Graduation matters have kept me busy lately; the crackme writeups I still owe will be posted one by one.
A disclaimer first: cracking this one quickly was pure luck. The 6th-order magic square used to decode the serial is the very first one I found on Baidu... I guess most of the time would otherwise go into searching for a 6th-order magic square.
For question 28, first disable the PE's base address randomization (ASLR).
Notes:
1. All addresses below are the addresses after base address randomization has been disabled.
2. Indices are 0-based.
3. All numbers below are hexadecimal.
4. The input string is called Input.
5. The sample yields two lua files; I have uploaded them as attachments.
401000 is a decryption function that is called 3 times; once all 3 decryptions succeed, the crack is half done.
The 1st call decrypts a PE image, using Input[28] as the key. Brute-force it; the byte must be 'I'.
At this point the PE image can be dumped and its export table inspected with LordPE; the export table is the key piece.
Then work through the function at 4012EE: it is doing GetProcAddress, matching ordinals to function names via the export table obtained above.
Then comes the 2nd decryption.
The 2nd call decrypts lua bytecode, using Input[1E], Input[2E] and Input[3A] as the key. This can also be brute-forced: watch the return value of luaL_loadbufferx below. It can also be found by trial, because in 4012EE only entries 3, 4 and 6 are left unfilled; just try them one by one.
Copy the decrypted data out directly (WinHex works best) and save it as a .lua file. Note that this is bytecode; to turn it into lua source you need a lua decompiler. I did not save the Baidu page, I found the tool on 3dm... the tool is UnluacGUi 6_13, someone built a GUI for it.
Name the converted file 1.lua. What 1.lua does is base64-decode the whole of Input (note that we do not type the two trailing '=' signs; the program appends them for us). So now it is clear: what we type is a base64 encoding (without the '=' padding).
After decoding it checks whether the length is 2E, then takes the first 10 bytes and checks whether they are .try2crack (note the leading dot); if so, the 3rd decryption runs.
The 3rd call also decrypts lua bytecode, this time with an MD5 computed from try2crack as the key, so brute-forcing that MD5 is a trap. Run .try2crack through any online base64 encoder to see what it encodes to, and the correct key for the 3rd call can be worked out by trial.
Decrypt the lua bytecode and convert it with the tool again to get 2.lua. What it does is look for a 6th-order magic square, using the trailing 0x24 bytes of the 2E-byte string obtained in 1.lua, which is exactly a 6x6 magic square. I got lucky and the first one I found worked; the URL is:
http://www.zybang.com/question/1a73d61683e62ffd205739ce14fd3db7.html
How the correct sn is computed from .try2crack combined with the magic square values; source below (the base64 encode/decode source was found online, I forgot the URL...):
```c
#include <stdio.h>
#include <string.h>

/* Win32 typedefs so this builds without windows.h */
typedef unsigned char BYTE;
typedef unsigned long DWORD;

static const char *codes =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* decode table: 255 = invalid character, 253 = whitespace to skip, 254 = '=' padding */
static const unsigned char map[256] = {
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 253, 255,
255, 253, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 253, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 62, 255, 255, 255, 63,
52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 255, 255,
255, 254, 255, 255, 255, 0, 1, 2, 3, 4, 5, 6,
7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
19, 20, 21, 22, 23, 24, 25, 255, 255, 255, 255, 255,
255, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36,
37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
255, 255, 255, 255 };

/* standard base64 encoder; out must hold 4*((len+2)/3)+1 bytes */
int base64_encode(const unsigned char *in, unsigned long len,
unsigned char *out)
{
unsigned long i, len2, leven;
unsigned char *p;
/* valid output size ? */
len2 = 4 * ((len + 2) / 3);
(void)len2;
p = out;
leven = 3*(len / 3);
for (i = 0; i < leven; i += 3) {
*p++ = codes[in[0] >> 2];
*p++ = codes[((in[0] & 3) << 4) + (in[1] >> 4)];
*p++ = codes[((in[1] & 0xf) << 2) + (in[2] >> 6)];
*p++ = codes[in[2] & 0x3f];
in += 3;
}
/* Pad it if necessary... */
if (i < len) {
unsigned a = in[0];
unsigned b = (i+1 < len) ? in[1] : 0;
unsigned c = 0;
*p++ = codes[a >> 2];
*p++ = codes[((a & 3) << 4) + (b >> 4)];
*p++ = (i+1 < len) ? codes[((b & 0xf) << 2) + (c >> 6)] : '=';
*p++ = '=';
}
/* append a NULL byte */
*p = '\0';
return p - out;
}

/* standard base64 decoder; returns the decoded length or -1 on an invalid character */
int base64_decode(const unsigned char *in, unsigned char *out)
{
unsigned long t, x, y, z;
unsigned char c;
int g = 3;
for (x = y = z = t = 0; in[x]!=0;) {
c = map[in[x++]];
if (c == 255) return -1;
if (c == 253) continue;
if (c == 254) { c = 0; g--; }
t = (t<<6)|c;
if (++y == 4) {
// if (z + g > *outlen) { return CRYPT_BUFFER_OVERFLOW; }
out[z++] = (unsigned char)((t>>16)&255);
if (g > 1) out[z++] = (unsigned char)((t>>8)&255);
if (g > 2) out[z++] = (unsigned char)(t&255);
y = t = 0;
}
}
// if (y != 0) {
// return -1;
// }
return z;
}

/* 6th-order magic square (every row, column and diagonal sums to 111) */
BYTE g_ary_Test[36] = {
35, 1 , 6 , 26, 19, 24,
3 , 32, 7 , 21, 23, 25,
31, 9 , 2 , 22, 27, 20,
8 , 28, 33, 17, 10, 15,
30, 5 , 34, 12, 14, 16,
4, 36, 29, 13, 18, 11
};

/* offset added to every square entry; 0 means the square is used as is */
#define MY_BASE 0

void mySort(BYTE* pszArg)
{
DWORD dwIndex = 0;
if (MY_BASE <= 219) {
do {
g_ary_Test[dwIndex] = g_ary_Test[dwIndex] + MY_BASE;
dwIndex++;
} while (dwIndex < 36);
}
/* 10-byte ".try2crack" prefix followed by 36 placeholder bytes, 46 bytes in total */
BYTE szBuf[47] = ".try2crack ////// ......aaaaaa";
/* try the magic square: overwrite the 36 bytes after the prefix */
memcpy(szBuf + 10, g_ary_Test, 36);
BYTE szBufEncode[0x100] = "\0";
base64_encode(szBuf, 46, szBufEncode);
/* the key bytes Input[1E], Input[28], Input[2E], Input[3A] must come out as '8', 'I', '4', '0' */
if (szBufEncode[30] == '8' && szBufEncode[40] == 'I' && szBufEncode[46] == '4' && szBufEncode[58] == '0') {
memcpy(pszArg, szBufEncode, 0x99);
return;
}
}

int main(int argc, char* argv[])
{
BYTE szBuf1[0x100] = "\0";
mySort(szBuf1);
/* prints the serial with its trailing "==", which are not typed into the crackme */
printf("%s\n", szBuf1);
return 0;
}
```
The final correct sn is LnRyeTJjcmFjayMBBhoTGAMgBxUXGR8JAhYbFAgcIREKDx4FIgwOEAQkHQ0SCw
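To tie the pieces together, here is an added Python check (my own code, not the crackme's lua or the keygen above) that re-implements the validation chain described in this writeup, plus the inverse keygen step: it checks the four key-byte positions, appends the '==' padding, base64-decodes, checks the 2E length and the .try2crack prefix, and verifies that the trailing 0x24 bytes form a 6x6 magic square. It assumes the standard magic-square definition (rows, columns and both diagonals sum to 111); the writeup does not say exactly which sums 2.lua checks.

```python
import base64

# Values taken from the writeup: prefix, decoded length and the key-byte
# positions/characters that the three decryption stages require.
PREFIX = b".try2crack"
DECODED_LEN = 0x2E
KEY_CHARS = {0x28: "I", 0x1E: "8", 0x2E: "4", 0x3A: "0"}

# The 6x6 magic square the writeup found and the serial it produced.
SQUARE = [35, 1, 6, 26, 19, 24, 3, 32, 7, 21, 23, 25,
          31, 9, 2, 22, 27, 20, 8, 28, 33, 17, 10, 15,
          30, 5, 34, 12, 14, 16, 4, 36, 29, 13, 18, 11]
SN = "LnRyeTJjcmFjayMBBhoTGAMgBxUXGR8JAhYbFAgcIREKDx4FIgwOEAQkHQ0SCw"

def is_magic_square(vals, n=6):
    """Permutation of 1..n*n whose rows, columns and both diagonals all sum
    to n*(n*n+1)//2 (111 for n=6). Assumes the standard definition."""
    if sorted(vals) != list(range(1, n * n + 1)):
        return False
    target = n * (n * n + 1) // 2
    rows = [vals[r * n:(r + 1) * n] for r in range(n)]
    cols = [list(c) for c in zip(*rows)]
    diags = [[rows[i][i] for i in range(n)],
             [rows[i][n - 1 - i] for i in range(n)]]
    return all(sum(line) == target for line in rows + cols + diags)

def check_serial(serial):
    """Mirror of the checks described in the writeup; returns (ok, reason)."""
    # Stage 1/2 keys: single characters of the typed serial at fixed offsets.
    if any(serial[i:i + 1] != ch for i, ch in KEY_CHARS.items()):
        return False, "key byte mismatch"
    # 1.lua: the program appends the '==' padding itself, then decodes.
    try:
        data = base64.b64decode(serial + "==", validate=True)
    except ValueError:
        return False, "not base64"
    if len(data) != DECODED_LEN:
        return False, "wrong length"
    if data[:len(PREFIX)] != PREFIX:
        return False, "bad prefix"
    # 2.lua: the trailing 0x24 bytes must be a 6th-order magic square.
    if not is_magic_square(list(data[len(PREFIX):])):
        return False, "not a 6x6 magic square"
    return True, "ok"

def build_serial(square):
    """Keygen direction: base64(prefix + square) with the '=' padding dropped.
    A candidate square still has to satisfy the KEY_CHARS positions."""
    return base64.b64encode(PREFIX + bytes(square)).decode().rstrip("=")
```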