ret 0004 <br>
<br>
(1)过程分析: <br>
如果输入123456 <br>
过程:
00 00 31 00 <br>
00 31 32 00 <br>
31 32 33 00 <br>
32 33 34 31 <br>
33 34 35 32
<br>
+) 34 35 36 33 <br>
结果: CB 00 35 96 <br>
<br>
而正确的应为:8D CA F3 68 <br>
我们通过上面的模拟分析可以大致了解运算过程;由于能产生同一相加结果的输入有很多,我们就可以大胆假设,反推出一组数。 <br>
我就推出一组6位的:""$%=) <br>
ZXEM 2000.3.23
</table>
</div>
<div id="KB7Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB7'); return false">
3、习题三 答案</a> </span></div>
<div id="KB7Child" class="child">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="28">
<p class="p9">这题我们用函数getdlgitemtexta设断,它的作用是取得指定输入框中输入的字符串,也是一个常用的函数。 <br>
在注册框中输入:12345678 <br>
然后设断:bpx getdlgitemtexta <br>
点击OK,你将中断在SOFTICE,具体如下: <br>
* Reference To: USER32.GetDlgItemTextA, Ord:0000h <br>
| <br>
:0040115D E8E4030000
Call 00401546 <br>
:00401162 8D4DF4
lea ecx, dword ptr [ebp-0C] <br>
:00401165 51
push ecx <br>
:00401166 E811FFFFFF
call 0040107C<----此CALL计算密码 <br>
:0040116B 59
pop ecx <br>
<br>
按F8进入00401166的CALL <br>
:0040108D B9E7030000
mov ecx, 000003E7 <br>
:00401092 81C2495F0E00 add
edx, 000E5F49<----用000E5F49加12345678(十六进制BC614E) <br>
:00401098 81C1A93E0F00 add
ecx, 000F3EA9<----用000F3EA9加上固定数字999(十六进制03e7) <br>
:0040109E 90
nop <br>
:0040109F 90
nop <br>
...................................... <br>
:004010A7 90
nop <br>
:004010A8 83C258
add edx, 00000058<----加上58(十六进制 )<br>
:004010AB 83C1A9
add ecx, -57<----减 57 (十六进制 )<br>
:004010AE 3BD1
cmp edx, ecx<----比较这两个数字 <br>
:004010B0 7518
jne 004010CA<----如不正确就跳到错误信息 <br>
:004010B2 6800100000
push 00001000 <br>
<br>
在004010AE (cmp EDX, ECX)键入: <br>
? EDX <---- 13287663 (我们输入的密码经过计算后的值) <br>
? ECX <---- 999993 (正确的数字) <br>
下面全部以十进制表示计算(十六进制 000F3EA9 = 999081, 57 = 87, 000E5F49 = 941897, 58 = 88): <br>
999 + 999081 - 87 = 999993 (ECX 的最终值) <br>
12345678 + 941897 + 88 = 13287663 (EDX 的最终值) <br>
<br>
因此我们反推密码(从 ECX 的最终值中减去对 EDX 所加的两个数): <br>
999993 - 88 - 941897 = 58008
</table>
</div>
<div id="KB8Parent" class="parent"> <a href="#" onClick="expandIt('KB8'); return false" class="p9">
4、习题四 答案</a> </div>
<div id="KB8Child" class="child">
<table width="100%" align="center" cellspacing="0">
<tr bgcolor="#EFEFEF">
<td height="1199">
<p class="p9">破解lesson1402-ex-04 <br>
<br>
* Reference To: USER32.DialogBoxParamA, Ord:0000h <br>
| <br>
:0040121E E87D020000
Call 004014A0 <br>
:00401223 83F800
cmp eax, 00000000 <br>
:00401226 74BE
je 004011E6 <br>
:00401228 688E214000
push 0040218E <br>
:0040122D E84C010000
call 0040137E ----通过NAME算出一个数字 <br>
:00401232 50
push eax <br>
:00401233 687E214000
push 0040217E <br>
:00401238 E89B010000
call 004013D8 ----通过输入的SERIAL算出一个数字 <br>
:0040123D 83C404
add esp, 00000004 <br>
:00401240 58
pop eax <br>
:00401241 3BC3
cmp eax, ebx ----比较两个数字是否相同
<br>
:00401243 7407
je 0040124C <br>
:00401245 E818010000
call 00401362 <br>
:0040124A EB9A
jmp 004011E6 <br>
<br>
* Referenced by a CALL at Address: <br>
|:0040122D <br>
| <br>
:0040137E 8B742404
mov esi, dword ptr [esp+04] <br>
:00401382 56
push esi <br>
:00401383 8A06
mov al, byte ptr [esi] ----ESI中放的是输入的姓名 <br>
:00401385 84C0
test al, al <br>
:00401387 7413
je 0040139C <br>
:00401389 3C41
cmp al, 41 <br>
:0040138B 721F
jb 004013AC <br>
:0040138D 3C5A
cmp al, 5A <br>
:0040138F 7303
jnb 00401394 <br>
:00401391 46
inc esi <br>
:00401392 EBEF
jmp 00401383 <br>
:00401394 E839000000
call 004013D2 ----把输入的名字变成大写 <br>
:00401399 46
inc esi <br>
:0040139A EBE7
jmp 00401383 <br>
:0040139C 5E
pop esi <br>
:0040139D E820000000
call 004013C2 ----根据变换后的姓名算出一个值放入EDI (1) <br>
:004013A2 81F778560000 xor
edi, 00005678 ----再变化 (2) <br>
:004013A8 8BC7
mov eax, edi <br>
:004013AA EB15
jmp 004013C1 <br>
:004013AC 5E
pop esi <br>
:004013AD 6A30
push 00000030 <br>
:004013AF 6860214000
push 00402160 <br>
:004013B4 6869214000
push 00402169 <br>
:004013B9 FF7508
push [ebp+08] <br>
:004013BC E879000000
Call 0040143A <br>
:004013C1 C3
ret <br>
<br>
* Referenced by a CALL at Address: <br>
|:00401238 <br>
| <br>
:004013D8 33C0
xor eax, eax <br>
:004013DA 33FF
xor edi, edi <br>
:004013DC 33DB
xor ebx, ebx <br>
:004013DE 8B742404
mov esi, dword ptr [esp+04] ----把输入的的密码放入ESI <br>
:004013E2 B00A
mov al, 0A <br>
:004013E4 8A1E
mov bl, byte ptr [esi] <br>
:004013E6 84DB
test bl, bl <br>
:004013E8 740B
je 004013F5 <br>
:004013EA 80EB30
sub bl, 30 ----BL-30
<br>
:004013ED 0FAFF8
imul edi, eax ----EDI*EAX(此处EAX=0A=10!!!!!)
<br>
:004013F0 03FB
add edi, ebx ----EDI+EBX
<br>