我需要通过汇编代码追踪这个程序的密码检查逻辑,有什么思路吗?我认为相关的代码部分如下(radare2 反汇编,32 位 x86):
0x080484e9 89542404 mov dword [esp + 4], edx
0x080484ed 890424 mov dword [esp], eax
0x080484f0 e8fbfeffff call sym.imp.__isoc99_scanf ;[2]
0x080484f5 c74424200000. mov dword [esp + 0x20], 0
,=< 0x080484fd eb3f jmp 0x804853e ;[3]
.--> 0x080484ff 8b442420 mov eax, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020 ; "\." @ 0x20
|| 0x08048503 0520a00408 add eax, str.5tr0vZBrX:xTyR_P_
|| 0x08048508 0fb610 movzx edx, byte [eax]
|| 0x0804850b 8b442420 mov eax, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020 ; "\." @ 0x20
|| 0x0804850f 31d0 xor eax, edx
|| 0x08048511 88442427 mov byte [esp + 0x27], al
|| 0x08048515 8d442428 lea eax, [esp + 0x28] ; 0x28 ; '(' ; "4" @ 0x28
|| 0x08048519 03442420 add eax, dword [esp + 0x20]
|| 0x0804851d 0fb600 movzx eax, byte [eax]
|| 0x08048520 3a442427 cmp al, byte [esp + 0x27] ; [0x27:1]=0 ; '''
,===< 0x08048524 7413 je 0x8048539 ;[4]
||| 0x08048526 c70424848604. mov dword [esp], str.Wrong_ ; [0x8048684:4]=0x6e6f7257 LEA str.Wrong_ ; "Wrong!" @ 0x8048684
||| 0x0804852d e88efeffff call sym.imp.puts ;[5]
||| 0x08048532 b801000000 mov eax, 1
,====< 0x08048537 eb41 jmp 0x804857a ;[6]
|`---> 0x08048539 8344242001 add dword [esp + 0x20], 1
| |`-> 0x0804853e 8b5c2420 mov ebx, dword [esp + 0x20] ; [0x20:4]=0x115c ; "\." 0x00000020 ; "\." @ 0x20
| | 0x08048542 b820a00408 mov eax, str.5tr0vZBrX:xTyR_P_ ; "5tr0vZBrX:xTyR-P!" @ 0x804a020
| | 0x08048547 c744241cffff. mov dword [esp + 0x1c], 0xffffffff ; [0xffffffff:4]=-1 ; -1 ; -1
| | 0x0804854f 89c2 mov edx, eax
| | 0x08048551 b800000000 mov eax, 0
| | 0x08048556 8b4c241c mov ecx, dword [esp + 0x1c] ; [0x1c:4]=52 ; "4" @ 0x1c
| | 0x0804855a 89d7 mov edi, edx
| | 0x0804855c f2ae repne scasb al, byte es:[edi]
| | 0x0804855e 89c8 mov eax, ecx
| | 0x08048560 f7d0 not eax
| | 0x08048562 83e801 sub eax, 1
| | 0x08048565 39c3 cmp ebx, eax
| `==< 0x08048567 7296 jb 0x80484ff ;[7]
| 0x08048569 c704248b8604. mov dword [esp], str._nSuccess___Too_easy. ; [0x804868b:4]=0x6375530a LEA str._nSuccess___Too_easy. ; str._nSuccess___Too_easy.
| 0x08048570 e84bfeffff call sym.imp.puts ;[5]
| 0x08048575 b800000000 mov eax, 0
`----> 0x0804857a 8b54243c mov edx, dword [esp + 0x3c] ; [0x3c:4]=0x8048034 section_end.ehdr ; '<' ; "4...4... ." @ 0x3c
0x0804857e 653315140000. xor edx, dword gs:[0x14]
有什么想法吗?密码可能是什么?我在 main 的主要部分找不到任何用来检查密码的 cmp 指令,虽然其他地方确实有一条可能相关的 cmp。
答案 0 :(得分:0)
如果你有 IDA(或者直接用这里贴出的 radare2 输出)做静态分析,就可以弄清楚程序是如何工作的。
从地址 0x08048569 往回看:那里引用了字符串 str._nSuccess___Too_easy,只有 0x080484ff 开始的循环正常跑完(0x08048567 的 `jb` 不再回跳)才会走到这里。
同样看 0x08048526:这里引用了 str.Wrong_("Wrong!"),是 0x08048524 的 `je` 不成立、也就是某个字节比较失败时的分支,随后 eax 被置为 1 并跳到 0x0804857a。
密码检查并不总是一条对整个字符串的简单 cmp,这里其实是逐字节比较。0x080484ff 开始的循环里,[esp+0x20] 是计数器 i:先取 edx = key[i](key 是 0x804a020 处的 "5tr0vZBrX:xTyR-P!"),算出 i ^ key[i] 存到 [esp+0x27],然后 0x08048520 的 `cmp al, byte [esp+0x27]` 把它与 [esp+0x28+i] 处的输入字节比较;任一字节不匹配就输出 "Wrong!"。循环上界是 0x0804855c 的 `repne scasb` 算出的 strlen(key),即 17 个字节。因此正确输入满足 input[i] = key[i] ^ i(i = 0..16),按此算出来是 5up3r_DuP3r_u_#_1,建议在实际二进制上验证一下。另外两点值得注意:代码没有检查输入长度,输入过短时会继续拿缓冲区里 '\0' 之后的内容去比较,通常直接失败;scanf 的格式串和目标指针在这段代码之前设置、这里看不到,如果是无界的 %s 写入 [esp+0x28] 这个栈缓冲区就可能溢出(0x0804857e 处有 canary 检查)。