[Original] KCTF2024 Problem 6 异星文明 (Alien Civilization) WriteUp
Posted: 2024-8-27 00:35 2604


Opening the program in IDA and reading the code, there are tricks of the call $+5 kind (the call pushes the address of the instruction right after it; the pop r8 / sub r8, 1013h that follow turn that address into the image base):

Suspecting self-decrypting code, I recorded a run with WinDbg Time Travel Debugging; entering the supplied username and serial produced the "correct" prompt.
Following a short stretch of the recording it did not look like self-decryption, but I noticed the program contains a great deal of code that saves all sorts of registers and then restores them.
Going back to the segments, apart from .zxvmp3, which is fairly large, all the other segments are small. Inside .zxvmp3, pressing C at various offsets turns up many code fragments that look like the one below:

and across these fragments only the single instruction between popfq and pushfq differs from one fragment to the next.
Back in the WinDbg recording, set a breakpoint on the address of one such instruction between popfq and pushfq,

then press Step Into Back twice to go backwards; the instruction landed on is a ret.

Set a breakpoint on that instruction at 7ff6503786c2 (fzbz+0x1086c2), clear the earlier breakpoint, and from then on each execution of the WinDbg command g;t stops on the next instruction sandwiched between popfq and pushfq; those instructions are the program's actual logic.

First disable that breakpoint. Since the program reports success through a message box, set a breakpoint on MessageBoxW, then from the point where the program terminates press Go Back to return to the last MessageBoxW hit; re-enable the earlier breakpoint at fzbz+0x1086c2 and then execute the WinDbg command g-;g-;t repeatedly to walk the program's logic backwards from the success prompt. The instructions copied out this way are listed below: each windbg line gives the address, the opcode bytes and the instruction, followed by hand-written notes on register and memory values observed at that point.

From this the algorithm can be analyzed and a solver written.

.text:0000000140001000                 public start
.text:0000000140001000 start           proc near               ; DATA XREF: .pdata:ExceptionDir↓o
.text:0000000140001000                 pushfq
.text:0000000140001001                 call    sub_140108477
.text:0000000140001006                 call    sub_14010873F
.text:000000014000100B                 push    rcx
.text:000000014000100C                 push    r8
.text:000000014000100E                 call    $+5
.text:0000000140001013
.text:0000000140001013 loc_140001013:                          ; DATA XREF: start+15↓o
.text:0000000140001013                 pop     r8
.text:0000000140001015                 sub     r8, 1013h
.text:000000014000101C                 mov     rcx, 60E0h
.text:0000000140001026                 add     rcx, r8
.text:0000000140001029                 pop     r8
.text:000000014000102B                 push    0FFFFFFFFCB9DC747h
.text:0000000140001030                 call    sub_140108580
.text:0000000140001035                 pop     rcx
.text:0000000140001036                 retn
.text:0000000140001036 start           endp ; sp-analysis failed
.zxvmp3:000000014010DDFF                 jmp     near ptr 12A109ED4h
.zxvmp3:000000014010DE04 ; ---------------------------------------------------------------------------
.zxvmp3:000000014010DE04                 push    rbp
.zxvmp3:000000014010DE04 ; ---------------------------------------------------------------------------
.zxvmp3:000000014010DE05                 db 0FFh
.zxvmp3:000000014010DE06                 db  8Bh
.zxvmp3:000000014010DE07                 db  90h
.zxvmp3:000000014010DE08                 db  48h ; H
.zxvmp3:000000014010DE09                 db  48h ; H
.zxvmp3:000000014010DE0A ; ---------------------------------------------------------------------------
.zxvmp3:000000014010DE0A                 popfq
.zxvmp3:000000014010DE0B                 and     ecx, 0FFh
.zxvmp3:000000014010DE11                 pushfq
.zxvmp3:000000014010DE12                 call    sub_140108477
.zxvmp3:000000014010DE17                 push    1AD368F8h
.zxvmp3:000000014010DE1C                 push    rax
.zxvmp3:000000014010DE1D                 call    $+5
.zxvmp3:000000014010DE22                 pop     rax
.zxvmp3:000000014010DE23                 add     rax, 0FFFFFFFFFFFFA8A1h
.zxvmp3:000000014010DE29                 push    rax
.zxvmp3:000000014010DE2A                 xchg    rax, [rsp]
.zxvmp3:000000014010DE2E                 xchg    rax, [rsp+8]
.zxvmp3:000000014010DE33                 xchg    rax, [rsp]
.zxvmp3:000000014010DE37                 pop     rax
.zxvmp3:000000014010DE38                 push    rax
.zxvmp3:000000014010DE39                 pushfq
.zxvmp3:000000014010DE3A
.zxvmp3:000000014010DE3A loc_14010DE3A:                          ; CODE XREF: .zxvmp3:loc_14010DE3A↑j
.zxvmp3:000000014010DE3A                 jmp     short near ptr loc_14010DE3A+1
00007ff6`50382211 8b0401         mov     eax, dword ptr [rcx+rax] sel
00007ff6`50380d8b 89442408     mov     dword ptr [rsp+8], eax
00007ff6`50381296 488b442430     mov     rax, qword ptr [rsp+30h]
00007ff6`50381098 8b00         mov     eax, dword ptr [rax]
00007ff6`50380a0f 890424         mov     dword ptr [rsp], eax
00007ff6`5037e40d 488b442430   mov     rax, qword ptr [rsp+30h]
00007ff6`5038048a 8b4004         mov     eax, dword ptr [rax+4] rax <&8%ome_to_fzbz,
00007ff6`5037fa0d 89442414         mov     dword ptr [rsp+14h], eax 0x5F656D6F ome_
00007ff6`5037fd14 c744240c00000000 mov     dword ptr [rsp+0Ch], 0
 
args: [rsp] [rsp+4] [rsp+8] [rsp+30h]=<&8%ome_to_fzbz, 3c263825<&8% 9ff4d2d1 92b60815 0x2538263c 0xd1d2f49f 0x1508b692
args: [rsp] [rsp+4] [rsp+8] [rsp+30h]=name xor wel...  42215f5a     9ff4d2d1 92b60815 0x5a5f2142 0xd1d2f49f 0x1508b692
00007ff6`5037da8a 837c240c1f     cmp     dword ptr [rsp+0Ch], 1Fh loop 0x20
00007ff6`5037e60c 7d31         jge     00007FF65037E63F
00007ff6`5037e316 8b442408       mov     eax, dword ptr [rsp+8]
00007ff6`5037ff0a c1e006       shl     eax, 6
00007ff6`5038070f 8b0c24       mov     ecx, dword ptr [rsp]
00007ff6`5037de0b 81e1ff000000   and     ecx, 0FFh
00007ff6`5037e497 03c1           add     eax, ecx
00007ff6`50382194 8b0c24       mov     ecx, dword ptr [rsp]
00007ff6`50381014 8b542408     mov     edx, dword ptr [rsp+8]
00007ff6`5038278c 03d1         add     edx, ecx
00007ff6`5037f40d 8bca         mov     ecx, edx
00007ff6`5037dd17 33c1         xor     eax, ecx
00007ff6`50381491 8b4c2408       mov     ecx, dword ptr [rsp+8]
00007ff6`5037e015 c1e903           shr     ecx, 3
00007ff6`5037ee18 8b1424       mov     edx, dword ptr [rsp]
00007ff6`5037da13 c1ea08         shr     edx, 8
00007ff6`5037e80c 81e2ff000000   and     edx, 0FFh
00007ff6`50382a09 03ca         add     ecx, edx
00007ff6`50382412 33c1           xor     eax, ecx
00007ff6`5037e88a 8b4c2404       mov     ecx, dword ptr [rsp+4]
00007ff6`5038060e 03c8         add     ecx, eax
00007ff6`50380f92 8bc1         mov     eax, ecx
00007ff6`50382593 89442404       mov     dword ptr [rsp+4], eax
00007ff6`50380689 8b442414       mov     eax, dword ptr [rsp+14h]
00007ff6`5037d990 8b0c24         mov     ecx, dword ptr [rsp]
00007ff6`5037f20d 03c8         add     ecx, eax
00007ff6`50380b8d 8bc1             mov     eax, ecx
00007ff6`5038270c 890424           mov     dword ptr [rsp], eax
00007ff6`5037f78e 8b442404     mov     eax, dword ptr [rsp+4]
00007ff6`50380914 c1e006           shl     eax, 6
00007ff6`5038050c 8b0c24         mov     ecx, dword ptr [rsp]
00007ff6`5037ed0a c1e918         shr     ecx, 18h
00007ff6`5038140b 81e1ff000000   and     ecx, 0FFh
00007ff6`5037fc15 03c1         add     eax, ecx
00007ff6`5037e18f 8b0c24         mov     ecx, dword ptr [rsp]
00007ff6`5038268c 8b542404     mov     edx, dword ptr [rsp+4]
00007ff6`5037f90d 03d1           add     edx, ecx
00007ff6`50380f17 8bca             mov     ecx, edx
00007ff6`5037f896 33c1             xor     eax, ecx
00007ff6`50381f09 8b4c2404           mov     ecx, dword ptr [rsp+4]
00007ff6`50382895 c1e903         shr     ecx, 3
00007ff6`5037f191 8b1424       mov     edx, dword ptr [rsp]
00007ff6`5037ff8f c1ea10         shr     edx, 10h
00007ff6`5038040a 81e2ff000000   and     edx, 0FFh
00007ff6`50381b8a 03ca         add     ecx, edx
00007ff6`5037e513 33c1         xor     eax, ecx
00007ff6`50382297 8b4c2408           mov     ecx, dword ptr [rsp+8]
00007ff6`5038160f 03c8             add     ecx, eax
00007ff6`50380b0f 8bc1         mov     eax, ecx
00007ff6`50380810 89442408       mov     dword ptr [rsp+8], eax
jmp loop start
 
00007ff6`5037fb91 8b0424       mov     eax, dword ptr [rsp]  0xB28066AD
00007ff6`5038250b 8b4c2404     mov     ecx, dword ptr [rsp+4] 0x5EC6C95A
00007ff6`5037df0e 33c8           xor     ecx, eax 0x5EC6C95A 0xB28066AD
00007ff6`5037f98c 8bc1           mov     eax, ecx 0xEC46AFF7
00007ff6`5037ec8f 89442404       mov     dword ptr [rsp+4], eax 0xEC46AFF7
00007ff6`50380194 8b0424         mov     eax, dword ptr [rsp]  0xb28066ad
00007ff6`5037f00c 8b4c2408     mov     ecx, dword ptr [rsp+8] 0x803e9ac2
00007ff6`50381198 33c8         xor     ecx, eax  0x803E9AC2 0xB28066AD
#                                                0xF5527262 0xDDF2F309
00007ff6`50380e14 8bc1         mov     eax, ecx  0x32BEFC6F
00007ff6`5037fc8f 89442408       mov     dword ptr [rsp+8], eax  0x32BEFC6F
00007ff6`50381d93 488b442430     mov     rax, qword ptr [rsp+30h]
00007ff6`5037f50f 8b4008       mov     eax, dword ptr [rax+8]  rax <&8%ome_to_fzbz,
00007ff6`50381a0c 890424       mov     dword ptr [rsp], eax 0x665f6f74 to_f
00007ff6`5038280f 488b442430     mov     rax, qword ptr [rsp+30h]
00007ff6`50381a92 8b400c       mov     eax, dword ptr [rax+0Ch]  rax <&8%ome_to_fzbz, is welcome_to_fzbz, xor username
00007ff6`50380310 89442414       mov     dword ptr [rsp+14h], eax 0x2C7A627A
00007ff6`5038010c c744241000000000 mov     dword ptr [rsp+10h], 0
 
 
00007ff6`50381890 jmp ..
00007ff6`5038170c 837c24101f     cmp     dword ptr [rsp+10h], 1Fh   loop 0x20 start
args: [rsp] [rsp+4] [rsp+8] [rsp+14h] 746f5f66 f7af46ec 6ffcbe32 a05e2f50  0x665f6f74 0xec46aff7 0x32befc6f 0x2C7A627A
args: [rsp] [rsp+4] [rsp+8] [rsp+14h] 435e1c56 5c1c2442 6b81a028 a05e2f50  0x561c5e43 0x42241c5c 0x28a0816b 0x1b3f534c
00007ff6`5037f28b 7d31         jge     00007FF65037F2BE
00007ff6`50380016 8b442408     mov     eax, dword ptr [rsp+8]
00007ff6`5037e091 c1e004           shl     eax, 4
00007ff6`50381d11 8b0c24       mov     ecx, dword ptr [rsp]
00007ff6`5038208d c1e918       shr     ecx, 18h 0x9CB6F9C0
00007ff6`5037e697 81e1ff000000     and     ecx, 0FFh
00007ff6`5037dc0b 03c1         add     eax, ecx  0x49F68400 0x9C
00007ff6`50380c12 8b0c24           mov     ecx, dword ptr [rsp] 0x9CB6F9C0
00007ff6`5037e90b 8b542408       mov     edx, dword ptr [rsp+8] 0x549F6840
00007ff6`5037e214 03d1           add     edx, ecx 0x549F6840  0x9CB6F9C0
00007ff6`5037db90 8bca         mov     ecx, edx  0xF1566200
00007ff6`5037ef09 33c1         xor     eax, ecx  0x49F6849C  0xF1566200
00007ff6`5037f08d 8b4c2408     mov     ecx, dword ptr [rsp+8] 0x549F6840
00007ff6`50380397 c1e905       shr     ecx, 5  0x549F6840 >> 5
00007ff6`5037f70c 8b1424         mov     edx, dword ptr [rsp] 0x9CB6F9C0
00007ff6`5037fb16 81e2ff000000   and     edx, 0FFh  0x9CB6F9C0
00007ff6`5037fe11 03ca         add     ecx, edx   0x02A4FB42 0xc0
00007ff6`5037e109 33c1           xor     eax, ecx    0xB8A0E69C 0x02A4FC02
00007ff6`5038130b 8b4c2404       mov     ecx, dword ptr [rsp+4] 0x1e7b2f59
00007ff6`5037e992 03c8             add     ecx, eax  0x1E7B2F59 0xBA041A9E
00007ff6`5038110c 8bc1         mov     eax, ecx 0xD87F49F7
00007ff6`5037ea8a 89442404         mov     dword ptr [rsp+4], eax  0xD87F49F7
00007ff6`50380213 8b442414       mov     eax, dword ptr [rsp+14h] 0x2C7A627A
00007ff6`50381990 8b0c24         mov     ecx, dword ptr [rsp] 0x9CB6F9C0
00007ff6`50382613 03c8         add     ecx, eax 0x9CB6F9C0 0x2C7A627A
00007ff6`50380989 8bc1             mov     eax, ecx  0xC9315C3A
00007ff6`50380595 890424       mov     dword ptr [rsp], eax  0x9cb6f9c0 = 0xC9315C3A
00007ff6`50381c8f 8b442404       mov     eax, dword ptr [rsp+4] 0xd87f49f7
00007ff6`5037e713 c1e004       shl     eax, 4 0x87F49F70
00007ff6`50381e90 8b0c24             mov     ecx, dword ptr [rsp]
00007ff6`5037fd98 c1e910         shr     ecx, 10h 0xC9315C3A
00007ff6`5038150b 81e1ff000000   and     ecx, 0FFh
00007ff6`5037f10f 03c1         add     eax, ecx   0x87F49F70 0x31
00007ff6`5038168c 8b0c24           mov     ecx, dword ptr [rsp]  0xC9315C3A
00007ff6`5037ea0d 8b542404     mov     edx, dword ptr [rsp+4]  f7 49 7f d8
00007ff6`5037db0d 03d1           add     edx, ecx   0xD87F49F7 0xC9315C3A
00007ff6`50381812 8bca           mov     ecx, edx   0xA1B0A631
00007ff6`50381914 33c1         xor     eax, ecx      0x87F49FA1  0xA1B0A631
00007ff6`50382993 8b4c2404     mov     ecx, dword ptr [rsp+4] f7 49 7f d8
00007ff6`5037d897 c1e905         shr     ecx, 5        0xD87F49F7 >> 5
00007ff6`50380295 8b1424       mov     edx, dword ptr [rsp]   3a 5c 31 c9 f7 49 7f d8
00007ff6`5038078c c1ea08         shr     edx, 8   0xC9315C3A
00007ff6`5037e794 81e2ff000000   and     edx, 0FFh   0x00C9315C
00007ff6`50382312 03ca               add     ecx, edx   0x06C3FA4F  0x5C
00007ff6`5037de97 33c1           xor     eax, ecx  0x26443990  0x06C3FAAB       90394426   abfac306
00007ff6`5037f696 8b4c2408       mov     ecx, dword ptr [rsp+8] 0x549F6840
00007ff6`5037dd90 03c8             add     ecx, eax      0x549F6840 0x2087C33B = 0x75272b7b  40689f54 3bc38720
00007ff6`5037eb0d 8bc1         mov     eax, ecx
00007ff6`5037ef8f 89442408         mov     dword ptr [rsp+8], eax 0x75272b7b 7b2b2775
00007ff6`5038158c 8b442410         mov     eax, dword ptr [rsp+10h]
00007ff6`50381e0d ffc0           inc     eax
00007ff6`50382910 89442410       mov     dword ptr [rsp+10h], eax
00007ff6`5038170c 837c24101f     cmp     dword ptr [rsp+10h], 1Fh  loop end
00007ff6`5037f28b 7d31         jge     00007FF65037F2BE
 
00007ff6`50381c0e 8b0424       mov     eax, dword ptr [rsp]       3a 5c 31 c9
00007ff6`5037ee8d 8b4c2404       mov     ecx, dword ptr [rsp+4]   3a 5c 31 c9 f7 49 7f d8 7b 2b 27 75
00007ff6`5037f594 33c8         xor     ecx, eax               0xD87F49F7 0xC9315C3A  f7497fd8 3a5c31c9 ix 0x114e15cd
00007ff6`5037f389 8bc1           mov     eax, ecx
00007ff6`50382015 b904000000   mov     ecx, 4
00007ff6`5038248d 486bc900       imul    rcx, rcx, 0
00007ff6`50381392 488b542418   mov     rdx, qword ptr [rsp+18h]
00007ff6`50380089 89040a         mov     dword ptr [rdx+rcx], eax # rdx calced eax cd 15 4e 11
00007ff6`5038008d e8e583ffff       jmp...
00007ff6`50381b0a 8b0424       mov     eax, dword ptr [rsp]  
00007ff6`5037f494 8b4c2408     mov     ecx, dword ptr [rsp+8] 3a 5c 31 c9 f7 49 7f d8 7b 2b 27 75
00007ff6`50382114 33c8         xor     ecx, eax
00007ff6`5037dc95 8bc1         mov     eax, ecx
00007ff6`50382b93 b904000000   mov     ecx, 4
00007ff6`5037fe8a 486bc901     imul    rcx, rcx, 1
00007ff6`5037ed8b 488b542418   mov     rdx, qword ptr [rsp+18h]
00007ff6`50382a92 89040a       mov     dword ptr [rdx+rcx], eax 0xBC167741
00007ff6`5037e392 4883c428       add     rsp, 28h
00007ff6`5038178c e8cc6dffff     ret
00007ff6`50384597 8b442434     mov     eax, dword ptr [rsp+34h]
00007ff6`50386190 83c008       add     eax, 8
00007ff6`50387792 89442434     mov     dword ptr [rsp+34h], eax
00007ff6`50388310 837c243420     cmp     dword ptr [rsp+34h], 20h
00007ff6`50385913 7d31         jge     00007FF650385946
00007ff6`50386b96 4863442434   movsxd  rax, dword ptr [rsp+34h]
00007ff6`5038a293 48634c2434   movsxd  rcx, dword ptr [rsp+34h]
00007ff6`50386a0f 488b840498000000 mov     rax, qword ptr [rsp+rax+98h] 93bc5e6092c7e230 sel[2,3]
00007ff6`5038820c 4889440c70   mov     qword ptr [rsp+rcx+70h], rax
00007ff6`50385889 4863442434     movsxd  rax, dword ptr [rsp+34h]
00007ff6`50385709 488d440470     lea     rax, [rsp+rax+70h]
00007ff6`5038558d 488bd0         mov     rdx, rax
00007ff6`5038440d 488d4c2458   lea     rcx, [rsp+58h] <&8%ome_to_fzbz,
00007ff6`5037df91 4889542410     mov     qword ptr [rsp+10h], rdx
00007ff6`5037eb93 48894c2408     mov     qword ptr [rsp+8], rcx
00007ff6`50380891 4883ec28       sub     rsp, 28h
00007ff6`5037e593 488b442438       mov     rax, qword ptr [rsp+38h] 7FF6502F5EA8 p [rsp+rax+70h]
00007ff6`5037f616 4889442418   mov     qword ptr [rsp+18h], rax
...
00007ff6`50387212 0fbe0401      movsx   eax, byte ptr [rcx+rax] # welcome_to_fzbz,my_name_is_sbzx! answer
00007ff6`50389195 48634c243c     movsxd  rcx, dword ptr [rsp+3Ch]
00007ff6`50384e8c 0x117212      movzx   ecx, byte ptr [rsp+rcx+70h] # welcome_to_fzbz,my_name_is_sbzx! or wrong data cd 15 4e 11 41 77 16 bc 30 a8 8e d8 .. 01 d3 de 62
00007ff6`50388293 3bc1           cmp     eax, ecx 0x21
00007ff6`5038a397 7431           je      00007FF65038A3CA br=1
    00007ff6`5038a3cb e8a7e0feff     call    00007FF650378477
    00007ff6`5038a3d0 68d853f263     push    63F253D8h
    00007ff6`5038a3d5 68d6e913da     push    0FFFFFFFFDA13E9D6h
    00007ff6`5038a3da e8d1e0feff     call    00007FF6503784B0
00007ff6`50385d13 9d           popfq
00007ff6`50385d14 9c           pushfq
    00007ff6`50385d15 e85d27ffff   call    00007FF650378477
    00007ff6`50385d1a 68946aa94e   push    4EA96A94h
    00007ff6`50385d1f 68b28f7889   push    0FFFFFFFF89788FB2h
    00007ff6`50385d24 e88727ffff   call    00007FF6503784B0
    00007ff6`50385d29 50           push    rax
    00007ff6`50385d2a e800000000   call    00007FF650385D2F
00007ff6`50384d0e 8b44243c       mov     eax, dword ptr [rsp+3Ch]
00007ff6`50382c8f ffc0           inc     eax
00007ff6`50387f90 8944243c       mov     dword ptr [rsp+3Ch], eax
00007ff6`50386692 837c243c20     cmp     dword ptr [rsp+3Ch], 20h # welcome_to_fzbz,my_name_is_sbzx!
00007ff6`50388993 7d31               jge     00007FF6503889C6 br=1
    00007ff6`503889c6 9c                 pushfq 
    00007ff6`503889c7 e8abfafeff         call    00007FF650378477
    00007ff6`503889cc 6857169ebb         push    0FFFFFFFFBB9E1657h
    00007ff6`503889d1 68d5af412e         push    2E41AFD5h
    00007ff6`503889d6 e8d5fafeff         call    00007FF6503784B0
    00007ff6`503889db ebc3               jmp     00007FF6503889A0
00007ff6`50389b09 b801000000   mov     eax, 1
00007ff6`50387a12 4881c410010000 add     rsp, 110h
00007ff6`50385189 5f                      pop     rdi
00007ff6`5038358f e8c94fffff       call    00007FF65037855D
    00007ff6`5037855d 53               push    rbx
    00007ff6`5037855e 50               push    rax
    00007ff6`5037855f e82bffffff       call    00007FF65037848F
    00007ff6`50378564 488bd8           mov     rbx, rax
    00007ff6`50378567 58               pop     rax
    00007ff6`50378568 488983b0000000   mov     qword ptr [rbx+0B0h], rax
    00007ff6`5037856f 5b               pop     rbx
    00007ff6`50378570 c3               ret
00007ff6`5038b80b 85c0             test    eax, eax
00007ff6`5038bd92 7431             je      00007FF65038BDC5
00007ff6`5038b797 4533c9           xor     r9d, r9d
00007ff6`5038ad8b 14011ad8b        lea     r8, [7FF6502720C8h]
00007ff6`5038c611 14011C611        lea     rdx, [7FF6502720D8h]
14011B70E                          xor     ecx, ecx
call MessageBoxW
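As an added example (this is not the author's solver, which the post does not include), the following Python re-implements the block transform recovered from the trace above and inverts it to produce a serial. It is built only from the instructions in the trace: two passes of 32 rounds over an 8-byte block, XTEA-like in shape, with shift pairs 6/3 in the first pass and 4/5 in the second, the per-round "key" material taken from individual bytes of the running sum, the sum initialised from and incremented by dwords of the 16-byte buffer at [rsp+30h], and both words XORed with the final sum at the end of each pass; the 32-byte result is then compared byte by byte with welcome_to_fzbz,my_name_is_sbzx!. Three things the trace does not show directly are assumptions here and are marked as such in the code: that the 16-byte key is "welcome_to_fzbz," XORed byte-wise with the username (the first key dword in the trace is "<&8%", and "<&8%" XOR "welc" is "KCTF", which is why this derivation is assumed), that each block is read as two little-endian dwords with v0 = dword 0 and v1 = dword 1, and that the value the program transforms is the raw 32-byte buffer at [rsp+98h] (how the user actually types the serial in is not visible). The round values the author annotated in the second loop (v0 = 0x1E7B2F59, v1 = 0x549F6840, sum = 0x9CB6F9C0, delta = 0x2C7A627A giving 0xD87F49F7, 0x75272B7B and sum 0xC9315C3A) reproduce with this code.

```python
# Added example, not from the original writeup: re-implementation of the traced
# block transform plus its inverse, used to derive a serial for a username.
import struct
from typing import NamedTuple

MASK = 0xFFFFFFFF
ROUNDS = 32                                   # cmp [rsp+..], 1Fh / jge -> i = 0..31
BASE_KEY = b"welcome_to_fzbz,"                # 16-byte string the key pointer [rsp+30h] refers to
TARGET = b"welcome_to_fzbz,my_name_is_sbzx!"  # 32-byte string the output is compared against


class Phase(NamedTuple):
    shl: int      # left shift used in both half-rounds of this pass
    shr: int      # right shift used in both half-rounds of this pass
    a: tuple      # half A: (byte of sum added to v<<shl, byte of sum added to v>>shr)
    b: tuple      # half B (after sum += delta): same pair


# Read straight off the trace: pass 1 uses shifts 6/3 with sum bytes (0,1) then (3,2);
# pass 2 uses shifts 4/5 with sum bytes (3,0) then (2,1).
PHASE1 = Phase(shl=6, shr=3, a=(0, 1), b=(3, 2))
PHASE2 = Phase(shl=4, shr=5, a=(3, 0), b=(2, 1))


def _byte(x, n):
    return (x >> (8 * n)) & 0xFF


def _mix(v, s, shl, shr, n_add, n_xor):
    """((v<<shl) + sum[n_add]) ^ (v + sum) ^ ((v>>shr) + sum[n_xor]), all mod 2^32."""
    t1 = ((v << shl) + _byte(s, n_add)) & MASK
    t2 = (v + s) & MASK
    t3 = ((v >> shr) + _byte(s, n_xor)) & MASK
    return t1 ^ t2 ^ t3


def round_forward(v0, v1, s, delta, p):
    """One loop iteration exactly as traced: v0 += mix(v1), sum += delta, v1 += mix(v0)."""
    v0 = (v0 + _mix(v1, s, p.shl, p.shr, *p.a)) & MASK
    s = (s + delta) & MASK
    v1 = (v1 + _mix(v0, s, p.shl, p.shr, *p.b)) & MASK
    return v0, v1, s


def phase_forward(v0, v1, s, delta, p):
    for _ in range(ROUNDS):
        v0, v1, s = round_forward(v0, v1, s, delta, p)
    return v0 ^ s, v1 ^ s                     # the post-loop "xor ecx, eax" on both words


def phase_inverse(v0, v1, s0, delta, p):
    s = (s0 + ROUNDS * delta) & MASK          # value of sum after the 32 additions
    v0 ^= s
    v1 ^= s
    for _ in range(ROUNDS):                   # undo the rounds in reverse order
        v1 = (v1 - _mix(v0, s, p.shl, p.shr, *p.b)) & MASK
        s = (s - delta) & MASK
        v0 = (v0 - _mix(v1, s, p.shl, p.shr, *p.a)) & MASK
    return v0, v1


def derive_key(username):
    """ASSUMPTION: key = BASE_KEY XOR username byte-wise, remaining key bytes unchanged.
    With username b"KCTF" the first dword becomes "<&8%" (0x2538263C), matching the trace."""
    if not 1 <= len(username) <= 16:
        raise ValueError("username must be 1..16 bytes")
    k = bytes(b ^ (username[i] if i < len(username) else 0) for i, b in enumerate(BASE_KEY))
    return struct.unpack("<4I", k)


def encrypt_block(block, key):
    """Forward transform of one 8-byte block (what the binary applies to the serial)."""
    v0, v1 = struct.unpack("<2I", block)      # ASSUMPTION: v0 = dword 0, v1 = dword 1
    v0, v1 = phase_forward(v0, v1, key[0], key[1], PHASE1)
    v0, v1 = phase_forward(v0, v1, key[2], key[3], PHASE2)
    return struct.pack("<2I", v0, v1)


def decrypt_block(block, key):
    v0, v1 = struct.unpack("<2I", block)
    v0, v1 = phase_inverse(v0, v1, key[2], key[3], PHASE2)
    v0, v1 = phase_inverse(v0, v1, key[0], key[1], PHASE1)
    return struct.pack("<2I", v0, v1)


def check(username, serial):
    """Re-implements the final 32-byte compare: transform(serial) == TARGET."""
    key = derive_key(username)
    out = b"".join(encrypt_block(serial[i:i + 8], key) for i in range(0, 32, 8))
    return out == TARGET


def solve(username):
    """Serial bytes for a username: invert the transform on TARGET block by block."""
    key = derive_key(username)
    return b"".join(decrypt_block(TARGET[i:i + 8], key) for i in range(0, 32, 8))


if __name__ == "__main__":
    name = b"KCTF"                            # constructed sample input
    serial = solve(name)
    print(name.decode(), serial.hex())
    print("self-check:", check(name, serial))
```

Running it prints the 32 serial bytes for the username KCTF as hex and confirms that transforming them again yields the target string. If the real program expects the serial in some other encoding, only the final printing needs changing; the transform itself is fixed by the trace.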

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//