srm-50
下载之后,打开运行一下,发现是让输入邮箱和序号,先随便输入一堆a,会提示我们邮箱错误,如果按照正常的邮箱格式进行输入会报错注册失败,查壳,发现是32位无壳的文件,拖入ida中,发现一个winmain的函数,反编译进去在进入DialogFunc中,发现了报错的字符串。
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
HMODULE v5; // eax
HICON v6; // eax
HMODULE v7; // eax
HCURSOR v8; // ST20_4
HWND v9; // eax
CHAR String; // [esp+8h] [ebp-340h]
CHAR v11[4]; // [esp+108h] [ebp-240h]
char v12; // [esp+10Ch] [ebp-23Ch]
char v13; // [esp+10Dh] [ebp-23Bh]
char v14; // [esp+10Eh] [ebp-23Ah]
char v15; // [esp+10Fh] [ebp-239h]
char v16; // [esp+110h] [ebp-238h]
char v17; // [esp+111h] [ebp-237h]
char v18; // [esp+112h] [ebp-236h]
char v19; // [esp+113h] [ebp-235h]
char v20; // [esp+114h] [ebp-234h]
char v21; // [esp+115h] [ebp-233h]
char v22; // [esp+116h] [ebp-232h]
char v23; // [esp+117h] [ebp-231h]
CHAR Text; // [esp+208h] [ebp-140h]
char Src[16]; // [esp+308h] [ebp-40h]
__int128 v26; // [esp+318h] [ebp-30h]
int v27; // [esp+328h] [ebp-20h]
__int128 v28; // [esp+32Ch] [ebp-1Ch]
int v29; // [esp+33Ch] [ebp-Ch]
__int16 v30; // [esp+340h] [ebp-8h]
if ( a2 == 16 )
{
EndDialog(hDlg, 0);
return 0;
}
if ( a2 == 272 )
{
v5 = GetModuleHandleW(0);
v6 = LoadIconW(v5, (LPCWSTR)0x67);
SetClassLongA(hDlg, -14, (LONG)v6);
v7 = GetModuleHandleW(0);
v8 = LoadCursorW(v7, (LPCWSTR)0x66);
v9 = GetDlgItem(hDlg, 1);
SetClassLongA(v9, -12, (LONG)v8);
return 1;
}
if ( a2 != 273 || (unsigned __int16)a3 != 1 )
return 0;
memset(&String, (unsigned __int16)a3 - 1, 0x100u);
memset(v11, 0, 0x100u);
memset(&Text, 0, 0x100u);
GetDlgItemTextA(hDlg, 1001, &String, 256);
GetDlgItemTextA(hDlg, 1002, v11, 256);
if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != 46 )
{
v28 = xmmword_410AA0;
v29 = 1701999980;
*(_OWORD *)Src = xmmword_410A90;
v30 = 46;
v26 = xmmword_410A80;
v27 = 3830633;
if ( strlen(v11) != 16
|| v11[0] != 67
|| v23 != 88
|| v11[1] != 90
|| v11[1] + v22 != 155
|| v11[2] != 57
|| v11[2] + v21 != 155
|| v11[3] != 100
|| v20 != 55
|| v12 != 109
|| v19 != 71
|| v13 != 113
|| v13 + v18 != 170
|| v14 != 52
|| v17 != 103
|| v15 != 99
|| v16 != 56 )
{
strcpy_s(&Text, 0x100u, (const char *)&v28);
}
else
{
strcpy_s(&Text, 0x100u, Src);
strcat_s(&Text, 0x100u, v11);
}
}
else
{
strcpy_s(&Text, 0x100u, "Your E-mail address in not valid.");
}
MessageBoxA(hDlg, &Text, "Registeration", 0x40u);
return 1;
}
这里查找了,@和.如果有,进入下一个if,如果没有直接输出Your E-mail address in not valid.相当于邮箱没有什么要求,主要是在密码上,在邮箱上只需要有.和@即可,之后就是主要密码,密码的为位置在。
if ( strlen(v11) != 16
|| v11[0] != 67
|| v23 != 88
|| v11[1] != 90
|| v11[1] + v22 != 155
|| v11[2] != 57
|| v11[2] + v21 != 155
|| v11[3] != 100
|| v20 != 55
|| v12 != 109
|| v19 != 71
|| v13 != 113
|| v13 + v18 != 170
|| v14 != 52
|| v17 != 103
|| v15 != 99
|| v16 != 56 )
{
strcpy_s(&Text, 0x100u, (const char *)&v28);
}
else
{
strcpy_s(&Text, 0x100u, Src);
strcat_s(&Text, 0x100u, v11);
}
}
是在这一片是跟密码有关的,那么分析,中间那些都知道,其他的经过计算,可以的出来v22 = A,v21 = b,v18 = 9,其他的都翻译过来组成的是CXZA9bd7mGq94gc8,按照顺序排列:CZ9dmq4c8g9G7bAX,最后flag就是CZ9dmq4c8g9G7bAX