首页
论坛
专栏
课程
3

[原创]第五题

EricAzhe 2017-6-10 14:56 482

1、首先pass DebugPort清零反调试,驱动vmxdrv.sys里ida反编译代码如下:

PEPROCESS sub_10486()
{
  PEPROCESS result; // eax@1
  struct _EPROCESS *v1; // edx@1

  result = IoGetCurrentProcess();
  v1 = result;
  while ( result != (PEPROCESS)dword_114E0 )
  {
    result = (PEPROCESS)(*((_DWORD *)result + 34) - 0x88);
    if ( result == v1 )
      return result;
  }
  *((_DWORD *)result + 0x2F) = 0;   //DebugPort清零 ,对应地址.text:000104A9                 and     dword ptr [eax+0BCh], 0

  return result;
}

用ResScope资源编辑修改exe里面的vmxdrv.sys,把text:000104A9                 and     dword ptr [eax+0BCh], 0  全部nop,

vmxdrv.sys文件偏移0x4A9: 83 A0 BC 00 00 00 00 为 90 90 90 90 90 90 90

然后在修改效验和为0x2813,vmxdrv.sys文件偏移0x2A0:13 28

最后保存,驱动反调试已经pass


2、加密算法 
key-》判断key长度是不是6位-》key字符倒序-》传到vmxdrv.sys,key[0]+1,key[1]+1,key[2]+2,key[3]+3,key[4]+4 ,key[5]+5,在做一次MD5计算-》exe把MD5在做一次MD5

-》判断MD5字符串第3到12位是不是等于888aeda4ab,具体爆破算法如下:

#include "stdafx.h"
#include "Md5A.h"

int _tmain(int argc, _TCHAR* argv[])
{
    CMd5A md5;
    char szResult[]={0x88,0x8a,0xed,0xa4,0xab};
    unsigned char szString[]="0123456789abcdefghijklmnopqrstuvwxyz";

    unsigned char szkey[10]={NULL};
    char szMd5[16];
    int a,b,c,d,e,f;
    int len=strlen((char*)szString);
    char* lpMd5=NULL;
    memset(szkey,0,sizeof(szkey));

    for (a=0;a<len;a++)
    {
        szkey[0]=szString[a]+1;
        for (b=0;b<len;b++)
        {
            szkey[1]=szString[b]+1;
            for (c=0;c<len;c++)
            {
                szkey[2]=szString[c]+2;
                for (d=0;d<len;d++)
                {
                    szkey[3]=szString[d]+3;
                    for (e=0;e<len;e++)
                    {
                        szkey[4]=szString[e]+4;
                        for (f=0;f<len;f++)
                        {
                            szkey[5]=szString[f]+5;

                            lpMd5=md5.MDString((char*)szkey);
                            lpMd5=md5.MDBuffer(lpMd5,32);
                            if (memcmp(&lpMd5[1],szResult,5)==0)
                            {
                                szkey[0] = szkey[0] - 1;
                                szkey[1] = szkey[1] - 1;
                                szkey[2] = szkey[2] - 2;
                                szkey[3] = szkey[3] - 3;
                                szkey[4] = szkey[4] - 4;
                                szkey[5] = szkey[5] - 5;
                                printf("key:");
                                for (int i=5;i>=0;i--)
                                {
                                    printf("%c",szkey[i]);
                                }   
                                getchar();                             
                                return 0;
                            }
                        }
                    }
                }
            }
        }
    }
    return 0;
}

输出结果:su1986





快讯:看雪智能设备漏洞挖掘公开课招生中!

最新回复 (0)
返回