[Answer Submission] [吾爱破解 2014 CrackMe Contest] [Group 2]
This post was last edited by ximo on 2014-10-29 01:30
0x01
1. Algorithm entry:
00401B50 /. 55             PUSH EBP
00401B51 |. 8BEC           MOV EBP, ESP
00401B53 |. 83E4 F8        AND ESP, FFFFFFF8
00401B56 |. 6A FF          PUSH -1
00401B58 |. 68 162C5200    PUSH CrackMe.00522C16
00401B5D |. 64:A1 0000000> MOV EAX, DWORD PTR FS:[0]
00401B63 |. 50             PUSH EAX
00401B64 |. 81EC A8070000  SUB ESP, 7A8
2. Reading the user name:
0012F008  0012F7E0
0012F00C  00401BF9  RETURN to CrackMe.00401BF9 from CrackMe.00412227
0012F010  000003EB
0012F014  0012F6B4  ASCII "tree_fly"
0012F018  0000000A
0012F01C  4E527986
Reading the registration code:
0012F008  0012F7E0
0012F00C  00401C18  RETURN to CrackMe.00401C18 from CrackMe.00412227
0012F010  000003EC
0012F014  0012F6C0  ASCII "1234567890"
0012F018  00000104
0012F01C  4E527986
3. Creating the memory table:
00401EB0 /$ 56             PUSH ESI
00401EB1 |. 57             PUSH EDI
00401EB2 |. 33D2           XOR EDX, EDX                         ; EDX = row (0..8); EAX = current entry, set by the caller
00401EB4 |. BF FEFEFEFE    MOV EDI, 0xFEFEFEFE
00401EB9 |. BE EFEFEFEF    MOV ESI, 0xEFEFEFEF
00401EBE |. 8BFF           MOV EDI, EDI
00401EC0 |> 33C9           XOR ECX, ECX                         ; ECX = column (0..8)
00401EC2 |> C700 EEFFEEFF  MOV DWORD PTR DS:[EAX], 0xFFEEFFEE   ; first dword of every entry
00401EC8 |. 85D2           TEST EDX, EDX
00401ECA |. 75 22          JNZ SHORT CrackMe.00401EEE
00401ECC |. 8978 04        MOV DWORD PTR DS:[EAX+4], EDI        ; row 0 only: FEFEFEFE
00401ECF |> 8970 08        MOV DWORD PTR DS:[EAX+8], ESI
00401ED2 |> 85C9           TEST ECX, ECX
00401ED4 |. 75 25          JNZ SHORT CrackMe.00401EFB
00401ED6 |. 8978 0C        MOV DWORD PTR DS:[EAX+0xC], EDI      ; column 0 only: FEFEFEFE
00401ED9 |> 8970 10        MOV DWORD PTR DS:[EAX+0x10], ESI
00401EDC |> 41             INC ECX
00401EDD |. 83C0 14        ADD EAX, 0x14                        ; next entry: 5 dwords each
00401EE0 |. 83F9 09        CMP ECX, 0x9
00401EE3 |.^7C DD          JL SHORT CrackMe.00401EC2
00401EE5 |. 42             INC EDX
00401EE6 |. 83FA 09        CMP EDX, 0x9
00401EE9 |.^7C D5          JL SHORT CrackMe.00401EC0
00401EEB |. 5F             POP EDI
00401EEC |. 5E             POP ESI
00401EED |. C3             RETN
00401EEE |> 8970 04        MOV DWORD PTR DS:[EAX+4], ESI
00401EF1 |. 83FA 09        CMP EDX, 0x9                         ; EDX is 1..8 here, so this branch always falls to 00401ECF
00401EF4 |.^75 D9          JNZ SHORT CrackMe.00401ECF
00401EF6 |. 8978 08        MOV DWORD PTR DS:[EAX+8], EDI
00401EF9 |.^EB D7          JMP SHORT CrackMe.00401ED2
00401EFB |> 8970 0C        MOV DWORD PTR DS:[EAX+0xC], ESI
00401EFE |. 83F9 09        CMP ECX, 0x9                         ; ECX is 1..8 here, so this branch always falls to 00401ED9
00401F01 |.^75 D6          JNZ SHORT CrackMe.00401ED9
00401F03 |. 8978 10        MOV DWORD PTR DS:[EAX+0x10], EDI
00401F06 \.^EB D4          JMP SHORT CrackMe.00401EDC
4. The memory table as built:
Just as the author said, it is dazzling enough to make your eyes swim; I nearly got lost in it myself. For readability, every FEFEFEFE below is shown as 00 so that it stands out. The first column is the dword offset of the entry from the table base; each entry is 5 dwords.
offset  dw0      dw1      dw2      dw3      dw4
0       FFEEFFEE 00       EFEFEFEF 00       EFEFEFEF
5       FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
10      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
15      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
20      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
25      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
30      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
35      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
40      FFEEFFEE 00       EFEFEFEF EFEFEFEF EFEFEFEF
45      FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
50      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
55      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
60      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
65      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
70      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
75      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
80      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
85      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
90      FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
95      FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
100     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
105     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
110     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
115     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
120     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
125     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
130     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
135     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
140     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
145     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
150     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
155     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
160     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
165     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
170     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
175     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
180     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
185     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
190     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
195     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
200     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
205     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
210     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
215     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
220     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
225     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
230     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
235     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
240     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
245     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
250     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
255     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
260     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
265     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
270     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
275     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
280     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
285     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
290     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
295     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
300     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
305     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
310     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
315     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
320     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
325     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
330     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
335     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
340     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
345     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
350     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
355     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
360     FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
365     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
370     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
375     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
380     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
385     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
390     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
395     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
400     FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
5. Processing the user name:
For each character of the user name, take the ones digit and the tens digit of its hexadecimal value and use them in the computation; this selects the address of the first dword of one of the 81 five-dword entries in the table above and assigns it 0xEEFFEEFF.
Note that this value XORed with 0x11111111 is 0xFFEEFFEE.
00401C70 |> /0FBE843C 9806> /MOVSX EAX, BYTE PTR SS:[ESP+EDI+0x698]         ; next user-name byte
00401C78 |. |8BC8           |MOV ECX, EAX
00401C7A |. |C1F9 04        |SAR ECX, 0x4
00401C7D |. |83E1 0F        |AND ECX, 0xF                                   ; ECX = high nibble
00401C80 |. |83E0 0F        |AND EAX, 0xF                                   ; EAX = low nibble
00401C83 |. |8BF0           |MOV ESI, EAX
00401C85 |. |83F9 09        |CMP ECX, 0x9
00401C88 |. |76 0E          |JBE SHORT CrackMe.00401C98                     ; 0..9 pass through unchanged
00401C8A |. |B8 398EE338    |MOV EAX, 0x38E38E39
00401C8F |. |F7E1           |MUL ECX
00401C91 |. |D1EA           |SHR EDX, 1                                     ; EDX = ECX / 9
00401C93 |. |6BD2 F7        |IMUL EDX, EDX, -0x9
00401C96 |. |03CA           |ADD ECX, EDX                                   ; ECX = ECX % 9 (only for 10..15)
00401C98 |> |83FE 09        |CMP ESI, 0x9
00401C9B |. |76 0E          |JBE SHORT CrackMe.00401CAB
00401C9D |. |B8 398EE338    |MOV EAX, 0x38E38E39
00401CA2 |. |F7E6           |MUL ESI
00401CA4 |. |D1EA           |SHR EDX, 1
00401CA6 |. |6BD2 F7        |IMUL EDX, EDX, -0x9
00401CA9 |. |03F2           |ADD ESI, EDX                                   ; same reduction for the low nibble
00401CAB |> |8D04CE         |LEA EAX, DWORD PTR DS:[ESI+ECX*8]
00401CAE |. |03C1           |ADD EAX, ECX                                   ; EAX = low + 9*high = entry index
00401CB0 |. |47             |INC EDI
00401CB1 |. |8D1480         |LEA EDX, DWORD PTR DS:[EAX+EAX*4]              ; EDX = 5*index (dword offset)
00401CB4 |. |894C24 30      |MOV DWORD PTR SS:[ESP+0x30], ECX
00401CB8 |. |897424 34      |MOV DWORD PTR SS:[ESP+0x34], ESI
00401CBC |. |C74494 3C FFE> |MOV DWORD PTR SS:[ESP+EDX*4+0x3C], 0xEEFFEEFF  ; first dword of that entry; table base is ESP+0x3C
00401CC4 |. |3BFB           |CMP EDI, EBX                                   ; loop over every name byte
00401CC6 |.^\7C A8          \JL SHORT CrackMe.00401C70
6. In fact, the computation here accumulates the first value of each of the 80 entries above and compares the total with "CMP ECX, 0xFA9EFA4E",
and 0xFFEEFFEE * 81d = 0x50FA9EFA4E:
00401D9F |. 90             NOP
00401DA0 |> 8BB0 74FFFFFF  /MOV ESI, DWORD PTR DS:[EAX-0x8C]         ; 27 consecutive first dwords per iteration
00401DA6 |. 0370 88        |ADD ESI, DWORD PTR DS:[EAX-0x78]
00401DA9 |. 05 1C020000    |ADD EAX, 0x21C                           ; advance 27 entries (27 * 0x14)
00401DAE |. 03B0 80FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x280]
00401DB4 |. 03B0 94FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x26C]
00401DBA |. 03B0 A8FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x258]
00401DC0 |. 03B0 BCFDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x244]
00401DC6 |. 03B0 D0FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x230]
00401DCC |. 03B0 F8FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x208]
00401DD2 |. 03B0 E4FDFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x21C]
00401DD8 |. 03CE           |ADD ECX, ESI                             ; ECX accumulates the sum
00401DDA |. 8BB0 ACFEFFFF  |MOV ESI, DWORD PTR DS:[EAX-0x154]
00401DE0 |. 03B0 98FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x168]
00401DE6 |. 03B0 84FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x17C]
00401DEC |. 03B0 70FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x190]
00401DF2 |. 03B0 5CFEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x1A4]
00401DF8 |. 03B0 48FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x1B8]
00401DFE |. 03B0 34FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x1CC]
00401E04 |. 03B0 20FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x1E0]
00401E0A |. 03B0 0CFEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x1F4]
00401E10 |. 03CE           |ADD ECX, ESI
00401E12 |. 8BB0 60FFFFFF  |MOV ESI, DWORD PTR DS:[EAX-0xA0]
00401E18 |. 03B0 4CFFFFFF  |ADD ESI, DWORD PTR DS:[EAX-0xB4]
00401E1E |. 03B0 38FFFFFF  |ADD ESI, DWORD PTR DS:[EAX-0xC8]
00401E24 |. 03B0 24FFFFFF  |ADD ESI, DWORD PTR DS:[EAX-0xDC]
00401E2A |. 03B0 10FFFFFF  |ADD ESI, DWORD PTR DS:[EAX-0xF0]
00401E30 |. 03B0 FCFEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x104]
00401E36 |. 03B0 E8FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x118]
00401E3C |. 03B0 D4FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x12C]
00401E42 |. 03B0 C0FEFFFF  |ADD ESI, DWORD PTR DS:[EAX-0x140]
00401E48 |. 03CE           |ADD ECX, ESI
00401E4A |. 4A             |DEC EDX
00401E4B |.^0F85 4FFFFFFF  \JNZ CrackMe.00401DA0
00401E51 |. 81F9 4EFA9EFA  CMP ECX, 0xFA9EFA4E                      ; low 32 bits of 81 * 0xFFEEFFEE
00401E57 |. 75 12          JNZ SHORT CrackMe.00401E6B
00401E59 |. 52             PUSH EDX                                 ; /Style
00401E5A |. 68 70D95400    PUSH CrackMe.0054D970                    ; |Title = "0"
00401E5F |. 68 74D95400    PUSH CrackMe.0054D974                    ; |Text = "good"
00401E64 |. 52             PUSH EDX                                 ; |hOwner
00401E65 |. FF15 40585200  CALL NEAR DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401E6B |> 68 50214000    PUSH CrackMe.00402150
00401E70 |. 6A 51          PUSH 0x51                                ; 81 elements
00401E72 |. 6A 14          PUSH 0x14                                ; of 0x14 bytes each
00401E74 |. 8D4424 48      LEA EAX, DWORD PTR SS:[ESP+0x48]         ; the table (ESP+0x3C before the three pushes)
00401E78 |. 50             PUSH EAX
00401E79 |> C78424 D00700> MOV DWORD PTR SS:[ESP+0x7D0], -0x1
00401E84 |. E8 BFEC0F00    CALL CrackMe.00500B48
00401E89 |. 8B8C24 B80700> MOV ECX, DWORD PTR SS:[ESP+0x7B8]
00401E90 |. 64:890D 00000> MOV DWORD PTR FS:[0], ECX
7. So after the user-name operation the table has been re-copied, and the result of that computation can never make the comparison equal. Therefore the registration-code operation has to be used to XOR away all of the 0xEEFFEEFF values.
Registration-code operation code:
00401CD6 |. BB FEFEFEFE    MOV EBX, 0xFEFEFEFE                              ; the flag value tested below
……
00401CE0 |> /0FBE843C A406> /MOVSX EAX, BYTE PTR SS:[ESP+EDI+0x6A4]          ; next registration-code byte
00401CE8 |. |8BC8           |MOV ECX, EAX
00401CEA |. |C1F9 04        |SAR ECX, 0x4
00401CED |. |83E1 0F        |AND ECX, 0xF                                    ; ECX = high nibble
00401CF0 |. |83E0 0F        |AND EAX, 0xF                                    ; EAX = low nibble
00401CF3 |. |8BF0           |MOV ESI, EAX
00401CF5 |. |83F9 09        |CMP ECX, 0x9
00401CF8 |. |76 0E          |JBE SHORT CrackMe.00401D08                      ; 0..9 pass through unchanged
00401CFA |. |B8 398EE338    |MOV EAX, 0x38E38E39
00401CFF |. |F7E1           |MUL ECX
00401D01 |. |D1EA           |SHR EDX, 1
00401D03 |. |6BD2 F7        |IMUL EDX, EDX, -0x9
00401D06 |. |03CA           |ADD ECX, EDX                                    ; ECX = ECX % 9 (only for 10..15)
00401D08 |> |83FE 09        |CMP ESI, 0x9
00401D0B |. |76 0E          |JBE SHORT CrackMe.00401D1B
00401D0D |. |B8 398EE338    |MOV EAX, 0x38E38E39
00401D12 |. |F7E6           |MUL ESI
00401D14 |. |D1EA           |SHR EDX, 1
00401D16 |. |6BD2 F7        |IMUL EDX, EDX, -0x9
00401D19 |. |03F2           |ADD ESI, EDX
00401D1B |> |8D04CE         |LEA EAX, DWORD PTR DS:[ESI+ECX*8]
00401D1E |. |03C1           |ADD EAX, ECX                                    ; EAX = low + 9*high = entry index
00401D20 |. |8D0C80         |LEA ECX, DWORD PTR DS:[EAX+EAX*4]
00401D23 |. |03C9           |ADD ECX, ECX
00401D25 |. |03C9           |ADD ECX, ECX                                    ; ECX = 20*index = byte offset of the entry
00401D27 |. |395C0C 40      |CMP DWORD PTR SS:[ESP+ECX+0x40], EBX            ; entry dword 1 == FEFEFEFE?
00401D2B |. |74 10          |JE SHORT CrackMe.00401D3D
00401D2D |. |8D5480 D3      |LEA EDX, DWORD PTR DS:[EAX+EAX*4-0x2D]          ; 5*index - 45: the entry one row up
00401D31 |. |817494 3C 111> |XOR DWORD PTR SS:[ESP+EDX*4+0x3C], 0x11111111   ; flip its first dword
00401D39 |. |8D5494 3C      |LEA EDX, DWORD PTR SS:[ESP+EDX*4+0x3C]
00401D3D |> |395C0C 44      |CMP DWORD PTR SS:[ESP+ECX+0x44], EBX            ; entry dword 2 == FEFEFEFE?
00401D41 |. |74 15          |JE SHORT CrackMe.00401D58
00401D43 |. |8D5480 D3      |LEA EDX, DWORD PTR DS:[EAX+EAX*4-0x2D]
00401D47 |. |8B5494 3C      |MOV EDX, DWORD PTR SS:[ESP+EDX*4+0x3C]          ; first dword of the entry one row up
00401D4B |. |81F2 11111111  |XOR EDX, 0x11111111
00401D51 |. |89940C F00000> |MOV DWORD PTR SS:[ESP+ECX+0xF0], EDX            ; store into the entry one row down (+0xB4 = 9 entries)
00401D58 |> |395C0C 48      |CMP DWORD PTR SS:[ESP+ECX+0x48], EBX            ; entry dword 3 == FEFEFEFE?
00401D5C |. |74 12          |JE SHORT CrackMe.00401D70
00401D5E |. |8D5480 D3      |LEA EDX, DWORD PTR DS:[EAX+EAX*4-0x2D]
00401D62 |. |8B5494 3C      |MOV EDX, DWORD PTR SS:[ESP+EDX*4+0x3C]
00401D66 |. |81F2 11111111  |XOR EDX, 0x11111111
00401D6C |. |89540C 28      |MOV DWORD PTR SS:[ESP+ECX+0x28], EDX            ; store into the previous entry (-0x14)
00401D70 |> |395C0C 4C      |CMP DWORD PTR SS:[ESP+ECX+0x4C], EBX            ; entry dword 4 == FEFEFEFE?
00401D74 |. |74 12          |JE SHORT CrackMe.00401D88
00401D76 |. |8D4480 D3      |LEA EAX, DWORD PTR DS:[EAX+EAX*4-0x2D]
00401D7A |. |8B5484 3C      |MOV EDX, DWORD PTR SS:[ESP+EAX*4+0x3C]
00401D7E |. |81F2 11111111  |XOR EDX, 0x11111111
00401D84 |. |89540C 50      |MOV DWORD PTR SS:[ESP+ECX+0x50], EDX            ; store into the next entry (+0x14)
00401D88 |> |47             |INC EDI
00401D89 |. |3B7C24 10      |CMP EDI, DWORD PTR SS:[ESP+0x10]                ; registration-code length
00401D8D |.^\0F8C 4DFFFFFF  \JL CrackMe.00401CE0
8. The algorithm is somewhat more complex than I expected; I'd ask someone more skilled to restore it fully.
Here is some brief analysis:
360  FFEEFFEE EFEFEFEF EFEFEFEF 00       EFEFEFEF
XOR at -45: 315; original value stored at +45: 405; not stored at -5: 355; stored at +5: 365
355  FFEEFFEE EFEFEFEF EFEFEFEF EFEFEFEF EFEFEFEF
XOR at -45: 310; original value stored at +45: 400; stored at -5: 350; stored at +5: 360
Note: S = first hex digit, G = second hex digit
12F058+4*(1+5*(S*9+G))
S=
G=
The registration-code operation can only reach entries in the range 90-400.
9. My time outside work is limited, so for now I am submitting a patched (brute-force) answer. The keygen will have to wait for further analysis.
tree_fly.
Corrections:
6. "In fact, the computation here accumulates the first value of each of the 80 entries above": 80 should be 81.
7. Corrected to: So after the user-name operation the first column of the table has been re-assigned, and the later summation can never compare equal. Therefore the registration-code operation has to be used to XOR away all of the 0xEEFFEEFF values.
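The following Python model of the four stages traced in the post (table build at 00401EB0, user-name pass at 00401C70, registration-code pass at 00401CE0, sum check at 00401DA0) is an added example; it is not the CrackMe's source and not the poster's code. The constants are taken from the listings; the function names are mine. It assumes that the sum loop starts with ECX = 0 and runs three times (81 entries), that a store landing outside the 81 entries is reported but dropped (on the real stack it hits the neighbouring locals), and that a read before the table or an entry index past it raises instead of returning whatever is on the stack. The inputs in the usage line are constructed.

```python
FLAG = 0xFEFEFEFE        # EDI in the builder, EBX in the registration-code loop
FILL = 0xEFEFEFEF        # ESI in the builder
MARK = 0xFFEEFFEE        # first dword of every entry after the build
NAME_MARK = 0xEEFFEEFF   # written by the name pass; MARK ^ 0x11111111
XOR_CONST = 0x11111111
TARGET = 0xFA9EFA4E      # CMP ECX, 0xFA9EFA4E == (81 * MARK) & 0xFFFFFFFF
ENTRIES = 9 * 9          # 81 entries of 5 dwords (0x14 bytes each)


def build_table():
    """00401EB0: entry (row, col) = [MARK, dw1, dw2, dw3, dw4]."""
    table = []
    for row in range(9):                            # EDX
        for col in range(9):                        # ECX
            dw1 = FLAG if row == 0 else FILL        # [EAX+4]
            dw2 = FILL                              # [EAX+8]: the CMP EDX,9 branch never fires
            dw3 = FLAG if col == 0 else FILL        # [EAX+0xC]
            dw4 = FILL                              # [EAX+0x10]: the CMP ECX,9 branch never fires
            table.append([MARK, dw1, dw2, dw3, dw4])
    return table


def fold_nibble(x):
    """CMP x,9 / JBE: 0..9 pass through; only 10..15 go through the x % 9 sequence."""
    if x <= 9:
        return x
    q = ((x * 0x38E38E39) >> 32) >> 1   # MUL 0x38E38E39 (high half in EDX); SHR EDX,1 -> x // 9
    return x - 9 * q                    # IMUL EDX,EDX,-9 ; ADD x,EDX


def char_index(c):
    """Entry index for one input byte (the MOVSX sign extension is masked off by AND 0xF)."""
    hi = fold_nibble((c >> 4) & 0xF)    # SAR 4 ; AND 0xF
    lo = fold_nibble(c & 0xF)           # AND 0xF
    return lo + 9 * hi                  # LEA EAX,[ESI+ECX*8] ; ADD EAX,ECX


def apply_name(table, name):
    """00401C70: every name byte overwrites the first dword of one entry."""
    for c in name:
        i = char_index(c)
        if i >= ENTRIES:                # assumption: out-of-table entries are not modelled
            raise ValueError("name byte 0x%02X maps past the table" % c)
        table[i][0] = NAME_MARK


def serial_effects(table, c):
    """One iteration of 00401CE0 for byte c.

    Returns (xor_index, [dst_plus9, dst_minus1, dst_plus1]) as entry indices
    (dword offset / 5, the numbering of the table dump); None marks a skipped store.
    """
    i = char_index(c)
    if i >= ENTRIES:
        raise ValueError("byte 0x%02X maps to entry %d, past the table; not modelled" % (c, i))
    entry = table[i]
    src = i - 9                                    # LEA EDX,[EAX+EAX*4-0x2D]: the entry one row up
    if src < 0:
        raise ValueError("byte 0x%02X reads before the table; not modelled" % c)
    xor_index = None
    if entry[1] != FLAG:                           # CMP [ESP+ECX+0x40], EBX
        table[src][0] ^= XOR_CONST
        xor_index = src
    value = table[src][0] ^ XOR_CONST              # what the three stores copy
    stores = []
    for flag, dst in ((entry[2], i + 9), (entry[3], i - 1), (entry[4], i + 1)):
        if flag == FLAG:                           # CMP [ESP+ECX+0x44 / 0x48 / 0x4C], EBX
            stores.append(None)
            continue
        if dst < ENTRIES:                          # i >= 9 here, so i - 1 is always inside
            table[dst][0] = value
        stores.append(dst)                         # reported even when dropped (e.g. 405/5 = 81)
    return xor_index, stores


def apply_serial(table, serial):
    for c in serial:
        serial_effects(table, c)


def check(table):
    """00401DA0..00401E51: sum the 81 first dwords mod 2^32 and compare with 0xFA9EFA4E."""
    total = sum(e[0] for e in table) & 0xFFFFFFFF
    return total == TARGET


def verify(name, serial):
    """Run the whole check on inputs given as bytes."""
    table = build_table()
    apply_name(table, name)
    apply_serial(table, serial)
    return check(table)


if __name__ == "__main__":
    # constructed inputs: the pair traced in the post
    print(verify(b"tree_fly", b"1234567890"))
```

verify(b"tree_fly", b"1234567890") returns False, as the post's trace predicts. serial_effects(build_table(), 0x80) reproduces the entry-360 line of the analysis (XOR 315, store 405, skip 355, store 365; in entry numbers 63, 81, None, 73) and ord('x') reproduces the entry-355 line. One point worth taking from the model: because JBE leaves 0..9 untouched, a low nibble of 9 does not wrap to column 0 of the same row but lands in column 0 of the next row, which is why 'y' (0x79) hits entry 360. Within the model every first dword is either 0xFFEEFFEE or 0xEEFFEEFF, and their difference 0x10EF10EF is odd, so the 32-bit sum can equal 0xFA9EFA4E only when all 81 entries hold 0xFFEEFFEE; no input merely balances the sum.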
Too bad the time was already up.
Kido posted on 2014-10-28 17:28:
Too bad the time was already up.
Taking part is what counts.
I knew I had gone in the wrong direction.
I'm here to learn.
Some parts of the code above I can't make out at all! Respect to the master.
Nice, nice, nice.