RE
PZthon
发现是python写的,先用 pyinstxtractor解包,然后将PZthon.pyc用pycdc反编译得到源码
def hello():
art = '\n ___ \n // ) ) / / // ) ) // | | / / // | | \\ / / \\ / / \n //___/ / / / // //__| | / / //__| | \\ / \\ / / \n / ____ / / / // ____ / ___ | / / / ___ | / / \\/ / \n // / / // / / // | | / / // | | / /\\ / / \n// / /___ ((____/ / // | | / /____/ / // | | / / \\ / / \n \n / / // / / || / / // / / / / /__ ___/ || / | / / // ) ) \n / / //____ || / / //____ / / / / || / | / / // / / \n / / / ____ || / / / ____ / / / / || / /||/ / // / / \n / / // ||/ / // / / / / ||/ / | / // / / \n / /____/ / //____/ / | / //____/ / / /____/ / / / | / | / ((___/ / \n'
print(art)
return bytearray(input('Please give me the flag: ').encode())
enc = [
115,
121,
116,
114,
110,
76,
37,
96,
88,
116,
113,
112,
36,
97,
65,
125,
103,
37,
96,
114,
125,
65,
39,
112,
70,
112,
118,
37,
123,
113,
69,
79,
82,
84,
89,
84,
77,
76,
36,
112,
99,
112,
36,
65,
39,
116,
97,
36,
102,
86,
37,
37,
36,
104]
data = hello()
for i in range(len(data)):
data[i] = data[i] ^ 21
if bytearray(enc) == data:
print('WOW!!')
else:
print('I believe you can do it!')
input('To be continue...')
异或一下拿到flag
enc = [
115,
121,
116,
114,
110,
76,
37,
96,
88,
116,
113,
112,
36,
97,
65,
125,
103,
37,
96,
114,
125,
65,
39,
112,
70,
112,
118,
37,
123,
113,
69,
79,
82,
84,
89,
84,
77,
76,
36,
112,
99,
112,
36,
65,
39,
116,
97,
36,
102,
86,
37,
37,
36,
104]
for i in enc:
print(chr(i ^ 21),end="")
SMC
smc 顾名思义Self-Modifying Code,将代码加密,在运行的时候运行解密的函数,解密加密的代码
这里首先用了一个 VP函数改变了text段的权限,然后通过sub_401042() 里的逻辑,对加密的代码解密,只需要用idapy写一个解密的逻辑,然后转unk类型 转function类型,就能看到加密前的逻辑了
int __cdecl main(int argc, const char **argv, const char **envp)
{
DWORD *v3;
v3 = (DWORD *)malloc(0x26u);
VirtualProtect(&byte_403040, 0x26u, 0x40u, v3);
puts("Please enter your flag:");
sub_401025("%s", (char)&unk_4033D4);
if ( NtCurrentPeb()->BeingDebugged )
{
MessageBoxA(0, "Debug Detected!", "Warning!", 0);
Sleep(0x1388u);
exit(0);
}
sub_401042();
if ( ((int (__cdecl *)(void *, void *))byte_403040)(&unk_4033D4, &unk_403020) )
puts("Win!");
else
puts("Lose!");
return system("pause");
}