[原创]KCTF2022秋季赛 第八题 商贸往来 题解
发表于: 2022-12-3 20:16 13069
开头包装的一层调用可以手动清理出来。它调用了 sub_4026D2 作为窗口回调，在 WM_COMMAND 里面
会再执行一次 crackme：以挂起方式重新创建自身，在子进程入口点写入一段 stub，让它去调用 0x401000（sub_401000）。
通过调用 Decompress 函数解压数据。
类似格式是：
在这里进行调用，v47 用于加密，v45 用于最后的验证。
通过强制 F5 了几个函数发现，对应输入只进行了基于字节的异或加密、交换、查表，修改其中一个字节只会对加密结果产生一个字节的影响，因此每个字节可以独立爆破。这些代码花式调用了大量 API，拖慢了计算速度，同时也有反调试。
其实根据附带的题目描述我感觉是叫你硬看,但我就偏要硬爆
将最后一个函数 F5，找到比对逻辑，将其导出。
将原始文件 patch 入口点为 `push 0x402d4c` / `call 0x401000`，后面跟一个 int3，然后 nop 掉 0x04026C8 处的 ExitProcess。到达 int3 后读取并重写 flag 的值，然后把 EIP 改回入口点进行下一次爆破。注意原程序会先把输入填充到 128 字节（长度之后的奇数位填 0x20、偶数位填 0x7F），直接调用 0x401000 时需要自己构造同样的缓冲区，否则比对结果与正常运行不一致。
需要用到 ScyllaHide：爆破的时候先执行 `InjectorCLIx86.exe sb.exe HookLibraryx86.dll nowait` 加载反反调试，配置文件选 Themida x86/x64。
预计时间是 (128 + 94) * 10 / 60 = 37 分钟。
// --- WM_COMMAND handler, excerpt (the enclosing function and LABEL_69 are outside this listing).
// Imports are reached through a pointer table at dword_4ABE44 / v35; the decompiler's
// `// Name` annotations identify the slots that were resolved.
// Step 1: read the candidate flag from dialog control 1001 into v7 (256 bytes).
v21 = (*(int (__stdcall **)(int, int))(dword_4ABE44 + 92))(a1, 1001);// GetDlgItem
if ( v21 )
{
  for ( i = 0; i < 0x100; ++i )                 // clear the 256-byte input buffer
    v7[i] = 0;
  v42 = (*(int (__stdcall **)(int))(v35 + 96))(v21);// GetWindowTextLengthA
  if ( v42 <= 210 && v42 >= 1 )                 // raw control text must be 1..210 chars
  {
    (*(void (__stdcall **)(int, char *, int))(v35 + 100))(v21, v7, 255);// GetWindowTextA (at most 255 into the 256-byte v7)
    v42 = (*(int (__stdcall **)(char *))(v35 + 24))(v7);// lstrlenA
    if ( v42 >= 1 && v42 <= 128 )               // the checker consumes exactly 128 bytes
    {
      // Pad positions len..127 with a fixed pattern: 0x20 at odd indices, 0x7F at even ones.
      // Anything that drives sub_401000 directly must reproduce this padding.
      for ( j = v42; j < 128; ++j )
      {
        if ( j % 2 )
          v7[j] = 0x20;
        else
          v7[j] = 0x7F;
      }
      v34 = 1;                                  // input accepted
    }
    else
    {
      v34 = 0;
    }
  }
  else
  {
    v34 = 0;
  }
}
else
{
  v34 = 0;
}
// Step 2: re-launch this executable suspended and run the checker inside the child.
if ( v34 )
{
  v43 = dword_4ABE44;
  // Slot +56 fills v5 for module 0 (the own image) with a 255-char limit, and v5 is then
  // passed as the image path to CreateProcessW below — presumably GetModuleFileNameW,
  // i.e. the crackme re-executes itself.
  if ( (*(int (__stdcall **)(_DWORD, char *, int))(dword_4ABE44 + 56))(0, v5, 255) )
  {
    // 12-byte x86 stub: 68 imm32 (push) / B8 imm32 (mov eax) / FF D0 (call eax).
    // strcpy of "h" stores 0x68 0x00; both imm32 operands are patched in below (v27[1], v27[6]).
    strcpy(v27, "h");
    v27[2] = 0;
    v27[3] = 0;
    v27[4] = 0;
    v27[5] = 0xB8;
    v27[6] = 0;
    v27[7] = 0;
    v27[8] = 0;
    v27[9] = 0;
    v27[10] = 0xFF;
    v27[11] = 0xD0;
    Eax = 0;
    v31 = 0;
    // v8 is the STARTUPINFO handed to CreateProcessW: cb = 68 (0x44), rest zeroed.
    // v8[17] (bytes 68..71) lies past the 0x44 bytes the loop clears, so the -1 survives;
    // what that field is cannot be told from this excerpt.
    v8[17] = 0xFFFFFFFF;
    for ( k = 0; k < 0x44; ++k )
      *((_BYTE *)v8 + k) = 0;
    v8[0] = 68;
    for ( m = 0; m < 0x10; ++m )                // 16-byte PROCESS_INFORMATION: by use below v37 = hProcess, v38 = hThread
      *((_BYTE *)&v37 + m) = 0;
    // dwCreationFlags = 4 (CREATE_SUSPENDED): the primary thread stays suspended so the
    // entry point can be patched before ResumeThread.
    if ( (*(int (__stdcall **)(char *, _DWORD, _DWORD, _DWORD, _DWORD, int, _DWORD, _DWORD, int *, int *))(v43 + 28))(// CreateProcessW
           v5, 0, 0, 0, 0, 4, 0, 0, v8, &v37) )
    {
      v6.ContextFlags = 0x10007;                // CONTEXT_FULL
      if ( !(*(int (__stdcall **)(int, CONTEXT *))(v43 + 32))(v38, &v6) )// GetThreadContext
        goto LABEL_69;
      // The child's Eax is used below as its entry-point VA: the stub is written there
      // and the child's image base is derived from it.
      Eax = v6.Eax;
      // VirtualAllocEx(hProcess, NULL, 128, MEM_COMMIT, PAGE_READWRITE): remote buffer for the padded input.
      v31 = (*(int (__stdcall **)(int, _DWORD, int, int, int))(v43 + 44))(v37, 0, 128, 4096, 4);
      if ( !v31 )
        goto LABEL_69;
      // Copy the 128 padded bytes into the child; n advances by the bytes actually written.
      for ( n = 0; n < 0x80; n += v17 )
      {
        v17 = 0;
        if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 0x30))(// WriteProcessMemory
               v37, n + v31, &v7[n], 128 - n, &v17) )
        {
          // NOTE(review): as decompiled, a failed write sets v16 = 0 and jumps past the
          // `if ( !v16 )` test below, so the stub is still written and the child resumed
          // with a partially copied input; the test after `v16 = 1` can never be taken.
          v16 = 0;
          goto LABEL_45;
        }
      }
      v16 = 1;
      if ( !v16 )
        goto LABEL_69;
LABEL_45:
      // Locate sub_401000 inside the child without assuming a fixed base:
      //   v10          = own IMAGE_NT_HEADERS (base + e_lfanew)
      //   *(v10 + 40)  = OptionalHeader.AddressOfEntryPoint (RVA; 4 sig + 20 file hdr + 16)
      //   v9           = child entry VA - entry RVA = child's image base
      //   push operand = v31 (remote input); mov operand = RVA(sub_401000) + child base
      v20 = (PIMAGE_DOS_HEADER)(*(int (__stdcall **)(_DWORD))(v43 + 20))(0);// GetModuleHandleW
      v10 = (int)v20 + v20->e_lfanew;
      v9 = Eax - *(_DWORD *)(v10 + 40);
      v11 = (char *)sub_401000 - (char *)v20;   // unused; the same difference is recomputed two lines below
      *(_DWORD *)&v27[1] = v31;
      *(_DWORD *)&v27[6] = (char *)sub_401000 - (char *)v20 + v9;
      // Overwrite the child's entry point (Eax) with the 12-byte stub.
      for ( ii = 0; ii < 0xC; ii += v15 )
      {
        v15 = 0;
        if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 48))(// WriteProcessMemory (slot +48 == +0x30 above)
               v37, ii + Eax, &v27[ii], 12 - ii, &v15) )
        {
          v14 = 0;
          goto LABEL_52;
        }
      }
      v14 = 1;
LABEL_52:
      if ( v14 )
      {
        (*(void (__stdcall **)(int))(v43 + 36))(v38);// ResumeThread: the child now runs push/mov/call into sub_401000
        v30 = 2;                                // default verdict; 2 doubles as the timeout/failure sentinel
        // WaitForSingleObject returns 0 only when the child exited within 30 s; a timeout
        // (or a failed wait) takes the then-branch and kills the child with exit code 2.
        if ( (*(int (__stdcall **)(int, int))(v43 + 60))(v37, 30000) )// WaitForSingleObject
        {
          (*(void (__stdcall **)(int, int))(v43 + 64))(v37, 2);// TerminateProcess
        }
        else
        {
          v18 = 0;
          // The child's exit code is the verdict; an exit code of 2 is treated as "no result".
          if ( (*(int (__stdcall **)(int, int *))(v43 + 52))(v37, &v18) && v18 != 2 )// GetExitCodeProcess
            v30 = v18;
        }
// --- WM_COMMAND handler, excerpt (the enclosing function and LABEL_69 are outside this listing).
// Imports are reached through a pointer table at dword_4ABE44 / v35; the decompiler's
// `// Name` annotations identify the slots that were resolved.
// Step 1: read the candidate flag from dialog control 1001 into v7 (256 bytes).
v21 = (*(int (__stdcall **)(int, int))(dword_4ABE44 + 92))(a1, 1001);// GetDlgItem
if ( v21 )
{
  for ( i = 0; i < 0x100; ++i )                 // clear the 256-byte input buffer
    v7[i] = 0;
  v42 = (*(int (__stdcall **)(int))(v35 + 96))(v21);// GetWindowTextLengthA
  if ( v42 <= 210 && v42 >= 1 )                 // raw control text must be 1..210 chars
  {
    (*(void (__stdcall **)(int, char *, int))(v35 + 100))(v21, v7, 255);// GetWindowTextA (at most 255 into the 256-byte v7)
    v42 = (*(int (__stdcall **)(char *))(v35 + 24))(v7);// lstrlenA
    if ( v42 >= 1 && v42 <= 128 )               // the checker consumes exactly 128 bytes
    {
      // Pad positions len..127 with a fixed pattern: 0x20 at odd indices, 0x7F at even ones.
      // Anything that drives sub_401000 directly must reproduce this padding.
      for ( j = v42; j < 128; ++j )
      {
        if ( j % 2 )
          v7[j] = 0x20;
        else
          v7[j] = 0x7F;
      }
      v34 = 1;                                  // input accepted
    }
    else
    {
      v34 = 0;
    }
  }
  else
  {
    v34 = 0;
  }
}
else
{
  v34 = 0;
}
// Step 2: re-launch this executable suspended and run the checker inside the child.
if ( v34 )
{
  v43 = dword_4ABE44;
  // Slot +56 fills v5 for module 0 (the own image) with a 255-char limit, and v5 is then
  // passed as the image path to CreateProcessW below — presumably GetModuleFileNameW,
  // i.e. the crackme re-executes itself.
  if ( (*(int (__stdcall **)(_DWORD, char *, int))(dword_4ABE44 + 56))(0, v5, 255) )
  {
    // 12-byte x86 stub: 68 imm32 (push) / B8 imm32 (mov eax) / FF D0 (call eax).
    // strcpy of "h" stores 0x68 0x00; both imm32 operands are patched in below (v27[1], v27[6]).
    strcpy(v27, "h");
    v27[2] = 0;
    v27[3] = 0;
    v27[4] = 0;
    v27[5] = 0xB8;
    v27[6] = 0;
    v27[7] = 0;
    v27[8] = 0;
    v27[9] = 0;
    v27[10] = 0xFF;
    v27[11] = 0xD0;
    Eax = 0;
    v31 = 0;
    // v8 is the STARTUPINFO handed to CreateProcessW: cb = 68 (0x44), rest zeroed.
    // v8[17] (bytes 68..71) lies past the 0x44 bytes the loop clears, so the -1 survives;
    // what that field is cannot be told from this excerpt.
    v8[17] = 0xFFFFFFFF;
    for ( k = 0; k < 0x44; ++k )
      *((_BYTE *)v8 + k) = 0;
    v8[0] = 68;
    for ( m = 0; m < 0x10; ++m )                // 16-byte PROCESS_INFORMATION: by use below v37 = hProcess, v38 = hThread
      *((_BYTE *)&v37 + m) = 0;
    // dwCreationFlags = 4 (CREATE_SUSPENDED): the primary thread stays suspended so the
    // entry point can be patched before ResumeThread.
    if ( (*(int (__stdcall **)(char *, _DWORD, _DWORD, _DWORD, _DWORD, int, _DWORD, _DWORD, int *, int *))(v43 + 28))(// CreateProcessW
           v5, 0, 0, 0, 0, 4, 0, 0, v8, &v37) )
    {
      v6.ContextFlags = 0x10007;                // CONTEXT_FULL
      if ( !(*(int (__stdcall **)(int, CONTEXT *))(v43 + 32))(v38, &v6) )// GetThreadContext
        goto LABEL_69;
      // The child's Eax is used below as its entry-point VA: the stub is written there
      // and the child's image base is derived from it.
      Eax = v6.Eax;
      // VirtualAllocEx(hProcess, NULL, 128, MEM_COMMIT, PAGE_READWRITE): remote buffer for the padded input.
      v31 = (*(int (__stdcall **)(int, _DWORD, int, int, int))(v43 + 44))(v37, 0, 128, 4096, 4);
      if ( !v31 )
        goto LABEL_69;
      // Copy the 128 padded bytes into the child; n advances by the bytes actually written.
      for ( n = 0; n < 0x80; n += v17 )
      {
        v17 = 0;
        if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 0x30))(// WriteProcessMemory
               v37, n + v31, &v7[n], 128 - n, &v17) )
        {
          // NOTE(review): as decompiled, a failed write sets v16 = 0 and jumps past the
          // `if ( !v16 )` test below, so the stub is still written and the child resumed
          // with a partially copied input; the test after `v16 = 1` can never be taken.
          v16 = 0;
          goto LABEL_45;
        }
      }
      v16 = 1;
      if ( !v16 )
        goto LABEL_69;
LABEL_45:
      // Locate sub_401000 inside the child without assuming a fixed base:
      //   v10          = own IMAGE_NT_HEADERS (base + e_lfanew)
      //   *(v10 + 40)  = OptionalHeader.AddressOfEntryPoint (RVA; 4 sig + 20 file hdr + 16)
      //   v9           = child entry VA - entry RVA = child's image base
      //   push operand = v31 (remote input); mov operand = RVA(sub_401000) + child base
      v20 = (PIMAGE_DOS_HEADER)(*(int (__stdcall **)(_DWORD))(v43 + 20))(0);// GetModuleHandleW
      v10 = (int)v20 + v20->e_lfanew;
      v9 = Eax - *(_DWORD *)(v10 + 40);
      v11 = (char *)sub_401000 - (char *)v20;   // unused; the same difference is recomputed two lines below
      *(_DWORD *)&v27[1] = v31;
      *(_DWORD *)&v27[6] = (char *)sub_401000 - (char *)v20 + v9;
      // Overwrite the child's entry point (Eax) with the 12-byte stub.
      for ( ii = 0; ii < 0xC; ii += v15 )
      {
        v15 = 0;
        if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 48))(// WriteProcessMemory (slot +48 == +0x30 above)
               v37, ii + Eax, &v27[ii], 12 - ii, &v15) )
        {
          v14 = 0;
          goto LABEL_52;
        }
      }
      v14 = 1;
LABEL_52:
      if ( v14 )
      {
        (*(void (__stdcall **)(int))(v43 + 36))(v38);// ResumeThread: the child now runs push/mov/call into sub_401000
        v30 = 2;                                // default verdict; 2 doubles as the timeout/failure sentinel
        // WaitForSingleObject returns 0 only when the child exited within 30 s; a timeout
        // (or a failed wait) takes the then-branch and kills the child with exit code 2.
        if ( (*(int (__stdcall **)(int, int))(v43 + 60))(v37, 30000) )// WaitForSingleObject
        {
          (*(void (__stdcall **)(int, int))(v43 + 64))(v37, 2);// TerminateProcess
        }
        else
        {
          v18 = 0;
          // The child's exit code is the verdict; an exit code of 2 is treated as "no result".
          if ( (*(int (__stdcall **)(int, int *))(v43 + 52))(v37, &v18) && v18 != 2 )// GetExitCodeProcess
            v30 = v18;
        }
; The 12-byte stub the parent writes over the suspended child's entry point
; (machine code 68 imm32 / B8 imm32 / FF D0, assembled in v27[] above).
push input          ; imm32 = address of the 128-byte padded input buffer VirtualAllocEx'd in the child
mov eax, 0x401000   ; imm32 = sub_401000; the listing shows the unrelocated address, the parent actually writes RVA + child image base
call eax            ; run the checker on the input; the parent then reads the child's exit code as the verdict
; The 12-byte stub the parent writes over the suspended child's entry point
; (machine code 68 imm32 / B8 imm32 / FF D0, assembled in v27[] above).
push input          ; imm32 = address of the 128-byte padded input buffer VirtualAllocEx'd in the child
mov eax, 0x401000   ; imm32 = sub_401000; the listing shows the unrelocated address, the parent actually writes RVA + child image base
call eax            ; run the checker on the input; the parent then reads the child's exit code as the verdict
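/*
 * One record of the embedded code table that the checker walks at run time
 * (the v108[30] loop): a 32-bit size read as a native DWORD, followed by
 * CodeSize bytes of raw x86 code. The walker reads the size at offset 0,
 * calls offset 4 as an __stdcall function of four arguments, and advances
 * by CodeSize + 4 to reach the next record.
 *
 * The write-up's template notation `uint8_t code[CodeSize]` is not valid C;
 * a flexible array member is the C equivalent. sizeof(struct CodeData) is
 * therefore 4 (the header only) — a record's on-disk size is 4 + CodeSize.
 */
struct CodeData {
    uint32_t CodeSize;   /* number of code bytes that follow this header */
    uint8_t  code[];     /* CodeSize bytes of x86 code; execution enters at offset 4 of the record */
};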
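/*
 * One record of the embedded code table that the checker walks at run time
 * (the v108[30] loop): a 32-bit size read as a native DWORD, followed by
 * CodeSize bytes of raw x86 code. The walker reads the size at offset 0,
 * calls offset 4 as an __stdcall function of four arguments, and advances
 * by CodeSize + 4 to reach the next record.
 *
 * The write-up's template notation `uint8_t code[CodeSize]` is not valid C;
 * a flexible array member is the C equivalent. sizeof(struct CodeData) is
 * therefore 4 (the header only) — a record's on-disk size is 4 + CodeSize.
 */
struct CodeData {
    uint32_t CodeSize;   /* number of code bytes that follow this header */
    uint8_t  code[];     /* CodeSize bytes of x86 code; execution enters at offset 4 of the record */
};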
// --- Checker driver, excerpt (the enclosing function and LABEL_134 are outside this listing).
// v108[30] points at a table of back-to-back records, each a 4-byte size followed by that
// many bytes of x86 code (see struct CodeData). Walking idx + 1 records from the start
// leaves the code address of record idx in v47 / v45, which is then called as
// __stdcall(*v108, v108[1], v108[2], a1). Per the write-up the six v47 calls are the
// encryption stages and the v45 call is the final verification.
if ( v38 )
{
  v90 = 0;
  // Execution order of the six stages: records 5, 0, 4, 3, 2, 1.
  v29[0] = 5;
  v29[1] = 0;
  v29[2] = 4;
  v29[3] = 3;
  v29[4] = 2;
  v29[5] = 1;
  for ( ii = 0; ii < 6; ++ii )
  {
    v32 = v29[ii];
    v92 = 0;
    v47 = 0;
    // Re-walk the table from offset 0 up to and including record v32.
    for ( jj = 0; jj <= v32; ++jj )
    {
      v47 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v92 + 4);// code of record jj
      v46 = *(_DWORD *)(v108[30] + v92);      // its size
      v92 += v46 + 4;                         // advance to the next record
    }
    v90 = v47;
    // Any stage returning 0 aborts the whole check.
    if ( !v47(*v108, v108[1], v108[2], a1) )
      goto LABEL_134;
  }
  v56 = 1;
  v91 = 0;
  v45 = 0;
  // Record 6 (the seventh entry) holds the final comparison; same walk, ending at index 6.
  for ( kk = 0; kk <= 6; ++kk )
  {
    v45 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v91 + 4);
    v48 = *(_DWORD *)(v108[30] + v91);
    v91 += v48 + 4;
  }
  v90 = v45;
  // v56 is the verdict flag: cleared when the final check returns 0.
  if ( !v45(*v108, v108[1], v108[2], a1) )
    v56 = 0;
}
if
( v38 )
{
v90
=
0
;
v29[
0
]
=
5
;
v29[
1
]
=
0
;
v29[
2
]
=
4
;
v29[
3
]
=
3
;
v29[
4
]
=
2
;
v29[
5
]
=
1
;
for
( ii
=
0
; ii <
6
;
+
+
ii )
{
v32
=
v29[ii];
v92
=
0
;
v47
=
0
;
for
( jj
=
0
; jj <
=
v32;
+
+
jj )
{
v47
=
(
int
(__stdcall
*
)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[
30
]
+
v92
+
4
);
v46
=
*
(_DWORD
*
)(v108[
30
]
+
v92);
v92
+
=
v46
+
4
;
}
v90
=
v47;
if
( !v47(
*
v108, v108[
1
], v108[
2
], a1) )
goto LABEL_134;
}
v56
=
1
;
v91
=
0
;
v45
=
0
;
for
( kk
=
0
; kk <
=
6
;
+
+
kk )
{
v45
=
(
int
(__stdcall
*
)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[
30
]
+
v91
+
4
);