工具:IDA、Python
代码错误时:输出error
程序整理的逻辑结构清晰,最终通过 if ( v14 && v13 ) 之后,才判断正确
构造序列号为:XXXXXKCTFYYYYY
直接采取爆破的方式,分别获取前后的5个数字字符。
5位数值依次传给种子,逐个生成,并与内置数值比较,成功即记录并退出循环。
C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
C:\Users\surface>
C:\Users\surface>C:\Users\surface\OneDrive\Crack\CTF\Kanxue2022KCTFAutumn\06\CrackMe\CrackMe.exe
please input :
0123456789
error
请按任意键继续. . .
C:\Users\surface>
int __cdecl main(int argc, const char **argv, const char **envp)
{
int preValue; // eax
unsigned int preValueCopy; // ebx
int sufValue; // eax
unsigned int sufValueCopy; // edi
int *v7; // esi
int *v8; // esi
char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF
char sufStr[8]; // [esp+84h] [ebp-20h] BYREF
char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF
int v13; // [esp+94h] [ebp-10h]
int v14; // [esp+98h] [ebp-Ch]
int v15; // [esp+9Ch] [ebp-8h]
memset(inputSN, 0, sizeof(inputSN));
printf("please input :\n");
scanf_s("%s", inputSN);
if ( sub_B91000(inputSN) != 0xE )
goto LABEL_19;
preStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);
v15 = *(_DWORD *)&inputSN[5];
sufStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];
preValueCopy = preValue;
sufStr[4] = inputSN[0xD];
sufValue = atoi(sufStr);
v13 = 0;
sufValueCopy = sufValue;
v14 = 1; // 需保证为1
srand(preValueCopy);
v7 = dword_B9F000;
while ( rand() == *v7 ) // 依次获取的随机值需与内置全局数组相等
{
if ( (int)++v7 >= (int)dword_B9F050 )
goto LABEL_7; // 要跳出来。避开 v14=0
}
v14 = 0; // 执行了这一步就错
LABEL_7:
srand(sufValueCopy);
v8 = dword_B9F050;
while ( rand() == *v8 ) // 依次获取的随机值需与内置全局数组相等
{
if ( (int)++v8 >= (int)&dword_B9F0A0 )
goto LABEL_12; // 要跳出来。避开 v14=0
}
v14 = 0; // 执行了这一步就错
LABEL_12:
if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )// KCTF
v13 = 1;
if ( v14 && v13 )
{
printf("success : %s\n", inputSN);
system("pause");
}
else
{
LABEL_19:
printf("error\n");
system("pause");
}
return 0;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
int preValue; // eax
unsigned int preValueCopy; // ebx
int sufValue; // eax
unsigned int sufValueCopy; // edi
int *v7; // esi
int *v8; // esi
char inputSN[128]; // [esp+4h] [ebp-A0h] BYREF
char sufStr[8]; // [esp+84h] [ebp-20h] BYREF
char preStr[8]; // [esp+8Ch] [ebp-18h] BYREF
int v13; // [esp+94h] [ebp-10h]
int v14; // [esp+98h] [ebp-Ch]
int v15; // [esp+9Ch] [ebp-8h]
memset(inputSN, 0, sizeof(inputSN));
printf("please input :\n");
scanf_s("%s", inputSN);
if ( sub_B91000(inputSN) != 0xE )
goto LABEL_19;
preStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);
v15 = *(_DWORD *)&inputSN[5];
sufStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)sufStr = *(_DWORD *)&inputSN[9];
preValueCopy = preValue;
sufStr[4] = inputSN[0xD];
sufValue = atoi(sufStr);
v13 = 0;
sufValueCopy = sufValue;
v14 = 1; // 需保证为1
srand(preValueCopy);
v7 = dword_B9F000;
while ( rand() == *v7 ) // 依次获取的随机值需与内置全局数组相等
{
if ( (int)++v7 >= (int)dword_B9F050 )
goto LABEL_7; // 要跳出来。避开 v14=0
}
v14 = 0; // 执行了这一步就错
LABEL_7:
srand(sufValueCopy);
v8 = dword_B9F050;
while ( rand() == *v8 ) // 依次获取的随机值需与内置全局数组相等
{
if ( (int)++v8 >= (int)&dword_B9F0A0 )
goto LABEL_12; // 要跳出来。避开 v14=0
}
v14 = 0; // 执行了这一步就错
LABEL_12:
if ( (_BYTE)v15 == 'K' && *(_WORD *)((char *)&v15 + 1) == 'TC' && HIBYTE(v15) == 'F' )// KCTF
v13 = 1;
if ( v14 && v13 )
{
printf("success : %s\n", inputSN);
system("pause");
}
else
{
LABEL_19:
printf("error\n");
system("pause");
}
return 0;
}
void __cdecl srand(unsigned int Seed)
{
*(_DWORD *)(_getptd() + 0x14) = Seed;
}
void __cdecl srand(unsigned int Seed)
{
*(_DWORD *)(_getptd() + 0x14) = Seed;
}
int __cdecl rand()
{
int v0; // ecx
unsigned int v1; // eax
v0 = _getptd();
v1 = 0x343FD * *(_DWORD *)(v0 + 0x14) + 0x269EC3;
*(_DWORD *)(v0 + 0x14) = v1;
return HIWORD(v1) & 0x7FFF;
}
int __cdecl rand()
{
int v0; // ecx
unsigned int v1; // eax
v0 = _getptd();
v1 = 0x343FD * *(_DWORD *)(v0 + 0x14) + 0x269EC3;
*(_DWORD *)(v0 + 0x14) = v1;
return HIWORD(v1) & 0x7FFF;
}
if ( sub_B91000(inputSN) != 0xE )
if ( sub_B91000(inputSN) != 0xE )
preStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);
preStr[5] = 0; // 字符串截断符:只允许5个字节
*(_DWORD *)preStr = *(_DWORD *)inputSN;
preStr[4] = inputSN[4];
preValue = atoi(preStr);
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
