
[原创]看雪.京东 2018CTF 第十二题 破解之道 WriteUp

lacoucou 2018-7-9 11:01 141
x64的程序。
000000013FEE61A0          | 48 8B C4                 | mov rax,rsp                                             |
000000013FEE61A3          | 55                       | push rbp                                                |
000000013FEE61A4          | 57                       | push rdi                                                | 
000000013FEE61A5          | 41 56                    | push r14                                                |
000000013FEE61A7          | 48 8D 68 A1              | lea rbp,qword ptr ds:[rax-5F]                           |
000000013FEE61AB          | 48 81 EC B0 00 00 00     | sub rsp,B0                                              |
000000013FEE61B2          | 48 C7 45 1F FE FF FF FF  | mov qword ptr ss:[rbp+1F],FFFFFFFFFFFFFFFE              |
000000013FEE61BA          | 48 89 58 10              | mov qword ptr ds:[rax+10],rbx                           |
000000013FEE61BE          | 48 89 70 20              | mov qword ptr ds:[rax+20],rsi                           |
000000013FEE61C2          | 83 F9 02                 | cmp ecx,2                                               | 命令行参数
000000013FEE61C5          | 0F 84 23 08 00 00        | je crackme.13FEE69EE                                    |
000000013FEE61CB          | 8B 0D 4F 1E 03 00        | mov ecx,dword ptr ds:[13FF18020]                        | 这里是显示怎么输入flag的
。。。。。。。。。。。。。。。。
000000013FEE69EE          | 41 B9 04 01 00 00        | mov r9d,104                                             |
000000013FEE69F4          | 4C 8B 42 08              | mov r8,qword ptr ds:[rdx+8]                             |
000000013FEE69F8          | 41 8B D1                 | mov edx,r9d                                             |
000000013FEE69FB          | 48 8D 0D FE 28 03 00     | lea rcx,qword ptr ds:[13FF19300]                        | 这里出现注册码  13F739300:"KXCTF20189NTDLL9DbgUiContinue9"
000000013FEE6A02          | E8 55 7B 00 00           | call crackme.13FEEE55C                                  |
000000013FEE6A07          | 48 BA 00 00 00 00 06 00  | movabs rdx,600000000                                    |
000000013FEE6A11          | 48 8D 4D 77              | lea rcx,qword ptr ss:[rbp+77]                           |
000000013FEE6A15          | E8 E6 C3 FF FF           | call crackme.13FEE2E00                                  | 正确流程
000000013FEE6A1A          | 33 C0                    | xor eax,eax                                             |
000000013FEE6A1C          | 4C 8D 9C 24 B0 00 00 00  | lea r11,qword ptr ss:[rsp+B0]                           |
000000013FEE6A24          | 49 8B 5B 28              | mov rbx,qword ptr ds:[r11+28]                           |
000000013FEE6A28          | 49 8B 73 38              | mov rsi,qword ptr ds:[r11+38]                           |
000000013FEE6A2C          | 49 8B E3                 | mov rsp,r11                                             |
000000013FEE6A2F          | 41 5E                    | pop r14                                                 |
000000013FEE6A31          | 5F                       | pop rdi                                                 | 
000000013FEE6A32          | 5D                       | pop rbp                                                 |
000000013FEE6A33          | C3                       | ret                                                     |

程序首先判断命令行参数个数(13FEE61C2 处 `cmp ecx,2` / `je`):只有 argc 恰好等于 2 时才跳到 13FEE69EE 去取 argv[1];否则(只有程序名,或者参数多于 2 个)都走提示分支,显示:
input like this:crackme.exe mykey
argc == 2 时,13FEE69EE 处以 rcx=13FF19300(全局缓冲区)、rdx=0x104、r8=argv[1](即 [rdx+8])调用 13FEEE55C,参数形态和 strcpy_s(dst, 0x104, src) 一致(推测是把输入拷进 0x104 字节的全局缓冲区,待确认),随后进入 call 0x13fee2e00。
X64传参
//VS X64 程序传参(Microsoft x64 调用约定):
//前四个整数/指针参数依次放在 rcx,rdx,r8,r9,其余用栈传参;调用方还要在返回地址之上为被调方预留 32 字节 shadow space,所以本例 sub rsp 之后 [rsp+20] 才是第一个可用的本地槽(13F903F31 处正是把单字节写到 [rsp+20])。

//https://www.chinapyg.com/forum.php?mod=viewthread&tid=75685
//GCC X64 (Linux)传参:
//前 6 个整数/指针参数依次放在 rdi,rsi,rdx,rcx,r8,r9;浮点参数依次放在 xmm0–xmm7。
//剩余的用栈传参
进入主函数之后有大段大段的无效指令,这些指令除了影响流程外,基本没什么用,有用的都是call调用。
000000013F9033A6          | 48 8D 05 53 5F 03 00     | lea rax,qword ptr ds:[13F939300]                        | 获取注册码
000000013F9033AD          | 4D 8B CE                 | mov r9,r14                                              |
000000013F9033B0          | 49 FF C1                 | inc r9                                                  |
000000013F9033B3          | 46 38 24 08              | cmp byte ptr ds:[rax+r9],r12b                           |
000000013F9033B7          | 75 F7                    | jne crackme.13F9033B0                                   | 判断是否为空
000000013F9033B9          | 49 8B C1                 | mov rax,r9                                              |
000000013F9033BC          | 48 C1 E8 20              | shr rax,20                                              |
000000013F9033C0          | 41 8B CB                 | mov ecx,r11d                                            |
000000013F9033C3          | 2B C8                    | sub ecx,eax                                             |
000000013F9033C5          | 41 8B D1                 | mov edx,r9d                                             | 长度
.........................................
........................................
000000013F903458          | 49 83 F8 1E              | cmp r8,1E                                               |
000000013F90345C          | 74 3D                    | je crackme.13F90349B                                    |

以上是校验注册码长度的代码:先逐字节扫描到结尾 0(13F9033B0 处的循环,r12b 应为 0)得到长度,再在 13F903458 处 `cmp r8,1E`,所以注册码长度必须等于 0x1E,即 30 个字符(原文的 0x18 是笔误,0x18 = 24)。


000000013F903F2A               | 0F B6 05 CF 53 03 00     | movzx eax,byte ptr ds:[13F939300]                       | 13F939300:"KXCTF20189NTDLL9DbgUiContinue9"
000000013F903F31               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F903F35               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F903F3A               | E8 81 EB FF FF           | call <crackme.FnvHash>                                  |
000000013F903F3F               | 48 B9 EA 33 02 86 4C 06  | movabs rcx,AF64064C860233EA                             | rcx:L"K+"
000000013F903F49               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F903F4C               | 74 15                    | je crackme.13F903F63                                    |
000000013F903F4E               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F903F58               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F903F5E               | E9 CB 01 00 00           | jmp crackme.13F90412E                                   |
000000013F903F63               | 0F B6 05 97 53 03 00     | movzx eax,byte ptr ds:[13F939301]                       | 13F939301:"XCTF20189NTDLL9DbgUiContinue9"
000000013F903F6A               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F903F6E               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F903F73               | E8 48 EB FF FF           | call <crackme.FnvHash>                                  |
000000013F903F78               | 48 B9 67 4D 02 86 4C 15  | movabs rcx,AF64154C86024D67                             | rcx:L"K+"
000000013F903F82               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F903F85               | 74 15                    | je crackme.13F903F9C                                    |
000000013F903F87               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F903F91               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F903F97               | E9 92 01 00 00           | jmp crackme.13F90412E                                   |
000000013F903F9C               | 0F B6 05 5F 53 03 00     | movzx eax,byte ptr ds:[13F939302]                       | 13F939302:"CTF20189NTDLL9DbgUiContinue9"
000000013F903FA3               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F903FA7               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F903FAC               | E8 0F EB FF FF           | call <crackme.FnvHash>                                  |
000000013F903FB1               | 48 B9 52 26 02 86 4C FE  | movabs rcx,AF63FE4C86022652                             | rcx:L"K+"
000000013F903FBB               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F903FBE               | 74 15                    | je crackme.13F903FD5                                    |
000000013F903FC0               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F903FCA               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F903FD0               | E9 59 01 00 00           | jmp crackme.13F90412E                                   |
000000013F903FD5               | 0F B6 05 27 53 03 00     | movzx eax,byte ptr ds:[13F939303]                       | 13F939303:"TF20189NTDLL9DbgUiContinue9"
000000013F903FDC               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F903FE0               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F903FE5               | E8 D6 EA FF FF           | call <crackme.FnvHash>                                  |
000000013F903FEA               | 48 B9 03 39 02 86 4C 09  | movabs rcx,AF64094C86023903                             | rcx:L"K+"
000000013F903FF4               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F903FF7               | 74 15                    | je crackme.13F90400E                                    |
000000013F903FF9               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F904003               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F904009               | E9 20 01 00 00           | jmp crackme.13F90412E                                   |
000000013F90400E               | 0F B6 05 EF 52 03 00     | movzx eax,byte ptr ds:[13F939304]                       | 13F939304:"F20189NTDLL9DbgUiContinue9"
000000013F904015               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F904019               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F90401E               | E8 9D EA FF FF           | call <crackme.FnvHash>                                  |
000000013F904023               | 48 B9 39 21 02 86 4C FB  | movabs rcx,AF63FB4C86022139                             | rcx:L"K+"
000000013F90402D               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F904030               | 74 15                    | je crackme.13F904047                                    |
000000013F904032               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F90403C               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F904042               | E9 E7 00 00 00           | jmp crackme.13F90412E                                   |
000000013F904047               | 0F B6 05 B7 52 03 00     | movzx eax,byte ptr ds:[13F939305]                       | 13F939305:"20189NTDLL9DbgUiContinue9"
000000013F90404E               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F904052               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F904057               | E8 64 EA FF FF           | call <crackme.FnvHash>                                  |
000000013F90405C               | 48 B9 15 A0 01 86 4C AF  | movabs rcx,AF63AF4C8601A015                             | rcx:L"K+"
000000013F904066               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F904069               | 74 15                    | je crackme.13F904080                                    |
000000013F90406B               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F904075               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F90407B               | E9 AE 00 00 00           | jmp crackme.13F90412E                                   |
000000013F904080               | 0F B6 05 7F 52 03 00     | movzx eax,byte ptr ds:[13F939306]                       | 13F939306:"0189NTDLL9DbgUiContinue9"
000000013F904087               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F90408B               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F904090               | E8 2B EA FF FF           | call <crackme.FnvHash>                                  |
000000013F904095               | 48 B9 AF 9C 01 86 4C AD  | movabs rcx,AF63AD4C86019CAF                             | rcx:L"K+"
000000013F90409F               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F9040A2               | 74 12                    | je crackme.13F9040B6                                    |
000000013F9040A4               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F9040AE               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F9040B4               | EB 78                    | jmp crackme.13F90412E                                   |
000000013F9040B6               | 0F B6 05 4A 52 03 00     | movzx eax,byte ptr ds:[13F939307]                       | 13F939307:"189NTDLL9DbgUiContinue9"
000000013F9040BD               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F9040C1               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F9040C6               | E8 F5 E9 FF FF           | call <crackme.FnvHash>                                  |
000000013F9040CB               | 48 B9 FC 9A 01 86 4C AC  | movabs rcx,AF63AC4C86019AFC                             | rcx:L"K+"
000000013F9040D5               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F9040D8               | 74 12                    | je crackme.13F9040EC                                    |
000000013F9040DA               | 48 B8 00 00 00 00 01 00  | movabs rax,100000000                                    |
000000013F9040E4               | 41 B9 00 3B 39 00        | mov r9d,393B00                                          |
000000013F9040EA               | EB 42                    | jmp crackme.13F90412E                                   |
000000013F9040EC               | 0F B6 05 15 52 03 00     | movzx eax,byte ptr ds:[13F939308]                       | 13F939308:"89NTDLL9DbgUiContinue9"
000000013F9040F3               | 88 44 24 20              | mov byte ptr ss:[rsp+20],al                             |
000000013F9040F7               | 48 8D 4C 24 20           | lea rcx,qword ptr ss:[rsp+20]                           |
000000013F9040FC               | E8 BF E9 FF FF           | call <crackme.FnvHash>                                  |
000000013F904101               | 48 B9 47 AA 01 86 4C B5  | movabs rcx,AF63B54C8601AA47                             | rcx:L"K+"
000000013F90410B               | 48 3B C1                 | cmp rax,rcx                                             | rcx:L"K+"
000000013F90410E               | 74 12                    | je crackme.13F904122                                    |
这一段对输入注册码的前 9 个字节(偏移 0x00–0x08,对应 13F939300…13F939308)逐个处理:每次把一个字节写到 [rsp+20],以它为一个单字节串调用 FnvHash,再和一个固定的 64 位常量比较;任一不相等就跳到 13F90412E 走失败路径。
作者脚本里用的 0xcbf29ce484222325 / 0x100000001b3 正是 64 位 FNV-1a 的 offset basis / prime,参考 https://blog.csdn.net/u013137970/article/details/79020095
因为每次只哈希一个字节,9 个目标值各自只依赖一个字符,对每个位置单独枚举可打印字符即可,无需联合爆破——逐字符独立校验把 62^9 的搜索空间缩成 9×62,是这类校验逻辑的典型弱点。
# 9 个目标值,按注册码字节位置 0..8 排列(取自 13F903F3F … 13F904101 处的 movabs rcx,…):
# [0] 0xaf64064c860233ea
# [1] 0xaf64154c86024d67
# [2] 0xaf63fe4c86022652
# [3] 0xaf64094c86023903
# [4] 0xaf63fb4c86022139
# [5] 0xaf63af4c8601a015
# [6] 0xaf63ad4c86019caf
# [7] 0xaf63ac4c86019afc
# [8] 0xaf63b54c8601aa47   (另一次加载基址下为 000000013FA34101 movabs rcx,AF63B54C8601AA47)

# The nine 64-bit targets compared against FnvHash(<one byte>) at
# 13F903F3F .. 13F904101, in key-position order (byte 0 .. byte 8).
resultList = [
    0xAF64064C860233EA,  # byte 0
    0xAF64154C86024D67,  # byte 1
    0xAF63FE4C86022652,  # byte 2
    0xAF64094C86023903,  # byte 3
    0xAF63FB4C86022139,  # byte 4
    0xAF63AF4C8601A015,  # byte 5
    0xAF63AD4C86019CAF,  # byte 6
    0xAF63AC4C86019AFC,  # byte 7
    0xAF63B54C8601AA47,  # byte 8
]


def list_index(myList, value):
    """Position of the first element of ``myList`` equal to ``value``.

    Works on any iterable; returns -1 when nothing matches (the "not found"
    convention the per-position brute force below relies on).
    """
    hits = (pos for pos, item in enumerate(myList) if item == value)
    return next(hits, -1)

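def FnvHash_1(cX):
    """64-bit FNV-1a of a single byte.

    This is what the crackme computes when it stores one key byte at
    [rsp+20] and calls FnvHash on that one-byte string.

    cX may be a one-character string (as in the original script) or an
    int in 0..255. Returns the 64-bit hash as an int.
    """
    offset_basis = 0xcbf29ce484222325  # FNV-1a 64 offset basis
    prime = 0x100000001b3              # FNV-1a 64 prime
    byte = cX if isinstance(cX, int) else ord(cX)
    return ((offset_basis ^ byte) * prime) & 0xffffffffffffffff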

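def FnvHash(string_xx):
    """64-bit FNV-1a over a byte sequence (the crackme's <crackme.FnvHash>).

    Accepts a str (each character hashed via ord, as the original did) or a
    bytes object (each element already an int). Returns the 64-bit hash as
    an int; the empty input returns the offset basis.
    """
    offset_basis = 0xcbf29ce484222325  # FNV-1a 64 offset basis
    prime = 0x100000001b3              # FNV-1a 64 prime
    mask = 0xffffffffffffffff
    h = offset_basis
    for ch in string_xx:
        b = ch if isinstance(ch, int) else ord(ch)
        h = ((h ^ b) * prime) & mask
    return h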

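def Crake_1():
    """Recover the first 9 key bytes, one position at a time.

    The crackme hashes each of bytes 0..8 on its own and compares the result
    with one fixed 64-bit value, so every position can be brute forced
    separately over printable ASCII (0x20..0x7e) instead of searching the
    joint space. Prints each hit and the recovered list, and returns the
    list; a position with no match is left as '?'.
    """
    recovered = ['?'] * len(resultList)
    for code in range(0x20, 0x7f):
        ch = chr(code)
        hv = FnvHash_1(ch)
        # scan all positions so two positions sharing a target both get filled
        for pos, target in enumerate(resultList):
            if target == hv:
                print("index: %d Char: %s" % (pos, ch))
                recovered[pos] = ch
    print(recovered)
    return recovered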
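# Only brute force when run as a script, so the helpers can be imported
# (e.g. FnvHash for the whole-flag check below) without side effects.
if __name__ == "__main__":
    Crake_1()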
计算结果:
index: 6 Char: 0
index: 7 Char: 1
index: 5 Char: 2
index: 8 Char: 8
index: 2 Char: C
index: 4 Char: F
index: 0 Char: K
index: 3 Char: T
index: 1 Char: X
['K', 'X', 'C', 'T', 'F', '2', '0', '1', '8']

接着,程序计算了整个flag的hash值:
000000013F9044C4               | 48 8D 0D 35 4E 03 00     | lea rcx,qword ptr ds:[13F939300]                        | rcx:"KXCTF20189NTDLL9DbgUiContinue9", 13F939300:"KXCTF20189NTDLL9DbgUiContinue9"
000000013F9044CB               | E8 F0 E5 FF FF           | call <crackme.FnvHash>                                  | 全部计算
000000013F9044D0               | 48 B9 FF C0 99 74 58 75  | movabs rcx,4F8075587499C0FF                             | rcx:"KXCTF20189NTDLL9DbgUiContinue9"
000000013F9044DA               | 49 BA CD CC CC CC CC CC  | movabs r10,CCCCCCCCCCCCCCCD                             |
000000013F9044E4               | 48 3B C1                 | cmp rax,rcx                                             | rcx:"KXCTF20189NTDLL9DbgUiContinue9"
000000013F9044E7               | 75 0A                    | jne crackme.13F9044F3                                   |
fnvhash(input_flag)==0x4f8075587499c0ff
这个很有用,下边再说。

000000013F904F94               | 44 8D 47 04              | lea r8d,dword ptr ds:[rdi+4]                            |
000000013F904F98               | 48 8D 8D F0 0A 00 00     | lea rcx,qword ptr ss:[rbp+AF0]                          |
000000013F904F9F               | E8 2C 68 00 00           | call <crackme.maybe_memeset>                            | memset
000000013F904FA4               | 48 8D 15 8D F8 01 00     | lea rdx,qword ptr ds:[13F924838]                        |
000000013F904FAB               | 48 8D 0D 4E 43 03 00     | lea rcx,qword ptr ds:[13F939300]                        | rcx:"DbgUiContinue", 13F939300:"KXCTF20189NTDLL9DbgUiContinue"
000000013F904FB2               | E8 21 6E 00 00           | call <crackme.maybe_strstr>                             |
000000013F904FB7               | 48 8B D8                 | mov rbx,rax                                             | rbx:"9DbgUiContinue"
000000013F904FBA               | 0F B6 40 01              | movzx eax,byte ptr ds:[rax+1]                           |
000000013F904FBE               | 88 85 F0 0A 00 00        | mov byte ptr ss:[rbp+AF0],al                            |
000000013F904FC4               | 0F B6 43 02              | movzx eax,byte ptr ds:[rbx+2]                           | rbx+2:"bgUiContinue"
000000013F904FC8               | 88 85 F1 0A 00 00        | mov byte ptr ss:[rbp+AF1],al                            |
000000013F904FCE               | 0F B6 43 03              | movzx eax,byte ptr ds:[rbx+3]                           | rbx+3:"gUiContinue"
000000013F904FD2               | 88 85 F2 0A 00 00        | mov byte ptr ss:[rbp+AF2],al                            |
000000013F904FD8               | 0F B6 43 04              | movzx eax,byte ptr ds:[rbx+4]                           | rbx+4:"UiContinue"
000000013F904FDC               | 88 85 F3 0A 00 00        | mov byte ptr ss:[rbp+AF3],al                            |
000000013F904FE2               | 0F B6 43 05              | movzx eax,byte ptr ds:[rbx+5]                           | rbx+5:"iContinue"
000000013F904FE6               | 88 85 F4 0A 00 00        | mov byte ptr ss:[rbp+AF4],al                            |
000000013F904FEC               | 41 B9 04 01 00 00        | mov r9d,104                                             |
000000013F904FF2               | 4C 8D 05 43 F8 01 00     | lea r8,qword ptr ds:[13F92483C]                         | 13F92483C:".DLL"
000000013F904FF9               | 41 8B D1                 | mov edx,r9d                                             |
000000013F904FFC               | 48 8D 8D F0 0A 00 00     | lea rcx,qword ptr ss:[rbp+AF0]                          |
000000013F905003               | E8 64 94 00 00           | call <crackme.maybe_strcat_s>                           |
000000013F905008               | 48 8D 15 29 F8 01 00     | lea rdx,qword ptr ds:[13F924838]                        |
000000013F90500F               | 48 8D 4B 01              | lea rcx,qword ptr ds:[rbx+1]                            | rcx:"DbgUiContinue", rbx+1:"DbgUiContinue"
000000013F905013               | E8 C0 6D 00 00           | call <crackme.maybe_strstr>                             |
000000013F905018               | 48 8B D8                 | mov rbx,rax                                             | rbx:"9DbgUiContinue"
000000013F90501B               | 48 8D 15 16 F8 01 00     | lea rdx,qword ptr ds:[13F924838]                        |
000000013F905022               | 48 8D 48 01              | lea rcx,qword ptr ds:[rax+1]                            | rcx:"DbgUiContinue"
000000013F905026               | E8 AD 6D 00 00           | call <crackme.maybe_strstr>                             |
000000013F90502B               | C6 00 00                 | mov byte ptr ds:[rax],0                                 |
000000013F90502E               | 33 D2                    | xor edx,edx                                             |
000000013F905030               | 44 8D 47 04              | lea r8d,dword ptr ds:[rdi+4]                            |
000000013F905034               | 48 8D 8D 00 0C 00 00     | lea rcx,qword ptr ss:[rbp+C00]                          |
000000013F90503B               | E8 90 67 00 00           | call <crackme.maybe_memset>                            |
000000013F905040               | 41 B9 04 01 00 00        | mov r9d,104                                             |
000000013F905046               | 4C 8D 43 01              | lea r8,qword ptr ds:[rbx+1]                             | rbx+1:"DbgUiContinue"
000000013F90504A               | 41 8B D1                 | mov edx,r9d                                             |
000000013F90504D               | 48 8D 8D 00 0C 00 00     | lea rcx,qword ptr ss:[rbp+C00]                          |
000000013F905054               | E8 03 95 00 00           | call crackme.13F90E55C                                  |

这段是关键。
C语言大概是这样:
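/*
 * Reconstruction of 13F904F94 .. 13F905054: split the "9"-delimited flag
 *   KXCTF2018 9 <5 chars> 9 <string> 9
 * into
 *   dll_name = the 5 bytes after the first '9' + ".DLL"   (buffer at rbp+AF0)
 *   str2     = the text between the second and third '9' (buffer at rbp+C00)
 *
 * input_flag : NUL-terminated flag; modified in place (the third '9' is
 *              overwritten with '\0', exactly as the binary does at 13F90502B).
 * dll_name,
 * str2       : caller-provided buffers of at least 0x104 bytes, the size the
 *              binary passes to its strcat_s / strcpy_s style calls (rdx=0x104).
 * returns    : 0 on success, -1 if fewer than three '9' are present.
 *
 * The binary uses each strstr() result without a NULL check (13F904FB7 /
 * 13F904FBA dereference rax directly), so a flag with fewer than three '9's
 * crashes it; this reconstruction returns -1 instead.
 * The binary's memset length is rdi+4 with rdi not visible here; 0x104 is
 * assumed for both buffers -- TODO confirm.
 */
#define FLAG_BUF_SIZE 0x104

static int split_flag(char *input_flag, char *dll_name, char *str2)
{
    char *nine1, *nine2, *nine3;
    size_t i;

    memset(dll_name, 0, FLAG_BUF_SIZE);
    memset(str2, 0, FLAG_BUF_SIZE);

    nine1 = strstr(input_flag, "9");
    if (nine1 == NULL)
        return -1;
    nine2 = strstr(nine1 + 1, "9");
    if (nine2 == NULL)
        return -1;
    nine3 = strstr(nine2 + 1, "9");
    if (nine3 == NULL)
        return -1;

    /* The binary copies retString[1..5] byte by byte with no length check;
       stop at the terminator here so a short segment cannot read past it. */
    for (i = 0; i < 5 && nine1[1 + i] != '\0'; i++)
        dll_name[i] = nine1[1 + i];
    /* binary: strcat_s(dll_name, 0x104, ".DLL") */
    strncat(dll_name, ".DLL", FLAG_BUF_SIZE - strlen(dll_name) - 1);

    /* Terminate at the third '9', then copy the middle segment.
       binary: strcpy_s-style call at 13F905054 (str2, 0x104, nine2 + 1) */
    *nine3 = '\0';
    strncpy(str2, nine2 + 1, FLAG_BUF_SIZE - 1);
    return 0;
}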

经过这一步,buf1(rbp+AF0)里是第一个 '9' 之后的 5 个字符再接 ".DLL",buf2(rbp+C00)里是第二个和第三个 '9' 之间的子串(第三个 '9' 在 13F90502B 被改写为 0 作为结束符)。
flag 用 '9' 分隔成 3 段:第一段 KXCTF2018,第二段 DLL 名(正好 5 个字符),第三段一个字符串。
整体形式 : KXCTF20189[dll_name]9[unk_string]9

000000013F4F5334               | 65 48 8B 14 25 30 00 00  | mov rdx,qword ptr gs:[30]                               |
000000013F4F533D               | 49 C1 E1 20              | shl r9,20                                               |
000000013F4F5341               | 8B C1                    | mov eax,ecx                                             | ecx:"A_SHAFinal"
000000013F4F5343               | 4C 03 C8                 | add r9,rax                                              |
000000013F4F5346               | 48 8B 42 60              | mov rax,qword ptr ds:[rdx+60]                           |
000000013F4F534A               | 48 8B 48 18              | mov rcx,qword ptr ds:[rax+18]                           | rcx:"A_SHAFinal"
000000013F4F534E               | 48 8B 71 10              | mov rsi,qword ptr ds:[rcx+10]                           | rcx+10:"Init"
000000013F4F5352               | 0F 84 98 00 00 00        | je crackme.13F4F53F0                                    |
000000013F4F5358               | 0F 1F 84 00 00 00 00 00  | nop dword ptr ds:[rax+rax]                              |
000000013F4F5360               | 4C 8B 4E 30              | mov r9,qword ptr ds:[rsi+30]                            |
000000013F4F5364               | 49 63 41 3C              | movsxd rax,dword ptr ds:[r9+3C]                         |
000000013F4F5368               | 42 8B BC 08 88 00 00 00  | mov edi,dword ptr ds:[rax+r9+88]                        |
000000013F4F5370               | 49 03 F9                 | add rdi,r9                                              |
000000013F4F5373               | 49 3B F9                 | cmp rdi,r9                                              |
000000013F4F5376               | 74 64                    | je crackme.13F4F53DC                                    |
000000013F4F5378               | 44 8B C3                 | mov r8d,ebx                                             |
000000013F4F537B               | 44 8B 5F 18              | mov r11d,dword ptr ds:[rdi+18]                          |
000000013F4F537F               | 45 85 DB                 | test r11d,r11d                                          |
000000013F4F5382               | 74 58                    | je crackme.13F4F53DC                                    |
000000013F4F5384               | 8B 5F 20                 | mov ebx,dword ptr ds:[rdi+20]                           |
000000013F4F5387               | 66 0F 1F 84 00 00 00 00  | nop word ptr ds:[rax+rax]                               |
000000013F4F5390               | 45 8B D0                 | mov r10d,r8d                                            |
000000013F4F5393               | 4A 8D 04 93              | lea rax,qword ptr ds:[rbx+r10*4]                        |
000000013F4F5397               | 42 8B 0C 08              | mov ecx,dword ptr ds:[rax+r9]                           | ecx:"A_SHAFinal"
000000013F4F539B               | 49 03 C9                 | add rcx,r9                                              | rcx:"A_SHAFinal"
000000013F4F539E               | BA C5 9D 1C 81           | mov edx,811C9DC5                                        |
000000013F4F53A3               | 0F B6 01                 | movzx eax,byte ptr ds:[rcx]                             | rcx:"A_SHAFinal"
000000013F4F53A6               | 84 C0                    | test al,al                                              |
000000013F4F53A8               | 74 28                    | je crackme.13F4F53D2                                    |
000000013F4F53AA               | 66 0F 1F 44 00 00        | nop word ptr ds:[rax+rax]                               |
000000013F4F53B0               | 0F BE C0                 | movsx eax,al                                            |
000000013F4F53B3               | 33 C2                    | xor eax,edx                                             |
000000013F4F53B5               | 69 D0 93 01 00 01        | imul edx,eax,1000193                                    |
000000013F4F53BB               | 48 8D 49 01              | lea rcx,qword ptr ds:[rcx+1]                            | rcx:"A_SHAFinal", rcx+1:"_SHAFinal"
000000013F4F53BF               | 0F B6 01                 | movzx eax,byte ptr ds:[rcx]                             | rcx:"A_SHAFinal"
000000013F4F53C2               | 84 C0                    | test al,al                                              |
000000013F4F53C4               | 75 EA                    | jne crackme.13F4F53B0                                   | 查找函数
000000013F4F53C6               | 81 FA 0F 07 B2 53        | cmp edx,53B2070F                                        |
000000013F4F53CC               | 0F 84 9B 00 00 00        | je crackme.13F4F546D                                    |
000000013F4F53D2               | 41 FF C0                 | inc r8d                                                 |
000000013F4F53D5               | 45 3B C3                 | cmp r8d,r11d                                            |
000000013F4F53D8               | 72 B6                    | jb crackme.13F4F5390                                    |
000000013F4F53DA               | 33 DB                    | xor ebx,ebx                                             |
000000013F4F53DC               | 48 8B 36                 | mov rsi,qword ptr ds:[rsi]                              |
000000013F4F53DF               | E9 7C FF FF FF           | jmp crackme.13F4F5360                                   |

通过 gs:[30](TEB)取 +0x60 得到 PEB,再经 +0x18(Ldr)和 +0x10(InLoadOrderModuleList)遍历当前进程已加载的模块([rsi] 即 Flink,13F4F53DC);对每个模块取 DllBase([rsi+30]),经 e_lfanew([r9+3C])定位 DataDirectory[0],也就是该模块的导出表(不是导入表:随后读取的 +0x18/+0x20/+0x24/+0x1C 正是导出表的 NumberOfNames/AddressOfNames/AddressOfNameOrdinals/AddressOfFunctions)。然后对每个导出函数名计算 32 位 FNV-1a(offset 0x811C9DC5,prime 0x1000193;注意这里逐字节用的是 movsx 符号扩展,遇到 ≥0x80 的字节会和标准实现不一致,对 ASCII 名字无影响),查找哈希等于 0x53B2070F 的 API。13F4F548B 处调试器把 rdx 标注为 LoadLibraryA,而且调用前只设置了 rcx 一个参数,与单参数的 LoadLibraryA 吻合;原文写的 LoadLibraryExA 应以此为准(可在 call rdx 处下断确认)。这是 shellcode / 恶意代码里常见的“遍历 PEB + API 哈希”手法:导入表里看不到 LoadLibrary,静态分析只能靠识别哈希常量或动态跟踪 call rdx 来还原。

000000013F4F546D               | 8B 47 24                 | mov eax,dword ptr ds:[rdi+24]                           |
000000013F4F5470               | 49 03 C1                 | add rax,r9                                              |
000000013F4F5473               | 8B 4F 1C                 | mov ecx,dword ptr ds:[rdi+1C]                           | ecx:"NTDLL.DLL"
000000013F4F5476               | 42 0F B7 04 50           | movzx eax,word ptr ds:[rax+r10*2]                       |
000000013F4F547B               | 49 03 C9                 | add rcx,r9                                              | rcx:"NTDLL.DLL"
000000013F4F547E               | 8B 14 81                 | mov edx,dword ptr ds:[rcx+rax*4]                        |
000000013F4F5481               | 48 8D 8D F0 0A 00 00     | lea rcx,qword ptr ss:[rbp+AF0]                          |
000000013F4F5488               | 49 03 D1                 | add rdx,r9                                              |
000000013F4F548B               | FF D2                    | call rdx                                                | rdx:LoadLibraryA
接着以 buf1(rbp+AF0,即 5 个字符 + ".DLL")作为 rcx 调用找到的 API(13F4F5481 / 13F4F548B),加载这个 DLL。
结合前面的信息:DLL 名的可变部分正好 5 个字符(代码固定取 retString[1..5]),后面拼接的 ".DLL" 是大写,DLL 名多半也是大写;
加载之后(13F4F5497 起)又开始了一次同样的"遍历模块 + 导出表哈希"查找(本段末尾被截断),说明第三段字符串很可能是要在这个 DLL 里查找的导出函数名。5 个大写字符、又要从它的导出表里按名字找函数,最可能的就是 NTDLL。
000000013F4F5497               | 65 48 8B 04 25 30 00 00  | mov rax,qword ptr gs:[30]                               | rax = TEB (gs:[0x30] on Win64); start of a classic PEB-walk API resolution, so the resolved API never appears in the import table
000000013F4F54A0               | 48 8B 48 60              | mov rcx,qword ptr ds:[rax+60]                           | rcx = PEB (TEB+0x60)
000000013F4F54A4               | 48 8B 41 18              | mov rax,qword ptr ds:[rcx+18]                           | rax = PEB->Ldr (PEB+0x18)
000000013F4F54A8               | 48 8B 70 10              | mov rsi,qword ptr ds:[rax+10]                           | rsi = Ldr->InLoadOrderModuleList.Flink, i.e. first LDR_DATA_TABLE_ENTRY
000000013F4F54AC               | 45 33 F6                 | xor r14d,r14d                                           | r14d = 0; reused below as the starting name index
000000013F4F54AF               | 90                       | nop                                                     | padding so the module loop head lands on a 16-byte boundary
000000013F4F54B0               | 4C 8B 4E 30              | mov r9,qword ptr ds:[rsi+30]                            | module loop: r9 = entry->DllBase (+0x30)
000000013F4F54B4               | 49 63 41 3C              | movsxd rax,dword ptr ds:[r9+3C]                         | rax = e_lfanew (DOS header +0x3C)
000000013F4F54B8               | 42 8B BC 08 88 00 00 00  | mov edi,dword ptr ds:[rax+r9+88]                        | edi = export directory RVA (PE32+ NT headers +0x88 = DataDirectory[0].VirtualAddress)
000000013F4F54C0               | 49 03 F9                 | add rdi,r9                                              | rdi = VA of IMAGE_EXPORT_DIRECTORY
000000013F4F54C3               | 49 3B F9                 | cmp rdi,r9                                              | RVA 0 means the module has no exports
000000013F4F54C6               | 74 5E                    | je crackme.13F4F5526                                    | -> skip to the next module
000000013F4F54C8               | 45 8B C6                 | mov r8d,r14d                                            | r8d = 0: index into the export name table
000000013F4F54CB               | 44 8B 5F 18              | mov r11d,dword ptr ds:[rdi+18]                          | r11d = NumberOfNames (+0x18)
000000013F4F54CF               | 45 85 DB                 | test r11d,r11d                                          | no named exports?
000000013F4F54D2               | 74 52                    | je crackme.13F4F5526                                    | -> next module
000000013F4F54D4               | 8B 5F 20                 | mov ebx,dword ptr ds:[rdi+20]                           | ebx = AddressOfNames RVA (+0x20)
000000013F4F54D7               | 66 0F 1F 84 00 00 00 00  | nop word ptr ds:[rax+rax]                               | alignment padding before the name loop
000000013F4F54E0               | 45 8B D0                 | mov r10d,r8d                                            | name loop: r10 = current name index (still live after the match at 13F4F552B)
000000013F4F54E3               | 4A 8D 04 93              | lea rax,qword ptr ds:[rbx+r10*4]                        | rax = RVA of AddressOfNames[r10]
000000013F4F54E7               | 42 8B 0C 08              | mov ecx,dword ptr ds:[rax+r9]                           | ecx = RVA of the name string
000000013F4F54EB               | 49 03 C9                 | add rcx,r9                                              | rcx = VA of the exported name (NUL-terminated)
000000013F4F54EE               | BA C5 9D 1C 81           | mov edx,811C9DC5                                        | edx = 0x811C9DC5, the 32-bit FNV offset basis (hash state)
000000013F4F54F3               | 0F B6 01                 | movzx eax,byte ptr ds:[rcx]                             | first character
000000013F4F54F6               | 84 C0                    | test al,al                                              | empty name?
000000013F4F54F8               | 74 24                    | je crackme.13F4F551E                                    | -> skip hashing, try the next index
000000013F4F54FA               | 66 0F 1F 44 00 00        | nop word ptr ds:[rax+rax]                               | alignment padding before the hash loop
000000013F4F5500               | 0F BE C0                 | movsx eax,al                                            | sign-extend the byte (only matters for bytes >= 0x80)
000000013F4F5503               | 33 C2                    | xor eax,edx                                             | hash ^= c   (xor first ...
000000013F4F5505               | 69 D0 93 01 00 01        | imul edx,eax,1000193                                    | hash *= 0x01000193 (FNV prime) ... then multiply: this is FNV-1a; the two constants are a good static signature for this resolver
000000013F4F550B               | 48 8D 49 01              | lea rcx,qword ptr ds:[rcx+1]                            | next character (lea keeps flags, but nothing depends on that here)
000000013F4F550F               | 0F B6 01                 | movzx eax,byte ptr ds:[rcx]                             |
000000013F4F5512               | 84 C0                    | test al,al                                              |
000000013F4F5514               | 75 EA                    | jne crackme.13F4F5500                                   | loop until NUL
000000013F4F5516               | 81 FA 25 57 F4 F8        | cmp edx,F8F45725                                        | hash == hard-coded target 0xF8F45725 (the hashed API name)?
000000013F4F551C               | 74 0D                    | je crackme.13F4F552B                                    | match -> resolve its address below
000000013F4F551E               | 41 FF C0                 | inc r8d                                                 | next name index
000000013F4F5521               | 45 3B C3                 | cmp r8d,r11d                                            |
000000013F4F5524               | 72 BA                    | jb crackme.13F4F54E0                                    | unsigned: loop while index < NumberOfNames
000000013F4F5526               | 48 8B 36                 | mov rsi,qword ptr ds:[rsi]                              | next module: entry = entry->InLoadOrderLinks.Flink
000000013F4F5529               | EB 85                    | jmp crackme.13F4F54B0                                   | no end-of-list check is visible: if no export matches, the circular list is walked forever
故技重施,查找到函数GetProcessAffinityMask
000000013F4F552B               | 8B 4F 1C                 | mov ecx,dword ptr ds:[rdi+1C]                           | match found: ecx = AddressOfFunctions RVA (+0x1C)
000000013F4F552E               | 49 03 C9                 | add rcx,r9                                              | rcx = VA of the export address table
000000013F4F5531               | 8B 47 24                 | mov eax,dword ptr ds:[rdi+24]                           | eax = AddressOfNameOrdinals RVA (+0x24)
000000013F4F5534               | 49 03 C1                 | add rax,r9                                              | rax = VA of the ordinal table (16-bit entries)
000000013F4F5537               | 42 0F B7 04 50           | movzx eax,word ptr ds:[rax+r10*2]                       | eax = ordinal for the matched name index r10 (set in the name loop above)
000000013F4F553C               | 44 8B 04 81              | mov r8d,dword ptr ds:[rcx+rax*4]                        | r8d = AddressOfFunctions[ordinal] (RVA); no forwarder-export check is visible, so a forwarded export would yield a string pointer, not code
000000013F4F5540               | 4D 03 C1                 | add r8,r9                                               | r8 = VA of the resolved function
000000013F4F5543               | 48 8D 95 00 0C 00 00     | lea rdx,qword ptr ss:[rbp+C00]                          | 2nd arg: the function name held in the second buffer
000000013F4F554A               | 49 8B CD                 | mov rcx,r13                                             | 1st arg: r13, presumably the module handle returned by the LoadLibraryA call above (its assignment is not shown here)
000000013F4F554D               | 41 FF D0                 | call r8                                                 | r8:GetProcAddress -- called through the hash-resolved pointer, so it never shows up as an import

这一段结合上边的就是
GetProcAddress(LoadLibraryExA(strcat(dll_name,".DLL")),unk_string);
紧接着检查获取到的函数指针,不为空的话就直接调用。

由以上信息可知,这个函数在NTDLL中,函数名未知。
又知道整个flag的hash值,直接把ntdll中所有的函数找出来遍历爆破就可以了。
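def Crack(path="api.txt", target=0x4f8075587499c0ff):
    """Brute-force the unknown API name by hashing every candidate in ``path``.

    Each line of the file is one candidate export name.  It is embedded into
    the flag template ``"KXCTF20189NTDLL9<api>9"`` and hashed with ``FnvHash``
    (defined in the full script, not shown here).  Every candidate whose hash
    equals ``target`` is printed, and the script pauses on it so the hit is
    not scrolled away.

    path   -- text file with one candidate API name per line
    target -- expected FnvHash value of the complete flag
    """
    # "with" closes the file even if FnvHash raises; iterating the file
    # object reads it lazily, so the old readlines(100000) chunking is
    # not needed.  (Local renamed from "file" to avoid shadowing the builtin.)
    with open(path) as api_file:
        for line in api_file:
            api = line.strip()
            str_in = "KXCTF20189NTDLL9" + api + "9"
            if FnvHash(str_in) == target:
                print(str_in)
                raw_input("find it!")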
    
Crack()  # runs the brute force immediately; FnvHash must be defined before this point (see the attached full script)


完整脚本见附件。



