WMCTF-RE--WMware

Reversing a bochs image, quite fun; I finally learned how to debug bochs.
Just download a bochs build from the web and it runs on Windows.
The txt file in the archive is in fact the bochsrc file; it can be dropped into IDA to debug with bochs.
Before debugging, set the path to bochsdbg in IDA's dbg_bochs.cfg.

Then debug locally with IDA; a bit of debugging shows that our input length is 36.
One thing to note: the input bochs reads is roughly the keyboard scan code values a driver would see. I don't know the details; my blind guess is that they are Linux keyboard scan codes, lol.

First the input is scrambled as a 6*6 matrix, then 0x55 is added to each of the corresponding keyboard scan code values.
The forward direction is really 0x81 rounds of bitwise encryption, with the XOR implemented using AND (&), OR (|) and NOT (~), somewhat like ollvm's instruction substitution.
The encryption is as follows:

def encode(test):
    # test: 9 dwords, i.e. the 36 input bytes (scan code + 0x55) packed 4 per dword
    for i in range(0x81):
        if i % 3 == 0:
            for j in range(9):
                a = test[j]
                b = test[(j + 1) % 9]   # for j == 8 this is the already-updated test[0]
                test[j] = a ^ b ^ 0x24114514
        elif i % 3 == 1:
            for j in range(9):
                a = test[j]
                b = test[(j + 1) % 9]
                test[j] = a ^ b ^ 0x1919810
        elif i % 3 == 2:
            for j in range(9):
                a = test[j]
                b = test[(j + 1) % 9]
                test[j] = a ^ b ^ 0x19260817
    print(test)

Then the inverse:

def decode(test):
    # Walk the rounds backwards; within a round go from j = 8 down to 0 so that
    # test[(j + 1) % 9] holds the same value it had when encode used it.
    for i in range(0x80, -1, -1):
        if i % 3 == 0:
            for j in range(8, -1, -1):
                a = test[j]
                b = test[(j + 1) % 9]
                test[j] = a ^ b ^ 0x24114514
        elif i % 3 == 1:
            for j in range(8, -1, -1):
                a = test[j]
                b = test[(j + 1) % 9]
                test[j] = a ^ b ^ 0x1919810
        elif i % 3 == 2:
            for j in range(8, -1, -1):
                a = test[j]
                b = test[(j + 1) % 9]
                test[j] = a ^ b ^ 0x19260817
    # unpack each dword little-endian and undo the +0x55: these are scan codes, not the flag yet
    flag = [((test[i] >> 8 * j) & 0xff) - 0x55 for i in range(9) for j in range(4)]
    print(flag)

What we get here is not the final flag yet, but the matrix-scrambled keyboard scan codes;
just restore them.

dic={78:"A",  96:"B",  94:"C",  80:"D",  66:"E",  81:"F",  82:"G",  83:"H",  71:"I",  84:"J", 
85:"K",  86:"L",  98:"M",  97:"N",  72:"O",  73:"P",  64:"Q",  67:"R",  79:"S",  68:"T", 
70:"U",  95:"V",  65:"W",  93:"X",  69:"Y",  92:"Z",
30:"a",  48:"b",  46:"c",  32:"d",  18:"e",  33:'f',  34:"g",  35:"h",  23:"i",  36:"j", 
37:"k",  38:"l",  50:"m",  49:"n",  24:"o",  25:"p",  16:"q",  19:"r",  31:"s",  20:"t", 
22:"u",  47:"v",  17:"w",  45:"x",  21:"y",  44:"z",
2:"1", 3:"2", 4:"3", 5:"4", 6:"5", 7:"6", 8:"7", 9:"8", 10:"9", 11:"0", 
12:"_", 13:"+", 26:"{", 27:"}"}

# the scan codes printed by decode() above
enc = [65, 80, 12, 20, 11, 32, 98, 11, 37, 35, 20, 98, 94, 12, 49, 4, 4, 11, 68, 69, 11, 12, 46, 32, 81, 11, 17, 73, 20, 4, 26, 22, 12, 19, 4, 27]
s = ""
for i in enc:
    s += dic[i]
print(s)
# undo the 6*6 matrix scramble (a transpose)
flag = ""
for i in range(6):
    for j in range(6):
        flag += s[i + 6 * j]
print(flag)
#WMCTF{D0_Y0u_kn0w_th3_Pr0t3ct3dM0d3}
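As an added example (not code from the writeup), here is the whole forward pipeline followed by its inverse, so the decode can be checked against the encode in one place; the XOR built from &, |, ~ mirrors the substitution the binary uses. The scan-code table, the 6*6 transpose, the +0x55 step and the three round constants are the writeup's; packing the 36 bytes into nine little-endian dwords is an assumption consistent with the byte extraction in decode() above.

```python
MASK = 0xFFFFFFFF
CONSTS = [0x24114514, 0x1919810, 0x19260817]  # round constant chosen by i % 3
ROUNDS = 0x81

# Scan-code table from the writeup, built compactly: keyboard rows,
# uppercase = lowercase + 48, digits and the four symbols mapped explicitly.
SCAN = {}
for base, row in ((16, "qwertyuiop"), (30, "asdfghjkl"), (44, "zxcvbnm")):
    for k, ch in enumerate(row):
        SCAN[ch] = base + k
        SCAN[ch.upper()] = base + k + 48
for k, ch in enumerate("1234567890"):
    SCAN[ch] = 2 + k
SCAN.update({"_": 12, "+": 13, "{": 26, "}": 27})
CHAR = {v: k for k, v in SCAN.items()}

def obf_xor(a, b):
    """XOR written with only &, |, ~ as the binary does: a ^ b == (a & ~b) | (~a & b)."""
    return ((a & ~b) | (~a & b)) & MASK

def transpose6(items):
    """The 6x6 matrix scramble: a transpose, hence its own inverse."""
    return [items[6 * i + j] for j in range(6) for i in range(6)]

def encrypt(flag):
    """Input -> scan codes -> scramble -> +0x55 -> 9 little-endian dwords (assumed) -> 0x81 rounds."""
    assert len(flag) == 36
    data = [c + 0x55 for c in transpose6([SCAN[c] for c in flag])]
    state = [int.from_bytes(bytes(data[4 * k:4 * k + 4]), "little") for k in range(9)]
    for i in range(ROUNDS):
        for j in range(9):
            state[j] = obf_xor(obf_xor(state[j], state[(j + 1) % 9]), CONSTS[i % 3])
    return state

def decrypt(state):
    """Undo the rounds in reverse order, then unpack, subtract 0x55 and unscramble."""
    state = list(state)
    for i in range(ROUNDS - 1, -1, -1):
        for j in range(8, -1, -1):
            state[j] = obf_xor(obf_xor(state[j], state[(j + 1) % 9]), CONSTS[i % 3])
    raw = b"".join(v.to_bytes(4, "little") for v in state)
    return "".join(CHAR[b - 0x55] for b in transpose6(list(raw)))

if __name__ == "__main__":
    flag = "WMCTF{D0_Y0u_kn0w_th3_Pr0t3ct3dM0d3}"
    ct = encrypt(flag)
    print([hex(v) for v in ct])
    print(decrypt(ct))  # prints the flag back
```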
