[讨论]我也来个CrackMe-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
easystone 雪币： 27 活跃值： (12) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 35 粉丝 0 关注私信	easystone 1 2 楼看来没多少人玩哦我把自己写的分析和keygen写出来参考参考吧... 因为是写到crackmes.de 所以是英文的 -------------------------------lined by aneasystone----------------------------------------- use the exception of DividedByZero. at first, the username and sn is requested to be length of 6. second, we need to know the steps of calculation; and the process is like following: (for example: username = "easyst") and the result = (((('e'^0xc+'a')^0xc+'s')^0xc+'y')^0xc+'s')^0xc+'t' = 0x028d (for example: sn = "123456") and then the result of sn is : (((('1'^0x1a+'2')^0x1a+'3')^0x1a+'4')^0x1a+'5')^0x1a+'6' = 0x???? plz look at here: 00401148 . 83F9 06 cmp ecx, 6 0040114B . 7D 23 jge short 00401170 0040114D . 0FBEB40D D8FE>movsx esi, byte ptr [ebp+ecx-128]-------- username 00401155 . 83F0 0C xor eax, 0C 00401158 . 03C6 add eax, esi 0040115A . 8945 DC mov [ebp-24], eax 0040115D . 0FBEB40D D8FD>movsx esi, byte ptr [ebp+ecx-228]-------- sn 00401165 . 83F2 1A xor edx, 1A 00401168 . 03D6 add edx, esi 0040116A . 8955 D8 mov [ebp-28], edx 0040116D . 41 inc ecx 0040116E .^ EB D5 jmp short 00401145 00401170 > 8BC8 mov ecx, eax 00401172 . 2BCA sub ecx, edx--------------------------- ecx=ecx-edx 00401174 . 99 cdq 00401175 . F7F9 idiv ecx-------------------------------- eax=eax/ecx ;HOW ABOUT ECX=0 ! when i began to crack this, i tried so many times, at the end i found that whatever i input, the result is same. i failed. and then i realized the importance of the word EXCEPTION! i tried to find an exception,so easy one: DividedByZero and now the question is how to find a sn whose result after calculting is equal to the result of username then i take a try to make a keygen like following but i know it is not the unique one. the keygen is not so good, shame on myself... --------------------------------------lined by aneasystone------------------------------------ //keygen.cpp #include <stdio.h> #include <stdlib.h> int main() { char username[20] = {0}; char sn[7] = {0}; printf("plz input your name (must length of 6):"); gets(username); long resultofname = 0; for(int i = 0; i < 6; i++) resultofname = (resultofname + username[i]) ^ 0xC; resultofname ^= 0xC; long s = resultofname; for(i = 0; i < 6; i++) { if(s > 0x100) { s -= 'z'; sn[5-i] = 'z'; s ^= 0x1a; } else { if(i == 5) sn[5-i] = s; else { s -= 'A'; sn[5-i] = 'A'; s ^= 0x1a; } } } printf("the sn is not unique.\nthe sn for you is: %s\n",sn); return 0; } 2008-4-11 18:31 0
kanghtta 雪币： 420 活跃值： (77) 能力值： ( LV13，RANK：500 ) 在线值：发帖 54 回帖 225 粉丝 3 关注私信	kanghtta 12 3 楼嘿嘿.. 我下到电脑了!抽时间玩！支持你下; 2008-4-11 18:46 0
puzzle 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 6 粉丝 0 关注私信	puzzle 4 楼不错，支持一下，顺便出来冒个泡～～ 2008-4-15 20:14 0
红尘岁月雪币： 517 活跃值： (64) 能力值： ( LV8，RANK：130 ) 在线值：发帖 23 回帖 476 粉丝 2 关注私信	红尘岁月 2 5 楼我来注释 name:ccbszh sn:654321 004010E8 .>PUSH EDI ; /Count => FF (255.) 004010E9 .>LEA EAX, DWORD PTR SS:[EBP-128] ; \| 004010EF .>PUSH EAX ; \|Buffer 004010F0 .>PUSH 3ED ; \|ControlID = 3ED (1005.) 004010F5 .>PUSH DWORD PTR SS:[EBP+8] ; \|hWnd 004010F8 .>MOV ESI, DWORD PTR DS:[4050D0] ; \|USER32.GetDlgItemTextA 004010FE .>CALL ESI ; \GetDlgItemTextA 00401100 .>PUSH EDI ; /Count => FF (255.) 00401101 .>LEA EAX, DWORD PTR SS:[EBP-228] ; \| 00401107 .>PUSH EAX ; \|Buffer 00401108 .>PUSH 3EE ; \|ControlID = 3EE (1006.) 0040110D .>PUSH DWORD PTR SS:[EBP+8] ; \|hWnd 00401110 .>CALL ESI ; \GetDlgItemTextA 00401112 .>LEA EAX, DWORD PTR SS:[EBP-128] ; EAX=0x12FA60;//EAX=EBP-128 (字符串"ccbszh") 00401118 .>PUSH EAX ; 0x12FA60进栈;//EAX ("ccbszh") 00401119 .>CALL 00401240 ; 00401240 0040111E .>POP ECX ; ECX=0x12FA60; //出栈到ECX ("ccbszh") 0040111F .>CMP EAX, 6 ; ZF=1;//EAX=0x6 00401122 .>JNZ 004011AA ; 不跳 //ZF=1;当比较结果是不等于时,才跳 00401128 .>LEA EAX, DWORD PTR SS:[EBP-228] ; EAX=0x12F960;//EAX=EBP-228 (字符串"654321") 0040112E .>PUSH EAX ; 0x12F960进栈;//EAX ("654321") 0040112F .>CALL 00401240 ; 00401240 00401134 .>POP ECX ; ECX=0x12F960; //出栈到ECX ("654321") 00401135 .>CMP EAX, 6 ; ZF=1;//EAX=0x6 00401138 .>JNZ SHORT 004011AA ; 不跳 //ZF=1;当比较结果是不等于时,才跳 0040113A .>PUSH 0C ; 0xC进栈 (字符串"654321") 0040113C .>POP EAX ; EAX=0xC; //出栈到EAX 0040113D .>PUSH 1A ; 0x1A进栈 0040113F .>POP EDX ; EDX=0x1A; //出栈到EDX 00401140 .>MOV DWORD PTR SS:[EBP-4], EBX ; SS段[12FB84]=0x0; 00401143 .>XOR ECX, ECX ; ECX=0,CF=0;//自身xor运算结果为0,CF=0 00401145 >>MOV DWORD PTR SS:[EBP-20], ECX ; SS段[12FB68]=0x0; 00401148 .>CMP ECX, 6 ; ZF=0;//ECX=0x0 0040114B .>JGE SHORT 00401170 ; 不跳 //ZF=0;当比较结果是大于或等于时,才跳 0040114D .>MOVSX ESI, BYTE PTR SS:[EBP+ECX-128] ; ESI=0x63; ('c')//SS段[12FA60]; ("ccbszh") 00401155 .>XOR EAX, 0C ; EAX=0x0;//EAX=0xC^0xC 00401158 .>ADD EAX, ESI ; EAX=0x63;//EAX=EAX+ESI; 0040115A .>MOV DWORD PTR SS:[EBP-24], EAX ; SS段[12FB64]=0x63; 0040115D .>MOVSX ESI, BYTE PTR SS:[EBP+ECX-228] ; ESI=0x36; ('6')//SS段[12F960]; ("654321") 00401165 .>XOR EDX, 1A ; EDX=0x0;//EDX=0x1A^0x1A 00401168 .>ADD EDX, ESI ; EDX=0x36;//EDX=EDX+ESI; 0040116A .>MOV DWORD PTR SS:[EBP-28], EDX ; SS段[12FB60]=0x36; 0040116D .>INC ECX ; ECX=(0x0)++ 0040116E .>JMP SHORT 00401145 ; 跳转到00401145 00401170 >>MOV ECX, EAX ; ECX=0x289;//ECX=EAX 00401172 .>SUB ECX, EDX ; ECX=0x11A;//ECX=0x289-0x16F; 00401174 .>CDQ ; 将EAX中的最高位符号扩展到EDX中 00401175 .>IDIV ECX ; EAX=0x2;EDX=0x55; //除法运算,商在EAX中,余数在EDX中 00401177 .>MOV DWORD PTR SS:[EBP-24], EAX ; SS段[12FB64]=0x2; 0040117A .>ADD DWORD PTR SS:[EBP-1C], 1F ; SS段[12FB6C]=1f; //SS段[12FB6C]=0x0+0x1F 0040117E .>JMP SHORT 0040119B ; 跳转到0040119B 00401180 .>MOV EAX, DWORD PTR SS:[EBP-14] 00401183 .>MOV EAX, DWORD PTR DS:[EAX] 00401185 .>MOV EAX, DWORD PTR DS:[EAX] 00401187 .>XOR ECX, ECX 00401189 .>CMP EAX, C0000094 0040118E .>SETE CL 00401191 .>MOV EAX, ECX 00401193 .>RETN 00401194 .>MOV ESP, DWORD PTR SS:[EBP-18] 00401197 .>ADD DWORD PTR SS:[EBP-1C], 4E 0040119B >>OR DWORD PTR SS:[EBP-4], FFFFFFFF ; SS段[12FB84]=0xffffffff; //SS段[12FB84]=0xffffffff\|0x0 0040119F .>PUSH DWORD PTR SS:[EBP-1C] ; 0x1F进栈;//SS段[12FB6C] ("") 004011A2 .>CALL 00401000 ; 00401000 //CALL 00401000 00401000 /$>PUSH ESI ; 0x31进栈;//ESI ("") 00401001 \|.>MOV ESI, DWORD PTR SS:[ESP+8] ; ESI=0x1F;//SS段[12F910]; 00401005 \|.>SUB ESI, 15 ; ESI=0xA;//ESI=0x1F-0x15; 00401008 \|.>TEST ESI, ESI ; ZF=0;//ESI=0xA;ESI自身TEST运算时,ESI为0则ZF=1;否则ZF=0 0040100A \|.>PUSH EDI ; 0xFF进栈;//EDI 0040100B \|.>JLE SHORT 00401019 ; 不跳 //ZF=0;当比较结果是小于或等于时,才跳 0040100D \|.>SUB ESI, 5A ; ESI=0xFFFFFFB0;//ESI=0xA-0x5A; 00401010 \|.>TEST ESI, ESI ; ZF=0;//ESI=0xFFFFFFB0;ESI自身TEST运算时,ESI为0则ZF=1;否则ZF=0 00401012 \|.>JLE SHORT 00401019 ; 跳到00401019 //ZF=1,SF!=OF 00401014 \|.>SHL ESI, 3 00401017 \|.>TEST ESI, ESI 00401019 \|>>JGE SHORT 0040101E ; 不跳 //ZF=0;当比较结果是大于或等于时,才跳 0040101B \|.>ADD ESI, 3B ; ESI=0xffffffeb;//ESI=ESI+3B; 0040101E \|>>CMP ESI, -15 ; ZF=1;ESI=0xffffffeb与-0x15(0xFFFFFFEB)比较 00401021 \|.>MOV EDI, DWORD PTR DS:[4050E4] ; EDI=0x77DF3D81;//DS段[4050E4]; 00401027 \|.>JNZ SHORT 00401039 ; 不跳 //ZF=1;当比较结果是不等于时,才跳 00401029 \|.>PUSH 0 ; /Style = MB_OK\|MB_APPLMODAL 0040102B \|.>PUSH 405110 ; \|Title = "Naaaah" 00401030 \|.>PUSH 405104 ; \|Text = "Sorry dear" 00401035 \|.>PUSH 0 ; \|hOwner = NULL 00401037 \|.>CALL EDI ; \MessageBoxA 2008-4-16 11:39 0
wuditom 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	wuditom 6 楼 00401170 >>MOV ECX, EAX ; ECX=0x289;//ECX=EAX 00401172 .>SUB ECX, EDX ; ECX=0x11A;//ECX=0x289-0x16F; 00401174 .>CDQ ; 将EAX中的最高位符号扩展到EDX中 00401175 .>IDIV ECX EDX的值要等于EAX的值,否则不幸 2008-4-17 13:53 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

easystone

雪币： 27

活跃值： (12)

能力值：

( LV4，RANK：50 )

在线值：

发帖

7

回帖

35

粉丝

0

关注

私信

easystone 1: 2 楼

看来没多少人玩哦

我把自己写的分析和keygen写出来参考参考吧...
因为是写到crackmes.de 所以是英文的

-------------------------------lined by aneasystone-----------------------------------------

use the exception of DividedByZero.
at first, the username and sn is requested to be length of 6.
second, we need to know the steps of calculation;
and the process is like following:
(for example: username = "easyst")
and the result = (((('e'^0xc+'a')^0xc+'s')^0xc+'y')^0xc+'s')^0xc+'t' = 0x028d
(for example: sn = "123456")
and then the result of sn is : (((('1'^0x1a+'2')^0x1a+'3')^0x1a+'4')^0x1a+'5')^0x1a+'6' = 0x????

plz look at here:
00401148   .  83F9 06       cmp     ecx, 6
0040114B   .  7D 23         jge     short 00401170
0040114D   .  0FBEB40D D8FE>movsx   esi, byte ptr [ebp+ecx-128]-------- username
00401155   .  83F0 0C       xor     eax, 0C
00401158   .  03C6          add     eax, esi
0040115A   .  8945 DC       mov     [ebp-24], eax
0040115D   .  0FBEB40D D8FD>movsx   esi, byte ptr [ebp+ecx-228]-------- sn
00401165   .  83F2 1A       xor     edx, 1A
00401168   .  03D6          add     edx, esi
0040116A   .  8955 D8       mov     [ebp-28], edx
0040116D   .  41            inc     ecx
0040116E   .^ EB D5         jmp     short 00401145
00401170   >  8BC8          mov     ecx, eax
00401172   .  2BCA          sub     ecx, edx--------------------------- ecx=ecx-edx 
00401174   .  99            cdq
00401175   .  F7F9          idiv    ecx-------------------------------- eax=eax/ecx ;HOW ABOUT ECX=0 !

when i began to crack this, i tried so many times, 
at the end i found that whatever i input, the result is same. i failed.
and then i realized the importance of the word
EXCEPTION!
i tried to find an exception,so easy one: DividedByZero

and now the question is how to find a sn
whose result after calculting is equal to the result of username
then i take a try to make a keygen like following
but i know it is not the unique one.
the keygen is not so good, shame on myself...

--------------------------------------lined by aneasystone------------------------------------

//keygen.cpp

#include <stdio.h>
#include <stdlib.h>

int main()
{
	char username[20] = {0};
	char sn[7] = {0};

	printf("plz input your name (must length of 6):");
	gets(username);

	long resultofname = 0;
	for(int i = 0; i < 6; i++)
		resultofname = (resultofname + username[i]) ^ 0xC;

	resultofname ^= 0xC;
	
	long s = resultofname;
	for(i = 0; i < 6; i++)
	{
		if(s > 0x100)
		{
			s -= 'z';
			sn[5-i] = 'z';
			s ^= 0x1a;
		}
		else
		{
			if(i == 5)
				sn[5-i] = s;
			else
			{
				s -= 'A';
				sn[5-i] = 'A';
				s ^= 0x1a;
			}
		}
	}

	printf("the sn is not unique.\nthe sn for you is: %s\n",sn);
	return 0;
}

2008-4-11 18:31

0

kanghtta

雪币： 420

活跃值： (77)

能力值：

( LV13，RANK：500 )

在线值：

发帖

54

回帖

225

粉丝

3

关注

私信

kanghtta 12: 3 楼

嘿嘿..
我下到电脑了!抽时间玩！

支持你下;

2008-4-11 18:46

0

puzzle

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

6

粉丝

0

关注

私信

puzzle: 4 楼

不错，支持一下，顺便出来冒个泡～～

2008-4-15 20:14

0

红尘岁月

雪币： 517

活跃值： (64)

能力值：

( LV8，RANK：130 )

在线值：

发帖

23

回帖

476

粉丝

2

关注

私信

红尘岁月 2: 5 楼

我来注释
name:ccbszh
sn:654321

004010E8 .>PUSH EDI                               ; /Count => FF (255.)
004010E9 .>LEA EAX, DWORD PTR SS:[EBP-128]       ; |
004010EF .>PUSH EAX                               ; |Buffer
004010F0 .>PUSH 3ED                               ; |ControlID = 3ED (1005.)
004010F5 .>PUSH DWORD PTR SS:[EBP+8]             ; |hWnd
004010F8 .>MOV ESI, DWORD PTR DS:[4050D0]          ; |USER32.GetDlgItemTextA
004010FE .>CALL ESI                               ; \GetDlgItemTextA
00401100 .>PUSH EDI                               ; /Count => FF (255.)
00401101 .>LEA EAX, DWORD PTR SS:[EBP-228]       ; |
00401107 .>PUSH EAX                               ; |Buffer
00401108 .>PUSH 3EE                               ; |ControlID = 3EE (1006.)
0040110D .>PUSH DWORD PTR SS:[EBP+8]             ; |hWnd
00401110 .>CALL ESI                               ; \GetDlgItemTextA
00401112 .>LEA EAX, DWORD PTR SS:[EBP-128]       ;  EAX=0x12FA60;//EAX=EBP-128 (字符串"ccbszh")
00401118 .>PUSH EAX                               ;  0x12FA60进栈;//EAX ("ccbszh")
00401119 .>CALL 00401240                         ;  00401240
0040111E .>POP ECX                               ;  ECX=0x12FA60;  //出栈到ECX ("ccbszh")
0040111F .>CMP EAX, 6                            ;  ZF=1;//EAX=0x6
00401122 .>JNZ 004011AA                            ;  不跳 //ZF=1;当比较结果是不等于时,才跳
00401128 .>LEA EAX, DWORD PTR SS:[EBP-228]       ;  EAX=0x12F960;//EAX=EBP-228 (字符串"654321")
0040112E .>PUSH EAX                               ;  0x12F960进栈;//EAX ("654321")
0040112F .>CALL 00401240                         ;  00401240
00401134 .>POP ECX                               ;  ECX=0x12F960;  //出栈到ECX ("654321")
00401135 .>CMP EAX, 6                            ;  ZF=1;//EAX=0x6
00401138 .>JNZ SHORT 004011AA                      ;  不跳 //ZF=1;当比较结果是不等于时,才跳
0040113A .>PUSH 0C                               ;  0xC进栈 (字符串"654321")
0040113C .>POP EAX                               ;  EAX=0xC;  //出栈到EAX
0040113D .>PUSH 1A                               ;  0x1A进栈
0040113F .>POP EDX                               ;  EDX=0x1A;  //出栈到EDX
00401140 .>MOV DWORD PTR SS:[EBP-4], EBX          ;  SS段[12FB84]=0x0;
00401143 .>XOR ECX, ECX                            ;  ECX=0,CF=0;//自身xor运算结果为0,CF=0
00401145 >>MOV DWORD PTR SS:[EBP-20], ECX          ;  SS段[12FB68]=0x0;
00401148 .>CMP ECX, 6                            ;  ZF=0;//ECX=0x0
0040114B .>JGE SHORT 00401170                      ;  不跳 //ZF=0;当比较结果是大于或等于时,才跳
0040114D .>MOVSX ESI, BYTE PTR SS:[EBP+ECX-128]    ;  ESI=0x63; ('c')//SS段[12FA60]; ("ccbszh")
00401155 .>XOR EAX, 0C                            ;  EAX=0x0;//EAX=0xC^0xC
00401158 .>ADD EAX, ESI                            ;  EAX=0x63;//EAX=EAX+ESI;
0040115A .>MOV DWORD PTR SS:[EBP-24], EAX          ;  SS段[12FB64]=0x63;
0040115D .>MOVSX ESI, BYTE PTR SS:[EBP+ECX-228]    ;  ESI=0x36; ('6')//SS段[12F960]; ("654321")
00401165 .>XOR EDX, 1A                            ;  EDX=0x0;//EDX=0x1A^0x1A
00401168 .>ADD EDX, ESI                            ;  EDX=0x36;//EDX=EDX+ESI;
0040116A .>MOV DWORD PTR SS:[EBP-28], EDX          ;  SS段[12FB60]=0x36;
0040116D .>INC ECX                               ;  ECX=(0x0)++
0040116E .>JMP SHORT 00401145                      ;  跳转到00401145
00401170 >>MOV ECX, EAX                            ;  ECX=0x289;//ECX=EAX
00401172 .>SUB ECX, EDX                            ;  ECX=0x11A;//ECX=0x289-0x16F;
00401174 .>CDQ                                     ;  将EAX中的最高位符号扩展到EDX中
00401175 .>IDIV ECX                               ;  EAX=0x2;EDX=0x55; //除法运算,商在EAX中,余数在EDX中
00401177 .>MOV DWORD PTR SS:[EBP-24], EAX          ;  SS段[12FB64]=0x2;
0040117A .>ADD DWORD PTR SS:[EBP-1C], 1F          ;  SS段[12FB6C]=1f; //SS段[12FB6C]=0x0+0x1F
0040117E .>JMP SHORT 0040119B                      ;  跳转到0040119B
00401180 .>MOV EAX, DWORD PTR SS:[EBP-14]
00401183 .>MOV EAX, DWORD PTR DS:[EAX]
00401185 .>MOV EAX, DWORD PTR DS:[EAX]
00401187 .>XOR ECX, ECX
00401189 .>CMP EAX, C0000094
0040118E .>SETE CL
00401191 .>MOV EAX, ECX
00401193 .>RETN
00401194 .>MOV ESP, DWORD PTR SS:[EBP-18]
00401197 .>ADD DWORD PTR SS:[EBP-1C], 4E
0040119B >>OR DWORD PTR SS:[EBP-4], FFFFFFFF       ;  SS段[12FB84]=0xffffffff; //SS段[12FB84]=0xffffffff|0x0
0040119F .>PUSH DWORD PTR SS:[EBP-1C]             ;  0x1F进栈;//SS段[12FB6C] ("")
004011A2 .>CALL 00401000                         ;  00401000

//CALL 00401000
00401000  /$>PUSH ESI                               ;  0x31进栈;//ESI ("")
00401001  |.>MOV ESI, DWORD PTR SS:[ESP+8]          ;  ESI=0x1F;//SS段[12F910];
00401005  |.>SUB ESI, 15                            ;  ESI=0xA;//ESI=0x1F-0x15;
00401008  |.>TEST ESI, ESI                         ;  ZF=0;//ESI=0xA;ESI自身TEST运算时,ESI为0则ZF=1;否则ZF=0
0040100A  |.>PUSH EDI                               ;  0xFF进栈;//EDI
0040100B  |.>JLE SHORT 00401019                      ;  不跳 //ZF=0;当比较结果是小于或等于时,才跳
0040100D  |.>SUB ESI, 5A                            ;  ESI=0xFFFFFFB0;//ESI=0xA-0x5A;
00401010  |.>TEST ESI, ESI                         ;  ZF=0;//ESI=0xFFFFFFB0;ESI自身TEST运算时,ESI为0则ZF=1;否则ZF=0
00401012  |.>JLE SHORT 00401019                      ;  跳到00401019  //ZF=1,SF!=OF
00401014  |.>SHL ESI, 3
00401017  |.>TEST ESI, ESI
00401019  |>>JGE SHORT 0040101E                      ;  不跳 //ZF=0;当比较结果是大于或等于时,才跳
0040101B  |.>ADD ESI, 3B                            ;  ESI=0xffffffeb;//ESI=ESI+3B;
0040101E  |>>CMP ESI, -15                            ;  ZF=1;ESI=0xffffffeb与-0x15(0xFFFFFFEB)比较
00401021  |.>MOV EDI, DWORD PTR DS:[4050E4]          ;  EDI=0x77DF3D81;//DS段[4050E4];
00401027  |.>JNZ SHORT 00401039                      ;  不跳 //ZF=1;当比较结果是不等于时,才跳
00401029  |.>PUSH 0                                  ; /Style = MB_OK|MB_APPLMODAL
0040102B  |.>PUSH 405110                            ; |Title = "Naaaah"
00401030  |.>PUSH 405104                            ; |Text = "Sorry dear"
00401035  |.>PUSH 0                                  ; |hOwner = NULL
00401037  |.>CALL EDI                               ; \MessageBoxA

2008-4-16 11:39

0

wuditom

雪币： 200

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

0

回帖

1

粉丝

0

关注

私信

wuditom: 6 楼

00401170 >>MOV ECX, EAX                            ;  ECX=0x289;//ECX=EAX
00401172 .>SUB ECX, EDX                            ;  ECX=0x11A;//ECX=0x289-0x16F;
00401174 .>CDQ                                     ;  将EAX中的最高位符号扩展到EDX中
00401175 .>IDIV ECX

EDX的值要等于EAX的值,否则不幸

2008-4-17 13:53

0