sus-unpackme

peid查壳upx壳,尝试手动脱壳。然而对着教程发现,用od载入时我的od载入的一开始并不是push ad,也就一直没有办法脱壳。百度了接近半个晚上才知道,原来虚拟机里用od时不要把要载入的文件放在共享文件夹里,否则就会出现这种状况,把unpackme.exe拖到虚拟机文件夹里后脱壳成功。

定位到关键函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
pdwDataLen = 16;
if ( a2 == 514 )
{
v4 = GetParent(hWnd);
v5 = GetDlgItemTextA(v4, 101, &String, 63);
if ( v5 )
{
phProv = 0;
phHash = 0;
if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000)
|| !CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash)
|| !CryptHashData(phHash, (const BYTE *)&String, v5, 0)
|| !CryptGetHashParam(phHash, 2u, (BYTE *)pbData, &pdwDataLen, 0) )
{
ExitProcess(1u);
}
CryptDestroyHash(phHash);
CryptReleaseContext(phProv, 0);
v7 = pbData;
v8 = dword_4128A0;
v9 = 12;
while ( *(_DWORD *)v7 == *v8 )
{
v7 += 4;
++v8;
v10 = v9 < 4;
v9 -= 4;
if ( v10 )
{
v11 = String;
v12 = 0;
v13 = 3;
v14 = 2;
do
{
*(&Text + v12) = v11 ^ byte_410A80[v12] ^ pbData[v12 & 0xF];
*(&v23 + v12) = v11 ^ byte_410A81[v12] ^ pbData[((_BYTE)v14 - 1) & 0xF];
v15 = byte_410A80[v14] ^ pbData[v14 & 0xF];
v14 += 4;
*(&v24 + v13 - 3) = v11 ^ v15;
v16 = byte_410A80[v13] ^ pbData[v13 & 0xF];
v13 += 4;
v25[v12] = v11 ^ v16;
v12 += 4;
}
while ( v14 < 0x22 );
if ( v12 < 0x80 )
{
*(&Text + v12) = 0;
MessageBoxA(hWnd, &Text, "Flag is", 0x40u);
ExitProcess(0);
}
__report_rangecheckfailure();
__debugbreak();
JUMPOUT(*(_DWORD *)algn_40BDCF);
}
}
MessageBoxA(hWnd, "Wrong answer", "HACKMECTF", 0x10u);
}
else
{
MessageBoxA(hWnd, "Say something!", "HACKMECTF", 0x10u);
}
}
return MEMORY[0](hWnd, a2, a3, a4);

Text处存放的就是flag

赋值语句:

*(&Text + v12) = v11 ^ byte_410A80[v12] ^ pbData[v12 & 0xF]

v11是输入的string,pbData可以在上面发现就是dword_4128A0处的值,由v12 < 0x80可以知道flag的长度不超过0x20位,爆破脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import string
byte_410a80 = [0x1A, 0x8B, 0x24, 0x28, 0x58, 0x37, 0xAC, 0x52, 0x53, 0xB5,
0x1E, 0x3E, 0x4A, 0x25, 0x4A, 0x27, 0x6B, 0xB2, 0x17, 0x01,
0x03, 0x0B, 0xF4, 0x14, 0x00, 0xF1, 0x61, 0x70, 0x0C, 0x55,
0x20, 0x7A]
pbData = [0x34, 0xAF, 0x0D, 0x07, 0x4B, 0x17, 0xF4, 0x4D, 0x1B, 0xB9,
0x39, 0x76, 0x5B, 0x02, 0x77, 0x6F]
for i in string.printable:
a = ord(i)
flag = ""
for a1 in range(0,0x20):
flag += chr(a ^ byte_410a80[a1] ^ pbData[a1&0xf])
if ~flag.find("FLAG"):
print flag

如果flag中有”FLAG”的话,flag.find()返回的是“FLAG”所在的下标0。所以加上取反号,就可以打印出flag。

文章目录
|