[原创]看雪CTF2017 第七题分析
2017-6-15 11:22 3615
使用OD附加后,发现程序停止在下面这段代码处:
; Anti-debug gate.  With no debugger attached the int3 is delivered to the
; process's own exception filter (TopLevelExceptionFilter below), which
; resumes 9 bytes further on; with OllyDbg attached the debugger swallows
; the breakpoint instead, execution falls through to PostQuitMessage(1)
; and the program quits -- which is the "stops" observed in the text.
00410285 /$ CC              int3                                         ; EXCEPTION_BREAKPOINT (0x80000003)
00410286 |. 6A 01           push 1                                       ; /ExitCode = 1
00410288 |. FF15 343E4500   call dword ptr [<&USER32.PostQuitMessage>]   ; \PostQuitMessage -- only reached under a debugger
0041028E |. 33C0            xor eax, eax                                 ; int3 + 9 bytes (1 + 2 + 6) lands here
00410290 \. C2 1000         retn 10
使用IDA 分析,发现
/*
 * IDA decompilation of the binary's top-level exception filter, the
 * counterpart of the int3 at 00410285.
 *
 * When no debugger is attached the breakpoint exception (0x80000003,
 * EXCEPTION_BREAKPOINT) reaches this filter, which posts a private window
 * message (0x464 = WM_USER + 0x64) and resumes execution 9 bytes past the
 * int3 (1 + 2 + 6 bytes: past the push 1 / call PostQuitMessage pair, onto
 * the xor eax, eax at 0041028E).  -1 is EXCEPTION_CONTINUE_EXECUTION.
 * With a debugger attached the debugger consumes the int3 instead, this
 * filter never runs, and the process quits -- that is the debugger check.
 * Any other exception code is handed on (0 = EXCEPTION_CONTINUE_SEARCH).
 *
 * Presumably installed with SetUnhandledExceptionFilter; that call is not
 * on this page.
 */
signed int __stdcall TopLevelExceptionFilter(struct _EXCEPTION_POINTERS *ExceptionInfo)
{
    /* Only the breakpoint exception is intercepted; everything else is passed on. */
    if ( ExceptionInfo->ExceptionRecord->ExceptionCode != 0x80000003 )
        return 0;

    PostMessageW(0, 0x464u, 0, 0);
    /* Skip int3 + push 1 + call PostQuitMessage and continue at 0041028E. */
    ExceptionInfo->ContextRecord->Eip += 9;
    return -1;
}
将 00410286 代码修改,跳过反调试
; Patched replacement for the anti-debug gate: the filter's PostMessageW
; is issued inline and the int3 / PostQuitMessage pair is gone, so no
; breakpoint exception is ever raised and the debugger check disappears.
; NOTE(review): the patch runs to 004102A6 while the original routine
; ended at 00410293 (retn 10 at 00410290); whatever followed 00410293 was
; overwritten -- fine only if it was padding, worth confirming.
00410285 6A 00           push 0                                      ; lParam
00410287 6A 00           push 0                                      ; wParam
00410289 FF35 302C4000   push dword ptr [402C30]                     ; Msg  -- presumably the 0x464 the filter used; value not shown on this page
0041028F FF35 00264500   push dword ptr [452600]                     ; hWnd -- presumably; value not shown on this page
00410295 FF15 E03D4500   call dword ptr [<&USER32.PostMessageW>]     ; USER32.PostMessageW
0041029B 90              nop                                         ; padding
0041029C 90              nop
0041029D 90              nop
0041029E 90              nop
0041029F 90              nop
004102A0 33C0            xor eax, eax                                ; original return value kept
004102A2 90              nop
004102A3 \. C2 1000      retn 10
OD继续跟踪,在GetItemTextA后,对00411B30处进行解密,之后进行调用
; Per-byte xor of the sn with 0xCC (reached after GetItemTextA; the
; decrypted routine at 00411B30 is called afterwards).
; edi = byte count, ecx = buffer pointer, edx = loop counter.
00411BC7 |. 0F477D EC    cmova edi, dword ptr [ebp-14]    ; presumably clamps the length; the compare is above the excerpt
00411BCB |. 85FF         test edi, edi
00411BCD |. 74 0C        je short 00411BDB                ; zero length: skip the loop
00411BCF |> 8031 CC      /xor byte ptr [ecx], 0CC
00411BD2 |. 41           |inc ecx
00411BD3 |. 42           |inc edx
00411BD4 |. 3BD7         |cmp edx, edi
00411BD6 |.^ 75 F7       \jnz short 00411BCF
00411BD8 |. 8B5D 1C      mov ebx, dword ptr [ebp+1C]
sn与0xcc进行异或
; Fragment of the table-1 index search; only the accumulator update is
; visible, the lookup loop itself is outside the excerpt.
00411C3D |. 03C7        |add eax, edi
00411C3F |. 8945 D4     |mov dword ptr [ebp-2C], eax    ; group
00411C42 |> 33FF        |/xor edi, edi                  ; inner counter reset
在表1查找索引
0015D238 89 BC 95 FC FB BA ED 9A BB AE FE 99 A2 98 B9 F9 壖朁須划郭 0015D248 9F 84 9C FD 83 AD B6 A9 A5 F5 8C A7 9E 96 8A F4 焺滮儹订ヵ導灃婔 0015D258 85 BE A8 8F 86 AF 88 9D 87 BF FF A1 8B 81 A0 AB 吘◤啹垵嚳仩 0015D268 8E BD B5 AA 82 94 A4 8D A3 F8 B4 FA 9B A6 B8 80 幗氮倲x代洣竴
对索引对应的值进行异或和循环移位
; Per-byte transform of the table-1 values: xor 0xCC, then a 3-bit rotate
; built from shl/sar/or.  edx = buffer pointer, edi = counter, esi = count.
; Because the low part uses sar (arithmetic) rather than shr, bytes with
; bit 7 set get the sign fill ORed into their top five bits, so the result
; equals a true rol 3 only for bytes below 0x80.  The script's inverse
; ((x << 5) | (x >> 3)) assumes an exact rol 3, which may be one reason the
; recovered sn still needs manual adjustment at the end.
00410F8E |. /74 17       je short 00410FA7       ; presumably skips the loop for a zero count
00410F90 |> |8A0A        /mov cl, byte ptr [edx]
00410F92 |. |80F1 CC     |xor cl, 0CC            ; xor 0xcc
00410F95 |. |8AC1        |mov al, cl
00410F97 |. |C0E1 03     |shl cl, 3
00410F9A |. |C0F8 05     |sar al, 5              ; arithmetic shift, see note above
00410F9D |. |0AC1        |or al, cl              ; rol 3 (exact only for bytes < 0x80)
00410F9F |. |8802        |mov byte ptr [edx], al
00410FA1 |. |42          |inc edx
00410FA2 |. |47          |inc edi
00410FA3 |. |3BFE        |cmp edi, esi
00410FA5 |.^|75 E9       \jnz short 00410F90
下面对上述结果进行编码
; Encoding step: each transformed byte is located with strfind and its
; distance from the search string's start becomes the encoded value.
004119EB |. 03C3         |add eax, ebx
004119ED |. 50           |push eax
004119EE |. FF75 B0      |push dword ptr [ebp-50]
004119F1 |. FF75 AC      |push dword ptr [ebp-54]      ; presumably the string base -- it is subtracted again below
004119F4 |. E8 53F5FFFF  |call <strfind>
004119F9 |. 2A45 AC      |sub al, byte ptr [ebp-54]    ; i -- (returned pointer - base), low byte only
004119FC |. 83C4 10      |add esp, 10                  ; 16 bytes popped but only three pushes are visible; one argument is presumably pushed above the excerpt
004119FF |. 0FBEC8       |movsx ecx, al                ; sign-extended; a NULL "not found" return would yield an arbitrary value here -- confirm strfind's failure return
00411A02 |. 8BC1         |mov eax, ecx
编码结果为
0015D638 02 02 00 03 00 00 02 03 00 01 02 03 02 00 00 02 ...... 0015D648 02 00 02 02 02 03 02 03 01 00 02 02 02 01 02 03 .. 0015D658 02 02 02 01 02 03 02 03 02 01 00 03 02 02 02 02 . 0015D668 02 02 00 03 01 02 02 03 02 00 00 02 02 02 02 02 ... 0015D678 00 00 00 02 01 00 02 02 02 03 00 02 01 00 00 03 .......
对编码后结果进行验证
; Check on the encoded result: two differences are compared with bit 0
; masked off (test against FFFFFFFE), so the je is taken when they agree
; in bits 1..31.  Per the text the routine has to return 1 afterwards.
00411A31 |> \8B4E 1C       mov ecx, dword ptr [esi+1C]
00411A34 |. 8B45 BC        mov eax, dword ptr [ebp-44]
00411A37 |. 2B4E 18        sub ecx, dword ptr [esi+18]    ; ecx = [esi+1C] - [esi+18]
00411A3A |. 2B45 B8        sub eax, dword ptr [ebp-48]    ; eax = [ebp-44] - [ebp-48]
00411A3D |. 33C8           xor ecx, eax
00411A3F |. F7C1 FEFFFFFF  test ecx, FFFFFFFE             ; equality ignoring bit 0
00411A45 |. 74 04          je short 00411A4B
验证后必须返回1,之后继续对sn进行处理
; Stage 2: a fresh RWX page receives 0x94 bytes of encrypted code that the
; sn later decrypts in place before control jumps into it -- the usual
; self-decrypting-stub layout, and the same RWX-allocate / write / execute
; sequence that memory-scanning EDR hooks on VirtualAlloc commonly flag.
0041183B . /0F84 D8000000   je 00411919
00411841 . |6A 40           push 40                                     ; /Protect = PAGE_EXECUTE_READWRITE -- writable and executable at once, which is what lets the keyed decryption run in place
00411843 . |BB 00100000     mov ebx, 1000                               ; |
00411848 . |53              push ebx                                    ; |AllocationType => MEM_COMMIT
00411849 . |53              push ebx                                    ; |Size => 1000 (4096.)
0041184A . |33F6            xor esi, esi                                ; |
0041184C . |56              push esi                                    ; |Address => NULL
0041184D . |FF15 583C4500   call dword ptr [<&KERNEL32.VirtualAlloc>]   ; \VirtualAlloc -- the returned pointer is used below without a NULL check
00411853 . |8BF8            mov edi, eax
00411855 . |897D E8         mov dword ptr [ebp-18], edi
00411858 . |68 94000000     push 94                                     ; 0x94 = 148 bytes: matches the non-zero span of the dump at 00C80000 below (zeros from 00C80094)
0041185D . |68 9C1A4100     push 00411A9C                               ; source of the encrypted bytes, presumably
00411862 . |53              push ebx                                    ; 0x1000
00411863 . |57              push edi                                    ; the new page
00411864 . |E8 84090000     call 004121ED                               ; looks like a memcpy_s-style bounded copy (dst, dst size, src, len) -- confirm
00411869 . |83C4 10         add esp, 10
0041186C . |8BCF            mov ecx, edi
0041186E . |894D EC         mov dword ptr [ebp-14], ecx
分配可执行内存,用sn异或解密代码后跳转过去执行,解密前的原始数据如下
00C80000 17 FC 82 19 BE 1C B8 60 21 69 1D 93 30 31 37 4B 鼈?竊!i?17K 00C80010 08 BA A3 4F E3 F3 6A 33 41 47 95 EC 21 99 29 BF 海O泱j3AG曥!? 00C80020 75 C5 53 E8 58 39 4F 6B C1 12 B6 73 CC 31 88 35 u臩鑈9Ok?秙?? 00C80030 E9 24 A5 F5 75 ED 75 1C 16 6A 1E E6 07 9A A9 36 ?ヵu韚j?毄6 00C80040 A1 61 62 47 5B 39 F4 77 D0 F6 72 AF 3A 0A 6E 56 bG[9魒婿r?.nV 00C80050 12 FA 2B A3 86 31 B8 42 12 1D 03 62 F6 74 DB 09 ?1窧b鰐? 00C80060 B0 2B B9 94 BD F4 AA 67 CC 31 B0 0F 24 01 64 0F ?箶紧猤??$d 00C80070 70 31 67 21 58 C6 5A 9B 7F 32 6E F8 0C 80 34 EC p1g!X芞?2n?€4 00C80080 69 69 79 32 30 68 BC 06 A8 0A 82 83 6D 53 6E 73 iiy20h??們mSns 00C80090 CA 91 0D A6 00 00 00 00 00 00 00 00 00 00 00 00 蕬.?...........
先根据第一部分算法,计算sn,如下:
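"""pediy CTF2017 challenge 7, stage 1: enumerate candidate sn characters.

The original was Python 2 only: it relied on ``/`` being integer division
in the table-index walk and on ``print x,`` for space-separated output.
Under Python 3 the walk silently produced floats and matched nothing.
This version uses ``//`` and ``print(..., end=' ')`` and runs on 2.7 and 3.x.

The original's indentation was lost in extraction; the loop layout of
``t1_enum`` is reconstructed (one output line per sn position).
"""
from __future__ import print_function

# Encoded check values dumped at 0015D638: 2-bit symbols (0..3), two per
# hex digit of the intermediate sn bytes, i.e. four symbols per byte.
arr = bytearray(b'\x02\x02\x00\x03\x00\x00\x02\x03\x00\x01\x02\x03\x02\x00\x00\x02'
                b'\x02\x00\x02\x02\x02\x03\x02\x03\x01\x00\x02\x02\x02\x01\x02\x03'
                b'\x02\x02\x02\x01\x02\x03\x02\x03\x02\x01\x00\x03\x02\x02\x02\x02'
                b'\x02\x02\x00\x03\x01\x02\x02\x03\x02\x00\x00\x02\x02\x02\x02\x02'
                b'\x00\x00\x00\x02\x01\x00\x02\x02\x02\x03\x00\x02\x01\x00\x00\x03')

# Table 1 dumped at 0015D238.  Each entry is an sn byte after the 0xCC xor
# and the 3-bit rotate seen at 00410F92..00410F9D; slot 0 is never used.
t1 = bytearray(b'\x89\xBC\x95\xFC\xFB\xBA\xED\x9A\xBB\xAE\xFE\x99\xA2\x98\xB9\xF9'
               b'\x9F\x84\x9C\xFD\x83\xAD\xB6\xA9\xA5\xF5\x8C\xA7\x9E\x96\x8A\xF4'
               b'\x85\xBE\xA8\x8F\x86\xAF\x88\x9D\x87\xBF\xFF\xA1\x8B\x81\xA0\xAB'
               b'\x8E\xBD\xB5\xAA\x82\x94\xA4\x8D\xA3\xF8\xB4\xFA\x9B\xA6\xB8\x80')

# Symbol alphabet used when the 4-bit values are turned into text.
HEX_DIGITS = "0123456789ABCDEF"


def _walk_index(start, n):
    """Apply the table-index step ``x = (x + x // 5 + 5) % 0x40`` n times.

    A zero result is bumped to 1 so the walk never points at slot 0
    (guard kept from the original).
    """
    x = start
    for _ in range(n):
        x = (x + x // 5 + 5) % 0x40
        if x == 0:
            x = 1
    return x


def t1_candidates(index, n):
    """Return every decoded character whose t1 slot walks to ``index`` in n steps.

    Slots 1..len(t1)-1 are tried (slot 0 skipped, as in the original); a
    matching slot contributes ``chr(t1[slot] ^ 0xCC)``.  Returns a list of
    one-character strings, possibly empty.
    """
    return [chr((t1[slot] ^ 0xCC) & 0xFF)
            for slot in range(1, len(t1))
            if _walk_index(slot, n) == index]


def t1_enum(index, n):
    """Print the candidates from ``t1_candidates`` space-separated, then a newline.

    Kept for compatibility with the original script; always returns 0.
    """
    for ch in t1_candidates(index, n):
        print(ch, end=' ')
    print("")
    return 0


def nv1_index(l, h):
    """Pack two 2-bit symbols into one 4-bit value: ``l`` is the high pair, ``h`` the low."""
    return (l << 2) | h


def t1_find(v):
    """Index of the first occurrence of byte ``v`` in t1, or 0 when absent.

    0 doubles as "not found"; either way t1_enum yields nothing for index 0
    because it starts at slot 1.
    """
    for slot, entry in enumerate(t1):
        if entry == v:
            return slot
    return 0


def _symbols_to_bytes(symbols):
    """Turn the 2-bit symbol stream into bytes: symbol pairs -> hex digits -> bytes.

    A trailing unpaired symbol is ignored (the original raised IndexError).
    """
    digits = "".join(HEX_DIGITS[nv1_index(lo, hi)]
                     for lo, hi in zip(symbols[0::2], symbols[1::2]))
    return bytearray(int(digits[i:i + 2], 16) for i in range(0, len(digits), 2))


def _undo_rotate_xor(value):
    """Invert the per-byte transform at 00410F92..00410F9D.

    The loop did xor 0xCC then ``rol 3``; this does ``ror 3`` then xor 0xCC,
    masked to a byte.  (The loop's sar-based rotate is lossy for bytes with
    bit 7 set, so this inverse is only exact for the others.)
    """
    return (((value << 5) | (value >> 3)) ^ 0xCC) & 0xFF


def main():
    """Run the stage-1 recovery and print the candidate characters per sn position."""
    packed = _symbols_to_bytes(arr)
    for x in packed:
        print(hex(x))
    print("")

    table_values = bytearray(_undo_rotate_xor(x) for x in packed)
    for v in table_values:
        print(hex(v))
    print("")

    # Position i of the sn uses i + 1 walk steps when locating its table slot.
    for pos, v in enumerate(table_values):
        t1_enum(t1_find(v), pos + 1)


if __name__ == '__main__':
    main()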
输出可能的sn结果
B w j n d s Y l A b t P i H e d c s P i y 2 5 0 g o 1 a 7 B 4 @ r K J G X 9 I D O k F
对照解密后的代码,手动调整上述候选字符的组合,直至代码完全解密
; First bytes of the RWX page after decryption with the candidate sn.
; Everything except offset 0x10 reads as a normal MSVC SEH prologue, so the
; one odd instruction points at the sn position that is still wrong.
00C80000 55              push ebp
00C80001 8BEC            mov ebp, esp
00C80003 6A FF           push -1
00C80005 68 E8054500     push 4505E8                   ; SEH handler / scope table pointer, presumably
00C8000A 64:A1 00000000  mov eax, dword ptr fs:[0]
00C80010 42              inc edx                       ; <- adjust sn[10]: a standard prologue has push eax (50) here
00C80011 83EC 24         sub esp, 24
00C80014 A1 84044000     mov eax, dword ptr [400484]   ; security cookie load, presumably
00C80019 33C5            xor eax, ebp
sn = BwnsAtPediy2017KX9Ok