Canvas is not supported in your browser.
首页 课程 文章
无痕注入 APC注入 线程注入 读写驱动 注入技术 句柄表 进程线程 系统调用 保护模式 内存管理 远程CALL 软件调试 驱动封装 云下发 驱动开发 FPS数据 方框透视 FPS方框 FPS自瞄 CE D3DHOOK D3D绘制 Imgui绘制 DWM
内核课程 驱动出租 学习路线 聊天室 免责声明 提问技巧

CTF对抗- KCTF 2023 第十二题 wp - 98k

推荐 原创

周杰伦

文章分类 CTF对抗 阅读数 : 386 阅读时长 : 9分钟


【CTF对抗- KCTF 2023 第十二题 wp - 98k】此文章归类为:CTF对抗。

程序中的一些关键函数加了混淆,直接把 0x49A0E8 处 patch 为 double 类型的 100.0 ,再声明其类型为 const double 这样 ida F5 就能直接去除无关的逻辑。

题目实现了一个虚拟机,程序启动后会先解密得到虚拟机执行的命令,之后来到函数 0x460D0E 执行:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
char __thiscall global_vtable_2_func_18(C * this )
{
   C *v1; // ebx
   int _pc; // esi
   B *ins_start; // edi MAPDST
   char *v6; // esi
   _DWORD *v7; // eax
   const char *v8; // ecx
   unsigned int v9; // edx
   unsigned int v10; // edi
   _BYTE *v11; // ebx
   char v12; // al
   int v14; // [esp+8h] [ebp-6Ch]
   char v16[88]; // [esp+1Ch] [ebp-58h] BYREF
 
   v1 = this ;
   if ( v1->instructions.start == v1->instructions.finish )
     return 0;
   this ->pc = 0;
   ins_start = this ->instructions.start;
   if ( v1->instructions.finish - ins_start > 0 )
   {
     _pc = 0;
     ins_start = v1->instructions.start;
     do
     {
       if ( _pc == -1 )
       {
         v1->pc = 0;
         _pc = 0;
       }
       if ( !(*((unsigned __int8 (__thiscall **)(C *, B *))v1->vtable + 15))(v1, &ins_start[_pc]) )
       {
         // show error message
       }
       _pc = v1->pc + 1;
       v1->pc = _pc;
       ins_start = v1->instructions.start;
     }
     while ( _pc < v1->instructions.finish - ins_start );
   }
   return 1;
}

v1->vtable + 15 就是虚表中的第 15 项,地址为 0x4525EB 。

相关数据结构:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
struct A
{
   int field_0;
   std::string s0;
   int i1;
   int i2;
   int i3;
   std::string s4;
   std::string s5;
   std::string s6;
};
 
struct std::vector$A$
{
   A *start;
   A *finish;
   A *end_of_storage;
};
 
struct B
{
   int is_label;
   int field_4;
   std::string s1;
   std::string s2;
   std::vector$A$ vector;
};
 
struct std::vector$B$
{
   B *start;
   B *finish;
   B *end_of_storage;
};
 
struct RBTree // std::map<std::string, std::string>
{
   struct RBTree *left;
   struct RBTree *parent;
   struct RBTree *right;
   char color;
   char isnil;
   char padding[2];
   std::string key;
   std::string value;
};
 
struct C
{
   int **vtable;
   RBTree *tree;
   int node_count;
   std::vector$B$ instructions;
   int pc;
   char valid_data;
};

将解密之后的指令所在的内存 dump 出来,写脚本恢复原始指令:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
def vm(ins):
     opcode = int (ins[ 2 ])
     operands = ins[ 3 ]
     if opcode = = 0x21344D4938CE0640 :
         print ( 'system({0})' . format ( repr (operands[ 0 ][ 0 ].decode())))
     elif opcode = = 0x3820EA1739C3E154 :
         print ( 'map[{0}] = hex(vigenere(map[{0}], "恭喜发财".encode("gbk")))' . format ( repr (operands[ 0 ][ 4 ])))
     elif opcode = = 0x4B0134D06B40680 :
         print ( 'if (len(map[{0}]) {1} {2}) goto {3}' . format ( repr (operands[ 0 ][ 4 ]), operands[ 1 ][ 5 ].decode(), operands[ 2 ][ 1 ], operands[ 3 ][ 6 ].decode()))
     elif opcode = = 0x5304FD305CA8C22A :
         print ( 'sleep({})' . format (operands[ 0 ][ 1 ]))
     elif opcode = = 0x5AC009C0F14B76E8 :
         print ( 'map[{0}] = input()' . format ( repr (operands[ 0 ][ 4 ])))
     elif opcode = = 0x6975C7A3C07CD226 :
         print ( 'map[{0}] += {1}' . format ( repr (operands[ 0 ][ 4 ]), repr (operands[ 1 ][ 0 ])))
     elif opcode = = 0x7929CBF0A1496FB0 :
         print ( 'map[{0}] = base64encode(map[{0}])' . format ( repr (operands[ 0 ][ 4 ])))
     elif opcode = = 0x885F75A1461ECEBB :
         print ( 'if (map[{0}] == map[{1}]) goto {2}' . format ( repr (operands[ 0 ][ 4 ]), repr (operands[ 1 ][ 4 ]), operands[ 2 ][ 6 ].decode()))
     elif opcode = = 0x8DB9D83D80004137 :
         print ( 'print({})' . format ( repr (operands[ 0 ][ 0 ].replace(b '\\n' , b '\n' ).decode( 'gbk' ))))
     elif opcode = = 0xA43CBF9D015186F1 :
         if len (operands): code = operands[ 0 ][ 1 ]
         else : code = 0
         print ( 'exit({0})' . format (code))
     elif opcode = = 0xAA9C8E70F01F8D61 :
         print ( 'map[{0}] = map[{1}]' . format ( repr (operands[ 0 ][ 4 ]), repr (operands[ 1 ][ 4 ])))
     elif opcode = = 0xDDEEFF2200112233 :
         print ( 'nop' )
     elif opcode = = 0xE56D33B21C50A892 :
         print ( 'goto {0}' . format (operands[ 0 ][ 6 ].decode()))
     elif opcode = = 0xF4CC06C2E34200F0 :
         print ( 'nop 0' )
     elif opcode = = 0xF4CC06F2E3420459 :
         print ( 'nop 1' )
     elif opcode = = 0xFD1D1DFB19850CA1 :
         print ( 'map[{0}] = md5(map[{0}])' . format ( repr (operands[ 0 ][ 4 ])))
     else :
         assert False , hex (opcode)
 
mem_offset = 0xea0000
mem_size = 0x20000
mem_dump = open ( 'MEM_00EA0000_00020000.mem' , 'rb' ).read()
 
ins_start = 0xeb4b00
ins_end = 0xeb62a4
 
def read_dword(addr):
     assert mem_offset < = addr < mem_offset + mem_size
     return int .from_bytes(mem_dump[addr - mem_offset: addr - mem_offset + 4 ], 'little' )
 
def read_data(addr, size):
     assert mem_offset < = addr < mem_offset + mem_size - size
     return mem_dump[addr - mem_offset: addr - mem_offset + size]
 
def read_str(addr):
     size = read_dword(addr + 0x10 )
     cap = read_dword(addr + 0x14 )
     if cap > 0x10 : addr = read_dword(addr)
     return read_data(addr, size)
 
def read_A(addr):
     return (read_str(addr + 4 ), read_dword(addr + 0x1c ), read_dword(addr + 0x20 ), read_dword(addr + 0x24 ), read_str(addr + 0x28 ), read_str(addr + 0x40 ), read_str(addr + 0x58 ))
 
def read_B(addr):
     B = (read_dword(addr), read_dword(addr + 4 ), read_str(addr + 0x20 ), [])
     A_start = read_dword(addr + 0x38 )
     A_end = read_dword(addr + 0x3c )
     for addr in range (A_start, A_end, 0x70 ):
         B[ - 1 ].append(read_A(addr))
     return B
 
ins = []
for addr in range (ins_start, ins_end, 0x44 ):
     ins.append(read_B(addr))
 
for i in range ( len (ins)):
     t = ins[i]
     if t[ 0 ]:
         print (t[ 3 ][ 0 ][ 6 ].decode() + ':' )
     else :
         # print(i, end=': ')
         print ( '    ' , end = '')
         vm(ins[i])
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
     sleep( 25 )
     print ( '                                           \n' )
     sleep( 25 )
     print ( '                  _oo0oo_                  \n' )
     sleep( 25 )
     print ( '                 o8888888o                 \n' )
     sleep( 25 )
     print ( '                 88" . "88                 \n' )
     sleep( 25 )
     print ( '                 (| -_- |)                 \n' )
     sleep( 25 )
     print ( '                 0\\  =  /0                 \n' )
     sleep( 25 )
     print ( "               ___/`---'\\___               \n" )
     sleep( 25 )
     print ( "             .'\\.\\|     |/./'.             \n" )
     sleep( 25 )
     print ( '            / \\.\\||  :  ||/./ \\            \n' )
     sleep( 25 )
     print ( '           / _||||| -:- |||||- \\           \n' )
     sleep( 25 )
     print ( '          | | \\.\\.\\  -  /././ | |          \n' )
     sleep( 25 )
     print ( "          | \\_|  ''\\---/''  |_/ |          \n" )
     sleep( 25 )
     print ( "          \\  .-\\__  '-'  ___/-. /          \n" )
     sleep( 25 )
     print ( "        ___'. .'  /--.--\\  `. .'___        \n" )
     sleep( 25 )
     print ( '     ."" \'<  `.___\\_<|>_/___.\' >\' "".      \n' )
     sleep( 25 )
     print ( '    | | :  `- \\`.;`\\ _ /`;.`/ - ` : | |    \n' )
     sleep( 25 )
     print ( '    \\  \\ `_.   \\_ __\\ /__ _/   .-` /  /    \n' )
     sleep( 25 )
     print ( "=====`-.____`.___ \\_____/___.-`___.-'===== \n" )
     sleep( 25 )
     print ( "                  `=---='                  \n" )
     sleep( 25 )
     print ( '                                           \n' )
     sleep( 25 )
     print ( '             佛祖保佑 永无BUG              \n' )
     sleep( 25 )
     print ( '            论坛 KCTF2023年度赛            \n' )
     sleep( 25 )
     print ( '            出题战队:中午吃什么            \n' )
     sleep( 25 )
     print ( '                                           \n' )
     sleep( 25 )
     print ( '                                           \n' )
     nop
     sleep( 25 )
     print ( '请输入用户名:\n--> ' )
     map [b '2569430338759937617' ] = input ()
     nop
     sleep( 25 )
     print ( '请输入序列号:\n--> ' )
     map [b '1509181994979340817' ] = input ()
     nop
     nop 0
     nop 1
     if ( len ( map [b '1509181994979340817' ]) ! = 32 ) goto 10547232137042693405
     nop
     map [b '18097274335226857185' ] = map [b '2569430338759937617' ]
     map [b '18097274335226857185' ] + = b 'KCTF2023'
     map [b '18097274335226857185' ] = hex (vigenere( map [b '18097274335226857185' ], "恭喜发财" .encode( "gbk" )))
     map [b '18097274335226857185' ] = base64encode( map [b '18097274335226857185' ])
     map [b '18097274335226857185' ] = md5( map [b '18097274335226857185' ])
     nop
     if ( map [b '18097274335226857185' ] = = map [b '1509181994979340817' ]) goto 15317636321340901566
     goto 15315557398280875957
     nop
10547232137042693405 :
     sleep( 25 )
     print ( 'error\n\n\n' )
     system( 'pause' )
     exit( 0 )
     nop
15317636321340901566 :
     sleep( 25 )
     print ( 'Success GoodJob!\n\n\n' )
     system( 'pause' )
     exit( 0 )
     nop
15315557398280875957 :
     sleep( 25 )
     print ( 'error\n\n\n' )
     system( 'pause' )
     exit( 0 )

求解:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#!/usr/bin/env python3
 
from base64 import b64encode
from hashlib import md5
 
def vigenere(x, y):
     return bytes(x[i] ^ y[i % len (y)] for i in range ( len (x)))
 
def solve(username):
     return md5(b64encode(vigenere(username + b 'KCTF2023' , "恭喜发财" .encode( "gbk" )). hex ().upper().encode())).hexdigest()
 
 
'''
User-Name : 4070382B95A4F0ED
Serial-Number : 47a62c6eb8a72031a27b89abc3d976f7
'''
 
assert solve(b '4070382B95A4F0ED' ) = = '47a62c6eb8a72031a27b89abc3d976f7'
print (solve(b 'KCTF' )) # 35090e1336f1d1e872ba798256db1bfb


更多【CTF对抗- KCTF 2023 第十二题 wp - 98k】相关视频教程:www.yxfzedu.com




相关文章推荐

记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多
友情链接
内核结构 FAQ
免责声明
课程目录
Windows内核
游戏逆向(FPS)
技术交流QQ群
342478842 215039827 137189196
314055665 159620936
微信公众号
www.yxfzedu.com是一个分享游戏安全,游戏外挂与反外挂,游戏驱动保护的视频网站!
接各种驱动定制如:游戏读写驱动,软件内存保护,防止调试等功能定制。
出租读写驱动,调试驱动,无痕注入支持各种游戏。
邮箱:service@yxfzedu.com
QQ:851920120
特别说明:不接游戏数据分析,外挂编写,登陆协议等类似业务。