-
-
[原创]2021强网杯Reverse-LongTimeAgo
-
发表于: 2021-6-18 14:33
-
拖入IDA之后发现有花指令,逐个patch太慢,以便之后我们多次调试,写一个IDAPython的脚本来批量patch,不然IDA每次重新调试我们都要重新patch一次
patch之后反编译,才能正确看到main函数
main函数如下:
逐段进行分析:
输入之后并判断长度是否为64
take_eight_to_hex函数的意思就是:比如我输入的是1111111122222222.....等64个字节,那么逐渐循环take_eight_to_hex取出来的就是0x11111111,0x22222222,.......(自己调试一下就可以发现)
然后这种小循环,是判断有多少个有效16进制字节的,比如0x123456,返回的就是3,0x11111111,返回的就是4
下方对那个已知的数组(就是比较数据)
进行相同的储存方式
存一个地址就偏移36字节,貌似是一个类似对象,结构体的东西
调试一下,每次循环都查看cmp_dest 和input_dest 就可以知道
实际上就是生成key并判断生成的数据的长度,和前面是相同的储存方式
其实对于生成key的函数,就是create里面的一个函数:
每次调试,修改传入的a2参数,然后查看返回的v3的值,猜测规律
我的猜测过程:
得到这个函数功能:
加密的函数,4个部分,前两个进行xtea加密,后两个进行tea加密
里面关键加密的一段:对拍过程看//后面的注释
写出xtea_encrypt函数:
写出tea_encrypt函数:
这里吐槽一句,不知道题目的author是使用了什么库?左移右移加法异或这些都是小函数,得自己看
这里就是和比较数据进行比较
addr = 0x4A2A0C
for i in range(2):
ida_bytes.patch_byte((addr+i), 0x90)
add_arr = [0x00000000004A2A4B, 0x00000000004A2ABC, 0x00000000004A2AC1, 0x00000000004A2B4A,
0x0000000000402F89]
for i in range(len(add_arr)):
for j in range(5):
ida_bytes.patch_byte((add_arr[i]+j), 0x90)
add_arr1 = [0x00000000004A2ABC]
for i in range(len(add_arr)):
for j in range(4):
ida_bytes.patch_byte((add_arr1[i]+j), 0x90)
addr = 0x4A2A0C
for i in range(2):
ida_bytes.patch_byte((addr+i), 0x90)
add_arr = [0x00000000004A2A4B, 0x00000000004A2ABC, 0x00000000004A2AC1, 0x00000000004A2B4A,
0x0000000000402F89]
for i in range(len(add_arr)):
for j in range(5):
ida_bytes.patch_byte((add_arr[i]+j), 0x90)
add_arr1 = [0x00000000004A2ABC]
for i in range(len(add_arr)):
for j in range(4):
ida_bytes.patch_byte((add_arr1[i]+j), 0x90)
int __cdecl main(int argc, const char **argv, const char **envp)
{ char *v3; // rdx
int v4; // ecx
unsigned int v5; // eax
char *input_1; // r15
char *v8; // rdi
int *cmp_addr; // r12
char *cmp_dest; // r14
int *input_dest; // rbx
int *v12; // r13
int hex_data; // eax
__int64 tmp; // rax
int data_len; // edx
int v16; // eax
__int64 cmp_data_len; // rax
int cmp_data_len_1; // edx
int v19; // ecx
int v20; // eax
__int64 v21; // rax
char v22; // dl
char input[80]; // [rsp+30h] [rbp-3F8h] BYREF
int input_dest_1[18]; // [rsp+80h] [rbp-3A8h] BYREF
int v25[18]; // [rsp+C8h] [rbp-360h] BYREF
int v26[18]; // [rsp+110h] [rbp-318h] BYREF
int v27[18]; // [rsp+158h] [rbp-2D0h] BYREF
int key[9]; // [rsp+1A0h] [rbp-288h] BYREF
int v29; // [rsp+1C4h] [rbp-264h] BYREF
__int64 v30; // [rsp+1E8h] [rbp-240h] BYREF
int v31; // [rsp+20Ch] [rbp-21Ch] BYREF
char v32[360]; // [rsp+2C0h] [rbp-168h] BYREF
sub_40CC40(argc, argv, envp);
memset(input, 0, sizeof(input));
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Input Your Key:");
std::operator>><char,std::char_traits<char>>((std::istream *)&addr, input);
v3 = input;
do
{
v4 = *(_DWORD *)v3;
v3 += 4;
v5 = ~v4 & (v4 - 0x1010101) & 0x80808080;
}
while ( !v5 );
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v5 >>= 16;
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v3 += 2;
if ( &v3[-__CFADD__((_BYTE)v5, (_BYTE)v5) - 3] - input == 64 )// strlen() == 64
{
input_1 = input;
v8 = v32;
cmp_addr = &cmp_data;
cmp_dest = v32;
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Are You Sure You Want To Keep Waiting...\n");
input_dest = input_dest_1;
v12 = input_dest_1;
do
{
hex_data = take_eight_to_hex(input_1, 8); // 取8个字节当作16进制数据
*((_BYTE *)input_dest + 8) = 0;
input_dest[1] = hex_data;
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
v16 = *cmp_addr;
cmp_dest[8] = 0;
*((_DWORD *)cmp_dest + 1) = v16;
cmp_data_len = 4i64;
while ( 1 )
{
cmp_data_len_1 = cmp_data_len;
if ( cmp_dest[cmp_data_len + 3] )
break;
if ( !--cmp_data_len )
{
cmp_data_len_1 = 0;
break;
}
}
input_1 += 8; // 输入字符串的地址偏移8字节
*(_DWORD *)cmp_dest = cmp_data_len_1;
input_dest += 9;
cmp_dest += 36;
++cmp_addr;
}
while ( input_1 != &input[64] ); // 循环8次,将对应数据按格式存储
create((__int64)key, 13i64);
create((__int64)&v29, 14i64);
create((__int64)&v30, 15i64);
create((__int64)&v31, 16i64); // 根据第二个参数传入的值,生成一个数并判断其hex共多少字节
// 传入13,14,15,16生成对应的四个key
xtea(input_dest_1, key);
xtea(v25, key);
tea(v26, key);
tea(v27, key);
v19 = 0;
while ( 1 )
{
v20 = *v12;
if ( *v12 != *(_DWORD *)v8 )
break;
if ( v20 - 1 >= 0 )
{
if ( v32[36 * v19 - 573 + v20] != v32[36 * v19 + 3 + v20] )
break;
v21 = v20 - 2;
while ( (int)v21 >= 0 )
{
v22 = *((_BYTE *)v12 + v21-- + 4);
if ( v22 != v8[v21 + 5] )
goto LABEL_8;
}
}
++v19;
v12 += 9;
v8 += 36;
if ( v19 == 8 )
{
printf_0("QWB{%s}\n", input);
return 0;
}
}
}
LABEL_8: printf_0("sorry\n");
return 0;
}int __cdecl main(int argc, const char **argv, const char **envp)
{ char *v3; // rdx
int v4; // ecx
unsigned int v5; // eax
char *input_1; // r15
char *v8; // rdi
int *cmp_addr; // r12
char *cmp_dest; // r14
int *input_dest; // rbx
int *v12; // r13
int hex_data; // eax
__int64 tmp; // rax
int data_len; // edx
int v16; // eax
__int64 cmp_data_len; // rax
int cmp_data_len_1; // edx
int v19; // ecx
int v20; // eax
__int64 v21; // rax
char v22; // dl
char input[80]; // [rsp+30h] [rbp-3F8h] BYREF
int input_dest_1[18]; // [rsp+80h] [rbp-3A8h] BYREF
int v25[18]; // [rsp+C8h] [rbp-360h] BYREF
int v26[18]; // [rsp+110h] [rbp-318h] BYREF
int v27[18]; // [rsp+158h] [rbp-2D0h] BYREF
int key[9]; // [rsp+1A0h] [rbp-288h] BYREF
int v29; // [rsp+1C4h] [rbp-264h] BYREF
__int64 v30; // [rsp+1E8h] [rbp-240h] BYREF
int v31; // [rsp+20Ch] [rbp-21Ch] BYREF
char v32[360]; // [rsp+2C0h] [rbp-168h] BYREF
sub_40CC40(argc, argv, envp);
memset(input, 0, sizeof(input));
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Input Your Key:");
std::operator>><char,std::char_traits<char>>((std::istream *)&addr, input);
v3 = input;
do
{
v4 = *(_DWORD *)v3;
v3 += 4;
v5 = ~v4 & (v4 - 0x1010101) & 0x80808080;
}
while ( !v5 );
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v5 >>= 16;
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v3 += 2;
if ( &v3[-__CFADD__((_BYTE)v5, (_BYTE)v5) - 3] - input == 64 )// strlen() == 64
{
input_1 = input;
v8 = v32;
cmp_addr = &cmp_data;
cmp_dest = v32;
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Are You Sure You Want To Keep Waiting...\n");
input_dest = input_dest_1;
v12 = input_dest_1;
do
{
hex_data = take_eight_to_hex(input_1, 8); // 取8个字节当作16进制数据
*((_BYTE *)input_dest + 8) = 0;
input_dest[1] = hex_data;
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
v16 = *cmp_addr;
cmp_dest[8] = 0;
*((_DWORD *)cmp_dest + 1) = v16;
cmp_data_len = 4i64;
while ( 1 )
{
cmp_data_len_1 = cmp_data_len;
if ( cmp_dest[cmp_data_len + 3] )
break;
if ( !--cmp_data_len )
{
cmp_data_len_1 = 0;
break;
}
}
input_1 += 8; // 输入字符串的地址偏移8字节
*(_DWORD *)cmp_dest = cmp_data_len_1;
input_dest += 9;
cmp_dest += 36;
++cmp_addr;
}
while ( input_1 != &input[64] ); // 循环8次,将对应数据按格式存储
create((__int64)key, 13i64);
create((__int64)&v29, 14i64);
create((__int64)&v30, 15i64);
create((__int64)&v31, 16i64); // 根据第二个参数传入的值,生成一个数并判断其hex共多少字节
// 传入13,14,15,16生成对应的四个key
xtea(input_dest_1, key);
xtea(v25, key);
tea(v26, key);
tea(v27, key);
v19 = 0;
while ( 1 )
{
v20 = *v12;
if ( *v12 != *(_DWORD *)v8 )
break;
if ( v20 - 1 >= 0 )
{
if ( v32[36 * v19 - 573 + v20] != v32[36 * v19 + 3 + v20] )
break;
v21 = v20 - 2;
while ( (int)v21 >= 0 )
{
v22 = *((_BYTE *)v12 + v21-- + 4);
if ( v22 != v8[v21 + 5] )
goto LABEL_8;
}
}
++v19;
v12 += 9;
v8 += 36;
if ( v19 == 8 )
{
printf_0("QWB{%s}\n", input);
return 0;
}
}
}
LABEL_8: printf_0("sorry\n");
return 0;
}sub_40CC40(argc, argv, envp);memset(input, 0, sizeof(input));
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Input Your Key:");
std::operator>><char,std::char_traits<char>>((std::istream *)&addr, input);
v3 = input;
do{ v4 = *(_DWORD *)v3;
v3 += 4;
v5 = ~v4 & (v4 - 0x1010101) & 0x80808080;
}while ( !v5 );
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v5 >>= 16;
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v3 += 2;
if ( &v3[-__CFADD__((_BYTE)v5, (_BYTE)v5) - 3] - input == 64 )// strlen() == 64
sub_40CC40(argc, argv, envp);memset(input, 0, sizeof(input));
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Input Your Key:");
std::operator>><char,std::char_traits<char>>((std::istream *)&addr, input);
v3 = input;
do{ v4 = *(_DWORD *)v3;
v3 += 4;
v5 = ~v4 & (v4 - 0x1010101) & 0x80808080;
}while ( !v5 );
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v5 >>= 16;
if ( (~v4 & (v4 - 0x1010101) & 0x8080) == 0 )
v3 += 2;
if ( &v3[-__CFADD__((_BYTE)v5, (_BYTE)v5) - 3] - input == 64 )// strlen() == 64
input_1 = input;
v8 = v32;
cmp_addr = &cmp_data;
cmp_dest = v32;
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Are You Sure You Want To Keep Waiting...\n");
input_dest = input_dest_1;
v12 = input_dest_1;
do{ hex_data = take_eight_to_hex(input_1, 8); // 取8个字节当作16进制数据
*((_BYTE *)input_dest + 8) = 0;
input_dest[1] = hex_data;
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
v16 = *cmp_addr;
cmp_dest[8] = 0;
*((_DWORD *)cmp_dest + 1) = v16;
cmp_data_len = 4i64;
while ( 1 )
{
cmp_data_len_1 = cmp_data_len;
if ( cmp_dest[cmp_data_len + 3] )
break;
if ( !--cmp_data_len )
{
cmp_data_len_1 = 0;
break;
}
}
input_1 += 8; // 输入字符串的地址偏移8字节
*(_DWORD *)cmp_dest = cmp_data_len_1;
input_dest += 36;
cmp_dest += 36;
++cmp_addr;
}while ( input_1 != &input[64] ); // 循环8次,将对应数据按格式存储
input_1 = input;
v8 = v32;
cmp_addr = &cmp_data;
cmp_dest = v32;
std::operator<<<std::char_traits<char>>((std::ostream *)off_4A68E0, "Are You Sure You Want To Keep Waiting...\n");
input_dest = input_dest_1;
v12 = input_dest_1;
do{ hex_data = take_eight_to_hex(input_1, 8); // 取8个字节当作16进制数据
*((_BYTE *)input_dest + 8) = 0;
input_dest[1] = hex_data;
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
v16 = *cmp_addr;
cmp_dest[8] = 0;
*((_DWORD *)cmp_dest + 1) = v16;
cmp_data_len = 4i64;
while ( 1 )
{
cmp_data_len_1 = cmp_data_len;
if ( cmp_dest[cmp_data_len + 3] )
break;
if ( !--cmp_data_len )
{
cmp_data_len_1 = 0;
break;
}
}
input_1 += 8; // 输入字符串的地址偏移8字节
*(_DWORD *)cmp_dest = cmp_data_len_1;
input_dest += 36;
cmp_dest += 36;
++cmp_addr;
}while ( input_1 != &input[64] ); // 循环8次,将对应数据按格式存储
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
tmp = 4i64; // 判断总共有多少个有效16进制数据
while ( 1 )
{
data_len = tmp;
if ( *((_BYTE *)input_dest + tmp + 3) )
break;
if ( !--tmp )
{
data_len = 0;
break;
}
}
*input_dest = data_len;
data_lendatadata_lendatacreate((__int64)key, 13i64);
create((__int64)&v29, 14i64);
create((__int64)&v30, 15i64);
create((__int64)&v31, 16i64); // 根据第二个参数传入的值,生成一个数并判断其hex共多少字节
// 传入13,14,15,16生成对应的四个key
create((__int64)key, 13i64);
create((__int64)&v29, 14i64);
create((__int64)&v30, 15i64);
create((__int64)&v31, 16i64); // 根据第二个参数传入的值,生成一个数并判断其hex共多少字节
// 传入13,14,15,16生成对应的四个key
part_key_lenkeypart_key_lenkey(((1 << (i-1)) - 1) << 4)+13
(((1 << (i-1)) - 1) << 4)+13
xtea(input_dest_1, key);xtea(v25, key);tea(v26, key);tea(v27, key);xtea(input_dest_1, key);xtea(v25, key);tea(v26, key);tea(v27, key);sum = 0;
do
{
left((__int64)v71, &v1, 4);
right(v72, &v1, 5i64);
xor(v73, v71, v72);
add(v74, v73, &v1); // (((v1 << 4) ^ (v1 >> 5)) + v1)
v57 = 0;
v14 = 4i64;
v56 = sum;
while ( 1 )
{
v15 = v14;
if ( *((_BYTE *)&sum_1 + v14 + 3) )
break;
if ( !--v14 )
{
v15 = 0;
break;
}
}
sum_1 = v15;
v16 = sum & 3;
sum -= 0x70C88617;
add(v75, &sum_1, &key_1[9 * v16]); // sum + key[sum & 3]
xor(v76, v74, v75); // (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3])
add(&v0, &v0, v76); // v0 +=
left((__int64)v77, &v0, 4);
right(v78, &v0, 5i64);
xor(v79, v77, v78);
add(v80, v79, &v0); // (((v0 << 4) ^ (v0 >> 5)) + v0)
v57 = 0;
v17 = 4i64;
v56 = sum;
while ( 1 )
{
v18 = v17;
if ( *((_BYTE *)&sum_1 + v17 + 3) )
break;
if ( !--v17 )
{
v18 = 0;
break;
}
}
sum_1 = v18;
add(xor_data1_1, &sum_1, &key_1[9 * ((sum >> 11) & 3)]);// (sum + key[(sum>>11) & 3])
xor(xor_data2_1, v80, xor_data1_1); // (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3])
add(&v1, &v1, xor_data2_1); // v1 +=
}
while ( sum != 0xE6EF3D20 );
xor_data1 = fun(3, 5);
v82 = 0;
xor_data1_1[1] = xor_data1;
v20 = 4i64;
while ( 1 )
{
v21 = v20;
if ( *((_BYTE *)xor_data1_1 + v20 + 3) )
break;
if ( !--v20 )
{
v21 = 0;
break;
}
}
xor_data1_1[0] = v21;
xor(&v0, &v0, xor_data1_1); // 注意最后还加了一步异或
v22 = v0; // v0 = v0 ^ fun(5)
if ( v0 > 32 )
{
*a1 = 32;
v22 = 32i64;
LABEL_108: *(_QWORD *)((char *)v50 + v22 - 8) = *(_QWORD *)((char *)&v52[-2] + v22);
v45 = v22 - 1;
if ( v45 >= 8 )
{
v46 = v45 & 0xFFFFFFFFFFFFFFF8ui64;
v47 = 0i64;
do
{
*(_QWORD *)&v50[v47 / 4] = *(_QWORD *)&v52[v47 / 4];
v47 += 8i64;
}
while ( v47 < v46 );
}
goto LABEL_66;
}
*a1 = v0;
if ( v22 >= 8 )
goto LABEL_108;
if ( (v22 & 4) != 0 )
{
a1[1] = v52[0];
*(int *)((char *)v50 + v22 - 4) = *(_DWORD *)((char *)&v52[-1] + v22);
}
else if ( v22 )
{
*((_BYTE *)a1 + 4) = v52[0];
if ( (v22 & 2) != 0 )
*(_WORD *)((char *)v50 + v22 - 2) = *(_WORD *)((char *)&v0 + v22 + 2);
}
LABEL_66: xor_data2 = fun(3, 6);
v84 = 0;
xor_data2_1[1] = xor_data2;
v24 = 4i64;
while ( 1 )
{
v25 = v24;
if ( *((_BYTE *)xor_data2_1 + v24 + 3) )
break;
if ( !--v24 )
{
v25 = 0;
break;
}
}
xor_data2_1[0] = v25;
xor(&v1, &v1, xor_data2_1); // v1 = v1 ^ xor_data2
sum = 0;
do
{
left((__int64)v71, &v1, 4);
right(v72, &v1, 5i64);
xor(v73, v71, v72);
add(v74, v73, &v1); // (((v1 << 4) ^ (v1 >> 5)) + v1)
v57 = 0;
v14 = 4i64;
v56 = sum;
while ( 1 )
{
v15 = v14;
if ( *((_BYTE *)&sum_1 + v14 + 3) )
break;
if ( !--v14 )
{
v15 = 0;
break;
}
}
sum_1 = v15;
v16 = sum & 3;
sum -= 0x70C88617;
add(v75, &sum_1, &key_1[9 * v16]); // sum + key[sum & 3]
xor(v76, v74, v75); // (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3])
add(&v0, &v0, v76); // v0 +=
left((__int64)v77, &v0, 4);
right(v78, &v0, 5i64);
xor(v79, v77, v78);
add(v80, v79, &v0); // (((v0 << 4) ^ (v0 >> 5)) + v0)
v57 = 0;
v17 = 4i64;
v56 = sum;
while ( 1 )
{
v18 = v17;
if ( *((_BYTE *)&sum_1 + v17 + 3) )
break;
if ( !--v17 )
{
v18 = 0;
break;
}
}
sum_1 = v18;
add(xor_data1_1, &sum_1, &key_1[9 * ((sum >> 11) & 3)]);// (sum + key[(sum>>11) & 3])
xor(xor_data2_1, v80, xor_data1_1); // (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3])
add(&v1, &v1, xor_data2_1); // v1 +=
}
while ( sum != 0xE6EF3D20 );
xor_data1 = fun(3, 5);
v82 = 0;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2021-6-23 16:22
被SYJ-Re编辑
,原因:
|
|
|---|---|
|
|
|
|
|
感谢提醒,由于加密步骤解密并没有用到,下次注意
|
|
|
|
|
|
|
|
|
|
