[看雪CTF2016]第二十八题分析
发表于:
2016-12-27 11:16
用 RC4 解密 lua.dll 并从内存加载。密钥只有 1 字节（0040126C 处取 sn[0x28] 即 sn[40] 作为密钥，0040127C 处密钥长度 edx=1），所以只有 256 种可能：逐一尝试这 256 个候选密钥、检查解密结果是否是合法的 PE 文件，即可得到 sn[40]='I'。
.text:00401267 mov eax, offset lua_dll_enc            ; eax = RC4-encrypted lua.dll image; it is decrypted in place below
.text:0040126C lea ecx, [esp+0E0h+sn+28h]              ; ecx = &sn[0x28] (= sn[40]): the whole RC4 key is this one serial byte
.text:00401273 push eax                                ; stack arg 3: output buffer (same pointer as input -> in-place)
.text:00401274 xor edx, edx
.text:00401276 push 34A00h                             ; stack arg 2: length 0x34A00 (215,552 bytes)
.text:0040127B push eax                                ; stack arg 1: input buffer
.text:0040127C inc edx                                 ; edx = 1 = key length in bytes. A 1-byte RC4 key means only 256
                                                       ; candidate keys; the DLL can be recovered offline by brute force.
.text:0040127D call rc4_crypt                          ; NOTE(review): convention appears to be key ptr in ecx, key len in
                                                       ; edx, (src, len, dst) on the stack -- confirm against the callee.
.text:00401282 sub esp, 0Ch                            ; stack space taken before the loader call. The instructions between
                                                       ; 0040128A and 00401293 are not in this listing, so how mem_load_pe
                                                       ; receives its arguments, what it returns, and how esi is set are
                                                       ; not visible here.
.text:00401285 call mem_load_pe                        ; map the (now plaintext) DLL from memory rather than from a file
.text:00401293 movzx eax, [esp+0E0h+sn+3Ah]            ; eax = sn[0x3A] (sn[58])
.text:0040129B mov ecx, esi                            ; ecx = esi: register-passed first argument (esi's value comes from the elided lines)
.text:0040129D movzx edx, [esp+0E0h+sn+1Eh]            ; edx = sn[0x1E] (sn[30])
.text:004012A5 sub eax, 30h                            ; sn[0x3A] - '0': ASCII digit -> number; no range check is visible
.text:004012A8 push eax
.text:004012A9 movzx eax, [esp+0E4h+sn+2Eh]            ; eax = sn[0x2E] (sn[46]); 0E4h because the push above moved esp by 4
.text:004012B1 sub edx, 30h                            ; edx = sn[0x1E] - '0'
.text:004012B4 sub eax, 30h                            ; eax = sn[0x2E] - '0'
.text:004012B7 push eax
.text:004012B8 call xGetProcsByOrdinal                 ; resolve exports of the in-memory DLL by ordinal. The ordinals are
                                                       ; derived directly from three serial bytes (sn[0x1E], sn[0x2E],
                                                       ; sn[0x3A]), so a wrong serial produces wrong/missing imports instead
                                                       ; of a compare that could be patched out. If only '0'..'9' are
                                                       ; meaningful after the -0x30, that is at most 1000 combinations.
.text:0040145A push ebx ; _DWORD                        ; ebx = lua_State *L, first argument of every Lua API call below
.text:0040145B call luaL_openlibs                       ; open the Lua standard libraries for L. In stock Lua this includes
                                                        ; os/io, so the decrypted chunk below is not sandboxed -- verify
                                                        ; against the actual lua.dll build.
.text:00401461 push esi ; sn                            ; esi = the serial string at this point
.text:00401462 push ebx ; _DWORD
.text:00401463 call lua_pushstring                      ; lua_pushstring(L, sn)
.text:00401469 push offset asc_404138 ; L               ; global name (string contents not shown in this listing)
.text:0040146E push ebx ; _DWORD
.text:0040146F call lua_setglobal                       ; lua_setglobal(L, asc_404138): the serial becomes a global the script can read
.text:00401475 xor eax, eax
.text:00401477 lea ecx, [ebp+var_74]                    ; ecx = &key: a 4-byte local built from three serial bytes (key ptr for rc4_crypt)
.text:0040147A mov word ptr [ebp+var_74+1], ax          ; key[1..2] = 0 (both overwritten below)
.text:0040147E mov edi, offset stepa_lua_bytecode       ; edi = RC4-encrypted Lua chunk; decrypted in place below
.text:00401483 mov byte ptr [ebp+var_74+3], al          ; key[3] = 0 (terminator; not part of the 3-byte key)
.text:00401486 mov al, [esi+1Eh]                        ; al = sn[0x1E]
.text:00401489 mov byte ptr [ebp+var_74], al            ; key[0] = sn[0x1E]
.text:0040148C mov al, [esi+2Eh]                        ; al = sn[0x2E]
.text:0040148F mov byte ptr [ebp+var_74+1], al          ; key[1] = sn[0x2E]
.text:00401492 mov al, [esi+3Ah]                        ; al = sn[0x3A] (last read of the serial through esi)
.text:00401495 mov esi, 8454h                           ; esi = chunk length 0x8454 (33,876 bytes); esi no longer points at sn
.text:0040149A push edi                                 ; stack arg 3: output buffer (in place)
.text:0040149B push esi                                 ; stack arg 2: length
.text:0040149C push edi                                 ; stack arg 1: input buffer
.text:0040149D push 3
.text:0040149F pop edx                                  ; edx = 3 = key length (raw serial bytes here, no -0x30 adjustment)
.text:004014A0 mov byte ptr [ebp+var_74+2], al          ; key[2] = sn[0x3A]
.text:004014A3 call rc4_crypt                           ; RC4 with key {sn[0x1E], sn[0x2E], sn[0x3A]} -- the same three serial
                                                        ; positions that select the ordinals at 004012B8. A 3-byte key is
                                                        ; trivially brute-forceable; presumably a correct guess is
                                                        ; recognizable by the Lua bytecode signature at the start of the
                                                        ; output -- confirm. No key check is visible before the load.
.text:004014A8 push 0                                   ; mode = NULL
.text:004014AA push offset aSa ; "sa"                   ; name = "sa" (chunk name)
.text:004014AF push esi                                 ; sz = 0x8454
.text:004014B0 push edi ; char *                        ; buff = decrypted chunk
.text:004014B1 push ebx ; _DWORD                        ; L
.text:004014B2 call luaL_loadbufferx                    ; luaL_loadbufferx(L, buff, sz, name, mode): load the chunk; whether
                                                        ; its return value is checked happens after this listing