
[原创]看雪CTF2017第5题

风间仁 2017-6-9 17:23 949

1. 去除驱动反调试

.text:0001071A ; int __stdcall fn_DeviceControl(int, PIRP Irp)
...
.text:00010731                 mov     eax, [eax+0Ch]          ; eax = dword at +0Ch of the current I/O stack location — presumably Parameters.DeviceIoControl.IoControlCode
.text:00010734                 sub     eax, 222004h            ; compare with IOCTL code 222004h (sub sets ZF on equality)
.text:00010739                 mov     ecx, [esi+0Ch]          ; ecx = another +0Ch field via esi (mov leaves flags intact)
.text:0001073C                 jz      short loc_1076A         ; matching IOCTL -> handler below
...
.text:0001076A                 mov     dword_114D8, 1          ; set a global flag (its consumer is not shown here)
.text:00010774                 call    ds:IoGetCurrentProcess  ; EPROCESS of the calling (user-mode) process
.text:0001077A                 mov     g_process, eax          ; remembered globally
.text:0001077F                 call    sub_10486               ; anti-debug routine (per the author): NOP it out and recompute the PE checksum
...

2. 驱动处理逻辑

memset32(DriverObject->MajorFunction, (int)fn_common, 0x1Bu);
DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)fn_null;
DriverObject->MajorFunction[3] = (PDRIVER_DISPATCH)fn_read;
DriverObject->MajorFunction[4] = (PDRIVER_DISPATCH)fn_write;
DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)fn_DeviceControl;
DriverObject->MajorFunction[18] = (PDRIVER_DISPATCH)fn_null;
DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)fn_null;
DriverObject->DriverUnload = (PDRIVER_UNLOAD)fn_unload;


fn_write(对应应用层 WriteFile): 对 sn 做简单变换(首字节加 1, 再给每个字节加上其下标), 计算 md5 并保存到 g_digest

.text:0001067F                 push    offset g_digest         ; 2nd arg: global digest buffer
.text:00010684                 push    ebx                     ; 1st arg: ebx — presumably the sn bytes from the WriteFile buffer; confirm in the caller
.text:00010685                 call    sub_104B6               ; transform sn and hash it; body excerpted below (from 1050D)
.text:0001050D                 inc     [ebp+sn]                ; sn[0] += 1
.text:00010510                 cmp     esi, eax                ; esi = length?, eax = start index (presumably 0) — loop only while index < esi
.text:00010512                 jle     short loc_1051D
.text:00010514                 add     [ebp+eax+sn], al        ; sn[i] += i (low byte of the index)
.text:00010518                 inc     eax
.text:00010519                 cmp     eax, esi
.text:0001051B                 jl      short loc_10514         ; signed loop: for (i; i < esi; i++)
.text:0001051D                 lea     eax, [ebp+digest]       ; IDA calls this "digest"; it is passed to md5_init, so it is the MD5 context
.text:00010520                 push    eax
.text:00010521                 call    md5_init                ; md5_init(&ctx)
.text:00010526                 lea     eax, [ebp+sn]
.text:00010529                 lea     edx, [eax+1]            ; edx = sn + 1, used to turn the end pointer into a length
.text:0001052C                 mov     cl, [eax]
.text:0001052E                 inc     eax
.text:0001052F                 test    cl, cl
.text:00010531                 jnz     short loc_1052C         ; scan to the terminating NUL (inline strlen)
.text:00010533                 sub     eax, edx                ; eax = strlen(sn)
.text:00010535                 push    eax                     ; len
.text:00010536                 lea     eax, [ebp+sn]
.text:00010539                 push    eax                     ; sn
.text:0001053A                 lea     eax, [ebp+digest]
.text:0001053D                 push    eax                     ; &ctx
.text:0001053E                 call    md5_update              ; md5_update(&ctx, sn, strlen(sn))
.text:00010543                 push    ebx                     ; output pointer; how ebx relates to the caller's arguments is not visible here
.text:00010544                 lea     eax, [ebp+digest]
.text:00010547                 push    eax
.text:00010548                 call    md5_final               ; md5_final(&ctx, ebx) — writes the digest to ebx


fn_read(对应应用层 ReadFile): 将 g_digest 返回给应用层


3. 应用层逻辑

.rdata:0042381C                 dd offset CXXDlg__OnInitDialog  ; dialog handler pointers in .rdata (presumably the MFC message map / vtable)
.rdata:00423824                 dd offset CXXDlg__OnOK          ; OnOK is the sn-check handler analysed below


CXXDlg::OnInitDialog: 释放并加载驱动


CXXDlg::OnOK


sn 先转小写, 再逆序

.text:004017A2                 lea     ecx, [esp+2Ch+sn]       ; ecx = &sn (this-pointer style call)
.text:004017A6                 mov     [esp+2Ch+var_8], 1      ; local set to 1 (its purpose is not visible in this excerpt)
.text:004017AB                 call    lower                   ; sn = tolower(sn)
.text:004017B0                 lea     ecx, [esp+2Ch+sn]
.text:004017B4                 call    reverse                 ; sn = reverse(sn)


sn 长度必须为 6 位

.text:004017BE                 mov     ecx, [esp+2Ch+sn]       ; ecx = sn's character buffer
.text:004017C2                 mov     eax, [eax+4]
.text:004017C5                 cmp     dword ptr [ecx-8], 6    ; length field kept 8 bytes before the buffer (presumably MFC CString's nDataLength) must be 6
.text:004017C9                 jnz     loc_4018C2              ; wrong length -> reject


通过 drv_comm 与驱动通信, 由驱动处理 sn

.text:004017E5                 mov     edx, [esp+2Ch+sn]       ; edx = sn buffer
.text:004017E9                 lea     ecx, [esp+2Ch+sn]       ; ecx = &sn
.text:004017ED                 mov     eax, [edx-8]            ; eax = sn length (same length field as the check above)
.text:004017F0                 push    eax             ; size_t: the sn length
.text:004017F1                 push    0
.text:004017F3                 call    sub_418263              ; returns a char* (presumably a buffer/copy of sn of that size — not shown)
.text:004017F8                 push    eax             ; char *: buffer handed to the driver
.text:004017F9                 mov     ecx, esi                ; ecx = this (dialog)
.text:004017FB                 call    drv_comm                ; drv_comm(buf): presumably WriteFile -> fn_write, then ReadFile -> fn_read (section 2)


驱动返回后, 对返回的摘要再计算一次 md5

.text:00401829                 call    md5                     ; second MD5 pass over the value returned by the driver (cf. md5(md5(f)) in section 4)


取 md5 结果第 2–12 位(10 个字符)与 888aeda4ab 比较

.text:0040182E                 push    0Ah                     ; count = 10
.text:00401830                 lea     eax, [esp+30h+var_18]
.text:00401834                 push    2                       ; start index = 2
.text:00401836                 push    eax                     ; &var_18
.text:00401837                 lea     ecx, [esp+38h+var_1C]   ; ecx = &var_1C (this)
.text:0040183B                 call    sub_415A78              ; substring(2, 10) of the md5 hex string (presumably CString::Mid); which of var_18/var_1C holds the result is not visible here
...
.text:00401872                 mov     ecx, [esp+30h+var_1C]   ; the extracted 10 characters (after the elided code)
.text:00401876                 push    offset a888aeda4ab      ; expected "888aeda4ab"
.text:0040187B                 push    ecx
.text:0040187C                 call    __mbsicmp               ; case-insensitive compare with the constant


4. 穷举(跑了40分钟左右)

import hashlib
import itertools
def md5(s):
        """Return the hex MD5 digest of the UTF-8 encoding of ``s``."""
        return hashlib.md5(s.encode('utf8')).hexdigest()
m='0123456789abcdefghijklmnopqrstuvwxyz'  # candidate alphabet per sn position: the app lower-cases sn first (section 3), so only 0-9a-z are tried
#print(len(m))
def revert(s):
        """Undo the driver-side transform on the first 6 characters of ``s``.

        The driver adds 1 to byte 0 and then adds its index to every byte
        (net offsets 1, 1, 2, 3, 4, 5), and the app reversed the sn before
        sending it — so subtract the offsets and reverse to get the sn back.
        Only ``s[0:6]`` is used; shorter inputs raise IndexError.
        """
        codes = [ord(s[i]) - i for i in range(6)]
        codes[0] -= 1
        return ''.join(chr(c) for c in codes)[::-1]
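def solve(target='888aeda4ab', alphabet=None):
        """Brute-force the 6-character sn that passes the binary's check.

        Mirrors the binary: the app lower-cases and reverses sn, the driver
        adds 1 to byte 0 and its index to every byte and MD5s the result,
        then the app MD5s the returned digest again and compares hex chars
        [2:12] with ``target``.  Candidates are tried in the same order as
        six nested loops over ``alphabet`` (``itertools.product``), so the
        first hit is the same one the nested-loop version finds.

        Args:
            target: the 10 hex characters expected at ``digest[2:12]``.
            alphabet: characters tried at each position; defaults to ``m``.

        Returns:
            The recovered sn (also printed), or None if no candidate matches.
        """
        chars = m if alphabet is None else alphabet
        # per-position offsets applied by the driver: +1 on byte 0, then +i on byte i
        offsets = (1, 1, 2, 3, 4, 5)
        for combo in itertools.product(chars, repeat=6):
                f = ''.join(chr(ord(c) + d) for c, d in zip(combo, offsets))
                if md5(md5(f))[2:12] == target:
                        sn = revert(f)
                        print(sn)
                        return sn
        return None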
print('start')
solve()  # prints the recovered sn; 36**6 candidates, about 40 minutes for the author
print('end')

>>> su1986



