5mc
virtureprotect动态修改函数,用ida动态调试,给输入的数据下硬件断点运行分析就可以发现正确的逻辑。
但是不能反汇编,选中按c恢复成汇编代码。
直接读汇编写出加密代码,注意一下细节,每次循环左移的值都是不一样的,以防万一还是每次加密都细看了一下。一共有四种加密方法,四种加密循环进行一共十六次加密,顺序大概是box()–>index()–>shift(stat==0)–>shift(stat==1)–>……。直接写出逆向函数就行,密文就在比对的位置。
#include <stdio.h>
#include <stdint.h>
//加密函数
int box(unsigned char* data) {
unsigned char sbox[] = { 0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7,
0x3D, 0x18, 0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4,
0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3,
0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA,
0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9, 0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97,
0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD, 0xC4, 0x08,
0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60,
0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53,
0x83, 0x4D, 0xB2, 0x10, 0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5,
0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD,
0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A,
0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7
};
for (int i = 0; i < 32;i++) {
data[i] = sbox[data[i]];
}
return 0;
}
int index(unsigned char* data) {
unsigned char tmp[32], table[32] = { 0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E,0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A };
for (int i = 0; i < 32; i++) {
tmp[table[i]] = data[i];
}
for (int i = 0; i < 32; i++) {
data[table[i]] = tmp[i];
}
return 0;
}
int shift(int l, int r, unsigned char* data,int stat) {
unsigned char indext2[] = { 0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF, 0x18,
0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4 },
indextb2[] = { 0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8, 0x1E,
0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43 };
if (stat == 0) {
for (int i = 0; i < 32; i++) {
unsigned char c;
c = data[i] ^ indext2[i];
data[i] = c + indextb2[i];
data[i] = (data[i] << l) | (data[i] >> r);
}
}
else {
for (int i = 0; i < 32; i++) {
data[i] = (data[i] + indextb2[i]) ^ indext2[i];
data[i] = (data[i] << l) | (data[i] >> r);
}
}
return 0;
}
//解密函数
int rebox(unsigned char* data) {
unsigned char sbox[] = { 0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7,
0x3D, 0x18, 0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4,
0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3,
0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA,
0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9, 0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97,
0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD, 0xC4, 0x08,
0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60,
0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53,
0x83, 0x4D, 0xB2, 0x10, 0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5,
0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD,
0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A,
0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7
};
for (int i = 0; i < 32;i++) {
for (int j = 0; j < 256;j++) {
if (data[i] == sbox[j]) {
data[i] = j;
break;
}
}
}
return 0;
}
int reindex(unsigned char *data) {
unsigned char tmp[32], table[32] = { 0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E,0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A };
for (int i = 0; i < 32; i++) {
tmp[i] = data[table[i]];
}
for (int i = 0; i < 32; i++) {
data[i] = tmp[table[i]];
}
return 0;
}
int reshift(int l, int r, unsigned char* data,int stat) {
unsigned char indext2[] = { 0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF, 0x18,
0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4 },
indextb2[] = { 0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8, 0x1E,
0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43 };
if (stat == 1) {
for (int i = 0; i < 32; i++) {
unsigned char c;
data[i] = (data[i] >> l) | (data[i] << r);
c = data[i] - indextb2[i];
data[i] = c ^ indext2[i];
}
}
else {
for (int i = 0; i < 32; i++) {
unsigned char c;
data[i] = (data[i] >> l) | (data[i] << r);
data[i] = (data[i] ^ indext2[i]) - indextb2[i];
}
}
return 0;
}
void prlhex(unsigned char* data,const char *hit) {
printf("\n--------------------------------------------------------------------------------------\n");
printf("--------%s\n", hit);
for (int i = 0; i < 32; i++) {
printf("%02x ", data[i]);
}
}
int main() {
unsigned char data[] = { 0x5B, 0x2D, 0xE9, 0x66, 0xED, 0x39, 0x90, 0x23, 0xAF, 0xDA, 0xEB, 0x2E, 0xD1, 0x0D, 0xBB, 0xBD, 0x57, 0x52, 0x02, 0xB0, 0xBA, 0x9D, 0x52, 0xFA, 0x67, 0xEE, 0xA3, 0x85, 0xA9, 0x84, 0xE2, 0x6F };
reshift(1, 7, data,0); //逆向解密
reshift(2, 6, data,1);
reindex(data);
rebox(data);
reshift(5, 3, data,0);
reshift(3, 5, data,1);
reindex(data);
rebox(data);
reshift(4, 4, data,0);
reshift(6, 2, data,1);
reindex(data);
rebox(data);
reshift(7, 1, data,0);
reshift(3, 5, data,1);
reindex(data);
rebox(data);
for (int i = 0; i < 32; i++) {
printf("%c", data[i]);
}
return 0;
}
//flag{Master_of_5mc_XoR_aDD_r0r!}
sf5
有四个加密函数被存储在了数组v28里,并以每次加密次数为索引获取加密前的数据然后进行按位或操作(Buf1[v3++] & 3),以这个结果为索引加载数组v28中的函数进行加密。先分析四个加密函数,
v28[0]是一个盒的查找替换,v28[1]以一个索引表对数据进行打乱,v28[2]把输入与两串常量异或并相加,v28[3]把数据每一字节循环右移了3位。值得注意的是这里的v28[2]是有点难看懂的,要结合汇编动调才能完全理解,下面是一些理解。
加密逻辑大概如下
//encode
#include <stdio.h>
#include <string.h>
#include <stdint.h>
int enc1(uint8_t* data) {
uint8_t sbox[256] = { 0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7, 0x3D, 0x18,
0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4, 0xDE, 0xCA, 0x56, 0x92,
0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3, 0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1,
0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA, 0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1,
0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8, 0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9,
0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97, 0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B,
0x19, 0xCD, 0xC4, 0x08, 0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76,
0xBF, 0x60, 0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F, 0x46, 0xE9,
0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53, 0x83, 0x4D, 0xB2, 0x10,
0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5, 0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94,
0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD, 0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32,
0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A, 0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5,
0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D, 0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98,
0x09, 0x80, 0xE2, 0xC7 };
for (int i = 0; i < 32; i++) {
data[i] = sbox[data[i]];
}
return 0;
}
int enc2(uint8_t* data) {
unsigned char tmp[32], table[32] = { 0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E,0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A };
for (int i = 0; i < 32; i++) {
tmp[table[i]] = data[i];
}
for (int i = 0; i < 32; i++) {
data[table[i]] = tmp[i];
}
return 0;
}
int enc3(uint8_t* data) {
uint8_t index1[] = { 0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF,
0x18, 0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4 };
uint8_t index2[] = { 0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8,
0x1E, 0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43 };
for (int i = 0; i < 32; i++) {
data[i] ^= index1[i];
data[i] += index2[i];
}
return 0;
}
int enc4(uint8_t* data) {
for (int i = 0; i < 32; i++) {
data[i] = (data[i] >> 3) | (data[i] << 5);
}
return 0;
}
因为不知道明文,我们每一次的解密有4种可能性,题目也提示dfs,我们就用dfs遍历解密路径就行。我们可以检查在解密后31减去解密次数与3进行与操作(data[31-step] & 3)是不是当前解密函数的下标,以确定路径,减少遍历的时间。结尾检查flag输出即可。
写出解密函数和dfs,脚本如下。
//decode
#include <stdio.h>
#include <stdint.h>
#include <string.h>
void prlhex(uint8_t* data, const char* hit);
int refun4(uint8_t* data) {
for (int i = 0; i < 32; i++) {
data[i] = (data[i] << 3) | (data[i] >> 5);
}
return 0;
}
int refun2(uint8_t *data) {
unsigned char tmp[32], table[32] = { 0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06, 0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E,0x03, 0x12, 0x04, 0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B, 0x17, 0x0A };
for (int i = 0; i < 32; i++) {
tmp[i] = data[table[i]];
}
for (int i = 0; i < 32; i++) {
data[i] = tmp[table[i]];
}
return 0;
}
int refun3(uint8_t* data) {
uint8_t index1[] = { 0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13, 0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF,
0x18, 0x4F, 0x26, 0x18, 0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9, 0x9E, 0xC4 };
uint8_t index2[] = { 0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41, 0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8,
0x1E, 0xBA, 0x6A, 0xBE, 0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C, 0xE2, 0x43 };
for (int i = 0; i < 32; i++) {
data[i] = (data[i] - index2[i]) ^ index1[i];
}
return 0;
}
int refun1(uint8_t* data) {
uint8_t sbox[256] = { 0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B, 0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7, 0x3D, 0x18,
0x1E, 0x61, 0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F, 0xDA, 0xF4, 0xDE, 0xCA, 0x56, 0x92,
0x75, 0x3B, 0x62, 0x45, 0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3, 0xD2, 0x44, 0xA1, 0x4A, 0x58, 0xB1,
0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF, 0x50, 0xC3, 0xDC, 0xEA, 0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51, 0xE3, 0xC1,
0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8, 0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9,
0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97, 0x4F, 0xD4, 0xBB, 0x23, 0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B,
0x19, 0xCD, 0xC4, 0x08, 0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05, 0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76,
0xBF, 0x60, 0xE7, 0x24, 0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2, 0x9C, 0x99, 0xF6, 0x2D,
0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03, 0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F, 0x46, 0xE9,
0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2, 0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53, 0x83, 0x4D, 0xB2, 0x10,
0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27, 0xBE, 0xD5, 0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94,
0xAB, 0x8A, 0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD, 0x22, 0x4E, 0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32,
0xA4, 0x16, 0xFE, 0x5B, 0x13, 0xDD, 0xC0, 0x9A, 0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49, 0xE6, 0x9F, 0xF1, 0xC5,
0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D, 0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8, 0x59, 0x98,
0x09, 0x80, 0xE2, 0xC7 };
for (int i = 0; i < 32;i++) {
for (int j = 0; j < 256;j++) {
if (data[i] == sbox[j]) {
data[i] = j;
break;
}
}
}
return 0;
}
int backupdata(uint8_t *data,uint8_t *data2) {
for (int i = 0; i < 32; i++) {
data[i] = data2[i];
}
return 0;
}
int (*refun[4])(uint8_t*) = { refun1, refun2, refun3, refun4 };
int check(unsigned char* data) {
if (!strncmp((char*)data, "flag", 4)) {
prlhex(data, "result"); //flag
}
return 0;
}
int dfs(uint8_t* data, int step, int* path) {
if (step == 32) {
check(data); //检查结果
return 1;
}
uint8_t backup[256];
backupdata(backup, data); //备份密文
for (int i = 0; i < 4; i++) { //四个解密函数进行解密
refun[i](data);
if ((data[31-step] & 3) == i) { //用&3剪枝
path[step] = i;
dfs(data, step + 1, path);
}
backupdata(data,backup);
}
return 0;
}
void prlhex(uint8_t* data,const char *hit) {
printf("\n------------------------------------------------------------------------------\n");
printf("--------%s\n", hit);
for (int i = 0; i < 32; i++) {
printf("%c", data[i]);
}
}
int main() {
uint8_t ciphertext[] = { 0x65, 0x3E, 0x43, 0xB8, 0xBA, 0xDB, 0xF6, 0x88, 0x25, 0x1B, 0x28, 0xC7, 0xC0, 0x54, 0xA6, 0x4A,
0x90, 0x37, 0xBC, 0x29, 0x41, 0xAA, 0x28, 0xDB, 0x9A, 0x59, 0x63, 0x9E, 0x4B, 0xCF, 0x2E, 0x41 };
int path[32];
dfs(ciphertext, 0, path);
return 0;
}
//flag{Ea5y_enCrypt_And_decrYpt!!}
easy-re
拿下来是一个Android elf文件,用真机运行几次发现报错先分析代码。
看了一下main函数才知道要带参数运行。加了许多混淆,c代码难以阅读,不过还是看到了一些rc4加密。字符串也被加密了,写个脚本用于dnmp。
var inter =setInterval(function() { dump(); }, 3);
function dump() {
var libxx = Process.getModuleByName("easy-re");
var exe_s_size=0x0
console.log("*****************************************************");
console.log("name: " +libxx.name);
console.log("base: " +libxx.base);
console.log("size: " +ptr(libxx.size));
var file_path = libxx.name + "_" + libxx.base + "_" + ptr(libxx.size) + ".so";
console.log(file_path);
var file_handle = new File(file_path, "wb");
if (file_handle && file_handle != null) {
Memory.protect(ptr(libxx.base), libxx.size, 'rwx');
var buffer = ptr(libxx.base).add(exe_s_size).readByteArray(libxx.size-exe_s_size);
file_handle.write(buffer);
file_handle.flush();
file_handle.close();
console.log("[dump]:", file_path);
}
clearInterval(inter)
}
再用Sofixer修复一下偏移。
重新在ida中分析,在Init_array有一个ptrace检测,可以通过字符串看出来。如果程序执行被检测到ptrace就会出现异常的结果。
c代码太难看了,尝试动调,发现ida调试是可以用的(ptrace检测没有直接结束程序),我们可以用Ida调试elf并利用trace来分析程序算法。Trace结果过长就不展示了。
大概逻辑就是flag_char ^ index ^一个表 ^ 异或前一个char,那个表估计是rc4的。主要的难点是这个表,当前调试是被ptrace检测的,测试过多次,直接使用常规frida调试也是被检测了的。
由于ptrace检测,不是很好patch,打算用环境变量加载frida_gadget来启动frida,PRE_LOAD=/data/local/tmp/frida-gadget.so ./easy-re AAAAAABAAAAAAAAAAAAAAAAAAAAAAAAB
hook脚本
function time(num)
{
let sum=0
for(let i=0;i<num*1024;i++){
sum+=i;
}
}
var mInterval = setInterval(function () {
var sgame = Process.findModuleByName("easy-re");
if (sgame == null) {
console.log("无");
return;
}
clearInterval(mInterval);
// var addr = sgame.base.add(0x1400012A0-0x140000000) //windows
var addr = sgame.base.add(0x05BC0309280 - 0x005BC0307000)
console.log("" + addr);
console.log(Instruction.parse(addr).toString());
Interceptor.attach(addr, {
onEnter: function (args) {
var rax = this.context.x10;
console.log( rax,",");
time(5451)
}
})
addr = sgame.base.add(0x5BC03094F0 - 0x005BC0307000)
console.log("" + addr);
console.log(Instruction.parse(addr).toString());
Interceptor.attach(addr, {
onEnter: function (args) {
var rax = this.context.x1;
// var mm=[68,39,43,160,45,33,116,240,251,156,45,31,225,255,45,22,140,155,112,144,214,47,152,233,164,146,168,3,253,29,123,37]
// ptr(rax).writeByteArray(mm);
}
})
addr = sgame.base.add(0x5DF1A811A0 - 0x05DF1A7F000)
console.log("" + addr);
console.log(Instruction.parse(addr).toString());
Interceptor.attach(addr, {
onEnter: function (args) {
var rax = this.context.x8;
console.log(hexdump(ptr(rax), { length: 50, ansi: true }));
time(5451)
}
})
}, 1)
直接可以拿到表
写出解密代码
#include <stdio.h>
char flag[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
unsigned char mm[32] = {
0x50, 0x4C, 0x8B, 0x94, 0x86, 0x6D, 0x72, 0xFB, 0x54, 0xF3, 0x17, 0x0F, 0xEE, 0xE4, 0xC5, 0x1E,
0xB8, 0x1A, 0xC7, 0xDF, 0x2D, 0x3D, 0x4E, 0x51, 0xE7, 0xAD, 0x97, 0x55, 0xF3, 0xF5, 0x41, 0x79
};
unsigned char box[]={0x36,0x71,0xf4,0x67,0xfa,0x9a,0xf9,0x0a,0x5e,0xa0,0xb6,0xb0,0x11,0xab,0x7a,0x2d,0xd0,0xd3,0x0a,0xca,0xe8,0x91,0x9a,0xc2,0x64,0x8e,0x12,0x08,0xba,0x46,0x4a,0x6e};
int main(){
// int n=0;
unsigned char xor2=0;
unsigned char keys[40];
for (size_t i = 0; i < 32; i++)
{
if (i!=0) {
xor2^=mm[i-1];
keys[i]=xor2;
}
}
for (size_t i = 0; i <32; i++)
{
// flag[i]^=i;
if (i!=0)
{
mm[i]^=keys[i];
}
}
for (size_t i = 0; i < 32; i++)
{
mm[i]^=i;
mm[i]^=box[i];
printf("%c", mm[i]);
}
}
//flag{welcome-re-world!go!go!go!}