一.查壳
这个壳的资料不是很多,百度百科解释:Themida_百度百科 (baidu.com)
二.脱壳工具
项目链接:
ergrelet/unlicense
直接下载release版本解压即可
由于这个程序是32位,所以需要使用32位的unlicense
用unlicense32.exe打开TMD.exe,等待几分钟后会输出unpacked_TMD.exe
注意:
unlicense项目里这条注意当时坑了我,我电脑里只有python3.10(64位),所以当时去搜如何多版本python共存,安装了Anaconda,然后下载python3.9(32位)并配置到环境变量
后面我试了下删掉32位python的环境变量,这个程序也能使用!脱壳的程序没什么区别,让我很疑惑
三.解密
IDA 分析程序: XTEA 加密
IDA 反编译代码:
// IDA decompilation of main() from the unpacked target (unpacked_TMD.exe).
// Decompiler pseudocode, not compilable C: __int128/_DWORD/_BYTE and the
// xmmword_/qword_/input_/aSuccess/Format names are IDA's, not declarations.
// Behaviour: read a string, encrypt it in place with an XTEA-like cipher
// (3 blocks x 32 rounds) and byte-compare the 24-byte result with a constant.
int __cdecl main(int argc, const char **argv, const char **envp)
{
int m; // eax - index of the first 32-bit word of the current block
int sum; // edi - round sum
unsigned int key0; // esi - left half of the current block
int i; // ebx - round counter
unsigned int key1; // eax - right half of the current block
int j; // ecx - byte index for the final comparison
__int128 v10; // [esp+0h] [ebp-40h] - expected ciphertext, bytes 0..15
int v11; // [esp+10h] [ebp-30h] - expected ciphertext, bytes 16..19
int v12; // [esp+14h] [ebp-2Ch] - expected ciphertext, bytes 20..23
unsigned int *enc1; // [esp+18h] [ebp-28h] - points at the right word of the block
unsigned int *enc0; // [esp+1Ch] [ebp-24h] - points at the left word of the block
int n; // [esp+20h] [ebp-20h]
__int128 input; // [esp+24h] [ebp-1Ch] BYREF - user input, bytes 0..15
__int64 v17; // [esp+34h] [ebp-Ch] - user input, bytes 16..23
v10 = xmmword_A72120; // D422D788FA77A97D83C4D150D9F3EE16 - first 16 bytes of the expected ciphertext
v11 = 0x5EA221AF; // two more 32-bit words follow; v10/v11/v12 are contiguous on the stack,
v12 = 0x725052E8; // so (_BYTE *)&v10 addresses all 24 expected bytes
scanf("%s", &input_A73370); // unbounded "%s" read into a global buffer: no length limit on the candidate
m = 0;
n = 0;
input = input_A73370; // copy 24 bytes of the global input into the local pair input/v17
v17 = qword_A73380; // ([ebp-1Ch] + 16 == [ebp-Ch], so they form one 24-byte buffer)
do
{
sum = 0;
key0 = *((_DWORD *)&input + m); // current block = 32-bit words m and m+1 of the input
enc0 = (unsigned int *)&input + m;
enc1 = (unsigned int *)&input + m + 1;
i = 32;
key1 = *enc1;
do
{
sum -= 0x61C88647; // same as sum += 0x9E3779B9, the TEA/XTEA delta
key0 += (key1 + sum) ^ (16 * key1 + 0x12345678) ^ ((key1 >> 5) - 0x65432110); // XTEA-like round; fixed constants stand in for a key schedule
key1 += (key0 + sum) ^ ((key0 >> 5) + 0x76543210) ^ (16 * key0 - 0x1234568);
--i;
}
while ( i ); // 32 rounds per block
*enc0 = key0; // encrypted block written back in place
*enc1 = key1;
m = n + 2; // advance one 64-bit block (two 32-bit words) per outer iteration
n = m;
}
while ( m < 6 ); // m = 0, 2, 4: three blocks, 3 * 32 = 96 rounds in total
j = 0;
while ( *((_BYTE *)&input + j) == *((_BYTE *)&v10 + j) ) // byte-by-byte compare of the encrypted input against the constant
{
if ( ++j >= 24 ) // all 24 bytes matched
{
printf(aSuccess, v10);
return 0;
}
}
printf(Format, v10); // first mismatching byte: failure message
return 0;
}
解题脚本:
#include <stdint.h>
#include <stdio.h>
#include <string.h>
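enum { ROUNDS = 32 };                    /* rounds per 64-bit block, as in the binary */
static const uint32_t DELTA = 0x9E3779B9u; /* the binary does sum -= 0x61C88647, i.e. sum += DELTA */

/* Decrypt one 64-bit block v[0..1] in place, undoing the binary's XTEA-like
 * round (fixed constants instead of a key schedule) in reverse order. */
static void xtea_variant_decrypt(uint32_t v[2])
{
    uint32_t key0 = v[0];
    uint32_t key1 = v[1];
    /* The encryptor leaves sum at DELTA * ROUNDS (0xC6EF3720); walk it back. */
    uint32_t sum = (uint32_t)(DELTA * (uint32_t)ROUNDS);

    for (int round = 0; round < ROUNDS; round++) {
        /* Reverse of the encrypt round: undo key1 first, then key0, then sum. */
        key1 -= (key0 + sum) ^ ((key0 >> 5) + 0x76543210u) ^ (16u * key0 - 0x1234568u);
        key0 -= (key1 + sum) ^ (16u * key1 + 0x12345678u) ^ ((key1 >> 5) - 0x65432110u);
        sum -= DELTA;
    }
    v[0] = key0;
    v[1] = key1;
}

/* Recover the flag: decrypt the 24-byte expected ciphertext taken from the
 * binary (xmmword_A72120 followed by v11/v12) and print it as a string.
 * All arithmetic is unsigned 32-bit, so no signed-overflow UB; the words are
 * aliased as bytes only through memcpy, not through a casted pointer. */
int main(void)
{
    /* Six little-endian 32-bit words = the 24 expected ciphertext bytes. */
    uint32_t blocks[6] = {
        0x88D722D4u, 0x7DA977FAu, 0x50D1C483u, 0x16EEF3D9u,
        0x5EA221AFu, 0x725052E8u,
    };

    /* Sanity check: the round sum the encryptor reaches after 32 rounds. */
    const uint32_t final_sum = (uint32_t)(DELTA * (uint32_t)ROUNDS);
    printf("%x\n", (unsigned)final_sum);

    /* The three 64-bit blocks are independent, so any order works. */
    for (size_t b = 0; b + 1 < sizeof blocks / sizeof blocks[0]; b += 2) {
        xtea_variant_decrypt(&blocks[b]);
    }

    /* Reinterpret the 24 plaintext bytes as a NUL-terminated string. Byte order
     * follows the host; this matches the 32-bit x86 target only on little-endian. */
    char flag[sizeof blocks + 1] = {0};
    memcpy(flag, blocks, sizeof blocks);
    printf("%s", flag); /* s1mpLE_tEEE1_DeeeCCCRypt */
    return 0;
}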
得到 flag: s1mpLE_tEEE1_DeeeCCCRypt