DASCTF,easyre签到题,ASPack,脱壳后找到关键函数

/*
 * Input check recovered from the unpacked binary (decompiler pseudo-C with
 * the locals renamed for readability).
 *
 * Each input byte is transformed as (low byte of dword_492940[i] ^ Str[i]) + 71
 * and stored in byte_492A60. The first 42 stored bytes are then compared with
 * a table built on the stack. Any mismatch ends the process through exit(0);
 * otherwise aRight is handed to sub_47BAB0 and that call's result is returned.
 *
 * The transform loop runs over strlen(Str) bytes, while the comparison always
 * covers 42 entries. No length check is visible in this function before the
 * write into byte_492A60 (NOTE(review): sub_401619 receives the length and
 * may validate it; its body is not shown here).
 */
int __cdecl sub_401771(char *Str)
{
    /* Decompiler slot [esp+1Ch] [ebp-DCh]: 42 expected values, the other 8 stay zero. */
    int expected[50] = {
        -61, -128,  -43,  -14, -101,   48,   11,  -76,   85,  -34,
         34, -125,   47, -105,  -72,   32,   29,  116,  -47,    1,
        115,   26,  -78,  -56,  -59,  116,  -64,   91,   -9,   15,
        -45,    1,   85,  -78,  -92,  -82,  123,  -84,   92,   86,
        -68,   35
    };
    int input_len; /* decompiler slot [esp+E4h] [ebp-14h] */
    int pos;

    input_len = strlen(Str);

    /* Four helpers whose bodies are not on this page; presumably they prepare
     * dword_492940 before it is used as the XOR key below (confirm in the binary). */
    sub_401500();
    sub_40152B();
    sub_401593();
    sub_401619(Str, input_len);

    /* Only the low byte of each key dword takes part in the XOR. */
    pos = 0;
    while (pos < input_len) {
        byte_492A60[pos] = (LOBYTE(dword_492940[pos]) ^ Str[pos]) + 71;
        ++pos;
    }

    /* The stored byte is converted to int for the comparison. The negative
     * table entries can only match if byte_492A60 holds signed bytes
     * (presumably char; its declaration is not shown). */
    for (pos = 0; pos <= 41; ++pos) {
        if (expected[pos] == byte_492A60[pos])
            continue;
        exit(0);
    }

    return sub_47BAB0((int)off_488140, aRight);
}

可以看到逻辑很简单,但是这里有int和char的强转问题,直接python逆向,会出现超出有符号char类型范围的问题。可以看到强转的汇编位置:

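所以编写脚本的时候必须舍弃高位:Python的整数不会像char那样按8位回绕,(tar[i] - 0x47) 可能是负数,异或之后必须再取低位,低8位要和0x7F相与。严格来说,还原8位截断应与0xFF相与;由于flag都是ASCII字符(最高位为0),与0x7F相与的结果相同。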

wp

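# coding: utf-8
"""Invert the byte transform checked by sub_401771 to recover the expected input."""

# Comparison table v2[0..41] from the decompiled check, as signed 8-bit values.
tar = [-61, -128, -43, -14, -101, 48, 11, -76, 85, -34, 34, -125, 47, -105, -72, 32, 29, 116, -47,
       1, 115, 26, -78, -56, -59, 116, -64, 91, -9, 15, -45, 1, 85, -78, -92, -82, 123, -84, 92, 86, -68, 35]

# XOR key bytes as given by the write-up (low bytes of dword_492940; how they
# were extracted from the binary is not shown on the page).
key = [0x38, 0x78, 0xDD, 0xE8, 0x00, 0xAF, 0xBF, 0x3A, 0x6B, 0xFB, 0xB8, 0x0C, 0x85, 0x35,
       0x5C, 0xAD, 0xE6, 0x00, 0xE0, 0x8A, 0x1D, 0xBD, 0x46, 0xD2, 0x2B, 0x00, 0x15, 0x24,
       0xC6, 0xAD, 0xA1, 0xC9, 0x7B, 0x12, 0x28, 0x00, 0x05, 0x00, 0x72, 0x3E, 0x10, 0xA1]


def decode(table, xor_key):
    """Return the input string whose transform equals ``table``.

    The binary stores ``(key ^ ch) + 0x47`` into a single byte, so the inverse
    is ``(value - 0x47) ^ key`` reduced back to byte range. Python integers do
    not wrap at 8 bits, so the subtraction can go negative and the result has
    to be masked. ``& 0xFF`` is the exact inverse of the truncation; the
    write-up's ``& 0x7F`` gives the same characters because the expected input
    is ASCII (top bit clear).

    Pairs are taken with ``zip``, so the shorter of the two sequences decides
    how many characters are produced.
    """
    return "".join(chr(((value - 0x47) ^ k) & 0x7F) for value, k in zip(table, xor_key))


if __name__ == "__main__":
    print(decode(tar, key))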

2022-03-31