zcc1414

博客园 首页 联系 订阅 管理

这个CRACKME:


00401262  |.  8D4424 04     lea eax,dword ptr ss:[esp+0x4]
00401266  |.  6A 0A         push 0xA                                   ; /Count = A (10.)
00401268  |.  50            push eax                                   ; |Buffer
00401269  |.  51            push ecx                                   ; |hWnd => 02F5035E (class='Edit',parent=028E0306)
0040126A  |.  FF15 64204000 call dword ptr ds:[<&USER32.GetWindowTextA>; \GetWindowTextA
00401270  |.  68 10304000   push CrackMe3.00403010                     ;  Iceberg
00401275  |.  E8 96FEFFFF   call CrackMe3.00401110			;加密 Iceberg 得到

  • 00401110 /$ 8B5424 04 mov edx,dword ptr ss:[esp+0x4] 算法
  • 00401114 |. 33C0 xor eax,eax
  • 00401116 |. 8A0A mov cl,byte ptr ds:[edx]
  • 00401118 |. 84C9 test cl,cl
  • 0040111A |. 74 1A je XCrackMe3.00401136
  • 0040111C |> 80F9 41 /cmp cl,0x41
  • 0040111F |. 7C 15 |jl XCrackMe3.00401136
  • 00401121 |. 80F9 5A |cmp cl,0x5A
  • 00401124 |. 0FBEC9 |movsx ecx,cl
  • 00401127 |. 7E 03 |jle XCrackMe3.0040112C
  • 00401129 |. 83E9 20 |sub ecx,0x20
  • 0040112C |> 03C1 |add eax,ecx
  • 0040112E |. 8A4A 01 |mov cl,byte ptr ds:[edx+0x1]
  • 00401131 |. 42 |inc edx
  • 00401132 |. 84C9 |test cl,cl
  • 00401134 |.^ 75 E6 \jnz XCrackMe3.0040111C
  • 00401136 |> 35 78560000 xor eax,0x5678
00401261  |.  56            push esi
00401262  |.  8D4424 04     lea eax,dword ptr ss:[esp+0x4]
00401266  |.  6A 0A         push 0xA                                   ; /Count = A (10.)
00401268  |.  50            push eax                                   ; |Buffer
00401269  |.  51            push ecx                                   ; |hWnd => 02F5035E (class='Edit',parent=028E0306)
0040126A  |.  FF15 64204000 call dword ptr ds:[<&USER32.GetWindowTextA>; \GetWindowTextA
00401270  |.  68 10304000   push CrackMe3.00403010                     ;  Iceberg
00401275  |.  E8 96FEFFFF   call CrackMe3.00401110
0040127A  |.  8D5424 08     lea edx,dword ptr ss:[esp+0x8]
0040127E  |.  8BF0          mov esi,eax
00401280  |.  52            push edx
00401281  |.  E8 BAFEFFFF   call CrackMe3.00401140
00401286  |.  83C4 08       add esp,0x8
00401289  |.  3BF0          cmp esi,eax
0040128B  |.  5E            pop esi
0040128C  |.  75 0E         jnz XCrackMe3.0040129C
0040128E  |.  A1 20304000   mov eax,dword ptr ds:[0x403020]
00401293  |.  6A 01         push 0x1                                   ; /Enable = TRUE
00401295  |.  50            push eax                                   ; |hWnd => NULL
00401296  |.  FF15 5C204000 call dword ptr ds:[<&USER32.EnableWindow>] ; \EnableWindow



16进制转10进制算法:

00401140  /$  8B5424 04     mov edx,dword ptr ss:[esp+0x4]
00401144  |.  33C0          xor eax,eax
00401146  |.  8A0A          mov cl,byte ptr ds:[edx]
00401148  |.  84C9          test cl,cl
0040114A  |.  74 11         je XCrackMe3.0040115D
0040114C  |>  0FBEC9        /movsx ecx,cl
0040114F  |.  8D0480        |lea eax,dword ptr ds:[eax+eax*4]
00401152  |.  42            |inc edx
00401153  |.  8D4441 D0     |lea eax,dword ptr ds:[ecx+eax*2-0x30]
00401157  |.  8A0A          |mov cl,byte ptr ds:[edx]
00401159  |.  84C9          |test cl,cl
0040115B  |.^ 75 EF         \jnz XCrackMe3.0040114C
这个明显就是算法 草  我居然没看出来···················

int __cdecl sub_401140(int a1)
{
  int v1; // edx@1
  int v2; // eax@1
  char i; // cl@1


  v1 = a1;
  v2 = 0;
  for ( i = *(_BYTE *)a1; *(_BYTE *)v1; i = *(_BYTE *)v1 )
  {
    ++v1;
    v2 = i + 10 * v2 - 48;
  }
  return v2 ^ 0x1234;
}





posted on 2013-08-06 21:26  zcc1414  阅读(324)  评论(0编辑  收藏  举报