ReversingKr-wp(4)
2022-07-18 13:11:00 【fa1c4】
Twist1

The binary is packed with an unfamiliar packer, presumably a custom one, so it has to be unpacked manually. The ReadMe says it must run under x86, so I debug it in the 52pojie XP virtual machine.
Anti-debugging kicks in right at the start: after setting a breakpoint, an error is raised at call Twist1.00407059. The challenge lives up to its name and is truly twisted: a custom packer, anti-debugging, SMC, function integrity checks and code obfuscation, a setup close to real-world protection software.
The approach is to counter each trick as it comes up; single-step tracing cracks each layer of protection one by one.
Single-stepping without setting breakpoints shows that 0x00407059 is the key function. Following in, the next four instructions are SMC that decrypt code at run time; press F4 to run past the decryption and keep following. There are 4 such decryption segments in total, after which the function body is restored.
Having reached the OEP, the program can be dumped here so that the unpacked copy can be reloaded conveniently.
Going further down, call 0x00401270 is where the program takes input; after input the program hangs. Following in, there is a SetUnhandledExceptionFilter exception handler, part of the anti-debugging mechanism; nop out the check adc dl,byte ptr ds:[edx] and continue debugging.
Next, locate the key logic of the program.
The string handler is clearly 0x004012C6. Following in, there is another stretch of SMC decryption code before we finally reach the processing function. It can be dumped out here and analyzed in IDA, but reading the assembly directly is no problem either and is good practice for the basics.
Here 16 bytes of data are checked to verify function integrity, and there is a step that detects the system version.
Next come 3 anti-debug checks; nop out the failure conditions and keep following.
Another GetThreadContext anti-debugging check; nop out the failure jump and continue.
Then a hardware breakpoint check, again nop'd and passed without a second thought.
Finally, we arrive at the processing logic (finally!
But code obfuscation has been added as well; the control flow is very chaotic, and every call has to be followed into and analyzed.
Analyzing all the way through:
arr[0] rotated right by 6, compared with 0x49
arr[2] XOR 0x77, compared with 0x35
arr[1] XOR 0x20, compared with 0x69
arr[3] XOR 0x21, compared with 0x64
arr[4] XOR 0x46, compared with 0x8
arr[5] rotated left by 4, compared with 0x14
Write the inverse:
```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    /* Expected values after each check; unsigned so the rotates do not sign-extend. */
    unsigned char valid[] = {0x49, 0x69, 0x35, 0x64, 0x08, 0x14};
    unsigned char arr[7] = {0};
    arr[0] = (unsigned char)(valid[0] << 6 | valid[0] >> 2); /* undo ror 6 with rol 6 */
    arr[1] = valid[1] ^ 0x20;
    arr[2] = valid[2] ^ 0x77;
    arr[3] = valid[3] ^ 0x21;
    arr[4] = valid[4] ^ 0x46;
    arr[5] = (unsigned char)(valid[5] >> 4 | valid[5] << 4); /* undo rol 4 with ror 4 */
    printf("%s\n", arr); /* arr[6] stays 0 and terminates the string */
    return 0;
}
```
Done! Debugging took around 3h from start to finish. It is truly brutal: lots of anti-debugging, SMC, function integrity checks, and finally control-flow obfuscation and junk instructions layered onto the core code. Painful as it is, reversing it teaches plenty of skills.
(In reversing, the most important thing is patience)
Easy ELF
We get a zip file; extracting it reports an error, so the file format is suspected to be wrong.
Put it in Kali and run file on it:
It is a 32-bit ELF file.
Drag it into IDA, decompile and scan through all the functions, and find one that looks like the key function:
```c
_BOOL4 sub_8048451()
{
  if ( byte_804A021 != 49 )
    return 0;
  byte_804A020 ^= 0x34u;
  byte_804A022 ^= 0x32u;
  byte_804A023 ^= 0x88u;
  if ( byte_804A024 != 88 )
    return 0;
  if ( byte_804A025 )
    return 0;
  if ( byte_804A022 != 124 )
    return 0;
  if ( byte_804A020 == 120 )
    return byte_804A023 == -35;
  return 0;
}
```
Reading the assembly of main, it calls sub_8038434 and sub_8048451 in turn and then branches to the wrong and correct messages, which shows that these two are the key functions.
Write a script:
```python
# Invert the checks in sub_8048451: bytes 21, 24 and 25 are compared directly,
# bytes 20, 22 and 23 are XORed before the comparison, so XOR again to undo it.
Byte21 = 49
Byte20 = 120 ^ 0x34
Byte22 = 124 ^ 0x32
Byte23 = (-35 & 0xff) ^ 0x88  # -35 is the signed view of the byte 0xDD
Byte24 = 88
Byte25 = 0                    # string terminator, so it is not part of the flag
flag = chr(Byte20) + chr(Byte21) + chr(Byte22) + chr(Byte23) + chr(Byte24)
print(flag)
```
WindowsKernel

Not packed. Drag it into IDA: the program structure is not complicated and no encryption is applied; a key string can be seen in sub_401110:
```c
HWND __thiscall sub_401110(HWND hDlg)
{
  HWND result; // eax
  HWND v3; // eax
  HWND v4; // eax
  HWND v5; // eax
  WCHAR String[256]; // [esp+8h] [ebp-204h] BYREF

  GetDlgItemTextW(hDlg, 1003, String, 512);
  if ( lstrcmpW(String, L"Enable") )
  {
    result = (HWND)lstrcmpW(String, L"Check");
    if ( !result )
    {
      if ( sub_401280(0x2000) == 1 )
        MessageBoxW(hDlg, L"Correct!", L"Reversing.Kr", 0x40u);
      else
        MessageBoxW(hDlg, L"Wrong", L"Reversing.Kr", 0x10u);
      SetDlgItemTextW(hDlg, 1002, &word_4021F0);
      v5 = GetDlgItem(hDlg, 1002);
      EnableWindow(v5, 0);
      result = (HWND)SetDlgItemTextW(hDlg, 1003, L"Enable");
    }
  }
  else if ( sub_401280(4096) )
  {
    v3 = GetDlgItem(hDlg, 1002);
    EnableWindow(v3, 1);
    SetDlgItemTextW(hDlg, 1003, L"Check");
    SetDlgItemTextW(hDlg, 1002, &word_4021F0);
    v4 = GetDlgItem(hDlg, 1002);
    result = SetFocus(v4);
  }
  else
  {
    result = (HWND)MessageBoxW(hDlg, L"Device Error", L"Reversing.Kr", 0x10u);
  }
  return result;
}
```
Go into sub_401280 for analysis:
```c
int __usercall sub_401280@<eax>(HWND a1@<edi>, DWORD dwIoControlCode)
{
  HANDLE v2; // esi
  int result; // eax
  DWORD BytesReturned; // [esp+4h] [ebp-8h] BYREF
  int OutBuffer; // [esp+8h] [ebp-4h] BYREF

  v2 = CreateFileW(L"\\\\.\\RevKr", 0xC0000000, 0, 0, 3u, 0, 0);
  if ( v2 == (HANDLE)-1 )
  {
    MessageBoxW(a1, L"[Error] CreateFile", L"Reversing.Kr", 0x10u);
    result = 0;
  }
  else if ( DeviceIoControl(v2, dwIoControlCode, 0, 0, &OutBuffer, 4u, &BytesReturned, 0) )
  {
    CloseHandle(v2);
    result = OutBuffer;
  }
  else
  {
    MessageBoxW(a1, L"[Error] DeviceIoControl", L"Reversing.Kr", 0x10u);
    result = 0;
  }
  return result;
}
```
The result depends on the DeviceIoControl call, which talks to WinKer.sys; this is Windows driver territory, so analyze the sys file:
```c
NTSTATUS __stdcall DriverEntry(_DRIVER_OBJECT *DriverObject, PUNICODE_STRING RegistryPath)
{
  NTSTATUS result; // eax
  int v3; // edi
  PDEVICE_OBJECT v4; // ecx
  char *v5; // et1
  char *v6; // et1
  char *v7; // et1
  char v8; // al
  struct _KDPC *v9; // esi
  char *v10; // et1
  struct _UNICODE_STRING DestinationString; // [esp+Ch] [ebp-134h] BYREF
  union _LARGE_INTEGER Interval; // [esp+14h] [ebp-12Ch] BYREF
  PDEVICE_OBJECT DeviceObject; // [esp+1Ch] [ebp-124h] BYREF
  PVOID P; // [esp+20h] [ebp-120h]
  CCHAR Number[4]; // [esp+24h] [ebp-11Ch]
  struct _OSVERSIONINFOW VersionInformation; // [esp+28h] [ebp-118h] BYREF

  DbgSetDebugFilterState(0x65u, 3u, 1u);
  DbgPrint("Driver Load!! \n");
  DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_1131C;
  dword_13030 = 0;
  VersionInformation.dwOSVersionInfoSize = 276;
  if ( RtlGetVersion(&VersionInformation) )
  {
    MajorVersion = VersionInformation.dwMajorVersion;
    MinorVersion = VersionInformation.dwMinorVersion;
  }
  else
  {
    PsGetVersion(&MajorVersion, &MinorVersion, 0, 0);
  }
  RtlInitUnicodeString(&DestinationString, "\\");
  P = (PVOID)IoCreateDevice(DriverObject, 4u, &DestinationString, 0x22u, 0, 0, &DeviceObject);
  if ( (int)P >= 0 )
  {
    RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\RevKr");
    v3 = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString);
    if ( v3 >= 0 )
    {
      v4 = DeviceObject;
      DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_11288;
      DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)sub_112F8;
      DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)sub_112F8;
      *(_DWORD *)v4->DeviceExtension = 0;
      SystemArgument2 = DeviceObject->DeviceExtension;
      *(_DWORD *)SystemArgument2 = DeviceObject;
      v5 = *(char **)&KeNumberProcessors;
      ::P = ExAllocatePool(NonPagedPool, 4 * *v5);
      KeInitializeDpc(&DeviceObject->Dpc, sub_11266, DeviceObject);
      v6 = *(char **)&KeNumberProcessors;
      P = ExAllocatePool(NonPagedPool, 32 * *v6);
      if ( P )
      {
        v7 = *(char **)&KeNumberProcessors;
        Interval.QuadPart = -10000000i64;
        v8 = *v7;
        Number[0] = 0;
        if ( v8 > 0 )
        {
          do
          {
            v9 = (struct _KDPC *)((char *)P + 32 * Number[0]);
            KeInitializeDpc(v9, sub_113E8, 0);
            KeSetTargetProcessorDpc(v9, Number[0]);
            KeInsertQueueDpc(v9, 0, 0);
            KeDelayExecutionThread(0, 0, &Interval);
            v10 = *(char **)&KeNumberProcessors;
            ++Number[0];
          }
          while ( Number[0] < *v10 );
        }
        ExFreePoolWithTag(P, 0);
      }
      result = 0;
    }
    else
    {
      IoDeleteDevice(DriverObject->DeviceObject);
      result = v3;
    }
  }
  else
  {
    DbgPrint("IoCreateDevice Error\n");
    result = (NTSTATUS)P;
  }
  return result;
}
```
From Windows system programming experience, DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)sub_11288; together with KeInitializeDpc will start a thread to execute the target function; follow in and analyze sub_11288:
```c
int __stdcall sub_11288(int a1, PIRP Irp)
{
  int v2; // edx
  struct _IRP *v3; // eax

  v2 = *(_DWORD *)(Irp->Tail.Overlay.PacketType + 12);
  v3 = Irp->AssociatedIrp.MasterIrp;
  if ( v2 == 4096 ) // 0x1000
  {
    *(_DWORD *)&v3->Type = 1;
    dword_13030 = 1;
    dword_13034 = 0;
    dword_13024 = 0;
    dword_1300C = 0;
  }
  else if ( v2 == 0x2000 )
  {
    dword_13030 = 0;
    *(_DWORD *)&v3->Type = dword_13024;
  }
  Irp->IoStatus.Status = 0;
  Irp->IoStatus.Information = 4;
  IofCompleteRequest(Irp, 0);
  return 0;
}
```
According to the check in WindowsKernel.exe, sub_401280(0x2000) == 1, the control code passed in here is 0x2000, so only the v2 == 0x2000 branch needs examining: dword_13030 is set to 0 and the IRP's output buffer receives dword_13024. Then look at sub_11266:
```c
void __stdcall sub_11266(struct _KDPC *Dpc, PVOID DeferredContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
  char v4; // al

  v4 = READ_PORT_UCHAR((PUCHAR)0x60);
  sub_111DC(v4);
}
```
Again from Windows system programming experience: this driver routine reads from port 0x60, the keyboard data port, and saves the byte in v4. Analyze sub_111DC and the functions inside it that determine result:
```c
int __stdcall sub_111DC(char a1)
{
  int result; // eax
  bool v2; // zf

  result = 1;
  if ( dword_1300C != 1 )
  {
    switch ( dword_13034 )
    {
      case 0:
      case 2:
      case 4:
      case 6:
        goto LABEL_3;
      case 1:
        v2 = a1 == -91;
        goto LABEL_6;
      case 3:
        v2 = a1 == -110;
        goto LABEL_6;
      case 5:
        v2 = a1 == -107;
LABEL_6:
        if ( !v2 )
          goto LABEL_7;
LABEL_3:
        ++dword_13034;
        break;
      case 7:
        if ( a1 == -80 )
          dword_13034 = 100;
        else
LABEL_7:
          dword_1300C = 1;
        break;
      default:
        result = sub_11156(a1);
        break;
    }
  }
  return result;
}
```
Continue analyzing sub_11156 and the function it calls next:
```c
int __stdcall sub_11156(char a1)
{
  int result; // eax
  bool v2; // zf
  char v3; // [esp+8h] [ebp+8h]

  v3 = a1 ^ 0x12;
  result = dword_13034 - 100;
  switch ( dword_13034 )
  {
    case 'd':
    case 'f':
    case 'h':
    case 'j':
      goto LABEL_2;
    case 'e':
      v2 = v3 == -78;
      goto LABEL_4;
    case 'g':
      v2 = v3 == -123;
      goto LABEL_4;
    case 'i':
      v2 = v3 == -93;
LABEL_4:
      if ( !v2 )
        goto LABEL_5;
LABEL_2:
      ++dword_13034;
      break;
    case 'k':
      if ( v3 == -122 )
        dword_13034 = 200;
      else
LABEL_5:
        dword_1300C = 1;
      break;
    default:
      result = sub_110D0(v3);
      break;
  }
  return result;
}
```
```c
int __stdcall sub_110D0(char a1)
{
  int result; // eax
  char v2; // cl
  bool v3; // zf

  result = dword_13034 - 200;
  v2 = a1 ^ 5;
  switch ( dword_13034 )
  {
    case 200:
    case 202:
    case 204:
    case 206:
      goto LABEL_2;
    case 201:
      v3 = v2 == -76;
      goto LABEL_4;
    case 203:
    case 205:
      v3 = v2 == -113;
LABEL_4:
      if ( v3 )
        goto LABEL_2;
      goto LABEL_10;
    case 207:
      if ( v2 != -78 )
        goto LABEL_10;
      dword_13024 = 1;
LABEL_2:
      ++dword_13034;
      break;
    case 208:
      dword_13024 = 0;
LABEL_10:
      dword_1300C = 1;
      break;
    default:
      return result;
  }
  return result;
}
```
dword_13034 starts at 0, so combined with a scan code table the keyboard input can be recovered from the bytes each stage requires: stage 1 [0xA5, 0x92, 0x95, 0xB0]; stage 2 [0xB2, 0x85, 0xA3, 0x86] XOR 0x12; stage 3 [0xB4, 0x8F, 0x8F, 0xB2] XOR 0x12 XOR 0x05.
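To make the three switches above concrete, here is an added example (mine, not code from the writeup or from WinKer.sys) that models the driver's state machine in Python and then carries the scan-code lookup through for the bytes listed; the class and function names and the scan code set 1 table are my additions, the globals keep their IDA names.

```python
# Added example (mine, not the writeup's): a model of the three-stage scan-code state machine in
# sub_111DC / sub_11156 / sub_110D0. Each STAGES entry: the XOR mask applied to the port-0x60
# byte, then the break codes that stage's switch expects. Class and function names are chosen here.
STAGES = [
    (0x00, [0xA5, 0x92, 0x95, 0xB0]),  # sub_111DC compares a1 directly
    (0x12, [0xB2, 0x85, 0xA3, 0x86]),  # sub_11156 compares a1 ^ 0x12
    (0x17, [0xB4, 0x8F, 0x8F, 0xB2]),  # sub_110D0 compares (a1 ^ 0x12) ^ 0x05
]
# Scan code set 1 make codes for the letters involved (keyboard fact, not taken from the page).
SCANCODE_SET1 = {0x12: "E", 0x14: "T", 0x15: "Y", 0x17: "I", 0x18: "O",
                 0x20: "D", 0x23: "H", 0x25: "K", 0x30: "B", 0x31: "N"}
class KeyStateMachine:
    # dword_13034 = state, dword_1300C = error latch, dword_13024 = value returned via IOCTL 0x2000
    def __init__(self):  # IOCTL 0x1000 ("Enable") zeroes all three
        self.dword_13034 = 0
        self.dword_1300C = 0
        self.dword_13024 = 0

    def feed(self, byte):
        if self.dword_1300C == 1:  # after one mismatch every later byte is ignored
            return
        stage, pos = divmod(self.dword_13034, 100)  # 0..7, 100..107, 200..208
        if pos == 8:  # state 208: any byte after success clears the result again
            self.dword_13024 = 0
            self.dword_1300C = 1
        elif pos % 2 == 0:  # even states (make codes) advance unchecked
            self.dword_13034 += 1
        elif (byte ^ STAGES[stage][0]) != STAGES[stage][1][pos // 2]:
            self.dword_1300C = 1  # odd states: the break code must match
        elif pos < 7:
            self.dword_13034 += 1
        elif stage < 2:
            self.dword_13034 = (stage + 1) * 100  # 7 -> 100, 107 -> 200
        else:
            self.dword_13024 = 1  # 207 -> 208 with the success flag set
            self.dword_13034 += 1

def decode_expected_keys():
    # undo each stage's XOR and strip the break bit 0x80 to get the letters the driver expects
    return "".join(SCANCODE_SET1[(c ^ m) & 0x7F] for m, codes in STAGES for c in codes)

def typed_sequence():
    # constructed port-0x60 stream: make code followed by break code for every expected key
    return [b for m, codes in STAGES for c in codes for b in ((c ^ m) & 0x7F, c ^ m)]

def check(stream):  # run the model over a byte stream; returns what IOCTL 0x2000 hands back
    m = KeyStateMachine()
    for b in stream: m.feed(b)
    return m.dword_13024
```

Note that only the odd states compare anything, so the driver effectively verifies the release codes, and a single stray key event after the last match (state 208) resets the result to 0.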