吾爱破解 - 52pojie.cn


[ReverseMe] Lua simple virtualization code obfuscation: find the password (experts welcome

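Ax王者 posted on 2022-10-2 10:00
What is a CM? What is a Crackme? What is this thing? What has the original poster posted?
These are small programs published for others to try to crack. The author of a Crackme may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge other crackers' skills, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks others to produce its keygen (serial number generator), a ReverseMe asks others to reverse-engineer its algorithm, and an UnpackMe asks others to unpack it successfully. Off-topic, non-technical filler replies are prohibited in this section.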

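This post was last edited by Ax王者 on 2022-10-3 17:36

In theory it works on all platforms, but it has only been tested on LuaJIT/Lua 5.1.
No complex instruction set; there are some simple mutations.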


armcha1r posted on 2022-12-14 12:35
The input password s has length 7 and satisfies the following requirements:
s[6] ~= 'b'
s[5] > s[1]
s[1] - s[4] >= 1
s[7] == s[1]
s[7] - s[6] == 1
s[3] - s[2] == 3
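armcha1r posted on 2022-12-21 09:51
Ax王者 posted on 2022-12-20 19:41
Awesome work. May I ask how you solved it?

Just analyze the VM function and disassemble the virtualized instructions into Lua code.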
[ 1] l0 = {}
[ 2] l1 = _G.string
[ 3] l2 = closure92 table: 0000000000E41D10 0
[ 4] l0.size = l2
[ 5] l2 = closure68 table: 0000000000E41CC0 1
[ 6] l0 = l1
[ 7] l0.fromString = l2
[ 8] l2 = closure68 table: 0000000000E43500 2
[ 9] l0 = l1
[10] l0.toString = l2
[11] l2 = {}
[12] l3 = 0
[13] l4 = 255
[14] l5 = 1
[15] ((l5 > 0 and l3 > l4) or (l5 <= 0 and l3 < l4)) ? branch 22 : l6 = l3
[16] l7 = l1.format
[17] l8 = %02X
[18] l9 = l6
[19] l7 = l7(l8 .. l-1)
[20] l2[l6] = l7
[21] l3 = l3 + l5
[21] l5 > 0 and l3 + l5 <= l4 ? (l6 = l3 + l5; branch 16)
[21] l3 + l5 >= l4 ? (l6 = l3 + l5; branch 16)
[22] l3 = closure68 table: 0000000000E446D0 3
[23] l0 = l2
[24] l0.toHex = l3
[25] l3 = closure92 table: 0000000000E45150 4
[26] l0.concat = l3
[27] l3 = closure92 table: 0000000000E460A0 5
[28] l0.truncate = l3
[29] l3 = closure92 table: 0000000000E45D80 6
[30] l0.substitute = l3
[31] l3 = closure92 table: 0000000000E47ED0 7
[32] l0.permute = l3
[33] l3 = closure92 table: 0000000000E46F80 8
[34] l0.copy = l3
[35] l3 = closure92 table: 0000000000E47AC0 9
[36] l0.slice = l3
[37] -------- 26, 2 0 0
[38] l2 .. l3 = nil .. nil
[39] l4 = _G.io
[40] l4 = l4.write
[41] l5 = What's your guess?

[42] l4(l5)
[43] l4 = io
[44] l4 = l4.flush
[45] l4()
[46] l4 = l0.fromString
[47] l5 = tostring
[48] l6 = io
[49] l6 = l6.read
[50] l6 ... = l6() -- l6 = io.read()
[51] l5 ... = l5(l6 ...) -- l5 = tostring(io.read())
[52] l4 = l4(l5 ...)  -- l4 = l0.fromString(io.read())
[53] l2 = l4    -- l2 is the ASCII array of the input string
[54] l4 = #l2
[55] 6 < l4 ? branch 58 : branch 57 -- check: #l2 > 6
[56] branch 58
[57] branch 150
[58] l4 = #l2
[59] l4 <= 7 ? branch 61 : branch 150 -- check: #l2 <= 7
[60] branch 150
[61] l4 .. l8 = nil .. nil
[62] l5 = l2.2
[63] l6 = l2.1
[64] l9 = l2.4
[65] l10 = l2.1
[66] l9 = l9 - l10
[67] l9 <= -1 ? branch 69 : branch 150 -- check: l2.4 - l2.1 <= -1
[68] branch 150
[69] l9 = l2.5
[70] l10 = l2.1
[71] l9 = l9 - l10
[72] 1 <= l9 ? branch 75 : branch 74 -- check: l2.5 - l2.1 >= 1
[73] branch 75
[74] branch 150
[75] l9 = l2.6
[76] l9 == 98 ? branch 78 : branch 108 -- check: l2.6 ~= 98
[77] branch 108
[78] l9 = l2.2
[79] l10 = l2.5
[80] l9 = l9 - l10
[81] l9 = l2.l9
[82] l10 = l2.7
[83] l9 = l9 / l10
[84] l10 = l2.6
[85] l9 = l9 * l10
[86] l10 = l2.5
[87] l9 == l10 ? branch 89 : branch 150
[88] branch 150
[89] l9 = l2.3
[90] l10 = l2.4
[91] l9 = l9 - l10
[92] l9 = l9 / 7
[93] l10 = race
[94] l10 = #l10
[95] l10 = l10 - 3
[96] l11 = 1
[97] (l11 > 0 and l9 > l10) or (l11 <= 0 and l9 < l10) ? branch 107 : l12 = l9
[98] l13 .. l17 = nil .. nil
[99] l18 = l2.5
[100] l19 = l2.3
[101] l14 = l18 - l19
[102] l13 = l14 + 5
[103] l16 = l13 / l14
[104] branch 106
[105] branch 98
[106] l9 = l9 + l11
[106] l11 > 0 and l9 + l11 <= l10 ? (l12 = l9 + l11; branch 98)
[106] l9 + l11 >= l10 ? (l12 = l9 + l11; branch 98)
[107] branch 150
[108] l9 = l2.7
[109] l10 = l2.6
[110] l9 = l9 - l10     -- l9 = l2.7 - l2.6
[111] l9 = l2.l9        -- l9 = l2[l2.7-l2.6]
[112] l10 = l2.7        -- l10 = l2.7
[113] l9 = l9 / l10     -- l9 = l2[l2.7-l2.6] / l2.7
[114] l10 = l2.1        -- l10 = l2.1
[115] l9 = l9 * l10     -- l9 = l2[l2.7-l2.6] / l2.7 * l2.1
[116] l10 = l2.1        -- l10 = l2.1
[117] l9 ~= l10 ? branch 119 : branch 120 -- check: l2[l2.7-l2.6] / l2.7 * l2.1 == l2.1 (l2.7-l2.6==1, l2.7==l2.1)
[118] branch 120
[119] branch 150
[120] l9 = l2.7
[121] l10 = l2.6
[122] l9 = l9 - l10     -- l9 = l2.7 - l2.6
[123] l9 = l9 / 7       -- l9 = (l2.7 - l2.6) / 7
[124] l10 = racel
[125] l10 = #l10
[126] l10 = l10 - 4     -- l10 == 1
[127] l11 = 1
[128] (l11 > 0 and l9 > l10) or (l11 <= 0 and l9 < l10) ? branch 148 : l12 = l9     -- check: (l2.7 - l2.6) <= 7
[129] l13 .. l17 = nil .. nil
[130] l17 = l13
[131] l14 = l2.5
[132] l16 = l2.3
[133] l18 = l2.3
[134] l19 = l2.2
[135] l18 = l18 - l19   -- l18 = l2.3 - l2.2
[136] l19 = l2.1
[137] l18 = l18 - l19   -- l18 = l2.3 - l2.2 - l2.1
[138] l19 = l2.7
[139] l18 = l18 + l19   -- l18 = l2.3 - l2.2 - l2.1 + l2.7
[140] l18 == 3 ? branch 142 : branch 147    -- check: l2.3 - l2.2 - l2.1 + l2.7 == 3
[141] branch 147
[142] l18 = l2.5
[143] l19 = l2.2
[144] l3 = l18 - l19
[145] branch 147
[146] branch 133
[147] l9 = l9 + l11
[147] l11 > 0 and l9 + l11 <= l10 ? (l12 = l9 + l11; branch 129)
[147] l9 + l11 >= l10 ? (l12 = l9 + l11; branch 129)
[148] branch 150
[149] branch 58
[150] not l3 ? branch 152 : branch 153
[151] branch 153
[152] branch 39
[153] l4 = _G.print
[154] l5 = Correct! But I'll be unhappy if you don't know the exact password :<
[155] -------- 24, 4 2 1
[156] -------- 61, 0 1 0
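
A cross-check of the six posted conditions against the listing, as an added example (not code from the thread or from the crackme's author): `vm_accepts` transcribes the branch structure of listing lines [54]-[150] into Python, and `cross_check` confirms that every string meeting the posted conditions takes the accepting branch. The function names, the sample string and the treatment of an out-of-range index or zero divisor as a rejection are assumptions made here.

```python
from itertools import product

def vm_accepts(pw: str) -> bool:
    """Accept path of listing lines [54]-[150]; Lua indices are 1-based."""
    b = [None] + list(pw.encode())            # b[1..n] plays the role of l2
    if len(b) - 1 != 7:                       # [55], [59]: 6 < #l2 <= 7
        return False
    if b[4] - b[1] > -1:                      # [67]
        return False
    if b[5] - b[1] < 1:                       # [72]
        return False
    if b[6] == 98:                            # [76]: lines [78]-[107] never set l3
        return False
    k = b[7] - b[6]                           # [110]
    # [111] indexes l2[k]; a nil result or a zero divisor is treated as a
    # rejection here (assumption about behaviour outside the listing).
    if not 1 <= k <= 7 or b[7] == 0:
        return False
    if b[k] / b[7] * b[1] != b[1]:            # [113]-[117]
        return False
    # [123]-[128]: the loop from k/7 to 1 runs once for 1 <= k <= 7.
    return b[3] - b[2] - b[1] + b[7] == 3     # [140]; [144] then sets l3

def meets_posted_constraints(pw: str) -> bool:
    """The six conditions from the 2022-12-14 reply, with 1-based s[i]."""
    s = [None] + list(pw.encode())
    return (len(s) - 1 == 7 and s[6] != ord("b") and s[5] > s[1]
            and s[1] - s[4] >= 1 and s[7] == s[1]
            and s[7] - s[6] == 1 and s[3] - s[2] == 3)

def cross_check(alphabet: str = "abcde"):
    """Count strings meeting the posted conditions, and how many of those
    the transcribed path accepts (the two numbers should match)."""
    meeting = accepted = 0
    for chars in product(alphabet, repeat=7):
        pw = "".join(chars)
        if meets_posted_constraints(pw):
            meeting += 1
            accepted += vm_accepts(pw)
    return meeting, accepted

if __name__ == "__main__":
    sample = "dadaecd"    # constructed input, not the intended password
    print(sample, vm_accepts(sample), cross_check())
```

The check runs in one direction only: it shows that strings meeting the posted conditions are accepted by the transcribed path, not that no other string is.
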
JerryLia posted on 2022-10-2 10:24
Thanks for sharing, I'll download it and take a look.

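emmaus7777 posted on 2022-10-2 11:36
Notice: this post has been blocked by an administrator or moderator
kkeraa posted on 2022-10-3 01:46
Notice: this post has been blocked by an administrator or moderator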
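lvbuqing posted on 2022-10-3 18:55
Isn't decryption always just a matter of finding the key luaload spot and dumping it from there?
chalefly posted on 2022-10-5 10:38
Thanks for sharing, bookmarked for now.
OP | Ax王者 posted on 2022-10-5 19:15
lvbuqing posted on 2022-10-3 18:55
Isn't decryption always just a matter of finding the key luaload spot and dumping it from there?

The principle behind this is actually similar to jsvmp.
It's not that simple.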
AVS353 posted on 2022-10-5 23:44
Notice: this post has been blocked by an administrator or moderator
991547436 posted on 2022-10-6 00:36
Correct! But I'll be unhappy if you don't know the exact password :<
OP | Ax王者 posted on 2022-10-6 15:05
991547436 posted on 2022-10-6 00:36
Correct! But I'll be unhappy if you don't know the exact password :

This is a ReverseMe.
Please give the password.