-
-
[原创]KCTF 2024 第十题 试探
-
发表于: 2024-9-4 21:40 3187
-
011110202122
"kctf"+输入 +shelllcode_sz_0xED3_140006050,写入到ZwAllocateVirtualMemory分配的PAGE_EXECUTE_READWRITE
内存中
创建2个线程,线程1输出校验结果,线程2自注入(Tartarus-TpAllocInject)shellcode进行验证
输出结果
Tartarus-TpAllocInject自注入,执行shellcode
+44h 处开始,2Ah 替换为0
jcc混淆
去混淆脚本
反编译结果
1、输入转换 hexstr_to_dight,转换成3x3 坐标
2、从(0,0)开始,根据坐标选取number_table中的数字,每次与上一次的位置进行交换
3、交换排序后为1-8
int
__cdecl main(
int
argc,
const
char
**argv,
const
char
**envp)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Src.u._Ptr = 0i64;
Src._Myres = 0xFi64;
Src._Mysize = 0i64;
string_140001DE0(&Src, 0x14ui64, (
__int64
)envp, 0x14ui64);
v49.u._Ptr = 0i64;
v49._Mysize = 0i64;
v49._Myres = 0xFi64;
string_140001CA0(&v49, 0x16ui64, v3,
"Ummdrm%dfqdz%xgps(ndq?"
);
Ptr = &v49;
if
( v49._Myres >= 0x10 )
Ptr = (std_string *)v49.u._Ptr;
// Please enter your key:
v5 = (
const
char
*)str_xor_140001FC0((
__int64
)Ptr, v49._Mysize, xor1_1400043BC);
printf_5(v5);
p_Src = &Src;
if
( Src._Myres >= 0x10 )
p_Src = (std_string *)Src.u._Ptr;
scanf
(
"%s"
, p_Src, Src._Mysize);
kctf._Myres = 0xFi64;
kctf._Mysize = 4i64;
*(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
// kctf
v7 = str_xor_140001FC0((
__int64
)&kctf, 4, xor1_1400043BC);
kctf_ = (
const
void
*)v7;
kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
do
++kctf_sz;
while
( *(_BYTE *)(v7 + kctf_sz) );
Mysize = Src._Mysize;
if
( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74:
sub_140001280();
input = &Src;
if
( Src._Myres >= 0x10 )
input = (std_string *)Src.u._Ptr;
v52[0] = 0i64;
v53 = 0i64;
v54 = 0i64;
v12 = Src._Mysize + kctf_sz;
v13 = 0xFi64;
input_data = (
char
*)v52;
if
( Src._Mysize + kctf_sz > 0xF )
{
v15 = Src._Mysize + kctf_sz;
if
( v12 < 0x10 )
v15 = 0x10i64;
v13 = v15 | 0xF;
if
( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
{
if
( v13 < 0x16 )
v13 = 0x16i64;
if
( v13 + 1 < 0x1000 )
{
input_data = (
char
*)operator
new
(v13 + 1);
LABEL_23:
v52[0] = input_data;
goto
LABEL_24;
}
v16 = v13 + 0x28;
if
( v13 + 0x28 <= v13 + 1 )
hkThreadLocalBlockStreamAllocator::clear();
}
else
{
v13 = 0x7FFFFFFFFFFFFFFFi64;
v16 = 0x8000000000000027ui64;
}
v17 = operator
new
(v16);
if
( !v17 )
goto
LABEL_54;
input_data = (
char
*)(((unsigned
__int64
)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
*((_QWORD *)input_data + 0xFFFFFFFF) = v17;
goto
LABEL_23;
}
LABEL_24:
v53 = Mysize + kctf_sz;
v54 = v13;
memcpy
(input_data, kctf_, kctf_sz);
memcpy
(&input_data[kctf_sz], input, Mysize);
input_data[v12] = 0;
v48 = 0xFi64;
v47 = 9i64;
strcpy
((
char
*)v46,
"kulim&amd"
);
// ntdll.dll
ntdll_dll = (
const
CHAR
*)str_xor_140001FC0((
__int64
)v46, 9, xor1_1400043BC);
ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
v43 = 0xFi64;
v42 = 0xEi64;
strcpy
((
char
*)Block,
"KuIaeJjn|@o|wx"
);
// NtAddBootEntry
v20 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)Block, 0xE, xor1_1400043BC);
syscall_adr_1400075B8 = (
__int64
)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
event_1400075B0 = (
__int64
)CreateEventA(0i64, 0, 1, 0i64);
input_data_sz = v53;
v51 = v53 + 0xED4;
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (
__int64
)str_ZwAllocateVirtualMemory_);
set_syscall_stub_140002510(xx_ssn_1400075A8, (
__int64
(*)(
void
))syscall_adr_1400075B8);
// ZwAllocateVirtualMemory
call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
v23 = v52;
v24 = v54;
v25 = v54 >= 0x10;
v26 = (
char
*)v52[0];
if
( v54 >= 0x10 )
v23 = (
void
**)v52[0];
addr_ = (_BYTE *)addr_1400075C0;
v28 = input_data_sz;
if
( input_data_sz )
{
do
{
*addr_++ = *(_BYTE *)v23;
v23 = (
void
**)((
char
*)v23 + 1);
--v28;
}
while
( v28 );
addr_ = (_BYTE *)addr_1400075C0;
}
// 0x19
v29 = &addr_[input_data_sz + 1];
v30 = data_140006050;
v31 = 0xED3i64;
do
{
//写入shellcode sz:0xED3
*v29++ = *(_BYTE *)v30;
v30 = (
__int64
(__fastcall *)())((
char
*)v30 + 1);
--v31;
}
while
( v31 );
index2_1400075AC = input_data_sz + 1;
v32 = (
int
(**)())operator
new
(8ui64);
*v32 = thread1_140001530;
v55._Hnd = v32;
if
( !beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::
thread
::_Invoke<std::tuple<
void
(__cdecl *)(
void
)>,0>,
v32,
0,
&ThrdAddr) )
goto
LABEL_73;
v33 = (
void
(**)())operator
new
(8ui64);
*v33 = thread2_1400012C0;
v55._Hnd = v33;
*(_QWORD *)v45 = beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::
thread
::_Invoke<std::tuple<
void
(__cdecl *)(
void
)>,0>,
v33,
0,
&v45[2]);
int
__cdecl main(
int
argc,
const
char
**argv,
const
char
**envp)
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Src.u._Ptr = 0i64;
Src._Myres = 0xFi64;
Src._Mysize = 0i64;
string_140001DE0(&Src, 0x14ui64, (
__int64
)envp, 0x14ui64);
v49.u._Ptr = 0i64;
v49._Mysize = 0i64;
v49._Myres = 0xFi64;
string_140001CA0(&v49, 0x16ui64, v3,
"Ummdrm%dfqdz%xgps(ndq?"
);
Ptr = &v49;
if
( v49._Myres >= 0x10 )
Ptr = (std_string *)v49.u._Ptr;
// Please enter your key:
v5 = (
const
char
*)str_xor_140001FC0((
__int64
)Ptr, v49._Mysize, xor1_1400043BC);
printf_5(v5);
p_Src = &Src;
if
( Src._Myres >= 0x10 )
p_Src = (std_string *)Src.u._Ptr;
scanf
(
"%s"
, p_Src, Src._Mysize);
kctf._Myres = 0xFi64;
kctf._Mysize = 4i64;
*(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
// kctf
v7 = str_xor_140001FC0((
__int64
)&kctf, 4, xor1_1400043BC);
kctf_ = (
const
void
*)v7;
kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
do
++kctf_sz;
while
( *(_BYTE *)(v7 + kctf_sz) );
Mysize = Src._Mysize;
if
( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74:
sub_140001280();
input = &Src;
if
( Src._Myres >= 0x10 )
input = (std_string *)Src.u._Ptr;
v52[0] = 0i64;
v53 = 0i64;
v54 = 0i64;
v12 = Src._Mysize + kctf_sz;
v13 = 0xFi64;
input_data = (
char
*)v52;
if
( Src._Mysize + kctf_sz > 0xF )
{
v15 = Src._Mysize + kctf_sz;
if
( v12 < 0x10 )
v15 = 0x10i64;
v13 = v15 | 0xF;
if
( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
{
if
( v13 < 0x16 )
v13 = 0x16i64;
if
( v13 + 1 < 0x1000 )
{
input_data = (
char
*)operator
new
(v13 + 1);
LABEL_23:
v52[0] = input_data;
goto
LABEL_24;
}
v16 = v13 + 0x28;
if
( v13 + 0x28 <= v13 + 1 )
hkThreadLocalBlockStreamAllocator::clear();
}
else
{
v13 = 0x7FFFFFFFFFFFFFFFi64;
v16 = 0x8000000000000027ui64;
}
v17 = operator
new
(v16);
if
( !v17 )
goto
LABEL_54;
input_data = (
char
*)(((unsigned
__int64
)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
*((_QWORD *)input_data + 0xFFFFFFFF) = v17;
goto
LABEL_23;
}
LABEL_24:
v53 = Mysize + kctf_sz;
v54 = v13;
memcpy
(input_data, kctf_, kctf_sz);
memcpy
(&input_data[kctf_sz], input, Mysize);
input_data[v12] = 0;
v48 = 0xFi64;
v47 = 9i64;
strcpy
((
char
*)v46,
"kulim&amd"
);
// ntdll.dll
ntdll_dll = (
const
CHAR
*)str_xor_140001FC0((
__int64
)v46, 9, xor1_1400043BC);
ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
v43 = 0xFi64;
v42 = 0xEi64;
strcpy
((
char
*)Block,
"KuIaeJjn|@o|wx"
);
// NtAddBootEntry
v20 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)Block, 0xE, xor1_1400043BC);
syscall_adr_1400075B8 = (
__int64
)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
event_1400075B0 = (
__int64
)CreateEventA(0i64, 0, 1, 0i64);
input_data_sz = v53;
v51 = v53 + 0xED4;
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (
__int64
)str_ZwAllocateVirtualMemory_);
set_syscall_stub_140002510(xx_ssn_1400075A8, (
__int64
(*)(
void
))syscall_adr_1400075B8);
// ZwAllocateVirtualMemory
call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
v23 = v52;
v24 = v54;
v25 = v54 >= 0x10;
v26 = (
char
*)v52[0];
if
( v54 >= 0x10 )
v23 = (
void
**)v52[0];
addr_ = (_BYTE *)addr_1400075C0;
v28 = input_data_sz;
if
( input_data_sz )
{
do
{
*addr_++ = *(_BYTE *)v23;
v23 = (
void
**)((
char
*)v23 + 1);
--v28;
}
while
( v28 );
addr_ = (_BYTE *)addr_1400075C0;
}
// 0x19
v29 = &addr_[input_data_sz + 1];
v30 = data_140006050;
v31 = 0xED3i64;
do
{
//写入shellcode sz:0xED3
*v29++ = *(_BYTE *)v30;
v30 = (
__int64
(__fastcall *)())((
char
*)v30 + 1);
--v31;
}
while
( v31 );
index2_1400075AC = input_data_sz + 1;
v32 = (
int
(**)())operator
new
(8ui64);
*v32 = thread1_140001530;
v55._Hnd = v32;
if
( !beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::
thread
::_Invoke<std::tuple<
void
(__cdecl *)(
void
)>,0>,
v32,
0,
&ThrdAddr) )
goto
LABEL_73;
v33 = (
void
(**)())operator
new
(8ui64);
*v33 = thread2_1400012C0;
v55._Hnd = v33;
*(_QWORD *)v45 = beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::
thread
::_Invoke<std::tuple<
void
(__cdecl *)(
void
)>,0>,
v33,
0,
&v45[2]);
int
thread1_140001530()
{
__int64
v0;
// rcx
char
i;
// al
char
*k;
// r8
const
char
*v3;
// rax
v0 = addr_1400075C0;
for
( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 ==
'k'
; i = *(_BYTE *)addr_1400075C0 )
{
Sleep(0xAu);
v0 = addr_1400075C0;
}
// ok!:
// *BaseAddress = 0x69;
// BaseAddress[1] = 0x6F;
// BaseAddress[2] = 0x20;
//
// no!:
// *BaseAddress = 0x6D;
// BaseAddress[1] = 0x6A;
// BaseAddress[2] = 0x29;
k = (
char
*)&ok_key_1400043F8;
if
( i != 0x69 )
// no!
k = (
char
*)&no_key_1400043FC;
// ok!
v3 = (
const
char
*)str_xor_140001FC0(v0, 3, k);
return
printf_5(v3);
}
int
thread1_140001530()
{
__int64
v0;
// rcx
char
i;
// al
char
*k;
// r8
const
char
*v3;
// rax
v0 = addr_1400075C0;
for
( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 ==
'k'
; i = *(_BYTE *)addr_1400075C0 )
{
Sleep(0xAu);
v0 = addr_1400075C0;
}
// ok!:
// *BaseAddress = 0x69;
// BaseAddress[1] = 0x6F;
// BaseAddress[2] = 0x20;
//
// no!:
// *BaseAddress = 0x6D;
// BaseAddress[1] = 0x6A;
// BaseAddress[2] = 0x29;
k = (
char
*)&ok_key_1400043F8;
if
( i != 0x69 )
// no!
k = (
char
*)&no_key_1400043FC;
// ok!
v3 = (
const
char
*)str_xor_140001FC0(v0, 3, k);
return
printf_5(v3);
}
void
thread2_1400012C0()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v10 = 0i64;
v15 = 0xFi64;
v14 = 9i64;
strcpy
((
char
*)v13,
"kulim&amd"
);
// ntdll.dll
v0 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)v13, 9, xor1_1400043BC);
ntdll = GetModuleHandleA(v0);
v11._Myres = 0xFi64;
v11._Mysize = 0xBi64;
strcpy
(v11.u._Buf,
"QqIimgfVilu"
);
// TpAllocWait
v2 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)&v11, 0xB, xor1_1400043BC);
TpAllocWait = GetProcAddress(ntdll, v2);
((
void
(__fastcall *)(
__int64
*,
__int64
, _QWORD, _QWORD))TpAllocWait)(
&v10,
addr_1400075C0 + (unsigned
int
)index2_1400075AC,
0i64,
0i64);
Block._Myres = 0xFi64;
Block._Mysize = 9i64;
strcpy
(Block.u._Buf,
"Qq[`u_dh|"
);
// TpSetWait
v4 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)&Block, 9, xor1_1400043BC);
TpSetWait = GetProcAddress(ntdll, v4);
((
void
(__fastcall *)(
__int64
,
__int64
, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
//like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (
__int64
)
"Or_`o|GizRoffjmNdbde|"
);
set_syscall_stub_140002510(xx_ssn_1400075A8, (
__int64
(*)(
void
))syscall_adr_1400075B8);
// NtWaitForSingleObject
call_syscall_140002533(event_1400075B0, 0i64, 0i64);
void
thread2_1400012C0()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v10 = 0i64;
v15 = 0xFi64;
v14 = 9i64;
strcpy
((
char
*)v13,
"kulim&amd"
);
// ntdll.dll
v0 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)v13, 9, xor1_1400043BC);
ntdll = GetModuleHandleA(v0);
v11._Myres = 0xFi64;
v11._Mysize = 0xBi64;
strcpy
(v11.u._Buf,
"QqIimgfVilu"
);
// TpAllocWait
v2 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)&v11, 0xB, xor1_1400043BC);
TpAllocWait = GetProcAddress(ntdll, v2);
((
void
(__fastcall *)(
__int64
*,
__int64
, _QWORD, _QWORD))TpAllocWait)(
&v10,
addr_1400075C0 + (unsigned
int
)index2_1400075AC,
0i64,
0i64);
Block._Myres = 0xFi64;
Block._Mysize = 9i64;
strcpy
(Block.u._Buf,
"Qq[`u_dh|"
);
// TpSetWait
v4 = (
const
CHAR
*)str_xor_140001FC0((
__int64
)&Block, 9, xor1_1400043BC);
TpSetWait = GetProcAddress(ntdll, v4);
((
void
(__fastcall *)(
__int64
,
__int64
, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
//like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (
__int64
)
"Or_`o|GizRoffjmNdbde|"
);
set_syscall_stub_140002510(xx_ssn_1400075A8, (
__int64
(*)(
void
))syscall_adr_1400075B8);
// NtWaitForSingleObject
call_syscall_140002533(event_1400075B0, 0i64, 0i64);
$
+
21
000
| FFC0 | inc eax |
$
+
23
000
|
5F
| pop rdi |
$
+
24
000
| B9 A60F0101 | mov ecx,
1010FA6
|
$
+
29
000
|
81F1
01010101
| xor ecx,
1010101
|
$
+
2F
000
|
48
:
83C7
22
| add rdi,
22
|
$
+
33
000
|
33F6
| xor esi,esi |
$
+
35
000
| FC | cld |
$
+
36
000
|
8A07
| mov al,byte ptr ds:[rdi] |;offset
+
0x44
$
+
38
000
|
3C
2A
|
cmp
al,
2A
|
2A
:
'*'
$
+
3A
000
|
0F44C6
| cmove eax,esi |;后续中
2Ah
替换为
0
$
+
3D
000
| AA | stosb |
$
+
3E
000
| E2 F6 | loop
4B0036
|
$
+
40
000
|
5F
| pop rdi |
$
+
41
000
|
58
| pop rax |
$
+
42
000
|
59
| pop rcx |
$
+
43
000
|
5E
| pop rsi |
$
+
21
000
| FFC0 | inc eax |
$
+
23
000
|
5F
| pop rdi |
$
+
24
000
| B9 A60F0101 | mov ecx,
1010FA6
|
$
+
29
000
|
81F1
01010101
| xor ecx,
1010101
|
$
+
2F
000
|
48
:
83C7
22
| add rdi,
22
|
$
+
33
000
|
33F6
| xor esi,esi |
$
+
35
000
| FC | cld |
$
+
36
000
|
8A07
| mov al,byte ptr ds:[rdi] |;offset
+
0x44
$
+
38
000
|
3C
2A
|
cmp
al,
2A
|
2A
:
'*'
$
+
3A
000
|
0F44C6
| cmove eax,esi |;后续中
2Ah
替换为
0
$
+
3D
000
| AA | stosb |
$
+
3E
000
| E2 F6 | loop
4B0036
|
$
+
40
000
|
5F
| pop rdi |
$
+
41
000
|
58
| pop rax |
$
+
42
000
|
59
| pop rcx |
$
+
43
000
|
5E
| pop rsi |
$
+
57
000
|
83FE
F5 |
cmp
esi,FFFFFFF5 |
$
+
5A
000
|
75
0D
| jne
4B0069
|;必跳转
$
+
5C
000
|
74
08
| je
4B0066
|;垃圾数据
$
+
5E
000
|
76
0D
| jbe
4B006D
|
$
+
60
000
| EB E2 | jmp
4B0044
|
$
+
62
000
| FD | std |
$
+
63
000
| EB
1F
| jmp
4B0084
|
$
+
65
000
|
3E
:
1C
EB | sbb al,EB |
$
+
68
000
| EB B9 | jmp
4B0023
|
$
+
57
000
|
83FE
F5 |
cmp
esi,FFFFFFF5 |
$
+
5A
000
|
75
0D
| jne
4B0069
|;必跳转
$
+
5C
000
|
74
08
| je
4B0066
|;垃圾数据
$
+
5E
000
|
76
0D
| jbe
4B006D
|
$
+
60
000
| EB E2 | jmp
4B0044
|
$
+
62
000
| FD | std |
$
+
63
000
| EB
1F
| jmp
4B0084
|
$
+
65
000
|
3E
:
1C
EB | sbb al,EB |
$
+
68
000
| EB B9 | jmp
4B0023
|
$
+
69
000
| B9
46DF8DF8
| mov ecx,F88DDF46 |
$
+
6E
000
| E8
65050000
| call
4B05D8
|
$
+
73
000
|
48
:
8BD8
| mov rbx,rax |
$
+
69
000
| B9
46DF8DF8
| mov ecx,F88DDF46 |
$
+
6E
000
| E8
65050000
| call
4B05D8
|
$
+
73
000
|
48
:
8BD8
| mov rbx,rax |
from
idc
import
*
from
idaapi
import
*
from
idautils
import
*
def
patch_instructions(start_addr, end_addr):
"""
将起始地址到结束地址之间的所有指令都替换为 NOP。
"""
for
addr
in
range
(start_addr, end_addr):
patch_byte(addr,
0x90
)
# 0x90 是 NOP 的操作码
def
process_segment(segment_start, segment_end):
addr
=
segment_start
while
addr < segment_end:
# 打印当前指令的助记符
mnem
=
print_insn_mnem(addr)
# 判断是否是我们需要的 cmp 指令
if
mnem
=
=
"cmp"
:
cmp_addr
=
addr
next_addr
=
addr
+
get_item_size(addr)
# 检查接下来的指令是否是 jnz, jz, jbe
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jnz"
:
jnz_addr
=
next_addr
jnz_target
=
get_operand_value(jnz_addr,
0
)
next_addr
+
=
get_item_size(next_addr)
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jz"
:
jz_addr
=
next_addr
next_addr
+
=
get_item_size(next_addr)
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jbe"
:
jbe_addr
=
next_addr
print
(
'%08x\t'
%
cmp_addr,idc.GetDisasm(cmp_addr))
# 修补从 cmp 到 jnz 的目标地址之间的所有指令
patch_instructions(cmp_addr, jnz_target)
# 跳过已修补的指令
addr
=
next_addr
+
get_item_size(next_addr)
continue
# 前进到下一条指令
addr
+
=
get_item_size(addr)
def
main():
# 获取当前段的起始和结束地址
segment_start
=
get_segm_start(here())
segment_end
=
get_segm_end(here())
# 处理段中的代码
process_segment(segment_start, segment_end)
if
__name__
=
=
"__main__"
:
main()
from
idc
import
*
from
idaapi
import
*
from
idautils
import
*
def
patch_instructions(start_addr, end_addr):
"""
将起始地址到结束地址之间的所有指令都替换为 NOP。
"""
for
addr
in
range
(start_addr, end_addr):
patch_byte(addr,
0x90
)
# 0x90 是 NOP 的操作码
def
process_segment(segment_start, segment_end):
addr
=
segment_start
while
addr < segment_end:
# 打印当前指令的助记符
mnem
=
print_insn_mnem(addr)
# 判断是否是我们需要的 cmp 指令
if
mnem
=
=
"cmp"
:
cmp_addr
=
addr
next_addr
=
addr
+
get_item_size(addr)
# 检查接下来的指令是否是 jnz, jz, jbe
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jnz"
:
jnz_addr
=
next_addr
jnz_target
=
get_operand_value(jnz_addr,
0
)
next_addr
+
=
get_item_size(next_addr)
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jz"
:
jz_addr
=
next_addr
next_addr
+
=
get_item_size(next_addr)
mnem_next
=
print_insn_mnem(next_addr)
if
mnem_next
=
=
"jbe"
:
jbe_addr
=
next_addr
print
(
'%08x\t'
%
cmp_addr,idc.GetDisasm(cmp_addr))
# 修补从 cmp 到 jnz 的目标地址之间的所有指令
patch_instructions(cmp_addr, jnz_target)
# 跳过已修补的指令
addr
=
next_addr
+
get_item_size(next_addr)
continue
# 前进到下一条指令
addr
+
=
get_item_size(addr)
def
main():
# 获取当前段的起始和结束地址
segment_start
=
get_segm_start(here())
segment_end
=
get_segm_end(here())
# 处理段中的代码
process_segment(segment_start, segment_end)
if
__name__
=
=
"__main__"
:
main()
__int64
sub_44()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
CreateToolhelp32Snapshot = (
__int64
(__fastcall *)(
__int64
, _QWORD))find_api_func_5D8(0xF88DDF46);
OpenProcess = find_api_func_5D8(0xFD0B55A7);
// VirtualQueryEx
VirtualQueryEx = (
__int64
(__fastcall *)(
__int64
,
char
*, MEMORY_BASIC_INFORMATION *,
__int64
))find_api_func_5D8(0x242E6FF);
// Process32First
Process32First = (
__int64
(__fastcall *)(
__int64
,
int
*))find_api_func_5D8(0x3F347695);
// Process32Next
Process32Next = find_api_func_5D8(0x93E12339);
// CloseHandle
CloseHandle = (
void
(__fastcall *)(
__int64
))find_api_func_5D8(0x1CA655F1);
// GetCurrentProcessId
GetCurrentProcessId = (
void
(*)(
void
))find_api_func_5D8(0x35634E1);
v4 = 0i64;
v15 = 0x238;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if
( v6 == 0xFFFFFFFFFFFFFFFFui64 )
return
0xFFFFFFFFi64;
v9 = Process32First(v6, &v15);
OpenProcess1 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))OpenProcess;
for
( i = (
__int64
(__fastcall *)(
__int64
,
int
*))Process32Next; v9; v9 = i(v7, &v15) )
{
if
( v16 == ((unsigned
int
(*)(
void
))GetCurrentProcessId)() )
{
v4 = OpenProcess1(0x2000000i64, 0i64, v16);
if
( v4 )
{
v12 = 0i64;
// SIZE_T VirtualQueryEx(
// [in] HANDLE hProcess,
// [in, optional] LPCVOID lpAddress,
// [out] PMEMORY_BASIC_INFORMATION lpBuffer,
// [in] SIZE_T dwLength
// );
while
( VirtualQueryEx(v4, v12, &v14, 0x30i64) )
{
v12 = (
char
*)v14.BaseAddress + *(_QWORD *)&v14.State;
if
( v14.Type == MEM_COMMIT && v14.AllocationProtect == PAGE_EXECUTE_READWRITE )
{
GetCurrentProcessId();
v5 = sub_6A4(*(unsigned
int
*)v14.BaseAddress);
BaseAddress = v14.BaseAddress;
if
( v5 )
{
if
( check_6E4((
char
*)v14.BaseAddress + 4) )
{
// 成功
*BaseAddress = 0x69;
BaseAddress[1] = 0x6F;
BaseAddress[2] = 0x20;
}
else
{
*BaseAddress = 0x6D;
BaseAddress[1] = 0x6A;
BaseAddress[2] = 0x29;
}
BaseAddress[3] = 0;
break
;
}
*(_BYTE *)v14.BaseAddress = 0x6D;
BaseAddress[1] = 0x6A;
BaseAddress[2] = 0x29;
BaseAddress[3] = 0;
}
}
OpenProcess1 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))OpenProcess;
i = (
__int64
(__fastcall *)(
__int64
,
int
*))Process32Next;
}
if
( v5 )
break
;
}
}
CloseHandle(v7);
return
((
__int64
(__fastcall *)(
__int64
))CloseHandle)(v4);
}
__int64
sub_44()
{
// [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
CreateToolhelp32Snapshot = (
__int64
(__fastcall *)(
__int64
, _QWORD))find_api_func_5D8(0xF88DDF46);
OpenProcess = find_api_func_5D8(0xFD0B55A7);
// VirtualQueryEx
VirtualQueryEx = (
__int64
(__fastcall *)(
__int64
,
char
*, MEMORY_BASIC_INFORMATION *,
__int64
))find_api_func_5D8(0x242E6FF);
// Process32First
Process32First = (
__int64
(__fastcall *)(
__int64
,
int
*))find_api_func_5D8(0x3F347695);
// Process32Next
Process32Next = find_api_func_5D8(0x93E12339);
// CloseHandle
CloseHandle = (
void
(__fastcall *)(
__int64
))find_api_func_5D8(0x1CA655F1);
// GetCurrentProcessId
GetCurrentProcessId = (
void
(*)(
void
))find_api_func_5D8(0x35634E1);
v4 = 0i64;
v15 = 0x238;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if
( v6 == 0xFFFFFFFFFFFFFFFFui64 )
return
0xFFFFFFFFi64;
v9 = Process32First(v6, &v15);
OpenProcess1 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))OpenProcess;
for
( i = (
__int64
(__fastcall *)(
__int64
,
int
*))Process32Next; v9; v9 = i(v7, &v15) )
{
if
( v16 == ((unsigned
int
(*)(
void
))GetCurrentProcessId)() )
{
v4 = OpenProcess1(0x2000000i64, 0i64, v16);
if
( v4 )
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
- [原创]KCTF 2024 第十题 试探 3188
- KCTF2023第五题 争分夺秒 9539
- KCTF2022第三题 石像病毒 7298
- [原创]KCTF2021春季赛第四题 英雄救美 10038
- [原创] 第五题:魅影舞姬 3213
看原图
赞赏
雪币:
留言: