看雪题库_re_举步维艰wp
```
题中出现的相关base64解码,对照如下:
"R2V0UHJvY0FkZHJlc3M=" GetProcAddress
"TG9hZExpYnJhcnlB" LoadLibraryA
"VXNlcjMyLmRsbA==" User32.dll
"bXN2Y3J0LmRsbA==" msvcrt.dll
"c2hsd2FwaS5kbGw=" shlwapi.dll
"cHJpbnRm" printf
"TWVzc2FnZUJveEE=" MessageBoxA
"RmFpbCE=" Fail!
"U3VjY2VzcyE=" Success!
"S2V5IE9LIQ==" Key OK!
"S2V5IHdyb25nIQ==" Key wrong!
V0hAdCFGbGFnPSg= WH@t!Flag=(
AAhBQkNERUZHSA== ABCDEFGH
Q1RHTU5TUUdUKQ== CTGMNSQGT)
QUJDREVGRw== ABCDEFG
QUIyNDFBQw== AB241AC
....U3RyQ21wVw== StrCmpW
....U3RyQ3B5Vw== StrCpyW
下面是函数所有代码以及注释
00261530/$ push ebp
00261531|. mov ebp,esp
00261533|. push -0x1
00261535|. push jbwj.00262DBA
0026153A|.>mov eax,dword ptr fs:
00261540|. push eax
00261541|. sub esp,0x53C
00261547|. mov eax,dword ptr ds:
0026154C|. xor eax,ebp
0026154E|. mov ,eax
00261551|. push eax
00261552|. lea eax,
00261555|.>mov dword ptr fs:,eax
0026155B|.>mov ,0x0
00261565|.>mov ,0x0
0026156C|.>mov ,0x0
00261576|.>mov ,0x0
00261580|.>mov byte ptr ss:,0x0
00261587|. push 0x103 ; /n = 103 (259.)
0026158C|. push 0x0 ; |c = 00
0026158E|. lea eax,dword ptr ss: ; |
00261594|. push eax ; |s = NULL
00261595|. call <jmp.&MSVCR90.memset> ; \memset
0026159A|. add esp,0xC
0026159D|. mov ecx,dword ptr ds:
002615A3|. mov ,ecx
002615A9|. mov edx,dword ptr ds:
002615AF|. mov ,edx
002615B5|. mov eax,dword ptr ds:
002615BA|. mov ,eax
002615C0|. mov ecx,dword ptr ds:
002615C6|. mov ,ecx
002615CC|. mov dl,byte ptr ds:
002615D2|. mov byte ptr ss:,dl
002615D8|. push 0xF3 ; /n = F3 (243.)
002615DD|. push 0x0 ; |c = 00
002615DF|. lea eax,dword ptr ss: ; |
002615E5|. push eax ; |s = NULL
002615E6|. call <jmp.&MSVCR90.memset> ; \memset
002615EB|. add esp,0xC
002615EE|. mov ecx,dword ptr ds:
002615F4|. mov ,ecx
002615FA|. mov edx,dword ptr ds:
00261600|. mov ,edx
00261606|. mov eax,dword ptr ds:
0026160B|. mov ,eax
00261611|. mov ecx,dword ptr ds:
00261617|. mov ,ecx
0026161D|. mov dl,byte ptr ds:
00261623|. mov byte ptr ss:,dl
00261629|. push 0xF3 ; /n = F3 (243.)
0026162E|. push 0x0 ; |c = 00
00261630|. lea eax,dword ptr ss: ; |
00261636|. push eax ; |s = NULL
00261637|. call <jmp.&MSVCR90.memset> ; \memset
0026163C|. add esp,0xC
0026163F|. mov ecx,dword ptr ds:
00261645|. mov ,ecx
0026164B|. mov edx,dword ptr ds:
00261651|. mov ,edx
00261657|. mov eax,dword ptr ds:
0026165C|. mov ,eax
00261662|. mov cl,byte ptr ds:
00261668|. mov byte ptr ss:,cl
0026166E|. push 0xF7 ; /n = F7 (247.)
00261673|. push 0x0 ; |c = 00
00261675|. lea edx,dword ptr ss: ; |
0026167B|. push edx ; |s = 00683020
0026167C|. call <jmp.&MSVCR90.memset> ; \memset
00261681|. add esp,0xC
00261684|.>mov ,jbwj.00263190 ;ASCII "R2V0UHJvY0FkZHJlc3M="
0026168B|.>mov ,jbwj.002631A8 ;ASCII "TG9hZExpYnJhcnlB"
00261695|.>mov ,jbwj.002631BC ;ASCII "VXNlcjMyLmRsbA=="
0026169C|.>mov ,jbwj.002631D0 ;ASCII "bXN2Y3J0LmRsbA=="
002616A6|.>mov ,jbwj.002631E4 ;ASCII "c2hsd2FwaS5kbGw="
002616B0|.>mov ,jbwj.002631F8 ;ASCII "cHJpbnRm"
002616BA|.>mov ,jbwj.00263204 ;ASCII "TWVzc2FnZUJveEE="
002616C1|.>mov ,jbwj.00263218 ;ASCII 52,"mFpbCE="
002616CB|.>mov ,jbwj.00263224 ;ASCII 55,"3VjY2VzcyE="
002616D2|.>mov ,jbwj.00263234 ;ASCII 53,"2V5IE9LIQ=="
002616DC|.>mov ,jbwj.00263244 ;ASCII 53,"2V5IHdyb25nIQ=="
002616E6|.>mov dword ptr ds:,0x0
002616F0|.>mov dword ptr ds:,0x0
002616FA|.>mov dword ptr ds:,0x0
00261704|. lea eax,
0026170A|. push eax
0026170B|. push 0x0
0026170D|. call jbwj.00261CA0
00261712|. add esp,0x8
00261715|. mov ,eax
0026171B|. mov ecx, ;kernel32.74FE0000
00261721|. mov dword ptr ds:,ecx
00261727|. mov edx,dword ptr ds: ;kernel32.74FE0000
0026172D|. push edx
0026172E|. mov eax,
00261734|. push eax
00261735|. mov ecx, ;GetProcAddress
00261738|. push ecx
00261739|. call jbwj.00261E20
0026173E|. add esp,0xC
00261741|. mov dword ptr ds:,eax
00261746|. mov edx,dword ptr ds: ;kernel32.74FE0000
0026174C|. push edx
0026174D|. mov eax, ;LoadLibraryA
00261753|. push eax
00261754|. call jbwj.002620F0
00261759|. add esp,0x8
0026175C|. mov dword ptr ds:,eax
00261761|.>cmp dword ptr ds:,0x0
00261768|. jnz short jbwj.00261772
0026176A|. or eax,-0x1
0026176D|. jmp jbwj.00261C87
00261772|> mov ecx, ;msvcrt.dll
00261778|. push ecx
00261779|. call jbwj.00261FD0
0026177E|. add esp,0x4
00261781|. mov ,eax
00261784|. cmp ,0x0
00261788|. jnz short jbwj.00261792
0026178A|. or eax,-0x1
0026178D|. jmp jbwj.00261C87
00261792|> mov edx, ;msvcrt.76E60000
00261795|. push edx
00261796|. mov eax, ;printf
0026179C|. push eax
0026179D|. call jbwj.002620F0
002617A2|. add esp,0x8
002617A5|. mov ,eax
002617AB|.>cmp ,0x0
002617B2|. jnz short jbwj.002617BC
002617B4|. or eax,-0x1
002617B7|. jmp jbwj.00261C87
002617BC|> mov ecx, ;User32.dll
002617BF|. push ecx
002617C0|. call jbwj.00261FD0
002617C5|. add esp,0x4
002617C8|. mov dword ptr ds:,eax
002617CD|.>cmp dword ptr ds:,0x0
002617D4|. jnz short jbwj.002617F4
002617D6|. mov edx, ;msvcrt.printf
002617DC|. push edx
002617DD|. mov eax, ;jbwj.00263244
002617E3|. push eax
002617E4|. call jbwj.002622D0
002617E9|. add esp,0x8
002617EC|. or eax,-0x1
002617EF|. jmp jbwj.00261C87
002617F4|> mov ecx, ;shlwapi.dll
002617FA|. push ecx
002617FB|. call jbwj.00261FD0
00261800|. add esp,0x4
00261803|. mov ,eax
00261809|.>cmp ,0x0
00261810|. jnz short jbwj.00261830
00261812|. mov edx, ;msvcrt.printf
00261818|. push edx
00261819|. mov eax, ;jbwj.00263244
0026181F|. push eax
00261820|. call jbwj.002622D0
00261825|. add esp,0x8
00261828|. or eax,-0x1
0026182B|. jmp jbwj.00261C87
00261830|> cmp ,0x2
00261834|. jg short jbwj.0026183C
00261836|. cmp ,0x2
0026183A|. jge short jbwj.0026185A
0026183C|> mov ecx, ;msvcrt.printf
00261842|. push ecx
00261843|. mov edx, ;jbwj.00263244
00261849|. push edx
0026184A|. call jbwj.002622D0
0026184F|. add esp,0x8
00261852|. or eax,-0x1
00261855|. jmp jbwj.00261C87
0026185A|> push 0xB
0026185C|. mov eax,
0026185F|. mov ecx,dword ptr ds: ;param key < <
00261862|. push ecx
00261863|. lea edx,
00261866|. push edx
00261867|. call jbwj.00261040
0026186C|. add esp,0xC
0026186F|.>mov ,0x0
00261876|. mov eax, ;shlwapi.74DE0000
0026187C|. push eax
0026187D|. lea ecx,
00261880|. call dword ptr ds:[<&MSVCP90.std::basic_>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00261886|. push eax
00261887|. lea ecx, ;base64 key
0026188D|. push ecx
0026188E|. call jbwj.00262290
00261893|. add esp,0xC
00261896|. mov edx, ;shlwapi.74DE0000
0026189C|. push edx
0026189D|. lea eax, ;V0hAdCFGbGFnPSg=
002618A3|. push eax
002618A4|. lea ecx,
002618AA|. push ecx
002618AB|. call jbwj.00262200
002618B0|. add esp,0xC
002618B3|. test eax,eax
002618B5|. je short jbwj.002618F2 ; yi yang
002618B7|. mov edx, ;msvcrt.printf
002618BD|. push edx
002618BE|. mov eax, ;jbwj.00263244
002618C4|. push eax
002618C5|. call jbwj.002622D0
002618CA|. add esp,0x8
002618CD|.>mov ,-0x1
002618D7|.>mov ,-0x1
002618DE|. lea ecx,
002618E1|. call dword ptr ds:[<&MSVCP90.std::basic_>;
002618E7|. mov eax,
002618ED|. jmp jbwj.00261C87
002618F2|> push 0x104
002618F7|. call jbwj.002623C3
002618FC|. add esp,0x4
002618FF|. mov ,eax
00261905|. mov ecx,
0026190B|. mov ,ecx
00261911|. mov edx, ;shlwapi.74DE0000
00261917|. push edx
00261918|. mov eax,
0026191B|. mov ecx,dword ptr ds: ;key
0026191E|. push ecx
0026191F|. mov edx,
00261925|. push edx
00261926|. call jbwj.00262290
0026192B|. add esp,0xC
0026192E|. push 0xA
00261930|. mov eax,
00261936|. add eax,0x12
00261939|. push eax
0026193A|. lea ecx,
00261940|. push ecx
00261941|. call jbwj.00261040
00261946|. add esp,0xC
00261949|. mov ,eax
0026194F|. mov edx,
00261955|. mov ,edx
0026195B|. mov byte ptr ss:,0x1
0026195F|. mov eax,
00261965|. push eax
00261966|. lea ecx,
00261969|. call dword ptr ds:[<&MSVCP90.std::basic_>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
0026196F|. mov byte ptr ss:,0x0
00261973|. lea ecx, ;ABCDEFGH
00261979|. call dword ptr ds:[<&MSVCP90.std::basic_>;
0026197F|. mov ecx, ;shlwapi.74DE0000
00261985|. push ecx
00261986|. lea ecx,
00261989|. call dword ptr ds:[<&MSVCP90.std::basic_>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
0026198F|. push eax ;ABCDEFGH
00261990|. lea edx, ;key
00261996|. push edx
00261997|. call jbwj.00262290
0026199C|. add esp,0xC
0026199F|. mov eax,
002619A5|. mov ,eax
002619AB|. mov ecx,
002619B1|. push ecx
002619B2|. call <jmp.&MSVCR90.operator delete[]>
002619B7|. add esp,0x4
002619BA|. mov edx, ;shlwapi.74DE0000
002619C0|. push edx
002619C1|. lea eax, ;Q1RHTU5TUUdUKQ==
002619C7|. push eax
002619C8|. lea ecx,
002619CE|. push ecx
002619CF|. call jbwj.00262200
002619D4|. add esp,0xC
002619D7|. test eax,eax
002619D9|. je short jbwj.00261A16 ;yiyang
002619DB|. mov edx, ;msvcrt.printf
002619E1|. push edx
002619E2|. mov eax, ;jbwj.00263244
002619E8|. push eax
002619E9|. call jbwj.002622D0
002619EE|. add esp,0x8
002619F1|.>mov ,-0x1
002619FB|.>mov ,-0x1
00261A02|. lea ecx,
00261A05|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261A0B|. mov eax,
00261A11|. jmp jbwj.00261C87
00261A16|> mov ecx,
00261A19|. mov edx,dword ptr ds:
00261A1C|. mov ,edx
00261A22|. mov eax,
00261A28|. add eax,0x1
00261A2B|. mov ,eax
00261A31|> /mov ecx,
00261A37|. |mov dl,byte ptr ds:
00261A39|. |mov byte ptr ss:,dl
00261A3F|.>|add ,0x1
00261A46|.>|cmp byte ptr ss:,0x0
00261A4D|. \jnz short jbwj.00261A31
00261A4F|. mov eax,
00261A55|. sub eax,
00261A5B|. mov ,eax
00261A61|.>cmp ,0x1C ;0x1c
00261A68|. jbe short jbwj.00261AA5
00261A6A|. mov ecx, ;msvcrt.printf
00261A70|. push ecx
00261A71|. mov edx, ;KeyOk
00261A77|. push edx
00261A78|. call jbwj.002622D0
00261A7D|. add esp,0x8
00261A80|.>mov ,-0x1
00261A8A|.>mov ,-0x1
00261A91|. lea ecx,
00261A94|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261A9A|. mov eax,
00261AA0|. jmp jbwj.00261C87
00261AA5|> push 0x104
00261AAA|. call jbwj.002623C3
00261AAF|. add esp,0x4
00261AB2|. mov ,eax
00261AB8|. mov eax,
00261ABE|. mov ,eax
00261AC1|. mov ecx, ;shlwapi.74DE0000
00261AC7|. push ecx
00261AC8|. mov edx,
00261ACB|. mov eax,dword ptr ds: ;key
00261ACE|. push eax
00261ACF|. mov ecx,
00261AD2|. push ecx
00261AD3|. call jbwj.00262290
00261AD8|. add esp,0xC
00261ADB|. push 0x7
00261ADD|. mov edx,
00261AE0|. add edx,0xB
00261AE3|. push edx
00261AE4|. lea eax,
00261AEA|. push eax
00261AEB|. call jbwj.00261040
00261AF0|. add esp,0xC
00261AF3|. mov ,eax
00261AF9|. mov ecx,
00261AFF|. mov ,ecx
00261B05|. mov byte ptr ss:,0x2
00261B09|. mov edx,
00261B0F|. push edx
00261B10|. lea ecx,
00261B13|. call dword ptr ds:[<&MSVCP90.std::basic_>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator=
00261B19|. mov byte ptr ss:,0x0
00261B1D|. lea ecx, ;ABCDEFG
00261B23|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261B29|. lea eax,
00261B2C|. push eax
00261B2D|. lea ecx,
00261B30|. push ecx
00261B31|. call jbwj.00261280
00261B36|. add esp,0x8
00261B39|. mov byte ptr ss:,0x3
00261B3D|. lea edx, ;key
00261B43|. mov ,edx
00261B49|. mov eax,
00261B4F|. add eax,0x1
00261B52|. mov ,eax
00261B58|> /mov ecx,
00261B5E|. |mov dl,byte ptr ds:
00261B60|. |mov byte ptr ss:,dl
00261B66|.>|add ,0x1
00261B6D|.>|cmp byte ptr ss:,0x0
00261B74|. \jnz short jbwj.00261B58
00261B76|. mov eax,
00261B7C|. sub eax,
00261B82|. mov ,eax
00261B88|. push 0x0 ; /n = 0x0
00261B8A|. mov ecx, ; |
00261B90|. push ecx ; |c = F2
00261B91|. lea edx, ; |
00261B97|. push edx ; |s = 00683020
00261B98|. call <jmp.&MSVCR90.memset> ; \memset
00261B9D|. add esp,0xC
00261BA0|. mov eax, ;shlwapi.74DE0000
00261BA6|. push eax
00261BA7|. lea ecx,
00261BAA|. call dword ptr ds:[<&MSVCP90.std::basic_>;msvcp90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::data
00261BB0|. push eax
00261BB1|. lea ecx,
00261BB7|. push ecx
00261BB8|. call jbwj.00262290
00261BBD|. add esp,0xC
00261BC0|. mov edx, ;key
00261BC3|. mov ,edx
00261BC9|. mov eax,
00261BCF|. push eax
00261BD0|. call <jmp.&MSVCR90.operator delete[]>
00261BD5|. add esp,0x4
00261BD8|. mov ecx, ;shlwapi.74DE0000
00261BDE|. push ecx
00261BDF|. lea edx, ;AB241AC
00261BE5|. push edx
00261BE6|. lea eax,
00261BEC|. push eax
00261BED|. call jbwj.00262200
00261BF2|. add esp,0xC
00261BF5|. test eax,eax
00261BF7|. je short jbwj.00261C3E
00261BF9|. mov ecx, ;msvcrt.printf
00261BFF|. push ecx
00261C00|. mov edx, ;jbwj.00263244
00261C06|. push edx
00261C07|. call jbwj.002622D0
00261C0C|. add esp,0x8
00261C0F|.>mov ,-0x1
00261C19|. mov byte ptr ss:,0x0
00261C1D|. lea ecx,
00261C20|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261C26|.>mov ,-0x1
00261C2D|. lea ecx,
00261C30|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261C36|. mov eax, ;ntdll_12.77322C35
00261C3C|. jmp short jbwj.00261C87
00261C3E|> mov eax, ;msvcrt.printf
00261C44|. push eax
00261C45|. mov ecx, ;key ok
00261C4B|. push ecx
00261C4C|. call jbwj.002622D0
00261C51|. add esp,0x8
00261C54|. call dword ptr ds:[<&MSVCR90._getch>] ; [_getch
00261C5A|.>mov ,0x0
00261C64|. mov byte ptr ss:,0x0
00261C68|. lea ecx,
00261C6B|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261C71|.>mov ,-0x1
00261C78|. lea ecx,
00261C7B|. call dword ptr ds:[<&MSVCP90.std::basic_>;
00261C81|. mov eax, ;ntdll_12.7732303D
00261C87|> mov ecx,
00261C8A|.>mov dword ptr fs:,ecx
00261C91|. pop ecx
00261C92|. mov ecx,
00261C95|. xor ecx,ebp
00261C97|. call jbwj.002623CE
00261C9C|. mov esp,ebp
00261C9E|. pop ebp
00261C9F\. retn
可以看出程序中直接出现key:
```
V0hAdCFGbGFnPSg= WH@t!Flag=(
QUIyNDFBQw== AB241AC
Q1RHTU5TUUdUKQ== CTGMNSQGT)
页:
[1]