2026解题领红包之二—暴力追码
题目预览
1. 查壳无壳
查壳
2. 拖进OD调试
查找关键字符串
关键字符串
程序关键代码如下，追码过程的注释已写在代码中，以 # 加数字标记步骤。注意编号是追码顺序而非地址顺序：先从 "Checksum failed" 字符串处（#2）向上找到关键 call（#3），再 F7 步入该 call（#4）；#1 的长度检查则是在此之前就要过掉的第一道关卡。
008FD199 C74424 04 44309>mov dword ptr ss:[esp+0x4],【2026春.009030>; ========================================
008FD1A1 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD1A8 E8 A3ACFFFF call 【2026春.008F7E50
008FD1AD E8 FE43F3FF call 【2026春.008315B0
008FD1B2 C74424 04 70309>mov dword ptr ss:[esp+0x4],【2026春.009030>; CrackMe Challenge v2.5 - 2026
008FD1BA C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD1C1 E8 8AACFFFF call 【2026春.008F7E50
008FD1C6 E8 E543F3FF call 【2026春.008315B0
008FD1CB C74424 04 44309>mov dword ptr ss:[esp+0x4],【2026春.009030>; ========================================
008FD1D3 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD1DA E8 71ACFFFF call 【2026春.008F7E50
008FD1DF E8 CC43F3FF call 【2026春.008315B0
008FD1E4 C74424 04 9C309>mov dword ptr ss:[esp+0x4],【2026春.009030>; Keywords: 52pojie, 2026, Happy new year
008FD1EC C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD1F3 E8 58ACFFFF call 【2026春.008F7E50
008FD1F8 E8 B343F3FF call 【2026春.008315B0
008FD1FD C74424 04 C4309>mov dword ptr ss:[esp+0x4],【2026春.009030>; Hint: Fake flag; length is key
008FD205 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD20C E8 3FACFFFF call 【2026春.008F7E50
008FD211 E8 9A43F3FF call 【2026春.008315B0
008FD216 C74424 04 E4309>mov dword ptr ss:[esp+0x4],【2026春.009030>; ----------------------------------------
008FD21E C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD225 E8 26ACFFFF call 【2026春.008F7E50
008FD22A E8 8143F3FF call 【2026春.008315B0
008FD22F C74424 04 0D319>mov dword ptr ss:[esp+0x4],【2026春.009031>; \n[?] Enter the password:
008FD237 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]
008FD23A C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD241 8945 E0 mov dword ptr ss:[ebp-0x20],eax
008FD244 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
008FD247 C745 E4 0000000>mov dword ptr ss:[ebp-0x1C],0x0
008FD24E C645 E8 00 mov byte ptr ss:[ebp-0x18],0x0
008FD252 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD259 8945 9C mov dword ptr ss:[ebp-0x64],eax
008FD25C E8 EFABFFFF call 【2026春.008F7E50
008FD261 A1 E0259000 mov eax,dword ptr ds:[0x9025E0]
008FD266 8D5D E0 lea ebx,dword ptr ss:[ebp-0x20]
008FD269 BA 0A000000 mov edx,0xA
008FD26E 895D 9C mov dword ptr ss:[ebp-0x64],ebx
008FD271 8B40 F4 mov eax,dword ptr ds:[eax-0xC]
008FD274 8B80 5C269000 mov eax,dword ptr ds:[eax+0x90265C]
008FD27A E8 E142F3FF call 【2026春.00831560
008FD27F 0FBEC0 movsx eax,al
008FD282 895C24 04 mov dword ptr ss:[esp+0x4],ebx
008FD286 894424 08 mov dword ptr ss:[esp+0x8],eax
008FD28A C70424 E0259000 mov dword ptr ss:[esp],【2026春.009025E0
008FD291 895D 9C mov dword ptr ss:[ebp-0x64],ebx
008FD294 E8 A785FFFF call 【2026春.008F5840
008FD299 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
008FD29C 890424 mov dword ptr ss:[esp],eax
008FD29F 8945 A0 mov dword ptr ss:[ebp-0x60],eax
008FD2A2 E8 9944F3FF call 【2026春.00831740
008FD2A7 BA 35000000 mov edx,0x35
008FD2AC 89C1 mov ecx,eax
008FD2AE 31C0 xor eax,eax
008FD2B0 84C9 test cl,cl
008FD2B2 74 13 je short 【2026春.008FD2C7
008FD2B4 E9 43010000 jmp 【2026春.008FD3FC
008FD2B9 8DB426 00000000 lea esi,dword ptr ds:[esi]
008FD2C0 0FB690 32309000 movzx edx,byte ptr ds:[eax+0x903032] ; 52pojie2026Happy
008FD2C7 8B4D A0 mov ecx,dword ptr ss:[ebp-0x60]
008FD2CA 381401 cmp byte ptr ds:[ecx+eax],dl
008FD2CD 75 2C jnz short 【2026春.008FD2FB
008FD2CF 83C0 01 add eax,0x1
008FD2D2 83F8 10 cmp eax,0x10
008FD2D5 ^ 75 E9 jnz short 【2026春.008FD2C0
008FD2D7 C74424 04 91329>mov dword ptr ss:[esp+0x4],【2026春.009032>; \n[!] You're getting closer...
008FD2DF C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD2E6 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD2ED E8 5EABFFFF call 【2026春.008F7E50
008FD2F2 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD2F9 EB 2B jmp short 【2026春.008FD326
008FD2FB 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
008FD2FE 890424 mov dword ptr ss:[esp],eax
008FD301 E8 B23BF5FF call <jmp.&msvcrt.strlen>
008FD306 83F8 1F cmp eax,0x1F
​###############################################
# 1. 关键跳：上一条 cmp eax,0x1F 要求 strlen(输入) == 31 (0x1F)，长度不对就不跳转，转而显示 Hint: The length is your first real challenge.
# 所以在这里下断点，运行到这里后把 je 改成 jmp（或者干脆输入一个 31 字节的字符串），即可进入 008FD34F 处的真正校验
###############################################
008FD309 74 44 je short 【2026春.008FD34F
008FD30B C74424 04 50319>mov dword ptr ss:[esp+0x4],【2026春.009031>; \n[!] Hint: The length is your first real challenge.
008FD313 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD31A C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD321 E8 2AABFFFF call 【2026春.008F7E50
008FD326 E8 8542F3FF call 【2026春.008315B0
008FD32B E8 9044F3FF call 【2026春.008317C0
008FD330 8B4D 9C mov ecx,dword ptr ss:[ebp-0x64]
008FD333 E8 A847FEFF call 【2026春.008E1AE0
008FD338 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
008FD33B 890424 mov dword ptr ss:[esp],eax
008FD33E E8 BDF2F3FF call 【2026春.0083C600
008FD343 8D65 F8 lea esp,dword ptr ss:[ebp-0x8]
008FD346 31C0 xor eax,eax
008FD348 59 pop ecx ; ntdll.777C2A46
008FD349 5B pop ebx ; ntdll.777C2A46
008FD34A 5D pop ebp ; ntdll.777C2A46
008FD34B 8D61 FC lea esp,dword ptr ds:[ecx-0x4]
008FD34E C3 retn
008FD34F 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
008FD352 C74424 04 1F000>mov dword ptr ss:[esp+0x4],0x1F
008FD35A C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD361 890424 mov dword ptr ss:[esp],eax
​################################################
# 3. 关键call：参数为 [esp]=输入字符串指针、[esp+4]=0x1F(比对长度)，返回值 al 非零表示逐字节比对通过（见下面的 test al,al / je → Access Denied）。在这里下断点，F7 步入，查看第二段汇编代码
################################################
008FD364 E8 6743F3FF call 【2026春.008316D0
008FD369 84C0 test al,al
008FD36B 0F84 A4000000 je 【2026春.008FD415
008FD371 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20]
008FD374 C745 A0 0000000>mov dword ptr ss:[ebp-0x60],0x0
008FD37B 0FB601 movzx eax,byte ptr ds:[ecx]
008FD37E 84C0 test al,al
008FD380 74 27 je short 【2026春.008FD3A9
008FD382 31D2 xor edx,edx ; 【2026春.00830000
008FD384 8D7426 00 lea esi,dword ptr ds:[esi]
008FD388 83C2 01 add edx,0x1
008FD38B 0FB6C0 movzx eax,al
008FD38E 0FAFC2 imul eax,edx ; 【2026春.00830000
008FD391 0145 A0 add dword ptr ss:[ebp-0x60],eax
008FD394 0FB60411 movzx eax,byte ptr ds:[ecx+edx]
008FD398 84C0 test al,al
008FD39A ^ 75 EC jnz short 【2026春.008FD388
008FD39C 817D A0 A5AE000>cmp dword ptr ss:[ebp-0x60],0xAEA5
008FD3A3 0F84 A7000000 je 【2026春.008FD450
​###############################
# 2. 校验和不匹配时会走到这里打印 Checksum failed，在字符串参考中定位到此处后向上找关键call。校验和算法就在上面的循环里：Σ 字符值×(下标+1)，与 0xAEA5 (=44709) 比较
###############################
008FD3A9 C74424 04 14329>mov dword ptr ss:[esp+0x4],【2026春.009032>; \n[!] Checksum failed! Something is wrong...
008FD3B1 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD3B8 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD3BF E8 8CAAFFFF call 【2026春.008F7E50
008FD3C4 E8 E741F3FF call 【2026春.008315B0
008FD3C9 C74424 04 40329>mov dword ptr ss:[esp+0x4],【2026春.009032>; [!] Expected: 44709, Got:
008FD3D1 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD3D8 E8 73AAFFFF call 【2026春.008F7E50
008FD3DD 89C1 mov ecx,eax
008FD3DF 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
008FD3E2 890424 mov dword ptr ss:[esp],eax
008FD3E5 E8 860AFBFF call 【2026春.008ADE70
008FD3EA 52 push edx ; 【2026春.00830000
008FD3EB E8 C041F3FF call 【2026春.008315B0
008FD3F0 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD3F7 ^ E9 2FFFFFFF jmp 【2026春.008FD32B
008FD3FC C74424 04 28319>mov dword ptr ss:[esp+0x4],【2026春.009031>; \n[!] Nice try, but not quite right...
008FD404 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD40B E8 40AAFFFF call 【2026春.008F7E50
008FD410 ^ E9 11FFFFFF jmp 【2026春.008FD326
008FD415 C74424 04 5B329>mov dword ptr ss:[esp+0x4],【2026春.009032>; \n[X] Access Denied!
008FD41D C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD424 C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD42B E8 20AAFFFF call 【2026春.008F7E50
008FD430 E8 7B41F3FF call 【2026春.008315B0
008FD435 C74424 04 70329>mov dword ptr ss:[esp+0x4],【2026春.009032>; [X] Wrong password. Keep trying!
008FD43D C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD444 E8 07AAFFFF call 【2026春.008F7E50
008FD449 E8 6241F3FF call 【2026春.008315B0
008FD44E ^ EB A0 jmp short 【2026春.008FD3F0
008FD450 C74424 04 84319>mov dword ptr ss:[esp+0x4],【2026春.009031>; \n========================================
008FD458 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD45F C745 A8 0100000>mov dword ptr ss:[ebp-0x58],0x1
008FD466 E8 E5A9FFFF call 【2026春.008F7E50
008FD46B E8 4041F3FF call 【2026春.008315B0
008FD470 C74424 04 B0319>mov dword ptr ss:[esp+0x4],【2026春.009031>; *** SUCCESS! ***
008FD478 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD47F E8 CCA9FFFF call 【2026春.008F7E50
008FD484 E8 2741F3FF call 【2026春.008315B0
008FD489 C74424 04 44309>mov dword ptr ss:[esp+0x4],【2026春.009030>; ========================================
008FD491 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD498 E8 B3A9FFFF call 【2026春.008F7E50
008FD49D E8 0E41F3FF call 【2026春.008315B0
008FD4A2 C74424 04 DC319>mov dword ptr ss:[esp+0x4],【2026春.009031>; [+] Congratulations! You cracked it!
008FD4AA C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD4B1 E8 9AA9FFFF call 【2026春.008F7E50
008FD4B6 E8 F540F3FF call 【2026春.008315B0
008FD4BB C74424 04 01329>mov dword ptr ss:[esp+0x4],【2026春.009032>; [+] Correct flag:
008FD4C3 C70424 C0279000 mov dword ptr ss:[esp],【2026春.009027C0
008FD4CA E8 81A9FFFF call 【2026春.008F7E50
008FD4CF 8B55 E4 mov edx,dword ptr ss:[ebp-0x1C] ; ntdll.777C2A46
008FD4D2 890424 mov dword ptr ss:[esp],eax
008FD4D5 895424 08 mov dword ptr ss:[esp+0x8],edx ; 【2026春.00830000
008FD4D9 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
008FD4DC 895424 04 mov dword ptr ss:[esp+0x4],edx ; 【2026春.00830000
008FD4E0 E8 4B6EFFFF call 【2026春.008F4330
008FD4E5 ^ E9 5FFFFFFF jmp 【2026春.008FD449
008FD4EA 8B45 AC mov eax,dword ptr ss:[ebp-0x54]
008FD4ED 8B4D 9C mov ecx,dword ptr ss:[ebp-0x64]
008FD4F0 8945 A0 mov dword ptr ss:[ebp-0x60],eax
008FD4F3 E8 E845FEFF call 【2026春.008E1AE0
008FD4F8 8B45 A0 mov eax,dword ptr ss:[ebp-0x60]
008FD4FB C745 A8 FFFFFFF>mov dword ptr ss:[ebp-0x58],-0x1
008FD502 890424 mov dword ptr ss:[esp],eax
008FD505 E8 E6F2F3FF call 【2026春.0083C7F0
008FD50A 8DB6 00000000 lea esi,dword ptr ds:[esi]
008FD510 83EC 1C sub esp,0x1C
008FD513 B9 28F09000 mov ecx,【2026春.0090F028
008FD518 E8 A321FFFF call 【2026春.008EF6C0
008FD51D C70424 20158300 mov dword ptr ss:[esp],【2026春.00831520
008FD524 E8 A73FF3FF call 【2026春.008314D0
008FD529 83C4 1C add esp,0x1C
008FD52C C3 retn
008316C6 8DB426 00000000 lea esi,dword ptr ds:[esi]
008316CD 8D76 00 lea esi,dword ptr ds:[esi]
008316D0 55 push ebp
008316D1 57 push edi
008316D2 56 push esi
008316D3 53 push ebx
008316D4 83EC 1C sub esp,0x1C
008316D7 8B7424 34 mov esi,dword ptr ss:[esp+0x34]
008316DB 8B7C24 30 mov edi,dword ptr ss:[esp+0x30]
008316DF C70424 64000000 mov dword ptr ss:[esp],0x64
008316E6 E8 25A00C00 call 【2026春.008FB710
008316EB 890424 mov dword ptr ss:[esp],eax
008316EE 89C5 mov ebp,eax
​
##################################
# 4. 关键call：它向上面分配的 0x64 字节缓冲区（ebp，疑似 malloc 返回值）写入解密后的正确 flag；随后的循环逐字节比较 [ebp+eax] 与输入 [edi+eax]，用 sete/add ebx 累计相等字节数，最后 cmp esi,ebx 判断是否全部相等。因为比对不是遇到第一个不同字节就退出，无法靠观察循环退出位置逐字节猜 flag，直接读缓冲区即可：F8 单步跳过此 call 后，寄存器窗口中 ebp 所指的字符串就是 flag
##################################
008316F0 E8 2BFFFFFF call 【2026春.00831620
008316F5 85F6 test esi,esi
008316F7 7E 37 jle short 【2026春.00831730
008316F9 31C0 xor eax,eax
008316FB 31DB xor ebx,ebx
008316FD 8D76 00 lea esi,dword ptr ds:[esi]
00831700 0FB65405 00 movzx edx,byte ptr ss:[ebp+eax]
00831705 0FBE0C07 movsx ecx,byte ptr ds:[edi+eax]
00831709 39D1 cmp ecx,edx
0083170B 0F94C2 sete dl
0083170E 83C0 01 add eax,0x1
00831711 0FB6D2 movzx edx,dl
00831714 01D3 add ebx,edx
00831716 39C6 cmp esi,eax
00831718 ^ 75 E6 jnz short 【2026春.00831700
0083171A 892C24 mov dword ptr ss:[esp],ebp
0083171D E8 BE9F0C00 call 【2026春.008FB6E0
00831722 39DE cmp esi,ebx
00831724 0F94C0 sete al
00831727 83C4 1C add esp,0x1C
0083172A 5B pop ebx ; 01A71908
0083172B 5E pop esi ; 01A71908
0083172C 5F pop edi ; 01A71908
0083172D 5D pop ebp ; 01A71908
0083172E C3 retn
调试器图
将该flag复制到程序输入,即可看到成功提示。
题目成功
【春节】解题领红包之四 {Windows 初级题} flag获取
通过图标很容易认出该软件用 Python 编写，多半是用 PyInstaller 之类的打包工具打包的（图标只是线索，更可靠的做法是直接用下面的 pyinstxtractor 尝试解包，它会识别 PyInstaller 归档并报告打包所用的 Python 版本），所以话不多说，直接解包。
软件工具:
- python 3.14（解包时发现目标是用 Python 3.14 打包的；运行 pyinstxtractor 时最好使用同一大版本的 Python，解出的 .pyc 头部才正确、才能顺利反编译）
- pyinstxtractor.py 解包脚本
反编译源码过程:
# 源文件名太长,所以更改为crack
python pyinstxtractor.py crack.exe
会在同目录生成 crack.exe_extracted 目录，查看该文件夹里面的文件，发现入口文件 crackme_easy.pyc，然后将该文件恢复成 .py 文件。我使用的是在线恢复，恢复出的源代码如下（论坛显示时缩进已丢失，阅读时需按 Python 语义自行补回）：
import hashlib
import base64
import sys
def xor_decrypt(data, key):
    """Decrypt *data* by XOR-ing each byte with *key* and its own index.

    Operator precedence matters here: ``&`` binds tighter than ``^`` in
    Python, so the original expression ``byte ^ key ^ i & 255`` is
    ``byte ^ key ^ (i & 255)`` — the index is reduced modulo 256 before
    mixing.  Byte sequences that are not valid UTF-8 after decryption are
    silently dropped (``errors='ignore'``).

    Note: nothing in this listing calls this helper; the real flag comes
    from ``generate_flag``, which uses a plain single-key XOR instead.
    """
    plain = bytes(b ^ key ^ (idx & 0xFF) for idx, b in enumerate(data))
    return plain.decode('utf-8', errors='ignore')
def get_encrypted_flag():
    """Return the obfuscated flag as raw bytes.

    The flag is embedded base64-encoded; decoding yields the XOR-encrypted
    bytes that ``generate_flag`` turns back into text.  Base64 is an
    encoding, not encryption — this only hides the string from a naive
    ``strings`` pass.
    """
    enc_b64 = 'e3w+fiRvfW18fnx4ZAZ6Pj43YwB9OWMXfXo8Dg4O'
    return base64.b64decode(enc_b64.encode('ascii'))
def generate_flag():
    """Recover the real flag at run time.

    The embedded base64 blob (the same literal ``get_encrypted_flag``
    holds) is decoded and every byte is XOR-ed with the fixed key 78
    (0x4E).  The result must be valid UTF-8, otherwise ``decode`` raises
    ``UnicodeDecodeError``.  Calling this function directly from a Python
    shell after decompiling prints the password that ``main`` expects.
    """
    enc_b64 = 'e3w+fiRvfW18fnx4ZAZ6Pj43YwB9OWMXfXo8Dg4O'
    ciphertext = base64.b64decode(enc_b64)
    key = 78
    return bytes(b ^ key for b in ciphertext).decode('utf-8')
def calculate_checksum(s):
    """Return the position-weighted sum of the code points of *s*.

    Each character is weighted by its 1-based index, so ``"ab"`` gives
    ``97*1 + 98*2``.  The native build in the first listing uses the same
    formula and compares it with 0xAEA5 (44709); here it is compared with
    the checksum of ``generate_flag()``, which is necessarily equal once
    ``verify_flag`` has passed, so it adds no extra constraint.
    """
    return sum(ord(ch) * weight for weight, ch in enumerate(s, start=1))
def hash_string(s):
    """Return the lowercase hex SHA-256 digest of *s* encoded as UTF-8."""
    digest = hashlib.sha256()
    digest.update(s.encode())
    return digest.hexdigest()
def verify_flag(user_input):
    """Return True iff *user_input* is exactly the flag from ``generate_flag``.

    The length is checked first, then characters are compared left to
    right and the function exits on the first mismatch.  NOTE(review):
    that early exit makes the running time depend on how many leading
    characters match — fine for a crackme, but a real password check
    should compare with ``hmac.compare_digest`` on the encoded bytes.
    """
    expected = generate_flag()
    if len(user_input) != len(expected):
        return False
    for got, want in zip(user_input, expected):
        if got != want:
            return False
    return True
def fake_check_1(user_input):
    """Decoy check: compare SHA-256 of the input with a bogus digest.

    The target is an obviously synthetic hex pattern rather than a real
    digest; hitting it would require a SHA-256 preimage, so in practice
    this branch never fires and exists only to print a misleading hint.
    """
    decoy = 'a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890'
    return hashlib.sha256(user_input.encode()).hexdigest() == decoy
def fake_check_2(user_input):
    """Second decoy check, same shape as ``fake_check_1``.

    The comparison target is another synthetic hex pattern; matching it
    would require a SHA-256 preimage, so this only serves to print the
    "getting closer" message.
    """
    decoy = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef'
    return hashlib.sha256(user_input.encode()).hexdigest() == decoy
def main():
    """Entry point: print the banner, read a password and report the result.

    Flow: the two ``fake_check_*`` branches are decoys that only print a
    hint; ``verify_flag`` does the real comparison against
    ``generate_flag()``; the checksum comparison afterwards is computed
    from the same two strings and therefore passes whenever ``verify_flag``
    did.

    NOTE(review): this is decompiled output and the forum stripped its
    indentation.  The nesting below is reconstructed — in particular the
    position of the final "Press Enter" prompt — TODO confirm against the
    original .pyc.
    """
    print('==================================================')
    print(' CrackMe Challenge - Python Edition')
    print('==================================================')
    print('Keywords: 52pojie, 2026, Happy New Year')
    print('Hint: Decompile me if you can!')
    print('--------------------------------------------------')
    # Whitespace is stripped, so a trailing newline/space cannot break the match.
    user_input = input('\n[?] Enter the password: ').strip()
    if fake_check_1(user_input):
        # Decoy 1: never matches a real input (see fake_check_1).
        print('\n[!] Nice try, but not quite right...')
        input('\nPress Enter to exit...')
        return None
    else:
        if fake_check_2(user_input):
            # Decoy 2: same story.
            print('\n[!] You\'re getting closer...')
            input('\nPress Enter to exit...')
        else:
            if verify_flag(user_input):
                # Both checksums derive from strings verify_flag just proved
                # equal, so this comparison cannot fail here.
                checksum = calculate_checksum(user_input)
                expected_checksum = calculate_checksum(generate_flag())
                if checksum == expected_checksum:
                    print('\n==================================================')
                    print(' *** SUCCESS! ***')
                    print('==================================================')
                    print('[+] Congratulations! You cracked it!')
                    print(f'[+] Correct flag: {user_input}')
                else:
                    print('\n[!] Checksum failed!')
            else:
                print('\n[X] Access Denied!')
                print('[X] Wrong password. Keep trying!')
            input('\nPress Enter to exit...')
if __name__ == '__main__':
    # Ctrl-C at any of the input() prompts exits quietly with status 0
    # instead of dumping a traceback.
    try:
        main()
    except KeyboardInterrupt:
        print('\n\n[!] Interrupted by user')
        sys.exit(0)
分析以上代码可知：两个 fake_check 只是诱饵（目标哈希是明显伪造的十六进制串），真正的比对在 verify_flag 中与 generate_flag() 的返回值逐字符进行，之后的 checksum 比较对两个相同的字符串必然相等、不构成额外约束。因此 generate_flag() 生成的 flag 就是最终密码——把相关几行代码复制到 Python 中直接调用 generate_flag() 即可打印出来。