[Original] Kanxue · JD 2018 CTF, Problem 13: NeuralCrackme WriteUp
Posted on: 2018-7-12 00:09
1. A problem built around floating-point arithmetic.
60fD00 key1 60fD08 key2
0000000000403880 | 57 | push rdi | rdi:"%lf"
0000000000403881 | 56 | push rsi | rsi:"9.998681"
0000000000403882 | 53 | push rbx | rbx:"Congratuur KEY:"
0000000000403883 | 48:81EC A0010000 | sub rsp,1A0 |
000000000040388A | E8 71E6FFFF | call nncrackme.401F00 |
000000000040388F | 48:8DB424 90000000 | lea rsi,qword ptr ss:[rsp+90] |
0000000000403897 | 31C0 | xor eax,eax |
0000000000403899 | B9 20000000 | mov ecx,20 | 20:' '
000000000040389E | 48:89F7 | mov rdi,rsi | rdi:"%lf", rsi:"9.998681"
00000000004038A1 | C64424 24 00 | mov byte ptr ss:[rsp+24],0 |
00000000004038A6 | F348:AB | rep stosq |
00000000004038A9 | C64424 34 00 | mov byte ptr ss:[rsp+34],0 |
00000000004038AE | 48:8D5C24 70 | lea rbx,qword ptr ss:[rsp+70] |
00000000004038B3 | 48:C74424 50 00000000 | mov qword ptr ss:[rsp+50],0 |
00000000004038BC | 48:C74424 58 00000000 | mov qword ptr ss:[rsp+58],0 |
00000000004038C5 | 48:C74424 60 00000000 | mov qword ptr ss:[rsp+60],0 |
00000000004038CE | 48:C74424 68 00000000 | mov qword ptr ss:[rsp+68],0 |
00000000004038D7 | 48:C74424 40 00000000 | mov qword ptr ss:[rsp+40],0 |
00000000004038E0 | C707 00000000 | mov dword ptr ds:[rdi],0 | rdi:"%lf"
00000000004038E6 | C74424 20 00000000 | mov dword ptr ss:[rsp+20],0 |
00000000004038EE | C74424 30 00000000 | mov dword ptr ss:[rsp+30],0 |
00000000004038F6 | 48:C74424 70 00000000 | mov qword ptr ss:[rsp+70],0 |
00000000004038FF | 48:C74424 78 00000000 | mov qword ptr ss:[rsp+78],0 |
0000000000403908 | 48:C78424 80000000 00 | mov qword ptr ss:[rsp+80],0 |
0000000000403914 | 48:C78424 88000000 00 | mov qword ptr ss:[rsp+88],0 |
0000000000403920 | E8 6BDEFFFF | call nncrackme.401790 |
0000000000403925 | B9 FC000000 | mov ecx,FC |
000000000040392A | E8 21E3FFFF | call nncrackme.401C50 |
000000000040392F | 48:8D0D CA530000 | lea rcx,qword ptr ds:[408D00] |
0000000000403936 | 31C0 | xor eax,eax |
0000000000403938 | 0F1F8400 00000000 | nop dword ptr ds:[rax+rax],eax |
0000000000403940 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
0000000000403944 | 83F2 19 | xor edx,19 |
0000000000403947 | 29C2 | sub edx,eax |
0000000000403949 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
000000000040394C | 48:83C0 01 | add rax,1 |
0000000000403950 | 48:83F8 10 | cmp rax,10 |
0000000000403954 | 75 EA | jne nncrackme.403940 |
0000000000403956 | 48:8D7C24 30 | lea rdi,qword ptr ss:[rsp+30] |
000000000040395B | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"
000000000040395E | E8 75FDFFFF | call <JMP.&printf> |
0000000000403963 | 0FB605 06540000 | movzx eax,byte ptr ds:[408D70] |
000000000040396A | 48:89F2 | mov rdx,rsi | rsi:"9.998681"
000000000040396D | 48:89F9 | mov rcx,rdi | rdi:"%lf"
0000000000403970 | 83F0 25 | xor eax,25 |
0000000000403973 | 884424 30 | mov byte ptr ss:[rsp+30],al |
0000000000403977 | 0FB605 F3530000 | movzx eax,byte ptr ds:[408D71] |
000000000040397E | 83F0 25 | xor eax,25 |
0000000000403981 | 83E8 01 | sub eax,1 |
0000000000403984 | 884424 31 | mov byte ptr ss:[rsp+31],al |
0000000000403988 | E8 3BFDFFFF | call <JMP.&scanf> |
000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"
0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |
0000000000403992 | 48:83C2 04 | add rdx,4 |
0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |
000000000040399C | F7D1 | not ecx |
000000000040399E | 21C8 | and eax,ecx |
00000000004039A0 | 25 80808080 | and eax,80808080 |
00000000004039A5 | 74 E9 | je nncrackme.403990 |
00000000004039A7 | 89C1 | mov ecx,eax |
00000000004039A9 | C1E9 10 | shr ecx,10 |
00000000004039AC | A9 80800000 | test eax,8080 |
00000000004039B1 | 0F44C1 | cmove eax,ecx |
00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |
00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |
00000000004039BC | 89C1 | mov ecx,eax |
00000000004039BE | 00C1 | add cl,al |
00000000004039C0 | 48:83DA 03 | sbb rdx,3 |
00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"
00000000004039C7 | 48:83FA 0A | cmp rdx,A | compare the input length; exactly 10 characters are required
00000000004039CB | 74 3E | je nncrackme.403A0B |
00000000004039CD | 48:8D0D 3C530000 | lea rcx,qword ptr ds:[408D10] |
00000000004039D4 | 31C0 | xor eax,eax |
00000000004039D6 | 662E:0F1F8400 0000000 | nop word ptr cs:[rax+rax],ax |
00000000004039E0 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
00000000004039E4 | 83F2 0F | xor edx,F |
00000000004039E7 | 29C2 | sub edx,eax |
00000000004039E9 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
00000000004039EC | 48:83C0 01 | add rax,1 |
00000000004039F0 | 48:83F8 10 | cmp rax,10 |
00000000004039F4 | 75 EA | jne nncrackme.4039E0 |
00000000004039F6 | 48:89D9 | mov rcx,rbx | rbx:"Congratuur KEY:"
00000000004039F9 | E8 DAFCFFFF | call <JMP.&printf> |
00000000004039FE | 31C0 | xor eax,eax |
0000000000403A00 | 48:81C4 A0010000 | add rsp,1A0 |
0000000000403A07 | 5B | pop rbx | rbx:"Congratuur KEY:"
0000000000403A08 | 5E | pop rsi | rsi:"9.998681"
0000000000403A09 | 5F | pop rdi | rdi:"%lf"
0000000000403A0A | C3 | ret |
0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |
0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'
0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"
0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | checks that the input consists only of the characters 0-9 A-F
0000000000403A1E | 83F8 05 | cmp eax,5 |
0000000000403A21 | 74 25 | je nncrackme.403A48 |
0000000000403A23 | 48:8D0D F6520000 | lea rcx,qword ptr ds:[408D20] |
0000000000403A2A | 31C0 | xor eax,eax |
0000000000403A2C | 0F1F40 00 | nop dword ptr ds:[rax],eax |
0000000000403A30 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
0000000000403A34 | 83F2 21 | xor edx,21 |
0000000000403A37 | 29C2 | sub edx,eax |
0000000000403A39 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
0000000000403A3C | 48:83C0 01 | add rax,1 |
0000000000403A40 | 48:83F8 10 | cmp rax,10 |
0000000000403A44 | 75 EA | jne nncrackme.403A30 |
0000000000403A46 | EB AE | jmp nncrackme.4039F6 |
0000000000403A48 | 0FB64424 20 | movzx eax,byte ptr ss:[rsp+20] |
0000000000403A4D | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |
0000000000403A52 | 48:8D4C24 50 | lea rcx,qword ptr ss:[rsp+50] |
0000000000403A57 | 884424 56 | mov byte ptr ss:[rsp+56],al |
0000000000403A5B | 0FB64424 21 | movzx eax,byte ptr ss:[rsp+21] |
0000000000403A60 | 884424 57 | mov byte ptr ss:[rsp+57],al |
0000000000403A64 | 0FB64424 22 | movzx eax,byte ptr ss:[rsp+22] |
0000000000403A69 | F2:0F104424 50 | movsd xmm0,qword ptr ss:[rsp+50] |
0000000000403A6F | F2:0F114424 60 | movsd qword ptr ss:[rsp+60],xmm0 |
0000000000403A75 | 884424 5D | mov byte ptr ss:[rsp+5D],al |
0000000000403A79 | 0FB64424 23 | movzx eax,byte ptr ss:[rsp+23] |
0000000000403A7E | 884424 5E | mov byte ptr ss:[rsp+5E],al |
0000000000403A82 | 0FB64424 24 | movzx eax,byte ptr ss:[rsp+24] |
0000000000403A87 | 884424 5F | mov byte ptr ss:[rsp+5F],al |
0000000000403A8B | F2:0F104424 58 | movsd xmm0,qword ptr ss:[rsp+58] |
0000000000403A91 | F2:0F114424 68 | movsd qword ptr ss:[rsp+68],xmm0 |
0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> |
0000000000403A9C | 0FB605 CF520000 | movzx eax,byte ptr ds:[408D72] |
0000000000403AA3 | 48:89FA | mov rdx,rdi | rdi:"%lf"
0000000000403AA6 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"
0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |
0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |
0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |
0000000000403AB8 | 83F0 12 | xor eax,12 |
0000000000403ABB | 884424 30 | mov byte ptr ss:[rsp+30],al |
0000000000403ABF | 0FB605 AD520000 | movzx eax,byte ptr ds:[408D73] |
0000000000403AC6 | 83F0 12 | xor eax,12 |
0000000000403AC9 | 83E8 01 | sub eax,1 |
0000000000403ACC | 884424 31 | mov byte ptr ss:[rsp+31],al |
0000000000403AD0 | 0FB605 9D520000 | movzx eax,byte ptr ds:[408D74] |
0000000000403AD7 | 83F0 12 | xor eax,12 |
0000000000403ADA | 83E8 02 | sub eax,2 |
0000000000403ADD | 884424 32 | mov byte ptr ss:[rsp+32],al |
0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> |
0000000000403AE6 | 80BC24 91000000 2E | cmp byte ptr ss:[rsp+91],2E | 2E:'.'
0000000000403AEE | 74 24 | je nncrackme.403B14 |
0000000000403AF0 | 48:8D0D 49520000 | lea rcx,qword ptr ds:[408D40] |
0000000000403AF7 | 31C0 | xor eax,eax |
0000000000403AF9 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
0000000000403AFD | 83F2 3F | xor edx,3F |
0000000000403B00 | 29C2 | sub edx,eax |
0000000000403B02 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
0000000000403B05 | 48:83C0 01 | add rax,1 |
0000000000403B09 | 48:83F8 10 | cmp rax,10 |
0000000000403B0D | 75 EA | jne nncrackme.403AF9 |
0000000000403B0F | E9 E2FEFFFF | jmp nncrackme.4039F6 |
0000000000403B14 | 0FBE8424 90000000 | movsx eax,byte ptr ss:[rsp+90] |
0000000000403B1C | 66:0FEFC0 | pxor xmm0,xmm0 |
0000000000403B20 | 66:0FEFD2 | pxor xmm2,xmm2 |
0000000000403B24 | 66:0FEFC9 | pxor xmm1,xmm1 |
0000000000403B28 | 83E8 30 | sub eax,30 |
0000000000403B2B | F2:0F2AC0 | cvtsi2sd xmm0,eax |
0000000000403B2F | 0FBE8424 92000000 | movsx eax,byte ptr ss:[rsp+92] |
0000000000403B37 | F2:0F59C0 | mulsd xmm0,xmm0 |
0000000000403B3B | 83E8 30 | sub eax,30 |
0000000000403B3E | F2:0F2AD0 | cvtsi2sd xmm2,eax |
0000000000403B42 | 0FBE8424 93000000 | movsx eax,byte ptr ss:[rsp+93] |
0000000000403B4A | F2:0F59D2 | mulsd xmm2,xmm2 |
0000000000403B4E | 83E8 30 | sub eax,30 |
0000000000403B51 | F2:0F2AC8 | cvtsi2sd xmm1,eax |
0000000000403B55 | F2:0F59C9 | mulsd xmm1,xmm1 |
0000000000403B59 | F2:0F58C2 | addsd xmm0,xmm2 |
0000000000403B5D | F2:0F58C1 | addsd xmm0,xmm1 |
0000000000403B61 | E8 FAF7FFFF | call <nncrackme.maybe_sqrt> | xmm0 = (szBuf[0]-'0')*(szBuf[0]-'0') + (szBuf[2]-'0')*(szBuf[2]-'0') + (szBuf[3]-'0')*(szBuf[3]-'0')
0000000000403B66 | 66:0F2E05 02550000 | ucomisd xmm0,qword ptr ds:[409070] | [409070]=15.5
0000000000403B6E | 76 53 | jbe nncrackme.403BC3 | if xmm0 <= 15.5, jump to the error path
0000000000403B70 | F64424 22 0F | test byte ptr ss:[rsp+22],F | tests whether the 6th input character is '0' (low nibble of the 3rd parsed byte)
0000000000403B75 | 75 4C | jne nncrackme.403BC3 |
0000000000403B77 | F2:0F100D 11550000 | movsd xmm1,qword ptr ds:[409090] |
0000000000403B7F | 31C0 | xor eax,eax |
0000000000403B81 | F2:0F104424 60 | movsd xmm0,qword ptr ss:[rsp+60] |
0000000000403B87 | F2:0F584424 68 | addsd xmm0,qword ptr ss:[rsp+68] |
0000000000403B8D | F2:0F5C4424 40 | subsd xmm0,qword ptr ss:[rsp+40] |
0000000000403B93 | 66:0F5405 E5540000 | andpd xmm0,xmmword ptr ds:[409080] |
0000000000403B9B | 66:0F2EC8 | ucomisd xmm1,xmm0 |
0000000000403B9F | 76 24 | jbe nncrackme.403BC5 |
0000000000403BA1 | 48:8D0D A8510000 | lea rcx,qword ptr ds:[408D50] |
0000000000403BA8 | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
0000000000403BAC | 83F2 47 | xor edx,47 |
0000000000403BAF | 29C2 | sub edx,eax |
0000000000403BB1 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
0000000000403BB4 | 48:83C0 01 | add rax,1 |
0000000000403BB8 | 48:83F8 10 | cmp rax,10 |
0000000000403BBC | 75 EA | jne nncrackme.403BA8 |
0000000000403BBE | E9 33FEFFFF | jmp nncrackme.4039F6 |
0000000000403BC3 | 31C0 | xor eax,eax |
0000000000403BC5 | 48:8D0D 94510000 | lea rcx,qword ptr ds:[408D60] |
0000000000403BCC | 0FB61401 | movzx edx,byte ptr ds:[rcx+rax] |
0000000000403BD0 | 83F2 37 | xor edx,37 |
0000000000403BD3 | 29C2 | sub edx,eax |
0000000000403BD5 | 881403 | mov byte ptr ds:[rbx+rax],dl | rbx+rax*1:"ur KEY:"
0000000000403BD8 | 48:83C0 01 | add rax,1 |
0000000000403BDC | 48:83F8 10 | cmp rax,10 |
0000000000403BE0 | 75 EA | jne nncrackme.403BCC |
0000000000403BE2 | E9 0FFEFFFF | jmp nncrackme.4039F6 |
That is the whole of the relevant code.
We are required to enter a 10-character string made up of the hexadecimal digits 0-9 and A-F (the is_key_ok call in the listing is annotated with exactly that character set, and the final answer below is hex).
Length computation and check:
000000000040398D | 48:89F2 | mov rdx,rsi | rsi:"9.998681"
0000000000403990 | 8B0A | mov ecx,dword ptr ds:[rdx] |
0000000000403992 | 48:83C2 04 | add rdx,4 |
0000000000403996 | 8D81 FFFEFEFE | lea eax,qword ptr ds:[rcx-1010101] |
000000000040399C | F7D1 | not ecx |
000000000040399E | 21C8 | and eax,ecx |
00000000004039A0 | 25 80808080 | and eax,80808080 |
00000000004039A5 | 74 E9 | je nncrackme.403990 |
00000000004039A7 | 89C1 | mov ecx,eax |
00000000004039A9 | C1E9 10 | shr ecx,10 |
00000000004039AC | A9 80800000 | test eax,8080 |
00000000004039B1 | 0F44C1 | cmove eax,ecx |
00000000004039B4 | 48:8D4A 02 | lea rcx,qword ptr ds:[rdx+2] |
00000000004039B8 | 48:0F44D1 | cmove rdx,rcx |
00000000004039BC | 89C1 | mov ecx,eax |
00000000004039BE | 00C1 | add cl,al |
00000000004039C0 | 48:83DA 03 | sbb rdx,3 |
00000000004039C4 | 48:29F2 | sub rdx,rsi | rsi:"9.998681"
00000000004039C7 | 48:83FA 0A | cmp rdx,A | compare the input length; exactly 10 characters are required
This is an inlined word-at-a-time strlen: each 4-byte load is tested with (w - 0x01010101) & ~w & 0x80808080, which is non-zero only when one of the four bytes is zero, and the cmove/sbb sequence then locates the terminating byte within that word. If the length is not 10, execution simply falls through, decrypts the string "key len error" and prints it.
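The SWAR length scan above, carried back into C as an added example (this is not the crackme's code, and the 16-byte zero-padded SAMPLE_KEY buffer is constructed for the demonstration). The branch cascade at the end replaces the listing's cmove/add cl,al/sbb rdx,3 trick with the readable equivalent; the important caveat is the same as in the binary: loads run 4 bytes at a time, so the buffer must be readable past the terminator, which the crackme guarantees by zero-filling 256 bytes with rep stosq before scanf.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample input: the write-up's answer in a zero-padded 16-byte
   buffer, so 4-byte loads never run into uninitialised memory. */
static const char SAMPLE_KEY[16] = "F13FE02140";

/* Word-at-a-time strlen as inlined at 403990..4039C7.
   (w - 0x01010101) & ~w & 0x80808080 is non-zero exactly when some byte
   of w is zero; only the LOWEST set bit is reliable (borrows can set
   higher bits spuriously), so the first zero byte is found by testing
   the bytes from low to high, as the listing's cmove/sbb sequence does. */
size_t swar_strlen(const char *s)
{
    const char *p = s;
    uint32_t w, m;

    for (;;) {
        /* mov ecx,[rdx]: assemble the word little-endian regardless of host order */
        w = (uint32_t)(unsigned char)p[0]
          | (uint32_t)(unsigned char)p[1] << 8
          | (uint32_t)(unsigned char)p[2] << 16
          | (uint32_t)(unsigned char)p[3] << 24;
        m = (w - 0x01010101u) & ~w & 0x80808080u;
        if (m != 0)
            break;            /* je 403990 keeps looping while m == 0 */
        p += 4;               /* add rdx,4 */
    }
    if (m & 0x000000FFu) return (size_t)(p - s);
    if (m & 0x0000FF00u) return (size_t)(p - s) + 1;
    if (m & 0x00FF0000u) return (size_t)(p - s) + 2;
    return (size_t)(p - s) + 3;
}

/* The check at 4039C7: the key must be exactly 10 characters long.
   The input is first copied into a zeroed 256-byte buffer, mirroring the
   crackme's rep stosq-cleared stack buffer, so the scan is safe for any
   C string shorter than the buffer. */
int key_len_ok(const char *key)
{
    char buf[256] = {0};
    size_t n = strlen(key);

    if (n >= sizeof buf - 4)
        return 0;
    memcpy(buf, key, n);
    return swar_strlen(buf) == 10;
}
```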
Next comes the character check:
0000000000403A0B | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |
0000000000403A10 | 41:B8 0A000000 | mov r8d,A | A:'\n'
0000000000403A16 | 48:89F1 | mov rcx,rsi | rsi:"9.998681"
0000000000403A19 | E8 C2E2FFFF | call <nncrackme.is_key_ok> | checks that the input consists only of the characters 0-9 A-F
The input must consist of the characters 0-9 and A-F; is_key_ok parses the 10 characters into 5 bytes at [rsp+20] and must return 5 (cmp eax,5), otherwise the check fails and "key char error" is shown.
Further on:
0000000000403A97 | E8 44DBFFFF | call <nncrackme.maybe_add> |
This function is fairly complex. I stepped through it several times but was not able to reconstruct it.
The function's argument is passed in rcx:
Stack contents before entering the function:
60fcf0 key1 60fcf8 key2
60fD00 key1 60fD08 key2
The answer to this problem: F13FE02140
This is what we use as input. In the code before the function call, the key is split into two parts: the first 4 characters form key1 (F13F) and the last 6 characters form key2 (E02140).
Each part is in fact the high-order bytes of a double in hexadecimal: the parsed bytes are written into the top of two zeroed 8-byte stack slots (bytes F1 3F to [rsp+56],[rsp+57]; bytes E0 21 40 to [rsp+5D]..[rsp+5F]), so read as little-endian doubles they become 0x3FF1000000000000 = 1.0625 and 0x4021E00000000000 = 8.9375.
After this function finishes, a sum (double(key1)+double(key2)) is left on the stack at [rsp+40], which is then printed with sprintf(szBuf,"%lf",r8):
0000000000403AA9 | F2:0F104424 40 | movsd xmm0,qword ptr ss:[rsp+40] |
0000000000403AAF | 66:0F28D0 | movapd xmm2,xmm0 |
0000000000403AB3 | 6649:0F7EC0 | movq r8,xmm0 |
0000000000403AE1 | E8 D2FBFFFF | call <JMP.&sprintf> |
After the function has run, the stack contents are as shown above.
Inside the function there is the following check (decompiler output):
v14 = *(double *)(v6 + 16);
if ( v14 <= 1.0 || v14 >= 10.0 || (v15 = *(double *)(v6 + 24), v15 <= 1.0) || v15 >= 10.0 )
{
    *(double *)qword_40CD00 = *(double *)qword_40CD00 * *(double *)qword_40CD00;
    *(_QWORD *)v7 = 0x4024000000000000i64;   // 0x4024000000000000 is the double 10.0
}
v14 is the value of key1 and v15 the value of key2.
Both values must be greater than 1.0 and less than 10.0.
The formatted value here is 9.998681, slightly smaller than the sum of our two inputs (1.0625+8.9375=10.0); for other inputs it may also come out slightly larger. What this function actually does is still unclear to me....