Ape anthropology topic 20 (the topic will be updated from time to time)
2022-07-01 08:47:00 【Long time to see bug】
Preface
Today I suddenly felt like writing something, but there has really been little technical progress lately and nothing to write about. Looking back over my articles I noticed I haven't written anything about the ape man challenges for a long time, so I visited the ape man competition website and found that I haven't done the latest topic, 20, yet. How can that be! But I have no wasm reverse-engineering experience at all. I looked around online and found some rpc solutions; this time I'll take the chance to learn a bit more.
1. Getting to know wasm
What is wasm: reference link
Get familiar with wasm before starting on the problem. Open topic 20; looking at the request parameters in F12 shows that there is only one parameter to solve, sign. As usual, click the call-stack entry to get to the place where the parameter is generated:
You can see that sign is produced by the window.sign method from the page number plus a timestamp:

Keep following window.sign; the breakpoint enters the function, which looks like this:

The method call name is really long; from experience, look straight at _index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["sign"]
After all, it contains the familiar word sign. Step in and you arrive inside the wasm code:
Here we first need to make up some wasm basics, roughly as follows (the function header and first instructions, with the notes written as ;; comments):
```wat
;; (;71;) is the function's id; (export "sign") marks it as the exported function sign;
;; $var0, $var1, $var2 are the parameter names and i32 is their type (int32)
(func $sign (;71;) (export "sign") (param $var0 i32) (param $var1 i32) (param $var2 i32)
  ;; local declares variables used only inside the current function
  (local $var3 i32) (local $var4 i32) (local $var5 i32) (local $var6 i32) (local $var7 i32) (local $var8 i32) (local $var9 i32) (local $var10 i32) (local $var11 i32) (local $var12 i32) (local $var13 i32) (local $var14 i32) (local $var15 i32) (local $var16 i32) (local $var17 i32) (local $var18 i32) (local $var19 i32) (local $var20 i32) (local $var21 i32) (local $var22 i32) (local $var23 i32) (local $var24 i32) (local $var25 i32) (local $var26 i32) (local $var27 i32) (local $var28 i32) (local $var29 i32) (local $var30 i32) (local $var31 i32) (local $var32 i32) (local $var33 i32) (local $var34 i32) (local $var35 i32) (local $var36 i64)
  global.get $global0     ;; global.get reads a global variable (pushes it onto the stack)
  local.set $var3         ;; local.set writes a local variable (pops); reads and writes usually come in pairs and amount to an assignment: $var3 = $global0
  i32.const 80            ;; also a read: pushes the i32 constant 80
  local.set $var4         ;; writes $var4: $var4 = 80
  local.get $var3         ;; read $var3
  local.get $var4         ;; read $var4
  i32.sub                 ;; i32 subtraction; consumes both operands (a write) and pushes the difference
  local.set $var5         ;; $var5 = $var3 - $var4; stack machine: operands are read first, then the result is written
  local.get $var5
  global.set $global0     ;; $global0 = $var5
  local.get $var5
  local.get $var1
  i32.store offset=64     ;; memory operation: store writes to memory, load reads from it, offset is added to the address
  local.get $var5
  local.get $var2
  i32.store offset=68
  i32.const 16
  local.set $var6
  local.get $var5
  local.get $var6
  i32.add                 ;; addition; like i32.sub it consumes the stack (a write)
  local.set $var7
  local.get $var7
  local.get $var1
  local.get $var2
  call $func246           ;; function call: the gets since the last set are its arguments, i.e. $func246 is called with $var7, $var1, $var2
  local.get $var5
  i32.load offset=16
  local.set $var8
```
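As an added example (not code from the post or from the challenge's module), here is a minimal JavaScript stack-machine interpreter for just the instructions listed above; it runs the prologue and shows the 80-byte frame being carved out of $global0 and ptr0/len0 being stored at offsets 64 and 68. The memory size, the initial $global0 and the argument values are assumptions.

```javascript
// Added example, not code from the original post: a minimal interpreter for the WAT
// instructions in the $sign prologue. Each *.get / *.const pushes onto the operand stack,
// each *.set / *.store pops; the first lines carve an 80-byte frame out of $global0.
function runWat(lines, globals, locals, memory) {
  const view = new DataView(memory);
  const stack = [];
  for (const raw of lines) {
    const line = raw.replace(/;;.*$/, '').trim();              // drop ;; comments
    if (!line) continue;
    const [op, arg] = line.split(/\s+/);
    const offset = Number((line.match(/offset=(\d+)/) || [0, 0])[1]);
    switch (op) {
      case 'global.get': stack.push(globals[arg]); break;      // read  -> push
      case 'global.set': globals[arg] = stack.pop(); break;    // write -> pop
      case 'local.get':  stack.push(locals[arg]); break;
      case 'local.set':  locals[arg] = stack.pop(); break;
      case 'i32.const':  stack.push(Number(arg) | 0); break;
      case 'i32.add': { const b = stack.pop(), a = stack.pop(); stack.push((a + b) | 0); break; }
      case 'i32.sub': { const b = stack.pop(), a = stack.pop(); stack.push((a - b) | 0); break; }
      case 'i32.store': {                                       // pops value, then address
        const value = stack.pop(), addr = stack.pop();
        view.setInt32(addr + offset, value, true); break;       // wasm memory is little-endian
      }
      case 'i32.load': stack.push(view.getInt32(stack.pop() + offset, true)); break;
      default: throw new Error(`unsupported op ${op}`);
    }
  }
  return stack;
}

// The first instructions of $sign as listed above, up to the second i32.store.
const SIGN_PROLOGUE = [
  'global.get $global0', 'local.set $var3',                        // $var3 = $global0
  'i32.const 80', 'local.set $var4',                               // $var4 = 80
  'local.get $var3', 'local.get $var4', 'i32.sub', 'local.set $var5',   // $var5 = $var3 - 80
  'local.get $var5', 'global.set $global0',                        // $global0 = $var5
  'local.get $var5', 'local.get $var1', 'i32.store offset=64',     // frame[64] = ptr0
  'local.get $var5', 'local.get $var2', 'i32.store offset=68',     // frame[68] = len0
];

function demoSignPrologue(ptr0 = 1114120, len0 = 15) {             // sign(retptr, ptr0, len0) style arguments
  const memory = new ArrayBuffer(2 * 1024 * 1024);                // assumed 2 MiB linear memory
  const globals = { $global0: 1179648 };                           // assumed stack pointer on entry
  const locals = { $var1: ptr0, $var2: len0 };
  const stack = runWat(SIGN_PROLOGUE, globals, locals, memory);
  const view = new DataView(memory);
  return { stackPointer: globals.$global0, frame: locals.$var5, stackLeft: stack.length,
           savedPtr0: view.getInt32(locals.$var5 + 64, true), savedLen0: view.getInt32(locals.$var5 + 68, true) };
}
```

Running demoSignPrologue() ends with an empty operand stack and $global0 lowered by 80, which is why the debugger's stack pane looks "flattened" after each set.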
Compare this with the debugger view:

Our browsers and versions may differ, so the panes may look slightly different.
The debugger panes:
scope:
expression:
stack: the operand stack. Each read pushes onto the stack, each write pops it, and a method call flattens the stack (clears its contents); here you can view the current stack contents
local: local variables (such as $var5, $var6, $var7); what is displayed is a pointer / memory address, not the real value
module:
function tables: can be understood as the methods involved in the interaction between wasm and js
globals: global variables
instance:
exports: the methods wasm exposes for js to call directly
memory: the virtual (linear) memory
That much is enough to know.
2. Reverse analysis
Starting from the sign function located earlier, we know the final result comes from the last call, getStringFromWasm0(r0, r1); getStringFromWasm0 reads data of the given length from the given position in memory:
The r1 parameter is the constant 32, so we only need to find r0. r0 is taken from getInt32Memory0 at an index derived from the parameter; look at the getInt32Memory0 method:
We see memory, so we guess it is related to the virtual memory. Here int32 is 294912; the corresponding method divides by 4, so multiplying by 4 gives 1179648. Checking the debugger again under scope > module > memory, the values agree: this method returns the virtual memory as an array and uses the index to obtain the pointer address of the encrypted parameter:
I also wanted to see where retptr comes from. Stepping in with a breakpoint lands in a wasm method that looks like this:
global = var0 + global
And ptr0? It is the pointer address of the incoming plaintext in virtual memory; you can check it with getStringFromWasm0(1114120, 15) and it matches. Break again at _index_bg_wasm__WEBPACK_IMPORTED_MODULE_0__["sign"](retptr, ptr0, len0);
Each time this method runs, the data at that memory address changes. Follow this function again; it is very long and calls many other methods, so search directly for the keyword sign. Of course, translating every instruction one by one is also an option.
Enter the sign function and look at its overall logic; something interesting turns up: md5. Coincidentally, the encrypted parameter is also 32 characters long and its format matches, so break right here and see what gets passed in.
Query the real value via getStringFromWasm0(var56,var55): it is the plaintext with a salt attached.
Try encrypting that value with standard md5 and compare the results:

Yes, they are the same, so the encryption is solved: standard md5. As for whether the salt changes dynamically, check it several times; it does not. I won't give the salt value here. I hope you go through the process yourself to complete the study, rather than reading the plaintext and calling the algorithm directly to encrypt and solve the problem, because in that case the whole article would be pointless. If you really only want to solve the problem, go out, turn left, and use rpc.
3. Other
jeb can open wasm files for viewing; the decompiled output is C code, which is much clearer to read.
Reference link: tql
Just follow the steps there. Tip: if you see Class com/pnfsoftware/jeb/rcpclient/Launcher not found., it means your path contains Chinese characters.
Summary
If this feels familiar, you're right: I just watched big brother Zhiyuan's open class and learned from it. Consider this a knowledge reserve.