This writeup is practice-oriented: the 2024 Yangcheng Cup (羊城杯) recently featured a challenge written in Rust, and it serves here as the example for how to approach Rust reversing.
Challenge name: sedRust_happyVm
Challenge description: unhappy rust, happy vm
Rust reversing really comes down to reading assembly; it tests a contestant's fundamental reversing skills. Once you are looking at the assembly, any obfuscation is merely decoration.
1. Initial analysis
The program is 64-bit, so open it with IDA 64.
[img=720,214.9176807444524]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544787.png[/img]
Use the strings to locate the point of interest.
[img=720,120.60128847530423]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544788.png[/img]
[img=720,459.76503109882515]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544789.png[/img]
Now we know that the length of the input flag must be greater than 0x15.
[img=720,303.7329286798179]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544791.png[/img]
Next, set a breakpoint at the assembly level, enter a fake flag, and watch the values of the relevant registers.
[img=720,279.3349168646081]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544792.png[/img]
[img=720,357.2277227722772]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544793.png[/img]
[img=720,139.43159286186383]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544794.png[/img]
Nothing of interest seems to be here.
[img=720,280.7142857142857]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544795.png[/img]
Keep single-stepping (step over) until the next point worth noting shows up!
[img=720,214.2685370741483]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544796.png[/img]
[img=720,216.7047308319739]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544797.png[/img]
String length: 0x28
We continue single-stepping and tracing.
[img=720,296.11267605633805]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544798.png[/img]
Memory is being allocated here; the analysis is getting close to the function that does the real processing.
[img=720,81.36802973977696]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544799.png[/img]
[img=720,208.82562277580072]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544800.png[/img]
[img=720,233.25443786982248]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544801.png[/img]
[img=720,562.787456445993]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544803.png[/img]
2. Analysing the encryption flow
2.1 base64 split module
For simplicity, the operation that turns every 3 bytes into 4 is called the base64 split module here.
For example, with the input "111":
- -> binary string 001100010011000100110001
- after the base64 split module
- -> 001100 010011 000100 110001
After the program runs past this point, the result is exactly that.
[img=720,361.80602006688963]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544805.png[/img]
2.2 Combination
[img=720,273.081650570676]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544806.png[/img]
For example:
if the 4 bytes after splitting are: then the combined string is
- rax = 0xC
- rcx = 0x1300
- edx = 0xB1130C18
2.3 VM processing module
[img=720,287.10280373831773]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544808.png[/img]
We find that func3 is very messy
and calls sub_40A800() frequently.
[img=720,267.2226855713094]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544809.png[/img]
So this is a VM-type challenge, and the encryption in a VM challenge is usually simple, basically XOR or something similar.
[img=720,148.9655172413793]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544810.png[/img]
Find the XOR inside sub_40A800 and set a breakpoint on it.
[img=720,448.7203791469194]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544811.png[/img]
[img=720,265.4377880184332]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544812.png[/img]
[img=720,96.5925925925926]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544814.png[/img]
[img=720,126.4957264957265]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544815.png[/img]
Every second time this point is hit, al holds a key byte.
[img=720,188.47457627118644]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544816.png[/img]
[img=720,289.5652173913044]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202410081544817.png[/img]
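To confirm the two pieces of the pipeline reconstructed above (section 2.1, the 3-bytes-to-4-six-bit-groups split, and section 2.3, the per-byte XOR with the key stream), here is a forward model of the encryption with its inverse, written as an added example for this writeup. It is not code from the challenge binary or from the original author; the key bytes and the round-trip message are constructed sample values, and the function names are my own. It reproduces the "111" -> 001100 010011 000100 110001 example from section 2.1 and checks that the split/XOR model round-trips, which is the property a solve script relies on.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Forward model, as reconstructed in this writeup:
 *   1. "base64 split": every 3 input bytes become 4 six-bit values (0..63)
 *   2. each six-bit value is XORed with one byte of a key stream
 * Function names and sample values are assumptions for this example. */

/* Split n bytes into 6-bit groups; returns the number of groups written.
 * A trailing partial group is zero-padded on the right (like base64 without '='). */
size_t split6(const unsigned char *in, size_t n, unsigned char *out) {
    size_t j = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned char b0 = in[i];
        unsigned char b1 = (i + 1 < n) ? in[i + 1] : 0;
        unsigned char b2 = (i + 2 < n) ? in[i + 2] : 0;
        out[j++] = b0 >> 2;
        out[j++] = ((b0 & 0x03) << 4) | (b1 >> 4);
        if (i + 1 < n) out[j++] = ((b1 & 0x0f) << 2) | (b2 >> 6);
        if (i + 2 < n) out[j++] = b2 & 0x3f;
    }
    return j;
}

/* Inverse of split6: pack 6-bit groups back into bytes; returns the byte count. */
size_t join6(const unsigned char *in, size_t n, unsigned char *out) {
    size_t j = 0;
    for (size_t i = 0; i < n; i += 4) {
        unsigned char g0 = in[i];
        unsigned char g1 = (i + 1 < n) ? in[i + 1] : 0;
        unsigned char g2 = (i + 2 < n) ? in[i + 2] : 0;
        unsigned char g3 = (i + 3 < n) ? in[i + 3] : 0;
        if (i + 1 < n) out[j++] = (unsigned char)((g0 << 2) | (g1 >> 4));
        if (i + 2 < n) out[j++] = (unsigned char)((g1 << 4) | (g2 >> 2));
        if (i + 3 < n) out[j++] = (unsigned char)((g2 << 6) | g3);
    }
    return j;
}

/* XOR buf in place with a repeating key stream (the VM's only real operation). */
void xor_stream(unsigned char *buf, size_t n, const unsigned char *key, size_t klen) {
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % klen];
}

/* Encrypt: split, then XOR. Returns the number of ciphertext groups. */
size_t encrypt_model(const unsigned char *msg, size_t n,
                     const unsigned char *key, size_t klen, unsigned char *out) {
    size_t g = split6(msg, n, out);
    xor_stream(out, g, key, klen);
    return g;
}

/* Decrypt: XOR back, then re-pack the 6-bit groups. Returns the plaintext length. */
size_t decrypt_model(const unsigned char *ct, size_t g,
                     const unsigned char *key, size_t klen, unsigned char *out) {
    unsigned char tmp[256];
    memcpy(tmp, ct, g);
    xor_stream(tmp, g, key, klen);
    return join6(tmp, g, out);
}

int main(void) {
    /* the "111" example from section 2.1 */
    unsigned char groups[8];
    size_t g = split6((const unsigned char *)"111", 3, groups);
    for (size_t i = 0; i < g; i++) printf("%02x ", groups[i]);
    printf("\n");

    /* constructed key and message for a round-trip check */
    const unsigned char key[] = {0x5a, 0x3c, 0x0f, 0x71, 0x22};
    const unsigned char msg[] = "flag{test}";
    unsigned char ct[64], pt[64];
    size_t n = encrypt_model(msg, 10, key, sizeof key, ct);
    size_t m = decrypt_model(ct, n, key, sizeof key, pt);
    printf("%zu groups, round-trip %s\n", n,
           (m == 10 && memcmp(pt, msg, 10) == 0) ? "ok" : "FAILED");
    return 0;
}
```

The padding rule in split6/join6 matters for this challenge: 32 plaintext bytes produce 43 six-bit groups (10 full groups of 4 plus a partial one), and a 43-group ciphertext packs back into exactly 32 bytes, which is why the extracted ciphertext and key in the solve script below each have 43 bytes.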
Solve script
[code]#include <stdio.h>

int main() {
    // extracted ciphertext
    unsigned char s1[] = {
        0x00,0x82,0x11,0x92,0xa8,0x39,0x82,0x28,0x9a,0x61,0x58,0x8b,0xa2,0x43,0x68,0x89,
        0x4,0x8f,0xb0,0x43,0x49,0x3a,0x18,0x39,0x72,0xc,0xba,0x76,0x98,0x13,0x8b,0x46,
        0x33,0x2b,0x25,0xa2,0x8b,0x27,0xb7,0x61,0x7c,0x3f,0x58
    };
    // extracted key
    unsigned char s2[] = {
        0x18,0xb1,0x9,0xa4,0xa6,0x2a,0x9e,0x1b,0x96,0x57,0x5d,0xad,0xae,0x75,0x65,0xac,
        0x9,0x8c,0xa0,0x76,0x47,0x2c,0x10,0x1,0x7c,0xf,0xba,0x47,0x95,0x30,0x9b,0x74,
        0x3f,0x2d,0x2d,0x9a,0x87,0x31,0xba,0x43,0x70,0x2c,0x4c
    };
    // undo the VM's XOR: recover the 43 six-bit values
    unsigned char s3[128] = { 0 };
    for (int i = 0; i < 43; i++) {
        s3[i] = s1[i] ^ s2[i];
    }
    // undo the base64 split module: pack every 4 six-bit values back into 3 bytes
    // (s3 is zero-initialised, so the read of s3[43] in the last round is padding)
    char s4[128] = { 0 };
    int j = 0;
    for (int i = 0; i < 44; i += 4, j += 3) {
        s4[j]     = (s3[i] << 2) | (s3[i + 1] >> 4);
        s4[j + 1] = (s3[i + 1] << 4) | (s3[i + 2] >> 2);
        // the listing on the original page was cut off after this line;
        // the third byte and the print follow from the same 4-to-3 packing rule
        s4[j + 2] = (s3[i + 2] << 6) | s3[i + 3];
    }
    printf("%s\n", s4);
    return 0;
}[/code]