[原创]看雪CTF2017第5题
2017-6-9 17:23 2880
1. 去除驱动反调试
.text:0001071A ; int __stdcall fn_DeviceControl(int, PIRP Irp)
...
.text:00010731 mov eax, [eax+0Ch]       ; NOTE(review): presumably the IOCTL code out of the I/O stack location -- confirm
.text:00010734 sub eax, 222004h         ; eax -= 0x222004; zero below means the IOCTL matched
.text:00010739 mov ecx, [esi+0Ch]
.text:0001073C jz short loc_1076A
...
.text:0001076A mov dword_114D8, 1       ; flag set only on the 0x222004 path
.text:00010774 call ds:IoGetCurrentProcess
.text:0001077A mov g_process, eax       ; keep the caller's process object for later
.text:0001077F call sub_10486           // anti-debug routine (per the writeup): NOP out this call, then recompute the PE header checksum so the patched driver still loads
...
2. 驱动处理逻辑
/* DriverEntry excerpt (decompiler output): IRP dispatch-table setup.
 * Every slot is first pointed at fn_common, then the few handlers the
 * challenge needs are overridden.  Indices follow the WDM IRP_MJ_* numbering. */
memset32(DriverObject->MajorFunction, (int)fn_common, 0x1Bu); /* 0x1B entries -> slots 0..0x1A; NOTE(review): slot 0x1B (IRP_MJ_PNP) is not written here, so it keeps whatever the I/O manager put there -- confirm */
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)fn_null;           /* IRP_MJ_CREATE  (CreateFile); fn_null body not shown in this excerpt */
DriverObject->MajorFunction[3] = (PDRIVER_DISPATCH)fn_read;           /* IRP_MJ_READ    (ReadFile)  -> hands g_digest back to user mode */
DriverObject->MajorFunction[4] = (PDRIVER_DISPATCH)fn_write;          /* IRP_MJ_WRITE   (WriteFile) -> mangles sn, stores its MD5 in g_digest */
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)fn_DeviceControl; /* IRP_MJ_DEVICE_CONTROL (0xE); IOCTL 0x222004 sets dword_114D8 and calls sub_10486 (anti-debug, per the writeup) */
DriverObject->MajorFunction[18] = (PDRIVER_DISPATCH)fn_null;          /* IRP_MJ_CLEANUP (0x12) */
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)fn_null;           /* IRP_MJ_CLOSE */
DriverObject->DriverUnload = (PDRIVER_UNLOAD)fn_unload;
fn_write(应用层WriteFile): 对sn做简单变换(首字节+1, 然后第i字节再加i), 计算变换后字节串的md5保存到g_digest
.text:0001067F push offset g_digest           ; output: 16-byte digest lands in the global g_digest
.text:00010684 push ebx
.text:00010685 call sub_104B6                  ; mangle + MD5 helper, excerpted below
.text:0001050D inc [ebp+sn]                    ; sn[0] += 1
.text:00010510 cmp esi, eax                    ; esi = byte count; NOTE(review): where esi comes from (caller-supplied length?) and whether it is bounded against the stack buffer sn is outside this excerpt -- confirm
.text:00010512 jle short loc_1051D
.text:00010514 add [ebp+eax+sn], al            ; sn[eax] += (eax & 0xff); eax's initial value is not visible here (0 or 1 give the same net result as the script's transform)
.text:00010518 inc eax
.text:00010519 cmp eax, esi
.text:0001051B jl short loc_10514
.text:0001051D lea eax, [ebp+digest]
.text:00010520 push eax
.text:00010521 call md5_init
.text:00010526 lea eax, [ebp+sn]               ; inline strlen(sn): scan to the NUL, eax = length
.text:00010529 lea edx, [eax+1]
.text:0001052C mov cl, [eax]
.text:0001052E inc eax
.text:0001052F test cl, cl
.text:00010531 jnz short loc_1052C
.text:00010533 sub eax, edx
.text:00010535 push eax                        ; len
.text:00010536 lea eax, [ebp+sn]
.text:00010539 push eax                        ; buf (the mangled sn)
.text:0001053A lea eax, [ebp+digest]
.text:0001053D push eax                        ; ctx
.text:0001053E call md5_update
.text:00010543 push ebx
.text:00010544 lea eax, [ebp+digest]
.text:00010547 push eax
.text:00010548 call md5_final
fn_read(应用层ReadFile): 输出g_digest
3. 应用层逻辑
.rdata:0042381C dd offset CXXDlg__OnInitDialog .rdata:00423824 dd offset CXXDlg__OnOK
CXXDlg::OnInitDialog: 释放并加载驱动
CXXDlg::OnOK
sn转小写逆序
.text:004017A2 lea ecx, [esp+2Ch+sn] .text:004017A6 mov [esp+2Ch+var_8], 1 .text:004017AB call lower .text:004017B0 lea ecx, [esp+2Ch+sn] .text:004017B4 call reverse
sn长度6位
.text:004017BE mov ecx, [esp+2Ch+sn] .text:004017C2 mov eax, [eax+4] .text:004017C5 cmp dword ptr [ecx-8], 6 .text:004017C9 jnz loc_4018C2
与驱动通信处理sn
.text:004017E5 mov edx, [esp+2Ch+sn] .text:004017E9 lea ecx, [esp+2Ch+sn] .text:004017ED mov eax, [edx-8] .text:004017F0 push eax ; size_t .text:004017F1 push 0 .text:004017F3 call sub_418263 .text:004017F8 push eax ; char * .text:004017F9 mov ecx, esi .text:004017FB call drv_comm
返回后再计算一次md5
.text:00401829 call md5
取md5十六进制串从下标2开始的10个字符(即 hexdigest[2:12], 对应 sub_415A78(2, 0Ah))与888aeda4ab比较
.text:0040182E push 0Ah .text:00401830 lea eax, [esp+30h+var_18] .text:00401834 push 2 .text:00401836 push eax .text:00401837 lea ecx, [esp+38h+var_1C] .text:0040183B call sub_415A78 ... .text:00401872 mov ecx, [esp+30h+var_1C] .text:00401876 push offset a888aeda4ab .text:0040187B push ecx .text:0040187C call __mbsicmp
4. 穷举(搜索空间 36^6 ≈ 2.18×10^9, 跑了40分钟左右)
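import hashlib
from itertools import product


# Alphabet the sn is drawn from.  The app lower-cases the input before anything
# else (CXXDlg::OnOK), so only digits and lower-case letters need trying.
m = '0123456789abcdefghijklmnopqrstuvwxyz'

# Slice of the final hex digest that the app compares (hexdigest()[2:12]).
TARGET = '888aeda4ab'
# The app rejects any sn whose length is not 6 before talking to the driver.
SN_LEN = 6


def md5(s):
    """Return the lower-case hex MD5 of ``s``.

    ``s`` may be ``str`` (UTF-8 encoded, as in the original script) or
    ``bytes`` (hashed as-is).  The driver hashes the raw bytes it receives,
    so a ``str`` must stay within ASCII for the two to agree; every value
    produced by ``transform`` is at most 'z' + 5 == 0x7f, so that holds here.
    """
    if isinstance(s, str):
        s = s.encode('utf8')
    return hashlib.md5(s).hexdigest()


def transform(s):
    """Replay the driver's fn_write mangling on an (already reversed) sn.

    Per the disassembly: the first byte is incremented once, then every
    byte i gets i added to it.  Exact inverse of ``revert`` apart from the
    string reversal ``revert`` also undoes.
    """
    out = [ord(c) + i for i, c in enumerate(s)]
    if out:
        out[0] += 1
    return ''.join(map(chr, out))


def revert(s):
    """Map a driver-side candidate back to the sn the user typed.

    Undoes ``transform`` (byte 0 -= 1, byte i -= i) and the app-side string
    reversal.  Works for any length, including the empty string; the original
    only handled exactly six characters.
    """
    vals = [ord(c) - i for i, c in enumerate(s)]
    if vals:
        vals[0] -= 1
    return ''.join(map(chr, vals))[::-1]


def solve(target=TARGET, charset=m, length=SN_LEN, verbose=True):
    """Brute-force the sn and return it (``None`` if nothing matches).

    Candidates are enumerated in the same order as the original six nested
    loops (``itertools.product`` is lexicographic over ``charset``), pushed
    through ``transform`` and the double MD5 the driver and app perform, and
    the first one whose ``hexdigest()[2:2+len(target)]`` equals ``target``
    wins.  With ``verbose`` the recovered sn is printed, as the original did.

    The second MD5 is taken over the 32-char hex string of the first, which
    is what the writeup found the app to do; change ``md5(md5(f))`` if a
    target hashes the raw 16-byte digest instead.
    """
    width = len(target)
    # Pre-mangle every alphabet char per position once instead of redoing the
    # chr/ord arithmetic for each of len(charset)**length candidates.
    # Position 0 gets +1 (the inc), position i>=1 gets +i -- i.e. max(i, 1).
    tables = [[chr(ord(c) + max(i, 1)) for c in charset] for i in range(length)]
    for cand in product(*tables):
        f = ''.join(cand)
        if md5(md5(f))[2:2 + width] == target:
            sn = revert(f)
            if verbose:
                print(sn)
            return sn
    return None


if __name__ == '__main__':
    # Guarded so importing this module does not kick off the ~40-minute search.
    print('start')
    solve()
    print('end')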
>>> su1986