拿到hack.exe,浅分析一下发现加了VM,并且有检测黑客工具的行为,检测到了之后即使关闭黑客程序也会影响程序正常运行,但是xdbg稍微改一下还是可以动调的,在xdbg里下一些可能的函数断点,我这里在这些地方下了断点
运行发现程序会多次在WriteProcessMemory
下断下,hook一下观察传参
这里输出了三个txt文件
其中out200.txt文件有明显的PE头
去除前面的字节,把文件丢到DIE里分析一下发现是dll64文件并且貌似没加壳,所以hack.exe通过WriteProcessMemory
往某个进程写入了一个dll?怀疑是远程注入,至于做了什么,有可能跟token有关,继续分析。
ida64打开发现程序的dllMain入口还是被加密了
还是继续动调,随便找了个64位的可执行文件,拖到X64dbg里运行,直接用xdbg的注入方式将out200.dll注入进程,在
入口点下断点,并且对一些可疑的WINDOWS API下断观察进程行为
这里我对下面这几个API下了断点
运行,第一次成功在openProcess函数断下
观察传参窗口,找到了一个系统进程名称字符串winlogon.exe
,而这里调用的是openProcess,疑似是对系统进程winlogon.exe做了一些操作。继续分析,运行到返回,回溯一层函数,找到一段没有被加密的代码
汇编代码不是很好看,根据偏移在IDA里反汇编看看
这段代码一次进行了获取进程pid,打开进程,遍历模块等操作,并且在函数失败后做了一些奇奇怪怪的东西,对一些地址赋上了一些64位的值,猜测是隐藏字符串来打印调试信息用的,再通过messagebox和outputDebugString给出调试信息,显示打开进程失败,猜测是因为hack.exe启动是管理员启动,这里失去了管理员权限。
分析完这个函数,继续回溯一层,运行到返回,定位到这个地方
继续根据偏移转到IDA里看反汇编
前面应该是一个加密的字符串操作,用python打印出字符串
得到的刚好是winlogon.exe字符串,然后程序将这个字符串转移到了dword_1800349A0全局变量中,目的应该是隐藏字符串,接着sub_180004770函数也是一个类似memmove操作,把这个字符串传到了Dst局部变量中,接着在sub_1800070A0中传入这个字符串,貌似是在根据字符串获取进程PID,接着调用sub_1800063D0函数根据pid打开进程,并将进程句柄存储到了某个地方
随后return exit退出。
随后我在退出函数传参的时候看到了一个hProcess
一个全局变量,很有可能在其他地方对句柄进行了读取,交叉引用一下定位到如下函数
看到了有WriteProcessMemory写入hProcess内存操作,CreateFileA,WriteFile,打开和写入文件操作,但是并没有找到hProcess的赋值语句,也就是说这个进程句柄还不知道是谁的,猜测赋值被隐藏了,但是可以猜测可能是winlogon.exe进程句柄。byte_180032C00是一个全局的标志变量,强制函数只能执行一次,对应的是运行程序时仅一次的初始化操作。接着看一下CreateFileA函数,同样的文件名被隐藏了,python解析一下
整个拼起来是字符串C:\2024GameSafeRace.token1
,应该是创建了一个文件,然后向这个文件写入了token1了,接着往下
loc_180007A20这个函数内部被加密了,猜测是对token1的解密过程,然后通过WriteFile写入C:\2024GameSafeRace.token1
中,并不是很像去分析这个函数,直接加载驱动看看能不能直接运行得到2024GameSafeRace.token1文件。
找到下没找到,回头看看CreateFileA函数,核查一下后面几个参数
看来是参数在作怪,CreateFileA函数传入OPEN_EXISTING参数,如果没有指定文件,则函数会返回失败,那也好办,自己创建一个就好了。
C:\2024GameSafeRace.token1成功被写入
010打开找到token1:757F4749AEBB1891EF5AC2A9B5439CEA
token2的寻找就偏简单了,加载驱动后留意一下dbgView的打印信息就可以获取
组合一下就是token2:803f14a24d64f3e697957c252e3a5686
题目要求:
编写程序,运行时修改尽量少的内存,让两段token输出成功。(满分2分)
根据之前分析的token1,我们可以知道程序会在CreateFileA后解密token1然后写入到C:\2024GameSafeRace.token1
中,但是会因为CreateFileA参数OPEN_EXISTING
条件不满足而失败,所以我们只需要修改这个传参,改成OPEN_ALWAYS
,即可实现输出token1,那我们只需要hook CreateFileA
函数修改传参即可,但是有个问题,因为不是hack.exe本身调用CreateFileA
函数,而是hack.exe注入了一个dll到winlogon.exe,然后再winlogon.exe里调用CreateFileA
函数,所以我们可以考虑在注入前修改WriteProcessMemory
函数参数buffer,从而在注入前patch dll,或者编写代码直接注入winlogon.exe,hook CreateFileA函数修改传参,但是考虑到第二种方式可能不被允许,winlogon.exe毕竟是系统进程,题目应该是要我们通过patch dll的方式解题。
这里我们要patch 传参,通过ida找到传参的汇编代码
在winhex里找到对应所在文件偏移
也就是在0x7171处OPEN_EXISTING:0x3是要patch的地方,把这个参数修改成OPEN_ALWAYS:0x4即可。下面编写代码实现。
成功输出token1文件:
然后是token2,既然是内核输出,那只能是在ace.sys里做点手脚,DIE查壳发现ace.sys的大部分代码都被加壳过了,静态代码不好看,只能先猜测token2的输出调用了DbgPrint或者DbgPrintEx,因为之前输出token2的时候开启了Verbose Kernel outPut,猜测之所以正常输出失败是因为DbgPrintEx的level值太低,仅将字符串传递给内核调试器,不执行输出操作。
hook DbgPrintEx函数看一眼传参。
发现加载ace驱动后,有大量的level:5的调试信息输出
也就是说,程序通过设置调试信息的重要级别来控制调试信息是否正常输出,于是可以提高level级别来输出token2,那么最简单的方式就是hook之后修改level后传回去,编写代码hook测试下。
成功输出token2,但是根据题目要求是不能修改系统模块代码的,也就是说hook内核函数的方法不能过这道题,还是得想想别的方法。现在已知的ace.sys的行为就是驱动会在被加载之后做了某些操作会使得系统持续调用DbgPrintEx来输出token2,但是ace.sys其实做了某种操作后就被卸载掉了,如下图所示。
可以想到就是说驱动启动了一个线程或者进程,让该任务持续输出token2,创建完随后再卸载自己并且不停止这个线程或者进程。先枚举进程看看有没有奇怪的进程出现。
结果发现好像没有奇怪的进程被创建出来,那么有可能是驱动利用PsCreateSystemThread
创建了一个内核线程。hookPsCreateSystemThread
函数看看驱动加载时是否调用了这个函数。
发现在token2输出前确实有PsCreateSystemThread函数调用,虽然不确定是不是ace.sys创建的。在windbg里反汇编看看线程函数
导入到ida里看伪代码
好像是做了一个字符串解密然后输出的操作,浅浅用python跑一下解析字符串验证猜想。
打印出了token
基本上确定了这个线程就是打印token的线程,现在就是要想怎么patch这个线程函数使得token能够输出出来。
这里有个mov edx,5
语句,将DbgPrintEx函数的level设置成5,可以考虑patch这个语句,将5改成0,那么只需要patch一个字节,共三处。但是又要怎么patch呢,首先不能通过现在这种方式hook PsCreateSystemThread函数调用来确定StartRoutine地址(题目要求不能修改系统模块代码),也就是说得想另外一个办法确定这个线程的地址,然后通过偏移来确定需要patch的地址。
那么怎么确定这个线程地址呢,如果通过ZwQuerySystemInformation
枚举内核模块然后枚举模块下的所有线程的话,已经卸载了的ace.sys模块还能被枚举到么?问了下GPT好像是不能的,还可以考虑用StartRoutine地址的后几位做特征,匹配所有线程的开始地址的后几位,但是这种方式又感觉怕遇到地址特征一模一样的,感觉还是不大行。又问GPT怎么寻找到某个内核线程,得到答复是除了ZwQuerySystemInformation
枚举,还有通过PsLookupThreadByThreadId
函数从进程id和线程id查找的。
那么线程id和进程id又从哪获取呢?因为之前hook过PsCreateSystemThread函数,翻阅文档找到了一个ClientId参数,这个参数指向接收新线程的客户端标识符的结构,即一个pid,一个tid,但是pid,tid应该都是系统分配的吧,能是一个固定值么?hook一下看看输出
诶,tid貌似是系统分配的,但是pid一直都是4,很奇怪,pid=4代表的是什么进程呢?之前刚好枚举过进程来找有没有新进程创建,现在正好能派上用场。
貌似是一个系统进程,GPT了一下发现原来如果驱动程序通过内核模式创建系统线程(使用PsCreateSystemThread
),这些线程通常会在系统进程下运行,PID为4。原来如此,驱动程序和进程是一个级别的,但是驱动程序创建的这个线程是在系统进程之下的,而不是属于驱动模块,只是线程起始地址隶属于模块地址空间的,驱动卸载并不影响线程的运行。
这样的话,我们要找的线程因为模块被卸载了,所以它不在所有模块地址空间内,只要枚举所有系统进程pid=4下的所有线程,然后通过判断线程的起始地址是否在所有模块地址之内,即可判断它是否是我们要找的线程。这下思路就通了,开始编写代码实现patch。
成功输出token2
题目要求:
编写程序,运行时修改尽量少的内存,让shellcode 往自行指定的位置写入token1成功。(满分3分)
要求任意位置,也就是要修改CreateFileA函数的第一个参数的值,根据之前分析的C:\2024GameSafeRace.token1
字符串是由十六进制异或得到的,也就是下面这些
可以考虑的是patch这些十六进制数据,把异或的key改成0,然后密文改成明文即可,因为明文异或0还是明文,但是考虑到要尽量修改少量的内存,我们最好还是保持key不变,自定义密文解密到我们所要的文件地址。跑个python脚本解出新的密文,得到新的密文,接着找到密文所在文件的偏移然后patch即可,给出解题代码。
注入hook成功后,成功在桌面的flag.txt
输出token1
#include "pch.h"
#include <windows.h>
#include <shellapi.h>
#include <detours.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"detours.lib")
#define _KDEBUG
#define DBGMGEBOX(fmt, ...) \
do
{ \
\
wsprintfA(out, fmt, __VA_ARGS__); \
MessageBoxA(NULL, out,
"提示"
, MB_OK); \
}
while
(0)
char
out[100];
typedef
BOOL
(WINAPI* WriteProcessMemory_t)(
_In_
HANDLE
hProcess,
_In_
LPVOID
lpBaseAddress,
_In_reads_bytes_(nSize)
LPCVOID
lpBuffer,
_In_
SIZE_T
nSize,
_Out_opt_
SIZE_T
* lpNumberOfBytesWritten
);
WriteProcessMemory_t TrueWriteProcessMemory = NULL;
BOOL
WINAPI
HookWriteProcessMemory(
_In_
HANDLE
hProcess,
_In_
LPVOID
lpBaseAddress,
_In_reads_bytes_(nSize)
LPCVOID
lpBuffer,
_In_
SIZE_T
nSize,
_Out_opt_
SIZE_T
* lpNumberOfBytesWritten
)
{
char
fileName[12] = { 0 };
sprintf
(fileName,
"out%d.txt"
, (
int
)hProcess % 1000);
HANDLE
hFile = CreateFile(fileName, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if
(hFile == INVALID_HANDLE_VALUE)
{
DBGMGEBOX(
"CreateFile Fail"
);
return
TrueWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}
SetFilePointer(hFile, 0, NULL, FILE_END);
DWORD
bytesWritten;
BOOL
result = WriteFile(hFile, lpBuffer, nSize, &bytesWritten, NULL);
CloseHandle(hFile);
DBGMGEBOX(
"findProcess WriteProcessMemory:%p,size:%d\n"
, hProcess,nSize);
return
TrueWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}
BOOL
APIENTRY DllMain(
HMODULE
hModule,
DWORD
ul_reason_for_call,
LPVOID
lpReserved) {
switch
(ul_reason_for_call) {
case
DLL_PROCESS_ATTACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
TrueWriteProcessMemory = (WriteProcessMemory_t)DetourFindFunction(
"kernel32.dll"
,
"WriteProcessMemory"
);
DetourAttach(&(
PVOID
&)TrueWriteProcessMemory, HookWriteProcessMemory);
DetourTransactionCommit();
break
;
case
DLL_PROCESS_DETACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(
PVOID
&)TrueWriteProcessMemory, HookWriteProcessMemory);
DetourTransactionCommit();
break
;
}
return
TRUE;
}
#include "pch.h"
#include <windows.h>
#include <shellapi.h>
#include <detours.h>
#include <tlhelp32.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"detours.lib")
#define _KDEBUG
#define DBGMGEBOX(fmt, ...) \
do
{ \
\
wsprintfA(out, fmt, __VA_ARGS__); \
MessageBoxA(NULL, out,
"提示"
, MB_OK); \
}
while
(0)
char
out[100];
typedef
BOOL
(WINAPI* WriteProcessMemory_t)(
_In_
HANDLE
hProcess,
_In_
LPVOID
lpBaseAddress,
_In_reads_bytes_(nSize)
LPCVOID
lpBuffer,
_In_
SIZE_T
nSize,
_Out_opt_
SIZE_T
* lpNumberOfBytesWritten
);
WriteProcessMemory_t TrueWriteProcessMemory = NULL;
BOOL
WINAPI
HookWriteProcessMemory(
_In_
HANDLE
hProcess,
_In_
LPVOID
lpBaseAddress,
_In_reads_bytes_(nSize)
LPCVOID
lpBuffer,
_In_
SIZE_T
nSize,
_Out_opt_
SIZE_T
* lpNumberOfBytesWritten
)
{
char
fileName[12] = { 0 };
sprintf
(fileName,
"out%d.txt"
, (
int
)hProcess % 1000);
HANDLE
hFile = CreateFile(fileName, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if
(hFile == INVALID_HANDLE_VALUE)
{
DBGMGEBOX(
"CreateFile Fail"
);
return
TrueWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}
SetFilePointer(hFile, 0, NULL, FILE_END);
DWORD
bytesWritten;
BOOL
result = WriteFile(hFile, lpBuffer, nSize, &bytesWritten, NULL);
CloseHandle(hFile);
DBGMGEBOX(
"findProcess WriteProcessMemory:%p,size:%d\n"
, hProcess,nSize);
return
TrueWriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten);
}
BOOL
APIENTRY DllMain(
HMODULE
hModule,
DWORD
ul_reason_for_call,
LPVOID
lpReserved) {
switch
(ul_reason_for_call) {
case
DLL_PROCESS_ATTACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
TrueWriteProcessMemory = (WriteProcessMemory_t)DetourFindFunction(
"kernel32.dll"
,
"WriteProcessMemory"
);
DetourAttach(&(
PVOID
&)TrueWriteProcessMemory, HookWriteProcessMemory);
DetourTransactionCommit();
break
;
case
DLL_PROCESS_DETACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(
PVOID
&)TrueWriteProcessMemory, HookWriteProcessMemory);
DetourTransactionCommit();
break
;
}
return
TRUE;
}
__int64
__fastcall sub_1800063D0(_DWORD *Dst,
DWORD
dwProcessId)
{
__m128i si128;
__m128i v6;
__int64
result;
__m128i v10;
size_t
v14;
__int64
v15;
int
v16;
HANDLE
Toolhelp32Snapshot;
HANDLE
v18;
__int64
v21;
CHAR
Caption[16];
_RBP = (unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64;
if
( !dwProcessId )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)_RBP = 0xE795A71250E2465Aui64;
si128 = _mm_load_si128((
const
__m128i *)_RBP);
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xE795A7603F90341Fui64;
v6 = _mm_xor_si128(si128, *(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0x84FAD5301FE45158ui64;
*(__m128i *)_RBP = v6;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xBF19D3ADD5D97A59ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xBD1C9CA3F4C12EC9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xA727C05763438E84ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
MessageBoxA(0i64, (
LPCSTR
)(_RBP + 32), (
LPCSTR
)((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64), 0);
LABEL_3:
GetLastError();
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xE795A7603F90341Fui64;
*(_QWORD *)_RBP = 0x88D6871250E2465Aui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = 0xC65BF98DB9906C58ui64;
*(__m128i *)_RBP = _mm_xor_si128(
_mm_load_si128((
const
__m128i *)_RBP),
*(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20));
return
sub_180006A00((
void
*)((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64));
}
if
( !(unsigned
__int8
)sub_180006FC0() )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x48) = 0x44F651D568826090i64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C0) = 0x52C9FCDC77FF5FC3i64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xDDD2E92971C27548ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xA43EB7C9E8CF4E1Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xA62FD5B4C980079Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xD55585772756849Aui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x40) = 0x52C9FCDC7DDE2DACi64;
v10 = _mm_load_si128((
const
__m128i *)(_RBP + 64));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C8) = 0x44F651D568826090i64;
_XMM2 = _mm_xor_si128(v10, *(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C0));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa [rbp+210h+var_1D0], xmm2
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
sub_180006A00((
void
*)(_RBP + 32));
}
v14 = -1i64;
if
( dwProcessId == -1 )
{
Dst[34] = GetCurrentProcessId();
*((_QWORD *)Dst + 13) = -1i64;
}
else
{
Dst[34] = dwProcessId;
v18 = OpenProcess(0x1FFFFFu, 0, dwProcessId);
*((_QWORD *)Dst + 13) = v18;
if
( !v18 )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xA727C0574231E1F6ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0x84FAD53051F54450ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xA92981ACBCD97A59ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xCF59BCC699AA419Bui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
sub_180006A00((
void
*)(_RBP + 32));
goto
LABEL_3;
}
}
Dst[30] = 0x1FFFFF;
v15 = -1i64;
do
++v15;
while
( *((_BYTE *)Dst + v15) );
if
( !v15 )
{
v16 = Dst[34];
Toolhelp32Snapshot = CreateToolhelp32Snapshot(2u, 0);
if
( Toolhelp32Snapshot != (
HANDLE
)-1i64 )
{
*(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x60) = 304;
memset
((
void
*)(_RBP + 100), 0, 0x12Cui64);
if
( Process32First(Toolhelp32Snapshot, (LPPROCESSENTRY32)(_RBP + 96)) )
{
while
( *(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x68) != v16 )
{
if
( !Process32Next(Toolhelp32Snapshot, (LPPROCESSENTRY32)(_RBP + 96)) )
goto
LABEL_20;
}
do
++v14;
while
( *(_BYTE *)(_RBP + 140 + v14) );
memmove
(Dst, (
const
void
*)(_RBP + 140), v14);
}
LABEL_20:
CloseHandle(Toolhelp32Snapshot);
}
}
*((_QWORD *)Dst + 18) = sub_1800068D0(Dst, Dst);
v21 = 0i64;
*(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = Dst[34];
*(_QWORD *)_RBP = 0i64;
EnumWindows(EnumFunc, (unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64);
result = *(_QWORD *)_RBP;
if
( *(_QWORD *)_RBP )
v21 = *(_QWORD *)_RBP;
*((_QWORD *)Dst + 16) = v21;
return
result;
}
__int64
__fastcall sub_1800063D0(_DWORD *Dst,
DWORD
dwProcessId)
{
__m128i si128;
__m128i v6;
__int64
result;
__m128i v10;
size_t
v14;
__int64
v15;
int
v16;
HANDLE
Toolhelp32Snapshot;
HANDLE
v18;
__int64
v21;
CHAR
Caption[16];
_RBP = (unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64;
if
( !dwProcessId )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)_RBP = 0xE795A71250E2465Aui64;
si128 = _mm_load_si128((
const
__m128i *)_RBP);
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xE795A7603F90341Fui64;
v6 = _mm_xor_si128(si128, *(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0x84FAD5301FE45158ui64;
*(__m128i *)_RBP = v6;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xBF19D3ADD5D97A59ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xBD1C9CA3F4C12EC9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xA727C05763438E84ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
MessageBoxA(0i64, (
LPCSTR
)(_RBP + 32), (
LPCSTR
)((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64), 0);
LABEL_3:
GetLastError();
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xE795A7603F90341Fui64;
*(_QWORD *)_RBP = 0x88D6871250E2465Aui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = 0xC65BF98DB9906C58ui64;
*(__m128i *)_RBP = _mm_xor_si128(
_mm_load_si128((
const
__m128i *)_RBP),
*(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20));
return
sub_180006A00((
void
*)((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64));
}
if
( !(unsigned
__int8
)sub_180006FC0() )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x48) = 0x44F651D568826090i64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C0) = 0x52C9FCDC77FF5FC3i64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0xDDD2E92971C27548ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xA43EB7C9E8CF4E1Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xA62FD5B4C980079Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xD55585772756849Aui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x40) = 0x52C9FCDC7DDE2DACi64;
v10 = _mm_load_si128((
const
__m128i *)(_RBP + 64));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C8) = 0x44F651D568826090i64;
_XMM2 = _mm_xor_si128(v10, *(__m128i *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1C0));
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa [rbp+210h+var_1D0], xmm2
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
sub_180006A00((
void
*)(_RBP + 32));
}
v14 = -1i64;
if
( dwProcessId == -1 )
{
Dst[34] = GetCurrentProcessId();
*((_QWORD *)Dst + 13) = -1i64;
}
else
{
Dst[34] = dwProcessId;
v18 = OpenProcess(0x1FFFFFu, 0, dwProcessId);
*((_QWORD *)Dst + 13) = v18;
if
( !v18 )
{
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x38) = 0xA727C0574231E1F6ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x20) = 0x84FAD53051F54450ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A0) = 0xE795A7603F90341Fui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x28) = 0xA92981ACBCD97A59ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x30) = 0xCF59BCC699AA419Bui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1A8) = 0xC65BF3E99CAA093Cui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B0) = 0xCF59BCC699A060E9ui64;
*(_QWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x1B8) = 0xA727C0574231E1F6ui64;
__asm
{
vmovdqu ymm0, [rbp+210h+var_70]
vpxor ymm1, ymm0, ymmword ptr [rbp+210h+Text]
vmovdqa ymmword ptr [rbp+210h+Text], ymm1
vzeroupper
}
sub_180006A00((
void
*)(_RBP + 32));
goto
LABEL_3;
}
}
Dst[30] = 0x1FFFFF;
v15 = -1i64;
do
++v15;
while
( *((_BYTE *)Dst + v15) );
if
( !v15 )
{
v16 = Dst[34];
Toolhelp32Snapshot = CreateToolhelp32Snapshot(2u, 0);
if
( Toolhelp32Snapshot != (
HANDLE
)-1i64 )
{
*(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x60) = 304;
memset
((
void
*)(_RBP + 100), 0, 0x12Cui64);
if
( Process32First(Toolhelp32Snapshot, (LPPROCESSENTRY32)(_RBP + 96)) )
{
while
( *(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 0x68) != v16 )
{
if
( !Process32Next(Toolhelp32Snapshot, (LPPROCESSENTRY32)(_RBP + 96)) )
goto
LABEL_20;
}
do
++v14;
while
( *(_BYTE *)(_RBP + 140 + v14) );
memmove
(Dst, (
const
void
*)(_RBP + 140), v14);
}
LABEL_20:
CloseHandle(Toolhelp32Snapshot);
}
}
*((_QWORD *)Dst + 18) = sub_1800068D0(Dst, Dst);
v21 = 0i64;
*(_DWORD *)(((unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64) + 8) = Dst[34];
*(_QWORD *)_RBP = 0i64;
EnumWindows(EnumFunc, (unsigned
__int64
)Caption & 0xFFFFFFFFFFFFFFE0ui64);
result = *(_QWORD *)_RBP;
if
( *(_QWORD *)_RBP )
v21 = *(_QWORD *)_RBP;
*((_QWORD *)Dst + 16) = v21;
return
result;
}
int
sub_180001990()
{
size_t
v0;
DWORD
v1;
__m128i Dst;
__int64
v4;
__int64
v5;
__m128i Src;
Dst.m128i_i64[0] = 0xE795A7603F90341Fui64;
Dst.m128i_i64[1] = 0xC65BF3E99CAA093Cui64;
Src.m128i_i64[0] = 0x89FAC00F53FE5D68ui64;
Src.m128i_i64[1] = 0xC65BF3E9F9D26C12ui64;
Src = _mm_xor_si128(_mm_load_si128(&Src), Dst);
v0 = -1i64;
do
++v0;
while
( Src.m128i_i8[v0] );
memmove
(dword_1800349A0, &Src, v0);
Dst.m128i_i64[0] = 0i64;
v4 = 0i64;
v5 = 15i64;
sub_180004770(&Dst, &Src, v0);
v1 = sub_1800070A0(&Dst);
sub_1800063D0(dword_1800349A0, v1);
return
atexit
(sub_180020C90);
}
int
sub_180001990()
{
size_t
v0;
DWORD
v1;
__m128i Dst;
__int64
v4;
__int64
v5;
__m128i Src;
Dst.m128i_i64[0] = 0xE795A7603F90341Fui64;
Dst.m128i_i64[1] = 0xC65BF3E99CAA093Cui64;
Src.m128i_i64[0] = 0x89FAC00F53FE5D68ui64;
Src.m128i_i64[1] = 0xC65BF3E9F9D26C12ui64;
Src = _mm_xor_si128(_mm_load_si128(&Src), Dst);
v0 = -1i64;
do
++v0;
while
( Src.m128i_i8[v0] );
memmove
(dword_1800349A0, &Src, v0);
Dst.m128i_i64[0] = 0i64;
v4 = 0i64;
v5 = 15i64;
sub_180004770(&Dst, &Src, v0);
v1 = sub_1800070A0(&Dst);
sub_1800063D0(dword_1800349A0, v1);
return
atexit
(sub_180020C90);
}
def
hex_xor_to_string(a, b):
result
=
a ^ b
hex_str
=
hex
(result)[
2
:]
if
len
(hex_str)
%
2
!
=
0
:
hex_str
=
'0'
+
hex_str
result_str
=
''.join(
chr
(
int
(hex_str[i:i
+
2
],
16
))
for
i
in
range
(
0
,
len
(hex_str),
2
))
return
result_str
x1
=
0xE795A7603F90341F
x2
=
0xC65BF3E99CAA093C
y1
=
0x89FAC00F53FE5D68
y2
=
0xC65BF3E9F9D26C12
result1
=
hex_xor_to_string(x1, y1)
result2
=
hex_xor_to_string(x2, y2)
print
(
"Result 1:"
, result1)
print
(
"Result 2:"
, result2)
def
hex_xor_to_string(a, b):
result
=
a ^ b
hex_str
=
hex
(result)[
2
:]
if
len
(hex_str)
%
2
!
=
0
:
hex_str
=
'0'
+
hex_str
result_str
=
''.join(
chr
(
int
(hex_str[i:i
+
2
],
16
))
for
i
in
range
(
0
,
len
(hex_str),
2
))
return
result_str
x1
=
0xE795A7603F90341F
[峰会]看雪.第八届安全开发者峰会10月23日上海龙之梦大酒店举办!