Notes for future analysis
Original: http://sibears.ru/labs/ASIS-CTF-Quals-2016-Leaked_License/
[ASIS CTF Quals 2016] - Leaked License [64]
I borrowed the software license and the library from a friend of a friend's brother! If I could fake a license for this competition's machine ID, that would be great.
We are given Leaked_Lisence.dll and the file admin@nsa.gov.us_license:
groke@MacBook-Air-groke:~/ctf/asis/Leaked_Lisence$ cat admin\@nsa.gov.us_license
7e43ecf0b4e27dacfb5e613437b17acb46e8deab2c70510dc71844b492a691ec
The DLL exports a verification function whose parameters take up 48 bytes. A quick look at the file shows that the source was written in C++:
"ios_base::eofbit set"
"ios_base::failbit set"
"ios_base::badbit set"
So we assume the arguments are std::string objects. From the code, we reconstruct the string as the following structure:
    struct magic {
        union {
            char *s1;       /* heap pointer when the string is long */
            char s2[16];    /* inline buffer for short strings */
        };
        int size;
        int real_length;
    };
After adding this structure in the disassembler, it becomes clear that the verification function takes two such strings by value.
The algorithm itself is essentially the following (pseudo-Python, written out here as Python 3):
    import hashlib

    def verify(id, license):
        # the DLL compares against the SHA-256 of a secret read from secret.key
        with open("secret.key", "rb") as secret_file:
            secret = secret_file.read()
        check_string = hashlib.sha256(secret).digest()
        # the id is repeated until it is at least 32 bytes long
        while len(id) < 32:
            id = id + id
        # the license is a hex string; only its first 32 bytes are used
        license = bytes.fromhex(license)
        secret_from_user = bytes(id[i] ^ license[i] for i in range(32))
        check2 = hashlib.sha256(secret_from_user).digest()
        if check2 == check_string:
            return 1
        return 0
Obviously, it is enough for us to recover secretFromUser from the leaked license and generate our own license on its basis. There is one problem: it is not clear which ID the license belongs to. One theory was that an error had crept in somewhere, so to try things out we prepared the following test program:
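As an added illustration (this is not code from the original writeup), here is the scheme re-implemented in Python 3 with a constructed 32-byte stand-in for secret.key, showing the verification as described above, what a matching license generator must do, why one leaked (id, license) pair hands the secret back, and two side effects of the design the writeup runs into: a license checked against the wrong id simply fails, and ids that are repetitions of each other share a license. The names expand_id, xor32, issue_license, recover_secret and demo are assumptions of this example.

```python
import hashlib

BLOCK = 32  # the DLL only ever looks at the first 32 bytes

# Constructed stand-in for the contents of secret.key (the real one is unknown).
# It must be exactly 32 bytes: verify() compares sha256(secret) with
# sha256(id XOR license), and that XOR is always 32 bytes long.
DEMO_SECRET = hashlib.sha256(b"constructed demo secret, not the real key").digest()


def expand_id(machine_id: bytes) -> bytes:
    """Repeat the id until it is at least 32 bytes, as the DLL does, and keep 32."""
    while len(machine_id) < BLOCK:
        machine_id = machine_id + machine_id
    return machine_id[:BLOCK]


def xor32(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of the first 32 bytes of two buffers."""
    return bytes(a[i] ^ b[i] for i in range(BLOCK))


def verify(machine_id: bytes, license_hex: str, secret: bytes = DEMO_SECRET) -> int:
    """The DLL's check, with the secret passed in instead of read from secret.key."""
    expected = hashlib.sha256(secret).digest()
    secret_from_user = xor32(expand_id(machine_id), bytes.fromhex(license_hex))
    return 1 if hashlib.sha256(secret_from_user).digest() == expected else 0


def issue_license(machine_id: bytes, secret: bytes) -> str:
    """What the vendor's generator has to do for verify() to accept: id XOR secret."""
    return xor32(expand_id(machine_id), secret).hex()


def recover_secret(machine_id: bytes, license_hex: str) -> bytes:
    """The weakness: XOR is its own inverse, so a single leaked pair returns the secret."""
    return xor32(expand_id(machine_id), bytes.fromhex(license_hex))


def demo() -> dict:
    # Constructed leaked pair, standing in for the license file from the task.
    leaked_id = b"user@example.org"
    leaked_license = issue_license(leaked_id, DEMO_SECRET)
    recovered = recover_secret(leaked_id, leaked_license)
    # With the secret in hand, a license for any other id verifies.
    new_id = b"competition-machine-id"
    forged = issue_license(new_id, recovered)
    return {
        "leaked_verifies": verify(leaked_id, leaked_license),
        # the "which id does this license belong to?" problem from the writeup
        "wrong_id_verifies": verify(b"someone-else", leaked_license),
        "secret_recovered": recovered == DEMO_SECRET,
        "forged_verifies": verify(new_id, forged),
        # "ab" and "abab" expand to the same 32 bytes, so they share a license
        "repeated_id_aliases": verify(b"abab", issue_license(b"ab", DEMO_SECRET)) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The point for anyone designing a scheme like this: hashing the XOR result does nothing to protect the secret, because the client-side value that must hash correctly is the secret itself, and XOR against a known id reveals it. A keyed MAC or a signature over the id, with the key never present on the client, does not have this property.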
    #include "stdafx.h"
    #include <cstdlib>
    #include <cstring>
    #include <iostream>
    #include <string>
    #include <Windows.h>

    // Hand-made replica of the std::string layout the DLL expects (24 bytes).
    struct magic {
        union {
            char *s1;
            char s2[16];
        };
        int size;
        int real_length;
    };

    magic *get_my_magic(const char *buf) {
        magic *ret = (magic *)malloc(sizeof(magic));  // 24 bytes
        int ln = (int)strlen(buf);
        ret->s1 = (char *)malloc(ln);  // long-string form: heap buffer, no terminator needed
        ret->size = ln;
        ret->real_length = ln;
        strncpy(ret->s1, buf, ln);
        return ret;
    }

    int main() {
        magic *id = get_my_magic("[email protected]");
        magic *key = get_my_magic("7e43ecf0b4e27dacfb5e613437b17acb46e8deab2c70510dc71844b492a691ec");
        HMODULE hMod = LoadLibraryA("Leaked_Lisence.dll");
        if (!hMod) {
            std::cerr << "LoadLibraryA failed" << std::endl;
            return 1;
        }
        // the export takes both "strings" by value, 24 bytes each
        auto myFunc = (int (*)(magic, magic))GetProcAddress(hMod, "verify");
        int s = myFunc(*id, *key);
        std::cout << s << std::endl;
    }
The magic structure is needed because in Visual Studio sizeof(std::string) != 24.
In practice, however, the theoretical calculations turned out to be correct, so we went back to searching for the id. After trying "[email protected]", we obtained the following license:
6e52e0f5a99023eeac30672828ec22db53ea9dab30414a1fca4511ebd5bea4fe
The result is the flag: