52PoJie Training Lesson 10: Charting a New Course in Reversing: x64 Unpacking and Cracking in Practice

kabeor Feb 01, 2018


x64 register sub-parts (each narrower name is the low part of the wider one):

AL   low byte
AH   high byte of AX
AX   word
EAX  dword
RAX  qword, e.g. 0000000000401000

R8b  byte
R8w  word
R8d  dword
R8   qword

The ESP law

Use stack balance to find the matching pop sequence

push rdi    
push rsi
push rbx
push rcx
push rdx
push r8
========
pop r8
pop rdx
pop rcx
pop rbx
pop rsi
pop rdi
41585A595B5E5F

pop r15
pop r14
pop r13
pop r12
pop rdi
pop rsi
pop rbp
pop rbx
ret
415F415E415D415C5F5E5D5BC3

Unpacking script

find rip,"415F415E415D415C5F5E5D5BC3"
mov first_jmp,$result
add first_jmp, D
bp first_jmp
erun
bc
sti
find rip,"41585A595B5E5F"
mov second_jmp,$result
add second_jmp,7
bp second_jmp
erun
sti
msg "This is oep"
ret

Worked example: cracking

Patching

1. The instruction sequence at the start:
000000014001B0C0 | 57 | push rdi |
000000014001B0C1 | 56 | push rsi |
000000014001B0C2 | 53 | push rbx |
000000014001B0C3 | 51 | push rcx |
000000014001B0C4 | 52 | push rdx |
000000014001B0C5 | 41 50 | push r8 |
-------------------------------------------------------------------------------
So the instruction sequence at the end should be:
| pop r8
| pop rdx
| pop rcx
| pop rbx
| pop rsi
| pop rdi
-------------------------------------------------------
After single-stepping, the ending sequence turns out to be exactly the same as above:
0000000140011D12 | 41 58 | pop r8 |
0000000140011D14 | 5A | pop rdx |
0000000140011D15 | 59 | pop rcx |
0000000140011D16 | 5B | pop rbx |
0000000140011D17 | 5E | pop rsi |
0000000140011D18 | 5F | pop rdi |

Bytes: 41585A595B5E5F
------------------------------------------------------------------------------
2.
000000014001BB9A | 41 5F | pop r15 |
000000014001BB9C | 41 5E | pop r14 |
000000014001BB9E | 41 5D | pop r13 |
000000014001BBA0 | 41 5C | pop r12 |
000000014001BBA2 | 5F | pop rdi |
000000014001BBA3 | 5E | pop rsi |
000000014001BBA4 | 5D | pop rbp |
000000014001BBA5 | 5B | pop rbx |
000000014001BBA6 | C3 | ret |
Bytes: 415F415E415D415C5F5E5D5BC3

OEP:0000000140001180 | 48 83 EC 28 | sub rsp,28 |
Search string references for "you failed":
0000000140001078 | 75 13 | jnz 14000108D | -> patch to nop

Script

find rip,"415F415E415D415C5F5E5D5BC3"
mov first_jmp,$result
add first_jmp,D
bp first_jmp
erun
bc
sti
find rip,"41585A595B5E5F"
mov second_jmp,$result
add second_jmp,7
bp second_jmp
erun
sti
msg "this is oep"
ret

Tracing the serial

Cracking: run the program, set a breakpoint with bp MessageBoxA, enter 52PoJie.Cn and click check.
It breaks at:
00007FFD1C8236A0 | sub rsp,38 |
00007FFD1C8236A4 | xor r11d,r11d |
00007FFD1C8236A7 | cmp dword ptr ds:[7FFD1C839104],r11d |
00007FFD1C8236AE | je user32.7FFD1C8236DE |
00007FFD1C8236B0 | mov rax,qword ptr gs:[30]

Look at the stack: the return address is 00000001400010EB
00000001400010E6 | E8 15 FF FF FF | call 140001000 |
00000001400010EB | EB F1 | jmp 1400010DE

Restart, step into call 140001000 and find the key computation:

000000014000101B | call qword ptr ds:[<&GetDlgItemTextA>] |
0000000140001021 | cmp byte ptr ds:[140015820],0 | ; is the length 0 (first byte == 0)?
0000000140001028 | je 140001060 |
000000014000102A | lea rdx,qword ptr ds:[140015820] | ;140015820:"52KjEd`.>i"
0000000140001031 | mov cl,byte ptr ds:[rdx] | ; fetch one byte
0000000140001033 | lea eax,dword ptr ds:[rcx-61] |
0000000140001036 | cmp al,19 | ; jump if above 19 (not a-z)
0000000140001038 | ja 140001042 |
000000014000103A | sub cl,5 |
000000014000103D | cmp cl,7A |
0000000140001040 | jmp 14000104F |
0000000140001042 | lea eax,dword ptr ds:[rcx-41] |
0000000140001045 | cmp al,19 | ; jump if above 19 (not A-Z)
0000000140001047 | ja 140001058 |
0000000140001049 | sub cl,5 |
000000014000104C | cmp cl,5A |
000000014000104F | mov byte ptr ds:[rdx],cl |
0000000140001051 | jle 140001058 | ; jump if <= 7A (5A on the uppercase path)
0000000140001053 | sub cl,1A |
0000000140001056 | mov byte ptr ds:[rdx],cl |
0000000140001058 | inc rdx |
000000014000105B | cmp byte ptr ds:[rdx],0 |
000000014000105E | jnz 140001031 |

After the computation, the comparison:
0000000140001060 | lea rdx,qword ptr ds:[140015820] | ;140015820:"52KjEd`.>i"
0000000140001067 | lea rcx,qword ptr ds:[1400112F0] | ;1400112F0:"52PoJie.Cn"
000000014000106E | call 14000B900 | ; compare with the computed value
0000000140001073 | mov rcx,rbx |
0000000140001076 | test eax,eax |
0000000140001078 | jnz 14000108D | ; jump away if not equal
000000014000107A | xor r9d,r9d |
000000014000107D | lea r8,qword ptr ds:[1400112FC] | ;1400112FC:"Boom!"
0000000140001084 | lea rdx,qword ptr ds:[140011308] | ;140011308:"Congratulations! You have successfully Registered"
000000014000108B | jmp 1400010A1 |
000000014000108D | mov r9d,10 |
0000000140001093 | lea r8,qword ptr ds:[140011340] | ;140011340:"Boomshakalaka"
000000014000109A | lea rdx,qword ptr ds:[140011350] | ;140011350:"You Failed!"

Working the transform backwards gives the registration code: 52UtOnj.Hs
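The per-byte loop at 140001031..14000105E and the compare against "52PoJie.Cn", reimplemented in Python as an added example (not code from the original post or from the crackme). It keeps the 8-bit semantics of the disassembly, including the wrap branch that letter input can never reach, and inverts the transform to recover the serial; the function names transform_byte, transform, check and derive_serial are my own.

```python
EXPECTED = "52PoJie.Cn"  # string at 1400112F0 that the transformed input is compared with


def transform_byte(c: int) -> int:
    """One iteration of the loop at 140001031..14000105E for input byte c."""
    if (c - 0x61) & 0xFF <= 0x19:          # lea eax,[rcx-61] / cmp al,19 / ja -> 'a'..'z'
        c = (c - 5) & 0xFF                 # sub cl,5
        limit = 0x7A                       # cmp cl,7A
    elif (c - 0x41) & 0xFF <= 0x19:        # lea eax,[rcx-41] / cmp al,19 / ja -> 'A'..'Z'
        c = (c - 5) & 0xFF                 # sub cl,5
        limit = 0x5A                       # cmp cl,5A
    else:
        return c                           # any other byte is left untouched
    # jle 140001058 is a signed compare on the flags left by the cmp above.
    # After "sub 5" a letter is at most 0x75 (or 0x55), so the wrap is never
    # taken for letter input; it is kept only to mirror the disassembly.
    signed = c - 0x100 if c & 0x80 else c
    if signed > limit:
        c = (c - 0x1A) & 0xFF              # sub cl,1A
    return c


def transform(s: str) -> str:
    """Apply the in-place loop to the whole buffer read by GetDlgItemTextA."""
    return "".join(chr(transform_byte(b)) for b in s.encode("latin-1"))


def check(serial: str) -> bool:
    """Mirror of call 14000B900 / test eax / jnz: True means the Registered path."""
    return transform(serial) == EXPECTED


def derive_serial(expected: str = EXPECTED) -> str:
    """Invert the transform byte by byte by trying all 256 input bytes."""
    out = []
    for target in expected.encode("latin-1"):
        candidates = [b for b in range(256) if transform_byte(b) == target]
        if not candidates:  # e.g. 'v'..'z': nothing maps there because the wrap is dead
            raise ValueError(f"no input byte maps to {target:#x}")
        printable = [b for b in candidates if 0x20 <= b < 0x7F] or candidates
        out.append(chr(printable[0]))
    return "".join(out)


if __name__ == "__main__":
    print(transform("52PoJie.Cn"))   # buffer contents after typing the expected string
    print(derive_serial())           # input whose transform equals EXPECTED
    print(check(derive_serial()))
```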


This blog is under a CC BY-NC-SA 4.0 Unported License
Article link: https://kabeor.github.io/吾爱破解培训第十课:探寻逆向新航标---x64平台脱壳与破解实战/