It is a 32-bit program; the IDA decompilation is as follows:
```c
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  DWORD v3; // eax
  DWORD v4; // eax
  char Str[260]; // [esp+4Ch] [ebp-310h] BYREF
  int v7; // [esp+150h] [ebp-20Ch]
  char String1[260]; // [esp+154h] [ebp-208h] BYREF
  char Destination[260]; // [esp+258h] [ebp-104h] BYREF

  memset(Destination, 0, sizeof(Destination));
  memset(String1, 0, sizeof(String1));
  v7 = 0;
  printf("pls input the first passwd(1): ");
  scanf("%s", Destination);
  if ( strlen(Destination) != 6 )
  {
    printf("Must be 6 characters!\n");
    ExitProcess(0);
  }
  v7 = atoi(Destination);                 // first password must be a number >= 100000
  if ( v7 < 100000 )
    ExitProcess(0);
  strcat(Destination, "@DBApp");          // Destination = "<passwd1>@DBApp"
  v3 = strlen(Destination);
  sub_40100A(Destination, v3, String1);   // hash (SHA-1, see below) -> hex string in String1
  if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
  {
    printf("continue...\n\n");
    printf("pls input the first passwd(2): ");
    memset(Str, 0, sizeof(Str));
    scanf("%s", Str);
    if ( strlen(Str) != 6 )
    {
      printf("Must be 6 characters!\n");
      ExitProcess(0);
    }
    strcat(Str, Destination);             // Str = "<passwd2><passwd1>@DBApp"
    memset(String1, 0, sizeof(String1));
    v4 = strlen(Str);
    sub_401019(Str, v4, String1);         // hash (MD5, see below) -> hex string in String1
    if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
    {
      if ( !sub_40100F(Str) )             // third stage: resource XOR -> rtf file
      {
        printf("Error!!\n");
        ExitProcess(0);
      }
      printf("bye ~~\n");
    }
  }
  return 0;
}
```
So the first input lies between 10000 and 999999; it is concatenated with @DBApp, encrypted with the sub_40100A function, and compared against a fixed string.
Stepping into this encryption function shows that it performs a hash computation. Recall the digest sizes of some common hash algorithms:
- sha-1:160bit
- md5:128bit
- sha-256:256bit
Measuring the length of that string gives 160 bits, so SHA-1 is the guess.
To confirm, search the official documentation for the CryptCreateHash function: its second parameter (here 0x8004) specifies the algorithm type.
Here is the full ALG_ID reference table, copied from the documentation:
| Identifier | Value | Description |
|---|---|---|
CALG_3DES | 0x00006603 | Triple DES encryption algorithm. |
CALG_3DES_112 | 0x00006609 | Two-key triple DES encryption with effective key length equal to 112 bits. |
CALG_AES | 0x00006611 | Advanced Encryption Standard (AES). This algorithm is supported by the Microsoft AES Cryptographic Provider. |
CALG_AES_128 | 0x0000660e | 128 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider. |
CALG_AES_192 | 0x0000660f | 192 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider. |
CALG_AES_256 | 0x00006610 | 256 bit AES. This algorithm is supported by the Microsoft AES Cryptographic Provider. |
CALG_AGREEDKEY_ANY | 0x0000aa03 | Temporary algorithm identifier for handles of Diffie-Hellman–agreed keys. |
CALG_CYLINK_MEK | 0x0000660c | An algorithm to create a 40-bit DES key that has parity bits and zeroed key bits to make its key length 64 bits. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_DES | 0x00006601 | DES encryption algorithm. |
CALG_DESX | 0x00006604 | DESX encryption algorithm. |
CALG_DH_EPHEM | 0x0000aa02 | Diffie-Hellman ephemeral key exchange algorithm. |
CALG_DH_SF | 0x0000aa01 | Diffie-Hellman store and forward key exchange algorithm. |
CALG_DSS_SIGN | 0x00002200 | DSA public key signature algorithm. |
CALG_ECDH | 0x0000aa05 | Elliptic curve Diffie-Hellman key exchange algorithm. Note: This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported. |
CALG_ECDH_EPHEM | 0x0000ae06 | Ephemeral elliptic curve Diffie-Hellman key exchange algorithm. Note: This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported. |
CALG_ECDSA | 0x00002203 | Elliptic curve digital signature algorithm. Note: This algorithm is supported only through Cryptography API: Next Generation. Windows Server 2003 and Windows XP: This algorithm is not supported. |
CALG_ECMQV | 0x0000a001 | Elliptic curve Menezes, Qu, and Vanstone (MQV) key exchange algorithm. This algorithm is not supported. |
CALG_HASH_REPLACE_OWF | 0x0000800b | One way function hashing algorithm. |
CALG_HUGHES_MD5 | 0x0000a003 | Hughes MD5 hashing algorithm. |
CALG_HMAC | 0x00008009 | HMAC keyed hash algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_KEA_KEYX | 0x0000aa04 | KEA key exchange algorithm (FORTEZZA). This algorithm is not supported. |
CALG_MAC | 0x00008005 | MAC keyed hash algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_MD2 | 0x00008001 | MD2 hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_MD4 | 0x00008002 | MD4 hashing algorithm. |
CALG_MD5 | 0x00008003 | MD5 hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_NO_SIGN | 0x00002000 | No signature algorithm. |
CALG_OID_INFO_CNG_ONLY | 0xffffffff | The algorithm is only implemented in CNG. The macro, IS_SPECIAL_OID_INFO_ALGID, can be used to determine whether a cryptography algorithm is only supported by using the CNG functions. |
CALG_OID_INFO_PARAMETERS | 0xfffffffe | The algorithm is defined in the encoded parameters. The algorithm is only supported by using CNG. The macro, IS_SPECIAL_OID_INFO_ALGID, can be used to determine whether a cryptography algorithm is only supported by using the CNG functions. |
CALG_PCT1_MASTER | 0x00004c04 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_RC2 | 0x00006602 | RC2 block encryption algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_RC4 | 0x00006801 | RC4 stream encryption algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_RC5 | 0x0000660d | RC5 block encryption algorithm. |
CALG_RSA_KEYX | 0x0000a400 | RSA public key exchange algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_RSA_SIGN | 0x00002400 | RSA public key signature algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_SCHANNEL_ENC_KEY | 0x00004c07 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_SCHANNEL_MAC_KEY | 0x00004c03 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_SCHANNEL_MASTER_HASH | 0x00004c02 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_SEAL | 0x00006802 | SEAL encryption algorithm. This algorithm is not supported. |
CALG_SHA | 0x00008004 | SHA hashing algorithm. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_SHA1 | 0x00008004 | Same as CALG_SHA. This algorithm is supported by the Microsoft Base Cryptographic Provider. |
CALG_SHA_256 | 0x0000800c | 256 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider…Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported. |
CALG_SHA_384 | 0x0000800d | 384 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider. Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported. |
CALG_SHA_512 | 0x0000800e | 512 bit SHA hashing algorithm. This algorithm is supported by Microsoft Enhanced RSA and AES Cryptographic Provider. Windows XP with SP3: This algorithm is supported by the Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype). Windows XP with SP2, Windows XP with SP1 and Windows XP: This algorithm is not supported. |
CALG_SKIPJACK | 0x0000660a | Skipjack block encryption algorithm (FORTEZZA). This algorithm is not supported. |
CALG_SSL2_MASTER | 0x00004c05 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_SSL3_MASTER | 0x00004c01 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_SSL3_SHAMD5 | 0x00008008 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_TEK | 0x0000660b | TEK (FORTEZZA). This algorithm is not supported. |
CALG_TLS1_MASTER | 0x00004c06 | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
CALG_TLS1PRF | 0x0000800a | Used by the Schannel.dll operations system. This ALG_ID should not be used by applications. |
That confirms it really is SHA-1. Here I brute-force it with Python's hashlib module and obtain the first password: 123321

```python
import hashlib

# Try every 6-digit number >= 100000 (the upper bound is exclusive, so 999999 is included)
for i in range(100000, 1000000):
    h = hashlib.sha1((str(i) + "@DBApp").encode('utf8'))
    # the binary compares case-insensitively, so compare against the lowercase digest
    if h.hexdigest() == "6e32d0943418c2c33385bc35a1470250dd8923a9":
        print((str(i) + "@DBApp").encode('utf-8'))
        break
```
Further down, the second check is also a hash, but not SHA-1: looking the identifier up in the table shows it is MD5. This time there is no narrow numeric range, only that the input is 6 characters, so brute-forcing is impractical.
First look at the third key function, sub_40100F (for functions whose purpose is unknown, just look them up in the documentation).
It reads the AAA resource embedded in this exe file;
open ResourceHack and locate this AAA resource.
Entering sub_401005: this function takes the combined password string and XORs it cyclically with every byte of the AAA resource above, then writes the resulting bytes to an rtf file.
As long as both passwords we enter are correct, an rtf file is generated that should contain the flag. Since the second password cannot be brute-forced, start from the rtf file header instead: a quick search shows that an rtf file begins with 7B5C72746631, and XORing that with the first 6 bytes of the AAA resource gives the password
~!3a@0
After entering both passwords, open the generated rtf file and the flag is there.
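The stage-3 step above, as an added example that is not code from the writeup or the challenge binary: the AAA bytes are not reproduced in the writeup, so the 6-byte resource prefix used here is derived from the two values the writeup gives (0x7B5C72746631 XOR "~!3a@0"). The `recover_key` helper also generalizes the step to longer known plaintext, using the extra bytes as a consistency check on the recovered key.

```python
# Constructed sample: RTF header bytes (b"{\\rtf1") and a resource prefix derived
# from the writeup's values, since the real AAA resource is not on the page.
RTF_HEADER = bytes.fromhex("7B5C72746631")
AAA_PREFIX = bytes([0x05, 0x7D, 0x41, 0x15, 0x26, 0x01])


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """The transform sub_401005 applies: XOR each byte of data with the key,
    cycling the key. XOR is its own inverse, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for repeating-key XOR.
    Needs at least key_len bytes of known plaintext. Any extra known bytes must
    agree with the key already recovered; a mismatch means the guessed key
    length or the assumed plaintext is wrong."""
    if len(known_plaintext) < key_len or len(ciphertext) < len(known_plaintext):
        raise ValueError("not enough known plaintext / ciphertext for key_len")
    key = bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))
    for i in range(key_len, len(known_plaintext)):
        if ciphertext[i] ^ known_plaintext[i] != key[i % key_len]:
            raise ValueError(f"plaintext byte {i} is inconsistent with the recovered key")
    return key


def recover_stage3_password(resource: bytes) -> str:
    """The writeup's step: second password = RTF header XOR first 6 resource bytes."""
    return recover_key(resource, RTF_HEADER, 6).decode("ascii")


if __name__ == "__main__":
    print(recover_stage3_password(AAA_PREFIX))  # ~!3a@0
    # round trip: XORing the header with the password gives the resource prefix back
    print(xor_repeating(RTF_HEADER, b"~!3a@0").hex())
```

Because the key is only 6 bytes and the output format (RTF) fixes the first bytes of the plaintext, the XOR layer adds no secrecy beyond the MD5 gate that precedes it.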