首页
论坛
课程
招聘
[原创]第三题 破解自坑
2017-10-28 22:35 1090

[原创]第三题 破解自坑

2017-10-28 22:35
1090
工具ollyice,变种ollyice

crackMe.exe无壳

刚开始调试,调试器各种错误和自动关闭。有反调试机制,换变种ollyice ,顺利启动程序。

查看字符串,果然存在很多调试器的关键标志,如下图:

顺便看了一下,更可怕的是这些:

感觉像莫尔斯码(求证),里面有decode这类字符,真假难辨~

跑了一遍,输入伪代码没有错误提示,直接下了断点 GetWindowTextA,直接可以定位到验证按钮后的关键CALL 如下图:



0043507C   .  3BF4          cmp esi,esp
0043507E   .  E8 CE8DFFFF   call crackMe.0042DE51
00435083   .  8985 E0FBFFFF mov dword ptr ss:[ebp-0x420],eax
00435089   .  C685 C8EFFFFF>mov byte ptr ss:[ebp-0x1038],0x0
00435090   .  68 FF030000   push 0x3FF
00435095   .  6A 00         push 0x0
00435097   .  8D85 C9EFFFFF lea eax,dword ptr ss:[ebp-0x1037]
0043509D   .  50            push eax
0043509E   .  E8 4385FFFF   call crackMe.0042D5E6
004350A3   .  83C4 0C       add esp,0xC
004350A6   .  8D85 D0F3FFFF lea eax,dword ptr ss:[ebp-0xC30]
004350AC   .  50            push eax
004350AD   .  68 00040000   push 0x400
004350B2   .  8D8D D8F7FFFF lea ecx,dword ptr ss:[ebp-0x828]
004350B8   .  51            push ecx                                 ;  user32.77D321CC
004350B9   .  E8 A981FFFF   call crackMe.0042D267
004350BE   .  83C4 0C       add esp,0xC
004350C1   .  C685 C0EBFFFF>mov byte ptr ss:[ebp-0x1440],0x0
004350C8   .  68 FF030000   push 0x3FF
004350CD   .  6A 00         push 0x0
004350CF   .  8D85 C1EBFFFF lea eax,dword ptr ss:[ebp-0x143F]
004350D5   .  50            push eax
004350D6   .  E8 0B85FFFF   call crackMe.0042D5E6
004350DB   .  83C4 0C       add esp,0xC
004350DE   .  8D85 C8EFFFFF lea eax,dword ptr ss:[ebp-0x1038]
004350E4   .  50            push eax
004350E5   .  68 00040000   push 0x400
004350EA   .  8D8D D0F3FFFF lea ecx,dword ptr ss:[ebp-0xC30]
004350F0   .  51            push ecx                                 ;  user32.77D321CC
004350F1   .  E8 7181FFFF   call crackMe.0042D267
004350F6   .  83C4 0C       add esp,0xC
004350F9   .  68 00040000   push 0x400
004350FE   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]
00435104   .  50            push eax
00435105   .  8D8D C8EFFFFF lea ecx,dword ptr ss:[ebp-0x1038]
0043510B   .  51            push ecx                                 ;  user32.77D321CC
0043510C   .  E8 5988FFFF   call crackMe.0042D96A
00435111   .  83C4 0C       add esp,0xC
00435114   .  C785 B4EBFFFF>mov dword ptr ss:[ebp-0x144C],0x3
0043511E   .  8D85 8CEBFFFF lea eax,dword ptr ss:[ebp-0x1474]
00435124   .  50            push eax
00435125   .  8B8D B4EBFFFF mov ecx,dword ptr ss:[ebp-0x144C]
0043512B   .  51            push ecx                                 ;  user32.77D321CC
0043512C   .  8D95 C8EFFFFF lea edx,dword ptr ss:[ebp-0x1038]
00435132   .  52            push edx
00435133   .  E8 4089FFFF   call crackMe.0042DA78
00435138   .  83C4 0C       add esp,0xC
0043513B   .  C785 78E7FFFF>mov dword ptr ss:[ebp-0x1888],0x0
00435145   .  EB 0F         jmp short crackMe.00435156
00435147   >  8B85 78E7FFFF mov eax,dword ptr ss:[ebp-0x1888]
0043514D   .  83C0 01       add eax,0x1
00435150   .  8985 78E7FFFF mov dword ptr ss:[ebp-0x1888],eax
00435156   >  83BD 78E7FFFF>cmp dword ptr ss:[ebp-0x1888],0x20
0043515D   .  7D 2C         jge short crackMe.0043518B
0043515F   .  8B85 78E7FFFF mov eax,dword ptr ss:[ebp-0x1888]
00435165   .  0FB68C05 8CEB>movzx ecx,byte ptr ss:[ebp+eax-0x1474]
0043516D   .  51            push ecx                                 ;  user32.77D321CC
0043516E   .  68 A4B14800   push crackMe.0048B1A4                    ;  %02x
00435173   .  8B95 78E7FFFF mov edx,dword ptr ss:[ebp-0x1888]
00435179   .  8D8455 84E7FF>lea eax,dword ptr ss:[ebp+edx*2-0x187C]
00435180   .  50            push eax
00435181   .  E8 7F8DFFFF   call crackMe.0042DF05
00435186   .  83C4 0C       add esp,0xC
00435189   .^ EB BC         jmp short crackMe.00435147
0043518B   >  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]
00435191   .  50            push eax
00435192   .  E8 FD85FFFF   call crackMe.0042D794
00435197   .  83C4 04       add esp,0x4
0043519A   .  50            push eax
0043519B   .  8D8D D8F7FFFF lea ecx,dword ptr ss:[ebp-0x828]
004351A1   .  51            push ecx                                 ;  user32.77D321CC
004351A2   .  E8 ED85FFFF   call crackMe.0042D794
004351A7   .  83C4 04       add esp,0x4
004351AA   .  8DB405 D8F7FF>lea esi,dword ptr ss:[ebp+eax-0x828]
004351B1   .  8D95 84E7FFFF lea edx,dword ptr ss:[ebp-0x187C]
004351B7   .  52            push edx
004351B8   .  E8 D785FFFF   call crackMe.0042D794
004351BD   .  83C4 04       add esp,0x4
004351C0   .  2BF0          sub esi,eax
004351C2   .  56            push esi
004351C3   .  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]
004351C9   .  50            push eax
004351CA   .  E8 5889FFFF   call crackMe.0042DB27
004351CF   .  83C4 0C       add esp,0xC
004351D2   .  85C0          test eax,eax
004351D4   .  75 3E         jnz short crackMe.00435214
004351D6   .  E8 D97EFFFF   call crackMe.0042D0B4
004351DB   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]
004351E1   .  50            push eax
004351E2   .  68 00B04900   push crackMe.0049B000
004351E7   .  E8 BF87FFFF   call crackMe.0042D9AB
004351EC   .  83C4 08       add esp,0x8
004351EF   .  0FB6C8        movzx ecx,al
004351F2   .  83F9 01       cmp ecx,0x1
004351F5   .  75 1D         jnz short crackMe.00435214
004351F7   .  8BF4          mov esi,esp
004351F9   .  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004351FB   .  68 98B14800   push crackMe.0048B198                    ; |CrackMe
00435200   .  68 94B14800   push crackMe.0048B194                    ; |ok
00435205   .  6A 00         push 0x0                                 ; |hOwner = NULL
00435207   .  FF15 88F54900 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA



其中可以看到大致流程,有调用MessageBoxA 进行消息提示:

那么往上面下CALL的断点,进行分析如下:

004351B8   .  E8 D785FFFF   call crackMe.0042D794                    ;  //取出伪码和一个字符串要搞什么
004351BD   .  83C4 04       add esp,0x4
004351C0   .  2BF0          sub esi,eax
004351C2   .  56            push esi
004351C3   .  8D85 84E7FFFF lea eax,dword ptr ss:[ebp-0x187C]
004351C9   .  50            push eax
004351CA   .  E8 5889FFFF   call crackMe.0042DB27
004351CF   .  83C4 0C       add esp,0xC
004351D2   .  85C0          test eax,eax
004351D4   .  75 3E         jnz short crackMe.00435214
004351D6   .  E8 D97EFFFF   call crackMe.0042D0B4
004351DB   .  8D85 C0EBFFFF lea eax,dword ptr ss:[ebp-0x1440]
004351E1   .  50            push eax
004351E2   .  68 00B04900   push crackMe.0049B000
004351E7   .  E8 BF87FFFF   call crackMe.0042D9AB
004351EC   .  83C4 08       add esp,0x8
004351EF   .  0FB6C8        movzx ecx,al
004351F2   .  83F9 01       cmp ecx,0x1
004351F5   .  75 1D         jnz short crackMe.00435214               ;  //关键jnz
004351F7   .  8BF4          mov esi,esp
004351F9   .  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004351FB   .  68 98B14800   push crackMe.0048B198                    ; |CrackMe
00435200   .  68 94B14800   push crackMe.0048B194                    ; |ok
00435205   .  6A 00         push 0x0                                 ; |hOwner = NULL
00435207   .  FF15 88F54900 call dword ptr ds:[<&USER32.MessageBoxA>>; \弹出注册成功的消息!



跟踪下来,在004351B8 这个CALL 这里,寄存器情况如下

EAX 00000014
ECX 0012F16C ASCII "12345678901234657980"
EDX 0012E118 ASCII "183920f00e15a0433ee3a8fc90dd9ac164c4142ccf63ca189a8f645ec96ff8de"
EBX 00000000
ESP 0012DF40
EBP 0012F994
ESI 0012F180
EDI 0012F994
EIP 004351B8 crackMe.004351B8
C 0  ES 0023 32位 0(FFFFFFFF)
P 1  CS 001B 32位 0(FFFFFFFF)
A 0  SS 0023 32位 0(FFFFFFFF)
Z 0  DS 0023 32位 0(FFFFFFFF)
S 0  FS 003B 32位 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_INVALID_HANDLE (00000006)
EFL 00000206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 0.0000000156560127760e-4933
ST1 empty 9.7995518123247349760e-163
ST2 empty -1.0035814415065585664e-632
ST3 empty +UNORM 0001 000053F7 BAF64B4C
ST4 empty +UNORM 024A 0000040F 0072E1F4
ST5 empty +UNORM 4C78 00000000 00000257
ST6 empty 2.4045632356348871680e-2620
ST7 empty 4.9108275470228848640e-4932
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  掩码    1 1 1 1 1 1

其中看到
伪注册码:

12345678901234657980

神奇字符串:

183920f00e15a0433ee3a8fc90dd9ac164c4142ccf63ca189a8f645ec96ff8de

这两个在一起,是要搞点什么事情???

直接复制出来神奇字符串取程序,呵呵,程序 提示 OK !!


别以为我的做玩了!!!!!自坑之路才开始!

我用IE 登陆ctf 提交答案,浏览器提示答案不对!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

于是。。。。。。。。。。。。。从早上12点开题,一直到下午6点左右,反复研究神奇字符串是咋个来的!

以及可能的字符串的各种算法尝试,就在要放弃的情况,神不知鬼不觉的情况,换了个浏览器。神奇字符串一输入,点提交居然验证成功!

另外,我是不会和你说,我搞了莫尔斯代码与神奇字符串二进制转换脚本!!!!



[培训]12月3日2020京麒网络安全大会《物联网安全攻防实战》训练营,正在火热报名中!地点:北京 · 新云南皇冠假日酒店

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回