有提示是说flag就是当Serial为76876-77776时的Name    有多解    提示有四位 且最后一位是p

ReversingKr KeygenMe

Find the Name when the Serial is 76876-77776
This problem has several answers.

Password is ***p

PEiD查不到壳   于是IDA载入

shift+f12找不到什么关键的字符串

于是用OD载入，在参考字符串窗口里可以找到关键字符串（IDA的Shift+F12没有列出，可能是因为这些是UTF-16宽字符串——程序用的是GetWindowTextW等宽字符API——而IDA默认只识别窄字符串）

双击Input Name   找到函数开始的地址

在IDA的函数列表进行过滤

然后F5发现这里没什么用

那就找correct的函数开始地址   F5

发现sub_401740()这个函数处理了我们的输入input  之后将返回值赋给v2  从而判断是否正确

双击进入  发现有API获取输入

CWnd::GetWindowTextW(a1 + 304, &v50);

伪代码里一共有两处GetWindowTextW调用，分别写入v50和v51（下面的代码中已经重命名为Name和Serial），猜测它们就是Name和Serial两个输入框（分别对应a1+304和a1+420两个控件）

// IDA Hex-Rays output for the KeygenMe "Correct?" check. a1 is the dialog
// object; the text of the control at a1+304 is read into Name and the text
// of the control at a1+420 into Serial (both are ATL CStrings that the
// decompiler typed as int, hence the raw pointer arithmetic below).
// Returns 1 when every check passes, 0 otherwise.
//
// What the code below accepts (each item is visible in the checks):
//   1. Name is 4 characters long, every character is in 'a'..'z', and no
//      two characters are equal (the v1/v4 double loop at LABEL_7).
//   2. Serial is 11 characters long and Serial[5] is '-'.
//   3. Serial[0..4] are compared with decimal digits built from Name[0] and
//      Name[1]; Serial[6..10] with digits built from Name[2] and Name[3].
//      Each digit is (one bit of the first letter + 5) + (one bit of the
//      second letter + 1), i.e. always 6, 7 or 8, and only bits 0..4 of
//      each letter are used. Because a single bit pair decides each digit,
//      several Names map to the same Serial.
signed int __stdcall sub_401740(int a1)
{
  int v1; // edi
  int v3; // esi
  int v4; // esi
  __int16 v5; // bx
  unsigned __int8 v6; // al
  unsigned __int8 v7; // ST2C_1
  unsigned __int8 v8; // al
  unsigned __int8 v9; // bl
  wchar_t *v10; // eax
  __int16 v11; // di
  wchar_t *v12; // eax
  __int16 v13; // di
  wchar_t *v14; // eax
  __int16 v15; // di
  wchar_t *v16; // eax
  __int16 v17; // di
  wchar_t *v18; // eax
  __int16 v19; // di
  unsigned __int8 v20; // al
  unsigned __int8 v21; // ST2C_1
  unsigned __int8 v22; // al
  unsigned __int8 v23; // bl
  wchar_t *v24; // eax
  __int16 v25; // di
  wchar_t *v26; // eax
  __int16 v27; // di
  wchar_t *v28; // eax
  __int16 v29; // di
  wchar_t *v30; // eax
  __int16 v31; // di
  wchar_t *v32; // eax
  __int16 v33; // si
  unsigned __int8 v34; // [esp+10h] [ebp-28h]
  unsigned __int8 v35; // [esp+10h] [ebp-28h]
  unsigned __int8 v36; // [esp+11h] [ebp-27h]
  unsigned __int8 v37; // [esp+11h] [ebp-27h]
  unsigned __int8 v38; // [esp+13h] [ebp-25h]
  unsigned __int8 v39; // [esp+13h] [ebp-25h]
  unsigned __int8 v40; // [esp+14h] [ebp-24h]
  unsigned __int8 v41; // [esp+14h] [ebp-24h]
  unsigned __int8 v42; // [esp+19h] [ebp-1Fh]
  unsigned __int8 v43; // [esp+19h] [ebp-1Fh]
  unsigned __int8 v44; // [esp+1Ah] [ebp-1Eh]
  unsigned __int8 v45; // [esp+1Ah] [ebp-1Eh]
  unsigned __int8 v46; // [esp+1Bh] [ebp-1Dh]
  unsigned __int8 v47; // [esp+1Bh] [ebp-1Dh]
  unsigned __int8 v48; // [esp+1Ch] [ebp-1Ch]
  unsigned __int8 v49; // [esp+1Ch] [ebp-1Ch]
  int Name; // [esp+20h] [ebp-18h]
  int Serial; // [esp+24h] [ebp-14h]
  char v52; // [esp+28h] [ebp-10h]
  int v53; // [esp+34h] [ebp-4h]

  // Three CString locals: Name, Serial and v52 (scratch buffer for itow_s).
  // NOTE(review): v53 / LOBYTE(v53) = 2 at ebp-4 looks like the compiler's
  // EH unwind state for those locals; it plays no part in the check.
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Name);
  v1 = 0;
  v53 = 0;
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Serial);
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&v52);
  LOBYTE(v53) = 2;
  CWnd::GetWindowTextW(a1 + 304, &Name);
  // The CString length field sits 12 bytes before the character buffer.
  if ( *(Name - 12) == 4 )                      // Name length == 4
  {
    // Every character must be a lowercase ASCII letter; the first non-letter
    // drops out of the loop and falls through to LABEL_2 (reject).
    v3 = 0;
    while ( ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, v3) >= 'a'// Name is all lowercase letters
         && ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, v3) <= 'z' )
    {
      if ( ++v3 >= 4 )
      {
        // All four characters are letters. Now require them to be pairwise
        // distinct: for every position v1, every other position v4 must hold
        // a different character.
LABEL_7:
        v4 = 0;
        while ( 1 )
        {
          if ( v1 != v4 )
          {
            v5 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, v4);
            if ( ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, v1) == v5 )// no two letters may be equal
              goto LABEL_2;
          }
          if ( ++v4 >= 4 )
          {
            if ( ++v1 < 4 )
              goto LABEL_7;
            // Name is well-formed; fetch Serial and check its shape.
            CWnd::GetWindowTextW(a1 + 420, &Serial);
            if ( *(Serial - 12) == 11 && ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 5) == '-' )// Serial length == 11 and Serial[5] == '-'
            {
              // Name[0]: bits 0..4, each stored as (bit + 5).
              v6 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, 0);// v6 = Name[0]
              v7 = (v6 & 1) + 5;
              v48 = ((v6 >> 4) & 1) + 5;
              v42 = ((v6 >> 1) & 1) + 5;
              v44 = ((v6 >> 2) & 1) + 5;
              v46 = ((v6 >> 3) & 1) + 5;
              // Name[1]: bits 0..4, each stored as (bit + 1).
              v8 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, 1);// v8 = Name[1]
              v34 = (v8 & 1) + 1;
              v40 = ((v8 >> 4) & 1) + 1;
              v36 = ((v8 >> 1) & 1) + 1;
              v9 = ((v8 >> 2) & 1) + 1;
              v38 = ((v8 >> 3) & 1) + 1;
              // Each sum below is 6..8, so itow_s() (radix 10) writes a single
              // digit into v52 and only v52[0] is compared with the serial
              // character. On a mismatch the code jumps to LABEL_2 without a
              // ReleaseBuffer(); harmless here because v52 is destroyed there.
              v10 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
              itow_s(v7 + v9, v10, 0xAu, 10);
              v11 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0);
              if ( ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 0) == v11 )// Serial[0] == Name0.bit0 + Name1.bit2 + 6
              {
                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                v12 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                itow_s(v46 + v38, v12, 0xAu, 10);
                v13 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 1);// v13 = Serial[1]
                if ( v13 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[1] == Name0.bit3 + Name1.bit3 + 6
                {
                  ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                  v14 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                  itow_s(v42 + v40, v14, 0xAu, 10);
                  v15 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 2);// v15 = Serial[2]
                  if ( v15 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[2] == Name0.bit1 + Name1.bit4 + 6
                  {
                    ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                    v16 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                    itow_s(v44 + v34, v16, 0xAu, 10);
                    v17 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 3);// v17 = Serial[3]
                    if ( v17 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[3] == Name0.bit2 + Name1.bit0 + 6
                    {
                      ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                      v18 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                      itow_s(v48 + v36, v18, 0xAu, 10);
                      v19 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 4);// v19 = Serial[4]
                      if ( v19 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[4] == Name0.bit4 + Name1.bit1 + 6
                      {
                        ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                        // Second half: Name[2] (bit + 5) and Name[3] (bit + 1)
                        // feed Serial[6..10] with the same bit pairing as above.
                        v20 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, 2);// v20 = Name[2]
                        v21 = (v20 & 1) + 5;
                        v49 = ((v20 >> 4) & 1) + 5;
                        v43 = ((v20 >> 1) & 1) + 5;
                        v45 = ((v20 >> 2) & 1) + 5;
                        v47 = ((v20 >> 3) & 1) + 5;
                        v22 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Name, 3);// v22 = Name[3]
                        v35 = (v22 & 1) + 1;
                        v41 = ((v22 >> 4) & 1) + 1;
                        v37 = ((v22 >> 1) & 1) + 1;
                        v23 = ((v22 >> 2) & 1) + 1;
                        v39 = ((v22 >> 3) & 1) + 1;
                        v24 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                        itow_s(v21 + v23, v24, 0xAu, 10);
                        v25 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 6);// v25 = Serial[6]
                        if ( v25 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[6] == Name2.bit0 + Name3.bit2 + 6
                        {
                          ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                          v26 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                          itow_s(v47 + v39, v26, 0xAu, 10);
                          v27 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 7);// v27 = Serial[7]
                          if ( v27 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[7] == Name2.bit3 + Name3.bit3 + 6
                          {
                            ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                            v28 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                            itow_s(v43 + v41, v28, 0xAu, 10);
                            v29 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 8);// v29 = Serial[8]
                            if ( v29 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[8] == Name2.bit1 + Name3.bit4 + 6
                            {
                              ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                              v30 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                              itow_s(v45 + v35, v30, 0xAu, 10);
                              v31 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 9);// v31 = Serial[9]
                              if ( v31 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[9] == Name2.bit2 + Name3.bit0 + 6
                              {
                                ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                                v32 = ATL::CSimpleStringT<wchar_t,1>::GetBuffer(&v52);
                                itow_s(v49 + v37, v32, 0xAu, 10);
                                v33 = ATL::CSimpleStringT<wchar_t,1>::GetAt(&Serial, 10);// v33 = Serial[10]
                                if ( v33 == ATL::CSimpleStringT<wchar_t,1>::GetAt(&v52, 0) )// Serial[10] == Name2.bit4 + Name3.bit1 + 6
                                {
                                  // Every digit matched: success.
                                  ATL::CSimpleStringT<wchar_t,1>::ReleaseBuffer(&v52, -1);
                                  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&v52);
                                  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Serial);
                                  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Name);
                                  return 1;
                                }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
            // Serial shape or one of the digit comparisons failed.
            goto LABEL_2;
          }
        }
      }
    }
  }
  // Failure path: destroy the three CStrings and report "wrong".
LABEL_2:
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&v52);
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Serial);
  ATL::CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>::~CStringT<wchar_t,StrTraitMFC_DLL<wchar_t,ATL::ChTraitsCRT<wchar_t>>>(&Name);
  return 0;
}
v6 = Name[0]
v7 = (v6 & 1) + 5
v48 = ((v6 >> 4) & 1) + 5
v42 = ((v6 >> 1) & 1) + 5
v44 = ((v6 >> 2) & 1) + 5
v46 = ((v6 >> 3) & 1) + 5
v8 = Name[1]
v34 = (v8 & 1) + 1
v40 = ((v8 >> 4) & 1) + 1
v36 = ((v8 >> 1) & 1) + 1
v9 = ((v8 >> 2) & 1) + 1
v38 = ((v8 >> 3) & 1) + 1

v7 + v9 = Serial[0]
v46 + v38 = Serial[1]
v42 + v40 = Serial[2]
v44 + v34 = Serial[3]
v48 + v36 = Serial[4]

v20 = Name[2]
v21 = (v20 & 1) + 5
v49 = ((v20 >> 4) & 1) + 5
v43 = ((v20 >> 1) & 1) + 5
v45 = ((v20 >> 2) & 1) + 5
v47 = ((v20 >> 3) & 1) + 5
v22 = Name[3]
v35 = (v22 & 1) + 1
v41 = ((v22 >> 4) & 1) + 1
v37 = ((v22 >> 1) & 1) + 1
v23 = ((v22 >> 2) & 1) + 1
v39 = ((v22 >> 3) & 1) + 1

v21 + v23 = Serial[6]
v47 + v39 = Serial[7]
v43 + v41 = Serial[8]
v45 + v35 = Serial[9]
v49 + v37 = Serial[10]

然后写脚本进行爆破即可。注意程序除了逐位比较Serial之外，还要求Name长度为4、全部是小写字母、并且四个字母两两不同（上面LABEL_7处的双重循环）。下面两个脚本分别只枚举前两位和后两位，没有加"字母不重复"这一约束，最后组合候选时需要手动排除有重复字母的组合。

先求Name前两位

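def first_pair_candidates(serial):
    """Brute-force Name[0] and Name[1] from the first five serial digits.

    Mirrors the bit mixing in sub_401740: every digit serial[k] (k = 0..4)
    must equal (one bit of Name[0] + 5) + (one bit of Name[1] + 1), so each
    digit is 6, 7 or 8 and only bits 0..4 of each letter take part.

    :param serial: the target serial; only serial[0:5] is read and each of
        those characters must be a decimal digit (e.g. '76876-77776').
    :return: list of (Name[0], Name[1]) tuples of lowercase letters, ordered
        by Name[0] then Name[1]; empty when nothing fits. The binary also
        rejects names with repeated letters; that check spans all four
        characters and is not applied here.
    """
    # Parse the target digits once instead of inside the inner loop.
    target = [int(ch) for ch in serial[:5]]
    hits = []
    for i in range(ord('a'), ord('z') + 1):
        v6 = i  # Name[0]: each bit contributes (bit + 5)
        v7 = (v6 & 1) + 5
        v48 = ((v6 >> 4) & 1) + 5
        v42 = ((v6 >> 1) & 1) + 5
        v44 = ((v6 >> 2) & 1) + 5
        v46 = ((v6 >> 3) & 1) + 5
        for j in range(ord('a'), ord('z') + 1):
            v8 = j  # Name[1]: each bit contributes (bit + 1)
            v34 = (v8 & 1) + 1
            v40 = ((v8 >> 4) & 1) + 1
            v36 = ((v8 >> 1) & 1) + 1
            v9 = ((v8 >> 2) & 1) + 1
            v38 = ((v8 >> 3) & 1) + 1
            # Same pairing as the itow_s/GetAt comparisons for Serial[0..4].
            if [v7 + v9, v46 + v38, v42 + v40, v44 + v34, v48 + v36] == target:
                hits.append((chr(i), chr(j)))
    return hits


Serial = '76876-77776'
for c0, c1 in first_pair_candidates(Serial):
    print(c0 + ' ' + c1)  # Name[0] Name[1]; single-string print runs on Python 2 and 3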
'''
b u
c q
f t
g p
'''

再求后两位

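def second_pair_candidates(serial):
    """Brute-force Name[2] and Name[3] from serial[6:11].

    Mirrors the second half of sub_401740: every digit serial[k] (k = 6..10)
    must equal (one bit of Name[2] + 5) + (one bit of Name[3] + 1), so each
    digit is 6, 7 or 8 and only bits 0..4 of each letter take part.

    :param serial: the target serial; only serial[6:11] is read and each of
        those characters must be a decimal digit (e.g. '76876-77776').
    :return: list of (Name[2], Name[3]) tuples of lowercase letters, ordered
        by Name[2] then Name[3]; empty when nothing fits. The binary also
        rejects names with repeated letters across all four positions; that
        is not checked here, so filter combined candidates accordingly.
    """
    # Parse the target digits once instead of inside the inner loop.
    target = [int(ch) for ch in serial[6:11]]
    hits = []
    for i in range(ord('a'), ord('z') + 1):
        v20 = i  # Name[2]: each bit contributes (bit + 5)
        v21 = (v20 & 1) + 5
        v49 = ((v20 >> 4) & 1) + 5
        v43 = ((v20 >> 1) & 1) + 5
        v45 = ((v20 >> 2) & 1) + 5
        v47 = ((v20 >> 3) & 1) + 5
        for j in range(ord('a'), ord('z') + 1):
            v22 = j  # Name[3]: each bit contributes (bit + 1)
            v35 = (v22 & 1) + 1
            v41 = ((v22 >> 4) & 1) + 1
            v37 = ((v22 >> 1) & 1) + 1
            v23 = ((v22 >> 2) & 1) + 1
            v39 = ((v22 >> 3) & 1) + 1
            # Same pairing as the itow_s/GetAt comparisons for Serial[6..10].
            if [v21 + v23, v47 + v39, v43 + v41, v45 + v35, v49 + v37] == target:
                hits.append((chr(i), chr(j)))
    return hits


Serial = '76876-77776'
for c2, c3 in second_pair_candidates(Serial):
    print(c2 + ' ' + c3)  # Name[2] Name[3]; single-string print runs on Python 2 and 3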
'''
a y
b m
c i
e x
f l
g h
h u
i q
j e
k a
l t
m p *
n d
'''

可以发现最后有p的是 mp

与前两位组合可以得到下面四个候选。但程序还要求Name的四个字母互不相同（LABEL_7处的双重循环），gpmp里p出现了两次，实际输入会被判为错误，所以真正能通过的只有bump、cqmp、ftmp：

bump
cqmp
ftmp
gpmp（字母p重复，不满足"四个字母互不相同"的检查，程序会拒绝）

输入 Name = bump、Serial = 76876-77776，程序提示正确

参考链接:

https://veritas501.space/2017/03/04/Reversing.kr%20writeup/
