; -----------------------------------------------------------------------------
; OllyDbg-style disassembly dump (x86-32, MSVC + MFC42) of the tail of the
; CrackMe2 validation routine.  Column layout: address  .|>  opcode bytes  mnemonic
; ("." = plain instruction, ">" = a jump lands here, "^" = backward jump).
; Only the tail is visible: the prologue, the SEH handler at 0040163C and the
; entry into 00401742 lie above this view.
;
; Slot / register roles as far as the visible code shows:
;   [ebp-0x13C] = this  (copied into ecx before every MFC42 thiscall below)
;   [ebp-0x11C] = local char buffer, filled by the cdecl call at 00401779
;   [this+0x60] = first argument to 00401510  (author: the user name)
;   [this+0x64] = string compared against the local buffer (author: the typed password)
;   [ebp-0x4] / [ebp-0x10] / [ebp-0x18] = presumably the MSVC SEH frame
;       (trylevel / saved previous handler / saved esp) — confirm in the prologue above.
;
; Two inlined string compares (A at 00401690, B at 004017A8) have identical
; shape and compare the SAME two strings (&[ebp-0x11C] vs *[this+0x64]); the
; author's notes say the SEH detour between them is what makes control reach A.
; -----------------------------------------------------------------------------
00401666 . 8B65 E8 mov esp,dword ptr ss:[ebp-0x18] ; looks like the SEH landing point (author's notes): esp re-loaded from the frame's saved-esp slot — not proven here
00401669 . 8B85 C4FEFFFF mov eax,dword ptr ss:[ebp-0x13C] ; eax = this
0040166F . 8B48 64 mov ecx,dword ptr ds:[eax+0x64] ; ecx = this->+0x64  (string pointer, see compare below)
00401672 . 898D D0FEFFFF mov dword ptr ss:[ebp-0x130],ecx ; spill ...
00401678 . 8B95 D0FEFFFF mov edx,dword ptr ss:[ebp-0x130] ; ... and reload (unoptimised build: every temp goes through the stack)
0040167E . 8995 BCFEFFFF mov dword ptr ss:[ebp-0x144],edx ; pB = this->+0x64
00401684 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C] ; eax = &local buffer
0040168A . 8985 B8FEFFFF mov dword ptr ss:[ebp-0x148],eax ; pA = &local buffer
; --- compare A: byte-wise, two bytes per iteration, early exit on first mismatch ---
; result -> [ebp-0x150]: 0 = equal, -1 / +1 = differ (sign from CF of the failing cmp)
00401690 > 8B8D B8FEFFFF mov ecx,dword ptr ss:[ebp-0x148] ; loop top: ecx = pA
00401696 . 8A11 mov dl,byte ptr ds:[ecx] ; dl = pA[0]
00401698 . 8895 B7FEFFFF mov byte ptr ss:[ebp-0x149],dl ; keep pA[0] for the NUL test below
0040169E . 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-0x144] ; eax = pB
004016A4 . 3A10 cmp dl,byte ptr ds:[eax] ; (author) execution ends up here last — read the analysis further down first; the SEH handler eventually jumps back here for the final check -- pA[0] vs pB[0]
004016A6 . 75 46 jnz XCrackMe2.004016EE ; (author) check 3 — just NOP it out -- first byte differs -> mismatch path; CF from the cmp above is still live there
004016A8 . 80BD B7FEFFFF>cmp byte ptr ss:[ebp-0x149],0x0 ; (author) a bit hard to follow here; step through it in a debugger and it becomes clear -- was pA[0] the terminating NUL? (equal bytes, so pB[0] is NUL too)
004016AF . 74 31 je XCrackMe2.004016E2 ; both strings ended together -> equal
004016B1 . 8B8D B8FEFFFF mov ecx,dword ptr ss:[ebp-0x148] ; ecx = pA
004016B7 . 8A51 01 mov dl,byte ptr ds:[ecx+0x1] ; dl = pA[1]
004016BA . 8895 B6FEFFFF mov byte ptr ss:[ebp-0x14A],dl ; keep pA[1] for the loop-continue test
004016C0 . 8B85 BCFEFFFF mov eax,dword ptr ss:[ebp-0x144] ; eax = pB
004016C6 . 3A50 01 cmp dl,byte ptr ds:[eax+0x1] ; pA[1] vs pB[1]
004016C9 . 75 23 jnz XCrackMe2.004016EE ; (author) check 4 — just NOP it out -- second byte differs -> mismatch path
004016CB . 8385 B8FEFFFF>add dword ptr ss:[ebp-0x148],0x2 ; pA += 2
004016D2 . 8385 BCFEFFFF>add dword ptr ss:[ebp-0x144],0x2 ; pB += 2
004016D9 . 80BD B6FEFFFF>cmp byte ptr ss:[ebp-0x14A],0x0 ; pA[1] was NUL?
004016E0 .^ 75 AE jnz XCrackMe2.00401690 ; no -> next pair of bytes
004016E2 > C785 B0FEFFFF>mov dword ptr ss:[ebp-0x150],0x0 ; equal: result = 0
004016EC . EB 0B jmp XCrackMe2.004016F9
004016EE > 1BC9 sbb ecx,ecx ; mismatch: ecx = CF ? -1 : 0   (CF set by the last cmp; jnz does not touch flags)
004016F0 . 83D9 FF sbb ecx,-0x1 ; ecx = ecx + 1 - CF  ->  -1 if pA byte < pB byte, +1 otherwise
004016F3 . 898D B0FEFFFF mov dword ptr ss:[ebp-0x150],ecx ; result = +/-1
00401732 is not a label; continue:
004016F9 > 8B95 B0FEFFFF mov edx,dword ptr ss:[ebp-0x150] ; edx = result of compare A
004016FF . 8995 ACFEFFFF mov dword ptr ss:[ebp-0x154],edx ; spilled again
00401705 . 83BD ACFEFFFF>cmp dword ptr ss:[ebp-0x154],0x0 ; equal?
0040170C . 75 1E jnz XCrackMe2.0040172C ; no -> skip the success branch (falls into the trylevel reset / epilogue)
; --- success branch: two MFC42 thiscalls; ordinals are not resolved in this dump ---
0040170E . 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-0x128] ; eax = &local at ebp-0x128 (contents not visible here)
00401714 . 50 push eax ; arg 2
00401715 . 68 EA030000 push 0x3EA ; arg 1 = 0x3EA (1002) — presumably a dialog control id; confirm against the resource
0040171A . 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-0x13C] ; this
00401720 . E8 79060000 call <jmp.&MFC42.#3092> ; first MFC call; its return value ...
00401725 . 8BC8 mov ecx,eax ; ... becomes `this` for the next call
00401727 . E8 6C060000 call <jmp.&MFC42.#6199> ; (author) this is where the success flag is set
0040172C > C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1 ; presumably SEH trylevel = -1 (leave the __try scope) — confirm
00401733 . E9 FA000000 jmp CrackMe2.00401832 ; -> epilogue
; --- failure branch (reached only via 0040182D below) ---
00401738 > E8 23010000 call CrackMe2.00401860 ; (author) the failure path; what 00401860 does is not visible here
0040173D . E9 F0000000 jmp CrackMe2.00401832 ; -> epilogue
; --- normal path (entered from above this view) ---
00401742 > 6A 01 push 0x1 ; MFC42.#6334(1) on this ...
00401744 . 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-0x13C]
0040174A . E8 43060000 call <jmp.&MFC42.#6334>
0040174F . 6A 00 push 0x0 ; ... then MFC42.#6334(0) on this (ordinal not resolved in this dump)
00401751 . 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-0x13C]
00401757 . E8 36060000 call <jmp.&MFC42.#6334>
0040175C . 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-0x13C] ; ecx = this
00401762 . 8B51 60 mov edx,dword ptr ds:[ecx+0x60] ; edx = this->+0x60
00401765 . 8995 CCFEFFFF mov dword ptr ss:[ebp-0x134],edx
0040176B . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C] ; eax = &local buffer (output)
00401771 . 50 push eax ; arg 2 = output buffer
00401772 . 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-0x134]
00401778 . 51 push ecx ; arg 1 = this->+0x60
00401779 . E8 92FDFFFF call CrackMe2.00401510 ; (author) derives the password from the user name -- cdecl, 2 args
0040177E . 83C4 08 add esp,0x8 ; (author) at this point the correct password can be seen on the stack -- caller cleans the 2 args; note the derived value now sits in cleartext in a stack buffer
00401781 . 8B95 C4FEFFFF mov edx,dword ptr ss:[ebp-0x13C] ; edx = this
00401787 . 8B42 64 mov eax,dword ptr ds:[edx+0x64] ; eax = this->+0x64
0040178A . 8985 C8FEFFFF mov dword ptr ss:[ebp-0x138],eax
00401790 . 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-0x138]
00401796 . 898D A8FEFFFF mov dword ptr ss:[ebp-0x158],ecx ; qB = this->+0x64
0040179C . 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-0x11C]
004017A2 . 8995 A4FEFFFF mov dword ptr ss:[ebp-0x15C],edx ; qA = &local buffer
; --- compare B: same shape and same operands as compare A; result -> [ebp-0x164] ---
004017A8 > 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-0x15C] ; loop top: eax = qA
004017AE . 8A08 mov cl,byte ptr ds:[eax] ; cl = qA[0]
004017B0 . 888D A3FEFFFF mov byte ptr ss:[ebp-0x15D],cl
004017B6 . 8B95 A8FEFFFF mov edx,dword ptr ss:[ebp-0x158] ; edx = qB
004017BC . 3A0A cmp cl,byte ptr ds:[edx] ; qA[0] vs qB[0]
004017BE . 75 46 jnz XCrackMe2.00401806 ; (author) check 1 — just NOP it out -- first byte differs
004017C0 . 80BD A3FEFFFF>cmp byte ptr ss:[ebp-0x15D],0x0 ; qA[0] was NUL?
004017C7 . 74 31 je XCrackMe2.004017FA ; yes -> equal
004017C9 . 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-0x15C]
004017CF . 8A48 01 mov cl,byte ptr ds:[eax+0x1] ; cl = qA[1]
004017D2 . 888D A2FEFFFF mov byte ptr ss:[ebp-0x15E],cl
004017D8 . 8B95 A8FEFFFF mov edx,dword ptr ss:[ebp-0x158]
004017DE . 3A4A 01 cmp cl,byte ptr ds:[edx+0x1] ; qA[1] vs qB[1]
004017E1 . 75 23 jnz XCrackMe2.00401806 ; (author) check 2 — just NOP it out -- second byte differs
004017E3 . 8385 A4FEFFFF>add dword ptr ss:[ebp-0x15C],0x2 ; qA += 2
004017EA . 8385 A8FEFFFF>add dword ptr ss:[ebp-0x158],0x2 ; qB += 2
004017F1 . 80BD A2FEFFFF>cmp byte ptr ss:[ebp-0x15E],0x0 ; qA[1] was NUL?
004017F8 .^ 75 AE jnz XCrackMe2.004017A8 ; no -> next pair
004017FA > C785 9CFEFFFF>mov dword ptr ss:[ebp-0x164],0x0 ; equal: result = 0
00401804 . EB 0B jmp XCrackMe2.00401811
00401806 > 1BC0 sbb eax,eax ; mismatch: same CF trick as compare A
00401808 . 83D8 FF sbb eax,-0x1 ; eax = -1 / +1
0040180B . 8985 9CFEFFFF mov dword ptr ss:[ebp-0x164],eax
00401811 > 8B8D 9CFEFFFF mov ecx,dword ptr ss:[ebp-0x164] ; ecx = result of compare B
00401817 . 898D 98FEFFFF mov dword ptr ss:[ebp-0x168],ecx
0040181D . 83BD 98FEFFFF>cmp dword ptr ss:[ebp-0x168],0x0 ; equal?
00401824 . 75 07 jnz XCrackMe2.0040182D ; (author) not taken here -- mismatch -> failure branch via 0040182D
00401826 .^ E9 11FEFFFF jmp CrackMe2.0040163C ; (author) jumps up to the SEH above; going through the SEH eventually re-enters check 3 -- target is outside this view
0040182B . EB 05 jmp XCrackMe2.00401832 ; unreachable: preceded by an unconditional jmp and not a jump target (no ">" marker)
0040182D >^ E9 06FFFFFF jmp CrackMe2.00401738 ; (author) jumps to the failure path
; --- epilogue ---
00401832 > 8B4D F0 mov ecx,dword ptr ss:[ebp-0x10] ; ecx = previously saved SEH record
00401835 . 64:890D 00000>mov dword ptr fs:[0],ecx ; unlink this frame's handler from the fs:[0] SEH chain
0040183C . 5F pop edi ; restore callee-saved registers
0040183D . 5E pop esi
0040183E . 5B pop ebx
0040183F . 8BE5 mov esp,ebp ; drop the locals
00401841 . 5D pop ebp
00401842 . C3 retn ; no immediate: no stack-argument cleanup by the callee
; Design note (defender's view): the whole decision collapses to a single
; `jnz` on a plain early-exit byte compare, run twice on the same operands with
; an SEH detour in between; the detour adds confusion but no strength, and the
; expected value is computed in cleartext on the stack (the author confirms it
; is readable there).  A check that compares a keyed hash of the input against
; a stored hash, and never materialises the expected secret, would not expose
; it this way.