Lua: simple virtualized code obfuscation, find the password (experts welcome
This post was last edited by Ax王者 on 2022-10-3 17:36.
In theory it works on every platform, but it has only been tested on LuaJIT/Lua 5.1.
No complex instruction set; some simple mutations are present.
The input password s has length 7 and satisfies the following requirements:
s ~= 'b'
s > s
s - s >= 1
s == s
s - s == 1
s - s == 3

Ax王者 posted on 2022-12-20 19:41
Awesome. How did you solve it?
Just analyze the VM function and disassemble the virtualized instructions into Lua code:
[ 1] l0 = {}
[ 2] l1 = _G.string
[ 3] l2 = closure92 table: 0000000000E41D10 0
[ 4] l0.size = l2
[ 5] l2 = closure68 table: 0000000000E41CC0 1
[ 6] l0 = l1
[ 7] l0.fromString = l2
[ 8] l2 = closure68 table: 0000000000E43500 2
[ 9] l0 = l1
l0.toString = l2
l2 = {}
l3 = 0
l4 = 255
l5 = 1
((l5 > 0 and l3 > l4) or (l5 <= 0 and l3 < l4)) ? branch 22 : l6 = l3
l7 = l1.format
l8 = %02X
l9 = l6
l7 = l7(l8 .. l-1)
l2 = l7
l3 = l3 + l5
l5 > 0 and l3 + l5 <= l4 ? (l6 = l3 + l5; branch 16)
l3 + l5 >= l4 ? (l6 = l3 + l5; branch 16)
l3 = closure68 table: 0000000000E446D0 3
l0 = l2
l0.toHex = l3
l3 = closure92 table: 0000000000E45150 4
l0.concat = l3
l3 = closure92 table: 0000000000E460A0 5
l0.truncate = l3
l3 = closure92 table: 0000000000E45D80 6
l0.substitute = l3
l3 = closure92 table: 0000000000E47ED0 7
l0.permute = l3
l3 = closure92 table: 0000000000E46F80 8
l0.copy = l3
l3 = closure92 table: 0000000000E47AC0 9
l0.slice = l3
-------- 26, 2 0 0
l2 .. l3 = nil .. nil
l4 = _G.io
l4 = l4.write
l5 = What's your guess?
l4(l5)
l4 = io
l4 = l4.flush
l4()
l4 = l0.fromString
l5 = tostring
l6 = io
l6 = l6.read
l6 ... = l6() -- l6 = io.read()
l5 ... = l5(l6 ...) -- l5 = tostring(io.read())
l4 = l4(l5 ...) -- l4 = l0.fromString(io.read())
l2 = l4 -- l2 is the array of ASCII codes of the input string
l4 = #l2
6 < l4 ? branch 58 : branch 57 -- check: #l2 > 6
branch 58
branch 150
l4 = #l2
l4 <= 7 ? branch 61 : branch 150 -- check: #l2 <= 7
branch 150
l4 .. l8 = nil .. nil
l5 = l2.2
l6 = l2.1
l9 = l2.4
l10 = l2.1
l9 = l9 - l10
l9 <= -1 ? branch 69 : branch 150 -- check: l2.4 - l2.1 <= -1
branch 150
l9 = l2.5
l10 = l2.1
l9 = l9 - l10
1 <= l9 ? branch 75 : branch 74 -- check: l2.5 - l2.1 >= 1
branch 75
branch 150
l9 = l2.6
l9 == 98 ? branch 78 : branch 108 -- check: l2.6 ~= 98
branch 108
l9 = l2.2
l10 = l2.5
l9 = l9 - l10
l9 = l2.l9
l10 = l2.7
l9 = l9 / l10
l10 = l2.6
l9 = l9 * l10
l10 = l2.5
l9 == l10 ? branch 89 : branch 150
branch 150
l9 = l2.3
l10 = l2.4
l9 = l9 - l10
l9 = l9 / 7
l10 = race
l10 = #l10
l10 = l10 - 3
l11 = 1
(l11 > 0 and l9 > l10) or (l11 <= 0 and l9 < l10) ? branch 107 : l12 = l9
l13 .. l17 = nil .. nil
l18 = l2.5
l19 = l2.3
l14 = l18 - l19
l13 = l14 + 5
l16 = l13 / l14
branch 106
branch 98
l9 = l9 + l11
l11 > 0 and l9 + l11 <= l10 ? (l12 = l9 + l11; branch 98)
l9 + l11 >= l10 ? (l12 = l9 + l11; branch 98)
branch 150
l9 = l2.7
l10 = l2.6
l9 = l9 - l10 -- l9 = l2.7 - l2.6
l9 = l2.l9 -- l9 = l2
l10 = l2.7 -- l10 = l2.7
l9 = l9 / l10 -- l9 = l2 / l2.7
l10 = l2.1 -- l10 = l2.1
l9 = l9 * l10 -- l9 = l2 / l2.7 * l2.1
l10 = l2.1 -- l10 = l2.1
l9 ~= l10 ? branch 119 : branch 120 -- check: l2 / l2.7 * l2.1 == l2.1 (l2.7-l2.6==1, l2.7==l2.1)
branch 120
branch 150
l9 = l2.7
l10 = l2.6
l9 = l9 - l10 -- l9 = l2.7 - l2.6
l9 = l9 / 7 -- l9 = (l2.7 - l2.6) / 7
l10 = racel
l10 = #l10
l10 = l10 - 4 -- l10 == 1
l11 = 1
(l11 > 0 and l9 > l10) or (l11 <= 0 and l9 < l10) ? branch 148 : l12 = l9 -- check: (l2.7 - l2.6) <= 7
l13 .. l17 = nil .. nil
l17 = l13
l14 = l2.5
l16 = l2.3
l18 = l2.3
l19 = l2.2
l18 = l18 - l19 -- l18 = l2.3 - l2.2
l19 = l2.1
l18 = l18 - l19 -- l18 = l2.3 - l2.2 - l2.1
l19 = l2.7
l18 = l18 + l19 -- l18 = l2.3 - l2.2 - l2.1 + l2.7
l18 == 3 ? branch 142 : branch 147 -- check: l2.3 - l2.2 - l2.1 + l2.7 == 3
branch 147
l18 = l2.5
l19 = l2.2
l3 = l18 - l19
branch 147
branch 133
l9 = l9 + l11
l11 > 0 and l9 + l11 <= l10 ? (l12 = l9 + l11; branch 129)
l9 + l11 >= l10 ? (l12 = l9 + l11; branch 129)
branch 150
branch 58
not l3 ? branch 152 : branch 153
branch 153
branch 39
l4 = _G.print
l5 = Correct! But I'll be unhappy if you don't know the exact password :<
-------- 24, 4 2 1
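The checks annotated in the listing above, lifted out of the VM into plain Python so they can be exercised directly (an added example, not code from the thread or from the challenge). The annotation's reading of the index check, s7 - s6 == 1 together with s7 == s1, is taken as the solution family that build() fills in; lifted_check() itself follows the listing's arithmetic, and count_lowercase_candidates() shows how many lowercase strings still pass, which is why the program only prints "Correct! But ...".

```python
# Added example (not code from the thread): the checks annotated in the
# disassembly, lifted out of the VM into plain Python. l2.1 .. l2.7 in the
# listing are s[1] .. s[7] here. The loops bounded by #"race" - 3 and
# #"racel" - 4 only bound (s7 - s6) / 7 and compute values that are never
# used, so they are reduced to that bound on the index k below.

def lifted_check(guess: str) -> bool:
    """Return True when a guess reaches the "Correct!" print of the listing."""
    s = [None] + [ord(c) for c in guess]      # 1-based, like the Lua table l2
    n = len(guess)
    if not (6 < n <= 7):                      # #l2 > 6 and #l2 <= 7
        return False
    if not (s[4] - s[1] <= -1):               # l2.4 - l2.1 <= -1
        return False
    if not (s[5] - s[1] >= 1):                # l2.5 - l2.1 >= 1
        return False
    if s[6] == 98:                            # l2.6 ~= 98, i.e. not 'b'
        return False
    k = s[7] - s[6]                           # data-dependent index l2[l2.7 - l2.6]
    if not (1 <= k <= 7):                     # out-of-range index is nil in Lua; the
        return False                          # arithmetic on it errors, so never "Correct!"
    if s[k] / s[7] * s[1] != s[1]:            # l2[k] / l2.7 * l2.1 == l2.1
        return False
    return s[3] - s[2] - s[1] + s[7] == 3     # the check that sets the success flag l3


def build(s1: str, s2: str, s4: str, s5: str) -> str:
    """Fill in the dependent characters of the family the annotations describe:
    s7 == s1, s7 - s6 == 1 and s3 - s2 == 3; s1, s2, s4, s5 stay free."""
    return s1 + s2 + chr(ord(s2) + 3) + s4 + s5 + chr(ord(s1) - 1) + s1


def count_lowercase_candidates() -> int:
    """Count 7-letter lowercase guesses in that family that pass lifted_check."""
    a, z = ord("a"), ord("z")
    count = 0
    for s1 in range(a, z + 1):
        for s4 in range(a, s1):               # s4 < s1
            for s5 in range(s1 + 1, z + 1):   # s5 > s1
                for s2 in range(a, z - 2):    # keep s3 = s2 + 3 within a..z
                    if lifted_check(build(chr(s1), chr(s2), chr(s4), chr(s5))):
                        count += 1
    return count


if __name__ == "__main__":
    print(lifted_check("badacab"))            # True: one constructed candidate
    print(count_lowercase_candidates())       # 58742 lowercase strings pass the checks
```

Because the index check only requires s[s7 - s6] == s7, the family that build() fills in is the one the annotations single out, not the only one the lifted arithmetic admits.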
-------- 61, 0 1 0

Thanks for sharing, I'll download it and take a look.

Isn't decrypting just a matter of finding the key luaload spot and dumping it?

Thanks for sharing, bookmarked for now.

lvbuqing posted on 2022-10-3 18:55
Isn't decrypting just a matter of finding the key luaload spot and dumping it?
This thing works on a principle similar to jsvmp.
It's not that simple.

Correct! But I'll be unhappy if you don't know the exact password :<

991547436 posted on 2022-10-6 00:36
Correct! But I'll be unhappy if you don't know the exact password :
This is a reverse-me.
Please post the password.