ezlua

关键位置在于这里

img

运行程序后发现,随便输入40字节的hex字符,程序会输出 attempt to call a string value。调试发现 lua_pcall 的返回值为1,即调用失败,说明传入 lua_State 的数据不合法

经过两次dump对比,合法输入的check位于0x59B9位置,输入除去03外的20字节对应的hex即可

img

img

g0Re-U

因为感觉加了壳,找到start入口点进行dump

image-20230721183221778

dump后:

image-20230721184030914

逆推第一步是:减去key值 再进行xor 0x1A

image-20230721185441440

动态调试的时候发现key的值进行了改变

// Reproduces the key rewrite seen while debugging g0Re-U: the static string
// "kjsuhnmsknw2n46p" is shifted letter by letter and the result is printed.
// Letters in b..m / B..M move up by 12; letters in n..y / N..Z move down by 12.
// Every other byte (digits, 'a', 'z', 'A') is left untouched.
// Note the upper-case "down" range ends at 'Z' while the lower-case one ends
// at 'y'; the ranges are kept exactly as transcribed.
void change_key()
{
    std::string key = "kjsuhnmsknw2n46p";

    for (char &ch : key)
    {
        const bool shift_up = (ch >= 0x62 && ch <= 0x6D) || (ch >= 0x42 && ch <= 0x4D);
        const bool shift_down = (ch >= 0x6E && ch <= 0x79) || (ch >= 0x4E && ch <= 0x5A);

        // The four ranges are disjoint, so at most one adjustment applies.
        if (shift_up)
        {
            ch += 0xC;
        }
        else if (shift_down)
        {
            ch -= 0xC;
        }
    }

    // Prints the run-time key; for this input that is "wvgitbygwbk2b46d".
    std::cout << key << std::endl;
}

image-20230721194419811

#include <iostream>
#include <string>

using namespace std;



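// Undoes the outermost stage of the g0Re-U check: each ciphertext byte has the
// repeating 16-byte key subtracted and is then XORed with 0x1A. The decoded
// bytes are written to stdout followed by a newline.
//
// Output goes through std::cout rather than printf: the listing includes only
// <iostream> and <string>, so printf compiled only where <iostream> happened
// to pull in <cstdio>.
int main()
{
    // Target bytes taken from the binary (presumably an IDA export, going by
    // the name). The table holds 65 bytes; only the first 64 are decoded
    // below, and the trailing 0x55 is ignored, as in the original solver.
    const unsigned char ida_chars[] =
    {
      0xE6, 0xCE, 0x89, 0xC8, 0xCF, 0xC5, 0xF5, 0xC9, 0xD2, 0xD9,
      0xC0, 0x91, 0xCE, 0x7F, 0xAC, 0xCC, 0xE9, 0xCF, 0xB7, 0xC0,
      0x96, 0xD4, 0xEA, 0x92, 0xE2, 0xD7, 0xDF, 0x84, 0xCB, 0xA5,
      0xAE, 0x93, 0xA6, 0xCA, 0xBE, 0x97, 0xDF, 0xCE, 0xF0, 0xC9,
      0xB7, 0xE1, 0xAE, 0x6B, 0xC4, 0xB1, 0x65, 0xDB, 0xCE, 0xED,
      0x92, 0x93, 0xD6, 0x8C, 0xED, 0xC3, 0xA3, 0xDA, 0x94, 0xA5,
      0xAA, 0xB2, 0xB5, 0xA7, 0x55
    };

    // Run-time key, ASCII "wvgitbygwbk2b46d" (16 bytes).
    const unsigned char key[] =
    {
      0x77, 0x76, 0x67, 0x69, 0x74, 0x62, 0x79, 0x67, 0x77, 0x62,
      0x6B, 0x32, 0x62, 0x34, 0x36, 0x64
    };

    const int decoded_len = 64;
    unsigned char enc_1[decoded_len] = {0};

    for (int i = 0; i < decoded_len; i++)
    {
        // The subtraction is done in int and truncated back to one byte, which
        // gives the intended modulo-256 result; the key repeats every 16 bytes.
        enc_1[i] = static_cast<unsigned char>((ida_chars[i] - key[i % sizeof(key)]) ^ 0x1A);
        std::cout << enc_1[i];
    }

    std::cout << '\n';
    return 0;
}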

进行变表的base64 : 456789}#IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123ABCDEFGH

再进行AES,其中key就是上面的wvgitbygwbk2b46d

image-20230721194652720

image-20230721194801856

M1_read

点击左上角的图标后,在弹出的about中可以看到key = 0

image-20230806164151461

白盒AES,这里有个xor 66

image-20230806171409677

先将数据进行xor 0x66,再用key=0进行AES解密

image-20230806185525060

from Crypto.Cipher import AES

# Solver for M1_read: undo the XOR with 0x66, then AES-decrypt with the
# all-zero 128-bit key.
key = bytes.fromhex('00000000000000000000000000000000')

# The 16 target bytes, still XOR-masked at this point.
data = [
    0x0B, 0x98, 0x7E, 0xF5, 0xD9, 0x4D, 0xD6, 0x79,
    0x59, 0x2C, 0x4D, 0x2F, 0xAD, 0xD4, 0xEB, 0x89,
]

# Strip the mask in place and echo each unmasked byte on one line.
for i, masked in enumerate(data):
    data[i] = masked ^ 0x66
    print(hex(data[i]), end=" ")

# The input is exactly one 16-byte block, so ECB decrypts it in a single step.
AES_test = AES.new(key, AES.MODE_ECB)
flag = AES_test.decrypt(bytes(data))
print(flag)

image-20230806191559362