Introduction

Exceptions are commonly used in dynamic anti-debugging techniques. When an exception occurs in a normally running process, the **SEH (Structured Exception Handling)** mechanism means the OS receives the exception and then calls the SEH handler registered by the process. But if the process is being debugged, the debugger receives and handles the exception before the SEH handler does. This difference can be used to determine whether the process is running normally or under a debugger, and then different code paths are taken depending on the result; this is the anti-debugging principle based on differences in exception handling.

That answer above sounds pretty official, heh.

Below I'll walk through it using one challenge.

NewStarCTF week4 - exception

Just from the title, it's clearly testing exception handling.

(The challenge's algorithm is just a TEA encryption.)

Drag it into IDA for static analysis.


Follow into 35100A.


Searched around and am pasting a link (I didn't really understand it):

https://blog.csdn.net/u011279649/article/details/12840937

For this challenge, the point of the exception trick is to stop us from reading delta directly.

Debug it dynamically.


After the exception is triggered, the handler XORs [ebp+var_48] with 0x12345678.

(Click into [ebp+var_48] and you'll see it is actually result; keep the endianness issue in mind.)


So we can write a script to work out the values.

Here's the exp:

```python
# Rebuild the 32 per-round sum values. The exception handler XORs the
# increment with 0x12345678 after every round, so the value added to sum
# alternates between the TEA delta 0x9E3779B9 and 0x9E3779B9 ^ 0x12345678.
total = 0
tmp = 0x9E3779B9
for i in range(32):
    total += tmp
    tmp ^= 0x12345678
    print(hex(total & 0xffffffff), end=', ')
```

Output:

```text
[0x9E3779B9, 0x2a3aa97a, 0xc8722333, 0x547552f4, 0xF2ACCCAD, 0x7EAFFC6E, 0x1CE77627
, 0xA8EAA5E8, 0x47221FA1, 0xD3254F62, 0x715CC91B, 0xFD5FF8DC, 0x9B977295, 0x279AA256
, 0xC5D21C0F, 0x51D54BD0, 0xF00CC589, 0x7C0FF54A, 0x1A476F03, 0xA64A9EC4, 0x4482187D
, 0xD085483E, 0x6EBCC1F7, 0xFABFF1B8, 0x98F76B71, 0x24FA9B32, 0xC33214EB, 0x4F3544AC
, 0xED6CBE65, 0x796FEE26, 0x17A767DF, 0xA3AA97A0]
```

Of course, you can also get the delta values by dynamic debugging: they are just the value of result after each loop iteration.

That is, run and check the value of result, repeating for all 32 iterations (....).


Once we have delta we can write the exp.


```text
[0x88E821CE, 0x0B009D70, 0x91B1E68F, 0x0131EA96, 0xA3209D7D, 0xA9187DFB, 0xC452C5CA, 0xA9696753]
```

EXP

```python
# the eight 32-bit ciphertext words read out of IDA
encData = [0x88E821CE, 0x0B009D70, 0x91B1E68F, 0x131EA96, 0x0A3209D7D, 0x0A9187DFB, 0x0C452C5CA, 0x0A9696753]

# the 32 per-round sum values recovered above (delta flipped by the exception handler each round)
cipher = [0x9E3779B9, 0x2a3aa97a, 0xc8722333, 0x547552f4, 0xF2ACCCAD, 0x7EAFFC6E, 0x1CE77627
, 0xA8EAA5E8, 0x47221FA1, 0xD3254F62, 0x715CC91B, 0xFD5FF8DC, 0x9B977295, 0x279AA256
, 0xC5D21C0F, 0x51D54BD0, 0xF00CC589, 0x7C0FF54A, 0x1A476F03, 0xA64A9EC4, 0x4482187D
, 0xD085483E, 0x6EBCC1F7, 0xFABFF1B8, 0x98F76B71, 0x24FA9B32, 0xC33214EB, 0x4F3544AC
, 0xED6CBE65, 0x796FEE26, 0x17A767DF, 0xA3AA97A0]

key = [1, 2, 3, 4]

# TEA decryption: walk the rounds backwards, using the recorded sum for each round
for i in range(0, 8, 2):
    v11 = encData[i]
    v10 = encData[i+1]
    for k in range(32):
        v9 = cipher[31-k]
        v10 -= (key[3] + (v11 >> 5)) ^ (v9 + v11) ^ (key[2] + 16 * v11)
        v10 = v10 & 0xffffffff
        v11 -= (key[1] + (v10 >> 5)) ^ (v9 + v10) ^ (key[0] + 16 * v10)
        v11 = v11 & 0xffffffff

    encData[i] = v11
    encData[i + 1] = v10
for i in range(len(encData)):
    print(hex(encData[i])[2:], end=',')


# 33433434,31463741,41443231,37454232,34463832,35433135,30443245,38353539,
```

This is big-endian; convert it to little-endian.

Convert to characters and that's the flag:

flag{44C3A7F112DA2BE728F451C5E2D09558}
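As an added example (not the write-up's own script), here is the same recovery put together end to end: it rebuilds the per-round sum schedule from the handler's XOR behaviour described above, decrypts the eight ciphertext words, packs them back as little-endian to obtain the flag, and re-encrypts the result to confirm the decryption is exact. It goes a little beyond the write-up by taking the delta and the XOR mask as parameters, so the same routine also handles a binary without the handler trick (mask 0). The key, ciphertext words, delta and mask are the page's values; all function names are my own.

```python
import struct

MASK = 0xffffffff

# Values taken from the write-up: the binary's TEA key and the eight
# 32-bit ciphertext words read out of IDA.
KEY = [1, 2, 3, 4]
ENC = [0x88E821CE, 0x0B009D70, 0x91B1E68F, 0x0131EA96,
       0xA3209D7D, 0xA9187DFB, 0xC452C5CA, 0xA9696753]


def round_sums(delta=0x9E3779B9, xor_mask=0x12345678, rounds=32):
    """Rebuild the per-round 'sum' schedule.

    In the challenge the exception handler XORs the increment with 0x12345678
    after every round, so the value added to sum alternates between delta and
    delta ^ mask instead of staying constant as in textbook TEA.
    With xor_mask=0 this degenerates to the standard TEA schedule.
    """
    sums, s, d = [], 0, delta
    for _ in range(rounds):
        s = (s + d) & MASK
        d ^= xor_mask
        sums.append(s)
    return sums


def tea_decrypt_block(v0, v1, key, sums):
    # Undo the rounds in reverse order, using the recorded sum for each round.
    for s in reversed(sums):
        v1 = (v1 - (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
    return v0, v1


def tea_encrypt_block(v0, v1, key, sums):
    # Exact inverse of tea_decrypt_block; used to check the recovery.
    for s in sums:
        v0 = (v0 + (((v1 << 4) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
    return v0, v1


def decrypt_words(words, key, sums):
    out = []
    for i in range(0, len(words), 2):
        out.extend(tea_decrypt_block(words[i], words[i + 1], key, sums))
    return out


def encrypt_words(words, key, sums):
    out = []
    for i in range(0, len(words), 2):
        out.extend(tea_encrypt_block(words[i], words[i + 1], key, sums))
    return out


def words_to_flag(words):
    # The binary loads the input as little-endian 32-bit words, so packing each
    # word with '<I' restores the bytes in their original order.
    return b"".join(struct.pack("<I", w) for w in words).decode()


def recover_flag(enc=ENC, key=KEY):
    sums = round_sums()
    plain = decrypt_words(enc, key, sums)
    # Sanity check: re-encrypting the recovered words must give the ciphertext back.
    if encrypt_words(plain, key, sums) != enc:
        raise ValueError("round trip failed: schedule or key is wrong")
    return "flag{" + words_to_flag(plain) + "}"


if __name__ == "__main__":
    print(recover_flag())
```

The round-trip check is the part worth keeping in any TEA solver: if the recovered sum schedule is off by even one round (easy to do when the handler is flipping the increment), the decrypted words will look like noise, and the re-encryption comparison catches that before you start staring at garbage bytes.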

Summary

A simple TEA encryption,

plus an exception handler.

The exception handling isn't that troublesome;

just read through it slowly and it's fine.

OK, that's the end of this one.

Thanks for reading.

Orz Orz