qwb2018 hide lebel:linux脱壳 / create function / XTEA变形 / 大小端

参考:
https://bbs.pediy.com/thread-251371.htm

qiutruth@qiutruth-virtual-machine:~$ ps -ef | grep hide

qiutruth@qiutruth-virtual-machine:~$ pmap -d 4253
4253:   ./hide
住址            Kbytes Mode  Offset           Device    Mapping
0000000000400000     808 r-x-- 0000000000000000 000:00000   [ anon ]
00000000004ca000    2040 ----- 0000000000000000 000:00000   [ anon ]
00000000006c8000      20 rwx-- 0000000000000000 000:00000   [ anon ]
0000000000800000       4 rwx-- 0000000000000000 000:00000   [ anon ]
00000000017b5000     140 rwx-- 0000000000000000 000:00000   [ anon ]
00007fff8c79e000     132 rwx-- 0000000000000000 000:00000   [ stack ]
00007fff8c7d1000      12 r---- 0000000000000000 000:00000   [ anon ]
00007fff8c7d4000       8 r-x-- 0000000000000000 000:00000   [ anon ]
ffffffffff600000       4 r-x-- 0000000000000000 000:00000   [ anon ]
mapped: 3168K    writeable/private: 296K    shared: 0K

qiutruth@qiutruth-virtual-machine:~$ sudo dd if=/proc/$(pidof hide)/mem of=hide_dump1 skip=4194304  bs=1c count=827392

qiutruth@qiutruth-virtual-machine:~$ file hide_dump1
hide_dump1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, missing section headers

qiutruth@qiutruth-virtual-machine:~$ sudo dd if=/proc/$(pidof hide)/mem of=hide_dump2 skip=7110656  bs=1c count=1277952

qiutruth@qiutruth-virtual-machine:~$ file hide_dump2
hide_dump2: data

qiutruth@qiutruth-virtual-machine:~$ cat hide_dump1 hide_dump2 >hide_dump

qiutruth@qiutruth-virtual-machine:~$ file hide_dump
hide_dump: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

拷贝这两段的原因是它们属于程序的可执行段;至于如何判断,我还没完全想明白,是看有执行权限 + 位于 4GB 内存空间以内吗?

静态分析

查看字符串,关键字符串有两处索引
输入格式为qwb{}

分析正确分支

IDA 没有将其识别为一个函数,同时注意到程序通过 sys_read、sys_write 进行输入输出
若在 0x4C8EC2 处 create function,F5 后的结果会很奇怪;改为在与输入存储变量 unk_6CCDB0 相关的 0x4C8EF4 处 create function

// IDA pseudocode of the flag-check routine. It inspects the global input
// buffer unk_6CCDB0 (presumably filled by the sys_read the write-up mentions;
// the read itself is not in this listing), transforms the payload in place
// and compares it against a 16-byte constant. Control never returns from
// here: the function ends in sys_write followed by sys_exit.
signed __int64 sub_4C8EF4()
{
  _BYTE *v0; // rdi
  __int64 *v1; // rsi
  unsigned __int64 v2; // rdx
  signed __int64 result; // rax

  // Format gate: total length 21 = "qwb{" (4) + 16 payload bytes + "}" (1).
  // Only bytes 1..3 and 20 are compared here; byte 0 ('q') is not checked
  // in this pseudocode.
  if ( strlen((const char *)&unk_6CCDB0) == 21 // length
    && *((_BYTE *)&unk_6CCDB0 + 1) == 'w'
    && *((_BYTE *)&unk_6CCDB0 + 2) == 'b'
    && *((_BYTE *)&unk_6CCDB0 + 3) == '{'
    && *((_BYTE *)&unk_6CCDB0 + 20) == '}' )
  {
    // unk_6CCDB4 = unk_6CCDB0 + 4, i.e. the 16 bytes after "qwb{".
    // Three passes of (XTEA variant, then XOR) are applied in place.
    sub_4C8CC0(&unk_6CCDB4); // string after "qwb{", XTEA variant
    sub_4C8E50(&unk_6CCDB4); // XOR
    sub_4C8CC0(&unk_6CCDB4);
    sub_4C8E50(&unk_6CCDB4);
    sub_4C8CC0(&unk_6CCDB4);
    v0 = &unk_6CCDB4;
    sub_4C8E50(&unk_6CCDB4);
    // Byte-wise compare of the transformed payload with the 16-byte
    // constant at qword_4C8CB0. The loop stops at the first mismatch, so
    // v2 ends as the count of leading matching bytes (0x10 == all matched).
    v1 = qword_4C8CB0;
    v2 = 0LL;
    while ( v2 < 0x10 && *v0 == *(_BYTE *)v1 )
    {
      ++v2;
      ++v0;
      v1 = (__int64 *)((char *)v1 + 1);
    }
  }
  // The decompiler dropped the register setup for the syscalls, so which
  // message is written (and whether v2 selects it) is not visible here --
  // confirm in the disassembly.
  __asm { syscall; LINUX - sys_write }
  result = 60LL; // 60 = sys_exit on x86-64 Linux
  __asm { syscall; LINUX - sys_exit }
  return result; // not reached: the exit syscall above does not return
}

分析sub_4C8CC0

有 ^、>> 和 += delta 的组合,像 TEA/XTEA

// IDA pseudocode of the XTEA-variant cipher applied to the 16 bytes at a1,
// in place, as two independent 8-byte blocks. Compared with textbook XTEA it
// runs 8 cycles per block instead of 32 and uses the delta 0x676E696C
// instead of 0x9E3779B9; the Feistel mixing and the key-index selection
// (sum & 3, then (sum >> 11) & 3) have the same shape.
//
// a1: address of a 16-byte buffer (read and overwritten as 4 dwords).
// Returns the stack-canary XOR result, which nothing here uses; the useful
// output is the modified buffer.
__int64 __fastcall sub_4C8CC0(__int64 a1)
{
  __int64 result; // rax
  unsigned __int64 v2; // rt1
  unsigned int v3; // [rsp+18h] [rbp-48h] -- XTEA "v0" word of the current block
  __int64 v4; // [rsp+1Ch] [rbp-44h] -- low dword: XTEA "v1"; high dword: running "sum"
  signed int i; // [rsp+24h] [rbp-3Ch] -- block index (0..1)
  signed int j; // [rsp+28h] [rbp-38h] -- cycle index (0..7)
  int v7; // [rsp+40h] [rbp-20h] -- key[0]; v7..v10 are addressed as a 4-word key below
  int v8; // [rsp+44h] [rbp-1Ch] -- key[1]
  int v9; // [rsp+48h] [rbp-18h] -- key[2]
  int v10; // [rsp+4Ch] [rbp-14h] -- key[3]
  unsigned __int64 v11; // [rsp+58h] [rbp-8h] -- saved fs:0x28 value (stack canary)

  v11 = __readfsqword(0x28u); // looks like the stack-protector canary; re-checked at exit
  // Key words, native (little-endian) ints; their bytes in memory read as
  // ASCII "s1Ip", "P3rE", "v3Ry", "ddY3".
  v7 = 1883844979; // 0x70493173
  v8 = 1165112144; // 0x45723350
  v9 = 2035430262; // 0x79523376
  v10 = 861484132; // 0x33596464
  for ( i = 0; i <= 1; ++i )
  {
    // Load block i: v3 = dword at a1+8i, v4 = dword at a1+8i+4 zero-extended,
    // so the high dword (sum) starts at 0 for every block.
    v3 = *(_DWORD *)(8 * i + a1);
    v4 = *(unsigned int *)(a1 + 4 + 8 * i);
    for ( j = 0; j <= 7; ++j )
    {
      // v0 += (key[sum & 3] + sum) ^ (((v1 >> 5) ^ (v1 << 4)) + v1)
      // BYTE4(v4) is the low byte of the high dword (sum), so & 3 picks key[sum & 3].
      v3 += (*(&v7 + (BYTE4(v4) & 3)) + HIDWORD(v4)) ^ ((((unsigned int)v4 >> 5) ^ 16 * v4) + v4);
      HIDWORD(v4) += 0x676E696C; // sum += delta (its little-endian bytes spell "ling")
      // v1 += (key[(sum >> 11) & 3] + sum) ^ (((v0 >> 5) ^ (v0 << 4)) + v0)
      LODWORD(v4) = ((*(&v7 + ((HIDWORD(v4) >> 11) & 3)) + HIDWORD(v4)) ^ (((v3 >> 5) ^ 16 * v3) + v3)) + v4;
    }
    // Store the two transformed words back over block i.
    *(_DWORD *)(a1 + 8 * i) = v3;
    *(_DWORD *)(a1 + 4 + 8 * i) = v4;
  }
  // Canary check: re-read fs:0x28 and compare with the value saved at entry;
  // on mismatch jump to loc_4C8B9A (presumably the stack-check-failure stub,
  // not shown here).
  v2 = __readfsqword(0x28u);
  result = v2 ^ v11;
  if ( v2 != v11 )
    result = ((__int64 (*)(void))loc_4C8B9A)();
  return result;
}

后面按着参考链接的步骤来
最后的结果要注意 file 输出的是小端还是大端:LSB 即小端,低字节存在低地址,高字节存在高地址
qwb{f1Nd_TH3HldeC0dE}
