IDA 几乎分析不动（花指令太多），于是按网上大佬的方法用脚本去花指令：把匹配到的花指令序列 patch 成 NOP（长度不变，其他偏移不受影响），然后用 IDA 重新打开/重新分析。
from ida_bytes import get_bytes, patch_bytes
import re
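# Address range of the obfuscated code to clean up (end is exclusive).
addr = 0x402400
end = 0x403000
buf = get_bytes(addr, end - addr)
# get_bytes() returns None when the range is not (fully) loaded; fail here
# with a clear message instead of letting re.sub() choke on None later.
if buf is None:
    raise RuntimeError("get_bytes(%#x, %#x) failed: range not loaded?" % (addr, end - addr))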
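def handler1(s):
    """re.sub callback: log the matched junk bytes and return NOPs of equal length.

    ``s`` is the match object. IDAPython on Python 3 hands back ``bytes``
    (iterating yields ints); Python 2 hands back ``str`` (iterating yields
    1-char strings). Both are handled so the script runs on either.

    Returns 0x90 (NOP) bytes of the same length and type as the match, so the
    buffer length and every other offset stay unchanged.
    """
    matched = s.group(0)
    # Log what is about to be overwritten so a false positive (e.g. a genuine
    # `call $+5` sequence) can be spotted in the IDA output window.
    print("".join("%02x" % (b if isinstance(b, int) else ord(b)) for b in matched))
    nop = b"\x90" if isinstance(matched, bytes) else "\x90"
    return nop * len(matched)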
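# Junk-code signature: `call $+5` (E8 00 00 00 00) followed, non-greedily, by
# two `ret` (C3) bytes. The buffer is binary, so:
#  - use a bytes pattern (br"...") - it is a plain str on Python 2 and bytes on
#    Python 3, where get_bytes() returns bytes and a str pattern would raise;
#  - pass re.S so `.` also matches 0x0A, otherwise any junk block containing a
#    newline byte is silently skipped;
#  - drop re.I: it is meaningless for non-letter bytes and, on a str pattern in
#    Python 3, would make \xc3 also match \xe3.
# NOTE(review): this is a heuristic; a legitimate call $+5 / ret sequence in
# the range would be wiped as well - check the hex printed for each match.
p = br"\xe8\x00\x00\x00\x00.*?\xc3.*?\xc3"
buf = re.sub(p, handler1, buf, flags=re.S)
patch_bytes(addr, buf)
print("Done")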
程序逻辑从 0x402400 开始，所以从这附近的函数逐个看。随便点进 sub_402600，一上来就是一堆常量赋值（v18..v49），符合校验函数内嵌密文的特征。
v18 = 91;
v19 = -42;
......
v49 = -6;
v2 = (const WCHAR *)sub_401570(&a2);
v14 = sub_4030A0(v2);
v10 = v14;
LOBYTE(v67) = 1;
v3 = (void *)sub_401570(v14);
sub_403000((int)&v57, v3);
LOBYTE(v67) = 3;
sub_4012A0(&v15);
v16 = (char *)unknown_libname_1(&v57);
v51 = v16;
v13 = v16 + 1;
v51 += strlen(v51);
v11 = ++v51 - (v16 + 1);
v9 = v51 - (v16 + 1);
v65 = 0;
memset(&v66, 0, 0x27u);
strncpy(&v65, v16, v51 - (v16 + 1));
if ( check_len(&v65) ) // 检查长度,然后逆序
{
v54 = 0;
v56 = 0;
LABEL_7:
v55 = v56;
}
else
{
v60 = 0x72657771; // 密钥 qwertyuiop
v61 = 0x69757974;
v62 = 0x706F;
v63 = 0;
memset(&v64, 0, 0xF5u);
v58 = 0;
memset(&v59, 0, 0xFFu);
memset(&v5, 0, 0x1FFu);
v50 = (const char *)&v60;
v7 = (int *)((char *)&v60 + 1);
v50 += strlen(v50);
v6 = ++v50 - ((const char *)&v60 + 1);
check_rc4((int)&v58, &v60, v50 - ((const char *)&v60 + 1));// rc4算法
v53 = &v65;
v12 = &v66;
v53 += strlen(v53);
v8 = ++v53 - &v66;
sub_402E80(&v58, &v65, v53 - &v66);
for ( i = 31; i >= 0; --i )
{
if ( *(&v65 + i) != *(&v18 + i) ) // v18开始是密文,在这里检查加密后与密文是否一致
{
v56 = 0;
goto LABEL_7;
}
}
v55 = 1;
}
LOBYTE(v67) = 0;
sub_403060(&v57);
v67 = -1;
sub_4012A0(&a2);
return v55;
}
至此拿到了长度（对比循环 i=31..0，即 32 字节）、密钥、密文和算法。RC4 的 KSA 会用一个 256 次的循环初始化 S 盒，是识别 RC4 的明显特征；据说 IDA 有插件能自动识别这类常见算法。
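# Ciphertext embedded in sub_402600 (the v18..v49 constants, 32 bytes).
l =[0x5B,0x0D6,0x0D0,0x26,0x0C8,0x0DD,0x19,0x7E,0x6E,0x3E,0x0CB,0x16,0x91,0x7D,0x0FF,0x0AF,0x0DD,0x76,0x64,0x0B0,0x0F7,0x0E5,0x89,0x57,0x82,0x9F,0x0C,0x0,0x9E,0x0D0,0x45,0x0FA]
from base64 import b64encode
ciphertext = bytes(l)
# Base64 form for pasting into an online RC4 tool; the original just evaluated
# the expression (only visible in a REPL), so print it explicitly.
print(b64encode(ciphertext).decode("ascii"))
#W9bQJsjdGX5uPssWkX3/r912ZLD35YlXgp8MAJ7QRfo=


def _rc4(key, data):
    """Plain RC4 (KSA + PRGA) over bytes; the same call encrypts and decrypts.

    Raises ValueError on an empty key (RC4 is undefined for it).
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


KEY = b"qwertyuiop"  # v60..v62 in sub_402600; strlen() gives 10 bytes
# Decrypt locally so the data never has to leave the machine. Assumes
# check_rc4 is unmodified RC4 (the online tool used for the write-up agrees).
plaintext = _rc4(KEY, ciphertext)
print(plaintext)
# check_len() reverses the input before it is encrypted, so the flag body is
# the reversed plaintext.
print("flag{%s}" % plaintext[::-1].decode("ascii", "replace"))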
然后拿密钥解密（RC4 加密和解密是同一运算，在线工具或本地脚本都行），得到明文后逆序，再套上 flag{} 即得 flag。
#密钥 qwertyuiop
#算法 rc4
#http://tool.chacuo.net/cryptrc4
#明文 f250e3d75820847d427f3af11a783379
#逆序后 973387a11fa3f724d74802857d3e052f
#flag{973387a11fa3f724d74802857d3e052f}