This challenge has a lot in common with re2 from the 7th HWS offline finals: both contain a backdoor function.
A binary backdoor can be understood like this: we only need to modify a single byte or a single function to turn the encryption routine into a decryption routine, which saves a great deal of reverse-engineering effort.
This challenge first decrypts a built-in DLL, then calls that DLL's encryption function to encrypt our txt file. If we patch (NOP) the call to the encryption function into a call to the decryption function, the file is decrypted directly, much like the dynamic RC4 decryption trick.
1. Initial analysis
Null-address exception anti-debugging
One highlight of this challenge is anti-debugging based on an access violation at address 0. Did anyone else find debugging unusually painful while working on it?
[img=720,211.6]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616636.png[/img]
The program deliberately accesses address 0
and then runs the author's custom exception handler. If we step over without going through that handler while debugging dynamically in IDA, the program hangs there and cannot continue.
[img=720,286.1203770848441]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616639.png[/img]
The fix is simple: NOP out both the code that accesses address 0 and the exception handler entirely
(in plain terms: NOP out every piece of assembly related to the exception and you are done)
[img=720,363.8181818181818]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616640.png[/img]
The handler function is NOP'ed out in full as well
[img=720,314.7153900210822]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616642.png[/img]
The return site is NOP'ed too, to match the start
main function
Analyzing main, the decompiler fails and shows red
[img=720,178.95953757225433]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616643.png[/img]
That is expected: looking at the assembly, we find the exception-based anti-debugging plus exception-based junk instructions interfering with analysis
The fix is simple: just NOP them out
[img=720,314.4230769230769]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616644.png[/img]
For the exact steps, see the previous subsection on null-address exception anti-debugging
[img=720,161.4065934065934]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616645.png[/img]
NOP
[img=720,202.5645933014354]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616646.png[/img]
The function is generated successfully
[img=720,319.0184049079755]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616647.png[/img]
[img=720,468.3434518647008]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616649.png[/img]
[img=720,283.2471008028546]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616650.png[/img]
TLS callback
Trying to run the program, it exits immediately; we find a TLS anti-debugging callback
[img=720,291.3572023313905]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616651.png[/img]
Just NOP it out
[img=720,392.6742301458671]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616652.png[/img]
Generate the function
[img=720,366.4589235127479]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616653.png[/img]
NOP out the exit call and the anti-debugging no longer matters
[img=720,312.8]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616655.png[/img]
2. Decrypting the embedded DLL resource
Open file_encrypt with a tool
[img=720,224.25296442687747]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616656.png[/img]
We find an embedded PE program; we guess the key is 0x33 and decrypt it
This is the program decrypting with 0x33
[img=720,303.88375165125495]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616658.png[/img]
[img=720,305.6185919343814]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616659.png[/img]
We find many encryption and decryption functions (names starting with Crypt), so the challenge program uses this DLL to perform its encryption and decryption
Later in the analysis we also find the function that loads our DLL
[img=720,436.0732113144759]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616660.png[/img]
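The key-recovery step above (guessing 0x33 and checking that a PE comes out) can be automated. The following is an added example, not code from the writeup or the challenge: it brute-forces every single-byte XOR key and accepts the one that yields a blob with an MZ magic and a PE\0\0 signature at e_lfanew. The embedded resource is replaced by a constructed minimal PE header XORed with 0x33.

```python
# Added example: recover a single-byte XOR key for an embedded PE resource and
# validate the candidate by its DOS/NT signatures (sample data is constructed).
import struct
from typing import Optional

def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the scheme file_encrypt uses to unpack its built-in DLL."""
    return bytes(b ^ key for b in data)

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and has 'PE\\0\\0' at offset e_lfanew (0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def guess_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 keys; return the first one that decrypts to a plausible PE."""
    for key in range(256):
        if looks_like_pe(xor_decrypt(blob, key)):
            return key
    return None

def build_sample() -> bytes:
    """Constructed stand-in for the resource: a minimal PE header XORed with 0x33."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)       # e_lfanew points right after it
    header += b"PE\x00\x00" + b"\x00" * 20           # NT signature + zeroed COFF header
    return xor_decrypt(bytes(header), 0x33)          # "encrypt" with the challenge key

if __name__ == "__main__":
    enc = build_sample()
    key = guess_xor_key(enc)
    print(f"recovered key: {key:#x}")                # recovered key: 0x33
    print(xor_decrypt(enc, key)[:2])                 # b'MZ'
```

On the real resource, dump the decrypted bytes to a file and open it in IDA to confirm the Crypt* exports the writeup mentions.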
3. Key function analysis
[img=720,283.2471008028546]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616650.png[/img]
sub_401320
[img=720,177.62376237623764]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616661.png[/img]
[img=720,324.4755244755245]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616662.png[/img]
Dynamic debugging in IDA hit a lot of bugs, breaking for no apparent reason, so I switched to x64dbg
sub_402000
[img=720,340.63291139240505]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616663.png[/img]
The path depends on the drive letter; for example, mine is on drive C
C:......\document\1.txt
[img=720,258.8502024291498]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616665.png[/img]
It locates 1.txt
[img=720,104.11568409343715]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616666.png[/img]
sub_4017E0
[img=720,327.938]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616667.png[/img]
[img=720,51.91940615058324]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616668.png[/img]
Loading the DLL
[img=720,212.8738800827016]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616669.png[/img]
sub_4013E0
[img=720,179.39556749496307]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616670.png[/img]
[img=720,194.67391304347825]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616671.png[/img]
[img=720,247.130570758405]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616672.png[/img]
4. Decryption
Since the program calls the encrypt function, we simply change it to the decrypt one
[img=720,222.36612702366128]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616673.png[/img]
[img=720,357.3960216998192]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616674.png[/img]
[img=720,370.6590257879656]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616675.png[/img]
I added the missing CryptDecrypt call to the binary's import table and patched the executable to decrypt the files. The decryption call takes one parameter less than the encryption one, so I NOP'ed one push to the stack as well:
[img=720,536.575]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616676.png[/img]
[img=720,249.46478873239437]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616677.png[/img]
[img=720,243.70942812982997]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202407251616678.png[/img]