The registration-failure message is "error !"; load the program into OD (OllyDbg) and use the string references to jump straight to the validation code.
004011F4 $ 55 PUSH EBP
004011F5 . 8BEC MOV EBP,ESP
004011F7 . 83EC 1C SUB ESP,1C
004011FA . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004011FD . 6A 15 PUSH 15 ; /Count = 15 (21.)
004011FF . 50 PUSH EAX ; |Buffer
00401200 . 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)
00401205 . FF35 38AA4000 PUSH DWORD PTR DS:[40AA38] ; |hWnd = NULL
0040120B . FF15 A8704000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
00401211 . 68 F4010000 PUSH 1F4 ; /Timeout = 500. ms
00401216 . FF15 00704000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040121C . 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
0040121F . 50 PUSH EAX
00401220 . E8 DB000000 CALL WannaLOL.00401300 ; get the length
00401225 . 83F8 04 CMP EAX,4
00401228 . 59 POP ECX
00401229 . 0F85 A0000000 JNZ WannaLOL.004012CF ; the serial must be 4 characters long, call them abcd
0040122F . 6A 30 PUSH 30
00401231 . 59 POP ECX ; ecx=0x30 ascii=0
00401232 . 384D E4 CMP BYTE PTR SS:[EBP-1C],CL
00401235 . 0F84 94000000 JE WannaLOL.004012CF
0040123B . 384D E5 CMP BYTE PTR SS:[EBP-1B],CL
0040123E . 0F84 8B000000 JE WannaLOL.004012CF
00401244 . 384D E6 CMP BYTE PTR SS:[EBP-1A],CL
00401247 . 0F84 82000000 JE WannaLOL.004012CF
0040124D . 384D E7 CMP BYTE PTR SS:[EBP-19],CL ; none of the four characters may be '0'
00401250 . 74 7D JE SHORT WannaLOL.004012CF
00401252 . 807D E4 31 CMP BYTE PTR SS:[EBP-1C],31 ; a must be '1'
00401256 . 75 77 JNZ SHORT WannaLOL.004012CF
00401258 . 807D E5 35 CMP BYTE PTR SS:[EBP-1B],35 ; b must be '5'
0040125C . 75 71 JNZ SHORT WannaLOL.004012CF
0040125E . 74 03 JE SHORT WannaLOL.00401263
00401260 . 75 01 JNZ SHORT WannaLOL.00401263
00401262 E8 DB E8
00401263 > 66:B8 0800 MOV AX,8
00401267 . 66:35 0700 XOR AX,7
0040126B . 0FBE45 E6 MOVSX EAX,BYTE PTR SS:[EBP-1A] ; eax = 3rd character (c)
0040126F . 2BC1 SUB EAX,ECX ; eax-0x30
00401271 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401274 . 0FBE45 E4 MOVSX EAX,BYTE PTR SS:[EBP-1C]
00401278 . DB45 FC FILD DWORD PTR SS:[EBP-4] ; c converted to a number, then to floating point and pushed onto st0
0040127B . 2BC1 SUB EAX,ECX
0040127D . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401280 . 0FBE45 E5 MOVSX EAX,BYTE PTR SS:[EBP-1B]
00401284 . DB45 FC FILD DWORD PTR SS:[EBP-4] ; a converted to float and pushed onto st0, st1=c
00401287 . 2BC1 SUB EAX,ECX
00401289 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; b converted to a number and stored at ebp-4
0040128C . DA75 FC FIDIV DWORD PTR SS:[EBP-4] ; st0=a/b,st1=c
0040128F . 0FBE45 E7 MOVSX EAX,BYTE PTR SS:[EBP-19]
00401293 . 2BC1 SUB EAX,ECX
00401295 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; d converted to a number and stored at ebp-4
00401298 . DEE9 FSUBP ST(1),ST ; st0=c-a/b
0040129A . DA4D FC FIMUL DWORD PTR SS:[EBP-4] ; st0*=d
0040129D . D80D 1C714000 FMUL DWORD PTR DS:[40711C] ; st0 multiplied by the float stored at 40711c, which is 16
004012A3 . D95D FC FSTP DWORD PTR SS:[EBP-4]
004012A6 . 74 03 JE SHORT WannaLOL.004012AB
004012A8 . 75 01 JNZ SHORT WannaLOL.004012AB
004012AA E8 DB E8
004012AB > 66:B8 0800 MOV AX,8
004012AF . 66:35 0700 XOR AX,7
004012B3 . D945 FC FLD DWORD PTR SS:[EBP-4]
004012B6 . D81D 18714000 FCOMP DWORD PTR DS:[407118] ; check whether the product equals 384; if so, registration succeeds
004012BC . 6A 00 PUSH 0
004012BE . 68 78804000 PUSH WannaLOL.00408078 ; CrackMe 2017 CTF
004012C3 . DFE0 FSTSW AX
004012C5 . 9E SAHF
004012C6 . 75 0E JNZ SHORT WannaLOL.004012D6
004012C8 . 68 5C804000 PUSH WannaLOL.0040805C ; Registration successful !
004012CD . EB 0C JMP SHORT WannaLOL.004012DB
004012CF > 6A 00 PUSH 0
004012D1 . 68 48804000 PUSH WannaLOL.00408048 ; CrackMe 2017 CTF v2
004012D6 > 68 40804000 PUSH WannaLOL.00408040 ; error !
004012DB > FF35 34AA4000 PUSH DWORD PTR DS:[40AA34] ; |hOwner = NULL
004012E1 . FF15 AC704000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004012E7 . C9 LEAVE
004012E8 . C3 RETN
This gives the formula (c-0.2)*d = 384/16 = 24. Since c and d should both be decimal digits, a short Python snippet can brute-force them:
# c and d are the 3rd and 4th characters of the serial, as digits
for c in range(10):
    for d in range(10):
        if (c-0.2)*d==24:
            print(c,"-",d)
5 - 5
So the registration code is 1555.
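To check the derived formula against the whole routine rather than only the final equation, here is an added Python model (not from the original post or the crackme) that mirrors every branch of the listing, including the FSTP rounding to a 32-bit float; it also searches the printable range for c and d, which turns up a second key the digits-only search misses. It assumes the call at 00401300 is a plain strlen and that the constants at 40711C and 407118 are 16.0f and 384.0f, as annotated in the listing.

```python
import struct
from itertools import product


def f32(x: float) -> float:
    """Round to IEEE-754 single precision, as FSTP DWORD / FLD DWORD do."""
    return struct.unpack('<f', struct.pack('<f', x))[0]


# Constants the listing reads from the data section (assumed from the annotations):
# [40711C] = 16.0f, [407118] = 384.0f
SCALE = 16.0
TARGET = 384.0


def check_serial(serial: str) -> bool:
    """Model of the routine at 004011F4 (written for this note, not the crackme's own code)."""
    if len(serial) != 4:                        # CALL 00401300 / CMP EAX,4 (assumed strlen)
        return False
    if '0' in serial:                           # four CMP BYTE PTR [...],CL with CL = 0x30
        return False
    if serial[0] != '1' or serial[1] != '5':    # CMP ...,31 / CMP ...,35
        return False
    a, b, c, d = (ord(ch) - 0x30 for ch in serial)   # MOVSX + SUB EAX,ECX
    # FILD c; FILD a; FIDIV b   -> st0 = a/b, st1 = c
    # FSUBP                     -> st0 = c - a/b
    # FIMUL d; FMUL [40711C]    -> st0 = (c - a/b) * d * 16
    # FSTP DWORD [EBP-4]        -> stored as a 32-bit float
    result = f32((c - a / b) * d * SCALE)
    # FLD [EBP-4]; FCOMP [407118]; FSTSW AX; SAHF; JNZ error
    return result == TARGET


DIGITS = '0123456789'
PRINTABLE = ''.join(chr(i) for i in range(0x21, 0x7F))


def find_keys(alphabet: str = DIGITS) -> list:
    """Search the two free positions; the first two are fixed by the byte compares."""
    return ['15' + c + d for c, d in product(alphabet, repeat=2)
            if check_serial('15' + c + d)]


if __name__ == '__main__':
    print(find_keys())           # ['1555']
    # the printable search adds '151N': ord('N') - 0x30 == 30 and (1 - 0.2) * 30 == 24
    print(find_keys(PRINTABLE))
```

The second key exists because the routine never checks that c and d are digits, only that no character is '0'.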