BUUCTF Reverse/CrackRTF
没有加壳,且为32位程序
找到main函数分析代码
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
DWORD v3; // eax
DWORD v4; // eax
char Str[260]; // [esp+4Ch] [ebp-310h] BYREF
int v7; // [esp+150h] [ebp-20Ch]
char String1[260]; // [esp+154h] [ebp-208h] BYREF
char Destination[260]; // [esp+258h] [ebp-104h] BYREF
memset(Destination, 0, sizeof(Destination));
memset(String1, 0, sizeof(String1));
v7 = 0;
printf("pls input the first passwd(1): ");
scanf("%s", Destination);
if ( strlen(Destination) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
v7 = atoi(Destination);
if ( v7 < 100000 )
ExitProcess(0);
strcat(Destination, "@DBApp");
v3 = strlen(Destination);
sub_40100A((BYTE *)Destination, v3, String1);
if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
{
printf("continue...\n\n");
printf("pls input the first passwd(2): ");
memset(Str, 0, sizeof(Str));
scanf("%s", Str);
if ( strlen(Str) != 6 )
{
printf("Must be 6 characters!\n");
ExitProcess(0);
}
strcat(Str, Destination);
memset(String1, 0, sizeof(String1));
v4 = strlen(Str);
sub_401019((BYTE *)Str, v4, String1);
if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
{
if ( !(unsigned __int8)sub_40100F(Str) )
{
printf("Error!!\n");
ExitProcess(0);
}
printf("bye ~~\n");
}
}
return 0;
}
有两串加密后的字符串,一个是40位,一个是32位,测一下是由什么加密的,得到一个是SHA-1加密,一个是MD532位加密
本来想找下网站看有没有爆破的,结果都爆破不出来
看输入的第一串字符有一个大于100000的条件,根据这个写出一个爆破脚本
v7 = atoi(Destination);
if ( v7 < 100000 )
ExitProcess(0);
脚本:
import hashlib
t = "@DBApp"
Str1 = "6E32D0943418C2C33385BC35A1470250DD8923A9"
Str1_l = Str1.lower() #将字符串中的大写字母转成小写
print(Str1_l)
for i in range(100000,999999):
s = str(i) + t
x = hashlib.sha1(s.encode())
cnt = x.hexdigest() #返回16进制字符串值
if Str1_l in cnt:
print(s)
运行结果
6e32d0943418c2c33385bc35a1470250dd8923a9
123321@DBApp
得到第一串字符为 123321
然后让你输入第二串字符串,再将前面得到的12331@DBApp拼接在后面,再进行MD5加密,得到
27019e688a4e62a649fd99cadaafdb4e
主要是这MD5真爆破不出来。。
看到这个函数还调用了Str函数,设Str 为 xxxxxx123321@DBApp
if ( !(unsigned __int8)sub_40100F(Str) )
{
printf("Error!!\n");
ExitProcess(0);
}
跟进查看
char __cdecl sub_4014D0(LPCSTR lpString)
{
LPCVOID lpBuffer; // [esp+50h] [ebp-1Ch]
DWORD NumberOfBytesWritten; // [esp+58h] [ebp-14h] BYREF
DWORD nNumberOfBytesToWrite; // [esp+5Ch] [ebp-10h]
HGLOBAL hResData; // [esp+60h] [ebp-Ch]
HRSRC hResInfo; // [esp+64h] [ebp-8h]
HANDLE hFile; // [esp+68h] [ebp-4h]
hFile = 0;
hResData = 0;
nNumberOfBytesToWrite = 0;
NumberOfBytesWritten = 0;
hResInfo = FindResourceA(0, (LPCSTR)0x65, "AAA");
if ( !hResInfo )
return 0;
nNumberOfBytesToWrite = SizeofResource(0, hResInfo);
hResData = LoadResource(0, hResInfo);
if ( !hResData )
return 0;
lpBuffer = LockResource(hResData);
sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);
hFile = CreateFileA("dbapp.rtf", 0x10000000u, 0, 0, 2u, 0x80u, 0);
if ( hFile == (HANDLE)-1 )
return 0;
if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0) )
return 0;
CloseHandle(hFile);
return 1;
}
这里又用了Str
sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);
是用Str里的字符与啥异或异或
unsigned int __cdecl sub_401420(LPCSTR lpString, int a2, int a3)
{
unsigned int result; // eax
unsigned int i; // [esp+4Ch] [ebp-Ch]
unsigned int v5; // [esp+54h] [ebp-4h]
v5 = lstrlenA(lpString);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= a3 )
break;
*(_BYTE *)(i + a2) ^= lpString[i % v5];
}
return result;
}
看了大佬的博客才知道这是与rtf文件中取的数据进行异或
大佬的脚本
s = "{\\rtf1"
a = [0x05,0x7D,0x41,0x15,0x26,0x01]
flag = ""
for i in range(0,len(s)):
x = ord(s[i]) ^ a[i]
flag += chr(x)
print(flag)
得到结果
~!3a@0
得到第二串字符为 ~!3a@0
依次输入这两串字符,在同文件夹下会生成一个rtf文件,里面就是flag
flag : Flag{N0_M0re_Free_Bugs}