[Original] 看雪CTF2016 Challenge 23 Analysis
Posted: 2016-12-16 21:12 (2768)

1. Locating the check
Start with static analysis and browse the sub_ functions one by one; the binary is not packed, so it is fairly easy to read. The following code looked like the key part of the check.
Confirm it with dynamic analysis: change the input and watch whether the operand used by the comparison at cmp [esi+4], 0xe361c2c changes with it. This confirmed that the location really is the check.

2. Working out the data relationship
Looking at the body of the check function, the memory at [esi] (18 consecutive bytes) is in one-to-one correspondence with the input: the characters '0'..'9' map to decimal 0..9, 'a'..'z' to decimal 10..35, and 'A'..'Z' to decimal 36..61. Four of the cmp instructions pin down every character after the first four as IsSerialNumber. Seeing such a tidy string, I guessed the first four characters were "This", but that failed to verify; I also thought of "this" but never tried it (so much regret!!!!), so I kept analysing.
3. Determining the first four characters
After the check function returns, its return value is compared against 0xa466eeef.

The return value is computed inside the check function from the [esi] values that the first four input characters map to; the computation also looks up values in the dword_4121c0 array in memory. The code at the position shown in the figure below was rewritten as C, and the first four characters were brute-forced to find the input that satisfies the condition.

#include <stdio.h>
#include <stdlib.h>

int main()
{
  /* 256-dword lookup table copied from dword_4121c0 in the binary */
  unsigned int table[256] = {
    0x281888d5 ,0x255ed026 ,0x583e486d ,0x2dc6ccf6 ,0x6ce8c0c2 ,0x22ce4c5c ,0xdf8a2ef8 ,0xf0d8cec5 ,
    0xc1304c16 ,0xf0b0c4a3 ,0x75f4c22c ,0x524e9463 ,0x955a20e2 ,0xb07a3c85 ,0x59e49600 ,0x1218f645,
    0xc8646ed4 ,0xc6007c74 ,0xe41c58b7 ,0x4d282c92 ,0x88ca5a87 ,0xf132984c ,0x475369cd ,0x97e7136f ,
    0x574b93db ,0x4d8febad ,0x935d29d9 ,0x3349d3b7 ,0xd2783361 ,0x43575e4e ,0x2ca8846c ,0x71e77cf4,
    0x8e284cda ,0x634d8c36 ,0x4438bb05 ,0x6f21a8f2 ,0x6ed03fad ,0xf56176a8 ,0x543c3b2f ,0x7dad64c6 ,
    0x64b4f197 ,0x87cf7ade ,0x123aed87 ,0x554928ba ,0x96fa1dd3 ,0x6b4daeb6 ,0x1c663404 ,0xc208c6da,
    0x2a4eecc0 ,0x046aea3e ,0x05b95b91 ,0x0543f1d9 ,0xdf17a5a9 ,0xcf3f5b2f ,0xc96b17d9 ,0xe911bd47 ,
    0xc0005439 ,0x2372a4d0 ,0x347c0a10 ,0x0862106c ,0x513e4ec6 ,0xaa9c6ccd ,0x7bea78ea ,0x2a643cd5,
    0x754f4b4d ,0xa8fa8c52 ,0x8a07cd5b ,0x6d407e70 ,0x04ec975f ,0x8dd5c8e4 ,0xe8a8d07d ,0xc14b6b52 ,
    0xd4204aac ,0x83c3b30b ,0xac84b6b0 ,0x8e28c04e ,0x2eb26a2e ,0x304a8862 ,0x3f0389ab ,0xe12bd17b,
    0x59a5b7d3 ,0xe51793bf ,0x17cb2b5d ,0x73350763 ,0x1ae25e8b ,0xc536d2e8 ,0x243214d6 ,0x2a88dcaa ,
    0x5bf43274 ,0x8c5ee815 ,0x03a3772f ,0x4c56209d ,0x147ab1a5 ,0x5e507ef2 ,0x1a987b67 ,0x80f852a2,
    0xa7a3190f ,0x8a4a44d5 ,0xfd33f5cd ,0xb0041049 ,0x4f0d70ea ,0xde1432bd ,0xdaacf4a8 ,0x0e2084f4 ,
    0x0c56e218 ,0x2be4a04a ,0x7b77d1ed ,0x77fb878f ,0x870709d7 ,0x074f2349 ,0x7d57e955 ,0x61e70525,
    0xb287e18b ,0x4b160ae4 ,0xf85e4d07 ,0xb934904e ,0xae2a2f3f ,0x819ec66a ,0x06bcce53 ,0xfb58d64a ,
    0xb868d20f ,0x2bc66aa6 ,0xcee06e9c ,0xb7781656 ,0x74102488 ,0x54c66252 ,0xce00d498 ,0xd66292d6,
    0x7729f341 ,0x4bca1656 ,0x32c0a77d ,0xa0404e5e ,0xa09663cb ,0xaa0cec90 ,0xefcfd7ef ,0xd5cb5bb1 ,
    0x655d6d65 ,0x499139b1 ,0xd1037121 ,0xa38163fd ,0x8ae8285e ,0xb0265898 ,0xa038f864 ,0x440c34f8,
    0x2396c6b0 ,0xbfd3319b ,0x633cf238 ,0x6d8d0bb9 ,0x5e4aa412 ,0xbbc0faf2 ,0xce9844a4 ,0x242254c0 ,
    0xf3ddc519 ,0x48e2cadf ,0x4bad3d69 ,0x0478f631 ,0x0bbb6268 ,0xa48e6ac1 ,0x109e10d8 ,0xd2a61e80,
    0x48e666b1 ,0xb5766a48 ,0x0753c3c5 ,0x1bbdad59 ,0x29895317 ,0x7f059541 ,0x99dd0f51 ,0xcfd3cd0f,
    0x28b7e36f ,0x0ab88e64 ,0xb6c0b3cf ,0x96fec262 ,0x021670dd ,0x9f0d2b0e ,0xb8ac0c5a ,0xab6ffd8f,
    0xe60250ce ,0x159a6844 ,0x563c7a20 ,0x4e144aca ,0x40e05cc2 ,0x8ed40241 ,0x0f70502a ,0x4aa6f9a5 ,
    0x1856409e ,0x6a5e0c95 ,0xf2e474f5 ,0xcedeeee0 ,0x925e99c1 ,0x591cf630 ,0x5bddc935 ,0x71efd309,
    0x838bbdd5 ,0x6beddfc5 ,0x2d3b55ad ,0xd52b05c7 ,0x888e6458 ,0x0a1c365e ,0x0efce0c2 ,0x04841e58 ,
    0xcdacb434 ,0x24bc8c6d ,0xd90f617b ,0xca9ad6cb ,0x9de57f31 ,0x27ea0e42 ,0x63615599 ,0x3decbec2,
    0x5b1d07cb ,0xa91a76ba ,0x680957d3 ,0xebcb9ae4 ,0x10f163c3 ,0x27115a86 ,0x60d77bad ,0x31fb64a6 ,
    0x1cac4de7 ,0xbd094388 ,0x25b1b92f ,0x39410955 ,0x5beb9baf ,0x630b572d ,0x67875103 ,0xd3cfd32f,
    0x145ececb ,0x1f6aa8ce ,0x26c6667c ,0xc6b67eee ,0x19ec6c96 ,0xa006ac87 ,0xf7307ade ,0xa8ea1449 ,
    0x2e14b442 ,0xaa2646a2 ,0x609adc00 ,0x18ee7e92 ,0xb9a0daea ,0x646a0661 ,0x8f1afe14 ,0x8c80daa7,
    0x91ba2e3a ,0x78b8eaf1 ,0x082e7e40 ,0xdaac4444 ,0x2acaa699 ,0x1780fa34 ,0x354d6709 ,0xd1ad9765 ,
    0x3193fb8b ,0x9d5f73cd ,0x7bd5254f ,0x9d398913 ,0xccd41dbf ,0xdb583640 ,0x2e1cc423 ,0x623c424c 
  };
  int a,b,c,d;
  unsigned int tempa, tempb, tempc, tempd;
  int i;
  int myarr[62];   /* maps the 0..61 values at [esi] back to input characters */
  for( i = 0; i < 10; i++ )
    myarr[i] = '0' + i;
  for( i = 10; i < 36; i++ )
    myarr[i] = 'a' + i - 10;
  for( i = 36; i< 62; i++ )
    myarr[i] = 'A' + i -36;
  /* brute-force all 62^4 values of the first four mapped characters */
  for( a = 0; a < 62; a++ )
    for( b = 0; b < 62; b++ )
      for( c = 0; c < 62; c++ )
        for( d = 0; d < 62; d++ )
        {
          tempa = (~a)&0xff;
          if( tempa >= 256 )
            abort();   /* sanity trap (was __asm int 3); cannot fire after the mask */
          tempb = table[tempa];
          tempb = tempb ^ 0xfff;
          tempa = tempb & 0xff;
          tempd = b;
          tempd = tempd ^ tempa;
          tempb = tempb >> 8;
          if( tempd >= 256 )
            abort();
          tempb = tempb ^ table[tempd];
          tempa = tempb & 0xff;
          tempc = c;
          tempc = tempc ^tempa;
          tempb = tempb >> 8;
          if( tempc >= 256 )
            abort();
          tempb = tempb ^ table[tempc];
          tempc = d;
          tempa = tempb & 0xff;
          tempc = tempc ^ tempa;
          tempb = tempb >> 8;
          if( tempc >= 256 )
            abort();
          tempb = tempb ^ table[tempc];
          tempb = ~tempb;
          if( tempb == 0xa466eeef ){   /* the value the caller compares against */
            printf("%c%c%c%c", myarr[a], myarr[b], myarr[c], myarr[d]);
          }
        }
  /* the remaining 14 characters were fixed by the cmp instructions in the check */
  printf("%c%c%c%c", myarr[0x2c], myarr[0x1c], myarr[0x36],myarr[0xe] );
  printf("%c%c%c%c",  myarr[0x1b],myarr[0x12], myarr[0x0a],myarr[0x15] );
  printf("%c%c%c%c", myarr[0x31], myarr[0x1e], myarr[0x16] ,myarr[0xb]);
  printf("%c%c\n", myarr[0xe],myarr[0x1b]);
  system("pause");
  return 0;
}

Output: thisIsSerialNumber
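As an added example (not the write-up's own code), the same 62-character mapping and the same table-driven checksum are factored into functions, and the exhaustive search is checked by hashing a known prefix and recovering one with the same value. The 256 dwords from dword_4121c0 are not repeated here, so a constructed LCG-filled table stands in for them; the names char_to_val, hash4, brute_force and demo_roundtrip are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
/* 62-character alphabet seen in the crackme: '0'-'9' -> 0..9, 'a'-'z' -> 10..35, 'A'-'Z' -> 36..61 */
static int char_to_val(char ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'Z') return ch - 'A' + 36;
    return -1;
}
static char val_to_char(int v) {
    return (char)(v < 10 ? '0' + v : v < 36 ? 'a' + v - 10 : 'A' + v - 36);
}
/* Checksum as the write-up's loop computes it: lookup xor 0xfff, then 3 rounds of h = (h>>8) ^ table[(h&0xff)^byte], complemented. */
static uint32_t hash4(const uint32_t table[256], int a, int b, int c, int d) {
    uint32_t h = table[(~a) & 0xff] ^ 0xfff;
    const int rest[3] = { b, c, d };
    for (int i = 0; i < 3; i++)
        h = (h >> 8) ^ table[(h & 0xff) ^ (uint32_t)rest[i]];   /* index is always < 256 */
    return ~h;
}
/* Exhaustive search of the 62^4 prefixes; returns the match count, first match copied to out. */
static int brute_force(const uint32_t table[256], uint32_t target, char out[5]) {
    int found = 0;
    for (int a = 0; a < 62; a++) for (int b = 0; b < 62; b++)
    for (int c = 0; c < 62; c++) for (int d = 0; d < 62; d++)
        if (hash4(table, a, b, c, d) == target && found++ == 0) {
            out[0] = val_to_char(a); out[1] = val_to_char(b);
            out[2] = val_to_char(c); out[3] = val_to_char(d); out[4] = '\0';
        }
    return found;
}
/* Constructed stand-in for dword_4121c0 (an LCG sequence); the real table is the 256 dwords from the binary. */
static void make_demo_table(uint32_t table[256]) {
    uint32_t x = 0x12345678u;
    for (int i = 0; i < 256; i++) { x = x * 1664525u + 1013904223u; table[i] = x; }
}
/* Round trip: checksum a known prefix, then recover a prefix with the same checksum. Returns 1 on success. */
static int demo_roundtrip(const char *prefix, char out[5]) {
    uint32_t table[256];
    make_demo_table(table);
    uint32_t target = hash4(table, char_to_val(prefix[0]), char_to_val(prefix[1]),
                            char_to_val(prefix[2]), char_to_val(prefix[3]));
    if (brute_force(table, target, out) < 1) return 0;
    return hash4(table, char_to_val(out[0]), char_to_val(out[1]),
                 char_to_val(out[2]), char_to_val(out[3])) == target;
}
int main(void) {
    char out[5]; int ok = demo_roundtrip("this", out);
    printf("ok=%d recovered=\"%s\"\n", ok, out); return 0;
}
```

With the real table pasted into make_demo_table and 0xa466eeef as the target, brute_force performs the same search as the write-up's main().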
