System: Windows XP

Program: cztria~1

Program download address: http://pan.baidu.com/s/1slUwmVr

Requirement: patch (force the check to pass)

Tool used: OD (OllyDbg)

Write-ups on cracking this program can be found on the Kanxue (看雪) forum: Portal

Without further ado, search for the string "you did it!" and double-click the result to locate the code:

0040137B |. 6A push ; /Count = 40 (64.)
0040137D |. push ; |pediy
|. FF35 push dword ptr [] ; |hWnd = 000405D8 (class='Edit',parent=000505C0)
|. E8 A3080000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
0040138D |. 83F8 cmp eax, ; Less than or equal to 4?
|. 0F8E 9F000000 jle
|. 6A push ; /Count = 40 (64.)
|. push ; |12345
0040139D |. B90B0000 push 0BB9 ; |ControlID = BB9 (3001.)
004013A2 |. FF75 push dword ptr [ebp+] ; |hWnd
004013A5 |. E8 6E080000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004013AA |. 83F8 cmp eax, ; Less than or equal to 4?
004013AD |. 0F8E jle
004013B3 |. A3 mov dword ptr [], eax
004013B8 |. FF35 push dword ptr [] ; /hWnd = 000405D8 (class='Edit',parent=000505C0)
004013BE |. E8 AF080000 call <jmp.&USER32.SetFocus> ; \SetFocus
004013C3 |. BF mov edi, ; pediy
004013C8 |. BE mov esi, ; pediy
004013CD |> AC /lods byte ptr [esi] ; Loop through the user name string
004013CE |. 0C |or al,
004013D0 |. |je short 004013D7
004013D2 |. 0C |or al,
004013D4 |. AA |stos byte ptr es:[edi]
004013D5 |.^ EB F6 \jmp short 004013CD
004013D7 |> BF A0324000 mov edi, 004032A0
004013DC |. BE mov esi, ;
004013E1 |. 8D1D lea ebx, dword ptr []
004013E7 |. 33C9 xor ecx, ecx
004013E9 |> AC /lods byte ptr [esi] ; Loop over the password
004013EA |. 0C |or al,
004013EC |. |je short
004013EE |. 8A13 |mov dl, byte ptr [ebx] ; Current user name character
004013F0 |. 2AD0 |sub dl, al ; User name character - password character
004013F2 |. 80CA |or dl, ; If they are the same, jump to error
004013F5 |. 3E |je short
004013F7 |. 8AC2 |mov al, dl
004013F9 |. 0F |and al, 0F
004013FB |. 0C |or al, ; Is al 0?
004013FD |. |je short ; If 0, jump to error
004013FF |. AA |stos byte ptr es:[edi] ; Save al into the table
|. 02C8 |add cl, al ; Accumulate the result
|. |inc ebx
|.^ EB E4 \jmp short 004013E9
|> 890D 6A324000 mov dword ptr [40326A], ecx ; Save the accumulated results
0040140B |. E8 call ; The key call
|. BE A0324000 mov esi, 004032A0
|. 8B15 mov edx, dword ptr [] ; Take the length of the password
0040141B |. C1EA shr edx, ; Logical shift right
0040141E |. 03F2 add esi, edx
|. 8A06 mov al, byte ptr [esi] ; Take the value from the table
|. 33D2 xor edx, edx
|. 8B15 6E324000 mov edx, dword ptr [40326E]
0040142A |. 2BD0 sub edx, eax
0040142C |. A1 6A324000 mov eax, dword ptr [40326A]
|. 3BC2 cmp eax, edx
jz short
|> push ; /Style = MB_OK|MB_TASKMODAL
0040143A |. D1314000 push 004031D1 ; | error
0040143F |. F9314000 push 004031F9 ; | sorry cracker, wrong.
|. FF75 push dword ptr [ebp+] ; |hOwner
|. E8 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040144C |. 6A push ; /Length = 40 (64.)
0040144E |. E0324000 push 004032E0 ; |Destination = cztria~1.004032E0
|. E8 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
|. 6A push ; /Length = 40 (64.)
0040145A |. A0334000 push 004033A0 ; |Destination = cztria~1.004033A0
0040145F |. E8 4A080000 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
|. EB 2F jmp short
|> push ; /Style = MB_OK|MB_TASKMODAL
0040146B |. E5314000 push 004031E5 ; | <registered>
|. push ; | you did it!
|. FF75 push dword ptr [ebp+] ; |hOwner
|. E8 D1070000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040147D |. 6A push ; /Length = 40 (64.)
0040147F |. E0324000 push 004032E0 ; |Destination = cztria~1.004032E0
|. E8 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
|. 6A push ; /Length = 40 (64.)
0040148B |. A0334000 push 004033A0 ; |Destination = cztria~1.004033A0
|. E8 call <jmp.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory

Step into the key call:

0040140B |. E8 27020000 call 00401637 ; The key call

 /$ BE A0324000 mov esi, 004032A0
0040163C |. 8B15 mov edx, dword ptr [] ; Take the length of the password
|. push edx
|. 33C0 xor eax, eax
|. 83EA sub edx,
|. 03F2 add esi, edx
0040164A |. 8A06 mov al, byte ptr [esi] ; Take the value from the table
0040164C |. F7E0 mul eax
0040164E |. 5A pop edx
0040164F |. 83EA sub edx,
|. F7E2 mul edx
|. B9 mov ecx,
|> 2BC1 /sub eax, ecx
0040165B |. 83F8 |cmp eax, ; Is eax 0?
0040165E |. 7E |jle short
|. 83C2 |add edx,
|. 83C1 |add ecx,
|.^ EB F1 \jmp short
|> push edx ; Save edx
|. BE A0324000 mov esi, 004032A0
0040166E |. 8BFE mov edi, esi
|. 8B15 mov edx, dword ptr [] ; Take the length of the password
|. 33C0 xor eax, eax
|. 83EA sub edx,
0040167B |. 03F2 add esi, edx
0040167D |. 8A06 mov al, byte ptr [esi] ; Take the value from the table
0040167F |. 83C0 add eax,
|. 5A pop edx
|. 03C2 add eax, edx
|. D1E8 shr eax,
|. 8B15 mov edx, dword ptr [] ; Take the length of the password
0040168D |. 03FA add edi, edx
0040168F |. AA stos byte ptr es:[edi]
|. F7E0 mul eax
|. 8B15 mov edx, dword ptr [] ; Take the length of the password
|. 83EA sub edx,
0040169B |. F7E2 mul edx
0040169D |. B9 mov ecx,
004016A2 |> 2BC1 /sub eax, ecx
004016A4 |. 83F8 |cmp eax, ; Is eax 0?
004016A7 |. 7E |jle short 004016B1
004016A9 |. 83C2 |add edx,
004016AC |. 83C1 |add ecx,
004016AF |.^ EB F1 \jmp short 004016A2
004016B1 |> push edx
004016B2 |. BE A0324000 mov esi, 004032A0
004016B7 |. 8B15 mov edx, dword ptr [] ; Take the length of the password
004016BD |. 33C0 xor eax, eax
004016BF |. 03F2 add esi, edx
004016C1 |. 8A06 mov al, byte ptr [esi] ; Take the last entry in the table
004016C3 |. 83C0 add eax,
004016C6 |. 5A pop edx
004016C7 |. 03C2 add eax, edx
004016C9 |. D1E8 shr eax,
004016CB |. A3 6E324000 mov dword ptr [40326E], eax ; Save results
004016D0 \. C3 retn

This is a typical two-variable (binary) function check. A table and a cumulative value are generated from the differences between the user name and password characters. Two special values are then generated from the table.

For the input to be accepted, it must satisfy: special value 1 - special value 2 == cumulative result

We can simply change the conditional jump to:

00401433 /75 31 jnz short 00401466

That completes the patch.
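As an added example (not code from the original post), the C sketch below decodes the relative branches whose bytes and addresses both survive in the listing and confirms the targets shown there. It also shows that `jz` and `jnz` differ by a single opcode bit, which is why a check that hangs on one branch offers no tamper resistance. The function and constant names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result of decoding one x86-32 relative branch; mnemonic is NULL if unsupported. */
typedef struct { const char *mnemonic; uint32_t target; int length; } branch_t;

static const char *JCC[16] = {"jo", "jno", "jb", "jnb", "jz", "jnz", "jbe", "ja",
                              "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"};

/* Byte sequences copied from the listing (named by address; stated target in comment). */
static const uint8_t JMP_4013D5[]  = {0xEB, 0xF6};                   /* -> 004013CD */
static const uint8_t CALL_40140B[] = {0xE8, 0x27, 0x02, 0x00, 0x00}; /* -> 00401637 */
static const uint8_t JNZ_401433[]  = {0x75, 0x31};                   /* -> 00401466 */
static const uint8_t JMP_4016AF[]  = {0xEB, 0xF1};                   /* -> 004016A2 */

branch_t decode_branch(uint32_t addr, const uint8_t *b, size_t n) {
    branch_t r = {NULL, 0, 0};
    if (n >= 2 && ((b[0] & 0xF0) == 0x70 || b[0] == 0xEB)) {
        /* Jcc rel8 / jmp rel8: signed 8-bit offset from the next instruction */
        r.mnemonic = b[0] == 0xEB ? "jmp" : JCC[b[0] & 0x0F];
        r.length = 2;
        r.target = addr + 2 + (uint32_t)(int32_t)(int8_t)b[1];
    } else if (n >= 5 && (b[0] == 0xE8 || b[0] == 0xE9)) {
        /* call/jmp rel32: little-endian 32-bit offset from the next instruction */
        uint32_t rel = b[1] | (b[2] << 8) | (b[3] << 16) | ((uint32_t)b[4] << 24);
        r.mnemonic = b[0] == 0xE8 ? "call" : "jmp";
        r.length = 5;
        r.target = addr + 5 + rel;   /* unsigned wrap handles negative offsets */
    }
    return r;
}

/* Bit 0 of a short Jcc opcode selects the negated condition (74 jz <-> 75 jnz). */
uint8_t negate_jcc(uint8_t opcode) {
    return (opcode & 0xF0) == 0x70 ? (uint8_t)(opcode ^ 1) : opcode;
}

int main(void) {
    branch_t p = decode_branch(0x00401433, JNZ_401433, sizeof JNZ_401433);
    printf("%s short %08X (negated opcode %02X)\n", p.mnemonic,
           (unsigned)p.target, (unsigned)negate_jcc(JNZ_401433[0]));
    return 0;
}
```

Because the whole decision rests on one opcode bit, integrity checks on the code section or key-derived decryption of later stages are the usual defences against this kind of edit.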
