[Original] 2018 CTF Team Contest, Challenge 12: Moving Maze
2018-12-24 21:48 5832


Observations

kkHAIKE was busy, so I am writing the write-up on his behalf.
Analyzing the program in IDA shows that it calls many file-handling functions.

Debugging the program dynamically in IDA, the IDA output window shows it repeatedly loading and unloading KillProcDLL.dll.
In the directory containing KillProcDLL.dll (the temp directory), the program had dropped a total of 5 DLL files.
Analyzing the 5 DLLs with PEiD shows that Bamer.dll uses the AES algorithm, so I suspected the core code lives in Bamer.dll. Opening Bamer.dll in IDA shows it exports 6 functions: A, B, C, F, G and P. To see when the program loads Bamer.dll, I set a breakpoint at .text:0040203E call ds:LoadLibraryExA, but a thread kept loading KillProcDLL.dll, so I had to turn it into the conditional breakpoint "C:\Users\pc\AppData\Local\Temp\nsh7002.tmp\KillProcDLL" not in GetManyBytes(GetRegValue("ESI"),100)
Continuing to trace dynamically, I found a huge switch-case structure that looked like an interpreter executing code.
IDA also shows the string Installer integrity check has failed; a Baidu search shows it is an NSIS message, so the program must be built with NSIS and the interpreter must be interpreting an NSIS script. I found online that 7-Zip 15.05 can extract NSIS scripts, and by comparing against the NSIS source code I located the place where the NSIS script is read.

The header signature, which is Null in the source code, had been changed to XXXX.
After repairing the file header, the extracted NSIS script is as follows:

; NSIS script NSIS-3 BadCmd=11
; Install

SetCompressor zlib

; --------------------
; HEADER SIZE: 27310
; START HEADER SIZE: 300
; MAX STRING LENGTH: 1024
; STRING CHARS: 2264

OutFile [NSIS].exe
!include WinMessages.nsh



; --------------------
; LANG TABLES: 1
; LANG STRINGS: 40

Name "Pediy CTF TSRC 2018"
BrandingText "Pediy CTF TSRC 2018"

; LANG: 1033
LangString LSTR_0 1033 "Pediy CTF TSRC 2018"
LangString LSTR_1 1033 "$(LSTR_2) Setup"
LangString LSTR_2 1033 "Pediy CTF TSRC 2018"
LangString LSTR_5 1033 "Can't write: "
LangString LSTR_8 1033 "Could not find symbol: "
LangString LSTR_9 1033 "Could not load: "
LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?"
LangString LSTR_21 1033 "Extract: "
LangString LSTR_22 1033 "Extract: error writing to file "
LangString LSTR_23 1033 "Installer corrupted: invalid opcode"
LangString LSTR_24 1033 "No OLE for: "
LangString LSTR_25 1033 "Output folder: "
LangString LSTR_29 1033 "Skipped: "
LangString LSTR_30 1033 "Copy Details To Clipboard"
LangString LSTR_36 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file."
LangString LSTR_37 1033 Custom
LangString LSTR_38 1033 Cancel
LangString LSTR_39 1033 &Close


; --------------------
; VARIABLES: 7

Var _0_
Var _1_
Var _2_
Var _3_
Var _4_
Var _5_
Var _6_


InstType $(LSTR_37)    ;  Custom
; wininit = $WINDIR\wininit.ini


; --------------------
; PAGES: 1

; Page 0
Page custom func_747 "" /ENABLECANCEL


; --------------------
; SECTIONS: 1
; COMMANDS: 838

  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
  Invalid
Function func_46
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Push $1
  Push $2
  StrCpy $2 1
label_52:
  IntFmt $1 %c $2
  StrCmpS $1 $0 0 label_56
  StrCpy $0 $2
  Goto label_59
label_56:
  IntOp $2 $2 + 1
  StrCmp $2 255 0 label_52
  StrCpy $0 0
label_59:
  Pop $2
  Pop $1
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Return

  KillProcDLL::KillProc ida
    ; Call Initialize_____Plugins
    ; SetOverwrite off
    ; File $PLUGINSDIR\KillProcDLL.dll
    ; SetDetailsPrint lastused
    ; Push ida
    ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc Olly
    ; Call Initialize_____Plugins
    ; AllowSkipFiles off
    ; File $PLUGINSDIR\KillProcDLL.dll
    ; SetDetailsPrint lastused
    ; Push Olly
    ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc OD
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\KillProcDLL.dll
    ; SetDetailsPrint lastused
    ; Push OD
    ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
  KillProcDLL::KillProc dbg
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\KillProcDLL.dll
    ; SetDetailsPrint lastused
    ; Push dbg
    ; CallInstDLL $PLUGINSDIR\KillProcDLL.dll KillProc
FunctionEnd


Function func_86
  Exch $R8
    ; Push $R8
    ; Exch
    ; Pop $R8
  StrLen $8 JTZmLD/8Sh6MOmd=
  Bamer::B JTZmLD/8Sh6MOmd= $8
    ; Call Initialize_____Plugins
    ; AllowSkipFiles on
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $8
    ; Push JTZmLD/8Sh6MOmd=
    ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R9
  StrLen $R7 $R8
  IntCmp $R7 11 label_99 label_120 label_120
label_99:
  IntOp $R6 0 + 0
label_100:
  StrCpy $R1 $R8 1 $R6
  Push $R1
  Call func_46
  Pop $R1
  IntOp $R2 $R1 ^ 0x17
  IntOp $R3 $R2 - $R6
  StrCpy $R4 $R9 1 $R6
  Push $R4
  Call func_46
  Pop $R4
  IntCmp $R3 $R4 0 label_120 label_120
  StrCmp $R6 10 0 label_113
  Goto label_115
label_113:
  IntOp $R6 $R6 + 1
  Goto label_100
label_115:
  StrCpy $0 True
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Return

label_120:
  StrCpy $0 False
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
FunctionEnd


Function func_125
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  StrCpy $1 $000010
  Exch $1
    ; Push $1
    ; Exch
    ; Pop $1
FunctionEnd


Function func_133
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  StrLen $1 $0
  IntCmp $1 11 0 label_609 label_609
  StrCpy $1 $0 1 0
  StrCpy $2 $0 1 1
  StrCpy $3 $0 1 2
  StrCpy $4 $0 1 3
  StrCpy $5 $0 1 4
  StrCpy $6 $0 1 5
  StrCpy $7 $0 1 6
  StrCpy $8 $0 1 7
  StrCpy $9 $0 1 8
  StrCpy $_4_ $0 1 9
  StrCpy $_5_ $0 1 10
  Push $1
  Call func_46
  Pop $1
  Push $2
  Call func_46
  Pop $2
  Push $3
  Call func_46
  Pop $3
  Push $4
  Call func_46
  Pop $4
  Push $5
  Call func_46
  Pop $5
  Push $6
  Call func_46
  Pop $6
  Push $7
  Call func_46
  Pop $7
  Push $8
  Call func_46
  Pop $8
  Push $9
  Call func_46
  Pop $9
  Push $_4_
  Call func_46
  Pop $_4_
  Push $_5_
  Call func_46
  Pop $_5_
  IntOp $R2 $1 * 18334
  IntOp $R3 $2 * 19371
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 15568
  IntOp $R3 $4 * 19321
  IntOp $R4 $3 * 17784
  IntOp $R2 $R2 - $R4
  IntOp $R5 $R2 * 21534
  IntOp $R5 $4 * 21534
  IntOp $R3 $4 * 18321
  IntOp $R2 $R2 + $R5
  IntOp $R4 $R4 * 11321
  IntOp $R3 $9 * 16158
  IntOp $R6 $5 * 23633
  IntOp $R5 $_5_ * 18278
  IntOp $R7 $6 * 16027
  IntOp $R8 $7 * 18430
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 15917
  IntOp $R9 $8 * 24544
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $R3 * 25621
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 - $R8
  IntOp $R5 $R2 * 33321
  IntOp $R2 $R2 + $R4
  IntOp $R4 $R3 * 25321
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 12345
  IntOp $R2 $1 * 19292
  IntOp $R4 $3 * 17677
  IntOp $R5 $4 * 18327
  IntOp $R9 $8 * 20472
  IntOp $R6 $5 * 19344
  IntOp $R3 $2 * 21770
  IntOp $R7 $6 * 16593
  IntOp $R8 $7 * 20094
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntOp $R2 $R2 + $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $9 * 19029
  IntOp $R4 $_4_ * 16001
  IntOp $R5 $_5_ * 20980
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5295553 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 24396
  IntOp $R2 $1 * 23630
  IntOp $R3 $2 * 23633
  IntOp $R6 $5 * 17525
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 24865
  IntOp $R4 $_4_ * 22272
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 18068
  IntOp $R2 $R2 + $R5
  IntOp $R2 0 + 0
  IntOp $R9 $8 * 24749
  IntOp $R3 $2 * 17754
  IntOp $R5 $4 * 24365
  IntOp $R6 $5 * 20645
  IntOp $R2 $1 * 17901
  IntOp $R7 $6 * 20553
  IntOp $R4 $3 * 22962
  IntOp $R8 $7 * 21906
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 - $R7
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 - $R5
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R6
  IntOp $R3 $9 * 20195
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 20968
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 17780
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5518223 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 24396
  IntOp $R2 $1 * 23630
  IntOp $R3 $2 * 23633
  IntOp $R6 $5 * 17525
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 24865
  IntOp $R4 $_4_ * 22272
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 18068
  IntOp $R2 $R2 + $R5
  IntCmp $R2 6649741 0 label_609 label_609
  IntOp $R4 $3 * 18077
  IntOp $R5 $4 * 15076
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15510
  IntOp $R2 $R2 + $R8
  IntOp $R9 $8 * 24273
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 - $R7
  IntOp $R5 $4 * 21286
  IntOp $R2 $1 * 17723
  IntOp $R4 $3 * 22913
  IntOp $R3 $2 * 22504
  IntOp $R6 $5 * 16384
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R6
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R7 $6 * 15349
  IntOp $R3 $9 * 17180
  IntOp $R4 $_4_ * 20872
  IntOp $R8 $7 * 22234
  IntOp $R9 $8 * 23057
  IntOp $R2 $R2 + $R7
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 - $R4
  IntOp $R5 $_5_ * 22229
  IntOp $R2 $R2 + $R5
  IntCmp $R2 4482135 0 label_609 label_609
  IntOp $R2 $1 * 18536
  IntOp $R9 $8 * 15487
  IntOp $R7 $6 * 23787
  IntOp $R8 $7 * 23788
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 - $R7
  IntOp $R6 $5 * 15180
  IntOp $R3 $2 * 18849
  IntOp $R2 $R2 + $R6
  IntOp $R4 $3 * 19901
  IntOp $R2 $R2 + $R3
  IntOp $R3 $9 * 16571
  IntOp $R5 $4 * 18443
  IntOp $R2 $R2 - $R5
  IntOp $R5 $_5_ * 17695
  IntOp $R2 $R2 - $R4
  IntOp $R4 $_4_ * 15420
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $1 * 18536
  IntOp $R9 $8 * 15487
  IntOp $R7 $6 * 23787
  IntOp $R8 $7 * 23788
  IntOp $R2 $R2 - $R9
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 - $R7
  IntOp $R6 $5 * 15180
  IntOp $R3 $2 * 18849
  IntOp $R2 $R2 + $R6
  IntOp $R4 $3 * 19901
  IntOp $R2 $R2 + $R3
  IntOp $R3 $9 * 16571
  IntOp $R5 $4 * 18443
  IntOp $R2 $R2 - $R5
  IntOp $R5 $_5_ * 17695
  IntOp $R2 $R2 - $R4
  IntOp $R4 $_4_ * 15420
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntCmp $R2 5135079 0 label_609 label_609
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R9
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R6
  IntOp $R3 $R2 * 17228
  IntOp $R2 $1 * 20282
  IntOp $R3 $2 * 21583
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 18830
  IntOp $R2 $R2 + $R4
  IntOp $R5 $4 * 24997
  IntOp $R2 $R2 + $R5
  IntOp $R6 $5 * 17723
  IntOp $R2 $R2 + $R6
  IntOp $R7 $6 * 24278
  IntOp $R2 $R2 - $R7
  IntOp $R8 $7 * 22517
  IntOp $R2 $R2 - $R8
  IntOp $R9 $8 * 20548
  IntOp $R2 $R2 + $R9
  IntOp $R3 $9 * 24963
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 19274
  IntOp $R2 $R2 - $R4
  IntOp $R5 $_5_ * 18086
  IntOp $R2 $R2 - $R5
  IntCmp $R2 5299343 0 label_609 label_609
  IntOp $R2 $1 * 22035
  IntOp $R3 $2 * 23475
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 16349
  IntOp $R3 $R2 * 17228
  IntOp $R5 $4 * 18849
  IntOp $R2 $R2 - $R4
  IntOp $R6 $5 * 22560
  IntOp $R3 $R2 * 17228
  IntOp $R4 $R2 * 17228
  IntOp $R2 $R2 + $R5
  IntOp $R5 $R3 * 17228
  IntOp $R7 $6 * 19397
  IntOp $R3 $R2 * 17228
  IntOp $R8 $7 * 21857
  IntOp $R3 $R2 * 17228
  IntOp $R9 $8 * 23641
  IntOp $R2 $R2 + $R8
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R9
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 + $R6
  IntOp $R3 $R2 * 17228
  IntOp $R2 $R2 - $R7
  IntOp $R3 $9 * 15110
  IntOp $R2 $R2 - $R3
  IntOp $R4 $_4_ * 21024
  IntOp $R2 $R2 + $R4
  IntOp $R5 $_5_ * 21705
  IntOp $R2 $R2 + $R5
  IntCmp $R2 11895342 0 label_609 label_609
  IntOp $R2 $1 * 17297
  IntOp $R5 $R3 ^ 18614
  IntOp $R3 $R5 * 20004
  IntOp $R3 $4 * 20004
  IntOp $R4 $R3 * 10014
  IntOp $R4 $3 * 20329
  IntOp $R5 $R1 * 18614
  IntOp $R5 $4 * 24185
  IntOp $R6 $5 * 24637
  IntOp $R2 $R5 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R7 $6 * 15223
  IntOp $R8 $R2 * 15223
  IntOp $R8 $7 * 19192
  IntOp $R2 $R2 - $R5
  IntOp $R9 $1 * 23539
  IntOp $R2 $R2 - $R6
  IntOp $R3 $R2 * 22104
  IntOp $R2 $R2 - $R7
  IntOp $R3 $R2 * 33304
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 20004
  IntOp $R3 $9 * 23170
  IntOp $R4 $_4_ * 17101
  IntOp $R5 $_5_ * 16781
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 + $R5
  IntOp $R2 $1 * 18334
  IntOp $R3 $2 * 19371
  IntOp $R2 $R2 + $R3
  IntOp $R4 $3 * 15568
  IntOp $R3 $4 * 19321
  IntOp $R4 $3 * 17784
  IntOp $R2 $R2 - $R4
  IntOp $R5 $R2 * 21534
  IntOp $R5 $4 * 21534
  IntOp $R3 $4 * 18321
  IntOp $R2 $R2 + $R5
  IntOp $R4 $R4 * 11321
  IntOp $R3 $9 * 16158
  IntOp $R6 $5 * 23633
  IntOp $R5 $_5_ * 18278
  IntOp $R7 $6 * 16027
  IntOp $R8 $7 * 18430
  IntOp $R2 $R2 + $R3
  IntOp $R4 $_4_ * 15917
  IntOp $R9 $8 * 24544
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R3 $R3 * 25621
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 - $R8
  IntOp $R5 $R2 * 33321
  IntOp $R2 $R2 + $R4
  IntOp $R4 $R3 * 25321
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 12345
  IntCmp $R2 4549415 0 label_609 label_609
  IntOp $R2 $1 * 20198
  IntOp $R3 $2 * 22945
  IntOp $R8 $R3 * 23321
  IntOp $R4 $3 * 23807
  IntOp $R7 $R3 * 17621
  IntOp $R5 $4 * 17050
  IntOp $R6 $5 * 21682
  IntOp $R2 $R2 + $R3
  IntOp $R7 $6 * 16136
  IntOp $R8 $R3 * 35621
  IntOp $R2 $R2 - $R5
  IntOp $R8 $7 * 23014
  IntOp $R9 $8 * 19532
  IntOp $R2 $R2 + $R4
  IntOp $R3 $9 * 19020
  IntOp $R4 $_4_ * 23750
  IntOp $R5 $R3 * 25621
  IntOp $R5 $_5_ * 19323
  IntOp $R2 $R2 - $R6
  IntOp $R2 $R2 + $R7
  IntOp $R2 $R2 - $R3
  IntOp $R2 $R2 - $R4
  IntOp $R2 $R2 + $R5
  IntOp $R2 $R2 + $R8
  IntOp $R2 $R2 + $R9
  IntCmp $R2 5344900 0 label_609 label_609
  IntOp $R3 $2 * 10086
  IntOp $R2 $1 * 18800
  IntOp $R3 $2 * 15632
  IntOp $R5 $3 * 22359
  IntOp $R2 $R2 - $R3
  IntOp $R4 $3 * 23898
  IntOp $R5 $R4 * 22359
  IntOp $R2 $R2 + $R4
  IntOp $R5 $4 * 22359
  IntOp $R3 $9 * 21734
  IntOp $R2 $R2 + $R3
  IntOp $R3 $5 * 22386
  IntOp $R2 $R2 + $R5
  IntOp $R6 $5 * 20855
  IntOp $R2 $R2 + $R6
  IntOp $R7 $6 * 16366
  IntOp $R2 $R2 + $R7
  IntOp $R3 $5 * 14486
  IntOp $R8 $7 * 15562
  IntOp $R4 $_4_ * 21130
  IntOp $R3 $5 * 22336
  IntOp $R5 $_5_ * 20089
  IntOp $R9 $8 * 21845
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 + $R9
  IntOp $R2 $R2 + $R4
  IntOp $R3 $5 * 2556
  IntOp $R2 $R2 + $R5
  IntCmp $R2 15581697 0 label_609 label_609
  IntOp $R2 $1 * 17297
  IntOp $R5 $R3 ^ 18614
  IntOp $R3 $R2 * 20004
  IntOp $R3 $2 * 20004
  IntOp $R4 $R3 * 10014
  IntOp $R4 $3 * 20329
  IntOp $R5 $R3 * 18614
  IntOp $R5 $4 * 24185
  IntOp $R6 $5 * 24637
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R7 $6 * 15223
  IntOp $R8 $R7 * 15223
  IntOp $R8 $7 * 19192
  IntOp $R2 $R2 - $R5
  IntOp $R9 $8 * 23539
  IntOp $R2 $R2 - $R6
  IntOp $R3 $R2 * 22104
  IntOp $R2 $R2 - $R7
  IntOp $R3 $R2 * 33304
  IntOp $R2 $R2 - $R8
  IntOp $R2 $R2 - $R9
  IntOp $R3 $R2 * 20004
  IntOp $R3 $9 * 23170
  IntOp $R4 $_4_ * 17101
  IntOp $R5 $_5_ * 16781
  IntOp $R2 $R2 + $R3
  IntOp $R2 $R2 + $R4
  IntOp $R2 $R2 + $R5
  IntCmp $R2 1259535 0 label_609 label_609
  StrCpy $0 True
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Return

label_609:
  StrCpy $0 False
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Return

FunctionEnd


Function func_615
  Exch $0
    ; Push $0
    ; Exch
    ; Pop $0
  Push $R0
  Push $R0
  Push $R2
  IntOp $R0 0 + 0
  IntOp $R1 $R0 + 10
  IntOp $R2 $R1 + 0x4A
  StrCpy $1 $0 7 0
  IntFmt $R0 %c $R2
  StrCpy $2 $1$R0
  IntFmt $R2 %c 0x6f
  StrCpy $2 $2$R2
  StrCpy $1 $2 1 1
  StrCpy $3 $0 4 7
  StrCpy $4 $2$3
  IntFmt $R0 %c 0x46
  IntFmt $R1 %c 0x75
  IntFmt $R2 %c 0x6e
  StrCpy $5 $4$R0$R1$R2
  Pop $R2
  Pop $R1
  Pop $R0
  Exch $5
    ; Push $5
    ; Exch
    ; Pop $5
  Return

  System::Call user32::GetWindowText(p$_1_,t.s,i1024)
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\System.dll
    ; SetDetailsPrint lastused
    ; Push user32::GetWindowText(p$_1_,t.s,i1024)
    ; CallInstDLL $PLUGINSDIR\System.dll Call
  Pop $0
  StrCpy $_3_ $0
  Bamer::P $0
    ; Call Initialize_____Plugins
    ; AllowSkipFiles off
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $0
    ; CallInstDLL $PLUGINSDIR\Bamer.dll P
  Pop $R0
  StrCmp $R0 0 0 label_658
  Goto label_737
label_658:
  StrLen $1 $0
  IntCmp $1 100 0 label_737 label_737
  Bamer::B $0 $1
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $1
    ; Push $0
    ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $2
  StrCpy $3 $2 11 0
  Push $3
  Call func_86
  Pop $R0
  StrCmp $R0 False 0 label_673
  Goto label_737
label_673:
  Push $3
  Call func_125
  Pop $3
  StrCpy $4 $2 64 11
  StrLen $R0 $4
  StrCmp $R0 64 label_680
  Goto label_737
label_680:
  Bamer::A $4 64 $3
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $3
    ; Push 64
    ; Push $4
    ; CallInstDLL $PLUGINSDIR\Bamer.dll A
  Pop $R0
  StrCmp $R0 0 0 label_690
  Goto label_737
label_690:
  Pop $R1
  StrCpy $5 $R1 11 0
  StrCpy $_6_ $5
  Push $5
  Call func_133
  Pop $R0
  StrCmp $R0 False 0 label_698
  Goto label_737
label_698:
  StrCpy $6 $R1 53 11
  Bamer::C 36 4 $6
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $6
    ; Push 4
    ; Push 36
    ; CallInstDLL $PLUGINSDIR\Bamer.dll C
  Pop $R2
  Push $_6_
  Call func_615
  Pop $5
  Bamer::G $5 $R2
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $R2
    ; Push $5
    ; CallInstDLL $PLUGINSDIR\Bamer.dll G
  Pop $R0
  StrCmp $R0 0 0 label_719
  Goto label_737
label_719:
  Bamer::F $_3_
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $_3_
    ; CallInstDLL $PLUGINSDIR\Bamer.dll F
  Pop $R0
  StrCmp $R0 0 0 label_727
  Goto label_737
label_727:
  StrLen $R1 XX+2IHcragE=
  Bamer::B XX+2IHcragE= $R1
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $R1
    ; Push XX+2IHcragE=
    ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R2
  MessageBox MB_OK $R2
  Return

label_737:
  StrLen $R1 U0JtakdiZX6wc1UxIR==
  Bamer::B U0JtakdiZX6wc1UxIR== $R1
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\Bamer.dll
    ; SetDetailsPrint lastused
    ; Push $R1
    ; Push U0JtakdiZX6wc1UxIR==
    ; CallInstDLL $PLUGINSDIR\Bamer.dll B
  Pop $R2
  MessageBox MB_OK|MB_ICONINFORMATION $R2
FunctionEnd


Function func_747    ; Page 0, Pre
  nsDialogs::Create 1018
    ; Call Initialize_____Plugins
    ; AllowSkipFiles on
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push 1018
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll Create
  Pop $_0_
  nsDialogs::CreateControl STATIC 0x40000000|0x10000000|0x04000000|0x00000100 0x00000020 0u 0u 100% 12u Serial:
    ; Call Initialize_____Plugins
    ; AllowSkipFiles off
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push Serial:
    ; Push 12u
    ; Push 100%
    ; Push 0u
    ; Push 0u
    ; Push 0x00000020
    ; Push 0x40000000|0x10000000|0x04000000|0x00000100
    ; Push STATIC
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  nsDialogs::CreateControl EDIT 0x40000000|0x10000000|0x04000000|0x00010000|0x00000080 0x00000100|0x00000200 0u 20u 100% 12u ""
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push ""
    ; Push 12u
    ; Push 100%
    ; Push 20u
    ; Push 0u
    ; Push 0x00000100|0x00000200
    ; Push 0x40000000|0x10000000|0x04000000|0x00010000|0x00000080
    ; Push EDIT
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  Pop $_1_
  SendMessage $_1_ 0x00C5 110 0
  nsDialogs::CreateControl BUTTON 0x40000000|0x10000000|0x04000000|0x00010000 0 25% 52u 50% 14u Check
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push Check
    ; Push 14u
    ; Push 50%
    ; Push 52u
    ; Push 25%
    ; Push 0
    ; Push 0x40000000|0x10000000|0x04000000|0x00010000
    ; Push BUTTON
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateControl
  Pop $_2_
  Push $0
  Push $1
  StrCpy $1 $_2_
  StrCpy $0 644
  nsDialogs::OnClick $1 $0
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push $0
    ; Push $1
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll OnClick
  Pop $1
  Pop $0
  Push $0
  StrCpy $0 66
  nsDialogs::CreateTimer $0 1000
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; Push 1000
    ; Push $0
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll CreateTimer
  Pop $0
  nsDialogs::Show
    ; Call Initialize_____Plugins
    ; File $PLUGINSDIR\nsDialogs.dll
    ; SetDetailsPrint lastused
    ; CallInstDLL $PLUGINSDIR\nsDialogs.dll Show
FunctionEnd


Function .onInit
  InitPluginsDir
    ; Call Initialize_____Plugins
    ; SetDetailsPrint lastused
  SetOutPath $PLUGINSDIR
  SetOverwrite on
  AllowSkipFiles on
  File msvcr100.dll
FunctionEnd


Section ; Section_0
SectionEnd


/*
Function Initialize_____Plugins
  SetDetailsPrint none
  StrCmp $PLUGINSDIR "" 0 label_834
  Push $0
  SetErrors
  GetTempFileName $0
  Delete $0
  CreateDirectory $0 ; !!!! Unknown Params:  $0 "" ProgramFilesDir   ; 100 0 1
  IfErrors label_835
  StrCpy $PLUGINSDIR $0
  Pop $0
label_834:
  Return

label_835:
  MessageBox MB_OK|MB_ICONSTOP "Error! Can't initialize plug-ins directory. Please try again later." /SD IDOK
  Quit
FunctionEnd
*/



; --------------------
; UNREFERENCED STRINGS:

/*
17 CommonFilesDir
32 "C:\Program Files"
49 $PROGRAMFILES
53 "$PROGRAMFILES\Common Files"
70 $COMMONFILES
90 -1
95 -$R0
*/

Program flow analysis

The program keeps calling KillProc in KillProcDLL.dll to kill IDA and OD (OllyDbg), although for some reason it did not close my IDA. After the Check button is clicked, the Call function in System.dll is used to call user32::GetWindowText(p$1,t.s,i1024) and fetch the user input. The P function in Bamer.dll then checks that the input consists only of 0-9, a-z and A-Z, the input length is checked to be 100, the input is transformed with the B function in Bamer.dll (a modified Base64 with an extra XOR), and the first 11 characters of the result are verified:

def dec11():
    # b64dec is the author's decoder for the modified Base64 of Bamer::B; it is not
    # included in this post and is assumed to return a str
    tmp = b64dec("JTZmLD/8Sh6MOmd=")
    ret = ""
    for i in range(len(tmp)):
        # func_86 compares (ord(c) ^ 0x17) - i against the decoded reference byte,
        # so the expected input character is recovered as (ref + i) ^ 0x17
        ret += chr((ord(tmp[i]) + i) ^ 0x17)
    return ret

Decoding gives 2018TSCRCTF as the first 11 characters of the input. Joined with 00010, the string 2018TSCRCTF00010 is used as the key for the A function in Bamer.dll (a modified AES; I extracted the round keys directly while debugging. The XOR order of the initial and final AddRoundKey steps of AES decryption has been changed, and the third and fourth columns are swapped in the XOR in between). It produces 64 decrypted bytes. The first 11 decrypted bytes are passed to func_133 for checking; a z3 script can solve this and yields WelcomeHave as those 11 bytes. The remaining 53 bytes are passed to the C function in Bamer.dll, which converts them from base 36 to base 4 (upper- and lower-case letters are equivalent). The resulting data, together with WelcomeToHaveFun obtained by running WelcomeHave through func_615, is passed to the G function in Bamer.dll for checking: WelcomeToHaveFun is the key that decrypts the maze map, and the base-4 digits act as movement commands for the letters. The maze map inside the G function is shown below.
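The func_133 stage, as an added example rather than the author's z3 script: the 11 equality checks in func_133 are linear in the 11 input bytes, so after reading the live coefficients off the script above (only the IntOp results that actually reach an IntCmp; the rest are dead stores) the bytes can be recovered by exact Gauss-Jordan elimination with no SMT solver. The block also re-implements func_133 as a checker; the row table is my transcription of the script, not output of the binary.

```python
from fractions import Fraction

# Coefficients of the 11 IntCmp checks in func_133, transcribed from the NSIS
# script above.  Column order: $1 $2 $3 $4 $5 $6 $7 $8 $9 $_4_ $_5_ (the 11
# input bytes as returned by func_46); the last column is the IntCmp target.
ROWS = [
    [19292, 21770, 17677, -18327, 19344, 16593, -20094, 20472, -19029, 16001, -20980, 5295553],
    [17901, 17754, 22962, -24365, -20645, -20553, 21906, 24749, 20195, 20968, -17780, 5518223],
    [23630, -23633, -18077, 15076, -17525, -15510, 24396, 24273, 24865, 22272, 18068, 6649741],
    [17723, 22504, -22913, 21286, 16384, 15349, -22234, -23057, 17180, -20872, 22229, 4482135],
    [18536, 18849, -19901, -18443, 15180, -23787, 23788, -15487, 16571, 15420, 17695, 5135079],
    [20282, 21583, 18830, 24997, 17723, -24278, -22517, 20548, 24963, -19274, -18086, 5299343],
    [22035, 23475, -16349, 18849, 22560, -19397, 21857, 23641, -15110, 21024, 21705, 11895342],
    [18334, 19371, -17784, 21534, -23633, 16027, -18430, -24544, 16158, 15917, 18278, 4549415],
    [20198, 22945, 23807, -17050, -21682, 16136, 23014, 19532, -19020, -23750, 19323, 5344900],
    [18800, -15632, 23898, 22359, 20855, 16366, -15562, 21845, 21734, 21130, 20089, 15581697],
    [17297, 20004, 20329, -24185, -24637, -15223, -19192, -23539, 23170, 17101, 16781, 1259535],
]


def solve_exact(rows):
    """Gauss-Jordan elimination over Fractions; returns the unique solution vector."""
    n = len(rows)
    m = [[Fraction(v) for v in row] for row in rows]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            raise ValueError("system is singular; no unique solution")
        m[col], m[pivot] = m[pivot], m[col]
        inv = 1 / m[col][col]
        m[col] = [v * inv for v in m[col]]          # normalise the pivot row
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [row[n] for row in m]


def func_133_accepts(s):
    """Python re-implementation of func_133: True only when all 11 checks hold."""
    if len(s) != 11:
        return False
    vals = [ord(c) for c in s]
    return all(sum(c * v for c, v in zip(row[:11], vals)) == row[11] for row in ROWS)


def recover_block1():
    """Solve the system and turn the solution back into the 11-byte string."""
    sol = solve_exact(ROWS)
    if any(v.denominator != 1 or not 0 < v < 256 for v in sol):
        raise ValueError("solution is not an 11-byte string: %r" % sol)
    return "".join(chr(int(v)) for v in sol)


if __name__ == "__main__":
    s = recover_block1()
    print(s, func_133_accepts(s))   # prints: WelcomeHave True
```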

...........B
.R...Y..A...
............
.....DG..R..
............
......B.S...
............
.......D....
.......P....
......Y.....
.......G..S.
.....P...A..

aa = 'ABDGPRSY'
#bb = '\x18\x0b56\x87\x11X\x15\x00\x00\x8dv'
bb = [(8, 1), (11, 0), (5, 3), (6, 3), (7, 8), (1, 1), (8, 5), (5, 1)]
#cc = '\xb9Vw\xa7\xb59\xaa\x96\x00\x009t'
cc = [(9, 11), (6, 5), (7, 7), (7, 10), (5, 11), (9, 3), (10, 10), (6, 9)]

aa holds the letters
bb the start coordinate of each letter
cc the end coordinate of each letter

Reading the C function's output: 0 1 2 3 correspond to left, right, up, down.
For each letter, starting from its start coordinate, paint cells with that same letter until the end coordinate is reached; only '.' cells may be crossed in between.
For example, once A has been painted to its end by following the moves, the following moves paint B.
At the end the map must be completely filled, with no '.' left.
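A checker for these rules, as an added example (not the author's code and not the challenge's G function): it replays a base-4 move string over the map and reports which rule a bad string breaks. The map, letter order, start/end coordinates and move string are the ones quoted in this post.

```python
# Replay a base-4 move string over the maze under the write-up's rules.
MAZE = [
    "...........B",
    ".R...Y..A...",
    "............",
    ".....DG..R..",
    "............",
    "......B.S...",
    "............",
    ".......D....",
    ".......P....",
    "......Y.....",
    ".......G..S.",
    ".....P...A..",
]
ORDER = "ABDGPRSY"
# (x, y) = (column, row), exactly as in the bb / cc lists above.
START = [(8, 1), (11, 0), (5, 3), (6, 3), (7, 8), (1, 1), (8, 5), (5, 1)]
END = [(9, 11), (6, 5), (7, 7), (7, 10), (5, 11), (9, 3), (10, 10), (6, 9)]
# The base-4 string the write-up arrives at by hand (what Bamer::C outputs).
PATH = "1113333333333000000333330033331113033111333030000222222111220000003333333333311111333333333111113112122222222221133333333000333333331111"
STEP = {"0": (-1, 0), "1": (1, 0), "2": (0, -1), "3": (0, 1)}  # left right up down


def walk(maze, order, starts, ends, digits):
    """Replay digits; return (True, painted rows) or (False, reason)."""
    grid = [list(row) for row in maze]
    h, w = len(grid), len(grid[0])
    pos = 0
    for ch, (x, y), (ex, ey) in zip(order, starts, ends):
        if grid[y][x] != ch or grid[ey][ex] != ch:
            return False, f"{ch}: start/end cell does not hold {ch}"
        while (x, y) != (ex, ey):
            if pos == len(digits):
                return False, f"{ch}: ran out of moves at ({x}, {y})"
            if digits[pos] not in STEP:
                return False, f"bad digit {digits[pos]!r} at position {pos}"
            dx, dy = STEP[digits[pos]]
            pos += 1
            x, y = x + dx, y + dy
            if not (0 <= x < w and 0 <= y < h):
                return False, f"{ch}: left the map at move {pos}"
            if (x, y) == (ex, ey):
                break                                # reached its own end cell
            if grid[y][x] != ".":
                return False, f"{ch}: move {pos} hits '{grid[y][x]}' at ({x}, {y})"
            grid[y][x] = ch                          # paint the cell with the letter
    if pos != len(digits):
        return False, f"{len(digits) - pos} unused moves"
    if any("." in row for row in grid):
        return False, "map still has empty cells"
    return True, ["".join(row) for row in grid]


def check_path(digits):
    """True if the move string satisfies every rule for this map."""
    return walk(MAZE, ORDER, START, END, digits)[0]


if __name__ == "__main__":
    ok, result = walk(MAZE, ORDER, START, END, PATH)
    print("valid" if ok else f"invalid: {result}")
    if ok:
        print("\n".join(result))
```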

 

The boss solved it by hand.

The base-4 data obtained is 1113333333333000000333330033331113033111333030000222222111220000003333333333311111333333333111113112122222222221133333333000333333331111
which corresponds to the base-36 data 32WSFUPIFV9TYJWWPH14NZZ85YDHXOLO37ATG4IYC4ZCDIKCA7EJ9
Prepending WelcomeHave and encrypting with the (modified) AES gives "\xb7\x39\x5a\xab\x55\x19\xa3\xe8\x0c\xb5\xd2\x51\x25\x08\xbc\xaa\x05\x2d\xf9\x25\x07\x38\x11\xc2\xe9\xce\xaa\x97\xb9\x64\x46\xe7\xfc\xcb\x76\x57\xc0\xa0\x3c\x74\x55\x5e\x3f\x02\x27\x29\x66\x56\xda\x50\xbd\xcc\xfa\xd7\x3f\xeb\x58\xa0\xa4\xda\x05\xf9\xbd\x05"
Finally, prepending 2018TSCRCTF and encoding with the (modified) Base64 gives the serial:
MhAyOFQSR2JDUEb0OUopUQkh5Ax23nEnCLxoBT06JRd7EdLrwooWsXQG68wLcneAqDy3UU78AgdrYnabVL0M9vd852girNqF9a3F



Last edited by 新手慢慢来 on 2018-12-24 23:30, reason:
Latest replies (1)
游人啊k 2019-1-4 16:46
Does nobody read the featured posts?