1、OD附加,能发现用了LuaJIT-2.1.0-beta3,能够找到luaL_loadbuffer:
004021C7 E8 64FE0000 CALL CrackMe(.00412030
dump LuaJIT bytecode 大小275字节 dump.luac (见附件)
用LuaJIT-2.1.0-beta3编译出来的luajit.exe,然后执行luajit.exe -bl dump.luac 命令能都得到:
-- BYTECODE -- dump.luac:0-0
0001 GGET 2 0 ; "string"
0002 TGETS 2 2 1 ; "byte"
0003 GGET 3 0 ; "string"
0004 TGETS 3 3 2 ; "sub"
0005 MOV 4 0
0006 MOV 5 1
0007 MOV 6 1
0008 CALL 3 0 4
0009 CALLMT 2 0
-- BYTECODE -- dump.luac:0-0
0001 GGET 1 0 ; "string"
0002 TGETS 1 1 1 ; "len"
0003 MOV 2 0
0004 CALL 1 2 2
0005 ISEQN 1 0 ; 12 //比较key长度是否等于12
0006 JMP 1 => 0009
0007 KSHORT 1 0
0008 RET1 1 2
0009 => GGET 1 2 ; "bit"
0010 TGETS 1 1 3 ; "bxor"
0011 GGET 2 4 ; "by"
0012 MOV 3 0
0013 KSHORT 4 1
0014 CALL 2 2 3
0015 KSHORT 3 112 //p
0016 CALL 1 2 3
0017 GGET 2 2 ; "bit"
0018 TGETS 2 2 3 ; "bxor"
0019 GGET 3 4 ; "by"
0020 MOV 4 0
0021 KSHORT 5 2
0022 CALL 3 2 3
0023 KSHORT 4 101 //e
0024 CALL 2 2 3
0025 GGET 3 2 ; "bit"
0026 TGETS 3 3 3 ; "bxor"
0027 GGET 4 4 ; "by"
0028 MOV 5 0
0029 KSHORT 6 3
0030 CALL 4 2 3
0031 KSHORT 5 100 //d
0032 CALL 3 2 3
0033 GGET 4 2 ; "bit"
0034 TGETS 4 4 3 ; "bxor"
0035 GGET 5 4 ; "by"
0036 MOV 6 0
0037 KSHORT 7 4
0038 CALL 5 2 3
0039 KSHORT 6 105 //i
0040 CALL 4 2 3
0041 GGET 5 2 ; "bit"
0042 TGETS 5 5 3 ; "bxor"
0043 GGET 6 4 ; "by"
0044 MOV 7 0
0045 KSHORT 8 5
0046 CALL 6 2 3
0047 KSHORT 7 121 //y
0048 CALL 5 2 3
0049 GGET 6 2 ; "bit"
0050 TGETS 6 6 3 ; "bxor"
0051 GGET 7 4 ; "by"
0052 MOV 8 0
0053 KSHORT 9 6
0054 CALL 7 2 3
0055 KSHORT 8 49 //1
0056 CALL 6 2 3
0057 GGET 7 2 ; "bit"
0058 TGETS 7 7 3 ; "bxor"
0059 GGET 8 4 ; "by"
0060 MOV 9 0
0061 KSHORT 10 7
0062 CALL 8 2 3
0063 KSHORT 9 50 //2
0064 CALL 7 2 3
0065 GGET 8 2 ; "bit"
0066 TGETS 8 8 3 ; "bxor"
0067 GGET 9 4 ; "by"
0068 MOV 10 0
0069 KSHORT 11 8
0070 CALL 9 2 3
0071 KSHORT 10 51 //3
0072 CALL 8 2 3
0073 GGET 9 2 ; "bit"
0074 TGETS 9 9 3 ; "bxor"
0075 GGET 10 4 ; "by"
0076 MOV 11 0
0077 KSHORT 12 9
0078 CALL 10 2 3
0079 KSHORT 11 52 //4
0080 CALL 9 2 3
0081 GGET 10 2 ; "bit"
0082 TGETS 10 10 3 ; "bxor"
0083 GGET 11 4 ; "by"
0084 MOV 12 0
0085 KSHORT 13 10
0086 CALL 11 2 3
0087 KSHORT 12 53 //5
0088 CALL 10 2 3
0089 GGET 11 2 ; "bit"
0090 TGETS 11 11 3 ; "bxor"
0091 GGET 12 4 ; "by"
0092 MOV 13 0
0093 KSHORT 14 11
0094 CALL 12 2 3
0095 KSHORT 13 54 //6
0096 CALL 11 2 3
0097 GGET 12 2 ; "bit"
0098 TGETS 12 12 3 ; "bxor"
0099 GGET 13 4 ; "by"
0100 MOV 14 0
0101 KSHORT 15 12
0102 CALL 13 2 3
0103 KSHORT 14 55 //7
0104 CALL 12 2 3
0105 MOV 13 1
0106 MOV 14 2
0107 MOV 15 3
0108 MOV 16 4
0109 MOV 17 5
0110 MOV 18 6
0111 MOV 19 7
0112 MOV 20 8
0113 MOV 21 9
0114 MOV 22 10
0115 MOV 23 11
0116 MOV 24 12
0117 RET 13 13
-- BYTECODE -- dump.luac:0-0
0001 GGET 0 0 ; "require"
0002 KSTR 1 1 ; "bit"
0003 CALL 0 1 2
0004 FNEW 0 2 ; dump.luac:0
0005 GSET 0 3 ; "by"
0006 FNEW 0 4 ; dump.luac:0
0007 GSET 0 5 ; "main"
0008 RET0 0 1
可以看出是和pediy1234567异或操作后返回
执行lua函数得到一个buffer,还会和 0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94 异或,
结果在比较是不是 0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94,这些分析在004021C7后面的都能看到
2、具体计算key算法如下:
#include "stdafx.h"
int _tmain(int argc, _TCHAR* argv[])
{
char szPediy[]="pediy1234567";
char szKey[]="123456789012";
unsigned char szTemp[]={0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94};
unsigned char szResult[]={0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94};
int i=0,j=0;
for (i=0;i<12;i++)
{
szKey[i]=szPediy[i]^szTemp[i]^szResult[i];
}
printf("key:%s",szKey);
return 0;
}key:maposafe2017
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
