-
-
[原创]街机少年
-
2019-12-7 00:04 3631
-
XYLearn tqllllll ! 7feilee tqllllll !
应该是非预期了
IDA载入程序,看到主程序:
if ( get_input() ) { SetUnhandledExceptionFilter(TopLevelExceptionFilter); if ( GAME((unsigned __int8 *)name, name_len) ) output("You Win! You are very clever!"); else output("Game Over"); system("pause"); result = 0; } else { output("Game Over"); system("pause"); result = 0; }
程序读入name和serial,而后走过一个判断,通过GAME函数返回值来判断是否正确
首先读入name和serial:
for ( i = 0; i < 32; ++i ) { v4 = read_input(); if ( (v4 < 97 || v4 > 122) && (v4 < 65 || v4 > 90) && (v4 < 48 || v4 > 57) ) { if ( v4 != 13 && v4 != 10 ) return 0; name_len = i; break; } name[i] = v4; } if ( name_len < 4 || name_len > 16 ) return 0; output("Please input your KEY: ( : to z )"); for ( j = 0; j < 128; ++j ) { v3 = read_input(); if ( v3 < ':' || v3 > 'z' ) { if ( v3 != 13 && v3 != 10 ) return 0; serial_len = j; break; } serial[j] = v3; } if ( !serial_len || serial_len > 128 ) return 0; dec_len = dec1((int)decode_serial, (int)serial, serial_len);
简单判断name和serial合法后decode并存入全局变量数组
decode类似一个base64,只是对应处理位不同,直接对照求逆即可:
def dec1(str1): ans=[] for i in range(len(str1)/3): ans.append(ord(str1[i*3])>>2) ans.append(((ord(str1[i*3])&0b11)<<4)+((ord(str1[i*3+1])&0b11110000)>>4)) ans.append((ord(str1[i*3+1])&0b1111)+((ord(str1[i*3+2])&0b11000000)>>2)) ans.append(ord(str1[i*3+2])&0b00111111) s="" for i in ans: s+=chr(i+ord(":")) return s #后面不足对应相同位置并补'z'即可
在GAME中,首先使用大量数组查表隐藏了算法和计算过程
首先将第一轮table扣下来:
def func1(x, m): s = x none_primitive_root = 0 for i in range(1, m): y = min(x, s) z = max(x, s) s = y * y % 17 ^ triangle_at(xor_table, y, z) ......
根据返回值发现是一个乘方运算(取模意义下),计算pow(x,m)
故而在第一层:
for ( i = 1; i < 16; ++i ) { v35 = v38; v27 = v51; if ( v38 > (signed int)v51 ) { v35 = v51; // 乘方 v27 = v38; } v38 = v35 * v35 % 17 ^ table[(unsigned __int8)(v27 + (v35 - 1) * (34 - v35) / 2 - v35)]; if ( v38 == 1 && i != 15 ) // (p-1)/2不满足 { v51 = (v51 + 1) % 16 + 1; v38 = 0; break; } }
其实际计算的是相对v51步长2的模17下最近的非二次剩余
而后其根据输入name初始化了一个256长度数组(前16参与运算)
而后大致流程可以取下:
from base64 import b64decode,b64encode import os from functools import reduce xor_table = [0,3,2,5,4,7,6,9,8,11,10,13,12,15,14,17,0,2,12,14,8,10,20,5,7,1,3,13,15,9,11,0,5,6,8,13,14,3,4,25,11,12,1,2,7,0,19,23,27,31,18,22,26,30,17,21,25,29,0,5,9,14,3,24,12,1,6,10,15,4,0,10,12,1,11,13,6,8,18,7,9,0,10,3,13,6,31,9,2,12,5,0,9,1,14,6,15,7,12,4,0,8,3,11,2,10,29,5,0,7,14,4,11,1,8,0,15,5,3,14,4,0,11,7,2,13,0,28,24,20,0,15,10,0,6,0] with open('E:/Totoro.exe', 'rb') as f: f.seek(0x16088, os.SEEK_SET) bytes_397288 = f.read(65536) bytes_397288 = [i for i in bytes_397288] f.seek(0x26088, os.SEEK_SET) bytes_3A7288 = f.read(256) bytes_3A7288 = [i for i in bytes_3A7288] f.seek(0x14E88, os.SEEK_SET) bytes_396088 = f.read(256) bytes_396088 = [i for i in bytes_396088] f.seek(0x14F88, os.SEEK_SET) bytes_396188 = f.read(4096) bytes_396188 = [i for i in bytes_396188] f.seek(0x15F88, os.SEEK_SET) bytes_417188 = f.read(256) bytes_417188 = [i for i in bytes_417188] def quadratic_residues(x, m): while True: s = x for i in range(1, m): y = s z = x if s > x: y = x z = s idx = (z + (y - 1) * (34 - y) // 2 - y)%256 s = (y * y % 17) ^ xor_table[idx] if s == 1 and i != 15: x = (x + 1) % 16 + 1 s = 0 break if s == 1: break return x def _pow(x, m): s = x global flag for i in range(1, m): y = s z = x if s > x: y = x z = s idx = (z + (y - 1) * (34 - y) // 2 - y)%256 s = (y * y % 17) ^ xor_table[idx] if s == 1 and i != 15: flag = 1 return s def triangle_index(y, z): return z + (y - 1) * (34 - y) // 2 - y def triangle_at(mat, y, z): return mat[triangle_index(y, z)] def get_inv(x): while True: s = x for i in range(1, 16): y = min(x, s) z = max(x, s) s = y * y % 17 ^ triangle_at(xor_table, y, z) if s == 1 and i != 16 - 1: x = (x + 1) % 16 + 1 s = 0 break if s == 1: break return x def pows(x, m): s = x none_primitive_root = 0 for i in range(1, m): y = min(x, s) z = max(x, s) s = y * y % 17 ^ triangle_at(xor_table, y, z) if s == 1 and i != m-1: none_primitive_root = 1 return s,none_primitive_root def map_username(username,bytes_417188): for i in range(len(username) - 1): ch = username[i + 1] if i >= 7: if i >= 10: if i >= 13: bytes_417188[i] = ch % 8 + 8 else: bytes_417188[i] = 7 - ch % 7 else: bytes_417188[i] = ch % 8 + 8 else: bytes_417188[i] = 7 - ch % 7 return bytes_417188 def get_idx(a, b, c): lo = ((b >> 2) ^ ((c << 4) & 0xC0)) ^ ((a << 2) & 0x3C) ^ 0xC7 hi = (c & 3) ^ ((b << 2) & 0xf) ^ 2 x = lo | (hi << 8) return x def unknown(a, b, c): '''a^b^c''' return bytes_397288[((a + b + c) % 16) | (a << 4) | (b << 8) | (c << 12)] def check(username, key): #key= [61, 136, 200, 67, 168, 249, 66, 246, 42, 33, 212, 253, 243, 246, 246, 244, 246, 249, 244, 255, 237] key_len = len(key) ch = username[0] % 16 + 1 username = map_username(username,bytes_417188) primitive_root = quadratic_residues(ch,16) kidx = 0 x = 5 while kidx < key_len: key_low = key[kidx] % 16 + 1 key_high = (key[kidx]>>4) % 16 + 1 flag = 1 if primitive_root and key_low <= 16 and key_high <=16: flag = 0 key_low = _pow(primitive_root, key_low) r2 = quadratic_residues(key_low,16) key_high = _pow(r2, key_high) if flag: break primitive_root = quadratic_residues(key_high,16) primitive_flag = (key_high * bytes_396088[username[key_low - 1] - key_high])&0xff for i in range(key_low, 128): v4 = int(username[i] == 0) v5 = (((v4 + bytes_396188[get_idx(username[key_low - 1], username[i], key_high)])%256) * primitive_flag)&0xff primitive_flag = (((v5 + 1) & int(v5 != 0)) + v5)&0xff username[key_low - 1] = (username[key_low - 1] + ((((2 * ((primitive_flag + 1) & 1) - 1)&0xff) * key_high)&0xff))&0xff #print("test xor is {}".format(reduce(lambda x, y: x ^ y, username))) if not primitive_flag: break if not any(username): return kidx == key_len - 1 key_low_ = (key[kidx] >> 4) % 16 + 1 key_high_ = key[kidx + 1] % 16 + 1 bytes_396088[key_low_ // 2] = (bytes_396088[key_low_ // 2] + key_high_) % 127 + 1 kidx += 1 tmp = unknown(username[2], username[1], username[0]) tmp = unknown(username[4], username[3], tmp) tmp = unknown(username[6], username[5], tmp) tmp = unknown(username[8], username[7], tmp) tmp = unknown(username[10], username[9], tmp) tmp = unknown(username[12], username[11], tmp) tmp = unknown(username[14], username[13], tmp) if tmp: for i in range(15): val = bytes_3A7288[tmp | (username[i] << 4)] if val & 1: username[i] = val >> 1 break else: print(kidx) fflag = 0 while True: if username[x] == 1: username[x] = (username[x] - 1)%256 x = (x + 4) % 15 fflag = 1 break if username[x] > 1: break x = (x + 4) % 15 if fflag == 0: username[x] = username[x] - ((x * x + 1) % username[x] + 1) x = (x + 4) % 15 if not reduce(lambda x, y: x | y, username): break return False
在循环过程中,每轮12bit key参与运算,首先根据第一步结果进行乘方,再进行一次求非平方剩余,再进行一次乘方(不出现单位元),根据结果及一个数组操作更新一位username数组,而后进行一轮变换(unknown),根据变换结果更新一位username
通过观察数组及结果发现unknown操作是进行一组异或
若异或后不为0则依赖第二个数组将其每位异或结果调整为0
通过观察正确序列号发现:
正确退出应该是循环过每一位序列号经由最后: 判断username数组变换为0时 根据"循环次数==序列号长度-1"来return 在正确序列号变换下经由unknow变换的tmp值每轮都是0(即username数组每一位异或后为0)
其实到这里也没猜到具体的数学背景是什么,最开始肖神通过unknown中变换的数组搜索到AES的add field,不过后来发现只是一组异或,遂失败
不过从上面分析可以看到,每轮参与计算的只有12bit,而且通过正确序列号的程序流可以猜测到每一轮tmp=0即为控制条件,以此进行逐位爆破即可得到可能解
最后肖神用unicorn成功解出(tqlll !!!)(python爆破我写得有点问题没搞定(飞神那边应该快改好了,已经出了几位)):
import sys import os import struct from base64 import b64decode, b64encode from capstone import * from capstone.x86_const import * from unicorn import * from unicorn.x86_const import * def p32(n): return struct.pack("<I", n) to = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/' base = b':;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxy' def base64_enc(data): data = b64encode(data) res = [] for i in data: res.append(base[to.index(i)]) return ("".join([chr(i) for i in res])).encode() def base64_dec(data): res = [] for i in data: res.append(to[base.index(i)]) return b64decode("".join([chr(i) for i in res]).encode()) cs = Cs(CS_ARCH_X86, CS_MODE_32) last_addr = 0 def hook_code(mu, addr, size, user_data): global last_addr last_addr = addr code = mu.mem_read(addr, 10) ins = next(cs.disasm(code, addr, 1)) disasm = "{:08x}: {} {}".format(addr, ins.mnemonic, ins.op_str) print(disasm) mu = None with open("./Totoro.exe", 'rb') as f: f.seek(0x400, os.SEEK_SET) text = f.read(0xf13b - 0x400) f.seek(0xf320, os.SEEK_SET) rdata = f.read(0x14c68 - 0xf320) f.seek(0x14E00, os.SEEK_SET) data = f.read(0x26C00-0x14E00) def check(username, key, addr_points=None): global mu mu = Uc(UC_ARCH_X86, UC_MODE_32) text_start , text_end = 0x401000, 0x410000 idata_start, idata_end = 0x410000, 0x410120 rdata_start, rdata_end = 0x410120, 0x416000 data_start , data_end = 0x416000, 0x429000 stack_start, stack_end = 0x7ffa0000, 0x80000000 cache_start, cache_end = 0x100000, 0x110000 stack_curr = 0x7fff0000 mu.mem_map(text_start, data_end - text_start) mu.mem_write(text_start, text) mu.mem_write(rdata_start, rdata) mu.mem_write(data_start, data) mu.mem_map(stack_start, stack_end - stack_start) mu.mem_map(cache_start, cache_end - cache_start) mu.reg_write(UC_X86_REG_ESP, stack_curr) # key key_addr = 0x427E38 key_len_addr = 0x427F38 mu.mem_write(key_addr, key) mu.mem_write(key_addr + len(key), b'\0' * (256 - len(key))) mu.mem_write(key_len_addr, p32(len(key))) # username mu.mem_write(stack_curr + 4, p32(cache_start)) mu.mem_write(cache_start, username) mu.mem_write(stack_curr + 8, p32(len(username))) # hook # mu.hook_add(UC_HOOK_CODE, hook_code) # execute check_addr = 0x401480 check_ret_addr = 0x402088 try: if not addr_points: mu.emu_start(check_addr, check_ret_addr) else: start = check_addr for addr in addr_points: mu.emu_start(start, addr) mu.emu_start(addr, 0, count=1) start = mu.reg_read(UC_X86_REG_EIP) except UcError as e: return False return True username = b'KCTF' key = [0 for i in range(0x20)] # key = [61, 136, 200, 67, 168, 249, 66, 246, 42, 33, 212, 253, 243, 246, 246, 244, 246, 249, 244, 255, 237, 249] end = False for i in range(21): for ch in range(256): key[i] = ch if not check(username, bytes(key), [0x401F00] * (i+1)): continue if mu.reg_read(UC_X86_REG_EAX) == 0: print(i, ch) break key[i] = 0x100 if key[i] == 0x100: break i += 1 for ch in range(256): key[i] = ch if not check(username, bytes(key)): continue if mu.reg_read(UC_X86_REG_EAX) == 0: print(i, ch) break print(key) #Output:[61, 136, 200, 67, 168, 249, 66, 246, 42, 33, 212, 253, 243, 246, 246, 244, 246, 249, 244, 255, 237, 249] ------------------------------------------------------------------------------- def dec1(str1): ans=[] for i in range(len(str1)/3): ans.append(ord(str1[i*3])>>2) ans.append(((ord(str1[i*3])&0b11)<<4)+((ord(str1[i*3+1])&0b11110000)>>4)) ans.append((ord(str1[i*3+1])&0b1111)+((ord(str1[i*3+2])&0b11000000)>>2)) ans.append(ord(str1[i*3+2])&0b00111111) ans.append(ord(str1[21])>>2) ans.append((ord(str1[21])&0b11)<<4) s="" for i in ans: s+=chr(i+ord(":")) return s+"zz" s="" final_key=[61, 136, 200, 67, 168, 249, 66, 246, 42, 33, 212, 253, 243, 246, 246, 244, 246, 249, 244, 255, 237, 249] for i in final_key: s+=chr(i) print dec1(s) #Output:IRrBJtrsJi@dBWnwvyppwIpswIygxJzz
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法