160个CrackMe之027

进入程序主界面,点击 Check for CD 按钮,信息框提示 You lost。直接通过字符串引用定位到相关代码:

00401219   .  57            push edi
0040121A   .  68 9C304000   push Cosh_1.0040309C                             ;  C:\
0040121F   .  8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00401222   .  E8 79040000   call <jmp.&MFC42.#CString::CString_537>
00401227   .  33DB          xor ebx,ebx
00401229   .  68 98304000   push Cosh_1.00403098                             ;  D:\
0040122E   .  8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
00401231   .  895D FC       mov dword ptr ss:[ebp-0x4],ebx
00401234   .  E8 67040000   call <jmp.&MFC42.#CString::CString_537>
00401239   .  68 94304000   push Cosh_1.00403094                             ;  E:\
0040123E   .  8D4D AC       lea ecx,dword ptr ss:[ebp-0x54]
00401241   .  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401245   .  E8 56040000   call <jmp.&MFC42.#CString::CString_537>
0040124A   .  68 90304000   push Cosh_1.00403090                             ;  F:\
0040124F   .  8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
00401252   .  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401256   .  E8 45040000   call <jmp.&MFC42.#CString::CString_537>
0040125B   .  68 8C304000   push Cosh_1.0040308C                             ;  G:\
00401260   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
00401263   .  C645 FC 03    mov byte ptr ss:[ebp-0x4],0x3
00401267   .  E8 34040000   call <jmp.&MFC42.#CString::CString_537>
0040126C   .  68 88304000   push Cosh_1.00403088                             ;  H:\
00401271   .  8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00401274   .  C645 FC 04    mov byte ptr ss:[ebp-0x4],0x4
00401278   .  E8 23040000   call <jmp.&MFC42.#CString::CString_537>
0040127D   .  68 84304000   push Cosh_1.00403084                             ;  I:\
00401282   .  8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00401285   .  C645 FC 05    mov byte ptr ss:[ebp-0x4],0x5
00401289   .  E8 12040000   call <jmp.&MFC42.#CString::CString_537>
0040128E   .  68 80304000   push Cosh_1.00403080                             ;  J:\
00401293   .  8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
00401296   .  C645 FC 06    mov byte ptr ss:[ebp-0x4],0x6
0040129A   .  E8 01040000   call <jmp.&MFC42.#CString::CString_537>
0040129F   .  68 7C304000   push Cosh_1.0040307C                             ;  K:\
004012A4   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004012A7   .  C645 FC 07    mov byte ptr ss:[ebp-0x4],0x7
004012AB   .  E8 F0030000   call <jmp.&MFC42.#CString::CString_537>
004012B0   .  68 78304000   push Cosh_1.00403078                             ;  L:\
004012B5   .  8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
004012B8   .  C645 FC 08    mov byte ptr ss:[ebp-0x4],0x8
004012BC   .  E8 DF030000   call <jmp.&MFC42.#CString::CString_537>
004012C1   .  68 74304000   push Cosh_1.00403074                             ;  M:\
004012C6   .  8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004012C9   .  C645 FC 09    mov byte ptr ss:[ebp-0x4],0x9
004012CD   .  E8 CE030000   call <jmp.&MFC42.#CString::CString_537>
004012D2   .  68 70304000   push Cosh_1.00403070                             ;  N:\
004012D7   .  8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
004012DA   .  C645 FC 0A    mov byte ptr ss:[ebp-0x4],0xA
004012DE   .  E8 BD030000   call <jmp.&MFC42.#CString::CString_537>
004012E3   .  68 6C304000   push Cosh_1.0040306C                             ;  O:\
004012E8   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004012EB   .  C645 FC 0B    mov byte ptr ss:[ebp-0x4],0xB
004012EF   .  E8 AC030000   call <jmp.&MFC42.#CString::CString_537>
004012F4   .  68 68304000   push Cosh_1.00403068                             ;  P:\
004012F9   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004012FC   .  C645 FC 0C    mov byte ptr ss:[ebp-0x4],0xC
00401300   .  E8 9B030000   call <jmp.&MFC42.#CString::CString_537>
00401305   .  BE 9A164000   mov esi,<jmp.&MFC42.#CString::~CString_800>      ;  入口地址
0040130A   .  33C0          xor eax,eax
0040130C   .  8D7D DC       lea edi,dword ptr ss:[ebp-0x24]
0040130F   .  56            push esi                                         ;  Cosh_1.0040169A
00401310   .  C645 FC 0D    mov byte ptr ss:[ebp-0x4],0xD
00401314   .  68 94164000   push <jmp.&MFC42.#CString::CString_540>          ;  入口地址
00401319   .  AB            stos dword ptr es:[edi]
0040131A   .  6A 01         push 0x1
0040131C   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
0040131F   .  6A 04         push 0x4
00401321   .  50            push eax
00401322   .  E8 C3040000   call Cosh_1.004017EA
00401327   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
0040132A   .  C645 FC 0E    mov byte ptr ss:[ebp-0x4],0xE
0040132E   .  E8 61030000   call <jmp.&MFC42.#CString::CString_540>
00401333   .  C645 FC 0F    mov byte ptr ss:[ebp-0x4],0xF
00401337   .  895D EC       mov dword ptr ss:[ebp-0x14],ebx
0040133A   .  8D7D A4       lea edi,dword ptr ss:[ebp-0x5C]
0040133D   >  57            push edi
0040133E   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00401341   .  E8 48030000   call <jmp.&MFC42.#CString::operator=_858>
00401346   .  FF75 E8       push dword ptr ss:[ebp-0x18]                     ; /RootPathName = NULL
00401349   .  FF15 04204000 call dword ptr ds:[<&KERNEL32.GetDriveTypeA>]    ; \GetDriveTypeA
0040134F   .  83F8 03       cmp eax,0x3
00401352   .  74 3E         je short Cosh_1.00401392
00401354   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00401357   .  68 58304000   push Cosh_1.00403058                             ;  CD_CHECK.DAT
0040135C   .  50            push eax
0040135D   .  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00401360   .  50            push eax
00401361   .  E8 22030000   call <jmp.&MFC42.#operator+_924>
00401366   .  8B00          mov eax,dword ptr ds:[eax]
00401368   .  53            push ebx                                         ; /hTemplateFile = NULL
00401369   .  53            push ebx                                         ; |Attributes = 0
0040136A   .  53            push ebx                                         ; |Mode = 0x0
0040136B   .  53            push ebx                                         ; |pSecurity = NULL
0040136C   .  6A 01         push 0x1                                         ; |ShareMode = FILE_SHARE_READ
0040136E   .  68 00000080   push 0x80000000                                  ; |Access = GENERIC_READ
00401373   .  50            push eax                                         ; |FileName = "I:\CD_CHECK.DAT"
00401374   .  FF15 00204000 call dword ptr ds:[<&KERNEL32.CreateFileA>]      ; \打开C~P的CD_CHECK.DAT文件
0040137A   .  83F8 FF       cmp eax,-0x1                                     ;  返回值用于条件判断
0040137D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00401380   .  0f9445 f3     sete byte ptr ss:[ebp-0xd]                       ;  如果上一个比较操作的结果为相等,则将值 1 存储到 ss:[ebp-0xd] 地址处的一个字节中,否则将值 0 存储到相同的位置。
00401384   .  E8 11030000   call <jmp.&MFC42.#CString::~CString_800>
00401389   .  385D F3       cmp byte ptr ss:[ebp-0xD],bl
0040138C      0F84 F3000000 je Cosh_1.00401485                               ;  关键的跳转
00401392   >  FF45 EC       inc dword ptr ss:[ebp-0x14]
00401395   .  83C7 04       add edi,0x4
00401398   .  837D EC 07    cmp dword ptr ss:[ebp-0x14],0x7
0040139C   .^ 75 9F         jnz short Cosh_1.0040133D
0040139E   .  53            push ebx
0040139F   .  68 4C304000   push Cosh_1.0040304C                             ;  Try again
004013A4   .  68 40304000   push Cosh_1.00403040                             ;  You lost
004013A9   >  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]                  ;  usp10.73FF0460
004013AC   .  E8 D1020000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>        ;  错误提示窗口

流程:先把 C:\ 到 P:\ 的盘符字符串逐个构造出来,然后循环取盘符,用 GetDriveTypeA 判断盘类型(返回值 3 即 DRIVE_FIXED 本地硬盘,会被 je 直接跳过不检查),再通过 CreateFileA 以只读方式打开该盘根目录下的 CD_CHECK.DAT 文件;只要有一个盘能打开成功,就认为找到了 CD,否则弹出 You lost 提示。需要注意的是,从 `cmp dword ptr ss:[ebp-0x14],0x7` 这条指令看,循环计数到 7 就退出,所以实际只检查了前 7 个盘符(C~I),并非 C~P 全部。
