baby_re

Running the file directly just prints "nope".

The code is full of useless anti-debugging code; in the end one function turned out to matter, and it has two distinguishing features.

The "nope" output comes from this function. The function reads a file: it opens a file named "nothing". So I manually created a file named "nothing", wrote some arbitrary content into it, and ran the exe again. The content was indeed encrypted, but the last few bytes were left intact, which looks like ECB mode with 16-byte blocks.

At this point I set RIP directly to this function and found that it still worked without any problem, confirming that the rest of the code is all anti-debugging and can simply be NOPed out.

The main work is reversing sub_140002B60; there is not much to say about it, it is the usual routine.

The Python is as follows:

target = [0xb, 0xe8, 0xa3, 0xd6, 0xf7, 0x19, 0x19, 0x4c, 0x12, 0x42, 0x0, 0x54, 0x3d, 0x41, 0xbb, 0x16, 0xe5, 0x6a, 0x87, 0xec, 0xd0, 0xeb, 0xfa, 0x62, 0x3d, 0xce, 0x61, 0x1e, 0xe, 0xc9, 0x11, 0xed, 0x68, 0x74, 0x3f, 0x7d, ]  # ciphertext dumped from the output file
# target = [0x62, 0x3f, 0xc6, 0x1f, 0xca, 0x03, 0x0b, 0xae, 0xe2, 0x05, 0xf8, 0xf7, 0xe1, 0xe1, 0x81, 0x46]  # an earlier test ciphertext
plain = [48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102, ]  # "0123456789abcdef", the test input
keyPool = [0xface, 0xdead, 0xbabe, 0xd00d]  # the four 32-bit key words used by the round function
magic = 0x61c88647  # subtracted from the running sum each round (mod 2**32 this is adding 0x9e3779b9)

# Running sum at the start of each of the 32 rounds, and after each round's update.
before_array = [0, 2654435769, 1013904242, 3668340011, 2027808484, 387276957, 3041712726, 1401181199, 4055616968, 2415085441, 774553914, 3428989683, 1788458156, 147926629, 2802362398, 1161830871, 3816266640, 2175735113, 535203586, 3189639355, 1549107828, 4203543597, 2563012070, 922480543, 3576916312, 1936384785, 295853258, 2950289027, 1309757500, 3964193269, 2323661742, 683130215]
after_array = [2654435769, 1013904242, 3668340011, 2027808484, 387276957, 3041712726, 1401181199, 4055616968, 2415085441, 774553914, 3428989683, 1788458156, 147926629, 2802362398, 1161830871, 3816266640, 2175735113, 535203586, 3189639355, 1549107828, 4203543597, 2563012070, 922480543, 3576916312, 1936384785, 295853258, 2950289027, 1309757500, 3964193269, 2323661742, 683130215, 3337565984]

print(len(before_array))
print(len(after_array))

# Forward (encryption) direction, traced on the test input: the first 8 bytes
# form two little-endian 32-bit words, `right` (bytes 0-3) and `left` (bytes 4-7).
before = 0
after = 0
right = plain[0] | (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24)
left = plain[0 + 4] | (plain[1 + 4] << 8) | (plain[2 + 4] << 16) | (plain[3 + 4] << 24)

print(hex(left), hex(right))
for i in range(0x20):
    adder1 = (before + keyPool[after & 3]) ^ (left + (16 * left ^ (left >> 5)))
    adder1 &= 0xffffffff
    right += adder1
    right &= 0xffffffff
    before -= magic
    before &= 0xffffffff
    after = before
    adder2 = (before + keyPool[(before >> 11) & 3]) ^ (right + (16 * right ^ (right >> 5)))
    adder2 &= 0xffffffff
    left += adder2
    left &= 0xffffffff
    print(hex(left), hex(right), hex(adder1), hex(adder2), hex(before))
print(hex(left), hex(right))

print("====================================")

target_left = 0xae0b03ca
target_right = 0x1fc63f62

# Inverse direction: undo the 32 rounds in reverse order for each 8-byte block
# of the dumped ciphertext; the trailing 4 bytes were never encrypted.
for j in range(4):
    target_right = target[0 + j * 8] | (target[1 + j * 8] << 8) | (target[2 + j * 8] << 16) | (target[3 + j * 8] << 24)
    target_left = target[0 + 4 + j * 8] | (target[1 + 4 + j * 8] << 8) | (target[2 + 4 + j * 8] << 16) | (target[3 + 4 + j * 8] << 24)

    for i in range(0x20):
        before = after_array[0x20 - i - 1]
        after = before_array[0x20 - i - 1]
        sub1 = (before + keyPool[(before >> 11) & 3]) ^ (target_right + (16 * target_right ^ (target_right >> 5)))
        sub1 &= 0xffffffff
        target_left -= sub1
        target_left &= 0xffffffff
        before += magic
        before &= 0xffffffff
        sub2 = (before + keyPool[after & 3]) ^ (target_left + (16 * target_left ^ (target_left >> 5)))
        sub2 &= 0xffffffff
        target_right -= sub2
        target_right &= 0xffffffff
        print(hex(target_left), hex(target_right), hex(sub2), hex(sub1))
    # print each recovered word as its little-endian bytes
    print(target_left.to_bytes(4, 'little').decode('latin-1'), target_right.to_bytes(4, 'little').decode('latin-1'))

# tf{t qwbc
# is_n his_
# hat_ ot_t
# _rig hard
# ht?}

# qwbctf{this_is_not_that_hard_right?}
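The round function the script above reverses is XTEA: the key pool is the 128-bit key, and subtracting 0x61c88647 from the running sum mod 2^32 is the same as adding the standard delta 0x9e3779b9, so the before_array/after_array tables are just i*delta. The following is an added example, not code from the original writeup or the challenge binary, that restates the cipher as a clean encrypt/decrypt pair over 8-byte little-endian blocks (the script's `right` is v0, `left` is v1). The ECB wrapper passes a trailing partial block through unchanged, which is an assumption based on the observation that the last few bytes of the output file were intact; the constant and function names are my own.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9                             # == (-0x61c88647) & MASK
KEY_POOL = [0xFACE, 0xDEAD, 0xBABE, 0xD00D]    # key words from the writeup
ROUNDS = 32


def _mix(v: int) -> int:
    """XTEA's inner term ((v << 4) ^ (v >> 5)) + v, truncated to 32 bits."""
    return (((v << 4) ^ (v >> 5)) + v) & MASK


def sum_schedule(rounds: int = ROUNDS) -> list:
    """Running sum at the start of each round (the writeup's before_array)."""
    return [(i * DELTA) & MASK for i in range(rounds)]


def xtea_encrypt_block(v0: int, v1: int, key=KEY_POOL) -> tuple:
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, key=KEY_POOL) -> tuple:
    s = (ROUNDS * DELTA) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
    return v0, v1


def _ecb(data: bytes, block_fn) -> bytes:
    """Apply block_fn to every full 8-byte block (two little-endian words).
    The partial tail is copied through unchanged (assumption: this matches the
    intact trailing bytes observed in the binary's output)."""
    out = bytearray()
    full = len(data) - len(data) % 8
    for off in range(0, full, 8):
        v0 = int.from_bytes(data[off:off + 4], "little")
        v1 = int.from_bytes(data[off + 4:off + 8], "little")
        r0, r1 = block_fn(v0, v1)
        out += r0.to_bytes(4, "little") + r1.to_bytes(4, "little")
    out += data[full:]
    return bytes(out)


def encrypt(data: bytes) -> bytes:
    return _ecb(data, xtea_encrypt_block)


def decrypt(data: bytes) -> bytes:
    return _ecb(data, xtea_decrypt_block)


# Ciphertext dumped from the output file (the writeup's `target`, 36 bytes).
CIPHERTEXT = bytes([
    0x0b, 0xe8, 0xa3, 0xd6, 0xf7, 0x19, 0x19, 0x4c, 0x12, 0x42, 0x00, 0x54,
    0x3d, 0x41, 0xbb, 0x16, 0xe5, 0x6a, 0x87, 0xec, 0xd0, 0xeb, 0xfa, 0x62,
    0x3d, 0xce, 0x61, 0x1e, 0x0e, 0xc9, 0x11, 0xed, 0x68, 0x74, 0x3f, 0x7d,
])

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT).decode())
```

Because the sum only ever depends on the round index, the two 32-entry tables in the script are not needed at all; `sum_schedule()` reproduces them, and a round-trip through `encrypt`/`decrypt` is the quickest check that the reversed round function was read off correctly.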

This article was first published on the 网安 wangan.com site.
