依赖
- IDA7.7
- python的pefile库
作者:hans774882968以及hans774882968以及hans774882968
本文52pojie:https://www.52pojie.cn/thread-1689683-1-1.html
本文juejin:https://juejin.cn/post/7144760578349727780
本文csdn:https://blog.csdn.net/hans774882968/article/details/126925833
正文
32位程序,Section: [.text], EP: 0x00001F40故无壳。
用IDA打开立刻定位到main函数:
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
DWORD v3; // eax
DWORD v4; // eax
char Str[260]; // [esp+4Ch] [ebp-310h] BYREF
int v7; // [esp+150h] [ebp-20Ch]
char String1[260]; // [esp+154h] [ebp-208h] BYREF
char Destination[260]; // [esp+258h] [ebp-104h] BYREF
memset(Destination, 0, sizeof(Destination));
memset(String1, 0, sizeof(String1));
v7 = 0;
printf("pls input the first passwd(1): ");
scanf("%s", Destination);
if ( strlen(Destination) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
v7 = atoi(Destination);
if ( v7 < 100000 )
ExitProcess(0);
strcat(Destination, "@DBApp");
v3 = strlen(Destination);
sub_40100A((BYTE *)Destination, v3, String1);
if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
{
printf("continue...\n\n");
printf("pls input the first passwd(2): ");
memset(Str, 0, sizeof(Str));
scanf("%s", Str);
if ( strlen(Str) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
strcat(Str, Destination);
memset(String1, 0, sizeof(String1));
v4 = strlen(Str);
sub_401019((BYTE *)Str, v4, String1);
if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
{
if ( !(unsigned __int8)sub_40100F(Str) )
{
printf("Error!!\n");
ExitProcess(0);
}
printf("bye ~~\n");
}
}
return 0;
}
可以看到这里要过两个密码,涉及的关键语句分别是sub_40100A((BYTE *)Destination, v3, String1)和sub_401019((BYTE *)Str, v4, String1)。
第一关
点击sub_40100A会定位到:
int __cdecl sub_401230(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
DWORD i; // [esp+4Ch] [ebp-28h]
CHAR String2[4]; // [esp+50h] [ebp-24h] BYREF
BYTE v6[20]; // [esp+54h] [ebp-20h] BYREF
DWORD pdwDataLen; // [esp+68h] [ebp-Ch] BYREF
HCRYPTHASH phHash; // [esp+6Ch] [ebp-8h] BYREF
HCRYPTPROV phProv; // [esp+70h] [ebp-4h] BYREF
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8004u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(String2, "%02X", v6[i]);
lstrcatA(lpString1, String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 0;
}
}
else
{
CryptReleaseContext(phProv, 0);
return 0;
}
}
根据参考链接1,可知CryptCreateHash的第二个参数是ALG_ID,而根据参考链接2,找到0x8004u表示CALG_SHA1。
接着梳理一下问题:要求6位数i满足sha1(f'{i}@DBApp') == 某常量串。解法很简单,枚举100000到999999即可。
代码
def get_tail():
for i in range(100000, 1000000):
s = f'{i}@DBApp'
bs = s.encode()
obj = hashlib.sha1(bs)
result = obj.hexdigest().upper()
if result == '6E32D0943418C2C33385BC35A1470250DD8923A9':
return bs
第二关
点击sub_401019会定位到:
int __cdecl sub_401040(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
DWORD i; // [esp+4Ch] [ebp-24h]
CHAR String2[4]; // [esp+50h] [ebp-20h] BYREF
BYTE v6[16]; // [esp+54h] [ebp-1Ch] BYREF
DWORD pdwDataLen; // [esp+64h] [ebp-Ch] BYREF
HCRYPTHASH phHash; // [esp+68h] [ebp-8h] BYREF
HCRYPTPROV phProv; // [esp+6Ch] [ebp-4h] BYREF
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
return 0;
if ( CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash) )
{
if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
{
CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
*lpString1 = 0;
for ( i = 0; i < pdwDataLen; ++i )
{
wsprintfA(String2, "%02X", v6[i]);
lstrcatA(lpString1, String2);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 1;
}
else
{
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
return 0;
}
}
else
{
CryptReleaseContext(phProv, 0);
return 0;
}
}
同理,在参考链接2中找到0x8003u表示CALG_MD5。
接着梳理一下问题:要求长度为6的字符串s满足md5(f'{s}@DBApp') == 某常量串。解空间过大,直接枚举不可行。
那么我们看看sub_40100F能给予我们哪些必要的提示。点sub_40100F会定位到:
char __cdecl sub_4014D0(LPCSTR lpString)
{
LPCVOID lpBuffer; // [esp+50h] [ebp-1Ch]
DWORD NumberOfBytesWritten; // [esp+58h] [ebp-14h] BYREF
DWORD nNumberOfBytesToWrite; // [esp+5Ch] [ebp-10h]
HGLOBAL hResData; // [esp+60h] [ebp-Ch]
HRSRC hResInfo; // [esp+64h] [ebp-8h]
HANDLE hFile; // [esp+68h] [ebp-4h]
hFile = 0;
hResData = 0;
nNumberOfBytesToWrite = 0;
NumberOfBytesWritten = 0;
hResInfo = FindResourceA(0, (LPCSTR)0x65, "AAA");
if ( !hResInfo )
return 0;
nNumberOfBytesToWrite = SizeofResource(0, hResInfo);
hResData = LoadResource(0, hResInfo);
if ( !hResData )
return 0;
lpBuffer = LockResource(hResData);
sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);
hFile = CreateFileA("dbapp.rtf", 0x10000000u, 0, 0, 2u, 0x80u, 0);
if ( hFile == (HANDLE)-1 )
return 0;
if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0) )
return 0;
CloseHandle(hFile);
return 1;
}
这个函数要拿一个叫AAA的资源,作为常量串,跑sub_401005的异或,最后要求生成一个合法的.rtf文件。
提取exe中的资源
我们需要拿到AAA资源的内容。这里用pefile库来完成(也可以更简单地用Resource Hacker等软件来拿):
import os
import sys
import string
import pefile
import hashlib
import struct
def main():
path_sample = r"CrackRTF.exe"
peobj = pefile.PE(path_sample)
print(pefile.RESOURCE_TYPE, end='\n\n\n')
for resource_type in peobj.DIRECTORY_ENTRY_RESOURCE.entries:
if resource_type.name is not None:
name = "%s" % resource_type.name
else:
name = "%s" % pefile.RESOURCE_TYPE.get(resource_type.struct.Id)
if name is None:
name = "%d" % resource_type.struct.Id
if name != 'AAA':
continue
# resource_type已经是ResourceDirEntryData类型,而非ResourceDirData类型
for resId in resource_type.directory.entries:
if hasattr(resId, 'directory'):
for resLang in resId.directory.entries:
dat = peobj.get_data(
resLang.data.struct.OffsetToData,
resLang.data.struct.Size)
print('resLang', dat)
else:
dat = peobj.get_data(
resId.data.struct.OffsetToData,
resId.data.struct.Size)
print('resId', dat)
peobj.close()
if __name__ == "__main__":
main()
RTF的固定文件头
接下来看看sub_401005的异或:
unsigned int __cdecl sub_401420(LPCSTR lpString, int a2, unsigned int a3)
{
unsigned int result; // eax
unsigned int i; // [esp+4Ch] [ebp-Ch]
unsigned int v5; // [esp+54h] [ebp-4h]
v5 = lstrlenA(lpString);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= a3 )
break;
*(_BYTE *)(i + a2) ^= lpString[i % v5];
}
return result;
}
异或方程需要知道其中两个,才能解出第三个,但只有AAA资源的内容是已知的,.rtf文件和我们要输入的密码都是未知的。此时我们需要一个隐含知识:rtf文件有固定的文件头:b'{\\rtf1'(6字节)。结合AAA资源的内容,可以解出第二关的密码。最后,拿整体的密码异或一下AAA资源的内容,即可得到所求的rtf文件。
总结
- 用pefile库获取资源文件。
- 文件头、函数头拥有固定数据是常常涉及的常识,比如:png头固定:MagicImageViewer、函数头固定:SCUx401CTF2021-RE2-pixpix。
完整代码
import os
import struct
import hashlib
def get_tail():
for i in range(100000, 1000000):
s = f'{i}@DBApp'
bs = s.encode()
obj = hashlib.sha1(bs)
result = obj.hexdigest().upper()
if result == '6E32D0943418C2C33385BC35A1470250DD8923A9':
return bs
def main():
aaa = b'\x05}A\x15&\x01mS]@[m!*1(\x13\x00\x19\x18\x00W\x1cTTTU\x03nU%". \x1e\x17O\x11\x00R\x1cTTT_R\\V&!pqEB\x05}U\x0e.DEP_HnWp\x18$,\x1f\x14\x1bS]=&@CC\x05oTR(%02\x15\x04O\x12\x07A\x1c\x17RPo\x14QT\x1cc!",W\x1b\x14\x08\x1c==;Io\x19nV%*\'3\x11\x04\x11S\x13,3VEWWZF\x11ujvp^AK\x0f\x02Tq\x05\nOoE[T7/+/\x14D"TPP\x1c@P@Wo^P.#pqEB"G\x03=&C\x03\x02\x13u^P\'\x189\x0f@/3\x11A\x04\x1fvCWVlpD\'7\x1e<,\x00\x1fS>k==;2'
rtf_head = b'{\\rtf1'
passwd = bytearray()
for i in range(6):
passwd.append(aaa[i] ^ rtf_head[i])
print(passwd)
passwd += get_tail()
print(passwd)
ans = b''
for i in range(len(aaa)):
ans += struct.pack('<B', aaa[i] ^ passwd[i % len(passwd)])
print(ans)
with open('ans.rtf', 'wb') as f:
f.write(ans)
if __name__ == '__main__':
main()
参考资料
- https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptcreatehash
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/alg-id
- https://www.52pojie.cn/thread-994588-1-1.html
[复制链接]
发表于 2022-9-19 00:38
