[原创]看雪CTF 2016 第5题破解
发表于: 2016-11-10 19:46 2488
通过IDA静态分析获悉口令为6位数字,候选空间只有 10^6 个,因此考虑用穷举进行破解。
同时通过代码逆出了如下校验函数
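/*
 * check - test one candidate password against the reversed validation logic.
 *
 * @input: candidate key; the first @len bytes feed the key schedule, and the
 *         whole string is printed with "%s" on a match, so it must be
 *         NUL-terminated.
 * @len:   number of key bytes to use (the driver on this page passes 6).
 *
 * The routine does three things:
 *   1. Fills a 256-byte permutation A with 0..255 and shuffles it with the
 *      key. This loop has exactly the shape of the RC4 key-scheduling step.
 *   2. XORs each of the 128 table bytes with (A[i] + A[255 - i]) truncated to
 *      one byte. This is a custom mix, not the RC4 output stage.
 *   3. Sums the 128 resulting bytes and compares the total with 0x2979.
 *
 * On a match it prints "success: <input>"; it returns nothing either way.
 *
 * Review notes:
 *   - The acceptance test is a plain byte sum (at most 128 * 255 = 32640), so
 *     different inputs can in principle reach the same total. A hit means the
 *     checksum agrees; confirm it against the target program.
 *   - A NULL input or a non-positive len is rejected up front: the original
 *     evaluated i % len unconditionally, which is undefined for len == 0.
 */
void check(char *input, int len)
{
    /*
     * 128-byte table copied out of the target. The name follows the
     * disassembler's auto-generated label (presumably data at 0x406030).
     * It is read-only here; the decoded bytes are only summed, never stored.
     */
    static const unsigned char byte_406030[128] = {
        0xf4,0x12,0x9d,0x60,0x45,0xf8,0x20,0x6a,0x6f,0x67,0x04,0x71,0xc0,0x9b,0x0c,0x5a,
        0x1d,0x18,0x6c,0x96,0x69,0x01,0x1c,0xf4,0x7f,0x28,0x5a,0xfb,0x29,0x07,0x40,0x8b,
        0xd3,0xe1,0xb1,0x12,0xfb,0xca,0x7c,0x89,0xb9,0x5a,0x30,0x70,0x9d,0x95,0x2b,0x95,
        0x3c,0x8d,0x2e,0x45,0xef,0x70,0xc6,0xa3,0xb9,0xb2,0x5a,0x63,0x5f,0x03,0x33,0xb8,
        0x64,0x4a,0x8f,0xbc,0xf7,0x91,0x69,0x6a,0x56,0x2e,0xd4,0x6e,0x82,0x93,0xe9,0x76,
        0xdc,0xa3,0x6c,0x5e,0x6b,0x72,0x64,0x37,0xe7,0x15,0x17,0xac,0x64,0x78,0xd5,0x4a,
        0x60,0x2d,0xf0,0x54,0xa6,0xf3,0xe8,0xe0,0xe0,0xb9,0x8f,0x85,0x90,0xe4,0xea,0xd6,
        0xbb,0xb7,0x15,0x9e,0x2a,0x44,0xe7,0x31,0x63,0xac,0x80,0x6c,0x34,0x82,0xe9,0xcf
    };
    unsigned char A[256];
    unsigned char c;
    unsigned char d = 0;
    int sum = 0;
    int i;

    if (!input || len <= 0) {
        return;
    }

    /* Identity permutation. */
    for (i = 0; i < 256; i++) {
        A[i] = (unsigned char)i;
    }

    /* Key-dependent shuffle; d wraps modulo 256 because it is one byte wide. */
    for (i = 0; i < 256; i++) {
        c = A[i];
        d = (unsigned char)(d + A[i] + (unsigned char)input[i % len]);
        A[i] = A[d];
        A[d] = c;
    }

    /* Decode each table byte (low 8 bits only) and accumulate the checksum. */
    for (i = 0; i < 128; i++) {
        sum += (unsigned char)(byte_406030[i] ^ (A[i] + A[255 - i]));
    }

    if (sum == 0x2979) {
        printf("success: %s \n", input);
    }
}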
穷举调用校验函数
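/*
 * Brute-force driver: feeds every six-digit decimal string, "000000" through
 * "999999", to check(), which prints the candidates whose checksum matches.
 *
 * The keyspace is only 10^6 values, so the whole search is a single pass.
 *
 * Changes from the listing as posted:
 *   - argv is declared as an array of strings (the original `char *argv` is
 *     not a valid main signature);
 *   - the zero padding is done by the "%06d" format instead of a second
 *     sprintf plus memset;
 *   - the program returns 0, since a non-zero exit status reports failure.
 *
 * The listing on the page shows no #include lines; <stdio.h> and <stdlib.h>
 * are needed to build this function.
 */
int main(int argc, char *argv[])
{
    char bytes[7];      /* six digits plus the terminating NUL */
    int i;

    (void)argc;
    (void)argv;

    for (i = 0; i < 1000000; i++) {
        /* i < 1000000, so "%06d" always yields exactly six characters. */
        snprintf(bytes, sizeof bytes, "%06d", i);
        check(bytes, 6);
    }

    /* Windows-only convenience that keeps the console window open. */
    system("pause");
    return 0;
}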
得到口令为:771535
同时通过代码逆出了如下校验函数
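/*
 * check - test one candidate password against the reversed validation logic.
 *
 * @input: candidate key; the first @len bytes feed the key schedule, and the
 *         whole string is printed with "%s" on a match, so it must be
 *         NUL-terminated.
 * @len:   number of key bytes to use (the driver on this page passes 6).
 *
 * The routine does three things:
 *   1. Fills a 256-byte permutation A with 0..255 and shuffles it with the
 *      key. This loop has exactly the shape of the RC4 key-scheduling step.
 *   2. XORs each of the 128 table bytes with (A[i] + A[255 - i]) truncated to
 *      one byte. This is a custom mix, not the RC4 output stage.
 *   3. Sums the 128 resulting bytes and compares the total with 0x2979.
 *
 * On a match it prints "success: <input>"; it returns nothing either way.
 *
 * Review notes:
 *   - The acceptance test is a plain byte sum (at most 128 * 255 = 32640), so
 *     different inputs can in principle reach the same total. A hit means the
 *     checksum agrees; confirm it against the target program.
 *   - A NULL input or a non-positive len is rejected up front: the original
 *     evaluated i % len unconditionally, which is undefined for len == 0.
 */
void check(char *input, int len)
{
    /*
     * 128-byte table copied out of the target. The name follows the
     * disassembler's auto-generated label (presumably data at 0x406030).
     * It is read-only here; the decoded bytes are only summed, never stored.
     */
    static const unsigned char byte_406030[128] = {
        0xf4,0x12,0x9d,0x60,0x45,0xf8,0x20,0x6a,0x6f,0x67,0x04,0x71,0xc0,0x9b,0x0c,0x5a,
        0x1d,0x18,0x6c,0x96,0x69,0x01,0x1c,0xf4,0x7f,0x28,0x5a,0xfb,0x29,0x07,0x40,0x8b,
        0xd3,0xe1,0xb1,0x12,0xfb,0xca,0x7c,0x89,0xb9,0x5a,0x30,0x70,0x9d,0x95,0x2b,0x95,
        0x3c,0x8d,0x2e,0x45,0xef,0x70,0xc6,0xa3,0xb9,0xb2,0x5a,0x63,0x5f,0x03,0x33,0xb8,
        0x64,0x4a,0x8f,0xbc,0xf7,0x91,0x69,0x6a,0x56,0x2e,0xd4,0x6e,0x82,0x93,0xe9,0x76,
        0xdc,0xa3,0x6c,0x5e,0x6b,0x72,0x64,0x37,0xe7,0x15,0x17,0xac,0x64,0x78,0xd5,0x4a,
        0x60,0x2d,0xf0,0x54,0xa6,0xf3,0xe8,0xe0,0xe0,0xb9,0x8f,0x85,0x90,0xe4,0xea,0xd6,
        0xbb,0xb7,0x15,0x9e,0x2a,0x44,0xe7,0x31,0x63,0xac,0x80,0x6c,0x34,0x82,0xe9,0xcf
    };
    unsigned char A[256];
    unsigned char c;
    unsigned char d = 0;
    int sum = 0;
    int i;

    if (!input || len <= 0) {
        return;
    }

    /* Identity permutation. */
    for (i = 0; i < 256; i++) {
        A[i] = (unsigned char)i;
    }

    /* Key-dependent shuffle; d wraps modulo 256 because it is one byte wide. */
    for (i = 0; i < 256; i++) {
        c = A[i];
        d = (unsigned char)(d + A[i] + (unsigned char)input[i % len]);
        A[i] = A[d];
        A[d] = c;
    }

    /* Decode each table byte (low 8 bits only) and accumulate the checksum. */
    for (i = 0; i < 128; i++) {
        sum += (unsigned char)(byte_406030[i] ^ (A[i] + A[255 - i]));
    }

    if (sum == 0x2979) {
        printf("success: %s \n", input);
    }
}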
穷举调用校验函数
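/*
 * Brute-force driver: feeds every six-digit decimal string, "000000" through
 * "999999", to check(), which prints the candidates whose checksum matches.
 *
 * The keyspace is only 10^6 values, so the whole search is a single pass.
 *
 * Changes from the listing as posted:
 *   - argv is declared as an array of strings (the original `char *argv` is
 *     not a valid main signature);
 *   - the zero padding is done by the "%06d" format instead of a second
 *     sprintf plus memset;
 *   - the program returns 0, since a non-zero exit status reports failure.
 *
 * The listing on the page shows no #include lines; <stdio.h> and <stdlib.h>
 * are needed to build this function.
 */
int main(int argc, char *argv[])
{
    char bytes[7];      /* six digits plus the terminating NUL */
    int i;

    (void)argc;
    (void)argv;

    for (i = 0; i < 1000000; i++) {
        /* i < 1000000, so "%06d" always yields exactly six characters. */
        snprintf(bytes, sizeof bytes, "%06d", i);
        check(bytes, 6);
    }

    /* Windows-only convenience that keeps the console window open. */
    system("pause");
    return 0;
}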
得到口令为:771535