[Original] Reversing cutie-keygen

Sound, posted 2017-5-22 07:22
This post was last edited by Sound on 2017-5-22 07:32

0x0  Early in the morning, still fairly sleepy and my thoughts are a bit scattered; bear with it.
0x1  The CrackMe has no packer and no VM, which suits a noob like me; real CrackMes are all about the standard tricks anyway. OK, enough rambling.

(screenshot: 1.png)
A Qt CrackMe; run it first.
(screenshot: 2.png)
The window title says "cutie keygen". Find main; too lazy to drag it into IDA.

0x2 main is at 01381BF0. PS: mind the addresses yourself; they are from my debugger session and shift with the load base.
[Asm]
0138190B  |.  6A 0C                                       PUSH    0xC
0138190D  |.  68 18B0C401                                 PUSH    01C4B018                                               ;  cutie keygen
01381912  |.  FFD5                                        CALL    EBP
01381914  |.  83C4 08                                     ADD     ESP, 0x8
01381917  |.  894424 10                                   MOV     DWORD PTR SS:[ESP+0x10], EAX
0138191B  |.  8D4424 10                                   LEA     EAX, DWORD PTR SS:[ESP+0x10]
0138191F  |.  C64424 68 07                                MOV     BYTE PTR SS:[ESP+0x68], 0x7
01381924  |.  50                                          PUSH    EAX
01381925  |.  8D4C24 1C                                   LEA     ECX, DWORD PTR SS:[ESP+0x1C]
01381929  |.  FF15 A0413801                               CALL    DWORD PTR DS:[<&Qt5Gui.QWindow::setTitle>]             ;  Qt5Gui.QWindow::setTitle
0138192F  |.  8D4C24 10                                   LEA     ECX, DWORD PTR SS:[ESP+0x10]
01381933  |.  C64424 68 04                                MOV     BYTE PTR SS:[ESP+0x68], 0x4
01381938  |.  FF15 84413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::~QString>]            ;  Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef
0138193E  |.  8D4C24 18                                   LEA     ECX, DWORD PTR SS:[ESP+0x18]
01381942  |.  FF15 BC413801                               CALL    DWORD PTR DS:[<&Qt5Gui.QWindow::show>]                 ;  Qt5Gui.QWindow::show
01381948  |.  6A 00                                       PUSH    0x0
0138194A  |.  8D4C24 38                                   LEA     ECX, DWORD PTR SS:[ESP+0x38]
0138194E  |.  E8 9D020000                                 CALL    01381BF0


0x3 Find the button's event dispatch. This looks like the moc-generated qt_static_metacall: it switches on the slot index, and for case 1 builds a QString from the argument and calls the handler.
[Asm]
01382E80  /$  8B4424 08                                   MOV     EAX, DWORD PTR SS:[ESP+0x8]
01382E84  |.  83EC 08                                     SUB     ESP, 0x8
01382E87  |.  85C0                                        TEST    EAX, EAX
01382E89  |.  75 61                                       JNZ     SHORT 01382EEC
01382E8B  |.  8B4424 14                                   MOV     EAX, DWORD PTR SS:[ESP+0x14]
01382E8F  |.  83E8 00                                     SUB     EAX, 0x0                                               ;  Switch (cases 0..1)
01382E92  |.  74 20                                       JE      SHORT 01382EB4
01382E94  |.  48                                          DEC     EAX
01382E95  |.  75 71                                       JNZ     SHORT 01382F08
01382E97  |.  8B4424 18                                   MOV     EAX, DWORD PTR SS:[ESP+0x18]                           ;  Case 1 of switch 01382E8F
01382E9B  |.  51                                          PUSH    ECX
01382E9C  |.  8BCC                                        MOV     ECX, ESP
01382E9E  |.  FF70 04                                     PUSH    DWORD PTR DS:[EAX+0x4]
01382EA1  |.  FF15 40413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::QString>]             ;  Qt5Core.QString::QString
01382EA7  |.  8B4C24 10                                   MOV     ECX, DWORD PTR SS:[ESP+0x10]                           ; |
01382EAB  |.  E8 E0F5FFFF                                 CALL    01382490                                               ; \win-crac.01382490
01382EB0  |.  83C4 08                                     ADD     ESP, 0x8
01382EB3  |.  C3                                          RETN

Step into it:
[Asm]
01382EAB  |.  E8 E0F5FFFF                                 CALL    01382490                                               ; \win-crac.01382490

This is the qDebug message logging: the result of CALL 01381D50 selects the "YES!" or "NOPE :(" message.
[Asm]
013825AA  |.  E8 A1F7FFFF                                 CALL    01381D50                                               ; \win-crac.01381D50
013825AF  |.  84C0                                        TEST    AL, AL
013825B1  |.  8D4C24 38                                   LEA     ECX, DWORD PTR SS:[ESP+0x38]
013825B5  |.  8D4424 18                                   LEA     EAX, DWORD PTR SS:[ESP+0x18]
013825B9  |.  50                                          PUSH    EAX
013825BA  |.  6A 00                                       PUSH    0x0
013825BC  |.  6A 00                                       PUSH    0x0
013825BE  |.  6A 00                                       PUSH    0x0
013825C0      74 2B                                       JE      SHORT 013825ED
013825C2  |.  FF15 54413801                               CALL    DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>>;  Qt5Core.QMessageLogger::QMessageLogger
013825C8  |.  8BC8                                        MOV     ECX, EAX
013825CA  |.  FFD5                                        CALL    EBP
013825CC  |.  68 B4B0C401                                 PUSH    01C4B0B4                                               ;  YES!
013825D1  |.  8BC8                                        MOV     ECX, EAX
013825D3  |.  C64424 58 03                                MOV     BYTE PTR SS:[ESP+0x58], 0x3
013825D8  |.  FF15 1C413801                               CALL    DWORD PTR DS:[<&Qt5Core.QDebug::operator<<>]           ;  Qt5Core.QDebug::operator<<
013825DE  |.  8D4C24 18                                   LEA     ECX, DWORD PTR SS:[ESP+0x18]
013825E2  |.  C64424 54 01                                MOV     BYTE PTR SS:[ESP+0x54], 0x1
013825E7  |.  FFD7                                        CALL    EDI
013825E9  |.  6A 00                                       PUSH    0x0
013825EB  |.  EB 29                                       JMP     SHORT 01382616
013825ED  |>  FF15 54413801                               CALL    DWORD PTR DS:[<&Qt5Core.QMessageLogger::QMessageLogger>>;  Qt5Core.QMessageLogger::QMessageLogger
013825F3  |.  8BC8                                        MOV     ECX, EAX
013825F5  |.  FFD5                                        CALL    EBP
013825F7  |.  68 BCB0C401                                 PUSH    01C4B0BC                                               ;  NOPE :(

To patch instead of keygen: the JE at 013825C0 (74 2B) jumps to the NOPE branch when the check in 01381D50 returns 0, so NOP out those two bytes and every input reaches "YES!".
0x4 Password
[Asm]
013825AA  |.  E8 A1F7FFFF                                 CALL    01381D50                                               ; \win-crac.01381D50



[Asm]
01381DB3  |.  FF15 40413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::QString>]             ;  Qt5Core.QString::QString
01381DB9  |.  8BCB                                        MOV     ECX, EBX                                               ; |
01381DBB  |.  E8 E0000000                                 CALL    01381EA0                                               ; \win-crac.01381EA0
01381DC0  |.  50                                          PUSH    EAX
01381DC1  |.  8D8C24 2C010000                             LEA     ECX, DWORD PTR SS:[ESP+0x12C]
01381DC8  |.  FF15 3C413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::operator=>]           ;  Qt5Core.QString::operator=
01381DCE  |.  51                                          PUSH    ECX
01381DCF  |.  8D8424 2C010000                             LEA     EAX, DWORD PTR SS:[ESP+0x12C]
01381DD6  |.  8BCC                                        MOV     ECX, ESP
01381DD8  |.  50                                          PUSH    EAX
01381DD9  |.  FF15 40413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::QString>]             ;  Qt5Core.QString::QString
01381DDF  |.  8BCB                                        MOV     ECX, EBX
01381DE1  |.  E8 7A080000                                 CALL    01382660

01381DB3: QString copy of the entered password.
01381DE1 |. E8 7A080000 CALL 01382660: XOR of the password.
0x5 Algorithm initialization
Follow into main, CALL 01381BF0; inside it
01381C32  |.  E8 69030000                                 CALL    01381FA0   the algorithm
The core of the encryption is a block cipher. The data set up at initialization:
[Asm]
0138221B  |.  C78424 90000000 DF90BC70                    MOV     DWORD PTR SS:[ESP+0x90], 0x70BC90DF
01382226  |.  C78424 94000000 57EF965A                    MOV     DWORD PTR SS:[ESP+0x94], 0x5A96EF57
01382231  |.  C78424 98000000 EECF0955                    MOV     DWORD PTR SS:[ESP+0x98], 0x5509CFEE
0138223C  |.  C78424 9C000000 CE80200D                    MOV     DWORD PTR SS:[ESP+0x9C], 0xD2080CE
01382247  |.  C78424 A0000000 4FE10E07                    MOV     DWORD PTR SS:[ESP+0xA0], 0x70EE14F
01382252  |.  C78424 A4000000 46A4C62F                    MOV     DWORD PTR SS:[ESP+0xA4], 0x2FC6A446
0138225D  |.  C78424 A8000000 F0EC5553                    MOV     DWORD PTR SS:[ESP+0xA8], 0x5355ECF0
01382268  |.  C78424 AC000000 2B785764                    MOV     DWORD PTR SS:[ESP+0xAC], 0x6457782B

The block is 128 bits handled as a pair of 64-bit words, and the key is likewise two 64-bit words; the key words are the values set up here at initialization and consumed by the round loop below.
[Asm]
013822B8  |.  C747 18 3A0E0F88                            MOV     DWORD PTR DS:[EDI+0x18], 0x880F0E3A
013822BF  |.  C747 1C AF56D816                            MOV     DWORD PTR DS:[EDI+0x1C], 0x16D856AF
013822C6  |.  C747 20 10F38F05                            MOV     DWORD PTR DS:[EDI+0x20], 0x58FF310
013822CD  |.  C747 24 7C36E8D8                            MOV     DWORD PTR DS:[EDI+0x24], 0xD8E8367C


Look again at 01381DE1 |. E8 7A080000 CALL 01382660, the password XOR.

This is where the first 16-byte block is processed; the same code then handles the last 16 bytes. The words are little-endian in memory, which the inverse transform has to take into account.
[Asm]
013829C0   > /33C0                                        XOR     EAX, EAX
013829C2   . |8BCA                                        MOV     ECX, EDX
013829C4   . |0FACEA 08                                   SHRD    EDX, EBP, 0x8
013829C8   . |C1E1 18                                     SHL     ECX, 0x18
013829CB   . |C1ED 08                                     SHR     EBP, 0x8
013829CE   . |0BD0                                        OR      EDX, EAX
013829D0   . |0BE9                                        OR      EBP, ECX
013829D2   . |03D3                                        ADD     EDX, EBX
013829D4   . |8BCE                                        MOV     ECX, ESI
013829D6   . |13EE                                        ADC     EBP, ESI
013829D8   . |C1E9 1D                                     SHR     ECX, 0x1D
013829DB   . |336C24 58                                   XOR     EBP, DWORD PTR SS:[ESP+0x58]
013829DF   . |33D7                                        XOR     EDX, EDI
013829E1   . |0FA4DE 03                                   SHLD    ESI, EBX, 0x3
013829E5   . |896C24 3C                                   MOV     DWORD PTR SS:[ESP+0x3C], EBP
013829E9   . |0BF0                                        OR      ESI, EAX
013829EB   . |896C24 7C                                   MOV     DWORD PTR SS:[ESP+0x7C], EBP
013829EF   . |33F5                                        XOR     ESI, EBP
013829F1   . |C1E3 03                                     SHL     EBX, 0x3
013829F4   . |8B6C24 5C                                   MOV     EBP, DWORD PTR SS:[ESP+0x5C]
013829F8   . |0BD9                                        OR      EBX, ECX
013829FA   . |8B4C24 1C                                   MOV     ECX, DWORD PTR SS:[ESP+0x1C]
013829FE   . |33DA                                        XOR     EBX, EDX
01382A00   . |0FAC6C24 1C 08                              SHRD    DWORD PTR SS:[ESP+0x1C], EBP, 0x8
01382A06   . |0B4424 1C                                   OR      EAX, DWORD PTR SS:[ESP+0x1C]
01382A0A   . |C1E1 18                                     SHL     ECX, 0x18
01382A0D   . |C1ED 08                                     SHR     EBP, 0x8
01382A10   . |0BCD                                        OR      ECX, EBP
01382A12   . |895424 78                                   MOV     DWORD PTR SS:[ESP+0x78], EDX
01382A16   . |8B6C24 58                                   MOV     EBP, DWORD PTR SS:[ESP+0x58]
01382A1A   . |03C7                                        ADD     EAX, EDI
01382A1C   . |897424 74                                   MOV     DWORD PTR SS:[ESP+0x74], ESI
01382A20   . |13CD                                        ADC     ECX, EBP
01382A22   . |334424 24                                   XOR     EAX, DWORD PTR SS:[ESP+0x24]
01382A26   . |334C24 14                                   XOR     ECX, DWORD PTR SS:[ESP+0x14]
01382A2A   . |894424 1C                                   MOV     DWORD PTR SS:[ESP+0x1C], EAX
01382A2E   . |33C0                                        XOR     EAX, EAX
01382A30   . |894C24 5C                                   MOV     DWORD PTR SS:[ESP+0x5C], ECX
01382A34   . |8BCD                                        MOV     ECX, EBP
01382A36   . |0FA4FD 03                                   SHLD    EBP, EDI, 0x3
01382A3A   . |C1E9 1D                                     SHR     ECX, 0x1D
01382A3D   . |0BC5                                        OR      EAX, EBP
01382A3F   . |C1E7 03                                     SHL     EDI, 0x3
01382A42   . |334424 5C                                   XOR     EAX, DWORD PTR SS:[ESP+0x5C]
01382A46   . |0BF9                                        OR      EDI, ECX
01382A48   . |337C24 1C                                   XOR     EDI, DWORD PTR SS:[ESP+0x1C]
01382A4C   . |8B6C24 3C                                   MOV     EBP, DWORD PTR SS:[ESP+0x3C]
01382A50   . |894424 58                                   MOV     DWORD PTR SS:[ESP+0x58], EAX
01382A54   . |8B4424 24                                   MOV     EAX, DWORD PTR SS:[ESP+0x24]
01382A58   . |83C0 01                                     ADD     EAX, 0x1
01382A5B   . |894424 24                                   MOV     DWORD PTR SS:[ESP+0x24], EAX
01382A5F   . |835424 14 00                                ADC     DWORD PTR SS:[ESP+0x14], 0x0
01382A64   . |75 09                                       JNZ     SHORT 01382A6F
01382A66   . |83F8 20                                     CMP     EAX, 0x20
01382A69   .^\0F82 51FFFFFF                               JB      013829C0

013829D0   .  0BE9                                        OR      EBP, ECX                                                ;  s0 = ror(s0, 8)
013829D6   .  13EE                                        ADC     EBP, ESI                                                ;  s0 = s0 + s1
013829DF   .  33D7                                        XOR     EDX, EDI                                                ;  s0 = s0 ^ x0
013829F8   .  0BD9                                        OR      EBX, ECX                                                ; s1 = rol(s1, 3)
013829FE   .  33DA                                        XOR     EBX, EDX                                                ;  s1 = s1 ^ s0
01382A10   .  0BCD                                        OR      ECX, EBP                                                ;  x1 = ror(x1, 8)
01382A20   .  13CD                                        ADC     ECX, EBP                                                ;  x1 = x1 + x0
01382A26   .  334C24 14                                XOR     ECX, DWORD PTR SS:[ESP+0x14]                            ;  x1 = x1 ^ i
01382A46   .  0BF9                                        OR      EDI, ECX                                                ;  x0 = rol(x0, 3)
01382A48   .  337C24 1C                                   XOR     EDI, DWORD PTR SS:[ESP+0x1C]                            ;  x0 = x0 ^ x1
01382A5F   .  835424 14 00                                ADC     DWORD PTR SS:[ESP+0x14], 0x0                            ;  i = i + 1

013822B8  |.  C747 18 3A0E0F88                            MOV     DWORD PTR DS:[EDI+0x18], 0x880F0E3A
013822BF  |.  C747 1C AF56D816                            MOV     DWORD PTR DS:[EDI+0x1C], 0x16D856AF
013822C6  |.  C747 20 10F38F05                            MOV     DWORD PTR DS:[EDI+0x20], 0x58FF310
013822CD  |.  C747 24 7C36E8D8                            MOV     DWORD PTR DS:[EDI+0x24], 0xD8E8367C


Python
[Python]
from struct import pack, unpack

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def add(a, b, bits=64):
    return (a + b) & ((1 << bits) - 1)

def en_cry(HexData):
    # One 128-bit block as two 64-bit words, 32 rounds.
    # x0/x1 are the two key words set up at 013822B8 (qwords at EDI+0x20 and EDI+0x18).
    s0, s1 = HexData
    x0 = 0xD8E8367C058FF310
    x1 = 0x16D856AF880F0E3A
    for i in range(32):
        s0 = add(ror(s0, 8), s1) ^ x0   # data: ror 8, add, xor round key
        x1 = add(ror(x1, 8), x0) ^ i    # key schedule: round counter mixed in
        s1 = rol(s1, 3) ^ s0            # data: rol 3, xor
        x0 = rol(x0, 3) ^ x1            # key schedule: next round key
    return s0, s1

def encrypt(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(en_cry(HexData[i:i + 2]))
    return res

def encrypt_passwd(passwd):
    # 16 x 16-bit words -> 4 x 64-bit words -> two blocks -> back to 16-bit words
    l = unpack('>4Q', pack('>16H', *passwd))
    l = encrypt(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l


0x6 Encryption key and matrix

[Asm]
01381E11  |> \FF73 08                                     PUSH    DWORD PTR DS:[EBX+0x8]
01381E14  |.  8D4424 18                                   LEA     EAX, DWORD PTR SS:[ESP+0x18]
01381E18  |.  50                                          PUSH    EAX
01381E19  |.  8D8424 9C000000                             LEA     EAX, DWORD PTR SS:[ESP+0x9C]
01381E20  |.  50                                          PUSH    EAX
01381E21  |.  E8 0AFCFFFF                                 CALL    01381A30
01381E26  |.  8BF0                                        MOV     ESI, EAX
01381E28  |.  B9 20000000                                 MOV     ECX, 0x20
01381E2D  |.  F3:A5                                       REP     MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
01381E2F  |.  83C4 0C                                     ADD     ESP, 0xC
01381E32  |.  8D7C24 14                                   LEA     EDI, DWORD PTR SS:[ESP+0x14]
01381E36  |.  8BF0                                        MOV     ESI, EAX
01381E38  |.  B9 20000000                                 MOV     ECX, 0x20
01381E3D  |.  F3:A5                                       REP     MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
01381E3F  |.  FF73 0C                                     PUSH    DWORD PTR DS:[EBX+0xC]
01381E42  |.  8D4C24 18                                   LEA     ECX, DWORD PTR SS:[ESP+0x18]
01381E46  |.  E8 05FEFFFF                                 CALL    01381C50
01381E4B  |.  84C0                                        TEST    AL, AL
01381E4D  |.  75 04                                       JNZ     SHORT 01381E53
01381E4F  |.  B3 01                                       MOV     BL, 0x1
01381E51  |.  EB 02                                       JMP     SHORT 01381E55
01381E53  |>  32DB                                        XOR     BL, BL
01381E55  |>  8D8C24 28010000                             LEA     ECX, DWORD PTR SS:[ESP+0x128]
01381E5C  |.  C78424 20010000 FFFFFFFF                    MOV     DWORD PTR SS:[ESP+0x120], -0x1
01381E67  |.  FF15 84413801                               CALL    DWORD PTR DS:[<&Qt5Core.QString::~QString>]            ;  Qt5Core.QXmlStreamStringRef::~QXmlStreamStringRef

Here the encrypted key and the constant table are combined, and the result is compared against the reference data.
[Asm]
01381FBE  |.  C74424 10 80130000                          MOV     DWORD PTR SS:[ESP+0x10], 0x1380
01381FC6  |.  C74424 14 00000000                          MOV     DWORD PTR SS:[ESP+0x14], 0x0
01381FCE  |.  C74424 18 E4040000                          MOV     DWORD PTR SS:[ESP+0x18], 0x4E4
01381FD6  |.  C74424 1C 00000000                          MOV     DWORD PTR SS:[ESP+0x1C], 0x0
01381FDE  |.  C74424 20 09270000                          MOV     DWORD PTR SS:[ESP+0x20], 0x2709
01381FE6  |.  C74424 24 00000000                          MOV     DWORD PTR SS:[ESP+0x24], 0x0
01381FEE  |.  C74424 28 35200000                          MOV     DWORD PTR SS:[ESP+0x28], 0x2035
01381FF6  |.  C74424 2C 00000000                          MOV     DWORD PTR SS:[ESP+0x2C], 0x0
01381FFE  |.  C74424 30 FA250000                          MOV     DWORD PTR SS:[ESP+0x30], 0x25FA
01382006  |.  C74424 34 00000000                          MOV     DWORD PTR SS:[ESP+0x34], 0x0
0138200E  |.  C74424 38 DA560000                          MOV     DWORD PTR SS:[ESP+0x38], 0x56DA
01382016  |.  C74424 3C 00000000                          MOV     DWORD PTR SS:[ESP+0x3C], 0x0
0138201E  |.  C74424 40 03010000                          MOV     DWORD PTR SS:[ESP+0x40], 0x103
01382026  |.  C74424 44 00000000                          MOV     DWORD PTR SS:[ESP+0x44], 0x0
0138202E  |.  C74424 48 31150000                          MOV     DWORD PTR SS:[ESP+0x48], 0x1531
01382036  |.  C74424 4C 00000000                          MOV     DWORD PTR SS:[ESP+0x4C], 0x0
0138203E  |.  C74424 50 AA0C0000                          MOV     DWORD PTR SS:[ESP+0x50], 0xCAA
01382046  |.  C74424 54 00000000                          MOV     DWORD PTR SS:[ESP+0x54], 0x0
0138204E  |.  C74424 58 611A0000                          MOV     DWORD PTR SS:[ESP+0x58], 0x1A61
01382056  |.  C74424 5C 00000000                          MOV     DWORD PTR SS:[ESP+0x5C], 0x0
0138205E  |.  C74424 60 070E0000                          MOV     DWORD PTR SS:[ESP+0x60], 0xE07
01382066  |.  C74424 64 00000000                          MOV     DWORD PTR SS:[ESP+0x64], 0x0
0138206E  |.  C74424 68 20000000                          MOV     DWORD PTR SS:[ESP+0x68], 0x20
01382076  |.  C74424 6C 00000000                          MOV     DWORD PTR SS:[ESP+0x6C], 0x0
0138207E  |.  C74424 70 E2000000                          MOV     DWORD PTR SS:[ESP+0x70], 0xE2
01382086  |.  C74424 74 00000000                          MOV     DWORD PTR SS:[ESP+0x74], 0x0
0138208E  |.  C74424 78 3F120000                          MOV     DWORD PTR SS:[ESP+0x78], 0x123F
01382096  |.  C74424 7C 00000000                          MOV     DWORD PTR SS:[ESP+0x7C], 0x0
0138209E  |.  C78424 80000000 C0000000                    MOV     DWORD PTR SS:[ESP+0x80], 0xC0
013820A9  |.  C78424 84000000 00000000                    MOV     DWORD PTR SS:[ESP+0x84], 0x0
013820B4  |.  C78424 88000000 C70D0000                    MOV     DWORD PTR SS:[ESP+0x88], 0xDC7
013820BF  |.  C78424 8C000000 00000000                    MOV     DWORD PTR SS:[ESP+0x8C], 0x0


This is a table of 16 entries; read it as a 4×4 matrix. It is set up at startup and multiplied with the matrix built from the encrypted key; if the product equals the reference table below, the entered key is valid.
[Asm]
013820EE  |.  C74424 10 6AC26F14                          MOV     DWORD PTR SS:[ESP+0x10], 0x146FC26A
013820F6  |.  C74424 14 00000000                          MOV     DWORD PTR SS:[ESP+0x14], 0x0
013820FE  |.  C74424 18 9A013424                          MOV     DWORD PTR SS:[ESP+0x18], 0x2434019A
01382106  |.  C74424 1C 00000000                          MOV     DWORD PTR SS:[ESP+0x1C], 0x0
0138210E  |.  C74424 20 4E96B216                          MOV     DWORD PTR SS:[ESP+0x20], 0x16B2964E
01382116  |.  C74424 24 00000000                          MOV     DWORD PTR SS:[ESP+0x24], 0x0
0138211E  |.  C74424 28 64C1FC1D                          MOV     DWORD PTR SS:[ESP+0x28], 0x1DFCC164
01382126  |.  C74424 2C 00000000                          MOV     DWORD PTR SS:[ESP+0x2C], 0x0
0138212E  |.  C74424 30 046B7610                          MOV     DWORD PTR SS:[ESP+0x30], 0x10766B04
01382136  |.  C74424 34 00000000                          MOV     DWORD PTR SS:[ESP+0x34], 0x0
0138213E  |.  C74424 38 9DE9671F                          MOV     DWORD PTR SS:[ESP+0x38], 0x1F67E99D
01382146  |.  C74424 3C 00000000                          MOV     DWORD PTR SS:[ESP+0x3C], 0x0
0138214E  |.  C74424 40 02589013                          MOV     DWORD PTR SS:[ESP+0x40], 0x13905802
01382156  |.  C74424 44 00000000                          MOV     DWORD PTR SS:[ESP+0x44], 0x0
0138215E  |.  C74424 48 A39DA914                          MOV     DWORD PTR SS:[ESP+0x48], 0x14A99DA3
01382166  |.  C74424 4C 00000000                          MOV     DWORD PTR SS:[ESP+0x4C], 0x0
0138216E  |.  C74424 50 6CCEE52A                          MOV     DWORD PTR SS:[ESP+0x50], 0x2AE5CE6C
01382176  |.  C74424 54 00000000                          MOV     DWORD PTR SS:[ESP+0x54], 0x0
0138217E  |.  C74424 58 7FAA4840                          MOV     DWORD PTR SS:[ESP+0x58], 0x4048AA7F
01382186  |.  C74424 5C 00000000                          MOV     DWORD PTR SS:[ESP+0x5C], 0x0
0138218E  |.  C74424 60 5F9BCF33                          MOV     DWORD PTR SS:[ESP+0x60], 0x33CF9B5F
01382196  |.  C74424 64 00000000                          MOV     DWORD PTR SS:[ESP+0x64], 0x0
0138219E  |.  C74424 68 6216102C                          MOV     DWORD PTR SS:[ESP+0x68], 0x2C101662
013821A6  |.  C74424 6C 00000000                          MOV     DWORD PTR SS:[ESP+0x6C], 0x0
013821AE  |.  C74424 70 E4FCF52D                          MOV     DWORD PTR SS:[ESP+0x70], 0x2DF5FCE4
013821B6  |.  C74424 74 00000000                          MOV     DWORD PTR SS:[ESP+0x74], 0x0
013821BE  |.  C74424 78 4CC7264C                          MOV     DWORD PTR SS:[ESP+0x78], 0x4C26C74C
013821C6  |.  C74424 7C 00000000                          MOV     DWORD PTR SS:[ESP+0x7C], 0x0
013821CE  |.  C78424 80000000 0F98D52C                    MOV     DWORD PTR SS:[ESP+0x80], 0x2CD5980F
013821D9  |.  C78424 84000000 00000000                    MOV     DWORD PTR SS:[ESP+0x84], 0x0
013821E4  |.  C78424 88000000 DBDEA92B                    MOV     DWORD PTR SS:[ESP+0x88], 0x2BA9DEDB
013821EF  |.  C78424 8C000000 00000000                    MOV     DWORD PTR SS:[ESP+0x8C], 0x0

Python
The solver function names in the post came through mangled (apparently by the forum word filter); they are restored here to z3's Solve()/Solver().
[Python]
from z3 import Int, Solver, And, sat

# A and R are the two 16-entry tables from 0x6 (the constant matrix at 01381FBE
# and the reference table at 013820EE); the complete script in 0x7 defines them.

def Solve():
    # 16 unknown 16-bit words B (the encrypted password). The binary checks
    # sum_k B[4k+i] * A[4k+j] == R[4i+j] for all i, j, i.e. a 4x4 matrix product.
    B = []
    for i in range(16):
        B.append(Int('b%d' % i))

    s = Solver()
    for b in B:
        s.add(And(b >= 0, b <= 0xFFFF))

    for i in range(4):
        for j in range(4):
            s.add(
                B[i + 0 * 4] * A[j + 0 * 4] +
                B[i + 1 * 4] * A[j + 1 * 4] +
                B[i + 2 * 4] * A[j + 2 * 4] +
                B[i + 3 * 4] * A[j + 3 * 4] == R[i * 4 + j]
            )
    r = []
    if s.check() == sat:
        model = s.model()
        for i in range(16):
            r.append(model[B[i]].as_long())
    else:
        print('Oops')

    return r


Write a script to decrypt; testing showed that the decryption round keys also had to be put in the right order. After testing:
[Python]
from struct import pack, unpack

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def sub(n, c, bits=64):
    return (n - c) & ((1 << bits) - 1)

def De_cry(HexData):
    # Inverse of en_cry: x0/x1 start as the key-schedule state after all 32 rounds
    # and are stepped back one round per iteration (counter 31 - i) before that
    # round is undone on the data.
    s0, s1 = HexData
    x0 = 0x0A728E203850A80E
    x1 = 0x1B8E2679CCAEF6B4
    for i in range(32):
        x0 = ror(x0 ^ x1, 3)
        s1 = ror(s1 ^ s0, 3)
        x1 = rol(sub(x1 ^ (31 - i), x0), 8)
        s0 = rol(sub(s0 ^ x0, s1), 8)
    return s0, s1

def De(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(De_cry(HexData[i:i + 2]))
    return res

def De_PassWord(passwd):
    l = unpack('>4Q', pack('>16H', *passwd))
    l = De(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l



0x7 Done:
[Python]
from struct import pack, unpack
from z3 import Int, Solver, And, sat

# Constant matrix set up at 01381FBE (low dword of each 64-bit slot)
A = [0x1380, 0x4E4, 0x2709, 0x2035, 0x25FA, 0x56DA, 0x103, 0x1531,
    0x0CAA, 0x1A61, 0x0E07, 0x20, 0x0E2, 0x123F, 0x0C0, 0x0DC7]

# Reference table at 013820EE that the product has to equal
R = [0x146FC26A, 0x2434019A, 0x16B2964E, 0x1DFCC164,
    0x10766B04, 0x1F67E99D, 0x13905802, 0x14A99DA3,
    0x2AE5CE6C, 0x4048AA7F, 0x33CF9B5F, 0x2C101662,
    0x2DF5FCE4, 0x4C26C74C, 0x2CD5980F, 0x2BA9DEDB]

# XOR words from 0138221B: the 16-bit halves of each dword, low half first
xor_key = [0x90DF, 0x70BC, 0x0EF57, 0x5A96, 0x0CFEE, 0x5509, 0x80CE, 0x0D20,
    0x0E14F, 0x70E, 0x0A446, 0x2FC6, 0x0ECF0, 0x5355, 0x782B, 0x6457]

def Solve():
    # 16 unknown 16-bit words B (the encrypted password). The binary checks
    # sum_k B[4k+i] * A[4k+j] == R[4i+j] for all i, j, i.e. a 4x4 matrix product.
    B = []
    for i in range(16):
        B.append(Int('b%d' % i))

    s = Solver()
    for b in B:
        s.add(And(b >= 0, b <= 0xFFFF))

    for i in range(4):
        for j in range(4):
            s.add(
                B[i + 0 * 4] * A[j + 0 * 4] +
                B[i + 1 * 4] * A[j + 1 * 4] +
                B[i + 2 * 4] * A[j + 2 * 4] +
                B[i + 3 * 4] * A[j + 3 * 4] == R[i * 4 + j]
            )
    r = []
    if s.check() == sat:
        model = s.model()
        for i in range(16):
            r.append(model[B[i]].as_long())
    else:
        print('Oops')

    return r

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def sub(n, c, bits=64):
    mask = (1 << bits) - 1
    return (n - c) & mask

def xor_passwd(passwd):
    l = [0] * 16
    for i in range(16):
        l[i] = passwd[i] ^ xor_key[i]
    return l

def De_cry(HexData):
    # Inverse of en_cry: x0/x1 start as the key-schedule state after all 32 rounds
    # and are stepped back one round per iteration (counter 31 - i) before that
    # round is undone on the data.
    s0, s1 = HexData
    x0 = 0x0A728E203850A80E
    x1 = 0x1B8E2679CCAEF6B4
    for i in range(32):
        x0 = ror(x0 ^ x1, 3)
        s1 = ror(s1 ^ s0, 3)
        x1 = rol(sub(x1 ^ (31 - i), x0), 8)
        s0 = rol(sub(s0 ^ x0, s1), 8)
    return s0, s1

def De(HexData):
    res = []
    for i in range(0, len(HexData), 2):
        res.extend(De_cry(HexData[i:i + 2]))
    return res

def De_PassWord(passwd):
    # 16 x 16-bit words -> 4 x 64-bit words -> decrypt two blocks -> back to 16-bit words
    l = unpack('>4Q', pack('>16H', *passwd))
    l = De(l)
    l = unpack('>16H', pack('>4Q', *l))
    return l

passwd = Solve()              # encrypted password words, from the matrix check
passwd = De_PassWord(passwd)  # undo the block cipher
passwd = xor_passwd(passwd)   # undo the XOR at 01382660
print(''.join(map(chr, passwd)))


Key = BKP{KYU7EC!PH3R}
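The round loop annotated in 0x5 (rotate right 8, add, XOR round key, rotate left 3, XOR, with the same structure driving the two key words and a round counter) is the Speck128/128 round function and key schedule, and the check in 0x6 is a 4×4 matrix product over the 16 encrypted words. The script below is an added example, not the post's code: it replaces z3 with exact Gauss-Jordan elimination over the rationals (the system is square, so when the constant matrix is invertible the 16-bit solution is unique), replaces the precomputed final round keys with the forward Speck key schedule run in reverse, and checks the cipher identification against the published Speck128/128 test vector. The function names (speck_round_keys, solve_matrix, recover_encrypted_words, keygen) are mine; the constants are the ones transcribed from the disassembly above.

```python
from fractions import Fraction
from struct import pack, unpack

MASK64 = (1 << 64) - 1

# Constants as transcribed on the page: A from 01381FBE, R from 013820EE,
# XOR words from 0138221B, the two key words from 013822B8.
A = [0x1380, 0x4E4, 0x2709, 0x2035, 0x25FA, 0x56DA, 0x103, 0x1531,
     0x0CAA, 0x1A61, 0x0E07, 0x20, 0x0E2, 0x123F, 0x0C0, 0x0DC7]
R = [0x146FC26A, 0x2434019A, 0x16B2964E, 0x1DFCC164,
     0x10766B04, 0x1F67E99D, 0x13905802, 0x14A99DA3,
     0x2AE5CE6C, 0x4048AA7F, 0x33CF9B5F, 0x2C101662,
     0x2DF5FCE4, 0x4C26C74C, 0x2CD5980F, 0x2BA9DEDB]
XOR_KEY = [0x90DF, 0x70BC, 0x0EF57, 0x5A96, 0x0CFEE, 0x5509, 0x80CE, 0x0D20,
           0x0E14F, 0x70E, 0x0A446, 0x2FC6, 0x0ECF0, 0x5355, 0x782B, 0x6457]
K0, K1 = 0xD8E8367C058FF310, 0x16D856AF880F0E3A  # x0 (k) and x1 (l) in the post

def ror(n, c, bits=64):
    mask = (1 << bits) - 1
    return ((n >> c) | (n << (bits - c))) & mask

def rol(n, c, bits=64):
    return ror(n, bits - c, bits)

def speck_round_keys(k, l, rounds=32):
    """Speck key schedule for two key words: the x0/x1 half of the loop at 013829C0."""
    keys = []
    for i in range(rounds):
        keys.append(k)
        l = ((ror(l, 8) + k) & MASK64) ^ i
        k = rol(k, 3) ^ l
    return keys

def speck_encrypt(block, k=K0, l=K1):
    """One 128-bit block as (s0, s1): the data half of the loop at 013829C0."""
    x, y = block
    for rk in speck_round_keys(k, l):
        x = ((ror(x, 8) + y) & MASK64) ^ rk
        y = rol(y, 3) ^ x
    return x, y

def speck_decrypt(block, k=K0, l=K1):
    """Undo the rounds in reverse order using the stored round keys."""
    x, y = block
    for rk in reversed(speck_round_keys(k, l)):
        y = ror(y ^ x, 3)
        x = rol(((x ^ rk) - y) & MASK64, 8)
    return x, y

def speck_known_answer_ok():
    """Published Speck128/128 test vector (Speck design paper): confirms the identification."""
    k, l = 0x0706050403020100, 0x0F0E0D0C0B0A0908
    pt = (0x6C61766975716520, 0x7469206564616D20)
    ct = (0xA65D985179783265, 0x7860FEDF5C570D18)
    return speck_encrypt(pt, k, l) == ct and speck_decrypt(ct, k, l) == pt

def solve_matrix(m, v):
    """Gauss-Jordan over the rationals: return x with m @ x == v (m is n x n, v is n x p)."""
    n = len(m)
    aug = [[Fraction(e) for e in m[i] + v[i]] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if aug[r][c] != 0)  # StopIteration: m is singular
        aug[c], aug[p] = aug[p], aug[c]
        aug[c] = [e / aug[c][c] for e in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [e - f * pc for e, pc in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def matches_reference(words, a=A, r=R):
    """The binary's check: sum_k words[4k+i] * a[4k+j] == r[4i+j] for all i, j."""
    return all(sum(words[4 * k + i] * a[4 * k + j] for k in range(4)) == r[4 * i + j]
               for i in range(4) for j in range(4))

def recover_encrypted_words(a=A, r=R):
    """Invert the check: with Bm[k][i] = words[4k+i] it reads Am^T @ Bm == Rm^T."""
    am_t = [list(col) for col in zip(*[a[4 * k:4 * k + 4] for k in range(4)])]
    rm_t = [list(col) for col in zip(*[r[4 * i:4 * i + 4] for i in range(4)])]
    bm = solve_matrix(am_t, rm_t)
    words = [bm[k][i] for k in range(4) for i in range(4)]
    if any(w.denominator != 1 or not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("no 16-bit integer solution; check the transcribed constants")
    return [int(w) for w in words]

def keygen():
    """Matrix inverse -> Speck decrypt of two blocks -> XOR -> key text (the post's pipeline)."""
    enc = recover_encrypted_words()
    blocks = unpack('>4Q', pack('>16H', *enc))  # word order as the post found it
    dec = []
    for i in (0, 2):
        dec.extend(speck_decrypt((blocks[i], blocks[i + 1])))
    words = unpack('>16H', pack('>4Q', *dec))
    return ''.join(chr(w ^ x) for w, x in zip(words, XOR_KEY))

if __name__ == "__main__":
    print(keygen())
```

Running it prints the key; compare with the one the post reports. If recover_encrypted_words raises, a constant was mistranscribed: the check only has a 16-bit integer solution for the genuine tables. Feeding the forward schedule to speck_decrypt in reverse also shows why the post had to "put the decryption keys in the right order": the last round key is the first one consumed.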
(screenshot: 123.png)


Download:
https://www.crack.vc/index.php?dir=Exercise/&file=cutie-keygen.zip


好心分手, posted 2017-5-22 07:38
Supporting the OP; great stuff.
cr4ck, posted 2017-5-22 07:59
sy2512885, posted 2017-5-22 08:03
Whatever big bro posts always reads like gibberish to a newbie like me...
凉拌梨心儿, posted 2017-5-22 08:53
Supporting the OP; great stuff.
雫Hao洋洋, posted 2017-5-22 08:57
Strangely moving; it has been so long since Chinese characters showed up in one of S's posts.
wangcejmp158, posted 2017-5-22 09:17
A master is a master; very impressive this time.
仙峰涯, posted 2017-5-22 10:54
I finally understood one of Sound's posts for once. They used to be all in English, and this one even has source code; a great learning experience.
hao1234566, posted 2017-5-22 14:25
Finally not in English.
Rea, posted 2017-5-22 20:46
Huh! Chinese appears!