1. The check logic lives in Lua; the Lua is precompiled bytecode, 0x400 bytes in size:
003E6A18 1B 6C 73 11 00 19 93 0D 0A 1A 0A 04 04 04 08 08 .ls.............
003E6A28 78 56 00 00 00 00 00 00 00 00 00 00 00 28 77 40 xV...........(w@
003E6A38 01 0E 40 54 61 73 6B 42 65 67 69 6E 2E 6C 73 00 ..@TaskBegin.ls.
003E6A48 00 00 00 00 00 00 00 00 02 02 07 00 00 00 08 40 ...............@
003E6A58 40 80 08 C0 40 81 2C 00 00 00 08 00 00 82 2C 40 @...@.,.......,@
003E6A68 00 00 08 00 80 82 26 00 80 00 06 00 00 00 04 0B ......&.........
003E6A78 67 5F 73 74 72 52 65 67 53 6E 04 02 20 04 13 67 g_strRegSn.. ..g
003E6A88 5F 73 74 72 52 65 67 53 6E 54 6F 56 65 72 69 66 _strRegSnToVerif
003E6A98 79 04 01 04 0D 75 73 65 72 52 65 67 69 73 74 65 y....userRegiste
003E6AA8 72 04 12 67 65 74 52 65 67 53 6E 41 66 74 65 72 r..getRegSnAfter
003E6AB8 43 61 6C 63 01 00 00 00 01 00 02 00 00 00 00 05 Calc............
003E6AC8 00 00 00 10 00 00 00 01 00 04 11 00 00 00 41 00 ..............A.
003E6AD8 00 00 08 00 80 80 86 C0 40 00 A4 80 80 00 08 80 ........@.......
003E6AE8 00 81 86 00 41 00 C6 40 40 00 A4 80 00 01 08 80 ....A..@@.......
003E6AF8 80 80 86 40 40 00 C6 80 40 00 1F C0 00 01 1E 00 ...@@...@.......
003E6B08 00 80 41 40 01 00 08 80 41 81 66 00 00 01 26 00 ..A@....A.f...&.
003E6B18 80 00 07 00 00 00 13 FF FF FF FF FF FF FF FF 04 ................
003E6B28 0B 67 5F 73 74 72 52 65 67 53 6E 04 13 67 5F 73 .g_strRegSn..g_s
003E6B38 74 72 52 65 67 53 6E 54 6F 56 65 72 69 66 79 04 trRegSnToVerify.
003E6B48 13 66 6E 47 65 74 52 65 67 53 6E 54 6F 56 65 72 .fnGetRegSnToVer
003E6B58 69 66 79 04 1D 66 6E 43 61 6C 63 55 73 65 72 49 ify..fnCalcUserI
003E6B68 6E 70 75 74 52 65 67 53 6E 41 66 74 65 72 45 6E nputRegSnAfterEn
003E6B78 63 13 00 04 00 00 00 00 00 00 04 01 01 00 00 00 c...............
003E6B88 00 00 00 00 00 00 11 00 00 00 06 00 00 00 07 00 ................
003E6B98 00 00 08 00 00 00 08 00 00 00 08 00 00 00 09 00 ................
003E6BA8 00 00 09 00 00 00 09 00 00 00 09 00 00 00 0A 00 ................
003E6BB8 00 00 0A 00 00 00 0A 00 00 00 0A 00 00 00 0B 00 ................
003E6BC8 00 00 0D 00 00 00 0F 00 00 00 10 00 00 00 02 00 ................
003E6BD8 00 00 00 0B 73 74 72 52 65 67 53 6E 49 6E 00 00 ....strRegSnIn..
003E6BE8 00 11 00 00 00 04 69 52 63 01 00 00 00 11 00 00 ......iRc.......
003E6BF8 00 01 00 00 00 05 5F 45 4E 56 00 13 00 00 00 15 ......_ENV......
003E6C08 00 00 00 01 00 02 03 00 00 00 46 00 40 00 66 00 ..........F.@.f.
003E6C18 00 01 26 00 80 00 01 00 00 00 04 0B 67 5F 73 74 ..&.........g_st
003E6C28 72 52 65 67 53 6E 01 00 00 00 00 00 00 00 00 00 rRegSn..........
003E6C38 03 00 00 00 14 00 00 00 14 00 00 00 15 00 00 00 ................
003E6C48 01 00 00 00 0B 73 74 72 52 65 67 53 6E 49 6E 00 .....strRegSnIn.
003E6C58 00 00 00 03 00 00 00 01 00 00 00 05 5F 45 4E 56 ............_ENV
003E6C68 07 00 00 00 01 00 00 00 02 00 00 00 10 00 00 00 ................
003E6C78 05 00 00 00 15 00 00 00 13 00 00 00 15 00 00 00 ................
003E6C88 00 00 00 00 01 00 00 00 05 5F 45 4E 56 00 00 00 ........._ENV...
003E6C98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6CF8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D88 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6D98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DA8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DB8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DC8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DD8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DE8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6DF8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
003E6E08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
The header had been modified. Downloading the official Lua sources and comparing showed it must be version 5.3: the signature \x1bLua and the version byte 0x53 were replaced by \x1bls and 0x11, but everything after that is exactly the 5.3 layout, the LUAC_DATA check bytes 19 93 0D 0A 1A 0A, the type sizes 04 04 04 08 08 (int, size_t, Instruction, lua_Integer, lua_Number), LUAC_INT 0x5678 (78 56 00 00 00 00 00 00) and LUAC_NUM 370.5 (00 00 00 00 00 28 77 40). After patching the header back to stock 5.3, listing the chunk with luac.exe (luac -l) gave the rough flow (the constant strings userRegister, getRegSnAfterCalc, fnGetRegSnToVerify and fnCalcUserInputRegSnAfterEnc visible in the dump are presumably the natively registered functions it calls) and the addresses of the two important calculation functions:
004019C7 /. 55 push ebp
and
004019A2 . FF7424 04 push dword ptr [esp+0x4]
004019A6 . E8 F11C0000 call 0040369C
004019AB . 85C0 test eax, eax
004019AD . 59 pop ecx
004019AE . 75 13 jnz short 004019C3
004019B0 . 6A 20 push 0x20
004019B2 . 68 44D24200 push 0042D244 =========== final ciphertext (0x20 bytes)
004019B7 . FF7424 0C push dword ptr [esp+0xC]
004019BB . E8 50220000 call 00403C10
004019C0 . 83C4 0C add esp, 0xC
004019C3 > 6A 01 push 0x1
004019C5 . 58 pop eax
004019C6 . C3 retn
The function at 004019A2 is where the final ciphertext turns up (the 0x20-byte buffer at 0042D244 handed to the call at 00403C10), and 004019C7 does nothing more than XOR it with two fixed keys. Undoing the XOR gives (32 bytes):
4b7d6f22bdea61c30be7b2d92c6b41885d712785ba71f0b92377286cfc36a6d0
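The header repair from step 1, as an added example (not code from the original post and not Lua's own code): it locates the LUAC_DATA check bytes, validates the 5.3 fields that follow them (type sizes, LUAC_INT, LUAC_NUM), overwrites the mangled signature/version/format prefix with the stock values and reads the main chunk's source name. The sample bytes are the first 48 bytes copied from the dump above; the function and constant names are my own.

```python
"""Repair the altered Lua 5.3 bytecode header seen in the dump.

Added example for this writeup, not code from the original post or from Lua.
Only the signature/version/format prefix was tampered with; everything after
the LUAC_DATA check bytes is stock 5.3, so the fix is to put the stock prefix
back and keep the rest of the chunk byte-for-byte.
"""
import struct

LUA53_SIGNATURE = b"\x1bLua"        # LUA_SIGNATURE (lua.h)
LUA53_VERSION = 0x53                # LUAC_VERSION (lundump.h)
LUA53_FORMAT = 0x00                 # LUAC_FORMAT
LUAC_DATA = b"\x19\x93\r\n\x1a\n"   # corruption-detection bytes, left intact in the dump
LUAC_INT = 0x5678                   # endianness check value (lua_Integer)
LUAC_NUM = 370.5                    # float-format check value (lua_Number)

# First 48 bytes of the 0x400-byte blob, copied from the dump at 003E6A18.
DUMPED = bytes.fromhex(
    "1B6C73110019930D0A1A0A0404040808"   # mangled prefix, LUAC_DATA, type sizes
    "78560000000000000000000000287740"   # LUAC_INT 0x5678, LUAC_NUM 370.5 (LE double)
    "010E405461736B426567696E2E6C7300"   # sizeupvalues=1, "@TaskBegin.ls", linedefined...
)


def parse_header(blob):
    """Find LUAC_DATA, validate the 5.3 fields after it, return what was learned."""
    pos = blob.find(LUAC_DATA, 0, 16)
    if pos < 0:
        raise ValueError("LUAC_DATA not found in the first 16 bytes: not 5.3-style")
    p = pos + len(LUAC_DATA)
    sz_int, sz_size_t, sz_instr, sz_integer, sz_number = blob[p:p + 5]
    p += 5
    luac_int = int.from_bytes(blob[p:p + sz_integer], "little")
    p += sz_integer
    (luac_num,) = struct.unpack_from({4: "<f", 8: "<d"}[sz_number], blob, p)
    p += sz_number
    if luac_int != LUAC_INT or luac_num != LUAC_NUM:
        raise ValueError("LUAC_INT/LUAC_NUM mismatch: wrong endianness or not 5.3")
    return {
        "mangled_prefix": blob[:pos],          # what replaced "\x1bLua" + 0x53 + 0x00
        "sizes": (sz_int, sz_size_t, sz_instr, sz_integer, sz_number),
        "header_end": p,                       # offset of the sizeupvalues byte
    }


def repair_header(blob):
    """Return the chunk with a stock Lua 5.3 prefix so luac/decompilers accept it."""
    info = parse_header(blob)
    stock = LUA53_SIGNATURE + bytes([LUA53_VERSION, LUA53_FORMAT])
    return stock + blob[len(info["mangled_prefix"]):]


def main_chunk_name(blob):
    """Source name of the main function (5.3 short strings store length + 1)."""
    info = parse_header(blob)
    p = info["header_end"] + 1                 # skip sizeupvalues
    n = blob[p]
    if n == 0xFF:
        raise ValueError("long string: length follows as size_t, not handled here")
    return blob[p + 1:p + n].decode("latin-1")  # n == 0 means no source name


if __name__ == "__main__":
    fixed = repair_header(DUMPED)
    print("type sizes:", parse_header(DUMPED)["sizes"])
    print("main chunk:", main_chunk_name(DUMPED))
    print("repaired header:", fixed[:33].hex(" "))
    # For the real 0x400-byte blob: write repair_header(blob) to a file and run
    # "luac.exe -l file" to get the listing used in the writeup.
```

The repaired blob is one byte longer than the dumped one because the stock signature is four bytes and the mangled one is three; every offset inside the function body shifts by one, which is why the fix must be applied to the bytes rather than patched in place in memory.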
2. Encryption of the input data
00403438 /$ 55 push ebp
00403439 |. 8BEC mov ebp, esp
0040343B |. 51 push ecx
0040343C |. 51 push ecx
0040343D |. 53 push ebx
0040343E |. 56 push esi
0040343F |. 57 push edi
00403440 |. 8BF1 mov esi, ecx
00403442 |. E8 E5FFFFFF call 0040342C
00403447 |. 8BD8 mov ebx, eax
00403449 |. 8BCE mov ecx, esi
0040344B |. 81CB 0000E1B7 or ebx, 0xB7E10000
00403451 |. E8 DCFFFFFF call 00403432
00403456 |. FF75 08 push dword ptr [ebp+0x8]
00403459 |. 0D 0000379E or eax, 0x9E370000
0040345E |. 8BCE mov ecx, esi
00403460 |. 8945 FC mov dword ptr [ebp-0x4], eax
00403463 |. E8 9DFFFFFF call 00403405
00403468 |. FF75 08 push dword ptr [ebp+0x8]
0040346B |. 8BCE mov ecx, esi
0040346D |. 8945 F8 mov dword ptr [ebp-0x8], eax
00403470 |. E8 9AFFFFFF call 0040340F
The constants suggested RC5: 0xB7E10000 and 0x9E370000 are the high halves of RC5's key-schedule constants P32 = 0xB7E15163 and Q32 = 0x9E3779B9, and the low halves presumably come from the two small calls at 0040342C and 00403432 that precede each `or` (splitting a magic constant in two is a common way to keep it out of a plain constant scan). One caveat: 0x9E3779B9 on its own is also the TEA/XTEA delta and a common hash-mixing constant, and RC6 uses the same P/Q pair, so it is the pair together with the key-schedule loop that points at RC5. I had no RC5 code to hand, but noticed that
0041B422 /$ B8 27C74200 mov eax, 0042C727
0041B427 |. E8 F84D0000 call 00420224
0041B42C |. 81EC A0000000 sub esp, 0xA0
0041B432 |. 56 push esi
0041B433 |. 57 push edi
0041B434 |. 8D8D 54FFFFFF lea ecx, dword ptr [ebp-0xAC]
0041B43A |. E8 D47BFEFF call 00403013
has a code structure very similar to the encryption routine, so I set EIP straight to it, swapped the input data for the value obtained in step 1, and it decrypted successfully. Driving the target's own decryption routine sidesteps having to recover its key and word order by hand.
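RC5 itself, as an added example (not the target's code and not from the original post), so the step-2 routine can be checked against a reference instead of only by hijacking EIP: the RC5-32/r/b key schedule, block encrypt/decrypt and an ECB wrapper over little-endian 32-bit words, the convention the algorithm is defined with. The target's key, round count and key length are not on the page, so the run uses the published RC5-32/12/16 test vector (zero key and zero block encrypt to 21 A5 DB EE 15 4B 8F 6D) and a constructed placeholder key for the 32-byte value from step 1; matching the target would mean recovering its real key from the calls around 00403438.

```python
"""RC5-32/r/b (Rivest 1994): key schedule, block encrypt/decrypt, ECB helper.

Added example for this writeup; not the target's code and not from the original
post. It exists so the routine at 00403438 can be compared against a reference
implementation. The target's key, round count and key length are not on the
page, so the demo uses the published RC5-32/12/16 test vector plus a made-up key.
"""
import struct

W = 32                   # word size in bits
MASK = (1 << W) - 1
P32 = 0xB7E15163         # Odd((e-2)*2^32);   high half 0xB7E1 == "or ebx, 0xB7E10000"
Q32 = 0x9E3779B9         # Odd((phi-1)*2^32); high half 0x9E37 == "or eax, 0x9E370000"


def rotl(x, n):
    n &= W - 1
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def rc5_key_schedule(key, rounds=12):
    """Expand the b-byte key into S, a table of 2*(rounds+1) words."""
    b, u = len(key), W // 8
    c = max(1, (b + u - 1) // u)
    L = [0] * c
    for i in range(b - 1, -1, -1):          # key bytes are loaded little-endian
        L[i // u] = ((L[i // u] << 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]   # S[0] = P, S[i] = S[i-1] + Q
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):          # mix S and L together
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, A, B):
    r = len(S) // 2 - 1
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for i in range(1, r + 1):
        A = (rotl(A ^ B, B) + S[2 * i]) & MASK
        B = (rotl(B ^ A, A) + S[2 * i + 1]) & MASK
    return A, B


def rc5_decrypt_block(S, A, B):
    r = len(S) // 2 - 1
    for i in range(r, 0, -1):
        B = rotr((B - S[2 * i + 1]) & MASK, A) ^ A
        A = rotr((A - S[2 * i]) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK


def rc5_ecb(key, data, rounds=12, decrypt=False):
    """RC5 over 8-byte blocks, words little-endian, no padding (plain ECB)."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8")
    S = rc5_key_schedule(key, rounds)
    step = rc5_decrypt_block if decrypt else rc5_encrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        A, B = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *step(S, A, B))
    return bytes(out)


# Value recovered in step 1: 32 bytes, i.e. exactly four RC5-32 blocks.
STEP1_HEX = "4b7d6f22bdea61c30be7b2d92c6b41885d712785ba71f0b92377286cfc36a6d0"
DEMO_KEY = b"constructed-key!"   # 16-byte placeholder, NOT the target's key


if __name__ == "__main__":
    print("RC5-32/12/16 zero key / zero block:", rc5_ecb(bytes(16), bytes(8)).hex())
    ct = bytes.fromhex(STEP1_HEX)
    pt = rc5_ecb(DEMO_KEY, ct, decrypt=True)
    print("decrypted with placeholder key:", pt.hex())
    assert rc5_ecb(DEMO_KEY, pt) == ct
```

To confirm the identification against the binary, dump the expanded S table the target builds (the loop seeded by the two `or`-patched words) and compare it with rc5_key_schedule() run on the candidate key and round count; if the tables agree, the routine is RC5 and the remaining question is only how the 32 bytes are split into words.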