107 lines
7.1 KiB
Markdown
Raw Normal View History

2024-09-22 14:31:50 +08:00
VT 10/73
会不会有别的猫腻?
判断逻辑:(已简化整理代码)
```c#
int serial1 = "user input"; // ebp-10
int serial2 = "user input"; // ebp-14
int a = 0x539; // ebp-4
int c = 2; //ebp-C
while(a!=0){
serial2 ^= c++;
a--;
}
if(serial1==serial2){
//SUCCESS
}else{
//FAIL
}
```
Main: 00401390
```assembly
00401390 | 55 | push ebp |
00401391 | 89E5 | mov ebp,esp |
00401393 | 83EC 28 | sub esp,28 |
00401396 | 83E4 F0 | and esp,FFFFFFF0 |
00401399 | B8 00000000 | mov eax,0 |
0040139E | 83C0 0F | add eax,F |
004013A1 | 83C0 0F | add eax,F |
004013A4 | C1E8 04 | shr eax,4 |
004013A7 | C1E0 04 | shl eax,4 |
004013AA | 8945 E8 | mov dword ptr ss:[ebp-18],eax |
004013AD | 8B45 E8 | mov eax,dword ptr ss:[ebp-18] |
004013B0 | E8 F3BD0000 | call ac1d.materie.40D1A8 |
004013B5 | E8 2EBA0000 | call ac1d.materie.40CDE8 |
004013BA | C745 FC 39050000 | mov dword ptr ss:[ebp-4],539 |
004013C1 | C745 F8 00CA9A3B | mov dword ptr ss:[ebp-8],3B9ACA00 |
004013C8 | C745 F4 02000000 | mov dword ptr ss:[ebp-C],2 | [ebp-0C]:&"ALLUSERSPROFILE=C:\\ProgramData"
004013CF | C74424 04 00004400 | mov dword ptr ss:[esp+4],ac1d.materie.440000 | 440000:"############################\n"
004013D7 | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
004013DE | E8 2DAB0300 | call <ac1d.materie.Cout> |
004013E3 | C74424 04 1E004400 | mov dword ptr ss:[esp+4],ac1d.materie.44001E | 44001E:"#____[ AC1D Materie#1 ]____#\n"
004013EB | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
004013F2 | E8 19AB0300 | call <ac1d.materie.Cout> |
004013F7 | C74424 04 3C004400 | mov dword ptr ss:[esp+4],ac1d.materie.44003C | 44003C:"#__[ by #ParadoxX[AC1D] ]__#\n"
004013FF | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
00401406 | E8 05AB0300 | call <ac1d.materie.Cout> |
0040140B | C74424 04 5C004400 | mov dword ptr ss:[esp+4],ac1d.materie.44005C | 44005C:"############################\n\n"
00401413 | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
0040141A | E8 F1AA0300 | call <ac1d.materie.Cout> |
0040141F | C74424 04 7B004400 | mov dword ptr ss:[esp+4],ac1d.materie.44007B | 44007B:"First Serial: "
00401427 | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
0040142E | E8 DDAA0300 | call <ac1d.materie.Cout> |
00401433 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] |
00401436 | 894424 04 | mov dword ptr ss:[esp+4],eax | serial1
0040143A | C70424 60344400 | mov dword ptr ss:[esp],ac1d.materie.443460 |
00401441 | E8 926B0200 | call <ac1d.materie.Cin> |
00401446 | C74424 04 8A004400 | mov dword ptr ss:[esp+4],ac1d.materie.44008A | 44008A:"\nSecond Serial: "
0040144E | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
00401455 | E8 B6AA0300 | call <ac1d.materie.Cout> |
0040145A | 8D45 EC | lea eax,dword ptr ss:[ebp-14] | [ebp-14]:__get_image_app_type+1B
0040145D | 894424 04 | mov dword ptr ss:[esp+4],eax | serial2
00401461 | C70424 60344400 | mov dword ptr ss:[esp],ac1d.materie.443460 |
00401468 | E8 6B6B0200 | call <ac1d.materie.Cin> |
0040146D | 837D FC 00 | cmp dword ptr ss:[ebp-4],0 | init ebp-4:539 计算serial
00401471 | 74 14 | je ac1d.materie.401487 |
00401473 | 8B55 F4 | mov edx,dword ptr ss:[ebp-C] |
00401476 | 8D45 EC | lea eax,dword ptr ss:[ebp-14] |
00401479 | 3110 | xor dword ptr ds:[eax],edx |
0040147B | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] |
0040147E | FF00 | inc dword ptr ds:[eax] |
00401480 | 8D45 FC | lea eax,dword ptr ss:[ebp-4] |
00401483 | FF08 | dec dword ptr ds:[eax] |
00401485 | EB E6 | jmp ac1d.materie.40146D |
00401487 | C74424 04 9B004400 | mov dword ptr ss:[esp+4],ac1d.materie.44009B | 44009B:"\nChecking...\n"
0040148F | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
00401496 | E8 75AA0300 | call <ac1d.materie.Cout> |
0040149B | C70424 E8030000 | mov dword ptr ss:[esp],3E8 |
004014A2 | E8 C9F30000 | call <JMP.&_SleepStub@4> |
004014A7 | 83EC 04 | sub esp,4 |
004014AA | 8B45 F0 | mov eax,dword ptr ss:[ebp-10] |
004014AD | 3B45 EC | cmp eax,dword ptr ss:[ebp-14] | 检查
004014B0 | 74 22 | je ac1d.materie.4014D4 |
004014B2 | C74424 04 A9004400 | mov dword ptr ss:[esp+4],ac1d.materie.4400A9 | Fail, 4400A9:"Wrong Serial!\a\n"
004014BA | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
004014C1 | E8 4AAA0300 | call <ac1d.materie.Cout> |
004014C6 | C70424 B9004400 | mov dword ptr ss:[esp],ac1d.materie.4400B9 | 4400B9:"pause"
004014CD | E8 66F20000 | call <JMP.&_system> |
004014D2 | EB 34 | jmp ac1d.materie.401508 |
004014D4 | C74424 04 C0004400 | mov dword ptr ss:[esp+4],ac1d.materie.4400C0 | Success, 4400C0:"Solved! Show me your resolution at Crackmes.de + KeyGen!\n"
004014DC | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
004014E3 | E8 28AA0300 | call <ac1d.materie.Cout> |
004014E8 | C74424 04 FC004400 | mov dword ptr ss:[esp+4],ac1d.materie.4400FC | 4400FC:"Powered by #ParadoxX[AC1D] and Crackmes.de\n\n"
004014F0 | C70424 C0334400 | mov dword ptr ss:[esp],ac1d.materie.4433C0 |
004014F7 | E8 14AA0300 | call <ac1d.materie.Cout> |
004014FC | C70424 B9004400 | mov dword ptr ss:[esp],ac1d.materie.4400B9 | 4400B9:"pause"
00401503 | E8 30F20000 | call <JMP.&_system> |
00401508 | B8 00000000 | mov eax,0 |
0040150D | C9 | leave |
0040150E | C3 | ret |
```