
[原创]看雪2023 第三题 秘密计划

2023-9-6 17:37
8886

第二处

第三处
还有一堆 int3 指令(见下方反汇编,紧跟在带 uExitCode 参数的调用之后,调试器会在此处断下)
3. 反复调试后,定位到消息循环处理函数 sub_4061D0
先看弹窗代码

继续往下能看到

.text:00AE4952                            loc_AE4952:                             ; CODE XREF: start-7B↑j
.text:00AE4952 56                                         push    esi             ; uExitCode
.text:00AE4953 E8 78 67 01 00                             call    sub_AFB0D0
.text:00AE4958
.text:00AE4958                            loc_AE4958:                             ; CODE XREF: start-3D↑j
.text:00AE4958 FF 75 E0                                   push    dword ptr [ebp-20h] ; uExitCode
.text:00AE495B E8 34 67 01 00                             call    sub_AFB094
.text:00AE4960 CC                                         int     3               ; Trap to Debugger#
.text:00AE4952                            loc_AE4952:                             ; CODE XREF: start-7B↑j
.text:00AE4952 56                                         push    esi             ; uExitCode
.text:00AE4953 E8 78 67 01 00                             call    sub_AFB0D0
.text:00AE4958
.text:00AE4958                            loc_AE4958:                             ; CODE XREF: start-3D↑j
.text:00AE4958 FF 75 E0                                   push    dword ptr [ebp-20h] ; uExitCode
.text:00AE495B E8 34 67 01 00                             call    sub_AFB094
.text:00AE4960 CC                                         int     3               ; Trap to Debugger#
// Anti-debug check (raw decompiler output): asks the kernel whether a debugger
// is attached to the current process and, if so, terminates the process with
// no message shown.
// a1 and a2 are never read inside this body; the (PVOID, BOOLEAN) shape
// suggests it is reached through a callback -- confirm from the call-site xref.
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
  HMODULE v2; // eax -- ntdll.dll module handle
  FARPROC v3; // eax -- resolved NtQueryInformationProcess (or 0)
  HANDLE v4; // eax
  HANDLE v5; // eax
  int v6; // [esp+0h] [ebp-8h] -- ProcessInformation output buffer
 
  // dword_E4309C caches the resolved NtQueryInformationProcess pointer.
  // On the first call it is resolved via GetModuleHandleW/GetProcAddress,
  // presumably so the API never appears in the static import table.
  // If ntdll.dll cannot be found, v3 is loaded from the still-zero cache and
  // the whole check is silently skipped; likewise if the export is missing.
  if ( dword_E4309C
    || ((v2 = GetModuleHandleW(L"ntdll.dll")) == 0 ? (v3 = (FARPROC)dword_E4309C) : (v3 = GetProcAddress(
                                                                                            v2,
                                                                                            "NtQueryInformationProcess"),
                                                                                     dword_E4309C = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v3),
        v3) )
  {
    v6 = 0;
    v4 = GetCurrentProcess();
    // NtQueryInformationProcess(hProcess, 7, &v6, 4, NULL):
    // 7 is ProcessDebugPort in the public PROCESSINFOCLASS enum; a 0 return is
    // STATUS_SUCCESS and v6 is then non-zero when a debugger is attached.
    if ( !dword_E4309C(v4, 7, &v6, 4, 0) )
    {
      if ( v6 )
      {
        v5 = GetCurrentProcess();
        // Debugger detected: exit code 0, no dialog. This is the only
        // detection signal here; patching this branch or hooking
        // NtQueryInformationProcess to report port 0 defeats it.
        TerminateProcess(v5, 0);
      }
    }
  }
}
// Anti-debug check, written out as a cleaned-up decompilation: resolve
// NtQueryInformationProcess at run time, query ProcessDebugPort for the
// current process and terminate (silently, exit code 0) if a debugger is attached.
// a1 and a2 are unused; the (PVOID, BOOLEAN) signature suggests a callback --
// confirm from the call-site xref.
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
  HMODULE ntdll;
  int debug_port = 0;                           // ProcessInformation output buffer

  // Resolve once and cache in the global dword_E4309C. Resolving dynamically
  // presumably keeps the API out of the static import table.
  if ( !dword_E4309C )
  {
    ntdll = GetModuleHandleW(L"ntdll.dll");
    if ( !ntdll )
      return;                                   // no ntdll handle: check is silently skipped
    dword_E4309C = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))GetProcAddress(ntdll, "NtQueryInformationProcess");
    if ( !dword_E4309C )
      return;                                   // export not found: check is silently skipped
  }

  // 7 == ProcessDebugPort (public PROCESSINFOCLASS enum). A 0 return is
  // STATUS_SUCCESS; a non-zero debug port means a debugger is attached.
  if ( dword_E4309C(GetCurrentProcess(), 7, &debug_port, 4, 0) != 0 )
    return;
  if ( debug_port )
    TerminateProcess(GetCurrentProcess(), 0);   // no dialog: patch this branch or hook the query to bypass
}
if ( a4 != 0x47A )
{
  if ( a4 == 0x47B )
  {
    if ( *(_BYTE *)(a1 + 652) )               // 就是shellcode 发消息机制 修改为1的那个
      MessageBoxW(*(HWND *)(a1 + 28), &Text, "衏:y", 0);// 验证成功
    else
      (*(void (__stdcall **)(int, signed int, _DWORD, _DWORD))(*(_DWORD *)a1 + 176))(a1, 1149, 0, 0);
    return 0;
  }
  if ( a4 == 0x47D )
  {
    MessageBoxW(*(HWND *)(a1 + 28), a1y, "衏:y", 0);// 验证失败
    return 0;
  }
  if ( a4 != 0x47C )
  {
    if ( a4 == 0x47E && input )
    {
      *(_OWORD *)(a1 + 628) = *input;         // 接收验证段发来的结果
      *(_OWORD *)(a1 + 644) = input[1];
    }
    return 0;
  }
if ( a4 != 0x47A )
{
  if ( a4 == 0x47B )
  {
    if ( *(_BYTE *)(a1 + 652) )               // 就是shellcode 发消息机制 修改为1的那个
      MessageBoxW(*(HWND *)(a1 + 28), &Text, "衏:y", 0);// 验证成功
    else
      (*(void (__stdcall **)(int, signed int, _DWORD, _DWORD))(*(_DWORD *)a1 + 176))(a1, 1149, 0, 0);
    return 0;
  }
  if ( a4 == 0x47D )
  {
    MessageBoxW(*(HWND *)(a1 + 28), a1y, "衏:y", 0);// 验证失败
    return 0;
  }
  if ( a4 != 0x47C )
  {
    if ( a4 == 0x47E && input )
    {
      *(_OWORD *)(a1 + 628) = *input;         // 接收验证段发来的结果
      *(_OWORD *)(a1 + 644) = input[1];
    }
    return 0;
  }
if ( !*(_WORD *)input )
{
  j_fun_free(input);
  return 0;
}
sub_406850(input, &sha256, (int)&v31, input_len);// 计算SHA256
v30 = 0;
sha256_1 = (__int128 *)&sha256;
if ( v22 >= 0x10 )
  sha256_1 = sha256;
sub_406D20(sha256_1, (int)&rsa_out, (int)&v31, (int)v9, esi0);// 把SHA256用RSA公钥加密
LOBYTE(v30) = 1;
if ( v24 )
{
  v11 = &rsa_out;
  if ( v25 >= 0x10 )
    v11 = rsa_out;
  (*(void (__thiscall **)(_DWORD *, _DWORD *, int, _DWORD))(v9[170] + 8))(v9 + 170, v11, v24, v9[7]);// 40cf10,将RSA加密结果,再次复制过去。。。
  (*(void (__thiscall **)(_DWORD *, unsigned int))(v9[170] + 12))(v9 + 170, v18);// 这个,就是喜闻乐见的Function了 40cf60
}
else
{
  (*(void (__stdcall **)(_DWORD *, signed int, _DWORD, _DWORD))(*v9 + 176))(v9, 1149, 0, 0);// 没走
}
if ( !*(_WORD *)input )
{
  j_fun_free(input);
  return 0;
}
sub_406850(input, &sha256, (int)&v31, input_len);// 计算SHA256
v30 = 0;
sha256_1 = (__int128 *)&sha256;
if ( v22 >= 0x10 )
  sha256_1 = sha256;
sub_406D20(sha256_1, (int)&rsa_out, (int)&v31, (int)v9, esi0);// 把SHA256用RSA公钥加密
LOBYTE(v30) = 1;
if ( v24 )
{
  v11 = &rsa_out;
  if ( v25 >= 0x10 )
    v11 = rsa_out;
  (*(void (__thiscall **)(_DWORD *, _DWORD *, int, _DWORD))(v9[170] + 8))(v9 + 170, v11, v24, v9[7]);// 40cf10,将RSA加密结果,再次复制过去。。。
  (*(void (__thiscall **)(_DWORD *, unsigned int))(v9[170] + 12))(v9 + 170, v18);// 这个,就是喜闻乐见的Function了 40cf60
}
else
{
  (*(void (__stdcall **)(_DWORD *, signed int, _DWORD, _DWORD))(*v9 + 176))(v9, 1149, 0, 0);// 没走
}
F33FC7A6-5A29-44E7-921E-1A3E9D88B648
93E5A078-5BA5-44F2-94B7-3109EA01DE10
0377E944-EFB5-4AE8-A5D8-C6AE0677CDB3
E7FDEE55-7AB9-4495-A48E-F510DF009792
9D5E62A2-AA9E-42D8-B3AB-17A4ACD94D2B
EB1DB27D-50FB-4CEC-8EAC-C0EBE37C6EAE
56214411-0AB7-4FB7-B8B4-3B8DFE906E42
8FADFA6A-5DB6-4F9C-BECA-5C8D1E4003FF
F33FC7A6-5A29-44E7-921E-1A3E9D88B648
93E5A078-5BA5-44F2-94B7-3109EA01DE10
0377E944-EFB5-4AE8-A5D8-C6AE0677CDB3
E7FDEE55-7AB9-4495-A48E-F510DF009792
9D5E62A2-AA9E-42D8-B3AB-17A4ACD94D2B
EB1DB27D-50FB-4CEC-8EAC-C0EBE37C6EAE
56214411-0AB7-4FB7-B8B4-3B8DFE906E42
8FADFA6A-5DB6-4F9C-BECA-5C8D1E4003FF
.text:0040E195 A08 8A 11                                      mov     dl, [ecx]
.text:0040E197 A08 3A 10                                      cmp     dl, [eax]
.text:0040E199 A08 75 1A                                      jnz     short loc_40E1B5
.text:0040E19B A08 84 D2                                      test    dl, dl
.text:0040E19D A08 74 12                                      jz      short loc_40E1B1
.text:0040E19F A08 8A 51 01                                   mov     dl, [ecx+1]
.text:0040E1A2 A08 3A 50 01                                   cmp     dl, [eax+1]
.text:0040E195 A08 8A 11                                      mov     dl, [ecx]
.text:0040E197 A08 3A 10                                      cmp     dl, [eax]
.text:0040E199 A08 75 1A                                      jnz     short loc_40E1B5
.text:0040E19B A08 84 D2                                      test    dl, dl
.text:0040E19D A08 74 12                                      jz      short loc_40E1B1
.text:0040E19F A08 8A 51 01                                   mov     dl, [ecx+1]
.text:0040E1A2 A08 3A 50 01                                   cmp     dl, [eax+1]
if ( (_DWORD)code_byte_len )                // 0x754,就是纯密文的字节码长度
    {
      v10 = v57;
      (*(void (__thiscall **)(LPVOID, _BYTE **))(*(_DWORD *)v57 + 4))(v57, &sha256);// 40E670 调用核心函数
      LOBYTE(v71) = 1;
      if ( !v62 )                               // 此时=0x20  本次验证就通过了...
if ( (_DWORD)code_byte_len )                // 0x754,就是纯密文的字节码长度
    {
      v10 = v57;
      (*(void (__thiscall **)(LPVOID, _BYTE **))(*(_DWORD *)v57 + 4))(v57, &sha256);// 40E670 调用核心函数
      LOBYTE(v71) = 1;
      if ( !v62 )                               // 此时=0x20  本次验证就通过了...
if ( uc_open(1, 0, (signed int **)&o_uc) )// 1=UC_ARCH_ARM?   UC_MODE_ARM
{
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
 
uc_ctl(o_uc, 0x44000007, 17);       // 7=UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
 
uc_mem_map(o_uc, 0, 0, (int)sub_A00000, 7, (int)lpAddress);// 这里是分配了0xA00000空间,从地址0开始
v23 = code_byte_len_1;
uc_mem_write(o_uc, 0x43000, 0, (int)all_str, code_byte_len_1);// all_str,一堆奇怪的字符串 00 00 结尾
input_sha256 = &v64;
if ( v66 >= 0x10 )
    input_sha256 = (__int128 *)v64;
uc_mem_write(o_uc, 0x4033, 0, (int)input_sha256, input_sha256_len);// 明文sha256,长度是64个字节
if ( uc_emu_start(a1, v19, o_uc, 0x43000, 0, v23 + 0x43000, 0i64, 0) )// 返回了0,代表模拟执行成功了
{
    v10 = v57;
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
uc_mem_read(o_uc, 0x14390, 0, (int)wParam, 0x20u);// wParam 应该是返回的值
uc_mem_unmap(o_uc, 0i64, (unsigned int)sub_A00000);
uc_close(o_uc);
if ( uc_open(1, 0, (signed int **)&o_uc) )// 1=UC_ARCH_ARM?   UC_MODE_ARM
{
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
 
uc_ctl(o_uc, 0x44000007, 17);       // 7=UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
 
uc_mem_map(o_uc, 0, 0, (int)sub_A00000, 7, (int)lpAddress);// 这里是分配了0xA00000空间,从地址0开始
v23 = code_byte_len_1;
uc_mem_write(o_uc, 0x43000, 0, (int)all_str, code_byte_len_1);// all_str,一堆奇怪的字符串 00 00 结尾
input_sha256 = &v64;
if ( v66 >= 0x10 )
    input_sha256 = (__int128 *)v64;
uc_mem_write(o_uc, 0x4033, 0, (int)input_sha256, input_sha256_len);// 明文sha256,长度是64个字节
if ( uc_emu_start(a1, v19, o_uc, 0x43000, 0, v23 + 0x43000, 0i64, 0) )// 返回了0,代表模拟执行成功了
{
    v10 = v57;
