K's House
Home
Archives
Tags
Categories
Link
About
avatar
文章
126
标签
67
分类
30
Home
Archives
Tags
Categories
Link
About
目录
  1. 1. 吾爱破解培训第十课:探寻逆向新航标—x64平台脱壳与破解实战
  2. 2. 实例破解
吾爱破解培训第十课:探寻逆向新航标---x64平台脱壳与破解实战
|逆向吾爱破解培训
字数总计:662|阅读时长: 3 分钟
|阅读量:|评论数:

吾爱破解培训第十课:探寻逆向新航标—x64平台脱壳与破解实战

Code
			  AL
			AH
			AX..
		EAX.....
RAX.............
0000000000401000
			  R8b  byte
			R8w.   word
		R8d.....   dword
R8..............   qword

ESP定律

应用堆栈平衡找到pop

Code
push rdi    
push rsi    
push rbx    
push rcx    
push rdx    
push r8     
========
pop r8
pop rdx
pop rcx
pop rbx
pop rsi
pop rdi
41585A595B5E5F

pop r15
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbp
pop rbx
ret    
415F415E415D415C5F5E5D5BC3

脱壳脚本

Code
find rip,"415F415E415D415C5F5E5D5BC3"
mov first_jmp,$result
add first_jmp, D
bp first_jmp
erun
bc
sti
find rip,"41585A595B5E5F"
mov second_jmp,$result
add second_jmp,7
bp second_jmp
erun
sti
msg "This is oep"
ret

实例破解

爆破

Code
1.指令起始部分:
000000014001B0C0 | 57                       | push rdi                                |
000000014001B0C1 | 56                       | push rsi                                |
000000014001B0C2 | 53                       | push rbx                                |
000000014001B0C3 | 51                       | push rcx                                |
000000014001B0C4 | 52                       | push rdx                                |
000000014001B0C5 | 41 50                    | push r8                                 |
-------------------------------------------------------------------------------
那么指令结束部分:
                                            | pop r8
                                            | pop rdx
                                            | pop rcx
                                            | pop rbx
                                            | pop rsi
                                            | pop rdi
-------------------------------------------------------
单步后发现指令结束部分与上面一毛一样:
0000000140011D12 | 41 58                    | pop r8                                  |
0000000140011D14 | 5A                       | pop rdx                                 |
0000000140011D15 | 59                       | pop rcx                                 |
0000000140011D16 | 5B                       | pop rbx                                 |
0000000140011D17 | 5E                       | pop rsi                                 |
0000000140011D18 | 5F                       | pop rdi                                 |

二进制:41585A595B5E5F
------------------------------------------------------------------------------
2.
000000014001BB9A | 41 5F                    | pop r15                                 |
000000014001BB9C | 41 5E                    | pop r14                                 |
000000014001BB9E | 41 5D                    | pop r13                                 |
000000014001BBA0 | 41 5C                    | pop r12                                 |
000000014001BBA2 | 5F                       | pop rdi                                 |
000000014001BBA3 | 5E                       | pop rsi                                 |
000000014001BBA4 | 5D                       | pop rbp                                 |
000000014001BBA5 | 5B                       | pop rbx                                 |
000000014001BBA6 | C3                       | ret                                     |
二进制:415F415E415D415C5F5E5D5BC3

OEP:0000000140001180 | 48 83 EC 28              | sub rsp,28                              |
search references:you failed 
0000000140001078 | 75 13                    | jnz 14000108D                           | ------------->nop

脚本

Code
find rip,"415F415E415D415C5F5E5D5BC3"
mov first_jmp,$result
add first_jmp,D
bp first_jmp
erun
bc
sti
find rip,"41585A595B5E5F"
mov second_jmp,$result
add second_jmp,7
bp second_jmp
erun
sti
msg "this is oep"
ret

追码

Code
破解,运行下断点 bp MessgeBoxA,输入52PoJie.Cn,check
断在
00007FFD1C8236A0 | sub rsp,38                              |
00007FFD1C8236A4 | xor r11d,r11d                           |
00007FFD1C8236A7 | cmp dword ptr ds:[7FFD1C839104],r11d    |
00007FFD1C8236AE | je user32.7FFD1C8236DE                  |
00007FFD1C8236B0 | mov rax,qword ptr gs:[30]      

看堆栈返回到 00000001400010EB
00000001400010E6 | E8 15 FF FF FF           | call 140001000                          |
00000001400010EB | EB F1                    | jmp 1400010DE

重载,跟进call 140001000 ,找到key的计算

000000014000101B | call qword ptr ds:[<&GetDlgItemTextA>]  |
0000000140001021 | cmp byte ptr ds:[140015820],0           | ;比较长度是否=0
0000000140001028 | je 140001060                            |
000000014000102A | lea rdx,qword ptr ds:[140015820]        | ;140015820:"52KjEd`.>i"
0000000140001031 | mov cl,byte ptr ds:[rdx]                | ;取一字节
0000000140001033 | lea eax,dword ptr ds:[rcx-61]           |
0000000140001036 | cmp al,19                               | ;大于19则跳
0000000140001038 | ja 140001042                            |
000000014000103A | sub cl,5                                |
000000014000103D | cmp cl,7A                               |
0000000140001040 | jmp 14000104F                           |
0000000140001042 | lea eax,dword ptr ds:[rcx-41]           |
0000000140001045 | cmp al,19                               | ;大于19跳
0000000140001047 | ja 140001058                            |
0000000140001049 | sub cl,5                                |
000000014000104C | cmp cl,5A                               |
000000014000104F | mov byte ptr ds:[rdx],cl                |
0000000140001051 | jle 140001058                           | ;小于等于7A跳
0000000140001053 | sub cl,1A                               |
0000000140001056 | mov byte ptr ds:[rdx],cl                |
0000000140001058 | inc rdx                                 |
000000014000105B | cmp byte ptr ds:[rdx],0                 |
000000014000105E | jnz 140001031                           |

计算完,比较
0000000140001060 | lea rdx,qword ptr ds:[140015820]        | ;140015820:"52KjEd`.>i"
0000000140001067 | lea rcx,qword ptr ds:[1400112F0]        | ;1400112F0:"52PoJie.Cn"
000000014000106E | call 14000B900                          | ;与计算后的比较
0000000140001073 | mov rcx,rbx                             |
0000000140001076 | test eax,eax                            |
0000000140001078 | jnz 14000108D                           | ;不等跳走
000000014000107A | xor r9d,r9d                             |
000000014000107D | lea r8,qword ptr ds:[1400112FC]         | ;1400112FC:"Boom!"
0000000140001084 | lea rdx,qword ptr ds:[140011308]        | ;140011308:"Congratulations! You have successfully Registered"
000000014000108B | jmp 1400010A1                           |
000000014000108D | mov r9d,10                              |
0000000140001093 | lea r8,qword ptr ds:[140011340]         | ;140011340:"Boomshakalaka"
000000014000109A | lea rdx,qword ptr ds:[140011350]        | ;140011350:"You Failed!"

通过计算得出注册码:52UtOnj.Hs
文章作者: kabeor
文章链接: https://kabeor.github.io/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E5%9F%B9%E8%AE%AD%E7%AC%AC%E5%8D%81%E8%AF%BE%EF%BC%9A%E6%8E%A2%E5%AF%BB%E9%80%86%E5%90%91%E6%96%B0%E8%88%AA%E6%A0%87---x64%E5%B9%B3%E5%8F%B0%E8%84%B1%E5%A3%B3%E4%B8%8E%E7%A0%B4%E8%A7%A3%E5%AE%9E%E6%88%98/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 K's House
逆向 脱壳,x64
相关推荐
2018-08-03
001_Acid_burn.exe 算法分析
2018-07-25
001_Acid_burn.exe
2018-07-15
2018.2 MOCTFcrackme2 WriteUp
评论