
[原创]Q2第一题wp

2019-6-11 11:10
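代码写得很清楚,直接用 IDA 反汇编即可看到(难点是异常处理,其实也不算难,因为只是一个 __try 块,而且仍在本过程(函数)内部):
答案是:401353(输入被按十六进制逐位累加到 esi,再减去 call 指令压栈的返回地址 0x401353;结果为 0 时 div 触发除零异常,由 __except 处理块输出 success)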

; Excerpt of _main from a 32-bit MSVC-built challenge binary, as listed by IDA
; (Intel syntax). The prologue and the end of the function are outside this
; excerpt, so frame setup, SEH registration and the initial value of esi are
; not visible here.
;
; Flow: read a serial into the stack buffer var_3C, check its length and three
; fixed characters, fold every character into esi as a base-16 digit, then run
; a deliberate divide inside __try. Only a serial whose folded value cancels
; against the address 00401353 makes the divide fault, and the __except handler
; is the sole route to "success!".
;
; NOTE(review): the input call uses "%s" with no field width, and the length
; test at 004012C9 runs only after the buffer has been written. var_3C sits
; 20h bytes below the cookie slot var_1C, so longer input would write past the
; buffer; the cookie is verified on the "error" return path at 004012F0.
.text:00401298                 push    offset asc_41C6F8 ; "请输入序列号:\n" (prompt: "Please enter the serial number:")
.text:0040129D                 call    sub_401410 ; presumably a printf-like output routine - confirm
.text:004012A2                 lea     eax, [ebp+var_3C] ; eax = &var_3C, destination buffer for the input
.text:004012A5                 push    eax
.text:004012A6                 push    offset aS       ; "%s"
.text:004012AB                 call    sub_4013D0 ; presumably scanf-like; "%s" puts no bound on what lands in var_3C
.text:004012B0                 add     esp, 0Ch ; drop the three pushed dwords (prompt, buffer, format)
.text:004012B3                 lea     edx, [ebp+var_3C] ; edx = cursor over the input
.text:004012B6                 lea     ecx, [edx+1] ; ecx = start+1, so edx-ecx after the scan is the length
.text:004012B9                 nop     dword ptr [eax+00000000h] ; multi-byte nop padding the loop head to 004012C0
.text:004012C0
.text:004012C0 loc_4012C0:                             ; CODE XREF: _main+65↓j
.text:004012C0                 mov     al, [edx] ; inline strlen: walk to the terminating NUL
.text:004012C2                 inc     edx
.text:004012C3                 test    al, al
.text:004012C5                 jnz     short loc_4012C0
.text:004012C7                 sub     edx, ecx ; edx = length of the input
.text:004012C9                 cmp     edx, 7
.text:004012CC                 jb      short loc_4012F9 ; unsigned length < 7 goes on to the checks; otherwise fall into "error"
.text:004012CE
.text:004012CE loc_4012CE:                             ; CODE XREF: _main+9D↓j
.text:004012CE                                         ; _main+A3↓j ...
.text:004012CE                 push    offset aError   ; "error\n"
.text:004012D3                 call    sub_401410
.text:004012D8                 add     esp, 4
.text:004012DB                 xor     eax, eax ; return value 0
.text:004012DD                 mov     ecx, [ebp+ms_exc.registration.Next] ; saved link to the previous SEH record
.text:004012E0                 mov     large fs:0, ecx ; unlink this frame from the SEH chain
.text:004012E7                 pop     ecx
.text:004012E8                 pop     edi
.text:004012E9                 pop     esi
.text:004012EA                 pop     ebx
.text:004012EB                 mov     ecx, [ebp+var_1C] ; stored stack cookie
.text:004012EE                 xor     ecx, ebp ; presumably undoes the xor with ebp done when the cookie was stored (prologue not shown)
.text:004012F0                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012F5                 mov     esp, ebp
.text:004012F7                 pop     ebp
.text:004012F8                 retn
.text:004012F9 ; ---------------------------------------------------------------------------
.text:004012F9
.text:004012F9 loc_4012F9:                             ; CODE XREF: _main+6C↑j
.text:004012F9                 cmp     [ebp+var_37], 33h ; input[5] must be '3'
.text:004012FD                 jnz     short loc_4012CE
.text:004012FF                 cmp     [ebp+var_38], 35h ; input[4] must be '5'
.text:00401303                 jnz     short loc_4012CE
.text:00401305                 cmp     [ebp+var_39], 33h ; input[3] must be '3'
.text:00401309                 jnz     short loc_4012CE
.text:0040130B                 movzx   ecx, [ebp+var_3C] ; input[0]
.text:0040130F                 movzx   eax, [ebp+var_3B] ; input[1]
.text:00401313                 add     ecx, eax
.text:00401315                 movzx   eax, [ebp+var_3A] ; input[2]
.text:00401319                 add     ecx, eax
.text:0040131B                 cmp     ecx, 95h ; input[0]+input[1]+input[2] must equal 95h
.text:00401321                 jnz     short loc_4012CE
.text:00401323                 xor     ecx, ecx ; ecx = index i = 0
.text:00401325                 test    edx, edx ; edx still holds the length; skip the loop if it is 0
.text:00401327                 jz      short loc_401342
.text:00401329                 nop     dword ptr [eax+00000000h] ; multi-byte nop padding the loop head to 00401330
.text:00401330
.text:00401330 loc_401330:                             ; CODE XREF: _main+E0↓j
.text:00401330                 movzx   eax, [ebp+ecx+var_3C] ; eax = input[i]
.text:00401335                 shl     esi, 4 ; esi *= 16 (starting value of esi is set before this excerpt; presumably 0)
.text:00401338                 add     esi, 0FFFFFFD0h ; esi -= 30h ('0')
.text:0040133B                 add     esi, eax ; net: esi = esi*16 + (input[i] - '0'); nothing checks that input[i] is a digit
.text:0040133D                 inc     ecx
.text:0040133E                 cmp     ecx, edx
.text:00401340                 jb      short loc_401330
.text:00401342
.text:00401342 loc_401342:                             ; CODE XREF: _main+C7↑j
.text:00401342 ;   __try { // __except at loc_401379
.text:00401342                 mov     [ebp+ms_exc.registration.TryLevel], 0 ; enter the guarded scope
.text:00401349                 test    esi, esi
.text:0040134B                 jz      short loc_40135D ; folded value 0 skips the divide and lands on "error!"
.text:0040134D                 push    eax ; saved here, restored by the pop at 0040135C
.text:0040134E                 call    loc_401354 ; pushes return address 00401353 and steps over the byte below
.text:0040134E ; ---------------------------------------------------------------------------
.text:00401353                 db 0EBh ; never executed; apparently a filler byte (a short-jmp opcode) that breaks linear disassembly
.text:00401354 ; ---------------------------------------------------------------------------
.text:00401354
.text:00401354 loc_401354:                             ; CODE XREF: _main+EE↑j
.text:00401354                 pop     eax ; eax = 00401353, the return address pushed by the call
.text:00401355                 sub     eax, 0 ; no-op
.text:00401358                 sub     esi, eax ; esi = folded input - 00401353h
.text:0040135A                 div     esi ; esi == 0 raises a divide error, which is the intended way into the __except handler
.text:0040135C                 pop     eax ; reached only when the divide did not fault
.text:0040135D
.text:0040135D loc_40135D:                             ; CODE XREF: _main+EB↑j
.text:0040135D                 nop ; run of seven filler nops
.text:0040135E                 nop
.text:0040135F                 nop
.text:00401360                 nop
.text:00401361                 nop
.text:00401362                 nop
.text:00401363                 nop
.text:00401364                 push    offset aError_0 ; "error!\n"
.text:00401369                 call    sub_401410
.text:0040136E                 add     esp, 4
.text:00401371
.text:00401371 loc_401371:                             ; CODE XREF: _main:loc_401371↓j
.text:00401371                 jmp     short loc_401371 ; spins forever after printing "error!"
.text:00401373 ; ---------------------------------------------------------------------------
.text:00401373
.text:00401373 loc_401373:                             ; DATA XREF: .rdata:stru_41CC98↓o
.text:00401373 ;   __except filter // owned by 401342
.text:00401373                 mov     eax, 1 ; filter result 1 = EXCEPTION_EXECUTE_HANDLER, for any exception raised in the __try
.text:00401378                 retn
.text:00401379 ; ---------------------------------------------------------------------------
.text:00401379
.text:00401379 loc_401379:                             ; DATA XREF: .rdata:stru_41CC98↓o
.text:00401379 ;   __except(loc_401373) // owned by 401342
.text:00401379                 mov     esp, [ebp+ms_exc.old_esp] ; restore the stack pointer recorded in the exception frame
.text:0040137C                 lea     edx, [ebp+var_3C] ; second inline strlen over the same buffer
.text:0040137F                 lea     ecx, [edx+1]
.text:00401382
.text:00401382 loc_401382:                             ; CODE XREF: _main+127↓j
.text:00401382                 mov     al, [edx]
.text:00401384                 inc     edx
.text:00401385                 test    al, al
.text:00401387                 jnz     short loc_401382
.text:00401389                 sub     edx, ecx ; edx = length of the input
.text:0040138B                 xor     ecx, ecx ; ecx = index i = 0
.text:0040138D                 test    edx, edx
.text:0040138F                 jle     short loc_4013A7 ; signed test here, unlike the jb used on the first pass
.text:00401391
.text:00401391 loc_401391:                             ; CODE XREF: _main+145↓j
.text:00401391                 movzx   eax, [ebp+ecx+var_3C] ; eax = input[i]
.text:00401396                 add     ax, 9
.text:0040139A                 mov     word_41F300[ecx*2], ax ; word_41F300[i] = input[i] + 9, one 16-bit slot per character
.text:004013A2                 inc     ecx
.text:004013A3                 cmp     ecx, edx
.text:004013A5                 jl      short loc_401391
.text:004013A7
.text:004013A7 loc_4013A7:                             ; CODE XREF: _main+12F↑j
.text:004013A7                 push    offset aSuccess ; "success!\n"
.text:004013AC                 call    sub_401410 ; the excerpt stops here; the rest of _main is not shown


