很有意思的一道题,拿到程序尝试运行,发现缺少dll文件尝试下了几个文件也没什么用。打算直接ida分析。
拖入ida观察程序的逻辑,定位到main函数
__int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
{
char *v3; // rdi
signed __int64 i; // rcx
__int64 v5; // rax
__int64 v6; // rax
__int64 v7; // rax
__int64 v8; // rax
char v10; // [rsp+0h] [rbp-20h]
struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
__int64 *j; // [rsp+78h] [rbp+58h]
__int64 v13; // [rsp+98h] [rbp+78h]
__int64 *v14; // [rsp+1A0h] [rbp+180h]
v14 = a3;
v3 = &v10;
for ( i = 94i64; i; --i )
{
*(_DWORD *)v3 = -858993460;
v3 += 4;
}
sub_1400110AA((__int64)&unk_140027033);
GetSystemInfo(&SystemInfo);
putchar(byte_140021004);
putchar(byte_140021005);
putchar(byte_140021006);
putchar(byte_140021007);
putchar(byte_140021019);
putchar(byte_14002101A);
putchar(byte_140021005);
putchar(10);
puts("Let me have a look at your computer...");
for ( j = v14; *j; ++j )
{
v13 = *j;
sub_140011226("%s\n", v13);
}
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
dword_140021190 = SystemInfo.dwNumberOfProcessors;// 交叉引用定位到关键函数
sub_140011226("now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors);
if ( dword_140021190 < 8 )
{
puts("Are you in VM?");
_exit(0);
}
if ( GetUserNameA(Str1, &pcbBuffer) )
{
v5 = sub_140011172(std::cout, "this is useful");// 提示语句
std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_140011127);
}
v6 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
v7 = sub_140011172(v6, "ok,I am checking...");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_140011127);
if ( !j_strcmp(Str1, "cxx") )
{
v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_140011127);
_exit(0);
}
system("pause");
sub_1400113E3(&v10, &unk_14001DE50);
return 0i64;
}
发现提示语句,提醒上面的system cpu num是有用的。使用交叉引用可以定位到关键代码。分析逻辑
__int64 sub_140013580()
{
__int64 *v0; // rdi
signed __int64 i; // rcx
__int64 result; // rax
__int64 v3; // [rsp+0h] [rbp-20h]
int v4; // [rsp+24h] [rbp+4h]
int j; // [rsp+44h] [rbp+24h]
__int64 v6; // [rsp+128h] [rbp+108h]
v0 = &v3;
for ( i = 82i64; i; --i )
{
*(_DWORD *)v0 = 0xCCCCCCCC;
v0 = (__int64 *)((char *)v0 + 4);
}
v6 = -2i64;
sub_1400110AA((__int64)&unk_140027033);
result = sub_140011384((unsigned int)dword_140021190);// 处理函数
v4 = result;
if ( (_DWORD)result == 607052314 && dword_140021190 <= 14549743 )// ('dword_140021190 = :', 123456)
{
for ( j = 0; j < 17; ++j )
{
putchar((unsigned __int8)(dword_140021190 ^ byte_140021008[j]));
result = (unsigned int)(j + 1);
}
}
return result;
}
找到用到dword_140021190的位置
result = sub_140011384((unsigned int)dword_140021190);// 处理函数
v4 = result;
if ( (_DWORD)result == 607052314 && dword_140021190 <= 14549743 )// ('dword_140021190 = :', 1083896751264)
这段限制了dword_140021190的大小,sub_140011384函数对数据进行处理,返回的结果为result == 607052314。当然下面还有对已知的byte_140021008和dword_140021190抑或运算输出结果。进入函数之后
signed __int64 __fastcall sub_140013890(int a1)
{
__int64 *v1; // rdi
signed __int64 i; // rcx
signed __int64 result; // rax
__int64 v4; // [rsp+0h] [rbp-20h]
int v5; // [rsp+24h] [rbp+4h]
int v6; // [rsp+44h] [rbp+24h]
unsigned int v7; // [rsp+64h] [rbp+44h]
int v8; // [rsp+160h] [rbp+140h]
v8 = a1;
v1 = &v4;
for ( i = 82i64; i; --i )
{
*(_DWORD *)v1 = 0xCCCCCCCC;
v1 = (__int64 *)((char *)v1 + 4);
}
sub_1400110AA((__int64)&unk_140027033);
v5 = v8 >> 12;
v6 = v8 << 8;
v7 = (v8 << 8) ^ (v8 >> 12);
v7 *= 291;
if ( v7 )
result = v7;
else
result = 987i64;
return result;
}
分析出处理得到result的逻辑:
v7 = (v8 << 8) ^ (v8 >> 12);
v7 *= 291;
根据以上可以分析出整体的逻辑:
未知的dword_140021190(限制长度)---->(位移乘法操作)result == 607052314
dword_140021190---->(抑或操作)最终结果。
根据逻辑写脚本
import hashlib
opcode =[
0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D
]
result = ""
for i in range(0,14549744):
v7 = ((i << 8) ^ (i >> 12))*291
#print(v7)
v7 =v7 & 0xffffffff#avoid overflow
if v7 == 607052314:
print(i)
m = i
break
print("dword_140021190= ",i)
#dword_140021190 = 123456
for j in range(0, len(opcode)):
result += chr((opcode[j] ^ i) & 0xff)# char should be less than 256
#print(result)
print('flag{'+ hashlib.md5('123456'.encode('utf-8')).hexdigest() + '}')
#flag{e10adc3949ba59abbe56e057f20f883e}
解释一下脚本中的
v7 =v7 & 0xffffffff
python对于负数的显示为源码加上负号(Python没有位数这一概念)
python中,对于负数,无论是右移操作,还是n&(n-1)操作,都会陷入死循环。产生混乱。因此需要对结果进行&0xffffffff运算。
下面的&0xff显示0-256对应的字符。