-
-
[原创] 签到题 身在何处
-
发表于: 2021-11-19 18:34 2349
-
拖入IDA中一顿分析得到了下图:
通过分析得到: if ( Name_size \\检测name是否为空 && (key_size = GetDlgItemTextA(hDlg, 1001, key, 201), \\获取key name_hash = hash(Name, Name_size), \\获取name的hash strspn(key, "0123456789") == strlen(key)) \\限制key只能由0-9组成 && key_size <= 10 \\限制key长度 && (key_number = str_to_number((int)key)) != 0 \\将key转化为数字 && (hex_to_str(name_hash ^ key_number, re, 16), hash(re, 8) == 0x13B88C77) ) \\把name的hash与key的数字形式异或,并且进行hash
最后把IDA反汇编的hash函数复制下来,开始漫长的跑密码.
unsigned int __cdecl hash(char* text, int size) { int i; // ecx unsigned int v3; // eax unsigned int v4; // eax unsigned int v5; // eax unsigned int v6; // eax unsigned int v7; // eax unsigned int v8; // eax unsigned int v9; // eax unsigned int v10; // eax int v11; // edx unsigned int j; // ecx char v14; // al int v16[256]; // [esp+0h] [ebp-404h] for (i = 0; i < 256; ++i) { v3 = (unsigned int)i >> 1; if ((i & 1) != 0) v3 ^= 0xEDB88320; if ((v3 & 1) != 0) v4 = (v3 >> 1) ^ 0xEDB88320; else v4 = v3 >> 1; if ((v4 & 1) != 0) v5 = (v4 >> 1) ^ 0xEDB88320; else v5 = v4 >> 1; if ((v5 & 1) != 0) v6 = (v5 >> 1) ^ 0xEDB88320; else v6 = v5 >> 1; if ((v6 & 1) != 0) v7 = (v6 >> 1) ^ 0xEDB88320; else v7 = v6 >> 1; if ((v7 & 1) != 0) v8 = (v7 >> 1) ^ 0xEDB88320; else v8 = v7 >> 1; if ((v8 & 1) != 0) v9 = (v8 >> 1) ^ 0xEDB88320; else v9 = v8 >> 1; if ((v9 & 1) != 0) v10 = (v9 >> 1) ^ 0xEDB88320; else v10 = v9 >> 1; v16[i] = v10; } v11 = size; for (j = -1; v11; --v11) { v14 = *text++; j = v16[(unsigned __int8)(j ^ v14)] ^ (j >> 8); } return ~j; } int main() { char name[]{"KCTF"}; int name_hash = hash(name, 4); char buff[9]{}; for (size_t i = 999999999; i > 0; i--) { memset(buff, 0, 9); sprintf(buff, "%x", (i ^ name_hash)); if (hash(buff, 8) == 0x13B88C77) { printf("%d", i); getchar(); } } printf("Not Fount"); getchar(); }
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
- [原创]第一题-失控的AI-韦达定理的逆定理 2675
- [原创] 签到题 身在何处 2350
- [下载]Bandizip v7.19部分破解 4488
看原图
赞赏
雪币:
留言: