JEB
直接跟进主函数找到


ASSERT里面拿到ooo文件 直接脚本解密
k = "vn2022"with open('ooo', 'rb') as f: c = f.read()with open('123', 'wb') as wwww: for i in range(len(c)): wwww.write(((c[i] ^ ord(k[i % 1024 % len(k)]))).to_bytes(1, byteorder="little")) # 他一次read是1024!新dex再反编译

典型xxtea
#include <stdint.h>#include <stdio.h>using namespace std;#define DELTA 0x9E3779B9#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))void xxtea(uint32_t* v, int n, uint32_t* key){ uint32_t y, z; int sum; unsigned p, rounds, e; // encrypt if (n > 1) { rounds = 6 + (52 / n); sum = 0; z = v[n - 1]; do { sum += DELTA; e = (sum >> 2) & 3; for (p = 0; p < n - 1; p++) { y = v[p + 1]; z = v[p] += MX; } y = v[0]; z = v[n - 1] += MX; } while (--rounds); } // decrypt else if (n < -1) { n = -n; rounds = 6 + (52 / n); sum = rounds * DELTA; y = v[0]; do { e = (sum >> 2) & 3; for (p = n - 1; p > 0; p--) { z = v[p - 1]; y = v[p] -= MX; } z = v[n - 1]; y = v[0] -= MX; sum -= DELTA; } while (--rounds); }}int main(){ int8_t a[] = { 68, 39, -92, 108, -82, -18, 72, -55, 74, -56, 38, 11, 60, 84, 97, -40, 87, 71, 99, -82, 120, 104, 47, -71, -58, -57, 0, 33, 42, 38, -44, -39, -60, 113, -2, 92, -75, 118, -77, 50, -121, 43, 32, -106 }; uint32_t *v=(uint32_t *)a; // uint32_t v[9] = { 1,1,1,1,1,1,1,1,1 }; // 四个32位无符号整数,即128bit的key uint32_t *k=(uint32_t *)"H4pPY_VNCTF!!OvO"; // n的绝对值表示v的长度,取正表示加密,取负表示解密 int n = 11; printf("Data is : %x %x %X %x %x %X %x %x %X\n", v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7], v[8]); // xxtea(v, n, k); // printf("Encrypted data is : %x %x %X %x %x %X %x %x %X\n", v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7], v[8]); xxtea(v, -n, k); printf("Decrypted data is : %x %x %X %x %x %X %x %x %X\n", v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7], v[8]); printf("最后结果为%s", v); return 0;}ida7.6打开 go语言直接反编译好了

unk_AFD8A0是opcode
main___ptr_MzVm__run函数的((void (*)(void))(v1 + 8 * v4 + 4104))();
来根据opcode运行虚拟机

一共20种命令
动态调试一下 发现他每三个一组 第一个数表示操作指令 二三个数表示寄存器或者操作数

跟进[rbx+rdi*8+1008h] 查看opcode和函数的映射关系

转dq后对应一下opcode的 0-16对应函数1-17
97 98 99对应函数18 19 20
分析一下opcode和对应函数 发现不是所有函数都被使用 所以我们只用分析用到的函数(code值为0, 1, 98, 97, 2, 5, 6, 7, 8, 99, 10, 9, 12, 11, 14)








opcode = [[0, 0, 0], [0, 0, 0], [1, 0, 87], [98, 0, 0], [1, 0, 101], [98, 0, 0], [1, 0, 108], [98, 0, 0], [1, 0, 99], [98, 0, 0], [1, 0, 111], [98, 0, 0], [1, 0, 109], [98, 0, 0], [1, 0, 101], [98, 0, 0], [1, 0, 32], [98, 0, 0], [1, 0, 116], [98, 0, 0], [1, 0, 111], [98, 0, 0], [1, 0, 32], [98, 0, 0], [1, 0, 86], [98, 0, 0], [1, 0, 78], [98, 0, 0], [1, 0, 67], [98, 0, 0], [1, 0, 84], [98, 0, 0], [1, 0, 70], [98, 0, 0], [1, 0, 50], [98, 0, 0], [1, 0, 48], [98, 0, 0], [1, 0, 50], [98, 0, 0], [1, 0, 50], [98, 0, 0], [1, 0, 33], [98, 0, 0], [1, 0, 10], [98, 0, 0], [1, 0, 105], [98, 0, 0], [1, 0, 110], [98, 0, 0], [1, 0, 112], [98, 0, 0], [1, 0, 117], [98, 0, 0], [1, 0, 116], [98, 0, 0], [1, 0, 32], [98, 0, 0], [1, 0, 102], [98, 0, 0], [1, 0, 108], [98, 0, 0], [1, 0, 97], [98, 0, 0], [1, 0, 103], [98, 0, 0], [1, 0, 58], [98, 0, 0], [1, 0, 10], [98, 0, 0], [1, 19, 73], [1, 3, 0], [1, 1, 43], [1, 2, 1], [97, 0, 0], [5, 0, 0], [8, 1, 2], [14, 1, 3], [1, 0, 0], [5, 0, 0], [0, 0, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 6, 0], [6, 0, 0], [7, 6, 0], [2, 0, 6], [10, 0, 5], [2, 6, 0], [6, 0, 0], [7, 6, 0], [2, 0, 6], [10, 0, 5], [2, 6, 0], [6, 0, 0], [7, 6, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 7, 0], [6, 0, 0], [7, 7, 0], [2, 0, 7], [10, 0, 5], [2, 7, 0], [6, 0, 0], [7, 7, 0], [2, 0, 7], [10, 0, 5], [2, 7, 0], [6, 0, 0], [7, 7, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 8, 0], [6, 0, 0], [7, 8, 0], [2, 0, 8], [10, 0, 5], [2, 8, 0], [6, 0, 0], [7, 8, 0], [2, 0, 8], [10, 0, 5], [2, 8, 0], [6, 0, 0], [7, 8, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 9, 0], [6, 0, 0], [7, 9, 0], [2, 0, 9], [10, 0, 5], [2, 9, 0], [6, 0, 0], [7, 9, 0], [2, 0, 9], [10, 0, 5], [2, 9, 0], [6, 0, 0], [7, 9, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 10, 0], [6, 0, 0], [7, 10, 0], [2, 0, 10], [10, 0, 5], [2, 10, 0], [6, 0, 0], [7, 10, 0], [2, 0, 10], [10, 0, 5], [2, 10, 0], [6, 0, 0], [7, 10, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 11, 0], [6, 0, 0], [7, 11, 0], [2, 0, 11], [10, 0, 5], [2, 11, 0], [6, 0, 0], [7, 11, 0], [2, 0, 11], [10, 0, 5], [2, 11, 0], [6, 0, 0], [7, 11, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 12, 0], [6, 0, 0], [7, 12, 0], [2, 0, 12], [10, 0, 5], [2, 12, 0], [6, 0, 0], [7, 12, 0], [2, 0, 12], [10, 0, 5], [2, 12, 0], [6, 0, 0], [7, 12, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 13, 0], [6, 0, 0], [7, 13, 0], [2, 0, 13], [10, 0, 5], [2, 13, 0], [6, 0, 0], [7, 13, 0], [2, 0, 13], [10, 0, 5], [2, 13, 0], [6, 0, 0], [7, 13, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 14, 0], [6, 0, 0], [7, 14, 0], [2, 0, 14], [10, 0, 5], [2, 14, 0], [6, 0, 0], [7, 14, 0], [2, 0, 14], [10, 0, 5], [2, 14, 0], [6, 0, 0], [7, 14, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 15, 0], [6, 0, 0], [7, 15, 0], [2, 0, 15], [10, 0, 5], [2, 15, 0], [6, 0, 0], [7, 15, 0], [2, 0, 15], [10, 0, 5], [2, 15, 0], [6, 0, 0], [7, 15, 0], [0, 0, 0], [6, 0, 0], [1, 5, 256], [10, 0, 5], [2, 16, 0], [6, 0, 0], [7, 16, 0], [2, 0, 16], [10, 0, 5], [2, 16, 0], [6, 0, 0], [7, 16, 0], [2, 0, 16], [10, 0, 5], [2, 16, 0], [6, 0, 0], [7, 16, 0], [0, 0, 0], [5, 6, 0], [5, 7, 0], [5, 8, 0], [5, 9, 0], [5, 10, 0], [5, 11, 0], [5, 12, 0], [5, 13, 0], [5, 14, 0], [5, 15, 0], [5, 16, 0], [6, 1, 0], [6, 2, 0], [1, 20, 284], [1, 0, 340], [12, 0, 0], [1, 0, 3906065887], [1, 19, 387], [1, 20, 339], [14, 1, 0], [1, 0, 4125344020], [14, 2, 0], [6, 1, 0], [6, 2, 0], [1, 20, 295], [1, 0, 340], [12, 0, 0], [1, 0, 579781142], [1, 19, 387], [1, 20, 339], [14, 1, 0], [1, 0, 2312395361], [14, 2, 0], [6, 1, 0], [6, 2, 0], [1, 20, 306], [1, 0, 340], [12, 0, 0], [1, 0, 1700499305], [1, 19, 387], [1, 20, 339], [14, 1, 0], [1, 0, 612671610], [14, 2, 0], [6, 1, 0], [6, 2, 0], [1, 20, 317], [1, 0, 340], [12, 0, 0], [1, 0, 3655723000], [1, 19, 387], [1, 20, 339], [14, 1, 0], [1, 0, 977540402], [14, 2, 0], [6, 1, 0], [6, 2, 0], [1, 20, 328], [1, 0, 340], [12, 0, 0], [1, 0, 2443935368], [1, 19, 387], [1, 20, 339], [14, 1, 0], [1, 0, 1778148540], [14, 2, 0], [6, 1, 0], [1, 0, 8206181], [14, 1, 0], [1, 0, 393], [12, 0, 0], [99, 0, 0], [1, 3, 2654435769], [1, 4, 613452], [1, 5, 34589], [1, 6, 108471], [1, 7, 1230791], [1, 8, 0], [1, 17, 16], [1, 18, 32], [1, 19, 352], [1, 10, 0], [1, 11, 32], [1, 12, 1], [7, 8, 3], [2, 0, 2], [10, 0, 17], [7, 0, 4], [2, 14, 0], [2, 0, 2], [7, 0, 8], [2, 15, 0], [2, 0, 2], [9, 0, 18], [7, 0, 5], [2, 16, 0], [2, 0, 14], [11, 0, 15], [11, 0, 16], [7, 1, 0], [2, 0, 1], [10, 0, 17], [7, 0, 6], [2, 14, 0], [2, 0, 1], [7, 0, 8], [2, 15, 0], [2, 0, 1], [9, 0, 18], [7, 0, 7], [2, 16, 0], [2, 0, 14], [11, 0, 15], [11, 0, 16], [7, 2, 0], [8, 11, 12], [14, 11, 10], [12, 20, 0], [0, 0, 0], [1, 0, 110], [98, 0, 0], [1, 0, 111], [98, 0, 0], [12, 20, 0], [0, 0, 0], [1, 0, 121], [98, 0, 0], [1, 0, 101], [98, 0, 0], [1, 0, 115], [98, 0, 0], [12, 20, 0], [0, 0, 0], [0, 0, 0], [0, 0, 0], [0, 0, 0], [0, 0, 0]]for x in opcode: if x[0] == 0: # print("nop") pass elif x[0] == 1: print(f"mov r{x[1]} {hex(x[2]).upper()}") elif x[0] == 2: print(f"mov r{x[1]} r{x[2]}") elif x[0] == 5: print(f"push r{x[1]}") elif x[0] == 6: print(f"pop r{x[1]}") elif x[0] == 7: print(f"add r{x[1]} r{x[2]}") elif x[0] == 8: print(f"sub r{x[1]} r{x[2]}") elif x[0] == 9: print(f"div r{x[1]} r{x[2]}") elif x[0] == 10: print(f"mul r{x[1]} r{x[2]}") elif x[0] == 11: print(f"xor r{x[1]} r{x[2]}") elif x[0] == 12: print(f"jmp r{x[1]}") elif x[0] == 14: print(f"if r{x[1]}!=r{x[2]}:quit") elif x[0] == 97: print(f"scanf r{x[1]} ") elif x[0] == 98: print(f"putchar r{x[1]} ") elif x[0] == 99: print(f"quit ")mov r0 0X57putchar r0 mov r0 0X65putchar r0 mov r0 0X6Cputchar r0 mov r0 0X63putchar r0 mov r0 0X6Fputchar r0 mov r0 0X6Dputchar r0 mov r0 0X65putchar r0 mov r0 0X20putchar r0 mov r0 0X74putchar r0 mov r0 0X6Fputchar r0 mov r0 0X20putchar r0 mov r0 0X56putchar r0 mov r0 0X4Eputchar r0 mov r0 0X43putchar r0 mov r0 0X54putchar r0 mov r0 0X46putchar r0 mov r0 0X32putchar r0 mov r0 0X30putchar r0 mov r0 0X32putchar r0 mov r0 0X32putchar r0 mov r0 0X21putchar r0 mov r0 0XAputchar r0 mov r0 0X69putchar r0 mov r0 0X6Eputchar r0 mov r0 0X70putchar r0 mov r0 0X75putchar r0 mov r0 0X74putchar r0 mov r0 0X20putchar r0 mov r0 0X66putchar r0 mov r0 0X6Cputchar r0 mov r0 0X61putchar r0 mov r0 0X67putchar r0 mov r0 0X3Aputchar r0 mov r0 0XAputchar r0 #以上都是提示信息 没啥用mov r19 0X49mov r3 0X0mov r1 0X2Bmov r2 0X1scanf r0 push r0sub r1 r2if r1!=r3:quitmov r0 0X0push r0pop r0mov r5 0X100 #这两行相当于>>8 有点teamul r0 r5mov r6 r0pop r0add r6 r0mov r0 r6mul r0 r5mov r6 r0pop r0add r6 r0mov r0 r6mul r0 r5mov r6 r0pop r0add r6 r0pop r0mov r5 0X100mul r0 r5mov r7 r0pop r0add r7 r0mov r0 r7mul r0 r5mov r7 r0pop r0add r7 r0mov r0 r7mul r0 r5mov r7 r0pop r0add r7 r0pop r0mov r5 0X100mul r0 r5mov r8 r0pop r0add r8 r0mov r0 r8mul r0 r5mov r8 r0pop r0add r8 r0mov r0 r8mul r0 r5mov r8 r0pop r0add r8 r0pop r0mov r5 0X100mul r0 r5mov r9 r0pop r0add r9 r0mov r0 r9mul r0 r5mov r9 r0pop r0add r9 r0mov r0 r9mul r0 r5mov r9 r0pop r0add r9 r0pop r0mov r5 0X100mul r0 r5mov r10 r0pop r0add r10 r0mov r0 r10mul r0 r5mov r10 r0pop r0add r10 r0mov r0 r10mul r0 r5mov r10 r0pop r0add r10 r0pop r0mov r5 0X100mul r0 r5mov r11 r0pop r0add r11 r0mov r0 r11mul r0 r5mov r11 r0pop r0add r11 r0mov r0 r11mul r0 r5mov r11 r0pop r0add r11 r0pop r0mov r5 0X100mul r0 r5mov r12 r0pop r0add r12 r0mov r0 r12mul r0 r5mov r12 r0pop r0add r12 r0mov r0 r12mul r0 r5mov r12 r0pop r0add r12 r0pop r0mov r5 0X100mul r0 r5mov r13 r0pop r0add r13 r0mov r0 r13mul r0 r5mov r13 r0pop r0add r13 r0mov r0 r13mul r0 r5mov r13 r0pop r0add r13 r0pop r0mov r5 0X100mul r0 r5mov r14 r0pop r0add r14 r0mov r0 r14mul r0 r5mov r14 r0pop r0add r14 r0mov r0 r14mul r0 r5mov r14 r0pop r0add r14 r0pop r0mov r5 0X100mul r0 r5mov r15 r0pop r0add r15 r0mov r0 r15mul r0 r5mov r15 r0pop r0add r15 r0mov r0 r15mul r0 r5mov r15 r0pop r0add r15 r0pop r0mov r5 0X100mul r0 r5mov r16 r0pop r0add r16 r0mov r0 r16mul r0 r5mov r16 r0pop r0add r16 r0mov r0 r16mul r0 r5mov r16 r0pop r0add r16 r0push r6push r7push r8push r9push r10push r11push r12push r13push r14push r15push r16pop r1pop r2mov r20 0X11Cmov r0 0X154jmp r0mov r0 0XE8D1D5DFmov r19 0X183mov r20 0X153if r1!=r0:quitmov r0 0XF5E3C114if r2!=r0:quitpop r1pop r2mov r20 0X127mov r0 0X154jmp r0mov r0 0X228EC216mov r19 0X183mov r20 0X153if r1!=r0:quitmov r0 0X89D45A61if r2!=r0:quitpop r1pop r2mov r20 0X132mov r0 0X154jmp r0mov r0 0X655B8F69mov r19 0X183mov r20 0X153if r1!=r0:quitmov r0 0X2484A07Aif r2!=r0:quitpop r1pop r2mov r20 0X13Dmov r0 0X154jmp r0mov r0 0XD9E5E7F8mov r19 0X183mov r20 0X153if r1!=r0:quitmov r0 0X3A441532if r2!=r0:quitpop r1pop r2mov r20 0X148mov r0 0X154jmp r0mov r0 0X91AB7E88mov r19 0X183mov r20 0X153if r1!=r0:quitmov r0 0X69FC64BCif r2!=r0:quitpop r1mov r0 0X7D3765if r1!=r0:quitmov r0 0X189jmp r0quit mov r3 0X9E3779B9 #delta 确定是teamov r4 0X95C4C #k0 到k3mov r5 0X871Dmov r6 0X1A7B7mov r7 0X12C7C7mov r8 0X0 #summov r17 0X10mov r18 0X20mov r19 0X160mov r10 0X0mov r11 0X20mov r12 0X1add r8 r3mov r0 r2mul r0 r17add r0 r4mov r14 r0mov r0 r2add r0 r8mov r15 r0mov r0 r2div r0 r18add r0 r5mov r16 r0mov r0 r14xor r0 r15xor r0 r16add r1 r0mov r0 r1mul r0 r17add r0 r6mov r14 r0mov r0 r1add r0 r8mov r15 r0mov r0 r1div r0 r18add r0 r7mov r16 r0mov r0 r14xor r0 r15xor r0 r16add r2 r0sub r11 r12if r11!=r10:quitjmp r20mov r0 0X6Eputchar r0 mov r0 0X6Fputchar r0 jmp r20mov r0 0X79putchar r0 mov r0 0X65putchar r0 mov r0 0X73putchar r0 jmp r20可以从0x9e3779b9看出应该是个tea类函数 位运算较少应该是个标准tea
上面的所有mul和div都是当位运算用的
其中根据比较函数可以拿到正确的结果(一共11个 但是tea只加密了10个) 然后tea脚本解密即可
#include <iostream>#include <stdio.h>#include <string>using namespace std;int TEA_decode(uint32_t* v, uint32_t* key){ uint32_t j; uint32_t delta = 0x9e3779b9; uint32_t sum = 0xC6EF3720; uint32_t v0 = v[0], v1 = v[1]; uint32_t key0 = key[0], key1 = key[1], key2 = key[2], key3 = key[3]; for (j = 0; j < 32; j++) { v1 -= ((v0 << 4) + key2) ^ (v0 + sum) ^ ((v0 >> 5) + key3); v0 -= ((v1 << 4) + key0) ^ (v1 + sum) ^ ((v1 >> 5) + key1); sum -= delta; } v[0] = v0; v[1] = v1;}int main(){ uint32_t k[4] = { 0X95C4C, 0X871D, 0X1A7B7, 0X12C7C7 }; uint32_t enc[11] = { 0XE8D1D5DF, 0XF5E3C114, 0X228EC216, 0X89D45A61, 0X655B8F69, 0X2484A07A, 0XD9E5E7F8, 0X3A441532, 0X91AB7E88, 0X69FC64BC, 0X7D3765 }; // TEA_encrypt(enc2,k); uint32_t t1[3] = { 0XE8D1D5DF, 0XF5E3C114, 0 }; uint32_t t2[3] = { 0X228EC216, 0X89D45A61, 0 }; uint32_t t3[3] = { 0X655B8F69, 0X2484A07A, 0 }; uint32_t t4[3] = { 0XD9E5E7F8, 0X3A441532, 0 }; uint32_t t5[3] = { 0X91AB7E88, 0X69FC64BC, 0 }; uint32_t t6[2] = { 0X7D3765, 0 }; TEA_decode(t1, k); TEA_decode(t2, k); TEA_decode(t3, k); TEA_decode(t4, k); TEA_decode(t5, k); // TEA_decode(t6, k); printf("%s%s%s%s%s%s", t1, t2, t3, t4, t5, t6); return 0;}VNCTF{ecd63ae5-8945-4ac4-b5a5-34fc3ade81e7}