [ebp-1Bh]
.text:00401284 fild dword ptr [ebp-4]
.text:00401287 sub eax, ecx
.text:00401289 mov [ebp-4], eax
.text:0040128C fidiv dword ptr [ebp-4]
.text:0040128F movsx eax, byte ptr [ebp-19h]
.text:00401293 sub eax, ecx
.text:00401295 mov [ebp-4], eax
.text:00401298 fsubp st(1), st
.text:0040129A fimul dword ptr [ebp-4] ; (c-'0'-0.2)*(d-'0')=24
.text:0040129D fmul ds:flt_40711C ; 16
.text:004012A3 fstp dword ptr [ebp-4] ; 384
.text:004012A6 jz short loc_4012AB
.text:004012A8 jnz short loc_4012AB
.text:004012A8 ; ---------------------------------------------------------------------------
.text:004012AA db 0E8h
.text:004012AB ; ---------------------------------------------------------------------------
.text:004012AB
.text:004012AB loc_4012AB: ; CODE XREF: .text:004012A6j
.text:004012AB ; .text:004012A8j
.text:004012AB mov ax, 8
.text:004012AF xor ax, 7
.text:004012B3 fld dword ptr [ebp-4]
.text:004012B6 fcomp ds:flt_407118
.text:004012BC push 0
.text:004012BE push offset aCrackme2017Ctf ; "CrackMe 2017 CTF"
.text:004012C3 fnstsw ax
.text:004012C5 sahf
.text:004012C6 jnz short loc_4012D6
.text:004012C8 push offset aRegistrationSu ; "Registration successful !"
.text:004012CD jmp short loc_4012DB
python_code:
Solve: (5x-1)*y=120

```python
# x is the third input character (c) and y the fourth (d), both taken as
# single non-zero digits; (c - 0.2) * d == 24 rewritten as (5c - 1) * d == 120.
for x in range(1, 10):
    for y in range(1, 10):
        if (5 * x - 1) * y == 120:
            print(x, y)
```

Output:
5 5
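As an added example (not part of the original post), the whole check reconstructed from the listing above, re-implemented in Python with the x87 register stack modelled step by step so each line can be matched to an instruction address; the function names and the float32 rounding applied at the fstp store are my own choices.

```python
import struct
from itertools import product


def x87_check(serial: str) -> bool:
    """Re-implementation of the check at .text:004011F4 .. .text:004012C6 (assumed names)."""
    if len(serial) != 4:                       # 00401225: strlen must be 4
        return False
    if any(ch == '0' for ch in serial):        # 00401232..00401250: no character may be '0'
        return False
    if serial[0] != '1' or serial[1] != '5':   # 00401252..0040125C: must start with "15"
        return False
    # sub eax, ecx with ecx == '0' turns each character into its digit value
    a, b, c, d = (ord(ch) - ord('0') for ch in serial)
    st = []                                    # x87 stack; st[-1] plays the role of ST(0)
    st.append(float(c))                        # 00401278 fild  c
    st.append(float(a))                        # 00401284 fild  a
    st[-1] = st[-1] / b                        # 0040128C fidiv b        -> a/b (0.2 for "15")
    st[-2] = st[-2] - st[-1]                   # 00401298 fsubp st(1),st -> c - a/b
    st.pop()
    st[-1] = st[-1] * d                        # 0040129A fimul d        -> (c - a/b) * d
    st[-1] = st[-1] * 16.0                     # 0040129D fmul  flt_40711C (16)
    # 004012A3 fstp dword ptr [ebp-4]: the store rounds to single precision
    stored = struct.unpack('<f', struct.pack('<f', st.pop()))[0]
    # 004012B6 fcomp flt_407118 (384) / fnstsw / sahf / jnz: only exact equality passes
    return stored == 384.0


def solve() -> list:
    """Brute-force every 4-digit candidate and keep the ones the check accepts."""
    return ["".join(p) for p in product("123456789", repeat=4) if x87_check("".join(p))]
```

The '0' check runs before the division, so the fidiv can never divide by zero; since the stored value is an integer multiple of 16 only when (5c-1)*d is exactly 120, the single-precision rounding admits no near misses and solve() returns just 1555.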
Notes on some of the instructions:
fild D9 /0 FLD m32fp Push m32fp onto the FPU register stack.
fidiv DA /6 FIDIV m32int Divide ST(0) by m32int and store result in ST(0).
fsubp DE E8+i FSUBP ST(i), ST(0) Subtract ST(0) from ST(i), store result in ST(i), and pop register stack.
fimul DA /1 FIMUL m32int Multiply ST(0) by m32int and store result in ST(0)
fmul D8 /1 FMUL m32fp Multiply ST(0) by m32fp and store result in ST(0)
fstp D9 /2 FST m32fp Copy ST(0) to m32fp.
fld D9 /0 FLD m32fp Push m32fp onto the FPU register stack.
fcomp D8 /2 FCOM m32fp Compare ST(0) with m32fp.
fnstsw 9B DF E0 FSTSW AX Store FPU status word in AX register after checking for pending unmasked floating-point exceptions.
sahf 9E SAHF Load SF, ZF, AF, PF, and CF from AH into EFLAGS register.
References:
http://x86.renejeschke.de/