做完了逆向,不得不说das的re还是比较友好的
得到文件py.exe,肯定就是考python打包成exe文件了。可以参考文章https://blog.csdn.net/m0_37552052/article/details/88093427
用pyinstxtractor.py还原
python pyinstxtractor.py [filename]
得到文件夹,看到里面有个py.pyc,直接还原不行,用文章里面的方法还原pyc头文件,如果想学习pyc还可以看看这篇文章https://zhuanlan.zhihu.com/p/145811103
得到py文件。
很简单
简单的apk逆向,加密函数和密文都在so文件的mycheck中,有经验的话不难看出是rc4,看不出来也没关系,反正最后就是一个异或,动调把异或数组取出来就行了,动调apk方法在https://the_itach1.gitee.io/2021/08/02/D0g3%E6%AF%94%E8%B5%9B%E5%B9%B3%E5%8F%B0%20re%20wp/的medical_app。
由于比较懒,不想一个一个调,就直接输入了个错误flag,然后得到假密文,去得到异或的数组。好像rc4的key是12345678,可能也可以用rc4来做。
好家伙,题刚出来2分钟就有人直接秒了,可能是出题人。
就是有很多花指令,来干扰分析,动调就好了,main函数前面一大部分感觉都是用来解密函数代码的,真正要看的地方在(loc_584000)(&v19);
进去可以看到,图片里面忘了说sub_581FA0应该也是用来解密函数代码的。
然后先看看rc4吧
retn后,32字节转4*8
魔改的tea。
然后解密
照着博客做就行,关键是flag.jpg在哪,开始以为是头像,结果没解出来,后面f12看网页,也没找到,然后试了试直接在网页后面加上\flag.jpg,还真的有。
本人blog:https://the_itach1.gitee.io/
def
encode(s):
str
=
''
for
i
in
range
(
len
(s)):
res
=
ord
(s[i]) ^
32
res
+
=
31
str
+
=
chr
(res)
return
str
m
=
'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings
=
''
strings
=
input
(
'Input:'
)
if
encode(strings)
=
=
m:
print
'Correct!'
else
:
print
'Try again!'
def
encode(s):
str
=
''
for
i
in
range
(
len
(s)):
res
=
ord
(s[i]) ^
32
res
+
=
31
str
+
=
chr
(res)
return
str
m
=
'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings
=
''
strings
=
input
(
'Input:'
)
if
encode(strings)
=
=
m:
print
'Correct!'
else
:
print
'Try again!'
m
=
'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
str
=
''
for
i
in
m:
str
+
=
chr
((
ord
(i)
-
31
)^
32
)
print
(
str
)
m
=
'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
str
=
''
for
i
in
m:
str
+
=
chr
((
ord
(i)
-
31
)^
32
)
print
(
str
)
fake_code
=
[
0xDD
,
0x9F
,
0x58
,
0xB3
,
0x72
,
0xD0
,
0xBC
,
0xC4
,
0x94
,
0x56
,
0x6C
,
0xA8
,
0xCE
,
0x54
,
0x62
,
0xCE
,
0x1E
,
0xF3
,
0xF3
,
0x26
,
0xB9
,
0x19
,
0x0F
,
0xC6
,
0x2D
,
0x6E
,
0xA3
,
0xC0
,
0x21
,
0xD4
,
0x99
,
0x13
]
fake_flag
=
'flag{abcdefghijklmnopqrstuvwxyz}'
enc
=
[
0x8C
,
0xC4
,
0x00
,
0xE6
,
0x6A
,
0x88
,
0xB8
,
0x90
,
0xC2
,
0x07
,
0x6B
,
0xA9
,
0xC3
,
0x0A
,
0x3E
,
0xC0
,
0x44
,
0xA6
,
0xFE
,
0x7E
,
0xF0
,
0x59
,
0x4C
,
0x83
,
0x3D
,
0x2B
,
0xE2
,
0xD3
,
0x38
,
0xCB
,
0x82
,
0x5B
]
for
i
in
range
(
32
):
print
(
chr
(
ord
(fake_flag[i])^fake_code[i]^enc[i]),end
=
'')
fake_code
=
[
0xDD
,
0x9F
,
0x58
,
0xB3
,
0x72
,
0xD0
,
0xBC
,
0xC4
,
0x94
,
0x56
,
0x6C
,
0xA8
,
0xCE
,
0x54
,
0x62
,
0xCE
,
0x1E
,
0xF3
,
0xF3
,
0x26
,
0xB9
,
0x19
,
0x0F
,
0xC6
,
0x2D
,
0x6E
,
0xA3
,
0xC0
,
0x21
,
0xD4
,
0x99
,
0x13
]
fake_flag
=
'flag{abcdefghijklmnopqrstuvwxyz}'
enc
=
[
0x8C
,
0xC4
,
0x00
,
0xE6
,
0x6A
,
0x88
,
0xB8
,
0x90
,
0xC2
,
0x07
,
0x6B
,
0xA9
,
0xC3
,
0x0A
,
0x3E
,
0xC0
,
0x44
,
0xA6
,
0xFE
,
0x7E
,
0xF0
,
0x59
,
0x4C
,
0x83
,
0x3D
,
0x2B
,
0xE2
,
0xD3
,
0x38
,
0xCB
,
0x82
,
0x5B
]
for
i
in
range
(
32
):
print
(
chr
(
ord
(fake_flag[i])^fake_code[i]^enc[i]),end
=
'')
void encrypt(unsigned __int64
*
code , unsigned __int64
*
key)
{
unsigned __int64 delta
=
0x9E3779B9
;
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
int
i;
tmp1
=
code[
0
];
tmp2
=
code[
1
];
tmp3
=
code[
2
];
tmp4
=
code[
3
];
key1
=
key[
0
];
key2
=
key[
1
];
key3
=
key[
2
];
key4
=
key[
3
];
for
(i
=
0
;i<
32
;i
+
+
)
{
d
+
=
delta;
tmp1
+
=
(key2
+
(tmp2 >>
5
)) ^ (d
+
tmp2) ^ (key1
+
16
*
tmp2);
tmp2
+
=
(key4
+
(tmp1 >>
5
)) ^ (d
+
tmp1) ^ (key3
+
16
*
tmp1);
tmp3
+
=
(key2
+
(tmp4 >>
5
)) ^ (d
+
tmp4) ^ (key1
+
16
*
tmp4);
tmp4
+
=
(key4
+
(tmp3 >>
5
)) ^ (d
+
tmp3) ^ (key3
+
16
*
tmp3);
}
code[
0
]
=
tmp1;
code[
1
]
=
tmp2;
code[
2
]
=
tmp3;
code[
3
]
=
tmp4;
}
void decrypt(unsigned __int64
*
code , unsigned __int64
*
key)
{
unsigned __int64 delta
=
0x9E3779B9
;
unsigned __int64
sum
=
delta
*
32
;
/
/
sum
=
0x13C6EF3720
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4;
int
i;
tmp1
=
code[
0
];
tmp2
=
code[
1
];
tmp3
=
code[
2
];
tmp4
=
code[
3
];
key1
=
key[
0
];
key2
=
key[
1
];
key3
=
key[
2
];
key4
=
key[
3
];
for
(i
=
0
;i<
32
;i
+
+
)
{
tmp4
-
=
(key4
+
(tmp3 >>
5
)) ^ (
sum
+
tmp3) ^ (key3
+
16
*
tmp3);
tmp3
-
=
(key2
+
(tmp4 >>
5
)) ^ (
sum
+
tmp4) ^ (key1
+
16
*
tmp4);
tmp2
-
=
(key4
+
(tmp1 >>
5
)) ^ (
sum
+
tmp1) ^ (key3
+
16
*
tmp1);
tmp1
-
=
(key2
+
(tmp2 >>
5
)) ^ (
sum
+
tmp2) ^ (key1
+
16
*
tmp2);
sum
-
=
delta;
}
code[
0
]
=
tmp1;
code[
1
]
=
tmp2;
code[
2
]
=
tmp3;
code[
3
]
=
tmp4;
}
int
main()
{
unsigned __int64 code[
4
]
=
{
0x0E990A522BE80F786
,
0x8B836286B8A5EB59
,
0x2FDE61CCEFC70FF8
,
0x56BC19E119C8B07B
},key[
4
]
=
{
0x54466076484C5476
,
0x4550504F765F4344
,
0x5A796F755F6D6179
,
0x5F6E6565645F7468
};
/
/
encrypt(code,key);
decrypt(code,key);
printf(
"%016llx%016llx%016llx%016llx"
,code[
0
],code[
1
],code[
2
],code[
3
]);
}
/
/
505a4cc462489e8003aef16b785c7501343057844ff5acb809616159f51713f3
void encrypt(unsigned __int64
*
code , unsigned __int64
*
key)
{
unsigned __int64 delta
=
0x9E3779B9
;
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
int
i;
tmp1
=
code[
0
];
tmp2
=
code[
1
];
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2021-8-30 21:39
被The_Itach1编辑
,原因: