强网杯 2024 All RE WP 逆向工程详细解析<\/h3>

1. MIPS逆向分析<\/strong><\/h4>
题目特征<\/strong><\/p>

使用QEMU模拟器加载MIPS二进制文件，存在反调试陷阱（调试\/attach状态下无法获取关键异或值）。<\/li>
虚假Flag：直接解MIPS二进制会得到假Flag。<\/li> <\/ul>
关键步骤<\/strong><\/p>

定位关键函数<\/strong><\/p>

IDA中搜索23000<\/code>，定位校验函数，交叉引用发现对Flag头部和长度的检查。<\/li>
魔改RC4加密：对输入字符串进行加密并异或操作。<\/li> <\/ul> <\/li>
解密脚本<\/strong><\/p> #include<\/span> <stdio.h><\/span> <\/span><\/span><\/span>#include<\/span> <malloc.h><\/span> <\/span><\/span><\/span><\/span>unsigned<\/span> char<\/span> N_str[] =<\/span> {0xDE<\/span>, 0xAD<\/span>, 0xBE<\/span>, 0xEF<\/span>}; <\/span><\/span>unsigned<\/span> char<\/span> map1[256<\/span>], map2[256<\/span>]; <\/span><\/span> <\/span><\/span>void<\/span> swap<\/span>(unsigned<\/span> char<\/span> *<\/span>inp, int<\/span> x, int<\/span> y) { <\/span><\/span> unsigned<\/span> char<\/span> ch =<\/span> inp[x]; <\/span><\/span> inp[x] =<\/span> inp[y]; <\/span><\/span> inp[y] =<\/span> ch; <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> init<\/span>() { <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 256<\/span>; i++<\/span>) { <\/span><\/span> unsigned<\/span> char<\/span> v3 =<\/span> ((((i <<<\/span> 7<\/span>) |<\/span> (i >><\/span> 1<\/span>)) <<<\/span> 6<\/span>) ^<\/span> 0xC0<\/span> |<\/span> (((i <<<\/span> 7<\/span>) |<\/span> (i >><\/span> 1<\/span>)) >><\/span> 2<\/span>) ^<\/span> 0x3B<\/span>) ^<\/span> 0xBE<\/span>; <\/span><\/span> unsigned<\/span> char<\/span> out =<\/span> ((((16<\/span> *<\/span> (((32<\/span> *<\/span> v3) |<\/span> (v3 >><\/span> 3<\/span>)) ^<\/span> 0xAD<\/span>)) |<\/span> ((((32<\/span> *<\/span> v3) |<\/span> (v3 >><\/span> 3<\/span>)) ^<\/span> 0xAD<\/span>) >><\/span> 4<\/span>)) ^<\/span> 0xDE<\/span>) >><\/span> 5<\/span>) |<\/span> (8<\/span> *<\/span> (((16<\/span> *<\/span> (((32<\/span> *<\/span> v3) |<\/span> (v3 >><\/span> 3<\/span>)) ^<\/span> 0xAD<\/span>)) |<\/span> ((((32<\/span> *<\/span> v3) |<\/span> (v3 >><\/span> 3<\/span>)) ^<\/span> 0xAD<\/span>) >><\/span> 4<\/span>)) ^<\/span> 0xDE<\/span>))); <\/span><\/span> map1[out] =<\/span> i; <\/span><\/span> map2[i] =<\/span> out; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>unsigned<\/span> char<\/span> *<\/span>de_rc4<\/span>(unsigned<\/span> char<\/span> *<\/span>inp) { <\/span><\/span> \/\/ RC4解密逻辑（略） <\/span><\/span><\/span><\/span> \/\/ 关键操作：交换字节、异或0xA、解密映射 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>int<\/span> main<\/span>() { <\/span><\/span> init(); <\/span><\/span> unsigned<\/span> char<\/span> cip[] =<\/span> {0xC4<\/span>, 0xEE<\/span>, 0x3C<\/span>, 0xBB<\/span>, 0xE7<\/span>, 0xFD<\/span>, 0x67<\/span>, 0x1D<\/span>, 0xF8<\/span>, 0x97<\/span>, 0x68<\/span>, 0x9D<\/span>, 0x0B<\/span>, 0x7F<\/span>, 0xC7<\/span>, 0x80<\/span>, 0xDF<\/span>, 0xF9<\/span>, 0x4B<\/span>, 0xA0<\/span>, 0x46<\/span>, 0x91<\/span>}; <\/span><\/span> swap(cip, 12<\/span>, 16<\/span>); <\/span><\/span> swap(cip, 7<\/span>, 11<\/span>); <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 22<\/span>; i++<\/span>) cip[i] ^=<\/span> 0xa<\/span>; <\/span><\/span> unsigned<\/span> char<\/span> *<\/span>m =<\/span> de_rc4(cip); <\/span><\/span> printf("flag{%.*s}"<\/span>, 22<\/span>, m); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>Flag<\/strong>: flag{QeMu_r3v3rs3in9_h@ck6}<\/code><\/p> <\/li> <\/ol> 2. REMEM (AES白盒逆向)<\/strong><\/h4> 题目特征<\/strong><\/p> ELF文件修复后，程序通过mmap动态加载Shellcode片段执行。<\/li> 收集所有Shellcode片段后，识别为AES白盒加密。<\/li> <\/ul> 解题步骤<\/strong><\/p> 收集Shellcode<\/strong><\/p> 动态调试获取所有mmap的Shellcode片段（如0x7F722B883000<\/code>处的指令流）。<\/li> 整理出AES的轮密钥加、字节代换、行移位等操作。<\/li> <\/ul> <\/li> 差分故障分析<\/strong><\/p> 通过注入故障获取中间状态，推导出密钥。<\/li> 关键脚本（Python）： from<\/span> struct import<\/span> pack <\/span><\/span>flag =<\/span> pack(">I"<\/span>,0x33636662<\/span>) +<\/span> pack(">I"<\/span>,0x336f1d5<\/span> +<\/span> 0x5e2f4391<\/span>) +<\/span> ...<\/span> # 拼接各part<\/span> <\/span><\/span>print("flag{"<\/span> +<\/span> flag.<\/span>hex() +<\/span> "}"<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> Flag<\/strong>: flag{3cfbaf5f9a18382aa23}<\/code><\/p> <\/li> <\/ol> 3. EZ_VM (虚拟化逆向)<\/strong><\/h4> 题目特征<\/strong><\/p> 实现自定义虚拟机，系统调用通过syscalls\/nt\/64\/<\/code>表恢复符号。<\/li> 手动定义虚拟机上下文结构体（包含寄存器、内存等）。<\/li> <\/ul> 逆向步骤<\/strong><\/p> 结构体恢复<\/strong> struct<\/span> context { <\/span><\/span> _QWORD regs[16<\/span>]; \/\/ 寄存器 <\/span><\/span><\/span><\/span> _QWORD stack_base; \/\/ 栈基址 <\/span><\/span><\/span><\/span> _QWORD opcode; \/\/ 操作码 <\/span><\/span><\/span><\/span>}; <\/span><\/span><\/code><\/pre><\/li> 动态跟踪<\/strong> 对输入流下内存断点，记录数据流变化（如AES行移位特征）。<\/li> <\/ul> <\/li> <\/ol> 4. SNAKE (贪吃蛇算法)<\/strong><\/h4> 题目特征<\/strong><\/p> 输入序列需最小化移动步数，通过箱子的移动次数生成Flag的MD5。<\/li> <\/ul> 解题步骤<\/strong><\/p> 自动求解<\/strong><\/p> 使用开源推箱子求解器配置地图，获取最优路径。<\/li> 移动序列：2,12,13,9,21,13,25,31,3<\/code>。<\/li> <\/ul> <\/li> Flag生成<\/strong><\/p> import<\/span> hashlib <\/span><\/span>moves =<\/span> [2<\/span>,12<\/span>,13<\/span>,9<\/span>,21<\/span>,13<\/span>,25<\/span>,31<\/span>,3<\/span>] <\/span><\/span>md5 =<\/span> hashlib.<\/span>md5(','<\/span>.<\/span>join(map(str, moves)).<\/span>encode()).<\/span>hexdigest() <\/span><\/span>print("flag{"<\/span> +<\/span> md5 +<\/span> "qwb!}"<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. SOLVE2-APK (Android逆向)<\/strong><\/h4> 题目特征<\/strong><\/p> JEB反编译关键函数，发现混淆严重的TEA变种加密。<\/li> <\/ul> 解密流程<\/strong><\/p> TEA解密核心<\/strong> void<\/span> decrypt<\/span>(uint32_t<\/span> v[2<\/span>], uint32_t<\/span> k[4<\/span>]) { <\/span><\/span> uint32_t<\/span> sum =<\/span> 0x61C88647<\/span> *<\/span> 32<\/span>; <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 32<\/span>; i++<\/span>) { <\/span><\/span> v[1<\/span>] -=<\/span> ((v[0<\/span>] <<<\/span> 4<\/span>) ^<\/span> (v[0<\/span>] >><\/span> 5<\/span>)) +<\/span> v[0<\/span>] ^<\/span> (sum +<\/span> k[(sum >><\/span> 11<\/span>) &<\/span> 3<\/span>]); <\/span><\/span> sum +=<\/span> 0x61C88647<\/span>; <\/span><\/span> v[0<\/span>] -=<\/span> ((v[1<\/span>] <<<\/span> 4<\/span>) ^<\/span> (v[1<\/span>] >><\/span> 5<\/span>)) +<\/span> v[1<\/span>] ^<\/span> (sum +<\/span> k[sum &<\/span> 3<\/span>]); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 多层校验<\/strong> 第一层：TEA解密后校验。<\/li> 第二层：后32字节异或校验。<\/li> <\/ul> <\/li> <\/ol> Final Flag<\/strong>: flag{iT3N0t7H@tH@E6D0YOV7hInkS0}<\/code><\/p> 总结<\/h3> 工具链<\/strong>：IDA\/QEMU\/JEB\/BPFtrace\/Frida。<\/li> 技巧<\/strong>：动态插桩、差分分析、结构体恢复、自动化求解。<\/li> 关键点<\/strong>：魔改算法识别、反调试绕过、数据流跟踪。<\/li> <\/ul>