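Since the original 64-bit program runs but problems appear once it is converted to 32-bit, somewhere in this binary definitely needs to be patched. The error it reports is "Unable to open the script file", so I used that message to find which condition was not being met.

I started with dynamic debugging, patched out the anti-debugging function, and traced the execution flow that makes the 32-bit program pop up the error. Here, after sub_4128CF is called, its return value is checked; if it returns 1, execution jumps to LABEL_3. LABEL_3 calls sub_40B506 and then returns directly, after which the program exits step by step. sub_40B506 is in fact what pops up the "Unable to open the script file" window, so the sub_4128CF function is clearly what we need to focus the analysis on: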

raw = "097e0b7609097f78582b5b7f5f582c780d775c7a0e5a7a78587a5e7a095b7a2e5b7c0c7d0b09297c0c765a295d0b2e790b7f587b58097f2a572c572b090b7b7c0e78572c5b572e7d5e7f5e7d5e5a792958760b7c590d7b7f0d2c5d7b585d78770a7b5e2c5c5a777c5f7e5e7b5d0c2b2a562e0b780b0d7b7d5b775a2c560a7b2e5c7f0b2d575f767d5b2a582e570a2e7d0929577c5b58787e0b7d582e56097e785b2a582a0e0e78790c2e59780a0b2d7d097e577b0d0b2b7e5e295f2e5a097e2e0b2b097b5a0a7b2e5b7f0e29560d767b0b2e0c7a565b297b0a7e5d7f095c76795d2a0e7e5a0e2a29097c572c575a7f7d5e7a0c295f0a2d7b0e2d0a7e0b0c7b2a5a29592c0a0b7e76587d5b77560e7c2a5e775e775e097a2b09295d7c5e092d780b7b5f78090c7d775d7c5f2958097a760d2d0e2c5d562a2b577e577a565c2e7c5f765d775b5c7d2d0c2e0e2a5f592a2a0c7d0d7c0b0b7d7c5a77582a5a59767a0e79562b5e092d2d5d785a7b0e097c7a0d79092c0a0c2b79097f097f57572e295b7b5a7a585f787c0a7c5e2a5b0b2d2b0d7b5b2d5d587c7b5e2e592a5d5c7b290d2e5f79590d7a7b0c7f0e7d575c7d79597f5b79595c772c587b5c7e0b0b7a7e5f2d5a78575b2b2d597b0a780d0e7e795d7b0976585a7a7e567c57785d562a2d0d2b0c290e577e2c587f0e775f0e2e7b09795a2d5c58292c5f765f7f58092978"
# Convert the hex string into a list of byte values
raw_int = []
for i in range(0, len(raw), 2):
    raw_int.append(int(raw[i:i+2], 16))

# XOR every byte with the repeating key table table_1
# (table_1 is not shown in this excerpt)
string = ""
i = 0
for item in raw_int:
    string += chr(item ^ table_1[i % len(table_1)])
    i += 1
# print(string)
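
# Split cipher into 32-character MD5 hex digests
# (cipher is not defined in this excerpt)
md5_list = []
for i in range(0, len(cipher), 32):
    md5_list.append(cipher[i:i+32])
# print(md5_list)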

from hashlib import md5
from itertools import product

flag = ""
# Candidate alphabet: printable ASCII 0x20-0x7e
table = ""
for i in range(32, 127):
    table += chr(i)

for item in md5_list:
    # product() instead of permutations(): permutations() never repeats a
    # character, so a 3-character chunk such as "aa}" could never match
    for s in product(table, repeat=3):
        target = "".join(s)
        m = md5()
        m.update(target.encode("utf-8"))
        if m.hexdigest() == item:
            flag += target
            print(flag)
            break
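
Added example, not part of the original write-up: the same decode pipeline (repeating-key XOR, split into 32-character MD5 digests, brute force of 3-character chunks) run end to end on constructed data. `KEY` and `SAMPLE_FLAG` are made-up stand-ins, since the page shows neither `table_1` nor the recovered flag; the candidate generator is a parameter so `itertools.product` can be compared with `itertools.permutations`, which never yields a chunk containing a repeated character.

```python
from hashlib import md5
from itertools import permutations, product

ALPHABET = [chr(c) for c in range(32, 127)]  # printable ASCII, as in the script above
KEY = bytes([0x3B, 0x4F, 0x6E, 0x1A])        # constructed stand-in for table_1
SAMPLE_FLAG = "flag{aab_zz}"                 # constructed; "zz}" repeats a character


def xor_hex(hex_blob, key):
    """Undo the repeating-key XOR and return the hidden digest text."""
    data = bytes.fromhex(hex_blob)
    return "".join(chr(b ^ key[i % len(key)]) for i, b in enumerate(data))


def make_blob(flag, key, n=3):
    """Build a constructed input: MD5 every n-char chunk, then XOR and hex-encode."""
    digests = "".join(md5(flag[i:i + n].encode()).hexdigest()
                      for i in range(0, len(flag), n))
    return bytes(ord(c) ^ key[i % len(key)] for i, c in enumerate(digests)).hex()


def crack(digests, candidates):
    """Hash each candidate once and match it against every wanted digest."""
    wanted, found = set(digests), {}
    for combo in candidates:
        text = "".join(combo)
        digest = md5(text.encode()).hexdigest()
        if digest in wanted:
            found[digest] = text
            if len(found) == len(wanted):
                break
    return found


def recover(hex_blob, key, candidates, n=3):
    text = xor_hex(hex_blob, key)
    if len(text) % 32:
        raise ValueError("decoded text is not a whole number of MD5 digests")
    digests = [text[i:i + 32] for i in range(0, len(text), 32)]
    found = crack(digests, candidates)
    return "".join(found.get(d, "?" * n) for d in digests)  # "?" marks a miss


if __name__ == "__main__":
    blob = make_blob(SAMPLE_FLAG, KEY)
    print(recover(blob, KEY, product(ALPHABET, repeat=3)))
    print(recover(blob, KEY, permutations(ALPHABET, 3)))
```

Each candidate is hashed once for the whole digest list, so the cost is a single pass over the 95^3 candidates instead of one pass per digest.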