首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
[原创]MR2021MR_register
发表于: 2021-4-23 11:19 3516

[原创]MR2021MR_register

ymws 活跃值
2021-4-23 11:19
3516

MR_register

这是一个双进程调试,建立一个被调试进程,调试器会对被调试者做出一定处理
根据sscanf找到关键函数。CreatProccessA函数中第6哥参数是进程标志,这里是1 | 2 == 3(具体可以查官方文档)

进入sub_40188D函数可以看到是一个调试事件循环

建立调试进程后调试时间第一个就是CREATE_PROCESS_DEBUG_EVENT,其值为3
sub_402CE5就是OpenProcess函数,
被调试者会进入sub_4026EA函数,

动调一下,(不能直接附加),从头开始动调,在除法处会发生异常,buffer[19] == 0, 所以会发生除0异常,
调试器对异常的处理

观察HEX进制窗口,buffer 不满足前面两个条件,通过sub_402545和rip + 2处理异常

主要目的是对dword_405020做修改
sub_402545中有花

因为紧接着就是call的地址,所以不用jmp,直接Nop
再看sub_401CA7函数,有两个断点异常,且下两个字节分别符合0xc3和0x25, 0x25和0x25,


将rip跳走了两个字节,直接nop掉;
这样就可以f5了,虽然f5出来还是有点错误,主要是后面那点栈指针不平衡,但是还是能看,参数传递也分析失败了,这里我直接看的汇编,rcx为第一个参数,依次为rdx,r8,分别对应第二次输入,第一次输入,创建的文件的句柄。
F5出来的伪代码, - (45)作为分割点

然后进入sub_40239E比较

因为加密存在&运算不可逆并且是一个字节一个字节加密,感觉直接暴力还好一点
这里脚本我参考了一下另外一些大佬的改了改写的:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#include<iostream>
#include<cstdio>
#include<vector>
#include<cstring>
#include<sstream>
 
using namespace std;
 
vector<char> v;
string a[500];
int b[500];
 
int main()
{
    char v9[96]; // [rsp+40h] [rbp-40h] BYREF
    char v10[500]; // [rsp+A0h] [rbp+20h] BYREF
    unsigned char v26; // [rsp+3B61h] [rbp+3AE1h]
    unsigned char v27; // [rsp+3B62h] [rbp+3AE2h]
    unsigned char v28; // [rsp+3B63h] [rbp+3AE3h]
    int i; // [rsp+3B7Ch] [rbp+3AFCh]
    unsigned int miwen[376] = {
    0x0000001D, 0x0000006E, 0x0000004E, 0x0000003F, 0x00000039, 0x0000003A, 0x00000028, 0x00000029,
    0x00000017, 0x00000014, 0x00000037, 0x00000046, 0x00000043, 0x00000030, 0x00000011, 0x00000012,
    0x0000002D, 0x0000002E, 0x00000002, 0x0000000C, 0x00000030, 0x00000031, 0x00000032, 0x0000003E,
    0x00000025, 0x00000026, 0x00000005, 0x00000076, 0x0000005E, 0x0000002D, 0x0000000F, 0x0000000C,
    0x0000001D, 0x0000001E, 0x0000003F, 0x0000004C, 0x00000066, 0x00000015, 0x00000038, 0x0000003B,
    0x00000015, 0x00000016, 0x00000006, 0x00000075, 0x0000006F, 0x0000001C, 0x00000003, 0x00000000,
    0x0000000D, 0x0000007C, 0x0000007F, 0x00000003, 0x00000010, 0x0000006C, 0x0000007A, 0x0000000B,
    0x00000005, 0x00000006, 0x0000002A, 0x0000002B, 0x00000021, 0x00000052, 0x0000007D, 0x0000000E,
    0x00000050, 0x00000053, 0x0000007F, 0x0000007C, 0x0000005B, 0x0000005A, 0x00000056, 0x00000058,
    0x0000006C, 0x00000010, 0x00000006, 0x00000077, 0x00000071, 0x00000072, 0x00000050, 0x00000051,
    0x0000007D, 0x0000000E, 0x00000011, 0x00000062, 0x00000078, 0x0000007B, 0x0000006B, 0x00000068,
    0x00000076, 0x00000078, 0x0000007E, 0x00000070, 0x00000071, 0x00000070, 0x00000043, 0x00000040,
    0x0000005D, 0x00000051, 0x00000046, 0x0000003A, 0x00000005, 0x00000079, 0x00000042, 0x0000004C,
    0x00000079, 0x0000007A, 0x00000057, 0x00000026, 0x00000023, 0x0000005F, 0x0000004A, 0x00000044,
    0x0000006D, 0x0000006C, 0x0000006C, 0x0000006F, 0x00000049, 0x0000004A, 0x00000066, 0x00000067,
    0x00000054, 0x0000005A, 0x0000005E, 0x00000050, 0x00000063, 0x00000062, 0x00000052, 0x00000051,
    0x000000BD, 0x000000BE, 0x0000009D, 0x0000009C, 0x000000A9, 0x000000A8, 0x00000097, 0x00000099,
    0x000000AD, 0x000000D1, 0x000000C6, 0x000000B7, 0x000000B1, 0x000000B2, 0x00000090, 0x000000E3,
    0x000000DC, 0x000000A0, 0x000000B7, 0x000000B9, 0x0000008B, 0x0000008A, 0x000000BB, 0x000000B8,
    0x000000A5, 0x000000A6, 0x000000B7, 0x000000B6, 0x00000082, 0x000000F1, 0x000000DD, 0x000000AE,
    0x000000BE, 0x000000B0, 0x00000086, 0x0000008A, 0x00000099, 0x000000E8, 0x000000E5, 0x00000096,
    0x000000B8, 0x000000B9, 0x000000B4, 0x000000C7, 0x000000E1, 0x00000092, 0x00000080, 0x00000083,
    0x0000008D, 0x0000008E, 0x000000A2, 0x000000A3, 0x000000A5, 0x000000A4, 0x000000AB, 0x000000D8,
    0x000000F7, 0x00000084, 0x00000094, 0x000000E7, 0x000000F1, 0x00000080, 0x00000083, 0x00000080,
    0x000000D0, 0x000000A3, 0x00000081, 0x000000F2, 0x000000E9, 0x000000E8, 0x000000D9, 0x000000D8,
    0x000000E6, 0x000000E7, 0x000000D5, 0x000000D6, 0x000000F1, 0x000000F2, 0x000000D1, 0x000000A2,
    0x00000093, 0x00000092, 0x00000090, 0x000000E3, 0x000000C4, 0x000000C5, 0x000000C9, 0x000000C8,
    0x000000C7, 0x000000C4, 0x000000E7, 0x000000E4, 0x000000C1, 0x000000C0, 0x000000F0, 0x000000F1,
    0x000000F0, 0x000000F1, 0x000000FC, 0x0000008F, 0x000000A6, 0x000000D5, 0x000000F8, 0x000000FB,
    0x000000D5, 0x000000D6, 0x000000C7, 0x000000B4, 0x0000008D, 0x0000008C, 0x000000A3, 0x000000D0,
    0x000000DE, 0x000000DF, 0x000000EC, 0x000000ED, 0x000000E9, 0x000000EA, 0x000000CB, 0x000000BA,
    0x000000BA, 0x000000C9, 0x000000E7, 0x00000094, 0x000000B0, 0x000000CC, 0x000000DB, 0x000000D5,
    0x0000002E, 0x0000002F, 0x0000002C, 0x0000002F, 0x00000039, 0x0000003A, 0x00000016, 0x00000017,
    0x00000017, 0x00000016, 0x00000017, 0x00000019, 0x00000029, 0x00000055, 0x00000041, 0x00000040,
    0x00000052, 0x0000002E, 0x00000037, 0x0000003B, 0x00000029, 0x0000002A, 0x00000006, 0x00000075,
    0x00000054, 0x00000028, 0x0000003F, 0x00000031, 0x00000030, 0x0000003E, 0x0000003A, 0x00000034,
    0x0000000D, 0x0000007E, 0x0000006E, 0x0000001F, 0x00000019, 0x0000001A, 0x00000039, 0x0000004A,
    0x00000049, 0x00000048, 0x00000065, 0x00000016, 0x0000003C, 0x0000003D, 0x00000002, 0x0000000C,
    0x00000015, 0x00000069, 0x0000007E, 0x0000000F, 0x00000009, 0x0000000A, 0x0000002B, 0x00000058,
    0x00000074, 0x00000007, 0x00000016, 0x00000018, 0x00000019, 0x00000017, 0x0000002F, 0x0000002E,
    0x0000006D, 0x0000001E, 0x00000000, 0x00000071, 0x00000079, 0x0000007A, 0x0000006A, 0x00000019,
    0x00000004, 0x00000077, 0x00000064, 0x00000017, 0x0000000F, 0x00000073, 0x0000006A, 0x00000064,
    0x0000004D, 0x0000004C, 0x00000042, 0x00000041, 0x00000069, 0x00000018, 0x0000001B, 0x0000001A,
    0x0000001B, 0x0000001A, 0x00000016, 0x00000065, 0x00000042, 0x0000004C, 0x0000007A, 0x00000006,
    0x0000002D, 0x0000002C, 0x0000002E, 0x0000005F, 0x00000059, 0x0000005A, 0x00000076, 0x00000077,
    0x00000075, 0x0000007B, 0x0000004E, 0x00000040, 0x00000073, 0x00000000, 0x00000021, 0x00000052,
    0x00000060, 0x0000006E, 0x00000056, 0x0000002A, 0x00000036, 0x00000047, 0x0000004B, 0x00000078
    };
    for (int i = 374; i >= 0; i--)
        miwen[i] = miwen[i] ^ miwen[i + 1] ^ i;
    miwen[375] = 120;
    strcpy(v9, "ABCDEFGH");
    strcpy(&v9[9], "12345678");
    strcpy(&v9[18], "0IJKLMNO");
    strcpy(&v9[27], "+OPQRStu");
    strcpy(&v9[36], "\\vwxyzTU");
    strcpy(&v9[45], "abcdefgh");
    strcpy(&v9[54], "VWXYZijk");
    strcpy(&v9[63], "lmnopqrs");
    for (i = 0; i < 375; i+=2)
    {
        for (int j = 0; j <= 255; j++)
        {
            v28 = (j >> 6) & 1;
            v27 = (j >> 3) & 7;
            v26 = j & 7;
            v10[i] = v9[9 * v28 + v27];
            v10[i + 1] = v9[9 * v27 + v26];
            if (v10[i] == (unsigned char)miwen[i] && v10[i + 1] == (unsigned char)miwen[i + 1])
            {
                v.push_back(j);
                break;
            }
        }
    }
    vector<char>::iterator k = v.begin();
    i = 0;
    while(k != v.end())
    {
        if (*k == '#')
        {
            std::stringstream ss;
            ss << a[i];
            ss >> hex >> b[i];
            i++;
        }
        else
            a[i].push_back(*k);
        k++;
    }
    for (int j = i - 1; j >= 2; j--)
    {
        b[j] = b[j] - b[j - 1] - b[j - 2];
    }
    for (int j = 0; j < i; j++)
        printf("%c", b[j]);
    system("pause");
}

有错误请师傅们多多指正


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (2)
kanxue
雪    币: 47147
活跃值: (20445)
能力值: (RANK:350 )
在线值:
发帖
回帖
粉丝
私信
2
目标实例程序能否论坛上传一份?
2021-4-23 13:31
0
ymws
雪    币: 15
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
3
是要题目吗
2021-4-23 15:19
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//