[原创]看雪CTF2016 第10题分析-10-liuwan
发表于: 2016-11-21 13:21 3353
这道题比较简单,只加了两处反调试:一是向前台窗口发送消息将其关闭并禁用(被调试时前台窗口通常就是调试器窗口);二是调用 ZwSetInformationThread 设置 ThreadHideFromDebugger,使调试器不再收到该线程的调试事件。
分析见注释:
; Main check routine at 00F520A0 (32-bit x86, OllyDbg listing; author's notes translated to English).
; Flow visible below: anti-debug call -> read serial -> strstr(serial, "TrustMe") ->
; ZwSetInformationThread(ThreadHideFromDebugger), issued twice -> suffix check at 00F51FE0 -> "success!".
; Analyst's note: GetProcAddress("ZwSetInformationThread") followed by information class 0x11 is a
; well-known anti-debug marker and a useful triage signal when reviewing unknown binaries.
00F520A0 /$ 55 push ebp
00F520A1 |. 8BEC mov ebp, esp
00F520A3 |. 6A FE push -2 ; NOTE(review): looks like the initial SEH try level of an MSVC frame — confirm
00F520A5 |. 68 4044F700 push 00F74440
00F520AA |. 68 F0D6F500 push 00F5D6F0 ; Entry point (OllyDbg label)
00F520AF |. 64:A1 00000000 mov eax, fs:[0] ; previous exception registration record
00F520B5 |. 50 push eax
00F520B6 |. 83EC 14 sub esp, 14
00F520B9 |. A1 DC65F700 mov eax, [0F765DC] ; presumably the /GS security cookie — confirm
00F520BE |. 3145 F8 xor [ebp-8], eax
00F520C1 |. 33C5 xor eax, ebp
00F520C3 |. 8945 E4 mov [ebp-1C], eax ; value re-checked before return (see 00F521DF)
00F520C6 |. 53 push ebx
00F520C7 |. 56 push esi
00F520C8 |. 57 push edi
00F520C9 |. 50 push eax
00F520CA |. 8D45 F0 lea eax, [ebp-10]
00F520CD |. 64:A3 00000000 mov fs:[0], eax ; link this frame's exception registration record
00F520D3 |. E8 88FEFFFF call 00F51F60 ; //calls the anti-debug routine: closes and disables the foreground window (when debugged, the foreground window is the debugger window)
00F520D8 |. 3BF4 cmp esi, esp ; NOTE(review): result is not consumed before the next call — looks like filler
00F520DA |. E8 B1FCFFFF call 00F51D90 ; [CrackMe.00F51D90, //prints "password:" and reads the serial (SN)
00F520DF |. 8BF0 mov esi, eax ; esi = pointer to the entered serial
00F520E1 |. 3BF5 cmp esi, ebp ; NOTE(review): result is not consumed — looks like filler
00F520E3 |. C745 DC 54727573 mov dword ptr [ebp-24], 73757254 ; "Trus" (little-endian ASCII)
00F520EA |. C745 E0 744D6500 mov dword ptr [ebp-20], 654D74 ; "tMe\0" -> stack string "TrustMe"
00F520F1 |. 8D45 DC lea eax, [ebp-24]
00F520F4 |. 50 push eax ; /Arg2
00F520F5 |. 56 push esi ; |Arg1
00F520F6 |. E8 353E0000 call 00F55F30 ; \CrackMe.00F55F30, //strstr(SN,"TrustMe")
00F520FB |. 83C4 08 add esp, 8
00F520FE |. 85C0 test eax, eax
00F52100 |.- 75 07 jnz short 00F52109 ; substring found -> skip the error call
00F52102 |. 8BCE mov ecx, esi ; //SN must contain "TrustMe", otherwise "error!" is shown
00F52104 |. E8 87FDFFFF call 00F51E90
00F52109 |> 68 2438F700 push 00F73824 ; /Procname = "ZwSetInformationThread"
00F5210E |. 68 3C38F700 push 00F7383C ; |/FileName = "ntdll.dll"
00F52113 |. 8B3D 20D0F600 mov edi, [0F6D020] ; ||
00F52119 |. FFD7 call edi ; |\KERNEL32.LoadLibraryW
00F5211B |. 50 push eax ; |hModule
00F5211C |. 8B1D 24D0F600 mov ebx, [0F6D024] ; |
00F52122 |. FFD3 call ebx ; \KERNEL32.GetProcAddress
00F52124 |. 8BF0 mov esi, eax ; esi = resolved ZwSetInformationThread (result is not checked for NULL)
00F52126 |. 6A 00 push 0
00F52128 |. 6A 00 push 0
00F5212A |. 6A 11 push 11 ; //ThreadHideFromDebugger (class 0x11): suppresses debug events for the thread
00F5212C |. FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread
00F52132 |. 50 push eax
00F52133 |. FFD6 call esi ; //call ZwSetInformationThread to suppress debug events
00F52135 |. C745 FC 00000000 mov dword ptr [ebp-4], 0 ; NOTE(review): presumably SEH try level 0 — confirm
00F5213C |. A1 38D1F600 mov eax, [0F6D138] ; value at 0F6D138 is not identified in the write-up
00F52141 |. A3 4C8CF700 mov [0F78C4C], eax
00F52146 |. C745 FC FEFFFFFF mov dword ptr [ebp-4], -2
00F5214D |. E8 21000000 call 00F52173 ; [CrackMe.00F52173 (sub-entry below: repeats the hide-from-debugger call)
00F52152 |. A1 4C8CF700 mov eax, [0F78C4C]
00F52157 |. 3B05 40D1F600 cmp eax, [0F6D140] ; value at 0F6D140 is not identified in the write-up
00F5215D |.- 75 35 jne short 00F52194 ; not equal -> continue with the suffix check
00F5215F |. 6A 00 push 0 ; /ExitCode = 0
00F52161 |. FF15 14D0F600 call [0F6D014] ; \KERNEL32.ExitProcess
00F52167 |. 8B1D 24D0F600 mov ebx, [0F6D024]
00F5216D |. 8B3D 20D0F600 mov edi, [0F6D020]
00F52173 |$ 68 2438F700 push 00F73824 ; ASCII "ZwSetInformationThread"
00F52178 |. 68 3C38F700 push 00F7383C ; UNICODE "ntdll.dll"
00F5217D |. FFD7 call edi ; edi = LoadLibraryW, loaded at 00F52113 / 00F5216D
00F5217F |. 50 push eax
00F52180 |. FFD3 call ebx ; ebx = GetProcAddress, loaded at 00F5211C / 00F52167
00F52182 |. 8BF0 mov esi, eax
00F52184 |. 6A 00 push 0
00F52186 |. 6A 00 push 0
00F52188 |. 6A 11 push 11 ; //ThreadHideFromDebugger (class 0x11): suppresses debug events for the thread
00F5218A |. FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread
00F52190 |. 50 push eax
00F52191 |. FFD6 call esi ; //call ZwSetInformationThread to suppress debug events
00F52193 |. C3 retn
00F52194 |> E8 47FEFFFF call 00F51FE0 ; //checks whether the last 8 characters are "20161018"; returns 1 on success
00F52199 |. 85C0 test eax, eax
00F5219B |.- 74 32 jz short 00F521CF ; check failed -> return without a message
00F5219D |. 6A 09 push 9 ; //serial "TrustMe20161018" passes: show success (9 = bytes written to the buffer below)
00F5219F |. E8 FB300000 call 00F5529F
00F521A4 |. C700 73756363 mov dword ptr [eax], 63637573 ; "succ"
00F521AA |. C740 04 65737321 mov dword ptr [eax+4], 21737365 ; "ess!"
00F521B1 |. C640 08 00 mov byte ptr [eax+8], 0 ; NUL terminator -> "success!"
00F521B5 |. 8BD0 mov edx, eax
00F521B7 |. E8 D4120000 call 00F53490 ; [CrackMe.00F53490
00F521BC |. 50 push eax
00F521BD |. E8 BE170000 call 00F53980
00F521C2 |. 68 5038F700 push 00F73850 ; ASCII "pause"
00F521C7 |. E8 E43F0000 call 00F561B0 ; presumably system("pause") — confirm
00F521CC |. 83C4 0C add esp, 0C
00F521CF |> 33C0 xor eax, eax ; return value 0
00F521D1 |. 8B4D F0 mov ecx, [ebp-10]
00F521D4 |. 64:890D 00000000 mov fs:[0], ecx ; restore the previous exception registration record
00F521DB |. 59 pop ecx
00F521DC |. 5F pop edi
00F521DD |. 5E pop esi
00F521DE |. 5B pop ebx
00F521DF |. 8B4D E4 mov ecx, [ebp-1C]
00F521E2 |. 33CD xor ecx, ebp
00F521E4 |. E8 B6340000 call 00F5569F ; presumably the stack-cookie check — confirm
00F521E9 |. 8BE5 mov esp, ebp
00F521EB |. 5D pop ebp
00F521EC \. C3 retn
关闭,禁用窗口的反调试:
; Anti-debug routine at 00F51F60: sends message 2 (WM_DESTROY) to the foreground window, then disables it.
; The two user32 targets are not reached through the import table; each address is formed by adding
; two globals at run time, so the API names below are the write-up author's identification.
; The stray bytes (db E8 / db 79) sit on paths that are skipped and desynchronise linear disassembly.
00F51F60 $ 55 push ebp
00F51F61 . 8BEC mov ebp, esp
00F51F63 . 51 push ecx ; reserves the local at [ebp-4]
00F51F64 . 53 push ebx
00F51F65 . 56 push esi
00F51F66 . 57 push edi
00F51F67 . C745 FC 00000000 mov dword ptr [ebp-4], 0
00F51F6E . FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread (result is overwritten by the next call)
00F51F74 . FF15 18D0F600 call [0F6D018] ; [KERNEL32.GetCommandLineW
00F51F7A . 85C0 test eax, eax
00F51F7C .- 75 09 jne short 00F51F87 ; NOTE(review): GetCommandLineW normally returns non-NULL, so this is expected to be always taken
00F51F7E . 1F pop ds ; Modification of segment register (OllyDbg warning); reached only on the NULL path
00F51F7F E8 db E8 ; stray opcode byte
00F51F80 /. 5F pop edi
00F51F81 |. 5E pop esi
00F51F82 |. 5B pop ebx
00F51F83 |. 8BE5 mov esp, ebp
00F51F85 |. 5D pop ebp
00F51F86 \. C3 retn
00F51F87 > 60 pushad
00F51F88 . 6A 00 push 0 ; pushed early; presumably lParam of the later message call
00F51F8A . A1 E075F700 mov eax, [0F775E0] ; Entry point (OllyDbg label)
00F51F8F .- EB 02 jmp short 00F51F93 ; jumps over the two stray bytes
00F51F91 E8 db E8
00F51F92 79 db 79 ; char 'y'
00F51F93 > 6A 00 push 0 ; presumably wParam of the later message call
00F51F95 . 0305 608CF700 add eax, [0F78C60] ; target = [0F775E0] + [0F78C60]
00F51F9B . FFD0 call eax ; //USER32.GetForegroundWindow
00F51F9D . 8945 FC mov [ebp-4], eax ; save the foreground window handle
00F51FA0 . 33C0 xor eax, eax
00F51FA2 . 8B15 E075F700 mov edx, [0F775E0] ; Entry point (OllyDbg label)
00F51FA8 . 6A 02 push 2 ; Msg = 2 (WM_DESTROY)
00F51FAA . 3D 90EEAB0F cmp eax, 0FABEE90 ; eax was just zeroed, so the compare never matches
00F51FAF .- 75 02 jne short 00F51FB3 ; always taken: skips the two stray bytes
00F51FB1 E8 db E8
00F51FB2 79 db 79 ; char 'y'
00F51FB3 /> FF75 FC push dword ptr [ebp-4] ; hWnd
00F51FB6 |. 0315 648CF700 add edx, [0F78C64] ; target = [0F775E0] + [0F78C64]
00F51FBC |. FFD2 call edx ; //SendMessageW WM_DESTROY closes the foreground window; if a debugger is in front, the debugger exits
00F51FBE |. 61 popad
00F51FBF |. 6A 00 push 0 ; /Enable = FALSE
00F51FC1 |. FF75 FC push dword ptr [ebp-4] ; |hWnd, //disable the foreground window
00F51FC4 |. FF15 48D1F600 call [0F6D148] ; \USER32.EnableWindow
00F51FCA |. 5F pop edi
00F51FCB |. 5E pop esi
00F51FCC |. 5B pop ebx
00F51FCD |. 8BE5 mov esp, ebp
00F51FCF |. 5D pop ebp
00F51FD0 \. C3 retn
后8位判断:
; Suffix check at 00F51FE0: returns 1 in eax when the serial is 15 characters long and
; atoi(serial + 7) == 20161018 (0x133A1FA); returns 0 otherwise.
; The global at 0F78C58 holds a pointer to the serial; "12345678" in OllyDbg's annotations is
; presumably the author's test input at capture time.
; NOTE(review): the stack object initialised with 0 / 0x0F looks like an MSVC std::string (size / capacity) — confirm.
00F51FE0 /$ 55 push ebp
00F51FE1 |. 8BEC mov ebp, esp
00F51FE3 |. 83E4 F8 and esp, FFFFFFF8 ; QWORD (8-byte) stack alignment
00F51FE6 |. 83EC 1C sub esp, 1C
00F51FE9 |. A1 DC65F700 mov eax, [0F765DC] ; presumably the /GS security cookie — confirm
00F51FEE |. 33C4 xor eax, esp
00F51FF0 |. 894424 18 mov [esp+18], eax
00F51FF4 |. 8B15 588CF700 mov edx, [0F78C58] ; ASCII "12345678"
00F51FFA |. 56 push esi
00F51FFB |. C74424 18 0F00000 mov dword ptr [esp+18], 0F ; presumably capacity = 15 (inline buffer)
00F52003 |. C74424 14 0000000 mov dword ptr [esp+14], 0 ; presumably size = 0
00F5200B |. 803A 00 cmp byte ptr [edx], 0 ; is the serial empty?
00F5200E |. C64424 04 00 mov byte ptr [esp+4], 0
00F52013 |.- 75 04 jne short 00F52019
00F52015 |. 33C9 xor ecx, ecx ; empty serial -> length 0
00F52017 |.- EB 10 jmp short 00F52029
00F52019 |> 8BCA mov ecx, edx
00F5201B |. 8D71 01 lea esi, [ecx+1] ; esi = start + 1, subtracted after the scan
00F5201E |. 8BFF mov edi, edi ; no-op
00F52020 |> 8A01 /mov al, [ecx] ; inline strlen: scan for the terminating NUL
00F52022 |. 41 |inc ecx
00F52023 |. 84C0 |test al, al
00F52025 |.- 75 F9 \jnz short 00F52020
00F52027 |. 2BCE sub ecx, esi ; ecx = length of the serial
00F52029 |> 51 push ecx ; length
00F5202A |. 52 push edx ; pointer to the serial
00F5202B |. 8D4C24 0C lea ecx, [esp+0C] ; address of the stack object
00F5202F |. E8 BC070000 call 00F527F0 ; presumably assigns (pointer, length) to the stack object — confirm
00F52034 |. 837C24 14 0F cmp dword ptr [esp+14], 0F ; //check the SN length: it must be exactly 15
00F52039 |.- 75 24 jne short 00F5205F
00F5203B |. A1 588CF700 mov eax, [0F78C58] ; ASCII "12345678"
00F52040 |. 83C0 07 add eax, 7 ; skip the first 7 characters
00F52043 |. 50 push eax ; /Arg1, //convert the last 8 characters to a number
00F52044 |. A3 588CF700 mov [0F78C58], eax ; | (side effect: the global pointer now points at serial + 7)
00F52049 |. E8 45410000 call 00F56193 ; \CrackMe.00F56193, //atoi
00F5204E |. 83C4 04 add esp, 4
00F52051 |. 3D FAA13301 cmp eax, 133A1FA ; //compare the last 8 characters of SN with decimal 20161018
00F52056 |.- 75 07 jne short 00F5205F
00F52058 |. BE 01000000 mov esi, 1 ; //last 8 characters are "20161018": return 1
00F5205D |.- EB 02 jmp short 00F52061
00F5205F |> 33F6 xor esi, esi ; any failed check: return 0
00F52061 |> 837C24 18 10 cmp dword ptr [esp+18], 10 ; NOTE(review): looks like "capacity >= 16 means a heap buffer" — confirm
00F52066 |.- 72 0C jb short 00F52074
00F52068 |. FF7424 04 push dword ptr [esp+4] ; /Arg1
00F5206C |. E8 5F440000 call 00F564D0 ; \CrackMe.00F55E64
00F52071 |. 83C4 04 add esp, 4
00F52074 |> 8B4C24 1C mov ecx, [esp+1C]
00F52078 |. 8BC6 mov eax, esi ; result -> eax
00F5207A |. 5E pop esi
00F5207B |. 33CC xor ecx, esp
00F5207D |. E8 1D360000 call 00F5569F ; presumably the stack-cookie check — confirm
00F52082 |. 8BE5 mov esp, ebp
00F52084 |. 5D pop ebp
00F52085 \. C3 retn
分析见注释:
; Main check routine at 00F520A0 (32-bit x86, OllyDbg listing; author's notes translated to English).
; Flow visible below: anti-debug call -> read serial -> strstr(serial, "TrustMe") ->
; ZwSetInformationThread(ThreadHideFromDebugger), issued twice -> suffix check at 00F51FE0 -> "success!".
; Analyst's note: GetProcAddress("ZwSetInformationThread") followed by information class 0x11 is a
; well-known anti-debug marker and a useful triage signal when reviewing unknown binaries.
00F520A0 /$ 55 push ebp
00F520A1 |. 8BEC mov ebp, esp
00F520A3 |. 6A FE push -2 ; NOTE(review): looks like the initial SEH try level of an MSVC frame — confirm
00F520A5 |. 68 4044F700 push 00F74440
00F520AA |. 68 F0D6F500 push 00F5D6F0 ; Entry point (OllyDbg label)
00F520AF |. 64:A1 00000000 mov eax, fs:[0] ; previous exception registration record
00F520B5 |. 50 push eax
00F520B6 |. 83EC 14 sub esp, 14
00F520B9 |. A1 DC65F700 mov eax, [0F765DC] ; presumably the /GS security cookie — confirm
00F520BE |. 3145 F8 xor [ebp-8], eax
00F520C1 |. 33C5 xor eax, ebp
00F520C3 |. 8945 E4 mov [ebp-1C], eax ; value re-checked before return (see 00F521DF)
00F520C6 |. 53 push ebx
00F520C7 |. 56 push esi
00F520C8 |. 57 push edi
00F520C9 |. 50 push eax
00F520CA |. 8D45 F0 lea eax, [ebp-10]
00F520CD |. 64:A3 00000000 mov fs:[0], eax ; link this frame's exception registration record
00F520D3 |. E8 88FEFFFF call 00F51F60 ; //calls the anti-debug routine: closes and disables the foreground window (when debugged, the foreground window is the debugger window)
00F520D8 |. 3BF4 cmp esi, esp ; NOTE(review): result is not consumed before the next call — looks like filler
00F520DA |. E8 B1FCFFFF call 00F51D90 ; [CrackMe.00F51D90, //prints "password:" and reads the serial (SN)
00F520DF |. 8BF0 mov esi, eax ; esi = pointer to the entered serial
00F520E1 |. 3BF5 cmp esi, ebp ; NOTE(review): result is not consumed — looks like filler
00F520E3 |. C745 DC 54727573 mov dword ptr [ebp-24], 73757254 ; "Trus" (little-endian ASCII)
00F520EA |. C745 E0 744D6500 mov dword ptr [ebp-20], 654D74 ; "tMe\0" -> stack string "TrustMe"
00F520F1 |. 8D45 DC lea eax, [ebp-24]
00F520F4 |. 50 push eax ; /Arg2
00F520F5 |. 56 push esi ; |Arg1
00F520F6 |. E8 353E0000 call 00F55F30 ; \CrackMe.00F55F30, //strstr(SN,"TrustMe")
00F520FB |. 83C4 08 add esp, 8
00F520FE |. 85C0 test eax, eax
00F52100 |.- 75 07 jnz short 00F52109 ; substring found -> skip the error call
00F52102 |. 8BCE mov ecx, esi ; //SN must contain "TrustMe", otherwise "error!" is shown
00F52104 |. E8 87FDFFFF call 00F51E90
00F52109 |> 68 2438F700 push 00F73824 ; /Procname = "ZwSetInformationThread"
00F5210E |. 68 3C38F700 push 00F7383C ; |/FileName = "ntdll.dll"
00F52113 |. 8B3D 20D0F600 mov edi, [0F6D020] ; ||
00F52119 |. FFD7 call edi ; |\KERNEL32.LoadLibraryW
00F5211B |. 50 push eax ; |hModule
00F5211C |. 8B1D 24D0F600 mov ebx, [0F6D024] ; |
00F52122 |. FFD3 call ebx ; \KERNEL32.GetProcAddress
00F52124 |. 8BF0 mov esi, eax ; esi = resolved ZwSetInformationThread (result is not checked for NULL)
00F52126 |. 6A 00 push 0
00F52128 |. 6A 00 push 0
00F5212A |. 6A 11 push 11 ; //ThreadHideFromDebugger (class 0x11): suppresses debug events for the thread
00F5212C |. FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread
00F52132 |. 50 push eax
00F52133 |. FFD6 call esi ; //call ZwSetInformationThread to suppress debug events
00F52135 |. C745 FC 00000000 mov dword ptr [ebp-4], 0 ; NOTE(review): presumably SEH try level 0 — confirm
00F5213C |. A1 38D1F600 mov eax, [0F6D138] ; value at 0F6D138 is not identified in the write-up
00F52141 |. A3 4C8CF700 mov [0F78C4C], eax
00F52146 |. C745 FC FEFFFFFF mov dword ptr [ebp-4], -2
00F5214D |. E8 21000000 call 00F52173 ; [CrackMe.00F52173 (sub-entry below: repeats the hide-from-debugger call)
00F52152 |. A1 4C8CF700 mov eax, [0F78C4C]
00F52157 |. 3B05 40D1F600 cmp eax, [0F6D140] ; value at 0F6D140 is not identified in the write-up
00F5215D |.- 75 35 jne short 00F52194 ; not equal -> continue with the suffix check
00F5215F |. 6A 00 push 0 ; /ExitCode = 0
00F52161 |. FF15 14D0F600 call [0F6D014] ; \KERNEL32.ExitProcess
00F52167 |. 8B1D 24D0F600 mov ebx, [0F6D024]
00F5216D |. 8B3D 20D0F600 mov edi, [0F6D020]
00F52173 |$ 68 2438F700 push 00F73824 ; ASCII "ZwSetInformationThread"
00F52178 |. 68 3C38F700 push 00F7383C ; UNICODE "ntdll.dll"
00F5217D |. FFD7 call edi ; edi = LoadLibraryW, loaded at 00F52113 / 00F5216D
00F5217F |. 50 push eax
00F52180 |. FFD3 call ebx ; ebx = GetProcAddress, loaded at 00F5211C / 00F52167
00F52182 |. 8BF0 mov esi, eax
00F52184 |. 6A 00 push 0
00F52186 |. 6A 00 push 0
00F52188 |. 6A 11 push 11 ; //ThreadHideFromDebugger (class 0x11): suppresses debug events for the thread
00F5218A |. FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread
00F52190 |. 50 push eax
00F52191 |. FFD6 call esi ; //call ZwSetInformationThread to suppress debug events
00F52193 |. C3 retn
00F52194 |> E8 47FEFFFF call 00F51FE0 ; //checks whether the last 8 characters are "20161018"; returns 1 on success
00F52199 |. 85C0 test eax, eax
00F5219B |.- 74 32 jz short 00F521CF ; check failed -> return without a message
00F5219D |. 6A 09 push 9 ; //serial "TrustMe20161018" passes: show success (9 = bytes written to the buffer below)
00F5219F |. E8 FB300000 call 00F5529F
00F521A4 |. C700 73756363 mov dword ptr [eax], 63637573 ; "succ"
00F521AA |. C740 04 65737321 mov dword ptr [eax+4], 21737365 ; "ess!"
00F521B1 |. C640 08 00 mov byte ptr [eax+8], 0 ; NUL terminator -> "success!"
00F521B5 |. 8BD0 mov edx, eax
00F521B7 |. E8 D4120000 call 00F53490 ; [CrackMe.00F53490
00F521BC |. 50 push eax
00F521BD |. E8 BE170000 call 00F53980
00F521C2 |. 68 5038F700 push 00F73850 ; ASCII "pause"
00F521C7 |. E8 E43F0000 call 00F561B0 ; presumably system("pause") — confirm
00F521CC |. 83C4 0C add esp, 0C
00F521CF |> 33C0 xor eax, eax ; return value 0
00F521D1 |. 8B4D F0 mov ecx, [ebp-10]
00F521D4 |. 64:890D 00000000 mov fs:[0], ecx ; restore the previous exception registration record
00F521DB |. 59 pop ecx
00F521DC |. 5F pop edi
00F521DD |. 5E pop esi
00F521DE |. 5B pop ebx
00F521DF |. 8B4D E4 mov ecx, [ebp-1C]
00F521E2 |. 33CD xor ecx, ebp
00F521E4 |. E8 B6340000 call 00F5569F ; presumably the stack-cookie check — confirm
00F521E9 |. 8BE5 mov esp, ebp
00F521EB |. 5D pop ebp
00F521EC \. C3 retn
关闭,禁用窗口的反调试:
; Anti-debug routine at 00F51F60: sends message 2 (WM_DESTROY) to the foreground window, then disables it.
; The two user32 targets are not reached through the import table; each address is formed by adding
; two globals at run time, so the API names below are the write-up author's identification.
; The stray bytes (db E8 / db 79) sit on paths that are skipped and desynchronise linear disassembly.
00F51F60 $ 55 push ebp
00F51F61 . 8BEC mov ebp, esp
00F51F63 . 51 push ecx ; reserves the local at [ebp-4]
00F51F64 . 53 push ebx
00F51F65 . 56 push esi
00F51F66 . 57 push edi
00F51F67 . C745 FC 00000000 mov dword ptr [ebp-4], 0
00F51F6E . FF15 1CD0F600 call [0F6D01C] ; [KERNEL32.GetCurrentThread (result is overwritten by the next call)
00F51F74 . FF15 18D0F600 call [0F6D018] ; [KERNEL32.GetCommandLineW
00F51F7A . 85C0 test eax, eax
00F51F7C .- 75 09 jne short 00F51F87 ; NOTE(review): GetCommandLineW normally returns non-NULL, so this is expected to be always taken
00F51F7E . 1F pop ds ; Modification of segment register (OllyDbg warning); reached only on the NULL path
00F51F7F E8 db E8 ; stray opcode byte
00F51F80 /. 5F pop edi
00F51F81 |. 5E pop esi
00F51F82 |. 5B pop ebx
00F51F83 |. 8BE5 mov esp, ebp
00F51F85 |. 5D pop ebp
00F51F86 \. C3 retn
00F51F87 > 60 pushad
00F51F88 . 6A 00 push 0 ; pushed early; presumably lParam of the later message call
00F51F8A . A1 E075F700 mov eax, [0F775E0] ; Entry point (OllyDbg label)
00F51F8F .- EB 02 jmp short 00F51F93 ; jumps over the two stray bytes
00F51F91 E8 db E8
00F51F92 79 db 79 ; char 'y'
00F51F93 > 6A 00 push 0 ; presumably wParam of the later message call
00F51F95 . 0305 608CF700 add eax, [0F78C60] ; target = [0F775E0] + [0F78C60]
00F51F9B . FFD0 call eax ; //USER32.GetForegroundWindow
00F51F9D . 8945 FC mov [ebp-4], eax ; save the foreground window handle
00F51FA0 . 33C0 xor eax, eax
00F51FA2 . 8B15 E075F700 mov edx, [0F775E0] ; Entry point (OllyDbg label)
00F51FA8 . 6A 02 push 2 ; Msg = 2 (WM_DESTROY)
00F51FAA . 3D 90EEAB0F cmp eax, 0FABEE90 ; eax was just zeroed, so the compare never matches
00F51FAF .- 75 02 jne short 00F51FB3 ; always taken: skips the two stray bytes
00F51FB1 E8 db E8
00F51FB2 79 db 79 ; char 'y'
00F51FB3 /> FF75 FC push dword ptr [ebp-4] ; hWnd
00F51FB6 |. 0315 648CF700 add edx, [0F78C64] ; target = [0F775E0] + [0F78C64]
00F51FBC |. FFD2 call edx ; //SendMessageW WM_DESTROY closes the foreground window; if a debugger is in front, the debugger exits
00F51FBE |. 61 popad
00F51FBF |. 6A 00 push 0 ; /Enable = FALSE
00F51FC1 |. FF75 FC push dword ptr [ebp-4] ; |hWnd, //disable the foreground window
00F51FC4 |. FF15 48D1F600 call [0F6D148] ; \USER32.EnableWindow
00F51FCA |. 5F pop edi
00F51FCB |. 5E pop esi
00F51FCC |. 5B pop ebx
00F51FCD |. 8BE5 mov esp, ebp
00F51FCF |. 5D pop ebp
00F51FD0 \. C3 retn
后8位判断:
; Suffix check at 00F51FE0: returns 1 in eax when the serial is 15 characters long and
; atoi(serial + 7) == 20161018 (0x133A1FA); returns 0 otherwise.
; The global at 0F78C58 holds a pointer to the serial; "12345678" in OllyDbg's annotations is
; presumably the author's test input at capture time.
; NOTE(review): the stack object initialised with 0 / 0x0F looks like an MSVC std::string (size / capacity) — confirm.
00F51FE0 /$ 55 push ebp
00F51FE1 |. 8BEC mov ebp, esp
00F51FE3 |. 83E4 F8 and esp, FFFFFFF8 ; QWORD (8-byte) stack alignment
00F51FE6 |. 83EC 1C sub esp, 1C
00F51FE9 |. A1 DC65F700 mov eax, [0F765DC] ; presumably the /GS security cookie — confirm
00F51FEE |. 33C4 xor eax, esp
00F51FF0 |. 894424 18 mov [esp+18], eax
00F51FF4 |. 8B15 588CF700 mov edx, [0F78C58] ; ASCII "12345678"
00F51FFA |. 56 push esi
00F51FFB |. C74424 18 0F00000 mov dword ptr [esp+18], 0F ; presumably capacity = 15 (inline buffer)
00F52003 |. C74424 14 0000000 mov dword ptr [esp+14], 0 ; presumably size = 0
00F5200B |. 803A 00 cmp byte ptr [edx], 0 ; is the serial empty?
00F5200E |. C64424 04 00 mov byte ptr [esp+4], 0
00F52013 |.- 75 04 jne short 00F52019
00F52015 |. 33C9 xor ecx, ecx ; empty serial -> length 0
00F52017 |.- EB 10 jmp short 00F52029
00F52019 |> 8BCA mov ecx, edx
00F5201B |. 8D71 01 lea esi, [ecx+1] ; esi = start + 1, subtracted after the scan
00F5201E |. 8BFF mov edi, edi ; no-op
00F52020 |> 8A01 /mov al, [ecx] ; inline strlen: scan for the terminating NUL
00F52022 |. 41 |inc ecx
00F52023 |. 84C0 |test al, al
00F52025 |.- 75 F9 \jnz short 00F52020
00F52027 |. 2BCE sub ecx, esi ; ecx = length of the serial
00F52029 |> 51 push ecx ; length
00F5202A |. 52 push edx ; pointer to the serial
00F5202B |. 8D4C24 0C lea ecx, [esp+0C] ; address of the stack object
00F5202F |. E8 BC070000 call 00F527F0 ; presumably assigns (pointer, length) to the stack object — confirm
00F52034 |. 837C24 14 0F cmp dword ptr [esp+14], 0F ; //check the SN length: it must be exactly 15
00F52039 |.- 75 24 jne short 00F5205F
00F5203B |. A1 588CF700 mov eax, [0F78C58] ; ASCII "12345678"
00F52040 |. 83C0 07 add eax, 7 ; skip the first 7 characters
00F52043 |. 50 push eax ; /Arg1, //convert the last 8 characters to a number
00F52044 |. A3 588CF700 mov [0F78C58], eax ; | (side effect: the global pointer now points at serial + 7)
00F52049 |. E8 45410000 call 00F56193 ; \CrackMe.00F56193, //atoi
00F5204E |. 83C4 04 add esp, 4
00F52051 |. 3D FAA13301 cmp eax, 133A1FA ; //compare the last 8 characters of SN with decimal 20161018
00F52056 |.- 75 07 jne short 00F5205F
00F52058 |. BE 01000000 mov esi, 1 ; //last 8 characters are "20161018": return 1
00F5205D |.- EB 02 jmp short 00F52061
00F5205F |> 33F6 xor esi, esi ; any failed check: return 0
00F52061 |> 837C24 18 10 cmp dword ptr [esp+18], 10 ; NOTE(review): looks like "capacity >= 16 means a heap buffer" — confirm
00F52066 |.- 72 0C jb short 00F52074
00F52068 |. FF7424 04 push dword ptr [esp+4] ; /Arg1
00F5206C |. E8 5F440000 call 00F564D0 ; \CrackMe.00F55E64
00F52071 |. 83C4 04 add esp, 4
00F52074 |> 8B4C24 1C mov ecx, [esp+1C]
00F52078 |. 8BC6 mov eax, esi ; result -> eax
00F5207A |. 5E pop esi
00F5207B |. 33CC xor ecx, esp
00F5207D |. E8 1D360000 call 00F5569F ; presumably the stack-cookie check — confirm
00F52082 |. 8BE5 mov esp, ebp
00F52084 |. 5D pop ebp
00F52085 \. C3 retn