[Help] Algorithm understood, but I don't know how to construct the two parameters
Posted on: 2006-7-3 15:19
【Author】: bxm
【Tools used】: PEiD, OD
--------------------------------------------------------------------------------
【Details】
Checked it with PEiD: no packer. Loaded it in OD, ran it, set a breakpoint on GetDlgItemTextA, entered the two parameters, and it broke here:
004012B5 |. E8 F2010000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004012BA |. 6A 0A push 0A ; /Count = A (10.)
004012BC |. 8D45 F6 lea eax, [ebp-A] ; |
004012BF |. 50 push eax ; |Buffer
004012C0 |. 6A 66 push 66 ; |ControlID = 66 (102.)
004012C2 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
004012C5 |. E8 E2010000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004012CA |. 8D45 F6 lea eax, [ebp-A]
004012CD |. 50 push eax
004012CE |. 8D45 EC lea eax, [ebp-14]
004012D1 |. 50 push eax
004012D2 |. E8 73000000 call 0040134A ; key call, step into it
004012D7 |. 83C4 08 add esp, 8
004012DA |. 09C0 or eax, eax
004012DC |. 74 16 je short 004012F4 ; if it jumps, we're done for
004012DE |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004012E0 |. 68 26324000 push 00403226 ; |Title = "Great !!!"
004012E5 |. 68 30324000 push 00403230 ; |Text = "Congratulations, you have cracked the Zebra Crackme ver 1.1"
004012EA |. FF75 08 push dword ptr [ebp+8] ; |hOwner
004012ED |. E8 C6010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004012F2 |. EB 14 jmp short 00401308
004012F4 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004012F6 |. 68 F8314000 push 004031F8 ; |Title = "Hmmmm :P"
004012FB |. 68 01324000 push 00403201 ; |Text = "Sorry... The Serial isn't correct :?
00401300 |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401303 |. E8 B0010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
=================================================================================================
The key call:
0040134A /$ 55 push ebp
0040134B |. 89E5 mov ebp, esp
0040134D |. 83EC 68 sub esp, 68
00401350 |. FF75 08 push dword ptr [ebp+8] ; /argument 1
00401353 |. E8 78010000 call <jmp.&CRTDLL.atof> ; \convert to a double
00401358 |. DD55 E8 fst qword ptr [ebp-18]
0040135B |. 83EC 08 sub esp, 8
0040135E |. DD1C24 fstp qword ptr [esp]
00401361 |. E8 82010000 call <jmp.&CRTDLL.floor> ; floor(arg1)
00401366 |. DD5D F8 fstp qword ptr [ebp-8]
00401369 |. FF75 0C push dword ptr [ebp+C] ; /argument 2
0040136C |. E8 5F010000 call <jmp.&CRTDLL.atof> ; \atof
00401371 |. DD55 D8 fst qword ptr [ebp-28]
00401374 |. 83EC 08 sub esp, 8
00401377 |. DD1C24 fstp qword ptr [esp]
0040137A |. E8 69010000 call <jmp.&CRTDLL.floor> ; floor(arg2)
0040137F |. 83C4 18 add esp, 18
00401382 |. DD55 F0 fst qword ptr [ebp-10] ; save floor(arg2) to [ebp-10]
00401385 |. DC4D F8 fmul qword ptr [ebp-8] ; multiply by floor(arg1)
00401388 |. D9EE fldz
0040138A |. DED9 fcompp ; floor(arg1)*floor(arg2) = 0 ?
0040138C |. DFE0 fstsw ax
0040138E |. 9E sahf
0040138F 75 07 jnz short 00401398 ; if so, we're done for
00401391 |. 31C0 xor eax, eax
00401393 |. E9 96000000 jmp 0040142E
00401398 |> DD45 F8 fld qword ptr [ebp-8]
0040139B |. DC5D F0 fcomp qword ptr [ebp-10] ; floor(arg1) = floor(arg2) ?
0040139E |. DFE0 fstsw ax
004013A0 |. 9E sahf
004013A1 |. 75 07 jnz short 004013AA ; if so, we're done for
004013A3 |. 31C0 xor eax, eax
004013A5 |. E9 84000000 jmp 0040142E
004013AA |> DD45 F8 fld qword ptr [ebp-8]
004013AD |. DD5D C8 fstp qword ptr [ebp-38]
004013B0 |. D9E8 fld1
004013B2 |. DD55 C0 fst qword ptr [ebp-40]
004013B5 |. DC5D C8 fcomp qword ptr [ebp-38] ; floor(arg1) < 1 ?
004013B8 |. DFE0 fstsw ax
004013BA |. 9E sahf
004013BB |. 77 2D ja short 004013EA ; if so, we're done for
004013BD |. DF2D 38304000 fild qword ptr [403038]
004013C3 |. DD55 B8 fst qword ptr [ebp-48]
004013C6 |. DC5D C8 fcomp qword ptr [ebp-38] ; floor(arg1) > 10^10 ?
004013C9 |. DFE0 fstsw ax
004013CB |. 9E sahf
004013CC |. 72 1C jb short 004013EA ; if so, we're done for
004013CE |. DD45 F0 fld qword ptr [ebp-10]
004013D1 |. DD5D B0 fstp qword ptr [ebp-50]
004013D4 |. DD45 C0 fld qword ptr [ebp-40]
004013D7 |. DC5D B0 fcomp qword ptr [ebp-50] ; floor(arg2) < 1 ?
004013DA |. DFE0 fstsw ax
004013DC |. 9E sahf
004013DD |. 77 0B ja short 004013EA ; if so, we're done for
004013DF |. DD45 B8 fld qword ptr [ebp-48]
004013E2 |. DC5D B0 fcomp qword ptr [ebp-50] ; floor(arg2) > 10^10 ?
004013E5 |. DFE0 fstsw ax
004013E7 |. 9E sahf
004013E8 |. 73 04 jnb short 004013EE ; if so, we're done for
004013EA |> 31C0 xor eax, eax
004013EC |. EB 40 jmp short 0040142E
004013EE |> DD45 F8 fld qword ptr [ebp-8]
004013F1 |. D9FE fsin ; sin(floor(arg1))
004013F3 |. DD5D A8 fstp qword ptr [ebp-58]
004013F6 |. DD45 F0 fld qword ptr [ebp-10]
004013F9 |. D9FE fsin ; sin(floor(arg2))
004013FB |. DD5D A0 fstp qword ptr [ebp-60]
004013FE |. DD45 A8 fld qword ptr [ebp-58]
00401401 |. DC4D A0 fmul qword ptr [ebp-60] ; sin(floor(arg1))*sin(floor(arg2))
00401404 |. DF2D 30304000 fild qword ptr [403030]
0040140A |. DEC9 fmulp st(1), st ; 10^16*sin(floor(arg1))*sin(floor(arg2))
0040140C |. 83EC 08 sub esp, 8
0040140F |. DD1C24 fstp qword ptr [esp]
00401412 |. E8 D1000000 call <jmp.&CRTDLL.floor> ; floor(10^16*sin(floor(arg1))*sin(floor(arg2)))
00401417 |. 83C4 08 add esp, 8
0040141A |. DD5D 98 fstp qword ptr [ebp-68]
0040141D |. D9EE fldz
0040141F |. DC5D 98 fcomp qword ptr [ebp-68] ; floor(10^16*sin(floor(arg1))*sin(floor(arg2))) = 0 ?
00401422 |. DFE0 fstsw ax
00401424 |. 9E sahf
00401425 75 05 jnz short 0040142C ; nonzero means we're done for
00401427 |. 31C0 xor eax, eax
00401429 |. 40 inc eax
0040142A |. EB 02 jmp short 0040142E
0040142C |> 31C0 xor eax, eax
0040142E |> C9 leave
0040142F \. C3 retn
Algorithm summary:
1. The product of the two parameters after floor() must not be 0.
2. The two parameters after floor() must not be equal.
3. After floor(), neither parameter may be less than 1 or greater than 10^10.
4. A correct pair of parameters must satisfy floor(10^16*sin(floor(arg1))*sin(floor(arg2))) equal to 0. But I cannot construct two such parameters.
Experts, please advise!
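As an added example (not part of the original post), the routine at 0040134A re-implemented in Python, followed by a search for inputs that satisfy its last test. The search uses the fact that the integers whose sine is closest to zero are the numerators of the continued-fraction convergents of π, so their pairwise products of sines can drop below 10^-16. It assumes the constants at 403030 and 403038 are 10^16 and 10^10 as labelled in the listing, and that Python's math.sin is close enough to the x87 fsin the binary uses; a candidate found this way should still be confirmed in the real program.

```python
import math
from fractions import Fraction

SCALE = 1e16   # constant read from [403030] (labelled 10^16 in the listing)
LIMIT = 1e10   # constant read from [403038] (labelled 10^10 in the listing)

def check(x: float, y: float) -> bool:
    """Re-implementation of the routine at 0040134A on the two atof() results;
    True where the original returns eax = 1."""
    if not (math.isfinite(x) and math.isfinite(y)):
        return False                       # inf/nan could not pass the range compares
    a, b = math.floor(x), math.floor(y)    # the two floor() calls
    if a * b == 0:                         # 0040138A: product of the floors is 0 -> fail
        return False
    if a == b:                             # 0040139B: the floors are equal -> fail
        return False
    if a < 1 or a > LIMIT or b < 1 or b > LIMIT:   # 004013B5..004013E8 range checks
        return False
    # 004013EE..00401425: floor(1e16 * sin(a) * sin(b)) must be exactly 0, so the
    # product of the two sines has to lie in [0, 1e-16); a negative product gives -1
    return math.floor(SCALE * math.sin(a) * math.sin(b)) == 0

def pi_convergents(max_numerator: int) -> list:
    """Numerators p of the continued-fraction convergents p/q of pi with p <= max_numerator.
    They are the integers closest to a multiple of pi, hence the ones with the smallest |sin|."""
    x = Fraction("3.1415926535897932384626433832795028841971")  # 40 digits, ample here
    p_prev, p_cur, out = 0, 1, []
    while True:
        q = math.floor(x)                  # next partial quotient
        p_prev, p_cur = p_cur, q * p_cur + p_prev
        if p_cur > max_numerator:
            return out
        out.append(p_cur)
        x = 1 / (x - q)

def find_pair(max_digits: int = 9):
    """First accepted pair of convergents. Each input lands in a 10-byte buffer
    (push 0A before GetDlgItemTextA), so it has at most 9 characters: values below 10^9."""
    cands = pi_convergents(10 ** max_digits - 1)
    for i, a in enumerate(cands):
        for b in cands[i + 1:]:
            if check(a, b):
                return a, b
    return None
```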
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
2006-07-03 03:17:45 PM