Contents
There is a file named such_evil.
Looking at the hex shows it starts with MZ.
DIE (Detect It Easy) identifies it as a PE32 exe written in C.
The compiler is Tiny C.
For this challenge I mainly used static analysis, in order to practice IDAPython.
Analysis
In start there is a line Code = sub_401000(v4, v3, v2);
sub_401000 cannot be decompiled because it contains a call eax.
So I ran it in x64dbg and found that eax is 0x19FD33.
Dump
Before the call eax,
go to Memory Map,
find the region at 19B000 with size 5000 (the one containing the shellcode that eax points into),
Dump memory to file.
Then load the .bin into IDA,
remembering to set the offset to 19B000.
After that it can be taken apart step by step.
Scripts
# Pass 1: single-byte XOR (key 0x66) over 0x1df bytes starting at 0x19fd54
import ida_bytes

start_address = 0x19fd54
key = 0x66
length = 0x1df
while length > 0:
    origin_byte = ida_bytes.get_byte(start_address)
    origin_byte ^= key
    ida_bytes.patch_byte(start_address, origin_byte)
    start_address += 1
    length -= 1
print("Patch Done")

# Pass 2: repeating-key XOR with "nopasaurus" over 0x19fda7..0x19ff33 (inclusive)
import ida_bytes

start_address = 0x19fda7
end_address = 0x19ff33 + 1
key = b"nopasaurus"
point = 0
for i in range(start_address, end_address):
    original_byte = ida_bytes.get_byte(i)
    original_byte ^= key[point]
    ida_bytes.patch_byte(i, original_byte)
    point = (point + 1) % len(key)  # key is 10 (0xa) bytes long
print("Patch Done")

# Pass 3: dword XOR with 0x476C4F62 over 0x138 bytes starting at 0x19fddd + 0x1e
import ida_bytes

base_addr = 0x19fddd + 0x1e
length = 0x138
key = 0x476C4F62
while length > 0:
    dword = ida_bytes.get_wide_dword(base_addr)
    dword ^= key
    ida_bytes.patch_dword(base_addr, dword)
    base_addr += 4
    length -= 4
print("Patch Done")

# Pass 4: repeating-key XOR with "omg is it almost over?!?" over 0x19fe5d..0x19ff32
import ida_bytes

key = b"omg is it almost over?!?"
point = 0
start_address = 0x19fe5d
end_address = 0x19ff33
for i in range(start_address, end_address):
    origin_byte = ida_bytes.get_byte(i)
    origin_byte ^= key[point]
    ida_bytes.patch_byte(i, origin_byte)
    point = (point + 1) % len(key)  # key is 24 bytes long
print("Patch Done")
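The same four XOR passes can be replayed outside IDA, directly on the dumped .bin, which is handy for re-checking the layer boundaries or handing the decoded shellcode to another tool. This is an added example written for this writeup, not the author's script; function names are my own, and it assumes the dump file begins exactly at VA 0x19B000 (so file offset 0 is VA 0x19B000) as described in the Dump section.

```python
# Added example: replay the four IDAPython XOR passes on the raw memory dump.
# Assumption: the .bin was dumped from the region starting at 0x19B000,
# so file offset = VA - 0x19B000.
DUMP_BASE = 0x19B000


def va_to_off(va):
    return va - DUMP_BASE


def xor_single(buf, va, length, key):
    # Pass 1: one-byte key applied to `length` consecutive bytes
    for off in range(va_to_off(va), va_to_off(va) + length):
        buf[off] ^= key


def xor_repeating(buf, va_start, va_end, key):
    # Passes 2 and 4: key index advances one per byte and wraps at len(key)
    for i, off in enumerate(range(va_to_off(va_start), va_to_off(va_end))):
        buf[off] ^= key[i % len(key)]


def xor_dword(buf, va, length, key):
    # Pass 3: 32-bit key XORed into little-endian dwords, 4 bytes at a time
    for off in range(va_to_off(va), va_to_off(va) + length, 4):
        dword = int.from_bytes(buf[off:off + 4], "little") ^ key
        buf[off:off + 4] = dword.to_bytes(4, "little")


def decode_layers(buf):
    # Same parameters and order as the four scripts above; XOR layers
    # overlap, so applying decode_layers twice restores the input
    xor_single(buf, 0x19fd54, 0x1df, 0x66)
    xor_repeating(buf, 0x19fda7, 0x19ff33 + 1, b"nopasaurus")
    xor_dword(buf, 0x19fddd + 0x1e, 0x138, 0x476C4F62)
    xor_repeating(buf, 0x19fe5d, 0x19ff33, b"omg is it almost over?!?")
    return buf


def decode_dump(in_path, out_path):
    # Read the 0x5000-byte dump, decode in place, write the decoded copy
    with open(in_path, "rb") as f:
        buf = bytearray(f.read())
    decode_layers(buf)
    with open(out_path, "wb") as f:
        f.write(buf)
    return len(buf)


if __name__ == "__main__":
    import sys
    decode_dump(sys.argv[1], sys.argv[2])
```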