
[原创]KCTF 2024 第十题 试探


011110202122

"kctf" + 输入 + shellcode(大小 0xED3,位于 140006050),写入到 ZwAllocateVirtualMemory 分配的 PAGE_EXECUTE_READWRITE 内存中

创建2个线程,线程1输出校验结果,线程2自注入(Tartarus-TpAllocInject)shellcode进行验证

输出结果

Tartarus-TpAllocInject自注入,执行shellcode

+44h 处开始,2Ah 替换为0

jcc混淆

去混淆脚本

反编译结果

1、输入转换 hexstr_to_dight,转换成3x3 坐标

2、从(0,0)开始,根据坐标选取number_table中的数字,每次与上一次的位置进行交换

3、交换排序后为1-8

// Crackme entry point (IDA pseudocode; the listing is truncated after the second
// _beginthreadex call, so the closing brace and any join/cleanup are not shown).
// Visible flow: read the key into Src, build "kctf" + key into a std::string,
// resolve ntdll exports by XOR-decoded names, allocate PAGE_EXECUTE_READWRITE memory
// through an indirect syscall to ZwAllocateVirtualMemory, copy "kctf"+key and the
// 0xED3-byte blob at data_140006050 into it, then start thread1_140001530 and
// thread2_1400012C0.  The _Myres/_Mysize/u._Ptr fields are the MSVC std::string
// SSO layout: _Myres >= 0x10 means the characters live on the heap.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  // Src: receives the user key; built with size 0x14 (presumably a 20-char fill
  // constructor -- confirm against string_140001DE0).
  Src.u._Ptr = 0i64;
  Src._Myres = 0xFi64;
  Src._Mysize = 0i64;
  string_140001DE0(&Src, 0x14ui64, (__int64)envp, 0x14ui64);
  // v49: obfuscated prompt literal (0x16 bytes), decoded below with xor1_1400043BC.
  v49.u._Ptr = 0i64;
  v49._Mysize = 0i64;
  v49._Myres = 0xFi64;
  string_140001CA0(&v49, 0x16ui64, v3, "Ummdrm%dfqdz%xgps(ndq?");
  // SSO: pick the inline buffer or the heap pointer.
  Ptr = &v49;
  if ( v49._Myres >= 0x10 )
    Ptr = (std_string *)v49.u._Ptr;
  // Please enter your key:
  v5 = (const char *)str_xor_140001FC0((__int64)Ptr, v49._Mysize, xor1_1400043BC);
  printf_5(v5);
  p_Src = &Src;
  if ( Src._Myres >= 0x10 )
    p_Src = (std_string *)Src.u._Ptr;
  // NOTE(review): "%s" carries no length bound and the third argument is not a
  // width (scanf ignores it), so a key longer than Src's 0x14-byte buffer overruns it.
  scanf("%s", p_Src, Src._Mysize);
  // 4-byte obfuscated literal 0x637C626E ("nb|c" little-endian), XOR-decoded to "kctf".
  kctf._Myres = 0xFi64;
  kctf._Mysize = 4i64;
  *(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
  // kctf
  v7 = str_xor_140001FC0((__int64)&kctf, 4, xor1_1400043BC);
  kctf_ = (const void *)v7;
  // Inlined strlen of the decoded prefix.
  kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
  do
    ++kctf_sz;
  while ( *(_BYTE *)(v7 + kctf_sz) );
  Mysize = Src._Mysize;
  // std::string max_size overflow check; sub_140001280 is presumably the throw helper.
  if ( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74:
    sub_140001280();
  input = &Src;
  if ( Src._Myres >= 0x10 )
    input = (std_string *)Src.u._Ptr;
  // v52[0]/v53/v54 = ptr/size/capacity of a third std::string holding "kctf" + key.
  // Everything down to LABEL_24 is the inlined allocator: stay in the 0xF-byte SSO
  // buffer when it fits, otherwise operator new with capacity rounded up (|0xF, min
  // 0x16); requests of 0x1000 bytes or more take the over-aligned path (32-byte
  // aligned block, raw pointer stashed in the qword just before it).
  v52[0] = 0i64;
  v53 = 0i64;
  v54 = 0i64;
  v12 = Src._Mysize + kctf_sz;
  v13 = 0xFi64;
  input_data = (char *)v52;
  if ( Src._Mysize + kctf_sz > 0xF )
  {
    v15 = Src._Mysize + kctf_sz;
    if ( v12 < 0x10 )
      v15 = 0x10i64;
    v13 = v15 | 0xF;
    if ( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
    {
      if ( v13 < 0x16 )
        v13 = 0x16i64;
      if ( v13 + 1 < 0x1000 )
      {
        input_data = (char *)operator new(v13 + 1);
LABEL_23:
        v52[0] = input_data;
        goto LABEL_24;
      }
      // Over-aligned path: 0x28 extra bytes for alignment slack + back-pointer.
      v16 = v13 + 0x28;
      if ( v13 + 0x28 <= v13 + 1 )
        hkThreadLocalBlockStreamAllocator::clear();
    }
    else
    {
      v13 = 0x7FFFFFFFFFFFFFFFi64;
      v16 = 0x8000000000000027ui64;
    }
    v17 = operator new(v16);
    if ( !v17 )
      goto LABEL_54;
    input_data = (char *)(((unsigned __int64)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
    // index -1 rendered as 0xFFFFFFFF by the decompiler: store the raw block pointer
    // just before the aligned start so it can be freed later.
    *((_QWORD *)input_data + 0xFFFFFFFF) = v17;
    goto LABEL_23;
  }
LABEL_24:
  v53 = Mysize + kctf_sz;
  v54 = v13;
  memcpy(input_data, kctf_, kctf_sz);
  memcpy(&input_data[kctf_sz], input, Mysize);
  input_data[v12] = 0;
  // Obfuscated "ntdll.dll" (9 bytes) -> GetModuleHandleA.
  v48 = 0xFi64;
  v47 = 9i64;
  strcpy((char *)v46, "kulim&amd");
  // ntdll.dll
  ntdll_dll = (const CHAR *)str_xor_140001FC0((__int64)v46, 9, xor1_1400043BC);
  ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
  // Obfuscated "NtAddBootEntry" (0xE bytes).  Its export address + 0x12 becomes the
  // syscall gadget for the indirect-syscall stub -- presumably the `syscall; ret`
  // inside that export's stub; confirm against the ntdll build.
  v43 = 0xFi64;
  v42 = 0xEi64;
  strcpy((char *)Block, "KuIaeJjn|@o|wx");
  // NtAddBootEntry
  v20 = (const CHAR *)str_xor_140001FC0((__int64)Block, 0xE, xor1_1400043BC);
  syscall_adr_1400075B8 = (__int64)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
  // CreateEventA(NULL, bManualReset=0, bInitialState=1, NULL): auto-reset event that
  // starts signaled; thread2 binds its thread-pool wait to it.
  event_1400075B0 = (__int64)CreateEventA(0i64, 0, 1, 0i64);
  input_data_sz = v53;
  // Region size = len("kctf"+key) + 0xED4 (one NUL plus the 0xED3-byte blob).
  v51 = v53 + 0xED4;
  // Look up the SSN of ZwAllocateVirtualMemory and wire it to the gadget above.
  get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (__int64)str_ZwAllocateVirtualMemory_);
  set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
  // ZwAllocateVirtualMemory
  // (ProcessHandle=-1 current process, &BaseAddress, ZeroBits=0, &RegionSize,
  //  AllocationType=0x1000 MEM_COMMIT, Protect=PAGE_EXECUTE_READWRITE).
  call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
  // SSO pointer selection for the "kctf"+key string; v24/v25/v26 are dead temporaries.
  v23 = v52;
  v24 = v54;
  v25 = v54 >= 0x10;
  v26 = (char *)v52[0];
  if ( v54 >= 0x10 )
    v23 = (void **)v52[0];
  addr_ = (_BYTE *)addr_1400075C0;
  v28 = input_data_sz;
  // Byte-copy "kctf"+key to the start of the RWX region; addr_ is reset to the base afterwards.
  if ( input_data_sz )
  {
    do
    {
      *addr_++ = *(_BYTE *)v23;
      v23 = (void **)((char *)v23 + 1);
      --v28;
    }
    while ( v28 );
    addr_ = (_BYTE *)addr_1400075C0;
  }
  // 0x19
  // The blob lands right after the NUL that terminates the key (base + len + 1);
  // index2_1400075AC records that offset so thread2 can find it.
  v29 = &addr_[input_data_sz + 1];
  v30 = data_140006050;
  v31 = 0xED3i64;
  do
  {
      // write the shellcode blob (0xED3 bytes)
    *v29++ = *(_BYTE *)v30;
    v30 = (__int64 (__fastcall *)())((char *)v30 + 1);
    --v31;
  }
  while ( v31 );
  index2_1400075AC = input_data_sz + 1;
  // Both threads go through std::thread's _Invoke trampoline; v32/v33 are the
  // heap-allocated tuple<void(*)()> each thread receives as its argument.
  v32 = (int (**)())operator new(8ui64);
  *v32 = thread1_140001530;
  v55._Hnd = v32;
  if ( !beginthreadex(
          0i64,
          0,
          (_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
          v32,
          0,
          &ThrdAddr) )
    goto LABEL_73;
  v33 = (void (**)())operator new(8ui64);
  *v33 = thread2_1400012C0;
  v55._Hnd = v33;
  *(_QWORD *)v45 = beginthreadex(
                     0i64,
                     0,
                     (_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
                     v33,
                     0,
                     &v45[2]);
// Crackme entry point (IDA pseudocode; the listing is truncated after the second
// _beginthreadex call, so the closing brace and any join/cleanup are not shown).
// Visible flow: read the key into Src, build "kctf" + key into a std::string,
// resolve ntdll exports by XOR-decoded names, allocate PAGE_EXECUTE_READWRITE memory
// through an indirect syscall to ZwAllocateVirtualMemory, copy "kctf"+key and the
// 0xED3-byte blob at data_140006050 into it, then start thread1_140001530 and
// thread2_1400012C0.  The _Myres/_Mysize/u._Ptr fields are the MSVC std::string
// SSO layout: _Myres >= 0x10 means the characters live on the heap.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  // Src: receives the user key; built with size 0x14 (presumably a 20-char fill
  // constructor -- confirm against string_140001DE0).
  Src.u._Ptr = 0i64;
  Src._Myres = 0xFi64;
  Src._Mysize = 0i64;
  string_140001DE0(&Src, 0x14ui64, (__int64)envp, 0x14ui64);
  // v49: obfuscated prompt literal (0x16 bytes), decoded below with xor1_1400043BC.
  v49.u._Ptr = 0i64;
  v49._Mysize = 0i64;
  v49._Myres = 0xFi64;
  string_140001CA0(&v49, 0x16ui64, v3, "Ummdrm%dfqdz%xgps(ndq?");
  // SSO: pick the inline buffer or the heap pointer.
  Ptr = &v49;
  if ( v49._Myres >= 0x10 )
    Ptr = (std_string *)v49.u._Ptr;
  // Please enter your key:
  v5 = (const char *)str_xor_140001FC0((__int64)Ptr, v49._Mysize, xor1_1400043BC);
  printf_5(v5);
  p_Src = &Src;
  if ( Src._Myres >= 0x10 )
    p_Src = (std_string *)Src.u._Ptr;
  // NOTE(review): "%s" carries no length bound and the third argument is not a
  // width (scanf ignores it), so a key longer than Src's 0x14-byte buffer overruns it.
  scanf("%s", p_Src, Src._Mysize);
  // 4-byte obfuscated literal 0x637C626E ("nb|c" little-endian), XOR-decoded to "kctf".
  kctf._Myres = 0xFi64;
  kctf._Mysize = 4i64;
  *(_QWORD *)kctf.u._Buf = 0x637C626Ei64;
  // kctf
  v7 = str_xor_140001FC0((__int64)&kctf, 4, xor1_1400043BC);
  kctf_ = (const void *)v7;
  // Inlined strlen of the decoded prefix.
  kctf_sz = 0xFFFFFFFFFFFFFFFFui64;
  do
    ++kctf_sz;
  while ( *(_BYTE *)(v7 + kctf_sz) );
  Mysize = Src._Mysize;
  // std::string max_size overflow check; sub_140001280 is presumably the throw helper.
  if ( 0x7FFFFFFFFFFFFFFFi64 - Src._Mysize < kctf_sz )
LABEL_74:
    sub_140001280();
  input = &Src;
  if ( Src._Myres >= 0x10 )
    input = (std_string *)Src.u._Ptr;
  // v52[0]/v53/v54 = ptr/size/capacity of a third std::string holding "kctf" + key.
  // Everything down to LABEL_24 is the inlined allocator: stay in the 0xF-byte SSO
  // buffer when it fits, otherwise operator new with capacity rounded up (|0xF, min
  // 0x16); requests of 0x1000 bytes or more take the over-aligned path (32-byte
  // aligned block, raw pointer stashed in the qword just before it).
  v52[0] = 0i64;
  v53 = 0i64;
  v54 = 0i64;
  v12 = Src._Mysize + kctf_sz;
  v13 = 0xFi64;
  input_data = (char *)v52;
  if ( Src._Mysize + kctf_sz > 0xF )
  {
    v15 = Src._Mysize + kctf_sz;
    if ( v12 < 0x10 )
      v15 = 0x10i64;
    v13 = v15 | 0xF;
    if ( v13 <= 0x7FFFFFFFFFFFFFFFi64 )
    {
      if ( v13 < 0x16 )
        v13 = 0x16i64;
      if ( v13 + 1 < 0x1000 )
      {
        input_data = (char *)operator new(v13 + 1);
LABEL_23:
        v52[0] = input_data;
        goto LABEL_24;
      }
      // Over-aligned path: 0x28 extra bytes for alignment slack + back-pointer.
      v16 = v13 + 0x28;
      if ( v13 + 0x28 <= v13 + 1 )
        hkThreadLocalBlockStreamAllocator::clear();
    }
    else
    {
      v13 = 0x7FFFFFFFFFFFFFFFi64;
      v16 = 0x8000000000000027ui64;
    }
    v17 = operator new(v16);
    if ( !v17 )
      goto LABEL_54;
    input_data = (char *)(((unsigned __int64)v17 + 0x27) & 0xFFFFFFFFFFFFFFE0ui64);
    // index -1 rendered as 0xFFFFFFFF by the decompiler: store the raw block pointer
    // just before the aligned start so it can be freed later.
    *((_QWORD *)input_data + 0xFFFFFFFF) = v17;
    goto LABEL_23;
  }
LABEL_24:
  v53 = Mysize + kctf_sz;
  v54 = v13;
  memcpy(input_data, kctf_, kctf_sz);
  memcpy(&input_data[kctf_sz], input, Mysize);
  input_data[v12] = 0;
  // Obfuscated "ntdll.dll" (9 bytes) -> GetModuleHandleA.
  v48 = 0xFi64;
  v47 = 9i64;
  strcpy((char *)v46, "kulim&amd");
  // ntdll.dll
  ntdll_dll = (const CHAR *)str_xor_140001FC0((__int64)v46, 9, xor1_1400043BC);
  ntdll_dll_ModuleHandleA = GetModuleHandleA(ntdll_dll);
  // Obfuscated "NtAddBootEntry" (0xE bytes).  Its export address + 0x12 becomes the
  // syscall gadget for the indirect-syscall stub -- presumably the `syscall; ret`
  // inside that export's stub; confirm against the ntdll build.
  v43 = 0xFi64;
  v42 = 0xEi64;
  strcpy((char *)Block, "KuIaeJjn|@o|wx");
  // NtAddBootEntry
  v20 = (const CHAR *)str_xor_140001FC0((__int64)Block, 0xE, xor1_1400043BC);
  syscall_adr_1400075B8 = (__int64)GetProcAddress(ntdll_dll_ModuleHandleA, v20) + 0x12;
  // CreateEventA(NULL, bManualReset=0, bInitialState=1, NULL): auto-reset event that
  // starts signaled; thread2 binds its thread-pool wait to it.
  event_1400075B0 = (__int64)CreateEventA(0i64, 0, 1, 0i64);
  input_data_sz = v53;
  // Region size = len("kctf"+key) + 0xED4 (one NUL plus the 0xED3-byte blob).
  v51 = v53 + 0xED4;
  // Look up the SSN of ZwAllocateVirtualMemory and wire it to the gadget above.
  get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll_dll_ModuleHandleA, v22, (__int64)str_ZwAllocateVirtualMemory_);
  set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
  // ZwAllocateVirtualMemory
  // (ProcessHandle=-1 current process, &BaseAddress, ZeroBits=0, &RegionSize,
  //  AllocationType=0x1000 MEM_COMMIT, Protect=PAGE_EXECUTE_READWRITE).
  call_syscall_140002533(0xFFFFFFFFFFFFFFFFui64, &addr_1400075C0, 0i64, &v51, 0x1000, PAGE_EXECUTE_READWRITE);
  // SSO pointer selection for the "kctf"+key string; v24/v25/v26 are dead temporaries.
  v23 = v52;
  v24 = v54;
  v25 = v54 >= 0x10;
  v26 = (char *)v52[0];
  if ( v54 >= 0x10 )
    v23 = (void **)v52[0];
  addr_ = (_BYTE *)addr_1400075C0;
  v28 = input_data_sz;
  // Byte-copy "kctf"+key to the start of the RWX region; addr_ is reset to the base afterwards.
  if ( input_data_sz )
  {
    do
    {
      *addr_++ = *(_BYTE *)v23;
      v23 = (void **)((char *)v23 + 1);
      --v28;
    }
    while ( v28 );
    addr_ = (_BYTE *)addr_1400075C0;
  }
  // 0x19
  // The blob lands right after the NUL that terminates the key (base + len + 1);
  // index2_1400075AC records that offset so thread2 can find it.
  v29 = &addr_[input_data_sz + 1];
  v30 = data_140006050;
  v31 = 0xED3i64;
  do
  {
      // write the shellcode blob (0xED3 bytes)
    *v29++ = *(_BYTE *)v30;
    v30 = (__int64 (__fastcall *)())((char *)v30 + 1);
    --v31;
  }
  while ( v31 );
  index2_1400075AC = input_data_sz + 1;
  // Both threads go through std::thread's _Invoke trampoline; v32/v33 are the
  // heap-allocated tuple<void(*)()> each thread receives as its argument.
  v32 = (int (**)())operator new(8ui64);
  *v32 = thread1_140001530;
  v55._Hnd = v32;
  if ( !beginthreadex(
          0i64,
          0,
          (_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
          v32,
          0,
          &ThrdAddr) )
    goto LABEL_73;
  v33 = (void (**)())operator new(8ui64);
  *v33 = thread2_1400012C0;
  v55._Hnd = v33;
  *(_QWORD *)v45 = beginthreadex(
                     0i64,
                     0,
                     (_beginthreadex_proc_type)std::thread::_Invoke<std::tuple<void (__cdecl *)(void)>,0>,
                     v33,
                     0,
                     &v45[2]);
// Result-printing thread.  Spins (10 ms sleeps) while the first byte of the RWX
// region is still 'k' -- the "kctf" prefix main wrote there -- i.e. until the
// injected code has overwritten it with its verdict.  The verdict's first byte
// selects the XOR key (0x69 -> ok_key, anything else -> no_key); the 3 bytes are
// decoded with str_xor and printed.  The byte patterns listed in the comments
// below are the ones sub_44 writes.
int thread1_140001530()
{
  __int64 v0; // rcx
  char i; // al
  char *k; // r8
  const char *v3; // rax
 
  v0 = addr_1400075C0;
  // Busy-wait on a global written by another thread with no synchronization
  // visible here; termination depends on the verdict being written eventually.
  for ( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 == 'k'; i = *(_BYTE *)addr_1400075C0 )
  {
    Sleep(0xAu);
    v0 = addr_1400075C0;
  }
  // ok!:
  //                 *BaseAddress = 0x69;
  //                 BaseAddress[1] = 0x6F;
  //                 BaseAddress[2] = 0x20;
  //                
  // no!:
 
  //                 *BaseAddress = 0x6D;
  //                 BaseAddress[1] = 0x6A;
  //                 BaseAddress[2] = 0x29;
  k = (char *)&ok_key_1400043F8;
  if ( i != 0x69 )
    // no!
    k = (char *)&no_key_1400043FC;
  // ok!
  // Decode the 3 verdict bytes in place with the chosen key and print them.
  v3 = (const char *)str_xor_140001FC0(v0, 3, k);
  return printf_5(v3);
}
// Result-printing thread.  Spins (10 ms sleeps) while the first byte of the RWX
// region is still 'k' -- the "kctf" prefix main wrote there -- i.e. until the
// injected code has overwritten it with its verdict.  The verdict's first byte
// selects the XOR key (0x69 -> ok_key, anything else -> no_key); the 3 bytes are
// decoded with str_xor and printed.  The byte patterns listed in the comments
// below are the ones sub_44 writes.
int thread1_140001530()
{
  __int64 v0; // rcx
  char i; // al
  char *k; // r8
  const char *v3; // rax
 
  v0 = addr_1400075C0;
  // Busy-wait on a global written by another thread with no synchronization
  // visible here; termination depends on the verdict being written eventually.
  for ( i = *(_BYTE *)addr_1400075C0; *(_BYTE *)addr_1400075C0 == 'k'; i = *(_BYTE *)addr_1400075C0 )
  {
    Sleep(0xAu);
    v0 = addr_1400075C0;
  }
  // ok!:
  //                 *BaseAddress = 0x69;
  //                 BaseAddress[1] = 0x6F;
  //                 BaseAddress[2] = 0x20;
  //                
  // no!:
 
  //                 *BaseAddress = 0x6D;
  //                 BaseAddress[1] = 0x6A;
  //                 BaseAddress[2] = 0x29;
  k = (char *)&ok_key_1400043F8;
  if ( i != 0x69 )
    // no!
    k = (char *)&no_key_1400043FC;
  // ok!
  // Decode the 3 verdict bytes in place with the chosen key and print them.
  v3 = (const char *)str_xor_140001FC0(v0, 3, k);
  return printf_5(v3);
}
// Self-injection thread (the author points at nettitude's Tartarus TpAllocInject).
// Resolves TpAllocWait/TpSetWait from ntdll by XOR-decoded names, creates a
// thread-pool wait object whose callback is the blob at addr_1400075C0 + index2,
// binds it to event_1400075B0 (created already signaled in main, so the pool
// presumably fires the callback without any further trigger), then parks this
// thread in NtWaitForSingleObject through the indirect-syscall stub.  The listing
// is truncated -- no closing brace is shown.  From a detection standpoint the
// observable artifact is a TP wait callback whose address resolves to private
// RWX memory rather than to a loaded image.
void thread2_1400012C0()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  // v10 receives the TP_WAIT* out-parameter of TpAllocWait.
  v10 = 0i64;
  // Obfuscated "ntdll.dll" (9 bytes).
  v15 = 0xFi64;
  v14 = 9i64;
  strcpy((char *)v13, "kulim&amd");
  // ntdll.dll
  v0 = (const CHAR *)str_xor_140001FC0((__int64)v13, 9, xor1_1400043BC);
  ntdll = GetModuleHandleA(v0);
  // Obfuscated "TpAllocWait" (0xB bytes).
  v11._Myres = 0xFi64;
  v11._Mysize = 0xBi64;
  strcpy(v11.u._Buf, "QqIimgfVilu");
  // TpAllocWait
  v2 = (const CHAR *)str_xor_140001FC0((__int64)&v11, 0xB, xor1_1400043BC);
  TpAllocWait = GetProcAddress(ntdll, v2);
  // TpAllocWait(&wait, callback = base + index2 (the blob), context = 0, environment = 0).
  // index2 is truncated to 32 bits here; harmless for the sizes main produces.
  ((void (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD))TpAllocWait)(
    &v10,
    addr_1400075C0 + (unsigned int)index2_1400075AC,
    0i64,
    0i64);
  // Obfuscated "TpSetWait" (9 bytes).
  Block._Myres = 0xFi64;
  Block._Mysize = 9i64;
  strcpy(Block.u._Buf, "Qq[`u_dh|");
  // TpSetWait
  v4 = (const CHAR *)str_xor_140001FC0((__int64)&Block, 9, xor1_1400043BC);
  TpSetWait = GetProcAddress(ntdll, v4);
  // TpSetWait(wait, handle = the event from main, timeout = 0).
  ((void (__fastcall *)(__int64, __int64, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
  //like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
  // Obfuscated "NtWaitForSingleObject": look up its SSN and reuse the stub/gadget set up in main.
  get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (__int64)"Or_`o|GizRoffjmNdbde|");
  set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
  // NtWaitForSingleObject
  // (Handle = event, Alertable = 0, Timeout = NULL -> blocks indefinitely).
  call_syscall_140002533(event_1400075B0, 0i64, 0i64);
// Self-injection thread (the author points at nettitude's Tartarus TpAllocInject).
// Resolves TpAllocWait/TpSetWait from ntdll by XOR-decoded names, creates a
// thread-pool wait object whose callback is the blob at addr_1400075C0 + index2,
// binds it to event_1400075B0 (created already signaled in main, so the pool
// presumably fires the callback without any further trigger), then parks this
// thread in NtWaitForSingleObject through the indirect-syscall stub.  The listing
// is truncated -- no closing brace is shown.  From a detection standpoint the
// observable artifact is a TP wait callback whose address resolves to private
// RWX memory rather than to a loaded image.
void thread2_1400012C0()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  // v10 receives the TP_WAIT* out-parameter of TpAllocWait.
  v10 = 0i64;
  // Obfuscated "ntdll.dll" (9 bytes).
  v15 = 0xFi64;
  v14 = 9i64;
  strcpy((char *)v13, "kulim&amd");
  // ntdll.dll
  v0 = (const CHAR *)str_xor_140001FC0((__int64)v13, 9, xor1_1400043BC);
  ntdll = GetModuleHandleA(v0);
  // Obfuscated "TpAllocWait" (0xB bytes).
  v11._Myres = 0xFi64;
  v11._Mysize = 0xBi64;
  strcpy(v11.u._Buf, "QqIimgfVilu");
  // TpAllocWait
  v2 = (const CHAR *)str_xor_140001FC0((__int64)&v11, 0xB, xor1_1400043BC);
  TpAllocWait = GetProcAddress(ntdll, v2);
  // TpAllocWait(&wait, callback = base + index2 (the blob), context = 0, environment = 0).
  // index2 is truncated to 32 bits here; harmless for the sizes main produces.
  ((void (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD))TpAllocWait)(
    &v10,
    addr_1400075C0 + (unsigned int)index2_1400075AC,
    0i64,
    0i64);
  // Obfuscated "TpSetWait" (9 bytes).
  Block._Myres = 0xFi64;
  Block._Mysize = 9i64;
  strcpy(Block.u._Buf, "Qq[`u_dh|");
  // TpSetWait
  v4 = (const CHAR *)str_xor_140001FC0((__int64)&Block, 9, xor1_1400043BC);
  TpSetWait = GetProcAddress(ntdll, v4);
  // TpSetWait(wait, handle = the event from main, timeout = 0).
  ((void (__fastcall *)(__int64, __int64, _QWORD))TpSetWait)(v10, event_1400075B0, 0i64);
  //like https://github.com/nettitude/Tartarus-TpAllocInject/blob/main/TpAllocInjection/TpAllocInjection.cpp
  // Obfuscated "NtWaitForSingleObject": look up its SSN and reuse the stub/gadget set up in main.
  get_ssn_140002160((_IMAGE_DOS_HEADER *)ntdll, v6, (__int64)"Or_`o|GizRoffjmNdbde|");
  set_syscall_stub_140002510(xx_ssn_1400075A8, (__int64 (*)(void))syscall_adr_1400075B8);
  // NtWaitForSingleObject
  // (Handle = event, Alertable = 0, Timeout = NULL -> blocks indefinitely).
  call_syscall_140002533(event_1400075B0, 0i64, 0i64);
$+21             000 | FFC0                 | inc eax                               |
$+23             000 | 5F                   | pop rdi                               |
$+24             000 | B9 A60F0101          | mov ecx,1010FA6                       |
$+29             000 | 81F1 01010101        | xor ecx,1010101                       |
$+2F             000 | 48:83C7 22           | add rdi,22                            |
$+33             000 | 33F6                 | xor esi,esi                           |
$+35             000 | FC                   | cld                                   |
$+36             000 | 8A07                 | mov al,byte ptr ds:[rdi]              |;offset +0x44
$+38             000 | 3C 2A                | cmp al,2A                             | 2A:'*'
$+3A             000 | 0F44C6               | cmove eax,esi                         |;后续中2Ah 替换为0
$+3D             000 | AA                   | stosb                                 |
$+3E             000 | E2 F6                | loop 4B0036                           |
$+40             000 | 5F                   | pop rdi                               |
$+41             000 | 58                   | pop rax                               |
$+42             000 | 59                   | pop rcx                               |
$+43             000 | 5E                   | pop rsi                               |
$+21             000 | FFC0                 | inc eax                               |
$+23             000 | 5F                   | pop rdi                               |
$+24             000 | B9 A60F0101          | mov ecx,1010FA6                       |
$+29             000 | 81F1 01010101        | xor ecx,1010101                       |
$+2F             000 | 48:83C7 22           | add rdi,22                            |
$+33             000 | 33F6                 | xor esi,esi                           |
$+35             000 | FC                   | cld                                   |
$+36             000 | 8A07                 | mov al,byte ptr ds:[rdi]              |;offset +0x44
$+38             000 | 3C 2A                | cmp al,2A                             | 2A:'*'
$+3A             000 | 0F44C6               | cmove eax,esi                         |;后续中2Ah 替换为0
$+3D             000 | AA                   | stosb                                 |
$+3E             000 | E2 F6                | loop 4B0036                           |
$+40             000 | 5F                   | pop rdi                               |
$+41             000 | 58                   | pop rax                               |
$+42             000 | 59                   | pop rcx                               |
$+43             000 | 5E                   | pop rsi                               |
$+57             000 | 83FE F5              | cmp esi,FFFFFFF5                      |
$+5A             000 | 75 0D                | jne 4B0069                            |;必跳转
$+5C             000 | 74 08                | je 4B0066                             |;垃圾数据
$+5E             000 | 76 0D                | jbe 4B006D                            |
$+60             000 | EB E2                | jmp 4B0044                            |
$+62             000 | FD                   | std                                   |
$+63             000 | EB 1F                | jmp 4B0084                            |
$+65             000 | 3E:1C EB             | sbb al,EB                             |
$+68             000 | EB B9                | jmp 4B0023                            |
$+57             000 | 83FE F5              | cmp esi,FFFFFFF5                      |
$+5A             000 | 75 0D                | jne 4B0069                            |;必跳转
$+5C             000 | 74 08                | je 4B0066                             |;垃圾数据
$+5E             000 | 76 0D                | jbe 4B006D                            |
$+60             000 | EB E2                | jmp 4B0044                            |
$+62             000 | FD                   | std                                   |
$+63             000 | EB 1F                | jmp 4B0084                            |
$+65             000 | 3E:1C EB             | sbb al,EB                             |
$+68             000 | EB B9                | jmp 4B0023                            |
$+69             000 | B9 46DF8DF8          | mov ecx,F88DDF46                      |
$+6E             000 | E8 65050000          | call 4B05D8                           |
$+73             000 | 48:8BD8              | mov rbx,rax                           |
$+69             000 | B9 46DF8DF8          | mov ecx,F88DDF46                      |
$+6E             000 | E8 65050000          | call 4B05D8                           |
$+73             000 | 48:8BD8              | mov rbx,rax                           |
from idc import *
from idaapi import *
from idautils import *
 
     
 
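def patch_instructions(start_addr, end_addr):
    """Overwrite every byte in [start_addr, end_addr) with NOP (0x90).

    Used to flatten the junk jcc chain between a ``cmp`` and the target of
    its always-taken ``jnz`` so the decompiler sees straight-line code.

    Args:
        start_addr: first address to patch (inclusive).
        end_addr: one past the last address to patch; an empty or reversed
            range patches nothing.
    """
    # The original line lost its closing parenthesis to the trailing comment;
    # 0x90 is the single-byte NOP opcode.
    for addr in range(start_addr, end_addr):
        patch_byte(addr, 0x90)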
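def process_segment(segment_start, segment_end):
    """Scan [segment_start, segment_end) and NOP out the opaque jcc chains.

    The obfuscation pattern is ``cmp`` immediately followed by ``jnz``,
    ``jz``, ``jbe``: the ``jnz`` is always taken and everything between the
    ``cmp`` and its target is junk.  Each match is printed, the bytes from
    the ``cmp`` up to the ``jnz`` target are replaced with NOPs, and the
    scan resumes after the ``jbe``.

    Args:
        segment_start: first address to scan.
        segment_end: end of the scan range (exclusive).
    """
    addr = segment_start
    while addr < segment_end:
        if print_insn_mnem(addr) == "cmp":
            cmp_addr = addr
            jnz_addr = addr + get_item_size(addr)
            if print_insn_mnem(jnz_addr) == "jnz":
                jnz_target = get_operand_value(jnz_addr, 0)
                jz_addr = jnz_addr + get_item_size(jnz_addr)
                if print_insn_mnem(jz_addr) == "jz":
                    jbe_addr = jz_addr + get_item_size(jz_addr)
                    if print_insn_mnem(jbe_addr) == "jbe":
                        # GetDisasm is already in scope via `from idc import *`;
                        # calling it unqualified avoids depending on whether one
                        # of the star imports happens to re-export the `idc` name.
                        print('%08x\t' % cmp_addr, GetDisasm(cmp_addr))
                        patch_instructions(cmp_addr, jnz_target)
                        # skip the instructions just patched
                        addr = jbe_addr + get_item_size(jbe_addr)
                        continue
        # advance to the next instruction
        addr += get_item_size(addr)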
 
def main():
    """Deobfuscate the segment under the cursor.

    Takes the segment containing the current address and runs
    process_segment over its whole [start, end) range.
    """
    cursor = here()
    seg_start = get_segm_start(cursor)
    seg_end = get_segm_end(cursor)
    process_segment(seg_start, seg_end)
 
# Run only when executed as a script inside IDA, not when imported.
if __name__ == "__main__":
    main()
from idc import *
from idaapi import *
from idautils import *
 
     
 
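def patch_instructions(start_addr, end_addr):
    """Overwrite every byte in [start_addr, end_addr) with NOP (0x90).

    Used to flatten the junk jcc chain between a ``cmp`` and the target of
    its always-taken ``jnz`` so the decompiler sees straight-line code.

    Args:
        start_addr: first address to patch (inclusive).
        end_addr: one past the last address to patch; an empty or reversed
            range patches nothing.
    """
    # The original line lost its closing parenthesis to the trailing comment;
    # 0x90 is the single-byte NOP opcode.
    for addr in range(start_addr, end_addr):
        patch_byte(addr, 0x90)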
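def process_segment(segment_start, segment_end):
    """Scan [segment_start, segment_end) and NOP out the opaque jcc chains.

    The obfuscation pattern is ``cmp`` immediately followed by ``jnz``,
    ``jz``, ``jbe``: the ``jnz`` is always taken and everything between the
    ``cmp`` and its target is junk.  Each match is printed, the bytes from
    the ``cmp`` up to the ``jnz`` target are replaced with NOPs, and the
    scan resumes after the ``jbe``.

    Args:
        segment_start: first address to scan.
        segment_end: end of the scan range (exclusive).
    """
    addr = segment_start
    while addr < segment_end:
        if print_insn_mnem(addr) == "cmp":
            cmp_addr = addr
            jnz_addr = addr + get_item_size(addr)
            if print_insn_mnem(jnz_addr) == "jnz":
                jnz_target = get_operand_value(jnz_addr, 0)
                jz_addr = jnz_addr + get_item_size(jnz_addr)
                if print_insn_mnem(jz_addr) == "jz":
                    jbe_addr = jz_addr + get_item_size(jz_addr)
                    if print_insn_mnem(jbe_addr) == "jbe":
                        # GetDisasm is already in scope via `from idc import *`;
                        # calling it unqualified avoids depending on whether one
                        # of the star imports happens to re-export the `idc` name.
                        print('%08x\t' % cmp_addr, GetDisasm(cmp_addr))
                        patch_instructions(cmp_addr, jnz_target)
                        # skip the instructions just patched
                        addr = jbe_addr + get_item_size(jbe_addr)
                        continue
        # advance to the next instruction
        addr += get_item_size(addr)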
 
def main():
    """Deobfuscate the segment under the cursor.

    Takes the segment containing the current address and runs
    process_segment over its whole [start, end) range.
    """
    cursor = here()
    seg_start = get_segm_start(cursor)
    seg_end = get_segm_end(cursor)
    process_segment(seg_start, seg_end)
 
# Run only when executed as a script inside IDA, not when imported.
if __name__ == "__main__":
    main()
// Entry of the injected blob (IDA pseudocode of the 0xED3-byte region; the
// author notes real code starts at +0x44).  Resolves kernel32 exports by hash
// through find_api_func_5D8 (the names on the left are the author's labels),
// snapshots all processes to locate its own PID, opens it and walks its address
// space with VirtualQueryEx.  In the first committed region whose
// AllocationProtect is PAGE_EXECUTE_READWRITE it validates the 4-byte tag
// (sub_6A4) and the key that follows it (check_6E4), then writes a 3-byte
// verdict plus NUL over the tag: 69 6F 20 on success, 6D 6A 29 otherwise.
// thread1 in the host XOR-decodes those bytes into the printed message.
// Returns -1 if the snapshot cannot be taken, else the result of the final CloseHandle.
__int64 sub_44()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  CreateToolhelp32Snapshot = (__int64 (__fastcall *)(__int64, _QWORD))find_api_func_5D8(0xF88DDF46);
  OpenProcess = find_api_func_5D8(0xFD0B55A7);
  // VirtualQueryEx
  VirtualQueryEx = (__int64 (__fastcall *)(__int64, char *, MEMORY_BASIC_INFORMATION *, __int64))find_api_func_5D8(0x242E6FF);
  // Process32First
  Process32First = (__int64 (__fastcall *)(__int64, int *))find_api_func_5D8(0x3F347695);
  // Process32Next
  Process32Next = find_api_func_5D8(0x93E12339);
  // CloseHandle
  CloseHandle = (void (__fastcall *)(__int64))find_api_func_5D8(0x1CA655F1);
  // GetCurrentProcessId
  GetCurrentProcessId = (void (*)(void))find_api_func_5D8(0x35634E1);
  // v4: process handle (0 until opened); v15: PROCESSENTRY32.dwSize = 0x238;
  // v5: "tag matched" flag that also ends the outer loop.
  v4 = 0i64;
  v15 = 0x238;
  v5 = 0;
  // CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, 0)
  v6 = CreateToolhelp32Snapshot(2i64, 0i64);
  v7 = v6;
  if ( v6 == 0xFFFFFFFFFFFFFFFFui64 )
    return 0xFFFFFFFFi64;
  v9 = Process32First(v6, &v15);
  OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
  for ( i = (__int64 (__fastcall *)(__int64, int *))Process32Next; v9; v9 = i(v7, &v15) )
  {
    // v16 is presumably PROCESSENTRY32.th32ProcessID -- confirm the struct offset.
    if ( v16 == ((unsigned int (*)(void))GetCurrentProcessId)() )
    {
      // OpenProcess(0x2000000 = MAXIMUM_ALLOWED, bInheritHandle = 0, pid)
      v4 = OpenProcess1(0x2000000i64, 0i64, v16);
      if ( v4 )
      {
        v12 = 0i64;
        // SIZE_T VirtualQueryEx(
        //   [in]           HANDLE                    hProcess,
        //   [in, optional] LPCVOID                   lpAddress,
        //   [out]          PMEMORY_BASIC_INFORMATION lpBuffer,
        //   [in]           SIZE_T                    dwLength
        // );
        while ( VirtualQueryEx(v4, v12, &v14, 0x30i64) )
        {
          // NOTE(review): the decompiler's field mapping looks shifted -- a region
          // walk normally advances by RegionSize and MEM_COMMIT is a State value,
          // not a Type value.  Verify the MEMORY_BASIC_INFORMATION layout IDA applied.
          v12 = (char *)v14.BaseAddress + *(_QWORD *)&v14.State;
          if ( v14.Type == MEM_COMMIT && v14.AllocationProtect == PAGE_EXECUTE_READWRITE )
          {
            // Result discarded.
            GetCurrentProcessId();
            // Tag check on the first dword of the region (presumably the "kctf" prefix).
            v5 = sub_6A4(*(unsigned int *)v14.BaseAddress);
            BaseAddress = v14.BaseAddress;
            if ( v5 )
            {
              // Key check on the bytes after the 4-byte tag.
              if ( check_6E4((char *)v14.BaseAddress + 4) )
              {
                // success
                *BaseAddress = 0x69;
                BaseAddress[1] = 0x6F;
                BaseAddress[2] = 0x20;
              }
              else
              {
                *BaseAddress = 0x6D;
                BaseAddress[1] = 0x6A;
                BaseAddress[2] = 0x29;
              }
              BaseAddress[3] = 0;
              break;
            }
            // Tag mismatch: write the failure bytes anyway and keep scanning.
            *(_BYTE *)v14.BaseAddress = 0x6D;
            BaseAddress[1] = 0x6A;
            BaseAddress[2] = 0x29;
            BaseAddress[3] = 0;
          }
        }
        OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
        i = (__int64 (__fastcall *)(__int64, int *))Process32Next;
      }
      if ( v5 )
        break;
    }
  }
  // Close the snapshot, then the process handle; v4 is still 0 if OpenProcess
  // never succeeded, so the last call may be CloseHandle(0).
  CloseHandle(v7);
  return ((__int64 (__fastcall *)(__int64))CloseHandle)(v4);
}
// Second, truncated copy of the blob entry sub_44 (the page cuts it off inside
// the `if ( v4 )` branch).  Same prologue as the full listing above: hash-based
// API resolution, process snapshot, PID match, OpenProcess with MAXIMUM_ALLOWED.
__int64 sub_44()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
 
  CreateToolhelp32Snapshot = (__int64 (__fastcall *)(__int64, _QWORD))find_api_func_5D8(0xF88DDF46);
  OpenProcess = find_api_func_5D8(0xFD0B55A7);
  // VirtualQueryEx
  VirtualQueryEx = (__int64 (__fastcall *)(__int64, char *, MEMORY_BASIC_INFORMATION *, __int64))find_api_func_5D8(0x242E6FF);
  // Process32First
  Process32First = (__int64 (__fastcall *)(__int64, int *))find_api_func_5D8(0x3F347695);
  // Process32Next
  Process32Next = find_api_func_5D8(0x93E12339);
  // CloseHandle
  CloseHandle = (void (__fastcall *)(__int64))find_api_func_5D8(0x1CA655F1);
  // GetCurrentProcessId
  GetCurrentProcessId = (void (*)(void))find_api_func_5D8(0x35634E1);
  // v4: process handle; v15: PROCESSENTRY32.dwSize = 0x238; v5: tag-matched flag.
  v4 = 0i64;
  v15 = 0x238;
  v5 = 0;
  // CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, 0)
  v6 = CreateToolhelp32Snapshot(2i64, 0i64);
  v7 = v6;
  if ( v6 == 0xFFFFFFFFFFFFFFFFui64 )
    return 0xFFFFFFFFi64;
  v9 = Process32First(v6, &v15);
  OpenProcess1 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))OpenProcess;
  for ( i = (__int64 (__fastcall *)(__int64, int *))Process32Next; v9; v9 = i(v7, &v15) )
  {
    // v16 is presumably PROCESSENTRY32.th32ProcessID -- confirm the struct offset.
    if ( v16 == ((unsigned int (*)(void))GetCurrentProcessId)() )
    {
      // OpenProcess(0x2000000 = MAXIMUM_ALLOWED, bInheritHandle = 0, pid)
      v4 = OpenProcess1(0x2000000i64, 0i64, v16);
      if ( v4 )
