[Original] 看雪 2016 CrackMe Attack-and-Defense Contest -- Challenge 17
Posted: 2016-12-4 23:00
The program is MFC, and once again it looks like a dialog-based application.
Opening the exe in VS2010, I could not find the registration dialog.
Opening the dll, the dialog is there; the submit button has ID 26001 (0x6591).
Open CrackMeLibrary.dll in IDA, go to the .rdata segment and search for 65h; after a few searches the button's event entry turns up:
.rdata:1017F190 dword_1017F190  dd 111h                 ; DATA XREF: .rdata:1017F18Co
.rdata:1017F194                 dd 0
.rdata:1017F198                 dd 6591h
.rdata:1017F19C                 dd 6591h
.rdata:1017F1A0                 dd 3Ah
.rdata:1017F1A4                 dd offset sub_10007CC0
A quick look suggests that, apart from the anti-debugging code, the key part should be here:
v19 = (*(int (__cdecl **)(__int128 *))&v11[4 * v9])(&xmmword_101AC480);
because right below it there is:
if ( !v19 )
CreateThread(0, 0, StartAddress, 0, 0, 0);
This thread is what pops up the success message.
The exe also contains anti-debugging, so debugging it directly is troublesome; let's take a different approach:
Run the program normally, enter a registration code, then click submit.
Attach OllyDbg to the process and set eip to:
sub_10007940
Then nop out a few pieces of useless code:
53FF7A90  6A 01             PUSH 0x1
53FF7A92  8D85 E7FDFFFF     LEA EAX, DWORD PTR SS:[EBP-0x219]
53FF7A98  C685 E7FDFFFF>    MOV BYTE PTR SS:[EBP-0x219], 0xCC
53FF7A9F  50                PUSH EAX
53FF7AA0  56                PUSH ESI
53FF7AA1  E8 3ABE1100       CALL <CrackMeL._memmove>

53FF7AB1  6A 01             PUSH 0x1
53FF7AB3  8D85 E7FDFFFF     LEA EAX, DWORD PTR SS:[EBP-0x219]
53FF7AB9  C685 E7FDFFFF>    MOV BYTE PTR SS:[EBP-0x219], 0xCC
53FF7AC0  50                PUSH EAX
53FF7AC1  56                PUSH ESI
53FF7AC2  E8 19BE1100       CALL <CrackMeL._memmove>

53FF7AD3  6A 00             PUSH 0x0
53FF7AD5  E8 1BBE0000       CALL CrackMeL.540038F5
With that done, the thread runs successfully:
The key code:
10007B8F  > \8B04BA           MOV EAX, DWORD PTR DS:[EDX+EDI*4]
10007B92  . 68 80C41954       PUSH CrackMeL.5419C480           ; UNICODE "123456789999"
10007B97  . FFD0              CALL NEAR EAX
The value of eax changes on every run, so we simply dump the code it points to:
SEG001:04530000 sub_4530000     proc near
SEG001:04530000
SEG001:04530000 var_18          = xmmword ptr -18h
SEG001:04530000 var_8           = qword ptr -8
SEG001:04530000 arg_0           = dword ptr  8
SEG001:04530000
SEG001:04530000                 push    ebp
SEG001:04530001                 mov     ebp, esp
SEG001:04530003                 sub     esp, 18h
SEG001:04530006                 mov     eax, [ebp+arg_0]
SEG001:04530009                 xor     ecx, ecx
SEG001:0453000B                 push    esi
SEG001:0453000C                 mov     esi, 3A1h
SEG001:04530011                 movdqu  xmm0, xmmword ptr [eax]
SEG001:04530015                 movdqu  [ebp+var_18], xmm0
SEG001:0453001A                 movq    xmm0, qword ptr [eax+10h]
SEG001:0453001F                 movq    [ebp+var_8], xmm0
SEG001:04530024
SEG001:04530024 loc_4530024:                            ; CODE XREF: sub_4530000+4Bj
SEG001:04530024                 lea     eax, [ecx+1]
SEG001:04530027                 and     eax, 80000001h
SEG001:0453002C                 jns     short loc_4530033
SEG001:0453002E                 dec     eax
SEG001:0453002F                 or      eax, 0FFFFFFFEh
SEG001:04530032                 inc     eax
SEG001:04530033
SEG001:04530033 loc_4530033:                            ; CODE XREF: sub_4530000+2Cj
SEG001:04530033                 jnz     short loc_4530042
SEG001:04530035                 mov     ax, word ptr [ebp+ecx*2+var_18]
SEG001:0453003A                 neg     ax
SEG001:0453003D
SEG001:0453003D                 public start_000
SEG001:0453003D start_000:
SEG001:0453003D                 mov     word ptr [ebp+ecx*2+var_18], ax
SEG001:04530042
SEG001:04530042 loc_4530042:                            ; CODE XREF: sub_4530000:loc_4530033j
SEG001:04530042                 xor     word ptr [ebp+ecx*2+var_18], si
SEG001:04530047                 inc     ecx
SEG001:04530048                 cmp     ecx, 0Ch
SEG001:0453004B                 jl      short loc_4530024
SEG001:0453004D                 xor     eax, eax
SEG001:0453004F                 pop     esi
SEG001:04530050
SEG001:04530050 loc_4530050:                            ; CODE XREF: sub_4530000+64j
SEG001:04530050                 mov     cx, word ptr [ebp+eax+var_18]
SEG001:04530055                 cmp     cx, [eax+2A9B50h]
SEG001:0453005C                 jnz     short loc_453006C
SEG001:0453005E                 add     eax, 2
SEG001:04530061                 cmp     eax, 18h
SEG001:04530064                 jl      short loc_4530050
SEG001:04530066                 xor     eax, eax
SEG001:04530068                 mov     esp, ebp
SEG001:0453006A                 pop     ebp
SEG001:0453006B                 retn
SEG001:0453006C ; ---------------------------------------------------------------------------
SEG001:0453006C
SEG001:0453006C loc_453006C:                            ; CODE XREF: sub_4530000+5Cj
SEG001:0453006C                 mov     eax, 1
SEG001:04530071                 mov     esp, ebp
SEG001:04530073                 pop     ebp
SEG001:04530074                 retn
SEG001:04530074 ; ---------------------------------------------------------------------------
SEG001:04530075                 align 1000h
SEG001:04530075 sub_4530000     endp
SEG001:04530075
SEG001:04530075
SEG001:04530075 SEG001          ends
SEG001:04530075
SEG001:04530075
SEG001:04530075                 end
What the code does:
1. The registration code is 11 characters long.
2. Characters at even positions are XORed with 0x3A1 directly; characters at odd positions are negated first and then XORed with 0x3A1.
3. Finally the result is compared with the table at 2A9B50h, comparing 24 bytes (??????????????????).
The extracted table:
// F2 03 2A FC D2 03 2A FC C6 03 3A FC D3 03 07 FC F3 03 10 FC 96 03 A1 03 48 00 00 00 00 00 00 00
Write a Python script to recover the code:
    # The 11 WORDs (little-endian) from the table at 2A9B50h that correspond to the characters
    keyList = [0x03F2, 0xFC2A, 0x03D2, 0xFC2A, 0x03C6, 0xFC3A, 0x03D3, 0xFC07, 0x03F3, 0xFC10, 0x0396]
    strKey = ""
    for i, x in enumerate(keyList):
        if i % 2 == 0:
            # even position: undo the XOR only
            strKey += chr(x ^ 0x3A1)
        else:
            # odd position: undo the XOR, then undo the 16-bit negation
            n = x ^ 0x3A1
            strKey += chr(0x10000 - n)
    print(strKey)
The registration code is: SusugerZRO7
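As an added example (not code from the original post or from the CrackMe itself), here is a Python 3 model of the check routine sub_4530000 in the forward direction, together with its inverse. It makes explicit what the 24-byte comparison in step 3 means: the table's 12th WORD is 0x03A1, which is 0 ^ 0x3A1, so the comparison covers the 11 UTF-16 characters plus the terminating null, which is what fixes the length at 11. The function names, and the choice to model memory past the terminator as zeros, are this example's own assumptions.

```python
# Added example: forward model of sub_4530000 plus its inverse.
# Not part of the original write-up; names and zero padding are assumptions.
import struct

XOR_KEY = 0x3A1      # constant loaded into esi
COMPARE_LEN = 0x18   # bytes compared against the table (cmp eax, 18h): 12 WORDs
NUM_WORDS = COMPARE_LEN // 2

# Table dumped from 2A9B50h in the post (32 bytes); only the first 0x18 are compared.
TABLE = bytes.fromhex(
    "F2 03 2A FC D2 03 2A FC C6 03 3A FC D3 03 07 FC "
    "F3 03 10 FC 96 03 A1 03 48 00 00 00 00 00 00 00"
)


def transform(serial: str) -> bytes:
    """Model of the loop at loc_4530024.

    The routine copies 24 bytes of the UTF-16LE input buffer (movdqu + movq),
    then for each of the 12 WORDs negates the odd-indexed ones (16-bit neg ax)
    and XORs every WORD with 0x3A1.
    """
    raw = serial.encode("utf-16-le") + b"\x00\x00"  # include the terminating null
    # Assumption: whatever follows the terminator in real memory is modelled as zeros.
    buf = raw[:COMPARE_LEN].ljust(COMPARE_LEN, b"\x00")
    words = list(struct.unpack("<%dH" % NUM_WORDS, buf))
    for i in range(NUM_WORDS):
        if i % 2 == 1:
            words[i] = (-words[i]) & 0xFFFF   # neg ax, 16-bit two's complement
        words[i] ^= XOR_KEY                   # xor word ptr [...], si
    return struct.pack("<%dH" % NUM_WORDS, *words)


def check(serial: str) -> bool:
    """sub_4530000 returns 0 when all 12 WORDs match the table, 1 otherwise."""
    return transform(serial) == TABLE[:COMPARE_LEN]


def recover(table: bytes) -> str:
    """Invert transform(): undo the XOR, then undo the negation on odd indices.

    Stops at the first WORD that decodes to 0, i.e. the UTF-16 terminator.
    """
    words = struct.unpack("<%dH" % NUM_WORDS, table[:COMPARE_LEN])
    chars = []
    for i, w in enumerate(words):
        v = w ^ XOR_KEY
        if i % 2 == 1:
            v = (-v) & 0xFFFF   # negation is its own inverse modulo 2**16
        if v == 0:
            break
        chars.append(chr(v))
    return "".join(chars)


if __name__ == "__main__":
    key = recover(TABLE)
    print(key, check(key), check(key + "X"), check("SusugerZRO8"))
```

Running the script recovers SusugerZRO7 and confirms it passes the modelled check, while a 12-character input fails because its 12th WORD no longer encodes to 0x03A1.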