CM有混淆有点难度

Jar36 · 发表于 2026-2-11 21:24

本帖最后由 Jar36 于 2026-2-11 21:28 编辑

满足某种条件会成功如上图需要给出这种条件的具体做法
不可以修改程序显示这个对话框
无壳无VMP 手工花指令

第一次有人破解出来发代码或者10天后
压缩包密码 obf

Command · 发表于 2026-2-12 10:34

由于文件传不上来, 我就直接把文件名和HEX给出来吧
keyfile: philia.093
HEX: 10 80 1A 40 11 EA EC 23 07 80 70 03 A0 20 00 00 A7 40 29 31 01 38 40 23

主要是IDA静态识别太坑爹了, 改了老久弄的差不多能看了

导入函数:

读文件(Buffer被作为int[]处理), 并且进行异或(sub_401306获取异或值, uint32)

这里的mov ecx, 6已经说明了是循环六次, 即6个int (24字节)

使用z3约束求解即可:

[Python] 纯文本查看 复制代码

import ctypes
from z3 import *


dword_401450 = ctypes.c_uint32(0x1FFF000)

def sub_401306():
    global dword_401450
    return hex((dword_401450 := ctypes.c_uint32(22695477 * dword_401450.value + 1)).value)
for _ in range(6):
    print(sub_401306())
aBuffer = [0] * 4
# 0 ^ aBuffer[0] ^ 0x16080902
# aBuffer[1] - aBuffer[2] == -301138177from z3 import *

B0, B1, B2, B3, B4, B5 = BitVecs('B0 B1 B2 B3 B4 B5', 32)
# XOR key
K = [
    BitVecVal(0xc51cb001, 32),
    BitVecVal(0x6deabe36, 32),
    BitVecVal(0x5c89d52f, 32),
    BitVecVal(0x490374bc, 32),
    BitVecVal(0xf16072ed, 32),
    BitVecVal(0xb04e0112, 32)
]

# aBuffer = Buffer ^ key
A0 = B0 ^ K[0]
A1 = B1 ^ K[1]
A2 = B2 ^ K[2]
A3 = B3 ^ K[3]
A4 = B4 ^ K[4]
A5 = B5 ^ K[5]

# rotate right 4
def ror(x, n):
    return RotateRight(x, n)

s = Solver()
s.add(A5 ^ A0 ^ BitVecVal(0x16080902, 32) == 0)
s.add(A1 - A2 == BitVecVal(-301138177, 32))
s.add(A4 & -ror(A3, 4) == BitVecVal(0x49020A, 32))
# solve
if s.check() == sat:
    m = s.model()
    print("Solution:")
    Fp = open('philia.093', 'wb')
    for v in [B0, B1, B2, B3, B4, B5]:
        print(hex(m[v].as_long()))
        Fp.write(m[v].as_long().to_bytes(4, 'little'))
    Fp.close()
    
else:
    print("UNSAT (no solution)")

Jar36 · 发表于 2026-2-12 11:26

正确，这是一组解算法是将这个文件的前6个DWORD分别和以1FFF0000种子 22695477为a 1为c的线性同余伪随机异或然后分块0-5 1-4 2-3进行位运算最后验证所以有无数种解
给出我凑好的一组解异或后是"REMEMBRACESUNGINRIPPLES"

怜渠客 · 发表于 2026-2-11 23:43

sub_401306 生成数字，和16080902h对比，根据校验结果提示对应内容。通过LoadLibraryA加载user32.dll，通过GetProcAddress找到MessageBoxA地址来调用，sub_4013E3字符串解密函数，异或0x7f

Hao轩 · 发表于 2026-2-11 23:46

0040122B    90                nop
0040122C    90                nop
0040122D    90                nop
0040122E    90                nop
0040122F    90                nop
00401230    90                nop

00401281    /EB 02

00401285    90                nop
00401286    90                nop

0040129C    90                nop
0040129D    90                nop

004012B7    90                nop
004012B8    90                nop

Jar36 · 发表于 2026-2-12 08:12

不能修改程序本体的提示一下是keyfile型验证请给出keyfile名字和内容（是二进制的）

Jar36 · 发表于 2026-2-12 20:51

[Asm] 纯文本查看 复制代码

.386
.model flat, stdcall
option casemap:none

.code
start:
    ; get hkernel32
    xor  eax, eax
    assume fs:nothing
    mov  eax, fs:[eax + 30h]
    mov  eax, [eax + 0Ch]
    mov  eax, [eax + 14h]
    
    mov  eax, [eax]
    mov  eax, [eax]
    mov  ebx, [eax + 10h]
	
	mov [hkernel32], ebx
    
    mov  eax, [ebx + 3Ch]
    add  eax, ebx
    mov  eax, [eax + 78h]
    add  eax, ebx
    push eax
    
    mov  esi, [eax + 20h]
    add  esi, ebx
    xor  ecx, ecx

find_LoadLibraryA:
    mov  edi, [esi + ecx*4]
    add  edi, ebx
    
    cmp  dword ptr [edi], 64616F4Ch
    jne  next_func1
    cmp  dword ptr [edi+4], 7262694Ch
    jne  next_func1
    cmp  dword ptr [edi+8], 41797261h
    je   found_LoadLibraryA
    
next_func1:
    inc  ecx
    jmp  find_LoadLibraryA

found_LoadLibraryA:
    mov  edx, [eax + 24h]
    add  edx, ebx
    mov  cx, [edx + ecx*2]
    mov  edx, [eax + 1Ch]
    add  edx, ebx
    mov  eax, [edx + ecx*4]
    add  eax, ebx
    push eax

    pop  eax
    pop  edx
    push eax
    push edx
    
    mov  eax, edx
    mov  esi, [eax + 20h]
    add  esi, ebx
    xor  ecx, ecx

find_GetProcAddress:
    mov  edi, [esi + ecx*4]
    add  edi, ebx
    
    cmp  dword ptr [edi], 50746547h
    jne  next_func2
    cmp  dword ptr [edi+4], 41636F72h
    jne  next_func2
    cmp  dword ptr [edi+8], 65726464h
    je   found_GetProcAddress
    
next_func2:
    inc  ecx
    jmp  find_GetProcAddress

found_GetProcAddress:
    mov  edx, [eax + 24h]
    add  edx, ebx
    mov  cx, [edx + ecx*2]
    mov  edx, [eax + 1Ch]
    add  edx, ebx
    mov  eax, [edx + ecx*4]
    add  eax, ebx
	mov [GetProcAddress], eax
    pop  edx
    pop  ebx
	mov [LoadLibraryA], ebx
	
true_start:
    
	push offset Ncreatefilea
	push [hkernel32]
	call [GetProcAddress]
	mov [CreateFileA], eax
	
	push offset Nreadfile
	push [hkernel32]
	call [GetProcAddress]
	mov [ReadFile], eax
	
	push offset Nexitprocess
	push [hkernel32]
	call [GetProcAddress]
	mov [ExitProcess], eax
	
	push offset Nuser32dll
	call [LoadLibraryA]
	mov [huser32], eax
	
	push offset Nmessageboxa
	push [huser32]
	call [GetProcAddress]
	mov [MessageBoxA], eax
	
	; read keyfile
	push 0
	push 80h
	push 3
	push 0
	push 0
	push 80000000h
	push offset keyfile
	call [CreateFileA]
	
	inc eax
	jz finalize
	
	push 0
	push 0
	push 32
	push offset keybuf
	push eax
	call [ReadFile]
	mov ecx, 6
	xor edx, edx
e:
	call random
	xor [keybuf+4*edx], eax
	inc edx
	loop e
	
; check header
	mov eax, [keybuf]
	xor eax, [keybuf+4*5]
	xor eax, 016080902h
	jnz finalize
	
	mov ebx, [keybuf+1*4]
	sub ebx, [keybuf+2*4]
	sub ebx, 0EE0CFEFFh
	jnz finalize
	
	mov ecx, [keybuf+3*4]
	ror ecx, 4
	neg ecx
	and ecx, [keybuf+4*4]
	xor ecx, 00049020Ah
	jnz finalize
	
	jmp ok
finalize:
	push 0
	push offset msg
	push offset msg
	push 0
	call [MessageBoxA]
	push 0
	call [ExitProcess]
	
ok:
	push 0
	push offset okm
	push offset okm
	push 0
	call [MessageBoxA]
	push 0
	call [ExitProcess]
	
random:
	push edx
	push ecx
	mov eax, [seed]
	mov ecx, 22695477
	mul ecx
	inc eax
	mov [seed], eax
	pop ecx
	pop edx
	ret

.data
align 4
keybuf dd 0, 0, 0, 0, 0, 0,      0, 0

seed dd 33550336

hkernel32 dd 0
huser32 dd 0
ExitProcess dd 0
LoadLibraryA dd 0
GetProcAddress dd 0
CreateFileA dd 0
ReadFile dd 0
MessageBoxA dd 0

Ncreatefilea db "CreateFileA", 0
Nreadfile db "ReadFile", 0
Nexitprocess db "ExitProcess", 0
Nmessageboxa db "MessageBoxA", 0

Nuser32dll db "user32.dll", 0

keyfile db "philia.093", 0

msg db "exit", 0
okm db "ok", 0


end start

也是按照之前说的放出代码
编译时需要让.text段可以写

ii丶BigBreast · 发表于 2026-2-13 01:48

条件1 : input[5] ^ input[0] ^ 0x16080902 == 0
条件2 : input[1] - input[2] == 0xEE1EEAEF
条件3 : (input[4] & -ROR(input[3], 4)) == 0x49020A

帐号		自动登录	找回密码
密码			注册[Register]

[CrackMe] CM有混淆有点难度

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源