Reproducing a reverse engineering challenge I failed to solve during the competition
easyre
This challenge is heavily obfuscated, so we solve it with x64dbg.
For a challenge like this, the thing we actually need to pin down is:
where the function's input goes (locating the input buffer).
Tick the option to break at the entry point, so the debugger stops at the EntryPoint.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ffebf3c7a-1d1f-4fc6-b512-a34611641155%2Fimage.png?table=block&id=128533f9-4e40-80cf-856b-f47459e938f4&t=128533f9-4e40-80cf-856b-f47459e938f4&width=706.1749877929688&cache=v2)
We keep stepping into the program; here I pressed F8 to step over a function and found that this function directly accepts the input.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fcb957de2-92bb-46c6-9f85-87f84627c543%2Fimage.png?table=block&id=128533f9-4e40-8074-b3dd-dadcf3bc2efa&t=128533f9-4e40-8074-b3dd-dadcf3bc2efa&width=706.1625366210938&cache=v2)
But here we see it storing to an address, and this is not the final address where our input ends up.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F1543a85c-fcb9-4f15-b2f1-5c7216190925%2Fimage.png?table=block&id=128533f9-4e40-80e8-ad65-d1492e16a63e&t=128533f9-4e40-80e8-ad65-d1492e16a63e&width=664&cache=v2)
Stepping to address 00007FF765224F82 we find it reading our input; this read is preparation for storing the input to the address later.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F6ef15048-3ff6-43ab-9caa-e3aab0560049%2Fimage.png?table=block&id=128533f9-4e40-8068-8036-d2b413b5fc2f&t=128533f9-4e40-8068-8036-d2b413b5fc2f&width=2560&cache=v2)
Continuing down, at 00007FF765214BC8 it starts copying the previous string into the corresponding address, with r12 as the index, which increments after each byte is copied, so we can confirm that this is the address we are after.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fb53414f2-e02a-4e08-a75a-66349d217ad5%2Fimage.png?table=block&id=128533f9-4e40-808c-8c04-c3e94d8ca0bf&t=128533f9-4e40-808c-8c04-c3e94d8ca0bf&width=2374&cache=v2)
We can see that rsi holds our address; in the memory window, press Ctrl+G to jump straight to that memory address.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fb9e0cb8f-6200-4714-b158-6154e57c211f%2Fimage.png?table=block&id=128533f9-4e40-800f-966d-e18130b0d87a&t=128533f9-4e40-800f-966d-e18130b0d87a&width=2265&cache=v2)
The corresponding memory address:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F627949b3-e17b-41e8-b8d6-c3ee561f39f8%2Fimage.png?table=block&id=128533f9-4e40-8057-bcf9-eb0d3687441e&t=128533f9-4e40-8057-bcf9-eb0d3687441e&width=707.9874877929688&cache=v2)
At this point we can set a hardware breakpoint to track our input string.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F38468840-f418-43ee-9d31-346f404b3a65%2Fimage.png?table=block&id=128533f9-4e40-8022-bd71-f8b77a7b55bc&t=128533f9-4e40-8022-bd71-f8b77a7b55bc&width=707.9874877929688&cache=v2)
After F9, the first function we land in is the one that checks the string length.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F1fb9e1ea-5003-4102-b2fd-a06157ae92e2%2Fimage.png?table=block&id=128533f9-4e40-80a3-ad95-c15d0869e0e7&t=128533f9-4e40-80a3-ad95-c15d0869e0e7&width=2560&cache=v2)
Run straight down to the ret, where we find rax has been set to 0x4, exactly the length of our string; then at the ret, using the address stored in rdi, rdi-1 gives us the function that calls the string comparison, 00007FF76520772F.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fce168b2d-f828-416e-8033-19442ef4fbd8%2Fimage.png?table=block&id=128533f9-4e40-8068-bd87-edb70ab116a1&t=128533f9-4e40-8068-bd87-edb70ab116a1&width=2551&cache=v2)
After running the program to this point we start using x64dbg's trace: right-click on the assembly line we are at, and under code coverage there is "Start run trace". The trace records every line of assembly we executed, along with the register changes.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fd7af5e77-e7af-45da-9f6e-619956b59395%2Fimage.png?table=block&id=128533f9-4e40-8007-84e0-fb0e311caa76&t=128533f9-4e40-8007-84e0-fb0e311caa76&width=707.9750366210938&cache=v2)
From the trace we can locate this region: it moves the returned string length into rdx and finally compares it, so we get the required string length: 0x38.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F5fdc0d8b-58dd-4971-aee7-2e8c723c42d7%2Fimage.png?table=block&id=128533f9-4e40-80e5-9b8f-cb2af467ec0c&t=128533f9-4e40-80e5-9b8f-cb2af467ec0c&width=2081&cache=v2)
Restart, then disable all the other software breakpoints, leaving only the hardware breakpoint.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F0f28c1c6-0f42-4d3a-a87d-8a2b069e3214%2Fimage.png?table=block&id=128533f9-4e40-8090-a11b-e49d9611520a&t=128533f9-4e40-8090-a11b-e49d9611520a&width=707.9750366210938&cache=v2)
Also keep our input_addr visible in the memory window.
Then F9 to trace; after passing the string length check we find ourselves somewhere else. Don't rush to step further, just press F9 once more, and we see the first byte has changed, so it should be operating on a single byte at a time.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F1444864f-d00b-4372-acba-87e74705e339%2Fimage.png?table=block&id=128533f9-4e40-8003-abd9-d293299764e5&t=128533f9-4e40-8003-abd9-d293299764e5&width=707.8875122070312&cache=v2)
Now trace from the code you are at until the third byte changes. The main encryption logic is actually earlier; although it contains many numbers, in the end all it implements is one thing: each byte + 0x40.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fa9a7eeb4-57bd-4096-974c-b74100beeb0e%2Fimage.png?table=block&id=128533f9-4e40-8077-8901-cc3c0cf2a5e4&t=128533f9-4e40-8077-8901-cc3c0cf2a5e4&width=707.9874877929688&cache=v2)
Remember to delete the earlier trace so the analyses don't overlap. Step two follows the same method as above; the numbers in this step look tedious, but in the end only rdx matters, and it boils down to E9FCF789 ^ B62DD00 ^ E29E2AF6 = 7F.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ffd56e3fa-919b-44e7-ab00-2edf271113eb%2Fimage.png?table=block&id=128533f9-4e40-80a7-871a-dffa16bde55b&t=128533f9-4e40-80a7-871a-dffa16bde55b&width=2188&cache=v2)
We continue with F9 and find that it encrypts eight bytes at a time; here we guess TEA encryption.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fa15400a7-088a-4238-b973-01bec4766026%2Fimage.png?table=block&id=128533f9-4e40-80fb-8342-cfcbbd81410d&t=128533f9-4e40-80fb-8342-cfcbbd81410d&width=706.1625366210938&cache=v2)
We can go back to where the second round of encryption finished and press F7 to start tracing, but the trace is huge. From the trace results it is indeed XTEA encryption, but the number of rounds has been changed to 102, and an extra XOR layer has been added.
The XOR is here:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F9cb02529-20a2-4402-9539-913113bc6275%2Fimage.png?table=block&id=128533f9-4e40-809c-8c6b-fe34903acd59&t=128533f9-4e40-809c-8c6b-fe34903acd59&width=707.8624877929688&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fcca0d7bd-8c23-4182-934c-097e956ce878%2Fimage.png?table=block&id=128533f9-4e40-8014-be78-daf8b45487b4&t=128533f9-4e40-8014-be78-daf8b45487b4&width=707.9874877929688&cache=v2)
From here we can determine that this is the key: r8>>11 clearly matches sum>>11, so the following mov eax, dword ptr ds:[rax+r8*4] fetches the key.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fedaa0758-7e28-46cd-8c03-b05b326f3381%2Fimage.png?table=block&id=128533f9-4e40-806f-9025-e7b51b0dff02&t=128533f9-4e40-806f-9025-e7b51b0dff02&width=707.9625244140625&cache=v2)
Find the key's address:
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ffd50c693-8ea6-4bad-99a0-9d92700c51bd%2Fimage.png?table=block&id=128533f9-4e40-806a-8f78-c88fd34e3f86&t=128533f9-4e40-806a-8f78-c88fd34e3f86&width=706&cache=v2)
Finally, the place where the ciphertext is compared: after all the TEA encryption finishes, F7 and trace.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Fae690f8c-744a-4c47-b85a-f965bace0d8c%2Fimage.png?table=block&id=128533f9-4e40-8041-b6d0-d9af06185307&t=128533f9-4e40-8041-b6d0-d9af06185307&width=2128&cache=v2)
Since it compares the ciphertext one value at a time, we substitute the corresponding values during the comparison.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2Ff5179d0d-bb4e-4521-a59a-2dacf5b70d3d%2Fimage.png?table=block&id=128533f9-4e40-8050-a5b2-feba7cf163ef&t=128533f9-4e40-8050-a5b2-feba7cf163ef&width=2128&cache=v2)
Exp
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F582ce2af-2e77-4e62-b5fc-f70c97e80a61%2F13acaa90-364e-48c7-b1b9-3615f97dbba7%2Fimage.png?table=block&id=129533f9-4e40-80f5-bc06-ed80730cac67&t=129533f9-4e40-80f5-bc06-ed80730cac67&width=707.9625244140625&cache=v2)
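The exp on the page survives only as an image. The following is an added reconstruction of the pipeline the writeup recovered (byte + 0x40, byte ^ 0x7F, then 102-round XTEA on 8-byte blocks) together with its inverse; it is not the author's script. The key, the XOR mask and where the extra XOR layer sits, the XTEA delta, and little-endian word order are all assumptions or placeholders, and the sample flag is constructed.

```python
# Added reconstruction of the transform described in the writeup, not the author's exp.
# KEY, XOR_MASK, the placement of the extra XOR, DELTA and byte order are ASSUMPTIONS;
# the real values come from the debugger dump and the "find the key's address" step.
import struct

DELTA = 0x9E3779B9      # standard XTEA constant (assumed; the page does not state it)
ROUNDS = 102            # round count observed in the trace
M32 = 0xFFFFFFFF
KEY = [0x11111111, 0x22222222, 0x33333333, 0x44444444]  # placeholder key
XOR_MASK = 0xDEADBEEF   # placeholder for the extra XOR layer, assumed to hit both words after the rounds


def xtea_encrypt_block(v0, v1, key=KEY, rounds=ROUNDS):
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & M32
        s = (s + DELTA) & M32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & M32
    return v0 ^ XOR_MASK, v1 ^ XOR_MASK


def xtea_decrypt_block(v0, v1, key=KEY, rounds=ROUNDS):
    v0 ^= XOR_MASK
    v1 ^= XOR_MASK
    s = (DELTA * rounds) & M32          # sum after `rounds` increments
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & M32
        s = (s - DELTA) & M32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & M32
    return v0, v1


def preprocess(flag: bytes) -> bytes:
    # step 1: each byte + 0x40; step 2: each byte ^ 0x7F (the E9FCF789^B62DD00^E29E2AF6 result)
    return bytes(((b + 0x40) & 0xFF) ^ 0x7F for b in flag)


def encrypt(flag: bytes) -> bytes:
    assert len(flag) == 0x38            # length check observed at the rdx comparison
    data, out = preprocess(flag), b""
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])   # little-endian words (assumed)
        out += struct.pack("<2I", *xtea_encrypt_block(v0, v1))
    return out


def decrypt(ct: bytes) -> bytes:
    data = b""
    for i in range(0, len(ct), 8):
        v0, v1 = struct.unpack("<2I", ct[i:i + 8])
        data += struct.pack("<2I", *xtea_decrypt_block(v0, v1))
    return bytes((((b ^ 0x7F) - 0x40) & 0xFF) for b in data)  # undo steps 2 and 1


SAMPLE_FLAG = b"flag{" + b"x" * 50 + b"}"   # constructed 0x38-byte sample, not the real flag
```

With the real key, mask and ciphertext dumped from the debugger substituted in, `decrypt` recovers the input that passes the comparison.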
- Author: 5m10v3
- URL: https://5m10v3.top/article/128533f9-4e40-8025-ae09-d2b69406fc2d
- Copyright: All articles in this blog, except where specially stated, are released under the BY-NC-SA license. Please indicate the source!