vm

A VM on Windows
Second blood.
Drop the binary into IDA and you can immediately see a SIMD-optimized RC4_init. Just read the single-byte part below it; the optimized part above only fast-paths whole 16-byte blocks, while the part below handles the remainder after the last multiple of 16 bytes.
2024-12-06T06:14:38.png

Then inside sub_140001970 is the optimized, unrolled RC4.
2024-12-06T06:14:48.png
At the end the program prints this directly. We find that the RC4 key is passed into this function, and this function checks whether the key is correct.
2024-12-06T06:15:00.png
This function is a standard stack VM.
2024-12-06T06:15:11.png
So we start debugging right away and find the following key points:
2024-12-06T06:15:21.png
2024-12-06T06:15:25.png
2024-12-06T06:15:30.png
VM_sub and VM_div are never called, so we ignore them; what gets called is VM_Add.
Then set breakpoints in x64dbg and log the output.
Input a set of test data:

abcdefghijklmnopqrstuvwxyzABCDEF

We can trace out the following result:

INT3 breakpoint at secret_box.00007FF77B1820E3!
1 = (61 >> 0) & 1
2 = 1 * 2
0 = (61 >> 1) & 1
0 = 0 * 3
0 = (61 >> 2) & 1
0 = 0 * 43
0 = (61 >> 3) & 1
0 = 0 * 25
0 = (61 >> 4) & 1
0 = 0 * 29
1 = (61 >> 5) & 1
B = 1 * B
1 = (61 >> 6) & 1
D = 1 * D
0 = (61 >> 7) & 1
0 = 0 * 59
D = D + 0
18 = B + D
18 = 0 + 18
18 = 0 + 18
18 = 0 + 18
18 = 0 + 18
1A = 2 + 18
5C = 1A ^ 46
0 = (62 >> 0) & 1
0 = 0 * 2
1 = (62 >> 1) & 1
3 = 1 * 3
0 = (62 >> 2) & 1
0 = 0 * 43
0 = (62 >> 3) & 1
0 = 0 * 5
0 = (62 >> 4) & 1
0 = 0 * 7
1 = (62 >> 5) & 1
2F = 1 * 2F
1 = (62 >> 6) & 1
3D = 1 * 3D
0 = (62 >> 7) & 1
0 = 0 * 1D
3D = 3D + 0
6C = 2F + 3D
6C = 0 + 6C
6C = 0 + 6C
6C = 0 + 6C
6F = 3 + 6C
6F = 0 + 6F
57 = 6F ^ 38
1 = (63 >> 0) & 1
2 = 1 * 2
1 = (63 >> 1) & 1
43 = 1 * 43
0 = (63 >> 2) & 1
0 = 0 * 25
0 = (63 >> 3) & 1
0 = 0 * 7
0 = (63 >> 4) & 1
0 = 0 * 2B
1 = (63 >> 5) & 1
B = 1 * B
1 = (63 >> 6) & 1
D = 1 * D
0 = (63 >> 7) & 1
0 = 0 * 1F
D = D + 0
18 = B + D
18 = 0 + 18
18 = 0 + 18
18 = 0 + 18
5B = 43 + 18
5D = 2 + 5B
1B = 5D ^ 46
0 = (64 >> 0) & 1
0 = 0 * 61
0 = (64 >> 1) & 1
0 = 0 * 3
1 = (64 >> 2) & 1
29 = 1 * 29
0 = (64 >> 3) & 1
0 = 0 * 49
0 = (64 >> 4) & 1
0 = 0 * B
1 = (64 >> 5) & 1
D = 1 * D
1 = (64 >> 6) & 1
35 = 1 * 35
0 = (64 >> 7) & 1
0 = 0 * 1D
35 = 35 + 0
42 = D + 35
42 = 0 + 42
42 = 0 + 42
6B = 29 + 42
6B = 0 + 6B
6B = 0 + 6B
26 = 6B ^ 4D
1 = (65 >> 0) & 1
61 = 1 * 61
0 = (65 >> 1) & 1
0 = 0 * 43
1 = (65 >> 2) & 1
3 = 1 * 3
0 = (65 >> 3) & 1
0 = 0 * B
0 = (65 >> 4) & 1
0 = 0 * 2B
1 = (65 >> 5) & 1
D = 1 * D
1 = (65 >> 6) & 1
2F = 1 * 2F
0 = (65 >> 7) & 1
0 = 0 * 53
2F = 2F + 0
3C = D + 2F
3C = 0 + 3C
3C = 0 + 3C
3F = 3 + 3C
3F = 0 + 3F
A0 = 61 + 3F
EA = A0 ^ 4A
0 = (66 >> 0) & 1
0 = 0 * 43
1 = (66 >> 1) & 1
5 = 1 * 5
1 = (66 >> 2) & 1
25 = 1 * 25
0 = (66 >> 3) & 1
0 = 0 * 47
0 = (66 >> 4) & 1
0 = 0 * 7
1 = (66 >> 5) & 1
B = 1 * B
1 = (66 >> 6) & 1
59 = 1 * 59
0 = (66 >> 7) & 1
0 = 0 * 1D
59 = 59 + 0
64 = B + 59
64 = 0 + 64
64 = 0 + 64
89 = 25 + 64
8E = 5 + 89
8E = 0 + 8E
D4 = 8E ^ 5A
1 = (67 >> 0) & 1
2 = 1 * 2
1 = (67 >> 1) & 1
3 = 1 * 3
1 = (67 >> 2) & 1
5 = 1 * 5
0 = (67 >> 3) & 1
0 = 0 * B
0 = (67 >> 4) & 1
0 = 0 * D
1 = (67 >> 5) & 1
53 = 1 * 53
1 = (67 >> 6) & 1
35 = 1 * 35
0 = (67 >> 7) & 1
0 = 0 * 3D
35 = 35 + 0
88 = 53 + 35
88 = 0 + 88
88 = 0 + 88
8D = 5 + 88
90 = 3 + 8D
92 = 2 + 90
C5 = 92 ^ 57
0 = (68 >> 0) & 1
0 = 0 * 2
0 = (68 >> 1) & 1
0 = 0 * 3
0 = (68 >> 2) & 1
0 = 0 * 7
1 = (68 >> 3) & 1
47 = 1 * 47
0 = (68 >> 4) & 1
0 = 0 * 2B
1 = (68 >> 5) & 1
53 = 1 * 53
1 = (68 >> 6) & 1
1D = 1 * 1D
0 = (68 >> 7) & 1
0 = 0 * 1F
1D = 1D + 0
70 = 53 + 1D
70 = 0 + 70
B7 = 47 + 70
B7 = 0 + B7
B7 = 0 + B7
B7 = 0 + B7
E5 = B7 ^ 52
1 = (69 >> 0) & 1
7 = 1 * 7
0 = (69 >> 1) & 1
0 = 0 * 49
0 = (69 >> 2) & 1
0 = 0 * B
1 = (69 >> 3) & 1
D = 1 * D
0 = (69 >> 4) & 1
0 = 0 * 35
1 = (69 >> 5) & 1
59 = 1 * 59
1 = (69 >> 6) & 1
1D = 1 * 1D
0 = (69 >> 7) & 1
0 = 0 * 1F
1D = 1D + 0
76 = 59 + 1D
76 = 0 + 76
83 = D + 76
83 = 0 + 83
83 = 0 + 83
8A = 7 + 83
B6 = 8A ^ 3C
0 = (6A >> 0) & 1
0 = 0 * 2
1 = (6A >> 1) & 1
3 = 1 * 3
0 = (6A >> 2) & 1
0 = 0 * 5
1 = (6A >> 3) & 1
25 = 1 * 25
0 = (6A >> 4) & 1
0 = 0 * 7
1 = (6A >> 5) & 1
2B = 1 * 2B
1 = (6A >> 6) & 1
D = 1 * D
0 = (6A >> 7) & 1
0 = 0 * 3D
D = D + 0
38 = 2B + D
38 = 0 + 38
5D = 25 + 38
5D = 0 + 5D
60 = 3 + 5D
60 = 0 + 60
23 = 60 ^ 43
1 = (6B >> 0) & 1
2 = 1 * 2
1 = (6B >> 1) & 1
5 = 1 * 5
0 = (6B >> 2) & 1
0 = 0 * 7
1 = (6B >> 3) & 1
2B = 1 * 2B
0 = (6B >> 4) & 1
0 = 0 * B
1 = (6B >> 5) & 1
D = 1 * D
1 = (6B >> 6) & 1
35 = 1 * 35
0 = (6B >> 7) & 1
0 = 0 * 59
35 = 35 + 0
42 = D + 35
42 = 0 + 42
6D = 2B + 42
6D = 0 + 6D
72 = 5 + 6D
74 = 2 + 72
22 = 74 ^ 56
0 = (6C >> 0) & 1
0 = 0 * 5
0 = (6C >> 1) & 1
0 = 0 * 7
1 = (6C >> 2) & 1
49 = 1 * 49
1 = (6C >> 3) & 1
2B = 1 * 2B
0 = (6C >> 4) & 1
0 = 0 * B
1 = (6C >> 5) & 1
D = 1 * D
1 = (6C >> 6) & 1
3B = 1 * 3B
0 = (6C >> 7) & 1
0 = 0 * 1F
3B = 3B + 0
48 = D + 3B
48 = 0 + 48
73 = 2B + 48
BC = 49 + 73
BC = 0 + BC
BC = 0 + BC
E3 = BC ^ 5F
1 = (6D >> 0) & 1
3 = 1 * 3
0 = (6D >> 1) & 1
0 = 0 * 5
1 = (6D >> 2) & 1
49 = 1 * 49
1 = (6D >> 3) & 1
29 = 1 * 29
0 = (6D >> 4) & 1
0 = 0 * 2B
1 = (6D >> 5) & 1
D = 1 * D
1 = (6D >> 6) & 1
53 = 1 * 53
0 = (6D >> 7) & 1
0 = 0 * 59
53 = 53 + 0
60 = D + 53
60 = 0 + 60
89 = 29 + 60
D2 = 49 + 89
D2 = 0 + D2
D5 = 3 + D2
95 = D5 ^ 40
0 = (6E >> 0) & 1
0 = 0 * 2
1 = (6E >> 1) & 1
7 = 1 * 7
1 = (6E >> 2) & 1
47 = 1 * 47
1 = (6E >> 3) & 1
B = 1 * B
0 = (6E >> 4) & 1
0 = 0 * 2B
1 = (6E >> 5) & 1
D = 1 * D
1 = (6E >> 6) & 1
1D = 1 * 1D
0 = (6E >> 7) & 1
0 = 0 * 3D
1D = 1D + 0
2A = D + 1D
2A = 0 + 2A
35 = B + 2A
7C = 47 + 35
83 = 7 + 7C
83 = 0 + 83
DD = 83 ^ 5E
1 = (6F >> 0) & 1
2 = 1 * 2
1 = (6F >> 1) & 1
5 = 1 * 5
1 = (6F >> 2) & 1
7 = 1 * 7
1 = (6F >> 3) & 1
B = 1 * B
0 = (6F >> 4) & 1
0 = 0 * D
1 = (6F >> 5) & 1
4F = 1 * 4F
1 = (6F >> 6) & 1
2F = 1 * 2F
0 = (6F >> 7) & 1
0 = 0 * 53
2F = 2F + 0
7E = 4F + 2F
7E = 0 + 7E
89 = B + 7E
90 = 7 + 89
95 = 5 + 90
97 = 2 + 95
C2 = 97 ^ 55
0 = (70 >> 0) & 1
0 = 0 * 3
0 = (70 >> 1) & 1
0 = 0 * 43
0 = (70 >> 2) & 1
0 = 0 * 25
0 = (70 >> 3) & 1
0 = 0 * 5
1 = (70 >> 4) & 1
49 = 1 * 49
1 = (70 >> 5) & 1
B = 1 * B
1 = (70 >> 6) & 1
D = 1 * D
0 = (70 >> 7) & 1
0 = 0 * 3D
D = D + 0
18 = B + D
61 = 49 + 18
61 = 0 + 61
61 = 0 + 61
61 = 0 + 61
61 = 0 + 61
23 = 61 ^ 42
1 = (71 >> 0) & 1
2 = 1 * 2
0 = (71 >> 1) & 1
0 = 0 * 43
0 = (71 >> 2) & 1
0 = 0 * 5
0 = (71 >> 3) & 1
0 = 0 * 7
1 = (71 >> 4) & 1
47 = 1 * 47
1 = (71 >> 5) & 1
B = 1 * B
1 = (71 >> 6) & 1
D = 1 * D
0 = (71 >> 7) & 1
0 = 0 * 3D
D = D + 0
18 = B + D
5F = 47 + 18
5F = 0 + 5F
5F = 0 + 5F
5F = 0 + 5F
61 = 2 + 5F
40 = 61 ^ 21
0 = (72 >> 0) & 1
0 = 0 * 43
1 = (72 >> 1) & 1
3 = 1 * 3
0 = (72 >> 2) & 1
0 = 0 * 5
0 = (72 >> 3) & 1
0 = 0 * 25
1 = (72 >> 4) & 1
2B = 1 * 2B
1 = (72 >> 5) & 1
B = 1 * B
1 = (72 >> 6) & 1
D = 1 * D
0 = (72 >> 7) & 1
0 = 0 * 3D
D = D + 0
18 = B + D
43 = 2B + 18
43 = 0 + 43
43 = 0 + 43
46 = 3 + 43
46 = 0 + 46
3 = 46 ^ 45
1 = (73 >> 0) & 1
2 = 1 * 2
1 = (73 >> 1) & 1
3 = 1 * 3
0 = (73 >> 2) & 1
0 = 0 * 25
0 = (73 >> 3) & 1
0 = 0 * 7
1 = (73 >> 4) & 1
47 = 1 * 47
1 = (73 >> 5) & 1
29 = 1 * 29
1 = (73 >> 6) & 1
B = 1 * B
0 = (73 >> 7) & 1
0 = 0 * 1D
B = B + 0
34 = 29 + B
7B = 47 + 34
7B = 0 + 7B
7B = 0 + 7B
7E = 3 + 7B
80 = 2 + 7E
C0 = 80 ^ 40
0 = (74 >> 0) & 1
0 = 0 * 3
0 = (74 >> 1) & 1
0 = 0 * 5
1 = (74 >> 2) & 1
29 = 1 * 29
0 = (74 >> 3) & 1
0 = 0 * B
1 = (74 >> 4) & 1
2B = 1 * 2B
1 = (74 >> 5) & 1
2F = 1 * 2F
1 = (74 >> 6) & 1
35 = 1 * 35
0 = (74 >> 7) & 1
0 = 0 * 1D
35 = 35 + 0
64 = 2F + 35
8F = 2B + 64
8F = 0 + 8F
B8 = 29 + 8F
B8 = 0 + B8
B8 = 0 + B8
DA = B8 ^ 62
1 = (75 >> 0) & 1
2 = 1 * 2
0 = (75 >> 1) & 1
0 = 0 * 3
1 = (75 >> 2) & 1
7 = 1 * 7
0 = (75 >> 3) & 1
0 = 0 * 47
1 = (75 >> 4) & 1
2B = 1 * 2B
1 = (75 >> 5) & 1
D = 1 * D
1 = (75 >> 6) & 1
2F = 1 * 2F
0 = (75 >> 7) & 1
0 = 0 * 4F
2F = 2F + 0
3C = D + 2F
67 = 2B + 3C
67 = 0 + 67
6E = 7 + 67
6E = 0 + 6E
70 = 2 + 6E
33 = 70 ^ 43
0 = (76 >> 0) & 1
0 = 0 * 2
1 = (76 >> 1) & 1
3 = 1 * 3
1 = (76 >> 2) & 1
5 = 1 * 5
0 = (76 >> 3) & 1
0 = 0 * 25
1 = (76 >> 4) & 1
B = 1 * B
1 = (76 >> 5) & 1
2B = 1 * 2B
1 = (76 >> 6) & 1
D = 1 * D
0 = (76 >> 7) & 1
0 = 0 * 4F
D = D + 0
38 = 2B + D
43 = B + 38
43 = 0 + 43
48 = 5 + 43
4B = 3 + 48
4B = 0 + 4B
C = 4B ^ 47
1 = (77 >> 0) & 1
61 = 1 * 61
1 = (77 >> 1) & 1
43 = 1 * 43
1 = (77 >> 2) & 1
5 = 1 * 5
0 = (77 >> 3) & 1
0 = 0 * 25
1 = (77 >> 4) & 1
7 = 1 * 7
1 = (77 >> 5) & 1
29 = 1 * 29
1 = (77 >> 6) & 1
B = 1 * B
0 = (77 >> 7) & 1
0 = 0 * 3D
B = B + 0
34 = 29 + B
3B = 7 + 34
3B = 0 + 3B
40 = 5 + 3B
83 = 43 + 40
E4 = 61 + 83
BA = E4 ^ 5E
0 = (78 >> 0) & 1
0 = 0 * 3
0 = (78 >> 1) & 1
0 = 0 * 47
0 = (78 >> 2) & 1
0 = 0 * 7
1 = (78 >> 3) & 1
2B = 1 * 2B
1 = (78 >> 4) & 1
B = 1 * B
1 = (78 >> 5) & 1
4F = 1 * 4F
1 = (78 >> 6) & 1
35 = 1 * 35
0 = (78 >> 7) & 1
0 = 0 * 3D
35 = 35 + 0
84 = 4F + 35
8F = B + 84
BA = 2B + 8F
BA = 0 + BA
BA = 0 + BA
BA = 0 + BA
E7 = BA ^ 5D
1 = (79 >> 0) & 1
2 = 1 * 2
0 = (79 >> 1) & 1
0 = 0 * 3
0 = (79 >> 2) & 1
0 = 0 * 47
1 = (79 >> 3) & 1
49 = 1 * 49
1 = (79 >> 4) & 1
B = 1 * B
1 = (79 >> 5) & 1
D = 1 * D
1 = (79 >> 6) & 1
3D = 1 * 3D
0 = (79 >> 7) & 1
0 = 0 * 1F
3D = 3D + 0
4A = D + 3D
55 = B + 4A
9E = 49 + 55
9E = 0 + 9E
9E = 0 + 9E
A0 = 2 + 9E
FA = A0 ^ 5A
0 = (7A >> 0) & 1
0 = 0 * 61
1 = (7A >> 1) & 1
2 = 1 * 2
0 = (7A >> 2) & 1
0 = 0 * 3
1 = (7A >> 3) & 1
43 = 1 * 43
1 = (7A >> 4) & 1
5 = 1 * 5
1 = (7A >> 5) & 1
B = 1 * B
1 = (7A >> 6) & 1
D = 1 * D
0 = (7A >> 7) & 1
0 = 0 * 53
D = D + 0
18 = B + D
1D = 5 + 18
60 = 43 + 1D
60 = 0 + 60
62 = 2 + 60
62 = 0 + 62
42 = 62 ^ 20
1 = (41 >> 0) & 1
2 = 1 * 2
0 = (41 >> 1) & 1
0 = 0 * 3
0 = (41 >> 2) & 1
0 = 0 * 5
0 = (41 >> 3) & 1
0 = 0 * 25
0 = (41 >> 4) & 1
0 = 0 * 7
0 = (41 >> 5) & 1
0 = 0 * 29
1 = (41 >> 6) & 1
B = 1 * B
0 = (41 >> 7) & 1
0 = 0 * 35
B = B + 0
B = 0 + B
B = 0 + B
B = 0 + B
B = 0 + B
B = 0 + B
D = 2 + B
4C = D ^ 41
0 = (42 >> 0) & 1
0 = 0 * 2
1 = (42 >> 1) & 1
3 = 1 * 3
0 = (42 >> 2) & 1
0 = 0 * 49
0 = (42 >> 3) & 1
0 = 0 * 2B
0 = (42 >> 4) & 1
0 = 0 * B
0 = (42 >> 5) & 1
0 = 0 * D
1 = (42 >> 6) & 1
35 = 1 * 35
0 = (42 >> 7) & 1
0 = 0 * 3D
35 = 35 + 0
35 = 0 + 35
35 = 0 + 35
35 = 0 + 35
35 = 0 + 35
38 = 3 + 35
38 = 0 + 38
6A = 38 ^ 52
1 = (43 >> 0) & 1
2 = 1 * 2
1 = (43 >> 1) & 1
43 = 1 * 43
0 = (43 >> 2) & 1
0 = 0 * 3
0 = (43 >> 3) & 1
0 = 0 * 25
0 = (43 >> 4) & 1
0 = 0 * 7
0 = (43 >> 5) & 1
0 = 0 * B
1 = (43 >> 6) & 1
2F = 1 * 2F
0 = (43 >> 7) & 1
0 = 0 * 3B
2F = 2F + 0
2F = 0 + 2F
2F = 0 + 2F
2F = 0 + 2F
2F = 0 + 2F
72 = 43 + 2F
74 = 2 + 72
30 = 74 ^ 44
0 = (44 >> 0) & 1
0 = 0 * 2
0 = (44 >> 1) & 1
0 = 0 * 25
1 = (44 >> 2) & 1
5 = 1 * 5
0 = (44 >> 3) & 1
0 = 0 * 49
0 = (44 >> 4) & 1
0 = 0 * D
0 = (44 >> 5) & 1
0 = 0 * 2F
1 = (44 >> 6) & 1
35 = 1 * 35
0 = (44 >> 7) & 1
0 = 0 * 3B
35 = 35 + 0
35 = 0 + 35
35 = 0 + 35
35 = 0 + 35
3A = 5 + 35
3A = 0 + 3A
3A = 0 + 3A
7B = 3A ^ 41
1 = (45 >> 0) & 1
2 = 1 * 2
0 = (45 >> 1) & 1
0 = 0 * 43
1 = (45 >> 2) & 1
47 = 1 * 47
0 = (45 >> 3) & 1
0 = 0 * 49
0 = (45 >> 4) & 1
0 = 0 * 29
0 = (45 >> 5) & 1
0 = 0 * B
1 = (45 >> 6) & 1
D = 1 * D
0 = (45 >> 7) & 1
0 = 0 * 59
D = D + 0
D = 0 + D
D = 0 + D
D = 0 + D
54 = 47 + D
54 = 0 + 54
56 = 2 + 54
B = 56 ^ 5D
0 = (46 >> 0) & 1
0 = 0 * 2
1 = (46 >> 1) & 1
3 = 1 * 3
1 = (46 >> 2) & 1
43 = 1 * 43
0 = (46 >> 3) & 1
0 = 0 * 25
0 = (46 >> 4) & 1
0 = 0 * 49
0 = (46 >> 5) & 1
0 = 0 * B
1 = (46 >> 6) & 1
2B = 1 * 2B
0 = (46 >> 7) & 1
0 = 0 * 3B
2B = 2B + 0
2B = 0 + 2B
2B = 0 + 2B
2B = 0 + 2B
6E = 43 + 2B
71 = 3 + 6E
71 = 0 + 71
11 = 71 ^ 60
1C = B + 11
97 = 7B + 1C
C7 = 30 + 97
131 = 6A + C7
17D = 4C + 131
1BF = 42 + 17D
2B9 = FA + 1BF
3A0 = E7 + 2B9
45A = BA + 3A0
466 = C + 45A
499 = 33 + 466
573 = DA + 499
633 = C0 + 573
636 = 3 + 633
676 = 40 + 636
699 = 23 + 676
75B = C2 + 699
838 = DD + 75B
8CD = 95 + 838
9B0 = E3 + 8CD
9D2 = 22 + 9B0
9F5 = 23 + 9D2
AAB = B6 + 9F5
B90 = E5 + AAB
C55 = C5 + B90
D29 = D4 + C55
E13 = EA + D29
E39 = 26 + E13
E54 = 1B + E39
EAB = 57 + E54
F07 = 5C + EAB
INT3 breakpoint at secret_box.00007FF77B182055!

Clearly, for each input byte (8 bits), the VM splits it into its bits, each 0 or 1, multiplies each bit by a constant (the "encrypted" value for that bit position), sums the eight products, and XORs the sum with something to get enc[i]; the program then adds up all of these to produce the final result.

0 = S = \sum_{i} \left( \left( bits[i]_0 \cdot c_0 + bits[i]_1 \cdot c_1 + bits[i]_2 \cdot c_2 + bits[i]_3 \cdot c_3 + bits[i]_4 \cdot c_4 + bits[i]_5 \cdot c_5 + bits[i]_6 \cdot c_6 + bits[i]_7 \cdot c_7 \right) \oplus CONST[i] \right)

Since the program requires S == 0 and every term of the sum is non-negative, each XOR term must itself be 0, i.e. the bit-weighted sum for byte i must equal CONST[i]. That gives the following
Exp:

# CONST[i] for each of the 32 input positions (the value XORed in at the end of each trace block)
enc = [0x46, 0x38, 0x46, 0x4D, 0x4A, 0x5A, 0x57, 0x52, 0x3C, 0x43, 0x56, 0x5F, 0x40, 0x5E, 0x55, 0x42, 0x21, 0x45, 0x40, 0x62, 0x43, 0x47, 0x5E, 0x5D, 0x5A, 0x20, 0x41, 0x52, 0x44, 0x41, 0x5D, 0x60]
# muls[r][k] is the multiplier applied to bit k of input byte r, read off the trace
muls = []
muls.append([0x2,0x3,0x43,0x25,0x29,0xB,0xD,0x59])
muls.append([0x2,0x3,0x43,0x5,0x7,0x2F,0x3D,0x1D])
muls.append([0x2,0x43,0x25,0x7,0x2B,0xB,0xD,0x1F])
muls.append([0x61,0x3,0x29,0x49,0xB,0xD,0x35,0x1D])
muls.append([0x61,0x43,0x3,0xB,0x2B,0xD,0x2F,0x53])
muls.append([0x43,0x5,0x25,0x47,0x7,0xB,0x59,0x1D])
muls.append([0x2,0x3,0x5,0xB,0xD,0x53,0x35,0x3D])
muls.append([0x2,0x3,0x7,0x47,0x2B,0x53,0x1D,0x1F])
muls.append([0x7,0x49,0xB,0xD,0x35,0x59,0x1D,0x1F])
muls.append([0x2,0x3,0x5,0x25,0x7,0x2B,0xD,0x3D])
muls.append([0x2,0x5,0x7,0x2B,0xB,0xD,0x35,0x59])
muls.append([0x5,0x7,0x49,0x2B,0xB,0xD,0x3B,0x1F])
muls.append([0x3,0x5,0x49,0x29,0x2B,0xD,0x53,0x59])
muls.append([0x2,0x7,0x47,0xB,0x2B,0xD,0x1D,0x3D])
muls.append([0x2,0x5,0x7,0xB,0xD,0x4F,0x2F,0x53])
muls.append([0x3,0x43,0x25,0x5,0x49,0xB,0xD,0x3D])
muls.append([0x2,0x43,0x5,0x7,0x47,0xB,0xD,0x3D])
muls.append([0x43,0x3,0x5,0x25,0x2B,0xB,0xD,0x3D])
muls.append([0x2,0x3,0x25,0x7,0x47,0x29,0xB,0x1D])
muls.append([0x3,0x5,0x29,0xB,0x2B,0x2F,0x35,0x1D])
muls.append([0x2,0x3,0x7,0x47,0x2B,0xD,0x2F,0x4F])
muls.append([0x2,0x3,0x5,0x25,0xB,0x2B,0xD,0x4F])
muls.append([0x61,0x43,0x5,0x25,0x7,0x29,0xB,0x3D])
muls.append([0x3,0x47,0x7,0x2B,0xB,0x4F,0x35,0x3D])
muls.append([0x2,0x3,0x47,0x49,0xB,0xD,0x3D,0x1F])
muls.append([0x61,0x2,0x3,0x43,0x5,0xB,0xD,0x53])
muls.append([0x2,0x3,0x5,0x25,0x7,0x29,0xB,0x35])
muls.append([0x2,0x3,0x49,0x2B,0xB,0xD,0x35,0x3D])
muls.append([0x2,0x43,0x3,0x25,0x7,0xB,0x2F,0x3B])
muls.append([0x2,0x25,0x5,0x49,0xD,0x2F,0x35,0x3B])
muls.append([0x2,0x43,0x47,0x49,0x29,0xB,0xD,0x59])
muls.append([0x2,0x3,0x43,0x25,0x49,0xB,0x2B,0x3B])
ans = bytearray()
for r in range(32):
    # Brute-force printable ASCII: the bit-weighted sum must equal enc[r]
    for i in range(0x20, 0x7f):
        a0 = ((i >> 0) & 1) * muls[r][0]
        a1 = ((i >> 1) & 1) * muls[r][1]
        a2 = ((i >> 2) & 1) * muls[r][2]
        a3 = ((i >> 3) & 1) * muls[r][3]
        a4 = ((i >> 4) & 1) * muls[r][4]
        a5 = ((i >> 5) & 1) * muls[r][5]
        a6 = ((i >> 6) & 1) * muls[r][6]
        a7 = ((i >> 7) & 1) * muls[r][7]
        s1 = a0 + a1 + a2 + a3 + a4 + a5 + a6 + a7
        if s1 == enc[r]:
            ans.append(i)
            break
print(ans)
# bytearray(b's1mpl3_VM_us3s_link3d_l1st_st4ck')

Then feed this as the input to the program and it prints the real flag:

C:\Users\Administrator\Desktop\S1mpLeVM_6d429db3ceeba8f95131c477020ee899>secret_box.exe quest
Enter ur passcode: s1mpl3_VM_us3s_link3d_l1st_st4ck115
Thank for providing passcode, my ultimate secret box is checking...
Cracked...
flag{s1mpl3_VM_us1ng_st4ck_th4t_1mpl3m3nt_by_l1nk3d_l1st_^3^_!!}
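As an added example (not the write-up's own script), the following parses the x64dbg trace format shown above to rebuild the muls and CONST tables automatically instead of copying them by hand, then inverts the check; it also flags any byte whose printable-ASCII solution is not unique, which a first-match brute force would silently pick wrong. TRACE is the trace's first block (input byte 0x61) from the write-up; the regexes and function names are my own.

```python
import re

# Added example (not the write-up's own script): rebuild the per-byte
# constant tables straight from the x64dbg trace text instead of copying
# them by hand, then invert the check. TRACE is the trace's first block
# (input byte 0x61) from the write-up, packed several lines per string.
TRACE = (
    "1 = (61 >> 0) & 1\n2 = 1 * 2\n0 = (61 >> 1) & 1\n0 = 0 * 3\n"
    "0 = (61 >> 2) & 1\n0 = 0 * 43\n0 = (61 >> 3) & 1\n0 = 0 * 25\n"
    "0 = (61 >> 4) & 1\n0 = 0 * 29\n1 = (61 >> 5) & 1\nB = 1 * B\n"
    "1 = (61 >> 6) & 1\nD = 1 * D\n0 = (61 >> 7) & 1\n0 = 0 * 59\n"
    "D = D + 0\n18 = B + D\n18 = 0 + 18\n18 = 0 + 18\n18 = 0 + 18\n"
    "18 = 0 + 18\n1A = 2 + 18\n5C = 1A ^ 46\n"
)

BIT_RE = re.compile(r"^[0-9A-F]+ = \([0-9A-F]+ >> (\d)\) & 1$")
MUL_RE = re.compile(r"^[0-9A-F]+ = [01] \* ([0-9A-F]+)$")
XOR_RE = re.compile(r"^[0-9A-F]+ = [0-9A-F]+ \^ ([0-9A-F]+)$")

def parse_trace(text):
    """Return [(muls, const), ...] per input byte: muls[k] multiplies bit k,
    and the bit-weighted sum must equal const (the value XORed at block end)."""
    blocks, muls, bit = [], [0] * 8, None
    for line in text.splitlines():
        if m := BIT_RE.match(line):
            bit = int(m.group(1))  # the next "* C" line belongs to this bit
        elif (m := MUL_RE.match(line)) and bit is not None:
            muls[bit] = int(m.group(1), 16)
            bit = None
        elif m := XOR_RE.match(line):  # end of one byte's block
            blocks.append((muls, int(m.group(1), 16)))
            muls = [0] * 8
    return blocks

def solve(blocks):
    """Brute-force each byte over printable ASCII; '?' marks a non-unique hit."""
    out = []
    for muls, const in blocks:
        hits = [c for c in range(0x20, 0x7F)
                if sum(((c >> k) & 1) * muls[k] for k in range(8)) == const]
        out.append(chr(hits[0]) if len(hits) == 1 else "?")
    return "".join(out)

if __name__ == "__main__":
    print(solve(parse_trace(TRACE)))  # "s" for the one-byte excerpt
```

Feeding the full trace from the write-up to parse_trace yields all 32 blocks, and the 0x20..0x7E bound matters: for the first byte, the sub-byte 0x06 also satisfies the sum, so widening the range would make that position ambiguous.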

unsafeFile

Little Y is bad at games, so he got a cheat file from a mysterious person. After enabling its feature, he found that one of his important files had been encrypted. Can you find a way to help him recover it?
Please do not run any of the challenge files on a physical machine; the organizers accept no responsibility for any loss caused. If needed, run and debug inside a virtual machine. Extraction password: 2024qwbfinal

It is a Cheat Engine script that injects into PlantsVsZombies.exe to apply modifications.
CE's library function decodeFunction() decodes the blob back into a function.
We use this tool from GitHub to extract the contents of encodeFunction.
2024-12-06T06:16:44.png

Below is the important content after decompilation.

// remote code injection
L2_1 = "injectDLL"
L2_1 = _ENV[L2_1]
L3_1 = "C:\\system.dll"
L2_1(L3_1)
L2_1 = "sleep"
L2_1 = _ENV[L2_1]
L3_1 = 5
L2_1(L3_1)
L2_1 = [[
alloc(newmem,256)
label(returnhere)
label(originalcode)
label(exit)
// remote code injection
newmem:

originalcode:
xor eax,5A

mov ecx, eax
shr eax, 4
shl ecx, 4
or eax, ecx

mov ecx,[ebp-1C]

exit:
jmp returnhere

"system.dll"+25C6:
jmp newmem
nop
returnhere:

]]
L3_1 = "autoAssemble"
L3_1 = _ENV[L3_1]
L4_1 = L2_1
L3_1(L4_1)
L3_1 = "writeByte"
L3_1 = _ENV[L3_1]
L4_1 = "system.dll+C6DC"
L5_1 = 1
L3_1(L4_1, L5_1)
L3_1 = "activateProtection"
L3_1 = _ENV[L3_1]
L3_1()
L3_1 = "enableDRM"
L3_1 = _ENV[L3_1]
L3_1()

We can see that it drops a system.dll.
We simply run this script in CE. From our analysis, the DLL is only injected while pvz.exe is running, but in any case the DLL is always dropped into the root of the C: drive, so we can grab system.dll from there.
Analyzing system.dll, we find AES.

2024-12-06T06:17:11.png

AES-CBC
2024-12-06T06:17:20.png
File traversal
2024-12-06T06:17:29.png
Encrypts the file, then renames it with a .yr suffix
2024-12-06T06:17:37.png
Encrypting the file
2024-12-06T06:17:44.png
Debug dynamically in x64dbg; set a breakpoint on DeleteFile so the program cannot delete the real files on the machine. Then break on KEY_Expansion: the key turns out to be random. Then break here, and we can grab the IV (v39).
2024-12-06T06:17:51.png
The IV is random too. Since the challenge must be solvable, we guess that both the key and the IV are written into the file.
Analyzing a manually encrypted .yr file, we find 32 extra bytes, corresponding to the key and the IV: the key is XORed with 0x5a, and the IV is stored as-is.

newmem:

originalcode:
xor eax,5A

mov ecx, eax
shr eax, 4
shl ecx, 4
or eax, ecx

mov ecx,[ebp-1C]

exit:
jmp returnhere

"system.dll"+25C6:
jmp newmem
nop
returnhere:

Note in the snippet above that a ror 4 has been added after the xor eax, 5A.
So we have the EXP:

from regadgets import *  # helper library providing ror8, bxor_cycle and AES_cbc_decrypt
enc = open('secret.pdf.yr', 'rb').read()
iv = enc[-16:]            # last 16 bytes of the file: the IV, stored as-is
key = enc[-32:-16]        # the 16 bytes before it: the transformed key
key = bytes([ror8(i, 4) for i in key])   # undo the 4-bit rotate (applied after the xor)
key = bxor_cycle(key, 0x5a)              # undo the xor with 0x5a
print("iv", iv.hex())
print("key", key.hex())
enc = enc[:-32]           # the ciphertext is everything before the 32-byte trailer
dec = AES_cbc_decrypt(enc, key, iv)
open('secret.pdf', 'wb').write(dec)

2024-12-06T06:18:17.png
flag{7he_Che47_En9INe_74BLE_I5_N07_54fE#cf17565a3d91fdbf}
