【reverse】buu-CrackRTF——提取PE中的resource、rtf的固定文件头
本帖最后由 hans7 于 2022-9-19 00:47 编辑### 依赖
1. IDA7.7
2. python的pefile库
**作者:(https://blog.csdn.net/hans774882968)以及(https://juejin.cn/user/1464964842528888)以及(https://www.52pojie.cn/home.php?mod=space&uid=1906177)**
本文52pojie:https://www.52pojie.cn/thread-1689683-1-1.html
本文juejin:https://juejin.cn/post/7144760578349727780
本文csdn:https://blog.csdn.net/hans774882968/article/details/126925833
### 正文
32位程序,`Section: [.text], EP: 0x00001F40`故无壳。
用IDA打开立刻定位到main函数:
```c
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
DWORD v3; // eax
DWORD v4; // eax
char Str; // BYREF
int v7; //
char String1; // BYREF
char Destination; // BYREF
memset(Destination, 0, sizeof(Destination));
memset(String1, 0, sizeof(String1));
v7 = 0;
printf("pls input the first passwd(1): ");
scanf("%s", Destination);
if ( strlen(Destination) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
v7 = atoi(Destination);
if ( v7 < 100000 )
ExitProcess(0);
strcat(Destination, "@DBApp");
v3 = strlen(Destination);
sub_40100A((BYTE *)Destination, v3, String1);
if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
{
printf("continue...\n\n");
printf("pls input the first passwd(2): ");
memset(Str, 0, sizeof(Str));
scanf("%s", Str);
if ( strlen(Str) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
strcat(Str, Destination);
memset(String1, 0, sizeof(String1));
v4 = strlen(Str);
sub_401019((BYTE *)Str, v4, String1);
if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
{
if ( !(unsigned __int8)sub_40100F(Str) )
{
printf("Error!!\n");
ExitProcess(0);
}
printf("bye ~~\n");
}
}
return 0;
}
```
可以看到这里要过两个密码,涉及的关键语句分别是`sub_40100A((BYTE *)Destination, v3, String1)`和`sub_401019((BYTE *)Str, v4, String1)`。
### 第一关
点击`sub_40100A`会定位到:
```c
int __cdecl sub_401230(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
DWORD i; //
CHAR String2; // BYREF
BYTE v6; // BYREF
DWORD pdwDataLen; // BYREF
HCRYPTHASH phHash; // BYREF
HCRYPTPROV phProv; // BYREF
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(String2, "%02X", v6);
lstrcatA(lpString1, String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 0;
}
}
else
{
CryptReleaseContext(phProv, 0);
return 0;
}
}
```
根据参考链接1,可知`CryptCreateHash`的第二个参数是`ALG_ID`,而根据参考链接2,找到`0x8004u`表示`CALG_SHA1`。
接着梳理一下问题:要求6位数`i`满足`sha1(f'{i}@DBApp') == 某常量串`。解法很简单,枚举100000到999999即可。
#### 代码
```python
def get_tail():
for i in range(100000, 1000000):
s = f'{i}@DBApp'
bs = s.encode()
obj = hashlib.sha1(bs)
result = obj.hexdigest().upper()
if result == '6E32D0943418C2C33385BC35A1470250DD8923A9':
return bs
```
### 第二关
点击`sub_401019`会定位到:
```c
int __cdecl sub_401040(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
DWORD i; //
CHAR String2; // BYREF
BYTE v6; // BYREF
DWORD pdwDataLen; // BYREF
HCRYPTHASH phHash; // BYREF
HCRYPTPROV phProv; // BYREF
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(String2, "%02X", v6);
lstrcatA(lpString1, String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 0;
}
}
else
{
CryptReleaseContext(phProv, 0);
return 0;
}
}
```
同理,在参考链接2中找到`0x8003u`表示`CALG_MD5`。
接着梳理一下问题:要求长度为6的字符串`s`满足`md5(f'{s}@DBApp') == 某常量串`。解空间过大,直接枚举不可行。
那么我们看看`sub_40100F`能给予我们哪些必要的提示。点`sub_40100F`会定位到:
```c
char __cdecl sub_4014D0(LPCSTR lpString)
{
LPCVOID lpBuffer; //
DWORD NumberOfBytesWritten; // BYREF
DWORD nNumberOfBytesToWrite; //
HGLOBAL hResData; //
HRSRC hResInfo; //
HANDLE hFile; //
hFile = 0;
hResData = 0;
nNumberOfBytesToWrite = 0;
NumberOfBytesWritten = 0;
hResInfo = FindResourceA(0, (LPCSTR)0x65, "AAA");
if ( !hResInfo )
return 0;
nNumberOfBytesToWrite = SizeofResource(0, hResInfo);
hResData = LoadResource(0, hResInfo);
if ( !hResData )
return 0;
lpBuffer = LockResource(hResData);
sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);
hFile = CreateFileA("dbapp.rtf", 0x10000000u, 0, 0, 2u, 0x80u, 0);
if ( hFile == (HANDLE)-1 )
return 0;
if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0) )
return 0;
CloseHandle(hFile);
return 1;
}
```
这个函数要拿一个叫`AAA`的资源,作为常量串,跑`sub_401005`的异或,最后要求生成一个合法的`.rtf`文件。
#### 提取exe中的资源
我们需要拿到`AAA`资源的内容。这里用pefile库来完成(也可以更简单地用Resource Hacker等软件来拿):
```python
import os
import sys
import string
import pefile
import hashlib
import struct
def main():
path_sample = r"CrackRTF.exe"
peobj = pefile.PE(path_sample)
print(pefile.RESOURCE_TYPE, end='\n\n\n')
for resource_type in peobj.DIRECTORY_ENTRY_RESOURCE.entries:
if resource_type.name is not None:
name = "%s" % resource_type.name
else:
name = "%s" % pefile.RESOURCE_TYPE.get(resource_type.struct.Id)
if name is None:
name = "%d" % resource_type.struct.Id
if name != 'AAA':
continue
# resource_type已经是ResourceDirEntryData类型,而非ResourceDirData类型
for resId in resource_type.directory.entries:
if hasattr(resId, 'directory'):
for resLang in resId.directory.entries:
dat = peobj.get_data(
resLang.data.struct.OffsetToData,
resLang.data.struct.Size)
print('resLang', dat)
else:
dat = peobj.get_data(
resId.data.struct.OffsetToData,
resId.data.struct.Size)
print('resId', dat)
peobj.close()
if __name__ == "__main__":
main()
```
#### RTF的固定文件头
接下来看看`sub_401005`的异或:
```c
unsigned int __cdecl sub_401420(LPCSTR lpString, int a2, unsigned int a3)
{
unsigned int result; // eax
unsigned int i; //
unsigned int v5; //
v5 = lstrlenA(lpString);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= a3 )
break;
*(_BYTE *)(i + a2) ^= lpString;
}
return result;
}
```
异或方程需要知道其中两个,才能解出第三个,但只有`AAA`资源的内容是已知的,`.rtf`文件和我们要输入的密码都是未知的。此时我们需要一个隐含知识:rtf文件有固定的文件头:`b'{\\rtf1'`(6字节)。结合`AAA`资源的内容,可以解出第二关的密码。最后,拿整体的密码异或一下`AAA`资源的内容,即可得到所求的rtf文件。
#### 总结
1. 用pefile库获取资源文件。
2. **文件头、函数头拥有固定数据是常常涉及的常识**,比如:(https://www.52pojie.cn/thread-1665541-1-1.html)、[函数头固定:SCUx401CTF2021-RE2-pixpix](https://www.52pojie.cn/thread-1667202-1-1.html)。
### 完整代码
```python
import os
import struct
import hashlib
def get_tail():
for i in range(100000, 1000000):
s = f'{i}@DBApp'
bs = s.encode()
obj = hashlib.sha1(bs)
result = obj.hexdigest().upper()
if result == '6E32D0943418C2C33385BC35A1470250DD8923A9':
return bs
def main():
aaa = b'\x05}A\x15&\x01mS]@=&@CC\x05oTR(%02\x15\x04O\x12\x07A\x1c\x17RPo\x14QT\x1cc!",W\x1b\x14\x08\x1c==;Io\x19nV%*\'3\x11\x04\x11S\x13,3VEWWZF\x11ujvp^AK\x0f\x02Tq\x05\nOoE[T7/+/\x14D"TPP\x1c@P@Wo^P.#pqEB"G\x03=&C\x03\x02\x13u^P\'\x189\x0f@/3\x11A\x04\x1fvCWVlpD\'7\x1e<,\x00\x1fS>k==;2'
rtf_head = b'{\\rtf1'
passwd = bytearray()
for i in range(6):
passwd.append(aaa ^ rtf_head)
print(passwd)
passwd += get_tail()
print(passwd)
ans = b''
for i in range(len(aaa)):
ans += struct.pack('<B', aaa ^ passwd)
print(ans)
with open('ans.rtf', 'wb') as f:
f.write(ans)
if __name__ == '__main__':
main()
```
### 参考资料
1. https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptcreatehash
2. https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
3. https://www.52pojie.cn/thread-994588-1-1.html 看下学习一下 学习了,多谢 学习一下 学到了,谢谢分享
页:
[1]