网络验证Crackme
本帖最后由 ERFZE 于 2020-2-21 22:29 编辑## 0x00 前言
该CrackMe是网络验证。故首先在本地运行Sever端程序:
!(https://s2.ax1x.com/2020/02/21/3KEKWd.png)
## 0x01 发送
首先分析程序发送数据包的内容。于`send()`函数处设断后,F9运行程序并输入内容:
!(https://s2.ax1x.com/2020/02/21/3KE1yt.png)
点击Register按钮,来到断点处:
!(https://s2.ax1x.com/2020/02/21/3KElQI.png)
Ctrl+F9来到主函数:
!(https://s2.ax1x.com/2020/02/21/3KEQSA.png)
向上查看,于第二处`GetDlgItemText()`函数后设断:
!(https://s2.ax1x.com/2020/02/21/3KEGef.png)
----
打开IDA Pro,从第二处`GetDlgItemText()`函数后面开始分析:
!(https://s2.ax1x.com/2020/02/21/3KEJw8.png)
图中注释详尽,不再赘述。
!(https://s2.ax1x.com/2020/02/21/3KENFg.png)
上图取模运算的判断由优化公式而来:
- `x>=0`:x%(2^n) = x&(2^n-1)
- `x<0`:x%(2^n) = (x&(2^n-1))-1 | (~(2^n-1))+1
!(https://s2.ax1x.com/2020/02/21/3KEUYQ.png)
上图红色方框内指令是将`Len(Name)`、`Len(Key)`、`Rand()%256`依次写入某一处内存区域,名之为`SendMes`。绿色方框与蓝色方框内指令是将`Name`、`Key`依次写入到`SendMes`之后。
!(https://s2.ax1x.com/2020/02/21/3KEaWj.png)
根据左边的三处箭头可以判断是`for`循环,粗略写出C代码如下:
```
int tmp; //var_238
int KeyLength_NameLength_3; //Len(Key)+Len(Name)+3
int b;
char SendMes[]; //Len(Name)+Len(Key)+Rnd(Time)+Name+Key
for(tmp=0;tmp<KeyLength_NameLength_3;tmp++)
{
b=SendMes;
b^=0xA6;
SendMes=(b&0xFF);
}
```
----
由上述分析可以得知发送数据内容,验证之:
!(https://s2.ax1x.com/2020/02/21/3KEwSs.png)
## 0x02 接收
清除之前所设断点,于`recv()`处设断,F9运行程序并输入内容后点击Register按钮,来到断点。Ctrl+F9来到主函数:
!(https://s2.ax1x.com/2020/02/21/3KEByq.png)
查看缓冲区内容:
!(https://s2.ax1x.com/2020/02/21/3KEDO0.png)
既然是加密数据,那么下面一定会有解密操作:
!(https://s2.ax1x.com/2020/02/21/3KEsmV.png)
根据上图粗略写出C代码如下:
```
int tmp; //var_238
char Recv[]; //Data from server
char Decrypt[]; //0x41AE68
for(tmp=0;tmp<Len(Recv);tmp++) //Len(Recv)=0x5A
Decrypt=Recv^0x6E;
```
`0x41AE68`处存放解密后数据,长度为90 Bytes,跟进查看:
!(https://s2.ax1x.com/2020/02/21/3KEywT.png)
## 0X03 判断
!(https://s2.ax1x.com/2020/02/21/3KE6TU.png)
上图红色方框中指令处理解密后数据。《加密与解密》随书文件中给出一Python脚本如下:
```
#coding=utf-8
##《加密与解密》第四版
##code by DarkNess0ut
import os
import sys
def Getasm(ea_from, ea_to, range1, range2):
fp = open("code.txt","w")
ea = ea_from
while ea < ea_to:
cmd = GetMnem(ea)
if cmd == "mov" or cmd == "lea":
opcode = Dword(NextNotTail(ea)-4)
if opcode < 0: #opcode < 0,处理 movedx, 指令,否则处理movedx,
opcode = (~opcode + 1)
Message("-> %08X %08X\n" % (ea, opcode))
if range1 <= opcode <= range2:
delta = opcode - range1
MakeComm(ea, "// +0x%04X" % delta) # 加注释到IDA中
fp.write("%08X %s\n" % (ea, GetDisasm(ea)))
ea = NextNotTail(ea)
fp.close()
Message("OK!")
Getasm(0x401000,0x40F951,0x41AE68,0x41AEC1);
```
该脚本功能是将某块指令(该例中为`0x401000`——`0x40F951`)内访问指定内存区域(该例中为`0x41AE68`——`0x41AEC1`)的指令其后添加注释并拷贝到一TXT中。笔者对其稍加修改如下:
```
import os
import sys
def Getasm(ea_from, ea_to, range1, range2):
fp = open("E:\\code.txt","w")
ea = ea_from
while ea < ea_to:
cmd = GetMnem(ea)
if cmd == "mov" or cmd == "lea":
opcode = Dword(NextNotTail(ea)-4)
if opcode > 0x7fffffff: #opcode < 0,处理 movedx, 指令,否则处理movedx, 。原作者此处逻辑虽正确,但判断表达式错误
opcode = 0x100000000-opcode
Message("--> %08X %08X\n" % (ea, opcode))
if range1 <= opcode <= range2:
delta = opcode - range1
fp.write("%08X %s\n" % (ea, GetDisasm(ea)))
MakeComm(ea, "// +0x%04X" % delta) # 加注释到IDA中,注释内容为访问内存相对于起始内存偏移量
ea=NextNotTail(ea)
while ea<ea_to:
cmd=GetMnem(ea)
if cmd!="jnz":
fp.write("%08X %s\n"%(ea,GetDisasm(ea)))
else:
break
ea=NextNotTail(ea)
fp.write("--------------------------------\n")
ea = NextNotTail(ea)
fp.close()
Message("OK!")
```
Alt+F7执行该脚本,Shift+F2:
!(https://s2.ax1x.com/2020/02/21/3KEgkF.png)
TXT内容如下:
!(https://s2.ax1x.com/2020/02/21/3KE2Y4.png)
负责判断相关指令如上,可根据指令修改相应内存的内容以完成验证。同样可以修改`004016BE`处指令为`EB 63`达到目的:
!(https://s2.ax1x.com/2020/02/21/3KE3OP.png) 谢谢楼主分享 谢谢楼主 除了看懂python,其他都没懂,硬核{:301_971:} wocdalao! 网络验证的比较多,有时间也学习一下 谢谢楼主 谢谢,学习了 顶一下一起学习