March 21, 2022

De1CTF2019-Re_Sign

0x00 日常查壳

UPX 壳,用工具直接脱脱不掉,改用 ESP 定律手动脱

(详细可见 UPX 壳分析)

image-20220321134136748

0x01 sub_401000

通过调试发现输入的地方在401000函数

逻辑还是挺乱的,不过慢慢调试就能看出关键的几个函数在干什么(我不理解这是经过了什么混淆)

/*
 * sub_401000 — IDA decompilation of the routine that reads the user's
 * input and reports "Success" / "Fail" (aSuccess / aFail below).
 *
 * Flow visible in this listing: read the input (lp) -> transform it with
 * sub_401233 (a base64-style encode with a custom alphabet, per the notes
 * in this write-up) -> sub_401F0A decides pass/fail -> release the objects.
 *
 * sub_402BA0 / sub_402E40 / sub_402F80 / sub_402258 / sub_403220 are
 * runtime helpers whose bodies are not shown; what is said about them
 * below is inferred only from how they are called here.  The "// eax" and
 * "// [esp+…]" comments are the decompiler's register / stack-slot notes.
 */
int sub_401000()
{
char *v0; // eax
char *v1; // eax
HANDLE v2; // eax
char *v4; // [esp+0h] [ebp-14h]
char *v5; // [esp+4h] [ebp-10h]
void *v6; // [esp+8h] [ebp-Ch] BYREF
void *v7; // [esp+Ch] [ebp-8h] BYREF
void *lp; // [esp+10h] [ebp-4h]

v7 = 0;
lp = sub_402BA0(1, 0, 0, 0); // reads the flag input
v0 = (char *)lp;
if ( !lp )
v0 = &byte_41E300; // fallback buffer used when no input came back (its contents are not shown here)
v6 = (void *)sub_402E40(1, (int)v0, 0, 0x80000004); // wraps the raw input; 0x80000004 is a type/flag constant whose meaning is not recoverable from this listing
v5 = sub_401233(&v6); // base64-style transform of the flag, but with a custom (non-standard) alphabet
if ( v6 )
sub_402258(v6); // sub_402258 is called on every object before it is dropped — presumably a release/free routine; verify
v1 = v5;
if ( !v5 )
v1 = &byte_41E300; // same fallback as above when the transform returned nothing
v4 = sub_402F80(1, COERCE_DOUBLE((unsigned __int64)v1), 0x80000004); // COERCE_DOUBLE is a decompiler artifact: the pointer travels through a parameter typed as double
if ( v5 )
sub_402258(v5);
if ( v7 )
sub_402258(v7); // always 0 at this point (set above), so this is dead here
v7 = v4; // v7 now holds the transformed string that the check below inspects
if ( sub_401F0A((char **)&v7) ) // checks the flag
sub_403220(2u, 0, 0, 0, (char)aSuccess);
else
sub_403220(2u, 0, 0, 0, (char)aFail);
v2 = sub_402BA0(1, 0, 0, 0); // second call to the input routine; its result is released right away
if ( v2 )
sub_402258(v2);
if ( lp )
sub_402258(lp);
if ( v7 )
sub_402258(v7);
return 0;
}

因为看到后面有 base64 加密的痕迹,所以大致可以判断这几个函数里有 base64 加密,但不是标准加密,而是变表

image-20220321141310708

sub_401233

只能说里面乱得不得了,到处翻了一遍,发现在这里可以找到码表

image-20220321141028110

0x02 sub_401F0A

这里是判断flag的地方,大略阅读可以得知长度为48

比较关键的是这里,v33 是我们的输入加密后的 base64,v19 是密文

image-20220321141736218

FindIndex

第一次传入的是 'E',每次调用都会压入标准的 base64 码表

; Tail of FindIndex (its entry is not part of this excerpt).  It pushes the
; standard base64 alphabet among the arguments to sub_403500, then returns.
; Per the debugging notes in this write-up, FindIndex returns (index + 1),
; e.g. 5 for 'E'.
UPX0:00402190 loc_402190:                             ; CODE XREF: FindIndex+29↑j
UPX0:00402190 push eax                               ; arguments for the sub_403500 call below
UPX0:00402191 push 80000004h                         ; same type/flag constant seen in the sub_401000 listing
UPX0:00402196 push 0
UPX0:00402198 push offset aAbcdefghijklmn_0 ; "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm"... ; standard base64 table
UPX0:0040219D push 4
UPX0:004021A2 mov ebx, 148h
UPX0:004021A7 call sub_403500
UPX0:004021AC add esp, 34h                           ; caller pops 0x34 bytes — more than the 5 dwords pushed here, so further arguments were presumably pushed before loc_402190
UPX0:004021AF jmp $+5                                ; 0x4021AF + 5 = 0x4021B4: falls straight into loc_4021B4
UPX0:004021B4 ; ---------------------------------------------------------------------------
UPX0:004021B4
UPX0:004021B4 loc_4021B4: ; CODE XREF: FindIndex+4F↑j
UPX0:004021B4 mov esp, ebp                           ; epilogue: tear down the frame
UPX0:004021B6 pop ebp
UPX0:004021B7 retn 4                                 ; return, popping one dword of arguments

通过多次调试可以发现,会返回数组下标 + 1

就比如第一个字符是E,返回的是5

image-20220321141958387

0x03 GetFlag!

返回之后再和 v19 对比,我们把 v19 里的数组拿出来,直接逆回去即可

  1. 按标准 base64 表下标减 1 恢复出经过变表加密的 flag
  2. 拿变表解密字符串
  3. GetFlag!
#include <stdio.h>
#include <string.h>

/* Standard base64 alphabet, 65 entries ('=' at index 64), deliberately not
 * NUL-terminated.  FindIndex returns (index into this table) + 1, so the
 * solver below indexes it with input[i] - 1. */
static char Base64Code[] =
{
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x',
'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', '+', '/', '='
};
/* Custom alphabet recovered from sub_401233 (see the notes above); the
 * binary encodes with this table instead of the standard one.  It is a
 * string literal, so 64 symbols plus a terminating NUL; only the first 64
 * entries are ever searched. */
static unsigned char CBase64Code[] = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm+/";

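/*
 * Solver: turns the ciphertext v19 (from sub_401F0A) back into the flag.
 *
 *   1. undo FindIndex's "+1" and look the index up in Base64Code, which
 *      yields the custom-alphabet base64 text the binary produced;
 *   2. map each character to its 6-bit value through CBase64Code;
 *   3. regroup sextets into bytes (standard base64, 4 -> 3).
 *
 * Returns 0 and prints the flag on stdout; returns 1 with a message on
 * stderr if a value is outside either alphabet (the original silently
 * carried such values through and produced garbage instead).
 */
int main(void)
{
    /* Each byte is FindIndex's result for one character of the encoded
     * input, i.e. (index into Base64Code) + 1, so valid values are 1..65. */
    unsigned char input[] =
    {
        0x8, 0x3B, 0x1, 0x20, 0x7, 0x34, 0x9, 0x1F, 0x18, 0x24, 0x13, 0x3, 0x10, 0x38, 0x9, 0x1B, 0x8, 0x34, 0x13, 0x2, 0x8, 0x22, 0x12, 0x3, 0x5, 0x6, 0x12, 0x3, 0xF, 0x22, 0x12, 0x17, 0x8, 0x1, 0x29, 0x22, 0x6, 0x24, 0x32, 0x24, 0xF, 0x1F, 0x2B, 0x24, 0x3, 0x15
    };
    const size_t len = sizeof input / sizeof input[0];
    /* 4 sextets give 3 bytes; a trailing partial group of r sextets gives
     * r*6/8 whole bytes.  For 46 sextets that is 33 + 1 = 34 bytes. */
    const size_t out_len = (len / 4) * 3 + ((len % 4) * 6) / 8;
    char flag[sizeof input];   /* out_len <= len, so this always fits */
    size_t i, j;

    /* Step 1: undo the +1 and recover the custom-alphabet base64 text. */
    for (i = 0; i < len; i++) {
        if (input[i] == 0 || input[i] > sizeof Base64Code) {
            fprintf(stderr, "input[%zu] = 0x%02x is not a valid (index + 1)\n",
                    i, (unsigned)input[i]);
            return 1;
        }
        input[i] = (unsigned char)Base64Code[input[i] - 1];
    }

    /* Step 2: character -> 6-bit value through the custom alphabet.  A miss
     * used to leave the raw character in place and corrupt the decode
     * silently; fail loudly instead. */
    for (i = 0; i < len; i++) {
        const unsigned char *hit = memchr(CBase64Code, input[i], 64);
        if (hit == NULL) {
            fprintf(stderr, "character '%c' is not in the custom alphabet\n",
                    input[i]);
            return 1;
        }
        input[i] = (unsigned char)(hit - CBase64Code);
    }

    /* Step 3: standard base64 bit regrouping, consuming only sextets that
     * exist.  The original stepped j by 4 while j < len and, because 46 is
     * not a multiple of 4, read input[len] and input[len + 1] for the last
     * group — an out-of-bounds read whose garbage then showed up in the
     * printed flag. */
    unsigned int acc = 0;
    int bits = 0;
    for (i = 0, j = 0; j < len; j++) {
        acc = (acc << 6) | input[j];   /* unsigned: wrap is harmless, only the low bits are used */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            flag[i++] = (char)((acc >> bits) & 0xFF);
        }
    }

    /* i == out_len here; print exactly the decoded bytes rather than a
     * hard-coded 36 (the original's last two characters were the garbage
     * from the over-read). */
    (void)out_len;
    fwrite(flag, 1, i, stdout);
    putchar('\n');
    return 0;
}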

GetFlag!

image-20220321142651699

