先用IDA看看main部分
// Decompiled entry point (IDA pseudocode; kept verbatim so it mirrors the binary).
// Reads a passcode from stdin and, if it matches a literal stored in the binary,
// calls the bytes at unk_6030C0 -- an address in .data, see the byte dump below --
// with 2 as the first argument and the passcode string as the second.
// a1/a2/a3: argc/argv/envp as handed over by the CRT; only forwarded to sub_400930.
// Returns 0 on both paths, so the caller cannot tell a wrong passcode from a right one.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
__int64 result; // rax@2
char s1; // [sp+0h] [bp-110h]@1  -- start of the input buffer that gets() fills
void *v5; // [sp+108h] [bp-8h]@3  -- sits 0x108 bytes above s1, directly under the saved frame
sub_400930(a1, a2, a3); // init helper; its body is not shown on this page
puts("input you passcode:");
// gets() has no length limit: more than 0x108 bytes of input overwrite v5, and longer
// input reaches the saved rbp / return address above it (classic stack overflow).
gets(&s1);
// The expected passcode is a plaintext literal compared with strcmp (shown here as a placeholder).
if ( !strcmp(&s1, "xx xx xx xx xx xx") )
{
v5 = &unk_6030C0; // stored but never read again inside main
// Indirect call into .data at 0x6030C0. For this to run rather than fault the data
// segment presumably has to be mapped executable (no NX) -- TODO confirm with checksec/readelf.
((void (__fastcall *)(signed __int64, const char *))unk_6030C0)(2LL, "xx xx xx xx xx xx");
result = 0LL;
}
else
{
result = 0LL;
}
return result;
}
首先程序让你输入passcode,也就是"xx xx xx xx xx xx",接下来调用unk_6030C0处的函数(注意那个参数2)。顺带注意两点:gets()读入s1时没有任何长度限制,输入超过0x108字节就会覆盖v5乃至其上保存的栈帧,这是典型的栈溢出;而unk_6030C0位于.data段,能被当作函数调用,说明该段很可能是可执行的(可用checksec确认)。所以跳到此处看。
.data:00000000006030C0 unk_6030C0 db 55h ; U ; DATA XREF: main:loc_401126o
.data:00000000006030C1 db 48h ; H
.data:00000000006030C2 db 89h ;
.data:00000000006030C3 db 0E5h ;
.data:00000000006030C4 db 48h ; H
.data:00000000006030C5 db 81h ;
.data:00000000006030C6 db 0ECh ;
出现这样的东西,说明IDA没有将其当作函数:这块字节位于.data段,IDA默认按数据处理,但开头的55 48 89 E5 48 81 EC正是push rbp; mov rbp, rsp; sub rsp, imm32的标准函数序言。按一下P创建函数,再按F5即可。
int __fastcall sub_6030C0(unsigned int a1) //注意这里a1=2
{
int result; // eax@12
char v2[112]; // [sp+10h] [bp-1B0h]@1
signed int v3; // [sp+14h] [bp-1ACh]@1
signed int v4; // [sp+18h] [bp-1A8h]@1
signed int v5; // [sp+1Ch] [bp-1A4h]@1
int v6; // [sp+20h] [bp-1A0h]@1
char v7[268]; // [sp+80h] [bp-140h]@1
char v8[268]; // [sp+87h] [bp-139h]@12 //注意这个+87h和上面的+80h
int v9; // [sp+18Ch] [bp-34h]@1
char *v10; // [sp+190h] [bp-30h]@1
int (__fastcall *v11)(char *, _QWORD); // [sp+198h] [bp-28h]@1
void (__fastcall *v12)(char *); // [sp+1A0h] [bp-20h]@1
void (__fastcall *v13)(char *); // [sp+1A8h] [bp-18h]@1
void (__fastcall *v14)(char *); // [sp+1B0h] [bp-10h]@1
int i; // [sp+1B8h] [bp-8h]@1
char v16; // [sp+1BFh] [bp-1h]@1
v14 = (void (__fastcall *)(char *))((((signed int)a1 + 3752700333LL) ^ 0xDEADBEEFLL) >> 2);//4005d0 - puts (以后经常出现这样的语句,请写个脚本来计算)
v13 = (void (__fastcall *)(char *))((((signed int)a1 + 3752699821LL) ^ 0xDEADBEEFLL) >> 2);//400650 - gets (计算完后及时注释上去)
v12 = (void (__fastcall *)(char *))((((signed int)a1 + 3752697657LL) ^ 0xDEADBEEFLL) >> 2);//400875 - 跳到此处按P创建函数
v11 = (int (__fastcall *)(char *, _QWORD))((((signed int)a1 + 3744295917LL) ^ 0xDEADBEEFLL) >> 2);//603540 - 跳到此处按P创建函数
v10 = v2;
*(_DWORD *)v2 = 1773735261;
v3 = 499976301;
v4 = -111343463;
v5 = 961141164;
v6 = 0;
v12(v2);
v14(v2);
v13(v7); //获取用户的输入
*(_DWORD *)v10 = 1228499401;
*((_DWORD *)v10 + 1) = 15571229;
v12(v2);
v16 =