2021 湖湘杯 Reverse WP

Hideit

分析过程中感觉有点像在内存中直接加载并运行了一个PE文件,不过并未仔细看。根据控制台输入输出等特征,猜测应该是调用标准库IO进行输入输出的,可以直接在标准库函数内下一系列断点,发现最终可以在scanf内部断下来,跳出scanf函数后就直接进入加密函数了。
第一次输入是一个XTEA加密验证,key和密文在程序里都能直接拿到,解密即可。注意它的轮函数与标准XTEA不同(密钥下标取 (sum>>2)&3,混合运算用的是 x<<4 ^ x>>3 与 x>>5 ^ x<<2,并且一轮内两次更新共用同一个sum、轮末才减delta),所以不能直接套标准XTEA的解密实现,需要按反汇编逐句照抄写出逆运算。

#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>

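/*
 * Invert the challenge's modified XTEA round function, in place.
 *
 * This is NOT standard XTEA, so keep the arithmetic exactly as written (it
 * mirrors what the writeup recovered from the binary):
 *   - the key-word selector is (sum >> 2) & 3 and is shared by both halves
 *     of a round; sum is decremented only after the full round;
 *   - the mixing terms are (x << 4) ^ (x >> 3) and (x >> 5) ^ (x << 2);
 *   - sum and the key word are each XORed with the block word before the add.
 *
 * num_rounds  rounds the encryptor ran (32 for this challenge). 0 leaves v
 *             unchanged (the previous do/while wrapped around instead).
 * v           64-bit block as two 32-bit words, overwritten with plaintext.
 * key         128-bit key as four 32-bit words.
 */
void XTeaDecipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x9E3779B9u;
    uint32_t v0 = v[0], v1 = v[1];
    /* Encryption added delta once per round; start at the final sum and walk back. */
    uint32_t sum = delta * num_rounds;
    unsigned int r;

    for (r = 0; r < num_rounds; ++r) {
        /* Same key-word selector for both halves; uint32 wraparound is intended. */
        uint32_t k = (sum >> 2) & 3;

        v1 -= ((sum ^ v0) + (v0 ^ key[k ^ 1])) ^
              (((v0 << 4) ^ (v0 >> 3)) + ((v0 >> 5) ^ (v0 << 2)));
        v0 -= ((sum ^ v1) + (v1 ^ key[k])) ^
              (((v1 << 4) ^ (v1 >> 3)) + ((v1 >> 5) ^ (v1 << 2)));
        sum -= delta;
    }

    v[0] = v0;
    v[1] = v1;
}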


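/*
 * Hideit, stage 1: decrypt the 8-byte block found in the binary with the key
 * found next to it and print it as text.
 * Returns 0.
 */
int main(void)
{
    /* Ciphertext words as extracted; the trailing 0 keeps the buffer
     * NUL-terminated when it is read as a C string. */
    uint32_t enc[] = { 0x1130BE1B, 0x63747443, 0 };
    const uint32_t key[] = { 0x72, 0x202, 0x13, 0x13 };

    XTeaDecipher(32, enc, key); /* -> { 0x69746f64, 0x74697374 } */

    /* The words spell ASCII when read byte-wise on a little-endian host (the
     * challenge is an x86 Windows binary). Bound the print to the 8 payload
     * bytes instead of relying on the sentinel word alone. */
    printf("%.8s\n", (const char *)enc); /* dotitsit */

    return 0;
}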

第二层当时以为是一个哈希加密,似乎是MD5算法结合了一些额外的操作,以至于输出结果并不像正常MD5。这里一共要求32个字节的输入数据,随后输出32个字节的加密数据,再比较密文,但令人困惑的是这里并没有获取输入。经过对算法的黑盒分析,每个位置的字节都有一一映射,所以可以直接枚举出可见字符在每个位置上的映射,将密文映射回去。(这里纠正一下,赛后看其他师傅的WP发现是ChaCha20,当时看得太快并未仔细看,后面经过算法的黑盒分析发现了这个输入输出特征,虽然有点疑惑哈希算法为什么会存在单字节的变换,但没多想。事后看这个特征正是流密码的性质:ChaCha20的密文是明文与密钥流逐字节异或,密钥流只取决于key/nonce/计数器而与明文无关,所以每个位置都是一个独立的单字节映射;真正的哈希函数不会有这种性质。)

import hashlib
import string
# The 32 bytes the program compares the stage-2 output against, one byte per
# input position (positions are independent of each other, see `table`).
enc = [
  0xEB, 0x8E, 0x5C, 0xA5, 0x62, 0xB4, 0x1C, 0x84, 0x5C, 0x59,
  0xFC, 0x0D, 0x43, 0x3C, 0xAB, 0x20, 0xD8, 0x93, 0x33, 0x13,
  0xA1, 0x9E, 0x39, 0x00, 0x76, 0x14, 0xB5, 0x04, 0x58, 0x9D,
  0x06, 0xB8
]
# Observed stage-2 output for each candidate character: table[n] is the 32-byte
# output recorded when the input was the n-th character of the alphabet
# digits + lowercase + uppercase + "{}_@" (66 rows), presumably gathered by
# feeding that character at every position — TODO confirm how the rows were
# collected. Since every output byte depends only on the input byte at the same
# position, table[n][i] == enc[i] identifies the i-th flag character.
# Note: the '{' row (index 62) and the '@' row (index 65) both start with 0xAA,
# so position 0 cannot distinguish those two characters; enc[0] is 0xEB, so the
# lookup for this challenge is not affected.
table = [
[0XBD,0xD2,0x0D,0xF2,0x29,0xC2,0x1D,0xFA,0x28,0x24,0xFF,0x62,0x47,0x6A,0xAC,0x23,0x9A,0xFC,0x34,0x6B,0xA2,0xF1,0x3C,0x58,0x75,0x68,0xC9,0x77,0x58,0xE9,0x05,0xF5],
[0XBC,0xD3,0x0C,0xF3,0x28,0xC3,0x1C,0xFB,0x29,0x25,0xFE,0x63,0x46,0x6B,0xAD,0x22,0x9B,0xFD,0x35,0x6A,0xA3,0xF0,0x3D,0x59,0x74,0x69,0xC8,0x76,0x59,0xE8,0x04,0xF4],
[0XBF,0xD0,0x0F,0xF0,0x2B,0xC0,0x1F,0xF8,0x2A,0x26,0xFD,0x60,0x45,0x68,0xAE,0x21,0x98,0xFE,0x36,0x69,0xA0,0xF3,0x3E,0x5A,0x77,0x6A,0xCB,0x75,0x5A,0xEB,0x07,0xF7],
[0XBE,0xD1,0x0E,0xF1,0x2A,0xC1,0x1E,0xF9,0x2B,0x27,0xFC,0x61,0x44,0x69,0xAF,0x20,0x99,0xFF,0x37,0x68,0xA1,0xF2,0x3F,0x5B,0x76,0x6B,0xCA,0x74,0x5B,0xEA,0x06,0xF6],
[0XB9,0xD6,0x09,0xF6,0x2D,0xC6,0x19,0xFE,0x2C,0x20,0xFB,0x66,0x43,0x6E,0xA8,0x27,0x9E,0xF8,0x30,0x6F,0xA6,0xF5,0x38,0x5C,0x71,0x6C,0xCD,0x73,0x5C,0xED,0x01,0xF1],
[0XB8,0xD7,0x08,0xF7,0x2C,0xC7,0x18,0xFF,0x2D,0x21,0xFA,0x67,0x42,0x6F,0xA9,0x26,0x9F,0xF9,0x31,0x6E,0xA7,0xF4,0x39,0x5D,0x70,0x6D,0xCC,0x72,0x5D,0xEC,0x00,0xF0],
[0XBB,0xD4,0x0B,0xF4,0x2F,0xC4,0x1B,0xFC,0x2E,0x22,0xF9,0x64,0x41,0x6C,0xAA,0x25,0x9C,0xFA,0x32,0x6D,0xA4,0xF7,0x3A,0x5E,0x73,0x6E,0xCF,0x71,0x5E,0xEF,0x03,0xF3],
[0XBA,0xD5,0x0A,0xF5,0x2E,0xC5,0x1A,0xFD,0x2F,0x23,0xF8,0x65,0x40,0x6D,0xAB,0x24,0x9D,0xFB,0x33,0x6C,0xA5,0xF6,0x3B,0x5F,0x72,0x6F,0xCE,0x70,0x5F,0xEE,0x02,0xF2],
[0XB5,0xDA,0x05,0xFA,0x21,0xCA,0x15,0xF2,0x20,0x2C,0xF7,0x6A,0x4F,0x62,0xA4,0x2B,0x92,0xF4,0x3C,0x63,0xAA,0xF9,0x34,0x50,0x7D,0x60,0xC1,0x7F,0x50,0xE1,0x0D,0xFD],
[0XB4,0xDB,0x04,0xFB,0x20,0xCB,0x14,0xF3,0x21,0x2D,0xF6,0x6B,0x4E,0x63,0xA5,0x2A,0x93,0xF5,0x3D,0x62,0xAB,0xF8,0x35,0x51,0x7C,0x61,0xC0,0x7E,0x51,0xE0,0x0C,0xFC],
[0XEC,0x83,0x5C,0xA3,0x78,0x93,0x4C,0xAB,0x79,0x75,0xAE,0x33,0x16,0x3B,0xFD,0x72,0xCB,0xAD,0x65,0x3A,0xF3,0xA0,0x6D,0x09,0x24,0x39,0x98,0x26,0x09,0xB8,0x54,0xA4],
[0XEF,0x80,0x5F,0xA0,0x7B,0x90,0x4F,0xA8,0x7A,0x76,0xAD,0x30,0x15,0x38,0xFE,0x71,0xC8,0xAE,0x66,0x39,0xF0,0xA3,0x6E,0x0A,0x27,0x3A,0x9B,0x25,0x0A,0xBB,0x57,0xA7],
[0XEE,0x81,0x5E,0xA1,0x7A,0x91,0x4E,0xA9,0x7B,0x77,0xAC,0x31,0x14,0x39,0xFF,0x70,0xC9,0xAF,0x67,0x38,0xF1,0xA2,0x6F,0x0B,0x26,0x3B,0x9A,0x24,0x0B,0xBA,0x56,0xA6],
[0XE9,0x86,0x59,0xA6,0x7D,0x96,0x49,0xAE,0x7C,0x70,0xAB,0x36,0x13,0x3E,0xF8,0x77,0xCE,0xA8,0x60,0x3F,0xF6,0xA5,0x68,0x0C,0x21,0x3C,0x9D,0x23,0x0C,0xBD,0x51,0xA1],
[0XE8,0x87,0x58,0xA7,0x7C,0x97,0x48,0xAF,0x7D,0x71,0xAA,0x37,0x12,0x3F,0xF9,0x76,0xCF,0xA9,0x61,0x3E,0xF7,0xA4,0x69,0x0D,0x20,0x3D,0x9C,0x22,0x0D,0xBC,0x50,0xA0],
[0XEB,0x84,0x5B,0xA4,0x7F,0x94,0x4B,0xAC,0x7E,0x72,0xA9,0x34,0x11,0x3C,0xFA,0x75,0xCC,0xAA,0x62,0x3D,0xF4,0xA7,0x6A,0x0E,0x23,0x3E,0x9F,0x21,0x0E,0xBF,0x53,0xA3],
[0XEA,0x85,0x5A,0xA5,0x7E,0x95,0x4A,0xAD,0x7F,0x73,0xA8,0x35,0x10,0x3D,0xFB,0x74,0xCD,0xAB,0x63,0x3C,0xF5,0xA6,0x6B,0x0F,0x22,0x3F,0x9E,0x20,0x0F,0xBE,0x52,0xA2],
[0XE5,0x8A,0x55,0xAA,0x71,0x9A,0x45,0xA2,0x70,0x7C,0xA7,0x3A,0x1F,0x32,0xF4,0x7B,0xC2,0xA4,0x6C,0x33,0xFA,0xA9,0x64,0x00,0x2D,0x30,0x91,0x2F,0x00,0xB1,0x5D,0xAD],
[0XE4,0x8B,0x54,0xAB,0x70,0x9B,0x44,0xA3,0x71,0x7D,0xA6,0x3B,0x1E,0x33,0xF5,0x7A,0xC3,0xA5,0x6D,0x32,0xFB,0xA8,0x65,0x01,0x2C,0x31,0x90,0x2E,0x01,0xB0,0x5C,0xAC],
[0XE7,0x88,0x57,0xA8,0x73,0x98,0x47,0xA0,0x72,0x7E,0xA5,0x38,0x1D,0x30,0xF6,0x79,0xC0,0xA6,0x6E,0x31,0xF8,0xAB,0x66,0x02,0x2F,0x32,0x93,0x2D,0x02,0xB3,0x5F,0xAF],
[0XE6,0x89,0x56,0xA9,0x72,0x99,0x46,0xA1,0x73,0x7F,0xA4,0x39,0x1C,0x31,0xF7,0x78,0xC1,0xA7,0x6F,0x30,0xF9,0xAA,0x67,0x03,0x2E,0x33,0x92,0x2C,0x03,0xB2,0x5E,0xAE],
[0XE1,0x8E,0x51,0xAE,0x75,0x9E,0x41,0xA6,0x74,0x78,0xA3,0x3E,0x1B,0x36,0xF0,0x7F,0xC6,0xA0,0x68,0x37,0xFE,0xAD,0x60,0x04,0x29,0x34,0x95,0x2B,0x04,0xB5,0x59,0xA9],
[0XE0,0x8F,0x50,0xAF,0x74,0x9F,0x40,0xA7,0x75,0x79,0xA2,0x3F,0x1A,0x37,0xF1,0x7E,0xC7,0xA1,0x69,0x36,0xFF,0xAC,0x61,0x05,0x28,0x35,0x94,0x2A,0x05,0xB4,0x58,0xA8],
[0XE3,0x8C,0x53,0xAC,0x77,0x9C,0x43,0xA4,0x76,0x7A,0xA1,0x3C,0x19,0x34,0xF2,0x7D,0xC4,0xA2,0x6A,0x35,0xFC,0xAF,0x62,0x06,0x2B,0x36,0x97,0x29,0x06,0xB7,0x5B,0xAB],
[0XE2,0x8D,0x52,0xAD,0x76,0x9D,0x42,0xA5,0x77,0x7B,0xA0,0x3D,0x18,0x35,0xF3,0x7C,0xC5,0xA3,0x6B,0x34,0xFD,0xAE,0x63,0x07,0x2A,0x37,0x96,0x28,0x07,0xB6,0x5A,0xAA],
[0XFD,0x92,0x4D,0xB2,0x69,0x82,0x5D,0xBA,0x68,0x64,0xBF,0x22,0x07,0x2A,0xEC,0x63,0xDA,0xBC,0x74,0x2B,0xE2,0xB1,0x7C,0x18,0x35,0x28,0x89,0x37,0x18,0xA9,0x45,0xB5],
[0XFC,0x93,0x4C,0xB3,0x68,0x83,0x5C,0xBB,0x69,0x65,0xBE,0x23,0x06,0x2B,0xED,0x62,0xDB,0xBD,0x75,0x2A,0xE3,0xB0,0x7D,0x19,0x34,0x29,0x88,0x36,0x19,0xA8,0x44,0xB4],
[0XFF,0x90,0x4F,0xB0,0x6B,0x80,0x5F,0xB8,0x6A,0x66,0xBD,0x20,0x05,0x28,0xEE,0x61,0xD8,0xBE,0x76,0x29,0xE0,0xB3,0x7E,0x1A,0x37,0x2A,0x8B,0x35,0x1A,0xAB,0x47,0xB7],
[0XFE,0x91,0x4E,0xB1,0x6A,0x81,0x5E,0xB9,0x6B,0x67,0xBC,0x21,0x04,0x29,0xEF,0x60,0xD9,0xBF,0x77,0x28,0xE1,0xB2,0x7F,0x1B,0x36,0x2B,0x8A,0x34,0x1B,0xAA,0x46,0xB6],
[0XF9,0x96,0x49,0xB6,0x6D,0x86,0x59,0xBE,0x6C,0x60,0xBB,0x26,0x03,0x2E,0xE8,0x67,0xDE,0xB8,0x70,0x2F,0xE6,0xB5,0x78,0x1C,0x31,0x2C,0x8D,0x33,0x1C,0xAD,0x41,0xB1],
[0XF8,0x97,0x48,0xB7,0x6C,0x87,0x58,0xBF,0x6D,0x61,0xBA,0x27,0x02,0x2F,0xE9,0x66,0xDF,0xB9,0x71,0x2E,0xE7,0xB4,0x79,0x1D,0x30,0x2D,0x8C,0x32,0x1D,0xAC,0x40,0xB0],
[0XFB,0x94,0x4B,0xB4,0x6F,0x84,0x5B,0xBC,0x6E,0x62,0xB9,0x24,0x01,0x2C,0xEA,0x65,0xDC,0xBA,0x72,0x2D,0xE4,0xB7,0x7A,0x1E,0x33,0x2E,0x8F,0x31,0x1E,0xAF,0x43,0xB3],
[0XFA,0x95,0x4A,0xB5,0x6E,0x85,0x5A,0xBD,0x6F,0x63,0xB8,0x25,0x00,0x2D,0xEB,0x64,0xDD,0xBB,0x73,0x2C,0xE5,0xB6,0x7B,0x1F,0x32,0x2F,0x8E,0x30,0x1F,0xAE,0x42,0xB2],
[0XF5,0x9A,0x45,0xBA,0x61,0x8A,0x55,0xB2,0x60,0x6C,0xB7,0x2A,0x0F,0x22,0xE4,0x6B,0xD2,0xB4,0x7C,0x23,0xEA,0xB9,0x74,0x10,0x3D,0x20,0x81,0x3F,0x10,0xA1,0x4D,0xBD],
[0XF4,0x9B,0x44,0xBB,0x60,0x8B,0x54,0xB3,0x61,0x6D,0xB6,0x2B,0x0E,0x23,0xE5,0x6A,0xD3,0xB5,0x7D,0x22,0xEB,0xB8,0x75,0x11,0x3C,0x21,0x80,0x3E,0x11,0xA0,0x4C,0xBC],
[0XF7,0x98,0x47,0xB8,0x63,0x88,0x57,0xB0,0x62,0x6E,0xB5,0x28,0x0D,0x20,0xE6,0x69,0xD0,0xB6,0x7E,0x21,0xE8,0xBB,0x76,0x12,0x3F,0x22,0x83,0x3D,0x12,0xA3,0x4F,0xBF],
[0XCC,0xA3,0x7C,0x83,0x58,0xB3,0x6C,0x8B,0x59,0x55,0x8E,0x13,0x36,0x1B,0xDD,0x52,0xEB,0x8D,0x45,0x1A,0xD3,0x80,0x4D,0x29,0x04,0x19,0xB8,0x06,0x29,0x98,0x74,0x84],
[0XCF,0xA0,0x7F,0x80,0x5B,0xB0,0x6F,0x88,0x5A,0x56,0x8D,0x10,0x35,0x18,0xDE,0x51,0xE8,0x8E,0x46,0x19,0xD0,0x83,0x4E,0x2A,0x07,0x1A,0xBB,0x05,0x2A,0x9B,0x77,0x87],
[0XCE,0xA1,0x7E,0x81,0x5A,0xB1,0x6E,0x89,0x5B,0x57,0x8C,0x11,0x34,0x19,0xDF,0x50,0xE9,0x8F,0x47,0x18,0xD1,0x82,0x4F,0x2B,0x06,0x1B,0xBA,0x04,0x2B,0x9A,0x76,0x86],
[0XC9,0xA6,0x79,0x86,0x5D,0xB6,0x69,0x8E,0x5C,0x50,0x8B,0x16,0x33,0x1E,0xD8,0x57,0xEE,0x88,0x40,0x1F,0xD6,0x85,0x48,0x2C,0x01,0x1C,0xBD,0x03,0x2C,0x9D,0x71,0x81],
[0XC8,0xA7,0x78,0x87,0x5C,0xB7,0x68,0x8F,0x5D,0x51,0x8A,0x17,0x32,0x1F,0xD9,0x56,0xEF,0x89,0x41,0x1E,0xD7,0x84,0x49,0x2D,0x00,0x1D,0xBC,0x02,0x2D,0x9C,0x70,0x80],
[0XCB,0xA4,0x7B,0x84,0x5F,0xB4,0x6B,0x8C,0x5E,0x52,0x89,0x14,0x31,0x1C,0xDA,0x55,0xEC,0x8A,0x42,0x1D,0xD4,0x87,0x4A,0x2E,0x03,0x1E,0xBF,0x01,0x2E,0x9F,0x73,0x83],
[0XCA,0xA5,0x7A,0x85,0x5E,0xB5,0x6A,0x8D,0x5F,0x53,0x88,0x15,0x30,0x1D,0xDB,0x54,0xED,0x8B,0x43,0x1C,0xD5,0x86,0x4B,0x2F,0x02,0x1F,0xBE,0x00,0x2F,0x9E,0x72,0x82],
[0XC5,0xAA,0x75,0x8A,0x51,0xBA,0x65,0x82,0x50,0x5C,0x87,0x1A,0x3F,0x12,0xD4,0x5B,0xE2,0x84,0x4C,0x13,0xDA,0x89,0x44,0x20,0x0D,0x10,0xB1,0x0F,0x20,0x91,0x7D,0x8D],
[0XC4,0xAB,0x74,0x8B,0x50,0xBB,0x64,0x83,0x51,0x5D,0x86,0x1B,0x3E,0x13,0xD5,0x5A,0xE3,0x85,0x4D,0x12,0xDB,0x88,0x45,0x21,0x0C,0x11,0xB0,0x0E,0x21,0x90,0x7C,0x8C],
[0XC7,0xA8,0x77,0x88,0x53,0xB8,0x67,0x80,0x52,0x5E,0x85,0x18,0x3D,0x10,0xD6,0x59,0xE0,0x86,0x4E,0x11,0xD8,0x8B,0x46,0x22,0x0F,0x12,0xB3,0x0D,0x22,0x93,0x7F,0x8F],
[0XC6,0xA9,0x76,0x89,0x52,0xB9,0x66,0x81,0x53,0x5F,0x84,0x19,0x3C,0x11,0xD7,0x58,0xE1,0x87,0x4F,0x10,0xD9,0x8A,0x47,0x23,0x0E,0x13,0xB2,0x0C,0x23,0x92,0x7E,0x8E],
[0XC1,0xAE,0x71,0x8E,0x55,0xBE,0x61,0x86,0x54,0x58,0x83,0x1E,0x3B,0x16,0xD0,0x5F,0xE6,0x80,0x48,0x17,0xDE,0x8D,0x40,0x24,0x09,0x14,0xB5,0x0B,0x24,0x95,0x79,0x89],
[0XC0,0xAF,0x70,0x8F,0x54,0xBF,0x60,0x87,0x55,0x59,0x82,0x1F,0x3A,0x17,0xD1,0x5E,0xE7,0x81,0x49,0x16,0xDF,0x8C,0x41,0x25,0x08,0x15,0xB4,0x0A,0x25,0x94,0x78,0x88],
[0XC3,0xAC,0x73,0x8C,0x57,0xBC,0x63,0x84,0x56,0x5A,0x81,0x1C,0x39,0x14,0xD2,0x5D,0xE4,0x82,0x4A,0x15,0xDC,0x8F,0x42,0x26,0x0B,0x16,0xB7,0x09,0x26,0x97,0x7B,0x8B],
[0XC2,0xAD,0x72,0x8D,0x56,0xBD,0x62,0x85,0x57,0x5B,0x80,0x1D,0x38,0x15,0xD3,0x5C,0xE5,0x83,0x4B,0x14,0xDD,0x8E,0x43,0x27,0x0A,0x17,0xB6,0x08,0x27,0x96,0x7A,0x8A],
[0XDD,0xB2,0x6D,0x92,0x49,0xA2,0x7D,0x9A,0x48,0x44,0x9F,0x02,0x27,0x0A,0xCC,0x43,0xFA,0x9C,0x54,0x0B,0xC2,0x91,0x5C,0x38,0x15,0x08,0xA9,0x17,0x38,0x89,0x65,0x95],
[0XDC,0xB3,0x6C,0x93,0x48,0xA3,0x7C,0x9B,0x49,0x45,0x9E,0x03,0x26,0x0B,0xCD,0x42,0xFB,0x9D,0x55,0x0A,0xC3,0x90,0x5D,0x39,0x14,0x09,0xA8,0x16,0x39,0x88,0x64,0x94],
[0XDF,0xB0,0x6F,0x90,0x4B,0xA0,0x7F,0x98,0x4A,0x46,0x9D,0x00,0x25,0x08,0xCE,0x41,0xF8,0x9E,0x56,0x09,0xC0,0x93,0x5E,0x3A,0x17,0x0A,0xAB,0x15,0x3A,0x8B,0x67,0x97],
[0XDE,0xB1,0x6E,0x91,0x4A,0xA1,0x7E,0x99,0x4B,0x47,0x9C,0x01,0x24,0x09,0xCF,0x40,0xF9,0x9F,0x57,0x08,0xC1,0x92,0x5F,0x3B,0x16,0x0B,0xAA,0x14,0x3B,0x8A,0x66,0x96],
[0XD9,0xB6,0x69,0x96,0x4D,0xA6,0x79,0x9E,0x4C,0x40,0x9B,0x06,0x23,0x0E,0xC8,0x47,0xFE,0x98,0x50,0x0F,0xC6,0x95,0x58,0x3C,0x11,0x0C,0xAD,0x13,0x3C,0x8D,0x61,0x91],
[0XD8,0xB7,0x68,0x97,0x4C,0xA7,0x78,0x9F,0x4D,0x41,0x9A,0x07,0x22,0x0F,0xC9,0x46,0xFF,0x99,0x51,0x0E,0xC7,0x94,0x59,0x3D,0x10,0x0D,0xAC,0x12,0x3D,0x8C,0x60,0x90],
[0XDB,0xB4,0x6B,0x94,0x4F,0xA4,0x7B,0x9C,0x4E,0x42,0x99,0x04,0x21,0x0C,0xCA,0x45,0xFC,0x9A,0x52,0x0D,0xC4,0x97,0x5A,0x3E,0x13,0x0E,0xAF,0x11,0x3E,0x8F,0x63,0x93],
[0XDA,0xB5,0x6A,0x95,0x4E,0xA5,0x7A,0x9D,0x4F,0x43,0x98,0x05,0x20,0x0D,0xCB,0x44,0xFD,0x9B,0x53,0x0C,0xC5,0x96,0x5B,0x3F,0x12,0x0F,0xAE,0x10,0x3F,0x8E,0x62,0x92],
[0XD5,0xBA,0x65,0x9A,0x41,0xAA,0x75,0x92,0x40,0x4C,0x97,0x0A,0x2F,0x02,0xC4,0x4B,0xF2,0x94,0x5C,0x03,0xCA,0x99,0x54,0x30,0x1D,0x00,0xA1,0x1F,0x30,0x81,0x6D,0x9D],
[0XD4,0xBB,0x64,0x9B,0x40,0xAB,0x74,0x93,0x41,0x4D,0x96,0x0B,0x2E,0x03,0xC5,0x4A,0xF3,0x95,0x5D,0x02,0xCB,0x98,0x55,0x31,0x1C,0x01,0xA0,0x1E,0x31,0x80,0x6C,0x9C],
[0XD7,0xB8,0x67,0x98,0x43,0xA8,0x77,0x90,0x42,0x4E,0x95,0x08,0x2D,0x00,0xC6,0x49,0xF0,0x96,0x5E,0x01,0xC8,0x9B,0x56,0x32,0x1F,0x02,0xA3,0x1D,0x32,0x83,0x6F,0x9F],
[0XAA,0x99,0x46,0xB9,0x62,0x89,0x56,0xB1,0x63,0x6F,0xB4,0x29,0x0C,0x21,0xE7,0x68,0xD1,0xB7,0x7F,0x20,0xE9,0xBA,0x77,0x13,0x3E,0x23,0x82,0x3C,0x13,0xA2,0x4E,0xBE],
[0XF0,0x9F,0x40,0xBF,0x64,0x8F,0x50,0xB7,0x65,0x69,0xB2,0x2F,0x0A,0x27,0xE1,0x6E,0xD7,0xB1,0x79,0x26,0xEF,0xBC,0x71,0x15,0x38,0x25,0x84,0x3A,0x15,0xA4,0x48,0xB8],
[0XD2,0xBD,0x62,0x9D,0x46,0xAD,0x72,0x95,0x47,0x4B,0x90,0x0D,0x28,0x05,0xC3,0x4C,0xF5,0x93,0x5B,0x04,0xCD,0x9E,0x53,0x37,0x1A,0x07,0xA6,0x18,0x37,0x86,0x6A,0x9A],
[0XAA,0xA2,0x7D,0x82,0x59,0xB2,0x6D,0x8A,0x58,0x54,0x8F,0x12,0x37,0x1A,0xDC,0x53,0xEA,0x8C,0x44,0x1B,0xD2,0x81,0x4C,0x28,0x05,0x18,0xB9,0x07,0x28,0x99,0x75,0x85],
]
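import sys

# Alphabet in the order the rows of `table` were collected: row n of the
# table belongs to ret[n].
ret = string.digits + string.ascii_lowercase + string.ascii_uppercase + "{}_@"

# Recover one character per ciphertext byte. A position stays '+' when no row
# of the table reproduces enc[i] there.
flag = ['+'] * len(enc)
for i in range(len(enc)):
    hits = [n for n in range(len(table)) if table[n][i] == enc[i]]
    if len(hits) > 1:
        # Several alphabet rows give the same byte at this position. The old
        # loop silently kept the last match; keep that result but report it so
        # an ambiguous position is not mistaken for a recovered character.
        sys.stderr.write("position %d is ambiguous between %s\n"
                         % (i, ''.join(ret[n] for n in hits)))
    if hits:
        flag[i] = hits[-1]

# Same output as before: the characters in order, '+' for unresolved
# positions, no trailing newline.
print(''.join(ret[e] if isinstance(e, int) else e for e in flag), end='')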

flag{F1NDM3_4f73r_7H3_5h3LLC0D3}

Shell

这个题目有一个关键函数ZwUnmapViewOfSection,一般用于傀儡进程(Process Hollowing)技术,即把目标进程原有的映像卸掉、换成另一个PE再运行,属于多进程相关的技术。继续逆向分析,的确如此,shell.exe中的.psb段是真正进行加密验证的PE文件,不过加密了。
程序运行时首先会解密psb段中的PE文件,并且启动解密后的PE文件作为一个进程。
image
可以通过任务管理器将子进程的内存转储dump下来,IDA能够直接分析并且附加。
子进程PE的入口点损坏了,不过不要紧,直接通过搜索特征码定位main的父函数即可。
image
image
main的最后有个int3,似乎是与父进程有关,到这里不是很清楚怎么往下分析。(推测:父进程以调试器身份附加了子进程,int3触发的断点异常由父进程接住并在此时对子进程内存做读写,这与后面看到的父进程ReadProcessMemory/写回操作是吻合的,但文中没有进一步验证。)最终是通过指令

48 8D 35 20 2F 00 00 lea rsi, input

提取特征码48 8D ?? ?? ?? ?? ??,找到main附近的所有lea指令,查看那些lea指令引用了input,意外的是还发现了win字符串引用的地方,win的引用处是最终数据比较的地方。
image
对子进程中唯一一处引用input的是如下操作。
image
对win的引用如下。
image
另一侧引用了input的是父进程,这里将输入用ReadProcessMemory从子进程读取出来,随后与0x78异或,再写回子进程。
image
简言之,输入在父进程和子进程各有一处运算:子进程里那串看起来复杂的与非(NAND)式子 ~(~(i & ~(i & x)) & ~(x & ~(i & x))) 其实就是 x ^ i(用NAND拼出来的异或),父进程则是与0x78异或。两步都是异或,顺序无关且自身可逆,所以提取加密数据后写个解密脚本即可。

#include <stdint.h>
#include <stdio.h>

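/*
 * Shell: undo the two XOR passes applied to the input before the final
 * comparison. Per the writeup, one process XORs byte i with its index i
 * (written in the binary as the NAND construction
 *   ~(~(i & ~(i & b)) & ~(b & ~(i & b)))  ==  i ^ b)
 * and the parent XORs every byte with 0x78 after reading it back with
 * ReadProcessMemory. XOR is its own inverse and the two passes commute, so a
 * single combined pass recovers the flag.
 * Returns 0.
 */
int main(void)
{
	/* Comparison data extracted from the binary (presumably the `win`
	 * buffer): 42 payload bytes plus zero padding so it prints as a C string. */
	uint8_t input[] = {
		  0x1E, 0x15, 0x1B, 0x1C, 0x07, 0x4D, 0x1F, 0x1B, 0x12, 0x17,
		  0x4B, 0x44, 0x47, 0x58, 0x12, 0x47, 0x58, 0x58, 0x47, 0x5F,
		  0x54, 0x54, 0x58, 0x42, 0x59, 0x57, 0x50, 0x01, 0x49, 0x51,
		  0x53, 0x57, 0x3D, 0x6B, 0x3E, 0x6F, 0x3D, 0x6D, 0x6C, 0x3E,
		  0x69, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
	};
	const size_t flag_len = 42;

	/* Index XOR and 0x78 XOR folded into one step; i < 256 so the cast is exact. */
	for (size_t i = 0; i < flag_len; ++i)
		input[i] ^= (uint8_t)(i ^ 0x78);

	printf("%s", input); /* flag{0adbf973-d001-4896-962b-450e2d4a02a9} */

	return 0;
}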