CTF-rootme 题解之PE - 0 protection
题目地址:https://www.root-me.org/en/Challenges/Cracking/PE-0-protection
crack-exe:http://challenge01.root-me.org/cracking/ch15/ch15.exe
工具:32位版本的x64dbg
下载连接:https://x64dbg.com/
sourcecode:https://github.com/x64dbg/x64dbg
exefile:https://sourceforge.net/projects/x64dbg/files/snapshots/
1.使用x32dbg打开目标程序ch15.exe,搜索字符串信息,如图所示:
2.找到关键字符串"Usage: %s pass"所在位置双击,如图所示:
3.找到关键代码如下(其实在这一步我们就可以判断出密码,但为了更易懂,我们把破解密码的方法放在最后一步,反编译后更直观):
00401706 | B8 44 40 40 00 | mov eax,ch15.404044 | 404044:"Usage: %s pass"
0040170B | 8B 55 08 | mov edx,dword ptr ss:[ebp+8] |
0040170E | 89 54 24 04 | mov dword ptr ss:[esp+4],edx |
00401712 | 89 04 24 | mov dword ptr ss:[esp],eax |
00401715 | E8 96 11 00 00 | call <ch15.printf> |
0040171A | C7 04 24 00 00 00 00 | mov dword ptr ss:[esp],0 |
00401721 | E8 7A 11 00 00 | call <ch15.exit> |
00401726 | 55 | push ebp |
00401727 | 89 E5 | mov ebp,esp |
00401729 | 83 EC 28 | sub esp,28 |
0040172C | C7 45 F4 00 00 00 00 | mov dword ptr ss:[ebp-C],0 |
00401733 | 83 7D 0C 07 | cmp dword ptr ss:[ebp+C],7 |
00401737 | 75 71 | jne ch15.4017AA |
00401739 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
0040173C | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
0040173F | 3C 53 | cmp al,53 | 53:'S'
00401741 | 75 67 | jne ch15.4017AA |
00401743 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
00401746 | 83 C0 01 | add eax,1 |
00401749 | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
0040174C | 3C 50 | cmp al,50 | 50:'P'
0040174E | 75 5A | jne ch15.4017AA |
00401750 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
00401753 | 83 C0 02 | add eax,2 |
00401756 | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
00401759 | 3C 61 | cmp al,61 | 61:'a'
0040175B | 75 4D | jne ch15.4017AA |
0040175D | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
00401760 | 83 C0 03 | add eax,3 |
00401763 | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
00401766 | 3C 43 | cmp al,43 | 43:'C'
00401768 | 75 40 | jne ch15.4017AA |
0040176A | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
0040176D | 83 C0 04 | add eax,4 |
00401770 | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
00401773 | 3C 49 | cmp al,49 | 49:'I'
00401775 | 75 33 | jne ch15.4017AA |
00401777 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
0040177A | 83 C0 05 | add eax,5 |
0040177D | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
00401780 | 3C 6F | cmp al,6F | 6F:'o'
00401782 | 75 26 | jne ch15.4017AA |
00401784 | 8B 45 08 | mov eax,dword ptr ss:[ebp+8] |
00401787 | 83 C0 06 | add eax,6 |
0040178A | 0F B6 00 | movzx eax,byte ptr ds:[eax] |
0040178D | 3C 53 | cmp al,53 | 53:'S'
0040178F | 75 19 | jne ch15.4017AA |
00401791 | B8 53 40 40 00 | mov eax,ch15.404053 | 404053:"Gratz man :)"
00401796 | 89 04 24 | mov dword ptr ss:[esp],eax |
00401799 | E8 12 11 00 00 | call <ch15.printf> |
0040179E | C7 04 24 00 00 00 00 | mov dword ptr ss:[esp],0 |
004017A5 | E8 F6 10 00 00 | call <ch15.exit> |
004017AA | C7 04 24 60 40 40 00 | mov dword ptr ss:[esp],ch15.404060 | 404060:"Wrong password"
如图:
4.选中上一步骤得到的关键代码后右击选择“反编译”-->“选区”。
反编译该部分得到如下代码段:
/* Decompiler's view of the candidate password buffer: the function below
 * reads [ebp+8]+0 .. [ebp+8]+6 one byte at a time (see the movzx/cmp pairs
 * in the disassembly), so it is modelled as seven consecutive byte fields,
 * one per expected character. */
struct s0 {
uint8_t f0;
uint8_t f1;
uint8_t f2;
uint8_t f3;
uint8_t f4;
uint8_t f5;
uint8_t f6; // the password is 7 fields (bytes) long.
};
/* Decompiler's model of the stack frame addressed through ebp: f8 lies at
 * offset 8, i.e. [ebp+8], the first stack argument, which is dereferenced
 * as the password pointer.  `int8_t[8] pad8;` is decompiler pseudo-syntax
 * (array type before the name), not valid C. */
struct s1 {
int8_t[8] pad8;
struct s0* f8;
};
/* Import thunks the decompiler could not name.  Matching the disassembly:
 * fun_4028b0 is called where <ch15.printf> is (0x401715, 0x401799) and
 * fun_4028a0 where <ch15.exit> is (0x401721, 0x4017A5).  The call that
 * follows the "Wrong password" argument setup at 0x4017AA lies outside the
 * selected range, so fun_4028b8's identity cannot be read off this page. */
void fun_4028b0(int32_t a1); // printf
void fun_4028a0(int32_t a1); // exit
void fun_4028b8(int32_t a1); // unknown; called with the "Wrong password" string
/* Decompilation of the selected range 0x401706-0x4017AA.  The selection
 * starts mid-function: 0x401706-0x401721 is the tail of the caller
 * (printf("Usage: %s pass") followed by exit(0)), and the real prologue
 * (push ebp; mov ebp,esp at 0x401726) only comes after it.  The decompiler
 * therefore merged two routines into one, which is why ebp2 and v3 are read
 * without ever being assigned and why code after the first exit(0) still
 * appears.  Read it as a flattened picture of the check, not as compilable
 * C (static_cast and the uninitialised locals are decompiler artefacts). */
void fun_401706() {
struct s0* v1;   // [ebp+8]: pointer to the candidate password bytes
struct s1* ebp2; // stands for the frame pointer; never assigned (artefact)
int32_t v3;      // [ebp+C]: second stack argument, must equal 7 (presumably the length -- confirm against the caller)
uint32_t eax4;   // each eaxN receives one movzx'd byte; only its low byte (al) is compared
uint32_t eax5;
uint32_t eax6;
uint32_t eax7;
uint32_t eax8;
uint32_t eax9;
uint32_t eax10;
v1 = ebp2->f8;
fun_4028b0(0x404044); // printf("Usage: %s pass", ...) -- tail of the previous function
fun_4028a0(0);        // exit(0) -- nothing below is reachable from here; the real function begins at 0x401726
// The actual check: the second argument must be 7 and the seven bytes must be
// 'S','P','a','C','I','o','S' (83, 80, 97, 67, 73, 0x6f, 83).  Each byte is
// compared against an immediate (cmp al,XX), so the expected value is visible
// directly in the disassembly and in the strings -- nothing (hashing, encoding,
// obfuscation) stands between the reader and the password, hence "0 protection".
// *(int8_t*)&eaxN reads the low byte of eaxN on little-endian x86, i.e. al.
if (v3 == 7 && ((eax4 = static_cast<uint32_t>(v1->f0), *(int8_t*)&eax4 == 83) && ((eax5 = static_cast<uint32_t>(v1->f1), *(int8_t*)&eax5 == 80)
&& ((eax6 = static_cast<uint32_t>(v1->f2), *(int8_t*)&eax6 == 97) && ((eax7 = static_cast<uint32_t>(v1->f3), *(int8_t*)&eax7 == 67)
&& ((eax8 = static_cast<uint32_t>(v1->f4), *(int8_t*)&eax8 == 73) && ((eax9 = static_cast<uint32_t>(v1->f5), *(int8_t*)&eax9 == 0x6f)
&& (eax10 = static_cast<uint32_t>(v1->f6), *(int8_t*)&eax10 == 83)))))))) {
fun_4028b0(0x404053); // printf("Gratz man :)"); from the ASCII table the first byte, 83, is 'S', and continuing the same way the password is SPaCIoS
fun_4028a0(0);        // exit(0)
}
fun_4028b8(0x404060); // 0x404060 = "Wrong password"; the callee itself is outside the selected range
}
如图:
