ssctf crack5详述

crack5中的坑

注册验证函数中,各种int 3,致使进入通过SetUnhandledExceptionFilter设置的异常处理函数TopLevelExceptionFilter,在TopLevelExceptionFilter控制验证函数中的执行流程,由于先前我用的win7 x64调试,注册毫无反应,以为验证函数无法正常完整执行,so手工乱恢复,看了writeup之后,在xp中调试,你妹,居然可以正常执行…这是坑吗

某两大神writeup中的解题思路

  1. geek710 FROM SSEg33k

在TopLevelExceptionFilter亦有花,geek710大神的想法是,走一遍TopLevelExceptionFilter,去除功能代码,然后再要跳去执行验证函数的位置,nop验证函数中所有花,这样,一次执行完整之后,就可以得到无花的验证函数,beautiful,跟着这个思想走了一下,不晓得那弄错了,每次都异常退出,下面是提取的TopLevelExceptionFilter的大致代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
00401336    87ED            xchg ebp,ebp
0040134A    8BDB            mov ebx,ebx                              ; CrackMe.004012F0

00401354    8B4424 04       mov eax,dword ptr ss:[esp+0x4]//STRUCT _EXCEPTION_POINTERS *ExceptionInfo 
00401442    8B08            mov ecx,dword ptr ds:[eax]//exp->ExceptionRecord
0040139A    8139 03000080   cmp dword ptr ds:[ecx],0x80000003 //exp->ExceptionRecord == int 3
0040144A  ^\0F85 14FFFFFF   jnz CrackMe.00401364

//不是 int 3
00401391    33C0            xor eax,eax
0040140D    C2 0400         retn 0x4

//是int 3
0040138A    56              push esi                                 ; kernel32.7C885780
00401471    8B70 04         mov esi,dword ptr ds:[eax+0x4]//exp->ContextRecord; 
0040149F    8B96 B8000000   mov edx,dword ptr ds:[esi+0xB8]          ; CrackMe.0040164B

004014B8    803A CC         cmp byte ptr ds:[edx],0xCC

004012F2   /0F85 D6000000   jnz CrackMe.004013CE 

//是int 3
00401329    42              inc edx                                  ; CrackMe.0040164B
004013B0    87ED            xchg ebp,ebp
004013C4    8BDB            mov ebx,ebx                              ; CrackMe.004012F0
jmp 004014A8

//不是int 3了,0xCC
004014A8    8A0A            mov cl,byte ptr ds:[edx]
004013F1    8AC1            mov al,cl
004014D0    C0E0 06         shl al,0x6
00401477    C0E9 02         shr cl,0x2
00401495    02C1            add al,cl
0040149A    34 0D           xor al,0xD
004014B0    8AC8            mov cl,al
00401430    C0E9 05         shr cl,0x5
004014CA    C0E0 03         shl al,0x3
004014D6    87ED            xchg ebp,ebp
004014EA    8BDB            mov ebx,ebx                              ; CrackMe.004012F0
004014F4    02C8            add cl,al
004014C1    80C1 11         add cl,0x11
004012FF    8AC1            mov al,cl
004013AA    C0E0 05         shl al,0x5
004013DA    C0E9 03         shr cl,0x3
0040146C    02C1            add al,cl
0040141F    34 51           xor al,0x51
0040147D    8AC8            mov cl,al
004013D4    C0E1 07         shl cl,0x7
004013FF    D0E8            shr al,1
00401367    87ED            xchg ebp,ebp
0040137B    8BDB            mov ebx,ebx                              ; CrackMe.004012F0
00401385    02C8            add cl,al
00401407    80E9 6F         sub cl,0x6F
0040145A    81E1 FF000000   and ecx,0xFF
00401463    81E1 07000080   and ecx,0x80000007

00401424    03D1            add edx,ecx
00401307    87ED            xchg ebp,ebp
0040131B    8BDB            mov ebx,ebx                              ; CrackMe.004012F0
00401325    42              inc edx                                  ; CrackMe.00401653
004013E7    83C8 FF         or eax,0xFFFFFFFF
00401416    8996 B8000000   mov dword ptr ds:[esi+0xB8],edx          ; CrackMe.00401654

//清楚混淆的代码,填充0x90
0040136E    8BCA            mov ecx,edx
00401370    2BCF            sub ecx,edi
00401372    B0 90           mov al,0x90
00401374    F3:AA           rep stos byte ptr es:[edi]

004013E7    83C8 FF         or eax,0xFFFFFFFF

0040142C    5E              pop esi                                  ; kernel32.7C885780
00401439    C2 0400         retn 0x4

本来这个是很妙的方法,但是无奈没成功,换一个思路

  1. Anonymous

这个方法较麻烦,在 00401416 mov dword ptr ds:[esi+0xB8],edx 处下条件断点,byte ptr[edx] != 0xCC,每次断下之后,记录edx指向的代码(新的int 3之前),完整记录之后,就是注册验证的代码,手工记录如下(不会脚本啊):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
0040168D    6A 01           push 0x1
0040168F    E8 30100000     call <jmp.&MFC42.#6334>
004016CE    BB E2D90100     mov ebx,0x1D9E2
00401715    8D77 64         lea esi,dword ptr ds:[edi+0x64]
00401718    6A 00           push 0x0
0040171A    8BCE            mov ecx,esi
0040171C    E8 9D0F0000     call <jmp.&MFC42.#2915>
00401721    8945 F8         mov dword ptr ss:[ebp-0x8],eax
0040175A    8B06            mov eax,dword ptr ds:[esi]
0040175C    8B48 F8         mov ecx,dword ptr ds:[eax-0x8]
0040175F    894D FC         mov dword ptr ss:[ebp-0x4],ecx
004017A1    8B36            mov esi,dword ptr ds:[esi]
004017A3    68 0C414000     push CrackMe.0040410C
004017A8    56              push esi
004017A9    8B35 B4314000   mov esi,dword ptr ds:[<&MSVCRT._mbscmp>] ; msvcrt._mbscmp
004017AF    FFD6            call esi
004017B1    83C4 08         add esp,0x8
004017B4    85C0            test eax,eax
004017B6    74 4C           je short CrackMe.00401804
004017F2    8B47 60         mov eax,dword ptr ds:[edi+0x60]
004017F5    68 0C414000     push CrackMe.0040410C
004017FA    50              push eax
004017FB    FFD6            call esi
004017FD    83C4 08         add esp,0x8
00401800    85C0            test eax,eax
00401802    75 17           jnz short CrackMe.0040181B
00401804    6A 00           push 0x0
00401806    6A 00           push 0x0
00401808    68 2C404000     push CrackMe.0040402C                    ; ASCII "注册失败!"
0040180D    8BCF            mov ecx,edi
0040180F    E8 A40E0000     call <jmp.&MFC42.#4224>
00401814    5F              pop edi
00401815    5E              pop esi
00401816    5B              pop ebx
00401817    8BE5            mov esp,ebp
00401819    5D              pop ebp
0040181A    C3              retn

004018ED    8B45 FC         mov eax,dword ptr ss:[ebp-0x4]
004018F0    8B55 F8         mov edx,dword ptr ss:[ebp-0x8]
004018F3    83C9 FF         or ecx,0xFFFFFFFF
004018F6    8D7410 01       lea esi,dword ptr ds:[eax+edx+0x1]
004018FA    2BCA            sub ecx,edx

004018FC    8BC6            mov eax,esi

00401947    0FBE50 FE       movsx edx,byte ptr ds:[eax-0x2]
0040194B    48              dec eax
0040194C    03DA            add ebx,edx
00401994    8D149B          lea edx,dword ptr ds:[ebx+ebx*4]
00401997    8D14D3          lea edx,dword ptr ds:[ebx+edx*8]
0040199A    8D1C52          lea ebx,dword ptr ds:[edx+edx*2]
004019E4    8818            mov byte ptr ds:[eax],bl
00401A22    81F3 3A45AC14   xor ebx,0x14AC453A
00401A66    0018            add byte ptr ds:[eax],bl
00401AA1    8D1401          lea edx,dword ptr ds:[ecx+eax]
00401AA4    85D2            test edx,edx
00401AA6  ^ 0F8F 52FEFFFF   jg CrackMe.004018FE

00401B42    8BC6            mov eax,esi

00401B96    0FBE50 FE       movsx edx,byte ptr ds:[eax-0x2]
00401B9A    48              dec eax
00401B9B    03DA            add ebx,edx
00401BD6    8D149B          lea edx,dword ptr ds:[ebx+ebx*4]
00401BD9    8D14D3          lea edx,dword ptr ds:[ebx+edx*8]
00401BDC    8D1C52          lea ebx,dword ptr ds:[edx+edx*2]
00401C2F    8818            mov byte ptr ds:[eax],bl
00401C6C    81E3 46A554A4   and ebx,0xA454A546
00401CAE    0018            add byte ptr ds:[eax],bl
00401CF8    8D1408          lea edx,dword ptr ds:[eax+ecx]
00401CFB    85D2            test edx,edx
00401CFD  ^ 0F8F 41FEFFFF   jg CrackMe.00401B44

00401D92    8BC6            mov eax,esi

00401DDC    0FBE50 FE       movsx edx,byte ptr ds:[eax-0x2]
00401DE0    48              dec eax
00401DE1    03DA            add ebx,edx
00401E27    8D149B          lea edx,dword ptr ds:[ebx+ebx*4]
00401E2A    8D14D3          lea edx,dword ptr ds:[ebx+edx*8]
00401E2D    8D1C52          lea ebx,dword ptr ds:[edx+edx*2]
00401E75    8818            mov byte ptr ds:[eax],bl
00401ECD    81CB 37214715   or ebx,0x15472137
00401F0A    0018            add byte ptr ds:[eax],bl
00401F4E    8D1408          lea edx,dword ptr ds:[eax+ecx]
00401F51    85D2            test edx,edx
00401F53  ^ 0F8F 3BFEFFFF   jg CrackMe.00401D94

00401F9E    8BC3            mov eax,ebx
00401FA0    33D2            xor edx,edx
00401FA2    B9 1F011500     mov ecx,0x15011F
00401FA7    F7F1            div ecx
00401FA9    8BDA            mov ebx,edx

00401FF0    8D77 60         lea esi,dword ptr ds:[edi+0x60]
00401FF3    6A 00           push 0x0
00401FF5    8BCE            mov ecx,esi
00401FF7    E8 C2060000     call <jmp.&MFC42.#2915>

00402043    8B16            mov edx,dword ptr ds:[esi]
00402045    8B52 F8         mov edx,dword ptr ds:[edx-0x8]
004020D5    33C9            xor ecx,ecx
00402111    83CE FF         or esi,0xFFFFFFFF
00402114    8D5402 01       lea edx,dword ptr ds:[edx+eax+0x1]
00402118    2BF0            sub esi,eax

004021A6    0FBE42 FE       movsx eax,byte ptr ds:[edx-0x2]
004021AA    4A              dec edx
004021AB    8D0C89          lea ecx,dword ptr ds:[ecx+ecx*4]
004021AE    8D4C48 D0       lea ecx,dword ptr ds:[eax+ecx*2-0x30]
004021F9    880A            mov byte ptr ds:[edx],cl
00402245    8D0432          lea eax,dword ptr ds:[edx+esi]
00402248    85C0            test eax,eax
0040224A  ^ 0F8F CAFEFFFF   jg CrackMe.0040211A

00402290    3BD9            cmp ebx,ecx
00402292    75 17           jnz short CrackMe.004022AB
00402294    6A 00           push 0x0
00402296    6A 00           push 0x0
00402298    68 20404000     push CrackMe.00404020                    ; ASCII "注册成功!"
0040229D    8BCF            mov ecx,edi
0040229F    E8 14040000     call <jmp.&MFC42.#4224>
004022A4    5F              pop edi
004022A5    5E              pop esi
004022A6    5B              pop ebx
004022A7    8BE5            mov esp,ebp
004022A9    5D              pop ebp
004022AA    C3              retn

00402384    6A 00           push 0x0
00402386    6A 00           push 0x0
00402388    68 2C404000     push CrackMe.0040402C                    ; ASCII "注册失败!"
0040238D    8BCF            mov ecx,edi
0040238F    E8 24030000     call <jmp.&MFC42.#4224>

根据这个写出注册机就行

注册算法

待续

谢谢你请我吃糖果

微信

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

Windows Kernel/Rootkit/Reverse Engineer/Expolit<br/>内核研究/逆向分析/漏洞分析挖掘