baby_re
直接執行文件,輸出“nope”。
代碼里有大量沒用的反調試代碼,最后發現有個函數有用,而且有兩個特征。
輸出“nope”是在這個函數里的。這個函數有讀文件的操作,打開了叫“nothing”的文件,于是手動創建“nothing”的文件,隨便寫點東西進去,再執行這個exe,發現內容確實被加密了,但最后的幾個byte是完整的,看起來是16byte一組的ECB模式。
這時候直接set RIP到這個函數,發現功能沒有出問題,確實其他代碼是反調試代碼,全都NOP掉就行了。
主要就是逆sub_140002B60吧,沒什么好講的,還是這個套路。
python如下
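import struct

# Ciphertext dumped from the patched binary: four full 8-byte blocks (32 bytes)
# followed by a 4-byte tail that the binary left unencrypted.
target = [0xb, 0xe8, 0xa3, 0xd6, 0xf7, 0x19, 0x19, 0x4c, 0x12, 0x42, 0x0, 0x54, 0x3d, 0x41, 0xbb, 0x16, 0xe5, 0x6a, 0x87, 0xec, 0xd0, 0xeb, 0xfa, 0x62, 0x3d, 0xce, 0x61, 0x1e, 0xe, 0xc9, 0x11, 0xed, 0x68, 0x74, 0x3f, 0x7d, ]
# Earlier single-block sample kept from the original script:
# target = [0x62, 0x3f, 0xc6, 0x1f, 0xca, 0x03, 0x0b, 0xae, 0xe2, 0x05, 0xf8, 0xf7, 0xe1, 0xe1, 0x81, 0x46]
# Probe plaintext "0123456789abcdef"; only its first 8-byte block is encrypted in main().
plain = [48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102, ]
keyPool = [0xface, 0xdead, 0xbabe, 0xd00d]
# The binary subtracts this from its round counter every round; it is
# -0x9E3779B9 mod 2**32, i.e. the counter really advances by the TEA/XTEA delta.
magic = 0x61c88647
# Round-counter values dumped while reversing sub_140002B60: before_array[k] is
# the counter entering round k, after_array[k] the counter after its update.
# They equal k*DELTA mod 2**32 (see _sum_schedule); kept so the recomputed
# schedule can be cross-checked against the dump.
before_array = [0, 2654435769, 1013904242, 3668340011, 2027808484, 387276957, 3041712726, 1401181199, 4055616968, 2415085441, 774553914, 3428989683, 1788458156, 147926629, 2802362398, 1161830871, 3816266640, 2175735113, 535203586, 3189639355, 1549107828, 4203543597, 2563012070, 922480543, 3576916312, 1936384785, 295853258, 2950289027, 1309757500, 3964193269, 2323661742, 683130215]
after_array = [2654435769, 1013904242, 3668340011, 2027808484, 387276957, 3041712726, 1401181199, 4055616968, 2415085441, 774553914, 3428989683, 1788458156, 147926629, 2802362398, 1161830871, 3816266640, 2175735113, 535203586, 3189639355, 1549107828, 4203543597, 2563012070, 922480543, 3576916312, 1936384785, 295853258, 2950289027, 1309757500, 3964193269, 2323661742, 683130215, 3337565984]

MASK32 = 0xffffffff
DELTA = (-magic) & MASK32  # 0x9E3779B9
ROUNDS = 0x20
BLOCK = 8  # the cipher works on 64-bit blocks: two little-endian u32 words


def _mix(v):
    """Per-round mixing of one word: v + ((v << 4) ^ (v >> 5)), mod 2**32.

    The original wrote this as `left + (16 * left ^ (left >> 5))` and masked
    the whole adder afterwards; masking here is equivalent because only the
    low 32 bits of each operand reach the low 32 bits of the result.
    """
    return (v + (((v << 4) & MASK32) ^ (v >> 5))) & MASK32


def _sum_schedule(rounds=ROUNDS):
    """Return the `rounds` + 1 round-counter values k*DELTA mod 2**32, k = 0..rounds."""
    return [(k * DELTA) & MASK32 for k in range(rounds + 1)]


def xtea_encrypt_block(v0, v1, key=keyPool, rounds=ROUNDS):
    """Encrypt one block given as two u32 words; returns (v0, v1).

    `v0` is the word built from bytes 0..3 of the block (the original script's
    `right`), `v1` from bytes 4..7 (`left`).  `key` is four u32 words and
    `rounds` defaults to the 32 rounds the binary runs.
    """
    s = 0
    for _ in range(rounds):
        v0 = (v0 + (_mix(v1) ^ ((s + key[s & 3]) & MASK32))) & MASK32
        s = (s + DELTA) & MASK32  # the binary's `before -= magic`
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK32))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0, v1, key=keyPool, rounds=ROUNDS):
    """Inverse of xtea_encrypt_block for the same `key` and `rounds`; returns (v0, v1).

    Walks the round counter backwards from rounds*DELTA, which is what the
    original did by indexing after_array/before_array from the end.
    """
    s = (rounds * DELTA) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK32))) & MASK32
        s = (s - DELTA) & MASK32  # the original's `before += magic`
        v0 = (v0 - (_mix(v1) ^ ((s + key[s & 3]) & MASK32))) & MASK32
    return v0, v1


def _map_blocks(data, block_fn, key, rounds):
    """Apply `block_fn` to every full 8-byte block of `data` (ECB) and return bytes.

    A trailing partial block is copied through unchanged, matching the binary,
    whose last 4 ciphertext bytes were observed intact.  `data` may be bytes,
    a bytearray or a list of byte values.  Words are packed/unpacked with
    struct instead of `hex(x)[2:].decode('hex')`, which fails on values with
    an odd number of hex digits and drops leading zero bytes.
    """
    buf = bytes(bytearray(data))
    full = len(buf) - len(buf) % BLOCK
    out = bytearray()
    for off in range(0, full, BLOCK):
        v0, v1 = struct.unpack_from("<II", buf, off)
        out += struct.pack("<II", *block_fn(v0, v1, key, rounds))
    out += buf[full:]
    return bytes(out)


def encrypt_buffer(data, key=keyPool, rounds=ROUNDS):
    """Encrypt `data` block by block; see _map_blocks for the tail rule."""
    return _map_blocks(data, xtea_encrypt_block, key, rounds)


def decrypt_buffer(data, key=keyPool, rounds=ROUNDS):
    """Decrypt `data` block by block; see _map_blocks for the tail rule."""
    return _map_blocks(data, xtea_decrypt_block, key, rounds)


def _text(chunk):
    """Render raw bytes as printable text; latin-1 maps every byte to one char."""
    return bytes(chunk).decode("latin-1")


def main():
    """Reproduce the original script's checks and print the recovered flag.

    The per-round state dumps of the original are omitted; the block
    functions above perform the same arithmetic with the round counter
    recomputed instead of read from before_array/after_array.
    """
    schedule = _sum_schedule(ROUNDS)
    print(len(before_array))
    print(len(after_array))
    print("dumped schedule matches k*DELTA: %s"
          % (before_array == schedule[:-1] and after_array == schedule[1:]))
    # Encrypt the first block of the probe plaintext, as the original did.
    v0, v1 = struct.unpack_from("<II", bytes(bytearray(plain)), 0)
    print("0x%08x 0x%08x" % (v1, v0))  # original printed left, then right
    c0, c1 = xtea_encrypt_block(v0, v1)
    print("0x%08x 0x%08x" % (c1, c0))
    print("====================================")
    recovered = decrypt_buffer(target)
    full = len(recovered) - len(recovered) % BLOCK
    for off in range(0, full, BLOCK):
        chunk = recovered[off:off + BLOCK]
        # Original printed the bytes of the second word, then of the first.
        print("%s %s" % (_text(chunk[4:8]), _text(chunk[:4])))
    print(_text(recovered))


if __name__ == "__main__":
    main()

# Output of the original script, block by block (left word, right word),
# with the unencrypted tail appended:
# tf{t qwbc
# is_n his_
# hat_ ot_t
# _rig hard
# ht?}
# qwbctf{this_is_not_that_hard_right?}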
2018強網杯-Writeup