careful
题目给出了一个恶意样本,请分析出样本请求服务器的域名(flag的形式为DASCTF{md5(域名)}) 其中md5值都是小写
首先动调可以得到这串
然而发现并不对
翻函数 翻到这里
得到真正的域名: Just_An_APIH00k11.com
babyre
Load了自身的cod后xor解密
注意动调的时候Input是作为命令行参数输入的
瞎翻函数列表翻到个RC4 而解压的资源强行F5得到的也是一个变形的RC4
在原来函数有修改!
#include<bits/stdc++.h>
using namespace std;
signed main(){
unsigned char base64_table[44]={0xF7, 0x2E, 0x34, 0xF0, 0x72, 0xCF, 0x5E, 0x0A, 0xBB, 0xEC, 0xB1, 0x2B, 0x70, 0x88, 0x88, 0xED,
0x46, 0x38, 0xDB, 0xDA, 0x6C, 0xBD, 0xD4, 0x06, 0x77, 0xF2, 0xCF, 0x56, 0x88, 0xC6, 0x31, 0xD2,
0xB7, 0x5A, 0xC1, 0x42, 0xB0, 0xF4, 0x48, 0x37, 0xF5, 0x2C, 0xF5, 0x58};
int s[256],k[256];
int j=0;
int key[10];
key[0] = 93;
key[1] = 66;
key[2] = 98;
key[3] = 41;
key[4] = 3;
key[5] = 54;
key[6] = 71;
key[7] = 65;
key[8] = 21;
key[9] = 54;
int v8=0;unsigned int v7=0;
for (int i = 0; i < 256; i++) {
s[i] = i;
}
for(int i=0;i<256;i++){
int v9=s[i];
v7=(key[v8]+v9+2*v7)&255;
s[i]=s[v7];
s[v7]=v9;
if(++v8>=0xA)
v8=0;
}
int j2 = 0;
int i3 = 0;
int cnt=0;
for (unsigned __int8 i4 : base64_table) {
i4 -= cnt%0xD;
i4 &= 255;
cnt++;
i3 = (i3 + j2) & 255;
j2 = (s[i3] + j2) & 255;
int temp2 = s[i3];
s[i3] = s[j2];
s[j2] = temp2;
int rnd = s[(s[i3] + j2+ s[j2]) & 255];
cout<<( char(i4 ^ rnd))<<"";
}
}
DASCTF{03446c2c-dff7-11ed-9285-54e1ad98d649}
... 没有IDA强行F5在那儿瞪了半天...233
ezexe
exe是py
解包后py反编译不完整
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.11
import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5
class _STARTUPINFO(Structure):
_fields_ = [
('cb', c_ulong),
('lpReserved', c_char_p),
('lpDesktop', c_char_p),
('lpTitle', c_char_p),
('dwX', c_ulong),
('dwY', c_ulong),
('dwXSize', c_ulong),
('dwYSize', c_ulong),
('dwXCountChars', c_ulong),
('dwYCountChars', c_ulong),
('dwFillAttribute', c_ulong),
('dwFlags', c_ulong),
('wShowWindow', c_ushort),
('cbReserved2', c_ushort),
('lpReserved2', c_char_p),
('hStdInput', c_ulong),
('hStdOutput', c_ulong),
('hStdError', c_ulong)]
class _PROCESS_INFORMATION(Structure):
_fields_ = [
('hProcess', c_void_p),
('hThread', c_void_p),
('dwProcessId', c_ulong),
('dwThreadId', c_ulong)]
StartupInfo = _STARTUPINFO()
ProcessInfo = _PROCESS_INFORMATION()
key1 = bytes(md5(b'bin1bin1bin1').hexdigest().encode())
file = open('bin1', 'rb').read()
arr = range(len(file))()
open('bin1', 'wb').write(bytes(arr))
sleep(0)
bet = ctypes.windll.kernel32.CreateProcessA(b'bin1', ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), byref(StartupInfo), byref(ProcessInfo))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ProcessInfo.hProcess), ctypes.c_int(-1))
open('bin1', 'wb').write(file)
得到key1后没找到怎么对bin2进行的加密
其实这种都猜的出来 要么AES 要么循环xor
所以查看pyc字节码:
from marshal import *
from dis import *
f = open(r"C:\Users\asus\Desktop\tmp\ez_exe.exe_extracted\ez_py.pyc","rb+").read()
dis(loads(f[16:]))
关键加密部分
Disassembly of <code object <listcomp> at 0x00000198A0EAB0E0, file "ez_py.py", line 59>:
59 0 RESUME 0
2 BUILD_LIST 0
4 LOAD_FAST 0 (.0)
>> 6 FOR_ITER 50 (to 108)
8 STORE_FAST 1 (i)
10 LOAD_GLOBAL 0 (key1)
22 LOAD_FAST 1 (i)
24 LOAD_GLOBAL 3 (NULL + len)
36 LOAD_GLOBAL 0 (key1)
48 PRECALL 1
52 CALL 1
62 BINARY_OP 6 (%)
66 BINARY_SUBSCR
76 LOAD_GLOBAL 4 (file)
88 LOAD_FAST 1 (i)
90 BINARY_SUBSCR
100 BINARY_OP 12 (^)
104 LIST_APPEND 2
106 JUMP_BACKWARD 51 (to 6)
>> 108 RETURN_VALUE
发现是一个循环xor
根据提示... 把bin1bin1bin1换成bin2bin2bin2 作为key
一个xxtea
魔改了DELTA和加密的rounds
逆回去得到flag
DASCTF{7eb20cb2-deac-11ed-ae42-94085339ce84}
unsym
go逆向
lumina还原符号(貌似IDA8.3能自动还原go的符号)
可以看到大量与BigNum相关的Math运算库
FindCrypt找到 AES,b64特征
main_main:
__int64 __fastcall main_main()
{
__int64 v0; // r14
__int128 v1; // xmm15
_QWORD *v2; // rax
__int64 v3; // rax
__int64 v4; // rbx
__int64 v5; // rcx
__int64 v6; // rdi
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rcx
__int64 v10; // rdi
__int64 v11; // rsi
__int64 v12; // rax
__int64 v13; // rbx
__int64 v14; // rbx
__int64 v15; // rax
unsigned __int64 v16; // rcx
__int64 i; // rdx
unsigned __int64 v18; // rbx
__int64 v19; // rax
__int64 v20; // rax
unsigned __int64 v21; // rcx
__int64 File; // rax
__int64 v23; // rax
__int64 v24; // rcx
__int64 v25; // rax
__int64 v26; // rax
__int64 j; // rcx
__int64 v28; // rbx
__int64 v29; // rax
__int64 v31; // rax
__int64 v32; // [rsp-38h] [rbp-230h]
__int64 v33; // [rsp-38h] [rbp-230h]
__int64 v34; // [rsp-38h] [rbp-230h]
__int64 v35; // [rsp-38h] [rbp-230h]
__int64 v36; // [rsp-30h] [rbp-228h]
__int64 v37; // [rsp-30h] [rbp-228h]
__int64 v38; // [rsp-30h] [rbp-228h]
__int64 v39; // [rsp-28h] [rbp-220h]
__int64 v40; // [rsp+18h] [rbp-1E0h]
__int64 v41; // [rsp+28h] [rbp-1D0h]
unsigned __int64 v42; // [rsp+38h] [rbp-1C0h]
unsigned __int64 v43; // [rsp+38h] [rbp-1C0h]
__int64 v44; // [rsp+48h] [rbp-1B0h] BYREF
__int64 v45; // [rsp+50h] [rbp-1A8h]
__int64 v46; // [rsp+58h] [rbp-1A0h] BYREF
_QWORD v47[2]; // [rsp+62h] [rbp-196h]
int v48; // [rsp+72h] [rbp-186h]
__int16 v49; // [rsp+76h] [rbp-182h]
__int64 v50; // [rsp+B8h] [rbp-140h]
__int64 v51; // [rsp+C0h] [rbp-138h]
__int64 v52; // [rsp+C8h] [rbp-130h]
__int64 v53; // [rsp+D0h] [rbp-128h]
__int64 v54; // [rsp+D8h] [rbp-120h]
__int64 v55; // [rsp+E0h] [rbp-118h]
__int64 v56; // [rsp+E8h] [rbp-110h]
__int64 v57; // [rsp+F0h] [rbp-108h]
__int64 v58; // [rsp+F8h] [rbp-100h]
__int64 v59; // [rsp+100h] [rbp-F8h]
_QWORD *v60; // [rsp+108h] [rbp-F0h]
const char *v61; // [rsp+110h] [rbp-E8h]
_QWORD *v62; // [rsp+118h] [rbp-E0h]
void *v63; // [rsp+120h] [rbp-D8h]
char **v64; // [rsp+128h] [rbp-D0h]
__int128 v65; // [rsp+130h] [rbp-C8h]
void *v66; // [rsp+140h] [rbp-B8h]
char **v67; // [rsp+148h] [rbp-B0h]
void *v68; // [rsp+150h] [rbp-A8h]
char **v69; // [rsp+158h] [rbp-A0h]
__int128 v70; // [rsp+160h] [rbp-98h]
char v71; // [rsp+170h] [rbp-88h]
__int64 v72; // [rsp+178h] [rbp-80h]
__int128 v73; // [rsp+180h] [rbp-78h]
char v74; // [rsp+190h] [rbp-68h]
__int64 v75; // [rsp+198h] [rbp-60h]
__int128 v76; // [rsp+1A0h] [rbp-58h]
unsigned __int8 v77; // [rsp+1B0h] [rbp-48h]
__int64 v78; // [rsp+1B8h] [rbp-40h]
__int128 v79; // [rsp+1C0h] [rbp-38h]
char v80; // [rsp+1D0h] [rbp-28h]
__int64 *v81; // [rsp+1D8h] [rbp-20h]
__int64 v82; // [rsp+1E0h] [rbp-18h]
__int64 v83; // [rsp+1E8h] [rbp-10h]
if ( (unsigned __int64)&v44 <= *(_QWORD *)(v0 + 16) )
runtime_morestack_noctxt();
v71 = 0;
v72 = 0LL;
v73 = v1;
math_big__Int_SetString();
v32 = runtime_newobject();
v60 = v2;
*v2 = 0LL;
v63 = &unk_4C9780;
v64 = &off_506CD0;
fmt_Fprint();
v61 = "\b";
v62 = v60;
fmt_Fscanln();
v3 = *v60;
v59 = *v60;
v4 = v60[1];
v45 = v4;
v5 = 0LL;
v6 = 0LL;
while ( v5 < v4 )
{
v55 = v6;
if ( *(unsigned __int8 *)(v3 + v5) >= 0x80u )
{
runtime_decoderune();
v9 = v4;
}
else
{
v9 = v5 + 1;
}
v44 = v9;
v65 = v1;
v7 = runtime_convT64();
*(_QWORD *)&v65 = "\b";
*((_QWORD *)&v65 + 1) = v7;
fmt_Sprintf();
v8 = runtime_concatstring2();
v5 = v44;
v6 = v8;
v3 = v59;
v4 = v45;
}
v46 = 65537LL;
v80 = 0;
v81 = &v46;
v82 = 1LL;
v83 = 1LL;
v77 = 0;
v78 = 0LL;
v79 = v1;
v74 = 0;
v75 = 0LL;
v76 = v1;
math_big__Int_SetString();
sub_4AFAA0();
v10 = v77;
v11 = 16LL;
v36 = sub_4BA240(v32);
v13 = v12;
v52 = runtime_slicebytetostring();
runtime_makeslice();
if ( v13 == 57 && (unsigned __int8)runtime_memequal() )
{
v14 = *v60;
v15 = runtime_stringtoslicebyte();
v47[0] = 0x504D5404501D282FLL;
v47[1] = 0x3D5B2A485C5917LL;
v48 = 54333973;
v49 = 4888;
for ( i = 0LL; i < 22; ++i )
*((_BYTE *)v47 + i) ^= aVghpc19pc19hx2[i];
v43 = v16;
v54 = v15;
v70 = v1;
runtime_slicebytetostring();
v31 = runtime_convTstring();
*(_QWORD *)&v70 = &unk_4C9780;
*((_QWORD *)&v70 + 1) = v31;
v10 = 1LL;
v11 = 1LL;
sub_4A2160();
v21 = v43;
v20 = v54;
}
else
{
v18 = encoding_base64__Encoding_DecodeString();
v19 = runtime_slicebytetostring();
if ( v18 < 0x10 )
runtime_panicSliceAlen(v33, v36);
v14 = v19;
v20 = runtime_stringtoslicebyte();
}
v42 = v21;
v54 = v20;
File = os_ReadFile();
if ( v10 )
{
LABEL_26:
v50 = v11;
v68 = &unk_4C9780;
v69 = &off_506CE0;
sub_4A2160();
while ( 1 )
runtime_gopanic(v33, v36);
}
v51 = File;
v23 = crypto_aes_NewCipher();
if ( v24 )
{
runtime_gopanic(v33, v36);
goto LABEL_26;
}
v56 = v14;
v59 = v23;
v25 = (*(__int64 (**)(void))(v23 + 24))();
if ( !v25 )
runtime_panicdivide();
v40 = v25 - 7 % v25;
v39 = runtime_makeslicecopy(v33, v36);
for ( j = 7LL; j < v40 + 7; ++j )
*(_BYTE *)(v26 + j) = v40;
v58 = v26;
if ( (*(__int64 (**)(void))(v59 + 24))() > v42 )
LABEL_23:
runtime_panicSliceAcap(v34, v37);
v28 = v56;
crypto_cipher_NewCBCEncrypter(v34, v37, v39);
v41 = v29;
v53 = v28;
v57 = runtime_makeslice();
(*(void (**)(void))(v41 + 32))();
if ( os_WriteFile() )
{
runtime_gopanic(v35, v38);
goto LABEL_23;
}
v66 = &unk_4C9780;
v67 = &off_506CF0;
return sub_4A2160();
}
用7.5才能调... 7.7 IDA encouteredxxx 8.3 user credential...
方法就是 8.3识别出go的main_main位置4bee60 然后7.5 Lumina恢复符号后动调...
而且7.xF5不带显示大整数的... 还要从8.3的来看... 难绷...
第一层是RSA 解出来 key: E@sy_RSA_enc7ypt
然后后面的CBC调试猜测IV和key一样
解个CBC即可
from Crypto.Cipher import AES
from Crypto.Util.number import *
data = open(r"D:\浏览器下载\unsym\encrypted.bin","rb+").read()
key = b'E@sy_RSA_enc7ypt'
iv = b'E@sy_RSA_enc7ypt'
cbc = AES.new(key,AES.MODE_CBC,iv)
with open(r"D:\浏览器下载\unsym\encrypted.bin","rb+") as f:
f.write(cbc.decrypt(data))
运行即可得到flag
DASCTF{bbcd7a90e82cd4a32355f05871fc33}
cap
以前Reversing.kr做过位图相关 一般都是一个屏幕截图进行位图操作
这里由于已知是BMP文件 文件头: 42 4D
固定 xor后得到 n c
再动调这里
发现是一个循环xor 那么就是从n开始的循环xor
from Crypto.Util.number import *
key = [0x5F,0x62,0x79,0x5F,0x64,0x61,0x73,0x63,0x74,0x66,0x65,0x6E,0x63,0x5F,0x62]
key = "enc_by_dasctf"
data = open(r"D:\浏览器下载\cap\cap2.bin","rb+").read()
with open(r"D:\浏览器下载\cap\dec.bmp","rb+") as f:
for i in range(len(data)):
x = data[i]^ord(key[(i+1)%len(key)])
f.write(long_to_bytes(x))
print(chr(0x2C^0x42))
得到图片
DASCTF{3d0bd550-edbe-11ed-b2a3-f1d90bff20c4}