该程序能生成一种工业上使用的文件，文件中某处存放了 16 个字节（以 16 进制显示）。从下面的反汇编看，这 16 个字节并不是可逆"加密"后的密码，而是密码经 CMessageDigest 计算得到的摘要（哈希值）。我已经试验过直接改写这 16 个字节，可以把密码换成我想要的。
下面是OD分析输入密码的过程
几经转折，程序到了这里。根据我的分析（此时我输入的是正确的密码），密码处理从这里开始：
; --- Caller excerpt: Instsup1 password check (OllyDbg dump) --------------------
; The enclosing function starts before 00A26372 and continues past 00A26421; only
; this window is shown. What the visible lines establish:
;   1. CMessageDigest::CreateFromString(this=&[ebp-AC], str=[ebp-14])
;   2. a 0x20-byte copy of that CMessageDigest is built on the stack (by-value arg)
;   3. CMessageDigest::operator== is called with this = [ebp-80]+0C (the stored digest)
;   4. je on a zero result -> mismatch path; fall-through -> accepted
; Object layout seen in the copy: +00..+0C 16-byte digest, +10/+14/+18 three dwords
; (meaning not visible here), +1C a CString (copy-constructed via MFC42 #535).
; Security note: the decision is one local compare against a digest that is itself
; stored in the data file, so it can be defeated either by patching the je below
; or by overwriting the 16 stored bytes with the digest of a chosen password.
00A26372 |> \8B45 EC |mov eax, dword ptr [ebp-14] ; arg: string pointer (the entered password, per the author's analysis)
00A26375 |. 50 |push eax ; single stack arg (callee does retn 4)
00A26376 |. 8D8D 54FFFFFF |lea ecx, dword ptr [ebp-AC] ; this = &local CMessageDigest (receives the computed digest)
00A2637C |. E8 9D3F3000 |call ppvObj ; jmp to Instsup1.CMessageDigest::CreateFromString (listing below)
00A26381 |. 83EC 20 |sub esp, 20 ; reserve 0x20 bytes: stack temporary holding a copy of the object (looks like a by-value argument for operator==)
00A26384 |. 8BCC |mov ecx, esp ; ecx = &temp
00A26386 |. 89A5 68FEFFFF |mov dword ptr [ebp-198], esp
00A2638C |. 898D 10FEFFFF |mov dword ptr [ebp-1F0], ecx ; [ebp-1F0] = &temp (reloaded repeatedly below)
00A26392 |. 8B95 10FEFFFF |mov edx, dword ptr [ebp-1F0]
00A26398 |. 8B85 54FFFFFF |mov eax, dword ptr [ebp-AC] ; --- copy digest dwords +00..+0C (16 bytes) ---
00A2639E |. 8902 |mov dword ptr [edx], eax
00A263A0 |. 8B8D 58FFFFFF |mov ecx, dword ptr [ebp-A8]
00A263A6 |. 894A 04 |mov dword ptr [edx+4], ecx
00A263A9 |. 8B85 5CFFFFFF |mov eax, dword ptr [ebp-A4]
00A263AF |. 8942 08 |mov dword ptr [edx+8], eax
00A263B2 |. 8B8D 60FFFFFF |mov ecx, dword ptr [ebp-A0]
00A263B8 |. 894A 0C |mov dword ptr [edx+C], ecx
00A263BB |. 8B95 10FEFFFF |mov edx, dword ptr [ebp-1F0]
00A263C1 |. 8B85 64FFFFFF |mov eax, dword ptr [ebp-9C] ; --- copy the three dwords at +10, +14, +18 ---
00A263C7 |. 8942 10 |mov dword ptr [edx+10], eax
00A263CA |. 8B8D 10FEFFFF |mov ecx, dword ptr [ebp-1F0]
00A263D0 |. 8B95 68FFFFFF |mov edx, dword ptr [ebp-98]
00A263D6 |. 8951 14 |mov dword ptr [ecx+14], edx
00A263D9 |. 8B85 10FEFFFF |mov eax, dword ptr [ebp-1F0]
00A263DF |. 8B8D 6CFFFFFF |mov ecx, dword ptr [ebp-94]
00A263E5 |. 8948 18 |mov dword ptr [eax+18], ecx
00A263E8 |. 8D95 70FFFFFF |lea edx, dword ptr [ebp-90] ; --- +1C: CString member, constructed from the source object's +1C ---
00A263EE |. 52 |push edx ; arg: &source CString
00A263EF |. 8B8D 10FEFFFF |mov ecx, dword ptr [ebp-1F0]
00A263F5 |. 83C1 1C |add ecx, 1C ; this = &temp.+1C
00A263F8 |. E8 E5583000 |call s ; jmp to MFC42.#535_CString::CString (copy constructor, presumably)
00A263FD |. 8B85 10FEFFFF |mov eax, dword ptr [ebp-1F0]
00A26403 |. 8985 E8FDFFFF |mov dword ptr [ebp-218], eax
00A26409 |. 8B4D 80 |mov ecx, dword ptr [ebp-80] ; [ebp-80] = object holding the stored digest
00A2640C |. 83C1 0C |add ecx, 0C ; this = stored CMessageDigest at +0C (where the file's 16 bytes end up, per the author's test)
00A2640F |. E8 163F3000 |call 00D2A32A ; jmp to Instsup1.CMessageDigest::operator== -- author stepped in: compares the two 16-byte digests; eax = result (the temp on the stack is the other operand)
00A26414 |. 8985 E4FDFFFF |mov dword ptr [ebp-21C], eax
00A2641A |. 83BD E4FDFFFF>|cmp dword ptr [ebp-21C], 0 ; result == 0 means the digests differ
00A26421 74 09 je short 00A2642Cv ; taken on mismatch (reject); fall-through = password accepted. Author's patch point: flipping/NOPing this je makes every password succeed
ppvObj（即 Instsup1.CMessageDigest::CreateFromString，入口 012B1890）：
; --- Instsup1.CMessageDigest::CreateFromString(const char *s) -------------------
; Convention: this in ecx, one stack arg, callee cleanup (retn 4).
; In : ecx = this, [esp+4] = s (must be NUL-terminated: length comes from repne scasb)
; Out: this+10 and this+18 are cleared; this+0.. presumably receives the 16-byte digest
;      written by 012BB850 (this is passed as its first argument) -- confirm in 012BB850.
; Locals: 0x58 (88) bytes = the hash context handed to 012BB760 / 012BB790 / 012BB850.
;      88 bytes is exactly RFC 1321's MD5_CTX (state[4]=16 + count[2]=8 + buffer[64]),
;      consistent with the initialisation at 012BB760 below; verify against 012BB790.
; Clobbers: eax, ecx, edx, flags, direction-flag-dependent scan; esi/edi preserved.
; Security note: only s and strlen(s) are fed to the update call -- nothing else is
; mixed in here -- so unless 012BB790 adds its own salt the digest is an unsalted
; hash of the password, which is exposed to offline dictionary/precomputation attacks.
012B1890 > 83EC 58 sub esp, 58 ; ctx = 88-byte local at [esp]
012B1893 8D4424 00 lea eax, dword ptr [esp] ; eax = &ctx
012B1897 56 push esi ; save callee-saved esi
012B1898 57 push edi ; save callee-saved edi
012B1899 8BF1 mov esi, ecx ; esi = this
012B189B 50 push eax ; arg: &ctx
012B189C E8 BF9E0000 call 012BB760 ; init(&ctx) -- cdecl (plain ret): the pushed arg stays on the stack until add esp,18
012B18A1 8B5424 68 mov edx, dword ptr [esp+68] ; edx = s  ([esp+68] == entry [esp+4] after 0x58 locals + 3 pushes)
012B18A5 83C9 FF or ecx, FFFFFFFF ; --- inline strlen(s): ecx = -1 ---
012B18A8 8BFA mov edi, edx ; edi = s
012B18AA 33C0 xor eax, eax ; al = 0 (byte to scan for)
012B18AC F2:AE repne scas byte ptr es:[edi] ; scan until NUL, decrementing ecx per byte
012B18AE F7D1 not ecx ; ecx = bytes scanned including the NUL
012B18B0 49 dec ecx ; ecx = strlen(s)
012B18B1 51 push ecx ; arg3: len
012B18B2 8D4C24 10 lea ecx, dword ptr [esp+10] ; ecx = &ctx (offset is +10 because len was just pushed)
012B18B6 52 push edx ; arg2: s
012B18B7 51 push ecx ; arg1: &ctx
012B18B8 E8 D39E0000 call 012BB790 ; update(&ctx, s, len) -- cdecl, args left on stack
012B18BD 8D5424 18 lea edx, dword ptr [esp+18] ; edx = &ctx again (three more dwords pushed since)
012B18C1 52 push edx ; arg2: &ctx
012B18C2 56 push esi ; arg1: this
012B18C3 E8 889F0000 call 012BB850 ; 012BB850(this, &ctx) -- presumably finalize: emit the digest into this
012B18C8 83C4 18 add esp, 18 ; discard the six dwords pushed for the three cdecl calls
012B18CB 33C0 xor eax, eax
012B18CD 8946 10 mov dword ptr [esi+10], eax ; this+10 = 0 (field also copied by the caller; meaning not visible here)
012B18D0 8946 18 mov dword ptr [esi+18], eax ; this+18 = 0
012B18D3 5F pop edi
012B18D4 5E pop esi
012B18D5 83C4 58 add esp, 58 ; release ctx
012B18D8 C2 0400 retn 4 ; pop the one stack argument (s)
; --- 012BB760: hash-context initialisation ---------------------------------------
; Convention: cdecl (plain ret), one arg: [esp+4] = ctx. No registers preserved; clobbers eax, ecx.
; Writes ctx+10 = ctx+14 = 0 and loads ctx+0..+C with
;   A = 0x67452301, B = 0xEFCDAB89, C = 0x98BADCFE, D = 0x10325476.
; These four words are the standard MD4/MD5 initial state (RFC 1320/1321), and with an
; 88-byte context and a 16-byte result this is consistent with MD5; the two zeroed
; dwords sit where MD5_CTX keeps its 64-bit bit count. Whether it is MD5 rather than
; MD4 is decided by the transform behind 012BB790, which is not shown here.
; (OllyDbg prints the immediates in memory byte order, e.g. "01234567" for 0x67452301.)
012BB760:
012BB760 8B4424 04 mov eax, dword ptr [esp+4] ; eax = ctx
012BB764 33C9 xor ecx, ecx ; ecx = 0
012BB766 8948 14 mov dword ptr [eax+14], ecx ; count[1] = 0 (MD5_CTX layout; confirm in 012BB790)
012BB769 8948 10 mov dword ptr [eax+10], ecx ; count[0] = 0
012BB76C C700 01234567 mov dword ptr [eax], 67452301 ; state[0] = A
012BB772 C740 04 89ABCDE>mov dword ptr [eax+4], EFCDAB89 ; state[1] = B
012BB779 C740 08 FEDCBA9>mov dword ptr [eax+8], 98BADCFE ; state[2] = C
012BB780 C740 0C 7654321>mov dword ptr [eax+C], 10325476 ; state[3] = D
012BB787 C3 ret ; caller removes the argument (cdecl)