[原创]看雪.京东 2018CTF 第四题 密界寻踪 writeup
2018-6-22 17:44 2352

  • 1.查加密算法:

有大数运算(MIRACL 大数库:mirsys / cinstr / powmod 等)和 AES 算法(aes_KeyExpansion / AES_Cipher)。
  • 2.分析流程
.text:0045C106 _main_0_0:                              ; CODE XREF: _main_0j
.text:0045C106                 jz      short loc_45C10C
.text:0045C108                 jnz     short loc_45C10C
.text:0045C10A                 jmp     short loc_45C10E
.text:0045C10C ; ---------------------------------------------------------------------------
.text:0045C10C
.text:0045C10C loc_45C10C:                             ; CODE XREF: .text:_main_0_0j
.text:0045C10C                                         ; .text:0045C108j
.text:0045C10C                 jmp     short near ptr loc_45C10E+1
.text:0045C10E ; ---------------------------------------------------------------------------
.text:0045C10E
.text:0045C10E loc_45C10E:                             ; CODE XREF: .text:0045C10Aj
.text:0045C10E                                         ; .text:loc_45C10Cj
.text:0045C10E                 adc     dword ptr [ebp+74h], 0E8027504h
.text:0045C115                 add     ch, bl
.text:0045C117                 add     [ecx+370EC8Bh], eax
.text:0045C11D                 jno     short near ptr loc_45C11F+1
.text:0045C11F
.text:0045C11F loc_45C11F:                             ; CODE XREF: .text:0045C11Dj
.text:0045C11F                                         ; .text:0045C125j
.text:0045C11F                 call    near ptr 0E9C2ADA7h
.text:0045C124                 push    cs
.text:0045C125                 jo      short near ptr loc_45C11F+2
.text:0045C127                 call    dword ptr [eax+0]
入口处插入了花指令(jz/jnz 跳到同一地址、jmp 落到指令中间,让反汇编器解出一堆无意义的 adc/add/call),只是干扰静态反汇编,对执行没有影响。数量不多,直接 F7 单步走过即可。
反调试:
/*
 * Anti-debug / re-launch stub (Hex-Rays output; names are IDA auto-names).
 *
 * Copies this module's own path into ApplicationName, then either bumps the
 * global counter dword_495728 (when CheckDbg_4010C8() reports true) or
 * re-launches the executable in a new console and sets dword_495728 = 2.
 * That global is later added to the third byte of the AES key in check2
 * (sub_402E52), so whichever branch runs here changes the key being tested.
 *
 * Returns: the incremented counter, the result of the last CloseHandle(),
 *          or printf()'s return value when CreateProcessA fails.
 */
int sub_4023E0()
{
  int result; // eax@3
  char v1; // [sp+Ch] [bp-2C0h]@1
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+4Ch] [bp-280h]@2
  struct _STARTUPINFOA StartupInfo; // [sp+5Ch] [bp-270h]@2
  void *v4; // [sp+A0h] [bp-22Ch]@1
  char v5; // [sp+A4h] [bp-228h]@1  -- v5/v6/v7 are one contiguous 0x32-byte buffer
  char v6; // [sp+A5h] [bp-227h]@1
  char v7; // [sp+D5h] [bp-1F7h]@1
  CHAR ApplicationName; // [sp+D8h] [bp-1F4h]@1  -- 0x1F4-byte path buffer

  memset(&v1, 0xCCu, 0x2C0u); // MSVC debug-build stack fill, no functional role
  v5 = 0;
  memset(&v6, 0, 0x30u);
  v7 = 0;
  v4 = GetModuleFileName_401064(); // presumably wraps GetModuleFileName (own path) -- not shown here
  memcpy(&ApplicationName, v4, 0x1F4u); // fixed-size copy, no length check on the source
  if ( CheckDbg_4010C8() ) // writeup: compares the parent process name; body not shown here
  {
    result = dword_495728++ + 1; // global is incremented; the new value is returned
  }
  else
  {
    memcpy(&v5, &unk_495640, 0x32u); // filled but never read again in this function
    memset(&StartupInfo, 0, 0x44u);
    StartupInfo.cb = 68; // sizeof(STARTUPINFOA)
    StartupInfo.dwFlags = 1; // STARTF_USESHOWWINDOW
    StartupInfo.wShowWindow = 1; // SW_SHOWNORMAL
    // 0x10 = CREATE_NEW_CONSOLE: re-launch ourselves with no command line and no inherited handles
    if ( CreateProcessA(&ApplicationName, 0, 0, 0, 0, 0x10u, 0, 0, &StartupInfo, &ProcessInformation) )
    {
      dword_495728 = 2; // the re-launch path pins the counter at 2
      CloseHandle(ProcessInformation.hProcess);
      result = CloseHandle(ProcessInformation.hThread);
    }
    else
    {
      result = printf("error");
    }
  }
  return result;
}
主要是检测父进程名称(CheckDbg_4010C8),是 explorer.exe 则用 CreateProcessA 以自身路径另起一个进程(这段反编译里只看到关闭句柄,结束当前进程应在别处)。
直接改跳转跳过即可。注意两条分支都会写全局变量 dword_495728:重新启动的分支把它置为 2,另一条分支把它加 1;而 check2 会把这个值加到 AES 密钥的第 3 个字节上,所以改哪条跳转会直接影响后面要爆破的密钥偏移,要以自己实际运行的路径为准。
主要验证流程:
.text:004031D2                 call    j_print_ctf_403040
.text:004031D7                 call    sub_40100A
.text:004031DC                 lea     edx, [ebp-14h]
.text:004031DF                 push    edx
.text:004031E0                 call    decode_string_401078 ; successs
.text:004031E5                 add     esp, 4
.text:004031E8                 lea     eax, [ebp-20h]
.text:004031EB                 push    eax
.text:004031EC                 call    decode_string_401078 ; error
.text:004031F1                 add     esp, 4
.text:004031F4                 push    18h
.text:004031F6                 lea     ecx, [ebp-38h]
.text:004031F9                 push    ecx
.text:004031FA                 push    offset aS_0     ; "%s"
.text:004031FF                 call    _scanf
.text:00403204                 add     esp, 0Ch
.text:00403207                 lea     edx, [ebp-38h]
.text:0040320A                 push    edx             ; char *
.text:0040320B                 call    _strlen
.text:00403210                 add     esp, 4
.text:00403213                 cmp     eax, 17h        ; strlen(buf) 必须 <= 0x17 (23),否则打印 error 并 exit
.text:00403216                 jbe     short loc_40322B
.text:00403218                 lea     eax, [ebp-20h]
.text:0040321B                 push    eax             ; char *
.text:0040321C                 call    _printf
.text:00403221                 add     esp, 4
.text:00403224                 push    0               ; int
.text:00403226                 call    _exit
.text:0040322B ; ---------------------------------------------------------------------------
.text:0040322B
.text:0040322B loc_40322B:                             ; CODE XREF: sub_40315C+BAj
.text:0040322B                 lea     ecx, [ebp-35h]
.text:0040322E                 push    ecx             ; char *
.text:0040322F                 call    _strlen
.text:00403234                 add     esp, 4
.text:00403237                 push    eax
.text:00403238                 push    offset unk_495660 ; 放在这里
.text:0040323D                 lea     edx, [ebp-35h]
.text:00403240                 push    edx
.text:00403241                 call    j_Covert_string_to_hex_string_402220
.text:00403246                 add     esp, 0Ch
.text:00403249                 call    check1_40125D   ; 大数运算
.text:0040324E                 mov     [ebp-4], eax
.text:00403251                 push    3               ; size_t
.text:00403253                 lea     eax, [ebp-38h]
.text:00403256                 push    eax             ; void *
.text:00403257                 lea     ecx, [ebp-3Ch]
.text:0040325A                 push    ecx             ; void *
.text:0040325B                 call    _memcpy
.text:00403260                 add     esp, 0Ch
.text:00403263                 lea     edx, [ebp-3Ch]
.text:00403266                 push    edx
.text:00403267                 call    check_isdigit_40108C
.text:0040326C                 add     esp, 4
.text:0040326F                 and     eax, 0FFh
.text:00403274                 test    eax, eax
.text:00403276                 jz      short loc_403289
.text:00403278                 lea     eax, [ebp-3Ch]
.text:0040327B                 push    eax
.text:0040327C                 call    check2_40128F
.text:00403281                 add     esp, 4
.text:00403284                 mov     [ebp-8], eax
.text:00403287                 jmp     short loc_403299
.text:00403289 ; ---------------------------------------------------------------------------
.text:00403289
.text:00403289 loc_403289:                             ; CODE XREF: sub_40315C+11Aj
.text:00403289                 lea     ecx, [ebp-20h]
.text:0040328C                 push    ecx             ; char *
.text:0040328D                 call    _printf
.text:00403292                 add     esp, 4
.text:00403295                 xor     eax, eax
.text:00403297                 jmp     short loc_4032CD
.text:00403299 ; ---------------------------------------------------------------------------
.text:00403299
.text:00403299 loc_403299:                             ; CODE XREF: sub_40315C+12Bj
.text:00403299                 mov     edx, [ebp-4]
.text:0040329C                 add     edx, [ebp-8]
.text:0040329F                 cmp     edx, 2
.text:004032A2                 jnz     short loc_4032B2
.text:004032A4                 lea     eax, [ebp-14h]
.text:004032A7                 push    eax             ; char *
.text:004032A8                 call    _printf
.text:004032AD                 add     esp, 4
.text:004032B0                 jmp     short loc_4032BE
.text:004032B2 ; ---------------------------------------------------------------------------
.text:004032B2
.text:004032B2 loc_4032B2:                             ; CODE XREF: sub_40315C+146j
.text:004032B2                 lea     ecx, [ebp-20h]
.text:004032B5                 push    ecx             ; char *
.text:004032B6              call    _printf
两个 check 函数比较长,中间也插入了乱序代码 / 花指令干扰分析(如 sub_402630 末尾的 call 互相跳入对方指令中间,IDA 报 sp-analysis failed)。
check1 是一个rsa算法。
.text:00402630
.text:00402630                 push    ebp
.text:00402631                 mov     ebp, esp
.text:00402633                 sub     esp, 374h
.text:00402639                 push    ebx
.text:0040263A                 push    esi
.text:0040263B                 push    edi
.text:0040263C                 lea     edi, [ebp+var_374]
.text:00402642                 mov     ecx, 0DDh
.text:00402647                 mov     eax, 0CCCCCCCCh
.text:0040264C                 rep stosd
.text:0040264E                 push    10h
.text:00402650                 push    1F4h
.text:00402655                 call    mirsys_4095A0
.text:0040265A                 add     esp, 8
.text:0040265D                 mov     [ebp+var_4], eax
.text:00402660                 mov     [ebp+var_CC], 33h
.text:00402667                 mov     [ebp+var_CB], 32h
.text:0040266E                 mov     [ebp+var_CA], 3Bh
.text:00402675                 mov     [ebp+var_C9], 47h
.text:0040267C                 mov     [ebp+var_C8], 47h
.text:00402683                 mov     [ebp+var_C7], 44h
.text:0040268A                 mov     [ebp+var_C6], 30h
.text:00402691                 mov     [ebp+var_C5], 4Bh
.text:00402698                 mov     [ebp+var_C4], 4Dh
.text:0040269F                 mov     [ebp+var_C3], 3Ch
.text:004026A6                 mov     [ebp+var_C2], 4Eh
.text:004026AD                 mov     [ebp+var_C1], 4Fh
.text:004026B4                 mov     [ebp+var_C0], 4Eh
.text:004026BB                 mov     [ebp+var_BF], 38h
.text:004026C2                 mov     [ebp+var_BE], 3Bh
.text:004026C9                 mov     [ebp+var_BD], 25h
.text:004026D0                 mov     [ebp+var_BC], 20h
.text:004026D7                 mov     [ebp+var_BB], 24h
.text:004026DE                 mov     [ebp+var_BA], 57h
.text:004026E5                 mov     [ebp+var_B9], 24h
.text:004026EC                 mov     [ebp+var_B8], 22h
.text:004026F3                 mov     [ebp+var_B7], 52h
.text:004026FA                 mov     [ebp+var_B6], 2Eh
.text:00402701                 mov     [ebp+var_B5], 2Fh
.text:00402708                 mov     [ebp+var_B4], 21h
.text:0040270F                 mov     [ebp+var_B3], 5Ch
.text:00402716                 mov     [ebp+var_B2], 2Eh
.text:0040271D                 mov     [ebp+var_B1], 5Ah
.text:00402724                 mov     [ebp+var_B0], 2Dh
.text:0040272B                 mov     [ebp+var_AF], 28h
.text:00402732                 mov     [ebp+var_AE], 27h
.text:00402739                 mov     [ebp+var_AD], 11h
.text:00402740                 mov     [ebp+var_AC], 67h
.text:00402747                 mov     [ebp+var_AB], 17h
.text:0040274E                 mov     [ebp+var_AA], 10h
.text:00402755                 mov     [ebp+var_A9], 10h
.text:0040275C                 mov     [ebp+var_A8], 60h
.text:00402763                 mov     [ebp+var_A7], 67h
.text:0040276A                 mov     [ebp+var_A6], 63h
.text:00402771                 mov     [ebp+var_A5], 1Ah
.text:00402778                 mov     [ebp+var_A4], 1Ah
.text:0040277F                 mov     [ebp+var_A3], 1Fh
.text:00402786                 mov     [ebp+var_A2], 6Fh
.text:0040278D                 mov     [ebp+var_A1], 19h
.text:00402794                 mov     [ebp+var_A0], 6Eh
.text:0040279B                 mov     [ebp+var_9F], 1Ah
.text:004027A2                 mov     [ebp+var_9E], 16h
.text:004027A9                 mov     [ebp+var_9D], 71h
.text:004027B0                 mov     [ebp+var_9C], 75h
.text:004027B7                 mov     [ebp+var_9B], 76h
.text:004027BE                 mov     [ebp+var_9A], 4
.text:004027C5                 mov     [ebp+var_99], 6
.text:004027CC                 mov     [ebp+var_98], 71h
.text:004027D3                 mov     [ebp+var_97], 4
.text:004027DA                 mov     [ebp+var_96], 73h
.text:004027E1                 mov     [ebp+var_95], 7Ah
.text:004027E8                 mov     [ebp+var_94], 1
.text:004027EF                 mov     [ebp+var_93], 0Eh
.text:004027F6                 mov     [ebp+var_92], 0Bh
.text:004027FD                 mov     [ebp+var_91], 78h
.text:00402804                 mov     [ebp+var_90], 8
.text:0040280B                 mov     [ebp+var_8F], 0Dh
.text:00402812                 mov     [ebp+var_8E], 0Fh
.text:00402819                 mov     [ebp+var_8D], 74h
.text:00402820                 mov     ecx, 22h
.text:00402825                 xor     eax, eax
.text:00402827                 lea     edi, [ebp+var_8C]
.text:0040282D                 rep stosd
.text:0040282F                 mov     [ebp+var_194], 0
.text:00402836                 mov     ecx, 31h
.text:0040283B                 xor     eax, eax
.text:0040283D                 lea     edi, [ebp+var_193]
.text:00402843                 rep stosd
.text:00402845                 stosw
.text:00402847                 stosb
.text:00402848                 mov     [ebp+var_25C], 0
.text:0040284F                 mov     ecx, 31h
.text:00402854                 xor     eax, eax
.text:00402856                 lea     edi, [ebp+var_25B]
.text:0040285C                 rep stosd
.text:0040285E                 stosw
.text:00402860                 stosb
.text:00402861                 mov     [ebp+var_324], 36h
.text:00402868                 mov     [ebp+var_323], 66h
.text:0040286F                 mov     [ebp+var_322], 62h
.text:00402876                 mov     [ebp+var_321], 37h
.text:0040287D                 mov     [ebp+var_320], 3Ch
.text:00402884                 mov     [ebp+var_31F], 62h
.text:0040288B                 mov     [ebp+var_31E], 62h
.text:00402892                 mov     [ebp+var_31D], 3Eh
.text:00402899                 mov     [ebp+var_31C], 3Fh
.text:004028A0                 mov     [ebp+var_31B], 3Ah
.text:004028A7                 mov     [ebp+var_31A], 3Ah
.text:004028AE                 mov     [ebp+var_319], 3Ah
.text:004028B5                 mov     [ebp+var_318], 39h
.text:004028BC                 mov     [ebp+var_317], 39h
.text:004028C3                 mov     [ebp+var_316], 38h
.text:004028CA                 mov     [ebp+var_315], 72h
.text:004028D1                 mov     [ebp+var_314], 20h
.text:004028D8                 mov     [ebp+var_313], 73h
.text:004028DF                 mov     [ebp+var_312], 75h
.text:004028E6                 mov     [ebp+var_311], 77h
.text:004028ED                 mov     [ebp+var_310], 26h
.text:004028F4                 mov     [ebp+var_30F], 72h
.text:004028FB                 mov     [ebp+var_30E], 74h
.text:00402902                 mov     [ebp+var_30D], 20h
.text:00402909                 mov     [ebp+var_30C], 7Ch
.text:00402910                 mov     [ebp+var_30B], 29h
.text:00402917                 mov     [ebp+var_30A], 2Bh
.text:0040291E                 mov     [ebp+var_309], 25h
.text:00402925                 mov     [ebp+var_308], 79h
.text:0040292C                 mov     [ebp+var_307], 7Dh
.text:00402933                 mov     [ebp+var_306], 2Bh
.text:0040293A                 mov     [ebp+var_305], 12h
.text:00402941                 mov     [ebp+var_304], 18h
.text:00402948                 mov     [ebp+var_303], 40h
.text:0040294F                 mov     [ebp+var_302], 16h
.text:00402956                 mov     [ebp+var_301], 40h
.text:0040295D                 mov     [ebp+var_300], 40h
.text:00402964                 mov     [ebp+var_2FF], 1Eh
.text:0040296B                 mov     [ebp+var_2FE], 12h
.text:00402972                 mov     [ebp+var_2FD], 1Dh
.text:00402979                 mov     [ebp+var_2FC], 4Fh
.text:00402980                 mov     [ebp+var_2FB], 1Ah
.text:00402987                 mov     [ebp+var_2FA], 4Fh
.text:0040298E                 mov     [ebp+var_2F9], 1Ah
.text:00402995                 mov     [ebp+var_2F8], 1Ch
.text:0040299C                 mov     [ebp+var_2F7], 18h
.text:004029A3                 mov     [ebp+var_2F6], 4Bh
.text:004029AA                 mov     [ebp+var_2F5], 2
.text:004029B1                 mov     [ebp+var_2F4], 3
.text:004029B8                 mov     [ebp+var_2F3], 7
.text:004029BF                 mov     [ebp+var_2F2], 51h
.text:004029C6                 mov     [ebp+var_2F1], 1
.text:004029CD                 mov     [ebp+var_2F0], 2
.text:004029D4                 mov     [ebp+var_2EF], 6
.text:004029DB                 mov     [ebp+var_2EE], 55h
.text:004029E2                 mov     [ebp+var_2ED], 0Eh
.text:004029E9                 mov     [ebp+var_2EC], 1
.text:004029F0                 mov     [ebp+var_2EB], 58h
.text:004029F7                 mov     [ebp+var_2EA], 3
.text:004029FE                 mov     [ebp+var_2E9], 4
.text:00402A05                 mov     [ebp+var_2E8], 5Ch
.text:00402A0C                 mov     [ebp+var_2E7], 0Bh
.text:00402A13                 mov     [ebp+var_2E6], 7
.text:00402A1A                 mov     [ebp+var_2E5], 75h
.text:00402A21                 mov     ecx, 22h
.text:00402A26                 xor     eax, eax
.text:00402A28                 lea     edi, [ebp+var_2E4]
.text:00402A2E                 rep stosd
.text:00402A30                 call    sub_402A3A
.text:00402A35
.text:00402A35 loc_402A35:                             ; CODE XREF: sub_402A3Ap
.text:00402A35                 call    near ptr 12B3225h
.text:00402A35 sub_402630      endp ; sp-analysis failed
.text:00402A35
.text:00402A3A
.text:00402A3A ; =============== S U B R O U T I N E =======================================
.text:00402A3A
.text:00402A3A
.text:00402A3A sub_402A3A      proc near               ; CODE XREF: sub_402630+400p
.text:00402A3A                 call    near ptr loc_402A35+1
.text:00402A3F                 add     esp, 8
.text:00402A42                 lea     eax, [ebp-0CCh]
.text:00402A48                 push    eax
.text:00402A49                 call    decode_string_401078
.text:00402A4E                 add     esp, 4
.text:00402A51                 lea     ecx, [ebp-324h]
.text:00402A57                 push    ecx
.text:00402A58                 call    decode_string_401078
.text:00402A5D                 add     esp, 4
.text:00402A60                 mov     edx, [ebp-4]
.text:00402A63                 mov     dword ptr [edx+234h], 16 ;  mip->IOBASE=16;      //将原来的10进制改为16进制模式
.text:00402A6D                 push    0
.text:00402A6F                 call    mirsys_func1_409350
.text:00402A74                 add     esp, 4
.text:00402A77                 mov     [ebp-328h], eax
.text:00402A7D                 push    0
.text:00402A7F                 call    mirsys_func1_409350
.text:00402A84                 add     esp, 4
.text:00402A87                 mov     [ebp-32Ch], eax
.text:00402A8D                 push    0
.text:00402A8F                 call    mirsys_func1_409350
.text:00402A94                 add     esp, 4
.text:00402A97                 mov     [ebp-334h], eax
.text:00402A9D                 push    0
.text:00402A9F                 call    mirsys_func1_409350
.text:00402AA4                 add     esp, 4
.text:00402AA7                 mov     [ebp-330h], eax
.text:00402AAD                 push    offset unk_495660
.text:00402AB2                 mov     eax, [ebp-334h]
.text:00402AB8                 push    eax
.text:00402AB9                 call    mirsys_cinstr_40D1E0
.text:00402ABE                 add     esp, 8
.text:00402AC1                 lea     ecx, [ebp-324h]
.text:00402AC7                 push    ecx
.text:00402AC8                 mov     edx, [ebp-328h]
.text:00402ACE                 push    edx
.text:00402ACF                 call    mirsys_cinstr_40D1E0
.text:00402AD4                 add     esp, 8
.text:00402AD7                 push    offset a3e9     ; "3e9"
.text:00402ADC                 mov     eax, [ebp-32Ch]
.text:00402AE2                 push    eax
.text:00402AE3                 call    mirsys_cinstr_40D1E0
.text:00402AE8                 add     esp, 8
.text:00402AEB                 mov     ecx, [ebp-328h]
.text:00402AF1                 push    ecx
.text:00402AF2                 mov     edx, [ebp-334h]
.text:00402AF8                 push    edx
.text:00402AF9                 call    mirsys_compare_40A2C0 ; 函数原型: int compare(big x, big y);
.text:00402AF9                                         ;
.text:00402AF9                                         ; 功能说明: 比较两个大数的大小
.text:00402AF9                                         ;
.text:00402AF9                                         ; 返回值: x>y时返回+1, x=y时返回0, x<y时返回-1
.text:00402AFE                 add     esp, 8
.text:00402B01                 cmp     eax, 0FFFFFFFFh
.text:00402B04                 jnz     loc_402BD4
.text:00402B0A                 mov     eax, [ebp-330h]
.text:00402B10                 push    eax
.text:00402B11                 mov     ecx, [ebp-328h]
.text:00402B17                 push    ecx
.text:00402B18                 mov     edx, [ebp-32Ch]
.text:00402B1E                 push    edx
.text:00402B1F                 mov     eax, [ebp-334h]
.text:00402B25                 push    eax
.text:00402B26                 call    mirsys_powmod_40C110 ; 函数原型: void powmod(big x, big y,big z, big w);
.text:00402B26                                         ;
.text:00402B26                                         ; 功能说明: 模幂运算,w = x^y mod z
.text:00402B2B                 add     esp, 10h
.text:00402B2E                 push    0
.text:00402B30                 lea     ecx, [ebp-194h]
.text:00402B36                 push    ecx
.text:00402B37                 mov     edx, [ebp-330h]
.text:00402B3D                 push    edx
.text:00402B3E                 push    0
.text:00402B40                 call    mirsys_get_40B280
.text:00402B45                 add     esp, 10h
.text:00402B48                 mov     eax, [ebp-328h]
.text:00402B4E                 push    eax
.text:00402B4F                 call    mirsys_mirkill_409CA0
.text:00402B54                 add     esp, 4
.text:00402B57                 mov     ecx, [ebp-32Ch]
.text:00402B5D                 push    ecx
.text:00402B5E                 call    mirsys_mirkill_409CA0
.text:00402B63                 add     esp, 4
.text:00402B66                 mov     edx, [ebp-334h]
.text:00402B6C                 push    edx
.text:00402B6D                 call    mirsys_mirkill_409CA0
.text:00402B72                 add     esp, 4
.text:00402B75                 mov     eax, [ebp-330h]
.text:00402B7B                 push    eax
.text:00402B7C                 call    mirsys_mirkill_409CA0
.text:00402B81                 add     esp, 4
.text:00402B84                 call    sub_409CC0
.text:00402B89                 lea     ecx, [ebp-194h]
.text:00402B8F                 push    ecx             ; char *
.text:00402B90                 call    _strlen
.text:00402B95                 add     esp, 4
.text:00402B98                 push    eax
.text:00402B99                 lea     edx, [ebp-25Ch]
.text:00402B9F                 push    edx
.text:00402BA0                 lea     eax, [ebp-194h]
.text:00402BA6                 push    eax
.text:00402BA7                 call    charAry2String_40100F
.text:00402BAC                 add     esp, 0Ch
.text:00402BAF                 lea     ecx, [ebp-25Ch]
.text:00402BB5                 push    ecx             ; char *
.text:00402BB6                 lea     edx, [ebp-0CCh]
.text:00402BBC                 push    edx             ; char *
.text:00402BBD                 call    _strcmp
.text:00402BC2                 add     esp, 8
.text:00402BC5                 test    eax, eax
.text:00402BC7                 jnz     short loc_402BD0
.text:00402BC9                 mov     eax, 1
.text:00402BCE                 jmp     short loc_402BD6
.text:00402BD0 ; ---------------------------------------------------------------------------
.text:00402BD0
.text:00402BD0 loc_402BD0:                             ; CODE XREF: sub_402A3A+18Dj
.text:00402BD0                 xor     eax, eax
.text:00402BD2                 jmp     short loc_402BD6
.text:00402BD4 ; ---------------------------------------------------------------------------
.text:00402BD4
.text:00402BD4 loc_402BD4:                             ; CODE XREF: sub_402A3A+CAj
.text:00402BD4                 xor     eax, eax
.text:00402BD6
.text:00402BD6 loc_402BD6:                             ; CODE XREF: sub_402A3A+194j
.text:00402BD6                                         ; sub_402A3A+198j
.text:00402BD6                 pop     edi
.text:00402BD7                 pop     esi
.text:00402BD8                 pop     ebx
.text:00402BD9                 add     esp, 374h
.text:00402BDF                 cmp     ebp, esp
.text:00402BE1                 call    __chkesp
.text:00402BE6                 mov     esp, ebp
.text:00402BE8                 pop     ebp
.text:00402BE9                 retn
.text:00402BE9 sub_402A3A      endp ; sp-analysis failed
主要过程:
1.取注册码从第 4 个字符开始的子串([ebp-35h] = buf+3,即跳过前 3 个字符),转成 16 进制字符串放到 unk_495660。
2.利用 mirsys 计算 powmod:
函数原型: void powmod(big x, big y,big z, big w);

功能说明: 模幂运算,w = x^y mod z

 
X就是输入的字符串
Y是0x3e9
Z是7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585 上边解密出来的字符串
计算出来的值 W 与 208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304 比较,相等即成功。
等于就是一个 RSA 加密过程(无填充的教科书 RSA,直接对输入做模幂)。
其中 E=0x3e9  
N= 0x7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
M= 0x208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304  密文(即 C)。注:原文此处写的是 208CBB7CD6ECC6450019FDF016D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304,多出 0019FDF0 这 8 位,72 个十六进制位比 64 位的 N 还长,powmod 的结果不可能等于它,应为复制错误;脚本 Crack_2 中的 64 位值才是实际比较的密文。
利用在线网站http://www.factordb.com/index.php?query=56828191929550499896142468009756520490526164668720784286547535509684830643589
分解 N 得到 P、Q。N 只有 64 个十六进制位即 256 bit,远低于任何安全强度,factordb 直接就能给出因子——这正是这道题的"漏洞"所在。

用工具由 P、Q、E 计算出 D = E^-1 mod (P-1)(Q-1):
D=21005425588345339621950762401208703877439204233991217052799016669569632540401

之后即可解出明文,详细见脚本。

2.check2 是一个 AES 算法(aes_KeyExpansion_40D760 展开 16 字节密钥,AES_Cipher_40DC40 加密一个 16 字节块)。
.text:00402D60                 push    ebp
.text:00402D61                 mov     ebp, esp
.text:00402D63                 sub     esp, 570h
.text:00402D69                 push    ebx
.text:00402D6A                 push    esi
.text:00402D6B                 push    edi
.text:00402D6C                 lea     edi, [ebp+var_570]
.text:00402D72                 mov     ecx, 15Ch
.text:00402D77                 mov     eax, 0CCCCCCCCh
.text:00402D7C                 rep stosd
.text:00402D7E                 mov     [ebp+var_2C4], 0
.text:00402D85                 mov     ecx, 31h
.text:00402D8A                 xor     eax, eax
.text:00402D8C                 lea     edi, [ebp+var_2C3]
.text:00402D92                 rep stosd
.text:00402D94                 stosw
.text:00402D96                 stosb
.text:00402D97                 mov     ecx, 8
.text:00402D9C                 mov     esi, offset a831gd47?k2m8UV ; "831GD47;?K2M=8:&U#$V#T\"-+\\*)*X'e"
.text:00402DA1                 lea     edi, [ebp+var_38C]
.text:00402DA7                 rep movsd
.text:00402DA9                 movsb
.text:00402DAA                 mov     ecx, 29h
.text:00402DAF                 xor     eax, eax
.text:00402DB1                 lea     edi, [ebp+var_36B]
.text:00402DB7                 rep stosd
.text:00402DB9                 stosw
.text:00402DBB                 stosb
.text:00402DBC                 mov     [ebp+var_454], 70h
.text:00402DC3                 mov     [ebp+var_453], 65h
.text:00402DCA                 mov     [ebp+var_452], 64h
.text:00402DD1                 mov     [ebp+var_451], 69h
.text:00402DD8                 mov     [ebp+var_450], 79h
.text:00402DDF                 mov     ecx, 30h
.text:00402DE4                 xor     eax, eax
.text:00402DE6                 lea     edi, [ebp+var_44F]
.text:00402DEC                 rep stosd
.text:00402DEE                 stosw
.text:00402DF0                 stosb
.text:00402DF1                 mov     [ebp+var_51C], 0
.text:00402DF8                 mov     ecx, 31h
.text:00402DFD                 xor     eax, eax
.text:00402DFF                 lea     edi, [ebp+var_51B]
.text:00402E05                 rep stosd
.text:00402E07                 stosw
.text:00402E09                 stosb
.text:00402E0A                 mov     [ebp+var_530], 0
.text:00402E11                 xor     eax, eax
.text:00402E13                 mov     [ebp+var_52F], eax
.text:00402E19                 mov     [ebp+var_52B], eax
.text:00402E1F                 mov     [ebp+var_527], eax
.text:00402E25                 mov     [ebp+var_523], eax
.text:00402E2B                 push    0Fh             ; size_t
.text:00402E2D                 push    offset a123567389? ; "123567389:;<=>?"
.text:00402E32                 lea     ecx, [ebp+var_530]
.text:00402E38                 push    ecx             ; void *
.text:00402E39                 call    _memcpy
.text:00402E3E                 add     esp, 0Ch
.text:00402E41                 mov     byte ptr [ebp+var_523+2], 20h
.text:00402E48                 call    sub_402E52
.text:00402E4D
.text:00402E4D loc_402E4D:                             ; CODE XREF: sub_402E52p
.text:00402E4D                 call    near ptr 0EC28363Dh
.text:00402E4D sub_402D60      endp ; sp-analysis failed
.text:00402E4D
.text:00402E52
.text:00402E52 ; =============== S U B R O U T I N E =======================================
.text:00402E52
.text:00402E52
.text:00402E52 sub_402E52      proc near               ; CODE XREF: sub_402D60+E8p
.text:00402E52                 call    near ptr loc_402E4D+1
.text:00402E57                 add     esp, 8
.text:00402E5A                 lea     edx, [ebp-38Ch]
.text:00402E60                 push    edx
.text:00402E61                 call    decode_string_401078
.text:00402E66                 add     esp, 4
.text:00402E69                 lea     eax, [ebp-530h]
.text:00402E6F                 push    eax
.text:00402E70                 call    decode_string_401078
.text:00402E75                 add     esp, 4
.text:00402E78                 mov     ecx, [ebp+8]
.text:00402E7B                 mov     dl, [ecx]
.text:00402E7D                 mov     [ebp-530h], dl
.text:00402E83                 mov     eax, [ebp+8]
.text:00402E86                 mov     cl, [eax+1]
.text:00402E89                 mov     [ebp-52Fh], cl
.text:00402E8F                 mov     edx, [ebp+8]
.text:00402E92                 movsx   eax, byte ptr [edx+2]
.text:00402E96                 add     eax, dword_495728
.text:00402E9C                 mov     [ebp-52Eh], al
.text:00402EA2                 push    1FCh            ; size_t
.text:00402EA7                 push    0               ; int
.text:00402EA9                 lea     ecx, [ebp-1FCh]
.text:00402EAF                 push    ecx             ; void *
.text:00402EB0                 call    _memset
.text:00402EB5                 add     esp, 0Ch
.text:00402EB8                 push    0
.text:00402EBA                 lea     edx, [ebp-530h]
.text:00402EC0                 push    edx
.text:00402EC1                 push    10h
.text:00402EC3                 push    0
.text:00402EC5                 lea     eax, [ebp-1FCh]
.text:00402ECB                 push    eax
.text:00402ECC                 call    aes_KeyExpansion_40D760
.text:00402ED1                 add     esp, 14h
.text:00402ED4                 lea     ecx, [ebp-454h]
.text:00402EDA                 push    ecx
.text:00402EDB                 lea     edx, [ebp-1FCh]
.text:00402EE1                 push    edx
.text:00402EE2                 call    AES_Cipher_40DC40
.text:00402EE7                 add     esp, 8
.text:00402EEA                 lea     eax, [ebp-454h]
.text:00402EF0                 push    eax             ; char *
.text:00402EF1                 call    _strlen
.text:00402EF6                 add     esp, 4
.text:00402EF9                 push    eax
.text:00402EFA                 lea     ecx, [ebp-2C4h]
.text:00402F00                 push    ecx
.text:00402F01                 lea     edx, [ebp-454h]
.text:00402F07                 push    edx
.text:00402F08                 call    charAry2String_40100F
.text:00402F0D                 add     esp, 0Ch
.text:00402F10                 lea     eax, [ebp-2C4h]
.text:00402F16                 push    eax             ; char *
.text:00402F17                 lea     ecx, [ebp-38Ch]
.text:00402F1D                 push    ecx             ; char *
.text:00402F1E                 call    _strcmp
.text:00402F23                 add     esp, 8
.text:00402F26                 test    eax, eax
.text:00402F28                 jnz     short loc_402F31
.text:00402F2A                 mov     eax, 1
.text:00402F2F                 jmp     short loc_402F33
.text:00402F31 ; ---------------------------------------------------------------------------
.text:00402F31
.text:00402F31 loc_402F31:                             ; CODE XREF: sub_402E52+D6j
.text:00402F31                 xor     eax, eax
.text:00402F33
.text:00402F33 loc_402F33:                             ; CODE XREF: sub_402E52+DDj
.text:00402F33                 pop     edi
.text:00402F34                 pop     esi
.text:00402F35                 pop     ebx
.text:00402F36                 add     esp, 570h
.text:00402F3C                 cmp     ebp, esp
.text:00402F3E                 call    __chkesp
.text:00402F43                 mov     esp, ebp
.text:00402F45                 pop     ebp
.text:00402F46                 retn


key 的前 2 个字节直接取自输入的前 2 个字符,第 3 个字节 = 输入第 3 个字符 + dword_495728(本文按 +1 处理;反编译里重新启动的分支把 dword_495728 置为 2,另一分支加 1,初值没有显示,实际偏移以自己运行的路径为准),后边 13 字节为固定的 1314000000000,凑成 16 字节的 AES-128 密钥。
然后加密字符串 pediy(放在清零的 16 字节块里,相当于零填充的 ECB 单块加密),结果要求为:912CA2036A9A0656D17B6B552F157F8E

根据这些条件:密钥只有前 3 个字节未知,而且 check_isdigit 要求这 3 个输入字符都是数字,密钥空间只有 10^3 量级,直接爆破即可。
脚本如下:
# -*- coding: cp936 -*-
import itertools
import math
import sys
from binascii import a2b_hex, b2a_hex

from Crypto.Cipher import AES
class prpcrypt():
    """Thin AES-ECB wrapper that mimics the target binary's single-block check.

    The crackme expands a 16-byte key (aes_KeyExpansion_40D760) and runs
    AES_Cipher_40DC40 over a zero-filled 16-byte buffer holding "pediy", so
    this wrapper deliberately uses ECB mode and zero padding. That is NOT a
    secure construction (no IV, no authentication, ambiguous padding); it is
    only here to reproduce what the binary computes.
    """

    # AES block size in bytes; inputs are zero-padded up to a multiple of it.
    BLOCK = 16

    def __init__(self, key):
        # key must be 16/24/32 bytes (AES-128/192/256); the crackme uses 16
        self.key = key
        self.mode = AES.MODE_ECB

    def encrypt(self, text):
        """Zero-pad *text* to a block boundary, encrypt it and return hex.

        The raw ciphertext is also kept in ``self.ciphertext`` for
        compatibility with the original helper.
        """
        cipher = AES.new(self.key, self.mode)
        remainder = len(text) % self.BLOCK
        if remainder:
            padded = text + '\0' * (self.BLOCK - remainder)
        else:
            padded = text
        self.ciphertext = cipher.encrypt(padded)
        # hex so the result can be compared with the constant from the binary
        return b2a_hex(self.ciphertext)

    def decrypt(self, text):
        """Decrypt a hex-encoded ciphertext and strip the zero padding.

        rstrip also removes genuine trailing NUL bytes of the plaintext;
        acceptable for this CTF, wrong in general.
        """
        cipher = AES.new(self.key, self.mode)
        return cipher.decrypt(a2b_hex(text)).rstrip('\0')
def __multi(array, bin_array):  
    result = 1  
    for index in range(len(array)):  
        a = array[index]  
        if not int(bin_array[index]):  
            continue  
        result *= a  
    return result  
  
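def exp_mode(base, exponent, n):
    """Return ``base ** exponent mod n`` by right-to-left square-and-multiply.

    Equivalent to the builtin ``pow(base, exponent, n)``, which is what you
    should use outside a writeup; kept explicit here to show the RSA maths.
    Unlike the original, every intermediate is reduced modulo ``n`` so the
    working values never exceed ``n * n``.

    Args:
        base: integer base (any sign).
        exponent: non-negative integer exponent.
        n: positive modulus.

    Returns:
        int in ``range(n)``.

    Raises:
        ValueError: if ``exponent`` is negative or ``n`` is not positive.
    """
    if exponent < 0:
        raise ValueError("exp_mode: exponent must be non-negative")
    if n <= 0:
        raise ValueError("exp_mode: modulus must be positive")
    result = 1 % n  # covers exponent == 0 and n == 1 uniformly
    square = base % n
    while exponent:
        if exponent & 1:
            result = result * square % n
        square = square * square % n
        exponent >>= 1
    return result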
  
# 加密 m是被加密的信息 加密成为c  
def encrypt(m, n, e):
    """Textbook RSA encryption: ``c = m^e mod n`` (no padding).

    Parameter order (m, n, e) is kept for the callers in this script.
    """
    # builtin pow performs the modular exponentiation exp_mode spells out
    return pow(m, e, n)
  
# 解密 c是密文,解密为明文m  
def decrypt(c, n, d):
    """Textbook RSA decryption: ``m = c^d mod n`` (no padding).

    Parameter order (c, n, d) is kept for the callers in this script.
    """
    # builtin pow performs the modular exponentiation exp_mode spells out
    return pow(c, d, n)

#前3位
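def Crack_1(target="912ca2036a9a0656d17b6b552f157f8e", suffix="1314000000000",
            plaintext="pediy"):
    """Brute-force the 3 unknown leading bytes of check2's AES-128 key.

    check2 builds a 16-byte key as ``input[0], input[1], input[2] + dword_495728``
    followed by the fixed 13-byte tail ``suffix``, AES-encrypts "pediy" in a
    zeroed block and compares the hex result with ``target``. Only 3 bytes are
    unknown and check_isdigit requires the input characters to be digits, so
    the key space is about 10**3 and exhaustive search is immediate.

    The third *key* byte is the third *input* digit plus dword_495728 (the
    writeup assumes +1; the visible code sets it to 2 on the re-launch path),
    so ':' and ';' are also tried for that position to cover shifts of 1 or 2.
    Subtract that offset again when turning the key back into the input.

    Args:
        target: expected ciphertext, lowercase hex, as compared by the binary.
        suffix: the fixed 13-byte key tail.
        plaintext: the string the binary encrypts.

    Returns:
        The 16-byte key string that reproduces ``target``, or None if none of
        the candidates match.

    Raises:
        RuntimeError: if the AES wrapper does not round-trip (environment problem).
    """
    # sanity check of the wrapper before trusting any brute-force result
    probe = prpcrypt("1121314000000000")
    if probe.decrypt(probe.encrypt(plaintext)) != plaintext:
        raise RuntimeError("AES wrapper does not round-trip")

    digits = "0123456789"
    for a, b, c in itertools.product(digits, digits, digits + ":;"):
        key = a + b + c + suffix
        if prpcrypt(key).encrypt(plaintext) == target:
            print(key)
            # returning (not break) leaves all three nested dimensions at once
            return key
    print("over")
    return None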
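def Crack_2(N=0x7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585,
            C=0x208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304,
            D=21005425588345339621950762401208703877439204233991217052799016669569632540401,
            E=0x3e9):
    """Recover the tail of the serial by textbook-RSA decryption.

    check1 hex-encodes the input from offset 3, computes ``pow(x, 0x3e9, N)``
    with MIRACL and compares the result with C. N is only 256 bits, so it
    factors instantly (factordb link in the writeup), which yields D.

    Args:
        N: modulus decoded inside check1.
        C: expected ciphertext (the 64-hex-digit value; the 72-digit value in
           the prose is a copy error and is larger than N).
        D: private exponent derived from P, Q and E.
        E: public exponent, used only to verify the recovered plaintext.

    Returns:
        The recovered plaintext as raw bytes (expected "iamahandsomeguyhaha1").

    Raises:
        ValueError: if ``x^E mod N`` does not reproduce C, i.e. N, C and D are
            inconsistent (wrong factorisation or wrong ciphertext).
    """
    x = pow(C, D, N)
    # re-encrypt so an inconsistent D/N/C fails loudly instead of printing junk
    if pow(x, E, N) != C:
        raise ValueError("Crack_2: recovered value does not re-encrypt to C")
    # '%x' has no trailing 'L' (unlike hex() on Python 2 longs), so the old
    # hex(x)[2:-1] slice - which drops a real digit on Python 3 - is not needed;
    # pad to an even length so every byte is two hex digits
    hex_str = "%x" % x
    if len(hex_str) % 2:
        hex_str = "0" + hex_str
    plain = a2b_hex(hex_str)
    print(plain)
    return plain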
    
if __name__ == '__main__':
    # Only the RSA stage runs by default; call Crack_1() for the AES brute force.
    Crack_2()



