文章目录
[INSHack2018]Tricky-Part1
主要利用交叉引用列表（Jump → Jump to xref，或快捷键 X：将光标放在某个交叉引用的目标地址上，按该快捷键即可弹出交叉引用列表）。
主要函数分析
// IDA pseudocode of the check routine. It builds a local std::string v8 from
// unk_4011D8 (the key), XORs every byte of the global std::string `base` with
// the key byte at position i % key_size, then copy-constructs the transformed
// `base` into a1 and returns a1.
std::string *__fastcall stack_check(std::string *a1)
{
unsigned __int64 v1; // rbx
unsigned __int64 v2; // rax
_BYTE *v3; // rax
unsigned __int64 v4; // rbx
char v6; // [rsp+1Bh] [rbp-25h] BYREF
int i; // [rsp+1Ch] [rbp-24h]
char v8[32]; // [rsp+20h] [rbp-20h] BYREF -- storage for the local std::string holding the key
std::allocator<char>::allocator(&v6);
std::string::string(v8, &unk_4011D8, &v6);
std::allocator<char>::~allocator(&v6);
for ( i = 0; ; ++i )
{
v4 = i;
if ( v4 >= std::string::size((std::string *)&base) )
break;
v1 = i;
v2 = std::string::size((std::string *)v8); // key length: the dump of v8 in this writeup holds 3 bytes (71, 68, 66), so the key cycles every 3 positions (an earlier note said 4, which matches neither the dump nor the working script)
LOBYTE(v1) = *(_BYTE *)std::string::operator[]((__int64)v8, v1 % v2);// replace the low byte of v1 with the key byte for this position
v3 = (_BYTE *)std::string::operator[]((__int64)&base, i);// pointer to the i-th byte of base (the input)
*v3 ^= v1; // input byte ^= key byte (the byte-sized XOR only sees the low byte of v1)
}
std::string::string(a1, (const std::string *)&base); // copy the XOR-transformed base into a1
std::string::~string(v8);
return a1;
}
两个重要数组：第一个是 v8 的内容，第二个是 base 的内容。
// Bytes of the key string v8 used by stack_check: "GDB" (decimal 71, 68, 66).
unsigned char ida_chars[] =
{
    'G', 'D', 'B'
};
// Contents of the global std::string `base` as dumped by IDA (59 bytes).
// This is the data stack_check XORs with the key; the script below decodes
// the same bytes back into the flag.
unsigned char ida_chars[] =
{
0x0E, 0x0A, 0x11, 0x06, 0x3F, 0x01, 0x1F, 0x1C, 0x1D, 0x76,
0x37, 0x1D, 0x2F, 0x70, 0x30, 0x23, 0x77, 0x30, 0x18, 0x22,
0x72, 0x35, 0x1B, 0x31, 0x33, 0x70, 0x36, 0x76, 0x27, 0x1D,
0x73, 0x2A, 0x76, 0x2B, 0x75, 0x31, 0x3E, 0x37, 0x1D, 0x30,
0x2C, 0x71, 0x29, 0x1B, 0x26, 0x74, 0x26, 0x37, 0x20, 0x23,
0x71, 0x35, 0x1B, 0x24, 0x73, 0x75, 0x2E, 0x34, 0x39
};
脚本
# Recover the flag: XOR each byte of the dumped `base` contents (a) with the
# key bytes (b), cycling the key by position exactly as stack_check does.
a = [
    0x0E, 0x0A, 0x11, 0x06, 0x3F, 0x01, 0x1F, 0x1C, 0x1D, 0x76,
    0x37, 0x1D, 0x2F, 0x70, 0x30, 0x23, 0x77, 0x30, 0x18, 0x22,
    0x72, 0x35, 0x1B, 0x31, 0x33, 0x70, 0x36, 0x76, 0x27, 0x1D,
    0x73, 0x2A, 0x76, 0x2B, 0x75, 0x31, 0x3E, 0x37, 0x1D, 0x30,
    0x2C, 0x71, 0x29, 0x1B, 0x26, 0x74, 0x26, 0x37, 0x20, 0x23,
    0x71, 0x35, 0x1B, 0x24, 0x73, 0x75, 0x2E, 0x34, 0x39,
]
b = [
    71, 68, 66,
]
# Key byte for position `index` is b[index % len(b)]; one character per input byte.
c = "".join(chr(value ^ b[index % len(b)]) for index, value in enumerate(a))
print(c)
INSA{CXX_1s_h4rd3r_f0r_st4t1c_4n4l1sys_wh3n_d3bugg3r_f41ls}