CodeEngn Basic RCE 풀이 보고서 - 전공체육
CodeEngn Basic RCE 풀이 보고서 - 전공체육
- of Syn3ck Team
upx.
.
.
.
call
,.
RegisteredUser,GFX754IER954
.
upx.upx.
.
OEP!(OriginalEntryPoint=.
.)
.()
..
chapter1..
chapter2..
chapter3..
..??
().
upxjmpOEP.
POPAD..
jmp.
??MessageBoxApush.OEP0040100C
.
,
3.
upx.
L09upx.
upx.
.L09.exe.
dump debugged process.
(Rebuildloadpe.)
ASPack..
RaiseException.
f8
.
bpcall.
.
jnz.
exception.nopfile
..
OK..
RegisteredWelldone!
exception
!!!
ASCII~~~??
.
.
.
.call..
..
1~x+1=x(?)2
.(2.)
2~x+1=x~x=x1
3.
3eax0
ebx1eax1ebx0
..
xor?
4eax=eax^ebx.
,AxorB=CA=BxorCGetDlgItemInt
keyxor
key.
4.
key.
@@@@@@@CMPEAX,7A2896BF!!!!!
7A2896BFkey.10~!
hexeditor
.
~~
C#?!C#.
Reflector!!
~.password
!!
Igotdab~
UPX.or.
MessageBoxA.
bp.
.Name
.
callSerial
.
NameSerial.
(nameserial.)
serial.
serial.
NameSerialc.
5.
.
(1
.)
GoodGood~(?)
textstrings.
!
cmpserialserial.
serial45B844.
serial45B844bp.
bp.
.
!!
C.
.
!!
!!!!!!!
~!!
*1. referenced string.
*2..
*3..
*4.
referenced text strings!
00404C3C
.
.
.
.
1,2,3,4,5
.
1,2,4,5.
3.
.
call.
call
ebxeaxeax[ebp6C].
load.
.0045ACEC.
64
MD5.
MD5statevariable.
3.
(.)
(PEiDKryptoANALyzerplugin
......)
Name>SerialSerial>Name
.
python2.7.
[+]
https://docs.google.com/file/d/0B_BlLbVn2PJQkdGd1ZYT2M2a2s
!
L17.
.Nameor
!!!~!!!!
^^
.
back to the user mode
.
alt+f9.
?
WaitForSingleObject
.
.
CreateThreadbp.
!!!
CreathThread..
eax0x138..
retn.
??.WaitForSingleObject
.
..
?
start_timesleep
start_time0x2B70.
0x2B70.dec~
0x12CRACKME3.KEY.
buffer.
~~
xor file content
.
!!
~~
Syn3ckTistory:http://syn3ck.tistory.com/
Email:xornrbboy@naver.com
*!
# Code by majorPE
import itertools
import struct
import time
from ctypes import *
from math import *
def Encrypt1stPart(Name):
    """Serial piece 1: fold every character of *Name* through multiply/square steps.

    The original kept the accumulator in a ctypes ``c_uint``; masking with
    0xFFFFFFFF after each step reproduces that 32-bit wrap-around.

    Returns the leading hex digits of the final value via ``hex()[2:6]``:
    at most four lowercase characters, fewer when the value is small (kept
    as in the original, which does not zero-pad).
    """
    mask = 0xFFFFFFFF
    acc = 0
    for ch in Name:
        acc = (acc + ord(ch)) & mask
        acc = (acc * 0x772) & mask
        acc = (acc * acc + acc) & mask   # res**2 + res in the original
        acc = (acc * 0x8E8) & mask
    return hex(acc)[2:6]
def Encrypt2stPart(Name):
    """Serial piece 2: per-character product, summed over the name read backwards.

    NOTE(review): the extracted source shows ``Name[::1]`` and ``0x110x5``;
    the minus signs are absent everywhere in the extraction, so these are read
    as ``Name[::-1]`` and ``0x11 - 0x5`` -- confirm against the original file.

    Each intermediate is reduced to 32 bits, matching the ``c_uint`` the
    original used. Returns ``hex(total)[2:6]`` (up to four lowercase hex
    digits, not zero-padded).
    """
    mask = 0xFFFFFFFF
    total = 0
    for ch in reversed(Name):
        term = (ord(ch) + 0x11 - 0x5) & mask
        term = (term * 0x92) & mask
        term = (term * 2) & mask
        term = (term * 0x819) & mask
        total = (total + term) & mask
    return hex(total)[2:6]
def Encrypt4stPart(Name):
    """Serial piece 4: chained accumulation over the name read backwards.

    ``carry`` feeds the previous round's result into the next character's
    sum. NOTE(review): the extracted source shows ``Name[::1]``; since minus
    signs were dropped by the extraction it is read as ``Name[::-1]`` --
    confirm against the original file. All arithmetic wraps at 32 bits, as
    the original's ``c_uint`` did. Returns ``hex(acc)[2:6]``.
    """
    mask = 0xFFFFFFFF
    acc = 0
    carry = 0
    for ch in reversed(Name):
        acc = (acc + ord(ch) + 0x929 + 0x767 + carry) & mask
        acc = (acc * 0x8392) & mask
        # The original first copied acc into k and then immediately
        # overwrote k with 0x33; only the 0x33 path affects the result.
        carry = (0x33 * acc) & mask
        carry = (carry + acc) & mask
    return hex(acc)[2:6]
def Encrypt5stPart(Name):
    """Serial piece 5: cube / xor-or / affine / square chain over each character.

    Every step is reduced to 32 bits to reproduce the ``c_uint`` wrap-around
    of the original. ``pow`` is deliberately not used: the file does
    ``from math import *``, which shadows the builtin with math.pow.
    Returns ``hex(acc)[2:6]`` (up to four lowercase hex digits).
    """
    mask = 0xFFFFFFFF
    acc = 0
    for ch in Name:
        code = ord(ch)
        acc = (acc + code) & mask
        acc = (acc * 2) & mask
        acc = (acc * acc * acc) & mask          # res**3 in the original
        acc = (acc ^ 0x10) | 0x44               # stays below 2**32
        acc = (acc * 0x373 + 0x443) & mask
        acc = (acc + code) & mask
        acc = (acc * acc) & mask
    return hex(acc)[2:6]
def Encrypt3stPart(Name):
    """Serial piece 3: first 8 hex digits of the L17-variant MD5 of Name + fixed suffix.

    The suffix is a constant 26-character string embedded in the target; it is
    appended to the name before hashing, so equal names always give equal
    pieces (a fixed suffix, not a per-user salt).
    """
    suffix_codes = (
        0x77, 0x30, 0x39, 0x2F, 0x26, 0x37, 0x32, 0x30, 0x28, 0x22, 0x3D, 0x29, 0x3D,
        0x21, 0x29, 0x26, 0x22, 0x29, 0x3F, 0x60, 0x22, 0x28, 0x3D, 0x28, 0xA7, 0x29,
    )
    salted = Name + "".join(chr(code) for code in suffix_codes)
    return MD5_for_L17(salted)[:8]
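# This MD5 uses a different initial state than the standard one.
# msg is a str (each character must be a code point < 256) or a bytes object.
def MD5_for_L17(msg, iv=(0xA3557D07, 0x62FB12D3, 0xEFD945F6, 0xE57AE29E)):
    """Return the 32-character hex MD5 digest of *msg* computed from the initial state *iv*.

    The algorithm (round functions, shift table, sine-derived constants,
    little-endian padding and output) is standard MD5; only the initial
    state differs. *iv* holds the four 32-bit register words (A, B, C, D).
    The default is the variant used by the L17 target; the standard MD5 state
    is ``(0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)`` (the original
    comments listed those words byte-reversed).

    Fixes over the original: each digest byte is rendered as exactly two hex
    digits (``hex()[2:4]`` dropped the leading zero of bytes below 0x10, so the
    digest length varied), integer division is explicit (``//``) so the code
    runs on Python 3, and no ctypes state is needed.

    Args:
        msg: str or bytes. A str is taken one code point per byte.
        iv: four 32-bit integers used as the initial (A, B, C, D) state.

    Returns:
        Lowercase 32-character hex string.

    Raises:
        ValueError: if a str code point does not fit in a byte.
    """
    mask = 0xFFFFFFFF
    # Per-round rotate amounts and the floor(abs(sin(i+1)) * 2**32) constants.
    r = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
    k = [int(abs(sin(i + 1)) * (1 << 32)) for i in range(64)]
    h0, h1, h2, h3 = (word & mask for word in iv)

    if isinstance(msg, str):
        data = bytearray(ord(ch) for ch in msg)   # same byte view Py2's ord() gave
    else:
        data = bytearray(msg)
    bit_len = (len(data) * 8) % (1 << 64)   # length is appended modulo 2**64
    data.append(0x80)                         # the single '1' bit
    while len(data) % 64 != 56:
        data.append(0)                        # zero-fill up to 448 bits mod 512
    for shift in range(0, 64, 8):
        data.append((bit_len >> shift) & 0xFF)  # original bit length, little-endian

    # Process each 512-bit chunk.
    for offset in range(0, len(data), 64):
        w = struct.unpack("<16I", data[offset:offset + 64])
        a, b, c, d = h0, h1, h2, h3
        for j in range(64):
            if j < 16:
                f = d ^ (b & (c ^ d))
                g = j
            elif j < 32:
                f = c ^ (d & (b ^ c))
                g = (5 * j + 1) % 16
            elif j < 48:
                f = b ^ c ^ d
                g = (3 * j + 5) % 16
            else:
                f = c ^ (b | (~d & mask))
                g = (7 * j) % 16
            x = (a + f + k[j] + w[g]) & mask
            rotated = ((x << r[j]) | (x >> (32 - r[j]))) & mask   # leftrotate(x, r[j])
            a, b, c, d = d, (b + rotated) & mask, b, c
        h0 = (h0 + a) & mask
        h1 = (h1 + b) & mask
        h2 = (h2 + c) & mask
        h3 = (h3 + d) & mask

    # Digest is the four state words in little-endian byte order, two hex digits per byte.
    digest = bytearray(struct.pack("<4I", h0, h1, h2, h3))
    return "".join("%02x" % byte for byte in digest)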
def EncryptName(Name):
    """Build the full serial for *Name*: the five pieces, space-separated, upper-cased.

    The separator is a single space, which is what SerialToName splits on.
    """
    pieces = [
        Encrypt1stPart(Name),
        Encrypt2stPart(Name),
        Encrypt3stPart(Name),
        Encrypt4stPart(Name),
        Encrypt5stPart(Name),
    ]
    return " ".join(pieces).upper()
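def NameToSerial():
    """Interactive: read a name from stdin and print the serial EncryptName derives for it.

    Ported to run on Python 3 as well as 2.7: print is used as a function and
    the prompt reader is picked at runtime. raw_input is preferred on Python 2
    because there the builtin input() evaluates the typed text as code.
    """
    try:
        read_line = raw_input   # Python 2
    except NameError:
        read_line = input       # Python 3: returns the raw text
    print("\nName To Serial")
    Name = read_line("Input name : ")
    print("Serial is " + EncryptName(Name))
    print("\n")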
def show_brute_res(Name, Serial, dt):
    """Print the brute-force result: the recovered name, the serial, and elapsed seconds."""
    report = (
        "[*] Brute Forsing Success!!",
        "Name : %s" % Name,
        "Serial : %s" % Serial,
        "time : %.3f sec" % dt,
    )
    for line in report:
        print(line)
def BruteForce(t_name, piece):
    """Return True when every serial piece matches the candidate name *t_name*.

    *piece* is the upper-cased serial split into its five parts. The cheap
    arithmetic pieces are compared first and the MD5-based piece 3 last, so a
    mismatch short-circuits before the hash is computed (same order as the
    original).
    """
    checks = (
        (0, Encrypt1stPart),
        (1, Encrypt2stPart),
        (3, Encrypt4stPart),
        (4, Encrypt5stPart),
        (2, Encrypt3stPart),
    )
    for index, part in checks:
        if piece[index] != part(t_name).upper():
            return False
    return True
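def SerialToName(max_len=None):
    """Interactive: read a serial and brute-force a printable-ASCII name that produces it.

    Candidate names are enumerated shortest-first over the characters
    0x20..0x7E, in the same order as the original's hand-written odometer
    (last character changes fastest), using itertools.product instead.

    Args:
        max_len: optional upper bound on the name length to try. None (the
            default) keeps the original's unbounded search, which never
            returns if no name matches.

    Ported to run on Python 3 as well as 2.7 (print as a function; raw_input
    on 2 because input() evaluates the typed text there). The serial is split
    on whitespace, so extra spaces between pieces are tolerated.
    """
    try:
        read_line = raw_input   # Python 2
    except NameError:
        read_line = input       # Python 3: returns the raw text
    print("\nSerial To Name")
    print("[*] Only support ascii [0x20 ~ 0x7E]")
    Serial = read_line("Input serial : ").upper()
    piece = Serial.split()
    if len(piece) != 5:
        print("Incorrect format serial!")
        return
    alphabet = [chr(code) for code in range(0x20, 0x7F)]
    st = time.time()
    t_len = 0
    while max_len is None or t_len < max_len:
        t_len += 1
        print("Brute Forsing on %d length..." % t_len)
        for chars in itertools.product(alphabet, repeat=t_len):
            t_name = "".join(chars)
            if BruteForce(t_name, piece):
                show_brute_res(t_name, Serial, time.time() - st)
                print("\n")
                return
    # Only reachable when max_len bounded the search.
    print("No name of length <= %d matches." % max_len)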
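def main():
    """Interactive menu loop: 1 = name to serial, 2 = serial to name, q = quit.

    Ported to run on Python 3 as well as 2.7: print is used as a function and
    the prompt reader is picked at runtime (raw_input on 2, since input()
    evaluates the typed text there). EOF on stdin ends the loop instead of
    raising; selections are looked up in a dispatch table.
    """
    try:
        read_line = raw_input   # Python 2
    except NameError:
        read_line = input       # Python 3: returns the raw text
    menu = "\n".join([
        "[+] Coding By majorPE",
        "Menu",
        "1. Name To Serial",
        "2. Serial To Name",
        "q. quit",
        "",
    ])
    actions = {"1": NameToSerial, "2": SerialToName}
    while True:
        print(menu)
        try:
            sel = read_line("sel > ").strip()
        except EOFError:
            break   # stdin closed: leave quietly rather than traceback
        if sel.lower() == "q":
            break
        action = actions.get(sel)
        if action is None:
            print("Incorrect Selection!\n")
        else:
            action()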
if __name__ == "__main__":
    # Start the interactive menu only when run as a script, not on import.
    main()