-
-
[原创] KCTF 2023 第六题 wp - 98k
-
发表于: 2023-9-14 00:35 9106
-
main 之前有两个 TlsCallback 用于反调试,直接 patch 掉;
进入 main ,新开一个线程,执行函数 sub_140001630
sub_140001630 就是主逻辑,字符串都加密了,异或解密之后就能看出来逻辑:
常规流程,提示后输入,之后和 "kctf" 以及两个 main 之前初始化的全局变量字符串拼接 "kctf" + str1 + input + str2
,之后写入到分配的一段内存上,再调用 write_memory 函数向 +500 的位置写入 shellcode ,再用 NtQueueApcThread 执行这段代码。 write_memory 中还有个反调试,去掉就行(上面是已经去掉的)。
write_memory 中可以看到, shellcode 的位置在 0x140008050 ,直接跳转过去,第一条 call 是花指令,跳转到当前地址 +4 的位置,处理后如下:
这一小段循环会将后面指令中的所有 0x17 全部改成 0 ,写个脚本去掉就行,在 0x140008073 处生成函数 F5 :
check_header 函数就检测头部的 "kctf" ,通过这种方式找到分配的这段内存,之后进入 flag 的判断(数独的判断)
进入 check_sudoku 就很明显的能看到,完全就是数独的判断逻辑。最后就只剩下一个函数 get_value ,这里会得到输入的格式的判断。 get_value 里的逻辑比较乱,简单整理一下函数行为:每次读取输入的 3 个字节,必须是数字或者大写的 A-F ,之后这三个字符计算得到 16 进制的数值,10进制表示的个位、十位、百位分别是数独中的 x, y, sudoku[y][x]
。当取到的 y 和 x 与传入的参数相符合时,就会结束循环。如果当前取到的输入的下标不超过 63 (第 21 组内,即原 str1 的范围内),则直接返回;否则会取后 120 字节进行判断,其中找到与 9 * y + x
相等的 2 字节对应的 10 进制数,并且这个下标和要和前一部分的每 3 字节的下标相差 21 (即跳过前面的 21 组),最后还会判断总长度是 243 + 120 保证没有多余字节。
所以前面的 63 字节是给出数独中已有的值,后 120 字节指定了输入的数独格子的顺序。直接套用 z3 例子求解:
int
__cdecl main(
int
argc,
const
char
**argv,
const
char
**envp)
{
_QWORD *v3;
// rax
_Thrd_t ThrdAddr;
// [rsp+30h] [rbp-28h] BYREF
_Thrd_t v6;
// [rsp+40h] [rbp-18h] BYREF
v3 = operator
new
(8ui64);
*v3 = sub_140001630;
ThrdAddr._Hnd = (
void
*)beginthreadex(0i64, 0, (_beginthreadex_proc_type)StartAddress, v3, 0, &ThrdAddr._Id);
if
( !ThrdAddr._Hnd )
{
ThrdAddr._Id = 0;
std::_Throw_Cpp_error(6);
}
if
( !ThrdAddr._Id )
std::_Throw_Cpp_error(1);
if
( ThrdAddr._Id == Thrd_id() )
std::_Throw_Cpp_error(5);
v6 = ThrdAddr;
if
( Thrd_join(&v6, 0i64) )
std::_Throw_Cpp_error(2);
return
0;
}
int
__cdecl main(
int
argc,
const
char
**argv,
const
char
**envp)
{
_QWORD *v3;
// rax
_Thrd_t ThrdAddr;
// [rsp+30h] [rbp-28h] BYREF
_Thrd_t v6;
// [rsp+40h] [rbp-18h] BYREF
v3 = operator
new
(8ui64);
*v3 = sub_140001630;
ThrdAddr._Hnd = (
void
*)beginthreadex(0i64, 0, (_beginthreadex_proc_type)StartAddress, v3, 0, &ThrdAddr._Id);
if
( !ThrdAddr._Hnd )
{
ThrdAddr._Id = 0;
std::_Throw_Cpp_error(6);
}
if
( !ThrdAddr._Id )
std::_Throw_Cpp_error(1);
if
( ThrdAddr._Id == Thrd_id() )
std::_Throw_Cpp_error(5);
v6 = ThrdAddr;
if
( Thrd_join(&v6, 0i64) )
std::_Throw_Cpp_error(2);
return
0;
}
__int64
sub_140001630()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
std::string::ctor(&input_string, empty);
std::string::ctor(&Format, s);
// 'Please enter your key:'
std::string::ctor(&str_kernel32_dll, aJzlOmJnms);
// kernel32.dll
std::string::ctor(&str_RtlFillMemory, aM);
std::string::ctor(&str_kctf, aAJv);
// kctf
std::string::append(&str_RtlFillMemory, aD_0);
// RtlFillMemory
std::string::ctor(&Block,
"7PK:"
);
v0 = (
char
*)&Format;
if
( Format.cap >= 0x10 )
v0 = Format.data.lstr;
vigenere_decrypt(v0, Format.size,
"&x+^x"
, 5);
v1 = (
char
*)&Format;
if
( Format.cap >= 0x10 )
v1 = Format.data.lstr;
printf
(v1);
v2 = input_string.size;
// set input length to 500
if
( input_string.size < 500 )
{
// ...
}
else
{
// ...
}
v7 = (
char
*)&input_string;
if
( input_string.cap >= 0x10 )
v7 = input_string.data.lstr;
scanf
(
"%s"
, v7);
v8 = (
char
*)&input_string;
if
( input_string.cap >= 0x10 )
v8 = input_string.data.lstr;
v9 = (
char
*)&str1;
std::string::append(&str1, v8);
v10 = (
char
*)&str2;
if
( str2.cap >= 0x10 )
v10 = str2.data.lstr;
v11 = str2.size;
v12 = str1.size;
str1 += str2;
// ...
v15 = (
char
*)&str_kctf;
if
( str_kctf.cap >= 0x10 )
v15 = str_kctf.data.lstr;
vigenere_decrypt(v15, str_kctf.size,
"*s>0?"
, 5);
str1 = str_kctf + str1;
// ...
ProcessHandle = GetCurrentProcess();
RegionSize = 5500i64;
NtAllocateVirtualMemory(
ProcessHandle,
(
PVOID
*)&alloced,
0i64,
&RegionSize,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if
( str1.cap >= 0x10 )
v9 = str1.data.lstr;
NtWriteVirtualMemory(ProcessHandle, alloced, v9, str1.size, NumberOfBytesWritten);
v20 = (
char
*)&str_kernel32_dll;
if
( str_kernel32_dll.cap >= 0x10 )
v20 = str_kernel32_dll.data.lstr;
vigenere_decrypt(v20, str_kernel32_dll.size,
"!?>d*"
, 5);
v22 = (
char
*)&str_RtlFillMemory;
if
( str_RtlFillMemory.cap >= 0x10 )
v22 = str_RtlFillMemory.data.lstr;
vigenere_decrypt(v22, str_RtlFillMemory.size,
"?x)da"
, v21);
v23 = (
char
*)&str_RtlFillMemory;
if
( str_RtlFillMemory.cap >= 0x10 )
v23 = str_RtlFillMemory.data.lstr;
v24 = (
char
*)&str_kernel32_dll;
if
( str_kernel32_dll.cap >= 0x10 )
v24 = str_kernel32_dll.data.lstr;
kernel32_dll = GetModuleHandleA(v24);
RtlFillMemory = (
void
(__fastcall *)(
void
*,
size_t
,
int
))GetProcAddress(kernel32_dll, v23);
if
( !RtlFillMemory || write_memory(ProcessHandle, alloced + 500) )
{
// string dtor
return
1i64;
}
if
( NtCreateThreadEx(
&hThread,
0x1FFFFFu,
0i64,
ProcessHandle,
(LPTHREAD_START_ROUTINE)ExitThread,
0i64,
1u,
0i64,
0i64,
0i64,
0i64) )
{
// string dtor
return
1;
}
NtQueueApcThread(hThread, (PIO_APC_ROUTINE)(alloced + 500), 0i64, 0i64, 0i64);
ResumeThread(hThread);
NtWaitForSingleObject(hThread, 0, 0i64);
CloseHandle(hThread);
*(_DWORD *)Str1 = 0;
*(_DWORD *)Destination = 0;
strncpy
(Destination, (
const
char
*)alloced, 3ui64);
strncpy
(Str1, (
const
char
*)alloced + 67, 3ui64);
if
( !
strcmp
(Str1,
"110"
) )
{
v40 = (
char
*)&unk_140006590;
}
else
{
if
(
strcmp
(Str1,
"120"
) )
ExitProcess(0);
v40 = (
char
*)&byte_140006598;
}
vigenere_decrypt(Destination, 3, v40, 3);
printf
(
"\n%s"
, Destination);
// string dtor
return
0i64;
}
int
__fastcall write_memory(
HANDLE
ProcessHandle, unsigned
__int8
*ptr)
{
int
v4;
// edi
unsigned
__int8
*i;
// rsi
GetCurrentProcess();
if
( !NtCreateThreadEx(
&Handle,
0x1FFFFFu,
0i64,
ProcessHandle,
(LPTHREAD_START_ROUTINE)ExitThread,
0i64,
1u,
0i64,
0i64,
0i64,
0i64) )
{
v4 = 0;
for
( i = unk_140008050; !NtQueueApcThread(Handle, (PIO_APC_ROUTINE)RtlFillMemory, &ptr[v4], 1i64, *i); ++i )
{
if
( (unsigned
int
)++v4 >= 0x92B )
{
ResumeThread(Handle);
NtWaitForSingleObject(Handle, 0, 0i64);
CloseHandle(Handle);
return
0;
}
}
TerminateThread(Handle, 0);
CloseHandle(Handle);
}
return
1;
}
__int64
sub_140001630()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
std::string::ctor(&input_string, empty);
std::string::ctor(&Format, s);
// 'Please enter your key:'
std::string::ctor(&str_kernel32_dll, aJzlOmJnms);
// kernel32.dll
std::string::ctor(&str_RtlFillMemory, aM);
std::string::ctor(&str_kctf, aAJv);
// kctf
std::string::append(&str_RtlFillMemory, aD_0);
// RtlFillMemory
std::string::ctor(&Block,
"7PK:"
);
v0 = (
char
*)&Format;
if
( Format.cap >= 0x10 )
v0 = Format.data.lstr;
vigenere_decrypt(v0, Format.size,
"&x+^x"
, 5);
v1 = (
char
*)&Format;
if
( Format.cap >= 0x10 )
v1 = Format.data.lstr;
printf
(v1);
v2 = input_string.size;
// set input length to 500
if
( input_string.size < 500 )
{
// ...
}
else
{
// ...
}
v7 = (
char
*)&input_string;
if
( input_string.cap >= 0x10 )
v7 = input_string.data.lstr;
scanf
(
"%s"
, v7);
v8 = (
char
*)&input_string;
if
( input_string.cap >= 0x10 )
v8 = input_string.data.lstr;
v9 = (
char
*)&str1;
std::string::append(&str1, v8);
v10 = (
char
*)&str2;
if
( str2.cap >= 0x10 )
v10 = str2.data.lstr;
v11 = str2.size;
v12 = str1.size;
str1 += str2;
// ...
v15 = (
char
*)&str_kctf;
if
( str_kctf.cap >= 0x10 )
v15 = str_kctf.data.lstr;
vigenere_decrypt(v15, str_kctf.size,
"*s>0?"
, 5);
str1 = str_kctf + str1;
// ...
ProcessHandle = GetCurrentProcess();
RegionSize = 5500i64;
NtAllocateVirtualMemory(
ProcessHandle,
(
PVOID
*)&alloced,
0i64,
&RegionSize,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if
( str1.cap >= 0x10 )
v9 = str1.data.lstr;
NtWriteVirtualMemory(ProcessHandle, alloced, v9, str1.size, NumberOfBytesWritten);
v20 = (
char
*)&str_kernel32_dll;
if
( str_kernel32_dll.cap >= 0x10 )
v20 = str_kernel32_dll.data.lstr;
vigenere_decrypt(v20, str_kernel32_dll.size,
"!?>d*"
, 5);
v22 = (
char
*)&str_RtlFillMemory;
if
( str_RtlFillMemory.cap >= 0x10 )
v22 = str_RtlFillMemory.data.lstr;
vigenere_decrypt(v22, str_RtlFillMemory.size,
"?x)da"
, v21);
v23 = (
char
*)&str_RtlFillMemory;
if
( str_RtlFillMemory.cap >= 0x10 )
v23 = str_RtlFillMemory.data.lstr;
v24 = (
char
*)&str_kernel32_dll;
if
( str_kernel32_dll.cap >= 0x10 )
v24 = str_kernel32_dll.data.lstr;
kernel32_dll = GetModuleHandleA(v24);
RtlFillMemory = (
void
(__fastcall *)(
void
*,
size_t
,
int
))GetProcAddress(kernel32_dll, v23);
if
( !RtlFillMemory || write_memory(ProcessHandle, alloced + 500) )
{
// string dtor
return
1i64;
}
if
( NtCreateThreadEx(
&hThread,
0x1FFFFFu,
0i64,
ProcessHandle,
(LPTHREAD_START_ROUTINE)ExitThread,
0i64,
1u,
0i64,
0i64,
0i64,
0i64) )
{
// string dtor
return
1;
}
NtQueueApcThread(hThread, (PIO_APC_ROUTINE)(alloced + 500), 0i64, 0i64, 0i64);
ResumeThread(hThread);
NtWaitForSingleObject(hThread, 0, 0i64);
CloseHandle(hThread);
*(_DWORD *)Str1 = 0;
*(_DWORD *)Destination = 0;
strncpy
(Destination, (
const
char
*)alloced, 3ui64);
strncpy
(Str1, (
const
char
*)alloced + 67, 3ui64);
if
( !
strcmp
(Str1,
"110"
) )
{
v40 = (
char
*)&unk_140006590;
}
else
{
if
(
strcmp
(Str1,
"120"
) )
ExitProcess(0);
v40 = (
char
*)&byte_140006598;
}
vigenere_decrypt(Destination, 3, v40, 3);
printf
(
"\n%s"
, Destination);
// string dtor
return
0i64;
}
int
__fastcall write_memory(
HANDLE
ProcessHandle, unsigned
__int8
*ptr)
{
int
v4;
// edi
unsigned
__int8
*i;
// rsi
GetCurrentProcess();
if
( !NtCreateThreadEx(
&Handle,
0x1FFFFFu,
0i64,
ProcessHandle,
(LPTHREAD_START_ROUTINE)ExitThread,
0i64,
1u,
0i64,
0i64,
0i64,
0i64) )
{
v4 = 0;
for
( i = unk_140008050; !NtQueueApcThread(Handle, (PIO_APC_ROUTINE)RtlFillMemory, &ptr[v4], 1i64, *i); ++i )
{
if
( (unsigned
int
)++v4 >= 0x92B )
{
ResumeThread(Handle);
NtWaitForSingleObject(Handle, 0, 0i64);
CloseHandle(Handle);
return
0;
}
}
TerminateThread(Handle, 0);
CloseHandle(Handle);
}
return
1;
}
.data:
0000000140008054
inc eax
.data:
0000000140008056
pop rdi
.data:
0000000140008057
mov ecx,
1010806h
.data:
000000014000805C
xor ecx,
1010101h
;
0x907
.data:
0000000140008062
add rdi,
1Eh
;
0x140008073
.data:
0000000140008066
xor esi, esi
.data:
0000000140008068
cld
.data:
0000000140008069
.data:
0000000140008069
loc_140008069: ; CODE XREF: .data:
0000000140008071
↓j
.data:
0000000140008069
mov al, [rdi]
.data:
000000014000806B
cmp
al,
17h
.data:
000000014000806D
cmovz eax, esi
.data:
0000000140008070
stosb
.data:
0000000140008071
loop loc_140008069
.data:
0000000140008054
inc eax
.data:
0000000140008056
pop rdi
.data:
0000000140008057
mov ecx,
1010806h
.data:
000000014000805C
xor ecx,
1010101h
;
0x907
.data:
0000000140008062
add rdi,
1Eh
;
0x140008073
.data:
0000000140008066
xor esi, esi
.data:
0000000140008068
cld
.data:
0000000140008069
.data:
0000000140008069
loc_140008069: ; CODE XREF: .data:
0000000140008071
↓j
.data:
0000000140008069
mov al, [rdi]
.data:
000000014000806B
cmp
al,
17h
.data:
000000014000806D
cmovz eax, esi
.data:
0000000140008070
stosb
.data:
0000000140008071
loop loc_140008069
void
__fastcall check()
{
HANDLE
(__fastcall *CreateToolhelp32Snapshot)(
DWORD
,
DWORD
);
// rbx
BOOL
(__stdcall *Process32First)(
HANDLE
, LPPROCESSENTRY32);
// r13
BOOL
(__stdcall *CloseHandle)(
HANDLE
);
// r15
DWORD
(__stdcall *GetCurrentProcessId)();
// r12
HANDLE
v4;
// rdi
bool
v5;
// si
HANDLE
v6;
// rax
void
*v7;
// r14
BOOL
i;
// eax
char
*v11;
// rbx
DWORD
v12;
// eax
_BYTE *v13;
// rdx
_BYTE *v14;
// rbx
struct
_MEMORY_BASIC_INFORMATION Buffer;
// [rsp+48h] [rbp-2B0h] BYREF
PROCESSENTRY32 v16[2];
// [rsp+80h] [rbp-278h] BYREF
BOOL
(__stdcall *Process32Next)(
HANDLE
, LPPROCESSENTRY32);
// [rsp+300h] [rbp+8h] MAPDST
HANDLE
(__stdcall *OpenProcess)(
DWORD
,
BOOL
,
DWORD
);
// [rsp+308h] [rbp+10h] MAPDST
SIZE_T
(__stdcall *VirtualQueryEx)(
HANDLE
,
LPCVOID
, PMEMORY_BASIC_INFORMATION,
SIZE_T
);
// [rsp+310h] [rbp+18h]
CreateToolhelp32Snapshot = (
HANDLE
(__fastcall *)(
DWORD
,
DWORD
))find_proc(0xF88DDF46);
OpenProcess = (
HANDLE
(__stdcall *)(
DWORD
,
BOOL
,
DWORD
))find_proc(0xFD0B55A7);
VirtualQueryEx = (
SIZE_T
(__stdcall *)(
HANDLE
,
LPCVOID
, PMEMORY_BASIC_INFORMATION,
SIZE_T
))find_proc(0x242E6FF);
Process32First = (
BOOL
(__stdcall *)(
HANDLE
, LPPROCESSENTRY32))find_proc(0x3F347695);
Process32Next = (
BOOL
(__stdcall *)(
HANDLE
, LPPROCESSENTRY32))find_proc(0x93E12339);
CloseHandle = (
BOOL
(__stdcall *)(
HANDLE
))find_proc(0x1CA655F1);
GetCurrentProcessId = (
DWORD
(__stdcall *)())find_proc(0x35634E1);
v4 = 0i64;
v16[0].dwSize = 568;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if
( v6 != (
HANDLE
)-1i64 )
{
for
( i = Process32First(v6, v16); i; i = Process32Next(v7, v16) )
{
if
( v16[0].th32ProcessID == GetCurrentProcessId() )
{
v4 = OpenProcess(0x2000000u, 0, v16[0].th32ProcessID);
if
( v4 )
{
v11 = 0i64;
while
( VirtualQueryEx(v4, v11, &Buffer, 0x30ui64) )
{
v11 = (
char
*)Buffer.BaseAddress + Buffer.RegionSize;
if
( Buffer.State == 4096 && Buffer.AllocationProtect == 0x40 )
{
v12 = GetCurrentProcessId();
v13 = Buffer.BaseAddress;
if
( v16[0].th32ProcessID == v12 )
v5 = check_header(*(_DWORD *)Buffer.BaseAddress);
if
( v5 )
{
v14 = v13 + 4;
if
( check_sudoku(v13 + 4) )
{
*(v14 - 4) = 0x69;
*(v14 - 3) = 0x6F;
*(v14 - 2) = 0x20;
*(v14 - 1) = 0;
v14[63] = 0x31;
v14[64] = 0x31;
}
else
{
*(v14 - 4) = 0x6D;
*(v14 - 3) = 0x6A;
*(v14 - 2) = 0x29;
*(v14 - 1) = 0;
v14[63] = 49;
v14[64] = 50;
}
v14[65] = 48;
goto
LABEL_19;
}
*v13 = 109;
v13[1] = 106;
v13[2] = 41;
v13[3] = 0;
v13[67] = 49;
v13[68] = 50;
v13[69] = 48;
}
}
}
}
}
LABEL_19:
CloseHandle(v7);
CloseHandle(v4);
}
}
void
__fastcall check()
{
HANDLE
(__fastcall *CreateToolhelp32Snapshot)(
DWORD
,
DWORD
);
// rbx
BOOL
(__stdcall *Process32First)(
HANDLE
, LPPROCESSENTRY32);
// r13
BOOL
(__stdcall *CloseHandle)(
HANDLE
);
// r15
DWORD
(__stdcall *GetCurrentProcessId)();
// r12
HANDLE
v4;
// rdi
bool
v5;
// si
HANDLE
v6;
// rax
void
*v7;
// r14
BOOL
i;
// eax
char
*v11;
// rbx
DWORD
v12;
// eax
_BYTE *v13;
// rdx
_BYTE *v14;
// rbx
struct
_MEMORY_BASIC_INFORMATION Buffer;
// [rsp+48h] [rbp-2B0h] BYREF
PROCESSENTRY32 v16[2];
// [rsp+80h] [rbp-278h] BYREF
BOOL
(__stdcall *Process32Next)(
HANDLE
, LPPROCESSENTRY32);
// [rsp+300h] [rbp+8h] MAPDST
HANDLE
(__stdcall *OpenProcess)(
DWORD
,
BOOL
,
DWORD
);
// [rsp+308h] [rbp+10h] MAPDST
SIZE_T
(__stdcall *VirtualQueryEx)(
HANDLE
,
LPCVOID
, PMEMORY_BASIC_INFORMATION,
SIZE_T
);
// [rsp+310h] [rbp+18h]
CreateToolhelp32Snapshot = (
HANDLE
(__fastcall *)(
DWORD
,
DWORD
))find_proc(0xF88DDF46);
OpenProcess = (
HANDLE
(__stdcall *)(
DWORD
,
BOOL
,
DWORD
))find_proc(0xFD0B55A7);
VirtualQueryEx = (
SIZE_T
(__stdcall *)(
HANDLE
,
LPCVOID
, PMEMORY_BASIC_INFORMATION,
SIZE_T
))find_proc(0x242E6FF);
Process32First = (
BOOL
(__stdcall *)(
HANDLE
, LPPROCESSENTRY32))find_proc(0x3F347695);
Process32Next = (
BOOL
(__stdcall *)(
HANDLE
, LPPROCESSENTRY32))find_proc(0x93E12339);
CloseHandle = (
BOOL
(__stdcall *)(
HANDLE
))find_proc(0x1CA655F1);
GetCurrentProcessId = (
DWORD
(__stdcall *)())find_proc(0x35634E1);
v4 = 0i64;
v16[0].dwSize = 568;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if
( v6 != (
HANDLE
)-1i64 )
{
for
( i = Process32First(v6, v16); i; i = Process32Next(v7, v16) )
{
if
( v16[0].th32ProcessID == GetCurrentProcessId() )
{
v4 = OpenProcess(0x2000000u, 0, v16[0].th32ProcessID);
if
( v4 )
{
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)