目标:脱掉外层的 fsg 其实不顶用,有几个函数被混淆了,要把它们找出来并还原。
 
比如其中某一个函数

代码:
0040332D   $  55            push    ebp                              ;  obfuscated layout: plain prologue, then jumps over junk bytes and call/lea islands
0040332E   .  8BEC          mov     ebp, esp
00403330   .  56            push    esi
00403331   .  57            push    edi
00403332   .  53            push    ebx
00403333   .  EB 39         jmp     short unpacked.0040336E          ;  real code resumes at 0040336E (not in this listing); bytes up to there are padding/islands
00403335      B8            db      B8                               ;  B8 78 ED sit behind the unconditional jmp; no '>' marker, so presumably never executed
00403336   .^ 78 ED         js      short unpacked.00403325          ;  decoding artifact of the junk bytes above (would branch backwards if it ever ran)
00403338   >  E8 01000000   call    unpacked.0040333E                ;  call to "next instruction + 1": pushes 0040333D as return address, dropped again by the lea at 0040333E
0040333D      3B            db      3B                               ;  CHAR ';' — the single byte the call steps over
0040333E   .  8D6424 04     lea     esp, [esp+4]                     ;  discards the fake return address; call+lea together act as a 1-byte skip (lea does not touch flags)
00403342   .  97            xchg    eax, edi                         ;  executed here but absent from the restored listings below — presumably undone elsewhere, confirm
00403343   .  F2:           prefix repne:                            ;  Superfluous prefix — has no effect on the jmp; presumably only to upset linear disassembly
00403344   .  EB 02         jmp     short unpacked.00403348          ;  steps over the two bytes A6 83
00403346      A6            db      A6
00403347      83            db      83
00403348   >  E9 B6170000   jmp     unpacked.00404B03                ;  control leaves to 00404B03; BD 16 BB below are dead bytes
0040334D      BD            db      BD
0040334E      16            db      16
0040334F      BB            db      BB
00403350   >  F3:           prefix rep:                              ;  Superfluous prefix — same trick as at 00403343
00403351   .  E8 01000000   call    unpacked.00403357                ;  call-next+1 idiom again; the 'cmps' (A7) at 00403356 is the skipped byte
00403356   .  A7            cmps                                     ;  never reached: the call lands on 00403357
00403357   $  8D6424 04     lea     esp, [esp+4]                     ;  drops the return address pushed by the call
要还原成可读的代码,例如:
代码:
0040332D   $  55            push    ebp                              ;  desired layout: same prologue, islands and junk removed
0040332E   .  8BEC          mov     ebp, esp
00403330   .  56            push    esi
00403331   .  57            push    edi
00403332   .  53            push    ebx
00403333   .  68 00001000   push    100000                           ;  first push for 00402B22
00403338   .  68 21AF4000   push    0040AF21                         ;  second push for 00402B22 (no add esp after the call: callee presumably cleans up)
0040333D   .  E8 E0F7FFFF   call    00402B22
00403342   .  2BC0          sub     eax, eax                         ;  eax = 0 (xor eax,eax is the usual zeroing idiom; same result here)
00403344   .  8905 5DAF4000 mov     [40AF5D], eax                    ;  89 05 disp32 form; the bins posted later use the shorter A3 disp32 encoding
0040334A   .  8905 71AF4000 mov     [40AF71], eax
00403350   .  C7C6 A1AE4000 mov     esi, 0040AEA1                    ;  C7 C6 imm32 is the long r/m form; the later bins use BE imm32
00403356   .  FFB5 08000000 push    dword ptr [ebp+8]                ;  disp32 form of [ebp+8]; FF 75 08 (disp8) is the short one used in the later bins
0040335C   .  E8 1BF7FFFF   call    00402A7C
00403361   .  40            inc     eax                              ;  inc + je == "did 00402A7C return -1?"
00403362   .  0F84 C10B0000 je      00403F29


不要贴中间结果,不是重点,要可以运行的bin。
上传的附件 fsg2.0.rar

  • 标 题:答复
  • 作 者:kunkun
  • 时 间:2010-07-19 12:26:54


JCC不知道有什么好办法处理 不跳的话 下面碰到往上的JMP就完了
只会人肉记住标签
批量处理 只有模拟分支吗?

代码:
<0040332D>

; Function at 0040332D, re-laid-out so that it reads top to bottom.
; Prologue keeps a frame pointer and saves esi/edi/ebx; the final
; "retn 0C" means the caller passed 12 bytes (three dwords) of args,
; of which [ebp+8] is the first.
; 40AEA1 is used as a small record: fields +0, +4, +8, +C are read
; and written below through esi and ebx.
@L00000001:
  push ebp
  mov ebp,esp
  push esi
  push edi
  push ebx
  push 100000                         ; two values pushed for 00402B22
  push 40AF21
  call 00402B22                       ; no add esp afterwards: callee presumably cleans up — confirm
  xor eax,eax
  mov dword ptr [40AF5D],eax          ; clear two globals (both passed to 00402B6B at the end)
  mov dword ptr [40AF71],eax
  mov esi,40AEA1                      ; esi = record at 40AEA1

@L00000002:
  push dword ptr [ebp+8]              ; 00402A7C(first arg)
  call 00402A7C
  inc eax                             ; inc + je: branch if eax was -1
  je @L00000003
  test ecx,ecx                        ; second result comes back in ecx; zero -> error path
  je @L00000004
  dec eax                             ; undo the inc
  mov dword ptr [esi+8],eax
  mov dword ptr [esi+C],ecx
  push eax                            ; pushed: eax, then ecx
  push ecx
  call 00402AB1
  test eax,eax                        ; either result zero -> error path
  je @l1                              ; NOTE: this label is named differently from the @L0000000n ones
  test ecx,ecx
  je @l1
  mov dword ptr [esi],eax
  jmp short @L00000002                ; NOTE(review): this back-edge is not in the full bytes posted later
                                      ; in the thread (after mov [esi],eax they continue with mov [esi+4],ecx,
                                      ; xchg eax,esi, cmp word ptr [esi],5A4D ...); the reply says this
                                      ; listing is too short, so treat the loop as an artifact — confirm

@L00000003:
  push 40A21D                         ; each error path pushes one constant (presumably an address) before
  jmp @L00000007                      ; continuing; the pop eax at the end balances that push

@L00000004:
  push 40A235
  jmp @L00000005
@l1:
  push 40A252
  jmp @L00000005                      ; jumps to the label directly below — redundant after re-layout
@L00000005:
  mov ebx,40AEA1                      ; same record as esi
  push dword ptr [ebx]                ; pushed: [rec+0], then [rec+4]
  push dword ptr [ebx+4]
  call 00402AD3
  xor eax,eax

@L00000006:
  push eax                            ; pushed: 0, 0, [rec+C], [rec+8]
  push eax
  push dword ptr [ebx+C]
  push dword ptr [ebx+8]
  call 00407284
  push dword ptr [ebx+8]              ; [rec+8] handed to two more routines
  call 00407278
  push dword ptr [ebx+8]
  call 00407230

@L00000007:
  mov ebx,402B6B                      ; ebx = 00402B6B, called five times with one pushed value each;
  push 40AF49                         ; no stack adjustment in between, so the callee presumably cleans — confirm
  call ebx
  push 40AF35
  call ebx

@L00000008:
  push 40AF5D                         ; the two globals zeroed at entry
  call ebx
  push 40AF71
  call ebx
  push 40AF21                         ; same constant that was passed to 00402B22
  call ebx
  pop eax                             ; discards the constant pushed on the path that led here
  pop ebx                             ; restore in reverse push order
  pop edi
  pop esi
  leave
  retn 0C                             ; caller-passed 12 bytes of args are removed here

  • 标 题:答复
  • 作 者:forgot
  • 时 间:2010-07-19 21:12:36

引用:
最初由 kunkun发布 查看帖子

JCC不知道有什么好办法处理 不跳的话 下面碰到往上的JMP就完了
只会人肉记住标签
批量处理 只有模拟分支吗?
<0040332D>

@L00000001:
  push ebp
  mov ebp,esp
  push esi
  push...
不够长啊。不过这题我想考的是拓扑排序。

代码:
0040332D
558bec56575368000010006821af4000e8e0f7ffff2bc0a35daf4000a371af4000bea1ae4000ff75
08e821f7ffff400f8493090000909090909085c90f8449090000909090909048894608894e0c5051
e82ff7ffff85c0741690909090909090909085c9740990909090eb0d9090906852a24000e91c0900
008906894e049666813e4d5a0f85f708000090909090908b463ca9030000000f85da080000909090
90903b05adae40000f83c9080000909090909003f08935b1ae4000813e504500000f85b008000090
90909090837e28000f8497080000909090909066817e044c01750990909090eb0d9090906875a340
00e99f08000066f746160020750990909090eb0d9090906838a34000e98408000066837e5c010f84
4708000090909090908b86f4000000a9000001000f8527080000909090909085c0757f9090909090
90909090817e0846534721740990909090eb0d9090906875a24000e93508000083be800000000074
0990909090eb0d9090906882a14000e91908000083bee8000000000f85c607000090909090900fb7
46148d443018a3b5ae4000833800741a909090909090909090813855505830740990909090eb0d90
909068cfa24000e9d10700008b4634a3d5ae40008b463ca3c9ae40008b4638a3cdae40008b4628a3
d1ae40000fb75e06891dc5ae40008b15b5ae40008b0dc5ae4000496bc92801ca8b4214034210e871
fdffff8b0dadae40003bc876249090909090909090902bc88bf90305a1ae400051506885af4000e8
e1f5ffff90909090908b4e50c1e102516849af4000e8abf5ffffff35adae40006835af4000e89bf5
ffff8b3866c7074d5ac7473c0c000000c7470c504500008b550c85d2744e9090909090909090908d
4f02b40a9090909090813a7b73707d750990909090eb239090908a02423c00742390909090909090
9090880141fecc75d890909090eb0d909090b02083c204ebe990909083c70c893db9ae4000c74708
46534721a1d5ae4000894734c7473c00020000c7475400020000c7477410000000a1cdae40008947
38668b460466894704668b461683c8016689471666c74706020066c74714e0008b461c89471c8b46
208947208b46248947248b462c89472c668b464066894740668b464266894742668b464466894744
668b464666894746668b464866894748668b464a6689474a8b464c89474c8b46608947608b466489
47648b46688947688b466c89476c668b461866894718668b465c6689475c0fb747148d443818a3bd
ae4000938363140083631000c74324e00000c0a1cdae400089430c8b4650e8b8fbffff8943080343
0ce8adfbffffa3c1ae4000894334c7433c00020000c7434ce00000c0c7472854010000832519af40
00008b86a000000085c0741f90909090909090909050ffb6a400000068eba34000e87efaffff9090
9090908b86c000000085c07439909090909090909090ff0519af4000e886fbffff976a18576801af
4000e822f4ffffffb6c00000006a186813a44000e83bfaffff90909090908b86a800000085c0741f
90909090909090909050ffb6ac00000068ffa34000e812faffff90909090908b467885c0742c9090
9090909090909050ff767c6871af4000e8b3dbffffff7678ff767c6827a44000e8dff9ffff909090
90908b35b1ae40000fb70dc5ae4000890dc5ae40008b868800000085c0741a909090909090909090
ffb68c00000050e8e5f5ffff9090909090e842ebffffa31daf40008b35b5ae40008b3d49af4000ff
35c5ae400090909090908b46088b561085c0750990909090eb4890909085d2740990909090eb1b90
9090e844faffff03f883c628ff0c2475d190909090eb2a9090908bd88bc2e831faffff508b460ce8
63faffff5057e806f3ffff89d8ebcb9090908bc2ebb7909090592b3d49af400057ff3549af4000e8
eef8ffff893d55af40008b35b9ae40008b3d35af400081c7000200008b1dc1ae4000833d5daf4000
00743a909090909090909090ff3561af4000ff355daf400057e8a3f2ffffa161af4000e8a0f9ffff
899e8800000089868c00000003f803d89090909090f7451002000000755690909090909090909083
3d71af4000007444909090909090909090891d79af40006871af4000e836e8ffffff357daf4000ff
3571af400057e83ef2ffffa17daf4000e83bf9ffff895e7889467c03f803d89090909090ff3595ae
40006a32e8f1d8ffff89d80305d5ae4000a3732d400068c82d4000ff3521af4000ff3555af400057
ff3549af4000e82944000083c414e8edf8ffff03f803d8ff3599ae40006a32e8aed8ffff833d19af
40000074359090909090909090906a186801af400057e8b6f1ffffb818000000e8b3f8ffff899ec0
0000008986c400000003f803d89090909090899e80000000b881000000e88ef8ffff898684000000
8b15d5ae4000a1cdae400003c2a36f2d4000b84800000001d803c2a37f2d4000b82800000001d803
c2a38b2d4000b84400000001d803c2a39e2c4000c705832d400080000000c705872d4000007d0000
a11daf400003c2a3772d4000be472d4000b88f2d4000bae80100008910badc010000895004bade01
00008950088b15d1ae400089500c8b15d5ae4000011001500401500801500c8d4010ba6200000089
10ba7000000089500401180158042d472d400001d8890689461068810000005657e8bbf0ffff81c7
8100000089fb2b1d35af4000891d41af400081eb00020000833d85af400000745f90909090909090
9090f7451001000000754d90909090909090909089d8b900020000e880f7ffff8bd88b3d35af4000
8dbc3800020000ff3591af4000ff3585af400057e850f0ffff033d91af40002b3d35af4000893d41
af400090909090908b35bdae4000895e3889d8e83bf7ffff8946308b3db9ae40000346348947508b
3d35af400081c754010000be9c2c400068ab0000005657e8fdefffffbba1ae4000ff3541af4000ff
3535af4000ff33e8e5efffffff33ff7304e820efffff2bc05050ff3541af4000ff7308e8bf360000
ff7308e8ab360000ff7308e85b3600008b3595ae40008b1d99ae4000bf67124000566a34ffd7ff35
adae40006a3ee88bd6ffff68f4010000e888360000536a34ffd7566a36ffd7ff3541af40006a40e8
6ad6ffff68f4010000e867360000536a36ffd7566a38ffd76b0541af40006429d2f735adae4000ba
640000002bd0526847a14000ff3521af4000e88a3600005883c408506a42ff3555ae4000e86c3600
006858020000e81a360000536a38ffd76a00e98300000068a9a34000eb3f9090906894a24000eb35
9090906801a34000eb2b909090689ca14000eb2190909068e8a14000eb1790909068afa14000eb0d
9090906835a240009090909090bba1ae4000ff33ff7304e802eeffff2bc05050ff730cff7308e8a4
350000ff7308e890350000ff7308e840350000eb0d909090681da240009090909090bb6b2b400068
49af4000ffd36835af4000ffd3685daf4000ffd36871af4000ffd36821af4000ffd3585b5f5ec9c2
0c009090909090

  • 标 题:答复
  • 作 者:YwdxY
  • 时 间:2010-08-04 13:41:56

只找到4个乱序过的函数
5? 5? 5? E9

0040137D   .  55            push    ebp                              ;  matches the "5? 5? 5? E9" pattern: three push reg, then a jmp rel32 right after the prologue
0040137E   .  8BEC          mov     ebp, esp
00401380   .  83C4 E8       add     esp, -18                         ;  reserves 18h bytes of locals (add with a negative immediate instead of sub)
00401383   .  57            push    edi
00401384   .  56            push    esi
00401385   .  53            push    ebx
00401386   .  E9 3D090000   jmp     00401CC8                         ;  body continues far below at 00401CC8; the EC byte next is dead
0040138B   .  EC            in      al, dx                           ;  junk byte decoded as 'in'; no '>' marker, presumably unreachable
0040138C   >  E8 01000000   call    00401392                         ;  call-next+1 idiom (00401392 is one byte past the call); presumably paired with lea esp,[esp+4] there, as at 0040333E


2
00402174   $  55            push    ebp                              ;  second "5? 5? 5? E9" hit
00402175   .  8BEC          mov     ebp, esp
00402177   .  57            push    edi
00402178   .  56            push    esi
00402179   .  53            push    ebx
0040217A   >  E9 28010000   jmp     004022A7                         ;  '>' marks this jmp as a jump target itself; body continues at 004022A7

3,
0040235D   $  55            push    ebp                              ;  third hit; note the extra push edx before the jmp
0040235E   .  8BEC          mov     ebp, esp
00402360   .  83C4 F0       add     esp, -10                         ;  reserves 10h bytes of locals
00402363   .  57            push    edi
00402364   .  56            push    esi
00402365   .  53            push    ebx
00402366   .  52            push    edx                              ;  fourth push — the 5? 5? 5? signature still matches the first three
00402367   .  E9 06010000   jmp     00402472                         ;  body continues at 00402472

5? 5? 5? EB
4,
0040332D   $  55            push    ebp                              ;  fourth hit, short-jmp variant ("5? 5? 5? EB"); same function as the first post
0040332E   .  8BEC          mov     ebp, esp
00403330   .  56            push    esi
00403331   .  57            push    edi
00403332   .  53            push    ebx
00403333   .  EB 39         jmp     short 0040336E                   ;  skips the junk below; real code resumes at 0040336E
00403335      B8            db      B8                               ;  dead bytes behind the jmp
00403336   .^ 78 ED         js      short 00403325                   ;  decoding artifact of the junk; no '>' marker, presumably never executed
00403338   >  E8 01000000   call    0040333E                         ;  call-next+1 idiom; the lea esp,[esp+4] at 0040333E discards the pushed return address

和LZ大牛给出的还原函数对比了下,相差太远了,不懂怎么拓扑排序。
自己的土方法改了好久,自己都晕了
给个bin,不知道最终效果相同么

上传的附件 test.rar

  • 标 题:答复
  • 作 者:forgot
  • 时 间:2010-08-04 13:55:17

引用:
最初由 YwdxY发布 查看帖子
只找到4个乱序过的函数
5? 5? 5? E9

0040137D   .  55            push    ebp
0040137E   .  8BEC          mov     ebp, esp
00401380   .  83C4 E8       add  ...
猛男一号,welcome to the club。

整个程序可以当成一个偏序集,拓扑排序要先把图转成DAG,先找到SCC当做一个结点。

我之前贴的结果也不是最优的,不过不是排序问题,产生长短跳的方法可以用EL Robertson(1977)算法。

  • 标 题:答复
  • 作 者:forgot
  • 时 间:2010-08-04 14:46:29

引用:
最初由 YwdxY发布 查看帖子
感谢大牛分享方法
不过这下是彻底晕了
加油学习
 
大牛能说下 EL Robertson(1977)算法 是什么么?随便给个链接也行
 参考资料
[1] Kahn, A. B. (1962), "Topological sorting of large networks", Communications of the ACM 5 (11): 558–562, doi:10.1145/368996.369025.
[2] Robert Tarjan: Depth-first search and linear graph algorithms. In: SIAM Journal on Computing. Vol. 1 (1972), No. 2, P. 146-160.
[3] Robertson,Edward L. (1977) Code Generation for Short/Long Address Machines.

  • 标 题:答复
  • 作 者:forgot
  • 时 间:2010-08-06 23:24:04

贴个好一点的结果

代码:
558bec56575368000010006821af4000e8e0f7ffff2bc0a35daf4000a371af4000bea1ae4000ff75
08e821f7ffff400f841108000085c90f84d407000048894608894e0c5051e839f7ffff85c00f84b7
07000085c90f84af0700008906894e049666813e4d5a0f85970700008b463ca903000000751a3b05
adae4000731203f08935b1ae4000813e504500007502eb0a68e8a14000e97c070000837e28007402
eb0a689ca14000e96a07000066817e044c017502eb0a6875a34000e95607000066f7461600200f85
3007000066837e5c010f841e0700008b86f4000000a9000001007502eb0a6894a24000e926070000
85c00f85ef060000817e08465347217402eb0a6875a24000e90907000083be80000000000f84d406
000083bee8000000007502eb0a68a9a34000e9e70600000fb746148d443018a3b5ae40008338000f
84a20600008138555058300f84960600008b4634a3d5ae40008b463ca3c9ae40008b4638a3cdae40
008b4628a3d1ae40000fb75e06891dc5ae40008b15b5ae40008b0dc5ae4000496bc92801ca8b4214
034210e8e4fdffff8b0dadae40003bc876162bc88bf90305a1ae400051506885af4000e85df6ffff
8b4e50c1e102516849af4000e82cf6ffffff35adae40006835af4000e81cf6ffff8b3866c7074d5a
c7473c0c000000c7470c504500008b550c85d274248d4f02b40a813a7b73707d7502eb098a02423c
00740eeb05b02083c204880141fecc75e183c70c893db9ae4000c7470846534721a1d5ae40008947
34c7473c00020000c7475400020000c7477410000000a1cdae4000894738668b460466894704668b
461683c8016689471666c74706020066c74714e0008b461c89471c8b46208947208b46248947248b
462c89472c668b464066894740668b464266894742668b464466894744668b464666894746668b46
4866894748668b464a6689474a8b464c89474c8b46608947608b46648947648b46688947688b466c
89476c668b461866894718668b465c6689475c0fb747148d443818a3bdae40009383631400836310
00c74324e00000c0a1cdae400089430c8b4650e863fcffff89430803430ce858fcffffa3c1ae4000
894334c7433c00020000c7434ce00000c0c7472854010000832519af4000008b86a000000085c074
1150ffb6a400000068eba34000e832fbffff8b86c000000085c0742bff0519af4000e848fcffff97
6a18576801af4000e8e4f4ffffffb6c00000006a186813a44000e8fdfaffff8b86a800000085c074
1150ffb6ac00000068ffa34000e8e2faffff8b467885c0741e50ff767c6871af4000e891dcffffff
7678ff767c6827a44000e8bdfaffff8b35b1ae40000fb70dc5ae4000890dc5ae40008b8688000000
85c0740cffb68c00000050e8d1f6ffffe833ecffffa31daf40008b35b5ae40008b3d49af4000ff35
c5ae40008b46088b561085c075028bc285d2741b8bd88bc2e84ffbffff508b460ce881fbffff5057
e824f4ffff89d8e82ffbffff03f883c628ff0c2475c6592b3d49af400057ff3549af4000e809faff
ff893d55af40008b35b9ae40008b3d35af400081c7000200008b1dc1ae4000833d5daf400000742c
ff3561af4000ff355daf400057e8c7f3ffffa161af4000e8c4faffff899e8800000089868c000000
03f803d8f7451002000000753f833d71af4000007436891d79af40006871af4000e871e9ffffff35
7daf4000ff3571af400057e879f3ffffa17daf4000e876faffff895e7889467c03f803d8ff3595ae
40006a32e831daffff89d80305d5ae4000a3732d400068c82d4000ff3521af4000ff3555af400057
ff3549af4000e86945000083c414e82dfaffff03f803d8ff3599ae40006a32e8eed9ffff833d19af
40000074276a186801af400057e8fff2ffffb818000000e8fcf9ffff899ec00000008986c4000000
03f803d8899e80000000b881000000e8dcf9ffff8986840000008b15d5ae4000a1cdae400003c2a3
6f2d4000b84800000001d803c2a37f2d4000b82800000001d803c2a38b2d4000b84400000001d803
c2a39e2c4000c705832d400080000000c705872d4000007d0000a11daf400003c2a3772d4000be47
2d4000b88f2d4000bae80100008910badc010000895004bade0100008950088b15d1ae400089500c
8b15d5ae4000011001500401500801500c8d4010ba620000008910ba700000008950040118015804
2d472d400001d8890689461068810000005657e809f2ffff81c78100000089fb2b1d35af4000891d
41af400081eb00020000833d85af4000007448f7451001000000753f89d8b900020000e8e0f8ffff
8bd88b3d35af40008dbc3800020000ff3591af4000ff3585af400057e8b0f1ffff033d91af40002b
3d35af4000893d41af40008b35bdae4000895e3889d8e8a0f8ffff8946308b3db9ae400003463489
47508b3d35af400081c754010000be9c2c400068ab0000005657e862f1ffffbba1ae4000ff3541af
4000ff3535af4000ff33e84af1ffffff33ff7304e885f0ffff2bc05050ff3541af4000ff7308e824
380000ff7308e810380000ff7308e8c03700008b3595ae40008b1d99ae4000bf67124000566a34ff
d7ff35adae40006a3ee8f0d7ffff68f4010000e8ed370000536a34ffd7566a36ffd7ff3541af4000
6a40e8cfd7ffff68f4010000e8cc370000536a36ffd7566a38ffd76b0541af40006429d2f735adae
4000ba640000002bd0526847a14000ff3521af4000e8ef3700005883c408506a42ff3555ae4000e8
d13700006858020000e87f370000536a38ffd76a00eb6468cfa24000eb286882a14000eb216801a3
4000eb1a6838a34000eb1368afa14000eb0c6852a24000eb056835a24000bba1ae4000ff33ff7304
e881efffff2bc05050ff730cff7308e823370000ff7308e80f370000ff7308e8bf360000eb05681d
a24000bb6b2b40006849af4000ffd36835af4000ffd3685daf4000ffd36871af4000ffd36821af40
00ffd3585b5f5ec9c20c00