Pediy CTF 2018 reverse

;  Serial-check fragment of a crackme, 32-bit x86, Intel syntax, OllyDbg-style listing.
;  The excerpt starts mid-function: the compare that feeds the first `ja`, the loop-back
;  target 0040101A and the `js` target 00401135 are all outside this listing.
;    1) 0040105F-004010AE  for at most 0x11 bytes of the entered serial (read from esp+0x14),
;                          format each byte with "%x" into a scratch buffer and append that
;                          text to the string at esp+0x28 (inline strcat pattern).
;    2) 004010B0-004010E5  compare the string at esp+0x28 with the one at esp+0x4C two bytes
;                          per iteration (inline strcmp pattern); eax = 0 / -1 / +1.
;    3) 004010E9-00401108  print "success!\n" or "wrong!\n" and jump back to 0040101A.
;    4) 0040110D-00401134  "wrong!\n" exit taken by the first `ja`, then the epilogue.
;  The callees 004012E2 and 0040134B are not shown; their argument shapes suggest sprintf and
;  printf, but that is an inference.
;  NOTE(review): the byte is sign-extended before "%x", so a value >= 0x80 would print as 8
;  digits rather than 2. The scratch buffer is only 2 bytes below esp+0x14 and the two compared
;  buffers are 0x24 bytes apart, with no length check visible here - confirm buffer sizes.
00401057  |. /0F87 B0000000 |ja 18a51cbc.0040110D                                 ;  flags come from code above this excerpt; taken -> "wrong!" exit
0040105D  |. |33DB          |xor ebx,ebx                                          ;  ebx = 0, index into the entered serial
0040105F  |> |8A441C 14     |/mov al,byte ptr ss:[esp+ebx+0x14]                   ;  al = byte ebx of the entered serial
00401063  |. |84C0          ||test al,al                                          ;  NUL terminator reached?
00401065  |. |74 49         ||je short 18a51cbc.004010B0                          ;  yes -> stop converting, go compare
00401067  |. |0FBEC8        ||movsx ecx,al                                        ;  ecx = sign-extended byte (>= 0x80 becomes 0xFFFFFFxx)
0040106A  |. |51            ||push ecx                                            ;  arg 3: value to format
0040106B  |. |8D5424 16     ||lea edx,dword ptr ss:[esp+0x16]                     ;  edx = scratch buffer (esp+0x16 after one push = loop-top esp+0x12)
0040106F  |. |68 44804000   ||push 18a51cbc.00408044                              ;  arg 2: format string "%x"
00401074  |. |52            ||push edx                                            ;  arg 1: destination buffer
00401075  |. |E8 68020000   ||call 18a51cbc.004012E2                              ;  presumably sprintf(edx, "%x", ecx) - callee not shown
0040107A  |. |8D7C24 1E     ||lea edi,dword ptr ss:[esp+0x1E]                     ;  edi = same scratch buffer (3 args still on the stack)
0040107E  |. |83C9 FF       ||or ecx,-0x1                                         ;  ecx = 0xFFFFFFFF, unbounded count for the scan
00401081  |. |33C0          ||xor eax,eax                                         ;  al = 0, the byte scas searches for
00401083  |. |83C4 0C       ||add esp,0xC                                         ;  drop the three pushed arguments
00401086  |. |F2:AE         ||repne scas byte ptr es:[edi]                        ;  scan the scratch string up to and past its NUL
00401088  |. |F7D1          ||not ecx                                             ;  ecx = scratch length including the NUL
0040108A  |. |2BF9          ||sub edi,ecx                                         ;  edi = start of the scratch string again
0040108C  |. |8D5424 28     ||lea edx,dword ptr ss:[esp+0x28]                     ;  edx = accumulated hex string (esp+0x28)
00401090  |. |8BF7          ||mov esi,edi                                         ;  esi = copy source: hex text of this byte
00401092  |. |8BE9          ||mov ebp,ecx                                         ;  ebp = byte count to copy (incl. NUL)
00401094  |. |8BFA          ||mov edi,edx                                         ;  edi = accumulated string
00401096  |. |83C9 FF       ||or ecx,-0x1                                         ;  unbounded count again
00401099  |. |F2:AE         ||repne scas byte ptr es:[edi]                        ;  find the end of the accumulated string (al still 0)
0040109B  |. |8BCD          ||mov ecx,ebp                                         ;  ecx = byte count to copy
0040109D  |. |4F            ||dec edi                                             ;  step back onto the destination's NUL
0040109E  |. |C1E9 02       ||shr ecx,0x2                                         ;  ecx = number of whole dwords
004010A1  |. |F3:A5         ||rep movs dword ptr es:[edi],dword ptr ds:[esi]      ;  copy the whole dwords
004010A3  |. |8BCD          ||mov ecx,ebp                                         ;  reload the byte count
004010A5  |. |83E1 03       ||and ecx,0x3                                         ;  ecx = remaining 0..3 bytes
004010A8  |. |43            ||inc ebx                                             ;  next input index
004010A9  |. |83FB 11       ||cmp ebx,0x11                                        ;  loop bound 0x11; flags survive the rep movs below
004010AC  |. |F3:A4         ||rep movs byte ptr es:[edi],byte ptr ds:[esi]        ;  copy the tail bytes, completing the append
004010AE  |.^|7C AF         |\jl short 18a51cbc.0040105F                          ;  repeat while ebx < 0x11 (signed)
004010B0  |> |8D7424 4C     |lea esi,dword ptr ss:[esp+0x4C]                      ;  esi -> expected ("real") serial at esp+0x4C, per the original annotation
004010B4  |. |8D4424 28     |lea eax,dword ptr ss:[esp+0x28]                      ;  eax -> hex string built from the entered serial
004010B8     |8A10          |/mov dl,byte ptr ds:[eax]                            ;  dl = next byte of the built hex string
004010BA  |. |8A1E          ||mov bl,byte ptr ds:[esi]                            ;  bl = next byte of the expected string
004010BC  |. |8ACA          ||mov cl,dl                                           ;  keep a copy for the NUL test
004010BE  |. |3AD3          ||cmp dl,bl                                           ;  compare one byte of each string
004010C0  |. |75 1E         ||jnz short 18a51cbc.004010E0                         ;  mismatch -> build a non-zero result
004010C2  |. |84C9          ||test cl,cl                                          ;  equal bytes: was it the terminator?
004010C4  |. |74 16         ||je short 18a51cbc.004010DC                          ;  both strings ended -> equal
004010C6  |. |8A50 01       ||mov dl,byte ptr ds:[eax+0x1]                        ;  second byte of the pair (loop unrolled by two)
004010C9  |. |8A5E 01       ||mov bl,byte ptr ds:[esi+0x1]
004010CC  |. |8ACA          ||mov cl,dl
004010CE  |. |3AD3          ||cmp dl,bl
004010D0  |. |75 0E         ||jnz short 18a51cbc.004010E0                         ;  mismatch
004010D2  |. |83C0 02       ||add eax,0x2                                         ;  advance both pointers by two bytes
004010D5  |. |83C6 02       ||add esi,0x2
004010D8  |. |84C9          ||test cl,cl                                          ;  terminator in the second byte?
004010DA  |.^|75 DC         |\jnz short 18a51cbc.004010B8                         ;  no -> compare the next pair
004010DC  |> |33C0          |xor eax,eax                                          ;  strings equal: result = 0
004010DE  |. |EB 05         |jmp short 18a51cbc.004010E5
004010E0  |> |1BC0          |sbb eax,eax                                          ;  eax = -CF from the failing cmp (dl < bl, unsigned)
004010E2  |. |83D8 FF       |sbb eax,-0x1                                         ;  result = -1 if dl < bl, else +1
004010E5  |> |85C0          |test eax,eax                                         ;  zero means the strings matched
004010E7  |. |75 12         |jnz short 18a51cbc.004010FB                          ;  non-zero -> "wrong!"
004010E9  |. |68 38804000   |push 18a51cbc.00408038                               ;  success!\n
004010EE  |. |E8 58020000   |call 18a51cbc.0040134B                               ;  presumably printf - callee not shown
004010F3  |. |83C4 04       |add esp,0x4                                          ;  drop the argument
004010F6  |.^|E9 1FFFFFFF   |jmp 18a51cbc.0040101A                                ;  back to 0040101A (outside this excerpt)
004010FB  |> |68 30804000   |push 18a51cbc.00408030                               ;  wrong!\n
00401100  |. |E8 46020000   |call 18a51cbc.0040134B                               ;  same print routine
00401105  |. |83C4 04       |add esp,0x4                                          ;  drop the argument
00401108  |.^|E9 0DFFFFFF   \jmp 18a51cbc.0040101A                                ;  back to 0040101A (outside this excerpt)
0040110D  |> \68 30804000   push 18a51cbc.00408030                                ;  wrong!\n  (target of the ja at 00401057)
00401112  |.  E8 34020000   call 18a51cbc.0040134B                                ;  same print routine
00401117  |.  A1 94804000   mov eax,dword ptr ds:[0x408094]                       ;  NOTE(review): 0x408094/0x408090 look like a FILE count/pointer pair (inlined getchar?) - confirm
0040111C  |.  83C4 04       add esp,0x4                                           ;  drop the print argument
0040111F  |.  48            dec eax                                               ;  decrement the global; SF feeds the js below
00401120  |.  5F            pop edi                                               ;  restore edi (debugger showed ntdll.7C930228)
00401121  |.  5E            pop esi                                               ;  restore esi (debugger showed ntdll.7C930228)
00401122  |.  5D            pop ebp                                               ;  restore ebp (debugger showed ntdll.7C930228)
00401123  |.  A3 94804000   mov dword ptr ds:[0x408094],eax                       ;  store the decremented value (mov/pop leave the flags intact)
00401128  |.  5B            pop ebx                                               ;  restore ebx (debugger showed ntdll.7C930228)
00401129  |.  78 0A         js short 18a51cbc.00401135                            ;  value went negative -> 00401135 (outside this excerpt)
0040112B  |.  FF05 90804000 inc dword ptr ds:[0x408090]                           ;  advance the second global (debugger showed 18a51cbc.0040AE89)
00401131  |.  83C4 60       add esp,0x60                                          ;  release 0x60 bytes of locals
00401134  |.  C3            retn


转载自www.cnblogs.com/zpchcbd/p/12305948.html