*附件中的CrackMe是把混淆修复后的idb和exe,CrackMe - original是原题提供的exe
首先程序有简单的call call jmp/ jne+je跳转混淆,前者在ida里手动修复成push push jmp,后者直接拼回去
修复后的效果可以直接看idb
修复后的main函数关键代码:
// Key part of main() after the call/jmp obfuscation was undone.  This is IDA
// pseudocode (the enclosing function and the closing braces are not shown),
// so the fragment is not compilable as-is.
// Read the candidate flag into v10.  The extra trailing argument 24 looks like
// the decompiler's rendering of a bounded read (e.g. scanf_s) -- confirm in the idb.
scanf("%s", &v10, 24);
// Anything longer than 23 characters is rejected outright.
if ( strlen(&v10) > 23 )
{
// NOTE(review): the format argument is a variable here; harmless if v18 is a
// constant string in the image, otherwise it would be a format-string issue.
printf(v18);
exit(0);
}
// v11[2] is presumably the input from its 4th character onward (the RSA part
// below works on that tail).  a32323232333366 is later fed to cinstr() as the
// plaintext bignum, so sub_402220 presumably fills it from the tail -- verify.
v6 = strlen(&v11[2]);
sub_402220(&v11[2], a32323232333366, v6);
v23 = sub_402630();   // RSA check on the tail (see the miracl fragment below)
// The first three input characters are copied into v8 ...
memcpy(&v8, &v10, 3u);
// ... and sub_402FC0 gates whether sub_402D60 gets to evaluate them.
if ( sub_402FC0((int)&v8) )
{
v22 = sub_402D60(&v8);
// Success only when the two checks together add up to 2, i.e. (per the
// write-up) both sub_402630 and sub_402D60 passed.
if ( v22 + v23 == 2 )
printf(v20); // success
v23+v22==2说明sub_402630和sub_402d60都成功才行,先看第一个
子函数简单过一遍,结合题目标题,目测是个加密算法,一个函数一个函数找关键常量
在sub_4095A0 找到 0x55555555 0x12345678 0x1379BDF1,丢给google得到结论:miracl
结合这篇文章的思路,把miracl的函数都标出来:https://bbs.pediy.com/thread-222568.htm
得到关键逻辑:
// Body of the RSA check (sub_402630) with the miracl symbols renamed.  The
// number base miracl uses to parse the cinstr() text is not visible here; the
// write-up treats n and the ciphertext as hex.
v5 = mirvar(0);   // n  (modulus)
v4 = mirvar(0);   // e  (public exponent)
v2 = mirvar(0);   // m  (the preprocessed input tail as a number)
v3 = mirvar(0);   // c  (result of the modular exponentiation)
cinstr((int)v2, (int)a32323232333366);  // m from the buffer main() prepared
cinstr((int)v5, (int)&v6);              // n from the embedded constant
cinstr((int)v4, (int)"3e9");            // e, given as the text "3e9"
// Textbook RSA needs m < n; any other ordering fails the check immediately.
if ( mr_compare(v2, v5) != -1 )
return 0;
powmod((int)v2, (int)v4, (int)v5, (int)v3);  // v3 = v2 ^ v4 mod v5
big_to_bytes(0, v3, &v75, 0);                // serialize the result into v75
cleanup((int)v5);
cleanup((int)v4);
cleanup((int)v2);
cleanup((int)v3);
sub_409CC0();
// NOTE(review): strlen() on big_to_bytes() output stops at the first 0x00
// byte, so a result containing a zero byte would be truncated here -- a quirk
// of the original, not something to rely on.
v0 = strlen(&v75);
// sub_40100F turns the raw bytes in v75 into the comparable form in v71
// (presumably a hex string, given the hex target) -- not visible here.
sub_40100F((int)&v75, (int)&v71, v0);
// Accept only if encrypting the input reproduces the stored ciphertext v79.
return strcmp(&v79, &v71) == 0;
这对应的是RSA加密逻辑(input是输入字符串第四位开始到最后)
mod(pow(input, e), n) == v79
将明文rsa加密的结果与目标结果比较
调试得到
n = 7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
密文c = 208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304
3e9是常见rsa的e值
n只有256位(64个十六进制字符),这个长度的模数可以直接分解,把n丢给factordb.com得到
p = 273086345401562743300402731618892888991
q = 208096057845685678782766058500526476379
用这套代码取模逆https://gist.github.com/ofaurax/6103869014c246f962ab30a513fb5b49得到d
在这里用n d e解密密文c http://extranet.cryptomathic.com/rsacalc/index
得到明文iamahandsomeguyhaha1(flag的后几位)
rsa部分结束看后面:
看sub_402FC0:简单的判断了一下输入前三位是不是数字
sub_402D60通过输入内容运算,返回值判断是否成功
因为三位数字最多也就1000种可能性,直接注入dll暴力算
dll代码:
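/*
 * DllMain of the brute-force helper that is injected into the CrackMe.
 *
 * On process attach it resolves sub_402D60 inside the host image and calls
 * it with every three-digit ASCII string "000".."999"; each candidate the
 * function accepts is shown in a message box.
 *
 * hModule            - this DLL's own module handle (used only to turn off
 *                      thread attach/detach notifications).
 * ul_reason_for_call - loader notification; only DLL_PROCESS_ATTACH does work.
 * lpReserved         - unused.
 * Returns TRUE so the loader keeps the DLL mapped.
 *
 * NOTE(review): showing UI from DllMain runs under the loader lock; fine for a
 * throwaway brute-forcer, not for anything that has to stay stable.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DisableThreadLibraryCalls(hModule);

        /* 0x2D60 is the RVA of sub_402D60 under the CrackMe's 0x400000 image
         * base; GetModuleHandleW(0) is the host exe, so base + RVA is the
         * function's real address even if the image was relocated.  Assign
         * through a function-pointer cast instead of writing the pointer
         * object through uintptr_t* (type punning). */
        int (*sub_402D60)(char *a1) =
            (int (*)(char *))((uintptr_t)GetModuleHandleW(0) + 0x2D60);

        /* Candidate buffer: three digits plus the terminating NUL. */
        char test[4] = "000";
        for (test[0] = '0'; test[0] <= '9'; test[0]++) {
            for (test[1] = '0'; test[1] <= '9'; test[1]++) {
                for (test[2] = '0'; test[2] <= '9'; test[2]++) {
                    if (sub_402D60(test)) {
                        /* Report every hit.  The original's `break` only left
                         * the innermost loop, which skipped the rest of the
                         * current prefix but still scanned all later ones;
                         * scanning exhaustively makes the search consistent. */
                        MessageBoxA(0, test, 0, 0);
                    }
                }
            }
        }
        break; /* previously fell through into the no-op cases below */
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}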
得到前三位520
最终结果:
520iamahandsomeguyhaha1
PS1:PWN占比好高啊
PS2:老了,加班+解题肝不动了
// Body of the RSA check (sub_402630) with the miracl symbols renamed.  The
// number base miracl uses to parse the cinstr() text is not visible here; the
// write-up treats n and the ciphertext as hex.
v5 = mirvar(0);   // n  (modulus)
v4 = mirvar(0);   // e  (public exponent)
v2 = mirvar(0);   // m  (the preprocessed input tail as a number)
v3 = mirvar(0);   // c  (result of the modular exponentiation)
cinstr((int)v2, (int)a32323232333366);  // m from the buffer main() prepared
cinstr((int)v5, (int)&v6);              // n from the embedded constant
cinstr((int)v4, (int)"3e9");            // e, given as the text "3e9"
// Textbook RSA needs m < n; any other ordering fails the check immediately.
if ( mr_compare(v2, v5) != -1 )
return 0;
powmod((int)v2, (int)v4, (int)v5, (int)v3);  // v3 = v2 ^ v4 mod v5
big_to_bytes(0, v3, &v75, 0);                // serialize the result into v75
cleanup((int)v5);
cleanup((int)v4);
cleanup((int)v2);
cleanup((int)v3);
sub_409CC0();
// NOTE(review): strlen() on big_to_bytes() output stops at the first 0x00
// byte, so a result containing a zero byte would be truncated here -- a quirk
// of the original, not something to rely on.
v0 = strlen(&v75);
// sub_40100F turns the raw bytes in v75 into the comparable form in v71
// (presumably a hex string, given the hex target) -- not visible here.
sub_40100F((int)&v75, (int)&v71, v0);
// Accept only if encrypting the input reproduces the stored ciphertext v79.
return strcmp(&v79, &v71) == 0;
这对应的是RSA加密逻辑(input是输入字符串第四位开始到最后)
mod(pow(input, e), n) == v79
将明文rsa加密的结果与目标结果比较
调试得到
n = 7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
密文c = 208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304
3e9是常见rsa的e值
n只有256位(64个十六进制字符),这个长度的模数可以直接分解,把n丢给factordb.com得到
p = 273086345401562743300402731618892888991
q = 208096057845685678782766058500526476379
用这套代码取模逆https://gist.github.com/ofaurax/6103869014c246f962ab30a513fb5b49得到d
在这里用n d e解密密文c http://extranet.cryptomathic.com/rsacalc/index
得到明文iamahandsomeguyhaha1(flag的后几位)
rsa部分结束看后面:
看sub_402FC0:简单的判断了一下输入前三位是不是数字
sub_402D60通过输入内容运算,返回值判断是否成功
因为三位数字最多也就1000种可能性,直接注入dll暴力算
dll代码:
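/*
 * DllMain of the brute-force helper that is injected into the CrackMe.
 *
 * On process attach it resolves sub_402D60 inside the host image and calls
 * it with every three-digit ASCII string "000".."999"; each candidate the
 * function accepts is shown in a message box.
 *
 * hModule            - this DLL's own module handle (used only to turn off
 *                      thread attach/detach notifications).
 * ul_reason_for_call - loader notification; only DLL_PROCESS_ATTACH does work.
 * lpReserved         - unused.
 * Returns TRUE so the loader keeps the DLL mapped.
 *
 * NOTE(review): showing UI from DllMain runs under the loader lock; fine for a
 * throwaway brute-forcer, not for anything that has to stay stable.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        DisableThreadLibraryCalls(hModule);

        /* 0x2D60 is the RVA of sub_402D60 under the CrackMe's 0x400000 image
         * base; GetModuleHandleW(0) is the host exe, so base + RVA is the
         * function's real address even if the image was relocated.  Assign
         * through a function-pointer cast instead of writing the pointer
         * object through uintptr_t* (type punning). */
        int (*sub_402D60)(char *a1) =
            (int (*)(char *))((uintptr_t)GetModuleHandleW(0) + 0x2D60);

        /* Candidate buffer: three digits plus the terminating NUL. */
        char test[4] = "000";
        for (test[0] = '0'; test[0] <= '9'; test[0]++) {
            for (test[1] = '0'; test[1] <= '9'; test[1]++) {
                for (test[2] = '0'; test[2] <= '9'; test[2]++) {
                    if (sub_402D60(test)) {
                        /* Report every hit.  The original's `break` only left
                         * the innermost loop, which skipped the rest of the
                         * current prefix but still scanned all later ones;
                         * scanning exhaustively makes the search consistent. */
                        MessageBoxA(0, test, 0, 0);
                    }
                }
            }
        }
        break; /* previously fell through into the no-op cases below */
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}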
得到前三位520
最终结果:
520iamahandsomeguyhaha1
PS1:PWN占比好高啊
PS2:老了,加班+解题肝不动了