关键代码段分析:
00401528 |. 68 00010000 PUSH 100 ; /Count = 100 (256.)
0040152D |. 8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100] ; | eax = ebp - 0x100; // 栈上 0x100 (256) 字节的缓冲区,存放 name;大小与下面传给 GetDlgItemTextA 的 Count=0x100 一致,所以这次读取本身不会溢出到保存的 EBP
00401533 |. 50 PUSH EAX
00401534 |. 6A 65 PUSH 65 ; |ControlID = 65 (101.)
00401536 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401539 |. E8 FA010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
// 把参数压入栈中,调用 GetDlgItemTextA 函数(stdcall,参数从右向左压栈),转换成高级语言是:
// GetDlgItemTextA(hWnd, 0x65 /*控件 ID*/, buffer, 0x100 /*sizeof(buffer),含结尾 NUL*/);
0040153E |. 89C3 MOV EBX,EAX //ebx = eax = GetDlgItemTextA的返回值 , 取得的字符串的长度
00401540 |. 09DB OR EBX,EBX //判断长度是否为空
00401542 |. 75 04 JNZ SHORT unpacked.00401548 //用户名不空就跳,否则就挂
00401544 |. 31C0 XOR EAX,EAX //
00401546 |. EB 50 JMP SHORT unpacked.00401598 //函数结束的地址。
00401548 |> BF BC020000 MOV EDI,2BC
0040154D |. BE 30000000 MOV ESI,30
00401552 |. B8 48000000 MOV EAX,48
00401557 |. 99 CDQ
00401558 |. F7FB IDIV EBX //ebx 存放的是Namelength
0040155A |. 29C6 SUB ESI,EAX
0040155C |. 8D34B6 LEA ESI,DWORD PTR DS:[ESI+ESI*4]
0040155F |. 29F7 SUB EDI,ESI
00401561 |. 6BFF 6B IMUL EDI,EDI,6B
00401564 |. 81EF 6CCF0000 SUB EDI,0CF6C
//EDI=(0x2bc-(0x30-0x48/namelen)*5)*0x6b-0xcf6c,其中 0x48/namelen 是整数除法;namelen 已在 00401540 处判过非零,所以 IDIV 不会除零。
//得出的 EDI 必须满足 0x190 <= EDI <= 0x2300(JG/JGE 为有符号比较),否则就挂。
//展开可得 EDI = 535*(0x48/namelen) - 3880,代入范围得 8 <= 0x48/namelen <= 24,即用户名长度只能在 3 到 9 之间。
0040156A |. 81FF 00230000 CMP EDI,2300
00401570 |. 7F 08 JG SHORT unpacked.0040157A .
00401572 |. 81FF 90010000 CMP EDI,190
00401578 |. 7D 04 JGE SHORT unpacked.0040157E
0040157A |> 31C0 XOR EAX,EAX
// 通过条件: edi >= 0x190 && edi <= 0x2300 (有符号比较;等于 0x190 时 JGE 成立,同样通过)
明天继续