[Disassembly Practice] 160 CrackMes: No. 021

    The aim of this series is to start from the perspective of a newcomer with no experience at all (that is, myself) and, step by step, try to crack all 160 CrackMes and, where possible, write something like a keygen for each by whatever means work.

    Each article is organised as follows (answering these questions):

    1. Which environment and tools are used

    2. Program analysis

    3. Approach and cracking procedure

    4. Exploring a keygen

    ----------------------------------

    A reminder to readers: if the logic in the article is unclear, it is because you have not tried it yourself! OD's jump hints are very powerful; once you trace through it, you will understand without reading much code!

    ----------------------------------

    1. Tools and environment:

    WinXP SP3 + the 52Pojie 6th-anniversary edition of OllyDbg (OD below) + PEiD + 汇编金手指 (an x86 instruction quick-reference tool).

    The 160 CrackMe bundle.

    Download: http://pan.baidu.com/s/1xUWOY  password: jbnq

    Notes:

    1. Windows 7 randomises module base addresses (ASLR), so the addresses you see will not match the ones in this article and the analysis becomes a lot more laborious; Win7 is therefore not recommended for following along. (An old Delphi 3 executable such as this CrackMe is not linked with the dynamic-base flag, so the exe itself still loads at its preferred base; it is the system DLLs around it that move.)

    2. All of the tools above are the original versions downloaded from the 52PoJie forum; NOD32 does not flag them, and I personally promise never to include anything related to trojans or viruses.

    2. Program analysis:

    To crack a program you first have to understand it. The initial analysis of the program is therefore important: it helps us understand the author's purpose and intent, in particular the details of how the registration code is handled, which makes tracing backwards and deriving it much easier.

    As in the previous article, open the CHM, pick the 21st entry, Cabeca.exe, and save it. Run it; the program window looks like this:

    [screenshot: Cabeca.exe main window]

    3. Approach and cracking procedure

    There is a message box, so the usual method applies.

    PEiD reports: Borland Delphi 3.0

    Same as before, straight to the steps:

    1. Open OD, drag the exe into the OD window, wait for the program to break on load, then just press Run (F9) and ignore it.

    2. In the exe enter dummy values: bbdxf as the name, 12345 and 67890 as the two serials. Click OK; an error message box pops up. Do not close it.

    3. In OD click the Pause button (F12), then the call-stack K button (Alt+K) to see the current call stack.

    Then...

    No wait. It is a Delphi program: although this locates the spot, the problem is that most of the functions and calls mean nothing without symbols. So it should go like this instead:

    1. Open the program in IDR (Interactive Delphi Reconstructor) and analyse it:

    Form information:
    [screenshot: IDR form view]

    Button event information:

    [screenshot: IDR event list]

     Unit1::TForm1.Button1Click
     0042D3C4    push       ebp
     0042D3C5    mov        ebp,esp
     0042D3C7    xor        ecx,ecx
     0042D3C9    push       ecx
     0042D3CA    push       ecx
     0042D3CB    push       ecx
     0042D3CC    push       ecx
     0042D3CD    push       ebx
     0042D3CE    mov        ebx,eax
     0042D3D0    xor        eax,eax
     0042D3D2    push       ebp
     0042D3D3    push       42D5AD
     0042D3D8    push       dword ptr fs:[eax]
     0042D3DB    mov        dword ptr fs:[eax],esp
     0042D3DE    cmp        dword ptr ds:[42F714],0; gvar_0042F714
    >0042D3E5    je         0042D42C
     0042D3E7    cmp        dword ptr ds:[42F718],0; gvar_0042F718
    >0042D3EE    je         0042D42C
     0042D3F0    lea        edx,[ebp-4]
     0042D3F3    mov        eax,dword ptr [ebx+1E0]; TForm1.Edit1:TEdit
     0042D3F9    call       TControl.GetText
     0042D3FE    cmp        dword ptr [ebp-4],0
    >0042D402    je         0042D42C
     0042D404    lea        edx,[ebp-8]
     0042D407    mov        eax,dword ptr [ebx+1E4]; TForm1.Edit2:TEdit
     0042D40D    call       TControl.GetText
     0042D412    cmp        dword ptr [ebp-8],0
    >0042D416    je         0042D42C
     0042D418    lea        edx,[ebp-0C]
     0042D41B    mov        eax,dword ptr [ebx+1EC]; TForm1.Edit3:TEdit
     0042D421    call       TControl.GetText
     0042D426    cmp        dword ptr [ebp-0C],0
    >0042D42A    jne        0042D470
     0042D42C    mov        eax,42D5C4; 'Fill all boxes first dumb!'
     0042D431    call       ShowMessage
     0042D436    xor        eax,eax
     0042D438    mov        [0042F714],eax; gvar_0042F714
     0042D43D    xor        eax,eax
     0042D43F    mov        [0042F718],eax; gvar_0042F718
     0042D444    xor        edx,edx
     0042D446    mov        eax,dword ptr [ebx+1E0]; TForm1.Edit1:TEdit
     0042D44C    call       TControl.SetText
     0042D451    xor        edx,edx
     0042D453    mov        eax,dword ptr [ebx+1E4]; TForm1.Edit2:TEdit
     0042D459    call       TControl.SetText
     0042D45E    xor        edx,edx
     0042D460    mov        eax,dword ptr [ebx+1EC]; TForm1.Edit3:TEdit
     0042D466    call       TControl.SetText
    >0042D46B    jmp        0042D58A
     0042D470    cmp        dword ptr ds:[42F714],0; gvar_0042F714
    >0042D477    je         0042D4E5
     0042D479    cmp        dword ptr ds:[42F718],0; gvar_0042F718
    >0042D480    je         0042D4E5
     0042D482    lea        edx,[ebp-10]
     0042D485    mov        eax,[0042F714]; 0x0 gvar_0042F714
     0042D48A    call       IntToStr
     0042D48F    mov        eax,dword ptr [ebp-10]
     0042D492    push       eax
     0042D493    lea        edx,[ebp-4]
     0042D496    mov        eax,dword ptr [ebx+1E4]; TForm1.Edit2:TEdit
     0042D49C    call       TControl.GetText
     0042D4A1    mov        edx,dword ptr [ebp-4]
     0042D4A4    pop        eax
     0042D4A5    call       @LStrCmp
    >0042D4AA    jne        0042D4E5
     0042D4AC    lea        edx,[ebp-10]
     0042D4AF    mov        eax,[0042F718]; 0x0 gvar_0042F718
     0042D4B4    call       IntToStr
     0042D4B9    mov        eax,dword ptr [ebp-10]
     0042D4BC    push       eax
     0042D4BD    lea        edx,[ebp-4]
     0042D4C0    mov        eax,dword ptr [ebx+1EC]; TForm1.Edit3:TEdit
     0042D4C6    call       TControl.GetText
     0042D4CB    mov        edx,dword ptr [ebp-4]
     0042D4CE    pop        eax
     0042D4CF    call       @LStrCmp
    >0042D4D4    jne        0042D4E5
     0042D4D6    mov        eax,42D5E8; 'Hmmm.... Cracked... Congratulations idiot! :-)'
     0042D4DB    call       ShowMessage
    >0042D4E0    jmp        0042D58A
     0042D4E5    cmp        dword ptr ds:[42F714],0; gvar_0042F714
    >0042D4EC    je         0042D521
     0042D4EE    cmp        dword ptr ds:[42F718],0; gvar_0042F718
    >0042D4F5    je         0042D521
     0042D4F7    lea        edx,[ebp-10]
     0042D4FA    mov        eax,[0042F714]; 0x0 gvar_0042F714
     0042D4FF    call       IntToStr
     0042D504    mov        eax,dword ptr [ebp-10]
     0042D507    push       eax
     0042D508    lea        edx,[ebp-4]
     0042D50B    mov        eax,dword ptr [ebx+1E4]; TForm1.Edit2:TEdit
     0042D511    call       TControl.GetText
     0042D516    mov        edx,dword ptr [ebp-4]
     0042D519    pop        eax
     0042D51A    call       @LStrCmp
    >0042D51F    jne        0042D54B
     0042D521    lea        edx,[ebp-10]
     0042D524    mov        eax,[0042F718]; 0x0 gvar_0042F718
     0042D529    call       IntToStr
     0042D52E    mov        eax,dword ptr [ebp-10]
     0042D531    push       eax
     0042D532    lea        edx,[ebp-4]
     0042D535    mov        eax,dword ptr [ebx+1EC]; TForm1.Edit3:TEdit
     0042D53B    call       TControl.GetText
     0042D540    mov        edx,dword ptr [ebp-4]
     0042D543    pop        eax
     0042D544    call       @LStrCmp
    >0042D549    je         0042D58A
     0042D54B    mov        eax,42D620; 'Nice try... but is incorrect... Dumb..'
     0042D550    call       ShowMessage
     0042D555    xor        eax,eax
     0042D557    mov        [0042F714],eax; gvar_0042F714
     0042D55C    xor        eax,eax
     0042D55E    mov        [0042F718],eax; gvar_0042F718
     0042D563    xor        edx,edx
     0042D565    mov        eax,dword ptr [ebx+1E0]; TForm1.Edit1:TEdit
     0042D56B    call       TControl.SetText
     0042D570    xor        edx,edx
     0042D572    mov        eax,dword ptr [ebx+1E4]; TForm1.Edit2:TEdit
     0042D578    call       TControl.SetText
     0042D57D    xor        edx,edx
     0042D57F    mov        eax,dword ptr [ebx+1EC]; TForm1.Edit3:TEdit
     0042D585    call       TControl.SetText
     0042D58A    xor        eax,eax
     0042D58C    pop        edx
     0042D58D    pop        ecx
     0042D58E    pop        ecx
     0042D58F    mov        dword ptr fs:[eax],edx
     0042D592    push       42D5B4
     0042D597    lea        eax,[ebp-10]
     0042D59A    call       @LStrClr
     0042D59F    lea        eax,[ebp-0C]
     0042D5A2    mov        edx,3
     0042D5A7    call       @LStrArrayClr
     0042D5AC    ret
    <0042D5AD    jmp        @HandleFinally
    <0042D5B2    jmp        0042D597
     0042D5B4    pop        ebx
     0042D5B5    mov        esp,ebp
     0042D5B7    pop        ebp
     0042D5B8    ret

    Now analyse it in OD:

    0042D3C4  /.  55            push ebp                                 ;  // Try button click handler
    0042D3C5  |.  8BEC          mov ebp,esp
    0042D3C7  |.  33C9          xor ecx,ecx
    0042D3C9  |.  51            push ecx
    0042D3CA  |.  51            push ecx
    0042D3CB  |.  51            push ecx
    0042D3CC  |.  51            push ecx
    0042D3CD  |.  53            push ebx
    0042D3CE  |.  8BD8          mov ebx,eax
    0042D3D0  |.  33C0          xor eax,eax
    0042D3D2  |.  55            push ebp
    0042D3D3  |.  68 ADD54200   push 0042D5AD
    0042D3D8  |.  64:FF30       push dword ptr fs:[eax]
    0042D3DB  |.  64:8920       mov dword ptr fs:[eax],esp
    0042D3DE  |.  833D 14F74200>cmp dword ptr ds:[0x42F714],0x0
    0042D3E5  |.  74 45         je short 0042D42C
    0042D3E7  |.  833D 18F74200>cmp dword ptr ds:[0x42F718],0x0
    0042D3EE  |.  74 3C         je short 0042D42C
    0042D3F0  |.  8D55 FC       lea edx,[local.1]
    0042D3F3  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]         ;  TForm1.Edit1:TEdit
    0042D3F9  |.  E8 E2C9FEFF   call 00419DE0                            ;  TControl.GetText
    0042D3FE  |.  837D FC 00    cmp [local.1],0x0                        ;  // "bbdxf"
    0042D402  |.  74 28         je short 0042D42C
    0042D404  |.  8D55 F8       lea edx,[local.2]
    0042D407  |.  8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]         ;  TForm1.Edit2:TEdit
    0042D40D  |.  E8 CEC9FEFF   call 00419DE0                            ;  TControl.GetText
    0042D412  |.  837D F8 00    cmp [local.2],0x0                        ;  // "12345"
    0042D416  |.  74 14         je short 0042D42C
    0042D418  |.  8D55 F4       lea edx,[local.3]
    0042D41B  |.  8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]         ;  TForm1.Edit3:TEdit
    0042D421  |.  E8 BAC9FEFF   call 00419DE0                            ;  TControl.GetText
    0042D426  |.  837D F4 00    cmp [local.3],0x0                        ;  // "67890"
    0042D42A  |.  75 44         jnz short 0042D470
    0042D42C  |>  B8 C4D54200   mov eax,0042D5C4                         ;  ASCII 46,"ill all boxes first dumb!"
    0042D431  |.  E8 56F6FFFF   call 0042CA8C
    0042D436  |.  33C0          xor eax,eax
    0042D438  |.  A3 14F74200   mov dword ptr ds:[0x42F714],eax
    0042D43D  |.  33C0          xor eax,eax
    0042D43F  |.  A3 18F74200   mov dword ptr ds:[0x42F718],eax
    0042D444  |.  33D2          xor edx,edx
    0042D446  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]         ;  TForm1.Edit1:TEdit
    0042D44C  |.  E8 BFC9FEFF   call 00419E10                            ;  TControl.SetText
    0042D451  |.  33D2          xor edx,edx
    0042D453  |.  8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]         ;  TForm1.Edit2:TEdit
    0042D459  |.  E8 B2C9FEFF   call 00419E10                            ;  TControl.SetText
    0042D45E  |.  33D2          xor edx,edx
    0042D460  |.  8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]         ;  TForm1.Edit3:TEdit
    0042D466  |.  E8 A5C9FEFF   call 00419E10                            ;  TControl.SetText
    0042D46B  |.  E9 1A010000   jmp 0042D58A
    0042D470  |>  833D 14F74200>cmp dword ptr ds:[0x42F714],0x0          ;  ds:[0042F714]=00005F2A
    0042D477  |.  74 6C         je short 0042D4E5
    0042D479  |.  833D 18F74200>cmp dword ptr ds:[0x42F718],0x0          ;  ds:[0042F718]=0000040B
    0042D480  |.  74 63         je short 0042D4E5
    0042D482  |.  8D55 F0       lea edx,[local.4]                        ;  // edx = 0x0012F9A0
    0042D485  |.  A1 14F74200   mov eax,dword ptr ds:[0x42F714]          ;  ds:[0042F714]=00005F2A
    0042D48A  |.  E8 C190FDFF   call 00406550                            ;  IntToStr
    0042D48F  |.  8B45 F0       mov eax,[local.4]                        ;  0x5F2A converted to ASCII "24362"
    0042D492  |.  50            push eax
    0042D493  |.  8D55 FC       lea edx,[local.1]                        ;  // "bbdxf"
    0042D496  |.  8B83 E4010000 mov eax,dword ptr ds:[ebx+0x1E4]         ;  TForm1.Edit2:TEdit
    0042D49C  |.  E8 3FC9FEFF   call 00419DE0                            ;  TControl.GetText
    0042D4A1  |.  8B55 FC       mov edx,[local.1]                        ;  // "12345"
    0042D4A4  |.  58            pop eax                                  ;  // eax = "24362"
    0042D4A5  |.  E8 2664FDFF   call 004038D0                            ;  @LStrCmp
    0042D4AA      90            nop                                      ;  // first key jump (originally 75 0F = jnz short 0042D4E5; already NOPed in this listing)
    0042D4AB      90            nop
    0042D4AC  |.  8D55 F0       lea edx,[local.4]                        ;  // "24362"
    0042D4AF  |.  A1 18F74200   mov eax,dword ptr ds:[0x42F718]          ;  [0042F718]=0000040B = 1035
    0042D4B4  |.  E8 9790FDFF   call 00406550                            ;  IntToStr
    0042D4B9  |.  8B45 F0       mov eax,[local.4]                        ;  // eax = (ASCII "1035")
    0042D4BC  |.  50            push eax
    0042D4BD  |.  8D55 FC       lea edx,[local.1]                        ;  // "12345"
    0042D4C0  |.  8B83 EC010000 mov eax,dword ptr ds:[ebx+0x1EC]         ;  TForm1.Edit3:TEdit
    0042D4C6  |.  E8 15C9FEFF   call 00419DE0                            ;  TControl.GetText
    0042D4CB  |.  8B55 FC       mov edx,[local.1]                        ;  // edx = "67890"
    0042D4CE  |.  58            pop eax                                  ;  // eax = "1035"
    0042D4CF  |.  E8 FC63FDFF   call 004038D0                            ;  @LStrCmp
    0042D4D4  |.  75 0F         jnz short 0042D4E5                       ;  // second key jump
    0042D4D6  |.  B8 E8D54200   mov eax,0042D5E8                         ;  ASCII 48,"mmm.... Cracked... Congratulations idiot! :-)"
    0042D4DB  |.  E8 ACF5FFFF   call 0042CA8C                            ;  ShowMessage

    The two string comparisons that gate the success message are:

    0042D4A5    call       @LStrCmp        ; IntToStr([42F714]) against Edit2
    0042D4CF    call       @LStrCmp        ; IntToStr([42F718]) against Edit3

    Each is followed by a key jump. Patching is then trivial: overwrite both conditional jumps with NOPs (each jnz short is 2 bytes, 75 0F, so two NOPs each):

    0042D4AA    jnz short 0042D4E5
    0042D4D4    jnz short 0042D4E5

    (The later pair at 0042D51A and 0042D544 is the second comparison block, which only runs on the failure path; patching those changes nothing.) Note that the checks at 0042D3DE and 0042D470 still require both globals [42F714] and [42F718] to be non-zero, so even the patched program needs a name that went through the Edit1 key handler before it will show the "Cracked" message.

    [screenshot: result after patching]

    4. Exploring a keygen

    During the OD analysis we actually already got hold of the serial check, but it involves a couple of "constants" ([42F714] and [42F718]), and these constants are peculiar: when we change the Name, they change too. So they are not fixed at all; they must be computed from the Name.

    Looking further in IDR, we find an event on the Name field:

     Unit1::TForm1.Edit1KeyPress
     0042CE30    xor        edx,edx
     0042CE32    mov        dl,byte ptr [ecx]
     0042CE34    add        edx,0FFFFFFF8
     0042CE37    cmp        edx,72
    >0042CE3A    ja         0042D3C0
     0042CE40    mov        dl,byte ptr [edx+42CE4D]
     0042CE46    jmp        dword ptr [edx*4+42CEC0]
     0042CE4D    db         53
     0042CE4E    db         0
     0042CE4F    db         0
     0042CE50    db         0
     0042CE51    db         0
     0042CE52    db         0
     0042CE53    db         0
     0042CE54    db         0
     0042CE55    db         0
     0042CE56    db         0
     0042CE57    db         0
     0042CE58    db         0
     0042CE59    db         0
     0042CE5A    db         0
     0042CE5B    db         0
     0042CE5C    db         0
     0042CE5D    db         0
     0042CE5E    db         0
     0042CE5F    db         0
     0042CE60    db         0
     0042CE61    db         0
     0042CE62    db         0
     0042CE63    db         0
     0042CE64    db         0
     0042CE65    db         0
     0042CE66    db         0
     0042CE67    db         0
     0042CE68    db         0
     0042CE69    db         0
     0042CE6A    db         0
     0042CE6B    db         0
     0042CE6C    db         0
     0042CE6D    db         0
     0042CE6E    db         0
     0042CE6F    db         0
     0042CE70    db         0
     0042CE71    db         0
     0042CE72    db         0
     0042CE73    db         0
     0042CE74    db         0
     0042CE75    db         0
     0042CE76    db         0
     0042CE77    db         0
     0042CE78    db         0
     0042CE79    db         0
     0042CE7A    db         0
     0042CE7B    db         0
     0042CE7C    db         0
     0042CE7D    db         0
     0042CE7E    db         0
     0042CE7F    db         0
     0042CE80    db         0
     0042CE81    db         0
     0042CE82    db         0
     0042CE83    db         0
     0042CE84    db         0
     0042CE85    db         0
     0042CE86    db         27
     0042CE87    db         28
     0042CE88    db         29
     0042CE89    db         30
     0042CE8A    db         31
     0042CE8B    db         32
     0042CE8C    db         33
     0042CE8D    db         34
     0042CE8E    db         35
     0042CE8F    db         36
     0042CE90    db         37
     0042CE91    db         38
     0042CE92    db         39
     0042CE93    db         40
     0042CE94    db         41
     0042CE95    db         42
     0042CE96    db         43
     0042CE97    db         44
     0042CE98    db         45
     0042CE99    db         46
     0042CE9A    db         47
     0042CE9B    db         48
     0042CE9C    db         50
     0042CE9D    db         49
     0042CE9E    db         51
     0042CE9F    db         52
     0042CEA0    db         0
     0042CEA1    db         0
     0042CEA2    db         0
     0042CEA3    db         0
     0042CEA4    db         0
     0042CEA5    db         0
     0042CEA6    db         1
     0042CEA7    db         2
     0042CEA8    db         3
     0042CEA9    db         4
     0042CEAA    db         5
     0042CEAB    db         6
     0042CEAC    db         7
     0042CEAD    db         8
     0042CEAE    db         9
     0042CEAF    db         10
     0042CEB0    db         11
     0042CEB1    db         12
     0042CEB2    db         13
     0042CEB3    db         14
     0042CEB4    db         15
     0042CEB5    db         16
     0042CEB6    db         17
     0042CEB7    db         18
     0042CEB8    db         19
     0042CEB9    db         20
     0042CEBA    db         21
     0042CEBB    db         22
     0042CEBC    db         24
     0042CEBD    db         23
     0042CEBE    db         25
     0042CEBF    db         26
     0042CEC0    dd         42D3C0
     0042CEC4    dd         42CF98
     0042CEC8    dd         42CFAA
     0042CECC    dd         42CFBC
     0042CED0    dd         42CFD1
     0042CED4    dd         42CFE6
     0042CED8    dd         42CFF8
     0042CEDC    dd         42D00A
     0042CEE0    dd         42D01C
     0042CEE4    dd         42D02E
     0042CEE8    dd         42D040
     0042CEEC    dd         42D055
     0042CEF0    dd         42D067
     0042CEF4    dd         42D07C
     0042CEF8    dd         42D08E
     0042CEFC    dd         42D0A0
     0042CF00    dd         42D0B5
     0042CF04    dd         42D0CA
     0042CF08    dd         42D0DF
     0042CF0C    dd         42D0F4
     0042CF10    dd         42D105
     0042CF14    dd         42D117
     0042CF18    dd         42D129
     0042CF1C    dd         42D13B
     0042CF20    dd         42D14D
     0042CF24    dd         42D15F
     0042CF28    dd         42D171
     0042CF2C    dd         42D186
     0042CF30    dd         42D19B
     0042CF34    dd         42D1AD
     0042CF38    dd         42D1C2
     0042CF3C    dd         42D1D7
     0042CF40    dd         42D1EC
     0042CF44    dd         42D201
     0042CF48    dd         42D216
     0042CF4C    dd         42D22B
     0042CF50    dd         42D240
     0042CF54    dd         42D255
     0042CF58    dd         42D26A
     0042CF5C    dd         42D27F
     0042CF60    dd         42D294
     0042CF64    dd         42D2A9
     0042CF68    dd         42D2BE
     0042CF6C    dd         42D2D3
     0042CF70    dd         42D2E8
     0042CF74    dd         42D2FD
     0042CF78    dd         42D312
     0042CF7C    dd         42D327
     0042CF80    dd         42D33C
     0042CF84    dd         42D351
     0042CF88    dd         42D366
     0042CF8C    dd         42D37B
     0042CF90    dd         42D390
     0042CF94    dd         42D3A5
     0042CF98    add        dword ptr ds:[42F714],427; gvar_0042F714
     0042CFA2    add        dword ptr ds:[42F718],79; gvar_0042F718
     0042CFA9    ret
     0042CFAA    add        dword ptr ds:[42F714],6BC; gvar_0042F714
     0042CFB4    add        dword ptr ds:[42F718],6F; gvar_0042F718
     0042CFBB    ret
     0042CFBC    add        dword ptr ds:[42F714],491; gvar_0042F714
     0042CFC6    add        dword ptr ds:[42F718],2E2; gvar_0042F718
     0042CFD0    ret
     0042CFD1    add        dword ptr ds:[42F714],474D; gvar_0042F714
     0042CFDB    add        dword ptr ds:[42F718],2FA; gvar_0042F718
     0042CFE5    ret
     0042CFE6    add        dword ptr ds:[42F714],400; gvar_0042F714
     0042CFF0    add        dword ptr ds:[42F718],0E; gvar_0042F718
     0042CFF7    ret
     0042CFF8    add        dword ptr ds:[42F714],6D0; gvar_0042F714
     0042D002    add        dword ptr ds:[42F718],0D; gvar_0042F718
     0042D009    ret
     0042D00A    add        dword ptr ds:[42F714],67D; gvar_0042F714
     0042D014    add        dword ptr ds:[42F718],0C; gvar_0042F718
     0042D01B    ret
     0042D01C    add        dword ptr ds:[42F714],750; gvar_0042F714
     0042D026    add        dword ptr ds:[42F718],0B; gvar_0042F718
     0042D02D    ret
     0042D02E    add        dword ptr ds:[42F714],43C; gvar_0042F714
     0042D038    add        dword ptr ds:[42F718],63; gvar_0042F718
     0042D03F    ret
     0042D040    add        dword ptr ds:[42F714],764; gvar_0042F714
     0042D04A    add        dword ptr ds:[42F718],378; gvar_0042F718
     0042D054    ret
     0042D055    add        dword ptr ds:[42F714],0C0; gvar_0042F714
     0042D05F    add        dword ptr ds:[42F718],4D; gvar_0042F718
     0042D066    ret
     0042D067    add        dword ptr ds:[42F714],277D; gvar_0042F714
     0042D071    add        dword ptr ds:[42F718],22B; gvar_0042F718
     0042D07B    ret
     0042D07C    add        dword ptr ds:[42F714],81E; gvar_0042F714
     0042D086    add        dword ptr ds:[42F718],5A; gvar_0042F718
     0042D08D    ret
     0042D08E    add        dword ptr ds:[42F714],0E07; gvar_0042F714
     0042D098    add        dword ptr ds:[42F718],62; gvar_0042F718
     0042D09F    ret
     0042D0A0    add        dword ptr ds:[42F714],8E; gvar_0042F714
     0042D0AA    add        dword ptr ds:[42F718],1D2C; gvar_0042F718
     0042D0B4    ret
     0042D0B5    add        dword ptr ds:[42F714],9A670; gvar_0042F714
     0042D0BF    add        dword ptr ds:[42F718],8C7F3; gvar_0042F718
     0042D0C9    ret
     0042D0CA    add        dword ptr ds:[42F714],0D57; gvar_0042F714
     0042D0D4    add        dword ptr ds:[42F718],288; gvar_0042F718
     0042D0DE    ret
     0042D0DF    add        dword ptr ds:[42F714],5FEB; gvar_0042F714
     0042D0E9    add        dword ptr ds:[42F718],21A; gvar_0042F718
     0042D0F3    ret
     0042D0F4    add        dword ptr ds:[42F714],8B0; gvar_0042F714
     0042D0FE    inc        dword ptr ds:[42F718]; gvar_0042F718
     0042D104    ret
     0042D105    add        dword ptr ds:[42F714],4BB; gvar_0042F714
     0042D10F    add        dword ptr ds:[42F718],40; gvar_0042F718
     0042D116    ret
     0042D117    add        dword ptr ds:[42F714],8C2; gvar_0042F714
     0042D121    add        dword ptr ds:[42F718],4B; gvar_0042F718
     0042D128    ret
     0042D129    add        dword ptr ds:[42F714],1CA6; gvar_0042F714
     0042D133    add        dword ptr ds:[42F718],4E; gvar_0042F718
     0042D13A    ret
     0042D13B    add        dword ptr ds:[42F714],395; gvar_0042F714
     0042D145    add        dword ptr ds:[42F718],26; gvar_0042F718
     0042D14C    ret
     0042D14D    add        dword ptr ds:[42F714],251E; gvar_0042F714
     0042D157    add        dword ptr ds:[42F718],5; gvar_0042F718
     0042D15E    ret
     0042D15F    add        dword ptr ds:[42F714],2D13; gvar_0042F714
     0042D169    add        dword ptr ds:[42F718],8; gvar_0042F718
     0042D170    ret
     0042D171    add        dword ptr ds:[42F714],1900; gvar_0042F714
     0042D17B    add        dword ptr ds:[42F718],1C8; gvar_0042F718
     0042D185    ret
     0042D186    add        dword ptr ds:[42F714],428; gvar_0042F714
     0042D190    add        dword ptr ds:[42F718],1610; gvar_0042F718
     0042D19A    ret
     0042D19B    add        dword ptr ds:[42F714],0B1630; gvar_0042F714
     0042D1A5    add        dword ptr ds:[42F718],2; gvar_0042F718
     0042D1AC    ret
     0042D1AD    add        dword ptr ds:[42F714],0D86; gvar_0042F714
     0042D1B7    add        dword ptr ds:[42F718],270F; gvar_0042F718
     0042D1C1    ret
     0042D1C2    add        dword ptr ds:[42F714],11A4; gvar_0042F714
     0042D1CC    add        dword ptr ds:[42F718],46FF33C; gvar_0042F718
     0042D1D6    ret
     0042D1D7    add        dword ptr ds:[42F714],11F0A; gvar_0042F714
     0042D1E1    add        dword ptr ds:[42F718],8B3C; gvar_0042F718
     0042D1EB    ret
     0042D1EC    add        dword ptr ds:[42F714],3CC2; gvar_0042F714
     0042D1F6    add        dword ptr ds:[42F718],8618; gvar_0042F718
     0042D200    ret
     0042D201    add        dword ptr ds:[42F714],3E1A8; gvar_0042F714
     0042D20B    add        dword ptr ds:[42F718],6C81C; gvar_0042F718
     0042D215    ret
     0042D216    add        dword ptr ds:[42F714],91E4; gvar_0042F714
     0042D220    add        dword ptr ds:[42F718],27E945; gvar_0042F718
     0042D22A    ret
     0042D22B    add        dword ptr ds:[42F714],6B42; gvar_0042F714
     0042D235    add        dword ptr ds:[42F718],2FC7C3; gvar_0042F718
     0042D23F    ret
     0042D240    add        dword ptr ds:[42F714],516A4; gvar_0042F714
     0042D24A    add        dword ptr ds:[42F718],0B8F47C; gvar_0042F718
     0042D254    ret
     0042D255    add        dword ptr ds:[42F714],4345A; gvar_0042F714
     0042D25F    add        dword ptr ds:[42F718],115C7; gvar_0042F718
     0042D269    ret
     0042D26A    add        dword ptr ds:[42F714],1BFDD9; gvar_0042F714
     0042D274    add        dword ptr ds:[42F718],12B54; gvar_0042F718
     0042D27E    ret
     0042D27F    add        dword ptr ds:[42F714],286D; gvar_0042F714
     0042D289    add        dword ptr ds:[42F718],0B348C; gvar_0042F718
     0042D293    ret
     0042D294    add        dword ptr ds:[42F714],401; gvar_0042F714
     0042D29E    add        dword ptr ds:[42F718],357CE174; gvar_0042F718
     0042D2A8    ret
     0042D2A9    add        dword ptr ds:[42F714],674; gvar_0042F714
     0042D2B3    add        dword ptr ds:[42F718],317CD7; gvar_0042F718
     0042D2BD    ret
     0042D2BE    add        dword ptr ds:[42F714],9C; gvar_0042F714
     0042D2C8    add        dword ptr ds:[42F718],7DD834; gvar_0042F718
     0042D2D2    ret
     0042D2D3    add        dword ptr ds:[42F714],156; gvar_0042F714
     0042D2DD    add        dword ptr ds:[42F718],39CD0; gvar_0042F718
     0042D2E7    ret
     0042D2E8    add        dword ptr ds:[42F714],8627; gvar_0042F714
     0042D2F2    add        dword ptr ds:[42F718],0BF44A; gvar_0042F718
     0042D2FC    ret
     0042D2FD    add        dword ptr ds:[42F714],748190; gvar_0042F714
     0042D307    add        dword ptr ds:[42F718],854686; gvar_0042F718
     0042D311    ret
     0042D312    add        dword ptr ds:[42F714],0A568; gvar_0042F714
     0042D31C    add        dword ptr ds:[42F718],13220; gvar_0042F718
     0042D326    ret
     0042D327    add        dword ptr ds:[42F714],15592; gvar_0042F714
     0042D331    add        dword ptr ds:[42F718],302E; gvar_0042F718
     0042D33B    ret
     0042D33C    add        dword ptr ds:[42F714],1DD9; gvar_0042F714
     0042D346    add        dword ptr ds:[42F718],1C43; gvar_0042F718
     0042D350    ret
     0042D351    add        dword ptr ds:[42F714],266A; gvar_0042F714
     0042D35B    add        dword ptr ds:[42F718],2BA96C08; gvar_0042F718
     0042D365    ret
     0042D366    add        dword ptr ds:[42F714],3CC0; gvar_0042F714
     0042D370    add        dword ptr ds:[42F718],4EFC8; gvar_0042F718
     0042D37A    ret
     0042D37B    add        dword ptr ds:[42F714],8311; gvar_0042F714
     0042D385    add        dword ptr ds:[42F718],1C46; gvar_0042F718
     0042D38F    ret
     0042D390    add        dword ptr ds:[42F714],0CE1B; gvar_0042F714
     0042D39A    add        dword ptr ds:[42F718],0B1664; gvar_0042F718
     0042D3A4    ret
     0042D3A5    xor        edx,edx
     0042D3A7    mov        eax,dword ptr [eax+1E0]; TForm1.Edit1:TEdit
     0042D3AD    call       TControl.SetText
     0042D3B2    xor        eax,eax
     0042D3B4    mov        [0042F714],eax; gvar_0042F714
     0042D3B9    xor        eax,eax
     0042D3BB    mov        [0042F718],eax; gvar_0042F718
     0042D3C0    ret
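    Everything a keygen needs is already in the listing above: each typed character adds one constant to [42F714] and another to [42F718], backspace zeroes both, and Button1Click (shown earlier) compares IntToStr of each global against Edit2 and Edit3. The Python below is an added example, not code from the original post or from the CrackMe's author: it replays a keystroke sequence through that table and returns the two serials, and also models the three outcomes of Button1Click so a candidate can be checked offline. Two assumptions are mine rather than stated on the page: that IntToStr treats the 32-bit value as a signed Integer (Delphi's Integer type), which matters once the second accumulator passes 0x7FFFFFFF (three capital N's are enough), and that characters with no case (digits, punctuation, and pasted text, which never fires OnKeyPress) contribute nothing.

```python
# Added example (not from the original post): keygen for Cabeca.exe (160 CrackMes #021),
# replaying TForm1.Edit1KeyPress and modelling TForm1.Button1Click.
import struct

MASK32 = 0xFFFFFFFF

# Per-character addends (to [0042F714], to [0042F718]) transcribed from the case
# handlers at 0042CF98..0042D390. The jump table orders the cases a..v, x, w, y, z
# then A..V, X, W, Y, Z; this dict is keyed by character, so the order is irrelevant.
ADDENDS = {
    'a': (0x427, 0x79),      'b': (0x6BC, 0x6F),      'c': (0x491, 0x2E2),
    'd': (0x474D, 0x2FA),    'e': (0x400, 0xE),       'f': (0x6D0, 0xD),
    'g': (0x67D, 0xC),       'h': (0x750, 0xB),       'i': (0x43C, 0x63),
    'j': (0x764, 0x378),     'k': (0xC0, 0x4D),       'l': (0x277D, 0x22B),
    'm': (0x81E, 0x5A),      'n': (0xE07, 0x62),      'o': (0x8E, 0x1D2C),
    'p': (0x9A670, 0x8C7F3), 'q': (0xD57, 0x288),     'r': (0x5FEB, 0x21A),
    's': (0x8B0, 0x1),       't': (0x4BB, 0x40),      'u': (0x8C2, 0x4B),
    'v': (0x1CA6, 0x4E),     'w': (0x251E, 0x5),      'x': (0x395, 0x26),
    'y': (0x2D13, 0x8),      'z': (0x1900, 0x1C8),
    'A': (0x428, 0x1610),    'B': (0xB1630, 0x2),     'C': (0xD86, 0x270F),
    'D': (0x11A4, 0x46FF33C), 'E': (0x11F0A, 0x8B3C), 'F': (0x3CC2, 0x8618),
    'G': (0x3E1A8, 0x6C81C), 'H': (0x91E4, 0x27E945), 'I': (0x6B42, 0x2FC7C3),
    'J': (0x516A4, 0xB8F47C), 'K': (0x4345A, 0x115C7), 'L': (0x1BFDD9, 0x12B54),
    'M': (0x286D, 0xB348C),  'N': (0x401, 0x357CE174), 'O': (0x674, 0x317CD7),
    'P': (0x9C, 0x7DD834),   'Q': (0x156, 0x39CD0),   'R': (0x8627, 0xBF44A),
    'S': (0x748190, 0x854686), 'T': (0xA568, 0x13220), 'U': (0x15592, 0x302E),
    'V': (0x1DD9, 0x1C43),   'W': (0x3CC0, 0x4EFC8),  'X': (0x266A, 0x2BA96C08),
    'Y': (0x8311, 0x1C46),   'Z': (0xCE1B, 0xB1664),
}
BACKSPACE = '\x08'  # case 53 -> 0042D3A5: clears Edit1 and zeroes both globals

MSG_FILL = 'Fill all boxes first dumb!'
MSG_OK = 'Hmmm.... Cracked... Congratulations idiot! :-)'
MSG_BAD = 'Nice try... but is incorrect... Dumb..'


def simulate_keypresses(keys):
    """Replay a keystroke sequence through Edit1KeyPress; returns ([42F714], [42F718]).

    Every handler does 'add dword ptr', so the sums wrap modulo 2**32. Characters
    with no case (digits, punctuation, anything outside 0x08..0x7A) reach the ret at
    0042D3C0 and change nothing (assumption: pasted text never fires OnKeyPress at all).
    """
    g1 = g2 = 0
    for ch in keys:
        if ch == BACKSPACE:
            g1 = g2 = 0
        elif ch in ADDENDS:
            a1, a2 = ADDENDS[ch]
            g1 = (g1 + a1) & MASK32
            g2 = (g2 + a2) & MASK32
    return g1, g2


def int_to_str(value):
    """Delphi IntToStr on a 32-bit Integer: assumed signed, so 0xFFFFFFFF -> '-1'."""
    return str(struct.unpack('<i', struct.pack('<I', value & MASK32))[0])


def keygen(keys):
    """Serials for Edit2/Edit3 after typing `keys`, or None if Button1Click would
    take the 'Fill all boxes' branch because an accumulator is still zero."""
    g1, g2 = simulate_keypresses(keys)
    if g1 == 0 or g2 == 0:
        return None
    return int_to_str(g1), int_to_str(g2)


def button1_click(keys, edit2, edit3):
    """Model of TForm1.Button1Click: the message box the program would show."""
    g1, g2 = simulate_keypresses(keys)
    edit1 = keys.rsplit(BACKSPACE, 1)[-1]  # backspace wipes the whole Name field
    if g1 == 0 or g2 == 0 or not edit1 or not edit2 or not edit3:
        return MSG_FILL                     # 0042D3DE..0042D42A -> 0042D42C
    if int_to_str(g1) == edit2 and int_to_str(g2) == edit3:
        return MSG_OK                       # 0042D4D6
    return MSG_BAD                          # 0042D54B (also zeroes both globals)


if __name__ == '__main__':
    name = 'bbdxf'
    serials = keygen(name)
    print(name, serials)                    # ('24362', '1035'), the values seen in OD
    print(button1_click(name, *serials))
```

    The name has to be typed into Edit1 key by key for the serials to match, since the accumulation lives in the OnKeyPress handler and a failed check zeroes both globals and clears the field, so after a "Nice try" message retype the name before trying again.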

    This looks messy, but never mind; let's analyse it in OD:

    0042CE30   .  33D2          xor edx,edx                              ;  // runs once for every typed character
    0042CE32   .  8A11          mov dl,byte ptr ds:[ecx]                 ;  // dl = ASCII code of the character
    0042CE34   .  83C2 F8       add edx,-0x8                             ;  Switch (cases 8..7A)
    0042CE37   .  83FA 72       cmp edx,0x72
    0042CE3A   .  0F87 80050000 ja 0042D3C0                              ;  // characters outside 0x08..0x7A (edx > 0x72 after the subtraction) return immediately
    0042CE40   .  8A92 4DCE4200 mov dl,byte ptr ds:[edx+0x42CE4D]
    0042CE46   .  FF2495 C0CE42>jmp dword ptr ds:[edx*4+0x42CEC0]        ;  Cabeca.0042CFF8
    

    The routine begins with a switch(): edx = character code - 8, and if the result is above 0x72 (the character is outside 0x08..0x7A) the handler returns at once. Otherwise the byte at [edx+0x42CE4D] is fetched and used as an index into the jump table at 0x42CEC0, so the array at 0x42CE4D is what maps each character to a case. Dump it from the OD command line (the table runs from 0x42CE4D to 0x42CEBF):

    db 0x42ce4d
    db 0x42cebf

    0042CE4D  35 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  5...............
    0042CE5D  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0042CE6D  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    0042CE7D  00 00 00 00 00 00 00 00 00 1B 1C 1D 1E 1F 20 21  .............. !
    0042CE8D  22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 32  "#$%&'()*+,-./02
    0042CE9D  31 33 34 00 00 00 00 00 00 01 02 03 04 05 06 07  134.............
    0042CEAD  08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 18  ................
    0042CEBD  17 19 1A                                         ...

    This byte array is the compiler's case-index table, and its values increase in the order of the case labels in the source: index 0 (no matching case) selects entry 0 of the jump table, the ret at 0042D3C0; 1..26 are 'a'..'z' (0x61..0x7A), except that 'x' comes before 'w' (23 and 24); 27..52 are 'A'..'Z' (0x41..0x5A), again with 'X' (49) before 'W' (50); and 53, at offset 0 for character 0x08, is backspace, whose handler at 0042D3A5 clears Edit1 and zeroes both globals. Each index selects a pointer from the jump table at 0x42CEC0, which leads to the handlers below:

    0042CEC0   . /C0D34200      dd Cabeca.0042D3C0                       ;  Switch table used at 0042CE46
    0042CEC4   . |98CF4200      dd Cabeca.0042CF98
    0042CEC8   . |AACF4200      dd Cabeca.0042CFAA
    0042CECC   . |BCCF4200      dd Cabeca.0042CFBC
    0042CED0   . |D1CF4200      dd Cabeca.0042CFD1
    0042CED4   . |E6CF4200      dd Cabeca.0042CFE6
    0042CED8   . |F8CF4200      dd Cabeca.0042CFF8
    0042CEDC   . |0AD04200      dd Cabeca.0042D00A
    0042CEE0   . |1CD04200      dd Cabeca.0042D01C
    0042CEE4   . |2ED04200      dd Cabeca.0042D02E
    0042CEE8   . |40D04200      dd Cabeca.0042D040
    0042CEEC   . |55D04200      dd Cabeca.0042D055
    0042CEF0   . |67D04200      dd Cabeca.0042D067
    0042CEF4   . |7CD04200      dd Cabeca.0042D07C
    0042CEF8   . |8ED04200      dd Cabeca.0042D08E
    0042CEFC   . |A0D04200      dd Cabeca.0042D0A0
    0042CF00   . |B5D04200      dd Cabeca.0042D0B5
    0042CF04   . |CAD04200      dd Cabeca.0042D0CA
    0042CF08   . |DFD04200      dd Cabeca.0042D0DF
    0042CF0C   . |F4D04200      dd Cabeca.0042D0F4
    0042CF10   . |05D14200      dd Cabeca.0042D105
    0042CF14   . |17D14200      dd Cabeca.0042D117
    0042CF18   . |29D14200      dd Cabeca.0042D129
    0042CF1C   . |3BD14200      dd Cabeca.0042D13B
    0042CF20   . |4DD14200      dd Cabeca.0042D14D
    0042CF24   . |5FD14200      dd Cabeca.0042D15F
    0042CF28   . |71D14200      dd Cabeca.0042D171
    0042CF2C   . |86D14200      dd Cabeca.0042D186
    0042CF30   . |9BD14200      dd Cabeca.0042D19B
    0042CF34   . |ADD14200      dd Cabeca.0042D1AD
    0042CF38   . |C2D14200      dd Cabeca.0042D1C2
    0042CF3C   . |D7D14200      dd Cabeca.0042D1D7
    0042CF40   . |ECD14200      dd Cabeca.0042D1EC
    0042CF44   . |01D24200      dd Cabeca.0042D201
    0042CF48   . |16D24200      dd Cabeca.0042D216
    0042CF4C   . |2BD24200      dd Cabeca.0042D22B
    0042CF50   . |40D24200      dd Cabeca.0042D240
    0042CF54   . |55D24200      dd Cabeca.0042D255
    0042CF58   . |6AD24200      dd Cabeca.0042D26A
    0042CF5C   . |7FD24200      dd Cabeca.0042D27F
    0042CF60   . |94D24200      dd Cabeca.0042D294
    0042CF64   . |A9D24200      dd Cabeca.0042D2A9
    0042CF68   . |BED24200      dd Cabeca.0042D2BE
    0042CF6C   . |D3D24200      dd Cabeca.0042D2D3
    0042CF70   . |E8D24200      dd Cabeca.0042D2E8
    0042CF74   . |FDD24200      dd Cabeca.0042D2FD
    0042CF78   . |12D34200      dd Cabeca.0042D312
    0042CF7C   . |27D34200      dd Cabeca.0042D327
    0042CF80   . |3CD34200      dd Cabeca.0042D33C
    0042CF84   . |51D34200      dd Cabeca.0042D351
    0042CF88   . |66D34200      dd Cabeca.0042D366
    0042CF8C   . |7BD34200      dd Cabeca.0042D37B
    0042CF90   . |90D34200      dd Cabeca.0042D390
    0042CF94   . |A5D34200      dd Cabeca.0042D3A5
    0042CF98   > 8105 14F74200>add dword ptr ds:[0x42F714],0x427        ;  Case 61 of switch 0042CE34
    0042CFA2   .  8305 18F74200>add dword ptr ds:[0x42F718],0x79
    0042CFA9   .  C3            retn
    0042CFAA   >  8105 14F74200>add dword ptr ds:[0x42F714],0x6BC        ;  Case 62 of switch 0042CE34
    0042CFB4   .  8305 18F74200>add dword ptr ds:[0x42F718],0x6F
    0042CFBB   .  C3            retn
    0042CFBC   >  8105 14F74200>add dword ptr ds:[0x42F714],0x491        ;  Case 63 of switch 0042CE34
    0042CFC6   .  8105 18F74200>add dword ptr ds:[0x42F718],0x2E2
    0042CFD0   .  C3            retn
    0042CFD1   >  8105 14F74200>add dword ptr ds:[0x42F714],0x474D       ;  Case 64 of switch 0042CE34
    0042CFDB   .  8105 18F74200>add dword ptr ds:[0x42F718],0x2FA
    0042CFE5   .  C3            retn
    0042CFE6   >  8105 14F74200>add dword ptr ds:[0x42F714],0x400        ;  Case 65 of switch 0042CE34
    0042CFF0   .  8305 18F74200>add dword ptr ds:[0x42F718],0xE
    0042CFF7   .  C3            retn
    0042CFF8   >  8105 14F74200>add dword ptr ds:[0x42F714],0x6D0        ;  Case 66 of switch 0042CE34
    0042D002   .  8305 18F74200>add dword ptr ds:[0x42F718],0xD
    0042D009   .  C3            retn
    0042D00A   >  8105 14F74200>add dword ptr ds:[0x42F714],0x67D        ;  Case 67 of switch 0042CE34
    0042D014   .  8305 18F74200>add dword ptr ds:[0x42F718],0xC
    0042D01B   .  C3            retn
    0042D01C   >  8105 14F74200>add dword ptr ds:[0x42F714],0x750        ;  Case 68 of switch 0042CE34
    0042D026   .  8305 18F74200>add dword ptr ds:[0x42F718],0xB
    0042D02D   .  C3            retn
    0042D02E   >  8105 14F74200>add dword ptr ds:[0x42F714],0x43C        ;  Case 69 of switch 0042CE34
    0042D038   .  8305 18F74200>add dword ptr ds:[0x42F718],0x63
    0042D03F   .  C3            retn
    0042D040   >  8105 14F74200>add dword ptr ds:[0x42F714],0x764        ;  Case 6A of switch 0042CE34
    0042D04A   .  8105 18F74200>add dword ptr ds:[0x42F718],0x378
    0042D054   .  C3            retn
    0042D055   >  8105 14F74200>add dword ptr ds:[0x42F714],0xC0         ;  Case 6B of switch 0042CE34
    0042D05F   .  8305 18F74200>add dword ptr ds:[0x42F718],0x4D
    0042D066   .  C3            retn
    0042D067   >  8105 14F74200>add dword ptr ds:[0x42F714],0x277D       ;  Case 6C of switch 0042CE34
    0042D071   .  8105 18F74200>add dword ptr ds:[0x42F718],0x22B
    0042D07B   .  C3            retn
    0042D07C   >  8105 14F74200>add dword ptr ds:[0x42F714],0x81E        ;  Case 6D of switch 0042CE34
    0042D086   .  8305 18F74200>add dword ptr ds:[0x42F718],0x5A
    0042D08D   .  C3            retn
    0042D08E   >  8105 14F74200>add dword ptr ds:[0x42F714],0xE07        ;  Case 6E of switch 0042CE34
    0042D098   .  8305 18F74200>add dword ptr ds:[0x42F718],0x62
    0042D09F   .  C3            retn
    0042D0A0   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8E         ;  Case 6F of switch 0042CE34
    0042D0AA   .  8105 18F74200>add dword ptr ds:[0x42F718],0x1D2C
    0042D0B4   .  C3            retn
    0042D0B5   >  8105 14F74200>add dword ptr ds:[0x42F714],0x9A670      ;  Case 70 of switch 0042CE34
    0042D0BF   .  8105 18F74200>add dword ptr ds:[0x42F718],0x8C7F3
    0042D0C9   .  C3            retn
    0042D0CA   >  8105 14F74200>add dword ptr ds:[0x42F714],0xD57        ;  Case 71 of switch 0042CE34
    0042D0D4   .  8105 18F74200>add dword ptr ds:[0x42F718],0x288
    0042D0DE   .  C3            retn
    0042D0DF   >  8105 14F74200>add dword ptr ds:[0x42F714],0x5FEB       ;  Case 72 of switch 0042CE34
    0042D0E9   .  8105 18F74200>add dword ptr ds:[0x42F718],0x21A
    0042D0F3   .  C3            retn
    0042D0F4   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8B0        ;  Case 73 of switch 0042CE34
    0042D0FE   .  FF05 18F74200 inc dword ptr ds:[0x42F718]
    0042D104   .  C3            retn
    0042D105   >  8105 14F74200>add dword ptr ds:[0x42F714],0x4BB        ;  Case 74 of switch 0042CE34
    0042D10F   .  8305 18F74200>add dword ptr ds:[0x42F718],0x40
    0042D116   .  C3            retn
    0042D117   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8C2        ;  Case 75 of switch 0042CE34
    0042D121   .  8305 18F74200>add dword ptr ds:[0x42F718],0x4B
    0042D128   .  C3            retn
    0042D129   >  8105 14F74200>add dword ptr ds:[0x42F714],0x1CA6       ;  Case 76 of switch 0042CE34
    0042D133   .  8305 18F74200>add dword ptr ds:[0x42F718],0x4E
    0042D13A   .  C3            retn
    0042D13B   >  8105 14F74200>add dword ptr ds:[0x42F714],0x395        ;  Case 78 of switch 0042CE34
    0042D145   .  8305 18F74200>add dword ptr ds:[0x42F718],0x26
    0042D14C   .  C3            retn
    0042D14D   >  8105 14F74200>add dword ptr ds:[0x42F714],0x251E       ;  Case 77 of switch 0042CE34
    0042D157   .  8305 18F74200>add dword ptr ds:[0x42F718],0x5
    0042D15E   .  C3            retn
    0042D15F   >  8105 14F74200>add dword ptr ds:[0x42F714],0x2D13       ;  Case 79 of switch 0042CE34
    0042D169   .  8305 18F74200>add dword ptr ds:[0x42F718],0x8
    0042D170   .  C3            retn
    0042D171   >  8105 14F74200>add dword ptr ds:[0x42F714],0x1900       ;  Case 7A of switch 0042CE34
    0042D17B   .  8105 18F74200>add dword ptr ds:[0x42F718],0x1C8
    0042D185   .  C3            retn
    0042D186   >  8105 14F74200>add dword ptr ds:[0x42F714],0x428        ;  Case 41 of switch 0042CE34
    0042D190   .  8105 18F74200>add dword ptr ds:[0x42F718],0x1610
    0042D19A   .  C3            retn
    0042D19B   >  8105 14F74200>add dword ptr ds:[0x42F714],0xB1630      ;  Case 42 of switch 0042CE34
    0042D1A5   .  8305 18F74200>add dword ptr ds:[0x42F718],0x2
    0042D1AC   .  C3            retn
    0042D1AD   >  8105 14F74200>add dword ptr ds:[0x42F714],0xD86        ;  Case 43 of switch 0042CE34
    0042D1B7   .  8105 18F74200>add dword ptr ds:[0x42F718],0x270F
    0042D1C1   .  C3            retn
    0042D1C2   >  8105 14F74200>add dword ptr ds:[0x42F714],0x11A4       ;  Case 44 of switch 0042CE34
    0042D1CC   .  8105 18F74200>add dword ptr ds:[0x42F718],0x46FF33C
    0042D1D6   .  C3            retn
    0042D1D7   >  8105 14F74200>add dword ptr ds:[0x42F714],0x11F0A      ;  Case 45 of switch 0042CE34
    0042D1E1   .  8105 18F74200>add dword ptr ds:[0x42F718],0x8B3C
    0042D1EB   .  C3            retn
    0042D1EC   >  8105 14F74200>add dword ptr ds:[0x42F714],0x3CC2       ;  Case 46 of switch 0042CE34
    0042D1F6   .  8105 18F74200>add dword ptr ds:[0x42F718],0x8618
    0042D200   .  C3            retn
    0042D201   >  8105 14F74200>add dword ptr ds:[0x42F714],0x3E1A8      ;  Case 47 of switch 0042CE34
    0042D20B   .  8105 18F74200>add dword ptr ds:[0x42F718],0x6C81C
    0042D215   .  C3            retn
    0042D216   >  8105 14F74200>add dword ptr ds:[0x42F714],0x91E4       ;  Case 48 of switch 0042CE34
    0042D220   .  8105 18F74200>add dword ptr ds:[0x42F718],0x27E945
    0042D22A   .  C3            retn
    0042D22B   >  8105 14F74200>add dword ptr ds:[0x42F714],0x6B42       ;  Case 49 of switch 0042CE34
    0042D235   .  8105 18F74200>add dword ptr ds:[0x42F718],0x2FC7C3
    0042D23F   .  C3            retn
    0042D240   >  8105 14F74200>add dword ptr ds:[0x42F714],0x516A4      ;  Case 4A of switch 0042CE34
    0042D24A   .  8105 18F74200>add dword ptr ds:[0x42F718],0xB8F47C
    0042D254   .  C3            retn
    0042D255   >  8105 14F74200>add dword ptr ds:[0x42F714],0x4345A      ;  Case 4B of switch 0042CE34
    0042D25F   .  8105 18F74200>add dword ptr ds:[0x42F718],0x115C7
    0042D269   .  C3            retn
    0042D26A   >  8105 14F74200>add dword ptr ds:[0x42F714],0x1BFDD9     ;  Case 4C of switch 0042CE34
    0042D274   .  8105 18F74200>add dword ptr ds:[0x42F718],0x12B54
    0042D27E   .  C3            retn
    0042D27F   >  8105 14F74200>add dword ptr ds:[0x42F714],0x286D       ;  Case 4D of switch 0042CE34
    0042D289   .  8105 18F74200>add dword ptr ds:[0x42F718],0xB348C
    0042D293   .  C3            retn
    0042D294   >  8105 14F74200>add dword ptr ds:[0x42F714],0x401        ;  Case 4E of switch 0042CE34
    0042D29E   .  8105 18F74200>add dword ptr ds:[0x42F718],0x357CE174
    0042D2A8   .  C3            retn
    0042D2A9   >  8105 14F74200>add dword ptr ds:[0x42F714],0x674        ;  Case 4F of switch 0042CE34
    0042D2B3   .  8105 18F74200>add dword ptr ds:[0x42F718],0x317CD7
    0042D2BD   .  C3            retn
    0042D2BE   >  8105 14F74200>add dword ptr ds:[0x42F714],0x9C         ;  Case 50 of switch 0042CE34
    0042D2C8   .  8105 18F74200>add dword ptr ds:[0x42F718],0x7DD834
    0042D2D2   .  C3            retn
    0042D2D3   >  8105 14F74200>add dword ptr ds:[0x42F714],0x156        ;  Case 51 of switch 0042CE34
    0042D2DD   .  8105 18F74200>add dword ptr ds:[0x42F718],0x39CD0
    0042D2E7   .  C3            retn
    0042D2E8   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8627       ;  Case 52 of switch 0042CE34
    0042D2F2   .  8105 18F74200>add dword ptr ds:[0x42F718],0xBF44A
    0042D2FC   .  C3            retn
    0042D2FD   >  8105 14F74200>add dword ptr ds:[0x42F714],0x748190     ;  Case 53 of switch 0042CE34
    0042D307   .  8105 18F74200>add dword ptr ds:[0x42F718],0x854686
    0042D311   .  C3            retn
    0042D312   >  8105 14F74200>add dword ptr ds:[0x42F714],0xA568       ;  Case 54 of switch 0042CE34
    0042D31C   .  8105 18F74200>add dword ptr ds:[0x42F718],0x13220
    0042D326   .  C3            retn
    0042D327   >  8105 14F74200>add dword ptr ds:[0x42F714],0x15592      ;  Case 55 of switch 0042CE34
    0042D331   .  8105 18F74200>add dword ptr ds:[0x42F718],0x302E
    0042D33B   .  C3            retn
    0042D33C   >  8105 14F74200>add dword ptr ds:[0x42F714],0x1DD9       ;  Case 56 of switch 0042CE34
    0042D346   .  8105 18F74200>add dword ptr ds:[0x42F718],0x1C43
    0042D350   .  C3            retn
    0042D351   >  8105 14F74200>add dword ptr ds:[0x42F714],0x266A       ;  Case 58 of switch 0042CE34
    0042D35B   .  8105 18F74200>add dword ptr ds:[0x42F718],0x2BA96C08
    0042D365   .  C3            retn
    0042D366   >  8105 14F74200>add dword ptr ds:[0x42F714],0x3CC0       ;  Case 57 of switch 0042CE34
    0042D370   .  8105 18F74200>add dword ptr ds:[0x42F718],0x4EFC8
    0042D37A   .  C3            retn
    0042D37B   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8311       ;  Case 59 of switch 0042CE34
    0042D385   .  8105 18F74200>add dword ptr ds:[0x42F718],0x1C46
    0042D38F   .  C3            retn
    0042D390   >  8105 14F74200>add dword ptr ds:[0x42F714],0xCE1B       ;  Case 5A of switch 0042CE34
    0042D39A   .  8105 18F74200>add dword ptr ds:[0x42F718],0xB1664
    0042D3A4   .  C3            retn
    0042D3A5   >  33D2          xor edx,edx                              ;  Case 8 of switch 0042CE34
    0042D3A7   .  8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
    0042D3AD   .  E8 5ECAFEFF   call 00419E10
    0042D3B2   .  33C0          xor eax,eax
    0042D3B4   .  A3 14F74200   mov dword ptr ds:[0x42F714],eax
    0042D3B9   .  33C0          xor eax,eax
    0042D3BB   .  A3 18F74200   mov dword ptr ds:[0x42F718],eax
    0042D3C0   >  C3            retn                                     ;  Default case of switch 0042CE34

    This is where it turns into a tragedy! So many cases: every one of them does an addition, but each adds a different value, and the accumulated result is then used as the constant input to the algorithm that follows.

    Roughly, it looks like this:

    int na = 0, nb = 0;      /* the two accumulators at 0042F714 / 0042F718 */
    char cInput = xx;        /* the current input character */
    switch( cInput )
    {
    	case 8:
    	na+=10;
    	nb+=34;
    	break;
    
    	....
    
    	case 0x71:
    	na+=10;
    	nb+=34;
    	break;
    	
    	default:
    	break;
    
    }
    

    That's about it; fooled again!
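    Transcribing fifty-odd handlers by hand is error-prone, so here is an added example (not part of the original post) that recovers the table from the OllyDbg dump itself. It parses listing lines of exactly the shape shown above: the `add dword ptr ds:[...],n` form, the `inc` form used by case 73, and the `xor eax,eax` / `mov dword ptr ds:[...],eax` pair in case 8 that zeroes both globals. It then replays the handlers over an input string, with 32-bit wrap-around to match the dword adds, so the values of 0042F714 and 0042F718 can be reproduced and compared with what the debugger shows. The function names `parse_cases` and `run_handlers`, the labels `a`/`b`, and the assumption that the switch is driven by one input byte at a time are mine; the embedded listing lines are copied from the dump above.

```python
import re
from typing import Dict, Optional, Tuple

# The two global accumulators every handler updates (addresses taken from the listing).
VAR_LABELS = {0x42F714: "a", 0x42F718: "b"}

CASE_RE = re.compile(r";\s*Case\s+([0-9A-Fa-f]+)\s+of switch")
ADD_RE = re.compile(r"add dword ptr ds:\[(0x[0-9A-Fa-f]+)\],(0x[0-9A-Fa-f]+)")
INC_RE = re.compile(r"inc dword ptr ds:\[(0x[0-9A-Fa-f]+)\]")
STORE_RE = re.compile(r"mov dword ptr ds:\[(0x[0-9A-Fa-f]+)\],eax")

# One handler maps an accumulator label to ("add", n) or ("set", n).
Handler = Dict[str, Tuple[str, int]]

# Excerpt copied from the OllyDbg listing above: three additive handlers plus the
# case 8 handler that zeroes both globals. The complete dump is parsed the same way.
LISTING_SAMPLE = """
0042CF98   > 8105 14F74200>add dword ptr ds:[0x42F714],0x427        ;  Case 61 of switch 0042CE34
0042CFA2   .  8305 18F74200>add dword ptr ds:[0x42F718],0x79
0042CFA9   .  C3            retn
0042CFAA   >  8105 14F74200>add dword ptr ds:[0x42F714],0x6BC        ;  Case 62 of switch 0042CE34
0042CFB4   .  8305 18F74200>add dword ptr ds:[0x42F718],0x6F
0042CFBB   .  C3            retn
0042D0F4   >  8105 14F74200>add dword ptr ds:[0x42F714],0x8B0        ;  Case 73 of switch 0042CE34
0042D0FE   .  FF05 18F74200 inc dword ptr ds:[0x42F718]
0042D104   .  C3            retn
0042D3A5   >  33D2          xor edx,edx                              ;  Case 8 of switch 0042CE34
0042D3A7   .  8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
0042D3AD   .  E8 5ECAFEFF   call 00419E10
0042D3B2   .  33C0          xor eax,eax
0042D3B4   .  A3 14F74200   mov dword ptr ds:[0x42F714],eax
0042D3B9   .  33C0          xor eax,eax
0042D3BB   .  A3 18F74200   mov dword ptr ds:[0x42F718],eax
0042D3C0   >  C3            retn                                     ;  Default case of switch 0042CE34
"""


def parse_cases(listing: str) -> Dict[int, Handler]:
    """Recover {case_byte: handler} from an OllyDbg dump of the switch handlers."""
    table: Dict[int, Handler] = {}
    current: Optional[Handler] = None
    eax_is_zero = False
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        case = CASE_RE.search(line)
        if case:
            # A "Case XX of switch" comment marks the first instruction of a handler.
            current = {}
            table[int(case.group(1), 16)] = current
            eax_is_zero = False
        if current is None:
            continue
        instr = line.split(";")[0]  # drop OllyDbg's trailing comment
        add, inc, store = ADD_RE.search(instr), INC_RE.search(instr), STORE_RE.search(instr)
        if add:
            label = VAR_LABELS.get(int(add.group(1), 16))
            if label:
                current[label] = ("add", int(add.group(2), 16))
        elif inc:
            label = VAR_LABELS.get(int(inc.group(1), 16))
            if label:
                current[label] = ("add", 1)
        elif store and eax_is_zero:
            # "xor eax,eax" followed by a store of eax is a reset to zero.
            label = VAR_LABELS.get(int(store.group(1), 16))
            if label:
                current[label] = ("set", 0)
        eax_is_zero = "xor eax,eax" in instr
        if "retn" in instr:
            current = None  # handler ends at its retn
    return table


def run_handlers(table: Dict[int, Handler], text: str) -> Tuple[int, int]:
    """Replay the recovered handlers over each input byte, with 32-bit dword wrap-around."""
    acc = {"a": 0, "b": 0}
    for byte in text.encode("latin-1"):
        handler = table.get(byte)
        if handler is None:  # default case: nothing changes
            continue
        for label, (op, n) in handler.items():
            acc[label] = (acc[label] + n) & 0xFFFFFFFF if op == "add" else n & 0xFFFFFFFF
    return acc["a"], acc["b"]


if __name__ == "__main__":
    cases = parse_cases(LISTING_SAMPLE)
    for key in sorted(cases):
        print(f"case 0x{key:02X}: {cases[key]}")
    print("after 'abs':", run_handlers(cases, "abs"))
```

    Feeding the whole dump in gives the complete table; replaying the same string that was typed into the dialog and comparing the result against the two dwords in OD's dump window is a quick way to confirm the table was read correctly before reasoning about the algorithm that consumes them.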

    BY  笨笨D幸福

    Original article: https://www.cnblogs.com/bbdxf/p/3813869.html