输入22个字符,拆分成8个串(列表v),构造成树v39, sub_4030E0(&v39, &dword_407E48)比较输入构造的数和407E48是否一样,+0x4为前缀字符串,+88为孩子节点指针,+108为孩子个数,遍历得到:kx |(c7Mk|(ctf|ct9)),再根据sub_401B80:v[1]=c7,v[5]=kx,v[0]=ctf,v[6]=ct9, 唯一长度4的字符v[2]=c7Mk,剩下2长1短穷举:
import itertools, subprocess
from subprocess import Popen, PIPE, STDOUT
def getAllString():
r = []
m3 = ['ctf', 'ct9','c7M']
m2 = ['kx', 'ct', 'c7' ]
v = ['ctf','c7', 'c7Mk', '???', '??', 'kx', 'ct9', '???']
for i in itertools.product([0,1,2], repeat = 2):
v[3] = m3[i[0]]
v[7] = m3[i[1]]
for j in itertools.product([0,1,2], repeat = 1):
v[4] = m2[j[0]]
s = vtos( v )
r.append(s)
return r
def solve():
r = getAllString()
for i in r:
pr = Popen([r'E:\2018CMv4.exe'], stdout=PIPE, stdin=PIPE)
out, err = pr.communicate(input=i)
if out.find('correct') != -1:
print i
def vtos( v ):
s = bytearray(22)
offsets = [13,0,9,4,2,7,16,19]
for i in range(8):
s[offsets[i]:offsets[i] + len(v[i])] = v[i]
return str(s)
solve()
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
