2025-03-12 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Ruhua.CrackMe
I studied it for several days.
The program asks for an account and a password; typing random values produces an error box.
Loaded in OllyDbg (OD), the main check routine looks like this:
00401410 . 53 push ebx
00401411 . 55 push ebp
00401412 . 56 push esi
00401413 . 57 push edi
00401414 . 8BF9 mov edi,ecx ; edi = this (the dialog object)
00401416 . 6A 01 push 0x1
00401418 . E8 93030000 call ruhua.004017B0 ; operator new(1): a 1-byte buffer for the account
0040141D . 83C4 04 add esp,0x4
00401420 . 85C0 test eax,eax
00401422 . 74 07 je Xruhua.0040142B ; allocation failed -> ebx = 0
00401424 . C600 18 mov byte ptr ds:[eax],0x18 ; eax is the heap pointer, [eax] = 0x18
00401427 . 8BD8 mov ebx,eax ; ebx = account buffer
00401429 . EB 02 jmp Xruhua.0040142D
0040142B > 33DB xor ebx,ebx
0040142D > 6A 01 push 0x1
0040142F . E8 7C030000 call ruhua.004017B0 ; operator new(1): a 1-byte buffer for the password
00401434 . 83C4 04 add esp,0x4
00401437 . 85C0 test eax,eax
00401439 . 74 07 je Xruhua.00401442
0040143B . C600 18 mov byte ptr ds:[eax],0x18
0040143E . 8BF0 mov esi,eax ; esi = password buffer
00401440 . EB 02 jmp Xruhua.00401444
00401442 > 33F6 xor esi,esi
00401444 > 6A 14 push 0x14 ; nMaxCount = 20
00401446 . 53 push ebx
00401447 . 8D8F A0000000 lea ecx,dword ptr ds:[edi+0xA0]
0040144D . E8 58030000 call ruhua.004017AA ; CWnd::GetWindowTextA: read the account edit box into ebx
00401452 . 6A 14 push 0x14
00401454 . 56 push esi
00401455 . 8D4F 60 lea ecx,dword ptr ds:[edi+0x60]
00401458 . E8 4D030000 call ruhua.004017AA ; CWnd::GetWindowTextA: read the password edit box into esi
0040145D . 8BFB mov edi,ebx ; inline strlen(account)
0040145F . 83C9 FF or ecx,0xFFFFFFFF
00401462 . 33C0 xor eax,eax
00401464 . F2:AE repne scas byte ptr es:[edi] ; scan for the terminating NUL
00401466 . F7D1 not ecx
00401468 . 49 dec ecx ; ecx = strlen(account)
00401469 . 8BFE mov edi,esi
0040146B . 8BE9 mov ebp,ecx ; ebp = account length
0040146D . 83C9 FF or ecx,0xFFFFFFFF
00401470 . F2:AE repne scas byte ptr es:[edi] ; inline strlen(password)
00401472 . F7D1 not ecx
00401474 . 49 dec ecx ; ecx = password length
00401475 . 83FD 0A cmp ebp,0xA ; account longer than 10 -> Wrong
00401478 . 77 60 ja Xruhua.004014DA
0040147A . 83F9 0A cmp ecx,0xA ; password longer than 10 -> Wrong
0040147D . 77 5B ja Xruhua.004014DA
0040147F . 53 push ebx
00401480 . E8 7B000000 call ruhua.00401500 ; transform the account in place (per byte: xor 3, -0x14)
00401485 . 56 push esi
00401486 . E8 A5000000 call ruhua.00401530 ; transform the password in place (per byte: add 2, xor 0x10)
0040148B . 83C4 08 add esp,0x8
0040148E > 8A0B mov cl,byte ptr ds:[ebx] ; inline strcmp, two bytes per iteration: cl = transformed account byte
00401490 . 8A16 mov dl,byte ptr ds:[esi] ; dl = transformed password byte
00401492 . 8AC1 mov al,cl
00401494 . 3ACA cmp cl,dl
00401496 75 1E jnz Xruhua.004014B6 ; mismatch -> the key jump
00401498 . 84C0 test al,al
0040149A . 74 16 je Xruhua.004014B2 ; both strings ended together -> equal
0040149C . 8A53 01 mov dl,byte ptr ds:[ebx+0x1]
0040149F . 8A4E 01 mov cl,byte ptr ds:[esi+0x1]
004014A2 . 8AC2 mov al,dl
004014A4 . 3AD1 cmp dl,cl
004014A6 . 75 0E jnz Xruhua.004014B6
004014A8 . 83C3 02 add ebx,0x2
004014AB . 83C6 02 add esi,0x2
004014AE . 84C0 test al,al ; reached the NUL?
004014B0 ^ 75 DC jnz Xruhua.0040148E ; not yet -> loop
004014B2 > 33C0 xor eax,eax ; strcmp result 0
004014B4 . EB 05 jmp Xruhua.004014BB
004014B6 > 1BC0 sbb eax,eax
004014B8 . 83D8 FF sbb eax,-0x1 ; eax = -1 or +1, the sign of the first mismatch
004014BB > 85C0 test eax,eax ; strcmp result == 0?
004014BD 75 1B jnz Xruhua.004014DA ; strings differ -> Wrong
004014BF . 85ED test ebp,ebp
004014C1 74 17 je Xruhua.004014DA ; empty account -> Wrong
004014C3 . 50 push eax ; uType = 0
004014C4 . 68 50304000 push ruhua.00403050 ; caption "Ok"
004014C9 . 68 2C304000 push ruhua.0040302C ; text "contexts this is the key!"
004014CE . 50 push eax ; hOwner = NULL
004014CF . FF15 D8214000 call dword ptr ds:[004021D8] ; MessageBoxA
004014D5 . 5F pop edi
004014D6 . 5E pop esi
004014D7 . 5D pop ebp
004014D8 . 5B pop ebx
004014D9 . C3 retn
004014DA > 6A 00 push 0x0 ; uType = MB_OK | MB_APPLMODAL
004014DC . 68 28304000 push ruhua.00403028 ; caption "Msg"
004014E1 . 68 20304000 push ruhua.00403020 ; text "Wrong!"
004014E6 . 6A 00 push 0x0 ; hOwner = NULL
004014E8 . FF15 D8214000 call dword ptr ds:[004021D8] ; MessageBoxA
004014EE . 5F pop edi
004014EF . 5E pop esi
004014F0 . 5D pop ebp
004014F1 . 5B pop ebx
004014F2 . C3 retn
The overall flow: read the account and the password, run the account through its transform subroutine (sub_401500) and the password through its transform subroutine (sub_401530), then compare the two results.
[Figure: the account/password subroutine]
[Figure: the account transform, sub_401500]
[Figure: the password transform, sub_401530]
The comparison loop at 0040148E was hard to follow in the raw disassembly; IDA shows that it is an inlined strcmp(): the transformed account and the transformed password are compared byte by byte, and only when they match (and the account is not empty) does the "Ok" box appear. One thing worth noting on the face of the listing: each input buffer comes from operator new(1), a single byte, while GetWindowTextA is given a limit of 0x14 bytes to write into it, and the length checks only run after the copy, so they do not bound that write. That is a bug in the crackme itself, separate from the key check.
After IDA's decompiler (really the king of reversing tools), the code reads:
int __thiscall sub_401410(void *this)
{
  void *v1; // edi@1
  int v2; // eax@1
  char *v3; // ebx@2
  int v4; // eax@4
  char *v5; // esi@5
  unsigned int v6; // kr04_4@7
  unsigned int v7; // kr0C_4@7
  int result; // eax@11

  v1 = this;
  v2 = operator new(1u);
  if ( v2 )
  {
    *(_BYTE *)v2 = 24;
    v3 = (char *)v2;
  }
  else
  {
    v3 = 0;
  }
  v4 = operator new(1u);
  if ( v4 )
  {
    *(_BYTE *)v4 = 24;
    v5 = (char *)v4;
  }
  else
  {
    v5 = 0;
  }
  CWnd::GetWindowTextA((CWnd *)((char *)v1 + 160), v3, 20);
  CWnd::GetWindowTextA((CWnd *)((char *)v1 + 96), v5, 20);
  v6 = strlen(v3) + 1;                          // v6: account length + 1
  v7 = strlen(v5) + 1;                          // v7: password length + 1
  // reject: account > 10, password > 10, transformed strings differ, or empty account
  if ( v6 - 1 > 0xA || v7 - 1 > 0xA || (sub_401500(v3), sub_401530(v5), strcmp(v3, v5)) || v6 == 1 )
    result = MessageBoxA(0, "Wrong!", "Msg", 0);
  else
    result = MessageBoxA(0, "contexts this is the key!", "Ok", 0);
  return result;
}
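Added example, not code from the original post or from the crackme: a Python re-implementation of the decision in sub_401410 together with a keygen that inverts the password transform, so that the two transformed strings compare equal under strcmp(). The page only paraphrases sub_401500 and sub_401530 ("xor 3 - 0x14" and "add 2, xor 0x10"); the operation order and 8-bit wraparound used below, and the requirement that a generated key be printable ASCII so it can be typed into the edit box, are assumptions to confirm by stepping through the two subroutines.

```python
"""Emulation of the Ruhua.CrackMe check (sub_401410) and a keygen for it.

Added example, not the crackme's own code. The two per-byte transforms are
ASSUMED from the page's paraphrase and must be confirmed in sub_401500/sub_401530.
"""

MAX_LEN = 10  # cmp ebp,0xA / cmp ecx,0xA followed by ja -> "Wrong!"


def transform_account(data: bytes) -> bytes:
    """sub_401500 as paraphrased on the page: each byte ^ 3, then - 0x14 (assumed order, mod 256)."""
    return bytes(((b ^ 3) - 0x14) & 0xFF for b in data)


def transform_password(data: bytes) -> bytes:
    """sub_401530 as paraphrased on the page: each byte + 2, then ^ 0x10 (assumed order, mod 256)."""
    return bytes((((b + 2) & 0xFF) ^ 0x10) for b in data)


def _cstr(data: bytes) -> bytes:
    """strcmp() only sees the bytes before the first NUL."""
    return data.split(b"\x00", 1)[0]


def check(account: str, password: str) -> bool:
    """Mirror of sub_401410's decision: True when the "Ok" box would be shown."""
    acc = account.encode("latin-1")
    pwd = password.encode("latin-1")
    if len(acc) > MAX_LEN or len(pwd) > MAX_LEN:          # v6 - 1 > 0xA || v7 - 1 > 0xA
        return False
    if _cstr(transform_account(acc)) != _cstr(transform_password(pwd)):  # strcmp() != 0
        return False
    return len(acc) != 0                                   # v6 == 1 -> "Wrong!"


def keygen(account: str) -> str:
    """Invert transform_password so transform_password(key) == transform_account(account)."""
    acc = account.encode("latin-1")
    if not 0 < len(acc) <= MAX_LEN:
        raise ValueError("account must be 1..%d bytes" % MAX_LEN)
    key = bytearray()
    for t in transform_account(acc):
        if t == 0:
            # strcmp() stops here, so the remaining account bytes never matter
            break
        p = ((t ^ 0x10) - 2) & 0xFF                        # inverse of (b + 2) ^ 0x10
        if not 0x20 <= p <= 0x7E:                          # must be typeable (assumption)
            raise ValueError("required key byte 0x%02x is not printable ASCII" % p)
        key.append(p)
    password = key.decode("latin-1")
    if not check(account, password):                       # self-check against the emulation
        raise RuntimeError("keygen produced a key the emulated check rejects")
    return password


def has_typeable_key(account: str) -> bool:
    """False when the account needs a key byte that cannot be typed (for example '%')."""
    try:
        keygen(account)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("admin", "ruhua"):
        print("%s -> %r" % (name, keygen(name)))
```

Feed the printed key to the crackme together with the same account. If the real subroutines apply the operations in a different order, only the two transform functions need correcting; the keygen inverts whatever transform_password does, and the self-check in keygen() catches a key that the emulated routine would reject.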
Attachment: http://down.51cto.com/data/2365085