这个感觉巨难的,怎么放到这了
用ida打开找不着它在干嘛,在函数列表里有 __except_handler4 经搜索是异常处理的。逆向找引用,它被sub_402320调用。sub_402320调用sub_402450通过key对404000块进行解密,异或取反
// Decompiled (IDA) helper: in-place XOR-then-NOT over a1 bytes starting at a2.
// Each byte becomes ~(byte ^ aSycloversyclov[v7]); v7 walks the key and is
// reset to 0 (via LABEL_5) once it reaches a4, so a4 acts as the key length.
// a1 (edx): byte count; a2 (ecx): buffer address; a3: not referenced in this body;
// a4: key length. Returns the number of bytes processed (a1 once the loop finishes,
// 0 if a1 <= 0).
int __usercall sub_402450@<eax>(int a1@<edx>, int a2@<ecx>, int a3, int a4)
{
int result; // eax - running byte index, also the return value
int v7; // edx - index into the key
char v8; // cl - current key byte
result = 0;
if ( a1 > 0 )
{
while ( 1 )
{
v7 = 0; // restart the key from its first byte
if ( a4 > 0 )
break;
// a4 <= 0: no break is taken and result stays 0 < a1, so this loop never exits
LABEL_5:
if ( result >= a1 )
return result;
}
while ( result < a1 )
{
v8 = aSycloversyclov[v7++]; // sycloversyclover
*(_BYTE *)(result + a2) = ~(*(_BYTE *)(result + a2) ^ v8); // XOR with key byte, then bitwise NOT
++result;
if ( v7 >= a4 )
goto LABEL_5; // key exhausted: wrap v7 back to 0
}
}
return result;
}
写程序对这块进行解密再放到ida
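key = b'sycloversyclover'


def decrypt_block(data, key, start, end):
    """Undo sub_402450 on ``data[start:end]`` and return the patched copy.

    The binary applies ``~(byte ^ key[j])`` with ``j`` cycling over the key
    from the start of the region; that operation is its own inverse, so the
    same transform decrypts.

    Args:
        data: whole file image (bytes or bytearray); it is not modified.
        key: XOR key, cycled every ``len(key)`` bytes.
        start, end: half-open byte range to transform.

    Returns:
        bytearray equal to ``data`` except for ``data[start:end]``.
    """
    out = bytearray(data)
    klen = len(key)
    for i in range(start, end):
        # ~x truncated to 8 bits == 0xff ^ x == 0xff - x for 0 <= x <= 255;
        # the explicit parentheses make the intended order unambiguous.
        out[i] = 0xff ^ (out[i] ^ key[(i - start) % klen])
    return out


if __name__ == '__main__':
    # The encrypted region is file offset 0x3400..0x3600 (the block the
    # writeup identifies as 404000 in IDA). 0x3400 is a multiple of 16, so
    # keying from the region start matches the binary's own loop.
    with open('attachment.exe', 'rb') as f:
        data = f.read()
    with open('a3.exe', 'wb') as f:
        f.write(decrypt_block(data, key, 0x3400, 0x3600))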
这个函数对密文进行 -1 和反向处理
// Decompiled (IDA): in-place transform of the global string aPvfqyc4ttc2uxr.
// Step 1 decrements every byte; step 2 reverses the string by swapping
// symmetric positions. Returns strlen() of the string after the transform.
unsigned int sub_404000()
{
unsigned int i; // edx - index for the decrement pass
unsigned int v1; // esi - left index of the current swap
unsigned int result; // eax - strlen(), also the return value
int v3; // eax - strlen() - v1, the mirror position (before the base added below)
char v4; // dl - temp byte for the swap
for ( i = 0; i < strlen(aPvfqyc4ttc2uxr); ++i )
--aPvfqyc4ttc2uxr[i]; // subtract 1 from every byte (strlen is re-evaluated each pass)
v1 = 0;
result = strlen(aPvfqyc4ttc2uxr);
if ( (result & 0xFFFFFFFE) != 0 ) // length >= 2: anything shorter needs no reversal
{
do
{
v3 = result - v1; // reverse: mirror index counted from the end
// 0x409017 (== 4231191 on the next line) is presumably the byte just before
// aPvfqyc4ttc2uxr, making v3 + 0x409017 element len-1-v1 -- confirm against
// the string's address in IDA
v4 = *(_BYTE *)(v3 + 0x409017);
*(_BYTE *)(v3 + 4231191) = aPvfqyc4ttc2uxr[v1]; // swap the pair in place
aPvfqyc4ttc2uxr[v1++] = v4;
result = strlen(aPvfqyc4ttc2uxr);
}
while ( v1 < result >> 1 ); // stop after len/2 swaps
}
return result;
}
再用ida查密是AES,从字符表里找到两个串
sycloversyclover
sctfsctfsctfsctf
两个都是16字符,符合AES的key和iv的特征,用第1个作key第2个作iv解到的密文base64解码后作为密文进行解密
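# AES recovery
from base64 import b64decode

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# String pulled from the decrypted 404000 block (a guess).
cipher = b'>pvfqYc,4tTc2UxRmlJ,sB{Fh4Ck2:CFOb4ErhtIcoLo'
# sub_404000 decrements every byte and then reverses the string; apply the
# same steps here to obtain the text the binary actually works with.
cipher = bytes([i - 1 for i in cipher[::-1]])
print(cipher)
# That text is base64; decode it to get the raw AES ciphertext.
cipher = b64decode(cipher)
# The two 16-character strings from the string table (both guesses):
# first as the key, second as the IV.
key = b'sycloversyclover'
iv = b'sctfsctfsctfsctf'
aes = AES.new(key, AES.MODE_CBC, iv)
m = aes.decrypt(cipher)
print(m)
# The raw plaintext presumably still carries PKCS#7 padding (the flag text
# itself hints at it); strip it for the clean flag. A ValueError here would
# mean the key/IV guess is wrong.
print(unpad(m, AES.block_size))
#sctf{Ae3_C8c_I28_pKcs79ad4}
#flag{Ae3_C8c_I28_pKcs79ad4}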