Record-Topic

本文最后更新于 2025年6月17日晚上

RC4

Rc4_1

Rc4变种

考察

指针的使用

理解Rc4

#include "HeaderFile/DataType.h"
#include "cstdio"
#include "cstdlib"
#include "cstring"

byte key[] = "5ew_3eme3t2r_n2w_atm03ph2re!";
//byte flag[] = "flag{Wow_you_actually_mastered_c4!}";
byte ans[] = {0xb2,0xe4,0x4e,0xa6,0x1f,0x2b,0x67,0xe6,0x94,0xae,0x84,0xaa,0xd6,0x4c,0x7e,0xc1,0x85,0x16,0xfb,0xd0,0xe4,0x5b,0x8c,0xc0,
              0xfb,0x11,0xf9,0xd8,0xb1,0xec,0x70,0xa2,0x50,0x5d,0x75,};
int main(){
    puts("New semester, I think you already know what c4 is");
    puts("Now, give me your c4");
    byte *flag = (byte*) malloc(100);
    scanf("%s",flag);

    dword key_length = strlen((const char*)key);
    dword* kye = (dword*)key;
    word S[512];
    for (auto i = 0; i < 512; ++i) S[i] = i&0xff;
    word j = 0;
    for (auto i = 0; i < 512; ++i) {
        j = i + S[i] + (*kye);
        j %= 256;
        word tmp = S[i];
        S[i] = S[j];
        S[j] = tmp;
    }
    byte *K = (byte*) malloc(key_length);
    for (auto i = 0; i < 512; ++i) {
        j = S[i] % 512;
        K[i%key_length] = S[(S[i] + S[j])%512];
    }
    byte flag_len = strlen((const char *) flag);
    if(flag) {
        for (auto i = 0; i < flag_len; ++i) {
            *(flag + i) ^= K[i%key_length] ^ *(kye + (i % 7));
            if(*(flag + i) != ans[i]){
                perror("Learn more!");
                return 0;
            }
        }
        printf("[!]\tGreat!");
    }

    free(K);
    free(flag);
    return 0;
}

Rc4_2

Rc4变种

考察

指针的使用

代码改写

理解Rc4

#include "Header/Rc4.h"
#include "HeaderFile/DataType.h"
#include "cstdio"
#include "cstring"
/*
 75,50,129,254,190,124,8,162,93,217,159,120,91,2,143,187,124,150,153,6,156,245,190,89,240,71,195,107,184,166,131
 flag{T3e_b2st_Alg0r1thm_ls_Rc4}
 D1_y3u_know_RC4
*/
void KSA(char *key, dword key_length, byte *S) {
    dword i, j = 0;

    for (i = 0; i < 256; i++) S[i] = i;

    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % key_length]) % 256;
        byte temp = S[i];
        S[i] = S[j];
        S[j] = temp;
    }
}

byte PRGA(byte *S) {
    static dword i = 0, j = 0;
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    byte temp = S[i];
    S[i] = S[j];
    S[j] = temp;
    byte K = S[(S[i] + S[j]) % 256] ^ S[i];
    return K;
}

bool CheckFlag(dword plaintext_length, char* flag, byte* S,byte* Ans){
    for (dword k = 0; k < plaintext_length; k++) {
        if((flag[k] ^ PRGA(S)) != Ans[k])return false;
//        printf("%d,",ciphertext_byte);
    }
    return true;
}


void RC4(char* key,char* plaintext,byte* Ans) {

//    puts("Welcome to the world of bombs!");

    dword key_length = strlen(key);

    dword plaintext_length = strlen(plaintext);

    byte S[256];
    KSA(key, key_length, S);

    if(CheckFlag(plaintext_length,plaintext,S,Ans)){
        puts("[!]\tYou already know what Rc4 is\n");
        return;
    } else return;
}

TEA

丢丢茶

Tea变种

考点

段错误的处理

DLL 释放、载入

Tea算法理解

#include "cstdio"
#include "cstdlib"
#include "cstring"
#include "windows.h"
#include <csetjmp>
#include <csignal>
#include <cstdint>

typedef uint8_t byte;
typedef uint16_t word;
typedef uint32_t dword;
typedef uint64_t qword;
typedef qword (__stdcall *lpPlus)(qword,qword);
typedef qword (__stdcall *lpMul)(qword,qword);
typedef qword (__stdcall *lpXor)(qword,qword);
typedef bool (__stdcall *lpCheck)(char*);

dword flag_len;
struct Function{
    HMODULE h;
    lpXor aXor;
    lpMul mul;
    lpPlus plus;
    char* key;
    dword* delta;
    lpCheck Check;
}function;

byte * DllData;

void LoadFunction(){
    char Allpath[MAX_PATH];
    GetTempPath(MAX_PATH,Allpath);
    snprintf(Allpath,MAX_PATH,"%sEnc",Allpath);
    function.h = LoadLibrary(Allpath);
    function.plus = (lpPlus ) GetProcAddress(function.h,(char*)1);
    function.mul = (lpMul ) GetProcAddress(function.h, (char*)3);
    function.aXor = (lpXor ) GetProcAddress(function.h,(char*)5);
    function.delta = (dword*) GetProcAddress(function.h,(char*)11);
    function.key = (char*) GetProcAddress(function.h,(char*)10);
    function.Check = (lpCheck ) GetProcAddress(function.h,(char*)12);
}

void Encrypt(char* flag){
    dword* enc = (dword*)flag;
    for (auto i = 0; i < flag_len; i+=2) {
        dword sum = 0;
        for (auto j = 0; j < 32; ++j) {
            sum += *(function.delta);
            enc[i] += ((dword)function.mul(enc[i+1],16) + *(dword*)(function.key)) ^ (dword)function.plus(enc[i+1] , sum) ^ ((enc[i+1]>>5) + *(dword*)(function.key+1));
            enc[i+1] += ((dword)function.mul(enc[i],16) + *(dword*)(function.key+2)) ^ (dword)function.plus(enc[i] , sum) ^ ((enc[i]>>5) + *(dword*)(function.key+3));
        }
    }
}

void hello(){
    puts("Buy you a cup of tea, brother!");
    puts("You got a cup or something? Give it to me:");
}

void Check(char* flag){
    if(function.Check(flag)){
        puts("Right,Now enjoy your tea");
        exit(0);
    }else puts("Noooooooo!");

}

jmp_buf jumpBuffer;
void signalHandler(int sig) {
    if (sig == SIGSEGV) {
        longjmp(jumpBuffer, 1);
    }
}
void LoadDll(){
    FILE* fp = fopen("Enc.dll","r+b");
    if(!fp){
        puts("This file does not exist!");
        return;
    }
    fseek(fp,0,SEEK_END);
    qword DllSize = ftell(fp);
    rewind(fp);

    DllData = (byte*)malloc(DllSize);
    fread(DllData,1,DllSize,fp);
    qword e_lfanew = *(dword*)(DllData+0x3c);
    qword NumberOfSection = *(word*)(DllData+e_lfanew+0x6);
    qword OpHeaderSize = *(word*)(DllData+e_lfanew+0x14);
    qword SectionPtr = (e_lfanew+0x18+OpHeaderSize);
    for (auto i = 0; i < 0x3c; ++i)
        if(*(DllData+i))*(DllData+i) ^= NumberOfSection;

    memset(DllData+0x40,'h',0x40);
    char tell[] ="Is this really a dll? ty is lying to me, damn ty!";
    memcpy(DllData+0x40,tell, strlen(tell));
    for (auto i = 0; i < 0x24; ++i)
        if(*(DllData + SectionPtr + i))*(DllData + SectionPtr + i) ^= NumberOfSection;
    for (auto i = 0; i < 0x6; ++i)
        if(*(DllData+e_lfanew+i))*(DllData+e_lfanew+i) ^= NumberOfSection;

    char TempPath[MAX_PATH];
    GetTempPath(MAX_PATH,TempPath);
    snprintf(TempPath,MAX_PATH,"%sEnc.dll",TempPath);
    fp = fopen(TempPath,"w+b");
    fwrite(DllData,1,DllSize,fp);
    fclose(fp);
    free(DllData);
}

int main(){
    LoadDll();
    signal(SIGSEGV, signalHandler);
    char* flag = (char*) malloc(0x100);
    hello();
    scanf("%s",flag);
    flag_len = strlen((const char*)flag)/4;

    if(setjmp(jumpBuffer) == 0){
        Encrypt(flag);
        Check(flag);
    } else{
        perror("Eorrrrrrr");
        Sleep(1000);
        puts("Hold on, fixing error.......");
        Sleep(1000);
        puts("Dont!");
        Sleep(1000);
        system("CLS");
        Sleep(1000);
        LoadFunction();
        Encrypt(flag);
        Check(flag);
    }
    free(flag);

    return 0;
}

#include "Header/TestDll.h"
#include "Header/DataTpye.h"
#include "cstdio"

char key[] = "Do_y0u_kn0w_d11!";
dword delta = 0x9e3779c8;
int8_t ans[] = {122,21,-11,118,-96,65,-30,-72,-98,125,5,72,-46,30,25,-71,30,19,-76,-52,47,35,-3,-102,43,74,-29,117,-72,-44,-99,63,67,-46
        ,125,41,-18,63,-90,60,20,-109,43,89,73,-80,-90,-81,};

qword __stdcall Add(qword x,qword y){
    return x+y;
}
qword __stdcall Sub(qword x,qword y){
    return x-y;
}
qword __stdcall Mul(qword x,qword y){
    return x*y;
}

qword __stdcall Div(qword x,qword y){
    return x/y;
}

qword __stdcall Xor(qword x,qword y){
    return x^y;
}

qword __stdcall Or(qword x,qword y){
    return x|y;
}

qword __stdcall And(qword x,qword y){
    return x&y;
}

qword __stdcall Not(qword x){
    return !x;
}

bool __stdcall CheckFlag(char* flag){
    for (auto i = 0; *(flag+i); ++i) {
        if(*(flag+i) != ans[i])return false;
    }
    return true;
}
---------------------------------------------------------------------------------------
//.h
#ifndef EXTERN_LIBRARY_TESTDLL_H
#define EXTERN_LIBRARY_TESTDLL_H

#include "DataTpye.h"
qword __stdcall Add(qword x,qword y);
qword __stdcall Sub(qword x,qword y);
qword __stdcall Mul(qword x,qword y);
qword __stdcall Div(qword x,qword y);
qword __stdcall Xor(qword x,qword y);
qword __stdcall Or(qword x,qword y);
qword __stdcall And(qword x,qword y);
qword __stdcall Not(qword x);
bool __stdcall CheckFlag(char* flag);
#endif //EXTERN_LIBRARY_TESTDLL_H
----------------------------------------------------------------------------------------
//.def
EXPORTS

Add     @1 NONAME
Sub     @2 NONAME
Mul     @3 NONAME
Div     @4 NONAME
Xor     @5 NONAME
Or      @6 NONAME
And     @7 NONAME
Not     @8 NONAME
key     @10 NONAME DATA
delta   @11 NONAME DATA
CheckFlag   @12 NONAME

if (MSVC)
    add_compile_options(/Gy)  # 允许 COMDAT 折叠
#    add_link_options(/OPT:REF)  # 删除未使用的函数
    #   关闭CRT
#    set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreadedDLL")  # 设置运行时库为多线程 DLL（/MD）

#    set(CMAKE_CXX_FLAGS_DEBUG "/MDd /Od /Zi")  # 关闭优化，启用调试信息
#    set(CMAKE_CXX_FLAGS_RELEASE "/MD /O2 /Ob2 /DNDEBUG")  # 高级优化
#    set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "/MD /O2 /Zi")  # 既优化又保留调试信息
#    set(CMAKE_CXX_FLAGS_MINSIZEREL "/MD /O1")  # 以最小尺寸优化
    # 关闭随机地址
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /DYNAMICBASE:NO")
    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} /DYNAMICBASE:NO")
endif()

Tea_1

XTea变种

考点

XTea算法理解

#include "HeaderFile/DataType.h"
#include "Header/Tea.h"
#include "cstdio"
#include "cstring"
/*
 0xEA123BFD,0x2C1E8ED4,0xE636E8B9,0x2E007C2E,0xE23E7380,0x8771ED1E,0x6A18A637,0x1B5D352F,0x3FA20F46,0x3B2099BB,0x3EB6E547
 flag{Un3we2tened_teA_i3_th1_bes7_tea__drlnk}
 Sugar-free_tea!!
*/
void Encrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0, i;
    uint32_t delta = 0x9e3779a9;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (i=0; i < 32; i++) {
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }
    v[0]=v0; v[1]=v1;
}

bool CheckFlag(dword* flag,dword len, dword* Ans){
    for (auto i = 0; i < len; ++i) {
        if(flag[i]!= Ans[i])return false;
    }
    return true;
}

void Tea(char* key,char* plaintext,dword* Ans){
//    puts("Have a cup of unsweetened tea");

    dword plaintext_len = strlen(plaintext);
    dword* flag = (dword*) plaintext;
    for (auto i = 0; i < (plaintext_len/4)-1; ++i) {
        Encrypt(&flag[i],(dword*)key);
    }
    if(CheckFlag(flag,(plaintext_len/4),Ans)){
        puts("[!]\tEnjoy this cup of tea\n");
        return;
    } else return;
}

PE

TimeDateStamp_1

PE.TimeDateStamp(程序编译完成时间)

考点

xor

TimeDateStamp的获取

void TimeBoom(char* Timeflag){
    qword ImageBase;
    pDosMember dosMember;
    pNT_Header64 pNtHeader64;
    HMODULE hmodule;
    dword flag_len ;

    hmodule = GetModuleHandleA(nullptr);
    ImageBase = (qword) hmodule;
    dosMember = (pDosMember) ImageBase;
    pNtHeader64 = (pNT_Header64) (ImageBase + dosMember->e_lfanew);
//    printf("0x%X\n",pNtHeader64->PEHeader.TimeDateStamp);
    srand(pNtHeader64->PEHeader.TimeDateStamp);
    //flag{Y0u_r3_starting_t3_kno3_PE_br1}

    flag_len = strlen(Timeflag);
//    for (auto i = 0; i < flag_len; ++i){
//        printf("0x%x,",(byte)(Timeflag[i] ^ rand()));
//    }
    for (auto i = 0; i < flag_len; ++i){
        if((byte)(Timeflag[i] ^ rand())!= TimeAns[i])return;
    }
    puts("[!]\tYou're starting to learn PE\n");
}

TLS

TLS_1

TLS

考点

TLS执行流程

#include "Header/BaseHeader.h"
#ifdef _WIN64
#pragma comment(linker,"/INCLUDE:_tls_used")
#else
#pragma comment(linker,"/INCLUDE:__tls_used")
#endif // _WIN64

void NTAPI TLS_CALLBACK1(PVOID DllHandle, DWORD dwReason, PVOID Reserved);

extern "C"
#ifdef _WIN64
#pragma const_seg(".CRT$XLX")
const
#else
#pragma data_seg(".CRT$XLX")
#endif
//


//存储回调函数地址
PIMAGE_TLS_CALLBACK pTLS_CALLBACKs[] = { TLS_CALLBACK1, 0 };
#pragma data_seg()
BYTE BOX[0x100];
char key[] = "HELLO_MY_BOMB";
DWORD KeyLen;
DWORD SUM = 0;
DWORD Reason = -1;
// char flag1[] = "flag{Ok_You_already_know_Thread_Local_Storage}";
BYTE ans[] = {
    0x41, 0xa0, 0x1d, 0x58, 0x1, 0x75, 0xde, 0x21, 0x3d, 0x1e, 0x25, 0x5c, 0x38, 0x54, 0x84, 0xb7, 0x80, 0x3a, 0xa6,
    0x29, 0x31, 0x83, 0xb7, 0x4d, 0x6b, 0xf4, 0xf2, 0xd, 0x39, 0xcd, 0x91, 0xe5, 0x93, 0xe2, 0xfc, 0xb0, 0xb1, 0xe4,
    0xa0, 0xe5, 0x6d, 0xe9, 0x54, 0x2b, 0xcc, 0x9c,0
    };
char flag[MAX_PATH];

void KSA() {
    int i, j = 0;
    for (i = 0; i < 256 && Reason == 1; i++) BOX[i] = i;
    KeyLen = strlen(key);
    for (i = 0; i < 256; i++) {
        j = (j + BOX[i] + key[i % KeyLen]) % 256;
        BYTE temp = BOX[i];
        BOX[i] = BOX[j];
        BOX[j] = temp;
    }
}

void InitBOX() {
    int i, j = 0;
    for (i = 0; i < 256; i++) BOX[i] = i;

    char buf[41];
    sha1(key, strlen(key), buf);

    KeyLen = strlen(key);

    for (i = 0; i < 256; i++) {
        j = (j + BOX[i] + key[i % KeyLen]) % 256;
        BYTE temp = BOX[i];
        BOX[i] = BOX[j];
        BOX[j] = temp;
    }
    for (i = 0; i < 256; i++) BOX[i] ^= buf[i % strlen(buf)];
}

void Encrypt(char* flag) {
    for (int i = 0; i < strlen(flag); i++) flag[i] ^= (BOX[i] ^ (rand() & 0xff));
}

void Check() {
    int boo = 1;
    for (int i = 0; ans[i]; i++) {
        if ((flag[i]&0xff) != ans[i]) {
            boo = 0;break;
        }
    }
    if (boo) puts("Right");
    else puts("Not right");
}

void NTAPI TLS_CALLBACK1(PVOID DllHandle, DWORD dwReason, PVOID Reserved){
    Reason = dwReason;
    SUM += dwReason;
    if (dwReason != 3)KSA();
    else if (dwReason == 3) {
        srand(SUM);
        InitBOX();
        Encrypt(flag);
        Check();
        TerminateProcess(GetCurrentProcess(), 0);
    }
}
int main() {
    puts("FLAG:");
    scanf("%s", flag);
    HANDLE hThread = CreateThread(nullptr, NULL, (LPTHREAD_START_ROUTINE)KSA, nullptr, NULL, nullptr);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    srand(520);
    Encrypt(flag);
    Check();
    TerminateProcess(GetCurrentProcess(), 0);
}

TLS_2

TLS

考点

TLS执行流程

PEB反调试

#include "Header/BaseHeader.h"
#ifdef _WIN64
#pragma comment(linker,"/INCLUDE:_tls_used")
#else
#pragma comment(linker,"/INCLUDE:__tls_used")
#endif // _WIN64

void NTAPI TLS_CALLBACK1(PVOID DllHandle, DWORD dwReason, PVOID Reserved);

extern "C"
#ifdef _WIN64
#pragma const_seg(".CRT$XLX")
const
#else
#pragma data_seg(".CRT$XLX")
#endif
//


//存储回调函数地址
PIMAGE_TLS_CALLBACK pTLS_CALLBACKs[] = { TLS_CALLBACK1, nullptr };
#pragma data_seg()

char key[] = "HELLO_TLS";
DWORD KeyLen;

BYTE ans[] = {
    0x13, 0x73, 0x1b, 0xe0, 0x1a, 0x73, 0xe9, 0x34, 0x26, 0x90, 0xe1, 0xf4, 0x72, 0xeb, 0x8c, 0xbf, 0xee, 0x33, 0xa9,
    0xf1, 0x9b, 0xc4, 0x8b, 0x88, 0x78, 0xbe, 0xd2, 0xc6, 0x7, 0x97, 0x85, 0x5a,
};
char flag[MAX_PATH];

DWORD sha(char* Data,DWORD DataLen) {
    DWORD HASH = 0x534c54;
    for (int i = 0; i < DataLen; i++) HASH = HASH *31 + (BYTE)Data[i];
    return HASH;
}

void HelloTLS() {
    puts("WELCOME TO TLS'S W");
    puts("Here you can learn about the process of TLS");
    puts("Start enjoying the challenges of TLS");
    puts("");
    puts("FLAG:");
    // char flag[] = "flag{WOWW_Now_you_really_can!!!}";
    scanf("%s", flag);
}

void InitBox(char* BOX) {
    int i, j = 0;
    for (i = 0; i < 256; i++) BOX[i] = key[i % KeyLen];

    for (i = 0; i < 256; i++) {
        j = (j + BOX[i] + key[i % KeyLen]) % 256;
        char temp = BOX[i];
        BOX[i] = BOX[j];
        BOX[j] = temp;
    }
}

DWORD Rc4(char* flag) {
    char BOX[256];
    int i , j = 0;
    KeyLen = strlen(key);

    InitBox(BOX);

    for (i = 0; i < strlen(flag); i++) {
        i = (i + 1) % 256;
        j = (j + BOX[i]) % 256;
        BOX[i] = BOX[j];
        BOX[j] = key[i%KeyLen];
        flag[i] ^= BOX[key[i%KeyLen] & 0xff];
    }
    return sha(BOX,256);
}

DWORD Rc4_FAKE(char* flag) {
    char BOX[256];
    int i, j = 0;
    KeyLen = strlen(key);

    InitBox(BOX);

    for (i = 0; i < strlen(flag); i++) {
        i = (i + 1) % 256;
        j = (j + BOX[i]) % 256;
        BYTE temp = BOX[i];
        BOX[i] = BOX[j];
        BOX[j] = temp;
        flag[i] ^= BOX[(BOX[i] + BOX[j]) % 256];
    }
    return sha(BOX,256);
}

void TEA(char* flag,DWORD KEY) {
    for (int j = 0; j < strlen(flag)/4; j+=2) {
        DWORD* v = (DWORD*)flag;
        DWORD v0=v[j], v1=v[j+1], sum=0, i;
        DWORD delta=0x9e3779b9;

        BYTE* k = (BYTE*)(&KEY);
        BYTE k0=k[0], k1=k[1], k2=k[2], k3=k[3];

        for (i=0; i < 32; i++) {
            sum += delta;
            v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
            v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        }
        v[j]=v0; v[j+1]=v1;
    }
}

void Check_HASH(char* flag) {
    DWORD ANS = sha(flag,strlen(flag));
    switch (ANS) {
        case 0x68e19b96:
        case 0x534c54:
            puts("FFFAAAKKKEEE");
        break;
        case 0x78909b38:
            puts("YYYYEEEESSSS");
        default:
            ExitProcess(0);
    }
}
void Check(char* flag) {

   for (int i = 0; i < strlen(flag); i++) {
       if ((BYTE)flag[i] != ans[i]) {
           ExitProcess(0);
       }
   }
    puts("YYYYEEEESSSS");
}


void ENCRYPT(char* flag) {
    DWORD TMP = Rc4(flag);
    TEA(flag, TMP);
}

void ENCRYPT_FAKE(char* flag) {
    DWORD TMP = Rc4_FAKE(flag);
    TEA(flag, TMP);
}

void EZ_ENCRYPT(char* flag) {
    for (DWORD i = 0; i < strlen(flag); i++) flag[i] ^= 0x66;
}

void (*HELLO)() = nullptr;
void (*tENCRYPT)(char*flag) = nullptr;
void (*tCheck)(char*flag) = nullptr;
void (*Function_Change[])(char*flag) = {ENCRYPT,ENCRYPT_FAKE,nullptr};


DWORD co = 0;
void NTAPI TLS_CALLBACK1(PVOID DllHandle, DWORD dwReason, PVOID Reserved){
    switch (dwReason) {
        case 0:
            TerminateProcess(GetCurrentProcess(), 0);
        break;
        case 1:
            break;
        case 2:
            if (co)tCheck = Check;
        tENCRYPT = Function_Change[PEB_Anti_Debug()];
        co = 1;
        break;
        case 3:
            tENCRYPT = EZ_ENCRYPT;
        tCheck = Check_HASH;
        break;
        default:
            TerminateProcess(GetCurrentProcess(), 0);
    }
}

void Thread_tENCRYPT(char *param) {
    tENCRYPT(param);
}
void Thread_tCheck(char *param) {
    tCheck(param);
}

int main() {
    if (!HELLO) HELLO = HelloTLS;
    HELLO();

    if (!tENCRYPT) tENCRYPT = EZ_ENCRYPT;
    HANDLE hThread = CreateThread(nullptr, NULL, (LPTHREAD_START_ROUTINE)Thread_tENCRYPT, flag, NULL, nullptr);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    if (!tCheck) tCheck = Check_HASH;
    hThread = CreateThread(nullptr, NULL, (LPTHREAD_START_ROUTINE)Thread_tCheck, flag, NULL, nullptr);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    puts("BYTE BYTE");
    TerminateProcess(GetCurrentProcess(), 0);
}

#ifndef STRUCT_H
#define STRUCT_H

struct CLIENT_ID32
{
    ULONG UniqueProcess;                                                    //0x0
    ULONG UniqueThread;                                                     //0x4
};

struct CLIENT_ID64
{
    ULONGLONG UniqueProcess;                                                //0x0
    ULONGLONG UniqueThread;                                                 //0x8
};
typedef struct {
    struct _NT_TIB32 NtTib;                                                 //0x0
    ULONG EnvironmentPointer;                                               //0x1c
    struct CLIENT_ID32 ClientId;                                           //0x20
    ULONG ActiveRpcHandle;                                                  //0x28
    ULONG ThreadLocalStoragePointer;                                        //0x2c
    ULONG ProcessEnvironmentBlock;                                          //0x30
}* P_TEB32;

struct PEB_LDR_DATA
{
    ULONG Length;                                                           //0x0
    UCHAR Initialized;                                                      //0x4
    VOID* SsHandle;                                                         //0x8
    struct _LIST_ENTRY InLoadOrderModuleList;                               //0xc
    struct _LIST_ENTRY InMemoryOrderModuleList;                             //0x14
    struct _LIST_ENTRY InInitializationOrderModuleList;                     //0x1c
    VOID* EntryInProgress;                                                  //0x24
    UCHAR ShutdownInProgress;                                               //0x28
    VOID* ShutdownThreadId;                                                 //0x2c
};

//0x8 bytes (sizeof)
struct UNICODE_STRING
{
    USHORT Length;                                                          //0x0
    USHORT MaximumLength;                                                   //0x2
    WCHAR* Buffer;                                                          //0x4
};

typedef struct {
    struct _NT_TIB64 NtTib;                                                 //0x0
    ULONGLONG EnvironmentPointer;                                           //0x38
    struct CLIENT_ID64 ClientId;                                           //0x40
    ULONGLONG ActiveRpcHandle;                                              //0x50
    ULONGLONG ThreadLocalStoragePointer;                                    //0x58
    ULONGLONG ProcessEnvironmentBlock;                                      //0x60
}* P_TEB64;


typedef struct {
    UCHAR InheritedAddressSpace;                                            //0x0
    UCHAR ReadImageFileExecOptions;                                         //0x1
    UCHAR BeingDebugged;                                                    //0x2
    union
    {
        UCHAR BitField;                                                     //0x3
        struct
        {
            UCHAR ImageUsesLargePages:1;                                    //0x3
            UCHAR IsProtectedProcess:1;                                     //0x3
            UCHAR IsImageDynamicallyRelocated:1;                            //0x3
            UCHAR SkipPatchingUser32Forwarders:1;                           //0x3
            UCHAR IsPackagedProcess:1;                                      //0x3
            UCHAR IsAppContainer:1;                                         //0x3
            UCHAR IsProtectedProcessLight:1;                                //0x3
            UCHAR IsLongPathAwareProcess:1;                                 //0x3
        };
    };
    VOID* Mutant;                                                           //0x4
    VOID* ImageBaseAddress;                                                 //0x8
    struct PEB_LDR_DATA* Ldr;                                              //0xc
}*P_PEB;

//0xa8 bytes (sizeof)
typedef struct{
    struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
    struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8
    struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10
    VOID* DllBase;                                                          //0x18
    VOID* EntryPoint;                                                       //0x1c
    ULONG SizeOfImage;                                                      //0x20
    struct UNICODE_STRING FullDllName;                                     //0x24
    struct UNICODE_STRING BaseDllName;                                     //0x2c
}* P_LDR_DATA_TABLE_ENTRY;
#endif //STRUCT_H

DWORD PEB_Anti_Debug() {
    P_TEB64 pteb = nullptr;
    P_PEB ppeb = nullptr;

    pteb = (P_TEB64)NtCurrentTeb();
    ppeb = (P_PEB)(pteb->ProcessEnvironmentBlock);

    return ppeb->BeingDebugged;
}

Topic

Record-Topic

https://tforevery.github.io/Record-Topic/

作者

发布于

2025年4月2日

许可协议

HEAP 上一篇

PWN-Buu 下一篇