[SWPU2019]EasiestRe
阿新 • • 發佈:2020-08-22
雙程序保護
父程序
用於除錯執行子程序,遇到int3指令進行處理
int __usercall sub_978BC0@<eax>(int a1@<xmm0>)
{
ProcessInformation.hProcess = 0;
ProcessInformation.hThread = 0;
ProcessInformation.dwProcessId = 0;
ProcessInformation.dwThreadId = 0;
sub_971EFB((int)&StartupInfo, 0, 68);
v94 = -112;
v95 = -125
子程序
根據父程序的程式碼對缺失的機器碼進行修改後
看加密部分
v28 = 0x1234;
v20 = 0;
v21 = 0;
v22 = 0;
v23 = 0;
v24 = 0;
v25 = 0;
v26 = 0;
v27 = 0;
v18 = 0;
v19 = 0;
v17 = len(a1);
sub_97460B(v7, xmm0_4_0, a2, (int)&v20);
for ( i = 0; ; ++i )
{
v9 = v17;
if ( i >= v17 )
break;
if ( i )
a1[i] ^= *(_BYTE *)(a3 + 4 * i - 4);
else
*a1 ^= v28;
v13 = 1;
sub_971EFB((int)&v18, 0, 8);
__debugbreak();
for ( j = 0; j < 8; ++j )
{
if ( v13 & (char)a1[i] )
{
*((_BYTE *)&v18 + j) = 1;
}
else
{
if ( (unsigned int)j >= 8 )
sub_9726CB(ebx0, edi0, a4);
*((_BYTE *)&v18 + j) = 0;
}
v13 *= 2;
}
for ( k = 0; k < 8; ++k )
*(_DWORD *)(a3 + 4 * i) += *(&v20 + 7 - k) * *((unsigned __int8 *)&v18 + k);
v8 = i + 1;
}
其中sub_97460B經過填充後
揹包加密,sub_97460B是公鑰的生成函式,給了私鑰,iv
看check部分
可找到密文
#for i in range(1,10000): #這裡計算的是inv
#if 41*i%491==1:
#print(i)
# break
iv=0x1234
inv=12
c=[0x3d1,0x2f0,0x52,0x475,0x1d2,0x2f0,0x224,0x51c,0x4e6,0x29f,0x2ee,0x39b,0x3f9,0x32b,0x2f2,0x5b5,0x24c,0x45a,0x34c,0x56d,0xa,0x4e6,0x476,0x2d9]
key=[2,3,7,14,30,57,120,251]
flag=[]
for i in range(24):
t=c[i]*inv%491
p=""
for i in range(8):
if key[7-i]>t:
p+="0"
else:
p+="1"
t-=key[7-i]
flag.append(int(p[::-1],2))
print(chr((flag[0]^0x1234)&0xff),end="")
for i in range(1,len(flag)):
print(chr((flag[i]^c[i-1])&0xff),end="")