[原创]看雪.京东 2018CTF 第四题 密界寻踪 writeup
2018-6-22 17:44 2352
- 1.查加密算法:
有大数运算和AES算法。
- 2.分析流程
.text:0045C106 _main_0_0: ; CODE XREF: _main_0j .text:0045C106 jz short loc_45C10C .text:0045C108 jnz short loc_45C10C .text:0045C10A jmp short loc_45C10E .text:0045C10C ; --------------------------------------------------------------------------- .text:0045C10C .text:0045C10C loc_45C10C: ; CODE XREF: .text:_main_0_0j .text:0045C10C ; .text:0045C108j .text:0045C10C jmp short near ptr loc_45C10E+1 .text:0045C10E ; --------------------------------------------------------------------------- .text:0045C10E .text:0045C10E loc_45C10E: ; CODE XREF: .text:0045C10Aj .text:0045C10E ; .text:loc_45C10Cj .text:0045C10E adc dword ptr [ebp+74h], 0E8027504h .text:0045C115 add ch, bl .text:0045C117 add [ecx+370EC8Bh], eax .text:0045C11D jno short near ptr loc_45C11F+1 .text:0045C11F .text:0045C11F loc_45C11F: ; CODE XREF: .text:0045C11Dj .text:0045C11F ; .text:0045C125j .text:0045C11F call near ptr 0E9C2ADA7h .text:0045C124 push cs .text:0045C125 jo short near ptr loc_45C11F+2 .text:0045C127 call dword ptr [eax+0]
入口处做了乱套。比较少也没什么影响,直接f7单步步过即可。
反调试:
/*
 * Anti-debug / re-launch stub (decompiler output, reformatted; tokens unchanged).
 *
 * Flow visible here:
 *   - CheckDbg_4010C8() true  -> bump the global counter dword_495728 and return.
 *   - otherwise               -> start a fresh copy of this executable via
 *                                CreateProcessA (path from GetModuleFileName_401064),
 *                                set dword_495728 = 2, close the child's handles.
 * The writeup states the check is on the parent process name (explorer.exe).
 *
 * NOTE(review): dword_495728 is not just a flag. The check2 routine (sub_402E52)
 * adds it to the third input byte before AES key expansion, so patching the
 * conditional jump here changes the derived key unless the global still ends up
 * at the value (2) the CreateProcessA path sets. Confirm against the later listing.
 */
int sub_4023E0()
{
  int result; // eax@3
  char v1; // [sp+Ch] [bp-2C0h]@1
  struct _PROCESS_INFORMATION ProcessInformation; // [sp+4Ch] [bp-280h]@2
  struct _STARTUPINFOA StartupInfo; // [sp+5Ch] [bp-270h]@2
  void *v4; // [sp+A0h] [bp-22Ch]@1
  char v5; // [sp+A4h] [bp-228h]@1
  char v6; // [sp+A5h] [bp-227h]@1
  char v7; // [sp+D5h] [bp-1F7h]@1
  CHAR ApplicationName; // [sp+D8h] [bp-1F4h]@1

  memset(&v1, 0xCCu, 0x2C0u); // MSVC debug-build stack fill, not part of the logic
  v5 = 0;
  memset(&v6, 0, 0x30u);
  v7 = 0;
  v4 = GetModuleFileName_401064();
  memcpy(&ApplicationName, v4, 0x1F4u); // own executable path -> re-launch target
  if ( CheckDbg_4010C8() )
  {
    // Debugger/parent check passed: counter is incremented, return value is the new count.
    result = dword_495728++ + 1;
  }
  else
  {
    memcpy(&v5, &unk_495640, 0x32u); // 0x32 bytes from a static blob; use not visible here
    memset(&StartupInfo, 0, 0x44u);
    StartupInfo.cb = 68;
    StartupInfo.dwFlags = 1;       // STARTF_USESHOWWINDOW
    StartupInfo.wShowWindow = 1;   // SW_SHOWNORMAL
    // 0x10 = CREATE_NEW_CONSOLE; the child is the same binary with no arguments.
    if ( CreateProcessA(&ApplicationName, 0, 0, 0, 0, 0x10u, 0, 0, &StartupInfo, &ProcessInformation) )
    {
      dword_495728 = 2; // value later folded into the check2 AES key byte
      CloseHandle(ProcessInformation.hProcess);
      result = CloseHandle(ProcessInformation.hThread);
    }
    else
    {
      result = printf("error");
    }
  }
  return result;
}
主要是检测父进程名称,是explorer.exe则关闭当前进程,然后另外启动一个进程。
直接改跳转跳过。
主要验证流程:
.text:004031D2 call j_print_ctf_403040 .text:004031D7 call sub_40100A .text:004031DC lea edx, [ebp-14h] .text:004031DF push edx .text:004031E0 call decode_string_401078 ; successs .text:004031E5 add esp, 4 .text:004031E8 lea eax, [ebp-20h] .text:004031EB push eax .text:004031EC call decode_string_401078 ; error .text:004031F1 add esp, 4 .text:004031F4 push 18h .text:004031F6 lea ecx, [ebp-38h] .text:004031F9 push ecx .text:004031FA push offset aS_0 ; "%s" .text:004031FF call _scanf .text:00403204 add esp, 0Ch .text:00403207 lea edx, [ebp-38h] .text:0040320A push edx ; char * .text:0040320B call _strlen .text:00403210 add esp, 4 .text:00403213 cmp eax, 17h ; 长度17 .text:00403216 jbe short loc_40322B .text:00403218 lea eax, [ebp-20h] .text:0040321B push eax ; char * .text:0040321C call _printf .text:00403221 add esp, 4 .text:00403224 push 0 ; int .text:00403226 call _exit .text:0040322B ; --------------------------------------------------------------------------- .text:0040322B .text:0040322B loc_40322B: ; CODE XREF: sub_40315C+BAj .text:0040322B lea ecx, [ebp-35h] .text:0040322E push ecx ; char * .text:0040322F call _strlen .text:00403234 add esp, 4 .text:00403237 push eax .text:00403238 push offset unk_495660 ; 放在这里 .text:0040323D lea edx, [ebp-35h] .text:00403240 push edx .text:00403241 call j_Covert_string_to_hex_string_402220 .text:00403246 add esp, 0Ch .text:00403249 call check1_40125D ; 大数运算 .text:0040324E mov [ebp-4], eax .text:00403251 push 3 ; size_t .text:00403253 lea eax, [ebp-38h] .text:00403256 push eax ; void * .text:00403257 lea ecx, [ebp-3Ch] .text:0040325A push ecx ; void * .text:0040325B call _memcpy .text:00403260 add esp, 0Ch .text:00403263 lea edx, [ebp-3Ch] .text:00403266 push edx .text:00403267 call check_isdigit_40108C .text:0040326C add esp, 4 .text:0040326F and eax, 0FFh .text:00403274 test eax, eax .text:00403276 jz short loc_403289 .text:00403278 lea eax, [ebp-3Ch] .text:0040327B push eax .text:0040327C call check2_40128F .text:00403281 
add esp, 4 .text:00403284 mov [ebp-8], eax .text:00403287 jmp short loc_403299 .text:00403289 ; --------------------------------------------------------------------------- .text:00403289 .text:00403289 loc_403289: ; CODE XREF: sub_40315C+11Aj .text:00403289 lea ecx, [ebp-20h] .text:0040328C push ecx ; char * .text:0040328D call _printf .text:00403292 add esp, 4 .text:00403295 xor eax, eax .text:00403297 jmp short loc_4032CD .text:00403299 ; --------------------------------------------------------------------------- .text:00403299 .text:00403299 loc_403299: ; CODE XREF: sub_40315C+12Bj .text:00403299 mov edx, [ebp-4] .text:0040329C add edx, [ebp-8] .text:0040329F cmp edx, 2 .text:004032A2 jnz short loc_4032B2 .text:004032A4 lea eax, [ebp-14h] .text:004032A7 push eax ; char * .text:004032A8 call _printf .text:004032AD add esp, 4 .text:004032B0 jmp short loc_4032BE .text:004032B2 ; --------------------------------------------------------------------------- .text:004032B2 .text:004032B2 loc_4032B2: ; CODE XREF: sub_40315C+146j .text:004032B2 lea ecx, [ebp-20h] .text:004032B5 push ecx ; char * .text:004032B6 call _printf
两个check函数比较长,中间也加了乱序代码干扰分析。
check1 是一个rsa算法。
.text:00402630 .text:00402630 push ebp .text:00402631 mov ebp, esp .text:00402633 sub esp, 374h .text:00402639 push ebx .text:0040263A push esi .text:0040263B push edi .text:0040263C lea edi, [ebp+var_374] .text:00402642 mov ecx, 0DDh .text:00402647 mov eax, 0CCCCCCCCh .text:0040264C rep stosd .text:0040264E push 10h .text:00402650 push 1F4h .text:00402655 call mirsys_4095A0 .text:0040265A add esp, 8 .text:0040265D mov [ebp+var_4], eax .text:00402660 mov [ebp+var_CC], 33h .text:00402667 mov [ebp+var_CB], 32h .text:0040266E mov [ebp+var_CA], 3Bh .text:00402675 mov [ebp+var_C9], 47h .text:0040267C mov [ebp+var_C8], 47h .text:00402683 mov [ebp+var_C7], 44h .text:0040268A mov [ebp+var_C6], 30h .text:00402691 mov [ebp+var_C5], 4Bh .text:00402698 mov [ebp+var_C4], 4Dh .text:0040269F mov [ebp+var_C3], 3Ch .text:004026A6 mov [ebp+var_C2], 4Eh .text:004026AD mov [ebp+var_C1], 4Fh .text:004026B4 mov [ebp+var_C0], 4Eh .text:004026BB mov [ebp+var_BF], 38h .text:004026C2 mov [ebp+var_BE], 3Bh .text:004026C9 mov [ebp+var_BD], 25h .text:004026D0 mov [ebp+var_BC], 20h .text:004026D7 mov [ebp+var_BB], 24h .text:004026DE mov [ebp+var_BA], 57h .text:004026E5 mov [ebp+var_B9], 24h .text:004026EC mov [ebp+var_B8], 22h .text:004026F3 mov [ebp+var_B7], 52h .text:004026FA mov [ebp+var_B6], 2Eh .text:00402701 mov [ebp+var_B5], 2Fh .text:00402708 mov [ebp+var_B4], 21h .text:0040270F mov [ebp+var_B3], 5Ch .text:00402716 mov [ebp+var_B2], 2Eh .text:0040271D mov [ebp+var_B1], 5Ah .text:00402724 mov [ebp+var_B0], 2Dh .text:0040272B mov [ebp+var_AF], 28h .text:00402732 mov [ebp+var_AE], 27h .text:00402739 mov [ebp+var_AD], 11h .text:00402740 mov [ebp+var_AC], 67h .text:00402747 mov [ebp+var_AB], 17h .text:0040274E mov [ebp+var_AA], 10h .text:00402755 mov [ebp+var_A9], 10h .text:0040275C mov [ebp+var_A8], 60h .text:00402763 mov [ebp+var_A7], 67h .text:0040276A mov [ebp+var_A6], 63h .text:00402771 mov [ebp+var_A5], 1Ah .text:00402778 mov [ebp+var_A4], 1Ah .text:0040277F mov [ebp+var_A3], 1Fh 
.text:00402786 mov [ebp+var_A2], 6Fh .text:0040278D mov [ebp+var_A1], 19h .text:00402794 mov [ebp+var_A0], 6Eh .text:0040279B mov [ebp+var_9F], 1Ah .text:004027A2 mov [ebp+var_9E], 16h .text:004027A9 mov [ebp+var_9D], 71h .text:004027B0 mov [ebp+var_9C], 75h .text:004027B7 mov [ebp+var_9B], 76h .text:004027BE mov [ebp+var_9A], 4 .text:004027C5 mov [ebp+var_99], 6 .text:004027CC mov [ebp+var_98], 71h .text:004027D3 mov [ebp+var_97], 4 .text:004027DA mov [ebp+var_96], 73h .text:004027E1 mov [ebp+var_95], 7Ah .text:004027E8 mov [ebp+var_94], 1 .text:004027EF mov [ebp+var_93], 0Eh .text:004027F6 mov [ebp+var_92], 0Bh .text:004027FD mov [ebp+var_91], 78h .text:00402804 mov [ebp+var_90], 8 .text:0040280B mov [ebp+var_8F], 0Dh .text:00402812 mov [ebp+var_8E], 0Fh .text:00402819 mov [ebp+var_8D], 74h .text:00402820 mov ecx, 22h .text:00402825 xor eax, eax .text:00402827 lea edi, [ebp+var_8C] .text:0040282D rep stosd .text:0040282F mov [ebp+var_194], 0 .text:00402836 mov ecx, 31h .text:0040283B xor eax, eax .text:0040283D lea edi, [ebp+var_193] .text:00402843 rep stosd .text:00402845 stosw .text:00402847 stosb .text:00402848 mov [ebp+var_25C], 0 .text:0040284F mov ecx, 31h .text:00402854 xor eax, eax .text:00402856 lea edi, [ebp+var_25B] .text:0040285C rep stosd .text:0040285E stosw .text:00402860 stosb .text:00402861 mov [ebp+var_324], 36h .text:00402868 mov [ebp+var_323], 66h .text:0040286F mov [ebp+var_322], 62h .text:00402876 mov [ebp+var_321], 37h .text:0040287D mov [ebp+var_320], 3Ch .text:00402884 mov [ebp+var_31F], 62h .text:0040288B mov [ebp+var_31E], 62h .text:00402892 mov [ebp+var_31D], 3Eh .text:00402899 mov [ebp+var_31C], 3Fh .text:004028A0 mov [ebp+var_31B], 3Ah .text:004028A7 mov [ebp+var_31A], 3Ah .text:004028AE mov [ebp+var_319], 3Ah .text:004028B5 mov [ebp+var_318], 39h .text:004028BC mov [ebp+var_317], 39h .text:004028C3 mov [ebp+var_316], 38h .text:004028CA mov [ebp+var_315], 72h .text:004028D1 mov [ebp+var_314], 20h .text:004028D8 mov [ebp+var_313], 73h 
.text:004028DF mov [ebp+var_312], 75h .text:004028E6 mov [ebp+var_311], 77h .text:004028ED mov [ebp+var_310], 26h .text:004028F4 mov [ebp+var_30F], 72h .text:004028FB mov [ebp+var_30E], 74h .text:00402902 mov [ebp+var_30D], 20h .text:00402909 mov [ebp+var_30C], 7Ch .text:00402910 mov [ebp+var_30B], 29h .text:00402917 mov [ebp+var_30A], 2Bh .text:0040291E mov [ebp+var_309], 25h .text:00402925 mov [ebp+var_308], 79h .text:0040292C mov [ebp+var_307], 7Dh .text:00402933 mov [ebp+var_306], 2Bh .text:0040293A mov [ebp+var_305], 12h .text:00402941 mov [ebp+var_304], 18h .text:00402948 mov [ebp+var_303], 40h .text:0040294F mov [ebp+var_302], 16h .text:00402956 mov [ebp+var_301], 40h .text:0040295D mov [ebp+var_300], 40h .text:00402964 mov [ebp+var_2FF], 1Eh .text:0040296B mov [ebp+var_2FE], 12h .text:00402972 mov [ebp+var_2FD], 1Dh .text:00402979 mov [ebp+var_2FC], 4Fh .text:00402980 mov [ebp+var_2FB], 1Ah .text:00402987 mov [ebp+var_2FA], 4Fh .text:0040298E mov [ebp+var_2F9], 1Ah .text:00402995 mov [ebp+var_2F8], 1Ch .text:0040299C mov [ebp+var_2F7], 18h .text:004029A3 mov [ebp+var_2F6], 4Bh .text:004029AA mov [ebp+var_2F5], 2 .text:004029B1 mov [ebp+var_2F4], 3 .text:004029B8 mov [ebp+var_2F3], 7 .text:004029BF mov [ebp+var_2F2], 51h .text:004029C6 mov [ebp+var_2F1], 1 .text:004029CD mov [ebp+var_2F0], 2 .text:004029D4 mov [ebp+var_2EF], 6 .text:004029DB mov [ebp+var_2EE], 55h .text:004029E2 mov [ebp+var_2ED], 0Eh .text:004029E9 mov [ebp+var_2EC], 1 .text:004029F0 mov [ebp+var_2EB], 58h .text:004029F7 mov [ebp+var_2EA], 3 .text:004029FE mov [ebp+var_2E9], 4 .text:00402A05 mov [ebp+var_2E8], 5Ch .text:00402A0C mov [ebp+var_2E7], 0Bh .text:00402A13 mov [ebp+var_2E6], 7 .text:00402A1A mov [ebp+var_2E5], 75h .text:00402A21 mov ecx, 22h .text:00402A26 xor eax, eax .text:00402A28 lea edi, [ebp+var_2E4] .text:00402A2E rep stosd .text:00402A30 call sub_402A3A .text:00402A35 .text:00402A35 loc_402A35: ; CODE XREF: sub_402A3Ap .text:00402A35 call near ptr 12B3225h .text:00402A35 
sub_402630 endp ; sp-analysis failed .text:00402A35 .text:00402A3A .text:00402A3A ; =============== S U B R O U T I N E ======================================= .text:00402A3A .text:00402A3A .text:00402A3A sub_402A3A proc near ; CODE XREF: sub_402630+400p .text:00402A3A call near ptr loc_402A35+1 .text:00402A3F add esp, 8 .text:00402A42 lea eax, [ebp-0CCh] .text:00402A48 push eax .text:00402A49 call decode_string_401078 .text:00402A4E add esp, 4 .text:00402A51 lea ecx, [ebp-324h] .text:00402A57 push ecx .text:00402A58 call decode_string_401078 .text:00402A5D add esp, 4 .text:00402A60 mov edx, [ebp-4] .text:00402A63 mov dword ptr [edx+234h], 16 ; mip->IOBASE=16; //将原来的10进制改为16进制模式 .text:00402A6D push 0 .text:00402A6F call mirsys_func1_409350 .text:00402A74 add esp, 4 .text:00402A77 mov [ebp-328h], eax .text:00402A7D push 0 .text:00402A7F call mirsys_func1_409350 .text:00402A84 add esp, 4 .text:00402A87 mov [ebp-32Ch], eax .text:00402A8D push 0 .text:00402A8F call mirsys_func1_409350 .text:00402A94 add esp, 4 .text:00402A97 mov [ebp-334h], eax .text:00402A9D push 0 .text:00402A9F call mirsys_func1_409350 .text:00402AA4 add esp, 4 .text:00402AA7 mov [ebp-330h], eax .text:00402AAD push offset unk_495660 .text:00402AB2 mov eax, [ebp-334h] .text:00402AB8 push eax .text:00402AB9 call mirsys_cinstr_40D1E0 .text:00402ABE add esp, 8 .text:00402AC1 lea ecx, [ebp-324h] .text:00402AC7 push ecx .text:00402AC8 mov edx, [ebp-328h] .text:00402ACE push edx .text:00402ACF call mirsys_cinstr_40D1E0 .text:00402AD4 add esp, 8 .text:00402AD7 push offset a3e9 ; "3e9" .text:00402ADC mov eax, [ebp-32Ch] .text:00402AE2 push eax .text:00402AE3 call mirsys_cinstr_40D1E0 .text:00402AE8 add esp, 8 .text:00402AEB mov ecx, [ebp-328h] .text:00402AF1 push ecx .text:00402AF2 mov edx, [ebp-334h] .text:00402AF8 push edx .text:00402AF9 call mirsys_compare_40A2C0 ; 函数原型: int compare(big x, big y); .text:00402AF9 ; .text:00402AF9 ; 功能说明: 比较两个大数的大小 .text:00402AF9 ; .text:00402AF9 ; 返回值: x>y时返回+1, x=y时返回0, 
x<y时返回-1 .text:00402AFE add esp, 8 .text:00402B01 cmp eax, 0FFFFFFFFh .text:00402B04 jnz loc_402BD4 .text:00402B0A mov eax, [ebp-330h] .text:00402B10 push eax .text:00402B11 mov ecx, [ebp-328h] .text:00402B17 push ecx .text:00402B18 mov edx, [ebp-32Ch] .text:00402B1E push edx .text:00402B1F mov eax, [ebp-334h] .text:00402B25 push eax .text:00402B26 call mirsys_powmod_40C110 ; 函数原型: void powmod(big x, big y,big z, big w); .text:00402B26 ; .text:00402B26 ; 功能说明: 模幂运算,w=xy mod z .text:00402B2B add esp, 10h .text:00402B2E push 0 .text:00402B30 lea ecx, [ebp-194h] .text:00402B36 push ecx .text:00402B37 mov edx, [ebp-330h] .text:00402B3D push edx .text:00402B3E push 0 .text:00402B40 call mirsys_get_40B280 .text:00402B45 add esp, 10h .text:00402B48 mov eax, [ebp-328h] .text:00402B4E push eax .text:00402B4F call mirsys_mirkill_409CA0 .text:00402B54 add esp, 4 .text:00402B57 mov ecx, [ebp-32Ch] .text:00402B5D push ecx .text:00402B5E call mirsys_mirkill_409CA0 .text:00402B63 add esp, 4 .text:00402B66 mov edx, [ebp-334h] .text:00402B6C push edx .text:00402B6D call mirsys_mirkill_409CA0 .text:00402B72 add esp, 4 .text:00402B75 mov eax, [ebp-330h] .text:00402B7B push eax .text:00402B7C call mirsys_mirkill_409CA0 .text:00402B81 add esp, 4 .text:00402B84 call sub_409CC0 .text:00402B89 lea ecx, [ebp-194h] .text:00402B8F push ecx ; char * .text:00402B90 call _strlen .text:00402B95 add esp, 4 .text:00402B98 push eax .text:00402B99 lea edx, [ebp-25Ch] .text:00402B9F push edx .text:00402BA0 lea eax, [ebp-194h] .text:00402BA6 push eax .text:00402BA7 call charAry2String_40100F .text:00402BAC add esp, 0Ch .text:00402BAF lea ecx, [ebp-25Ch] .text:00402BB5 push ecx ; char * .text:00402BB6 lea edx, [ebp-0CCh] .text:00402BBC push edx ; char * .text:00402BBD call _strcmp .text:00402BC2 add esp, 8 .text:00402BC5 test eax, eax .text:00402BC7 jnz short loc_402BD0 .text:00402BC9 mov eax, 1 .text:00402BCE jmp short loc_402BD6 .text:00402BD0 ; 
--------------------------------------------------------------------------- .text:00402BD0 .text:00402BD0 loc_402BD0: ; CODE XREF: sub_402A3A+18Dj .text:00402BD0 xor eax, eax .text:00402BD2 jmp short loc_402BD6 .text:00402BD4 ; --------------------------------------------------------------------------- .text:00402BD4 .text:00402BD4 loc_402BD4: ; CODE XREF: sub_402A3A+CAj .text:00402BD4 xor eax, eax .text:00402BD6 .text:00402BD6 loc_402BD6: ; CODE XREF: sub_402A3A+194j .text:00402BD6 ; sub_402A3A+198j .text:00402BD6 pop edi .text:00402BD7 pop esi .text:00402BD8 pop ebx .text:00402BD9 add esp, 374h .text:00402BDF cmp ebp, esp .text:00402BE1 call __chkesp .text:00402BE6 mov esp, ebp .text:00402BE8 pop ebp .text:00402BE9 retn .text:00402BE9 sub_402A3A endp ; sp-analysis failed
主要过程:
1.取注册码的第4位后边的字符串,转成16进制字符串。
2.利用 mirsys 计算
powmod:
函数原型: void powmod(big x, big y, big z, big w); 功能说明: 模幂运算, w = x^y mod z
X就是输入的字符串
Y是0x3e9
Z是7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585 上边解密出来的字符串
计算出来的值W与208CBB7CD6ECC6450019FDF016D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304比较,相等既成功。
等于就是一个RSA加密过程。
其中E=0x3e9
N= 0x7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
M= 0x208CBB7CD6ECC6450019FDF016D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304 密文。
利用在线网站http://www.factordb.com/index.php?query=56828191929550499896142468009756520490526164668720784286547535509684830643589
分解N得到P,Q
用工具计算出D
D=21005425588345339621950762401208703877439204233991217052799016669569632540401
之后即可解出明文,详细见脚本。
2.check2是一个AES算法。
.text:00402D60 push ebp .text:00402D61 mov ebp, esp .text:00402D63 sub esp, 570h .text:00402D69 push ebx .text:00402D6A push esi .text:00402D6B push edi .text:00402D6C lea edi, [ebp+var_570] .text:00402D72 mov ecx, 15Ch .text:00402D77 mov eax, 0CCCCCCCCh .text:00402D7C rep stosd .text:00402D7E mov [ebp+var_2C4], 0 .text:00402D85 mov ecx, 31h .text:00402D8A xor eax, eax .text:00402D8C lea edi, [ebp+var_2C3] .text:00402D92 rep stosd .text:00402D94 stosw .text:00402D96 stosb .text:00402D97 mov ecx, 8 .text:00402D9C mov esi, offset a831gd47?k2m8UV ; "831GD47;?K2M=8:&U#$V#T\"-+\\*)*X'e" .text:00402DA1 lea edi, [ebp+var_38C] .text:00402DA7 rep movsd .text:00402DA9 movsb .text:00402DAA mov ecx, 29h .text:00402DAF xor eax, eax .text:00402DB1 lea edi, [ebp+var_36B] .text:00402DB7 rep stosd .text:00402DB9 stosw .text:00402DBB stosb .text:00402DBC mov [ebp+var_454], 70h .text:00402DC3 mov [ebp+var_453], 65h .text:00402DCA mov [ebp+var_452], 64h .text:00402DD1 mov [ebp+var_451], 69h .text:00402DD8 mov [ebp+var_450], 79h .text:00402DDF mov ecx, 30h .text:00402DE4 xor eax, eax .text:00402DE6 lea edi, [ebp+var_44F] .text:00402DEC rep stosd .text:00402DEE stosw .text:00402DF0 stosb .text:00402DF1 mov [ebp+var_51C], 0 .text:00402DF8 mov ecx, 31h .text:00402DFD xor eax, eax .text:00402DFF lea edi, [ebp+var_51B] .text:00402E05 rep stosd .text:00402E07 stosw .text:00402E09 stosb .text:00402E0A mov [ebp+var_530], 0 .text:00402E11 xor eax, eax .text:00402E13 mov [ebp+var_52F], eax .text:00402E19 mov [ebp+var_52B], eax .text:00402E1F mov [ebp+var_527], eax .text:00402E25 mov [ebp+var_523], eax .text:00402E2B push 0Fh ; size_t .text:00402E2D push offset a123567389? ; "123567389:;<=>?" 
.text:00402E32 lea ecx, [ebp+var_530] .text:00402E38 push ecx ; void * .text:00402E39 call _memcpy .text:00402E3E add esp, 0Ch .text:00402E41 mov byte ptr [ebp+var_523+2], 20h .text:00402E48 call sub_402E52 .text:00402E4D .text:00402E4D loc_402E4D: ; CODE XREF: sub_402E52p .text:00402E4D call near ptr 0EC28363Dh .text:00402E4D sub_402D60 endp ; sp-analysis failed .text:00402E4D .text:00402E52 .text:00402E52 ; =============== S U B R O U T I N E ======================================= .text:00402E52 .text:00402E52 .text:00402E52 sub_402E52 proc near ; CODE XREF: sub_402D60+E8p .text:00402E52 call near ptr loc_402E4D+1 .text:00402E57 add esp, 8 .text:00402E5A lea edx, [ebp-38Ch] .text:00402E60 push edx .text:00402E61 call decode_string_401078 .text:00402E66 add esp, 4 .text:00402E69 lea eax, [ebp-530h] .text:00402E6F push eax .text:00402E70 call decode_string_401078 .text:00402E75 add esp, 4 .text:00402E78 mov ecx, [ebp+8] .text:00402E7B mov dl, [ecx] .text:00402E7D mov [ebp-530h], dl .text:00402E83 mov eax, [ebp+8] .text:00402E86 mov cl, [eax+1] .text:00402E89 mov [ebp-52Fh], cl .text:00402E8F mov edx, [ebp+8] .text:00402E92 movsx eax, byte ptr [edx+2] .text:00402E96 add eax, dword_495728 .text:00402E9C mov [ebp-52Eh], al .text:00402EA2 push 1FCh ; size_t .text:00402EA7 push 0 ; int .text:00402EA9 lea ecx, [ebp-1FCh] .text:00402EAF push ecx ; void * .text:00402EB0 call _memset .text:00402EB5 add esp, 0Ch .text:00402EB8 push 0 .text:00402EBA lea edx, [ebp-530h] .text:00402EC0 push edx .text:00402EC1 push 10h .text:00402EC3 push 0 .text:00402EC5 lea eax, [ebp-1FCh] .text:00402ECB push eax .text:00402ECC call aes_KeyExpansion_40D760 .text:00402ED1 add esp, 14h .text:00402ED4 lea ecx, [ebp-454h] .text:00402EDA push ecx .text:00402EDB lea edx, [ebp-1FCh] .text:00402EE1 push edx .text:00402EE2 call AES_Cipher_40DC40 .text:00402EE7 add esp, 8 .text:00402EEA lea eax, [ebp-454h] .text:00402EF0 push eax ; char * .text:00402EF1 call _strlen .text:00402EF6 add esp, 4 
.text:00402EF9 push eax .text:00402EFA lea ecx, [ebp-2C4h] .text:00402F00 push ecx .text:00402F01 lea edx, [ebp-454h] .text:00402F07 push edx .text:00402F08 call charAry2String_40100F .text:00402F0D add esp, 0Ch .text:00402F10 lea eax, [ebp-2C4h] .text:00402F16 push eax ; char * .text:00402F17 lea ecx, [ebp-38Ch] .text:00402F1D push ecx ; char * .text:00402F1E call _strcmp .text:00402F23 add esp, 8 .text:00402F26 test eax, eax .text:00402F28 jnz short loc_402F31 .text:00402F2A mov eax, 1 .text:00402F2F jmp short loc_402F33 .text:00402F31 ; --------------------------------------------------------------------------- .text:00402F31 .text:00402F31 loc_402F31: ; CODE XREF: sub_402E52+D6j .text:00402F31 xor eax, eax .text:00402F33 .text:00402F33 loc_402F33: ; CODE XREF: sub_402E52+DDj .text:00402F33 pop edi .text:00402F34 pop esi .text:00402F35 pop ebx .text:00402F36 add esp, 570h .text:00402F3C cmp ebp, esp .text:00402F3E call __chkesp .text:00402F43 mov esp, ebp .text:00402F45 pop ebp .text:00402F46 retn
key的前三个为我们输入的数值+1,后边的13位为固定的1314000000000
然后加密字符串pediy,结果要求为:912CA2036A9A0656D17B6B552F157F8E
根据这些条件,爆破即可。
脚本如下:
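# -*- coding: cp936 -*-
"""Solver for the two checks described above.

check1 (RSA): Crack_2() recovers the plaintext from the ciphertext, N and the
private exponent D given in the writeup.
check2 (AES): Crack_1() brute-forces the three leading key digits whose
AES-128-ECB encryption of "pediy" matches the expected ciphertext.

Ported to Python 3 (the original used print statements, raw_input and
str.decode('hex')). The AES part needs pycryptodome (Crypto.Cipher.AES);
the RSA part is pure standard library.
"""
import sys
from binascii import b2a_hex, a2b_hex
import math

try:
    from Crypto.Cipher import AES
except ImportError:
    # Only Crack_1 needs AES; keep the RSA path usable without pycryptodome.
    AES = None


class prpcrypt():
    """AES-ECB wrapper mirroring the target's aes_KeyExpansion / AES_Cipher calls.

    ECB is deterministic (same key and block -> same ciphertext), which is
    what lets Crack_1 compare hex strings against a single known output.
    """

    BLOCK_SIZE = 16

    def __init__(self, key):
        """Store *key* (str or bytes; 16, 24 or 32 bytes) and select ECB mode.

        Raises RuntimeError when pycryptodome is not installed and ValueError
        on a key length AES does not accept.
        """
        if AES is None:
            raise RuntimeError("Crypto.Cipher.AES (pycryptodome) is required for AES operations")
        self.key = key.encode() if isinstance(key, str) else bytes(key)
        if len(self.key) not in (16, 24, 32):
            raise ValueError("AES key must be 16, 24 or 32 bytes, got %d" % len(self.key))
        self.mode = AES.MODE_ECB

    def encrypt(self, text):
        """Zero-pad *text* to a multiple of 16 bytes, encrypt it and return the
        ciphertext as a lowercase hex string (also kept in self.ciphertext)."""
        data = text.encode() if isinstance(text, str) else bytes(text)
        # The target memset()s its plaintext buffer to zero before AES_Cipher,
        # so NUL padding reproduces its input block exactly.
        data += b"\0" * ((-len(data)) % self.BLOCK_SIZE)
        cryptor = AES.new(self.key, self.mode)
        self.ciphertext = cryptor.encrypt(data)
        return b2a_hex(self.ciphertext).decode("ascii")

    def decrypt(self, text):
        """Decrypt a hex-encoded ciphertext and strip the NUL padding."""
        cryptor = AES.new(self.key, self.mode)
        plain_text = cryptor.decrypt(a2b_hex(text))
        return plain_text.rstrip(b"\0")


def __multi(array, bin_array):
    """Multiply together array[i] for every i whose bin_array[i] is '1'.

    Kept for compatibility with the original square-and-multiply helper;
    exp_mode() now delegates to the built-in pow().
    """
    result = 1
    for a, bit in zip(array, bin_array):
        if int(bit):
            result *= a
    return result


def exp_mode(base, exponent, n):
    """Return base ** exponent mod n (modular exponentiation).

    Uses the built-in three-argument pow(), which implements
    square-and-multiply natively and handles 256-bit operands instantly.
    Raises ValueError for a negative exponent (the original produced garbage).
    """
    if exponent < 0:
        raise ValueError("exponent must be non-negative")
    return pow(base, exponent, n)


def encrypt(m, n, e):
    """RSA public operation: c = m^e mod n."""
    return exp_mode(m, e, n)


def decrypt(c, n, d):
    """RSA private operation: m = c^d mod n."""
    return exp_mode(c, d, n)


def Crack_1():
    """Brute-force the three leading digits of the check2 AES key.

    The key is <3 digits> + "1314000000000" (16 bytes). Per the listing of
    sub_402E52 the digits come from the user's input with the anti-debug
    counter added to the third byte, so all 1000 candidates are tried against
    the known hex ciphertext of "pediy". Returns the matching key string, or
    None when no candidate matches (the original only broke the innermost
    loop and kept searching).
    """
    # Round-trip self-check of the wrapper before the search.
    pc = prpcrypt('1121314000000000')
    e = pc.encrypt("pediy")
    d = pc.decrypt(e)
    print(e, d)

    crypt_str = "912ca2036a9a0656d17b6b552f157f8e"
    for prefix in range(1000):
        # "%03d" walks the same 000..999 order as the original nested loops.
        key_str = "%03d" % prefix + "1314000000000"
        if prpcrypt(key_str).encrypt("pediy") == crypt_str:
            print(key_str)
            return key_str
    print("over")
    return None


def Crack_2():
    """Recover the check1 plaintext with the RSA private exponent.

    Returns the decoded plaintext as bytes and prints it next to the
    expected value from the writeup. A warning is printed if re-encrypting
    the result with e = 0x3e9 does not reproduce C (i.e. D is not the
    private exponent for this N).
    """
    N = 0x7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
    # NOTE(review): the prose above quotes this ciphertext with eight extra
    # hex digits ("...C645 0019FDF0 16D0..."); that 72-digit value is larger
    # than the 64-digit N and so cannot be a residue mod N. This 64-digit
    # value is the one the script actually decrypts.
    C = 0x208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304
    Y = 0x3e9
    D = 21005425588345339621950762401208703877439204233991217052799016669569632540401
    x = decrypt(C, N, D)
    if encrypt(x, N, Y) != C:
        print("warning: re-encrypting the result does not reproduce C")
    # Python 2's hex() appended an 'L' that the original sliced off; format()
    # does not, and the zfill keeps an odd digit count decodable.
    x_str = format(x, "x")
    x_str = x_str.zfill(len(x_str) + (len(x_str) % 2))
    plain = bytes.fromhex(x_str)
    print(plain)
    print(bytes.fromhex("69616d6168616e64736f6d656775796861686131"))
    return plain


if __name__ == '__main__':
    Crack_2()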