学破解第102天,《攻防世界reverse练习区Newbie_calculations》分析
前言:
一直对黑客充满了好奇,觉得黑客神秘,强大,无所不能,来论坛两年多了,天天看各位大佬发帖,自己只能做一个伸手党。也看了官方的入门视频教程,奈何自己基础太差,看不懂。自我反思之下,决定从今天(2019年6月17日)开始定下心来,从简单的基础教程开始学习,希望能从照抄照搬,到能独立分析,能独立破解。
不知不觉学习了好几个月,发现自己离了教程什么都不会,不懂算法,不懂编程。随着破解学习的深入,楼主这个半吊子迷失了自我,日渐沉迷水贴装X,不能自拔。
==========申明:从第71天楼主开始水贴装X,帖子不再具有连续性,仅供参考,后续帖子为楼主YY专用贴!!!==========
立帖为证!--------记录学习的点点滴滴
0x1下载程序
1.把程序下载下来,跑起来,看到了如下的字符串提示:
2.发现程序一直在运行,但是并没有输出flag,现在唯一的线索就是Your flag is:这个字符串,题目是新手的计算,可能是要我们追算法。
0x2调试分析
1.习惯了OD,先上OD,把程序丢进去,搜索字符串,看到几个这样的字符串:
010B1357 |. 68 78A10B01 push 3f1303e5.010BA178 ; Your flag is:
010B1BFE |. 68 88A10B01 push 3f1303e5.010BA188 ; CTF{
010B1C3E |. 68 90A10B01 |push 3f1303e5.010BA190 ; %c
010B1C4D |> \68 94A10B01 push 3f1303e5.010BA194 ; }\n
2.在上IDA看一下main函数,前面都是一大段的变量定义,和函数调用,可以看到这里是输出CTF的地方
for ( i = 0; i < 32; ++i )
v120[i] = 1;
v152 = 0;
puts("Your flag is:");
((void (__cdecl *)(const char *, signed int))sub_401C7F)("CTF{", 1);
for ( j = 0; j < 32; ++j )
sub_401C7F("%c", SLOBYTE(v120[j]));//IDA中 #define SLOBYTE(x) (*((int8*)&(x)))
sub_401C7F("}\n");
看后面一段代码可以知道,输出的字符串肯定是32位,但是全程不需要我们输入数据,按道理来说它应该能够直接输出flag
3.先来试试OD,看能不能追出flag,正常运行程序的时候程序一直停在Your flag is:这里,那我就从这里入手看看,能不能爆破
01281357 |. 68 78A12801 push 3f1303e5.0128A178 ; Your flag is:
0128135C |. E8 CA090000 call 3f1303e5.01281D2B
01281361 |. 83C4 04 add esp,0x4
01281364 |. 6A 02 push 0x2
01281366 |. 68 CEC99A3B push 0x3B9AC9CE
0128136B |. 68 00CA9A3B push 0x3B9ACA00
从这里开始单步跟踪,一直F8,程序跑飞就重新载入F7进去再F8跟,最终发现程序一直在运行,但是又没输出flag,是这里一直死循环
00911037 |> /837D E8 00 /cmp [local.6],0x0 ;0xFFFFFFFF,然后一直慢慢减一,怎么也不可能等于0
0091103B |. |74 79 |je short 3f1303e5.009110B6
0091103D |. |8B55 F8 |mov edx,[local.2]
00911040 |. |83C2 01 |add edx,0x1
00911043 |. |8955 F8 |mov [local.2],edx
00911046 |. |C745 FC 8E000>|mov [local.1],0x8E
0091104D |. |C745 E4 06030>|mov [local.7],0x306
00911054 |. |C745 E0 AD260>|mov [local.8],0x26AD
0091105B |. |C745 F0 70000>|mov [local.4],0x70
00911062 |. |8B45 08 |mov eax,[arg.1]
00911065 |. |8B08 |mov ecx,dword ptr ds:[eax]
00911067 |. |83E9 01 |sub ecx,0x1
0091106A |. |8B55 08 |mov edx,[arg.1]
0091106D |. |890A |mov dword ptr ds:[edx],ecx
0091106F |. |8B45 FC |mov eax,[local.1]
00911072 |. |99 |cdq
00911073 |. |F77D E0 |idiv [local.8]
00911076 |. |0FAF45 E4 |imul eax,[local.7]
0091107A |. |0345 F0 |add eax,[local.4]
0091107D |. |8945 F0 |mov [local.4],eax
00911080 |. |8B45 FC |mov eax,[local.1]
00911083 |. |0FAF45 F0 |imul eax,[local.4]
00911087 |. |0345 E0 |add eax,[local.8]
0091108A |. |8945 E4 |mov [local.7],eax
0091108D |. |8B4D E8 |mov ecx,[local.6]
00911090 |. |83E9 01 |sub ecx,0x1
00911093 |. |894D E8 |mov [local.6],ecx
00911096 |. |8B55 F4 |mov edx,[local.3]
00911099 |. |83EA 01 |sub edx,0x1
0091109C |. |8955 F4 |mov [local.3],edx
0091109F |. |8B45 FC |mov eax,[local.1]
009110A2 |. |0345 E4 |add eax,[local.7]
009110A5 |. |0345 E0 |add eax,[local.8]
009110A8 |. |8945 F0 |mov [local.4],eax
009110AB |. |8B4D FC |mov ecx,[local.1]
009110AE |. |83C1 01 |add ecx,0x1
009110B1 |. |894D FC |mov [local.1],ecx
009110B4 |.^\EB 81 \jmp short 3f1303e5.00911037 ;这里跳回去
4.然后发现把这几个地方nop,后面很多函数还是会跳到这里来,而且后面都是从0xFFFFFFFF一直减1这种操作,跟不下去了,那么有没有可能后面的函数都是混淆视线,故意坑人的呢?我直接从提示flag的地方jmp到输出flag的地方,试试:
01351357 |. 68 78A13501 push 3f1303e5.0135A178 ; Your flag is:
0135135C |. E8 CA090000 call 3f1303e5.01351D2B
01351361 E9 98080000 jmp 3f1303e5.01351BFE ;改为jmp
01351BFE |. 68 88A13501 push 3f1303e5.0135A188 ; CTF{
01351C03 |. E8 77000000 call 3f1303e5.01351C7F
输出结果:
Your flag is:
CTF{一堆表情}
5.看来必须执行这些有毒的函数,先去看一下IDA F5的结果,中间调用了很多函数,但是重复性多,提取出来就是:
//三个未知函数
sub_401100
sub_401220
sub_401000
//一个输出函数
sub_401C7F
接下来就要从这几个函数入手分析,搞清楚它的功能就能还原程序了。
0x3函数分析
1.那就一个个来,首先从这句代码入手:v3 = sub_401100(v120, 1000000000)
1)_DWORD *v3; ,百度一下含义:DWORD 双字即为4个字节,每个字节是8位,共32位,我的理解就是char[4];
2)int v120[32]; 这个就是32个int类型的数组, for ( i = 0; i < 32; ++i ) v120[i] = 1;数组每一个值都为1
3)传递了一个int类型的数字1000000000
4)跟进去看函数
_DWORD *__cdecl sub_401100(_DWORD *a1, int a2)
{
int v2; // ST20_4
signed int v4; // [esp+Ch] [ebp-1Ch]
int v5; // [esp+14h] [ebp-14h]
int v6; // [esp+18h] [ebp-10h]
int v7; // [esp+1Ch] [ebp-Ch]
int v8; // [esp+20h] [ebp-8h]
v5 = *a1;//int v120[32] ,数组的第一个元素1
v6 = a2;//a2 = 1000000000
v4 = -1;
v8 = 0;
v7 = a2 * v5;//1000000000 * 1 = 1000000000
while ( a2 )
{
v2 = v7 * v5;//1000000000 * 1 = 1000000000,v5不变,这个值在循环中+1
sub_401000(&v8, *a1);
++v7;//v7每次加1,影响v2的值
--a2;//a2每次减1,这个循环要执行1000000000次,我的个天
v6 = v2 - 1;//v6每次比v2小1
}
while ( v4 )
{
++v7;//前面v7累加后2000000000
++*a1;
--v4;//这???这怎么退出的循环
--v6;
}
++*a1;//
*a1 = v8;//a1的值等于v8,sub_401000(&v8, *a1);
return a1;
}
5)很显然,我还得去把sub_401000这个函数,才能知道a1里面元素的值变化
2.同样的点进去,看看sub_401000干了什么:
1)第一个参数v8的值默认是0
2)第二个参数还是int v120[32]数组的第一个元素1
3)跟进去看看,这里面a1就是int值,a2
int *__cdecl sub_401000(int *a1, int a2)
{
int v2; // edx
int v4; // [esp+Ch] [ebp-18h]
signed int v5; // [esp+10h] [ebp-14h]
int v6; // [esp+18h] [ebp-Ch]
signed int v7; // [esp+1Ch] [ebp-8h]
v5 = -1;
v4 = -1 - a2 + 1;//-1 - 1 + 1 = -1
v7 = 1231;
v2 = *a1;//0
v6 = a2 + 1231;//1232
while ( v4 )//从-1开始,第一个循环结束a1=a1 - (100000000 - a2)
{
++v7;
--*a1;
--v4;这???这怎么退出的循环
--v6;
}
while ( v5 )从-1开始,a1=a1 - (100000000 - a2) + (-1)
{
--v6;
++*a1;
--v5;//这什么神仙代码,看不懂
}//一加一减,*a1应该还是0
++*a1;
return a1;//返回的是指针,*a1 = *a1 +a2 = 1
}
4)显然v8的值就是1,传进来的int v120[32]第一个元素值不变,还是1,也就是说这个函数的作用就是将第一个参数值加1
5)我们再回头看一下,sub_401100改变了什么?
while ( a2 )
{
v2 = v7 * v5;//1000000000 * 1 = 1000000000,v5不变,这个值在循环中+1
sub_401000(&v8, *a1);//循环了a2次,所以就是a2个a1相加,就是a1*a2.
++v7;//v7每次加1,影响v2的值
--a2;//a2每次减1,这个循环要执行1000000000次,我的个天
v6 = v2 - 1;//v6每次比v2小1
}
++*a1;//就是将a1的值+1
*a1 = v8;//a1的值等于v8,v8就是1
return a1;//a1第一个元素的值压根没变,1*1还是1
可以得出结论:sub_401100这个函数啥也不干,浪费我的电脑CPU
3.接下来就剩下最后一个函数了,v4 = (_DWORD *)sub_401220(v3, 999999950);
1)这里的第一个参数V3就是前面数组的第一个元素1
2)直接跟进去看看
_DWORD *__cdecl sub_401220(_DWORD *a1, int a2)
{
int v3; // [esp+8h] [ebp-10h]
signed int v4; // [esp+Ch] [ebp-Ch]
signed int v5; // [esp+14h] [ebp-4h]
int v6; // [esp+14h] [ebp-4h]
v4 = -1;
v3 = -1 - a2 + 1;//-1-999999950+1 = -999999950(-a2)
v5 = -1;
while ( v3 )//从-999999950开始每次-1
{
++*a1;
--v3;
--v5;
}
v6 = v5 * v5;
while ( v4 )//从-1开始每次-1
{
v6 *= 123;
++*a1;
--v4;
}//这...两次循环的次数不对等啊
++*a1;
return a1;
}
3)欺负我没学过算法......,反正中间都是瞎折腾,我只需要知道第一个循环之后a1的值,和第二个循环后a1的值,就大概猜的出来。
第一个循环执行完a1 = a2 + 1 = -999999949
第二个循环执行完a1 = a2 = -999999950
最后++*a1 = -999999949,返回a1的值
4.最后把IDA中main函数F5的代码复制过来,略作修改,加上简化后加法,减法,乘法的三个函数,以及输出函数,运行程序即可
#include "main.h"
int *__cdecl sub_401100(int *a1, int a2)//a1 * a2
{
*a1 = *a1 * a2;
return a1;
}
int *__cdecl sub_401000(int *a1, int a2)//a1 + a2
{
*a1 = *a1 + a2;
return a1;
}
int *__cdecl sub_401220(int *a1, int a2)//实际上就是a1 - a2
{
*a1 = *a1 -a2;
return a1;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
int *v3; // eax
int *v4; // eax
int *v5; // eax
int *v6; // eax
int *v7; // eax
int *v8; // eax
int *v9; // eax
int *v10; // eax
int *v11; // eax
int *v12; // eax
int *v13; // eax
int *v14; // eax
int *v15; // eax
int *v16; // eax
int *v17; // eax
int *v18; // eax
int *v19; // eax
int *v20; // eax
int *v21; // eax
int *v22; // eax
int *v23; // eax
int *v24; // eax
int *v25; // eax
int *v26; // eax
int *v27; // eax
int *v28; // eax
int *v29; // eax
int *v30; // eax
int *v31; // eax
int *v32; // eax
int *v33; // eax
int *v34; // eax
int *v35; // eax
int *v36; // eax
int *v37; // eax
int *v38; // eax
int *v39; // eax
int *v40; // eax
int *v41; // eax
int *v42; // eax
int *v43; // eax
int *v44; // eax
int *v45; // eax
int *v46; // eax
int *v47; // eax
int *v48; // eax
int *v49; // eax
int *v50; // eax
int *v51; // eax
int *v52; // eax
int *v53; // eax
int *v54; // eax
int *v55; // eax
int *v56; // eax
int *v57; // eax
int *v58; // eax
int *v59; // eax
int *v60; // eax
int *v61; // eax
int *v62; // eax
int *v63; // eax
int *v64; // eax
int *v65; // eax
int *v66; // eax
int *v67; // eax
int *v68; // eax
int *v69; // eax
int *v70; // eax
int *v71; // eax
int *v72; // eax
int *v73; // eax
int *v74; // eax
int *v75; // eax
int *v76; // eax
int *v77; // eax
int *v78; // eax
int *v79; // eax
int *v80; // eax
int *v81; // eax
int *v82; // eax
int *v83; // eax
int *v84; // eax
int *v85; // eax
int *v86; // eax
int *v87; // eax
int *v88; // eax
int *v89; // eax
int *v90; // eax
int *v91; // eax
int *v92; // eax
int *v93; // eax
int *v94; // eax
int *v95; // eax
int *v96; // eax
int *v97; // eax
int *v98; // eax
int *v99; // eax
int *v100; // eax
int *v101; // eax
int *v102; // eax
int *v103; // eax
int *v104; // eax
int *v105; // eax
int *v106; // eax
int *v107; // eax
int *v108; // eax
int v109; // ST1C_4
int *v110; // eax
int *v111; // eax
int v112; // ST20_4
int *v113; // eax
int *v114; // eax
int v115; // ST20_4
int *v116; // eax
signed int i; // [esp+4h] [ebp-90h]
signed int j; // [esp+8h] [ebp-8Ch]
int v120[32]; // [esp+Ch] [ebp-88h]
int v121; // [esp+8Ch] [ebp-8h]
for (i = 0; i < 32; ++i)
v120[i] = 1;
v121 = 0;
puts("Your flag is:");
v3 = sub_401100(v120, 1000000000);
v4 = sub_401220(v3, 999999950);
sub_401100(v4, 2);
v5 = sub_401000(&v120[1], 5000000);
v6 = sub_401220(v5, 6666666);
v7 = sub_401000(v6, 1666666);
v8 = sub_401000(v7, 45);
v9 = sub_401100(v8, 2);
sub_401000(v9, 5);
v10 = sub_401100(&v120[2], 1000000000);
v11 = sub_401220(v10, 999999950);
v12 = sub_401100(v11, 2);
sub_401000(v12, 2);
v13 = sub_401000(&v120[3], 55);
v14 = sub_401220(v13, 3);
v15 = sub_401000(v14, 4);
sub_401220(v15, 1);
v16 = sub_401100(&v120[4], 100000000);
v17 = sub_401220(v16, 99999950);
v18 = sub_401100(v17, 2);
sub_401000(v18, 2);
v19 = sub_401220(&v120[5], 1);
v20 = sub_401100(v19, 1000000000);
v21 = sub_401000(v20, 55);
sub_401220(v21, 3);
v22 = sub_401100(&v120[6], 1000000);
v23 = sub_401220(v22, 999975);
sub_401100(v23, 4);
v24 = sub_401000(&v120[7], 55);
v25 = sub_401220(v24, 33);
v26 = sub_401000(v25, 44);
sub_401220(v26, 11);
v27 = sub_401100(&v120[8], 10);
v28 = sub_401220(v27, 5);
v29 = sub_401100(v28, 8);
sub_401000(v29, 9);
v30 = sub_401000(&v120[9], 0);
v31 = sub_401220(v30, 0);
v32 = sub_401000(v31, 11);
v33 = sub_401220(v32, 11);
sub_401000(v33, 53);
v34 = sub_401000(&v120[10], 49);
v35 = sub_401220(v34, 2);
v36 = sub_401000(v35, 4);
sub_401220(v36, 2);
v37 = sub_401100(&v120[11], 1000000);
v38 = sub_401220(v37, 999999);
v39 = sub_401100(v38, 4);
sub_401000(v39, 50);
v40 = sub_401000(&v120[12], 1);
v41 = sub_401000(v40, 1);
v42 = sub_401000(v41, 1);
v43 = sub_401000(v42, 1);
v44 = sub_401000(v43, 1);
v45 = sub_401000(v44, 1);
v46 = sub_401000(v45, 10);
sub_401000(v46, 32);
v47 = sub_401100(&v120[13], 10);
v48 = sub_401220(v47, 5);
v49 = sub_401100(v48, 8);
v50 = sub_401000(v49, 9);
sub_401000(v50, 48);
v51 = sub_401220(&v120[14], 1);
v52 = sub_401100(v51, -294967296);
v53 = sub_401000(v52, 55);
sub_401220(v53, 3);
v54 = sub_401000(&v120[15], 1);
v55 = sub_401000(v54, 2);
v56 = sub_401000(v55, 3);
v57 = sub_401000(v56, 4);
v58 = sub_401000(v57, 5);
v59 = sub_401000(v58, 6);
v60 = sub_401000(v59, 7);
sub_401000(v60, 20);
v61 = sub_401100(&v120[16], 10);
v62 = sub_401220(v61, 5);
v63 = sub_401100(v62, 8);
v64 = sub_401000(v63, 9);
sub_401000(v64, 48);
v65 = sub_401000(&v120[17], 7);
v66 = sub_401000(v65, 6);
v67 = sub_401000(v66, 5);
v68 = sub_401000(v67, 4);
v69 = sub_401000(v68, 3);
v70 = sub_401000(v69, 2);
v71 = sub_401000(v70, 1);
sub_401000(v71, 20);
v72 = sub_401000(&v120[18], 7);
v73 = sub_401000(v72, 2);
v74 = sub_401000(v73, 4);
v75 = sub_401000(v74, 3);
v76 = sub_401000(v75, 6);
v77 = sub_401000(v76, 5);
v78 = sub_401000(v77, 1);
sub_401000(v78, 20);
v79 = sub_401100(&v120[19], 1000000);
v80 = sub_401220(v79, 999999);
v81 = sub_401100(v80, 4);
v82 = sub_401000(v81, 50);
sub_401220(v82, 1);
v83 = sub_401220(&v120[20], 1);
v84 = sub_401100(v83, -294967296);
v85 = sub_401000(v84, 49);
sub_401220(v85, 1);
v86 = sub_401220(&v120[21], 1);
v87 = sub_401100(v86, 1000000000);
v88 = sub_401000(v87, 54);
v89 = sub_401220(v88, 1);
v90 = sub_401000(v89, 1000000000);
sub_401220(v90, 1000000000);
v91 = sub_401000(&v120[22], 49);
v92 = sub_401220(v91, 1);
v93 = sub_401000(v92, 2);
sub_401220(v93, 1);
v94 = sub_401100(&v120[23], 10);
v95 = sub_401220(v94, 5);
v96 = sub_401100(v95, 8);
v97 = sub_401000(v96, 9);
sub_401000(v97, 48);
v98 = sub_401000(&v120[24], 1);
v99 = sub_401000(v98, 3);
v100 = sub_401000(v99, 3);
v101 = sub_401000(v100, 3);
v102 = sub_401000(v101, 6);
v103 = sub_401000(v102, 6);
v104 = sub_401000(v103, 6);
sub_401000(v104, 20);
v105 = sub_401000(&v120[25], 55);
v106 = sub_401220(v105, 33);
v107 = sub_401000(v106, 44);
v108 = sub_401220(v107, 11);
sub_401000(v108, 42);
sub_401000(&v120[26], v120[25]);
sub_401000(&v120[27], v120[12]);
v109 = v120[27];
v110 = sub_401220(&v120[28], 1);
v111 = sub_401000(v110, v109);
sub_401220(v111, 1);
v112 = v120[23];
v113 = sub_401220(&v120[29], 1);
v114 = sub_401100(v113, 1000000);
sub_401000(v114, v112);
v115 = v120[27];
v116 = sub_401000(&v120[30], 1);
sub_401100(v116, v115);
sub_401000(&v120[31], v120[30]);
printf("CTF{");
for (j = 0; j < 32; ++j)
printf("%c", (v120[j]));
printf("}\n");
system("pause");
return 0;
}
输出结果:
Your flag is:
CTF{daf8f4d816261a41a115052a1bc21ade}
请按任意键继续. . .
0x4总结
1.通过变量的计算结果,寻找两个变量之间的关系
2.乘法等于多个相同的数相加(这个坑死我了,我以为它也是加法......)
3.最后放上成功图,不容易啊!
[复制链接]
发表于 2020-4-13 17:44
|
发表于 2020-4-14 12:59
