重庆分公司,新征程启航
为企业提供网站建设、域名注册、服务器等服务
为岳西等地区用户提供了全套网页设计制作服务,及岳西网站建设行业解决方案。主营业务为成都网站建设、网站制作、岳西网站设计,以传统方式定制建设网站,并提供域名空间备案等一条龙服务,秉承以专业、用心的态度为用户提供真诚的服务。我们深信只要达到每一位用户的要求,就会得到认可,从而选择与我们长期合作。这样,我们也可以走得更远!
研究了几天....
要求输入帐号 密码
随意输入 后 提示错误。
00401410 . 53 push ebx
00401411 . 55 push ebp
00401412 . 56 push esi
00401413 . 57 push edi
00401414 . 8BF9 mov edi,ecx
00401416 . 6A 01 push 0x1
00401418 . E8 93030000 call
0040141D . 83C4 04 add esp,0x4
00401420 . 85C0 test eax,eax
00401422 . 74 07 je Xruhua.0040142B ; eax
00401424 . C600 18 mov byte ptr ds:[eax],0x18 ; eax为一个堆地址 [eax]=18
00401427 . 8BD8 mov ebx,eax ; 移栈
00401429 . EB 02 jmp Xruhua.0040142D
0040142B > 33DB xor ebx,ebx
0040142D > 6A 01 push 0x1
0040142F . E8 7C030000 call
00401434 . 83C4 04 add esp,0x4
00401437 . 85C0 test eax,eax
00401439 . 74 07 je Xruhua.00401442
0040143B . C600 18 mov byte ptr ds:[eax],0x18
0040143E . 8BF0 mov esi,eax
00401440 . EB 02 jmp Xruhua.00401444
00401442 > 33F6 xor esi,esi
00401444 > 6A 14 push 0x14
00401446 . 53 push ebx
00401447 . 8D8F A0000000 lea ecx,dword ptr ds:[edi+0xA0]
0040144D . E8 58030000 call
00401452 . 6A 14 push 0x14
00401454 . 56 push esi
00401455 . 8D4F 60 lea ecx,dword ptr ds:[edi+0x60]
00401458 . E8 4D030000 call
0040145D . 8BFB mov edi,ebx
0040145F . 83C9 FF or ecx,0xFFFFFFFF
00401462 . 33C0 xor eax,eax
00401464 . F2:AE repne scas byte ptr es:[edi] ; 串搜索
00401466 . F7D1 not ecx
00401468 . 49 dec ecx ; ecx = 6
00401469 . 8BFE mov edi,esi
0040146B . 8BE9 mov ebp,ecx ; 帐号
0040146D . 83C9 FF or ecx,0xFFFFFFFF
00401470 . F2:AE repne scas byte ptr es:[edi]
00401472 . F7D1 not ecx
00401474 . 49 dec ecx
00401475 . 83FD 0A cmp ebp,0xA ; 帐号长度>10 结束
00401478 . 77 60 ja Xruhua.004014DA
0040147A . 83F9 0A cmp ecx,0xA ; 密码长度>10 结束
0040147D . 77 5B ja Xruhua.004014DA
0040147F . 53 push ebx
00401480 . E8 7B000000 call ruhua.00401500 ; 账户 每个元素 xor 3 - 0x14
00401485 . 56 push esi
00401486 . E8 A5000000 call ruhua.00401530 ; 密码 每个元素 add 2 xor 0x10
0040148B . 83C4 08 add esp,0x8
0040148E > 8A0B mov cl,byte ptr ds:[ebx] ; cl存加密后的账户
00401490 . 8A16 mov dl,byte ptr ds:[esi] ; dl 存加密后的密码
00401492 . 8AC1 mov al,cl
00401494 . 3ACA cmp cl,dl
00401496 75 1E jnz Xruhua.004014B6 ; 关键跳
00401498 . 84C0 test al,al
0040149A . 74 16 je Xruhua.004014B2 ; al = 0 跳
0040149C . 8A53 01 mov dl,byte ptr ds:[ebx+0x1]
0040149F . 8A4E 01 mov cl,byte ptr ds:[esi+0x1]
004014A2 . 8AC2 mov al,dl
004014A4 . 3AD1 cmp dl,cl
004014A6 . 75 0E jnz Xruhua.004014B6
004014A8 . 83C3 02 add ebx,0x2
004014AB . 83C6 02 add esi,0x2
004014AE . 84C0 test al,al ; al = 0
004014B0 ^ 75 DC jnz Xruhua.0040148E ; while
004014B2 > 33C0 xor eax,eax
004014B4 . EB 05 jmp Xruhua.004014BB
004014B6 > 1BC0 sbb eax,eax
004014B8 . 83D8 FF sbb eax,-0x1
004014BB > 85C0 test eax,eax ; eax=0?
004014BD 75 1B jnz Xruhua.004014DA ; ZF = 0
004014BF . 85ED test ebp,ebp
004014C1 74 17 je Xruhua.004014DA
004014C3 . 50 push eax ; /Style
004014C4 . 68 50304000 push ruhua.00403050 ; |Ok
004014C9 . 68 2C304000 push ruhua.0040302C ; |Congratulations!This is the key!
004014CE . 50 push eax ; |hOwner
004014CF . FF15 D8214000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004014D5 . 5F pop edi
004014D6 . 5E pop esi
004014D7 . 5D pop ebp
004014D8 . 5B pop ebx
004014D9 . C3 retn
004014DA > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004014DC . 68 28304000 push ruhua.00403028 ; |Msg
004014E1 . 68 20304000 push ruhua.00403020 ; |Wrong!
004014E6 . 6A 00 push 0x0 ; |hOwner = NULL
004014E8 . FF15 D8214000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004014EE . 5F pop edi
004014EF . 5E pop esi
004014F0 . 5D pop ebp
004014F1 . 5B pop ebx
004014F2 . C3 retn
基本流程就是 输入帐号密码,进入帐号加密子程序,进入密码加密子程序
上图是帐号密码的子程序
上图为帐号加密过程
上图为密码加密过程
这一段比较模糊,不是很懂,最后翻看IDA 最后得知是strcmp()操作,也即将原来加密后的帐号与加密后的密码进行比较,若相同则OK.
IDA XX后的代码,果然是最强王者级别逆向工具。
int __thiscall sub_401410(void *this)
{
void *v1; // edi@1
int v2; // eax@1
char *v3; // ebx@2
int v4; // eax@4
char *v5; // esi@5
unsigned int v6; // kr04_4@7
unsigned int v7; // kr0C_4@7
int result; // eax@11
v1 = this;
v2 = operator new();
if ( v2 )
{
*(_BYTE *)v2 = 24;
v3 = (char *)v2;
}
else
{
v3 = 0;
}
v4 = operator new();
if ( v4 )
{
*(_BYTE *)v4 = 24;
v5 = (char *)v4;
}
else
{
v5 = 0;
}
CWnd::GetWindowTextA((CWnd *)((char *)v1 + 160), v3, 20);
CWnd::GetWindowTextA((CWnd *)((char *)v1 + 96), v5, 20);
v6 = strlen(v3) + 1; // v6 帐号
// v7 密码
v7 = strlen(v5) + 1;
if ( v6 - 1 > 0xA || v7 - 1 > 0xA || (sub_401500(v3), sub_401530(v5), strcmp(v3, v5)) || v6 == 1 )
result = MessageBoxA(0, "Wrong!", "Msg", 0);
else
result = MessageBoxA(0, "Congratulations!This is the key!", "Ok", 0);
return result;
}