西安2015“华山杯”网络安全技能大赛逆向破解1题解

Sound 发表于 2015-10-31 10:50

本帖最后由 Sound 于 2015-11-2 02:20 编辑

-------------------------------------------------【文章简介】-------------------------------------------------

【文章标题】西安2015“华山杯”网络安全技能大赛逆向破解1题解
【文章作者】 Sound
【作者邮箱】 Sound@Crack4r.cc
【作者主页】 http://Crack4r.cc
【软件名称】逆向破解 --- 逆向破解-1
【软件大小】 20.0 KB (20,480 bytes)
【下载地址】http://static.seclover.com/mfcEncrypt.exe
【加壳方式】无
【保护方式】密码
【编写语言】Microsoft Visual C++(6.0)
【使用工具】 OllyDbg1.10 ,Detect It Easy
【操作平台】 Win7x86.【软件介绍】比赛平台：http://lab.seclover.com/
【作者声明】旨在以学习为前提的目的性 ,在不影响大赛的情况下,拿最简单的一个逆向题来解。为了方便大家阅读采用诙谐语气与普通话(虽然我普通话不怎么标准)

-------------------------------------------------【文章正文】-------------------------------------------------

逆向破解 --- 逆向破解-1
该题目已有xxxxxxxxx个队伍完成
据说扫描器其实完全无用的~~
解题说明
请破解该程序，拿到Flag
Flag中木有Flag{XxXxXXx}所以直接提交即可

前言：以下图文为本人刚拿到此题目时解题思路、也就是本文要讲的内容。打开程序扫一眼。

试运行提示（密码长度不符合）主界面文本显示：输入正确的密码，这里会显示Flag, 同时拿解题说明当参考，可知道此题为明码判断。既然是明码，我考虑了2种方式进行来解题。追码与爆破。

拖入 Detect It Easy 扫下compiler

得到Microsoft Visual C++(6.0)MFC(4.2)[-] 无壳开始偷笑，（无壳的软柿子是我最喜欢的咯）

既然无壳我想到好多种初步尝试手法：字符串检索法 Api检索法等等等。。。。。

那么我肯定首选字符串检索法咯

调试器停留Ep(EntryPoint)代码进行find ascii
Address Disassembly                            Text String
00401382 PUSH 00401DAE                      赴$@
004013CC PUSH 00403068                      输入正确的密码，这里会显示Flag
004015B2 PUSH 00401DDF                      歌$@
00401695 PUSH 00403114                      w9zC67K7xNzOqr/V
004016E6 PUSH 004030FC                      w9zC67Oktsiyu7f7us8=
0040172B PUSH 004030DC                      R05WTE+v6r7ozfa4zsWjZ2RnZA==
0040177F PUSH 004030CC                      w9zC69X9yLc=
004017C9 PUSH 0040309C                      LzVjMWFgODVkMmMzYjEvMmExOGNkZTE0ZTE2MC9jMzE=
0040181F PUSH 00403088                      w9zC67K7t/u6zw==
00401B20 PUSH EBP                            (Initial CPU selection)

唔没有 (密码长度不符合) 这个错误提示文本字串（mfc编码）为了方便懒得继续调试分析啦,不用这种方法啦。

Api检索法鼠标右键反汇编窗口Search for >> all intermodular calls

Address Disassembly
00401571 CALL DWORD PTR DS:[<&USER32.DrawIcon>user32.DrawIcon
0040157B CALL <JMP.&MFC42.#755>             mfc42.#755
00401589 CALL <JMP.&MFC42.#2379>             mfc42.#2379
004015EF CALL <JMP.&MFC42.#5856>             mfc42.#5856
00401609 CALL <JMP.&MFC42.#535>             mfc42.#535
0040161F CALL <JMP.&MFC42.#800>             mfc42.#800
0040169A CAll <JMP.&MFC42.#537>                      mfc42.#537
004016B9 CALL <JMP.&MFC42.#4224>             mfc42.#4224
004016EB CALL <JMP.&MFC42.#537>             mfc42.#537
0040170A CALL <JMP.&MFC42.#4224>             mfc42.#4224
00401730 CALL <JMP.&MFC42.#537>             mfc42.#537
0040174E CALL DWORD PTR DS:[<&MSVCRT._mbscmp>]msvcrt._mbscmp
0040175F CALL <JMP.&MFC42.#800>             mfc42.#800
00401784 CALL <JMP.&MFC42.#537>             mfc42.#537
004017A3 CALL <JMP.&MFC42.#4224>             mfc42.#4224
004017AF CALL <JMP.&MFC42.#800>             mfc42.#800
004017C2 PUSH ECX                            (Initial CPU selection)
004017CE CALL <JMP.&MFC42.#537>             mfc42.#537
004017F0 CALL <JMP.&MFC42.#858>             mfc42.#858
004017FC CALL <JMP.&MFC42.#800>             mfc42.#800
0040180A CALL <JMP.&MFC42.#6334>             mfc42.#6334
00401824 CALL <JMP.&MFC42.#537>             mfc42.#537
00401843 CALL <JMP.&MFC42.#4224>             mfc42.#4224
0040184F CALL <JMP.&MFC42.#800>             mfc42.#800
0040185E CALL <JMP.&MFC42.#800>             mfc42.#800
00401896 CALL DWORD PTR DS:[<&USER32.EnableWinuser32.EnableWindow
004018A6 CALL DWORD PTR DS:[<&USER32.EnableWinuser32.EnableWindow
00401ADF CALL DWORD PTR DS:[<&MSVCRT._onexit>]msvcrt._onexit
我看到一个嫌疑犯。_mbscmp

0040174E CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] msvcrt._mbscmp

它作为比较字符串调用
int _mbscmp(
const unsigned char *string1,
const unsigned char *string2
);

跟随地址找到断首
0040167B .01E8       ADD EAX, EBP
0040167D .8B46 64    MOV EAX, DWORD PTR DS:
00401680 .8B48 F8    MOV ECX, DWORD PTR DS:
00401683 .85C9       TEST ECX, ECX
00401685 .75 43       JNZ SHORT 004016CA
00401687 .6A 00       PUSH 0x0
00401689 .8D4D F0    LEA ECX, DWORD PTR SS:
0040168C .6A 00       PUSH 0x0
0040168E .51          PUSH ECX
0040168F .51          PUSH ECX
00401690 .8BCC       MOV ECX, ESP
00401692 .8965 E8    MOV DWORD PTR SS:, ESP
00401695 .68 14314000 PUSH 00403114                      ;w9zC67K7xNzOqr/V
0040169A .E8 27040000 CALL <JMP.&MFC42.#537>

0x40167D 处设置个int3断点 f9 （run）、输入我们的假密码 www.52pojie.cn断点位于
0x40167D

0040167D .8B46 64    MOV EAX, DWORD PTR DS:
00401680 .8B48 F8    MOV ECX, DWORD PTR DS:
00401683 .85C9       TEST ECX, ECX
数据窗口跟随
00512DD077 77 77 2E 35 32 70 6F 6A 69 65 2E 63 6E 00 00www.52pojie.cn..
00512DE000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
00512DF000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
00512E0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
00512E1000 00 00 00 B4 2E 51 00 14 00 00 00 40 00 00 00....?Q....@...
00512E2077 39 7A 43 36 37 4F 6B 74 73 69 79 75 37 66 37w9zC67Oktsiyu7f7
00512E3075 73 38 3D 00 00 00 00 00 00 00 00 00 00 00 00us8=............
00512E4000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
00512E5000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
00512E6000 00 00 00 14 2E 51 00 0E 00 00 00 40 00 00 00.....Q....@...
00512E70C3 DC C2 EB B3 A4 B6 C8 B2 BB B7 FB BA CF 00 00密码长度不符合..
00512E8000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............

唔已经提示了密码长度不符合。我们执行 F8(Set Over)操作指令
004016CF > \8B46 64    MOV EAX, DWORD PTR DS:
004016D2 .8378 F8 13 CMP DWORD PTR DS:, 0x13
004016D6 .74 43       JE    SHORT 0040171B
004016D8 .6A 00       PUSH 0x0
004016DA .8D4D F0    LEA ECX, DWORD PTR SS:
004016DD .6A 00       PUSH 0x0
004016DF .51          PUSH ECX
004016E0 .51          PUSH ECX
004016E1 .8BCC       MOV ECX, ESP
004016E3 .8965 E4    MOV DWORD PTR SS:, ESP
004016E6 .68 FC304000 PUSH 004030FC                      ;w9zC67Oktsiyu7f7us8=
004016EB .E8 D6030000 CALL <JMP.&MFC42.#537>
004016F0 .8D55 E8    LEA EDX, DWORD PTR SS:
004016F3 .52          PUSH EDX
004016F4 .E8 D7FAFFFF CALL 004011D0
004016F9 .83C4 0C    ADD ESP, 0xC
004016FC .8BC8       MOV ECX, EAX
004016FE .C645 FC 02 MOV BYTE PTR SS:, 0x2
00401702 .E8 79010000 CALL 00401880
00401707 .50          PUSH EAX
00401708 .8BCE       MOV ECX, ESI
0040170A .E8 B1030000 CALL <JMP.&MFC42.#4224>
0040170F .C645 FC 00 MOV BYTE PTR SS:, 0x0
00401713 .8D4D E8    LEA ECX, DWORD PTR SS:
00401716 .E9 34010000 JMP 0040184F

Eip停留在0x4016CF 处

004016CF >8B46 64    MOV EAX, DWORD PTR DS:
004016D2 .8378 F8 13 CMP DWORD PTR DS:, 0x13
004016D6 .74 43       JE    SHORT 0040171B
发现一句Compare指令 CMP DWORD PTR DS:, 0x13
简单翻译下判断 eax-8 Dword类型的值是否为 13 (16进制值)10进制是（19）由此得到我们真正的密码的长度是19

Ctrl+F2 重新载入重载之前设置个大本营(004016CF 下个断点) 运行后输入我们的假密码 (1234567891234567891)

断点位于

004016CF > \8B46 64    MOV EAX, DWORD PTR DS:
004016D2 .8378 F8 13 CMP DWORD PTR DS:, 0x13
004016D6 .74 43       JE    SHORT 0040171B
004016D8 .6A 00       PUSH 0x0
004016DA .8D4D F0    LEA ECX, DWORD PTR SS:
004016DD .6A 00       PUSH 0x0

Set Over 来到 0x4016D2

DS:=00000013

007B2DC813 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38...@...12345678
007B2DD839 31 32 33 34 35 36 37 38 39 31 00 00 00 00 0091234567891.....

继续 Set Over发现0x4016D6处的JE 0040171B 转移指令转移了跳转到0x40171B

0040171B > \51          PUSH ECX
0040171C .8D45 F0    LEA EAX, DWORD PTR SS:
0040171F .8BFC       MOV EDI, ESP
00401721 .8965 E4    MOV DWORD PTR SS:, ESP
00401724 .50          PUSH EAX
00401725 .51          PUSH ECX
00401726 .8BCC       MOV ECX, ESP
00401728 .8965 E4    MOV DWORD PTR SS:, ESP
0040172B .68 DC304000 PUSH 004030DC                      ;R05WTE+v6r7ozfa4zsWjZ2RnZA==
00401730 .E8 91030000 CALL <JMP.&MFC42.#537>
00401735 .57          PUSH EDI
00401736 .E8 95FAFFFF CALL 004011D0
0040173B .83C4 0C    ADD ESP, 0xC
0040173E .8D4D E8    LEA ECX, DWORD PTR SS:
00401741 .51          PUSH ECX
00401742 .E8 69FEFFFF CALL 004015B0
00401747 .8B00       MOV EAX, DWORD PTR DS:
00401749 .8B4E 64    MOV ECX, DWORD PTR DS:
0040174C .50          PUSH EAX                            ; /s2
0040174D .51          PUSH ECX                            ; |s1
0040174E .FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401754 .83C4 10    ADD ESP, 0x10
00401757 .8D4D E8    LEA ECX, DWORD PTR SS:
0040175A .85C0       TEST EAX, EAX
0040175C .0F94C3    SETE BL
0040175F .E8 3C020000 CALL <JMP.&MFC42.#800>
00401764 .84DB       TEST BL, BL

这里发现了我们之前找到的嫌疑犯。这个嫌疑犯真的有嫌疑吗。让我们来一探究竟。

继续执行Set Over

同时观察数据窗口内容对还是这个熟悉的13

007B2DC813 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38...@...12345678
007B2DD839 31 32 33 34 35 36 37 38 39 31 00 00 00 00 0091234567891.....
007B2DE800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2DF800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2E0800 00 00 00 00 00 00 00 00 00 00 00 64 2E 7B 00............d.{.
007B2E180A 00 00 00 40 00 00 00 C3 DC C2 EB B2 BB B7 FB....@...密码不符
007B2E28BA CF 00 6F 7A 66 61 34 7A 73 57 6A 5A 32 52 6E合.ozfa4zsWjZ2Rn
007B2E385A 41 3D 3D 00 00 00 00 00 00 00 00 00 00 00 00ZA==............
007B2E4800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2E5800 00 00 00 00 00 00 00 00 00 00 00 B4 2E 7B 00............?{.
007B2E6810 00 00 00 40 00 00 00 77 39 7A 43 36 37 4B 37...@...w9zC67K7
007B2E7874 2F 75 36 7A 77 3D 3D 00 68 65 00 00 00    t/u6zw==.he...

执行到 0x40173B

0040173B .83C4 0C    ADD ESP, 0xC
0040173E .8D4D E8    LEA ECX, DWORD PTR SS:
00401741 .51          PUSH ECX
00401742 .E8 69FEFFFF CALL 004015B0
00401747 .8B00       MOV EAX, DWORD PTR DS:

007B2DC813 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38...@...12345678
007B2DD839 31 32 33 34 35 36 37 38 39 31 00 00 00 00 0091234567891.....
007B2DE800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2DF800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2E0800 00 00 00 00 00 00 00 00 00 00 00 B4 2E 7B 00............?{.
007B2E181C 00 00 00 40 00 00 00 52 30 35 57 54 45 2B 76...@...R05WTE+v
007B2E2836 72 37 6F 7A 66 61 34 7A 73 57 6A 5A 32 52 6E6r7ozfa4zsWjZ2Rn
007B2E385A 41 3D 3D 00 00 00 00 00 00 00 00 00 00 00 00ZA==............
007B2E4800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00................
007B2E5800 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00...............
007B2E6813 00 00 00 40 00 00 00 47 4E 56 4C 4F AF EA BE...@...GNVLO?
007B2E78E8 CD F6 B8 CE C5 A3 67 64 67 64 00 00 00 00 柰龈闻dgd.....

发现经过 0x40172B 参数值后数据窗口数值已经开始解码啦。解码后要干什么?交给嫌疑犯。

Set Over执行到 0x40174E

0040174E .FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp

观察OllyDbg 堆栈窗口

0018F6C4 00401DDFEntry address0018F6C8

007B2DD0|s1 = "1234567891234567891"0018F6CC
007B2E70\s2 = "HOWMP半块西瓜皮hehe"0018F6D0 0018F6E8

007B2E7048 4F 57 4D 50 B0 EB BF E9 CE F7 B9 CF C6 A4 68HOWMP半块西瓜皮h
007B2E8065 68 65                                     eheStart:
0x7B2E70 End:0x7B2E82 Size:0x13

熟悉的13 (不知道为什么今天特别喜欢13这个数字以前都很很很讨厌的咯。) 尝试下吧 HOWMP半块西瓜皮hehe 密码正确显示Flag (06d2ba96e3d4c203b29def25f2710d42)

提交下看看

---------------------------------------------------------
是不是人性如此在心底都会有个崇尚的暴力的地方(我最喜欢爆破啦，暴破CM,暴破外挂、暴破商业软件、爆米花、当然还想暴菇凉。。。。。。)

OllyDbg Ctrl+F2 重载程序设置CC断点 0x4016D2 run
004016D2 .8378 F8 13 CMP DWORD PTR DS:, 0x13
004016D6 .74 43       JE    SHORT 0040171B
004016D8 .6A 00       PUSH 0x0
004016DA .8D4D F0    LEA ECX, DWORD PTR SS:
004016DD .6A 00       PUSH 0x0
004016DF .51          PUSH ECX
004016E0 .51          PUSH ECX
004016E1 .8BCC       MOV ECX, ESP
004016E3 .8965 E4    MOV DWORD PTR SS:, ESP
004016E6 .68 FC304000 PUSH 004030FC                      ;w9zC67Oktsiyu7f7us8=
运行后输入我的小名 (Sound)

Pause Eip= 0x4016D2

DS:=00000005

002B2DC805 00 00 00 40 00 00 00 53 6F 75 6E 64 00 00 00...@...Sound...
002B2DD800 00 00                                     ...

修改 0x2B2DC8 05 >> 13 (让cmp的值相等影响Zf标志位 0x4016D6 处转移指令跳转)

或者修改0x4016D6 74 43 >> 75 43

继续 Set Over

0040174E .FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401754 .83C4 10    ADD ESP, 0x10
00401757 .8D4D E8    LEA ECX, DWORD PTR SS:
0040175A .85C0       TEST EAX, EAX
0040175C    0F94C3    SETE BL
0040175F .E8 3C020000 CALL <JMP.&MFC42.#800>
00401764 .84DB       TEST BL, BL
00401766 .0F84 A5000000 JE    00401811
0040176C .70 03       JO    SHORT 00401771
0040176E .71 01       JNO SHORT 00401771
00401770    E8          DB    E8
00401771 >6A 00       PUSH 0x0
00401773 .8D55 F0    LEA EDX, DWORD PTR SS:
00401776 .6A 00       PUSH 0x0

汇编指令可以看出

0x401766处转移指令受影响于
TEST BL, BL 其次影响 Zf 标志位

而
0x401764受影响于 0040175C 0F94C3 SETE BL >> SETNE BL >> 0F95C3

Patch
0x40175C    0F95C3    SETNE BL
0x4016D6 75 43       Je SHORT 0040171B

完成暴破

-------------------------------------------------【版权声明】-------------------------------------------------
【版权声明】本文由Sound原创, 转载请注明作者并保持文章的完整, 谢谢!

Emil 发表于 2015-10-31 11:11

沙发感谢分享大赛也醉了

xh410117 发表于 2015-10-31 11:14

好屌！！！！！！！！只能膜拜！！！

小小怪下士 发表于 2015-10-31 11:34

前排围观大牛

我是一个小白 发表于 2015-10-31 11:35

看起来不错，顶一个{:301_975:}

蚯蚓翔龙 发表于 2015-10-31 11:41

文字风格看起来感觉变了~

lifushan0 发表于 2015-10-31 12:01

围观学习收藏大牛的经验啊

霄遥子 发表于 2015-10-31 12:04

主页做的很有意思借用一下源码咯

水立方 发表于 2015-10-31 12:10

看起来不错，{:301_1003:}

霄遥子 发表于 2015-10-31 12:29

顺便说一句那是OICQ不是QICQ- -

页: [1] 2

吾爱破解 - 52pojie.cn's Archiver

西安2015“华山杯”网络安全技能大赛 逆向破解1题解

西安2015“华山杯”网络安全技能大赛逆向破解1题解