-
-
[原创] 签到题 身在何处
-
2021-11-19 18:34
-
拖入IDA中一顿分析得到了下图:
通过分析得到: if ( Name_size \\检测name是否为空 && (key_size = GetDlgItemTextA(hDlg, 1001, key, 201), \\获取key name_hash = hash(Name, Name_size), \\获取name的hash strspn(key, "0123456789") == strlen(key)) \\限制key只能由0-9组成 && key_size <= 10 \\限制key长度 && (key_number = str_to_number((int)key)) != 0 \\将key转化为数字 && (hex_to_str(name_hash ^ key_number, re, 16), hash(re, 8) == 0x13B88C77) ) \\把name的hash与key的数字形式异或,并且进行hash
最后把IDA反汇编的hash函数复制下来,开始漫长的跑密码.
unsigned int __cdecl hash(char* text, int size) {
int i; // ecx
unsigned int v3; // eax
unsigned int v4; // eax
unsigned int v5; // eax
unsigned int v6; // eax
unsigned int v7; // eax
unsigned int v8; // eax
unsigned int v9; // eax
unsigned int v10; // eax
int v11; // edx
unsigned int j; // ecx
char v14; // al
int v16[256]; // [esp+0h] [ebp-404h]
for (i = 0; i < 256; ++i) {
v3 = (unsigned int)i >> 1;
if ((i & 1) != 0)
v3 ^= 0xEDB88320;
if ((v3 & 1) != 0)
v4 = (v3 >> 1) ^ 0xEDB88320;
else
v4 = v3 >> 1;
if ((v4 & 1) != 0)
v5 = (v4 >> 1) ^ 0xEDB88320;
else
v5 = v4 >> 1;
if ((v5 & 1) != 0)
v6 = (v5 >> 1) ^ 0xEDB88320;
else
v6 = v5 >> 1;
if ((v6 & 1) != 0)
v7 = (v6 >> 1) ^ 0xEDB88320;
else
v7 = v6 >> 1;
if ((v7 & 1) != 0)
v8 = (v7 >> 1) ^ 0xEDB88320;
else
v8 = v7 >> 1;
if ((v8 & 1) != 0)
v9 = (v8 >> 1) ^ 0xEDB88320;
else
v9 = v8 >> 1;
if ((v9 & 1) != 0)
v10 = (v9 >> 1) ^ 0xEDB88320;
else
v10 = v9 >> 1;
v16[i] = v10;
}
v11 = size;
for (j = -1; v11; --v11) {
v14 = *text++;
j = v16[(unsigned __int8)(j ^ v14)] ^ (j >> 8);
}
return ~j;
}
int main() {
char name[]{"KCTF"};
int name_hash = hash(name, 4);
char buff[9]{};
for (size_t i = 999999999; i > 0; i--) {
memset(buff, 0, 9);
sprintf(buff, "%x", (i ^ name_hash));
if (hash(buff, 8) == 0x13B88C77) {
printf("%d", i);
getchar();
}
}
printf("Not Fount");
getchar();
}[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
|
|
|---|---|
