临近期末要考试,目前只逆了一个函数,BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags),待有时间后再一一逆完。没什么技术含量,高手飘过。
/* Byte offsets into a raw 16-byte GUID, listed in the order the textual form
   prints them.  The first three groups (Data1, Data2, Data3) are byte-reversed
   relative to their in-memory order; a 0x2d ('-') entry emits a hyphen instead
   of a byte.  Consumed by guid2wstr. */
BYTE guidtowstr[] = {0x3,0x2,0x1,0x0,0x2d,0x5,0x4,0x2d,0x7,0x6,0x2d,0x8,0x9,0x2d,0xa,0xb,0xc,0xd,0xe,0xf};
/* Upper-case hex digit table used by guid2wstr. */
WCHAR UnicodeNumber[] = L"0123456789ABCDEF";
//FIX ME:THE PATH BELOW SHOULD BE PRODUCED ACCORDING TO YOUR OWN MACHINE!
/* Roots of the two catalog stores; the subsystem GUID is appended below them.
   NOTE(review): these are literals rather than being derived from the running
   system (e.g. GetSystemDirectoryW()).  Whatever these paths resolve to is where
   CryptCATAdminAcquireContext_Internal creates and later trusts the catalog
   store, so on a machine whose system directory is elsewhere they should be
   computed at run time instead of pointing at a location that may not be
   protected like system32 is. */
WCHAR OrigPath[] = L"C:\\WINDOWS\\system32\\CatRoot\\";
WCHAR OrigPath2[] = L"C:\\WINDOWS\\system32\\CatRoot2\\";
/* Path separator appended by _CatAdminCreatePath. */
WCHAR Slash[] = L"\\";
/* Per-handle state behind an HCATADMIN, filled in by
   CryptCATAdminAcquireContext_Internal.  Fields named _NN are offsets whose
   purpose has not been identified yet.
   NOTE(review): if the _NN names are byte offsets, this layout is 88 (0x58)
   bytes because of the trailing _84, yet AcquireContext_Internal allocates and
   records cbSize = 0x54 (84).  One of the two is off by one DWORD — confirm
   against the binary before anything dereferences _84. */
typedef struct _CAT_CONTEXT
{
int cbSize;                       /* set to 0x54 */
BOOL UseDefaultGUID;              /* TRUE when the caller passed pgSubsystem == NULL */
PWCHAR pwGUID;                    /* "{...}" text of the subsystem GUID; LocalAlloc'd */
PWCHAR pwDirectoryPath;           /* OrigPath + GUID + '\\'; from _CatAdminCreatePath */
PWCHAR pwDirectoryPath2;          /* same, under OrigPath2 */
int _20;
PVOID list1;                      /* list1..list3: the 12 bytes zeroed by LIST_Initialize(&list1) on a 32-bit build */
PVOID list2;
PVOID list3;
int _36;
CRITICAL_SECTION CriticalSection; /* initialized in AcquireContext; the visible code never deletes it */
int _64;                          /* also receives UseDefaultGUID */
int _68;                          /* set to 0 */
HANDLE hWakeEventHandle;          /* unnamed auto-reset event from CreateEvent */
HANDLE hCleanWaitObject;          /* wait handle from RegisterWaitForSingleObject (call commented out below) */
int _80;
int _84;
}CAT_CONTEXT,*PCAT_CONTEXT;
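/* Public entry point; forwards to the _Internal worker with arg == 0. */
BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags);
/* Builds the CAT_CONTEXT and the two catalog store directories. */
BOOL CryptCATAdminAcquireContext_Internal(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags,int arg);
/* Zeroes the three DWORDs at pBegin (a list header). */
VOID LIST_Initialize(PVOID pBegin);
/* Formats a GUID as "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"; pwguid needs 39 WCHARs. */
BOOL guid2wstr(GUID *guid,PWCHAR pwguid);
/* Joins OrigPath and pwGUID into a LocalAlloc'd path; caller frees. */
PWCHAR _CatAdminCreatePath(PWCHAR OrigPath,PWCHAR pwGUID,BOOL UseDefaultGUID);
/* Ensures pwDirectoryPath exists as a directory (leaf only). */
BOOL _CatAdminRecursiveCreateDirectory(PWCHAR pwDirectoryPath,LPSECURITY_ATTRIBUTES lpSecurityAttributes);
/* Cleanup callback registered on hWakeEventHandle in the original binary.
   (The stray second ';' that followed this prototype was an empty file-scope
   declaration, which ISO C does not allow.) */
VOID CALLBACK _CatAdminWaitOrTimerCallback(PVOID lpParameter,BOOLEAN TimerOrWaitFired);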
/* Public entry point.  The only thing it does is forward to the internal
   worker with the extra argument fixed at 0; phCatAdmin, pgSubsystem and
   dwFlags are passed through untouched and the worker's result is returned. */
BOOL CryptCATAdminAcquireContext(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags)
{
    const int InternalArg = 0;
    BOOL Acquired;

    Acquired = CryptCATAdminAcquireContext_Internal(phCatAdmin,pgSubsystem,dwFlags,InternalArg);
    return Acquired;
}
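/* Allocates a CAT_CONTEXT for the requested subsystem and makes sure both
   catalog store directories (OrigPath\{GUID}\ and OrigPath2\{GUID}\) exist.
   On success *phCatAdmin receives the context and TRUE is returned.  On
   failure FALSE is returned, *phCatAdmin is NULL, everything allocated so far
   is released and the Win32 last error is left for the caller.
   (The recovered code returned TRUE unconditionally and leaked the partially
   built context when a step failed; that is the defect fixed here.)

   phCatAdmin   - receives the new handle; must not be NULL.
   pgSubsystem  - subsystem GUID, or NULL to use DefaultGUID.
   dwFlags, arg - not consumed by the recovered body; kept for the ABI.

   NOTE(review): the store directories are created with NULL security
   attributes under the hard-coded OrigPath/OrigPath2 roots, so their ACL is
   whatever the parent at that path inherits to them. */
BOOL CryptCATAdminAcquireContext_Internal(HCATADMIN *phCatAdmin,GUID *pgSubsystem,DWORD dwFlags,int arg)
{
    /* Subsystem used when the caller does not name one. */
    GUID DefaultGUID = {0x127d0a1d,0x4ef2,0x11d1,{0x86,0x8,0x0,0xc0,0x4f,0xc2,0x95,0xee}};
    WCHAR wGUID[0x100];
    GUID *pGUIDToUse = &DefaultGUID;
    BOOL UseDefaultGUID = TRUE;
    PCAT_CONTEXT pCatContext = NULL;
    BOOL CsInitialized = FALSE;
    BOOL Succeeded = FALSE;

    (void)dwFlags;
    (void)arg;

    if(phCatAdmin == NULL)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    *phCatAdmin = NULL;

    if(pgSubsystem != NULL)
    {
        UseDefaultGUID = FALSE;
        pGUIDToUse = pgSubsystem;
    }
    if(!guid2wstr(pGUIDToUse,wGUID))
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    /* sizeof(*pCatContext) rather than the recovered 0x54: the declared layout
       ends one DWORD later (_84), and a shorter block would leave that field
       outside the allocation.  cbSize keeps the value the binary records. */
    pCatContext = (PCAT_CONTEXT)LocalAlloc(LMEM_ZEROINIT,sizeof(*pCatContext));
    if(pCatContext == NULL)
    {
        return FALSE;   /* LocalAlloc has already set the last error */
    }
    pCatContext->cbSize = 0x54;
    pCatContext->UseDefaultGUID = UseDefaultGUID;
    LIST_Initialize(&(pCatContext->list1));
    InitializeCriticalSection(&(pCatContext->CriticalSection));
    CsInitialized = TRUE;
    pCatContext->_64 = UseDefaultGUID;
    pCatContext->_68 = 0;

    pCatContext->pwGUID = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,(lstrlenW(wGUID) + 1) * sizeof(WCHAR));
    if(pCatContext->pwGUID == NULL)
    {
        goto Cleanup;
    }
    wcscpy(pCatContext->pwGUID,wGUID);

    /* The recovered code passes TRUE (append a trailing backslash) for both
       stores regardless of UseDefaultGUID; preserved as observed. */
    pCatContext->pwDirectoryPath = _CatAdminCreatePath(OrigPath,wGUID,TRUE);
    if(pCatContext->pwDirectoryPath == NULL)
    {
        goto Cleanup;
    }
    pCatContext->pwDirectoryPath2 = _CatAdminCreatePath(OrigPath2,wGUID,TRUE);
    if(pCatContext->pwDirectoryPath2 == NULL)
    {
        goto Cleanup;
    }

    if(!_CatAdminRecursiveCreateDirectory(pCatContext->pwDirectoryPath,NULL))
    {
        goto Cleanup;
    }
    if(!_CatAdminRecursiveCreateDirectory(pCatContext->pwDirectoryPath2,NULL))
    {
        goto Cleanup;
    }

    /* Unnamed, auto-reset, initially unsignaled. */
    pCatContext->hWakeEventHandle = CreateEvent(NULL,FALSE,FALSE,NULL);
    if(pCatContext->hWakeEventHandle == NULL)
    {
        goto Cleanup;
    }

    /* The original additionally registers _CatAdminWaitOrTimerCallback on
       hWakeEventHandle with RegisterWaitForSingleObject(&hCleanWaitObject, ...,
       INFINITE, WT_EXECUTEDEFAULT).  Not reproduced here (see the note at the
       end of the file); without it the context is never torn down on its own. */
    *phCatAdmin = (HCATADMIN)pCatContext;
    Succeeded = TRUE;

Cleanup:
    if(!Succeeded)
    {
        /* Release in reverse order of acquisition, keeping the failing call's error. */
        DWORD SavedError = GetLastError();
        if(pCatContext->hWakeEventHandle != NULL)
        {
            CloseHandle(pCatContext->hWakeEventHandle);
        }
        if(pCatContext->pwDirectoryPath2 != NULL)
        {
            LocalFree(pCatContext->pwDirectoryPath2);
        }
        if(pCatContext->pwDirectoryPath != NULL)
        {
            LocalFree(pCatContext->pwDirectoryPath);
        }
        if(pCatContext->pwGUID != NULL)
        {
            LocalFree(pCatContext->pwGUID);
        }
        if(CsInitialized)
        {
            DeleteCriticalSection(&(pCatContext->CriticalSection));
        }
        LocalFree(pCatContext);
        SetLastError(SavedError);
    }
    return Succeeded;
}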
/* Zeroes the three consecutive DWORDs starting at pBegin (12 bytes).  The only
   caller passes &pCatContext->list1, so on a 32-bit build this clears
   list1..list3.  pBegin must point at at least 12 writable bytes. */
VOID LIST_Initialize(PVOID pBegin)
{
    DWORD *slot = (DWORD *)pBegin;
    int i;

    for(i = 0;i < 3;i++)
    {
        slot[i] = 0;
    }
}
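/* Formats *guid as "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" (upper-case hex)
   into pwguid, NUL-terminated.  The byte order comes from the guidtowstr
   table; digits from UnicodeNumber.

   guid   - GUID to print; NULL is rejected.
   pwguid - output buffer of at least 39 WCHARs (1 + 36 + 1 + NUL); NULL is rejected.
   Returns TRUE on success, FALSE when either argument is NULL (the recovered
   code dereferenced both unconditionally and always returned TRUE). */
BOOL guid2wstr(GUID *guid,PWCHAR pwguid)
{
    const BYTE *raw;
    PWCHAR out;
    int i;

    if(guid == NULL || pwguid == NULL)
    {
        return FALSE;
    }

    raw = (const BYTE *)guid;
    out = pwguid;
    *out++ = L'{';
    for(i = 0;i < (int)(sizeof(guidtowstr) / sizeof(guidtowstr[0]));i++)
    {
        BYTE entry = guidtowstr[i];
        if(entry == (BYTE)'-')
        {
            *out++ = L'-';
        }
        else
        {
            /* entry is a byte offset (< 16) into the raw GUID; emit two hex digits */
            *out++ = UnicodeNumber[raw[entry] >> 4];
            *out++ = UnicodeNumber[raw[entry] & 0xf];
        }
    }
    *out++ = L'}';
    *out = 0;
    return TRUE;
}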
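/* Builds "<OrigPath>[\]<pwGUID>[\]" in a freshly LocalAlloc'd buffer.
   A separator is inserted only if OrigPath does not already end in one; the
   trailing backslash is appended when the third argument is TRUE (the
   parameter is named UseDefaultGUID, but that is all it controls — the caller
   passes TRUE for both stores).

   OrigPath, pwGUID - NUL-terminated inputs; NULL is rejected, an empty
                      OrigPath is accepted (the recovered code read OrigPath[-1]).
   Returns the path, which the caller releases with LocalFree, or NULL with the
   last error set on a bad argument or allocation failure. */
PWCHAR _CatAdminCreatePath(PWCHAR OrigPath,PWCHAR pwGUID,BOOL UseDefaultGUID)
{
    int BaseLength;
    int GuidLength;
    int Total;
    BOOL NeedsSeparator;
    PWCHAR pwFinalPath;

    if(OrigPath == NULL || pwGUID == NULL)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return NULL;
    }

    BaseLength = lstrlenW(OrigPath);
    GuidLength = lstrlenW(pwGUID);
    NeedsSeparator = (BaseLength > 0 && OrigPath[BaseLength - 1] != L'\\');

    /* base [+ '\\'] + guid [+ '\\'] + NUL, in WCHARs */
    Total = BaseLength + GuidLength + 1;
    if(NeedsSeparator)
    {
        Total += 1;
    }
    if(UseDefaultGUID)
    {
        Total += 1;
    }

    pwFinalPath = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,Total * sizeof(WCHAR));
    if(pwFinalPath == NULL)
    {
        return NULL;   /* LocalAlloc has already set the last error */
    }

    wcscpy(pwFinalPath,OrigPath);
    if(NeedsSeparator)
    {
        wcscat(pwFinalPath,Slash);
    }
    wcscat(pwFinalPath,pwGUID);
    if(UseDefaultGUID)
    {
        wcscat(pwFinalPath,Slash);
    }
    return pwFinalPath;
}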
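/* Makes sure pwDirectoryPath exists and is a directory.  A trailing backslash
   is stripped into a private copy and the call retried on that.  Despite the
   name only the leaf is created: if a parent is missing, CreateDirectoryW
   fails with ERROR_PATH_NOT_FOUND and that is reported as FALSE.

   pwDirectoryPath      - NUL-terminated path; NULL or empty is rejected.
   lpSecurityAttributes - passed straight to CreateDirectoryW (NULL = inherit).
   Returns TRUE when the path is a directory on return, FALSE otherwise with
   the last error set.  Fixes in this rewrite: the result was uninitialized
   when the path existed as a file or GetFileAttributesW failed for any other
   reason, CreateDirectoryW's result was ignored, and a concurrent creator
   (ERROR_ALREADY_EXISTS) was not handled.  The FILE_ATTRIBUTE_NORMAL call on a
   newly created directory is preserved as observed, best effort. */
BOOL _CatAdminRecursiveCreateDirectory(PWCHAR pwDirectoryPath,LPSECURITY_ATTRIBUTES lpSecurityAttributes)
{
    int Length;
    DWORD Attributes;
    DWORD Error;

    if(pwDirectoryPath == NULL || (Length = lstrlenW(pwDirectoryPath)) == 0)
    {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }

    if(pwDirectoryPath[Length - 1] == L'\\')
    {
        /* Copy without the trailing separator and recurse on the copy. */
        PWCHAR pwTrimmed = (PWCHAR)LocalAlloc(LMEM_ZEROINIT,Length * sizeof(WCHAR));
        BOOL Result;
        if(pwTrimmed == NULL)
        {
            return FALSE;
        }
        memcpy(pwTrimmed,pwDirectoryPath,(Length - 1) * sizeof(WCHAR));
        pwTrimmed[Length - 1] = 0;
        Result = _CatAdminRecursiveCreateDirectory(pwTrimmed,lpSecurityAttributes);
        Error = GetLastError();
        LocalFree(pwTrimmed);
        SetLastError(Error);
        return Result;
    }

    Attributes = GetFileAttributesW(pwDirectoryPath);
    if(Attributes != INVALID_FILE_ATTRIBUTES)
    {
        if(Attributes & FILE_ATTRIBUTE_DIRECTORY)
        {
            return TRUE;
        }
        /* Something else already occupies the name; it cannot serve as a store. */
        SetLastError(ERROR_DIRECTORY);
        return FALSE;
    }

    /* Only "does not exist" is worth a creation attempt; ERROR_ACCESS_DENIED
       and friends are propagated as they are. */
    Error = GetLastError();
    if(Error != ERROR_PATH_NOT_FOUND && Error != ERROR_FILE_NOT_FOUND)
    {
        return FALSE;
    }

    if(!CreateDirectoryW(pwDirectoryPath,lpSecurityAttributes))
    {
        /* Lost a race with another creator: accept only if a directory is there now. */
        if(GetLastError() != ERROR_ALREADY_EXISTS)
        {
            return FALSE;
        }
        Attributes = GetFileAttributesW(pwDirectoryPath);
        if(Attributes == INVALID_FILE_ATTRIBUTES || !(Attributes & FILE_ATTRIBUTE_DIRECTORY))
        {
            SetLastError(ERROR_DIRECTORY);
            return FALSE;
        }
        return TRUE;
    }

    SetFileAttributesW(pwDirectoryPath,FILE_ATTRIBUTE_NORMAL);
    return TRUE;
}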
/* Stand-in for the cleanup callback the original registers on
   hWakeEventHandle.  Intentionally does nothing in this reconstruction; the
   arguments are only referenced to keep unused-parameter warnings quiet. */
VOID CALLBACK _CatAdminWaitOrTimerCallback(PVOID lpParameter,BOOLEAN TimerOrWaitFired)
{
    (void)lpParameter;
    (void)TimerOrWaitFired;
}
最后那个注册的回调函数是用来清理释放资源的。由于我的 VC6 SDK 版本不够高,没有 RegisterWaitForSingleObject,所以也就没有把它还原成 C 代码。实际使用时,即使不加上这一部分,也可以成功验证,只是可能存在一些资源泄漏问题。