想研究一下反调试,所以最近的主线是归纳反调试技术
之后会单独写一篇博客来汇总
然后记录一下最近写的题
以及在杂方向上面学的东西
wp:
2024春秋杯夏 re wp
WKCTF-RE部分wp
矩阵杯packpy题目复现:
拿到文件,是一个elf,用010打开,发现被upx过,修改一下标志,把upx?改成UPX!,用upx -d去壳
打开后,发现是一个pyinstaller打包的py文件,用工具反编译成pyc
然后uncompyle6解码主要pyc,得到
1
2
3
4
5
6
7
|
import base58, zlib, marshal
scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
exec(marshal.loads(zlib.decompress(base58.b58decode(scrambled_code_string))))
|
通过把exec改成print,可以得到这个序列化内容是一个code object
我们需要把它还原成可读的代码
在网上搜索资料的时候,发现,py在执行的时候会先被编译成PyCodeObject 对象,然后被保存到pyc文件中
可以这样导入pyc文件的内容
1
2
3
4
5
6
7
8
| from importlib.machinery import SourcelessFileLoader
tools = SourcelessFileLoader(
"tools", "__pycache__/tools.cpython-38.pyc"
).load_module()
print(tools.a)
print(tools.b)
|
可以猜测,marshal反序列化的内容其实可以当成pyc来看,尝试一下
1
2
3
4
5
6
7
8
9
10
11
| import base58
import zlib
import marshal
scrambled_code_string = b'X1XehTQeZCsb4WSLBJBYZMjovD1x1E5wjTHh2w3j8dDxbscVa6HLEBSUTPEMsAcerwYASTaXFsCmWb1RxBfwBd6RmyePv3AevTDUiFAvV1GB94eURvtdrpYez7dF1egrwVz3EcQjHxXrpLXs2APE4MS93sMsgMgDrTFCNwTkPba31Aa2FeCSMu151LvEpwiPq5hvaZQPaY2s4pBpH16gGDoVb9MEvLn5J4cP23rEfV7EzNXMgqLUKF82mH1v7yjVCtYQhR8RprKCCtD3bekHjBH2AwES4QythgjVetUNDRpN5gfeJ99UYbZn1oRQHVmiu1sLjpq2mMm8tTuiZgfMfsktf5Suz2w8DgRX4qBKQijnuU4Jou9hduLeudXkZ85oWx9SU7MCE6gjsvy1u57VYw33vckJU6XGGZgZvSqKGR5oQKJf8MPNZi1dF8yF9MkwDdEq59jFsRUJDv7kNwig8XiuBXvmtJPV963thXCFQWQe8XGSu7kJqeRaBX1pkkQ4goJpgTLDHR1LW7bGcZ7m13KzW5mVmJHax81XLis774FjwWpApmTVuiGC2TQr2RcyUTkhGgC8R4bQiXgCsqZMoWyafcSmjdZsHmE6WgNAqPQmEg9FyjpK5f2XC1DkzuyHan5YceeEDMxKUJgJrmNcdGxB7281EyeriyuWNJVH2rVNhio6yoG'
a = zlib.decompress(base58.b58decode(scrambled_code_string))
HEAD = bytes.fromhex('550D0D0A000000000000000000000000')
with open('output.pyc', 'wb') as f:
f.write(HEAD+a)
|
输出后,真的可以直接反编译,得到
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| import random
encdata = b'\x18\xfa\xadd\xed\xab\xad\x9d\xe5\xc0\xad\xfa\xf9\x0be\xf9\xe5\xade6\xf9\xfd\x88\xf9\x9d\xe5\x9c\xe5\x9de\xc3))\x0f\xff'
hex_output = binascii.hexlify(encdata).decode('utf-8')
def generate_key(seed_value):
key = list(range(256))
random.seed(seed_value)
random.shuffle(key)
return bytes(key)
def encrypt(data, key):
encrypted = bytearray()
for byte in data:
encrypted.append(key[byte] ^ 95)
else:
return bytes(encrypted)
try:
flag = input('input your flag:')
key = generate_key(len(flag))
data = flag.encode()
encrypted_data = encrypt(data, key)
if encrypted_data == encdata:
print('good')
except:
pass
|
直接写脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
| import binascii
from prism import *
print(hex_output)
last = [0x18,0xfa,0xad,0x64,0xed,0xab,0xad,0x9d,0xe5,0xc0,0xad,0xfa,0xf9,0x0b,0x65,0xf9,0xe5,0xad,0x65,0x36,0xf9,0xfd,0x88,0xf9,0x9d,0xe5,0x9c,0xe5,0x9d,0x65,0xc3,0x29,0x29,0x0f,0xff]
okey = generate_key(len(last))
q = []
for i in range(len(last)):
for j in range(255):
if okey[j]^95==last[i]:
q.append(j)
print(q)
pl(q)
|
1
| flag{mar3hal_Is_3asy_t0_r3v3rse!!@}
|
ASM
配置VS asm环境,我的VS版本为2022
CSDN上面写的太抽象了,我在Windows平台编写汇编语言看到了一个不错的
大概步骤就是:
杂项:
git基本操作
golang学习
