
[原创]签到题 身在何处

2021-11-15 13:05
2317

签到题 身在何处

将题目丢入ida, shift + F12 定位至关键字符串

/*
 * Decompiled (IDA) handler of the crackme's dialog: reads the name and
 * serial edit controls and tells the user whether the serial matches.
 *
 * hDlg: dialog whose control 1000 holds the name and control 1001 the serial.
 * Returns 1 and writes "Success!" to control 1001 on a match, otherwise 0
 * and "Wrong Serial!".
 *
 * Acceptance chain, in evaluation order (the && / comma sequencing below is
 * the decompiler's rendering of short-circuit branches):
 *   1. name is non-empty (GetDlgItemTextA returned a non-zero length);
 *   2. serial is read into Str and v2 = sub_401260(name, name_len) — the
 *      author's reimplementation later in this post shows sub_401260 to be
 *      a table-driven CRC-32;
 *   3. Str consists only of decimal digits (an empty Str also passes this
 *      test, since strspn and strlen are both 0);
 *   4. serial length v6 <= 10;
 *   5. v4 = sub_40307F(v3, Str) != 0 — v3 is never assigned in this
 *      function (an ecx pass-through left by the decompiler); presumably a
 *      string-to-integer conversion of Str, as the author treats v4 as the
 *      numeric serial — not confirmed here;
 *   6. unknown_libname_13(v2 ^ v4, v7, 16) formats v2 ^ v4 into v7 — the
 *      trailing 16 reads like a radix, so likely an itoa-style call (not
 *      confirmed here); then sub_401260(v7, 8) over the first 8 bytes of v7
 *      must equal 330861687 (0x13B88C77).
 *
 * NOTE(review): the three buffers are 200 bytes, but GetDlgItemTextA is
 * given a maximum of 201 characters (the count includes the terminating
 * NUL), so a 200-character input writes one byte past String / Str.
 * Irrelevant for the intended inputs; worth knowing if the binary is reused.
 */
int __cdecl sub_401340(HWND hDlg)
{
  UINT DlgItemTextA; // ebx — length of the name read from control 1000
  int v2; // ebx — sub_401260(name, len); CRC-32 per the reimplementation below
  int v3; // ecx — uninitialized: decompiler artifact, see header comment
  int v4; // eax — sub_40307F(v3, Str); the numeric serial (assumed)
  signed int v6; // [esp+Ch] [ebp-260h] — length of the serial read from control 1001
  char v7[200]; // [esp+10h] [ebp-25Ch] BYREF — text form of v2 ^ v4, hashed again
  CHAR String[200]; // [esp+D8h] [ebp-194h] BYREF — name (author observed "KCTF")
  CHAR Str[200]; // [esp+1A0h] [ebp-CCh] BYREF — serial as typed by the user
 
  /* All three buffers start zeroed, so the 8-byte hash of v7 below reads
   * NUL padding when the formatted text is shorter than 8 characters. */
  memset(String, 0, sizeof(String));
  memset(v7, 0, sizeof(v7));
  memset(Str, 0, sizeof(Str));
  DlgItemTextA = GetDlgItemTextA(hDlg, 1000, String, 201);
  if ( DlgItemTextA
    && (v6 = GetDlgItemTextA(hDlg, 1001, Str, 201),
        v2 = sub_401260(String, DlgItemTextA),
        strspn(Str, "0123456789") == strlen(Str))   /* digits only */
    && v6 <= 10                                      /* at most 10 digits */
    && (v4 = sub_40307F(v3, (int)Str)) != 0
    && (unknown_libname_13(v2 ^ v4, v7, 16), sub_401260(v7, 8) == 330861687) )
  {
    SetDlgItemTextA(hDlg, 1001, "Success!");
    return 1;
  }
  else
  {
    SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    return 0;
  }
}

动调可以发现其中变量 String 为用户名, 即KCTF

 

而 Str 是需验证的 Serial, 假设输入1234

 

v2 = sub_401260("KCTF", DlgItemTextA) == 0x5EE54F4C

 

v4 = 1234

 

v7 = v2 ^ v4 (经 unknown_libname_13 以 16 为基数转换成的字符串)

 

而如果 sub_401260(v7, 8) == 330861687 (即 0x13B88C77) 就输出 Success

 

于是将 sub_401260 抄下来,并将其中初始化部分分离出来

 

进行一个 32位的爆破

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
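/*
 * CRC-32 lookup table (reflected polynomial 0xEDB88320), filled by init().
 * Kept at file scope under its decompiler name because sub_221260() indexes
 * it the way the original routine indexed its stack array ([ebp-404h]).
 * Stored unsigned: every entry is a 32-bit bit pattern, and the original
 * int table relied on implementation-defined narrowing for values > INT_MAX.
 */
unsigned int v16[256];

/*
 * Reimplementation of the crackme's sub_401260 (same routine under a
 * different IDA image base): table-driven CRC-32 over the first a2 bytes
 * of a1, initial value 0xFFFFFFFF, final complement.
 *
 * a1: bytes to hash; only the first a2 bytes are read, so the buffer must
 *     be at least a2 bytes long (NUL bytes are hashed like any other byte).
 * a2: number of bytes; a2 <= 0 yields 0, the CRC-32 of empty input.
 *     (The original decremented a2 until it reached 0, so a negative a2
 *     would have run until signed wrap-around.)
 * Returns the CRC as int — the same bit pattern as the unsigned result,
 * matching the comparisons in main().
 *
 * init() must have filled v16 before the first call.
 *
 * The MSVC-only `__cdecl` and `unsigned __int8` of the decompiler output are
 * dropped so the brute forcer also builds with GCC/Clang; cdecl is the
 * default convention for a plain C function, so callers are unaffected.
 */
int sub_221260(const char *a1, int a2)
{
    unsigned int crc = 0xFFFFFFFFu;   /* j = -1 in the decompiled code */

    if (a2 <= 0) {
        return (int)~crc;
    }
    for (int remaining = a2; remaining != 0; --remaining) {
        /* Read as an unsigned byte: the original XORed a (possibly signed)
         * char into the accumulator and truncated to 8 bits, which yields
         * the same table index. */
        unsigned char byte = (unsigned char)*a1++;
        crc = v16[(crc ^ byte) & 0xFFu] ^ (crc >> 8);
    }
    return (int)~crc;
}

/*
 * Fill v16 with the standard reflected CRC-32 table: for each byte value,
 * apply the shift-and-conditional-XOR step eight times. The decompiled
 * version spelled the eight steps out by hand (v3 .. v10); this loop is the
 * same computation. Safe to call more than once (the table is recomputed).
 */
void init(void)
{
    for (unsigned int i = 0; i < 256; ++i) {
        unsigned int c = i;
        for (int bit = 0; bit < 8; ++bit) {
            c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
        }
        v16[i] = c;
    }
}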
 
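/*
 * Brute-force the serial.
 *
 * The crackme accepts a numeric serial v4 when
 *     CRC32(hex(CRC32("KCTF") ^ v4), 8 bytes) == 0x13B88C77,
 * with CRC32("KCTF") = 0x5EE54F4C as observed by the author. This loop tries
 * every candidate in 1 .. 0x7FFFFFFE (the author's original range — the
 * target only bounds the serial to 10 decimal digits, so candidates above
 * this range are not examined) and prints each one that passes.
 *
 * Differences from the original listing, behavior unchanged:
 *   - snprintf("%x") replaces the non-standard itoa(..., 16); MSVC's itoa
 *     formats non-decimal radices as unsigned lowercase hex, which is what
 *     "%x" on the unsigned value produces.
 *   - a zero-initialised stack buffer replaces a malloc/memset/free per
 *     iteration.
 *
 * Returns 0.
 */
int main(void)
{
    enum {
        USERNAME_CRC = 0x5EE54F4C,  /* sub_401260("KCTF", 4) in the target */
        TARGET_CRC = 0x13B88C77,    /* 330861687 in the decompiled check */
        HASHED_LEN = 8,             /* the target hashes exactly 8 bytes of v7 */
        LIMIT = 0x7fffffff          /* exclusive upper bound of the original loop */
    };

    init();
    for (unsigned int i = 1; i < (unsigned int)LIMIT; ++i) {
        unsigned int g = i ^ USERNAME_CRC;
        /* Zeroed on every iteration: the target memset()s its buffer before
         * formatting, and the CRC reads HASHED_LEN bytes even when the hex
         * text is shorter, so the padding must be NUL. */
        char str[20] = {0};
        snprintf(str, sizeof str, "%x", g);
        if (sub_221260(str, HASHED_LEN) == TARGET_CRC) {
            printf("%u\n", i);
        }
    }
    return 0;
}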

爆破结果为

 

205824534
810586746

 

提交第一个 结果正确

