发表于 2006-3-27 17:04:47
0040156D |. E8 DE020000 call 00401850 ; 取用户名
00401572 |. 8945 E4 mov [ebp-1C], eax ; 把用户名长度放进[ebp-1C]
00401575 |. 837D E4 05 cmp dword ptr [ebp-1C], 5 ; 检测用户名是否大与或等与5
00401579 |. 7D 43 jge short 004015BE ; 不跳则挂
0040157B |. 6A 40 push 40
0040157D |. 68 20404000 push 00404020 ; ASCII "CrackMe"
00401582 |. 68 28404000 push 00404028 ; ASCII "User Name must have at least 5 characters."
00401587 |. 8B8D 40FEFFFF mov ecx, [ebp-1C0]
0040158D |. E8 F2070000 call <jmp.&MFC42.#4224_CWnd::>
00401592 |. C645 FC 01 mov byte ptr [ebp-4], 1
00401596 |. 8D4D DC lea ecx, [ebp-24]
00401599 |. E8 C2070000 call <jmp.&MFC42.#800_CString>
0040159E |. C645 FC 00 mov byte ptr [ebp-4], 0
004015A2 |. 8D4D E8 lea ecx, [ebp-18]
004015A5 |. E8 B6070000 call <jmp.&MFC42.#800_CString>
004015AA |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
004015B1 |. 8D4D EC lea ecx, [ebp-14]
004015B4 |. E8 A7070000 call <jmp.&MFC42.#800_CString>
004015B9 |. E9 F9010000 jmp 004017B7
004015BE |> C745 E0 00000>mov dword ptr [ebp-20], 0
004015C5 |. EB 09 jmp short 004015D0
004015C7 |> 8B55 E0 /mov edx, [ebp-20]
004015CA |. 83C2 01 |add edx, 1 ; 次数+1
004015CD |. 8955 E0 |mov [ebp-20], edx
004015D0 |> 8B45 E0 mov eax, [ebp-20]
004015D3 |. 3B45 E4 |cmp eax, [ebp-1C] ; 次数和8比较,大或等则跳(取完所有用户名就跳走)
004015D6 |. 7D 42 |jge short 0040161A ; 取完就跳走
004015D8 |. 8B4D E0 |mov ecx, [ebp-20]
004015DB |. 51 |push ecx ; /Arg1
004015DC |. 8D4D EC |lea ecx, [ebp-14] ; |
004015DF |. E8 1C030000 |call 00401900 ; \再取用户名
004015E4 |. 0FBED0 |movsx edx, al ; 依次把用户名16进制码放进edx
004015E7 |. 8B45 F0 |mov eax, [ebp-10] ; eax=[ebp-10]
004015EA |. 03C2 |add eax, edx ; eax=[ebp-10]+73(我的第一位用户名ascii码为73)
004015EC |. 8945 F0 |mov [ebp-10], eax ; 把计算结果放进[]
004015EF |. 8B4D E0 |mov ecx, [ebp-20]
004015F2 |. C1E1 08 |shl ecx, 8 ; 逻辑左移8位
004015F5 |. 8B55 F0 |mov edx, [ebp-10] ; 计算结果放回edx
004015F8 |. 33D1 |xor edx, ecx ; edx=edx xor ecx
004015FA |. 8955 F0 |mov [ebp-10], edx
004015FD |. 8B45 E0 |mov eax, [ebp-20]
00401600 |. 83C0 01 |add eax, 1 ; 计数器+1
00401603 |. 8B4D E4 |mov ecx, [ebp-1C] ; 用户名长度放进ecx
00401606 |. 0FAF4D E0 |imul ecx, [ebp-20] ; ecx=ecx*[ebp-20]
0040160A |. F7D1 |not ecx ; 取反
0040160C |. 0FAFC1 |imul eax, ecx ; eax=eax*ecx
0040160F |. 8B55 F0 |mov edx, [ebp-10]
00401612 |. 0FAFD0 |imul edx, eax ; edx=eax*edx=7ED89C48
00401615 |. 8955 F0 |mov [ebp-10], edx ; 计算结果放回[]
00401618 |.^ EB AD \jmp short 004015C7 ; 继续取下一位用户名计算
0040161A |> 8B45 F0 mov eax, [ebp-10]
0040161D |. 50 push eax
0040161E |. 68 54404000 push 00404054 ; ASCII "%lu"
00401623 |. 8D4D DC lea ecx, [ebp-24]
00401626 |. 51 push ecx
00401627 |. E8 52070000 call <jmp.&MFC42.#2818_CStrin>
0040162C |. 83C4 0C add esp, 0C
0040162F |. 8D4D DC lea ecx, [ebp-24]
00401632 |. E8 79020000 call 004018B0
00401637 |. 50 push eax ; /真码入栈
00401638 |. 8D4D E8 lea ecx, [ebp-18] ; |
0040163B |. E8 80020000 call 004018C0 ; \crackme3.004018C0
00401640 |. 85C0 test eax, eax ; 真假比较
00401642 |. 0F85 FF000000 jnz 00401747 ; 不正确则跳,跳向死亡
00401648 |. 8D8D ACFEFFFF lea ecx, [ebp-154]
0040164E |. E8 19070000 call <jmp.&MFC42.#540_CString>
00401653 |. C645 FC 03 mov byte ptr [ebp-4], 3
00401657 |. 6A 66 push 66
00401659 |. 8D8D ACFEFFFF lea ecx, [ebp-154]
0040165F |. E8 02070000 call <jmp.&MFC42.#4160_CStrin>
00401664 |. B9 07000000 mov ecx, 7
00401669 |. BE 58404000 mov esi, 00404058 ; ASCII "Correct!! "
0040166E |. 8DBD 48FEFFFF lea edi, [ebp-1B8]
00401674 |. F3:A5 rep movs dword ptr es:[edi],>
00401676 |. 66:A5 movs word ptr es:[edi], word >
00401678 |. A4 movs byte ptr es:[edi], byte >
00401679 |. B9 11000000 mov ecx, 11
0040167E |. 33C0 xor eax, eax
00401680 |. 8DBD 67FEFFFF lea edi, [ebp-199]
00401686 |. F3:AB rep stos dword ptr es:[edi]
00401688 |. AA stos byte ptr es:[edi]
00401689 |. B9 07000000 mov ecx, 7
0040168E |. BE 78404000 mov esi, 00404078 ; ASCII "<BrD-SoB> "
00401693 |. 8DBD 14FFFFFF lea edi, [ebp-EC]
00401699 |. F3:A5 rep movs dword ptr es:[edi],>
0040169B |. 66:A5 movs word ptr es:[edi], word >
0040169D |. B9 11000000 mov ecx, 11
004016A2 |. 33C0 xor eax, eax
004016A4 |. 8DBD 32FFFFFF lea edi, [ebp-CE]
004016AA |. F3:AB rep stos dword ptr es:[edi]
004016AC |. 66:AB stos word ptr es:[edi]
004016AE |. B9 06000000 mov ecx, 6
004016B3 |. BE 98404000 mov esi, 00404098 ; ASCII "Incorrect!!, Try Again."
004016B8 |. 8DBD 78FFFFFF lea edi, [ebp-88]
004016BE |. F3:A5 rep movs dword ptr es:[edi],>
004016C0 |. B9 13000000 mov ecx, 13
004016C5 |. 33C0 xor eax, eax
004016C7 |. 8D7D 90 lea edi, [ebp-70]
004016CA |. F3:AB rep stos dword ptr es:[edi]
004016CC |. B9 07000000 mov ecx, 7
004016D1 |. BE B0404000 mov esi, 004040B0 ; ASCII "Correct way to go, You Got It."
004016D6 |. 8DBD B0FEFFFF lea edi, [ebp-150]
004016DC |. F3:A5 rep movs dword ptr es:[edi],>
004016DE |. 66:A5 movs word ptr es:[edi], word >
004016E0 |. A4 movs byte ptr es:[edi], byte >
004016E1 |. B9 11000000 mov ecx, 11
004016E6 |. 33C0 xor eax, eax
004016E8 |. 8DBD CFFEFFFF lea edi, [ebp-131]
004016EE |. F3:AB rep stos dword ptr es:[edi]
004016F0 |. AA stos byte ptr es:[edi]
004016F1 |. 6A 40 push 40
004016F3 |. 68 D0404000 push 004040D0 ; ASCII "CrackMe"
004016F8 |. 8D8D ACFEFFFF lea ecx, [ebp-154]
004016FE |. E8 AD010000 call 004018B0
00401703 |. 50 push eax
00401704 |. 8B8D 40FEFFFF mov ecx, [ebp-1C0]
0040170A |. E8 75060000 call <jmp.&MFC42.#4224_CWnd::>
0040170F |. C645 FC 02 mov byte ptr [ebp-4], 2
00401713 |. 8D8D ACFEFFFF lea ecx, [ebp-154]
00401719 |. E8 42060000 call <jmp.&MFC42.#800_CString>
0040171E |. C645 FC 01 mov byte ptr [ebp-4], 1
00401722 |. 8D4D DC lea ecx, [ebp-24]
00401725 |. E8 36060000 call <jmp.&MFC42.#800_CString>
0040172A |. C645 FC 00 mov byte ptr [ebp-4], 0
0040172E |. 8D4D E8 lea ecx, [ebp-18]
00401731 |. E8 2A060000 call <jmp.&MFC42.#800_CString>
00401736 |. C745 FC FFFFF>mov dword ptr [ebp-4], -1
0040173D |. 8D4D EC lea ecx, [ebp-14]
00401740 |. E8 1B060000 call <jmp.&MFC42.#800_CString>
00401745 |. EB 70 jmp short 004017B7
00401747 |> 8D8D 44FEFFFF lea ecx, [ebp-1BC] 跳到这里
0040174D |. E8 1A060000 call <jmp.&MFC42.#540_CString>
00401752 |. C645 FC 04 mov byte ptr [ebp-4], 4
00401756 |. 6A 67 push 67
00401758 |. 8D8D 44FEFFFF lea ecx, [ebp-1BC]
0040175E |. E8 03060000 call <jmp.&MFC42.#4160_CStrin>
00401763 |. 6A 40 push 40
00401765 |. 68 D8404000 push 004040D8 ; ASCII "CrackMe"
0040176A |. 8D8D 44FEFFFF lea ecx, [ebp-1BC]
00401770 |. E8 3B010000 call 004018B0
00401775 |. 50 push
00401776 |. 8B8D 40FEFFFF mov ecx, [ebp-1C0]
0040177C |. E8 03060000 call <jmp.&MFC42.#4224_CWnd::>
name:snetluck
code:21034816
汗,第一次算法分析,不完整,希望高手指出错误!