[Original] Question 2: Abnormal Signal, by k1ee
Posted: 2020-11-24 12:33 4236


[screenshot]

This is presumably computing a CRC (polynomial 0xEDB88320) over export names, so that library functions are located by hash instead of by name.

Then the strings: each signed char is converted to a signed int, XORed with 996, and the low 8 bits are the result.
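As an added example (not code from the post), the two steps above in Python: a table-driven CRC-32 with the 0xEDB88320 polynomial used to map hashes back to export names, and the XOR-996 string decoder. The candidate names come from the post's script output; the hashes, the standard init/final-XOR values and the encoded sample are constructed assumptions.

```python
POLY = 0xEDB88320  # reflected CRC-32 polynomial seen in the decompiled code

def make_table(poly=POLY):
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = make_table()

def crc32(data, init=0xFFFFFFFF, final_xor=0xFFFFFFFF):
    """Table-driven CRC-32. Standard init/final values are an assumption;
    hash-based resolvers often tweak them, so both are parameters."""
    crc = init
    for b in data:
        crc = TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ final_xor

def resolve_hashes(hashes, candidates, **crc_kwargs):
    """Map each hash back to an export name by hashing every candidate."""
    lookup = {crc32(name.encode(), **crc_kwargs): name for name in candidates}
    return {h: lookup.get(h, "<unresolved>") for h in hashes}

def decode_string(data, key):
    """Each signed char -> signed int, XOR key, keep the low 8 bits."""
    out = bytearray()
    for b in data:
        signed = b - 256 if b >= 0x80 else b
        out.append((signed ^ key) & 0xFF)
    return bytes(out)

# Constructed sample: names taken from the writeup's script output.
CANDIDATES = ["LoadLibraryA", "GetProcAddress", "GetThreadContext", "CreateThread",
              "NtSetInformationThread", "VirtualAlloc", "GetProcessHeap",
              "NtCreateThreadEx", "CreateDecompressor"]
SAMPLE_HASHES = [crc32(b"LoadLibraryA"), crc32(b"CreateDecompressor"), 0xDEADBEEF]
# Constructed: "Cabinet.Decompress" encoded with key 1289 (low byte 0x09).
SAMPLE_ENCODED = b"Jhk`gl}'Mljfdy{lzz"

if __name__ == "__main__":
    for h, name in resolve_hashes(SAMPLE_HASHES, CANDIDATES).items():
        print(f"{h:08x} : {name}")
    print(decode_string(SAMPLE_ENCODED, 1289))
```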

[screenshot]

I wrote a quick script to try it, in case the strings were simply stored in the binary.

[screenshot]

They were not.

One value looked like a string; with XOR key 1289 it decodes to Cabinet.Decompress.

Let's first see which threads it starts.

[screenshot]

This thread starts another one.

[screenshot]

v3906 = *(_DWORD *)(***(_DWORD ***)(*(_DWORD *)(*(_DWORD *)(__readfsdword(0x18u) + 48) + 12) + 12) + 24); What exactly is this?

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_PEB

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm

https://www.vergiliusproject.com/kernels/x86/Windows%2010/2009%2020H2%20(October%202020%20Update)/_PEB_LDR_DATA

https://www.vergiliusproject.com/kernels/x86/Windows%2010/2009%2020H2%20(October%202020%20Update)/_IMAGE_DOS_HEADER

TEB->PEB->PEB_LDR_DATA->InLoadOrderModuleList.Flink->InLoadOrderModuleList.Flink->DllBase(_IMAGE_DOS_HEADER)
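To make the pointer chain concrete, an added emulation (not code from the post) that chases the same offsets over a constructed little-endian memory image; all addresses and DllBase values are made up. The three dereferences in the expression land on the third entry in load order (after the executable and ntdll.dll, normally kernel32.dll).

```python
import struct

TEB_SELF      = 0x18  # fs:[0x18] -> TEB (NtTib.Self)
TEB_PEB       = 0x30  # TEB + 48  -> ProcessEnvironmentBlock
PEB_LDR       = 0x0C  # PEB + 12  -> Ldr (PEB_LDR_DATA)
LDR_INLOAD    = 0x0C  # Ldr + 12  -> InLoadOrderModuleList.Flink
ENTRY_DLLBASE = 0x18  # LDR_DATA_TABLE_ENTRY + 24 -> DllBase

class Memory:
    def __init__(self, size):
        self.buf = bytearray(size)
    def read32(self, addr):
        return struct.unpack_from("<I", self.buf, addr)[0]
    def write32(self, addr, value):
        struct.pack_into("<I", self.buf, addr, value)

def decompiled_expression(mem, fs_base):
    """Literal transcription of the IDA line quoted in the writeup."""
    teb = mem.read32(fs_base + 0x18)
    peb = mem.read32(teb + 48)
    ldr = mem.read32(peb + 12)
    p = ldr + 12                                   # &InLoadOrderModuleList.Flink
    entry = mem.read32(mem.read32(mem.read32(p)))  # ***p
    return mem.read32(entry + 24)                  # ->DllBase

def walk_in_load_order(mem, fs_base, index):
    """Same chain with named offsets; index 0 is the exe, 1 ntdll, 2 kernel32."""
    teb = mem.read32(fs_base + TEB_SELF)
    peb = mem.read32(teb + TEB_PEB)
    ldr = mem.read32(peb + PEB_LDR)
    entry = mem.read32(ldr + LDR_INLOAD)
    for _ in range(index):
        entry = mem.read32(entry)  # Flink is the first field of the entry
    return mem.read32(entry + ENTRY_DLLBASE)

def build_sample():
    """Constructed image: TEB 0x1000, PEB 0x2000, Ldr 0x3000, three entries."""
    mem = Memory(0x5000)
    fs_base = 0x1000
    mem.write32(fs_base + TEB_SELF, fs_base)
    mem.write32(fs_base + TEB_PEB, 0x2000)
    mem.write32(0x2000 + PEB_LDR, 0x3000)
    entries = [(0x4000, 0x00400000), (0x4100, 0x77000000), (0x4200, 0x76000000)]
    mem.write32(0x3000 + LDR_INLOAD, entries[0][0])
    for i, (addr, base) in enumerate(entries):
        mem.write32(addr, entries[i + 1][0] if i + 1 < len(entries) else 0x3000 + LDR_INLOAD)
        mem.write32(addr + ENTRY_DLLBASE, base)
    return mem, fs_base
```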

Was I overthinking it? Just debug the decompressed code directly: searching the strings finds "Correct", which locates the check at C712B0.

[screenshot]

Because this is a memory snapshot, the string is found directly. Next, the input handling is located.

[screenshot]

Only 0123456789ABCDEF are valid; each input character is converted to the corresponding value 0-15. Then each pair of characters is merged into one hex byte.

[screenshot]

After that, every two hex bytes are turned into a two-byte word, which is compared against two numbers.

[screenshot]

Stepping into rand shows this; a search revealed it is a pseudo-random number generator.

[screenshot]

So the access at offset 0x18 is srand.

[screenshot]

So the algorithm is: if the word equals the rand generated from pos_idx, idx is written; if it equals the rand generated from neg_idx, it is skipped. Effectively, values 0-89 can be written into an array.

I took a look inside get_something.

[screenshot]

There are even fibers in here, but they do not seem to matter. Further down: the input must be more than 12 words.

[screenshot]

There is a requirement on the differences.

[screenshot]

Then comes the key algorithm.

[screenshot]

It requires that the absolute values of all pairwise differences be distinct. Brute force is not feasible, so I asked an algorithm teammate to solve it.

The solution:

Constructing the serial:

Solution (by the way, 86-89 could also be filled with the rand values from neg_idx; wouldn't that count as multiple solutions?)
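An added example (not the author's solver) that reproduces the checks described above in Python: hex-only input, nibble to byte to word packing, more than 12 words, values within the 0-89 array, and all pairwise absolute differences distinct (a Golomb ruler). Byte order inside a word and the exact word-count threshold are assumptions; the sample ruler is a known 12-mark Golomb ruler of length 85 and is constructed input, not the challenge's key.

```python
from itertools import combinations

HEX_DIGITS = "0123456789ABCDEF"

def parse_serial(text):
    """Only 0-9A-F are accepted; each char becomes 0-15, two nibbles make a
    byte and two bytes make a 16-bit word. Low byte first is an assumption."""
    nibbles = []
    for ch in text:
        if ch not in HEX_DIGITS:
            raise ValueError(f"invalid character {ch!r}")
        nibbles.append(HEX_DIGITS.index(ch))
    if len(nibbles) % 4:
        raise ValueError("input must be a whole number of 16-bit words")
    data = [hi << 4 | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2])]
    return [lo | hi << 8 for lo, hi in zip(data[0::2], data[1::2])]

def build_serial(words):
    """Inverse of parse_serial: words -> hex text the program accepts."""
    return "".join(f"{w & 0xFF:02X}{(w >> 8) & 0xFF:02X}" for w in words)

def is_golomb(marks):
    """All pairwise absolute differences must be distinct (and non-zero)."""
    seen = set()
    for a, b in combinations(marks, 2):
        d = abs(a - b)
        if d == 0 or d in seen:
            return False
        seen.add(d)
    return True

def check_serial(text, min_words=13, max_value=89):
    """The checks the writeup describes: more than 12 words (min_words=13 is
    the assumed reading), every value inside the 0-89 array, differences
    distinct. Returns True only if the serial would pass."""
    try:
        words = parse_serial(text)
    except ValueError:
        return False
    if len(words) < min_words or any(w > max_value for w in words):
        return False
    return is_golomb(words)

# Constructed sample: a known optimal 12-mark Golomb ruler (length 85).
RULER12 = [0, 2, 6, 24, 29, 40, 43, 55, 68, 75, 76, 85]

if __name__ == "__main__":
    serial = build_serial(RULER12)
    print(serial, check_serial(serial, min_words=12), check_serial(serial))
```

With the default threshold the 12-mark sample is rejected for being too short even though its differences are all distinct, which is the edge case the "more than 12 words" check introduces.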

References

http://www.datagenetics.com/blog/february22013/

Script output (the API names resolved from the hashes):

```text
func1 : LoadLibraryA
v9143 : LoadLibraryA
v8870 : LoadLibraryA
v7897 : GetProcAddress
v8857 : LoadLibraryA
v7595 : GetThreadContext
v8844 : CreateThread
v7326 : NtSetInformationThread
v9117 : LoadLibraryA
v9130 : LoadLibraryA
v8831 : LoadLibraryA
v7882 : GetProcAddress
v8818 : LoadLibraryA
v7578 : GetThreadContext
v7867 : GetProcAddress
func4 : Cabinet
v7303 : NtSetInformationThread
v9091 : LoadLibraryA
v9104 : LoadLibraryA
v8805 : LoadLibraryA
v7852 : GetProcAddress
v8792 : LoadLibraryA
v7561 : GetThreadContext
v7837 : GetProcAddress
v9078 : LoadLibraryA
v8779 : LoadLibraryA
v7822 : GetProcAddress
v8766 : LoadLibraryA
v7544 : GetThreadContext
func2 : CreateDecompressor
v7280 : NtSetInformationThread
v9052 : LoadLibraryA
v9065 : LoadLibraryA
v8753 : LoadLibraryA
v7807 : GetProcAddress
v8740 : LoadLibraryA
v7527 : GetThreadContext
v7792 : GetProcAddress
v9026 : LoadLibraryA
v9039 : LoadLibraryA
v8727 : LoadLibraryA
v7777 : GetProcAddress
v8714 : LoadLibraryA
v7510 : GetThreadContext
v7762 : GetProcAddress
v9013 : LoadLibraryA
v8701 : LoadLibraryA
v7747 : GetProcAddress
v8688 : LoadLibraryA
v7493 : GetThreadContext
func5 : VirtualAlloc
v9000 : LoadLibraryA
v8662 : LoadLibraryA
v7732 : GetProcAddress
v8649 : LoadLibraryA
v7476 : GetThreadContext
v7717 : GetProcessHeap
v7349 : NtSetInformationThread
v8974 : LoadLibraryA
v8987 : LoadLibraryA
v8636 : LoadLibraryA
v7702 : GetProcAddress
v8623 : LoadLibraryA
v7459 : GetThreadContext
v7687 : GetProcAddress
v7425 : NtCreateThreadEx
v8948 : LoadLibraryA
v8961 : LoadLibraryA
v8610 : LoadLibraryA
v7672 : GetProcAddress
v8597 : LoadLibraryA
v7442 : GetThreadContext
v7657 : GetProcAddress
v8584 : LoadLibraryA
v8896 : LoadLibraryA
v8909 : LoadLibraryA
v8545 : LoadLibraryA
v7627 : GetProcAddress
v8532 : LoadLibraryA
v7391 : GetThreadContext
v7612 : GetProcAddress
v8922 : LoadLibraryA
v8935 : LoadLibraryA
v8571 : LoadLibraryA
v7642 : GetProcAddress
v8558 : LoadLibraryA
v7408 : GetThreadContext
v7912 : GetProcAddress

Process finished with exit code 0
```


Last edited by k1ee on 2020-11-30 14:40, reason: standardize the title