http://bbs.pediy.com/showthread.php?t=21330
Run the program.
Clicking "check" gives no response, and a wrong code gives no error message either.
Set breakpoints on the APIs instead; the candidates are GetWindowText and GetDlgItemText.
Search -> Names in the current module, find GetWindowText, right-click, set a breakpoint on every reference, then click "check".
00401316 |. 6A 28 push 0x28 ; /Count = 28 (40.)
00401318 |. 68 C4334000 push 004033C4 ; |Buffer = CrackHea.004033C4
0040131D |. FF35 90314000 push dword ptr ds:[0x403190] ; |hWnd = 00CC03BE (class='Edit',parent=001F02B8)
00401323 |. E8 4C010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401328 |. E8 A5000000 call 004013D2 ; key function
0040132D |. 3BC6 cmp eax,esi ; eax must equal esi
0040132F |. 75 42 jnz short 00401373 ; this jump must not be taken
00401331 |. EB 2C jmp short 0040135F
00401333 |. 4E 6F 77 20 7>ascii "Now write a keyg"
00401343 |. 65 6E 20 61 6>ascii "en and tut and y"
00401353 |. 6F 75 27 72 6>ascii "ou're done.",0
0040135F |> 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401361 |. 68 0F304000 push 0040300F ; |Title = "Crudd's Crack Head"
00401366 |. 68 33134000 push 00401333 ; |Text = "Now write a keygen and tut and you're done."
0040136B |. FF75 08 push [arg.1] ; |hOwner
0040136E |. E8 19010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401373 |> EB 15 jmp short 0040138A
00401375 |> FF75 14 push [arg.4] ; /lParam
00401378 |. FF75 10 push [arg.3] ; |wParam
0040137B |. FF75 0C push [arg.2] ; |Message
0040137E |. FF75 08 push [arg.1] ; |hWnd
00401381 |. E8 D6000000 call <jmp.&USER32.DefWindowProcA> ; \DefWindowProcA
00401386 |. C9 leave
00401387 |. C2 1000 retn 0x10
0040138A |> 33C0 xor eax,eax
0040138C |. C9 leave
0040138D \. C2 1000 retn 0x10
The input is stored in the buffer passed here: 00401318 |. 68 C4334000 push 004033C4 ; |Buffer = CrackHea.004033C4
And the key comparison function is this call: 00401328 |. E8 A5000000 call 004013D2 ; key function
Step into it:
004013D2 /$ 56 push esi
004013D3 |. 33C0 xor eax,eax
004013D5 |. 8D35 C4334000 lea esi,dword ptr ds:[0x4033C4] ; esi = pointer to the input string
004013DB |. 33C9 xor ecx,ecx
004013DD |. 33D2 xor edx,edx
004013DF |. 8A06 mov al,byte ptr ds:[esi] ; al = first character
004013E1 |. 46 inc esi
004013E2 |. 3C 2D cmp al,0x2D
004013E4 |. 75 08 jnz short 004013EE ; jump away if it is not 0x2D ('-')
004013E6 |. BA FFFFFFFF mov edx,-0x1 ; edx = -1
004013EB |. 8A06 mov al,byte ptr ds:[esi]
004013ED |. 46 inc esi
004013EE |> EB 0B jmp short 004013FB
004013F0 |> 2C 30 /sub al,0x30 ; subtract 0x30 from each digit character to get its numeric value
004013F2 |. 8D0C89 |lea ecx,dword ptr ds:[ecx+ecx*4] ; ecx = ecx*5
004013F5 |. 8D0C48 |lea ecx,dword ptr ds:[eax+ecx*2] ; ecx = eax + ecx*2
004013F8 |. 8A06 |mov al,byte ptr ds:[esi] ; fetch the next (lower-order) digit and continue
004013FA |. 46 |inc esi
004013FB |> 0AC0 or al,al
004013FD |.^ 75 F1 \jnz short 004013F0
004013FF |. 8D040A lea eax,dword ptr ds:[edx+ecx] ; eax = edx + ecx
00401402 |. 33C2 xor eax,edx ; eax = eax ^ edx
00401404 |. 5E pop esi
00401405 |. 81F6 53757A79 xor esi,0x797A7553 ; esi = esi ^ 0x797a7553
0040140B \. C3 retn ; on return eax must equal esi
This function first checks whether the number is negative; if so, edx = -1 and the value is negated at the end (with edx = -1, eax = (ecx - 1) ^ -1, which is the two's-complement negation of ecx).
It then converts the digit string into the corresponding numeric value.
For example, "12345677" becomes the number 12345677 held in ecx; at the end esi is set to 0x797a7553.
Since eax has to equal esi, eax must be 0x797a7553, which is 2038068563 in decimal.
So the answer is 2038068563.
The lesson of this exercise: when there is no usable string to search for, setting breakpoints on APIs is a way to find the key function.
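The check routine at 004013D2 modelled in Python, as an added example that is not code from the original post. It assumes the caller's esi is 0 on entry, so the value to match after the final xor is 0x797A7553, and it reproduces the 32-bit register arithmetic, which also accepts inputs that wrap modulo 2^32.

```python
# Added example: a register-level model of the check routine at 004013D2,
# written from the disassembly above. Assumption: the caller's esi is 0 on
# entry, so "xor esi,0x797A7553" leaves esi == 0x797A7553.
TARGET = 0x797A7553
MASK32 = 0xFFFFFFFF

def check_routine(text: str) -> int:
    """Return the 32-bit eax that 004013D2 produces for `text`.

    Mirrors the assembly step by step:
      - a leading '-' sets edx = -1
      - each following byte b is folded in as ecx = ecx*10 + ((b - 0x30) & 0xFF)
      - eax = (edx + ecx) ^ edx, which negates ecx when edx == -1
    All arithmetic is reduced modulo 2**32 like the 32-bit registers.
    """
    data = text.encode("ascii") + b"\x00"   # GetWindowTextA buffer is NUL-terminated
    ecx = 0
    edx = 0
    i = 0
    al = data[i]; i += 1                    # mov al,[esi] / inc esi
    if al == 0x2D:                          # cmp al,0x2D  ('-')
        edx = MASK32                        # mov edx,-1 (unsigned 32-bit view)
        al = data[i]; i += 1
    while al != 0:                          # or al,al / jnz
        eax = (al - 0x30) & 0xFF            # sub al,0x30: only al changes, upper bytes stay 0
        ecx = (ecx + ecx * 4) & MASK32      # lea ecx,[ecx+ecx*4]
        ecx = (eax + ecx * 2) & MASK32      # lea ecx,[eax+ecx*2]  -> ecx*10 + digit
        al = data[i]; i += 1
    eax = (edx + ecx) & MASK32              # lea eax,[edx+ecx]
    return eax ^ edx                        # xor eax,edx

def is_valid(text: str) -> bool:
    """True when the routine's eax equals the esi the caller compares against."""
    return check_routine(text) == TARGET

def accepted_inputs() -> list:
    """Inputs the check accepts, including two that rely on 32-bit wraparound."""
    return [
        str(TARGET),                        # 2038068563, the answer given in the post
        str(TARGET + 2**32),                # 6333035859 wraps back to TARGET in 32 bits
        "-" + str(2**32 - TARGET),          # -2256898733 negates to TARGET modulo 2**32
    ]
```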