; ----------------------------------------------------------------------------
; Serial check routine (OllyDbg listing, x86-32, Win32 flat model).
; C-equivalent shape: void __stdcall check(const char *name, const char *pass)
;   RETN 8 pops both DWORD arguments, i.e. callee-cleaned (stdcall) stack.
; In:     [EBP+8] = name (arg 1), [EBP+C] = pass (arg 2); both must have
;         lstrlenA == 6 or the routine exits without doing anything.
; Out:    no explicit return value; EAX holds whatever the last call or the
;         SUB left in it. Success is signalled only by the MessageBoxA call.
; Locals: [EBP-8..EBP-5] = 4 folded name bytes, [EBP-4..EBP-1] = 4 folded pass bytes.
; Clobbers: EAX, EBX (via BL), ECX, ESI, EDI, flags. EBX/ESI/EDI are
;         callee-saved under the Win32 conventions and are never pushed/popped
;         here -- only safe if the caller keeps nothing live in them.
; Algorithm (as visible below): each string is folded to 4 bytes by XORing
;         adjacent pairs (s[0]^s[1], s[2]^s[3], s[4]^s[5], s[6]^s[7]); the
;         first 3 folded name bytes are XORed with the first 3 folded pass
;         bytes; the resulting little-endian DWORD at [EBP-8] is compared
;         against 0x001C150E. Only 3 pairwise XORs of each input are
;         constrained, so the check is a low-entropy, many-to-one comparison.
; Robustness: each fold loop iterates 4 times over a 6-byte string, so it
;         reads offset 6 (the NUL terminator) and offset 7 (one byte past the
;         terminator). Because [EBP-5] is never mixed with the password and
;         the top byte of 0x001C150E is 0x00, the outcome also depends on the
;         byte that happens to follow the name's terminator in memory.
; ----------------------------------------------------------------------------
0040106A |$ 55 PUSH EBP ; standard frame: save caller's EBP
0040106B |. 8BEC MOV EBP,ESP
0040106D |. 83C4 F8 ADD ESP,-8 ; reserve 8 bytes of locals: [EBP-8..EBP-1]
00401070 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /String = name (arg 1)
00401073 |. E8 94010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401078 |. 8BC8 MOV ECX,EAX ; ECX = lstrlenA(name)
0040107A |. 83F9 06 CMP ECX,6
0040107D |. 75 7E JNZ SHORT Butland'.004010FD ; name must be exactly 6 chars, else leave/ret
0040107F |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; /String = pass (arg 2)
00401082 |. E8 85010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401087 |. 8BC8 MOV ECX,EAX ; ECX = lstrlenA(pass)
00401089 |. 83F9 06 CMP ECX,6
0040108C |. 75 6F JNZ SHORT Butland'.004010FD ; pass must be exactly 6 chars, else leave/ret
0040108E |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; ESI -> name (arg 1)
00401091 |. B9 04000000 MOV ECX,4 ; 4 pair-fold iterations (LOOPD counter)
00401096 |. 33FF XOR EDI,EDI ; EDI = output index into [EBP-8..EBP-5]
00401098 |> 8A06 /MOV AL,BYTE PTR DS:[ESI] ; AL = name[2*i]
0040109A |. 8A5E 01 |MOV BL,BYTE PTR DS:[ESI+1] ; BL = name[2*i+1]
0040109D |. 32C3 |XOR AL,BL ; fold the pair: AL = name[2*i] ^ name[2*i+1]
0040109F |. 3E:88443D F8 |MOV BYTE PTR DS:[EBP+EDI-8],AL ; store folded byte at [EBP-8+i] (3E: = explicit DS override, no effect in the flat model)
004010A4 |. 83C6 02 |ADD ESI,2 ; advance to the next pair
004010A7 |. 47 |INC EDI ; next output slot
004010A8 |.^ E2 EE \LOOPD SHORT Butland'.00401098 ; ECX--; repeat while ECX != 0 (i = 0..3 -> reads name[0..7], 2 bytes beyond the 6-char content)
004010AA |. 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; ESI -> pass (arg 2)
004010AD |. B9 04000000 MOV ECX,4 ; 4 pair-fold iterations
004010B2 |. 33FF XOR EDI,EDI ; EDI = output index into [EBP-4..EBP-1]
004010B4 |> 8A06 /MOV AL,BYTE PTR DS:[ESI] ; AL = pass[2*i]
004010B6 |. 8A5E 01 |MOV BL,BYTE PTR DS:[ESI+1] ; BL = pass[2*i+1]
004010B9 |. 32C3 |XOR AL,BL ; AL = pass[2*i] ^ pass[2*i+1]
004010BB |. 3E:88443D FC |MOV BYTE PTR DS:[EBP+EDI-4],AL ; store folded byte at [EBP-4+i]
004010C0 |. 83C6 02 |ADD ESI,2
004010C3 |. 47 |INC EDI
004010C4 |.^ E2 EE \LOOPD SHORT Butland'.004010B4 ; same over-read as above: pass[0..7] for a 6-char string
004010C6 |. B9 03000000 MOV ECX,3 ; mix only 3 of the 4 folded bytes
004010CB |. 33FF XOR EDI,EDI ; i = 0
004010CD |> 36:8A442F F8 /MOV AL,BYTE PTR SS:[EDI+EBP-8] ; AL = folded name byte i (36: = explicit SS override)
004010D2 |. 36:8A5C2F FC |MOV BL,BYTE PTR SS:[EDI+EBP-4] ; BL = folded pass byte i
004010D7 |. 32C3 |XOR AL,BL ; AL ^= BL
004010D9 |. 88442F F8 |MOV BYTE PTR DS:[EDI+EBP-8],AL ; write back to [EBP-8+i]; [EBP-5] is left as the pure name fold
004010DD |. 47 |INC EDI
004010DE |.^ E2 ED \LOOPD SHORT Butland'.004010CD ; i = 0..2
004010E0 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = the 4 mixed bytes as a little-endian DWORD
004010E3 |. 2D 0E151C00 SUB EAX,1C150E ; 0x001C150E is the expected folded value; ZF set iff equal
004010E8 75 13 JNZ SHORT Butland'.004010FD ; mismatch -> exit silently, no return value set
004010EA |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004010EC |. 68 15304000 PUSH Butland'.00403015 ; |Title = "祝贺你!" (same string used for Title and Text)
004010F1 |. 68 15304000 PUSH Butland'.00403015 ; |Text = "祝贺你!"
004010F6 |. 6A 00 PUSH 0 ; |hOwner = NULL
004010F8 |. E8 27010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA -- the only success signal
004010FD |> C9 LEAVE ; MOV ESP,EBP / POP EBP (shared exit for all paths)
004010FE \. C2 0800 RETN 8 ; stdcall: pop the two DWORD arguments
这个CrackMe的流程倒是挺简单的,但是我不知道怎么能算出正确的密码。把输入的用户名进行XOR后,再跟1C150E进行XOR能得到密码XOR后的值,那么怎么能得到正确的密码?