Working the serial-number algorithm out backwards from the assembly code in OllyDbg

This still uses TraceMe; for the related background please refer to https://blog.51cto.com/181647568/2421560

By repeatedly studying TraceMe's assembly code and watching the values being assigned, I guessed the role of certain instructions.


To the right of each instruction I marked what it does, down to the last line, the call instruction. The call is what the following jump depends on: the je in the next figure is the instruction we NOPed out when we first brute-forced the check, so whether or not the serial number is correct has already been decided inside call TraceMe.00401340.


Click OK, then press Enter on the call to follow it into this method. For convenience I added a breakpoint here, so I can skip this step quickly with F9.


By watching the assignments I soon found a loop, followed by a few further operations at its end.


After the loop, the program performs an operation that produces the serial number, and then does a comparison (the lstrcmpA call) below it. Thanks to the previous post (https://blog.51cto.com/181647568/2421560) I was already able to obtain the correct verification code, so here I entered both the correct and an incorrect code and watched what happened. The result shows that after the operation one register (EAX) keeps a value: 1 when the serial number is correct, 0 when it is wrong.

And it is this value that controls the je instruction.

So I can confirm that the serial number is computed in the loop.


I could see a 0x7 and at first thought it meant the loop runs seven times. Then I stepped through the repeated iterations and looked at the mov part, where the blue assignment is clearly visible,


The figure shows the result of the first iteration. I recognised this character as the fourth character of the username I entered. To check, I changed the username several times, and each time it was the fourth character, converted to a number. I guessed it was the ASCII code; checking against a table confirmed it is indeed the ASCII code, but in hexadecimal.

The pink part of the mov, the hexadecimal C, I could not figure out at the time.

The following operations are imul, add and inc. I looked imul up on Baidu: it is multiplication, equivalent to edx = edx * ebx, and here the operands are the ASCII code of the fourth character of the username and the value C. Likewise add is esi = esi + edx; esi appears only in this instruction, and edx is exactly the product just computed, so the product from each iteration is accumulated into esi.

inc ecx means ecx = ecx + 1, which looks very much like a counter, so both ecx and eax are counters, and each of them corresponds to a cmp.

The last cmp compares ecx with edi. From my debugging, edi is always the length of the username, and this comparison controls the loop: the loop runs from 4 up to the number that is the username length.

In each iteration I kept watching the two MOV instructions. The blue part is clear: it is always the ASCII code of the N-th character of the username, starting from the 4th. The pink part is stranger: the first time it is C, the second time A, the third time 13, all hexadecimal numbers with no obvious pattern. So I had to work out what [eax+0x405030] means. eax is of course the eax register; its value is incremented by 1 by an inc eax on every iteration, and the first instruction of the loop checks whether eax is greater than 7. If it is, xor eax,eax is executed, which zeroes eax. (At first I misread this 7: I thought it controlled the number of iterations, so that a loop running from 4 to the username length would only execute seven times for a long username. But later I entered a longer username and the program did not leave the loop after seven iterations.)

0x405030 is clearly a memory address, so I right-clicked "Follow in Dump" and looked at this address in the data window.


The corresponding ASCII was garbage, and at first I did not understand it, but after a few iterations I noticed the pattern: the bytes 0C 0A 13 09 correspond to the values of the pink operand, and I immediately guessed the blue and pink values of the fourth iteration. Once the fourth iteration's result was confirmed, I still did not understand the relationship between eax and this memory address. So I kept testing with a fairly long username: after the pink part reached the final 08 it did not go on to D0 but returned to 0C. Then I understood: these eight numbers cycle. With that, the instructions of the whole loop can more or less be simulated.

Starting from the fourth character of the username, its ASCII code is multiplied by C; the fifth character's ASCII code is multiplied by A, and so on, and at the twelfth character the multiplier returns to C, continuing until the last character. These products are summed, and the sum converted to decimal is the serial number.
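As an added example (my own re-implementation, not code from the post or from TraceMe), here is the loop described above written out in Python, with register names from the disassembly kept in the comments. The post only transcribes five of the eight multiplier bytes at 0x405030 (0C 0A 13 09 and the final 08), so the three unknown entries are zero placeholders that must be replaced with the bytes shown in the dump window.

```python
# Re-implementation of the TraceMe serial loop as reconstructed in the post.
# Register names in the comments follow the disassembly the post describes.

# Multiplier table at [eax+0x405030], indexed by eax (0..7, then wraps).
# Only the first four bytes (0C 0A 13 09) and the last (08) appear in the
# post; the three 0x00 entries are PLACEHOLDERS, not values from the post.
TABLE_0x405030 = [0x0C, 0x0A, 0x13, 0x09,
                  0x00, 0x00, 0x00,   # placeholders: read from the dump window
                  0x08]


def compute_serial(username: str, table=TABLE_0x405030) -> str:
    """Simulate the loop: esi accumulates name[ecx] * table[eax]."""
    name = username.encode("ascii")
    edi = len(name)          # edi: username length, the loop bound
    ecx = 3                  # ecx: character index, starts at the 4th char
    eax = 0                  # eax: table index, zeroed once it exceeds 7
    esi = 0                  # esi: running sum of the products
    while ecx < edi:         # cmp ecx, edi  -> loop while ecx < length
        if eax > 7:          # cmp eax, 7 ; jle ... ; xor eax, eax
            eax = 0
        ebx = name[ecx]      # blue mov:  ASCII code of the current char
        edx = table[eax]     # pink mov:  byte at [eax+0x405030]
        esi += edx * ebx     # imul edx, ebx ; add esi, edx
        eax += 1             # inc eax
        ecx += 1             # inc ecx
    return str(esi)          # the sum is converted to a decimal string


def check_serial(username: str, serial: str) -> int:
    """Mimic the lstrcmpA step: 1 in EAX for a match, 0 otherwise."""
    return 1 if compute_serial(username) == serial else 0


if __name__ == "__main__":
    # Constructed sample name; only the first four table entries are used
    # for a 7-character name, so this value does not depend on placeholders.
    print(compute_serial("ABCDEFG"))
```

For names longer than 11 characters the table index wraps back to 0C, as the post observed; with the placeholders left at zero those names will not match the real program until the missing bytes are filled in.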


Origin blog.51cto.com/181647568/2423266