[原创]菜鸟只能签个到
发表于: 2019-12-12 18:55 2135
首先用 IDA 查看 strings，定位到“答对了”字符串，它位于 text:00401780。
按 F5 反编译，代码如下，函数名修改为 right：
// Success path of the crackme: pops the "恭喜!" box with the global Text,
// then terminates the current process with exit code 0.
// Returns whatever TerminateProcess returns.
BOOL right()
{
    MessageBoxA(0, Text, "恭喜!", 0);
    return TerminateProcess(GetCurrentProcess(), 0);
}
{
HANDLE hProcess; // ST5C_4
MessageBoxA(0, Text, "恭喜!", 0);
hProcess = GetCurrentProcess();
return TerminateProcess(hProcess, 0);
}
查找 right 的引用，在 text:0040180E 处有 call right；
按 F5 反编译，
函数名修改为 right_or：
// Final check of the decoded candidate: an exact match against "goluck!"
// takes the success path right(), anything else goes to sub_4017B0().
// Returns the result of whichever of the two was called.
BOOL __cdecl right_or(char *Str1)
{
    if ( strcmp(Str1, "goluck!") == 0 )
        return right();
    return sub_4017B0();
}
{
BOOL result; // eax
if ( !strcmp(Str1, "goluck!") )
result = right();
else
result = sub_4017B0();
return result;
}
可以看到传入参数与
"goluck!"
做比较，于是向上寻找调用它的上层函数，以及传入参数的来源：
// Decompiled MFC dialog handler: reads the text of control 1002 into the
// CString member at this+100, maps every input digit d to the character
// v7[d] of the key string "cuk!ogl", and hands the decoded string to
// right_or(). Returns right_or()'s result, or the result of the
// "请输入password!" MessageBoxA when the field is empty.
//
// NOTE(review): Str1 is 8 bytes but the loop below is bounded only by the
// length of the user-supplied string, so 8 or more input characters write
// past Str1 on the stack (the terminator Str1[i] = 0 included). Likewise v7
// holds 7 characters plus its NUL, so digits '8' and '9' read past its end.
// This documents the analyzed binary as decompiled; it is not code to fix here.
int __thiscall sub_401830(CWnd *this)
{
struct CString *v1; // ST08_4 — presumably the CString member at this+100
CWnd *v2; // eax — the control fetched via GetDlgItem
int v3; // eax — value returned by sub_401970, passed on to GetBuffer
char Str1[8]; // [esp+4Ch] [ebp-18h] — decoded candidate; only 8 bytes, no bound enforced below
int i; // [esp+54h] [ebp-10h] — input index, runs to strlen(Str)
const char *v7; // [esp+58h] [ebp-Ch] — key table "cuk!ogl"
char *Str; // [esp+5Ch] [ebp-8h] — raw user input from the CString buffer
CWnd *v9; // [esp+60h] [ebp-4h] — copy of this
v9 = this;
v1 = (this + 100); // CString member at offset 100 receives the control text
v2 = CWnd::GetDlgItem(this, 1002); // control 1002 — presumably the password edit box, judging by the prompt below
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401970(v9 + 100); // opaque helper; looks like the length handed to GetBuffer — unconfirmed
Str = CString::GetBuffer((v9 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v9, "请输入password!", 0, 0); // empty input: prompt and stop
v7 = "cuk!ogl"; // input digit d selects v7[d]; only indices 0..6 are inside the string
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 57 || Str[i] < 48 ) // not an ASCII digit ('0'..'9')
sub_4017B0(); // same helper as right_or's non-match branch; the loop does NOT stop, so Str1[i] is left unwritten
else
Str1[i] = v7[Str[i] - 48]; // no check on i against sizeof(Str1) nor on the index into v7
}
Str1[i] = 0; // terminate the decoded string — same unbounded index i
return right_or(Str1);
}
{
struct CString *v1; // ST08_4
CWnd *v2; // eax
int v3; // eax
char Str1[8]; // [esp+4Ch] [ebp-18h]
int i; // [esp+54h] [ebp-10h]
const char *v7; // [esp+58h] [ebp-Ch]
char *Str; // [esp+5Ch] [ebp-8h]
CWnd *v9; // [esp+60h] [ebp-4h]
v9 = this;
v1 = (this + 100);
v2 = CWnd::GetDlgItem(this, 1002);
CWnd::GetWindowTextA(v2, v1);
v3 = sub_401970(v9 + 100);
Str = CString::GetBuffer((v9 + 100), v3);
if ( !strlen(Str) )
return CWnd::MessageBoxA(v9, "请输入password!", 0, 0);
v7 = "cuk!ogl";
for ( i = 0; Str[i]; ++i )
{
if ( Str[i] > 57 || Str[i] < 48 )
sub_4017B0();
else
Str1[i] = v7[Str[i] - 48];
}
Str1[i] = 0;
return right_or(Str1);
}
很明显
Str = CString::GetBuffer((v9 + 100), v3);
获得缓冲区字符串，然后取字符串 Str 的每一位（减去 48，即字符 '0'）作为 v7 字符串的下标，逐位生成 Str1，最后用 0 结束字符串。
而 v7 = "cuk!ogl";
对比
right_or
函数与
"goluck!"
做比较，即需要 Str1 == "goluck!"：g、o、l、u、c、k、! 在 "cuk!ogl" 中的下标依次是 5、4、6、1、0、2、3，
可知 str=5461023