[原创]看雪 2025·KCTF 第十题 涅槃,亦是新生
发表于: 2025-9-3 15:33 2972
静态分析的时候发现了很多关于0o这样的字符串

其中还利用了zlib1.dll这个动态链接库,但是我给几个可疑的函数下了断点之后都没断下来,只能进行动态调试了
根据动态调试可以定位到函数sub_7FF694547A20
我们注意到它是switch分支结构,可以在以下这个地方下个条件断点方便我们打印case的情况

经过运行之后追踪如下:
我们可以发现它调用了3次同样的case
既然是验证的程序肯定有输入的地方,通过对case 0下断点进行调试后发现这个函数输出了以下内容并且还获取我们输入的flag
其中sub_7FF69455EB8E是单个字符输出'F' 'l' 'a' 'g' ':',sub_7FF6944F90E0是输出了字符串
我们发现case 1,2,3都是起设置跳转的作用,其中*(int *)(a1 + 4708)是个全局变量,应该是用来设置次数的
经过分析与trace可知加密函数应该是在case 5、case 6、case 8、case 7、case 9中
首先设置了128个字节的0x2,经过动调测试它是读取了16个字节并且拓展为了128个字节,其实就是把单字节转化为二进制,然后每个二进制位都作为一个字节写入内存中,其中0x0->0x2 0x1->0x3
这一部分貌似是一种多线程对我们经过拓展后的字节进行处理,反正单步调试得很懵逼,但是这并不影响咱们之后的逻辑分析
*(_DWORD *)(a1 + 4576)同样作为全局变量也是计数
这个case就是将我们处理之后的结果与固定的加密数据进行比较
case4就是我们的check,其实它就是设置了v13这个布尔值来判断我们前面case9中的全局变量是否为42,如果为42就输出Correct!,否则就输出Wrong
由于我们最后的check逻辑可以得到我们的flag的长度为42,并且加密逻辑为字节拓展->一些其它的处理->对16字节加密完的结果进行check,如果正确就存到全局变量里面,然后最后再进行判断。
一开始我以为是单字节加密,但是测试之后发现并不完全是,它会影响相邻字节。我选择插桩的做法,由于Windows平台并没有pintools这样的插桩工具,我们可以使用Frida进行测试。
我们选择以下这个位置进行插桩:
frida脚本:
效果如下:

然后我们就可以利用subprocess+frida写个rpc脚本进行爆破,这个字符集是经过测试之后写的,差不多10分钟就可以爆破完。
这个方法是之前做题的时候没有试出来的方法(主要是字节patch的时候多加了空格结果没有patch成功 QWQ),就是在case4的地方直接进行patch,从而能让验证正确的长度打印出来,进而进行逐个单字节爆破。
将case4的前面patch成下面这样
实现效果如下:

利用subprocess或者pwntools这类交互式方式进行逐字节爆破,速度比上面的rpc脚本更快
char __fastcall sub_7FF694547A20(__int64 a1){ n3 = *(_DWORD *)(a1 + 4536); v2 = a1 + 2240; while ( 2 ) { switch ( n3 )......char __fastcall sub_7FF694547A20(__int64 a1){ n3 = *(_DWORD *)(a1 + 4536); v2 = a1 + 2240; while ( 2 ) { switch ( n3 ).......text:00007FF694547A80 mov eax, [rsp+0A18h+var_9EC].text:00007FF694547A84 cmp rax, 0Ah ; switch 11 cases.text:00007FF694547A80 mov eax, [rsp+0A18h+var_9EC].text:00007FF694547A84 cmp rax, 0Ah ; switch 11 casescase:0case:1case:2case:3case:5case:6case:8case:7case:9case:3case:5case:6case:8case:7case:9case:3case:5case:6case:8case:7case:9case:3case:4case:0case:1case:2case:3case:5case:6case:8case:7case:9case:3case:5case:6case:8case:7case:9case:3case:5case:6case:8case:7case:9case:3case:4case:6case:8case:7case:9case:6case:8case:7case:9KCTF 2025Flag:KCTF 2025Flag:case 0: v206 = sub_7FF694553196(); v202 = (_QWORD *)(a1 + 4560); v203[0] = *(_QWORD *)(a1 + 4560); v296 = &unk_7FF6945B8768; v269[0] = &unk_7FF6945B8768; v269[1] = &unk_7FF6945B8758; v203[1] = v269; v204 = 0; v235 = 0; v205 = 0; sub_7FF6944F9E70(v203); *v202 = v203[0]; sub_7FF6945531EA(v206); v201 = sub_7FF694553196(); v197 = (_QWORD *)(a1 + 4560); v198[0] = *(_QWORD *)(a1 + 4560); v295 = &unk_7FF6945B87E8; v268[0] = &unk_7FF6945B87E8; v268[1] = &unk_7FF6945B87D8; v198[1] = v268; v199 = 0; v234 = 0; v200 = 0; sub_7FF6944F9E70(v198); *v197 = v198[0]; sub_7FF6945531EA(v201); v196 = sub_7FF694553196(); v192 = (_QWORD *)(a1 + 4560); v193[0] = *(_QWORD *)(a1 + 4560); v294 = &unk_7FF6945B8968; v267[0] = &unk_7FF6945B8968; v267[1] = &unk_7FF6945B8958; v193[1] = v267; v194 = 0; v233 = 0; v195 = 0; sub_7FF6944F9E70(v193); *v192 = v193[0]; sub_7FF6945531EA(v196); v191 = sub_7FF694553196(); v187 = (_QWORD *)(a1 + 4560); v188[0] = *(_QWORD *)(a1 + 4560); v293 = &unk_7FF6945B8908; v266[0] = &unk_7FF6945B8908; v266[1] = &unk_7FF6945B88F8; v188[1] = v266; v189 = 0; v232 = 0; v190 = 0; sub_7FF6944F9E70(v188); *v187 = v188[0]; sub_7FF6945531EA(v191); v186 = sub_7FF694553196(); v182 = 
(_QWORD *)(a1 + 4560); v183[0] = *(_QWORD *)(a1 + 4560); v292 = &unk_7FF6945B87A8; v265[0] = &unk_7FF6945B87A8; v265[1] = &unk_7FF6945B8798; v183[1] = v265; v184 = 0; v231 = 0; v185 = 0; sub_7FF6944F9E70(v183); *v182 = v183[0]; sub_7FF6945531EA(v186); v181 = sub_7FF694553196(); v177 = (_QWORD *)(a1 + 4560); v178[0] = *(_QWORD *)(a1 + 4560); v291 = &unk_7FF6945B8728; v264[0] = &unk_7FF6945B8728; v264[1] = &unk_7FF6945B8718; v178[1] = v264; v179 = 0; v230 = 0; v180 = 0; sub_7FF6944F9E70(v178); *v177 = v178[0]; sub_7FF6945531EA(v181); v176 = sub_7FF694553196(); v172 = (_QWORD *)(a1 + 4560); v173[0] = *(_QWORD *)(a1 + 4560); v290 = &unk_7FF6945B87C8; v263[0] = &unk_7FF6945B87C8; v263[1] = &unk_7FF6945B87B8; v173[1] = v263; v174 = 0; v229 = 0; v175 = 0; sub_7FF6944F9E70(v173); *v172 = v173[0]; sub_7FF6945531EA(v176); v171 = sub_7FF694553196(); v167 = (_QWORD *)(a1 + 4560); v168[0] = *(_QWORD *)(a1 + 4560); v289 = &unk_7FF6945B8728; v262[0] = &unk_7FF6945B8728; v262[1] = &unk_7FF6945B8718; v168[1] = v262; v169 = 0; v228 = 0; v170 = 0; sub_7FF6944F9E70(v168); *v167 = v168[0]; sub_7FF6945531EA(v171); v166 = sub_7FF694553196(); v162 = (_QWORD *)(a1 + 4560); v163[0] = *(_QWORD *)(a1 + 4560); v288 = &unk_7FF6945B8828; v261[0] = &unk_7FF6945B8828; v261[1] = &unk_7FF6945B8818; v163[1] = v261; v164 = 0; v227 = 0; v165 = 0; sub_7FF6944F9E70(v163); *v162 = v163[0]; sub_7FF6945531EA(v166); v161 = sub_7FF694553196(); v159 = dword_7FF6945D905C; v158 = (_QWORD *)(a1 + 4560); v160 = *(_QWORD *)(a1 + 4560); sub_7FF6944F90E0(&v159); *v158 = v160; sub_7FF6945531EA(v161); v287 = &unk_7FF6945B8908; v260[0] = &unk_7FF6945B8908; v260[1] = &unk_7FF6945B88F8; sub_7FF69455EB8E(dword_7FF6945D905C, v260);// 单个字符输出Flag: v286 = &unk_7FF6945B88A8; v259[0] = &unk_7FF6945B88A8; v259[1] = &unk_7FF6945B8898; sub_7FF69455EB8E(dword_7FF6945D905C, v259); v285 = &unk_7FF6945B88C8; v258[0] = &unk_7FF6945B88C8; v258[1] = &unk_7FF6945B88B8; sub_7FF69455EB8E(dword_7FF6945D905C, v258); v284 = &unk_7FF6945B8788; 
v257[0] = &unk_7FF6945B8788; v257[1] = &unk_7FF6945B8778; sub_7FF69455EB8E(dword_7FF6945D905C, v257); v283 = &unk_7FF6945B8948; v256[0] = &unk_7FF6945B8948; v256[1] = &unk_7FF6945B8938; sub_7FF69455EB8E(dword_7FF6945D905C, v256); v157 = sub_7FF694553196(); v155 = *(_DWORD *)&byte_7FF6945D9058; v154 = (_QWORD *)(a1 + 4544); v156 = *(_QWORD *)(a1 + 4544); sub_7FF6944F2000(&v155); // 获取输入的flag *v154 = v156; sub_7FF6945531EA(v157); v282 = *(_QWORD *)(a1 + 4544); v281 = v282; v280 = v282 + 16; n42 = *(_DWORD *)(v282 + 12); *(_DWORD *)(a1 + 4712) = n42; *(_BYTE *)(a1 + 4716) = n42 == 42; *(_DWORD *)(a1 + 4576) = 0; *(_DWORD *)(a1 + 4708) = 0; v26 = *(_BYTE **)(a1 + 32); v153 = (_BYTE *)(a1 + 4717); *(_BYTE *)(a1 + 4717) = 3; if ( v26[42] == 1 || *v26 != *v153 ) sub_7FF694556FDC((__int64)v26); result = sub_7FF694553688(20000000LL, (__int64)"OoooOooooOOoO", 0x83u); *(_DWORD *)(a1 + 4536) = 1; return result;case 0: v206 = sub_7FF694553196(); v202 = (_QWORD *)(a1 + 4560); v203[0] = *(_QWORD *)(a1 + 4560); v296 = &unk_7FF6945B8768; v269[0] = &unk_7FF6945B8768; v269[1] = &unk_7FF6945B8758; v203[1] = v269; v204 = 0; v235 = 0; v205 = 0; sub_7FF6944F9E70(v203); *v202 = v203[0]; sub_7FF6945531EA(v206); v201 = sub_7FF694553196(); v197 = (_QWORD *)(a1 + 4560); v198[0] = *(_QWORD *)(a1 + 4560); v295 = &unk_7FF6945B87E8; v268[0] = &unk_7FF6945B87E8; v268[1] = &unk_7FF6945B87D8; v198[1] = v268; v199 = 0; v234 = 0; v200 = 0; sub_7FF6944F9E70(v198); *v197 = v198[0]; sub_7FF6945531EA(v201); v196 = sub_7FF694553196(); v192 = (_QWORD *)(a1 + 4560); v193[0] = *(_QWORD *)(a1 + 4560); v294 = &unk_7FF6945B8968; v267[0] = &unk_7FF6945B8968; v267[1] = &unk_7FF6945B8958; v193[1] = v267; v194 = 0; v233 = 0; v195 = 0; sub_7FF6944F9E70(v193); *v192 = v193[0]; sub_7FF6945531EA(v196); v191 = sub_7FF694553196(); v187 = (_QWORD *)(a1 + 4560); v188[0] = *(_QWORD *)(a1 + 4560); v293 = &unk_7FF6945B8908; v266[0] = &unk_7FF6945B8908; v266[1] = &unk_7FF6945B88F8; v188[1] = v266; v189 = 0; v232 = 0; v190 = 0; 
sub_7FF6944F9E70(v188); *v187 = v188[0]; sub_7FF6945531EA(v191); v186 = sub_7FF694553196(); v182 = (_QWORD *)(a1 + 4560); v183[0] = *(_QWORD *)(a1 + 4560); v292 = &unk_7FF6945B87A8; v265[0] = &unk_7FF6945B87A8; v265[1] = &unk_7FF6945B8798; v183[1] = v265; v184 = 0; v231 = 0; v185 = 0; sub_7FF6944F9E70(v183); *v182 = v183[0]; sub_7FF6945531EA(v186); v181 = sub_7FF694553196(); v177 = (_QWORD *)(a1 + 4560); v178[0] = *(_QWORD *)(a1 + 4560); v291 = &unk_7FF6945B8728; v264[0] = &unk_7FF6945B8728; v264[1] = &unk_7FF6945B8718; v178[1] = v264; v179 = 0; v230 = 0; v180 = 0; sub_7FF6944F9E70(v178); *v177 = v178[0]; sub_7FF6945531EA(v181); v176 = sub_7FF694553196(); v172 = (_QWORD *)(a1 + 4560); v173[0] = *(_QWORD *)(a1 + 4560); v290 = &unk_7FF6945B87C8; v263[0] = &unk_7FF6945B87C8; v263[1] = &unk_7FF6945B87B8; v173[1] = v263; v174 = 0; v229 = 0; v175 = 0; sub_7FF6944F9E70(v173); *v172 = v173[0]; sub_7FF6945531EA(v176); v171 = sub_7FF694553196(); v167 = (_QWORD *)(a1 + 4560); v168[0] = *(_QWORD *)(a1 + 4560); v289 = &unk_7FF6945B8728; v262[0] = &unk_7FF6945B8728; v262[1] = &unk_7FF6945B8718; v168[1] = v262; v169 = 0; v228 = 0; v170 = 0; sub_7FF6944F9E70(v168); *v167 = v168[0]; sub_7FF6945531EA(v171); v166 = sub_7FF694553196(); v162 = (_QWORD *)(a1 + 4560); v163[0] = *(_QWORD *)(a1 + 4560); v288 = &unk_7FF6945B8828; v261[0] = &unk_7FF6945B8828; v261[1] = &unk_7FF6945B8818; v163[1] = v261; v164 = 0; v227 = 0; v165 = 0; sub_7FF6944F9E70(v163); *v162 = v163[0]; sub_7FF6945531EA(v166); v161 = sub_7FF694553196(); v159 = dword_7FF6945D905C; v158 = (_QWORD *)(a1 + 4560); v160 = *(_QWORD *)(a1 + 4560); sub_7FF6944F90E0(&v159); *v158 = v160; sub_7FF6945531EA(v161); v287 = &unk_7FF6945B8908; v260[0] = &unk_7FF6945B8908; v260[1] = &unk_7FF6945B88F8; sub_7FF69455EB8E(dword_7FF6945D905C, v260);// 单个字符输出Flag: v286 = &unk_7FF6945B88A8; v259[0] = &unk_7FF6945B88A8; v259[1] = &unk_7FF6945B8898; sub_7FF69455EB8E(dword_7FF6945D905C, v259); v285 = &unk_7FF6945B88C8; v258[0] = &unk_7FF6945B88C8; 
v258[1] = &unk_7FF6945B88B8; sub_7FF69455EB8E(dword_7FF6945D905C, v258); v284 = &unk_7FF6945B8788; v257[0] = &unk_7FF6945B8788; v257[1] = &unk_7FF6945B8778; sub_7FF69455EB8E(dword_7FF6945D905C, v257); v283 = &unk_7FF6945B8948; v256[0] = &unk_7FF6945B8948; v256[1] = &unk_7FF6945B8938; sub_7FF69455EB8E(dword_7FF6945D905C, v256); v157 = sub_7FF694553196(); v155 = *(_DWORD *)&byte_7FF6945D9058; v154 = (_QWORD *)(a1 + 4544); v156 = *(_QWORD *)(a1 + 4544); sub_7FF6944F2000(&v155); // 获取输入的flag *v154 = v156; sub_7FF6945531EA(v157); v282 = *(_QWORD *)(a1 + 4544); v281 = v282; v280 = v282 + 16; n42 = *(_DWORD *)(v282 + 12); *(_DWORD *)(a1 + 4712) = n42; *(_BYTE *)(a1 + 4716) = n42 == 42; *(_DWORD *)(a1 + 4576) = 0; *(_DWORD *)(a1 + 4708) = 0; v26 = *(_BYTE **)(a1 + 32); v153 = (_BYTE *)(a1 + 4717); *(_BYTE *)(a1 + 4717) = 3; if ( v26[42] == 1 || *v26 != *v153 ) sub_7FF694556FDC((__int64)v26); result = sub_7FF694553688(20000000LL, (__int64)"OoooOooooOOoO", 0x83u); *(_DWORD *)(a1 + 4536) = 1; return result;case 1: v25 = *(_BYTE **)(a1 + 32); v152 = (_BYTE *)(a1 + 4717); *(_BYTE *)(a1 + 4717) = 2; if ( v25[42] == 1 || *v25 != *v152 ) sub_7FF694556FDC((__int64)v25); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x85u); *(_DWORD *)(a1 + 4536) = 2; return result; case 2: n3 = 3; continue; case 3: if ( *(int *)(a1 + 4708) > 41 ) n3 = 4; else n3 = 5; continue;case 1: v25 = *(_BYTE **)(a1 + 32); v152 = (_BYTE *)(a1 + 4717); *(_BYTE *)(a1 + 4717) = 2; if ( v25[42] == 1 || *v25 != *v152 ) sub_7FF694556FDC((__int64)v25); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x85u); *(_DWORD *)(a1 + 4536) = 2; return result; case 2: n3 = 3; continue; case 3: if ( *(int *)(a1 + 4708) > 41 ) n3 = 4; else n3 = 5; continue;case 5: v151 = a1 + 4580; for ( i = 0; i != 128; ++i ) *(_BYTE *)(v151 + i) = 2; n15 = 0; v40 = (_QWORD *)(a1 + 4544); v39 = (_BYTE *)(a1 + 4568); while ( 1 ) { if ( n15 + *(_DWORD *)(a1 + 4708) >= *(_DWORD *)(a1 + 4712) ) { v136 = v30; v30[0] 
= 127 - 8 * n15; v30[1] = 120 - 8 * n15; v31 = 1; n8 = 8; p_Size_1 = &Size_1; sub_7FF6944FCB30(&Size_1); v135 = a1 + 4580; v134 = &unk_7FF6945B8978; v133 = v30; if ( n8 ) { v4 = *v134 - *v133 < 0; v8 = *v134 - *v133; v223 = v8; v20 = v8; if ( v4 || (unsigned int)(v133[3] + v8) > v134[3] ) sub_7FF694560D6C("OoooOooooOOoO", 147LL); } else { v20 = 0; } v11 = (void *)(v135 + v20); if ( n8 != 8 ) sub_7FF694560D6C("OoooOooooOOoO", 147LL); v272 = v11; memmove_func(v11, &unk_7FF6945B99F8, (unsigned int)Size_1); } else { v150 = sub_7FF694553196(); v149 = v40; v33 = *(_QWORD *)(a1 + 4544); v148 = v39; v34 = 0; sub_7FF6944F3A20(&v33); *v149 = v33; *v148 = v34; sub_7FF6945531EA(v150); v226 = *(unsigned __int8 *)(a1 + 4568); *(_DWORD *)(a1 + 4572) = v226; v147 = v36; v36[0] = 127 - 8 * n15; v36[1] = 120 - 8 * n15; v37 = 1; n8_1 = 8; p_Size = &Size; sub_7FF6944FCB30(&Size); v146 = a1 + 4580; v145 = &unk_7FF6945B8978; v144 = v36; if ( n8_1 ) { v4 = *v145 - *v144 < 0; v7 = *v145 - *v144; v225 = v7; v21 = v7; if ( v4 || (unsigned int)(v144[3] + v7) > v145[3] ) sub_7FF694560D6C("OoooOooooOOoO", 143LL); } else { v21 = 0; } v9 = (void *)(v146 + v21); v143 = sub_7FF694553196(); v28 = *(_DWORD *)(a1 + 4572); if ( v28 < 0 ) sub_7FF694560D6C("OoooOooooOOoO", 144LL); n8_2 = 8; sub_7FF694534310(&v254, v28, 8); // byte -> bin 0->2 1->3 v278 = &v254; v252 = v254; v253 = v140; v277 = v255; v139 = v140; v138 = v255; v140[0] = *(_DWORD *)v255; v140[1] = *(_DWORD *)(v255 + 4); v141 = *(_BYTE *)(v255 + 8); v142 = *(_DWORD *)(v255 + 12); v137 = (const void **)&v252; while ( 1 ) { v276 = v253; v275 = v36; if ( v253[3] == n8_1 ) break; sub_7FF694560D6C("OoooOooooOOoO", 144LL); } v10 = *v137; v274 = v9; memmove_func(v9, v10, (unsigned int)Size); sub_7FF6945531EA(v143); } if ( n15 == 15 ) break; ++n15; } v132 = a1 + 4580; v131 = a1 + 64; for ( j = 0; (unsigned int)j < 128; ++j ) { v24 = *(_BYTE **)(v131 + 8LL * j); v130 = (_BYTE *)(a1 + 4718 + j); *v130 = *(_BYTE *)(v132 + j); if ( v24[42] == 1 || *v24 
!= *v130 ) sub_7FF694556FDC((__int64)v24); } v23 = *(_BYTE **)(a1 + 48); v129 = (_BYTE *)(a1 + 4846); *(_BYTE *)(a1 + 4846) = 3; if ( v23[42] || *v23 != *v129 ) sub_7FF694556FDC((__int64)v23); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x9Au); *(_DWORD *)(a1 + 4536) = 6; return result;case 5: v151 = a1 + 4580; for ( i = 0; i != 128; ++i ) *(_BYTE *)(v151 + i) = 2; n15 = 0; v40 = (_QWORD *)(a1 + 4544); v39 = (_BYTE *)(a1 + 4568); while ( 1 ) { if ( n15 + *(_DWORD *)(a1 + 4708) >= *(_DWORD *)(a1 + 4712) ) { v136 = v30; v30[0] = 127 - 8 * n15; v30[1] = 120 - 8 * n15; v31 = 1; n8 = 8; p_Size_1 = &Size_1; sub_7FF6944FCB30(&Size_1); v135 = a1 + 4580; v134 = &unk_7FF6945B8978; v133 = v30; if ( n8 ) { v4 = *v134 - *v133 < 0; v8 = *v134 - *v133; v223 = v8; v20 = v8; if ( v4 || (unsigned int)(v133[3] + v8) > v134[3] ) sub_7FF694560D6C("OoooOooooOOoO", 147LL); } else { v20 = 0; } v11 = (void *)(v135 + v20); if ( n8 != 8 ) sub_7FF694560D6C("OoooOooooOOoO", 147LL); v272 = v11; memmove_func(v11, &unk_7FF6945B99F8, (unsigned int)Size_1); } else { v150 = sub_7FF694553196(); v149 = v40; v33 = *(_QWORD *)(a1 + 4544); v148 = v39; v34 = 0; sub_7FF6944F3A20(&v33); *v149 = v33; *v148 = v34; sub_7FF6945531EA(v150); v226 = *(unsigned __int8 *)(a1 + 4568); *(_DWORD *)(a1 + 4572) = v226; v147 = v36; v36[0] = 127 - 8 * n15; v36[1] = 120 - 8 * n15; v37 = 1; n8_1 = 8; p_Size = &Size; sub_7FF6944FCB30(&Size); v146 = a1 + 4580; v145 = &unk_7FF6945B8978; v144 = v36; if ( n8_1 ) { v4 = *v145 - *v144 < 0; v7 = *v145 - *v144; v225 = v7; v21 = v7; if ( v4 || (unsigned int)(v144[3] + v7) > v145[3] ) sub_7FF694560D6C("OoooOooooOOoO", 143LL); } else { v21 = 0; } v9 = (void *)(v146 + v21); v143 = sub_7FF694553196(); v28 = *(_DWORD *)(a1 + 4572); if ( v28 < 0 ) sub_7FF694560D6C("OoooOooooOOoO", 144LL); n8_2 = 8; sub_7FF694534310(&v254, v28, 8); // byte -> bin 0->2 1->3 v278 = &v254; v252 = v254; v253 = v140; v277 = v255; v139 = v140; v138 = v255; v140[0] = *(_DWORD *)v255; v140[1] = 
*(_DWORD *)(v255 + 4); v141 = *(_BYTE *)(v255 + 8); v142 = *(_DWORD *)(v255 + 12); v137 = (const void **)&v252; while ( 1 ) { v276 = v253; v275 = v36; if ( v253[3] == n8_1 ) break; sub_7FF694560D6C("OoooOooooOOoO", 144LL); } v10 = *v137; v274 = v9; memmove_func(v9, v10, (unsigned int)Size); sub_7FF6945531EA(v143); } if ( n15 == 15 ) break; ++n15; } v132 = a1 + 4580; v131 = a1 + 64; for ( j = 0; (unsigned int)j < 128; ++j ) { v24 = *(_BYTE **)(v131 + 8LL * j); v130 = (_BYTE *)(a1 + 4718 + j); *v130 = *(_BYTE *)(v132 + j); if ( v24[42] == 1 || *v24 != *v130 ) sub_7FF694556FDC((__int64)v24); } v23 = *(_BYTE **)(a1 + 48); v129 = (_BYTE *)(a1 + 4846); *(_BYTE *)(a1 + 4846) = 3; if ( v23[42] || *v23 != *v129 ) sub_7FF694556FDC((__int64)v23); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x9Au); *(_DWORD *)(a1 + 4536) = 6; return result;case 6: v22 = *(_BYTE **)(a1 + 48); v128 = (_BYTE *)(a1 + 4846); *(_BYTE *)(a1 + 4846) = 2; if ( v22[42] == 1 || *v22 != *v128 ) sub_7FF694556FDC((__int64)v22); sub_7FF694553224(*(_QWORD *)(a1 + 2368)); result = sub_7FF69455340A(); goto LABEL_88; case 7: sub_7FF69455345C(); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x9Fu); *(_DWORD *)(a1 + 4536) = 9; return result; case 8: result = sub_7FF6945533DE(); if ( (result & 1) != 0 ) { n3 = 7; continue; } if ( *(_BYTE *)(a1 + 2376) == 3 ) { n3 = 7; continue; }LABEL_88: *(_DWORD *)(a1 + 4536) = 8; return result;case 6: v22 = *(_BYTE **)(a1 + 48); v128 = (_BYTE *)(a1 + 4846); *(_BYTE *)(a1 + 4846) = 2; if ( v22[42] == 1 || *v22 != *v128 ) sub_7FF694556FDC((__int64)v22); sub_7FF694553224(*(_QWORD *)(a1 + 2368)); result = sub_7FF69455340A(); goto LABEL_88; case 7: sub_7FF69455345C(); result = sub_7FF694553688(10000000LL, (__int64)"OoooOooooOOoO", 0x9Fu); *(_DWORD *)(a1 + 4536) = 9; return result; case 8: result = sub_7FF6945533DE(); if ( (result & 1) != 0 ) { n3 = 7; continue; } if ( *(_BYTE *)(a1 + 2376) == 3 ) { n3 = 7; continue; }LABEL_88: *(_DWORD *)(a1 + 
4536) = 8; return result;case 9: // cmp 16bytes for ( k = 0; ; ++k ) { if ( k + *(_DWORD *)(a1 + 4708) <= 41 ) { v123 = v125; v125[0] = 127 - 8 * k; v125[1] = 120 - 8 * k; v126 = 1; n8_3 = 8; v122 = v124; sub_7FF6944FCB30(v124); sub_7FF6944FCB40(v124); v121 = v2; v120 = &unk_7FF6945B8678; v119 = v125; if ( n8_3 ) { v4 = *v120 - *v119 < 0; v5 = *v120 - *v119; v222 = v5; v19 = v5; if ( v4 || (unsigned int)(v119[3] + v5) > v120[3] ) sub_7FF694560D6C("OoooOooooOOoO", 165LL); } else { v19 = 0; } v271 = v121 + v19; v251[0] = v271; v251[1] = v125; n0x2F = k + *(_DWORD *)(a1 + 4708); if ( n0x2F > 0x2F ) sub_7FF694560EB2("OoooOooooOOoO", 165LL, n0x2F, &unk_7FF6945B89B8); v221 = k + *(_DWORD *)(a1 + 4708); v270 = &byte_7FF6945B89D0[8 * n0x2F]; v250[0] = v270; v250[1] = &unk_7FF6945B8998; if ( (sub_7FF6944FCB50(v251, v250) & 1) != 0 )// 比较8个字节 ++*(_DWORD *)(a1 + 4576); } if ( k == 15 ) break; } *(_DWORD *)(a1 + 4708) += 16; n3 = 3; continue;case 9: // cmp 16bytes for ( k = 0; ; ++k ) { if ( k + *(_DWORD *)(a1 + 4708) <= 41 ) { v123 = v125; v125[0] = 127 - 8 * k; v125[1] = 120 - 8 * k; v126 = 1;[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!