suctf逆向部分

Posted kk328

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了suctf逆向部分相关的知识,希望对你有一定的参考价值。

自己真的菜,然后在网上找了一篇分析pyc反编译后的文件然后进行手撸opcode,过程真痛苦
http://www.wooy0ung.me/writeup/2017/10/11/0ctf-quals-2017-py/
   names (‘ctypes‘, ‘libnum‘, ‘n2s‘, ‘s2n‘, ‘binascii‘, ‘b‘, ‘key‘, ‘aaaa‘, ‘aa‘, ‘aaaaa‘, ‘aaa‘, ‘aaaaaa‘, ‘__name__‘)从这我们看到程序的大概函数和变量
   ctypes libnum n2s s2n binascii  b key aaaa aa aaaaa aaa aaaaaa  __name__
查找了一下发现 ctypes 是python 访问c 的库
连接http://python3-cookbook.readthedocs.io/zh_CN/latest/c15/p01_access_ccode_using_ctypes.html
libnum 类似 用法参考以下链接
http://www.cnblogs.com/pcat/p/7225782.html
google 了一下发现这个
Very Hard RSA
http://bestwing.me/2016/09/10/Common%20types%20of%20RSA/
基本还原前四个的代码了
import ctypes
from libnum import n2s,s2n
至于binasciipython内置模块我这里不做阐述
然后就是 b key aaaa aa aaaaa aaa aaaaaa  ‘__name__‘
开始猜测大概函数是这样
import ctypes
from libnum import n2s,s2n

def b():
     ...
def key():
     ...
def aaaa():
     ...
def aa():
     ...
def aaaaa():
     ...
def aaa():
     ...
def aaaaaa():
     ...
def main():
     ...
if ‘__name__==main()‘
     main()
但是再回去分析发现导出都在传key所以key几乎不可能是一个函数而且b只在a.py处出现了一次,推测b可能是一个局部变量
现在有如下结构
import ctypes
from libnum import n2s,s2n

def aaaa():
     ...
def aa():
     ...
def aaaaa():
     ...
def aaa():
     ...
def aaaaaa():
     ...
def main():
     ...
if ‘__name__==main()‘
     main()
这时候我们通过 names vernames和name 进行还原
import ctypes
from libnum import n2s,s2n

def aaaa():
     a=lambda a:b.hexhexlify(a)
    
def aa():
     a=cdll.LoadLibrary(‘./a‘) #https://blog.csdn.net/linda1000/article/details/12623527
def aaaaa():
     s2n(a)
def aaa():
     a=cdll.LoadLibrary(‘./a‘)
def aaaaaa():
     aaa(aaaa(key))
def main():
     aaaaaa()
if ‘__name__==main()‘
     main()
发现似乎含有bug,使得freevars段还没使用,怎么办呢google http://kdr2.com/tech/main/1012-pyc-format.html
发现这是嵌套函数使用的,好了们明白了
import ctypes
from libnum import n2s,s2n
key=***

def aaaa(key):
     a=lambda a:b.hexhexlify(a)
     return ‘‘.join(a[i] for i in key)
def aa(key):
     a=cdll.LoadLibrary(‘./a‘) #https://blog.csdn.net/linda1000/article/details/12623527
     a(key)
def aaaaa(a):
     s2n(a)
def aaa(key):
     a=cdll.LoadLibrary(‘./a‘)
     a(key)
def aaaaaa():
     aaa(aaaa(key))
def main():
     aaaaaa()
if ‘__name__==main()‘
     main()
程序逻辑到这里差不多清晰了,但是b还有点模糊猜测是import模块引起的,于是在修改
import ctypes
from libnum import n2s,s2n
import binascii as b
key=***

def aaaa(key):
     a=lambda a:b.hexhexlify(a)
     return ‘‘.join(a[i] for i in key)
def aa(key):
     a=cdll.LoadLibrary(‘./a‘) #https://blog.csdn.net/linda1000/article/details/12623527
     a(key)
def aaaaa(a):
     s2n(a)
def aaa(key):
     a=cdll.LoadLibrary(‘./a‘)
     a(key)
def aaaaaa():
     aaa(aaaa(key))
def main():
     aaaaaa()
if ‘__name__==main()‘
     main()
这里基本就复现完成,下面我们在进行解密即可,参考大牛的技术进行后面的解密即可
void decrypt(char *k){
     FILE *fp1, *fp2;
     unsigned char key[256] = {0x00};
     unsigned char sbox[256] = {0x00};
     fp1 = fopen("code.txt","r");
     fp2 = fopen("decode.txt","w");
     DataEncrypt(k, key, sbox, fp1, fp2);
}

extern "C" 
{   
    void a(char *k){
        encrypt(k);
    }
    void aa(char *k){
        decrypt(k);
    }
}
解密时python调用c函数进行解密
from ctypes import *
from libnum import n2s,s2n
import binascii as b
#key="20182018"
def aaaa(key):
     a=lambda a:b.hexlify(a)
     return "".join(a(i) for i in key)
def aa(key): #jia mi
     a=cdll.LoadLibrary("./a").a
     a(key)
def aaaaa(a):
     return s2n(a)
def aaa(key): #jie mi
     a=cdll.LoadLibrary("./a").aa
     a(key)
def brup_key():
     i=20182000
     while i<100000000:
         aaa(aaaa(str(i)))
         data=open("flag.txt","r").read()
         if "SUCTF" in data:
             print i
             break
         i=i+1
def aaaaaa():
     # aa(aaaa(key))#jia mi
     # aaa(aaaa(key)) #jie mi
     brup_key()
if __name__=="__main__":
     aaaaaa()
key为20182018
参考文章安全客suctfwp链接:https://www.anquanke.com/post/id/146419


































































































































































以上是关于suctf逆向部分的主要内容,如果未能解决你的问题,请参考以下文章

ISCC 2016 逆向部分 writeup

逆向工程部分

攻防世界(XCTF)逆向部分write up

MyBatis-Generator 逆向工程(生成异常缺少部分的方法)

什么是Android逆向?如何学习安卓逆向?Android逆向自学笔记入门到实战

BugkuCTF RE部分题解