[原创]看雪CTF2016 第五题
发表于: 2016-11-10 15:14 2292
终于迎来一个正常的普通的CM。
直接扔进IDA, 然后F5,在DialogFunc函数中:
直接抠出 sub_401000() 的汇编代码，以及 sub_4010C0() F5 之后的伪代码，就得到了一个暴力枚举注册码的计算器：
编译,运行得到注册码:
771535
直接扔进IDA, 然后F5,在DialogFunc函数中:
v6 = SendMessageA(v5, 0xDu, 0xFFu, (LPARAM)lParam); v7 = 0; if ( v6 ) { while ( 1 ) { v8 = lParam[v7]; if ( v8 < 48 || v8 > 57 ) // 只能输入数字 break; ++v7; if ( v7 >= v6 ) goto LABEL_11; } v4 = 0; } LABEL_11: if ( v6 == 6 && v4 ) //长度为4 { sub_401000((int)lParam, 6); // 一些计算 if ( sub_4010C0() ) //检测 { v9 = GetDlgItem(hDlg, 1001); EnableWindow(v9, 0); v10 = GetDlgItem(hDlg, 1002); EnableWindow(v10, 0); ((void (__cdecl *)(HWND, LRESULT (__stdcall *)(HWND, UINT, WPARAM, LPARAM)))byte_406030)(hDlg, SendMessageA); } sub_401000((int)lParam, 6); //还原Table
直接抠出 sub_401000() 的汇编代码，以及 sub_4010C0() F5 之后的伪代码，就得到了一个暴力枚举注册码的计算器：
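#include <stdio.h>
#include <string.h>

/*
 * The 128 bytes copied from the target's data at 0x406030 (kept padded to
 * 1000 bytes as in the writeup; only the first 128 are ever touched).
 * sub_401000() XORs these bytes in place. In the real binary DialogFunc then
 * calls the decrypted buffer as code, so the serial doubles as the decryption
 * key for that payload; this brute-forcer only checksums the bytes and never
 * executes them.
 */
unsigned char byte_406030[1000] =
    "\xF4\x12\x9D\x60\x45\xF8\x20\x6A\x6F\x67\x04\x71\xC0\x9B\x0C\x5A"
    "\x1D\x18\x6C\x96\x69\x01\x1C\xF4\x7F\x28\x5A\xFB\x29\x07\x40\x8B"
    "\xD3\xE1\xB1\x12\xFB\xCA\x7C\x89\xB9\x5A\x30\x70\x9D\x95\x2B\x95"
    "\x3C\x8D\x2E\x45\xEF\x70\xC6\xA3\xB9\xB2\x5A\x63\x5F\x03\x33\xB8"
    "\x64\x4A\x8F\xBC\xF7\x91\x69\x6A\x56\x2E\xD4\x6E\x82\x93\xE9\x76"
    "\xDC\xA3\x6C\x5E\x6B\x72\x64\x37\xE7\x15\x17\xAC\x64\x78\xD5\x4A"
    "\x60\x2D\xF0\x54\xA6\xF3\xE8\xE0\xE0\xB9\x8F\x85\x90\xE4\xEA\xD6"
    "\xBB\xB7\x15\x9E\x2A\x44\xE7\x31\x63\xAC\x80\x6C\x34\x82\xE9\xCF";

enum {
    SBOX_SIZE = 256,    /* state array at [esp+0x18], 0x100 bytes */
    TABLE_BYTES = 128,  /* second loop of sub_401000 runs while eax < 0x80 */
    TARGET_SUM = 10617  /* constant compared by sub_4010c0 */
};

/*
 * Portable C port of sub_401000. The writeup pasted the routine as an MSVC
 * __asm{} block and used pop/add-esp tricks to discard the compiler's own
 * prologue, which only works in a 32-bit MSVC debug build; this version does
 * the same work in plain C.
 *
 * The routine is an RC4-style key schedule: S is initialised to 0..255 and
 * shuffled with the key a1[0..a2-1] (the key index wraps at a2); then each of
 * the first 128 table bytes is XORed with (S[i] + S[255 - i]) & 0xFF.
 * The XOR mask depends only on the key, so calling the routine twice with the
 * same key restores the table -- main() relies on that to undo a candidate.
 *
 * a1: key bytes (the candidate serial); at least a2 bytes must be readable.
 * a2: key length. The original never checks it; a2 <= 0 (or a NULL key) is
 *     rejected here instead of reading past the key.
 * Returns 128, the value eax holds at the original routine's retn.
 */
signed int sub_401000(char *a1, int a2)
{
    unsigned char s[SBOX_SIZE];
    unsigned char j = 0; /* dl in the original: 8-bit accumulator */
    int k = 0;           /* eax in the first loop: index into the key */

    if (a1 == NULL || a2 <= 0) {
        return TABLE_BYTES;
    }

    for (int i = 0; i < SBOX_SIZE; i++) {
        s[i] = (unsigned char)i;
    }

    /* Key-scheduling pass: 256 iterations, one per table position. */
    for (int pos = 0; pos < SBOX_SIZE; pos++) {
        j = (unsigned char)(j + s[pos] + (unsigned char)a1[k]);
        unsigned char tmp = s[pos];
        s[pos] = s[j];
        s[j] = tmp;
        if (++k == a2) {
            k = 0;
        }
    }

    /* Mask the first 128 table bytes with S[i] + S[255 - i]. */
    for (int i = 0; i < TABLE_BYTES; i++) {
        byte_406030[i] ^= (unsigned char)(s[i] + s[SBOX_SIZE - 1 - i]);
    }
    return TABLE_BYTES;
}

/*
 * sub_4010C0 as decompiled by IDA, with the MSVC-only types (__int64, 0i64)
 * replaced by standard C. Sums the first 128 table bytes and reports whether
 * the sum equals 10617. This is a plain byte sum, not a unique fingerprint of
 * the key; in the real binary it gates whether the decrypted bytes are run.
 *
 * Returns 1 if the checksum matches, 0 otherwise.
 */
int sub_4010c0(void)
{
    unsigned long sum = 0;
    for (int i = 0; i < TABLE_BYTES; i++) {
        sum += byte_406030[i];
    }
    return sum == TARGET_SUM;
}

/*
 * Brute force: try every 6-digit serial (DialogFunc accepts exactly six
 * digits), apply the key schedule, test the checksum, and undo the XOR so the
 * next candidate starts from the untouched table.
 */
int main(void)
{
    char str[16];

    /* 000000 .. 999999 inclusive; the original loop stopped at 999998. */
    for (int i = 0; i < 1000000; i++) {
        snprintf(str, sizeof str, "%06d", i);
        sub_401000(str, 6);
        if (sub_4010c0()) {
            printf("sn: %s\n", str);
            break;
        }
        sub_401000(str, 6); /* same key again: XOR mask cancels, table restored */
    }
    return 0;
}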
编译,运行得到注册码:
771535