-
-
[原创]看雪.京东 2018CTF 第十二题 破解之道 WriteUp
-
发表于: 2018-7-9 11:01 3585
-
x64的程序。
以上为获取注册码长度的,注册码长度必须等于 0x1E(对应 cmp r8,1E),即 30 个字符;"KXCTF20189NTDLL9DbgUiContinue9" 恰好 30 字节。
000000013FEE61A0 | 48 8B C4 | mov rax,rsp | 000000013FEE61A3 | 55 | push rbp | 000000013FEE61A4 | 57 | push rdi | 000000013FEE61A5 | 41 56 | push r14 | 000000013FEE61A7 | 48 8D 68 A1 | lea rbp,qword ptr ds:[rax-5F] | 000000013FEE61AB | 48 81 EC B0 00 00 00 | sub rsp,B0 | 000000013FEE61B2 | 48 C7 45 1F FE FF FF FF | mov qword ptr ss:[rbp+1F],FFFFFFFFFFFFFFFE | 000000013FEE61BA | 48 89 58 10 | mov qword ptr ds:[rax+10],rbx | 000000013FEE61BE | 48 89 70 20 | mov qword ptr ds:[rax+20],rsi | 000000013FEE61C2 | 83 F9 02 | cmp ecx,2 | 命令行参数 000000013FEE61C5 | 0F 84 23 08 00 00 | je crackme.13FEE69EE | 000000013FEE61CB | 8B 0D 4F 1E 03 00 | mov ecx,dword ptr ds:[13FF18020] | 这里是显示怎么输入flag的 。。。。。。。。。。。。。。。。 000000013FEE69EE | 41 B9 04 01 00 00 | mov r9d,104 | 000000013FEE69F4 | 4C 8B 42 08 | mov r8,qword ptr ds:[rdx+8] | 000000013FEE69F8 | 41 8B D1 | mov edx,r9d | 000000013FEE69FB | 48 8D 0D FE 28 03 00 | lea rcx,qword ptr ds:[13FF19300] | 这里出现注册码 13F739300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013FEE6A02 | E8 55 7B 00 00 | call crackme.13FEEE55C | 000000013FEE6A07 | 48 BA 00 00 00 00 06 00 | movabs rdx,600000000 | 000000013FEE6A11 | 48 8D 4D 77 | lea rcx,qword ptr ss:[rbp+77] | 000000013FEE6A15 | E8 E6 C3 FF FF | call crackme.13FEE2E00 | 正确流程 000000013FEE6A1A | 33 C0 | xor eax,eax | 000000013FEE6A1C | 4C 8D 9C 24 B0 00 00 00 | lea r11,qword ptr ss:[rsp+B0] | 000000013FEE6A24 | 49 8B 5B 28 | mov rbx,qword ptr ds:[r11+28] | 000000013FEE6A28 | 49 8B 73 38 | mov rsi,qword ptr ds:[r11+38] | 000000013FEE6A2C | 49 8B E3 | mov rsp,r11 | 000000013FEE6A2F | 41 5E | pop r14 | 000000013FEE6A31 | 5F | pop rdi | 000000013FEE6A32 | 5D | pop rbp | 000000013FEE6A33 | C3 | ret |
000000013FEE61A0 | 48 8B C4 | mov rax,rsp | 000000013FEE61A3 | 55 | push rbp | 000000013FEE61A4 | 57 | push rdi | 000000013FEE61A5 | 41 56 | push r14 | 000000013FEE61A7 | 48 8D 68 A1 | lea rbp,qword ptr ds:[rax-5F] | 000000013FEE61AB | 48 81 EC B0 00 00 00 | sub rsp,B0 | 000000013FEE61B2 | 48 C7 45 1F FE FF FF FF | mov qword ptr ss:[rbp+1F],FFFFFFFFFFFFFFFE | 000000013FEE61BA | 48 89 58 10 | mov qword ptr ds:[rax+10],rbx | 000000013FEE61BE | 48 89 70 20 | mov qword ptr ds:[rax+20],rsi | 000000013FEE61C2 | 83 F9 02 | cmp ecx,2 | 命令行参数 000000013FEE61C5 | 0F 84 23 08 00 00 | je crackme.13FEE69EE | 000000013FEE61CB | 8B 0D 4F 1E 03 00 | mov ecx,dword ptr ds:[13FF18020] | 这里是显示怎么输入flag的 。。。。。。。。。。。。。。。。 000000013FEE69EE | 41 B9 04 01 00 00 | mov r9d,104 | 000000013FEE69F4 | 4C 8B 42 08 | mov r8,qword ptr ds:[rdx+8] | 000000013FEE69F8 | 41 8B D1 | mov edx,r9d | 000000013FEE69FB | 48 8D 0D FE 28 03 00 | lea rcx,qword ptr ds:[13FF19300] | 这里出现注册码 13F739300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013FEE6A02 | E8 55 7B 00 00 | call crackme.13FEEE55C | 000000013FEE6A07 | 48 BA 00 00 00 00 06 00 | movabs rdx,600000000 | 000000013FEE6A11 | 48 8D 4D 77 | lea rcx,qword ptr ss:[rbp+77] | 000000013FEE6A15 | E8 E6 C3 FF FF | call crackme.13FEE2E00 | 正确流程 000000013FEE6A1A | 33 C0 | xor eax,eax | 000000013FEE6A1C | 4C 8D 9C 24 B0 00 00 00 | lea r11,qword ptr ss:[rsp+B0] | 000000013FEE6A24 | 49 8B 5B 28 | mov rbx,qword ptr ds:[r11+28] | 000000013FEE6A28 | 49 8B 73 38 | mov rsi,qword ptr ds:[r11+38] | 000000013FEE6A2C | 49 8B E3 | mov rsp,r11 | 000000013FEE6A2F | 41 5E | pop r14 | 000000013FEE6A31 | 5F | pop rdi | 000000013FEE6A32 | 5D | pop rbp | 000000013FEE6A33 | C3 | ret |
程序首先判断命令行参数个数(cmp ecx,2 / je):argc 不等于 2 时显示提示:
input like this:crackme.exe mykey
命令行参数个数恰好等于 2(即只给一个 key;这里是 je 而不是 jae,参数多了同样走提示分支)时,以 0x104 为长度上限把 argv[1](r8 = [rdx+8])拷入 0x13FF19300 处的缓冲区作为输入 flag,然后进入 call 0x13fee2e00。
input like this:crackme.exe mykey
命令行参数个数恰好等于 2(即只给一个 key;这里是 je 而不是 jae,参数多了同样走提示分支)时,以 0x104 为长度上限把 argv[1](r8 = [rdx+8])拷入 0x13FF19300 处的缓冲区作为输入 flag,然后进入 call 0x13fee2e00。
X64传参:
//VS X64(Microsoft x64)传参: //前四个整数/指针参数依次用 rcx,rdx,r8,r9(浮点参数按位置对应 xmm0-xmm3),之后的用栈传参;调用方还要在返回地址之上预留 32 字节 shadow space。 //https://www.chinapyg.com/forum.php?mod=viewthread&tid=75685 //GCC X64 (Linux, System V)传参: //前 6 个整数参数按顺序安排到 rdi,rsi,rdx,rcx,r8 和 r9。浮点参数按顺序安排在 xmm0-xmm7。 //剩余的用栈传参
进入主函数之后有大段大段的无效指令,这些指令除了影响流程外,基本没什么用,有用的都是call调用。
//VS X64(Microsoft x64)传参: //前四个整数/指针参数依次用 rcx,rdx,r8,r9(浮点参数按位置对应 xmm0-xmm3),之后的用栈传参;调用方还要在返回地址之上预留 32 字节 shadow space。 //https://www.chinapyg.com/forum.php?mod=viewthread&tid=75685 //GCC X64 (Linux, System V)传参: //前 6 个整数参数按顺序安排到 rdi,rsi,rdx,rcx,r8 和 r9。浮点参数按顺序安排在 xmm0-xmm7。 //剩余的用栈传参
进入主函数之后有大段大段的无效指令,这些指令除了影响流程外,基本没什么用,有用的都是call调用。
000000013F9033A6 | 48 8D 05 53 5F 03 00 | lea rax,qword ptr ds:[13F939300] | 获取注册码 000000013F9033AD | 4D 8B CE | mov r9,r14 | 000000013F9033B0 | 49 FF C1 | inc r9 | 000000013F9033B3 | 46 38 24 08 | cmp byte ptr ds:[rax+r9],r12b | 000000013F9033B7 | 75 F7 | jne crackme.13F9033B0 | 判断是否为空 000000013F9033B9 | 49 8B C1 | mov rax,r9 | 000000013F9033BC | 48 C1 E8 20 | shr rax,20 | 000000013F9033C0 | 41 8B CB | mov ecx,r11d | 000000013F9033C3 | 2B C8 | sub ecx,eax | 000000013F9033C5 | 41 8B D1 | mov edx,r9d | 长度 ......................................... ........................................ 000000013F903458 | 49 83 F8 1E | cmp r8,1E | 000000013F90345C | 74 3D | je crackme.13F90349B |
以上为获取注册码长度的,注册码长度必须等于 0x1E(对应 cmp r8,1E),即 30 个字符;"KXCTF20189NTDLL9DbgUiContinue9" 恰好 30 字节。
000000013F903F2A | 0F B6 05 CF 53 03 00 | movzx eax,byte ptr ds:[13F939300] | 13F939300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F903F31 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903F35 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903F3A | E8 81 EB FF FF | call <crackme.FnvHash> | 000000013F903F3F | 48 B9 EA 33 02 86 4C 06 | movabs rcx,AF64064C860233EA | rcx:L"K+" 000000013F903F49 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903F4C | 74 15 | je crackme.13F903F63 | 000000013F903F4E | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903F58 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F903F5E | E9 CB 01 00 00 | jmp crackme.13F90412E | 000000013F903F63 | 0F B6 05 97 53 03 00 | movzx eax,byte ptr ds:[13F939301] | 13F939301:"XCTF20189NTDLL9DbgUiContinue9" 000000013F903F6A | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903F6E | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903F73 | E8 48 EB FF FF | call <crackme.FnvHash> | 000000013F903F78 | 48 B9 67 4D 02 86 4C 15 | movabs rcx,AF64154C86024D67 | rcx:L"K+" 000000013F903F82 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903F85 | 74 15 | je crackme.13F903F9C | 000000013F903F87 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903F91 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F903F97 | E9 92 01 00 00 | jmp crackme.13F90412E | 000000013F903F9C | 0F B6 05 5F 53 03 00 | movzx eax,byte ptr ds:[13F939302] | 13F939302:"CTF20189NTDLL9DbgUiContinue9" 000000013F903FA3 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903FA7 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903FAC | E8 0F EB FF FF | call <crackme.FnvHash> | 000000013F903FB1 | 48 B9 52 26 02 86 4C FE | movabs rcx,AF63FE4C86022652 | rcx:L"K+" 000000013F903FBB | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903FBE | 74 15 | je crackme.13F903FD5 | 000000013F903FC0 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903FCA | 41 B9 00 3B 39 00 | mov r9d,393B00 | 
000000013F903FD0 | E9 59 01 00 00 | jmp crackme.13F90412E | 000000013F903FD5 | 0F B6 05 27 53 03 00 | movzx eax,byte ptr ds:[13F939303] | 13F939303:"TF20189NTDLL9DbgUiContinue9" 000000013F903FDC | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903FE0 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903FE5 | E8 D6 EA FF FF | call <crackme.FnvHash> | 000000013F903FEA | 48 B9 03 39 02 86 4C 09 | movabs rcx,AF64094C86023903 | rcx:L"K+" 000000013F903FF4 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903FF7 | 74 15 | je crackme.13F90400E | 000000013F903FF9 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F904003 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F904009 | E9 20 01 00 00 | jmp crackme.13F90412E | 000000013F90400E | 0F B6 05 EF 52 03 00 | movzx eax,byte ptr ds:[13F939304] | 13F939304:"F20189NTDLL9DbgUiContinue9" 000000013F904015 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F904019 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F90401E | E8 9D EA FF FF | call <crackme.FnvHash> | 000000013F904023 | 48 B9 39 21 02 86 4C FB | movabs rcx,AF63FB4C86022139 | rcx:L"K+" 000000013F90402D | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F904030 | 74 15 | je crackme.13F904047 | 000000013F904032 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F90403C | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F904042 | E9 E7 00 00 00 | jmp crackme.13F90412E | 000000013F904047 | 0F B6 05 B7 52 03 00 | movzx eax,byte ptr ds:[13F939305] | 13F939305:"20189NTDLL9DbgUiContinue9" 000000013F90404E | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F904052 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F904057 | E8 64 EA FF FF | call <crackme.FnvHash> | 000000013F90405C | 48 B9 15 A0 01 86 4C AF | movabs rcx,AF63AF4C8601A015 | rcx:L"K+" 000000013F904066 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F904069 | 74 15 | je crackme.13F904080 | 000000013F90406B | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 
000000013F904075 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F90407B | E9 AE 00 00 00 | jmp crackme.13F90412E | 000000013F904080 | 0F B6 05 7F 52 03 00 | movzx eax,byte ptr ds:[13F939306] | 13F939306:"0189NTDLL9DbgUiContinue9" 000000013F904087 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F90408B | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F904090 | E8 2B EA FF FF | call <crackme.FnvHash> | 000000013F904095 | 48 B9 AF 9C 01 86 4C AD | movabs rcx,AF63AD4C86019CAF | rcx:L"K+" 000000013F90409F | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F9040A2 | 74 12 | je crackme.13F9040B6 | 000000013F9040A4 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F9040AE | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F9040B4 | EB 78 | jmp crackme.13F90412E | 000000013F9040B6 | 0F B6 05 4A 52 03 00 | movzx eax,byte ptr ds:[13F939307] | 13F939307:"189NTDLL9DbgUiContinue9" 000000013F9040BD | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F9040C1 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F9040C6 | E8 F5 E9 FF FF | call <crackme.FnvHash> | 000000013F9040CB | 48 B9 FC 9A 01 86 4C AC | movabs rcx,AF63AC4C86019AFC | rcx:L"K+" 000000013F9040D5 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F9040D8 | 74 12 | je crackme.13F9040EC | 000000013F9040DA | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F9040E4 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F9040EA | EB 42 | jmp crackme.13F90412E | 000000013F9040EC | 0F B6 05 15 52 03 00 | movzx eax,byte ptr ds:[13F939308] | 13F939308:"89NTDLL9DbgUiContinue9" 000000013F9040F3 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F9040F7 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F9040FC | E8 BF E9 FF FF | call <crackme.FnvHash> | 000000013F904101 | 48 B9 47 AA 01 86 4C B5 | movabs rcx,AF63B54C8601AA47 | rcx:L"K+" 000000013F90410B | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F90410E | 74 12 | je crackme.13F904122 |
这一段是将输入的注册码的前 9 位(偏移 0x00..0x08,共 9 次比较)逐个字符传入同一个 hash 函数,每次只对一个字符计算,然后与硬编码的 64 位常量比较;任一位不匹配就跳到 0x13F90412E 的失败分支。
经过搜索发现是fnvhash,https://blog.csdn.net/u013137970/article/details/79020095
前九位每个字符的 hash 值已知,而且每次只对单个字符做 hash,所以逐位在可打印字符集上爆破即可(总共不过几十次计算)。
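# Per-character targets, in input order, taken from the nine `movabs rcx, ...`
# compares (input offsets 0x00..0x08; the last one sits at 000000013FA34101):
#   0xaf64064c860233ea 0xaf64154c86024d67 0xaf63fe4c86022652 0xaf64094c86023903
#   0xaf63fb4c86022139 0xaf63af4c8601a015 0xaf63ad4c86019caf 0xaf63ac4c86019afc
#   0xAF63B54C8601AA47
resultList = [0xaf64064c860233ea, 0xaf64154c86024d67, 0xaf63fe4c86022652,
              0xaf64094c86023903, 0xaf63fb4c86022139, 0xaf63af4c8601a015,
              0xaf63ad4c86019caf, 0xaf63ac4c86019afc, 0xAF63B54C8601AA47]

# 64-bit FNV-1a parameters exactly as the crackme's hash routine loads them.
FNV64_OFFSET = 0xcbf29ce484222325   # offset basis (initial rax)
FNV64_PRIME = 0x100000001b3         # FNV prime (r8)
MASK64 = 0xffffffffffffffff         # emulate the 64-bit register wrap-around

# Alphabet searched for each of the nine positions.
CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def list_index(myList, value):
    """Return the index of the first element of myList equal to value, or -1."""
    for i, v in enumerate(myList):
        if v == value:
            return i
    return -1


def FnvHash(string_xx):
    """64-bit FNV-1a of the characters of string_xx.

    Mirrors the crackme routine: the byte is xor-ed in *before* the multiply
    (that order is what makes it FNV-1a rather than FNV-1), and the product is
    masked to 64 bits the way the hardware register truncates it.
    """
    rax = FNV64_OFFSET
    for ch in string_xx:
        rax ^= ord(ch)
        rax = (rax * FNV64_PRIME) & MASK64
    return rax


def FnvHash_1(cX):
    """Hash of a single character; the crackme hashes each of the first nine bytes alone."""
    return FnvHash(cX)


def Crake_1():
    """Recover the first nine characters by matching single-character hashes.

    Prints every hit ("index: N Char: c") like the original script, prints the
    assembled list, and returns it; positions that never match keep the '1'
    placeholder so a failed search is visible.
    """
    xStrList = ['1'] * len(resultList)
    for i in CHARSET:
        nIndex = list_index(resultList, FnvHash_1(i))
        if nIndex != -1:
            print("index:", nIndex, "Char:", i)
            xStrList[nIndex] = i
    print(xStrList)
    return xStrList


Crake_1()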
计算结果:
index: 6 Char: 0 index: 7 Char: 1 index: 5 Char: 2 index: 8 Char: 8 index: 2 Char: C index: 4 Char: F index: 0 Char: K index: 3 Char: T index: 1 Char: X ['K', 'X', 'C', 'T', 'F', '2', '0', '1', '8']
接着,程序计算了整个flag的hash值:
000000013F9044C4 | 48 8D 0D 35 4E 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"KXCTF20189NTDLL9DbgUiContinue9", 13F939300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044CB | E8 F0 E5 FF FF | call <crackme.FnvHash> | 全部计算 000000013F9044D0 | 48 B9 FF C0 99 74 58 75 | movabs rcx,4F8075587499C0FF | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044DA | 49 BA CD CC CC CC CC CC | movabs r10,CCCCCCCCCCCCCCCD | 000000013F9044E4 | 48 3B C1 | cmp rax,rcx | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044E7 | 75 0A | jne crackme.13F9044F3 |
fnvhash(input_flag)==0x4f8075587499c0ff
这个很有用,下边再说。
000000013F904F94 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F904F98 | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F904F9F | E8 2C 68 00 00 | call <crackme.maybe_memeset> | memset 000000013F904FA4 | 48 8D 15 8D F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F904FAB | 48 8D 0D 4E 43 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"DbgUiContinue", 13F939300:"KXCTF20189NTDLL9DbgUiContinue" 000000013F904FB2 | E8 21 6E 00 00 | call <crackme.maybe_strstr> | 000000013F904FB7 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F904FBA | 0F B6 40 01 | movzx eax,byte ptr ds:[rax+1] | 000000013F904FBE | 88 85 F0 0A 00 00 | mov byte ptr ss:[rbp+AF0],al | 000000013F904FC4 | 0F B6 43 02 | movzx eax,byte ptr ds:[rbx+2] | rbx+2:"bgUiContinue" 000000013F904FC8 | 88 85 F1 0A 00 00 | mov byte ptr ss:[rbp+AF1],al | 000000013F904FCE | 0F B6 43 03 | movzx eax,byte ptr ds:[rbx+3] | rbx+3:"gUiContinue" 000000013F904FD2 | 88 85 F2 0A 00 00 | mov byte ptr ss:[rbp+AF2],al | 000000013F904FD8 | 0F B6 43 04 | movzx eax,byte ptr ds:[rbx+4] | rbx+4:"UiContinue" 000000013F904FDC | 88 85 F3 0A 00 00 | mov byte ptr ss:[rbp+AF3],al | 000000013F904FE2 | 0F B6 43 05 | movzx eax,byte ptr ds:[rbx+5] | rbx+5:"iContinue" 000000013F904FE6 | 88 85 F4 0A 00 00 | mov byte ptr ss:[rbp+AF4],al | 000000013F904FEC | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F904FF2 | 4C 8D 05 43 F8 01 00 | lea r8,qword ptr ds:[13F92483C] | 13F92483C:".DLL" 000000013F904FF9 | 41 8B D1 | mov edx,r9d | 000000013F904FFC | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F905003 | E8 64 94 00 00 | call <crackme.maybe_strcat_s> | 000000013F905008 | 48 8D 15 29 F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F90500F | 48 8D 4B 01 | lea rcx,qword ptr ds:[rbx+1] | rcx:"DbgUiContinue", rbx+1:"DbgUiContinue" 000000013F905013 | E8 C0 6D 00 00 | call <crackme.maybe_strstr> | 000000013F905018 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F90501B | 48 8D 15 16 F8 01 
00 | lea rdx,qword ptr ds:[13F924838] | 000000013F905022 | 48 8D 48 01 | lea rcx,qword ptr ds:[rax+1] | rcx:"DbgUiContinue" 000000013F905026 | E8 AD 6D 00 00 | call <crackme.maybe_strstr> | 000000013F90502B | C6 00 00 | mov byte ptr ds:[rax],0 | 000000013F90502E | 33 D2 | xor edx,edx | 000000013F905030 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F905034 | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F90503B | E8 90 67 00 00 | call <crackme.maybe_memset> | 000000013F905040 | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F905046 | 4C 8D 43 01 | lea r8,qword ptr ds:[rbx+1] | rbx+1:"DbgUiContinue" 000000013F90504A | 41 8B D1 | mov edx,r9d | 000000013F90504D | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F905054 | E8 03 95 00 00 | call crackme.13F90E55C |
这段是关键。
C语言大概是这样:
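/* Pseudo-C for the strstr / strcat sequence above.  Buffer sizes follow the
 * 0x104 limit the binary passes to the *_s routines, not a 1-byte sketch.
 * Note: none of the strstr() results are NULL-checked -- the binary itself
 * dereferences [rax+1] straight after the call, so an input with fewer than
 * three '9' separators crashes instead of failing cleanly. */
char szBuf[0x104] = {0};                        /* becomes "<5 chars>.DLL" */
char szbuf2[0x104] = {0};                       /* becomes the export name */

char *retString = strstr(input_flag, "9");      /* first '9' separator */
szBuf[0] = retString[1];
szBuf[1] = retString[2];
szBuf[2] = retString[3];
szBuf[3] = retString[4];
szBuf[4] = retString[5];                        /* exactly five name bytes are copied */
strcat_s(szBuf, 0x104, ".DLL");                 /* call labelled maybe_strcat_s; r9 also carries 0x104 */

char *retString1 = strstr(retString + 1, "9");  /* second '9' */
char *retString2 = strstr(retString1 + 1, "9"); /* third '9' */
retString2[0] = '\0';                           /* cut the flag at the third '9' */

/* 13F90E55C is the same routine that copied argv[1] into the flag buffer
 * earlier (rcx=dst, edx=0x104, r8=src, r9d=0x104); presumably a bounded
 * strcpy_s-style copy -- confirm against the callee. */
strcpy_s(szbuf2, 0x104, retString1 + 1);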
经过这一步运算,大概是在buf1中生成了一个dll的名字,buf2中存放了一个字符串。
flag中是用9分割,大概分成3段。第一段KXCTF2018 第二段 dll名,第三段 一个字符串。
整体形式 : KXCTF20189[dll_name]9[unk_string]9
000000013F4F5334 | 65 48 8B 14 25 30 00 00 | mov rdx,qword ptr gs:[30] | 000000013F4F533D | 49 C1 E1 20 | shl r9,20 | 000000013F4F5341 | 8B C1 | mov eax,ecx | ecx:"A_SHAFinal" 000000013F4F5343 | 4C 03 C8 | add r9,rax | 000000013F4F5346 | 48 8B 42 60 | mov rax,qword ptr ds:[rdx+60] | 000000013F4F534A | 48 8B 48 18 | mov rcx,qword ptr ds:[rax+18] | rcx:"A_SHAFinal" 000000013F4F534E | 48 8B 71 10 | mov rsi,qword ptr ds:[rcx+10] | rcx+10:"Init" 000000013F4F5352 | 0F 84 98 00 00 00 | je crackme.13F4F53F0 | 000000013F4F5358 | 0F 1F 84 00 00 00 00 00 | nop dword ptr ds:[rax+rax] | 000000013F4F5360 | 4C 8B 4E 30 | mov r9,qword ptr ds:[rsi+30] | 000000013F4F5364 | 49 63 41 3C | movsxd rax,dword ptr ds:[r9+3C] | 000000013F4F5368 | 42 8B BC 08 88 00 00 00 | mov edi,dword ptr ds:[rax+r9+88] | 000000013F4F5370 | 49 03 F9 | add rdi,r9 | 000000013F4F5373 | 49 3B F9 | cmp rdi,r9 | 000000013F4F5376 | 74 64 | je crackme.13F4F53DC | 000000013F4F5378 | 44 8B C3 | mov r8d,ebx | 000000013F4F537B | 44 8B 5F 18 | mov r11d,dword ptr ds:[rdi+18] | 000000013F4F537F | 45 85 DB | test r11d,r11d | 000000013F4F5382 | 74 58 | je crackme.13F4F53DC | 000000013F4F5384 | 8B 5F 20 | mov ebx,dword ptr ds:[rdi+20] | 000000013F4F5387 | 66 0F 1F 84 00 00 00 00 | nop word ptr ds:[rax+rax] | 000000013F4F5390 | 45 8B D0 | mov r10d,r8d | 000000013F4F5393 | 4A 8D 04 93 | lea rax,qword ptr ds:[rbx+r10*4] | 000000013F4F5397 | 42 8B 0C 08 | mov ecx,dword ptr ds:[rax+r9] | ecx:"A_SHAFinal" 000000013F4F539B | 49 03 C9 | add rcx,r9 | rcx:"A_SHAFinal" 000000013F4F539E | BA C5 9D 1C 81 | mov edx,811C9DC5 | 000000013F4F53A3 | 0F B6 01 | movzx eax,byte ptr ds:[rcx] | rcx:"A_SHAFinal" 000000013F4F53A6 | 84 C0 | test al,al | 000000013F4F53A8 | 74 28 | je crackme.13F4F53D2 | 000000013F4F53AA | 66 0F 1F 44 00 00 | nop word ptr ds:[rax+rax] | 000000013F4F53B0 | 0F BE C0 | movsx eax,al | 000000013F4F53B3 | 33 C2 | xor eax,edx | 000000013F4F53B5 | 69 D0 93 01 00 01 | imul edx,eax,1000193 | 000000013F4F53BB | 48 8D 49 01 | lea 
rcx,qword ptr ds:[rcx+1] | rcx:"A_SHAFinal", rcx+1:"_SHAFinal" 000000013F4F53BF | 0F B6 01 | movzx eax,byte ptr ds:[rcx] | rcx:"A_SHAFinal" 000000013F4F53C2 | 84 C0 | test al,al | 000000013F4F53C4 | 75 EA | jne crackme.13F4F53B0 | 查找函数 000000013F4F53C6 | 81 FA 0F 07 B2 53 | cmp edx,53B2070F | 000000013F4F53CC | 0F 84 9B 00 00 00 | je crackme.13F4F546D | 000000013F4F53D2 | 41 FF C0 | inc r8d | 000000013F4F53D5 | 45 3B C3 | cmp r8d,r11d | 000000013F4F53D8 | 72 B6 | jb crackme.13F4F5390 | 000000013F4F53DA | 33 DB | xor ebx,ebx | 000000013F4F53DC | 48 8B 36 | mov rsi,qword ptr ds:[rsi] | 000000013F4F53DF | E9 7C FF FF FF | jmp crackme.13F4F5360 |
通过 gs:[30](TEB)→ [+60](PEB)→ [+18](Ldr)→ [+10](InLoadOrderModuleList)遍历当前进程已加载的模块,取每个模块的 DllBase([rsi+30]),经 e_lfanew([r9+3C])找到 PE 头里的导出表(DataDirectory[0],偏移 0x88),再按 NumberOfNames([rdi+18])/AddressOfNames([rdi+20])逐个导出函数名计算 32 位 FNV-1a(初值 0x811C9DC5,素数 0x1000193,注意与前面 64 位的那个不同),查找等于 0x53b2070f 的 API。调试器在下面的 call rdx 处解析为 LoadLibraryA,且调用前只准备了 rcx 一个参数,与单参数的 LoadLibraryA 吻合。
000000013F4F546D | 8B 47 24 | mov eax,dword ptr ds:[rdi+24] | 000000013F4F5470 | 49 03 C1 | add rax,r9 | 000000013F4F5473 | 8B 4F 1C | mov ecx,dword ptr ds:[rdi+1C] | ecx:"NTDLL.DLL" 000000013F4F5476 | 42 0F B7 04 50 | movzx eax,word ptr ds:[rax+r10*2] | 000000013F4F547B | 49 03 C9 | add rcx,r9 | rcx:"NTDLL.DLL" 000000013F4F547E | 8B 14 81 | mov edx,dword ptr ds:[rcx+rax*4] | 000000013F4F5481 | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F4F5488 | 49 03 D1 | add rdx,r9 | 000000013F4F548B | FF D2 | call rdx | rdx:LoadLibraryA
接着就用找到的 LoadLibraryA 加载之前 buf1 中拼出的 dll 名(buf1 作为唯一参数 rcx 传入)。
根据上边的信息以及这里的信息。
dll 名字长度正好是 5 个字符(上面逐字节只拷了 retString[1..5])。拼接的 ".DLL" 是大写,dll 名字多半也是大写。5 个字符的系统 dll 名,很可能是 NTDLL。注意 LoadLibrary 对文件名大小写不敏感,但后面对整个 flag 的 64 位 hash 校验是大小写敏感的,所以最终大小写要由整体 hash 校验来确认。
000000013F4F5497 | 65 48 8B 04 25 30 00 00 | mov rax,qword ptr gs:[30] | 000000013F4F54A0 | 48 8B 48 60 | mov rcx,qword ptr ds:[rax+60] | 000000013F4F54A4 | 48 8B 41 18 | mov rax,qword ptr ds:[rcx+18] | 000000013F4F54A8 | 48 8B 70 10 | mov rsi,qword ptr ds:[rax+10] | 000000013F4F54AC | 45 33 F6 | xor r14d,r14d | 000000013F4F54AF | 90 | nop | 000000013F4F54B0 | 4C 8B 4E 30 | mov r9,qword ptr ds:[rsi+30] | 000000013F4F54B4 | 49 63 41 3C | movsxd rax,dword ptr ds:[r9+3C] | 000000013F4F54B8 | 42 8B BC 08 88 00 00 00 | mov edi,dword ptr ds:[rax+r9+88] | 000000013F4F54C0 | 49 03 F9 | add rdi,r9 | 000000013F4F54C3 | 49 3B F9 | cmp rdi,r9 | 000000013F4F54C6 | 74 5E | je crackme.13F4F5526 | 000000013F4F54C8 | 45 8B C6 | mov r8d,r14d | 000000013F4F54CB | 44 8B 5F 18 | mov r11d,dword ptr ds:[rdi+18] | 000000013F4F54CF | 45 85 DB | test r11d,r11d | 000000013F4F54D2 | 74 52 | je crackme.13F4F5526 | 000000013F4F54D4 | 8B 5F 20 | mov ebx,dword ptr ds:[rdi+20] | 000000013F4F54D7 | 66 0F 1F 84 00 00 00 00 | nop word ptr ds:[rax+rax] | 000000013F4F54E0 | 45 8B D0 | mov r10d,r8d | 000000013F4F54E3 | 4A 8D 04 93 | lea rax,qword ptr ds:[rbx+r10*4] | 000000013F4F54E7 | 42 8B 0C 08 | mov ecx,dword ptr ds:[rax+r9] | 000000013F4F54EB | 49 03 C9 | add rcx,r9 | 000000013F4F54EE | BA C5 9D 1C 81 | mov edx,811C9DC5 | 000000013F4F54F3 | 0F B6 01 | movzx eax,byte ptr ds:[rcx] | 000000013F4F54F6 | 84 C0 | test al,al | 000000013F4F54F8 | 74 24 | je crackme.13F4F551E | 000000013F4F54FA | 66 0F 1F 44 00 00 | nop word ptr ds:[rax+rax] | 000000013F4F5500 | 0F BE C0 | movsx eax,al | 000000013F4F5503 | 33 C2 | xor eax,edx | 000000013F4F5505 | 69 D0 93 01 00 01 | imul edx,eax,1000193 | 000000013F4F550B | 48 8D 49 01 | lea rcx,qword ptr ds:[rcx+1] | 000000013F4F550F | 0F B6 01 | movzx eax,byte ptr ds:[rcx] | 000000013F4F5512 | 84 C0 | test al,al | 000000013F4F5514 | 75 EA | jne crackme.13F4F5500 | 000000013F4F5516 | 81 FA 25 57 F4 F8 | cmp edx,F8F45725 | 000000013F4F551C | 74 0D | je crackme.13F4F552B | 
000000013F4F551E | 41 FF C0 | inc r8d | 000000013F4F5521 | 45 3B C3 | cmp r8d,r11d | 000000013F4F5524 | 72 BA | jb crackme.13F4F54E0 | 000000013F4F5526 | 48 8B 36 | mov rsi,qword ptr ds:[rsi] | 000000013F4F5529 | EB 85 | jmp crackme.13F4F54B0 |
故技重施(同样遍历导出表、32 位 FNV-1a,这次比较的是 0xF8F45725),按调试器的解析结果找到的是 GetProcAddress(下面 call r8 处标注 r8:GetProcAddress;传参 rcx=r13 为模块句柄,rdx 为第二个 buf 里的函数名,也与 GetProcAddress(hModule, lpProcName) 吻合)。
000000013F4F552B | 8B 4F 1C | mov ecx,dword ptr ds:[rdi+1C] | 000000013F4F552E | 49 03 C9 | add rcx,r9 | 000000013F4F5531 | 8B 47 24 | mov eax,dword ptr ds:[rdi+24] | 000000013F4F5534 | 49 03 C1 | add rax,r9 | 000000013F4F5537 | 42 0F B7 04 50 | movzx eax,word ptr ds:[rax+r10*2] | 000000013F4F553C | 44 8B 04 81 | mov r8d,dword ptr ds:[rcx+rax*4] | 000000013F4F5540 | 4D 03 C1 | add r8,r9 | 000000013F4F5543 | 48 8D 95 00 0C 00 00 | lea rdx,qword ptr ss:[rbp+C00] | 第二个buf中的函数 000000013F4F554A | 49 8B CD | mov rcx,r13 | 000000013F4F554D | 41 FF D0 | call r8 | r8:GetProcAddress
这一段结合上边的就是
GetProcAddress(LoadLibraryA(strcat(dll_name, ".DLL")), unk_string);(调试器对两次间接调用的标注分别是 LoadLibraryA 和 GetProcAddress;LoadLibrary 一侧只准备了 rcx 一个参数,与单参数的 LoadLibraryA 吻合。)
紧接着检测获取到的函数指针不为空的话就直接调用了。
由以上信息可知,这个函数在NTDLL中,函数名未知。
又知道整个 flag 的 hash 值。直接把 ntdll.dll 的导出函数名全部导出(例如 dumpbin /exports ntdll.dll,每行一个名字存成 api.txt),按 "KXCTF20189NTDLL9" + 函数名 + "9" 的格式遍历爆破就可以了;导出名区分大小写,原样使用即可。
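def Crack(path="api.txt", target=0x4f8075587499c0ff, prefix="KXCTF20189NTDLL9", suffix="9"):
    """Brute-force the third flag segment against the whole-flag FNV-1a check.

    path   -- text file with one exported ntdll function name per line
    target -- 64-bit value the crackme compares the full input against
              (movabs rcx,4F8075587499C0FF)
    prefix -- the two segments already recovered, including their '9' separators
    suffix -- the trailing '9' that closes the third segment

    Prints and returns the first candidate whose FnvHash() equals target, or
    None when the list is exhausted.  Uses FnvHash() from the earlier script.
    """
    with open(path) as api_file:            # closed even if FnvHash() raises
        for line in api_file:
            api = line.strip()
            if not api:                     # skip blank lines in the export dump
                continue
            candidate = prefix + api + suffix
            if FnvHash(candidate) == target:
                print(candidate)
                return candidate            # no interactive pause; usable when piped
    return None


Crack()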
完整脚本见附件。
000000013F9033A6 | 48 8D 05 53 5F 03 00 | lea rax,qword ptr ds:[13F939300] | 获取注册码 000000013F9033AD | 4D 8B CE | mov r9,r14 | 000000013F9033B0 | 49 FF C1 | inc r9 | 000000013F9033B3 | 46 38 24 08 | cmp byte ptr ds:[rax+r9],r12b | 000000013F9033B7 | 75 F7 | jne crackme.13F9033B0 | 判断是否为空 000000013F9033B9 | 49 8B C1 | mov rax,r9 | 000000013F9033BC | 48 C1 E8 20 | shr rax,20 | 000000013F9033C0 | 41 8B CB | mov ecx,r11d | 000000013F9033C3 | 2B C8 | sub ecx,eax | 000000013F9033C5 | 41 8B D1 | mov edx,r9d | 长度 ......................................... ........................................ 000000013F903458 | 49 83 F8 1E | cmp r8,1E | 000000013F90345C | 74 3D | je crackme.13F90349B |
000000013F903F2A | 0F B6 05 CF 53 03 00 | movzx eax,byte ptr ds:[13F939300] | 13F939300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F903F31 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903F35 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903F3A | E8 81 EB FF FF | call <crackme.FnvHash> | 000000013F903F3F | 48 B9 EA 33 02 86 4C 06 | movabs rcx,AF64064C860233EA | rcx:L"K+" 000000013F903F49 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903F4C | 74 15 | je crackme.13F903F63 | 000000013F903F4E | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903F58 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F903F5E | E9 CB 01 00 00 | jmp crackme.13F90412E | 000000013F903F63 | 0F B6 05 97 53 03 00 | movzx eax,byte ptr ds:[13F939301] | 13F939301:"XCTF20189NTDLL9DbgUiContinue9" 000000013F903F6A | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903F6E | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903F73 | E8 48 EB FF FF | call <crackme.FnvHash> | 000000013F903F78 | 48 B9 67 4D 02 86 4C 15 | movabs rcx,AF64154C86024D67 | rcx:L"K+" 000000013F903F82 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903F85 | 74 15 | je crackme.13F903F9C | 000000013F903F87 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903F91 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F903F97 | E9 92 01 00 00 | jmp crackme.13F90412E | 000000013F903F9C | 0F B6 05 5F 53 03 00 | movzx eax,byte ptr ds:[13F939302] | 13F939302:"CTF20189NTDLL9DbgUiContinue9" 000000013F903FA3 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903FA7 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903FAC | E8 0F EB FF FF | call <crackme.FnvHash> | 000000013F903FB1 | 48 B9 52 26 02 86 4C FE | movabs rcx,AF63FE4C86022652 | rcx:L"K+" 000000013F903FBB | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903FBE | 74 15 | je crackme.13F903FD5 | 000000013F903FC0 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F903FCA | 41 B9 00 3B 39 00 | mov r9d,393B00 | 
000000013F903FD0 | E9 59 01 00 00 | jmp crackme.13F90412E | 000000013F903FD5 | 0F B6 05 27 53 03 00 | movzx eax,byte ptr ds:[13F939303] | 13F939303:"TF20189NTDLL9DbgUiContinue9" 000000013F903FDC | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F903FE0 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F903FE5 | E8 D6 EA FF FF | call <crackme.FnvHash> | 000000013F903FEA | 48 B9 03 39 02 86 4C 09 | movabs rcx,AF64094C86023903 | rcx:L"K+" 000000013F903FF4 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F903FF7 | 74 15 | je crackme.13F90400E | 000000013F903FF9 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F904003 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F904009 | E9 20 01 00 00 | jmp crackme.13F90412E | 000000013F90400E | 0F B6 05 EF 52 03 00 | movzx eax,byte ptr ds:[13F939304] | 13F939304:"F20189NTDLL9DbgUiContinue9" 000000013F904015 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F904019 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F90401E | E8 9D EA FF FF | call <crackme.FnvHash> | 000000013F904023 | 48 B9 39 21 02 86 4C FB | movabs rcx,AF63FB4C86022139 | rcx:L"K+" 000000013F90402D | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F904030 | 74 15 | je crackme.13F904047 | 000000013F904032 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F90403C | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F904042 | E9 E7 00 00 00 | jmp crackme.13F90412E | 000000013F904047 | 0F B6 05 B7 52 03 00 | movzx eax,byte ptr ds:[13F939305] | 13F939305:"20189NTDLL9DbgUiContinue9" 000000013F90404E | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F904052 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F904057 | E8 64 EA FF FF | call <crackme.FnvHash> | 000000013F90405C | 48 B9 15 A0 01 86 4C AF | movabs rcx,AF63AF4C8601A015 | rcx:L"K+" 000000013F904066 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F904069 | 74 15 | je crackme.13F904080 | 000000013F90406B | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 
000000013F904075 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F90407B | E9 AE 00 00 00 | jmp crackme.13F90412E | 000000013F904080 | 0F B6 05 7F 52 03 00 | movzx eax,byte ptr ds:[13F939306] | 13F939306:"0189NTDLL9DbgUiContinue9" 000000013F904087 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F90408B | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F904090 | E8 2B EA FF FF | call <crackme.FnvHash> | 000000013F904095 | 48 B9 AF 9C 01 86 4C AD | movabs rcx,AF63AD4C86019CAF | rcx:L"K+" 000000013F90409F | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F9040A2 | 74 12 | je crackme.13F9040B6 | 000000013F9040A4 | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F9040AE | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F9040B4 | EB 78 | jmp crackme.13F90412E | 000000013F9040B6 | 0F B6 05 4A 52 03 00 | movzx eax,byte ptr ds:[13F939307] | 13F939307:"189NTDLL9DbgUiContinue9" 000000013F9040BD | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F9040C1 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F9040C6 | E8 F5 E9 FF FF | call <crackme.FnvHash> | 000000013F9040CB | 48 B9 FC 9A 01 86 4C AC | movabs rcx,AF63AC4C86019AFC | rcx:L"K+" 000000013F9040D5 | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F9040D8 | 74 12 | je crackme.13F9040EC | 000000013F9040DA | 48 B8 00 00 00 00 01 00 | movabs rax,100000000 | 000000013F9040E4 | 41 B9 00 3B 39 00 | mov r9d,393B00 | 000000013F9040EA | EB 42 | jmp crackme.13F90412E | 000000013F9040EC | 0F B6 05 15 52 03 00 | movzx eax,byte ptr ds:[13F939308] | 13F939308:"89NTDLL9DbgUiContinue9" 000000013F9040F3 | 88 44 24 20 | mov byte ptr ss:[rsp+20],al | 000000013F9040F7 | 48 8D 4C 24 20 | lea rcx,qword ptr ss:[rsp+20] | 000000013F9040FC | E8 BF E9 FF FF | call <crackme.FnvHash> | 000000013F904101 | 48 B9 47 AA 01 86 4C B5 | movabs rcx,AF63B54C8601AA47 | rcx:L"K+" 000000013F90410B | 48 3B C1 | cmp rax,rcx | rcx:L"K+" 000000013F90410E | 74 12 | je crackme.13F904122 |
这一段是将输入的注册码的前 9 位(偏移 0x00..0x08,共 9 次比较)逐个字符传入同一个 hash 函数,每次只对一个字符计算,然后与硬编码的 64 位常量比较;任一位不匹配就跳到 0x13F90412E 的失败分支。
经过搜索发现是fnvhash,https://blog.csdn.net/u013137970/article/details/79020095
前九位每个字符的 hash 值已知,而且每次只对单个字符做 hash,所以逐位在可打印字符集上爆破即可(总共不过几十次计算)。
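# Per-character targets, in input order, taken from the nine `movabs rcx, ...`
# compares (input offsets 0x00..0x08; the last one sits at 000000013FA34101):
#   0xaf64064c860233ea 0xaf64154c86024d67 0xaf63fe4c86022652 0xaf64094c86023903
#   0xaf63fb4c86022139 0xaf63af4c8601a015 0xaf63ad4c86019caf 0xaf63ac4c86019afc
#   0xAF63B54C8601AA47
resultList = [0xaf64064c860233ea, 0xaf64154c86024d67, 0xaf63fe4c86022652,
              0xaf64094c86023903, 0xaf63fb4c86022139, 0xaf63af4c8601a015,
              0xaf63ad4c86019caf, 0xaf63ac4c86019afc, 0xAF63B54C8601AA47]

# 64-bit FNV-1a parameters exactly as the crackme's hash routine loads them.
FNV64_OFFSET = 0xcbf29ce484222325   # offset basis (initial rax)
FNV64_PRIME = 0x100000001b3         # FNV prime (r8)
MASK64 = 0xffffffffffffffff         # emulate the 64-bit register wrap-around

# Alphabet searched for each of the nine positions.
CHARSET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def list_index(myList, value):
    """Return the index of the first element of myList equal to value, or -1."""
    for i, v in enumerate(myList):
        if v == value:
            return i
    return -1


def FnvHash(string_xx):
    """64-bit FNV-1a of the characters of string_xx.

    Mirrors the crackme routine: the byte is xor-ed in *before* the multiply
    (that order is what makes it FNV-1a rather than FNV-1), and the product is
    masked to 64 bits the way the hardware register truncates it.
    """
    rax = FNV64_OFFSET
    for ch in string_xx:
        rax ^= ord(ch)
        rax = (rax * FNV64_PRIME) & MASK64
    return rax


def FnvHash_1(cX):
    """Hash of a single character; the crackme hashes each of the first nine bytes alone."""
    return FnvHash(cX)


def Crake_1():
    """Recover the first nine characters by matching single-character hashes.

    Prints every hit ("index: N Char: c") like the original script, prints the
    assembled list, and returns it; positions that never match keep the '1'
    placeholder so a failed search is visible.
    """
    xStrList = ['1'] * len(resultList)
    for i in CHARSET:
        nIndex = list_index(resultList, FnvHash_1(i))
        if nIndex != -1:
            print("index:", nIndex, "Char:", i)
            xStrList[nIndex] = i
    print(xStrList)
    return xStrList


Crake_1()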
计算结果:
# Per-position target hashes taken from the movabs rcx,<imm64> compares:
#movabs rcx, 0xaf64064c860233ea
##movabs rcx, 0xaf64154c86024d67
##movabs rcx, 0xaf63fe4c86022652
##movabs rcx, 0xaf64094c86023903
##movabs rcx, 0xaf63fb4c86022139
##movabs rcx, 0xaf63af4c8601a015
##movabs rcx, 0xaf63ad4c86019caf
##movabs rcx, 0xaf63ac4c86019afc
##000000013FA34101 movabs rcx,AF63B54C8601AA47
resultList = [
    0xaf64064c860233ea,
    0xaf64154c86024d67,
    0xaf63fe4c86022652,
    0xaf64094c86023903,
    0xaf63fb4c86022139,
    0xaf63af4c8601a015,
    0xaf63ad4c86019caf,
    0xaf63ac4c86019afc,
    0xAF63B54C8601AA47,
]


def list_index(myList, value):
    """Index of the first occurrence of value in myList, or -1 when it is not present."""
    position = -1
    for idx, item in enumerate(myList):
        if item == value:
            position = idx
            break
    return position


def FnvHash_1(cX):
    """64-bit FNV-1a of exactly one character cX."""
    h = 0xcbf29ce484222325 ^ ord(cX)
    return (h * 0x100000001b3) & 0xffffffffffffffff


def FnvHash(string_xx):
    """64-bit FNV-1a of every character of string_xx, in order (same scheme as crackme.FnvHash)."""
    basis, prime, mask = 0xcbf29ce484222325, 0x100000001b3, 0xffffffffffffffff
    h = basis
    for ch in string_xx:
        h ^= ord(ch)
        h = (h * prime) & mask
    return h


def Crake_1():
    """Brute-force the nine independently hashed flag positions.

    Every alphanumeric candidate is hashed once; a candidate whose hash appears
    in resultList is printed and written to that position.  Finally the list is printed.
    """
    alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    xStrList = ['1'] * 9
    hits = ((list_index(resultList, FnvHash_1(c)), c) for c in alphabet)
    for nIndex, c in hits:
        if nIndex == -1:
            continue
        print("index: %d Char: %s" % (nIndex, c))
        xStrList[nIndex] = c
    print(xStrList)


Crake_1()
计算结果:
index: 6 Char: 0 index: 7 Char: 1 index: 5 Char: 2 index: 8 Char: 8 index: 2 Char: C index: 4 Char: F index: 0 Char: K index: 3 Char: T index: 1 Char: X ['K', 'X', 'C', 'T', 'F', '2', '0', '1', '8']
index: 6 Char: 0 index: 7 Char: 1 index: 5 Char: 2 index: 8 Char: 8 index: 2 Char: C index: 4 Char: F index: 0 Char: K index: 3 Char: T index: 1 Char: X ['K', 'X', 'C', 'T', 'F', '2', '0', '1', '8']
接着,程序计算了整个flag的hash值:
000000013F9044C4 | 48 8D 0D 35 4E 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"KXCTF20189NTDLL9DbgUiContinue9", 13F939300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044CB | E8 F0 E5 FF FF | call <crackme.FnvHash> | 全部计算 000000013F9044D0 | 48 B9 FF C0 99 74 58 75 | movabs rcx,4F8075587499C0FF | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044DA | 49 BA CD CC CC CC CC CC | movabs r10,CCCCCCCCCCCCCCCD | 000000013F9044E4 | 48 3B C1 | cmp rax,rcx | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044E7 | 75 0A | jne crackme.13F9044F3 |
fnvhash(input_flag)==0x4f8075587499c0ff
000000013F9044C4 | 48 8D 0D 35 4E 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"KXCTF20189NTDLL9DbgUiContinue9", 13F939300:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044CB | E8 F0 E5 FF FF | call <crackme.FnvHash> | 全部计算 000000013F9044D0 | 48 B9 FF C0 99 74 58 75 | movabs rcx,4F8075587499C0FF | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044DA | 49 BA CD CC CC CC CC CC | movabs r10,CCCCCCCCCCCCCCCD | 000000013F9044E4 | 48 3B C1 | cmp rax,rcx | rcx:"KXCTF20189NTDLL9DbgUiContinue9" 000000013F9044E7 | 75 0A | jne crackme.13F9044F3 |
fnvhash(input_flag)==0x4f8075587499c0ff
这个很有用,下边再说。
000000013F904F94 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F904F98 | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F904F9F | E8 2C 68 00 00 | call <crackme.maybe_memeset> | memset 000000013F904FA4 | 48 8D 15 8D F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F904FAB | 48 8D 0D 4E 43 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"DbgUiContinue", 13F939300:"KXCTF20189NTDLL9DbgUiContinue" 000000013F904FB2 | E8 21 6E 00 00 | call <crackme.maybe_strstr> | 000000013F904FB7 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F904FBA | 0F B6 40 01 | movzx eax,byte ptr ds:[rax+1] | 000000013F904FBE | 88 85 F0 0A 00 00 | mov byte ptr ss:[rbp+AF0],al | 000000013F904FC4 | 0F B6 43 02 | movzx eax,byte ptr ds:[rbx+2] | rbx+2:"bgUiContinue" 000000013F904FC8 | 88 85 F1 0A 00 00 | mov byte ptr ss:[rbp+AF1],al | 000000013F904FCE | 0F B6 43 03 | movzx eax,byte ptr ds:[rbx+3] | rbx+3:"gUiContinue" 000000013F904FD2 | 88 85 F2 0A 00 00 | mov byte ptr ss:[rbp+AF2],al | 000000013F904FD8 | 0F B6 43 04 | movzx eax,byte ptr ds:[rbx+4] | rbx+4:"UiContinue" 000000013F904FDC | 88 85 F3 0A 00 00 | mov byte ptr ss:[rbp+AF3],al | 000000013F904FE2 | 0F B6 43 05 | movzx eax,byte ptr ds:[rbx+5] | rbx+5:"iContinue" 000000013F904FE6 | 88 85 F4 0A 00 00 | mov byte ptr ss:[rbp+AF4],al | 000000013F904FEC | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F904FF2 | 4C 8D 05 43 F8 01 00 | lea r8,qword ptr ds:[13F92483C] | 13F92483C:".DLL" 000000013F904FF9 | 41 8B D1 | mov edx,r9d | 000000013F904FFC | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F905003 | E8 64 94 00 00 | call <crackme.maybe_strcat_s> | 000000013F905008 | 48 8D 15 29 F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F90500F | 48 8D 4B 01 | lea rcx,qword ptr ds:[rbx+1] | rcx:"DbgUiContinue", rbx+1:"DbgUiContinue" 000000013F905013 | E8 C0 6D 00 00 | call <crackme.maybe_strstr> | 000000013F905018 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F90501B | 48 8D 15 16 F8 01 
00 | lea rdx,qword ptr ds:[13F924838] | 000000013F905022 | 48 8D 48 01 | lea rcx,qword ptr ds:[rax+1] | rcx:"DbgUiContinue" 000000013F905026 | E8 AD 6D 00 00 | call <crackme.maybe_strstr> | 000000013F90502B | C6 00 00 | mov byte ptr ds:[rax],0 | 000000013F90502E | 33 D2 | xor edx,edx | 000000013F905030 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F905034 | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F90503B | E8 90 67 00 00 | call <crackme.maybe_memset> | 000000013F905040 | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F905046 | 4C 8D 43 01 | lea r8,qword ptr ds:[rbx+1] | rbx+1:"DbgUiContinue" 000000013F90504A | 41 8B D1 | mov edx,r9d | 000000013F90504D | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F905054 | E8 03 95 00 00 | call crackme.13F90E55C |
000000013F904F94 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F904F98 | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F904F9F | E8 2C 68 00 00 | call <crackme.maybe_memeset> | memset 000000013F904FA4 | 48 8D 15 8D F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F904FAB | 48 8D 0D 4E 43 03 00 | lea rcx,qword ptr ds:[13F939300] | rcx:"DbgUiContinue", 13F939300:"KXCTF20189NTDLL9DbgUiContinue" 000000013F904FB2 | E8 21 6E 00 00 | call <crackme.maybe_strstr> | 000000013F904FB7 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F904FBA | 0F B6 40 01 | movzx eax,byte ptr ds:[rax+1] | 000000013F904FBE | 88 85 F0 0A 00 00 | mov byte ptr ss:[rbp+AF0],al | 000000013F904FC4 | 0F B6 43 02 | movzx eax,byte ptr ds:[rbx+2] | rbx+2:"bgUiContinue" 000000013F904FC8 | 88 85 F1 0A 00 00 | mov byte ptr ss:[rbp+AF1],al | 000000013F904FCE | 0F B6 43 03 | movzx eax,byte ptr ds:[rbx+3] | rbx+3:"gUiContinue" 000000013F904FD2 | 88 85 F2 0A 00 00 | mov byte ptr ss:[rbp+AF2],al | 000000013F904FD8 | 0F B6 43 04 | movzx eax,byte ptr ds:[rbx+4] | rbx+4:"UiContinue" 000000013F904FDC | 88 85 F3 0A 00 00 | mov byte ptr ss:[rbp+AF3],al | 000000013F904FE2 | 0F B6 43 05 | movzx eax,byte ptr ds:[rbx+5] | rbx+5:"iContinue" 000000013F904FE6 | 88 85 F4 0A 00 00 | mov byte ptr ss:[rbp+AF4],al | 000000013F904FEC | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F904FF2 | 4C 8D 05 43 F8 01 00 | lea r8,qword ptr ds:[13F92483C] | 13F92483C:".DLL" 000000013F904FF9 | 41 8B D1 | mov edx,r9d | 000000013F904FFC | 48 8D 8D F0 0A 00 00 | lea rcx,qword ptr ss:[rbp+AF0] | 000000013F905003 | E8 64 94 00 00 | call <crackme.maybe_strcat_s> | 000000013F905008 | 48 8D 15 29 F8 01 00 | lea rdx,qword ptr ds:[13F924838] | 000000013F90500F | 48 8D 4B 01 | lea rcx,qword ptr ds:[rbx+1] | rcx:"DbgUiContinue", rbx+1:"DbgUiContinue" 000000013F905013 | E8 C0 6D 00 00 | call <crackme.maybe_strstr> | 000000013F905018 | 48 8B D8 | mov rbx,rax | rbx:"9DbgUiContinue" 000000013F90501B | 48 8D 15 16 F8 01 
00 | lea rdx,qword ptr ds:[13F924838] | 000000013F905022 | 48 8D 48 01 | lea rcx,qword ptr ds:[rax+1] | rcx:"DbgUiContinue" 000000013F905026 | E8 AD 6D 00 00 | call <crackme.maybe_strstr> | 000000013F90502B | C6 00 00 | mov byte ptr ds:[rax],0 | 000000013F90502E | 33 D2 | xor edx,edx | 000000013F905030 | 44 8D 47 04 | lea r8d,dword ptr ds:[rdi+4] | 000000013F905034 | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F90503B | E8 90 67 00 00 | call <crackme.maybe_memset> | 000000013F905040 | 41 B9 04 01 00 00 | mov r9d,104 | 000000013F905046 | 4C 8D 43 01 | lea r8,qword ptr ds:[rbx+1] | rbx+1:"DbgUiContinue" 000000013F90504A | 41 8B D1 | mov edx,r9d | 000000013F90504D | 48 8D 8D 00 0C 00 00 | lea rcx,qword ptr ss:[rbp+C00] | 000000013F905054 | E8 03 95 00 00 | call crackme.13F90E55C |
这段是关键。
C语言大概是这样:
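/* Buffer size the binary passes to its strcat_s / strncpy_s-style calls
   (r9d / edx = 0x104 in the dump above). */
#define FLAG_BUF_SIZE 0x104

/*
 * split_flag — rough C for the crackme block at 13F904F94..13F905054.
 *
 * The flag is split on its '9' separators, "<prefix>9<name>9<export>9":
 *   dll_name  <- the five characters after the first '9', then ".DLL"
 *                (local buffer at rbp+0xAF0 in the binary);
 *   func_name <- the text between the second and third '9'
 *                (local buffer at rbp+0xC00; the binary's copy is called with
 *                (dst, 0x104, src, 0x104), presumably a strncpy_s-style routine).
 * input_flag is modified in place: the third '9' is overwritten with '\0',
 * exactly as the binary does.
 *
 * The binary never checks its strstr results, so a flag with fewer than three
 * '9' characters dereferences NULL there (a crash rather than a "wrong flag"
 * path).  This sketch validates all three separators first and returns -1,
 * leaving input_flag untouched and both buffers zeroed.
 *
 * Returns 0 on success, -1 when a separator is missing.
 * dll_name and func_name must each hold FLAG_BUF_SIZE bytes.
 */
int split_flag(char *input_flag, char *dll_name, char *func_name)
{
    char *retString, *retString1, *retString2;

    memset(dll_name, 0, FLAG_BUF_SIZE);
    memset(func_name, 0, FLAG_BUF_SIZE);

    retString  = strstr(input_flag, "9");
    retString1 = retString  ? strstr(retString + 1, "9")  : NULL;
    retString2 = retString1 ? strstr(retString1 + 1, "9") : NULL;
    if (retString2 == NULL)
        return -1;

    /* The binary does five unconditional byte loads (rbx+1 .. rbx+5);
       strncpy stops at an early NUL instead of reading past it. */
    strncpy(dll_name, retString + 1, 5);
    strncat(dll_name, ".DLL", FLAG_BUF_SIZE - strlen(dll_name) - 1);

    *retString2 = '\0';                         /* terminate the export name in place */
    strncpy(func_name, retString1 + 1, FLAG_BUF_SIZE - 1);
    return 0;
}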
/* Rough C for the block at 13F904F94..13F905054; function names follow the
   dump's "maybe_*" guesses.  input_flag is the flag buffer at 13F939300.
   NOTE(review): szBuf[]={0} is a one-byte array in real C; the binary's
   buffers are zeroed with memset and sized 0x104 in the copy/concat calls. */
char szBuf[]={0};                               /* buffer at rbp+0xAF0 */
char* retString=strstr(input_flag,"9");         /* first '9'; the binary does not check for NULL */
szBuf[0]=retString[1];                          /* five bytes after the first '9' -> DLL base name */
szBuf[1]=retString[2];
szBuf[2]=retString[3];
szBuf[3]=retString[4];
szBuf[4]=retString[5];
memcat_s(szBuf,0x104,".DLL",4);                 /* append ".DLL"; dump labels the call maybe_strcat_s */
char* retString1=strstr(retString+1,"9");       /* second '9' — unchecked as well */
char* retString2=strstr(retString1+1,"9");      /* third '9' — unchecked as well */
retString2[0]='\0';                             /* terminate the flag at the third '9', in place */
char szbuf2[]={0};                              /* buffer at rbp+0xC00, zeroed by the second memset */
memcpy(szbuf2,retString1+1);                    /* text between 2nd and 3rd '9'; the binary's call takes
                                                   (dst, 0x104, src, 0x104), presumably strncpy_s-like */
经过这一步运算,大概是在buf1中生成了一个dll的名字,buf2中存放了一个字符串。
flag以字符9作为分隔符,大概分成3段:第一段是KXCTF2018,第二段是dll名,第三段是一个字符串。
最后于 2018-7-9 11:05
被lacoucou编辑
,原因: