[Original] Challenge 1: Mysterious Letter
Posted on: 2019-6-21 19:09 2207
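On entering the main function, the program first constrains the input and its length.
The length is 6, the last three characters are 353, and the first three characters sum to 149.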
.text:004012C7 ; 12: if ( lens < 7
.text:004012C7 ; 13: && str[5] == '3'
.text:004012C7 ; 14: && str[4] == '5'
.text:004012C7 ; 15: && str[3] == '3'
.text:004012C7 ; 16: && (unsigned __int8)str[2] + (unsigned __int8)str[1] + (unsigned __int8)str[0] == 149 )
.text:004012C7 sub edx, ecx
.text:004012C9 cmp edx, 7
.text:004012CC jb short loc_4012F9
.text:004012CE ; 30: sub_401410("error\n");
.text:004012CE
.text:004012CE loc_4012CE: ; CODE XREF: _main+9D↓j
.text:004012CE ; _main+A3↓j ...
.text:004012CE push offset aError ; "error\n"
.text:004012D3 call sub_401410
.text:004012D8 ; 31: return 0;
loc_4012F9: ; CODE XREF: _main+6C↑j
.text:004012F9 cmp [ebp+str+5], '3'
.text:004012FD jnz short loc_4012CE
.text:004012FF cmp [ebp+str+4], '5'
.text:00401303 jnz short loc_4012CE
.text:00401305 cmp [ebp+str+3], '3'
.text:00401309 jnz short loc_4012CE
.text:0040130B movzx ecx, [ebp+str]
.text:0040130F movzx eax, [ebp+str+1]
.text:00401313 add ecx, eax
.text:00401315 movzx eax, [ebp+str+2]
.text:00401319 add ecx, eax
.text:0040131B cmp ecx, 95h
.text:00401321 jnz short loc_4012CE
The input string is then converted to its numeric representation, and the value is stored in esi.
.text:00401325 ; 19: if ( lens )
.text:00401325 test edx, edx
.text:00401327 jz short loc_401342
.text:00401329 nop dword ptr [eax+00000000h]
.text:00401330 ; 22: t = (unsigned __int8)str[j++] + 16 * t - 48;// convert the input string to a number
.text:00401330
.text:00401330 loc_401330: ; CODE XREF: _main+E0↓j
.text:00401330 movzx eax, [ebp+ecx+str]
.text:00401335 shl esi, 4
.text:00401338 add esi, 0FFFFFFD0h
.text:0040133B add esi, eax //esi ends up holding the numeric value of the input
.text:0040133D ; 23: while ( j < lens );
.text:0040133D inc ecx
.text:0040133E cmp ecx, edx
.text:00401340 jb short loc_401330
.text:00401342 ; 25: ms_exc.registration.TryLevel = 0;
.text:00401342
.text:00401342 loc_401342: ; CODE XREF: _main+C7↑j
.text:00401342 ; __try { // __except at loc_401379
.text:00401342 mov [ebp+ms_exc.registration.TryLevel], 0
.text:00401349 test esi, esi
.text:0040134B jz short loc_40135D
.text:0040134D push eax
.text:0040134E call loc_401354 ; try (the call pushes the address of the next instruction onto the stack)
.text:0040134E ; ---------------------------------------------------------------------------
.text:00401353 db 0EBh
.text:00401354 ; ---------------------------------------------------------------------------
.text:00401354
.text:00401354 loc_401354: ; CODE XREF: _main+EE↑j
.text:00401354 pop eax ; pop the top of the stack, i.e. the return address: eax=401353
.text:00401355 sub eax, 0
.text:00401358 sub esi, eax ; when esi=eax, a divide-by-zero exception is triggered
.text:0040135A div esi
.text:0040135C pop eax
Making esi == eax completes the verification.
Result: 401353
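The three checks above, modeled in C as an added example (not code from the original post or from the challenge binary). The function names and every sample input other than 401353 are constructed here, and the model takes reaching the divide-by-zero as the success condition, as the write-up states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_ADDR 0x401353u /* return address pushed by the call at 0040134E */

/* Stage 1 (pseudocode lines 12-16): length, fixed suffix, byte sum. */
int passes_prefilter(const char *s)
{
    if (strlen(s) != 6)            /* the write-up states the length is 6 */
        return 0;
    if (s[5] != '3' || s[4] != '5' || s[3] != '3')
        return 0;
    return (uint8_t)s[0] + (uint8_t)s[1] + (uint8_t)s[2] == 149; /* 95h */
}

/* Stage 2 (pseudocode line 22): t = str[j] + 16 * t - 48, kept in esi.
 * There is no range check, so this is only a hex parse for '0'..'9'. */
uint32_t pack_input(const char *s)
{
    uint32_t t = 0;
    for (size_t j = 0; s[j] != '\0'; j++)
        t = (uint8_t)s[j] + 16u * t - 48u;
    return t;
}

/* Stage 3: sub esi, eax / div esi faults only when the divisor is zero. */
int reaches_div_by_zero(const char *s)
{
    return passes_prefilter(s) && pack_input(s) - RET_ADDR == 0;
}

int main(void)
{
    /* Constructed inputs; only the first one comes from the write-up. */
    const char *samples[] = { "401353", "410353", "401354", "3A!353" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s prefilter=%d esi=%06X fault=%d\n", samples[i],
               passes_prefilter(samples[i]), (unsigned)pack_input(samples[i]),
               reaches_div_by_zero(samples[i]));
    return 0;
}
```

In this model 410353 passes the first stage but leaves esi at 0x410353, so the division does not fault. The constructed string 3A!353 also yields 0x401353, because the conversion subtracts 48 from every byte without checking that it is a digit.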