【攻防世界011】Windows_Reverse1
This challenge is a bit odd: it involves UPX unpacking, and the key I recovered contains one garbled character. When I type it into the program, it sometimes says the key is right and sometimes says it is wrong. The program I used here is the original build, i.e. without any unpacking applied:
I looked at the official writeup and found that its script solution is the same as mine; the difference is that the memory it dumped is not the same as mine. The correct key for this challenge should be the second one in the figure below:
In other words, the fourth character, which came out garbled for me, should actually be an uppercase J. I don't know why the garbled version has a chance of being accepted.
Here is my approach. The first step, of course, is to check for a packer. After finding it is UPX, unpack it with upx -d and then load it into IDA for analysis; I won't paste screenshots of these steps.
Find the main function and, working backwards from the output strings, the two branches above correspond to the correct and the wrong case respectively:
Continuing upwards: the program prompts for the key, then passes the key together with a block of memory (which I named Buffer_Size_1024) to the function at 401000. The code here is tricky. I don't know whether it is obfuscation or optimization, but the memory block is passed in ecx, and the catch is that Buffer_Size_1024 and InputKey are adjacent on the main function's stack, which the 401000 function then relies on. I don't know why the compiler generates code this way. More on 401000 in a moment; what matters here is that after the call to 401000 returns, Buffer_Size_1024 must equal "DDCTF{reverseME}" for the key to be accepted.
Next, analyze 401000.
As I mentioned, this function actually takes two parameters: the input key InputKey and a block of memory on the main function's stack. The assembly is optimized in a strange way, but the meaning boils down to Buffer[i] = byte_402FF8[InputKey[i]]. This Buffer must equal "DDCTF{reverseME}", and byte_402FF8 can be dumped while debugging, so we can write a script to invert the key. This is a very routine approach, and I wrote my script as well, but the memory I dumped differs from the official writeup's. Below are my script and the official one:
Official script

# byte_402FF8 as dumped by the official writeup; table[x] is the byte the
# program produces for input byte x
table = [
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x3A, 0xFC, 0x30, 0x00, 0xC5, 0x03, 0xCF,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00,
    0x7E, 0x7D, 0x7C, 0x7B, 0x7A, 0x79, 0x78, 0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70, 0x6F,
    0x6E, 0x6D, 0x6C, 0x6B, 0x6A, 0x69, 0x68, 0x67, 0x66, 0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F,
    0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F,
    0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F,
    0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F,
    0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x70, 0x19, 0x38, 0x00, 0x80, 0x12, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00,
]
flag = ''
str1 = "DDCTF{reverseME}"
for i in range(len(str1)):
    # the first index holding the wanted output byte is taken as the key byte
    flag += chr(table.index(ord(str1[i])))
print(flag)

My script
# byte_402FF8 as dumped from my own debugging session
dump = [
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0xC1, 0x06, 0xAB, 0x50, 0x3E, 0xF9, 0x54,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00,
    0x7E, 0x7D, 0x7C, 0x7B, 0x7A, 0x79, 0x78, 0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70, 0x6F,
    0x6E, 0x6D, 0x6C, 0x6B, 0x6A, 0x69, 0x68, 0x67, 0x66, 0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F,
    0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F,
    0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F,
    0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F,
    0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x88, 0x19, 0x38, 0x00, 0x80, 0x12, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
]
check = "DDCTF{reverseME}"
for i in range(len(check)):
    # same inversion as the official script: first index holding the wanted byte
    print(chr(dump.index(ord(check[i]))), end="")

Summary
The only real difference is the content of the dump. The official answer is certainly correct, while the key I recovered is only accepted some of the time, so this challenge is a bit of a trap.
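Both scripts above recover the key with list.index, which returns the first index holding the wanted byte. In the dump from my session shown above, offset 15 holds 0x54 ('T') before the intended offset 74, so the lookup for the 'T' in "DDCTF{reverseME}" lands on chr(15) instead of 'J'; the official dump has no 0x54 in that region. The block below is an added example, not code from this post or from the official writeup. It reconstructs only the table layout both dumps share (indices 32..126 hold 0x7E down to 0x20), plants a constructed 0x54 at index 15 to mirror my dump, and inverts the table while restricting candidate key bytes to the printable range, reporting any position where the first-match lookup would have left that range. It also runs the forward mapping the 401000 routine performs (Buffer[i] = table[key[i]]) to confirm the recovered key. The function names make_table, forward, naive_invert, invert and ambiguous_positions are my own.

```python
# Added example: inverting the byte_402FF8 substitution table without the
# first-match pitfall of list.index(). Not code from the post or the writeup.

TARGET = "DDCTF{reverseME}"      # the buffer the program compares against
PRINTABLE = range(0x20, 0x7F)   # key bytes that can actually be typed


def make_table(stray_at=None, stray_value=0x54):
    """Construct a table with the layout both dumps on the page share:
    indices 32..126 hold 0x7E down to 0x20, index 127 is 0, the first 32
    bytes are zero. Optionally plant a stray byte in the low region to
    mirror the 0x54 seen at offset 15 in the author's dump (constructed)."""
    table = [0x00] * 32 + list(range(0x7E, 0x1F, -1)) + [0x00]
    if stray_at is not None:
        table[stray_at] = stray_value
    return table


def forward(table, key):
    """What the 401000 routine computes: Buffer[i] = table[key[i]]."""
    return bytes(table[ord(c)] for c in key)


def naive_invert(table, target):
    """The approach used by both scripts on the page: first matching index."""
    return "".join(chr(table.index(ord(c))) for c in target)


def invert(table, target, allowed=PRINTABLE):
    """Invert the table using only indices in `allowed`. Raises if a target
    byte has zero or several preimages there, instead of silently picking one."""
    preimages = {}
    for idx in allowed:
        preimages.setdefault(table[idx], []).append(idx)
    key = []
    for c in target:
        cands = preimages.get(ord(c), [])
        if len(cands) != 1:
            raise ValueError(
                f"byte {ord(c):#04x} has {len(cands)} printable preimages: {cands}")
        key.append(chr(cands[0]))
    return "".join(key)


def ambiguous_positions(table, target):
    """Positions where the naive first-match lookup lands outside the
    printable range, i.e. where the key would come out garbled."""
    return [i for i, c in enumerate(target)
            if table.index(ord(c)) not in PRINTABLE]


TABLE = make_table(stray_at=15)   # constructed: mirrors the author's dump


if __name__ == "__main__":
    print("naive   :", repr(naive_invert(TABLE, TARGET)))
    print("garbled :", ambiguous_positions(TABLE, TARGET))
    key = invert(TABLE, TARGET)
    print("restricted:", key)
    # the forward mapping is what the binary checks
    print("verifies:", forward(TABLE, key) == TARGET.encode())
```

Restricting candidates to 0x20..0x7E reflects what can be typed at the prompt, and the forward check is the same test the binary applies. One plausible reading of the on-and-off acceptance, not something the post states, is that the garbled key is only correct while offset 15 of byte_402FF8 happens to hold 0x54 at runtime; the two dumps on the page do differ exactly in bytes 8..15.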