1. After a lot of back and forth I got the result: BwnsAtPediy2017KX9Ok. Adding a few spaces makes it fairly clear what the author meant: Bwns At Pediy 2017 KX 9 Ok
2. The one thing I could not guess right away was what Bwns stands for. After thinking about it for 10 minutes, I believe it should be: 白袜女神 (pinyin initials B-W-N-S)
3. 白袜女神's crackme is quite interesting, but why does it not run on Win7 x64, and why is it so fond of XOR 0xCC?
4. The key point is that the 0x1AA bytes of code at 0x411B30 have to be SMC-decoded before they execute. Following the check algorithm, I wrote this code:
#include <stdio.h>

/* Win32-style type names used in the original; defined here so the code
   also builds outside of windows.h. */
typedef unsigned char BYTE;
typedef unsigned long DWORD;

/* 64-character alphabet recovered from the binary. */
char *cmtab7 = "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL";
/* 80 two-bit values recovered from the binary: four per key position, 20 positions. */
BYTE cm7r[0x50] = {
    0x02,0x02,0x00,0x03,0x00,0x00,0x02,0x03,0x00,0x01,0x02,0x03,0x02,0x00,0x00,0x02,
    0x02,0x00,0x02,0x02,0x02,0x03,0x02,0x03,0x01,0x00,0x02,0x02,0x02,0x01,0x02,0x03,
    0x02,0x02,0x02,0x01,0x02,0x03,0x02,0x03,0x02,0x01,0x00,0x03,0x02,0x02,0x02,0x02,
    0x02,0x02,0x00,0x03,0x01,0x02,0x02,0x03,0x02,0x00,0x00,0x02,0x02,0x02,0x02,0x02,
    0x00,0x00,0x00,0x02,0x01,0x00,0x02,0x02,0x02,0x03,0x00,0x02,0x01,0x00,0x00,0x03
};
BYTE t[0x40];   /* alphabet XOR 0xCC, as the binary stores it (not needed for the search below) */
BYTE r[0x14];   /* expected alphabet character for each of the 20 key positions */

void testcm07()
{
    DWORD i,j,k;
    BYTE c;
    BYTE s;
    /* Mirror the binary's XOR 0xCC obfuscation of the alphabet. */
    for (i=0;i<0x40;i++)
    {
        t[i] = cmtab7[i] ^ 0xCC;
    }
    /* Pack four 2-bit values into one byte, then rotate the byte right by 3. */
    for (i=0;i<20;i++)
    {
        r[i] = cm7r[i*4+0] << 6;
        r[i] += cm7r[i*4+1] << 4;
        r[i] += cm7r[i*4+2] << 2;
        r[i] += cm7r[i*4+3];
        r[i] = (r[i] >> 3) | (r[i] << 5);
    }
    /* For key position j, print every alphabet character whose index, after
       j+1 rounds of s = (s + s/5 + 5) % 64, lands on the expected character.
       The index map is not one-to-one, so a position can have several candidates. */
    for (j=0;j<20;j++)
    {
        for (i=0;i<0x40;i++)
        {
            c = cmtab7[i];
            s = i;
            for (k=0;k<j+1;k++)
            {
                s = (s + s/5 + 5) % 0x40;
            }
            if (r[j] == cmtab7[s])
            {
                printf("%c",c);
            }
        }
        printf("\n");
    }
}

int main(void)
{
    testcm07();
    return 0;
}
Running it gives:
B
wj
n
ds
YlA
bt
Pi
He
dcs
Pi
y
25
0go
1a
7B4
rK
JGX
9ID
O
kF
Trying the various combinations, decoding, and checking the resulting disassembly, I finally arrived at a sensible result that runs correctly.
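As an added example (not part of the original post), here is the forward check that the candidate search above inverts, reconstructed from the same two tables: a key passes when every character's alphabet index, after j+1 rounds of the index permutation, lands on the expected character. It assumes the tables faithfully reflect the binary's check; the function name check_key is my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Alphabet and 2-bit-packed expected values, copied from the tables in the post. */
static const char cmtab7[] =
    "EpY07v!Vwb2UnTu5SHP1Oazei9@kRZF8IrdCJcDQKs3mGMlgBqyfNXhAo4x6WjtL";
static const uint8_t cm7r[0x50] = {
    0x02,0x02,0x00,0x03,0x00,0x00,0x02,0x03,0x00,0x01,0x02,0x03,0x02,0x00,0x00,0x02,
    0x02,0x00,0x02,0x02,0x02,0x03,0x02,0x03,0x01,0x00,0x02,0x02,0x02,0x01,0x02,0x03,
    0x02,0x02,0x02,0x01,0x02,0x03,0x02,0x03,0x02,0x01,0x00,0x03,0x02,0x02,0x02,0x02,
    0x02,0x02,0x00,0x03,0x01,0x02,0x02,0x03,0x02,0x00,0x00,0x02,0x02,0x02,0x02,0x02,
    0x00,0x00,0x00,0x02,0x01,0x00,0x02,0x02,0x02,0x03,0x00,0x02,0x01,0x00,0x00,0x03
};

/* Expected alphabet character for key position j: pack four 2-bit values into
   one byte and rotate it right by 3 (the r[] computation from the post). */
static uint8_t expected_at(int j)
{
    uint8_t v = (uint8_t)((cm7r[j * 4] << 6) | (cm7r[j * 4 + 1] << 4) |
                          (cm7r[j * 4 + 2] << 2) | cm7r[j * 4 + 3]);
    return (uint8_t)((v >> 3) | (v << 5));
}

/* check_key (hypothetical name): 1 if the 20-character key passes, 0 otherwise.
   Each character's alphabet index is run through j+1 rounds of s = (s + s/5 + 5) % 64
   and must land on the expected character; wrong length or a character outside the
   alphabet fails immediately. */
int check_key(const char *key)
{
    if (strlen(key) != 20)
        return 0;
    for (int j = 0; j < 20; j++) {
        const char *p = strchr(cmtab7, key[j]);
        if (p == NULL)
            return 0;
        unsigned s = (unsigned)(p - cmtab7);
        for (int k = 0; k < j + 1; k++)
            s = (s + s / 5 + 5) % 0x40;
        if ((uint8_t)cmtab7[s] != expected_at(j))
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("%d\n", check_key("BwnsAtPediy2017KX9Ok")); /* 1: the key from the post */
    printf("%d\n", check_key("ZwnsAtPediy2017KX9Ok")); /* 0: first character altered */
    return 0;
}
```

Because the index map is not one-to-one, other strings built from the per-position candidates printed above also pass; the check only constrains each position to that candidate set.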