先来到主函数看看
按顺序理解,sub_411523函数为一个加密函数
跟进sub_411523—>sub_415100
发现为一个XTEA加密
密钥为v7和v8,注意看汇编代码,发现它俩的内存位置在一块
密文为v9
XTEA解密脚本:
#include<stdio.h>
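/*
 * Run the decompiled block cipher backwards over the captured ciphertext
 * block (a1) to recover the plaintext word v7.
 *
 * a2 holds the four key words lifted from the binary (18/52/86/120 =
 * 0x12/0x34/0x56/0x78); a1 holds the two ciphertext words.
 *
 * NOTE(review): each half-round here uses a fixed key index (a2[2]/a2[3],
 * then a2[0]/a2[1]) together with one shared running sum, which is the
 * classic TEA round structure rather than XTEA's sum-indexed key schedule.
 * The write-up's "XTEA" label should be confirmed against sub_415100.
 *
 * Prints the first recovered word in decimal and returns 0.
 */
int main(void)
{
    unsigned int i;
    unsigned int sum;                 /* running round constant, stepped down by delta */
    unsigned int v5;                  /* second half of the block */
    unsigned int v6;                  /* first half of the block */
    unsigned int a2[] = { 18, 52, 86, 120 };          /* key words */
    unsigned int a1[] = { 0x60FCDEF7, 0x236DBEC };    /* ciphertext block */

    v6 = a1[0];
    v5 = a1[1];
    /* 32 rounds * delta mod 2^32. Kept unsigned and in hex so the constant
     * never goes through an implementation-defined signed conversion. */
    sum = 0xC6EF3720u;

    for (i = 0; i < 0x20; ++i) {
        /* Invert the two half-rounds in reverse order; all arithmetic is
         * unsigned, so wrap-around is well defined. */
        v5 -= (a2[3] + (v6 >> 5)) ^ (sum + v6) ^ (a2[2] + 16 * v6);
        v6 -= (a2[1] + (v5 >> 5)) ^ (sum + v5) ^ (a2[0] + 16 * v5);
        sum -= 0x9E3779B9u;           /* delta: the golden-ratio constant */
    }

    a1[0] = v6;
    a1[1] = v5;
    /* %u matches the unsigned operand; the write-up expects this to print 3 (v7). */
    printf("%u\n", a1[0]);
    return 0;
}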
所以得到v7=3
因为v10=v7
所以v10=3
继续分析:
sub_4113DE —>sub_414C10—>sub_411046—>sub_414B00—>sub_411221—>sub_415340
发现是一个smc加密
sub_414B00函数:
可知smc解密的位置
可在反汇编窗口,通过搜索“hdctf”得到具体位置
两种方法解密
第一种方法:smc自解密,再找到相对应的位置,按p转换成函数
先在smc函数解密后随便一个位置下断点
动调,运行到此处,再在反汇编窗口进行搜索“hdctf”
发现为rc4加密
rc4脚本解密:
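import re


def rc4_decrypt(ciphertext, key):
    """Apply RC4 to *ciphertext* under *key* (RC4 decrypts by re-encrypting).

    Args:
        ciphertext: iterable of byte values (0-255) to XOR with the keystream.
        key: non-empty sequence of byte values (0-255); indexed with
            ``key[i % len(key)]`` so it must support ``len`` and ``[]``.

    Returns:
        bytes: the input XORed with the RC4 keystream, one byte per input byte.
    """
    # Key-scheduling algorithm: permute the identity table with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # Pseudo-random generation: one keystream byte per ciphertext byte.
    i = j = 0
    res = []
    for char in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        res.append(char ^ S[(S[i] + S[j]) % 256])
    return bytes(res)


# Ciphertext bytes as they appear in the disassembly once the SMC layer is
# undone: one `mov [ebp+var_XX], NNh` store per byte, in stack order.
s = """
mov [ebp+var_2C], 0Fh
mov [ebp+var_2B], 94h
mov [ebp+var_2A], 0AEh
mov [ebp+var_29], 0F2h
mov [ebp+var_28], 0C0h
mov [ebp+var_27], 57h ; 'W'
mov [ebp+var_26], 0C2h
mov [ebp+var_25], 0E0h
mov [ebp+var_24], 9Ah
mov [ebp+var_23], 45h ; 'E'
mov [ebp+var_22], 37h ; '7'
mov [ebp+var_21], 50h ; 'P'
mov [ebp+var_20], 0F5h
mov [ebp+var_1F], 0A0h
mov [ebp+var_1E], 5Eh ; '^'
mov [ebp+var_1D], 0CBh
mov [ebp+var_1C], 2Ch ; ','
mov [ebp+var_1B], 16h
mov [ebp+var_1A], 28h ; '('
mov [ebp+var_19], 29h ; ')'
mov [ebp+var_18], 0FEh
mov [ebp+var_17], 0FFh
mov [ebp+var_16], 33h ; '3'
mov [ebp+var_15], 46h ; 'F'
mov [ebp+var_14], 0Eh
mov [ebp+var_13], 57h ; 'W'
mov [ebp+var_12], 82h
mov [ebp+var_11], 22h ; '"'
mov [ebp+var_10], 52h ; 'R'
mov [ebp+var_F], 26h ; '&'
mov [ebp+var_E], 2Bh ; '+'
mov [ebp+var_D], 6Eh ; 'n'
mov [ebp+var_C], 0E4h
mov [ebp+var_B], 82h
mov [ebp+var_A], 24h ; '$'
"""

# Capture the hex immediate that precedes the trailing `h` on each mov line;
# the `; 'x'` character comments carry no comma, so they never match.
pattern = r',\s*(\S+)h'
data_list = re.findall(pattern, s)
print(data_list)
data_list = ['0x' + x for x in data_list]
print(data_list)
data_list = [int(x, 16) for x in data_list]
print(data_list)

# RC4 key recovered from the binary, fed in as a list of byte values.
key = 'you_are_master'
key_list = [ord(c) for c in key]
flag = rc4_decrypt(data_list, key_list)
print(flag)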
第二种方法:
写idc脚本:进行解密。
# IDAPython: undo the SMC layer in place. Every byte of the self-modifying
# region is XORed with 3 (the v7 value recovered above), so XORing it again
# restores the original code. patch_byte / get_wide_byte are IDA API calls;
# the address range is the one given in the write-up.
for addr in range(0x41d000, 0x41E600):
    decoded = get_wide_byte(addr) ^ 3
    patch_byte(addr, decoded)