buu CrackRTF

最新推荐文章于 2022-09-19 00:45:50 发布

Em0s_Er1t

最新推荐文章于 2022-09-19 00:45:50 发布

阅读量165

点赞数

分类专栏： CTF-RE 文章标签： python 安全 c语言

本文链接：https://blog.csdn.net/m0_46296905/article/details/121041856

版权

CTF-RE 专栏收录该内容

31 篇文章 6 订阅

订阅专栏

32位程序IDA反编译如下

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  DWORD v3; // eax
  DWORD v4; // eax
  char Str[260]; // [esp+4Ch] [ebp-310h] BYREF
  int v7; // [esp+150h] [ebp-20Ch]
  char String1[260]; // [esp+154h] [ebp-208h] BYREF
  char Destination[260]; // [esp+258h] [ebp-104h] BYREF

  memset(Destination, 0, sizeof(Destination));
  memset(String1, 0, sizeof(String1));
  v7 = 0;
  printf("pls input the first passwd(1): ");
  scanf("%s", Destination);
  if ( strlen(Destination) != 6 )
  {
    printf("Must be 6 characters!\n");
    ExitProcess(0);
  }
  v7 = atoi(Destination);
  if ( v7 < 100000 )
    ExitProcess(0);
  strcat(Destination, "@DBApp");
  v3 = strlen(Destination);
  sub_40100A(Destination, v3, String1);
  if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
  {
    printf("continue...\n\n");
    printf("pls input the first passwd(2): ");
    memset(Str, 0, sizeof(Str));
    scanf("%s", Str);
    if ( strlen(Str) != 6 )
    {
      printf("Must be 6 characters!\n");
      ExitProcess(0);
    }
    strcat(Str, Destination);
    memset(String1, 0, sizeof(String1));
    v4 = strlen(Str);
    sub_401019(Str, v4, String1);
    if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
    {
      if ( !sub_40100F(Str) )
      {
        printf("Error!!\n");
        ExitProcess(0);
      }
      printf("bye ~~\n");
    }
  }
  return 0;
}

知道了第一次输入在10000~999999之间，与@DBApp拼接之后用sub40100A函数加密与一串值比较
在这里插入图片描述
进入这个加密函数查看发现是做哈希运算，想到一些常见的散列算法得到的散列值位数

sha-1：160bit
md5：128bit
sha-256：256bit

然后计算一下那个明文的长度发现是160bit，推测是sha-1

为进一步确认，搜索CryptCreateHash函数的官方文档，发现第二个参数（即 0x8004）指明了算法的类型

这里把全部ALG_ID的参考值扒下来

Identifier	Value	Description
CALG_3DES	0x00006603	Triple DES encryption algorithm.
CALG_3DES_112	0x00006609	Two-key triple DES encryption with effective key length equal to 112 bits.
CALG_AES	0x00006611	Advanced Encryption Standard (AES). This algorithm is supported by the Microsoft AES Cryptographic Provider.
CALG_AES_128	0x0000660e	128 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider.
CALG_AES_192	0x0000660f	192 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider.
CALG_AES_256	0x00006610	256 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider.
CALG_AGREEDKEY_ANY	0x0000aa03	Temporary algorithm identifier for handles of Diffie-Hellman–agreed keys.
CALG_CYLINK_MEK	0x0000660c	An algorithm to create a 40-bit DES key that has parity bits and zeroed key bits to make its key length 64 bits. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_DES	0x00006601	DES encryption algorithm.
CALG_DESX	0x00006604	DESX encryption algorithm.
CALG_DH_EPHEM	0x0000aa02	Diffie-Hellman ephemeral key exchange algorithm.
CALG_DH_SF	0x0000aa01	Diffie-Hellman store and forward key exchange algorithm.
CALG_DSS_SIGN	0x00002200	DSA public key signature algorithm.
CALG_ECDH	0x0000aa05	Elliptic curve Diffie-Hellman key exchange algorithm.[!Note] This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported.
CALG_ECDH_EPHEM	0x0000ae06	Ephemeral elliptic curve Diffie-Hellman key exchange algorithm.[!Note] This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported.
CALG_ECDSA	0x00002203	Elliptic curve digital signature algorithm.[!Note] This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported.
CALG_ECMQV	0x0000a001	Elliptic curve Menezes, Qu, and Vanstone (MQV) key exchange algorithm. This algorithm is not supported.
CALG_HASH_REPLACE_OWF	0x0000800b	One way function hashing algorithm.
CALG_HUGHES_MD5	0x0000a003	Hughes MD5 hashing algorithm.
CALG_HMAC	0x00008009	HMAC keyed hash algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_KEA_KEYX	0x0000aa04	KEA key exchange algorithm (FORTEZZA). This algorithm is not supported.
CALG_MAC	0x00008005	MAC keyed hash algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_MD2	0x00008001	MD2 hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_MD4	0x00008002	MD4 hashing algorithm.
CALG_MD5	0x00008003	MD5 hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_NO_SIGN	0x00002000	No signature algorithm.
CALG_OID_INFO_CNG_ONLY	0xffffffff	The algorithm is only implemented in CNG. The macro, IS_SPECIAL_OID_INFO_ALGID, can be used to determine whether a cryptography algorithm is only supported by using the CNG functions.
CALG_OID_INFO_PARAMETERS	0xfffffffe	The algorithm is defined in the encoded parameters. The algorithm is only supported by using CNG. The macro, IS_SPECIAL_OID_INFO_ALGID, can be used to determine whether a cryptography algorithm is only supported by using the CNG functions.
CALG_PCT1_MASTER	0x00004c04	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_RC2	0x00006602	RC2 block encryption algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_RC4	0x00006801	RC4 stream encryption algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_RC5	0x0000660d	RC5 block encryption algorithm.
CALG_RSA_KEYX	0x0000a400	RSA public key exchange algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_RSA_SIGN	0x00002400	RSA public key signature algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_SCHANNEL_ENC_KEY	0x00004c07	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_SCHANNEL_MAC_KEY	0x00004c03	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_SCHANNEL_MASTER_HASH	0x00004c02	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_SEAL	0x00006802	SEAL encryption algorithm. This algorithm is not supported.
CALG_SHA	0x00008004	SHA hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_SHA1	0x00008004	Same as CALG_SHA. This algorithm is supported by the Microsoft Base Cryptographic Provider.
CALG_SHA_256	0x0000800c	256 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider…Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported.
CALG_SHA_384	0x0000800d	384 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider.Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported.
CALG_SHA_512	0x0000800e	512 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider.Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported.
CALG_SKIPJACK	0x0000660a	Skipjack block encryption algorithm (FORTEZZA). This algorithm is not supported.
CALG_SSL2_MASTER	0x00004c05	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_SSL3_MASTER	0x00004c01	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_SSL3_SHAMD5	0x00008008	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_TEK	0x0000660b	TEK (FORTEZZA). This algorithm is not supported.
CALG_TLS1_MASTER	0x00004c06	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.
CALG_TLS1PRF	0x0000800a	Used by the Schannel.dll operations system. This ALG_ID should not be used by applications.

确认了是SHA-1算法没错了，这里尝试用python的hashlib模块爆破一下得到第一个密码123321

import hashlib
for i in range(100000,999999):
    h = hashlib.sha1((str(i)+"@DBApp").encode('utf8'))
    if h.hexdigest()=="6e32d0943418c2c33385bc35a1470250dd8923a9":
        print((str(i)+"@DBApp").encode('utf-8'))
        break

再往下看这次的同样是做哈希，只不过不是sha-1，查表发现是md5，这次没有限定小范围，只告诉我们是6位数，爆破也很难爆破
在这里插入图片描述

先看看第三重关键函数sub_40100F（一些不知道功能的函数直接查文档就好）
读取这个exe文件集成的AAA资源文件，
在这里插入图片描述
打开ResourceHack查找一下这个AAA文件

进入sub_401005函数，这个函数就是把输入的密码组合起来然后跟上面AAA文件里的每一个字节循环异或，得到新的值再写入rtf文件

我们只要输入的password都是正确的，那么最终会生成一个rtf文件，里面应该有我们要的flag，第二次密码输入既然无法爆破，那就从rtf文件头入手，网上查了一下rtf文件头部为7B5C72746631，跟AAA文件的前6个数据异或一下就得到了密码

~!3a@0

两次输入密码之后，打开生成的rtf文件看到flag
在这里插入图片描述

Em0s_Er1t

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
打赏
0
评论
buu CrackRTF

32位程序IDA反编译如下int __cdecl main_0(int argc, const char **argv, const char **envp){ DWORD v3; // eax DWORD v4; // eax char Str[260]; // [esp+4Ch] [ebp-310h] BYREF int v7; // [esp+150h] [ebp-20Ch] char String1[260]; // [esp+154h] [ebp-208h] BYREF
复制链接

扫一扫