IDA Ponce plugin usage example
https://github.com/illera88/Ponce
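- Configure the debugger: select Local debugger
- Debugger - Process options: enter aaaaa as the parameters
- Configure as shown in the figure: set breakpoints at ① and ②
- Press F9 to run and follow the jump at ③
- Locate ④, select 6161616161 (the bytes of the aaaaa argument), then right-click and choose Symbolic - Symbolize Memory
- Press F9 to run to the conditional jump
- Right-click the assembly instruction => SMT Solver => Solve Formula
The solver returns: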
- SymVar_2: 0x7d (})
- SymVar_1: 0x5e (^)
- SymVar_3: 0x41 (A)
- SymVar_4: 0x48 (H)
- SymVar_0: 0x11 ()
Sort the values by index (0, 1, 2, 3, 4) to get the input bytes in order.
Run in Git Bash:
```
./crackme_hash.exe "`python -c "print('\x11\x5e\x7d\x41\x48')"`"
```
crackme_hash.cpp
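```cpp
#include <stdio.h>
#include <stdlib.h>

/* Key bytes XORed against the input, reused every 5 characters. */
const char *serial = "\x31\x3e\x3d\x26\x31";

int check(char *ptr)
{
    int i;
    int hash = 0xABCD;

    /* Add each (input byte XOR key byte) to the running hash. */
    for (i = 0; ptr[i]; i++)
        hash += ptr[i] ^ serial[i % 5];

    return hash;
}

int main(int ac, char **av)
{
    int ret;

    if (ac != 2)
        return -1;

    ret = check(av[1]);
    /* Target value the symbolic solver has to reach. */
    if (ret == 0xad6d)
        printf("Win\n");
    else
        printf("fail\n");

    return 0;
}
```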
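The following check is an added example, not part of the original post or of the Ponce project: it places each SymVar_N value at input offset N (the "sort by index" step), confirms the resulting bytes hash to 0xad6d, and shows that the solver's model is only one of many inputs this additive check accepts. The helper names `model_to_input` and `find_printable` are hypothetical.

```c
#include <stdio.h>

/* Same key bytes and arithmetic as check() in crackme_hash.cpp. */
static const char *serial = "\x31\x3e\x3d\x26\x31";
static int check(const char *ptr)
{
    int hash = 0xABCD;
    for (int i = 0; ptr[i]; i++)
        hash += ptr[i] ^ serial[i % 5];
    return hash;
}

/* Solver output in the order the page lists it: {SymVar index, value}. */
static const int model[5][2] = {
    {2, 0x7d}, {1, 0x5e}, {3, 0x41}, {4, 0x48}, {0, 0x11}
};

/* Hypothetical helper: SymVar_N goes to input offset N. */
static void model_to_input(char out[6])
{
    for (int k = 0; k < 5; k++)
        out[model[k][0]] = (char)model[k][1];
    out[5] = '\0';
}

/* Hypothetical helper: depth-first search for a printable 5-byte input
 * whose XOR terms add up to `remaining` (target minus 0xABCD). */
static int find_printable(char out[6], int pos, int remaining)
{
    if (pos == 5) { out[5] = '\0'; return remaining == 0; }
    for (int c = 0x21; c <= 0x7e; c++) {
        int term = c ^ serial[pos];
        /* each later 7-bit term is at most 0x7f; skip unreachable sums */
        if (term > remaining || remaining - term > 0x7f * (4 - pos))
            continue;
        out[pos] = (char)c;
        if (find_printable(out, pos + 1, remaining - term))
            return 1;
    }
    return 0;
}

int main(void)
{
    char in[6], alt[6];
    model_to_input(in);
    printf("model input hash: 0x%x\n", check(in));
    if (find_printable(alt, 0, 0xad6d - 0xABCD))
        printf("printable \"%s\" hash: 0x%x\n", alt, check(alt));
    return 0;
}
```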