00401545 |. 50                 push eax                                   ; kernel32.BaseThreadInitThunk
00401546 |. 68 E8030000        push 0x3E8
0040154B |. 8B8D 40FEFFFF      mov ecx,[local.112]                        ; Brad_Sob.<ModuleEntryPoint>
00401551 |. E8 34080000        call <jmp.&MFC42.#CWnd::GetDlgItemTextA_>  // read name
00401556 |. 8D4D E8            lea ecx,[local.6]
00401559 |. 51                 push ecx
0040155A |. 68 E9030000        push 0x3E9
0040155F |. 8B8D 40FEFFFF      mov ecx,[local.112]                        ; Brad_Sob.<ModuleEntryPoint>
00401565 |. E8 20080000        call <jmp.&MFC42.#CWnd::GetDlgItemTextA_>  // read serial
0040156A |. 8D4D EC            lea ecx,[local.5]
0040156D |. E8 DE020000        call Brad_Sob.00401850
00401572 |. 8945 E4            mov [local.7],eax                          ; kernel32.BaseThreadInitThunk
00401575 |. 837D E4 05         cmp [local.7],0x5                          // compare name length
00401579 |. 7D 43              jge short Brad_Sob.004015BE
0040157B |. 6A 40              push 0x40
0040157D |. 68 20404000        push Brad_Sob.00404020                     ; CrackMe
00401582 |. 68 28404000        push Brad_Sob.00404028                     ; User Name must have at least 5 characters.
00401587 |. 8B8D 40FEFFFF      mov ecx,[local.112]                        ; Brad_Sob.<ModuleEntryPoint>
0040158D |. E8 F2070000        call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
00401592 |. C645 FC 01         mov byte ptr ss:[ebp-0x4],0x1
00401596 |. 8D4D DC            lea ecx,[local.9]
00401599 |. E8 C2070000        call <jmp.&MFC42.#CString::~CString_800>
0040159E |. C645 FC 00         mov byte ptr ss:[ebp-0x4],0x0
004015A2 |. 8D4D E8            lea ecx,[local.6]
004015A5 |. E8 B6070000        call <jmp.&MFC42.#CString::~CString_800>
004015AA |. C745 FC FFFFF>     mov [local.1],-0x1
004015B1 |. 8D4D EC            lea ecx,[local.5]
004015B4 |. E8 A7070000        call <jmp.&MFC42.#CString::~CString_800>
004015B9 |. E9 F9010000        jmp Brad_Sob.004017B7                      // processing starts below
004015BE |> C745 E0 00000>     mov [local.8],0x0                          // index = 0
004015C5 |. EB 09              jmp short Brad_Sob.004015D0
004015C7 |> 8B55 E0            /mov edx,[local.8]
004015CA |. 83C2 01            |add edx,0x1
004015CD |. 8955 E0            |mov [local.8],edx                         ; Brad_Sob.<ModuleEntryPoint>
004015D0 |> 8B45 E0            |mov eax,[local.8]
004015D3 |. 3B45 E4            |cmp eax,[local.7]                         // compare index with name length
004015D6 |. 7D 42              |jge short Brad_Sob.0040161A               // jump if greater or equal
004015D8 |. 8B4D E0            |mov ecx,[local.8]                         // ecx holds the index
004015DB |. 51                 |push ecx                                  // push the index as the argument ; /Arg1 = 00000000
004015DC |. 8D4D EC            |lea ecx,[local.5]                         ; |
004015DF |. E8 1C030000        |call Brad_Sob.00401900                    ; \Brad_Sob.00401900
004015E4 |. 0FBED0             |movsx edx,al                              // the subroutine returns the character at that index; sign-extend its ASCII code
004015E7 |. 8B45 F0            |mov eax,[local.4]                         // constant
004015EA |. 03C2               |add eax,edx                               ; Brad_Sob.<ModuleEntryPoint>
004015EC |. 8945 F0            |mov [local.4],eax                         ; kernel32.BaseThreadInitThunk
004015EF |. 8B4D E0            |mov ecx,[local.8]
004015F2 |. C1E1 08            |shl ecx,0x8                               // index shifted left by 8 bits
004015F5 |. 8B55 F0            |mov edx,[local.4]
004015F8 |. 33D1               |xor edx,ecx                               // xor
004015FA |. 8955 F0            |mov [local.4],edx                         ; Brad_Sob.<ModuleEntryPoint>
004015FD |. 8B45 E0            |mov eax,[local.8]
00401600 |. 83C0 01            |add eax,0x1                               // index plus one
00401603 |. 8B4D E4            |mov ecx,[local.7]
00401606 |. 0FAF4D E0          |imul ecx,[local.8]                        // multiply
0040160A |. F7D1               |not ecx                                   // bitwise not
0040160C |. 0FAFC1             |imul eax,ecx
0040160F |. 8B55 F0            |mov edx,[local.4]
00401612 |. 0FAFD0             |imul edx,eax                              ; kernel32.BaseThreadInitThunk
00401615 |. 8955 F0            |mov [local.4],edx                         ; Brad_Sob.<ModuleEntryPoint>
00401618 |.^ EB AD             \jmp short Brad_Sob.004015C7
0040161A |> 8B45 F0            mov eax,[local.4]
0040161D |. 50                 push eax                                   ; kernel32.BaseThreadInitThunk
0040161E |. 68 54404000        push Brad_Sob.00404054                     ; %lu
00401623 |. 8D4D DC            lea ecx,[local.9]
00401626 |. 51                 push ecx
00401627 |. E8 52070000        call <jmp.&MFC42.#CString::Format_2818>    // format the string
0040162C |. 83C4 0C            add esp,0xC
0040162F |. 8D4D DC            lea ecx,[local.9]
00401632 |. E8 79020000        call Brad_Sob.004018B0                     // string comparison
00401637 |. 50                 push eax                                   ; /Arg1 = 76F033B8
00401638 |. 8D4D E8            lea ecx,[local.6]                          ; |
0040163B |. E8 80020000        call Brad_Sob.004018C0                     ; \Brad_Sob.004018C0
00401640 |. 85C0               test eax,eax                               ; kernel32.BaseThreadInitThunk
00401642 |. 0F85 FF000000      jnz Brad_Sob.00401747
00401648 |. 8D8D ACFEFFFF      lea ecx,[local.85]
0040164E |. E8 19070000        call <jmp.&MFC42.#CString::CString_540>
00401653 |. C645 FC 03         mov byte ptr ss:[ebp-0x4],0x3
00401657 |. 6A 66              push 0x66
00401659 |. 8D8D ACFEFFFF      lea ecx,[local.85]
0040165F |. E8 02070000        call <jmp.&MFC42.#CString::LoadStringA_4>
00401664 |. B9 07000000        mov ecx,0x7
00401669 |. BE 58404000        mov esi,Brad_Sob.00404058                  ; Correct!!
0040166E |. 8DBD 48FEFFFF      lea edi,[local.110]
00401674 |. F3:A5              rep movs dword ptr es:[edi],dword ptr ds>
00401676 |. 66:A5              movs word ptr es:[edi],word ptr ds:[esi]
00401678 |. A4                 movs byte ptr es:[edi],byte ptr ds:[esi]
00401679 |. B9 11000000        mov ecx,0x11
0040167E |. 33C0               xor eax,eax                                ; kernel32.BaseThreadInitThunk
00401680 |. 8DBD 67FEFFFF      lea edi,dword ptr ss:[ebp-0x199]
00401686 |. F3:AB              rep stos dword ptr es:[edi]
00401688 |. AA                 stos byte ptr es:[edi]
00401689 |. B9 07000000        mov ecx,0x7
0040168E |. BE 78404000        mov esi,Brad_Sob.00404078                  ; <BrD-SoB>
00401693 |. 8DBD 14FFFFFF      lea edi,[local.59]
00401699 |. F3:A5              rep movs dword ptr es:[edi],dword ptr ds>
0040169B |. 66:A5              movs word ptr es:[edi],word ptr ds:[esi]
0040169D |. B9 11000000        mov ecx,0x11
004016A2 |. 33C0               xor eax,eax                                ; kernel32.BaseThreadInitThunk
004016A4 |. 8DBD 32FFFFFF      lea edi,dword ptr ss:[ebp-0xCE]
004016AA |. F3:AB              rep stos dword ptr es:[edi]
004016AC |. 66:AB              stos word ptr es:[edi]
004016AE |. B9 06000000        mov ecx,0x6
004016B3 |. BE 98404000        mov esi,Brad_Sob.00404098                  ; Incorrect!!, Try Again.
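The loop between 004015BE and 00401618 is the whole of the check: an accumulator ([local.4]) absorbs each character of the name, is xored with the index shifted left by 8, and is multiplied by (index + 1) * ~(length * index), all in 32-bit wraparound arithmetic; the result is printed with "%lu" and compared textually with the serial. The Python below is an added illustration, not code from the CrackMe or from the original post, that mirrors those instructions so the data flow can be traced with concrete values. It assumes the calls at 00401850 and 00401900 are CString::GetLength and a character-at-index accessor (the listing's own comments say as much for 00401900), and it treats the starting value of [local.4] as a parameter named `initial`, defaulting to 0, because the instruction that sets that "constant" lies outside the excerpt. The design lesson for anyone writing such a check is visible in how short the function is: a serial derived from the user name by a fixed, reversible computation that ships inside the client is recoverable by anyone who can read the instructions, which is why real licence checks verify a signature against a public key instead.

```python
from typing import Optional

# Added example (not the CrackMe's own code): Python mirror of the serial check
# recovered from the listing at 00401575-00401642.
MASK32 = 0xFFFFFFFF  # every register operation below is 32-bit and wraps


def compute_serial(name: str, initial: int = 0) -> Optional[str]:
    """Return the decimal string the program formats with "%lu" for `name`.

    `initial` is the starting value of [local.4]. The listing comments it as a
    constant but assigns it outside the excerpt, so 0 here is an ASSUMED
    placeholder, not a value taken from the page.
    Returns None when the name is shorter than 5 characters, which is the
    path taken by `cmp [local.7],0x5 / jge` (the "at least 5 characters" box).
    """
    data = name.encode("latin-1", errors="replace")  # GetDlgItemTextA: one byte per character
    length = len(data)                                # call 00401850 -> [local.7] (assumed GetLength)
    if length < 5:
        return None
    acc = initial & MASK32                            # [local.4]
    for i in range(length):                           # [local.8] counts 0 .. length-1
        byte = data[i]                                # call 00401900 -> al (character at index i)
        ch = byte - 0x100 if byte & 0x80 else byte    # movsx edx,al: sign-extend the byte
        acc = (acc + ch) & MASK32                     # add eax,edx ; mov [local.4],eax
        acc ^= (i << 8) & MASK32                      # shl ecx,8 ; xor edx,ecx
        # add eax,1 ; imul ecx,[local.8] ; not ecx ; imul eax,ecx
        factor = ((i + 1) * ~(length * i)) & MASK32
        acc = (acc * factor) & MASK32                 # imul edx,eax ; mov [local.4],edx
    return str(acc)                                   # CString::Format("%lu", acc)


def check_serial(name: str, serial: str, initial: int = 0) -> bool:
    """Mirror 00401632-00401642: the formatted number must match the serial text exactly."""
    expected = compute_serial(name, initial)
    return expected is not None and expected == serial


def trace(name: str, initial: int = 0) -> list:
    """Per-iteration values of [local.4], useful when single-stepping the loop in a debugger."""
    data = name.encode("latin-1", errors="replace")
    length = len(data)
    acc = initial & MASK32
    states = []
    for i in range(length):
        byte = data[i]
        ch = byte - 0x100 if byte & 0x80 else byte
        acc = (acc + ch) & MASK32
        acc ^= (i << 8) & MASK32
        acc = (acc * (((i + 1) * ~(length * i)) & MASK32)) & MASK32
        states.append(acc)
    return states


if __name__ == "__main__":
    # "ABCDE" is a constructed sample name, not one from the page.
    for i, value in enumerate(trace("ABCDE")):
        print(f"after index {i}: [local.4] = 0x{value:08X} ({value})")
    print("serial:", compute_serial("ABCDE"))
```

Running the block with the constructed name "ABCDE" and `initial=0` walks the accumulator through 0xFFFFFFBF, 0xFFFFF3F4, 0x000142E9, 0xFFAFF4C0 and finally 550905075, which is exactly the kind of intermediate value you would expect to see in edx at 00401615 when stepping the real binary with that input (given the same starting constant).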