2022 腾讯游戏安全初赛 Writeup

警告
本文最后更新于 2022-04-30,文中内容可能已过时。

解题过程

主要逻辑

程序通过 shellcode 的形式来解析 opcode,执行 vm 的相关操作,最终通过 D3D 函数来绘制方框

解析 Opcode 逻辑

通过编写以下程序来解析 opcode 基本逻辑

#include <cstddef>
#include <cstdint>
#include <cstdio>

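/*
 * Opcode stream of the challenge VM as extracted for this write-up: 1596
 * 32-bit words, one opcode per word with its operands following in-line.
 * The trailing word (7) is the End opcode that terminates the replay in
 * main(). The table is only ever read, so it is file-local and const: it can
 * live in read-only storage and an accidental write is a compile error.
 */
static const int table[1596] = {
	0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C, 0x00000002, 0x00000000,
	0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005,
	0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002,
	0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000,
	0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00985AD2, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00A9685D, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000004, 0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00785CEF, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00963EA7, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
	0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00465215, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00856DCE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000, 0x00000003, 0x000003E8,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00758C6E, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x0098A6B4, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
	0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000,
	0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000258, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00ABFC52,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x009654EA, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x008523AC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000001, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x0086EACC, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00EA3245, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00854AEC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00963DCE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0098EE44,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0078A213, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00526339, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0088574E, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0012445A,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00965243, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AA23E4, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00AA2488, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00965224, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00263554, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00015478,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00963524, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AEBCDF, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x008547AE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x009685AA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0096335A, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00965234, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x007845EE, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00482526,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00326212, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00747475, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x002314EC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x009634EA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000007
};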

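/* Number of VM registers in data[]; register operands taken from the opcode
 * stream are range-checked against this before they index data[]. */
enum { NUM_REGS = 10 };

/* Number of opcode words in table[]. In the unmodified stream the trailing
 * End opcode (7) stops the replay before this bound is reached. The original
 * loop stopped at 0x1301, which is past the end of the 1596-entry table. */
static const size_t TABLE_LEN = sizeof table / sizeof table[0];

/* Returns non-zero when r is a valid index into data[]. */
static int reg_ok(int r)
{
	return r >= 0 && r < NUM_REGS;
}

/*
 * Replays the opcode stream in table[] and prints one trace line per step.
 *
 * Encoding: one int per word, operands follow their opcode in-line.
 *   0            data[0] += data[1]
 *   1            data[0] -= data[1]; data[1] is added back when the result
 *                is negative (the patched handler described in the write-up)
 *   2 src dst    data[dst] = data[src]
 *   3 imm dst    data[dst] = imm
 *   4 key        "Encode": recompute data[0] and data[1] from key, the old
 *                data[0] and data[1]
 *   5 / 6        Draw(data[4], data[5], data[6], data[7]) with colour
 *                0xFFFFFF00 / 0xFF2DDBE7
 *   7            End
 * An unknown opcode is reported on stderr and skipped, which keeps the
 * stdout trace identical to the original interpreter.
 *
 * Returns 0 on End or when the table is exhausted, 1 when an operand would
 * be read past the end of table[] or a register operand is out of range
 * (both were unchecked out-of-bounds accesses before).
 */
int main()
{
	unsigned int data[NUM_REGS] = { 0 };
	data[8] = data[9] = 0x32; /* initial register state used by the trace */

	for (size_t ip = 0; ip < TABLE_LEN; ++ip) {
		switch (table[ip]) {
		case 0:
			printf("data[0] += data[1] #data[0] = 0x%08X data[1] = 0x%08X\n", data[0], data[1]);
			data[0] += data[1];
			break;

		case 1:
			printf("data[0] -= data[1] #data[0] = 0x%08X data[1] = 0x%08X\n", data[0], data[1]);
			data[0] -= data[1];
			/* Same test as the jns patch: undo the subtraction if it went negative. */
			if ((int32_t)data[0] < 0)
				data[0] += data[1];
			break;

		case 2: {
			if (ip + 2 >= TABLE_LEN) {
				fprintf(stderr, "opcode 2 at %zu: operands run past the end of table\n", ip);
				return 1;
			}
			int src = table[ip + 1];
			int dst = table[ip + 2];
			if (!reg_ok(src) || !reg_ok(dst)) {
				fprintf(stderr, "opcode 2 at %zu: register operand out of range (%d, %d)\n", ip, src, dst);
				return 1;
			}
			printf("%02X %02X %02X ", (unsigned)table[ip], (unsigned)src, (unsigned)dst);
			ip += 2;
			data[dst] = data[src];
			printf("data[%d] = data[%d] #data[%d] = 0x%08X\n", dst, src, dst, data[dst]);
			break;
		}

		case 3: {
			if (ip + 2 >= TABLE_LEN) {
				fprintf(stderr, "opcode 3 at %zu: operands run past the end of table\n", ip);
				return 1;
			}
			unsigned int imm = (unsigned int)table[ip + 1];
			int dst = table[ip + 2];
			if (!reg_ok(dst)) {
				fprintf(stderr, "opcode 3 at %zu: register operand out of range (%d)\n", ip, dst);
				return 1;
			}
			ip += 2;
			data[dst] = imm;
			printf("data[%d] = 0x%08X\n", dst, imm);
			break;
		}

		case 4: {
			if (ip + 1 >= TABLE_LEN) {
				fprintf(stderr, "opcode 4 at %zu: key operand runs past the end of table\n", ip);
				return 1;
			}
			++ip;
			printf("Encode (data[0], data[1], table[ip]) #Encode(0x%08X, 0x%08X, 0x%08X)\n",
				data[0], data[1], (unsigned)table[ip]);
			/* Formula kept exactly as in the original emulator; only the
			 * types are standard (int32_t instead of MSVC __int32). */
			int32_t old0 = (int32_t)data[0];
			int32_t mixed = (int32_t)(data[0] * (data[1] + 1u));
			data[0] = (unsigned int)(table[ip] ^ 0x414345);
			/* Each term is a signed remainder in (-256, 256), so the bytes are
			 * combined with multiplies: left-shifting a negative int is UB. */
			int b0 = (int)(data[0] ^ (data[1] + (unsigned int)old0)) % 256;
			int b1 = (int)(data[0] ^ ((unsigned int)old0 * data[1])) % 256;
			int b2 = (int)(data[0] ^ (data[1] + (unsigned int)mixed)) % 256;
			data[1] = (unsigned int)(b0 + (b1 + b2 * 256) * 256);
			break;
		}

		case 5:
			printf("Draw(0x%08x, 0x%08x, 0x%08x, 0x%08x, 0xFFFFFF00)\n", data[4], data[5], data[6], data[7]);
			break;

		case 6:
			printf("Draw(0x%08x, 0x%08x, 0x%08x, 0x%08x, 0xFF2DDBE7)\n", data[4], data[5], data[6], data[7]);
			break;

		case 7:
			printf("End\n");
			return 0;

		default:
			/* The original switch had no default and silently fell through;
			 * keep going so the stdout trace is unchanged, but say so on stderr. */
			fprintf(stderr, "unknown opcode 0x%X at %zu, skipped\n", (unsigned)table[ip], ip);
			break;
		}
	}
	return 0;
}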

通过观察可以发现,在正常的情况下,所调用的 Draw 函数前两个参数分别对应着写入位置的坐标,第三个和第四个参数对应着从 case 4 中加密计算的验证值。

寻找 Flag 不能显示的原因

在输出内容中,其中 0xFFFFFF00 对应是颜色值为黄色,0xFF2DDBE7 为蓝色,结合题目说明来看,前者就是 Flag 标志的图案内容,而后者是正常输出的 ACE Logo。

在过程中,可以发现和 Flag 标志内容有关的位置信息存在错误,被减去一个值成为了负数,导致坐标偏移正常范围,我们可以在代码中对 case 1 这个 opcode handler 进行 hook,使用汇编指令 jns 来判定相减过程是否导致值变成了负数,如果这样的情况存在则把减去的值加回。

/* Patch stub for the opcode-1 (subtract) handler described above. It is
 * placed where the handler has just performed the subtraction: if the result
 * went negative, the value that was subtracted (in eax, per the write-up) is
 * added back to the local at [rbp - 0x28]; otherwise that add is skipped.
 * The register and frame offset belong to this particular build — confirm
 * them against the disassembly before reusing the stub elsewhere. */
BYTE Myshellcode[] =
 "\x79\x03" // jns +3: skip the 3-byte add below when the sign flag is clear
 "\x01\x45\xD8" // add dword ptr [rbp - 0x28], eax
 "\xE9\x00\x00\x00\x00"; // jmp xxx: rel32 is left as zero here, presumably filled in when the stub is installed

在通过以上修复后,发现有几个 Flag 方框被成功显示

image-20220417192641790

但是显示内容并不完整,于是继续观察能够被成功显示的这几个方框存在的特性。

image-20220417192808570

发现,能够被正常显示的方框的参数三、四没有经过交换,而没有正常显示的方框的参数三、四被交换了!这说明交换参数三、四这个操作是错误的,需要我们剔除。

这里因为我们之前使用了 Hook 的方法进行修改,所以这里尝试使用修复 opcode 的方式。我们打印出这个操作序列对应的 opcode,然后搜索此序列并剔除,再把修复后的 opcode 写回到程序中。

成功显示 Flag 内容

通过以上两个修复,最终成功显示了 Flag 内容

FLAG.png

解题代码

#define NAME TEXT("2022游戏安全技术竞赛初赛.exe")
#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>

// Dump of the VM's opcode table as read from the target: 1596 32-bit cells.
// HOOK writes the filtered copy (fcode) back over the table that lives at
// shellcode + 0x1301 in the target process, so this array must stay the
// same size and order as the original.
// The 9-cell run 2 0 3 2 1 0 2 3 1 is the operation sequence that HOOK
// strips before writing the table back. Cells such as 0x005A8E2C always
// follow a 4 and look like immediate operands (presumably colour values
// for the D3D boxes) -- TODO confirm against the VM handler.
int opcode[1596] = {
	0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C, 0x00000002, 0x00000000,
	0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005,
	0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002,
	0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000,
	0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00985AD2, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00A9685D, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000004, 0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00785CEF, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00963EA7, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
	0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00465215, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00856DCE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
	0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000, 0x00000003, 0x000003E8,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00758C6E, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x0098A6B4, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
	0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
	0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000,
	0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000258, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00ABFC52,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
	0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x009654EA, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x000000B4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x008523AC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000001, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x0086EACC, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
	0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00EA3245, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00854AEC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00963DCE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0098EE44,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0078A213, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00526339, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0088574E, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0012445A,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00965243, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AA23E4, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00AA2488, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x00965224, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x00263554, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00015478,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00963524, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AEBCDF, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x008547AE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x009685AA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
	0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
	0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0096335A, 0x00000002,
	0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
	0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
	0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
	0x00000004, 0x00965234, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
	0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
	0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
	0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x007845EE, 0x00000002, 0x00000000, 0x00000006,
	0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
	0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
	0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
	0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00482526,
	0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
	0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
	0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
	0x00000001, 0x00000004, 0x00326212, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
	0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
	0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
	0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00747475, 0x00000002, 0x00000000,
	0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
	0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
	0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
	0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
	0x002314EC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
	0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
	0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
	0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
	0x00000005, 0x00000001, 0x00000004, 0x009634EA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
	0x00000001, 0x00000007, 0x00000006, 0x00000007
};

// Filtered copy of opcode[] that HOOK builds (the unwanted 9-cell sequence
// removed, the freed tail left as zero) and writes over the target's table.
// Must have exactly the same number of cells as opcode[].
int fcode[1596];

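// True for characters stripped from the end of a system message: the
// trailing period and any control/whitespace character. The unsigned cast
// keeps bytes above 0x7F (negative in a signed-char build) untouched, so a
// localised (e.g. GBK) message is not cut short.
static bool IsTrailingJunk(TCHAR c)
{
	return c == '.' || (unsigned)c < 33;
}

// Print "WARNING: <msg> failed with error <code> (<system text>)" for the
// calling thread's last-error value. Call it immediately after the failing
// API, before anything else can overwrite GetLastError().
void printError(const TCHAR* msg)
{
	// Capture the code first: FormatMessage/_tprintf below may clobber it.
	DWORD eNum = GetLastError();

	// Zero-initialised so the trimming loop never walks an undefined buffer
	// when FormatMessage fails (e.g. a code with no system message text).
	TCHAR sysMsg[256] = { 0 };
	if (FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
		NULL, eNum,
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
		sysMsg, 256, NULL) == 0)
	{
		sysMsg[0] = 0;
	}

	// System messages end in ".\r\n"; trim from the real end of the string
	// instead of scanning forward for the first control character, which
	// also keeps the loop bounded to the buffer.
	TCHAR* end = sysMsg + _tcslen(sysMsg);
	while (end > sysMsg && IsTrailingJunk(end[-1]))
		--end;
	*end = 0;

	// %lu matches DWORD; the original %d relied on an implicit reinterpretation.
	_tprintf(TEXT("\n  WARNING: %s failed with error %lu (%s)"), msg, eNum, sysMsg);
}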

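// Return the address, inside the target's main module, of the pointer slot
// that holds the shellcode address (module base + 0x8318). The offset is a
// fixed RVA taken from this particular challenge binary; nothing here
// discovers it dynamically, so a rebuilt binary needs a new value.
// Returns NULL when the snapshot cannot be taken or the module is not found;
// callers must check for that before dereferencing.
BYTE* FindShellcodeAddr(DWORD dwPID)
{
	// NOTE(review): CreateToolhelp32Snapshot with TH32CS_SNAPMODULE can fail
	// transiently with ERROR_BAD_LENGTH while the target is still loading;
	// a retry loop would make this more robust.
	HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
	if (hModuleSnap == INVALID_HANDLE_VALUE)
	{
		printError(TEXT("CreateToolhelp32Snapshot (of modules)"));
		return NULL;
	}

	MODULEENTRY32 me32 = { 0 };
	me32.dwSize = sizeof(me32);

	if (!Module32First(hModuleSnap, &me32))
	{
		printError(TEXT("Module32First"));
		CloseHandle(hModuleSnap);
		return NULL;
	}

	BYTE* shellcode_addr = NULL;
	do
	{
		// Module names are case-insensitive on Windows.
		if (_tcsicmp(me32.szModule, NAME) == 0)
		{
			shellcode_addr = me32.modBaseAddr + 0x8318;
			break;
		}
	} while (Module32Next(hModuleSnap, &me32));

	CloseHandle(hModuleSnap);
	return shellcode_addr;
}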

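// Suspend (isSuspend == TRUE) or resume every thread owned by dwOwnerPID.
// Only THREAD_SUSPEND_RESUME is requested from OpenThread -- the least
// privilege the operation needs, instead of THREAD_ALL_ACCESS.
// Suspend counts are per thread: every successful suspend must be matched by
// a resume, otherwise the target stays frozen after this tool exits.
// Returns FALSE only when the thread snapshot itself fails; a thread that
// cannot be opened or suspended (e.g. it already exited) is reported and
// skipped so the remaining threads are still handled.
BOOL CommandThread(DWORD dwOwnerPID, BOOL isSuspend)
{
	HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	if (hThreadSnap == INVALID_HANDLE_VALUE)
	{
		printError(TEXT("CreateToolhelp32Snapshot (of threads)"));
		return FALSE;
	}

	THREADENTRY32 te32 = { 0 };
	te32.dwSize = sizeof(te32);

	if (!Thread32First(hThreadSnap, &te32))
	{
		printError(TEXT("Thread32First"));
		CloseHandle(hThreadSnap);
		return FALSE;
	}

	// The snapshot is system-wide; keep only the target's threads.
	do
	{
		if (te32.th32OwnerProcessID != dwOwnerPID)
			continue;

		HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
		if (hThread == NULL)
		{
			printError(TEXT("OpenThread"));
			continue;
		}

		DWORD prevCount = isSuspend ? SuspendThread(hThread) : ResumeThread(hThread);
		if (prevCount == (DWORD)-1)
			printError(isSuspend ? TEXT("SuspendThread") : TEXT("ResumeThread"));
		CloseHandle(hThread);
	} while (Thread32Next(hThreadSnap, &te32));

	CloseHandle(hThreadSnap);
	return TRUE;
}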


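// The 9-cell operation sequence that HOOK removes from the opcode table.
static const int BAD_SEQ[9] = { 2, 0, 3, 2, 1, 0, 2, 3, 1 };

// True when the 9 cells starting at opcode[i] (all inside the table of n
// cells) equal BAD_SEQ.
static bool BadSeqAt(size_t i, size_t n)
{
	if (i + 9 > n)
		return false;
	for (size_t k = 0; k < 9; ++k)
		if (opcode[i + k] != BAD_SEQ[k])
			return false;
	return true;
}

// Build fcode from opcode: copy every cell except the occurrences of
// BAD_SEQ, which are skipped whole. The cells freed by the removal stay 0,
// as in the original (fcode is written back at full size). Returns the
// number of cells copied.
static size_t BuildFixedOpcode(void)
{
	const size_t n = sizeof(opcode) / sizeof(opcode[0]);
	for (size_t k = 0; k < sizeof(fcode) / sizeof(fcode[0]); ++k)
		fcode[k] = 0;

	size_t i = 0, j = 0;
	while (i < n)
	{
		if (BadSeqAt(i, n))
			i += 9;
		else
			fcode[j++] = opcode[i++];
	}
	return j;
}

// Compute the rel32 displacement for a 5-byte E9 jmp at `from` that must
// land on `to`. Fails when the distance does not fit a signed 32-bit
// immediate: on x64 VirtualAllocEx with a NULL hint may place the
// trampoline anywhere in the address space, and the original ULONG
// truncation silently produced a wrong jump in that case.
static BOOL Rel32(const BYTE* from, const BYTE* to, LONG* rel)
{
	LONGLONG delta = (LONGLONG)(ULONG_PTR)to - (LONGLONG)(ULONG_PTR)from - 5;
	if ((LONGLONG)(LONG)delta != delta)
		return FALSE;
	*rel = (LONG)delta;
	return TRUE;
}

// Store a 32-bit value little-endian, byte by byte (no unaligned
// type-punning through a ULONG*).
static void PutLE32(BYTE* dst, LONG v)
{
	ULONG u = (ULONG)v;
	dst[0] = (BYTE)(u);
	dst[1] = (BYTE)(u >> 8);
	dst[2] = (BYTE)(u >> 16);
	dst[3] = (BYTE)(u >> 24);
}

// Write len bytes at addr in the target, temporarily making the range
// writable. The previous protection is restored whether or not the write
// succeeds, and the instruction cache is flushed because the bytes may be
// code.
static BOOL WriteTargetMemory(HANDLE hProcess, LPVOID addr, const void* data, SIZE_T len)
{
	DWORD oldProt = 0;
	if (!VirtualProtectEx(hProcess, addr, len, PAGE_EXECUTE_READWRITE, &oldProt))
	{
		printError(TEXT("VirtualProtectEx"));
		return FALSE;
	}

	BOOL ok = WriteProcessMemory(hProcess, addr, data, len, NULL);
	if (!ok)
		printError(TEXT("WriteProcessMemory"));

	DWORD ignored = 0;
	VirtualProtectEx(hProcess, addr, len, oldProt, &ignored);
	FlushInstructionCache(hProcess, addr, len);
	return ok;
}

// Apply both fixes to an already-opened target process (PID dwPID):
//  1. detour the 5 bytes at shellcode+0x4DE through a trampoline that runs
//     `jns $+3; add dword ptr [rbp-0x28], eax` and jumps back to
//     shellcode+0x5FA;
//  2. overwrite the VM's opcode table at shellcode+0x1301 with fcode.
// All three offsets come from the analysed challenge binary. The target's
// threads are suspended while the code and table are being written so no
// thread runs through a half-written site, and they are resumed on every
// path once suspended. Returns FALSE on any failure. Build this tool as x64:
// the slot holds a 64-bit pointer.
static BOOL PatchTarget(HANDLE hProcess, DWORD dwPID)
{
	BYTE* shellcode_ptr = FindShellcodeAddr(dwPID);
	if (shellcode_ptr == NULL)
	{
		_tprintf(TEXT("Target module not found in process\n"));
		return FALSE;
	}

	// Read the 64-bit pointer into a 64-bit integer. The original read 8
	// bytes into a BYTE*, which overflows the variable in a 32-bit build.
	ULONGLONG shellcode_va = 0;
	if (!ReadProcessMemory(hProcess, shellcode_ptr, &shellcode_va, sizeof(shellcode_va), NULL))
	{
		printError(TEXT("ReadProcessMemory"));
		return FALSE;
	}
	// The stored value points 0x650 bytes into the shellcode blob.
	BYTE* shellcode = (BYTE*)(ULONG_PTR)(shellcode_va - 0x650);
	_tprintf(TEXT("Shellcode: 0x%p\n"), shellcode);

	BYTE* HookAdr = shellcode + 0x4DE;
	BYTE* ReturnAdr = shellcode + 0x5FA;
	BYTE* OpcodeAdr = shellcode + 0x1301;

	BYTE Myshellcode[] =
		"\x79\x03" // jns $+3
		"\x01\x45\xD8" // add dword ptr [rbp - 0x28], eax
		"\xE9\x00\x00\x00\x00"; // jmp ReturnAdr (rel32 filled in below)
	const SIZE_T TrampolineLen = sizeof(Myshellcode) - 1; // drop the literal's NUL
	const SIZE_T JmpOffset = TrampolineLen - 5;           // index of the E9
	BYTE HookCode[5] = { 0xE9, 0, 0, 0, 0 };              // jmp pMem

	// Allocate writable first and flip to execute-only-read after the bytes
	// are in place (W^X), rather than a permanently RWX page.
	PBYTE pMem = (PBYTE)VirtualAllocEx(hProcess, NULL, TrampolineLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (!pMem)
	{
		printError(TEXT("VirtualAllocEx"));
		return FALSE;
	}

	LONG relToTrampoline = 0, relBack = 0;
	if (!Rel32(HookAdr, pMem, &relToTrampoline) || !Rel32(pMem + JmpOffset, ReturnAdr, &relBack))
	{
		_tprintf(TEXT("Trampoline at 0x%p is out of rel32 range of the hook site\n"), pMem);
		VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
		return FALSE;
	}
	PutLE32(HookCode + 1, relToTrampoline);
	PutLE32(Myshellcode + JmpOffset + 1, relBack);

	DWORD oldProt = 0;
	if (!WriteProcessMemory(hProcess, pMem, Myshellcode, TrampolineLen, NULL) ||
		!VirtualProtectEx(hProcess, pMem, TrampolineLen, PAGE_EXECUTE_READ, &oldProt))
	{
		printError(TEXT("trampoline write/protect"));
		VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
		return FALSE;
	}

	size_t kept = BuildFixedOpcode();
	_tprintf(TEXT("Opcode table: %u cells kept of %u\n"),
		(unsigned)kept, (unsigned)(sizeof(opcode) / sizeof(opcode[0])));

	// Freeze the TARGET's threads (the original passed th32ParentProcessID,
	// which suspends the parent -- e.g. the shell -- and leaves the VM running).
	if (!CommandThread(dwPID, TRUE))
	{
		VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
		return FALSE;
	}

	BOOL hooked = WriteTargetMemory(hProcess, HookAdr, HookCode, sizeof(HookCode));
	BOOL fixed = hooked && WriteTargetMemory(hProcess, OpcodeAdr, fcode, sizeof(fcode));

	CommandThread(dwPID, FALSE);

	// Once the jmp is live the trampoline must stay mapped for the target's
	// lifetime; it is only safe to release it if the jmp was never written.
	if (!hooked)
		VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
	return fixed;
}

// Find the running challenge process by image name and patch it.
// Returns TRUE only when the process was found and both fixes were applied;
// FALSE (after a message) when it is not running or any step fails.
BOOL HOOK()
{
	HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		printError(TEXT("CreateToolhelp32Snapshot (of processes)"));
		return FALSE;
	}

	PROCESSENTRY32 pe32 = { 0 };
	pe32.dwSize = sizeof(pe32);

	if (!Process32First(hProcessSnap, &pe32))
	{
		printError(TEXT("Process32First"));
		CloseHandle(hProcessSnap);
		return FALSE;
	}

	BOOL found = FALSE;
	BOOL result = FALSE;
	do
	{
		if (_tcsicmp(pe32.szExeFile, NAME) != 0)
			continue;
		found = TRUE;
		_tprintf(TEXT("Process ID: 0x%08X\n"), pe32.th32ProcessID);

		// Only the rights the patch needs (read/write/alloc/protect), not
		// PROCESS_ALL_ACCESS.
		HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
			FALSE, pe32.th32ProcessID);
		if (hProcess == NULL)
		{
			printError(TEXT("OpenProcess"));
			break;
		}

		result = PatchTarget(hProcess, pe32.th32ProcessID);
		CloseHandle(hProcess); // the original leaked this handle
		break;
	} while (Process32Next(hProcessSnap, &pe32));

	CloseHandle(hProcessSnap);
	if (!found)
		_tprintf(TEXT("Process %s is not running\n"), NAME);
	return result;
}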

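// Entry point: patch the running challenge process. The exit status now
// reflects the outcome (0 = patched, 1 = not found or a step failed) so the
// tool can be driven from a script; the original always returned 0.
int main()
{
	return HOOK() ? 0 : 1;
}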