首页
社区
课程
招聘
[原创]看雪2023 第三题 秘密计划
发表于: 2023-9-6 17:37 8904

[原创]看雪2023 第三题 秘密计划

2023-9-6 17:37
8904

第二处

第三处
还有一堆int3的指令
3. 反复调试,看到了消息循环的函数4061D0
先看弹窗代码

继续往下能看到

.text:00AE4952                            loc_AE4952:                             ; CODE XREF: start-7B↑j
.text:00AE4952 56                                         push    esi             ; uExitCode
.text:00AE4953 E8 78 67 01 00                             call    sub_AFB0D0
.text:00AE4958
.text:00AE4958                            loc_AE4958:                             ; CODE XREF: start-3D↑j
.text:00AE4958 FF 75 E0                                   push    dword ptr [ebp-20h] ; uExitCode
.text:00AE495B E8 34 67 01 00                             call    sub_AFB094
.text:00AE4960 CC                                         int     3               ; Trap to Debugger#
.text:00AE4952                            loc_AE4952:                             ; CODE XREF: start-7B↑j
.text:00AE4952 56                                         push    esi             ; uExitCode
.text:00AE4953 E8 78 67 01 00                             call    sub_AFB0D0
.text:00AE4958
.text:00AE4958                            loc_AE4958:                             ; CODE XREF: start-3D↑j
.text:00AE4958 FF 75 E0                                   push    dword ptr [ebp-20h] ; uExitCode
.text:00AE495B E8 34 67 01 00                             call    sub_AFB094
.text:00AE4960 CC                                         int     3               ; Trap to Debugger#
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
  HMODULE v2; // eax
  FARPROC v3; // eax
  HANDLE v4; // eax
  HANDLE v5; // eax
  int v6; // [esp+0h] [ebp-8h]
 
  if ( dword_E4309C
    || ((v2 = GetModuleHandleW(L"ntdll.dll")) == 0 ? (v3 = (FARPROC)dword_E4309C) : (v3 = GetProcAddress(
                                                                                            v2,
                                                                                            "NtQueryInformationProcess"),
                                                                                     dword_E4309C = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v3),
        v3) )
  {
    v6 = 0;
    v4 = GetCurrentProcess();
    if ( !dword_E4309C(v4, 7, &v6, 4, 0) )
    {
      if ( v6 )
      {
        v5 = GetCurrentProcess();
        TerminateProcess(v5, 0);
      }
    }
  }
}
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
  HMODULE v2; // eax
  FARPROC v3; // eax
  HANDLE v4; // eax
  HANDLE v5; // eax
  int v6; // [esp+0h] [ebp-8h]
 
  if ( dword_E4309C
    || ((v2 = GetModuleHandleW(L"ntdll.dll")) == 0 ? (v3 = (FARPROC)dword_E4309C) : (v3 = GetProcAddress(
                                                                                            v2,
                                                                                            "NtQueryInformationProcess"),
                                                                                     dword_E4309C = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v3),
        v3) )
  {
    v6 = 0;
    v4 = GetCurrentProcess();
    if ( !dword_E4309C(v4, 7, &v6, 4, 0) )
    {
      if ( v6 )
      {
        v5 = GetCurrentProcess();
        TerminateProcess(v5, 0);
      }
    }
  }
}
if ( a4 != 0x47A )
{
  if ( a4 == 0x47B )
  {
    if ( *(_BYTE *)(a1 + 652) )               // 就是shellcode 发消息机制 修改为1的那个
      MessageBoxW(*(HWND *)(a1 + 28), &Text, "衏:y", 0);// 验证成功
    else
      (*(void (__stdcall **)(int, signed int, _DWORD, _DWORD))(*(_DWORD *)a1 + 176))(a1, 1149, 0, 0);
    return 0;
  }
  if ( a4 == 0x47D )
  {
    MessageBoxW(*(HWND *)(a1 + 28), a1y, "衏:y", 0);// 验证失败
    return 0;
  }
  if ( a4 != 0x47C )
  {
    if ( a4 == 0x47E && input )
    {
      *(_OWORD *)(a1 + 628) = *input;         // 接收验证段发来的结果
      *(_OWORD *)(a1 + 644) = input[1];
    }
    return 0;
  }
if ( a4 != 0x47A )
{
  if ( a4 == 0x47B )
  {
    if ( *(_BYTE *)(a1 + 652) )               // 就是shellcode 发消息机制 修改为1的那个
      MessageBoxW(*(HWND *)(a1 + 28), &Text, "衏:y", 0);// 验证成功
    else
      (*(void (__stdcall **)(int, signed int, _DWORD, _DWORD))(*(_DWORD *)a1 + 176))(a1, 1149, 0, 0);
    return 0;
  }
  if ( a4 == 0x47D )
  {
    MessageBoxW(*(HWND *)(a1 + 28), a1y, "衏:y", 0);// 验证失败
    return 0;
  }
  if ( a4 != 0x47C )
  {
    if ( a4 == 0x47E && input )
    {
      *(_OWORD *)(a1 + 628) = *input;         // 接收验证段发来的结果
      *(_OWORD *)(a1 + 644) = input[1];
    }
    return 0;
  }
if ( !*(_WORD *)input )
{
  j_fun_free(input);
  return 0;
}
sub_406850(input, &sha256, (int)&v31, input_len);// 计算SHA256
v30 = 0;
sha256_1 = (__int128 *)&sha256;
if ( v22 >= 0x10 )
  sha256_1 = sha256;
sub_406D20(sha256_1, (int)&rsa_out, (int)&v31, (int)v9, esi0);// 把SHA256用RSA公钥加密
LOBYTE(v30) = 1;
if ( v24 )
{
  v11 = &rsa_out;
  if ( v25 >= 0x10 )
    v11 = rsa_out;
  (*(void (__thiscall **)(_DWORD *, _DWORD *, int, _DWORD))(v9[170] + 8))(v9 + 170, v11, v24, v9[7]);// 40cf10,将RSA加密结果,再次复制过去。。。
  (*(void (__thiscall **)(_DWORD *, unsigned int))(v9[170] + 12))(v9 + 170, v18);// 这个,就是喜闻乐见的Function了 40cf60
}
else
{
  (*(void (__stdcall **)(_DWORD *, signed int, _DWORD, _DWORD))(*v9 + 176))(v9, 1149, 0, 0);// 没走
}
if ( !*(_WORD *)input )
{
  j_fun_free(input);
  return 0;
}
sub_406850(input, &sha256, (int)&v31, input_len);// 计算SHA256
v30 = 0;
sha256_1 = (__int128 *)&sha256;
if ( v22 >= 0x10 )
  sha256_1 = sha256;
sub_406D20(sha256_1, (int)&rsa_out, (int)&v31, (int)v9, esi0);// 把SHA256用RSA公钥加密
LOBYTE(v30) = 1;
if ( v24 )
{
  v11 = &rsa_out;
  if ( v25 >= 0x10 )
    v11 = rsa_out;
  (*(void (__thiscall **)(_DWORD *, _DWORD *, int, _DWORD))(v9[170] + 8))(v9 + 170, v11, v24, v9[7]);// 40cf10,将RSA加密结果,再次复制过去。。。
  (*(void (__thiscall **)(_DWORD *, unsigned int))(v9[170] + 12))(v9 + 170, v18);// 这个,就是喜闻乐见的Function了 40cf60
}
else
{
  (*(void (__stdcall **)(_DWORD *, signed int, _DWORD, _DWORD))(*v9 + 176))(v9, 1149, 0, 0);// 没走
}
F33FC7A6-5A29-44E7-921E-1A3E9D88B648
93E5A078-5BA5-44F2-94B7-3109EA01DE10
0377E944-EFB5-4AE8-A5D8-C6AE0677CDB3
E7FDEE55-7AB9-4495-A48E-F510DF009792
9D5E62A2-AA9E-42D8-B3AB-17A4ACD94D2B
EB1DB27D-50FB-4CEC-8EAC-C0EBE37C6EAE
56214411-0AB7-4FB7-B8B4-3B8DFE906E42
8FADFA6A-5DB6-4F9C-BECA-5C8D1E4003FF
F33FC7A6-5A29-44E7-921E-1A3E9D88B648
93E5A078-5BA5-44F2-94B7-3109EA01DE10
0377E944-EFB5-4AE8-A5D8-C6AE0677CDB3
E7FDEE55-7AB9-4495-A48E-F510DF009792
9D5E62A2-AA9E-42D8-B3AB-17A4ACD94D2B
EB1DB27D-50FB-4CEC-8EAC-C0EBE37C6EAE
56214411-0AB7-4FB7-B8B4-3B8DFE906E42
8FADFA6A-5DB6-4F9C-BECA-5C8D1E4003FF
.text:0040E195 A08 8A 11                                      mov     dl, [ecx]
.text:0040E197 A08 3A 10                                      cmp     dl, [eax]
.text:0040E199 A08 75 1A                                      jnz     short loc_40E1B5
.text:0040E19B A08 84 D2                                      test    dl, dl
.text:0040E19D A08 74 12                                      jz      short loc_40E1B1
.text:0040E19F A08 8A 51 01                                   mov     dl, [ecx+1]
.text:0040E1A2 A08 3A 50 01                                   cmp     dl, [eax+1]
.text:0040E195 A08 8A 11                                      mov     dl, [ecx]
.text:0040E197 A08 3A 10                                      cmp     dl, [eax]
.text:0040E199 A08 75 1A                                      jnz     short loc_40E1B5
.text:0040E19B A08 84 D2                                      test    dl, dl
.text:0040E19D A08 74 12                                      jz      short loc_40E1B1
.text:0040E19F A08 8A 51 01                                   mov     dl, [ecx+1]
.text:0040E1A2 A08 3A 50 01                                   cmp     dl, [eax+1]
if ( (_DWORD)code_byte_len )                // 0x754,就是纯密文的字节码长度
    {
      v10 = v57;
      (*(void (__thiscall **)(LPVOID, _BYTE **))(*(_DWORD *)v57 + 4))(v57, &sha256);// 40E670 调用核心函数
      LOBYTE(v71) = 1;
      if ( !v62 )                               // 此时=0x20  本次验证就通过了...
if ( (_DWORD)code_byte_len )                // 0x754,就是纯密文的字节码长度
    {
      v10 = v57;
      (*(void (__thiscall **)(LPVOID, _BYTE **))(*(_DWORD *)v57 + 4))(v57, &sha256);// 40E670 调用核心函数
      LOBYTE(v71) = 1;
      if ( !v62 )                               // 此时=0x20  本次验证就通过了...
if ( uc_open(1, 0, (signed int **)&o_uc) )// 1=UC_ARCH_ARM?   UC_MODE_ARM
{
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
 
uc_ctl(o_uc, 0x44000007, 17);       // 7=UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
 
uc_mem_map(o_uc, 0, 0, (int)sub_A00000, 7, (int)lpAddress);// 这里是分配了0xA00000空间,从地址0开始
v23 = code_byte_len_1;
uc_mem_write(o_uc, 0x43000, 0, (int)all_str, code_byte_len_1);// all_str,一堆奇怪的字符串 00 00 结尾
input_sha256 = &v64;
if ( v66 >= 0x10 )
    input_sha256 = (__int128 *)v64;
uc_mem_write(o_uc, 0x4033, 0, (int)input_sha256, input_sha256_len);// 明文sha256,长度是64个字节
if ( uc_emu_start(a1, v19, o_uc, 0x43000, 0, v23 + 0x43000, 0i64, 0) )// 返回了0,代表模拟执行成功了
{
    v10 = v57;
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
uc_mem_read(o_uc, 0x14390, 0, (int)wParam, 0x20u);// wParam 应该是返回的值
uc_mem_unmap(o_uc, 0i64, (unsigned int)sub_A00000);
uc_close(o_uc);
if ( uc_open(1, 0, (signed int **)&o_uc) )// 1=UC_ARCH_ARM?   UC_MODE_ARM
{
    ptr_SendMessageW = (void (__stdcall *)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
 
uc_ctl(o_uc, 0x44000007, 17);       // 7=UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
 
uc_mem_map(o_uc, 0, 0, (int)sub_A00000, 7, (int)lpAddress);// 这里是分配了0xA00000空间,从地址0开始
v23 = code_byte_len_1;
uc_mem_write(o_uc, 0x43000, 0, (int)all_str, code_byte_len_1);// all_str,一堆奇怪的字符串 00 00 结尾
input_sha256 = &v64;
if ( v66 >= 0x10 )
    input_sha256 = (__int128 *)v64;
uc_mem_write(o_uc, 0x4033, 0, (int)input_sha256, input_sha256_len);// 明文sha256,长度是64个字节
if ( uc_emu_start(a1, v19, o_uc, 0x43000, 0, v23 + 0x43000, 0i64, 0) )// 返回了0,代表模拟执行成功了
{
    v10 = v57;

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//