SWPUCTF2019 easyRE 逆向分析详解<\/h1>

1. 程序概述<\/h2>
这是一个包含反调试保护和复杂加密逻辑的逆向工程挑战题，要求通过逆向分析找到正确的flag格式和内容。<\/p>

2. 主要函数分析<\/h2>

2.1 主函数结构<\/h3>
int<\/span> __cdecl<\/span> main<\/span>(int<\/span> argc, const<\/span> char<\/span> **<\/span>argv, const<\/span> char<\/span> **<\/span>envp) {
<\/span><\/span>    _DWORD v4[28<\/span>]; 
<\/span><\/span>    _DWORD *<\/span>v5; 
<\/span><\/span>    _DWORD *<\/span>v6; 
<\/span><\/span>    int<\/span> v7; 
<\/span><\/span>    char<\/span> v8[108<\/span>]; 
<\/span><\/span>    int<\/span> v9; 
<\/span><\/span>    
<\/span><\/span>    if<\/span> (sub_40EF90())  \/\/ 反调试检测
<\/span><\/span><\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    
<\/span><\/span>    sub_4026C0(0x6Cu<\/span>);
<\/span><\/span>    sub_401FE0(v4[27<\/span>], v5);  \/\/ 初始化虚函数表和关键数据
<\/span><\/span><\/span><\/span>    v9 =<\/span> 0<\/span>;
<\/span><\/span>    v6 =<\/span> v4;
<\/span><\/span>    sub_40F360(v8);
<\/span><\/span>    sub_40F080(v4[0<\/span>], v4[1<\/span>]);
<\/span><\/span>    v5 =<\/span> v4;
<\/span><\/span>    sub_40F360(v8);
<\/span><\/span>    sub_40F150(argc, (int<\/span>)argv);  \/\/ 主要处理函数
<\/span><\/span><\/span><\/span>    v7 =<\/span> 0<\/span>;
<\/span><\/span>    v9 =<\/span> -<\/span>1<\/span>;
<\/span><\/span>    sub_4021C0(v8);
<\/span><\/span>    return<\/span> v7;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 反调试检测函数<\/h3>
BOOL sub_40EF90<\/span>() {
<\/span><\/span>    HANDLE v0; 
<\/span><\/span>    NTSTATUS (__stdcall<\/span> *<\/span>NtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
<\/span><\/span>    HMODULE hModule; 
<\/span><\/span>    int<\/span> v4; 
<\/span><\/span>    
<\/span><\/span>    v4 =<\/span> 0<\/span>;
<\/span><\/span>    hModule =<\/span> LoadLibraryA("Ntdll.dll"<\/span>);
<\/span><\/span>    NtQueryInformationProcess =<\/span> (NTSTATUS (__stdcall<\/span> *<\/span>)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(hModule, "NtQueryInformationProcess"<\/span>);
<\/span><\/span>    v0 =<\/span> GetCurrentProcess();
<\/span><\/span>    NtQueryInformationProcess(v0, ProcessDebugPort, &<\/span>v4, 4<\/span>, 0<\/span>);
<\/span><\/span>    return<\/span> v4 !=<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>

直接nop掉检测后的跳转指令<\/li>
先运行程序，再用调试器附加<\/li>
<\/ol>
2.3 初始化函数<\/h3>
_DWORD *<\/span>__thiscall sub_401FE0<\/span>(_DWORD *<\/span>this) {
<\/span><\/span>    int<\/span> i; 
<\/span><\/span>    
<\/span><\/span>    *<\/span>this =<\/span> &<\/span>EASYRE::<\/span>`<\/span>vftable'<\/span>;  \/\/ 设置虚函数表
<\/span><\/span><\/span><\/span>    this[1<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化第一组比较数据(40字节)
<\/span><\/span><\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 52<\/span>) =<\/span> 8<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 53<\/span>) =<\/span> 0xEA<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 54<\/span>) =<\/span> 0x58<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 55<\/span>) =<\/span> 0xDE<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 56<\/span>) =<\/span> 0x94<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 57<\/span>) =<\/span> 0xD0<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 58<\/span>) =<\/span> 0x3B<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 59<\/span>) =<\/span> 0xBE<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 60<\/span>) =<\/span> 0x88<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 61<\/span>) =<\/span> 0xD4<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 62<\/span>) =<\/span> 0x32<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 63<\/span>) =<\/span> 0xB6<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 64<\/span>) =<\/span> 0x14<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 65<\/span>) =<\/span> 0x82<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 66<\/span>) =<\/span> 0xB7<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 67<\/span>) =<\/span> 0xAF<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 68<\/span>) =<\/span> 0x14<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 69<\/span>) =<\/span> 0x54<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 70<\/span>) =<\/span> 0x7F<\/span>;
<\/span><\/span>    *<\/span>((_BYTE *<\/span>)this +<\/span> 71<\/span>) =<\/span> 0xCF<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化第二组比较数据(20字节)
<\/span><\/span><\/span><\/span>    qmemcpy(this +<\/span> 18<\/span>, "03<\/span>\"<\/span>3 0 203<\/span>\"<\/span>$"<\/span>, 20<\/span>);
<\/span><\/span>    
<\/span><\/span>    sub_4030A0(this +<\/span> 23<\/span>);
<\/span><\/span>    sub_402DE0(this +<\/span> 26<\/span>);
<\/span><\/span>    
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 40<\/span>; ++<\/span>i)
<\/span><\/span>        *<\/span>((_BYTE *<\/span>)this +<\/span> i +<\/span> 12<\/span>) =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    return<\/span> this;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 主要处理函数<\/h3>
int<\/span> sub_40F150<\/span>(int<\/span> a1, int<\/span> a2, ...) {
<\/span><\/span>    va_list va;
<\/span><\/span>    va_start(va, a2);
<\/span><\/span>    
<\/span><\/span>    sub_40F5B0(std::<\/span>cout, "Please input your flag : "<\/span>);
<\/span><\/span>    std::<\/span>ostream::<\/span>operator<<<\/span>(v2, sub_40F8F0);
<\/span><\/span>    sub_40F930(std::<\/span>cin, flag);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (sub_4024B0(flag)) {  \/\/ 关键校验函数
<\/span><\/span><\/span><\/span>        sub_40F5B0(std::<\/span>cout, &<\/span>unk_4122F0);  \/\/ "Congratulations"
<\/span><\/span><\/span><\/span>        result =<\/span> 1<\/span>;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        sub_40F5B0(std::<\/span>cout, &<\/span>unk_41231C);  \/\/ "I'm sorry"
<\/span><\/span><\/span><\/span>        result =<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 关键校验函数<\/h3>
BOOL __thiscall sub_4024B0<\/span>(_DWORD *<\/span>this, int<\/span> flag) {
<\/span><\/span>    this[2<\/span>] =<\/span> flag;
<\/span><\/span>    result =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (sub_402500(flag)) {  \/\/ 校验flag格式
<\/span><\/span><\/span><\/span>        sub_4026E0();        \/\/ 处理flag
<\/span><\/span><\/span><\/span>        if<\/span> (sub_402A00())    \/\/ 比较结果
<\/span><\/span><\/span><\/span>            result =<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. Flag格式校验<\/h2>
通过分析sub_402500<\/code>函数，发现flag格式为：<\/p>
^swpuctf\{\w{4}\-\w{4}\-\w{4}\-\w{4}\-\w{4}\}$
<\/code><\/pre>
即：swpuctf{xxxx-xxxx-xxxx-xxxx-xxxx}<\/code><\/p>
4. 核心加密逻辑<\/h2>
4.1 字符处理函数<\/h3>
int<\/span> __thiscall sub_402730<\/span>(_DWORD *<\/span>this, int<\/span> a2) {
<\/span><\/span>    \/\/ 获取flag的4个字符部分
<\/span><\/span><\/span><\/span>    v10 =<\/span> this[2<\/span>] +<\/span> 5<\/span> *<\/span> a2 +<\/span> 8<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 对每个字符进行处理
<\/span><\/span><\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 4<\/span>; ++<\/span>i) {
<\/span><\/span>        \/\/ 计算左移进位次数
<\/span><\/span><\/span><\/span>        v4 =<\/span> *<\/span>((_BYTE *<\/span>)&<\/span>v13 +<\/span> v2);
<\/span><\/span>        _DL =<\/span> v4;
<\/span><\/span>        __asm<\/span> { rcl dl, 1<\/span> }  \/\/ 循环左移直到进位
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        \/\/ 计算右边0的个数
<\/span><\/span><\/span><\/span>        do<\/span> {
<\/span><\/span>            v6 =<\/span> v4 &<\/span> 1<\/span>;
<\/span><\/span>            v4 =<\/span> (v4 >><\/span> 1<\/span>) |<\/span> v8;
<\/span><\/span>            ++<\/span>v7;
<\/span><\/span>        } while<\/span> (v6);
<\/span><\/span>        
<\/span><\/span>        \/\/ 计算结果
<\/span><\/span><\/span><\/span>        res1 =<\/span> 右边<\/span>0<\/span>的个数<\/span> +<\/span> 左移进位次数<\/span>;
<\/span><\/span>        res2 =<\/span> (flag <<<\/span> 左移进位次数<\/span>) &<\/span> 0xff<\/span> >><\/span> res1;
<\/span><\/span>        res3 =<\/span> (flag <<<\/span> (8<\/span> -<\/span> 0<\/span>的个数<\/span>)) |<\/span> ((flag >><\/span> (8<\/span> -<\/span> 左移次数<\/span>)) <<<\/span> 左移次数<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> sub_402F80(&<\/span>v13);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 关键比较函数<\/h3>
int<\/span> __thiscall sub_402A00<\/span>(unsigned<\/span> __int8<\/span> *<\/span>this) {
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 40<\/span>; ++<\/span>i) {
<\/span><\/span>        if<\/span> (this[i +<\/span> 52<\/span>] !=<\/span> this[i +<\/span> 12<\/span>])
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 解题思路<\/h2>


分析加密过程<\/strong>：<\/p>

每个字符独立处理，不受前后字符影响<\/li>
对每个字符进行位移运算，生成3个结果<\/li>
通过5次循环处理，每次处理4个字符<\/li>
<\/ul>
<\/li>

逆向算法<\/strong>：<\/p>

根据已知的比较数据逆向推导字符<\/li>
使用暴力破解方法尝试可能的字符组合<\/li>
<\/ul>
<\/li>
<\/ol>
6. 解题脚本<\/h2>
import<\/span> string
<\/span><\/span>
<\/span><\/span># 计算左移进位次数<\/span>
<\/span><\/span>def<\/span> check_1<\/span>(c):
<\/span><\/span>    num =<\/span> 0<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        c =<\/span> c <<<\/span> 1<\/span>
<\/span><\/span>        num +=<\/span> 1<\/span>
<\/span><\/span>        if<\/span> c &<\/span> 0x100<\/span>:
<\/span><\/span>            return<\/span> num
<\/span><\/span>
<\/span><\/span># 计算右边0的个数<\/span>
<\/span><\/span>def<\/span> check_0<\/span>(c):
<\/span><\/span>    num =<\/span> 0<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        if<\/span> c &<\/span> 1<\/span>:
<\/span><\/span>            return<\/span> num
<\/span><\/span>        num +=<\/span> 1<\/span>
<\/span><\/span>        c =<\/span> c >><\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span># 生成三个结果<\/span>
<\/span><\/span>def<\/span> generate_0<\/span>(c):
<\/span><\/span>    res1 =<\/span> check_0(c) +<\/span> check_1(c)
<\/span><\/span>    res2 =<\/span> ((c <<<\/span> check_1(c)) &<\/span> 0xff<\/span>) >><\/span> res1
<\/span><\/span>    res3 =<\/span> ((c >><\/span> (8<\/span> -<\/span> check_1(c))) <<<\/span> check_1(c)) |<\/span> ((c <<<\/span> (8<\/span> -<\/span> check_0(c))) &<\/span> 0xff<\/span>) >><\/span> res1
<\/span><\/span>    return<\/span> [res1, res2, res3]
<\/span><\/span>
<\/span><\/span># 分类可能字符<\/span>
<\/span><\/span>def<\/span> classify<\/span>():
<\/span><\/span>    for_each =<\/span> string.<\/span>ascii_lowercase +<\/span> string.<\/span>ascii_uppercase +<\/span> string.<\/span>digits
<\/span><\/span>    second_part_res =<\/span> '03"3 0 203"$'<\/span>
<\/span><\/span>    res =<\/span> {}
<\/span><\/span>    d =<\/span> dict.<\/span>fromkeys(list(set(second_part_res)))
<\/span><\/span>    
<\/span><\/span>    for<\/span> i in<\/span> list(set(second_part_res)):
<\/span><\/span>        d[i] =<\/span> []
<\/span><\/span>    
<\/span><\/span>    for<\/span> i in<\/span> for_each:
<\/span><\/span>        tmp =<\/span> check_part(ord(i))
<\/span><\/span>        if<\/span> tmp:
<\/span><\/span>            d[tmp].<\/span>append(i)
<\/span><\/span>    
<\/span><\/span>    return<\/span> d
<\/span><\/span>
<\/span><\/span># 检查字符是否符合第二部分<\/span>
<\/span><\/span>def<\/span> check_part<\/span>(c):
<\/span><\/span>    tmp =<\/span> list(set('03"3 0 203"$'<\/span>))
<\/span><\/span>    tmp2 =<\/span> check_0(c) |<\/span> (16<\/span> *<\/span> check_1(c))
<\/span><\/span>    for<\/span> i in<\/span> tmp:
<\/span><\/span>        if<\/span> tmp2 ==<\/span> ord(i):
<\/span><\/span>            return<\/span> i
<\/span><\/span>    return<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span># 测试第一部分<\/span>
<\/span><\/span>def<\/span> test_1<\/span>(c, v14):
<\/span><\/span>    exam =<\/span> {c: generate_0(ord(c))}
<\/span><\/span>    v14 =<\/span> v14 -<\/span> (8<\/span> -<\/span> exam[c][0<\/span>])
<\/span><\/span>    tmp =<\/span> exam[c][1<\/span>] <<<\/span> v14
<\/span><\/span>    return<\/span> tmp, v14
<\/span><\/span>
<\/span><\/span># 测试第二部分<\/span>
<\/span><\/span>def<\/span> test_2<\/span>(c, v14):
<\/span><\/span>    exam =<\/span> {c: generate_0(ord(c))}
<\/span><\/span>    v14 =<\/span> v14 -<\/span> exam[c][0<\/span>]
<\/span><\/span>    tmp =<\/span> exam[c][2<\/span>] <<<\/span> v14
<\/span><\/span>    return<\/span> tmp, v14
<\/span><\/span>
<\/span><\/span># 检查第一部分<\/span>
<\/span><\/span>def<\/span> check_first_part<\/span>(second_part, first_part):
<\/span><\/span>    for<\/span> i in<\/span> d[second_part[0<\/span>]]:
<\/span><\/span>        for<\/span> j in<\/span> d[second_part[1<\/span>]]:
<\/span><\/span>            for<\/span> k in<\/span> d[second_part[2<\/span>]]:
<\/span><\/span>                for<\/span> m in<\/span> d[second_part[3<\/span>]]:
<\/span><\/span>                    v14 =<\/span> 0x20<\/span>
<\/span><\/span>                    tmp, v14 =<\/span> test_1(i, v14)
<\/span><\/span>                    tmp2, v14 =<\/span> test_1(j, v14)
<\/span><\/span>                    tmp3, v14 =<\/span> test_1(k, v14)
<\/span><\/span>                    tmp4, v14 =<\/span> test_1(m, v14)
<\/span><\/span>                    tmp5, v14 =<\/span> test_2(i, v14)
<\/span><\/span>                    tmp6, v14 =<\/span> test_2(j, v14)
<\/span><\/span>                    tmp7, v14 =<\/span> test_2(k, v14)
<\/span><\/span>                    tmp8, v14 =<\/span> test_2(m, v14)
<\/span><\/span>                    tmp =<\/span> tmp |<\/span> tmp2 |<\/span> tmp3 |<\/span> tmp4 |<\/span> tmp5 |<\/span> tmp6 |<\/span> tmp7 |<\/span> tmp8
<\/span><\/span>                    if<\/span> tmp ==<\/span> first_part:
<\/span><\/span>                        return<\/span> i +<\/span> j +<\/span> k +<\/span> m
<\/span><\/span>
<\/span><\/span>d =<\/span> classify()
<\/span><\/span>s2 =<\/span> '03"3 0 203"$'<\/span>
<\/span><\/span>s =<\/span> ['08'<\/span>, 'EA'<\/span>, '58'<\/span>, 'DE'<\/span>, '94'<\/span>, 'D0'<\/span>, '3B'<\/span>, 'BE'<\/span>, '88'<\/span>, 'D4'<\/span>, '32'<\/span>, 'B6'<\/span>, '14'<\/span>, '82'<\/span>, 'B7'<\/span>, 'AF'<\/span>, '14'<\/span>, '54'<\/span>, '7F'<\/span>, 'CF'<\/span>]
<\/span><\/span>
<\/span><\/span>flag =<\/span> 'swpuctf{'<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(0<\/span>, 5<\/span>):
<\/span><\/span>    first_part =<\/span> int(s[3<\/span> +<\/span> 4<\/span> *<\/span> i] +<\/span> s[2<\/span> +<\/span> 4<\/span> *<\/span> i] +<\/span> s[1<\/span> +<\/span> 4<\/span> *<\/span> i] +<\/span> s[4<\/span> *<\/span> i], 16<\/span>)
<\/span><\/span>    second_part =<\/span> s2[i *<\/span> 4<\/span> : i *<\/span> 4<\/span> +<\/span> 4<\/span>]
<\/span><\/span>    res =<\/span> check_first_part(second_part, first_part)
<\/span><\/span>    if<\/span> i ==<\/span> 4<\/span>:
<\/span><\/span>        flag +=<\/span> res
<\/span><\/span>        break<\/span>
<\/span><\/span>    flag +=<\/span> res +<\/span> '-'<\/span>
<\/span><\/span>flag +=<\/span> '}'<\/span>
<\/span><\/span>
<\/span><\/span>print("Flag:"<\/span>, flag)
<\/span><\/span><\/code><\/pre>7. 最终Flag<\/h2>
swpuctf{we18-l8co-m1e4-58to-swpu}
<\/code><\/pre>
SWPUCTF2019 easyRE 逆向分析详解<\/h1>

1. 程序概述<\/h2> 这是一个包含反调试保护和复杂加密逻辑的逆向工程挑战题，要求通过逆向分析找到正确的flag格式和内容。<\/p>

2. 主要函数分析<\/h2>

7. 最终Flag<\/h2> swpuctf{we18-l8co-m1e4-58to-swpu} <\/code><\/pre>

1. 程序概述<\/h2>
这是一个包含反调试保护和复杂加密逻辑的逆向工程挑战题，要求通过逆向分析找到正确的flag格式和内容。<\/p>

7. 最终Flag<\/h2>
`swpuctf{we18-l8co-m1e4-58to-swpu} <\/code><\/pre>`
