-
-
HellBound Hackers app11 破解
-
发表于: 2014-8-18 11:13
-
app 下载: app11.zip
或者:https://www.hellboundhackers.org/challenges/app/ 的Application Cracking 11
1、使用OD打开分析,进入app11领空,如下图所示:
代码好像有点麻烦,难道加壳了?那使用PEID看看
2、使用PEID打开app,如下图所示:
很明显不是加壳作怪,而是该程序使用的c#开发,故这个使用od打开后会出现上述情况,那使用IL DASM分析
3、使用IL DASM打开app,如图所示:
那接下来需要找到密码存放在何处?那个方法中?根据程序界面:
猜测:应该是点击“Check Password”button 后进行比较,然后根据比较结果弹出相应的对话框?
4、分别点开几个click方法,发现Command1_Click_1方法中有大批的代码,难道是这个页面?大概浏览下代码,发现有下面的片段代码:
很明显这个地方应该就是密码附近的位置。
5、仔细分析4处的代码:
IL_01e7: ldc.i4.0
IL_01e8: bne.un.s IL_0205
IL_01ea: ldstr "Congratulations: The password for HBH is: "
IL_01ef: ldloc.s V_26 //将V_26存储的字符串 存至堆栈上
IL_01f1: call string [mscorlib]System.String::Concat(string,
string) //字符串连接
IL_01f6: ldc.i4.s 64
IL_01f8: ldstr "Correct!"
IL_01fd: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxStyle,
object) //弹出对话框
上述代码是:弹出一个对话框,显示内容是:"Congratulations: The password for HBH is: "+v_26(存储的字符串),那接下来就需要分析v _26存储的内容是什么?
往上分析代码:
IL_0000: nop
IL_0001: ldstr "YOUR LOOKING IN THE WRONG PLACE: FROM saxible"
IL_0006: stloc.s V_27 //将YOUR LOOKING IN THE WRONG PLACE: FROM saxible存入 V_27
IL_0008: ldstr "n"
IL_000d: stloc.0 //将字符n存入变量0中
IL_000e: ldstr "o"
IL_0013: stloc.s V_11 //将字符o存入V_11中,后续的代码段相同
IL_0015: ldstr "p"
IL_001a: stloc.s V_19
IL_001c: ldstr "q"
IL_0021: stloc.s V_20
IL_0023: ldstr "r"
IL_0028: stloc.s V_21
IL_002a: ldstr "s"
IL_002f: stloc.s V_22
IL_0031: ldstr "t"
IL_0036: stloc.s V_23
IL_0038: ldstr "u"
IL_003d: stloc.s V_24
IL_003f: ldstr "v"
IL_0044: stloc.s V_25
IL_0046: ldstr "w"
IL_004b: stloc.1
IL_004c: ldstr "x"
IL_0051: stloc.2
IL_0052: ldstr "y"
IL_0057: stloc.3
IL_0058: ldstr "z"
IL_005d: stloc.s V_4
IL_005f: ldstr "a"
IL_0064: stloc.s V_5
IL_0066: ldstr "b"
IL_006b: stloc.s V_6
IL_006d: ldstr "c"
IL_0072: stloc.s V_7
IL_0074: ldstr "d"
IL_0079: stloc.s V_8
IL_007b: ldstr "e"
IL_0080: stloc.s V_9
IL_0082: ldstr "f"
IL_0087: stloc.s V_10
IL_0089: ldstr "g"
IL_008e: stloc.s V_12
IL_0090: ldstr "h"
IL_0095: stloc.s V_13
IL_0097: ldstr "i"
IL_009c: stloc.s V_14
IL_009e: ldstr "j"
IL_00a3: stloc.s V_15
IL_00a5: ldstr "k"
IL_00aa: stloc.s V_16
IL_00ac: ldstr "l"
IL_00b1: stloc.s V_17
IL_00b3: ldstr "m"
IL_00b8: stloc.s V_18 //截止此处,完成V_0 - V_25变量的赋值
IL_00ba: ldc.i4.s 15
IL_00bc: newarr [mscorlib]System.String //创建 15长度的字符串
IL_00c1: stloc.s V_29 //v_29指向刚创建的字符串
IL_00c3: ldloc.s V_29
IL_00c5: ldc.i4.0 //将整数0 存入栈中
IL_00c6: ldloc.s V_23
IL_00c8: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string) //将V_23代表的字符转化为大写
IL_00cd: stelem.ref //将转化后的字符存入V_29[0] 中( T )
IL_00ce: nop
IL_00cf: ldloc.s V_29
IL_00d1: ldc.i4.1
IL_00d2: ldloc.s V_11
IL_00d4: stelem.ref //将V_11表示的字符存入V_29[1]中 [ o ]
IL_00d5: nop
IL_00d6: ldloc.s V_29
IL_00d8: ldc.i4.2
IL_00d9: ldstr " "
IL_00de: stelem.ref ////将空格存入V_29[2]中 [ ]
IL_00df: nop
IL_00e0: ldloc.s V_29
IL_00e2: ldc.i4.3
IL_00e3: ldloc.s V_8
IL_00e5: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_00ea: stelem.ref // V_29[3]=D
IL_00eb: nop
IL_00ec: ldloc.s V_29
IL_00ee: ldc.i4.4
IL_00ef: ldloc.s V_9
IL_00f1: stelem.ref//V_29[4]=e
IL_00f2: nop
IL_00f3: ldloc.s V_29
IL_00f5: ldc.i4.5
IL_00f6: ldloc.s V_5
IL_00f8: stelem.ref //V_29[5]=a
IL_00f9: nop
IL_00fa: ldloc.s V_29
IL_00fc: ldc.i4.6
IL_00fd: ldloc.s V_8
IL_00ff: stelem.ref V_29[6]=d
IL_0100: nop
IL_0101: ldloc.s V_29
IL_0103: ldc.i4.7
IL_0104: ldstr " "
IL_0109: stelem.ref //V_29[7]=" "
IL_010a: nop
IL_010b: ldloc.s V_29
IL_010d: ldc.i4.8
IL_010e: ldloc.s V_23
IL_0110: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_0115: stelem.ref// V_29[8]=T
IL_0116: nop
IL_0117: ldloc.s V_29
IL_0119: ldc.i4.s 9
IL_011b: ldloc.s V_11
IL_011d: stelem.ref
IL_011e: nop
IL_011f: ldloc.s V_29
IL_0121: ldc.i4.s 10
IL_0123: ldstr " "
IL_0128: stelem.ref
IL_0129: nop
IL_012a: ldloc.s V_29
IL_012c: ldc.i4.s 11
IL_012e: ldloc.s V_13
IL_0130: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_0135: stelem.ref
IL_0136: nop
IL_0137: ldloc.s V_29
IL_0139: ldc.i4.s 12
IL_013b: ldloc.s V_14
IL_013d: stelem.ref
IL_013e: nop
IL_013f: ldloc.s V_29
IL_0141: ldc.i4.s 13
IL_0143: ldloc.s V_8
IL_0145: stelem.ref
IL_0146: nop
IL_0147: ldloc.s V_29
IL_0149: ldc.i4.s 14
IL_014b: ldloc.s V_9
IL_014d: stelem.ref //V_29[14]=e
IL_014e: nop
IL_014f: ldloc.s V_29
IL_0151: call string [mscorlib]System.String::Concat(string[])
IL_0156: stloc.s V_28 //V_28=V_29="To Dead To Hide"
IL_0158: ldc.i4.s 13
IL_015a: newarr [mscorlib]System.String
IL_015f: stloc.s V_29 //重新创建了一个13长度的数组 为V_29
IL_0161: ldloc.s V_29
IL_0163: ldc.i4.0 //将整数0存入栈
IL_0164: ldloc.s V_22 //v_22 表示的字符存入栈
IL_0166: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_016b: stelem.ref //V_29[0]=S
IL_016c: nop
IL_016d: ldloc.s V_29
IL_016f: ldc.i4.1
IL_0170: ldloc.s V_23
IL_0172: stelem.ref
IL_0173: nop
IL_0174: ldloc.s V_29
IL_0176: ldc.i4.2
IL_0177: ldloc.s V_21
IL_0179: stelem.ref
IL_017a: nop
IL_017b: ldloc.s V_29
IL_017d: ldc.i4.3
IL_017e: ldloc.s V_11
IL_0180: stelem.ref
IL_0181: nop
IL_0182: ldloc.s V_29
IL_0184: ldc.i4.4
IL_0185: ldloc.0
IL_0186: stelem.ref
IL_0187: nop
IL_0188: ldloc.s V_29
IL_018a: ldc.i4.5
IL_018b: ldloc.s V_12
IL_018d: stelem.ref
IL_018e: nop
IL_018f: ldloc.s V_29
IL_0191: ldc.i4.6
IL_0192: ldstr " "
IL_0197: stelem.ref
IL_0198: nop
IL_0199: ldloc.s V_29
IL_019b: ldc.i4.7
IL_019c: ldloc.1
IL_019d: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_01a2: stelem.ref
IL_01a3: nop
IL_01a4: ldloc.s V_29
IL_01a6: ldc.i4.8
IL_01a7: ldloc.s V_14
IL_01a9: stelem.ref
IL_01aa: nop
IL_01ab: ldloc.s V_29
IL_01ad: ldc.i4.s 9
IL_01af: ldloc.s V_23
IL_01b1: stelem.ref
IL_01b2: nop
IL_01b3: ldloc.s V_29
IL_01b5: ldc.i4.s 10
IL_01b7: ldloc.s V_23
IL_01b9: stelem.ref
IL_01ba: nop
IL_01bb: ldloc.s V_29
IL_01bd: ldc.i4.s 11
IL_01bf: ldloc.s V_9
IL_01c1: stelem.ref
IL_01c2: nop
IL_01c3: ldloc.s V_29
IL_01c5: ldc.i4.s 12
IL_01c7: ldloc.s V_8
IL_01c9: stelem.ref
IL_01ca: nop
IL_01cb: ldloc.s V_29
IL_01cd: call string [mscorlib]System.String::Concat(string[])
IL_01d2: stloc.s V_26 // V_26="Strong Witted"
IL_01d4: ldarg.0
IL_01d5: callvirt instance class [System.Windows.Forms]System.Windows.Forms.TextBox HBHAppChallenge.Form1::get_txtPassword()
IL_01da: callvirt instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
IL_01df: ldloc.s V_28
IL_01e1: ldc.i4.0
IL_01e2: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::StrCmp(string,
string,
bool) //使用V_28与输入的密码比较
经过分析发现:需要输入的密码为To Dead To Hide,HBH需要的密码为Strong Witted
那验证下:
参考文档:
1、http://www.cnblogs.com/xiaoxiangfeizi/archive/2011/08/08/2130768.html
2、http://www.cnblogs.com/xuanhun/archive/2012/05/24/2516346.html
3、http://wenku.baidu.com/link?url=FTy2dQuvOLwwB2TVRpCG-ECxefeAhyWYMpRHKt2R3irEzZpTi-evk2DESTJq2Bzdc0cqs7amaUZtH7XJTjHGEdcleea_Lz1LKuPBnD8C3zC
或者:https://www.hellboundhackers.org/challenges/app/ 的Application Cracking 11
1、使用OD打开分析,进入app11领空,如下图所示:
代码好像有点麻烦,难道加壳了?那使用PEID看看
2、使用PEID打开app,如下图所示:
很明显不是加壳作怪,而是该程序使用的c#开发,故这个使用od打开后会出现上述情况,那使用IL DASM分析
3、使用IL DASM打开app,如图所示:
那接下来需要找到密码存放在何处?那个方法中?根据程序界面:
猜测:应该是点击“Check Password”button 后进行比较,然后根据比较结果弹出相应的对话框?
4、分别点开几个click方法,发现Command1_Click_1方法中有大批的代码,难道是这个页面?大概浏览下代码,发现有下面的片段代码:
很明显这个地方应该就是密码附近的位置。
5、仔细分析4处的代码:
IL_01e7: ldc.i4.0
IL_01e8: bne.un.s IL_0205
IL_01ea: ldstr "Congratulations: The password for HBH is: "
IL_01ef: ldloc.s V_26 //将V_26存储的字符串 存至堆栈上
IL_01f1: call string [mscorlib]System.String::Concat(string,
string) //字符串连接
IL_01f6: ldc.i4.s 64
IL_01f8: ldstr "Correct!"
IL_01fd: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxStyle,
object) //弹出对话框
上述代码是:弹出一个对话框,显示内容是:"Congratulations: The password for HBH is: "+v_26(存储的字符串),那接下来就需要分析v _26存储的内容是什么?
往上分析代码:
IL_0000: nop
IL_0001: ldstr "YOUR LOOKING IN THE WRONG PLACE: FROM saxible"
IL_0006: stloc.s V_27 //将YOUR LOOKING IN THE WRONG PLACE: FROM saxible存入 V_27
IL_0008: ldstr "n"
IL_000d: stloc.0 //将字符n存入变量0中
IL_000e: ldstr "o"
IL_0013: stloc.s V_11 //将字符o存入V_11中,后续的代码段相同
IL_0015: ldstr "p"
IL_001a: stloc.s V_19
IL_001c: ldstr "q"
IL_0021: stloc.s V_20
IL_0023: ldstr "r"
IL_0028: stloc.s V_21
IL_002a: ldstr "s"
IL_002f: stloc.s V_22
IL_0031: ldstr "t"
IL_0036: stloc.s V_23
IL_0038: ldstr "u"
IL_003d: stloc.s V_24
IL_003f: ldstr "v"
IL_0044: stloc.s V_25
IL_0046: ldstr "w"
IL_004b: stloc.1
IL_004c: ldstr "x"
IL_0051: stloc.2
IL_0052: ldstr "y"
IL_0057: stloc.3
IL_0058: ldstr "z"
IL_005d: stloc.s V_4
IL_005f: ldstr "a"
IL_0064: stloc.s V_5
IL_0066: ldstr "b"
IL_006b: stloc.s V_6
IL_006d: ldstr "c"
IL_0072: stloc.s V_7
IL_0074: ldstr "d"
IL_0079: stloc.s V_8
IL_007b: ldstr "e"
IL_0080: stloc.s V_9
IL_0082: ldstr "f"
IL_0087: stloc.s V_10
IL_0089: ldstr "g"
IL_008e: stloc.s V_12
IL_0090: ldstr "h"
IL_0095: stloc.s V_13
IL_0097: ldstr "i"
IL_009c: stloc.s V_14
IL_009e: ldstr "j"
IL_00a3: stloc.s V_15
IL_00a5: ldstr "k"
IL_00aa: stloc.s V_16
IL_00ac: ldstr "l"
IL_00b1: stloc.s V_17
IL_00b3: ldstr "m"
IL_00b8: stloc.s V_18 //截止此处,完成V_0 - V_25变量的赋值
IL_00ba: ldc.i4.s 15
IL_00bc: newarr [mscorlib]System.String //创建 15长度的字符串
IL_00c1: stloc.s V_29 //v_29指向刚创建的字符串
IL_00c3: ldloc.s V_29
IL_00c5: ldc.i4.0 //将整数0 存入栈中
IL_00c6: ldloc.s V_23
IL_00c8: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string) //将V_23代表的字符转化为大写
IL_00cd: stelem.ref //将转化后的字符存入V_29[0] 中( T )
IL_00ce: nop
IL_00cf: ldloc.s V_29
IL_00d1: ldc.i4.1
IL_00d2: ldloc.s V_11
IL_00d4: stelem.ref //将V_11表示的字符存入V_29[1]中 [ o ]
IL_00d5: nop
IL_00d6: ldloc.s V_29
IL_00d8: ldc.i4.2
IL_00d9: ldstr " "
IL_00de: stelem.ref ////将空格存入V_29[2]中 [ ]
IL_00df: nop
IL_00e0: ldloc.s V_29
IL_00e2: ldc.i4.3
IL_00e3: ldloc.s V_8
IL_00e5: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_00ea: stelem.ref // V_29[3]=D
IL_00eb: nop
IL_00ec: ldloc.s V_29
IL_00ee: ldc.i4.4
IL_00ef: ldloc.s V_9
IL_00f1: stelem.ref//V_29[4]=e
IL_00f2: nop
IL_00f3: ldloc.s V_29
IL_00f5: ldc.i4.5
IL_00f6: ldloc.s V_5
IL_00f8: stelem.ref //V_29[5]=a
IL_00f9: nop
IL_00fa: ldloc.s V_29
IL_00fc: ldc.i4.6
IL_00fd: ldloc.s V_8
IL_00ff: stelem.ref V_29[6]=d
IL_0100: nop
IL_0101: ldloc.s V_29
IL_0103: ldc.i4.7
IL_0104: ldstr " "
IL_0109: stelem.ref //V_29[7]=" "
IL_010a: nop
IL_010b: ldloc.s V_29
IL_010d: ldc.i4.8
IL_010e: ldloc.s V_23
IL_0110: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_0115: stelem.ref// V_29[8]=T
IL_0116: nop
IL_0117: ldloc.s V_29
IL_0119: ldc.i4.s 9
IL_011b: ldloc.s V_11
IL_011d: stelem.ref
IL_011e: nop
IL_011f: ldloc.s V_29
IL_0121: ldc.i4.s 10
IL_0123: ldstr " "
IL_0128: stelem.ref
IL_0129: nop
IL_012a: ldloc.s V_29
IL_012c: ldc.i4.s 11
IL_012e: ldloc.s V_13
IL_0130: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_0135: stelem.ref
IL_0136: nop
IL_0137: ldloc.s V_29
IL_0139: ldc.i4.s 12
IL_013b: ldloc.s V_14
IL_013d: stelem.ref
IL_013e: nop
IL_013f: ldloc.s V_29
IL_0141: ldc.i4.s 13
IL_0143: ldloc.s V_8
IL_0145: stelem.ref
IL_0146: nop
IL_0147: ldloc.s V_29
IL_0149: ldc.i4.s 14
IL_014b: ldloc.s V_9
IL_014d: stelem.ref //V_29[14]=e
IL_014e: nop
IL_014f: ldloc.s V_29
IL_0151: call string [mscorlib]System.String::Concat(string[])
IL_0156: stloc.s V_28 //V_28=V_29="To Dead To Hide"
IL_0158: ldc.i4.s 13
IL_015a: newarr [mscorlib]System.String
IL_015f: stloc.s V_29 //重新创建了一个13长度的数组 为V_29
IL_0161: ldloc.s V_29
IL_0163: ldc.i4.0 //将整数0存入栈
IL_0164: ldloc.s V_22 //v_22 表示的字符存入栈
IL_0166: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_016b: stelem.ref //V_29[0]=S
IL_016c: nop
IL_016d: ldloc.s V_29
IL_016f: ldc.i4.1
IL_0170: ldloc.s V_23
IL_0172: stelem.ref
IL_0173: nop
IL_0174: ldloc.s V_29
IL_0176: ldc.i4.2
IL_0177: ldloc.s V_21
IL_0179: stelem.ref
IL_017a: nop
IL_017b: ldloc.s V_29
IL_017d: ldc.i4.3
IL_017e: ldloc.s V_11
IL_0180: stelem.ref
IL_0181: nop
IL_0182: ldloc.s V_29
IL_0184: ldc.i4.4
IL_0185: ldloc.0
IL_0186: stelem.ref
IL_0187: nop
IL_0188: ldloc.s V_29
IL_018a: ldc.i4.5
IL_018b: ldloc.s V_12
IL_018d: stelem.ref
IL_018e: nop
IL_018f: ldloc.s V_29
IL_0191: ldc.i4.6
IL_0192: ldstr " "
IL_0197: stelem.ref
IL_0198: nop
IL_0199: ldloc.s V_29
IL_019b: ldc.i4.7
IL_019c: ldloc.1
IL_019d: call string [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::UCase(string)
IL_01a2: stelem.ref
IL_01a3: nop
IL_01a4: ldloc.s V_29
IL_01a6: ldc.i4.8
IL_01a7: ldloc.s V_14
IL_01a9: stelem.ref
IL_01aa: nop
IL_01ab: ldloc.s V_29
IL_01ad: ldc.i4.s 9
IL_01af: ldloc.s V_23
IL_01b1: stelem.ref
IL_01b2: nop
IL_01b3: ldloc.s V_29
IL_01b5: ldc.i4.s 10
IL_01b7: ldloc.s V_23
IL_01b9: stelem.ref
IL_01ba: nop
IL_01bb: ldloc.s V_29
IL_01bd: ldc.i4.s 11
IL_01bf: ldloc.s V_9
IL_01c1: stelem.ref
IL_01c2: nop
IL_01c3: ldloc.s V_29
IL_01c5: ldc.i4.s 12
IL_01c7: ldloc.s V_8
IL_01c9: stelem.ref
IL_01ca: nop
IL_01cb: ldloc.s V_29
IL_01cd: call string [mscorlib]System.String::Concat(string[])
IL_01d2: stloc.s V_26 // V_26="Strong Witted"
IL_01d4: ldarg.0
IL_01d5: callvirt instance class [System.Windows.Forms]System.Windows.Forms.TextBox HBHAppChallenge.Form1::get_txtPassword()
IL_01da: callvirt instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
IL_01df: ldloc.s V_28
IL_01e1: ldc.i4.0
IL_01e2: call int32 [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::StrCmp(string,
string,
bool) //使用V_28与输入的密码比较
经过分析发现:需要输入的密码为To Dead To Hide,HBH需要的密码为Strong Witted
那验证下:
参考文档:
1、http://www.cnblogs.com/xiaoxiangfeizi/archive/2011/08/08/2130768.html
2、http://www.cnblogs.com/xuanhun/archive/2012/05/24/2516346.html
3、http://wenku.baidu.com/link?url=FTy2dQuvOLwwB2TVRpCG-ECxefeAhyWYMpRHKt2R3irEzZpTi-evk2DESTJq2Bzdc0cqs7amaUZtH7XJTjHGEdcleea_Lz1LKuPBnD8C3zC
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
