[原创]看雪.京东 2018CTF 第四题 密界寻踪 writeup
发表于: 2018-6-22 17:44 2897
有大数运算和AES算法。
2. 分析流程
.text:0045C106 _main_0_0: ; CODE XREF: _main_0j .text:0045C106 jz short loc_45C10C .text:0045C108 jnz short loc_45C10C .text:0045C10A jmp short loc_45C10E .text:0045C10C ; --------------------------------------------------------------------------- .text:0045C10C .text:0045C10C loc_45C10C: ; CODE XREF: .text:_main_0_0j .text:0045C10C ; .text:0045C108j .text:0045C10C jmp short near ptr loc_45C10E+1 .text:0045C10E ; --------------------------------------------------------------------------- .text:0045C10E .text:0045C10E loc_45C10E: ; CODE XREF: .text:0045C10Aj .text:0045C10E ; .text:loc_45C10Cj .text:0045C10E adc dword ptr [ebp+74h], 0E8027504h .text:0045C115 add ch, bl .text:0045C117 add [ecx+370EC8Bh], eax .text:0045C11D jno short near ptr loc_45C11F+1 .text:0045C11F .text:0045C11F loc_45C11F: ; CODE XREF: .text:0045C11Dj .text:0045C11F ; .text:0045C125j .text:0045C11F call near ptr 0E9C2ADA7h .text:0045C124 push cs .text:0045C125 jo short near ptr loc_45C11F+2 .text:0045C127 call dword ptr [eax+0]
入口处加了一些乱序代码。数量不多,对分析没什么影响,直接 F7 单步步过即可。
.text:0045C106 _main_0_0: ; CODE XREF: _main_0j .text:0045C106 jz short loc_45C10C .text:0045C108 jnz short loc_45C10C .text:0045C10A jmp short loc_45C10E .text:0045C10C ; --------------------------------------------------------------------------- .text:0045C10C .text:0045C10C loc_45C10C: ; CODE XREF: .text:_main_0_0j .text:0045C10C ; .text:0045C108j .text:0045C10C jmp short near ptr loc_45C10E+1 .text:0045C10E ; --------------------------------------------------------------------------- .text:0045C10E .text:0045C10E loc_45C10E: ; CODE XREF: .text:0045C10Aj .text:0045C10E ; .text:loc_45C10Cj .text:0045C10E adc dword ptr [ebp+74h], 0E8027504h .text:0045C115 add ch, bl .text:0045C117 add [ecx+370EC8Bh], eax .text:0045C11D jno short near ptr loc_45C11F+1 .text:0045C11F .text:0045C11F loc_45C11F: ; CODE XREF: .text:0045C11Dj .text:0045C11F ; .text:0045C125j .text:0045C11F call near ptr 0E9C2ADA7h .text:0045C124 push cs .text:0045C125 jo short near ptr loc_45C11F+2 .text:0045C127 call dword ptr [eax+0]
入口处加了一些乱序代码。数量不多,对分析没什么影响,直接 F7 单步步过即可。
.text:0045C106 _main_0_0: ; CODE XREF: _main_0j .text:0045C106 jz short loc_45C10C .text:0045C108 jnz short loc_45C10C .text:0045C10A jmp short loc_45C10E .text:0045C10C ; --------------------------------------------------------------------------- .text:0045C10C .text:0045C10C loc_45C10C: ; CODE XREF: .text:_main_0_0j .text:0045C10C ; .text:0045C108j .text:0045C10C jmp short near ptr loc_45C10E+1 .text:0045C10E ; --------------------------------------------------------------------------- .text:0045C10E .text:0045C10E loc_45C10E: ; CODE XREF: .text:0045C10Aj .text:0045C10E ; .text:loc_45C10Cj .text:0045C10E adc dword ptr [ebp+74h], 0E8027504h .text:0045C115 add ch, bl .text:0045C117 add [ecx+370EC8Bh], eax .text:0045C11D jno short near ptr loc_45C11F+1 .text:0045C11F .text:0045C11F loc_45C11F: ; CODE XREF: .text:0045C11Dj .text:0045C11F ; .text:0045C125j .text:0045C11F call near ptr 0E9C2ADA7h .text:0045C124 push cs .text:0045C125 jo short near ptr loc_45C11F+2 .text:0045C127 call dword ptr [eax+0]
入口处加了一些乱序代码。数量不多,对分析没什么影响,直接 F7 单步步过即可。
反调试:
/*
 * Anti-debugging / re-launch routine (IDA pseudocode of the function at
 * 0x4023E0; all names are IDA's auto-generated ones).
 *
 * Behaviour visible in this pseudocode:
 *  - copies the running module's path into a local buffer;
 *  - if CheckDbg_4010C8() returns non-zero, bumps the global counter
 *    dword_495728 and returns the incremented value;
 *  - otherwise copies a 0x32-byte blob from unk_495640 onto the stack and
 *    re-launches the same executable via CreateProcessA, setting
 *    dword_495728 = 2 on success.
 * Return value: whatever ended up in eax (the counter, CloseHandle's BOOL,
 * or printf's count) - it carries no single meaning; presumably ignored by
 * the caller.
 * NOTE(review): the writeup says this routine checks the parent process name
 * and closes the current process; neither is visible here, so that must
 * happen inside CheckDbg_4010C8() or in the caller - confirm.
 */
int sub_4023E0()
{
    int result; // eax@3
    char v1; // [sp+Ch] [bp-2C0h]@1
    struct _PROCESS_INFORMATION ProcessInformation; // [sp+4Ch] [bp-280h]@2
    struct _STARTUPINFOA StartupInfo; // [sp+5Ch] [bp-270h]@2
    void *v4; // [sp+A0h] [bp-22Ch]@1
    char v5; // [sp+A4h] [bp-228h]@1
    char v6; // [sp+A5h] [bp-227h]@1
    char v7; // [sp+D5h] [bp-1F7h]@1
    CHAR ApplicationName; // [sp+D8h] [bp-1F4h]@1

    // Fills the whole 0x2C0-byte frame with 0xCC (presumably the MSVC debug
    // stack fill; not part of the check logic).
    memset(&v1, 0xCCu, 0x2C0u);
    // v5, v6 and v7 are adjacent (bp-228h .. bp-1F7h), so these three
    // statements together zero a 0x32-byte region starting at &v5.
    v5 = 0;
    memset(&v6, 0, 0x30u);
    v7 = 0;
    // Path of the running executable. The copy uses a fixed 0x1F4 bytes (the
    // distance from bp-1F4h up to bp), not the string's actual length, so it
    // reads past the path unless v4 points at a buffer at least that large.
    // ApplicationName is really a 0x1F4-byte buffer that IDA shows as one CHAR.
    v4 = GetModuleFileName_401064();
    memcpy(&ApplicationName, v4, 0x1F4u);
    if ( CheckDbg_4010C8() )
    {
        // Check tripped: post-increment the global flag and return its new value.
        result = dword_495728++ + 1;
    }
    else
    {
        // 0x32 bytes from unk_495640 land in the v5..v7 region zeroed above;
        // they are not referenced again in this function.
        memcpy(&v5, &unk_495640, 0x32u);
        memset(&StartupInfo, 0, 0x44u);
        StartupInfo.cb = 68;          // sizeof(STARTUPINFOA) on 32-bit
        StartupInfo.dwFlags = 1;      // STARTF_USESHOWWINDOW
        StartupInfo.wShowWindow = 1;  // SW_SHOWNORMAL
        // Re-launch this same executable; creation flags 0x10 = CREATE_NEW_CONSOLE.
        if ( CreateProcessA(&ApplicationName, 0, 0, 0, 0, 0x10u, 0, 0, &StartupInfo, &ProcessInformation) )
        {
            dword_495728 = 2;
            // Handles are released right away; the child process keeps running.
            CloseHandle(ProcessInformation.hProcess);
            result = CloseHandle(ProcessInformation.hThread);
        }
        else
        {
            result = printf("error");
        }
    }
    return result;
}
主要是检测父进程名称,若是 explorer.exe 则关闭当前进程,然后另外启动一个进程。
/*
 * Anti-debugging / re-launch routine (IDA pseudocode of the function at
 * 0x4023E0; all names are IDA's auto-generated ones).
 *
 * Behaviour visible in this pseudocode:
 *  - copies the running module's path into a local buffer;
 *  - if CheckDbg_4010C8() returns non-zero, bumps the global counter
 *    dword_495728 and returns the incremented value;
 *  - otherwise copies a 0x32-byte blob from unk_495640 onto the stack and
 *    re-launches the same executable via CreateProcessA, setting
 *    dword_495728 = 2 on success.
 * Return value: whatever ended up in eax (the counter, CloseHandle's BOOL,
 * or printf's count) - it carries no single meaning; presumably ignored by
 * the caller.
 * NOTE(review): the writeup says this routine checks the parent process name
 * and closes the current process; neither is visible here, so that must
 * happen inside CheckDbg_4010C8() or in the caller - confirm.
 */
int sub_4023E0()
{
    int result; // eax@3
    char v1; // [sp+Ch] [bp-2C0h]@1
    struct _PROCESS_INFORMATION ProcessInformation; // [sp+4Ch] [bp-280h]@2
    struct _STARTUPINFOA StartupInfo; // [sp+5Ch] [bp-270h]@2
    void *v4; // [sp+A0h] [bp-22Ch]@1
    char v5; // [sp+A4h] [bp-228h]@1
    char v6; // [sp+A5h] [bp-227h]@1
    char v7; // [sp+D5h] [bp-1F7h]@1
    CHAR ApplicationName; // [sp+D8h] [bp-1F4h]@1

    // Fills the whole 0x2C0-byte frame with 0xCC (presumably the MSVC debug
    // stack fill; not part of the check logic).
    memset(&v1, 0xCCu, 0x2C0u);
    // v5, v6 and v7 are adjacent (bp-228h .. bp-1F7h), so these three
    // statements together zero a 0x32-byte region starting at &v5.
    v5 = 0;
    memset(&v6, 0, 0x30u);
    v7 = 0;
    // Path of the running executable. The copy uses a fixed 0x1F4 bytes (the
    // distance from bp-1F4h up to bp), not the string's actual length, so it
    // reads past the path unless v4 points at a buffer at least that large.
    // ApplicationName is really a 0x1F4-byte buffer that IDA shows as one CHAR.
    v4 = GetModuleFileName_401064();
    memcpy(&ApplicationName, v4, 0x1F4u);
    if ( CheckDbg_4010C8() )
    {
        // Check tripped: post-increment the global flag and return its new value.
        result = dword_495728++ + 1;
    }
    else
    {
        // 0x32 bytes from unk_495640 land in the v5..v7 region zeroed above;
        // they are not referenced again in this function.
        memcpy(&v5, &unk_495640, 0x32u);
        memset(&StartupInfo, 0, 0x44u);
        StartupInfo.cb = 68;          // sizeof(STARTUPINFOA) on 32-bit
        StartupInfo.dwFlags = 1;      // STARTF_USESHOWWINDOW
        StartupInfo.wShowWindow = 1;  // SW_SHOWNORMAL
        // Re-launch this same executable; creation flags 0x10 = CREATE_NEW_CONSOLE.
        if ( CreateProcessA(&ApplicationName, 0, 0, 0, 0, 0x10u, 0, 0, &StartupInfo, &ProcessInformation) )
        {
            dword_495728 = 2;
            // Handles are released right away; the child process keeps running.
            CloseHandle(ProcessInformation.hProcess);
            result = CloseHandle(ProcessInformation.hThread);
        }
        else
        {
            result = printf("error");
        }
    }
    return result;
}
主要是检测父进程名称,若是 explorer.exe 则关闭当前进程,然后另外启动一个进程。
直接改跳转跳过。
主要验证流程:
.text:004031D2 call j_print_ctf_403040 .text:004031D7 call sub_40100A .text:004031DC lea edx, [ebp-14h] .text:004031DF push edx .text:004031E0 call decode_string_401078 ; successs .text:004031E5 add esp, 4 .text:004031E8 lea eax, [ebp-20h] .text:004031EB push eax .text:004031EC call decode_string_401078 ; error .text:004031F1 add esp, 4 .text:004031F4 push 18h .text:004031F6 lea ecx, [ebp-38h] .text:004031F9 push ecx .text:004031FA push offset aS_0 ; "%s" .text:004031FF call _scanf .text:00403204 add esp, 0Ch .text:00403207 lea edx, [ebp-38h] .text:0040320A push edx ; char * .text:0040320B call _strlen .text:00403210 add esp, 4 .text:00403213 cmp eax, 17h ; 长度17 .text:00403216 jbe short loc_40322B .text:00403218 lea eax, [ebp-20h] .text:0040321B push eax ; char * .text:0040321C call _printf .text:00403221 add esp, 4 .text:00403224 push 0 ; int .text:00403226 call _exit .text:0040322B ; --------------------------------------------------------------------------- .text:0040322B .text:0040322B loc_40322B: ; CODE XREF: sub_40315C+BAj .text:0040322B lea ecx, [ebp-35h] .text:0040322E push ecx ; char * .text:0040322F call _strlen .text:00403234 add esp, 4 .text:00403237 push eax .text:00403238 push offset unk_495660 ; 放在这里 .text:0040323D lea edx, [ebp-35h] .text:00403240 push edx .text:00403241 call j_Covert_string_to_hex_string_402220 .text:00403246 add esp, 0Ch .text:00403249 call check1_40125D ; 大数运算 .text:0040324E mov [ebp-4], eax .text:00403251 push 3 ; size_t .text:00403253 lea eax, [ebp-38h] .text:00403256 push eax ; void * .text:00403257 lea ecx, [ebp-3Ch] .text:0040325A push ecx ; void * .text:0040325B call _memcpy .text:00403260 add esp, 0Ch .text:00403263 lea edx, [ebp-3Ch] .text:00403266 push edx .text:00403267 call check_isdigit_40108C .text:0040326C add esp, 4 .text:0040326F and eax, 0FFh .text:00403274 test eax, eax .text:00403276 jz short loc_403289 .text:00403278 lea eax, [ebp-3Ch] .text:0040327B push eax .text:0040327C call check2_40128F .text:00403281 
add esp, 4 .text:00403284 mov [ebp-8], eax .text:00403287 jmp short loc_403299 .text:00403289 ; --------------------------------------------------------------------------- .text:00403289 .text:00403289 loc_403289: ; CODE XREF: sub_40315C+11Aj .text:00403289 lea ecx, [ebp-20h] .text:0040328C push ecx ; char * .text:0040328D call _printf .text:00403292 add esp, 4 .text:00403295 xor eax, eax .text:00403297 jmp short loc_4032CD .text:00403299 ; --------------------------------------------------------------------------- .text:00403299 .text:00403299 loc_403299: ; CODE XREF: sub_40315C+12Bj .text:00403299 mov edx, [ebp-4] .text:0040329C add edx, [ebp-8] .text:0040329F cmp edx, 2 .text:004032A2 jnz short loc_4032B2 .text:004032A4 lea eax, [ebp-14h] .text:004032A7 push eax ; char * .text:004032A8 call _printf .text:004032AD add esp, 4 .text:004032B0 jmp short loc_4032BE .text:004032B2 ; --------------------------------------------------------------------------- .text:004032B2 .text:004032B2 loc_4032B2: ; CODE XREF: sub_40315C+146j .text:004032B2 lea ecx, [ebp-20h] .text:004032B5 push ecx ; char * .text:004032B6 call _printf
两个 check 函数比较长,中间也加了乱序代码干扰分析。
.text:004031D2 call j_print_ctf_403040 .text:004031D7 call sub_40100A .text:004031DC lea edx, [ebp-14h] .text:004031DF push edx .text:004031E0 call decode_string_401078 ; successs .text:004031E5 add esp, 4 .text:004031E8 lea eax, [ebp-20h] .text:004031EB push eax .text:004031EC call decode_string_401078 ; error .text:004031F1 add esp, 4 .text:004031F4 push 18h .text:004031F6 lea ecx, [ebp-38h] .text:004031F9 push ecx .text:004031FA push offset aS_0 ; "%s" .text:004031FF call _scanf .text:00403204 add esp, 0Ch .text:00403207 lea edx, [ebp-38h] .text:0040320A push edx ; char * .text:0040320B call _strlen .text:00403210 add esp, 4 .text:00403213 cmp eax, 17h ; 长度17 .text:00403216 jbe short loc_40322B .text:00403218 lea eax, [ebp-20h] .text:0040321B push eax ; char * .text:0040321C call _printf .text:00403221 add esp, 4 .text:00403224 push 0 ; int .text:00403226 call _exit .text:0040322B ; --------------------------------------------------------------------------- .text:0040322B .text:0040322B loc_40322B: ; CODE XREF: sub_40315C+BAj .text:0040322B lea ecx, [ebp-35h] .text:0040322E push ecx ; char * .text:0040322F call _strlen .text:00403234 add esp, 4 .text:00403237 push eax .text:00403238 push offset unk_495660 ; 放在这里 .text:0040323D lea edx, [ebp-35h] .text:00403240 push edx .text:00403241 call j_Covert_string_to_hex_string_402220 .text:00403246 add esp, 0Ch .text:00403249 call check1_40125D ; 大数运算 .text:0040324E mov [ebp-4], eax .text:00403251 push 3 ; size_t .text:00403253 lea eax, [ebp-38h] .text:00403256 push eax ; void * .text:00403257 lea ecx, [ebp-3Ch] .text:0040325A push ecx ; void * .text:0040325B call _memcpy .text:00403260 add esp, 0Ch .text:00403263 lea edx, [ebp-3Ch] .text:00403266 push edx .text:00403267 call check_isdigit_40108C .text:0040326C add esp, 4 .text:0040326F and eax, 0FFh .text:00403274 test eax, eax .text:00403276 jz short loc_403289 .text:00403278 lea eax, [ebp-3Ch] .text:0040327B push eax .text:0040327C call check2_40128F .text:00403281 
add esp, 4 .text:00403284 mov [ebp-8], eax .text:00403287 jmp short loc_403299 .text:00403289 ; --------------------------------------------------------------------------- .text:00403289 .text:00403289 loc_403289: ; CODE XREF: sub_40315C+11Aj .text:00403289 lea ecx, [ebp-20h] .text:0040328C push ecx ; char * .text:0040328D call _printf .text:00403292 add esp, 4 .text:00403295 xor eax, eax .text:00403297 jmp short loc_4032CD .text:00403299 ; --------------------------------------------------------------------------- .text:00403299 .text:00403299 loc_403299: ; CODE XREF: sub_40315C+12Bj .text:00403299 mov edx, [ebp-4] .text:0040329C add edx, [ebp-8] .text:0040329F cmp edx, 2 .text:004032A2 jnz short loc_4032B2 .text:004032A4 lea eax, [ebp-14h] .text:004032A7 push eax ; char * .text:004032A8 call _printf .text:004032AD add esp, 4 .text:004032B0 jmp short loc_4032BE .text:004032B2 ; --------------------------------------------------------------------------- .text:004032B2 .text:004032B2 loc_4032B2: ; CODE XREF: sub_40315C+146j .text:004032B2 lea ecx, [ebp-20h] .text:004032B5 push ecx ; char * .text:004032B6 call _printf
两个 check 函数比较长,中间也加了乱序代码干扰分析。
check1 是一个 RSA 算法。
.text:00402630 .text:00402630 push ebp .text:00402631 mov ebp, esp .text:00402633 sub esp, 374h .text:00402639 push ebx .text:0040263A push esi .text:0040263B push edi .text:0040263C lea edi, [ebp+var_374] .text:00402642 mov ecx, 0DDh .text:00402647 mov eax, 0CCCCCCCCh .text:0040264C rep stosd .text:0040264E push 10h .text:00402650 push 1F4h .text:00402655 call mirsys_4095A0 .text:0040265A add esp, 8 .text:0040265D mov [ebp+var_4], eax .text:00402660 mov [ebp+var_CC], 33h .text:00402667 mov [ebp+var_CB], 32h .text:0040266E mov [ebp+var_CA], 3Bh .text:00402675 mov [ebp+var_C9], 47h .text:0040267C mov [ebp+var_C8], 47h .text:00402683 mov [ebp+var_C7], 44h .text:0040268A mov [ebp+var_C6], 30h .text:00402691 mov [ebp+var_C5], 4Bh .text:00402698 mov [ebp+var_C4], 4Dh .text:0040269F mov [ebp+var_C3], 3Ch .text:004026A6 mov [ebp+var_C2], 4Eh .text:004026AD mov [ebp+var_C1], 4Fh .text:004026B4 mov [ebp+var_C0], 4Eh .text:004026BB mov [ebp+var_BF], 38h .text:004026C2 mov [ebp+var_BE], 3Bh .text:004026C9 mov [ebp+var_BD], 25h .text:004026D0 mov [ebp+var_BC], 20h .text:004026D7 mov [ebp+var_BB], 24h .text:004026DE mov [ebp+var_BA], 57h .text:004026E5 mov [ebp+var_B9], 24h .text:004026EC mov [ebp+var_B8], 22h .text:004026F3 mov [ebp+var_B7], 52h .text:004026FA mov [ebp+var_B6], 2Eh .text:00402701 mov [ebp+var_B5], 2Fh .text:00402708 mov [ebp+var_B4], 21h .text:0040270F mov [ebp+var_B3], 5Ch .text:00402716 mov [ebp+var_B2], 2Eh .text:0040271D mov [ebp+var_B1], 5Ah .text:00402724 mov [ebp+var_B0], 2Dh .text:0040272B mov [ebp+var_AF], 28h .text:00402732 mov [ebp+var_AE], 27h .text:00402739 mov [ebp+var_AD], 11h .text:00402740 mov [ebp+var_AC], 67h .text:00402747 mov [ebp+var_AB], 17h .text:0040274E mov [ebp+var_AA], 10h .text:00402755 mov [ebp+var_A9], 10h .text:0040275C mov [ebp+var_A8], 60h .text:00402763 mov [ebp+var_A7], 67h .text:0040276A mov [ebp+var_A6], 63h .text:00402771 mov [ebp+var_A5], 1Ah .text:00402778 mov [ebp+var_A4], 1Ah .text:0040277F mov [ebp+var_A3], 1Fh 
.text:00402786 mov [ebp+var_A2], 6Fh .text:0040278D mov [ebp+var_A1], 19h .text:00402794 mov [ebp+var_A0], 6Eh .text:0040279B mov [ebp+var_9F], 1Ah .text:004027A2 mov [ebp+var_9E], 16h .text:004027A9 mov [ebp+var_9D], 71h .text:004027B0 mov [ebp+var_9C], 75h .text:004027B7 mov [ebp+var_9B], 76h .text:004027BE mov [ebp+var_9A], 4 .text:004027C5 mov [ebp+var_99], 6 .text:004027CC mov [ebp+var_98], 71h .text:004027D3 mov [ebp+var_97], 4 .text:004027DA mov [ebp+var_96], 73h .text:004027E1 mov [ebp+var_95], 7Ah .text:004027E8 mov [ebp+var_94], 1 .text:004027EF mov [ebp+var_93], 0Eh .text:004027F6 mov [ebp+var_92], 0Bh .text:004027FD mov [ebp+var_91], 78h .text:00402804 mov [ebp+var_90], 8 .text:0040280B mov [ebp+var_8F], 0Dh .text:00402812 mov [ebp+var_8E], 0Fh .text:00402819 mov [ebp+var_8D], 74h .text:00402820 mov ecx, 22h .text:00402825 xor eax, eax .text:00402827 lea edi, [ebp+var_8C] .text:0040282D rep stosd .text:0040282F mov [ebp+var_194], 0 .text:00402836 mov ecx, 31h .text:0040283B xor eax, eax .text:0040283D lea edi, [ebp+var_193] .text:00402843 rep stosd .text:00402845 stosw .text:00402847 stosb .text:00402848 mov [ebp+var_25C], 0 .text:0040284F mov ecx, 31h .text:00402854 xor eax, eax .text:00402856 lea edi, [ebp+var_25B] .text:0040285C rep stosd .text:0040285E stosw .text:00402860 stosb .text:00402861 mov [ebp+var_324], 36h .text:00402868 mov [ebp+var_323], 66h .text:0040286F mov [ebp+var_322], 62h .text:00402876 mov [ebp+var_321], 37h .text:0040287D mov [ebp+var_320], 3Ch .text:00402884 mov [ebp+var_31F], 62h .text:0040288B mov [ebp+var_31E], 62h .text:00402892 mov [ebp+var_31D], 3Eh .text:00402899 mov [ebp+var_31C], 3Fh .text:004028A0 mov [ebp+var_31B], 3Ah .text:004028A7 mov [ebp+var_31A], 3Ah .text:004028AE mov [ebp+var_319], 3Ah .text:004028B5 mov [ebp+var_318], 39h .text:004028BC mov [ebp+var_317], 39h .text:004028C3 mov [ebp+var_316], 38h .text:004028CA mov [ebp+var_315], 72h .text:004028D1 mov [ebp+var_314], 20h .text:004028D8 mov [ebp+var_313], 73h 
.text:004028DF mov [ebp+var_312], 75h .text:004028E6 mov [ebp+var_311], 77h .text:004028ED mov [ebp+var_310], 26h .text:004028F4 mov [ebp+var_30F], 72h .text:004028FB mov [ebp+var_30E], 74h .text:00402902 mov [ebp+var_30D], 20h .text:00402909 mov [ebp+var_30C], 7Ch .text:00402910 mov [ebp+var_30B], 29h .text:00402917 mov [ebp+var_30A], 2Bh .text:0040291E mov [ebp+var_309], 25h .text:00402925 mov [ebp+var_308], 79h .text:0040292C mov [ebp+var_307], 7Dh .text:00402933 mov [ebp+var_306], 2Bh .text:0040293A mov [ebp+var_305], 12h .text:00402941 mov [ebp+var_304], 18h .text:00402948 mov [ebp+var_303], 40h .text:0040294F mov [ebp+var_302], 16h .text:00402956 mov [ebp+var_301], 40h .text:0040295D mov [ebp+var_300], 40h .text:00402964 mov [ebp+var_2FF], 1Eh .text:0040296B mov [ebp+var_2FE], 12h .text:00402972 mov [ebp+var_2FD], 1Dh .text:00402979 mov [ebp+var_2FC], 4Fh .text:00402980 mov [ebp+var_2FB], 1Ah .text:00402987 mov [ebp+var_2FA], 4Fh .text:0040298E mov [ebp+var_2F9], 1Ah .text:00402995 mov [ebp+var_2F8], 1Ch .text:0040299C mov [ebp+var_2F7], 18h .text:004029A3 mov [ebp+var_2F6], 4Bh .text:004029AA mov [ebp+var_2F5], 2 .text:004029B1 mov [ebp+var_2F4], 3 .text:004029B8 mov [ebp+var_2F3], 7 .text:004029BF mov [ebp+var_2F2], 51h .text:004029C6 mov [ebp+var_2F1], 1 .text:004029CD mov [ebp+var_2F0], 2 .text:004029D4 mov [ebp+var_2EF], 6 .text:004029DB mov [ebp+var_2EE], 55h .text:004029E2 mov [ebp+var_2ED], 0Eh .text:004029E9 mov [ebp+var_2EC], 1 .text:004029F0 mov [ebp+var_2EB], 58h .text:004029F7 mov [ebp+var_2EA], 3 .text:004029FE mov [ebp+var_2E9], 4 .text:00402A05 mov [ebp+var_2E8], 5Ch .text:00402A0C mov [ebp+var_2E7], 0Bh .text:00402A13 mov [ebp+var_2E6], 7 .text:00402A1A mov [ebp+var_2E5], 75h .text:00402A21 mov ecx, 22h .text:00402A26 xor eax, eax .text:00402A28 lea edi, [ebp+var_2E4] .text:00402A2E rep stosd .text:00402A30 call sub_402A3A .text:00402A35 .text:00402A35 loc_402A35: ; CODE XREF: sub_402A3Ap .text:00402A35 call near ptr 12B3225h .text:00402A35 
sub_402630 endp ; sp-analysis failed .text:00402A35 .text:00402A3A .text:00402A3A ; =============== S U B R O U T I N E ======================================= .text:00402A3A .text:00402A3A .text:00402A3A sub_402A3A proc near ; CODE XREF: sub_402630+400p .text:00402A3A call near ptr loc_402A35+1 .text:00402A3F add esp, 8 .text:00402A42 lea eax, [ebp-0CCh] .text:00402A48 push eax .text:00402A49 call decode_string_401078 .text:00402A4E add esp, 4 .text:00402A51 lea ecx, [ebp-324h] .text:00402A57 push ecx .text:00402A58 call decode_string_401078 .text:00402A5D add esp, 4 .text:00402A60 mov edx, [ebp-4] .text:00402A63 mov dword ptr [edx+234h], 16 ; mip->IOBASE=16; //将原来的10进制改为16进制模式 .text:00402A6D push 0 .text:00402A6F call mirsys_func1_409350 .text:00402A74 add esp, 4 .text:00402A77 mov [ebp-328h], eax .text:00402A7D push 0 .text:00402A7F call mirsys_func1_409350 .text:00402A84 add esp, 4 .text:00402A87 mov [ebp-32Ch], eax .text:00402A8D push 0 .text:00402A8F call mirsys_func1_409350 .text:00402A94 add esp, 4 .text:00402A97 mov [ebp-334h], eax .text:00402A9D push 0 .text:00402A9F call mirsys_func1_409350 .text:00402AA4 add esp, 4 .text:00402AA7 mov [ebp-330h], eax .text:00402AAD push offset unk_495660 .text:00402AB2 mov eax, [ebp-334h] .text:00402AB8 push eax .text:00402AB9 call mirsys_cinstr_40D1E0 .text:00402ABE add esp, 8 .text:00402AC1 lea ecx, [ebp-324h] .text:00402AC7 push ecx .text:00402AC8 mov edx, [ebp-328h] .text:00402ACE push edx .text:00402ACF call mirsys_cinstr_40D1E0 .text:00402AD4 add esp, 8 .text:00402AD7 push offset a3e9 ; "3e9" .text:00402ADC mov eax, [ebp-32Ch] .text:00402AE2 push eax .text:00402AE3 call mirsys_cinstr_40D1E0 .text:00402AE8 add esp, 8 .text:00402AEB mov ecx, [ebp-328h] .text:00402AF1 push ecx .text:00402AF2 mov edx, [ebp-334h] .text:00402AF8 push edx .text:00402AF9 call mirsys_compare_40A2C0 ; 函数原型: int compare(big x, big y); .text:00402AF9 ; .text:00402AF9 ; 功能说明: 比较两个大数的大小 .text:00402AF9 ; .text:00402AF9 ; 返回值: x>y时返回+1, x=y时返回0, 
x<y时返回-1 .text:00402AFE add esp, 8 .text:00402B01 cmp eax, 0FFFFFFFFh .text:00402B04 jnz loc_402BD4 .text:00402B0A mov eax, [ebp-330h] .text:00402B10 push eax .text:00402B11 mov ecx, [ebp-328h] .text:00402B17 push ecx .text:00402B18 mov edx, [ebp-32Ch] .text:00402B1E push edx .text:00402B1F mov eax, [ebp-334h] .text:00402B25 push eax .text:00402B26 call mirsys_powmod_40C110 ; 函数原型: void powmod(big x, big y,big z, big w); .text:00402B26 ; .text:00402B26 ; 功能说明: 模幂运算,w=xy mod z .text:00402B2B add esp, 10h .text:00402B2E push 0 .text:00402B30 lea ecx, [ebp-194h] .text:00402B36 push ecx .text:00402B37 mov edx, [ebp-330h] .text:00402B3D push edx .text:00402B3E push 0 .text:00402B40 call mirsys_get_40B280 .text:00402B45 add esp, 10h .text:00402B48 mov eax, [ebp-328h] .text:00402B4E push eax .text:00402B4F call mirsys_mirkill_409CA0 .text:00402B54 add esp, 4 .text:00402B57 mov ecx, [ebp-32Ch] .text:00402B5D push ecx .text:00402B5E call mirsys_mirkill_409CA0 .text:00402B63 add esp, 4 .text:00402B66 mov edx, [ebp-334h] .text:00402B6C push edx .text:00402B6D call mirsys_mirkill_409CA0 .text:00402B72 add esp, 4 .text:00402B75 mov eax, [ebp-330h] .text:00402B7B push eax .text:00402B7C call mirsys_mirkill_409CA0 .text:00402B81 add esp, 4 .text:00402B84 call sub_409CC0 .text:00402B89 lea ecx, [ebp-194h] .text:00402B8F push ecx ; char * .text:00402B90 call _strlen .text:00402B95 add esp, 4 .text:00402B98 push eax .text:00402B99 lea edx, [ebp-25Ch] .text:00402B9F push edx .text:00402BA0 lea eax, [ebp-194h] .text:00402BA6 push eax .text:00402BA7 call charAry2String_40100F .text:00402BAC add esp, 0Ch .text:00402BAF lea ecx, [ebp-25Ch] .text:00402BB5 push ecx ; char * .text:00402BB6 lea edx, [ebp-0CCh] .text:00402BBC push edx ; char * .text:00402BBD call _strcmp .text:00402BC2 add esp, 8 .text:00402BC5 test eax, eax .text:00402BC7 jnz short loc_402BD0 .text:00402BC9 mov eax, 1 .text:00402BCE jmp short loc_402BD6 .text:00402BD0 ; 
--------------------------------------------------------------------------- .text:00402BD0 .text:00402BD0 loc_402BD0: ; CODE XREF: sub_402A3A+18Dj .text:00402BD0 xor eax, eax .text:00402BD2 jmp short loc_402BD6 .text:00402BD4 ; --------------------------------------------------------------------------- .text:00402BD4 .text:00402BD4 loc_402BD4: ; CODE XREF: sub_402A3A+CAj .text:00402BD4 xor eax, eax .text:00402BD6 .text:00402BD6 loc_402BD6: ; CODE XREF: sub_402A3A+194j .text:00402BD6 ; sub_402A3A+198j .text:00402BD6 pop edi .text:00402BD7 pop esi .text:00402BD8 pop ebx .text:00402BD9 add esp, 374h .text:00402BDF cmp ebp, esp .text:00402BE1 call __chkesp .text:00402BE6 mov esp, ebp .text:00402BE8 pop ebp .text:00402BE9 retn .text:00402BE9 sub_402A3A endp ; sp-analysis failed
主要过程:
.text:00402630 .text:00402630 push ebp .text:00402631 mov ebp, esp .text:00402633 sub esp, 374h .text:00402639 push ebx .text:0040263A push esi .text:0040263B push edi .text:0040263C lea edi, [ebp+var_374] .text:00402642 mov ecx, 0DDh .text:00402647 mov eax, 0CCCCCCCCh .text:0040264C rep stosd .text:0040264E push 10h .text:00402650 push 1F4h .text:00402655 call mirsys_4095A0 .text:0040265A add esp, 8 .text:0040265D mov [ebp+var_4], eax .text:00402660 mov [ebp+var_CC], 33h .text:00402667 mov [ebp+var_CB], 32h .text:0040266E mov [ebp+var_CA], 3Bh .text:00402675 mov [ebp+var_C9], 47h .text:0040267C mov [ebp+var_C8], 47h .text:00402683 mov [ebp+var_C7], 44h .text:0040268A mov [ebp+var_C6], 30h .text:00402691 mov [ebp+var_C5], 4Bh .text:00402698 mov [ebp+var_C4], 4Dh .text:0040269F mov [ebp+var_C3], 3Ch .text:004026A6 mov [ebp+var_C2], 4Eh .text:004026AD mov [ebp+var_C1], 4Fh .text:004026B4 mov [ebp+var_C0], 4Eh .text:004026BB mov [ebp+var_BF], 38h .text:004026C2 mov [ebp+var_BE], 3Bh .text:004026C9 mov [ebp+var_BD], 25h .text:004026D0 mov [ebp+var_BC], 20h .text:004026D7 mov [ebp+var_BB], 24h .text:004026DE mov [ebp+var_BA], 57h .text:004026E5 mov [ebp+var_B9], 24h .text:004026EC mov [ebp+var_B8], 22h .text:004026F3 mov [ebp+var_B7], 52h .text:004026FA mov [ebp+var_B6], 2Eh .text:00402701 mov [ebp+var_B5], 2Fh .text:00402708 mov [ebp+var_B4], 21h .text:0040270F mov [ebp+var_B3], 5Ch .text:00402716 mov [ebp+var_B2], 2Eh .text:0040271D mov [ebp+var_B1], 5Ah .text:00402724 mov [ebp+var_B0], 2Dh .text:0040272B mov [ebp+var_AF], 28h .text:00402732 mov [ebp+var_AE], 27h .text:00402739 mov [ebp+var_AD], 11h .text:00402740 mov [ebp+var_AC], 67h .text:00402747 mov [ebp+var_AB], 17h .text:0040274E mov [ebp+var_AA], 10h .text:00402755 mov [ebp+var_A9], 10h .text:0040275C mov [ebp+var_A8], 60h .text:00402763 mov [ebp+var_A7], 67h .text:0040276A mov [ebp+var_A6], 63h .text:00402771 mov [ebp+var_A5], 1Ah .text:00402778 mov [ebp+var_A4], 1Ah .text:0040277F mov [ebp+var_A3], 1Fh 
.text:00402786 mov [ebp+var_A2], 6Fh .text:0040278D mov [ebp+var_A1], 19h .text:00402794 mov [ebp+var_A0], 6Eh .text:0040279B mov [ebp+var_9F], 1Ah .text:004027A2 mov [ebp+var_9E], 16h .text:004027A9 mov [ebp+var_9D], 71h .text:004027B0 mov [ebp+var_9C], 75h .text:004027B7 mov [ebp+var_9B], 76h .text:004027BE mov [ebp+var_9A], 4 .text:004027C5 mov [ebp+var_99], 6 .text:004027CC mov [ebp+var_98], 71h .text:004027D3 mov [ebp+var_97], 4 .text:004027DA mov [ebp+var_96], 73h .text:004027E1 mov [ebp+var_95], 7Ah .text:004027E8 mov [ebp+var_94], 1 .text:004027EF mov [ebp+var_93], 0Eh .text:004027F6 mov [ebp+var_92], 0Bh .text:004027FD mov [ebp+var_91], 78h .text:00402804 mov [ebp+var_90], 8 .text:0040280B mov [ebp+var_8F], 0Dh .text:00402812 mov [ebp+var_8E], 0Fh .text:00402819 mov [ebp+var_8D], 74h .text:00402820 mov ecx, 22h .text:00402825 xor eax, eax .text:00402827 lea edi, [ebp+var_8C] .text:0040282D rep stosd .text:0040282F mov [ebp+var_194], 0 .text:00402836 mov ecx, 31h .text:0040283B xor eax, eax .text:0040283D lea edi, [ebp+var_193] .text:00402843 rep stosd .text:00402845 stosw .text:00402847 stosb .text:00402848 mov [ebp+var_25C], 0 .text:0040284F mov ecx, 31h .text:00402854 xor eax, eax .text:00402856 lea edi, [ebp+var_25B] .text:0040285C rep stosd .text:0040285E stosw .text:00402860 stosb .text:00402861 mov [ebp+var_324], 36h .text:00402868 mov [ebp+var_323], 66h .text:0040286F mov [ebp+var_322], 62h .text:00402876 mov [ebp+var_321], 37h .text:0040287D mov [ebp+var_320], 3Ch .text:00402884 mov [ebp+var_31F], 62h .text:0040288B mov [ebp+var_31E], 62h .text:00402892 mov [ebp+var_31D], 3Eh .text:00402899 mov [ebp+var_31C], 3Fh .text:004028A0 mov [ebp+var_31B], 3Ah .text:004028A7 mov [ebp+var_31A], 3Ah .text:004028AE mov [ebp+var_319], 3Ah .text:004028B5 mov [ebp+var_318], 39h .text:004028BC mov [ebp+var_317], 39h .text:004028C3 mov [ebp+var_316], 38h .text:004028CA mov [ebp+var_315], 72h .text:004028D1 mov [ebp+var_314], 20h .text:004028D8 mov [ebp+var_313], 73h 
.text:004028DF mov [ebp+var_312], 75h .text:004028E6 mov [ebp+var_311], 77h .text:004028ED mov [ebp+var_310], 26h .text:004028F4 mov [ebp+var_30F], 72h .text:004028FB mov [ebp+var_30E], 74h .text:00402902 mov [ebp+var_30D], 20h .text:00402909 mov [ebp+var_30C], 7Ch .text:00402910 mov [ebp+var_30B], 29h .text:00402917 mov [ebp+var_30A], 2Bh .text:0040291E mov [ebp+var_309], 25h .text:00402925 mov [ebp+var_308], 79h .text:0040292C mov [ebp+var_307], 7Dh .text:00402933 mov [ebp+var_306], 2Bh .text:0040293A mov [ebp+var_305], 12h .text:00402941 mov [ebp+var_304], 18h .text:00402948 mov [ebp+var_303], 40h .text:0040294F mov [ebp+var_302], 16h .text:00402956 mov [ebp+var_301], 40h .text:0040295D mov [ebp+var_300], 40h .text:00402964 mov [ebp+var_2FF], 1Eh .text:0040296B mov [ebp+var_2FE], 12h .text:00402972 mov [ebp+var_2FD], 1Dh .text:00402979 mov [ebp+var_2FC], 4Fh .text:00402980 mov [ebp+var_2FB], 1Ah .text:00402987 mov [ebp+var_2FA], 4Fh .text:0040298E mov [ebp+var_2F9], 1Ah .text:00402995 mov [ebp+var_2F8], 1Ch .text:0040299C mov [ebp+var_2F7], 18h .text:004029A3 mov [ebp+var_2F6], 4Bh .text:004029AA mov [ebp+var_2F5], 2 .text:004029B1 mov [ebp+var_2F4], 3 .text:004029B8 mov [ebp+var_2F3], 7 .text:004029BF mov [ebp+var_2F2], 51h .text:004029C6 mov [ebp+var_2F1], 1 .text:004029CD mov [ebp+var_2F0], 2 .text:004029D4 mov [ebp+var_2EF], 6 .text:004029DB mov [ebp+var_2EE], 55h .text:004029E2 mov [ebp+var_2ED], 0Eh .text:004029E9 mov [ebp+var_2EC], 1 .text:004029F0 mov [ebp+var_2EB], 58h .text:004029F7 mov [ebp+var_2EA], 3 .text:004029FE mov [ebp+var_2E9], 4 .text:00402A05 mov [ebp+var_2E8], 5Ch .text:00402A0C mov [ebp+var_2E7], 0Bh .text:00402A13 mov [ebp+var_2E6], 7 .text:00402A1A mov [ebp+var_2E5], 75h .text:00402A21 mov ecx, 22h .text:00402A26 xor eax, eax .text:00402A28 lea edi, [ebp+var_2E4] .text:00402A2E rep stosd .text:00402A30 call sub_402A3A .text:00402A35 .text:00402A35 loc_402A35: ; CODE XREF: sub_402A3Ap .text:00402A35 call near ptr 12B3225h .text:00402A35 
sub_402630 endp ; sp-analysis failed .text:00402A35 .text:00402A3A .text:00402A3A ; =============== S U B R O U T I N E ======================================= .text:00402A3A .text:00402A3A .text:00402A3A sub_402A3A proc near ; CODE XREF: sub_402630+400p .text:00402A3A call near ptr loc_402A35+1 .text:00402A3F add esp, 8 .text:00402A42 lea eax, [ebp-0CCh] .text:00402A48 push eax .text:00402A49 call decode_string_401078 .text:00402A4E add esp, 4 .text:00402A51 lea ecx, [ebp-324h] .text:00402A57 push ecx .text:00402A58 call decode_string_401078 .text:00402A5D add esp, 4 .text:00402A60 mov edx, [ebp-4] .text:00402A63 mov dword ptr [edx+234h], 16 ; mip->IOBASE=16; //将原来的10进制改为16进制模式 .text:00402A6D push 0 .text:00402A6F call mirsys_func1_409350 .text:00402A74 add esp, 4 .text:00402A77 mov [ebp-328h], eax .text:00402A7D push 0 .text:00402A7F call mirsys_func1_409350 .text:00402A84 add esp, 4 .text:00402A87 mov [ebp-32Ch], eax .text:00402A8D push 0 .text:00402A8F call mirsys_func1_409350 .text:00402A94 add esp, 4 .text:00402A97 mov [ebp-334h], eax .text:00402A9D push 0 .text:00402A9F call mirsys_func1_409350 .text:00402AA4 add esp, 4 .text:00402AA7 mov [ebp-330h], eax .text:00402AAD push offset unk_495660 .text:00402AB2 mov eax, [ebp-334h] .text:00402AB8 push eax .text:00402AB9 call mirsys_cinstr_40D1E0 .text:00402ABE add esp, 8 .text:00402AC1 lea ecx, [ebp-324h] .text:00402AC7 push ecx .text:00402AC8 mov edx, [ebp-328h] .text:00402ACE push edx .text:00402ACF call mirsys_cinstr_40D1E0 .text:00402AD4 add esp, 8 .text:00402AD7 push offset a3e9 ; "3e9" .text:00402ADC mov eax, [ebp-32Ch] .text:00402AE2 push eax .text:00402AE3 call mirsys_cinstr_40D1E0 .text:00402AE8 add esp, 8 .text:00402AEB mov ecx, [ebp-328h] .text:00402AF1 push ecx .text:00402AF2 mov edx, [ebp-334h] .text:00402AF8 push edx .text:00402AF9 call mirsys_compare_40A2C0 ; 函数原型: int compare(big x, big y); .text:00402AF9 ; .text:00402AF9 ; 功能说明: 比较两个大数的大小 .text:00402AF9 ; .text:00402AF9 ; 返回值: x>y时返回+1, x=y时返回0, 
x<y时返回-1 .text:00402AFE add esp, 8 .text:00402B01 cmp eax, 0FFFFFFFFh .text:00402B04 jnz loc_402BD4 .text:00402B0A mov eax, [ebp-330h] .text:00402B10 push eax .text:00402B11 mov ecx, [ebp-328h] .text:00402B17 push ecx .text:00402B18 mov edx, [ebp-32Ch] .text:00402B1E push edx .text:00402B1F mov eax, [ebp-334h] .text:00402B25 push eax .text:00402B26 call mirsys_powmod_40C110 ; 函数原型: void powmod(big x, big y,big z, big w); .text:00402B26 ; .text:00402B26 ; 功能说明: 模幂运算,w=xy mod z .text:00402B2B add esp, 10h .text:00402B2E push 0 .text:00402B30 lea ecx, [ebp-194h] .text:00402B36 push ecx .text:00402B37 mov edx, [ebp-330h] .text:00402B3D push edx .text:00402B3E push 0 .text:00402B40 call mirsys_get_40B280 .text:00402B45 add esp, 10h .text:00402B48 mov eax, [ebp-328h] .text:00402B4E push eax .text:00402B4F call mirsys_mirkill_409CA0 .text:00402B54 add esp, 4 .text:00402B57 mov ecx, [ebp-32Ch] .text:00402B5D push ecx .text:00402B5E call mirsys_mirkill_409CA0 .text:00402B63 add esp, 4 .text:00402B66 mov edx, [ebp-334h] .text:00402B6C push edx .text:00402B6D call mirsys_mirkill_409CA0 .text:00402B72 add esp, 4 .text:00402B75 mov eax, [ebp-330h] .text:00402B7B push eax .text:00402B7C call mirsys_mirkill_409CA0 .text:00402B81 add esp, 4 .text:00402B84 call sub_409CC0 .text:00402B89 lea ecx, [ebp-194h] .text:00402B8F push ecx ; char * .text:00402B90 call _strlen .text:00402B95 add esp, 4 .text:00402B98 push eax .text:00402B99 lea edx, [ebp-25Ch] .text:00402B9F push edx .text:00402BA0 lea eax, [ebp-194h] .text:00402BA6 push eax .text:00402BA7 call charAry2String_40100F .text:00402BAC add esp, 0Ch .text:00402BAF lea ecx, [ebp-25Ch] .text:00402BB5 push ecx ; char * .text:00402BB6 lea edx, [ebp-0CCh] .text:00402BBC push edx ; char * .text:00402BBD call _strcmp .text:00402BC2 add esp, 8 .text:00402BC5 test eax, eax .text:00402BC7 jnz short loc_402BD0 .text:00402BC9 mov eax, 1 .text:00402BCE jmp short loc_402BD6 .text:00402BD0 ; 
--------------------------------------------------------------------------- .text:00402BD0 .text:00402BD0 loc_402BD0: ; CODE XREF: sub_402A3A+18Dj .text:00402BD0 xor eax, eax .text:00402BD2 jmp short loc_402BD6 .text:00402BD4 ; --------------------------------------------------------------------------- .text:00402BD4 .text:00402BD4 loc_402BD4: ; CODE XREF: sub_402A3A+CAj .text:00402BD4 xor eax, eax .text:00402BD6 .text:00402BD6 loc_402BD6: ; CODE XREF: sub_402A3A+194j .text:00402BD6 ; sub_402A3A+198j .text:00402BD6 pop edi .text:00402BD7 pop esi .text:00402BD8 pop ebx .text:00402BD9 add esp, 374h .text:00402BDF cmp ebp, esp .text:00402BE1 call __chkesp .text:00402BE6 mov esp, ebp .text:00402BE8 pop ebp .text:00402BE9 retn .text:00402BE9 sub_402A3A endp ; sp-analysis failed
主要过程:
1.取注册码的第4位后边的字符串,转成16进制字符串。
2.利用 mirsys 计算
powmod:
函数原型: void powmod(big x, big y, big z, big w); 功能说明: 模幂运算, w = x^y mod z
X就是输入的字符串
函数原型: void powmod(big x, big y, big z, big w); 功能说明: 模幂运算, w = x^y mod z
X就是输入的字符串
Y是0x3e9
Z是7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585 上边解密出来的字符串
计算出来的值 W 与 208CBB7CD6ECC6450019FDF016D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304 比较,相等即成功。
等价于一个 RSA 加密过程。
其中E=0x3e9
N= 0x7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
M= 0x208CBB7CD6ECC6450019FDF016D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304 密文。
利用在线网站http://www.factordb.com/index.php?query=56828191929550499896142468009756520490526164668720784286547535509684830643589