環境:
Windows xp sp3
查殼,這次不用脫殼了,但是還是Delphi程序。
打開后看隨便輸點東西進去,發現Nome什么都能輸入,但最多10個字符,而
Codice可以是數字或者是“$”,在輸入“$”后就可以輸入“a,b,c,d,e,f",大小寫都行或者輸入“x”也可以輸入“abcdef”了。點一下Cancella,清零了。
嗯?難道這個是用來清空的?
OK又點不了。點一下About-help看看有什么用。
發現原來這次程序的要求是使得下面兩個按鈕都消失,可以看到那張logo。
OD載入,有了前兩次對付Delphi的程序的經驗,查字符串,看看有什么事件:
0044297C . /782C4400 dd aLoNg3x_.00442C78
00442980 . |0C db 0C
00442981 . |43 6F 64 69 6>ascii "CodiceChange"
0044298D |0E db 0E
0044298E |00 db 00
0044298F . |642D4400 dd aLoNg3x_.00442D64
00442993 . |07 db 07
00442994 . |4F 6B 43 6C 6>ascii "OkClick"
0044299B |11 db 11
0044299C |00 db 00
0044299D . |042E4400 dd aLoNg3x_.00442E04
004429A1 . |0A db 0A
004429A2 . |4E 6F 6D 65 4>ascii "NomeChange"
004429AC |14 db 14
004429AD |00 db 00
004429AE . |A82E4400 dd aLoNg3x_.00442EA8
004429B2 . |0D db 0D
004429B3 . |43 61 6E 63 6>ascii "CancellaClick"
004429C0 |11 db 11
004429C1 |00 db 00
004429C2 . |4C2F4400 dd aLoNg3x_.00442F4C
004429C6 . |0A db 0A
004429C7 . |41 62 6F 75 7>ascii "AboutClick"最后一個AboutClick我猜就是不用跟進去的,它就是幫助文檔。
先跟CodiceChange進去看看:
根據名字猜測,這段函數如果下了斷點每次輸入都會運行。
00442C78 /. 55 push ebp
00442C79 |. 8BEC mov ebp,esp
00442C7B |. 33C9 xor ecx,ecx
00442C7D |. 51 push ecx
00442C7E |. 51 push ecx
00442C7F |. 51 push ecx
00442C80 |. 51 push ecx
00442C81 |. 53 push ebx
00442C82 |. 56 push esi
00442C83 |. 8BD8 mov ebx,eax
00442C85 |. 33C0 xor eax,eax
00442C87 |. 55 push ebp
00442C88 |. 68 562D4400 push aLoNg3x_.00442D56
00442C8D |. 64:FF30 push dword ptr fs:[eax]
00442C90 |. 64:8920 mov dword ptr fs:[eax],esp
00442C93 |. 8D55 F8 lea edx,[local.2] ; 這里應該是選擇輸入的codies保存的位置
00442C96 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442C9C |. E8 1F06FEFF call aLoNg3x_.004232C0 ; 這個函數應該是獲得輸入codies
00442CA1 |. 8B45 F8 mov eax,[local.2] ; 出來后可以看到輸入的Codies在[local.2]
00442CA4 |. 8D55 FC lea edx,[local.1]
00442CA7 |. E8 ACFCFBFF call aLoNg3x_.00402958 ; 這個是計算輸入的Codies的
00442CAC |. 8BF0 mov esi,eax ; 發現[00402958]將輸入的內容轉為16進制
00442CAE |. 837D FC 00 cmp [local.1],0x0
00442CB2 |. 74 18 je XaLoNg3x_.00442CCC
00442CB4 |. 8D55 F4 lea edx,[local.3]
00442CB7 |. 8BC6 mov eax,esi
00442CB9 |. E8 8249FCFF call aLoNg3x_.00407640
00442CBE |. 8B55 F4 mov edx,[local.3]
00442CC1 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442CC7 |. E8 2406FEFF call aLoNg3x_.004232F0
00442CCC |> 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442CD2 |. 8078 47 00 cmp byte ptr ds:[eax+0x47],0x0
00442CD6 |. 75 0F jnz XaLoNg3x_.00442CE7
00442CD8 |. B2 01 mov dl,0x1
00442CDA |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442CE0 |. 8B08 mov ecx,dword ptr ds:[eax]
00442CE2 |. FF51 60 call dword ptr ds:[ecx+0x60]
00442CE5 |. EB 49 jmp XaLoNg3x_.00442D30
00442CE7 |> 8D55 F8 lea edx,[local.2]
00442CEA |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442CF0 |. E8 CB05FEFF call aLoNg3x_.004232C0
00442CF5 |. 8B45 F8 mov eax,[local.2] ;
00442CF8 |. 50 push eax
00442CF9 |. 8D55 F0 lea edx,[local.4] ; 用戶名保存位置
00442CFC |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442D02 |. E8 B905FEFF call aLoNg3x_.004232C0 ; 這里調用的函數和上面的一樣,也是[4232C0]
00442D07 |. 8B45 F0 mov eax,[local.4] ; 這樣輸入的Nmae就在Local.4里面了
00442D0A |. 5A pop edx
00442D0B |. E8 2CFDFFFF call aLoNg3x_.00442A3C ; 這里有個call,下面有個跳轉,跟進去看一看
00442D10 |. 84C0 test al,al
00442D12 |. 74 0F je XaLoNg3x_.00442D23
00442D14 |. B2 01 mov dl,0x1
00442D16 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442D1C |. 8B08 mov ecx,dword ptr ds:[eax]
00442D1E |. FF51 60 call dword ptr ds:[ecx+0x60]
00442D21 |. EB 0D jmp XaLoNg3x_.00442D30
00442D23 |> 33D2 xor edx,edx
00442D25 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442D2B |. 8B08 mov ecx,dword ptr ds:[eax]
00442D2D |. FF51 60 call dword ptr ds:[ecx+0x60]
00442D30 |> 33C0 xor eax,eax
00442D32 |. 5A pop edx
00442D33 |. 59 pop ecx
00442D34 |. 59 pop ecx
00442D35 |. 64:8910 mov dword ptr fs:[eax],edx
00442D38 |. 68 5D2D4400 push aLoNg3x_.00442D5D
00442D3D |> 8D45 F0 lea eax,[local.4]
00442D40 |. E8 730AFCFF call aLoNg3x_.004037B8
00442D45 |. 8D45 F4 lea eax,[local.3]
00442D48 |. E8 6B0AFCFF call aLoNg3x_.004037B8
00442D4D |. 8D45 F8 lea eax,[local.2]
00442D50 |. E8 630AFCFF call aLoNg3x_.004037B8
00442D55 \. C3 retn跟到這里來:
00442A3C /$ 55 push ebp ; 計算第一個要求使得ok顯示
00442A3D |. 8BEC mov ebp,esp
00442A3F |. 83C4 F8 add esp,-0x8
00442A42 |. 53 push ebx
00442A43 |. 56 push esi
00442A44 |. 8955 F8 mov [local.2],edx
00442A47 |. 8945 FC mov [local.1],eax
00442A4A |. 8B45 FC mov eax,[local.1]
00442A4D |. E8 9611FCFF call aLoNg3x_.00403BE8
00442A52 |. 8B45 F8 mov eax,[local.2]
00442A55 |. E8 8E11FCFF call aLoNg3x_.00403BE8
00442A5A |. 33C0 xor eax,eax
00442A5C |. 55 push ebp
00442A5D |. 68 E52A4400 push aLoNg3x_.00442AE5
00442A62 |. 64:FF30 push dword ptr fs:[eax]
00442A65 |. 64:8920 mov dword ptr fs:[eax],esp
00442A68 |. 8B45 FC mov eax,[local.1]
00442A6B |. E8 C40FFCFF call aLoNg3x_.00403A34 ; 猜這里是獲得Name的長度
00442A70 |. 83F8 05 cmp eax,0x5 ; 用戶名長度不能小于等于5
00442A73 |. 7E 53 jle XaLoNg3x_.00442AC8
00442A75 |. 8B45 FC mov eax,[local.1]
00442A78 |. E8 B70FFCFF call aLoNg3x_.00403A34 ; 這里和上面是同一個函數,所以也是獲得長度
00442A7D |. 8BD8 mov ebx,eax ; 把長度記錄下來
00442A7F |. 8B45 FC mov eax,[local.1]
00442A82 |. E8 AD0FFCFF call aLoNg3x_.00403A34 ; 同上
00442A87 |. 8BD0 mov edx,eax ; 將長度L給edx
00442A89 |. 4A dec edx ; edx = edx - 1
00442A8A |. 85D2 test edx,edx
00442A8C |. 7E 20 jle XaLoNg3x_.00442AAE
00442A8E |. B8 01000000 mov eax,0x1 ; eax賦值為1
00442A93 |> 8B4D FC /mov ecx,[local.1]
00442A96 |. 0FB64C01 FF |movzx ecx,byte ptr ds:[ecx+eax-0x1] ; 這里有個計算
00442A9B |. 8B75 FC |mov esi,[local.1] ;
00442A9E |. 0FB63406 |movzx esi,byte ptr ds:[esi+eax] ;
00442AA2 |. 0FAFCE |imul ecx,esi ;
00442AA5 |. 0FAFC8 |imul ecx,eax
00442AA8 |. 03D9 |add ebx,ecx
00442AAA |. 40 |inc eax
00442AAB |. 4A |dec edx
00442AAC |.^ 75 E5 \jnz XaLoNg3x_.00442A93
00442AAE |> 8B45 F8 mov eax,[local.2]
00442AB1 |. E8 BA4BFCFF call aLoNg3x_.00407670 ; 將輸入的Codies轉成16進制,保存在eax中
00442AB6 |. 2BD8 sub ebx,eax ; 將上面計算出來的結果相減
00442AB8 |. 81FB 9A020000 cmp ebx,0x29A ;比較差值是不是0x29A
00442ABE |. 75 04 jnz XaLoNg3x_.00442AC4
00442AC0 |. B3 01 mov bl,0x1
00442AC2 |. EB 06 jmp XaLoNg3x_.00442ACA
00442AC4 |> 33DB xor ebx,ebx
00442AC6 |. EB 02 jmp XaLoNg3x_.00442ACA
00442AC8 |> 33DB xor ebx,ebx
00442ACA |> 33C0 xor eax,eax
00442ACC |. 5A pop edx
00442ACD |. 59 pop ecx
00442ACE |. 59 pop ecx
00442ACF |. 64:8910 mov dword ptr fs:[eax],edx
00442AD2 |. 68 EC2A4400 push aLoNg3x_.00442AEC
00442AD7 |> 8D45 F8 lea eax,[local.2]
00442ADA |. BA 02000000 mov edx,0x2
00442ADF |. E8 F80CFCFF call aLoNg3x_.004037DC
00442AE4 \. C3 retn分析上面計算過程就是:
設:
輸入的Nome為數組name
輸入的name的長度為L,即:
strlen(name) == L
sum 為計算結果,有:
sum += name[i-1]*name[i]*(i+1) i的取值范圍是[0,L)
最后記得sum+=L,因為一開始計算的時候ebx的值是L
得出來的sum -= 0x29A,得到的結果填到Codice里面
填進去之后發現OK亮了,懷著緊張激動的心情點一下,發現回到原點。。。。
那點Cancella呢?也是一樣。那就跟到CancellaClick看一看
00442EA8 /. 55 push ebp
00442EA9 |. 8BEC mov ebp,esp
00442EAB |. 6A 00 push 0x0
00442EAD |. 53 push ebx
00442EAE |. 8BD8 mov ebx,eax
00442EB0 |. 33C0 xor eax,eax
00442EB2 |. 55 push ebp
00442EB3 |. 68 322F4400 push aLoNg3x_.00442F32
00442EB8 |. 64:FF30 push dword ptr fs:[eax]
00442EBB |. 64:8920 mov dword ptr fs:[eax],esp
00442EBE |. 8D55 FC lea edx,[local.1]
00442EC1 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442EC7 |. E8 F403FEFF call aLoNg3x_.004232C0 ; 將輸入的讀到local.1
00442ECC |. 8B45 FC mov eax,[local.1]
00442ECF |. E8 9C47FCFF call aLoNg3x_.00407670
00442ED4 |. 50 push eax ; 轉成內容
00442ED5 |. 8D55 FC lea edx,[local.1]
00442ED8 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442EDE |. E8 DD03FEFF call aLoNg3x_.004232C0 ; 讀name
00442EE3 |. 8B45 FC mov eax,[local.1]
00442EE6 |. 5A pop edx
00442EE7 |. E8 08FCFFFF call aLoNg3x_.00442AF4 ; 這個和上面那個差不多,call完就test,后面就接著跳,跟進去看一看
00442EEC |. 84C0 test al,al
00442EEE |. 74 1C je XaLoNg3x_.00442F0C ; 輸入的內容不符合要求就跳,那就看看怎樣使得它不跳
00442EF0 |. 33D2 xor edx,edx
00442EF2 |. 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442EF8 |. E8 B302FEFF call aLoNg3x_.004231B0
00442EFD |. B2 01 mov dl,0x1
00442EFF |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442F05 |. 8B08 mov ecx,dword ptr ds:[eax]
00442F07 |. FF51 60 call dword ptr ds:[ecx+0x60]
00442F0A |. EB 10 jmp XaLoNg3x_.00442F1C
00442F0C |> BA 482F4400 mov edx,aLoNg3x_.00442F48 ; 0
00442F11 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442F17 |. E8 D403FEFF call aLoNg3x_.004232F0
00442F1C |> 33C0 xor eax,eax
00442F1E |. 5A pop edx
00442F1F |. 59 pop ecx
00442F20 |. 59 pop ecx
00442F21 |. 64:8910 mov dword ptr fs:[eax],edx
00442F24 |. 68 392F4400 push aLoNg3x_.00442F39
00442F29 |> 8D45 FC lea eax,[local.1]
00442F2C |. E8 8708FCFF call aLoNg3x_.004037B8
00442F31 \. C3 retn00442AF4:
00442AF4 /$ 55 push ebp ; 發現和剛才的差不多,也是有個計算
00442AF5 |. 8BEC mov ebp,esp
00442AF7 |. 83C4 F8 add esp,-0x8
00442AFA |. 53 push ebx
00442AFB |. 56 push esi
00442AFC |. 8955 F8 mov [local.2],edx ;local.2是Codies的16進制
00442AFF |. 8945 FC mov [local.1],eax ;local.1是Nome
00442B02 |. 8B45 FC mov eax,[local.1]
00442B05 |. E8 DE10FCFF call aLoNg3x_.00403BE8
00442B0A |. 33C0 xor eax,eax
00442B0C |. 55 push ebp
00442B0D |. 68 902B4400 push aLoNg3x_.00442B90
00442B12 |. 64:FF30 push dword ptr fs:[eax]
00442B15 |. 64:8920 mov dword ptr fs:[eax],esp
00442B18 |. 8B45 FC mov eax,[local.1]
00442B1B |. E8 140FFCFF call aLoNg3x_.00403A34 ; 取長度
00442B20 |. 83F8 05 cmp eax,0x5
00442B23 |. 7E 53 jle XaLoNg3x_.00442B78
00442B25 |. 8B45 FC mov eax,[local.1]
00442B28 |. 0FB640 04 movzx eax,byte ptr ds:[eax+0x4] ; 拿到第5個字符
00442B2C |. B9 07000000 mov ecx,0x7
00442B31 |. 33D2 xor edx,edx
00442B33 |. F7F1 div ecx
00442B35 |. 8BC2 mov eax,edx ; 除以0x7的余數給eax
00442B37 |. 83C0 02 add eax,0x2 ; 余數加上2
00442B3A |. E8 E1FEFFFF call aLoNg3x_.00442A20 ; 計算余數的階乘
00442B3F |. 8BF0 mov esi,eax
00442B41 |. 33DB xor ebx,ebx
00442B43 |. 8B45 FC mov eax,[local.1]
00442B46 |. E8 E90EFCFF call aLoNg3x_.00403A34 ; 取長度
00442B4B |. 85C0 test eax,eax
00442B4D |. 7E 16 jle XaLoNg3x_.00442B65
00442B4F |. BA 01000000 mov edx,0x1
00442B54 |> 8B4D FC /mov ecx,[local.1]
00442B57 |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-0x1]
00442B5C |. 0FAFCE |imul ecx,esi ; 余數的階乘乘以每一個位上的值
00442B5F |. 03D9 |add ebx,ecx
00442B61 |. 42 |inc edx
00442B62 |. 48 |dec eax
00442B63 |.^ 75 EF \jnz XaLoNg3x_.00442B54
00442B65 |> 2B5D F8 sub ebx,[local.2] ; 減去它的16進制的值
00442B68 |. 81FB 697A0000 cmp ebx,0x7A69 ; 和0x7A69比較
00442B6E |. 75 04 jnz XaLoNg3x_.00442B74
00442B70 |. B3 01 mov bl,0x1
00442B72 |. EB 06 jmp XaLoNg3x_.00442B7A
00442B74 |> 33DB xor ebx,ebx
00442B76 |. EB 02 jmp XaLoNg3x_.00442B7A
00442B78 |> 33DB xor ebx,ebx
00442B7A |> 33C0 xor eax,eax
00442B7C |. 5A pop edx
00442B7D |. 59 pop ecx
00442B7E |. 59 pop ecx
00442B7F |. 64:8910 mov dword ptr fs:[eax],edx
00442B82 |. 68 972B4400 push aLoNg3x_.00442B97
00442B87 |> 8D45 FC lea eax,[local.1]
00442B8A |. E8 290CFCFF call aLoNg3x_.004037B8
00442B8F \. C3 retn計算過程如下:
有:Name[4](這個是第5個字符)
x = Name[4]%7+2
x = x!(這里是x的階乘)
sum += x*Name[i] ? ?i的取值是[0,L)
sum -= 0x7A69
上次是0x29A,這次是0x7A69。難道輸入的Nome和Codice都要符合要求?
寫個程序出來看看能不能猜出來,猜了一會發現沒這個技術,那就窮舉吧。
舉了好一會,都沒有出結果。會不會是猜錯了?
反正Cancella的要求是0x7A69,搞個符合要求的就好了。
按照上面的計算過程,得到:
Nome:goodname
Codice::4212343
點一下Cancella,居然消失,哈哈哈!
那我在點一下Ok,沒反應。。。
那看來,Ok的要求又不一樣了。那就跟到OkClick看一看:
00442D64 /. 55 push ebp ; OK click
00442D65 |. 8BEC mov ebp,esp
00442D67 |. 6A 00 push 0x0
00442D69 |. 53 push ebx
00442D6A |. 8BD8 mov ebx,eax
00442D6C |. 33C0 xor eax,eax
00442D6E |. 55 push ebp
00442D6F |. 68 ED2D4400 push aLoNg3x_.00442DED
00442D74 |. 64:FF30 push dword ptr fs:[eax]
00442D77 |. 64:8920 mov dword ptr fs:[eax],esp
00442D7A |. 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442D80 |. 8078 47 01 cmp byte ptr ds:[eax+0x47],0x1 ; 判斷后面那個按鈕是否隱藏了
00442D84 |. 75 12 jnz XaLoNg3x_.00442D98
00442D86 |. BA 002E4400 mov edx,aLoNg3x_.00442E00 ; 0
00442D8B |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442D91 |. E8 5A05FEFF call aLoNg3x_.004232F0
00442D96 |. EB 3F jmp XaLoNg3x_.00442DD7
00442D98 |> 8D55 FC lea edx,[local.1]
00442D9B |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442DA1 |. E8 1A05FEFF call aLoNg3x_.004232C0 ;這里使得local.1的內容是輸入的Codeis
00442DA6 |. 8B45 FC mov eax,[local.1]
00442DA9 |. E8 C248FCFF call aLoNg3x_.00407670 ;這里是轉成16進制
00442DAE |. 50 push eax
00442DAF |. 8D55 FC lea edx,[local.1] ;
00442DB2 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC] ;
00442DB8 |. E8 0305FEFF call aLoNg3x_.004232C0 ; 這里是讀到輸入的Nome
00442DBD |. 8B45 FC mov eax,[local.1]
00442DC0 |. 5A pop edx ; pop出來的內容是Codies的16進制
00442DC1 |. E8 DAFDFFFF call aLoNg3x_.00442BA0 ; 這里還是有個test,這個call的后面的格式,讓人不跟進去都難啊
00442DC6 |. 84C0 test al,al
00442DC8 |. 74 0D je XaLoNg3x_.00442DD7
00442DCA |. 33D2 xor edx,edx
00442DCC |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442DD2 |. E8 D903FEFF call aLoNg3x_.004231B0
00442DD7 |> 33C0 xor eax,eax
00442DD9 |. 5A pop edx
00442DDA |. 59 pop ecx
00442DDB |. 59 pop ecx
00442DDC |. 64:8910 mov dword ptr fs:[eax],edx
00442DDF |. 68 F42D4400 push aLoNg3x_.00442DF4
00442DE4 |> 8D45 FC lea eax,[local.1]
00442DE7 |. E8 CC09FCFF call aLoNg3x_.004037B8
00442DEC \. C3 retn
[442BA0]跟進去看一看:
00442BA0 /$ 55 push ebp ;
00442BA1 |. 8BEC mov ebp,esp
00442BA3 |. 6A 00 push 0x0
00442BA5 |. 6A 00 push 0x0
00442BA7 |. 6A 00 push 0x0
00442BA9 |. 53 push ebx
00442BAA |. 56 push esi
00442BAB |. 8BF2 mov esi,edx
00442BAD |. 8945 FC mov [local.1],eax
00442BB0 |. 8B45 FC mov eax,[local.1]
00442BB3 |. E8 3010FCFF call aLoNg3x_.00403BE8
00442BB8 |. 33C0 xor eax,eax
00442BBA |. 55 push ebp
00442BBB |. 68 672C4400 push aLoNg3x_.00442C67
00442BC0 |. 64:FF30 push dword ptr fs:[eax]
00442BC3 |. 64:8920 mov dword ptr fs:[eax],esp
00442BC6 |. 33DB xor ebx,ebx
00442BC8 |. 8D55 F8 lea edx,[local.2]
00442BCB |. 8BC6 mov eax,esi
00442BCD |. E8 6E4AFCFF call aLoNg3x_.00407640 ; 這里將輸入的Codies保存在local.2中
00442BD2 |. 8D45 F4 lea eax,[local.3]
00442BD5 |. 8B55 F8 mov edx,[local.2]
00442BD8 |. E8 730CFCFF call aLoNg3x_.00403850
00442BDD |. 8B45 F8 mov eax,[local.2]
00442BE0 |. E8 4F0EFCFF call aLoNg3x_.00403A34 ;這個是拿到輸入Codies的長度
00442BE5 |. 83F8 05 cmp eax,0x5 ; 長度要大于5
00442BE8 |. 7E 60 jle XaLoNg3x_.00442C4A
00442BEA |. 8B45 F8 mov eax,[local.2]
00442BED |. E8 420EFCFF call aLoNg3x_.00403A34 ; 繼續拿到Codies的長度
00442BF2 |. 8BF0 mov esi,eax
00442BF4 |. 83FE 01 cmp esi,0x1
00442BF7 |. 7C 2F jl XaLoNg3x_.00442C28
00442BF9 |> 8D45 F4 /lea eax,[local.3]
00442BFC |. E8 0310FCFF |call aLoNg3x_.00403C04
00442C01 |. 8D4430 FF |lea eax,dword ptr ds:[eax+esi-0x1]
00442C05 |. 50 |push eax
00442C06 |. 8B45 F8 |mov eax,[local.2]
00442C09 |. 0FB64430 FF |movzx eax,byte ptr ds:[eax+esi-0x1]
00442C0E |. F7E8 |imul eax ; eax*eax
00442C10 |. 0FBFC0 |movsx eax,ax ; 取后4位
00442C13 |. F7EE |imul esi ; *esi
00442C15 |. B9 19000000 |mov ecx,0x19
00442C1A |. 99 |cdq
00442C1B |. F7F9 |idiv ecx ; /0x19
00442C1D |. 83C2 41 |add edx,0x41 ; 余數+0x41
00442C20 |. 58 |pop eax
00442C21 |. 8810 |mov byte ptr ds:[eax],dl
00442C23 |. 4E |dec esi
00442C24 |. 85F6 |test esi,esi
00442C26 |.^ 75 D1 \jnz XaLoNg3x_.00442BF9
00442C28 |> 8B45 F4 mov eax,[local.3] ;經過上面的計算local.3生成一個字符串
00442C2B |. 8B55 FC mov edx,[local.1] ;local.1是輸入的Nome
00442C2E |. E8 110FFCFF call aLoNg3x_.00403B44 :這個是比較
00442C33 |. 75 17 jnz XaLoNg3x_.00442C4C ;不等就跳
00442C35 |. 8B45 FC mov eax,[local.1]
00442C38 |. 8B55 F4 mov edx,[local.3]
00442C3B |. E8 040FFCFF call aLoNg3x_.00403B44
00442C40 |. 75 04 jnz XaLoNg3x_.00442C46
00442C42 |. B3 01 mov bl,0x1
00442C44 |. EB 06 jmp XaLoNg3x_.00442C4C
00442C46 |> 33DB xor ebx,ebx
00442C48 |. EB 02 jmp XaLoNg3x_.00442C4C
00442C4A |> 33DB xor ebx,ebx
00442C4C |> 33C0 xor eax,eax
00442C4E |. 5A pop edx
00442C4F |. 59 pop ecx
00442C50 |. 59 pop ecx
00442C51 |. 64:8910 mov dword ptr fs:[eax],edx
00442C54 |. 68 6E2C4400 push aLoNg3x_.00442C6E
00442C59 |> 8D45 F4 lea eax,[local.3]
00442C5C |. BA 03000000 mov edx,0x3
00442C61 |. E8 760BFCFF call aLoNg3x_.004037DC
00442C66 \. C3 retn上面的計算過程是:
設:
首先將輸入的Codice轉為字符串ss
計算最終會生成一個字符串與輸入的字符串進行比較,
所以設N為生成的字符串。
ss的長度為L(這個L不等于上面的L)
sum為結果
這次是從后往前計算:
sum = ss[i] * ss[i] *(i+1) % 0x19 + 0x41
N[i] = sum
i的取值范圍是[0,L-1)
這樣就生成了一個N了,這次這個N是由Codies生成的。
輸入個什么鬼東西會生成個goodname呢?
不可能,因為那個求余0x19+0x41使得取值范圍在[65,90],所以Nome都是大寫字母來的
找出符合要求的Nome和Codies,
Nome:BADQUV
Codice:123456
輸入完后點擊Ok,這樣Ok也不見了。可以看到RingZer0這個logo了
這里有個問題:
首先輸入個Nome和Codice(稱它們為X),這個X是符合CancellaClick的要求的,這樣就可以把Cancella隱藏了
但是這個X未必是符合OkClick的要求的,但是在Cancella隱藏后,X是可以更改的,將它們改為符合Y(即符合OkClick事件)
的要求就行了。
那有沒有都符合CancellaClick事件的要求也符合OkClick事件的要求呢?寫個程序,由于CPU太菜且作者太懶
這里只有Nome為6位符合要求的Nome和Codies:
AADQAE ? ?-21425
AAIAUG ? ? -28793
ACMQFA ? ?-30487
這個是窮舉出來的,代碼根據上面的計算過程可以寫出。
 不跟框架集成的版本)
![[PALAPALA] 無題 - 外來的和尚會念經](http://pic.xiahunao.cn/[PALAPALA] 無題 - 外來的和尚會念經)
 緩存)
)
)
)