[原创]签到题 身在何处
发表于: 2021-11-15 13:05 2296
签到题 身在何处
将题目丢入ida, shift + F12 定位至关键字符串
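/*
 * IDA decompilation of the crackme's dialog check routine (sub_401340).
 * The listing is restored to valid C: the gutter numbers fused into the
 * text are dropped and the split tokens ("/ /", "= =", "< =", "! =") are
 * rejoined. Names and constants are exactly as the decompiler emitted them.
 *
 * Flow, as far as the listing shows:
 *   1. Read dialog item 1000 into String and item 1001 into Str.
 *   2. v2 = sub_401260(String, length of String).
 *   3. Str must consist only of decimal digits and its length (v6) must be
 *      at most 10.
 *   4. v4 = sub_40307F(..., Str) must be non-zero.
 *   5. unknown_libname_13(v2 ^ v4, v7, 16) fills v7, and
 *      sub_401260(v7, 8) must equal 330861687 (0x13B88C77).
 *
 * Returns 1 after writing "Success!" to item 1001, otherwise 0 after
 * writing "Wrong Serial!".
 */
int __cdecl sub_401340(HWND hDlg)
{
  UINT DlgItemTextA; // ebx
  int v2; // ebx
  int v3; // ecx
  int v4; // eax
  signed int v6; // [esp+Ch] [ebp-260h]
  char v7[200]; // [esp+10h] [ebp-25Ch] BYREF
  CHAR String[200]; // [esp+D8h] [ebp-194h] BYREF
  CHAR Str[200]; // [esp+1A0h] [ebp-CCh] BYREF

  memset(String, 0, sizeof(String));
  memset(v7, 0, sizeof(v7));
  memset(Str, 0, sizeof(Str));

  // NOTE(review): both reads pass a maximum count of 201 for buffers the
  // decompiler sized at 200 bytes (the stack offsets are 0xC8 apart), so a
  // maximum-length input would write one byte past the end. This may be an
  // artifact of IDA's array sizing; confirm against the disassembly.
  DlgItemTextA = GetDlgItemTextA(hDlg, 1000, String, 201);
  if ( DlgItemTextA
    && (v6 = GetDlgItemTextA(hDlg, 1001, Str, 201),
        v2 = sub_401260(String, DlgItemTextA),
        // Digits-only check: strspn() covers the whole string only when
        // every character is in "0123456789".
        strspn(Str, "0123456789") == strlen(Str))
    && v6 <= 10
    // v3 is never assigned in this listing; presumably a register the
    // decompiler mistook for an argument. sub_40307F looks atoi-like: the
    // write-up observes v4 == 1234 for the input "1234".
    && (v4 = sub_40307F(v3, (int)Str)) != 0
    // unknown_libname_13 is presumably an itoa-style conversion with
    // radix 16 (the write-up's solver reproduces it with itoa(..., 16)).
    // v7 was zeroed above, so hashing a fixed 8 bytes includes trailing
    // NULs when the hex string is shorter than 8 characters.
    && (unknown_libname_13(v2 ^ v4, v7, 16), sub_401260(v7, 8) == 330861687) )
  {
    SetDlgItemTextA(hDlg, 1001, "Success!");
    return 1;
  }
  else
  {
    SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    return 0;
  }
}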
动调可以发现其中变量 String 为用户名, 即KCTF
而 Str 是需验证的 Serial, 假设输入1234
v2 = sub_401260("KCTF", DlgItemTextA) == 0x5EE54F4C
v4 = 1234
v7 = (v2 ^ v4) 的十六进制字符串, 即 unknown_libname_13(v2 ^ v4, v7, 16) 的输出
而如果 sub_401260(v7, 8) == 330861687 (即 0x13B88C77) 就输出 Success
于是将 sub_401260 抄下来 (从查表常量 0xEDB88320 可以看出它是查表实现的 CRC-32), 并将其中初始化查找表的部分分离出来
由于校验值只有 32 位, 可以直接对 Serial 进行一个 32位的爆破
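#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reflected CRC-32 polynomial that appears in the decompiled table setup. */
#define CRC32_POLY 0xEDB88320u

/* 256-entry lookup table; must be filled by init() before any hashing. */
uint32_t v16[256];

/**
 * Table-driven CRC-32 copied from the target's sub_401260.
 *
 * Starts from 0xFFFFFFFF, folds in one byte per step through v16, and
 * returns the bitwise complement of the final state.
 *
 * @param a1  bytes to hash; at least a2 bytes must be readable
 * @param a2  number of bytes to hash; zero or negative hashes nothing
 * @return    the checksum, reinterpreted as int as in the decompilation
 */
int sub_221260(const char *a1, int a2)
{
    uint32_t crc = 0xFFFFFFFFu;

    /* "> 0" instead of "!= 0": a negative length must not run off the buffer. */
    while (a2-- > 0) {
        /* Go through uint8_t so a signed char cannot sign-extend into the index. */
        uint8_t byte = (uint8_t)*a1++;
        crc = v16[(uint8_t)(crc ^ byte)] ^ (crc >> 8);
    }
    return (int)~crc;
}

/**
 * Fill v16 with the CRC-32 lookup table.
 *
 * The decompiler had unrolled the eight shift/xor rounds per entry into
 * eight temporaries; they are folded back into a loop here.
 */
void init(void)
{
    for (uint32_t i = 0; i < 256; ++i) {
        uint32_t c = i;

        for (int bit = 0; bit < 8; ++bit) {
            c = (c & 1u) ? (c >> 1) ^ CRC32_POLY : c >> 1;
        }
        v16[i] = c;
    }
}

/**
 * Exhaust the serial space for the user name "KCTF".
 *
 * For each candidate serial i the target computes
 * crc32(hex(name_crc ^ i), 8) and compares it with a fixed constant.
 * Because the check is a 32-bit non-cryptographic checksum, the whole
 * space can simply be enumerated; every matching serial is printed.
 */
int main(void)
{
    /* sub_401260("KCTF", len), as observed in the debugger by the write-up. */
    const uint32_t name_crc = 0x5EE54F4Cu;
    /* 330861687 in the decompiled comparison. */
    const uint32_t target = 0x13B88C77u;

    init();

    /* The serial is at most 10 decimal digits and parsed as an int, so
     * positive 31-bit values cover the candidates tried here. */
    for (uint32_t i = 1; i < 0x7fffffffu; ++i) {
        /* Zeroed on every pass: the target hashes exactly 8 bytes of a
         * zero-filled buffer, so short hex strings are NUL-padded. */
        char str[20] = {0};

        /* snprintf("%x") replaces the non-standard itoa(g, str, 16) and
         * yields the same lowercase, unpadded hex text. */
        snprintf(str, sizeof str, "%x", (unsigned int)(i ^ name_crc));

        if ((uint32_t)sub_221260(str, 8) == target) {
            /* i is unsigned, so %u rather than %d. */
            printf("%u\n", (unsigned int)i);
        }
    }
    return 0;
}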
爆破结果为
205824534
810586746
提交第一个 结果正确