An interesting challenge
This post was last edited by zusheng on 2014-12-28 12:28.
I solved this challenge and found it quite interesting, so I'm posting a writeup here on 吾爱 to share with everyone!
http://bbs.pediy.com/attachment.php?attachmentid=92139&thumb=1&d=1410443710
Enter anything and it breaks here:
http://bbs.pediy.com/attachment.php?attachmentid=92140&thumb=1&d=1410443710
Single-stepping to here, I can see the pass1 I just entered:
http://bbs.pediy.com/attachment.php?attachmentid=92141&thumb=1&d=1410443710
After stepping into the function at call 004011D0, I found this:
http://bbs.pediy.com/attachment.php?attachmentid=92142&thumb=1&d=1410443710
004011A0  8B4C24 08    mov ecx,dword ptr ss:[esp+8]
004011A4  B8 01000000  mov eax,1
004011A9  41           inc ecx
004011AA  3BC8         cmp ecx,eax
004011AC  74 18        je short 4.004011C6
004011AE  56           push esi
004011AF  8B7424 10    mov esi,dword ptr ss:[esp+10]
004011B3  57           push edi
004011B4  8B7C24 0C    mov edi,dword ptr ss:[esp+C]
004011B8  49           dec ecx
004011B9  0FAFC7       imul eax,edi
004011BC  99           cdq
004011BD  F7FE         idiv esi
004011BF  49           dec ecx
004011C0  8BC2         mov eax,edx
004011C2  ^ 75 F5      jnz short 4.004011B9
004011C4  5F           pop edi
004011C5  5E           pop esi
004011C6  C3           retn
This code takes two bytes at a time starting at 422000, decrypts them into one byte and writes it back. Since the decrypted data is the start of a function, which usually begins with:
55    push ebp
8BEC  mov ebp,esp
Let's brute-force it with Python:
# Brute-force pass1. The routine at 004011A0 computes (edi ** pass1) mod esi,
# so replay it for the two encrypted words 0x00f9 and 0x02c3 (modulus 0x5ed)
# and look for the prologue bytes 55 8B. Written in Python 3 syntax here;
# the original used Python 2 (xrange / print statement).
def routine(base, pass1):
    edx = 1
    ecx = pass1 + 1
    while ecx > 1:        # the loop body runs pass1 times
        ecx -= 1
        edx = (base * edx) % 0x5ed
    return edx

for pass1 in range(1, 10000):
    x = routine(0x00f9, pass1) & 0xff   # first decrypted byte, expected 0x55
    y = routine(0x02c3, pass1) & 0xff   # second decrypted byte, expected 0x8b
    if x == 0x55 and y == 0x8b:
        print('pass1: ' + str(pass1))
        break
It prints pass1: 4913
Re-enter 4913 as pass1 and anything for pass2:
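As an added example (not the original poster's code), here is a faithful re-implementation of the 004011A0 routine with the 32-bit imul and the cdq/idiv signed-remainder semantics made explicit, one decryption pass over a constructed two-word buffer (the words 0x00f9 and 0x02c3 the writeup names), and an incremental form of the brute force that advances the loop one multiplication at a time instead of recomputing from scratch for every candidate. The function names, the buffer and the three-byte prologue signature are my own assumptions; the modulus 0x5ed and pass1 = 4913 come from the writeup.

```python
# Added example, not the original poster's code. Re-implements the routine at
# 004011A0 and the decryption pass the writeup describes. The 2-word buffer below
# is constructed for illustration from the two words named in the writeup.

MODULUS = 0x5ED  # value in esi at 004011BD (idiv esi), per the writeup


def decrypt_routine(pass1, base, modulus=MODULUS):
    """Emulate 004011A0: pass1 is [esp+8], base is edi ([esp+C]), modulus is esi.

    Returns the value left in eax, i.e. base ** pass1 mod modulus computed the
    way the assembly does it (imul, cdq/idiv, keep the remainder)."""
    eax = 1
    ecx = (pass1 + 1) & 0xFFFFFFFF         # inc ecx
    if ecx == 1:                           # cmp ecx,eax / je: pass1 == 0 returns eax = 1
        return eax
    ecx -= 1                               # dec ecx before the loop
    while True:
        eax = (eax * base) & 0xFFFFFFFF    # imul eax,edi keeps the low 32 bits
        # cdq; idiv esi: signed division, remainder (edx) takes the dividend's sign
        signed = eax - (1 << 32) if eax & 0x80000000 else eax
        rem = abs(signed) % modulus
        edx = -rem if signed < 0 else rem
        ecx -= 1                           # dec ecx
        eax = edx & 0xFFFFFFFF             # mov eax,edx
        if ecx == 0:                       # jnz falls through once ecx hits 0
            return eax


def decrypt_buffer(encrypted, pass1):
    """One decryption pass as described: read each little-endian 16-bit word from
    the buffer start, decrypt it with the routine, keep the low byte."""
    out = bytearray()
    for i in range(0, len(encrypted) - 1, 2):
        word = encrypted[i] | (encrypted[i + 1] << 8)
        out.append(decrypt_routine(pass1, word) & 0xFF)
    return bytes(out)


# Constructed buffer: the two encrypted words the writeup names, little-endian.
ENCRYPTED_WORDS = bytes([0xF9, 0x00, 0xC3, 0x02])

# Assumed expected function prologue: push ebp / mov ebp,esp (55 8B EC).
PROLOGUE = bytes([0x55, 0x8B, 0xEC])


def starts_with_prologue(code):
    """Check whether decrypted code begins with the assumed prologue."""
    return code[: len(PROLOGUE)] == PROLOGUE


def find_pass1_candidates(encrypted, expected=PROLOGUE[:2], limit=10000):
    """Incremental brute force: since the loop is repeated multiplication mod
    MODULUS, the state for pass1 = n+1 is the state for n times the word.
    Returns every candidate below limit whose decrypted bytes match expected."""
    words = [encrypted[i] | (encrypted[i + 1] << 8)
             for i in range(0, 2 * len(expected), 2)]
    state = [1] * len(words)               # eax after n iterations, per word
    hits = []
    for pass1 in range(1, limit):
        state = [(s * w) % MODULUS for s, w in zip(state, words)]
        if all((s & 0xFF) == e for s, e in zip(state, expected)):
            hits.append(pass1)
    return hits


if __name__ == "__main__":
    print("decrypted:", decrypt_buffer(ENCRYPTED_WORDS, 4913).hex())
    print("candidates:", find_pass1_candidates(ENCRYPTED_WORDS))
```

Checking only the first two prologue bytes is a weak filter, so the candidate search returns every matching pass1 rather than stopping at the first hit; confirming a candidate means decrypting the rest of the function and checking that it disassembles sensibly, which is what the writeup does next by re-running the program.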
00401460  53          push ebx
00401461  50          push eax
00401462  56          push esi
00401463  E8 980B0200 call 4.00422000   // break here, then step in
http://bbs.pediy.com/attachment.php?attachmentid=92143&thumb=1&d=1410443710
The above is the pass2 comparison; if it is correct, the dialog below pops up.
http://bbs.pediy.com/attachment.php?attachmentid=92144&thumb=1&d=1410443710
= = I can't follow the key part.