1 RE-Crc-300
1.1 题目
win32程序,无壳,直接ida打开
1.2 分析
1.2.1 WinMain
// Process entry point of the crackme (IDA pseudo-code). It stores the module
// handle in a global, runs the modal dialog whose window procedure is
// DialogFunc (which, per the writeup, leads to the check routine sub_D91190),
// and always returns 0.
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
dword_DA2F58 = (int)hInstance; // IDA-named global keeping the module handle
DialogBoxParamA(hInstance, (LPCSTR)0x65, 0, DialogFunc, 0); // dialog template resource id 0x65; blocks until the dialog closes
GetLastError(); // result is discarded; the process exit code is 0 regardless
return 0;
}
这种程序的调用过程是从WinMain开始,然后调用DialogFunc,于是查看DialogFunc
1.2.2 DialogFunc
查看判断函数sub_D91190
1.2.3 sub_D91190
// Serial check reached from DialogFunc (IDA pseudo-code). Returns 1 when the
// 20-character input passes every check, 0 otherwise. The local declarations
// (v1, v2, v4..v8, result) were elided from the listing ("..."), so the exact
// types of the two running registers v4/v6 are not visible here.
// NOTE(review): if v4/v6 are signed ints, `>> 8` is an arithmetic shift; the
// Python port on this page uses a logical shift, so confirm against the binary.
signed int __thiscall sub_D91190(const char *this)
{
...
v1 = this;
v2 = strlen(this);
result = 0;
if ( v2 == 20 ) // input must be exactly 20 characters long
{
while ( byte_D9FD48[result] == (v1[result + 10] ^ 7) )// simple XOR check: input chars 10..19 XOR 7 must match the 10-byte constant byte_D9FD48 ("c program!" per the writeup)
{
if ( ++result >= 10 )
{
v4 = -1;
byte_DA20C0[0] = *v1; // the first 10 input chars overwrite the 256-byte table byte_DA20C0 at stride 0x11 (offsets 0x00, 0x11, ..., 0x99)
byte_DA20D1 = v1[1];
byte_DA20E2 = v1[2];
byte_DA20F3 = v1[3];
byte_DA2104 = v1[4];
byte_DA2115 = v1[5];
byte_DA2126 = v1[6];
byte_DA2137 = v1[7];
byte_DA2148 = v1[8];
v5 = v1[9];
v6 = -1;
byte_DA2159 = v5;
v7 = 0;
do
{
v6 = dword_D9FD60[2 * (unsigned __int8)(v6 ^ byte_DA20C0[v7])] ^ (v6 >> 8);// even-indexed table bytes: table-driven update r = T[(r ^ b) & 0xff] ^ (r >> 8) using the first dword of each 8-byte entry
v4 = dword_D9FD64[2 * (unsigned __int8)(v4 ^ byte_DA20C1[v7])] ^ (v4 >> 8);// odd-indexed table bytes: same update using the second dword of each entry
v7 += 2;
}
while ( v7 < 256 ); // 128 iterations, two bytes each, cover all 256 table bytes
v8 = ~v4;
if ( ~v6 == 0xBA56C4F9 && v8 == 0xE89BA203 ) // both registers are inverted and compared with hard-coded constants
return 1;
break;
}
}
result = 0;
}
return result;
}
byte_DA20C0数组如下:
00DB20C0 53 6F 20 74 68 69 73 20 69 73 20 61 20 6E 6F 74 So this is a not
00DB20D0 20 64 69 66 66 63 75 6C 74 20 70 72 6F 62 6C 65 diffcult proble
00DB20E0 6D 20 69 66 20 79 6F 75 20 68 61 76 65 20 61 20 m if you have a
00DB20F0 76 65 72 79 20 67 6F 6F 64 20 63 6F 6D 70 75 74 very good comput
00DB2100 65 2E 42 75 74 20 69 66 20 79 6F 75 20 64 6F 20 e.But if you do
00DB2110 6E 6F 74 20 68 61 76 65 20 61 20 67 6F 6F 64 20 not have a good
00DB2120 63 6F 6D 70 75 74 65 72 2E 49 74 20 73 65 65 6D computer.It seem
00DB2130 73 20 74 68 61 74 20 74 68 69 73 20 70 72 6F 62 s that this prob
00DB2140 6C 65 6D 20 77 69 6C 6C 20 74 61 6B 65 20 61 20 lem will take a
00DB2150 6C 6F 74 20 6F 66 20 74 69 6D 65 2E 42 75 74 20 lot of time.But
00DB2160 6E 6F 74 20 74 68 69 6E 67 20 69 73 20 69 6D 70 not thing is imp
00DB2170 6F 73 73 69 62 6C 65 2E 53 6F 20 6A 75 73 74 20 ossible.So just
00DB2180 74 72 79 20 69 74 21 21 53 6F 6D 65 20 74 69 6D try it!!Some tim
00DB2190 65 73 2C 54 68 65 20 74 68 69 6E 67 20 77 65 20 es,The thing we
00DB21A0 73 65 65 6D 20 69 73 20 6E 6F 74 20 72 65 61 6C seem is not real
00DB21B0 6C 20 5B 5D 5B 5D 28 29 28 29 3C 3E 3C 3E 2E 2E l [][]()()<><>..
1.判断长度是否为20
2.异或校验
3.单表替换,求和,进行奇偶循环校验:奇数位和偶数位使用同一套查表体系,但各自得到一个结果
4.取反,判断两个结果是否为预置的两个值
1.3 解题
破解思路,两部分,异或一部分求逆,另一部分爆破
1.3.1 求逆部分
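# Undo the XOR-with-7 check on input characters 10..19: byte_D9FD48 holds the
# expected (already XOR-ed) bytes, so XOR-ing each of them with 7 again gives
# the plaintext the binary wants there.
data = "d'wuh`ufj&"
flag = ''.join(chr(ord(ch) ^ 7) for ch in data)
print(flag)  # -> c program!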
结果为:c program!
1.3.2 爆破部分
replace=[0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x96,0x30,0x07,0x77,0x03,0x83,0x6B,0xF2
,0x2C,0x61,0x0E,0xEE,0xF7,0x70,0x3B,0xE1,0xBA,0x51,0x09,0x99,0xF4,0xF3,0x50,0x13
,0x19,0xC4,0x6D,0x07,0x1F,0x97,0x9A,0xC7,0x8F,0xF4,0x6A,0x70,0x1C,0x14,0xF1,0x35
,0x35,0xA5,0x63,0xE9,0xE8,0xE7,0xA1,0x26,0xA3,0x95,0x64,0x9E,0xEB,0x64,0xCA,0xD4
,0x32,0x88,0xDB,0x0E,0xCF,0x58,0xD9,0x8A,0xA4,0xB8,0xDC,0x79,0xCC,0xDB,0xB2,0x78
,0x1E,0xE9,0xD5,0xE0,0x38,0x28,0xE2,0x6B,0x88,0xD9,0xD2,0x97,0x3B,0xAB,0x89,0x99
,0x2B,0x4C,0xB6,0x09,0xD0,0xCF,0x43,0x4D,0xBD,0x7C,0xB1,0x7E,0xD3,0x4C,0x28,0xBF
,0x07,0x2D,0xB8,0xE7,0x27,0xBF,0x78,0xAC,0x91,0x1D,0xBF,0x90,0x24,0x3C,0x13,0x5E
,0x64,0x10,0xB7,0x1D,0x6F,0xC7,0x5E,0x10,0xF2,0x20,0xB0,0x6A,0x6C,0x44,0x35,0xE2
,0x48,0x71,0xB9,0xF3,0x98,0xB7,0x65,0xF1,0xDE,0x41,0xBE,0x84,0x9B,0x34,0x0E,0x03
,0x7D,0xD4,0xDA,0x1A,0x70,0x50,0xC4,0xD7,0xEB,0xE4,0xDD,0x6D,0x73,0xD3,0xAF,0x25
,0x51,0xB5,0xD4,0xF4,0x87,0x20,0xFF,0x36,0xC7,0x85,0xD3,0x83,0x84,0xA3,0x94,0xC4
,0x56,0x98,0x6C,0x13,0xA0,0x9F,0x87,0x9A,0xC0,0xA8,0x6B,0x64,0xA3,0x1C,0xEC,0x68
,0x7A,0xF9,0x62,0xFD,0x57,0xEF,0xBC,0x7B,0xEC,0xC9,0x65,0x8A,0x54,0x6C,0xD7,0x89
,0x4F,0x5C,0x01,0x14,0xBF,0x08,0x1D,0x5D,0xD9,0x6C,0x06,0x63,0xBC,0x8B,0x76,0xAF
,0x63,0x3D,0x0F,0xFA,0x48,0x78,0x26,0xBC,0xF5,0x0D,0x08,0x8D,0x4B,0xFB,0x4D,0x4E
,0xC8,0x20,0x6E,0x3B,0xDE,0x8E,0xBD,0x20,0x5E,0x10,0x69,0x4C,0xDD,0x0D,0xD6,0xD2
,0xE4,0x41,0x60,0xD5,0x29,0xFE,0x86,0xC1,0x72,0x71,0x67,0xA2,0x2A,0x7D,0xED,0x33
,0xD1,0xE4,0x03,0x3C,0xC1,0x19,0x27,0xE7,0x47,0xD4,0x04,0x4B,0xC2,0x9A,0x4C,0x15
,0xFD,0x85,0x0D,0xD2,0x36,0x69,0x1C,0x06,0x6B,0xB5,0x0A,0xA5,0x35,0xEA,0x77,0xF4
,0xFA,0xA8,0xB5,0x35,0x11,0xD6,0x64,0xAA,0x6C,0x98,0xB2,0x42,0x12,0x55,0x0F,0x58
,0xD6,0xC9,0xBB,0xDB,0xE6,0xA6,0x5F,0x4B,0x40,0xF9,0xBC,0xAC,0xE5,0x25,0x34,0xB9
,0xE3,0x6C,0xD8,0x32,0x0E,0x41,0xFE,0x6D,0x75,0x5C,0xDF,0x45,0x0D,0xC2,0x95,0x9F
,0xCF,0x0D,0xD6,0xDC,0xF9,0x31,0xC5,0x8C,0x59,0x3D,0xD1,0xAB,0xFA,0xB2,0xAE,0x7E
,0xAC,0x30,0xD9,0x26,0xB1,0x49,0xE3,0x30,0x3A,0x00,0xDE,0x51,0xB2,0xCA,0x88,0xC2
,0x80,0x51,0xD7,0xC8,0x46,0x39,0xD8,0xD1,0x16,0x61,0xD0,0xBF,0x45,0xBA,0xB3,0x23
,0xB5,0xF4,0xB4,0x21,0xAE,0xDE,0x79,0xF7,0x23,0xC4,0xB3,0x56,0xAD,0x5D,0x12,0x05
,0x99,0x95,0xBA,0xCF,0x59,0xAE,0x42,0x16,0x0F,0xA5,0xBD,0xB8,0x5A,0x2D,0x29,0xE4
,0x9E,0xB8,0x02,0x28,0x7E,0x11,0x3A,0xBA,0x08,0x88,0x05,0x5F,0x7D,0x92,0x51,0x48
,0xB2,0xD9,0x0C,0xC6,0x89,0x61,0x01,0x5B,0x24,0xE9,0x0B,0xB1,0x8A,0xE2,0x6A,0xA9
,0x87,0x7C,0x6F,0x2F,0x61,0x86,0xA0,0x7D,0x11,0x4C,0x68,0x58,0x62,0x05,0xCB,0x8F
,0xAB,0x1D,0x61,0xC1,0x96,0xF6,0x9B,0x9C,0x3D,0x2D,0x66,0xB6,0x95,0x75,0xF0,0x6E
,0x90,0x41,0xDC,0x76,0xBC,0x1D,0x7B,0x41,0x06,0x71,0xDB,0x01,0xBF,0x9E,0x10,0xB3
,0xBC,0x20,0xD2,0x98,0x4B,0x6D,0x40,0xA0,0x2A,0x10,0xD5,0xEF,0x48,0xEE,0x2B,0x52
,0x89,0x85,0xB1,0x71,0xA3,0x8A,0xE1,0x86,0x1F,0xB5,0xB6,0x06,0xA0,0x09,0x8A,0x74
,0xA5,0xE4,0xBF,0x9F,0x54,0xFA,0xDA,0x67,0x33,0xD4,0xB8,0xE8,0x57,0x79,0xB1,0x95
,0xA2,0xC9,0x07,0x78,0x73,0x45,0xA2,0xCB,0x34,0xF9,0x00,0x0F,0x70,0xC6,0xC9,0x39
,0x8E,0xA8,0x09,0x96,0x84,0x35,0x99,0x2A,0x18,0x98,0x0E,0xE1,0x87,0xB6,0xF2,0xD8
,0xBB,0x0D,0x6A,0x7F,0x6C,0xD2,0x38,0x0C,0x2D,0x3D,0x6D,0x08,0x6F,0x51,0x53,0xFE
,0x97,0x6C,0x64,0x91,0x9B,0xA2,0x03,0xED,0x01,0x5C,0x63,0xE6,0x98,0x21,0x68,0x1F
,0xF4,0x51,0x6B,0x6B,0xD3,0xDA,0x25,0x51,0x62,0x61,0x6C,0x1C,0xD0,0x59,0x4E,0xA3
,0xD8,0x30,0x65,0x85,0x24,0xAA,0x1E,0xB0,0x4E,0x00,0x62,0xF2,0x27,0x29,0x75,0x42
,0xED,0x95,0x06,0x6C,0xCC,0x4D,0xBF,0x96,0x7B,0xA5,0x01,0x1B,0xCF,0xCE,0xD4,0x64
,0xC1,0xF4,0x08,0x82,0x3B,0x3D,0x84,0x77,0x57,0xC4,0x0F,0xF5,0x38,0xBE,0xEF,0x85
,0xC6,0xD9,0xB0,0x65,0x1C,0x82,0xFC,0xDB,0x50,0xE9,0xB7,0x12,0x1F,0x01,0x97,0x29
,0xEA,0xB8,0xBE,0x8B,0xEB,0xF2,0xC7,0x3A,0x7C,0x88,0xB9,0xFC,0xE8,0x71,0xAC,0xC8
,0xDF,0x1D,0xDD,0x62,0x03,0x15,0x66,0x1C,0x49,0x2D,0xDA,0x15,0x00,0x96,0x0D,0xEE
,0xF3,0x7C,0xD3,0x8C,0xF4,0x65,0x5D,0xFD,0x65,0x4C,0xD4,0xFB,0xF7,0xE6,0x36,0x0F
,0x58,0x61,0xB2,0x4D,0x62,0x93,0xC6,0x61,0xCE,0x51,0xB5,0x3A,0x61,0x10,0xAD,0x93
,0x74,0x00,0xBC,0xA3,0x95,0xE3,0xFD,0x80,0xE2,0x30,0xBB,0xD4,0x96,0x60,0x96,0x72
,0x41,0xA5,0xDF,0x4A,0x7D,0x04,0x5C,0xA6,0xD7,0x95,0xD8,0x3D,0x7E,0x87,0x37,0x54
,0x6D,0xC4,0xD1,0xA4,0x8A,0x74,0x67,0x47,0xFB,0xF4,0xD6,0xD3,0x89,0xF7,0x0C,0xB5
,0x6A,0xE9,0x69,0x43,0xAD,0xCB,0x1F,0xEB,0xFC,0xD9,0x6E,0x34,0xAE,0x48,0x74,0x19
,0x46,0x88,0x67,0xAD,0x5A,0xBB,0x24,0x0A,0xD0,0xB8,0x60,0xDA,0x59,0x38,0x4F,0xF8
,0x73,0x2D,0x04,0x44,0xB2,0x5C,0x85,0x2C,0xE5,0x1D,0x03,0x33,0xB1,0xDF,0xEE,0xDE
,0x5F,0x4C,0x0A,0xAA,0x45,0x2C,0xBE,0xCD,0xC9,0x7C,0x0D,0xDD,0x46,0xAF,0xD5,0x3F
,0x3C,0x71,0x05,0x50,0x0D,0x54,0x98,0x71,0xAA,0x41,0x02,0x27,0x0E,0xD7,0xF3,0x83
,0x10,0x10,0x0B,0xBE,0xFA,0x24,0xA3,0x90,0x86,0x20,0x0C,0xC9,0xF9,0xA7,0xC8,0x62
,0x25,0xB5,0x68,0x57,0x12,0xC3,0x02,0xB6,0xB3,0x85,0x6F,0x20,0x11,0x40,0x69,0x44
,0x09,0xD4,0x66,0xB9,0xE5,0xB3,0x39,0x57,0x9F,0xE4,0x61,0xCE,0xE6,0x30,0x52,0xA5
,0x0E,0xF9,0xDE,0x5E,0xC2,0x0C,0x41,0xFB,0x98,0xC9,0xD9,0x29,0xC1,0x8F,0x2A,0x09
,0x22,0x98,0xD0,0xB0,0x35,0x7C,0x7A,0x1A,0xB4,0xA8,0xD7,0xC7,0x36,0xFF,0x11,0xE8
,0x17,0x3D,0xB3,0x59,0xDD,0x9B,0xDB,0x3C,0x81,0x0D,0xB4,0x2E,0xDE,0x18,0xB0,0xCE
,0x3B,0x5C,0xBD,0xB7,0x2A,0xEB,0xE0,0xDD,0xAD,0x6C,0xBA,0xC0,0x29,0x68,0x8B,0x2F
,0x20,0x83,0xB8,0xED,0x78,0x3B,0xF6,0x82,0xB6,0xB3,0xBF,0x9A,0x7B,0xB8,0x9D,0x70
,0x0C,0xE2,0xB6,0x03,0x8F,0x4B,0xCD,0x63,0x9A,0xD2,0xB1,0x74,0x8C,0xC8,0xA6,0x91
,0x39,0x47,0xD5,0xEA,0x67,0xAC,0x6C,0x45,0xAF,0x77,0xD2,0x9D,0x64,0x2F,0x07,0xB7
,0x15,0x26,0xDB,0x04,0x90,0xDC,0x57,0xA4,0x83,0x16,0xDC,0x73,0x93,0x5F,0x3C,0x56
,0x12,0x0B,0x63,0xE3,0xB7,0x63,0x2F,0x08,0x84,0x3B,0x64,0x94,0xB4,0xE0,0x44,0xFA
,0x3E,0x6A,0x6D,0x0D,0x40,0x13,0x14,0xE9,0xA8,0x5A,0x6A,0x7A,0x43,0x90,0x7F,0x1B
,0x0B,0xCF,0x0E,0xE4,0xA8,0xF4,0xB5,0xCF,0x9D,0xFF,0x09,0x93,0xAB,0x77,0xDE,0x3D
,0x27,0xAE,0x00,0x0A,0x5F,0x84,0x8E,0x2E,0xB1,0x9E,0x07,0x7D,0x5C,0x07,0xE5,0xDC
,0x44,0x93,0x0F,0xF0,0x17,0xFC,0xA8,0x92,0xD2,0xA3,0x08,0x87,0x14,0x7F,0xC3,0x60
,0x68,0xF2,0x01,0x1E,0xE0,0x8C,0x93,0x73,0xFE,0xC2,0x06,0x69,0xE3,0x0F,0xF8,0x81
,0x5D,0x57,0x62,0xF7,0x08,0x6B,0x32,0x55,0xCB,0x67,0x65,0x80,0x0B,0xE8,0x59,0xA7
,0x71,0x36,0x6C,0x19,0xFF,0x1B,0x09,0xB4,0xE7,0x06,0x6B,0x6E,0xFC,0x98,0x62,0x46
,0x76,0x1B,0xD4,0xFE,0xD8,0xA4,0x71,0x18,0xE0,0x2B,0xD3,0x89,0xDB,0x27,0x1A,0xEA
,0x5A,0x7A,0xDA,0x10,0x2F,0xD4,0x4A,0xF9,0xCC,0x4A,0xDD,0x67,0x2C,0x57,0x21,0x0B
,0x6F,0xDF,0xB9,0xF9,0xC7,0x33,0xEB,0xDF,0xF9,0xEF,0xBE,0x8E,0xC4,0xB0,0x80,0x2D
,0x43,0xBE,0xB7,0x17,0x30,0x43,0xD0,0x3E,0xD5,0x8E,0xB0,0x60,0x33,0xC0,0xBB,0xCC
,0xE8,0xA3,0xD6,0xD6,0xA6,0xB5,0x4B,0xA2,0x7E,0x93,0xD1,0xA1,0xA5,0x36,0x20,0x50
,0xC4,0xC2,0xD8,0x38,0x51,0xC5,0x70,0x43,0x52,0xF2,0xDF,0x4F,0x52,0x46,0x1B,0xB1
,0xF1,0x67,0xBB,0xD1,0xB9,0x22,0xD1,0x65,0x67,0x57,0xBC,0xA6,0xBA,0xA1,0xBA,0x97
,0xDD,0x06,0xB5,0x3F,0x4E,0x52,0xEA,0x84,0x4B,0x36,0xB2,0x48,0x4D,0xD1,0x81,0x76
,0xDA,0x2B,0x0D,0xD8,0x69,0xED,0x92,0x28,0x4C,0x1B,0x0A,0xAF,0x6A,0x6E,0xF9,0xDA
,0xF6,0x4A,0x03,0x36,0x9E,0x9D,0xA9,0xC9,0x60,0x7A,0x04,0x41,0x9D,0x1E,0xC2,0x3B
,0xC3,0xEF,0x60,0xDF,0x76,0x7A,0x08,0xEF,0x55,0xDF,0x67,0xA8,0x75,0xF9,0x63,0x1D
,0xEF,0x8E,0x6E,0x31,0x81,0x0A,0x33,0x0E,0x79,0xBE,0x69,0x46,0x82,0x89,0x58,0xFC
,0x8C,0xB3,0x61,0xCB,0xC9,0x72,0x15,0xB2,0x1A,0x83,0x66,0xBC,0xCA,0xF1,0x7E,0x40
,0xA0,0xD2,0x6F,0x25,0x3E,0x02,0x2E,0x53,0x36,0xE2,0x68,0x52,0x3D,0x81,0x45,0xA1
,0x95,0x77,0x0C,0xCC,0xD6,0xE5,0x8F,0x75,0x03,0x47,0x0B,0xBB,0xD5,0x66,0xE4,0x87
,0xB9,0x16,0x02,0x22,0x21,0x95,0xB4,0x94,0x2F,0x26,0x05,0x55,0x22,0x16,0xDF,0x66
,0xBE,0x3B,0xBA,0xC5,0x06,0x2A,0xCC,0x38,0x28,0x0B,0xBD,0xB2,0x05,0xA9,0xA7,0xCA
,0x92,0x5A,0xB4,0x2B,0xF1,0x5A,0xF7,0xD9,0x04,0x6A,0xB3,0x5C,0xF2,0xD9,0x9C,0x2B
,0xA7,0xFF,0xD7,0xC2,0x19,0xBD,0x56,0xFF,0x31,0xCF,0xD0,0xB5,0x1A,0x3E,0x3D,0x0D
,0x8B,0x9E,0xD9,0x2C,0xEE,0xCD,0x6D,0x1E,0x1D,0xAE,0xDE,0x5B,0xED,0x4E,0x06,0xEC
,0xB0,0xC2,0x64,0x9B,0xC4,0x26,0x8D,0xC3,0x26,0xF2,0x63,0xEC,0xC7,0xA5,0xE6,0x31
,0x9C,0xA3,0x6A,0x75,0x33,0x56,0xB6,0x22,0x0A,0x93,0x6D,0x02,0x30,0xD5,0xDD,0xD0
,0xA9,0x06,0x09,0x9C,0xDB,0xB1,0x17,0x04,0x3F,0x36,0x0E,0xEB,0xD8,0x32,0x7C,0xF6
,0x85,0x67,0x07,0x72,0x2C,0xC1,0x2C,0xE5,0x13,0x57,0x00,0x05,0x2F,0x42,0x47,0x17
,0x82,0x4A,0xBF,0x95,0x0B,0x7E,0x54,0x49,0x14,0x7A,0xB8,0xE2,0x08,0xFD,0x3F,0xBB
,0xAE,0x2B,0xB1,0x7B,0xFC,0x0E,0x6F,0xA8,0x38,0x1B,0xB6,0x0C,0xFF,0x8D,0x04,0x5A
,0x9B,0x8E,0xD2,0x92,0x14,0xE9,0xCE,0x8E,0x0D,0xBE,0xD5,0xE5,0x17,0x6A,0xA5,0x7C
,0xB7,0xEF,0xDC,0x7C,0xE3,0x99,0xF5,0x6F,0x21,0xDF,0xDB,0x0B,0xE0,0x1A,0x9E,0x9D
,0xD4,0xD2,0xD3,0x86,0xAB,0xE1,0xD3,0xD3,0x42,0xE2,0xD4,0xF1,0xA8,0x62,0xB8,0x21
,0xF8,0xB3,0xDD,0x68,0x5C,0x91,0xE8,0x32,0x6E,0x83,0xDA,0x1F,0x5F,0x12,0x83,0xC0
,0xCD,0x16,0xBE,0x81,0xB4,0x76,0x49,0x14,0x5B,0x26,0xB9,0xF6,0xB7,0xF5,0x22,0xE6
,0xE1,0x77,0xB0,0x6F,0x43,0x06,0x72,0xF5,0x77,0x47,0xB7,0x18,0x40,0x85,0x19,0x07
,0xE6,0x5A,0x08,0x88,0x64,0xB9,0x0A,0x59,0x70,0x6A,0x0F,0xFF,0x67,0x3A,0x61,0xAB
,0xCA,0x3B,0x06,0x66,0x93,0xC9,0x31,0xB8,0x5C,0x0B,0x01,0x11,0x90,0x4A,0x5A,0x4A
,0xFF,0x9E,0x65,0x8F,0x7B,0x2E,0x90,0x9E,0x69,0xAE,0x62,0xF8,0x78,0xAD,0xFB,0x6C
,0xD3,0xFF,0x6B,0x61,0x8C,0x5E,0xAB,0x7F,0x45,0xCF,0x6C,0x16,0x8F,0xDD,0xC0,0x8D
,0x78,0xE2,0x0A,0xA0,0x1A,0xA8,0x30,0xE3,0xEE,0xD2,0x0D,0xD7,0x19,0x2B,0x5B,0x11
,0x54,0x83,0x04,0x4E,0xED,0xD8,0x0B,0x02,0xC2,0xB3,0x03,0x39,0xEE,0x5B,0x60,0xF0
,0x61,0x26,0x67,0xA7,0x05,0x3F,0xAA,0x24,0xF7,0x16,0x60,0xD0,0x06,0xBC,0xC1,0xD6
,0x4D,0x47,0x69,0x49,0xF2,0x4F,0x91,0xC5,0xDB,0x77,0x6E,0x3E,0xF1,0xCC,0xFA,0x37
,0x4A,0x6A,0xD1,0xAE,0xD5,0xF0,0xE9,0x69,0xDC,0x5A,0xD6,0xD9,0xD6,0x73,0x82,0x9B
,0x66,0x0B,0xDF,0x40,0x22,0x80,0xD2,0x88,0xF0,0x3B,0xD8,0x37,0x21,0x03,0xB9,0x7A
,0x53,0xAE,0xBC,0xA9,0xCA,0x67,0x73,0xAE,0xC5,0x9E,0xBB,0xDE,0xC9,0xE4,0x18,0x5C
,0x7F,0xCF,0xB2,0x47,0x3D,0x17,0x48,0x4F,0xE9,0xFF,0xB5,0x30,0x3E,0x94,0x23,0xBD
,0x1C,0xF2,0xBD,0xBD,0x75,0x6F,0x6E,0xF3,0x8A,0xC2,0xBA,0xCA,0x76,0xEC,0x05,0x01
,0x30,0x93,0xB3,0x53,0x82,0x1F,0x55,0x12,0xA6,0xA3,0xB4,0x24,0x81,0x9C,0x3E,0xE0
,0x05,0x36,0xD0,0xBA,0x6A,0xF8,0xF4,0x34,0x93,0x06,0xD7,0xCD,0x69,0x7B,0x9F,0xC6
,0x29,0x57,0xDE,0x54,0x9D,0x88,0xCF,0xD5,0xBF,0x67,0xD9,0x23,0x9E,0x0B,0xA4,0x27
,0x2E,0x7A,0x66,0xB3,0xBA,0x37,0xB7,0x79,0xB8,0x4A,0x61,0xC4,0xB9,0xB4,0xDC,0x8B
,0x02,0x1B,0x68,0x5D,0x4D,0x47,0x8C,0x98,0x94,0x2B,0x6F,0x2A,0x4E,0xC4,0xE7,0x6A
,0x37,0xBE,0x0B,0xB4,0xA5,0xA0,0x2D,0xBE,0xA1,0x8E,0x0C,0xC3,0xA6,0x23,0x46,0x4C
,0x1B,0xDF,0x05,0x5A,0x52,0xD0,0x16,0x5F,0x8D,0xEF,0x02,0x2D,0x51,0x53,0x7D,0xAD]
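# Contents of byte_DA20C0, the 256-byte table the first 10 input characters are
# written into, transcribed row by row (16 bytes each) from the IDA hex dump
# above. Kept as text so it can be checked against the dump's ASCII column.
_SN_ROWS = (
    "So this is a not",
    " diffcult proble",
    "m if you have a ",
    "very good comput",
    "e.But if you do ",
    "not have a good ",
    "computer.It seem",
    "s that this prob",
    "lem will take a ",
    "lot of time.But ",
    "not thing is imp",
    "ossible.So just ",
    "try it!!Some tim",
    "es,The thing we ",
    "seem is not real",
    "l [][]()()<><>..",
)
# A list (not bytes/tuple): the brute force below overwrites individual slots.
sn = [ord(ch) for ch in "".join(_SN_ROWS)]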
result0=result1=0xffffffff  # module-level scratch left from the commented-out experiments below; cacl() initialises its own copies
# print hex(sn[1]^result1 & 0xff)
# print hex(replace[(sn[1]^result1 & 0xff)*8+4])
# print hex(replace[(sn[1]^result1 & 0xff)*8+5])
# print hex(replace[(sn[1]^result1 & 0xff)*8+6])
# print hex(replace[(sn[1]^result1 & 0xff)*8+7])
# print hex(result1>>8)
# result1=result1>>8
# result1 = result1^(replace[(sn[1]^result1 & 0xff)*8+7]<<24)^(replace[(sn[1]^result1 & 0xff)*8+6]<<16)^(replace[(sn[1]^result1 & 0xff)*8+5]<<8)^(replace[(sn[1]^result1 & 0xff)*8+4])
# result0=result0>>8
# result0 = result0^(replace[(sn[0]^result0 & 0xff)*8+3]<<24)^(replace[(sn[0]^result0 & 0xff)*8+2]<<16)^(replace[(sn[0]^result0 & 0xff)*8+1]<<8)^(replace[(sn[0]^result0 & 0xff)*8])
# print hex(result1)
# print hex(result0)
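def cacl(sn, table=None):
    """Run the two interleaved table-driven checks of sub_D91190 over a 256-byte buffer.

    Mirrors the decompiled do/while loop: even-indexed bytes feed ``result0``
    through the first dword of each 8-byte table entry, odd-indexed bytes feed
    ``result1`` through the second dword.  Every step is the table-driven update
    ``r = (r >> 8) ^ T[(r ^ b) & 0xff]`` with both registers starting at
    0xffffffff.  Python ints are unbounded, so ``>> 8`` is a logical shift.

    Args:
        sn: sequence of at least 256 ints; only the low byte of each is used.
        table: flat 2048-byte lookup table laid out as 256 entries of two
            little-endian dwords.  Defaults to the module-level ``replace`` dump.

    Returns:
        ``(result0, result1)`` as non-negative ints, *not* inverted; the binary
        compares the bitwise NOT of each register against its constant.
    """
    if table is None:
        table = replace

    def dword(entry, offset):
        # Little-endian dword stored at table[entry*8 + offset .. +3].
        base = entry * 8 + offset
        return (table[base + 3] << 24) ^ (table[base + 2] << 16) ^ (table[base + 1] << 8) ^ table[base]

    result0 = result1 = 0xffffffff
    for i in range(0, 256, 2):
        idx1 = (sn[i + 1] ^ result1) & 0xff   # index taken before the shift
        result1 = (result1 >> 8) ^ dword(idx1, 4)
        idx0 = (sn[i] ^ result0) & 0xff
        result0 = (result0 >> 8) ^ dword(idx0, 0)
    return result0, result1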
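# Brute force of the five even-indexed slots the input is copied into (table
# offsets 0x00, 0x22, 0x44, 0x66, 0x88); these are the only input bytes that
# reach result0, the register fed by even-indexed bytes.  The odd-indexed
# slots (0x11, 0x33, ...) feed result1 and are not searched here.
# 0x17645dfc is the bitwise NOT of 0xE89BA203, one of the two constants the
# binary compares the inverted registers against.
# NOTE(review): whether result0 corresponds to the binary's v6 or v4 register
# depends on which half of each 8-byte entry the table dump starts with;
# confirm against the binary before relying on this pairing.
# 95**5 candidates, each costing a full 128-step table pass, makes this very
# slow in pure Python; the per-candidate print is a large part of that cost.
even_slots = (0, 0x11 * 2, 0x11 * 4, 0x11 * 6, 0x11 * 8)
for a in range(33, 128):
    for b in range(33, 128):
        for c in range(33, 128):
            for d in range(33, 128):
                for e in range(33, 128):
                    for slot, value in zip(even_slots, (a, b, c, d, e)):
                        sn[slot] = value
                    result0 = cacl(sn)[0]  # computed once; the original called cacl() twice per candidate
                    print("%s %d %d %d %d %d" % (hex(result0), a, b, c, d, e))
                    if result0 == 0x17645dfc:
                        print("%d %d %d %d %d" % (a, b, c, d, e))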
爆破速度较慢,理解算法就行,最后结果为hctf{It is a crc program!}
2 zorropub
2.1 题目
64位的elf文件,使用ida+linuxserver64动态调试
2.2 分析
2.2.1 main
关键步骤:
1.对i进行与操作,判断与的次数是否为10次
2.30次md5,比较最后的值
2.3 解题
首先,为了减少逆向的工作量,drink_number肯定是设置为1的
通过分析可以发现,第一次对drink_id的校验导致drink_id的范围很小,在(0x16,0xffff)之间,我们可以通过脚本穷举出drink_number为1时能通过第一层校验的drink_id。脚本如下
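def cacl(i):
    """Return the number of set bits in ``i``.

    Each ``i & (i - 1)`` clears the lowest set bit, so the loop runs once per
    1-bit.  Expects a non-negative int; a negative value would never reach 0.
    """
    count = 0
    while i:
        count += 1
        i &= i - 1
    return count


# Every candidate drink_id in [16, 0xffff) with exactly ten 1-bits.
res = [i for i in range(16, 0xffff) if cacl(i) == 10]
print(res)  # 8008 values: C(16, 10) ways to place ten 1-bits in 16 bits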
# print len(res)
总共只有8008个数。
然后可以尝试通过穷举的方式完成破解:输入错误的数字和正确的数字时,程序的返回值不同,利用这一点可以写出如下脚本:
#!/usr/bin/env python
#-*- coding: utf-8 -*-
import sys
import subprocess
def cacl(i):
    """Count the 1-bits of ``i``: strip the lowest set bit until none is left."""
    bits = 0
    while i:
        i &= i - 1
        bits += 1
    return bits
def cacl1():
    """Return every int in [16, 0xffff) whose popcount is 10 (the drink_ids that pass the first check)."""
    return [i for i in range(16, 0xffff) if cacl(i) == 10]
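result = cacl1()

# Binary under test: the author's local copy by default, or the path given as argv[1].
target = sys.argv[1] if len(sys.argv) > 1 else "/home/gxk/桌面/3ab716004ef04c018451860b94b52af7"

# Oracle loop: answer "1" drink, then one candidate id, and look at the exit
# status.  A wrong id makes the binary exit with status 255 (the author's
# observation), so any other status marks the candidate as the right drink_id.
for i in result:
    p = subprocess.Popen(target, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    # communicate() writes stdin, drains stdout and waits.  Writing to stdin
    # while never reading the stdout pipe could deadlock if the child filled it.
    p.communicate(b'1\n' + str(i).encode() + b'\n')
    if p.returncode != 255:  # wrong ids return 255
        print(i)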
最后得到了一个结果为59306,也就是drink_id,输入之后得到flag
gxk@gxk-virtual-machine:~/桌面$ ./3ab716004ef04c018451860b94b52af7
Welcome to Pub Zorro!!
Straight to the point. How many drinks you want?1
OK. I need details of all the drinks. Give me 1 drink ids:59306
You choose right mix and here is your reward: The flag is nullcon{nu11c0n_s4yz_x0r1n6_1s_4m4z1ng}
3 serial-150
3.1 题目
64位elf文件,静态分析得到的代码有误,因此使用动态调试
3.2 分析
由于代码被混淆过,main函数无法被完全的反编译成伪代码,需要直接看汇编语言,对text段分析。
主要的方法是通过调试分析每一段的功能,频繁地设置断点,重复运行程序,慢慢就能分析出来
3.2.1 .text:000000000040099C
.text:000000000040099C
.text:000000000040099C ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:000000000040099C public main
.text:000000000040099C main: ; DATA XREF: _start+1D↑o
.text:000000000040099C ; __unwind { // ___gxx_personality_v0
.text:000000000040099C push rbp
.text:000000000040099D mov rbp, rsp
.text:00000000004009A0 sub rsp, 200h
.text:00000000004009A7 lea rsi, [rbp-200h]
.text:00000000004009AE mov eax, 0
.text:00000000004009B3 mov edx, 20h
.text:00000000004009B8 mov rdi, rsi
.text:00000000004009BB mov rcx, rdx
.text:00000000004009BE rep stosq
.text:00000000004009C1 lea rsi, [rbp-100h]
.text:00000000004009C8 mov eax, 0
.text:00000000004009CD mov edx, 20h
.text:00000000004009D2 mov rdi, rsi
.text:00000000004009D5 mov rcx, rdx
.text:00000000004009D8 rep stosq
.text:00000000004009D8 ; ---------------------------------------------------------------------------
.text:00000000004009DB db 66h
.text:00000000004009DC db 0B8h
.text:00000000004009DD ; ---------------------------------------------------------------------------
.text:00000000004009DD jmp short loc_4009E4
.text:00000000004009DD ; ---------------------------------------------------------------------------
.text:00000000004009DF db 31h
.text:00000000004009E0 db 0C0h
.text:00000000004009E1 db 74h
.text:00000000004009E2 db 0FAh
.text:00000000004009E3 db 0E8h
.text:00000000004009E4 ; ---------------------------------------------------------------------------
.text:00000000004009E4
.text:00000000004009E4 loc_4009E4: ; CODE XREF: .text:00000000004009DD↑j
.text:00000000004009E4 mov esi, offset aPleaseEnterThe ; "Please Enter the valid key!\n"
.text:00000000004009E9 mov edi, offset _ZSt4cout@@GLIBCXX_3_4
.text:00000000004009EE ; try {
.text:00000000004009EE call __ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc ; std::operator<<<std::char_traits<char>>(std::basic_ostream<char,std::char_traits<char>> &,char const*)
这一段有花指令,通过ida动态调试可以分析出这些指令。主要完成了函数序言,也就是初始化一些局部变量,然后输出提示
3.2.2 .text:00000000004009F3
.text:00000000004009F3 loc_4009F3: ; CODE XREF: .text:00000000004009F9↓j
.text:00000000004009F3 mov ax, 5EBh
.text:00000000004009F7 xor eax, eax
.text:00000000004009F9 jz short near ptr loc_4009F3+2
.text:00000000004009F9 ; ---------------------------------------------------------------------------
.text:00000000004009FB db 0E8h
.text:00000000004009FC ; ---------------------------------------------------------------------------
.text:00000000004009FC lea rax, [rbp-200h]
.text:0000000000400A03 mov rsi, rax
.text:0000000000400A06 mov edi, offset _ZSt3cin@@GLIBCXX_3_4
.text:0000000000400A0B call __ZStrsIcSt11char_traitsIcEERSt13basic_istreamIT_T0_ES6_PS3_ ; std::operator>><char,std::char_traits<char>>(std::basic_istream<char,std::char_traits<char>> &,char*)
.
这一段也有花指令,主要的功能就是调用输入函数。
3.2.3 .text:0000000000400A10
.text:0000000000400A10 loc_400A10: ; CODE XREF: .text:0000000000400A16↓j
.text:0000000000400A10 mov ax, 5EBh
.text:0000000000400A14 xor eax, eax
.text:0000000000400A16 jz short near ptr loc_400A10+2
.text:0000000000400A16 ; ---------------------------------------------------------------------------
.text:0000000000400A18 db 0E8h
.text:0000000000400A19 ; ---------------------------------------------------------------------------
.text:0000000000400A19 lea rax, [rbp-200h]
.text:0000000000400A20 mov rdi, rax
.text:0000000000400A23 call _strlen
.text:0000000000400A28 cmp rax, 10h
.text:0000000000400A2C jz short loc_400A3C
这一段的功能是判断输入长度是否为 0x10,即16个字符
3.2.4 .text:0000000000400A2E
.text:0000000000400A2E loc_400A2E: ; CODE XREF: .text:0000000000400A34↓j
.text:0000000000400A2E mov ax, 5EBh
.text:0000000000400A32 xor eax, eax
.text:0000000000400A34 jz short near ptr loc_400A2E+2
.text:0000000000400A34 ; ---------------------------------------------------------------------------
.text:0000000000400A36 db 0E8h
.text:0000000000400A37 ; ---------------------------------------------------------------------------
.text:0000000000400A37 jmp near ptr unk_400C7B
.text:0000000000400A3C ; ---------------------------------------------------------------------------
.text:0000000000400A3C
.text:0000000000400A3C loc_400A3C: ; CODE XREF: .text:0000000000400A2C↑j
.text:0000000000400A3C movzx eax, byte ptr [rbp-200h]
.text:0000000000400A43 cmp al, 45h
.text:0000000000400A45 jz short loc_400A55
判断输入的第一个字符是否为chr(0x45),也就是E。
3.2.5 .text:0000000000400A47
.text:0000000000400A47 loc_400A47: ; CODE XREF: .text:0000000000400A4D↓j
.text:0000000000400A47 mov ax, 5EBh
.text:0000000000400A4B xor eax, eax
.text:0000000000400A4D jz short near ptr loc_400A47+2
.text:0000000000400A4D ; ---------------------------------------------------------------------------
.text:0000000000400A4F db 0E8h
.text:0000000000400A50 ; ---------------------------------------------------------------------------
.text:0000000000400A50 jmp near ptr unk_400C7B
.text:0000000000400A55 ; ---------------------------------------------------------------------------
.text:0000000000400A55
.text:0000000000400A55 loc_400A55: ; CODE XREF: .text:0000000000400A45↑j
.text:0000000000400A55 movzx eax, byte ptr [rbp-200h]
.text:0000000000400A5C movsx edx, al
.text:0000000000400A5F movzx eax, byte ptr [rbp-1F1h]
.text:0000000000400A66 movsx eax, al
.text:0000000000400A69 add eax, edx
.text:0000000000400A6B cmp eax, 9Bh
.text:0000000000400A70 jz short loc_400A80
这一段判断输入的第一个字符和最后一个字符的ascii之和是否为0x9b,可以解出最后一个字符为V
同样的下面还有类似的几段汇编代码,相似的逻辑
3.2.6 总体流程
总共输入16个字符,第1、16个字符之和与一个固定值比较,第2、15个字符之和与一个固定值比较,以此类推,通过调试可以得到结果。
3.3 解题
以下是调试日志,可以得出flag
gxk@gxk-virtual-machine:~/桌面$ ./linux_server64
IDA Linux 64-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:23946...
=========================================================
[1] Accepting connection from 192.168.222.1...
Please Enter the valid key!
AAAAAAAAAAAAAAAAAA
Serial number is not valid!
Looking for GNU DWARF file at "/lib/x86_64-linux-gnu/libc-2.23.so"... found!
[1] Closing connection from 192.168.222.1...
=========================================================
[2] Accepting connection from 192.168.222.1...
Please Enter the valid key!
AAAAAAAAAAAAAAAA
Serial number is not valid!
[2] Closing connection from 192.168.222.1...
=========================================================
[3] Accepting connection from 192.168.222.1...
Eaaaaaaaaaaaaaaa
Please Enter the valid key!
Eaaaaaaaaaaaaaaa
^CInterrupt: terminating the server
gxk@gxk-virtual-machine:~/桌面$ ./linux_server64
IDA Linux 64-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:23946...
=========================================================
[1] Accepting connection from 192.168.222.1...
Please Enter the valid key!
[1] Closing connection from 192.168.222.1...
=========================================================
[2] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EVaaaaaaaaaaaaaa
[2] Closing connection from 192.168.222.1...
=========================================================
[3] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EVAAAEVAAAEVAAAA
[3] Closing connection from 192.168.222.1...
=========================================================
[4] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EaaaaEaaaaEaaaaV
Serial number is not valid!
[4] Closing connection from 192.168.222.1...
=========================================================
[5] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EaaaaEaaaaEaaaaV
^CInterrupt: terminating the server
gxk@gxk-virtual-machine:~/桌面$ ./linux_server64
IDA Linux 64-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:23946...
=========================================================
[1] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZaaaEaaaaEaaaaV
[1] Closing connection from 192.168.222.1...
=========================================================
[2] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZaaaEaaaaEaaaAV
[2] Closing connection from 192.168.222.1...
=========================================================
[3] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9aaEaaaaEaaaAV
[3] Closing connection from 192.168.222.1...
=========================================================
[4] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9EZ9aaEaaaaEaabAV
Serial number is not valid!
[4] Closing connection from 192.168.222.1...
=========================================================
[5] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9aaEaaaaEaabAV
[5] Closing connection from 192.168.222.1...
=========================================================
[6] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9daEaaaaEa7bAV
Serial number is not valid!
[6] Closing connection from 192.168.222.1...
=========================================================
[7] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9daEaaaaEa7bAV
Serial number is not valid!
[7] Closing connection from 192.168.222.1...
=========================================================
[8] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmEaaaaE.7bAV
Serial number is not valid!
[8] Closing connection from 192.168.222.1...
=========================================================
[9] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmEaaaaEG7bAV
[9] Closing connection from 192.168.222.1...
=========================================================
[10] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmqaaaaEG7bAV
Serial number is not valid!
[10] Closing connection from 192.168.222.1...
=========================================================
[11] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmqaaaa9G7bAV
Serial number is not valid!
[11] Closing connection from 192.168.222.1...
=========================================================
[12] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4aaa9G7bAV
Serial number is not valid!
[12] Closing connection from 192.168.222.1...
=========================================================
[13] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4aag9G7bAV
Serial number is not valid!
[13] Closing connection from 192.168.222.1...
=========================================================
[14] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4cag9G7bAV
Serial number is not valid!
[14] Closing connection from 192.168.222.1...
=========================================================
[15] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4cag9G7bAV
Serial number is not valid!
[15] Closing connection from 192.168.222.1...
=========================================================
[16] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4cag9G7bAV
Serial number is not valid!
[16] Closing connection from 192.168.222.1...
=========================================================
[17] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4cag9G7bAV
[17] Closing connection from 192.168.222.1...
=========================================================
[18] Accepting connection from 192.168.222.1...
Please Enter the valid key!
EZ9dmq4c8g9G7bAV
Serial number is valid :)
Looking for GNU DWARF file at "/lib/x86_64-linux-gnu/libc-2.23.so"... found!
[18] Closing connection from 192.168.222.1...