HellBound Hackers app11 crack
Posted: 2014-8-18 11:13 8643

App download: app11.zip

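1. Open the app in OD (OllyDbg) and step into the app11 module, as shown in the figure below:

The code looks a bit messy. Could it be packed? Check with PEiD.
2. Open the app in PEiD, as shown in the figure below:

Clearly no packer is at work; the program was developed in C#, which is why opening it in OD produces the result above. So analyze it with IL DASM instead.
3. Open the app in IL DASM, as shown in the figure:

Next, where is the password stored, and in which method? Going by the program's interface:

Guess: clicking the "Check Password" button probably triggers the comparison, and the matching dialog box is shown depending on the result.
4. Open the click methods one by one. Command1_Click_1 contains a large amount of code, so could this be the one? Skimming the code turns up the following fragment:

Clearly this should be close to where the password is handled.
5. Analyze the code from step 4 in detail: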
  IL_01e7:  ldc.i4.0
  IL_01e8:  bne.un.s   IL_0205
  IL_01ea:  ldstr      "Congratulations: The password for HBH is: "
  IL_01ef:  ldloc.s    V_26 // push the string stored in V_26 onto the stack
  IL_01f1:  call       string [mscorlib]System.String::Concat(string,
                                                              string) // string concatenation

  IL_01f6:  ldc.i4.s   64
  IL_01f8:  ldstr      "Correct!"
  IL_01fd:  call       valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
                                                                                                                                                            valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxStyle,
                                                                                                                                                            object) // show the dialog box

The code above pops up a dialog box whose content is "Congratulations: The password for HBH is: " + V_26 (the stored string). The next step is to work out what V_26 holds.

Working upward through the code:

  IL_0000:  nop
  IL_0001:  ldstr      "YOUR LOOKING IN THE WRONG PLACE: FROM saxible"
  IL_0006:  stloc.s    V_27  // store "YOUR LOOKING IN THE WRONG PLACE: FROM saxible" in V_27

  IL_0008:  ldstr      "n"
  IL_000d:  stloc.0  // store the character "n" in local 0

  IL_000e:  ldstr      "o"
  IL_0013:  stloc.s    V_11 // store the character "o" in V_11; the blocks that follow work the same way

  IL_0015:  ldstr      "p"
  IL_001a:  stloc.s    V_19

  IL_001c:  ldstr      "q"
  IL_0021:  stloc.s    V_20

  IL_0023:  ldstr      "r"
  IL_0028:  stloc.s    V_21

  IL_002a:  ldstr      "s"
  IL_002f:  stloc.s    V_22

  IL_0031:  ldstr      "t"
  IL_0036:  stloc.s    V_23

  IL_0038:  ldstr      "u"
  IL_003d:  stloc.s    V_24
  IL_003f:  ldstr      "v"
  IL_0044:  stloc.s    V_25

  IL_0046:  ldstr      "w"
  IL_004b:  stloc.1

  IL_004c:  ldstr      "x"
  IL_0051:  stloc.2

  IL_0052:  ldstr      "y"
  IL_0057:  stloc.3

  IL_0058:  ldstr      "z"
  IL_005d:  stloc.s    V_4
  IL_005f:  ldstr      "a"
  IL_0064:  stloc.s    V_5
  IL_0066:  ldstr      "b"
  IL_006b:  stloc.s    V_6
  IL_006d:  ldstr      "c"
  IL_0072:  stloc.s    V_7
  IL_0074:  ldstr      "d"
  IL_0079:  stloc.s    V_8
  IL_007b:  ldstr      "e"
  IL_0080:  stloc.s    V_9
  IL_0082:  ldstr      "f"
  IL_0087:  stloc.s    V_10
  IL_0089:  ldstr      "g"
  IL_008e:  stloc.s    V_12
  IL_0090:  ldstr      "h"
  IL_0095:  stloc.s    V_13
  IL_0097:  ldstr      "i"
  IL_009c:  stloc.s    V_14
  IL_009e:  ldstr      "j"
  IL_00a3:  stloc.s    V_15
  IL_00a5:  ldstr      "k"
  IL_00aa:  stloc.s    V_16
  IL_00ac:  ldstr      "l"
  IL_00b1:  stloc.s    V_17
  IL_00b3:  ldstr      "m"
  IL_00b8:  stloc.s    V_18 // at this point V_0 through V_25 have all been assigned

  IL_00ba:  ldc.i4.s   15
  IL_00bc:  newarr     [mscorlib]System.String  // create a string array of length 15
  IL_00c1:  stloc.s    V_29  // V_29 refers to the newly created array

  IL_00c3:  ldloc.s    V_29
  IL_00c5:  ldc.i4.0    // push the integer 0 onto the stack
  IL_00c6:  ldloc.s    V_23
  IL_00c8:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string) // convert the character in V_23 to upper case
  IL_00cd:  stelem.ref  // store the converted character in V_29[0] ( T )

  IL_00ce:  nop
  IL_00cf:  ldloc.s    V_29
  IL_00d1:  ldc.i4.1
  IL_00d2:  ldloc.s    V_11
  IL_00d4:  stelem.ref   // store the character in V_11 in V_29[1] [ o ]

  IL_00d5:  nop
  IL_00d6:  ldloc.s    V_29
  IL_00d8:  ldc.i4.2
  IL_00d9:  ldstr      " "
  IL_00de:  stelem.ref // store a space in V_29[2] [ ]

  IL_00df:  nop
  IL_00e0:  ldloc.s    V_29
  IL_00e2:  ldc.i4.3
  IL_00e3:  ldloc.s    V_8
  IL_00e5:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_00ea:  stelem.ref  // V_29[3]=D

  IL_00eb:  nop
  IL_00ec:  ldloc.s    V_29
  IL_00ee:  ldc.i4.4
  IL_00ef:  ldloc.s    V_9
  IL_00f1:  stelem.ref // V_29[4]=e

  IL_00f2:  nop
  IL_00f3:  ldloc.s    V_29
  IL_00f5:  ldc.i4.5
  IL_00f6:  ldloc.s    V_5
  IL_00f8:  stelem.ref //V_29[5]=a

  IL_00f9:  nop
  IL_00fa:  ldloc.s    V_29
  IL_00fc:  ldc.i4.6
  IL_00fd:  ldloc.s    V_8
  IL_00ff:  stelem.ref // V_29[6]=d

  IL_0100:  nop
  IL_0101:  ldloc.s    V_29
  IL_0103:  ldc.i4.7
  IL_0104:  ldstr      " "
  IL_0109:  stelem.ref //V_29[7]=" "

  IL_010a:  nop
  IL_010b:  ldloc.s    V_29
  IL_010d:  ldc.i4.8
  IL_010e:  ldloc.s    V_23
  IL_0110:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_0115:  stelem.ref // V_29[8]=T

  IL_0116:  nop
  IL_0117:  ldloc.s    V_29
  IL_0119:  ldc.i4.s   9
  IL_011b:  ldloc.s    V_11
  IL_011d:  stelem.ref

  IL_011e:  nop
  IL_011f:  ldloc.s    V_29
  IL_0121:  ldc.i4.s   10
  IL_0123:  ldstr      " "
  IL_0128:  stelem.ref

  IL_0129:  nop
  IL_012a:  ldloc.s    V_29
  IL_012c:  ldc.i4.s   11
  IL_012e:  ldloc.s    V_13
  IL_0130:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_0135:  stelem.ref

  IL_0136:  nop
  IL_0137:  ldloc.s    V_29
  IL_0139:  ldc.i4.s   12
  IL_013b:  ldloc.s    V_14
  IL_013d:  stelem.ref

  IL_013e:  nop
  IL_013f:  ldloc.s    V_29
  IL_0141:  ldc.i4.s   13
  IL_0143:  ldloc.s    V_8
  IL_0145:  stelem.ref

  IL_0146:  nop
  IL_0147:  ldloc.s    V_29
  IL_0149:  ldc.i4.s   14
  IL_014b:  ldloc.s    V_9
  IL_014d:  stelem.ref //V_29[14]=e
  IL_014e:  nop

  IL_014f:  ldloc.s    V_29
  IL_0151:  call       string [mscorlib]System.String::Concat(string[])
  IL_0156:  stloc.s    V_28 // V_28 = Concat(V_29) = "To Dead To Hide"

  IL_0158:  ldc.i4.s   13
  IL_015a:  newarr     [mscorlib]System.String
  IL_015f:  stloc.s    V_29 // a new array of length 13 is created and assigned to V_29

  IL_0161:  ldloc.s    V_29
  IL_0163:  ldc.i4.0 // push the integer 0 onto the stack
  IL_0164:  ldloc.s    V_22 // push the character in V_22 onto the stack
  IL_0166:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_016b:  stelem.ref  //V_29[0]=S

  IL_016c:  nop
  IL_016d:  ldloc.s    V_29
  IL_016f:  ldc.i4.1
  IL_0170:  ldloc.s    V_23
  IL_0172:  stelem.ref
  IL_0173:  nop
  IL_0174:  ldloc.s    V_29
  IL_0176:  ldc.i4.2
  IL_0177:  ldloc.s    V_21
  IL_0179:  stelem.ref
  IL_017a:  nop
  IL_017b:  ldloc.s    V_29
  IL_017d:  ldc.i4.3
  IL_017e:  ldloc.s    V_11
  IL_0180:  stelem.ref
  IL_0181:  nop
  IL_0182:  ldloc.s    V_29
  IL_0184:  ldc.i4.4
  IL_0185:  ldloc.0
  IL_0186:  stelem.ref
  IL_0187:  nop
  IL_0188:  ldloc.s    V_29
  IL_018a:  ldc.i4.5
  IL_018b:  ldloc.s    V_12
  IL_018d:  stelem.ref
  IL_018e:  nop
  IL_018f:  ldloc.s    V_29
  IL_0191:  ldc.i4.6
  IL_0192:  ldstr      " "
  IL_0197:  stelem.ref
  IL_0198:  nop
  IL_0199:  ldloc.s    V_29
  IL_019b:  ldc.i4.7
  IL_019c:  ldloc.1
  IL_019d:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_01a2:  stelem.ref
  IL_01a3:  nop
  IL_01a4:  ldloc.s    V_29
  IL_01a6:  ldc.i4.8
  IL_01a7:  ldloc.s    V_14
  IL_01a9:  stelem.ref
  IL_01aa:  nop
  IL_01ab:  ldloc.s    V_29
  IL_01ad:  ldc.i4.s   9
  IL_01af:  ldloc.s    V_23
  IL_01b1:  stelem.ref
  IL_01b2:  nop
  IL_01b3:  ldloc.s    V_29
  IL_01b5:  ldc.i4.s   10
  IL_01b7:  ldloc.s    V_23
  IL_01b9:  stelem.ref
  IL_01ba:  nop
  IL_01bb:  ldloc.s    V_29
  IL_01bd:  ldc.i4.s   11
  IL_01bf:  ldloc.s    V_9
  IL_01c1:  stelem.ref
  IL_01c2:  nop
  IL_01c3:  ldloc.s    V_29
  IL_01c5:  ldc.i4.s   12
  IL_01c7:  ldloc.s    V_8
  IL_01c9:  stelem.ref

  IL_01ca:  nop
  IL_01cb:  ldloc.s    V_29
  IL_01cd:  call       string [mscorlib]System.String::Concat(string[])
  IL_01d2:  stloc.s    V_26 // V_26="Strong Witted"

  IL_01d4:  ldarg.0
  IL_01d5:  callvirt   instance class [System.Windows.Forms]System.Windows.Forms.TextBox HBHAppChallenge.Form1::get_txtPassword()
  IL_01da:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
  IL_01df:  ldloc.s    V_28 
  IL_01e1:  ldc.i4.0
  IL_01e2:  call       int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::StrCmp(string,
                                                                                                              string,
                                                                                                              bool) // compare V_28 with the entered password
The analysis shows that the password to enter is To Dead To Hide, and the password HBH asks for is Strong Witted.
Let's verify:
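
The hand trace above can also be replayed mechanically. The following Python example is added here and is not part of the original post: it interprets only the IL subset this method uses (ldstr, ldc.i4, stloc, ldloc, newarr, stelem.ref, UCase, Concat(string[])) and returns the locals, so strings assembled letter by letter fall out directly. The name run_il and the sample listing are constructed for illustration.

```python
import re

# Constructed listing in ILDASM's output format (not copied from app11).
SAMPLE_IL = '''
  IL_0000:  ldstr      "o"
  IL_0005:  stloc.0
  IL_0006:  ldc.i4.2
  IL_0007:  newarr     [mscorlib]System.String
  IL_000c:  stloc.s    V_9
  IL_000e:  ldloc.s    V_9
  IL_0010:  ldc.i4.0
  IL_0011:  ldloc.0
  IL_0012:  call       string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
  IL_0017:  stelem.ref  // V_9[0] = "O"
  IL_0018:  ldloc.s    V_9
  IL_001a:  ldc.i4.1
  IL_001b:  ldstr      "k"
  IL_0020:  stelem.ref  // V_9[1] = "k"
  IL_0021:  ldloc.s    V_9
  IL_0023:  call       string [mscorlib]System.String::Concat(string[])
  IL_0028:  stloc.s    V_7
'''
LINE = re.compile(r'^\s*IL_[0-9a-fA-F]+:[ \t]+([\w.]+)[ \t]*(.*?)[ \t]*(?://.*)?$', re.M)

def run_il(listing):
    """Evaluate the IL subset used above; return {local index: value}."""
    stack, slots = [], {}
    for op, arg in LINE.findall(listing):
        num = re.search(r'(\d+)$', arg or op)    # "stloc.0" or "stloc.s V_4"
        if op == 'ldstr':
            stack.append(arg[1:-1])              # strip the quotes
        elif op.startswith('ldc.i4'):
            stack.append(int(num.group(1)))
        elif op.startswith('stloc'):
            slots[int(num.group(1))] = stack.pop()
        elif op.startswith('ldloc'):
            stack.append(slots[int(num.group(1))])
        elif op == 'newarr':
            stack.append([''] * stack.pop())     # null slots concatenate as ""
        elif op == 'stelem.ref':
            value, index, array = stack.pop(), stack.pop(), stack.pop()
            array[index] = value
        elif op == 'call' and '::UCase(' in arg:
            stack.append(stack.pop().upper())
        elif op == 'call' and '::Concat(string[])' in arg:
            stack.append(''.join(stack.pop()))
        elif op != 'nop':
            raise ValueError('unsupported instruction: ' + op + ' ' + arg)
    return slots
```

Run over the listing above from IL_0000 through IL_01d2, the same interpreter leaves the two strings in locals 28 and 26. Splitting a secret into single-letter locals therefore adds no protection against static analysis.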

