[原创]看雪CTF2016第二十六题分析
发表于: 2016-12-24 09:44 3685
该题主要的验证过程如下:
CrackMe.exe创建Broiler.exe进程,并将自身作为其调试器,将SN(变换后)数据和执行代码写入Broiler.exe,并使其执行写入代码对SN(变换后)进行计算,最后将计算结果取回进行验证。
CrackMe.exe中主要函数如下:
call 00401D40-创建Broiler.exe进程,并将自身作为其调试器,接管各类异常进行处理;
call 00401060-对输入SN进行变换,变换后数据结果长度21B
call 004010D0-打开Broiler.exe进程,挂起线程,远程写入SN变换数据和执行代码(0x3A0000-SN变换结果(21B),0x3B0000-执行代码),修改线程上下文中的EIP,恢复线程使其跳转到0x3B0000中开始执行
call 00401F20-调试Broiler.exe的消息处理循环,Case 80000003为int3中断消息
call 00401FA0-int3消息处理函数,2个功能:修改Broiler.exe线程中的一处代码(将0xCCC6修改为0x902A)、取回线程计算结果并对结果进行验证
Broiler.exe中主要函数及数据如下:
0x3A0000-CrackMe.exe写入的SN(变换后)数据,长度21B
0x3B0000-CrackMe.exe写入的执行代码,主要完成对0x3A0000的21B数据的一个置换处理,其中有2处int3,第1处需要CrackMe.exe进行一次代码修改,第2处由CrackMe.exe将处理结果取回
下面是上述主要函数的具体解析:
CrackMe.exe
call 00401D40-创建Broiler.exe进程,并将自身作为其调试器
; ---------------------------------------------------------------------------
; 00401D40 - create Broiler.exe with CrackMe.exe attached as its debugger.
; In:   ecx = this (kept in ebx); first stack argument = lpApplicationName
; Out:  the author cut the listing right after CreateProcessA; what is done
;       with the returned handles / return value is outside this excerpt.
; Frame: [esp+10] PROCESS_INFORMATION (4 dwords), [esp+84] STARTUPINFOA
;       (cb = 44h), [esp+C8] a zeroed 2CCh-byte area whose size matches an
;       x86 CONTEXT - presumably used later, not visible here.
; Note: a child created with CreationFlags = 2 (DEBUG_ONLY_THIS_PROCESS)
;       reports its exceptions to this process; that is what lets the int3
;       stubs planted by 004010D0 be serviced by 00401F20 / 00401FA0.
; ---------------------------------------------------------------------------
00401D40 /$ 81EC 84030000 sub esp, 384 ; 384h-byte frame, layout in the header above
00401D46 |. 53 push ebx
00401D47 |. 55 push ebp
00401D48 |. 56 push esi
00401D49 |. 8BD9 mov ebx, ecx ; ebx = this
00401D4B |. 57 push edi
00401D4C |. B9 B2000000 mov ecx, 0B2 ; 0B2h dwords to clear at [esp+CC]
00401D51 |. 33C0 xor eax, eax ; eax = 0, reused for the rep stos runs and the NULL arguments below
00401D53 |. 8DBC24 CC0000>lea edi, dword ptr [esp+CC]
00401D5A |. C78424 C80000>mov dword ptr [esp+C8], 0 ; with the stos below this clears [esp+C8..esp+393] (2CCh bytes)
00401D65 |. 8D9424 840000>lea edx, dword ptr [esp+84] ; edx = &STARTUPINFOA
00401D6C |. F3:AB rep stos dword ptr es:[edi]
00401D6E |. B9 11000000 mov ecx, 11 ; 11h dwords = 44h bytes
00401D73 |. 8DBC24 840000>lea edi, dword ptr [esp+84]
00401D7A |. F3:AB rep stos dword ptr es:[edi] ; zero STARTUPINFOA
00401D7C |. 894424 10 mov dword ptr [esp+10], eax ; PROCESS_INFORMATION.hProcess = 0
00401D80 |. B9 18000000 mov ecx, 18
00401D85 |. 894424 14 mov dword ptr [esp+14], eax ; .hThread = 0
00401D89 |. 8D7C24 24 lea edi, dword ptr [esp+24]
00401D8D |. 894424 18 mov dword ptr [esp+18], eax ; .dwProcessId = 0
00401D91 |. C78424 840000>mov dword ptr [esp+84], 44 ; STARTUPINFOA.cb = 44h = sizeof(STARTUPINFOA)
00401D9C |. F3:AB rep stos dword ptr es:[edi] ; zero 60h bytes at [esp+24] (their use is not visible in this excerpt)
00401D9E |. 8D4C24 10 lea ecx, dword ptr [esp+10] ; ecx = &PROCESS_INFORMATION
00401DA2 |. 894424 1C mov dword ptr [esp+1C], eax ; .dwThreadId = 0
00401DA6 |. 51 push ecx ; /pProcessInfo
00401DA7 |. 52 push edx ; |pStartupInfo
00401DA8 |. 50 push eax ; |CurrentDir => NULL
00401DA9 |. 50 push eax ; |pEnvironment => NULL
00401DAA |. 6A 00 push 2 ; |CreationFlags = 2 (DEBUG_ONLY_THIS_PROCESS); NOTE(review): the opcode bytes 6A 00 encode push 0, so the mnemonic column disagrees with the bytes - verify against the binary
00401DAC |. 50 push eax ; |InheritHandles => FALSE
00401DAD |. 50 push eax ; |pThreadSecurity => NULL
00401DAE |. 50 push eax ; |pProcessSecurity => NULL
00401DAF |. 50 push eax ; |CommandLine => NULL
00401DB0 |. 8B8424 BC0300>mov eax, dword ptr [esp+3BC] ; |= first stack argument of 00401D40 (384h frame + 4 saved regs + 9 pushes = 3B8h, then the return address)
00401DB7 |. 50 push eax ; |ModuleFileName
00401DB8 |. FF15 48904000 call dword ptr [<&KERNEL32.CreateProcessA>] ; \CreateProcessA - the return value is not checked within this excerpt
call 00401F20-调试Broiler.exe的消息处理循环,Case 80000003为int3中断消息,call 00401FA0为消息处理函数
; ---------------------------------------------------------------------------
; 00401F20 - exception dispatcher of the debug loop; stdcall with 4 args
;            (retn 10).
; In:   arg4 ([esp+10] at entry) = pointer whose dword at +0C is the
;       exception code. That matches a DEBUG_EVENT, where
;       u.Exception.ExceptionRecord.ExceptionCode sits at +0C - presumably
;       that is what the caller passes.
; Out:  eax = 80010001 (DBG_EXCEPTION_NOT_HANDLED) for any other code;
;       for the three handled codes eax is whatever the callee returned.
;       All four arguments are forwarded unchanged in every case.
; Note: 00402110 (ACCESS_VIOLATION / SINGLE_STEP) is not shown on this page.
; ---------------------------------------------------------------------------
00401F20 /$ 8B5424 10 mov edx, dword ptr [esp+10] ; edx = arg4
00401F24 |. 56 push esi
00401F25 |. B8 01000180 mov eax, 80010001 ; default return value: DBG_EXCEPTION_NOT_HANDLED
00401F2A |. 8B72 0C mov esi, dword ptr [edx+C] ; esi = exception code
00401F2D |. 81FE 03000080 cmp esi, 80000003 ; Switch (cases 80000003..C0000005)
00401F33 |. 74 42 je short 00401F77
00401F35 |. 81FE 04000080 cmp esi, 80000004
00401F3B |. 74 21 je short 00401F5E
00401F3D |. 81FE 050000C0 cmp esi, C0000005
00401F43 |. 75 47 jnz short 00401F8C ; anything else: return with eax = 80010001
00401F45 |. 8B4424 10 mov eax, dword ptr [esp+10] ; Case C0000005 (ACCESS VIOLATION) of switch 00401F2D; eax = arg3
00401F49 |. 52 push edx ; arg4
00401F4A |. 8B5424 10 mov edx, dword ptr [esp+10] ; edx = arg2 (one push outstanding)
00401F4E |. 50 push eax ; arg3
00401F4F |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = arg1 (two pushes outstanding)
00401F53 |. 52 push edx ; arg2
00401F54 |. 50 push eax ; arg1
00401F55 |. E8 B6010000 call 00402110 ; 00402110(arg1, arg2, arg3, arg4); no stack adjustment follows, so the callee presumably cleans its arguments
00401F5A |. 5E pop esi
00401F5B |. C2 1000 retn 10 ; returns the callee's eax
00401F5E |> 8B4424 0C mov eax, dword ptr [esp+C] ; Case 80000004 (SINGLE STEP) of switch 00401F2D; eax = arg2
00401F62 |. 52 push edx ; arg4
00401F63 |. 8B5424 14 mov edx, dword ptr [esp+14] ; edx = arg3
00401F67 |. 52 push edx ; arg3
00401F68 |. 8B5424 10 mov edx, dword ptr [esp+10] ; edx = arg1
00401F6C |. 50 push eax ; arg2
00401F6D |. 52 push edx ; arg1
00401F6E |. E8 9D010000 call 00402110 ; same callee and argument order as the C0000005 case
00401F73 |. 5E pop esi
00401F74 |. C2 1000 retn 10
00401F77 |> 8B4424 10 mov eax, dword ptr [esp+10] ; Case 80000003 (BREAKPOINT) of switch 00401F2D; eax = arg3
00401F7B |. 52 push edx ; arg4
00401F7C |. 8B5424 10 mov edx, dword ptr [esp+10] ; edx = arg2
00401F80 |. 50 push eax ; arg3
00401F81 |. 8B4424 10 mov eax, dword ptr [esp+10] ; eax = arg1
00401F85 |. 52 push edx ; arg2
00401F86 |. 50 push eax ; arg1
00401F87 |. E8 14000000 call 00401FA0 ; int3 handler (00401FA0): patches the remote stub and reads back / verifies the result, see below
00401F8C |> 5E pop esi ; Default case of switch 00401F2D; also the fall-through exit of the BREAKPOINT case, so eax = 00401FA0's return value there
00401F8D \. C2 1000 retn 10
call 00401060-对输入SN进行变换,变换后数据长度0x15=21B
; ---------------------------------------------------------------------------
; 00401060 - transform the serial in place into the 21 bytes later written
;            into Broiler.exe. Plain retn (caller cleans the argument).
; In:   arg1 ([esp+10] after the three pushes) = edi = serial buffer
; Out:  buffer[0..14h] overwritten; eax = 0
; Registers: esi = running 32-bit state seeded with the signed byte 0;
;            edx = output index 0..14h; eax/ebx/ecx scratch.
; Per pass (constants traced through the lea chains):
;   out  = ((esi >> 8) ^ (buffer[0] >> 2)) & 0FFh      ; both shifts arithmetic (sar)
;   a    = out + esi
;   esi  = 8956 * (esi >> 2) + 5478 * a
;   buffer[edx] = out ^ 41h
; As listed, only byte 0 of the input is ever read (at 00401069 and again on
; every pass, by which time byte 0 has already been rewritten by pass 0);
; bytes 1..20 are overwritten without being read, and there is no length
; argument, so the caller must hand over a buffer of at least 21 bytes.
; ---------------------------------------------------------------------------
00401060 /$ 53 push ebx ; transform the input SN into 15h bytes; this data is later written into Broiler.exe's remote buffer
00401061 |. 56 push esi
00401062 |. 57 push edi
00401063 |. 8B7C24 10 mov edi, dword ptr [esp+10] ; edi = serial buffer (arg1)
00401067 |. 33D2 xor edx, edx ; edx = output index
00401069 |. 0FBE37 movsx esi, byte ptr [edi] ; state seed = sign-extended byte 0
0040106C |> 8A0F /mov cl, byte ptr [edi] ; cl = current byte 0 (already transformed after pass 0)
0040106E |. 8BC6 |mov eax, esi
00401070 |. C1F8 08 |sar eax, 8
00401073 |. C0F9 02 |sar cl, 2
00401076 |. 32C1 |xor al, cl ; al = out
00401078 |. 88043A |mov byte ptr [edx+edi], al ; store out (the xor 41h is applied below)
0040107B |. 25 FF000000 |and eax, 0FF
00401080 |. 03C6 |add eax, esi ; eax = a = out + esi
00401082 |. 8D0CC0 |lea ecx, dword ptr [eax+eax*8] ; 9a
00401085 |. 8D0C48 |lea ecx, dword ptr [eax+ecx*2] ; 19a
00401088 |. 8D0C49 |lea ecx, dword ptr [ecx+ecx*2] ; 57a
0040108B |. C1E1 04 |shl ecx, 4 ; 912a
0040108E |. 03C8 |add ecx, eax ; 913a
00401090 |. 8BC6 |mov eax, esi
00401092 |. C1F8 02 |sar eax, 2 ; b = esi >> 2
00401095 |. 8D1C49 |lea ebx, dword ptr [ecx+ecx*2] ; ebx = 2739a
00401098 |. 8BC8 |mov ecx, eax
0040109A |. C1E1 05 |shl ecx, 5
0040109D |. 2BC8 |sub ecx, eax ; 31b
0040109F |. 8D0C49 |lea ecx, dword ptr [ecx+ecx*2] ; 93b
004010A2 |. 8D0C88 |lea ecx, dword ptr [eax+ecx*4] ; 373b
004010A5 |. 8D0C49 |lea ecx, dword ptr [ecx+ecx*2] ; 1119b
004010A8 |. 8D0448 |lea eax, dword ptr [eax+ecx*2] ; 2239b
004010AB |. C1E0 02 |shl eax, 2 ; 8956b
004010AE |. 8D3458 |lea esi, dword ptr [eax+ebx*2] ; esi = 8956b + 5478a (next state)
004010B1 |. 8A1C3A |mov bl, byte ptr [edx+edi]
004010B4 |. 80F3 41 |xor bl, 41
004010B7 |. 881C3A |mov byte ptr [edx+edi], bl ; buffer[edx] = out ^ 41h
004010BA |. 42 |inc edx
004010BB |. 83FA 15 |cmp edx, 15
004010BE |.^ 7C AC \jl short 0040106C ; 15h = 21 passes, fixed regardless of input length
004010C0 |. 5F pop edi
004010C1 |. 5E pop esi
004010C2 |. 33C0 xor eax, eax ; return 0
004010C4 |. 5B pop ebx
004010C5 \. C3 retn
call 004010D0-打开Broiler.exe进程,挂起线程,写入数据(0x3A0000-SN变换数据,0x3B0000-执行代码),修改线程上下文中的EIP,恢复线程使得跳转到0x3B0000中开始执行
; ---------------------------------------------------------------------------
; 004010D0 - find Broiler.exe, suspend its thread and redirect it to a stub
;            that processes the 21 transformed bytes. Frame 550h, four
;            callee-saved registers.
; In:   arg1 ([esp+564] after the prologue) = the 21 transformed SN bytes
; Out:  eax = 1 on success, -1 (0FFFFFFFFh) on every failure path
; Globals written: [40CA70] = the thread's original Eip; [40CA6C] and
;       [40C948] = remote data buffer; [40CA68] = remote code buffer.
; Sequence: Toolhelp process walk -> Toolhelp thread walk -> OpenThread ->
;       SuspendThread -> GetThreadContext -> OpenProcess -> VirtualAllocEx x2
;       (both PAGE_EXECUTE_READWRITE) -> WriteProcessMemory x4 ->
;       CONTEXT.Eip := code buffer -> SetThreadContext -> ResumeThread.
; Note (defender's view): this is the classic thread-hijack injection chain;
;       an RWX VirtualAllocEx + WriteProcessMemory + SetThreadContext on a
;       suspended thread of another process is a standard detection
;       signature, which is why a crackme using it as anti-debug stands out.
; Frame layout (offsets relative to esp after the prologue):
;   [esp+14..147] stub bytes assembled on the stack (134h bytes)
;   [esp+148]     thread handle          [esp+14C] remote data buffer address
;   [esp+150]     THREADENTRY32 (dwSize 1Ch)
;   [esp+16C]     PROCESSENTRY32 (dwSize 128h), szExeFile at [esp+190]
;   [esp+294]     CONTEXT (ContextFlags 10001h = CONTEXT_CONTROL), Eip at +0B8h = [esp+34C]
; ---------------------------------------------------------------------------
004010D0 $ 81EC 50050000 sub esp, 550 ; 550h-byte frame, layout in the header above
004010D6 . 53 push ebx
004010D7 . 55 push ebp
004010D8 . 56 push esi
004010D9 . 33DB xor ebx, ebx ; ebx = thread handle, 0 until OpenThread returns one
004010DB . 57 push edi
004010DC . 53 push ebx ; /ProcessID => 0
004010DD . 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004010DF . 33ED xor ebp, ebp ; |ebp = Broiler.exe PID, 0 until found
004010E1 . 899C24 500100>mov dword ptr [esp+150], ebx ; |thread-handle slot ([esp+148] before the two pushes) = 0
004010E8 . C78424 740100>mov dword ptr [esp+174], 128 ; |PROCESSENTRY32.dwSize = 128h (struct at [esp+16C] before the two pushes)
004010F3 . E8 40100000 call <jmp.&KERNEL32.CreateToolhelp32Snapshot> ; \CreateToolhelp32Snapshot
004010F8 . 8BF8 mov edi, eax ; edi = hSnapshot
004010FA . 83FF FF cmp edi, -1 ; INVALID_HANDLE_VALUE ?
004010FD . 75 0D jnz short 0040110C
004010FF . 5F pop edi
00401100 . 5E pop esi
00401101 . 5D pop ebp
00401102 . 0BC0 or eax, eax ; eax is still -1 here, so a snapshot failure returns -1
00401104 . 5B pop ebx
00401105 . 81C4 50050000 add esp, 550
0040110B . C3 retn
0040110C > 8D8424 6C0100>lea eax, dword ptr [esp+16C] ; eax = &PROCESSENTRY32
00401113 . 50 push eax ; /lppe
00401114 . 57 push edi ; |hSnapshot
00401115 . E8 18100000 call <jmp.&KERNEL32.Process32First> ; \Process32First
0040111A . 85C0 test eax, eax
0040111C . 74 54 je short 00401172 ; no entries: close the snapshot, ebp stays 0
0040111E > BE 4CA04000 mov esi, 0040A04C ; ASCII "Broiler.exe"
00401123 . 8D8424 900100>lea eax, dword ptr [esp+190] ; eax = &pe.szExeFile ([esp+16C] + 24h)
0040112A > 8A10 mov dl, byte ptr [eax] ; inline strcmp(szExeFile, "Broiler.exe"), two bytes per pass
0040112C . 8ACA mov cl, dl
0040112E . 3A16 cmp dl, byte ptr [esi]
00401130 . 75 1C jnz short 0040114E
00401132 . 84C9 test cl, cl
00401134 . 74 14 je short 0040114A ; both strings ended together: match
00401136 . 8A50 01 mov dl, byte ptr [eax+1]
00401139 . 8ACA mov cl, dl
0040113B . 3A56 01 cmp dl, byte ptr [esi+1]
0040113E . 75 0E jnz short 0040114E
00401140 . 83C0 02 add eax, 2
00401143 . 83C6 02 add esi, 2
00401146 . 84C9 test cl, cl
00401148 .^ 75 E0 jnz short 0040112A
0040114A > 33C0 xor eax, eax ; eax = 0: names are equal
0040114C . EB 05 jmp short 00401153
0040114E > 1BC0 sbb eax, eax ; eax = -1 or 0 from the CF of the failed cmp ...
00401150 . 83D8 FF sbb eax, -1 ; ... giving -1 or +1: nonzero means differ
00401153 > 85C0 test eax, eax
00401155 . 74 14 je short 0040116B
00401157 . 8D8424 6C0100>lea eax, dword ptr [esp+16C]
0040115E . 50 push eax ; /lppe
0040115F . 57 push edi ; |hSnapshot
00401160 . E8 C70F0000 call <jmp.&KERNEL32.Process32Next> ; \Process32Next
00401165 . 85C0 test eax, eax
00401167 .^ 75 B5 jnz short 0040111E
00401169 . EB 07 jmp short 00401172 ; walked every process without a match (ebp = 0)
0040116B > 8BAC24 740100>mov ebp, dword ptr [esp+174] ; ebp = pe.th32ProcessID ([esp+16C] + 8)
00401172 > 57 push edi ; /hObject
00401173 . FF15 28904000 call dword ptr [<&KERNEL32.CloseHandle>] ; \CloseHandle(process snapshot)
00401179 . 85ED test ebp, ebp ; flags are set, but ...
0040117B . EB 15 jmp short 00401192 ; ... EB 15 is an unconditional jmp: the MessageBoxA/exit path below is unreachable as listed and a PID of 0 is never rejected (patched or original build - cannot be told from here)
0040117D . 55 push ebp ; /Style
0040117E . 68 40A04000 push 0040A040 ; |Title = mis-encoded GBK in the dump; the byte pairs shown look like "注入失败" ("injection failed") - verify in the binary
00401183 . 55 push ebp ; |Text
00401184 . 55 push ebp ; |hOwner
00401185 . FF15 1C914000 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
0040118B . 6A 01 push 1
0040118D . E8 87100000 call 00402219 ; presumably a process-exit helper called with 1 (not shown on this page)
00401192 > 33C0 xor eax, eax
00401194 . B9 06000000 mov ecx, 6
00401199 . 8DBC24 540100>lea edi, dword ptr [esp+154]
004011A0 . C78424 500100>mov dword ptr [esp+150], 1C ; THREADENTRY32.dwSize = 1Ch; the rep stos below zeroes its remaining 6 dwords
004011AB . 50 push eax ; /ProcessID => 0
004011AC . 6A 04 push 4 ; |Flags = TH32CS_SNAPTHREAD
004011AE . F3:AB rep stos dword ptr es:[edi] ; |
004011B0 . E8 830F0000 call <jmp.&KERNEL32.CreateToolhelp32Snapshot> ; \CreateToolhelp32Snapshot - unlike the first snapshot, this result is not compared with INVALID_HANDLE_VALUE
004011B5 . 8D8C24 500100>lea ecx, dword ptr [esp+150]
004011BC . 8BF0 mov esi, eax ; esi = thread snapshot
004011BE . 51 push ecx ; /pThreadentry
004011BF . 56 push esi ; |hSnapshot
004011C0 . E8 610F0000 call <jmp.&KERNEL32.Thread32First> ; \Thread32First
004011C5 . 85C0 test eax, eax
004011C7 . 74 46 je short 0040120F ; no threads: falls into SuspendThread with ebx = 0
004011C9 . 3BAC24 5C0100>cmp ebp, dword ptr [esp+15C] ; te.th32OwnerProcessID == Broiler.exe PID ?
004011D0 . 74 1B je short 004011ED
004011D2 > 8D9424 500100>lea edx, dword ptr [esp+150]
004011D9 . 52 push edx ; /pThreadentry
004011DA . 56 push esi ; |hSnapshot
004011DB . E8 400F0000 call <jmp.&KERNEL32.Thread32Next> ; \Thread32Next
004011E0 . 85C0 test eax, eax
004011E2 . 74 2B je short 0040120F ; exhausted: same unchecked path, ebx still 0
004011E4 . 3BAC24 5C0100>cmp ebp, dword ptr [esp+15C]
004011EB .^ 75 E5 jnz short 004011D2
004011ED > 8B8424 580100>mov eax, dword ptr [esp+158] ; eax = te.th32ThreadID, the first thread owned by Broiler.exe
004011F4 . 85C0 test eax, eax
004011F6 . 74 17 je short 0040120F
004011F8 . 50 push eax ; /dwThreadId
004011F9 . 6A 00 push 0 ; |bInheritHandle = FALSE
004011FB . 68 FF031F00 push 1F03FF ; |dwDesiredAccess = 1F03FF = THREAD_ALL_ACCESS (pre-Vista value)
00401200 . FF15 1C904000 call dword ptr [<&KERNEL32.OpenThread>] ; \OpenThread on Broiler.exe's thread; result not checked
00401206 . 898424 480100>mov dword ptr [esp+148], eax ; keep the handle for SetThreadContext / ResumeThread / CloseHandle below
0040120D . 8BD8 mov ebx, eax
0040120F > 53 push ebx ; /hThread - may still be 0 via the jumps above; there is no NULL check
00401210 . FF15 18904000 call dword ptr [<&KERNEL32.SuspendThread>] ; \SuspendThread
00401216 . B9 B2000000 mov ecx, 0B2
0040121B . 33C0 xor eax, eax
0040121D . 8DBC24 980200>lea edi, dword ptr [esp+298]
00401224 . F3:AB rep stos dword ptr es:[edi] ; zero the CONTEXT body at [esp+298]
00401226 . 8D8424 940200>lea eax, dword ptr [esp+294] ; eax = &CONTEXT
0040122D . C78424 940200>mov dword ptr [esp+294], 10001 ; ContextFlags = CONTEXT_CONTROL (CONTEXT_i386 | 1): only the control registers, Eip included, are fetched
00401238 . 50 push eax ; /pContext
00401239 . 53 push ebx ; |hThread
0040123A . FF15 14904000 call dword ptr [<&KERNEL32.GetThreadContext>] ; \GetThreadContext; result not checked
00401240 . 8B8C24 4C0300>mov ecx, dword ptr [esp+34C] ; ecx = CONTEXT.Eip ([esp+294] + 0B8h)
00401247 . 55 push ebp ; /ProcessId
00401248 . 6A 01 push 1 ; |Inheritable = TRUE
0040124A . 68 FF0F1F00 push 1F0FFF ; |Access = PROCESS_ALL_ACCESS
0040124F . 890D 70CA4000 mov dword ptr [40CA70], ecx ; |save the thread's original Eip (restoring it is outside this excerpt)
00401255 . FF15 10904000 call dword ptr [<&KERNEL32.OpenProcess>] ; \OpenProcess on Broiler.exe
0040125B . 8BF0 mov esi, eax ; esi = hProcess
0040125D . 85F6 test esi, esi
0040125F . 75 0E jnz short 0040126F
00401261 . 5F pop edi
00401262 . 5E pop esi
00401263 . 5D pop ebp
00401264 . 83C8 FF or eax, FFFFFFFF ; return -1; the thread stays suspended and its handle is not closed
00401267 . 5B pop ebx
00401268 . 81C4 50050000 add esp, 550
0040126E . C3 retn
0040126F > 8B3D 0C904000 mov edi, dword ptr [<&KERNEL32.VirtualAllocEx>] ; kernel32.VirtualAllocEx (edi is reused for the second allocation)
00401275 . 6A 40 push 40 ; /flProtect = 40 (64.) = PAGE_EXECUTE_READWRITE, although this region only holds data
00401277 . 68 00100000 push 1000 ; |flAllocationType = 1000 (4096.) = MEM_COMMIT
0040127C . 68 00020000 push 200 ; |dwSize = 200 (512.)
00401281 . 6A 00 push 0 ; |lpAddress = NULL
00401283 . 56 push esi ; |hProcess
00401284 . FFD7 call edi ; \allocate the remote data buffer (the author observed it at 3A0000)
00401286 . 85C0 test eax, eax
00401288 . A3 6CCA4000 mov dword ptr [40CA6C], eax ; [40CA6C] = remote data buffer (stored even when NULL)
0040128D . 75 0E jnz short 0040129D
0040128F . 5F pop edi
00401290 . 5E pop esi
00401291 . 5D pop ebp
00401292 . 83C8 FF or eax, FFFFFFFF ; return -1
00401295 . 5B pop ebx
00401296 . 81C4 50050000 add esp, 550
0040129C . C3 retn
0040129D > 8B9424 640500>mov edx, dword ptr [esp+564] ; edx = arg1, the 21 transformed SN bytes
004012A4 . 8B2D 08904000 mov ebp, dword ptr [<&KERNEL32.WriteProcessMemory>] ; kernel32.WriteProcessMemory (ebp no longer holds the PID from here on)
004012AA . 6A 00 push 0 ; /pBytesWritten = NULL
004012AC . 6A 15 push 15 ; |BytesToWrite = 15 (21.)
004012AE . 52 push edx ; |Buffer - author's note: its first byte should equal 8Ch
004012AF . 50 push eax ; |Address = remote data buffer
004012B0 . 56 push esi ; |hProcess
004012B1 . A3 48C94000 mov dword ptr [40C948], eax ; |second copy of the data buffer address
004012B6 . FFD5 call ebp ; \write the 21 transformed SN bytes into the remote buffer
004012B8 . 85C0 test eax, eax
004012BA . 75 0E jnz short 004012CA
004012BC . 5F pop edi
004012BD . 5E pop esi
004012BE . 5D pop ebp
004012BF . 83C8 FF or eax, FFFFFFFF ; return -1
004012C2 . 5B pop ebx
004012C3 . 81C4 50050000 add esp, 550
004012C9 . C3 retn
004012CA > B0 45 mov al, 45 ; al/bl/dl/cl hold the four byte values that recur most in the stub ...
004012CC . B3 89 mov bl, 89
004012CE . B2 8B mov dl, 8B
004012D0 . B1 C6 mov cl, 0C6 ; ... so those stores can use the shorter register form
004012D2 . C64424 14 C7 mov byte ptr [esp+14], 0C7 ; stub body starts here: [esp+14..147] (134h bytes) is written to code+5 at 00401B4C
004012D7 . 884424 15 mov byte ptr [esp+15], al
004012DB . C64424 16 FC mov byte ptr [esp+16], 0FC
004012E0 . C64424 17 00 mov byte ptr [esp+17], 0
004012E5 . C64424 18 00 mov byte ptr [esp+18], 0
004012EA . C64424 19 00 mov byte ptr [esp+19], 0
004012EF . C64424 1A 00 mov byte ptr [esp+1A], 0
004012F4 . 885C24 1B mov byte ptr [esp+1B], bl
004012F8 . C64424 1C 65 mov byte ptr [esp+1C], 65
004012FD . C64424 1D FC mov byte ptr [esp+1D], 0FC
00401302 . 885424 1E mov byte ptr [esp+1E], dl
00401306 . 884424 1F mov byte ptr [esp+1F], al
0040130A . C64424 20 FC mov byte ptr [esp+20], 0FC
0040130F . C64424 21 B3 mov byte ptr [esp+21], 0B3
00401314 . C64424 22 2A mov byte ptr [esp+22], 2A
00401319 . C64424 23 B2 mov byte ptr [esp+23], 0B2
0040131E . C64424 24 3F mov byte ptr [esp+24], 3F
00401323 . 884C24 25 mov byte ptr [esp+25], cl
00401327 . 884424 26 mov byte ptr [esp+26], al
0040132B . C64424 27 C4 mov byte ptr [esp+27], 0C4
00401330 . C64424 28 8C mov byte ptr [esp+28], 8C
00401335 . 885424 29 mov byte ptr [esp+29], dl
00401339 . C64424 2A 08 mov byte ptr [esp+2A], 8
0040133E . C64424 2B B0 mov byte ptr [esp+2B], 0B0
00401343 . C64424 2C B6 mov byte ptr [esp+2C], 0B6
00401348 . 884C24 2D mov byte ptr [esp+2D], cl
0040134C . 884424 2E mov byte ptr [esp+2E], al
00401350 . C64424 2F C5 mov byte ptr [esp+2F], 0C5
00401355 . C64424 30 4C mov byte ptr [esp+30], 4C
0040135A . 884C24 31 mov byte ptr [esp+31], cl
0040135E . 884424 32 mov byte ptr [esp+32], al
00401362 . 884C24 33 mov byte ptr [esp+33], cl
00401366 . C64424 34 96 mov byte ptr [esp+34], 96
0040136B . 884C24 35 mov byte ptr [esp+35], cl
0040136F . 884424 36 mov byte ptr [esp+36], al
00401373 . C64424 37 C7 mov byte ptr [esp+37], 0C7
00401378 . C64424 38 5B mov byte ptr [esp+38], 5B
0040137D . C64424 39 88 mov byte ptr [esp+39], 88
00401382 . C64424 3A 5D mov byte ptr [esp+3A], 5D
00401387 . C64424 3B C8 mov byte ptr [esp+3B], 0C8
0040138C . C64424 3C 88 mov byte ptr [esp+3C], 88
00401391 . C64424 3D 55 mov byte ptr [esp+3D], 55
00401396 . C64424 3E C9 mov byte ptr [esp+3E], 0C9
0040139B . C64424 3F 88 mov byte ptr [esp+3F], 88
004013A0 . 884424 40 mov byte ptr [esp+40], al
004013A4 . C64424 41 CA mov byte ptr [esp+41], 0CA
004013A9 . 884C24 42 mov byte ptr [esp+42], cl
004013AD . 884424 43 mov byte ptr [esp+43], al
004013B1 . C64424 44 CB mov byte ptr [esp+44], 0CB
004013B6 . C64424 45 5B mov byte ptr [esp+45], 5B
004013BB . C64424 46 88 mov byte ptr [esp+46], 88
004013C0 . C64424 47 5D mov byte ptr [esp+47], 5D
004013C5 . C64424 48 CC mov byte ptr [esp+48], 0CC
004013CA . 884C24 49 mov byte ptr [esp+49], cl
004013CE . 884424 4A mov byte ptr [esp+4A], al
004013D2 . C64424 4B CD mov byte ptr [esp+4B], 0CD
004013D7 . C64424 4C 11 mov byte ptr [esp+4C], 11
004013DC . 884C24 4D mov byte ptr [esp+4D], cl
004013E0 . 884424 4E mov byte ptr [esp+4E], al
004013E4 . C64424 4F CE mov byte ptr [esp+4F], 0CE
004013E9 . C64424 50 B1 mov byte ptr [esp+50], 0B1
004013EE . 884C24 51 mov byte ptr [esp+51], cl
004013F2 . 884424 52 mov byte ptr [esp+52], al
004013F6 . C64424 53 CF mov byte ptr [esp+53], 0CF
004013FB . C64424 54 15 mov byte ptr [esp+54], 15
00401400 . 884C24 55 mov byte ptr [esp+55], cl
00401404 . 884424 56 mov byte ptr [esp+56], al
00401408 . C64424 57 D0 mov byte ptr [esp+57], 0D0
0040140D . C64424 58 AC mov byte ptr [esp+58], 0AC
00401412 . 884C24 59 mov byte ptr [esp+59], cl
00401416 . 884424 5A mov byte ptr [esp+5A], al
0040141A . C64424 5B D1 mov byte ptr [esp+5B], 0D1
0040141F . C64424 5C C3 mov byte ptr [esp+5C], 0C3
00401424 . 884C24 5D mov byte ptr [esp+5D], cl
00401428 . 884424 5E mov byte ptr [esp+5E], al
0040142C . C64424 5F D2 mov byte ptr [esp+5F], 0D2
00401431 . C64424 60 53 mov byte ptr [esp+60], 53
00401436 . C64424 61 88 mov byte ptr [esp+61], 88
0040143B . 884424 62 mov byte ptr [esp+62], al
0040143F . C64424 63 D3 mov byte ptr [esp+63], 0D3
00401444 . C64424 64 88 mov byte ptr [esp+64], 88
00401449 . C64424 65 5D mov byte ptr [esp+65], 5D
0040144E . C64424 66 D4 mov byte ptr [esp+66], 0D4
00401453 . C64424 67 88 mov byte ptr [esp+67], 88
00401458 . C64424 68 55 mov byte ptr [esp+68], 55
0040145D . C64424 69 D5 mov byte ptr [esp+69], 0D5
00401462 . 884C24 6A mov byte ptr [esp+6A], cl
00401466 . 884424 6B mov byte ptr [esp+6B], al
0040146A . C64424 6C D6 mov byte ptr [esp+6C], 0D6
0040146F . C64424 6D B2 mov byte ptr [esp+6D], 0B2
00401474 . 884C24 6E mov byte ptr [esp+6E], cl
00401478 . 884424 6F mov byte ptr [esp+6F], al
0040147C . C64424 70 D7 mov byte ptr [esp+70], 0D7
00401481 . C64424 71 FC mov byte ptr [esp+71], 0FC
00401486 . 884C24 72 mov byte ptr [esp+72], cl
0040148A . 884424 73 mov byte ptr [esp+73], al
0040148E . C64424 74 D8 mov byte ptr [esp+74], 0D8
00401493 . C64424 75 69 mov byte ptr [esp+75], 69
00401498 . 884C24 76 mov byte ptr [esp+76], cl
0040149C . 884424 77 mov byte ptr [esp+77], al
004014A0 . C64424 78 D9 mov byte ptr [esp+78], 0D9
004014A5 . C64424 79 10 mov byte ptr [esp+79], 10
004014AA . 884C24 7A mov byte ptr [esp+7A], cl
004014AE . 884424 7B mov byte ptr [esp+7B], al
004014B2 . C64424 7C DA mov byte ptr [esp+7C], 0DA
004014B7 . C64424 7D BF mov byte ptr [esp+7D], 0BF
004014BC . 884C24 7E mov byte ptr [esp+7E], cl
004014C0 . 884424 7F mov byte ptr [esp+7F], al
004014C4 . C68424 800000>mov byte ptr [esp+80], 0DB
004014CC . C68424 810000>mov byte ptr [esp+81], 0FD
004014D4 . C68424 820000>mov byte ptr [esp+82], 88
004014DC . 888424 830000>mov byte ptr [esp+83], al
004014E3 . C68424 840000>mov byte ptr [esp+84], 0DC
004014EB . 888C24 850000>mov byte ptr [esp+85], cl
004014F2 . 888424 860000>mov byte ptr [esp+86], al
004014F9 . C68424 870000>mov byte ptr [esp+87], 0DD
00401501 . C68424 880000>mov byte ptr [esp+88], 5B
00401509 . C68424 890000>mov byte ptr [esp+89], 88
00401511 . C68424 8A0000>mov byte ptr [esp+8A], 55
00401519 . C68424 8B0000>mov byte ptr [esp+8B], 0DE
00401521 . 889C24 8C0000>mov byte ptr [esp+8C], bl
00401528 . C68424 8D0000>mov byte ptr [esp+8D], 4D
00401530 . C68424 8E0000>mov byte ptr [esp+8E], 0E4
00401538 . C68424 8F0000>mov byte ptr [esp+8F], 0C7
00401540 . 888424 900000>mov byte ptr [esp+90], al
00401547 . C68424 910000>mov byte ptr [esp+91], 0E0
0040154F . C68424 920000>mov byte ptr [esp+92], 15
00401557 . C68424 930000>mov byte ptr [esp+93], 0
0040155F . C68424 940000>mov byte ptr [esp+94], 0
00401567 . C68424 950000>mov byte ptr [esp+95], 0
0040156F . C68424 960000>mov byte ptr [esp+96], 8D
00401577 . C68424 970000>mov byte ptr [esp+97], 55
0040157F . C68424 980000>mov byte ptr [esp+98], 0C4
00401587 . C68424 990000>mov byte ptr [esp+99], 8D
0040158F . 888424 9A0000>mov byte ptr [esp+9A], al
00401596 . C68424 9B0000>mov byte ptr [esp+9B], 0C4
0040159E . C68424 9C0000>mov byte ptr [esp+9C], 0C7
004015A6 . 888424 9D0000>mov byte ptr [esp+9D], al
004015AD . C68424 9E0000>mov byte ptr [esp+9E], 0F4
004015B5 . C68424 9F0000>mov byte ptr [esp+9F], 0
004015BD . C68424 A00000>mov byte ptr [esp+A0], 0
004015C5 . C68424 A10000>mov byte ptr [esp+A1], 0
004015CD . C68424 A20000>mov byte ptr [esp+A2], 0
004015D5 . 889C24 A30000>mov byte ptr [esp+A3], bl
004015DC . C68424 A40000>mov byte ptr [esp+A4], 55
004015E4 . C68424 A50000>mov byte ptr [esp+A5], 0EC
004015EC . 889C24 A60000>mov byte ptr [esp+A6], bl
004015F3 . 888424 A70000>mov byte ptr [esp+A7], al
004015FA . C68424 A80000>mov byte ptr [esp+A8], 0F0
00401602 . 889424 A90000>mov byte ptr [esp+A9], dl
00401609 . C68424 AA0000>mov byte ptr [esp+AA], 55
00401611 . C68424 AB0000>mov byte ptr [esp+AB], 0F0
00401619 . 889424 AC0000>mov byte ptr [esp+AC], dl
00401620 . 888424 AD0000>mov byte ptr [esp+AD], al
00401627 . C68424 AE0000>mov byte ptr [esp+AE], 0EC
0040162F . C68424 AF0000>mov byte ptr [esp+AF], 33
00401637 . C68424 B00000>mov byte ptr [esp+B0], 0FF
0040163F . 889C24 B10000>mov byte ptr [esp+B1], bl
00401646 . C68424 B20000>mov byte ptr [esp+B2], 55
0040164E . C68424 B30000>mov byte ptr [esp+B3], 0FC
00401656 . 889C24 B40000>mov byte ptr [esp+B4], bl
0040165D . C68424 B50000>mov byte ptr [esp+B5], 7D
00401665 . C68424 B60000>mov byte ptr [esp+B6], 0E8
0040166D . 889C24 B70000>mov byte ptr [esp+B7], bl
00401674 . 888424 B80000>mov byte ptr [esp+B8], al
0040167B . C68424 B90000>mov byte ptr [esp+B9], 0F8
00401683 . 889424 BA0000>mov byte ptr [esp+BA], dl
0040168A . C68424 BB0000>mov byte ptr [esp+BB], 75
00401692 . C68424 BC0000>mov byte ptr [esp+BC], 0FC
0040169A . C68424 BD0000>mov byte ptr [esp+BD], 33
004016A2 . C68424 BE0000>mov byte ptr [esp+BE], 0D2
004016AA . 889424 BF0000>mov byte ptr [esp+BF], dl
004016B1 . 888424 C00000>mov byte ptr [esp+C0], al
004016B8 . C68424 C10000>mov byte ptr [esp+C1], 0F8
004016C0 . C68424 C20000>mov byte ptr [esp+C2], 8A
004016C8 . C68424 C30000>mov byte ptr [esp+C3], 19
004016D0 . C68424 C40000>mov byte ptr [esp+C4], 8A
004016D8 . C68424 C50000>mov byte ptr [esp+C5], 4
004016E0 . C68424 C60000>mov byte ptr [esp+C6], 10
004016E8 . C68424 C70000>mov byte ptr [esp+C7], 3A
004016F0 . C68424 C80000>mov byte ptr [esp+C8], 0D8
004016F8 . C68424 C90000>mov byte ptr [esp+C9], 75
00401700 . C68424 CA0000>mov byte ptr [esp+CA], 22
00401708 . C68424 CB0000>mov byte ptr [esp+CB], 8D
00401710 . C68424 CC0000>mov byte ptr [esp+CC], 0C
00401718 . C68424 CD0000>mov byte ptr [esp+CD], 17
00401720 . 889424 CE0000>mov byte ptr [esp+CE], dl
00401727 . C68424 CF0000>mov byte ptr [esp+CF], 7D
0040172F . C68424 D00000>mov byte ptr [esp+D0], 0F4
00401737 . C68424 D10000>mov byte ptr [esp+D1], 8D
0040173F . C68424 D20000>mov byte ptr [esp+D2], 3C
00401747 . C68424 D30000>mov byte ptr [esp+D3], 4F
0040174F . C68424 D40000>mov byte ptr [esp+D4], 3
00401757 . C68424 D50000>mov byte ptr [esp+D5], 0CF
0040175F . C68424 D60000>mov byte ptr [esp+D6], 0F
00401767 . C68424 D70000>mov byte ptr [esp+D7], 0BE
0040176F . C68424 D80000>mov byte ptr [esp+D8], 0FB
00401777 . C68424 D90000>mov byte ptr [esp+D9], 0F
0040177F . C68424 DA0000>mov byte ptr [esp+DA], 0BE
00401787 . C68424 DB0000>mov byte ptr [esp+DB], 4C
0040178F . C68424 DC0000>mov byte ptr [esp+DC], 0D
00401797 . C68424 DD0000>mov byte ptr [esp+DD], 0C4
0040179F . C68424 DE0000>mov byte ptr [esp+DE], 33
004017A7 . C68424 DF0000>mov byte ptr [esp+DF], 0CF
004017AF . C68424 E00000>mov byte ptr [esp+E0], 0CC
004017B7 . C68424 E10000>mov byte ptr [esp+E1], 2
004017BF . C68424 E20000>mov byte ptr [esp+E2], 0C1
004017C7 . 889424 E30000>mov byte ptr [esp+E3], dl
004017CE . C68424 E40000>mov byte ptr [esp+E4], 4D
004017D6 . C68424 E50000>mov byte ptr [esp+E5], 0E4
004017DE . C68424 E60000>mov byte ptr [esp+E6], 0F6
004017E6 . C68424 E70000>mov byte ptr [esp+E7], 2E
004017EE . 889424 E80000>mov byte ptr [esp+E8], dl
004017F5 . C68424 E90000>mov byte ptr [esp+E9], 7D
004017FD . C68424 EA0000>mov byte ptr [esp+EA], 0E8
00401805 . C68424 EB0000>mov byte ptr [esp+EB], 88
0040180D . C68424 EC0000>mov byte ptr [esp+EC], 1
00401815 . C68424 ED0000>mov byte ptr [esp+ED], 42
0040181D . C68424 EE0000>mov byte ptr [esp+EE], 83
00401825 . 888C24 EF0000>mov byte ptr [esp+EF], cl
0040182C . C68424 F00000>mov byte ptr [esp+F0], 9
00401834 . C68424 F10000>mov byte ptr [esp+F1], 83
0040183C . C68424 F20000>mov byte ptr [esp+F2], 0FA
00401844 . C68424 F30000>mov byte ptr [esp+F3], 4
0040184C . C68424 F40000>mov byte ptr [esp+F4], 7C
00401854 . C68424 F50000>mov byte ptr [esp+F5], 0C9
0040185C . 889424 F60000>mov byte ptr [esp+F6], dl
00401863 . C68424 F70000>mov byte ptr [esp+F7], 5D
0040186B . C68424 F80000>mov byte ptr [esp+F8], 0FC
00401873 . 889424 F90000>mov byte ptr [esp+F9], dl
0040187A . C68424 FA0000>mov byte ptr [esp+FA], 55
00401882 . C68424 FB0000>mov byte ptr [esp+FB], 0F8
0040188A . C68424 FC0000>mov byte ptr [esp+FC], 83
00401892 . C68424 FD0000>mov byte ptr [esp+FD], 0C7
0040189A . C68424 FE0000>mov byte ptr [esp+FE], 3
004018A2 . C68424 FF0000>mov byte ptr [esp+FF], 43
004018AA . C68424 000100>mov byte ptr [esp+100], 83
004018B2 . C68424 010100>mov byte ptr [esp+101], 0C2
004018BA . C68424 020100>mov byte ptr [esp+102], 3
004018C2 . 6A 40 push 40 ; VirtualAllocEx #2: flProtect = PAGE_EXECUTE_READWRITE
004018C4 . 68 00100000 push 1000 ; flAllocationType = MEM_COMMIT; from here on the [esp+..] offsets include the outstanding pushes
004018C9 . 888424 1A0100>mov byte ptr [esp+11A], al
004018D0 . 888424 2D0100>mov byte ptr [esp+12D], al
004018D7 . 888424 3C0100>mov byte ptr [esp+13C], al
004018DE . 888424 440100>mov byte ptr [esp+144], al
004018E5 . 68 00100000 push 1000 ; dwSize = 1000h
004018EA . B0 90 mov al, 90 ; al = 90h (NOP) for the remaining al stores
004018EC . 6A 00 push 0 ; lpAddress = NULL
004018EE . 56 push esi ; hProcess; five pushes outstanding, so [esp+N] below = [esp+N-14h] of the layout above
004018EF . C68424 170100>mov byte ptr [esp+117], 83
004018F7 . C68424 180100>mov byte ptr [esp+118], 0FF
004018FF . C68424 190100>mov byte ptr [esp+119], 6
00401907 . 889C24 1A0100>mov byte ptr [esp+11A], bl
0040190E . C68424 1B0100>mov byte ptr [esp+11B], 5D
00401916 . C68424 1C0100>mov byte ptr [esp+11C], 0FC
0040191E . 889C24 1D0100>mov byte ptr [esp+11D], bl
00401925 . C68424 1E0100>mov byte ptr [esp+11E], 7D
0040192D . C68424 1F0100>mov byte ptr [esp+11F], 0E8
00401935 . 889C24 200100>mov byte ptr [esp+120], bl
0040193C . C68424 210100>mov byte ptr [esp+121], 55
00401944 . C68424 220100>mov byte ptr [esp+122], 0F8
0040194C . C68424 230100>mov byte ptr [esp+123], 7C
00401954 . C68424 240100>mov byte ptr [esp+124], 0A9
0040195C . 889424 250100>mov byte ptr [esp+125], dl
00401963 . C68424 270100>mov byte ptr [esp+127], 0F4
0040196B . 889424 280100>mov byte ptr [esp+128], dl
00401972 . C68424 290100>mov byte ptr [esp+129], 7D
0040197A . C68424 2A0100>mov byte ptr [esp+12A], 0F0
00401982 . 889424 2B0100>mov byte ptr [esp+12B], dl
00401989 . C68424 2C0100>mov byte ptr [esp+12C], 75
00401991 . C68424 2D0100>mov byte ptr [esp+12D], 0EC
00401999 . C68424 2E0100>mov byte ptr [esp+12E], 40
004019A1 . C68424 2F0100>mov byte ptr [esp+12F], 83
004019A9 . C68424 300100>mov byte ptr [esp+130], 0C7
004019B1 . C68424 310100>mov byte ptr [esp+131], 3
004019B9 . C68424 320100>mov byte ptr [esp+132], 83
004019C1 . 888C24 330100>mov byte ptr [esp+133], cl
004019C8 . C68424 340100>mov byte ptr [esp+134], 9
004019D0 . C68424 350100>mov byte ptr [esp+135], 83
004019D8 . C68424 360100>mov byte ptr [esp+136], 0F8
004019E0 . C68424 370100>mov byte ptr [esp+137], 3
004019E8 . 889C24 380100>mov byte ptr [esp+138], bl
004019EF . C68424 3A0100>mov byte ptr [esp+13A], 0F4
004019F7 . 889C24 3B0100>mov byte ptr [esp+13B], bl
004019FE . C68424 3C0100>mov byte ptr [esp+13C], 7D
00401A06 . C68424 3D0100>mov byte ptr [esp+13D], 0F0
00401A0E . 889C24 3E0100>mov byte ptr [esp+13E], bl
00401A15 . C68424 3F0100>mov byte ptr [esp+13F], 75
00401A1D . C68424 400100>mov byte ptr [esp+140], 0EC
00401A25 . C68424 410100>mov byte ptr [esp+141], 0F
00401A2D . C68424 420100>mov byte ptr [esp+142], 8C
00401A35 . C68424 430100>mov byte ptr [esp+143], 76
00401A3D . C68424 440100>mov byte ptr [esp+144], 0FF
00401A45 . C68424 450100>mov byte ptr [esp+145], 0FF
00401A4D . C68424 460100>mov byte ptr [esp+146], 0FF
00401A55 . 889424 470100>mov byte ptr [esp+147], dl
00401A5C . C68424 490100>mov byte ptr [esp+149], 0E0
00401A64 . C68424 4A0100>mov byte ptr [esp+14A], 41
00401A6C . C68424 4B0100>mov byte ptr [esp+14B], 48
00401A74 . 889C24 4C0100>mov byte ptr [esp+14C], bl
00401A7B . C68424 4D0100>mov byte ptr [esp+14D], 4D
00401A83 . C68424 4E0100>mov byte ptr [esp+14E], 0E4
00401A8B . 889C24 4F0100>mov byte ptr [esp+14F], bl
00401A92 . C68424 510100>mov byte ptr [esp+151], 0E0
00401A9A . C68424 520100>mov byte ptr [esp+152], 0F
00401AA2 . C68424 530100>mov byte ptr [esp+153], 85
00401AAA . C68424 540100>mov byte ptr [esp+154], 52
00401AB2 . C68424 550100>mov byte ptr [esp+155], 0FF
00401ABA . C68424 560100>mov byte ptr [esp+156], 0FF
00401AC2 . C68424 570100>mov byte ptr [esp+157], 0FF
00401ACA . 888424 580100>mov byte ptr [esp+158], al
00401AD1 . 888424 590100>mov byte ptr [esp+159], al
00401AD8 . 888424 5A0100>mov byte ptr [esp+15A], al
00401ADF . C68424 5B0100>mov byte ptr [esp+15B], 0CC ; last stub byte ([esp+147] of the layout)
00401AE7 . FFD7 call edi ; allocate the remote code buffer (the author observed it at 3B0000)
00401AE9 . 85C0 test eax, eax
00401AEB . A3 68CA4000 mov dword ptr [40CA68], eax ; [40CA68] = remote code buffer
00401AF0 . 75 0E jnz short 00401B00
00401AF2 . 5F pop edi
00401AF3 . 5E pop esi
00401AF4 . 5D pop ebp
00401AF5 . 83C8 FF or eax, FFFFFFFF ; return -1
00401AF8 . 5B pop ebx
00401AF9 . 81C4 50050000 add esp, 550
00401AFF . C3 retn
00401B00 > 8B0D 6CCA4000 mov ecx, dword ptr [40CA6C] ; ecx = remote data buffer address
00401B06 . 6A 00 push 0 ; /pBytesWritten = NULL
00401B08 . 8D5424 17 lea edx, dword ptr [esp+17] ; |Buffer = &byte [esp+13] of the layout (one push outstanding)
00401B0C . 6A 01 push 1 ; |BytesToWrite = 1
00401B0E . 52 push edx
00401B0F . 50 push eax ; |Address = code+0
00401B10 . 56 push esi ; |hProcess
00401B11 . 898C24 600100>mov dword ptr [esp+160], ecx ; |[esp+14C] of the layout = data buffer address, the operand written next
00401B18 . C64424 27 68 mov byte ptr [esp+27], 68 ; |the byte edx points to = 68h, the PUSH imm32 opcode
00401B1D . FFD5 call ebp ; \write 1: stub byte 0 = 68h (result not checked)
00401B1F . 8B0D 68CA4000 mov ecx, dword ptr [40CA68]
00401B25 . 6A 00 push 0 ; /pBytesWritten = NULL
00401B27 . 8D8424 500100>lea eax, dword ptr [esp+150] ; |Buffer = &data buffer address ([esp+14C] of the layout)
00401B2E . 6A 04 push 4 ; |BytesToWrite = 4
00401B30 . 41 inc ecx ; |Address = code+1
00401B31 . 50 push eax
00401B32 . 51 push ecx
00401B33 . 56 push esi ; |hProcess
00401B34 . FFD5 call ebp ; \write 2: the stub therefore begins with `push <data buffer>` (result not checked)
00401B36 . A1 68CA4000 mov eax, dword ptr [40CA68]
00401B3B . 6A 00 push 0 ; /pBytesWritten = NULL
00401B3D . 8D5424 18 lea edx, dword ptr [esp+18] ; |Buffer = [esp+14] of the layout, the assembled stub body
00401B41 . 68 34010000 push 134 ; |BytesToWrite = 134h
00401B46 . 83C0 05 add eax, 5 ; |Address = code+5
00401B49 . 52 push edx
00401B4A . 50 push eax
00401B4B . 56 push esi ; |hProcess
00401B4C . FFD5 call ebp ; \write 3: stub body; only this write's result is checked
00401B4E . 85C0 test eax, eax
00401B50 . 75 0E jnz short 00401B60
00401B52 . 5F pop edi
00401B53 . 5E pop esi
00401B54 . 5D pop ebp
00401B55 . 83C8 FF or eax, FFFFFFFF ; return -1
00401B58 . 5B pop ebx
00401B59 . 81C4 50050000 add esp, 550
00401B5F . C3 retn
00401B60 > 8BBC24 480100>mov edi, dword ptr [esp+148] ; edi = thread handle saved at 00401206
00401B67 . 8B0D 68CA4000 mov ecx, dword ptr [40CA68]
00401B6D . 8D9424 940200>lea edx, dword ptr [esp+294] ; edx = &CONTEXT
00401B74 . 898C24 4C0300>mov dword ptr [esp+34C], ecx ; \CONTEXT.Eip = remote code buffer
00401B7B . 52 push edx ; /pContext
00401B7C . 57 push edi ; |hThread
00401B7D . FF15 04904000 call dword ptr [<&KERNEL32.SetThreadContext>] ; \SetThreadContext: the hijacked thread will resume at the stub (result not checked)
00401B83 . 57 push edi ; /hThread
00401B84 . FF15 00904000 call dword ptr [<&KERNEL32.ResumeThread>] ; \ResumeThread: the stub now runs inside Broiler.exe
00401B8A . 56 push esi ; /hObject
00401B8B . 8B35 28904000 mov esi, dword ptr [<&KERNEL32.CloseHandle>] ; |kernel32.CloseHandle
00401B91 . FFD6 call esi ; \CloseHandle(hProcess)
00401B93 . 57 push edi ; /hObject
00401B94 . FFD6 call esi ; \CloseHandle(hThread)
00401B96 . 5F pop edi
00401B97 . 5E pop esi
00401B98 . 5D pop ebp
00401B99 . B8 01000000 mov eax, 1 ; return 1 = success
00401B9E . 5B pop ebx
00401B9F . 81C4 50050000 add esp, 550
00401BA5 . C3 retn
call 00401FA0-int3消息处理函数,主要包括修改Broiler.exe线程中的代码(2B)、读取Broiler.exe线程的计算结果并进行比较验证
;-----------------------------------------------------------------------
; 00401FA0 - debug-event handler for the int3 (EXCEPTION_BREAKPOINT) events
; raised by the Broiler.exe child. stdcall with 4 stack args (retn 10),
; plus `this` in ecx (fields [ecx+8], [ecx+11C], [ecx+124] are used).
; Args as used below: arg1 [esp+44] = hProcess, arg3 [esp+4C] looks like a
; CONTEXT* ([ecx+B8] = Eip), arg4 [esp+50] looks like a DEBUG_EVENT*
; ([edi+C] = ExceptionCode, [edi+18] = ExceptionAddress) -- inferred from
; the offsets, confirm against the caller.
; Returns eax = DBG_CONTINUE (10002) or DBG_EXCEPTION_NOT_HANDLED (80010001).
; Two int3 hits are expected: the first gets a 2-byte patch (90 2A) at the
; breakpoint address, the second triggers the read-back/compare of the
; 21-byte result; the pass/fail decision is the cmp ecx,ebx at 004020B9.
;-----------------------------------------------------------------------
00401FA0 /$ 83EC 34 sub esp, 34 ; 0x34 bytes of locals: expected table, read-back buffer, bytes-written
00401FA3 |. 53 push ebx
00401FA4 |. 56 push esi
00401FA5 |. 57 push edi
00401FA6 |. 8B7C24 50 mov edi, dword ptr [esp+50] ; edi = arg4 (DEBUG_EVENT*, see header)
00401FAA |. 33DB xor ebx, ebx ; ebx = 0 for the rest of the function
00401FAC |. B8 01000180 mov eax, 80010001 ; default return: DBG_EXCEPTION_NOT_HANDLED
00401FB1 |. 8B57 0C mov edx, dword ptr [edi+C] ; edx = ExceptionCode
00401FB4 |. 895C24 0C mov dword ptr [esp+C], ebx ; bytes-written local = 0
00401FB8 |. 81FA 03000080 cmp edx, 80000003 ; EXCEPTION_BREAKPOINT (int3)?
00401FBE |. C64424 50 90 mov byte ptr [esp+50], 90 ; patch bytes 90 2A staged in the arg4 slot
00401FC3 |. C64424 51 2A mov byte ptr [esp+51], 2A ; (edi already holds arg4, so the slot is free)
00401FC8 |. 0F85 2D010000 jnz 004020FB ; not an int3 -> return DBG_EXCEPTION_NOT_HANDLED
00401FCE |. 83B9 1C010000>cmp dword ptr [ecx+11C], 1 ; one-shot skip flag on `this` (purpose inferred)
00401FD5 |. 75 14 jnz short 00401FEB
00401FD7 |. 5F pop edi
00401FD8 |. 8999 1C010000 mov dword ptr [ecx+11C], ebx ; clear the flag ...
00401FDE |. 5E pop esi
00401FDF |. B8 02000100 mov eax, 10002 ; ... and return DBG_CONTINUE without touching the child
00401FE4 |. 5B pop ebx
00401FE5 |. 83C4 34 add esp, 34
00401FE8 |. C2 1000 retn 10
00401FEB |> 8BB1 24010000 mov esi, dword ptr [ecx+124] ; int3 hit counter on `this`
00401FF1 |. 46 inc esi
00401FF2 |. 8BC6 mov eax, esi
00401FF4 |. 89B1 24010000 mov dword ptr [ecx+124], esi ; ++counter
00401FFA |. 8B7424 44 mov esi, dword ptr [esp+44] ; esi = arg1 = hProcess
00401FFE |. 83F8 02 cmp eax, 2 ; second int3?
00402001 |. 0F85 CB000000 jnz 004020D2 ; no -> patch path only
00402007 |. 33C0 xor eax, eax
00402009 |. 8B49 08 mov ecx, dword ptr [ecx+8] ; ecx = remote address of the result (0x3A0000 per the writeup)
0040200C |. 894424 29 mov dword ptr [esp+29], eax ; zero the 21-byte read-back buffer at [esp+28..3C]
00402010 |. 8D5424 44 lea edx, dword ptr [esp+44] ; pBytesRead reuses the arg1 slot (hProcess is already in esi)
00402014 |. 894424 2D mov dword ptr [esp+2D], eax
00402018 |. 52 push edx ; /pBytesRead
00402019 |. 894424 35 mov dword ptr [esp+35], eax ; | (offsets below shift by 4 per push)
0040201D |. 6A 15 push 15 ; |BytesToRead = 0x15 (21)
0040201F |. 894424 3D mov dword ptr [esp+3D], eax ; |
00402023 |. 885C24 30 mov byte ptr [esp+30], bl ; |
00402027 |. 894424 41 mov dword ptr [esp+41], eax ; |
0040202B |. 8D4424 30 lea eax, dword ptr [esp+30] ; | eax = read-back buffer
0040202F |. 50 push eax ; |Buffer
00402030 |. 51 push ecx ; |pBaseAddress
00402031 |. 56 push esi ; |hProcess
00402032 |. C64424 24 EF mov byte ptr [esp+24], 0EF ; expected result, 21 bytes (hard-coded; compared at 004020A8)
00402037 |. C64424 25 86 mov byte ptr [esp+25], 86 ; |
0040203C |. C64424 26 85 mov byte ptr [esp+26], 85 ; |
00402041 |. C64424 27 0C mov byte ptr [esp+27], 0C ; |
00402046 |. C64424 28 D2 mov byte ptr [esp+28], 0D2 ; |
0040204B |. C64424 29 89 mov byte ptr [esp+29], 89 ; |
00402050 |. C64424 2A 64 mov byte ptr [esp+2A], 64 ; |
00402055 |. C64424 2B A6 mov byte ptr [esp+2B], 0A6 ; |
0040205A |. C64424 2C 9E mov byte ptr [esp+2C], 9E ; |
0040205F |. C64424 2D C8 mov byte ptr [esp+2D], 0C8 ; |
00402064 |. C64424 2E CC mov byte ptr [esp+2E], 0CC ; |
00402069 |. C64424 2F 70 mov byte ptr [esp+2F], 70 ; |
0040206E |. 885C24 30 mov byte ptr [esp+30], bl ; | byte 12 = 00 (bl is 0)
00402072 |. C64424 31 90 mov byte ptr [esp+31], 90 ; |
00402077 |. C64424 32 09 mov byte ptr [esp+32], 9 ; |
0040207C |. C64424 33 F4 mov byte ptr [esp+33], 0F4 ; |
00402081 |. C64424 34 28 mov byte ptr [esp+34], 28 ; |
00402086 |. C64424 35 6E mov byte ptr [esp+35], 6E ; |
0040208B |. C64424 36 5A mov byte ptr [esp+36], 5A ; |
00402090 |. C64424 37 04 mov byte ptr [esp+37], 4 ; |
00402095 |. C64424 38 F9 mov byte ptr [esp+38], 0F9 ; |
0040209A |. 895C24 58 mov dword ptr [esp+58], ebx ; | bytes-read counter = 0
0040209E |. FF15 4C904000 call dword ptr [<&KERNEL32.ReadProcessMemory>] ; \read the 21-byte result back from Broiler.exe
004020A4 |. 33C9 xor ecx, ecx ; ecx = mismatch count
004020A6 |. 33C0 xor eax, eax ; eax = index
004020A8 |> 8A5404 28 /mov dl, byte ptr [esp+eax+28] ; dl = byte read back from the child
004020AC |. 3A5404 10 |cmp dl, byte ptr [esp+eax+10] ; compare with the expected table
004020B0 |. 74 01 |je short 004020B3
004020B2 |. 41 |inc ecx ; count every mismatch, no early exit
004020B3 |> 40 |inc eax
004020B4 |. 83F8 15 |cmp eax, 15
004020B7 |.^ 7C EF \jl short 004020A8 ; 21 bytes
004020B9 |. 3BCB cmp ecx, ebx ; zero mismatches -> registered
004020BB |. 75 15 jnz short 004020D2 ; otherwise fall through to the patch path, no failure message here
004020BD |. 53 push ebx ; /Style
004020BE |. 68 94A04000 push 0040A094 ; |Title (string at 0040A094; mojibake in the listing)
004020C3 |. 53 push ebx ; |Text
004020C4 |. 53 push ebx ; |hOwner
004020C5 |. FF15 1C914000 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA success dialog
004020CB |. 6A 01 push 1
004020CD |. E8 47010000 call 00402219 ; presumably terminates (exit-style); not shown here
004020D2 |> 8B57 18 mov edx, dword ptr [edi+18] ; edx = ExceptionAddress (where the int3 sits)
004020D5 |. 8D4424 0C lea eax, dword ptr [esp+C]
004020D9 |. 50 push eax ; /pBytesWritten
004020DA |. 8D4C24 54 lea ecx, dword ptr [esp+54] ; | ecx = the 2 staged patch bytes (arg4 slot)
004020DE |. 6A 02 push 2 ; |BytesToWrite = 2
004020E0 |. 51 push ecx ; |Buffer
004020E1 |. 52 push edx ; |Address
004020E2 |. 56 push esi ; |hProcess
004020E3 |. FF15 08904000 call dword ptr [<&KERNEL32.WriteProcessMemory>] ; \overwrite the int3 site with 90 2A (0x3B00D1 per the writeup)
004020E9 |. 8B4C24 4C mov ecx, dword ptr [esp+4C] ; ecx = arg3 (CONTEXT*, see header)
004020ED |. 8B47 18 mov eax, dword ptr [edi+18]
004020F0 |. 8981 B8000000 mov dword ptr [ecx+B8], eax ; CONTEXT.Eip = ExceptionAddress: resume on the patched bytes
004020F6 |. B8 02000100 mov eax, 10002 ; DBG_CONTINUE
004020FB |> 5F pop edi
004020FC |. 5E pop esi
004020FD |. 5B pop ebx
004020FE |. 83C4 34 add esp, 34
00402101 \. C2 1000 retn 10 ; stdcall, 4 args
取回的结果主要与下面的21B进行比较,完全相同则注册成功
009FFBC0 EF 86 85 0C D2 89 64 A6 9E C8 CC 70 00 90 09 F4 飭?覊d忍p.?
009FFBD0 28 6E 5A 04 F9 FC 9F 00 00 00 00 00 00 00 00 00 (nZ?........
Broiler.exe
0x3A0000-CrackMe.exe写入的SN(变换后)数据,长度21B
0x3B0000-CrackMe.exe写入的执行代码,主要完成对0x3A0000的21B数据的一个置换处理
0x3B0000处的执行代码如下,主要功能是完成一个置换处理:
68 00 00 3A 00 C7 45 FC 00 00 00 00 89 65 FC 8B 45 FC B3 2A B2 3F C6 45 C4 8C 8B 08 B0 B6 C6 45 C5 4C C6 45 C6 96 C6 45 C7 5B 88 5D C8 88 55 C9 88 45 CA C6
45 CB 5B 88 5D CC C6 45 CD 11 C6 45 CE B1 C6 45 CF 15 C6 45 D0 AC C6 45 D1 C3 C6 45 D2 53 88 45 D3 88 5D D4 88 55 D5 C6 45 D6 B2 C6 45 D7 FC C6 45 D8 69 C6
45 D9 10 C6 45 DA BF C6 45 DB FD 88 45 DC C6 45 DD 5B 88 55 DE 89 4D E4 C7 45 E0 15 00 00 00 8D 55 C4 8D 45 C4 C7 45 F4 00 00 00 00 89 55 EC 89 45 F0 8B 55
F0 8B 45 EC 33 FF 89 55 FC 89 7D E8 89 45 F8 8B 75 FC 33 D2 8B 45 F8 8A 19 8A 04 10 3A D8 75 22 8D 0C 17 8B 7D F4 8D 3C 4F 03 CF 0F BE FB 0F BE 4C 0D C4 33
CF 90 2A C1 8B 4D E4 F6 2E 8B 7D E8 88 01 42 83 C6 09 83 FA 04 7C C9 8B 5D FC 8B 55 F8 83 C7 03 43 83 C2 03 83 FF 06 89 5D FC 89 7D E8 89 55 F8 7C A9 8B 45
F4 8B 7D F0 8B 75 EC 40 83 C7 03 83 C6 09 83 F8 03 89 45 F4 89 7D F0 89 75 EC 0F 8C 76 FF FF FF 8B 45 E0 41 48 89 4D E4 89 45 E0 0F 85 52 FF FF FF 90 90 90
90 2A 00 00 00 00 00 00
置换对应关系如下,不在对应关系表中的数据字节则原样输出:
8C-90
4C-85
96-0C
5B-EF
2A-64
3F-28
B6-D2
11-FC
B1-C8
15-70
AC-00
C3-89
53-A6
B2-F4
FC-86
69-04
10-E9
BF-9E
FD-F9
在清楚了置换关系后,我们将为CrackMe.exe call 00401FA0中正确的比较结果进行一个反置换,就得到了在Broiler.exe 0x3A0000处的正确数据:
5B FC 4C 96 B6 C3 2A 53 BF B1 CC 15 AC 8C 09 B2 3F 6E 5A 69 FD
这个数据是CrackMe.exe在call 00101060中对输入SN进行变换后得到并写入Broiler.exe中的,因此最后的问题就是在call 00101060中确定SN
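/*
 * sub_401060 - in-place transform of the 21-byte serial (cleaned-up decompile).
 *
 * SN points at a buffer of at least 21 bytes; byte i of the output is
 * (SN[0] >> 2) ^ high-byte-of(state) ^ 0x41, where `state` is a 32-bit
 * value seeded from SN[0] and updated after every byte. Only SN[0] is ever
 * read, so the result depends solely on the first input byte; SN[0] itself
 * is overwritten in the first iteration and the transformed value is what
 * later iterations read.
 *
 * Changes from the raw decompiler output: the accumulator is unsigned so
 * the multiplications wrap as the original machine code does instead of
 * being signed overflow (undefined in C); the `>> 2` is still done on a
 * signed view because the original used an arithmetic shift. IDA-only
 * names (_BYTE, BYTE1, __cdecl) are replaced with plain C; cdecl is the
 * default convention, so callers are unaffected.
 *
 * Returns 0 always.
 */
int sub_401060(signed int *SN)
{
    unsigned char *p = (unsigned char *)SN;
    unsigned int state = p[0];          /* seeded from the first byte only */
    int i;

    for (i = 0; i < 21; i++) {
        /* BYTE1(state) == (state >> 8) & 0xFF */
        unsigned char k = (unsigned char)((p[0] >> 2) ^ (unsigned char)(state >> 8));
        p[i] = k;
        /* arithmetic shift on the signed view, wrapping multiply/add */
        state = 8956u * (unsigned int)((int)state >> 2) + 5478u * (state + k);
        p[i] ^= 0x41u;
    }
    return 0;
}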
通过IDA Pro+F5得到的C代码可以看出,变换结果仅与SN中的第1字节有关,当第1字节是小写字母k时,就能够得到正确的21B变换结果,因此SN只要是首字节为k的字符串都可以通过验证,该题存在多解。