Obtain the dialog box data and determine the length:
004011B5 |. 6A 14          push 0x14                               ; /Count = 14 (20.)
004011B7 |. 51             push ecx                                ; |Buffer = 0018F8B8
004011B8 |. 66:894424 2D   mov word ptr [esp+0x2D], ax             ; |
004011BD |. 68 E8030000    push 0x3E8                              ; |ControlID = 3E8 (1000.)
004011C2 |. 52             push edx                                ; |hWnd
004011C3 |. C64424 20 00   mov byte ptr [esp+0x20], 0x0            ; |
004011C8 |. 884424 37      mov byte ptr [esp+0x37], al             ; |
004011CC |. 33ED           xor ebp, ebp                            ; |
004011CE |. FF15 B8504000  call dword ptr [<&user32.GetDlgItemTe>  ; \GetDlgItemTextA
004011D4 |. 8D7C24 10      lea edi, dword ptr [esp+0x10]           ; stack address = 0018F8B8, (ASCII "crack_qs")
004011D8 |. 83C9 FF        or ecx, 0xFFFFFFFF
004011DB |. 33C0           xor eax, eax
004011DD |. F2:AE          repne scas byte ptr es:[edi]            ; key length (inline strlen)
004011DF |. F7D1           not ecx
004011E1 |. 49             dec ecx
004011E2 |. 83F9 0D        cmp ecx, 0xD                            ; determine whether the key length is 13
004011E5 |. 0F85 F0000000  jnz 004012DB                            ; jump to the end of the function if the length is not 13 characters
Next, check whether there are non-numbers in the key content:
004011ED |> /8A440C 10     /mov al, byte ptr [esp+ecx+0x10]        ; key[i]
004011F1 |. |3C 30         |cmp al, 0x30                           ; below '0'?
004011F3 |. |0F8C E2000000 |jl 004012DB
004011F9 |. |3C 39         |cmp al, 0x39                           ; above '9'?
004011FB |. |0F8F DA000000 |jg 004012DB
00401201 |. |41            |inc ecx
00401202 |. |83F9 0D       |cmp ecx, 0xD
00401205 |.^\7C E6         \jl short 004011ED
First verification key:
00401207 |. 0FBE7C24 16    movsx edi, byte ptr [esp+0x16]          ; key[6]; key buffer start address is [esp+0x10]
0040120C |. 0FBE4C24 10    movsx ecx, byte ptr [esp+0x10]          ; key[0]
00401211 |. 0FBE5424 19    movsx edx, byte ptr [esp+0x19]          ; key[9]
00401216 |. 8D4439 A0      lea eax, dword ptr [ecx+edi-0x60]       ; key[0] + key[6] - 0x60 (sum of the two digits as int values)
0040121A |. 83EA 26        sub edx, 0x26                           ; key[9] - 0x30 + 0xA
0040121D |. 3BC2           cmp eax, edx                            ; judge whether key[0](int) + key[6](int) is equal to key[9](int) + 0xA
0040121F |. 0F85 B6000000  jnz 004012DB
Second verification key:
00401225 |. 8A5C24 17      mov bl, byte ptr [esp+0x17]             ; key[7]
00401229 |. 8D41 D0        lea eax, dword ptr [ecx-0x30]           ; key[0](int)
0040122C |. 99             cdq                                     ; edx = sign of eax (0 for a digit)
0040122D |. 0FBEF3         movsx esi, bl                           ; esi = key[7]
00401230 |. 83E2 03        and edx, 0x3
00401233 |. 03C2           add eax, edx                            ; (0 & 0x3) + key[0](int)
00401235 |. 8D56 D0        lea edx, dword ptr [esi-0x30]           ; key[7](int)
00401238 |. C1F8 02        sar eax, 0x2                            ; ((0 & 0x3) + key[0](int)) >> 2; the cdq/and/add/sar sequence is signed division by 4
0040123B |. 3BC2           cmp eax, edx                            ; judge whether key[0](int) / 4 is equal to key[7](int)
0040123D |. 0F85 98000000  jnz 004012DB
The third verification key:
00401243 |. 385C24 14      cmp byte ptr [esp+0x14], bl             ; judge whether key[4] is equal to key[7]
00401247 |. 0F85 8E000000  jnz 004012DB
The fourth verification key:
0040124D |. 0FBE4424 11    movsx eax, byte ptr [esp+0x11]          ; key[1]
00401252 |. 8D1430         lea edx, dword ptr [eax+esi]            ; key[1] + key[7]
00401255 |. 03D1           add edx, ecx                            ; key[1] + key[7] + key[0]
00401257 |. 03D7           add edx, edi                            ; key[1] + key[7] + key[0] + key[6]
00401259 |. 81FA D4000000  cmp edx, 0xD4                           ; judge whether key[1] + key[7] + key[0] + key[6] (raw ASCII values) is equal to 0xD4
0040125F |. 75 7A          jnz short 004012DB
The fifth verification key:
00401261 |. 0FBE5424 12    movsx edx, byte ptr [esp+0x12]          ; key[2]
00401266 |. 0FBE7424 15    movsx esi, byte ptr [esp+0x15]          ; key[5]
0040126B |. 03F2           add esi, edx                            ; key[2] + key[5]
0040126D |. 03C1           add eax, ecx                            ; key[0] + key[1]
0040126F |. 3BC6           cmp eax, esi                            ; judge whether key[0] + key[1] is equal to key[2] + key[5]
00401271 |. 75 68          jnz short 004012DB
The sixth verification key:
00401273 |. 0FBE4424 13    movsx eax, byte ptr [esp+0x13]          ; key[3]
00401278 |. 42             inc edx                                 ; key[2] + 1
00401279 |. 3BD0           cmp edx, eax                            ; judge whether key[2] + 1 is equal to key[3]
0040127B |. 75 5E          jnz short 004012DB
Seventh to ninth verification keys (three fixed-digit checks):
0040127D |. 807C24 16 38   cmp byte ptr [esp+0x16], 0x38           ; judge whether key[6] is equal to '8'
00401282 |. 75 57          jnz short 004012DB
00401284 |. 807C24 10 39   cmp byte ptr [esp+0x10], 0x39           ; judge whether key[0] is equal to '9'
00401289 |. 75 50          jnz short 004012DB
0040128B |. 807C24 18 30   cmp byte ptr [esp+0x18], 0x30           ; judge whether key[8] is equal to '0'
00401290 |. 75 49          jnz short 004012DB
Tenth verification key (check whether the key contains exactly three '2' characters):
00401292 |. 33C0           xor eax, eax                            ; i = 0
00401294 |. B1 32          mov cl, 0x32                            ; '2'
00401296 |> 384C04 10      /cmp byte ptr [esp+eax+0x10], cl        ; if (key[i] == '2')
0040129A |. 75 01          |jnz short 0040129D
0040129C |. 45             |inc ebp                                ; j++
0040129D |> 40             |inc eax                                ; i++
0040129E |. 83F8 0D        |cmp eax, 0xD
004012A1 |.^ 7C F3         \jl short 00401296
004012A3 |. 83FD 03        cmp ebp, 0x3                            ; j == 3?
004012A6 |. 75 33          jnz short 004012DB
11th verification key:
004012A8 |. 0FBE4424 1B    movsx eax, byte ptr [esp+0x1B]          ; key[11]
004012AD |. 0FBE4C24 1A    movsx ecx, byte ptr [esp+0x1A]          ; key[10]
004012B2 |. 8D50 FF        lea edx, dword ptr [eax-0x1]            ; key[11] - 1
004012B5 |. 3BCA           cmp ecx, edx                            ; key[10] == key[11] - 1
004012B7 |. 75 22          jnz short 004012DB
12th verification key:
004012B9 |. 83C1 D0        add ecx, -0x30                          ; key[10](int)
004012BC |. 83C0 D0        add eax, -0x30                          ; key[11](int)
004012BF |. 0FAFC8         imul ecx, eax                           ; key[10](int) * key[11](int)
004012C2 |. 0FBE4424 1C    movsx eax, byte ptr [esp+0x1C]          ; key[12] (offset 0x1C = 0x10 + 0xC)
004012C7 |. 83E8 30        sub eax, 0x30                           ; key[12](int)
004012CA |. 33D2           xor edx, edx
004012CC |. 3BC8           cmp ecx, eax                            ; key[10](int) * key[11](int) == key[12](int)
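The twelve checks above, re-implemented in Python so the reversed logic can be tested against the key without the binary. This is an added example, not code from the original writeup or from the challenge; the function names (sdiv4, check_key, enumerate_keys) are my own. check_key mirrors the assembly exactly, comparing raw ASCII values where the routine does (check 4) and numeric values where it subtracts 0x30. enumerate_keys goes beyond the single key given in the writeup: it uses the fact that checks 7-9 and 1-6 pin down every digit except key[2] and key[10], and then lets check_key filter the 100 remaining candidates, which shows that the routine accepts more than one key.

```python
# Added example: Python re-implementation of the key checks reversed from the
# disassembly above. Not code from the original writeup; names are assumptions.


def sdiv4(x):
    """Signed division by 4 exactly as the compiler emitted it:
    cdq / and edx,3 / add eax,edx / sar eax,2."""
    bias = 3 if x < 0 else 0   # cdq puts -1 in edx for negative x; and edx,3 keeps 3
    return (x + bias) >> 2     # Python's >> is an arithmetic shift, like sar


def check_key(key):
    """Return True if `key` would pass every check in the routine at 004011B5..004012CC."""
    # Length check: repne scas / not ecx / dec ecx / cmp ecx, 0xD
    if len(key) != 13:
        return False
    # Character check: every byte must be in '0'..'9' (cmp al,0x30 / cmp al,0x39)
    if any(c < '0' or c > '9' for c in key):
        return False
    a = [ord(c) for c in key]            # raw ASCII values, as loaded by movsx
    d = [v - 0x30 for v in a]            # numeric values, as produced by the -0x30 adjustments
    checks = [
        d[0] + d[6] == d[9] + 0xA,       # 1: lea eax,[ecx+edi-0x60] vs sub edx,0x26
        sdiv4(d[0]) == d[7],             # 2: cdq/and/add/sar idiom is key[0](int) / 4
        a[4] == a[7],                    # 3: cmp byte ptr [esp+0x14], bl
        a[1] + a[7] + a[0] + a[6] == 0xD4,  # 4: raw ASCII sum (4 * 0x30 + digit sum 20)
        a[0] + a[1] == a[2] + a[5],      # 5
        a[2] + 1 == a[3],                # 6
        key[6] == '8',                   # 7
        key[0] == '9',                   # 8
        key[8] == '0',                   # 9
        key.count('2') == 3,             # 10: loop counting '2' into ebp
        a[10] == a[11] - 1,              # 11
        d[10] * d[11] == d[12],          # 12: imul on the numeric values
    ]
    return all(checks)


def enumerate_keys():
    """Derive every 13-digit key the routine accepts.

    Checks 7-9 fix key[0], key[6], key[8]; checks 1-4 then fix key[9], key[7],
    key[4], key[1]; checks 5, 6, 11, 12 tie key[5], key[3], key[11], key[12]
    to key[2] and key[10]. Only key[2] and key[10] are free, so 100 candidates
    cover the whole space and check_key removes the ones check 10 rejects.
    """
    found = []
    for d2 in range(10):
        for d10 in range(10):
            d = [0] * 13
            d[0], d[6], d[8] = 9, 8, 0           # checks 7-9
            d[9] = d[0] + d[6] - 0xA             # check 1
            d[7] = sdiv4(d[0])                   # check 2
            d[4] = d[7]                          # check 3
            d[1] = 20 - d[7] - d[0] - d[6]       # check 4: 0xD4 - 4*0x30 = 20
            d[2] = d2
            d[5] = d[0] + d[1] - d[2]            # check 5
            d[3] = d[2] + 1                      # check 6
            d[10] = d10
            d[11] = d[10] + 1                    # check 11
            d[12] = d[10] * d[11]                # check 12
            if any(not 0 <= v <= 9 for v in d):  # a derived value that is not a digit
                continue
            key = ''.join(str(v) for v in d)
            if check_key(key):
                found.append(key)
    return found


if __name__ == "__main__":
    print(check_key("9156258207236"))   # the key given in the writeup
    for k in enumerate_keys():
        print(k)
```

Running the block prints True for the writeup's key and then lists every key the routine accepts; the page's key is one of them, which is why a checker like this is worth keeping next to the disassembly when verifying a solution.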
Key: 9156258207236.
Bin download link: http://pan.baidu.com/s/1mgA4Kje password: vvmi
Geek Grand Challenge Season 5, reverse engineering problem (2)