-
-
[原创]看雪CTF2016 第五题
-
发表于: 2016-11-10 15:14
-
终于迎来一个正常的普通的CM。
直接扔进IDA, 然后F5,在DialogFunc函数中:
直接抠出 sub_401000() 的汇编代码,和 sub_4010C0()的F5后的伪代码,然后就得到了暴力的注册码计算器:
编译,运行得到注册码:
771535
直接扔进IDA, 然后F5,在DialogFunc函数中:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 | v6 = SendMessageA(v5, 0xDu, 0xFFu, (LPARAM)lParam); v7 = 0; if ( v6 ) { while ( 1 ) { v8 = lParam[v7]; if ( v8 < 48 || v8 > 57 ) // 只能输入数字 break; ++v7; if ( v7 >= v6 ) goto LABEL_11; } v4 = 0; }LABEL_11: if ( v6 == 6 && v4 ) //长度为4 { sub_401000((int)lParam, 6); // 一些计算 if ( sub_4010C0() ) //检测 { v9 = GetDlgItem(hDlg, 1001); EnableWindow(v9, 0); v10 = GetDlgItem(hDlg, 1002); EnableWindow(v10, 0); ((void (__cdecl *)(HWND, LRESULT (__stdcall *)(HWND, UINT, WPARAM, LPARAM)))byte_406030)(hDlg, SendMessageA); } sub_401000((int)lParam, 6); //还原Table |
直接抠出 sub_401000() 的汇编代码,和 sub_4010C0()的F5后的伪代码,然后就得到了暴力的注册码计算器:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 | #include <stdio.h>#include <string.h> unsigned char byte_406030[1000]="\xF4\x12\x9D\x60\x45\xF8\x20\x6A\x6F\x67\x04\x71\xC0\x9B\x0C\x5A" "\x1D\x18\x6C\x96\x69\x01\x1C\xF4\x7F\x28\x5A\xFB\x29\x07\x40\x8B" "\xD3\xE1\xB1\x12\xFB\xCA\x7C\x89\xB9\x5A\x30\x70\x9D\x95\x2B\x95" "\x3C\x8D\x2E\x45\xEF\x70\xC6\xA3\xB9\xB2\x5A\x63\x5F\x03\x33\xB8" "\x64\x4A\x8F\xBC\xF7\x91\x69\x6A\x56\x2E\xD4\x6E\x82\x93\xE9\x76" "\xDC\xA3\x6C\x5E\x6B\x72\x64\x37\xE7\x15\x17\xAC\x64\x78\xD5\x4A" "\x60\x2D\xF0\x54\xA6\xF3\xE8\xE0\xE0\xB9\x8F\x85\x90\xE4\xEA\xD6" "\xBB\xB7\x15\x9E\x2A\x44\xE7\x31\x63\xAC\x80\x6C\x34\x82\xE9\xCF";signed int __cdecl sub_401000(char * a1, int a2){__asm{ pop edi ;栈平行 pop esi ;栈平行 pop ebx ;栈平行 add esp,40h ;栈平行 cmp ebp,esp ;栈平行 mov esp,ebp ;栈平行 pop ebp ;栈平行 sub esp,0x108 ;以下是从sub_40100抠出的汇编代码 push ebx push ebp push esi push edi xor edx,edx mov ecx,0x3F xor eax,eax lea edi,dword ptr ss:[esp+0x19] mov byte ptr ss:[esp+0x18],dl rep stos dword ptr es:[edi] stos word ptr es:[edi] stos byte ptr es:[edi] lea edi,dword ptr ss:[esp+0x18] xor eax,eax _00401026: mov byte ptr ss:[esp+eax+0x18],al inc eax cmp eax,0x100 jl short _00401026 mov ebp,dword ptr ss:[esp+0x120] xor eax,eax mov dword ptr ss:[esp+0x10],0x100 _00401043:mov esi,dword ptr ss:[esp+0x11C] mov cl,byte ptr ds:[edi] mov bl,byte ptr ds:[eax+esi] add bl,cl add dl,bl inc eax mov byte ptr ss:[esp+0x14],dl mov esi,dword ptr ss:[esp+0x14] and esi,0xFF cmp eax,ebp mov bl,byte ptr ss:[esp+esi+0x18] lea esi,dword ptr ss:[esp+esi+0x18] mov byte ptr ds:[edi],bl mov byte ptr ds:[esi],cl jnz short _00401074 xor eax,eax _00401074: mov ecx,dword ptr ss:[esp+0x10] inc edi dec ecx mov dword ptr ss:[esp+0x10],ecx jnz short _00401043 xor eax,eax lea ecx,dword ptr ss:[esp+0x117] _00401089: mov dl,byte ptr ss:[esp+eax+0x18] mov bl,byte ptr ds:[ecx] add dl,bl mov bl,byte ptr ds:[eax+byte_406030] xor bl,dl mov byte ptr ds:[eax+byte_406030],bl inc eax dec ecx cmp eax,0x80 jl short _00401089 pop edi pop esi pop ebp pop ebx add esp,0x108 retn}}//sub_4010c0直接从IDA 里的F5出来的代码int sub_4010c0(){ __int64 v0; // rdi@1 signed int v1; // ecx@1 v0 = 0i64; v1 = 0; do v0 += (unsigned __int8)byte_406030[v1++]; while ( v1 < 128 ); return (v0 == 10617);}int main(void){ char str[256]="\x00"; int i=0; for(i=0;i<999999;i++) { sprintf(str,"%06d",i); sub_401000(str,6); if(sub_4010c0()) { printf("sn: %s\n",str); break; } sub_401000(str, 6); } return 0;} |
编译,运行得到注册码:
771535
|
|
|---|---|
