Sound
Posted 2017-5-22 07:22
This post was last edited by Sound on 2017-5-22 07:32
0x0 It's early in the morning and I'm still pretty sleepy, so my thoughts are a bit scattered; bear with it.
0x1 The Crack Me of course has no packer and no VM, which suits a noob like me; after all, real CrackMes are all about the usual tricks. Hmm, I'm rambling a bit.
A Qt Crack Me; run it first.
The window title contains "cutie keygen". Find Main; I couldn't be bothered to load it into IDA.
0x2 Main is at 01381BF0. PS: mind the offset addresses yourself.
[Asm]
0138190B |. 6A 0C PUSH 0xC
0138190D |. 68 18B0C401 PUSH 01C4B018 ; cutie keygen
01381912 |. FFD5 CALL EBP
01381914 |. 83C4 08 ADD ESP, 0x8
01381917 |. 894424 10 MOV DWORD PTR SS:[ESP+0x10], EAX
0138191B |. 8D4424 10 LEA EAX, DWORD PTR SS:[ESP+0x10]
0138191F |. C64424 68 07 MOV BYTE PTR SS:[ESP+0x68], 0x7
01381924 |. 50 PUSH EAX
01381925 |. 8D4C24 1C LEA ECX, DWORD PTR SS:[ESP+0x1C]
01381929 |. FF15 A0413801 CALL DWORD PTR DS:[<&Qt5Gui.QWindow::setTitle>] ; Qt5Gui.QWindow::setTitle
0138192F |. 8D4C24 10 LEA ECX, DWORD PTR SS:[ESP+0x10]
01381933 |. C64424 68 04 MOV BYTE PTR SS:[ESP+0x68], 0x4
01381938 |. FF15 84413801 CALL DWORD PTR DS:[<&Qt5Core.QString::~QString>] ; Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef
0138193E |. 8D4C24 18 LEA ECX, DWORD PTR SS:[ESP+0x18]
01381942 |. FF15 BC413801 CALL DWORD PTR DS:[<&Qt5Gui.QWindow::show>] ; Qt5Gui.QWindow::show
01381948 |. 6A 00 PUSH 0x0
0138194A |. 8D4C24 38 LEA ECX, DWORD PTR SS:[ESP+0x38]
0138194E |. E8 9D020000 CALL 01381BF0
0x3 Find the button's event dispatch
[Asm]
01382E80 /$ 8B4424 08 MOV EAX, DWORD PTR SS:[ESP+0x8]
01382E84 |. 83EC 08 SUB ESP, 0x8
01382E87 |. 85C0 TEST EAX, EAX
01382E89 |. 75 61 JNZ SHORT 01382EEC
01382E8B |. 8B4424 14 MOV EAX, DWORD PTR SS:[ESP+0x14]
01382E8F |. 83E8 00 SUB EAX, 0x0 ; Switch (cases 0..1)
01382E92 |. 74 20 JE SHORT 01382EB4
01382E94 |. 48 DEC EAX
01382E95 |. 75 71 JNZ SHORT 01382F08
01382E97 |. 8B4424 18 MOV EAX, DWORD PTR SS:[ESP+0x18] ; Case 1 of switch 01382E8F
01382E9B |. 51 PUSH ECX
01382E9C |. 8BCC MOV ECX, ESP
01382E9E |. FF70 04 PUSH DWORD PTR DS:[EAX+0x4]
01382EA1 |. FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ; Qt5Core.QString::QString
01382EA7 |. 8B4C24 10 MOV ECX, DWORD PTR SS:[ESP+0x10] ; |
01382EAB |. E8 E0F5FFFF CALL 01382490 ; \win-crac.01382490
01382EB0 |. 83C4 08 ADD ESP, 0x8
01382EB3 |. C3 RETN
Step into it
[Asm]
01382EAB |. E8 E0F5FFFF CALL 01382490 ; \win-crac.01382490
This is the string message logging (debug output)
[Asm]
013825AA |. E8 A1F7FFFF CALL 01381D50 ; \win-crac.01381D50
013825AF |. 84C0 TEST AL, AL
013825B1 |. 8D4C24 38 LEA ECX, DWORD PTR SS:[ESP+0x38]
013825B5 |. 8D4424 18 LEA EAX, DWORD PTR SS:[ESP+0x18]
013825B9 |. 50 PUSH EAX
013825BA |. 6A 00 PUSH 0x0
013825BC |. 6A 00 PUSH 0x0
013825BE |. 6A 00 PUSH 0x0
013825C0 74 2B JE SHORT 013825ED
013825C2 |. FF15 54413801 CALL DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>] ; Qt5Core.QMessageLogger::QMessageLogger
013825C8 |. 8BC8 MOV ECX, EAX
013825CA |. FFD5 CALL EBP
013825CC |. 68 B4B0C401 PUSH 01C4B0B4 ; YES!
013825D1 |. 8BC8 MOV ECX, EAX
013825D3 |. C64424 58 03 MOV BYTE PTR SS:[ESP+0x58], 0x3
013825D8 |. FF15 1C413801 CALL DWORD PTR DS:[<&Qt5Core.QDebug::operator<<>] ; Qt5Core.QDebug::operator<<
013825DE |. 8D4C24 18 LEA ECX, DWORD PTR SS:[ESP+0x18]
013825E2 |. C64424 54 01 MOV BYTE PTR SS:[ESP+0x54], 0x1
013825E7 |. FFD7 CALL EDI
013825E9 |. 6A 00 PUSH 0x0
013825EB |. EB 29 JMP SHORT 01382616
013825ED |> FF15 54413801 CALL DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>] ; Qt5Core.QMessageLogger::QMessageLogger
013825F3 |. 8BC8 MOV ECX, EAX
013825F5 |. FFD5 CALL EBP
013825F7 |. 68 BCB0C401 PUSH 01C4B0BC ; NOPE :(
For a patch, it is the JE at 013825C0.
0x4 PassWord
[Asm]
013825AA |. E8 A1F7FFFF CALL 01381D50 ; \win-crac.01381D50
[Asm]
01381DB3 |. FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ; Qt5Core.QString::QString
01381DB9 |. 8BCB MOV ECX, EBX ; |
01381DBB |. E8 E0000000 CALL 01381EA0 ; \win-crac.01381EA0
01381DC0 |. 50 PUSH EAX
01381DC1 |. 8D8C24 2C010000 LEA ECX, DWORD PTR SS:[ESP+0x12C]
01381DC8 |. FF15 3C413801 CALL DWORD PTR DS:[<&Qt5Core.QString::operator=>] ; Qt5Core.QString::operator=
01381DCE |. 51 PUSH ECX
01381DCF |. 8D8424 2C010000 LEA EAX, DWORD PTR SS:[ESP+0x12C]
01381DD6 |. 8BCC MOV ECX, ESP
01381DD8 |. 50 PUSH EAX
01381DD9 |. FF15 40413801 CALL DWORD PTR DS:[<&Qt5Core.QString::QString>] ; Qt5Core.QString::QString
01381DDF |. 8BCB MOV ECX, EBX
01381DE1 |. E8 7A080000 CALL 01382660
01381DB3 PassWord
01381DE1 |. E8 7A080000 CALL 01382660 xor PassWord
0x5 Initializing the algorithm
Step into Main
CALL 01381BF0
01381C32 |. E8 69030000 CALL 01381FA0 the algorithm
The key to the encryption is a block cipher.
Initialized data
[Asm]
0138221B |. C78424 90000000 DF90BC70 MOV DWORD PTR SS:[ESP+0x90], 0x70BC90DF
01382226 |. C78424 94000000 57EF965A MOV DWORD PTR SS:[ESP+0x94], 0x5A96EF57
01382231 |. C78424 98000000 EECF0955 MOV DWORD PTR SS:[ESP+0x98], 0x5509CFEE
0138223C |. C78424 9C000000 CE80200D MOV DWORD PTR SS:[ESP+0x9C], 0xD2080CE
01382247 |. C78424 A0000000 4FE10E07 MOV DWORD PTR SS:[ESP+0xA0], 0x70EE14F
01382252 |. C78424 A4000000 46A4C62F MOV DWORD PTR SS:[ESP+0xA4], 0x2FC6A446
0138225D |. C78424 A8000000 F0EC5553 MOV DWORD PTR SS:[ESP+0xA8], 0x5355ECF0
01382268 |. C78424 AC000000 2B785764 MOV DWORD PTR SS:[ESP+0xAC], 0x6457782B
It works on a pair of 64-bit blocks, each with a 64-bit key; the thing to check at the critical spot is whether it is handling a single character or a single data block, and these values are consumed during initialization.
[Asm]
013822B8 |. C747 18 3A0E0F88 MOV DWORD PTR DS:[EDI+0x18], 0x880F0E3A
013822BF |. C747 1C AF56D816 MOV DWORD PTR DS:[EDI+0x1C], 0x16D856AF
013822C6 |. C747 20 10F38F05 MOV DWORD PTR DS:[EDI+0x20], 0x58FF310
013822CD |. C747 24 7C36E8D8 MOV DWORD PTR DS:[EDI+0x24], 0xD8E8367C
Look here again: 01381DE1 |. E8 7A080000 CALL 01382660 xor PassWord
This is where the first 16-byte block is handled; the same code then handles the last 16 bytes, and the inverse transform works in little-endian order.
[Asm]
013829C0 > /33C0 XOR EAX, EAX
013829C2 . |8BCA MOV ECX, EDX
013829C4 . |0FACEA 08 SHRD EDX, EBP, 0x8
013829C8 . |C1E1 18 SHL ECX, 0x18
013829CB . |C1ED 08 SHR EBP, 0x8
013829CE . |0BD0 OR EDX, EAX
013829D0 . |0BE9 OR EBP, ECX
013829D2 . |03D3 ADD EDX, EBX
013829D4 . |8BCE MOV ECX, ESI
013829D6 . |13EE ADC EBP, ESI
013829D8 . |C1E9 1D SHR ECX, 0x1D
013829DB . |336C24 58 XOR EBP, DWORD PTR SS:[ESP+0x58]
013829DF . |33D7 XOR EDX, EDI
013829E1 . |0FA4DE 03 SHLD ESI, EBX, 0x3
013829E5 . |896C24 3C MOV DWORD PTR SS:[ESP+0x3C], EBP
013829E9 . |0BF0 OR ESI, EAX
013829EB . |896C24 7C MOV DWORD PTR SS:[ESP+0x7C], EBP
013829EF . |33F5 XOR ESI, EBP
013829F1 . |C1E3 03 SHL EBX, 0x3
013829F4 . |8B6C24 5C MOV EBP, DWORD PTR SS:[ESP+0x5C]
013829F8 . |0BD9 OR EBX, ECX
013829FA . |8B4C24 1C MOV ECX, DWORD PTR SS:[ESP+0x1C]
013829FE . |33DA XOR EBX, EDX
01382A00 . |0FAC6C24 1C 08 SHRD DWORD PTR SS:[ESP+0x1C], EBP, 0x8
01382A06 . |0B4424 1C OR EAX, DWORD PTR SS:[ESP+0x1C]
01382A0A . |C1E1 18 SHL ECX, 0x18
01382A0D . |C1ED 08 SHR EBP, 0x8
01382A10 . |0BCD OR ECX, EBP
01382A12 . |895424 78 MOV DWORD PTR SS:[ESP+0x78], EDX
01382A16 . |8B6C24 58 MOV EBP, DWORD PTR SS:[ESP+0x58]
01382A1A . |03C7 ADD EAX, EDI
01382A1C . |897424 74 MOV DWORD PTR SS:[ESP+0x74], ESI
01382A20 . |13CD ADC ECX, EBP
01382A22 . |334424 24 XOR EAX, DWORD PTR SS:[ESP+0x24]
01382A26 . |334C24 14 XOR ECX, DWORD PTR SS:[ESP+0x14]
01382A2A . |894424 1C MOV DWORD PTR SS:[ESP+0x1C], EAX
01382A2E . |33C0 XOR EAX, EAX
01382A30 . |894C24 5C MOV DWORD PTR SS:[ESP+0x5C], ECX
01382A34 . |8BCD MOV ECX, EBP
01382A36 . |0FA4FD 03 SHLD EBP, EDI, 0x3
01382A3A . |C1E9 1D SHR ECX, 0x1D
01382A3D . |0BC5 OR EAX, EBP
01382A3F . |C1E7 03 SHL EDI, 0x3
01382A42 . |334424 5C XOR EAX, DWORD PTR SS:[ESP+0x5C]
01382A46 . |0BF9 OR EDI, ECX
01382A48 . |337C24 1C XOR EDI, DWORD PTR SS:[ESP+0x1C]
01382A4C . |8B6C24 3C MOV EBP, DWORD PTR SS:[ESP+0x3C]
01382A50 . |894424 58 MOV DWORD PTR SS:[ESP+0x58], EAX
01382A54 . |8B4424 24 MOV EAX, DWORD PTR SS:[ESP+0x24]
01382A58 . |83C0 01 ADD EAX, 0x1
01382A5B . |894424 24 MOV DWORD PTR SS:[ESP+0x24], EAX
01382A5F . |835424 14 00 ADC DWORD PTR SS:[ESP+0x14], 0x0
01382A64 . |75 09 JNZ SHORT 01382A6F
01382A66 . |83F8 20 CMP EAX, 0x20
01382A69 .^\0F82 51FFFFFF JB 013829C0
013829D0 . 0BE9 OR EBP, ECX ; s0 = ror(s0, 8)
013829D6 . 13EE ADC EBP, ESI ; s0 = s0 + s1
013829DF . 33D7 XOR EDX, EDI ; s0 = s0 ^ x0
013829F8 . 0BD9 OR EBX, ECX ; s1 = rol(s1, 3)
013829FE . 33DA XOR EBX, EDX ; s1 = s1 ^ s0
01382A10 . 0BCD OR ECX, EBP ; x1 = ror(x1, 8)
01382A20 . 13CD ADC ECX, EBP ; x1 = x1 + x0
01382A26 . 334C24 14 XOR ECX, DWORD PTR SS:[ESP+0x14] ; x1 = x1 ^ i
01382A46 . 0BF9 OR EDI, ECX ; x0 = rol(x0, 3)
01382A48 . 337C24 1C XOR EDI, DWORD PTR SS:[ESP+0x1C] ; x0 = x0 ^ x1
01382A5F . 835424 14 00 ADC DWORD PTR SS:[ESP+0x14], 0x0 ; i = i + 1
013822B8 |. C747 18 3A0E0F88 MOV DWORD PTR DS:[EDI+0x18], 0x880F0E3A
013822BF |. C747 1C AF56D816 MOV DWORD PTR DS:[EDI+0x1C], 0x16D856AF
013822C6 |. C747 20 10F38F05 MOV DWORD PTR DS:[EDI+0x20], 0x58FF310
013822CD |. C747 24 7C36E8D8 MOV DWORD PTR DS:[EDI+0x24], 0xD8E8367C
Python
[Python]
from struct import pack, unpack

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def add(n, c, bits=64):
    # modular add; not defined in the post, mirrors sub() used for decryption
    return (n + c) & ((1 << bits) - 1)

def en_cry(HexData):
    s0, s1 = HexData
    x0 = 0xD8E8367C058FF310  # key words initialized at 013822B8..013822CD
    x1 = 0x16D856AF880F0E3A
    for i in range(32):
        s0 = add(ror(s0, 8), s1) ^ x0   # s0 = ror(s0, 8) + s1, then ^ x0
        x1 = add(ror(x1, 8), x0) ^ i    # key schedule: x1 = ror(x1, 8) + x0, then ^ i
        s1 = rol(s1, 3) ^ s0
        x0 = rol(x0, 3) ^ x1
    return s0, s1

def encrypt(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(en_cry(HexData[i:i + 2]))
    return res

def encrypt_passwd(passwd):
    l = unpack('>4Q', pack('>16H', *passwd))   # 16 x u16 -> 4 x u64, big-endian
    l = encrypt(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l
0x6 The encryption key and the array blocks
[Asm]
01381E11 |> \FF73 08 PUSH DWORD PTR DS:[EBX+0x8]
01381E14 |. 8D4424 18 LEA EAX, DWORD PTR SS:[ESP+0x18]
01381E18 |. 50 PUSH EAX
01381E19 |. 8D8424 9C000000 LEA EAX, DWORD PTR SS:[ESP+0x9C]
01381E20 |. 50 PUSH EAX
01381E21 |. E8 0AFCFFFF CALL 01381A30
01381E26 |. 8BF0 MOV ESI, EAX
01381E28 |. B9 20000000 MOV ECX, 0x20
01381E2D |. F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
01381E2F |. 83C4 0C ADD ESP, 0xC
01381E32 |. 8D7C24 14 LEA EDI, DWORD PTR SS:[ESP+0x14]
01381E36 |. 8BF0 MOV ESI, EAX
01381E38 |. B9 20000000 MOV ECX, 0x20
01381E3D |. F3:A5 REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
01381E3F |. FF73 0C PUSH DWORD PTR DS:[EBX+0xC]
01381E42 |. 8D4C24 18 LEA ECX, DWORD PTR SS:[ESP+0x18]
01381E46 |. E8 05FEFFFF CALL 01381C50
01381E4B |. 84C0 TEST AL, AL
01381E4D |. 75 04 JNZ SHORT 01381E53
01381E4F |. B3 01 MOV BL, 0x1
01381E51 |. EB 02 JMP SHORT 01381E55
01381E53 |> 32DB XOR BL, BL
01381E55 |> 8D8C24 28010000 LEA ECX, DWORD PTR SS:[ESP+0x128]
01381E5C |. C78424 20010000 FFFFFFFF MOV DWORD PTR SS:[ESP+0x120], -0x1
01381E67 |. FF15 84413801 CALL DWORD PTR DS:[<&Qt5Core.QString::~QString>] ; Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef
Here our Key is built from the key and the array, then compared against the reference data.
[Asm]
01381FBE |. C74424 10 80130000 MOV DWORD PTR SS:[ESP+0x10], 0x1380
01381FC6 |. C74424 14 00000000 MOV DWORD PTR SS:[ESP+0x14], 0x0
01381FCE |. C74424 18 E4040000 MOV DWORD PTR SS:[ESP+0x18], 0x4E4
01381FD6 |. C74424 1C 00000000 MOV DWORD PTR SS:[ESP+0x1C], 0x0
01381FDE |. C74424 20 09270000 MOV DWORD PTR SS:[ESP+0x20], 0x2709
01381FE6 |. C74424 24 00000000 MOV DWORD PTR SS:[ESP+0x24], 0x0
01381FEE |. C74424 28 35200000 MOV DWORD PTR SS:[ESP+0x28], 0x2035
01381FF6 |. C74424 2C 00000000 MOV DWORD PTR SS:[ESP+0x2C], 0x0
01381FFE |. C74424 30 FA250000 MOV DWORD PTR SS:[ESP+0x30], 0x25FA
01382006 |. C74424 34 00000000 MOV DWORD PTR SS:[ESP+0x34], 0x0
0138200E |. C74424 38 DA560000 MOV DWORD PTR SS:[ESP+0x38], 0x56DA
01382016 |. C74424 3C 00000000 MOV DWORD PTR SS:[ESP+0x3C], 0x0
0138201E |. C74424 40 03010000 MOV DWORD PTR SS:[ESP+0x40], 0x103
01382026 |. C74424 44 00000000 MOV DWORD PTR SS:[ESP+0x44], 0x0
0138202E |. C74424 48 31150000 MOV DWORD PTR SS:[ESP+0x48], 0x1531
01382036 |. C74424 4C 00000000 MOV DWORD PTR SS:[ESP+0x4C], 0x0
0138203E |. C74424 50 AA0C0000 MOV DWORD PTR SS:[ESP+0x50], 0xCAA
01382046 |. C74424 54 00000000 MOV DWORD PTR SS:[ESP+0x54], 0x0
0138204E |. C74424 58 611A0000 MOV DWORD PTR SS:[ESP+0x58], 0x1A61
01382056 |. C74424 5C 00000000 MOV DWORD PTR SS:[ESP+0x5C], 0x0
0138205E |. C74424 60 070E0000 MOV DWORD PTR SS:[ESP+0x60], 0xE07
01382066 |. C74424 64 00000000 MOV DWORD PTR SS:[ESP+0x64], 0x0
0138206E |. C74424 68 20000000 MOV DWORD PTR SS:[ESP+0x68], 0x20
01382076 |. C74424 6C 00000000 MOV DWORD PTR SS:[ESP+0x6C], 0x0
0138207E |. C74424 70 E2000000 MOV DWORD PTR SS:[ESP+0x70], 0xE2
01382086 |. C74424 74 00000000 MOV DWORD PTR SS:[ESP+0x74], 0x0
0138208E |. C74424 78 3F120000 MOV DWORD PTR SS:[ESP+0x78], 0x123F
01382096 |. C74424 7C 00000000 MOV DWORD PTR SS:[ESP+0x7C], 0x0
0138209E |. C78424 80000000 C0000000 MOV DWORD PTR SS:[ESP+0x80], 0xC0
013820A9 |. C78424 84000000 00000000 MOV DWORD PTR SS:[ESP+0x84], 0x0
013820B4 |. C78424 88000000 C70D0000 MOV DWORD PTR SS:[ESP+0x88], 0xDC7
013820BF |. C78424 8C000000 00000000 MOV DWORD PTR SS:[ESP+0x8C], 0x0
Here is an array of 16 data blocks; we can first represent it as a 4×4 matrix, initialized at the start, which is multiplied with another constant data matrix.
If the results are equal, the entered Key is valid.
[Asm]
013820EE |. C74424 10 6AC26F14 MOV DWORD PTR SS:[ESP+0x10], 0x146FC26A
013820F6 |. C74424 14 00000000 MOV DWORD PTR SS:[ESP+0x14], 0x0
013820FE |. C74424 18 9A013424 MOV DWORD PTR SS:[ESP+0x18], 0x2434019A
01382106 |. C74424 1C 00000000 MOV DWORD PTR SS:[ESP+0x1C], 0x0
0138210E |. C74424 20 4E96B216 MOV DWORD PTR SS:[ESP+0x20], 0x16B2964E
01382116 |. C74424 24 00000000 MOV DWORD PTR SS:[ESP+0x24], 0x0
0138211E |. C74424 28 64C1FC1D MOV DWORD PTR SS:[ESP+0x28], 0x1DFCC164
01382126 |. C74424 2C 00000000 MOV DWORD PTR SS:[ESP+0x2C], 0x0
0138212E |. C74424 30 046B7610 MOV DWORD PTR SS:[ESP+0x30], 0x10766B04
01382136 |. C74424 34 00000000 MOV DWORD PTR SS:[ESP+0x34], 0x0
0138213E |. C74424 38 9DE9671F MOV DWORD PTR SS:[ESP+0x38], 0x1F67E99D
01382146 |. C74424 3C 00000000 MOV DWORD PTR SS:[ESP+0x3C], 0x0
0138214E |. C74424 40 02589013 MOV DWORD PTR SS:[ESP+0x40], 0x13905802
01382156 |. C74424 44 00000000 MOV DWORD PTR SS:[ESP+0x44], 0x0
0138215E |. C74424 48 A39DA914 MOV DWORD PTR SS:[ESP+0x48], 0x14A99DA3
01382166 |. C74424 4C 00000000 MOV DWORD PTR SS:[ESP+0x4C], 0x0
0138216E |. C74424 50 6CCEE52A MOV DWORD PTR SS:[ESP+0x50], 0x2AE5CE6C
01382176 |. C74424 54 00000000 MOV DWORD PTR SS:[ESP+0x54], 0x0
0138217E |. C74424 58 7FAA4840 MOV DWORD PTR SS:[ESP+0x58], 0x4048AA7F
01382186 |. C74424 5C 00000000 MOV DWORD PTR SS:[ESP+0x5C], 0x0
0138218E |. C74424 60 5F9BCF33 MOV DWORD PTR SS:[ESP+0x60], 0x33CF9B5F
01382196 |. C74424 64 00000000 MOV DWORD PTR SS:[ESP+0x64], 0x0
0138219E |. C74424 68 6216102C MOV DWORD PTR SS:[ESP+0x68], 0x2C101662
013821A6 |. C74424 6C 00000000 MOV DWORD PTR SS:[ESP+0x6C], 0x0
013821AE |. C74424 70 E4FCF52D MOV DWORD PTR SS:[ESP+0x70], 0x2DF5FCE4
013821B6 |. C74424 74 00000000 MOV DWORD PTR SS:[ESP+0x74], 0x0
013821BE |. C74424 78 4CC7264C MOV DWORD PTR SS:[ESP+0x78], 0x4C26C74C
013821C6 |. C74424 7C 00000000 MOV DWORD PTR SS:[ESP+0x7C], 0x0
013821CE |. C78424 80000000 0F98D52C MOV DWORD PTR SS:[ESP+0x80], 0x2CD5980F
013821D9 |. C78424 84000000 00000000 MOV DWORD PTR SS:[ESP+0x84], 0x0
013821E4 |. C78424 88000000 DBDEA92B MOV DWORD PTR SS:[ESP+0x88], 0x2BA9DEDB
013821EF |. C78424 8C000000 00000000 MOV DWORD PTR SS:[ESP+0x8C], 0x0
Python
[Python]
from z3 import Int, Solver, And, sat

# A and R are the two 16-entry constant tables listed above (the values set at
# 01381FBE.. and 013820EE..); they are defined in the full script at the end.

def Fuck():
    B = []
    for i in range(16):
        B.append(Int('b%d' % i))
    s = Solver()  # the post's Fuckr() is undefined; z3's Solver is assumed here
    for i in B:
        s.add(And(i >= 0, i <= 0xFFFF))
    for i in range(4):
        for j in range(4):
            s.add(
                B[i + 0 * 4] * A[j + 0 * 4] +
                B[i + 1 * 4] * A[j + 1 * 4] +
                B[i + 2 * 4] * A[j + 2 * 4] +
                B[i + 3 * 4] * A[j + 3 * 4] == R[i * 4 + j]
            )
    r = []
    if s.check() == sat:
        model = s.model()
        for i in range(16):
            r.append(model[B[i]].as_long())
    else:
        print('Oops')
    return r
Write a script to decrypt; testing showed that the order of the decryption keys also had to be arranged correctly. After testing:
[Python]
from struct import pack, unpack

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def sub(n, c, bits=64):
    mask = (1 << bits) - 1
    return (n - c) & mask

def De_cry(HexData):
    s0, s1 = HexData
    x0 = 0x0A728E203850A80E  # key state after the 32 encryption rounds, walked backwards
    x1 = 0x1B8E2679CCAEF6B4
    for i in range(32):
        x0 = ror(x0 ^ x1, 3)
        s1 = ror(s1 ^ s0, 3)
        x1 = rol(sub(x1 ^ (31 - i), x0), 8)
        s0 = rol(sub(s0 ^ x0, s1), 8)
    return s0, s1

def De(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(De_cry(HexData[i:i + 2]))
    return res

def De_PassWord(passwd):
    l = unpack('>4Q', pack('>16H', *passwd))
    l = De(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l
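As an added example (not code from the post), here is the whole validation path the post reconstructs in one place: the xor with the table at 0138221B, the 32-round cipher (this round function and key schedule are those of Speck128/128: 64-bit words, ror 8 / rol 3, 32 rounds), and the 4×4 product against A compared with R, together with the exact inverse. The decryption start state is derived from the key schedule instead of being hard-coded, so the round-trip can be verified without the hand-arranged key values; the constants are the ones the post extracted, while check_key, crypt_words and the other names are mine.

```python
from struct import pack, unpack

MASK = (1 << 64) - 1
K0, K1 = 0xD8E8367C058FF310, 0x16D856AF880F0E3A  # x0, x1 set at 013822B8..013822CD
XOR_KEY = [0x90DF, 0x70BC, 0xEF57, 0x5A96, 0xCFEE, 0x5509, 0x80CE, 0x0D20,
           0xE14F, 0x070E, 0xA446, 0x2FC6, 0xECF0, 0x5355, 0x782B, 0x6457]
A = [0x1380, 0x04E4, 0x2709, 0x2035, 0x25FA, 0x56DA, 0x0103, 0x1531,
     0x0CAA, 0x1A61, 0x0E07, 0x0020, 0x00E2, 0x123F, 0x00C0, 0x0DC7]
R = [0x146FC26A, 0x2434019A, 0x16B2964E, 0x1DFCC164, 0x10766B04, 0x1F67E99D,
     0x13905802, 0x14A99DA3, 0x2AE5CE6C, 0x4048AA7F, 0x33CF9B5F, 0x2C101662,
     0x2DF5FCE4, 0x4C26C74C, 0x2CD5980F, 0x2BA9DEDB]

def ror(n, c):
    return ((n >> c) | (n << (64 - c))) & MASK

def rol(n, c):
    return ror(n, 64 - c)

def key_schedule(k=K0, l=K1, rounds=32):
    """Round keys from the x0/x1 recurrence in the loop at 013829C0. Also returns
    the final (x0, x1): the state the post hard-codes as its decryption start."""
    rks = []
    for i in range(rounds):
        rks.append(k)
        l = ((ror(l, 8) + k) & MASK) ^ i
        k = rol(k, 3) ^ l
    return rks, (k, l)

def enc_block(s0, s1, rks):
    for k in rks:                      # s0 = (ror(s0,8) + s1) ^ k; s1 = rol(s1,3) ^ s0
        s0 = ((ror(s0, 8) + s1) & MASK) ^ k
        s1 = rol(s1, 3) ^ s0
    return s0, s1

def dec_block(s0, s1, rks):
    for k in reversed(rks):            # exact inverse, rounds undone in reverse key order
        s1 = ror(s1 ^ s0, 3)
        s0 = rol(((s0 ^ k) - s1) & MASK, 8)
    return s0, s1

def crypt_words(words, block_fn):
    """16 x u16 <-> 4 x u64 big-endian (the post's pack/unpack), two blocks per key."""
    rks, q = key_schedule()[0], unpack('>4Q', pack('>16H', *words))
    out = block_fn(q[0], q[1], rks) + block_fn(q[2], q[3], rks)
    return list(unpack('>16H', pack('>4Q', *out)))

def check_key(key):
    """The check as the post reconstructs it: xor, encrypt, 4x4 product against A == R."""
    if len(key) != 16:
        return False
    b = crypt_words([ord(ch) ^ x for ch, x in zip(key, XOR_KEY)], enc_block)
    prod = [sum(b[i + n * 4] * A[j + n * 4] for n in range(4))
            for i in range(4) for j in range(4)]
    return prod == R
```

key_schedule()[1] can be compared with the two values the post hard-codes in De_cry, and enc_block with the published Speck128/128 test vector, to confirm the reconstruction.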
0x7 Done:
[Python]
from struct import pack, unpack
from z3 import Int, Solver, And, sat

A = [0x1380, 0x4E4, 0x2709, 0x2035, 0x25FA, 0x56DA, 0x103, 0x1531,
     0x0CAA, 0x1A61, 0x0E07, 0x20, 0x0E2, 0x123F, 0x0C0, 0x0DC7]
R = [0x146FC26A, 0x2434019A, 0x16B2964E, 0x1DFCC164,
     0x10766B04, 0x1F67E99D, 0x13905802, 0x14A99DA3,
     0x2AE5CE6C, 0x4048AA7F, 0x33CF9B5F, 0x2C101662,
     0x2DF5FCE4, 0x4C26C74C, 0x2CD5980F, 0x2BA9DEDB]
xor_key = [0x90DF, 0x70BC, 0x0EF57, 0x5A96, 0x0CFEE, 0x5509, 0x80CE, 0x0D20,
           0x0E14F, 0x70E, 0x0A446, 0x2FC6, 0x0ECF0, 0x5355, 0x782B, 0x6457]

def Fuck():
    # solve for the 16 encrypted words B such that B (4x4) times A equals R
    B = []
    for i in range(16):
        B.append(Int('b%d' % i))
    s = Solver()  # the post's Fuckr() is undefined; z3's Solver is assumed here
    for i in B:
        s.add(And(i >= 0, i <= 0xFFFF))
    for i in range(4):
        for j in range(4):
            s.add(
                B[i + 0 * 4] * A[j + 0 * 4] +
                B[i + 1 * 4] * A[j + 1 * 4] +
                B[i + 2 * 4] * A[j + 2 * 4] +
                B[i + 3 * 4] * A[j + 3 * 4] == R[i * 4 + j]
            )
    r = []
    if s.check() == sat:
        model = s.model()
        for i in range(16):
            r.append(model[B[i]].as_long())
    else:
        print('Oops')
    return r

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def sub(n, c, bits=64):
    mask = (1 << bits) - 1
    return (n - c) & mask

def xor_passwd(passwd):
    l = [0] * 16
    for i in range(16):
        l[i] = passwd[i] ^ xor_key[i]
    return l

def De_cry(HexData):
    s0, s1 = HexData
    x0 = 0x0A728E203850A80E  # key state after the 32 encryption rounds
    x1 = 0x1B8E2679CCAEF6B4
    for i in range(32):
        x0 = ror(x0 ^ x1, 3)
        s1 = ror(s1 ^ s0, 3)
        x1 = rol(sub(x1 ^ (31 - i), x0), 8)
        s0 = rol(sub(s0 ^ x0, s1), 8)
    return s0, s1

def De(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(De_cry(HexData[i:i + 2]))
    return res

def De_PassWord(passwd):
    l = unpack('>4Q', pack('>16H', *passwd))
    l = De(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l

passwd = Fuck()
passwd = De_PassWord(passwd)
passwd = xor_passwd(passwd)
print(''.join(map(chr, passwd)))
Key = BKP{KYU7EC!PH3R}
Download:
https://www.crack.vc/index.php?dir=Exercise/&file=cutie-keygen.zip