SeKaiCTF 2025 Reverse: Miku Music Machine (reproduction)
Decompilation
Open the binary in IDA and locate the main function.
It requires the command-line argument argv[1] to be exactly 50 bytes long; otherwise the program exits.
It then tries to open a MIDI device (midiOutOpen).
Each byte of argv[1] is XORed with the byte_7FF6662F3000 array; every resulting byte is then split into four 2-bit chunks, and the value of each chunk updates v7 and v8. v8 is used as an index into off_7FF6662F3040 (a function-pointer table) and the selected function is called. After all 50 bytes have been processed, the program waits one second and closes the MIDI device.
From this it is apparent that the table is a 21 * 21 maze; afterwards the program checks whether v7 equals 0x1A2 (418), which is the maze's end point.

Dynamic debugging
In IDA's Debugger -> Process options, set a 50-byte command-line argument.

Halfway through, the program terminated abnormally.
Looking at the assembly shows eXtended Flow Guard (XFG) protection.
CFG and XFG are both Windows mitigations against overwritten function pointers. XFG is a hardened version of CFG: besides checking that the called function pointer is registered in the bitmap of valid addresses, it also checks a hash of the function prototype, made up of the number of parameters, the type of each parameter, whether the function is variadic, the calling convention and the return type.

An XFG-protected function-pointer call:
Use dumpbin to extract the Guard CF Function Table. This is a whitelist of function entry addresses generated by the compiler/linker; when the program performs an indirect call, the system first checks that the target address is in the table.

An X marks an address that is valid in the table.
So presumably, among the functions in the list (441 in total, which matches 21 * 21 exactly), those whose addresses are valid are path cells and the rest are walls; extract the indices of the path functions.
Result:
The last index is 418, exactly the maze's end position.
Constructing the maze

Result:

```
111111111111111111111
1_1___1_____________1
1_111_1111111_1_1_1_1
1_________1___1_1_1_1
111_11111_111_1_11111
1___1_1_1_____1_____1
11111_1_11111_111_111
1_______________1___1
1_111111111_1111111_1
1_1_1_1_______1_1_1_1
111_1_1_1_111_1_1_1_1
1_1_____1___1_1_____1
1_11111_1111111_111_1
1_____________1_1___1
1_111_1_1_1_1_1_1_1_1
1_1___1_1_1_1_1_1_1_1
111_1_111_111_1_111_1
1___1_1_____1_1___1_1
1_1_1_111_11111_1_1_1
1_1_1___1___1___1_1_1
111111111111111111111
```
But this maze as it stands has only a single route, and the total length of the walk is not 200 (50 * 4) either.
While debugging I observed that most functions in the list have the following structure:

Apart from that there is another structure:


And the place that finally triggers the abnormal exit looks like this: int 29h, which on Windows 8+ is used for fast fail (equivalent to RtlFailFast(ecx)) and terminates the process immediately.

Following the cross-references (x in IDA) upwards shows:

So in this structure, the functions that contain an xor can rewrite the int 29h into an instruction that lets execution continue.
Write an IDA script to find the 6 functions with this pattern:
Analysis shows that the functions containing the xor instruction act like switches: reaching one removes the blockage at the target position. However, the Target address obtained above is not yet the real address of the target position; it is a label inside the function, as follows:
On inspection, the 6 real target addresses are all the label address minus 0xE.
Building the maze

```python
white_list = [
0x0000000140001010, 0x0000000140001050, 0x0000000140001070, 0x0000000140001090,
0x00000001400010B0, 0x0000000140001110, 0x0000000140001170, 0x00000001400011B0,
0x00000001400011F0, 0x0000000140001250, 0x00000001400012D0, 0x0000000140001370,
0x0000000140001390, 0x00000001400013F0, 0x0000000140001410, 0x0000000140001430,
0x0000000140001470, 0x0000000140001490, 0x00000001400014D0, 0x00000001400014F0,
0x0000000140001510, 0x0000000140001570, 0x00000001400015B0, 0x00000001400015F0,
0x0000000140001610, 0x0000000140001630, 0x00000001400016B0, 0x00000001400016D0,
0x0000000140001710, 0x0000000140001730, 0x0000000140001790, 0x00000001400017D0,
0x00000001400017F0, 0x0000000140001810, 0x00000001400018F0, 0x0000000140001910,
0x0000000140001990, 0x00000001400019F0, 0x0000000140001A50, 0x0000000140001AF0,
0x0000000140001B10, 0x0000000140001B30, 0x0000000140001BB0, 0x0000000140001BF0,
0x0000000140001C70, 0x0000000140001CB0, 0x0000000140001CF0, 0x0000000140001D70,
0x0000000140001DB0, 0x0000000140001E50, 0x0000000140001EB0, 0x0000000140001ED0,
0x0000000140001F50, 0x0000000140001F70, 0x0000000140001F90, 0x0000000140001FD0,
0x0000000140001FF0, 0x0000000140002010, 0x0000000140002030, 0x0000000140002050,
0x0000000140002070, 0x0000000140002090, 0x00000001400020F0, 0x0000000140002110,
0x0000000140002150, 0x00000001400021B0, 0x0000000140002210, 0x0000000140002250,
0x0000000140002270, 0x0000000140002290, 0x00000001400022F0, 0x0000000140002350,
0x0000000140002390, 0x00000001400023D0, 0x0000000140002410, 0x0000000140002430,
0x0000000140002450, 0x0000000140002490, 0x00000001400024B0, 0x00000001400024D0,
0x0000000140002530, 0x0000000140002570, 0x00000001400025B0, 0x0000000140002610,
0x0000000140002650, 0x0000000140002690, 0x00000001400026D0, 0x0000000140002710,
0x0000000140002730, 0x0000000140002790, 0x00000001400027F0, 0x0000000140002850,
0x00000001400028B0, 0x00000001400028D0, 0x0000000140002970, 0x00000001400029D0,
0x00000001400029F0, 0x0000000140002A10, 0x0000000140002A70, 0x0000000140002A90,
0x0000000140002AB0, 0x0000000140002AF0, 0x0000000140002BF0, 0x0000000140002C50,
0x0000000140002C90, 0x0000000140002CD0, 0x0000000140002D90, 0x0000000140002DF0,
0x0000000140002E90, 0x0000000140002EB0, 0x0000000140002ED0, 0x0000000140002EF0,
0x0000000140002F10, 0x0000000140002F50, 0x0000000140002F90, 0x0000000140002FF0,
0x0000000140003030, 0x0000000140003050, 0x0000000140003090, 0x0000000140003110,
0x0000000140003150, 0x0000000140003190, 0x00000001400031B0, 0x0000000140003210,
0x0000000140003270, 0x0000000140003290, 0x00000001400032D0, 0x00000001400032F0,
0x0000000140003330, 0x0000000140003410, 0x0000000140003430, 0x0000000140003450,
0x0000000140003470, 0x0000000140003490, 0x00000001400034B0, 0x0000000140003590,
0x0000000140003610, 0x0000000140003650, 0x0000000140003670, 0x00000001400036B0,
0x00000001400036D0, 0x0000000140003710, 0x00000001400037D0, 0x00000001400037F0,
0x0000000140003810, 0x0000000140003850, 0x0000000140003970, 0x00000001400039D0,
0x00000001400039F0, 0x0000000140003A30, 0x0000000140003AB0, 0x0000000140003AD0,
0x0000000140003AF0, 0x0000000140003B10, 0x0000000140003B30, 0x0000000140003BD0,
0x0000000140003C10, 0x0000000140003C50, 0x0000000140003C70, 0x0000000140003CD0,
0x0000000140003CF0, 0x0000000140003DD0, 0x0000000140003E10, 0x0000000140003E50,
0x0000000140003E70, 0x0000000140003E90, 0x0000000140003EF0, 0x0000000140003F10,
0x0000000140003F30, 0x0000000140003F70, 0x0000000140003FD0, 0x0000000140003FF0,
0x0000000140004010, 0x0000000140004070, 0x00000001400040B0, 0x00000001400040F0,
0x0000000140004170, 0x00000001400041B0, 0x00000001400041D0, 0x0000000140004210,
0x0000000140004230, 0x0000000140004270, 0x0000000140004290, 0x00000001400042B0,
0x00000001400042D0, 0x00000001400042F0, 0x0000000140004310, 0x0000000140004390,
0x00000001400043D0, 0x0000000140004410, 0x0000000140004430, 0x00000001400044F0,
0x0000000140004590, 0x00000001400045D0, 0x0000000140004610, 0x0000000140004630,
0x0000000140004650, 0x00000001400046D0, 0x00000001400046F0, 0x0000000140015420,
0x0000000140015560, 0x000000014003ADA0, 0x000000014003ADD0, 0x000000014003AE90,
0x000000014003B830, 0x000000014003D7E0, 0x000000014003D800, 0x000000014003D830,
0x000000014003D840, 0x000000014003D850, 0x000000014003D870, 0x000000014003D880,
0x000000014003D890, 0x000000014003D8E0, 0x000000014003D8F0, 0x000000014003D940,
0x000000014003D9B0, 0x000000014003DCB0, 0x0000000140040BC0, 0x0000000140042670,
0x0000000140042780, 0x0000000140043280, 0x00000001400432D0, 0x0000000140046650,
0x0000000140046E80, 0x0000000140046ED0, 0x0000000140047630, 0x0000000140047650,
0x000000014004A040, 0x000000014004B760, 0x000000014004B7D0, 0x000000014004C1C0,
0x000000014004C360, 0x000000014004CB30, 0x000000014004D100, 0x000000014004D9D0,
0x000000014004E570, 0x000000014004E860, 0x000000014004EE10, 0x000000014004F120,
0x000000014004F370, 0x000000014004FA40, 0x000000014004FA70, 0x000000014004FD90,
0x0000000140057710, 0x000000014005C840, 0x000000014005D270, 0x000000014005D310
]
func_list = [
0x1400025F0, 0x140001EF0, 0x1400039B0, 0x140004090, 0x140002F70, 0x140003B70,
0x140002590, 0x140001210, 0x140002E70, 0x140004370, 0x140001E70, 0x140003A50,
0x140003D70, 0x1400033F0, 0x140002B50, 0x140003070, 0x140004250, 0x140003230,
0x1400013D0, 0x140002E30, 0x140002B10, 0x140001D50, 0x140001ED0, 0x140002190,
0x140001370, 0x1400016B0, 0x140004430, 0x140001770, 0x140004230, 0x140002530,
0x140002290, 0x140001710, 0x1400010B0, 0x1400015B0, 0x1400037D0, 0x140003290,
0x1400041B0, 0x140004270, 0x140001F70, 0x140003F70, 0x140003B10, 0x1400023B0,
0x1400034D0, 0x140003610, 0x1400018D0, 0x140004490, 0x140004450, 0x140003E70,
0x140003A70, 0x140001CD0, 0x140002D30, 0x1400020B0, 0x140003570, 0x140002DB0,
0x1400045F0, 0x140002EF0, 0x140003770, 0x140001910, 0x140002DD0, 0x1400029D0,
0x140002AD0, 0x140001F50, 0x140001A30, 0x140003D30, 0x140001DB0, 0x140003AD0,
0x140001B30, 0x1400017D0, 0x140002450, 0x140003FD0, 0x140002390, 0x140002350,
0x140001790, 0x1400013B0, 0x140003CD0, 0x140003030, 0x140002110, 0x140002770,
0x1400016D0, 0x1400019B0, 0x140003E10, 0x140001A90, 0x140003CF0, 0x1400017B0,
0x140002BB0, 0x140001F10, 0x140001890, 0x1400045D0, 0x140003C30, 0x1400011D0,
0x140001BD0, 0x140004510, 0x140001650, 0x140002150, 0x140003B50, 0x1400040D0,
0x140002830, 0x140004650, 0x1400012B0, 0x140003AB0, 0x140002C30, 0x1400019D0,
0x140003BB0, 0x140002B90, 0x140002370, 0x140003930, 0x140003810, 0x1400042F0,
0x140002F50, 0x140003250, 0x1400015F0, 0x140002630, 0x1400024D0, 0x140001830,
0x140003BD0, 0x1400046F0, 0x140002AF0, 0x140001C70, 0x140003710, 0x140002C70,
0x1400042D0, 0x140004010, 0x1400019F0, 0x140003050, 0x140002410, 0x140001DD0,
0x1400046B0, 0x140002230, 0x140004710, 0x140003DF0, 0x140001450, 0x140004070,
0x140003730, 0x140001090, 0x140003ED0, 0x140002670, 0x140003DB0, 0x1400016F0,
0x140003350, 0x1400034B0, 0x140004570, 0x140002CF0, 0x140003870, 0x140001B10,
0x1400032B0, 0x140002F30, 0x140001310, 0x140003D10, 0x140003850, 0x140003430,
0x140001430, 0x140001010, 0x1400042B0, 0x140003650, 0x140002850, 0x1400022F0,
0x140002710, 0x140003F10, 0x1400014D0, 0x140004590, 0x140003E90, 0x140001810,
0x140003E50, 0x140003EB0, 0x140001AF0, 0x140002270, 0x140002430, 0x140004130,
0x140003E30, 0x1400039D0, 0x140001970, 0x140001870, 0x140001290, 0x140002130,
0x1400035F0, 0x140003C90, 0x140002BD0, 0x140003550, 0x1400033D0, 0x140001FF0,
0x140002A30, 0x140002330, 0x1400010D0, 0x140001190, 0x140001530, 0x1400015D0,
0x140002810, 0x140001570, 0x1400043B0, 0x140002B30, 0x140002F10, 0x140001670,
0x140001CB0, 0x140002930, 0x1400040B0, 0x1400045B0, 0x140001730, 0x140002210,
0x1400017F0, 0x1400032F0, 0x1400046D0, 0x140001390, 0x1400039F0, 0x140002550,
0x140003590, 0x1400035D0, 0x1400026D0, 0x1400022B0, 0x140001FD0, 0x140003CB0,
0x140003A10, 0x1400041F0, 0x1400033B0, 0x140003A30, 0x140002910, 0x1400024B0,
0x140003A90, 0x1400021B0, 0x1400024F0, 0x1400041D0, 0x140004330, 0x1400034F0,
0x1400038D0, 0x140001630, 0x140001590, 0x140002DF0, 0x140003530, 0x140002C90,
0x140001F30, 0x140002A10, 0x1400023F0, 0x1400044D0, 0x140002AB0, 0x140003130,
0x140003DD0, 0x140004210, 0x140001510, 0x1400011B0, 0x140002030, 0x1400030B0,
0x140003470, 0x140002ED0, 0x1400040F0, 0x140003910, 0x1400011F0, 0x140002170,
0x1400012D0, 0x140002FF0, 0x140003C70, 0x140002090, 0x140003FF0, 0x1400018B0,
0x140002CB0, 0x140002C50, 0x140001550, 0x140003B90, 0x1400043F0, 0x140001D10,
0x140001D90, 0x140004170, 0x140003690, 0x140003510, 0x140003890, 0x140002A50,
0x140003370, 0x1400012F0, 0x1400037B0, 0x1400013F0, 0x140001C90, 0x1400028F0,
0x140002D10, 0x140004390, 0x140001DF0, 0x140001150, 0x140003AF0, 0x140002490,
0x1400043D0, 0x140003090, 0x140001470, 0x140003110, 0x1400014F0, 0x140001410,
0x140003EF0, 0x140004290, 0x140002050, 0x1400018F0, 0x140003270, 0x140002470,
0x140002610, 0x140003F90, 0x1400037F0, 0x140004310, 0x140004630, 0x140001270,
0x140002C10, 0x140002A90, 0x1400038B0, 0x140001AB0, 0x140001230, 0x140002F90,
0x140001C10, 0x140002250, 0x1400030F0, 0x1400036B0, 0x140002750, 0x140003210,
0x140001690, 0x140001BF0, 0x1400036F0, 0x1400028D0, 0x140004030, 0x140002A70,
0x1400021D0, 0x1400029F0, 0x140002870, 0x140002E10, 0x140003330, 0x1400031F0,
0x140001E50, 0x140003C10, 0x140001A50, 0x140001A70, 0x1400028B0, 0x140001B70,
0x1400025B0, 0x1400029B0, 0x140001990, 0x140003FB0, 0x140003670, 0x140001130,
0x140002010, 0x1400030D0, 0x140001F90, 0x140004690, 0x140001CF0, 0x140004190,
0x140004530, 0x140001E30, 0x1400027D0, 0x1400044F0, 0x1400025D0, 0x140001D70,
0x1400022D0, 0x140001950, 0x1400021F0, 0x140004410, 0x140003170, 0x140004670,
0x140001C50, 0x140002730, 0x140002B70, 0x1400020F0, 0x140003750, 0x140002FD0,
0x140001E90, 0x140003150, 0x1400038F0, 0x140002D70, 0x140001BB0, 0x140003410,
0x140002CD0, 0x1400026F0, 0x140002D90, 0x140001B50, 0x140002EB0, 0x1400032D0,
0x140002790, 0x140002070, 0x140002970, 0x140001850, 0x140001170, 0x140002950,
0x140001610, 0x140003490, 0x140004610, 0x140004470, 0x140001EB0, 0x140003830,
0x1400020D0, 0x140002BF0, 0x140002E50, 0x140003C50, 0x140004150, 0x140003F30,
0x140001350, 0x140001D30, 0x1400035B0, 0x1400027F0, 0x140003D90, 0x140004550,
0x140002FB0, 0x140003990, 0x140004050, 0x140002690, 0x140001930, 0x140002650,
0x140002990, 0x1400023D0, 0x1400044B0, 0x140001E10, 0x140002E90, 0x140001FB0,
0x140001250, 0x140003D50, 0x140001110, 0x140003970, 0x140001050, 0x140001A10,
0x140003450, 0x140001070, 0x140002570, 0x1400026B0, 0x1400031B0, 0x1400036D0,
0x140003190, 0x140001B90, 0x140003B30, 0x140002D50, 0x140001490, 0x140001750,
0x140001330, 0x140001C30, 0x140003790, 0x140002890, 0x140001AD0, 0x1400031D0,
0x1400014B0, 0x140003BF0, 0x140002310, 0x1400027B0, 0x140002510, 0x1400010F0,
0x140004350, 0x140003F50, 0x140003390, 0x140001030, 0x140003010, 0x140003630,
0x140003950, 0x140003310, 0x140004110
]
# Map each function address to its index in the table
func_to_index = {addr: i for i, addr in enumerate(func_list)}
# Use a set for fast membership tests
available_functions = set(white_list)
# Switch functions found by the IDA script; each target is its label address minus 0xE
switch_func = [0x140001570, 0x140002970, 0x140003650, 0x140003F30, 0x140004210, 0x140004430]
target_func = [0x1400014F0, 0x1400023D0, 0x140001410, 0x140002710, 0x140002110, 0x140001790]
# Indices of path cells, switches and targets
checked = [i for i, addr in enumerate(func_list) if addr in available_functions]
switch = [func_to_index[addr] for addr in switch_func if addr in func_to_index]
target = [func_to_index[addr] for addr in target_func if addr in func_to_index]
print(f"switch = {switch}")
print(f"target = {target}")

def build_maze():
    maze = [['#' for _ in range(21)] for _ in range(21)]
    for idx in checked:
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = '_'
    for i, idx in enumerate(switch):
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = f'S{i+1}'
    for i, idx in enumerate(target):
        x, y = divmod(idx, 21)
        if 0 <= x < 21 and 0 <= y < 21:
            maze[x][y] = f'T{i+1}'
    return maze

def print_maze(maze):
    for row in maze:
        formatted_row = [f"{cell:<3}" for cell in row]
        print(''.join(formatted_row))

# def print_mapping():
#     for i in range(len(switch)):
#         switch_pos = divmod(switch[i], 21)
#         target_pos = divmod(target[i], 21)
#         print(f"S{i+1} at {switch_pos} -> T{i+1} at {target_pos}")

maze = build_maze()
print_maze(maze)
# print_mapping()
```
I walked through it by hand.
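As an added example (not part of the original writeup), the hand walk can be replaced by a breadth-first search over (cell, set of switches pressed), using the maze grid derived above and the switch/target indices that the script prints (read off func_list by hand here: switches 187, 368, 153, 383, 235, 26 and targets 280, 397, 281, 156, 76, 72). A target cell counts as blocked until its switch has been stepped on; the start cell (index 22, row 1 col 1) and the four orthogonal moves are assumptions.

```python
from collections import deque

N = 21
# The 21 x 21 maze the page derives from the Guard CF Function Table ('1' = wall).
MAZE = [
    "111111111111111111111", "1_1___1_____________1", "1_111_1111111_1_1_1_1",
    "1_________1___1_1_1_1", "111_11111_111_1_11111", "1___1_1_1_____1_____1",
    "11111_1_11111_111_111", "1_______________1___1", "1_111111111_1111111_1",
    "1_1_1_1_______1_1_1_1", "111_1_1_1_111_1_1_1_1", "1_1_____1___1_1_____1",
    "1_11111_1111111_111_1", "1_____________1_1___1", "1_111_1_1_1_1_1_1_1_1",
    "1_1___1_1_1_1_1_1_1_1", "111_1_111_111_1_111_1", "1___1_1_____1_1___1_1",
    "1_1_1_111_11111_1_1_1", "1_1_1___1___1___1_1_1", "111111111111111111111",
]
START = 22      # assumption: v7 starts at row 1, col 1 (the first open cell)
GOAL = 0x1A2    # 418: the end-of-maze check from the page
# Indices of the six switch functions (xor pattern) and of the cells they unblock.
SWITCHES = [187, 368, 153, 383, 235, 26]
TARGETS = [280, 397, 281, 156, 76, 72]
STEP = {"U": -N, "D": N, "L": -1, "R": 1}   # assumed: four orthogonal moves

def solve(maze=MAZE, start=START, goal=GOAL):
    """BFS over (cell, bitmask of switches pressed). A target cell is a
    wall until its switch has been stepped on. Returns a move string or None."""
    block = {t: i for i, t in enumerate(TARGETS)}
    press = {s: i for i, s in enumerate(SWITCHES)}
    queue, seen = deque([(start, 0, "")]), {(start, 0)}
    while queue:
        pos, mask, path = queue.popleft()
        if pos == goal:
            return path
        for mv, d in STEP.items():
            npos = pos + d
            if not 0 <= npos < N * N or maze[npos // N][npos % N] == "1":
                continue
            if npos in block and not mask & (1 << block[npos]):
                continue    # still fast-fails (int 29h): its switch was not visited yet
            nmask = mask | (1 << press[npos]) if npos in press else mask
            if (npos, nmask) not in seen:
                seen.add((npos, nmask))
                queue.append((npos, nmask, path + mv))
    return None

def replay(path, start=START):
    """Walk a move string; return the final cell and the switch visit order."""
    pos, order = start, []
    for mv in path:
        pos += STEP[mv]
        if pos in SWITCHES and pos not in order:
            order.append(pos)
    return pos, order
```

The page notes the real input encodes exactly 200 moves (50 bytes x 4 chunks), so the shortest BFS route still has to be padded to that length before encoding.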
