Sound
Posted on 2015-10-31 10:50
This post was last edited by Sound on 2015-11-2 02:20
-------------------------------------------------【Article Overview】-------------------------------------------------
【Title】 Xi'an 2015 "Huashan Cup" Network Security Skills Contest: write-up for reverse engineering challenge 1
【Author】 Sound
【Author e-mail】 Sound@Crack4r.cc
【Author homepage】 http://Crack4r.cc
【Program name】 Reverse Engineering --- Reverse-1
【Program size】 20.0 KB (20,480 bytes)
【Download】 http://static.seclover.com/mfcEncrypt.exe
【Packer】 None
【Protection】 Password check
【Language】 Microsoft Visual C++ (6.0) [msvcrt]
【Tools】 OllyDbg 1.10, Detect It Easy
【Platform】 Win7 x86
【Program description】 Contest platform: http://lab.seclover.com/
【Author's note】 This is written for learning purposes only; without affecting the contest, I picked the simplest reverse engineering challenge to solve. To make it easier to read I use a light-hearted tone and plain Mandarin (even though my Mandarin isn't that standard).
-------------------------------------------------【Article Body】-------------------------------------------------
Reverse Engineering --- Reverse-1
xxxxxxxxx teams have already solved this challenge
Rumor has it that the scanner is completely useless here~~
Challenge notes
Crack this program and obtain the Flag
The Flag is not wrapped as Flag{XxXxXXx}, so submit it as-is
Preface: the text and screenshots below are my line of thought when I first got this challenge, and that is what this article covers. Open the program and take a look.
A trial run gives the prompt 密码长度不符合 (password length does not match). The main window's text says 输入正确的密码,这里会显示Flag (enter the correct password and the Flag will be shown here). Together with the challenge notes this tells us the program does a plaintext password comparison. Since the password is compared in the clear, I considered two ways to solve it: tracing the comparison to read the password out, and patching the check.
Drop it into Detect It Easy to scan the compiler.
Result: Microsoft Visual C++(6.0)[msvcrt] MFC(4.2)[-], no packer. I start grinning (unpacked soft targets are my favourite).
With no packer, several first-pass techniques come to mind: string search, API search, and so on.
Naturally, string search is my first choice.
With the debugger stopped at the EP (EntryPoint), search for ASCII strings (right-click >> Search for >> All referenced text strings):
Address Disassembly Text String
00401382 PUSH 00401DAE 赴$@
004013CC PUSH 00403068 输入正确的密码,这里会显示Flag
004015B2 PUSH 00401DDF 歌$@
00401695 PUSH 00403114 w9zC67K7xNzOqr/V
004016E6 PUSH 004030FC w9zC67Oktsiyu7f7us8=
0040172B PUSH 004030DC R05WTE+v6r7ozfa4zsWjZ2RnZA==
0040177F PUSH 004030CC w9zC69X9yLc=
004017C9 PUSH 0040309C LzVjMWFgODVkMmMzYjEvMmExOGNkZTE0ZTE2MC9jMzE=
0040181F PUSH 00403088 w9zC67K7t/u6zw==
00401B20 PUSH EBP (Initial CPU selection)
Hmm, the error prompt 密码长度不符合 is not among them (the text is stored encoded). To save effort I won't keep debugging down this road; drop this method.
API search: right-click the disassembly window >> Search for >> All intermodular calls
Address Disassembly
00401571 CALL DWORD PTR DS:[<&USER32.DrawIcon> user32.DrawIcon
0040157B CALL <JMP.&MFC42.#755> mfc42.#755
00401589 CALL <JMP.&MFC42.#2379> mfc42.#2379
004015EF CALL <JMP.&MFC42.#5856> mfc42.#5856
00401609 CALL <JMP.&MFC42.#535> mfc42.#535
0040161F CALL <JMP.&MFC42.#800> mfc42.#800
0040169A CALL <JMP.&MFC42.#537> mfc42.#537
004016B9 CALL <JMP.&MFC42.#4224> mfc42.#4224
004016EB CALL <JMP.&MFC42.#537> mfc42.#537
0040170A CALL <JMP.&MFC42.#4224> mfc42.#4224
00401730 CALL <JMP.&MFC42.#537> mfc42.#537
0040174E CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] msvcrt._mbscmp
0040175F CALL <JMP.&MFC42.#800> mfc42.#800
00401784 CALL <JMP.&MFC42.#537> mfc42.#537
004017A3 CALL <JMP.&MFC42.#4224> mfc42.#4224
004017AF CALL <JMP.&MFC42.#800> mfc42.#800
004017C2 PUSH ECX (Initial CPU selection)
004017CE CALL <JMP.&MFC42.#537> mfc42.#537
004017F0 CALL <JMP.&MFC42.#858> mfc42.#858
004017FC CALL <JMP.&MFC42.#800> mfc42.#800
0040180A CALL <JMP.&MFC42.#6334> mfc42.#6334
00401824 CALL <JMP.&MFC42.#537> mfc42.#537
00401843 CALL <JMP.&MFC42.#4224> mfc42.#4224
0040184F CALL <JMP.&MFC42.#800> mfc42.#800
0040185E CALL <JMP.&MFC42.#800> mfc42.#800
00401896 CALL DWORD PTR DS:[<&USER32.EnableWin user32.EnableWindow
004018A6 CALL DWORD PTR DS:[<&USER32.EnableWin user32.EnableWindow
00401ADF CALL DWORD PTR DS:[<&MSVCRT._onexit>] msvcrt._onexit
I spot a suspect: _mbscmp
0040174E CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] msvcrt._mbscmp
It is called to compare two strings:
int _mbscmp(
    const unsigned char *string1,
    const unsigned char *string2
);
It returns 0 when the two strings are equal, which is what the SETE BL after the call turns into the pass/fail flag.
Follow the address and find the head of the block:
0040167B . 01E8 ADD EAX, EBP
0040167D . 8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64]
00401680 . 8B48 F8 MOV ECX, DWORD PTR DS:[EAX-0x8]
00401683 . 85C9 TEST ECX, ECX
00401685 . 75 43 JNZ SHORT 004016CA
00401687 . 6A 00 PUSH 0x0
00401689 . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-0x10]
0040168C . 6A 00 PUSH 0x0
0040168E . 51 PUSH ECX
0040168F . 51 PUSH ECX
00401690 . 8BCC MOV ECX, ESP
00401692 . 8965 E8 MOV DWORD PTR SS:[EBP-0x18], ESP
00401695 . 68 14314000 PUSH 00403114 ; w9zC67K7xNzOqr/V
0040169A . E8 27040000 CALL <JMP.&MFC42.#537>
Set an INT3 breakpoint at 0x40167D, F9 (Run), and enter our dummy password www.52pojie.cn. The breakpoint hits at 0x40167D:
0040167D . 8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64]
00401680 . 8B48 F8 MOV ECX, DWORD PTR DS:[EAX-0x8]
00401683 . 85C9 TEST ECX, ECX
Follow in the data (dump) window:
00512DD0 77 77 77 2E 35 32 70 6F 6A 69 65 2E 63 6E 00 00 www.52pojie.cn..
00512DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00512DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00512E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00512E10 00 00 00 00 B4 2E 51 00 14 00 00 00 40 00 00 00 ....?Q....@...
00512E20 77 39 7A 43 36 37 4F 6B 74 73 69 79 75 37 66 37 w9zC67Oktsiyu7f7
00512E30 75 73 38 3D 00 00 00 00 00 00 00 00 00 00 00 00 us8=............
00512E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00512E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00512E60 00 00 00 00 14 2E 51 00 0E 00 00 00 40 00 00 00 .....Q....@...
00512E70 C3 DC C2 EB B3 A4 B6 C8 B2 BB B7 FB BA CF 00 00 密码长度不符合..
00512E80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
Hmm, 密码长度不符合 (password length does not match) is already sitting in memory. Step through the instructions with F8 (Step Over):
004016CF > \8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64]
004016D2 . 8378 F8 13 CMP DWORD PTR DS:[EAX-0x8], 0x13
004016D6 . 74 43 JE SHORT 0040171B
004016D8 . 6A 00 PUSH 0x0
004016DA . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-0x10]
004016DD . 6A 00 PUSH 0x0
004016DF . 51 PUSH ECX
004016E0 . 51 PUSH ECX
004016E1 . 8BCC MOV ECX, ESP
004016E3 . 8965 E4 MOV DWORD PTR SS:[EBP-0x1C], ESP
004016E6 . 68 FC304000 PUSH 004030FC ; w9zC67Oktsiyu7f7us8=
004016EB . E8 D6030000 CALL <JMP.&MFC42.#537>
004016F0 . 8D55 E8 LEA EDX, DWORD PTR SS:[EBP-0x18]
004016F3 . 52 PUSH EDX
004016F4 . E8 D7FAFFFF CALL 004011D0
004016F9 . 83C4 0C ADD ESP, 0xC
004016FC . 8BC8 MOV ECX, EAX
004016FE . C645 FC 02 MOV BYTE PTR SS:[EBP-0x4], 0x2
00401702 . E8 79010000 CALL 00401880
00401707 . 50 PUSH EAX
00401708 . 8BCE MOV ECX, ESI
0040170A . E8 B1030000 CALL <JMP.&MFC42.#4224>
0040170F . C645 FC 00 MOV BYTE PTR SS:[EBP-0x4], 0x0
00401713 . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-0x18]
00401716 . E9 34010000 JMP 0040184F
EIP stops at 0x4016CF:
004016CF > 8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64]
004016D2 . 8378 F8 13 CMP DWORD PTR DS:[EAX-0x8], 0x13
004016D6 . 74 43 JE SHORT 0040171B
Here is a compare instruction: CMP DWORD PTR DS:[EAX-0x8], 0x13
In plain words: it checks whether the DWORD at eax-8 equals 0x13 (19 in decimal). EAX holds the input CString's character buffer, and in MFC 4.2 the DWORD at -8 just before that buffer is the string's length (nDataLength; the DWORD at -4 is the allocated length, the 0x40 that sits next to it in the dumps below). So the real password is 19 bytes long.
Ctrl+F2 to reload; before reloading, set up a base camp (a breakpoint at 004016CF). Run, and enter our 19-character dummy password 1234567891234567891.
The breakpoint hits at:
004016CF > \8B46 64 MOV EAX, DWORD PTR DS:[ESI+0x64]
004016D2 . 8378 F8 13 CMP DWORD PTR DS:[EAX-0x8], 0x13
004016D6 . 74 43 JE SHORT 0040171B
004016D8 . 6A 00 PUSH 0x0
004016DA . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-0x10]
004016DD . 6A 00 PUSH 0x0
Step Over to 0x4016D2:
DS:[007B2DC8]=00000013
007B2DC8 13 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38 ...@...12345678
007B2DD8 39 31 32 33 34 35 36 37 38 39 31 00 00 00 00 00 91234567891.....
Continue with Step Over: the JE 0040171B at 0x4016D6 is taken, and we land at 0x40171B:
0040171B > \51 PUSH ECX
0040171C . 8D45 F0 LEA EAX, DWORD PTR SS:[EBP-0x10]
0040171F . 8BFC MOV EDI, ESP
00401721 . 8965 E4 MOV DWORD PTR SS:[EBP-0x1C], ESP
00401724 . 50 PUSH EAX
00401725 . 51 PUSH ECX
00401726 . 8BCC MOV ECX, ESP
00401728 . 8965 E4 MOV DWORD PTR SS:[EBP-0x1C], ESP
0040172B . 68 DC304000 PUSH 004030DC ; R05WTE+v6r7ozfa4zsWjZ2RnZA==
00401730 . E8 91030000 CALL <JMP.&MFC42.#537>
00401735 . 57 PUSH EDI
00401736 . E8 95FAFFFF CALL 004011D0
0040173B . 83C4 0C ADD ESP, 0xC
0040173E . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-0x18]
00401741 . 51 PUSH ECX
00401742 . E8 69FEFFFF CALL 004015B0
00401747 . 8B00 MOV EAX, DWORD PTR DS:[EAX]
00401749 . 8B4E 64 MOV ECX, DWORD PTR DS:[ESI+0x64]
0040174C . 50 PUSH EAX ; /s2
0040174D . 51 PUSH ECX ; |s1
0040174E . FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401754 . 83C4 10 ADD ESP, 0x10
00401757 . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-0x18]
0040175A . 85C0 TEST EAX, EAX
0040175C . 0F94C3 SETE BL
0040175F . E8 3C020000 CALL <JMP.&MFC42.#800>
00401764 . 84DB TEST BL, BL
Here is the suspect we found earlier. Is it really guilty? Let's find out.
Continue with Step Over
while watching the data window. Yes, it's the familiar 0x13 again:
007B2DC8 13 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38 ...@...12345678
007B2DD8 39 31 32 33 34 35 36 37 38 39 31 00 00 00 00 00 91234567891.....
007B2DE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2DF8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2E08 00 00 00 00 00 00 00 00 00 00 00 00 64 2E 7B 00 ............d.{.
007B2E18 0A 00 00 00 40 00 00 00 C3 DC C2 EB B2 BB B7 FB ....@...密码不符
007B2E28 BA CF 00 6F 7A 66 61 34 7A 73 57 6A 5A 32 52 6E 合.ozfa4zsWjZ2Rn
007B2E38 5A 41 3D 3D 00 00 00 00 00 00 00 00 00 00 00 00 ZA==............
007B2E48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2E58 00 00 00 00 00 00 00 00 00 00 00 00 B4 2E 7B 00 ............?{.
007B2E68 10 00 00 00 40 00 00 00 77 39 7A 43 36 37 4B 37 ...@...w9zC67K7
007B2E78 74 2F 75 36 7A 77 3D 3D 00 68 65 00 00 00 t/u6zw==.he...
Execute up to 0x40173B:
0040173B . 83C4 0C ADD ESP, 0xC
0040173E . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-0x18]
00401741 . 51 PUSH ECX
00401742 . E8 69FEFFFF CALL 004015B0
00401747 . 8B00 MOV EAX, DWORD PTR DS:[EAX]
007B2DC8 13 00 00 00 40 00 00 00 31 32 33 34 35 36 37 38 ...@...12345678
007B2DD8 39 31 32 33 34 35 36 37 38 39 31 00 00 00 00 00 91234567891.....
007B2DE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2DF8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2E08 00 00 00 00 00 00 00 00 00 00 00 00 B4 2E 7B 00 ............?{.
007B2E18 1C 00 00 00 40 00 00 00 52 30 35 57 54 45 2B 76 ...@...R05WTE+v
007B2E28 36 72 37 6F 7A 66 61 34 7A 73 57 6A 5A 32 52 6E 6r7ozfa4zsWjZ2Rn
007B2E38 5A 41 3D 3D 00 00 00 00 00 00 00 00 00 00 00 00 ZA==............
007B2E48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
007B2E58 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ...............
007B2E68 13 00 00 00 40 00 00 00 47 4E 56 4C 4F AF EA BE ...@...GNVLO?
007B2E78 E8 CD F6 B8 CE C5 A3 67 64 67 64 00 00 00 00 柰龈闻dgd.....
After the string pushed at 0x40172B goes through CALL 004011D0, the data window already holds decoded data: the 28-character base64 constant R05WTE+v6r7ozfa4zsWjZ2RnZA== has become the 19-byte buffer GNVLO... at 0x7B2E68 (length field 0x13 again). What happens after decoding? CALL 004015B0 runs over it, and the result is handed to the suspect.
Step Over up to 0x40174E:
0040174E . FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
Look at the OllyDbg stack window:
0018F6C4   00401DDF   Entry address
0018F6C8   007B2DD0   |s1 = "1234567891234567891"
0018F6CC   007B2E70   \s2 = "HOWMP半块西瓜皮hehe"
0018F6D0   0018F6E8
007B2E70 48 4F 57 4D 50 B0 EB BF E9 CE F7 B9 CF C6 A4 68 HOWMP半块西瓜皮h
007B2E80 65 68 65 ehe
Start: 0x7B2E70 End: 0x7B2E82 Size: 0x13
The familiar 0x13 (for some reason I really like the number 13 today; I always used to hate it). Put s2 next to the buffer at 0x7B2E68 from the previous dump and every byte is exactly one higher (47->48 'G'->'H', 4E->4F 'N'->'O', AF->B0, ..., 64->65 'd'->'e'), so the step between CALL 004011D0 and _mbscmp is a per-byte +1. Let's try it: HOWMP半块西瓜皮hehe. Password correct, and the Flag is shown: 06d2ba96e3d4c203b29def25f2710d42
Submit it and see.
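The whole decode chain as a script, an added Python example that is not part of the original post: it takes the six base64 constants from the string search above, base64-decodes them (what CALL 004011D0 did, giving the GBK prompt texts seen in the dumps), and for the password and flag constants applies the per-byte +1 visible in the dumps (GNVLO... at 0x7B2E68 versus the HOWMP... handed to _mbscmp). That +1 is inferred from those two dumps, not decompiled from CALL 004015B0; it is confirmed by reproducing both the 19-byte password and the flag the program displayed. Which constant feeds the flag (the one at 0040309C) is likewise an assumption checked only by the result.

```python
import base64

# The six base64 constants pushed by the dialog, keyed by the addresses
# from the string search above.
STRINGS = {
    0x00403114: "w9zC67K7xNzOqr/V",
    0x004030FC: "w9zC67Oktsiyu7f7us8=",
    0x004030DC: "R05WTE+v6r7ozfa4zsWjZ2RnZA==",  # 28 chars with "==" -> 19 bytes
    0x004030CC: "w9zC69X9yLc=",
    0x0040309C: "LzVjMWFgODVkMmMzYjEvMmExOGNkZTE0ZTE2MC9jMzE=",
    0x00403088: "w9zC67K7t/u6zw==",
}

# Constants that go through the second stage before use (assumption: the
# password constant is the one traced into _mbscmp above; the flag constant
# is inferred from its result matching the flag the program displayed).
SECOND_STAGE = {0x004030DC, 0x0040309C}


def stage1_base64(s: str) -> bytes:
    """What CALL 004011D0 does: plain base64 decode. The prompts come out as
    GBK bytes (C3 DC C2 EB ... = 密码...), exactly as seen in the dumps."""
    return base64.b64decode(s)


def stage2_add_one(data: bytes) -> bytes:
    """Per-byte +1, inferred from the dumps: 47 4E 56 4C 4F AF ... at 0x7B2E68
    became 48 4F 57 4D 50 B0 ... as _mbscmp's s2. Wraps at 0xFF like a byte add."""
    return bytes((b + 1) & 0xFF for b in data)


def decode_constant(addr: int) -> bytes:
    data = stage1_base64(STRINGS[addr])
    return stage2_add_one(data) if addr in SECOND_STAGE else data


def error_messages() -> dict:
    """The four prompts, decoded as GBK text."""
    return {addr: decode_constant(addr).decode("gbk")
            for addr in STRINGS if addr not in SECOND_STAGE}


def recover_password() -> str:
    """The 19-byte string _mbscmp compares the input against."""
    return decode_constant(0x004030DC).decode("gbk")


def recover_flag() -> str:
    """The text shown once the comparison succeeds."""
    return decode_constant(0x0040309C).decode("ascii")


if __name__ == "__main__":
    for addr, text in error_messages().items():
        print(f"{addr:08X}: {text}")
    pw = recover_password()
    print(f"password ({len(pw.encode('gbk'))} bytes): {pw}")
    print(f"flag: {recover_flag()}")
```

Running it prints the four prompts, the 19-byte password and the flag; the length printed for the password is the same 0x13 the CMP at 0x4016D2 insists on.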
---------------------------------------------------------
Is it human nature that deep down everyone has a soft spot for brute force? (Patching is my favourite: patching crackmes, patching game cheats, patching commercial software, popcorn, and of course girls too......)
In OllyDbg, Ctrl+F2 to reload the program, set a CC (INT3) breakpoint at 0x4016D2, and run:
004016D2 . 8378 F8 13 CMP DWORD PTR DS:[EAX-0x8], 0x13
004016D6 . 74 43 JE SHORT 0040171B
004016D8 . 6A 00 PUSH 0x0
004016DA . 8D4D F0 LEA ECX, DWORD PTR SS:[EBP-0x10]
004016DD . 6A 00 PUSH 0x0
004016DF . 51 PUSH ECX
004016E0 . 51 PUSH ECX
004016E1 . 8BCC MOV ECX, ESP
004016E3 . 8965 E4 MOV DWORD PTR SS:[EBP-0x1C], ESP
004016E6 . 68 FC304000 PUSH 004030FC ; w9zC67Oktsiyu7f7us8=
Once it is running, enter my nickname (Sound).
Paused, EIP = 0x4016D2
DS:[002B2DC8]=00000005
002B2DC8 05 00 00 00 40 00 00 00 53 6F 75 6E 64 00 00 00 ...@...Sound...
002B2DD8 00 00 00 ...
Change the byte at 0x2B2DC8 from 05 to 13 (so the CMP compares equal, which sets ZF and makes the jump at 0x4016D6 go through),
or patch 0x4016D6 from 74 43 to 75 43 (JE >> JNE).
Continue with Step Over:
0040174E . FF15 D4214000 CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; \_mbscmp
00401754 . 83C4 10 ADD ESP, 0x10
00401757 . 8D4D E8 LEA ECX, DWORD PTR SS:[EBP-0x18]
0040175A . 85C0 TEST EAX, EAX
0040175C 0F94C3 SETE BL
0040175F . E8 3C020000 CALL <JMP.&MFC42.#800>
00401764 . 84DB TEST BL, BL
00401766 . 0F84 A5000000 JE 00401811
0040176C . 70 03 JO SHORT 00401771
0040176E . 71 01 JNO SHORT 00401771
00401770 E8 DB E8
00401771 > 6A 00 PUSH 0x0
00401773 . 8D55 F0 LEA EDX, DWORD PTR SS:[EBP-0x10]
00401776 . 6A 00 PUSH 0x0
From the assembly:
the jump at 0x401766 (JE 00401811) depends on ZF,
which is set by TEST BL, BL at 0x401764,
and
BL itself comes from 0040175C 0F94C3 SETE BL, so flip it: SETE BL >> SETNE BL >> 0F95C3. (The JO/JNO pair at 0x40176C and 0x40176E both land on 0x401771, so the E8 byte at 0x401770 is never executed; it only confuses the linear disassembly and does not affect the patch.)
Patch
0x40175C 0F95C3 SETNE BL
0x4016D6 75 43 JNE SHORT 0040171B
Patching done.
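The two byte patches above applied from a script, as an added Python example that is not part of the original post: rather than writing at a guessed file offset, it maps each image address through the PE section table and refuses to touch the file unless the original encodings (74 43 and 0F 94 C3) are present at those addresses, so a different build fails loudly instead of being corrupted. build_fake_pe() constructs a throw-away PE32 image with those bytes in place purely so the code can be exercised offline; the real mfcEncrypt.exe is not included and its section layout is read from its own headers at run time.

```python
import struct

# The two patches from the write-up: (image address, original bytes,
# patched bytes, note). Addresses are the ones shown in OllyDbg.
PATCHES = [
    (0x4016D6, b"\x74\x43", b"\x75\x43", "JE SHORT 0040171B -> JNE SHORT 0040171B"),
    (0x40175C, b"\x0F\x94\xC3", b"\x0F\x95\xC3", "SETE BL -> SETNE BL"),
]


def parse_pe32(pe: bytes):
    """Return (image_base, sections) for a PE32 image, where each section is
    (virtual_address, virtual_size, raw_pointer, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, rptr, rsize))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate an image address into a file offset through the section table."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for sec_va, vsize, rptr, rsize in sections:
        if sec_va <= rva < sec_va + (vsize or rsize):
            delta = rva - sec_va
            if delta >= rsize:
                raise ValueError(f"{va:#x} is not backed by file data")
            return rptr + delta
    raise ValueError(f"{va:#x} lies outside every section")


def apply_patches(pe: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy; refuse to write if the original bytes are not there."""
    out = bytearray(pe)
    for va, orig, new, note in patches:
        off = va_to_file_offset(pe, va)
        found = bytes(out[off:off + len(orig)])
        if found != orig:
            raise ValueError(f"{note}: expected {orig.hex()} at {va:#x}, found {found.hex()}")
        out[off:off + len(new)] = new
    return bytes(out)


def build_fake_pe() -> bytes:
    """Constructed test input, not the real mfcEncrypt.exe: a minimal PE32 with
    one .text section at VA 0x401000 whose raw data starts at file offset 0x200,
    filled with NOPs except for the two original instruction encodings."""
    image_base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x200, 0x1000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)     # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sect = b".text".ljust(8, b"\0") + struct.pack("<IIII", text_size, text_va, text_size, text_raw)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect.ljust(40, b"\0")).ljust(text_raw, b"\0")
    text = bytearray(b"\x90" * text_size)
    for va, orig, _new, _note in PATCHES:
        pos = va - image_base - text_va
        text[pos:pos + len(orig)] = orig
    return headers + bytes(text)


if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]      # e.g. mfcEncrypt.exe mfcEncrypt_patched.exe
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data))
    print("patched", dst)
```

Usage: python patch.py mfcEncrypt.exe mfcEncrypt_patched.exe. Applying it a second time to the output raises, because the original encodings are gone; that is the behaviour you want from a patcher you may run by hand more than once.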
-------------------------------------------------【Copyright Notice】-------------------------------------------------
【Copyright】 This article is an original work by Sound. When reposting, please credit the author and keep the article intact. Thanks!