
[Original] 看雪CTF2017 Problem 5

NearJMP 2017-6-10 18:41 667

The program embeds a driver file; opening the executable in VS and browsing its resources lets you pull the driver out directly.

The driver has only a handful of functions, and the DbgPrint strings give away what most of them do.

There is anti-debugging. In the r3 program you can NOP out the function call at 0x004015D4, and, to keep the stack balanced, also NOP out the argument push at 0x004015D0.

After a quick analysis plus some debugging, the overall flow is: the r3 program reads the input, checks that its length is 6, converts it to lowercase, reverses it, and sends it to the driver. (At first I didn't notice that the driver only ever receives lowercase characters, which enlarged the enumeration range later on... and wasted quite a bit of time.)

On receiving the data, the driver adds 1, 1, 2, 3, 4 and 5 respectively to the six bytes (hence the "112345" in the analysis), computes the MD5 of the result and returns it.

When the r3 program gets the MD5 back it hashes the hex digest string again with MD5, takes the slice [2:12] of the second hex digest (10 characters starting at offset 2), and compares it with the preset value 888aeda4ab.

Based on the analysis above I wrote the following enumeration script:

import hashlib
import time

if __name__ == '__main__':
    # Candidates as the driver sees them: the lowercase input is reversed and
    # position i gets +1,+1,+2,+3,+4,+5 added, so each array is '0'-'9','a'-'z'
    # shifted by that position's offset (36 entries each).
    ary0 = ['1','2','3','4','5','6','7','8','9', ':',\
            'b','c','d','e','f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{']
            
    ary1 = ['1','2','3','4','5','6','7','8','9', ':',\
            'b','c','d','e','f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{']
            
    ary2 = ['2','3','4','5','6','7','8','9', ':', ';',\
            'c','d','e','f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{','|']
            
    ary3 = ['3','4','5','6','7','8','9', ':', ';', '<',\
            'd','e','f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{','|','}']
            
    ary4 = ['4','5','6','7','8','9', ':', ';', '<', '=',\
            'e','f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{','|','}','~']
    
    ary5 = ['5','6','7','8','9', ':', ';', '<', '=','>',\
            'f','g','h','i','j','k','l',\
            'm','n','o','p','q','r','s','t','u','v','w',\
            'x','y','z','{','|','}','~', chr(0x7F)]
            
    print(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())))
    for i in range(0, 36):
        for j in range(0, 36):
            for k in range(0, 36):
                for l in range(0, 36):
                    for m in range(0, 36):
                        for n in range(0, 36):
                            cand = ary0[i]+ary1[j]+ary2[k]+ary3[l]+ary4[m]+ary5[n]
                            # driver: MD5 of the 6 bytes; r3: MD5 of that hex string
                            inner = hashlib.md5(cand.encode('ascii')).hexdigest()
                            check = hashlib.md5(inner.encode('ascii')).hexdigest()
                            if check[2:12] == '888aeda4ab':
                                # undo the offsets and the reversal to get the original input
                                print(chr(ord(ary5[n]) - 5) +
                                      chr(ord(ary4[m]) - 4) +
                                      chr(ord(ary3[l]) - 3) +
                                      chr(ord(ary2[k]) - 2) +
                                      chr(ord(ary1[j]) - 1) +
                                      chr(ord(ary0[i]) - 1))
                                input()
            print(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(time.time())))
            print("i=%d, j=%d" % (i, j))

The outermost loop of the script can be cut into 6 ranges and run in 6 separate cmd windows; running the whole space to completion takes a little over an hour, and reaching the correct answer takes about 10 minutes. (CPU: i7-6700K)

The final result is su1986.
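The r3 + driver check described in this writeup (lowercase, reverse, add 1,1,2,3,4,5, MD5, MD5 of the hex digest, compare hexdigest[2:12]), as an added example that is not the original post's script: it simulates the check on a single candidate, inverts the driver-side transform, and replaces the manual split into six cmd windows with one job per first character spread over a process pool. The function names, the alphabet constant and the process-pool layout are my own choices; the hashing flow and the constants 888aeda4ab and [2:12] come from the writeup. Input is assumed to be ASCII, as the writeup's enumeration assumes.

```python
import hashlib
import itertools
import sys
from multiprocessing import Pool

# Flow reconstructed from the writeup: r3 lowercases and reverses the 6-character
# input, the driver adds 1,1,2,3,4,5 to the six bytes and MD5s them, and r3 MD5s
# the returned hex digest and compares hexdigest[2:12] with TARGET.
OFFSETS = (1, 1, 2, 3, 4, 5)
TARGET = "888aeda4ab"
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # what survives the lowercase step


def driver_input(password: str) -> bytes:
    """Bytes the driver receives: lowercase, reversed, per-position offset added.
    Assumes ASCII input (assumption, matching the writeup's enumeration)."""
    rev = password.lower()[::-1].encode("ascii")
    return bytes(b + off for b, off in zip(rev, OFFSETS))


def recover(buf: bytes) -> str:
    """Inverse of driver_input: remove the offsets, then undo the reversal."""
    return bytes(b - off for b, off in zip(buf, OFFSETS))[::-1].decode("ascii")


def double_md5_slice(buf: bytes) -> str:
    """Driver: MD5 of the 6 bytes. r3: MD5 of that hex string, then slice [2:12]."""
    inner = hashlib.md5(buf).hexdigest()
    outer = hashlib.md5(inner.encode("ascii")).hexdigest()
    return outer[2:12]


def check_password(password: str, target: str = TARGET) -> bool:
    """Simulate the full r3 + driver check on one candidate (length check included)."""
    if len(password) != 6:
        return False
    return double_md5_slice(driver_input(password)) == target


def search_prefix(job):
    """Enumerate every password starting with `first`; one such job per worker."""
    first, alphabet, target = job
    for tail in itertools.product(alphabet, repeat=5):
        pw = first + "".join(tail)
        if double_md5_slice(driver_input(pw)) == target:
            return pw
    return None


def brute_force(target: str = TARGET, alphabet: str = ALPHABET):
    """Single-process search over alphabet**6, split by first character."""
    for first in alphabet:
        hit = search_prefix((first, alphabet, target))
        if hit is not None:
            return hit
    return None


def brute_force_parallel(target: str = TARGET, alphabet: str = ALPHABET, workers=None):
    """Same search, one job per first character over a process pool
    (replaces the writeup's manual split into six cmd windows)."""
    jobs = [(c, alphabet, target) for c in alphabet]
    with Pool(workers) as pool:
        for hit in pool.imap_unordered(search_prefix, jobs):
            if hit is not None:
                pool.terminate()
                return hit
    return None


if __name__ == "__main__":
    # `python solve.py su1986` checks one candidate; no argument runs the full search.
    if len(sys.argv) > 1:
        print(check_password(sys.argv[1]))
    else:
        print(brute_force_parallel())
```

`brute_force_parallel()` with the full alphabet covers the same 36^6 space as the script above, so it still takes on the order of an hour on one machine; the worked password from the writeup can be confirmed in an instant with `check_password("su1986")`. The search enumerates passwords directly rather than driver-side bytes, so no inversion step is needed when a hit is printed; `recover` is kept for turning a driver buffer seen in a debugger back into the typed input.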
