[原创]第五题-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]第五题

2017-6-10 14:56 2901

[原创]第五题

EricAzhe

2017-6-10 14:56

2901

1、首先pass DebugPort清零反调试，驱动vmxdrv.sys里ida反编译代码如下：

PEPROCESS sub_10486()
{
PEPROCESS result; // eax@1
struct _EPROCESS *v1; // edx@1

result = IoGetCurrentProcess();
v1 = result;
while ( result != (PEPROCESS)dword_114E0 )
{
    result = (PEPROCESS)(*((_DWORD *)result + 34) - 0x88);
    if ( result == v1 )
      return result;
}
*((_DWORD *)result + 0x2F) = 0;   //DebugPort清零，对应地址.text:000104A9                 and     dword ptr [eax+0BCh], 0

return result;
}

用ResScope资源编辑修改exe里面的vmxdrv.sys，把text:000104A9 and dword ptr [eax+0BCh], 0 全部nop，

vmxdrv.sys文件偏移0x4A9： 83 A0 BC 00 00 00 00 为 90 90 90 90 90 90 90

然后在修改效验和为0x2813，vmxdrv.sys文件偏移0x2A0：13 28

最后保存，驱动反调试已经pass

2、加密算法
key-》判断key长度是不是6位-》key字符倒序-》传到vmxdrv.sys，key[0]+1,key[1]+1,key[2]+2,key[3]+3,key[4]+4 ,key[5]+5,在做一次MD5计算-》exe把MD5在做一次MD5

-》判断MD5字符串第3到12位是不是等于888aeda4ab，具体爆破算法如下：

#include "stdafx.h"
#include "Md5A.h"

int _tmain(int argc, _TCHAR* argv[])
{
    CMd5A md5;
    char szResult[]={0x88,0x8a,0xed,0xa4,0xab};
    unsigned char szString[]="0123456789abcdefghijklmnopqrstuvwxyz";

    unsigned char szkey[10]={NULL};
    char szMd5[16];
    int a,b,c,d,e,f;
    int len=strlen((char*)szString);
    char* lpMd5=NULL;
    memset(szkey,0,sizeof(szkey));

    for (a=0;a<len;a++)
    {
        szkey[0]=szString[a]+1;
        for (b=0;b<len;b++)
        {
            szkey[1]=szString[b]+1;
            for (c=0;c<len;c++)
            {
                szkey[2]=szString[c]+2;
                for (d=0;d<len;d++)
                {
                    szkey[3]=szString[d]+3;
                    for (e=0;e<len;e++)
                    {
                        szkey[4]=szString[e]+4;
                        for (f=0;f<len;f++)
                        {
                            szkey[5]=szString[f]+5;

                            lpMd5=md5.MDString((char*)szkey);
                            lpMd5=md5.MDBuffer(lpMd5,32);
                            if (memcmp(&lpMd5[1],szResult,5)==0)
                            {
                                szkey[0] = szkey[0] - 1;
                                szkey[1] = szkey[1] - 1;
                                szkey[2] = szkey[2] - 2;
                                szkey[3] = szkey[3] - 3;
                                szkey[4] = szkey[4] - 4;
                                szkey[5] = szkey[5] - 5;
                                printf("key:");
                                for (int i=5;i>=0;i--)
                                {
                                    printf("%c",szkey[i]);
                                }   
                                getchar();                             
                                return 0;
                            }
                        }
                    }
                }
            }
        }
    }
    return 0;
}

输出结果：su1986

阿里云助力开发者！2核2G 3M带宽不限流量！6.18限时价，开发者可享99元/年，续费同价！

收藏・0

点赞・1

打赏