爆破一个二元函数加密的cm
系统 : Windows xp
程序 : cztria~1
程序下载地址 :http://pan.baidu.com/s/1slUwmVr（第三方网盘上的来历不明的二进制，请在隔离的虚拟机/快照里分析，不要在日常使用的主机上直接运行）
要求 : 爆破
使用工具 : OD（OllyDbg）
可在看雪论坛中查找关于此程序的破文:传送门
废话不多说,直接查询到字符串:“ you did it!”,双击定位:
; ---- dialog handler excerpt (OllyDbg listing) ----
; The procedure's prologue and the code after 00401490 are not part of this listing.
; Flow: read username -> read serial (control 0BB9) -> lower-case the username ->
; build a nibble table from (username[i] - serial[i]) -> call 00401637 -> compare.
0040137B |. 6A 40 push 40 ; /Count = 40 (64.) -> buffer holds at most 63 chars + NUL
0040137D |. 68 20334000 push 00403320 ; |pediy   (username buffer; "pediy" is what OD saw in it)
00401382 |. FF35 66324000 push dword ptr [403266] ; |hWnd = 000405D8 (class=‘Edit‘,parent=000505C0)
00401388 |. E8 A3080000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA -> eax = username length
0040138D |. 83F8 04 cmp eax, 4 ; username shorter than 5 characters?
00401390 |. 0F8E 9F000000 jle 00401435 ; yes -> "sorry cracker, wrong."
00401396 |. 6A 40 push 40 ; /Count = 40 (64.)
00401398 |. 68 60334000 push 00403360 ; |12345   (serial buffer; "12345" is what OD saw in it)
0040139D |. 68 B90B0000 push 0BB9 ; |ControlID = BB9 (3001.)
004013A2 |. FF75 08 push dword ptr [ebp+8] ; |hWnd (first parameter of this procedure)
004013A5 |. E8 6E080000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA -> eax = serial length
004013AA |. 83F8 04 cmp eax, 4 ; serial shorter than 5 characters?
004013AD |. 0F8E 82000000 jle 00401435 ; yes -> wrong
004013B3 |. A3 62324000 mov dword ptr [403262], eax ; [403262] = serial length; 00401637 reads it as "len"
004013B8 |. FF35 66324000 push dword ptr [403266] ; /hWnd = 000405D8 (class=‘Edit‘,parent=000505C0)
004013BE |. E8 AF080000 call <jmp.&USER32.SetFocus> ; \SetFocus
004013C3 |. BF 20334000 mov edi, 00403320 ; pediy   -> destination = username buffer
004013C8 |. BE 20334000 mov esi, 00403320 ; pediy   -> source = the same buffer (in-place rewrite)
004013CD |> AC /lods byte ptr [esi] ; loop over the username bytes
004013CE |. 0C 00 |or al, 0 ; only sets flags: stop at the NUL terminator
004013D0 |. 74 05 |je short 004013D7
004013D2 |. 0C 20 |or al, 20 ; set bit 5: ASCII letters become lower-case (any other byte with bit 5 clear is altered too)
004013D4 |. AA |stos byte ptr es:[edi] ; write the byte back in place
004013D5 |.^ EB F6 \jmp short 004013CD
004013D7 |> BF A0324000 mov edi, 004032A0 ; edi = table[0] (output)
004013DC |. BE 60334000 mov esi, 00403360 ; 12345   -> esi = serial
004013E1 |. 8D1D 20334000 lea ebx, dword ptr [403320] ; ebx = username (lower-cased)
004013E7 |. 33C9 xor ecx, ecx ; ecx = 0, accumulator (only cl is ever added to below)
004013E9 |> AC /lods byte ptr [esi] ; loop over the serial bytes; al = serial[i]
004013EA |. 0C 00 |or al, 0
004013EC |. 74 17 |je short 00401405 ; NUL -> done
004013EE |. 8A13 |mov dl, byte ptr [ebx] ; dl = username[i]; there is no length check, so a serial longer than the username reads the bytes after the username's NUL
004013F0 |. 2AD0 |sub dl, al ; dl = username[i] - serial[i]
004013F2 |. 80CA 00 |or dl, 0 ; equal characters at the same position ...
004013F5 |. 74 3E |je short 00401435 ; ... -> wrong
004013F7 |. 8AC2 |mov al, dl
004013F9 |. 24 0F |and al, 0F ; keep the low nibble of the difference
004013FB |. 0C 00 |or al, 0 ; nibble == 0 ...
004013FD |. 74 36 |je short 00401435 ; ... -> wrong; so every table entry is in 1..15
004013FF |. AA |stos byte ptr es:[edi] ; table[i] = nibble
00401400 |. 02C8 |add cl, al ; 8-bit accumulation: the sum wraps mod 256
00401402 |. 43 |inc ebx ; next username byte
00401403 |.^ EB E4 \jmp short 004013E9
00401405 |> 890D 6A324000 mov dword ptr [40326A], ecx ; [40326A] = sum of the table entries (mod 256)
0040140B |. E8 27020000 call 00401637 ; key routine: derives [40326E] from table[len-1] (also writes table[len])
00401410 |. BE A0324000 mov esi, 004032A0
00401415 |. 8B15 62324000 mov edx, dword ptr [403262] ; edx = serial length
0040141B |. C1EA 02 shr edx, 2 ; edx = len / 4
0040141E |. 03F2 add esi, edx
00401420 |. 8A06 mov al, byte ptr [esi] ; al = table[len / 4]; the upper 24 bits of eax are NOT cleared and still hold what 00401637 returned in eax (it returns with eax = [40326E])
00401422 |. 33D2 xor edx, edx ; dead store: edx is overwritten on the next line
00401424 |. 8B15 6E324000 mov edx, dword ptr [40326E] ; edx = result of 00401637
0040142A |. 2BD0 sub edx, eax ; edx = result - table[len / 4]
0040142C |. A1 6A324000 mov eax, dword ptr [40326A] ; eax = sum
00401431 |. 3BC2 cmp eax, edx ; pass iff sum == result - table[len / 4]
00401433 75 31 jz short 00401466 ; NOTE(review): mnemonic and bytes disagree - jz short encodes as 74 xx, jnz short as 75 xx; the patch described below changes this one byte from 74 to 75
00401435 |> 68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL
0040143A |. 68 D1314000 push 004031D1 ; | error
0040143F |. 68 F9314000 push 004031F9 ; | sorry cracker, wrong.
00401444 |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401447 |. E8 02080000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040144C |. 6A 40 push 40 ; /Length = 40 (64.)
0040144E |. 68 E0324000 push 004032E0 ; |Destination = cztria~1.004032E0  (not one of the 403320/403360 buffers read above; purpose not visible here)
00401453 |. E8 56080000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401458 |. 6A 40 push 40 ; /Length = 40 (64.)
0040145A |. 68 A0334000 push 004033A0 ; |Destination = cztria~1.004033A0
0040145F |. E8 4A080000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401464 |. EB 2F jmp short 00401495 ; 00401495 is outside this listing
00401466 |> 68 00200000 push 2000 ; /Style = MB_OK|MB_TASKMODAL
0040146B |. 68 E5314000 push 004031E5 ; | <registered>
00401470 |. 68 10324000 push 00403210 ; | you did it!
00401475 |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401478 |. E8 D1070000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040147D |. 6A 40 push 40 ; /Length = 40 (64.)
0040147F |. 68 E0324000 push 004032E0 ; |Destination = cztria~1.004032E0
00401484 |. E8 25080000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401489 |. 6A 40 push 40 ; /Length = 40 (64.)
0040148B |. 68 A0334000 push 004033A0 ; |Destination = cztria~1.004033A0
00401490 |. E8 19080000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
跟入 0040140B |. E8 27020000 call 00401637 ; 关键call
; ---- 00401637: "key routine", called from 0040140B ----
; Inputs : [403262] = serial length (len); table at 004032A0 whose entries 0..len-1 are
;          nibbles in 1..15 written by the caller.
; Outputs: table[len] = low byte of an intermediate value, [40326E] = final value,
;          eax = the same final value on return.
; Both halves use the same trick: a product N is reduced by 1, 3, 5, ... until it is <= 0
; and edx counts the steps, giving edx ~= ceil(sqrt(N)) - 1 (edx starts from the high
; dword of the product, which is 0 for the small values the caller produces).
00401637 /$ BE A0324000 mov esi, 004032A0 ; esi = table base
0040163C |. 8B15 62324000 mov edx, dword ptr [403262] ; edx = len
00401642 |. 52 push edx ; keep len across the mul
00401643 |. 33C0 xor eax, eax
00401645 |. 83EA 01 sub edx, 1
00401648 |. 03F2 add esi, edx ; esi = &table[len-1]
0040164A |. 8A06 mov al, byte ptr [esi] ; eax = t = table[len-1]
0040164C |. F7E0 mul eax ; edx:eax = t * t
0040164E |. 5A pop edx ; edx = len
0040164F |. 83EA 01 sub edx, 1 ; edx = len - 1
00401652 |. F7E2 mul edx ; edx:eax = t*t * (len-1); edx now holds the high dword
00401654 |. B9 01000000 mov ecx, 1 ; first odd number
00401659 |> 2BC1 /sub eax, ecx ; subtract 1, 3, 5, ...
0040165B |. 83F8 00 |cmp eax, 0
0040165E |. 7E 08 |jle short 00401668 ; stop once the value is exhausted (signed compare)
00401660 |. 83C2 01 |add edx, 1 ; count one more step
00401663 |. 83C1 02 |add ecx, 2 ; next odd number
00401666 |.^ EB F1 \jmp short 00401659
00401668 |> 52 push edx ; r1 = step count
00401669 |. BE A0324000 mov esi, 004032A0
0040166E |. 8BFE mov edi, esi ; edi = table base, for the store below
00401670 |. 8B15 62324000 mov edx, dword ptr [403262]
00401676 |. 33C0 xor eax, eax
00401678 |. 83EA 01 sub edx, 1
0040167B |. 03F2 add esi, edx
0040167D |. 8A06 mov al, byte ptr [esi] ; eax = t = table[len-1] again
0040167F |. 83C0 01 add eax, 1
00401682 |. 5A pop edx ; edx = r1
00401683 |. 03C2 add eax, edx
00401685 |. D1E8 shr eax, 1 ; eax = v = (t + 1 + r1) / 2
00401687 |. 8B15 62324000 mov edx, dword ptr [403262]
0040168D |. 03FA add edi, edx ; edi = &table[len] (one past the caller's last entry)
0040168F |. AA stos byte ptr es:[edi] ; table[len] = low byte of v
00401690 |. F7E0 mul eax ; edx:eax = v * v (the full 32-bit v, not the stored byte)
00401692 |. 8B15 62324000 mov edx, dword ptr [403262]
00401698 |. 83EA 01 sub edx, 1
0040169B |. F7E2 mul edx ; edx:eax = v*v * (len-1)
0040169D |. B9 01000000 mov ecx, 1
004016A2 |> 2BC1 /sub eax, ecx ; same odd-number loop as above
004016A4 |. 83F8 00 |cmp eax, 0
004016A7 |. 7E 08 |jle short 004016B1
004016A9 |. 83C2 01 |add edx, 1
004016AC |. 83C1 02 |add ecx, 2
004016AF |.^ EB F1 \jmp short 004016A2
004016B1 |> 52 push edx ; r2 = step count
004016B2 |. BE A0324000 mov esi, 004032A0
004016B7 |. 8B15 62324000 mov edx, dword ptr [403262]
004016BD |. 33C0 xor eax, eax
004016BF |. 03F2 add esi, edx ; esi = &table[len] (no -1 this time)
004016C1 |. 8A06 mov al, byte ptr [esi] ; eax = the byte stored at 0040168F
004016C3 |. 83C0 01 add eax, 1
004016C6 |. 5A pop edx ; edx = r2
004016C7 |. 03C2 add eax, edx
004016C9 |. D1E8 shr eax, 1 ; eax = (table[len] + 1 + r2) / 2
004016CB |. A3 6E324000 mov dword ptr [40326E], eax ; [40326E] = result; the caller compares its sum against result - table[len/4]
004016D0 \. C3 retn ; eax still holds the result
这是一个典型的二元函数加密：程序先把用户名就地转成小写（or al,20），然后对序列号的每个字符计算 (用户名字符 - 序列号字符) & 0x0F，把结果存成一张表（004032A0），并用 8 位寄存器 cl 累加（所以累加值是 mod 256 的）。任一位置上两个字符相同、或者差值低 4 位为 0，都会直接跳到出错分支。随后 call 00401637 以表末项 table[len-1] 为起点，用"连续减奇数"的整数开方循环算出两个中间值：第一个中间值的低字节写入 table[len]，最终结果存到 [40326E]。
输入要满足的判断条件是：累加值 [40326A] == [40326E] - table[len >> 2]（len 为序列号长度，即 GetDlgItemTextA 的返回值，保存在 [403262]）。
我们可以直接将判断的条件修改成:
00401433 /75 31 jnz short 00401466
就可以完成爆破了：jz short 的机器码是 74 xx，改成 75 xx 即 jnz，只需改 00401433 处的一个字节。注意反转跳转之后，原本正确的序列号反而会报错；如果想保留原有逻辑，也可以按上面的条件改写成注册机，这里的条件只涉及一个 8 位累加值和一次查表。