[Original] Kanxue 2024 KCTF Contest, Challenge 10: 试探
Posted on: 2024-9-6 06:46 2263

Open the binary in IDA and start from the main function:

The constant strings are encrypted; sub_140001FC0 decrypts them (renamed decode_str above). There are not many strings, though, so the decrypted results can simply be read off in a debugger without bothering with the decryption logic.
 
Most of main is inlined std::string handling; defining a struct for it makes the code a little easier to read.

Stepping through in order, the first unusual thing is GetProcAddress(ModuleHandleA, v23) + 18: it takes the entry address of NtAddBootEntry plus 18, and the location that actually points to is a syscall instruction.
(This seems to be a way of evading hooks and hiding which function is really being called. I found an article on it, but that one describes patching the instruction that loads the system call number just before NtAddBootEntry's syscall instruction in order to change the number, which is not what this challenge does.)
 
Leaving that aside for now and continuing down, the program starts two threads via beginthreadex, which then call sub_140001530 and sub_1400012C0 respectively.

The sub_140001020 called at the end of sub_140001530 is printf; a breakpoint there shows this is where the final result is printed. Both the decision and the output depend on data in the memory pointed to by the global unk_1400075C0 (renamed maybe_shellcode above).
 
sub_1400012C0 calls TpAllocWait and TpSetWait, and the former is passed maybe_shellcode + dword_1400075AC as an argument. (I found a piece of code doing the same; it seems to be another undocumented way of getting a thread to execute code.)

I do not fully understand these Windows mechanisms, but it is clear that the memory pointed to by unk_1400075C0 (maybe_shellcode) is the key piece.
In main, *v30++ = *v26++ (0x1400018F3) copies the entered key to the start of that buffer, and *v32++ = *v33++ (0x140001923) then copies unk_140006050 after it, which is where the real shellcode lives. Alternatively, break at the printf at the end of sub_140001530 and dump the memory at unk_1400075C0; that gives a clearer view of the layout, and it matches what main writes.
 
Looking at the dumped memory (attachment MEM_0000000000590000_00001000.mem): the first 4 bytes are initially "kctf" and, once the key check has run, are overwritten with either "no!\0" or "ok!\0"; next come 20 bytes holding the entered key, then a \0; from offset 0x19 onward the content matches unk_140006050, i.e. the shellcode, and maybe_shellcode + dword_1400075AC points here as well.
 
At 0x1D there is a junk instruction, a call into the middle of itself, which can simply be patched out:

Next comes a pattern that repeats throughout:

Obviously exactly one of the jnz at 0x5A and the jz at 0x5C will be taken. Following each branch's instruction sequence, the jnz at 0x5A keeps jumping forward, while the jz at 0x5C jumps back to an earlier position.
 
Dynamic debugging confirms that the jnz at 0x5A is the path actually taken.
(P.S. On debugging this: although I do not know how the shellcode gets launched, setting a hardware execution breakpoint right after unk_140006050 has been copied to offset 0x19 and then resuming is enough to hit it.)
 
In this pattern the jnz is always preceded by a cmp reg, 0FFFFFFF?h, and the jump's target offset is fixed too, so it can be NOPed out by plain byte matching:

After also manually NOPing the four bytes 0x1D-0x20, the shellcode's logic decompiles cleanly:

Most of the outer code just locates the memory region it lives in; when debugging you can break directly on sub_6E4, which holds the logic that finally checks whether the entered key is correct. (The sizes of some stack variables, e.g. v71, need adjusting by hand.)

Then it is a matter of reading the code while stepping through it. Note the following three separate parts:

v59 initializes a 3*3 area; starting at &v71[11] (i.e. v19) the entered values are stored (after subtracting 48) and are restricted to the range 0-2.
v22 converts the 3*3 two-dimensional coordinate that v19 points to into a one-dimensional index. The key part is these two lines:

Just above, v59[v21] was checked to be 0, and then the values of v59[v21] and v59[v22] are swapped.
 
Drawing v59's initial value as a 3*3 grid:

This brings to mind the classic sliding number puzzle (the 8-puzzle): 0 is the empty slot and 1-8 are the eight tiles.

If v59's target value is the standard arrangement:

The required moves are easy to see:

The coordinates of the tile moved at each step are, in order:

Concatenated:

Entering this as the key passes the check, so the second half of the program needs no further reversing.

So the final correct key is 011110202122
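As an added example (not part of the original post), the sliding-puzzle logic in Python: apply_key replays the check as described above (digit minus 48, range 0-2, 2-D to 1-D index, swap with the cell holding 0), and solve is a breadth-first search that produces a key in the same row/column digit format. The start board is a constructed assumption, since the post's own board image is not reproduced in the text; it is one of the boards from which the key 011110202122 reaches the standard 1-8 arrangement, and the adjacency rule in apply_key is likewise assumed rather than shown on the page.

```python
from collections import deque

SIZE = 3
# Standard final arrangement assumed here (the post's own image is not in the text).
GOAL = ((1, 2, 3), (4, 5, 6), (7, 8, 0))
# Constructed start board (assumption): the post's key 011110202122 solves it.
START = ((0, 1, 3), (5, 2, 6), (4, 7, 8))
KEY = "011110202122"


def to_index(row, col):
    """2-D coordinate -> 1-D index into the 3*3 array (the shellcode's v22)."""
    return row * SIZE + col


def to_board(cells):
    """1-D list of 9 values -> hashable tuple-of-tuples board."""
    return tuple(tuple(cells[r * SIZE:(r + 1) * SIZE]) for r in range(SIZE))


def apply_key(board, key):
    """Replay the check the post describes.  Each digit pair (row, col) names the
    tile to slide; a digit is taken as ord(ch) - 48 and must be 0..2, the
    coordinate is flattened, and the cell it is swapped with must hold 0 (the
    empty slot).  Returns the resulting board, or None if any step is rejected.
    Adjacency of tile and empty slot is required here as well; the post does
    not show that check explicitly, so it is an assumption."""
    if len(key) % 2:
        return None
    cells = [v for row in board for v in row]
    for i in range(0, len(key), 2):
        row, col = ord(key[i]) - 48, ord(key[i + 1]) - 48
        if not (0 <= row < SIZE and 0 <= col < SIZE):
            return None
        tile = to_index(row, col)                # v22
        blank = cells.index(0)                   # v21: v59[v21] must be 0
        br, bc = divmod(blank, SIZE)
        if abs(br - row) + abs(bc - col) != 1:   # assumed adjacency rule
            return None
        cells[blank], cells[tile] = cells[tile], cells[blank]
    return to_board(cells)


def neighbours(board):
    """Yield (move, board) for every legal slide: move is the 'rc' digit pair of
    the tile that moves into the empty slot."""
    cells = [v for row in board for v in row]
    blank = cells.index(0)
    br, bc = divmod(blank, SIZE)
    for dr, dc in ((-1, 0), (1, 0), (0, -1), (0, 1)):
        r, c = br + dr, bc + dc
        if 0 <= r < SIZE and 0 <= c < SIZE:
            nxt = cells[:]
            tile = to_index(r, c)
            nxt[blank], nxt[tile] = nxt[tile], nxt[blank]
            yield "%d%d" % (r, c), to_board(nxt)


def solve(start, goal=GOAL):
    """Breadth-first search over board states.  Returns the shortest key string
    that turns start into goal, "" if already solved, or None if unreachable
    (half of all 8-puzzle arrangements are, by parity)."""
    if start == goal:
        return ""
    parent = {start: None}            # board -> (previous board, move)
    queue = deque([start])
    while queue:
        board = queue.popleft()
        for move, nxt in neighbours(board):
            if nxt in parent:
                continue
            parent[nxt] = (board, move)
            if nxt == goal:
                moves = []
                while parent[nxt] is not None:
                    nxt, move = parent[nxt]
                    moves.append(move)
                return "".join(reversed(moves))
            queue.append(nxt)
    return None


if __name__ == "__main__":
    print("key from solver:", solve(START))            # 011110202122
    print("board after key:", apply_key(START, KEY))   # GOAL
```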

With that settled, the warm-up challenge was still unsolved, so back to it.

Viewing the source with F12 reveals /flag.php; at the end of that page's source there is a commented-out base64 string aGlkZGVuX3BhZ2UucGhw, which decodes to hidden_page.php, a file upload page that says only jpg images are allowed.
 
On the first day of the contest I had found another commented-out base64 string at the end of hidden_page.php's source, aDFkZGVuX2F1cm9yYV9ob2NobGFkZW4ucGhw, which decodes to h1dden_aurora_hochladen.php. Googling it turns up a writeup whose solution for the Web-aurorawebsit challenge says: change the form-data Content-Type to image/jpeg to get past the check while keeping a php suffix on the filename, make the file content normal jpeg image data with a webshell appended at the end, and after a successful upload just visit it.
(Oddly, I only ever saw the string aDFkZGVuX2F1cm9yYV9ob2NobGFkZW4ucGhw once; restarting the challenge and refreshing the page later never showed it again. I do not know what happened there.)
 
This challenge looks the same, but where are uploaded files saved? I tried the root path / and the /img directory that holds the background images bg_0?.jpg, without success; that is where I got stuck with no further ideas.
(P.S. All of the above was attempted on the first day of the contest.)
 
Today I tried Google again with the keywords ctf "hidden_page.php", and unexpectedly found that a writeup for this challenge had already leaked: http://www.yxfzedu.com/article/11382 and http://47.243.232.19:8089/article/11382
(Searching the forum for the title, the original post should be https://bbs.kanxue.com/thread-283029.htm. Comparing timestamps: the original was posted 2024-8-21 16:10, the copy is dated 2024/8/22 14:00:50, and the original was edited 2024-8-23 04:19. The scrapers really are quick.)
 
So uploaded files are saved under /upload. How was that worked out? (None of the challenge's pages seem to hint at this path, so is it a web player's intuition? Or do you need to keep a scanner handy? Either way, I would never have guessed that path myself.)

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // r8
  void **v4; // rcx
  const char *v5; // rax
  struct stdstring *p_Src; // rdx
  __int64 v7; // rax
  __int64 v8; // rdx
  __int64 v9; // r8
  const void *v10; // r14
  size_t v11; // rdi
  size_t size; // r12
  char *v13; // r13
  unsigned __int64 v14; // r15
  unsigned __int64 v15; // rbx
  _QWORD *v16; // rsi
  __int64 v17; // rbx
  size_t v18; // rax
  void *v19; // rax
  size_t v20; // rcx
  const CHAR *v21; // rax
  HMODULE ModuleHandleA; // rbx
  const CHAR *v23; // rax
  __int64 v24; // rdi
  __int64 v25; // rdx
  char *v26; // rdx
  __int64 capacity; // rsi
  bool v28; // r14
  char *v29; // rbx
  _BYTE *v30; // rcx
  __int64 v31; // r8
  _BYTE *v32; // rdx
  _BYTE *v33; // rcx
  __int64 v34; // r8
  int (**v35)(); // rax
  void (**v36)(); // rax
  void *v37; // rcx
  void *v38; // rcx
  char *v39; // rax
  _BYTE *v40; // rcx
  void *v41; // rcx
  void *v42; // rcx
  unsigned int InitFlag; // [rsp+20h] [rbp-E0h]
  int ThrdAddr; // [rsp+28h] [rbp-D8h]
  void *Block[2]; // [rsp+30h] [rbp-D0h] BYREF
  __int64 v47; // [rsp+40h] [rbp-C0h]
  unsigned __int64 v48; // [rsp+48h] [rbp-B8h]
  struct stdstring Src; // [rsp+50h] [rbp-B0h] BYREF
  unsigned int v50[4]; // [rsp+70h] [rbp-90h] BYREF
  void *v51[2]; // [rsp+80h] [rbp-80h] BYREF
  __int64 v52; // [rsp+90h] [rbp-70h]
  unsigned __int64 v53; // [rsp+98h] [rbp-68h]
  void *v54[2]; // [rsp+A0h] [rbp-60h] BYREF
  __int64 v55; // [rsp+B0h] [rbp-50h]
  unsigned __int64 v56; // [rsp+B8h] [rbp-48h]
  void *v57; // [rsp+C0h] [rbp-40h] BYREF
  __int64 v58; // [rsp+D0h] [rbp-30h]
  unsigned __int64 v59; // [rsp+D8h] [rbp-28h]
  __int64 v60; // [rsp+E0h] [rbp-20h] BYREF
  struct stdstring v61; // [rsp+E8h] [rbp-18h] BYREF
  _Thrd_t v62; // [rsp+110h] [rbp+10h] BYREF
  unsigned int v64; // [rsp+128h] [rbp+28h] BYREF
 
  *(_QWORD *)Src.field_0 = 0LL;
  Src.capacity = 15LL;
  Src.size = 0LL;
  sub_140001DE0(&Src, 0x14uLL, (__int64)envp, 0x14uLL);
  v54[0] = 0LL;
  v55 = 0LL;
  v56 = 15LL;
  sub_140001CA0((__int64)v54, 0x16uLL, v3, "Ummdrm%dfqdz%xgps(ndq?", InitFlag, ThrdAddr);
  v4 = v54;
  if ( v56 >= 0x10 )
    v4 = (void **)v54[0];
  v5 = (const char *)decode_str((__int64)v4, v55, (const __m128i *)&unk_1400043BC);// Please enter your key:
  printf(v5);
  p_Src = &Src;
  if ( Src.capacity >= 0x10uLL )
    p_Src = *(struct stdstring **)Src.field_0;
  scanf("%s", p_Src);
  v59 = 15LL;
  v58 = 4LL;
  v57 = (void *)1669096046;
  v7 = decode_str((__int64)&v57, 4, (const __m128i *)&unk_1400043BC);
  v10 = (const void *)v7;
  v11 = -1LL;
  do
    ++v11;
  while ( *(_BYTE *)(v7 + v11) );
  size = Src.size;
  if ( 0x7FFFFFFFFFFFFFFFLL - Src.size < v11 )
LABEL_74:
    sub_140001280();
  v13 = (char *)&Src;
  if ( Src.capacity >= 0x10uLL )
    v13 = *(char **)Src.field_0;
  *(_QWORD *)v61.field_0 = 0LL;
  v61.size = 0LL;
  v61.capacity = 0LL;
  v14 = Src.size + v11;
  v15 = 15LL;
  v16 = &v61;
  if ( Src.size + v11 > 0xF )
  {
    v17 = Src.size + v11;
    if ( v14 < 0x10 )
      v17 = 16LL;
    v15 = v17 | 0xF;
    if ( v15 <= 0x7FFFFFFFFFFFFFFFLL )
    {
      if ( v15 < 0x16 )
        v15 = 22LL;
      v20 = v15 + 1;
      if ( v15 + 1 < 0x1000 )
      {
        v16 = operator new(v20);
LABEL_23:
        *(_QWORD *)v61.field_0 = v16;
        goto LABEL_24;
      }
      v18 = v15 + 40;
      if ( v15 + 40 < v15 + 1 )
        sub_1400011E0(v20, v8, v9);
    }
    else
    {
      v15 = 0x7FFFFFFFFFFFFFFFLL;
      v18 = 0x8000000000000027uLL;
    }
    v19 = operator new(v18);
    if ( !v19 )
      goto LABEL_54;
    v16 = (_QWORD *)(((unsigned __int64)v19 + 39) & 0xFFFFFFFFFFFFFFE0uLL);
    *(v16 - 1) = v19;
    goto LABEL_23;
  }
LABEL_24:
  v61.size = size + v11;
  v61.capacity = v15;
  memcpy(v16, v10, v11);
  memcpy((char *)v16 + v11, v13, size);
  *((_BYTE *)v16 + v14) = 0;
  v53 = 15LL;
  v52 = 9LL;
  strcpy((char *)v51, "kulim&amd");
  v21 = (const CHAR *)decode_str((__int64)v51, 9, (const __m128i *)&unk_1400043BC);// ntdll.dll
  ModuleHandleA = GetModuleHandleA(v21);
  v48 = 15LL;
  v47 = 14LL;
  strcpy((char *)Block, "KuIaeJjn|@o|wx");
  v23 = (const CHAR *)decode_str((__int64)Block, 14, (const __m128i *)&unk_1400043BC);// NtAddBootEntry
  syscall_inst_of_NtAddBootEntry = (__int64)GetProcAddress(ModuleHandleA, v23) + 18;
  qword_1400075B0 = (__int64)CreateEventA(0LL, 0, 1, 0LL);
  v24 = v61.size;
  v60 = v61.size + 3796;
  sub_140002160((__int64)ModuleHandleA, v25, (__int64)&unk_140004438);
  sub_140002510(dword_1400075A8, syscall_inst_of_NtAddBootEntry);
  sub_140002533(-1LL, (__int64)&maybe_shellcode, 0LL, (__int64)&v60);
  v26 = (char *)&v61;
  capacity = v61.capacity;
  v28 = v61.capacity >= 0x10uLL;
  v29 = *(char **)v61.field_0;
  if ( v61.capacity >= 0x10uLL )
    v26 = *(char **)v61.field_0;
  v30 = (_BYTE *)maybe_shellcode;
  v31 = v24;
  if ( v24 )
  {
    do
    {
      *v30++ = *v26++;
      --v31;
    }
    while ( v31 );
    v30 = (_BYTE *)maybe_shellcode;
  }
  v32 = &v30[v24 + 1];
  v33 = &unk_140006050;
  v34 = 3795LL;
  do
  {
    *v32++ = *v33++;
    --v34;
  }
  while ( v34 );
  dword_1400075AC = v24 + 1;
  v35 = (int (**)())operator new(8uLL);
  *v35 = sub_140001530;
  v62._Hnd = v35;
  if ( !beginthreadex(0LL, 0, StartAddress, v35, 0, &v64) )
    goto LABEL_73;
  v36 = (void (**)())operator new(8uLL);
  *v36 = sub_1400012C0;
  v62._Hnd = v36;
  *(_QWORD *)v50 = beginthreadex(0LL, 0, StartAddress, v36, 0, &v50[2]);
  if ( !*(_QWORD *)v50 )
  {
    v50[2] = 0;
    std::_Throw_Cpp_error(6);
LABEL_73:
    v64 = 0;
    std::_Throw_Cpp_error(6);
    goto LABEL_74;
  }
  if ( !v50[2] )
  {
    std::_Throw_Cpp_error(1);
    __debugbreak();
  }
  if ( v50[2] == Thrd_id() )
  {
    std::_Throw_Cpp_error(5);
    __debugbreak();
  }
  v62 = *(_Thrd_t *)v50;
  if ( Thrd_join(&v62, 0LL) )
  {
    std::_Throw_Cpp_error(2);
    __debugbreak();
  }
  *(_OWORD *)v50 = 0LL;
  if ( v64 )
    terminate();
  if ( v48 >= 0x10 )
  {
    v37 = Block[0];
    if ( v48 + 1 >= 0x1000 )
    {
      v37 = (void *)*((_QWORD *)Block[0] - 1);
      if ( (unsigned __int64)((char *)Block[0] - (char *)v37 - 8) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v37);
  }
  v47 = 0LL;
  v48 = 15LL;
  LOBYTE(Block[0]) = 0;
  if ( v53 >= 0x10 )
  {
    v38 = v51[0];
    if ( v53 + 1 >= 0x1000 )
    {
      v38 = (void *)*((_QWORD *)v51[0] - 1);
      if ( (unsigned __int64)((char *)v51[0] - (char *)v38 - 8) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v38);
  }
  v52 = 0LL;
  v53 = 15LL;
  LOBYTE(v51[0]) = 0;
  if ( v28 )
  {
    v39 = v29;
    if ( (unsigned __int64)(capacity + 1) >= 0x1000 )
    {
      v29 = (char *)*((_QWORD *)v29 - 1);
      if ( (unsigned __int64)(v39 - v29 - 8) > 0x1F )
LABEL_54:
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v29);
  }
  if ( v59 >= 0x10 )
  {
    v40 = v57;
    if ( v59 + 1 >= 0x1000 )
    {
      v40 = (_BYTE *)*((_QWORD *)v57 - 1);
      if ( (unsigned __int64)((_BYTE *)v57 - v40 - 8) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v40);
  }
  v58 = 0LL;
  v59 = 15LL;
  LOBYTE(v57) = 0;
  if ( v56 >= 0x10 )
  {
    v41 = v54[0];
    if ( v56 + 1 >= 0x1000 )
    {
      v41 = (void *)*((_QWORD *)v54[0] - 1);
      if ( (unsigned __int64)((char *)v54[0] - (char *)v41 - 8) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v41);
  }
  v55 = 0LL;
  v56 = 15LL;
  LOBYTE(v54[0]) = 0;
  if ( Src.capacity >= 0x10uLL )
  {
    v42 = *(void **)Src.field_0;
    if ( (unsigned __int64)(Src.capacity + 1) >= 0x1000 )
    {
      v42 = *(void **)(*(_QWORD *)Src.field_0 - 8LL);
      if ( (unsigned __int64)(*(_QWORD *)Src.field_0 - (_QWORD)v42 - 8LL) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v42);
  }
  return 0;
}
struct stdstring
{
  char field_0[16];
  __int64 size;
  __int64 capacity;
};
int sub_140001530()
{
  __int64 v0; // rcx
  char i; // al
  const __m128i *v2; // r8
  const char *v3; // rax
 
  v0 = maybe_shellcode;
  for ( i = *(_BYTE *)maybe_shellcode; *(_BYTE *)maybe_shellcode == 'k'; i = *(_BYTE *)maybe_shellcode )
  {
    Sleep(10u);
    v0 = maybe_shellcode;
  }
  v2 = (const __m128i *)&unk_1400043F8;
  if ( i != 'i' )
    v2 = (const __m128i *)&unk_1400043FC;
  v3 = (const char *)decode_str(v0, 3, v2);
  return printf(v3);
}
 
void sub_1400012C0()
{
  const CHAR *v0; // rax
  HMODULE ModuleHandleA; // rbx
  const CHAR *v2; // rax
  FARPROC ProcAddress; // rax
  const CHAR *v4; // rax
  FARPROC v5; // rax
  __int64 v6; // rdx
  __int64 v7; // r9
  void *v8; // rcx
  void *v9; // rcx
  void *v10; // rcx
  __int64 v11; // [rsp+20h] [rbp-19h] BYREF
  _QWORD v12[2]; // [rsp+28h] [rbp-11h] BYREF
  __int64 v13; // [rsp+38h] [rbp-1h]
  unsigned __int64 v14; // [rsp+40h] [rbp+7h]
  void *Block[2]; // [rsp+48h] [rbp+Fh] BYREF
  __int64 v16; // [rsp+58h] [rbp+1Fh]
  unsigned __int64 v17; // [rsp+60h] [rbp+27h]
  _QWORD v18[3]; // [rsp+68h] [rbp+2Fh] BYREF
  unsigned __int64 v19; // [rsp+80h] [rbp+47h]
 
  v11 = 0LL;
  v19 = 15LL;
  v18[2] = 9LL;
  strcpy((char *)v18, "kulim&amd");
  v0 = (const CHAR *)decode_str((__int64)v18, 9, (const __m128i *)&unk_1400043BC);// ntdll.dll
  ModuleHandleA = GetModuleHandleA(v0);
  v14 = 15LL;
  v13 = 11LL;
  strcpy((char *)v12, "QqIimgfVilu");
  v2 = (const CHAR *)decode_str((__int64)v12, 11, (const __m128i *)&unk_1400043BC);// TpAllocWait
  ProcAddress = GetProcAddress(ModuleHandleA, v2);
  ((void (__fastcall *)(__int64 *, __int64, _QWORD, _QWORD))ProcAddress)(
    &v11,
    maybe_shellcode + (unsigned int)dword_1400075AC,
    0LL,
    0LL);
  v17 = 15LL;
  v16 = 9LL;
  strcpy((char *)Block, "Qq[`u_dh|");
  v4 = (const CHAR *)decode_str((__int64)Block, 9, (const __m128i *)&unk_1400043BC);// TpSetWait
  v5 = GetProcAddress(ModuleHandleA, v4);
  ((void (__fastcall *)(__int64, __int64, _QWORD))v5)(v11, qword_1400075B0, 0LL);
  sub_140002160((__int64)ModuleHandleA, v6, (__int64)"Or_`o|GizRoffjmNdbde|");
  sub_140002510(dword_1400075A8, syscall_inst_of_NtAddBootEntry);
  sub_140002533(qword_1400075B0, 0LL, 0LL, v7);
  if ( v17 >= 0x10 )
  {
    v8 = Block[0];
    if ( v17 + 1 >= 0x1000 )
    {
      v8 = (void *)*((_QWORD *)Block[0] - 1);
      if ( (unsigned __int64)((char *)Block[0] - (char *)v8 - 8) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v8);
  }
  v16 = 0LL;
  v17 = 15LL;
  LOBYTE(Block[0]) = 0;
  if ( v14 >= 0x10 )
  {
    v9 = (void *)v12[0];
    if ( v14 + 1 >= 0x1000 )
    {
      v9 = *(void **)(v12[0] - 8LL);
      if ( (unsigned __int64)(v12[0] - (_QWORD)v9 - 8LL) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v9);
  }
  v13 = 0LL;
  v14 = 15LL;
  LOBYTE(v12[0]) = 0;
  if ( v19 >= 0x10 )
  {
    v10 = (void *)v18[0];
    if ( v19 + 1 >= 0x1000 )
    {
      v10 = *(void **)(v18[0] - 8LL);
      if ( (unsigned __int64)(v18[0] - (_QWORD)v10 - 8LL) > 0x1F )
        invalid_parameter_noinfo_noreturn();
    }
    j_j_free(v10);
  }
}
seg000:000000000000001C                 push    rsi
seg000:000000000000001D                 db 0E8h
seg000:000000000000001E                 db 0FFh
seg000:000000000000001F                 db 0FFh
seg000:0000000000000020                 db 0FFh
seg000:0000000000000021                 inc     eax
seg000:0000000000000057 83 FE F5                          cmp     esi, 0FFFFFFF5h
seg000:000000000000005A 75 0D                             jnz     short loc_69
seg000:000000000000005C 74 08                             jz      short loc_66
seg000:000000000000005E 76 0D                             jbe     short near ptr loc_69+4
seg000:0000000000000060
seg000:0000000000000060                   loc_60:                                 ; DATA XREF: sub_50C+1C↓r
seg000:0000000000000060                                                           ; sub_5D8+18↓r
seg000:0000000000000060 EB E2                             jmp     short loc_44
seg000:0000000000000060                   ; ---------------------------------------------------------------------------
seg000:0000000000000062 FD                                db 0FDh
seg000:0000000000000063                   ; ---------------------------------------------------------------------------
seg000:0000000000000063
seg000:0000000000000063                   loc_63:                                 ; CODE XREF: seg000:000000000000007F↓j
seg000:0000000000000063 EB 1F                             jmp     short loc_84
seg000:0000000000000063                   ; ---------------------------------------------------------------------------
seg000:0000000000000065 3E                                db  3Eh ; >
seg000:0000000000000066                   ; ---------------------------------------------------------------------------
seg000:0000000000000066
seg000:0000000000000066                   loc_66:                                 ; CODE XREF: seg000:000000000000005C↑j
seg000:0000000000000066 1C EB                             sbb     al, 0EBh
seg000:0000000000000066                   ; ---------------------------------------------------------------------------
seg000:0000000000000068 EB                                db 0EBh
seg000:0000000000000069                   ; ---------------------------------------------------------------------------
seg000:0000000000000069
seg000:0000000000000069                   loc_69:                                 ; CODE XREF: seg000:000000000000005A↑j
seg000:0000000000000069                                                           ; seg000:000000000000005E↑j
seg000:0000000000000069 B9 46 DF 8D F8                    mov     ecx
with open("MEM_0000000000590000_00001000.mem", "rb") as f:
    content = bytearray(f.read())

pc = 0

# Byte patterns of the junk stub: "cmp reg, 0FFFFFFF5h" (83 /7 F5, ModRM F8..FF
# selects eax..edi) followed by "jnz short +0Dh" (75 0D).
somebytes = [    # note: it is not certain that all of these patterns occur in the program
    bytes.fromhex("83F8F5 750D"),   # cmp eax, 0FFFFFFF5h ; jnz
    bytes.fromhex("83F9F5 750D"),   # cmp ecx, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FAF5 750D"),   # cmp edx, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FBF5 750D"),   # cmp ebx, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FCF5 750D"),   # cmp esp, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FDF5 750D"),   # cmp ebp, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FEF5 750D"),   # cmp esi, 0FFFFFFF5h ; jnz
    bytes.fromhex("83FFF5 750D"),   # cmp edi, 0FFFFFFF5h ; jnz
    bytes.fromhex("83F9F1 750D"),   # cmp ecx, 0FFFFFFF1h ; jnz
]

# The stub spans 0x12 bytes (cmp at +0 up to the jnz target at +0x12), so a hit
# overwrites the whole stub with NOPs and execution falls through to the target.
# pc is not advanced on a hit; the re-check sees NOPs and moves on next round.
while pc < len(content):
    if content[pc:pc+5] in somebytes:
        content[pc:pc+0x12] = b"\x90"*0x12
    else:
        pc += 1

with open("MEM_0000000000590000_00001000_patched1.mem", "wb") as f:
    f.write(content)
// positive sp value has been detected, the output may be wrong!
__int64 __usercall sub_19@<rax>(__int64 a1@<rax>, __int64 a2@<rcx>, __int64 a3@<rsi>)
{
  __int64 v3; // rcx
  char *v4; // rdi
  char v5; // al
  __int64 (__fastcall *v6)(__int64, _QWORD); // rbx
  __int64 (__fastcall *v7)(__int64, int *); // rdi
  void (__fastcall *v8)(__int64); // r12
  void (*v9)(void); // r13
  __int64 v10; // rsi
  bool v11; // r14
  __int64 v12; // rax
  __int64 v13; // r15
  int v15; // eax
  __int64 (__fastcall *v16)(__int64, _QWORD, _QWORD); // rbx
  __int64 (__fastcall *i)(__int64, int *); // rdi
  __int64 v18; // rdi
  _BYTE *v19; // rbx
  __int64 v20; // [rsp+20h] [rbp-2B0h] BYREF
  int v21; // [rsp+30h] [rbp-2A0h]
  __int64 v22; // [rsp+38h] [rbp-298h]
  __int64 v23; // [rsp+40h] [rbp-290h]
  int v24; // [rsp+58h] [rbp-278h] BYREF
  unsigned int v25; // [rsp+60h] [rbp-270h]
  __int64 v26; // [rsp+2B0h] [rbp-20h]
  __int64 v27; // [rsp+2B8h] [rbp-18h]
  __int64 v28; // [rsp+2C0h] [rbp-10h]
  __int64 v29; // [rsp+2C8h] [rbp-8h]
  __int64 v30; // [rsp+2D8h] [rbp+8h]
  __int64 v31; // [rsp+2E0h] [rbp+10h]
  __int64 (__fastcall *v32)(__int64, __int64, __int64 *, __int64); // [rsp+2E8h] [rbp+18h]
 
  v27 = a1;
  v26 = a2;
  v3 = 3751LL;
  v4 = (char *)(a3 + 34);
  do
  {
    v5 = *v4;
    if ( *v4 == '*' )
      v5 = 0;
    *v4++ = v5;
    --v3;
  }
  while ( v3 );
  v28 = v29;
  v27 = v26;
  v6 = (__int64 (__fastcall *)(__int64, _QWORD))sub_5D8(-124919994);
  v30 = sub_5D8(-49588825);
  v32 = (__int64 (__fastcall *)(__int64, __int64, __int64 *, __int64))sub_5D8(37938943);
  v7 = (__int64 (__fastcall *)(__int64, int *))sub_5D8(1060402837);
  v31 = sub_5D8(-1813961927);
  v8 = (void (__fastcall *)(__int64))sub_5D8(480663025);
  v9 = (void (*)(void))sub_5D8(55981281);
  v10 = 0LL;
  v24 = 568;
  v11 = 0;
  v12 = v6(2LL, 0LL);
  v13 = v12;
  if ( v12 == -1 )
    return 0xFFFFFFFFLL;
  v15 = v7(v12, &v24);                          // Process32First
  v16 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))v30;
  for ( i = (__int64 (__fastcall *)(__int64, int *))v31; v15; v15 = i(v13, &v24) )
  {
    if ( v25 == ((unsigned int (*)(void))v9)() )
    {
      v10 = v16(0x2000000LL, 0LL, v25);
      if ( v10 )
      {
        v18 = 0LL;
        while ( v32(v10, v18, &v20, 48LL) )
        {
          v18 = v20 + v22;
          if ( (_DWORD)v23 == 4096 && v21 == 64 )
          {
            v9();                               // GetCurrentProcessId
            v11 = sub_6A4(*(_DWORD *)v20);
            v19 = (_BYTE *)v20;
            if ( v11 )
            {
              if ( sub_6E4((_BYTE *)(v20 + 4)) )
              {
                *v19 = 105;
                v19[1] = 111;
                v19[2] = 32;
              }
              else
              {
                *v19 = 109;
                v19[1] = 106;
                v19[2] = 41;
              }
              v19[3] = 0;
              break;
            }
            *(_BYTE *)v20 = 109;
            v19[1] = 106;
            v19[2] = 41;
            v19[3] = 0;
          }
        }
        v16 = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD))v30;
        i = (__int64 (__fastcall *)(__int64, int *))v31;
      }
      if ( v11 )
        break;
    }
  }
  v8(v13);
  return ((__int64 (__fastcall *)(__int64))v8)(v10);
}
 
bool __fastcall sub_6A4(int a1)
{
  return a1 == 'ftck';
}