http://bbs.pediy.com/showthread.php?t=21330
Run the program.
Click Check: nothing happens, and an incorrect code produces no reaction either.
Set breakpoints on the APIs; the candidates are GetWindowText and GetDlgItemText.
Search for -> Name in current module, find GetWindowText, right-click, Set breakpoint on every reference. Then click Check.
00401316 |. 6A 28 push 0x28 ; /Count = 28 (40.)
00401318 |. 68 C4334000 push 004033C4 ; |Buffer = CrackHea.004033C4
0040131D |. FF35 90314000 push dword ptr ds:[0x403190] ; |hWnd = 00CC03BE (class='Edit',parent=001F02B8)
00401323 |. E8 4C010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401328 |. E8 A5000000 call 004013D2 ; key function
0040132D |. 3BC6 cmp eax,esi ; eax must equal esi
0040132F |. 75 42 jnz short 00401373 ; must not jump
00401331 |. EB 2C jmp short 0040135F
00401333 |. 4E 6F 77 20 7>ascii "Now write a keyg"
00401343 |. 65 6E 20 61 6>ascii "en and tut and y"
00401353 |. 6F 75 27 72 6>ascii "ou're done.",0
0040135F |> 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401361 |. 68 0F304000 push 0040300F ; |Title = "Crudd's Crack Head"
00401366 |. 68 33134000 push 00401333 ; |Text = "Now write a keygen and tut and you're done."
0040136B |. FF75 08 push [arg.1] ; |hOwner
0040136E |. E8 19010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401373 |> EB 15 jmp short 0040138A
00401375 |> FF75 14 push [arg.4] ; /lParam
00401378 |. FF75 10 push [arg.3] ; |wParam
0040137B |. FF75 0C push [arg.2] ; |Message
0040137E |. FF75 08 push [arg.1] ; |hWnd
00401381 |. E8 D6000000 call <jmp.&USER32.DefWindowProcA> ; \DefWindowProcA
00401386 |. C9 leave
00401387 |. C2 1000 retn 0x10
0040138A |> 33C0 xor eax,eax
0040138C |. C9 leave
0040138D \. C2 1000 retn 0x10
Found that the input data is stored in the buffer at: 00401318 |. 68 C4334000 push 004033C4 ; |Buffer = CrackHea.004033C4
Found the key comparison function: 00401328 |. E8 A5000000 call 004013D2 ; key function
Step into it:
004013D2 /$ 56 push esi
004013D3 |. 33C0 xor eax,eax
004013D5 |. 8D35 C4334000 lea esi,dword ptr ds:[0x4033C4] ; esi = pointer to the input string
004013DB |. 33C9 xor ecx,ecx
004013DD |. 33D2 xor edx,edx
004013DF |. 8A06 mov al,byte ptr ds:[esi] ; al gets the first character
004013E1 |. 46 inc esi
004013E2 |. 3C 2D cmp al,0x2D
004013E4 |. 75 08 jnz short 004013EE ; jump away if it is not 0x2D ('-')
004013E6 |. BA FFFFFFFF mov edx,-0x1 ; edx = -1
004013EB |. 8A06 mov al,byte ptr ds:[esi]
004013ED |. 46 inc esi
004013EE |> EB 0B jmp short 004013FB
004013F0 |> 2C 30 /sub al,0x30 ; subtract 0x30 from each digit character to get its numeric value
004013F2 |. 8D0C89 |lea ecx,dword ptr ds:[ecx+ecx*4] ; ecx = ecx*5
004013F5 |. 8D0C48 |lea ecx,dword ptr ds:[eax+ecx*2] ; ecx = eax + ecx*2 (i.e. ecx*10 + digit)
004013F8 |. 8A06 |mov al,byte ptr ds:[esi] ; fetch the next character and continue
004013FA |. 46 |inc esi
004013FB |> 0AC0 or al,al
004013FD |.^ 75 F1 \jnz short 004013F0
004013FF |. 8D040A lea eax,dword ptr ds:[edx+ecx] ; eax = edx + ecx
00401402 |. 33C2 xor eax,edx ; eax = eax ^ edx
00401404 |. 5E pop esi
00401405 |. 81F6 53757A79 xor esi,0x797A7553 ; esi = esi ^ 0x797a7553
0040140B \. C3 retn ; at the end eax must equal esi
What this function does: it first checks whether the number is negative; if so, edx = -1 and the result is negated at the end.
It then converts the digit string into the corresponding numeric value.
For example, "12345677" converts to the number 12345677, held in ecx. Finally esi is set to 0x797a7553,
and since eax must equal esi, eax has to be 0x797a7553, which is 2038068563 in decimal.
So the answer is 2038068563.
The lesson of this crackme: when there are no usable strings to search for, consider setting breakpoints on APIs to locate the key function.
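To make the arithmetic concrete, here is a Python model of the routine at 004013D2 and the final comparison. It is an added example, not code from the crackme or the original post, and it assumes (as the post's reasoning does) that the caller's esi is 0 when the routine returns, so the expected value is 0x797A7553 (2038068563).

```python
# Python model of the check routine at 004013D2 from the post above.
# Added example; not code from the crackme or the original post.
# Assumptions: the caller's esi is 0 on return (so esi ^ 0x797A7553 == 0x797A7553),
# and GetWindowTextA was called with Count = 0x28, so at most 39 characters
# reach the buffer at 004033C4.

MASK32 = 0xFFFFFFFF
KEY = 0x797A7553        # constant XORed into esi just before retn


def parse_number(buf: bytes) -> int:
    """Mirror the hand-rolled atoi: optional leading '-', then base-10 digits.

    Returns the 32-bit value left in eax. Like the original, there is no digit
    validation: 'sub al,0x30' is applied to whatever byte is read.
    """
    pos = 0
    ecx = 0             # accumulator
    edx = 0             # 0 for positive, 0xFFFFFFFF (-1) for negative

    def next_byte() -> int:
        nonlocal pos
        b = buf[pos] if pos < len(buf) else 0   # NUL terminator past the end
        pos += 1
        return b

    al = next_byte()
    if al == 0x2D:                          # cmp al,0x2D  ('-')
        edx = MASK32                        # mov edx,-1
        al = next_byte()
    while al != 0:                          # or al,al / jnz
        digit = (al - 0x30) & 0xFF          # sub al,0x30 (eax was zeroed, so eax == al)
        ecx = (ecx * 5) & MASK32            # lea ecx,[ecx+ecx*4]
        ecx = (digit + ecx * 2) & MASK32    # lea ecx,[eax+ecx*2] -> ecx*10 + digit
        al = next_byte()
    eax = (edx + ecx) & MASK32              # lea eax,[edx+ecx]
    return eax ^ edx                        # xor eax,edx (two's-complement negate if '-')


def check(user_input: str, caller_esi: int = 0) -> bool:
    """True when the crackme would show the success MessageBox for this input."""
    buf = user_input.encode("ascii")[:39]   # GetWindowTextA with Count=40 keeps 39 chars
    return parse_number(buf) == ((caller_esi ^ KEY) & MASK32)


if __name__ == "__main__":
    print(check("2038068563"))   # True
    print(check("12345677"))     # False
```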