-
-
[原创]第1、3题(补)
-
发表于: 2017-10-28 20:20 3222
-
TFMwdUxpQT0=b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94
五、附
里面各种函数里都穿插着很多反调试的检测,nop掉后保存下来比较好调试
完
送分题,明码比较
1 2 3 4 | 00401854 |> \68 80354000 push 00403580 ; /welcometokanxuectf201700401859 |. 8B55 F8 mov edx, dword ptr [ebp-0x8] ; |0040185C |. 52 push edx ; |s10040185D |. E8 2E060000 call <jmp.&MSVCRT.strcmp> ; \strcmp |
注册码:WelcomeToKanXueCtf2017
第三题 crackMe
一、查找字符串ok定位到
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | 011F505F . 8BF4 mov esi, esp011F5061 . 68 01040000 push 0x401 ; /Count = 401 (1025.)011F5066 . 8D85 D8F7FFFF lea eax, dword ptr [ebp-0x828] ; |011F506C . 50 push eax ; |Buffer011F506D . 68 E9030000 push 0x3E9 ; |ControlID = 3E9 (1001.)011F5072 . 8B4D 08 mov ecx, dword ptr [ebp+0x8] ; |011F5075 . 51 push ecx ; |hWnd011F5076 . FF15 70F52501 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA # 获取输入 sn011F507C . 3BF4 cmp esi, esp011F507E . E8 CE8DFFFF call 011EDE51011F5083 . 8985 E0FBFFFF mov dword ptr [ebp-0x420], eax011F5089 . C685 C8EFFFFF>mov byte ptr [ebp-0x1038], 0x0011F5090 . 68 FF030000 push 0x3FF011F5095 . 6A 00 push 0x0011F5097 . 8D85 C9EFFFFF lea eax, dword ptr [ebp-0x1037]011F509D . 50 push eax011F509E . E8 4385FFFF call 011ED5E6011F50A3 . 83C4 0C add esp, 0xC011F50A6 . 8D85 D0F3FFFF lea eax, dword ptr [ebp-0xC30]011F50AC . 50 push eax011F50AD . 68 00040000 push 0x400011F50B2 . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F50B8 . 51 push ecx011F50B9 . E8 A981FFFF call 011ED267 # Base64解码sn011F50BE . 83C4 0C add esp, 0xC011F50C1 . C685 C0EBFFFF>mov byte ptr [ebp-0x1440], 0x0011F50C8 . 68 FF030000 push 0x3FF011F50CD . 6A 00 push 0x0011F50CF . 8D85 C1EBFFFF lea eax, dword ptr [ebp-0x143F]011F50D5 . 50 push eax011F50D6 . E8 0B85FFFF call 011ED5E6011F50DB . 83C4 0C add esp, 0xC011F50DE . 8D85 C8EFFFFF lea eax, dword ptr [ebp-0x1038]011F50E4 . 50 push eax011F50E5 . 68 00040000 push 0x400011F50EA . 8D8D D0F3FFFF lea ecx, dword ptr [ebp-0xC30]011F50F0 . 51 push ecx011F50F1 . E8 7181FFFF call 011ED267 # 再解一次011F50F6 . 83C4 0C add esp, 0xC011F50F9 . 68 00040000 push 0x400011F50FE . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F5104 . 50 push eax011F5105 . 8D8D C8EFFFFF lea ecx, dword ptr [ebp-0x1038]011F510B . 51 push ecx011F510C . E8 5988FFFF call 011ED96A # 摩斯电码解码011F5111 . 83C4 0C add esp, 0xC011F5114 . C785 B4EBFFFF>mov dword ptr [ebp-0x144C], 0x3011F511E . 8D85 8CEBFFFF lea eax, dword ptr [ebp-0x1474]011F5124 . 50 push eax011F5125 . 8B8D B4EBFFFF mov ecx, dword ptr [ebp-0x144C]011F512B . 51 push ecx011F512C . 8D95 C8EFFFFF lea edx, dword ptr [ebp-0x1038]011F5132 . 52 push edx011F5133 . E8 4089FFFF call 011EDA78 # 得到hash值011F5138 . 83C4 0C add esp, 0xC011F513B . C785 78E7FFFF>mov dword ptr [ebp-0x1888], 0x0011F5145 . EB 0F jmp short 011F5156011F5147 > 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F514D . 83C0 01 add eax, 0x1011F5150 . 8985 78E7FFFF mov dword ptr [ebp-0x1888], eax011F5156 > 83BD 78E7FFFF>cmp dword ptr [ebp-0x1888], 0x20011F515D . 7D 2C jge short 011F518B011F515F . 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F5165 . 0FB68C05 8CEB>movzx ecx, byte ptr [ebp+eax-0x1474]011F516D . 51 push ecx011F516E . 68 A4B12401 push 0124B1A4 ; %02x011F5173 . 8B95 78E7FFFF mov edx, dword ptr [ebp-0x1888]011F5179 . 8D8455 84E7FF>lea eax, dword ptr [ebp+edx*2-0x187C>011F5180 . 50 push eax011F5181 . E8 7F8DFFFF call 011EDF05 # hash值格式化成字符串进行比较011F5186 . 83C4 0C add esp, 0xC011F5189 .^ EB BC jmp short 011F5147011F518B > 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F5191 . 50 push eax011F5192 . E8 FD85FFFF call 011ED794011F5197 . 83C4 04 add esp, 0x4011F519A . 50 push eax011F519B . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F51A1 . 51 push ecx011F51A2 . E8 ED85FFFF call 011ED794011F51A7 . 83C4 04 add esp, 0x4011F51AA . 8DB405 D8F7FF>lea esi, dword ptr [ebp+eax-0x828]011F51B1 . 8D95 84E7FFFF lea edx, dword ptr [ebp-0x187C]011F51B7 . 52 push edx011F51B8 . E8 D785FFFF call 011ED794011F51BD . 83C4 04 add esp, 0x4011F51C0 . 2BF0 sub esi, eax011F51C2 . 56 push esi011F51C3 . 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F51C9 . 50 push eax011F51CA . E8 5889FFFF call 011EDB27 # strncmp,比较输入的sn的后64位和上面得到的hash字符串011F51CF . 83C4 0C add esp, 0xC011F51D2 . 85C0 test eax, eax011F51D4 . 75 3E jnz short 011F5214 # 校验成功就进入下面的迷宫011F51D6 . E8 D97EFFFF call 011ED0B4011F51DB . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F51E1 . 50 push eax # 经过base64两次解码,摩斯电码解码后的真实注册码011F51E2 . 68 00B02501 push 0125B000 # 迷宫地图011F51E7 . E8 BF87FFFF call 011ED9AB # 走迷宫011F51EC . 83C4 08 add esp, 0x8011F51EF . 0FB6C8 movzx ecx, al011F51F2 . 83F9 01 cmp ecx, 0x1011F51F5 . 75 1D jnz short 011F5214011F51F7 . 8BF4 mov esi, esp011F51F9 . 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL011F51FB . 68 98B12401 push 0124B198 ; |crackme011F5200 . 68 94B12401 push 0124B194 ; |ok011F5205 . 6A 00 push 0x0 ; |hOwner = NULL011F5207 . FF15 88F52501 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA011F520D . 3BF4 cmp esi, esp011F520F . E8 3D8CFFFF call 011EDE51011F5214 > B8 01000000 mov eax, 0x1011F5219 . EB 02 jmp short 011F521D |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | 0125B000 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 .............0125B010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B040 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B050 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B060 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ...............0125B070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B080 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B090 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ..............0125B0A0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0B0 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0C0 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0E0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B0F0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B100 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B110 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B120 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ...............0125B130 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ..............0125B140 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B160 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B170 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B180 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
简化后看得更清楚一点
每4个字节为一个点,10*10
0111111110
0011111000
1000001011
1111101001
1000101001
1010001011
1011111001
1000011100
1111000010
1111111000
三、走迷宫的方法
跟进11ed9ab
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 | 011F5528 |> 8B45 0C /mov eax, dword ptr [ebp+0xC]011F552B |. |0FBE08 |movsx ecx, byte ptr [eax] # 遇到sn[i] == 0x20空格的时候就停止011F552E |. |83F9 20 |cmp ecx, 0x20011F5531 |. |0F84 2C010000 |je 011F5663 # 这里有个bug?011F5537 |. |837D F8 08 |cmp dword ptr [ebp-0x8], 0x8011F553B |. |75 0A |jnz short 011F5547011F553D |. |837D EC 03 |cmp dword ptr [ebp-0x14], 0x3011F5541 |. |0F84 0E010000 |je 011F5655011F5547 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]011F554A |. |0FBE08 |movsx ecx, byte ptr [eax]011F554D |. |83F9 7A |cmp ecx, 0x7A011F5550 |. |75 32 |jnz short 011F5584 # sn[i] == 'z'011F5552 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F5555 |. |0345 D4 |add eax, dword ptr [ebp-0x2C]011F5558 |. |83F8 0A |cmp eax, 0xA011F555B |. |7D 20 |jge short 011F557D # 不能超过行011F555D |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F5560 |. |0345 D4 |add eax, dword ptr [ebp-0x2C]011F5563 |. |6BC0 28 |imul eax, eax, 0x28 # 这里就可以看出0x28/4=0x0a,10个元素为一行的地图011F5566 |. |0345 08 |add eax, dword ptr [ebp+0x8] # 定位到行011F5569 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F556C |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0 # 定位到当前格子,为0才能走,为1就失败011F5570 |. |75 09 |jnz short 011F557B011F5572 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F5575 |. |0345 D4 |add eax, dword ptr [ebp-0x2C] # 'z'是往下011F5578 |. |8945 EC |mov dword ptr [ebp-0x14], eax011F557B |> |EB 07 |jmp short 011F5584011F557D |> |32C0 |xor al, al011F557F |. |E9 E1000000 |jmp 011F5665011F5584 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]011F5587 |. |0FBE08 |movsx ecx, byte ptr [eax]011F558A |. |83F9 6C |cmp ecx, 0x6C011F558D |. |75 45 |jnz short 011F55D4 # 'l'是往右 011F558F |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]011F5592 |. |0345 BC |add eax, dword ptr [ebp-0x44]011F5595 |. |83F8 0A |cmp eax, 0xA011F5598 |. |7D 3A |jge short 011F55D4011F559A |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F559D |. |6BC0 28 |imul eax, eax, 0x28011F55A0 |. |0345 08 |add eax, dword ptr [ebp+0x8]011F55A3 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F55A6 |. |034D BC |add ecx, dword ptr [ebp-0x44]011F55A9 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0011F55AD |. |75 1E |jnz short 011F55CD011F55AF |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F55B2 |. |6BC0 28 |imul eax, eax, 0x28011F55B5 |. |0345 08 |add eax, dword ptr [ebp+0x8]011F55B8 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F55BB |. |C70488 040000>|mov dword ptr [eax+ecx*4], 0x4011F55C2 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]011F55C5 |. |0345 BC |add eax, dword ptr [ebp-0x44]011F55C8 |. |8945 F8 |mov dword ptr [ebp-0x8], eax011F55CB |. |EB 07 |jmp short 011F55D4011F55CD |> |32C0 |xor al, al011F55CF |. |E9 91000000 |jmp 011F5665011F55D4 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]011F55D7 |. |0FBE08 |movsx ecx, byte ptr [eax]011F55DA |. |83F9 71 |cmp ecx, 0x71 # 'q'是往上011F55DD |. |75 3F |jnz short 011F561E011F55DF |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F55E2 |. |0345 E0 |add eax, dword ptr [ebp-0x20]011F55E5 |. |78 37 |js short 011F561E011F55E7 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F55EA |. |0345 E0 |add eax, dword ptr [ebp-0x20]011F55ED |. |6BC0 28 |imul eax, eax, 0x28011F55F0 |. |0345 08 |add eax, dword ptr [ebp+0x8]011F55F3 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F55F6 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0011F55FA |. |75 1E |jnz short 011F561A011F55FC |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F55FF |. |6BC0 28 |imul eax, eax, 0x28011F5602 |. |0345 08 |add eax, dword ptr [ebp+0x8]011F5605 |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F5608 |. |C70488 040000>|mov dword ptr [eax+ecx*4], 0x4011F560F |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F5612 |. |0345 E0 |add eax, dword ptr [ebp-0x20]011F5615 |. |8945 EC |mov dword ptr [ebp-0x14], eax011F5618 |. |EB 04 |jmp short 011F561E011F561A |> |32C0 |xor al, al011F561C |. |EB 47 |jmp short 011F5665011F561E |> |8B45 0C |mov eax, dword ptr [ebp+0xC]011F5621 |. |0FBE08 |movsx ecx, byte ptr [eax]011F5624 |. |83F9 70 |cmp ecx, 0x70 # 'p'是往左011F5627 |. |75 2C |jnz short 011F5655011F5629 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]011F562C |. |0345 C8 |add eax, dword ptr [ebp-0x38]011F562F |. |78 24 |js short 011F5655011F5631 |. |8B45 EC |mov eax, dword ptr [ebp-0x14]011F5634 |. |6BC0 28 |imul eax, eax, 0x28011F5637 |. |0345 08 |add eax, dword ptr [ebp+0x8]011F563A |. |8B4D F8 |mov ecx, dword ptr [ebp-0x8]011F563D |. |034D C8 |add ecx, dword ptr [ebp-0x38]011F5640 |. |833C88 00 |cmp dword ptr [eax+ecx*4], 0x0011F5644 |. |75 0B |jnz short 011F5651011F5646 |. |8B45 F8 |mov eax, dword ptr [ebp-0x8]011F5649 |. |0345 C8 |add eax, dword ptr [ebp-0x38]011F564C |. |8945 F8 |mov dword ptr [ebp-0x8], eax011F564F |. |EB 04 |jmp short 011F5655011F5651 |> |32C0 |xor al, al011F5653 |. |EB 10 |jmp short 011F5665011F5655 |> |8B45 0C |mov eax, dword ptr [ebp+0xC]011F5658 |. |83C0 01 |add eax, 0x1011F565B |. |8945 0C |mov dword ptr [ebp+0xC], eax011F565E |.^\E9 C5FEFFFF \jmp 011F5528011F5663 |> B0 01 mov al, 0x1 # 返回1就成功了011F5665 |> 5F pop edi011F5666 |. 5E pop esi011F5667 |. 5B pop ebx011F5668 |. 81C4 14010000 add esp, 0x114011F566E |. 3BEC cmp ebp, esp011F5670 |. E8 DC87FFFF call 011EDE51011F5675 |. 8BE5 mov esp, ebp011F5677 |. 5D pop ebp011F5678 \. C3 retn |
四、最后
这不算走迷宫吧
只要不踩1就成功了,也没有长度限制,没有判断最后一定要从左上角走到右上角,只是判断了输入的位置不能为1而已
所以注册码只要一个'z'就成功了。
base64和摩斯电码都是标准的,两层base64
base64(base64(morse_code('z'))) = 'TFMwdUxpQT0='
再加上后面64位的校验值(可以通过调试得到明文比较)"b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94"
得到一组注册码
TFMwdUxpQT0=b92a72497b685c31013347a7276f371f8cf91085ab8322009bfed2df41d94f94
五、附
里面各种函数里都穿插着很多反调试的检测,nop掉后保存下来比较好调试
完
1 2 3 4 | 00401854 |> \68 80354000 push 00403580 ; /welcometokanxuectf201700401859 |. 8B55 F8 mov edx, dword ptr [ebp-0x8] ; |0040185C |. 52 push edx ; |s10040185D |. E8 2E060000 call <jmp.&MSVCRT.strcmp> ; \strcmp |
注册码:WelcomeToKanXueCtf2017
一、查找字符串ok定位到
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | 011F505F . 8BF4 mov esi, esp011F5061 . 68 01040000 push 0x401 ; /Count = 401 (1025.)011F5066 . 8D85 D8F7FFFF lea eax, dword ptr [ebp-0x828] ; |011F506C . 50 push eax ; |Buffer011F506D . 68 E9030000 push 0x3E9 ; |ControlID = 3E9 (1001.)011F5072 . 8B4D 08 mov ecx, dword ptr [ebp+0x8] ; |011F5075 . 51 push ecx ; |hWnd011F5076 . FF15 70F52501 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA # 获取输入 sn011F507C . 3BF4 cmp esi, esp011F507E . E8 CE8DFFFF call 011EDE51011F5083 . 8985 E0FBFFFF mov dword ptr [ebp-0x420], eax011F5089 . C685 C8EFFFFF>mov byte ptr [ebp-0x1038], 0x0011F5090 . 68 FF030000 push 0x3FF011F5095 . 6A 00 push 0x0011F5097 . 8D85 C9EFFFFF lea eax, dword ptr [ebp-0x1037]011F509D . 50 push eax011F509E . E8 4385FFFF call 011ED5E6011F50A3 . 83C4 0C add esp, 0xC011F50A6 . 8D85 D0F3FFFF lea eax, dword ptr [ebp-0xC30]011F50AC . 50 push eax011F50AD . 68 00040000 push 0x400011F50B2 . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F50B8 . 51 push ecx011F50B9 . E8 A981FFFF call 011ED267 # Base64解码sn011F50BE . 83C4 0C add esp, 0xC011F50C1 . C685 C0EBFFFF>mov byte ptr [ebp-0x1440], 0x0011F50C8 . 68 FF030000 push 0x3FF011F50CD . 6A 00 push 0x0011F50CF . 8D85 C1EBFFFF lea eax, dword ptr [ebp-0x143F]011F50D5 . 50 push eax011F50D6 . E8 0B85FFFF call 011ED5E6011F50DB . 83C4 0C add esp, 0xC011F50DE . 8D85 C8EFFFFF lea eax, dword ptr [ebp-0x1038]011F50E4 . 50 push eax011F50E5 . 68 00040000 push 0x400011F50EA . 8D8D D0F3FFFF lea ecx, dword ptr [ebp-0xC30]011F50F0 . 51 push ecx011F50F1 . E8 7181FFFF call 011ED267 # 再解一次011F50F6 . 83C4 0C add esp, 0xC011F50F9 . 68 00040000 push 0x400011F50FE . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F5104 . 50 push eax011F5105 . 8D8D C8EFFFFF lea ecx, dword ptr [ebp-0x1038]011F510B . 51 push ecx011F510C . E8 5988FFFF call 011ED96A # 摩斯电码解码011F5111 . 83C4 0C add esp, 0xC011F5114 . C785 B4EBFFFF>mov dword ptr [ebp-0x144C], 0x3011F511E . 8D85 8CEBFFFF lea eax, dword ptr [ebp-0x1474]011F5124 . 50 push eax011F5125 . 8B8D B4EBFFFF mov ecx, dword ptr [ebp-0x144C]011F512B . 51 push ecx011F512C . 8D95 C8EFFFFF lea edx, dword ptr [ebp-0x1038]011F5132 . 52 push edx011F5133 . E8 4089FFFF call 011EDA78 # 得到hash值011F5138 . 83C4 0C add esp, 0xC011F513B . C785 78E7FFFF>mov dword ptr [ebp-0x1888], 0x0011F5145 . EB 0F jmp short 011F5156011F5147 > 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F514D . 83C0 01 add eax, 0x1011F5150 . 8985 78E7FFFF mov dword ptr [ebp-0x1888], eax011F5156 > 83BD 78E7FFFF>cmp dword ptr [ebp-0x1888], 0x20011F515D . 7D 2C jge short 011F518B011F515F . 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F5165 . 0FB68C05 8CEB>movzx ecx, byte ptr [ebp+eax-0x1474]011F516D . 51 push ecx011F516E . 68 A4B12401 push 0124B1A4 ; %02x011F5173 . 8B95 78E7FFFF mov edx, dword ptr [ebp-0x1888]011F5179 . 8D8455 84E7FF>lea eax, dword ptr [ebp+edx*2-0x187C>011F5180 . 50 push eax011F5181 . E8 7F8DFFFF call 011EDF05 # hash值格式化成字符串进行比较011F5186 . 83C4 0C add esp, 0xC011F5189 .^ EB BC jmp short 011F5147011F518B > 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F5191 . 50 push eax011F5192 . E8 FD85FFFF call 011ED794011F5197 . 83C4 04 add esp, 0x4011F519A . 50 push eax011F519B . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F51A1 . 51 push ecx011F51A2 . E8 ED85FFFF call 011ED794011F51A7 . 83C4 04 add esp, 0x4011F51AA . 8DB405 D8F7FF>lea esi, dword ptr [ebp+eax-0x828]011F51B1 . 8D95 84E7FFFF lea edx, dword ptr [ebp-0x187C]011F51B7 . 52 push edx011F51B8 . E8 D785FFFF call 011ED794011F51BD . 83C4 04 add esp, 0x4011F51C0 . 2BF0 sub esi, eax011F51C2 . 56 push esi011F51C3 . 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F51C9 . 50 push eax011F51CA . E8 5889FFFF call 011EDB27 # strncmp,比较输入的sn的后64位和上面得到的hash字符串011F51CF . 83C4 0C add esp, 0xC011F51D2 . 85C0 test eax, eax011F51D4 . 75 3E jnz short 011F5214 # 校验成功就进入下面的迷宫011F51D6 . E8 D97EFFFF call 011ED0B4011F51DB . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F51E1 . 50 push eax # 经过base64两次解码,摩斯电码解码后的真实注册码011F51E2 . 68 00B02501 push 0125B000 # 迷宫地图011F51E7 . E8 BF87FFFF call 011ED9AB # 走迷宫011F51EC . 83C4 08 add esp, 0x8011F51EF . 0FB6C8 movzx ecx, al011F51F2 . 83F9 01 cmp ecx, 0x1011F51F5 . 75 1D jnz short 011F5214011F51F7 . 8BF4 mov esi, esp011F51F9 . 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL011F51FB . 68 98B12401 push 0124B198 ; |crackme011F5200 . 68 94B12401 push 0124B194 ; |ok011F5205 . 6A 00 push 0x0 ; |hOwner = NULL011F5207 . FF15 88F52501 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA011F520D . 3BF4 cmp esi, esp011F520F . E8 3D8CFFFF call 011EDE51011F5214 > B8 01000000 mov eax, 0x1011F5219 . EB 02 jmp short 011F521D |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 | 011F505F . 8BF4 mov esi, esp011F5061 . 68 01040000 push 0x401 ; /Count = 401 (1025.)011F5066 . 8D85 D8F7FFFF lea eax, dword ptr [ebp-0x828] ; |011F506C . 50 push eax ; |Buffer011F506D . 68 E9030000 push 0x3E9 ; |ControlID = 3E9 (1001.)011F5072 . 8B4D 08 mov ecx, dword ptr [ebp+0x8] ; |011F5075 . 51 push ecx ; |hWnd011F5076 . FF15 70F52501 call dword ptr [<&USER32.GetDlgItemTe>; \GetDlgItemTextA # 获取输入 sn011F507C . 3BF4 cmp esi, esp011F507E . E8 CE8DFFFF call 011EDE51011F5083 . 8985 E0FBFFFF mov dword ptr [ebp-0x420], eax011F5089 . C685 C8EFFFFF>mov byte ptr [ebp-0x1038], 0x0011F5090 . 68 FF030000 push 0x3FF011F5095 . 6A 00 push 0x0011F5097 . 8D85 C9EFFFFF lea eax, dword ptr [ebp-0x1037]011F509D . 50 push eax011F509E . E8 4385FFFF call 011ED5E6011F50A3 . 83C4 0C add esp, 0xC011F50A6 . 8D85 D0F3FFFF lea eax, dword ptr [ebp-0xC30]011F50AC . 50 push eax011F50AD . 68 00040000 push 0x400011F50B2 . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F50B8 . 51 push ecx011F50B9 . E8 A981FFFF call 011ED267 # Base64解码sn011F50BE . 83C4 0C add esp, 0xC011F50C1 . C685 C0EBFFFF>mov byte ptr [ebp-0x1440], 0x0011F50C8 . 68 FF030000 push 0x3FF011F50CD . 6A 00 push 0x0011F50CF . 8D85 C1EBFFFF lea eax, dword ptr [ebp-0x143F]011F50D5 . 50 push eax011F50D6 . E8 0B85FFFF call 011ED5E6011F50DB . 83C4 0C add esp, 0xC011F50DE . 8D85 C8EFFFFF lea eax, dword ptr [ebp-0x1038]011F50E4 . 50 push eax011F50E5 . 68 00040000 push 0x400011F50EA . 8D8D D0F3FFFF lea ecx, dword ptr [ebp-0xC30]011F50F0 . 51 push ecx011F50F1 . E8 7181FFFF call 011ED267 # 再解一次011F50F6 . 83C4 0C add esp, 0xC011F50F9 . 68 00040000 push 0x400011F50FE . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F5104 . 50 push eax011F5105 . 8D8D C8EFFFFF lea ecx, dword ptr [ebp-0x1038]011F510B . 51 push ecx011F510C . E8 5988FFFF call 011ED96A # 摩斯电码解码011F5111 . 83C4 0C add esp, 0xC011F5114 . C785 B4EBFFFF>mov dword ptr [ebp-0x144C], 0x3011F511E . 8D85 8CEBFFFF lea eax, dword ptr [ebp-0x1474]011F5124 . 50 push eax011F5125 . 8B8D B4EBFFFF mov ecx, dword ptr [ebp-0x144C]011F512B . 51 push ecx011F512C . 8D95 C8EFFFFF lea edx, dword ptr [ebp-0x1038]011F5132 . 52 push edx011F5133 . E8 4089FFFF call 011EDA78 # 得到hash值011F5138 . 83C4 0C add esp, 0xC011F513B . C785 78E7FFFF>mov dword ptr [ebp-0x1888], 0x0011F5145 . EB 0F jmp short 011F5156011F5147 > 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F514D . 83C0 01 add eax, 0x1011F5150 . 8985 78E7FFFF mov dword ptr [ebp-0x1888], eax011F5156 > 83BD 78E7FFFF>cmp dword ptr [ebp-0x1888], 0x20011F515D . 7D 2C jge short 011F518B011F515F . 8B85 78E7FFFF mov eax, dword ptr [ebp-0x1888]011F5165 . 0FB68C05 8CEB>movzx ecx, byte ptr [ebp+eax-0x1474]011F516D . 51 push ecx011F516E . 68 A4B12401 push 0124B1A4 ; %02x011F5173 . 8B95 78E7FFFF mov edx, dword ptr [ebp-0x1888]011F5179 . 8D8455 84E7FF>lea eax, dword ptr [ebp+edx*2-0x187C>011F5180 . 50 push eax011F5181 . E8 7F8DFFFF call 011EDF05 # hash值格式化成字符串进行比较011F5186 . 83C4 0C add esp, 0xC011F5189 .^ EB BC jmp short 011F5147011F518B > 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F5191 . 50 push eax011F5192 . E8 FD85FFFF call 011ED794011F5197 . 83C4 04 add esp, 0x4011F519A . 50 push eax011F519B . 8D8D D8F7FFFF lea ecx, dword ptr [ebp-0x828]011F51A1 . 51 push ecx011F51A2 . E8 ED85FFFF call 011ED794011F51A7 . 83C4 04 add esp, 0x4011F51AA . 8DB405 D8F7FF>lea esi, dword ptr [ebp+eax-0x828]011F51B1 . 8D95 84E7FFFF lea edx, dword ptr [ebp-0x187C]011F51B7 . 52 push edx011F51B8 . E8 D785FFFF call 011ED794011F51BD . 83C4 04 add esp, 0x4011F51C0 . 2BF0 sub esi, eax011F51C2 . 56 push esi011F51C3 . 8D85 84E7FFFF lea eax, dword ptr [ebp-0x187C]011F51C9 . 50 push eax011F51CA . E8 5889FFFF call 011EDB27 # strncmp,比较输入的sn的后64位和上面得到的hash字符串011F51CF . 83C4 0C add esp, 0xC011F51D2 . 85C0 test eax, eax011F51D4 . 75 3E jnz short 011F5214 # 校验成功就进入下面的迷宫011F51D6 . E8 D97EFFFF call 011ED0B4011F51DB . 8D85 C0EBFFFF lea eax, dword ptr [ebp-0x1440]011F51E1 . 50 push eax # 经过base64两次解码,摩斯电码解码后的真实注册码011F51E2 . 68 00B02501 push 0125B000 # 迷宫地图011F51E7 . E8 BF87FFFF call 011ED9AB # 走迷宫011F51EC . 83C4 08 add esp, 0x8011F51EF . 0FB6C8 movzx ecx, al011F51F2 . 83F9 01 cmp ecx, 0x1011F51F5 . 75 1D jnz short 011F5214011F51F7 . 8BF4 mov esi, esp011F51F9 . 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL011F51FB . 68 98B12401 push 0124B198 ; |crackme011F5200 . 68 94B12401 push 0124B194 ; |ok011F5205 . 6A 00 push 0x0 ; |hOwner = NULL011F5207 . FF15 88F52501 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA011F520D . 3BF4 cmp esi, esp011F520F . E8 3D8CFFFF call 011EDE51011F5214 > B8 01000000 mov eax, 0x1011F5219 . EB 02 jmp short 011F521D |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | 0125B000 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 .............0125B010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B040 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B050 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B060 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ...............0125B070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B080 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B090 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ..............0125B0A0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0B0 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0C0 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0E0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B0F0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B100 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B110 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B120 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ...............0125B130 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ..............0125B140 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B160 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B170 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B180 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | 0125B000 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 .............0125B010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B020 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B030 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B040 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B050 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B060 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ...............0125B070 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B080 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B090 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ..............0125B0A0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0B0 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0C0 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B0D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B0E0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B0F0 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B100 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 .............0125B110 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ..............0125B120 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ...............0125B130 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ..............0125B140 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B160 01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 .............0125B170 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............0125B180 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............0125B190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................0125B1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
简化后看得更清楚一点
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
|
|
|---|---|
|
|
他的文章
- [原创]第十题 2917
- [原创]第一题 2914
- [原创]第1、3题(补) 3223
- [原创]CTF2017 第一题 2895
- [原创]第十八题分析 3470
赞赏
雪币:
留言:
