-
-
[原创]看雪.京东 2018CTF 第十三题 NeuralCrackme WriteUp
-
发表于: 2018-7-12 00:09
-
1.浮点运算的题目。
60fD00 key1 60fD08 key2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 | 0000000000403880 | 57 | push rdi | rdi:"%lf"0000000000403881 | 56 | push rsi | rsi:"9.998681"0000000000403882 | 53 | push rbx | rbx:"Congratuur KEY:"0000000000403883 | 48:81EC A0010000 | sub rsp,1A0 |000000000040388A | E8 71E6FFFF | call nncrackme.401F00 |000000000040388F | 48:8DB424 90000000 | lea rsi,qword ptr ss:[rsp+90] |0000000000403897 | 31C0 | xor eax,eax |0000000000403899 | B9 20000000 | mov ecx,20 | 20:' '000000000040389E | 48:89F7 | mov rdi,rsi | rdi:"%lf", rsi:"9.998681"00000000004038A1 | C64424 24 00 | mov byte ptr ss:[rsp+24],0 |00000000004038A6 | F348:AB | rep stosq |00000000004038A9 | C64424 34 00 | mov byte ptr ss:[rsp+34],0 |00000000004038AE | 48:8D5C24 70 | lea rbx,qword ptr ss:[rsp+70] |00000000004038B3 | 48:C74424 50 00000000 | mov qword ptr ss:[rsp+50],0 |00000000004038BC | 48:C74424 58 00000000 | mov qword ptr ss:[rsp+58],0 |00000000004038C5 | 48:C74424 60 00000000 | mov qword ptr ss:[rsp+60],0 |00000000004038CE | 48:C74424 68 00000000 | mov qword ptr ss:[rsp+68],0 |00000000004038D7 | 48:C74424 40 00000000 | mov qword ptr ss:[rsp+40],0 |00000000004038E0 | C707 00000000 | mov dword ptr ds:[rdi],0 | rdi:"%lf"00000000004038E6 | C74424 20 00000000 | mov dword ptr ss:[rsp+20],0 |00000000004038EE | C74424 30 00000000 | mov dword ptr ss:[rsp+30],0 |00000000004038F6 | 48:C74424 70 00000000 | mov qword ptr ss:[rsp+70],0 |00000000004038FF | 48:C74424 78 00000000 | mov qword ptr ss:[rsp+78],0 |0000000000403908 | 48:C78424 80000000 00 | mov qword ptr ss:[rsp+80],0 |0000000000403914 | 48:C78424 88000000 00 | mov qword ptr ss:[rsp+88],0 |0000000000403920 | E8 6BDEFFFF | call nncrackme.401790 |0000000000403925 | B9 FC000000 | mov ecx,FC |000000000040392A | E8 21E3FFFF | call nncrackme.401C50 |000000000040392F | 48:8D0D CA530000 | lea rcx,qword ptr ds:[408D00] |0000000000403936 | 31C0 | xor eax,eax |0000000000403938 | 0F1F8400 00000000 | nop dword ptr ds:[rax+rax],eax |0000000000403940 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403944 | 83F2 19 | xor edx,19 |0000000000403947 | 29C2 | sub edx,eax |0000000000403949 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"000000000040394C | 48:83C0 01 | add rax,1 |0000000000403950 | 48:83F8 10 | cmp rax,10 |0000000000403954 | 75 EA | jne nncrackme.403940 |0000000000403956 | 48:8D7C24 30 | lea rdi,qword ptr ss:[rsp+30] |000000000040395B | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"000000000040395E | E8 75FDFFFF | call <JMP.&printf> |0000000000403963 | 0FB605 06540000 | movzx eax,byte ptr ds:[408D70] |000000000040396A | 48:89F2 | mov rdx,rsi | rsi:"9.998681"000000000040396D | 48:89F9 | mov rcx,rdi | rdi:"%lf"0000000000403970 | 83F0 25 | xor eax,25 |0000000000403973 | 884424 30 | mov byte ptr ss:[rsp+30],al |0000000000403977 | 0FB605 F3530000 | movzx eax,byte ptr ds:[408D71] |000000000040397E | 83F0 25 | xor eax,25 |0000000000403981 | 83E8 01 | sub eax,1 |0000000000403984 | 884424 31 | mov byte ptr ss:[rsp+31],al |0000000000403988 | E8 3BFDFFFF | call <JMP.&scanf> |000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |0000000000403992 | 48:83C2 04 | add rdx,4 |0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |000000000040399C | F7D1 | not ecx |000000000040399E | 21C8 | and eax,ecx |00000000004039A0 | 25 80808080 | and eax,80808080 |00000000004039A5 | 74 E9 | je nncrackme.403990 |00000000004039A7 | 89C1 | mov ecx,eax |00000000004039A9 | C1E9 10 | shr ecx,10 |00000000004039AC | A9 80800000 | test eax,8080 |00000000004039B1 | 0F44C1 | cmove eax,ecx |00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |00000000004039BC | 89C1 | mov ecx,eax |00000000004039BE | 00C1 | add cl,al |00000000004039C0 | 48:83DA 03 | sbb rdx,3 |00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"00000000004039C7 | 48:83FA 0A | cmp rdx,A | 比较输入字符个数 要求10个字符00000000004039CB | 74 3E | je nncrackme.403A0B |00000000004039CD | 48:8D0D 3C530000 | lea rcx,qword ptr ds:[408D10] |00000000004039D4 | 31C0 | xor eax,eax |00000000004039D6 | 662E:0F1F8400 0000000 | nop word ptr cs:[rax+rax],ax |00000000004039E0 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |00000000004039E4 | 83F2 0F | xor edx,F |00000000004039E7 | 29C2 | sub edx,eax |00000000004039E9 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"00000000004039EC | 48:83C0 01 | add rax,1 |00000000004039F0 | 48:83F8 10 | cmp rax,10 |00000000004039F4 | 75 EA | jne nncrackme.4039E0 |00000000004039F6 | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"00000000004039F9 | E8 DAFCFFFF | call <JMP.&printf> |00000000004039FE | 31C0 | xor eax,eax |0000000000403A00 | 48:81C4 A0010000 | add rsp,1A0 |0000000000403A07 | 5B | pop rbx | rbx:"Congratuur KEY:"0000000000403A08 | 5E | pop rsi | rsi:"9.998681"0000000000403A09 | 5F | pop rdi | rdi:"%lf"0000000000403A0A | C3 | ret |0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | 检查输入字符的组成是否是由0-9 A-F组成0000000000403A1E | 83F8 05 | cmp eax,5 |0000000000403A21 | 74 25 | je nncrackme.403A48 |0000000000403A23 | 48:8D0D F6520000 | lea rcx,qword ptr ds:[408D20] |0000000000403A2A | 31C0 | xor eax,eax |0000000000403A2C | 0F1F40 00 | nop dword ptr ds:[rax],eax |0000000000403A30 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403A34 | 83F2 21 | xor edx,21 |0000000000403A37 | 29C2 | sub edx,eax |0000000000403A39 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403A3C | 48:83C0 01 | add rax,1 |0000000000403A40 | 48:83F8 10 | cmp rax,10 |0000000000403A44 | 75 EA | jne nncrackme.403A30 |0000000000403A46 | EB AE | jmp nncrackme.4039F6 |0000000000403A48 | 0FB64424 20 | movzx eax,byte ptr ss:[rsp+20] |0000000000403A4D | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |0000000000403A52 | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |0000000000403A57 | 884424 56 | mov byte ptr ss:[rsp+56],al |0000000000403A5B | 0FB64424 21 | movzx eax,byte ptr ss:[rsp+21] |0000000000403A60 | 884424 57 | mov byte ptr ss:[rsp+57],al |0000000000403A64 | 0FB64424 22 | movzx eax,byte ptr ss:[rsp+22] |0000000000403A69 | F2:0F104424 50 | movsd xmm0,qword ptr ss:[rsp+50] |0000000000403A6F | F2:0F114424 60 | movsd qword ptr ss:[rsp+60],xmm0 |0000000000403A75 | 884424 5D | mov byte ptr ss:[rsp+5D],al |0000000000403A79 | 0FB64424 23 | movzx eax,byte ptr ss:[rsp+23] |0000000000403A7E | 884424 5E | mov byte ptr ss:[rsp+5E],al |0000000000403A82 | 0FB64424 24 | movzx eax,byte ptr ss:[rsp+24] |0000000000403A87 | 884424 5F | mov byte ptr ss:[rsp+5F],al |0000000000403A8B | F2:0F104424 58 | movsd xmm0,qword ptr ss:[rsp+58] |0000000000403A91 | F2:0F114424 68 | movsd qword ptr ss:[rsp+68],xmm0 |0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> |0000000000403A9C | 0FB605 CF520000 | movzx eax,byte ptr ds:[408D72] |0000000000403AA3 | 48:89FA | mov rdx,rdi | rdi:"%lf"0000000000403AA6 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |0000000000403AB8 | 83F0 12 | xor eax,12 |0000000000403ABB | 884424 30 | mov byte ptr ss:[rsp+30],al |0000000000403ABF | 0FB605 AD520000 | movzx eax,byte ptr ds:[408D73] |0000000000403AC6 | 83F0 12 | xor eax,12 |0000000000403AC9 | 83E8 01 | sub eax,1 |0000000000403ACC | 884424 31 | mov byte ptr ss:[rsp+31],al |0000000000403AD0 | 0FB605 9D520000 | movzx eax,byte ptr ds:[408D74] |0000000000403AD7 | 83F0 12 | xor eax,12 |0000000000403ADA | 83E8 02 | sub eax,2 |0000000000403ADD | 884424 32 | mov byte ptr ss:[rsp+32],al |0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> |0000000000403AE6 | 80BC24 91000000 2E | cmp byte ptr ss:[rsp+91],2E | 2E:'.'0000000000403AEE | 74 24 | je nncrackme.403B14 |0000000000403AF0 | 48:8D0D 49520000 | lea rcx,qword ptr ds:[408D40] |0000000000403AF7 | 31C0 | xor eax,eax |0000000000403AF9 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403AFD | 83F2 3F | xor edx,3F |0000000000403B00 | 29C2 | sub edx,eax |0000000000403B02 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403B05 | 48:83C0 01 | add rax,1 |0000000000403B09 | 48:83F8 10 | cmp rax,10 |0000000000403B0D | 75 EA | jne nncrackme.403AF9 |0000000000403B0F | E9 E2FEFFFF | jmp nncrackme.4039F6 |0000000000403B14 | 0FBE8424 90000000 | movsx eax,byte ptr ss:[rsp+90] |0000000000403B1C | 66:0FEFC0 | pxor xmm0,xmm0 |0000000000403B20 | 66:0FEFD2 | pxor xmm2,xmm2 |0000000000403B24 | 66:0FEFC9 | pxor xmm1,xmm1 |0000000000403B28 | 83E8 30 | sub eax,30 |0000000000403B2B | F2:0F2AC0 | cvtsi2sd xmm0,eax |0000000000403B2F | 0FBE8424 92000000 | movsx eax,byte ptr ss:[rsp+92] |0000000000403B37 | F2:0F59C0 | mulsd xmm0,xmm0 |0000000000403B3B | 83E8 30 | sub eax,30 |0000000000403B3E | F2:0F2AD0 | cvtsi2sd xmm2,eax |0000000000403B42 | 0FBE8424 93000000 | movsx eax,byte ptr ss:[rsp+93] |0000000000403B4A | F2:0F59D2 | mulsd xmm2,xmm2 |0000000000403B4E | 83E8 30 | sub eax,30 |0000000000403B51 | F2:0F2AC8 | cvtsi2sd xmm1,eax |0000000000403B55 | F2:0F59C9 | mulsd xmm1,xmm1 |0000000000403B59 | F2:0F58C2 | addsd xmm0,xmm2 |0000000000403B5D | F2:0F58C1 | addsd xmm0,xmm1 |0000000000403B61 | E8 FAF7FFFF | call <nncrackme.maybe_sqrt> | (szBuf[0]-'0')*(szBuf[0]-'0')*+(szBuf[2]-'2')*(szBuf[2]-'0')*+(szBuf[3]-'0')*(szBuf[3]-'0')*0000000000403B66 | 66:0F2E05 02550000 | ucomisd xmm0,qword ptr ds:[409070] | [409070]=15.50000000000403B6E | 76 53 | jbe nncrackme.403BC3 | xmm0小于15.5跳到错误0000000000403B70 | F64424 22 0F | test byte ptr ss:[rsp+22],F | 测试输入的第6个字符是否为00000000000403B75 | 75 4C | jne nncrackme.403BC3 |0000000000403B77 | F2:0F100D 11550000 | movsd xmm1,qword ptr ds:[409090] |0000000000403B7F | 31C0 | xor eax,eax |0000000000403B81 | F2:0F104424 60 | movsd xmm0,qword ptr ss:[rsp+60] |0000000000403B87 | F2:0F584424 68 | addsd xmm0,qword ptr ss:[rsp+68] |0000000000403B8D | F2:0F5C4424 40 | subsd xmm0,qword ptr ss:[rsp+40] |0000000000403B93 | 66:0F5405 E5540000 | andpd xmm0,xmmword ptr ds:[409080] |0000000000403B9B | 66:0F2EC8 | ucomisd xmm1,xmm0 |0000000000403B9F | 76 24 | jbe nncrackme.403BC5 |0000000000403BA1 | 48:8D0D A8510000 | lea rcx,qword ptr ds:[408D50] |0000000000403BA8 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403BAC | 83F2 47 | xor edx,47 |0000000000403BAF | 29C2 | sub edx,eax |0000000000403BB1 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403BB4 | 48:83C0 01 | add rax,1 |0000000000403BB8 | 48:83F8 10 | cmp rax,10 |0000000000403BBC | 75 EA | jne nncrackme.403BA8 |0000000000403BBE | E9 33FEFFFF | jmp nncrackme.4039F6 |0000000000403BC3 | 31C0 | xor eax,eax |0000000000403BC5 | 48:8D0D 94510000 | lea rcx,qword ptr ds:[408D60] |0000000000403BCC | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403BD0 | 83F2 37 | xor edx,37 |0000000000403BD3 | 29C2 | sub edx,eax |0000000000403BD5 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403BD8 | 48:83C0 01 | add rax,1 |0000000000403BDC | 48:83F8 10 | cmp rax,10 |0000000000403BE0 | 75 EA | jne nncrackme.403BCC |0000000000403BE2 | E9 0FFEFFFF | jmp nncrackme.4039F6 | |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 | 0000000000403880 | 57 | push rdi | rdi:"%lf"0000000000403881 | 56 | push rsi | rsi:"9.998681"0000000000403882 | 53 | push rbx | rbx:"Congratuur KEY:"0000000000403883 | 48:81EC A0010000 | sub rsp,1A0 |000000000040388A | E8 71E6FFFF | call nncrackme.401F00 |000000000040388F | 48:8DB424 90000000 | lea rsi,qword ptr ss:[rsp+90] |0000000000403897 | 31C0 | xor eax,eax |0000000000403899 | B9 20000000 | mov ecx,20 | 20:' '000000000040389E | 48:89F7 | mov rdi,rsi | rdi:"%lf", rsi:"9.998681"00000000004038A1 | C64424 24 00 | mov byte ptr ss:[rsp+24],0 |00000000004038A6 | F348:AB | rep stosq |00000000004038A9 | C64424 34 00 | mov byte ptr ss:[rsp+34],0 |00000000004038AE | 48:8D5C24 70 | lea rbx,qword ptr ss:[rsp+70] |00000000004038B3 | 48:C74424 50 00000000 | mov qword ptr ss:[rsp+50],0 |00000000004038BC | 48:C74424 58 00000000 | mov qword ptr ss:[rsp+58],0 |00000000004038C5 | 48:C74424 60 00000000 | mov qword ptr ss:[rsp+60],0 |00000000004038CE | 48:C74424 68 00000000 | mov qword ptr ss:[rsp+68],0 |00000000004038D7 | 48:C74424 40 00000000 | mov qword ptr ss:[rsp+40],0 |00000000004038E0 | C707 00000000 | mov dword ptr ds:[rdi],0 | rdi:"%lf"00000000004038E6 | C74424 20 00000000 | mov dword ptr ss:[rsp+20],0 |00000000004038EE | C74424 30 00000000 | mov dword ptr ss:[rsp+30],0 |00000000004038F6 | 48:C74424 70 00000000 | mov qword ptr ss:[rsp+70],0 |00000000004038FF | 48:C74424 78 00000000 | mov qword ptr ss:[rsp+78],0 |0000000000403908 | 48:C78424 80000000 00 | mov qword ptr ss:[rsp+80],0 |0000000000403914 | 48:C78424 88000000 00 | mov qword ptr ss:[rsp+88],0 |0000000000403920 | E8 6BDEFFFF | call nncrackme.401790 |0000000000403925 | B9 FC000000 | mov ecx,FC |000000000040392A | E8 21E3FFFF | call nncrackme.401C50 |000000000040392F | 48:8D0D CA530000 | lea rcx,qword ptr ds:[408D00] |0000000000403936 | 31C0 | xor eax,eax |0000000000403938 | 0F1F8400 00000000 | nop dword ptr ds:[rax+rax],eax |0000000000403940 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403944 | 83F2 19 | xor edx,19 |0000000000403947 | 29C2 | sub edx,eax |0000000000403949 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"000000000040394C | 48:83C0 01 | add rax,1 |0000000000403950 | 48:83F8 10 | cmp rax,10 |0000000000403954 | 75 EA | jne nncrackme.403940 |0000000000403956 | 48:8D7C24 30 | lea rdi,qword ptr ss:[rsp+30] |000000000040395B | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"000000000040395E | E8 75FDFFFF | call <JMP.&printf> |0000000000403963 | 0FB605 06540000 | movzx eax,byte ptr ds:[408D70] |000000000040396A | 48:89F2 | mov rdx,rsi | rsi:"9.998681"000000000040396D | 48:89F9 | mov rcx,rdi | rdi:"%lf"0000000000403970 | 83F0 25 | xor eax,25 |0000000000403973 | 884424 30 | mov byte ptr ss:[rsp+30],al |0000000000403977 | 0FB605 F3530000 | movzx eax,byte ptr ds:[408D71] |000000000040397E | 83F0 25 | xor eax,25 |0000000000403981 | 83E8 01 | sub eax,1 |0000000000403984 | 884424 31 | mov byte ptr ss:[rsp+31],al |0000000000403988 | E8 3BFDFFFF | call <JMP.&scanf> |000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |0000000000403992 | 48:83C2 04 | add rdx,4 |0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |000000000040399C | F7D1 | not ecx |000000000040399E | 21C8 | and eax,ecx |00000000004039A0 | 25 80808080 | and eax,80808080 |00000000004039A5 | 74 E9 | je nncrackme.403990 |00000000004039A7 | 89C1 | mov ecx,eax |00000000004039A9 | C1E9 10 | shr ecx,10 |00000000004039AC | A9 80800000 | test eax,8080 |00000000004039B1 | 0F44C1 | cmove eax,ecx |00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |00000000004039BC | 89C1 | mov ecx,eax |00000000004039BE | 00C1 | add cl,al |00000000004039C0 | 48:83DA 03 | sbb rdx,3 |00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"00000000004039C7 | 48:83FA 0A | cmp rdx,A | 比较输入字符个数 要求10个字符00000000004039CB | 74 3E | je nncrackme.403A0B |00000000004039CD | 48:8D0D 3C530000 | lea rcx,qword ptr ds:[408D10] |00000000004039D4 | 31C0 | xor eax,eax |00000000004039D6 | 662E:0F1F8400 0000000 | nop word ptr cs:[rax+rax],ax |00000000004039E0 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |00000000004039E4 | 83F2 0F | xor edx,F |00000000004039E7 | 29C2 | sub edx,eax |00000000004039E9 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"00000000004039EC | 48:83C0 01 | add rax,1 |00000000004039F0 | 48:83F8 10 | cmp rax,10 |00000000004039F4 | 75 EA | jne nncrackme.4039E0 |00000000004039F6 | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"00000000004039F9 | E8 DAFCFFFF | call <JMP.&printf> |00000000004039FE | 31C0 | xor eax,eax |0000000000403A00 | 48:81C4 A0010000 | add rsp,1A0 |0000000000403A07 | 5B | pop rbx | rbx:"Congratuur KEY:"0000000000403A08 | 5E | pop rsi | rsi:"9.998681"0000000000403A09 | 5F | pop rdi | rdi:"%lf"0000000000403A0A | C3 | ret |0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | 检查输入字符的组成是否是由0-9 A-F组成0000000000403A1E | 83F8 05 | cmp eax,5 |0000000000403A21 | 74 25 | je nncrackme.403A48 |0000000000403A23 | 48:8D0D F6520000 | lea rcx,qword ptr ds:[408D20] |0000000000403A2A | 31C0 | xor eax,eax |0000000000403A2C | 0F1F40 00 | nop dword ptr ds:[rax],eax |0000000000403A30 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403A34 | 83F2 21 | xor edx,21 |0000000000403A37 | 29C2 | sub edx,eax |0000000000403A39 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403A3C | 48:83C0 01 | add rax,1 |0000000000403A40 | 48:83F8 10 | cmp rax,10 |0000000000403A44 | 75 EA | jne nncrackme.403A30 |0000000000403A46 | EB AE | jmp nncrackme.4039F6 |0000000000403A48 | 0FB64424 20 | movzx eax,byte ptr ss:[rsp+20] |0000000000403A4D | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |0000000000403A52 | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |0000000000403A57 | 884424 56 | mov byte ptr ss:[rsp+56],al |0000000000403A5B | 0FB64424 21 | movzx eax,byte ptr ss:[rsp+21] |0000000000403A60 | 884424 57 | mov byte ptr ss:[rsp+57],al |0000000000403A64 | 0FB64424 22 | movzx eax,byte ptr ss:[rsp+22] |0000000000403A69 | F2:0F104424 50 | movsd xmm0,qword ptr ss:[rsp+50] |0000000000403A6F | F2:0F114424 60 | movsd qword ptr ss:[rsp+60],xmm0 |0000000000403A75 | 884424 5D | mov byte ptr ss:[rsp+5D],al |0000000000403A79 | 0FB64424 23 | movzx eax,byte ptr ss:[rsp+23] |0000000000403A7E | 884424 5E | mov byte ptr ss:[rsp+5E],al |0000000000403A82 | 0FB64424 24 | movzx eax,byte ptr ss:[rsp+24] |0000000000403A87 | 884424 5F | mov byte ptr ss:[rsp+5F],al |0000000000403A8B | F2:0F104424 58 | movsd xmm0,qword ptr ss:[rsp+58] |0000000000403A91 | F2:0F114424 68 | movsd qword ptr ss:[rsp+68],xmm0 |0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> |0000000000403A9C | 0FB605 CF520000 | movzx eax,byte ptr ds:[408D72] |0000000000403AA3 | 48:89FA | mov rdx,rdi | rdi:"%lf"0000000000403AA6 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |0000000000403AB8 | 83F0 12 | xor eax,12 |0000000000403ABB | 884424 30 | mov byte ptr ss:[rsp+30],al |0000000000403ABF | 0FB605 AD520000 | movzx eax,byte ptr ds:[408D73] |0000000000403AC6 | 83F0 12 | xor eax,12 |0000000000403AC9 | 83E8 01 | sub eax,1 |0000000000403ACC | 884424 31 | mov byte ptr ss:[rsp+31],al |0000000000403AD0 | 0FB605 9D520000 | movzx eax,byte ptr ds:[408D74] |0000000000403AD7 | 83F0 12 | xor eax,12 |0000000000403ADA | 83E8 02 | sub eax,2 |0000000000403ADD | 884424 32 | mov byte ptr ss:[rsp+32],al |0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> |0000000000403AE6 | 80BC24 91000000 2E | cmp byte ptr ss:[rsp+91],2E | 2E:'.'0000000000403AEE | 74 24 | je nncrackme.403B14 |0000000000403AF0 | 48:8D0D 49520000 | lea rcx,qword ptr ds:[408D40] |0000000000403AF7 | 31C0 | xor eax,eax |0000000000403AF9 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403AFD | 83F2 3F | xor edx,3F |0000000000403B00 | 29C2 | sub edx,eax |0000000000403B02 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403B05 | 48:83C0 01 | add rax,1 |0000000000403B09 | 48:83F8 10 | cmp rax,10 |0000000000403B0D | 75 EA | jne nncrackme.403AF9 |0000000000403B0F | E9 E2FEFFFF | jmp nncrackme.4039F6 |0000000000403B14 | 0FBE8424 90000000 | movsx eax,byte ptr ss:[rsp+90] |0000000000403B1C | 66:0FEFC0 | pxor xmm0,xmm0 |0000000000403B20 | 66:0FEFD2 | pxor xmm2,xmm2 |0000000000403B24 | 66:0FEFC9 | pxor xmm1,xmm1 |0000000000403B28 | 83E8 30 | sub eax,30 |0000000000403B2B | F2:0F2AC0 | cvtsi2sd xmm0,eax |0000000000403B2F | 0FBE8424 92000000 | movsx eax,byte ptr ss:[rsp+92] |0000000000403B37 | F2:0F59C0 | mulsd xmm0,xmm0 |0000000000403B3B | 83E8 30 | sub eax,30 |0000000000403B3E | F2:0F2AD0 | cvtsi2sd xmm2,eax |0000000000403B42 | 0FBE8424 93000000 | movsx eax,byte ptr ss:[rsp+93] |0000000000403B4A | F2:0F59D2 | mulsd xmm2,xmm2 |0000000000403B4E | 83E8 30 | sub eax,30 |0000000000403B51 | F2:0F2AC8 | cvtsi2sd xmm1,eax |0000000000403B55 | F2:0F59C9 | mulsd xmm1,xmm1 |0000000000403B59 | F2:0F58C2 | addsd xmm0,xmm2 |0000000000403B5D | F2:0F58C1 | addsd xmm0,xmm1 |0000000000403B61 | E8 FAF7FFFF | call <nncrackme.maybe_sqrt> | (szBuf[0]-'0')*(szBuf[0]-'0')*+(szBuf[2]-'2')*(szBuf[2]-'0')*+(szBuf[3]-'0')*(szBuf[3]-'0')*0000000000403B66 | 66:0F2E05 02550000 | ucomisd xmm0,qword ptr ds:[409070] | [409070]=15.50000000000403B6E | 76 53 | jbe nncrackme.403BC3 | xmm0小于15.5跳到错误0000000000403B70 | F64424 22 0F | test byte ptr ss:[rsp+22],F | 测试输入的第6个字符是否为00000000000403B75 | 75 4C | jne nncrackme.403BC3 |0000000000403B77 | F2:0F100D 11550000 | movsd xmm1,qword ptr ds:[409090] |0000000000403B7F | 31C0 | xor eax,eax |0000000000403B81 | F2:0F104424 60 | movsd xmm0,qword ptr ss:[rsp+60] |0000000000403B87 | F2:0F584424 68 | addsd xmm0,qword ptr ss:[rsp+68] |0000000000403B8D | F2:0F5C4424 40 | subsd xmm0,qword ptr ss:[rsp+40] |0000000000403B93 | 66:0F5405 E5540000 | andpd xmm0,xmmword ptr ds:[409080] |0000000000403B9B | 66:0F2EC8 | ucomisd xmm1,xmm0 |0000000000403B9F | 76 24 | jbe nncrackme.403BC5 |0000000000403BA1 | 48:8D0D A8510000 | lea rcx,qword ptr ds:[408D50] |0000000000403BA8 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403BAC | 83F2 47 | xor edx,47 |0000000000403BAF | 29C2 | sub edx,eax |0000000000403BB1 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403BB4 | 48:83C0 01 | add rax,1 |0000000000403BB8 | 48:83F8 10 | cmp rax,10 |0000000000403BBC | 75 EA | jne nncrackme.403BA8 |0000000000403BBE | E9 33FEFFFF | jmp nncrackme.4039F6 |0000000000403BC3 | 31C0 | xor eax,eax |0000000000403BC5 | 48:8D0D 94510000 | lea rcx,qword ptr ds:[408D60] |0000000000403BCC | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |0000000000403BD0 | 83F2 37 | xor edx,37 |0000000000403BD3 | 29C2 | sub edx,eax |0000000000403BD5 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"0000000000403BD8 | 48:83C0 01 | add rax,1 |0000000000403BDC | 48:83F8 10 | cmp rax,10 |0000000000403BE0 | 75 EA | jne nncrackme.403BCC |0000000000403BE2 | E9 0FFEFFFF | jmp nncrackme.4039F6 | |
整体代码就这么多。
要求我们输入的是一个由0-9 A-Z 组成的10个字符的字符串。
长度计算和判断:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | 000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |0000000000403992 | 48:83C2 04 | add rdx,4 |0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |000000000040399C | F7D1 | not ecx |000000000040399E | 21C8 | and eax,ecx |00000000004039A0 | 25 80808080 | and eax,80808080 |00000000004039A5 | 74 E9 | je nncrackme.403990 |00000000004039A7 | 89C1 | mov ecx,eax |00000000004039A9 | C1E9 10 | shr ecx,10 |00000000004039AC | A9 80800000 | test eax,8080 |00000000004039B1 | 0F44C1 | cmove eax,ecx |00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |00000000004039BC | 89C1 | mov ecx,eax |00000000004039BE | 00C1 | add cl,al |00000000004039C0 | 48:83DA 03 | sbb rdx,3 |00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"00000000004039C7 | 48:83FA 0A | cmp rdx,A | 比较输入字符个数 要求10个字符 |
不满足条件,则直接往下执行,解密输出字符串key len error.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | 000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |0000000000403992 | 48:83C2 04 | add rdx,4 |0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |000000000040399C | F7D1 | not ecx |000000000040399E | 21C8 | and eax,ecx |00000000004039A0 | 25 80808080 | and eax,80808080 |00000000004039A5 | 74 E9 | je nncrackme.403990 |00000000004039A7 | 89C1 | mov ecx,eax |00000000004039A9 | C1E9 10 | shr ecx,10 |00000000004039AC | A9 80800000 | test eax,8080 |00000000004039B1 | 0F44C1 | cmove eax,ecx |00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |00000000004039BC | 89C1 | mov ecx,eax |00000000004039BE | 00C1 | add cl,al |00000000004039C0 | 48:83DA 03 | sbb rdx,3 |00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"00000000004039C7 | 48:83FA 0A | cmp rdx,A | 比较输入字符个数 要求10个字符 |
不满足条件,则直接往下执行,解密输出字符串key len error.
再往下检查字符:
1 2 3 4 | 0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | 检查输入字符的组成是否是由0-9 A-F组成 |
必须是0-9 A-Z相关字符组成,否则失败显示key char error
1 2 3 4 | 0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | 检查输入字符的组成是否是由0-9 A-F组成 |
必须是0-9 A-Z相关字符组成,否则失败显示key char error
再往下:
1 | 0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> | |
这个函数函数挺复杂的,跟了几次,但是没有还原他。
1 | 0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> | |
这个函数函数挺复杂的,跟了几次,但是没有还原他。
函数参数在rcx中:
进函数之前,栈中情况:
60fcf0 key1 60fcf8 key2
60fD00 key1 60fD08 key2
此题答案:F13FE02140
这里作为我们的输入。 在函数之前的代码中,会把key分成两部分,前4位key1(F13E),后6位key2(
E02140
)
其实这两部分是一个double数值的16进制的高位部分。
此函数执行完成之后,会把一个和(double(key1)+double(key2))放在栈中,之后会通过sprintf(szBuf,"%lf",r8) 打印出来
1 2 3 4 | 0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> | |
1 2 3 4 | 0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> | |
函数执行之后,栈中情况如上。
在函数中有一个判断:
1 2 3 4 5 6 | v14 = *(double *)(v6 + 16); if ( v14 <= 1.0 || v14 >= 10.0 || (v15 = *(double *)(v6 + 24), v15 <= 1.0) || v15 >= 10.0 ) { *(double *)qword_40CD00 = *(double *)qword_40CD00 * *(double *)qword_40CD00; *(_QWORD *)v7 = 0x4024000000000000i64; } |
v14即key1的值,v15即key2的值。
1 2 3 4 5 6 | v14 = *(double *)(v6 + 16); if ( v14 <= 1.0 || v14 >= 10.0 || (v15 = *(double *)(v6 + 24), v15 <= 1.0) || v15 >= 10.0 ) { *(double *)qword_40CD00 = *(double *)qword_40CD00 * *(double *)qword_40CD00; *(_QWORD *)v7 = 0x4024000000000000i64; } |
v14即key1的值,v15即key2的值。
两个值都是大于1.0 小于10.0 .
这里格式化之后是9.998681 比我们输入的两数字之和(1.0625+8.9375=10.0) 要稍微小一点,其他输入也可能会稍微大一点,这个函数功能暂时不清楚。。。。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
