-
-
[原创]看雪2023 第三题 秘密计划
-
发表于: 2023-9-6 17:37 8904
-
第二处
第三处
还有一堆int3的指令
3. 反复调试,看到了消息循环的函数4061D0
先看弹窗代码
继续往下能看到
.text:
00AE4952
loc_AE4952: ; CODE XREF: start
-
7B
↑j
.text:
00AE4952
56
push esi ; uExitCode
.text:
00AE4953
E8
78
67
01
00
call sub_AFB0D0
.text:
00AE4958
.text:
00AE4958
loc_AE4958: ; CODE XREF: start
-
3D
↑j
.text:
00AE4958
FF
75
E0 push dword ptr [ebp
-
20h
] ; uExitCode
.text:
00AE495B
E8
34
67
01
00
call sub_AFB094
.text:
00AE4960
CC
int
3
; Trap to Debugger
#
.text:
00AE4952
loc_AE4952: ; CODE XREF: start
-
7B
↑j
.text:
00AE4952
56
push esi ; uExitCode
.text:
00AE4953
E8
78
67
01
00
call sub_AFB0D0
.text:
00AE4958
.text:
00AE4958
loc_AE4958: ; CODE XREF: start
-
3D
↑j
.text:
00AE4958
FF
75
E0 push dword ptr [ebp
-
20h
] ; uExitCode
.text:
00AE495B
E8
34
67
01
00
call sub_AFB094
.text:
00AE4960
CC
int
3
; Trap to Debugger
#
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
HMODULE v2;
/
/
eax
FARPROC v3;
/
/
eax
HANDLE v4;
/
/
eax
HANDLE v5;
/
/
eax
int
v6;
/
/
[esp
+
0h
] [ebp
-
8h
]
if
( dword_E4309C
|| ((v2
=
GetModuleHandleW(L
"ntdll.dll"
))
=
=
0
? (v3
=
(FARPROC)dword_E4309C) : (v3
=
GetProcAddress(
v2,
"NtQueryInformationProcess"
),
dword_E4309C
=
(
int
(__stdcall
*
)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v3),
v3) )
{
v6
=
0
;
v4
=
GetCurrentProcess();
if
( !dword_E4309C(v4,
7
, &v6,
4
,
0
) )
{
if
( v6 )
{
v5
=
GetCurrentProcess();
TerminateProcess(v5,
0
);
}
}
}
}
void __stdcall sub_4079D0(PVOID a1, BOOLEAN a2)
{
HMODULE v2;
/
/
eax
FARPROC v3;
/
/
eax
HANDLE v4;
/
/
eax
HANDLE v5;
/
/
eax
int
v6;
/
/
[esp
+
0h
] [ebp
-
8h
]
if
( dword_E4309C
|| ((v2
=
GetModuleHandleW(L
"ntdll.dll"
))
=
=
0
? (v3
=
(FARPROC)dword_E4309C) : (v3
=
GetProcAddress(
v2,
"NtQueryInformationProcess"
),
dword_E4309C
=
(
int
(__stdcall
*
)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))v3),
v3) )
{
v6
=
0
;
v4
=
GetCurrentProcess();
if
( !dword_E4309C(v4,
7
, &v6,
4
,
0
) )
{
if
( v6 )
{
v5
=
GetCurrentProcess();
TerminateProcess(v5,
0
);
}
}
}
}
if
( a4 !
=
0x47A
)
{
if
( a4
=
=
0x47B
)
{
if
(
*
(_BYTE
*
)(a1
+
652
) )
/
/
就是shellcode 发消息机制 修改为
1
的那个
MessageBoxW(
*
(HWND
*
)(a1
+
28
), &Text,
"衏:y"
,
0
);
/
/
验证成功
else
(
*
(void (__stdcall
*
*
)(
int
, signed
int
, _DWORD, _DWORD))(
*
(_DWORD
*
)a1
+
176
))(a1,
1149
,
0
,
0
);
return
0
;
}
if
( a4
=
=
0x47D
)
{
MessageBoxW(
*
(HWND
*
)(a1
+
28
), a1y,
"衏:y"
,
0
);
/
/
验证失败
return
0
;
}
if
( a4 !
=
0x47C
)
{
if
( a4
=
=
0x47E
&&
input
)
{
*
(_OWORD
*
)(a1
+
628
)
=
*
input
;
/
/
接收验证段发来的结果
*
(_OWORD
*
)(a1
+
644
)
=
input
[
1
];
}
return
0
;
}
if
( a4 !
=
0x47A
)
{
if
( a4
=
=
0x47B
)
{
if
(
*
(_BYTE
*
)(a1
+
652
) )
/
/
就是shellcode 发消息机制 修改为
1
的那个
MessageBoxW(
*
(HWND
*
)(a1
+
28
), &Text,
"衏:y"
,
0
);
/
/
验证成功
else
(
*
(void (__stdcall
*
*
)(
int
, signed
int
, _DWORD, _DWORD))(
*
(_DWORD
*
)a1
+
176
))(a1,
1149
,
0
,
0
);
return
0
;
}
if
( a4
=
=
0x47D
)
{
MessageBoxW(
*
(HWND
*
)(a1
+
28
), a1y,
"衏:y"
,
0
);
/
/
验证失败
return
0
;
}
if
( a4 !
=
0x47C
)
{
if
( a4
=
=
0x47E
&&
input
)
{
*
(_OWORD
*
)(a1
+
628
)
=
*
input
;
/
/
接收验证段发来的结果
*
(_OWORD
*
)(a1
+
644
)
=
input
[
1
];
}
return
0
;
}
if
( !
*
(_WORD
*
)
input
)
{
j_fun_free(
input
);
return
0
;
}
sub_406850(
input
, &sha256, (
int
)&v31, input_len);
/
/
计算SHA256
v30
=
0
;
sha256_1
=
(__int128
*
)&sha256;
if
( v22 >
=
0x10
)
sha256_1
=
sha256;
sub_406D20(sha256_1, (
int
)&rsa_out, (
int
)&v31, (
int
)v9, esi0);
/
/
把SHA256用RSA公钥加密
LOBYTE(v30)
=
1
;
if
( v24 )
{
v11
=
&rsa_out;
if
( v25 >
=
0x10
)
v11
=
rsa_out;
(
*
(void (__thiscall
*
*
)(_DWORD
*
, _DWORD
*
,
int
, _DWORD))(v9[
170
]
+
8
))(v9
+
170
, v11, v24, v9[
7
]);
/
/
40cf10
,将RSA加密结果,再次复制过去。。。
(
*
(void (__thiscall
*
*
)(_DWORD
*
, unsigned
int
))(v9[
170
]
+
12
))(v9
+
170
, v18);
/
/
这个,就是喜闻乐见的Function了
40cf60
}
else
{
(
*
(void (__stdcall
*
*
)(_DWORD
*
, signed
int
, _DWORD, _DWORD))(
*
v9
+
176
))(v9,
1149
,
0
,
0
);
/
/
没走
}
if
( !
*
(_WORD
*
)
input
)
{
j_fun_free(
input
);
return
0
;
}
sub_406850(
input
, &sha256, (
int
)&v31, input_len);
/
/
计算SHA256
v30
=
0
;
sha256_1
=
(__int128
*
)&sha256;
if
( v22 >
=
0x10
)
sha256_1
=
sha256;
sub_406D20(sha256_1, (
int
)&rsa_out, (
int
)&v31, (
int
)v9, esi0);
/
/
把SHA256用RSA公钥加密
LOBYTE(v30)
=
1
;
if
( v24 )
{
v11
=
&rsa_out;
if
( v25 >
=
0x10
)
v11
=
rsa_out;
(
*
(void (__thiscall
*
*
)(_DWORD
*
, _DWORD
*
,
int
, _DWORD))(v9[
170
]
+
8
))(v9
+
170
, v11, v24, v9[
7
]);
/
/
40cf10
,将RSA加密结果,再次复制过去。。。
(
*
(void (__thiscall
*
*
)(_DWORD
*
, unsigned
int
))(v9[
170
]
+
12
))(v9
+
170
, v18);
/
/
这个,就是喜闻乐见的Function了
40cf60
}
else
{
(
*
(void (__stdcall
*
*
)(_DWORD
*
, signed
int
, _DWORD, _DWORD))(
*
v9
+
176
))(v9,
1149
,
0
,
0
);
/
/
没走
}
F33FC7A6
-
5A29
-
44E7
-
921E
-
1A3E9D88B648
93E5A078
-
5BA5
-
44F2
-
94B7
-
3109EA01DE10
0377E944
-
EFB5
-
4AE8
-
A5D8
-
C6AE0677CDB3
E7FDEE55
-
7AB9
-
4495
-
A48E
-
F510DF009792
9D5E62A2
-
AA9E
-
42D8
-
B3AB
-
17A4ACD94D2B
EB1DB27D
-
50FB
-
4CEC
-
8EAC
-
C0EBE37C6EAE
56214411
-
0AB7
-
4FB7
-
B8B4
-
3B8DFE906E42
8FADFA6A
-
5DB6
-
4F9C
-
BECA
-
5C8D1E4003FF
F33FC7A6
-
5A29
-
44E7
-
921E
-
1A3E9D88B648
93E5A078
-
5BA5
-
44F2
-
94B7
-
3109EA01DE10
0377E944
-
EFB5
-
4AE8
-
A5D8
-
C6AE0677CDB3
E7FDEE55
-
7AB9
-
4495
-
A48E
-
F510DF009792
9D5E62A2
-
AA9E
-
42D8
-
B3AB
-
17A4ACD94D2B
EB1DB27D
-
50FB
-
4CEC
-
8EAC
-
C0EBE37C6EAE
56214411
-
0AB7
-
4FB7
-
B8B4
-
3B8DFE906E42
8FADFA6A
-
5DB6
-
4F9C
-
BECA
-
5C8D1E4003FF
.text:
0040E195
A08
8A
11
mov dl, [ecx]
.text:
0040E197
A08
3A
10
cmp
dl, [eax]
.text:
0040E199
A08
75
1A
jnz short loc_40E1B5
.text:
0040E19B
A08
84
D2 test dl, dl
.text:
0040E19D
A08
74
12
jz short loc_40E1B1
.text:
0040E19F
A08
8A
51
01
mov dl, [ecx
+
1
]
.text:
0040E1A2
A08
3A
50
01
cmp
dl, [eax
+
1
]
.text:
0040E195
A08
8A
11
mov dl, [ecx]
.text:
0040E197
A08
3A
10
cmp
dl, [eax]
.text:
0040E199
A08
75
1A
jnz short loc_40E1B5
.text:
0040E19B
A08
84
D2 test dl, dl
.text:
0040E19D
A08
74
12
jz short loc_40E1B1
.text:
0040E19F
A08
8A
51
01
mov dl, [ecx
+
1
]
.text:
0040E1A2
A08
3A
50
01
cmp
dl, [eax
+
1
]
if
( (_DWORD)code_byte_len )
/
/
0x754
,就是纯密文的字节码长度
{
v10
=
v57;
(
*
(void (__thiscall
*
*
)(LPVOID, _BYTE
*
*
))(
*
(_DWORD
*
)v57
+
4
))(v57, &sha256);
/
/
40E670
调用核心函数
LOBYTE(v71)
=
1
;
if
( !v62 )
/
/
此时
=
0x20
本次验证就通过了...
if
( (_DWORD)code_byte_len )
/
/
0x754
,就是纯密文的字节码长度
{
v10
=
v57;
(
*
(void (__thiscall
*
*
)(LPVOID, _BYTE
*
*
))(
*
(_DWORD
*
)v57
+
4
))(v57, &sha256);
/
/
40E670
调用核心函数
LOBYTE(v71)
=
1
;
if
( !v62 )
/
/
此时
=
0x20
本次验证就通过了...
if
( uc_open(
1
,
0
, (signed
int
*
*
)&o_uc) )
/
/
1
=
UC_ARCH_ARM? UC_MODE_ARM
{
ptr_SendMessageW
=
(void (__stdcall
*
)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
uc_ctl(o_uc,
0x44000007
,
17
);
/
/
7
=
UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
uc_mem_map(o_uc,
0
,
0
, (
int
)sub_A00000,
7
, (
int
)lpAddress);
/
/
这里是分配了
0xA00000
空间,从地址
0
开始
v23
=
code_byte_len_1;
uc_mem_write(o_uc,
0x43000
,
0
, (
int
)all_str, code_byte_len_1);
/
/
all_str,一堆奇怪的字符串
00
00
结尾
input_sha256
=
&v64;
if
( v66 >
=
0x10
)
input_sha256
=
(__int128
*
)v64;
uc_mem_write(o_uc,
0x4033
,
0
, (
int
)input_sha256, input_sha256_len);
/
/
明文sha256,长度是
64
个字节
if
( uc_emu_start(a1, v19, o_uc,
0x43000
,
0
, v23
+
0x43000
,
0i64
,
0
) )
/
/
返回了
0
,代表模拟执行成功了
{
v10
=
v57;
ptr_SendMessageW
=
(void (__stdcall
*
)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
uc_mem_read(o_uc,
0x14390
,
0
, (
int
)wParam,
0x20u
);
/
/
wParam 应该是返回的值
uc_mem_unmap(o_uc,
0i64
, (unsigned
int
)sub_A00000);
uc_close(o_uc);
if
( uc_open(
1
,
0
, (signed
int
*
*
)&o_uc) )
/
/
1
=
UC_ARCH_ARM? UC_MODE_ARM
{
ptr_SendMessageW
=
(void (__stdcall
*
)(HWND, UINT, WPARAM, LPARAM))SendMessageW;
}
uc_ctl(o_uc,
0x44000007
,
17
);
/
/
7
=
UC_CTL_CPU_MODEL ,垃圾代码 故意返回UC_ERR_ARG
uc_mem_map(o_uc,
0
,
0
, (
int
)sub_A00000,
7
, (
int
)lpAddress);
/
/
这里是分配了
0xA00000
空间,从地址
0
开始
v23
=
code_byte_len_1;
uc_mem_write(o_uc,
0x43000
,
0
, (
int
)all_str, code_byte_len_1);
/
/
all_str,一堆奇怪的字符串
00
00
结尾
input_sha256
=
&v64;
if
( v66 >
=
0x10
)
input_sha256
=
(__int128
*
)v64;
uc_mem_write(o_uc,
0x4033
,
0
, (
int
)input_sha256, input_sha256_len);
/
/
明文sha256,长度是
64
个字节
if
( uc_emu_start(a1, v19, o_uc,
0x43000
,
0
, v23
+
0x43000
,
0i64
,
0
) )
/
/
返回了
0
,代表模拟执行成功了
{
v10
=
v57;
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
- 2024KCTF_第九题 第一次接触-提交题目 1790
- [原创]KCTF2023 第十二题深入内核 3583
- [原创]KCTF2023 第八题AI核心地带 9876
- [原创]KCTF2023 第六题 至暗时刻 9658
- [原创]KCTF2023 第五题 争分夺秒 8584
看原图
赞赏
雪币:
留言: