XY_RE复现（四）舔狗四部曲

一，我的白月光

BOOK框还叉不掉，主函数很长

int __cdecl main(int argc, const char **argv, const char **envp)
{__m128 si128; // xmm6__int128 *v4; // raxint v5; // r13dunsigned int v6; // ecx__m128 v7; // xmm0_DWORD *v8; // raxHMODULE ModuleHandleA; // rdiunsigned int *v10; // rbx_QWORD *v11; // r12__int64 v12; // raxchar *v13; // rbxsize_t v14; // rdiunsigned __int64 v15; // rsivoid *v16; // r14size_t v17; // rax__int64 v18; // raxunsigned __int64 v19; // rbxvoid **v20; // rcxsize_t v21; // r8__int64 v22; // r15_BYTE *v23; // rax__int64 v24; // rdichar *v25; // rbx_DWORD *v26; // rcxunsigned int v27; // eax__m128 v28; // xmm0__int64 i; // rbxconst WCHAR *v30; // rdxchar v32[10]; // [rsp+20h] [rbp-E0h] BYREF__int64 *v33; // [rsp+30h] [rbp-D0h]unsigned int *v34; // [rsp+38h] [rbp-C8h]void *Buf1[2]; // [rsp+40h] [rbp-C0h] BYREFsize_t v36; // [rsp+50h] [rbp-B0h]unsigned __int64 v37; // [rsp+58h] [rbp-A8h]HMODULE v38; // [rsp+60h] [rbp-A0h]char v39[1024]; // [rsp+80h] [rbp-80h] BYREFDWORD flOldProtect[2]; // [rsp+480h] [rbp+380h] BYREFchar Buf2[8]; // [rsp+488h] [rbp+388h] BYREFchar v42[16]; // [rsp+490h] [rbp+390h] BYREF__int128 v43[63]; // [rsp+4A0h] [rbp+3A0h] BYREFchar v44[1008]; // [rsp+890h] [rbp+790h] BYREFsub_1400025D0(0x280u, 0x1E0u, 0);sub_140002650(0xFFFFFFi64);sub_140002580();sub_140002670(0xAA00u);  //这个好像是初始窗口sub_140002660(1u);sub_140002690(0xAAu);v43[0] = _mm_load_si128(&xmmword_14000ADE0);v43[1] = _mm_load_si128(&xmmword_14000ADF0);v43[2] = _mm_load_si128(&xmmword_14000AD70);v43[3] = _mm_load_si128(&xmmword_14000ADC0);v43[4] = _mm_load_si128(&xmmword_14000AE30);v43[5] = _mm_load_si128(&xmmword_14000AD80);v43[6] = _mm_load_si128(&xmmword_14000ADD0);  v43[7] = _mm_load_si128(&xmmword_14000ADB0);v43[8] = _mm_load_si128(&xmmword_14000AD90);v43[9] = _mm_load_si128(&xmmword_14000AE00);v43[10] = _mm_load_si128(&xmmword_14000ADA0);v43[11] = _mm_load_si128(&xmmword_14000AD60);v43[12] = _mm_load_si128(&xmmword_14000AE20);v43[13] = _mm_load_si128(&xmmword_14000AE10);*&v43[14] = 0x4E5C0000809Bi64;DWORD2(v43[14]) = 21245;memset(&v43[14] + 12, 0, 0xA4ui64);si128 = _mm_load_si128(&xmmword_14000AD50);v4 = &v43[1];v5 = 0;v6 = 0;do{v7 = _mm_loadu_si128(v4 - 1);v4 += 4;v6 += 16;*(v4 - 5) = _mm_xor_ps(si128, v7);*(v4 - 4) = _mm_xor_ps(_mm_loadu_si128(v4 - 4), si128);*(v4 - 3) = _mm_xor_ps(si128, _mm_loadu_si128(v4 - 3));*(v4 - 2) = _mm_xor_ps(si128, _mm_loadu_si128(v4 - 2));}while ( v6 < 0x60 );if ( v6 < 0x64 ){v8 = v43 + v6;do{*v8++ ^= 0x66u;++v6;}while ( v6 < 0x64 );}sub_140002630(0i64, 0i64, &unk_14000A5F8);sub_140002630(50i64, 50i64, &unk_14000A620);sub_140002630(100i64, 100i64, &unk_14000A648);sub_140002630(150i64, 150i64, &unk_14000A668);sub_140002630(200i64, 200i64, &unk_14000A688);sub_140002630(250i64, 250i64, &unk_14000A6A8);sub_140002630(300i64, 300i64, &unk_14000A6D8);sub_140002630(350i64, 350i64, aFlagL0v3);MessageBoxA(0i64, "LOOK_ME_AGAIN", "BOOB", 0);ModuleHandleA = GetModuleHandleA(0i64);v38 = ModuleHandleA;v10 = (ModuleHandleA + *(ModuleHandleA + *(ModuleHandleA + 15) + 144));v34 = v10;if ( v10[3] ){while ( 1 ){if ( LoadLibraryA(ModuleHandleA + v10[3]) ){v33 = (ModuleHandleA + *v10);v11 = (ModuleHandleA + v10[4]);v12 = *v33;if ( *v33 )break;}
LABEL_44:v10 += 5;v34 = v10;if ( !v10[3] )goto LABEL_45;}while ( 1 ){qmemcpy(v32, "essigiLozU", sizeof(v32));v42[3] = 0;v13 = ModuleHandleA + v12;*Buf1 = 0i64;v14 = -1i64;do++v14;while ( v13[v14 + 2] );if ( v14 > 0x7FFFFFFFFFFFFFFFi64 )sub_140001270();if ( v14 <= 0xF ){v36 = v14;v37 = 15i64;memcpy(Buf1, v13 + 2, v14);*(Buf1 + v14) = 0;v15 = v37;v14 = v36;v16 = Buf1[0];goto LABEL_26;}v15 = v14 | 0xF;if ( (v14 | 0xF) > 0x7FFFFFFFFFFFFFFFi64 )break;if ( v15 < 0x16 )v15 = 22i64;if ( v15 + 1 >= 0x1000 ){v17 = v15 + 40;if ( v15 + 40 <= v15 + 1 )sub_1400011D0();goto LABEL_20;}if ( v15 == -1i64 )v16 = 0i64;elsev16 = sub_1400081BC(v15 + 1);
LABEL_25:Buf1[0] = v16;v36 = v14;v37 = v15;memcpy(v16, v13 + 2, v14);*(v16 + v14) = 0;
LABEL_26:v19 = -1i64;Buf2[0] = 77;Buf2[1] = (v32[0] - 1) ^ 1;Buf2[2] = (v32[1] - 2) ^ 2;Buf2[3] = (v32[2] - 3) ^ 3;Buf2[4] = (v32[3] - 4) ^ 4;Buf2[5] = (v32[4] - 5) ^ 5;Buf2[6] = (v32[5] - 6) ^ 6;Buf2[7] = (v32[6] - 7) ^ 7;v42[0] = (v32[7] - 8) ^ 8;v42[1] = (v32[8] - 9) ^ 9;v42[2] = (v32[9] - 10) ^ 0xA;do++v19;while ( Buf2[v19] );v20 = Buf1;v21 = v14;if ( v15 > 0xF )v20 = v16;if ( v19 < v14 )v21 = v19;LODWORD(v22) = memcmp(v20, Buf2, v21);if ( !v22 ){if ( v14 >= v19 )v22 = v14 > v19;elseLODWORD(v22) = -1;}if ( v15 > 0xF ){v23 = v16;if ( v15 + 1 >= 0x1000 ){v16 = *(v16 - 1);if ( (v23 - v16 - 8) > 0x1F )
LABEL_56:invalid_parameter_noinfo_noreturn();}j_j_free(v16);}if ( !v22 ){flOldProtect[0] = 0;VirtualProtect(v11, 8ui64, 4u, flOldProtect);*v11 = sub_140001470;}++v11;ModuleHandleA = v38;v12 = *++v33;if ( !*v33 ){v10 = v34;goto LABEL_44;}}v15 = 0x7FFFFFFFFFFFFFFFi64;v17 = 0x8000000000000027ui64;
LABEL_20:v18 = sub_1400081BC(v17);if ( !v18 )goto LABEL_56;v16 = ((v18 + 39) & 0xFFFFFFFFFFFFFFE0ui64);*(v16 - 1) = v18;goto LABEL_25;}
LABEL_45:v24 = 440i64;v25 = v39;do{v26 = 0i64;v43[0] = _mm_load_si128(&xmmword_14000AC40);v43[2] = _mm_load_si128(&xmmword_14000AC50);v43[1] = _mm_load_si128(&xmmword_14000AB10);v43[4] = _mm_load_si128(&xmmword_14000AC30);v43[3] = _mm_load_si128(&xmmword_14000AD20);v43[6] = _mm_load_si128(&xmmword_14000AC10);v43[5] = _mm_load_si128(&xmmword_14000ABB0);v43[8] = _mm_load_si128(&xmmword_14000ABF0);v43[7] = _mm_load_si128(&xmmword_14000AB60);v43[10] = _mm_load_si128(&xmmword_14000AD30);v43[9] = _mm_load_si128(&xmmword_14000AD40);v43[12] = _mm_load_si128(&xmmword_14000ABE0);v43[11] = _mm_load_si128(&xmmword_14000AD10);v43[14] = _mm_load_si128(&xmmword_14000AC70);v43[13] = _mm_load_si128(&xmmword_14000AC20);v43[16] = _mm_load_si128(&xmmword_14000AB20);v43[15] = _mm_load_si128(&xmmword_14000AB30);v43[18] = _mm_load_si128(&xmmword_14000AB90);v43[17] = _mm_load_si128(&xmmword_14000AC60);LODWORD(v43[20]) = 22;v27 = 0;*(&v43[20] + 4) = 0i64;*(&v43[24] + 4) = 0i64;*(&v43[21] + 4) = 0i64;HIDWORD(v43[24]) = 0;*(&v43[22] + 4) = 0i64;*(&v43[23] + 4) = 0i64;v43[19] = _mm_load_si128(&xmmword_14000AC00);do{v28 = _mm_loadu_si128((v43 + 4 * v26));v26 += 4;v27 += 16;*&v39[4 * v26 + 992] = _mm_xor_ps(si128, v28);*&v39[4 * v26 + 1008] = _mm_xor_ps(_mm_loadu_si128(&v39[4 * v26 + 1008]), si128);*&flOldProtect[v26] = _mm_xor_ps(_mm_loadu_si128(&flOldProtect[v26]), si128);*&v42[4 * v26] = _mm_xor_ps(_mm_loadu_si128(&v42[4 * v26]), si128);}while ( v27 < 0x60 );if ( v27 < 0x64 ){v26 = v43 + v26;do{*v26++ ^= 0x66u;++v27;}while ( v27 < 0x64 );}sub_1400024A0(v26, LODWORD(v43[0]));*v25++ = (MessageBoxA(0i64, &byte_14000A758, &byte_14000A748, 4u) & 1) == 0;--v24;}while ( v24 );for ( i = 0i64; i < 440; i += 8i64 ){sub_140001070(&v44[v5 / 4], 0x3E8ui64, "%02x");v5 += 8;}v44[55] = 0;memset(v43, 0, 0x3E8ui64);sub_140001290(v44, v43);if ( !memcmp(v43,"1YmNkZTN2QmNmdjM3kTNmZTZ2UzN2YTN3ITNmZzN2YWNmZDN2YmNlZTN1YmN2YTO2UmNxYzY2M2N5UjZ3QjN4YTM2UmNidTO2Y2N1UjZ3gjN5Y""TM2Y2N3YTM2UmN3cDN2YmNlZzN3gzN1YTN3QG=",0x94ui64) ){v30 = &unk_14000A840;}else{MessageBoxW(0i64, &word_14000A998, L"BOOB", 0);v30 = L"I_AM_NOT_EXIT_HOPE_YOU_CAN_BE_BETTER_SEE_YOU_AGAIN_JUST_LIKE_I_WAS_BEING_REPLACED";}MessageBoxW(0i64, v30, L"BOOB", 0);return 0;
}

二，记忆中的时光机

00055EEFC204018这报红了，

不对，P可以，但报更多红了。

好像又只能看汇编了

通过在栈上存放地址，每次执行一段操作后，读栈上保存的地址并跳转，实现函数内的控制流。动态调试一下 check 函数第一次 jmp 后可以知道 flag 长度为 48 走到 enc 被调用处，edi 寄存器是用户输入的字符串指针，esi 寄存器是即将比对的字符下标，每次调用 enc 将加密一个字符，手动记录关键，额，不是太懂。

edi = (char*)Input
esi = (int)Idx
r10 = esi
esi += 6
r11 = (char*)Key
r8d = (char)Input[Idx]
r8d ^= esi
r8d ^= 0x66
r8d -= 6
r9d = (char)Key[Idx]
r8d ^= r9d
eax = r8d

#include <stdio.h>unsigned char ans[] ={0x69, 0x58, 0x61, 0x63, 0x67, 0x4C, 0x4D, 0x32, 0x98, 0x20,0x4D, 0x51, 0x7B, 0x25, 0x75, 0x51, 0xA3, 0x58, 0x60, 0x72,0x42, 0x62, 0x67, 0x66, 0x37, 0x6C, 0x30, 0x46, 0x66, 0x4F,0x5D, 0x03, 0x5D, 0xA4, 0x66, 0x01, 0x43, 0x68, 0x7D, 0x7C,0x55, 0x4F, 0x7A, 0x3F, 0x6C, 0x12, 0x21, 0x09};const char *key = "i_have_get_shell_but_where_is_you_my_dear_baby!!";int main() {for (int i = 0; i < 48; i++) {ans[i] ^= key[i];ans[i] += 6;ans[i] ^= 0x66;ans[i] ^= (i + 6);}printf(ans);return 0;
}

三，简爱

又不晓得什么问题，包括文件路径不正确、文件格式不受支持、调试器插件配置错误等

zsh: exec format error: ./简爱

file '/root/Desktop/简爱'
/root/Desktop/简爱: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped

给出的是可重定位目标文件（只编译了、没有链接），链接一下

最好先改成英文的，中文字符串是国标码，打印出来全是问号

对几个字符串的复制与引用很混乱（问了出题人发现是因为用了栈上的可变长度数组），动态调试才知道每一处分别用的是哪个地址的字符串 TEA 是骗人的，真正的加密逻辑在 howtolove 函数（参数是用户输入原样），密文需要与 fake flag 一致，z3 梭了

好像还是一个vm题，啊！

四，相逢已是上上签

好像又是16位的，拖ida，也打不开。用010分析一下

发现这并不是一个16位的程序，他有标准的PE头的不知道哪里被魔改了，打开一个正常的PE文件看一下：

对照修改一下：看见30h行的C位00被改成了10

成功了。

int __cdecl main(int argc, const char **argv, const char **envp)
{int v4; // [esp+8h] [ebp-50h]int i; // [esp+Ch] [ebp-4Ch]int v6[8]; // [esp+10h] [ebp-48h]char Str[4]; // [esp+30h] [ebp-28h] BYREFint v8; // [esp+34h] [ebp-24h]int v9; // [esp+38h] [ebp-20h]int v10; // [esp+3Ch] [ebp-1Ch]int v11; // [esp+40h] [ebp-18h]int v12; // [esp+44h] [ebp-14h]int v13; // [esp+48h] [ebp-10h]int v14; // [esp+4Ch] [ebp-Ch]char v15; // [esp+50h] [ebp-8h]*(_DWORD *)Str = 0;v8 = 0;v9 = 0;v10 = 0;v11 = 0;v12 = 0;v13 = 0;v14 = 0;v15 = 0;v6[0] = 0x66697271;v6[1] = 0x896E2285;v6[2] = 0xC5188C1B;v6[3] = 0x72BCFD03;v6[4] = 1400902090;v6[5] = 0x4DA146AC;v6[6] = 0x86630D6B;v6[7] = 0xF89797F0;print("Please enter your key:");scan("%s", &key);if ( 532 * *(&key + 5) + 829 * *(&key + 4) + 258 * *(&key + 3) + 811 * *(&key + 2) + 997 * *(&key + 1) + 593 * key == 292512&& 576 * *(&key + 5) + 695 * *(&key + 4) + 602 * *(&key + 3) + 328 * *(&key + 2) + 686 * *(&key + 1) + 605 * key == 254496&& 580 * *(&key + 5) + 448 * *(&key + 4) + 756 * *(&key + 3) + 449 * *(&key + 2) + (*(&key + 1) << 9) + 373 * key == 222479&& 597 * *(&key + 5) + 855 * *(&key + 4) + 971 * *(&key + 3) + 422 * *(&key + 2) + 635 * *(&key + 1) + 560 * key == 295184&& 524 * *(&key + 5) + 324 * *(&key + 4) + 925 * *(&key + 3) + 388 * *(&key + 2) + 507 * *(&key + 1) + 717 * key == 251887&& 414 * *(&key + 5) + 495 * *(&key + 4) + 518 * *(&key + 3) + 884 * *(&key + 2) + 368 * *(&key + 1) + 312 * key == 211260 ){print(&unk_41B19C);}else{_loaddll(0);}print("Please enter your flag:");scan("%s", Str);if ( strlen(Str) != 32 ){print("Wrong length\n");_loaddll(0);}v4 = (int)strlen(Str) / 4;sub_401000((int)Str, v4);for ( i = 0; i < v4; ++i ){if ( v6[i] != *(_DWORD *)&Str[4 * i] ){print("Wrong!!!\n");_loaddll(0);}}print("congratulations\n");sub_40B48E("pause");return 0;
}

先z3求出key：XYCTF ，然后还有一个重要函数

int __cdecl sub_401000(_DWORD *a1, int a2)
{int v2; // ecxint v3; // eaxint v4; // edxint result; // eaxint v6; // [esp+4h] [ebp-1Ch]int v7; // [esp+Ch] [ebp-14h]unsigned int v8; // [esp+10h] [ebp-10h]unsigned int v9; // [esp+18h] [ebp-8h]unsigned int i; // [esp+1Ch] [ebp-4h]if ( a2 > 1 ){v7 = 52 / a2 + 6;v8 = 0;v9 = a1[a2 - 1];do{v8 -= 1640531527;v6 = (v8 >> 2) & 5;for ( i = 0; i < a2 - 1; ++i ){v2 = ((v9 ^ key[v6 ^ i & 5]) + (a1[i + 1] ^ v8)) ^ (((16 * v9) ^ (a1[i + 1] >> 3))+ ((4 * a1[i + 1]) ^ (v9 >> 5)));v3 = a1[i];a1[i] = v2 + v3;v9 = v2 + v3;}v4 = (((v9 ^ key[v6 ^ i & 5]) + (*a1 ^ v8)) ^ (((16 * v9) ^ (*a1 >> 3)) + ((4 * *a1) ^ (v9 >> 5)))) + a1[a2 - 1];a1[a2 - 1] = v4;result = v4;v9 = v4;--v7;}while ( v7 );}return result;
}

#include <stdio.h>
#define u32 unsigned int
char* Key = "XYCTF!";
void sub_401000(u32 *a1, int a2)
{int v2;          // ecxint v3;          // eaxint v4;          // edxint v5;          // [esp+4h] [ebp-1Ch]int v6;          // [esp+Ch] [ebp-14h]unsigned int v7; // [esp+10h] [ebp-10h]unsigned int v8; // [esp+18h] [ebp-8h]unsigned int i;  // [esp+1Ch] [ebp-4h]if (a2 > 1){v6 = 52 / a2 + 6;v7 = 0;v8 = a1[a2 - 1];do{v7 -= 0x61C88647;v5 = (v7 >> 2) & 5;for (i = 0; i < a2 - 1; ++i){v2 = ((v8 ^ Key[v5 ^ i & 5]) + (a1[i + 1] ^ v7)) ^ (((16 * v8) ^ (a1[i + 1] >> 3)) + ((4 * a1[i + 1]) ^ (v8 >> 5)));v3 = a1[i];a1[i] = v2 + v3;v8 = v2 + v3;}v4 = (((v8 ^ Key[v5 ^ i & 5]) + (*a1 ^ v7)) ^ (((16 * v8) ^ (*a1 >> 3)) + ((4 * *a1) ^ (v8 >> 5)))) + a1[a2 - 1];a1[a2 - 1] = v4;v8 = v4;--v6;} while (v6);}
}
void decrypt(u32 *a1, int a2)
{int v5;          // [esp+4h] [ebp-1Ch]int v6;          // [esp+Ch] [ebp-14h]unsigned int v7; // [esp+10h] [ebp-10h]unsigned int v8; // [esp+18h] [ebp-8h]int i;  // [esp+1Ch] [ebp-4h]if (a2 > 1){v7 = (-0x61C88647) * (52 / a2 + 6);for (v6 = 0; v6 < 52 / a2 + 6; ++v6){v5 = (v7 >> 2) & 5;for (i = a2 - 1; i >= 0; --i){v8 = a1[(i - 1 + a2) % a2];a1[i] -= ((v8 ^ Key[v5 ^ i & 5]) + (a1[(i + 1) % a2] ^ v7)) ^ (((16 * v8) ^ (a1[(i + 1) % a2] >> 3)) + ((4 * a1[(i + 1) % a2]) ^ (v8 >> 5)));}v7 += 0x61C88647;}}
}
int main() {int v6[8];v6[0] = 1718186609;v6[1] = -1989270907;v6[2] = -988247013;v6[3] = 1924988163;v6[4] = 1400902090;v6[5] = 1302415020;v6[6] = -2040328853;v6[7] = -124282896;decrypt(v6, 8);printf("%s\n", v6);return 0;
}

总体来说，这四个题都很难，还有很多还没搞懂。这年头，舔狗都不好当了。