-
-
[原创]2017ctf秋季第三题
-
发表于: 2017-10-29 09:31 2134
-
1.首先bp GetDlgItemTextA下断点找到关键代码
int __stdcall sub_434EF0(HWND hDlg, int a2, int a3, int a4)
{
int v4; // eax@14
int v5; // edx@14
int v6; // ecx@14
int v7; // ST0C_4@17
CHAR *v8; // esi@17
int v9; // eax@17
int v10; // eax@19
int v11; // edx@19
int v12; // ecx@19
int v13; // eax@20
int v14; // edx@20
int v15; // ecx@20
int v17; // [sp+0h] [bp-1A4Ch]@14
int v18; // [sp+4h] [bp-1A48h]@18
int v19; // [sp+8h] [bp-1A44h]@18
int v20; // [sp+Ch] [bp-1A40h]@1
int i; // [sp+1C4h] [bp-1888h]@14
char v22[1032]; // [sp+1D0h] [bp-187Ch]@16
char v23[40]; // [sp+5D8h] [bp-1474h]@14
int v24; // [sp+600h] [bp-144Ch]@14
char v25; // [sp+60Ch] [bp-1440h]@14
char v26; // [sp+60Dh] [bp-143Fh]@14
char v27; // [sp+A14h] [bp-1038h]@14
char v28; // [sp+A15h] [bp-1037h]@14
char v29; // [sp+E1Ch] [bp-C30h]@14
char v30; // [sp+E1Dh] [bp-C2Fh]@14
CHAR String; // [sp+1224h] [bp-828h]@14
char v32; // [sp+1225h] [bp-827h]@14
int v33; // [sp+162Ch] [bp-420h]@14
char v34; // [sp+1638h] [bp-414h]@1
char v35; // [sp+1639h] [bp-413h]@1
int v36; // [sp+1A40h] [bp-Ch]@1
unsigned int v37; // [sp+1A48h] [bp-4h]@1
int savedregs; // [sp+1A4Ch] [bp+0h]@1
memset(&v20, 0xCCu, 0x1A40u);
v37 = (unsigned int)&savedregs ^ dword_49B344;
v36 = 0;
v34 = 0;
memset((int)&v35, 0, 1023);
v20 = a2;
if ( a2 == 16 )
ExitProcess(0);
if ( v20 == 272 )
{
v36 = sub_42D4F1();
if ( v36 == 1 )
ExitProcess(0);
v36 = 0;
v36 = sub_42E428();
if ( v36 == 1 )
ExitProcess(0);
v36 = 0;
v36 = sub_42D825();
if ( v36 == 1 )
ExitProcess(0);
sub_42D14F(hDlg, 1);
}
else if ( v20 == 273 )
{
v20 = (unsigned int16)a3;
if ( (unsigned int16)a3 == 1002 )
{
String = 0;
memset((int)&v32, 0, 1023);
v29 = 0;
memset((int)&v30, 0, 1023);
v4 = GetDlgItemTextA(hDlg, 1001, &String, 1025);
v33 = chekesp(v6, v5, &v17 == &v17, v4);
v27 = 0;
memset((int)&v28, 0, 1023);
base64decode((int)&String, 1024, (int)&v29);
v25 = 0;
memset((int)&v26, 0, 1023);
base64decode((int)&v29, 1024, (int)&v27);
morse((int)&v27, (int)&v25, 1024); 莫尔斯代码译码
v24 = 3;
sm3((int)&v27, 3, (int)v23);
for ( i = 0; i < 32; ++i )
sprintf(&v22[2 * i], "%02x", (unsigned int8)v23[i]);
v7 = strlen(v22);
v8 = &String + strlen(&String);
v9 = strlen(v22);
if ( !memcmp((int)v22, (int)&v8[-v9], v7) )
{
sub_42D0B4(v17, v18, v19);
if ( (unsigned int8)sub_42D9AB(&unk_49B000, &v25) == 1 )
{
v10 = MessageBoxA(0, "ok", "CrackMe", 0);
chekesp(v12, v11, &v17 == &v17, v10);
}
}
}
}
sub_42D65E((int)&savedregs, (int)&dword_435250);
v13 = sub_42D1E5((unsigned int)&savedregs ^ v37);
return chekesp(v15, v14, 1, v13);
}
在函数执行完解密后发现进行sm3散列与输入的后64位比较,总是无法成立。
后来相当不安作者的算法实现而是输入的话,在两次base64解码后发现解为0,莫尔斯码的解码也为0,那么memcmp比较的其实就是000的sm3散列,验证正确;
key:183920f00e15a0433ee3a8fc90dd9ac164c4142ccf63ca189a8f645ec96ff8de
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)