-
-
[原创]KCTF 2024 第十题 试探
-
发表于: 2024-9-4 21:40 1976
-
011110202122
"kctf"+输入 +shelllcode_sz_0xED3_140006050,写入到ZwAllocateVirtualMemory分配的PAGE_EXECUTE_READWRITE 内存中
创建2个线程,线程1输出校验结果,线程2自注入(Tartarus-TpAllocInject)shellcode进行验证
输出结果
Tartarus-TpAllocInject自注入,执行shellcode
+44h 处开始,2Ah 替换为0
jcc混淆
去混淆脚本
反编译结果
1、输入转换 hexstr_to_dight,转换成3x3 坐标
2、从(0,0)开始,根据坐标选取number_table中的数字,每次与上一次的位置进行交换
3、交换排序后为1-8
int __cdecl main(int argc, const char **argv, const char **envp)
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Src.u._Ptr = 0i64;
Src._Myres = 0xFi64;
Src._Mysize = 0i64;
string_140001DE0(&Src, 0x14ui64, (__int64)envp, 0x14ui64);
v49.u._Ptr = 0i64;
v49._Mysize = 0i64;
v49._Myres = 0xFi64;
string_140001CA0(&v49, 0x16ui64, v3, "Ummdrm%dfqdz%xgps(ndq?");
Ptr = &v49;
if ( v49._Myres >= 0x10 )
Ptr = (std_string *)v49.u._Ptr;
// Please enter your key:
v5 = (const char *)str_xor_140001FC0((__int64)Ptr, v49._Mysize, xor1_1400043BC);
printf_5(v5);
p_Src = &Src;
if ( Src._Myres >= 0x10 )
p_Src = (std_string *)Src.u._Ptr;
scanf("%s", p_Src, Src._Mysize);
kctf._Myres = 0xFi64;
kctf._Mysize = 4i64;
*(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
// kctf
v7 = str_xor_140001FC0((__int64)&kctf, 4, xor1_1400043BC);
kctf_ = (const void *)v7;
kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
do
++kctf_sz;
while ( *(_BYTE *)(v7 + kctf_sz) );
Mysize = Src._Mysize;
if ( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74: sub_140001280();
input = &Src;
if ( Src._Myres >= 0x10 )
input = (std_string *)Src.u._Ptr;
v52[0] = 0i64;
v53 = 0i64;
v54 = 0i64;
v12 = Src._Mysize + kctf_sz;
v13 = 0xFi64;
input_data = (char *)v52;
if ( Src._Mysize + kctf_sz > 0xF )
{
v15 = Src._Mysize + kctf_sz;
if ( v12 < 0x10 )
v15 = 0x10i64;
v13 = v15 | 0xF;
if ( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
{
if ( v13 < 0x16 )
v13 = 0x16i64;
if ( v13 + 1 < 0x1000 )
{
input_data = (char *)operator new(v13 + 1);
LABEL_23: v52[0] = input_data;
goto LABEL_24;
}
v16 = v13 + 0x28;
if ( v13 + 0x28 <= v13 + 1 )
hkThreadLocalBlockStreamAllocator::clear();
}
else
{
v13 = 0x7FFFFFFFFFFFFFFFi64;
v16 = 0x8000000000000027ui64;
}
v17 = operator new(v16);
if ( !v17 )
goto LABEL_54;
input_data = (char *)(((unsigned __int64)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
*((_QWORD *)input_data + 0xFFFFFFFF) = v17;
goto LABEL_23;
}
LABEL_24: v53 = Mysize + kctf_sz;
v54 = v13;
memcpy(input_data, kctf_, kctf_sz);
memcpy(&input_data[kctf_sz], input, Mysize);
input_data[v12] = 0;
v48 = 0xFi64;
v47 = 9i64;
strcpy((char *)v46, "kulim&amd");
// ntdll.dll
ntdll_dll = (const CHAR *)str_xor_140001FC0((__int64)v46, 9, xor1_1400043BC);
ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
v43 = 0xFi64;
v42 = 0xEi64;
strcpy((char *)Block, "KuIaeJjn|@o|wx");
// NtAddBootEntry
v20 = (const CHAR *)str_xor_140001FC0((__int64)Block, 0xE, xor1_1400043BC);
syscall_adr_1400075B8 = (__int64)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
event_1400075B0 = (__int64)CreateEventA(0i64, 0, 1, 0i64);
input_data_sz = v53;
v51 = v53 + 0xED4;
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (__int64)str_ZwAllocateVirtualMemory_);
set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
// ZwAllocateVirtualMemory
call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
v23 = v52;
v24 = v54;
v25 = v54 >= 0x10;
v26 = (char *)v52[0];
if ( v54 >= 0x10 )
v23 = (void **)v52[0];
addr_ = (_BYTE *)addr_1400075C0;
v28 = input_data_sz;
if ( input_data_sz )
{
do
{
*addr_++ = *(_BYTE *)v23;
v23 = (void **)((char *)v23 + 1);
--v28;
}
while ( v28 );
addr_ = (_BYTE *)addr_1400075C0;
}
// 0x19
v29 = &addr_[input_data_sz + 1];
v30 = data_140006050;
v31 = 0xED3i64;
do
{
//写入shellcode sz:0xED3
*v29++ = *(_BYTE *)v30;
v30 = (__int64 (__fastcall *)())((char *)v30 + 1);
--v31;
}
while ( v31 );
index2_1400075AC = input_data_sz + 1;
v32 = (int (**)())operator new(8ui64);
*v32 = thread1_140001530;
v55._Hnd = v32;
if ( !beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
v32,
0,
&ThrdAddr) )
goto LABEL_73;
v33 = (void (**)())operator new(8ui64);
*v33 = thread2_1400012C0;
v55._Hnd = v33;
*(_QWORD *)v45 = beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
v33,
0,
&v45[2]);
int __cdecl main(int argc, const char **argv, const char **envp)
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
Src.u._Ptr = 0i64;
Src._Myres = 0xFi64;
Src._Mysize = 0i64;
string_140001DE0(&Src, 0x14ui64, (__int64)envp, 0x14ui64);
v49.u._Ptr = 0i64;
v49._Mysize = 0i64;
v49._Myres = 0xFi64;
string_140001CA0(&v49, 0x16ui64, v3, "Ummdrm%dfqdz%xgps(ndq?");
Ptr = &v49;
if ( v49._Myres >= 0x10 )
Ptr = (std_string *)v49.u._Ptr;
// Please enter your key:
v5 = (const char *)str_xor_140001FC0((__int64)Ptr, v49._Mysize, xor1_1400043BC);
printf_5(v5);
p_Src = &Src;
if ( Src._Myres >= 0x10 )
p_Src = (std_string *)Src.u._Ptr;
scanf("%s", p_Src, Src._Mysize);
kctf._Myres = 0xFi64;
kctf._Mysize = 4i64;
*(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
// kctf
v7 = str_xor_140001FC0((__int64)&kctf, 4, xor1_1400043BC);
kctf_ = (const void *)v7;
kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
do
++kctf_sz;
while ( *(_BYTE *)(v7 + kctf_sz) );
Mysize = Src._Mysize;
if ( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74: sub_140001280();
input = &Src;
if ( Src._Myres >= 0x10 )
input = (std_string *)Src.u._Ptr;
v52[0] = 0i64;
v53 = 0i64;
v54 = 0i64;
v12 = Src._Mysize + kctf_sz;
v13 = 0xFi64;
input_data = (char *)v52;
if ( Src._Mysize + kctf_sz > 0xF )
{
v15 = Src._Mysize + kctf_sz;
if ( v12 < 0x10 )
v15 = 0x10i64;
v13 = v15 | 0xF;
if ( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
{
if ( v13 < 0x16 )
v13 = 0x16i64;
if ( v13 + 1 < 0x1000 )
{
input_data = (char *)operator new(v13 + 1);
LABEL_23: v52[0] = input_data;
goto LABEL_24;
}
v16 = v13 + 0x28;
if ( v13 + 0x28 <= v13 + 1 )
hkThreadLocalBlockStreamAllocator::clear();
}
else
{
v13 = 0x7FFFFFFFFFFFFFFFi64;
v16 = 0x8000000000000027ui64;
}
v17 = operator new(v16);
if ( !v17 )
goto LABEL_54;
input_data = (char *)(((unsigned __int64)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
*((_QWORD *)input_data + 0xFFFFFFFF) = v17;
goto LABEL_23;
}
LABEL_24: v53 = Mysize + kctf_sz;
v54 = v13;
memcpy(input_data, kctf_, kctf_sz);
memcpy(&input_data[kctf_sz], input, Mysize);
input_data[v12] = 0;
v48 = 0xFi64;
v47 = 9i64;
strcpy((char *)v46, "kulim&amd");
// ntdll.dll
ntdll_dll = (const CHAR *)str_xor_140001FC0((__int64)v46, 9, xor1_1400043BC);
ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
v43 = 0xFi64;
v42 = 0xEi64;
strcpy((char *)Block, "KuIaeJjn|@o|wx");
// NtAddBootEntry
v20 = (const CHAR *)str_xor_140001FC0((__int64)Block, 0xE, xor1_1400043BC);
syscall_adr_1400075B8 = (__int64)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
event_1400075B0 = (__int64)CreateEventA(0i64, 0, 1, 0i64);
input_data_sz = v53;
v51 = v53 + 0xED4;
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (__int64)str_ZwAllocateVirtualMemory_);
set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
// ZwAllocateVirtualMemory
call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
v23 = v52;
v24 = v54;
v25 = v54 >= 0x10;
v26 = (char *)v52[0];
if ( v54 >= 0x10 )
v23 = (void **)v52[0];
addr_ = (_BYTE *)addr_1400075C0;
v28 = input_data_sz;
if ( input_data_sz )
{
do
{
*addr_++ = *(_BYTE *)v23;
v23 = (void **)((char *)v23 + 1);
--v28;
}
while ( v28 );
addr_ = (_BYTE *)addr_1400075C0;
}
// 0x19
v29 = &addr_[input_data_sz + 1];
v30 = data_140006050;
v31 = 0xED3i64;
do
{
//写入shellcode sz:0xED3
*v29++ = *(_BYTE *)v30;
v30 = (__int64 (__fastcall *)())((char *)v30 + 1);
--v31;
}
while ( v31 );
index2_1400075AC = input_data_sz + 1;
v32 = (int (**)())operator new(8ui64);
*v32 = thread1_140001530;
v55._Hnd = v32;
if ( !beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
v32,
0,
&ThrdAddr) )
goto LABEL_73;
v33 = (void (**)())operator new(8ui64);
*v33 = thread2_1400012C0;
v55._Hnd = v33;
*(_QWORD *)v45 = beginthreadex(
0i64,
0,
(_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
v33,
0,
&v45[2]);
int thread1_140001530()
{ __int64 v0; // rcx
char i; // al
char *k; // r8
const char *v3; // rax
v0 = addr_1400075C0;
for ( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 == 'k'; i = *(_BYTE *)addr_1400075C0 )
{
Sleep(0xAu);
v0 = addr_1400075C0;
}
// ok!:
// *BaseAddress = 0x69;
// BaseAddress[1] = 0x6F;
// BaseAddress[2] = 0x20;
//
// no!:
// *BaseAddress = 0x6D;
// BaseAddress[1] = 0x6A;
// BaseAddress[2] = 0x29;
k = (char *)&ok_key_1400043F8;
if ( i != 0x69 )
// no!
k = (char *)&no_key_1400043FC;
// ok!
v3 = (const char *)str_xor_140001FC0(v0, 3, k);
return printf_5(v3);
}int thread1_140001530()
{ __int64 v0; // rcx
char i; // al
char *k; // r8
const char *v3; // rax
v0 = addr_1400075C0;
for ( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 == 'k'; i = *(_BYTE *)addr_1400075C0 )
{
Sleep(0xAu);
v0 = addr_1400075C0;
}
// ok!:
// *BaseAddress = 0x69;
// BaseAddress[1] = 0x6F;
// BaseAddress[2] = 0x20;
//
// no!:
// *BaseAddress = 0x6D;
// BaseAddress[1] = 0x6A;
// BaseAddress[2] = 0x29;
k = (char *)&ok_key_1400043F8;
if ( i != 0x69 )
// no!
k = (char *)&no_key_1400043FC;
// ok!
v3 = (const char *)str_xor_140001FC0(v0, 3, k);
return printf_5(v3);
}void thread2_1400012C0()
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v10 = 0i64;
v15 = 0xFi64;
v14 = 9i64;
strcpy((char *)v13, "kulim&amd");
// ntdll.dll
v0 = (const CHAR *)str_xor_140001FC0((__int64)v13, 9, xor1_1400043BC);
ntdll = GetModuleHandleA(v0);
v11._Myres = 0xFi64;
v11._Mysize = 0xBi64;
strcpy(v11.u._Buf, "QqIimgfVilu");
// TpAllocWait
v2 = (const CHAR *)str_xor_140001FC0((__int64)&v11, 0xB, xor1_1400043BC);
TpAllocWait = GetProcAddress(ntdll, v2);
((void (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD))TpAllocWait)(
&v10,
addr_1400075C0 + (unsigned int)index2_1400075AC,
0i64,
0i64);
Block._Myres = 0xFi64;
Block._Mysize = 9i64;
strcpy(Block.u._Buf, "Qq[`u_dh|");
// TpSetWait
v4 = (const CHAR *)str_xor_140001FC0((__int64)&Block, 9, xor1_1400043BC);
TpSetWait = GetProcAddress(ntdll, v4);
((void (__fastcall *)(__int64, __int64, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
//like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (__int64)"Or_`o|GizRoffjmNdbde|");
set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
// NtWaitForSingleObject
call_syscall_140002533(event_1400075B0, 0i64, 0i64);
void thread2_1400012C0()
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
v10 = 0i64;
v15 = 0xFi64;
v14 = 9i64;
strcpy((char *)v13, "kulim&amd");
// ntdll.dll
v0 = (const CHAR *)str_xor_140001FC0((__int64)v13, 9, xor1_1400043BC);
ntdll = GetModuleHandleA(v0);
v11._Myres = 0xFi64;
v11._Mysize = 0xBi64;
strcpy(v11.u._Buf, "QqIimgfVilu");
// TpAllocWait
v2 = (const CHAR *)str_xor_140001FC0((__int64)&v11, 0xB, xor1_1400043BC);
TpAllocWait = GetProcAddress(ntdll, v2);
((void (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD))TpAllocWait)(
&v10,
addr_1400075C0 + (unsigned int)index2_1400075AC,
0i64,
0i64);
Block._Myres = 0xFi64;
Block._Mysize = 9i64;
strcpy(Block.u._Buf, "Qq[`u_dh|");
// TpSetWait
v4 = (const CHAR *)str_xor_140001FC0((__int64)&Block, 9, xor1_1400043BC);
TpSetWait = GetProcAddress(ntdll, v4);
((void (__fastcall *)(__int64, __int64, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
//like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (__int64)"Or_`o|GizRoffjmNdbde|");
set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
// NtWaitForSingleObject
call_syscall_140002533(event_1400075B0, 0i64, 0i64);
$+21 000 | FFC0 | inc eax |
$+23 000 | 5F | pop rdi |
$+24 000 | B9 A60F0101 | mov ecx,1010FA6 |
$+29 000 | 81F1 01010101 | xor ecx,1010101 |
$+2F 000 | 48:83C7 22 | add rdi,22 |
$+33 000 | 33F6 | xor esi,esi |
$+35 000 | FC | cld |
$+36 000 | 8A07 | mov al,byte ptr ds:[rdi] |;offset +0x44
$+38 000 | 3C 2A | cmp al,2A | 2A:'*'
$+3A 000 | 0F44C6 | cmove eax,esi |;后续中2Ah 替换为0
$+3D 000 | AA | stosb |
$+3E 000 | E2 F6 | loop 4B0036 |
$+40 000 | 5F | pop rdi |
$+41 000 | 58 | pop rax |
$+42 000 | 59 | pop rcx |
$+43 000 | 5E | pop rsi |
$+21 000 | FFC0 | inc eax |
$+23 000 | 5F | pop rdi |
$+24 000 | B9 A60F0101 | mov ecx,1010FA6 |
$+29 000 | 81F1 01010101 | xor ecx,1010101 |
$+2F 000 | 48:83C7 22 | add rdi,22 |
$+33 000 | 33F6 | xor esi,esi |
$+35 000 | FC | cld |
$+36 000 | 8A07 | mov al,byte ptr ds:[rdi] |;offset +0x44
$+38 000 | 3C 2A | cmp al,2A | 2A:'*'
$+3A 000 | 0F44C6 | cmove eax,esi |;后续中2Ah 替换为0
$+3D 000 | AA | stosb |
$+3E 000 | E2 F6 | loop 4B0036 |
$+40 000 | 5F | pop rdi |
$+41 000 | 58 | pop rax |
$+42 000 | 59 | pop rcx |
$+43 000 | 5E | pop rsi |
$+57 000 | 83FE F5 | cmp esi,FFFFFFF5 |
$+5A 000 | 75 0D | jne 4B0069 |;必跳转
$+5C 000 | 74 08 | je 4B0066 |;垃圾数据
$+5E 000 | 76 0D | jbe 4B006D |
$+60 000 | EB E2 | jmp 4B0044 |
$+62 000 | FD | std |
$+63 000 | EB 1F | jmp 4B0084 |
$+65 000 | 3E:1C EB | sbb al,EB |
$+68 000 | EB B9 | jmp 4B0023 |
$+57 000 | 83FE F5 | cmp esi,FFFFFFF5 |
$+5A 000 | 75 0D | jne 4B0069 |;必跳转
$+5C 000 | 74 08 | je 4B0066 |;垃圾数据
$+5E 000 | 76 0D | jbe 4B006D |
$+60 000 | EB E2 | jmp 4B0044 |
$+62 000 | FD | std |
$+63 000 | EB 1F | jmp 4B0084 |
$+65 000 | 3E:1C EB | sbb al,EB |
$+68 000 | EB B9 | jmp 4B0023 |
$+69 000 | B9 46DF8DF8 | mov ecx,F88DDF46 |
$+6E 000 | E8 65050000 | call 4B05D8 |
$+73 000 | 48:8BD8 | mov rbx,rax |
$+69 000 | B9 46DF8DF8 | mov ecx,F88DDF46 |
$+6E 000 | E8 65050000 | call 4B05D8 |
$+73 000 | 48:8BD8 | mov rbx,rax |
from idc import *
from idaapi import *
from idautils import *
def patch_instructions(start_addr, end_addr):
"""
将起始地址到结束地址之间的所有指令都替换为 NOP。
"""
for addr in range(start_addr, end_addr):
patch_byte(addr, 0x90) # 0x90 是 NOP 的操作码
def process_segment(segment_start, segment_end):
addr = segment_start
while addr < segment_end:
# 打印当前指令的助记符
mnem = print_insn_mnem(addr)
# 判断是否是我们需要的 cmp 指令
if mnem == "cmp":
cmp_addr = addr
next_addr = addr + get_item_size(addr)
# 检查接下来的指令是否是 jnz, jz, jbe
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jnz":
jnz_addr = next_addr
jnz_target = get_operand_value(jnz_addr, 0)
next_addr += get_item_size(next_addr)
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jz":
jz_addr = next_addr
next_addr += get_item_size(next_addr)
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jbe":
jbe_addr = next_addr
print('%08x\t'%cmp_addr,idc.GetDisasm(cmp_addr))
# 修补从 cmp 到 jnz 的目标地址之间的所有指令
patch_instructions(cmp_addr, jnz_target)
# 跳过已修补的指令
addr = next_addr + get_item_size(next_addr)
continue
# 前进到下一条指令
addr += get_item_size(addr)
def main():
# 获取当前段的起始和结束地址
segment_start = get_segm_start(here())
segment_end = get_segm_end(here())
# 处理段中的代码
process_segment(segment_start, segment_end)
if __name__ == "__main__":
main()
from idc import *
from idaapi import *
from idautils import *
def patch_instructions(start_addr, end_addr):
"""
将起始地址到结束地址之间的所有指令都替换为 NOP。
"""
for addr in range(start_addr, end_addr):
patch_byte(addr, 0x90) # 0x90 是 NOP 的操作码
def process_segment(segment_start, segment_end):
addr = segment_start
while addr < segment_end:
# 打印当前指令的助记符
mnem = print_insn_mnem(addr)
# 判断是否是我们需要的 cmp 指令
if mnem == "cmp":
cmp_addr = addr
next_addr = addr + get_item_size(addr)
# 检查接下来的指令是否是 jnz, jz, jbe
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jnz":
jnz_addr = next_addr
jnz_target = get_operand_value(jnz_addr, 0)
next_addr += get_item_size(next_addr)
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jz":
jz_addr = next_addr
next_addr += get_item_size(next_addr)
mnem_next = print_insn_mnem(next_addr)
if mnem_next == "jbe":
jbe_addr = next_addr
print('%08x\t'%cmp_addr,idc.GetDisasm(cmp_addr))
# 修补从 cmp 到 jnz 的目标地址之间的所有指令
patch_instructions(cmp_addr, jnz_target)
# 跳过已修补的指令
addr = next_addr + get_item_size(next_addr)
continue
# 前进到下一条指令
addr += get_item_size(addr)
def main():
# 获取当前段的起始和结束地址
segment_start = get_segm_start(here())
segment_end = get_segm_end(here())
# 处理段中的代码
process_segment(segment_start, segment_end)
if __name__ == "__main__":
main()
__int64 sub_44()
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
CreateToolhelp32Snapshot = (__int64 (__fastcall *)(__int64, _QWORD))find_api_func_5D8(0xF88DDF46);
OpenProcess = find_api_func_5D8(0xFD0B55A7);
// VirtualQueryEx
VirtualQueryEx = (__int64 (__fastcall *)(__int64, char *, MEMORY_BASIC_INFORMATION *, __int64))find_api_func_5D8(0x242E6FF);
// Process32First
Process32First = (__int64 (__fastcall *)(__int64, int *))find_api_func_5D8(0x3F347695);
// Process32Next
Process32Next = find_api_func_5D8(0x93E12339);
// CloseHandle
CloseHandle = (void (__fastcall *)(__int64))find_api_func_5D8(0x1CA655F1);
// GetCurrentProcessId
GetCurrentProcessId = (void (*)(void))find_api_func_5D8(0x35634E1);
v4 = 0i64;
v15 = 0x238;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if ( v6 == 0xFFFFFFFFFFFFFFFFui64 )
return 0xFFFFFFFFi64;
v9 = Process32First(v6, &v15);
OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
for ( i = (__int64 (__fastcall *)(__int64, int *))Process32Next; v9; v9 = i(v7, &v15) )
{
if ( v16 == ((unsigned int (*)(void))GetCurrentProcessId)() )
{
v4 = OpenProcess1(0x2000000i64, 0i64, v16);
if ( v4 )
{
v12 = 0i64;
// SIZE_T VirtualQueryEx(
// [in] HANDLE hProcess,
// [in, optional] LPCVOID lpAddress,
// [out] PMEMORY_BASIC_INFORMATION lpBuffer,
// [in] SIZE_T dwLength
// );
while ( VirtualQueryEx(v4, v12, &v14, 0x30i64) )
{
v12 = (char *)v14.BaseAddress + *(_QWORD *)&v14.State;
if ( v14.Type == MEM_COMMIT && v14.AllocationProtect == PAGE_EXECUTE_READWRITE )
{
GetCurrentProcessId();
v5 = sub_6A4(*(unsigned int *)v14.BaseAddress);
BaseAddress = v14.BaseAddress;
if ( v5 )
{
if ( check_6E4((char *)v14.BaseAddress + 4) )
{
// 成功
*BaseAddress = 0x69;
BaseAddress[1] = 0x6F;
BaseAddress[2] = 0x20;
}
else
{
*BaseAddress = 0x6D;
BaseAddress[1] = 0x6A;
BaseAddress[2] = 0x29;
}
BaseAddress[3] = 0;
break;
}
*(_BYTE *)v14.BaseAddress = 0x6D;
BaseAddress[1] = 0x6A;
BaseAddress[2] = 0x29;
BaseAddress[3] = 0;
}
}
OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
i = (__int64 (__fastcall *)(__int64, int *))Process32Next;
}
if ( v5 )
break;
}
}
CloseHandle(v7);
return ((__int64 (__fastcall *)(__int64))CloseHandle)(v4);
}__int64 sub_44()
{ // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
CreateToolhelp32Snapshot = (__int64 (__fastcall *)(__int64, _QWORD))find_api_func_5D8(0xF88DDF46);
OpenProcess = find_api_func_5D8(0xFD0B55A7);
// VirtualQueryEx
VirtualQueryEx = (__int64 (__fastcall *)(__int64, char *, MEMORY_BASIC_INFORMATION *, __int64))find_api_func_5D8(0x242E6FF);
// Process32First
Process32First = (__int64 (__fastcall *)(__int64, int *))find_api_func_5D8(0x3F347695);
// Process32Next
Process32Next = find_api_func_5D8(0x93E12339);
// CloseHandle
CloseHandle = (void (__fastcall *)(__int64))find_api_func_5D8(0x1CA655F1);
// GetCurrentProcessId
GetCurrentProcessId = (void (*)(void))find_api_func_5D8(0x35634E1);
v4 = 0i64;
v15 = 0x238;
v5 = 0;
v6 = CreateToolhelp32Snapshot(2i64, 0i64);
v7 = v6;
if ( v6 == 0xFFFFFFFFFFFFFFFFui64 )
return 0xFFFFFFFFi64;
v9 = Process32First(v6, &v15);
OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
for ( i = (__int64 (__fastcall *)(__int64, int *))Process32Next; v9; v9 = i(v7, &v15) )
{
if ( v16 == ((unsigned int (*)(void))GetCurrentProcessId)() )
{
v4 = OpenProcess1(0x2000000i64, 0i64, v16);
if ( v4 )
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
|
|
|---|---|
|
|
他的文章
- [原创]KCTF 2024 第十题 试探 1977
- KCTF2023第五题 争分夺秒 9500
- KCTF2022第三题 石像病毒 7282
- [原创]KCTF2021春季赛第四题 英雄救美 10008
- [原创] 第五题:魅影舞姬 3192
赞赏
雪币:
留言:
