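Our TA found this site for us; the challenges are said to be very easy...
The first challenge, Simple "crackMe"…short and easy, really was too easy, so I went straight to the second one; the link is here.
Challenge description: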
'lovetc' forgot his own password, maybe you can reverse it and find the encryption algorithm.... press "start" then download it. Hint: The checkin key is his password....
This is a GUI program. Start by opening it in IDA and locating the message dispatch function:
int __stdcall DialogFunc(HWND hDlg, int a2, int a3, int a4)
{
  HICON v4; // eax@2
  UINT v5; // eax@9
  unsigned int v7; // [sp-4h] [bp-8h]@11

  switch ( a2 )
  {
    case 272:                                   // WM_INITDIALOG (0x110)
      v4 = LoadIconA(hInstance, (LPCSTR)0x1F4);
      SendMessageA(hDlg, 0x80u, 0, (LPARAM)v4); // WM_SETICON
      break;
    case 16:                                    // WM_CLOSE (0x10)
      EndDialog(hDlg, 0);
      break;
    case 273:                                   // WM_COMMAND (0x111), a3 is the control id
      switch ( a3 )
      {
        case 300:
          MessageBoxA(
            hDlg,
            " +=================================+ \n | Keygen-me N Created on 27/08/2003 |\n +=================================+ \n \nTry to keygen this program, and send your solution to\nwww.crackmes.de, for more informations contact me at \n#eminence channel on eFnet.\n Enjoy Crypto.....\n \n (C)2003 BytePtr [e!] \n",
            "AbOut",
            0);
          break;
        case 900:
          // Name: dialog item 100 -> String1, length kept in v5/v7
          v5 = GetDlgItemTextA(hDlg, 100, String1, 300);
          if ( !v5 )
            return MessageBoxA(0, "Your name please !!!", "oooH input Error", 0);
          v7 = v5;
          // Serial: dialog item 200 -> String
          if ( !GetDlgItemTextA(hDlg, 200, String, 300) )
            return MessageBoxA(0, "Where is Da serial DuDe ?", "oooH input Error", 0);
          lstrcatA(String1, "BytePtr [e!]");
          sub_401000((int)String1, v7, (int)&unk_4056A8);
          sub_401B79();
          // Plaintext comparison: typed Serial (String) against byte_4079D0
          if ( lstrcmpA(String, byte_4079D0) )
          {
            MessageBoxA(0, "hmmm not like this DuDe Try again....", "Fatal Error", 0);
            return 0;
          }
          MessageBoxA(0, "Good serial", "Good Work", 0);
          break;
        case 400:
          EndDialog(hDlg, 0);
          break;
      }
      break;
  }
  return 0;
}
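Clearly the key should be in sub_401000. But when we open that function, it is painfully long. It does not appear to call any other functions, so patiently stepping through it would certainly yield the answer, but that is definitely not the smart choice.
Looking at the program more carefully, we find that sub_401000 only processes the Name typed into the input box, and in the end the resulting string, byte_4079D0, is compared directly with the Serial that was entered. So we can simply run the program under a debugger, enter the correct Name (lovetc), stop the program just before lstrcmpA, and then easily read off the Serial.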
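A minimal C model of the check in case 900, added here as an illustration and not taken from the crackme: it shows why a check that derives the valid serial and then compares it in plaintext exposes that serial to anyone observing the comparison. The names toy_transform, check_serial, observing_cmp and recover_and_retry are hypothetical, toy_transform is only a stand-in for sub_401000/sub_401B79 (whose logic is not shown on this page), and strcmp stands in for lstrcmpA.

```c
/* Added illustration, not code from the crackme. toy_transform() is a made-up
   stand-in for sub_401000/sub_401B79; strcmp stands in for lstrcmpA. */
#include <stdio.h>
#include <string.h>
#define BUF 300
typedef int (*cmp_fn)(const char *, const char *);

/* Hypothetical stand-in for the real serial derivation. */
static void toy_transform(const char *in, char *out, size_t outsz)
{
    unsigned h = 0x1505;
    for (; *in; in++)
        h = h * 33u ^ (unsigned char)*in;
    snprintf(out, outsz, "%08X", h);
}

/* Same shape as case 900 in DialogFunc: derive the expected serial from the
   name, then compare it in plaintext with what the user typed. */
static int check_serial(const char *name, const char *typed, cmp_fn cmp)
{
    char salted[BUF + 16], expected[BUF];
    snprintf(salted, sizeof salted, "%s%s", name, "BytePtr [e!]");
    toy_transform(salted, expected, sizeof expected);
    return cmp(typed, expected) == 0;  /* lstrcmpA(String, byte_4079D0) */
}

/* What a breakpoint on the comparison sees: both arguments, in the clear. */
static char seen_expected[BUF];
static int observing_cmp(const char *typed, const char *expected)
{
    snprintf(seen_expected, sizeof seen_expected, "%s", expected);
    return strcmp(typed, expected);
}

/* Submit a wrong serial, read the right one off the comparison, retry. */
static int recover_and_retry(const char *name)
{
    seen_expected[0] = '\0';
    if (check_serial(name, "wrong-guess", observing_cmp))
        return 0;                      /* the guess matched by accident */
    return check_serial(name, seen_expected, strcmp);
}

int main(void)
{
    int ok = recover_and_retry("lovetc");
    printf("seen at compare: %s, accepted on retry: %d\n", seen_expected, ok);
    return ok ? 0 : 1;
}
```

The result does not depend on how complicated the transform is, which is why the length of sub_401000 never had to be dealt with.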
And with that, this challenge is solved.