[XCTF-Reverse] 69 XCTF 3rd-RCTF-2017_MyDriver2-397

一个.sys文件,应该是驱动程序。反正当个exe文件处理吧。

在数据区找到两个串,感觉是加密用的 qword_16310 和 qword_16390,顺着这个线索找引用处,于是找到 sub_113C8。手工找也行,因为一共也没几个函数。

// Decompiled (IDA) routine that derives the XOR key and decrypts the two data
// blobs. Note that it copies the 0x22 bytes at sub_11DF0 into a freshly
// allocated pool buffer and calls that copy as a function, so the key-derivation
// code executes from the pool allocation rather than from the driver image.
__int64 sub_113C8()
{
  PVOID v0; // rbx -- pool buffer holding the copy of sub_11DF0
  int v1; // er11 -- 32-bit XOR key (copy of dword_16414)
  int v2; // edx -- key length used by the second loop (42, see below)
  _DWORD *v3; // rax -- cursor over qword_16310, advanced one DWORD at a time
  int v4; // ecx -- index into qword_16310, wraps modulo (unsigned __int16)v2
  __int64 v5; // rax
  signed __int64 v6; // r8 -- index into qword_16390, 0..127
  __int64 result; // rax
  char Dst; // [rsp+20h] [rbp-38h] -- stack scratch; 0x22 bytes are written through it, the decompiler only shows its first byte

  // Stage 0: stage sub_11DF0's bytes on the stack, then in a pool buffer
  // (pool type 0 = NonPagedPool), and call the buffer with the two constants
  // noted on the call line. The return value becomes the global dword_16414.
  memmove(&Dst, sub_11DF0, 0x22ui64);
  v0 = ExAllocatePool(0, 0x22ui64);
  memmove(v0, &Dst, 0x22ui64);
  dword_16414 = ((__int64 (__fastcall *)(signed __int64, signed __int64))v0)(3435209541i64, 1412570316i64);// 0xccc12345,0x54321ccc
  ExFreePoolWithTag(v0, 0);
  v1 = dword_16414;                             // 0x5c3113c5
  v2 = dword_16414 - 1546720155;                // 42
  // Stage 1: XOR every DWORD from qword_16310 up to (not including) qword_16390
  // with the 32-bit key; each 8-byte value therefore sees the key in both halves.
  v3 = qword_16310;
  do
  {
    *v3 ^= v1;
    ++v3;
  }
  while ( (signed __int64)v3 < (signed __int64)qword_16390 );
  v4 = 0;
  v5 = v2;
  // Publish the decrypted buffer: SubStr points at qword_16310, both words
  // receive its length, and the two entries after index v2 are cleared
  // (presumably a terminator for the wide string SubStr now points to).
  SubStr = (wchar_t *)qword_16310;
  word_16432 = v2;
  word_16430 = v2;
  qword_16310[v5] = 0;
  qword_16310[v5 + 1] = 0;
  v6 = 0i64;
  // Stage 2: XOR 128 entries of qword_16390 with entries of qword_16310,
  // cycling the key index modulo (unsigned __int16)v2. The value returned is
  // merely the quotient computed in the last iteration, not a status code.
  do
  {
    qword_16390[v6] ^= qword_16310[v4];
    ++v6;
    result = (unsigned int)((v4 + 1) / (unsigned __int16)v2);
    v4 = (v4 + 1) % (unsigned __int16)v2;
  }
  while ( v6 < 128 );
  return result;
}

这里先把 sub_11DF0 拷贝到 Dst,再把 Dst 拷贝到 v0,再调用 v0,其实就是运行 sub_11DF0。

// Merge the high nibbles of a2 with the low nibbles of a1.
// In the decompiled one-liner '&' binds tighter than '^', so the expression is
// (a2 & 0xF0F0F0F0F0F0F0F0) ^ (a1 & 0x0F0F0F0F0F0F0F0F); the temporaries below
// make that grouping explicit.
unsigned __int64 __fastcall sub_11DF0(__int64 a1, __int64 a2)
{
  unsigned __int64 high_nibbles = a2 & 0xF0F0F0F0F0F0F0F0ui64;
  unsigned __int64 low_nibbles = a1 & 0xF0F0F0F0F0F0F0Fi64;
  return high_nibbles ^ low_nibbles;
}

所有参数都已经给出了,可以顺序得到 dword_16414 = 0x5c3113c5,再算出 v2 = 0x5c3113c5 - 1546720155 = 42(从数据也可看出长度)。

然后把 qword_16310 和 v1 做异或(因为 v3 是 dword 类型的,每 4 字节作一次),再然后就是 qword_16390 和 qword_16310 逐项异或了(下标对 v2=42 取模循环使用)。

解码

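import struct

# Value the driver stores in dword_16414: the pool-copied sub_11DF0 is called
# as sub_11DF0(0xccc12345, 0x54321ccc), which keeps the high nibbles of the
# second argument and the low nibbles of the first. '&' already binds tighter
# than '^' in Python; the parentheses only make the grouping explicit.
hook_key = (0x54321ccc & 0xF0F0F0F0F0F0F0F0) ^ (0xccc12345 & 0x0F0F0F0F0F0F0F0F)  # 0x5c3113c5

# sub_113C8 walks qword_16310 through a _DWORD* cursor, so every 8-byte value
# is XORed with the 32-bit key repeated in both halves.
key64 = (hook_key << 32) | hook_key  # 0x5c3113c55c3113c5

# v2 = dword_16414 - 1546720155 in sub_113C8: the key length used by the
# second XOR loop (also visible from the length of the data itself).
key_len = hook_key - 1546720155  # 42

# qword_16310 as dumped from the data section (the encrypted key material).
a = [0x5C5813A25C6E1395,0x5C5413885C5413B3,0x5C5013A95C57139A,0x5C0213F75C6E13A2,0x5C4913B15C1F13F6,0x13B1]
# Stage 1: undo the per-DWORD XOR. struct.pack("<Q", ...) is the stdlib
# equivalent of pwntools' p64, so the script no longer needs a third-party
# package; b"".join avoids quadratic byte-string concatenation.
b = b"".join(struct.pack("<Q", q ^ key64) for q in a)
print(b)

# qword_16390 as dumped from the data section (the encrypted message).
c = [0x6105664765377470,0x733A416D730C2011,0x6E285F096C166D36,0x6F5C686D6531690B,0x780002726A5F58,0x67005F00500074,
     0x4D006500760069,0x6C0066005F0065,0x32005F00670061,0x74002E00330033,0x5F005000740078,0x65007600690067,
     0x66005F0065004D,0x5F00670061006C,0x2E003300330032,0x50007400780074]
d = b"".join(struct.pack("<Q", q) for q in c)
print(d)

# Stage 2: d[i] ^= b[i % key_len] over all 128 bytes of d, mirroring the
# driver's index wrap-around (v4 = (v4 + 1) % v2). Only the first key_len
# bytes of b take part; the trailing bytes of the last packed qword are unused.
e = [byte ^ b[i % key_len] for i, byte in enumerate(d)]

print(bytes(e))
#A_simple_Inline_hook_Drv
#RCTF{A_simple_Inline_hook_Drv}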
