環(huán)境：
Windows xp sp3

工具：
ollydbg
exeinfope

0x00 查殼

無殼的程序

0x01 分析

運(yùn)行后隨便輸入點東西，

OD載入：

00401127 > /6A 00 push 0x0 ; /lParam = 0 00401129 . |6A 00 push 0x0 ; |wParam = 0 0040112B . |6A 0E push 0xE ; |Message = WM_GETTEXTLENGTH 0040112D . |6A 03 push 0x3 ; |ControlID = 3 0040112F . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd 00401132 . |E8 41020000 call <jmp.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA 00401137 . |A3 AF214000 mov dword ptr ds:[0x4021AF],eax 0040113C . |83F8 00 cmp eax,0x0 ; 不能為空 0040113F . |0F84 D5000000 je DueList_.0040121A 00401145 . |83F8 08 cmp eax,0x8 ; 大于8個就跳 00401148 . |0F8F CC000000 jg DueList_.0040121A 0040114E . |8BF0 mov esi,eax 00401150 . |6A 00 push 0x0 ; /lParam = 0 00401152 . |6A 00 push 0x0 ; |wParam = 0 00401154 . |6A 0E push 0xE ; |Message = WM_GETTEXTLENGTH 00401156 . |6A 04 push 0x4 ; |ControlID = 4 00401158 . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd 0040115B . |E8 18020000 call <jmp.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA 00401160 . |83F8 00 cmp eax,0x0 00401163 . |0F84 B1000000 je DueList_.0040121A 00401169 . |3BF0 cmp esi,eax 0040116B . |0F85 A9000000 jnz DueList_.0040121A ; serial與name的長度不同就跳 00401171 . |68 60214000 push DueList_.00402160 ; /lParam = 402160 00401176 . |6A 08 push 0x8 ; |wParam = 8 00401178 . |6A 0D push 0xD ; |Message = WM_GETTEXT 0040117A . |6A 03 push 0x3 ; |ControlID = 3 0040117C . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd 0040117F . |E8 F4010000 call <jmp.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA 00401184 . |68 79214000 push DueList_.00402179 ; /lParam = 402179 00401189 . |6A 10 push 0x10 ; |wParam = 10 0040118B . |6A 0D push 0xD ; |Message = WM_GETTEXT 0040118D . |6A 04 push 0x4 ; |ControlID = 4 0040118F . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd 00401192 . |E8 E1010000 call <jmp.&USER32.SendDlgItemMessageA> ; \SendDlgItemMessageA 00401197 . |B9 FFFFFFFF mov ecx,-0x1 0040119C > |41 inc ecx 0040119D . |0FBE81 602140>movsx eax,byte ptr ds:[ecx+0x402160] 004011A4 . |83F8 00 cmp eax,0x0 ; Switch (cases 0..7A) 004011A7 . |74 32 je XDueList_.004011DB 004011A9 . |BE FFFFFFFF mov esi,-0x1 004011AE . |83F8 41 cmp eax,0x41 004011B1 . |7C 67 jl XDueList_.0040121A ; 小于0x41的直接錯誤 004011B3 . |83F8 7A cmp eax,0x7A 004011B6 . |77 62 ja XDueList_.0040121A ; 大于0x7a的就直接錯誤 004011B8 . |83F8 5A cmp eax,0x5A 004011BB . |7C 03 jl XDueList_.004011C0 004011BD . |83E8 20 sub eax,0x20 ; Cases 5A ('Z'),5B ('['),5C ('\'),5D (']'),5E ('^'),5F ('_'),60 ('`'),61 ('a'),62 ('b'),63 ('c'),64 ('d'),65 ('e'),66 ('f'),67 ('g'),68 ('h'),69 ('i'),6A ('j'),6B ('k'),6C ('l'),6D ('m')... of switch 004011A4 004011C0 > |46 inc esi ; Cases 41 ('A'),42 ('B'),43 ('C'),44 ('D'),45 ('E'),46 ('F'),47 ('G'),48 ('H'),49 ('I'),4A ('J'),4B ('K'),4C ('L'),4D ('M'),4E ('N'),4F ('O'),50 ('P'),51 ('Q'),52 ('R'),53 ('S'),54 ('T')... of switch 004011A4 004011C1 . |0FBE96 172040>movsx edx,byte ptr ds:[esi+0x402017] ; 找到相同的值 004011C8 . |3BC2 cmp eax,edx 004011CA .^|75 F4 jnz XDueList_.004011C0 004011CC |0FBE86 3C2040>movsx eax,byte ptr ds:[esi+0x40203C] ; 在另一個字符串中找到對應(yīng)位置的值 004011D3 . |8981 94214000 mov dword ptr ds:[ecx+0x402194],eax ; 這里就是正確的serial 004011D9 .^|EB C1 jmp XDueList_.0040119C 004011DB > |FF35 AF214000 push dword ptr ds:[0x4021AF] ; Case 0 of switch 004011A4 004011E1 . |68 94214000 push DueList_.00402194 004011E6 . |68 79214000 push DueList_.00402179 004011EB . |E8 54000000 call DueList_.00401244 ; 比較 004011F0 . |83F8 01 cmp eax,0x1 004011F3 .^|0F84 DEFEFFFF je DueList_.004010D7

搜一下錯誤信息的字符串，往上翻一翻就有了。下個斷點觀察一下，不難看出這里就是算法了。

0x02 算法分析

這個算法也是比較簡單的，將輸入的內(nèi)容轉(zhuǎn)為大寫字母，與：

A1LSK2DJF4HGP3QWO5EIR6UTYZ8MXN7CBV9

比較，找到相同字符的位置，然后再從：

SU7CSJKF09NCSDO9SDF09SDRLVK7809S4NF

找到對應(yīng)位置的字符，就是所求的serial

存在一個問題就是如果輸入的內(nèi)容在a(0x61)和Z(0x5A)之間的話，程序會錯誤，因為在上面的字符串中找不到對應(yīng)的字符，所以會沒有正確的serial

總結(jié)

以上是生活随笔為你收集整理的160 - 49 DueList.4的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。