[Original] 2018 CTF Team Competition, Problem 12: Moving Maze
2018-12-24 21:48
Observations
kkHAIKE is busy, so I am writing the writeup on his behalf.
Analyzing the program in IDA shows that it calls a lot of file-handling functions.
Debugging it dynamically in IDA, the output window shows the program loading and unloading KillProcDLL.dll over and over.
In the directory where KillProcDLL.dll lives, the program drops a total of five DLLs into the temp directory.
Running PEiD over the five DLLs shows that Bamer.dll uses AES, so the core logic is probably in Bamer.dll. Opening Bamer.dll in IDA shows that it exports six functions: A, B, C, F, G and P. To find out when the program loads Bamer.dll I set a breakpoint on .text:0040203E call ds:LoadLibraryExA, but one thread keeps loading KillProcDLL.dll, so the breakpoint had to become a conditional one: "C:\Users\pc\AppData\Local\Temp\nsh7002.tmp\KillProcDLL" not in GetManyBytes(GetRegValue("ESI"),100)
Tracing on from there, there is a huge switch/case structure that looks like an interpreter executing code.
IDA also shows the string "Installer integrity check has failed"; a Baidu search shows it is an NSIS message, so the program is NSIS-based and the interpreter must be executing an NSIS script. 7-Zip 15.05 can extract NSIS scripts; comparing against the NSIS source code, I located the code that reads the NSIS script.
The header magic, which is Null in the NSIS source, had been changed to XXXX.
After repairing the file header, the extracted NSIS script is as follows:
```nsis
; NSIS script NSIS-3 BadCmd=11
; Install
SetCompressor zlib
; --------------------
; HEADER SIZE: 27310
; START HEADER SIZE: 300
; MAX STRING LENGTH: 1024
; STRING CHARS: 2264
OutFile [NSIS].exe
!include WinMessages.nsh
; --------------------
; LANG TABLES: 1
; LANG STRINGS: 40
Name "Pediy CTF TSRC 2018"
BrandingText "Pediy CTF TSRC 2018"
; LANG: 1033
LangString LSTR_0 1033 "Pediy CTF TSRC 2018"
LangString LSTR_1 1033 "$(LSTR_2) Setup"
LangString LSTR_2 1033 "Pediy CTF TSRC 2018"
LangString LSTR_5 1033 "Can't write: "
LangString LSTR_8 1033 "Could not find symbol: "
LangString LSTR_9 1033 "Could not load: "
LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?"
LangString LSTR_21 1033 "Extract: "
LangString LSTR_22 1033 "Extract: error writing to file "
LangString LSTR_23 1033 "Installer corrupted: invalid opcode"
LangString LSTR_24 1033 "No OLE for: "
LangString LSTR_25 1033 "Output folder: "
LangString LSTR_29 1033 "Skipped: "
LangString LSTR_30 1033 "Copy Details To Clipboard"
LangString LSTR_36 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file."
LangString LSTR_37 1033 Custom
LangString LSTR_38 1033 Cancel
LangString LSTR_39 1033 &Close
; --------------------
; VARIABLES: 7
Var _0_
Var _1_
Var _2_
Var _3_
Var _4_
Var _5_
Var _6_
InstType $(LSTR_37) ; Custom
; wininit = $WINDIR\wininit.ini
; --------------------
; PAGES: 1
; Page 0
Page custom func_747 "" /ENABLECANCEL
; --------------------
; SECTIONS: 1
; COMMANDS: 838
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Invalid
Function func_46
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Push $1
  Push $2
  StrCpy $2 1
label_52:
  IntFmt $1 %c $2
  StrCmpS $1 $0 0 label_56
  StrCpy $0 $2
  Goto label_59
label_56:
  IntOp $2 $2 + 1
  StrCmp $2 255 0 label_52
  StrCpy $0 0
label_59:
  Pop $2
  Pop $1
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Return
  KillProcDLL::KillProc ida ; Call Initialize_____Plugins ; SetOverwrite off ; File $PLUGINSDIR\KillProcDLL.dll ; SetDetailsPrint lastused ; Push ida ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc Olly ; Call Initialize_____Plugins ; AllowSkipFiles off ; File $PLUGINSDIR\KillProcDLL.dll ; SetDetailsPrint lastused ; Push Olly ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc OD ; Call Initialize_____Plugins ; File $PLUGINSDIR\KillProcDLL.dll ; SetDetailsPrint lastused ; Push OD ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc dbg ; Call Initialize_____Plugins ; File $PLUGINSDIR\KillProcDLL.dll ; SetDetailsPrint lastused ; Push dbg ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
FunctionEnd
Function func_86
  Exch $R8 ; Push $R8 ; Exch ; Pop $R8
  StrLen $8 JTZmLD/8Sh6MOmd=
  Bamer::B JTZmLD/8Sh6MOmd= $8 ; Call Initialize_____Plugins ; AllowSkipFiles on ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $8 ; Push JTZmLD/8Sh6MOmd= ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R9
  StrLen $R7 $R8
  IntCmp $R7 11 label_99 label_120 label_120
label_99:
  IntOp $R6 0 + 0
label_100:
  StrCpy $R1 $R8 1 $R6
  Push $R1
  Call func_46
  Pop $R1
  IntOp $R2 $R1 ^ 0x17
  IntOp $R3 $R2 - $R6
  StrCpy $R4 $R9 1 $R6
  Push $R4
  Call func_46
  Pop $R4
  IntCmp $R3 $R4 0 label_120 label_120
  StrCmp $R6 10 0 label_113
  Goto label_115
label_113:
  IntOp $R6 $R6 + 1
  Goto label_100
label_115:
  StrCpy $0 True
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Return
label_120:
  StrCpy $0 False
  Exch $0 ; Push $0 ; Exch ; Pop $0
FunctionEnd
Function func_125
  Exch $0 ; Push $0 ; Exch ; Pop $0
  StrCpy $1 $000010
  Exch $1 ; Push $1 ; Exch ; Pop $1
FunctionEnd
Function func_133
  Exch $0 ; Push $0 ; Exch ; Pop $0
  StrLen $1 $0
  IntCmp $1 11 0 label_609 label_609
  StrCpy $1 $0 1 0
  StrCpy $2 $0 1 1
  StrCpy $3 $0 1 2
  StrCpy $4 $0 1 3
  StrCpy $5 $0 1 4
  StrCpy $6 $0 1 5
  StrCpy $7 $0 1 6
  StrCpy $8 $0 1 7
  StrCpy $9 $0 1 8
  StrCpy $_4_ $0 1 9
  StrCpy $_5_ $0 1 10
  Push $1
  Call func_46
  Pop $1
  Push $2
  Call func_46
  Pop $2
  Push $3
  Call func_46
  Pop $3
  Push $4
  Call func_46
  Pop $4
  Push $5
  Call func_46
  Pop $5
  Push $6
  Call func_46
  Pop $6
  Push $7
  Call func_46
  Pop $7
  Push $8
  Call func_46
  Pop $8
  Push $9
  Call func_46
  Pop $9
  Push $_4_
  Call func_46
  Pop $_4_
  Push $_5_
  Call func_46
  Pop $_5_
  IntOp $R2 $1 * 18334
  IntOp $R3 $2 * 19371
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 15568
  IntOp $R3 $4 * 19321
  IntOp $R4 $3 * 17784
  IntOp $R2 $R2 - $R4
  IntOp $R5 $R2 * 21534
  IntOp $R5 $4 * 21534
  IntOp $R3 $4 * 18321
  IntOp $R2 $R2 + $R5
  IntOp $R4 $R4 * 11321
  IntOp $R3 $9 * 16158
  IntOp $R6 $5 * 23633
  IntOp $R5 $_5_ * 18278
  IntOp $R7 $6 * 16027
  IntOp $R8 $7 * 18430
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 15917
  IntOp $R9 $8 * 24544
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $R3 * 25621
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 - $R8
  IntOp $R5 $R2 * 33321
  IntOp $R2 $R2 + $R4
  IntOp $R4 $R3 * 25321
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 12345
  IntOp $R2 $1 * 19292
  IntOp $R4 $3 * 17677
  IntOp $R5 $4 * 18327
  IntOp $R9 $8 * 20472
  IntOp $R6 $5 * 19344
  IntOp $R3 $2 * 21770
  IntOp $R7 $6 * 16593
  IntOp $R8 $7 * 20094
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntOp $R2 $R2 + $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $9 * 19029
  IntOp $R4 $_4_ * 16001
  IntOp $R5 $_5_ * 20980
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5295553 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 24396
  IntOp $R2 $1 * 23630
  IntOp $R3 $2 * 23633
  IntOp $R6 $5 * 17525
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 24865
  IntOp $R4 $_4_ * 22272
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 18068
  IntOp $R2 $R2 + $R5
  IntOp $R2 0 + 0
  IntOp $R9 $8 * 24749
  IntOp $R3 $2 * 17754
  IntOp $R5 $4 * 24365
  IntOp $R6 $5 * 20645
  IntOp $R2 $1 * 17901
  IntOp $R7 $6 * 20553
  IntOp $R4 $3 * 22962
  IntOp $R8 $7 * 21906
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 - $R7
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R6
  IntOp $R3 $9 * 20195
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 20968
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 17780
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5518223 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 24396
  IntOp $R2 $1 * 23630
  IntOp $R3 $2 * 23633
  IntOp $R6 $5 * 17525
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 24865
  IntOp $R4 $_4_ * 22272
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 18068
  IntOp $R2 $R2 + $R5
  IntCmp $R2 6649741 0 label_609 label_609
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R5 $4 * 21286
  IntOp $R2 $1 * 17723
  IntOp $R4 $3 * 22913
  IntOp $R3 $2 * 22504
  IntOp $R6 $5 * 16384
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R6
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15349
  IntOp $R3 $9 * 17180
  IntOp $R4 $_4_ * 20872
  IntOp $R8 $7 * 22234
  IntOp $R9 $8 * 23057
  IntOp $R2 $R2 + $R7
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 - $R4
  IntOp $R5 $_5_ * 22229
  IntOp $R2 $R2 + $R5
  IntCmp $R2 4482135 0 label_609 label_609
  IntOp $R2 $1 * 18536
  IntOp $R9 $8 * 15487
  IntOp $R7 $6 * 23787
  IntOp $R8 $7 * 23788
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 - $R7
  IntOp $R6 $5 * 15180
  IntOp $R3 $2 * 18849
  IntOp $R2 $R2 + $R6
  IntOp $R4 $3 * 19901
  IntOp $R2 $R2 + $R3
  IntOp $R3 $9 * 16571
  IntOp $R5 $4 * 18443
  IntOp $R2 $R2 - $R5
  IntOp $R5 $_5_ * 17695
  IntOp $R2 $R2 - $R4
  IntOp $R4 $_4_ * 15420
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $1 * 18536
  IntOp $R9 $8 * 15487
  IntOp $R7 $6 * 23787
  IntOp $R8 $7 * 23788
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 - $R7
  IntOp $R6 $5 * 15180
  IntOp $R3 $2 * 18849
  IntOp $R2 $R2 + $R6
  IntOp $R4 $3 * 19901
  IntOp $R2 $R2 + $R3
  IntOp $R3 $9 * 16571
  IntOp $R5 $4 * 18443
  IntOp $R2 $R2 - $R5
  IntOp $R5 $_5_ * 17695
  IntOp $R2 $R2 - $R4
  IntOp $R4 $_4_ * 15420
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntCmp $R2 5135079 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R9
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R6
  IntOp $R3 $R2 * 17228
  IntOp $R2 $1 * 20282
  IntOp $R3 $2 * 21583
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 18830
  IntOp $R2 $R2 + $R4
  IntOp $R5 $4 * 24997
  IntOp $R2 $R2 + $R5
  IntOp $R6 $5 * 17723
  IntOp $R2 $R2 + $R6
  IntOp $R7 $6 * 24278
  IntOp $R2 $R2 - $R7
  IntOp $R8 $7 * 22517
  IntOp $R2 $R2 - $R8
  IntOp $R9 $8 * 20548
  IntOp $R2 $R2 + $R9
  IntOp $R3 $9 * 24963
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 19274
  IntOp $R2 $R2 - $R4
  IntOp $R5 $_5_ * 18086
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5299343 0 label_609 label_609
  IntOp $R2 $1 * 22035
  IntOp $R3 $2 * 23475
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 16349
  IntOp $R3 $R2 * 17228
  IntOp $R5 $4 * 18849
  IntOp $R2 $R2 - $R4
  IntOp $R6 $5 * 22560
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R9
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R6
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 15110
  IntOp $R2 $R2 - $R3
  IntOp $R4 $_4_ * 21024
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 21705
  IntOp $R2 $R2 + $R5
  IntCmp $R2 11895342 0 label_609 label_609
  IntOp $R2 $1 * 17297
  IntOp $R5 $R3 ^ 18614
  IntOp $R3 $R5 * 20004
  IntOp $R3 $4 * 20004
  IntOp $R4 $R3 * 10014
  IntOp $R4 $3 * 20329
  IntOp $R5 $R1 * 18614
  IntOp $R5 $4 * 24185
  IntOp $R6 $5 * 24637
  IntOp $R2 $R5 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R7 $6 * 15223
  IntOp $R8 $R2 * 15223
  IntOp $R8 $7 * 19192
  IntOp $R2 $R2 - $R5
  IntOp $R9 $1 * 23539
  IntOp $R2 $R2 - $R6
  IntOp $R3 $R2 * 22104
  IntOp $R2 $R2 - $R7
  IntOp $R3 $R2 * 33304
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 20004
  IntOp $R3 $9 * 23170
  IntOp $R4 $_4_ * 17101
  IntOp $R5 $_5_ * 16781
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 + $R5
  IntOp $R2 $1 * 18334
  IntOp $R3 $2 * 19371
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 15568
  IntOp $R3 $4 * 19321
  IntOp $R4 $3 * 17784
  IntOp $R2 $R2 - $R4
  IntOp $R5 $R2 * 21534
  IntOp $R5 $4 * 21534
  IntOp $R3 $4 * 18321
  IntOp $R2 $R2 + $R5
  IntOp $R4 $R4 * 11321
  IntOp $R3 $9 * 16158
  IntOp $R6 $5 * 23633
  IntOp $R5 $_5_ * 18278
  IntOp $R7 $6 * 16027
  IntOp $R8 $7 * 18430
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 15917
  IntOp $R9 $8 * 24544
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $R3 * 25621
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 - $R8
  IntOp $R5 $R2 * 33321
  IntOp $R2 $R2 + $R4
  IntOp $R4 $R3 * 25321
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 12345
  IntCmp $R2 4549415 0 label_609 label_609
  IntOp $R2 $1 * 20198
  IntOp $R3 $2 * 22945
  IntOp $R8 $R3 * 23321
  IntOp $R4 $3 * 23807
  IntOp $R7 $R3 * 17621
  IntOp $R5 $4 * 17050
  IntOp $R6 $5 * 21682
  IntOp $R2 $R2 + $R3
  IntOp $R7 $6 * 16136
  IntOp $R8 $R3 * 35621
  IntOp $R2 $R2 - $R5
  IntOp $R8 $7 * 23014
  IntOp $R9 $8 * 19532
  IntOp $R2 $R2 + $R4
  IntOp $R3 $9 * 19020
  IntOp $R4 $_4_ * 23750
  IntOp $R5 $R3 * 25621
  IntOp $R5 $_5_ * 19323
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 + $R9
  IntCmp $R2 5344900 0 label_609 label_609
  IntOp $R3 $2 * 10086
  IntOp $R2 $1 * 18800
  IntOp $R3 $2 * 15632
  IntOp $R5 $3 * 22359
  IntOp $R2 $R2 - $R3
  IntOp $R4 $3 * 23898
  IntOp $R5 $R4 * 22359
  IntOp $R2 $R2 + $R4
  IntOp $R5 $4 * 22359
  IntOp $R3 $9 * 21734
  IntOp $R2 $R2 + $R3
  IntOp $R3 $5 * 22386
  IntOp $R2 $R2 + $R5
  IntOp $R6 $5 * 20855
  IntOp $R2 $R2 + $R6
  IntOp $R7 $6 * 16366
  IntOp $R2 $R2 + $R7
  IntOp $R3 $5 * 14486
  IntOp $R8 $7 * 15562
  IntOp $R4 $_4_ * 21130
  IntOp $R3 $5 * 22336
  IntOp $R5 $_5_ * 20089
  IntOp $R9 $8 * 21845
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 + $R4
  IntOp $R3 $5 * 2556
  IntOp $R2 $R2 + $R5
  IntCmp $R2 15581697 0 label_609 label_609
  IntOp $R2 $1 * 17297
  IntOp $R5 $R3 ^ 18614
  IntOp $R3 $R2 * 20004
  IntOp $R3 $2 * 20004
  IntOp $R4 $R3 * 10014
  IntOp $R4 $3 * 20329
  IntOp $R5 $R3 * 18614
  IntOp $R5 $4 * 24185
  IntOp $R6 $5 * 24637
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R7 $6 * 15223
  IntOp $R8 $R7 * 15223
  IntOp $R8 $7 * 19192
  IntOp $R2 $R2 - $R5
  IntOp $R9 $8 * 23539
  IntOp $R2 $R2 - $R6
  IntOp $R3 $R2 * 22104
  IntOp $R2 $R2 - $R7
  IntOp $R3 $R2 * 33304
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 20004
  IntOp $R3 $9 * 23170
  IntOp $R4 $_4_ * 17101
  IntOp $R5 $_5_ * 16781
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 + $R5
  IntCmp $R2 1259535 0 label_609 label_609
  StrCpy $0 True
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Return
label_609:
  StrCpy $0 False
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Return
FunctionEnd
Function func_615
  Exch $0 ; Push $0 ; Exch ; Pop $0
  Push $R0
  Push $R0
  Push $R2
  IntOp $R0 0 + 0
  IntOp $R1 $R0 + 10
  IntOp $R2 $R1 + 0x4A
  StrCpy $1 $0 7 0
  IntFmt $R0 %c $R2
  StrCpy $2 $1$R0
  IntFmt $R2 %c 0x6f
  StrCpy $2 $2$R2
  StrCpy $1 $2 1 1
  StrCpy $3 $0 4 7
  StrCpy $4 $2$3
  IntFmt $R0 %c 0x46
  IntFmt $R1 %c 0x75
  IntFmt $R2 %c 0x6e
  StrCpy $5 $4$R0$R1$R2
  Pop $R2
  Pop $R1
  Pop $R0
  Exch $5 ; Push $5 ; Exch ; Pop $5
  Return
  System::Call user32::GetWindowText(p$_1_,t.s,i1024) ; Call Initialize_____Plugins ; File $PLUGINSDIR\System.dll ; SetDetailsPrint lastused ; Push user32::GetWindowText(p$_1_,t.s,i1024) ; CallInstDLL $PLUGINSDIR\System.dll Call
  Pop $0
  StrCpy $_3_ $0
  Bamer::P $0 ; Call Initialize_____Plugins ; AllowSkipFiles off ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $0 ; CallInstDLL $PLUGINSDIR\Bamer.dll P
  Pop $R0
  StrCmp $R0 0 0 label_658
  Goto label_737
label_658:
  StrLen $1 $0
  IntCmp $1 100 0 label_737 label_737
  Bamer::B $0 $1 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $1 ; Push $0 ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $2
  StrCpy $3 $2 11 0
  Push $3
  Call func_86
  Pop $R0
  StrCmp $R0 False 0 label_673
  Goto label_737
label_673:
  Push $3
  Call func_125
  Pop $3
  StrCpy $4 $2 64 11
  StrLen $R0 $4
  StrCmp $R0 64 label_680
  Goto label_737
label_680:
  Bamer::A $4 64 $3 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $3 ; Push 64 ; Push $4 ; CallInstDLL $PLUGINSDIR\Bamer.dll A
  Pop $R0
  StrCmp $R0 0 0 label_690
  Goto label_737
label_690:
  Pop $R1
  StrCpy $5 $R1 11 0
  StrCpy $_6_ $5
  Push $5
  Call func_133
  Pop $R0
  StrCmp $R0 False 0 label_698
  Goto label_737
label_698:
  StrCpy $6 $R1 53 11
  Bamer::C 36 4 $6 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $6 ; Push 4 ; Push 36 ; CallInstDLL $PLUGINSDIR\Bamer.dll C
  Pop $R2
  Push $_6_
  Call func_615
  Pop $5
  Bamer::G $5 $R2 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $R2 ; Push $5 ; CallInstDLL $PLUGINSDIR\Bamer.dll G
  Pop $R0
  StrCmp $R0 0 0 label_719
  Goto label_737
label_719:
  Bamer::F $_3_ ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $_3_ ; CallInstDLL $PLUGINSDIR\Bamer.dll F
  Pop $R0
  StrCmp $R0 0 0 label_727
  Goto label_737
label_727:
  StrLen $R1 XX+2IHcragE=
  Bamer::B XX+2IHcragE= $R1 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $R1 ; Push XX+2IHcragE= ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R2
  MessageBox MB_OK $R2
  Return
label_737:
  StrLen $R1 U0JtakdiZX6wc1UxIR==
  Bamer::B U0JtakdiZX6wc1UxIR== $R1 ; Call Initialize_____Plugins ; File $PLUGINSDIR\Bamer.dll ; SetDetailsPrint lastused ; Push $R1 ; Push U0JtakdiZX6wc1UxIR== ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R2
  MessageBox MB_OK|MB_ICONINFORMATION $R2
FunctionEnd
Function func_747 ; Page 0, Pre
  nsDialogs::Create 1018 ; Call Initialize_____Plugins ; AllowSkipFiles on ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push 1018 ; CallInstDLL $PLUGINSDIR\nsDialogs.dll Create
  Pop $_0_
  nsDialogs::CreateControl STATIC 0x40000000|0x10000000|0x04000000|0x00000100 0x00000020 0u 0u 100% 12u Serial: ; Call Initialize_____Plugins ; AllowSkipFiles off ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push Serial: ; Push 12u ; Push 100% ; Push 0u ; Push 0u ; Push 0x00000020 ; Push 0x40000000|0x10000000|0x04000000|0x00000100 ; Push STATIC ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  nsDialogs::CreateControl EDIT 0x40000000|0x10000000|0x04000000|0x00010000|0x00000080 0x00000100|0x00000200 0u 20u 100% 12u "" ; Call Initialize_____Plugins ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push "" ; Push 12u ; Push 100% ; Push 20u ; Push 0u ; Push 0x00000100|0x00000200 ; Push 0x40000000|0x10000000|0x04000000|0x00010000|0x00000080 ; Push EDIT ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  Pop $_1_
  SendMessage $_1_ 0x00C5 110 0
  nsDialogs::CreateControl BUTTON 0x40000000|0x10000000|0x04000000|0x00010000 0 25% 52u 50% 14u Check ; Call Initialize_____Plugins ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push Check ; Push 14u ; Push 50% ; Push 52u ; Push 25% ; Push 0 ; Push 0x40000000|0x10000000|0x04000000|0x00010000 ; Push BUTTON ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  Pop $_2_
  Push $0
  Push $1
  StrCpy $1 $_2_
  StrCpy $0 644
  nsDialogs::OnClick $1 $0 ; Call Initialize_____Plugins ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push $0 ; Push $1 ; CallInstDLL $PLUGINSDIR\nsDialogs.dll OnClick
  Pop $1
  Pop $0
  Push $0
  StrCpy $0 66
  nsDialogs::CreateTimer $0 1000 ; Call Initialize_____Plugins ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; Push 1000 ; Push $0 ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateTimer
  Pop $0
  nsDialogs::Show ; Call Initialize_____Plugins ; File $PLUGINSDIR\nsDialogs.dll ; SetDetailsPrint lastused ; CallInstDLL $PLUGINSDIR\nsDialogs.dll Show
FunctionEnd
Function .onInit
  InitPluginsDir ; Call Initialize_____Plugins ; SetDetailsPrint lastused
  SetOutPath $PLUGINSDIR
  SetOverwrite on
  AllowSkipFiles on
  File msvcr100.dll
FunctionEnd
Section ; Section_0
SectionEnd
/*
Function Initialize_____Plugins
  SetDetailsPrint none
  StrCmp $PLUGINSDIR "" 0 label_834
  Push $0
  SetErrors
  GetTempFileName $0
  Delete $0
  CreateDirectory $0 ; !!!! Unknown Params: $0 "" ProgramFilesDir ; 100 0 1
  IfErrors label_835
  StrCpy $PLUGINSDIR $0
  Pop $0
label_834:
  Return
label_835:
  MessageBox MB_OK|MB_ICONSTOP "Error! Can't initialize plug-ins directory. Please try again later." /SD IDOK
  Quit
FunctionEnd
*/
; --------------------
; UNREFERENCED STRINGS:
/*
17 CommonFilesDir
32 "C:\Program Files"
49 $PROGRAMFILES
53 "$PROGRAMFILES\Common Files"
70 $COMMONFILES
90 -1
95 -$R0
*/
```
Program flow analysis
The program keeps calling KillProc in KillProcDLL.dll (from the timer callback, with the names ida, Olly, OD and dbg) to kill IDA and OllyDbg, although for some reason it never managed to close my IDA. Clicking the Check button calls Call in System.dll to run user32::GetWindowText(p$_1_,t.s,i1024) and read the user's input. Function P in Bamer.dll then checks that the input consists only of 0-9, a-z and A-Z, the length is checked to be exactly 100, and the input is transformed with function B in Bamer.dll (a modified Base64 with an extra XOR). The first 11 characters of the result are then checked by func_86, which can be inverted like this:
```python
def dec11():
    # b64dec() is the Bamer::B decoder (a modified Base64 with an extra XOR),
    # lifted from Bamer.dll; it is not reproduced here and returns bytes.
    tmp = b64dec("JTZmLD/8Sh6MOmd=")
    ret = ""
    for i in range(len(tmp)):
        # func_86 requires (input[i] ^ 0x17) - i == tmp[i]; invert that
        ret += chr((tmp[i] + i) ^ 0x17)
    return ret
```
So the first 11 characters of the decoded input must be 2018TSCRCTF. With 00010 appended (func_125) this becomes the key 2018TSCRCTF00010, which is passed to function A in Bamer.dll. A is a modified AES; we simply pulled the round keys out of the debugger. The order of the XORs in the initial and final AddRoundKey of the decryption has been changed, and the middle-round XOR also swaps the third and fourth columns. A decrypts the 64 bytes, and the first 11 decrypted bytes are passed to func_133 for checking; a z3 script over its constraints yields WelcomeHave. The remaining 53 bytes go to function C in Bamer.dll, which converts them from base 36 to base 4 (upper- and lower-case letters are equivalent). That result, together with WelcomeToHaveFun (WelcomeHave transformed by func_615), is passed to function G in Bamer.dll for checking: WelcomeToHaveFun is the key used to decrypt the map, and the base-4 digits drive the movement of letters around the maze inside G.
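The func_133 step is easier to solve if its arithmetic is never hand-translated at all. The following is an added example (not part of this writeup or the challenge): a small evaluator for the IntOp/IntCmp statements exactly as 7-Zip prints them, fed a verbatim excerpt of func_133 from the script above (everything from its first IntOp up to the second IntCmp; the rest of the function body can be pasted in the same way to cover all eleven comparisons). Because it replays every dead store and register reuse, the obfuscation does not have to be understood first. Assumed NSIS semantics: unset variables read as 0 and IntOp is 32-bit signed arithmetic; the `const` hook is my own addition so that the same loop can run on solver symbols instead of integers.

```python
# Added example: evaluate 7-Zip-decompiled NSIS IntOp/IntCmp text directly.
# FUNC_133_EXCERPT is copied verbatim from func_133 above (first IntOp through
# the second IntCmp); the rest of the function can be appended the same way.
FUNC_133_EXCERPT = """
IntOp $R2 $1 * 18334 IntOp $R3 $2 * 19371 IntOp $R2 $R2 + $R3 IntOp $R4 $3 * 15568
IntOp $R3 $4 * 19321 IntOp $R4 $3 * 17784 IntOp $R2 $R2 - $R4 IntOp $R5 $R2 * 21534
IntOp $R5 $4 * 21534 IntOp $R3 $4 * 18321 IntOp $R2 $R2 + $R5 IntOp $R4 $R4 * 11321
IntOp $R3 $9 * 16158 IntOp $R6 $5 * 23633 IntOp $R5 $_5_ * 18278 IntOp $R7 $6 * 16027
IntOp $R8 $7 * 18430 IntOp $R2 $R2 + $R3 IntOp $R4 $_4_ * 15917 IntOp $R9 $8 * 24544
IntOp $R2 $R2 - $R6 IntOp $R2 $R2 + $R7 IntOp $R3 $R3 * 25621 IntOp $R2 $R2 + $R5
IntOp $R2 $R2 - $R8 IntOp $R5 $R2 * 33321 IntOp $R2 $R2 + $R4 IntOp $R4 $R3 * 25321
IntOp $R2 $R2 - $R9 IntOp $R3 $R2 * 12345 IntOp $R2 $1 * 19292 IntOp $R4 $3 * 17677
IntOp $R5 $4 * 18327 IntOp $R9 $8 * 20472 IntOp $R6 $5 * 19344 IntOp $R3 $2 * 21770
IntOp $R7 $6 * 16593 IntOp $R8 $7 * 20094 IntOp $R2 $R2 - $R8 IntOp $R2 $R2 + $R9
IntOp $R2 $R2 + $R3 IntOp $R2 $R2 + $R4 IntOp $R2 $R2 - $R5 IntOp $R2 $R2 + $R6
IntOp $R2 $R2 + $R7 IntOp $R3 $9 * 19029 IntOp $R4 $_4_ * 16001 IntOp $R5 $_5_ * 20980
IntOp $R2 $R2 - $R3 IntOp $R2 $R2 + $R4 IntOp $R2 $R2 - $R5
IntCmp $R2 5295553 0 label_609 label_609
IntOp $R3 $R2 * 17228 IntOp $R4 $R2 * 17228 IntOp $R2 $R2 + $R5 IntOp $R5 $R3 * 17228
IntOp $R7 $6 * 19397 IntOp $R3 $R2 * 17228 IntOp $R8 $7 * 21857 IntOp $R3 $R2 * 17228
IntOp $R9 $8 * 23641 IntOp $R2 $R2 + $R8 IntOp $R3 $R2 * 17228 IntOp $R8 $7 * 24396
IntOp $R2 $1 * 23630 IntOp $R3 $2 * 23633 IntOp $R6 $5 * 17525 IntOp $R4 $3 * 18077
IntOp $R5 $4 * 15076 IntOp $R2 $R2 - $R3 IntOp $R2 $R2 - $R4 IntOp $R2 $R2 + $R5
IntOp $R7 $6 * 15510 IntOp $R2 $R2 + $R8 IntOp $R9 $8 * 24273 IntOp $R2 $R2 - $R6
IntOp $R2 $R2 + $R9 IntOp $R2 $R2 - $R7 IntOp $R3 $9 * 24865 IntOp $R4 $_4_ * 22272
IntOp $R2 $R2 + $R3 IntOp $R2 $R2 + $R4 IntOp $R5 $_5_ * 18068 IntOp $R2 $R2 + $R5
IntOp $R2 0 + 0 IntOp $R9 $8 * 24749 IntOp $R3 $2 * 17754 IntOp $R5 $4 * 24365
IntOp $R6 $5 * 20645 IntOp $R2 $1 * 17901 IntOp $R7 $6 * 20553 IntOp $R4 $3 * 22962
IntOp $R8 $7 * 21906 IntOp $R2 $R2 + $R3 IntOp $R2 $R2 - $R7 IntOp $R2 $R2 + $R8
IntOp $R2 $R2 + $R4 IntOp $R2 $R2 - $R5 IntOp $R2 $R2 + $R9 IntOp $R2 $R2 - $R6
IntOp $R3 $9 * 20195 IntOp $R2 $R2 + $R3 IntOp $R4 $_4_ * 20968 IntOp $R2 $R2 + $R4
IntOp $R5 $_5_ * 17780 IntOp $R2 $R2 - $R5
IntCmp $R2 5518223 0 label_609 label_609
"""

# func_133 copies input characters 0..10 into these variables and runs func_46
# on each one, so they hold the characters' ordinals when the arithmetic starts.
CHAR_SLOTS = ["$1", "$2", "$3", "$4", "$5", "$6", "$7", "$8", "$9", "$_4_", "$_5_"]

OPS = {
    "+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
    "^": lambda a, b: a ^ b, "&": lambda a, b: a & b, "|": lambda a, b: a | b,
    "<<": lambda a, b: a << b, ">>": lambda a, b: a >> b,
}


def int32(v):
    """NSIS IntOp works on 32-bit signed integers; wrap plain ints the same way
    (solver expressions pass through untouched)."""
    return (v + 2**31) % 2**32 - 2**31 if isinstance(v, int) else v


def run_intops(text, chars, const=int):
    """Execute the IntOp statements in `text` and return the (lhs, rhs) pair that
    every IntCmp compares. `chars` are the 11 ordinals; `const` builds literals,
    so passing e.g. lambda v: z3.BitVecVal(v, 32) together with z3.BitVec chars
    yields symbolic constraints instead of numbers."""
    env = dict(zip(CHAR_SLOTS, chars))
    env.update({f"$R{i}": const(0) for i in range(10)})  # registers start empty (0)

    def val(tok):
        return env[tok] if tok.startswith("$") else const(int(tok, 0))

    toks = text.split()
    checks, i = [], 0
    while i < len(toks):
        if toks[i] == "IntOp":
            dst, a, op, b = toks[i + 1:i + 5]
            env[dst] = int32(OPS[op](val(a), val(b)))
            i += 5
        elif toks[i] == "IntCmp":
            # IntCmp a b jump_if_equal jump_if_less jump_if_more: in this script the
            # equal branch falls through and the other two go to the failure label.
            checks.append((val(toks[i + 1]), val(toks[i + 2])))
            i += 3
            while i < len(toks) and toks[i] not in ("IntOp", "IntCmp"):
                i += 1  # skip the jump targets
        else:
            raise ValueError(f"unsupported statement: {toks[i]}")
    return checks


def check_prefix(candidate, text=FUNC_133_EXCERPT):
    """func_133's verdict on an 11-character string, for the IntCmps present in `text`."""
    if len(candidate) != 11:
        return False
    return all(a == b for a, b in run_intops(text, [ord(c) for c in candidate]))


if __name__ == "__main__":
    for s in ("WelcomeHave", "WelcomeHavf"):
        print(s, check_prefix(s))
```

To solve rather than check, call `run_intops` with `chars=[z3.BitVec(f"c{i}", 32) for i in range(11)]` and `const=lambda v: z3.BitVecVal(v, 32)`, add `lhs == rhs` for each returned pair plus a printable-range bound on every character, and paste the whole func_133 body instead of the excerpt; the same evaluator then produces the eleven constraints that give WelcomeHave.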
The maze inside G, with the start and end coordinates of each letter:

```text
...........B
.R...Y..A...
............
.....DG..R..
............
......B.S...
............
.......D....
.......P....
......Y.....
.......G..S.
.....P...A..
```

```python
aa = 'ABDGPRSY'
# raw bytes as found; each byte packs y in the high nibble and x in the low nibble
#bb = '\x18\x0b56\x87\x11X\x15\x00\x00\x8dv'
bb = [(8, 1), (11, 0), (5, 3), (6, 3), (7, 8), (1, 1), (8, 5), (5, 1)]
#cc = '\xb9Vw\xa7\xb59\xaa\x96\x00\x009t'
cc = [(9, 11), (6, 5), (7, 7), (7, 10), (5, 11), (9, 3), (10, 10), (6, 9)]
```

aa is the set of letters.
bb is the start coordinate (x, y) of each letter, i.e. (column, row) in the map above.
cc is the end coordinate of each letter.
The digits that C outputs are moves: 0, 1, 2, 3 mean left, right, up, down.
For each letter, paint cells with that letter starting from its start coordinate until its end coordinate is reached; only '.' cells may be crossed.
For example, once A has been drawn to its end, the following moves draw B, and so on.
At the end the map must be completely filled, with no '.' left.
kkHAIKE solved the maze by hand. The resulting base-4 move string is
1113333333333000000333330033331113033111333030000222222111220000003333333333311111333333333111113112122222222221133333333000333333331111
which converts to the base-36 string 32WSFUPIFV9TYJWWPH14NZZ85YDHXOLO37ATG4IYC4ZCDIKCA7EJ9
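The rules above are short but easy to get subtly wrong (does stepping onto the end cell count as a move, are leftover moves an error, must every cell be painted). The following is an added example, not the author's solver: it replays the hand-derived move string against the map, start and end points from the previous section, and it reproduces the base-36 to base-4 conversion that the writeup attributes to Bamer::C (standard positional conversion, most significant digit first, case-insensitive; that interpretation is an assumption taken from the text) so the 53-character serial chunk and the move string can be checked against each other. The inverse conversion is what turns a hand-solved move string back into the serial chunk.

```python
# Added example: replay the maze rules from the writeup against its map and move string.
# Coordinates are (x, y) = (column, row), matching the bb/cc tuples above.
MAZE = [
    "...........B",
    ".R...Y..A...",
    "............",
    ".....DG..R..",
    "............",
    "......B.S...",
    "............",
    ".......D....",
    ".......P....",
    "......Y.....",
    ".......G..S.",
    ".....P...A..",
]
LETTERS = "ABDGPRSY"
STARTS = [(8, 1), (11, 0), (5, 3), (6, 3), (7, 8), (1, 1), (8, 5), (5, 1)]
ENDS = [(9, 11), (6, 5), (7, 7), (7, 10), (5, 11), (9, 3), (10, 10), (6, 9)]
STEP = {"0": (-1, 0), "1": (1, 0), "2": (0, -1), "3": (0, 1)}  # left, right, up, down

# The 53-char serial chunk and the 136-digit move string from the writeup.
SERIAL_B36 = "32WSFUPIFV9TYJWWPH14NZZ85YDHXOLO37ATG4IYC4ZCDIKCA7EJ9"
SOLUTION_B4 = (
    "1113333333333000000333330033331113033111333030000"
    "222222111220000003333333333311111"
    "3333333331111131121222222222211"
    "33333333000333333331111"
)


def base36_to_base4(s):
    """Bamer::C(36, 4, s) as the writeup describes it: plain radix conversion, MSD first."""
    n, digits = int(s, 36), []
    while n:
        digits.append(str(n % 4))
        n //= 4
    return "".join(reversed(digits)) or "0"


def base4_to_base36(d):
    """Inverse of the above: turn a solved move string back into the serial chunk."""
    n, alphabet, out = int(d, 4), "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ", []
    while n:
        out.append(alphabet[n % 36])
        n //= 36
    return "".join(reversed(out)) or "0"


def replay(moves, maze=MAZE):
    """Apply `moves` under the writeup's rules. Returns (ok, reason, segments, grid),
    where segments[i] is how many moves letter i consumed before reaching its end."""
    grid = [list(row) for row in maze]
    height, width = len(grid), len(grid[0])
    pos, segments = 0, []
    for letter, (x, y), end in zip(LETTERS, STARTS, ENDS):
        if grid[y][x] != letter or grid[end[1]][end[0]] != letter:
            return False, f"{letter}: start/end do not match the map", segments, grid
        used = 0
        while (x, y) != end:
            if pos == len(moves):
                return False, f"ran out of moves while drawing {letter}", segments, grid
            dx, dy = STEP[moves[pos]]
            pos, used = pos + 1, used + 1
            x, y = x + dx, y + dy
            if not (0 <= x < width and 0 <= y < height):
                return False, f"{letter} walked off the map", segments, grid
            if (x, y) != end:  # the end cell already holds the letter
                if grid[y][x] != ".":
                    return False, f"{letter} ran into '{grid[y][x]}' at {(x, y)}", segments, grid
                grid[y][x] = letter
        segments.append(used)
    if pos != len(moves):
        return False, f"{len(moves) - pos} unused moves left over", segments, grid
    if any("." in row for row in grid):
        return False, "map not completely filled", segments, grid
    return True, "ok", segments, grid


if __name__ == "__main__":
    ok, why, segs, grid = replay(base36_to_base4(SERIAL_B36))
    print(ok, why, dict(zip(LETTERS, segs)))
    print("\n".join("".join(row) for row in grid))
```

Running it paints all 144 cells (136 moves plus the 8 fixed start cells), and the per-letter move counts show how the single string is split between letters purely by reaching each end point, which is why a move string that is one digit short or one digit long is rejected even though every step in it is legal.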
Prefixing WelcomeHave to it and encrypting with the (modified) AES gives "\xb7\x39\x5a\xab\x55\x19\xa3\xe8\x0c\xb5\xd2\x51\x25\x08\xbc\xaa\x05\x2d\xf9\x25\x07\x38\x11\xc2\xe9\xce\xaa\x97\xb9\x64\x46\xe7\xfc\xcb\x76\x57\xc0\xa0\x3c\x74\x55\x5e\x3f\x02\x27\x29\x66\x56\xda\x50\xbd\xcc\xfa\xd7\x3f\xeb\x58\xa0\xa4\xda\x05\xf9\xbd\x05"
Finally, prefixing 2018TSCRCTF and applying the (modified) Base64 encoding yields the registration code:
MhAyOFQSR2JDUEb0OUopUQkh5Ax23nEnCLxoBT06JRd7EdLrwooWsXQG68wLcneAqDy3UU78AgdrYnabVL0M9vd852girNqF9a3F