-
-
[原创]kanxuectf2019 第七题
-
2019-3-23 13:48
-
第一步:先去混淆,题目大致采用了一下混淆方法:
1.两条判断条件相反的跳转指令
jump_set = [
('jge','jl'),('jl','jge'),
('jbe','ja'),('ja','jbe'),
('jnb','jb'),('jb','jnb'),
('jp','jnp'),('jnp','jp'),
('jle','jg'),('jg','jle'),
('jno','jo'),('jo','jno'),
('js','jns'),('jns','js'),
('jnz','jz'),('jz','jnz'),
]
2.call; add esp,4指令组
3.call;add [esp+4],6 ; ret 指令组
4.push;call;pop;pop 指令组
5.clc;jnb指令组
6.stc;jb指令组
7.形如 jnz,jl,jmp,jz这样的指令组
第二步:patch掉一处函数(004B97E6 call sub_4B3F00),该函数的分析有问题,影响ida的反编译功能。
第三部:此时ida就能够正常反编译了,整体流程长这样(截取了几个片段)。
整个程序逻辑还是分成清晰的,主要实现了一下功能
(1)检查是否patch了程序,一共有三处
第一处:4B8E55
第二处:4029B2
第三处:4025DE
可以看一下check_patch函数
可以看到check_patch的检查思路为:如果参数1不为0,那么以参数1为起始地址,参数2为要检查的Dword数,进行如图所示的运算。然后将结果存入以special_value(004BC080)为起始地址,返回地址+4处字节为偏移的地方。如果参数1为0,那么以返回地址作为起始地址。
import os import idaapi def ror(x,i): return ((x>>9)&0x007fffff) | ((x<<23)&0xfffffe00) def calc_check_value(addr,ret_addr,size): t = 0 for i in range(size): data = Dword(addr+i*4) data = data ^ t data = data ^ 0x78563412 #print hex(data) t = ror(data,9) #print hex(t) return hex(t^Dword(ret_addr)) addr = 0x00401F58 + 5 print calc_check_value(addr,0x004025F2,0x68) addr = 0x004B8E5A + 5 print calc_check_value(addr,0x004B8E5A,0x25a) addr = 0x004025D3 + 5 print calc_check_value(addr,0x004029C6,0xf0)
(2)读取输入,做十六进制转十进制
(3)做一个大数乘法,乘数1为刚才check_patch函数计算得到的值,乘数2为一个固定值
x = 0xc23f6401c93adb y = 0xeedcea3743d03a263af94f386de1 z = x*y
其中作者用了一种自定义的大数结构,如下图所示:
numbuff字段存放数据的每一位,idx_buff字段为数据每一位的索引,之所以这样做猜测作者是为了防止数据连续出现,用来干扰分析者的。
(4)以乘法结果z的每一位进行判断,如果该位小于等于9,最终的key中存放z的这一位,如果该位大于9,则存放输入内容,具体翻译过后的c代码如下所示:
while True: if z == 0: break tmp = z % 0x10 if tmp == 0: z /= 0x10 continue if tmp <= 9: x1 = cnt x2 = tmp + 9 * (cnt/9) + 0x50 x3 = tmp + 9 * (cnt%9) + 0xa1 x4 = tmp + 9 * (3 * (cnt/27) + (cnt%9)/3) + 0xf2 #print x1,x2,x3,x4 cnt = cnt + 1 else: for i in range(tmp-9): for k in range(9): x1 = cnt x2 = k + 9 * (cnt/9) + 0x51 x3 = k + 9 * (cnt%9) + 0xa2 x4 = k + 9 * ((cnt%9) / 3 + 3 * (cnt/27)) + 0xf3 #print x1,x2,x3,x4 #lo.append(cnt) #print cnt, cnt = cnt + 1 if (z/0x10)%0x10 >9: print cnt z /= 0x10
其中同时记录了当前值与位置的关系。
(5)反调试
作者一共用了9中反调试的手法,大家自行去分析吧,这里不再赘述,并将反调试的结果也作为一位加了进去(第40位),用来影响后面的分析。最后通过实际测试这9中反调试在正常环境运行时有7中返回值为0,2种返回时不为0。
(6)进行置换操作(5步),并将结果(value*9)^0x37
s = [0x86, 0x89, 0x84, 0x8D, 0xA7, 0x83, 0xA6, 0x25, 0x47, 0x14, 0x35, 0x1D, 0x0F, 0x1E, 0x97, 0x9C, 0x95, 0x01, 0xAE, 0x3F, 0x37, 0xB6, 0x02, 0x14, 0x0B, 0x17, 0x8A, 0x1F, 0x93, 0xAC, 0x96, 0x02, 0x2D, 0x0E, 0x07, 0x9F, 0x92, 0x8C, 0x15, 0xBE, 0x0A, 0x86, 0x07, 0xA4, 0x03, 0x85, 0x2F, 0x8C, 0x8E, 0x0B, 0x9B, 0x05, 0x0F, 0x84, 0x80, 0x9E, 0x8D, 0x00, 0x16, 0x01 ] g = [0xBD, 0x48, 0x2B, 0xAA, 0xB0, 0xA3, 0xB9, 0x42, 0xCF, 0x98, 0x4D, 0xB8, 0x3C, 0xA0, 0x32, 0x41, 0x21, 0x91, 0x3A, 0x45, 0x3B, 0x44, 0x9A, 0xBB, 0x19, 0x38, 0x10, 0x28, 0x40, 0x4C, 0xA9, 0xCD, 0x43, 0x33, 0xC6, 0x30, 0x49, 0xA2, 0xBA, 0x4E, 0xC5, 0xC9, 0xC8, 0xCB, 0xCC, 0x34, 0xB1, 0xC3, 0x41, 0xC4, 0xCA, 0x4A, 0x40, 0xCB, 0x08, 0x31, 0xC2, 0xCF, 0x39, 0x4E] for i in range(len(g)): g[i] = g[i] & 0x7f for i in range(len(s)): s[i] = s[i] & 0x7f for j in range(4): for i in range(len(g)): c[a[g[i]]] += 1 c[a[s[i]]] += 1 t = a[g[i]] a[g[i]] = a[s[i]] a[s[i]] = t
(7)比较结果,这里使用od脚本记录下比较索引和比较值,然后直接爆破即可
od脚本如下:
@START: ifeq eip,004b96fc wrta "out.txt",eax endif ifeq eip,004b9731 wrta "out1.txt",eax endif STO ifneq eip,004B9778 jmp @START endif
最终爆破脚本:
import os
sn_data = [ 0x38, 0x39, 0x07, 0xE0, 0x5A, 0x18, 0x1E, 0xE7, 0x5E, 0x3B,
0xEB, 0xA5, 0xAE, 0x07, 0x06, 0x27, 0x0D, 0x89, 0xF1, 0x6E,
0xD8, 0x0D, 0x3A, 0xE0, 0x1E, 0x96, 0xA7, 0xB2, 0x7D, 0x15,
0x16, 0x37, 0x01, 0x41, 0x4B, 0x08, 0x1C, 0x1D, 0x33, 0x2B,
0x40, 0x49, 0x79, 0xE3, 0x04, 0xFA, 0x05, 0x47, 0x66, 0x1B,
0xDB, 0x9E, 0x2C, 0x2D, 0x4E, 0x20, 0x87, 0x9E, 0xBB, 0xE9,
0x14, 0x8A, 0x36, 0x7E, 0xD5, 0x63, 0x51, 0x71, 0x3C, 0x41,
0x37, 0xA8, 0x2E, 0x01, 0x02, 0x23, 0x24, 0x63, 0x46, 0xE9,
0x08, 0x09, 0x19, 0x2B, 0x48, 0x4D, 0xBD, 0xBC, 0x22, 0x11,
0x6C, 0x33, 0x34, 0x77, 0xE0, 0x27, 0x18, 0x6C, 0x35, 0x3B,
0xB6, 0x8F, 0x46, 0x10, 0xC3, 0x43, 0x22, 0x5E, 0x44, 0xB3,
0x8C, 0x53, 0x28, 0xA4, 0xCB, 0xF0, 0x81, 0xD6, 0x96, 0x0F,
0x5C, 0x31, 0x32, 0x19, 0xF0, 0xDA, 0x50, 0x4E, 0x94, 0xF7,
0x27, 0x4E, 0x40, 0x7A, 0x33, 0x1F, 0x20, 0x41, 0x42, 0x6C,
0x66, 0x05, 0x49, 0xA4, 0x48, 0x49, 0x30, 0xAC, 0x0C, 0xBE,
0x2E, 0x2F, 0x30, 0x9D, 0x18, 0x2A, 0x23, 0x23, 0x6F, 0x0B,
0x20, 0x21, 0x2A, 0x6E, 0x4F, 0x83, 0x3E, 0x3F, 0x51, 0x63,
0x9A, 0x03, 0x53, 0x25, 0x26, 0x48, 0xCF, 0x4C, 0x0A, 0x0B,
0x98, 0xB7, 0x88, 0x4F, 0xE9, 0xD3, 0x1E, 0x13, 0x57, 0x35,
0xD2, 0xF2, 0x08, 0x9A, 0x1A, 0x1B, 0x84, 0x3D, 0xC9, 0x66,
0x0E, 0x8B, 0xB4, 0x58, 0xD0, 0x45, 0xDA, 0x19, 0xA5, 0xB9,
0x2A, 0x1C, 0x4C, 0x2B, 0xDB, 0x07, 0xFF, 0x19, 0x12, 0x31,
0x1E, 0x96, 0xE2, 0x88, 0x4B, 0x19, 0x3A, 0x19, 0x1A, 0x19,
0xE6, 0xDE, 0x00, 0x21, 0xF7, 0x43, 0x4B, 0x32, 0x32, 0x07,
0x46, 0x29, 0x4A, 0x4B, 0x29, 0x97, 0x0E, 0x19, 0x10, 0xE0,
0x90, 0x73, 0x65, 0xE4, 0x4C, 0x17]
s = [0x86, 0x89, 0x84, 0x8D, 0xA7, 0x83, 0xA6, 0x25, 0x47, 0x14,
0x35, 0x1D, 0x0F, 0x1E, 0x97, 0x9C, 0x95, 0x01, 0xAE, 0x3F,
0x37, 0xB6, 0x02, 0x14, 0x0B, 0x17, 0x8A, 0x1F, 0x93, 0xAC,
0x96, 0x02, 0x2D, 0x0E, 0x07, 0x9F, 0x92, 0x8C, 0x15, 0xBE,
0x0A, 0x86, 0x07, 0xA4, 0x03, 0x85, 0x2F, 0x8C, 0x8E, 0x0B,
0x9B, 0x05, 0x0F, 0x84, 0x80, 0x9E, 0x8D, 0x00, 0x16, 0x01
]
g = [0xBD, 0x48, 0x2B, 0xAA, 0xB0, 0xA3, 0xB9, 0x42, 0xCF, 0x98,
0x4D, 0xB8, 0x3C, 0xA0, 0x32, 0x41, 0x21, 0x91, 0x3A, 0x45,
0x3B, 0x44, 0x9A, 0xBB, 0x19, 0x38, 0x10, 0x28, 0x40, 0x4C,
0xA9, 0xCD, 0x43, 0x33, 0xC6, 0x30, 0x49, 0xA2, 0xBA, 0x4E,
0xC5, 0xC9, 0xC8, 0xCB, 0xCC, 0x34, 0xB1, 0xC3, 0x41, 0xC4,
0xCA, 0x4A, 0x40, 0xCB, 0x08, 0x31, 0xC2, 0xCF, 0x39, 0x4E]
fp = open('out.txt','r')
check_data = []
for x in fp.read():
if x == '\x0d' or x == '\x0a' or x == '\x20':
continue
check_data.append(int(x))
#print x,
print len(check_data)
print check_data
fp.close()
fp = open('out1.txt','r')
idx_data = []
data_list = fp.readlines()
for data in data_list:
if data == '\x0a':
continue
#print hex(ord(data[0])),hex(ord(data[1]))
idx_data.append(int(data[:-1],16))
print len(idx_data)
print idx_data
x = 0xc23f6401c93adb
y = 0xeedcea3743d03a263af94f386de1
z = x*y
print len(str(z))
cnt = 0
cnt1 = 0
lo = []
while True:
if z == 0:
break
tmp = z % 0x10
if tmp == 0:
z /= 0x10
continue
if tmp <= 9:
cnt = cnt + 1
cnt1 += 1
else:
for i in range(tmp-9):
lo.append(cnt)
#print cnt,
cnt = cnt + 1
z /= 0x10
print cnt1
print lo
a = []
c = []
for i in range(0x80):
a.append(i)
c.append(0)
for i in range(len(g)):
g[i] = g[i] & 0x7f
for i in range(len(s)):
s[i] = s[i] & 0x7f
'''
for j in range(1):
for i in range(len(g)):
c[a[g[i]]] += 1
c[a[s[i]]] += 1
t = a[g[i]]
a[g[i]] = a[s[i]]
a[s[i]] = t
'''
'''
for i in range(4):
c[a[g[i]]] += 1
c[a[s[i]]] += 1
t = a[g[i]]
a[g[i]] = a[s[i]]
a[s[i]] = t
t = a[s[4]]
a[s[4]] = a[g[4]]
c[a[s[4]]] += 1
'''
#print ''
def search(x,cnt):
for i in range(10):
t = i
for j in range(cnt):
t = (t*9)^0x37
t &= 0xff
#print t,
if t == x:
#print i
return i
return -1
def calc_m(x,cnt):
t = x
for i in range(cnt):
t = (t*9)^0x37
return t&0xff
real_lo = []
def check_zero(x):
for i in range(len(x)):
if x[i] == '0':
return 1
return 0
real_ans = []
for i in range(58):
real_ans.append('1')
for i in range(10000000):
c[a[g[i%len(g)]]] += 1
c[a[s[i%len(g)]]] += 1
t = a[g[i%len(g)]]
a[g[i%len(g)]] = a[s[i%len(g)]]
a[s[i%len(g)]] = t
ans = ''
for i1 in range(len(lo)):
flag = 0
for j in range(len(a)):
if a[j] == lo[i1]:
change_lo = j
break
for j in range(len(idx_data)):
if idx_data[j] == change_lo:
flag = j
break
t = check_data[flag]
idx = 0
for j in range(len(sn_data)):
if t == sn_data[j]:
idx = j
value = search(idx,c[lo[i1]])
#print j,value
if value != -1:
ans += str(value)
#real_ans[real_lo[i]] = str(value)
#print ans
#print hex(int(ans[::-1]))[2:-1].upper()[::-1]
if len(ans) >= 58:
h_ans = hex(int(ans[::-1]))[2:-1].upper()[::-1]
print h_ans
if check_zero(h_ans) == 0:
print h_ans
break[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
太暴力了
|
|
|
od调的时候测了下是跑4轮,后面写代码的时候就懒得改了
|
|
|
|
|
|
我刚开始也是,都没仔细看。直接想当然了,后面跑出来一个带0的解,才感觉不对
|
|
|
中了惯性思维的毒,设计时本来只用了7种,后来想着多加二种返回为0的会不会更有趣?
|
|
|
是,我也出了个带0的解。。。 |
|
|
|
skytar
