[Original] Analysis of a DEFCON challenge
Posted on: 2011-11-18 10:53
PS: This is my first time doing a DEFCON challenge; I'm not very familiar with how the American competitions think, so I don't know at which step the solution counts as the required result.
---------------------------------------------------------------------------------------------------
References:
[1] http://blog.csdn.net/yangbostar/article/details/6107169
[2] http://hi.baidu.com/coderui/blog/item/681df92bedfeb4ffe7cd4060.html
[3] http://fujiale.aau.cn/archiver/?tid-34.html
Environment: Win7 Ultimate
Tools: IDA & OD & UE
----------------------------------------------------------------------------------------------------
Fixing an error:
Memory read/write error at 0x7E4507EA; I suspected it was caused by the Chinese version of Windows. After googling, it turned out to be the address of MessageBoxA(), so I changed it to 0x7748EA71, saved and ran it, and it appears to display a slang saying (see the screenshot at the end of the article).
-----------------------------------------------Analysis------------------------------------------------
Behaviour collection: no DLL is dropped and there is no dual-process protection; several threads are created.
Code analysis:
------IDA static analysis------
Analysis of key functions:
sub_401220: first calls sub_401000 to get a DLL base address, then calls sub_401170 to get the entry addresses of several APIs. Combined with the OD debugging information, the DLLs are kernel32.dll and ntdll.dll.
sub_401000: calls sub_401060 to get the PEB, walks into PEB_LDR_DATA and calls sub_401070, which compares the dll name to find the wanted DLL and returns its base address.
sub_401170: locates the import table of the DLL image in memory, calls sub_4010f0 to compare the name, finds the wanted API and returns its address in memory.
sub_401930: the actual thread function
------OD dynamic analysis------
Program flow:
sub_401220 is called to get the API entries, then InitializeCriticalSectionAndSpinCount is used to get the debug information; after that there are four loop iterations, each creating a thread that runs sub_401930, and later an overflow occurs at 7762639f.
Analysis of the key function sub_401930:
----Anti-debugging----
00401AEC FFD1 CALL ECX ;
Hides the thread from the debugger: ZwSetInformationThread(GetCurrentThread(), ThreadHideFromDebugger, NULL, 0);
00401AF5 . 8B40 68 MOV EAX,DWORD PTR DS:[EAX+68] ;
NtGlobalFlag in the PEB: 0x70 when a debugger is present, 0 when there is none
00401E69 . FF15 00204000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl> ;
Calls CloseHandle on an invalid handle. If the process is not under a debugger, the function returns FALSE and GetLastError gives ERROR_INVALID_HANDLE; but if the process is under a debugger, the system raises exception C0000008H.
----Patching the anti-debugging code----
--1--
ZwSetInformationThread: left unpatched; a breakpoint is enough to debug past it.
--2--
NtGlobalFlag:
Change JNZ SHORT b500_333.00401AFF to JNZ SHORT b500_333.00401AFF
--3--
CloseHandle:
Change:
call CloseHandle
to:
pop eax
JMP ESI   (here the code logic is to execute the code at the SEH handler)
NOP
NOP
NOP
After this patch, running the program hit a stack overflow, so the stack is adjusted as well:
00401E7C . 90 NOP
00401E7D . 90 NOP
00401E7E . 90 NOP
00401E7F . 90 NOP
00401E80 . 90 NOP
00401E81 . 90 NOP
00401E82 . 90 NOP
After these patches the program can be debugged, but it sometimes "runs away", so breakpoints have to be set frequently.
Having got this far, I can roughly guess the intent of the challenge: probably to find the final required string by debugging?
Next comes the decryption analysis. The basic idea is decryption synchronised across threads plus decryption in segments, which creates a confusing effect; but as long as you can debug, everything else is just a matter of time~
----String decryption part----
--1--
00401C18 > /AC LODS BYTE PTR DS:[ESI]
00401C19 . |32C3 XOR AL,BL
00401C1B . |AA STOS BYTE PTR ES:[EDI]
00401C1C . |49 DEC ECX
00401C1D . |E3 02 JECXZ SHORT b500_333.00401C21
00401C1F .^\EB F7 JMP SHORT b500_333.00401C18
--2--
00401BB5 . FC CLD
00401BB6 . 8BB5 CCFCFFFF MOV ESI,DWORD PTR SS:[EBP-334]
00401BBC . 8BBD CCFCFFFF MOV EDI,DWORD PTR SS:[EBP-334]
00401BC2 . 8B9D D8FCFFFF MOV EBX,DWORD PTR SS:[EBP-328]
00401BC8 . B9 00020000 MOV ECX,200
00401BCD . AC LODS BYTE PTR DS:[ESI]
00401BCE . 32C3 XOR AL,BL
00401BD0 . AA STOS BYTE PTR ES:[EDI]
--3--
00401BD3 . FC CLD
00401BD4 . 8BB5 CCFCFFFF MOV ESI,DWORD PTR SS:[EBP-334]
00401BDA . 8BBD CCFCFFFF MOV EDI,DWORD PTR SS:[EBP-334]
00401BE0 . 8B9D D8FCFFFF MOV EBX,DWORD PTR SS:[EBP-328]
00401BE6 . B9 00020000 MOV ECX,200
00401BEB . AC LODS BYTE PTR DS:[ESI]
00401BEC . 32C3 XOR AL,BL
00401BEE . AA STOS BYTE PTR ES:[EDI]
--4--
sub_00401F10
--5--
003C0008 /EB 75 JMP SHORT 003C007F
003C000A |55 PUSH EBP
003C000B |8BEC MOV EBP,ESP
003C000D |83EC 20 SUB ESP,20
003C0010 |8B5D 04 MOV EBX,DWORD PTR SS:[EBP+4]
003C0013 |B9 08000000 MOV ECX,8
003C0018 |49 DEC ECX
003C0019 |FF348A PUSH DWORD PTR DS:[EDX+ECX*4]
003C001C |89048A MOV DWORD PTR DS:[EDX+ECX*4],EAX
003C001F |85C9 TEST ECX,ECX
003C0021 ^|77 F5 JA SHORT 003C0018
003C0023 |8BD4 MOV EDX,ESP
003C0025 |8D73 08 LEA ESI,DWORD PTR DS:[EBX+8]
003C0028 |8D7B 08 LEA EDI,DWORD PTR DS:[EBX+8]
003C002B |FC CLD
003C002C |B9 C0030000 MOV ECX,3C0
003C0031 |33DB XOR EBX,EBX
003C0033 |66:AD LODS WORD PTR DS:[ESI]
003C0035 |66:33C1 XOR AX,CX
003C0038 |66:33045A XOR AX,WORD PTR DS:[EDX+EBX*2]
003C003C |66:AB STOS WORD PTR ES:[EDI]
003C003E |49 DEC ECX
003C003F |85C9 TEST ECX,ECX
003C0041 |74 0A JE SHORT 003C004D
003C0043 |43 INC EBX
003C0044 |83FB 10 CMP EBX,10
003C0047 ^|72 EA JB SHORT 003C0033
003C0049 |33DB XOR EBX,EBX
003C004B ^|EB E6 JMP SHORT 003C0033
003C004D |0F31 RDTSC
003C004F |8BD1 MOV EDX,ECX
003C0051 |BB 14000000 MOV EBX,14
003C0056 |F7F3 DIV EBX
003C0058 |8BC2 MOV EAX,EDX
003C005A |BB 60000000 MOV EBX,60
003C005F |F7E3 MUL EBX
003C0061 |8B5D 04 MOV EBX,DWORD PTR SS:[EBP+4]
003C0064 |8D5403 08 LEA EDX,DWORD PTR DS:[EBX+EAX+8]
003C0068 |33C0 XOR EAX,EAX
003C006A |50 PUSH EAX
003C006B |68 4D4F5444 PUSH 44544F4D
003C0070 |8BF4 MOV ESI,ESP
003C0072 |50 PUSH EAX
003C0073 |56 PUSH ESI
003C0074 |52 PUSH EDX
003C0075 |50 PUSH EAX
003C0076 |FF13 CALL DWORD PTR DS:[EBX] MessageboxA
003C0078 |83C4 04 ADD ESP,4
003C007B |50 PUSH EAX
003C007C |FF53 04 CALL DWORD PTR DS:[EBX+4]
003C007F \E8 86FFFFFF CALL 003C000A
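To make the decryptor in block 5 concrete, here is an added Python reimplementation (not part of the original post or of the challenge binary) of the word loop at 003C0033 and the RDTSC-based message selection at 003C004D. The 16-word key (in the binary it is the 8 dwords pushed onto the stack at 003C0018, whose values the listing does not show), the three sample messages and the tsc values are constructed test data.

```python
import struct

WORD_COUNT = 0x3C0   # MOV ECX,3C0: 16-bit words processed by the loop
SLOT_SIZE = 0x60     # MOV EBX,60: byte stride between consecutive messages
SLOT_COUNT = 0x14    # MOV EBX,14: RDTSC low dword is reduced modulo 20
KEY_WORDS = 0x10     # CMP EBX,10: key index wraps back to 0 after 16 words

def xor_words(buf: bytes, key: list) -> bytes:
    """Loop at 003C0033: LODSW; XOR AX,CX; XOR AX,[EDX+EBX*2]; STOSW with CX
    counting down from 0x3C0 and EBX cycling 0..15. XOR is its own inverse."""
    assert len(buf) == 2 * WORD_COUNT and len(key) == KEY_WORDS
    out, ebx = bytearray(), 0
    for i in range(WORD_COUNT):
        ecx = WORD_COUNT - i                          # CX before DEC ECX
        (w,) = struct.unpack_from("<H", buf, 2 * i)   # LODS WORD
        w ^= ecx & 0xFFFF                             # XOR AX,CX
        w ^= key[ebx] & 0xFFFF                        # XOR AX,[EDX+EBX*2]
        out += struct.pack("<H", w)                   # STOS WORD
        ebx = (ebx + 1) % KEY_WORDS                   # INC EBX / CMP EBX,10
    return bytes(out)

def pick_message(plain: bytes, tsc_low: int) -> str:
    """Selection at 003C004D: EDX = tsc_low % 0x14; EAX = EDX * 0x60;
    text = base + 8 + EAX (the +8 skips the two API pointers at base)."""
    off = (tsc_low % SLOT_COUNT) * SLOT_SIZE
    return plain[off:plain.index(b"\0", off)].decode()

# Constructed test data (not from the binary): three messages seen in the
# dump, laid out in 0x60-byte slots, and a made-up 16-word key.
MESSAGES = [
    "In the beginner's mind there are many possibilities, "
    "but in the expert's mind there are few.",
    "No snowflake ever falls in the wrong place.",
    "The obstacle is the path.",
]
KEY = [(0x1234 + 0x111 * i) & 0xFFFF for i in range(KEY_WORDS)]

def build_plain() -> bytes:
    buf = bytearray(2 * WORD_COUNT)
    for i, m in enumerate(MESSAGES):
        buf[i * SLOT_SIZE:i * SLOT_SIZE + len(m)] = m.encode()
    return bytes(buf)

PLAIN = build_plain()
CIPHER = xor_words(PLAIN, KEY)   # what the thread holds before decrypting

def decrypt_and_pick(tsc_low: int) -> str:
    return pick_message(xor_words(CIPHER, KEY), tsc_low)

if __name__ == "__main__":
    for tsc in (0, 1, 0x16):     # 0x16 % 0x14 == 2 -> third message
        print(hex(tsc), "->", decrypt_and_pick(tsc))
```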
-----------------------------------------------Results------------------------------------------------
The strings that appear are as follows:
001F0080 49 6E 20 74 t
001F0090 68 65 20 62 65 67 69 6E 6E 65 72 27 73 20 6D 69 he beginner's mi
001F00A0 6E 64 20 74 68 65 72 65 20 61 72 65 20 6D 61 6E nd there are man
001F00B0 79 20 70 6F 73 73 69 62 69 6C 69 74 69 65 73 2C y possibilities,
001F00C0 20 62 75 74 20 69 6E 20 74 68 65 20 65 78 70 65 but in the expe
001F00D0 72 74 27 73 20 6D 69 6E 64 20 74 68 65 72 65 20 rt's mind there
001F00E0 61 72 65 20 66 65 77 2E 00 00 00 00 4E 6F 20 73 are few.....No s
001F00F0 6E 6F 77 66 6C 61 6B 65 20 65 76 65 72 20 66 61 nowflake ever fa
001F0100 6C 6C 73 20 69 6E 20 74 68 65 20 77 72 6F 6E 67 lls in the wrong
001F0110 20 70 6C 61 63 65 2E 00 00 00 00 00 00 00 00 00 place..........
001F0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0140 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20 ............The
001F0150 6F 62 73 74 61 63 6C 65 20 69 73 20 74 68 65 20 obstacle is the
001F0160 70 61 74 68 2E 00 00 00 00 00 00 00 00 00 00 00 path............
001F0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F01A0 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20 ............The
001F01B0 74 69 67 68 74 65 72 20 79 6F 75 20 73 71 75 65 tighter you sque
001F01C0 65 7A 65 2C 20 74 68 65 20 6C 65 73 73 20 79 6F eze, the less yo
001F01D0 75 20 68 61 76 65 2E 00 00 00 00 00 00 00 00 00 u have..........
001F01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0200 00 00 00 00 00 00 00 00 00 00 00 00 54 6F 20 6B ............To k
001F0210 6E 6F 77 20 61 6E 64 20 6E 6F 74 20 64 6F 20 69 now and not do i
001F0220 73 20 6E 6F 74 20 79 65 74 20 74 6F 20 6B 6E 6F s not yet to kno
001F0230 77 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 w...............
001F0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0260 00 00 00 00 00 00 00 00 00 00 00 00 57 68 65 6E ............When
001F0270 20 74 68 65 20 70 75 70 69 6C 20 69 73 20 72 65 the pupil is re
001F0280 61 64 79 20 74 6F 20 6C 65 61 72 6E 2C 20 61 20 ady to learn, a
001F0290 74 65 61 63 68 65 72 20 77 69 6C 6C 20 61 70 70 teacher will app
001F02A0 65 61 72 2E 00 00 00 00 00 00 00 00 00 00 00 00 ear.............
001F02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F02C0 00 00 00 00 00 00 00 00 00 00 00 00 41 6C 77 61 ............Alwa
001F02D0 79 73 20 72 65 6D 65 6D 62 65 72 20 74 68 61 74 ys remember that
001F02E0 20 79 6F 75 27 72 65 20 75 6E 69 71 75 65 2E 20 you're unique.
001F02F0 4A 75 73 74 20 6C 69 6B 65 20 65 76 65 72 79 6F Just like everyo
001F0300 6E 65 20 65 6C 73 65 2E 00 00 00 00 00 00 00 00 ne else.........
001F0310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0320 00 00 00 00 00 00 00 00 00 00 00 00 4E 65 76 65 ............Neve
001F0330 72 20 74 65 73 74 20 74 68 65 20 64 65 70 74 68 r test the depth
001F0340 73 20 6F 66 20 74 68 65 20 77 61 74 65 72 20 77 s of the water w
001F0350 69 74 68 20 62 6F 74 68 20 66 65 65 74 2E 00 00 ith both feet...
001F0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0380 00 00 00 00 00 00 00 00 00 00 00 00 49 66 20 79 ............If y
001F0390 6F 75 20 74 68 69 6E 6B 20 6E 6F 62 6F 64 79 20 ou think nobody
001F03A0 63 61 72 65 73 20 69 66 20 79 6F 75 27 72 65 20 cares if you're
001F03B0 61 6C 69 76 65 2C 20 74 72 79 20 6D 69 73 73 69 alive, try missi
001F03C0 6E 67 20 61 20 63 6F 75 70 6C 65 20 6F 66 20 63 ng a couple of c
001F03D0 61 72 20 70 61 79 6D 65 6E 74 73 2E 00 00 00 00 ar payments.....
001F03E0 00 00 00 00 00 00 00 00 00 00 00 00 49 66 20 61 ............If a
001F03F0 74 20 66 69 72 73 74 20 79 6F 75 20 64 6F 6E 27 t first you don'
001F0400 74 20 73 75 63 63 65 65 64 2C 20 73 6B 79 64 69 t succeed, skydi
001F0410 76 69 6E 67 20 69 73 20 6E 6F 74 20 66 6F 72 20 ving is not for
001F0420 79 6F 75 2E 00 00 00 00 00 00 00 00 00 00 00 00 you.............
001F0430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0440 00 00 00 00 00 00 00 00 00 00 00 00 49 66 20 79 ............If y
001F0450 6F 75 20 6C 65 6E 64 20 73 6F 6D 65 6F 6E 65 20 ou lend someone
001F0460 24 32 30 20 61 6E 64 20 6E 65 76 65 72 20 73 65 $20 and never se
001F0470 65 20 74 68 61 74 20 70 65 72 73 6F 6E 20 61 67 e that person ag
001F0480 61 69 6E 2C 20 69 74 20 77 61 73 20 70 72 6F 62 ain, it was prob
001F0490 61 62 6C 79 20 77 6F 72 74 68 20 69 74 2E 00 00 ably worth it...
001F04A0 00 00 00 00 00 00 00 00 00 00 00 00 49 66 20 79 ............If y
001F04B0 6F 75 20 74 65 6C 6C 20 74 68 65 20 74 72 75 74 ou tell the trut
001F04C0 68 2C 20 79 6F 75 20 64 6F 6E 27 74 20 68 61 76 h, you don't hav
001F04D0 65 20 74 6F 20 72 65 6D 65 6D 62 65 72 20 61 6E e to remember an
001F04E0 79 74 68 69 6E 67 2E 00 00 00 00 00 00 00 00 00 ything..........
001F04F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0500 00 00 00 00 00 00 00 00 00 00 00 00 53 6F 6D 65 ............Some
001F0510 20 64 61 79 73 20 79 6F 75 27 72 65 20 74 68 65 days you're the
001F0520 20 62 75 67 2C 20 73 6F 6D 65 20 64 61 79 73 20 bug, some days
001F0530 79 6F 75 27 72 65 20 74 68 65 20 77 69 6E 64 73 you're the winds
001F0540 68 69 65 6C 64 2E 00 00 00 00 00 00 00 00 00 00 hield...........
001F0550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0560 00 00 00 00 00 00 00 00 00 00 00 00 45 76 65 72 ............Ever
001F0570 79 6F 6E 65 20 73 65 65 6D 73 20 6E 6F 72 6D 61 yone seems norma
001F0580 6C 20 75 6E 74 69 6C 20 79 6F 75 20 67 65 74 20 l until you get
001F0590 74 6F 20 6B 6E 6F 77 20 74 68 65 6D 2E 00 00 00 to know them....
001F05A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F05B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F05C0 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 20 ............The
001F05D0 71 75 69 63 6B 65 73 74 20 77 61 79 20 74 6F 20 quickest way to
001F05E0 64 6F 75 62 6C 65 20 79 6F 75 72 20 6D 6F 6E 65 double your mone
001F05F0 79 20 69 73 20 74 6F 20 66 6F 6C 64 20 69 74 20 y is to fold it
001F0600 69 6E 20 68 61 6C 66 20 61 6E 64 20 70 75 74 20 in half and put
001F0610 69 74 20 62 61 63 6B 20 69 6E 20 79 6F 75 72 20 it back in your
001F0620 70 6F 63 6B 65 74 2E 00 00 00 00 00 41 20 63 6C pocket......A cl
001F0630 6F 73 65 64 20 6D 6F 75 74 68 20 67 61 74 68 65 osed mouth gathe
001F0640 72 73 20 6E 6F 20 66 6F 6F 74 2E 00 00 00 00 00 rs no foot......
001F0650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0680 00 00 00 00 00 00 00 00 00 00 00 00 54 68 65 72 ............Ther
001F0690 65 20 61 72 65 20 74 77 6F 20 74 68 65 6F 72 69 e are two theori
001F06A0 65 73 20 74 6F 20 61 72 67 75 69 6E 67 20 77 69 es to arguing wi
001F06B0 74 68 20 77 6F 6D 65 6E 2E 20 4E 65 69 74 68 65 th women. Neithe
001F06C0 72 20 6F 6E 65 20 77 6F 72 6B 73 2E 00 00 00 00 r one works.....
001F06D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F06E0 00 00 00 00 00 00 00 00 00 00 00 00 47 65 6E 65 ............Gene
001F06F0 72 61 6C 6C 79 20 73 70 65 61 6B 69 6E 67 2C 20 rally speaking,
001F0700 79 6F 75 20 61 72 65 6E 27 74 20 6C 65 61 72 6E you aren't learn
001F0710 69 6E 67 20 6D 75 63 68 20 77 68 65 6E 20 79 6F ing much when yo
001F0720 75 72 20 6C 69 70 73 20 61 72 65 20 6D 6F 76 69 ur lips are movi
001F0730 6E 67 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 ng..............
001F0740 00 00 00 00 00 00 00 00 00 00 00 00 4E 65 76 65 ............Neve
001F0750 72 20 6D 69 73 73 20 61 20 67 6F 6F 64 20 63 68 r miss a good ch
001F0760 61 6E 63 65 20 74 6F 20 73 68 75 74 20 75 70 2E ance to shut up.
001F0770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F07A0 00 00 00 00 00 00 00 00 00 00 00 00 54 68 6F 73 ............Thos
001F07B0 65 20 77 68 6F 20 6B 6E 6F 77 20 64 6F 6E 27 74 e who know don't
001F07C0 20 74 65 6C 6C 20 61 6E 64 20 74 68 6F 73 65 20 tell and those
001F07D0 77 68 6F 20 74 65 6C 6C 20 64 6F 6E 27 74 20 6B who tell don't k
001F07E0 6E 6F 77 2E 00 00 00 00 00 00 00 00 00 00 00 00 now.............
001F07F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
001F0800 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................