[Original] Problems 1 and 3 (supplement)
Posted: 2017-10-28 20:20 3129
A giveaway question: a plaintext comparison.
00401854 |> \68 80354000 push 00403580 ; /welcometokanxuectf2017
00401859 |. 8B55 F8 mov edx, dword ptr [ebp-0x8] ; |
0040185C |. 52 push edx ; |s1
0040185D |. E8 2E060000 call <jmp.&MSVCRT.strcmp> ; \strcmp
Registration code: WelcomeToKanXueCtf2017
Problem 3: crackMe
1. Search for the string "ok" and locate this:
011F505F . 8BF4 mov esi, esp
011F5061 . 68 01040000 push 0x401 ; /Count = 401 (1025.)
011F5066 . 8D85 D8F7FFFF lea eax, dword ptr [ebp-0x828] ; |
011F506C . 50 push eax ; |Buffer
011F506D . 68 E9030000 push 0x3E9 ; |ControlID = 3E9 (1001.)
011F5072 . 8B4D 08 mov ecx, dword ptr [ebp+0x8] ; |
011F5075 . 51 push ecx ; |hWnd
011F5076 . FF15 70F52501 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA # read the input serial (sn)
011F507C . 3BF4 cmp esi, esp
011F507E . E8 CE8DFFFF call 011EDE51
011F5083 . 8985 E0FBFFFF mov dword ptr [ebp-0x420], eax
011F5089 . C685 C8EFFFFF>mov byte ptr [ebp-0x1038], 0x0
011F5090 . 68 FF030000 push 0x3FF
011F5095 . 6A 00 push 0x0
011F5097 . 8D85 C9EFFFFF lea eax, dword ptr [ebp-0x1037]
011F509D . 50 push eax
011F509E . E8 4385FFFF call 011ED5E6
011F50A3 . 83C4 0C add esp, 0xC
011F50A6 . 8D85 D0F3FFFF lea eax, dword ptr [ebp-0xC30]
011F50AC . 50 push eax
011F50AD . 68 00040000 push 0x400
011F50B2 . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]
011F50B8 . 51 push ecx
011F50B9 . E8 A981FFFF call 011ED267 # base64-decode sn
011F50BE . 83C4 0C add esp, 0xC
011F50C1 . C685 C0EBFFFF>mov byte ptr [ebp-0x1440], 0x0
011F50C8 . 68 FF030000 push 0x3FF
011F50CD . 6A 00 push 0x0
011F50CF . 8D85 C1EBFFFF lea eax, dword ptr [ebp-0x143F]
011F50D5 . 50 push eax
011F50D6 . E8 0B85FFFF call 011ED5E6
011F50DB . 83C4 0C add esp, 0xC
011F50DE . 8D85 C8EFFFFF lea eax, dword ptr [ebp-0x1038]
011F50E4 . 50 push eax
011F50E5 . 68 00040000 push 0x400
011F50EA . 8D8D D0F3FFFF lea ecx, dword ptr [ebp-0xC30]
011F50F0 . 51 push ecx
011F50F1 . E8 7181FFFF call 011ED267 # decode once more
011F50F6 . 83C4 0C add esp, 0xC
011F50F9 . 68 00040000 push 0x400
011F50FE . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]
011F5104 . 50 push eax
011F5105 . 8D8D C8EFFFFF lea ecx, dword ptr [ebp-0x1038]
011F510B . 51 push ecx
011F510C . E8 5988FFFF call 011ED96A # Morse code decode
011F5111 . 83C4 0C add esp, 0xC
011F5114 . C785 B4EBFFFF>mov dword ptr [ebp-0x144C], 0x3
011F511E . 8D85 8CEBFFFF lea eax, dword ptr [ebp-0x1474]
011F5124 . 50 push eax
011F5125 . 8B8D B4EBFFFF mov ecx, dword ptr [ebp-0x144C]
011F512B . 51 push ecx
011F512C . 8D95 C8EFFFFF lea edx, dword ptr [ebp-0x1038]
011F5132 . 52 push edx
011F5133 . E8 4089FFFF call 011EDA78 # compute the hash value
011F5138 . 83C4 0C add esp, 0xC
011F513B . C785 78E7FFFF>mov dword ptr [ebp-0x1888], 0x0
011F5145 . EB 0F jmp short 011F5156
011F5147 > 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]
011F514D . 83C0 01 add eax, 0x1
011F5150 . 8985 78E7FFFF mov dword ptr [ebp-0x1888], eax
011F5156 > 83BD 78E7FFFF>cmp dword ptr [ebp-0x1888], 0x20
011F515D . 7D 2C jge short 011F518B
011F515F . 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]
011F5165 . 0FB68C05 8CEB>movzx ecx, byte ptr [ebp+eax-0x1474]
011F516D . 51 push ecx
011F516E . 68 A4B12401 push 0124B1A4 ; %02x
011F5173 . 8B95 78E7FFFF mov edx, dword ptr [ebp-0x1888]
011F5179 . 8D8455 84E7FF>lea eax, dword ptr [ebp+edx*2-0x187C>
011F5180 . 50 push eax
011F5181 . E8 7F8DFFFF call 011EDF05 # format the hash as a hex string for the comparison
011F5186 . 83C4 0C add esp, 0xC
011F5189 .^ EB BC jmp short 011F5147
011F518B > 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]
011F5191 . 50 push eax
011F5192 . E8 FD85FFFF call 011ED794
011F5197 . 83C4 04 add esp, 0x4
011F519A . 50 push eax
011F519B . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]
011F51A1 . 51 push ecx
011F51A2 . E8 ED85FFFF call 011ED794
011F51A7 . 83C4 04 add esp, 0x4
011F51AA . 8DB405 D8F7FF>lea esi, dword ptr [ebp+eax-0x828]
011F51B1 . 8D95 84E7FFFF lea edx, dword ptr [ebp-0x187C]
011F51B7 . 52 push edx
011F51B8 . E8 D785FFFF call 011ED794
011F51BD . 83C4 04 add esp, 0x4
011F51C0 . 2BF0 sub esi, eax
011F51C2 . 56 push esi
011F51C3 . 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]
011F51C9 . 50 push eax
011F51CA . E8 5889FFFF call 011EDB27 # strncmp: compare the last 64 characters of the input sn with the hash string obtained above
011F51CF . 83C4 0C add esp, 0xC
011F51D2 . 85C0 test eax, eax
011F51D4 . 75 3E jnz short 011F5214 # if the check passes, continue into the maze below
011F51D6 . E8 D97EFFFF call 011ED0B4
011F51DB . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]
011F51E1 . 50 push eax # the real registration code, after two base64 decodes and the Morse decode
011F51E2 . 68 00B02501 push 0125B000 # maze map
011F51E7 . E8 BF87FFFF call 011ED9AB # walk the maze
011F51EC . 83C4 08 add esp, 0x8
011F51EF . 0FB6C8 movzx ecx, al
011F51F2 . 83F9 01 cmp ecx, 0x1
011F51F5 . 75 1D jnz short 011F5214
011F51F7 . 8BF4 mov esi, esp
011F51F9 . 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
011F51FB . 68 98B12401 push 0124B198 ; |crackme
011F5200 . 68 94B12401 push 0124B194 ; |ok
011F5205 . 6A 00 push 0x0 ; |hOwner = NULL
011F5207 . FF15 88F52501 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
011F520D . 3BF4 cmp esi, esp
011F520F . E8 3D8CFFFF call 011EDE51
011F5214 > B8 01000000 mov eax, 0x1
011F5219 . EB 02 jmp short 011F521D
0125B000 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B040 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B050 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B060 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
0125B070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B080 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
0125B090 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
0125B0A0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B0B0 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
0125B0C0 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
0125B0D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B0E0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
0125B0F0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
0125B100 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
0125B110 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00
0125B120 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00
0125B130 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
0125B140 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B160 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
0125B170 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00
0125B180 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0125B1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Simplified, it is easier to read. Each cell is 4 bytes, and the map is 10×10:
0111111110
0011111000
1000001011
1111101001
1000101001
1010001011
1011111001
1000011100
1111000010
1111111000
3. How the maze is walked
Follow the call into 011ED9AB:
011F5528 |> 8B45 0C /mov eax, dword ptr [ebp+0xC]
011F552B |. |0FBE08 |movsx ecx, byte ptr [eax] # stop when sn[i] == 0x20 (space)
011F552E |. |83F9 20 |cmp ecx, 0x20
011F5531 |. |0F84 2C010000 |je 011F5663 # is this a bug?
011F5537 |. |837D F8 08 |cmp dword ptr [ebp-0x8], 0x8
011F553B |. |75 0A |jnz short 011F5547
011F553D |. |837D EC 03 |cmp dword ptr [ebp-0x14], 0x3
011F5541 |. |0F84 0E010000 |je 011F5655
011F5547 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]
011F554A |. |0FBE08 |movsx ecx, byte ptr [eax]
011F554D |. |83F9 7A |cmp ecx, 0x7A
011F5550 |. |75 32 |jnz short 011F5584 # sn[i] == 'z'
011F5552 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F5555 |. |0345 D4 |add eax, dword ptr [ebp-0x2C]
011F5558 |. |83F8 0A |cmp eax, 0xA
011F555B |. |7D 20 |jge short 011F557D # must not go past the last row
011F555D |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F5560 |. |0345 D4 |add eax, dword ptr [ebp-0x2C]
011F5563 |. |6BC0 28 |imul eax, eax, 0x28 # 0x28/4 = 0x0A, so the map has 10 elements per row
011F5566 |. |0345 08 |add eax, dword ptr [ebp+0x8] # locate the row
011F5569 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F556C |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0 # locate the target cell: 0 can be entered, 1 means failure
011F5570 |. |75 09 |jnz short 011F557B
011F5572 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F5575 |. |0345 D4 |add eax, dword ptr [ebp-0x2C] # 'z' is down
011F5578 |. |8945 EC |mov dword ptr [ebp-0x14], eax
011F557B |> |EB 07 |jmp short 011F5584
011F557D |> |32C0 |xor al, al
011F557F |. |E9 E1000000 |jmp 011F5665
011F5584 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]
011F5587 |. |0FBE08 |movsx ecx, byte ptr [eax]
011F558A |. |83F9 6C |cmp ecx, 0x6C
011F558D |. |75 45 |jnz short 011F55D4 # 'l' is right
011F558F |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]
011F5592 |. |0345 BC |add eax, dword ptr [ebp-0x44]
011F5595 |. |83F8 0A |cmp eax, 0xA
011F5598 |. |7D 3A |jge short 011F55D4
011F559A |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F559D |. |6BC0 28 |imul eax, eax, 0x28
011F55A0 |. |0345 08 |add eax, dword ptr [ebp+0x8]
011F55A3 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F55A6 |. |034D BC |add ecx, dword ptr [ebp-0x44]
011F55A9 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0
011F55AD |. |75 1E |jnz short 011F55CD
011F55AF |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F55B2 |. |6BC0 28 |imul eax, eax, 0x28
011F55B5 |. |0345 08 |add eax, dword ptr [ebp+0x8]
011F55B8 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F55BB |. |C70488 040000>|mov dword ptr [eax+ecx*4], 0x4
011F55C2 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]
011F55C5 |. |0345 BC |add eax, dword ptr [ebp-0x44]
011F55C8 |. |8945 F8 |mov dword ptr [ebp-0x8], eax
011F55CB |. |EB 07 |jmp short 011F55D4
011F55CD |> |32C0 |xor al, al
011F55CF |. |E9 91000000 |jmp 011F5665
011F55D4 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]
011F55D7 |. |0FBE08 |movsx ecx, byte ptr [eax]
011F55DA |. |83F9 71 |cmp ecx, 0x71 # 'q' is up
011F55DD |. |75 3F |jnz short 011F561E
011F55DF |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F55E2 |. |0345 E0 |add eax, dword ptr [ebp-0x20]
011F55E5 |. |78 37 |js short 011F561E
011F55E7 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F55EA |. |0345 E0 |add eax, dword ptr [ebp-0x20]
011F55ED |. |6BC0 28 |imul eax, eax, 0x28
011F55F0 |. |0345 08 |add eax, dword ptr [ebp+0x8]
011F55F3 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F55F6 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0
011F55FA |. |75 1E |jnz short 011F561A
011F55FC |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F55FF |. |6BC0 28 |imul eax, eax, 0x28
011F5602 |. |0345 08 |add eax, dword ptr [ebp+0x8]
011F5605 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F5608 |. |C70488 040000>|mov dword ptr [eax+ecx*4], 0x4
011F560F |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F5612 |. |0345 E0 |add eax, dword ptr [ebp-0x20]
011F5615 |. |8945 EC |mov dword ptr [ebp-0x14], eax
011F5618 |. |EB 04 |jmp short 011F561E
011F561A |> |32C0 |xor al, al
011F561C |. |EB 47 |jmp short 011F5665
011F561E |> |8B45 0C |mov eax, dword ptr [ebp+0xC]
011F5621 |. |0FBE08 |movsx ecx, byte ptr [eax]
011F5624 |. |83F9 70 |cmp ecx, 0x70 # 'p' is left
011F5627 |. |75 2C |jnz short 011F5655
011F5629 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]
011F562C |. |0345 C8 |add eax, dword ptr [ebp-0x38]
011F562F |. |78 24 |js short 011F5655
011F5631 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]
011F5634 |. |6BC0 28 |imul eax, eax, 0x28
011F5637 |. |0345 08 |add eax, dword ptr [ebp+0x8]
011F563A |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]
011F563D |. |034D C8 |add ecx, dword ptr [ebp-0x38]
011F5640 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0
011F5644 |. |75 0B |jnz short 011F5651
011F5646 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]
011F5649 |. |0345 C8 |add eax, dword ptr [ebp-0x38]
011F564C |. |8945 F8 |mov dword ptr [ebp-0x8], eax
011F564F |. |EB 04 |jmp short 011F5655
011F5651 |> |32C0 |xor al, al
011F5653 |. |EB 10 |jmp short 011F5665
011F5655 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]
011F5658 |. |83C0 01 |add eax, 0x1
011F565B |. |8945 0C |mov dword ptr [ebp+0xC], eax
011F565E |.^\E9 C5FEFFFF \jmp 011F5528
011F5663 |> B0 01 mov al, 0x1 # returning 1 means success
011F5665 |> 5F pop edi
011F5666 |. 5E pop esi
011F5667 |. 5B pop ebx
011F5668 |. 81C4 14010000 add esp, 0x114
011F566E |. 3BEC cmp ebp, esp
011F5670 |. E8 DC87FFFF call 011EDE51
011F5675 |. 8BE5 mov esp, ebp
011F5677 |. 5D pop ebp
011F5678 \. C3 retn
4. Finally
This hardly counts as walking a maze.
As long as you never step onto a 1 it succeeds. There is no length limit, and no check that the walk actually has to go from the top-left corner to the top-right corner; the only thing checked is that the cell you step onto is not 1.
So a registration code consisting of a single 'z' succeeds.
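To make that gap concrete, here is an added Python model of the routine at 011ED9AB, written for this edit rather than taken from the crackme or the write-up, next to the stricter check the binary does not perform. It follows the listing above; what the listing does not show and is therefore assumed: the walk starts at row 0, column 0, the four step deltas held at [ebp-0x2C], [ebp-0x44], [ebp-0x20] and [ebp-0x38] are +1, +1, -1 and -1 (down, right, up, left), and the intended exit is the top-right cell. The route string SOLUTION_PATH was worked out by hand from the 10×10 map.

```python
# Added example (not the crackme's own code): a Python model of the maze routine at
# 011ED9AB as read from the listing, next to a stricter check the binary lacks.
# Assumptions not visible in the listing: the walk starts at row 0, column 0 (top-left),
# the four step deltas kept at [ebp-0x2C], [ebp-0x44], [ebp-0x20], [ebp-0x38] are
# +1, +1, -1, -1 (down, right, up, left), and the intended exit is the top-right cell.

# The 10x10 map at 0125B000: one dword per cell, 0x28 bytes per row, 0 = open, 1 = wall.
MAZE = [
    "0111111110",
    "0011111000",
    "1000001011",
    "1111101001",
    "1000101001",
    "1010001011",
    "1011111001",
    "1000011100",
    "1111000010",
    "1111111000",
]
ROWS = COLS = 10
START = (0, 0)  # assumption
EXIT = (0, 9)   # assumption: the top-right corner the write-up names as the goal


def walk(moves, grid=MAZE):
    """Replay the recovered logic. Returns (accepted, final_row, final_col).

    The routine only returns 0 on an illegal step; it never looks at where the walk
    ends, so an empty walk or a single legal step is accepted."""
    cells = [[int(c) for c in line] for line in grid]  # private copy: 'l'/'q' write 4 into it
    row, col = START
    for ch in moves:
        if ch == " ":  # cmp ecx, 0x20 / je 011F5663 -> mov al, 1
            break      # (this model also stops at end of string; the binary only stops on 0x20)
        if col == 8 and row == 3:  # the check the write-up flags as a possible bug:
            continue               # at cell (3, 8) the move character is skipped
        if ch == "z":  # down: a row past the bottom FAILS, but a wall is silently ignored
            if row + 1 >= ROWS:
                return False, row, col
            if cells[row + 1][col] == 0:
                row += 1
        elif ch == "l":  # right: a column past the edge is ignored, a wall FAILS
            if col + 1 < COLS:
                if cells[row][col + 1] != 0:
                    return False, row, col
                cells[row][col] = 4  # the routine marks the cell it leaves with 4
                col += 1
        elif ch == "q":  # up: a negative row is ignored, a wall FAILS, leaves a 4 behind
            if row - 1 >= 0:
                if cells[row - 1][col] != 0:
                    return False, row, col
                cells[row][col] = 4
                row -= 1
        elif ch == "p":  # left: a negative column is ignored, a wall FAILS, no marking
            if col - 1 >= 0:
                if cells[row][col - 1] != 0:
                    return False, row, col
                col -= 1
        # any other character is skipped and the pointer simply advances
    return True, row, col


def walk_strict(moves, grid=MAZE):
    """What a real maze check would add: the legal walk must also end on EXIT."""
    ok, row, col = walk(moves, grid)
    return ok and (row, col) == EXIT


# A route from START to EXIT through the open cells of MAZE, worked out by hand from the map.
SOLUTION_PATH = "zlzllllzzzppqppzzzlllzlllzllqqpqpqqqqqllq"

if __name__ == "__main__":
    print("single 'z':", walk("z"), "strict:", walk_strict("z"))
    print("full route:", walk(SOLUTION_PATH), "strict:", walk_strict(SOLUTION_PATH))
```

Two details of the listing are worth noticing while reading the model: a 'z' that would enter a wall is silently ignored (011F5570 jumps to 011F557B, which continues), whereas 'l', 'q' and 'p' into a wall return 0, and only 'l' and 'q' write 4 into the cell they leave, so a revisited cell later counts as blocked. `walk("z")` is accepted with the walker still at (1, 0); `walk_strict` rejects it and accepts only the full route.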
Both the base64 and the Morse code are standard; base64 is applied twice.
base64(base64(morse_code('z'))) = 'TFMwdUxpQT0='
Append the trailing 64-character check value (it can be read out under the debugger, since it is a plaintext comparison): "b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94"
This gives one valid registration code:
TFMwdUxpQT0=b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94
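The outer layers of the serial described above, reproduced as an added Python example (this is not the crackme's code or the author's script). Assumptions: the crackme's Morse decoder at 011ED96A accepts the standard ITU table with a space as the letter terminator, and the 64-hex tail is a 32-byte digest (0x20 bytes formatted with %02x at 011F5181) whose algorithm is not identified on the page, so the value is taken from the write-up as a constant rather than computed. Decoding the page's prefix with this code shows the inner string is "--.. " with a trailing space, which is the 0x20 byte the maze routine stops on.

```python
import base64

# Added example (not the crackme's own code): the serial's outer layers as the write-up
# describes them: Morse code, then base64 twice, then the 64-hex check value appended.
# Assumptions: the crackme's Morse decoder (011ED96A) uses the standard ITU table and a
# space as the letter terminator; the 64-hex tail is an unidentified 32-byte digest that
# the binary computes at 011EDA78, so the value below is taken from the write-up as-is.

MORSE = {
    "a": ".-",   "b": "-...", "c": "-.-.", "d": "-..",  "e": ".",    "f": "..-.",
    "g": "--.",  "h": "....", "i": "..",   "j": ".---", "k": "-.-",  "l": ".-..",
    "m": "--",   "n": "-.",   "o": "---",  "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...",  "t": "-",    "u": "..-",  "v": "...-", "w": ".--",  "x": "-..-",
    "y": "-.--", "z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
MORSE_REV = {v: k for k, v in MORSE.items()}

# Check value quoted in the write-up (the digest the binary compares against).
CHECK_VALUE = "b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94"


def morse_encode(text):
    """Each letter's code followed by one space: 'z' -> '--.. '."""
    return "".join(MORSE[c] + " " for c in text.lower())


def morse_decode(code):
    """Inverse of morse_encode; an unknown group raises KeyError instead of being guessed."""
    return "".join(MORSE_REV[g] for g in code.split(" ") if g)


def encode_prefix(plain):
    """base64(base64(morse(plain))): the part of the serial before the check value."""
    inner = morse_encode(plain).encode("ascii")
    return base64.b64encode(base64.b64encode(inner)).decode("ascii")


def decode_prefix(prefix):
    """Undo the two base64 layers; returns (morse_string, decoded_text)."""
    inner = base64.b64decode(base64.b64decode(prefix)).decode("ascii")
    return inner, morse_decode(inner)


def build_serial(plain, check_value=CHECK_VALUE):
    return encode_prefix(plain) + check_value


def split_serial(serial):
    """The binary strncmp's the last 64 characters of the input against its digest."""
    if len(serial) < 64:
        raise ValueError("serial shorter than the 64-character check value")
    return serial[:-64], serial[-64:]


if __name__ == "__main__":
    serial = build_serial("z")
    print(serial)
    print(decode_prefix(split_serial(serial)[0]))
```

`build_serial("z")` reproduces the registration code quoted above exactly; `decode_prefix` is the direction a reviewer would use first, because it reveals the letter terminator that the encoded form hides.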
5. Appendix
The various functions are interspersed with many anti-debugging checks; nop them out and save the patched file, which makes debugging much easier.
Done