运行, OD附加
前往401000, 看着挺像处理代码的
下断运行, 输入sn后断下(运气挺好)
这个应该是初始化lua bytecode(看后面字符串, 功能应该是xor)
0040103D 885C24 36 mov byte ptr ss:[esp+36],bl
00401041 884424 37 mov byte ptr ss:[esp+37],al
00401045 C64424 38 07 mov byte ptr ss:[esp+38],7
0040104A 885C24 39 mov byte ptr ss:[esp+39],bl
...
初始化的栈信息
0012FA4E 00 10 92 7C 00 00 00 00 00 00 1B 4C 4A 02 02 3B .抾......LJ;
0012FA5E 00 02 07 00 03 00 09 36 02 00 00 39 02 01 02 36 ....6..96
0012FA6E 03 00 00 39 03 02 03 12 04 00 00 12 05 01 00 12 ..9...
0012FA7E 06 01 00 42 03 04 00 43 02 00 00 08 73 75 62 09 .B.C..sub.
0012FA8E 62 79 74 65 0B 73 74 72 69 6E 67 F3 03 00 01 19 bytestring?.
0012FA9E 00 05 01 75 36 01 00 00 39 01 01 01 12 02 00 00 .u6..9..
0012FAAE 42 01 02 02 08 01 00 00 58 01 02 80 29 01 00 00 B..X€)..
0012FABE 4C 01 02 00 36 01 02 00 39 01 03 01 36 02 04 00 L.6.96.
0012FACE 12 03 00 00 29 04 01 00 42 02 03 02 29 03 70 00 ..).B)p.
0012FADE 42 01 03 02 36 02 02 00 39 02 03 02 36 03 04 00 B6.96.
0012FAEE 12 04 00 00 29 05 02 00 42 03 03 02 29 04 65 00 ..).B)e.
0012FAFE 42 02 03 02 36 03 02 00 39 03 03 03 36 04 04 00 B6.96.
0012FB0E 12 05 00 00 29 06 03 00 42 04 03 02 29 05 64 00 ..).B)d.
0012FB1E 42 03 03 02 36 04 02 00 39 04 03 04 36 05 04 00 B6.96.
0012FB2E 12 06 00 00 29 07 04 00 42 05 03 02 29 06 69 00 ..).B)i.
0012FB3E 42 04 03 02 36 05 02 00 39 05 03 05 36 06 04 00 B6.96.
0012FB4E 12 07 00 00 29 08 05 00 42 06 03 02 29 07 79 00 ..).B)y.
0012FB5E 42 05 03 02 36 06 02 00 39 06 03 06 36 07 04 00 B6.96.
0012FB6E 12 08 00 00 29 09 06 00 42 07 03 02 29 08 31 00 ..)..B)1.
0012FB7E 42 06 03 02 36 07 02 00 39 07 03 07 36 08 04 00 B6.96.
0012FB8E 12 09 00 00 29 0A 07 00 42 08 03 02 29 09 32 00 ...)..B).2.
0012FB9E 42 07 03 02 36 08 02 00 39 08 03 08 36 09 04 00 B6.96..
0012FBAE 12 0A 00 00 29 0B 08 00 42 09 03 02 29 0A 33 00 ...).B.).3.
0012FBBE 42 08 03 02 36 09 02 00 39 09 03 09 36 0A 04 00 B6..9..6..
0012FBCE 12 0B 00 00 29 0C 09 00 42 0A 03 02 29 0B 34 00 ..)...B.)4.
0012FBDE 42 09 03 02 36 0A 02 00 39 0A 03 0A 36 0B 04 00 B.6..9..6.
0012FBEE 12 0C 00 00 29 0D 0A 00 42 0B 03 02 29 0C 35 00 ...)...B).5.
0012FBFE 42 0A 03 02 36 0B 02 00 39 0B 03 0B 36 0C 04 00 B.6.96..
0012FC0E 12 0D 00 00 29 0E 0B 00 42 0C 03 02 29 0D 36 00 ...).B.).6.
0012FC1E 42 0B 03 02 36 0C 02 00 39 0C 03 0C 36 0D 04 00 B6..9..6..
0012FC2E 12 0E 00 00 29 0F 0C 00 42 0D 03 02 29 0E 37 00 ..)..B.)7.
0012FC3E 42 0C 03 02 12 0D 01 00 12 0E 02 00 12 0F 03 00 B.....
0012FC4E 12 10 04 00 12 11 05 00 12 12 06 00 12 13 07 00 ....
0012FC5E 12 14 08 00 12 15 09 00 12 16 0A 00 12 17 0B 00 ......
0012FC6E 12 18 0C 00 4A 0D 0D 00 07 62 79 09 62 78 6F 72 ..J...by.bxor
0012FC7E 08 62 69 74 08 6C 65 6E 0B 73 74 72 69 6E 67 18 bitlenstring
0012FC8E 3D 03 00 02 00 06 00 08 36 00 00 00 27 01 01 00 =...6...'.
0012FC9E 42 00 02 01 33 00 02 00 37 00 03 00 33 00 04 00 B.3..7..3..
0012FCAE 37 00 05 00 4B 00 01 00 09 6D 61 69 6E 00 07 62 7..K...main.b
0012FCBE 79 00 08 62 69 74 0C 72 65 71 75 69 72 65 00 02 y.bit.require.
0012FCCE 00 00 FE 55 F9 EA EB D1 5D 00 31 32 33 34 35 36 ..胙].123456
0012FCDE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012FCEE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012FCFE 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
lua初始化
004021C7 E8 64FE0000 call CrackMe.00412030
004021CC 8BF0 mov esi,eax
004021CE 56 push esi
004021CF E8 9C000100 call CrackMe.00412270
004021D4 53 push ebx
004021D5 68 75020000 push 275
004021DA 8D4424 3C lea eax,dword ptr ss:[esp+3C]
004021DE 50 push eax
004021DF 56 push esi
004021E0 E8 5B040100 call CrackMe.00412640
004021E5 53 push ebx
004021E6 56 push esi
004021E7 E8 C41B0100 call CrackMe.00413DB0
004021EC 68 883E4800 push CrackMe.00483E88 ; ASCII "main"
004021F1 68 EED8FFFF push -2712
004021F6 56 push esi
004021F7 E8 84130100 call CrackMe.00413580
004021FC 57 push edi
004021FD 56 push esi
004021FE E8 DD0E0100 call CrackMe.004130E0
00402203 6A 01 push 1
00402205 56 push esi
00402206 E8 A51B0100 call CrackMe.00413DB0
0040220B 83C4 38 add esp,38
0040220E 85C0 test eax,eax
00402210 74 1A je short CrackMe.0040222C
xor每个字符(嗯, 虽然是猜的, 但是后面证明猜对了)
lua_xor(sn[i])
xor 05 12 0A 29 42 41 75 61 35 83 55 94
0040222C 55 push ebp
0040222D 6A F4 push -0C
0040222F 56 push esi
00402230 E8 AB0A0100 call CrackMe.00412CE0
00402235 8BF8 mov edi,eax
00402237 6A F5 push -0B
00402239 56 push esi
0040223A 83F7 05 xor edi,5
0040223D E8 9E0A0100 call CrackMe.00412CE0
00402242 8BD8 mov ebx,eax
00402244 6A F6 push -0A
00402246 56 push esi
00402247 83F3 12 xor ebx,12
0040224A E8 910A0100 call CrackMe.00412CE0
0040224F 8BE8 mov ebp,eax
00402251 6A F7 push -9
00402253 56 push esi
00402254 83F5 0A xor ebp,0A
00402257 E8 840A0100 call CrackMe.00412CE0
0040225C 83F0 29 xor eax,29
0040225F 6A F8 push -8
00402261 56 push esi
00402262 894424 58 mov dword ptr ss:[esp+58],eax
00402266 E8 750A0100 call CrackMe.00412CE0
0040226B 83F0 42 xor eax,42
0040226E 6A F9 push -7
00402270 56 push esi
00402271 894424 48 mov dword ptr ss:[esp+48],eax
00402275 E8 660A0100 call CrackMe.00412CE0
0040227A 83F0 41 xor eax,41
0040227D 6A FA push -6
0040227F 56 push esi
00402280 894424 60 mov dword ptr ss:[esp+60],eax
00402284 E8 570A0100 call CrackMe.00412CE0
00402289 83F0 75 xor eax,75
0040228C 6A FB push -5
0040228E 56 push esi
0040228F 894424 60 mov dword ptr ss:[esp+60],eax
00402293 E8 480A0100 call CrackMe.00412CE0
00402298 83C4 40 add esp,40
0040229B 83F0 61 xor eax,61
0040229E 6A FC push -4
004022A0 56 push esi
004022A1 894424 18 mov dword ptr ss:[esp+18],eax
004022A5 E8 360A0100 call CrackMe.00412CE0
004022AA 83F0 35 xor eax,35
004022AD 6A FD push -3
004022AF 56 push esi
004022B0 894424 24 mov dword ptr ss:[esp+24],eax
004022B4 E8 270A0100 call CrackMe.00412CE0
004022B9 35 83000000 xor eax,83
004022BE 6A FE push -2
004022C0 56 push esi
004022C1 894424 34 mov dword ptr ss:[esp+34],eax
004022C5 E8 160A0100 call CrackMe.00412CE0
004022CA 83F0 55 xor eax,55
004022CD 6A FF push -1
004022CF 56 push esi
004022D0 894424 44 mov dword ptr ss:[esp+44],eax
004022D4 E8 070A0100 call CrackMe.00412CE0
004022D9 35 94000000 xor eax,94
结果必须为: 18 16 1E 2F 48 11 21 37 33 86 52 94
004022F3 83FF 18 cmp edi, 18
004022F6 75 54 jnz short 0040234C
004022F8 83FB 16 cmp ebx, 16
004022FB 75 4F jnz short 0040234C
004022FD 83FD 1E cmp ebp, 1E
00402300 75 4A jnz short 0040234C
00402302 837C24 30 2F cmp dword ptr [esp+30], 2F
00402307 75 43 jnz short 0040234C
00402309 837C24 18 48 cmp dword ptr [esp+18], 48
0040230E 75 3C jnz short 0040234C
00402310 837C24 28 11 cmp dword ptr [esp+28], 11
00402315 75 35 jnz short 0040234C
00402317 837C24 20 21 cmp dword ptr [esp+20], 21
0040231C 75 2E jnz short 0040234C
0040231E 837C24 10 37 cmp dword ptr [esp+10], 37
00402323 75 27 jnz short 0040234C
00402325 837C24 14 33 cmp dword ptr [esp+14], 33
0040232A 75 20 jnz short 0040234C
0040232C 817C24 1C 86000>cmp dword ptr [esp+1C], 86
00402334 75 16 jnz short 0040234C
00402336 837C24 24 52 cmp dword ptr [esp+24], 52
0040233B 75 0F jnz short 0040234C
0040233D 817C24 2C 94000>cmp dword ptr [esp+2C], 94
00402345 75 05 jnz short 0040234C
00402347 8D47 E9 lea eax, dword ptr [edi-17]
0040234A EB 02 jmp short 0040234E
0040234C 33C0 xor eax, eax
没看lua代码, 直接试了下: 假设 00412CE0 是按字节异或一个固定密钥, 那么用已知输入 123456789012 及其输出就能还原出这个密钥, 再用它反推 sn
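/*
 * Derive the serial accepted by the CrackMe from the values observed in the
 * debugger and print it.
 *
 * The check at 004022F3 compares, per byte, (f(sn[i]) ^ key2[i]) with
 * expected[i], where f is the routine at 00412CE0.  f is assumed to be a
 * per-byte XOR with a fixed key (guessed from the Lua bytecode strings
 * "bxor"/"byte"), so feeding a known probe string through it recovers that
 * key as probe ^ result, and the serial follows by XOR.
 *
 * No parameters, no return value; the only effect is the printf.
 */
void test(void)
{
    enum { SN_LEN = 12 };   /* twelve bytes are compared at 004022F3..00402345 */

    /* Probe input typed into the CrackMe: "123456789012". */
    const unsigned char probe[SN_LEN] = {
        0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31, 0x32
    };
    /* Return values of call 00412CE0 observed for that probe, byte by byte. */
    const unsigned char probe_out[SN_LEN] = {
        0x41, 0x57, 0x57, 0x5D, 0x4C, 0x07, 0x05, 0x0B, 0x0D, 0x05, 0x07, 0x05
    };
    /* Constants XORed into each result (xor edi,5 ... xor eax,94). */
    const unsigned char key2[SN_LEN] = {
        0x05, 0x12, 0x0A, 0x29, 0x42, 0x41, 0x75, 0x61, 0x35, 0x83, 0x55, 0x94
    };
    /* Values the cmp chain at 004022F3 requires. */
    const unsigned char expected[SN_LEN] = {
        0x18, 0x16, 0x1E, 0x2F, 0x48, 0x11, 0x21, 0x37, 0x33, 0x86, 0x52, 0x94
    };

    /* Key of 00412CE0, recovered as probe ^ output under the XOR assumption. */
    unsigned char key1[SN_LEN];
    for (size_t i = 0; i < SN_LEN; i++) {
        key1[i] = (unsigned char)(probe[i] ^ probe_out[i]);
    }

    /* Invert the check: sn ^ key1 ^ key2 == expected  =>  sn = expected ^ key2 ^ key1.
     * One extra zero byte keeps the buffer a valid C string for printf. */
    unsigned char sn[SN_LEN + 1] = {0};
    for (size_t i = 0; i < SN_LEN; i++) {
        sn[i] = (unsigned char)(key1[i] ^ key2[i] ^ expected[i]);
    }

    printf("%s\n", sn);
}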
>>> maposafe2017