160 - 18 Brad Soblesky.1

环境:

windows xp sp3


工具:

Ollydbg,exeinfope


用exeinfope查壳:

   没有壳,vc编译的


运行后第一步,随便输入个“12345”,弹出一个错误消息框。


OD载入后直接搜索错误消息框的字符串,发现字符串也不多

文本字串参考位于 Brad_Sob:.text
地址       反汇编                                    文本字串
00401571   push Brad_Sob.0040302C                    ASCII "CrackMe"
00401576   push Brad_Sob.00403034                    ASCII "Enter Registration Number"
00401595   jnz XBrad_Sob.004015AD                    (初始 CPU 选择)
00401599   push Brad_Sob.00403050                    ASCII "CrackMe"
0040159E   push Brad_Sob.00403058                    ASCII "Correct way to go!!"
004015AF   push Brad_Sob.0040306C                    ASCII "CrackMe"
004015B4   push Brad_Sob.00403074                    ASCII "Incorrect try again!!"
00401CE5   push 0x10000                              UNICODE "=::=::\"

一眼看到错误信息所在位置,在反汇编窗口跟随。

; Serial-check routine as dumped by OllyDbg (32-bit x86, MFC42 build; ecx is
; saved on entry and reloaded before every MFC42 call, presumably as `this`).
; Stack layout (OllyDbg local.N = [ebp-4*N]):
;   local.3 = [ebp-0xC]  10-byte buffer receiving the typed serial (max count 0xA)
;   local.7 = [ebp-0x1C] 10-byte expected serial, copied here from .data 0x403020
;   local.4 = [ebp-0x10] lstrlenA() of the typed serial
;   local.8 = [ebp-0x20] saved ecx
; The expected serial is compared with lstrcmpA() in plaintext, so a breakpoint
; on that call reveals it directly (the write-up gives <BrD-SoB>).
00401512  /.  55            push ebp
00401513  |.  8BEC          mov ebp,esp
00401515  |.  83EC 20       sub esp,0x20                             ;  0x20 bytes of locals (layout above)
00401518  |.  894D E0       mov [local.8],ecx                        ;  save ecx; reloaded before each MFC42 call
0040151B  |.  66:A1 5C31400>mov ax,word ptr ds:[0x40315C]            ;  init input buffer local.3: first word from .data
00401521  |.  66:8945 F4    mov word ptr ss:[ebp-0xC],ax
00401525  |.  33C9          xor ecx,ecx
00401527  |.  894D F6       mov dword ptr ss:[ebp-0xA],ecx           ;  ... remaining 8 bytes zeroed
0040152A  |.  894D FA       mov dword ptr ss:[ebp-0x6],ecx
0040152D  |.  8B15 20304000 mov edx,dword ptr ds:[0x403020]          ;  build expected serial in local.7:
00401533  |.  8955 E4       mov [local.7],edx                        ;  dword + dword + word = 10 bytes from 0x403020
00401536  |.  A1 24304000   mov eax,dword ptr ds:[0x403024]
0040153B  |.  8945 E8       mov [local.6],eax
0040153E  |.  66:8B0D 28304>mov cx,word ptr ds:[0x403028]
00401545  |.  66:894D EC    mov word ptr ss:[ebp-0x14],cx
00401549  |.  6A 0A         push 0xA                                 ;  max count = buffer size (10)
0040154B  |.  8D55 F4       lea edx,[local.3]                        ;  destination = input buffer
0040154E  |.  52            push edx
0040154F  |.  68 E8030000   push 0x3E8                               ;  control ID 1000, presumably the serial edit box
00401554  |.  8B4D E0       mov ecx,[local.8]
00401557  |.  E8 A8050000   call <jmp.&MFC42.#3098>                  ;  reads the typed serial (presumably CWnd::GetDlgItemTextA)
0040155C  |.  8D45 F4       lea eax,[local.3]
0040155F  |.  50            push eax                                 ; /String
00401560  |.  FF15 04204000 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
00401566  |.  8945 F0       mov [local.4],eax                        ;  local.4 = length of typed serial
00401569  |.  837D F0 01    cmp [local.4],0x1                        ;  typed-serial length check
0040156D  |.  73 16         jnb XBrad_Sob.00401585                   ;  (unsigned) length >= 1 -> compare; else prompt
0040156F  |.  6A 40         push 0x40                                ;  MB_ICONINFORMATION
00401571  |.  68 2C304000   push Brad_Sob.0040302C                   ;  ASCII "CrackMe"
00401576  |.  68 34304000   push Brad_Sob.00403034                   ;  ASCII "Enter Registration Number"
0040157B  |.  8B4D E0       mov ecx,[local.8]
0040157E  |.  E8 7B050000   call <jmp.&MFC42.#4224>                  ;  presumably CWnd::MessageBoxA(text, caption, type)
00401583  |.  EB 3C         jmp XBrad_Sob.004015C1                   ;  -> common epilogue
00401585  |>  8D4D E4       lea ecx,[local.7]                        ;  plaintext string compare: expected serial ...
00401588  |.  51            push ecx                                 ; /String2
00401589  |.  8D55 F4       lea edx,[local.3]                        ; |  ... against the typed serial
0040158C  |.  52            push edx                                 ; |String1
0040158D  |.  FF15 00204000 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA  (returns 0 only on exact match)
00401593  |.  85C0          test eax,eax
00401595  |.  75 16         jnz XBrad_Sob.004015AD                   ;  mismatch -> "Incorrect try again!!"
00401597  |.  6A 40         push 0x40                                ;  match: MB_ICONINFORMATION
00401599  |.  68 50304000   push Brad_Sob.00403050                   ;  ASCII "CrackMe"
0040159E  |.  68 58304000   push Brad_Sob.00403058                   ;  ASCII "Correct way to go!!"
004015A3  |.  8B4D E0       mov ecx,[local.8]
004015A6  |.  E8 53050000   call <jmp.&MFC42.#4224>                  ;  success message box
004015AB  |.  EB 14         jmp XBrad_Sob.004015C1                   ;  -> common epilogue
004015AD  |>  6A 40         push 0x40                                ;  MB_ICONINFORMATION
004015AF  |.  68 6C304000   push Brad_Sob.0040306C                   ;  ASCII "CrackMe"
004015B4  |.  68 74304000   push Brad_Sob.00403074                   ;  ASCII "Incorrect try again!!"
004015B9  |.  8B4D E0       mov ecx,[local.8]
004015BC  |.  E8 3D050000   call <jmp.&MFC42.#4224>                  ;  failure message box
004015C1  |>  8BE5          mov esp,ebp                              ;  common epilogue
004015C3  |.  5D            pop ebp
004015C4  \.  C3            retn


单步跟一下就可以发现真正的serial了:它就是 00401585 处传给 lstrcmpA 的 String2,也就是从 0x403020 复制到 local.7 的那 10 个字节。

serial:<BrD-SoB>
