ctf2018-第12题
发表于: 2018-7-8 16:30 2729
CrackMe.exe sn
一些比较不是直接比较字符, 而是通过hash来判断的
检测函数
.text:000000013FA469EE mov r9d, 104h ; MaxCount .text:000000013FA469F4 mov r8, [rdx+8] ; Src .text:000000013FA469F8 mov edx, r9d ; SizeInBytes .text:000000013FA469FB lea rcx, sn ; Dst .text:000000013FA46A02 call strncpy_s .text:000000013FA46A07 mov rdx, 600000000h .text:000000013FA46A11 lea rcx, [rbp+77h] .text:000000013FA46A15 call check
.text:000000013FA469EE mov r9d, 104h ; MaxCount .text:000000013FA469F4 mov r8, [rdx+8] ; Src .text:000000013FA469F8 mov edx, r9d ; SizeInBytes .text:000000013FA469FB lea rcx, sn ; Dst .text:000000013FA46A02 call strncpy_s .text:000000013FA46A07 mov rdx, 600000000h .text:000000013FA46A11 lea rcx, [rbp+77h] .text:000000013FA46A15 call check
.text:000000013FA469EE mov r9d, 104h ; MaxCount .text:000000013FA469F4 mov r8, [rdx+8] ; Src .text:000000013FA469F8 mov edx, r9d ; SizeInBytes .text:000000013FA469FB lea rcx, sn ; Dst .text:000000013FA46A02 call strncpy_s .text:000000013FA46A07 mov rdx, 600000000h .text:000000013FA46A11 lea rcx, [rbp+77h] .text:000000013FA46A15 call check
sn_len == 30
.text:000000013FA43449 shl r8, 0Ch .text:000000013FA4344D movzx ecx, ax .text:000000013FA43450 add r8, rcx .text:000000013FA43453 mov ebx, 4 .text:000000013FA43458 cmp r8, 1Eh .text:000000013FA4345C jz short loc_13FA4349B
.text:000000013FA43449 shl r8, 0Ch .text:000000013FA4344D movzx ecx, ax .text:000000013FA43450 add r8, rcx .text:000000013FA43453 mov ebx, 4 .text:000000013FA43458 cmp r8, 1Eh .text:000000013FA4345C jz short loc_13FA4349B
.text:000000013FA43449 shl r8, 0Ch .text:000000013FA4344D movzx ecx, ax .text:000000013FA43450 add r8, rcx .text:000000013FA43453 mov ebx, 4 .text:000000013FA43458 cmp r8, 1Eh .text:000000013FA4345C jz short loc_13FA4349B
sn中'9'的个数 >= 3, (fnv64(sn[i]) == fnv64('9'))
.text:000000013FA43525 cmp r8d, 3 ... .text:000000013FA43536 jl loc_13FA439C6
sn[0:9] == "KXCTF2018", (fnv64(sn[i]) == fnv64(char))
.text:000000013FA43F2A movzx eax, cs:sn ... .text:000000013FA440EC movzx eax, cs:sn+8
fnv(sn) == 0x4F8075587499C0FF
.text:000000013FA444C4 lea rcx, sn .text:000000013FA444CB call x_hash .text:000000013FA444D0 mov rcx, 4F8075587499C0FFh .text:000000013FA444DA mov r10, 0CCCCCCCCCCCCCCCDh .text:000000013FA444E4 cmp rax, rcx .text:000000013FA444E7 jnz short loc_13FA444F3
以"9"来分隔sn, 取出dll_name及proc_name
sn格式: KXCTF20189[DLL_NAME]9[PROC_NAME]9, 总长度为30
DLL_NAME有5位, 因此是NTDLL
.text:000000013FA44FA4 lea rdx, SubStr ; "9" .text:000000013FA44FAB lea rcx, sn ; Str .text:000000013FA44FB2 call strstr .text:000000013FA44FB7 mov rbx, rax .text:000000013FA44FBA movzx eax, byte ptr [rax+1] .text:000000013FA44FBE mov [rbp+0D40h+sz_dll_name], al .text:000000013FA44FC4 movzx eax, byte ptr [rbx+2] .text:000000013FA44FC8 mov [rbp+0D40h+sz_dll_name+1], al .text:000000013FA44FCE movzx eax, byte ptr [rbx+3] .text:000000013FA44FD2 mov [rbp+0D40h+sz_dll_name+2], al .text:000000013FA44FD8 movzx eax, byte ptr [rbx+4] .text:000000013FA44FDC mov [rbp+0D40h+sz_dll_name+3], al .text:000000013FA44FE2 movzx eax, byte ptr [rbx+5] .text:000000013FA44FE6 mov [rbp+0D40h+sz_dll_name+4], al .text:000000013FA44FEC mov r9d, 104h ; MaxCount .text:000000013FA44FF2 lea r8, Src ; ".DLL" .text:000000013FA44FF9 mov edx, r9d ; SizeInBytes .text:000000013FA44FFC lea rcx, [rbp+0D40h+sz_dll_name] ; Dst .text:000000013FA45003 call strncat_s .text:000000013FA45008 lea rdx, SubStr ; "9" .text:000000013FA4500F lea rcx, [rbx+1] ; Str .text:000000013FA45013 call strstr .text:000000013FA45018 mov rbx, rax .text:000000013FA4501B lea rdx, SubStr ; "9" .text:000000013FA45022 lea rcx, [rax+1] ; Str .text:000000013FA45026 call strstr .text:000000013FA4502B mov byte ptr [rax], 0 .text:000000013FA4502E xor edx, edx ; Val .text:000000013FA45030 lea r8d, [rdi+4] ; Size .text:000000013FA45034 lea rcx, [rbp+0D40h+sz_proc_name] ; Dst .text:000000013FA4503B call memset .text:000000013FA45040 mov r9d, 104h ; MaxCount .text:000000013FA45046 lea r8, [rbx+1] ; Src .text:000000013FA4504A mov edx, r9d ; SizeInBytes .text:000000013FA4504D lea rcx, [rbp+0D40h+sz_proc_name] ; Dst .text:000000013FA45054 call strncpy_s
后面就是用LoadLibraryA加载NTDLL.DLL并取出PROC_NAME对应的导出函数, 调用fnProc(0, len(sn)), 返回值 < 0 就表示成功
sn总长为30, 减去"KXCTF2018"(9位)、三个'9'分隔符(3位)和"ntdll"(5位), PROC_NAME长度为13, 因此只要筛选下NTDLL.DLL中名字长度为13的导出函数即可
KXCTF20189ntdll9DbgUiContinue9
.text:000000013FA43525 cmp r8d, 3 ... .text:000000013FA43536 jl loc_13FA439C6
.text:000000013FA43525 cmp r8d, 3 ... .text:000000013FA43536 jl loc_13FA439C6
sn[0:9] == "KXCTF2018", (fnv64(sn[i]) == fnv64(char))
.text:000000013FA43F2A movzx eax, cs:sn ... .text:000000013FA440EC movzx eax, cs:sn+8
.text:000000013FA43F2A movzx eax, cs:sn ... .text:000000013FA440EC movzx eax, cs:sn+8
.text:000000013FA43F2A movzx eax, cs:sn ... .text:000000013FA440EC movzx eax, cs:sn+8