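Runtime analysis
- The username must be 4 to 50 characters long
- A failed validation returns Hello, Mr. Badboy!
PE analysis
- Program written in assembly (ASM), 32-bit, not packed
Static analysis
- Locate the key strings, then enter the main function and analyze it
- v0 is computed from the username; password1, password2, and password3 are then computed from v0 and concatenated to form the real password
Dynamic debugging
- Enter username=1234, set a breakpoint and run; when execution reaches the location shown in the screenshot above, the real password is visible
- Enter password=Bon-FFFFFF9A-FFEFCEA8-41720F48; the program returns Hello, Mr. Goodboy!, so the crack succeeds
- The address of password1 is 0040E0F8
Algorithm analysis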
username = 'concealbear'
password = ''
password1 = ''
password2 = ''
password3 = ''
password_adress = 0x0040E0F8
# Compute the value of v0
v0 = 0
for v1 in range(len(username)):
    v0 -= ord(username[v1]) - 25
v0 = 0xffffffff + 1 + v0 # v0 is negative, so convert it to its 8-digit hexadecimal (32-bit two's complement) form
password1 = hex(v0)[2:].upper()
password2 = hex(v0 * v0 * v0)[-8:].upper()
password3 = hex(password_adress * password_adress - password_adress)[-8:].upper()
password = 'Bon-' + password1 + '-' + password2 + '-' + password3
print(username + '的password为:\n' + password)
- Enter any username, run the algorithm to obtain the password, and verify that the crack succeeds