来看雪这么长时间了,以前练习CM都是爆破
这次去参加比赛,遇到了这个CM,爆破之类的方法都行不通了
所以以后还是要多学习学习如何计算出key
而不是一味的去爆破,那样学习不到任何知识
如果有错误的地方,希望各位前辈不吝指出,感谢万分!!
Filename:CM_250
听说PEID没人维护了
拿到这个题
故用ExeinfoPE查看信息
得出程序由VC++ v.10版本开发
无壳无保护
flyOD
搜索字符串,得到一些有用的信息,如 You are right!、Error! 等
运行到关键代码
关键代码如下
第一波验证(输入字符串长度验证:strlen-1 不得大于 0x1C,即最多 29 个字符)
004011D1 |. FF15 54304000 call dword ptr ds:[<&MSVCP100.?getline@?>; read one line into the stack buffer at esp+0x84 (the size argument passed to getline is not visible in this excerpt)
004011D7 |. 8D8424 840000>lea eax,dword ptr ss:[esp+0x84] ; eax = start of the input buffer
004011DE |. 8D50 01 lea edx,dword ptr ds:[eax+0x1] ; edx = start+1; used below to turn the scan pointer into a length
004011E1 |> 8A08 /mov cl,byte ptr ds:[eax] ; inline strlen: scan until the NUL terminator
004011E3 |. 40 |inc eax
004011E4 |. 84C9 |test cl,cl
004011E6 |.^ 75 F9 \jnz short CM_250.004011E1 ; on exit eax points one past the NUL
004011E8 |. 2BC2 sub eax,edx ; eax = strlen(input)
004011EA |. 48 dec eax ; eax = strlen(input) - 1
004011EB |. 83F8 1C cmp eax,0x1C ; error if strlen-1 > 0x1C, i.e. more than 29 characters
004011EE |. 0F87 7F030000 ja CM_250.00401573 ; unsigned compare, so an empty line (eax = -1) is rejected as well
继续走
第二波验证(输入字符串的前五个字符必须为 CUIT{)
004011F4 |. A1 80314000 mov eax,dword ptr ds:[0x403180] ; first 4 bytes of the constant "CUIT{"
004011F9 |. 66:8B0D 84314>mov cx,word ptr ds:[0x403184] ; "{" plus the NUL terminator
00401200 |. 894424 78 mov dword ptr ss:[esp+0x78],eax ; build a local copy "CUIT{\0" at esp+0x78
00401204 |. 8D4424 78 lea eax,dword ptr ss:[esp+0x78]
00401208 |. 66:894C24 7C mov word ptr ss:[esp+0x7C],cx
0040120D |. 8D50 01 lea edx,dword ptr ds:[eax+0x1] ; inline strlen of the local copy, same idiom as in the length check
00401210 |> 8A08 /mov cl,byte ptr ds:[eax]
00401212 |. 40 |inc eax
00401213 |. 84C9 |test cl,cl
00401215 |.^ 75 F9 \jnz short CM_250.00401210
00401217 |. 2BC2 sub eax,edx ; eax = 5
00401219 |. 33C9 xor ecx,ecx ; ecx = 0, loop index
0040121B |. 48 dec eax ; eax = 4, last index to compare
0040121C |. 78 14 js short CM_250.00401232 ; would skip the loop for an empty constant (never true here)
0040121E |. 8BFF mov edi,edi ; 2-byte no-op used as padding; the OllyDbg annotation is noise
00401220 |> 8A540C 78 /mov dl,byte ptr ss:[esp+ecx+0x78] ; dl = "CUIT{"[ecx]
00401224 |. 3A940C 840000>|cmp dl,byte ptr ss:[esp+ecx+0x84] ; compare with input[ecx]
0040122B |. 75 70 |jnz short CM_250.0040129D ; mismatch -> error
0040122D |. 41 |inc ecx
0040122E |. 3BC8 |cmp ecx,eax
00401230 |.^ 7E EE \jle short CM_250.00401220 ; loop for ecx = 0..4 inclusive, so all five prefix bytes are checked
继续跟下去
第三波验证(输入字符串的第 29 个字符必须为 })
00401232 |> 80BC24 A00000>cmp byte ptr ss:[esp+0xA0],0x7D ; input[28] (the 29th character) must be '}' (0x7D)
0040123A |. 0F85 33030000 jnz CM_250.00401573 ; otherwise error; together with the "at most 29 chars" check this effectively fixes the key length at 29
第四波验证(输入字符特定位置验证:第九、十五、十八、二十二位必须为 _,不相等则 jnz 到 error;而后面对第八位 u、第六位 Y、第七位 0 的三个比较用的是 je 直接跳到 004012B5,也就是三者只要有一个相等就能通过,00401284 之后的落空路径此处未贴出,应该就是 error)
00401240 |. B0 5F mov al,0x5F ; al = '_'
00401242 |. 388424 8C0000>cmp byte ptr ss:[esp+0x8C],al ; input[8] (9th char) must be '_'
00401249 |. 75 52 jnz short CM_250.0040129D ; each of the four '_' checks is mandatory: mismatch -> error
0040124B |. 388424 920000>cmp byte ptr ss:[esp+0x92],al ; input[14] (15th char) must be '_'
00401252 |. 75 49 jnz short CM_250.0040129D
00401254 |. 388424 950000>cmp byte ptr ss:[esp+0x95],al ; input[17] (18th char) must be '_'
0040125B |. 75 40 jnz short CM_250.0040129D
0040125D |. 388424 990000>cmp byte ptr ss:[esp+0x99],al ; input[21] (22nd char) must be '_'
00401264 |. 75 37 jnz short CM_250.0040129D
00401266 |. 80BC24 8B0000>cmp byte ptr ss:[esp+0x8B],0x75 ; input[7] (8th char) == 'u' ?
0040126E |. 74 45 je short CM_250.004012B5 ; NOTE: these three tests jump to the next stage on EQUAL, so only ONE of them has to hold
00401270 |. 80BC24 890000>cmp byte ptr ss:[esp+0x89],0x59 ; input[5] (6th char) == 'Y' ?
00401278 |. 74 3B je short CM_250.004012B5
0040127A |. 80BC24 8A0000>cmp byte ptr ss:[esp+0x8A],0x30 ; input[6] (7th char) == '0' ?
00401282 |. 74 31 je short CM_250.004012B5 ; the fall-through (00401284..004012B4) is not shown; presumably the error path
接下来这段代码为后面第十到十四位的验证做准备:用常量串 v2kpn 构造一个字符串对象,在栈上放好差值表 1、2、3、4、5,并把输入的第十到十四位拷贝进一个新的字符串里
004012B5 |> \B8 88314000 mov eax,CM_250.00403188 ; eax = constant "v2kpn" (lives in .data; it is not derived from the input)
004012BA |. 8D4C24 48 lea ecx,dword ptr ss:[esp+0x48] ; ecx = this for a string object built at esp+0x48
004012BE |. C74424 64 010>mov dword ptr ss:[esp+0x64],0x1 ; delta table {1,2,3,4,5} at esp+0x64..0x74, consumed by 00401040 below
004012C6 |. C74424 68 020>mov dword ptr ss:[esp+0x68],0x2
004012CE |. C74424 6C 030>mov dword ptr ss:[esp+0x6C],0x3
004012D6 |. C74424 70 040>mov dword ptr ss:[esp+0x70],0x4
004012DE |. C74424 74 050>mov dword ptr ss:[esp+0x74],0x5
004012E6 |. E8 05030000 call CM_250.004015F0 ; build string(esp+0x48) from "v2kpn"; 004015F0 looks like a string ctor from char* (body not shown)
004012EB |. B8 90314000 mov eax,CM_250.00403190 ; eax = placeholder "AAAAA"
004012F0 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] ; second string object at esp+0x10; its bytes are overwritten with input[9..13] below
004012F4 |. C78424 180100>mov dword ptr ss:[esp+0x118],0x0
004012FF |. E8 EC020000 call CM_250.004015F0
00401304 |. C68424 180100>mov byte ptr ss:[esp+0x118],0x1
0040130C |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10] ; eax = heap pointer of the string at esp+0x10 ...
00401310 |. B9 10000000 mov ecx,0x10
00401315 |. 394C24 24 cmp dword ptr ss:[esp+0x24],ecx ; ... unless capacity [esp+0x24] < 16, then the buffer is inline at esp+0x10
00401319 |. 73 04 jnb short CM_250.0040131F ; (matches the MSVC small-string layout: buffer at +0, size at +0x10, capacity at +0x14)
0040131B |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0040131F |> 8A9424 8D0000>mov dl,byte ptr ss:[esp+0x8D] ; str[0] = input[9] (10th char)
00401326 |. 8810 mov byte ptr ds:[eax],dl
00401328 |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10] ; same inline-vs-heap selection repeated before each byte store
0040132C |. 394C24 24 cmp dword ptr ss:[esp+0x24],ecx
00401330 |. 73 04 jnb short CM_250.00401336
00401332 |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
00401336 |> 8A9424 8E0000>mov dl,byte ptr ss:[esp+0x8E] ; str[1] = input[10] (11th char)
0040133D |. 8850 01 mov byte ptr ds:[eax+0x1],dl
00401340 |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10]
00401344 |. 394C24 24 cmp dword ptr ss:[esp+0x24],ecx
00401348 |. 73 04 jnb short CM_250.0040134E
0040134A |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0040134E |> 8A9424 8F0000>mov dl,byte ptr ss:[esp+0x8F] ; str[2] = input[11] (12th char)
00401355 |. 8850 02 mov byte ptr ds:[eax+0x2],dl
00401358 |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10]
0040135C |. 394C24 24 cmp dword ptr ss:[esp+0x24],ecx
00401360 |. 73 04 jnb short CM_250.00401366
00401362 |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
00401366 |> 8A9424 900000>mov dl,byte ptr ss:[esp+0x90] ; str[3] = input[12] (13th char)
0040136D |. 8850 03 mov byte ptr ds:[eax+0x3],dl
00401370 |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10]
00401374 |. 394C24 24 cmp dword ptr ss:[esp+0x24],ecx
00401378 |. 73 04 jnb short CM_250.0040137E
0040137A |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
0040137E |> 8A8C24 910000>mov cl,byte ptr ss:[esp+0x91] ; str[4] = input[13] (14th char)
00401385 |. 8848 04 mov byte ptr ds:[eax+0x4],cl
00401388 |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10] ; the "AAAAA" string now holds input[9..13]
0040138C |. 8D7424 2C lea esi,dword ptr ss:[esp+0x2C] ; copy it to esp+0x2C (004015C0 appears to be a string copy, eax = src, esi = dst)
00401390 |. E8 2B020000 call CM_250.004015C0
00401395 |. 83EC 1C sub esp,0x1C ; reserve a 0x1C-byte by-value string argument on the stack
00401398 |. C68424 340100>mov byte ptr ss:[esp+0x134],0x2
004013A0 |. 8D4424 64 lea eax,dword ptr ss:[esp+0x64] ; after the sub this is the old esp+0x48: the "v2kpn" string
004013A4 |. 8BF4 mov esi,esp
004013A6 |. 8DBC24 800000>lea edi,dword ptr ss:[esp+0x80] ; old esp+0x64: the {1,2,3,4,5} delta table, handed to 00401040 in edi
004013AD |. 896424 28 mov dword ptr ss:[esp+0x28],esp
004013B1 |. E8 0A020000 call CM_250.004015C0 ; copy "v2kpn" into the first argument slot
004013B6 |. 83EC 1C sub esp,0x1C ; second by-value string argument
004013B9 |. C68424 500100>mov byte ptr ss:[esp+0x150],0x3
004013C1 |. 8D4424 64 lea eax,dword ptr ss:[esp+0x64] ; after two subs this is the old esp+0x2C: the copy of input[9..13]
004013C5 |. 8BF4 mov esi,esp
004013C7 |. 89A424 B00000>mov dword ptr ss:[esp+0xB0],esp
004013CE |. E8 ED010000 call CM_250.004015C0 ; copy it into the lowest slot (becomes [arg.1] in 00401040; "v2kpn" becomes [arg.8])
004013D3 |. C68424 500100>mov byte ptr ss:[esp+0x150],0x2
004013DB |. E8 60FCFFFF call CM_250.00401040 ; checks input[9..13] against "v2kpn" using the delta table; the loop is shown below
第五波验证(第十位到第十四位的运算)
重点代码如下
发现之前的 v2kpn 是 .data 里的常量串(0x403188),不是由输入算出来的
分析汇编代码可得出:输入的第十到十四位逐字节减去 v2kpn 的对应字符,差值必须依次等于 1、2、3、4、5,否则跳到 error
那么 v2kpn 各字符分别 +1、+2、+3、+4、+5 就是第十位到十四位的正确字符,即 w4nts
00401050 |> /8B75 08 /mov esi,[arg.1] ; esi = data pointer of the first string argument (input[9..13], per the caller's pushes)
00401053 |. |83FB 10 |cmp ebx,0x10 ; ebx presumably holds that string's capacity (loaded before this excerpt)
00401056 |. |73 03 |jnb short CM_250.0040105B
00401058 |. |8D75 08 |lea esi,[arg.1] ; capacity < 16: buffer is stored inline in the object
0040105B |> |837D 38 10 |cmp [arg.13],0x10 ; same selection for the second string ("v2kpn"); arg.13 is its capacity field
0040105F |. |8B4D 24 |mov ecx,[arg.8]
00401062 |. |73 03 |jnb short CM_250.00401067
00401064 |. |8D4D 24 |lea ecx,[arg.8]
00401067 |> |0FBE0C01 |movsx ecx,byte ptr ds:[ecx+eax] ; ecx = (int)"v2kpn"[eax]
0040106B |. |0FBE3406 |movsx esi,byte ptr ds:[esi+eax] ; esi = (int)input[9+eax]
0040106F |. |2BF1 |sub esi,ecx ; esi = input[9+eax] - "v2kpn"[eax]
00401071 |. |3B3487 |cmp esi,dword ptr ds:[edi+eax*4] ; must equal delta[eax] = eax+1 (table {1,2,3,4,5} set up by the caller)
00401074 |75 40 |jnz short CM_250.004010B6 ; mismatch -> error; hence input[9+i] == "v2kpn"[i] + (i+1), i.e. "w4nts"
00401076 |. |40 |inc eax
00401077 |. |3BC2 |cmp eax,edx ; edx = last index (set before this excerpt)
00401079 |.^\7E D5 \jle short CM_250.00401050
继续分析,关键代码如下
第六波验证(第十九位到二十一位拼成的三字符串与常量比较,作者得出应为 34t)
0040142A |> \8A8424 980000>mov al,byte ptr ss:[esp+0x98] ; al = input[20] (21st char)
00401431 |. 8A8C24 960000>mov cl,byte ptr ss:[esp+0x96] ; cl = input[18] (19th char)
00401438 |. 8A9424 970000>mov dl,byte ptr ss:[esp+0x97] ; dl = input[19] (20th char)
0040143F |. 884424 0E mov byte ptr ss:[esp+0xE],al ; pack them in order into a 3-char local string at esp+0xC: input[18],input[19],input[20]
00401443 |. 8D4424 0C lea eax,dword ptr ss:[esp+0xC] ; eax = that local string, first operand of the compare below
00401447 |. 884C24 0C mov byte ptr ss:[esp+0xC],cl
0040144B |. 885424 0D mov byte ptr ss:[esp+0xD],dl
0040144F |. C64424 0F 00 mov byte ptr ss:[esp+0xF],0x0 ; NUL terminator
00401454 |. E8 A7FCFFFF call CM_250.00401100 ; string compare (loop shown below); its second operand is loaded inside, outside this excerpt
00401459 |. 84C0 test al,al
0040145B |. 75 16 jnz short CM_250.00401473 ; al != 0 -> next stage; the fall-through is the error path
关键call代码如下:
00401110 |> /8A10 /mov dl,byte ptr ds:[eax] ; strcmp-style loop, two bytes per iteration: eax = input[18..20], ecx = reference string
00401112 |. |3A11 |cmp dl,byte ptr ds:[ecx] ; (ecx is set before 00401110 and not shown here; the author reports the reference as "34t")
00401114 |75 21 |jnz short CM_250.00401137 ; mismatch -> not-equal exit
00401116 |. |84D2 |test dl,dl
00401118 |. |74 12 |je short CM_250.0040112C ; both strings ended -> equal exit
0040111A |. |8A50 01 |mov dl,byte ptr ds:[eax+0x1]
0040111D |. |3A51 01 |cmp dl,byte ptr ds:[ecx+0x1]
00401120 |75 15 |jnz short CM_250.00401137
00401122 |. |83C0 02 |add eax,0x2
00401125 |. |83C1 02 |add ecx,0x2
00401128 |. |84D2 |test dl,dl
0040112A |.^\75 E4 \jnz short CM_250.00401110 ; continue until the NUL terminator
继续分析
第七波验证(给定字符串 T0L41t17 的拆分验证:第十六、十七位与 T0 比较,第二十三到二十八位与 L41t17 比较)
00401473 |> \0FB68424 9300>movzx eax,byte ptr ss:[esp+0x93] ; gather eight input bytes into a local string at esp+0x78
0040147B |. 0FB68C24 9F00>movzx ecx,byte ptr ss:[esp+0x9F]
00401483 |. 0FB69424 9E00>movzx edx,byte ptr ss:[esp+0x9E]
0040148B |. 884424 78 mov byte ptr ss:[esp+0x78],al ; local[0] = input[15] (16th char)
0040148F |. 0FB68424 9D00>movzx eax,byte ptr ss:[esp+0x9D]
00401497 |. 884C24 7F mov byte ptr ss:[esp+0x7F],cl ; local[7] = input[27] (28th char)
0040149B |. 0FB68C24 9C00>movzx ecx,byte ptr ss:[esp+0x9C]
004014A3 |. 884424 7D mov byte ptr ss:[esp+0x7D],al ; local[5] = input[25] (26th char)
004014A7 |. 0FB68424 9A00>movzx eax,byte ptr ss:[esp+0x9A]
004014AF |. 884C24 7C mov byte ptr ss:[esp+0x7C],cl ; local[4] = input[24] (25th char)
004014B3 |. 0FB68C24 9400>movzx ecx,byte ptr ss:[esp+0x94]
004014BB |. 885424 7E mov byte ptr ss:[esp+0x7E],dl ; local[6] = input[26] (27th char)
004014BF |. 0FB69424 9B00>movzx edx,byte ptr ss:[esp+0x9B]
004014C7 |. 884424 7A mov byte ptr ss:[esp+0x7A],al ; local[2] = input[22] (23rd char)
004014CB |. 884C24 79 mov byte ptr ss:[esp+0x79],cl ; local[1] = input[16] (17th char)
004014CF |. 885424 7B mov byte ptr ss:[esp+0x7B],dl ; local[3] = input[23] (24th char)
004014D3 |. C68424 800000>mov byte ptr ss:[esp+0x80],0x0 ; NUL terminator; local = input[15], input[16], input[22..27]
004014DB |. B9 98314000 mov ecx,CM_250.00403198 ; ecx = constant "T0L41t17"
004014E0 |. 8D4424 78 lea eax,dword ptr ss:[esp+0x78] ; eax = the gathered local string
004014E4 |> 8A10 /mov dl,byte ptr ds:[eax] ; same two-bytes-per-iteration strcmp loop as at 00401110
004014E6 |. 3A11 |cmp dl,byte ptr ds:[ecx] ; so input[15..16] must be "T0" and input[22..27] must be "L41t17"
004014E8 75 1A |jnz short CM_250.00401504 ; mismatch -> non-zero result
004014EA |. 84D2 |test dl,dl
004014EC |. 74 12 |je short CM_250.00401500 ; both ended -> zero result
004014EE |. 8A50 01 |mov dl,byte ptr ds:[eax+0x1]
004014F1 |. 3A51 01 |cmp dl,byte ptr ds:[ecx+0x1]
004014F4 75 0E |jnz short CM_250.00401504
004014F6 |. 83C0 02 |add eax,0x2
004014F9 |. 83C1 02 |add ecx,0x2
004014FC |. 84D2 |test dl,dl
004014FE |.^ 75 E4 \jnz short CM_250.004014E4
00401500 |> 33C0 xor eax,eax ; equal: eax = 0
00401502 |. EB 05 jmp short CM_250.00401509
00401504 |> 1BC0 sbb eax,eax ; not equal: eax = -CF from the failed cmp ...
00401506 |. 83D8 FF sbb eax,-0x1 ; ... then eax = -1 or +1 (usual strcmp sign idiom); non-zero either way
00401509 |> 85C0 test eax,eax
0040150B |. 75 15 jnz short CM_250.00401522 ; non-zero -> error branch; zero falls through to the success message
分析到下列代码
发现所有验证结束
出现you are right!提示成功
0040150B |. /75 15 jnz short CM_250.00401522 ; (repeated from above) non-zero compare result -> error branch
0040150D |. |8B15 44304000 mov edx,dword ptr ds:[<&MSVCP100.?endl@s>; success path: set up cout << "You are right!" << endl
00401513 |. |A1 70304000 mov eax,dword ptr ds:[<&MSVCP100.?cout@s>
00401518 |. |52 push edx
00401519 |. |51 push ecx
0040151A |. |68 A4314000 push CM_250.004031A4 ; "You are right!"
0040151F |. |50 push eax
00401520 |. |EB 14 jmp short CM_250.00401536 ; jump to the shared output code (not shown)
00401522 |> \8B0D 44304000 mov ecx,dword ptr ds:[<&MSVCP100.?endl@s>; error path: same output sequence with "Error!"
00401528 |. 8B15 70304000 mov edx,dword ptr ds:[<&MSVCP100.?cout@s>; cout
0040152E |. 51 push ecx
0040152F |. 51 push ecx
00401530 |. 68 78314000 push CM_250.00403178 ; "Error!"
总结出key为 CUIT{Y0u_w4nts_T0_34t_L41t17}(共 29 个字符,正好满足第一波的长度检查和第 29 位为 } 的要求)
这个题其实也不难,比较考耐心,大多都是寄存器里面的值进行比较