[原创]第五题
2017-6-10 14:56 2901
1、首先pass DebugPort清零反调试,驱动vmxdrv.sys里ida反编译代码如下:
/*
 * Anti-debug routine recovered by IDA from vmxdrv.sys (sub_10486).
 *
 * Starting from the current process, follows a linked list of process
 * objects until it reaches the one whose address is stored at dword_114E0,
 * then writes 0 to the DWORD at offset 0xBC of that object (DebugPort,
 * per the analysis above). Returns the object that was written, or the
 * current process unchanged if the walk comes back around to its start
 * without meeting the target.
 */
PEPROCESS sub_10486()
{
  PEPROCESS result; // eax@1
  struct _EPROCESS *v1; // edx@1
  result = IoGetCurrentProcess();
  v1 = result;  // remember the starting object so a full lap can be detected
  while ( result != (PEPROCESS)dword_114E0 )
  {
    // Read the forward link at offset 0x88 (34 DWORDs) and subtract 0x88 to
    // get back to the start of the containing object; presumably
    // EPROCESS.ActiveProcessLinks for the target OS build — confirm.
    result = (PEPROCESS)(*((_DWORD *)result + 34) - 0x88);
    if ( result == v1 )
      return result;  // wrapped around to the starting process: target not in list, nothing written
  }
  // Clear DebugPort (DWORD at offset 0x2F * 4 = 0xBC); corresponds to
  // .text:000104A9  and dword ptr [eax+0BCh], 0
  *((_DWORD *)result + 0x2F) = 0;
  return result;
}
用ResScope资源编辑器修改exe里面的vmxdrv.sys,把.text:000104A9处的 and dword ptr [eax+0BCh], 0 整条指令nop掉,
vmxdrv.sys文件偏移0x4A9: 83 A0 BC 00 00 00 00 为 90 90 90 90 90 90 90
然后再修改校验和为0x2813,vmxdrv.sys文件偏移0x2A0:13 28
最后保存,驱动反调试已经pass
2、加密算法
key-》判断key长度是不是6位-》key字符倒序-》传到vmxdrv.sys,key[0]+1,key[1]+1,key[2]+2,key[3]+3,key[4]+4,key[5]+5,再做一次MD5计算-》exe把得到的MD5字符串再做一次MD5
-》判断MD5字符串第3到12位是不是等于888aeda4ab,具体爆破算法如下:
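#include "stdafx.h"
#include "Md5A.h"

/*
 * Brute-force search for the 6-character key of challenge #5.
 *
 * Reproduces the check described above: each key byte gets a per-position
 * offset added (+1, +1, +2, +3, +4, +5), the result is MD5-hashed with
 * CMd5A::MDString, that 32-byte digest string is MD5-hashed again with
 * CMd5A::MDBuffer, and bytes 1..5 of the second digest must equal
 * 88 8a ed a4 ab.  The key is printed reversed because the target reverses
 * the user's input before handing it to the driver.
 *
 * Returns 0 in all cases (also when no key is found).
 *
 * Changes from the earlier version: the unused szMd5 buffer is gone, the
 * target bytes are unsigned char so 0x88.. no longer narrow into a signed
 * char, the alphabet length is a size_t, and the six nested loops are
 * replaced by one odometer over six indices (rightmost position varies
 * fastest, so the search order is unchanged).
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    CMd5A md5;
    static const unsigned char kTarget[5] = { 0x88, 0x8a, 0xed, 0xa4, 0xab };
    static const unsigned char kAlphabet[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    static const unsigned char kDelta[6] = { 1, 1, 2, 3, 4, 5 };   // per-position offsets applied by the driver
    const size_t len = strlen((const char*)kAlphabet);

    size_t idx[6] = { 0 };               // current alphabet index for each key position
    unsigned char szkey[7] = { 0 };      // 6 transformed bytes + NUL terminator for MDString

    for (;;) {
        for (int p = 0; p < 6; p++) {
            szkey[p] = (unsigned char)(kAlphabet[idx[p]] + kDelta[p]);
        }

        char* lpMd5 = md5.MDString((char*)szkey);
        lpMd5 = md5.MDBuffer(lpMd5, 32);   // second MD5 over the 32-byte digest string

        if (memcmp(&lpMd5[1], kTarget, 5) == 0) {
            // Print the untransformed characters, last position first.
            printf("key:");
            for (int p = 5; p >= 0; p--) {
                printf("%c", kAlphabet[idx[p]]);
            }
            getchar();
            return 0;
        }

        // Odometer step: advance the last position, carrying into earlier ones.
        int p = 5;
        while (p >= 0 && ++idx[p] == len) {
            idx[p] = 0;
            p--;
        }
        if (p < 0) {
            break;   // every combination tried
        }
    }
    return 0;
}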
输出结果:su1986