[原创]看雪CTF2016第二十六题分析-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]看雪CTF2016第二十六题分析

2016-12-24 09:44 3183

[原创]看雪CTF2016第二十六题分析

hotsauce

2016-12-24 09:44

3183

该提主要的验证过程如下
CrackMe.exe创建Broiler.exe进程，并将自身作为其调试器，将SN（变换后）数据和执行代码写入Broiler.exe，并使其执行写入代码对SN（变换后）进行计算，最后将计算结果取回进行验证。
CrackMe.exe中主要函数如下：
call 00401D40-创建Broiler.exe进程，并将自身作为其调试器，接管各类异常进行处理；
call 00101060-对输入SN进行变换，变换后数据结果长度21B
call 004010D0-打开Broiler.exe进程，挂起线程，远程写入SN变换数据和执行代码（0x3A0000-SN变换结果（21B），0x3B0000-执行代码），修改线程上下文中的EIP，恢复线程使其跳转到0x3B0000中开始执行
call 00401F20-调试Broiler.exe的消息处理循环，Case 80000003为int3中断消息
call 00401FA0-int3消息处理函数，2个功能：修改Broiler.exe线程中的一处代码（将0xCCC6修改为0x902A）、取回线程计算结果并对结果进行验证
Broiler.exe中主要函数及数据如下：
0x3A0000-CrackMe.exe写入的SN（变换后）数据，长度21B
0x3B0000-CrackMe.exe写入的执行代码，主要完成对0x3A0000的21B数据的一个置换处理，其中有2处int3，第1处需要CrackMe.exe进行一次代码修改，第2处由CrackMe.exe将处理结果取回

下面是上述主要函数的具体解析：
Cracme.exe
call 00401D40-创建Broiler.exe进程，并将自身作为其调试器
00401D40  /$  81EC 84030000 sub     esp, 384
00401D46  |.  53            push    ebx
00401D47  |.  55            push    ebp
00401D48  |.  56            push    esi
00401D49  |.  8BD9          mov     ebx, ecx
00401D4B  |.  57            push    edi
00401D4C  |.  B9 B2000000   mov     ecx, 0B2
00401D51  |.  33C0          xor     eax, eax
00401D53  |.  8DBC24 CC0000>lea     edi, dword ptr [esp+CC]
00401D5A  |.  C78424 C80000>mov     dword ptr [esp+C8], 0
00401D65  |.  8D9424 840000>lea     edx, dword ptr [esp+84]
00401D6C  |.  F3:AB         rep     stos dword ptr es:[edi]
00401D6E  |.  B9 11000000   mov     ecx, 11
00401D73  |.  8DBC24 840000>lea     edi, dword ptr [esp+84]
00401D7A  |.  F3:AB         rep     stos dword ptr es:[edi]
00401D7C  |.  894424 10     mov     dword ptr [esp+10], eax
00401D80  |.  B9 18000000   mov     ecx, 18
00401D85  |.  894424 14     mov     dword ptr [esp+14], eax
00401D89  |.  8D7C24 24     lea     edi, dword ptr [esp+24]
00401D8D  |.  894424 18     mov     dword ptr [esp+18], eax
00401D91  |.  C78424 840000>mov     dword ptr [esp+84], 44
00401D9C  |.  F3:AB         rep     stos dword ptr es:[edi]
00401D9E  |.  8D4C24 10     lea     ecx, dword ptr [esp+10]
00401DA2  |.  894424 1C     mov     dword ptr [esp+1C], eax
00401DA6  |.  51            push    ecx                                             ; /pProcessInfo
00401DA7  |.  52            push    edx                                             ; |pStartupInfo
00401DA8  |.  50            push    eax                                             ; |CurrentDir => NULL
00401DA9  |.  50            push    eax                                             ; |pEnvironment => NULL
00401DAA  |.  6A 00         push    2                                               ; |CreationFlags = 2
00401DAC  |.  50            push    eax                                             ; |InheritHandles => FALSE
00401DAD  |.  50            push    eax                                             ; |pThreadSecurity => NULL
00401DAE  |.  50            push    eax                                             ; |pProcessSecurity => NULL
00401DAF  |.  50            push    eax                                             ; |CommandLine => NULL
00401DB0  |.  8B8424 BC0300>mov     eax, dword ptr [esp+3BC]                        ; |
00401DB7  |.  50            push    eax                                             ; |ModuleFileName
00401DB8  |.  FF15 48904000 call    dword ptr [<&KERNEL32.CreateProcessA>]          ; \CreateProcessA

call 00401F20-调试Broiler.exe的消息处理循环，Case 80000003为int3中断消息，call 00401FA0为消息处理函数
00401F20  /$  8B5424 10     mov     edx, dword ptr [esp+10]                         ;
00401F24  |.  56            push    esi
00401F25  |.  B8 01000180   mov     eax, 80010001
00401F2A  |.  8B72 0C       mov     esi, dword ptr [edx+C]
00401F2D  |.  81FE 03000080 cmp     esi, 80000003                                   ;  Switch (cases 80000003..C0000005)
00401F33  |.  74 42         je      short 00401F77
00401F35  |.  81FE 04000080 cmp     esi, 80000004
00401F3B  |.  74 21         je      short 00401F5E
00401F3D  |.  81FE 050000C0 cmp     esi, C0000005
00401F43  |.  75 47         jnz     short 00401F8C
00401F45  |.  8B4424 10     mov     eax, dword ptr [esp+10]                         ;  Case C0000005 (ACCESS VIOLATION) of switch 00401F2D
00401F49  |.  52            push    edx
00401F4A  |.  8B5424 10     mov     edx, dword ptr [esp+10]
00401F4E  |.  50            push    eax
00401F4F  |.  8B4424 10     mov     eax, dword ptr [esp+10]
00401F53  |.  52            push    edx
00401F54  |.  50            push    eax
00401F55  |.  E8 B6010000   call    00402110
00401F5A  |.  5E            pop     esi
00401F5B  |.  C2 1000       retn    10
00401F5E  |>  8B4424 0C     mov     eax, dword ptr [esp+C]                          ;  Case 80000004 (SINGLE STEP) of switch 00401F2D
00401F62  |.  52            push    edx
00401F63  |.  8B5424 14     mov     edx, dword ptr [esp+14]
00401F67  |.  52            push    edx
00401F68  |.  8B5424 10     mov     edx, dword ptr [esp+10]
00401F6C  |.  50            push    eax
00401F6D  |.  52            push    edx
00401F6E  |.  E8 9D010000   call    00402110
00401F73  |.  5E            pop     esi
00401F74  |.  C2 1000       retn    10
00401F77  |>  8B4424 10     mov     eax, dword ptr [esp+10]                         ;  Case 80000003 (BREAKPOINT) of switch 00401F2D
00401F7B  |.  52            push    edx
00401F7C  |.  8B5424 10     mov     edx, dword ptr [esp+10]
00401F80  |.  50            push    eax
00401F81  |.  8B4424 10     mov     eax, dword ptr [esp+10]
00401F85  |.  52            push    edx
00401F86  |.  50            push    eax
00401F87  |.  E8 14000000   call    00401FA0                                        ;  int3处理函数
00401F8C  |>  5E            pop     esi                                             ;  Default case of switch 00401F2D
00401F8D  \.  C2 1000       retn    10

call 00101060-对输入SN进行变换，变换后数据长度0x15=21B
00401060  /$  53            push    ebx                                             ;  对输入SN进行变换，产生0x15B的数据，后续该数据会远程写入Broiler.exe进程缓存中
00401061  |.  56            push    esi
00401062  |.  57            push    edi
00401063  |.  8B7C24 10     mov     edi, dword ptr [esp+10]
00401067  |.  33D2          xor     edx, edx
00401069  |.  0FBE37        movsx   esi, byte ptr [edi]
0040106C  |>  8A0F          /mov     cl, byte ptr [edi]
0040106E  |.  8BC6          |mov     eax, esi
00401070  |.  C1F8 08       |sar     eax, 8
00401073  |.  C0F9 02       |sar     cl, 2
00401076  |.  32C1          |xor     al, cl
00401078  |.  88043A        |mov     byte ptr [edx+edi], al
0040107B  |.  25 FF000000   |and     eax, 0FF
00401080  |.  03C6          |add     eax, esi
00401082  |.  8D0CC0        |lea     ecx, dword ptr [eax+eax*8]
00401085  |.  8D0C48        |lea     ecx, dword ptr [eax+ecx*2]
00401088  |.  8D0C49        |lea     ecx, dword ptr [ecx+ecx*2]
0040108B  |.  C1E1 04       |shl     ecx, 4
0040108E  |.  03C8          |add     ecx, eax
00401090  |.  8BC6          |mov     eax, esi
00401092  |.  C1F8 02       |sar     eax, 2
00401095  |.  8D1C49        |lea     ebx, dword ptr [ecx+ecx*2]
00401098  |.  8BC8          |mov     ecx, eax
0040109A  |.  C1E1 05       |shl     ecx, 5
0040109D  |.  2BC8          |sub     ecx, eax
0040109F  |.  8D0C49        |lea     ecx, dword ptr [ecx+ecx*2]
004010A2  |.  8D0C88        |lea     ecx, dword ptr [eax+ecx*4]
004010A5  |.  8D0C49        |lea     ecx, dword ptr [ecx+ecx*2]
004010A8  |.  8D0448        |lea     eax, dword ptr [eax+ecx*2]
004010AB  |.  C1E0 02       |shl     eax, 2
004010AE  |.  8D3458        |lea     esi, dword ptr [eax+ebx*2]
004010B1  |.  8A1C3A        |mov     bl, byte ptr [edx+edi]
004010B4  |.  80F3 41       |xor     bl, 41
004010B7  |.  881C3A        |mov     byte ptr [edx+edi], bl
004010BA  |.  42            |inc     edx
004010BB  |.  83FA 15       |cmp     edx, 15
004010BE  |.^ 7C AC         \jl      short 0040106C
004010C0  |.  5F            pop     edi
004010C1  |.  5E            pop     esi
004010C2  |.  33C0          xor     eax, eax
004010C4  |.  5B            pop     ebx
004010C5  \.  C3            retn

call 004010D0-打开Broiler.exe进程，挂起线程，写入数据（0x3A0000-SN变换数据，0x3B0000-执行代码），修改线程上下文中的EIP，恢复线程使得跳转到0x3B0000中开始执行
004010D0   $  81EC 50050000 sub     esp, 550                                        ;
004010D6   .  53            push    ebx
004010D7   .  55            push    ebp
004010D8   .  56            push    esi
004010D9   .  33DB          xor     ebx, ebx
004010DB   .  57            push    edi
004010DC   .  53            push    ebx                                             ; /ProcessID => 0
004010DD   .  6A 02         push    2                                               ; |Flags = TH32CS_SNAPPROCESS
004010DF   .  33ED          xor     ebp, ebp                                        ; |
004010E1   .  899C24 500100>mov     dword ptr [esp+150], ebx                        ; |
004010E8   .  C78424 740100>mov     dword ptr [esp+174], 128                        ; |
004010F3   .  E8 40100000   call    <jmp.&KERNEL32.CreateToolhelp32Snapshot>        ; \CreateToolhelp32Snapshot
004010F8   .  8BF8          mov     edi, eax
004010FA   .  83FF FF       cmp     edi, -1
004010FD   .  75 0D         jnz     short 0040110C
004010FF   .  5F            pop     edi
00401100   .  5E            pop     esi
00401101   .  5D            pop     ebp
00401102   .  0BC0          or      eax, eax
00401104   .  5B            pop     ebx
00401105   .  81C4 50050000 add     esp, 550
0040110B   .  C3            retn
0040110C   >  8D8424 6C0100>lea     eax, dword ptr [esp+16C]
00401113   .  50            push    eax                                             ; /lppe
00401114   .  57            push    edi                                             ; |hSnapshot
00401115   .  E8 18100000   call    <jmp.&KERNEL32.Process32First>                  ; \Process32First
0040111A   .  85C0          test    eax, eax
0040111C   .  74 54         je      short 00401172
0040111E   >  BE 4CA04000   mov     esi, 0040A04C                                   ;  ASCII "Broiler.exe"
00401123   .  8D8424 900100>lea     eax, dword ptr [esp+190]
0040112A   >  8A10          mov     dl, byte ptr [eax]
0040112C   .  8ACA          mov     cl, dl
0040112E   .  3A16          cmp     dl, byte ptr [esi]
00401130   .  75 1C         jnz     short 0040114E
00401132   .  84C9          test    cl, cl
00401134   .  74 14         je      short 0040114A
00401136   .  8A50 01       mov     dl, byte ptr [eax+1]
00401139   .  8ACA          mov     cl, dl
0040113B   .  3A56 01       cmp     dl, byte ptr [esi+1]
0040113E   .  75 0E         jnz     short 0040114E
00401140   .  83C0 02       add     eax, 2
00401143   .  83C6 02       add     esi, 2
00401146   .  84C9          test    cl, cl
00401148   .^ 75 E0         jnz     short 0040112A
0040114A   >  33C0          xor     eax, eax
0040114C   .  EB 05         jmp     short 00401153
0040114E   >  1BC0          sbb     eax, eax
00401150   .  83D8 FF       sbb     eax, -1
00401153   >  85C0          test    eax, eax
00401155   .  74 14         je      short 0040116B
00401157   .  8D8424 6C0100>lea     eax, dword ptr [esp+16C]
0040115E   .  50            push    eax                                             ; /lppe
0040115F   .  57            push    edi                                             ; |hSnapshot
00401160   .  E8 C70F0000   call    <jmp.&KERNEL32.Process32Next>                   ; \Process32Next
00401165   .  85C0          test    eax, eax
00401167   .^ 75 B5         jnz     short 0040111E
00401169   .  EB 07         jmp     short 00401172
0040116B   >  8BAC24 740100>mov     ebp, dword ptr [esp+174]
00401172   >  57            push    edi                                             ; /hObject
00401173   .  FF15 28904000 call    dword ptr [<&KERNEL32.CloseHandle>]             ; \CloseHandle
00401179   .  85ED          test    ebp, ebp
0040117B   .  EB 15         jmp     short 00401192
0040117D   .  55            push    ebp                                             ; /Style
0040117E   .  68 40A04000   push    0040A040                                        ; |Title = ""D7,"",A2,"入失",B0,"?
00401183   .  55            push    ebp                                             ; |Text
00401184   .  55            push    ebp                                             ; |hOwner
00401185   .  FF15 1C914000 call    dword ptr [<&USER32.MessageBoxA>]               ; \MessageBoxA
0040118B   .  6A 01         push    1
0040118D   .  E8 87100000   call    00402219
00401192   >  33C0          xor     eax, eax
00401194   .  B9 06000000   mov     ecx, 6
00401199   .  8DBC24 540100>lea     edi, dword ptr [esp+154]
004011A0   .  C78424 500100>mov     dword ptr [esp+150], 1C
004011AB   .  50            push    eax                                             ; /ProcessID => 0
004011AC   .  6A 04         push    4                                               ; |Flags = TH32CS_SNAPTHREAD
004011AE   .  F3:AB         rep     stos dword ptr es:[edi]                         ; |
004011B0   .  E8 830F0000   call    <jmp.&KERNEL32.CreateToolhelp32Snapshot>        ; \CreateToolhelp32Snapshot
004011B5   .  8D8C24 500100>lea     ecx, dword ptr [esp+150]
004011BC   .  8BF0          mov     esi, eax
004011BE   .  51            push    ecx                                             ; /pThreadentry
004011BF   .  56            push    esi                                             ; |hSnapshot
004011C0   .  E8 610F0000   call    <jmp.&KERNEL32.Thread32First>                   ; \Thread32First
004011C5   .  85C0          test    eax, eax
004011C7   .  74 46         je      short 0040120F
004011C9   .  3BAC24 5C0100>cmp     ebp, dword ptr [esp+15C]
004011D0   .  74 1B         je      short 004011ED
004011D2   >  8D9424 500100>lea     edx, dword ptr [esp+150]
004011D9   .  52            push    edx                                             ; /pThreadentry
004011DA   .  56            push    esi                                             ; |hSnapshot
004011DB   .  E8 400F0000   call    <jmp.&KERNEL32.Thread32Next>                    ; \Thread32Next
004011E0   .  85C0          test    eax, eax
004011E2   .  74 2B         je      short 0040120F
004011E4   .  3BAC24 5C0100>cmp     ebp, dword ptr [esp+15C]
004011EB   .^ 75 E5         jnz     short 004011D2
004011ED   >  8B8424 580100>mov     eax, dword ptr [esp+158]                        ;  获取Broiler.exe进程的线程ID
004011F4   .  85C0          test    eax, eax
004011F6   .  74 17         je      short 0040120F
004011F8   .  50            push    eax                                             ; /dwThreadId
004011F9   .  6A 00         push    0                                               ; |bInheritHandle = FALSE
004011FB   .  68 FF031F00   push    1F03FF                                          ; |dwDesiredAccess = 1F03FF (2032639.)
00401200   .  FF15 1C904000 call    dword ptr [<&KERNEL32.OpenThread>]              ; \打开Broiler.exe的线程
00401206   .  898424 480100>mov     dword ptr [esp+148], eax
0040120D   .  8BD8          mov     ebx, eax
0040120F   >  53            push    ebx                                             ; /hThread
00401210   .  FF15 18904000 call    dword ptr [<&KERNEL32.SuspendThread>]           ; \挂起线程
00401216   .  B9 B2000000   mov     ecx, 0B2
0040121B   .  33C0          xor     eax, eax
0040121D   .  8DBC24 980200>lea     edi, dword ptr [esp+298]
00401224   .  F3:AB         rep     stos dword ptr es:[edi]
00401226   .  8D8424 940200>lea     eax, dword ptr [esp+294]
0040122D   .  C78424 940200>mov     dword ptr [esp+294], 10001
00401238   .  50            push    eax                                             ; /pContext
00401239   .  53            push    ebx                                             ; |hThread
0040123A   .  FF15 14904000 call    dword ptr [<&KERNEL32.GetThreadContext>]        ; \获取线程上下文，并保存
00401240   .  8B8C24 4C0300>mov     ecx, dword ptr [esp+34C]
00401247   .  55            push    ebp                                             ; /ProcessId
00401248   .  6A 01         push    1                                               ; |Inheritable = TRUE
0040124A   .  68 FF0F1F00   push    1F0FFF                                          ; |Access = PROCESS_ALL_ACCESS
0040124F   .  890D 70CA4000 mov     dword ptr [40CA70], ecx                         ; |
00401255   .  FF15 10904000 call    dword ptr [<&KERNEL32.OpenProcess>]             ; \打开Broiler.exe进程
0040125B   .  8BF0          mov     esi, eax
0040125D   .  85F6          test    esi, esi
0040125F   .  75 0E         jnz     short 0040126F
00401261   .  5F            pop     edi
00401262   .  5E            pop     esi
00401263   .  5D            pop     ebp
00401264   .  83C8 FF       or      eax, FFFFFFFF
00401267   .  5B            pop     ebx
00401268   .  81C4 50050000 add     esp, 550
0040126E   .  C3            retn
0040126F   >  8B3D 0C904000 mov     edi, dword ptr [<&KERNEL32.VirtualAllocEx>]     ;  kernel32.VirtualAllocEx
00401275   .  6A 40         push    40                                              ; /flProtect = 40 (64.)
00401277   .  68 00100000   push    1000                                            ; |flAllocationType = 1000 (4096.)
0040127C   .  68 00020000   push    200                                             ; |dwSize = 200 (512.)
00401281   .  6A 00         push    0                                               ; |lpAddress = NULL
00401283   .  56            push    esi                                             ; |hProcess
00401284   .  FFD7          call    edi                                             ; \远程开辟缓存
00401286   .  85C0          test    eax, eax
00401288   .  A3 6CCA4000   mov     dword ptr [40CA6C], eax
0040128D   .  75 0E         jnz     short 0040129D
0040128F   .  5F            pop     edi
00401290   .  5E            pop     esi
00401291   .  5D            pop     ebp
00401292   .  83C8 FF       or      eax, FFFFFFFF
00401295   .  5B            pop     ebx
00401296   .  81C4 50050000 add     esp, 550
0040129C   .  C3            retn
0040129D   >  8B9424 640500>mov     edx, dword ptr [esp+564]
004012A4   .  8B2D 08904000 mov     ebp, dword ptr [<&KERNEL32.WriteProcessMemory>] ;  kernel32.WriteProcessMemory
004012AA   .  6A 00         push    0                                               ; /pBytesWritten = NULL
004012AC   .  6A 15         push    15                                              ; |BytesToWrite = 15 (21.)
004012AE   .  52            push    edx                                             ; |Buffer的首字节应该等于0x8C
004012AF   .  50            push    eax                                             ; |Address
004012B0   .  56            push    esi                                             ; |hProcess
004012B1   .  A3 48C94000   mov     dword ptr [40C948], eax                         ; |
004012B6   .  FFD5          call    ebp                                             ; \向缓存中写入数据，写入SN变换后的21B数据
004012B8   .  85C0          test    eax, eax
004012BA   .  75 0E         jnz     short 004012CA
004012BC   .  5F            pop     edi
004012BD   .  5E            pop     esi
004012BE   .  5D            pop     ebp
004012BF   .  83C8 FF       or      eax, FFFFFFFF
004012C2   .  5B            pop     ebx
004012C3   .  81C4 50050000 add     esp, 550
004012C9   .  C3            retn
004012CA   >  B0 45         mov     al, 45
004012CC   .  B3 89         mov     bl, 89
004012CE   .  B2 8B         mov     dl, 8B
004012D0   .  B1 C6         mov     cl, 0C6
004012D2   .  C64424 14 C7  mov     byte ptr [esp+14], 0C7
004012D7   .  884424 15     mov     byte ptr [esp+15], al
004012DB   .  C64424 16 FC  mov     byte ptr [esp+16], 0FC
004012E0   .  C64424 17 00  mov     byte ptr [esp+17], 0
004012E5   .  C64424 18 00  mov     byte ptr [esp+18], 0
004012EA   .  C64424 19 00  mov     byte ptr [esp+19], 0
004012EF   .  C64424 1A 00  mov     byte ptr [esp+1A], 0
004012F4   .  885C24 1B     mov     byte ptr [esp+1B], bl
004012F8   .  C64424 1C 65  mov     byte ptr [esp+1C], 65
004012FD   .  C64424 1D FC  mov     byte ptr [esp+1D], 0FC
00401302   .  885424 1E     mov     byte ptr [esp+1E], dl
00401306   .  884424 1F     mov     byte ptr [esp+1F], al
0040130A   .  C64424 20 FC  mov     byte ptr [esp+20], 0FC
0040130F   .  C64424 21 B3  mov     byte ptr [esp+21], 0B3
00401314   .  C64424 22 2A  mov     byte ptr [esp+22], 2A
00401319   .  C64424 23 B2  mov     byte ptr [esp+23], 0B2
0040131E   .  C64424 24 3F  mov     byte ptr [esp+24], 3F
00401323   .  884C24 25     mov     byte ptr [esp+25], cl
00401327   .  884424 26     mov     byte ptr [esp+26], al
0040132B   .  C64424 27 C4  mov     byte ptr [esp+27], 0C4
00401330   .  C64424 28 8C  mov     byte ptr [esp+28], 8C
00401335   .  885424 29     mov     byte ptr [esp+29], dl
00401339   .  C64424 2A 08  mov     byte ptr [esp+2A], 8
0040133E   .  C64424 2B B0  mov     byte ptr [esp+2B], 0B0
00401343   .  C64424 2C B6  mov     byte ptr [esp+2C], 0B6
00401348   .  884C24 2D     mov     byte ptr [esp+2D], cl
0040134C   .  884424 2E     mov     byte ptr [esp+2E], al
00401350   .  C64424 2F C5  mov     byte ptr [esp+2F], 0C5
00401355   .  C64424 30 4C  mov     byte ptr [esp+30], 4C
0040135A   .  884C24 31     mov     byte ptr [esp+31], cl
0040135E   .  884424 32     mov     byte ptr [esp+32], al
00401362   .  884C24 33     mov     byte ptr [esp+33], cl
00401366   .  C64424 34 96  mov     byte ptr [esp+34], 96
0040136B   .  884C24 35     mov     byte ptr [esp+35], cl
0040136F   .  884424 36     mov     byte ptr [esp+36], al
00401373   .  C64424 37 C7  mov     byte ptr [esp+37], 0C7
00401378   .  C64424 38 5B  mov     byte ptr [esp+38], 5B
0040137D   .  C64424 39 88  mov     byte ptr [esp+39], 88
00401382   .  C64424 3A 5D  mov     byte ptr [esp+3A], 5D
00401387   .  C64424 3B C8  mov     byte ptr [esp+3B], 0C8
0040138C   .  C64424 3C 88  mov     byte ptr [esp+3C], 88
00401391   .  C64424 3D 55  mov     byte ptr [esp+3D], 55
00401396   .  C64424 3E C9  mov     byte ptr [esp+3E], 0C9
0040139B   .  C64424 3F 88  mov     byte ptr [esp+3F], 88
004013A0   .  884424 40     mov     byte ptr [esp+40], al
004013A4   .  C64424 41 CA  mov     byte ptr [esp+41], 0CA
004013A9   .  884C24 42     mov     byte ptr [esp+42], cl
004013AD   .  884424 43     mov     byte ptr [esp+43], al
004013B1   .  C64424 44 CB  mov     byte ptr [esp+44], 0CB
004013B6   .  C64424 45 5B  mov     byte ptr [esp+45], 5B
004013BB   .  C64424 46 88  mov     byte ptr [esp+46], 88
004013C0   .  C64424 47 5D  mov     byte ptr [esp+47], 5D
004013C5   .  C64424 48 CC  mov     byte ptr [esp+48], 0CC
004013CA   .  884C24 49     mov     byte ptr [esp+49], cl
004013CE   .  884424 4A     mov     byte ptr [esp+4A], al
004013D2   .  C64424 4B CD  mov     byte ptr [esp+4B], 0CD
004013D7   .  C64424 4C 11  mov     byte ptr [esp+4C], 11
004013DC   .  884C24 4D     mov     byte ptr [esp+4D], cl
004013E0   .  884424 4E     mov     byte ptr [esp+4E], al
004013E4   .  C64424 4F CE  mov     byte ptr [esp+4F], 0CE
004013E9   .  C64424 50 B1  mov     byte ptr [esp+50], 0B1
004013EE   .  884C24 51     mov     byte ptr [esp+51], cl
004013F2   .  884424 52     mov     byte ptr [esp+52], al
004013F6   .  C64424 53 CF  mov     byte ptr [esp+53], 0CF
004013FB   .  C64424 54 15  mov     byte ptr [esp+54], 15
00401400   .  884C24 55     mov     byte ptr [esp+55], cl
00401404   .  884424 56     mov     byte ptr [esp+56], al
00401408   .  C64424 57 D0  mov     byte ptr [esp+57], 0D0
0040140D   .  C64424 58 AC  mov     byte ptr [esp+58], 0AC
00401412   .  884C24 59     mov     byte ptr [esp+59], cl
00401416   .  884424 5A     mov     byte ptr [esp+5A], al
0040141A   .  C64424 5B D1  mov     byte ptr [esp+5B], 0D1
0040141F   .  C64424 5C C3  mov     byte ptr [esp+5C], 0C3
00401424   .  884C24 5D     mov     byte ptr [esp+5D], cl
00401428   .  884424 5E     mov     byte ptr [esp+5E], al
0040142C   .  C64424 5F D2  mov     byte ptr [esp+5F], 0D2
00401431   .  C64424 60 53  mov     byte ptr [esp+60], 53
00401436   .  C64424 61 88  mov     byte ptr [esp+61], 88
0040143B   .  884424 62     mov     byte ptr [esp+62], al
0040143F   .  C64424 63 D3  mov     byte ptr [esp+63], 0D3
00401444   .  C64424 64 88  mov     byte ptr [esp+64], 88
00401449   .  C64424 65 5D  mov     byte ptr [esp+65], 5D
0040144E   .  C64424 66 D4  mov     byte ptr [esp+66], 0D4
00401453   .  C64424 67 88  mov     byte ptr [esp+67], 88
00401458   .  C64424 68 55  mov     byte ptr [esp+68], 55
0040145D   .  C64424 69 D5  mov     byte ptr [esp+69], 0D5
00401462   .  884C24 6A     mov     byte ptr [esp+6A], cl
00401466   .  884424 6B     mov     byte ptr [esp+6B], al
0040146A   .  C64424 6C D6  mov     byte ptr [esp+6C], 0D6
0040146F   .  C64424 6D B2  mov     byte ptr [esp+6D], 0B2
00401474   .  884C24 6E     mov     byte ptr [esp+6E], cl
00401478   .  884424 6F     mov     byte ptr [esp+6F], al
0040147C   .  C64424 70 D7  mov     byte ptr [esp+70], 0D7
00401481   .  C64424 71 FC  mov     byte ptr [esp+71], 0FC
00401486   .  884C24 72     mov     byte ptr [esp+72], cl
0040148A   .  884424 73     mov     byte ptr [esp+73], al
0040148E   .  C64424 74 D8  mov     byte ptr [esp+74], 0D8
00401493   .  C64424 75 69  mov     byte ptr [esp+75], 69
00401498   .  884C24 76     mov     byte ptr [esp+76], cl
0040149C   .  884424 77     mov     byte ptr [esp+77], al
004014A0   .  C64424 78 D9  mov     byte ptr [esp+78], 0D9
004014A5   .  C64424 79 10  mov     byte ptr [esp+79], 10
004014AA   .  884C24 7A     mov     byte ptr [esp+7A], cl
004014AE   .  884424 7B     mov     byte ptr [esp+7B], al
004014B2   .  C64424 7C DA  mov     byte ptr [esp+7C], 0DA
004014B7   .  C64424 7D BF  mov     byte ptr [esp+7D], 0BF
004014BC   .  884C24 7E     mov     byte ptr [esp+7E], cl
004014C0   .  884424 7F     mov     byte ptr [esp+7F], al
004014C4   .  C68424 800000>mov     byte ptr [esp+80], 0DB
004014CC   .  C68424 810000>mov     byte ptr [esp+81], 0FD
004014D4   .  C68424 820000>mov     byte ptr [esp+82], 88
004014DC   .  888424 830000>mov     byte ptr [esp+83], al
004014E3   .  C68424 840000>mov     byte ptr [esp+84], 0DC
004014EB   .  888C24 850000>mov     byte ptr [esp+85], cl
004014F2   .  888424 860000>mov     byte ptr [esp+86], al
004014F9   .  C68424 870000>mov     byte ptr [esp+87], 0DD
00401501   .  C68424 880000>mov     byte ptr [esp+88], 5B
00401509   .  C68424 890000>mov     byte ptr [esp+89], 88
00401511   .  C68424 8A0000>mov     byte ptr [esp+8A], 55
00401519   .  C68424 8B0000>mov     byte ptr [esp+8B], 0DE
00401521   .  889C24 8C0000>mov     byte ptr [esp+8C], bl
00401528   .  C68424 8D0000>mov     byte ptr [esp+8D], 4D
00401530   .  C68424 8E0000>mov     byte ptr [esp+8E], 0E4
00401538   .  C68424 8F0000>mov     byte ptr [esp+8F], 0C7
00401540   .  888424 900000>mov     byte ptr [esp+90], al
00401547   .  C68424 910000>mov     byte ptr [esp+91], 0E0
0040154F   .  C68424 920000>mov     byte ptr [esp+92], 15
00401557   .  C68424 930000>mov     byte ptr [esp+93], 0
0040155F   .  C68424 940000>mov     byte ptr [esp+94], 0
00401567   .  C68424 950000>mov     byte ptr [esp+95], 0
0040156F   .  C68424 960000>mov     byte ptr [esp+96], 8D
00401577   .  C68424 970000>mov     byte ptr [esp+97], 55
0040157F   .  C68424 980000>mov     byte ptr [esp+98], 0C4
00401587   .  C68424 990000>mov     byte ptr [esp+99], 8D
0040158F   .  888424 9A0000>mov     byte ptr [esp+9A], al
00401596   .  C68424 9B0000>mov     byte ptr [esp+9B], 0C4
0040159E   .  C68424 9C0000>mov     byte ptr [esp+9C], 0C7
004015A6   .  888424 9D0000>mov     byte ptr [esp+9D], al
004015AD   .  C68424 9E0000>mov     byte ptr [esp+9E], 0F4
004015B5   .  C68424 9F0000>mov     byte ptr [esp+9F], 0
004015BD   .  C68424 A00000>mov     byte ptr [esp+A0], 0
004015C5   .  C68424 A10000>mov     byte ptr [esp+A1], 0
004015CD   .  C68424 A20000>mov     byte ptr [esp+A2], 0
004015D5   .  889C24 A30000>mov     byte ptr [esp+A3], bl
004015DC   .  C68424 A40000>mov     byte ptr [esp+A4], 55
004015E4   .  C68424 A50000>mov     byte ptr [esp+A5], 0EC
004015EC   .  889C24 A60000>mov     byte ptr [esp+A6], bl
004015F3   .  888424 A70000>mov     byte ptr [esp+A7], al
004015FA   .  C68424 A80000>mov     byte ptr [esp+A8], 0F0
00401602   .  889424 A90000>mov     byte ptr [esp+A9], dl
00401609   .  C68424 AA0000>mov     byte ptr [esp+AA], 55
00401611   .  C68424 AB0000>mov     byte ptr [esp+AB], 0F0
00401619   .  889424 AC0000>mov     byte ptr [esp+AC], dl
00401620   .  888424 AD0000>mov     byte ptr [esp+AD], al
00401627   .  C68424 AE0000>mov     byte ptr [esp+AE], 0EC
0040162F   .  C68424 AF0000>mov     byte ptr [esp+AF], 33
00401637   .  C68424 B00000>mov     byte ptr [esp+B0], 0FF
0040163F   .  889C24 B10000>mov     byte ptr [esp+B1], bl
00401646   .  C68424 B20000>mov     byte ptr [esp+B2], 55
0040164E   .  C68424 B30000>mov     byte ptr [esp+B3], 0FC
00401656   .  889C24 B40000>mov     byte ptr [esp+B4], bl
0040165D   .  C68424 B50000>mov     byte ptr [esp+B5], 7D
00401665   .  C68424 B60000>mov     byte ptr [esp+B6], 0E8
0040166D   .  889C24 B70000>mov     byte ptr [esp+B7], bl
00401674   .  888424 B80000>mov     byte ptr [esp+B8], al
0040167B   .  C68424 B90000>mov     byte ptr [esp+B9], 0F8
00401683   .  889424 BA0000>mov     byte ptr [esp+BA], dl
0040168A   .  C68424 BB0000>mov     byte ptr [esp+BB], 75
00401692   .  C68424 BC0000>mov     byte ptr [esp+BC], 0FC
0040169A   .  C68424 BD0000>mov     byte ptr [esp+BD], 33
004016A2   .  C68424 BE0000>mov     byte ptr [esp+BE], 0D2
004016AA   .  889424 BF0000>mov     byte ptr [esp+BF], dl
004016B1   .  888424 C00000>mov     byte ptr [esp+C0], al
004016B8   .  C68424 C10000>mov     byte ptr [esp+C1], 0F8
004016C0   .  C68424 C20000>mov     byte ptr [esp+C2], 8A
004016C8   .  C68424 C30000>mov     byte ptr [esp+C3], 19
004016D0   .  C68424 C40000>mov     byte ptr [esp+C4], 8A
004016D8   .  C68424 C50000>mov     byte ptr [esp+C5], 4
004016E0   .  C68424 C60000>mov     byte ptr [esp+C6], 10
004016E8   .  C68424 C70000>mov     byte ptr [esp+C7], 3A
004016F0   .  C68424 C80000>mov     byte ptr [esp+C8], 0D8
004016F8   .  C68424 C90000>mov     byte ptr [esp+C9], 75
00401700   .  C68424 CA0000>mov     byte ptr [esp+CA], 22
00401708   .  C68424 CB0000>mov     byte ptr [esp+CB], 8D
00401710   .  C68424 CC0000>mov     byte ptr [esp+CC], 0C
00401718   .  C68424 CD0000>mov     byte ptr [esp+CD], 17
00401720   .  889424 CE0000>mov     byte ptr [esp+CE], dl
00401727   .  C68424 CF0000>mov     byte ptr [esp+CF], 7D
0040172F   .  C68424 D00000>mov     byte ptr [esp+D0], 0F4
00401737   .  C68424 D10000>mov     byte ptr [esp+D1], 8D
0040173F   .  C68424 D20000>mov     byte ptr [esp+D2], 3C
00401747   .  C68424 D30000>mov     byte ptr [esp+D3], 4F
0040174F   .  C68424 D40000>mov     byte ptr [esp+D4], 3
00401757   .  C68424 D50000>mov     byte ptr [esp+D5], 0CF
0040175F   .  C68424 D60000>mov     byte ptr [esp+D6], 0F
00401767   .  C68424 D70000>mov     byte ptr [esp+D7], 0BE
0040176F   .  C68424 D80000>mov     byte ptr [esp+D8], 0FB
00401777   .  C68424 D90000>mov     byte ptr [esp+D9], 0F
0040177F   .  C68424 DA0000>mov     byte ptr [esp+DA], 0BE
00401787   .  C68424 DB0000>mov     byte ptr [esp+DB], 4C
0040178F   .  C68424 DC0000>mov     byte ptr [esp+DC], 0D
00401797   .  C68424 DD0000>mov     byte ptr [esp+DD], 0C4
0040179F   .  C68424 DE0000>mov     byte ptr [esp+DE], 33
004017A7   .  C68424 DF0000>mov     byte ptr [esp+DF], 0CF
004017AF   .  C68424 E00000>mov     byte ptr [esp+E0], 0CC
004017B7   .  C68424 E10000>mov     byte ptr [esp+E1], 2
004017BF   .  C68424 E20000>mov     byte ptr [esp+E2], 0C1
004017C7   .  889424 E30000>mov     byte ptr [esp+E3], dl
004017CE   .  C68424 E40000>mov     byte ptr [esp+E4], 4D
004017D6   .  C68424 E50000>mov     byte ptr [esp+E5], 0E4
004017DE   .  C68424 E60000>mov     byte ptr [esp+E6], 0F6
004017E6   .  C68424 E70000>mov     byte ptr [esp+E7], 2E
004017EE   .  889424 E80000>mov     byte ptr [esp+E8], dl
004017F5   .  C68424 E90000>mov     byte ptr [esp+E9], 7D
004017FD   .  C68424 EA0000>mov     byte ptr [esp+EA], 0E8
00401805   .  C68424 EB0000>mov     byte ptr [esp+EB], 88
0040180D   .  C68424 EC0000>mov     byte ptr [esp+EC], 1
00401815   .  C68424 ED0000>mov     byte ptr [esp+ED], 42
0040181D   .  C68424 EE0000>mov     byte ptr [esp+EE], 83
00401825   .  888C24 EF0000>mov     byte ptr [esp+EF], cl
0040182C   .  C68424 F00000>mov     byte ptr [esp+F0], 9
00401834   .  C68424 F10000>mov     byte ptr [esp+F1], 83
0040183C   .  C68424 F20000>mov     byte ptr [esp+F2], 0FA
00401844   .  C68424 F30000>mov     byte ptr [esp+F3], 4
0040184C   .  C68424 F40000>mov     byte ptr [esp+F4], 7C
00401854   .  C68424 F50000>mov     byte ptr [esp+F5], 0C9
0040185C   .  889424 F60000>mov     byte ptr [esp+F6], dl
00401863   .  C68424 F70000>mov     byte ptr [esp+F7], 5D
0040186B   .  C68424 F80000>mov     byte ptr [esp+F8], 0FC
00401873   .  889424 F90000>mov     byte ptr [esp+F9], dl
0040187A   .  C68424 FA0000>mov     byte ptr [esp+FA], 55
00401882   .  C68424 FB0000>mov     byte ptr [esp+FB], 0F8
0040188A   .  C68424 FC0000>mov     byte ptr [esp+FC], 83
00401892   .  C68424 FD0000>mov     byte ptr [esp+FD], 0C7
0040189A   .  C68424 FE0000>mov     byte ptr [esp+FE], 3
004018A2   .  C68424 FF0000>mov     byte ptr [esp+FF], 43
004018AA   .  C68424 000100>mov     byte ptr [esp+100], 83
004018B2   .  C68424 010100>mov     byte ptr [esp+101], 0C2
004018BA   .  C68424 020100>mov     byte ptr [esp+102], 3
004018C2   .  6A 40         push    40
004018C4   .  68 00100000   push    1000
004018C9   .  888424 1A0100>mov     byte ptr [esp+11A], al
004018D0   .  888424 2D0100>mov     byte ptr [esp+12D], al
004018D7   .  888424 3C0100>mov     byte ptr [esp+13C], al
004018DE   .  888424 440100>mov     byte ptr [esp+144], al
004018E5   .  68 00100000   push    1000
004018EA   .  B0 90         mov     al, 90
004018EC   .  6A 00         push    0
004018EE   .  56            push    esi
004018EF   .  C68424 170100>mov     byte ptr [esp+117], 83
004018F7   .  C68424 180100>mov     byte ptr [esp+118], 0FF
004018FF   .  C68424 190100>mov     byte ptr [esp+119], 6
00401907   .  889C24 1A0100>mov     byte ptr [esp+11A], bl
0040190E   .  C68424 1B0100>mov     byte ptr [esp+11B], 5D
00401916   .  C68424 1C0100>mov     byte ptr [esp+11C], 0FC
0040191E   .  889C24 1D0100>mov     byte ptr [esp+11D], bl
00401925   .  C68424 1E0100>mov     byte ptr [esp+11E], 7D
0040192D   .  C68424 1F0100>mov     byte ptr [esp+11F], 0E8
00401935   .  889C24 200100>mov     byte ptr [esp+120], bl
0040193C   .  C68424 210100>mov     byte ptr [esp+121], 55
00401944   .  C68424 220100>mov     byte ptr [esp+122], 0F8
0040194C   .  C68424 230100>mov     byte ptr [esp+123], 7C
00401954   .  C68424 240100>mov     byte ptr [esp+124], 0A9
0040195C   .  889424 250100>mov     byte ptr [esp+125], dl
00401963   .  C68424 270100>mov     byte ptr [esp+127], 0F4
0040196B   .  889424 280100>mov     byte ptr [esp+128], dl
00401972   .  C68424 290100>mov     byte ptr [esp+129], 7D
0040197A   .  C68424 2A0100>mov     byte ptr [esp+12A], 0F0
00401982   .  889424 2B0100>mov     byte ptr [esp+12B], dl
00401989   .  C68424 2C0100>mov     byte ptr [esp+12C], 75
00401991   .  C68424 2D0100>mov     byte ptr [esp+12D], 0EC
00401999   .  C68424 2E0100>mov     byte ptr [esp+12E], 40
004019A1   .  C68424 2F0100>mov     byte ptr [esp+12F], 83
004019A9   .  C68424 300100>mov     byte ptr [esp+130], 0C7
004019B1   .  C68424 310100>mov     byte ptr [esp+131], 3
004019B9   .  C68424 320100>mov     byte ptr [esp+132], 83
004019C1   .  888C24 330100>mov     byte ptr [esp+133], cl
004019C8   .  C68424 340100>mov     byte ptr [esp+134], 9
004019D0   .  C68424 350100>mov     byte ptr [esp+135], 83
004019D8   .  C68424 360100>mov     byte ptr [esp+136], 0F8
004019E0   .  C68424 370100>mov     byte ptr [esp+137], 3
004019E8   .  889C24 380100>mov     byte ptr [esp+138], bl
004019EF   .  C68424 3A0100>mov     byte ptr [esp+13A], 0F4
004019F7   .  889C24 3B0100>mov     byte ptr [esp+13B], bl
004019FE   .  C68424 3C0100>mov     byte ptr [esp+13C], 7D
00401A06   .  C68424 3D0100>mov     byte ptr [esp+13D], 0F0
00401A0E   .  889C24 3E0100>mov     byte ptr [esp+13E], bl
00401A15   .  C68424 3F0100>mov     byte ptr [esp+13F], 75
00401A1D   .  C68424 400100>mov     byte ptr [esp+140], 0EC
00401A25   .  C68424 410100>mov     byte ptr [esp+141], 0F
00401A2D   .  C68424 420100>mov     byte ptr [esp+142], 8C
00401A35   .  C68424 430100>mov     byte ptr [esp+143], 76
00401A3D   .  C68424 440100>mov     byte ptr [esp+144], 0FF
00401A45   .  C68424 450100>mov     byte ptr [esp+145], 0FF
00401A4D   .  C68424 460100>mov     byte ptr [esp+146], 0FF
00401A55   .  889424 470100>mov     byte ptr [esp+147], dl
00401A5C   .  C68424 490100>mov     byte ptr [esp+149], 0E0
00401A64   .  C68424 4A0100>mov     byte ptr [esp+14A], 41
00401A6C   .  C68424 4B0100>mov     byte ptr [esp+14B], 48
00401A74   .  889C24 4C0100>mov     byte ptr [esp+14C], bl
00401A7B   .  C68424 4D0100>mov     byte ptr [esp+14D], 4D
00401A83   .  C68424 4E0100>mov     byte ptr [esp+14E], 0E4
00401A8B   .  889C24 4F0100>mov     byte ptr [esp+14F], bl
00401A92   .  C68424 510100>mov     byte ptr [esp+151], 0E0
00401A9A   .  C68424 520100>mov     byte ptr [esp+152], 0F
00401AA2   .  C68424 530100>mov     byte ptr [esp+153], 85
00401AAA   .  C68424 540100>mov     byte ptr [esp+154], 52
00401AB2   .  C68424 550100>mov     byte ptr [esp+155], 0FF
00401ABA   .  C68424 560100>mov     byte ptr [esp+156], 0FF
00401AC2   .  C68424 570100>mov     byte ptr [esp+157], 0FF
00401ACA   .  888424 580100>mov     byte ptr [esp+158], al
00401AD1   .  888424 590100>mov     byte ptr [esp+159], al
00401AD8   .  888424 5A0100>mov     byte ptr [esp+15A], al
00401ADF   .  C68424 5B0100>mov     byte ptr [esp+15B], 0CC
00401AE7   .  FFD7          call    edi                                             ;  继续远程开辟缓存
00401AE9   .  85C0          test    eax, eax
00401AEB   .  A3 68CA4000   mov     dword ptr [40CA68], eax
00401AF0   .  75 0E         jnz     short 00401B00
00401AF2   .  5F            pop     edi
00401AF3   .  5E            pop     esi
00401AF4   .  5D            pop     ebp
00401AF5   .  83C8 FF       or      eax, FFFFFFFF
00401AF8   .  5B            pop     ebx
00401AF9   .  81C4 50050000 add     esp, 550
00401AFF   .  C3            retn
00401B00   >  8B0D 6CCA4000 mov     ecx, dword ptr [40CA6C]
00401B06   .  6A 00         push    0
00401B08   .  8D5424 17     lea     edx, dword ptr [esp+17]
00401B0C   .  6A 01         push    1
00401B0E   .  52            push    edx
00401B0F   .  50            push    eax
00401B10   .  56            push    esi
00401B11   .  898C24 600100>mov     dword ptr [esp+160], ecx
00401B18   .  C64424 27 68  mov     byte ptr [esp+27], 68
00401B1D   .  FFD5          call    ebp                                             ;  向缓存中写入执行代码
00401B1F   .  8B0D 68CA4000 mov     ecx, dword ptr [40CA68]
00401B25   .  6A 00         push    0
00401B27   .  8D8424 500100>lea     eax, dword ptr [esp+150]
00401B2E   .  6A 04         push    4
00401B30   .  41            inc     ecx
00401B31   .  50            push    eax
00401B32   .  51            push    ecx
00401B33   .  56            push    esi
00401B34   .  FFD5          call    ebp                                             ;  继续向缓存中写入执行代码
00401B36   .  A1 68CA4000   mov     eax, dword ptr [40CA68]
00401B3B   .  6A 00         push    0
00401B3D   .  8D5424 18     lea     edx, dword ptr [esp+18]
00401B41   .  68 34010000   push    134
00401B46   .  83C0 05       add     eax, 5
00401B49   .  52            push    edx
00401B4A   .  50            push    eax
00401B4B   .  56            push    esi
00401B4C   .  FFD5          call    ebp                                             ;  继续向缓存中写入执行代码
00401B4E   .  85C0          test    eax, eax
00401B50   .  75 0E         jnz     short 00401B60
00401B52   .  5F            pop     edi
00401B53   .  5E            pop     esi
00401B54   .  5D            pop     ebp
00401B55   .  83C8 FF       or      eax, FFFFFFFF
00401B58   .  5B            pop     ebx
00401B59   .  81C4 50050000 add     esp, 550
00401B5F   .  C3            retn
00401B60   >  8BBC24 480100>mov     edi, dword ptr [esp+148]
00401B67   .  8B0D 68CA4000 mov     ecx, dword ptr [40CA68]
00401B6D   .  8D9424 940200>lea     edx, dword ptr [esp+294]
00401B74   .  898C24 4C0300>mov     dword ptr [esp+34C], ecx          ; \修改EIP
00401B7B   .  52            push    edx                                             ; /pContext
00401B7C   .  57            push    edi                                             ; |hThread
00401B7D   .  FF15 04904000 call    dword ptr [<&KERNEL32.SetThreadContext>]        ; \设置线程上下文
00401B83   .  57            push    edi                                             ; /hThread
00401B84   .  FF15 00904000 call    dword ptr [<&KERNEL32.ResumeThread>]            ; \恢复线程
00401B8A   .  56            push    esi                                             ; /hObject
00401B8B   .  8B35 28904000 mov     esi, dword ptr [<&KERNEL32.CloseHandle>]        ; |kernel32.CloseHandle
00401B91   .  FFD6          call    esi                                             ; \关闭句柄
00401B93   .  57            push    edi                                             ; /hObject
00401B94   .  FFD6          call    esi                                             ; \CloseHandle
00401B96   .  5F            pop     edi
00401B97   .  5E            pop     esi
00401B98   .  5D            pop     ebp
00401B99   .  B8 01000000   mov     eax, 1
00401B9E   .  5B            pop     ebx
00401B9F   .  81C4 50050000 add     esp, 550
00401BA5   .  C3            retn

call 00401FA0-int3消息处理函数，主要包括修改Broiler.exe线程中的代码（2B）、读取Broiler.exe线程的计算结果并进行比较验证
00401FA0  /$  83EC 34       sub     esp, 34
00401FA3  |.  53            push    ebx
00401FA4  |.  56            push    esi
00401FA5  |.  57            push    edi
00401FA6  |.  8B7C24 50     mov     edi, dword ptr [esp+50]
00401FAA  |.  33DB          xor     ebx, ebx
00401FAC  |.  B8 01000180   mov     eax, 80010001
00401FB1  |.  8B57 0C       mov     edx, dword ptr [edi+C]
00401FB4  |.  895C24 0C     mov     dword ptr [esp+C], ebx
00401FB8  |.  81FA 03000080 cmp     edx, 80000003
00401FBE  |.  C64424 50 90  mov     byte ptr [esp+50], 90
00401FC3  |.  C64424 51 2A  mov     byte ptr [esp+51], 2A
00401FC8  |.  0F85 2D010000 jnz     004020FB
00401FCE  |.  83B9 1C010000>cmp     dword ptr [ecx+11C], 1
00401FD5  |.  75 14         jnz     short 00401FEB
00401FD7  |.  5F            pop     edi
00401FD8  |.  8999 1C010000 mov     dword ptr [ecx+11C], ebx
00401FDE  |.  5E            pop     esi
00401FDF  |.  B8 02000100   mov     eax, 10002                                      ;  UNICODE "::=::\"
00401FE4  |.  5B            pop     ebx
00401FE5  |.  83C4 34       add     esp, 34
00401FE8  |.  C2 1000       retn    10
00401FEB  |>  8BB1 24010000 mov     esi, dword ptr [ecx+124]
00401FF1  |.  46            inc     esi
00401FF2  |.  8BC6          mov     eax, esi
00401FF4  |.  89B1 24010000 mov     dword ptr [ecx+124], esi
00401FFA  |.  8B7424 44     mov     esi, dword ptr [esp+44]
00401FFE  |.  83F8 02       cmp     eax, 2
00402001  |.  0F85 CB000000 jnz     004020D2
00402007  |.  33C0          xor     eax, eax
00402009  |.  8B49 08       mov     ecx, dword ptr [ecx+8]
0040200C  |.  894424 29     mov     dword ptr [esp+29], eax
00402010  |.  8D5424 44     lea     edx, dword ptr [esp+44]
00402014  |.  894424 2D     mov     dword ptr [esp+2D], eax
00402018  |.  52            push    edx                                             ; /pBytesRead
00402019  |.  894424 35     mov     dword ptr [esp+35], eax                         ; |
0040201D  |.  6A 15         push    15                                              ; |BytesToRead = 15 (21.)
0040201F  |.  894424 3D     mov     dword ptr [esp+3D], eax                         ; |
00402023  |.  885C24 30     mov     byte ptr [esp+30], bl                           ; |
00402027  |.  894424 41     mov     dword ptr [esp+41], eax                         ; |
0040202B  |.  8D4424 30     lea     eax, dword ptr [esp+30]                         ; |
0040202F  |.  50            push    eax                                             ; |Buffer
00402030  |.  51            push    ecx                                             ; |pBaseAddress
00402031  |.  56            push    esi                                             ; |hProcess
00402032  |.  C64424 24 EF  mov     byte ptr [esp+24], 0EF                          ; 用于比较的正确结果，长度21B
00402037  |.  C64424 25 86  mov     byte ptr [esp+25], 86                           ; |
0040203C  |.  C64424 26 85  mov     byte ptr [esp+26], 85                           ; |
00402041  |.  C64424 27 0C  mov     byte ptr [esp+27], 0C                           ; |
00402046  |.  C64424 28 D2  mov     byte ptr [esp+28], 0D2                          ; |
0040204B  |.  C64424 29 89  mov     byte ptr [esp+29], 89                           ; |
00402050  |.  C64424 2A 64  mov     byte ptr [esp+2A], 64                           ; |
00402055  |.  C64424 2B A6  mov     byte ptr [esp+2B], 0A6                          ; |
0040205A  |.  C64424 2C 9E  mov     byte ptr [esp+2C], 9E                           ; |
0040205F  |.  C64424 2D C8  mov     byte ptr [esp+2D], 0C8                          ; |
00402064  |.  C64424 2E CC  mov     byte ptr [esp+2E], 0CC                          ; |
00402069  |.  C64424 2F 70  mov     byte ptr [esp+2F], 70                           ; |
0040206E  |.  885C24 30     mov     byte ptr [esp+30], bl                           ; |
00402072  |.  C64424 31 90  mov     byte ptr [esp+31], 90                           ; |
00402077  |.  C64424 32 09  mov     byte ptr [esp+32], 9                            ; |
0040207C  |.  C64424 33 F4  mov     byte ptr [esp+33], 0F4                          ; |
00402081  |.  C64424 34 28  mov     byte ptr [esp+34], 28                           ; |
00402086  |.  C64424 35 6E  mov     byte ptr [esp+35], 6E                           ; |
0040208B  |.  C64424 36 5A  mov     byte ptr [esp+36], 5A                           ; |
00402090  |.  C64424 37 04  mov     byte ptr [esp+37], 4                            ; |
00402095  |.  C64424 38 F9  mov     byte ptr [esp+38], 0F9                          ; |
0040209A  |.  895C24 58     mov     dword ptr [esp+58], ebx                         ; |
0040209E  |.  FF15 4C904000 call    dword ptr [<&KERNEL32.ReadProcessMemory>]       ; \读取Broiler.exe进程缓存中的数据，将0x15B读回
004020A4  |.  33C9          xor     ecx, ecx
004020A6  |.  33C0          xor     eax, eax
004020A8  |>  8A5404 28     /mov     dl, byte ptr [esp+eax+28]                      ;  读取回的数据
004020AC  |.  3A5404 10     |cmp     dl, byte ptr [esp+eax+10]                      ;  与之前创建的表中数据进行比较
004020B0  |.  74 01         |je      short 004020B3
004020B2  |.  41            |inc     ecx
004020B3  |>  40            |inc     eax
004020B4  |.  83F8 15       |cmp     eax, 15
004020B7  |.^ 7C EF         \jl      short 004020A8
004020B9  |.  3BCB          cmp     ecx, ebx                                        ;  完全相同则注册成功
004020BB  |.  75 15         jnz     short 004020D2
004020BD  |.  53            push    ebx                                             ; /Style
004020BE  |.  68 94A04000   push    0040A094                                        ; |Title = "成?,A6,"了"
004020C3  |.  53            push    ebx                                             ; |Text
004020C4  |.  53            push    ebx                                             ; |hOwner
004020C5  |.  FF15 1C914000 call    dword ptr [<&USER32.MessageBoxA>]               ; \MessageBoxA
004020CB  |.  6A 01         push    1
004020CD  |.  E8 47010000   call    00402219
004020D2  |>  8B57 18       mov     edx, dword ptr [edi+18]
004020D5  |.  8D4424 0C     lea     eax, dword ptr [esp+C]
004020D9  |.  50            push    eax                                             ; /pBytesWritten
004020DA  |.  8D4C24 54     lea     ecx, dword ptr [esp+54]                         ; |
004020DE  |.  6A 02         push    2                                               ; |BytesToWrite = 2
004020E0  |.  51            push    ecx                                             ; |Buffer
004020E1  |.  52            push    edx                                             ; |Address
004020E2  |.  56            push    esi                                             ; |hProcess
004020E3  |.  FF15 08904000 call    dword ptr [<&KERNEL32.WriteProcessMemory>]      ; \WriteProcessMemory 向0x3B00D1写入2B，0x902A
004020E9  |.  8B4C24 4C     mov     ecx, dword ptr [esp+4C]
004020ED  |.  8B47 18       mov     eax, dword ptr [edi+18]
004020F0  |.  8981 B8000000 mov     dword ptr [ecx+B8], eax
004020F6  |.  B8 02000100   mov     eax, 10002                                      ;  UNICODE "::=::\"
004020FB  |>  5F            pop     edi
004020FC  |.  5E            pop     esi
004020FD  |.  5B            pop     ebx
004020FE  |.  83C4 34       add     esp, 34
00402101  \.  C2 1000       retn    10

取回的结果主要与下面的21B进行比较，完全相同则注册成功
009FFBC0  EF 86 85 0C D2 89 64 A6 9E C8 CC 70 00 90 09 F4  飭?覊d忍p.?
009FFBD0  28 6E 5A 04 F9 FC 9F 00 00 00 00 00 00 00 00 00  (nZ?........

Broiler.exe
0x3A0000-CrackMe.exe写入的SN（变换后）数据，长度21B
0x3B0000-CrackMe.exe写入的执行代码，主要完成对0x3A0000的21B数据的一个置换处理
0x3B0000执行代码如下，主要功能是完成了一个置换处理，
68 00 00 3A 00 C7 45 FC 00 00 00 00 89 65 FC 8B 45 FC B3 2A B2 3F C6 45 C4 8C 8B 08 B0 B6 C6 45 C5 4C C6 45 C6 96 C6 45 C7 5B 88 5D C8 88 55 C9 88 45 CA C6

45 CB 5B 88 5D CC C6 45 CD 11 C6 45 CE B1 C6 45 CF 15 C6 45 D0 AC C6 45 D1 C3 C6 45 D2 53 88 45 D3 88 5D D4 88 55 D5 C6 45 D6 B2 C6 45 D7 FC C6 45 D8 69 C6

45 D9 10 C6 45 DA BF C6 45 DB FD 88 45 DC C6 45 DD 5B 88 55 DE 89 4D E4 C7 45 E0 15 00 00 00 8D 55 C4 8D 45 C4 C7 45 F4 00 00 00 00 89 55 EC 89 45 F0 8B 55

F0 8B 45 EC 33 FF 89 55 FC 89 7D E8 89 45 F8 8B 75 FC 33 D2 8B 45 F8 8A 19 8A 04 10 3A D8 75 22 8D 0C 17 8B 7D F4 8D 3C 4F 03 CF 0F BE FB 0F BE 4C 0D C4 33

CF 90 2A C1 8B 4D E4 F6 2E 8B 7D E8 88 01 42 83 C6 09 83 FA 04 7C C9 8B 5D FC 8B 55 F8 83 C7 03 43 83 C2 03 83 FF 06 89 5D FC 89 7D E8 89 55 F8 7C A9 8B 45

F4 8B 7D F0 8B 75 EC 40 83 C7 03 83 C6 09 83 F8 03 89 45 F4 89 7D F0 89 75 EC 0F 8C 76 FF FF FF 8B 45 E0 41 48 89 4D E4 89 45 E0 0F 85 52 FF FF FF 90 90 90

90 2A 00 00 00 00 00 00

置换对应关系如下，不在对应关系表中的数据字节则原样输出：
8C-90
4C-85
96-0C
5B-EF
2A-64
3F-28
B6-D2
11-FC
B1-C8
15-70
AC-00
C3-89
53-A6
B2-F4
FC-86
69-04
10-E9
BF-9E
FD-F9

在清楚了置换关系后，我们将为CrackMe.exe call 00401FA0中正确的比较结果进行一个反置换，就得到了在Broiler.exe 0x3A0000处的正确数据：
5B FC 4C 96 B6 C3 2A 53 BF B1 CC 15 AC 8C 09 B2 3F 6E 5A 69 FD

这个数据是CrackMe.exe在call 00101060中对输入SN进行变换后得到并写入Broiler.exe中的，因此最后的问题就是在call 00101060中确定SN
int __cdecl sub_401060(signed int *SN)
{
  signed int v1; // edx@1
  signed int v2; // esi@1
  unsigned __int8 v3; // al@2

  v1 = 0;
  v2 = *(_BYTE *)SN;
  do
  {
    v3 = (*(_BYTE *)SN >> 2) ^ BYTE1(v2);
    *((_BYTE *)SN + v1) = v3;
    v2 = 8956 * (v2 >> 2) + 5478 * (v2 + v3);
    *((_BYTE *)SN + v1++) ^= 0x41u;
  }
  while ( v1 < 21 );
  return 0;
}
通过IDA Por+F5得到的C代码可以看出，变换结果仅与SN中的第1字节有关，当第1字节是小写字母k时，就能够得到正确的21B变换结果，因此SN只要是首字节为k的字符串都可以通过验证，该题存在多解。

阿里云助力开发者！2核2G 3M带宽不限流量！6.18限时价，开发者可享99元/年，续费同价！

收藏・0

点赞・1

打赏