作者：selph

HITCON CTF 2022 Writeup-checker

挺有意思的一道題，這里的關(guān)鍵函數(shù)是使用的動(dòng)態(tài)生成執(zhí)行操作，按照特定參數(shù)序列進(jìn)行解密才能正常執(zhí)行，否則一定會(huì)報(bào)錯(cuò)異常

checker

一共給了兩個(gè)文件：checker.exe和checker_drv.sys

是一道驅(qū)動(dòng)逆向的題，查殼，無(wú)殼，有簽名的Windows 10 x64驅(qū)動(dòng)

先看用戶程序checker.exe：

邏輯很簡(jiǎn)單，就是打開符號(hào)鏈接發(fā)送IRP請(qǐng)求，控制碼是0x222080，沒有輸入?yún)?shù)，接收1個(gè)字節(jié)的輸出

接下來看驅(qū)動(dòng)程序checker_drv.sys：

?

DriverEntry里面就這么一個(gè)函數(shù)，進(jìn)來后，可以看到，先是創(chuàng)建驅(qū)動(dòng)對(duì)象和符號(hào)鏈接，然后填充IRP處理函數(shù)

接下來往全局變量里填充了映射的內(nèi)存地址，

?qword_140013170：里的是dword_140003000函數(shù)地址

?addr_140003030_qword：里的是dword_140003000+48數(shù)組地址

?qword_140013188：里的是sub_140001430函數(shù)地址

?qword_140013180：里的是sub_140001B30函數(shù)地址

最后就是一系列異或操作：

對(duì)qword_140013180里頭的前16字節(jié)異或了兩輪，使用的是qword_140013188里的前32字節(jié)的內(nèi)容

qword_140013180地址的內(nèi)容：

?

qword_140013188地址的內(nèi)容：

?

可以看到這兩個(gè)地址都是函數(shù)，這里用一個(gè)函數(shù)去異或另一個(gè)函數(shù)emmm

這大概是某種保護(hù)手段，阻礙靜態(tài)分析，真正的函數(shù)是運(yùn)行中動(dòng)態(tài)生成的（實(shí)測(cè)，異或這兩輪的結(jié)果并不是可執(zhí)行的代碼）

之前用戶程序里看到，傳入給驅(qū)動(dòng)了一個(gè)控制碼，這里到驅(qū)動(dòng)里去看看這個(gè)控制碼的作用：

?

除了這個(gè)控制碼，上面還有8個(gè)控制碼，等會(huì)再看

當(dāng)用戶傳入0x222080的時(shí)候，驅(qū)動(dòng)進(jìn)入這個(gè)分支，如果數(shù)組byte_140013190里的8個(gè)值均為1，則會(huì)跳轉(zhuǎn)到LABEL_21，很顯然，這里驗(yàn)證的內(nèi)容是dword_140003000的開頭是否是hitcon，這說明這里會(huì)出現(xiàn)flag

byte_140013190的值是在哪里改變的呢？往上看：

?

上面的其他8個(gè)控制碼分支，分別修改該數(shù)組的每一位為1，同時(shí)也會(huì)執(zhí)行一個(gè)相同的處理函數(shù)（參數(shù)不同）

隨便點(diǎn)進(jìn)去一個(gè)看看：

?

首先是進(jìn)行了對(duì)剛剛那個(gè)函數(shù)的又一輪異或操作，異或的值取決于函數(shù)的參數(shù)

然后對(duì)qword_140013170地址，也就是dword_140003000數(shù)組里的值進(jìn)行修改，一共修改48個(gè)字節(jié)，修改方式是調(diào)用sub_140001B30函數(shù)（被異或了好幾輪的那個(gè)）

?

最后再次異或一輪

整理一下思路：

?flag的生成，是在函數(shù)中通過調(diào)用一個(gè)奇怪的東西sub_140001B30生成出來的

?flag是否完成生產(chǎn)的判定是，是否走完了其他8個(gè)控制碼的處理分支

那么是不是只需要依次把這8個(gè)函數(shù)都調(diào)用一遍，生成出來的內(nèi)容就是flag了呢？經(jīng)測(cè)試，根本執(zhí)行不了，直接報(bào)錯(cuò)地址異常，應(yīng)該是函數(shù)異或出來的東西就不是可執(zhí)行的內(nèi)容，在Windows 10 x64虛擬機(jī)上安裝驅(qū)動(dòng)實(shí)測(cè)則會(huì)藍(lán)屏崩潰

這里我卡住了，感覺很接近了，但就是總差一點(diǎn)

休息了一下突然意識(shí)到，有沒有可能是這8次函數(shù)調(diào)用的順序問題？如果程序一定能執(zhí)行成功的話，就一定能一個(gè)一個(gè)把8個(gè)函數(shù)執(zhí)行出結(jié)果

于是經(jīng)過一番倒騰測(cè)試，發(fā)現(xiàn)執(zhí)行一個(gè)函數(shù)，只有最后一個(gè)函數(shù)能執(zhí)行下去，能行，一定是順序問題，經(jīng)過又一番測(cè)試，得到最終測(cè)試順序，

flag生成：

#include

#include

#define _BYTE BYTE

// qword_140013180 = sub_140001B30

unsigned char* pFunc;

DWORD oldprotect;

typedef BYTE(_cdecl* g_pFunc)(BYTE a);

g_pFunc sub_140001B30;

unsigned char* qword_140013180;

// qword_140013170 = dword_140003000

unsigned char qword_140013170[304] = {

? ? 0x63, 0x60, 0xA5, 0xB9, 0xFF, 0xFC, 0x30, 0x0A, 0x48, 0xBB, 0xFE, 0xFE, 0x32, 0x2C, 0x0A, 0xD6,

? ? 0xE6, 0xFE, 0xFE, 0x32, 0x2C, 0x0A, 0xD6, 0xBB, 0x4A, 0x4A, 0x32, 0x2C, 0xFC, 0xFF, 0x0A, 0xFD,

? ? 0xBB, 0xFE, 0x2C, 0xB9, 0x63, 0xD6, 0xB9, 0x62, 0xD6, 0x0A, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x00,

? ? 0x19, 0xBC, 0x8F, 0x82, 0xD0, 0x2C, 0x61, 0x34, 0xC0, 0x9F, 0xF6, 0x50, 0xD5, 0xFB, 0x0C, 0x6E,

? ? 0xD0, 0xEB, 0xE5, 0xE3, 0xCE, 0xB5, 0x4C, 0xCA, 0x45, 0xAA, 0x11, 0xB2, 0x3E, 0x62, 0x6F, 0x7D,

? ? 0xD0, 0xEB, 0xA9, 0xE3, 0xB2, 0x2F, 0x06, 0x47, 0x7C, 0x28, 0xC5, 0xDE, 0xDE, 0x1A, 0x4E, 0xD6,

? ? 0xD8, 0x2D, 0x93, 0x4F, 0x82, 0x65, 0x64, 0xFD, 0x08, 0x62, 0x4B, 0x87, 0x7E, 0x52, 0x47, 0x30,

? ? 0xB7, 0xBA, 0xD0, 0x39, 0x68, 0x53, 0x50, 0xAB, 0x20, 0xD5, 0xCA, 0x84, 0x26, 0x71, 0x6F, 0x91,

? ? 0x1B, 0x36, 0x46, 0x11, 0xA5, 0xF1, 0x4E, 0x58, 0x6C, 0x74, 0xD4, 0x9C, 0x15, 0xE2, 0x28, 0xD5,

? ? 0xD9, 0x0F, 0x3D, 0x83, 0xF3, 0xFC, 0xD1, 0x13, 0x1A, 0x62, 0x12, 0x40, 0xAA, 0xEA, 0xCD, 0xCB,

? ? 0xE1, 0xC6, 0x08, 0x81, 0x98, 0xF6, 0x68, 0x88, 0xBE, 0x23, 0xB5, 0x9E, 0x55, 0xB9, 0xE2, 0x7D,

? ? 0x5A, 0xDA, 0x39, 0x07, 0xF0, 0x2E, 0x32, 0x20, 0x59, 0x56, 0x4C, 0xB4, 0x8F, 0x3E, 0x07, 0x61,

? ? 0xD9, 0x0F, 0x2D, 0x61, 0xF1, 0x91, 0x33, 0x14, 0xCB, 0x49, 0x68, 0xFE, 0x1F, 0xD4, 0x8A, 0xFE,

? ? 0xE1, 0xC6, 0x18, 0x63, 0x9A, 0x9B, 0x8A, 0x8A, 0x7F, 0x08, 0xC3, 0xE8, 0xE1, 0xEC, 0x0B, 0x8F,

? ? 0x3B, 0x00, 0x94, 0xA5, 0x11, 0xE7, 0x47, 0x66, 0xC4, 0x9F, 0x98, 0x18, 0x70, 0xF0, 0x30, 0xF6,

? ? 0x94, 0x71, 0xB1, 0x95, 0xD1, 0xF0, 0x6F, 0xB7, 0xD9, 0x3D, 0x05, 0x9E, 0xC1, 0x53, 0x33, 0x76,

? ? 0x9B, 0x4B, 0x69, 0xCA, 0xDE, 0xFD, 0x7D, 0x67, 0xB8, 0x29, 0x2B, 0xC7, 0xC5, 0x84, 0x2C, 0xD1,

? ? 0x87, 0x87, 0xF1, 0x98, 0x97, 0x74, 0xAD, 0x4B, 0x32, 0xF0, 0x4A, 0x51, 0x72, 0xEA, 0x09, 0xF7,

? ? 0x38, 0xFD, 0x27, 0xBD, 0x1C, 0x52, 0x71, 0x43, 0x95, 0x9C, 0x1A, 0x86, 0xF2, 0xC0, 0xF9, 0xF8

};

// addr_140003030_qword = dword_140003030

unsigned char* qword_140003030 = qword_140013170 + 48;

// qword_140013188 = sub_140001430

void init() {

? ? unsigned char sub_140001B30_init[20] = {

? ? ?0x80, 0xE9, 0x22, 0x80, 0xF1, 0xAD, 0x0F, 0xB6, 0xC1, 0x6B, 0xC8, 0x11, 0xB8, 0x9E, 0x00, 0x00,

? ? ?0x00, 0x2A, 0xC1, 0xC3

? ? };

? ? unsigned char sub_140001430[88] = {

? ? 0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x05, 0x3B, 0x0C, 0x00, 0x00, 0x48, 0x8B, 0xDA,

? ? 0x48, 0x8B, 0x4A, 0x10, 0x48, 0x39, 0x08, 0x75, 0x37, 0x48, 0x8B, 0x4A, 0x08, 0xFF, 0x15, 0x1D,

? ? 0x0C, 0x00, 0x00, 0x48, 0x8D, 0x0D, 0x16, 0x1D, 0x00, 0x00, 0x80, 0x3C, 0x08, 0x00, 0x74, 0x20,

? ? 0x8B, 0x03, 0x83, 0xF8, 0x01, 0x74, 0x05, 0x83, 0xF8, 0x02, 0x75, 0x14, 0x48, 0x8B, 0x4B, 0x20,

? ? 0x8B, 0x41, 0x04, 0x83, 0xE0, 0x01, 0x84, 0xC0, 0x74, 0x06, 0xC7, 0x01, 0x00, 0x00, 0x00, 0x00,

? ? 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x20, 0x5B, 0xC3

? ? };

??

? ? pFunc = (unsigned char*)malloc(20);

? ? VirtualProtect((LPVOID)pFunc, 20, PAGE_EXECUTE_READWRITE, &oldprotect);

? ? memcpy(pFunc, sub_140001B30_init, 20);

? ? sub_140001B30 = (g_pFunc)pFunc;

? ? qword_140013180 = pFunc;

? ? for (int i = 0, j = 0; i < 32; i++,j++)

? ? {

? ? ? ? if (j == 16)j = 0;

? ? ? ? pFunc[j] ^= sub_140001430[i];

? ? }

}

void __fastcall sub_1400014D0(unsigned int a1)

{

? ? __int64 v1; // rdi

? ? char* v3; // rbx

? ? unsigned char * v4; // rbx

? ? unsigned char * v5; // rbx

? ? unsigned char * v6; // rbx

? ? unsigned char * v7; // rbx

? ? unsigned char * v8; // rbx

? ? unsigned char * v9; // rbx

? ? unsigned char * v10; // rbx

? ? unsigned char * v11; // rbx

? ? unsigned char * v12; // rbx

? ? unsigned char * v13; // rbx

? ? unsigned char * v14; // rbx

? ? unsigned char * v15; // rbx

? ? unsigned char * v16; // rbx

? ? unsigned char * v17; // rbx

? ? unsigned char * v18; // rbx

? ? unsigned char * v19; // rbx

? ? unsigned char * v20; // rbx

? ? unsigned char * v21; // rbx

? ? unsigned char * v22; // rbx

? ? unsigned char * v23; // rbx

? ? unsigned char * v24; // rbx

? ? unsigned char * v25; // rbx

? ? unsigned char * v26; // rbx

? ? unsigned char * v27; // rbx

? ? unsigned char * v28; // rbx

? ? unsigned char * v29; // rbx

? ? unsigned char * v30; // rbx

? ? unsigned char * v31; // rbx

? ? unsigned char * v32; // rbx

? ? unsigned char * v33; // rbx

? ? unsigned char * v34; // rbx

? ? unsigned char * v35; // rbx

? ? unsigned char * v36; // rbx

? ? unsigned char * v37; // rbx

? ? unsigned char * v38; // rbx

? ? unsigned char * v39; // rbx

? ? unsigned char * v40; // rbx

? ? unsigned char * v41; // rbx

? ? unsigned char * v42; // rbx

? ? unsigned char * v43; // rbx

? ? unsigned char * v44; // rbx

? ? unsigned char * v45; // rbx

? ? v1 = a1;

? ? *(_BYTE*)qword_140013180 ^= *(_BYTE*)(v1 + qword_140003030);// 修改這16個(gè)值,dword_140003000+48

? ? *(_BYTE*)(qword_140013180 + 1) ^= *(_BYTE*)((unsigned int)(v1 + 1) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 2) ^= *(_BYTE*)((unsigned int)(v1 + 2) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 3) ^= *(_BYTE*)((unsigned int)(v1 + 3) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 4) ^= *(_BYTE*)((unsigned int)(v1 + 4) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 5) ^= *(_BYTE*)((unsigned int)(v1 + 5) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 6) ^= *(_BYTE*)((unsigned int)(v1 + 6) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 7) ^= *(_BYTE*)((unsigned int)(v1 + 7) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 8) ^= *(_BYTE*)((unsigned int)(v1 + 8) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 9) ^= *(_BYTE*)((unsigned int)(v1 + 9) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 10) ^= *(_BYTE*)((unsigned int)(v1 + 10) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 11) ^= *(_BYTE*)((unsigned int)(v1 + 11) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 12) ^= *(_BYTE*)((unsigned int)(v1 + 12) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 13) ^= *(_BYTE*)((unsigned int)(v1 + 13) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 14) ^= *(_BYTE*)((unsigned int)(v1 + 14) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 15) ^= *(_BYTE*)((unsigned int)(v1 + 15) + qword_140003030);

? ? v3 = (char*)qword_140013170;? ? ? ? ? ? ? ? ?// 修改這43字節(jié)，通過函數(shù)1B30（1B30是被篡改過的函數(shù)）

? ? *v3 = sub_140001B30(*(_BYTE*)qword_140013170);

? ? v4 = qword_140013170;

? ? *(_BYTE*)(v4 + 1) = sub_140001B30(*(_BYTE*)(qword_140013170 + 1));

? ? v5 = qword_140013170;

? ? *(_BYTE*)(v5 + 2) = sub_140001B30(*(_BYTE*)(qword_140013170 + 2));

? ? v6 = qword_140013170;

? ? *(_BYTE*)(v6 + 3) = sub_140001B30(*(_BYTE*)(qword_140013170 + 3));

? ? v7 = qword_140013170;

? ? *(_BYTE*)(v7 + 4) = sub_140001B30(*(_BYTE*)(qword_140013170 + 4));

? ? v8 = qword_140013170;

? ? *(_BYTE*)(v8 + 5) = sub_140001B30(*(_BYTE*)(qword_140013170 + 5));

? ? v9 = qword_140013170;

? ? *(_BYTE*)(v9 + 6) = sub_140001B30(*(_BYTE*)(qword_140013170 + 6));

? ? v10 = qword_140013170;

? ? *(_BYTE*)(v10 + 7) = sub_140001B30(*(_BYTE*)(qword_140013170 + 7));

? ? v11 = qword_140013170;

? ? *(_BYTE*)(v11 + 8) = sub_140001B30(*(_BYTE*)(qword_140013170 + 8));

? ? v12 = qword_140013170;

? ? *(_BYTE*)(v12 + 9) = sub_140001B30(*(_BYTE*)(qword_140013170 + 9));

? ? v13 = qword_140013170;

? ? *(_BYTE*)(v13 + 10) = sub_140001B30(*(_BYTE*)(qword_140013170 + 10));

? ? v14 = qword_140013170;

? ? *(_BYTE*)(v14 + 11) = sub_140001B30(*(_BYTE*)(qword_140013170 + 11));

? ? v15 = qword_140013170;

? ? *(_BYTE*)(v15 + 12) = sub_140001B30(*(_BYTE*)(qword_140013170 + 12));

? ? v16 = qword_140013170;

? ? *(_BYTE*)(v16 + 13) = sub_140001B30(*(_BYTE*)(qword_140013170 + 13));

? ? v17 = qword_140013170;

? ? *(_BYTE*)(v17 + 14) = sub_140001B30(*(_BYTE*)(qword_140013170 + 14));

? ? v18 = qword_140013170;

? ? *(_BYTE*)(v18 + 15) = sub_140001B30(*(_BYTE*)(qword_140013170 + 15));

? ? v19 = qword_140013170;

? ? *(_BYTE*)(v19 + 16) = sub_140001B30(*(_BYTE*)(qword_140013170 + 16));

? ? v20 = qword_140013170;

? ? *(_BYTE*)(v20 + 17) = sub_140001B30(*(_BYTE*)(qword_140013170 + 17));

? ? v21 = qword_140013170;

? ? *(_BYTE*)(v21 + 18) = sub_140001B30(*(_BYTE*)(qword_140013170 + 18));

? ? v22 = qword_140013170;

? ? *(_BYTE*)(v22 + 19) = sub_140001B30(*(_BYTE*)(qword_140013170 + 19));

? ? v23 = qword_140013170;

? ? *(_BYTE*)(v23 + 20) = sub_140001B30(*(_BYTE*)(qword_140013170 + 20));

? ? v24 = qword_140013170;

? ? *(_BYTE*)(v24 + 21) = sub_140001B30(*(_BYTE*)(qword_140013170 + 21));

? ? v25 = qword_140013170;

? ? *(_BYTE*)(v25 + 22) = sub_140001B30(*(_BYTE*)(qword_140013170 + 22));

? ? v26 = qword_140013170;

? ? *(_BYTE*)(v26 + 23) = sub_140001B30(*(_BYTE*)(qword_140013170 + 23));

? ? v27 = qword_140013170;

? ? *(_BYTE*)(v27 + 24) = sub_140001B30(*(_BYTE*)(qword_140013170 + 24));

? ? v28 = qword_140013170;

? ? *(_BYTE*)(v28 + 25) = sub_140001B30(*(_BYTE*)(qword_140013170 + 25));

? ? v29 = qword_140013170;

? ? *(_BYTE*)(v29 + 26) = sub_140001B30(*(_BYTE*)(qword_140013170 + 26));

? ? v30 = qword_140013170;

? ? *(_BYTE*)(v30 + 27) = sub_140001B30(*(_BYTE*)(qword_140013170 + 27));

? ? v31 = qword_140013170;

? ? *(_BYTE*)(v31 + 28) = sub_140001B30(*(_BYTE*)(qword_140013170 + 28));

? ? v32 = qword_140013170;

? ? *(_BYTE*)(v32 + 29) = sub_140001B30(*(_BYTE*)(qword_140013170 + 29));

? ? v33 = qword_140013170;

? ? *(_BYTE*)(v33 + 30) = sub_140001B30(*(_BYTE*)(qword_140013170 + 30));

? ? v34 = qword_140013170;

? ? *(_BYTE*)(v34 + 31) = sub_140001B30(*(_BYTE*)(qword_140013170 + 31));

? ? v35 = qword_140013170;

? ? *(_BYTE*)(v35 + 32) = sub_140001B30(*(_BYTE*)(qword_140013170 + 32));

? ? v36 = qword_140013170;

? ? *(_BYTE*)(v36 + 33) = sub_140001B30(*(_BYTE*)(qword_140013170 + 33));

? ? v37 = qword_140013170;

? ? *(_BYTE*)(v37 + 34) = sub_140001B30(*(_BYTE*)(qword_140013170 + 34));

? ? v38 = qword_140013170;

? ? *(_BYTE*)(v38 + 35) = sub_140001B30(*(_BYTE*)(qword_140013170 + 35));

? ? v39 = qword_140013170;

? ? *(_BYTE*)(v39 + 36) = sub_140001B30(*(_BYTE*)(qword_140013170 + 36));

? ? v40 = qword_140013170;

? ? *(_BYTE*)(v40 + 37) = sub_140001B30(*(_BYTE*)(qword_140013170 + 37));

? ? v41 = qword_140013170;

? ? *(_BYTE*)(v41 + 38) = sub_140001B30(*(_BYTE*)(qword_140013170 + 38));

? ? v42 = qword_140013170;

? ? *(_BYTE*)(v42 + 39) = sub_140001B30(*(_BYTE*)(qword_140013170 + 39));

? ? v43 = qword_140013170;

? ? *(_BYTE*)(v43 + 40) = sub_140001B30(*(_BYTE*)(qword_140013170 + 40));

? ? v44 = qword_140013170;

? ? *(_BYTE*)(v44 + 41) = sub_140001B30(*(_BYTE*)(qword_140013170 + 41));

? ? v45 = qword_140013170;

? ? *(_BYTE*)(v45 + 42) = sub_140001B30(*(_BYTE*)(qword_140013170 + 42));

? ? *(_BYTE*)qword_140013180 ^= *(_BYTE*)((unsigned int)(v1 + 16) + qword_140003030);// 然后再次修改這16個(gè)值

? ? *(_BYTE*)(qword_140013180 + 1) ^= *(_BYTE*)((unsigned int)(v1 + 17) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 2) ^= *(_BYTE*)((unsigned int)(v1 + 18) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 3) ^= *(_BYTE*)((unsigned int)(v1 + 19) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 4) ^= *(_BYTE*)((unsigned int)(v1 + 20) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 5) ^= *(_BYTE*)((unsigned int)(v1 + 21) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 6) ^= *(_BYTE*)((unsigned int)(v1 + 22) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 7) ^= *(_BYTE*)((unsigned int)(v1 + 23) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 8) ^= *(_BYTE*)((unsigned int)(v1 + 24) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 9) ^= *(_BYTE*)((unsigned int)(v1 + 25) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 10) ^= *(_BYTE*)((unsigned int)(v1 + 26) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 11) ^= *(_BYTE*)((unsigned int)(v1 + 27) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 12) ^= *(_BYTE*)((unsigned int)(v1 + 28) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 13) ^= *(_BYTE*)((unsigned int)(v1 + 29) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 14) ^= *(_BYTE*)((unsigned int)(v1 + 30) + qword_140003030);

? ? *(_BYTE*)(qword_140013180 + 15) ^= *(_BYTE*)((unsigned int)(v1 + 31) + qword_140003030);

}

int main()

{

? ? // 得到修改后的函數(shù)，可能是干擾動(dòng)態(tài)調(diào)試的

? ? init();

? ? // 順序問題??！按照特定順序執(zhí)行才能運(yùn)行成功

? ? sub_1400014D0(0xE0);? ? // 1

? ? sub_1400014D0(0x40);? ? // 2

? ? sub_1400014D0(0xC0);? ? // 3

? ? sub_1400014D0(0x00);? ? // 4

? ? sub_1400014D0(0x20);? ? // 5

? ? sub_1400014D0(0x80);? ? // 6

? ? sub_1400014D0(0x60);? ? //?

? ? sub_1400014D0(0xA0);? ? //?

? ? printf("%s", qword_140013170);

}

運(yùn)行結(jié)果：hitcon{r3ally_re4lly_rea11y_normal_checker}