首页
论坛
课程
招聘
[看雪CTF2016]第3题简要分析
2016-11-6 17:11 1884

[看雪CTF2016]第3题简要分析

2016-11-6 17:11
1884
1.大概过了一遍,创建了3个线程,只有一个线程是有用的
01193120    55              push    ebp                              ; Thread3
01193121    8BEC            mov     ebp, esp
01193123    6A FF           push    -0x1
01193125    68 C4D91B01     push    011BD9C4
0119312A    64:A1 00000000  mov     eax, dword ptr fs:[0]
01193130    50              push    eax
01193131    81EC D4000000   sub     esp, 0xD4
01193137    A1 C0D11C01     mov     eax, dword ptr [0x11CD1C0]
0119313C    33C5            xor     eax, ebp
0119313E    8945 F0         mov     dword ptr [ebp-0x10], eax
01193141    53              push    ebx
01193142    50              push    eax
01193143    8D45 F4         lea     eax, dword ptr [ebp-0xC]
01193146    64:A3 00000000  mov     dword ptr fs:[0], eax
0119314C    68 F5856DAE     push    0xAE6D85F5

地址可能每个系统不一样。

2. SHA256计算“Kanxue-Crackme-CTF2016”作为后面AES加密的key

001A1420 55 push ebp
001A1421 8BEC mov ebp, esp
001A1423 6A FF push -0x1
001A1425 68 C7D61C00 push 001CD6C7
001A142A 64:A1 00000000 mov eax, dword ptr fs:[0]
001A1430 50 push eax
001A1431 81EC 38010000 sub esp, 0x138
001A1437 A1 C0D11D00 mov eax, dword ptr [0x1DD1C0]
001A143C 33C5 xor eax, ebp
001A143E 8945 F0 mov dword ptr [ebp-0x10], eax
001A1441 57 push edi
001A1442 50 push eax
001A1443 8D45 F4 lea eax, dword ptr [ebp-0xC]
001A1446 64:A3 00000000 mov dword ptr fs:[0], eax
001A144C C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
001A1453 C785 C0FEFFFF 0>mov dword ptr [ebp-0x140], 0x0
001A145D 8B4D 08 mov ecx, dword ptr [ebp+0x8]
001A1460 E8 DB060000 call 001A1B40
001A1465 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
001A146C 8B85 C0FEFFFF mov eax, dword ptr [ebp-0x140]
001A1472 83C8 01 or eax, 0x1
001A1475 8985 C0FEFFFF mov dword ptr [ebp-0x140], eax
001A147B FF7424 28 push dword ptr [esp+0x28]
001A147F 68 842F58AB push 0xAB582F84
001A1484 68 02396FB2 push 0xB26F3902
001A1489 68 A12C21D2 push 0xD2212CA1
001A148E 57 push edi
001A148F FF7424 24 push dword ptr [esp+0x24]
001A1493 83EC 38 sub esp, 0x38
001A1496 E8 01000000 call 001A149C
001A149B B8 873C2481 mov eax, 0x81243C87
001A14A0 EF out dx, eax
001A14A1 E4 1B in al, 0x1B
001A14A3 6A 3E push 0x3E
001A14A5 81C7 001C6A3E add edi, 0x3E6A1C00
001A14AB 74 08 je short 001A14B5
001A14AD 873C24 xchg dword ptr [esp], edi
001A14B0 C2 5000 retn 0x50
001A14B3 81B3 81A78B0D F>xor dword ptr [ebx+0xD8BA781], 0x1CE>
001A14BD 51 push ecx
001A14BE E8 D1050100 call 001B1A94
001A14C3 83C4 04 add esp, 0x4
001A14C6 8985 BCFEFFFF mov dword ptr [ebp-0x144], eax
001A14CC 8B95 BCFEFFFF mov edx, dword ptr [ebp-0x144]
001A14D2 8995 C4FEFFFF mov dword ptr [ebp-0x13C], edx
001A14D8 8D85 C8FEFFFF lea eax, dword ptr [ebp-0x138]
001A14DE 50 push eax
001A14DF E8 8C390000 call <Sha_Init>
001A14E4 83C4 04 add esp, 0x4
001A14E7 68 F8E51D00 push 001DE5F8
001A14EC 8D4D D8 lea ecx, dword ptr [ebp-0x28]
001A14EF E8 1C060000 call 001A1B10
001A14F4 C745 FC 0100000>mov dword ptr [ebp-0x4], 0x1
001A14FB 8D4D D8 lea ecx, dword ptr [ebp-0x28]
001A14FE E8 FD080000 call 001A1E00
001A1503 50 push eax
001A1504 8D4D D8 lea ecx, dword ptr [ebp-0x28]
001A1507 E8 E4080000 call 001A1DF0
001A150C 50 push eax
001A150D 8D8D C8FEFFFF lea ecx, dword ptr [ebp-0x138]
001A1513 51 push ecx
001A1514 E8 573A0000 call <Sha_Update>
001A1519 83C4 0C add esp, 0xC
001A151C 8B95 C4FEFFFF mov edx, dword ptr [ebp-0x13C]
001A1522 52 push edx
001A1523 8D85 C8FEFFFF lea eax, dword ptr [ebp-0x138]
001A1529 50 push eax
001A152A E8 013B0000 call <Sha_Final>
001A152F 83C4 08 add esp, 0x8
001A1532 6A 20 push 0x20
001A1534 8B8D C4FEFFFF mov ecx, dword ptr [ebp-0x13C]
001A153A 51 push ecx
001A153B B9 10E61D00 mov ecx, 001DE610
001A1540 E8 5B070000 call 001A1CA0
001A1545 B9 10E61D00 mov ecx, 001DE610
001A154A E8 B1080000 call 001A1E00
001A154F D1E0 shl eax, 1
001A1551 50 push eax
001A1552 8B55 0C mov edx, dword ptr [ebp+0xC]
001A1555 52 push edx
001A1556 8B4D 08 mov ecx, dword ptr [ebp+0x8]
001A1559 E8 42070000 call 001A1CA0
001A155E C645 FC 00 mov byte ptr [ebp-0x4], 0x0
001A1562 8D4D D8 lea ecx, dword ptr [ebp-0x28]
001A1565 E8 C6060000 call 001A1C30
001A156A 8B45 08 mov eax, dword ptr [ebp+0x8]
001A156D 8B4D F4 mov ecx, dword ptr [ebp-0xC]
001A1570 64:890D 0000000>mov dword ptr fs:[0], ecx
001A1577 59 pop ecx
001A1578 5F pop edi
001A1579 8B4D F0 mov ecx, dword ptr [ebp-0x10]
001A157C 33CD xor ecx, ebp
001A157E E8 1E1D0100 call 001B32A1
001A1583 8BE5 mov esp, ebp
001A1585 5D pop ebp
001A1586 C3 retn


3. MD5计算“Kanxue-Crackme-CTF2016”作为最后的比较结果
01191590 55 push ebp
01191591 8BEC mov ebp, esp
01191593 6A FF push -0x1
01191595 68 17D71B01 push 011BD717
0119159A 64:A1 00000000 mov eax, dword ptr fs:[0]
011915A0 50 push eax
011915A1 81EC 38010000 sub esp, 0x138
011915A7 A1 C0D11C01 mov eax, dword ptr [0x11CD1C0]
011915AC 33C5 xor eax, ebp
011915AE 8945 F0 mov dword ptr [ebp-0x10], eax
011915B1 50 push eax
011915B2 8D45 F4 lea eax, dword ptr [ebp-0xC]
011915B5 64:A3 00000000 mov dword ptr fs:[0], eax
011915BB C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
011915C2 C785 C0FEFFFF 0>mov dword ptr [ebp-0x140], 0x0
011915CC 8B4D 08 mov ecx, dword ptr [ebp+0x8]
011915CF E8 6C050000 call 01191B40
011915D4 C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
011915DB 8B85 C0FEFFFF mov eax, dword ptr [ebp-0x140]
011915E1 83C8 01 or eax, 0x1
011915E4 8985 C0FEFFFF mov dword ptr [ebp-0x140], eax
011915EA 68 5593A0B4 push 0xB4A09355
011915EF FF7424 14 push dword ptr [esp+0x14]
011915F3 FF7424 08 push dword ptr [esp+0x8]
011915F7 FF7424 34 push dword ptr [esp+0x34]
011915FB 68 967EA0CB push 0xCBA07E96
01191600 83EC 48 sub esp, 0x48
01191603 E8 02000000 call 0119160A
01191608 81AF 87142481 E>sub dword ptr [edi+0x81241487], 0x27>
01191612 6381 C2480D27 arpl word ptr [ecx+0x270D48C2], ax
01191618 637408 87 arpl word ptr [eax+ecx-0x79], si
0119161C 14 24 adc al, 0x24
0119161E C2 5C00 retn 0x5C
01191621 81F4 81808B0D xor esp, 0xD8B8081
01191627 60 pushad
01191628 2D 1C0151E8 sub eax, 0xE851011C
0119162D 630401 arpl word ptr [ecx+eax], ax
01191630 0083 C4048985 add byte ptr [ebx+0x858904C4], al
01191636 BC FEFFFF8B mov esp, 0x8BFFFFFE
0119163B 95 xchg eax, ebp
0119163C BC FEFFFF89 mov esp, 0x89FFFFFE
01191641 95 xchg eax, ebp
01191642 C4FE les edi, esi ; 非法使用寄存器
01191644 FFFF ??? ; 未知命令
01191646 8D85 C8FEFFFF lea eax, dword ptr [ebp-0x138]
0119164C 50 push eax
0119164D E8 9EAB0000 call <MD5_INIT>
01191652 83C4 04 add esp, 0x4
01191655 68 F8E51C01 push 011CE5F8
0119165A 8D4D D8 lea ecx, dword ptr [ebp-0x28]
0119165D E8 AE040000 call 01191B10
01191662 C745 FC 0100000>mov dword ptr [ebp-0x4], 0x1
01191669 8D4D D8 lea ecx, dword ptr [ebp-0x28]
0119166C E8 8F070000 call 01191E00
01191671 50 push eax
01191672 8D4D D8 lea ecx, dword ptr [ebp-0x28]
01191675 E8 76070000 call 01191DF0
0119167A 50 push eax
0119167B 8D8D C8FEFFFF lea ecx, dword ptr [ebp-0x138]
01191681 51 push ecx
01191682 E8 29AC0000 call <MD5_Update>
01191687 83C4 0C add esp, 0xC
0119168A 8B95 C4FEFFFF mov edx, dword ptr [ebp-0x13C]
01191690 52 push edx
01191691 8D85 C8FEFFFF lea eax, dword ptr [ebp-0x138]
01191697 50 push eax
01191698 E8 D3AC0000 call <MD5_Final>
0119169D 83C4 08 add esp, 0x8
011916A0 6A 10 push 0x10
011916A2 8B8D C4FEFFFF mov ecx, dword ptr [ebp-0x13C]
011916A8 51 push ecx
011916A9 B9 28E61C01 mov ecx, 011CE628
011916AE E8 ED050000 call 01191CA0
011916B3 B9 28E61C01 mov ecx, 011CE628
011916B8 E8 43070000 call 01191E00
011916BD C1E0 02 shl eax, 0x2
011916C0 50 push eax
011916C1 8B55 0C mov edx, dword ptr [ebp+0xC]
011916C4 52 push edx
011916C5 8B4D 08 mov ecx, dword ptr [ebp+0x8]
011916C8 E8 D3050000 call 01191CA0
011916CD C645 FC 00 mov byte ptr [ebp-0x4], 0x0
011916D1 8D4D D8 lea ecx, dword ptr [ebp-0x28]
011916D4 E8 57050000 call 01191C30
011916D9 8B45 08 mov eax, dword ptr [ebp+0x8]
011916DC 8B4D F4 mov ecx, dword ptr [ebp-0xC]
011916DF 64:890D 0000000>mov dword ptr fs:[0], ecx
011916E6 59 pop ecx
011916E7 8B4D F0 mov ecx, dword ptr [ebp-0x10]
011916EA 33CD xor ecx, ebp
011916EC E8 B01B0100 call 011A32A1
011916F1 8BE5 mov esp, ebp
011916F3 5D pop ebp
011916F4 C3 retn


4.输入结果8个一组转换成16禁止,然后做RSA加密
011932BF E8 3CE7FFFF call 01191A00
011932C4 83C4 08 add esp, 0x8
011932C7 C645 FC 03 mov byte ptr [ebp-0x4], 0x3
011932CB 8D4D D8 lea ecx, dword ptr [ebp-0x28]
011932CE E8 6DE8FFFF call 01191B40
011932D3 C645 FC 04 mov byte ptr [ebp-0x4], 0x4
011932D7 8D45 D8 lea eax, dword ptr [ebp-0x28]
011932DA 50 push eax
011932DB 8D4D A8 lea ecx, dword ptr [ebp-0x58]
011932DE 51 push ecx
011932DF E8 1CE4FFFF call 01191700 ==========RSA加密
011932E4 83C4 08 add esp, 0x8
011932E7 8985 24FFFFFF mov dword ptr [ebp-0xDC], eax
011932ED 57 push edi
011932EE FF7424 20 push dword ptr [esp+0x20]
011932F2 FF7424 18 push dword ptr [esp+0x18]
011932F6 FF7424 20 push dword ptr [esp+0x20]
011932FA FF7424 24 push dword ptr [esp+0x24]
011932FE 83EC 68 sub esp, 0x68
01193301 E8 01000000 call 01193307
01193306 25 872C2481 and eax, 0x81242C87


RSA加密后取后面2个字节保存起来

01191700跟进去后发现是RSA,这个地方是我猜的,因为看到了个常量10001
并得到n=F574FD11,这个也是一步一步跟出来的。

用rsatool分解后计算出2个因子(F863,FCFB ), d = 2BBE7481

5.AES加密比较结果
01193404 8985 3CFFFFFF mov dword ptr [ebp-0xC4], eax
0119340A 8B8D 3CFFFFFF mov ecx, dword ptr [ebp-0xC4]
01193410 898D 20FFFFFF mov dword ptr [ebp-0xE0], ecx
01193416 C645 FC 06 mov byte ptr [ebp-0x4], 0x6
0119341A 83EC 18 sub esp, 0x18
0119341D 8BCC mov ecx, esp
0119341F 89A5 2CFFFFFF mov dword ptr [ebp-0xD4], esp
01193425 8D55 C0 lea edx, dword ptr [ebp-0x40]
01193428 52 push edx
01193429 E8 E2E6FFFF call 01191B10
0119342E 8985 34FFFFFF mov dword ptr [ebp-0xCC], eax
01193434 8D45 90 lea eax, dword ptr [ebp-0x70]
01193437 50 push eax
01193438 C645 FC 05 mov byte ptr [ebp-0x4], 0x5
0119343C E8 1FE4FFFF call 01191860 ===============AES加密
01193441 83C4 34 add esp, 0x34
01193444 8985 30FFFFFF mov dword ptr [ebp-0xD0], eax
0119344A 68 28E61C01 push 011CE628
0119344F 8D4D 90 lea ecx, dword ptr [ebp-0x70]
01193452 E8 C9060000 call 01193B20
01193457 85C0 test eax, eax
01193459 75 0A jnz short 01193465
          最终比较

7.计算注册码

from Crypto.Cipher import AES
from Crypto.Hash import MD5, SHA256


cipher = AES.new(SHA256.new('Kanxue-Crackme-CTF2016').hexdigest().decode('hex'), AES.MODE_ECB)
print cipher.decrypt(MD5.new('Kanxue-Crackme-CTF2016').hexdigest().decode('hex')).encode('hex')


计算得到 AES解密的数据 :0d48ed5ef769e2abd68bfd6c76dd795d

将其4个一组进行RSA解密
import struct

a = '0d48ed5ef769e2abd68bfd6c76dd795d'.decode('hex')

b = struct.unpack('>8H', a)
c = ''
for i in b:
    c += hex(pow(i, 0x2BBE7481, 0xF574FD11)).replace('0x', '').replace('L', '').upper()

print c


得到最终KEY:3C4F963B039A2C377E02291E3C157AE591BCC1CA0A8F528EB2700AC021FB958D

看雪招聘平台创建简历并且简历完整度达到90%及以上可获得500看雪币~

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回