
[游戏]猛男测试,挑战 fsg 2.0 脱壳

2010-7-13 16:39
13876

目标:脱掉外层的 fsg 其实不顶用,有几个函数被混淆了,找出来他们还原

比如其中某一个函数

0040332D   $  55            push    ebp
0040332E   .  8BEC          mov     ebp, esp
00403330   .  56            push    esi
00403331   .  57            push    edi
00403332   .  53            push    ebx
00403333   .  EB 39         jmp     short unpacked.0040336E
00403335      B8            db      B8
00403336   .^ 78 ED         js      short unpacked.00403325
00403338   >  E8 01000000   call    unpacked.0040333E
0040333D      3B            db      3B                               ;  CHAR ';'
0040333E   .  8D6424 04     lea     esp, [esp+4]
00403342   .  97            xchg    eax, edi
00403343   .  F2:           prefix repne:                            ;  Superfluous prefix
00403344   .  EB 02         jmp     short unpacked.00403348
00403346      A6            db      A6
00403347      83            db      83
00403348   >  E9 B6170000   jmp     unpacked.00404B03
0040334D      BD            db      BD
0040334E      16            db      16
0040334F      BB            db      BB
00403350   >  F3:           prefix rep:                              ;  Superfluous prefix
00403351   .  E8 01000000   call    unpacked.00403357
00403356   .  A7            cmps
00403357   $  8D6424 04     lea     esp, [esp+4]

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最新回复 (26)
2
  菜鸟想知道还原原理。
2010-7-13 16:46
3
2010-7-13 20:31
4
?????什么东西?是不是第一个是加壳时候的入口,第二个是脱壳的入口?你想怎么解密的?
2010-7-15 02:05
5
..
阿卡卡卡..
2010-7-15 11:50
6
2010-7-19 11:55
7

JCC不知道有什么好办法处理,不跳的话,下面碰到往上的JMP就完了。
只会人肉记住标签。
批量处理的话,只有模拟分支吗?
<0040332D>

; Reconstruction of the jmp-scrambled routine at 0040332D, re-serialized into
; straight-line order (labels @Lnnnnnnnn are the recovered basic blocks).
; What the listing itself shows: ebp frame, callee-saved esi/edi/ebx, one
; argument read at [ebp+8], and `retn 0C` popping three dwords of arguments.
; Callees (00402B22, 00402A7C, 00402AB1, ...) are known only by address here;
; their argument counts / stack cleanup cannot be confirmed from this listing.
; NOTE(review): a later reply calls this result "not long enough", and the hex
; dump posted there continues past the first loop (e.g. 66 81 3E 4D 5A =
; cmp word ptr [esi],5A4Dh, an 'MZ' check) -- this reconstruction is probably
; incomplete; verify against that dump before reusing it.
@L00000001:
	push ebp
	mov ebp,esp
	push esi                        ; save callee-saved regs used below
	push edi
	push ebx
	push 100000                     ; args for 00402B22: (40AF21, 100000)
	push 40AF21
	call 00402B22
	xor eax,eax
	mov dword ptr [40AF5D],eax      ; zero two globals that are released again at @L00000008
	mov dword ptr [40AF71],eax
	mov esi,40AEA1                  ; esi = base of a global record ([esi], [esi+8], [esi+C] written below)

@L00000002:
	push dword ptr [ebp+8]          ; first stack argument of this routine
	call 00402A7C
	inc eax
	je @L00000003                   ; inc+je: taken when the call returned -1 (0FFFFFFFFh)
	test ecx,ecx                    ; ecx treated as a second result of 00402A7C -- presumably; confirm against callee
	je @L00000004
	dec eax                         ; undo the inc, restoring the returned value
	mov dword ptr [esi+8],eax
	mov dword ptr [esi+C],ecx
	push eax                        ; args for 00402AB1: (ecx, eax)
	push ecx
	call 00402AB1
	test eax,eax                    ; either result zero -> error path @l1
	je @l1
	test ecx,ecx
	je @l1
	mov dword ptr [esi],eax
	jmp short @L00000002            ; loops back; no exit other than the error branches is visible here

; --- error paths: each pushes a distinct address (likely a message/string,
; --- not visible here) and joins the shared cleanup.
@L00000003:
	push 40A21D
	jmp @L00000007

@L00000004:
	push 40A235
	jmp @L00000005
@l1:
	push 40A252
	jmp @L00000005
@L00000005:
	mov ebx,40AEA1                  ; same record as esi above
	push dword ptr [ebx]            ; args for 00402AD3: ([ebx+4], [ebx], <pushed address>)
	push dword ptr [ebx+4]
	call 00402AD3
	xor eax,eax

@L00000006:
	push eax                        ; args for 00407284: ([ebx+8], [ebx+C], 0, 0)
	push eax
	push dword ptr [ebx+C]
	push dword ptr [ebx+8]
	call 00407284
	push dword ptr [ebx+8]
	call 00407278
	push dword ptr [ebx+8]
	call 00407230

@L00000007:
	mov ebx,402B6B                  ; ebx = release/free-style routine called once per global below
	push 40AF49
	call ebx
	push 40AF35
	call ebx

@L00000008:
	push 40AF5D                     ; the two globals zeroed at entry
	call ebx
	push 40AF71
	call ebx
	push 40AF21                     ; the buffer handed to 00402B22 at entry
	call ebx
	pop eax                         ; discards one leftover dword (the address pushed on the error paths,
	                                ; assuming the callees clean their own args -- not verifiable here)
	pop ebx
	pop edi
	pop esi
	leave
	retn 0C                         ; pops three dword arguments (stdcall-like)


2010-7-19 12:26
8
姑姑..你近来都去那里玩了?
整个香港都找不着妳啊.
2010-7-19 20:54
9
不够长啊。不过这题我想考的是拓扑排序。

0040332D
558bec56575368000010006821af4000e8e0f7ffff2bc0a35daf4000a371af4000bea1ae4000ff75
08e821f7ffff400f8493090000909090909085c90f8449090000909090909048894608894e0c5051
e82ff7ffff85c0741690909090909090909085c9740990909090eb0d9090906852a24000e91c0900
008906894e049666813e4d5a0f85f708000090909090908b463ca9030000000f85da080000909090
90903b05adae40000f83c9080000909090909003f08935b1ae4000813e504500000f85b008000090
90909090837e28000f8497080000909090909066817e044c01750990909090eb0d9090906875a340
00e99f08000066f746160020750990909090eb0d9090906838a34000e98408000066837e5c010f84
4708000090909090908b86f4000000a9000001000f8527080000909090909085c0757f9090909090
90909090817e0846534721740990909090eb0d9090906875a24000e93508000083be800000000074
0990909090eb0d9090906882a14000e91908000083bee8000000000f85c607000090909090900fb7
46148d443018a3b5ae4000833800741a909090909090909090813855505830740990909090eb0d90
909068cfa24000e9d10700008b4634a3d5ae40008b463ca3c9ae40008b4638a3cdae40008b4628a3
d1ae40000fb75e06891dc5ae40008b15b5ae40008b0dc5ae4000496bc92801ca8b4214034210e871
fdffff8b0dadae40003bc876249090909090909090902bc88bf90305a1ae400051506885af4000e8
e1f5ffff90909090908b4e50c1e102516849af4000e8abf5ffffff35adae40006835af4000e89bf5
ffff8b3866c7074d5ac7473c0c000000c7470c504500008b550c85d2744e9090909090909090908d
4f02b40a9090909090813a7b73707d750990909090eb239090908a02423c00742390909090909090
9090880141fecc75d890909090eb0d909090b02083c204ebe990909083c70c893db9ae4000c74708
46534721a1d5ae4000894734c7473c00020000c7475400020000c7477410000000a1cdae40008947
38668b460466894704668b461683c8016689471666c74706020066c74714e0008b461c89471c8b46
208947208b46248947248b462c89472c668b464066894740668b464266894742668b464466894744
668b464666894746668b464866894748668b464a6689474a8b464c89474c8b46608947608b466489
47648b46688947688b466c89476c668b461866894718668b465c6689475c0fb747148d443818a3bd
ae4000938363140083631000c74324e00000c0a1cdae400089430c8b4650e8b8fbffff8943080343
0ce8adfbffffa3c1ae4000894334c7433c00020000c7434ce00000c0c7472854010000832519af40
00008b86a000000085c0741f90909090909090909050ffb6a400000068eba34000e87efaffff9090
9090908b86c000000085c07439909090909090909090ff0519af4000e886fbffff976a18576801af
4000e822f4ffffffb6c00000006a186813a44000e83bfaffff90909090908b86a800000085c0741f
90909090909090909050ffb6ac00000068ffa34000e812faffff90909090908b467885c0742c9090
9090909090909050ff767c6871af4000e8b3dbffffff7678ff767c6827a44000e8dff9ffff909090
90908b35b1ae40000fb70dc5ae4000890dc5ae40008b868800000085c0741a909090909090909090
ffb68c00000050e8e5f5ffff9090909090e842ebffffa31daf40008b35b5ae40008b3d49af4000ff
35c5ae400090909090908b46088b561085c0750990909090eb4890909085d2740990909090eb1b90
9090e844faffff03f883c628ff0c2475d190909090eb2a9090908bd88bc2e831faffff508b460ce8
63faffff5057e806f3ffff89d8ebcb9090908bc2ebb7909090592b3d49af400057ff3549af4000e8
eef8ffff893d55af40008b35b9ae40008b3d35af400081c7000200008b1dc1ae4000833d5daf4000
00743a909090909090909090ff3561af4000ff355daf400057e8a3f2ffffa161af4000e8a0f9ffff
899e8800000089868c00000003f803d89090909090f7451002000000755690909090909090909083
3d71af4000007444909090909090909090891d79af40006871af4000e836e8ffffff357daf4000ff
3571af400057e83ef2ffffa17daf4000e83bf9ffff895e7889467c03f803d89090909090ff3595ae
40006a32e8f1d8ffff89d80305d5ae4000a3732d400068c82d4000ff3521af4000ff3555af400057
ff3549af4000e82944000083c414e8edf8ffff03f803d8ff3599ae40006a32e8aed8ffff833d19af
40000074359090909090909090906a186801af400057e8b6f1ffffb818000000e8b3f8ffff899ec0
0000008986c400000003f803d89090909090899e80000000b881000000e88ef8ffff898684000000
8b15d5ae4000a1cdae400003c2a36f2d4000b84800000001d803c2a37f2d4000b82800000001d803
c2a38b2d4000b84400000001d803c2a39e2c4000c705832d400080000000c705872d4000007d0000
a11daf400003c2a3772d4000be472d4000b88f2d4000bae80100008910badc010000895004bade01
00008950088b15d1ae400089500c8b15d5ae4000011001500401500801500c8d4010ba6200000089
10ba7000000089500401180158042d472d400001d8890689461068810000005657e8bbf0ffff81c7
8100000089fb2b1d35af4000891d41af400081eb00020000833d85af400000745f90909090909090
9090f7451001000000754d90909090909090909089d8b900020000e880f7ffff8bd88b3d35af4000
8dbc3800020000ff3591af4000ff3585af400057e850f0ffff033d91af40002b3d35af4000893d41
af400090909090908b35bdae4000895e3889d8e83bf7ffff8946308b3db9ae40000346348947508b
3d35af400081c754010000be9c2c400068ab0000005657e8fdefffffbba1ae4000ff3541af4000ff
3535af4000ff33e8e5efffffff33ff7304e820efffff2bc05050ff3541af4000ff7308e8bf360000
ff7308e8ab360000ff7308e85b3600008b3595ae40008b1d99ae4000bf67124000566a34ffd7ff35
adae40006a3ee88bd6ffff68f4010000e888360000536a34ffd7566a36ffd7ff3541af40006a40e8
6ad6ffff68f4010000e867360000536a36ffd7566a38ffd76b0541af40006429d2f735adae4000ba
640000002bd0526847a14000ff3521af4000e88a3600005883c408506a42ff3555ae4000e86c3600
006858020000e81a360000536a38ffd76a00e98300000068a9a34000eb3f9090906894a24000eb35
9090906801a34000eb2b909090689ca14000eb2190909068e8a14000eb1790909068afa14000eb0d
9090906835a240009090909090bba1ae4000ff33ff7304e802eeffff2bc05050ff730cff7308e8a4
350000ff7308e890350000ff7308e840350000eb0d909090681da240009090909090bb6b2b400068
49af4000ffd36835af4000ffd3685daf4000ffd36871af4000ffd36821af4000ffd3585b5f5ec9c2
0c009090909090
2010-7-19 21:12
10
diy壳 拓扑排序如何和还原代码联系起来?
2010-7-22 13:26
11
我也想知道拓扑排序如何和还原代码联系起来
2010-7-23 11:05
12
Mark,下载需要kx。。。
2010-7-23 12:45
13
fsg 2.0 是什么
2010-7-23 13:38
14
只找到4个乱序过的函数
5? 5? 5? E9
1
0040137D   .  55            push    ebp
0040137E   .  8BEC          mov     ebp, esp
00401380   .  83C4 E8       add     esp, -18
00401383   .  57            push    edi
00401384   .  56            push    esi
00401385   .  53            push    ebx
00401386   .  E9 3D090000   jmp     00401CC8
0040138B   .  EC            in      al, dx
0040138C   >  E8 01000000   call    00401392

2
00402174   $  55            push    ebp
00402175   .  8BEC          mov     ebp, esp
00402177   .  57            push    edi
00402178   .  56            push    esi
00402179   .  53            push    ebx
0040217A   >  E9 28010000   jmp     004022A7

3,
0040235D   $  55            push    ebp
0040235E   .  8BEC          mov     ebp, esp
00402360   .  83C4 F0       add     esp, -10
00402363   .  57            push    edi
00402364   .  56            push    esi
00402365   .  53            push    ebx
00402366   .  52            push    edx
00402367   .  E9 06010000   jmp     00402472

5? 5? 5? EB
4,
0040332D   $  55            push    ebp
0040332E   .  8BEC          mov     ebp, esp
00403330   .  56            push    esi
00403331   .  57            push    edi
00403332   .  53            push    ebx
00403333   .  EB 39         jmp     short 0040336E
00403335      B8            db      B8
00403336   .^ 78 ED         js      short 00403325
00403338   >  E8 01000000   call    0040333E

和LZ大牛给出的还原函数对比了下,相差太远了,不懂怎么拓扑排序
自己的土方法改了好久,自己都晕了
给个bin,不知道最终效果相同么
2010-8-4 13:41
15
猛男一号,welcome to the club。

整个程序可以当成一个偏序集,拓扑排序要先把图转成DAG,先找到SCC当做一个结点。

我之前贴的结果也不是最优的,不过不是排序问题,产生长短跳的方法可以用EL Robertson(1977)算法。
2010-8-4 13:55
16
感谢大牛分享方法
不过这下是彻底晕了
加油学习

大牛能说下 EL Robertson(1977)算法 是什么么?随便给个链接也行
2010-8-4 14:23
17
参考资料
[1] Kahn, A. B. (1962), "Topological sorting of large networks", Communications of the ACM 5 (11): 558–562, doi:10.1145/368996.369025.
[2] Robert Tarjan: Depth-first search and linear graph algorithms. In: SIAM Journal on Computing. Vol. 1 (1972), No. 2, P. 146-160.
[3] Robertson, Edward L. (1977) Code Generation for Short/Long Address Machines.
2010-8-4 14:46
18
[QUOTE=forgot;843190]参考资料
[1] Kahn, A. B. (1962), "Topological sorting of large networks", Communications of the ACM 5 (11): 558–562, doi:10.1145/368996.369025.
[2] Robert...[/QUOTE]

非常感谢
2010-8-4 14:48
19
土方法是什么,我倒很有兴趣知道
2010-8-4 14:56
20
把每条Jcc作为二叉树的一个节点,记录true分支段,false分支段。

前序遍历,记录true分支段: 遇到Jcc就跳,记录true分支段。后序遍历,记录false分支段: true分支段结束了就开始记录false分支段。

//记录分支段时可以和之前记录的段比较下,看看是否是循环

正序代码时前序遍历Jcc二叉树,每条Jcc都预留5个Nop之后填充为Jmp Jcc_false指令。

正序后Jcc_false的开始地址是Jcc_true段的结束地址。

表达能力比较差,多见谅,土方法很土,多见笑,哈哈。手机码字好慢 :(

2010-8-4 20:21
21
好猥琐的方法
2010-8-4 20:56
22
没办法,大牛的方法根本不会:(
2010-8-4 21:29
23
贴个好一点的结果
558bec56575368000010006821af4000e8e0f7ffff2bc0a35daf4000a371af4000bea1ae4000ff75
08e821f7ffff400f841108000085c90f84d407000048894608894e0c5051e839f7ffff85c00f84b7
07000085c90f84af0700008906894e049666813e4d5a0f85970700008b463ca903000000751a3b05
adae4000731203f08935b1ae4000813e504500007502eb0a68e8a14000e97c070000837e28007402
eb0a689ca14000e96a07000066817e044c017502eb0a6875a34000e95607000066f7461600200f85
3007000066837e5c010f841e0700008b86f4000000a9000001007502eb0a6894a24000e926070000
85c00f85ef060000817e08465347217402eb0a6875a24000e90907000083be80000000000f84d406
000083bee8000000007502eb0a68a9a34000e9e70600000fb746148d443018a3b5ae40008338000f
84a20600008138555058300f84960600008b4634a3d5ae40008b463ca3c9ae40008b4638a3cdae40
008b4628a3d1ae40000fb75e06891dc5ae40008b15b5ae40008b0dc5ae4000496bc92801ca8b4214
034210e8e4fdffff8b0dadae40003bc876162bc88bf90305a1ae400051506885af4000e85df6ffff
8b4e50c1e102516849af4000e82cf6ffffff35adae40006835af4000e81cf6ffff8b3866c7074d5a
c7473c0c000000c7470c504500008b550c85d274248d4f02b40a813a7b73707d7502eb098a02423c
00740eeb05b02083c204880141fecc75e183c70c893db9ae4000c7470846534721a1d5ae40008947
34c7473c00020000c7475400020000c7477410000000a1cdae4000894738668b460466894704668b
461683c8016689471666c74706020066c74714e0008b461c89471c8b46208947208b46248947248b
462c89472c668b464066894740668b464266894742668b464466894744668b464666894746668b46
4866894748668b464a6689474a8b464c89474c8b46608947608b46648947648b46688947688b466c
89476c668b461866894718668b465c6689475c0fb747148d443818a3bdae40009383631400836310
00c74324e00000c0a1cdae400089430c8b4650e863fcffff89430803430ce858fcffffa3c1ae4000
894334c7433c00020000c7434ce00000c0c7472854010000832519af4000008b86a000000085c074
1150ffb6a400000068eba34000e832fbffff8b86c000000085c0742bff0519af4000e848fcffff97
6a18576801af4000e8e4f4ffffffb6c00000006a186813a44000e8fdfaffff8b86a800000085c074
1150ffb6ac00000068ffa34000e8e2faffff8b467885c0741e50ff767c6871af4000e891dcffffff
7678ff767c6827a44000e8bdfaffff8b35b1ae40000fb70dc5ae4000890dc5ae40008b8688000000
85c0740cffb68c00000050e8d1f6ffffe833ecffffa31daf40008b35b5ae40008b3d49af4000ff35
c5ae40008b46088b561085c075028bc285d2741b8bd88bc2e84ffbffff508b460ce881fbffff5057
e824f4ffff89d8e82ffbffff03f883c628ff0c2475c6592b3d49af400057ff3549af4000e809faff
ff893d55af40008b35b9ae40008b3d35af400081c7000200008b1dc1ae4000833d5daf400000742c
ff3561af4000ff355daf400057e8c7f3ffffa161af4000e8c4faffff899e8800000089868c000000
03f803d8f7451002000000753f833d71af4000007436891d79af40006871af4000e871e9ffffff35
7daf4000ff3571af400057e879f3ffffa17daf4000e876faffff895e7889467c03f803d8ff3595ae
40006a32e831daffff89d80305d5ae4000a3732d400068c82d4000ff3521af4000ff3555af400057
ff3549af4000e86945000083c414e82dfaffff03f803d8ff3599ae40006a32e8eed9ffff833d19af
40000074276a186801af400057e8fff2ffffb818000000e8fcf9ffff899ec00000008986c4000000
03f803d8899e80000000b881000000e8dcf9ffff8986840000008b15d5ae4000a1cdae400003c2a3
6f2d4000b84800000001d803c2a37f2d4000b82800000001d803c2a38b2d4000b84400000001d803
c2a39e2c4000c705832d400080000000c705872d4000007d0000a11daf400003c2a3772d4000be47
2d4000b88f2d4000bae80100008910badc010000895004bade0100008950088b15d1ae400089500c
8b15d5ae4000011001500401500801500c8d4010ba620000008910ba700000008950040118015804
2d472d400001d8890689461068810000005657e809f2ffff81c78100000089fb2b1d35af4000891d
41af400081eb00020000833d85af4000007448f7451001000000753f89d8b900020000e8e0f8ffff
8bd88b3d35af40008dbc3800020000ff3591af4000ff3585af400057e8b0f1ffff033d91af40002b
3d35af4000893d41af40008b35bdae4000895e3889d8e8a0f8ffff8946308b3db9ae400003463489
47508b3d35af400081c754010000be9c2c400068ab0000005657e862f1ffffbba1ae4000ff3541af
4000ff3535af4000ff33e84af1ffffff33ff7304e885f0ffff2bc05050ff3541af4000ff7308e824
380000ff7308e810380000ff7308e8c03700008b3595ae40008b1d99ae4000bf67124000566a34ff
d7ff35adae40006a3ee8f0d7ffff68f4010000e8ed370000536a34ffd7566a36ffd7ff3541af4000
6a40e8cfd7ffff68f4010000e8cc370000536a36ffd7566a38ffd76b0541af40006429d2f735adae
4000ba640000002bd0526847a14000ff3521af4000e8ef3700005883c408506a42ff3555ae4000e8
d13700006858020000e87f370000536a38ffd76a00eb6468cfa24000eb286882a14000eb216801a3
4000eb1a6838a34000eb1368afa14000eb0c6852a24000eb056835a24000bba1ae4000ff33ff7304
e881efffff2bc05050ff730cff7308e823370000ff7308e80f370000ff7308e8bf360000eb05681d
a24000bb6b2b40006849af4000ffd36835af4000ffd3685daf4000ffd36871af4000ffd36821af40
00ffd3585b5f5ec9c20c00
2010-8-6 23:24
24
只能膜拜
这个结果,IDA出来很顺眼
2010-8-7 20:01
25
准备下一轮猛男测试,vmp pure M.
2010-8-7 20:49