西湖论剑 2024 Reverse WriteUp

MZ

在 IDA 中定位到校验用的状态转移表后，用下面的 IDAPython 脚本对它做一次广度优先搜索即可（搜索面太宽时，把上一轮输出里有意义的前缀回填到 steps 中剪枝）:

import string
from collections import deque

import idaapi


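# The checker is a transition table: for every input byte c the table holds a
# pair of dwords (next_char, next_table) at index 2*c / 2*c+1, i.e. 512 dwords
# / 256 entries per table.  Following the pair for an accepted character leads
# to the table for the next input position, so the flag is a path through
# these tables.
table_addr = 0x00449078
# Length of the accepted input; paths are not extended past this.
TARGET_LEN = 48
# A character is accepted when the stored byte is the input byte shifted by
# exactly 5 in either direction (the original test was c-5 == n or c+5 == n).
SHIFT = 5


def _transitions(addr: int) -> list[tuple[str, int]]:
    """Return the (char, next_table_addr) pairs accepted from the table at *addr*.

    Candidates are tried in ``string.printable`` order (whitespace included,
    as in the original search) so the breadth-first walk below visits them in
    the same order a plain loop would.  Each entry is read straight from the
    IDB with ``idaapi.get_dword``; only the low byte of the first dword is
    compared.  NOTE(review): an unmapped next_table presumably yields all-ones
    dwords from get_dword, in which case no printable byte matches and that
    branch simply dies off — confirm if a run ever raises here.
    """
    accepted: list[tuple[str, int]] = []
    for v in string.printable:
        c = ord(v)
        next_c = idaapi.get_dword(addr + (2 * c) * 4) & 0xFF
        next_addr = idaapi.get_dword(addr + (2 * c + 1) * 4)
        if abs(next_c - c) == SHIFT:
            accepted.append((v, next_addr))
    return accepted


# Sanity check that the table is where we think it is: print the entry for 'a'.
print(hex(idaapi.get_dword(table_addr + (2 * ord("a")) * 4)))

# First-level candidates straight from the root table.
steps = [{"path": v, "addr": a} for v, a in _transitions(table_addr)]
print(steps)

# Pruning: the unconstrained search branches far too widely, so the queue is
# re-seeded by hand with the meaningful prefix read off the previous run's
# output (here 4522496 == 0x450200 is the table reached after that prefix).
# Repeat until the prefix reaches TARGET_LEN.
steps = deque([{"path": "Somet1mes_ch0ice_i5_more_import@nt_tHan_effor", "addr": 4522496}])
res: list[dict] = []

# Breadth-first traversal.  deque.popleft() is O(1); the original popped with
# `steps = steps[1:]`, which copied the whole queue on every iteration.
while steps:
    step = steps.popleft()

    print("------------------------")
    print(list(steps))
    print(step)
    print("------------------------")
    if len(step["path"]) == TARGET_LEN:
        res.append(step)
        continue

    for v, next_table in _transitions(step["addr"]):
        steps.append({"path": step["path"] + v, "addr": next_table})

print(res)
# Recovered input: 'Somet1mes_ch0ice_i5_more_import@nt_tHan_effort~!'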

BabyCPP

用到了 C++ 的 STL：先用函数封装了 &、<<、>>、^ 这几个位运算，再用它们实现了 TEA，之后的还原有点体力活，有时间再更…