首页
论坛
课程
招聘
[原创]签到题分析
2021-11-16 01:18 458

[原创]签到题分析

2021-11-16 01:18
458

没壳直接上IDA,因为程序是C++写的直接看DialogFunc然后F5
sub_401340(hWnd);为按钮执行函数。 以下直接在他函数上备注了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
int __cdecl sub_401340(HWND hDlg)
{
  int v1; // ebx
  int v2; // ebx
  int v3; // ecx
  int v4; // eax
  int result; // eax
  signed int v6; // [esp+Ch] [ebp-260h]
  char v7; // [esp+10h] [ebp-25Ch]
  CHAR s1; // [esp+D8h] [ebp-194h]
  CHAR s2; // [esp+1A0h] [ebp-CCh]
 
  memset(&s1, 0, 0xC8u);
  memset(&v7, 0, 0xC8u);
  memset(&s2, 0, 0xC8u);
  v1 = GetDlgItemTextA(hDlg, 1000, &s1, 201); //获取Name
  if ( v1 //判断Name是否输入
    && (v6 = GetDlgItemTextA(hDlg, 1001, &s2, 201), v2 = sub_401260(&s1, v1), strspn(&s2, "0123456789") == strlen(&s2)) //判断SN是否输入以及判断SN是否为纯数字 sub_401260 下面贴上
    && v6 <= 10 //判断SN位数
    && (v4 = sub_40307F(v3, (int)&s2)) != 0 //sub_40307F下面标注
    && (unknown_libname_13(v2 ^ v4, &v7, 16), sub_401260(&v7, 8) == 330861687) ) //unknown_libname_13下面标注
  {
    SetDlgItemTextA(hDlg, 1001, "Success!");
    result = 1;
  }
  else
  {
    SetDlgItemTextA(hDlg, 1001, "Wrong Serial!");
    result = 0;
  }
  return result;
}
int __cdecl sub_401260(char *a1, int a2) //明显计算CRC32。。。
{
  signed int v2; // ecx
  unsigned int v3; // eax
  unsigned int v4; // eax
  unsigned int v5; // eax
  unsigned int v6; // eax
  unsigned int v7; // eax
  unsigned int v8; // eax
  unsigned int v9; // eax
  unsigned int v10; // eax
  int v11; // edx
  unsigned int v12; // ecx
  char *v13; // esi
  char v14; // al
  int v16[256]; // [esp+0h] [ebp-404h]
 
  v2 = 0;
  do
  {
    v3 = (unsigned int)v2 >> 1;
    if ( v2 & 1 )
      v3 ^= 0xEDB88320;
    if ( v3 & 1 )
      v4 = (v3 >> 1) ^ 0xEDB88320;
    else
      v4 = v3 >> 1;
    if ( v4 & 1 )
      v5 = (v4 >> 1) ^ 0xEDB88320;
    else
      v5 = v4 >> 1;
    if ( v5 & 1 )
      v6 = (v5 >> 1) ^ 0xEDB88320;
    else
      v6 = v5 >> 1;
    if ( v6 & 1 )
      v7 = (v6 >> 1) ^ 0xEDB88320;
    else
      v7 = v6 >> 1;
    if ( v7 & 1 )
      v8 = (v7 >> 1) ^ 0xEDB88320;
    else
      v8 = v7 >> 1;
    if ( v8 & 1 )
      v9 = (v8 >> 1) ^ 0xEDB88320;
    else
      v9 = v8 >> 1;
    if ( v9 & 1 )
      v10 = (v9 >> 1) ^ 0xEDB88320;
    else
      v10 = v9 >> 1;
    v16[v2++] = v10;
  }
  while ( v2 < 256 );
  v11 = a2;
  v12 = -1;
  if ( a2 )
  {
    v13 = a1;
    do
    {
      v14 = *v13++;
      v12 = v16[(unsigned __int8)(v12 ^ v14)] ^ (v12 >> 8);
      --v11;
    }
    while ( v11 );
  }
  return ~v12;
}
// Microsoft VisualC universal runtime
int __cdecl unknown_libname_13(int a1, int a2, int a3)
{
  // 虽然未识别,,,但是调用common_xtox肯定是itoa了
  char v4; // [esp+0h] [ebp-4h]
 
  if ( a3 != 10 || (v4 = 1, a1 >= 0) )
    v4 = 0;
  common_xtox<unsigned long,char>(a1, a2, -1, a3, v4);
  return a2;
}
int __cdecl sub_40307F(int a1)
{
  //字符串转为数字不备注了
  int v1; // ecx
  int v3; // [esp-14h] [ebp-14h]
  int v4; // [esp-10h] [ebp-10h]
  int v5; // [esp-Ch] [ebp-Ch]
  signed int v6; // [esp-8h] [ebp-8h]
  int v7; // [esp-4h] [ebp-4h]
 
  v7 = v1;
  v6 = 1;
  v5 = 10;
  v4 = v1;
  v3 = v1;
  unknown_libname_6(&v3, a1, 0);
  return __crt_strtox::parse_integer<unsigned long,__crt_strtox::c_string_character_source<char>>(0, v3, v4, v5, v6);
}

整个过程代码都有了,下面简单白话下他的过程
1.取Name计算CRC32
2.SN为纯数字小于等于10
3.将SN转为数字
4.将计算的crc32 ^ SN 的CRC32等于330861687即为验证成功.

 

下面为SN生成器
动态分析1386343770(52a1ed5a)的CRC32为330861687,所以直接用户名的crc32 ^ 1386343770 即可得出SN。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
uint32_t crc32(void const* data, int n) {
    uint32_t r = 0xFFFFFFFF;
 
    for (int i = 0; i < n; ++i) {
        r ^= ((char const*)data)[i];
 
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
        if ((r & 0x1) != 0) { r = (r >> 1) ^ 0xEDB88320; }
        else { r = r >> 1; }
    }
    return r ^ 0xFFFFFFFF;
}
uint32_t c32 = crc32((char*)"KCTF", strlen((char*)"KCTF"));
printf("SN:%d\n", c32 ^ 1386343770);
输出结果:SN:205824534

文章编写能力差。。。语句可能有些不通,望理解。。


恭喜ID[飞翔的猫咪]获看雪安卓应用安全能力认证高级安全工程师!!

收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回