careful

看到 第一个 gethostbyname 下断进name 得到值 “welcome_t0_dasctf.com”
第二个 gethostbyname name的值 “Just_An_APIH00k11.com”
两种方法

#include <windows.h>
#include <iostream>


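/*
 * Replay the per-byte XOR that the target applies to the first hostname
 * ("welcome_t0_dasctf.com", seen at the first gethostbyname breakpoint)
 * to obtain the second one.  The key table below is lifted from the
 * disassembly; a 0x00 entry means the byte passes through unchanged
 * (position 7, '_', and the trailing ".com").
 *
 * Expected output, matching what the second breakpoint showed:
 *   Just_An_APIH00k11.com
 */
static void xor_in_place(char *buf, const unsigned char *key, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        buf[i] = (char)(buf[i] ^ key[i]);
    }
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    char name[] = "welcome_t0_dasctf.com";
    /* One key byte per character of `name` (21 bytes, NUL excluded). */
    static const unsigned char key[sizeof name - 1] = {
        0x3D, 0x10, 0x1F, 0x17, 0x30, 0x2C, 0x0B, 0x00,
        0x35, 0x60, 0x16, 0x2C, 0x51, 0x43, 0x08, 0x45,
        0x57, 0x00, 0x00, 0x00, 0x00
    };

    xor_in_place(name, key, sizeof name - 1);
    std::cout << name;   /* no trailing newline, as in the original */
    return 0;
}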

md5一下 f18566f93963f72f463fdfa2d163c37c
wireshark抓取网络

babyRe

动调一下发现函数被更改了 并且还发现多余的资源 cod
主exe下 StartAddress_0 动调过程发现 xor

v6[0] = -9;
v6[1] = 46;
v6[2] = 52;
v6[3] = -16;
v6[4] = 114;
v6[5] = -49;
v6[6] = 94;
v6[7] = 10;
v6[8] = -69;
v6[9] = -20;
v6[10] = -79;
v6[11] = 43;
v6[12] = 112;
v6[13] = -120;
v6[14] = -120;
v6[15] = -19;
v6[16] = 70;
v6[17] = 56;
v6[18] = -37;
v6[19] = -38;
v6[20] = 108;
v6[21] = -67;
v6[22] = -44;
v6[23] = 6;
v6[24] = 119;
v6[25] = -14;
v6[26] = -49;
v6[27] = 86;
v6[28] = -120;
v6[29] = -58;
v6[30] = 49;
v6[31] = -46;
v6[32] = -73;
v6[33] = 90;
v6[34] = -63;
v6[35] = 66;
v6[36] = -80;
v6[37] = -12;
v6[38] = 72;
v6[39] = 55;
v6[40] = -11;
v6[41] = 44;
v6[42] = -11;
v6[43] = 88;
puts(" ");
for ( j = 0; j < 44; ++j )
{
if ( *(char *)(a1 + j) != v6[j] )
{
sub_7FF62FAF114A((__int64)"error!\n");
exit(0);
}
}
sub_7FF62FAF114A((__int64)"get flag!");
exit(0);
}

cod 提取出来去除花指令后，把 byte_7FF644C0F000 改成

0xb3,0x6c,0x61,0xae,0x3a,0x8c,0x23,0x33,
0x80,0xd7,0x93,0x16,0x07,0xba,0xe4,0xc6,
0x27,0x52,0xb0,0xe3,0x48,0x84,0xfa,0x99,
0x08,0xcb,0xf6,0x67,0xbe,0xf6,0x00,0xf8,
0x85,0x36,0x88,0x58,0xc2,0xd0,0x04,0x53,
0xc2,0x1e,0xcb,0x29,0xa4,0x46,0x2c

提取文件还一个 RC4 伪代码

memset(v5, 0, 0x101u i64);
v10[0] = 93;
v10[1] = 66;
v10[2] = 98;
v10[3] = 41;
v10[4] = 3;
v10[5] = 54;
v10[6] = 71;
v10[7] = 65;
v10[8] = 21;
v10[9] = 54;
v11 = 0;
for (j = v15; *j; ++j)
++v11;
for (k = 0; k < 0x100; ++k)
v5[k] = k;
v8 = 0;
v7 = 0;
for (k = 0; k < 0x100; ++k)
{
v9 = (unsigned __int8)v5[k];
v7 = (v10[v8] + v9 + 2 * v7) % 0x100;
v5[k] = v5[v7];
v5[v7] = v9;
if (++v8 >= 0xA)
v8 = 0;
}
v8 = 0;
sub_1EE();
v7 = v8;
for (k = 0; ; ++k)
{
result = v11;
if (k >= v11)
break;
v7 = (v8 + v7) % 0x100;
v8 = ((unsigned __int8)v5[v7] + v8) % 0x100;
v9 = (unsigned __int8)v5[v7];
v5[v7] = v5[v8];
v5[v8] = v9;
v13 = (unsigned __int8)v5[((unsigned __int8)v5[v7] + v8 + (unsigned __int8)v5[v8]) % 0x100];
v15[k] ^= v13;
v14 = k;
v15[k] += k % 0xD;
}
return result;
}

保存一下 感觉有两种解开方法
xor 解法

#include<bits/stdc++.h>
#include<windows.h>
using namespace std;
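/*
 * Undo the transformation StartAddress_0 applies to the input before it is
 * compared with v6[].  The recovered routine does, per byte k:
 *     v15[k] ^= stream[k];  v15[k] += k % 0xD;
 * so the expected input byte is  (v6[k] - k % 0xD) ^ stream[k],  where
 * stream[] is the table read out of the de-obfuscated `cod` resource
 * (byte_7FF644C0F000).
 *
 * Only the low 8 bits matter, so everything is computed on unsigned bytes;
 * the negative int literals are just the decompiler's signed view of them.
 */
static unsigned char undo_byte(unsigned char expected, unsigned char mask, size_t k)
{
    /* Inverse order of the forward steps: subtract the index term, then XOR. */
    return (unsigned char)((unsigned char)(expected - (unsigned char)(k % 0xD)) ^ mask);
}

int main()
{
    /* Comparison constants, copied from the decompiled check loop (44 bytes). */
    static const signed char expected[44] = {
        -9, 46, 52, -16, 114, -49, 94, 10, -69, -20, -79, 43, 112, -120,
        -120, -19, 70, 56, -37, -38, 108, -67, -44, 6, 119, -14, -49, 86,
        -120, -58, 49, -46, -73, 90, -63, 66, -80, -12, 72, 55, -11, 44,
        -11, 88
    };
    /* Keystream from the cod resource.  Named `stream` because `xor` is an
     * alternative token for ^ in C++ and cannot be used as an identifier. */
    static const unsigned char stream[] = {
        0xb3,0x6c,0x61,0xae,0x3a,0x8c,0x23,0x33,
        0x80,0xd7,0x93,0x16,0x07,0xba,0xe4,0xc6,
        0x27,0x52,0xb0,0xe3,0x48,0x84,0xfa,0x99,
        0x08,0xcb,0xf6,0x67,0xbe,0xf6,0x00,0xf8,
        0x85,0x36,0x88,0x58,0xc2,0xd0,0x04,0x53,
        0xc2,0x1e,0xcb,0x29,0xa4,0x46,0x2c
    };

    for (size_t i = 0; i < sizeof expected; i++) {
        std::cout << (char)undo_byte((unsigned char)expected[i], stream[i], i);
    }
    return 0;
}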

ez_exe

python 解包
反编译 调用了部分windows API 一开始 还一部分没出来 看看字节码再推推


import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5

class _STARTUPINFO(Structure):
    # Win32 STARTUPINFOA as the recovered loader declared it for CreateProcessA.
    # The handle fields (hStd*) and lpReserved2 are c_ulong / c_char_p here,
    # which is what the decompiled bytecode contained; reproduced verbatim
    # rather than swapped for wintypes.HANDLE / LPBYTE, since the layout is
    # part of the evidence.  (Field widths presumably fit a 32-bit build — verify.)
    _fields_ = [
        ('cb', c_ulong),            # struct size; the recovered script never sets it
        ('lpReserved', c_char_p),
        ('lpDesktop', c_char_p),
        ('lpTitle', c_char_p),
        ('dwX', c_ulong),
        ('dwY', c_ulong),
        ('dwXSize', c_ulong),
        ('dwYSize', c_ulong),
        ('dwXCountChars', c_ulong),
        ('dwYCountChars', c_ulong),
        ('dwFillAttribute', c_ulong),
        ('dwFlags', c_ulong),
        ('wShowWindow', c_ushort),
        ('cbReserved2', c_ushort),
        ('lpReserved2', c_char_p),
        ('hStdInput', c_ulong),
        ('hStdOutput', c_ulong),
        ('hStdError', c_ulong)]


class _PROCESS_INFORMATION(Structure):
    # Win32 PROCESS_INFORMATION; filled in by CreateProcessA.  Only hProcess
    # is read back by the recovered script (for WaitForSingleObject).
    _fields_ = [
        ('hProcess', c_void_p),
        ('hThread', c_void_p),
        ('dwProcessId', c_ulong),
        ('dwThreadId', c_ulong)]

# Recovered loader, kept as decompiled.  Sequence: decrypt bin1 on disk ->
# spawn it -> wait for exit -> write the original (encrypted) bytes back.
StartupInfo = _STARTUPINFO()        # zero-initialised; cb is left at 0
ProcessInfo = _PROCESS_INFORMATION()
# Key = the 32 ASCII hex characters of md5(b'bin1bin1bin1').  The seed is a
# constant inside the loader, so the scheme is reversible from the script alone.
key1 = bytes(md5(b'bin1bin1bin1').hexdigest().encode())
file = open('bin1', 'rb').read()    # encrypted bytes, kept for the restore at the end
# Cyclic XOR of the key over the whole file — this is the decryption step.
arr=[key1[i%len(key1)]^file[i] for i in range(len(file))]
open('bin1', 'wb').write(bytes(arr))    # decrypted payload now sits on disk in plaintext
sleep(0)                            # no-op scheduler yield; left as recovered
# Spawn the decrypted bin1 with every optional argument zeroed; the BOOL result
# in `bet` is never checked.
bet = ctypes.windll.kernel32.CreateProcessA(b'bin1', ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), byref(StartupInfo), byref(ProcessInfo))
# c_int(-1) is INFINITE.  hProcess (c_void_p) is narrowed to c_int here —
# presumably harmless for the 32-bit build this came from; verify if re-run on 64-bit.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ProcessInfo.hProcess), ctypes.c_int(-1))
open('bin1', 'wb').write(file)      # restore: bin1 is encrypted again after the child exits

对着代码改

import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5
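def _xor_with_md5_key(data: bytes, seed: bytes) -> bytes:
    """Apply the loader's cyclic XOR to *data* and return the result.

    The key is the 32 ASCII hex characters of md5(seed), built exactly the
    way the recovered loader builds it.  XOR is its own inverse, so a single
    pass over the on-disk ciphertext yields the original file.
    """
    key = md5(seed).hexdigest().encode()
    # bytes(...) over a generator avoids materialising an intermediate list.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Decrypt bin2 in place; the loader seeds its key with b'bin2bin2bin2'.
# Note this overwrites the file — keep a copy if the ciphertext is still needed.
with open('bin2', 'rb') as fh:
    file = fh.read()

with open('bin2', 'wb') as fh:
    fh.write(_xor_with_md5_key(file, b'bin2bin2bin2'))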

import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5
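def _xor_with_md5_key(data: bytes, seed: bytes) -> bytes:
    """Apply the loader's cyclic XOR to *data* and return the result.

    The key is the 32 ASCII hex characters of md5(seed), built exactly the
    way the recovered loader builds it.  XOR is its own inverse, so a single
    pass over the on-disk ciphertext yields the original file.
    """
    key = md5(seed).hexdigest().encode()
    # bytes(...) over a generator avoids materialising an intermediate list.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Decrypt bin1 in place; the loader seeds its key with b'bin1bin1bin1'.
# Note this overwrites the file — keep a copy if the ciphertext is still needed.
with open('bin1', 'rb') as fh:
    file = fh.read()

with open('bin1', 'wb') as fh:
    fh.write(_xor_with_md5_key(file, b'bin1bin1bin1'))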

分析程序中以bin1bin1bin1的md5值作为密钥解密bin1文件 同理以bin2bin2bin2的md5值作为密钥解密bin2文件
BTEA 算法

#include <iostream>
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x7937B99E
using namespace std;
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

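/*
 * XXTEA-style block cipher (BTEA) as recovered from the target.
 *
 * Two deliberate deviations from the reference btea() that a reader should
 * not "correct":
 *  - DELTA is the page's 0x7937B99E, not the textbook 0x9E3779B9;
 *  - the encode branch runs 6 + 52/n rounds while the decode branch runs
 *    only 52/n.  The asymmetry is what reproduces the target's output
 *    (the binary presumably uses the reduced count), so it is kept as is.
 *
 * @param v    block of |n| 32-bit words, transformed in place
 * @param n    word count: n > 1 encodes, n < -1 decodes, |n| <= 1 is a no-op
 * @param key  128-bit key as four words
 */
static inline uint32_t btea_mx(uint32_t sum, uint32_t y, uint32_t z,
                               unsigned p, unsigned e, uint32_t const key[4])
{
    /* Same expression as the MX macro, but hygienic: every operand is an argument,
     * so it cannot silently pick up whatever y/z/p/e happen to be in scope. */
    return (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));
}

void btea(uint32_t* v, int n, uint32_t const key[4]) {
    uint32_t y, z, sum;
    unsigned p, rounds, e;

    if (n > 1) { /* Coding Part */
        unsigned len = (unsigned)n;
        rounds = 6 + 52 / len;
        sum = 0;
        z = v[len - 1];
        do {
            sum += DELTA;               /* uint32_t wrap-around is intended */
            e = (sum >> 2) & 3;
            for (p = 0; p < len - 1; p++) {
                y = v[p + 1];
                z = v[p] += btea_mx(sum, y, z, p, e, key);
            }
            /* p == len - 1 here, as in the reference. */
            y = v[0];
            z = v[len - 1] += btea_mx(sum, y, z, p, e, key);
        } while (--rounds);
    }
    else if (n < -1) { /* Decoding Part */
        unsigned len = (unsigned)(-n);
        rounds = 52 / len;              /* NOT 6 + 52/n — see header comment */
        sum = rounds * DELTA;
        y = v[0];
        do {
            e = (sum >> 2) & 3;
            for (p = len - 1; p > 0; p--) {
                z = v[p - 1];
                y = v[p] -= btea_mx(sum, y, z, p, e, key);
            }
            /* p == 0 here. */
            z = v[len - 1];
            y = v[0] -= btea_mx(sum, y, z, p, e, key);
        } while ((sum -= DELTA) != 0);  /* reaches 0 after exactly `rounds` iterations */
    }
}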

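/*
 * Decrypt the 11-word ciphertext lifted from the binary with the key words
 * found next to it, then print the resulting 44 bytes as text.
 */
int main()
{
    uint32_t key[4] = { 0x4b5f, 0xdead, 0x11ed, 0xb3cc };
    uint32_t v5[11] = {
        0xcc45699d, 0x683d5352, 0xb8bb71a0, 0xd3817ad, 0x7547e79e, 0x4bdd8c7c,
        0x95e25a81, 0xc4525103, 0x7049b46f, 0x5417f77c, 0x65567138
    };
    /* Derive the count from the array so the two cannot drift apart. */
    const int words = (int)(sizeof v5 / sizeof v5[0]);

    /* A negative count selects btea()'s decode branch. */
    btea(v5, -words, key);

    /* Dump the buffer byte-wise in memory order (host word byte order). */
    const unsigned char *bytes = (const unsigned char *)v5;
    for (size_t i = 0; i < sizeof v5; i++) {
        putchar(bytes[i]);
    }
    return 0;
}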