[原创]看雪CTF.TSRC 2018 团队赛 第九题 谍战 WP
发表于: 2018-12-18 12:50 2892
看雪CTF.TSRC 2018 团队赛 第九题 谍战 这次是个win32窗口程序,先找到创建窗口的主线索: .text:00404124 push esi ; lpParam .text:00404125 push 0FFFFFFFAh ; nIndex .text:00404127 push dword ptr [edi+10h] ; hWnd .text:0040412A call ds:GetWindowLongW .text:00404130 push eax ; hInstance .text:00404131 push esi ; hMenu .text:00404132 push dword ptr [edi+10h] ; hWndParent .text:00404135 push dword ptr [edi+40h] ; nHeight .text:00404138 push dword ptr [edi+3Ch] ; nWidth .text:0040413B push dword ptr [edi+38h] ; Y .text:0040413E push dword ptr [edi+34h] ; X .text:00404141 push 50000000h ; dwStyle .text:00404146 push offset WindowName ; "2018CTF@pediy.com" .text:0040414B push [esp+3B8h+lpClassName] ; lpClassName .text:00404152 push esi ; dwExStyle .text:00404153 call ds:CreateWindowExW 然后往下调试,发现有D3D调用: .text:004042E0 lea ecx, [esp+390h+var_374] .text:004042E4 push ecx .text:004042E5 lea ecx, [esp+394h+var_224] .text:004042EC push ecx .text:004042ED lea ecx, [esp+398h+var_370] .text:004042F1 push ecx .text:004042F2 lea ecx, [esp+39Ch+var_338+0Ch] .text:004042F6 push ecx .text:004042F7 lea ecx, [esp+3A0h+var_2DC] .text:004042FE push ecx .text:004042FF push 7 .text:00404301 push 3 .text:00404303 lea ecx, [esp+3ACh+var_7C] .text:0040430A push ecx .text:0040430B push 0 .text:0040430D push 0 .text:0040430F push [esp+eax*4+3B8h+Msg.hwnd] .text:00404316 push 0 .text:00404318 call ds:D3D11CreateDeviceAndSwapChain 再往下走就会发现有意思的东西了: .text:00404572 mov eax, [esp+390h+var_370] .text:00404576 lea edx, [esp+390h+var_358] .text:0040457A push edx .text:0040457B push 51Ch .text:00404580 push offset byte_4AC4B8 //指向带DXBC头的数据 .text:00404585 mov ecx, [eax] .text:00404587 lea edx, [esp+39Ch+var_70] .text:0040458E push 3 .text:00404590 push edx .text:00404591 push eax .text:00404592 call dword ptr [ecx+2Ch] .text:00404595 mov esi, eax .text:00404597 test esi, esi .text:00404599 js loc_404AC6 .text:0040459F mov eax, [esp+390h+var_370] .text:004045A3 lea edx, [esp+390h+var_350] .text:004045A7 push edx .text:004045A8 push 0 
.text:004045AA push 1F0h .text:004045AF mov ecx, [eax] .text:004045B1 push offset byte_4AC2C8 //指向带DXBC头的数据 .text:004045B6 push eax .text:004045B7 call dword ptr [ecx+3Ch] .text:004045BA mov esi, eax .text:004045BC test esi, esi .text:004045BE js loc_404AC6 .text:004045C4 mov eax, [esp+390h+var_370] .text:004045C8 lea edx, [esp+390h+var_328+0Ch] .text:004045CC push edx .text:004045CD push 0 .text:004045CF push 0C24h .text:004045D4 mov ecx, [eax] .text:004045D6 push offset byte_4AB6A0 //指向带DXBC头的数据 .text:004045DB push eax .text:004045DC call dword ptr [ecx+3Ch] 看到3处带DXBC头的数据,出题团队的名字叫GPUber,这基本可以判断是和GPU有关的,用了DirectX HLSL 可以直接用D3D反汇编: void decompile(BYTE *dxbc_ptr,DWORD len) { HMODULE hDxd; DWORD rv = 0; DWORD blob[0x400]; DWORD D3DCreateBlob; DWORD D3DDisassemble; hDxd = LoadLibrary("D3dcompiler_47.dll"); if (hDxd) { D3DCreateBlob = (DWORD)GetProcAddress(hDxd,"D3DCreateBlob"); D3DDisassemble = (DWORD)GetProcAddress(hDxd,"D3DDisassemble"); if (D3DDisassemble) { rv = ((DWORD (__stdcall *)(DWORD,DWORD *))D3DCreateBlob)(0x400,&blob[0]); rv = ((DWORD (__stdcall *)(BYTE *,DWORD,DWORD,char *,DWORD *))D3DDisassemble)(dxbc_ptr,len,0,"",&blob[0]); //返回的反汇编数据在blob结构中,我直接内存抓出来了 DWORD dwTmp = blob[0]; DWORD len = *(DWORD *)(dwTmp+0x08); BYTE *p = *(BYTE **)(dwTmp+0x0C); //SaveToFile(p,len,"test.txt"); } } } 前两处没发现什么有价值代码,其中最后一处长度0xC24长度的数据反出来如下: // // Generated by Microsoft (R) HLSL Shader Compiler 6.3.9600.16384 // // // Buffer Definitions: // // cbuffer cb // { // // float4x4 v; // Offset: 0 Size: 64 [unused] // float4x4 p; // Offset: 64 Size: 64 [unused] // float4x4 w; // Offset: 128 Size: 64 [unused] // float4 c1; // Offset: 192 Size: 16 [unused] // float4 c2; // Offset: 208 Size: 16 [unused] // uint4 val; // Offset: 224 Size: 16 // // } // // // Resource Bindings: // // Name Type Format Dim HLSL Bind Count // ------------------------------ ---------- ------- ----------- -------------- ------ // samLinear sampler NA NA s0 1 // tx0 texture float4 2d t0 1 // tx1 texture float4 
2d t1 1 // cb cbuffer NA NA cb0 1 // // // // Input signature: // // Name Index Mask Register SysValue Format Used // -------------------- ----- ------ -------- -------- ------- ------ // SV_POSITION 0 xyzw 0 POS float // TEXCOORD 0 xy 1 NONE float xy // COLOR 0 xyzw 2 NONE float // // // Output signature: // // Name Index Mask Register SysValue Format Used // -------------------- ----- ------ -------- -------- ------- ------ // SV_Target 0 xyzw 0 TARGET float xyzw // ps_4_0 dcl_constantbuffer CB0[15], immediateIndexed dcl_sampler s0, mode_default dcl_resource_texture2d (float,float,float,float) t0 dcl_resource_texture2d (float,float,float,float) t1 dcl_input_ps linear v1.xy dcl_output o0.xyzw dcl_temps 4 ine r0.xyz, cb0[14].xyzx, l(0, 0, 0, 0) and r0.x, r0.y, r0.x and r0.x, r0.z, r0.x ult r0.y, l(0x3b9aca00), cb0[14].x and r0.x, r0.y, r0.x ult r0.yz, cb0[14].xxyx, cb0[14].yyzy and r0.x, r0.y, r0.x and r0.x, r0.z, r0.x ult r0.y, cb0[14].z, l(-1) and r0.x, r0.y, r0.x udiv r0.yzw, null, cb0[14].zzxy, l(0, 0x000186a0, 0x000186a0, 0x000186a0) imad r1.xyz, r0.zwyz, l(0xfffe7960, 0xfffe7960, 0xfffe7960, 0), cb0[14].xyzx udiv r2.x, r3.x, r0.z, l(10) udiv null, r1.w, r2.x, l(10) udiv r2.xyzw, null, r0.zzzw, l(100, 1000, 10000, 100) udiv null, r2.xyzw, r2.xyzw, l(10, 10, 10, 10) imul null, r1.w, r1.w, l(1000) imad r1.w, r3.x, l(10000), r1.w imad r1.w, r2.x, l(100), r1.w imad r1.w, r2.y, l(10), r1.w iadd r1.w, r2.z, r1.w ieq r1.x, r1.x, r1.w and r0.x, r0.x, r1.x udiv r1.x, r2.x, r0.w, l(10) udiv null, r1.x, r1.x, l(10) udiv r3.xyzw, null, r0.wwyy, l(1000, 10000, 100, 1000) udiv null, r3.xyzw, r3.xyzw, l(10, 10, 10, 10) imul null, r1.x, r1.x, l(1000) imad r1.x, r2.x, l(10000), r1.x imad r1.x, r2.w, l(100), r1.x imad r1.x, r3.x, l(10), r1.x iadd r1.x, r3.y, r1.x ieq r1.x, r1.y, r1.x and r0.x, r0.x, r1.x udiv r1.x, r2.x, r0.y, l(10) udiv r1.y, null, r0.y, l(10000) udiv null, r1.xy, r1.xyxx, l(10, 10, 0, 0) imul null, r1.x, r1.x, l(1000) imad r1.x, r2.x, l(10000), r1.x imad 
r1.x, r3.z, l(100), r1.x
imad r1.x, r3.w, l(10), r1.x
iadd r1.x, r1.y, r1.x
ieq r1.x, r1.z, r1.x
and r0.x, r0.x, r1.x
movc r0.yzw, r0.xxxx, r0.yyzw, cb0[14].zzxy
iadd r1.x, r0.w, r0.z
iadd r1.x, r0.y, r1.x
iadd r1.x, r1.x, l(0x0000374f)
ieq r1.x, r1.x, l(0x00017334)
and r0.x, r0.x, r1.x
imad r1.xy, l(3, 6, 0, 0), r0.zyzz, r0.wzww
iadd r1.xy, r1.xyxx, l(0x0000374f, 0x0000a5ed, 0, 0)
iadd r1.xy, -r0.ywyy, r1.xyxx
ieq r1.xy, r1.xyxx, l(0x0000d146, 0x00040ad5, 0, 0)
and r0.x, r0.x, r1.x
ishl r0.w, r0.w, l(1)
iadd r0.y, r0.w, r0.y
iadd r0.y, r0.y, l(0x00006e9e)
iadd r0.y, -r0.z, r0.y
ieq r0.y, r0.y, l(0x000182c1)
and r0.x, r0.y, r0.x
and r0.x, r1.y, r0.x
if_nz r0.x
sample o0.xyzw, v1.xyxx, t0.xyzw, s0
ret
else
sample o0.xyzw, v1.xyxx, t1.xyzw, s0
ret
endif
ret
这里似乎就是体力活了,从这段代码中分析得到下面几个关系式:
a = x的10进制高5位数
b = y的10进制高5位数
c = z的10进制高5位数
d = x的10进制高5位数反序排列
e = y的10进制高5位数反序排列
f = z的10进制高5位数反序排列
a * 4294867296 + x = d
b * 4294867296 + y = e
c * 4294867296 + z = f
(4294867296 即 0xfffe7960,按32位运算等于 -100000,所以这三式的意思就是 x、y、z 的10进制低5位分别等于 d、e、f)
//a - b + 6*c = 222440,此关系式最后没用到,舍弃
a + b + c = 80869
3*a + b - c = 39415
a - 2*b - c = -70691 (ishl r0.w, r0.w, l(1) 表示 b 乘 2)
先解出最后这个三元一次方程组得到:
a=17580 b=24982 c=38307
所以:
d=8571 e=28942 f=70383
最后用a * 4294867296 + x = d这个关系式得到x,y,z的低5位:
8571 - 17580 * 4294867296 - 1758000000 = 17580
28942 - 24982 * 4294867296 - 2498200000 = 24982
70383 - 38307 * 4294867296 - 3830700000 = 38307
从结果看低5位就是高5位的倒序
拼起来得到最终结果:
175800857124982289423830770383
最后于 2018-12-19 11:27
被ccfer编辑
,原因: