安洵杯——game(混淆控制流平坦化)

最新推荐文章于 2025-02-05 15:57:26 发布
原创 最新推荐文章于 2025-02-05 15:57:26 发布 · 3.1k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。

部署运行你感兴趣的模型镜像

文章目录

查壳

在这里插入图片描述

拖进ida

main函数

 printf("input your flag:", argv, envp);
  gets(&v8);
  v10 = general_inspection((int (*)[9])sudoku);
  v7 = -1804515313;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( v7 == -2071121728 )
      {
        v4 = blank_num((int (*)[9])sudoku);
        v5 = mem_alloc(v4);
        trace(sudoku, v5, v4);
        check((int (*)[9])sudoku);
        check1(&v8);
        check3(&v8);
        v9 = 0;
        v7 = -303742386;
      }
      if ( v7 != -1804515313 )
        break;
      v3 = -2071121728;
      if ( v10 )
        v3 = 664169471;
      v7 = v3;
    }
    if ( v7 == -303742386 )
      break;
    if ( v7 == 664169471 )
    {
      printf("error");
      check((int (*)[9])sudoku);
      v9 = 0;
      v7 = -303742386;
    }
  }

分析

主函数中,需要分析的函数有general_inspection((int (*)[9])sudoku),blank_num((int (*)[9])sudoku)trace(sudoku, v5, v4);check((int (*)[9])sudoku);check1(&v8);check3(&v8);check3函数中还有个check2(a1)需要分析

general_inspection((int (*)[9])sudoku)

在这里插入图片描述

在这里插入图片描述
这里的v10一直是0,sudoku在前后也并非发生什么改变。。。忽略不计

blank_num((int (*)[9])sudoku)

代码

__int64 __fastcall blank_num(int (*a1)[9])
{
  signed int v1; // eax
  signed int v2; // eax
  signed int v3; // eax
  signed int v5; // [rsp+2Ch] [rbp-18h]
  unsigned int v6; // [rsp+30h] [rbp-14h]
  signed int v7; // [rsp+34h] [rbp-10h]
  signed int v8; // [rsp+38h] [rbp-Ch]

  v6 = 0;
  v8 = 0;
  v5 = 1046773218;
  while ( 1 )
  {
    while ( v5 == -1892951115 )
    {
      v7 = 0;
      v5 = -1048142948;
    }
    if ( v5 == -1585203536 )
      break;
    switch ( v5 )
    {
      case -1237447983:
        v5 = 1058605341;
        break;
      case -1048142948:
        v2 = -1237447983;
        if ( v7 < 9 )
          v2 = 1501457574;
        v5 = v2;
        break;
      case -1026222996:
        ++v7;
        v5 = -1048142948;
        break;
      case -516195663:
        ++v6;
        v5 = 710936108;
        break;
      case 710936108:
        v5 = -1026222996;
        break;
      case 1046773218:
        v1 = -1585203536;
        if ( v8 < 9 )
          v1 = -1892951115;
        v5 = v1;
        break;
      case 1058605341:
        ++v8;
        v5 = 1046773218;
        break;
      case 1501457574:
        v3 = 710936108;
        if ( !(*a1)[9 * v8 + v7] )
          v3 = -516195663;
        v5 = v3;
        break;
    }
  }
  return v6;
}

第一步

case 1046773218:                          
        v1 = -1585203536;                     
        if ( v8 < 9 )
          v1 = -1892951115;                    
        v5 = v1;
        break;

v8 < 9的话,就会进入-1892951115,否则进入-1585203536
我们先看v8>9的情况:

if ( v5 == -1585203536 )
      break;

直接退出。。。所以v8必须<9才出现下一步。

第二步

 while ( v5 == -1892951115 )
    {
      v7 = 0;                                   // 初始化v7
      v5 = -1048142948;
    }

这里初始化了一个v7,留心即可。

第三步

case -1048142948:
        v2 = -1237447983;                       
                                               
        if ( v7 < 9 )
          v2 = 1501457574;                     
        v5 = v2;
        break;

这里判断了v7的大小,利用v7来判断程序的执行流程,感觉应该是个for循环,
老样子,看看v7>9的情况

case -1237447983:
        v5 = 1058605341;
        break;

继续往下:

case 1058605341:
        ++v8;
        v5 = 1046773218;
        break;

这里进行了v8自增,还没看出有什么猫腻,继续往下:

v5 = 1046773218;

这不就是回到了第一步嘛?????嗯哼,回去了。.。

但是v7 < 9的话,流程进到1501457574;

第四步

case 1501457574:                         
        v3 = 710936108;                        
        if ( !(*sudoku)[9 * v8 + v7] )
          v3 = -516195663;                      
        v5 = v3;
        break;

这里为什么是v8*9+v7呢?我个人认为它把这个数组分成一个二维数组,每行是九个,v8也就代表行数,v7代表列数,当v7大于9时,那么只需要把行数+1(即v8自增,然后v7清零即可)。这个二维数组有9行9列,当行数大于9时(即v8>9时,那么就遍历完了,然后直接退出即可)

  1. 当数组中的元素值非0时
v3 = 710936108;

流程代码不用管

case 710936108:
        v5 = -1026222996;
        break;

依然是流程代码:

case -1026222996:
        ++v7;
        v5 = -1048142948;
        break;

v7自增,然后进行流程代码,往下进行。

v5 = -1048142948;

这个流程-1048142948;直接回到第三步。。灭了
2. 当数组中的元素值为0时

v3 = -516195663;

流程进到了下一步:

第五步

case -516195663:
        ++v6;
        v5 = 710936108;
        break;

这里v6++,也就是统计0的个数,

case 710936108:
        v5 = -1026222996;
        break;

这里全是流程代码,没必要分开写了

case -1026222996:
        ++v7;
        v5 = -1048142948;
        break;

紧接着流程回到第三步v5 = -1048142948;

总结

它把这个数组分成一个二维数组,每行是九个,v8也就代表行数,v7代表列数,当v7大于9时,那么只需要把行数+1(即v8自增,然后v7清零即可)。这个二维数组有9行9列,当行数大于9时(即v8>9时,那么就遍历完了,然后直接退出即可)
也就是一个遍历,然后把0的个数找出来,也就是v6自增。(v6就代表0的个数,最后返回是v6,也就是这个数组中0的个数)

trace(sudoku, v5, v4);

代码

void __fastcall trace(__int64 a1, signed int *a2, int a3)
{
  signed int v3; // eax
  signed int v4; // eax
  signed int v5; // eax
  signed int v6; // eax
  int v7; // eax
  signed int v8; // er8
  signed int v9; // eax
  signed int v10; // eax
  signed int v11; // eax
  signed int v12; // eax
  signed int v13; // [rsp+78h] [rbp-28h]
  int v14; // [rsp+7Ch] [rbp-24h]
  signed int v15; // [rsp+80h] [rbp-20h]
  signed int v16; // [rsp+84h] [rbp-1Ch]
  signed int v17; // [rsp+88h] [rbp-18h]
  int v18; // [rsp+8Ch] [rbp-14h]

  v18 = a3;
  v14 = 0;
  v13 = 671940414;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( v13 == -2124394493 )
                {
                  v4 = 338033522;
                  if ( v17 < 9 )
                    v4 = -1264962160;
                  v13 = v4;
                }
                if ( v13 != -2084617164 )
                  break;
                ++v18;
                v17 = a2[12 * v14];
                v16 = a2[12 * v14 + 1];
                v13 = 295419890;
              }
              if ( v13 != -2069701336 )
                break;
              v5 = 942378879;
              if ( v16 < 9 )
                v5 = 1672958513;
              v13 = v5;
            }
            if ( v13 != -1561315505 )
              break;
            v13 = 2016120547;
          }
          if ( v13 != -1361654796 )
            break;
          ++v16;
          v13 = -2069701336;
        }
        if ( v13 != -1289862082 )
          break;
        v13 = -1361654796;
      }
      if ( v13 != -1264962160 )
        break;
      v16 = 0;
      v13 = -2069701336;
    }
    if ( v13 == -1246113443 )
      break;
    if ( v13 == -446534017 )
    {
      v9 = 1764791757;
      if ( !a2[12 * v14 + 2] )
        v9 = 1923573299;
      v13 = v9;
    }
    else if ( v13 == -264375465 )
    {
      *(_DWORD *)(36LL * a2[12 * v14] + a1 + 4LL * a2[12 * v14 + 1]) = 0;
      ++v18;
      --v14;
      v13 = -446534017;
    }
    else if ( v13 == -127108152 )
    {
      a2[12 * v14] = v17;
      a2[12 * v14 + 1] = v16;
      v7 = findvalue(a1, &a2[12 * v14]);
      v8 = 295419890;
      *(_DWORD *)(36LL * v17 + a1 + 4LL * v16) = v7;
      if ( *(_DWORD *)(36LL * v17 + a1 + 4LL * v16) == -1 )
        v8 = 1601744610;
      v13 = v8;
    }
    else if ( v13 == 67917660 )
    {
      *(_DWORD *)(36LL * a2[12 * v14] + a1 + 4LL * a2[12 * v14 + 1]) = v15;
      a2[12 * v14 + 2 + v15] = 1;
      --a2[12 * v14 + 2];
      v13 = -2084617164;
    }
    else if ( v13 == 295419890 )
    {
      ++v14;
      v18 = v18 - 1146223301 + 1146223300;
      v13 = -1289862082;
    }
    else if ( v13 == 338033522 )
    {
      v13 = 671940414;
    }
    else if ( v13 == 376448068 )
    {
      v17 = 0;
      v13 = -2124394493;
    }
    else if ( v13 == 599244415 )
    {
      v11 = -2084617164;
      if ( v15 < 10 )
        v11 = 1332608024;
      v13 = v11;
    }
    else if ( v13 == 671940414 )
    {
      v3 = -1246113443;
      if ( v18 )
        v3 = 376448068;
      v13 = v3;
    }
    else if ( v13 == 942378879 )
    {
      v13 = 1396614849;
    }
    else if ( v13 == 1332608024 )
    {
      v12 = -1561315505;
      if ( !a2[12 * v14 + 2 + v15] )
        v12 = 67917660;
      v13 = v12;
    }
    else if ( v13 == 1396614849 )
    {
      ++v17;
      v13 = -2124394493;
    }
    else if ( v13 == 1601744610 )
    {
      *(_DWORD *)(36LL * v17 + a1 + 4LL * v16) = 0;
      --v14;
      v13 = -446534017;
    }
    else if ( v13 == 1672958513 )
    {
      v6 = -1289862082;
      if ( !*(_DWORD *)(36LL * v17 + a1 + 4LL * v16) )
        v6 = -127108152;
      v13 = v6;
    }
    else
    {
      if ( v13 == 1751405620 )
      {
        printf(aGameOver);
        exit(1);
      }
      switch ( v13 )
      {
        case 1764791757:
          v15 = 1;
          v13 = 599244415;
          break;
        case 1923573299:
          v10 = -264375465;
          if ( !v14 )
            v10 = 1751405620;
          v13 = v10;
          break;
        case 2016120547:
          ++v15;
          v13 = 599244415;
          break;
      }
    }
  }
  free(a2);
}

第一步

 else if ( v13 == 671940414 )              
    {
      v3 = -1246113443;                       
      if ( v18 )
        v3 = 376448068;
      v13 = v3;
    }

这里利用v18来控制流程,先假设反面,v18为0,v3 = -1246113443;,

 if ( v13 == -1246113443 )
      break;

好了,直接退出。,所以v18必不可能为0.

第二步

else if ( v13 == 376448068 )
    {
      i = 0;
      v13 = -2124394493;
    }

i赋值为0,然后紧接流程代码

while ( v13 == -2124394493 )
                {
                  v4 = 338033522;            
                  if ( i < 9 )
                    v4 = -1264962160;         
                  v13 = v4;
                }

判断了i值和9,先假设坏情况,i>9,v4 = 338033522;,

else if ( v13 == 338033522 )
    {
      v13 = 671940414;
    }

流程代码,直接进行下一个(好家伙,回到第一步了。回到第一步呢,紧接着就会执行第二步,也就是把i置零。):

else if ( v13 == 671940414 )               
    {
      v3 = -1246113443;                         
      if ( v18 )
        v3 = 376448068;
      v13 = v3;
    }

接下来来分析一下i<9的情况v4 = -1264962160;

第三步:

if ( v13 != -1264962160 )
        break;
      j = 0;
      v13 = -2069701336;
    }

这里给j赋值了,然后接下来是流程代码

if ( v13 != -2069701336 )
                break;
              v5 = 942378879;                  
              if ( j < 9 )
                v5 = 1672958513;              
              v13 = v5;
            }

这里判断j值,然后再来进行程序的执行,反向,j>9时v5 = 942378879;

else if ( v13 == 942378879 )
    {
      v13 = 1396614849;
    }

流程代码,继续往下:

else if ( v13 == 1396614849 )
    {
      ++i;
      v13 = -2124394493;
    }

好家伙,i自增,那么这个i就是行数,大于9然后++,盲猜下一步要把j置零。

while ( v13 == -2124394493 )
                {
                  v4 = 338033522;              
                  if ( i < 9 )
                    v4 = -1264962160;          
                  v13 = v4;
                }

这里判断了行数是否大于9,那么不大于9的话,下一步就是列数置零喽

if ( v13 != -1264962160 )
        break;
      j = 0;
      v13 = -2069701336;
    }

好了,我们继续分析,列数小于9,

 if ( j < 9 )
                v5 = 1672958513;            
              v13 = v5;
            }

流程代码,继续分析:

第四步

 else if ( v13 == 1672958513 )               
    {
      v6 = -1289862082;                      
      if ( !*(_DWORD *)(36LL * i + sudoku + 4LL * j) )
        v6 = -127108152;                        
      v13 = v6;
    }

这里又来判断元素是否为0喽。。。。假设非0,v6 = -1289862082;

if ( v13 != -1289862082 )
          break;
        v13 = -1361654796;
      }

流程代码:

if ( v13 != -1361654796 )
            break;
          ++j;
          v13 = -2069701336;
        }

也就是继续遍历下一个元素喽。直到遇到0,好了,我们假设0吧:

第五步

 else if ( v13 == -127108152 )               // step5
    {
      v5_1[12 * v14] = i;
      v5_1[12 * v14 + 1] = j;
      v7 = findvalue(sudoku, &v5_1[12 * v14]);
      v8 = 295419890;
      *(_DWORD *)(36LL * i + sudoku + 4LL * j) = v7;
      if ( *(_DWORD *)(36LL * i + sudoku + 4LL * j) == -1 )
        v8 = 1601744610;
      v13 = v8;
    }

这里把0位置的行数和列数记在一个新数组中,然后,先往下吧,v8 = 295419890;

 else if ( v13 == 295419890 )
    {
      ++v14;
      v18 = v18 - 1146223301 + 1146223300;     
      v13 = -1289862082;
    }

v14自增,然后v18自减,接着流程代码

if ( v13 != -1289862082 )
          break;
        v13 = -1361654796;
      }

流程代码,不用管,接着走。

if ( v13 != -1361654796 )
            break;
          ++j;
          v13 = -2069701336;
        }

继续遍历下一个元素,那没事了。。。。

第六步

继续下一种情况:v8 = 1601744610;

 else if ( v13 == 1601744610 )
    {
      *(_DWORD *)(36LL * i + sudoku + 4LL * j) = 0;
      --v14;
      v13 = -446534017;
    }

把数组相应位置赋0,然后v14自减。接着流程代码:

if ( v13 == -446534017 )
    {
      v9 = 1764791757;
      if ( !v5_1[12 * v14 + 2] )
        v9 = 1923573299;
      v13 = v9;
    }

此处判断所处的数组元素是否为0,为0的话v9 = 1764791757;

case 1764791757:
          v15 = 1;
          v13 = 599244415;
          break;

v15赋值1,然后流程代码

 v13 = 599244415;
          break;

流程代码,

else if ( v13 == 599244415 )
    {
      v11 = -2084617164;
      if ( v15 < 10 )
        v11 = 1332608024;
      v13 = v11;
    }

再来判断是否小于10,首先假设大于10,v11 = -2084617164;

if ( v13 != -2084617164 )
                  break;
                ++v18;
                i = v5_1[12 * v14];
                j = v5_1[12 * v14 + 1];
                v13 = 295419890;
              }

i ,j被利用数组中的值赋上,然后v18自增,紧接着流程代码:
绕回来了:

 else if ( v13 == 295419890 )
    {
      ++v14;
      v18 = v18 - 1146223301 + 1146223300;     
      v13 = -1289862082;
    }

然后假设小于10,v11 = 1332608024;

 else if ( v13 == 1332608024 )
    {
      v12 = -1561315505;
      if ( !v5_1[12 * v14 + 2 + v15] )
        v12 = 67917660;
      v13 = v12;
    }

然后判断数组元素是否为0,非零情况下:v12 = -1561315505;

 if ( v13 != -1561315505 )
              break;
            v13 = 2016120547;
          }

流程代码,继续,

 case 2016120547:
          ++v15;
          v13 = 599244415;
          break;

v15自增,流程代码:

 else if ( v13 == 599244415 )
    {
      v11 = -2084617164;
      if ( v15 < 10 )
        v11 = 1332608024;
      v13 = v11;
    }

为0情况下,v12 = 67917660;

else if ( v13 == 67917660 )
    {
      *(_DWORD *)(36LL * v5_1[12 * v14] + sudoku + 4LL * v5_1[12 * v14 + 1]) = v15;
      v5_1[12 * v14 + 2 + v15] = 1;
      --v5_1[12 * v14 + 2];
      v13 = -2084617164;
    }

改变了数组的内容,紧接着流程代码,然后回到上级

  if ( v13 != -2084617164 )
                  break;
                ++v18;
                i = v5_1[12 * v14];
                j = v5_1[12 * v14 + 1];
                v13 = 295419890;
              }

第七步(第五步的第二种情况)

v8 = 1601744610;这时流程代码如下:

 else if ( v13 == 1601744610 )
    {
      *(_DWORD *)(36LL * i + sudoku + 4LL * j) = 0;
      --v14;
      v13 = -446534017;
    }

数组元素被赋值0,v14自减,紧接着流程代码:

if ( v13 == -446534017 )
    {
      v9 = 1764791757;
      if ( !v5_1[12 * v14 + 2] )
        v9 = 1923573299;
      v13 = v9;
    }

然后又返回去了。

总结

check(int (*a1)[9])

代码

__int64 __fastcall check(int (*a1)[9])
{
  __int64 result; // rax
  signed int v2; // eax
  signed int v3; // eax
  signed int v4; // [rsp+24h] [rbp-18h]
  signed int v5; // [rsp+2Ch] [rbp-10h]
  signed int v6; // [rsp+30h] [rbp-Ch]

  v6 = 0;
  v4 = 1715923540;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( v4 == -1955732718 )
        v4 = 927738670;
      if ( v4 != -1010822917 )
        break;
      v5 = 0;
      v4 = -135298689;
    }
    result = (unsigned int)(v4 + 849866751);
    if ( v4 == -849866751 )
      break;
    switch ( v4 )
    {
      case -135298689:
        v3 = 623468669;
        if ( v5 < 9 )
          v3 = -1955732718;
        v4 = v3;
        break;
      case 623468669:
        v4 = 2055416056;
        break;
      case 927738670:
        ++v5;
        v4 = -135298689;
        break;
      case 1715923540:
        v2 = -849866751;
        if ( v6 < 9 )
          v2 = -1010822917;
        v4 = v2;
        break;
      case 2055416056:
        ++v6;
        v4 = 1715923540;
        break;
    }
  }
  return result;
}

__int64 __fastcall findvalue(__int64 a1, int *a2)

代码

__int64 __fastcall findvalue(__int64 a1, int *a2)
{
  signed int v2; // eax
  signed int v3; // eax
  signed int v4; // eax
  signed int v5; // eax
  signed int v6; // eax
  signed int v7; // eax
  signed int v8; // eax
  signed int v9; // eax
  signed int v10; // eax
  signed int v12; // [rsp+8Ch] [rbp-2Ch]
  int v13; // [rsp+90h] [rbp-28h]
  int v14; // [rsp+94h] [rbp-24h]
  signed int v15; // [rsp+98h] [rbp-20h]
  signed int v16; // [rsp+9Ch] [rbp-1Ch]
  unsigned int v17; // [rsp+B4h] [rbp-4h]

  v14 = *a2;
  v13 = a2[1];
  v16 = 0;
  v12 = -791724132;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( 1 )
                {
                  while ( 1 )
                  {
                    while ( 1 )
                    {
                      while ( 1 )
                      {
                        while ( 1 )
                        {
                          while ( 1 )
                          {
                            while ( 1 )
                            {
                              while ( 1 )
                              {
                                while ( 1 )
                                {
                                  while ( 1 )
                                  {
                                    while ( 1 )
                                    {
                                      while ( 1 )
                                      {
                                        while ( 1 )
                                        {
                                          while ( v12 == -1704444406 )
                                          {
                                            v17 = v16;
                                            v12 = 981711445;
                                          }
                                          if ( v12 != -1635553414 )
                                            break;
                                          ++v16;
                                          v12 = 1796887582;
                                        }
                                        if ( v12 != -1431966323 )
                                          break;
                                        ++v15;
                                        v12 = -53637786;
                                      }
                                      if ( v12 != -1235584672 )
                                        break;
                                      ++v16;
                                      v12 = 156864788;
                                    }
                                    if ( v12 != -1228737224 )
                                      break;
                                    v8 = -1104998472;
                                    if ( v16 < 10 )
                                      v8 = -890529193;
                                    v12 = v8;
                                  }
                                  if ( v12 != -1144155234 )
                                    break;
                                  ++v16;
                                  v12 = -1228737224;
                                }
                                if ( v12 != -1104998472 )
                                  break;
                                v10 = -1704444406;
                                if ( v16 == 10 )
                                  v10 = 2089198738;
                                v12 = v10;
                              }
                              if ( v12 != -890529193 )
                                break;
                              v9 = 862823000;
                              if ( !a2[v16 + 2] )
                                v9 = 771361621;
                              v12 = v9;
                            }
                            if ( v12 != -791724132 )
                              break;
                            v2 = -611155481;
                            if ( v16 < 10 )
                              v2 = 1792341902;
                            v12 = v2;
                          }
                          if ( v12 != -611155481 )
                            break;
                          v16 = 1;
                          v12 = 522488884;
                        }
                        if ( v12 != -248881259 )
                          break;
                        ++a2[2];
                        v12 = 1986744843;
                      }
                      if ( v12 != -53637786 )
                        break;
                      v5 = -32951658;
                      if ( v15 < 3 )
                        v5 = 432619495;
                      v12 = v5;
                    }
                    if ( v12 != -32951658 )
                      break;
                    v12 = -1635553414;
                  }
                  if ( v12 != 156864788 )
                    break;
                  v6 = 507587421;
                  if ( v16 < 10 )
                    v6 = 810472009;
                  v12 = v6;
                }
                if ( v12 != 432619495 )
                  break;
                a2[*(signed int *)(36LL * (v16 - -3 * (v14 / 3)) + a1 + 4LL * (v15 - -3 * (v13 / 3))) + 2] = 1;
                v12 = -1431966323;
              }
              if ( v12 != 507587421 )
                break;
              v16 = 1;
              v12 = -1228737224;
            }
            if ( v12 != 522488884 )
              break;
            v3 = 1921980522;
            if ( v16 < 10 )
              v3 = 1524139080;
            v12 = v3;
          }
          if ( v12 != 771361621 )
            break;
          a2[v16 + 2] = 1;
          --a2[2];
          v12 = -1104998472;
        }
        if ( v12 != 810472009 )
          break;
        v7 = 1986744843;
        if ( !a2[v16 + 2] )
          v7 = -248881259;
        v12 = v7;
      }
      if ( v12 != 862823000 )
        break;
      v12 = -1144155234;
    }
    if ( v12 == 981711445 )
      break;
    switch ( v12 )
    {
      case 1044110222:
        ++v16;
        v12 = -791724132;
        break;
      case 1275000702:
        ++v16;
        v12 = 522488884;
        break;
      case 1353319228:
        a2[2] = 0;
        v16 = 1;
        v12 = 156864788;
        break;
      case 1404549511:
        v15 = 0;
        v12 = -53637786;
        break;
      case 1524139080:
        a2[*(signed int *)(36LL * v14 + a1 + 4LL * (v16 - 1)) + 2] = 1;
        a2[*(signed int *)(36LL * (v16 - 832240230 + 832240229) + a1 + 4LL * v13) + 2] = 1;
        v12 = 1275000702;
        break;
      case 1792341902:
        a2[v16 + 2] = 0;
        v12 = 1044110222;
        break;
      case 1796887582:
        v4 = 1353319228;
        if ( v16 < 3 )
          v4 = 1404549511;
        v12 = v4;
        break;
      case 1921980522:
        v16 = 0;
        v12 = 1796887582;
        break;
      case 1986744843:
        v12 = -1235584672;
        break;
      case 2089198738:
        v17 = -1;
        v12 = 981711445;
        break;
    }
  }
  return v17;
}

第一步

				if ( v12 != -791724132 )
                       break;
                        v2 = -611155481;

控制流代码,没什么好说的,v2 = -611155481;

 				if ( v12 != -611155481 )
                            break;
                          v16 = 1;
                          v12 = 522488884;

v16赋值1,然后控制流代码,v12 = 522488884;

if ( v12 != 522488884 )
              break;
            v3 = 1921980522;

控制流代码v3 = 1921980522;

case 1921980522:
        v16 = 0;
        v12 = 1796887582;
        break;

v16被赋值0,然后控制流代码v12 = 1796887582;

case 1796887582:
        v4 = 1353319228;
        if ( v16 < 3 )
          v4 = 1404549511;
        v12 = v4;
        break;

这里利用v16来判断接下来的流程,先看v16>3的情况吧,

 case 1353319228:
        a2[2] = 0;
        v16 = 1;
        v12 = 156864788;
        break;

数组的第三个元素被赋值为0,然后v16被赋值为1,然后流程代码,v12 = 156864788;

 if ( v12 != 156864788 )
                    break;
                  v6 = 507587421;
                  if ( v16 < 10 )
                    v6 = 810472009;
                  v12 = v6;

这里又来进行第二波判断,v16的值,假设大于10,流程代码,v6 = 507587421;

 if ( v12 != 507587421 )
                break;
              v16 = 1;
              v12 = -1228737224;
            }

v16被赋值为1,然后流程代码,

                                    if ( v12 != -1228737224 )
                                      break;
                                    v8 = -1104998472;
                                    if ( v16 < 10 )
                                      v8 = -890529193;
                                    v12 = v8;
                                  }

v16>10的话,v8 = -1104998472

 			if ( v12 != -1104998472 )
                                  break;
                                v10 = -1704444406;
                                if ( v16 == 10 )
                                  v10 = 2089198738;
                                v12 = v10;
  1. 如果v16等于10,v10 = 2089198738;
case 2089198738:
        v17 = -1;
        v12 = 981711445;
        break;

返回-1,然后退出,if ( v12 == 981711445 ) break;

  1. 如果不等于10的话,
while ( v12 == -1704444406 )
                                     {
                                         v17 = v16;
                                         v12 = 981711445;
                                         }

v16赋给v17,然后退出

if ( v12 == 981711445 )
      break;

然后来看看v16<3的情况

				if ( v12 != 432619495 )
                  break;
                a2[*(signed int *)(36LL * (v16 - -3 * (v14 / 3)) + a1 + 4LL * (v15 - -3 * (v13 / 3))) + 2] = 1;
                v12 = -1431966323;

把你赋值给a2数组的某个位置,然后流程控制代码

                                       if ( v12 != -1431966323 )
                                          break;
                                        ++v15;
                                        v12 = -53637786;

v15自增,紧接着流程控制代码,然后执行回去,近一步探索

 if ( v12 != -53637786 )
                        break;
                      v5 = -32951658;
                      if ( v15 < 3 )
                        v5 = 432619495;
                      v12 = v5;

最上面的v16的值,小于10时,流程代码,v6 = 810472009;

if ( v12 != 810472009 )
          break;
        v7 = 1986744843;
        if ( !a2[v16 + 2] )
          v7 = -248881259;
        v12 = v7;

判断数组元素是否为0,

  1. 非0的情况v7 = 1986744843;
case 1986744843:
        v12 = -1235584672;
        break;

流程代码:

					                                     if ( v12 != -1235584672 )
                                        break;
                                      ++v16;
                                      v12 = 156864788;
                                    }

v16自增,然后流程代码,

                    if ( v12 != 156864788 )
                    break;
                  v6 = 507587421;
                  if ( v16 < 10 )
                    v6 = 810472009;
                  v12 = v6;
  1. 为0情况v7 = -248881259;
 if ( v12 != -248881259 )
                          break;
                        ++a2[2];
                        v12 = 1986744843;
                      }

				case 1986744843:
        v12 = -1235584672;
        break;

                                      if ( v12 != -1235584672 )
                                        break;
                                      ++v16;
                                      v12 = 156864788;
                                    }

 if ( v12 != 156864788 )
                    break;
                  v6 = 507587421;
                  if ( v16 < 10 )
                    v6 = 810472009;
                  v12 = v6;

第二步

v16<10的话,v8 = -890529193

					if ( v12 != -890529193 )
                            break;
                              v9 = 862823000;
                              if ( !a2[v16 + 2] )
                                v9 = 771361621;
                              v12 = v9;

判断数组元素是否为0,

  1. 非0的情况v9 = 862823000;
if ( v12 != 862823000 )
        break;
      v12 = -1144155234;

流程代码:

						if ( v12 != -1144155234 )
                                    break;
                                  ++v16;
                                  v12 = -1228737224;

v16自增,然后流程代码,

                                   if ( v12 != -1228737224 )
                                      break;
                                    v8 = -1104998472;
                                    if ( v16 < 10 )
                                      v8 = -890529193;
                                    v12 = v8;
  1. 为0情况v9 = 771361621;
if ( v12 != 771361621 )
            break;
          a2[v16 + 2] = 1;
          --a2[2];
          v12 = -1104998472;

					if ( v12 != -1104998472 )
                                  break;
                                v10 = -1704444406;
                                if ( v16 == 10 )
                                  v10 = 2089198738;
                                v12 = v10;

check1(char *a1)

代码

__int64 __fastcall check1(char *a1)
{
  __int64 result; // rax
  size_t v2; // rax
  signed int v3; // ecx
  char v4; // ST6F_1
  size_t v5; // rax
  signed int v6; // ecx
  char v7; // ST6E_1
  size_t v8; // rax
  signed int v9; // ecx
  signed int v10; // [rsp+68h] [rbp-18h]
  int v11; // [rsp+70h] [rbp-10h]
  int v12; // [rsp+74h] [rbp-Ch]

  v12 = strlen(a1) >> 1;
  v11 = 0;
  v10 = 1519002972;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( v10 == -2084833488 )
                {
                  v8 = strlen(a1);
                  v9 = -67245798;
                  if ( v12 < v8 )
                    v9 = 1974939745;
                  v10 = v9;
                }
                if ( v10 != -1988665894 )
                  break;
                v12 = 0;
                v10 = -2084833488;
              }
              if ( v10 != -1393133668 )
                break;
              v5 = strlen(a1);
              v6 = -1988665894;
              if ( v12 < v5 )
                v6 = -1018472136;
              v10 = v6;
            }
            if ( v10 != -1018472136 )
              break;
            v7 = a1[v12];
            a1[v12] = a1[v12 + 1];
            a1[v12 + 1] = v7;
            v10 = -146751883;
          }
          if ( v10 != -831482631 )
            break;
          ++v12;
          v10 = -2084833488;
        }
        if ( v10 != -291294424 )
          break;
        ++v11;
        ++v12;
        v10 = 1519002972;
      }
      if ( v10 != -146751883 )
        break;
      v12 += 2;
      v10 = -1393133668;
    }
    result = (unsigned int)(v10 + 67245798);
    if ( v10 == -67245798 )
      break;
    switch ( v10 )
    {
      case 75381312:
        v4 = a1[v12];
        a1[v12] = a1[v11];
        a1[v11] = v4;
        v10 = -291294424;
        break;
      case 1519002972:
        v2 = strlen(a1);
        v3 = 1555725255;
        if ( v11 < v2 >> 1 )
          v3 = 75381312;
        v10 = v3;
        break;
      case 1555725255:
        v12 = 0;
        v10 = -1393133668;
        break;
      case 1974939745:
        a1[v12] = (a1[v12] & 0xF3 | ~a1[v12] & 0xC) - 20;
        v10 = -831482631;
        break;
    }
  }
  return result;
}

check3(char *a1)

代码

__int64 __fastcall check3(char *a1)
{
  __int64 result; // rax
  signed int v2; // eax
  signed int v3; // [rsp+28h] [rbp-18h]
  int v4; // [rsp+3Ch] [rbp-4h]

  v4 = check2(a1);
  v3 = 16123822;
  while ( 1 )
  {
    while ( v3 == 16123822 )
    {
      v2 = 1478060410;
      if ( !v4 )
        v2 = 1274132590;
      v3 = v2;
    }
    result = (unsigned int)(v3 - 824643665);
    if ( v3 == 824643665 )
      break;
    if ( v3 == 1274132590 )
    {
      v3 = 824643665;
      printf("error!\n");
    }
    else if ( v3 == 1478060410 )
    {
      v3 = 824643665;
      printf("you get it!\n");
    }
  }
  return result;
}

check2(char *a1)

代码

__int64 __fastcall check2(char *a1)
{
  size_t v1; // rax
  signed int v2; // ecx
  signed int v3; // eax
  signed int v4; // eax
  signed int v5; // eax
  signed int v6; // eax
  signed int v7; // eax
  signed int v8; // eax
  signed int v9; // eax
  signed int v11; // [rsp+8Ch] [rbp-C4h]
  unsigned int v12; // [rsp+90h] [rbp-C0h]
  int v13; // [rsp+94h] [rbp-BCh]
  signed int v14; // [rsp+98h] [rbp-B8h]
  signed int v15; // [rsp+9Ch] [rbp-B4h]
  int v16[42]; // [rsp+A0h] [rbp-B0h]
  char *s; // [rsp+148h] [rbp-8h]

  s = a1;
  v13 = 0;
  v12 = 1;
  v15 = 0;
  v11 = -2671583;
  while ( 1 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( 1 )
                {
                  while ( 1 )
                  {
                    while ( 1 )
                    {
                      while ( 1 )
                      {
                        while ( 1 )
                        {
                          while ( 1 )
                          {
                            while ( 1 )
                            {
                              while ( 1 )
                              {
                                while ( v11 == -2119125118 )
                                {
                                  ++v15;
                                  v11 = -94879051;
                                }
                                if ( v11 != -1998111552 )
                                  break;
                                v6 = 396170963;
                                if ( v15 < 9 )
                                  v6 = -512482015;
                                v11 = v6;
                              }
                              if ( v11 != -1695072055 )
                                break;
                              ++v15;
                              v11 = -1998111552;
                            }
                            if ( v11 != -1658909923 )
                              break;
                            v8 = -1129833658;
                            if ( D0g3[9 * v15 + v14] != sudoku[9 * v15 + v14] )
                              v8 = -528396247;
                            v11 = v8;
                          }
                          if ( v11 != -1613667829 )
                            break;
                          v11 = -2119125118;
                        }
                        if ( v11 != -1369143226 )
                          break;
                        v14 = 0;
                        v11 = -740861019;
                      }
                      if ( v11 != -1244045086 )
                        break;
                      D0g3[9 * v15 + v14] = v16[v13++];
                      v11 = 1611237474;
                    }
                    if ( v11 != -1129833658 )
                      break;
                    v11 = -90011013;
                  }
                  if ( v11 != -740861019 )
                    break;
                  v4 = -1613667829;
                  if ( v14 < 9 )
                    v4 = 705300330;
                  v11 = v4;
                }
                if ( v11 != -528396247 )
                  break;
                v12 = 0;
                v11 = 1954800504;
              }
              if ( v11 != -512482015 )
                break;
              v14 = 0;
              v11 = 564268595;
            }
            if ( v11 != -334121999 )
              break;
            v15 = 0;
            v11 = -1998111552;
          }
          if ( v11 != -94879051 )
            break;
          v3 = -334121999;
          if ( v15 < 9 )
            v3 = -1369143226;
          v11 = v3;
        }
        if ( v11 != -90011013 )
          break;
        ++v14;
        v11 = 564268595;
      }
      if ( v11 != -2671583 )
        break;
      v1 = strlen(s);
      v2 = 2101131376;
      if ( v15 < v1 )
        v2 = 441246003;
      v11 = v2;
    }
    if ( v11 == 396170963 )
      break;
    switch ( v11 )
    {
      case 430996436:
        ++v15;
        v11 = -2671583;
        break;
      case 441246003:
        v16[v15] = s[v15] - 232084296 + 232084248;
        v11 = 430996436;
        break;
      case 564268595:
        v7 = 1954800504;
        if ( v14 < 9 )
          v7 = -1658909923;
        v11 = v7;
        break;
      case 705300330:
        v5 = 1611237474;
        if ( !D0g3[9 * v15 + v14] )
          v5 = -1244045086;
        v11 = v5;
        break;
      case 1611237474:
        v11 = 2119231421;
        break;
      case 1908623879:
        v11 = -1695072055;
        break;
      case 1954800504:
        v9 = 1908623879;
        if ( !v12 )
          v9 = 2014359934;
        v11 = v9;
        break;
      case 2014359934:
        v11 = 396170963;
        break;
      case 2101131376:
        v15 = 0;
        v11 = -94879051;
        printf("\n");
        break;
      case 2119231421:
        ++v14;
        v11 = -740861019;
        break;
    }
  }
  return v12;
}

您可能感兴趣的与本文相关的镜像

ACE-Step

ACE-Step

音乐合成
ACE-Step

ACE-Step是由中国团队阶跃星辰(StepFun)与ACE Studio联手打造的开源音乐生成模型。 它拥有3.5B参数量,支持快速高质量生成、强可控性和易于拓展的特点。 最厉害的是,它可以生成多种语言的歌曲,包括但不限于中文、英文、日文等19种语言

混淆技术研究-OLLVM混淆-控制流平坦(FLA)
Tasfa的博客
09-10 2077
控制流平坦通过将程序中的条件分支语句转为等价的平铺控制流来实现。通常,这包括将原始的分支语句(如if语句、switch语句)中的每个分支提取出来,并将它们放置在一系列连续的基本块中,然后使用一个状态变量或标志来选择要执行的基本块。这样,原本嵌套的条件分支结构就被展开成了一个扁平的基本块序列。
混淆技术研究-OLLVM混淆-虚假控制流(BCF)
Tasfa的博客
09-10 9093
虚假控制流(BCF, Bogus Control Flow),该方法通过在当前基本块之前添加一个基本块来修改函数调用图。这个新的基本块包含一个不透明谓词,然后进行条件跳转到原始基本块。并且原始基本块也被克隆,并填充了随机选择的垃圾指令。
跟着铁头干混淆4.1 ollvm控制流平坦基本概念
qq_37507251的博客
09-04 831
ollvm 4.1 控制流平坦基本概念 控制流平坦基本概念 编译器参数:-mllvm -fla 英文全称 简称 编译参数 控制流平坦 Control Flow Flattening fla -mllvm -fla 大家好,我是王铁头 一个乙方安全公司搬砖的菜鸡 持续更新移动安全,iot安全,编译原理相关原创视频文章 视频演示:https://space.bilibili.com/430241559 第1个例子 简单小程序: c++源码 #include <cstdio&gt
[.NET] 超难控制流混淆UnpackMe
11-12
[.NET] 超难控制流混淆UnpackMe[.NET] 超难控制流混淆UnpackMe
安洵-game-wp
令则
12-09 1349
game 安洵2019逆向 链接:https://pan.baidu.com/s/1vICnEqYfSezXUiTJU6C9TA 提取码:d9m7 题目的文件和idb分析文件和写出的python文件都给出了 首先进入函数发现时ollvm, 这次的分析是直接看那个伪代码,比以前好很多了,就简单写下分析的思路方法,然后后面的分析结果直接写成了python代码,同时的idb文件会同样在附赠文件中...
[buuctf.reverse] 079_[安洵 2019]game
weixin_52640415的博客
05-12 567
LLVM代码混淆 扁平
[SUCTF2019]hardcpp
m0_46296905的博客
05-03 1265
题目:[SUCTF2019]hardcpp 64位ELF文件 ida64中打开发现有两处控制流平坦。 装好angr,使用基于angr的脚本deflat.py去除控制流平坦,在deflat.py所在目录下打开cmd命令行输入 python deflat.py hardCpp 0x4007E0 #“python版本 + 脚本名 + 文件名 + 起始地址” 第二处控制流平坦同理去除。 运行几分钟即可得到去除控制流平坦之后的程序。 如果原版deflat.py出错,可以试试优之后的deflat
代码混淆与加密:游戏保护机制的深层次理解
在数字时代,代码的安全性对于软件和游戏尤为重要。代码混淆与加密是保护代码不被未授权访问和滥用的两种常用技术。混淆是指通过一系列的变换操作,使代码的结构、命名及逻辑变得难以理解,但不影响代码的执行。...
【天龙八部防作弊机制】:代码混淆至实时监控的全面指南(防作弊技术专家分享)
本文从多个维度探讨了防作弊技术,包括代码混淆技术、实时监控系统的构建,以及防作弊与用户体验的平衡问题。文中详细分析了代码混淆的基本原理、高级策略和实际应用,实时监控系统的架构设计、技术实施和维护。同时...
import os import random import tkinter as tk from tkinter import filedialog, messagebox, ttk import shutil import tempfile import hashlib import time import pefile import zlib import sys import platform import psutil from Crypto.Cipher import AES # 仅保留但不用于代码段加密 from Crypto.Util.Padding import pad, unpad # 仅保留但不用于代码段加密 class ExeProtectorApp: def __init__(self, root): self.root = root self.root.title("EXE文件保护工具 v4.2") self.root.geometry("750x680") self.root.resizable(True, True) # 设置中文字体 self.style = ttk.Style() self.style.configure("TLabel", font=("SimHei", 10)) self.style.configure("TButton", font=("SimHei", 10)) self.style.configure("TProgressbar", thickness=20) # 创建主框架 self.main_frame = ttk.Frame(root, padding="20") self.main_frame.pack(fill=tk.BOTH, expand=True) # 文件选择部分 ttk.Label(self.main_frame, text="选择EXE文件:").grid(row=0, column=0, sticky=tk.W, pady=5) self.file_path_var = tk.StringVar() ttk.Entry(self.main_frame, textvariable=self.file_path_var, width=50).grid(row=0, column=1, padx=5, pady=5) ttk.Button(self.main_frame, text="浏览...", command=self.browse_file).grid(row=0, column=2, padx=5, pady=5) # 输出目录选择 ttk.Label(self.main_frame, text="输出目录:").grid(row=1, column=0, sticky=tk.W, pady=5) self.output_dir_var = tk.StringVar() ttk.Entry(self.main_frame, textvariable=self.output_dir_var, width=50).grid(row=1, column=1, padx=5, pady=5) ttk.Button(self.main_frame, text="浏览...", command=self.browse_output_dir).grid(row=1, column=2, padx=5, pady=5) # 选项设置 options_frame = ttk.LabelFrame(self.main_frame, text="选项", padding="10") options_frame.grid(row=2, column=0, columnspan=3, sticky=(tk.W, tk.E), pady=10) # 随机字节增加量 ttk.Label(options_frame, text="随机字节增加范围 (KB):").grid(row=0, column=0, sticky=tk.W, pady=5) self.min_size_var = tk.IntVar(value=100) ttk.Entry(options_frame, textvariable=self.min_size_var, width=10).grid(row=0, column=1, padx=5, pady=5) ttk.Label(options_frame, text="至").grid(row=0, column=2, padx=5, pady=5) self.max_size_var = tk.IntVar(value=1000) ttk.Entry(options_frame, textvariable=self.max_size_var, width=10).grid(row=0, column=3, padx=5, pady=5) # 随机性强度 ttk.Label(options_frame, text="随机性强度:").grid(row=0, column=4, sticky=tk.W, pady=5) self.random_strength = tk.StringVar(value="medium") strength_options = ttk.Combobox(options_frame, textvariable=self.random_strength, state="readonly", width=12) strength_options['values'] = ("低", "中", "高") strength_options.grid(row=0, column=5, padx=5, pady=5) # 程序类型模拟 ttk.Label(options_frame, text="模拟程序类型:").grid(row=1, column=0, sticky=tk.W, pady=5) self.app_type = tk.StringVar(value="generic") app_types = ttk.Combobox(options_frame, textvariable=self.app_type, state="readonly", width=15) app_types['values'] = ("通用程序", "游戏程序", "办公软件", "系统工具", "开发工具") app_types.grid(row=1, column=1, padx=5, pady=5) # 处理方法 self.process_method = tk.StringVar(value="safe") ttk.Radiobutton(options_frame, text="安全模式", variable=self.process_method, value="safe").grid(row=1, column=2, sticky=tk.W, pady=5) ttk.Radiobutton(options_frame, text="增强模式", variable=self.process_method, value="enhanced").grid(row=1, column=3, sticky=tk.W, pady=5) ttk.Radiobutton(options_frame, text="标准保护", variable=self.process_method, value="standard").grid(row=1, column=4, sticky=tk.W, pady=5) ttk.Radiobutton(options_frame, text="高级保护", variable=self.process_method, value="advanced").grid(row=1, column=5, sticky=tk.W, pady=5) # 高级选项 advanced_frame = ttk.LabelFrame(self.main_frame, text="保护选项", padding="10") advanced_frame.grid(row=3, column=0, columnspan=3, sticky=(tk.W, tk.E), pady=10) self.obfuscate_resources = tk.BooleanVar(value=True) ttk.Checkbutton(advanced_frame, text="混淆资源文件", variable=self.obfuscate_resources).grid(row=0, column=0, sticky=tk.W, pady=5) self.encrypt_sections = tk.BooleanVar(value=True) ttk.Checkbutton(advanced_frame, text="轻度代码变换", variable=self.encrypt_sections).grid(row=0, column=1, sticky=tk.W, pady=5) self.add_dummy_sections = tk.BooleanVar(value=True) ttk.Checkbutton(advanced_frame, text="添加随机数据块", variable=self.add_dummy_sections).grid(row=1, column=0, sticky=tk.W, pady=5) self.randomize_imports = tk.BooleanVar(value=True) ttk.Checkbutton(advanced_frame, text="随机导入表顺序", variable=self.randomize_imports).grid(row=1, column=1, sticky=tk.W, pady=5) # 终极选项 ultra_frame = ttk.LabelFrame(self.main_frame, text="高级优", padding="10") ultra_frame.grid(row=4, column=0, columnspan=3, sticky=(tk.W, tk.E), pady=10) self.anti_vm = tk.BooleanVar(value=False) ttk.Checkbutton(ultra_frame, text="兼容虚拟机环境", variable=self.anti_vm).grid(row=0, column=0, sticky=tk.W, pady=5) self.anti_debug = tk.BooleanVar(value=False) ttk.Checkbutton(ultra_frame, text="调试模式兼容", variable=self.anti_debug).grid(row=0, column=1, sticky=tk.W, pady=5) self.random_pe_layout = tk.BooleanVar(value=True) ttk.Checkbutton(ultra_frame, text="随机PE结构布局", variable=self.random_pe_layout).grid(row=1, column=0, sticky=tk.W, pady=5) self.variable_section_count = tk.BooleanVar(value=True) ttk.Checkbutton(ultra_frame, text="随机区段数量", variable=self.variable_section_count).grid(row=1, column=1, sticky=tk.W, pady=5) # 处理按钮 ttk.Button(self.main_frame, text="保护文件", command=self.process_file).grid(row=5, column=0, columnspan=3, pady=20) # 状态和进度条 self.status_var = tk.StringVar(value="就绪") ttk.Label(self.main_frame, textvariable=self.status_var).grid(row=6, column=0, columnspan=2, sticky=tk.W, pady=5) self.progress_var = tk.DoubleVar(value=0) self.progress_bar = ttk.Progressbar(self.main_frame, variable=self.progress_var, length=100) self.progress_bar.grid(row=6, column=2, sticky=(tk.W, tk.E), pady=5) # 默认输出目录 self.output_dir_var.set(os.path.join(os.getcwd(), "protected_exes")) # 绑定窗口关闭事件 self.root.protocol("WM_DELETE_WINDOW", self.on_closing) # 初始随机种子 self.initialize_random_seed() # 初始随机种子,使用多种来源确保高随机性 def initialize_random_seed(self): # 使用多种系统信息和随机源作为种子材料,增强随机性 seed_material = ( time.time_ns().to_bytes(8, 'big') + os.getpid().to_bytes(4, 'big') + os.urandom(32) + # 增加随机字节数量 str(psutil.virtual_memory().available).encode() + str(psutil.cpu_percent(interval=0.1)).encode() + platform.node().encode() + str(random.getstate()).encode() ) # 使用SHA-512获取更复杂的哈希值作为种子 seed = int.from_bytes(hashlib.sha512(seed_material).digest(), 'big') random.seed(seed) # 额外增加随机状态初始 random.getstate() # 浏览文件 def browse_file(self): file_path = filedialog.askopenfilename( filetypes=[("可执行文件", "*.exe"), ("所有文件", "*.*")] ) if file_path: self.file_path_var.set(file_path) # 浏览输出目录 def browse_output_dir(self): dir_path = filedialog.askdirectory() if dir_path: self.output_dir_var.set(dir_path) # 处理文件 def process_file(self): exe_path = self.file_path_var.get() output_dir = self.output_dir_var.get() if not exe_path: messagebox.showerror("错误", "请选择一个EXE文件") return if not os.path.exists(exe_path): messagebox.showerror("错误", "选择的文件不存在") return if not output_dir: messagebox.showerror("错误", "请选择输出目录") return if not os.path.exists(output_dir): try: os.makedirs(output_dir) except: messagebox.showerror("错误", "无法创建输出目录") return # 获取文件名和扩展名 file_name, file_ext = os.path.splitext(os.path.basename(exe_path)) # 添加随机字符串到输出文件名,确保每次不同 random_suffix = hashlib.sha256(str(time.time_ns()).encode() + os.urandom(16)).hexdigest()[:12] output_path = os.path.join(output_dir, f"{file_name}_protected_{random_suffix}{file_ext}") try: # 更新状态 self.status_var.set("正在处理文件...") self.progress_var.set(0) self.root.update() # 计算随机增加的字节大小 min_size = self.min_size_var.get() max_size = self.max_size_var.get() if min_size < 0 or max_size < 0 or min_size > max_size: messagebox.showerror("错误", "请设置有效的字节增加范围") return # 根据随机性强度调整随机范围 strength_factor = 1.0 if self.random_strength.get() == "高": strength_factor = 1.5 elif self.random_strength.get() == "低": strength_factor = 0.5 adjusted_min = int(min_size * strength_factor) adjusted_max = int(max_size * strength_factor) random_size_kb = random.randint(adjusted_min, adjusted_max) random_size_bytes = random_size_kb * 1024 # 复制原始文件 shutil.copy2(exe_path, output_path) # 计算原始文件哈希值 original_hash = self.calculate_file_hash(exe_path) # 更新进度 self.progress_var.set(5) self.root.update() # 根据选择的模式处理文件 if self.process_method.get() == "safe": self.safe_modify_exe_file(output_path, random_size_bytes) elif self.process_method.get() == "enhanced": self.enhanced_modify_exe_file(output_path, random_size_bytes) elif self.process_method.get() == "standard": self.standard_protection(output_path, random_size_bytes) else: self.advanced_protection(output_path, random_size_bytes) # 后续哈希计算、进度更新等 modified_hash = self.calculate_file_hash(output_path) self.progress_var.set(95) self.root.update() if self.verify_exe_file(output_path): self.status_var.set("文件处理完成") self.progress_var.set(100) messagebox.showinfo( "成功", f"文件保护成功!\n" f"原始文件大小: {os.path.getsize(exe_path) // 1024} KB\n" f"处理后文件大小: {os.path.getsize(output_path) // 1024} KB\n" f"增加了: {random_size_kb} KB\n\n" f"原始文件哈希 (MD5): {original_hash}\n" f"处理后文件哈希 (MD5): {modified_hash}\n\n" f"文件已保存至: {output_path}" ) else: self.status_var.set("文件验证失败") self.progress_var.set(100) messagebox.showwarning("警告", "处理后的文件可能需要在特定环境运行") except Exception as e: self.status_var.set("处理过程中出错") messagebox.showerror("错误", f"处理文件时出错: {str(e)}") finally: self.progress_var.set(0) # 每次处理后重新初始随机种子,确保下一次处理的随机性不同 self.initialize_random_seed() # 计算文件哈希 def calculate_file_hash(self, file_path): hash_md5 = hashlib.md5() with open(file_path, "rb") as f: for chunk in iter(lambda: f.read(4096), b""): hash_md5.update(chunk) return hash_md5.hexdigest() # 安全模式:仅添加正常数据 def safe_modify_exe_file(self, file_path, additional_bytes): with open(file_path, 'ab') as f: # 根据选择的应用类型生成对应的数据 app_type = self.app_type.get() data = self.generate_application_specific_data(additional_bytes, app_type) f.write(data) # 增强模式:优PE结构 def enhanced_modify_exe_file(self, file_path, additional_bytes): try: pe = pefile.PE(file_path) # 更新时间戳,使用更大的随机偏移 pe.FILE_HEADER.TimeDateStamp = int(time.time()) + random.randint(-86400, 86400) # 随机偏移1天内 # 随机更多非关键的PE头字段 if self.random_pe_layout.get(): pe.FILE_HEADER.PointerToSymbolTable = random.getrandbits(32) pe.FILE_HEADER.NumberOfSymbols = random.randint(0, 2000) # 添加更多随机字段 pe.OPTIONAL_HEADER.MajorLinkerVersion = random.randint(1, 25) pe.OPTIONAL_HEADER.MinorLinkerVersion = random.randint(0, 99) pe.OPTIONAL_HEADER.MajorImageVersion = random.randint(1, 20) pe.OPTIONAL_HEADER.MinorImageVersion = random.randint(0, 99) # 添加正常附加数据 self.safe_modify_exe_file(file_path, additional_bytes) pe.write(file_path) pe.close() except Exception as e: print(f"增强模式执行: {e}") self.safe_modify_exe_file(file_path, additional_bytes) # 标准保护:添加合理区段 def standard_protection(self, file_path, additional_bytes): try: pe = pefile.PE(file_path) # 随机决定添加的区段数量(1-4个),增加变性 section_count = 1 if self.variable_section_count.get(): section_count = random.randint(1, 4) # 添加多个随机区段 for _ in range(section_count): # 创建新区段 new_section = pefile.SectionStructure(pe.__IMAGE_SECTION_HEADER_format__) # 生成随机但合理的区段名 new_section.Name = self.generate_sane_section_name() # 区段大小随机(1-16KB),范围更大 section_size = random.randint(0x1000, 0x4000) new_section.Misc_VirtualSize = section_size # 地址对齐,添加更大的随机偏移 base_virtual_address = (pe.sections[-1].VirtualAddress + pe.sections[-1].Misc_VirtualSize + 0x1000 - 1) & ~0xFFF new_section.VirtualAddress = base_virtual_address + random.randint(0, 0x2000) base_raw_data = (pe.sections[-1].PointerToRawData + pe.sections[-1].SizeOfRawData + 0x1000 - 1) & ~0xFFF new_section.PointerToRawData = base_raw_data + random.randint(0, 0x2000) new_section.SizeOfRawData = section_size # 随机选择合理的区段属性,增加更多可能性 section_flags = [ 0xC0000040, 0x40000040, 0x20000040, 0x80000040, 0x00000040, 0xE0000040, 0x00000080, 0x40000080 ] new_section.Characteristics = random.choice(section_flags) # 生成与程序类型匹配的区段数据 app_type = self.app_type.get() new_data = self.generate_application_specific_data(section_size, app_type) pe.set_bytes_at_offset(new_section.PointerToRawData, new_data) # 添加新区段到PE结构 pe.sections.append(new_section) pe.FILE_HEADER.NumberOfSections += 1 pe.OPTIONAL_HEADER.SizeOfImage = (new_section.VirtualAddress + new_section.Misc_VirtualSize + 0x1000 - 1) & ~0xFFF # 轻度代码变换 if self.encrypt_sections.get(): self.apply_mild_code_transformations(pe) # 随机导入表顺序(如果启用) if self.randomize_imports.get() and hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'): # 多次随机打乱以增加随机性 for _ in range(random.randint(1, 3)): random.shuffle(pe.DIRECTORY_ENTRY_IMPORT) # 添加文件末尾数据 self.safe_modify_exe_file(file_path, additional_bytes) # 更新时间戳,添加随机偏移 pe.FILE_HEADER.TimeDateStamp = int(time.time()) + random.randint(-86400, 86400) # 随机偏移1天内 pe.write(file_path) pe.close() except Exception as e: print(f"标准保护执行: {e}") self.enhanced_modify_exe_file(file_path, additional_bytes) # 高级保护:进一步增加随机性 def advanced_protection(self, file_path, additional_bytes): try: pe = pefile.PE(file_path) # 随机决定添加的区段数量(2-5个),增加更多变 section_count = 2 if self.variable_section_count.get(): section_count = random.randint(2, 5) # 添加多个随机区段 for _ in range(section_count): new_section = pefile.SectionStructure(pe.__IMAGE_SECTION_HEADER_format__) new_section.Name = self.generate_sane_section_name() # 区段大小变更大(1-32KB) section_size = random.randint(0x1000, 0x8000) new_section.Misc_VirtualSize = section_size # 地址对齐,添加更大的随机偏移 base_virtual_address = (pe.sections[-1].VirtualAddress + pe.sections[-1].Misc_VirtualSize + 0x1000 - 1) & ~0xFFF new_section.VirtualAddress = base_virtual_address + random.randint(0, 0x4000) base_raw_data = (pe.sections[-1].PointerToRawData + pe.sections[-1].SizeOfRawData + 0x1000 - 1) & ~0xFFF new_section.PointerToRawData = base_raw_data + random.randint(0, 0x4000) new_section.SizeOfRawData = section_size # 随机选择合理的区段属性,增加更多选项 section_flags = [ 0xC0000040, 0x40000040, 0x20000040, 0x80000040, 0x00000040, 0xE0000040, 0x00000080, 0x40000080, 0x80000080, 0x20000080, 0x00000100 ] new_section.Characteristics = random.choice(section_flags) # 生成特定类型的应用数据 app_type = self.app_type.get() new_data = self.generate_application_specific_data(section_size, app_type) pe.set_bytes_at_offset(new_section.PointerToRawData, new_data) pe.sections.append(new_section) pe.FILE_HEADER.NumberOfSections += 1 pe.OPTIONAL_HEADER.SizeOfImage = (new_section.VirtualAddress + new_section.Misc_VirtualSize + 0x1000 - 1) & ~0xFFF # 轻度代码变换 if self.encrypt_sections.get(): self.apply_mild_code_transformations(pe) # 混淆资源(如果启用) if self.obfuscate_resources.get() and hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'): self.obfuscate_pe_resources(pe) # 随机导入表顺序,增加随机性 if self.randomize_imports.get() and hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'): # 多次随机打乱以确保随机性 for _ in range(random.randint(2, 5)): random.shuffle(pe.DIRECTORY_ENTRY_IMPORT) # 添加随机数据块,使用随机大小 if self.add_dummy_sections.get(): dummy_size = random.randint(additional_bytes // 3, additional_bytes * 2 // 3) self.safe_modify_exe_file(file_path, dummy_size) additional_bytes -= dummy_size # 添加文件末尾数据 self.safe_modify_exe_file(file_path, additional_bytes) # 随机更多PE头字段 if self.random_pe_layout.get(): pe.FILE_HEADER.PointerToSymbolTable = random.getrandbits(32) pe.FILE_HEADER.NumberOfSymbols = random.randint(0, 5000) pe.OPTIONAL_HEADER.MajorImageVersion = random.randint(1, 20) pe.OPTIONAL_HEADER.MinorImageVersion = random.randint(0, 99) pe.OPTIONAL_HEADER.MajorSubsystemVersion = random.randint(4, 10) pe.OPTIONAL_HEADER.MinorSubsystemVersion = random.randint(0, 99) pe.OPTIONAL_HEADER.MajorOperatingSystemVersion = random.randint(5, 10) pe.OPTIONAL_HEADER.MinorOperatingSystemVersion = random.randint(0, 99) # 添加更多可随机的字段 pe.OPTIONAL_HEADER.LoaderFlags = random.getrandbits(32) & 0x00000003 # 仅保留合法值 pe.OPTIONAL_HEADER.NumberOfRvaAndSizes = 16 # 标准值,但可以偶尔修改 if random.random() < 0.3: # 30%概率修改这个值 pe.OPTIONAL_HEADER.SizeOfHeaders = (pe.OPTIONAL_HEADER.SizeOfHeaders + random.randint(0x100, 0x800)) & ~0xFF # 保持对齐 # 更新时间戳,使用更大的随机偏移 pe.FILE_HEADER.TimeDateStamp = int(time.time()) + random.randint(-604800, 604800) # 随机偏移1周内 pe.write(file_path) pe.close() except Exception as e: print(f"高级保护执行: {e}") self.standard_protection(file_path, additional_bytes) # 生成模拟特定类型程序的数据,增强随机性和多样性 def generate_application_specific_data(self, size, app_type): """根据程序类型生成不同特征的数据,确保每次生成都不同""" data = bytearray() # 根据选择的应用类型生成对应的数据模板,增加更多模板项 type_templates = { "通用程序": [ b"C:\\Program Files\\Common Files\\\x00", b"HKLM\\Software\\Microsoft\\Windows\\\x00", b"ERROR_ACCESS_DENIED\x00", b"SUCCESS\x00", b"CONFIG_FILE\x00", b"LOG_FILE\x00", b"USER_SETTINGS\x00", b"APPLICATION_DATA\x00", b"SYSTEM32\x00", b"KERNEL32.DLL\x00", b"ADVAPI32.DLL\x00", (0x00000001).to_bytes(4, 'little'), (0x00000100).to_bytes(4, 'little'), (0x00010000).to_bytes(4, 'little'), (0x00100000).to_bytes(4, 'little'), ], "游戏程序": [ b"C:\\Program Files\\Game\\Data\\\x00", b"C:\\Users\\Public\\Documents\\GameSaves\\\x00", b"TEXTURE_", b"MODEL_", b"SOUND_", b"LEVEL_", b"SCORE_", b"PLAYER_", b"ENEMY_", b"WEAPON_", b"QUEST_", b"ACHIEVEMENT_", b"INVENTORY_", b"CHARACTER_", b"MAP_", b"DIFFICULTY_", (0x000F4240).to_bytes(4, 'little'), # 1000000 (0x000003E8).to_bytes(4, 'little'), # 1000 (0x00000064).to_bytes(4, 'little'), # 100 (0x0000000A).to_bytes(4, 'little'), # 10 ], "办公软件": [ b"C:\\Users\\%USERNAME%\\Documents\\\x00", b"File Format: DOCX\x00", b"File Format: XLSX\x00", b"File Format: PPTX\x00", b"Page ", b"Sheet ", b"Table ", b"Font ", b"Style ", b"Paragraph ", b"Header", b"Footer", b"Section", b"Template", b"Macro", b"Add-in", b"Spell Check", b"Grammar Check", b"Word Count", b"Character Count", (0x0000000A).to_bytes(4, 'little'), # 10 (0x00000014).to_bytes(4, 'little'), # 20 (0x00000064).to_bytes(4, 'little'), # 100 ], "系统工具": [ b"C:\\Windows\\System32\\\x00", b"C:\\Windows\\SysWOW64\\\x00", b"HKLM\\SYSTEM\\CurrentControlSet\\\x00", b"Driver ", b"Service ", b"Device ", b"Registry ", b"Process ", b"Thread ", b"Memory ", b"Disk ", b"Network ", b"Adapter ", b"Protocol ", b"Firewall ", b"Security ", b"Policy ", b"Account ", (0x00000001).to_bytes(4, 'little'), (0x00000000).to_bytes(4, 'little'), (0xFFFFFFFF).to_bytes(4, 'little'), (0x00000002).to_bytes(4, 'little'), ], "开发工具": [ b"C:\\Program Files\\Developer\\SDK\\\x00", b"C:\\Users\\%USERNAME%\\Source\\\x00", b"Compiler ", b"Linker ", b"Debugger ", b"Library ", b"Include ", b"Namespace ", b"Class ", b"Function ", b"Variable ", b"Pointer ", b"Array ", b"Struct ", b"Enum ", b"Union ", b"Template ", b"Exception ", b"Thread ", b"Mutex ", (0x00000000).to_bytes(4, 'little'), (0x00000001).to_bytes(4, 'little'), (0x00000002).to_bytes(4, 'little'), (0x00000003).to_bytes(4, 'little'), ] } # 获取对应类型的模板 templates = type_templates.get(app_type, type_templates["通用程序"]) # 根据随机性强度调整模板使用方式 template_usage = 0.7 # 70%使用模板,30%使用随机数据 if self.random_strength.get() == "高": template_usage = 0.5 # 50%使用模板,50%使用随机数据 elif self.random_strength.get() == "低": template_usage = 0.9 # 90%使用模板,10%使用随机数据 # 填充数据直到达到目标大小,使用更复杂的模式 while len(data) < size: # 随机选择使用模板还是生成随机数据 if random.random() < template_usage: # 随机选择一个模板并添加 item = random.choice(templates) data.extend(item) # 偶尔添加随机长度的空白或分隔符 if random.random() < 0.4: separator_length = random.randint(1, 16) if random.random() < 0.5: data.extend(b'\x00' * separator_length) else: data.extend(b' ' * separator_length) else: # 生成更复杂的随机数据 random_len = random.randint(1, 128) if random.random() < 0.3: # 生成随机ASCII文本 random_text = bytes(random.choice(b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.') for _ in range(random_len)) data.extend(random_text) elif random.random() < 0.6: # 生成随机二进制数据 data.extend(os.urandom(random_len)) else: # 生成随机数值数据 for _ in range(random_len // 4 + 1): num = random.getrandbits(32) data.extend(num.to_bytes(4, 'little')) return data[:size] # 生成更多样的合理区段名 def generate_sane_section_name(self): # 扩展区段名基础列表 base_names = [ b'.data', b'.rdata', b'.text', b'.rsrc', b'.reloc', b'.bss', b'.edata', b'.idata', b'.pdata', b'.tls', b'.data1', b'.rdata2', b'.text1', b'.rsrc1', b'.data_', b'.rdata_', b'.text_', b'.rsrc_', b'.init', b'.fini', b'.ctors', b'.dtors', b'.gnu', b'.note', b'.eh_frame', b'.debug', b'.xdata', b'.pdata', b'.data2', b'.text2', b'.code', b'.const', b'.dynamic', b'.hash', b'.plt', b'.got', b'.shstrtab', b'.symtab', b'.strtab', b'.comment', b'.note.ABI-tag' ] # 随机选择基础名称并可能添加随机后缀 name = random.choice(base_names) if random.random() < 0.8: # 提高添加后缀的概率 # 添加更多样的随机后缀 suffix_type = random.randint(0, 2) if suffix_type == 0: # 数字后缀 suffix = str(random.randint(10, 999)).encode() elif suffix_type == 1: # 字母后缀 suffix_length = random.randint(1, 3) suffix = bytes(random.choice('abcdefghijklmnopqrstuvwxyz') for _ in range(suffix_length)) else: # 混合后缀 suffix = (str(random.randint(1, 9)) + random.choice('abcdef') + str(random.randint(10, 99))).encode() # 确保总长度不超过8字节 name = name[:8-len(suffix)] + suffix return name.ljust(8, b'\x00')[:8] # 确保正好8字节 # 轻度代码变换,增加更多变换类型 def apply_mild_code_transformations(self, pe): text_section = None for section in pe.sections: if b'.text' in section.Name: text_section = section break if text_section: data = pe.get_data(text_section.VirtualAddress, text_section.SizeOfRawData) if not isinstance(data, bytes): data = bytes(data) data_list = list(data) # 根据随机性强度调整变换程度 transform_count = len(data_list) // 200 if self.random_strength.get() == "高": transform_count = len(data_list) // 100 elif self.random_strength.get() == "低": transform_count = len(data_list) // 400 # 限制最大变换次数,但增加上限 transform_count = min(200, transform_count) # 随机选择位置进行更丰富的轻微变换 for _ in range(transform_count): i = random.randint(0, len(data_list) - 1) # 增加更多变换类型 transform_type = random.choice(range(8)) if transform_type == 0: # 加1 data_list[i] = (data_list[i] + 1) % 256 elif transform_type == 1: # 减1 data_list[i] = (data_list[i] - 1) % 256 elif transform_type == 2: # 与0xFF异或 data_list[i] ^= 0xFF elif transform_type == 3: # 左移一位 data_list[i] = (data_list[i] << 1) % 256 elif transform_type == 4: # 右移一位 data_list[i] = (data_list[i] >> 1) % 256 elif transform_type == 5: # 加一个小随机数 data_list[i] = (data_list[i] + random.randint(1, 5)) % 256 elif transform_type == 6: # 减一个小随机数 data_list[i] = (data_list[i] - random.randint(1, 5)) % 256 else: # 与一个随机数异或 data_list[i] ^= random.randint(1, 255) pe.set_bytes_at_offset(text_section.PointerToRawData, bytes(data_list)) # 增强资源混淆 def obfuscate_pe_resources(self, pe): try: # 遍历所有资源条目 for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries: if hasattr(resource_type, 'directory'): for resource_id in resource_type.directory.entries: if hasattr(resource_id, 'directory'): for resource_lang in resource_id.directory.entries: data_rva = resource_lang.data.struct.OffsetToData size = resource_lang.data.struct.Size # 读取资源数据 resource_data = list(pe.get_data(data_rva, size)) # 根据随机性强度调整混淆程度 step_size = 200 if self.random_strength.get() == "高": step_size = 100 elif self.random_strength.get() == "低": step_size = 400 # 增加更多变换类型 for i in range(0, len(resource_data), random.randint(step_size-50, step_size+50)): if i < len(resource_data): # 随机选择一种变换 transform_type = random.randint(0, 4) if transform_type == 0: resource_data[i] = (resource_data[i] + random.randint(1, 5)) % 256 elif transform_type == 1: resource_data[i] = (resource_data[i] - random.randint(1, 5)) % 256 elif transform_type == 2: resource_data[i] ^= random.randint(1, 255) elif transform_type == 3: resource_data[i] = (resource_data[i] << random.randint(1, 3)) % 256 else: resource_data[i] = (resource_data[i] >> random.randint(1, 3)) % 256 # 对部分资源进行块级混淆 if random.random() < 0.3 and size > 1024: block_size = random.randint(64, 256) for b in range(0, size, block_size): if random.random() < 0.2: # 20%的块会被翻转 start = b end = min(b + block_size, size) resource_data[start:end] = resource_data[start:end][::-1] # 写回修改后的资源数据 pe.set_bytes_at_offset(data_rva, bytes(resource_data)) except Exception as e: print(f"资源混淆错误: {e}") # 计算PE校验和 def calculate_pe_checksum(self, pe): try: with open(pe.name, 'rb') as f: data = f.read() checksum = 0 for i in range(0, len(data), 2): if i + 1 < len(data): w = (data[i+1] << 8) | data[i] checksum += w else: checksum += data[i] checksum = (checksum >> 16) + (checksum & 0xffff) checksum += (checksum >> 16) return 0 - checksum except: return 0x00000000 # 验证EXE文件 def verify_exe_file(self, file_path): try: pe = pefile.PE(file_path) pe.close() return True except: return False # 关闭窗口 def on_closing(self): if messagebox.askokcancel("退出", "确定要退出程序吗?"): self.root.destroy() if __name__ == "__main__": root = tk.Tk() app = ExeProtectorApp(root) root.mainloop() 用户希望每次输出的程序减小TEXT代码段熵值 相对上次输出的程序静态特征都有很大差异 绕过qvm静态分析查杀 2025-07-10 09:57:50 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:f4722f1fd2c14e65558207bd3415ed0a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 2025-07-10 10:07:34 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:3f519280c806a531c2fd494f392add06已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_2587963335de.exe 2025-07-10 10:05:41 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:ad5bf7bf68759eaa5f25587d0e977320已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_4df5eb7b2b48.exe 2025-07-10 10:04:55 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:ce816bbac00149bda721dec01d623773已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_5795dc64119b.exe 2025-07-10 10:03:42 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:224798374219b4fc6046b1da7f4eb632已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_17f73c7eda70.exe 2025-07-10 10:03:16 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:cb3c1534897e38110aeeea2aa71c9d5a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_eb5a679318ab.exe 2025-07-10 09:57:50 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:f4722f1fd2c14e65558207bd3415ed0a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_7e5282a2592431df.exe 2025-07-10 09:56:51 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:63d542dffd607fda49b4ca8880069471已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_0269d064dca0e33d.exe 2025-07-10 09:56:23 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:c7edea82a1abefe84502a88980b86356已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_98f344f33553ad04.exe 2025-07-10 09:55:20 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:8bb531f637cdae52b17ecab88b28b88d已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_32027bfd1919.exe 2025-07-10 09:54:37 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:f03cac215d14019e60e97a0a9dff564a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_dc0e4952f25d.exe 2025-07-10 09:54:16 恶意软件(HEUR/QVM10.2.95BA.Malware.Gen)MD5:79f41c9ca52f656e0d14d7f99a7c0361已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_d0d314c24b51.exe 2025-07-10 09:36:22 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:7a8102febd74e861b0f798e130e3bbdf已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_3766493edd57.exe 2025-07-10 09:35:48 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:ceaa9c2e0ae64a9242eae202c127970a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_e6c9d5d7be4e.exe 2025-07-10 09:34:47 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:7cfe0a2c5d8fbce0d86a01613bef166e已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_e3d311d2cf8e.exe 2025-07-10 09:31:31 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:416cfe49e997da0d85efc5eac7cd33f3已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server.exe 2025-07-10 09:18:33 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:1dae68d1345fe77c6427f8f36ef257a3已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_100a4418.exe 2025-07-10 09:17:27 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:22be3cbbdaf6adc964323e6cd7b1830e已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_a423e3f7.exe 2025-07-10 09:16:34 恶意软件(HEUR/QVM10.2.958D.Malware.Gen)MD5:19811a97d4f619ccc30fbd9355710c94已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_42c8f493.exe 2025-07-10 09:15:28 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:603aa37cafcc1a97ba7d3b6944e7c44f已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_1870a4d5.exe 2025-07-10 09:15:28 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:f4f3aaa34d45f6d392ab02d469529fa2已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_6ef68774.exe 2025-07-10 09:02:21 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:d963a3b990e387d512c1505cc1defc2d已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\appdata\local\temp\vmware-odaycaogen'\vmwarednd\4e3bc625\server_protected_b162fbecda18.exe 2025-07-10 09:02:20 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:d963a3b990e387d512c1505cc1defc2d已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_b162fbecda18.exe 2025-07-10 09:01:55 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:6613a15d293baa581027037940f38123已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_0c7cdb86447c.exe 2025-07-10 09:01:13 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:6e784a5d6e4c5cd3e102341571186c02已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_91770c617ba9.exe 2025-07-10 09:00:26 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:ebaba98d0a9815b21c637a4f2cb2fea8已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_c5080514e48f.exe 2025-07-10 08:59:26 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:3e2c4fc7477c93fe7446866dfa0c0d2a已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_917a4f029497.exe 2025-07-10 08:59:00 恶意软件(HEUR/QVM10.2.9551.Malware.Gen)MD5:fce5281cf86dca7226f2dde2764ceee1已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_e3ea24fe8204.exe 2025-07-09 20:41:17 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:28391ff043ea6b95c0a22c42b827fd13已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_d94e61705c0d.exe 2025-07-09 20:39:48 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:0dbbcc8071f854fa75fe485c055e9cb0已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_df81323ec213.exe 2025-07-09 20:39:17 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:1d3e05e3d94613d048aff46974c9eae5已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_08d18b05d328.exe 2025-07-09 20:38:43 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:cd26422e884d3110bc75080d27c1c069已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_e06bbef612d8.exe 2025-07-09 20:38:08 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:8b12ffcdf948eca4636292ee8399b390已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_61f1aadc6f43.exe 2025-07-09 20:37:25 恶意软件(HEUR/QVM10.2.9279.Malware.Gen)MD5:7eb6481e075f5eeb5465e6395b55db92已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\users\odaycaogen'\desktop\server_protected_789d8774794b.exe 2025-07-09 18:54:48 恶意软件(HEUR/QVM10.2.9231.Malware.Gen)MD5:5c7d6aec8656f4850e914408c8779c35已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\program files\360\360safe\softmgr\whitelist\myapp_36171265\454336_protected_9d9289dd.exe 2025-07-09 18:54:43 恶意软件(HEUR/QVM10.2.9231.Malware.Gen)MD5:5c7d6aec8656f4850e914408c8779c35已删除此文件,如果您发现误删,可从隔离区恢复此文件。 c:\program files\360\360safe\softmgr\whitelist\myapp_36170329\454336_protected_9d9289dd.exe 2025-07-09 18:48:32 恶意软件(HEUR/QVM10.2.9231.Malware.Gen)MD5:8b18925bca5cf9c236bae2ed5f39e67c已删除此文件,如果您发现误删,可从隔离区恢复此文件。
最新发布
07-11
然而,由于我们是在没有源代码的情况下操作二进制文件,因此实现复杂的代码混淆(如控制流平坦)非常困难。因此,我们考虑以下相对简单但有效的方法: 具体措施: 1. 在代码段中插入随机选择的“花指令”...
Flash游戏的安全性优:防止作弊与保护代码的技巧
同时,讨论了代码保护技术,包括混淆、压缩和安全编程实践,以及更新与修复流程的重要性。安全性测试方法如黑盒测试、自动工具和渗透测试的运用,以及安全性验证的步骤也被详尽说明。本文最后展望了随着Flash游戏...
[安洵 2019]game writeup
HLi1219的博客
12-31 1115
每天一道re Exeinfo PE查壳,可以用Linux打开 用kali打开,得到关键语句 用ida打开,找到main函数F5反编译 int __cdecl main(int argc, const char **argv, const char **envp) { signed int v3; // eax unsigned int v4; // ST38_4 __int64 v5; // rsi signed int v7; // [rsp+2Ch] [rbp-54h.
[安洵 2019]game
qq_41853048的博客
07-01 318
llvm混淆,第一次接触到,没找到可以直接反混淆的工具,但看了相关知识后,发现有效代码依旧是原有的那一小部分,所以可以直接看有意义的部分代码,有时间好好了解下吧。
re学习笔记(74)BUUCTF - re - [安洵 2019]game
逆向随笔
06-05 631
[安洵 2019]game ollvm混淆 直接贴上分析后的代码了 unsigned int sudoku[81] = { 1, 4, 5, 3, 2, 7, 6, 9, 8, 8, 3, 9, 6, 5, 4, 1, 2, 7, 6, 7, 2, 8, 1, 9, 5, 4, 3, 4, 9, 6, 1, 8, 5, 3, 7, 2, 2, 1, 8, 4, 7, 3, 9, 5, 6, 7, 5, 3, 2, 9, 6, 4, 8,
AST反混淆学习--控制流平坦
Loronto_的博客
02-05 915
本文章是个人学习AST反混淆的笔记记录,发出来供大家参考指正,希望可以多多交流以提高个人技术!!!(注:本文章中所有内容仅供学习交流,不可用于任何商业用途和非法用途,否则后果自负,如有侵权,请联系作者立即删除!大家新年好!美滋滋回家过了个年,把学习和工作全都抛之脑后了。新的一年继续开始学习!
[安洵 2019]Game复现
Sciurdae的博客
12-21 708
有俩处,v9那里其实就是减去了48;后面用我们的输入去填D0g3这个数独,最后跟sudoku比较。开了混淆控制流平坦,可以使用deflat.py进行去除。逆向,先将数独需要填入的拿出来,check1可以根据z3解。要去除的有多个函数,再进行多次重复去除后可以得到。代码不多,慢慢分析,前面是一些生成数独以及检查。直接看check部分,check没有做什么;做了一些置换,以及简单运算。
CTF逆向-[安洵 2019]game-使用deflat对主要混淆混淆后常规逻辑判断
serfend's blog
05-17 1696
CTF逆向-[安洵 2019]game-使用deflat对主要混淆混淆后常规逻辑判断 来源:https://buuoj.cn/ 内容:无 附件: https://pan.baidu.com/s/1qq_64SNIRnnTTCNqNIKOiw?pwd=1iz9 提取码:1iz9 答案:KDEEIFGKIJ@AFGEJAEF@FDKADFGIJFA@FDE@JG@J 总体思路 判断和输入相关的函数,然后对这些函数使用deflat.py对程序扁平处理。 反向编写脚本得到答案 详细步骤 检查文件信息
安洵2019 cssgame
a3320315的博客
01-22 1625
0x01 题目分析 <html> <head> <meta charset="utf8" /> <title>CSS Game</title> <style> </style> </head> <body> <h1>CSS Game</h1...
推荐开源项目:DEX控制流混淆 - BlackObfuscator
gitblog_00070的博客
05-17 963
推荐开源项目:DEX控制流混淆 - BlackObfuscator BlackObfuscatorBlack Obfuscator is an obfuscator for Android APK DexFile, it can help developer to protect source code by control flow flattening, and make it diffic...
评论 1
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

寻梦&之璐

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值