2024春节解题领红包之Windows 高级题

查看 52|回复 5
作者:堂前燕   
解题领红包之Windows 高级题
分析:
crackme2024.exe
x64位程序upx 脱壳,x64dbg设置异常,手动脱壳,略
反调试
cinit-->initterm_4 定位到如下函数


image-20240222164541587.png (28.54 KB, 下载次数: 3)
下载附件
2024-2-25 12:47 上传

VEH_antiBP_140001670
__int64 VEH_antiBP_140001670()
{
  qword_140020E58 = findCC_1400022F0(0x64, 0i64);
  AddVectoredExceptionHandler(1u, (PVECTORED_EXCEPTION_HANDLER)Handle);
  memset(qword_140020EA0, 0, 0x4D0ui64);
  qword_140021370 = check_peb_atdbg_140002350();
  RemoveVectoredExceptionHandler(Handle);
  return 0i64;
}
mapview_and_antidbg_140001000
__int64 mapview_and_antidbg_140001000()
{
  mapview_and_antidbg_1400012F0();
  return onexit_140002510(sub_1400136D0);
}
__int64 *mapview_and_antidbg_1400012F0()
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  qword_140020E98 = sub_140002340() & 0xFFFFFFFFFFFFF000ui64;
  getMapView_140001700();
  if ( !mapAddr_140020E90 )//共享内存,与crackme2024service.exe共享
    return &qword_1400213A0;
  v0 = sub_140001A90;
  isCC_140020E40 = findCC_1400022F0(0x14, 0i64);
  ModuleHandleW = GetModuleHandleW(ModuleName);
  CsrGetProcessId = GetProcAddress(ModuleHandleW, ProcName);
  if ( CsrGetProcessId )
  {
    // 反调试,
    v3 = CsrGetProcessId();
    v4 = OpenProcess(0x400u, 0, v3);
    if ( v4 )
    {
      CloseHandle(v4);
      v0 = sub_140001AB0;
    }
  }
  *(_QWORD *)mapAddr_140020E90 = v0;
  return &qword_1400213A0;
}
antidbg_checkthread_140001020
_onexit_t antidbg_checkthread_140001020()
{
  *(_QWORD *)&ThreadId = 0i64;
  qword_1400213B0 = 0i64;
  qword_1400213B0 = (__int64)CreateThread(0i64, 0i64, (LPTHREAD_START_ROUTINE)StartAddress, obf_140001AC0, 0, &ThreadId);
  return onexit_140002510(nullsub_2);
}
__int64 __fastcall StartAddress(LPVOID lpThreadParameter)
{
  DWORD ThreadId; // [rsp+30h] [rbp-28h] BYREF
  HANDLE Handles[2]; // [rsp+38h] [rbp-20h] BYREF
  InitializeCriticalSection(&CriticalSection);
  Handles[0] = CreateThread(0i64, 0i64, (LPTHREAD_START_ROUTINE)anti1_140001470, obf_140001AC0, 0, &ThreadId);//检测到软件断点后干扰后续共享内存的操作
  Sleep(1110u);
  Handles[1] = CreateThread(0i64, 0i64, (LPTHREAD_START_ROUTINE)anti_debug_1400014E0, obf_140001AC0, 0, &ThreadId);//作用同上,利用主动触发VEH处理函数进行检测,
  WaitForMultipleObjects(2u, Handles, 1, 0xFFFFFFFF);
  DeleteCriticalSection(&CriticalSection);
  return 0i64;
}
客户端逻辑
main
__int64 __fastcall main_140001AD0(int a1, __int64 a2)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  printf_s("%s @ www.52pojie.cn\n", &ConsoleTitle);
  onexit((_onexit_t)sub_140001E40);             // printf ==>"\nThank you, HAPPY NEW YEAR!!!!!\n"
  SetConsoleTitleA(&ConsoleTitle);
  printf("Happy New Year!\nAuthor: solly\n\n");
  v9 = 0;
  memset(serial, 0, 0x104ui64);
  StdHandle = GetStdHandle(0xFFFFFFF5);
  if ( a1 = 35 )
  {
    if ( (unsigned __int8)Checking_140001CF0(uid, serial) )
    {
      printf("\nChecking result: ");
      SetConsoleTextAttribute(StdHandle, 9u);
      printf("SUCCESS. ");
      SetConsoleTextAttribute(StdHandle, 7u);
      printf("Congratulations!!\n\n");
      printf("You can run crackme2024service.exe /UnregServer as administrator to unload the server.\n");
    }
    else
    {
      printf("\nChecking result: ");
      SetConsoleTextAttribute(StdHandle, 0xCu);
      printf("FAILURE. ");
      SetConsoleTextAttribute(StdHandle, 7u);
      printf("Try it again!!!!!\n\n");
    }
  }
  else
  {
LABEL_12:
    printf("\nERROR: uid or serial is error\n");
  }
  return 0i64;
}
Checking_140001CF0
__int64 __fastcall Checking_140001CF0(unsigned int uid, const char *a2)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v6[0] = 0;
  ret_cc_140020E50 = findCC_1400022F0(0x15A, 0x38i64);
  if ( CoInitialize(0i64) >= 0 )
  {
    if ( CoCreateInstance(&rclsid, 0i64, 0x14u, &riid, (LPVOID *)&ppv.lpVtbl) QueryInterface + 7))(ppv.lpVtbl, uid);
      if ( *(_QWORD *)mapAddr_140020E90 )
          //uid计算,调用sub_140001A90// return (a1 * a1 * a1) ^ 0x323032796C6C6F73i64;
        *(_QWORD *)mapAddr_140020E90 = (*(__int64 (__fastcall **)(_QWORD))mapAddr_140020E90)(*((unsigned int *)mapAddr_140020E90
                                                                                             + 2));
      // void setSerial(Byte[] serial);
      (*((void (__fastcall **)(IUnknownVtbl *, char *))ppv.lpVtbl->QueryInterface + 8))(ppv.lpVtbl, serial);
      // sbyte checkSerial();
      if ( (*((unsigned int (__fastcall **)(IUnknownVtbl *, char *))ppv.lpVtbl->QueryInterface + 9))(ppv.lpVtbl, v6) == 1 )
      {
        v6[0] = 0;
        printf("Running failure. Please run crackme2024service.exe /RegServer as administrator first.\n");
      }
      // [rax+10]:IUnknown_Release_Proxy
      (*((void (__fastcall **)(IUnknownVtbl *))ppv.lpVtbl->QueryInterface + 2))(ppv.lpVtbl);
    }
  }
  CoUninitialize();
  return (unsigned __int8)v6[0];
}
crackme2024service.exe
ATL COM服务端
保护器: Themida/Winlicense(3.XX)[Themida]
ergrelet/unlicense: Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x. (github.com)
脱壳,x32dbg 修改进程名,配置ScyllaHide Plugin反反调试
对ATL COM了解不多,正向写个程序熟悉了一下
ATL创建进程外COM组件服务(C++图解说明)_c++ 进程外组件-CSDN博客
主要对COM接口进行分析
利用OleView对IATLCrackmeObject接口进行查看


image-20240222172123340.png (45.45 KB, 下载次数: 1)
下载附件
2024-2-25 12:47 上传

ida 中对ATL::CComObject进行分析


image-20240222171904285.png (44.83 KB, 下载次数: 0)
下载附件
2024-2-25 12:47 上传



image-20240222172335790.png (85.07 KB, 下载次数: 1)
下载附件
2024-2-25 12:47 上传

setUID_401280
uid 存储到共享内存+8偏移处,DWORD
int __stdcall setUID_401280(CATLCrackmeObject *a1, int uid)
{
  int result; // eax
  // *(int*)&a1->MapViewOfFile[8]=uid;
  *(_DWORD *)&a1->MapViewOfFile_C[a1->isFind_jmpself_F0 + 8] = uid;
  result = 0;
  a1->numb = 0i64;
  return result;
}
setSerial_4012B0
序列号长度35,分成4块,中间使用‘-’连接
序列号16进制字符串各部分分别转换成ulong保存
int __stdcall setSerial_4012B0(CATLCrackmeObject *a1, char *serial)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v2 = serial;
  serial_array_10 = a1->serial_array_10;
  memset(a1->serial_array_10, 0, sizeof(a1->serial_array_10));
  v4 = 0;
  // 4*8+3=35
  // 11111111-22222222-33333333-44444444
  for ( i = strstr(serial, SubStr); i; i = strstr(i + 1, SubStr) )
  {
    *i = 0;
    // 16进制字符串转ulong
    v6 = strtoul(v2, &EndPtr, 16);
    v2 = i + 1;
    *serial_array_10 = v6;
    ++v4;
    ++serial_array_10;
  }
  a1->serial_array_10[v4] = strtoul(v2, &EndPtr, 0x10);
  // 取前8字节
  a1->numb = *(_QWORD *)a1->MapViewOfFile_C;
  return 0;
}
checkSerial_401360
变换逻辑,对应写成逆过程;
int __stdcall checkSerial_401360(CATLCrackmeObject *a1, bool *isEqual)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  numb = a1->numb;
  if ( a1 == (CATLCrackmeObject *)-24 )
  {
    *_errno() = 22;
    _invalid_parameter_noinfo();
    serial = 0i64;
  }
  else
  {
    // 取16字节,即4个int值,serial共有4部分
    serial = *(_OWORD *)a1->serial_array_10;
  }
  v16 = 0;
  *(_OWORD *)serials_data = 0i64;
  zero = NtCurrentPeb()->BeingDebugged;
  *(_OWORD *)serials_data = serial;
  result = serials_data;
  v4 = 2;
  do
  {
    serial_part = *result;
    tb2 = &table2_41F8D0[17];
    serial_next = result[1];
    do
    {
      t2 = *tb2;
      tb2 += -1u;
      serial_part2 = serial_part ^ (zero + t2);
      serial_part = serial_next ^ (table3_41E8D0[3][HIBYTE(serial_part2)]
                                 + (table3_41E8D0[2][BYTE2(serial_part2)] ^ (table3_41E8D0[0][(unsigned __int8)serial_part2]
                                                                           + table3_41E8D0[1][BYTE1(serial_part2)])));
      serial_next = serial_part2;
    }
    while ( (int)tb2 >= (int)&table2_41F8D0[2] );
    part = serial_part ^ table2_41F8D0[1];
    part2_ = serial_part2 ^ table2_41F8D0[0];
    result[1] = part;
    *result = part2_;
    result += 2;
    --v4;
  }
  while ( v4 );
  LOBYTE(v16) = 0;
  // 8字节
  *isEqual = numb == _strtoui64((const char *)serials_data, 0, 16);
  return 0;
}
py
def check_serial(serials_data, table2, table3):
    result=[0]*4
    for i in range(0,4,2):
        serial_part = serials_data
        # tb2 = table2[::-1]
        serial_next = serials_data[i+1]
        for j in range(17,1,-1):
            t2 = table2[j]
            tb_index = serial_part ^ t2
            xordata=(table3[3][(tb_index >> 24) & 0xFF] + (table3[2][(tb_index >> 16) & 0xFF] ^
                                                                       (table3[0][(tb_index >> 0) & 0xFF] +
                                                                        table3[1][(tb_index >> 8) & 0xFF])))&0xffffffff
            serial_part = serial_next ^ xordata
            serial_next = tb_index
        result[i+1] = serial_part^table2[1]
        result = serial_next^table2[0]
    bs=b''
    for x in result:
        bs+=x.to_bytes(4,'little')
        # print(x.to_bytes(4,'little'))
    print('serial_tf:\n',bs,bs.hex())
    # print(serials_data.hex())
    return result
注册脚本
table2_41F8D0、table3_41E8D0需动态dump
table2_41F8D0 = [
    0x5226ADD8, 0x5E55C820, 0xA30A9E51, 0x22BB06C2, 0x5A261794, 0x0C719373, 0x47B81378, 0xFE536644,
0x4659CBBC, 0xEBA4557D, 0x60D52F41, 0x3D6BB2C4, 0x9D15F01B, 0x160D9EB4, 0xECCA07BF, 0x36D0CF94,
0xAE389637, 0xF868B19B
]  # 填入已知的 table2 数据
from tabledata import table3
table3_41E8D0 = []
for i in range(0,4):
    table3_41E8D0.append(table3[i*0x100:i*0x100+0x100])
def numbTotarget(numb:int):
    traget=[0]*4
    numbstr='%0x'%numb
    bs=numbstr.encode()#numb.to_bytes(8,'little')
    traget =[ int.from_bytes(bs[i*4:i*4+4],'little') for i in range(4)]
    return traget
def reverse_check_serial(result, table2, table3):
    # Initialize a list to store the reversed serials_data
    reversed_serials_data = [0, 0, 0, 0]
    for i in range(2,-1,-2):
        serial_part = result[i+1]^table2[1]
        serial_next = result^table2[0]
        for j in range(2,18):
            tb_index=serial_next
            xordata=(table3[3][(tb_index >> 24) & 0xFF] + (table3[2][(tb_index >> 16) & 0xFF] ^
                                                                       (table3[0][(tb_index >> 0) & 0xFF] +
                                                                        table3[1][(tb_index >> 8) & 0xFF])))&0xffffffff
            serial_next=serial_part^ xordata
            serial_part=tb_index^table2[j]
        #re begain
        reversed_serials_data = serial_part
        reversed_serials_data[i+1] = serial_next
    # bs=b''
    # for x in reversed_serials_data:
    #     bs+=x.to_bytes(4,'little')
    #     # print(x.to_bytes(4,'little'))
    # print('reversed_serials_data:\n',bs,bs.hex())
    return reversed_serials_data
def serialStrToIntArray(serial:str):
    serial=serial.split('-')
    serial_array =[ int.from_bytes(bytes.fromhex(serial),'big') for i in range(4)]
    return serial_array
def domain():
    # uid=720957
    print('please input your uid:')
    uidstr=input()
    if not uidstr:
        uid=720957
        print('uid:',uid)
    else:
        uid=int(uidstr)
    numb=uid**3^0x323032796C6C6F73
    serials_data=numbTotarget(numb)
    redata=reverse_check_serial(serials_data, table2_41F8D0, table3_41E8D0)
    result=[]
    for x in redata:
        result.append('%08x'%x)
    print('serial:'+'-'.join(result))   
if __name__=='__main__':
    domain()   
'''
uid: 720957
serial:6A9D679F-D851591D-0B943F6F-D3E95EDC
'''

下载次数, 脱壳

jackyyue_cn   

过程很详细,给LZ点赞!
作为新手 还是有很多不明白的地方
比如
上面黑色背景部分的代码 是用什么分析软件反编译得到 还是阅读汇编指令后对应打的代码?
IDA中是怎么分析COM Object的?是先从exe中解析出com组件的文件 再用ida分析吗
yzy6699   


jackyyue_cn 发表于 2024-2-25 21:05
过程很详细,给LZ点赞!
作为新手 还是有很多不明白的地方

参数rename+自己重新写
BMK   

请问内存的数据是怎么dump的呢,我unlicense后的程序无法正常的RegServer。
王诚   

谢谢楼主,。。。。。。
KeviseBY   

感谢楼主分享,
请问内存的数据是怎么dump的呢,我unlicense后的程序无法正常的RegServer
您需要登录后才可以回帖 登录 | 立即注册