題目總覽
- Easy Crack
- Easy Keygen
- Easy Unpack
Easy Crack: 100
分析
打開之後會彈出一個視窗,要使用者輸入文字
逆向
開啟ghidra分析,使用search->strings
可以看到在00406044位置有一個Congratulation!!字串 跟進去看使用他的函示
void FUN_00401080(HWND param_1)
{
byte bVar1;
byte *pbVar2;
int iVar3;
char *pcVar4;
undefined4 *puVar5;
bool bVar6;
char local_64;
char local_63;
char cStack_62;
byte abStack_61 [97];
local_64 = '\0';
puVar5 = (undefined4 *)&local_63;
for (iVar3 = 0x18; iVar3 != 0; iVar3 = iVar3 + -1) {
*puVar5 = 0;
puVar5 = puVar5 + 1;
}
*(undefined2 *)puVar5 = 0;
*(undefined *)((int)puVar5 + 2) = 0;
GetDlgItemTextA(param_1,1000,&local_64,100);
if (local_63 == 'a') {
iVar3 = _strncmp(&local_63 + 1,&DAT_00406078,2);
if (iVar3 == 0) {
pcVar4 = s_AGR3versing_0040606a;
pbVar2 = (byte *)(&local_63 + 3);
do {
pcVar4 = (char *)((byte *)pcVar4 + 2);
bVar1 = *pbVar2;
bVar6 = bVar1 < (byte)*pcVar4;
if (bVar1 != *pcVar4) {
LAB_00401102:
iVar3 = (1 - (uint)bVar6) - (uint)(bVar6 != 0);
goto LAB_00401107;
}
if (bVar1 == 0) break;
bVar1 = pbVar2[1];
bVar6 = bVar1 < ((byte *)pcVar4)[1];
if (bVar1 != ((byte *)pcVar4)[1]) goto LAB_00401102;
pbVar2 = pbVar2 + 2;
} while (bVar1 != 0);
iVar3 = 0;
LAB_00401107:
if ((iVar3 == 0) && (local_64 == 'E')) {
MessageBoxA(param_1,s_Congratulation_!!_00406044,s_EasyCrackMe_00406058,0x40);
EndDialog(param_1,0);
return;
}
}
}
MessageBoxA(param_1,s_Incorrect_Password_00406030,s_EasyCrackMe_00406058,0x10);
return;
}
另外原反編譯s_AGR3versing_0040606a跟反組譯過後是不同的,因此需要將0040606a位置的資料手動更新
GetDlgItemTextA : 擷取對話方塊中控制項相關聯的標題或文字。
void FUN_00401080(HWND param_1)
{
byte bVar1;
byte *pbVar2;
int i;
char *pcVar3;
undefined4 *puVar4;
bool bVar5;
char user_input [100];
user_input[0] = '\0';
puVar4 = (undefined4 *)(user_input + 1);
for (i = 0x18; i != 0; i = i + -1) {
*puVar4 = 0;
puVar4 = puVar4 + 1;
}
*(undefined2 *)puVar4 = 0;
*(undefined *)((int)puVar4 + 2) = 0;
GetDlgItemTextA(param_1,1000,user_input,100);
if (user_input[1] == 'a') {
i = _strncmp(user_input + 2,5y_DAT_00406078,2);
if (i == 0) {
pcVar3 = s_R3versing_0040606c;
pbVar2 = (byte *)(user_input + 4);
do {
bVar1 = *pbVar2;
bVar5 = bVar1 < (byte)*pcVar3;
if (bVar1 != *pcVar3) {
LAB_00401102:
i = (1 - (uint)bVar5) - (uint)(bVar5 != 0);
goto LAB_00401107;
}
if (bVar1 == 0) break;
bVar1 = pbVar2[1];
bVar5 = bVar1 < ((byte *)pcVar3)[1];
if (bVar1 != ((byte *)pcVar3)[1]) goto LAB_00401102;
pbVar2 = pbVar2 + 2;
pcVar3 = (char *)((byte *)pcVar3 + 2);
} while (bVar1 != 0);
i = 0;
LAB_00401107:
if ((i == 0) && (user_input[0] == 'E')) {
MessageBoxA(param_1,s_Congratulation_!!_00406044,s_EasyCrackMe_00406058,0x40);
EndDialog(param_1,0);
return;
}
}
}
MessageBoxA(param_1,s_Incorrect_Password_00406030,s_EasyCrackMe_00406058,0x10);
return;
}
因此可以推斷user input內容會是 user_input[0] = 'E' user_input[1] = 'a' user_input[2-3] = "5y" user_input[4-12] = "R3versing" 驗證之後即為答案
flag : Ea5yR3versing
Easy Keygen: 100
分析
有一個Readme.txt,內容為
Easy Keygen.exe執行後需要輸入一個input 與serial逆向
使用ida 分析exe
int __cdecl main(int argc, const char **argv, const char **envp)
{
signed int v3; // ebp
int i; // esi
char v6; // [esp+Ch] [ebp-130h]
char v7[2]; // [esp+Dh] [ebp-12Fh] BYREF
char v8[100]; // [esp+10h] [ebp-12Ch] BYREF
char Buffer[197]; // [esp+74h] [ebp-C8h] BYREF
__int16 v10; // [esp+139h] [ebp-3h]
char v11; // [esp+13Bh] [ebp-1h]
memset(v8, 0, sizeof(v8));
memset(Buffer, 0, sizeof(Buffer));
v10 = 0;
v11 = 0;
v6 = 16;
qmemcpy(v7, " 0", sizeof(v7));
sub_4011B9((int)aInputName);
scanf("%s", v8);
v3 = 0;
for ( i = 0; v3 < (int)strlen(v8); ++i )
{
if ( i >= 3 )
i = 0;
sprintf(Buffer, "%s%02X", Buffer, v8[v3++] ^ v7[i - 1]); // v7[i - 1]有解錯應為v7[i]
}
memset(v8, 0, sizeof(v8));
sub_4011B9((int)aInputSerial);
scanf("%s", v8);
if ( !strcmp(v8, Buffer) )
sub_4011B9((int)aCorrect);
else
sub_4011B9((int)aWrong);
return 0;
}
chal.py
def generate_correct_serial(input_name):
v7 = [0x10,0x20,0x30]
Buffer = ""
i = 0
v3 = 0
result = [input_name[i:i+2] for i in range(0, len(input_name), 2)]
for h in result:
Buffer += chr(int(h,16) ^ v7[i])
i+=1
if(i >=3):
i = 0
print(Buffer)
input_name = "5B134977135E7D13" # 假設這是我們的輸入名稱
generate_correct_serial(input_name)
flag:K3yg3nm3
Easy Unpack: 100
根據題目名稱應該是一個需要脫殼的題目,先丟入PEiD看看
發現到有加殼,但不知道是什麼殼,另外在Readme.txt中有說要找到OEP(Orginal Entry Point),因此可以用ida 或 gdb 分析。
可以看到loc_40A1FB,有一個大跳越,跳到loc_401150,這很像脫殼後的樣子,可以猜測0x00401150就是Original Entry Point。可以用x32dbg驗證,在0040A1FB下斷點
F7追進去之後發現在0x00401150的地方有55(push ebp),因此0x00401150就是OEP
flag : 00401150