-
-
ctf2018-第8题
-
发表于: 2018-7-1 13:54 2820
-
进制转换36/62/64/256
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | struct buf { BYTE len0; BYTE len0_1; // len0_1 ==len0+4 BYTE len1; BYTE len2; BYTE r0[len0+4]; BYTE r1[len1]; BYTE r2[len2];};.text:00401A19 mov al, [edx].text:00401A1B cmp al, 1.text:00401A1D jb loc_4023E6.text:00401A23 cmp al, 18h.text:00401A25 ja loc_4023E6.text:00401A2B mov cl, [edx+1].text:00401A2E cmp cl, 1.text:00401A31 mov byte ptr [ebp+var_14], cl.text:00401A34 jb loc_4023E6.text:00401A3A cmp cl, 18h.text:00401A3D ja loc_4023E6.text:00401A43 mov bl, [edx+2].text:00401A46 cmp bl, 1.text:00401A49 jb loc_4023E6.text:00401A4F cmp bl, 18h.text:00401A52 ja loc_4023E6.text:00401A58 mov cl, [edx+3].text:00401A5B cmp cl, 1.text:00401A5E jb loc_4023E6.text:00401A64 cmp cl, 18h.text:00401A67 ja loc_4023E6.text:00401A6D mov esi, [ebp+var_14].text:00401A70 and eax, 0FFh.text:00401A75 and esi, 0FFh.text:00401A7B lea edx, [eax+4].text:00401A7E cmp edx, esi.text:00401A80 jnz loc_4023E6.text:00401A86 and ecx, 0FFh.text:00401A8C and ebx, 0FFh.text:00401A92 add eax, ecx.text:00401A94 mov ecx, [ebp+var_2C].text:00401A97 mov edx, [ecx+8].text:00401A9A lea eax, [ebx+eax+8].text:00401A9E cmp eax, edx.text:00401AA0 jnz loc_4023E6 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 | struct buf { BYTE len0; BYTE len0_1; // len0_1 ==len0+4 BYTE len1; BYTE len2; BYTE r0[len0+4]; BYTE r1[len1]; BYTE r2[len2];};.text:00401A19 mov al, [edx].text:00401A1B cmp al, 1.text:00401A1D jb loc_4023E6.text:00401A23 cmp al, 18h.text:00401A25 ja loc_4023E6.text:00401A2B mov cl, [edx+1].text:00401A2E cmp cl, 1.text:00401A31 mov byte ptr [ebp+var_14], cl.text:00401A34 jb loc_4023E6.text:00401A3A cmp cl, 18h.text:00401A3D ja loc_4023E6.text:00401A43 mov bl, [edx+2].text:00401A46 cmp bl, 1.text:00401A49 jb loc_4023E6.text:00401A4F cmp bl, 18h.text:00401A52 ja loc_4023E6.text:00401A58 mov cl, [edx+3].text:00401A5B cmp cl, 1.text:00401A5E jb loc_4023E6.text:00401A64 cmp cl, 18h.text:00401A67 ja loc_4023E6.text:00401A6D mov esi, [ebp+var_14].text:00401A70 and eax, 0FFh.text:00401A75 and esi, 0FFh.text:00401A7B lea edx, [eax+4].text:00401A7E cmp edx, esi.text:00401A80 jnz loc_4023E6.text:00401A86 and ecx, 0FFh.text:00401A8C and ebx, 0FFh.text:00401A92 add eax, ecx.text:00401A94 mov ecx, [ebp+var_2C].text:00401A97 mov edx, [ecx+8].text:00401A9A lea eax, [ebx+eax+8].text:00401A9E cmp eax, edx.text:00401AA0 jnz loc_4023E6 |
v1=g_bn1, v2=g_bn2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | .text:00401D21 push offset aWelcomeToBbsPe ; "welcome to bbs.pediy.com.".text:00401D26 push offset g_bn1.text:00401D2B call x_from_basen.text:00401D30 mov edi, offset a0123456789abcd_0 ; .text:00401D35 or ecx, 0FFFFFFFFh.text:00401D38 xor eax, eax.text:00401D3A push 2Bh.text:00401D3C repne scasb.text:00401D3E not ecx.text:00401D40 push 2Dh.text:00401D42 dec ecx.text:00401D43 push offset a0123456789abcd_0 ; .text:00401D48 push ecx.text:00401D49 mov edi, offset aAuthorByLookhc ; "Author by Lookhc".text:00401D4E or ecx, 0FFFFFFFFh.text:00401D51 repne scasb.text:00401D53 not ecx.text:00401D55 dec ecx.text:00401D56 push ecx.text:00401D57 push offset aAuthorByLookhc ; "Author by Lookhc".text:00401D5C push offset g_bn2.text:00401D61 call x_from_basen |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | .text:00401D21 push offset aWelcomeToBbsPe ; "welcome to bbs.pediy.com.".text:00401D26 push offset g_bn1.text:00401D2B call x_from_basen.text:00401D30 mov edi, offset a0123456789abcd_0 ; .text:00401D35 or ecx, 0FFFFFFFFh.text:00401D38 xor eax, eax.text:00401D3A push 2Bh.text:00401D3C repne scasb.text:00401D3E not ecx.text:00401D40 push 2Dh.text:00401D42 dec ecx.text:00401D43 push offset a0123456789abcd_0 ; .text:00401D48 push ecx.text:00401D49 mov edi, offset aAuthorByLookhc ; "Author by Lookhc".text:00401D4E or ecx, 0FFFFFFFFh.text:00401D51 repne scasb.text:00401D53 not ecx.text:00401D55 dec ecx.text:00401D56 push ecx.text:00401D57 push offset aAuthorByLookhc ; "Author by Lookhc".text:00401D5C push offset g_bn2.text:00401D61 call x_from_basen |
校验r0[len0]
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:00401DEB mov edx, [ebp+var_38].text:00401DEE lea eax, [ebp+var_44] ; must return 1.text:00401DF1 lea ecx, [ebp+var_3C] ; must return 0.text:00401DF4 push eax.text:00401DF5 push ecx.text:00401DF6 mov edi, edx.text:00401DF8 or ecx, 0FFFFFFFFh.text:00401DFB xor eax, eax.text:00401DFD mov [ebp+var_3C], 64h.text:00401E04 mov [ebp+var_44], 0.text:00401E0B repne scasb.text:00401E0D not ecx.text:00401E0F dec ecx.text:00401E10 push 5.text:00401E12 push ecx.text:00401E13 push edx.text:00401E14 call sub_4010A0 ; must return 1 |
校验buf的crc
1 2 3 4 5 6 7 8 9 | .text:00401E29 push ecx.text:00401E2A push edx.text:00401E2B push offset loc_401ABF.text:00401E30 push 6780h.text:00401E35 push 13114F0Dh.text:00401E3A push 1F6E1EA0h.text:00401E3F call sub_404A60 ; crc32(buf, 0) == 0.text:00401E44 add esp, 1Ch.text:00401E47 mov [ebp+lpMem], eax ; must be 0 |
这个循环会校验 r0^n == r1^n+r2^n (n: 3~9), 这个肯定不成立
1 2 3 4 5 6 7 8 | .text:00401EF2 cmp eax, 0Ah.text:00401EF5 jge loc_40210F.text:00401EFB test eax, eax.text:00401EFD jnz short loc_401F30....text:004020FF call bn_compare.text:00402104 test eax, eax.text:00402106 jnz loc_4022E9 ; always jmp |
异常处理
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | .text:004022E9 mov eax, [ebp+var_3C] ; must be 0.text:004022EC test eax, eax.text:004022EE jnz short loc_402305.text:004022F0 lea eax, [ebp+var_48].text:004022F3 push offset __TI1H ; throw info for 'int'.text:004022F8 push eax.text:004022F9 mov [ebp+var_48], 1.text:00402300 call __CxxThrowException@8 ; _CxxThrowException(x,x).text:00402367 ; catch(...) // owned by 401EE8.text:00402367 mov dword ptr [ebp-30h], 2.text:0040236E mov eax, offset loc_40211C.text:00402373 retn.text:0040211C mov eax, [ebp-30h].text:0040211F mov [ebp+var_4], 0FFFFFFFFh.text:00402126 cmp eax, 2.text:00402129 jnz loc_402399 |
r1-r2=bn2
2*r1+4*r2=bn1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | .text:00402189 call bn_add....text:004021BB call bn_compare.text:004021CE push 4.text:004021D0 push edx.text:004021D1 call bn_int....text:004021F5 call bn_mul.text:004021FA lea ecx, [ebp+var_1970].text:00402200 push 2.text:00402202 push ecx.text:00402203 call bn_int....text:00402226 call bn_mul.text:0040222B mov ecx, 84h.text:00402230 mov esi, offset g_bn1....text:0040225F call bn_add....text:0040228D call bn_rebase |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 | crc32_table = [ 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL]crc32_table_highest_byte_map = [-1] * 256for i in range(256): crc32_table_highest_byte_map[(crc32_table[i] >> 24) & 0xFF] = idef array_to_int(k, base): v = 0 n = 1 for _ in k: v += n * _ n *= base return vdef int_to_array(v, base): r = [] while v != 0: r.append(v % base) v = v / base return rdef str_to_int(s, char_map): # type:(str,str) -> int r = [] for _ in s: r.append(char_map.find(_)) return array_to_int(r, len(char_map))def int_to_str(v, char_map): # type:(int,str) -> str r = int_to_array(v, len(char_map)) s = '' for _ in r: s = char_map[_] + s return sdef print_array(r): s = '' for _ in r: s += ('%x' % _).zfill(2) + ' ' print s returndef print_int(v, base): r = int_to_array(v, base) print_array(r) returndef array_to_str(k): s = '' for _ in k: s += chr(_) return sdef str_to_array(s): k = [] for _ in s: k.append(ord(s)) return kdef crc32_update(k, crc): for b in k: crc = (crc >> 8) ^ crc32_table[b ^ (crc & 0xFF)] return crcdef get_crc32_update_init_value(k, crc): z = len(k) - 1 while z >= 0: idx = crc32_table_highest_byte_map[(crc >> 24) & 0xFF] crc = ((crc32_table[idx] ^ crc) << 8) | (idx ^ k[z]) z -= 1 return crcdef crc32(k, crc_init=0): crc = crc_init crc = (~crc) & 0xFFFFFFFF crc = crc32_update(k, crc) crc = (~crc) & 0xFFFFFFFF return crcdef crc_RF(x): return crc32_table_highest_byte_map[x]def crc_F(x): return (crc32_table[x] >> 24) & 0xFFdef crc_G(x): return (crc32_table[x] >> 16) & 0xFFdef crc_H(x): return (crc32_table[x] >> 8) & 0xFFdef crc_I(x): return (crc32_table[x] >> 0) & 0xFFdef crack_crc(s_head, s_tail, crc_init, crc_final): crc1 = (~crc_init) & 0xFFFFFFFF crc1 = crc32_update(s_head, crc1) crc2 = (~crc_final) & 0xFFFFFFFF crc2 = get_crc32_update_init_value(s_tail, crc2) # hxxps://bbs.pediy.com/thread-8699.htm W = (crc2 >> 24) & 0xFF X = (crc2 >> 16) & 0xFF Y = (crc2 >> 8) & 0xFF Z = (crc2 >> 0) & 0xFF A = (crc1 >> 24) & 0xFF B = (crc1 >> 16) & 0xFF C = (crc1 >> 8) & 0xFF D = (crc1 >> 0) & 0xFF p = crc_RF(W) o = crc_RF(X ^ crc_G(p)) n = crc_RF(Y ^ crc_G(o) ^ crc_H(p)) m = crc_RF(Z ^ crc_G(n) ^ crc_H(o) ^ crc_I(p)) d = m ^ D c = n ^ C ^ crc_I(m) b = o ^ B ^ crc_H(m) ^ crc_I(n) a = p ^ A ^ crc_G(m) ^ crc_H(n) ^ crc_I(o) return [d, c, b, a]def check_crc_table(): print('xxstart') k3 = [0] * 256 k2 = [0] * 256 k1 = [0] * 256 k0 = [0] * 256 for _ in range(256): k3[(crc32_table[_] >> 24) & 0xFF] += 1 k2[(crc32_table[_] >> 16) & 0xFF] += 1 k1[(crc32_table[_] >> 8) & 0xFF] += 1 k0[(crc32_table[_] >> 0) & 0xFF] += 1 for _ in range(256): if k3[_] != 1: print('k3[%s]=%s' % (_, k3[_])) # if k2[_] != 1: # print('k2[%s]=%s' % (_, k2[_])) # if k1[_] != 1: # print('k1[%s]=%s' % (_, k1[_])) # if k0[_] != 1: # print('k0[%s]=%s' % (_, k0[_])) print('xxend') returndef x_401080(v): if v == 0: return 0 r = 1 while (v & 1) == 0: v >>= 1 r *= 2 if v == 0: return 0 return rdef x_4010A0(buf, bits): a1 = 0 buf_len = (1 << bits) - 1 v_cnt0 = buf_len v_cnt1 = 0 v_cnt2 = 0 _ = 0 for _ in range(buf_len): c = buf[_] v_cnt0_v = x_401080(v_cnt0) v_cnt1_v = x_401080(v_cnt1) v_cnt2_v = x_401080(v_cnt2) _v_cnt0_v = v_cnt0_v if v_cnt0_v != 0 else 100 _v_cnt1_v = v_cnt1_v if v_cnt1_v != 0 else 100 _v_cnt2_v = v_cnt2_v if v_cnt2_v != 0 else 100 if c == 0: if _v_cnt0_v >= _v_cnt1_v: break v_cnt0 -= v_cnt0_v v_cnt1 += v_cnt0_v a1 = v_cnt0_v elif c == 1: if _v_cnt0_v >= _v_cnt2_v: break v_cnt0 -= v_cnt0_v v_cnt2 += v_cnt0_v a1 = v_cnt0_v elif c == 2: if _v_cnt1_v >= _v_cnt0_v: break v_cnt0 += v_cnt1_v v_cnt1 -= v_cnt1_v a1 = v_cnt1_v elif c == 3: if _v_cnt1_v >= _v_cnt2_v: break v_cnt1 -= v_cnt1_v v_cnt2 += v_cnt1_v a1 = v_cnt1_v elif c == 4: if _v_cnt2_v >= _v_cnt0_v: break v_cnt0 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v elif c == 5: if _v_cnt2_v >= _v_cnt1_v: break v_cnt1 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v r = False a0 = v_cnt0 if _ == (buf_len - 1) and a0 == 0 and a1 == 1: r = True return [r, a0, a1]def x_crack_part1_raw(buf, offset, cond0, cond1, vct_max, strict=False): bits = 5 # buf[(1 << bits) - 1] == 0 i7_end = 6 if (offset != 0x18) else 1 vct = [] for i0 in range(6): for i1 in range(6): for i2 in range(6): for i3 in range(6): for i4 in range(6): for i5 in range(6): for i6 in range(6): for i7 in range(i7_end): buf[offset + 0] = i0 buf[offset + 1] = i1 buf[offset + 2] = i2 buf[offset + 3] = i3 buf[offset + 4] = i4 buf[offset + 5] = i5 buf[offset + 6] = i6 buf[offset + 7] = i7 r, a_0, a_1 = x_4010A0(buf, bits) if strict: ok = r else: ok = a_0 <= cond0 and (cond1 < 0 or a_1 <= cond1) if ok: v = [i0, i1, i2, i3, i4, i5, i6, i7] if strict: print('(%s): %s' % (len(vct), v)) vct.append(v) if (vct_max > 0) and (len(vct) >= vct_max): return vct return vctdef x_crack_part1(count, use_cache=True): buf = [0] * 32 print('crack_part1 0:8') offset = 0 if use_cache: vct0 = [[0, 1, 3, 0, 4, 5, 0, 1], ] else: vct0 = x_crack_part1_raw(buf, offset, 0x10, -1, 1) print vct0 for _ in range(8): buf[offset + _] = vct0[0][_] print('crack_part1 8:0x10') offset += 8 if use_cache: vct1 = [[2, 1, 2, 4, 3, 0, 1, 3], ] else: vct1 = x_crack_part1_raw(buf, offset, 0x0F, -1, 1) print vct1 for _ in range(8): buf[offset + _] = vct1[0][_] print('crack_part1 0x10:0x18') offset += 8 if use_cache: vct2 = [[0, 2, 0, 2, 0, 2, 0, 4], ] else: vct2 = x_crack_part1_raw(buf, offset, 0, 1, 1) print vct2 for _ in range(8): buf[offset + _] = vct2[0][_] print('crack_part1 0x18:0x20') offset += 8 vct3 = x_crack_part1_raw(buf, offset, 0, 1, count, strict=True) r = [] for a in range(len(vct3)): v = [_ for _ in buf] for b in range(8): v[offset + b] = vct3[a][b] # print_array(v) r.append(v) return rdef x_gen_sn(k): # char_map36 = 'abcdefghijklmnopqrstuvwxyz0123456789' char_map62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' char_map64 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. ' r0_0 = [] for _ in range(0, len(k), 2): r0_0 = [k[_ + 1] * 6 + k[_], ] + r0_0 v = array_to_int(r0_0, 36) # print_int(v, 36) # print int_to_str(v, char_map36) r0_0 = int_to_array(v, 256) r0_1 = [-1] * 4 r0 = r0_0 + r0_1 v1 = str_to_int('welcome to bbs.pediy.com.'[::-1], char_map64) v2 = str_to_int('Author by Lookhc'[::-1], char_map64) y = (v1 - v2 * 2) / 6 x = y + v2 r1 = int_to_array(x, 256) r2 = int_to_array(y, 256) k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 r0_1 = crack_crc(k[0:len(r0)], k[4 + len(r0):], 0, 0) r0 = r0_0 + r0_1 k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 print int_to_str(array_to_int(k, 256), char_map62) returndef test(): # count = 256 count = 2 ks = x_crack_part1(count, use_cache=True) for _ in range(len(ks)): x_gen_sn(ks[_]) returntest() |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:00401DEB mov edx, [ebp+var_38].text:00401DEE lea eax, [ebp+var_44] ; must return 1.text:00401DF1 lea ecx, [ebp+var_3C] ; must return 0.text:00401DF4 push eax.text:00401DF5 push ecx.text:00401DF6 mov edi, edx.text:00401DF8 or ecx, 0FFFFFFFFh.text:00401DFB xor eax, eax.text:00401DFD mov [ebp+var_3C], 64h.text:00401E04 mov [ebp+var_44], 0.text:00401E0B repne scasb.text:00401E0D not ecx.text:00401E0F dec ecx.text:00401E10 push 5.text:00401E12 push ecx.text:00401E13 push edx.text:00401E14 call sub_4010A0 ; must return 1 |
校验buf的crc
1 2 3 4 5 6 7 8 9 | .text:00401E29 push ecx.text:00401E2A push edx.text:00401E2B push offset loc_401ABF.text:00401E30 push 6780h.text:00401E35 push 13114F0Dh.text:00401E3A push 1F6E1EA0h.text:00401E3F call sub_404A60 ; crc32(buf, 0) == 0.text:00401E44 add esp, 1Ch.text:00401E47 mov [ebp+lpMem], eax ; must be 0 |
1 2 3 4 5 6 7 8 9 | .text:00401E29 push ecx.text:00401E2A push edx.text:00401E2B push offset loc_401ABF.text:00401E30 push 6780h.text:00401E35 push 13114F0Dh.text:00401E3A push 1F6E1EA0h.text:00401E3F call sub_404A60 ; crc32(buf, 0) == 0.text:00401E44 add esp, 1Ch.text:00401E47 mov [ebp+lpMem], eax ; must be 0 |
这个循环会校验 r0^n == r1^n+r2^n (n: 3~9), 这个肯定不成立
1 2 3 4 5 6 7 8 | .text:00401EF2 cmp eax, 0Ah.text:00401EF5 jge loc_40210F.text:00401EFB test eax, eax.text:00401EFD jnz short loc_401F30....text:004020FF call bn_compare.text:00402104 test eax, eax.text:00402106 jnz loc_4022E9 ; always jmp |
异常处理
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | .text:004022E9 mov eax, [ebp+var_3C] ; must be 0.text:004022EC test eax, eax.text:004022EE jnz short loc_402305.text:004022F0 lea eax, [ebp+var_48].text:004022F3 push offset __TI1H ; throw info for 'int'.text:004022F8 push eax.text:004022F9 mov [ebp+var_48], 1.text:00402300 call __CxxThrowException@8 ; _CxxThrowException(x,x).text:00402367 ; catch(...) // owned by 401EE8.text:00402367 mov dword ptr [ebp-30h], 2.text:0040236E mov eax, offset loc_40211C.text:00402373 retn.text:0040211C mov eax, [ebp-30h].text:0040211F mov [ebp+var_4], 0FFFFFFFFh.text:00402126 cmp eax, 2.text:00402129 jnz loc_402399 |
r1-r2=bn2
2*r1+4*r2=bn1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | .text:00402189 call bn_add....text:004021BB call bn_compare.text:004021CE push 4.text:004021D0 push edx.text:004021D1 call bn_int....text:004021F5 call bn_mul.text:004021FA lea ecx, [ebp+var_1970].text:00402200 push 2.text:00402202 push ecx.text:00402203 call bn_int....text:00402226 call bn_mul.text:0040222B mov ecx, 84h.text:00402230 mov esi, offset g_bn1....text:0040225F call bn_add....text:0040228D call bn_rebase |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 | crc32_table = [ 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL]crc32_table_highest_byte_map = [-1] * 256for i in range(256): crc32_table_highest_byte_map[(crc32_table[i] >> 24) & 0xFF] = idef array_to_int(k, base): v = 0 n = 1 for _ in k: v += n * _ n *= base return vdef int_to_array(v, base): r = [] while v != 0: r.append(v % base) v = v / base return rdef str_to_int(s, char_map): # type:(str,str) -> int r = [] for _ in s: r.append(char_map.find(_)) return array_to_int(r, len(char_map))def int_to_str(v, char_map): # type:(int,str) -> str r = int_to_array(v, len(char_map)) s = '' for _ in r: s = char_map[_] + s return sdef print_array(r): s = '' for _ in r: s += ('%x' % _).zfill(2) + ' ' print s returndef print_int(v, base): r = int_to_array(v, base) print_array(r) returndef array_to_str(k): s = '' for _ in k: s += chr(_) return sdef str_to_array(s): k = [] for _ in s: k.append(ord(s)) return kdef crc32_update(k, crc): for b in k: crc = (crc >> 8) ^ crc32_table[b ^ (crc & 0xFF)] return crcdef get_crc32_update_init_value(k, crc): z = len(k) - 1 while z >= 0: idx = crc32_table_highest_byte_map[(crc >> 24) & 0xFF] crc = ((crc32_table[idx] ^ crc) << 8) | (idx ^ k[z]) z -= 1 return crcdef crc32(k, crc_init=0): crc = crc_init crc = (~crc) & 0xFFFFFFFF crc = crc32_update(k, crc) crc = (~crc) & 0xFFFFFFFF return crcdef crc_RF(x): return crc32_table_highest_byte_map[x]def crc_F(x): return (crc32_table[x] >> 24) & 0xFFdef crc_G(x): return (crc32_table[x] >> 16) & 0xFFdef crc_H(x): return (crc32_table[x] >> 8) & 0xFFdef crc_I(x): return (crc32_table[x] >> 0) & 0xFFdef crack_crc(s_head, s_tail, crc_init, crc_final): crc1 = (~crc_init) & 0xFFFFFFFF crc1 = crc32_update(s_head, crc1) crc2 = (~crc_final) & 0xFFFFFFFF crc2 = get_crc32_update_init_value(s_tail, crc2) # hxxps://bbs.pediy.com/thread-8699.htm W = (crc2 >> 24) & 0xFF X = (crc2 >> 16) & 0xFF Y = (crc2 >> 8) & 0xFF Z = (crc2 >> 0) & 0xFF A = (crc1 >> 24) & 0xFF B = (crc1 >> 16) & 0xFF C = (crc1 >> 8) & 0xFF D = (crc1 >> 0) & 0xFF p = crc_RF(W) o = crc_RF(X ^ crc_G(p)) n = crc_RF(Y ^ crc_G(o) ^ crc_H(p)) m = crc_RF(Z ^ crc_G(n) ^ crc_H(o) ^ crc_I(p)) d = m ^ D c = n ^ C ^ crc_I(m) b = o ^ B ^ crc_H(m) ^ crc_I(n) a = p ^ A ^ crc_G(m) ^ crc_H(n) ^ crc_I(o) return [d, c, b, a]def check_crc_table(): print('xxstart') k3 = [0] * 256 k2 = [0] * 256 k1 = [0] * 256 k0 = [0] * 256 for _ in range(256): k3[(crc32_table[_] >> 24) & 0xFF] += 1 k2[(crc32_table[_] >> 16) & 0xFF] += 1 k1[(crc32_table[_] >> 8) & 0xFF] += 1 k0[(crc32_table[_] >> 0) & 0xFF] += 1 for _ in range(256): if k3[_] != 1: print('k3[%s]=%s' % (_, k3[_])) # if k2[_] != 1: # print('k2[%s]=%s' % (_, k2[_])) # if k1[_] != 1: # print('k1[%s]=%s' % (_, k1[_])) # if k0[_] != 1: # print('k0[%s]=%s' % (_, k0[_])) print('xxend') returndef x_401080(v): if v == 0: return 0 r = 1 while (v & 1) == 0: v >>= 1 r *= 2 if v == 0: return 0 return rdef x_4010A0(buf, bits): a1 = 0 buf_len = (1 << bits) - 1 v_cnt0 = buf_len v_cnt1 = 0 v_cnt2 = 0 _ = 0 for _ in range(buf_len): c = buf[_] v_cnt0_v = x_401080(v_cnt0) v_cnt1_v = x_401080(v_cnt1) v_cnt2_v = x_401080(v_cnt2) _v_cnt0_v = v_cnt0_v if v_cnt0_v != 0 else 100 _v_cnt1_v = v_cnt1_v if v_cnt1_v != 0 else 100 _v_cnt2_v = v_cnt2_v if v_cnt2_v != 0 else 100 if c == 0: if _v_cnt0_v >= _v_cnt1_v: break v_cnt0 -= v_cnt0_v v_cnt1 += v_cnt0_v a1 = v_cnt0_v elif c == 1: if _v_cnt0_v >= _v_cnt2_v: break v_cnt0 -= v_cnt0_v v_cnt2 += v_cnt0_v a1 = v_cnt0_v elif c == 2: if _v_cnt1_v >= _v_cnt0_v: break v_cnt0 += v_cnt1_v v_cnt1 -= v_cnt1_v a1 = v_cnt1_v elif c == 3: if _v_cnt1_v >= _v_cnt2_v: break v_cnt1 -= v_cnt1_v v_cnt2 += v_cnt1_v a1 = v_cnt1_v elif c == 4: if _v_cnt2_v >= _v_cnt0_v: break v_cnt0 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v elif c == 5: if _v_cnt2_v >= _v_cnt1_v: break v_cnt1 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v r = False a0 = v_cnt0 if _ == (buf_len - 1) and a0 == 0 and a1 == 1: r = True return [r, a0, a1]def x_crack_part1_raw(buf, offset, cond0, cond1, vct_max, strict=False): bits = 5 # buf[(1 << bits) - 1] == 0 i7_end = 6 if (offset != 0x18) else 1 vct = [] for i0 in range(6): for i1 in range(6): for i2 in range(6): for i3 in range(6): for i4 in range(6): for i5 in range(6): for i6 in range(6): for i7 in range(i7_end): buf[offset + 0] = i0 buf[offset + 1] = i1 buf[offset + 2] = i2 buf[offset + 3] = i3 buf[offset + 4] = i4 buf[offset + 5] = i5 buf[offset + 6] = i6 buf[offset + 7] = i7 r, a_0, a_1 = x_4010A0(buf, bits) if strict: ok = r else: ok = a_0 <= cond0 and (cond1 < 0 or a_1 <= cond1) if ok: v = [i0, i1, i2, i3, i4, i5, i6, i7] if strict: print('(%s): %s' % (len(vct), v)) vct.append(v) if (vct_max > 0) and (len(vct) >= vct_max): return vct return vctdef x_crack_part1(count, use_cache=True): buf = [0] * 32 print('crack_part1 0:8') offset = 0 if use_cache: vct0 = [[0, 1, 3, 0, 4, 5, 0, 1], ] else: vct0 = x_crack_part1_raw(buf, offset, 0x10, -1, 1) print vct0 for _ in range(8): buf[offset + _] = vct0[0][_] print('crack_part1 8:0x10') offset += 8 if use_cache: vct1 = [[2, 1, 2, 4, 3, 0, 1, 3], ] else: vct1 = x_crack_part1_raw(buf, offset, 0x0F, -1, 1) print vct1 for _ in range(8): buf[offset + _] = vct1[0][_] print('crack_part1 0x10:0x18') offset += 8 if use_cache: vct2 = [[0, 2, 0, 2, 0, 2, 0, 4], ] else: vct2 = x_crack_part1_raw(buf, offset, 0, 1, 1) print vct2 for _ in range(8): buf[offset + _] = vct2[0][_] print('crack_part1 0x18:0x20') offset += 8 vct3 = x_crack_part1_raw(buf, offset, 0, 1, count, strict=True) r = [] for a in range(len(vct3)): v = [_ for _ in buf] for b in range(8): v[offset + b] = vct3[a][b] # print_array(v) r.append(v) return rdef x_gen_sn(k): # char_map36 = 'abcdefghijklmnopqrstuvwxyz0123456789' char_map62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' char_map64 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. ' r0_0 = [] for _ in range(0, len(k), 2): r0_0 = [k[_ + 1] * 6 + k[_], ] + r0_0 v = array_to_int(r0_0, 36) # print_int(v, 36) # print int_to_str(v, char_map36) r0_0 = int_to_array(v, 256) r0_1 = [-1] * 4 r0 = r0_0 + r0_1 v1 = str_to_int('welcome to bbs.pediy.com.'[::-1], char_map64) v2 = str_to_int('Author by Lookhc'[::-1], char_map64) y = (v1 - v2 * 2) / 6 x = y + v2 r1 = int_to_array(x, 256) r2 = int_to_array(y, 256) k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 r0_1 = crack_crc(k[0:len(r0)], k[4 + len(r0):], 0, 0) r0 = r0_0 + r0_1 k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 print int_to_str(array_to_int(k, 256), char_map62) returndef test(): # count = 256 count = 2 ks = x_crack_part1(count, use_cache=True) for _ in range(len(ks)): x_gen_sn(ks[_]) returntest() |
1 2 3 4 5 6 7 8 | .text:00401EF2 cmp eax, 0Ah.text:00401EF5 jge loc_40210F.text:00401EFB test eax, eax.text:00401EFD jnz short loc_401F30....text:004020FF call bn_compare.text:00402104 test eax, eax.text:00402106 jnz loc_4022E9 ; always jmp |
异常处理
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | .text:004022E9 mov eax, [ebp+var_3C] ; must be 0.text:004022EC test eax, eax.text:004022EE jnz short loc_402305.text:004022F0 lea eax, [ebp+var_48].text:004022F3 push offset __TI1H ; throw info for 'int'.text:004022F8 push eax.text:004022F9 mov [ebp+var_48], 1.text:00402300 call __CxxThrowException@8 ; _CxxThrowException(x,x).text:00402367 ; catch(...) // owned by 401EE8.text:00402367 mov dword ptr [ebp-30h], 2.text:0040236E mov eax, offset loc_40211C.text:00402373 retn.text:0040211C mov eax, [ebp-30h].text:0040211F mov [ebp+var_4], 0FFFFFFFFh.text:00402126 cmp eax, 2.text:00402129 jnz loc_402399 |
r1-r2=bn2
2*r1+4*r2=bn1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | .text:00402189 call bn_add....text:004021BB call bn_compare.text:004021CE push 4.text:004021D0 push edx.text:004021D1 call bn_int....text:004021F5 call bn_mul.text:004021FA lea ecx, [ebp+var_1970].text:00402200 push 2.text:00402202 push ecx.text:00402203 call bn_int....text:00402226 call bn_mul.text:0040222B mov ecx, 84h.text:00402230 mov esi, offset g_bn1....text:0040225F call bn_add....text:0040228D call bn_rebase |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 | crc32_table = [ 0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L, 0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L, 0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L, 0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L, 0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL, 0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L, 0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL, 0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL, 0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L, 0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L, 0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L, 0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L, 0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL, 0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L, 0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL, 0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL, 0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L, 0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L, 0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L, 0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L, 0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL, 0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L, 0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL, 0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL, 0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L, 0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L, 0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L, 0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L, 0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL, 0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L, 0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL, 0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL]crc32_table_highest_byte_map = [-1] * 256for i in range(256): crc32_table_highest_byte_map[(crc32_table[i] >> 24) & 0xFF] = idef array_to_int(k, base): v = 0 n = 1 for _ in k: v += n * _ n *= base return vdef int_to_array(v, base): r = [] while v != 0: r.append(v % base) v = v / base return rdef str_to_int(s, char_map): # type:(str,str) -> int r = [] for _ in s: r.append(char_map.find(_)) return array_to_int(r, len(char_map))def int_to_str(v, char_map): # type:(int,str) -> str r = int_to_array(v, len(char_map)) s = '' for _ in r: s = char_map[_] + s return sdef print_array(r): s = '' for _ in r: s += ('%x' % _).zfill(2) + ' ' print s returndef print_int(v, base): r = int_to_array(v, base) print_array(r) returndef array_to_str(k): s = '' for _ in k: s += chr(_) return sdef str_to_array(s): k = [] for _ in s: k.append(ord(s)) return kdef crc32_update(k, crc): for b in k: crc = (crc >> 8) ^ crc32_table[b ^ (crc & 0xFF)] return crcdef get_crc32_update_init_value(k, crc): z = len(k) - 1 while z >= 0: idx = crc32_table_highest_byte_map[(crc >> 24) & 0xFF] crc = ((crc32_table[idx] ^ crc) << 8) | (idx ^ k[z]) z -= 1 return crcdef crc32(k, crc_init=0): crc = crc_init crc = (~crc) & 0xFFFFFFFF crc = crc32_update(k, crc) crc = (~crc) & 0xFFFFFFFF return crcdef crc_RF(x): return crc32_table_highest_byte_map[x]def crc_F(x): return (crc32_table[x] >> 24) & 0xFFdef crc_G(x): return (crc32_table[x] >> 16) & 0xFFdef crc_H(x): return (crc32_table[x] >> 8) & 0xFFdef crc_I(x): return (crc32_table[x] >> 0) & 0xFFdef crack_crc(s_head, s_tail, crc_init, crc_final): crc1 = (~crc_init) & 0xFFFFFFFF crc1 = crc32_update(s_head, crc1) crc2 = (~crc_final) & 0xFFFFFFFF crc2 = get_crc32_update_init_value(s_tail, crc2) # hxxps://bbs.pediy.com/thread-8699.htm W = (crc2 >> 24) & 0xFF X = (crc2 >> 16) & 0xFF Y = (crc2 >> 8) & 0xFF Z = (crc2 >> 0) & 0xFF A = (crc1 >> 24) & 0xFF B = (crc1 >> 16) & 0xFF C = (crc1 >> 8) & 0xFF D = (crc1 >> 0) & 0xFF p = crc_RF(W) o = crc_RF(X ^ crc_G(p)) n = crc_RF(Y ^ crc_G(o) ^ crc_H(p)) m = crc_RF(Z ^ crc_G(n) ^ crc_H(o) ^ crc_I(p)) d = m ^ D c = n ^ C ^ crc_I(m) b = o ^ B ^ crc_H(m) ^ crc_I(n) a = p ^ A ^ crc_G(m) ^ crc_H(n) ^ crc_I(o) return [d, c, b, a]def check_crc_table(): print('xxstart') k3 = [0] * 256 k2 = [0] * 256 k1 = [0] * 256 k0 = [0] * 256 for _ in range(256): k3[(crc32_table[_] >> 24) & 0xFF] += 1 k2[(crc32_table[_] >> 16) & 0xFF] += 1 k1[(crc32_table[_] >> 8) & 0xFF] += 1 k0[(crc32_table[_] >> 0) & 0xFF] += 1 for _ in range(256): if k3[_] != 1: print('k3[%s]=%s' % (_, k3[_])) # if k2[_] != 1: # print('k2[%s]=%s' % (_, k2[_])) # if k1[_] != 1: # print('k1[%s]=%s' % (_, k1[_])) # if k0[_] != 1: # print('k0[%s]=%s' % (_, k0[_])) print('xxend') returndef x_401080(v): if v == 0: return 0 r = 1 while (v & 1) == 0: v >>= 1 r *= 2 if v == 0: return 0 return rdef x_4010A0(buf, bits): a1 = 0 buf_len = (1 << bits) - 1 v_cnt0 = buf_len v_cnt1 = 0 v_cnt2 = 0 _ = 0 for _ in range(buf_len): c = buf[_] v_cnt0_v = x_401080(v_cnt0) v_cnt1_v = x_401080(v_cnt1) v_cnt2_v = x_401080(v_cnt2) _v_cnt0_v = v_cnt0_v if v_cnt0_v != 0 else 100 _v_cnt1_v = v_cnt1_v if v_cnt1_v != 0 else 100 _v_cnt2_v = v_cnt2_v if v_cnt2_v != 0 else 100 if c == 0: if _v_cnt0_v >= _v_cnt1_v: break v_cnt0 -= v_cnt0_v v_cnt1 += v_cnt0_v a1 = v_cnt0_v elif c == 1: if _v_cnt0_v >= _v_cnt2_v: break v_cnt0 -= v_cnt0_v v_cnt2 += v_cnt0_v a1 = v_cnt0_v elif c == 2: if _v_cnt1_v >= _v_cnt0_v: break v_cnt0 += v_cnt1_v v_cnt1 -= v_cnt1_v a1 = v_cnt1_v elif c == 3: if _v_cnt1_v >= _v_cnt2_v: break v_cnt1 -= v_cnt1_v v_cnt2 += v_cnt1_v a1 = v_cnt1_v elif c == 4: if _v_cnt2_v >= _v_cnt0_v: break v_cnt0 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v elif c == 5: if _v_cnt2_v >= _v_cnt1_v: break v_cnt1 += v_cnt2_v v_cnt2 -= v_cnt2_v a1 = v_cnt2_v r = False a0 = v_cnt0 if _ == (buf_len - 1) and a0 == 0 and a1 == 1: r = True return [r, a0, a1]def x_crack_part1_raw(buf, offset, cond0, cond1, vct_max, strict=False): bits = 5 # buf[(1 << bits) - 1] == 0 i7_end = 6 if (offset != 0x18) else 1 vct = [] for i0 in range(6): for i1 in range(6): for i2 in range(6): for i3 in range(6): for i4 in range(6): for i5 in range(6): for i6 in range(6): for i7 in range(i7_end): buf[offset + 0] = i0 buf[offset + 1] = i1 buf[offset + 2] = i2 buf[offset + 3] = i3 buf[offset + 4] = i4 buf[offset + 5] = i5 buf[offset + 6] = i6 buf[offset + 7] = i7 r, a_0, a_1 = x_4010A0(buf, bits) if strict: ok = r else: ok = a_0 <= cond0 and (cond1 < 0 or a_1 <= cond1) if ok: v = [i0, i1, i2, i3, i4, i5, i6, i7] if strict: print('(%s): %s' % (len(vct), v)) vct.append(v) if (vct_max > 0) and (len(vct) >= vct_max): return vct return vctdef x_crack_part1(count, use_cache=True): buf = [0] * 32 print('crack_part1 0:8') offset = 0 if use_cache: vct0 = [[0, 1, 3, 0, 4, 5, 0, 1], ] else: vct0 = x_crack_part1_raw(buf, offset, 0x10, -1, 1) print vct0 for _ in range(8): buf[offset + _] = vct0[0][_] print('crack_part1 8:0x10') offset += 8 if use_cache: vct1 = [[2, 1, 2, 4, 3, 0, 1, 3], ] else: vct1 = x_crack_part1_raw(buf, offset, 0x0F, -1, 1) print vct1 for _ in range(8): buf[offset + _] = vct1[0][_] print('crack_part1 0x10:0x18') offset += 8 if use_cache: vct2 = [[0, 2, 0, 2, 0, 2, 0, 4], ] else: vct2 = x_crack_part1_raw(buf, offset, 0, 1, 1) print vct2 for _ in range(8): buf[offset + _] = vct2[0][_] print('crack_part1 0x18:0x20') offset += 8 vct3 = x_crack_part1_raw(buf, offset, 0, 1, count, strict=True) r = [] for a in range(len(vct3)): v = [_ for _ in buf] for b in range(8): v[offset + b] = vct3[a][b] # print_array(v) r.append(v) return rdef x_gen_sn(k): # char_map36 = 'abcdefghijklmnopqrstuvwxyz0123456789' char_map62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' char_map64 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. ' r0_0 = [] for _ in range(0, len(k), 2): r0_0 = [k[_ + 1] * 6 + k[_], ] + r0_0 v = array_to_int(r0_0, 36) # print_int(v, 36) # print int_to_str(v, char_map36) r0_0 = int_to_array(v, 256) r0_1 = [-1] * 4 r0 = r0_0 + r0_1 v1 = str_to_int('welcome to bbs.pediy.com.'[::-1], char_map64) v2 = str_to_int('Author by Lookhc'[::-1], char_map64) y = (v1 - v2 * 2) / 6 x = y + v2 r1 = int_to_array(x, 256) r2 = int_to_array(y, 256) k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 r0_1 = crack_crc(k[0:len(r0)], k[4 + len(r0):], 0, 0) r0 = r0_0 + r0_1 k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2 print int_to_str(array_to_int(k, 256), char_map62) returndef test(): # count = 256 count = 2 ks = x_crack_part1(count, use_cache=True) for _ in range(len(ks)): x_gen_sn(ks[_]) returntest() |
1 2 3 4 5 6 7 8 | .text:00401EF2 cmp eax, 0Ah.text:00401EF5 jge loc_40210F.text:00401EFB test eax, eax.text:00401EFD jnz short loc_401F30....text:004020FF call bn_compare.text:00402104 test eax, eax.text:00402106 jnz loc_4022E9 ; always jmp |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
|
|
|---|---|
|
|
他的文章
- KCTF2022春季赛 第三题 石像病毒 9066
- KCTF2022春季赛 第二题 末日邀请 16388
- KCTF2021秋季赛 第二题 迷失丛林 19114
- KCTF2020秋季赛 第十题 终焉之战 9145
- KCTF2020秋季赛 第九题 命悬一线 6649
赞赏
雪币:
留言:
