[原创]强网杯MINIRE
发表于: 2024-11-11 20:18 4439


有upx壳,并且把upx改为gcc了

两种解法：一种是 hook 运算操作、尝试还原算法，我比赛时用的就是这种，但这题的校验非常难找，导致比赛时一直没找到；另一种是单字节爆破。

脱壳后，按 F5 发现无法反编译

但是 Ghidra 可以反编译，它没有这种栈限制

对应地在各个运算的位置下断点，很容易就能得到加密逻辑

这里打印的时候可以格式化一下,便于后续写脚本,因为没想到能直接写z3()

参考 0xcafebabe 师傅题解中给出的脚本格式，会非常方便地转成 z3，但这里需要看出 eax - 46 就是 index

接着就是找密文或校验逻辑了，但比赛时在这里卡了一下午ww

后来把多个点全部 hook，并根据已知正确的前五个字符 'flag{' 的加密结果，可以发现它的读取方式

image-20241111201150608

image-20241111201137045

猜测应该是存于某一个连续内存的,hook方式如下

image-20241111201359214

通过上述脚本可以断在特定位置，跟进一下后发现以下内存块存储了 enc

image-20241111153105992

然后即可用z3解了

脚本可参考https://blog.hxzzz.asia/,属实是懒得写z3了

比赛的时候原本是想用这种方法的，但看到波动范围比较大就没用，赛后试了一下发现没问题

插桩点分别是 handler 与数据清理处

image-20241111200055097

hook.js

brute.py

// Ghidra decompilation of one opcode handler in the VM's text-bytecode
// interpreter. Fragment only: the enclosing function/switch starts before
// this case, and the closing braces of the 0x6a case, the inner switch and
// this case are cut off after the last line shown.
case 'X':
  local_20 = 0;
  // Copy the bytes that follow 'X' into a stack buffer until the next 'x'.
  // No upper bound on local_20 is visible: a record without a terminating
  // 'x', or an over-long one, would run past the buffer. That only matters
  // if the bytecode stream is ever attacker-controlled; here it is
  // presumably embedded in the binary -- confirm.
  while (local_1c = local_1c + 1, *(char *)(param_1 + local_1c) != 'x') {
    (&stack0xffffffffffc24328)[local_20] = *(undefined *)(param_1 + local_1c);
    local_20 = local_20 + 1;
  }
  // NUL-terminate; buffer[0] is the opcode byte, buffer+1 the operand text.
  (&stack0xffffffffffc24328)[local_20] = 0;
  // Need at least an opcode byte plus one operand byte.
  if (1 < local_20) {
    if (in_stack_ffffffffffc24328 != 'V') {
      // Walk local_24 over the run of ASCII digits ('0'..'9') after the
      // opcode. The body is empty and local_24 is not read anywhere in this
      // fragment, so the scan has no visible effect here.
      for (local_24 = 1;
          ((local_24 < local_20 && ('/' < (char)(&stack0xffffffffffc24328)[local_24])) &&
          ((char)(&stack0xffffffffffc24328)[local_24] < ':')); local_24 = local_24 + 1) {
      }
    }
    // The opcode byte selects the operation. DAT_005175a0 is the VM's byte
    // array, DAT_00768090 the index of the cell being updated, and
    // FUN_00405c10 converts the operand text (buffer + 1) to a number --
    // presumably a decimal parse, given the digit scan above; not shown here.
    // DAT_00768094 is reloaded into iVar6 after every operation; its role is
    // not visible in this fragment.
    iVar7 = (int)in_stack_ffffffffffc24328;
    if (iVar7 == 0x20) {
      // ' ' : cell ^= operand
      bVar1 = (&DAT_005175a0)[DAT_00768090];
      bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
      (&DAT_005175a0)[DAT_00768090] = bVar1 ^ bVar5;
      iVar6 = DAT_00768094;
    }
    // The 0x1f test is redundant given the 0x40 test; the effective range is
    // 'A'..'j' (0x41..0x6a). Ghidra's cVar/bVar naming suggests the
    // arithmetic cases work on signed char and the bitwise ones on an
    // unsigned byte -- verify against the disassembly.
    else if (((0x1f < iVar7) && (iVar7 < 0x6b)) && (0x40 < iVar7)) {
      switch(iVar7) {
      case 0x41:
        // 'A' : cell *= operand
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 * cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x4a:
        // 'J' : cell += operand, only when the operand is non-zero. The
        // operand text is parsed twice (once for the test, once for the
        // add); compare '_' below, which adds unconditionally.
        iVar7 = FUN_00405c10(&stack0xffffffffffc24329);
        iVar6 = DAT_00768094;
        if (iVar7 != 0) {
          cVar2 = (&DAT_005175a0)[DAT_00768090];
          cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
          (&DAT_005175a0)[DAT_00768090] = cVar2 + cVar4;
          iVar6 = DAT_00768094;
        }
        break;
      case 0x51:
        // 'Q' : cell -= operand
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 - cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x54:
        // 'T' : cell |= operand
        bVar1 = (&DAT_005175a0)[DAT_00768090];
        bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = bVar1 | bVar5;
        iVar6 = DAT_00768094;
        break;
      case 0x55:
        // 'U' : cell = operand (load immediate)
        uVar3 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = uVar3;
        iVar6 = DAT_00768094;
        break;
      case 0x5f:
        // '_' : cell += operand (same arithmetic as 'J', without the zero guard)
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 + cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x61:
        // 'a' : cell /= operand, only when the operand is non-zero (the
        // guard avoids a divide-by-zero trap); byte division.
        iVar7 = FUN_00405c10(&stack0xffffffffffc24329);
        iVar6 = DAT_00768094;
        if (iVar7 != 0) {
          bVar1 = (&DAT_005175a0)[DAT_00768090];
          bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
          (&DAT_005175a0)[DAT_00768090] = bVar1 / bVar5;
          iVar6 = DAT_00768094;
        }
        break;
      case 0x6a:
        // 'j' : cell &= operand (the break and closing braces are cut off
        // after the last line shown)
        bVar1 = (&DAT_005175a0)[DAT_00768090];
        bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = bVar1 & bVar5;
        iVar6 = DAT_00768094;
// Ghidra decompilation of one opcode handler in the VM's text-bytecode
// interpreter. Fragment only: the enclosing function/switch starts before
// this case, and the closing braces of the 0x6a case, the inner switch and
// this case are cut off after the last line shown.
case 'X':
  local_20 = 0;
  // Copy the bytes that follow 'X' into a stack buffer until the next 'x'.
  // No upper bound on local_20 is visible: a record without a terminating
  // 'x', or an over-long one, would run past the buffer. That only matters
  // if the bytecode stream is ever attacker-controlled; here it is
  // presumably embedded in the binary -- confirm.
  while (local_1c = local_1c + 1, *(char *)(param_1 + local_1c) != 'x') {
    (&stack0xffffffffffc24328)[local_20] = *(undefined *)(param_1 + local_1c);
    local_20 = local_20 + 1;
  }
  // NUL-terminate; buffer[0] is the opcode byte, buffer+1 the operand text.
  (&stack0xffffffffffc24328)[local_20] = 0;
  // Need at least an opcode byte plus one operand byte.
  if (1 < local_20) {
    if (in_stack_ffffffffffc24328 != 'V') {
      // Walk local_24 over the run of ASCII digits ('0'..'9') after the
      // opcode. The body is empty and local_24 is not read anywhere in this
      // fragment, so the scan has no visible effect here.
      for (local_24 = 1;
          ((local_24 < local_20 && ('/' < (char)(&stack0xffffffffffc24328)[local_24])) &&
          ((char)(&stack0xffffffffffc24328)[local_24] < ':')); local_24 = local_24 + 1) {
      }
    }
    // The opcode byte selects the operation. DAT_005175a0 is the VM's byte
    // array, DAT_00768090 the index of the cell being updated, and
    // FUN_00405c10 converts the operand text (buffer + 1) to a number --
    // presumably a decimal parse, given the digit scan above; not shown here.
    // DAT_00768094 is reloaded into iVar6 after every operation; its role is
    // not visible in this fragment.
    iVar7 = (int)in_stack_ffffffffffc24328;
    if (iVar7 == 0x20) {
      // ' ' : cell ^= operand
      bVar1 = (&DAT_005175a0)[DAT_00768090];
      bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
      (&DAT_005175a0)[DAT_00768090] = bVar1 ^ bVar5;
      iVar6 = DAT_00768094;
    }
    // The 0x1f test is redundant given the 0x40 test; the effective range is
    // 'A'..'j' (0x41..0x6a). Ghidra's cVar/bVar naming suggests the
    // arithmetic cases work on signed char and the bitwise ones on an
    // unsigned byte -- verify against the disassembly.
    else if (((0x1f < iVar7) && (iVar7 < 0x6b)) && (0x40 < iVar7)) {
      switch(iVar7) {
      case 0x41:
        // 'A' : cell *= operand
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 * cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x4a:
        // 'J' : cell += operand, only when the operand is non-zero. The
        // operand text is parsed twice (once for the test, once for the
        // add); compare '_' below, which adds unconditionally.
        iVar7 = FUN_00405c10(&stack0xffffffffffc24329);
        iVar6 = DAT_00768094;
        if (iVar7 != 0) {
          cVar2 = (&DAT_005175a0)[DAT_00768090];
          cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
          (&DAT_005175a0)[DAT_00768090] = cVar2 + cVar4;
          iVar6 = DAT_00768094;
        }
        break;
      case 0x51:
        // 'Q' : cell -= operand
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 - cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x54:
        // 'T' : cell |= operand
        bVar1 = (&DAT_005175a0)[DAT_00768090];
        bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = bVar1 | bVar5;
        iVar6 = DAT_00768094;
        break;
      case 0x55:
        // 'U' : cell = operand (load immediate)
        uVar3 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = uVar3;
        iVar6 = DAT_00768094;
        break;
      case 0x5f:
        // '_' : cell += operand (same arithmetic as 'J', without the zero guard)
        cVar2 = (&DAT_005175a0)[DAT_00768090];
        cVar4 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = cVar2 + cVar4;
        iVar6 = DAT_00768094;
        break;
      case 0x61:
        // 'a' : cell /= operand, only when the operand is non-zero (the
        // guard avoids a divide-by-zero trap); byte division.
        iVar7 = FUN_00405c10(&stack0xffffffffffc24329);
        iVar6 = DAT_00768094;
        if (iVar7 != 0) {
          bVar1 = (&DAT_005175a0)[DAT_00768090];
          bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
          (&DAT_005175a0)[DAT_00768090] = bVar1 / bVar5;
          iVar6 = DAT_00768094;
        }
        break;
      case 0x6a:
        // 'j' : cell &= operand (the break and closing braces are cut off
        // after the last line shown)
        bVar1 = (&DAT_005175a0)[DAT_00768090];
        bVar5 = FUN_00405c10(&stack0xffffffffffc24329);
        (&DAT_005175a0)[DAT_00768090] = bVar1 & bVar5;
        iVar6 = DAT_00768094;
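import ida_dbg

# IDA breakpoint script for the XOR handler: prints which input byte is
# being XORed and with what, in a form that can be pasted into a z3 script.
#
# The original printed f"x[{value}]..." but never defined `value` (the index
# is computed into `index`), so it raised NameError at the breakpoint.
# It also read RAX through ida_dbg.get_reg_value while reading EDX through
# ida_dbg.get_reg_val; the latter is the name used everywhere else in this
# write-up, so both reads use it here.
#
# NOTE(review): the write-up text says "eax - 46" (decimal) while this script
# subtracts 0x46 -- confirm which offset is correct before relying on the
# trace.
index = ida_dbg.get_reg_val("RAX") - 0x46
# The XOR operand is in EDX (the original comment mentioned R8D, which is
# not what the code reads).
edx_value = ida_dbg.get_reg_val("EDX")
print(f"x[{index}]^= 0x{edx_value:X}")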
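import ida_dbg

# IDA breakpoint script for the XOR handler: prints which input byte is
# being XORed and with what, in a form that can be pasted into a z3 script.
#
# The original printed f"x[{value}]..." but never defined `value` (the index
# is computed into `index`), so it raised NameError at the breakpoint.
# It also read RAX through ida_dbg.get_reg_value while reading EDX through
# ida_dbg.get_reg_val; the latter is the name used everywhere else in this
# write-up, so both reads use it here.
#
# NOTE(review): the write-up text says "eax - 46" (decimal) while this script
# subtracts 0x46 -- confirm which offset is correct before relying on the
# trace.
index = ida_dbg.get_reg_val("RAX") - 0x46
# The XOR operand is in EDX (the original comment mentioned R8D, which is
# not what the code reads).
edx_value = ida_dbg.get_reg_val("EDX")
print(f"x[{index}]^= 0x{edx_value:X}")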
import ida_dbg

# IDA breakpoint script for one of the two instrumentation points named in
# the write-up (handler / data-cleanup): dumps EAX at the "case 69" handler
# as an upper-case hex literal. Which of the two points this belongs to is
# not stated next to the snippet.
eax = ida_dbg.get_reg_val("EAX")
print("case 69: 0x{:X}".format(eax))
import ida_dbg
# Reads EAX at the breakpoint. In this fragment the value is read but never
# printed or otherwise used; it looks like a truncated copy of the snippet
# above, which goes on to print it as "case 69: 0x...".
EAX_value = ida_dbg.get_reg_val("EAX")

