[原创] ctf2018 第四题wp
发表于: 2018-6-24 07:49 2643
先看整体结构
004031FA |. 68 1861480>push CrackMe-.00486118 ; /format = "%s"
004031FF |. E8 BCB1020>call <CrackMe-._scanf> ; \_scanf
00403204 |. 83C4 0C add esp,0xC
00403207 |. 8D55 C8 lea edx,[local.14]
0040320A |. 52 push edx ; /s = "U嬱jh@廐"
0040320B |. E8 B0A4020>call <CrackMe-._strlen> ; \_strlen
00403210 |. 83C4 04 add esp,0x4
00403213 |. 83F8 17 cmp eax,0x17
00403216 |. 76 13 jbe short CrackMe-.0040322B ; 判断输入长度
00403218 |. 8D45 E0 lea eax,[local.8]
0040321B |. 50 push eax ; |format = 4CD141CD ???
0040321C |. E8 1FA5020>call <CrackMe-._printf> ; \_printf
00403221 |. 83C4 04 add esp,0x4
00403224 |. 6A 00 push 0x0 ; /status = 0x0
00403226 |. E8 05B0020>call <CrackMe-._exit> ; \_exit
0040322B |> 8D4D CB lea ecx,dword ptr ss:[ebp-0x35]
0040322E |. 51 push ecx ; /s = "U嬱jh@廐"
0040322F |. E8 8CA4020>call <CrackMe-._strlen> ; \_strlen
00403234 |. 83C4 04 add esp,0x4
00403237 |. 50 push eax
00403238 |. 68 6056490>push CrackMe-.00495660
0040323D |. 8D55 CB lea edx,dword ptr ss:[ebp-0x35]
00403240 |. 52 push edx ; CrackMe-.<ModuleEntryPoint>
00403241 |. E8 2CDFFFF>call CrackMe-.00401172 ; 去掉前3字节,剩下转换成strhex串
00403246 |. 83C4 0C add esp,0xC
00403249 |. E8 0FE0FFF>call CrackMe-.0040125D ; 计算1
0040324E |. 8945 FC mov [local.1],eax
00403251 |. 6A 03 push 0x3 ; /n = 0x3
00403253 |. 8D45 C8 lea eax,[local.14] ; |
00403256 |. 50 push eax ; |src = 4CD141CD
00403257 |. 8D4D C4 lea ecx,[local.15] ; |
0040325A |. 51 push ecx ; |dest = CrackMe-.<ModuleEntryPoint>
0040325B |. E8 60A5020>call <CrackMe-._memcpy> ; \前面复制了个头?
00403260 |. 83C4 0C add esp,0xC
00403263 |. 8D55 C4 lea edx,[local.15]
00403266 |. 52 push edx ; CrackMe-.<ModuleEntryPoint>
00403267 |. E8 20DEFFF>call <CrackMe-.CheckDec> ; 检查前3字节
0040326C |. 83C4 04 add esp,0x4
0040326F |. 25 FF00000>and eax,0xFF
00403274 |. 85C0 test eax,eax
00403276 |. 74 11 je short CrackMe-.00403289 ; 前3个只能是数字
00403278 |. 8D45 C4 lea eax,[local.15]
0040327B |. 50 push eax
0040327C |. E8 0EE0FFF>call CrackMe-.0040128F ; 计算2
00403281 >|. 83C4 04 add esp,0x4
00403284 8945 F8 mov dword ptr ss:[ebp-0x8],eax
00403287 EB 10 jmp short CrackMe-.00403299
00403289 |> 8D4D E0 lea ecx,[local.8]
0040328C |. 51 push ecx ; |format = "U嬱jh@廐"
0040328D |. E8 AEA4020>call <CrackMe-._printf> ; \error
00403292 |. 83C4 04 add esp,0x4
00403295 |. 33C0 xor eax,eax
00403297 |. EB 34 jmp short CrackMe-.004032CD
00403299 |> 8B55 FC mov edx,[local.1]
0040329C |. 0355 F8 add edx,[local.2] ; 计算1 + 计算2 == 2 则满足条件
0040329F |. 83FA 02 cmp edx,0x2
004032A2 |. 75 0E jnz short CrackMe-.004032B2
004032A4 |. 8D45 EC lea eax,[local.5]
004032A7 |. 50 push eax ; |format = 4CD141CD ???
004032A8 |. E8 93A4020>call <CrackMe-._printf> ; \_printf
004032AD |. 83C4 04 add esp,0x4
004032B0 |. EB 0C jmp short CrackMe-.004032BE
004032B2 |> 8D4D E0 lea ecx,[local.8]
004032B5 |. 51 push ecx ; |format = "U嬱jh@廐"
004032B6 |. E8 85A4020>call <CrackMe-._printf> ; \_printf
004032BB |. 83C4 04 add esp,0x4
004032BE |> 68 1061480>push CrackMe-.00486110 ; /command = "pause"
004032C3 |. E8 18AE020>call <CrackMe-._system> ; \_system
-------------------------------------------------------------------------------------------------
流程很清楚：算法1（上面注释里的“计算1”）判断后面的字符串，算法2（“计算2”）判断前3个数字。
xxxyyyyyy 结构
scanf
if(strlen(str)<=0x17){
k1 = 算法1() //yyyyyy
k2 = 算法2() //xxx 数字 (调用前先经过 CheckDec 检查前3字节是否都是数字, 不是则直接报错)
if(k1 + k2 == 2){
//成功
}
}
----------------------------------------------------------------------------------------------------
算法1:
0040125D
初始化之类的都不用看,直接看处理输入部分
00402AAD |. 68 6056490>push CrackMe-.00495660 ; ASCII "34353637"
00402AB2 |. 8B85 CCFCF>mov eax,[local.205]
00402AB8 |. 50 push eax
00402AB9 |. E8 22A7000>call <CrackMe-.setBigNum> ; 倒序-->设置大数对象
00402ABE |. 83C4 08 add esp,0x8
00402AC1 |. 8D8D DCFCF>lea ecx,[local.201]
00402AC7 |. 51 push ecx
00402AC8 |. 8B95 D8FCF>mov edx,[local.202]
00402ACE |. 52 push edx
00402ACF |. E8 0CA7000>call <CrackMe-.setBigNum> ; "7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585"
00402AD4 |. 83C4 08 add esp,0x8 ; 倒序存入结构体
00402AD7 |. 68 A060480>push CrackMe-.004860A0 ; 3E9 = 1001
00402ADC |. 8B85 D4FCF>mov eax,[local.203]
00402AE2 |. 50 push eax
00402AE3 |. E8 F8A6000>call <CrackMe-.setBigNum>
00402AE8 |. 83C4 08 add esp,0x8
00402AEB |. 8B8D D8FCF>mov ecx,[local.202]
00402AF1 |. 51 push ecx
00402AF2 |. 8B95 CCFCF>mov edx,[local.205]
00402AF8 |. 52 push edx
00402AF9 |. E8 C277000>call CrackMe-.0040A2C0 ; 比较大小 , N = 7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
00402AFE |. 83C4 08 add esp,0x8 ; 也即256位的rsa
00402B01 |. 83F8 FF cmp eax,-0x1
00402B04 |. 0F85 CA000>jnz CrackMe-.00402BD4
00402B0A |. 8B85 D0FCF>mov eax,[local.204]
00402B10 |. 50 push eax ; 0
00402B11 |. 8B8D D8FCF>mov ecx,[local.202]
00402B17 |. 51 push ecx
00402B18 |. 8B95 D4FCF>mov edx,[local.203]
00402B1E |. 52 push edx ; 3E9 = 1001 ,rsa常用这个公钥之一
00402B1F |. 8B85 CCFCF>mov eax,[local.205]
00402B25 |. 50 push eax ; x 输入的数据
00402B26 |. E8 E595000>call <CrackMe-.RsaEncrypt> ; 公钥加密(x,E,N,0)
...
附近的明显特征
1. 3E9 (=1001常被当成RSA的公钥之一)
2. 倒序存入结构体(BigNum)，这是大数计算类常用的做法
struct BigNum{
dword nSize; // 长度,以DWORD计,1表示32位,即占DWORD * 1
dword *pdata;
byte data[]; //大数按小端模式存放, 高位在右边
}
3.输入数比较
00402AF9 |. E8 C277000>call CrackMe-.0040A2C0 ; 比较大小 ,如此估计 N = 7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
猜测是RSA的加密解密函数
//还可以用PEID查看算法,定位,这样更快
(利用第四点验证猜测)
4.加密的时候, X ** E % N == Y (X就是自己输入的数据,Y是结果)
数很大,太难看清楚了,我们可以把结构体改成最小的RSA组合
我们用来测试的小RSA组与原始的对照:
        测试组(十进制)  测试组(十六进制)  原始的
N       3016            BC8               7da39de66016477b1afc3dc8e309dc429b5de855f0d616d225b570b68b88a585
E       3               3                 3E9 (公钥)
D       2011            7DB               未知 (私钥)
X= 2 我们输入的
Y= 8
2 的 3次方 mod 3016 = 8
//还可以用大数计算器来算的.
确定了是RSA加密后,已知N,那就去分解N。这里是256位的RSA,模数这么短,在普通PC上就能分解出来
//最近忙,晚上2点才开始搞,发现是RSA吓我一跳,以前没暴力解过RSA,不知道大概时间,怕跑不出来,以前的电脑龟速,
(还好我上月换了新电脑)
//找工具浪费不少时间 (没有收集工具的好习惯)
从论坛下载工具,1小时内跑出结果 //工具名:RDLP
N = 9C8DD7C90A888F7374BFE3C485448C5B * CD72845A310C5CC5FF08D546717DBB9F
那么
T = (9C8DD7C90A888F7374BFE3C485448C5B - 1) * (CD72845A310C5CC5FF08D546717DBB9F - 1)
又∵
E = 3E9
通过 D * E mod T = 1 (RSA) 计算
D = 2E70A649E6A648F78A9D2C1074A7D51F0099C13F7F9BCBB78BAD2C1B1B1D96F1 (使用工具RSA-TOOL)
-----
00402BA7 |. E8 63E4FFF>call <CrackMe-.CharsToHexString_40100F>
00402BAC |. 83C4 0C add esp,0xC
00402BAF |. 8D8D A4FDF>lea ecx,[local.151]
00402BB5 |. 51 push ecx
00402BB6 |. 8D95 34FFF>lea edx,[local.51]
00402BBC |. 52 push edx
00402BBD |. E8 9EB0020>call <CrackMe-._strcmp> ; 比较 == "208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304"
求X (这里的 Y 应即上面 strcmp 处比较的常量 208CBB7CD6ECC64516D07D978F5F0681F534EAD235D5C49ADD72D2DB840D5304)
X ** E % N == Y
Y ** D % N == X
---------------------------
算法2:
0040128F
3个数字,用它自己的函数,直接循环跑一下就可以出来
//原始指令
00403278 |. 8D45 C4 lea eax,[local.15]
0040327B |. 50 push eax
0040327C |. E8 0EE0FFF>call CrackMe-.0040128F ; 计算2
00403281 >|. 83C4 04 add esp,0x4
00403284 8945 F8 mov dword ptr ss:[ebp-0x8],e>
// 直接在OD上
手动汇编修改指令 (2行指令) , 这方法最快了
00403278 |. 8D45 C4 lea eax,[local.15]
0040327B |. 50 push eax
0040327C |. E8 0EE0FFF>call CrackMe-.0040128F ; 计算2
00403281 |. 83C4 04 add esp,0x4 //下条件断点 eax==1
00403284 FF45 C4 inc dword ptr ss:[ebp-0x3C]
00403287 ^ EB EF jmp short CrackMe-.00403278
输入 "000"
//下条件断点 EAX == 1 (如果无解会卡死,哈哈)
//秒出结果 "520"
---------------------------
∴结果是 520iamahandsomeguyhaha1