Re_Windows: brute-forcing exe programs

The best approach to brute forcing, and what the z3 solver is

z3

Installing z3

I install into a virtual environment on a VM. z3 is not a module of angr, but angr depends on the z3 Python bindings (through its constraint layer, claripy), so installing angr pulls z3 in and it can be used directly afterwards.
1. Install the virtualenv tooling; all environments are kept under one directory
pip install virtualenvwrapper
2. Configure the virtual environment

mkdir $HOME/.ven                                          # create the working directory
vim $HOME/.bashrc                                         # edit the shell startup file
export WORKON_HOME=$HOME/.ven                             # add these two lines to the file so they run at every login
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh  # the path differs between machines; locate it with: find / -name virtualenvwrapper.sh

Or just run them directly:
export WORKON_HOME=$HOME/.ven
source /usr/share/virtualenvwrapper/virtualenvwrapper.sh

3. Working with virtual environments

mkvirtualenv env1     # create an environment
workon                # list existing environments (workon env1 switches into one)
deactivate            # leave the current environment
rmvirtualenv env1     # delete an environment (takes the environment name)

4. Install angr

mkvirtualenv angr
pip install angr

What is the z3 solver?

z3 is an SMT solver (that is, a theorem prover) developed by Microsoft Research. It decides whether a set of logical constraints is satisfiable and, if it is, produces a model: concrete values that satisfy every constraint.
In plain terms, it solves equations. For example, solving a system of two linear equations with z3 constraint solving:
x - y == 3
3x - 8y == 4

from z3 import Int, Solver, sat

x = Int('x')
y = Int('y')
solver = Solver()
solver.add(x - y == 3)
solver.add(3 * x - 8 * y == 4)
if solver.check() == sat:    # sat: a solution exists; unsat: the constraints contradict
    print(solver.model())    # prints the model, here x = 4, y = 1

angr

angr is an easy-to-use binary analysis suite that can do dynamic symbolic execution and several kinds of static analysis; this is a brief record of how it is used, and the detailed documentation is on the angr project site. Symbolic execution is a program analysis technique that finds inputs which make a particular region of code execute. When a program is analysed with symbolic execution it runs on symbolic values as input rather than the concrete values of a normal run. When execution reaches the target code, the analyser has collected the path constraints along the way, and a constraint solver turns them into concrete values that trigger that code.[1] Symbolic simulation applies the same idea to hardware, and symbolic computation applies it to mathematical expressions. angr is very powerful and takes a lot of practice.

Windows brute forcing

1. Brute-forcing a Windows exe

Straight to the code; it may be useful later, so it is recorded here.

# -*- coding: utf8 -*-
import subprocess
import threading
import time

pname = 'crackme.exe'
err = "错误"                  # the string the crackme prints on a wrong answer
found = threading.Event()    # set once a candidate is accepted; tells the other threads to stop


def crack(source):
    if found.is_set():
        return
    p = subprocess.Popen(pname, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    out, _ = p.communicate(input=source.encode('utf8'))
    data = out.decode('gbk', errors='replace')   # the Windows console output is GBK
    if err in data:
        return
    print(source)
    found.set()   # exit() inside a worker thread only ends that thread, so signal instead


def inputC():
    # candidate format: <a>x<b>xX with a, b in 0..350
    return [f"{a}x{b}xX" for a in range(351) for b in range(351)]


def main():
    dic = inputC()
    print(len(dic))
    minutes = 0
    n1 = time.time()
    for source in dic:
        if found.is_set():
            break
        threading.Thread(target=crack, args=(source,)).start()
        n2 = time.time()
        if n2 - n1 > 60:
            n1 = n2
            minutes += 1
            print(minutes)   # elapsed running time in minutes
        # keep at most about 20 worker threads alive: below 20 start the next one,
        # at 20 or more wait until some of them finish
        while len(threading.enumerate()) >= 20 and not found.is_set():
            time.sleep(0.01)


if __name__ == "__main__":
    main()
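An added example, not the author's script, of the same stdin-oracle loop with the three things the script above cannot give you: a bounded worker pool, a timeout per candidate (a hung crackme would otherwise hold a slot forever), and an early return that actually ends the search. There is no crackme.exe to run here, so the target is a constructed stand-in: a one-line Python program that reads a line from stdin and prints right or wrong; its accepted key 7x4xX and both markers are made up for the demo. For the real target pass cmd=['crackme.exe'], err_marker='错误' and encoding='gbk'.

```python
import itertools
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for crackme.exe so the harness runs offline: it reads one
# line from stdin and answers "right" only for the made-up key 7x4xX.
FAKE_CRACKME = [
    sys.executable, "-c",
    "import sys; s = sys.stdin.readline().strip(); "
    "print('right' if s == '7x4xX' else 'wrong')",
]


def check(cmd, candidate, err_marker, encoding="gbk", timeout=5.0):
    """Feed one candidate to the target's stdin; True if it was not rejected.

    A hang counts as a miss (the timeout kills the child), and so does empty
    output: a crash that prints nothing must not be mistaken for success.
    """
    try:
        p = subprocess.run(cmd, input=(candidate + "\n").encode(encoding),
                           capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    out = p.stdout.decode(encoding, errors="replace")
    return bool(out.strip()) and err_marker not in out


def candidates(limit=351):
    """The page's keyspace: <a>x<b>xX with a, b in range(limit)."""
    for a in range(limit):
        for b in range(limit):
            yield f"{a}x{b}xX"


def brute(cmd, cands, err_marker, encoding="gbk", workers=8):
    """Run candidates through a bounded pool, batch by batch; return the first hit or None."""
    cands = iter(cands)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            batch = list(itertools.islice(cands, workers * 4))
            if not batch:
                return None
            hits = pool.map(lambda c: check(cmd, c, err_marker, encoding), batch)
            for cand, hit in zip(batch, hits):
                if hit:
                    return cand


if __name__ == "__main__":
    # Small keyspace against the stand-in; for the real crackme use
    # brute(["crackme.exe"], candidates(), "错误", "gbk").
    print(brute(FAKE_CRACKME, candidates(8), "wrong", "utf-8"))
```

Batching keeps only a few dozen futures in flight, so the full 351 x 351 keyspace does not allocate 123,201 thread objects up front; the cost that remains is one process spawn per candidate, which is inherent to treating the binary as a black box.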

Shift cipher brute force

# coding=utf-8
s = "d4e8e1f4a0f7e1f3a0e6e1f3f4a1a0d4e8e5a0e6ece1e7a0e9f3baa0c4c4c3d4c6fbb9b2b2e1e2b9b9b7b4e1b4b7e3e4b3b2b2e3e6b4b3e2b5b0b6b1b0e6e1e5e1b5fd"
data = bytes.fromhex(s)   # the regex plus slicing of the original did this by hand
for j in range(129):      # try every shift 0..128
    # every ciphertext byte is >= 0xa0, so b - j never goes negative in this range
    k = ''.join(chr(b - j) for b in data)
    if "DDCTF" in k or "ddctf" in k:
        print(k)
        print(j)
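An added example, not from the original post, that generalises the loop above: the ciphertext is the page's own hex string, but instead of one shift direction and one crib it tries every additive shift and every single-byte XOR key, optionally filters on a crib, and ranks what is left by how much of the output is printable, so it still works when no substring of the plaintext is known. The function names and the scoring rule are mine.

```python
import string

# The page's ciphertext (hex), used here as the sample input.
CIPHERTEXT = bytes.fromhex(
    "d4e8e1f4a0f7e1f3a0e6e1f3f4a1a0d4e8e5a0e6ece1e7a0e9f3baa0c4c4c3d4c6fb"
    "b9b2b2e1e2b9b9b7b4e1b4b7e3e4b3b2b2e3e6b4b3e2b5b0b6b1b0e6e1e5e1b5fd"
)

PRINTABLE = frozenset(string.printable.encode())


def sub_decrypt(data, key):
    """Undo an additive shift: p = (c - key) mod 256."""
    return bytes((c - key) & 0xFF for c in data)


def xor_decrypt(data, key):
    """Undo a single-byte XOR: p = c ^ key."""
    return bytes(c ^ key for c in data)


def printable_ratio(candidate):
    """Share of bytes that are printable ASCII; 1.0 means the whole buffer is text."""
    return sum(c in PRINTABLE for c in candidate) / len(candidate)


def brute_single_byte(data, crib=None):
    """Try all 256 shifts and all 256 XOR keys.

    Returns (score, method, key, plaintext) tuples, best score first. If a crib
    (a known plaintext fragment) is given, candidates that lack it are dropped.
    """
    results = []
    for key in range(256):
        for method, fn in (("sub", sub_decrypt), ("xor", xor_decrypt)):
            pt = fn(data, key)
            if crib is not None and crib not in pt:
                continue
            results.append((printable_ratio(pt), method, key, pt))
    results.sort(key=lambda r: r[0], reverse=True)
    return results


if __name__ == "__main__":
    for score, method, key, pt in brute_single_byte(CIPHERTEXT, crib=b"DDCTF"):
        print(f"{method} key=0x{key:02x} score={score:.2f} {pt!r}")
```

Two hits come back for this input, sub 0x80 and xor 0x80, and they are the same plaintext: every ciphertext byte has its high bit set, so subtracting 0x80 and XORing with 0x80 are the same operation here. Without a crib the printable ratio alone cannot separate shift 127 from shift 128 (both outputs are entirely printable), so use a crib or a letter-frequency score whenever one is available.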

A certain competition (某秋)

Playing CTF and doubting myself to the point of madness: I could not write the code, so I am recording it here for future use.

1. Junk instructions (花指令)

6789abcd -> 3637383961626364 -> 6789abcd   (string to ASCII hex and back)
https://www.bejson.com/convert/ox2str/

b = '66778899' -> [0x66, 0x77, 0x88, 0x99]

def fen(b):
    # Split a hex string into byte pairs and return them as hex literals,
    # e.g. '66778899' -> ['0x66', '0x77', '0x88', '0x99'].
    # The original walked the string six characters (three bytes) at a time and
    # only worked for lengths that are a multiple of six; this works for any even length.
    n = [b[i:i + 2] for i in range(0, len(b), 2)]
    return [hex(int(x, 16)) for x in n]

Finally, my own code for juckcode.
Approach

flag + base64
k = flag + 0x40 + base64
flag = (k * 7) % 256
flag = ((flag + 0x40) * 7) % 256
Algorithm 1
ZpYA mqmA 9+LC
uppercase - 0x41
lowercase - 0x47
digits + 0x4
'+' + 0x13
0x7a 'z' .. 0x61 'a'  ->  0x33 .. 0x1a
0x5a 'Z' .. 0x40 'A'  ->  0x19 .. 0x00
digits 0-9            ->  0x34 .. 0x3d
0x3e                  ->  0x3e - 0x13
Algorithm 2 (four 6-bit values a1..a4 give three bytes; two test inputs)
a1 = 0x2c
a2 = 0x30
a3 = 0x2c
a4 = 0
a1 = 0x19
a2 = 0x29
a3 = 0x18
a4 = 0
k = a1 * 4 + (a2 & 0x30) / 16              # first byte
print(k)
k = (a3 & 0x3c) / 4 + (a2 & 0x0f) * 16     # second byte
print(k)
k = ((a3 & 0x03) * 2 ** 6) % 256 + a4      # third byte
print(k)

Code

# coding:utf-8
import base64

# Splitting flag_enc into bytes (the pipeline I used, kept here as comments):
# a = 'FFIF@@IqqIH@sGBBsBHFAHH@FFIuB@tvrrHHrFuBD@qqqHH@GFtuB@EIqrHHCDuBsBqurHH@EuGuB@trqrHHCDuBsBruvHH@FFIF@@AHqrHHEEFBsBGtvHH@FBHuB@trqrHHADFBD@rquHH@FurF@@IqqrHHvGuBD@tCDHH@EuGuB@tvrrHHCDuBD@tCDHH@FuruB@tvrIH@@DBBsBGtvHH@GquuB@EIqrHHvGuBsBtGEHH@EuGuB@tvrIH@BDqBsBIFEHH@GFtF@@IqqrHHEEFBD@srBHH@GBsuB@trqrHHIFFBD@rquHH@FFIuB@tvrrHHtCDB@@'
# c = []
# for i in a:
#     c.append(chr(ord(i) - 16))     # undo the +0x10 on every hex digit
# b = "".join(c)
# n = fen(b)                         # byte pairs, fen() as defined above
# print(n)

c1 = []   # base64 characters recovered by bp1()


# Match characters
def bp():
    # n = ['66', '96', '00', '9a', 'a9', '80', 'c7', '22', 'c2', '86', '18', '80', '66', '9e', '20', 'df', 'bb', '88', 'b6', 'e2', '40', 'aa', 'a8', '80', '76', 'de', '20', '59', 'ab', '88', '34', 'e2', 'c2', 'ae', 'b8', '80', '5e', '7e', '20', 'db', 'ab', '88', '34', 'e2', 'c2', 'be', 'f8', '80', '66', '96', '00', '18', 'ab', '88', '55', '62', 'c2', '7d', 'f8', '80', '62', '8e', '20', 'db', 'ab', '88', '14', '62', '40', 'ba', 'e8', '80', '6e', 'b6', '00', '9a', 'ab', '88', 'f7', 'e2', '40', 'd3', '48', '80', '5e', '7e', '20', 'df', 'bb', '88', '34', 'e2', '40', 'd3', '48', '80', '6e', 'be', '20', 'df', 'b9', '80', '04', '22', 'c2', '7d', 'f8', '80', '7a', 'ee', '20', '59', 'ab', '88', 'f7', 'e2', 'c2', 'd7', '58', '80', '5e', '7e', '20', 'df', 'b9', '80', '24', 'a2', 'c2', '96', '58', '80', '76', 'd6', '00', '9a', 'ab', '88', '55', '62', '40', 'cb', '28', '80', '72', 'ce', '20', 'db', 'ab', '88', '96', '62', '40', 'ba', 'e8', '80', '66', '9e', '20', 'df', 'bb', '88', 'd3', '42', '00']
    # k = len(n)
    # print(k)
    # for i in range(0, k - 3, 3):          # one 3-byte group at a time
    #     k1, k2, k3 = int(n[i], 16), int(n[i + 1], 16), int(n[i + 2], 16)
    #     print(i, hex(k1), hex(k2), hex(k3))
    #     bp1(k1, k2, k3)
    # bp1(int(n[k - 3], 16), int(n[k - 2], 16), int(n[k - 1], 16))
    q = []
    recovered = [90, 109, 120, 104, 90, 51, 116, 113, 100, 87, 78, 114, 88, 50, 78, 118, 90, 71, 86, 102, 89, 50, 70, 117, 98, 109, 48, 88, 51, 78, 48, 98, 51, 66, 102, 101, 87, 49, 88, 51, 74, 108, 100, 109, 86, 121, 99, 50, 108, 117, 90, 51, 48]
    print(recovered)   # characters recovered so far, as ASCII codes
    for code in recovered:
        q.append(chr(code))
    print("".join(q))


def bp1(k1, k2, k3):
    # Brute-force the four 6-bit values a1..a4 behind one 3-byte group (k1, k2, k3).
    # The search range is 0x2f-0x41 .. 0x7a-0x41, i.e. 75**4 combinations per group: very slow.
    begin = 0x2f - 0x41
    end = 0x7a - 0x41
    for a1 in range(begin, end):
        for a2 in range(begin, end):
            for a3 in range(begin, end):
                for a4 in range(begin, end):
                    if (a1 * 4 + (a2 & 0x30) // 16 == k1
                            and (a3 & 0x3c) // 4 + (a2 & 0x0f) * 16 == k2
                            and ((a3 & 0x03) * 2 ** 6) % 256 + a4 == k3):
                        k = pandun(a1)
                        print(chr(k))
                        c1.append(chr(k))
                        return   # first match found; the original used a flag and breaks


def pandun(x1):
    # Map a 6-bit value to its base64 character
    if 0 <= x1 <= 0x19:          # 0..25   -> 'A'..'Z'
        x1 = int(x1) + 0x41
    elif 0x1a <= x1 <= 0x33:     # 26..51  -> 'a'..'z'
        x1 = int(x1) + 0x47
    elif 0x34 <= x1 <= 0x3d:     # 52..61  -> '0'..'9'
        x1 = int(x1) - 0x4
    else:                        # 62      -> '+'
        x1 = int(x1) - 0x13
    return x1


def test():
    # Forward direction: the three bytes produced from a1..a4
    a1 = 0x2c
    a2 = 0x30
    a3 = 0x2c
    a4 = 0
    k = a1 * 4 + (a2 & 0x30) // 16
    print(hex(k))
    k = (a3 & 0x3c) // 4 + (a2 & 0x0f) * 16
    print(hex(k))
    k = ((a3 & 0x03) * 2 ** 6) % 256 + a4
    print(hex(k))


if __name__ == '__main__':
    bp()

Here I stepped through it in OD one instruction at a time; still not patient enough.
Afterwards, looking at the masters' solutions, I found they all brute-forced it. Well... (blame my weak coding ability).
Also, one of them could decompile it? That seemed strange (it turned out there were junk instructions, which stopped IDA from producing pseudocode).
Later I went back and removed the junk instructions by hand in OD (deleting the useless single bytes; junk comes in several forms and this is only one of them), after which F5 worked, but there was still a lot of code to read through. I admire the masters' skill; my own feeling is that combining OD and IDA works best.


The masters' writeup is also attached here

import string
import base64

data = open('flag.enc').read().strip()
data1 = ''.join(chr(ord(i) - 0x10) for i in data)   # undo the +0x10 on every hex digit
data1 = bytes.fromhex(data1)
bd = base64.b64encode(data1).decode()
t1 = string.ascii_uppercase + string.ascii_lowercase + string.digits + r'+/'
t2 = ''.join(chr(ord(i) - 10) for i in t1)
table1 = str.maketrans(t1, t2)
table2 = str.maketrans(t2, t1)
bd1 = bd.translate(table1)
s = ''.join(bd1[4 * i] for i in range(len(bd1) // 4))   # keep every 4th base64 character
bd2 = s.translate(table2)
bd2 += '=' * (-len(bd2) % 4)   # base64 padding: pad to a multiple of 4 (the original used 3 - len % 3)
print(base64.b64decode(bd2))
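An added example (my code, neither the author's nor the masters') that runs the writeup's pipeline above on the encoded string the author pasted in the Code section, with two simplifications that follow from reading it: the translate to t2 and the translate back to t1 are exact inverses, so that step reduces to keeping every fourth base64 character, and the fourth-character rule selects a1 = k1 >> 2 of each 3-byte group (the first of the author's "Algorithm 2" equations inverted), so the four-deep brute force in bp1() is never needed. Both routes are implemented and checked against each other; the flag string itself is not stated anywhere on the page and is simply what the page's data decodes to. The function names and the B64 constant are mine.

```python
import base64

# The encoded buffer from the author's script (every hex digit shifted up by 0x10).
FLAG_ENC = (
    "FFIF@@IqqIH@sGBBsBHFAHH@FFIuB@tvrrHHrFuBD@qqqHH@GFtuB@EIqrHHCDuBsBqurHH@"
    "EuGuB@trqrHHCDuBsBruvHH@FFIF@@AHqrHHEEFBsBGtvHH@FBHuB@trqrHHADFBD@rquHH@"
    "FurF@@IqqrHHvGuBD@tCDHH@EuGuB@tvrrHHCDuBD@tCDHH@FuruB@tvrIH@@DBBsBGtvHH@"
    "GquuB@EIqrHHvGuBsBtGEHH@EuGuB@tvrIH@BDqBsBIFEHH@GFtF@@IqqrHHEEFBD@srBHH@"
    "GBsuB@trqrHHIFFBD@rquHH@FFIuB@tvrrHHtCDB@@"
)

# Standard base64 alphabet; index i is the character for 6-bit value i.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def unshift_hex(enc):
    """Undo the +0x10 applied to every hex digit and return the raw bytes."""
    return bytes.fromhex("".join(chr(ord(c) - 0x10) for c in enc))


def decode_via_base64(enc):
    """The writeup's route: base64-encode the bytes, keep every 4th character, decode.

    The alphabet translations in the writeup (t1 -> t2, then t2 -> t1) cancel
    each other exactly, so they are left out here.
    """
    raw = unshift_hex(enc)
    kept = base64.b64encode(raw).decode()[::4]
    kept += "=" * (-len(kept) % 4)          # proper base64 padding
    return base64.b64decode(kept).decode()


def decode_via_first_sextet(enc):
    """Same result without base64-encoding the buffer.

    base64 turns each 3-byte group (k1, k2, k3) into 4 characters whose first
    one is k1 >> 2 (the author's k1 = a1*4 + (a2 & 0x30)/16 solved for a1), so
    keeping every 4th character is the same as taking the top 6 bits of every
    third byte. No search over a1..a4 is required.
    """
    raw = unshift_hex(enc)
    firsts = raw[0::3]                      # k1 of every (k1, k2, k3) triple
    kept = "".join(B64[k1 >> 2] for k1 in firsts)
    kept += "=" * (-len(kept) % 4)
    return base64.b64decode(kept).decode()


if __name__ == "__main__":
    print(decode_via_base64(FLAG_ENC))
    print(decode_via_first_sextet(FLAG_ENC))
```

The junk in this challenge is therefore two thirds of the buffer: bytes k2 and k3 of every group, and the low two bits of k1, carry nothing, which is the same idea as the junk instructions that broke IDA's decompiler, applied to data instead of code.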
