本文为看雪论坛优秀
看雪论坛作者ID:/x01 文章
一
逻辑分析
总结
1、前端为c#编写,如果输入的id和code满足条件就调用dll中的CheckCode进行判断,并且程序存在反调试功能。
2、dll中的CheckCode先将输入进行加密,之后和某32字节的数据进行比较。
二
动态调试
反调试
三
外层逻辑判断
array=[7,90,115,1,117,99,114,97,24]
id=array
code=list(b'))baa!!!(@@###qq')
for i in range(len(code)):
id[i%9]=code[i]^id[i%9]
idstr=''
for i in range(9):
idstr+=chr(id[i])
print(idstr)
四
CheckCode逻辑
for(int i=0;i<32;i++){
keyexpantion(key)
AES_CBC(code,key,iv)
iv=SubBytes(iv)
key^=iv
key=SbuBytes(key)
iv^=key
}
最后比较用的字节。
五
exp
from Crypto.Cipher import AES
sbox = [[0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76],
[0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0],
[0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15],
[0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75],
[0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84],
[0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF],
[0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8],
[0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2],
[0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73],
[0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB],
[0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79],
[0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08],
[0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A],
[0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E],
[0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF],
[0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]]
def SubBytes(state):
return [sbox[i][j] for i,j in [(t>>4,t&0xf) for t in state]]
def Bytesxor(data1,data2):
data1=list(data1)
data2=list(data2)
res=[]
for i in range(len(data1)):
res.append(data1[i]^data2[i])
return bytearray(res)
key=bytearray(b'x29x23xBEx84xE1x6CxD6xAEx52x90x49xF1xF1xBBxE9xEB')
iv=bytearray(b'xB3xA6xDBx3Cx87x0Cx3Ex99x24x5Ex0Dx1Cx06xB7x47xDE')
keyarray=[]
keyarray.append(key)
ivarray=[]
ivarray.append(iv)
data=b'xF6x1CxE3xD7xF9xFBx0Bx1Ax8BxA2x1DxD8x97x94x05xC4x6Dx97xE7x62xB6x7CxEFx9Ax88x1BxA4x4DxFDxB0xE4x6E'
for i in range(31):
iv=bytearray(SubBytes(iv))
key=Bytesxor(key, iv)
key=bytearray(SubBytes(key))
keyarray.append(key)
iv=Bytesxor(key, iv)
ivarray.append(iv)
keyarray.reverse()
ivarray.reverse()
print(len(keyarray))
for i in range(32):
key=keyarray[i]
iv=ivarray[i]
aes=AES.new(bytes(key), AES.MODE_CBC,bytes(iv))
data=aes.decrypt(data)
print(data)
'''
iv=subbytes(iv)
key=key^iv
key=subbytes(key)
iv^=key
'''
'''
key
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
1B C5 C5 A8 42 4F 43 09 43 E8 0B 3C 0B C9 3B 42
26 27 03 37 AE 17 98 5E 1D 76 5D 86 52 D4 15 5D
20 56 F3 DF E4 A7 7E E5 70 68 69 D5 70 F7 F9 C9
'''
看雪ID:/x01
https://bbs.pediy.com/user-home-929564.htm
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
原文始发于微信公众号(看雪学苑):GKCTF2021 KillerAid
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论