OD载入
00401293 . E8 B8FEFFFF call game.00401150 跟入
00401246 |. E8 F5000000 call game.00401340 输出函数 也跟入
在输出完一些说明字符之后，后面还有一个 call
00401394 |. E8 57FFFFFF call game.004012F0 决定跟入
一步一步往下走，便发现了一些猫腻
004012F0 /$ 55 push ebp
004012F1 |. 89E5 mov ebp,esp
004012F3 |. 57 push edi
004012F4 |. 53 push ebx
004012F5 |. 83EC 10 sub esp,0x10
004012F8 |. C70424 280000>mov dword ptr ss:[esp],0x28 ; |
004012FF |. E8 2C060000 call <jmp.&msvcrt.malloc> ; \malloc
00401304 |. FC cld
00401305 |. 89C3 mov ebx,eax
00401307 |. B9 0A000000 mov ecx,0xA
0040130C |. 31C0 xor eax,eax
0040130E |. 89DF mov edi,ebx
00401310 |. F3:AB rep stos dword ptr es:[edi]
00401312 |. 31FF xor edi,edi
00401314 |. EB 0D jmp short game.00401323 进入循环
00401316 |> 0FB687 003040>/movzx eax,byte ptr ds:[edi+0x403000]
0040131D |. 34 55 |xor al,0x55 进行异或运算(开始不懂异或运算,自己专门计算了一下)
0040131F |. 88041F |mov byte ptr ds:[edi+ebx],al 将异或后的字节写入 ebx 指向的缓冲区（偏移 edi 处）
00401322 |. 47 |inc edi edi++
00401323 |> C70424 003040> mov dword ptr ss:[esp],game.00403000 ; |>0,u<&ue6gm6`7ag0e`6a61c30dfac364a0c030 这就是需要进行异或运算的字符串
0040132A |. E8 F9050000 |call <jmp.&msvcrt.strlen> ; \strlen 计算的字串的长度
0040132F |. 39C7 |cmp edi,eax 判断是否计算完毕
00401331 |.^ 72 E3 \jb short game.00401316
00401333 |. 83C4 10 add esp,0x10
00401336 |. 89D8 mov eax,ebx 循环结束之后，ebx 指向的缓冲区里存放的就是转换后的 key
00401338 |. 5B pop ebx
00401339 |. 5F pop edi
0040133A |. 5D pop ebp
0040133B \. C3 retn
运行一下 C 程序，对每个字节进行异或 0x55 运算即可（作者原文写的是 27 次）
#include <stdio.h>
#include <string.h>
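/*
 * Recover the key by undoing the transformation seen at 004012F0:
 * each byte of the string at game.00403000 is XORed with 0x55, so
 * XORing the same constant again yields the original bytes.
 *
 * Returns 0 after printing the decoded key.
 */
int main(void) {
    /* The encoded string as shown in the disassembly comment. */
    const char str[] = ">0,u<&ue6gm6`7ag0e`6a61c30dfac364a0c030";
    /* 40 bytes matches malloc(0x28) in the target; `{0}` is the portable
     * C11 spelling (the original `{}` is a compiler extension) and the
     * zero fill doubles as the NUL terminator, like the `rep stos`. */
    char key[40] = {0};
    /* strlen is hoisted out of the loop and kept as size_t so the loop
     * index is never compared signed-vs-unsigned. */
    size_t len = strlen(str);
    /* Bound the write to leave the final byte as the terminator. */
    if (len > sizeof key - 1) {
        len = sizeof key - 1;
    }
    for (size_t i = 0; i < len; ++i) {
        key[i] = (char)(str[i] ^ 0x55);
    }
    printf("%s", key);
    return 0;
}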