:00401162 8D4DF4
lea ecx, dword ptr [ebp-0C] <br>
:00401165 51
push ecx <br>
:00401166 E811FFFFFF
call 0040107C<----此CALL计算密码 <br>
:0040116B 59
pop ecx <br>
<br>
按F8进入00401166的CALL <br>
:0040108D B9E7030000
mov ecx, 000003E7 <br>
:00401092 81C2495F0E00 add
edx, 000E5F49<----EDX 中是我们输入的数字(示例用 12345678, 十六进制 BC614E; EDX 在 0040108D 之前已装入, 该段未列出), 这里加上 000E5F49(十进制 941897) <br>
:00401098 81C1A93E0F00 add
ecx, 000F3EA9<----用000F3EA9加上固定数字999(十六进制03e7) <br>
:0040109E 90
nop <br>
:0040109F 90
nop <br>
...................................... <br>
:004010A7 90
nop <br>
:004010A8 83C258
add edx, 00000058<----加上 58(十六进制, 即十进制 88)<br>
:004010AB 83C1A9
add ecx, -57<----减 57(十六进制, 即十进制 87; 机器码 83C1A9 中的立即数 A9 经符号扩展就是 -57)<br>
:004010AE 3BD1
cmp edx, ecx<----比较这两个数字 <br>
:004010B0 7518
jne 004010CA<----如不正确就跳到错误信息 <br>
:004010B2 6800100000
push 00001000 <br>
<br>
在004010AE (cmp EDX, ECX)键入: <br>
? EDX <---- 13287663 (我们输入经过计算的密码) <br>
? ECX <---- 999993 (正确的数字) <br>
下面全部以十进制表示计算(上面 ? 命令显示的 13287663 和 999993 就是十进制值): <br>
ECX = 999 + 999081(十六进制 F3EA9) - 87 = 999993 <br>
EDX = 12345678 + 941897(十六进制 E5F49) + 88 = 13287663 <br>
<br>
因此我们反推密码(十进制): <br>
999993 - 88 - 941897 = 58008, 即输入 58008 时 004010AE 处 EDX 与 ECX 相等, 不会跳到 004010CA 的出错分支
</table>
</div>
<div id="KB8Parent" class="parent"> <a href="#" onClick="expandIt('KB8'); return false" class="p9">
4、习题四 答案</a> </div>
<div id="KB8Child" class="child">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="952">
<p class="p9">破解chap6-1-1-04 <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:0040121E E87D020000
Call 004014A0 <br>
:00401223 83F800
cmp eax, 00000000 <br>
:00401226 74BE
je 004011E6 <br>
:00401228 688E214000
push 0040218E <br>
:0040122D E84C010000
call 0040137E ----通过NAME算出一个数字 <br>
:00401232 50
push eax <br>
:00401233 687E214000
push 0040217E <br>
:00401238 E89B010000
call 004013D8 ----通过输入的SERIAL算出一个数字 <br>
:0040123D 83C404
add esp, 00000004 <br>
:00401240 58
pop eax <br>
:00401241 3BC3
cmp eax, ebx ----比较两个数字是否相同
<br>
:00401243 7407
je 0040124C <br>
:00401245 E818010000
call 00401362 <br>
:0040124A EB9A
jmp 004011E6 <br>
<br>
* Referenced by a CALL at Address: <br>
|:0040122D <br>
| <br>
:0040137E 8B742404
mov esi, dword ptr [esp+04] <br>
:00401382 56
push esi <br>
:00401383 8A06
mov al, byte ptr [esi] ----ESI中放的是输入的姓名 <br>
:00401385 84C0
test al, al <br>
:00401387 7413
je 0040139C <br>
:00401389 3C41
cmp al, 41 <br>
:0040138B 721F
jb 004013AC ----字符小于 41h('A') 时跳到 004013AC(该处压入字符串参数后调用 0040143A, 应是出错提示), 所以姓名中不能含数字、空格等小于 'A' 的字符 <br>
:0040138D 3C5A
cmp al, 5A <br>
:0040138F 7303
jnb 00401394 <br>
:00401391 46
inc esi <br>
:00401392 EBEF
jmp 00401383 <br>
:00401394 E839000000
call 004013D2 ----作者推断为把输入的名字变成大写(004013D2 的代码未列出); 注意上面用的是 jnb, 所以 'Z'(5Ah) 本身以及所有大于 'Z' 的字符都会走到这里 <br>
:00401399 46
inc esi <br>
:0040139A EBE7
jmp 00401383 <br>
:0040139C 5E
pop esi <br>
:0040139D E820000000
call 004013C2 ----变后的姓名算出值放入EDI (1) <br>
:004013A2 81F778560000 xor
edi, 00005678 ----再变化 (2) <br>
:004013A8 8BC7
mov eax, edi <br>
:004013AA EB15
jmp 004013C1 <br>
:004013AC 5E
pop esi <br>
:004013AD 6A30
push 00000030 <br>
:004013AF 6860214000
push 00402160 <br>
:004013B4 6869214000
push 00402169 <br>
:004013B9 FF7508
push [ebp+08] <br>
:004013BC E879000000
Call 0040143A <br>
:004013C1 C3
ret <br>
<br>
* Referenced by a CALL at Address: <br>
|:00401238 <br>
| <br>
:004013D8 33C0
xor eax, eax <br>
:004013DA 33FF
xor edi, edi <br>
:004013DC 33DB
xor ebx, ebx <br>
:004013DE 8B742404
mov esi, dword ptr [esp+04] ----把输入的的密码放入ESI <br>
:004013E2 B00A
mov al, 0A <br>
:004013E4 8A1E
mov bl, byte ptr [esi] <br>
:004013E6 84DB
test bl, bl <br>
:004013E8 740B
je 004013F5 <br>
:004013EA 80EB30
sub bl, 30 ----BL-30h, 把 ASCII 数字转成数值; 这里没有检查字符是否真是 0-9, 非数字字符同样参与运算
<br>
:004013ED 0FAFF8
imul edi, eax ----EDI*EAX(此处EAX=0A=10!!!!!)
<br>
:004013F0 03FB
add edi, ebx ----EDI+EBX
<br>
:004013F2 46
inc esi <br>
:004013F3 EBED
jmp 004013E2 <br>
:004013F5 81F734120000 xor
edi, 00001234 <br>
:004013FB 8BDF
mov ebx, edi
----把处理后的放入EBX <br>
:004013FD C3
ret <br>
<br>
模拟运算: <br>
输入姓名:zxem <br>
输入密码:123456 <br>
我们可以看到(1)处算出的EDI=144(十六进制), (2)处为 144 XOR 5678 = 573C. <br>
我们知道密码的处理中为乘10再累加(EDI = EDI*10 + (字符-30h), 即把序列号按十进制字符串解析), 最后再 XOR 1234. 所以从EDI=573C反推真密码,如下: <br>
XOR 运算可逆, 573C XOR 1234 得到4508, <br>
而4508换成10进制为17672 <br>
所以真的密码为:17672 (姓名为 zxem 时) <br>
<br>
ZXEM 2000.3.20
</table>
</div>
<div id="KB9Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB9'); return false">
5、习题五 答案</a> </span></div>
<div id="KB9Child" class="child">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="28">
<p class="p9">bpx hmemcpy设断来到: <br>
:00427B7E E80DE2FEFF
call 00415D90 <br>
:00427B83 8B45FC
mov eax, dword ptr [ebp-04] <br>
:00427B86 50
push eax <br>
:00427B87 8D55F8
lea edx, dword ptr [ebp-08] <br>
:00427B8A 8B83DC010000
mov eax, dword ptr [ebx+000001DC] <br>
:00427B90 E8FBE1FEFF
call 00415D90 <br>
:00427B95 8B45F8
mov eax, dword ptr [ebp-08] <br>
:00427B98 5A
pop edx;;在这D EDX你将看到姓名、你输入号码、正确号码
<br>
:00427B99 E882FEFFFF
call 00427A20 ;; 比较序列号设置旗标 <br>
:00427B9E 3D4E61BC00
cmp eax, 00BC614E ;; eax与BC614E(十进制 12345678)比较 <br>
:00427BA3 7D1E
jge 00427BC3 ;; 带符号比较, eax >= BC614E 时跳转