-
-
[原创]看雪CTF.TSRC 2018 团队赛 第九题 谍战
-
发表于: 2018-12-19 10:31
-
这个题能够做出来,还是有点运气的....在跟踪程序获取输入sn的过程中,都没有找到相关的代码,不管是对GetWindowTextW下断,还是跟踪WM_GETTEXT消息以及消息循环。最后无奈的查看了窗口创建过程的函数sub_403E70,看起来有点复杂。不过到是发现这个程序使用了DirectX的API,猜测与sn有关的运算可能转到GPU了,所以调试器也跟踪不到。
查了下文档D3D11CreateDeviceAndSwapChain这个函数是创建一个用于渲染的设备和交换链接,第一次接触DirectX,一开始也不太理解这个函数。继续浏览了后面的代码,发现很多函数的调用来自pDevice或pImmediateContext对象中的方法。所以需要制定一个D3D11的类型识别库来识别ID3D11Device和ID3D11DeviceContext对象,方便分析这些方法的作用和用途,我这里用的是kkhaike大神制作的til。
这个地方创建了一个顶点着色器,和两个像素着色器。byte_4AC4B8、unk_4AC2C8和byte_4AB6A0是HLSL(
高阶着色器语言
)的字节码。后面的代码主要是创建缓存、更新资源和设置渲染目标以及图像的绘制等,然后就是来到了消息循环处。消息循环处一些这样的代码,代码如下:
这里使用了顶点着色器和一个像素着色器。我的猜测是该题根据sn的输入来绘制正确与否的提示信息,相关的运算在这两个着色器中。所以需要分析这两个着色器的HLSL字节码。在分析字节码之前,也花了较多的时间学了下HLSL。借鉴了下ccfer大神在看雪京东2018CTF第10题的wp的D3D反汇编方法。反汇编得到的一个像素着色器的代码如下:
//
// Generated by Microsoft (R) HLSL Shader Compiler 6.3.9600.16384
//
//
// Buffer Definitions:
//
// cbuffer cb
// {
//
// float4x4 v; // Offset: 0 Size: 64
// float4x4 p; // Offset: 64 Size: 64
// float4x4 w; // Offset: 128 Size: 64
// float4 c1; // Offset: 192 Size: 16 [unused]
// float4 c2; // Offset: 208 Size: 16 [unused]
// uint4 val; // Offset: 224 Size: 16 [unused]
//
// }
//
//
// Resource Bindings:
//
// Name Type Format Dim Slot Elements
// ------------------------------ ---------- ------- ----------- ---- --------
// cb cbuffer NA NA 0 1
//
//
//
// Input signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// POSITION 0 xyzw 0 NONE float xyzw
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float xyzw
//
//
// Output signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_POSITION 0 xyzw 0 POS float xyzw
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float xyzw
//
vs_4_0
dcl_constantbuffer cb0[12], immediateIndexed
dcl_input v0.xyzw
dcl_input v1.xy
dcl_input v2.xyzw
dcl_output_siv o0.xyzw, position
dcl_output o1.xy
dcl_output o2.xyzw
dcl_temps 2
dp4 r0.x, v0.xyzw, cb0[8].xyzw
dp4 r0.y, v0.xyzw, cb0[9].xyzw
dp4 r0.z, v0.xyzw, cb0[10].xyzw
dp4 r0.w, v0.xyzw, cb0[11].xyzw
dp4 r1.x, r0.xyzw, cb0[0].xyzw
dp4 r1.y, r0.xyzw, cb0[1].xyzw
dp4 r1.z, r0.xyzw, cb0[2].xyzw
dp4 r1.w, r0.xyzw, cb0[3].xyzw
dp4 o0.x, r1.xyzw, cb0[4].xyzw
dp4 o0.y, r1.xyzw, cb0[5].xyzw
dp4 o0.z, r1.xyzw, cb0[6].xyzw
dp4 o0.w, r1.xyzw, cb0[7].xyzw
mov o1.xy, v1.xyxx
mov o2.xyzw, v2.xyzw
ret
// Approximately 15 instruction slots used顶点着色器的代码如下:
//
// Generated by Microsoft (R) HLSL Shader Compiler 6.3.9600.16384
//
//
// Buffer Definitions:
//
// cbuffer cb
// {
//
// float4x4 v; // Offset: 0 Size: 64
// float4x4 p; // Offset: 64 Size: 64
// float4x4 w; // Offset: 128 Size: 64
// float4 c1; // Offset: 192 Size: 16 [unused]
// float4 c2; // Offset: 208 Size: 16 [unused]
// uint4 val; // Offset: 224 Size: 16 [unused]
//
// }
//
//
// Resource Bindings:
//
// Name Type Format Dim Slot Elements
// ------------------------------ ---------- ------- ----------- ---- --------
// cb cbuffer NA NA 0 1
//
//
//
// Input signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// POSITION 0 xyzw 0 NONE float xyzw
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float xyzw
//
//
// Output signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_POSITION 0 xyzw 0 POS float xyzw
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float xyzw
//
vs_4_0
dcl_constantbuffer cb0[12], immediateIndexed
dcl_input v0.xyzw
dcl_input v1.xy
dcl_input v2.xyzw
dcl_output_siv o0.xyzw, position
dcl_output o1.xy
dcl_output o2.xyzw
dcl_temps 2
dp4 r0.x, v0.xyzw, cb0[8].xyzw
dp4 r0.y, v0.xyzw, cb0[9].xyzw
dp4 r0.z, v0.xyzw, cb0[10].xyzw
dp4 r0.w, v0.xyzw, cb0[11].xyzw
dp4 r1.x, r0.xyzw, cb0[0].xyzw
dp4 r1.y, r0.xyzw, cb0[1].xyzw
dp4 r1.z, r0.xyzw, cb0[2].xyzw
dp4 r1.w, r0.xyzw, cb0[3].xyzw
dp4 o0.x, r1.xyzw, cb0[4].xyzw
dp4 o0.y, r1.xyzw, cb0[5].xyzw
dp4 o0.z, r1.xyzw, cb0[6].xyzw
dp4 o0.w, r1.xyzw, cb0[7].xyzw
mov o1.xy, v1.xyxx
mov o2.xyzw, v2.xyzw
ret
// Approximately 15 instruction slots used顶点着色器的代码如下:
//
// Generated by Microsoft (R) HLSL Shader Compiler 6.3.9600.16384
//
//
// Buffer Definitions:
//
// cbuffer cb
// {
//
// float4x4 v; // Offset: 0 Size: 64 [unused]
// float4x4 p; // Offset: 64 Size: 64 [unused]
// float4x4 w; // Offset: 128 Size: 64 [unused]
// float4 c1; // Offset: 192 Size: 16 [unused]
// float4 c2; // Offset: 208 Size: 16 [unused]
// uint4 val; // Offset: 224 Size: 16
//
// }
//
//
// Resource Bindings:
//
// Name Type Format Dim Slot Elements
// ------------------------------ ---------- ------- ----------- ---- --------
// samLinear sampler NA NA 0 1
// tx0 texture float4 2d 0 1
// tx1 texture float4 2d 1 1
// cb cbuffer NA NA 0 1
//
//
//
// Input signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_POSITION 0 xyzw 0 POS float
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float
//
//
// Output signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_Target 0 xyzw 0 TARGET float xyzw
//
ps_4_0
dcl_constantbuffer cb0[15], immediateIndexed
dcl_sampler s0, mode_default
dcl_resource_texture2d (float,float,float,float) t0
dcl_resource_texture2d (float,float,float,float) t1
dcl_input_ps linear v1.xy
dcl_output o0.xyzw
dcl_temps 4
ine r0.xyz, cb0[14].xyzx, l(0, 0, 0, 0)
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, l(0x3b9aca00), cb0[14].x
and r0.x, r0.y, r0.x
ult r0.yz, cb0[14].xxyx, cb0[14].yyzy
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, cb0[14].z, l(-1)
and r0.x, r0.y, r0.x
udiv r0.yzw, null, cb0[14].zzxy, l(0, 0x000186a0, 0x000186a0, 0x000186a0)
imad r1.xyz, r0.zwyz, l(0xfffe7960, 0xfffe7960, 0xfffe7960, 0), cb0[14].xyzx
udiv r2.x, r3.x, r0.z, l(10)
udiv null, r1.w, r2.x, l(10)
udiv r2.xyzw, null, r0.zzzw, l(100, 1000, 10000, 100)
udiv null, r2.xyzw, r2.xyzw, l(10, 10, 10, 10)
imul null, r1.w, r1.w, l(1000)
imad r1.w, r3.x, l(10000), r1.w
imad r1.w, r2.x, l(100), r1.w
imad r1.w, r2.y, l(10), r1.w
iadd r1.w, r2.z, r1.w
ieq r1.x, r1.x, r1.w
and r0.x, r0.x, r1.x
udiv r1.x, r2.x, r0.w, l(10)
udiv null, r1.x, r1.x, l(10)
udiv r3.xyzw, null, r0.wwyy, l(1000, 10000, 100, 1000)
udiv null, r3.xyzw, r3.xyzw, l(10, 10, 10, 10)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r2.w, l(100), r1.x
imad r1.x, r3.x, l(10), r1.x
iadd r1.x, r3.y, r1.x
ieq r1.x, r1.y, r1.x
and r0.x, r0.x, r1.x
udiv r1.x, r2.x, r0.y, l(10)
udiv r1.y, null, r0.y, l(10000)
udiv null, r1.xy, r1.xyxx, l(10, 10, 0, 0)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r3.z, l(100), r1.x
imad r1.x, r3.w, l(10), r1.x
iadd r1.x, r1.y, r1.x
ieq r1.x, r1.z, r1.x
and r0.x, r0.x, r1.x
movc r0.yzw, r0.xxxx, r0.yyzw, cb0[14].zzxy
iadd r1.x, r0.w, r0.z
iadd r1.x, r0.y, r1.x
iadd r1.x, r1.x, l(0x0000374f)
ieq r1.x, r1.x, l(0x00017334)
and r0.x, r0.x, r1.x
imad r1.xy, l(3, 6, 0, 0), r0.zyzz, r0.wzww
iadd r1.xy, r1.xyxx, l(0x0000374f, 0x0000a5ed, 0, 0)
iadd r1.xy, -r0.ywyy, r1.xyxx
ieq r1.xy, r1.xyxx, l(0x0000d146, 0x00040ad5, 0, 0)
and r0.x, r0.x, r1.x
ishl r0.w, r0.w, l(1)
iadd r0.y, r0.w, r0.y
iadd r0.y, r0.y, l(0x00006e9e)
iadd r0.y, -r0.z, r0.y
ieq r0.y, r0.y, l(0x000182c1)
and r0.x, r0.y, r0.x
and r0.x, r1.y, r0.x
if_nz r0.x
sample o0.xyzw, v1.xyxx, t0.xyzw, s0
ret
else
sample o0.xyzw, v1.xyxx, t1.xyzw, s0
ret
endif
ret
// Approximately 70 instruction slots used//
// Generated by Microsoft (R) HLSL Shader Compiler 6.3.9600.16384
//
//
// Buffer Definitions:
//
// cbuffer cb
// {
//
// float4x4 v; // Offset: 0 Size: 64 [unused]
// float4x4 p; // Offset: 64 Size: 64 [unused]
// float4x4 w; // Offset: 128 Size: 64 [unused]
// float4 c1; // Offset: 192 Size: 16 [unused]
// float4 c2; // Offset: 208 Size: 16 [unused]
// uint4 val; // Offset: 224 Size: 16
//
// }
//
//
// Resource Bindings:
//
// Name Type Format Dim Slot Elements
// ------------------------------ ---------- ------- ----------- ---- --------
// samLinear sampler NA NA 0 1
// tx0 texture float4 2d 0 1
// tx1 texture float4 2d 1 1
// cb cbuffer NA NA 0 1
//
//
//
// Input signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_POSITION 0 xyzw 0 POS float
// TEXCOORD 0 xy 1 NONE float xy
// COLOR 0 xyzw 2 NONE float
//
//
// Output signature:
//
// Name Index Mask Register SysValue Format Used
// -------------------- ----- ------ -------- -------- ------- ------
// SV_Target 0 xyzw 0 TARGET float xyzw
//
ps_4_0
dcl_constantbuffer cb0[15], immediateIndexed
dcl_sampler s0, mode_default
dcl_resource_texture2d (float,float,float,float) t0
dcl_resource_texture2d (float,float,float,float) t1
dcl_input_ps linear v1.xy
dcl_output o0.xyzw
dcl_temps 4
ine r0.xyz, cb0[14].xyzx, l(0, 0, 0, 0)
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, l(0x3b9aca00), cb0[14].x
and r0.x, r0.y, r0.x
ult r0.yz, cb0[14].xxyx, cb0[14].yyzy
and r0.x, r0.y, r0.x
and r0.x, r0.z, r0.x
ult r0.y, cb0[14].z, l(-1)
and r0.x, r0.y, r0.x
udiv r0.yzw, null, cb0[14].zzxy, l(0, 0x000186a0, 0x000186a0, 0x000186a0)
imad r1.xyz, r0.zwyz, l(0xfffe7960, 0xfffe7960, 0xfffe7960, 0), cb0[14].xyzx
udiv r2.x, r3.x, r0.z, l(10)
udiv null, r1.w, r2.x, l(10)
udiv r2.xyzw, null, r0.zzzw, l(100, 1000, 10000, 100)
udiv null, r2.xyzw, r2.xyzw, l(10, 10, 10, 10)
imul null, r1.w, r1.w, l(1000)
imad r1.w, r3.x, l(10000), r1.w
imad r1.w, r2.x, l(100), r1.w
imad r1.w, r2.y, l(10), r1.w
iadd r1.w, r2.z, r1.w
ieq r1.x, r1.x, r1.w
and r0.x, r0.x, r1.x
udiv r1.x, r2.x, r0.w, l(10)
udiv null, r1.x, r1.x, l(10)
udiv r3.xyzw, null, r0.wwyy, l(1000, 10000, 100, 1000)
udiv null, r3.xyzw, r3.xyzw, l(10, 10, 10, 10)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r2.w, l(100), r1.x
imad r1.x, r3.x, l(10), r1.x
iadd r1.x, r3.y, r1.x
ieq r1.x, r1.y, r1.x
and r0.x, r0.x, r1.x
udiv r1.x, r2.x, r0.y, l(10)
udiv r1.y, null, r0.y, l(10000)
udiv null, r1.xy, r1.xyxx, l(10, 10, 0, 0)
imul null, r1.x, r1.x, l(1000)
imad r1.x, r2.x, l(10000), r1.x
imad r1.x, r3.z, l(100), r1.x
imad r1.x, r3.w, l(10), r1.x
iadd r1.x, r1.y, r1.x
ieq r1.x, r1.z, r1.x
and r0.x, r0.x, r1.x
movc r0.yzw, r0.xxxx, r0.yyzw, cb0[14].zzxy
iadd r1.x, r0.w, r0.z
iadd r1.x, r0.y, r1.x
iadd r1.x, r1.x, l(0x0000374f)
ieq r1.x, r1.x, l(0x00017334)
and r0.x, r0.x, r1.x
imad r1.xy, l(3, 6, 0, 0), r0.zyzz, r0.wzww
iadd r1.xy, r1.xyxx, l(0x0000374f, 0x0000a5ed, 0, 0)
iadd r1.xy, -r0.ywyy, r1.xyxx
ieq r1.xy, r1.xyxx, l(0x0000d146, 0x00040ad5, 0, 0)
and r0.x, r0.x, r1.x
ishl r0.w, r0.w, l(1)
iadd r0.y, r0.w, r0.y
iadd r0.y, r0.y, l(0x00006e9e)
iadd r0.y, -r0.z, r0.y
ieq r0.y, r0.y, l(0x000182c1)
and r0.x, r0.y, r0.x
and r0.x, r1.y, r0.x
if_nz r0.x
sample o0.xyzw, v1.xyxx, t0.xyzw, s0
ret
else
sample o0.xyzw, v1.xyxx, t1.xyzw, s0
ret
endif
ret
// Approximately 70 instruction slots used[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
