好久没搞 CrackMe 了，接着上次西电的破解题目往下写。第三题没什么技术含量，只需要绕过一个按钮的判断就行，所以这里直接分析第 4 题，废话不多说。

目标程序是一个在 cmd 下运行的控制台应用程序：

img

题目给出的要求提示：

img

已知 username=xdsec，要求算出对应的 password（也就是 key）。


用 OllyDbg（OD）载入程序，定位 main 函数以及关键的 call。

方法是一直单步步过，不让程序跑飞；哪个 call 一步过去程序就跑飞了，就用 F7 步入那个 call，然后继续单步。这样进了 2 层 call 之后，就到了关键部分，代码如下：

; =====================================================================
; Function at 00401390 (OllyDbg dump, x86-32, Intel syntax).
; The article reaches it by stepping into two calls from the entry
; point and treats it as main(). OllyDbg's [local.N] means [ebp-4*N].
; Stack frame: 0xF8 bytes of locals, esp then rounded down to 16.
; The two calls right after the prologue take no visible argument apart
; from eax; the pattern looks like a MinGW-style __alloca/__main startup
; pair -- NOTE(review): not confirmed here, the callees are not shown.
; =====================================================================
00401390  /$  55            push ebp 
00401391  |.  89E5          mov ebp,esp 
00401393  |.  81EC F8000000 sub esp,0xF8                             ; 0xF8 bytes of locals
00401399  |.  83E4 F0       and esp,0xFFFFFFF0                       ; 16-byte align esp
0040139C  |.  B8 00000000   mov eax,0x0 
004013A1  |.  83C0 0F       add eax,0xF 
004013A4  |.  83C0 0F       add eax,0xF 
004013A7  |.  C1E8 04       shr eax,0x4 
004013AA  |.  C1E0 04       shl eax,0x4                              ; eax = ((0+0xF+0xF)>>4)<<4 = 0x10
004013AD  |.  8985 24FFFFFF mov [local.55],eax 
004013B3  |.  8B85 24FFFFFF mov eax,[local.55]                       ; eax = 0x10, handed to the first call
004013B9  |.  E8 D2C00000   call dumped.0040D490                     ; runtime helper (body not shown)
004013BE  |.  E8 0DBD0000   call dumped.0040D0D0                     ; runtime helper (body not shown)
; --- Copy five constant byte strings from .data (0x440000..0x440035)
; into stack locals, piecewise (dword / word / byte) -- the inlined form
; of fixed-size char[] initialisers. Sizes below are exactly the bytes
; copied. The locals are later passed by address to dumped.00401756;
; strA..strE are reviewer names, in the order the copies appear. ---
004013C3  |.  A1 00004400   mov eax,dword ptr ds:[0x440000]          ; strA: 20 bytes -> local.10 (ebp-0x28) .. ebp-0x15
004013C8  |.  8945 D8       mov [local.10],eax 
004013CB  |.  A1 04004400   mov eax,dword ptr ds:[0x440004] 
004013D0  |.  8945 DC       mov [local.9],eax 
004013D3  |.  A1 08004400   mov eax,dword ptr ds:[0x440008] 
004013D8  |.  8945 E0       mov [local.8],eax 
004013DB  |.  A1 0C004400   mov eax,dword ptr ds:[0x44000C] 
004013E0  |.  8945 E4       mov [local.7],eax 
004013E3  |.  A1 10004400   mov eax,dword ptr ds:[0x440010] 
004013E8  |.  8945 E8       mov [local.6],eax 
004013EB  |.  A1 14004400   mov eax,dword ptr ds:[0x440014]          ; strB: 9 bytes -> local.14 (ebp-0x38) .. ebp-0x30
004013F0  |.  8945 C8       mov [local.14],eax 
004013F3  |.  A1 18004400   mov eax,dword ptr ds:[0x440018] 
004013F8  |.  8945 CC       mov [local.13],eax 
004013FB  |.  0FB605 1C0044>movzx eax,byte ptr ds:[0x44001C] 
00401402  |.  8845 D0       mov byte ptr ss:[ebp-0x30],al 
00401405  |.  A1 1D004400   mov eax,dword ptr ds:[0x44001D]          ; strC: 9 bytes -> local.18 (ebp-0x48) .. ebp-0x40
0040140A  |.  8945 B8       mov [local.18],eax 
0040140D  |.  A1 21004400   mov eax,dword ptr ds:[0x440021] 
00401412  |.  8945 BC       mov [local.17],eax 
00401415  |.  0FB605 250044>movzx eax,byte ptr ds:[0x440025] 
0040141C  |.  8845 C0       mov byte ptr ss:[ebp-0x40],al 
0040141F  |.  A1 26004400   mov eax,dword ptr ds:[0x440026]          ; strD: 7 bytes -> local.22 (ebp-0x58) .. ebp-0x52
00401424  |.  8945 A8       mov [local.22],eax 
00401427  |.  0FB705 2A0044>movzx eax,word ptr ds:[0x44002A] 
0040142E  |.  66:8945 AC    mov word ptr ss:[ebp-0x54],ax 
00401432  |.  0FB605 2C0044>movzx eax,byte ptr ds:[0x44002C] 
00401439  |.  8845 AE       mov byte ptr ss:[ebp-0x52],al 
0040143C  |.  A1 2D004400   mov eax,dword ptr ds:[0x44002D]          ; strE: 9 bytes -> local.26 (ebp-0x68) .. ebp-0x60
00401441  |.  8945 98       mov [local.26],eax 
00401444  |.  A1 31004400   mov eax,dword ptr ds:[0x440031] 
00401449  |.  8945 9C       mov [local.25],eax 
0040144C  |.  0FB605 350044>movzx eax,byte ptr ds:[0x440035] 
00401453  |.  8845 A0       mov byte ptr ss:[ebp-0x60],al 
00401456  |.  8D45 D8       lea eax,[local.10]                       ; eax = &strA; stored to [esp] on the next listing line

下面是关键部分（提示输出、读入密码、两次变换和逐字节比较）：

; --- Prompts, password input and the two helper passes. Every call
; takes a single pointer argument written gcc-style to [esp]. ---
00401459  |.  890424        mov dword ptr ss:[esp],eax               ; arg0 = &strA (lea'd on the previous listing line)
0040145C  |.  E8 F5020000   call dumped.00401756                     ; author: prints the username prompt
00401461  |.  8D45 C8       lea eax,[local.14] 
00401464  |.  890424        mov dword ptr ss:[esp],eax               ; arg0 = &strB
00401467  |.  E8 EA020000   call dumped.00401756                     ; author: "get username". NOTE(review): same routine as the
                                                                     ; prompt calls and it receives a constant string, not a buffer;
                                                                     ; how the username is actually read is not visible here
0040146C  |.  8D85 78FFFFFF lea eax,[local.34]                       ; local.34 = ebp-0x88, buffer handed to the "transform" pass
00401472  |.  890424        mov dword ptr ss:[esp],eax 
00401475  |.  E8 B4000000   call dumped.0040152E                     ; author: "transform" (body not shown; only the buffer address is passed)
0040147A  |.  8D45 B8       lea eax,[local.18] 
0040147D  |.  890424        mov dword ptr ss:[esp],eax               ; arg0 = &strC
00401480  |.  E8 D1020000   call dumped.00401756                     ; author: prints the password prompt
00401485  |.  8D85 48FFFFFF lea eax,[local.46]                       ; local.46 = ebp-0xB8, password buffer on the stack
0040148B  |.  890424        mov dword ptr ss:[esp],eax            
0040148E  |.  E8 0DF60000   call <jmp.&msvcrt.gets>                  ; \read the password. gets() has no length bound: an over-long
                                                                     ; line overruns local.46 into the locals above it (local.34 is
                                                                     ; only 0x30 bytes higher), then saved ebp and the return address.
                                                                     ; Classic stack-overflow sink -- fine for a CrackMe, never in real code.
00401493  |.  8D85 38FFFFFF lea eax,[local.50]                       ; local.50 = ebp-0xC8, second helper buffer
00401499  |.  890424        mov dword ptr ss:[esp],eax 
0040149C  |.  E8 51020000   call dumped.004016F2                     ; body not shown; the loop reads local.50 afterwards, so presumably fills it
004014A1  |.  C785 34FFFFFF>mov [local.51],0x0                       ; i = 0   (local.51 = ebp-0xCC, loop counter)
004014AB  |>  83BD 34FFFFFF>/cmp [local.51],0x9                      ; loop while i <= 9 (10 iterations, signed compare)
004014B2  |.  7F 58         |jg Xdumped.0040150C  // i > 9: every byte matched, jump to the success path. Forcing this jump would be the brute patch, but the goal here is to recover the algorithm, so patching is beside the point

计数器 [local.51] 从 0 取到 9：cmp [local.51],0x9 / jg 只在计数器大于 9 时跳出，所以循环体一共执行 10 次，每次比较密码的一个字节：

; --- Loop body: for i in 0..9 check  local.50[i] ^ pw[i] == local.34[i].
; [ebp-0x8] is local.2 and [ebp-0xCC] is local.51 (OllyDbg dropped the
; local.N names on the two lines the author edited). All three address
; computations are  ebp-0x8 + i - K, i.e. base+i with
;   K=0xC0 -> ebp-0xC8 = local.50  (buffer passed to 004016F2)
;   K=0xB0 -> ebp-0xB8 = local.46  (password read by gets)
;   K=0x80 -> ebp-0x88 = local.34  (buffer passed to 0040152E, "transform")
; xor is its own inverse, so the check passes iff
;   pw[i] == local.50[i] ^ local.34[i]   for i = 0..9.
; movsx sign-extends each byte, but equal low bytes have equal sign
; bits, so the 32-bit cmp is exactly a byte compare. ---
004014B4  |.  8D45 F8       |lea eax,[local.2] 
004014B7  |.  0385 34FFFFFF |add eax,[local.51]                      ; eax = ebp-0x8 + i
004014BD  |.  2D C0000000   |sub eax,0xC0                            ; eax = &local.50[i]
004014C2  |.  0FBE10        |movsx edx,byte ptr ds:[eax]             ;  edx = local.50[i]  (author: the key byte)
004014C5      8D45 F8       |lea eax,dword ptr ss:[ebp-0x8]          ; same as lea eax,[local.2]
004014C8      0385 34FFFFFF |add eax,dword ptr ss:[ebp-0xCC]         ; same as add eax,[local.51]
004014CE  |.  2D B0000000   |sub eax,0xB0                            ; eax = &local.46[i]
004014D3  |.  0FBE00        |movsx eax,byte ptr ds:[eax]             ;  eax = pw[i], one byte of the typed password
004014D6  |.  31C2          |xor edx,eax                             ; edx = local.50[i] ^ pw[i]
004014D8  |.  8D45 F8       |lea eax,[local.2] 
004014DB  |.  0385 34FFFFFF |add eax,[local.51] 
004014E1  |.  83C0 80       |add eax,-0x80                           ; eax = &local.34[i]
004014E4  |.  0FBE00        |movsx eax,byte ptr ds:[eax]             ;  eax = local.34[i], one byte of the "transform" output
004014E7  |.  39C2          |cmp edx,eax                             
004014E9  |.  74 17         |je Xdumped.00401502 // match: go increment i. This je must be taken on every iteration; the first mismatch falls through to the failure path (early-exit compare)
004014EB  |.  8D45 A8       |lea eax,[local.22]                      ; &strD, the failure message
004014EE  |.  890424        |mov dword ptr ss:[esp],eax 
004014F1  |.  E8 60020000   |call dumped.00401756                    ; print it
004014F6  |.  C785 30FFFFFF>|mov [local.52],0x0                      ; return value = 0
00401500  |.  EB 24         |jmp Xdumped.00401526  // straight to the epilogue: taking this jump means failure
00401502  |>  8D85 34FFFFFF |lea eax,[local.51] 
00401508  |.  FF00          |inc dword ptr ds:[eax]                  ; i++
0040150A  |.^ EB 9F         \jmp Xdumped.004014AB                    ; back to the cmp at 004014AB
; --- Success path, reached from the jg at 004014B2 once i > 9. Only the
; first 10 bytes of the password are ever examined and nothing checks its
; length: a longer input with a matching 10-byte prefix passes, and a
; shorter one is compared against whatever follows its terminator in
; the buffer. ---
0040150C  |>  8D45 98       lea eax,[local.26]                       ; &strE, the success message
0040150F  |.  890424        mov dword ptr ss:[esp],eax
00401512  |.  E8 3F020000   call dumped.00401756                     ; print it
00401517  |.  E8 44D20000   call <jmp.&msvcrt._getch>                ; [_getch -- wait for a keypress before returning

上面这两句打印成功提示（success），然后调用 _getch 等待按键：

; --- Common epilogue. Both the success path (here) and the failure path
; (004014F6) store 0 into local.52 before arriving at 00401526, so the
; function returns 0 either way; the only observable difference is which
; string was printed (and the _getch wait on success). ---
0040151C  |.  C785 30FFFFFF>mov [local.52],0x0                       ; return value = 0 (success path)
00401526  |>  8B85 30FFFFFF mov eax,[local.52]                       ; eax = return value, 0 on both paths
0040152C  |.  C9            leave                                    ; mov esp,ebp / pop ebp
0040152D  \.  C3            retn 

img

下面是在（透明背景的）cmd 窗口里实际测试的结果：

img