文件md5:85C0D584982424D0890F5A82046A05E1
混淆:
.text:004010DD 74 03 jz short near ptr loc_4010E1+1
.text:004010DF 75 01 jnz short near ptr loc_4010E1+1
.text:004010E1
.text:004010E1 loc_4010E1: ; CODE XREF: sub_401080+5D↑j
.text:004010E1 ; sub_401080+5F↑j
.text:004010E1 E3 C7 jecxz short near ptr loc_4010A7+3
裏邊有幾處像這樣的混淆：jz 與 jnz 跳到同一個目標 loc_4010E1+1，兩條合起來就是一個無條件跳轉，而且跳進了下一條「指令」的中間——E3 這個位元組只是填充的垃圾，IDA 把它和後面的 C7 一起解成了 jecxz，之後的反彙編就全錯了。手工把這些位置全部 patch 成 NOP（0x90）。
偏移 493h,長度  Ch,替換爲0x90
偏移 4DDh,長度  5h,替換爲0x90
偏移 526h,長度  5h,替換爲0x90
偏移 5D6h,長度 16h,替換爲0x90
（這裏寫的是檔案偏移：4DDh 正好對應上面的 .text:004010DD，也就是 .text 的檔案偏移 400h 映射到 VA 401000h。5 個位元組剛好是 74 03 75 01 E3，patch 掉之後原本被 E3 吞掉的 C7 就成爲下一條真正指令的第一個位元組，與 jz/jnz 的跳轉目標一致。）
替換之後就可以F5看代碼了
/*
 * Hex-Rays output of the input check, after NOP-patching the jz/jnz junk-byte
 * obfuscation.  Reads a string, pushes it through a 64-round transform in
 * 8-byte chunks and compares the 48-byte result with the table at unk_402134.
 *
 * sub_401F00 is apparently a 64-bit shift helper: the low dword comes back in
 * eax and the high dword is left in edx, which is why v3/v4 ("// edx") appear
 * uninitialised below -- they are the decompiler's name for that edx value
 * (the Python model of this routine treats the call as `<< 1`).
 *
 * a1/a2/a3 are just ebx/edi/esi passed through to sub_401369; their meaning
 * is not visible here.  Returns whatever puts() returned.
 */
int __usercall sub_401080@<eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
{
    int v3; // edx   -- high dword left in edx by sub_401F00 (decompiler artefact)
    int v4; // edx
    int result; // eax
    signed int j; // [esp+14h] [ebp-74h]
    signed int i; // [esp+18h] [ebp-70h]
    signed int k; // [esp+18h] [ebp-70h]
    __int64 v9; // [esp+1Ch] [ebp-6Ch]   -- the 8-byte chunk currently being transformed
    int Buf1; // [esp+24h] [ebp-64h]     -- start of the 48-byte output buffer (Buf1 + v11)
    int v11[11]; // [esp+28h] [ebp-60h]
    int Dst; // [esp+54h] [ebp-34h]      -- start of the 48-byte input buffer (Dst + v13)
    int v13[11]; // [esp+58h] [ebp-30h]

    memset(&Dst, 0, 0x30u);
    memset(&Buf1, 0, 0x30u);
    printf_401020("please input string:");
    /* SECURITY: "%s" has no width limit, so input longer than the 48-byte
     * buffer at Dst overruns the stack frame (classic stack overflow).
     * scanf_401050 is presumably a scanf wrapper; the format string is all
     * that is visible here. */
    scanf_401050("%s", &Dst);
    /* Strip a trailing '\n'.  Note the loop scans 64 bytes although Dst is only
     * 0x30 (48) bytes: indices 48..63 are already past the buffer, and from
     * 0x34 (52) on they land on what is presumably the saved ebp / return
     * address.  IDA rendered the constant 48 (0x30) as the character '0'. */
    for ( i = 0; i < 64; ++i )
    {
        if ( *((_BYTE *)&Dst + i) == 10 )
        {
            if ( i >= (unsigned int)'0' )   /* '0' == 0x30 == size of the Dst buffer */
                sub_401369(a1, a2, a3);     /* reached only when the newline lies outside Dst */
            *((_BYTE *)&Dst + i) = 0;
            break;
        }
    }
    /* Six 8-byte chunks; each gets 64 rounds of: shift left by one and, if the
     * chunk was negative as a signed __int64 (bit 63 set), also xor with the
     * 64-bit constant 0xAABBCCDDEEFF0102 (split here into its two halves). */
    for ( j = 0; j < 6; ++j )
    {
        LODWORD(v9) = *(&Dst + 2 * j);
        HIDWORD(v9) = v13[2 * j];
        for ( k = 0; k < 64; ++k )
        {
            if ( v9 >= 0 )                  /* signed compare == test of bit 63 */
            {
                LODWORD(v9) = sub_401F00(v9, 1u);
                HIDWORD(v9) = v4;           /* high half of the shifted value (edx) */
            }
            else
            {
                LODWORD(v9) = sub_401F00(v9, 1u) ^ 0xEEFF0102;  /* low half of the constant */
                HIDWORD(v9) = v3 ^ 0xAABBCCDD;                  /* high half of the constant */
            }
        }
        *(&Buf1 + 2 * j) = v9;
        v11[2 * j] = HIDWORD(v9);
    }
    /* 0x30 bytes == 6 chunks * 8 bytes; unk_402134 holds the expected output. */
    if ( !memcmp(&Buf1, &unk_402134, 0x30u) )
        result = puts("great~");
    else
        result = puts("wrong");
    return result;
}
用python表示就是:
#nIn 64位的整型值（一段 8 個位元組，小端序轉成的整數）
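def calc(nIn, poly=0xAABBCCDDEEFF0102, rounds=64):
    """Model of the binary's per-chunk transform (the inner loop of sub_401080).

    Each round shifts the 64-bit value left by one bit; if the bit shifted
    out (bit 63) was set, the result is additionally xor-ed with ``poly``.
    That is one step of a Galois LFSR with feedback constant ``poly``; the
    binary runs 64 such steps on each 8-byte chunk of the input.

    Args:
        nIn: the chunk as an integer (see ``str_2_hex``); expected < 2**64.
        poly: feedback constant, 0xAABBCCDDEEFF0102 in this binary.
        rounds: number of LFSR steps, 64 in this binary.

    Returns:
        The transformed value, masked to 64 bits.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    top_bit = 0x8000000000000000
    for _ in range(rounds):
        # The decompiled code tests `v9 >= 0` on a signed __int64, i.e. bit 63.
        if nIn < top_bit:
            nIn = (nIn << 1) & mask
        else:
            nIn = ((nIn << 1) ^ poly) & mask
    return nIn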
完整腳本如下。這題用爆破應該是不行的：crack_3 那四段每段 8 個字元全部未知，62 個字元取 8 個約有 10^14 個候選，純 Python 跑不完。注意每一輪都是「左移一位，若移出的最高位爲 1 則再 xor 固定常數 0xAABBCCDDEEFF0102」，這正是 Galois LFSR 的一步，整個變換在 GF(2) 上是線性的，所以這應該是 CTF 中的 LFSR 類題目，應當用線性代數（把 64 輪合成一個 64×64 的 GF(2) 矩陣來解方程組）而不是爆破。另外該常數的最低位是 0，這個變換並不是一對一的（例如 0 和 0xD55DE66EF77F8081 經一輪都變成 0），解方程組時可能得到多個解，要再用可打印字元來篩選。參考：
https://www.anquanke.com/post/id/181811
import itertools
import binascii
import string
#print string.ascii_letters
#print string.digits
def str_2_hex(strIn):
    """Pack a string into an integer, little-endian (first char = lowest byte).

    ``"12345678"`` becomes ``0x3837363534333231``; the empty string gives 0.
    This mirrors how the binary picks up each 8-byte chunk of the input
    buffer as a 64-bit value.
    """
    # Position i contributes ord(c) * 256**i, exactly like the reversed
    # multiply-and-add loop it replaces.
    return sum(ord(ch) << (8 * pos) for pos, ch in enumerate(strIn))
#print hex(str_2_hex("12345678"))
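def calc(nIn, poly=0xAABBCCDDEEFF0102, rounds=64):
    """Model of the binary's per-chunk transform (the inner loop of sub_401080).

    Each round shifts the 64-bit value left by one bit; if the bit shifted
    out (bit 63) was set, the result is additionally xor-ed with ``poly``.
    That is one step of a Galois LFSR with feedback constant ``poly``; the
    binary runs 64 such steps on each 8-byte chunk of the input.

    Args:
        nIn: the chunk as an integer (see ``str_2_hex``); expected < 2**64.
        poly: feedback constant, 0xAABBCCDDEEFF0102 in this binary.
        rounds: number of LFSR steps, 64 in this binary.

    Returns:
        The transformed value, masked to 64 bits.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    top_bit = 0x8000000000000000
    for _ in range(rounds):
        # The decompiled code tests `v9 >= 0` on a signed __int64, i.e. bit 63.
        if nIn < top_bit:
            nIn = (nIn << 1) & mask
        else:
            nIn = ((nIn << 1) ^ poly) & mask
    return nIn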
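def crack_1(prefix="flag{", alphabet=string.ascii_letters + string.digits,
            length=3, target=0xa69c5da152ecb616):
    """Brute-force the first 8-byte chunk of the flag.

    The first qword of the expected table unk_402134 is the bytes
    16 B6 EC 52 A1 5D 9C A6, i.e. 0xa69c5da152ecb616 little-endian.  With the
    known prefix ``"flag{"`` only three characters are unknown, so an
    exhaustive search (62**3 candidates) is cheap.  Known answer: ``flag{26a``.

    Args:
        prefix: fixed leading characters of the chunk.
        alphabet: characters tried for each unknown position.
        length: number of unknown characters (len(prefix) + length == 8).
        target: expected ``calc`` output for the chunk.

    Returns:
        The first matching 8-character string (also printed), or None when
        the search space is exhausted.
    """
    # itertools.product, not permutations: permutations never repeats a
    # character, so a chunk such as "flag{aab" could never have been found.
    for tail in itertools.product(alphabet, repeat=length):
        candidate = prefix + ''.join(tail)
        if calc(str_2_hex(candidate)) == target:
            print(candidate)
            return candidate
    return None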
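def crack_2(suffix="}", alphabet=string.ascii_lowercase, length=7,
            target=0x9529B17F6662FE9C):
    """Brute-force the last 8-byte chunk of the flag.

    The last qword of unk_402134 is 9C FE 62 66 7F B1 29 95, i.e.
    0x9529B17F6662FE9C little-endian.  Assuming the flag is exactly 48
    characters and ends in ``"}"``, seven characters are unknown.  The
    alphabet was narrowed to lowercase letters (the original note also lists
    digits); even so, 26**7 candidates is not realistic for pure Python.

    Args:
        suffix: fixed trailing characters of the chunk.
        alphabet: characters tried for each unknown position.
        length: number of unknown characters (length + len(suffix) == 8).
        target: expected ``calc`` output for the chunk.

    Returns:
        The first matching 8-character string (also printed together with
        its ``calc`` value), or None -- after printing ``none`` -- when the
        search space is exhausted.
    """
    print("crack_2")
    # product rather than permutations so that repeated characters are tried.
    for head in itertools.product(alphabet, repeat=length):
        candidate = ''.join(head) + suffix
        t = calc(str_2_hex(candidate))
        if t == target:
            print("%s 0x%x" % (candidate, t))
            return candidate
    print("none")
    return None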
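if __name__ == "__main__":
    # NOTE: this call sits before crack_3 is even defined and searches billions
    # of candidates, so as written the script never gets past it.  Guarded so
    # that importing this file (e.g. to reuse calc/str_2_hex) does not start it.
    crack_2()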
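def crack_3(alphabet=string.ascii_letters + string.digits, length=8,
            targets=(0x5002A5E1E58C440C, 0x352270404B74BB00,
                     0x1EC46AF12A0BA396, 0x4F71013CE8DDEDA6)):
    """Brute-force the four middle 8-byte chunks of the flag (chunks 1..4).

    The targets are the 2nd..5th qwords of unk_402134, little-endian::

        0C 44 8C E5 E1 A5 02 50 -> 0x5002A5E1E58C440C
        00 BB 74 4B 40 70 22 35 -> 0x352270404B74BB00
        96 A3 0B 2A F1 6A C4 1E -> 0x1EC46AF12A0BA396
        A6 ED DD E8 3C 01 71 4F -> 0x4F71013CE8DDEDA6

    Nothing is known about these chunks, so all eight characters are free:
    62**8 (about 2e14) candidates, which is not feasible by exhaustive search
    in Python.  This function documents the approach; the transform itself
    is linear over GF(2) and should be solved algebraically instead.

    Args:
        alphabet: characters tried for each position.
        length: chunk length in characters (8 for this binary).
        targets: expected ``calc`` outputs to look for.

    Returns:
        dict mapping each target that was hit to the first 8-character
        preimage found for it (each hit is also printed); the search stops as
        soon as every target has been found.
    """
    wanted = set(targets)
    found = {}
    # product rather than permutations so that repeated characters are tried.
    for chars in itertools.product(alphabet, repeat=length):
        candidate = ''.join(chars)
        t = calc(str_2_hex(candidate))
        if t in wanted:
            print("%s 0x%x" % (candidate, t))
            found[t] = candidate
            wanted.discard(t)
            if not wanted:
                break
    return found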
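if __name__ == "__main__":
    # Guarded so importing the file does not start a ~2e14-candidate search.
    crack_3()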