065:
pe查看LCC win32,即没有加壳
od载入查看,分析关键点如下:
0040134F |. /EB 15 jmp short figugegl.00401366
00401351 |> |0FBE443D D6 /movsx eax,byte ptr ss:[ebp+edi-0x2A]
00401356 |. |0FBE543D EB |movsx edx,byte ptr ss:[ebp+edi-0x15]
0040135B |. |29FA |sub edx,edi ; figugegl.<ModuleEntryPoint>
0040135D |. |39D0 |cmp eax,edx ; figugegl.<ModuleEntryPoint>
0040135F |. |74 04 |je short figugegl.00401365
00401361 |. |31C0 |xor eax,eax
00401363 |. |EB 1A |jmp short figugegl.0040137F
00401365 |> |47 |inc edi ; figugegl.<ModuleEntryPoint>
00401366 |> \39F7 cmp edi,esi ; figugegl.<ModuleEntryPoint>
00401368 |.^ 7C E7 \jl short figugegl.00401351
分析一下,得出如下代码:
name = "foyjog"
jj = 0
for i in name:
print chr(ord(i) - jj),
jj +=1答案为f n w g k b
066:
od载入,找到关键代码:
004013C6 |> /C64435 EB 20 /mov byte ptr ss:[ebp+esi-0x15],0x20
004013CB |. |46 |inc esi
004013CC |> |83FE 14 cmp esi,0x14
004013CF |.^\7C F5 \jl short figugegl.004013C6
004013D1 |. 31F6 xor esi,esi
004013D3 |> 0FB67C35 EB /movzx edi,byte ptr ss:[ebp+esi-0x15]
004013D8 |. 0FB65435 F5 |movzx edx,byte ptr ss:[ebp+esi-0xB]
004013DD |. 89F8 |mov eax,edi
004013DF |. 31D0 |xor eax,edx
004013E1 |. B9 0A000000 |mov ecx,0xA
004013E6 |. 99 |cdq
004013E7 |. F7F9 |idiv ecx
004013E9 |. 83C2 30 |add edx,0x30
004013EC |. 885435 D6 |mov byte ptr ss:[ebp+esi-0x2A],dl
004013F0 |. 46 |inc esi
004013F1 |. 39CE |cmp esi,ecx
004013F3 |.^ 7C DE \jl short figugegl.004013D3
004013F5 |. 6A 0A push 0xA ; /radix = A (10.)
004013F7 |. 8D45 CC lea eax,[local.13] ; |
004013FA |. 50 push eax ; |endptr = NULL
004013FB |. 8D45 D6 lea eax,dword ptr ss:[ebp-0x2A] ; |
004013FE |. 50 push eax ; |s = NULL
004013FF |. E8 80020000 call <jmp.&CRTDLL.strtoul> ; \strtoul
分析如下:
name="figugegl"
for i in range(len(name),0x14):
name += chr(0x20)
for j in range(0,(len(name)/2)):
eax = ord(name[j]) ^ ord(name[j+10])
edx = eax%0xA + 0x30
print hex(edx)答案为315191600
扫一扫
1206
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
