
[原创]第三题 破解自坑

2017-10-28 22:35
2106
工具ollyice,变种ollyice

crackMe.exe无壳

刚开始调试,调试器各种错误和自动关闭。有反调试机制,换变种ollyice ,顺利启动程序。

查看字符串,果然存在很多调试器的关键标志,如下图:

顺便看了一下,更可怕的是这些:

感觉像莫尔斯码(求证),里面有decode这类字符,真假难辨~

跑了一遍,输入伪注册码没有错误提示,直接下了断点 GetWindowTextA,直接可以定位到验证按钮后的关键CALL 如下图:



; OllyDbg listing, MSVC cdecl, ebp-based frame. Fragment of the verify-button
; handler: the function entry lies before 0043507C and the failure path
; (00435214) lies after the MessageBoxA call, neither is in this listing.
; Frame slots as used below (names are reviewer inferences, not symbols):
;   [ebp-0x828]  = user input buffer (register dump at 004351B8: ASCII "12345678901234657980")
;   [ebp-0x1474] = 32-byte output of 0042DA78
;   [ebp-0x187C] = 64-char hex encoding of those 32 bytes (built by the "%02x" loop)
;   [ebp-0x1888] = loop counter
0043507C   .  3BF4          cmp esi,esp                              ;  esp sanity check after the preceding call (looks like MSVC debug _RTC_CheckEsp pattern)
0043507E   .  E8 CE8DFFFF   call crackMe.0042DE51                    ;  presumably _RTC_CheckEsp - not confirmed here
00435083   .  8985 E0FBFFFF mov dword ptr ss:[ebp-0x420],eax         ;  keep the previous call's return value
00435089   .  C685 C8EFFFFF>mov byte ptr ss:[ebp-0x1038],0x0         ;  buf[0] = 0 ...
00435090   .  68 FF030000   push 0x3FF                               ;  ... then 0042D5E6(&buf[1], 0, 0x3FF): zero-fills a 0x400-byte buffer (memset-like)
00435095   .  6A 00         push 0x0
00435097   .  8D85 C9EFFFFF lea eax,dword ptr ss:[ebp-0x1037]
0043509D   .  50            push eax
0043509E   .  E8 4385FFFF   call crackMe.0042D5E6
004350A3   .  83C4 0C       add esp,0xC                              ;  3 dword args popped (cdecl)
004350A6   .  8D85 D0F3FFFF lea eax,dword ptr ss:[ebp-0xC30]         ;  0042D267([ebp-0x828], 0x400, [ebp-0xC30]) - args in call order; purpose not visible here
004350AC   .  50            push eax
004350AD   .  68 00040000   push 0x400
004350B2   .  8D8D D8F7FFFF lea ecx,dword ptr ss:[ebp-0x828]
004350B8   .  51            push ecx                                 ;  first arg = input buffer
004350B9   .  E8 A981FFFF   call crackMe.0042D267
004350BE   .  83C4 0C       add esp,0xC
004350C1   .  C685 C0EBFFFF>mov byte ptr ss:[ebp-0x1440],0x0         ;  same zero-fill idiom for a second 0x400-byte buffer at [ebp-0x1440]
004350C8   .  68 FF030000   push 0x3FF
004350CD   .  6A 00         push 0x0
004350CF   .  8D85 C1EBFFFF lea eax,dword ptr ss:[ebp-0x143F]
004350D5   .  50            push eax
004350D6   .  E8 0B85FFFF   call crackMe.0042D5E6
004350DB   .  83C4 0C       add esp,0xC
004350DE   .  8D85 C8EFFFFF lea eax,dword ptr ss:[ebp-0x1038]        ;  0042D267([ebp-0xC30], 0x400, [ebp-0x1038])
004350E4   .  50            push eax
004350E5   .  68 00040000   push 0x400
004350EA   .  8D8D D0F3FFFF lea ecx,dword ptr ss:[ebp-0xC30]
004350F0   .  51            push ecx
004350F1   .  E8 7181FFFF   call crackMe.0042D267
004350F6   .  83C4 0C       add esp,0xC
004350F9   .  68 00040000   push 0x400                               ;  0042D96A([ebp-0x1038], [ebp-0x1440], 0x400)
004350FE   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]
00435104   .  50            push eax
00435105   .  8D8D C8EFFFFF lea ecx,dword ptr ss:[ebp-0x1038]
0043510B   .  51            push ecx
0043510C   .  E8 5988FFFF   call crackMe.0042D96A
00435111   .  83C4 0C       add esp,0xC
00435114   .  C785 B4EBFFFF>mov dword ptr ss:[ebp-0x144C],0x3        ;  constant 3, passed as 2nd arg below - meaning not visible here
0043511E   .  8D85 8CEBFFFF lea eax,dword ptr ss:[ebp-0x1474]        ;  0042DA78([ebp-0x1038], 3, [ebp-0x1474]); 32 bytes of [ebp-0x1474] are consumed by the loop below
00435124   .  50            push eax
00435125   .  8B8D B4EBFFFF mov ecx,dword ptr ss:[ebp-0x144C]
0043512B   .  51            push ecx
0043512C   .  8D95 C8EFFFFF lea edx,dword ptr ss:[ebp-0x1038]
00435132   .  52            push edx
00435133   .  E8 4089FFFF   call crackMe.0042DA78
00435138   .  83C4 0C       add esp,0xC
0043513B   .  C785 78E7FFFF>mov dword ptr ss:[ebp-0x1888],0x0        ;  i = 0
00435145   .  EB 0F         jmp short crackMe.00435156               ;  jump to the loop condition
00435147   >  8B85 78E7FFFF mov eax,dword ptr ss:[ebp-0x1888]        ;  i++
0043514D   .  83C0 01       add eax,0x1
00435150   .  8985 78E7FFFF mov dword ptr ss:[ebp-0x1888],eax
00435156   >  83BD 78E7FFFF>cmp dword ptr ss:[ebp-0x1888],0x20       ;  while (i < 32)  (signed compare; fine since i starts at 0)
0043515D   .  7D 2C         jge short crackMe.0043518B
0043515F   .  8B85 78E7FFFF mov eax,dword ptr ss:[ebp-0x1888]
00435165   .  0FB68C05 8CEB>movzx ecx,byte ptr ss:[ebp+eax-0x1474]   ;  byte = out[i]
0043516D   .  51            push ecx
0043516E   .  68 A4B14800   push crackMe.0048B1A4                    ;  %02x
00435173   .  8B95 78E7FFFF mov edx,dword ptr ss:[ebp-0x1888]
00435179   .  8D8455 84E7FF>lea eax,dword ptr ss:[ebp+edx*2-0x187C]  ;  dst = hex + 2*i
00435180   .  50            push eax
00435181   .  E8 7F8DFFFF   call crackMe.0042DF05                    ;  0042DF05(hex + 2*i, "%02x", byte): sprintf-like, 32 bytes -> 64 hex chars
00435186   .  83C4 0C       add esp,0xC
00435189   .^ EB BC         jmp short crackMe.00435147
0043518B   >  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]        ;  0042D794(hex): single-arg, returns a length-like value in eax (strlen-like)
00435191   .  50            push eax
00435192   .  E8 FD85FFFF   call crackMe.0042D794
00435197   .  83C4 04       add esp,0x4
0043519A   .  50            push eax                                 ;  len(hex) stays on the stack: 3rd arg of the call at 004351CA
0043519B   .  8D8D D8F7FFFF lea ecx,dword ptr ss:[ebp-0x828]         ;  0042D794(input)  (register dump: eax = 0x14 = 20 for the 20-char input)
004351A1   .  51            push ecx
004351A2   .  E8 ED85FFFF   call crackMe.0042D794
004351A7   .  83C4 04       add esp,0x4
004351AA   .  8DB405 D8F7FF>lea esi,dword ptr ss:[ebp+eax-0x828]     ;  esi = input + len(input)  (end of the input string)
004351B1   .  8D95 84E7FFFF lea edx,dword ptr ss:[ebp-0x187C]        ;  0042D794(hex) again
004351B7   .  52            push edx
004351B8   .  E8 D785FFFF   call crackMe.0042D794
004351BD   .  83C4 04       add esp,0x4
004351C0   .  2BF0          sub esi,eax                              ;  esi = end_of_input - len(hex): the last len(hex) chars of the input
004351C2   .  56            push esi
004351C3   .  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]
004351C9   .  50            push eax
004351CA   .  E8 5889FFFF   call crackMe.0042DB27                    ;  0042DB27(hex, esi, len(hex)): compares hex with the input tail (strncmp/memcmp-like)
004351CF   .  83C4 0C       add esp,0xC                              ;  pops hex, esi and the len(hex) pushed at 0043519A
004351D2   .  85C0          test eax,eax                             ;  gate 1: mismatch -> fail path at 00435214 (outside this listing)
004351D4   .  75 3E         jnz short crackMe.00435214
004351D6   .  E8 D97EFFFF   call crackMe.0042D0B4                    ;  no args; purpose not visible here
004351DB   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]        ;  0042D9AB(0049B000, [ebp-0x1440]) -> byte result in al
004351E1   .  50            push eax
004351E2   .  68 00B04900   push crackMe.0049B000
004351E7   .  E8 BF87FFFF   call crackMe.0042D9AB
004351EC   .  83C4 08       add esp,0x8
004351EF   .  0FB6C8        movzx ecx,al
004351F2   .  83F9 01       cmp ecx,0x1                              ;  gate 2: result must be exactly 1
004351F5   .  75 1D         jnz short crackMe.00435214
004351F7   .  8BF4          mov esi,esp                              ;  esp snapshot for the post-call check (debug build idiom)
004351F9   .  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004351FB   .  68 98B14800   push crackMe.0048B198                    ; |CrackMe
00435200   .  68 94B14800   push crackMe.0048B194                    ; |ok
00435205   .  6A 00         push 0x0                                 ; |hOwner = NULL
00435207   .  FF15 88F54900 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA - success path



其中可以看到大致流程,有调用MessageBoxA 进行消息提示:

那么往上面下CALL的断点,进行分析如下:

; Tail of the verify handler, annotated at the breakpoint on 004351B8.
; [ebp-0x187C] = 64-char hex string, [ebp-0x828] = user input; the function
; entry and the failure path at 00435214 are outside this listing.
004351B8   .  E8 D785FFFF   call crackMe.0042D794                    ;  // fetches the fake code and a string - what is it up to? (0042D794(hex): length-like result in eax)
004351BD   .  83C4 04       add esp,0x4
004351C0   .  2BF0          sub esi,eax                              ;  esi = end_of_input - len(hex): last len(hex) chars of the input
004351C2   .  56            push esi
004351C3   .  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]
004351C9   .  50            push eax
004351CA   .  E8 5889FFFF   call crackMe.0042DB27                    ;  0042DB27(hex, esi, len(hex)): compare hex with the input tail
004351CF   .  83C4 0C       add esp,0xC
004351D2   .  85C0          test eax,eax                             ;  nonzero -> fail path
004351D4   .  75 3E         jnz short crackMe.00435214
004351D6   .  E8 D97EFFFF   call crackMe.0042D0B4
004351DB   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]        ;  0042D9AB(0049B000, [ebp-0x1440]) -> al
004351E1   .  50            push eax
004351E2   .  68 00B04900   push crackMe.0049B000
004351E7   .  E8 BF87FFFF   call crackMe.0042D9AB
004351EC   .  83C4 08       add esp,0x8
004351EF   .  0FB6C8        movzx ecx,al
004351F2   .  83F9 01       cmp ecx,0x1                              ;  second gate: must be 1
004351F5   .  75 1D         jnz short crackMe.00435214               ;  // the key jnz
004351F7   .  8BF4          mov esi,esp
004351F9   .  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004351FB   .  68 98B14800   push crackMe.0048B198                    ; |CrackMe
00435200   .  68 94B14800   push crackMe.0048B194                    ; |ok
00435205   .  6A 00         push 0x0                                 ; |hOwner = NULL
00435207   .  FF15 88F54900 call dword ptr ds:[<&USER32.MessageBoxA>>; \pops up the "registration successful" message!



跟踪下来,在004351B8 这个CALL 这里,寄存器情况如下

EAX 00000014
ECX 0012F16C ASCII "12345678901234657980"
EDX 0012E118 ASCII "183920f00e15a0433ee3a8fc90dd9ac164c4142ccf63ca189a8f645ec96ff8de"
EBX 00000000
ESP 0012DF40
EBP 0012F994
ESI 0012F180
EDI 0012F994
EIP 004351B8 crackMe.004351B8
C 0  ES 0023 32位 0(FFFFFFFF)
P 1  CS 001B 32位 0(FFFFFFFF)
A 0  SS 0023 32位 0(FFFFFFFF)
Z 0  DS 0023 32位 0(FFFFFFFF)
S 0  FS 003B 32位 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_HANDLE (00000006)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0000000156560127760e-4933
ST1 empty 9.7995518123247349760e-163
ST2 empty -1.0035814415065585664e-632
ST3 empty +UNORM 0001 000053F7 BAF64B4C
ST4 empty +UNORM 024A 0000040F 0072E1F4
ST5 empty +UNORM 4C78 00000000 00000257
ST6 empty 2.4045632356348871680e-2620
ST7 empty 4.9108275470228848640e-4932
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  掩码    1 1 1 1 1 1

其中看到
伪注册码:

12345678901234657980

神奇字符串:

183920f00e15a0433ee3a8fc90dd9ac164c4142ccf63ca189a8f645ec96ff8de

这两个在一起,是要搞点什么事情???

直接把神奇字符串复制出来输入程序,呵呵,程序提示 OK !!(从上面 004351CA 处的比较看,程序是把这个 64 个字符的十六进制串和输入串的末尾做比较,所以直接输入它就能通过。)


别以为我就做完了!!!!!自坑之路才开始!

我用 IE 登录 CTF 提交答案,浏览器提示答案不对!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

于是。。。。。。。。。。。。。从早上12点开题,一直到下午6点左右,反复研究神奇字符串是咋个来的!

以及可能的字符串的各种算法尝试,就在要放弃的情况,神不知鬼不觉的情况,换了个浏览器。神奇字符串一输入,点提交居然验证成功!

另外,我是不会和你说,我搞了莫尔斯代码与神奇字符串二进制转换脚本!!!!



