好友
阅读权限30
听众
最后登录1970-1-1
|
首先, Z3真的很好用, 然后, Z3真的很好用
HEX:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FB CE E3 88 88 DA B6 54 98 29 19 EE B8 4B 67 73
F8 07 7C AA 78 DF 2E 00 78 30 09 55 78 3E C7 E6
我用了一个比较耗时的方法, 写了个小反编译器:
函数表(wow DEADBEEF):
IDA真的好坑啊我去, 第三个参数给我吞了 (图片没有显示第三个参数, 但实际上还有一个参, 应该是esi?)
指令格式为: opcode, operand1, operand2, operand3
附上反编译器:
[Python] 纯文本查看 复制代码 opcodes = [0x00000000, 0x9E3779B9, 0x00000064, 0x00000000, 0x00000000, 0x85EBCA77, 0x00000065, 0x00000000, 0x00000000, 0xC2B2AE35, 0x00000066, 0x00000000, 0x00000000, 0x6E24F083, 0x00000067, 0x00000000, 0x0000000A, 0x00000001, 0x00000000, 0x00000001, 0x00000002, 0x00000001, 0x00000000, 0x00000001, 0x0000000A, 0x00000001, 0x00000064, 0x00000001, 0x00000002, 0x00000001, 0x00000065, 0x00000001, 0x0000000A, 0x00000001, 0x00000066, 0x00000001, 0x00000002, 0x00000001, 0x00000067, 0x00000001, 0x0000000A, 0x00000002, 0x00000001, 0x00000002, 0x00000002, 0x00000002, 0x00000001, 0x00000002, 0x0000000A, 0x00000002, 0x00000064, 0x00000002, 0x00000002, 0x00000002, 0x00000065, 0x00000002, 0x0000000A, 0x00000002, 0x00000066, 0x00000002, 0x00000002, 0x00000002, 0x00000067, 0x00000002, 0x0000000A, 0x00000003, 0x00000002, 0x00000003, 0x00000002, 0x00000003, 0x00000002, 0x00000003, 0x0000000A, 0x00000003, 0x00000064, 0x00000003, 0x00000002, 0x00000003, 0x00000065, 0x00000003, 0x0000000A, 0x00000003, 0x00000066, 0x00000003, 0x00000002, 0x00000003, 0x00000067, 0x00000003, 0x0000000A, 0x00000004, 0x00000003, 0x00000004, 0x00000002, 0x00000004, 0x00000003, 0x00000004, 0x0000000A, 0x00000004, 0x00000064, 0x00000004, 0x00000002, 0x00000004, 0x00000065, 0x00000004, 0x0000000A, 0x00000004, 0x00000066, 0x00000004, 0x00000002, 0x00000004, 0x00000067, 0x00000004, 0x0000000A, 0x00000005, 0x00000004, 0x00000005, 0x00000002, 0x00000005, 0x00000004, 0x00000005, 0x0000000A, 0x00000005, 0x00000064, 0x00000005, 0x00000002, 0x00000005, 0x00000065, 0x00000005, 0x0000000A, 0x00000005, 0x00000066, 0x00000005, 0x00000002, 0x00000005, 0x00000067, 0x00000005, 0x0000000A, 0x00000006, 0x00000005, 0x00000006, 0x00000002, 0x00000006, 0x00000005, 0x00000006, 0x0000000A, 0x00000006, 0x00000064, 0x00000006, 0x00000002, 0x00000006, 0x00000065, 0x00000006, 0x0000000A, 0x00000006, 0x00000066, 0x00000006, 0x00000002, 0x00000006, 0x00000067, 0x00000006, 0x0000000A, 0x00000007, 0x00000006, 0x00000007, 0x00000002, 0x00000007, 0x00000006, 0x00000007, 0x0000000A, 0x00000007, 0x00000064, 0x00000007, 0x00000002, 0x00000007, 0x00000065, 0x00000007, 0x0000000A, 0x00000007, 0x00000066, 0x00000007, 0x00000002, 0x00000007, 0x00000067, 0x00000007, 0x0000000A, 0x00000000, 0x00000067, 0x00000000, 0x0000000A, 0x00000000, 0x00000007, 0x00000000, 0x00000008, 0x00000000, 0x00000008, 0x00000039, 0x00000008, 0x00000001, 0x00000009, 0x00000039, 0x00000008, 0x00000002, 0x0000000A, 0x00000039, 0x00000008, 0x00000003, 0x0000000B, 0x00000039, 0x00000008, 0x00000004, 0x0000000C, 0x00000039, 0x00000008, 0x00000005, 0x0000000D, 0x00000039, 0x00000008, 0x00000006, 0x0000000E, 0x00000039, 0x00000008, 0x00000007, 0x0000000F, 0x00000039, 0x00000000, 0x00000001, 0x000000FF, 0x00000000, 0x00000007]
buf = [0] * 256
PC = 0
arr = ['buf[{1}] = {0}', 'buf[{1}] = buf[{0}]', 'buf[{2}] = buf[{0}] + buf[{1}]', 'buf[{2}] = buf[{0}] - buf[{1}]', 'buf[{2}] = buf[{0}] * buf[{1}]', 'buf[{1}] = buf[{0}] / buf[0]', 'buf[{1}] = buf[{0}] % buf[0]', 'STOP', 'buf[{1}] != buf[{0}] ? jmp {2}: nothing', 'jmp {0}', 'buf[{2}] = buf[{0}] ^ buf[{1}]']
while True:
v13 = opcodes[4 * PC]
if v13 == 7:
print('STOP')
print(arr[v13].format(str(opcodes[4 * PC + 1]), str(opcodes[4 * PC + 2]), str(opcodes[4 * PC + 3])))
PC += 1
依旧暴力Z3(着急睡觉, 不写keygen了)[Python] 纯文本查看 复制代码 from z3 import *
buf = list(BitVecs('B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 B11 B12 B13 B14 B15', 32))
buff = buf.copy()
buf.extend([0] * 240)
buf[100] = BitVecVal(2654435769, 32)
buf[101] = BitVecVal(2246822519, 32)
buf[102] = BitVecVal(3266489909, 32)
buf[103] = BitVecVal(1847914627, 32)
buf[1] = buf[1] ^ buf[0]
buf[1] = buf[1] + buf[0]
buf[1] = buf[1] ^ buf[100]
buf[1] = buf[1] + buf[101]
buf[1] = buf[1] ^ buf[102]
buf[1] = buf[1] + buf[103]
buf[2] = buf[2] ^ buf[1]
buf[2] = buf[2] + buf[1]
buf[2] = buf[2] ^ buf[100]
buf[2] = buf[2] + buf[101]
buf[2] = buf[2] ^ buf[102]
buf[2] = buf[2] + buf[103]
buf[3] = buf[3] ^ buf[2]
buf[3] = buf[3] + buf[2]
buf[3] = buf[3] ^ buf[100]
buf[3] = buf[3] + buf[101]
buf[3] = buf[3] ^ buf[102]
buf[3] = buf[3] + buf[103]
buf[4] = buf[4] ^ buf[3]
buf[4] = buf[4] + buf[3]
buf[4] = buf[4] ^ buf[100]
buf[4] = buf[4] + buf[101]
buf[4] = buf[4] ^ buf[102]
buf[4] = buf[4] + buf[103]
buf[5] = buf[5] ^ buf[4]
buf[5] = buf[5] + buf[4]
buf[5] = buf[5] ^ buf[100]
buf[5] = buf[5] + buf[101]
buf[5] = buf[5] ^ buf[102]
buf[5] = buf[5] + buf[103]
buf[6] = buf[6] ^ buf[5]
buf[6] = buf[6] + buf[5]
buf[6] = buf[6] ^ buf[100]
buf[6] = buf[6] + buf[101]
buf[6] = buf[6] ^ buf[102]
buf[6] = buf[6] + buf[103]
buf[7] = buf[7] ^ buf[6]
buf[7] = buf[7] + buf[6]
buf[7] = buf[7] ^ buf[100]
buf[7] = buf[7] + buf[101]
buf[7] = buf[7] ^ buf[102]
buf[7] = buf[7] + buf[103]
buf[0] = buf[0] ^ buf[103]
buf[0] = buf[0] ^ buf[7]
s = Solver()
s.add(buf[8] == buf[0])
s.add(buf[9] == buf[1])
s.add(buf[10] == buf[2])
s.add(buf[11] == buf[3])
s.add(buf[12] == buf[4])
s.add(buf[13] == buf[5])
s.add(buf[14] == buf[6])
s.add(buf[15] == buf[7])
# solve
if s.check() == sat:
m = s.model()
print("Solution:")
Fp = open('philia.093', 'wb')
for v in buff:
print(v)
print(hex(m[v].as_long()))
Fp.write(m[v].as_long().to_bytes(4, 'little'))
Fp.close()
else:
print("UNSAT (no solution)"):
|
|
发表于 2026-2-13 00:10
|
发表于 2026-2-13 09:31
|楼主
分享到朋友圈
