[DASCTF2024夏季挑战赛]StrangePrograme

#比赛复现 2024-07-25

眼前所见，亦非真实

你看到的我并不是真正的我，你看到的memcmp不是真正的memcmp

为什么memcmp要保留它当memcmp函数的历史

因为它是钩子

.DASCTF段一大段爆红，首先想到smc

跟随IsDebuggerPresent()的脚步来到这个函数

找到smc的地方

下面是被加密的.DASCTF段

断点一打，开始调试

.DASCTF段解密后恢复里面的几个关键函数

这里，memcmp被hook了，它已经不是原来的memcmp了

这里是加密

TEA

此时如果回主函数找到memcmp，一路跟进，会来到这个地方，这是动态链接库里的memcmp

总得来说，被hook的函数会改变它原本的功能，所以main函数里的memcmp并不是比较，而是加密

#include <bits/stdc++.h>
using namespace std;

void De_tea(unsigned int *a1, unsigned int *a2)
{

    unsigned int i; // [esp+DCh] [ebp-2Ch]
    int v4;     // [esp+E8h] [ebp-20h]
    unsigned int v5;    // [esp+F4h] [ebp-14h]
    unsigned int v6;    // [esp+100h] [ebp-8h]

    v6 = *a1;
    v5 = a1[1];

    // for (i = 0; i < 16; ++i)
    // {
    //     v6 += (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
    //     v5 += (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
    //     v4 -= 1640531527;
    // }
    v4 = 0 - 16 * 0x61C88647;
    for (i = 0; i < 16; ++i)
    {
        v4 += 0x61C88647;
        v5 -= (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
        v6 -= (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
        
    }

    *a1 = v6;
    a1[1] = v5;
}

int main(){

    __int64 v1;      // rax
    __int64 v3;      // [esp-8h] [ebp-24Ch]
    int j;           // [esp+D0h] [ebp-174h]
    size_t i;        // [esp+F4h] [ebp-150h]
    char *v6;        // [esp+100h] [ebp-144h]
    unsigned int v7; // [esp+124h] [ebp-120h] BYREF
    int v8;          // [esp+128h] [ebp-11Ch]
    int v9;          // [esp+12Ch] [ebp-118h]
    int v10;         // [esp+130h] [ebp-114h]
    unsigned char v11[41];   // [esp+13Ch] [ebp-108h] BYREF
    int savedregs;   // [esp+244h] [ebp+0h] BYREF

    v11[0] = 0xF9;
    v11[1] = 0x4D;
    v11[2] = 0x2B;
    v11[3] = 0xBC;
    v11[4] = 0x13;
    v11[5] = 0xDD;
    v11[6] = 0x13;
    v11[7] = 0x62;
    v11[8] = 0xC9;
    v11[9] = 0xFC;
    v11[10] = 0xFF;
    v11[11] = 0x89;
    v11[12] = 0x7D;
    v11[13] = 0x4F;
    v11[14] = 0xC9;
    v11[15] = 0xF;
    v11[16] = 0x63;
    v11[17] = 0x1D;
    v11[18] = 0x6D;
    v11[19] = 0x52;
    v11[20] = 0x50;
    v11[21] = 0xFD;
    v11[22] = 0x41;
    v11[23] = 0xE3;
    v11[24] = 0x33;
    v11[25] = 0x76;
    v11[26] = 0x28;
    v11[27] = 0x97;
    v11[28] = 0x38;
    v11[29] = 0x36;
    v11[30] = 0xF9;
    v11[31] = 0x6B;
    v11[32] = 0x90;
    v11[33] = 0x39;
    v11[34] = 0x14;
    v11[35] = 0x83;
    v11[36] = 0x2C;
    v11[37] = 0xE2;
    v11[38] = 0x2C;
    v11[39] = 0x1F;
    v11[40] = 0x0;

    // unsigned int enc[10] = {
    //     0xBC2B4DF9, 0x6213DD13, 0x89FFFCC9, 0x0FC94F7D, 0x526D1D63, 0xE341FD50, 0x97287633, 0x6BF93638,
    //     0x83143990, 0x1F2CE22C};

    // unsigned int key[4] = {
    //     0x12345678, 0x09101112, 0x13141516, 0x15161718};
    // v8 = *(v11 + 1);
    // *v6 = v8;
    unsigned char key[16] =
        {
            0x78, 0x56, 0x34, 0x12, 0x12, 0x11, 0x10, 0x09, 0x16, 0x15,
            0x14, 0x13, 0x18, 0x17, 0x16, 0x15};

    unsigned int *p = (unsigned int *)v11;

    for (int i = 8; i >= 2;i -= 2){

        // *&v11[4 * i + 4] ^= *v11;
        // *&v11[4 * 1] ^= *v6;

        
        // *(unsigned int *)&v11[4 * i + 4] ^= p[1];
        // *(unsigned int *)&v11[4 * i] ^= p[0];

        *(unsigned int *)&v11[4 * i + 4] ^= v11[1];
        *(unsigned int *)&v11[4 * i] ^= v11[0];

        // enc[i] ^= enc[1];
        // enc[i - 1] ^= enc[0];

        De_tea(p, (unsigned int *)key);
        // De_tea((unsigned int *)v11, (unsigned int *)key);
    }

    De_tea(p, (unsigned int *)key);

    for(int i = 0; i < 40;++ i)
        printf("%c", v11[i]);

    return 0;
}

接下来表演的节目是神奇的指针

当我将exp中间部分写成这样时

1 2	`(unsigned int )&v11[4 * i + 4] ^= (unsigned int )v11[1]; (unsigned int )&v11[4 * i] ^= (unsigned int )v11[0];`

它的输出是这样的

当我写成这样时

1
2
3

unsigned int *p = (unsigned int *)v11;
*(unsigned int *)&v11[4 * i + 4] ^= p[1];
*(unsigned int *)&v11[4 * i] ^= p[0];

它的输出是这样的

当我写成这样时

1 2	`(unsigned int )&v11[4 * i + 4] ^= v11[1]; (unsigned int )&v11[4 * i] ^= v11[0];`

它的输出是这样的

指针，很神奇吧