[XCTF-Reverse] 69 XCTF 3rd-RCTF-2017_MyDriver2-397
一個.sys文件,應該是驅動程序。反正當個exe文件處理吧。
在數據區找到兩個串 qword_16310、qword_16390,感覺是加密用的,順著這個線索找引用處,于是找到 sub_113C8(手工找也行,因為一共也沒幾個函數)。
// Decompiler (Hex-Rays style) output of the driver routine that derives the
// XOR key and applies it to the two data blobs.  Reads/writes the globals
// dword_16414, qword_16310, qword_16390, word_16430, word_16432 and SubStr;
// the local names (v0..v6) are the decompiler's and are referenced in the text.
__int64 sub_113C8() {
    PVOID v0; // rbx
    int v1; // er11
    int v2; // edx
    _DWORD *v3; // rax
    int v4; // ecx
    __int64 v5; // rax
    signed __int64 v6; // r8
    __int64 result; // rax
    char Dst; // [rsp+20h] [rbp-38h]

    // Copy 0x22 bytes of sub_11DF0's code to the stack, then into a freshly
    // allocated pool block, and call that copy as a function; the two literal
    // arguments are sub_11DF0's (a1, a2).  Net effect: dword_16414 = sub_11DF0(a1, a2).
    memmove(&Dst, sub_11DF0, 0x22ui64);
    v0 = ExAllocatePool(0, 0x22ui64);
    memmove(v0, &Dst, 0x22ui64);
    dword_16414 = ((__int64 (__fastcall *)(signed __int64, signed __int64))v0)(3435209541i64, 1412570316i64); // 0xccc12345,0x54321ccc
    ExFreePoolWithTag(v0, 0);
    v1 = dword_16414; // 0x5c3113c5
    v2 = dword_16414 - 1546720155; // 42
    // Pass 1: XOR every DWORD from qword_16310 up to (not including)
    // qword_16390 with the 32-bit key v1.
    v3 = qword_16310;
    do {
        *v3 ^= v1;
        ++v3;
    } while ( (signed __int64)v3 < (signed __int64)qword_16390 );
    v4 = 0;
    v5 = v2;
    // The decoded blob is then treated as a wide string of length v2;
    // the two elements after it are zeroed (looks like a terminator).
    SubStr = (wchar_t *)qword_16310;
    word_16432 = v2;
    word_16430 = v2;
    qword_16310[v5] = 0;
    qword_16310[v5 + 1] = 0;
    v6 = 0i64;
    // Pass 2: XOR 128 elements of qword_16390 with qword_16310, cycling the
    // key index v4 modulo v2.  'result' is just the last quotient of that
    // index arithmetic, not a meaningful return value.
    // NOTE(review): the element widths here are the decompiler's guesses; the
    // solve script below treats this pass byte-wise (128 bytes, 42-byte key) -
    // confirm against the disassembly.
    do {
        qword_16390[v6] ^= qword_16310[v4];
        ++v6;
        result = (unsigned int)((v4 + 1) / (unsigned __int16)v2);
        v4 = (v4 + 1) % (unsigned __int16)v2;
    } while ( v6 < 128 );
    return result;
}
這里先把sub_11DF0給Dst再殷Dst給v0再運行v0其實就是運行sub_11DF0
// The 0x22-byte helper that sub_113C8 copies into a pool allocation and
// calls.  Merges the high nibbles of a2 with the low nibbles of a1;
// in the decompiler's one-liner `&` binds tighter than `^`, so this is
// (a2 & 0xF0F0...) ^ (a1 & 0x0F0F...).
unsigned __int64 __fastcall sub_11DF0(__int64 a1, __int64 a2) {
    const unsigned __int64 high_nibbles = 0xF0F0F0F0F0F0F0F0ui64;
    const unsigned __int64 low_nibbles = 0xF0F0F0F0F0F0F0Fi64;
    unsigned __int64 from_a2 = a2 & high_nibbles;
    unsigned __int64 from_a1 = a1 & low_nibbles;
    return from_a2 ^ from_a1;
}
所有參數都已經給出了,可以順序得到dword_16414 =?0x5c3113c5 再逄出v2=42(從數據也可看出長度)
然后把 qword_16310 和 v1 做異或(因為 v3 是 dword 指針,所以每 4 字節作一次),再然后就是 qword_16390 和 qword_16310 做異或了。
解碼
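# Solve script for sub_113C8: rebuild the 32-bit key, undo the per-DWORD XOR on
# the qword_16310 blob (giving the 42-byte key), then XOR the 128-byte
# qword_16390 blob with that key.  Standard library only: little-endian packing
# is done with int.to_bytes instead of pwntools' p64.


def p64(value):
    """Pack ``value`` as an unsigned 64-bit little-endian integer (pwntools p64 equivalent)."""
    return value.to_bytes(8, "little")


# sub_11DF0(0xccc12345, 0x54321ccc): high nibbles of a2, low nibbles of a1.
v = 0x54321ccc & 0xF0F0F0F0F0F0F0F0 ^ 0xccc12345 & 0x0F0F0F0F0F0F0F0F  # 0x5c3113c5
# Pass 1 XORs the blob one DWORD at a time, so per qword the key is v repeated.
qword_key = (v << 32) | v  # 0x5c3113c55c3113c5

# qword_16310 as dumped from the driver's data section.
a = [0x5C5813A25C6E1395, 0x5C5413885C5413B3, 0x5C5013A95C57139A,
     0x5C0213F75C6E13A2, 0x5C4913B15C1F13F6, 0x13B1]
b = b''.join(p64(q ^ qword_key) for q in a)
print(b)

# qword_16390 as dumped; 16 qwords = 128 bytes, matching the loop bound of 128.
c = [0x6105664765377470, 0x733A416D730C2011, 0x6E285F096C166D36, 0x6F5C686D6531690B,
     0x780002726A5F58, 0x67005F00500074, 0x4D006500760069, 0x6C0066005F0065,
     0x32005F00670061, 0x74002E00330033, 0x5F005000740078, 0x65007600690067,
     0x66005F0065004D, 0x5F00670061006C, 0x2E003300330032, 0x50007400780074]
d = b''.join(p64(q) for q in c)
print(d)

# Pass 2: XOR byte-wise, cycling through the first 42 key bytes (v2 == 42).
KEY_LEN = 42
e = [byte ^ b[i % KEY_LEN] for i, byte in enumerate(d)]
print(bytes(e))  # A_simple_Inline_hook_Drv
# RCTF{A_simple_Inline_hook_Drv}
# 總結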