首页
社区
课程
招聘
[原创]KCTF2023 第五题 争分夺秒
发表于: 2023-9-12 14:39 8585

[原创]KCTF2023 第五题 争分夺秒

2023-9-12 14:39
8585

程序中充满着大量恶心的垃圾代码,直接挑选参数的传递函数去分析

先看弹窗逻辑

2a 62 53 31 //4字节,第四层的M
4a 00       //arr1长度
37 38             //???
arr1            //第七层,大数arr1
f550c4d11be88545a17edf49a600d30212a17760f814f054f252f5fac9e3c915b1195d9f2d52f3bbd2cb5690982c85dfbca0c4102132cff25e4740f3c9c71174802c59a7faf98daebc52
9d a4 72 43 //4字节,第四层的N
4a 00       //arr2长度
33 34         //???
arr2            //第七层,大数arr2
54449bc8e9713a6f2de69acceadb2bb55f550294d7f4d887d561c858c12d74aa218e45766d0799391a8c617f5e3fb00fd4995e9e5077100721858261a223fb4773736ce6027275e7a9ec
0B 73 5F 7A //crc32  7A5F730B
2a 62 53 31 //4字节,第四层的M
4a 00       //arr1长度
37 38             //???
arr1            //第七层,大数arr1
f550c4d11be88545a17edf49a600d30212a17760f814f054f252f5fac9e3c915b1195d9f2d52f3bbd2cb5690982c85dfbca0c4102132cff25e4740f3c9c71174802c59a7faf98daebc52
9d a4 72 43 //4字节,第四层的N
4a 00       //arr2长度
33 34         //???
arr2            //第七层,大数arr2
54449bc8e9713a6f2de69acceadb2bb55f550294d7f4d887d561c858c12d74aa218e45766d0799391a8c617f5e3fb00fd4995e9e5077100721858261a223fb4773736ce6027275e7a9ec
0B 73 5F 7A //crc32  7A5F730B
int __usercall sub_4EB910@<eax>(int ebx0@<ebx>, int edi0@<edi>, int a3@<esi>, int a1, int a2)
{
  if ( a1 == 2 )
  {
    lstrlenA(*(LPCSTR *)(a2 + 4));
    if ( sub_47B430(ebx0, edi0, a3, *(_DWORD *)(a2 + 4)) == 1 )
      MessageBoxA(0, "OK!", 0, 0);
    else
      MessageBoxA(0, "Error!", 0, 0);
  }
  return 0;
}
int __usercall sub_4EB910@<eax>(int ebx0@<ebx>, int edi0@<edi>, int a3@<esi>, int a1, int a2)
{
  if ( a1 == 2 )
  {
    lstrlenA(*(LPCSTR *)(a2 + 4));
    if ( sub_47B430(ebx0, edi0, a3, *(_DWORD *)(a2 + 4)) == 1 )
      MessageBoxA(0, "OK!", 0, 0);
    else
      MessageBoxA(0, "Error!", 0, 0);
  }
  return 0;
}
signed int __usercall sub_47B430@<eax>(int ebx0@<ebx>, int a2@<edi>, int a3@<esi>, int a1)
{
  if ( sub_40A580(ebx0, a2, a3, a1, (char **)&input, &input_len) )  √   //3339 解base64,刚解密出来是正常的
  {
    if ( sub_455F80((int)input, input_len) )    ("4234567890", 10)  Crc32("前len-4位")==4位  √
    {
      if ( sub_458D90(ebx0, a2, input, input_len - 4, (int)&v2357, (int)&v2356) )   //字符串中有2个长度标记位,校验通过,√
      {
        if ( sub_474170(*v2357, *v2356) )   //2个dword进行除法校验,满足的情况总共有2*4=8
        {
          v1378 = v2357 + 8;                                                            //5153  .text:004870AC 这里就要篡改一次数据
          for ( i169 = 0; i169 < v1379; ++i169 )
          {
            v5 = 16;
            *(_BYTE *)(i169 + v1378) ^= *(&v1593 + i169 % 0x10u);
          }
          sub_4E1620(*(_DWORD *)v2357, v2357 + 8, *(unsigned __int16 *)(v2357 + 4));    //5298  +8数组进行xor操作
          sub_4E1620(*(_DWORD *)v2356, v2356 + 8, *(unsigned __int16 *)(v2356 + 4));    //5453
          v1360 = v2357 + 8;                                                            //5602
          for ( i214 = 0; i214 < v1361; ++i214 )
          {
            v5 = 16;
            *(_BYTE *)(i214 + v1360) ^= *(&v1577 + i214 % 0x10u);       //arr1比arr2多2次xor
          }
          if ( sub_45F640(
                 (int)(v2357 + 2),
                 *((unsigned __int16 *)v2357 + 2),
                 (int)(v2356 + 2),
                 *((unsigned __int16 *)v2356 + 2)) )
          {
            sub_4E81E0(ebx0, a2, v5, v2359);
            result = 1;
          }
          else
            result = 0;
        }
        else
          result = 0;
      }
      else
        result = 0;
    }
    else
      result = 0;
  }
  else
    result = 0;
}
signed int __usercall sub_47B430@<eax>(int ebx0@<ebx>, int a2@<edi>, int a3@<esi>, int a1)
{
  if ( sub_40A580(ebx0, a2, a3, a1, (char **)&input, &input_len) )  √   //3339 解base64,刚解密出来是正常的
  {
    if ( sub_455F80((int)input, input_len) )    ("4234567890", 10)  Crc32("前len-4位")==4位  √
    {
      if ( sub_458D90(ebx0, a2, input, input_len - 4, (int)&v2357, (int)&v2356) )   //字符串中有2个长度标记位,校验通过,√
      {
        if ( sub_474170(*v2357, *v2356) )   //2个dword进行除法校验,满足的情况总共有2*4=8
        {
          v1378 = v2357 + 8;                                                            //5153  .text:004870AC 这里就要篡改一次数据
          for ( i169 = 0; i169 < v1379; ++i169 )
          {
            v5 = 16;
            *(_BYTE *)(i169 + v1378) ^= *(&v1593 + i169 % 0x10u);
          }
          sub_4E1620(*(_DWORD *)v2357, v2357 + 8, *(unsigned __int16 *)(v2357 + 4));    //5298  +8数组进行xor操作
          sub_4E1620(*(_DWORD *)v2356, v2356 + 8, *(unsigned __int16 *)(v2356 + 4));    //5453
          v1360 = v2357 + 8;                                                            //5602
          for ( i214 = 0; i214 < v1361; ++i214 )
          {
            v5 = 16;
            *(_BYTE *)(i214 + v1360) ^= *(&v1577 + i214 % 0x10u);       //arr1比arr2多2次xor
          }
          if ( sub_45F640(
                 (int)(v2357 + 2),
                 *((unsigned __int16 *)v2357 + 2),
                 (int)(v2356 + 2),
                 *((unsigned __int16 *)v2356 + 2)) )
          {
            sub_4E81E0(ebx0, a2, v5, v2359);
            result = 1;
          }
          else
            result = 0;
        }
        else
          result = 0;
      }
      else
        result = 0;
    }
    else
      result = 0;
  }
  else
    result = 0;
}
if ( BASE64_table_4FBD18[kk] == a1 )
  break;
v347 = 119;
v232 = -1;
v274 = 104;
if ( BASE64_table_4FBD18[kk] == a1 )
  break;
v347 = 119;
v232 = -1;
v274 = 104;
v207 = sub_453B90(v2, v3, v4, (char *)input, input_len - 4);
if ( v207 == *(_DWORD *)(input_len + input - 4) )
      result = 1;
v207 = sub_453B90(v2, v3, v4, (char *)input, input_len - 4);
if ( v207 == *(_DWORD *)(input_len + input - 4) )
      result = 1;
if ( (unsigned int)input_len_jian4 >= 0x10 ) //len-4>=16
  {
    *(_DWORD *)a5 = input//1406
    if ( (signed int)*(unsigned __int16 *)(*(_DWORD *)a5 + 4) > 0                                //1547  45B83C
      && *(unsigned __int16 *)(*(_DWORD *)a5 + 4) <= (unsigned int)(input_len_jian4 - 16) )
    {
      *(_DWORD *)a6 = input + *(unsigned __int16 *)(*(_DWORD *)a5 + 4) + 8;     //1655
      if ( (signed int)*(unsigned __int16 *)(*(_DWORD *)a6 + 4) > 0              //1831          45d381
        && *(unsigned __int16 *)(*(_DWORD *)a6 + 4) <= input_len_jian4
                                                     - 16
                                                     - (unsigned int)*(unsigned __int16 *)(*(_DWORD *)a5 + 4) )
      {
        result = 1;
      }
    }
  }
if ( (unsigned int)input_len_jian4 >= 0x10 ) //len-4>=16
  {
    *(_DWORD *)a5 = input//1406

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//