解题过程
主要逻辑
程序通过 shellcode 的形式来解析 opcode,执行 vm 的相关操作,最终通过 D3D 函数来绘制方框
解析 Opcode 逻辑
通过编写以下程序来解析 opcode 基本逻辑
#include <cstdio>
// Bytecode for the challenge VM examined in this write-up, one 32-bit word per element.
// Encoding, as decoded by the switch in main() below:
//   0            data[0] += data[1]
//   1            data[0] -= data[1] (main() adds data[1] back when the result is negative)
//   2 src dst    data[dst] = data[src]
//   3 imm dst    data[dst] = imm
//   4 key        Encode step: rewrites data[0] and data[1] from their old values and key
//   5            Draw(data[4], data[5], data[6], data[7]) with colour 0xFFFFFF00
//   6            Draw(data[4], data[5], data[6], data[7]) with colour 0xFF2DDBE7
//   7            end of program
// The initializer supplies exactly 1596 words (199 rows of 8 plus a final row of 4),
// so any index at or beyond 1596 is outside the array.
int table[1596] = {
0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C, 0x00000002, 0x00000000,
0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005,
0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002,
0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000,
0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00985AD2, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00A9685D, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000004, 0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00785CEF, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00963EA7, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00465215, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00856DCE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000, 0x00000003, 0x000003E8,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00758C6E, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x0098A6B4, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000,
0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000258, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00ABFC52,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x009654EA, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x008523AC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000001, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x0086EACC, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00EA3245, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00854AEC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00963DCE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0098EE44,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0078A213, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00526339, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0088574E, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0012445A,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00965243, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AA23E4, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00AA2488, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00965224, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00263554, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00015478,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00963524, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AEBCDF, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x008547AE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x009685AA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0096335A, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00965234, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x007845EE, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00482526,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00326212, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00747475, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x002314EC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x009634EA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000007
};
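/*
 * Offline tracer for the challenge VM: walks the bytecode in table[] and
 * prints one line per decoded instruction, plus the arguments of every Draw.
 *
 * Register file: data[0..9]; data[8] and data[9] start at 0x32, the rest at 0.
 * Returns 0 on End (opcode 7) or when the bytecode is exhausted, and 1 when
 * the bytecode is malformed (missing operand or register index outside 0..9).
 *
 * The bytecode is treated as untrusted input here: every operand fetch and
 * every register index is range-checked before use, because a tracer like
 * this is typically re-run on dumped or hand-edited opcode arrays.
 */
int main()
{
    // Bound the instruction pointer by the real element count. The original
    // loop stopped at 0x1301, which is far beyond table[1596] and would read
    // out of bounds on any stream that does not end with opcode 7.
    const int table_len = static_cast<int>(sizeof(table) / sizeof(table[0]));
    const int reg_count = 10;

    int ip = 0;
    unsigned int data[10] = { 0 };
    data[8] = data[9] = 0x32;

    while (ip < table_len)
    {
        switch (table[ip])
        {
        case 0:
            printf("data[0] += data[1] #data[0] = 0x%08X data[1] = 0x%08X\n", data[0], data[1]);
            data[0] += data[1];
            break;
        case 1:
            printf("data[0] -= data[1] #data[0] = 0x%08X data[1] = 0x%08X\n", data[0], data[1]);
            data[0] -= data[1];
            // Undo the subtraction when the signed result went negative.
            // NOTE(review): the write-up describes this add-back as the fix
            // applied to the target via a hook, so this case appears to model
            // the patched handler rather than the shipped one - confirm.
            if (static_cast<int>(data[0]) < 0)
                data[0] += data[1];
            break;
        case 2:
        {
            // Layout: 2, src, dst  ->  data[dst] = data[src]
            if (ip + 2 >= table_len)
            {
                fprintf(stderr, "truncated opcode 2 at ip=%d\n", ip);
                return 1;
            }
            const int src = table[ip + 1];
            const int dst = table[ip + 2];
            if (src < 0 || src >= reg_count || dst < 0 || dst >= reg_count)
            {
                fprintf(stderr, "register index out of range at ip=%d\n", ip);
                return 1;
            }
            printf("%02X %02X %02X ", table[ip], src, dst);
            ip += 2;
            data[dst] = data[src];
            // src is a plain int so it matches %d (the original passed a
            // 64-bit value to %d, which is a format/argument mismatch).
            printf("data[%d] = data[%d] #data[%d] = 0x%08X\n", dst, src, dst, data[dst]);
            break;
        }
        case 3:
        {
            // Layout: 3, imm, dst  ->  data[dst] = imm
            if (ip + 2 >= table_len)
            {
                fprintf(stderr, "truncated opcode 3 at ip=%d\n", ip);
                return 1;
            }
            const unsigned int val = table[ip + 1];
            const int dst = table[ip + 2];
            if (dst < 0 || dst >= reg_count)
            {
                fprintf(stderr, "register index out of range at ip=%d\n", ip);
                return 1;
            }
            ip += 2;
            data[dst] = val;
            printf("data[%d] = 0x%08X\n", dst, val);
            break;
        }
        case 4:
        {
            // Layout: 4, key  ->  Encode(data[0], data[1], key)
            if (ip + 1 >= table_len)
            {
                fprintf(stderr, "truncated opcode 4 at ip=%d\n", ip);
                return 1;
            }
            ++ip;
            printf("Encode (data[0], data[1], table[ip]) #Encode(0x%08X, 0x%08X, 0x%08X)\n", data[0], data[1], table[ip]);
            // The arithmetic below is kept exactly as written so the trace
            // matches earlier runs. NOTE(review): the signed % can yield a
            // negative byte that is then shifted left; presumably this mirrors
            // the decompiled handler - confirm before tidying it up.
            int v13 = data[0];
            int v14 = data[0] * (data[1] + 1);
            data[0] = table[ip] ^ 0x414345;
            data[1] = (unsigned int)((int)(data[0] ^ (data[1] + v13)) % 256
                + (((int)(data[0] ^ (v13 * data[1])) % 256
                + (((int)(data[0] ^ (data[1] + v14)) % 256) << 8)) << 8));
            break;
        }
        case 5:
            printf("Draw(0x%08x, 0x%08x, 0x%08x, 0x%08x, 0xFFFFFF00)\n", data[4], data[5], data[6], data[7]);
            break;
        case 6:
            printf("Draw(0x%08x, 0x%08x, 0x%08x, 0x%08x, 0xFF2DDBE7)\n", data[4], data[5], data[6], data[7]);
            break;
        case 7:
            printf("End\n");
            return 0;
        default:
            // Unknown words were skipped silently before; keep skipping them
            // (stdout trace unchanged) but say so, since a desynchronised
            // decode would otherwise go unnoticed.
            fprintf(stderr, "unknown opcode 0x%08X at ip=%d, skipped\n", (unsigned int)table[ip], ip);
            break;
        }
        ++ip;
    }
    return 0;
}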
通过观察可以发现,在正常的情况下,所调用的 Draw 函数前两个参数分别对应着写入位置的坐标,第三个和第四个参数对应着从 case 4 中加密计算的验证值。
寻找 Flag 不能显示的原因
在输出内容中,颜色值 0xFFFFFF00 对应黄色,0xFF2DDBE7 对应蓝色;结合题目说明来看,前者绘制的是 Flag 标志的图案内容,而后者是正常输出的 ACE Logo。
在分析过程中,可以发现和 Flag 标志内容有关的位置信息存在错误:坐标被减去一个值后成为了负数,导致坐标偏离了正常范围。我们可以在代码中对 case 1 这个 opcode handler 进行 hook,使用汇编指令 jns 来判定相减过程是否导致值变成了负数,如果出现这种情况则把减去的值加回。
// Patch stub for the VM's subtract handler (case 1 in the tracer above): if the
// subtraction left a non-negative result it does nothing, otherwise it adds the
// subtracted value back, then jumps on.
// NOTE(review): relies on the flags from the handler's subtraction still being
// live at the hook point, and presumably [rbp - 0x28] is data[0] and eax the
// subtracted value - neither is shown on this page, confirm in the disassembly.
// Being a string literal, the array also carries a terminating NUL byte:
// sizeof(Myshellcode) is 11, the stub itself is the first 10 bytes.
BYTE Myshellcode[] =
"\x79\x03" // jns rel8 +3: sign flag clear, skip the 3-byte add below
"\x01\x45\xD8" // add dword ptr [rbp - 0x28], eax
"\xE9\x00\x00\x00\x00"; // jmp rel32: displacement is a zero placeholder, filled in elsewhere
在通过以上修复后,发现有几个 Flag 方框被成功显示
但是显示内容并不完整,于是继续观察能够被成功显示的这几个方框存在的特性。
观察发现:能够正常显示的方框,其第三、四个参数没有经过交换;而没有正常显示的方框,其第三、四个参数被交换了!这说明交换参数三、四这个操作是错误的,需要我们剔除。
因为前面已经使用了 Hook 的方法进行修改,这里换一种思路,尝试用修复 opcode 的方式。我们打印出这个交换操作对应的 opcode 序列(按上面解析程序的 case 2 解码,应为 2,0,3, 2,1,0, 2,3,1,即借助 data[3] 交换 data[0] 与 data[1]),然后搜索此序列并剔除,再把修复后的 opcode 写回到程序中。
成功显示 Flag 内容
通过以上两个修复,最终成功显示了 Flag 内容
解题代码
#define NAME TEXT("2022游戏安全技术竞赛初赛.exe")
#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>
int opcode[1596] = {
0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C, 0x00000002, 0x00000000,
0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005,
0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x005A8E2C,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002,
0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000,
0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00985AD2, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00A9685D, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000004, 0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00785CEF, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00963EA7, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00465215, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00856DCE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000, 0x00000002,
0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004, 0x00000000, 0x00000003, 0x000003E8,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00758C6E, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000005, 0x00000000, 0x00000003, 0x000001F4, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x0098A6B4, 0x00000002, 0x00000000, 0x00000003, 0x00000002,
0x00000001, 0x00000000, 0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000004,
0x00000000, 0x00000003, 0x000003E8, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000003, 0x00000002, 0x00000001, 0x00000000,
0x00000002, 0x00000003, 0x00000001, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000258, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00ABFC52,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000001, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00856ECE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x009654EA, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x000000B4, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x008523AC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000001, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x0086EACC, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00EA3245, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000001, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00854AEC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00963DCE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0098EE44,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0078A213, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00526339, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0088574E, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0012445A,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00965243, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AA23E4, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00AA2488, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x00965224, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x00000002, 0x00000008, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x00263554, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00015478,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00963524, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00AEBCDF, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x0000003C, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x008547AE, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x009685AA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000000B4,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000,
0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002,
0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x0096335A, 0x00000002,
0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008,
0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004,
0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001,
0x00000004, 0x00965234, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007,
0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x00000078,
0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000,
0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x007845EE, 0x00000002, 0x00000000, 0x00000006,
0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003,
0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009,
0x00000000, 0x00000003, 0x000000B4, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005,
0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00482526,
0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002,
0x00000008, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000,
0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005,
0x00000001, 0x00000004, 0x00326212, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001,
0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x0000012C, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003,
0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004,
0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004, 0x00747475, 0x00000002, 0x00000000,
0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006, 0x00000002, 0x00000008, 0x00000000,
0x00000003, 0x00000168, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000004, 0x00000002,
0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001, 0x00000000, 0x00000002, 0x00000000,
0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002, 0x00000005, 0x00000001, 0x00000004,
0x002314EC, 0x00000002, 0x00000000, 0x00000006, 0x00000002, 0x00000001, 0x00000007, 0x00000006,
0x00000002, 0x00000008, 0x00000000, 0x00000003, 0x000001A4, 0x00000001, 0x00000000, 0x00000002,
0x00000000, 0x00000004, 0x00000002, 0x00000009, 0x00000000, 0x00000003, 0x000000F0, 0x00000001,
0x00000000, 0x00000002, 0x00000000, 0x00000005, 0x00000002, 0x00000004, 0x00000000, 0x00000002,
0x00000005, 0x00000001, 0x00000004, 0x009634EA, 0x00000002, 0x00000000, 0x00000006, 0x00000002,
0x00000001, 0x00000007, 0x00000006, 0x00000007
};
// Destination for the filtered opcode stream: HOOK() copies opcode[] into it
// (minus the sequences it skips) and then writes the whole array into the
// target process. 1596 is the same bound HOOK() uses when scanning opcode[].
int fcode[1596];
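/*
 * Print a warning for a failed Win32 call.
 *
 * msg names the call that failed; the line also carries the GetLastError()
 * code and the first line of the system's description of it, with trailing
 * dots and whitespace removed. If no description can be produced the
 * parentheses are left empty.
 */
void printError(const TCHAR* msg)
{
    // Take the error code before any other API call can overwrite it.
    DWORD eNum = GetLastError();
    TCHAR sysMsg[256];
    sysMsg[0] = 0;

    // FormatMessage returns the number of TCHARs stored (terminator excluded)
    // or 0 on failure; the buffer is only scanned up to that length, so a
    // failed call never makes us read uninitialised memory.
    DWORD len = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL, eNum,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
        sysMsg, 256, NULL);

    // Keep the first line only: stop at the first control character other
    // than TAB.
    DWORD end = 0;
    while ((end < len) && ((sysMsg[end] > 31) || (sysMsg[end] == 9)))
        ++end;

    // Drop trailing dots and whitespace. The index is bounded below by 0, so
    // an empty or all-blank message cannot walk in front of the buffer.
    while ((end > 0) && ((sysMsg[end - 1] == '.') || (sysMsg[end - 1] < 33)))
        --end;
    sysMsg[end] = 0;

    // Display the message
    _tprintf(TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg);
}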
/*
 * Locate, inside process dwPID, the module whose name equals NAME and return
 * its base address plus 0x8318.
 *
 * HOOK() reads one pointer from the returned address, so the value is the
 * location of a pointer slot rather than of the shellcode itself. The offset
 * is hard-coded for one specific build of the target module.
 *
 * Returns NULL when the snapshot cannot be taken, the module list cannot be
 * read, or no module matches.
 */
BYTE* FindShellcodeAddr(DWORD dwPID)
{
    // Snapshot of the modules loaded in the requested process.
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
    if (snap == INVALID_HANDLE_VALUE)
    {
        printError(TEXT("CreateToolhelp32Snapshot (of modules)"));
        return NULL;
    }

    // dwSize has to be filled in before the first Module32First call.
    MODULEENTRY32 entry;
    entry.dwSize = sizeof(MODULEENTRY32);
    if (!Module32First(snap, &entry))
    {
        printError(TEXT("Module32First")); // show cause of failure
        CloseHandle(snap);                 // release the snapshot object
        return NULL;
    }

    // Walk the module list until the name matches or the list ends.
    BYTE* found = NULL;
    for (;;)
    {
        if (_tcscmp(entry.szModule, NAME) == 0)
        {
            found = entry.modBaseAddr + 0x8318;
            break;
        }
        if (!Module32Next(snap, &entry))
            break;
    }

    CloseHandle(snap);
    return found;
}
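/*
 * Suspend (isSuspend != 0) or resume (isSuspend == 0) every thread whose
 * owning process ID equals dwOwnerPID.
 *
 * Returns FALSE when the thread snapshot cannot be taken or read, TRUE
 * otherwise. Threads that cannot be opened or changed are reported with
 * printError() and skipped; they do not change the return value.
 */
BOOL CommandThread(DWORD dwOwnerPID, BOOL isSuspend)
{
    // The thread snapshot is system-wide; entries are filtered by owner below.
    HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hThreadSnap == INVALID_HANDLE_VALUE)
    {
        printError(TEXT("CreateToolhelp32Snapshot (of threads)"));
        return(FALSE);
    }

    // Fill in the size of the structure before using it.
    THREADENTRY32 te32;
    te32.dwSize = sizeof(THREADENTRY32);
    if (!Thread32First(hThreadSnap, &te32))
    {
        printError(TEXT("Thread32First")); // show cause of failure
        CloseHandle(hThreadSnap);          // clean the snapshot object
        return(FALSE);
    }

    do
    {
        if (te32.th32OwnerProcessID == dwOwnerPID)
        {
            // SuspendThread/ResumeThread only need THREAD_SUSPEND_RESUME, so
            // ask for that right instead of THREAD_ALL_ACCESS.
            HANDLE hThread = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID);
            if (hThread == NULL)
            {
                // The thread may have exited since the snapshot, or access
                // was denied; never pass a NULL handle on.
                printError(TEXT("OpenThread"));
            }
            else
            {
                // Both calls return (DWORD)-1 on failure.
                DWORD prevCount = isSuspend ? SuspendThread(hThread)
                                            : ResumeThread(hThread);
                if (prevCount == (DWORD)-1)
                    printError(isSuspend ? TEXT("SuspendThread") : TEXT("ResumeThread"));
                CloseHandle(hThread);
            }
        }
    } while (Thread32Next(hThreadSnap, &te32));

    CloseHandle(hThreadSnap);
    return(TRUE);
}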
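/*
 * Fill fcode[] from opcode[], leaving out every occurrence of the nine-word
 * sequence 2,0,3, 2,1,0, 2,3,1. Entries of fcode[] behind the copied words
 * are not written.
 */
static void BuildFixedOpcode(void)
{
    static const int skip[9] = { 2, 0, 3, 2, 1, 0, 2, 3, 1 };
    int i = 0, j = 0;
    while (i < 1596)
    {
        // A match needs all nine words to lie inside the table.
        BOOL match = (i + 8 < 1596);
        for (int k = 0; match && k < 9; ++k)
            match = (opcode[i + k] == skip[k]);
        if (match)
            i += 9;
        else
            fcode[j++] = opcode[i++];
    }
}

/*
 * Copy size bytes from data to addr in the process behind hProcess.
 *
 * The range is switched to PAGE_EXECUTE_READWRITE for the write and the
 * previous protection is put back afterwards, also when the write fails.
 * Returns the result of WriteProcessMemory.
 */
static BOOL WriteWithProtect(HANDLE hProcess, BYTE* addr, const void* data, SIZE_T size)
{
    DWORD dwOldProt = 0;
    // Remember whether the change worked: dwOldProt is only meaningful then,
    // and restoring an unset value would leave the pages with a wrong
    // protection.
    BOOL changed = VirtualProtectEx(hProcess, (LPVOID)addr, size, PAGE_EXECUTE_READWRITE, &dwOldProt);
    BOOL written = WriteProcessMemory(hProcess, (LPVOID)addr, data, size, 0);
    if (!written)
        printError(TEXT("WriteProcessMemory")); // report before the next call resets the error
    if (changed)
        VirtualProtectEx(hProcess, (LPVOID)addr, size, dwOldProt, &dwOldProt);
    return written;
}

/*
 * Apply the patch to the already opened target process.
 *
 * Steps, in this order: read the pointer slot found by FindShellcodeAddr(),
 * allocate and write the small trampoline, suspend threads, rebuild fcode[],
 * write the 5-byte jump at shellcode + 0x4DE, write fcode[] at
 * shellcode + 0x1301, resume threads. All offsets are hard-coded for one
 * build of the target.
 *
 * Returns TRUE only when both writes into the existing code succeeded.
 * The caller keeps ownership of hProcess.
 */
static BOOL PatchTarget(HANDLE hProcess, DWORD dwPID, DWORD dwParentPID)
{
    BYTE* shellcode_ptr = FindShellcodeAddr(dwPID);
    if (!shellcode_ptr)
    {
        _tprintf(TEXT("\n WARNING: pointer slot not found in target module"));
        return(FALSE);
    }

    // Read exactly one pointer. A fixed length of 8 would write past the
    // variable in a 32-bit build of this tool.
    // NOTE(review): the trampoline below addresses rbp, so the target looks
    // like 64-bit code and this tool presumably has to be built for x64 too.
    BYTE* shellcode = NULL;
    if (!ReadProcessMemory(hProcess, shellcode_ptr, &shellcode, sizeof(shellcode), 0))
    {
        printError(TEXT("ReadProcessMemory"));
        return(FALSE);
    }
    shellcode -= 0x650;
    _tprintf(TEXT("Shellcode: 0x%p"), shellcode);

    BYTE* HookAdr = shellcode + 0x4DE;
    BYTE Myshellcode[] =
        "\x79\x03"              // jns $+3
        "\x01\x45\xD8"          // add dword ptr [rbp - 0x28], eax
        "\xE9\x00\x00\x00\x00"; // jmp xxx
    BYTE HookCode[] = "\xE9\x00\x00\x00\x00";

    // Alloc Shellcode, Write Shellcode. The region is writable and
    // executable at the same time and stays that way after the patch.
    PBYTE pMem = (PBYTE)VirtualAllocEx(hProcess, NULL, sizeof(Myshellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!pMem)
    {
        printError(TEXT("VirtualAllocEx"));
        return(FALSE);
    }

    // Offset of the trailing jmp inside Myshellcode (the array also holds the
    // string literal's terminating NUL, hence the -1).
    ULONG ShellcodeJmp = (sizeof(Myshellcode) - 1 - 5);

    // NOTE(review): both displacements are computed from the low 32 bits of
    // the addresses. That is only a valid rel32 when source and destination
    // are within +/-2 GiB of each other, which VirtualAllocEx(NULL, ...) does
    // not promise - confirm for the target in question.
    *(ULONG*)(HookCode + 1) = (ULONG)(ULONG_PTR)pMem - (ULONG)(ULONG_PTR)HookAdr - 5;
    *(ULONG*)(Myshellcode + ShellcodeJmp + 1) =
        (ULONG)(ULONG_PTR)(shellcode + 0x5FA) - (ULONG)(ULONG_PTR)(pMem + ShellcodeJmp) - 5;

    if (!WriteProcessMemory(hProcess, pMem, &Myshellcode, sizeof(Myshellcode), 0))
    {
        printError(TEXT("WriteProcessMemory"));
        VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
        return(FALSE);
    }

    // NOTE(review): this is the PID of the process that started NAME, so the
    // threads being suspended are the parent's, not NAME's own. Confirm that
    // this is intended and not meant to be the target's process ID.
    CommandThread(dwParentPID, TRUE);

    // FIX OPCODE
    BuildFixedOpcode();

    // Write JMP
    BOOL ok = WriteWithProtect(hProcess, HookAdr, HookCode, 5);
    if (!ok)
    {
        // Nothing jumps to the trampoline yet, so it can be released.
        VirtualFreeEx(hProcess, pMem, 0, MEM_RELEASE);
    }
    else
    {
        // Write Opcode. From here on the jump at HookAdr points at pMem, so
        // the allocation must stay even if this write fails.
        ok = WriteWithProtect(hProcess, shellcode + 0x1301, fcode, sizeof(fcode));
    }

    // Always undo the suspend, whatever happened in between.
    CommandThread(dwParentPID, FALSE);
    return ok;
}

/*
 * Find the first process whose executable name equals NAME and patch it.
 *
 * Returns FALSE when the process list cannot be read, the process cannot be
 * opened, or the patch fails. Returns TRUE after a successful patch and also
 * when no process with that name is running. Every handle opened here is
 * closed before returning.
 */
BOOL HOOK()
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printError(TEXT("CreateToolhelp32Snapshot (of processes)"));
        return(FALSE);
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32))
    {
        printError(TEXT("Process32First"));
        CloseHandle(hProcessSnap);
        return(FALSE);
    }

    BOOL result = TRUE;
    do
    {
        if (!_tcscmp(pe32.szExeFile, NAME))
        {
            HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
            if (hProcess == NULL)
            {
                printError(TEXT("OpenProcess"));
                result = FALSE;
                break;
            }
            _tprintf(TEXT("Process ID: 0x%08X\n"), pe32.th32ProcessID);
            result = PatchTarget(hProcess, pe32.th32ProcessID, pe32.th32ParentProcessID);
            CloseHandle(hProcess);
            break; // only the first match is handled
        }
    } while (Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return result;
}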
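/*
 * Entry point: run HOOK() once and report its outcome in the exit status
 * (0 when HOOK() returned TRUE, 1 otherwise).
 */
int main()
{
    return HOOK() ? 0 : 1;
}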