首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. CTF对抗
    3. 发新帖
[原创]羊城杯部分逆向wp
2021-9-14 11:18 15335

[原创]羊城杯部分逆向wp

s1lenc3沉默 活跃值
2021-9-14 11:18
15335

babysmc

有一个smc,
图片描述

 

没发现反调试,直接调试解smc,调试直接跳过了一大串代码,来到关键处。

 

图片描述

 

类似base64,不过加了个异或。

 

写脚本解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import base64
 
base_table = [
        0xE4, 0xC4, 0xE7, 0xC7, 0xE6, 0xC6, 0xE1, 0xC1, 0xE0, 0xC0, 0xE3, 0xC3, 0xE2, 0xC2, 0xED, 0xCD,
        0xEC, 0xCC, 0xEF, 0xCF, 0xEE, 0xCE, 0xE9, 0xC9, 0xE8, 0xC8, 0xEB, 0xCB, 0xEA, 0xCA, 0xF5, 0xD5,
        0xF4, 0xD4, 0xF7, 0xD7, 0xF6, 0xD6, 0xF1, 0xD1, 0xF0, 0xD0, 0xF3, 0xD3, 0xF2, 0xD2, 0xFD, 0xDD,
        0xFC, 0xDC, 0xFF, 0xDF, 0x95, 0x9C, 0x9D, 0x92, 0x93, 0x90, 0x91, 0x96, 0x97, 0x94, 0x8A, 0x8E
]
base_table_str = []
for i in range(len(base_table)):
    base_table_str.append(chr(base_table[i]))
a = "H>oQn6aqLr{DH6odhdm0dMe`MBo?lRglHtGPOdobDlknejmGI|ghDb<4"
tmp = [0xa6, 0xa3, 0xa9, 0xac]
a_res = []
ss = []
for i in range(len(a)-1):
    a_res.append(ord(a[i])^tmp[i%4])
    ss.append(chr(ord(a[i])^tmp[i%4]))
print(ss)
print(len(ss))
# for i in range(len(ss)):
#     print("\\x" + (hex(ord(ss[i]))[2:].rjust(2,'0')), end="")
# aa = "\xee\x9d\xc3\xf8\xc8\x95\xcd\xd8\xea\xd1\xd7\xed\xee\x95\xc3\xcd\xce\xc7\xc1\x99\xc2\xee\xc9\xc9\xeb\xe1\xc3\x96\xca\xf1\xcb\xc5\xee\xd7\xeb\xf9\xe9\xc7\xc3\xcb\xe2\xcf\xc7\xc7\xc3\xc9\xc1\xee\xef\xdf\xcb\xc1\xe2\xc1\x90\x9d"
aa_tmp = []
for i in range(len(ss)):
    aa_tmp.append(base_table_str.index(ss[i]))
print(aa_tmp)
print(len(aa_tmp))
flag = ""
for i in range(0, 52, 4):
    f1 = (aa_tmp[i] << 2) | ((aa_tmp[i+1] >> 4) & 3)
    f2 = ((aa_tmp[i+1] << 4) | ((aa_tmp[i+2] >> 2) & 0xf)) & 0xff
    f3 = ((aa_tmp[i+2] << 6) | (aa_tmp[i+3] & 0x3f)) & 0xff
    flag += chr(f1) + chr(f2) + chr(f3)
f1 = (aa_tmp[52] << 2) | ((aa_tmp[53] >> 4) & 3)
f2 = ((aa_tmp[53] << 4) | ((aa_tmp[54] >> 2) & 0xf)) & 0xff
flag += chr(f1) + chr(f2)
print(flag)

ez_android

mainactivity:

 

图片描述

1
2
3
4
5
ss="c232666f1410b3f5010dc51cec341f58"
res = ""
for i in range(0,len(ss),2):
    res += hex(int("0x" + ss[i:i+2], 16) + 1)[2:].rjust(2, "0")
print(res)

图片描述

 

得到用户名密码。

 

然后frida hook获取key:

1
2
3
4
5
6
7
8
9
10
11
12
function main(){
    Java.perform(function(){
        var ByteString = Java.use("com.android.okhttp.okio.ByteString");
        Java.use("top.zjax.login.EncodeUtils").encode.implementation = function(x, y, z){
            console.log("start......");
            var result = this.encode(x, y, z);
            console.log("arg:", ByteString.of(x), y, ByteString.of(z).hex());
            return result;
        }
    })
}
setImmediate(main)

图片描述

 

就是一个换表base64,key就是被替换的表,解密即可。

easyvm

图片描述

 

xxtea加密,也不管他改没改了,调试直接dump代码。

1
2
3
4
5
from z3 import *
# ss = [0x55, 0x89, 0xE5, 0x53, 0x83, 0xEC, 0x34, 0x8B, 0x45, 0x08, 0x89, 0x45, 0xD4, 0x65, 0xA1, 0x14, 0x00, 0x00, 0x00, 0x89, 0x45, 0xF4, 0x31, 0xC0, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x71, 0x75, 0x2F, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x18, 0x8D, 0x50, 0xFC, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x18, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x18, 0x8B, 0x55, 0xD4, 0x8B, 0x52, 0x20, 0x8B, 0x52, 0x01, 0x89, 0x10, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x05, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x41, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x08, 0x01, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x42, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x10, 0x29, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x43, 0x75, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x0C, 0x0F, 0xAF, 0xD0, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x37, 0x75, 0x1B, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x14, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x38, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x10, 0x31, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x39, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x14, 0x31, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x35, 0x75, 0x1B, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x14, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xF7, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x01, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x44, 0x75, 0x2A, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x8B, 0x55, 0xD4, 0x8B, 0x5A, 0x14, 0xBA, 0x00, 0x00, 0x00, 0x00, 0xF7, 0xF3, 0x89, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x80, 0x75, 0x33, 0x8B, 0x5D, 0xD4, 0x83, 0xEC, 0x08, 0x6A, 0x01, 0xFF, 0x75, 0xD4, 0xE8, 0x9E, 0xFD, 0xFF, 0xFF, 0x83, 0xC4, 0x10, 0xC1, 0xE0, 0x02, 0x8D, 0x14, 0x03, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8B, 0x40, 0x02, 0x89, 0x02, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x06, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x77, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x24, 0x31, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x53, 0x75, 0x27, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x0C, 0x0F, 0xB6, 0x00, 0x0F, 0xBE, 0xC0, 0x83, 0xEC, 0x0C, 0x50, 0xE8, 0x4A, 0xFB, 0xFF, 0xFF, 0x83, 0xC4, 0x10, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x02, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x22, 0x75, 0x25, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x08, 0x89, 0xC1, 0xD3, 0xEA, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x23, 0x75, 0x25, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x08, 0x89, 0xC1, 0xD3, 0xE2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x99, 0x0F, 0x84, 0x70, 0x04, 0x00, 0x00, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x76, 0x75, 0x38, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x18, 0x8B, 0x10, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x0C, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x18, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x18, 0x8D, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x18, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x05, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x54, 0x75, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x0C, 0x89, 0x45, 0xE0, 0xE8, 0x03, 0xFA, 0xFF, 0xFF, 0x89, 0xC2, 0x8B, 0x45, 0xE0, 0x88, 0x10, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x02, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x30, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x08, 0x09, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x31, 0x75, 0x23, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x08, 0x21, 0xC2, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x32, 0x75, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x83, 0xC0, 0x01, 0x0F, 0xB6, 0x00, 0x0F, 0xB6, 0xD0, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x0C, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x02, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x09, 0x75, 0x19, 0x8B, 0x45, 0xD4, 0xC7, 0x40, 0x04, 0x67, 0xF9, 0xEB, 0x6F, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x10, 0x75, 0x1B, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x33, 0x75, 0x1B, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x10, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x34, 0x75, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x83, 0xC0, 0x01, 0x0F, 0xB6, 0x00, 0x0F, 0xB6, 0xD0, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x08, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x02, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xFE, 0x75, 0x1B, 0x8B, 0x45, 0xD4, 0x8B, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0x11, 0x75, 0x26, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x83, 0xEC, 0x08, 0x50, 0x68, 0x40, 0x93, 0x04, 0x08, 0xE8, 0x5C, 0xF8, 0xFF, 0xFF, 0x83, 0xC4, 0x10, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xA0, 0x75, 0x28, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x3D, 0x67, 0xF9, 0xEB, 0x6F, 0x75, 0x11, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0xEB, 0x0A, 0x83, 0xEC, 0x0C, 0x6A, 0x00, 0xE8, 0x55, 0xF8, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xA1, 0x75, 0x42, 0x83, 0xEC, 0x04, 0x6A, 0x2C, 0x68, 0x40, 0xB3, 0x04, 0x08, 0x6A, 0x00, 0xE8, 0xE7, 0xF7, 0xFF, 0xFF, 0x83, 0xC4, 0x10, 0x83, 0xEC, 0x0C, 0x68, 0x40, 0xB3, 0x04, 0x08, 0xE8, 0x37, 0xF8, 0xFF, 0xFF, 0x83, 0xC4, 0x10, 0x83, 0xF8, 0x2C, 0x74, 0x0A, 0x83, 0xEC, 0x0C, 0x6A, 0x00, 0xE8, 0x15, 0xF8, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xB1, 0x75, 0x1B, 0x8B, 0x15, 0x80, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xB2, 0x75, 0x1B, 0x8B, 0x15, 0x84, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xA4, 0x75, 0x37, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x83, 0xC0, 0x01, 0x0F, 0xB6, 0x00, 0x0F, 0xB6, 0xC0, 0x89, 0x45, 0xE4, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x89, 0x45, 0xE8, 0x8B, 0x55, 0xE8, 0x8B, 0x45, 0xE4, 0x89, 0x14, 0x85, 0x80, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xB3, 0x75, 0x1B, 0x8B, 0x15, 0x88, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xB4, 0x75, 0x1B, 0x8B, 0x15, 0x8C, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x24, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xC1, 0x75, 0x35, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x83, 0xC0, 0x01, 0x0F, 0xB6, 0x00, 0x0F, 0xB6, 0xC0, 0x89, 0x45, 0xEC, 0x8B, 0x45, 0xEC, 0x05, 0x40, 0xB3, 0x04, 0x08, 0x0F, 0xB6, 0x00, 0x0F, 0xB6, 0xD0, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x04, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x02, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xC7, 0x75, 0x2B, 0x8B, 0x15, 0x60, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x39, 0xC2, 0x75, 0x11, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0xEB, 0x0A, 0x83, 0xEC, 0x0C, 0x6A, 0x00, 0xE8, 0xA8, 0xF6, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xC8, 0x75, 0x2B, 0x8B, 0x15, 0x64, 0xB0, 0x04, 0x08, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x39, 0xC2, 0x75, 0x11, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x01, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0xEB, 0x0A, 0x83, 0xEC, 0x0C, 0x6A, 0x00, 0xE8, 0x70, 0xF6, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x0F, 0xB6, 0x00, 0x3C, 0xC2, 0x0F, 0x85, 0xCF, 0xF8, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x83, 0xC0, 0x01, 0x8B, 0x00, 0x89, 0x45, 0xF0, 0x8B, 0x45, 0xF0, 0x0F, 0xB6, 0xD0, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x04, 0x39, 0xC2, 0x74, 0x0A, 0x83, 0xEC, 0x0C, 0x6A, 0x00, 0xE8, 0x37, 0xF6, 0xFF, 0xFF, 0x8B, 0x45, 0xD4, 0x8B, 0x40, 0x20, 0x8D, 0x50, 0x05, 0x8B, 0x45, 0xD4, 0x89, 0x50, 0x20, 0xE9, 0x93, 0xF8, 0xFF, 0xFF, 0x90, 0x90, 0x8B, 0x45, 0xF4, 0x65, 0x33, 0x05, 0x14, 0x00, 0x00, 0x00, 0x74, 0x05, 0xE8, 0xF0, 0xF5, 0xFF, 0xFF, 0x8B, 0x5D, 0xFC, 0xC9]
# start = 0x80487A8
# for i in range(len(ss)):
#     idc.PatchByte(start + i, ss[i])

然后分析vm,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
0xA1,
0xC1, 0x00, 0xB1, 0x77, 0xC2, 0x4A, 0x01, 0x00, 0x00, 0x7b^0x4a=
0xC1, 0x01, 0xB2, 0x77, 0xC2, 0x19, 0x01, 0x00, 0x00, 0x19^0x2f=
0xC1, 0x02, 0xB4, 0x77, 0xC2, 0xDD, 0x01, 0x00, 0x00, 0xe8^0xdd=
0xC1, 0x03, 0xB3, 0x77, 0xC2, 0x0F, 0x01, 0x00, 0x00, 0x0f^0x37=
0xC1, 0x04, 0xB2, 0x77, 0xC2, 0x1B, 0x01, 0x00, 0x00,
0xC1, 0x05, 0xB4, 0x77, 0xC2, 0x89, 0x01, 0x00, 0x00,
0xC1, 0x06, 0xB1, 0x77, 0xC2, 0x19, 0x01, 0x00, 0x00,
0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x54, 0x01, 0x00, 0x00,
0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x4F, 0x01, 0x00, 0x00,
0xC1, 0x09, 0xB1, 0x77, 0xC2, 0x4E, 0x01, 0x00, 0x00,
0xC1, 0x0A, 0xB3, 0x77, 0xC2, 0x55, 0x01, 0x00, 0x00,
0xC1, 0x0B, 0xB3, 0x77, 0xC2, 0x56, 0x01, 0x00, 0x00,
0xC1, 0x0C, 0xB4, 0x77, 0xC2, 0x8E, 0x00, 0x00, 0x00,
0xC1, 0x0D, 0xB2, 0x77, 0xC2, 0x49, 0x00, 0x00, 0x00,
0xC1, 0x0E, 0xB3, 0x77, 0xC2, 0x0E, 0x01, 0x00, 0x00,
0xC1, 0x0F, 0xB1, 0x77, 0xC2, 0x4B, 0x01, 0x00, 0x00,
0xC1, 0x10, 0xB3, 0x77, 0xC2, 0x06, 0x01, 0x00, 0x00,
0xC1, 0x11, 0xB3, 0x77, 0xC2, 0x54, 0x01, 0x00, 0x00,
0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x1A, 0x00, 0x00, 0x00,
0xC1, 0x13, 0xB1, 0x77, 0xC2, 0x42, 0x01, 0x00, 0x00,
0xC1, 0x14, 0xB3, 0x77, 0xC2, 0x53, 0x01, 0x00, 0x00,
0xC1, 0x15, 0xB1, 0x77, 0xC2, 0x1F, 0x01, 0x00, 0x00,
0xC1, 0x16, 0xB3, 0x77, 0xC2, 0x52, 0x01, 0x00, 0x00,
0xC1, 0x17, 0xB4, 0x77, 0xC2, 0xDB, 0x00, 0x00, 0x00,
0xC1, 0x18, 0xB1, 0x77, 0xC2, 0x19, 0x01, 0x00, 0x00,
0xC1, 0x19, 0xB4, 0x77, 0xC2, 0xD9, 0x00, 0x00, 0x00,
0xC1, 0x1A, 0xB1, 0x77, 0xC2, 0x19, 0x01, 0x00, 0x00,
0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x55, 0x01, 0x00, 0x00,
0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x19, 0x00, 0x00, 0x00,
0xC1, 0x1D, 0xB3, 0x77, 0xC2, 0x00, 0x01, 0x00, 0x00,
0xC1, 0x1E, 0xB1, 0x77, 0xC2, 0x4B, 0x01, 0x00, 0x00,
0xC1, 0x1F, 0xB2, 0x77, 0xC2, 0x1E, 0x00, 0x00, 0x00,
 
0xC1, 0x20, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x23, 0x10,
0xC1, 0x21, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x22, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x23,
0xF7,
0xFE,
0x80, 0x02, 0x05, 0x00, 0x00, 0x00,
0x22,
0x77,
0x10,
0x80, 0x02, 0x07, 0x00, 0x00, 0x00,
0x23,
0x80, 0x02, 0x23, 0x77, 0xF1, 0x98,
0x31, a[1] &= a[2]
0x77,
0x10,
0x80, 0x02, 0x18, 0x00, 0x00, 0x00,
0x23,
0x80, 0x02, 0x20, 0xB9, 0xE4, 0x35,
0x31,
0x77,
0x10,
0x80, 0x02, 0x12, 0x00, 0x00, 0x00,
0x22,
0x77,
0xA0, 0x6FEBF967
 
0xC1, 0x24, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x23, 0x10,
0xC1, 0x25, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x26, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x27,
0xF7, a[9] += a[1]
0xFE, a[1] = a[9]
0x32, 0x20, a[3] = 0x20
0x43, a[1] *= a[3]
0x33, a[4] = a[1]
0x77, a[1] ^= a[9]
0x80, 0x02, 0x11, 0x00, 0x00, 0x00, a[2] = 0x11
0x22,  a[1] >>= a[2]
0x35,  a[5] = a[1]
0x37,  a[1] = a[5]
0x38,  a[1] ^= a[4]
0x77,  a[1] ^= a[9]
0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, a[2] = 0xD
0x23, a[1] <<= 0xD
0x77, a[1] ^= a[9]
0x38, a[1] ^= a[4]
0x39, a[1] ^= a[5]
0x10, a[9] = a[1]
0x32, 0x20, a[3] = 0x20
0x43, a[1] *= a[3]
0x33, a[4] = a[1]
0x77, a[1] ^= a[9]
0x80, 0x02, 0x11, 0x00, 0x00, 0x00, a[2] = 0x11
0x22, a[1] >>= a[2]
0x35, a[5] = a[1]
0x37, a[1] = a[5]
0x38, a[1] ^= a[4]
0x77, a[1] ^= a[9]
0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, a[2] = 0xD
0x23, a[1] <<= 0xD
0x77, a[1] ^= a[9]
0x38, a[1] ^= a[4]
0x39, a[1] ^= a[5]
0xC7, a1 = 0xCF1304DC
 
0xC1, 0x28, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x23, 0x10,
0xC1, 0x29, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x2A, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x23, 0xF7,
0xC1, 0x2B,
0xF7,
0xFE,
0x32,
0x20,
0x43,
0x33,
0x77,
0x80, 0x02, 0x11, 0x00, 0x00, 0x00,
0x22,
0x35,
0x37,
0x38,
0x77,
0x80, 0x02, 0x0D, 0x00, 0x00, 0x00,
0x23,
0x77,
0x38,
0x39,
0x10,
0x32, 0x20,
0x43,
0x33,
0x77,
0x80, 0x02, 0x11, 0x00, 0x00, 0x00,
0x22,
0x35,
0x37,
0x38,
0x77,
0x80, 0x02, 0x0D, 0x00, 0x00, 0x00,
0x23,
0x77,
0x38,
0x39,
0xC80x283B8E84
0x99

前32个就是异或,后边分析出来是加减乘异或移位。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include "stdio.h"
 
int main(){
    u_int32_t a[10] = {0};
    for(int i = 0;i< 0xffffffff;i++){
        a[1] = 0;
        a[2] = 0;
        a[3] = 0;
        a[4] = 0;
        a[5] = 0;
        a[9] = 0;
        a[1] = i;
        a[9] = a[1];
        a[1] = a[9];
        a[3] = 0x20;
        a[1] = (a[1] * a[3]);
        a[4] = a[1];
        a[1] ^= a[9];
        a[2] = 0x11;
        a[1] >>= a[2];
        a[5] = a[1];
        a[1] = a[5];
        a[1] ^= a[4];
        a[1] ^= a[9];
        a[2] = 0xD;
        a[1] = (a[1] << 0xD);
        a[1] ^= a[9];
        a[1] ^= a[4];
        a[1] ^= a[5];
        a[9] = a[1];
        a[3] = 0x20;
        a[1] = (a[1] * a[3]);
        a[4] = a[1];
        a[1] ^= a[9];
        a[2] = 0x11;
        a[1] >>= a[2];
        a[5] = a[1];
        a[1] = a[5];
        a[1] ^= a[4];
        a[1] ^= a[9];
        a[2] = 0xD;
        a[1] = (a[1] << 0xD);
        a[1] ^= a[9];
        a[1] ^= a[4];
        a[1] ^= a[5];
        if(a[1] == 0x283B8E84){
            printf("%d\n", i);
        }
    }
}

deltx

图片描述

 

第一个check,直接拿去爆破。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
#include <stdlib.h>
#include "stdio.h"
 
int main(){
    int v9;
    unsigned int v48; // er9
    int v49; // esi
    int i; // er14
    int v51; // er10
    unsigned int v52; // er11
    unsigned int v53; // edx
    int v54; // ecx
    unsigned int v55; // er8
    char v56; // al
    int v57; // eax
    int v58; // er10
    for(int j = 0;j < 0xffff; j++){
        //printf("%d\n", j);
        for(int h = 0;h < 0xffff; h++){
            v9 = j;
            v49 = h;
            v48 = 0;
            for ( i = v9; v49; v49 >>= 1 )
            {
                if ( (v49 & 1) != 0 )
                {
                    v51 = i;
                    v52 = v48;
                    do
                    {
                        v48 = 0;
                        v53 = v51;
                        v54 = 0;
                        v55 = v52;
                        while ( v55 || v53 )
                        {
                            v56 = (char)(v55 + v53);
                            v55 >>= 1;
                            v57 = (v56 & 1) << v54++;
                            v48 |= v57;
                            v53 >>= 1;
                        }
                        v58 = (int)(v52 & v51);
                        v52 = v48;
                        v51 = 2 * v58;
                    }
                    while ( v51 );
                }
                i *= 2;
            }
            //0x249E15C5, 0x34C7EAE2, 0x637973BA, 0xE5FD104
            if(v48 == 0xE5FD104){
                printf("%d  %d\n", j,h);
            }
        }
    }
    return 0;
}

第二个check:

 

图片描述
得到的结果要注意开始会检查大小写,爆破可能有多个,通过调试过第二个check。


[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界

收藏
点赞3
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回