[原创]签到题分析-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]签到题分析

发表于: 2021-11-16 01:18 1771

[原创]签到题分析

西门侠

2021-11-16 01:18

1771

没壳直接上IDA,因为程序是C++写的直接看DialogFunc然后F5
sub_401340(hWnd);为按钮执行函数。以下直接在他函数上备注了。

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

int __cdecl sub_401340(HWND hDlg)
{
  int v1; // ebx
  int v2; // ebx
  int v3; // ecx
  int v4; // eax
  int result; // eax
  signed int v6; // [esp+Ch] [ebp-260h]
  char v7; // [esp+10h] [ebp-25Ch]
  CHAR s1; // [esp+D8h] [ebp-194h]
  CHAR s2; // [esp+1A0h] [ebp-CCh]
 
  memset(&s1, 0, 0xC8u);
  memset(&v7, 0, 0xC8u);
  memset(&s2, 0, 0xC8u);
  v1 = GetDlgItemTextA(hDlg, 1000, &s1, 201); //获取Name
  if ( v1 //判断Name是否输入
    && (v6 = GetDlgItemTextA(hDlg, 1001, &s2, 201), v2 = sub_401260(&s1, v1), strspn(&s2, "0123456789") == strlen(&s2)) //判断SN是否输入以及判断SN是否为纯数字 sub_401260 下面贴上
    && v6 <= 10 //判断SN位数
    && (v4 = sub_40307F(v3, (int)&s2)) != 0 //sub_40307F下面标注
    && (unknown_libname_13(v2 ^ v4, &v7, 16), sub_401260(&v7, 8) == 330861687) ) //unknown_libname_13下面标注
  {
    SetDlgItemTextA(hDlg, 1001, "Success!");
    result = 1;
  }
  else
  {
    SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    result = 0;
  }
  return result;
}
int __cdecl sub_401260(char *a1, int a2) //明显计算CRC32。。。
{
  signed int v2; // ecx
  unsigned int v3; // eax
  unsigned int v4; // eax
  unsigned int v5; // eax
  unsigned int v6; // eax
  unsigned int v7; // eax
  unsigned int v8; // eax
  unsigned int v9; // eax
  unsigned int v10; // eax
  int v11; // edx
  unsigned int v12; // ecx
  char *v13; // esi
  char v14; // al
  int v16[256]; // [esp+0h] [ebp-404h]
 
  v2 = 0;
  do
  {
    v3 = (unsigned int)v2 >> 1;
    if ( v2 & 1 )
      v3 ^= 0xEDB88320;
    if ( v3 & 1 )
      v4 = (v3 >> 1) ^ 0xEDB88320;
    else
      v4 = v3 >> 1;
    if ( v4 & 1 )
      v5 = (v4 >> 1) ^ 0xEDB88320;
    else
      v5 = v4 >> 1;
    if ( v5 & 1 )
      v6 = (v5 >> 1) ^ 0xEDB88320;
    else
      v6 = v5 >> 1;
    if ( v6 & 1 )
      v7 = (v6 >> 1) ^ 0xEDB88320;
    else
      v7 = v6 >> 1;
    if ( v7 & 1 )
      v8 = (v7 >> 1) ^ 0xEDB88320;
    else
      v8 = v7 >> 1;
    if ( v8 & 1 )
      v9 = (v8 >> 1) ^ 0xEDB88320;
    else
      v9 = v8 >> 1;
    if ( v9 & 1 )
      v10 = (v9 >> 1) ^ 0xEDB88320;
    else
      v10 = v9 >> 1;
    v16[v2++] = v10;
  }
  while ( v2 < 256 );
  v11 = a2;
  v12 = -1;
  if ( a2 )
  {
    v13 = a1;
    do
    {
      v14 = *v13++;
      v12 = v16[(unsigned __int8)(v12 ^ v14)] ^ (v12 >> 8);
      --v11;
    }
    while ( v11 );
  }
  return ~v12;
}
// Microsoft VisualC universal runtime
int __cdecl unknown_libname_13(int a1, int a2, int a3)
{
  // 虽然未识别，，，但是调用common_xtox肯定是itoa了
  char v4; // [esp+0h] [ebp-4h]
 
  if ( a3 != 10 || (v4 = 1, a1 >= 0) )
    v4 = 0;
  common_xtox<unsigned long,char>(a1, a2, -1, a3, v4);
  return a2;
}
int __cdecl sub_40307F(int a1)
{
  //字符串转为数字不备注了
  int v1; // ecx
  int v3; // [esp-14h] [ebp-14h]
  int v4; // [esp-10h] [ebp-10h]
  int v5; // [esp-Ch] [ebp-Ch]
  signed int v6; // [esp-8h] [ebp-8h]
  int v7; // [esp-4h] [ebp-4h]
 
  v7 = v1;
  v6 = 1;
  v5 = 10;
  v4 = v1;
  v3 = v1;
  unknown_libname_6(&v3, a1, 0);
  return __crt_strtox::parse_integer<unsigned long,__crt_strtox::c_string_character_source<char>>(0, v3, v4, v5, v6);
}

整个过程代码都有了，下面简单白话下他的过程
1.取Name计算CRC32
2.SN为纯数字小于等于10
3.将SN转为数字
4.将计算的crc32 ^ SN 的CRC32等于330861687即为验证成功.

下面为SN生成器
动态分析1386343770(52a1ed5a)的CRC32为330861687,所以直接用户名的crc32 ^ 1386343770 即可得出SN。

uint32_t crc32(void const* data, int n) {
    uint32_t r = 0xFFFFFFFF;
 
    for (int i = 0; i < n; ++i) {
        r ^= ((char const*)data)[i];
 
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
    }
    return r ^ 0xFFFFFFFF;
}
uint32_t c32 = crc32((char*)"KCTF", strlen((char*)"KCTF"));
printf("SN:%d\n", c32 ^ 1386343770);
输出结果：SN:205824534