160个CrackMe之019

进入主界面,在 Name 栏输入 12345,Key 栏输入 6789,点击 Check 按钮弹出 "Incorrect!!, Try Again." 的错误框。在调试器中通过该提示字符串定位到校验函数(004014FE 附近),关键代码如下:

004014FE  |.  57            push edi
004014FF  |.  898D 40FEFFFF mov [local.112],ecx
00401505  |.  C745 F0 45632>mov [local.4],0x81276345                          ;  赋值
0040150C  |.  68 AC414000   push Brad_Sob.004041AC
00401511  |.  8D4D EC       lea ecx,[local.5]
00401514  |.  E8 77080000   call <jmp.&MFC42.#CString::CString_537>
00401519  |.  C745 FC 00000>mov [local.1],0x0
00401520  |.  68 B0414000   push Brad_Sob.004041B0
00401525  |.  8D4D E8       lea ecx,[local.6]
00401528  |.  E8 63080000   call <jmp.&MFC42.#CString::CString_537>
0040152D  |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401531  |.  68 B4414000   push Brad_Sob.004041B4
00401536  |.  8D4D DC       lea ecx,[local.9]
00401539  |.  E8 52080000   call <jmp.&MFC42.#CString::CString_537>
0040153E  |.  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401542  |.  8D45 EC       lea eax,[local.5]
00401545  |.  50            push eax
00401546  |.  68 E8030000   push 0x3E8
0040154B  |.  8B8D 40FEFFFF mov ecx,[local.112]                               ;  user32.DefDlgProcA
00401551  |.  E8 34080000   call <jmp.&MFC42.#CWnd::GetDlgItemTextA_3097>
00401556  |.  8D4D E8       lea ecx,[local.6]
00401559  |.  51            push ecx
0040155A  |.  68 E9030000   push 0x3E9
0040155F  |.  8B8D 40FEFFFF mov ecx,[local.112]                               ;  user32.DefDlgProcA
00401565  |.  E8 20080000   call <jmp.&MFC42.#CWnd::GetDlgItemTextA_3097>
0040156A  |.  8D4D EC       lea ecx,[local.5]
0040156D  |.  E8 DE020000   call Brad_Sob.00401850
00401572  |.  8945 E4       mov [local.7],eax
00401575  |.  837D E4 05    cmp [local.7],0x5                                 ;  local.7是输入的用户的字符长度len
00401579  |.  7D 43         jge short Brad_Sob.004015BE                       ;  判断长度
0040157B  |.  6A 40         push 0x40
0040157D  |.  68 20404000   push Brad_Sob.00404020                            ;  CrackMe
00401582  |.  68 28404000   push Brad_Sob.00404028                            ;  User Name must have at least 5 characters.
00401587  |.  8B8D 40FEFFFF mov ecx,[local.112]                               ;  user32.DefDlgProcA
0040158D  |.  E8 F2070000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
00401592  |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401596  |.  8D4D DC       lea ecx,[local.9]
00401599  |.  E8 C2070000   call <jmp.&MFC42.#CString::~CString_800>
0040159E  |.  C645 FC 00    mov byte ptr ss:[ebp-0x4],0x0
004015A2  |.  8D4D E8       lea ecx,[local.6]
004015A5  |.  E8 B6070000   call <jmp.&MFC42.#CString::~CString_800>
004015AA  |.  C745 FC FFFFF>mov [local.1],-0x1
004015B1  |.  8D4D EC       lea ecx,[local.5]
004015B4  |.  E8 A7070000   call <jmp.&MFC42.#CString::~CString_800>
004015B9  |.  E9 F9010000   jmp Brad_Sob.004017B7
004015BE  |>  C745 E0 00000>mov [local.8],0x0                                 ;  local.8 可以理解循环i,默认设置为0
004015C5  |.  EB 09         jmp short Brad_Sob.004015D0
004015C7  |>  8B55 E0       /mov edx,[local.8]
004015CA  |.  83C2 01       |add edx,0x1
004015CD  |.  8955 E0       |mov [local.8],edx                                ;  i++
004015D0  |>  8B45 E0        mov eax,[local.8]                                ;  i = 0
004015D3  |.  3B45 E4       |cmp eax,[local.7]                                ;  i < len
004015D6  |.  7D 42         |jge short Brad_Sob.0040161A                      ;  循环跳转
004015D8  |.  8B4D E0       |mov ecx,[local.8]
004015DB  |.  51            |push ecx                                         ;  输入的用户:12345
004015DC  |.  8D4D EC       |lea ecx,[local.5]
004015DF  |.  E8 1C030000   |call Brad_Sob.00401900                           ;  下标操作
004015E4  |.  0FBED0        |movsx edx,al                                     ;  cname[i]
004015E7  |.  8B45 F0       |mov eax,[local.4]                                ;  变量初始local.4 == 0x81276345
004015EA  |.  03C2          |add eax,edx                                      ;  cname[i] + local.4
004015EC  |.  8945 F0       |mov [local.4],eax
004015EF  |.  8B4D E0       |mov ecx,[local.8]                                ;  ecx = i
004015F2  |.  C1E1 08       |shl ecx,0x8                                      ;  ecx >> 8: 将寄存器 ecx 的内容左移 8 位
004015F5  |.  8B55 F0       |mov edx,[local.4]
004015F8  |.  33D1          |xor edx,ecx                                      ;  local.4 ^ ecx
004015FA  |.  8955 F0       |mov [local.4],edx
004015FD  |.  8B45 E0       |mov eax,[local.8]                                ;  eax = i
00401600  |.  83C0 01       |add eax,0x1                                      ;  eax += 1
00401603  |.  8B4D E4       |mov ecx,[local.7]                                ;  len
00401606  |.  0FAF4D E0     |imul ecx,[local.8]                               ;  ecx = i * len
0040160A  |.  F7D1          |not ecx                                          ;  进行取反操作
0040160C  |.  0FAFC1        |imul eax,ecx                                     ;  eax *= ecx
0040160F  |.  8B55 F0       |mov edx,[local.4]
00401612  |.  0FAFD0        |imul edx,eax                                     ;  local.4 * eax
00401615  |.  8955 F0       |mov [local.4],edx
00401618  |.^ EB AD         \jmp short Brad_Sob.004015C7
0040161A  |>  8B45 F0       mov eax,[local.4]                                 ;  D2E21C83
0040161D  |.  50            push eax
0040161E  |.  68 54404000   push Brad_Sob.00404054                            ;  %lu
00401623  |.  8D4D DC       lea ecx,[local.9]
00401626  |.  51            push ecx
00401627  |.  E8 52070000   call <jmp.&MFC42.#CString::Format_2818>           ;  格式转换
0040162C  |.  83C4 0C       add esp,0xC
0040162F  |.  8D4D DC       lea ecx,[local.9]
00401632  |.  E8 79020000   call Brad_Sob.004018B0
00401637  |.  50            push eax
00401638  |.  8D4D E8       lea ecx,[local.6]
0040163B  |.  E8 80020000   call Brad_Sob.004018C0
00401640  |.  85C0          test eax,eax
00401642      0F85 FF000000 jnz Brad_Sob.00401747                             ;  关键的跳转
00401648  |.  8D8D ACFEFFFF lea ecx,[local.85]
0040164E  |.  E8 19070000   call <jmp.&MFC42.#CString::CString_540>
00401653  |.  C645 FC 03    mov byte ptr ss:[ebp-0x4],0x3
00401657  |.  6A 66         push 0x66
00401659  |.  8D8D ACFEFFFF lea ecx,[local.85]
0040165F  |.  E8 02070000   call <jmp.&MFC42.#CString::LoadStringA_4160>
00401664  |.  B9 07000000   mov ecx,0x7
00401669  |.  BE 58404000   mov esi,Brad_Sob.00404058                         ;  Correct!!
0040166E  |.  8DBD 48FEFFFF lea edi,[local.110]
00401674  |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
00401676  |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
00401678  |.  A4            movs byte ptr es:[edi],byte ptr ds:[esi]
00401679  |.  B9 11000000   mov ecx,0x11
0040167E  |.  33C0          xor eax,eax
00401680  |.  8DBD 67FEFFFF lea edi,dword ptr ss:[ebp-0x199]
00401686  |.  F3:AB         rep stos dword ptr es:[edi]
00401688  |.  AA            stos byte ptr es:[edi]
00401689  |.  B9 07000000   mov ecx,0x7
0040168E  |.  BE 78404000   mov esi,Brad_Sob.00404078                         ;  <BrD-SoB>
00401693  |.  8DBD 14FFFFFF lea edi,[local.59]
00401699  |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040169B  |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
0040169D  |.  B9 11000000   mov ecx,0x11
004016A2  |.  33C0          xor eax,eax
004016A4  |.  8DBD 32FFFFFF lea edi,dword ptr ss:[ebp-0xCE]
004016AA  |.  F3:AB         rep stos dword ptr es:[edi]
004016AC  |.  66:AB         stos word ptr es:[edi]
004016AE  |.  B9 06000000   mov ecx,0x6
004016B3  |.  BE 98404000   mov esi,Brad_Sob.00404098                         ;  Incorrect!!, Try Again.
004016B8  |.  8DBD 78FFFFFF lea edi,[local.34]
004016BE  |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016C0  |.  B9 13000000   mov ecx,0x13
004016C5  |.  33C0          xor eax,eax
004016C7  |.  8D7D 90       lea edi,[local.28]
004016CA  |.  F3:AB         rep stos dword ptr es:[edi]
004016CC  |.  B9 07000000   mov ecx,0x7
004016D1  |.  BE B0404000   mov esi,Brad_Sob.004040B0                         ;  Correct way to go, You Got It.
004016D6  |.  8DBD B0FEFFFF lea edi,[local.84]
004016DC  |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016DE  |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
004016E0  |.  A4            movs byte ptr es:[edi],byte ptr ds:[esi]
004016E1  |.  B9 11000000   mov ecx,0x11
004016E6  |.  33C0          xor eax,eax
004016E8  |.  8DBD CFFEFFFF lea edi,dword ptr ss:[ebp-0x131]
004016EE  |.  F3:AB         rep stos dword ptr es:[edi]
004016F0  |.  AA            stos byte ptr es:[edi]
004016F1  |.  6A 40         push 0x40
004016F3  |.  68 D0404000   push Brad_Sob.004040D0                            ;  CrackMe
004016F8  |.  8D8D ACFEFFFF lea ecx,[local.85]
004016FE  |.  E8 AD010000   call Brad_Sob.004018B0
00401703  |.  50            push eax
00401704  |.  8B8D 40FEFFFF mov ecx,[local.112]                               ;  user32.DefDlgProcA
0040170A  |.  E8 75060000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
0040170F  |.  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401713  |.  8D8D ACFEFFFF lea ecx,[local.85]
00401719  |.  E8 42060000   call <jmp.&MFC42.#CString::~CString_800>
0040171E  |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401722  |.  8D4D DC       lea ecx,[local.9]
00401725  |.  E8 36060000   call <jmp.&MFC42.#CString::~CString_800>
0040172A  |.  C645 FC 00    mov byte ptr ss:[ebp-0x4],0x0
0040172E  |.  8D4D E8       lea ecx,[local.6]
00401731  |.  E8 2A060000   call <jmp.&MFC42.#CString::~CString_800>
00401736  |.  C745 FC FFFFF>mov [local.1],-0x1
0040173D  |.  8D4D EC       lea ecx,[local.5]
00401740  |.  E8 1B060000   call <jmp.&MFC42.#CString::~CString_800>
00401745  |.  EB 70         jmp short Brad_Sob.004017B7
00401747  |>  8D8D 44FEFFFF lea ecx,[local.111]
0040174D  |.  E8 1A060000   call <jmp.&MFC42.#CString::CString_540>
00401752  |.  C645 FC 04    mov byte ptr ss:[ebp-0x4],0x4
00401756  |.  6A 67         push 0x67
00401758  |.  8D8D 44FEFFFF lea ecx,[local.111]
0040175E  |.  E8 03060000   call <jmp.&MFC42.#CString::LoadStringA_4160>
00401763  |.  6A 40         push 0x40
00401765  |.  68 D8404000   push Brad_Sob.004040D8                            ;  CrackMe
0040176A  |.  8D8D 44FEFFFF lea ecx,[local.111]
00401770  |.  E8 3B010000   call Brad_Sob.004018B0
00401775  |.  50            push eax                                          ;  ASCII "Incorrect!!, Try Again."
00401776  |.  8B8D 40FEFFFF mov ecx,[local.112]                               ;  user32.DefDlgProcA
0040177C  |.  E8 03060000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>         ;  提示框

结合断点观察可还原出校验逻辑:先用 GetDlgItemText 分别取得 Name(控件 0x3E8)和 Key(控件 0x3E9);Name 长度小于 5 时直接弹出 "User Name must have at least 5 characters." 并返回;否则以 0x81276345 为初值,对 Name 的每个字节依次做三步运算:加上该字节(movsx,按带符号字节扩展)、异或 (i<<8)(注意 004015F2 处是 shl ecx,8,是左移而非右移)、再乘以 (i+1)*~(i*len),全部运算都是 32 位回绕算术;最后用 "%lu" 把结果格式化成十进制字符串与输入的 Key 比较,比较结果非零则跳到 "Incorrect!!" 分支。对 Name=12345,循环结束后 eax 为 0xD2E21C83,即正确的 Key 为 3538033795。据此写出注册机:

#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>

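/*
 * Keygen for 160-CrackMe #019 (Brad_Sob), reconstructed from the check
 * routine disassembled above (0x004014FE .. 0x0040177C).
 *
 * Serial derivation, all arithmetic 32-bit and wrapping exactly like the
 * x86 code:
 *   acc = 0x81276345
 *   for i in 0 .. len-1:
 *     acc += (signed char)name[i]      ; target does `movsx edx, al`
 *     acc ^= i << 8                    ; target does `shl ecx, 8` then xor
 *     acc *= ~(i * len) * (i + 1)      ; two imuls, low 32 bits kept
 * The target formats acc with "%lu" and string-compares it with the Key
 * field; names shorter than 5 characters are rejected before any of this.
 */

/*
 * Returns the 32-bit serial for `name`.  Does NOT apply the target's
 * "at least 5 characters" rule; the caller decides what to do with short
 * names.
 */
static uint32_t compute_key(const char *name)
{
    const uint32_t len = (uint32_t)strlen(name);
    uint32_t acc = 0x81276345u;

    for (uint32_t i = 0; i < len; i++) {
        /* Explicit signed-char cast: the target sign-extends each byte
           (movsx), and plain `char` signedness is implementation-defined,
           so bytes >= 0x80 would otherwise differ on unsigned-char hosts. */
        acc += (uint32_t)(signed char)name[i];
        acc ^= i << 8;
        /* All operands unsigned: same low 32 bits as the target's imul,
           and no signed-overflow UB for long names. */
        acc *= ~(i * len) * (i + 1u);
    }
    return acc;
}

/*
 * Usage: keygen [name]   (defaults to "12345", as in the walkthrough)
 * Prints "Key: <decimal>" on success, or an error and exit code 1 when the
 * name is shorter than 5 characters (the target would refuse it anyway, so
 * printing a key for it would be misleading).
 */
int main(int argc, char **argv)
{
    const char *cname = argc > 1 ? argv[1] : "12345";

    if (strlen(cname) < 5) {
        fprintf(stderr, "User Name must have at least 5 characters.\n");
        return 1;
    }

    /* %u, not %lu: the serial is a 32-bit value, and on LP64 hosts %lu
       would read a 64-bit argument (undefined behaviour / wrong output). */
    printf("Key: %u\r\n", (unsigned)compute_key(cname));
    return 0;
}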