
Tatung University Malware Analysis W11 Writeup

x64dbg Exercise

Problem

Use x64dbg to modify the conditional jump after the password check so that, no matter what the user enters, the program prints 「密碼正確」 (password correct).

This program takes a string from the user as the password, then pops up a window saying whether the password is correct. From that we can guess what we are likely to see in the code:

  • gets (or some other string-reading function)
  • the correct password
  • MessageBoxA

First go to the entry point and look for any useful strings. Luckily, the "password correct" and "password wrong" strings are right there, and the 369abc just above them is very likely the correct password, so it is worth trying.


Jumping there, that chunk of code happens to be a function, so set a breakpoint on it and just F9 to it; nothing interrupted along the way.


After printing the input prompt and reading the string, you can see the program call strcspn.


Checking further down, there is a jne that jumps to the "password correct" location, and above it both my input aaaabbbbccccdddd and the 369abc string from earlier appear, so we can infer that 369abc is the correct password.

To make every input produce 「密碼正確」, just change the conditional jump jne into an unconditional jmp (\xEB).


Continue with F9 and you get the following result.


Of course, entering the correct password still works too.

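What the one-byte edit in this exercise does, and how a defender notices it, as an added example that is not part of the writeup. The byte sequence is constructed to mimic the tail of a password check (a `cmp` followed by a short `jne`); it is not taken from the exercise binary, and only the 2-byte short-jump form is handled.

```python
"""Added example (not from the writeup): the jne -> jmp patch at the byte
level, plus an integrity check that detects the edited image.

The bytes below are constructed to mimic the tail of a password check:
a `cmp` followed by a short `jne` (opcode 0x75 with one signed rel8 byte).
Real programs differ; only the opcode handling is general.
"""
import hashlib

JNE_SHORT = 0x75   # jne rel8
JMP_SHORT = 0xEB   # jmp rel8: same length, same displacement semantics

# Constructed stand-in for the code around the check (not the real binary):
#   3B 45 FC        cmp eax, [ebp-4]
#   75 0A           jne +0x0A   (skip the "wrong password" block)
#   90 x 10         "wrong password" handling, stubbed with NOPs here
#   B8 01 00 00 00  mov eax, 1  ("password correct" path)
ORIGINAL = bytes.fromhex("3B45FC" "750A" + "90" * 10 + "B801000000")
JNE_OFFSET = 3


def patch_jne_to_jmp(code: bytes, offset: int) -> bytes:
    """Return a copy of `code` with the short jne at `offset` rewritten as jmp.

    Only the 2-byte short form is handled: the 6-byte near form
    (0F 85 rel32) has no same-length unconditional equivalent, so the
    function refuses instead of guessing.
    """
    if offset + 1 >= len(code) or code[offset] != JNE_SHORT:
        raise ValueError(f"no short jne at offset {offset:#x}")
    patched = bytearray(code)
    patched[offset] = JMP_SHORT        # the displacement byte is kept as-is
    return bytes(patched)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(code: bytes, known_good_digest: str) -> bool:
    """Defender-side check: does the image still match the digest recorded
    when it was built or deployed?  A single patched opcode changes it."""
    return sha256_hex(code) == known_good_digest


if __name__ == "__main__":
    good = sha256_hex(ORIGINAL)
    patched = patch_jne_to_jmp(ORIGINAL, JNE_OFFSET)
    print("before:", ORIGINAL.hex(" "))
    print("after: ", patched.hex(" "))
    print("integrity check on patched image:", integrity_ok(patched, good))
```

The displacement byte after the opcode is untouched, which is why the edit stays the same length and the rest of the function keeps its layout; it is also why a stored hash of the executable is enough to catch the change, since no code-signing or section-level detail is needed.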

x64dbg Exercise

Problem

Find the code segment in HelloWorld.exe that makes the window pop up.

  • Do not find it through the MessageBox API
  • Do not find it through strings

You can simply step over with F8 and watch which call brings up the window. EIP stops at a function call.


Then step into it with F7 and you see the MessageBoxA call.


Challenge 1

Problem

Make the program believe you have a CD-ROM drive.

Password: 369abc

The key to this challenge is the return value of GetDriveType.


Right after the call to GetDriveType returns, we can try changing the value of EAX to 0x5.


Alternatively, change ZF just before the jump.


Challenge 2

Problem

Find and enter the correct "Name and Serial".

Password: GetDriveTypeA

Peek at the password requirement for the next level first:

Tip

The password is the Serial value you get when entering David in challenge02 (note the case).

So honestly enter David as the Name and go looking for it.

After entering at the entry point, look for suspicious strings as before.


Then use the string locations to quickly pinpoint suspicious spots. Going to the string "Congradulations!", there is a call to a function named __vbaVarTstEq just before it, very likely the string comparison. So I set a breakpoint there and ran it.

After a mov instruction inside the VarCmp function, a string gets loaded in, and since this is inside the comparison function, it is very likely the correct serial for David.


Challenge 3

Problem

After pressing "OK", no error should appear (do not change any of the program's machine code).

Password: A8C5DACD

Running the program directly, the hint at the top suggests it probably wants to open some file, so look for related functions in that direction.

Right at the entry point, before the call to CreateFile, there is a file name abex.l2c. First create a file with that name in the same directory, then keep tracing to see what the program does.


After opening the file it calls GetFileSize to get the file size; if the size equals 0x12 it shows the success window.


You can change the value of ZF to make it jump to the success screen.


Or simply write 18 (0x12) "a" characters into the file so that it meets the condition.


Challenge 4

Problem

Enter the "Serial" to complete registration.

Password: abex.l2c18

Again, go to the entry point and look at the strings.


Locating "Well done!" and looking upward, it is wrapped inside a function, so set a breakpoint there and run.


Nothing happened, so I looked at the intermodular calls and found a __vbaStrCmp; how kind.


Going back to enter input, the breakpoint triggered. Looking upward, there is another string, 2034120, which is very likely the answer.


Then look at the hint for the next level's password:

Tip

The password is the Serial value from challenge04 with the computer clock set to 2024/11/22 09:00.

Obediently do as it says and run it once more.


Challenge 5

Problem

Enter the "correct Serial".

Password: 2115080

Again, go to the entry point and look at the strings.


There are several strings that look like pop-up messages; going there, an lstrcmpiA is right in view, so set a breakpoint and run.

After pressing the check button, a very suspicious string appears near the breakpoint: L2C-57816784-ABEX


Replace the input with L2C-57816784-ABEX and press the check button again; it should pass.


Challenge 6

Problem

  • What does this program do before it shows this window?
  • Change the flow without modifying the jump and without using NOP.

Password: L2C-57816784-ABEX

There is text for the pop-up windows; going there, both are wrapped inside the same function, so set a breakpoint and observe.


In short, there are two function calls in this program; the return value of the second is compared with 0x4876E7FF, and if it matches, the program goes on to compare whether edx equals 0x17.

So, after the second function call and before the cmp executes, change eax to 0x4876E7FF and then edx to 0x17, and the success message appears.

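The three debugger interventions used across Challenges 1, 3 and 6 (set the register before `cmp`, flip ZF after `cmp`, or make the input genuinely satisfy the check) all act on the same `cmp` / conditional-jump pair, so they are easiest to compare in one small model. The following is an added example, not code from the writeup or from the challenge binaries; the constants are the ones quoted above, while the jump mnemonic guarding each check (`je` to the success path) and the DRIVE_CDROM value of 5 are assumptions stated in the code.

```python
"""Added example (not from the writeup): a model of the x86 `cmp` /
conditional-jump pair that every challenge above ends in.

Interventions modelled:
  1. change the compared register before `cmp`
     (Challenge 1: EAX = 5; Challenge 6: EAX = 0x4876E7FF, EDX = 0x17),
  2. flip ZF after `cmp` but before the jump (Challenge 1, Challenge 3),
  3. make the input actually satisfy the check (Challenge 3: 0x12-byte file).

Assumed, not read from the binaries: each check is `cmp value, constant`
followed by `je success`.  DRIVE_CDROM == 5 is the documented Win32 value.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
DRIVE_CDROM = 5            # GetDriveType return value for a CD-ROM drive
DRIVE_FIXED = 3            # what a plain hard disk directory returns


@dataclass
class Flags:
    zf: bool
    cf: bool
    sf: bool
    of: bool


def cmp32(a: int, b: int) -> Flags:
    """Flags as x86 `cmp a, b` sets them: compute a - b, discard the result."""
    a &= MASK32
    b &= MASK32
    res = (a - b) & MASK32
    return Flags(
        zf=(res == 0),
        cf=(a < b),                                # unsigned borrow
        sf=bool(res >> 31),
        of=bool(((a ^ b) & (a ^ res)) >> 31),      # signed overflow
    )


# Branch predicates from the x86 condition-code definitions.
JCC = {
    "je":  lambda f: f.zf,
    "jne": lambda f: not f.zf,
    "jb":  lambda f: f.cf,
    "jae": lambda f: not f.cf,
    "jl":  lambda f: f.sf != f.of,
    "jge": lambda f: f.sf == f.of,
}


def taken(mnemonic: str, flags: Flags) -> bool:
    return JCC[mnemonic](flags)


def check(value: int, expected: int, force_zf=None) -> bool:
    """Model `cmp value, expected` / `je success` (assumed shape).

    `force_zf` stands in for editing ZF in the debugger's flag pane after
    `cmp` has run: the jump only looks at the flags, never at the operands,
    so the edited flag alone decides the branch.
    """
    f = cmp32(value, expected)
    if force_zf is not None:
        f.zf = force_zf
    return taken("je", f)


def challenge1(drive_type: int, force_zf=None) -> bool:
    """Challenge 1: GetDriveType result compared with DRIVE_CDROM."""
    return check(drive_type, DRIVE_CDROM, force_zf)


def challenge3(file_bytes: bytes, force_zf=None) -> bool:
    """Challenge 3: GetFileSize result compared with 0x12."""
    return check(len(file_bytes), 0x12, force_zf)


def challenge6(eax: int, edx: int) -> bool:
    """Challenge 6: two compares in a row; both must match for success."""
    return check(eax, 0x4876E7FF) and check(edx, 0x17)


if __name__ == "__main__":
    print("C1 fixed disk:          ", challenge1(DRIVE_FIXED))
    print("C1 EAX set to 5:        ", challenge1(5))
    print("C1 ZF forced after cmp: ", challenge1(DRIVE_FIXED, force_zf=True))
    print("C3 empty abex.l2c:      ", challenge3(b""))
    print("C3 18 x 'a':            ", challenge3(b"a" * 18))
    print("C6 eax/edx set:         ", challenge6(0x4876E7FF, 0x17))
```

Two points the model makes visible: the flag flip works in Challenge 3 without touching any machine code, which is why it satisfies that challenge's rule, and in Challenge 6 a single flag edit is not enough because the second `cmp` recomputes the flags from edx, so both registers have to carry the expected values.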