crackme的地址:
http://www.pediy.com/tutorial/chap6/Exercise/section01/chap6-1-1-01.zip
就里面那段xor,那段我看不懂,整个程序大体我看懂了.可是算法那段xor..不知是怎么设计的
怎么老是用xor,这个命令到底起什么作用呢?谁能帮我注释下,谢谢了.
; 00401000: program entry point (OllyDbg marks it with ">").
; GetModuleHandleA(NULL) -> global [403050] (the hInstance), then the routine at
; 00401023 is called with four stack arguments: hInst, 0, 0, 0A. That looks like
; a WinMain(hInst, hPrev, lpCmdLine, nCmdShow) call shape (0A = SW_SHOWDEFAULT
; would fit) - TODO confirm; only the first argument is actually read there.
; Whatever 00401023 returns in eax becomes the process exit code.
; The callee ends with "retn 10", so it pops all 16 bytes of arguments itself.
00401000 >/$ 6A 00 push 0 ; /pModule = NULL
00401002 |. E8 93010000 call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
00401007 |. A3 50304000 mov dword ptr [403050], eax
; arguments pushed right-to-left: [ebp+14]=0A, [ebp+10]=0, [ebp+C]=0, [ebp+8]=hInst
0040100C |. 6A 0A push 0A
0040100E |. 6A 00 push 0
00401010 |. 6A 00 push 0
00401012 |. FF35 50304000 push dword ptr [403050]
00401018 |. E8 06000000 call 00401023
0040101D |. 50 push eax ; /ExitCode
0040101E \. E8 71010000 call <jmp.&KERNEL32.ExitProcess> ; \ExitProcess
; 00401023: runs the modal dialog.
;   DialogBoxParamA(hInst=[ebp+8], pTemplate="dialog1", hOwner=NULL,
;                   DlgProc=00401041, lParam=0)
; Only the first stack argument (hInst) is read; the other three pushed by the
; caller are ignored. The return value of DialogBoxParamA is left in eax for
; the caller (it ends up as the ExitProcess code). Frame pointer is set up
; with push ebp / mov ebp,esp and torn down with leave; "retn 10" pops the
; four dword arguments (stdcall style).
00401023 /$ 55 push ebp
00401024 |. 8BEC mov ebp, esp
00401026 |. B8 41104000 mov eax, 00401041 ; eax = address of the dialog procedure
0040102B |. 6A 00 push 0 ; /lParam = NULL
0040102D |. 50 push eax ; |DlgProc => crackme.00401041
0040102E |. 6A 00 push 0 ; |hOwner = NULL
00401030 |. 68 00304000 push 00403000 ; |pTemplate = "dialog1"
00401035 |. FF75 08 push dword ptr [ebp+8] ; |hInst
00401038 |. E8 33010000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
0040103D |. C9 leave
0040103E \. C2 1000 retn 10
; 00401041: dialog procedure (stdcall, 4 args):
;   [ebp+8]=hDlg, [ebp+C]=uMsg, [ebp+10]=wParam, [ebp+14]=lParam (lParam unused).
; hDlg is stored in the global [403054] on every message.
;   WM_INITDIALOG (110): GetDlgItem(hDlg, 0BB8) -> global [403058]; SetFocus on it.
;   WM_CLOSE      (10) : EndDialog(hDlg, 0).
;   WM_COMMAND    (111): when LOWORD(wParam) == 0BB9 and HIWORD(wParam) == 0
;                        (notification code 0 - presumably BN_CLICKED of a
;                        button with ID 0BB9, TODO confirm against the
;                        dialog template), copy up to 10 bytes (9 chars + NUL)
;                        from control 0BB8 into the static buffer at 403044
;                        and run the check routine at 004010C9.
; Returns 1 ("handled") for those three messages and 0 for everything else.
; Note: within WM_COMMAND, an ID other than 0BB9 jumps straight to 004010C0
; and also returns 1, i.e. it is reported as handled without doing anything.
00401041 /. 55 push ebp
00401042 |. 8BEC mov ebp, esp
00401044 |. 8B45 08 mov eax, dword ptr [ebp+8]
00401047 |. A3 54304000 mov dword ptr [403054], eax ; [403054] = hDlg (used by the check routine's MessageBox calls)
0040104C |. 8B45 0C mov eax, dword ptr [ebp+C]
0040104F |. 3D 10010000 cmp eax, 110 ; Switch (cases 10..111)
00401054 |. 75 1A jnz short 00401070
00401056 |. 68 B80B0000 push 0BB8 ; /ControlID = BB8 (3000.); Case 110 (WM_INITDIALOG) of switch 0040104F
0040105B |. FF75 08 push dword ptr [ebp+8] ; |hWnd
0040105E |. E8 19010000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00401063 |. A3 58304000 mov dword ptr [403058], eax ; [403058] = handle of the edit control 0BB8
00401068 |. 50 push eax ; /hWnd
00401069 |. E8 1A010000 call <jmp.&USER32.SetFocus> ; \SetFocus
0040106E |. EB 50 jmp short 004010C0
00401070 |> 83F8 10 cmp eax, 10
00401073 |. 75 0C jnz short 00401081
00401075 |. 6A 00 push 0 ; /Result = 0; Case 10 (WM_CLOSE) of switch 0040104F
00401077 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
0040107A |. E8 F7000000 call <jmp.&USER32.EndDialog> ; \EndDialog
0040107F |. EB 3F jmp short 004010C0
00401081 |> 3D 11010000 cmp eax, 111
00401086 |. 75 2F jnz short 004010B7
00401088 |. 8B45 10 mov eax, dword ptr [ebp+10] ; Case 111 (WM_COMMAND) of switch 0040104F
0040108B |. 66:3D B90B cmp ax, 0BB9 ; LOWORD(wParam) == control ID 0BB9 ?
0040108F |. 75 2F jnz short 004010C0
00401091 |. C1E8 10 shr eax, 10 ; eax = HIWORD(wParam) = notification code
00401094 |. 66:0BC0 or ax, ax ; ZF set only when the notification code is 0
00401097 |. 75 1C jnz short 004010B5
00401099 |. 6A 0A push 0A ; /Count = A (10.)
0040109B |. 68 44304000 push 00403044 ; |Buffer = crackme.00403044
004010A0 |. 68 B80B0000 push 0BB8 ; |ControlID = BB8 (3000.)
; [403054] holds hDlg saved at 00401047; OllyDbg's "= NULL" below is only its static guess
004010A5 |. FF35 54304000 push dword ptr [403054] ; |hWnd = NULL
004010AB |. E8 D2000000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004010B0 |. E8 14000000 call 004010C9 ; serial check on the 403044 buffer
004010B5 |> EB 09 jmp short 004010C0
004010B7 |> B8 00000000 mov eax, 0 ; Default case of switch 0040104F
004010BC |. C9 leave
004010BD |. C2 1000 retn 10
004010C0 |> B8 01000000 mov eax, 1
004010C5 |. C9 leave
004010C6 \. C2 1000 retn 10
; 004010C9: serial check. Transforms the 8 bytes of *user input* at 403044
; (filled by GetDlgItemTextA in the dialog procedure) in place, then compares
; the result byte-for-byte with the 8 constant bytes at 403008 - the expected
; value baked into the data section (its contents are not in this listing).
; Scratch: 4 bytes at 40304C (= 403044 + 8). No arguments, no return value;
; the outcome is reported with MessageBoxA only.
;
; To the question in the post: 403044 is YOUR INPUT, 403008 is the STORED
; TARGET. There is no plaintext serial anywhere - the input is scrambled and
; the scrambled form is compared.
;
; XOR is used here for two unrelated jobs:
;   xor reg, reg          - the standard idiom for zeroing a register (esi, edi);
;   xor byte, imm / xor al, bl - reversible "mixing": a ^ k ^ k == a, and
;                           XOR-ing bytes together is the classic cheap checksum.
;
; The transform, with s[0..7] = input bytes and T[0..7] = bytes at 403008:
;   step 1: s[i] ^= 32h                              (loop at 004010DA)
;   step 2: p[j] = s[2j] ^ s[2j+1], j=0..3 -> 40304C (loop at 004010EA)
;   step 3: k = p[0]^p[1]^p[2]^p[3]                  (00401102..00401111)
;           = XOR of all eight step-1 bytes; the eight 32h terms cancel,
;           so k is just the XOR of the eight ORIGINAL input bytes.
;   step 4: s[i] ^= k                                (loop at 0040111D)
;   step 5: accept iff s[i] == T[i] for i = 0..7     (loop at 00401131)
; Because XOR is its own inverse this is easy to run backwards:
;   k = T[0]^T[1]^...^T[7]   (the eight 32h terms and eight k terms cancel)
;   input[i] = T[i] ^ 32h ^ k
; so any 8-byte target at 403008 has exactly one matching 8-byte input.
;
; Things a reviewer would flag:
;  - bl (ebx) is written at 004010EC/00401104/00401109 but never saved; ebx is
;    callee-saved in the Win32 ABI and this runs inside the dialog procedure,
;    so USER32's ebx is clobbered - TODO confirm this is harmless in practice.
;  - Exactly 8 bytes are processed, with no length check. Input shorter than
;    8 chars is padded by the NUL and by whatever the static buffer held from
;    the previous click (it is transformed in place every time), so the check
;    then runs on partially stale data; longer input is truncated to 8.
;  - The 10-byte GetDlgItemTextA buffer (403044..40304D) overlaps the scratch
;    area at 40304C; harmless only because the scratch is written after the
;    input was read and only bytes 0..7 are ever compared.
;  - The compare exits on the first mismatch (jnz at 00401135); fine for a
;    crackme, but not a constant-time comparison.
004010C9 /$ 56 push esi
004010CA |. 57 push edi
004010CB |. 51 push ecx
004010CC |. 33F6 xor esi, esi ; esi = 0 (zeroing idiom; overwritten again at 004010D5)
004010CE |. 33FF xor edi, edi ; edi = 0 (zeroing idiom; index into the 40304C scratch area)
// (poster) the xor instructions start from here - there are so many of them and I don't understand what they are for
; step 1: XOR each of the 8 input bytes with the constant 32h, in place
004010D0 |. B9 08000000 mov ecx, 8
004010D5 |. BE 44304000 mov esi, 00403044
004010DA |> 8036 32 /xor byte ptr [esi], 32
004010DD |. 46 |inc esi
004010DE |.^ E2 FA \loopd short 004010DA
; step 2: fold adjacent pairs: scratch[j] = buf[2j] ^ buf[2j+1] for j = 0..3
004010E0 |. BE 44304000 mov esi, 00403044
004010E5 |. B9 04000000 mov ecx, 4
004010EA |> 8A06 /mov al, byte ptr [esi]
004010EC |. 8A5E 01 |mov bl, byte ptr [esi+1] ; bl clobbered, ebx not preserved (see header)
004010EF |. 32C3 |xor al, bl
004010F1 |. 8887 4C304000 |mov byte ptr [edi+40304C], al
004010F7 |. 83C6 02 |add esi, 2
004010FA |. 47 |inc edi
004010FB |.^ E2 ED \loopd short 004010EA
; step 3: al = scratch[0]^scratch[1]^scratch[2]^scratch[3] = XOR of all 8 input bytes
004010FD |. BE 4C304000 mov esi, 0040304C
00401102 |. 8A06 mov al, byte ptr [esi]
00401104 |. 8A5E 01 mov bl, byte ptr [esi+1]
00401107 |. 32C3 xor al, bl ; al = scratch[0] ^ scratch[1]
00401109 |. 8A5E 02 mov bl, byte ptr [esi+2]
0040110C |. 8A4E 03 mov cl, byte ptr [esi+3]
0040110F |. 32D9 xor bl, cl ; bl = scratch[2] ^ scratch[3]
00401111 |. 32C3 xor al, bl ; al = k, the one-byte "key" derived from the input itself
; step 4: XOR every one of the 8 (already ^32h) input bytes with k
00401113 |. B9 08000000 mov ecx, 8
00401118 |. BE 44304000 mov esi, 00403044
0040111D |> 3006 /xor byte ptr [esi], al
0040111F |. 46 |inc esi
00401120 |.^ E2 FB \loopd short 0040111D
; step 5: compare the transformed input (esi -> 403044) with the target (edi -> 403008)
00401122 |. B9 08000000 mov ecx, 8
// (poster) I want to know which of these last two is the registration code and which is what we typed? I am confused.
; answer: 403044 = what you typed (now scrambled in place); 403008 = the fixed expected bytes
00401127 |. BE 44304000 mov esi, 00403044
0040112C |. BF 08304000 mov edi, 00403008
00401131 |> 8A06 /mov al, byte ptr [esi]
00401133 |. 3A07 |cmp al, byte ptr [edi]
00401135 |. 75 1D |jnz short 00401154 ; first mismatch -> "Bad Serial"
00401137 |. 46 |inc esi
00401138 |. 47 |inc edi
00401139 |.^ E2 F6 \loopd short 00401131
; all 8 bytes matched
0040113B |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040113D |. 68 35304000 push 00403035 ; |Title = "Crackme 1.0"
00401142 |. 68 10304000 push 00403010 ; |Text = "Good Work Cracker"
00401147 |. FF35 54304000 push dword ptr [403054] ; |hOwner = NULL
0040114D |. E8 3C000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401152 |. EB 17 jmp short 0040116B
00401154 |> 6A 30 push 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401156 |. 68 35304000 push 00403035 ; |Title = "Crackme 1.0"
0040115B |. 68 22304000 push 00403022 ; |Text = "Bad Serial, Sorry!"
00401160 |. FF35 54304000 push dword ptr [403054] ; |hOwner = NULL
00401166 |. E8 23000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
; restore the registers saved on entry (note: ebx/eax are not among them)
0040116B |> 5F pop edi
0040116C |. 5E pop esi
0040116D |. 59 pop ecx
0040116E \. C3 retn