[Original] Problem 2: Abnormal Signal, by k1ee
2020-11-24 12:33 2092


Abnormal Signal

image-20201120101319463

This should be a CRC computation (polynomial 0xEDB88320) used to locate the library functions by hash.

Then the strings: each signed char is converted to a signed int, XORed with 996, and the low 8 bits are the result.
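An added example (not the post's script) that implements both transformations above in Python: a CRC-32 with the reflected polynomial 0xEDB88320, used to build a hash-to-name table for resolving the API hash constants, and the signed-char XOR string decoder. It assumes the standard CRC-32 init and final XOR over the ASCII export name without its NUL; the hash values it prints are computed here, not read from the binary.

```python
# Added example, not the post's script: undo the two obfuscations the writeup
# identifies. APIs are located by a CRC with reflected polynomial 0xEDB88320,
# so an analyst precomputes hashes of likely export names and looks up the
# constants seen in the code; strings are recovered by the signed-char XOR.
# Assumption: standard CRC-32 init/final XOR over the ASCII name without NUL.

POLY = 0xEDB88320

def crc32(data):
    """Bit-serial reflected CRC-32 with polynomial 0xEDB88320."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

# Export names seen in the post's output; extend with a DLL's full export list.
KNOWN_EXPORTS = ["LoadLibraryA", "GetProcAddress", "GetThreadContext",
                 "CreateThread", "NtSetInformationThread", "NtCreateThreadEx",
                 "VirtualAlloc", "GetProcessHeap", "CreateDecompressor"]

def build_hash_table(names=KNOWN_EXPORTS):
    """Map CRC-32 value -> export name for the hash constants in the code."""
    return {crc32(n.encode()): n for n in names}

def resolve_hash(h, table):
    return table.get(h & 0xFFFFFFFF, "<unknown hash %08X>" % (h & 0xFFFFFFFF))

def decode_string(enc, key=996):
    """Per byte: signed char -> int, XOR key, keep the low 8 bits. The sign
    extension only touches bits above 7, so this equals b ^ (key & 0xFF)."""
    out = bytearray()
    for b in enc:
        sc = b - 0x100 if b & 0x80 else b      # reinterpret as signed char
        out.append((sc ^ key) & 0xFF)
    return out.decode("latin-1")

def encode_string(s, key=996):
    """Inverse of decode_string (XOR on the low byte is an involution)."""
    return bytes(ord(c) ^ (key & 0xFF) for c in s)

if __name__ == "__main__":
    table = build_hash_table()
    for h in sorted(table):
        print("%08X -> %s" % (h, table[h]))
    blob = encode_string("Cabinet.Decompress", key=1289)   # constructed sample
    print(decode_string(blob, key=1289))
```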

 

image-20201120103711081

Let's write a script to run through them first; maybe the names are stored directly in the strings.

image-20201120105808619

They aren't.

func1 : LoadLibraryA
v9143 : LoadLibraryA
v8870 : LoadLibraryA
v7897 : GetProcAddress
v8857 : LoadLibraryA
v7595 : GetThreadContext
v8844 : CreateThread
v7326 : NtSetInformationThread
v9117 : LoadLibraryA
v9130 : LoadLibraryA
v8831 : LoadLibraryA
v7882 : GetProcAddress
v8818 : LoadLibraryA
v7578 : GetThreadContext
v7867 : GetProcAddress
func4 : Cabinet
v7303 : NtSetInformationThread
v9091 : LoadLibraryA
v9104 : LoadLibraryA
v8805 : LoadLibraryA
v7852 : GetProcAddress
v8792 : LoadLibraryA
v7561 : GetThreadContext
v7837 : GetProcAddress
v9078 : LoadLibraryA
v8779 : LoadLibraryA
v7822 : GetProcAddress
v8766 : LoadLibraryA
v7544 : GetThreadContext
func2 : CreateDecompressor
v7280 : NtSetInformationThread
v9052 : LoadLibraryA
v9065 : LoadLibraryA
v8753 : LoadLibraryA
v7807 : GetProcAddress
v8740 : LoadLibraryA
v7527 : GetThreadContext
v7792 : GetProcAddress
v9026 : LoadLibraryA
v9039 : LoadLibraryA
v8727 : LoadLibraryA
v7777 : GetProcAddress
v8714 : LoadLibraryA
v7510 : GetThreadContext
v7762 : GetProcAddress
v9013 : LoadLibraryA
v8701 : LoadLibraryA
v7747 : GetProcAddress
v8688 : LoadLibraryA
v7493 : GetThreadContext
func5 : VirtualAlloc
v9000 : LoadLibraryA
v8662 : LoadLibraryA
v7732 : GetProcAddress
v8649 : LoadLibraryA
v7476 : GetThreadContext
v7717 : GetProcessHeap
v7349 : NtSetInformationThread
v8974 : LoadLibraryA
v8987 : LoadLibraryA
v8636 : LoadLibraryA
v7702 : GetProcAddress
v8623 : LoadLibraryA
v7459 : GetThreadContext
v7687 : GetProcAddress
v7425 : NtCreateThreadEx
v8948 : LoadLibraryA
v8961 : LoadLibraryA
v8610 : LoadLibraryA
v7672 : GetProcAddress
v8597 : LoadLibraryA
v7442 : GetThreadContext
v7657 : GetProcAddress
v8584 : LoadLibraryA
v8896 : LoadLibraryA
v8909 : LoadLibraryA
v8545 : LoadLibraryA
v7627 : GetProcAddress
v8532 : LoadLibraryA
v7391 : GetThreadContext
v7612 : GetProcAddress
v8922 : LoadLibraryA
v8935 : LoadLibraryA
v8571 : LoadLibraryA
v7642 : GetProcAddress
v8558 : LoadLibraryA
v7408 : GetThreadContext
v7912 : GetProcAddress

Process finished with exit code 0

One of them looks like a string: with XOR value 1289 the result is Cabinet.Decompress.

Decompress

Process finished with exit code 0

Let's first look at which threads get started.

image-20201120111842920

 

Inside this thread, another one is started.

image-20201120114814385

 

v3906 = *(_DWORD *)(***(_DWORD ***)(*(_DWORD *)(*(_DWORD *)(__readfsdword(0x18u) + 48) + 12) + 12) + 24); What exactly is this?

https://en.wikipedia.org/wiki/Win32_Thread_Information_Block

https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_PEB

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm

https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/ldr_data_table_entry.htm

https://www.vergiliusproject.com/kernels/x86/Windows%2010/2009%2020H2%20(October%202020%20Update)/_PEB_LDR_DATA

https://www.vergiliusproject.com/kernels/x86/Windows%2010/2009%2020H2%20(October%202020%20Update)/_IMAGE_DOS_HEADER

TEB->PEB->PEB_LDR_DATA->InLoadOrderModuleList.Flink->InLoadOrderModuleList.Flink->DllBase(_IMAGE_DOS_HEADER)

Was I overcomplicating it? Just debug the decompressed code directly, search the strings for "Correct", and land at C712B0.

image-20201121010218611

 

As you can see, because this is a memory snapshot the strings are found directly. Below, the input handling was located.

image-20201120155850947

 

Only 0123456789ABCDEF are valid; each input character is converted to its corresponding value 0-15. Then every two characters are merged into one hex byte.

image-20201121010311441

 

Next, every two hex bytes are turned into a two-byte word, which is compared against two numbers.

image-20201121010325712

 

Stepping into rand shows this; after searching around, it turned out to be a pseudo-random number algorithm.

image-20201121010421373

 

So the offset 0x18 is srand.

image-20201121010444069

 

So the algorithm is: if the word equals the rand generated from pos_idx, idx is written; if it equals the rand generated from neg_idx, it is skipped. In effect, the values 0-89 can be written into an array.

Took a look inside get_something

image-20201120160415308

 

Why is there a fiber as well? It doesn't look important, though. Further down: the input is required to have more than 12 words

image-20201121010535132

 

There is a requirement on the pairwise differences

image-20201121010555160

 

What follows is the key algorithm

image-20201121010759287

 

It requires the absolute values of all pairwise differences to be mutually distinct. Brute force won't work, so I asked an algorithms teammate to solve it.

def get_diffs(a):
    # all pairwise absolute differences already present in ruler a
    s=set()
    for c1 in a:
        for c2 in a:
            if c1!=c2:
                s.add(abs(c1-c2))
    return s

# A[i] holds the candidate rulers whose largest mark is i
A=[[] for _ in range(90)]
A[0]=[[0]]
for i in range(1,90):
    for j in range(i):
        for a in A[j]:
            s1=get_diffs(a)
            s2=set(i-c for c in a)   # differences the new mark i would add
            if not s1&s2:            # keep only if no difference repeats
                A[i].append(a+[i])
    m=max(len(a) for a in A[i])
    if m==12:
        break
    # prune: keep only candidates within 3 marks of the longest one
    t=[]
    for a in A[i]:
        if len(a)>m-3:
            t.append(a)
    A[i]=t
    print(i,m,len(A[i]))
for a in A[i]:
    if len(a)==12:
        print(a)

The solution is

[0, 2, 6, 24, 29, 40, 43, 55, 68, 75, 76, 85]

Construct the serial

seed = 0

def srand(val):
    # the binary's srand keeps only the low 16 bits of the seed
    global seed
    val &= 0xFFFF
    seed = val

def rand():
    # LCG with the 0x343FD / 0x269EC3 constants; the result is bits 16..30 of the state
    global seed
    val = (0x343FD * seed + 0x269EC3) & 0xFFFFFFFF
    seed = val
    return (val >> 16) & 0x7FFF

serial = ""
vec = [0, 2, 6, 24, 29, 40, 43, 55, 68, 75, 76, 85]
for v in range(86):
    srand(v)
    pos = 0
    for i in range(101):      # advance the generator 101 times, as the check does
        pos = rand()
    srand(-v)
    neg = 0
    for i in range(101):
        neg = rand()
    # marks in vec get the pos value (written), all others the neg value (skipped)
    result = pos if v in vec else neg
    s = "%04X" % result
    adds = s[2:4] + s[0:2]    # low byte first, the order in which the check reads the word
    print("%d %s %d" % (v, adds, v in vec))
    serial += adds

print(serial)

Solution (by the way, positions 86-89 could also be filled with the rand values from neg_idx; doesn't that count as multiple solutions?)

675E7A025B4786190D65933042199F472513AB5E312AB8753E41C40C4A58D023566FDD3A6306E9516F1DF5687B340100D3490E1794621A2EA0793450AD10335CB9273F73C53E4B0AD1555821DE6C64387111704FF61ADE2E0332897D0F4995141B60A12B2877AE42340EBA59402594244D3CD3075953DF1E656AEB357101F84C7E1804648A2F107BC44E1D12A35D2929AF743540BB0B193E93724E6ED4395A05E050661CED677333F97EDC4A
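As an added check (not part of the original post), here is a Python replay of the serial validation described above, which also regenerates a serial so that any candidate can be verified offline before trying it in the binary. It assumes what the keygen above does: srand keeps the low 16 bits of the seed, rand is the 0x343FD/0x269EC3 LCG, the check draws 101 values per index, and the serial is 86 little-endian 16-bit words written as uppercase hex.

```python
# Added example, not the post's keygen: replay the serial check the writeup
# describes so a candidate serial can be validated offline. Assumptions, taken
# from the post's keygen: srand keeps the low 16 bits of the seed, rand is the
# 0x343FD/0x269EC3 LCG, the check draws 101 values per index, and the serial
# holds 86 little-endian 16-bit words written as hex.

MULT, INC = 0x343FD, 0x269EC3
HEXDIGITS = "0123456789ABCDEF"          # the only characters the check accepts

def nth_rand(seed, n=101):
    """The n-th rand() after srand(seed), with the 16-bit seed mask."""
    s = seed & 0xFFFF
    for _ in range(n):
        s = (MULT * s + INC) & 0xFFFFFFFF
    return (s >> 16) & 0x7FFF

def hex_to_words(serial):
    """Hex chars -> nibbles -> bytes -> little-endian words (low byte first)."""
    if len(serial) % 4 or any(c not in HEXDIGITS for c in serial):
        raise ValueError("serial must be uppercase hex in groups of four")
    raw = bytes.fromhex(serial)
    return [raw[i] | (raw[i + 1] << 8) for i in range(0, len(raw), 2)]

def recover_indices(serial):
    """Word v == rand after srand(v): write v; == rand after srand(-v): skip."""
    marks = []
    for v, w in enumerate(hex_to_words(serial)):
        if w == nth_rand(v):
            marks.append(v)
        elif w != nth_rand(-v):
            raise ValueError("word %d matches neither pos nor neg rand" % v)
    return marks

def has_distinct_diffs(marks):
    """The key requirement: all pairwise absolute differences are distinct."""
    diffs = [abs(a - b) for i, a in enumerate(marks) for b in marks[i + 1:]]
    return len(diffs) == len(set(diffs))

def make_serial(marks, count=86):
    """Keygen: pos rand for chosen indices, neg rand for the others."""
    words = [nth_rand(v) if v in marks else nth_rand(-v) for v in range(count)]
    return "".join("%02X%02X" % (w & 0xFF, w >> 8) for w in words)

if __name__ == "__main__":
    vec = [0, 2, 6, 24, 29, 40, 43, 55, 68, 75, 76, 85]
    serial = make_serial(vec)
    marks = recover_indices(serial)
    print(serial)
    print(marks, has_distinct_diffs(marks))
```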

References

http://www.datagenetics.com/blog/february22013/



Last edited by k1ee on 2020-11-30 14:40, reason: standardized title