写在前面:最近特忙,不太可能每题都有空参加,能做一题是一题了,文章争取写清楚,论坛有些文字乱码我也不知道怎么办。
下载地址:https://ctf.pediy.com/attach-download-86.htm
一、侦查:无壳 Microsoft Visual C/C++(6.0)[libc],有明确提示成功和失败信息。
二、出坑:OD加载,查找字符,定位到:“You get it!”
三、溢出:00401050 只用 SUB ESP,0xC 预留了 12 字节的栈缓冲区,却用不限长度的 "%s" 格式(00401077 处 CALL 00413D73,应为 scanf)往里读,因此第 13 个字符起就开始覆盖位于 [ESP+0xC] 的返回地址。测试不同输入长度,发现输入 15 个字符时就已经可以覆盖 CALL 00401050 的返回地址:前 12 个字符填满缓冲区,第 13~15 个字符覆盖返回地址的低 3 字节,scanf 补上的结尾 0 正好写入最高字节,于是 RETN 会跳到形如 0x00XXXXXX、低 3 字节完全可控的地址。将断点设在 401083(RETN)观察:
比如输入:123456781111AAA
四、破解:上文已经做好了一切破解的准备,因合法字符要求,现在我们寻找0x413030-0x417a7a之间的可疑过程或函数入口,删除OD模块分析:
很快就看到了 0x413131 这个位置很可疑,花指令一大堆,此地无银三百两嘛。它正对应溢出字符“11A”:'1'=0x31、'1'=0x31、'A'=0x41 按小端序依次写入返回地址的低 3 字节,加上 scanf 补的结尾 0 作为最高字节,就是 0x00413131。现在我们输入“Just0for0fun11A”(为避免啰嗦,直接用正确注册码阐述):
地址 反汇编 文本字符串
00401000 PUSH ctf2017_.0041B06C \n Crackme for CTF2017 @Pediy.\n
0040102F PUSH ctf2017_.0041B05C You get it!\n
0040103F PUSH ctf2017_.0041B038 Bad register-code, keep trying.\n
00401053 PUSH ctf2017_.0041B0AC Coded by Fpc.\n\n
00401060 PUSH ctf2017_.0041B090 Please input your code:
00401072 PUSH ctf2017_.0041B08C %s
00401000 /$ 68 6CB04100 PUSH ctf2017_.0041B06C ; \n Crackme for CTF2017 @Pediy.\n
00401005 |. E8 382D0100 CALL ctf2017_.00413D42
0040100A |. 83C4 04 ADD ESP,0x4
0040100D |. C705 34B04100>MOV DWORD PTR DS:[0x41B034],0x2 ; 2
00401017 |. E8 34000000 CALL ctf2017_.00401050 ; input
0040101C |. E8 6F000000 CALL ctf2017_.00401090 ; check1
00401021 |. E8 BA000000 CALL ctf2017_.004010E0 ; check2
00401026 |. A1 34B04100 MOV EAX,DWORD PTR DS:[0x41B034] ; 0
0040102B |. 85C0 TEST EAX,EAX
0040102D |. 75 10 JNZ Xctf2017_.0040103F
0040102F |. 68 5CB04100 PUSH ctf2017_.0041B05C ; You get it!\n
00401034 |. E8 092D0100 CALL ctf2017_.00413D42
00401039 |. 83C4 04 ADD ESP,0x4
0040103C |. 33C0 XOR EAX,EAX
0040103E |. C3 RETN
0040103F |> 68 38B04100 PUSH ctf2017_.0041B038 ; Bad register-code, keep trying.\n
00401044 |. E8 F92C0100 CALL ctf2017_.00413D42
00401049 |. 83C4 04 ADD ESP,0x4
0040104C |. 33C0 XOR EAX,EAX
0040104E \. C3 RETN
0040104F 90 NOP
00401050 /$ 83EC 0C SUB ESP,0xC
00401053 |. 68 ACB04100 PUSH ctf2017_.0041B0AC ; Coded by Fpc.\n\n
00401058 |. E8 E52C0100 CALL ctf2017_.00413D42
0040105D |. 83C4 04 ADD ESP,0x4
00401060 |. 68 90B04100 PUSH ctf2017_.0041B090 ; Please input your code:
00401065 |. E8 D82C0100 CALL ctf2017_.00413D42
0040106A |. 83C4 04 ADD ESP,0x4
0040106D |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
00401071 |. 50 PUSH EAX
00401072 |. 68 8CB04100 PUSH ctf2017_.0041B08C ; %s
00401077 |. E8 F72C0100 CALL ctf2017_.00413D73
0040107C |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+0x8]
00401080 |. 83C4 14 ADD ESP,0x14
00401083 \. C3 RETN
简单跟踪几步发现 401090、4010E0 为显性算法比较。注意反编译结果里 l32、h32 在函数内从未被赋值,而是直接读取 [ebp-8]/[ebp-4] 这两个栈槽——它们与 00401050 里 scanf 缓冲区处于同一栈深度,所以比较的实际上是注册码残留在栈上的字节(具体对应哪 4 个字符请在调试器中确认)。分析 401090、4010E0:
/* IDA pseudo-code of the first check (0x401090), called from main right
 * after the input routine (CALL at 0x40101C). l32 and h32 are never
 * assigned in this function: they are the raw stack slots [ebp-8]/[ebp-4],
 * which sit at the same stack depth as the 12-byte scanf buffer of
 * sub_401050, so they carry two 4-byte chunks of the registration code
 * (presumably l32 = bytes 0..3 and h32 = bytes 4..7 -- confirm in the
 * debugger). In real C reading them would be undefined behaviour; in the
 * binary it is simply a stale-stack read.
 * The arithmetic is plain 32-bit wraparound in the compiled x86 code (the
 * decompiler's signed int would overflow in C). On success the pass counter
 * dword_41B034 (initialised to 2 at 0x40100D) is decremented; main prints
 * "You get it!" only when both checks have brought it to 0. */
void sub_401090()
{
int l32; // [esp+4h] [ebp-8h]
int h32; // [esp+8h] [ebp-4h]
/* both chunks must be non-zero and distinct, then two affine relations
 * in d = h32 - l32 (mod 2^32) must hold */
if ( h32 && l32 && h32 != l32 && 5 * (h32 - l32) + h32 == 0x8F503A42 && 0xD * (h32 - l32) + l32 == 0xEF503A42 )
--dword_41B034;
}
/* IDA pseudo-code of the second check (0x4010E0), called from main at
 * 0x401021 directly after sub_401090. Same construction as the first
 * check: l32/h32 are never written here and are read straight from the
 * stack slots [ebp-8]/[ebp-4], i.e. the bytes the registration code left
 * behind in sub_401050's scanf buffer (offsets to be confirmed in the
 * debugger). Only the multipliers and target constants differ.
 * Arithmetic wraps at 32 bits in the binary. On success the shared pass
 * counter dword_41B034 is decremented once more; main requires it to be 0
 * (TEST EAX,EAX / JNZ at 0x40102B) for the success message. */
void sub_4010E0()
{
int l32; // [esp+4h] [ebp-8h]
int h32; // [esp+8h] [ebp-4h]
/* non-zero, distinct chunks and two affine relations in
 * d = h32 - l32 (mod 2^32) with multipliers 0x11 and 7 */
if ( h32 && l32 && h32 != l32 && 0x11 * (h32 - l32) + h32 == 0xF3A94883 && 7 * (h32 - l32) + l32 == 0x33A94883 )
--dword_41B034;
}
把输入每4个字符ASCII作为十六进制赋值计算,假设为a,b则:
⑴:0x5 * ( a - b ) + a == 0x8F503A42
⑵:0xD * ( a - b ) + b == 0xEF503A42
⑶:0x11 * ( a - b ) + a == 0xF3A94883
⑷:0x7 * ( a - b ) + b == 0x33A94883
考虑该显性算法只用了加、减、乘三种 32 位回绕运算,没有移位或异或去打乱数值,结果的第 k 位只取决于 a、b 的第 0~k 位,低位特征依然继承到计算结果,因此先求解最低字节,再逐个往高位求解,避免穷举范围过大。不过要注意,按上面抄录的常数,这组低字节约束本身是矛盾的:⑶−⑴ 得 12·(a−b) ≡ 0x41 (mod 256),左边恒为偶数而右边为奇数(⑷−⑵ 同理),所以下面的 solve_false 对默认常数一个解也找不到——这或许正是函数名里 “false” 的由来,也提示仅靠这两处比较可能还不够,溢出跳转到 0x413131 的那段代码同样需要纳入分析:
00401000 /$ 68 6CB04100 PUSH ctf2017_.0041B06C ; \n Crackme for CTF2017 @Pediy.\n
00401005 |. E8 382D0100 CALL ctf2017_.00413D42
0040100A |. 83C4 04 ADD ESP,0x4
0040100D |. C705 34B04100>MOV DWORD PTR DS:[0x41B034],0x2 ; 2
00401017 |. E8 34000000 CALL ctf2017_.00401050 ; input
0040101C |. E8 6F000000 CALL ctf2017_.00401090 ; check1
00401021 |. E8 BA000000 CALL ctf2017_.004010E0 ; check2
00401026 |. A1 34B04100 MOV EAX,DWORD PTR DS:[0x41B034] ; 0
0040102B |. 85C0 TEST EAX,EAX
0040102D |. 75 10 JNZ Xctf2017_.0040103F
0040102F |. 68 5CB04100 PUSH ctf2017_.0041B05C ; You get it!\n
00401034 |. E8 092D0100 CALL ctf2017_.00413D42
00401039 |. 83C4 04 ADD ESP,0x4
0040103C |. 33C0 XOR EAX,EAX
0040103E |. C3 RETN
0040103F |> 68 38B04100 PUSH ctf2017_.0041B038 ; Bad register-code, keep trying.\n
00401044 |. E8 F92C0100 CALL ctf2017_.00413D42
00401049 |. 83C4 04 ADD ESP,0x4
0040104C |. 33C0 XOR EAX,EAX
0040104E \. C3 RETN
0040104F 90 NOP
00401050 /$ 83EC 0C SUB ESP,0xC
00401053 |. 68 ACB04100 PUSH ctf2017_.0041B0AC ; Coded by Fpc.\n\n
00401058 |. E8 E52C0100 CALL ctf2017_.00413D42
0040105D |. 83C4 04 ADD ESP,0x4
00401060 |. 68 90B04100 PUSH ctf2017_.0041B090 ; Please input your code:
00401065 |. E8 D82C0100 CALL ctf2017_.00413D42
0040106A |. 83C4 04 ADD ESP,0x4
0040106D |. 8D4424 00 LEA EAX,DWORD PTR SS:[ESP]
00401071 |. 50 PUSH EAX
00401072 |. 68 8CB04100 PUSH ctf2017_.0041B08C ; %s
00401077 |. E8 F72C0100 CALL ctf2017_.00413D73
0040107C |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+0x8]
00401080 |. 83C4 14 ADD ESP,0x14
00401083 \. C3 RETN
简单跟踪几步发现 401090、4010E0 为显性算法比较。注意反编译结果里 l32、h32 在函数内从未被赋值,而是直接读取 [ebp-8]/[ebp-4] 这两个栈槽——它们与 00401050 里 scanf 缓冲区处于同一栈深度,所以比较的实际上是注册码残留在栈上的字节(具体对应哪 4 个字符请在调试器中确认)。分析 401090、4010E0:
/* IDA pseudo-code of the first check (0x401090), called from main right
 * after the input routine (CALL at 0x40101C). l32 and h32 are never
 * assigned in this function: they are the raw stack slots [ebp-8]/[ebp-4],
 * which sit at the same stack depth as the 12-byte scanf buffer of
 * sub_401050, so they carry two 4-byte chunks of the registration code
 * (presumably l32 = bytes 0..3 and h32 = bytes 4..7 -- confirm in the
 * debugger). In real C reading them would be undefined behaviour; in the
 * binary it is simply a stale-stack read.
 * The arithmetic is plain 32-bit wraparound in the compiled x86 code (the
 * decompiler's signed int would overflow in C). On success the pass counter
 * dword_41B034 (initialised to 2 at 0x40100D) is decremented; main prints
 * "You get it!" only when both checks have brought it to 0. */
void sub_401090()
{
int l32; // [esp+4h] [ebp-8h]
int h32; // [esp+8h] [ebp-4h]
/* both chunks must be non-zero and distinct, then two affine relations
 * in d = h32 - l32 (mod 2^32) must hold */
if ( h32 && l32 && h32 != l32 && 5 * (h32 - l32) + h32 == 0x8F503A42 && 0xD * (h32 - l32) + l32 == 0xEF503A42 )
--dword_41B034;
}
/* IDA pseudo-code of the second check (0x4010E0), called from main at
 * 0x401021 directly after sub_401090. Same construction as the first
 * check: l32/h32 are never written here and are read straight from the
 * stack slots [ebp-8]/[ebp-4], i.e. the bytes the registration code left
 * behind in sub_401050's scanf buffer (offsets to be confirmed in the
 * debugger). Only the multipliers and target constants differ.
 * Arithmetic wraps at 32 bits in the binary. On success the shared pass
 * counter dword_41B034 is decremented once more; main requires it to be 0
 * (TEST EAX,EAX / JNZ at 0x40102B) for the success message. */
void sub_4010E0()
{
int l32; // [esp+4h] [ebp-8h]
int h32; // [esp+8h] [ebp-4h]
/* non-zero, distinct chunks and two affine relations in
 * d = h32 - l32 (mod 2^32) with multipliers 0x11 and 7 */
if ( h32 && l32 && h32 != l32 && 0x11 * (h32 - l32) + h32 == 0xF3A94883 && 7 * (h32 - l32) + l32 == 0x33A94883 )
--dword_41B034;
}
把输入每4个字符ASCII作为十六进制赋值计算,假设为a,b则:
⑴:0x5 * ( a - b ) + a == 0x8F503A42
⑵:0xD * ( a - b ) + b == 0xEF503A42
⑶:0x11 * ( a - b ) + a == 0xF3A94883
⑷:0x7 * ( a - b ) + b == 0x33A94883
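def solve_false(t1=0x42, t2=0x42, t3=0x83, t4=0x83):
    """Brute-force the lowest byte of the two 32-bit input words a and b.

    The crackme's checks only use +, - and * on 32-bit values, so the low
    byte of every result depends only on the low bytes of a and b.  That
    lets us recover (a1, b1) = (a & 0xff, b & 0xff) on their own before
    moving to the higher bytes.  Candidates are limited to the printable
    range '0'..'z' (0x30..0x7a) that the registration code allows.

    Args:
        t1, t2, t3, t4: expected low bytes of, respectively,
            0x5*(a-b)+a, 0xD*(a-b)+b, 0x11*(a-b)+a and 0x7*(a-b)+b.
            The defaults are the low bytes of the constants found in
            sub_401090 / sub_4010E0 (0x8F503A42, 0xEF503A42,
            0xF3A94883, 0x33A94883).

    Returns:
        The first (a1, b1) pair (in iteration order) satisfying all four
        byte constraints, or None if there is none.  With the default
        targets the system is contradictory: the third and first
        expressions differ by 12*(a-b), which is even, while
        0x83 - 0x42 = 0x41 is odd -- so the default call prints nothing
        and returns None (which may be why the function is named
        solve_false).
    """
    # time.clock() was removed in Python 3.8; perf_counter() is the
    # recommended replacement for wall-clock timing of short runs.
    start_time = time.perf_counter()
    found = None
    for a1 in range(0x30, 0x7b):
        for b1 in range(0x30, 0x7b):
            d = a1 - b1  # may be negative; "& 0xff" reduces mod 256 anyway
            if ((0x5 * d + a1) & 0xff == t1
                    and (0xd * d + b1) & 0xff == t2
                    and (0x11 * d + a1) & 0xff == t3
                    and (0x7 * d + b1) & 0xff == t4):
                print("found sn a1 : %x" % a1)
                print("found sn b1 : %x" % b1)
                found = (a1, b1)
                break
        if found is not None:
            break
    print('use time: %.3f second' % (time.perf_counter() - start_time))
    return found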