Level 1: run sendpacket.exe, use WPE to select the sendpacket.exe process, monitor the packets it sends, look at the packet contents, and find the address.

For levels 2 and 3 I wrote a Python script myself:

```python
# -*- coding: utf-8 -*-
import urllib2

url = 'http://TARGET/level3'   # placeholder: the target URL was not preserved in the writeup

file1 = open('pass.txt', 'r')
num = 0
for passwd in file1:
    passwd2 = repr(passwd)[1:-3]   # drop the quotes and the escaped trailing newline
    # print repr(passwd)
    print passwd2
    # urllib.urlencode([('password', passwd2)])
    req = urllib2.Request(url)
    o = urllib2.urlopen(req, passwd)   # POST the raw dictionary line as the body
    a = repr(o.read())[1:-1]           # response body, quotes stripped
    num += 1
    print str(num) + '::' + a
    print o.getcode()
    # every wrong guess gets the same GBK alert ("密码错误"); anything else means the guess was right
    if a != r"<script language=javascript>alert('\xc3\xdc\xc2\xeb\xb4\xed\xce\xf3');history.back();</script>":
        print passwd2
        break
file1.close()
```

This is the level 3 version; the level 2 one is not much different, only the statement that decides whether the password is correct is changed. On how to find that statement: enter any password, capture the traffic, and get the submitted request and the response; the response is what the decision is based on. No 302 redirect is checked here, and level 3 is the same.

The script that generates the dictionary for level 3:

```python
# -*- coding: utf-8 -*-
str1 = 'f9ck'

def permute(seq):
    """Build every ordering of the characters in seq by inserting each new
    character at every position of the permutations built so far."""
    new_list = []
    seqn = [seq.pop()]
    while seq:
        newseq = []
        new = seq.pop()
        # print 'seq:', seq, 'seqn', seqn, 'new', new
        for i in range(len(seqn)):
            item = seqn[i]
            for j in range(len(item) + 1):
                # print u'left:', item[:j], u'middle:', new, u'right:', item[j:]
                # print ''.join([item[:j], new, item[j:]])
                newseq.append(''.join([item[:j], new, item[j:]]))
        seqn = newseq
        # print 'newseq', newseq
    return seqn

file2 = open('p00.txt', 'w+')
for i in range(10):
    str2 = str1 + str(i)          # 'f9ck' plus one digit, 5 characters
    seq = list(str2)
    thelist = permute(seq)        # 5! = 120 orderings per digit
    passwdlist = []
    for passwd in thelist:
        newpasswd = passwd + '\n'
        passwdlist.append(newpasswd)
    file2.writelines(passwdlist)
    print len(passwdlist)
# file1.close()
file2.close()
```

Level 4: load the file in OllyDbg, search for strings, find the string, double-click to go to it, and set a breakpoint. Then run, enter a password when the breakpoint is hit, and single-step with F8. It is at this step

```
004010F2  |. 3B4D EC        CMP ECX, DWORD PTR SS:[EBP-14]
```

that the comparison is made, followed by a jump that prints "no". The same goes for

```
004010FA  |. 3B55 E8        CMP EDX, DWORD PTR SS:[EBP-18]
00401102  |. 3B45 E8        CMP EAX, DWORD PTR SS:[EBP-18]
```

Each of these three compares two numbers and then does `JNZ SHORT crackme.0040111F`, which prints "no". Only when the values are equal does execution continue downward and print "OK". Looking upward for the stack operations, the data kept on the stack is `DWORD PTR SS:[EBP-10]`, `DWORD PTR SS:[EBP-14]` and `DWORD PTR SS:[EBP-18]`.

`DWORD PTR SS:[EBP-10]`:

```
00401061  |. 8B4D FC        MOV ECX, DWORD PTR SS:[EBP-4]
00401064  |. 034D F8        ADD ECX, DWORD PTR SS:[EBP-8]
00401067  |. 894D F0        MOV DWORD PTR SS:[EBP-10], ECX
```

`DWORD PTR SS:[EBP-4]` is the value that was typed in; `DWORD PTR SS:[EBP-8]` is assigned 7D0 directly by the code. Later,

```
0040107F  |. 81C1 F4010000  ADD ECX, 1F4
00401085  |. 894D F0        MOV DWORD PTR SS:[EBP-10], ECX
```

adds 1F4 and stores the result back into it.

`DWORD PTR SS:[EBP-14]`:

```
0040106A  |. 8B55 F8        MOV EDX, DWORD PTR SS:[EBP-8]
0040106D  |. 0355 F4        ADD EDX, DWORD PTR SS:[EBP-C]
00401070  |. 8955 EC        MOV DWORD PTR SS:[EBP-14], EDX
```

is also the sum of two numbers, both assigned directly: 7D0 and 0BB8.

`DWORD PTR SS:[EBP-18]`:

```
00401073  |. 8B45 F4        MOV EAX, DWORD PTR SS:[EBP-C]
00401076  |. 0345 FC        ADD EAX, DWORD PTR SS:[EBP-4]
00401079  |. 8945 E8        MOV DWORD PTR SS:[EBP-18], EAX
```

is again the sum of two numbers (⊙﹏⊙b, sweat) and uses the `DWORD PTR SS:[EBP-4]` from above. Later,

```
00401088  |. 8B55 E8        MOV EDX, DWORD PTR SS:[EBP-18]
0040108B  |. 81EA F4010000  SUB EDX, 1F4
00401091  |. 8955 E8        MOV DWORD PTR SS:[EBP-18], EDX
```

subtracts 1F4 and stores the result back into it.

So, in decimal (7D0 = 2000, 0BB8 = 3000, 1F4 = 500): A4 = 2000 + password + 500, A10 = 2000 + 3000, A18 = password + 3000 - 500. From this the password to enter is 2500. Testing it, the program prints OK.
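The level 4 reasoning can be replayed in code. The following is an added example, not part of the original writeup: it models the stack arithmetic from the listing above with the immediates the post names (7D0, 0BB8, 1F4), models the three CMP/JNZ pairs as "all three slots must be equal" (the register-to-slot pairing at the compares is not shown in the listing, so that is an assumption), and then recovers the password both algebraically and by exhaustive search over a range.

```python
"""Model of the level-4 crackme check, reconstructed from the OllyDbg listing.

Assumptions (not from the listing): 32-bit wraparound is modelled with a mask,
and the three CMPs are treated as requiring [EBP-10] == [EBP-14] == [EBP-18].
"""

MASK32 = 0xFFFFFFFF
IMM_7D0 = 0x7D0   # stored directly into [EBP-8]          (2000 decimal)
IMM_BB8 = 0xBB8   # stored directly into [EBP-C]          (3000 decimal)
IMM_1F4 = 0x1F4   # ADD ECX,1F4 and SUB EDX,1F4 immediate (500 decimal)


def stack_slots(password):
    """Replay 00401061..00401091 and return ([EBP-10], [EBP-14], [EBP-18])."""
    ebp_4 = password & MASK32                 # [EBP-4]: the value the user typed
    ebp_8, ebp_c = IMM_7D0, IMM_BB8           # [EBP-8], [EBP-C]: direct assignments
    ebp_10 = (ebp_4 + ebp_8) & MASK32         # 00401061 / 00401064 / 00401067
    ebp_14 = (ebp_8 + ebp_c) & MASK32         # 0040106A / 0040106D / 00401070
    ebp_18 = (ebp_c + ebp_4) & MASK32         # 00401073 / 00401076 / 00401079
    ebp_10 = (ebp_10 + IMM_1F4) & MASK32      # 0040107F / 00401085
    ebp_18 = (ebp_18 - IMM_1F4) & MASK32      # 00401088 / 0040108B / 00401091
    return ebp_10, ebp_14, ebp_18


def check(password):
    """The CMP/JNZ pairs at 004010F2, 004010FA and 00401102: any mismatch
    jumps to the 'no' branch, so 'OK' is reached only when all slots agree."""
    a, b, c = stack_slots(password)
    return a == b == c


def solve_algebraic():
    """[EBP-10] = pw + 7D0 + 1F4 must equal [EBP-14] = 7D0 + BB8, hence
    pw = (7D0 + BB8) - 7D0 - 1F4; [EBP-18] = pw + BB8 - 1F4 then agrees too."""
    return (IMM_7D0 + IMM_BB8) - IMM_7D0 - IMM_1F4


def solve_by_search(limit=10000):
    """Cross-check: every value below `limit` that the modelled check accepts."""
    return [pw for pw in range(limit) if check(pw)]


if __name__ == "__main__":
    pw = solve_algebraic()
    print("slots for %d: %r" % (pw, stack_slots(pw)))   # (5000, 5000, 5000)
    print("algebraic:", pw, "search:", solve_by_search())  # 2500 [2500]
```

Modelling the routine this way, rather than just solving the equation by hand, lets you confirm that the solution is unique over the search range and that the wraparound does not introduce a second accepted value.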
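The level 2/3 script works because the server returns an identical failure page for every wrong guess, so a different body means success. Seen from the server side, that same property is a detection signal: a burst of POSTs to the login endpoint from one client, all with the same response size, is a dictionary run, and a size change at the end of the burst is the moment a guess went through. The following is an added example (not from the post) that runs that check over constructed access-log lines in common log format; the IP addresses, path `/level3.php`, timestamps and sizes are all made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the page). 10.0.0.5 hammers the login
# form six times in three seconds; the last response is a different size.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:00:01 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Mar/2013:10:00:01 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Mar/2013:10:00:02 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.9 - - [12/Mar/2013:10:00:02 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Mar/2013:10:00:02 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Mar/2013:10:00:03 +0800] "POST /level3.php HTTP/1.1" 200 93
10.0.0.5 - - [12/Mar/2013:10:00:03 +0800] "POST /level3.php HTTP/1.1" 200 312
10.0.0.9 - - [12/Mar/2013:10:04:40 +0800] "GET /index.php HTTP/1.1" 200 1024
10.0.0.9 - - [12/Mar/2013:10:05:02 +0800] "POST /level3.php HTTP/1.1" 200 93
"""

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def detect_guessing(log_text, login_path, threshold=5, window_s=60):
    """Flag clients that POST to login_path at least `threshold` times within
    any `window_s`-second window. For each flagged client report the total
    attempts, the dominant (failure-page) response size, and whether any
    response deviated from it, which is what a successful guess looks like."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        burst = False
        for end in range(len(recs)):            # sliding window over sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        sizes = [r["size"] for r in recs]
        failure_size = max(set(sizes), key=sizes.count)   # the constant wrong-password page
        flagged[ip] = {
            "attempts": len(recs),
            "failure_size": failure_size,
            "size_changed": any(s != failure_size for s in sizes),
        }
    return flagged


if __name__ == "__main__":
    for ip, report in detect_guessing(SAMPLE_LOG, "/level3.php").items():
        print(ip, report)
```

The threshold and window are tuning knobs; a real deployment would read the log incrementally and also key on the response size per request so that a single deviating response inside a burst is raised as its own alert rather than only as a flag on the client.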