160CM1

首先随便输入一个用户名和序列号，然后点击“Check it baby”按钮。

弹出一个“Try Again!”信息框。
此时在 OllyDbg 里按 K（查看调用栈）：77D 开头的返回地址属于系统 DLL，不是程序自身的代码，因此选择用户代码中的返回地址 0042A1AE，右键“显示调用”。

按 Alt+F9（执行到用户代码）返回到程序自身的代码，停在下面这个函数：

;------------------------------------------------------------------------------
; 0042A170 — message-box helper, called from both the "Congratz" and the
; "Try Again!" path of the serial check (0042FB18 / 0042FB32).
; Arguments arrive in registers, consistent with the Borland/Delphi register
; convention (eax, edx, ecx) — see the callers at 0042FB07..0042FB18:
;   eax     = object pointer; [eax+0x24] is passed as hOwner
;   edx     = message text,   ecx = caption
;   [arg.1] = MessageBoxA style (the callers push 0, i.e. MB_OK)
; The button clicked (MessageBoxA's return value) is stored in [local.1] and
; never read again in this listing, so no accept/reject decision is made here —
; patching this routine is pointless; the decision is the jnz at 0042FB03.
;------------------------------------------------------------------------------
0042A170  /$  55            push ebp
0042A171  |.  8BEC          mov ebp,esp
0042A173  |.  83C4 F4       add esp,-0xC
; room for 3 dword locals: local.1 = MessageBoxA result, local.2 = previously
; active window, local.3 = result of the 004241A0 helper
0042A176  |.  53            push ebx
0042A177  |.  56            push esi                                 ;  Acid_bur.0042FB80
0042A178  |.  57            push edi                                 ;  Acid_bur.0042FB74
; move the register arguments out of the volatile registers before calling out
0042A179  |.  8BF9          mov edi,ecx                              ;  ntdll.7C93003D
0042A17B  |.  8BF2          mov esi,edx
0042A17D  |.  8BD8          mov ebx,eax
; remember the currently active window so it can be restored after the dialog
0042A17F  |.  E8 7CB4FDFF   call <jmp.&user32.GetActiveWindow>       ; [GetActiveWindow
0042A184  |.  8945 F8       mov [local.2],eax
; 004241A0 (called with eax=0) and 00424250 (called with its result at 0042A1BE)
; are opaque helpers — looks like a save/restore pair around the dialog; confirm.
0042A187  |.  33C0          xor eax,eax
0042A189  |.  E8 12A0FFFF   call Acid_bur.004241A0
0042A18E  |.  8945 F4       mov [local.3],eax
; install an exception frame: push saved ebp, the handler 0042A1D0 and the old
; fs:[0] (SEH chain head), then make this record the new chain head.
; Borland try/finally idiom; the matching unlink is at 0042A1B3..0042A1B6.
0042A191  |.  33C0          xor eax,eax
0042A193  |.  55            push ebp
0042A194  |.  68 D0A14200   push Acid_bur.0042A1D0
0042A199  |.  64:FF30       push dword ptr fs:[eax]
0042A19C  |.  64:8920       mov dword ptr fs:[eax],esp
; MessageBoxA(hOwner=[ebx+0x24], Text=esi, Title=edi, Style=[arg.1])
; (stdcall: pushed right-to-left)
0042A19F  |.  8B45 08       mov eax,[arg.1]
0042A1A2  |.  50            push eax                                 ; /Style = MB_OKCANCEL|MB_APPLMODAL
0042A1A3  |.  57            push edi                                 ; |Title = "Try Again!"
0042A1A4  |.  56            push esi                                 ; |Text = "Sorry , The serial is incorect !"
0042A1A5  |.  8B43 24       mov eax,dword ptr ds:[ebx+0x24]          ; |
0042A1A8  |.  50            push eax                                 ; |hOwner = 00000001
0042A1A9  |.  E8 FAB5FDFF   call <jmp.&user32.MessageBoxA>           ; \MessageBoxA
; the pressed button is stored but dead from here on (never read below)
0042A1AE  |.  8945 FC       mov [local.1],eax
; unlink the exception frame: old fs:[0] -> edx, discard handler address and ebp
0042A1B1  |.  33C0          xor eax,eax
0042A1B3  |.  5A            pop edx                                  ;  0012F97C
0042A1B4  |.  59            pop ecx                                  ;  0012F97C
0042A1B5  |.  59            pop ecx                                  ;  0012F97C
0042A1B6  |.  64:8910       mov dword ptr fs:[eax],edx
; push the continuation 0042A1D7 (not shown) and fall into the finally block:
; the retn at 0042A1CF returns to 0042A1D7, not to the caller — the real
; epilogue (restoring edi/esi/ebx/ebp) presumably lives there.
0042A1B9  |.  68 D7A14200   push Acid_bur.0042A1D7
0042A1BE  |>  8B45 F4       mov eax,[local.3]
0042A1C1  |.  E8 8AA0FFFF   call Acid_bur.00424250
; restore the window that was active before the dialog
0042A1C6  |.  8B45 F8       mov eax,[local.2]
0042A1C9  |.  50            push eax                                 ; /hWnd = 00000001
0042A1CA  |.  E8 59B6FDFF   call <jmp.&user32.SetActiveWindow>       ; \SetActiveWindow
0042A1CF  \.  C3            retn


这个函数只负责弹出信息框：MessageBoxA 的返回值存入 [local.1] 后再没有被使用，里面也看不到任何条件跳转，所以判断逻辑不在这里。继续往外走，回到它的调用者：

; Tail of the serial-check handler (the function starts above 0042FA79 and
; continues past 0042FB37; neither edge is in this excerpt).
; 004039FC appears to be the string-compare helper: at 0042F4D0 it is called
; the same way with eax = control text and edx = expected string, and its ZF
; result drives the jnz below. Confirm by stepping into it.
0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC
; THE decision point: ZF clear (strings differ) -> "Try Again!" branch.
; "75 1A" is a two-byte instruction; patching both bytes to 90 90 (nop) makes
; every serial fall through to the success path.
0042FB03  |.  75 1A         jnz short Acid_bur.0042FB1F
; success path: 0042A170(eax=[[0x430A48]], edx=text, ecx=caption, style=0).
; [[0x430A48]] is a double-dereferenced global — presumably the application
; object whose [+0x24] becomes hOwner inside 0042A170.
0042FB05  |.  6A 00         push 0x0
0042FB07  |.  B9 CCFB4200   mov ecx,Acid_bur.0042FBCC                ;  Congratz !!
0042FB0C  |.  BA D8FB4200   mov edx,Acid_bur.0042FBD8                ;  Good job dude =)
0042FB11  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB16  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB18  |.  E8 53A6FFFF   call Acid_bur.0042A170
0042FB1D  |.  EB 18         jmp short Acid_bur.0042FB37
; failure path: identical call with the "Try Again!" strings. The two paths
; differ only in the strings shown — nothing else is unlocked on success.
0042FB1F  |>  6A 00         push 0x0
0042FB21  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74                ;  Try Again!
0042FB26  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80                ;  Sorry , The serial is incorect !
0042FB2B  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB30  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB32  |.  E8 39A6FFFF   call Acid_bur.0042A170                   ; (the call we just stepped out of)
0042FB37  |>  33C0          xor eax,eax


可以判断 `0042FB03 |. 75 1A jnz short Acid_bur.0042FB1F` 是关键跳：ZF 来自前一条 `call 004039FC`（字符串比较）的结果，不相等则跳到“Try Again!”分支。
把这两个字节 `75 1A` 改为 `90 90`（nop）即可让任意序列号通过。不过这只是爆破，下面继续分析算法，写出注册机。

接下来我们尝试分析算法。
在函数段首下断点（F2），然后单步（F8）慢慢往下走，走到下面这段：

; Serial-generation part of the check handler (excerpt; the function starts
; above 0042FA79 and continues past 0042FAED). ebx = the form object.
; 0041AA58 (edx=&local, eax=[ebx+off]) looks like "read control text into the
; local": the same helper reads [ebx+0x1E0] at 0042FAED and 0042F4BF, and that
; result is what gets compared against the expected string. So 0x1DC is
; presumably the Name field and 0x1E0 the Serial field — confirm in the debugger.
0042FA79  |> \8D55 F0       lea edx,[local.4]
0042FA7C  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82  |.  E8 D1AFFEFF   call Acid_bur.0041AA58
; first byte of the name, zero-extended: treated as UNSIGNED 0..255
; (a keygen using a signed char would go wrong for bytes >= 0x80)
0042FA87  |.  8B45 F0       mov eax,[local.4]
0042FA8A  |.  0FB600        movzx eax,byte ptr ds:[eax]
; one-operand imul: edx:eax = eax * [0x431750] (observed 0x29 = 41 by the
; author). The product is written back to 0x431750 and then doubled in place
; (x += x), so the global ends up holding byte*41*2.
; NOTE: 0x431750 is mutated here. Unless code before this point (not shown)
; resets it to 0x29 on every check, a second Check in the same process would
; multiply by the previous result instead of 41 — verify before trusting the
; keygen across repeated checks.
0042FA8D  |.  F72D 50174300 imul dword ptr ds:[0x431750]
0042FA93  |.  A3 50174300   mov dword ptr ds:[0x431750],eax          ;  Acid_bur.0042FAEA
0042FA98  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FA9D  |.  0105 50174300 add dword ptr ds:[0x431750],eax          ;  Acid_bur.0042FAEA
; 00403708 (eax=&local, edx=literal) looks like string assignment — the same
; helper loads "Hello"/"Dude!" at 0042F48A..0042F49F:
;   local.1 = "CW", local.2 = "CRACKED"
0042FAA3  |.  8D45 FC       lea eax,[local.1]
0042FAA6  |.  BA ACFB4200   mov edx,Acid_bur.0042FBAC                ;  CW
0042FAAB  |.  E8 583CFDFF   call Acid_bur.00403708
0042FAB0  |.  8D45 F8       lea eax,[local.2]
0042FAB3  |.  BA B8FB4200   mov edx,Acid_bur.0042FBB8                ;  CRACKED
0042FAB8  |.  E8 4B3CFDFF   call Acid_bur.00403708
; push the 5 pieces, first piece pushed first: "CW", "-", <number>, "-", "CRACKED"
0042FABD  |.  FF75 FC       push [local.1]                           ;  Acid_bur.0042FBAC
0042FAC0  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  -
; 00406718 (eax=value, edx=&local.6) converts the computed number to a string;
; the stack shows "CW-6642-CRACKED" right after the concatenation below
0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718
0042FAD2  |.  FF75 E8       push [local.6]
0042FAD5  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  -
0042FADA  |.  FF75 F8       push [local.2]                           ;  Acid_bur.0042FBB8
; 004039AC(eax=&local.3, edx=5 = piece count) concatenates into local.3 —
; the same helper builds "Hello Dude!" from 3 pieces at 0042F4B7
0042FADD  |.  8D45 F4       lea eax,[local.3]
0042FAE0  |.  BA 05000000   mov edx,0x5
0042FAE5  |.  E8 C23EFDFF   call Acid_bur.004039AC
; now fetch the user-entered serial ([ebx+0x1E0]) into local.4, presumably for
; the compare at 0042FAFE (the lines in between are not in this excerpt)
0042FAEA  |.  8D55 F0       lea edx,[local.4]
0042FAED  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]


走到 0042FAEA 处时，堆栈中出现了 `0012F99C  009D1BC4  ASCII "CW-6642-CRACKED"`——这就是上面 `call 004039AC` 把 5 段字符串拼接出来的正确序列号。
其中 “CW” 和 “CRACKED” 都是固定的，中间的数字由用户名决定。
通过分析可以知道：

```asm
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; 取用户名第一个字符，零扩展到 eax（按无符号 0..255 处理）
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; eax 乘以 [0x431750]（调试时看到为 0x29 = 41）
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax ; 乘积写回 431750
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; 自身相加一次，即再乘 2
```

即：序列号 = "CW-" + (用户名首字符的 ASCII 码 × 41 × 2) + "-CRACKED"。
注意 0x431750 是一个会被改写的全局变量：除非前面未贴出的代码在每次检查前把它重新置为 0x29，否则同一进程内第二次点击 Check 时乘数就不再是 41 了，写注册机时需要确认这一点。

附上注册机代码：
```cpp
#include <iostream>
#include <string>
using namespace std;
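// Keygen for the first check — reproduces 0042FA8A..0042FAE5.
// The target takes the FIRST byte of the name, zero-extends it (movzx, so the
// value is 0..255 and never negative), multiplies by the constant at 0x431750
// (observed 0x29 = 41), doubles the product and splices it between "CW-" and
// "-CRACKED".
// Any checks on the name that run before 0042FA79 are not in the listing; an
// empty name yields "CW-0-CRACKED" here, which the target may still reject.
string acid_burn_serial(const string& name) {
    // unsigned char mirrors the movzx: with a plain (signed) char a first byte
    // in 0x80..0xFF would go negative and produce a wrong serial.
    unsigned int first = name.empty() ? 0u : static_cast<unsigned char>(name[0]);
    unsigned int value = first * 41u * 2u;
    return "CW-" + to_string(value) + "-CRACKED";
}

int main() {
    string user;
    cin >> user;                         // first whitespace-delimited token only
    cout << acid_burn_serial(user);

    cin.get();                           // keep the console open
    cin.get();
    return 0;
}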

```

第二个（密码校验）与上面同理：从堆栈区可以直接看出，程序用 “Hello” + 一个空格（0042F560 处，应为 " "）+ “Dude!” 拼出固定字符串 “Hello Dude!”，再与输入做字符串比较（`call 004039FC`），由 `jnz` 决定成败。密码是明文常量，直接搜索字符串也能找到：

;------------------------------------------------------------------------------
; 0042F470 — second check (the password button). The expected password is a
; plain constant assembled from string literals at run time and compared whole
; against the control text, so it is trivially recoverable from a string dump
; or, as the author did, from the stack. eax = form object on entry (-> ebx).
;------------------------------------------------------------------------------
0042F470  /.  55            push ebp
0042F471  |.  8BEC          mov ebp,esp
; four pushes of ecx=0 zero-initialise local.1..local.4 (the string locals)
0042F473  |.  33C9          xor ecx,ecx
0042F475  |.  51            push ecx
0042F476  |.  51            push ecx
0042F477  |.  51            push ecx
0042F478  |.  51            push ecx
0042F479  |.  53            push ebx
0042F47A  |.  8BD8          mov ebx,eax
; install an exception frame (handler 0042F52C) on the fs:[0] SEH chain;
; unlinked at 0042F50B..0042F50E — Borland try/finally idiom
0042F47C  |.  33C0          xor eax,eax
0042F47E  |.  55            push ebp
0042F47F  |.  68 2CF54200   push Acid_bur.0042F52C
0042F484  |.  64:FF30       push dword ptr fs:[eax]
0042F487  |.  64:8920       mov dword ptr fs:[eax],esp
; local.1 = "Hello", local.2 = "Dude!" (00403708 looks like string assignment)
0042F48A  |.  8D45 FC       lea eax,[local.1]
0042F48D  |.  BA 40F54200   mov edx,Acid_bur.0042F540                ;  Hello
0042F492  |.  E8 7142FDFF   call Acid_bur.00403708
0042F497  |.  8D45 F8       lea eax,[local.2]
0042F49A  |.  BA 50F54200   mov edx,Acid_bur.0042F550                ;  Dude!
0042F49F  |.  E8 6442FDFF   call Acid_bur.00403708
; concatenate 3 pieces into local.3: "Hello" + [0042F560] + "Dude!".
; The observed result is "Hello Dude!", so 0042F560 should be a single space.
0042F4A4  |.  FF75 FC       push [local.1]                           ;  Acid_bur.0042F540
0042F4A7  |.  68 60F54200   push Acid_bur.0042F560
0042F4AC  |.  FF75 F8       push [local.2]                           ;  Acid_bur.0042F550
0042F4AF  |.  8D45 F4       lea eax,[local.3]
0042F4B2  |.  BA 03000000   mov edx,0x3
0042F4B7  |.  E8 F044FDFF   call Acid_bur.004039AC
; local.4 = text of the control at [ebx+0x1E0] (presumably the password field)
0042F4BC  |.  8D55 F0       lea edx,[local.4]
0042F4BF  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5  |.  E8 8EB5FEFF   call Acid_bur.0041AA58
; compare entered text (eax) against the expected string (edx);
; jnz = mismatch -> "Failed!" branch. Same single-jump structure as 0042FB03.
0042F4CA  |.  8B45 F0       mov eax,[local.4]
0042F4CD  |.  8B55 F4       mov edx,[local.3]
0042F4D0  |.  E8 2745FDFF   call Acid_bur.004039FC
0042F4D5  |.  75 1A         jnz short Acid_bur.0042F4F1
; success: message box via 0042A170 (eax=[[0x430A48]], edx=text, ecx=caption, style 0)
0042F4D7  |.  6A 00         push 0x0
0042F4D9  |.  B9 64F54200   mov ecx,Acid_bur.0042F564                ;  Congratz!
0042F4DE  |.  BA 70F54200   mov edx,Acid_bur.0042F570                ;  God Job dude !! =)
0042F4E3  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F4E8  |.  8B00          mov eax,dword ptr ds:[eax]
0042F4EA  |.  E8 81ACFFFF   call Acid_bur.0042A170
0042F4EF  |.  EB 18         jmp short Acid_bur.0042F509
; failure: same helper with "Failed!" / "Try Again!!"
0042F4F1  |>  6A 00         push 0x0
0042F4F3  |.  B9 84F54200   mov ecx,Acid_bur.0042F584                ;  Failed!
0042F4F8  |.  BA 8CF54200   mov edx,Acid_bur.0042F58C                ;  Try Again!!
0042F4FD  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F502  |.  8B00          mov eax,dword ptr ds:[eax]
0042F504  |.  E8 67ACFFFF   call Acid_bur.0042A170
0042F509  |>  33C0          xor eax,eax
; unlink the exception frame: old fs:[0] -> edx, discard handler address and ebp
0042F50B  |.  5A            pop edx                                  ;  0012FA98
0042F50C  |.  59            pop ecx                                  ;  0012FA98
0042F50D  |.  59            pop ecx                                  ;  0012FA98
0042F50E  |.  64:8910       mov dword ptr fs:[eax],edx               ;  ntdll.KiFastSystemCallRet
; push the continuation 0042F533 (not shown) and fall into the finally block.
; 00403670 (local.4) and 00403694 (edx=3, local.3 downwards) look like string
; release helpers. The retn returns to 0042F533, where the real epilogue
; (pop ebx / mov esp,ebp / pop ebp / ret) presumably lives.
0042F511  |.  68 33F54200   push Acid_bur.0042F533
0042F516  |>  8D45 F0       lea eax,[local.4]
0042F519  |.  E8 5241FDFF   call Acid_bur.00403670
0042F51E  |.  8D45 F4       lea eax,[local.3]
0042F521  |.  BA 03000000   mov edx,0x3
0042F526  |.  E8 6941FDFF   call Acid_bur.00403694
0042F52B  \.  C3            retn

