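<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!-- No maximum-scale: capping zoom at 1.0 blocks pinch-zoom on mobile
     (WCAG 1.4.4); the layout must stay usable when the user zooms. -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>摘星阁 - 月亮无光</title>
<meta name="author" content="IX221">
<meta name="copyright" content="IX221">
<meta name="format-detection" content="telephone=no">
<!-- theme-color is rewritten at runtime by activateDarkMode/activateLightMode -->
<meta name="theme-color" content="#ffffff">
<meta name="description" content="IX221 i4 v3ry c0ol.">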
<meta property="og:type" content="website">
<meta property="og:title" content="摘星阁">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="摘星阁">
<meta property="og:description" content="IX221 i4 v3ry c0ol.">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="http://example.com/img/touxiang1.png">
<meta property="article:author" content="IX221">
<meta name="twitter:card" content="summary">
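<meta name="twitter:image" content="http://example.com/img/touxiang1.png">
<link rel="shortcut icon" href="/img/touxiang.png">
<link rel="canonical" href="http://example.com/index.html">
<!-- Preconnect hints name the https origin explicitly so they warm the same
     connection the https resource URLs below actually use; a scheme-relative
     hint on an http page would open http://… instead and be wasted. -->
<link rel="preconnect" href="https://cdn.jsdelivr.net">
<link rel="preconnect" href="https://busuanzi.ibruce.info">
<link rel="stylesheet" href="/css/index.css">
<!-- NOTE(review): the two CDN stylesheets below are requested without a
     package version and without an integrity attribute, so whatever jsDelivr
     serves as the current version is applied to every visitor. Pin a version
     and add SRI (integrity + crossorigin) once the hashes for that version
     are computed. The media="print" + onload swap is a non-blocking load
     trick; the inline onload handler is incompatible with a strict CSP. -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free/css/all.min.css" media="print" onload="this.media='all'">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.min.css" media="print" onload="this.media='all'">
<script>
// Site-wide theme settings, consumed by the theme scripts loaded later in
// the page (presumably /js/main.js and /js/search/local-search.js).
const GLOBAL_CONFIG = {
  root: '/',
  algolia: undefined,
  // local search index and the message shown when nothing matches
  localSearch: {"path":"/search.xml","preload":true,"languages":{"hits_empty":"找不到您查询的内容:${query}"}},
  translate: undefined,
  noticeOutdate: undefined,
  // plugin name is compared by the theme scripts — keep the spelling as is
  highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
  copy: {
    success: '复制成功',
    error: '复制错误',
    noSupport: '浏览器不支持'
  },
  relativeDate: {
    homepage: false,
    post: false
  },
  runtime: '',
  date_suffix: {
    just: '刚刚',
    min: '分钟前',
    hour: '小时前',
    day: '天前',
    month: '个月前'
  },
  copyright: undefined,
  lightbox: 'fancybox',
  Snackbar: undefined,
  source: {
    // loaded on demand; also unpinned CDN URLs (see SRI note above)
    justifiedGallery: {
      js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.js',
      css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery/dist/fjGallery.min.css'
    }
  },
  isPhotoFigcaption: false,
  islazyload: false,
  isAnchor: false,
  percent: {
    toc: true,
    rightside: false,
  }
}
</script><script id="config-diff">
// Per-page settings; this page is the home page, not a post.
var GLOBAL_CONFIG_SITE = {
  title: '摘星阁',
  isPost: false,
  isHome: true,
  isHighlightShrink: false,
  isToc: false,
  postUpdate: '2025-01-22 13:52:16'
}
</script><noscript><style>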
/* Fallback when scripts are disabled: elements the theme normally reveals
   from JS are forced visible here so the page is not blank. */
#nav,
.justified-gallery img {
  opacity: 1
}
/* post dates are otherwise hidden until the relative-date script runs */
#recent-posts time,
#post-meta time {
  display: inline !important
}
</style></noscript><script>(win=>{
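// Small localStorage wrapper with a per-key expiry, used for UI preferences
// (theme, aside visibility). Both operations are best-effort: storage may be
// disabled or full, and any script on this origin (or an older version of
// this page) may have written an entry in a different format, so neither
// side is allowed to throw — an exception here would abort the whole
// bootstrap script and leave getScript/getCSS undefined for later code.
win.saveToLocal = {
  // Store `value` under `key` for `ttl` days. ttl === 0 means "do not persist".
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const now = new Date()
    const expiryDay = ttl * 86400000 // days -> milliseconds
    const item = {
      value: value,
      expiry: now.getTime() + expiryDay,
    }
    try {
      localStorage.setItem(key, JSON.stringify(item))
    } catch (e) {
      // quota exceeded / storage disabled: the preference simply is not kept
    }
  },
  // Return the value stored by `set`, or undefined when the key is absent,
  // expired, or does not hold an {value, expiry} record. Expired and
  // malformed entries are removed so they are not parsed again.
  get: function getWithExpiry(key) {
    let itemStr
    try {
      itemStr = localStorage.getItem(key)
    } catch (e) {
      return undefined
    }
    if (!itemStr) {
      return undefined
    }
    let item = null
    try {
      item = JSON.parse(itemStr)
    } catch (e) {
      // not JSON (e.g. a bare string written by older code) — treat as absent
    }
    if (item === null || typeof item !== 'object' || typeof item.expiry !== 'number') {
      localStorage.removeItem(key)
      return undefined
    }
    const now = new Date()
    if (now.getTime() > item.expiry) {
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}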
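// Load a script by URL; the promise resolves once the script has executed
// and rejects if the load fails.
// `integrity` (optional) is the Subresource Integrity hash for `url`. When
// given it is set on the element together with crossorigin="anonymous",
// which SRI requires for cross-origin resources; a mismatching file is then
// refused by the browser instead of being run. Existing callers pass only
// `url` and are unaffected.
win.getScript = (url, integrity) => new Promise((resolve, reject) => {
  const script = document.createElement('script')
  script.src = url
  script.async = true
  if (integrity) {
    script.integrity = integrity
    script.crossOrigin = 'anonymous'
  }
  script.onerror = reject
  // Older IE signals completion through readyState instead of a load event;
  // intermediate states are ignored, 'loaded'/'complete' count as done.
  script.onload = script.onreadystatechange = function () {
    const loadState = this.readyState
    if (loadState && loadState !== 'loaded' && loadState !== 'complete') return
    script.onload = script.onreadystatechange = null
    resolve()
  }
  document.head.appendChild(script)
})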
// Append a stylesheet <link> for `url` to <head>; resolves when the sheet
// has loaded, rejects when loading fails.
win.getCSS = url => new Promise((resolve, reject) => {
  const sheet = document.createElement('link')
  sheet.href = url
  sheet.rel = 'stylesheet'
  sheet.onerror = () => reject()
  sheet.onload = () => resolve()
  document.head.appendChild(sheet)
})
// Switch the page to the dark theme and sync the browser UI colour with it.
win.activateDarkMode = function () {
  const root = document.documentElement
  root.setAttribute('data-theme', 'dark')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta) {
    themeColorMeta.setAttribute('content', '#0d0d0d')
  }
}
// Switch the page to the light theme and sync the browser UI colour with it.
win.activateLightMode = function () {
  const root = document.documentElement
  root.setAttribute('data-theme', 'light')
  const themeColorMeta = document.querySelector('meta[name="theme-color"]')
  if (themeColorMeta) {
    themeColorMeta.setAttribute('content', '#ffffff')
  }
}
// Restore persisted preferences before first paint: theme, then aside
// visibility. Unknown/absent values leave the markup defaults in place.
const storedTheme = saveToLocal.get('theme')
if (storedTheme === 'dark') {
  activateDarkMode()
} else if (storedTheme === 'light') {
  activateLightMode()
}
const storedAside = saveToLocal.get('aside-status')
if (storedAside !== undefined) {
  const op = storedAside === 'hide' ? 'add' : 'remove'
  document.documentElement.classList[op]('hide-aside')
}
// Coarse platform tag for CSS hooks; based on the user agent only, so it is
// a hint rather than a guarantee.
const markApplePlatform = () => {
  const isApple = /iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)
  if (isApple) {
    document.documentElement.classList.add('apple')
  }
}
markApplePlatform()
})(window)</script><link rel="stylesheet" href="/css/custom.css" media="defer" onload="this.media='all'"></head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/touxiang1.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="sidebar-site-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">7</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fa fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fa fa-archive"></i><span> 归档</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fa fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fa fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fa fa-link"></i><span> 友链</span></a></div></div></div></div><div class="page" id="body-wrap"><header class="full_page" id="page-header"><nav id="nav"><span id="blog-info"><a href="/" title="摘星阁"><span class="site-name">摘星阁</span></a></span><div id="menus"><div id="search-button"><a class="site-page social-icon search" href="javascript:void(0);"><i class="fas fa-search fa-fw"></i><span> 搜索</span></a></div><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fa fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fa fa-archive"></i><span> 归档</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fa 
fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fa fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fa fa-link"></i><span> 友链</span></a></div></div><div id="toggle-menu"><a class="site-page" href="javascript:void(0);"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="site-info"><h1 id="site-title">摘星阁</h1><div id="site-subtitle"><span id="subtitle"></span></div></div><div id="scroll-down"><i class="fas fa-angle-down scroll-down-effects"></i></div></header><main class="layout" id="content-inner"><div class="recent-posts" id="recent-posts"><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2025/01/22/%E5%88%9D%E6%8E%A2%E9%B8%BF%E8%92%99%E5%BA%94%E7%94%A8%E9%80%86%E5%90%91%E5%88%86%E6%9E%90/" title="初探鸿蒙应用逆向分析">初探鸿蒙应用逆向分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2025-01-22T05:49:55.000Z" title="发表于 2025-01-22 13:49:55">2025-01-22</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/%E7%A7%BB%E5%8A%A8%E5%AE%89%E5%85%A8/">移动安全</a></span></div><div class="content">0. 概述近年来,鸿蒙应用开发新兴起来,所以本文借一道鸿蒙应用Demo梳理一下鸿蒙的应用程序的逆向方法。
鸿蒙的定位不是替代安卓,而是实现万物互联。鸿蒙OS是一款面向万物互联新时代的、全场景、分布式的操作系统,实现OS与 硬件解绑、生态共享、跨端共享等。
1. 实战-SU_Harmony题目附件为hap包。
1.1 HAP包那么什么是hap包呢? (类比APK包)
官方文档解释如下:
HAP(Harmony Ability Package)是应用安装和运行的基本单元。HAP包是由代码、资源、第三方库、配置文件等打包生成的模块包,其主要分为两种类型:entry和feature。
entry:应用的主模块,作为应用的入口,提供了应用的基础功能。
feature:应用的动态特性模块,作为应用能力的扩展,可以根据用户的需求和设备类型进行选择性安装。
应用程序包可以只包含一个基础的entry包,也可以包含一个基础的entry包和多个功能性的feature包。
跟APK相似,所以,我们将hap文件解压。
逆向hap包,我们需要关注这里面的 ./ets/modules.abc 和 ./ ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2025/01/20/2025%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91%E5%88%9D%E8%B5%9B%E5%94%AF%E4%B8%80RE%E9%A2%98WriteUp/" title="2025西湖论剑初赛唯一RE题WriteUp">2025西湖论剑初赛唯一RE题WriteUp</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2025-01-20T03:33:44.000Z" title="发表于 2025-01-20 11:33:44">2025-01-20</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/WriteUp/">WriteUp</a></span></div><div class="content">0. 概述本次西湖论剑revere分区只有一道题目,并且没有附件,只给了个纯靶机。。。
。。。。
思路:对于无附件的题目,我们采取通过回显来判断出题人意图,从而得解的方式。
1. 测试题目无附件,只给了个靶机
名字叫bitdance
连接靶机,发现只有个长度回显,所以我们首先测试长度,看长度正确回显
测试得知,flag_len = 96
2. 求解回显比较长,我们把回显报存到文件中
12345678910111213141516171819202122232425262728293031323334353637383940414243444546HOST = '139.155.126.78' # 这里请替换为目标主机的真实地址PORT = 19315 # 这里请替换为目标服务的真实端口TIMEOUT = 15 # 设置超时时间def test_input_length(length, filename=None): """尝试发送特定长度的输入""" try: # 创建一个远程连接 with remote(HOST, ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2025/01/17/%E8%BD%AF%E4%BB%B6%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E9%80%86%E5%90%91%E5%88%86%E6%9E%90-%E6%B7%B7%E6%B7%86%E5%AF%B9%E6%8A%97/" title="软件系统安全逆向分析-混淆对抗">软件系统安全逆向分析-混淆对抗</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2025-01-17T05:28:23.000Z" title="发表于 2025-01-17 13:28:23">2025-01-17</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/">二进制学习</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/%E9%80%86%E5%90%91%E6%8E%A2%E7%A9%B6/">逆向探究</a></span></div><div class="content">1. 概述在一般的软件中,我们逆向分析时候通常都不能直接看到软件的明文源代码,或多或少存在着混淆对抗的操作。下面,我会实践操作一个例子从无从下手到攻破目标。
花指令对抗
虚函数表
RC4
2. 实战-donntyousee
题目载体为具有漏洞的小型软件,部分题目提供源代码,要求攻击者发现并攻击软件中存在的漏洞。
2.1 程序测试首先拿到这道题目,查壳看架构,elf64
放到虚拟机中运行一下
123plz input your flag8888888888888wrong
ida64反编译,发现软件进行了去符号处理,最直白就是没有main()函数。
但是ida自动帮我们定位到了系统入口函数start()。
然后我们查字符串 plz、wrong,均无法查到相关字符串
可见程序对静态分析做了很大的操作,防止一眼顶真。
然后我们回到系统入口函数start,F5反编译。
程序无法完全反编译,并且发现init和fini均无法正常识别。
进入main函数,即sub_405559(),无可用信息。
2.2 花指令对抗看汇编
很明显,程序做的混淆对抗是加了花指令。
花指令实质就 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2024/12/29/PE%E6%96%87%E4%BB%B6%E7%BB%93%E6%9E%84-%E5%AE%9E%E9%AA%8C/" title="PE文件结构+实验">PE文件结构+实验</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2024-12-29T06:59:48.000Z" title="发表于 2024-12-29 14:59:48">2024-12-29</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/">二进制学习</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/Windows/">Windows</a></span></div><div class="content">0. 概述深入解析PE文件结构学习笔记,文中不乏笔者自己的理解,如有错误,欢迎指正。Orz
1. 啥是PE?PE文件,即Portable Executable File Format,是Windows下可执行程序的一个统称,Windows下的所有可执行文件都是PE文件格式,比如.exe,.dll,.sys等。
PE文件是指 32 位可执行文件,也称为PE32。64位的可执行文件称为 PE+ 或 PE32+,是PE(PE32)的一种扩展形式(请注意不是PE64)。
PE文件由PE头和PE体组成,而非只有头部。
PE结构不是一个单纯的结构,一个PE文件由若干个结构集合所构成,不同的结构有不同的用处。
PE文件格式是一种对文件组织管理的方式。
来张图助助兴,如下图所示=。=
2.PE文件结构概述2.1 PE文件结构一般分为4个部分:
DOS头:DOS头是PE文件结构的第一个头,用来保持对DOS系统的兼容,并且用于定位真正的PE头。我们关注的主要是两个属性:e_magic (MZ标识)和 e_lfanew(定位真正的PE头)。
NT头:包括PE文件标识、PE文件头和可选头。包含 wind ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2024/09/07/LLVM-IR-%E7%A0%94%E7%A9%B6%E5%88%86%E6%9E%90/" title="LLVM IR研究分析">LLVM IR研究分析</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2024-09-07T11:19:45.000Z" title="发表于 2024-09-07 19:19:45">2024-09-07</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/">二进制学习</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/LLVM/">LLVM</a></span></div><div class="content">前置知识
LLVM是C++编写的构架编译器的框架系统,可用于优化以任意程序语言编写的程序。
LLVM IR可以理解为LLVM平台的汇编语言,所以官方也是以语言参考手册(Language Reference Manual))的形式给出LLVM IR的文档说明。既然是汇编语言,那么就和传统的CUP类似,有特定的汇编指令集。但是它又与传统的特定平台相关的指令集(x86,ARM,RISC-V等)不一样,它定位为平台无关的汇编语言。也就是说,LLVM IR是一种相对于CUP指令集高级,但是又是一种低级的代码中间表示(比抽象语法树等高级表示更加低级)。
LLVM IR即代码的中间表示,有三种形式:
.ll 格式:人类可以阅读的文本(汇编码) –>这个就是我们要学习的IR
.bc 格式:适合机器存储的二进制文件
内存表示
下面给出.ll格式和.bc格式生成及相互转换的常用指令清单:
12345.c -> .ll:clang -emit-llvm -S a.c -o a.ll.c -> .bc: clang -emit-llvm -c a.c -o a.bc.ll -> ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2024/09/02/MFC%E6%A1%86%E6%9E%B6%E8%BD%AF%E4%BB%B6%E9%80%86%E5%90%91%E7%A0%94%E7%A9%B6/" title="MFC框架软件逆向研究">MFC框架软件逆向研究</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2024-09-02T03:46:43.000Z" title="发表于 2024-09-02 11:46:43">2024-09-02</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/">二进制学习</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/%E9%80%86%E5%90%91%E6%8E%A2%E7%A9%B6/">逆向探究</a></span></div><div class="content">MFC框架简介什么是mfc?
MFC库是开发Windows应用程序的C++接口。MFC提供了面向对象的框架,采用面向对象技术,将大部分的Windows API 封装到C++类中,以类成员函数的形式提供给程序开发人员调用。
简单来说,MFC是一种面向对象,用于开发windows应用程序的框架,突出特点是封装了大部分windows API,便于开发人员使用(写win挂方便)。
MFC程序的运行过程分为以下四步:
利用全局应用程序对象theApp启动应用程序。
调用全局应用程序对象的构造函数,从而调用基类(CWinApp)的构造函数,完成应用程序的一些初始化工作,并将应用程序对象的指针保存起来。
进入WinMain函数。在AfxWinMain函数中获取子类的指针,利用指针实现上述的三个函数,从而完成窗口的创建注册等工作。
进入消息循环,一直到WM_QUIT。
那么问题来了,我们如何逆向mfc程序呢?因为其封装了大部分windows API,逆向起来也复杂了不少,因为需要了解大量的windows api 并且熟悉windows编程。下面进行讲解。
MFC如何逆向如下图,是MFC框架软件 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2024/07/26/%E6%B8%B8%E6%88%8F%E5%AE%89%E5%85%A8%E5%85%A5%E9%97%A8-%E6%89%AB%E9%9B%B7%E5%88%86%E6%9E%90-%E8%BF%9C%E7%A8%8B%E7%BA%BF%E7%A8%8B%E6%B3%A8%E5%85%A5/" title="游戏安全入门-扫雷分析/远程线程注入">游戏安全入门-扫雷分析/远程线程注入</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2024-07-26T08:20:46.000Z" title="发表于 2024-07-26 16:20:46">2024-07-26</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/%E6%B8%B8%E6%88%8F%E5%AE%89%E5%85%A8%E5%AD%A6%E4%B9%A0/">游戏安全学习</a></span></div><div class="content">前言无论学习什么,首先,我们应该有个目标,那么入门windows游戏安全,脑海中浮现出来的一个游戏 – 扫雷,一款家喻户晓的游戏,虽然已经被大家分析的不能再透了,但是我觉得自己去分析一下还是极好的,把它作为一个小目标再好不过了。
我们编写一个妙妙小工具,工具要求实现以下功能:时间暂停、修改表情、透视、一键扫雷等等。
本文所用工具:
Cheat Engine、x32dbg(ollydbg)、Visual Studio 2019
扫雷游戏分析游戏数据在内存中是地址,那么第一个任务,找内存地址
打开CE修改器
修改时间->时间暂停计数器的时间是一个精确的值,所以我们通过精确数值扫描出来,游戏开始之前计数器上的数是0,所以我们扫描0。
时间在变化,选择介于什么数值之间再次扫描
可得 0x100579c — winmine.exe+579C
我们发现这个数据都是直接通过基址 + 固定偏移能直接得到的。
然后我们对这个数据去找出 是什么改写了这个地址,得到一个指令和指针:
时间:0x100579c
修改表情 - 没啥用修改表情这个功能怎么搞我觉得还是很容易想到的,这个按钮的作用是重新 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2024/07/26/%E8%AE%B0%E7%94%B1%E9%95%BF%E5%9F%8E%E6%9D%AF%E5%88%9D%E8%B5%9BTime-Machine%E6%8E%8C%E6%8F%A1%E7%88%B6%E5%AD%90%E8%BF%9B%E7%A8%8B%E5%B9%B6%E5%87%BA%E9%A2%98/" title="记由长城杯初赛Time_Machine掌握父子进程并出题">记由长城杯初赛Time_Machine掌握父子进程并出题</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2024-07-26T06:22:21.000Z" title="发表于 2024-07-26 14:22:21">2024-07-26</time></span><span class="article-meta"><span class="article-meta-separator">|</span><i class="fas fa-inbox"></i><a class="article-meta__categories" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/">二进制学习</a></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/%E9%80%86%E5%90%91%E6%8E%A2%E7%A9%B6/">逆向探究</a></span></div><div class="content">前言 掌握一道题目的最好办法就是由做题人变成出题人()
本文所说的题目是长城杯某区逆向Time_Machine,题目反编译纯gs,所以本文主要讲解笔者出的题目
:笔者出的题目准备给iscc擂台的,但是没轮上(感觉擂台被控了,怎么说hh)
出题思路额,不算是思路,站在前人的肩膀上罢了。出这道题目的初心是因为比赛的时候用心的做了这道题写了出来感觉收获颇多,但当时只局限于写了出来,并不能全面理解,所以有了这么一个想法。俗话说,实践出真知,熟能生巧,自己去亲手实操将题目敲一遍写一遍,对一个知识点理解的才到位,记忆也更加的深刻。主要加密算法是使用 SuperFastHash 算法对flag逐字节进行哈希处理,然后通过改变环境变量来进入不同的分支,分支里面对内存进行复写和触发异常来实现父子进程的交互,子进程是一大坨代码块,通过以下指令块控制父进程调试子进程实现加密。
12345movabs r11,%dxor r11,0x1337ror r11,13movabs r13,1 #0或1ud2
程序分析程序是64位的exeida64分析拖入ida64后映入眼帘,有一个小的主函数,用于检查环境变量的值 ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/12/18/2023%E5%BC%BA%E7%BD%91%E6%9D%AFWriteUp/" title="2023强网杯WriteUp">2023强网杯WriteUp</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-12-18T11:57:54.000Z" title="发表于 2023-12-18 19:57:54">2023-12-18</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/WriteUp/">WriteUp</a></span></div><div class="content">前言2023-12-18创建的文件夹,搁到现在才上传,忘了,麻麻了
rev === 强ollvm杯
babyreTls附加dbg
过掉
把程序运行,在这儿附加
静态密文,key都是假的
动调起来得到真的
密文
Key
这是delta
调到跳出循环,得到sum
Exp
12345678910111213141516171819202122232425262728293031323334353637#include <iostream>#include <cstdint>void XTEA_decrypt(uint32_t v[2], uint32_t const key[4]) { unsigned int i; unsigned int sum = 0xd192c263; uint32_t v0 = v[0], v1 = v[1]; for (int j = 0; j < 4; j++) { for (i = 0; i < 33; i++) { sum -= 0x88408067; v1 -= (key[(su ...</div></div></div><div class="recent-post-item"><div class="recent-post-info no-cover"><a class="article-title" href="/2023/12/18/2023%E6%A5%9A%E6%85%A7%E6%9D%AF%E5%88%9D%E8%B5%9BWriteUp/" title="2023楚慧杯初赛WriteUp">2023楚慧杯初赛WriteUp</a><div class="article-meta-wrap"><span class="post-meta-date"><i class="far fa-calendar-alt"></i><span class="article-meta-label">发表于</span><time datetime="2023-12-18T11:43:15.000Z" title="发表于 2023-12-18 19:43:15">2023-12-18</time></span><span class="article-meta tags"><span class="article-meta-separator">|</span><i class="fas fa-tag"></i><a class="article-meta__tags" href="/tags/WriteUp/">WriteUp</a></span></div><div class="content">前言这周末,四级英语考试,强网杯,楚慧杯,还通宵打强网,我滴妈,差点猝si =。=
然后这篇写的楚慧杯的,就重点说(吐槽)一下
vocal,就3个小时的比赛,还得比赛结束前交WP,写了re1,misc1,misc2,0.o真的极限=。=
楚慧杯学生组
还好,收获满满,强网先锋应该够了,楚慧杯也晋级了,四级的话,阿巴阿巴 =。=
revbabyre - ollvm/tea?xtea打完强网库库打ollvm,这玩意又来
好好,周末就ollvm大赛
D810去混淆
D810是插件 搜到直接用 前提:angr要装好
main函数
Encode 离谱,我去玩ollvm脚本没跑出来
然后我没去ollvm改了一下跑出来了,vocal
这个是去ollvm
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960#include <stdio.h>#include <stdint.h& ...</div></div></div><nav id="pagination"><div class="pagination"><span class="page-number current">1</span><a class="page-number" href="/page/2/#content-inner">2</a><span class="space">…</span><a class="page-number" href="/page/4/#content-inner">4</a><a class="extend next" rel="next" href="/page/2/#content-inner"><i class="fas fa-chevron-right fa-fw"></i></a></div></nav></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/img/touxiang1.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">IX221</div><div class="author-info__description">IX221 i4 v3ry c0ol.</div></div><div class="card-info-data site-data is-center"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a><a href="/tags/"><div class="headline">标签</div><div class="length-num">7</div></a><a href="/categories/"><div class="headline">分类</div><div class="length-num">2</div></a></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/ix221"><i class="fab fa-github"></i><span>Follow Me</span></a></div><div class="card-widget card-announcement"><div class="item-headline"><i class="fas fa-bullhorn fa-shake"></i><span>公告</span></div><div class="announcement_content">欢迎访问 这是我复习的地方 Orz</div></div><div class="xpand" style="height:200px;"><canvas class="illo" width="800" height="800" style="max-width: 200px; max-height: 200px; touch-action: none; width: 640px; height: 640px;"></canvas></div><script src="https://fastly.jsdelivr.net/gh/xiaopengand/blogCdn@latest/xzxr/twopeople1.js"></script><script src="https://fastly.jsdelivr.net/gh/xiaopengand/blogCdn@latest/xzxr/zdog.dist.js"></script><script id="rendered-js" 
src="https://fastly.jsdelivr.net/gh/xiaopengand/blogCdn@latest/xzxr/twopeople.js"></script><style>.card-widget.card-announcement {
margin: 0;
align-items: center;
justify-content: center;
text-align: center;
}
canvas {
display: block;
margin: 0 auto;
cursor: move;
}</style><div class="sticky_layout"><div class="card-widget card-recent-post"><div class="item-headline"><i class="fas fa-history"></i><span>最新文章</span></div><div class="aside-list"><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2025/01/22/%E5%88%9D%E6%8E%A2%E9%B8%BF%E8%92%99%E5%BA%94%E7%94%A8%E9%80%86%E5%90%91%E5%88%86%E6%9E%90/" title="初探鸿蒙应用逆向分析">初探鸿蒙应用逆向分析</a><time datetime="2025-01-22T05:49:55.000Z" title="发表于 2025-01-22 13:49:55">2025-01-22</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2025/01/20/2025%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91%E5%88%9D%E8%B5%9B%E5%94%AF%E4%B8%80RE%E9%A2%98WriteUp/" title="2025西湖论剑初赛唯一RE题WriteUp">2025西湖论剑初赛唯一RE题WriteUp</a><time datetime="2025-01-20T03:33:44.000Z" title="发表于 2025-01-20 11:33:44">2025-01-20</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2025/01/17/%E8%BD%AF%E4%BB%B6%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E9%80%86%E5%90%91%E5%88%86%E6%9E%90-%E6%B7%B7%E6%B7%86%E5%AF%B9%E6%8A%97/" title="软件系统安全逆向分析-混淆对抗">软件系统安全逆向分析-混淆对抗</a><time datetime="2025-01-17T05:28:23.000Z" title="发表于 2025-01-17 13:28:23">2025-01-17</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2024/12/29/PE%E6%96%87%E4%BB%B6%E7%BB%93%E6%9E%84-%E5%AE%9E%E9%AA%8C/" title="PE文件结构+实验">PE文件结构+实验</a><time datetime="2024-12-29T06:59:48.000Z" title="发表于 2024-12-29 14:59:48">2024-12-29</time></div></div><div class="aside-list-item no-cover"><div class="content"><a class="title" href="/2024/09/07/LLVM-IR-%E7%A0%94%E7%A9%B6%E5%88%86%E6%9E%90/" title="LLVM IR研究分析">LLVM IR研究分析</a><time datetime="2024-09-07T11:19:45.000Z" title="发表于 2024-09-07 19:19:45">2024-09-07</time></div></div></div></div><div class="card-widget card-categories"><div class="item-headline">
<i class="fas fa-folder-open"></i>
<span>分类</span>
</div>
<ul class="card-category-list" id="aside-cat-list">
<li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AD%A6%E4%B9%A0/"><span class="card-category-list-name">二进制学习</span><span class="card-category-list-count">6</span></a></li><li class="card-category-list-item "><a class="card-category-list-link" href="/categories/%E9%80%86%E5%90%91%E5%B7%A5%E7%A8%8B/"><span class="card-category-list-name">逆向工程</span><span class="card-category-list-count">1</span></a></li>
</ul></div><div class="card-widget card-tags"><div class="item-headline"><i class="fas fa-tags"></i><span>标签</span></div><div class="card-tag-cloud"><a href="/tags/LLVM/" style="font-size: 1.1em; color: #999">LLVM</a> <a href="/tags/Reverse/" style="font-size: 1.37em; color: #99a4b2">Reverse</a> <a href="/tags/Windows/" style="font-size: 1.1em; color: #999">Windows</a> <a href="/tags/WriteUp/" style="font-size: 1.5em; color: #99a9bf">WriteUp</a> <a href="/tags/%E6%B8%B8%E6%88%8F%E5%AE%89%E5%85%A8%E5%AD%A6%E4%B9%A0/" style="font-size: 1.1em; color: #999">游戏安全学习</a> <a href="/tags/%E7%A7%BB%E5%8A%A8%E5%AE%89%E5%85%A8/" style="font-size: 1.1em; color: #999">移动安全</a> <a href="/tags/%E9%80%86%E5%90%91%E6%8E%A2%E7%A9%B6/" style="font-size: 1.23em; color: #999ea6">逆向探究</a></div></div><div class="card-widget card-archives"><div class="item-headline"><i class="fas fa-archive"></i><span>归档</span><a class="card-more-btn" href="/archives/" title="查看更多">
<i class="fas fa-angle-right"></i></a></div><ul class="card-archive-list"><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2025/01/"><span class="card-archive-list-date">一月 2025</span><span class="card-archive-list-count">3</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/12/"><span class="card-archive-list-date">十二月 2024</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/09/"><span class="card-archive-list-date">九月 2024</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2024/07/"><span class="card-archive-list-date">七月 2024</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/12/"><span class="card-archive-list-date">十二月 2023</span><span class="card-archive-list-count">4</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/11/"><span class="card-archive-list-date">十一月 2023</span><span class="card-archive-list-count">2</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/10/"><span class="card-archive-list-date">十月 2023</span><span class="card-archive-list-count">1</span></a></li><li class="card-archive-list-item"><a class="card-archive-list-link" href="/archives/2023/09/"><span class="card-archive-list-date">九月 2023</span><span class="card-archive-list-count">1</span></a></li></ul></div><div class="card-widget card-webinfo"><div class="item-headline"><i class="fas fa-chart-line"></i><span>网站资讯</span></div><div class="webinfo"><div class="webinfo-item"><div class="item-name">文章数目 :</div><div class="item-count">40</div></div><div class="webinfo-item"><div class="item-name">本站总字数 
:</div><div class="item-count">56.3k</div></div><div class="webinfo-item"><div class="item-name">本站访客数 :</div><div class="item-count" id="busuanzi_value_site_uv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">本站总访问量 :</div><div class="item-count" id="busuanzi_value_site_pv"><i class="fa-solid fa-spinner fa-spin"></i></div></div><div class="webinfo-item"><div class="item-name">最后更新时间 :</div><div class="item-count" id="last-push-date" data-lastPushDate="2025-01-22T05:52:16.386Z"><i class="fa-solid fa-spinner fa-spin"></i></div></div></div></div></div></div></main><footer id="footer"><div id="footer-wrap"><div class="copyright">©2020 - 2025 By IX221</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button id="go-up" type="button" title="回到顶部"><span class="scroll-percent"></span><i class="fas fa-arrow-up"></i></button></div></div><div id="local-search"><div class="search-dialog"><nav class="search-nav"><span class="search-dialog-title">搜索</span><span id="loading-status"></span><button class="search-close-button"><i class="fas fa-times"></i></button></nav><div class="is-center" id="loading-database"><i class="fas fa-spinner fa-pulse"></i><span> 数据库加载中</span></div><div class="search-wrap"><div id="local-search-input"><div class="local-search-box"><input class="local-search-box--input" 
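placeholder="搜索文章" type="text" aria-label="搜索文章"></div></div><hr><div id="local-search-results"></div></div></div><div id="search-mask"></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><!-- NOTE(review): the jsDelivr scripts on this page (fancybox, fireworks,
     typed.js below) are loaded without a pinned version or integrity
     attribute; pin and add SRI once hashes are computed. --><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.min.js"></script><script src="/js/search/local-search.js"></script><div class="js-pjax"><script>
// Typed.js subtitle bootstrap for #subtitle.
window.typedJSFn = {
  // Start the typing animation cycling through `str` (an array of strings).
  init: (str) => {
    window.typed = new Typed('#subtitle', {
      strings: str,
      startDelay: 300,
      typeSpeed: 150,
      loop: true,
      backSpeed: 50
    })
  },
  // Run `subtitleType` once Typed.js is available, fetching it first if it
  // is not already on the page (getScript is defined by the inline bootstrap
  // in <head>). If that fetch fails the rejection is not handled here and
  // the subtitle stays empty.
  run: (subtitleType) => {
    if (typeof Typed === 'function') {
      subtitleType()
    } else {
      getScript('https://cdn.jsdelivr.net/npm/typed.js/lib/typed.min.js').then(subtitleType)
    }
  }
}
</script><script>
// Subtitle strings for this site; invoked by typedJSFn.run once Typed.js is loaded.
function subtitleType () {
  typedJSFn.init(["知不足而奋进, 望远山而前行","今天你 RE 了嘛?"])
}
typedJSFn.run(subtitleType)
</script></div><canvas class="fireworks" mobile="false"></canvas><script src="https://cdn.jsdelivr.net/npm/butterfly-extsrc/dist/fireworks.min.js"></script><script async data-pjax src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>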