初赛第一题(CrackMe注册机)——社会组PC方向进阶版
本帖最后由 littleNA 于 2018-8-1 16:05 编辑2018.08.01更新:
此文比较粗糙,感兴趣的同学请移步:
[剖析2018腾讯游戏安全竞赛题目(上)](https://bbs.pediy.com/thread-230312.htm)
代码编译平台:VS2017 C++ ,ida6.8
// 分析的idb太大了,不能上传论坛,给个github链接(包括代码):~~https://github.com/littleNA/testGslab2018_1~~
前言
今年初赛的题目结构和去年的差不多,进阶版主要是将RSA算法替换成了修改后的AES算法。
几组注册码:
Name: 1234#5678#9012#3456#7890#0987#6543#2109
Key: YmKvW2h4UdQQr0k8CU4EnADKigV6^HuSBSv@5ou7BSm=
Name: 1234#1234#1234#1234#1234#1234#1234#1234
Key: EB60*2h4UdQKRH^J2235o^^YYvfvxylWBSv@5ou7BSm=
Name: 0000#1111#2222#3333#4444#5555#6666#7777
Key: nhKEDWh4UdQfJ7&Y+$*$4Ltd2OUY$#mYBSv@5ou7BSm=
逆向分析过程:
1. 首先程序会需要输入格式为xxxx#xxxx#xxxx#xxxx#xxxx#xxxx#xxxx#xxxx的注册名,调用check_name进行检查
2. 之后调用calc_code函数对name进行计算,得到5个int64的变量
3. 接着程序调用修改的base64算法,对RegCode进行解密
4. 将解密的数据传递给修改后的AES算法(key为“welcomegslab2018”),再次解密
5. 解密后的数据最后8个字节需要固定为 “2018\x00\x00\x00\x00”. 然后调用check_name_key进行解方程 AES分析过程AES算法被修改了,其中key为固定welcomegslab2018,则拓展后的key也是固定的。还原的解密算法如下:
AES算法分析的中间过程:
--------------------------------------------------------------------------------------------------------------------------------------------
key -->"welcomegslab2018"
--> key拓展后
005D4F4863 6C 65 77 67 65 6D 6F 62 61 6C 73 38 31 30 32clewgemobals8102
005D4F58E3 5B 72 34 84 3E 1F 5B E6 5F 73 28 DE 6E 43 1A鉡r4?¬[鎋s(辬C
005D4F684E EC 26 1E CA D2 39 45 2C 8D 4A 6D F2 E3 09 77N? 室9E,岼m蜚.w
005D4F7849 4A E7 B7 83 98 DE F2 AF 15 94 9F 5D F6 9D E8IJ绶儤掾?敓]鰸?
005D4F88C3 9A 41 A6 40 02 9F 54 EF 17 0B CB B2 E1 96 23脷A烼?瞬釚#
005D4F9814 A1 41 F8 54 A3 DE AC BB B4 D5 67 09 55 43 44鳷^凑g.UCD
005D4FA8B9 BF 14 FB ED 1C CA 57 56 A8 1F 30 5F FD 5C 74箍蔠V?0_?
005D4FB8F8 1B 42 1C 15 07 88 4B 43 AF 97 7B 1C 52 CB 0F?B圞C瘲{R?
005D4FC822 1F 59 6E 37 18 D1 25 74 B7 46 5E 68 E5 8D 51"¬Yn7?t稦^h鍗Q
005D4FD8CB B4 37 9A FC AC E6 BF 88 1B A0 E1 E0 FE 2D B0舜7汓繄犪帼-?
005D4FE839 42 EE 51 C5 EE 08 EE 4D F5 A8 0F AD 0B 85 BF9B頠蓬頜酲?吙
需要加密的16字节
009255D000 10 83 10 51 87 24 82 CA 34 C3 CE 49 34 11 59.?Q?偸4梦I4Y
-->将16字节转换为16个dword,并竖排
0018EE0000 00 00 00 51 00 00 00 CA 00 00 00 49 00 00 00....Q...?..I...
0018EE1010 00 00 00 87 00 00 00 34 00 00 00 34 00 00 00...?..4...4...
0018EE2083 00 00 00 24 00 00 00 C3 00 00 00 11 00 00 00?..$...?.....
0018EE3010 00 00 00 82 00 00 00 CE 00 00 00 59 00 00 00...?..?..Y...
-->加法层,取key拓展的最后一个16字节的key,与上面的字节异或
39 42 EE 51 --> 51^83 EE^10 42^10 39^00
EE 08 EE 4D --> 4D^24 EE^82 08^87 EE^51
....一共4次
-->结果
0018EE0039 00 00 00 94 00 00 00 87 00 00 00 E4 00 00 009...?..?..?..
0018EE1052 00 00 00 69 00 00 00 C1 00 00 00 3F 00 00 00R...i...?..?...
0018EE20D2 00 00 00 CA 00 00 00 CC 00 00 00 AE 00 00 00?..?..?..?..
0018EE30FE 00 00 00 8A 00 00 00 66 00 00 00 DC 00 00 00?..?..f...?..
-->SBOX操作,每一个都进行字节替换
iSBox,iSBox,iSBox...
-->结果
0018EE006E 00 00 00 8A 00 00 00 98 00 00 00 06 00 00 00n...?..?.....
0018EE10A2 00 00 00 3F 00 00 00 C5 00 00 00 80 00 00 00?..?...?..?...
0018EE2034 00 00 00 3E 00 00 00 ED 00 00 00 33 00 00 004...>...?..3...
0018EE30C8 00 00 00 E5 00 00 00 B1 00 00 00 2D 00 00 00?..?..?..-...
-->ShiftRow层
第一列不变,第二列向下循环移动1字节,第三列向下循环移动2字节,第四列向下循环移动3字节
0018EE006E 00 00 00 E5 00 00 00 ED 00 00 00 80 00 00 00n...?..?..?...
0018EE10A2 00 00 00 8A 00 00 00 B1 00 00 00 33 00 00 00?..?..?..3...
0018EE2034 00 00 00 3F 00 00 00 98 00 00 00 2D 00 00 004...?...?..-...
0018EE30C8 00 00 00 3E 00 00 00 C5 00 00 00 06 00 00 00?..>...?.....
-->InvMixColumns层
-->结果 6Em0E ^ A2m0B ^ 34m0D ^ C8m09....
0018EE0035 00 00 00 4D 00 00 00 93 00 00 00 4B 00 00 005...M...?..K...
0018EE108D 00 00 00 2E 00 00 00 21 00 00 00 EF 00 00 00?......!...?..
0018EE200F 00 00 00 4B 00 00 00 E4 00 00 00 CD 00 00 00...K...?..?..
0018EE3087 00 00 00 46 00 00 00 57 00 00 00 F1 00 00 00?..F...W...?..
-->未知层,取key的倒数第二组16个字节,进行位置变换
CB B4 37 9A FC AC E6 BF 88 1B A0 E1 E0 FE 2D B0
-->变换结果
0018ED60CB 00 00 00 FC 00 00 00 88 00 00 00 E0 00 00 00?..?..?..?..
0018ED70B4 00 00 00 AC 00 00 00 1B 00 00 00 FE 00 00 00?..?.....?..
0018ED809A 00 00 00 BF 00 00 00 E1 00 00 00 B0 00 00 00?..?..?..?..
0018ED9037 00 00 00 E6 00 00 00 A0 00 00 00 2D 00 00 007...?..?..-...
-->对上面的结果进行InvMixColumns层变换
-->变换结果
0018ED6072 00 00 00 0A 00 00 00 12 00 00 00 70 00 00 00r..........p...
0018ED70CA 00 00 00 F8 00 00 00 36 00 00 00 F4 00 00 00?..?..6...?..
0018ED809C 00 00 00 5B 00 00 00 C4 00 00 00 3D 00 00 00?..[...?..=...
0018ED90F6 00 00 00 A0 00 00 00 32 00 00 00 3A 00 00 00?..?..2...:...
-->将上一步计算的key与上三步计算的结果异或
-->结果 35 ^ 72, 4D ^ 0A....
0018EE0047 00 00 00 47 00 00 00 81 00 00 00 3B 00 00 00G...G...?..;...
0018EE1047 00 00 00 D6 00 00 00 17 00 00 00 1B 00 00 00G...?........
0018EE2093 00 00 00 10 00 00 00 20 00 00 00 F0 00 00 00?..... ...?..
0018EE3071 00 00 00 E6 00 00 00 65 00 00 00 CB 00 00 00q...?..e...?..
以上步骤循环9次
-->结果
0018EE0085 00 00 00 F9 00 00 00 A6 00 00 00 75 00 00 00?..?..?..u...
0018EE10D3 00 00 00 DC 00 00 00 EB 00 00 00 16 00 00 00?..?..?.....
0018EE2068 00 00 00 DB 00 00 00 C1 00 00 00 F9 00 00 00h...?..?..?..
0018EE3079 00 00 00 8F 00 00 00 2E 00 00 00 E7 00 00 00y...?......?..
-->再进行SBox变换,结果
0018EE0090 00 00 00 C6 00 00 00 92 00 00 00 DF 00 00 00?..?..?..?..
0018EE1020 00 00 00 2D 00 00 00 43 00 00 00 23 00 00 00 ...-...C...#...
0018EE2046 00 00 00 EF 00 00 00 C5 00 00 00 C6 00 00 00F...?..?..?..
0018EE30F5 00 00 00 E4 00 00 00 D0 00 00 00 11 00 00 00?..?..?.....
-->ShiftRow层,同上面的ShiftRow变换
0018EE0090 00 00 00 E4 00 00 00 C5 00 00 00 23 00 00 00?..?..?..#...
0018EE1020 00 00 00 C6 00 00 00 D0 00 00 00 C6 00 00 00 ...?..?..?..
0018EE2046 00 00 00 2D 00 00 00 92 00 00 00 11 00 00 00F...-...?.....
0018EE30F5 00 00 00 EF 00 00 00 43 00 00 00 DF 00 00 00?..?..C...?..
-->加法层,取第一行的key,与上面的字节异或
-->结果
0018EE00F3 00 00 00 83 00 00 00 A7 00 00 00 1B 00 00 00?..?..?.....
0018EE104C 00 00 00 A3 00 00 00 B1 00 00 00 F7 00 00 00L...?..?..?..
0018EE2031 00 00 00 42 00 00 00 E1 00 00 00 23 00 00 001...B...?..#...
0018EE3090 00 00 00 82 00 00 00 2F 00 00 00 EF 00 00 00?..?../...?..
--------------------------------------------------------------------------------------------------------------------------------------------
最后的解方程:
_int64 nTmp6 = (nTmp4 - nTmp2) / (2 * nTmp1);
_int64 nTmp7 = nTmp6*nTmp6*nTmp1 + nTmp6*nTmp2 + nTmp3;
_int64 nTmp8 = nTmp3 + ((nTmp2 + (nTmp1*nTmp5) - nTmp4) * nTmp5);
张思麒 发表于 2018-7-22 13:57
源码开发么?
源码链接已经失效了,感兴趣可以看这篇文章 https://bbs.pediy.com/thread-230312.htm 感谢 有帮助 膜拜大佬 羡慕大佬的水平 哇这也太强了吧 膜拜大佬 感谢开源 大佬没看懂 疯狂打call 完全看不懂啊,赶紧看本书压压惊