[Original] 看雪CTF2017 Challenge 15: CrackMe reverse-engineering analysis

2017-6-30 20:20 1360

1. The packer

I don't understand it in depth; the main work was getting past the anti-debugging.

Running it directly in OD pops up this, and I was stuck on it for a day, sigh.

I'll skip the intermediate steps: constant single-stepping and run-tracing until I found the VM's dispatch location:

0049376E         - FF6424 D4       JMP     NEAR DWORD PTR SS:[ESP-0x2C]

The key information is in the screenshot above:

0x281Dcc0 is the address that executes next.

The top of the stack, 0x5d309a, is the return address after execution; inside it jumps all over the place. I run-traced it many times hoping to find where the next return address is computed, to no avail.

Setting the breakpoint again, the anti-debug message box is triggered after roughly 16 hits.

Those first 16 are the checks for whether it is being debugged.

They include one time check:

and n window checks:

These are probably not all of the checks, otherwise my OD should not have been detected, since both its title and class name were changed.

After the anti-debug box pops up, if the program goes to

0019FCE8   005D3AEF  CrackMe.005D3AEF

the address above, it dies, so that has to be changed.

The program does not show this box when run normally, which means there is another path it can take. Usually the two are not far apart; by testing, changing it to 0x5d3b23 works.

That's it for the packer and anti-debugging. Here is a script; run it directly and it takes you to the algorithm:

// hardware breakpoint at the dispatch location
BPHWS  0049376E,"x"
// algorithm routine
BPHWS  0040103D,"x"
run
EOB  LABEL_PAUSE
// on each break, check whether we have reached the anti-debug location; if so, jump to LABEL_CHANGE
LABEL_PAUSE:
    cmp [esp],05d3aef
    JE  LABEL_CHANGE
    run
// redirect the control flow
LABEL_CHANGE:
    mov [esp],005d3b23
    BPHWC 0049376E
    run

Run the script directly, click OK when the anti-debug box pops up, then enter the registration code and press Enter.

2. The algorithm:

004021A0      C68424 A0020000>MOV     BYTE PTR SS:[ESP+0x2A0], 0x75
004021A8      C68424 A1020000>MOV     BYTE PTR SS:[ESP+0x2A1], 0x69
004021B0      C68424 A2020000>MOV     BYTE PTR SS:[ESP+0x2A2], 0x72
004021B8      C68424 A3020000>MOV     BYTE PTR SS:[ESP+0x2A3], 0x65
004021C0      889C24 A4020000 MOV     BYTE PTR SS:[ESP+0x2A4], BL
004021C7      E8 64FE0000     CALL    CrackMe.00412030
004021CC      8BF0            MOV     ESI, EAX
004021CE      56              PUSH    ESI
004021CF      E8 9C000100     CALL    CrackMe.00412270
004021D4      53              PUSH    EBX
004021D5      68 75020000     PUSH    0x275
004021DA      8D4424 3C       LEA     EAX, DWORD PTR SS:[ESP+0x3C]
004021DE      50              PUSH    EAX
004021DF      56              PUSH    ESI
004021E0      E8 5B040100     CALL    CrackMe.00412640
004021E5      53              PUSH    EBX
004021E6      56              PUSH    ESI
004021E7      E8 C41B0100     CALL    CrackMe.00413DB0
004021EC      68 883E4800     PUSH    CrackMe.00483E88                       ; ASCII "main"
004021F1      68 EED8FFFF     PUSH    -0x2712
004021F6      56              PUSH    ESI
004021F7      E8 84130100     CALL    CrackMe.00413580                       ; lua_getglobal
004021FC      57              PUSH    EDI                                    ; registration code
004021FD      56              PUSH    ESI                                    ; L*
004021FE      E8 DD0E0100     CALL    CrackMe.004130E0                       ; lua_pushstring
00402203      6A 01           PUSH    0x1
00402205      56              PUSH    ESI
00402206      E8 A51B0100     CALL    CrackMe.00413DB0                       ;  lua_pcall
0040220B      83C4 38         ADD     ESP, 0x38
0040220E      85C0            TEST    EAX, EAX
00402210      74 1A           JE      SHORT CrackMe.0040222C
00402212      5F              POP     EDI
00402213      5E              POP     ESI
00402214      33C0            XOR     EAX, EAX
00402216      5B              POP     EBX
00402217      8B8C24 9C020000 MOV     ECX, DWORD PTR SS:[ESP+0x29C]
0040221E      33CC            XOR     ECX, ESP
00402220      E8 BB010000     CALL    CrackMe.004023E0
00402225      81C4 A0020000   ADD     ESP, 0x2A0
0040222B      C3              RETN
0040222C      55              PUSH    EBP
0040222D      6A F4           PUSH    -0xC                                   ; first one
0040222F      56              PUSH    ESI
00402230      E8 AB0A0100     CALL    CrackMe.00412CE0                       ; fetch the first returned character
00402235      8BF8            MOV     EDI, EAX                               ; first one
00402237      6A F5           PUSH    -0xB
00402239      56              PUSH    ESI
0040223A      83F7 05         XOR     EDI, 0x5                               ; XOR the first returned character
0040223D      E8 9E0A0100     CALL    CrackMe.00412CE0
00402242      8BD8            MOV     EBX, EAX
00402244      6A F6           PUSH    -0xA
00402246      56              PUSH    ESI
00402247      83F3 12         XOR     EBX, 0x12
0040224A      E8 910A0100     CALL    CrackMe.00412CE0
0040224F      8BE8            MOV     EBP, EAX
00402251      6A F7           PUSH    -0x9
00402253      56              PUSH    ESI
00402254      83F5 0A         XOR     EBP, 0xA
00402257      E8 840A0100     CALL    CrackMe.00412CE0
0040225C      83F0 29         XOR     EAX, 0x29
0040225F      6A F8           PUSH    -0x8
00402261      56              PUSH    ESI
00402262      894424 58       MOV     DWORD PTR SS:[ESP+0x58], EAX
00402266      E8 750A0100     CALL    CrackMe.00412CE0
0040226B      83F0 42         XOR     EAX, 0x42
0040226E      6A F9           PUSH    -0x7
00402270      56              PUSH    ESI
00402271      894424 48       MOV     DWORD PTR SS:[ESP+0x48], EAX
00402275      E8 660A0100     CALL    CrackMe.00412CE0
0040227A      83F0 41         XOR     EAX, 0x41
0040227D      6A FA           PUSH    -0x6
0040227F      56              PUSH    ESI
00402280      894424 60       MOV     DWORD PTR SS:[ESP+0x60], EAX
00402284      E8 570A0100     CALL    CrackMe.00412CE0
00402289      83F0 75         XOR     EAX, 0x75
0040228C      6A FB           PUSH    -0x5
0040228E      56              PUSH    ESI
0040228F      894424 60       MOV     DWORD PTR SS:[ESP+0x60], EAX
00402293      E8 480A0100     CALL    CrackMe.00412CE0
00402298      83C4 40         ADD     ESP, 0x40
0040229B      83F0 61         XOR     EAX, 0x61
0040229E      6A FC           PUSH    -0x4
004022A0      56              PUSH    ESI
004022A1      894424 18       MOV     DWORD PTR SS:[ESP+0x18], EAX
004022A5      E8 360A0100     CALL    CrackMe.00412CE0
004022AA      83F0 35         XOR     EAX, 0x35
004022AD      6A FD           PUSH    -0x3
004022AF      56              PUSH    ESI
004022B0      894424 24       MOV     DWORD PTR SS:[ESP+0x24], EAX
004022B4      E8 270A0100     CALL    CrackMe.00412CE0
004022B9      35 83000000     XOR     EAX, 0x83
004022BE      6A FE           PUSH    -0x2
004022C0      56              PUSH    ESI
004022C1      894424 34       MOV     DWORD PTR SS:[ESP+0x34], EAX
004022C5      E8 160A0100     CALL    CrackMe.00412CE0
004022CA      83F0 55         XOR     EAX, 0x55
004022CD      6A FF           PUSH    -0x1
004022CF      56              PUSH    ESI
004022D0      894424 44       MOV     DWORD PTR SS:[ESP+0x44], EAX
004022D4      E8 070A0100     CALL    CrackMe.00412CE0
004022D9      35 94000000     XOR     EAX, 0x94
004022DE      6A F3           PUSH    -0xD
004022E0      56              PUSH    ESI
004022E1      894424 54       MOV     DWORD PTR SS:[ESP+0x54], EAX
004022E5      E8 26050100     CALL    CrackMe.00412810
004022EA      56              PUSH    ESI
004022EB      E8 80200100     CALL    CrackMe.00414370                       ; free
004022F0      83C4 2C         ADD     ESP, 0x2C
004022F3      83FF 18         CMP     EDI, 0x18
004022F6      75 54           JNZ     SHORT CrackMe.0040234C
004022F8      83FB 16         CMP     EBX, 0x16
004022FB      75 4F           JNZ     SHORT CrackMe.0040234C
004022FD      83FD 1E         CMP     EBP, 0x1E
00402300      75 4A           JNZ     SHORT CrackMe.0040234C
00402302      837C24 30 2F    CMP     DWORD PTR SS:[ESP+0x30], 0x2F
00402307      75 43           JNZ     SHORT CrackMe.0040234C
00402309      837C24 18 48    CMP     DWORD PTR SS:[ESP+0x18], 0x48
0040230E      75 3C           JNZ     SHORT CrackMe.0040234C
00402310      837C24 28 11    CMP     DWORD PTR SS:[ESP+0x28], 0x11
00402315      75 35           JNZ     SHORT CrackMe.0040234C
00402317      837C24 20 21    CMP     DWORD PTR SS:[ESP+0x20], 0x21          ; 70
0040231C      75 2E           JNZ     SHORT CrackMe.0040234C
0040231E      837C24 10 37    CMP     DWORD PTR SS:[ESP+0x10], 0x37          ; 6a
00402323      75 27           JNZ     SHORT CrackMe.0040234C
00402325      837C24 14 33    CMP     DWORD PTR SS:[ESP+0x14], 0x33
0040232A      75 20           JNZ     SHORT CrackMe.0040234C
0040232C      817C24 1C 86000>CMP     DWORD PTR SS:[ESP+0x1C], 0x86
00402334      75 16           JNZ     SHORT CrackMe.0040234C
00402336      837C24 24 52    CMP     DWORD PTR SS:[ESP+0x24], 0x52
0040233B      75 0F           JNZ     SHORT CrackMe.0040234C
0040233D      817C24 2C 94000>CMP     DWORD PTR SS:[ESP+0x2C], 0x94
00402345      75 05           JNZ     SHORT CrackMe.0040234C
00402347      8D47 E9         LEA     EAX, DWORD PTR DS:[EDI-0x17]
0040234A      EB 02           JMP     SHORT CrackMe.0040234E
0040234C      33C0            XOR     EAX, EAX
0040234E      8B8C24 AC020000 MOV     ECX, DWORD PTR SS:[ESP+0x2AC]
00402355      5D              POP     EBP
00402356      5F              POP     EDI
00402357      5E              POP     ESI
00402358      5B              POP     EBX
00402359      33CC            XOR     ECX, ESP
0040235B      E8 80000000     CALL    CrackMe.004023E0
00402360      81C4 A0020000   ADD     ESP, 0x2A0
00402366      C3              RETN


That's the whole algorithm: C calling luajit.

Complete dump script

I originally wanted to find a decompiler but couldn't find one. In the end I looked at the strings in the script, found xor, and comparing input against output confirmed it really is xor.

Working backwards:

1. From the input string, the output result, the XOR process and the final comparison values, recover it directly in Python:

#python 3
#input string; if its length is not 12, the result is all zeros
inputN="mapzzzzzzz12"
#result after the luajit computation
outN=[0x1d,0x4,0x14,0x13,0x3,0x4b,0x48,0x49,0x4e,0x4f,0x7,0x5]
#XOR constants in the C code
cXorList=[0x5,0x12,0xa,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94]
#final comparison values
cmpList=[0x18,0x16,0x1e,0x2f,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94]
#XOR key used inside luajit
luaXorList=[]
#values the Lua stage must output for the comparison to pass
needList=[]
for i in range(len(inputN)):
    tmp=cXorList[i]^cmpList[i]
    #print(hex(tmp))
    needList.append(tmp&0xff)
for i in range(len(inputN)):
    tmp=ord(inputN[i])^outN[i]
    #print(hex(tmp))
    luaXorList.append(tmp&0xff)
strRet=""
for i in range(len(inputN)):
    tmp=luaXorList[i]^needList[i]
    #print(hex(tmp))
    strRet+=chr(tmp)
print(strRet)
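The listing above and the recovery script can be tied together as one model: a Lua stage that XORs the 12 input bytes with a fixed key (the author's inference, checked against the known input/output pair), followed by the C stage that XORs each returned value with a constant and compares it. The block below is an added example, not the crackme's code or the author's; `lua_stage` is a hypothetical reconstruction of the luajit `main` function based only on the behaviour described in the post, and the constants are copied from the post. It recovers the Lua key from the known pair, solves for the accepted code, and then runs that code back through the reconstructed check to confirm it is accepted.

```python
# Added example (not from the original post): reconstructed two-stage check
# and its inversion. Constants are the ones the post lists.

# Author's test input and the 12 values the luajit 'main' returned for it.
KNOWN_INPUT = "mapzzzzzzz12"
KNOWN_LUA_OUT = [0x1d, 0x4, 0x14, 0x13, 0x3, 0x4b, 0x48, 0x49, 0x4e, 0x4f, 0x7, 0x5]
# XOR constants and expected values from the compiled C code at 0040223A..00402345.
C_XOR = [0x5, 0x12, 0xa, 0x29, 0x42, 0x41, 0x75, 0x61, 0x35, 0x83, 0x55, 0x94]
C_CMP = [0x18, 0x16, 0x1e, 0x2f, 0x48, 0x11, 0x21, 0x37, 0x33, 0x86, 0x52, 0x94]
CODE_LEN = 12


def recover_lua_key(plain, out):
    """Recover a single-byte-per-position XOR key from one known pair.

    XOR is its own inverse, so key[i] = plain[i] ^ out[i]."""
    return bytes((ord(p) ^ c) & 0xff for p, c in zip(plain, out))


def lua_stage(code, key):
    """Hypothetical model of the luajit 'main' function (assumption).

    Returns 12 integers; per the post, a code whose length is not 12
    yields all zeros, otherwise each byte is XORed with the key."""
    if len(code) != CODE_LEN:
        return [0] * CODE_LEN
    return [(ord(c) ^ k) & 0xff for c, k in zip(code, key)]


def c_stage(values):
    """The compiled check from the listing: XOR each returned value with
    its constant and compare against the expected value; every position
    must match for the code to be accepted."""
    if len(values) != CODE_LEN:
        return False
    return all((v ^ x) & 0xff == e for v, x, e in zip(values, C_XOR, C_CMP))


def check(code, key):
    """Full validator: Lua stage feeding the C stage."""
    return c_stage(lua_stage(code, key))


def solve(key):
    """Invert the check: the Lua output must equal C_XOR ^ C_CMP, and the
    input byte that produces it is that value XOR the Lua key byte."""
    need = [(x ^ e) & 0xff for x, e in zip(C_XOR, C_CMP)]
    return "".join(chr(k ^ n) for k, n in zip(key, need))


if __name__ == "__main__":
    key = recover_lua_key(KNOWN_INPUT, KNOWN_LUA_OUT)
    print("lua key:", key)
    code = solve(key)
    print("code:", code, "accepted:", check(code, key))
    print("test input accepted:", check(KNOWN_INPUT, key))
```

Recovering the key from a single known pair only works because the Lua stage is a plain per-position XOR with a key that does not depend on the input; the final `check` call is the sanity test that the recovered key and the inverted constants are consistent with each other.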