2022-11-17
<h1>🌓Tea today, work tomorrow</h1>
<h2>🌙Analysis</h2>
<p><img src="https://pic.imgdb.cn/item/6376642d16f2c2beb1233ba6.png" alt="" /> </p>
<p>The main logic is simple: <code>byte_40a01c</code> is the ciphertext, which can be pulled out with IDAPython.</p>
<pre><code class="language-python">from idc import get_wide_byte  # IDAPython; idc is already in scope inside IDA

start = 0x40A01C  # byte_40a01c
end = 0x40A048    # 44 bytes of ciphertext
li = []
for i in range(end - start):
    li.append(get_wide_byte(start + i))
print(li)</code></pre>
<p><img src="https://pic.imgdb.cn/item/6376678b16f2c2beb1286dea.png" alt="" /> </p>
<p>Almost all of the logic sits inside the encryption routine.</p>
<p><img src="https://pic.imgdb.cn/item/6376653016f2c2beb124d6fa.png" alt="" /> </p>
<p>From the structure of the encryption I recognised it as XXTEA, so I wrote an XXTEA decryption function straight from an online reference, but the decrypted data came out as garbage, which meant something was wrong. I stepped through the encryption in x32dbg; at first I did not use SharpOD, and I saw no change at all.</p>
<p><img src="https://pic.imgdb.cn/item/637669ad16f2c2beb12c7ab6.png" alt="" /> </p>
<p>But the program contains this statement, so anti-debugging must have been added. With SharpOD enabled, I found that the third argument gets changed.</p>
<p><img src="https://pic.imgdb.cn/item/637665fd16f2c2beb1260d89.png" alt="" /> </p>
<p>When no debugger is detected, it first executes the following function.</p>
<p><img src="https://pic.imgdb.cn/item/63766bf516f2c2beb1314000.png" alt="" /> </p>
<p>It then calls this function, which completes the data replacement.</p>
<p><img src="https://pic.imgdb.cn/item/63766c3f16f2c2beb1319330.png" alt="" />
Changing the third argument in the script to <code>0x74746561</code> is all that is needed.</p>
<h2>🌙Exploit</h2>
<pre><code class="language-cpp">#include <stdio.h>
#include <stdint.h>

/* Modified XXTEA: the constant is 0x74746561 instead of 0x9E3779B9, the mixing term
   uses z >> 6 instead of z >> 5, and the "key" is a single 32-bit value whose four
   bytes are indexed the way XXTEA indexes key[e ^ (p & 3)]. */
void decrypt(uint32_t *v, int n, int key) {
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    rounds = 6 + 52 / n;
    sum = rounds * key;  /* key equals the constant here, so this is the usual seed */
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--) {
            z = v[p - 1];
            y = v[p] -= ((z >> 6 ^ y * 4) + (y >> 3 ^ z * 16)) ^ ((sum ^ y) + (*((char *)&key + (e ^ (p & 3))) ^ z));
        }
        z = v[n - 1];
        y = v[0] -= ((z >> 6 ^ y * 4) + (y >> 3 ^ z * 16)) ^ ((sum ^ y) + (*((char *)&key + (e ^ (p & 3))) ^ z));
        sum -= 0x74746561;
    } while (--rounds);
}

int main() {
    /* 44 ciphertext bytes from byte_40a01c; unsigned so values above 127 are not narrowed */
    unsigned char en[] = {3, 35, 34, 47, 54, 136, 253, 67, 33, 232, 91, 101, 49, 30, 59, 166, 75, 184, 220, 136, 128, 25, 132, 111, 151, 114, 33, 38, 173, 100, 238, 187, 136, 4, 77, 6, 47, 38, 229, 107, 129, 75, 245, 115};
    decrypt((uint32_t *)en, 44 >> 2, 0x74746561);  /* third argument: the value seen after the swap */
    for (int i = 0; i < 44; i++) {
        printf("%c", en[i]);
    }
    printf("\n");
    return 0;
}</code></pre>
<p><img src="https://pic.imgdb.cn/item/63766a8016f2c2beb12e86cd.png" alt="" /> </p>
<p><img src="https://pic.imgdb.cn/item/63766a9416f2c2beb12eba0d.png" alt="" /></p>
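<p>As an added example (not code from the original writeup), the same modified XXTEA reimplemented in Python together with its forward direction, so the reconstruction of the variant (0x74746561 as both the constant and the sum seed, z shifted right by 6 in the mixing term, key bytes read from a single 32-bit value through a char pointer) can be checked by an encrypt/decrypt round trip before trusting its output. The function names and the encrypt routine are mine; the ciphertext list is the one extracted above.</p>

```python
import struct

MASK = 0xFFFFFFFF
DELTA = KEY = 0x74746561  # recovered constant (standard XXTEA delta is 0x9E3779B9); equals the swapped-in key
CIPHERTEXT = bytes([  # 44 bytes at byte_40a01c, as extracted with the IDAPython snippet
    3, 35, 34, 47, 54, 136, 253, 67, 33, 232, 91, 101, 49, 30, 59, 166, 75, 184, 220, 136,
    128, 25, 132, 111, 151, 114, 33, 38, 173, 100, 238, 187, 136, 4, 77, 6, 47, 38, 229,
    107, 129, 75, 245, 115])

def _key_bytes(key):
    # the C code reads *((char *)&key + i): little-endian bytes, sign-extended as signed char
    return [((b - 256) if b >= 128 else b) & MASK for b in key.to_bytes(4, "little")]

def _mx(s, y, z, p, e, kb):
    # mixing term of the variant: z >> 6 where standard XXTEA has z >> 5
    return ((((z >> 6) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))) & MASK) ^ \
           (((s ^ y) + (kb[e ^ (p & 3)] ^ z)) & MASK)

def decrypt(data, key=KEY):
    n = len(data) // 4
    v = list(struct.unpack("<%dI" % n, data[:n * 4]))
    kb, rounds = _key_bytes(key), 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]  # the C exploit seeds sum with key, which equals DELTA
    while rounds:
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(s, y, z, p, e, kb)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(s, y, z, 0, e, kb)) & MASK
        s = (s - DELTA) & MASK
        rounds -= 1
    return struct.pack("<%dI" % n, *v)

def encrypt(data, key=KEY):
    # forward direction (my addition) so decrypt() can be validated by a round trip
    n = len(data) // 4
    v = list(struct.unpack("<%dI" % n, data[:n * 4]))
    kb, rounds = _key_bytes(key), 6 + 52 // n
    s, z = 0, v[n - 1]
    while rounds:
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(s, y, z, p, e, kb)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, kb)) & MASK
        rounds -= 1
    return struct.pack("<%dI" % n, *v)
```

<p><code>decrypt(CIPHERTEXT)</code> reproduces what the C exploit prints; the round trip is what confirms the variant was reconstructed correctly rather than just producing printable bytes by chance.</p>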
<h2>🌙References</h2>
<p><a href="https://www.showdoc.com.cn/zepor/9572993373408272">https://www.showdoc.com.cn/zepor/9572993373408272</a></p>
<h2>🌙Attachments</h2>
<p>Attachment: <a href="https://cowtransfer.com/s/e43e6eb08c224d">https://cowtransfer.com/s/e43e6eb08c224d</a>
exp: <a href="https://cowtransfer.com/s/d47f602534f94a">https://cowtransfer.com/s/d47f602534f94a</a></p>