KCTF2019Q4, Problem 4: 西部乐园 (Westworld)
Posted: 2019-12-7 14:57
1. sys
Takes the submitted pass, decrypts the submitted shellcode with it, and executes the result.
Decryption routine: 1400015A0
Lifted straight out of IDA and used as-is: void x_decrypt_shellcode(PBYTE buf, int len, int pass);
Condition for a successful decryption (after decrypting the tail in place, its first DWORD must equal enc_size, which the driver derives from the IOCTL input length):
```c
struct IOStuff
{
    char *out_buf;
    void *fn_wrong;
    DWORD64 pid;
    DWORD64 pass;
    char shellcode[0xE7];   // starts at offset 0x20 (four 8-byte fields precede it)
};

// plain_size: length of the unencrypted prefix of shellcode (computed earlier in the handler, not shown).
// 0x24 = 0x20 (header before shellcode) + 4 (the DWORD that sits between the prefix and the ciphertext).
DWORD enc_size = InputBufferLength - (plain_size + 0x24);
x_decrypt_shellcode(&io->shellcode[plain_size + 4], enc_size, pass);
if ( *(DWORD *)&io->shellcode[plain_size + 4] == enc_size )   // first DWORD of the decrypted tail == enc_size
```
2. exe
Shellcode start: 1400060B0
Shellcode size: 231
Encrypted part start: 140006151+4
Encrypted part size: 0x42
Cross-check against the driver: 0x140006151 - 0x1400060B0 = 0xA1, so plain_size = 0xA1, and 0xA1 + 4 + 0x42 = 0xE7 = 231, i.e. the encrypted tail runs exactly to the end of the shellcode buffer. With a 0x20-byte header in front, InputBufferLength = 0x107 and enc_size = 0x107 - (0xA1 + 0x24) = 0x42, matching the size above.
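The following harness is an added example, not code from the challenge or the original writeup. It models the IOStuff layout from section 1 with the sizes from section 2 (plain prefix 0xA1, 4-byte field, encrypted tail 0x42, input length 0x107) and reproduces the driver's success condition: decrypt the tail in place and compare its first DWORD with enc_size. The real x_decrypt_shellcode at 0x1400015A0 is not reproduced; in its place the harness uses a toy XOR-with-LCG-keystream routine (an assumption, labelled in the code), which is symmetric and so also serves to build the constructed sample input. The bounds guards in check_payload are the harness's own; the page does not show whether the driver has them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Input-buffer layout recovered from the driver (x64: four 8-byte fields,
 * so shellcode begins at offset 0x20, and 0x24 = 0x20 + the 4-byte field
 * between the plain prefix and the ciphertext). */
typedef struct IOStuff {
    char     *out_buf;
    void     *fn_wrong;
    uint64_t  pid;
    uint64_t  pass;
    uint8_t   shellcode[0xE7];
} IOStuff;

#define HDR_SIZE   0x20u
#define PLAIN_SIZE 0xA1u   /* 0x140006151 - 0x1400060B0: unencrypted prefix length */
#define ENC_SIZE   0x42u   /* length of the encrypted tail */
#define INPUT_LEN  (HDR_SIZE + 0xE7u)   /* 0x107: header + full shellcode buffer */

/* Stand-in for x_decrypt_shellcode (the real routine at 0x1400015A0 is not
 * reproduced here): XOR with an LCG keystream seeded by pass. This is an
 * assumption made for the harness; it is symmetric, so it also encrypts. */
static void toy_decrypt(uint8_t *buf, uint32_t len, uint32_t pass)
{
    uint32_t s = pass;
    for (uint32_t i = 0; i < len; i++) {
        s = s * 1103515245u + 12345u;
        buf[i] ^= (uint8_t)(s >> 24);
    }
}

/* enc_size exactly as the driver derives it from the IOCTL input length. */
uint32_t expected_enc_size(uint32_t input_len, uint32_t plain_size)
{
    return input_len - (plain_size + 0x24u);
}

/* Mirrors the driver's check: decrypt the tail in place, then compare its
 * first DWORD with enc_size. Returns 1 on success, 0 otherwise. The two
 * length guards are added here so the harness never reads past the buffer. */
int check_payload(IOStuff *io, uint32_t input_len, uint32_t plain_size, uint32_t pass)
{
    if (input_len < plain_size + 0x24u + 4u)          /* need at least one DWORD of tail */
        return 0;
    uint32_t enc_size = expected_enc_size(input_len, plain_size);
    if (plain_size + 4u + enc_size > sizeof io->shellcode)
        return 0;
    uint8_t *enc = &io->shellcode[plain_size + 4u];
    toy_decrypt(enc, enc_size, pass);
    uint32_t first;
    memcpy(&first, enc, sizeof first);
    return first == enc_size;
}

/* Constructed sample input: NOP prefix, zeroed 4-byte field, and a tail whose
 * first DWORD is ENC_SIZE, encrypted under `pass`. Returns the input length. */
uint32_t build_sample(IOStuff *io, uint32_t pass)
{
    memset(io, 0, sizeof *io);
    io->pass = pass;
    memset(io->shellcode, 0x90, PLAIN_SIZE);               /* plain prefix */
    uint8_t *tail = &io->shellcode[PLAIN_SIZE + 4u];
    uint32_t marker = ENC_SIZE;
    memcpy(tail, &marker, sizeof marker);                  /* DWORD the check looks for */
    memset(tail + 4, 0xCC, ENC_SIZE - 4u);                 /* rest of the encrypted body */
    toy_decrypt(tail, ENC_SIZE, pass);                     /* encrypt (XOR is symmetric) */
    return INPUT_LEN;
}

/* Build a sample under build_pass, then run the driver's check with try_pass. */
int demo_roundtrip(uint32_t build_pass, uint32_t try_pass)
{
    IOStuff io;
    uint32_t len = build_sample(&io, build_pass);
    return check_payload(&io, len, PLAIN_SIZE, try_pass);
}

int main(void)
{
    printf("enc_size for input 0x%X, prefix 0x%X = 0x%X\n", INPUT_LEN, PLAIN_SIZE,
           expected_enc_size(INPUT_LEN, PLAIN_SIZE));
    printf("right pass -> %d, wrong pass -> %d\n",
           demo_roundtrip(0x1234, 0x1234), demo_roundtrip(0x1234, 0x1235));
    return 0;
}
```

Note that the comparison of the decrypted DWORD with enc_size is the only thing standing between a submitted buffer and execution, so anything that can call the IOCTL gets a yes/no answer per pass value; whether that matters depends on the real cipher and on how the pass is obtained, which the writeup does not cover.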