app1

Hint:HEX

app2

Hint:HEX

app4

Hint: VB decompile, patch with OD
Hint: OD window plugin

app5

Hint: Inspect the memory near ebp; the answer can also be found there

0040109C 8B4D E0 mov ecx,dword ptr ss:[ebp-20] ; algorithm starts
0040109F 83C1 04 add ecx,4
004010A2 894D E0 mov dword ptr ss:[ebp-20],ecx
004010A5 8B55 DC mov edx,dword ptr ss:[ebp-24]
004010A8 83EA 01 sub edx,1
004010AB 8955 DC mov dword ptr ss:[ebp-24],edx
004010AE 837D E0 0D cmp dword ptr ss:[ebp-20],0D
004010B2 73 28 jnb short app5win.004010DC
004010B4 8B45 E0 mov eax,dword ptr ss:[ebp-20]
004010B7 C1E8 02 shr eax,2
004010BA 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
004010BD 8B55 DC mov edx,dword ptr ss:[ebp-24]
004010C0 8B0481 mov eax,dword ptr ds:[ecx+eax*4]
004010C3 3B4495 E8 cmp eax,dword ptr ss:[ebp+edx*4-18] ; compares ASCII, watch the stack
004010C7 74 11 je short app5win.004010DA
004010C9 68 4C704000 push app5win.0040704C ; invalid password
004010CE E8 20000000 call app5win.004010F3
004010D3 83C4 04 add esp,4
004010D6 33C0 xor eax,eax
004010D8 EB 15 jmp short app5win.004010EF
004010DA ^ EB C0 jmp short app5win.0040109C ; loop jumps back
004010DC 8D4D CC lea ecx,dword ptr ss:[ebp-34]
004010DF 51 push ecx
004010E0 68 60704000 push app5win.00407060 ; the password is %s\n

app6

Hint: Same as app5

app7

http://zqyves.blogspot.tw/2008/05/hackthissite-application-7-solution.html

app8

Hint: bp __vbaVarTstEq

app9

Hint:100,500,1000

app10

Hint: VB Decompile, click

app11

Hint: Make the window longer

app12

Hint: bp __vbaVarTstEq