这个CRACKME:
; Caller fragment: copies the Edit control's text into a stack buffer, then
; calls 00401110 on the string stored at 00403010.
00401262 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4] ; eax = address of the stack buffer that receives the text
; GetWindowTextA(hWnd, Buffer, Count): Count includes the terminating NUL,
; so at most 9 characters of the typed text are copied.
00401266 |. 6A 0A push 0xA ; /Count = A (10.)
00401268 |. 50 push eax ; |Buffer
00401269 |. 51 push ecx ; |hWnd => 02F5035E (class='Edit',parent=028E0306)
0040126A |. FF15 64204000 call dword ptr ds:[<&USER32.GetWindowTextA>; \GetWindowTextA
; 00403010 held the text "Iceberg" when this listing was captured; whether it is
; a constant or a buffer filled elsewhere is not visible in this fragment.
00401270 |. 68 10304000 push CrackMe3.00403010 ; Iceberg
00401275 |. E8 96FEFFFF call CrackMe3.00401110 ; author's note: transform ("encrypt") the string Iceberg; the result comes back in eax
; Routine 00401110: sums the bytes of a NUL-terminated string, subtracting 0x20 from
; every byte above 'Z', and XORs the sum with 0x5678. The result is left in eax.
; The listing stops before the return instruction.
- 00401110 /$ 8B5424 04 mov edx,dword ptr ss:[esp+0x4] 算法 ; edx = first stack argument (pointer to the string)
- 00401114 |. 33C0 xor eax,eax ; eax = 0, the running sum
- 00401116 |. 8A0A mov cl,byte ptr ds:[edx] ; cl = first byte
- 00401118 |. 84C9 test cl,cl
- 0040111A |. 74 1A je XCrackMe3.00401136 ; empty string: skip the loop
- 0040111C |> 80F9 41 /cmp cl,0x41 ; loop head: compare with 'A'
- 0040111F |. 7C 15 |jl XCrackMe3.00401136 ; signed "less than": a byte below 'A' (or >= 0x80) ends the loop early
- 00401121 |. 80F9 5A |cmp cl,0x5A ; compare with 'Z'
- 00401124 |. 0FBEC9 |movsx ecx,cl ; sign-extend the byte; movsx leaves the flags from the cmp intact
- 00401127 |. 7E 03 |jle XCrackMe3.0040112C ; 'A'..'Z' is added unchanged
- 00401129 |. 83E9 20 |sub ecx,0x20 ; above 'Z': subtract 0x20 ('a'..'z' -> 'A'..'Z'); no upper bound is checked, so other bytes above 'Z' are shifted too
- 0040112C |> 03C1 |add eax,ecx ; sum += byte
- 0040112E |. 8A4A 01 |mov cl,byte ptr ds:[edx+0x1] ; fetch the next byte
- 00401131 |. 42 |inc edx ; advance the pointer
- 00401132 |. 84C9 |test cl,cl
- 00401134 |.^ 75 E6 \jnz XCrackMe3.0040111C ; repeat until the NUL terminator
- 00401136 |> 35 78560000 xor eax,0x5678 ; final value = sum XOR 0x5678
; Check fragment: computes one value from the string at 00403010 (via 00401110) and one
; from the Edit control's text (via 00401140), and calls EnableWindow only if they match.
00401261 |. 56 push esi ; esi is preserved; it will hold the first result
00401262 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4] ; eax = address of the stack text buffer
; GetWindowTextA(hWnd, Buffer, Count): Count includes the terminating NUL,
; so at most 9 characters of the typed text are copied.
00401266 |. 6A 0A push 0xA ; /Count = A (10.)
00401268 |. 50 push eax ; |Buffer
00401269 |. 51 push ecx ; |hWnd => 02F5035E (class='Edit',parent=028E0306)
0040126A |. FF15 64204000 call dword ptr ds:[<&USER32.GetWindowTextA>; \GetWindowTextA
; 00403010 held the text "Iceberg" when this listing was captured; whether it is
; a constant or a buffer filled elsewhere is not visible in this fragment.
00401270 |. 68 10304000 push CrackMe3.00403010 ; Iceberg
00401275 |. E8 96FEFFFF call CrackMe3.00401110 ; eax = value computed from that string; the argument stays on the stack
0040127A |. 8D5424 08 lea edx,dword ptr ss:[esp+0x8] ; edx = the text buffer again (esp is 4 lower because of the un-popped argument)
0040127E |. 8BF0 mov esi,eax ; keep the first result across the next call
00401280 |. 52 push edx
00401281 |. E8 BAFEFFFF call CrackMe3.00401140 ; eax = value computed from the typed text
00401286 |. 83C4 08 add esp,0x8 ; pop the arguments of both calls
00401289 |. 3BF0 cmp esi,eax ; the whole check is this single 32-bit equality
0040128B |. 5E pop esi ; restore esi; pop does not change the flags
0040128C |. 75 0E jnz XCrackMe3.0040129C ; mismatch: skip the EnableWindow call (code at 0040129C is not shown)
0040128E |. A1 20304000 mov eax,dword ptr ds:[0x403020] ; window handle stored at 00403020
00401293 |. 6A 01 push 0x1 ; /Enable = TRUE
00401295 |. 50 push eax ; |hWnd => NULL
00401296 |. FF15 5C204000 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow
16进制转10进制算法:
; Routine 00401140: folds a NUL-terminated string into eax as base-10 digits,
; eax = eax*10 + byte - 0x30 for every byte. The loop has no check that a byte is
; '0'..'9' and no overflow check, so any non-NUL byte is folded in.
; The listing stops at the loop branch; the code from 0040115D onward is not shown.
00401140 /$ 8B5424 04 mov edx,dword ptr ss:[esp+0x4] ; edx = first stack argument (pointer to the string)
00401144 |. 33C0 xor eax,eax ; eax = 0, the accumulator
00401146 |. 8A0A mov cl,byte ptr ds:[edx] ; cl = first byte
00401148 |. 84C9 test cl,cl
0040114A |. 74 11 je XCrackMe3.0040115D ; empty string: skip the loop
0040114C |> 0FBEC9 /movsx ecx,cl ; loop head: sign-extend the current byte
0040114F |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4] ; eax = eax * 5
00401152 |. 42 |inc edx ; advance the pointer
00401153 |. 8D4441 D0 |lea eax,dword ptr ds:[ecx+eax*2-0x30] ; eax = byte + (eax*5)*2 - '0', i.e. old eax*10 + digit value
00401157 |. 8A0A |mov cl,byte ptr ds:[edx] ; fetch the next byte
00401159 |. 84C9 |test cl,cl
0040115B |.^ 75 EF \jnz XCrackMe3.0040114C ; repeat until the NUL terminator
这个明显就是算法 草 我居然没看出来···················
/*
 * Decompiler output for the routine at 00401140.
 *
 * Treats a1 as the address of a NUL-terminated byte string and folds every
 * byte into an accumulator as a base-10 digit: acc = byte + 10 * acc - 48.
 * Returns the accumulator XORed with 0x1234.
 *
 * Nothing in the loop checks that a byte lies in '0'..'9', and nothing guards
 * the accumulator against overflow; any non-NUL byte is folded in.
 *
 * a1 is an int holding an address, as produced for a 32-bit target.
 */
int __cdecl sub_401140(int a1)
{
    int cursor = a1;          /* edx in the disassembly */
    int acc = 0;              /* eax in the disassembly */
    char ch = *(_BYTE *)a1;   /* cl in the disassembly  */

    while (*(_BYTE *)cursor) {
        cursor++;
        /* 48 is ASCII '0': append the byte as the next decimal digit. */
        acc = ch + 10 * acc - 48;
        ch = *(_BYTE *)cursor;
    }

    return acc ^ 0x1234;
}