查壳一下,64位ELF文件带UPX壳
轻车熟路脱壳,啪的一下很快啊,就脱壳失败了
给我整不会了,尝试用IDA远程调试手动脱壳也没成功
陷入僵局之时,通过查询知道可能是修改了UPX!特征字符导致无法脱壳
用01editor打开
这段很可疑,可能就是被篡改的特征字符,改成upx试试,结果还是不行
后来又看了看文件尾部,发现同样有两个QAQ!
修改后就可以脱壳了
拖到IDA64中分析
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // ecx
int v4; // edx
int i; // [rsp+1Ch] [rbp-B4h]
unsigned __int8 v7[16]; // [rsp+20h] [rbp-B0h] BYREF
__int64 v8[2]; // [rsp+30h] [rbp-A0h]
unsigned __int8 v9[16]; // [rsp+40h] [rbp-90h] BYREF
char v10[64]; // [rsp+50h] [rbp-80h] BYREF
unsigned __int8 s[58]; // [rsp+90h] [rbp-40h] BYREF
unsigned __int8 v12; // [rsp+CAh] [rbp-6h]
unsigned __int8 v13; // [rsp+CBh] [rbp-5h]
int v14; // [rsp+CCh] [rbp-4h]
v14 = 0;
memset(s, 0, 0x32uLL);
memset(v10, 0, 0x32uLL);
qmemcpy(v9, "HuangHeSanAAyycc", sizeof(v9));
v8[0] = 0x87ADCFE906761922LL;
v8[1] = 0x2C3145A9057B1DALL;
v12 = 16;
puts("Please input your flag : ");
__isoc99_scanf("%s", v7);
encode_fun(0x10u, v9, v7, s);
v13 = 0;
for ( i = 2105986346; ; i = v3 )
{
while ( 1 )
{
while ( 1 )
{
while ( i == 135243530 )
{
printf("Your input is your flag!");
i = 1394223264;
}
if ( i != 263616848 )
break;
printf("Try again!");
i = 1394223264;
}
if ( i != 919097481 )
break;
v4 = 263616848;
if ( *((unsigned __int8 *)v8 + v13) == s[v13] )
v4 = 135243530;
i = v4;
}
if ( i == 1394223264 )
break;
v3 = 1394223264;
if ( v13 < (int)v12 )
v3 = 919097481;
}
system("pause");
return 0;
}
v8数组和v9这串字符都可能很关键,经过encode_fun这个函数后再判断读入的是不是flag。
点进去看看encode_fun
有点长
void __fastcall encode_fun(unsigned __int8 a1, unsigned __int8 *a2, unsigned __int8 *a3, unsigned __int8 *a4)
{
int v4; // ecx
int v5; // ecx
int v6; // esi
int v7; // edx
int v8; // ecx
__int64 v9; // [rsp+8h] [rbp-2D8h]
__int64 v10; // [rsp+20h] [rbp-2C0h]
int v11; // [rsp+4Ch] [rbp-294h]
unsigned __int64 v12; // [rsp+50h] [rbp-290h] BYREF
unsigned __int64 v13; // [rsp+58h] [rbp-288h] BYREF
unsigned __int64 v14; // [rsp+60h] [rbp-280h] BYREF
unsigned __int64 v15[33]; // [rsp+68h] [rbp-278h] BYREF
__int64 v16[36]; // [rsp+170h] [rbp-170h] BYREF
unsigned __int64 s; // [rsp+290h] [rbp-50h] BYREF
unsigned __int64 v18; // [rsp+298h] [rbp-48h] BYREF
unsigned __int64 v19; // [rsp+2A0h] [rbp-40h] BYREF
unsigned __int64 v20; // [rsp+2A8h] [rbp-38h] BYREF
void *ptr; // [rsp+2B0h] [rbp-30h]
int v22; // [rsp+2B8h] [rbp-28h]
int v23; // [rsp+2BCh] [rbp-24h]
unsigned __int8 *v24; // [rsp+2C0h] [rbp-20h]
unsigned __int8 *v25; // [rsp+2C8h] [rbp-18h]
unsigned __int8 *v26; // [rsp+2D0h] [rbp-10h]
unsigned __int8 v27; // [rsp+2DFh] [rbp-1h]
v27 = a1;
v26 = a2;
v25 = a3;
v24 = a4;
v23 = 0;
v22 = 0;
ptr = malloc(0x32uLL);
memset(&s, 0, 0x20uLL);
memset(v16, 0, sizeof(v16));
memset(&v12, 0, 0x120uLL);
four_uCh2uLong(v26, &s);
four_uCh2uLong(v26 + 4, &v18);
four_uCh2uLong(v26 + 8, &v19);
four_uCh2uLong(v26 + 12, &v20);
v16[0] = TBL_SYS_PARAMS ^ s;
v16[1] = v18 ^ 0x56AA3350;
v16[2] = v19 ^ 0x677D9197;
v16[3] = v20 ^ 0xB27022DC;
v23 = 0;
v11 = 2105986346;
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
while ( v11 == 135243530 )
{
++v23;
v11 = 2105986346;
}
if ( v11 != 227891681 )
break;
v6 = 1034388533;
if ( v23 < 16 - v27 % 16 )
v6 = 930095792;
v11 = v6;
}
if ( v11 != 263616848 )
break;
v23 = 0;
v11 = 1285516208;
}
if ( v11 != 381793825 )
break;
v7 = 1005638776;
if ( v22 < (v27 % 16 != 0) + v27 / 16 )
v7 = 1881144313;
v11 = v7;
}
if ( v11 != 382904869 )
break;
v23 = 0;
v11 = 227891681;
}
if ( v11 != 402477600 )
break;
uLong2four_uCh(v15[32], &v24[16 * v22]);
uLong2four_uCh(v15[31], &v24[16 * v22 + 4]);
uLong2four_uCh(v15[30], &v24[16 * v22 + 8]);
uLong2four_uCh(v15[29], &v24[16 * v22 + 12]);
v11 = 1533527408;
}
if ( v11 != 919097481 )
break;
v10 = v16[v23];
v16[v23 + 4] = func_key(TBL_FIX_PARAMS[v23] ^ v16[v23 + 3] ^ v16[v23 + 2] ^ v16[v23 + 1]) ^ v10;
v11 = 135243530;
}
if ( v11 != 930095792 )
break;
*((_BYTE *)ptr + v27 + v23) = 0;
v11 = 2136672185;
}
if ( v11 == 1005638776 )
break;
switch ( v11 )
{
case 1034388533:
v22 = 0;
v11 = 381793825;
break;
case 1230639529:
v8 = 402477600;
if ( v23 < 32 )
v8 = 2131393533;
v11 = v8;
break;
case 1285516208:
v5 = 382904869;
if ( v23 < v27 )
v5 = 1394223264;
v11 = v5;
break;
case 1394223264:
*((_BYTE *)ptr + v23) = v25[v23];
v11 = 1776402855;
break;
case 1533527408:
++v22;
v11 = 381793825;
break;
case 1714646845:
++v23;
v11 = 1230639529;
break;
case 1776402855:
++v23;
v11 = 1285516208;
break;
case 1881144313:
four_uCh2uLong((unsigned __int8 *)ptr + 16 * v22, &v12);
four_uCh2uLong((unsigned __int8 *)ptr + 16 * v22 + 4, &v13);
four_uCh2uLong((unsigned __int8 *)ptr + 16 * v22 + 8, &v14);
four_uCh2uLong((unsigned __int8 *)ptr + 16 * v22 + 12, v15);
v23 = 0;
v11 = 1230639529;
break;
case 2105986346:
v4 = 263616848;
if ( v23 < 32 )
v4 = 919097481;
v11 = v4;
break;
case 2131393533:
v9 = *(&v12 + v23);
*(&v12 + v23 + 4) = func_data(v16[v23 + 4] ^ *(&v12 + v23 + 3) ^ *(&v12 + v23 + 2) ^ *(&v12 + v23 + 1)) ^ v9;
v11 = 1714646845;
break;
default:
++v23;
v11 = 227891681;
break;
}
}
free(ptr);
}
里面有func_data,func_key,TBL_FIX_PARAMS,four_uCh2uLong等等函数,敏感的师傅佬应该看出是SM4加密,我比较菜,没看出来,通过搜索才知道,按理说findcrypt应该可以识别出来,但我不知道为什么我的findcrypt没识别出来
提取出v9,解密就行,这里采用在线SM4解密
附官方WP解密脚本
点击查看
#ifndef _SM4_H_
#define _SM4_H_
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#define u8 unsigned char
#define u32 unsigned long
void four_uCh2uLong(u8* in, u32* out); //四字节转换成u32
void uLong2four_uCh(u32 in, u8* out); //u32转换成四字节
unsigned long move(u32 data, int length); //左移,保留丢弃位放置尾部
unsigned long func_key(u32 input); //先使用Sbox进行非线性变化,再将线性变换L置换为L'
unsigned long func_data(u32 input); //先使用Sbox进行非线性变化,再进行线性变换L
void print_hex(u8* data, int len); //无符号字符数组转16进制打印
void encode_fun(u8 len, u8* key, u8* input, u8* output); //加密函数
void decode_fun(u8 len, u8* key, u8* input, u8* output); //解密函数
/******************************定义系统参数FK的取值****************************************/
const u32 TBL_SYS_PARAMS[4] = {
0xa3b1bac6,
0x56aa3350,
0x677d9197,
0xb27022dc
};
/******************************定义固定参数CK的取值****************************************/
const u32 TBL_FIX_PARAMS[32] = {
0x00070e15,0x1c232a31,0x383f464d,0x545b6269,
0x70777e85,0x8c939aa1,0xa8afb6bd,0xc4cbd2d9,
0xe0e7eef5,0xfc030a11,0x181f262d,0x343b4249,
0x50575e65,0x6c737a81,0x888f969d,0xa4abb2b9,
0xc0c7ced5,0xdce3eaf1,0xf8ff060d,0x141b2229,
0x30373e45,0x4c535a61,0x686f767d,0x848b9299,
0xa0a7aeb5,0xbcc3cad1,0xd8dfe6ed,0xf4fb0209,
0x10171e25,0x2c333a41,0x484f565d,0x646b7279
};
/******************************SBox参数列表****************************************/
const u8 TBL_SBOX[256] = {
0xd6,0x90,0xe9,0xfe,0xcc,0xe1,0x3d,0xb7,0x16,0xb6,0x14,0xc2,0x28,0xfb,0x2c,0x05,
0x2b,0x67,0x9a,0x76,0x2a,0xbe,0x04,0xc3,0xaa,0x44,0x13,0x26,0x49,0x86,0x06,0x99,
0x9c,0x42,0x50,0xf4,0x91,0xef,0x98,0x7a,0x33,0x54,0x0b,0x43,0xed,0xcf,0xac,0x62,
0xe4,0xb3,0x1c,0xa9,0xc9,0x08,0xe8,0x95,0x80,0xdf,0x94,0xfa,0x75,0x8f,0x3f,0xa6,
0x47,0x07,0xa7,0xfc,0xf3,0x73,0x17,0xba,0x83,0x59,0x3c,0x19,0xe6,0x85,0x4f,0xa8,
0x68,0x6b,0x81,0xb2,0x71,0x64,0xda,0x8b,0xf8,0xeb,0x0f,0x4b,0x70,0x56,0x9d,0x35,
0x1e,0x24,0x0e,0x5e,0x63,0x58,0xd1,0xa2,0x25,0x22,0x7c,0x3b,0x01,0x21,0x78,0x87,
0xd4,0x00,0x46,0x57,0x9f,0xd3,0x27,0x52,0x4c,0x36,0x02,0xe7,0xa0,0xc4,0xc8,0x9e,
0xea,0xbf,0x8a,0xd2,0x40,0xc7,0x38,0xb5,0xa3,0xf7,0xf2,0xce,0xf9,0x61,0x15,0xa1,
0xe0,0xae,0x5d,0xa4,0x9b,0x34,0x1a,0x55,0xad,0x93,0x32,0x30,0xf5,0x8c,0xb1,0xe3,
0x1d,0xf6,0xe2,0x2e,0x82,0x66,0xca,0x60,0xc0,0x29,0x23,0xab,0x0d,0x53,0x4e,0x6f,
0xd5,0xdb,0x37,0x45,0xde,0xfd,0x8e,0x2f,0x03,0xff,0x6a,0x72,0x6d,0x6c,0x5b,0x51,
0x8d,0x1b,0xaf,0x92,0xbb,0xdd,0xbc,0x7f,0x11,0xd9,0x5c,0x41,0x1f,0x10,0x5a,0xd8,
0x0a,0xc1,0x31,0x88,0xa5,0xcd,0x7b,0xbd,0x2d,0x74,0xd0,0x12,0xb8,0xe5,0xb4,0xb0,
0x89,0x69,0x97,0x4a,0x0c,0x96,0x77,0x7e,0x65,0xb9,0xf1,0x09,0xc5,0x6e,0xc6,0x84,
0x18,0xf0,0x7d,0xec,0x3a,0xdc,0x4d,0x20,0x79,0xee,0x5f,0x3e,0xd7,0xcb,0x39,0x48
};
#endif
//4字节无符号数组转无符号long型
void four_uCh2uLong(u8* in, u32* out)
{
int i = 0;
*out = 0;
for (i = 0; i < 4; i++)
*out = ((u32)in[i] << (24 - i * 8)) ^ *out;
}
//无符号long型转4字节无符号数组
void uLong2four_uCh(u32 in, u8* out)
{
int i = 0;
//从32位unsigned long的高位开始取
for (i = 0; i < 4; i++)
*(out + i) = (u32)(in >> (24 - i * 8));
}
//左移,保留丢弃位放置尾部
u32 move(u32 data, int length)
{
u32 result = 0;
result = (data << length) ^ (data >> (32 - length));
return result;
}
//秘钥处理函数,先使用Sbox进行非线性变化,再将线性变换L置换为L'
u32 func_key(u32 input)
{
int i = 0;
u32 ulTmp = 0;
u8 ucIndexList[4] = { 0 };
u8 ucSboxValueList[4] = { 0 };
uLong2four_uCh(input, ucIndexList);
for (i = 0; i < 4; i++)
{
ucSboxValueList[i] = TBL_SBOX[ucIndexList[i]];
}
four_uCh2uLong(ucSboxValueList, &ulTmp);
ulTmp = ulTmp ^ move(ulTmp, 13) ^ move(ulTmp, 23);
return ulTmp;
}
//加解密数据处理函数,先使用Sbox进行非线性变化,再进行线性变换L
u32 func_data(u32 input)
{
int i = 0;
u32 ulTmp = 0;
u8 ucIndexList[4] = { 0 };
u8 ucSboxValueList[4] = { 0 };
uLong2four_uCh(input, ucIndexList);
for (i = 0; i < 4; i++)
{
ucSboxValueList[i] = TBL_SBOX[ucIndexList[i]];
}
four_uCh2uLong(ucSboxValueList, &ulTmp);
ulTmp = ulTmp ^ move(ulTmp, 2) ^ move(ulTmp, 10) ^ move(ulTmp, 18) ^ move(ulTmp, 24);
return ulTmp;
}
//加密函数(可以加密任意长度数据,16字节为一次循环,不足部分补0凑齐16字节的整数倍)
//len:数据长度(任意长度数据) key:密钥(16字节) input:输入的原始数据 output:加密后输出数据
void encode_fun(u8 len, u8* key, u8* input, u8* output)
{
int i = 0, j = 0;
u8* p = (u8*)malloc(50); //定义一个50字节缓存区
u32 ulKeyTmpList[4] = { 0 }; //存储密钥的u32数据
u32 ulKeyList[36] = { 0 }; //用于密钥扩展算法与系统参数FK运算后的结果存储
u32 ulDataList[36] = { 0 }; //用于存放加密数据
/***************************开始生成子秘钥********************************************/
four_uCh2uLong(key, &(ulKeyTmpList[0]));
four_uCh2uLong(key + 4, &(ulKeyTmpList[1]));
four_uCh2uLong(key + 8, &(ulKeyTmpList[2]));
four_uCh2uLong(key + 12, &(ulKeyTmpList[3]));
ulKeyList[0] = ulKeyTmpList[0] ^ TBL_SYS_PARAMS[0];
ulKeyList[1] = ulKeyTmpList[1] ^ TBL_SYS_PARAMS[1];
ulKeyList[2] = ulKeyTmpList[2] ^ TBL_SYS_PARAMS[2];
ulKeyList[3] = ulKeyTmpList[3] ^ TBL_SYS_PARAMS[3];
for (i = 0; i < 32; i++) //32次循环迭代运算
{
//5-36为32个子秘钥
ulKeyList[i + 4] = ulKeyList[i] ^ func_key(ulKeyList[i + 1] ^ ulKeyList[i + 2] ^ ulKeyList[i + 3] ^ TBL_FIX_PARAMS[i]);
}
/***********************************生成32轮32位长子秘钥结束**********************************/
for (i = 0; i < len; i++) //将输入数据存放在p缓存区
*(p + i) = *(input + i);
for (i = 0; i < 16 - len % 16; i++)//将不足16位补0凑齐16的整数倍
*(p + len + i) = 0;
for (j = 0; j < len / 16 + ((len % 16) ? 1 : 0); j++) //进行循环加密,并将加密后数据保存(可以看出此处是以16字节为一次加密,进行循环,即若16字节则进行一次,17字节补0至32字节后进行加密两次,以此类推)
{
/*开始处理加密数据*/
four_uCh2uLong(p + 16 * j, &(ulDataList[0]));
four_uCh2uLong(p + 16 * j + 4, &(ulDataList[1]));
four_uCh2uLong(p + 16 * j + 8, &(ulDataList[2]));
four_uCh2uLong(p + 16 * j + 12, &(ulDataList[3]));
//加密
for (i = 0; i < 32; i++)
{
ulDataList[i + 4] = ulDataList[i] ^ func_data(ulDataList[i + 1] ^ ulDataList[i + 2] ^ ulDataList[i + 3] ^ ulKeyList[i + 4]);
}
/*将加密后数据输出*/
uLong2four_uCh(ulDataList[35], output + 16 * j);
uLong2four_uCh(ulDataList[34], output + 16 * j + 4);
uLong2four_uCh(ulDataList[33], output + 16 * j + 8);
uLong2four_uCh(ulDataList[32], output + 16 * j + 12);
}
free(p);
}
//解密函数(与加密函数基本一致,只是秘钥使用的顺序不同,即把钥匙反着用就是解密)
//len:数据长度 key:密钥 input:输入的加密后数据 output:输出的解密后数据
void decode_fun(u8 len, u8* key, u8* input, u8* output)
{
int i = 0, j = 0;
u32 ulKeyTmpList[4] = { 0 };//存储密钥的u32数据
u32 ulKeyList[36] = { 0 }; //用于密钥扩展算法与系统参数FK运算后的结果存储
u32 ulDataList[36] = { 0 }; //用于存放加密数据
/*开始生成子秘钥*/
four_uCh2uLong(key, &(ulKeyTmpList[0]));
four_uCh2uLong(key + 4, &(ulKeyTmpList[1]));
four_uCh2uLong(key + 8, &(ulKeyTmpList[2]));
four_uCh2uLong(key + 12, &(ulKeyTmpList[3]));
ulKeyList[0] = ulKeyTmpList[0] ^ TBL_SYS_PARAMS[0];
ulKeyList[1] = ulKeyTmpList[1] ^ TBL_SYS_PARAMS[1];
ulKeyList[2] = ulKeyTmpList[2] ^ TBL_SYS_PARAMS[2];
ulKeyList[3] = ulKeyTmpList[3] ^ TBL_SYS_PARAMS[3];
for (i = 0; i < 32; i++) //32次循环迭代运算
{
//5-36为32个子秘钥
ulKeyList[i + 4] = uKleyList[i] ^ func_key(ulKeyList[i + 1] ^ ulKeyList[i + 2] ^ ulKeyList[i + 3] ^ TBL_FIX_PARAMS[i]);
}
/*生成32轮32位长子秘钥结束*/
for (j = 0; j < len / 16; j++) //进行循环加密,并将加密后数据保存
{
/*开始处理解密数据*/
four_uCh2uLong(input + 16 * j, &(ulDataList[0]));
four_uCh2uLong(input + 16 * j + 4, &(ulDataList[1]));
four_uCh2uLong(input + 16 * j + 8, &(ulDataList[2]));
four_uCh2uLong(input + 16 * j + 12, &(ulDataList[3]));
//解密
for (i = 0; i < 32; i++)
{
ulDataList[i + 4] = ulDataList[i] ^ func_data(ulDataList[i + 1] ^ ulDataList[i + 2] ^ ulDataList[i + 3] ^ ulKeyList[35 - i]);//与加密唯一不同的就是轮密钥的使用顺序
}
/*将解密后数据输出*/
uLong2four_uCh(ulDataList[35], output + 16 * j);
uLong2four_uCh(ulDataList[34], output + 16 * j + 4);
uLong2four_uCh(ulDataList[33], output + 16 * j + 8);
uLong2four_uCh(ulDataList[32], output + 16 * j + 12);
}
}
//无符号字符数组转16进制打印
void print_hex(u8* data, int len)
{
int i = 0;
char alTmp[16] = { '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f' };
for (i = 0; i < len; i++)
{
printf("%c", alTmp[data[i] / 16]);
printf("%c", alTmp[data[i] % 16]);
putchar(' ');
}
putchar('\n');
}
/*在主函数中实现任意字节加密与解密,并且结果正确*/
int main(void)
{
u8 i, len;
u8 encode_Result[50] = { 0 }; //定义加密输出缓存区
u8 decode_Result[50] = { 0 }; //定义解密输出缓存区
u8 key[16] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10 }; //定义16字节的密钥
//u8 Data_plain[18] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,0x01,0x23 };//定义18字节的原始输入数据(测试用)
//u8 Data_plain[32] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10 };//定义32字节的原始输入数据(测试用)
u8 Data_plain[16] = { 0x01,0x23,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };//定义16字节的原始输入数据(测试用)
len = 16 * (sizeof(Data_plain) / 16) + 16 * ((sizeof(Data_plain) % 16) ? 1 : 0);//得到扩充后的字节数(解密函数会用到)
decode_fun(len, key, Data_plain, decode_Result); //数据解密
printf("解密后数据是:\n");
for (i = 0; i < len; i++)
printf("%x ", *(decode_Result + i));
system("pause");
return 0;
}