参考:
https://bbs.pediy.com/thread-251371.htm
qiutruth@qiutruth-virtual-machine:~$ ps -ef | grep hide
qiutruth@qiutruth-virtual-machine:~$ pmap -d 4253
4253: ./hide
地址 Kbytes Mode Offset Device Mapping
0000000000400000 808 r-x-- 0000000000000000 000:00000 [ anon ]
00000000004ca000 2040 ----- 0000000000000000 000:00000 [ anon ]
00000000006c8000 20 rwx-- 0000000000000000 000:00000 [ anon ]
0000000000800000 4 rwx-- 0000000000000000 000:00000 [ anon ]
00000000017b5000 140 rwx-- 0000000000000000 000:00000 [ anon ]
00007fff8c79e000 132 rwx-- 0000000000000000 000:00000 [ stack ]
00007fff8c7d1000 12 r---- 0000000000000000 000:00000 [ anon ]
00007fff8c7d4000 8 r-x-- 0000000000000000 000:00000 [ anon ]
ffffffffff600000 4 r-x-- 0000000000000000 000:00000 [ anon ]
mapped: 3168K writeable/private: 296K shared: 0K
qiutruth@qiutruth-virtual-machine:~$ sudo dd if=/proc/$(pidof hide)/mem of=hide_dump1 skip=4194304 bs=1c count=827392
qiutruth@qiutruth-virtual-machine:~$ file hide_dump1
hide_dump1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, missing section headers
qiutruth@qiutruth-virtual-machine:~$ sudo dd if=/proc/$(pidof hide)/mem of=hide_dump2 skip=7110656 bs=1c count=1277952
qiutruth@qiutruth-virtual-machine:~$ file hide_dump2
hide_dump2: data
qiutruth@qiutruth-virtual-machine:~$ cat hide_dump1 hide_dump2 >hide_dump
qiutruth@qiutruth-virtual-machine:~$ file hide_dump
hide_dump: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
拷贝这两段的原因是它们属于程序的可执行段;至于如何准确判断我还没想明白,是看有执行权限并且位于4GB内存空间以内吗?
静态分析
查看字符串,关键字符串有两处索引
输入格式为qwb{}
分析正确分支
ida没有将其识别成一个函数,同时注意到程序通过sys_read、sys_write进行输入输出
若在0x4C8EC2处create function,F5后的结果会很奇怪;改在与输入存储变量unk_6CCDB0有关的0x4C8EF4处create function
// IDA decompilation of the flag check at 0x4C8EF4.
// Reads the user input stored at unk_6CCDB0 (filled by an earlier sys_read),
// runs three cipher/XOR passes over the 16 bytes after "qwb{", compares them
// with the reference bytes at qword_4C8CB0, then issues sys_write and
// sys_exit. The function never returns to a caller: the declared return
// value (60) is just the syscall number left in rax.
signed __int64 sub_4C8EF4()
{
_BYTE *v0; // rdi -- cursor over the transformed input bytes
__int64 *v1; // rsi -- cursor over the reference bytes at qword_4C8CB0
unsigned __int64 v2; // rdx -- count of leading bytes that matched (0..16)
signed __int64 result; // rax
// Format check: 21 characters, bytes 1..3 == "wb{" and byte 20 == '}'.
// Byte 0 is not tested in this decompiled code; the writeup gives the
// expected format as qwb{...}.
if ( strlen((const char *)&unk_6CCDB0) == 21 // length
&& *((_BYTE *)&unk_6CCDB0 + 1) == 'w'
&& *((_BYTE *)&unk_6CCDB0 + 2) == 'b'
&& *((_BYTE *)&unk_6CCDB0 + 3) == '{'
&& *((_BYTE *)&unk_6CCDB0 + 20) == '}' )
{
// Three alternating passes: XTEA-like block transform (sub_4C8CC0) followed
// by an XOR pass (sub_4C8E50), all in place on the 16 bytes at &unk_6CCDB4
// (i.e. the payload after "qwb{").
sub_4C8CC0(&unk_6CCDB4); // the string after qwb{, XTEA variant
sub_4C8E50(&unk_6CCDB4); // XOR
sub_4C8CC0(&unk_6CCDB4);
sub_4C8E50(&unk_6CCDB4);
sub_4C8CC0(&unk_6CCDB4);
v0 = &unk_6CCDB4;
sub_4C8E50(&unk_6CCDB4);
v1 = qword_4C8CB0;
v2 = 0LL;
// Byte-wise compare of the 16 transformed bytes against qword_4C8CB0,
// stopping at the first mismatch.
// NOTE(review): v2 (the match count) is not consumed anywhere in the
// decompiled output below; the branch that selects the success/failure
// message is presumably in the asm the decompiler dropped around the
// sys_write -- confirm in the disassembly.
while ( v2 < 0x10 && *v0 == *(_BYTE *)v1 )
{
++v2;
++v0;
v1 = (__int64 *)((char *)v1 + 1);
}
}
__asm { syscall; LINUX - sys_write }
result = 60LL; // 60 == __NR_exit on x86-64; rax carries the syscall number
__asm { syscall; LINUX - sys_exit }
return result;
}
分析sub_4C8CC0
^、>>、+=delta 这种运算组合像TEA
// IDA decompilation of the transform at 0x4C8CC0: an XTEA-style Feistel
// cipher applied in place to two 8-byte blocks (16 bytes) starting at a1.
// a1: address of the 16-byte buffer; it is overwritten with the output.
// Returns the stack-canary XOR (0 when the canary is intact); the caller in
// sub_4C8EF4 ignores it.
__int64 __fastcall sub_4C8CC0(__int64 a1)
{
__int64 result; // rax
unsigned __int64 v2; // rt1
unsigned int v3; // [rsp+18h] [rbp-48h] -- left half (v0) of the current block
__int64 v4; // [rsp+1Ch] [rbp-44h] -- low dword: right half (v1); high dword: running sum
signed int i; // [rsp+24h] [rbp-3Ch] -- block index, 0..1
signed int j; // [rsp+28h] [rbp-38h] -- round index, 0..7
int v7; // [rsp+40h] [rbp-20h] -- key[0]
int v8; // [rsp+44h] [rbp-1Ch] -- key[1]
int v9; // [rsp+48h] [rbp-18h] -- key[2]
int v10; // [rsp+4Ch] [rbp-14h] -- key[3]; v7..v10 are contiguous and indexed as key[x & 3]
unsigned __int64 v11; // [rsp+58h] [rbp-8h] -- stack canary saved from fs:0x28
v11 = __readfsqword(0x28u);
// 128-bit key as four 32-bit words (decimal constants as recovered from the binary).
v7 = 1883844979;
v8 = 1165112144;
v9 = 2035430262;
v10 = 861484132;
for ( i = 0; i <= 1; ++i ) // two 64-bit blocks
{
v3 = *(_DWORD *)(8 * i + a1);
v4 = *(unsigned int *)(a1 + 4 + 8 * i); // zero-extended, so the sum in HIDWORD(v4) starts at 0
for ( j = 0; j <= 7; ++j ) // 8 rounds per block (reference XTEA uses 32 cycles)
{
// XTEA step: v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]).
// BYTE4(v4) & 3 is the low byte of the sum masked to two bits, i.e. sum & 3.
// The 64-bit arithmetic on v4 is truncated to 32 bits by the += into v3, so
// the high (sum) dword does not leak into the result.
v3 += (*(&v7 + (BYTE4(v4) & 3)) + HIDWORD(v4)) ^ ((((unsigned int)v4 >> 5) ^ 16 * v4) + v4);
// sum += delta. The delta is 0x676E696C rather than XTEA's 0x9E3779B9;
// its bytes read "ling" when stored little-endian.
HIDWORD(v4) += 0x676E696C;
// XTEA step: v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]).
// Only the low dword of v4 is assigned, so the sum is preserved.
LODWORD(v4) = ((*(&v7 + ((HIDWORD(v4) >> 11) & 3)) + HIDWORD(v4)) ^ (((v3 >> 5) ^ 16 * v3) + v3)) + v4;
}
*(_DWORD *)(a1 + 8 * i) = v3; // write back v0
*(_DWORD *)(a1 + 4 + 8 * i) = v4; // write back v1 (low dword of v4)
}
// Stack-protector epilogue: re-read the canary and compare with the saved copy;
// on mismatch control goes to loc_4C8B9A (presumably the __stack_chk_fail path -- verify).
v2 = __readfsqword(0x28u);
result = v2 ^ v11;
if ( v2 != v11 )
result = ((__int64 (*)(void))loc_4C8B9A)();
return result;
}
后面按着参考链接的步骤来
最后的结果注意file输出的是小端还是大端,LSB即低字节存低地址、高字节存高地址
qwb{f1Nd_TH3HldeC0dE}