[Original] 羊城杯 RE writeup
Posted: 2021-9-14 21:37 · 26675


The challenges were of decent quality; some I didn't solve because I ran into problems. I'm taking the time to write this up partly to consolidate a few knowledge points, and partly so more people can learn from each other.

From the challenge you can tell the code has been processed with SMC, so just debug it dynamically; there's no anti-debugging either.

First, the front part (screenshot).

The base64 encryption routine (screenshot).

Ciphertext and comparison (screenshot).

Decryption script (the Python script at the end of the post).

The control flow in this challenge is very messy; watching memory while debugging makes the analysis much simpler. There is a pitfall, though: the case of the flag characters. Just try a few variants.

Front part (screenshot).

Middle data processing (screenshot).

Script (screenshot).

Solving all the data and concatenating gives SangFor{2C7BD2BF862564BAED0B6B6EA94F15BC}, but that is wrong. Trying it group by group to see where the problem was, it turned out one group had a case issue, which gives SangFor{2C7BD2BF862564baED0B6B6EA94F15BC}.

An ELF file; the code is encrypted as well, and there is a self-decrypting function.

First look at the main function (screenshot).

Inside the VM there's nothing for it but to step through slowly and work out the rough logic yourself.

There are roughly three kinds of encryption: the first 32 characters are XORed, the next 4 go through some arithmetic, and the last 8 characters are split into two groups that are encrypted with the same operation.

I wrote a C program to print the process (the VM decoder at the end of the post).

The first 32 characters have the following structure; it's just an XOR (screenshot).

The logic for the next 4 characters is as follows (screenshot).

Pay special attention to the instruction for 0x80; during the competition I spent a lot of time on it, but stepping through one step at a time I found it in the end.

The solution can be brute force: 4 characters isn't much.
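The 4-character block worked backwards instead of brute-forced, as an added example (not the author's script). Everything in it is read off the trace that the C decoder at the end of the post prints: 0xC1/0x80/0x23/0xF7 pack flag[0x20..0x23] big-endian into one 32-bit word, the 0x22/0x23/0x31/0x77/0x10 sequence applies four shift-xor-mask steps whose masks 0x98F17723 and 0x35E4B920 sit in the opcode stream, and 0xA0 compares the result with 1877735783. Each step is a bijection on 32-bit words, so it can be inverted; the recovered bytes are a254, which is exactly characters 32..35 of the text inside the braces of the flag above, so the VM's flag[] starts after SangFor{.

```python
# Added example (not the author's script). Constants and step order are read off the
# trace printed by the C decoder at the end of the post; nothing else is assumed.
MASK32 = 0xFFFFFFFF
TARGET = 1877735783   # opcode 0xA0: if ( table[1] != 1877735783 ) exit
MASK_A = 0x98F17723   # 80 02 23 77 F1 98  -> table[2] = 0x98F17723
MASK_B = 0x35E4B920   # 80 02 20 B9 E4 35  -> table[2] = 0x35E4B920


def pack_be(chunk: bytes) -> int:
    """C1 xx / 80 02 18 / 23 / 10, then 80 02 10 / 23 / F7 ...: c0<<24 | c1<<16 | c2<<8 | c3."""
    assert len(chunk) == 4
    return int.from_bytes(chunk, "big")


def temper(y: int) -> int:
    """Forward transform of the 4-character block, all arithmetic modulo 2**32."""
    y ^= y >> 5                   # 80 02 05 / 22 / 77 / 10
    y ^= (y << 7) & MASK_A        # 80 02 07 / 23 / 80 02 MASK_A / 31 / 77 / 10
    y ^= (y << 24) & MASK_B       # 80 02 18 / 23 / 80 02 MASK_B / 31 / 77 / 10
    y ^= y >> 18                  # 80 02 12 / 22 / 77
    return y & MASK32


def _undo_rshift_xor(v: int, s: int) -> int:
    """Invert y ^= y >> s: the top s bits are untouched, each pass fixes s more below."""
    x = v
    for _ in range(32 // s + 1):
        x = v ^ (x >> s)
    return x & MASK32


def _undo_lshift_mask_xor(v: int, s: int, m: int) -> int:
    """Invert y ^= (y << s) & m: the low s bits are untouched, each pass fixes s more above."""
    x = v
    for _ in range(32 // s + 1):
        x = v ^ ((x << s) & m)
    return x & MASK32


def untemper(z: int) -> int:
    """Run the four steps backwards, so no search over the 4 characters is needed."""
    y = _undo_rshift_xor(z, 18)
    y = _undo_lshift_mask_xor(y, 24, MASK_B)
    y = _undo_lshift_mask_xor(y, 7, MASK_A)
    return _undo_rshift_xor(y, 5)


def recover_block(target: int = TARGET) -> bytes:
    """The four flag bytes the VM accepts at flag[0x20..0x23]."""
    return untemper(target).to_bytes(4, "big")


if __name__ == "__main__":
    print(recover_block())   # b'a254'
```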

The last 8 characters: the encryption has a pitfall too, namely that * and << overflow. Also solvable by brute force.

Result: SangFor{16584abc45baff901c59dde3b1bb6701a254b06cdc23}

There was indeed little analysis of the APK, which is a pity. At the time, for some reason, looking the MD5 up online didn't give a result; apparently you need to try a few more sites.

Drag it into JEB to look at the flow (screenshot).

Looking up the MD5 again, the site can crack it now... 654321

How the key is generated (screenshot).

The key obtained (screenshot).

The encode function (screenshot).

Decryption (screenshot).

Debug Blocker. This technique can also be used to hook APIs, which is quite interesting; it's covered in 逆向工程核心原理, and I ran into it in MRCTF before. The flow isn't hard to analyze; it's just that solving it kept running into all sorts of detail problems.... Afterwards I read a master's writeup to see what had gone wrong.

Browsing the overall framework shows that three passwords need to be entered.

First, the first one: the space is too big and brute force would take too long to run; z3 is indeed much faster.

After entering password1, an int3 exception is triggered. Debug it dynamically; note the IsDebuggerPresent() in main, and set the breakpoint in sub_140001270(), which is the program's own exception handler.

Then look at that function in the new exe; press P at 0014000187F.

So password2 is 10 characters in 5 groups encrypted with XTEA; XTEA decryption is as follows (screenshot).

password3: raises an exception, pseudo-random numbers.

Then just set IP and debug to get the numbers rand() produces; although 32 are generated, only the first 16 are actually used.

Then look at the shuffle function; reading the comparison part is enough.

The question is how to reverse it. bxb (yyds) used a small trick: the numbers rand() produces are two bytes while our characters are only one byte, and xor doesn't change the high byte, so the high byte can be used to restore the order. Quite clever. My own idea was to input a fake string, get the fake ciphertext, work out the shuffle pattern from that and then reverse it, but that doesn't seem to work; the order is still scrambled.
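The high-byte trick from the paragraph above, as an added example that is neither from the post nor from bxb's script. The 16 rand() values, the shuffle order and the plaintext are constructed sample data (the real values come out of the debugger as described); what it shows is why the untouched high byte pins each ciphertext word to its rand() slot, and what happens when two rand() draws share a high byte, where the trick alone cannot place the character.

```python
# Added example, not from the post: why the high byte of rand() undoes the shuffle.
# RAND16, PERM and the plaintext are CONSTRUCTED sample data; in the challenge the
# 16 rand() values are read from the debugger after set-ip, as described above.
RAND16 = [0x29EA, 0x7B1C, 0x0F3D, 0x5A07, 0x6C88, 0x1E42, 0x44D9, 0x3391,
          0x0281, 0x5E4C, 0x72A3, 0x1156, 0x6ABF, 0x4F60, 0x20E5, 0x37B2]
# cipher slot j receives character PERM[j]; the solver does not get to know PERM
PERM = [5, 0, 11, 7, 14, 2, 9, 12, 1, 15, 4, 8, 13, 3, 10, 6]


def scramble(plain: bytes) -> list:
    """Model of the check: cipher[j] = rand[i] ^ plain[i] with i = PERM[j].
    plain[i] < 0x100, so the xor only touches the low byte of the 16-bit rand value."""
    assert len(plain) == len(RAND16)
    return [RAND16[i] ^ plain[i] for i in PERM]


def unscramble(cipher: list):
    """Place each cipher word by matching its untouched high byte to a rand() slot.
    Returns (characters indexed by original position, words that could not be placed)."""
    slots_by_high = {}
    for i, r in enumerate(RAND16):
        slots_by_high.setdefault(r >> 8, []).append(i)
    recovered = [None] * len(RAND16)
    unplaced = []
    for c in cipher:
        candidates = slots_by_high.get(c >> 8, [])
        if len(candidates) != 1:
            unplaced.append(c)      # high byte absent, or shared by two draws: ambiguous
            continue
        i = candidates[0]
        recovered[i] = (c ^ RAND16[i]) & 0xFF
    return recovered, unplaced


if __name__ == "__main__":
    ct = scramble(b"h1gh_byt3_tr1ck!")
    chars, left = unscramble(ct)
    print(bytes(chars), left)
```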

Putting it together: GWHT{r3_1S_s0_fuNny_d0_YoU_1ik3_t0o}

Shedding tears at how weak I am; another master has already posted a detailed writeup, https://bbs.pediy.com/thread-269328.htm, tql, tql. Time to learn some more advanced stuff.

 
import base64
 
t=[]
encstr = 'H>oQn6aqLr{DH6odhdm0dMe`MBo?lRglHtGPOdobDlknejmGI|ghDb<4'
xor = [0xa6, 0xa3, 0xa9, 0xac]
for i in range(len(encstr)):
    t.append(ord(encstr[i]) ^ xor[i % 4])
t[-1] = 0xE4  # the last char is '4', which is padding, so just replace it with a table entry
base1 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
 
base = [0xE4, 0xC4, 0xE7, 0xC7, 0xE6, 0xC6, 0xE1, 0xC1, 0xE0, 0xC0,
        0xE3, 0xC3, 0xE2, 0xC2, 0xED, 0xCD, 0xEC, 0xCC, 0xEF, 0xCF,
        0xEE, 0xCE, 0xE9, 0xC9, 0xE8, 0xC8, 0xEB, 0xCB, 0xEA, 0xCA,
        0xF5, 0xD5, 0xF4, 0xD4, 0xF7, 0xD7, 0xF6, 0xD6, 0xF1, 0xD1,
        0xF0, 0xD0, 0xF3, 0xD3, 0xF2, 0xD2, 0xFD, 0xDD, 0xFC, 0xDC,
        0xFF, 0xDF, 0x95, 0x9C, 0x9D, 0x92, 0x93, 0x90, 0x91, 0x96,
        0x97, 0x94, 0x8A, 0x8E]
ans = ''
for i in t:
    ans += base1[base.index(i)]
print(ans)
print(base64.b64decode(ans))
#SangFor{XSAYT0u5DQhaxveIR50X1U13M-pZK5A0}
 
#include<stdio.h>

/* Brute force the 16-bit value a for which b = (a - 0x9393) & 0xffff
   satisfies a * b == 0xE5FD104. unsigned keeps the 32-bit wraparound
   of the product defined (with int it overflows, which is undefined). */
int main()
{
    unsigned int a, b;

    for (a = 0; a <= 0xffff; a++)
    {
        b = (a - 0x9393) & 0xffff;
        if (a * b == 0xE5FD104)
        {
            printf("%X %X\n", a, b);
        }
    }
    return 0;
}
 
#include<stdio.h>

/* Assemble the 4-byte little-endian immediate stored one byte per array
   element starting at opcode[pos] (0x71, 0x80 and 0xC2 carry one). */
static unsigned int imm32(const int *opcode, int pos)
{
    return (unsigned int)opcode[pos] | (unsigned int)opcode[pos + 1] << 8 |
           (unsigned int)opcode[pos + 2] << 16 | (unsigned int)opcode[pos + 3] << 24;
}

int main()
{
    int opcode[]={ 0xA1, 0xC1, 0x00, 0xB1, 0x77, 0xC2, 0x4A, 0x01, 0x00, 0x00,
  0xC1, 0x01, 0xB2, 0x77, 0xC2, 0x19, 0x01, 0x00, 0x00, 0xC1,
  0x02, 0xB4, 0x77, 0xC2, 0xDD, 0x01, 0x00, 0x00, 0xC1, 0x03,
  0xB3, 0x77, 0xC2, 0x0F, 0x01, 0x00, 0x00, 0xC1, 0x04, 0xB2,
  0x77, 0xC2, 0x1B, 0x01, 0x00, 0x00, 0xC1, 0x05, 0xB4, 0x77,
  0xC2, 0x89, 0x01, 0x00, 0x00, 0xC1, 0x06, 0xB1, 0x77, 0xC2,
  0x19, 0x01, 0x00, 0x00, 0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x54,
  0x01, 0x00, 0x00, 0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x4F, 0x01,
  0x00, 0x00, 0xC1, 0x09, 0xB1, 0x77, 0xC2, 0x4E, 0x01, 0x00,
  0x00, 0xC1, 0x0A, 0xB3, 0x77, 0xC2, 0x55, 0x01, 0x00, 0x00,
  0xC1, 0x0B, 0xB3, 0x77, 0xC2, 0x56, 0x01, 0x00, 0x00, 0xC1,
  0x0C, 0xB4, 0x77, 0xC2, 0x8E, 0x00, 0x00, 0x00, 0xC1, 0x0D,
  0xB2, 0x77, 0xC2, 0x49, 0x00, 0x00, 0x00, 0xC1, 0x0E, 0xB3,
  0x77, 0xC2, 0x0E, 0x01, 0x00, 0x00, 0xC1, 0x0F, 0xB1, 0x77,
  0xC2, 0x4B, 0x01, 0x00, 0x00, 0xC1, 0x10, 0xB3, 0x77, 0xC2,
  0x06, 0x01, 0x00, 0x00, 0xC1, 0x11, 0xB3, 0x77, 0xC2, 0x54,
  0x01, 0x00, 0x00, 0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x1A, 0x00,
  0x00, 0x00, 0xC1, 0x13, 0xB1, 0x77, 0xC2, 0x42, 0x01, 0x00,
  0x00, 0xC1, 0x14, 0xB3, 0x77, 0xC2, 0x53, 0x01, 0x00, 0x00,
  0xC1, 0x15, 0xB1, 0x77, 0xC2, 0x1F, 0x01, 0x00, 0x00, 0xC1,
  0x16, 0xB3, 0x77, 0xC2, 0x52, 0x01, 0x00, 0x00, 0xC1, 0x17,
  0xB4, 0x77, 0xC2, 0xDB, 0x00, 0x00, 0x00, 0xC1, 0x18, 0xB1,
  0x77, 0xC2, 0x19, 0x01, 0x00, 0x00, 0xC1, 0x19, 0xB4, 0x77,
  0xC2, 0xD9, 0x00, 0x00, 0x00, 0xC1, 0x1A, 0xB1, 0x77, 0xC2,
  0x19, 0x01, 0x00, 0x00, 0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x55,
  0x01, 0x00, 0x00, 0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x19, 0x00,
  0x00, 0x00, 0xC1, 0x1D, 0xB3, 0x77, 0xC2, 0x00, 0x01, 0x00,
  0x00, 0xC1, 0x1E, 0xB1, 0x77, 0xC2, 0x4B, 0x01, 0x00, 0x00,
  0xC1, 0x1F, 0xB2, 0x77, 0xC2, 0x1E, 0x00, 0x00, 0x00, 0xC1,
  0x20, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x23, 0x10, 0xC1,
  0x21, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x23, 0xF7, 0xC1,
  0x22, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x23, 0xF7, 0xC1,
  0x23, 0xF7, 0xFE, 0x80, 0x02, 0x05, 0x00, 0x00, 0x00, 0x22,
  0x77, 0x10, 0x80, 0x02, 0x07, 0x00, 0x00, 0x00, 0x23, 0x80,
  0x02, 0x23, 0x77, 0xF1, 0x98, 0x31, 0x77, 0x10, 0x80, 0x02,
  0x18, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x20, 0xB9, 0xE4,
  0x35, 0x31, 0x77, 0x10, 0x80, 0x02, 0x12, 0x00, 0x00, 0x00,
  0x22, 0x77, 0xA0, 0xC1, 0x24, 0x80, 0x02, 0x18, 0x00, 0x00,
  0x00, 0x23, 0x10, 0xC1, 0x25, 0x80, 0x02, 0x10, 0x00, 0x00,
  0x00, 0x23, 0xF7, 0xC1, 0x26, 0x80, 0x02, 0x08, 0x00, 0x00,
  0x00, 0x23, 0xF7, 0xC1, 0x27, 0xF7, 0xFE, 0x32, 0x20, 0x43,
  0x33, 0x77, 0x80, 0x02, 0x11, 0x00, 0x00, 0x00, 0x22, 0x35,
  0x37, 0x38, 0x77, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x23,
  0x77, 0x38, 0x39, 0x10, 0x32, 0x20, 0x43, 0x33, 0x77, 0x80,
  0x02, 0x11, 0x00, 0x00, 0x00, 0x22, 0x35, 0x37, 0x38, 0x77,
  0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x23, 0x77, 0x38, 0x39,
  0xC7, 0xC1, 0x28, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x23,
  0x10, 0xC1, 0x29, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x23,
  0xF7, 0xC1, 0x2A, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x23,
  0xF7, 0xC1, 0x2B, 0xF7, 0xFE, 0x32, 0x20, 0x43, 0x33, 0x77,
  0x80, 0x02, 0x11, 0x00, 0x00, 0x00, 0x22, 0x35, 0x37, 0x38,
  0x77, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x23, 0x77, 0x38,
  0x39, 0x10, 0x32, 0x20, 0x43, 0x33, 0x77, 0x80, 0x02, 0x11,
  0x00, 0x00, 0x00, 0x22, 0x35, 0x37, 0x38, 0x77, 0x80, 0x02,
  0x0D, 0x00, 0x00, 0x00, 0x23, 0x77, 0x38, 0x39, 0xC8, 0x99};
  int i=0;
  while ( 1 )
  {
    if ( opcode[i] == 0x71 )
    {
      printf("table[6] -= 4\n");
      printf("*table[6] = 0x%x\n", imm32(opcode, i + 1));
      i += 5;
    }
    if ( opcode[i]  == 0x41 )
    {
      printf("table[1] += table[2]\n");
      ++i;
    }
    if ( opcode[i]  == 0x42 )
    {
      printf("table[1] -= table[4];\n");
      ++i;
    }
    if ( opcode[i]  == 0x43 )
    {
      printf("table[1] *= table[3];\n");
      ++i;
    }
    if ( opcode[i]  == 0x37 )
    {
 
      printf("table[1] = table[5];\n");
      ++i;
    }
    if ( opcode[i]  == 0x38 )
    {
      printf("table[1] ^= table[4];\n");
      ++i;
    }
    if ( opcode[i]  == 0x39 )
    {
      printf("table[1] ^= table[5];\n");
      ++i;
    }
    if ( opcode[i]  == 0x35 )
    {
      printf("table[5] = table[1];\n");
      ++i;
    }
    if ( opcode[i]  == 0xF7 )
    {
     printf("table[9] += table[1];\n");
      ++i;
    }
    if ( opcode[i]  == 0x44 )
    {
      printf("table[1] /= table[5];\n");
      ++i;
    }
    if ( opcode[i]  == 0x80 )
    {
      /* 0x80 0x02 imm32: reading *(unsigned int*)&opcode[i+2] only gave one int element */
      printf("table[2] = 0x%x\n", imm32(opcode, i + 2));
      i += 6;
    }
    if ( opcode[i]  == 0x77 )
    {
      printf("table[1] ^= table[9];\n");
      ++i;
    }
    if ( opcode[i]  == 0x53 )
    {
      printf("(sub_8048580)(*table[3]);\n");
      i += 2;
    }
    if ( opcode[i]  == 0x22 )
    {
      printf("table[1] >>= table[2];\n");
      ++i;
    }
    if ( opcode[i]  == 0x23 )
    {
         printf("table[1] <<= table[2];\n");
      ++i;
    }
    if ( opcode[i]  == 0x99 )
    {
        printf("out\n");
        break;
    }
 
    if ( opcode[i]  == 0x76 )
    {
      printf("table[3] = *table[6];\n");
      printf("*table[6] = 0;\n");
      printf("table[6] += 4;\n");
      i += 5;
    }
    if ( opcode[i]  == 0x54 )
    {
      printf("v6 = table[3];\n");
      printf("*v6 = sub_8048520();\n");
      i += 2;
    }
    if ( opcode[i]  == 0x30 )
    {
      printf("table[1] |= table[2];\n");
      ++i;
    }
    if ( opcode[i] == 0x31 )
    {
      printf("table[1] &= table[2];\n");
      ++i;
    }
    if ( opcode[i]  == 0x32 )
    {
      printf("table[3] = 0x%x\n",opcode[i+1]) ;
      i += 2;
    }
    if ( opcode[i]  == 9 )
    {
      printf("table[1] = 1877735783;\n");
      ++i;
    }
    if ( opcode[i]  == 0x10 )
    {
      printf("table[9] = table[1];\n");
      ++i;
    }
    if ( opcode[i]  == 0x33 )
    {
      printf("table[4] = table[1]\n");
      ++i;
    }
    if ( opcode[i]  == 0x34 )
    {
      printf("table[2] = 0x%x;\n",opcode[i+1]);
      i += 2;
    }
    if ( opcode[i]  == 0xFE )
    {
      printf("table[1] = table[9];\n");
      ++i;
    }
    if ( opcode[i]  == 0x11 )
    {
      printf("(sub_8048510)(&unk_8049340, table[1])\n");
      ++i;
    }
    if ( opcode[i]  == 0xA0 )
    {
      printf("if ( table[1] != 1877735783 )\nexit\n\n");
      ++i;
    }
    if ( opcode[i]  == 0xA1 )
    {
        printf("read\n");
      ++i;
    }
    if ( opcode[i]  == 0xB1 )
    {
      printf("table[9] = xor[0]\n");
      ++i;
    }
    if ( opcode[i]  == 0xB2 )
    {
      printf("table[9] = xor[1];\n");
      ++i;
    }
    if ( opcode[i]  == 0xA4 )
    {
      printf("xor[*(table[8] + 1)] = table[1];\n");
      i += 4;
    }
    if ( opcode[i]  == 0xB3 )
    {
     printf("table[9] = xor[2];\n");
      ++i;
    }
    if ( opcode[i] == 0xB4 )
    {
      printf("table[9] = xor[3];\n");
      ++i;
    }
    if ( opcode[i]  == 0xC1 )
    {
      printf("table[1] = flag[%d];\n",opcode[i+1]);
      i += 2;
    }
    if ( opcode[i]  == 0xC7 )
    {
         printf("dword_804B060 != table[1]\n\n");
      ++i;
    }
    if ( opcode[i]  == 0xC8 )
    {
         printf("dword_804B064 != table[1]\n\n");
      ++i;
    }
    if ( opcode[i]  == 0xC2 )
    {
      /* 4-byte compare value; printing opcode[i+1] alone drops the high byte (e.g. 0x14A) */
      printf("if ( 0x%x != table[1] )\n\n", imm32(opcode, i + 1));
      i+= 5;
    }
  }
}
Latest replies (6)
2
This VM can just be run straight through angr in one go.
2021-9-15 21:17
3
无名侠
2021-9-15 23:26
4
Master, how exactly is the dump for password2 done?
2023-5-8 22:55
5
mb_exfldpnt: Master, how exactly is the dump for password2 done?
Method 1: extract the 0x4A0 bytes that WriteProcessMemory is going to write and the start address it writes to, then edit the exe by hand with a binary editor such as HxD or 010 Editor.
Method 2: after the parent process has executed WriteProcessMemory, use a tool such as HRSword or Process Explorer to select the child process, right-click, dump its memory, then load the dump into IDA and look at the modified part.
2023-5-8 23:49
6
On the Safe Box challenge: Master, for method 1 do you also have to wait until WriteProcessMemory has executed, take the modified content, determine the start address and size, and then change it by hand in the exe? I've been at it for ages and still can't get it to work, too weak.
2023-5-10 15:42
7
zxk1ng: On the Safe Box challenge: Master, for method 1 do you also have to wait until WriteProcessMemory has executed, take the modified content, determine the start address and size, and then change it by hand in the exe? I've been at it for ages and still can't get it to work, too weak.
Actually, before the function executes you can look at the arguments passed to it, i.e. the registers in the disassembly view, to get the content to be written, its length, and the address being written to; after the function executes those registers may well have changed, so it's better to grab them beforehand. The write address may also need some care; an RVA-to-raw-offset conversion should be involved. Of course, you could also locate it by searching for a binary signature.
2023-5-13 12:56