銆愭妧鏈垎浜€戞煇娓告垙xLua鍒嗘瀽

Posted 2021-04-23 瀹夊叏瀹?/a> 銆愭妧鏈

浠ュ墠鍋氳繃寰堝鍚岀被CTF棰橈紝闂插緱鏃犺亰锛屾濂藉湪鍒嗘瀽鏍锋湰鐨勬椂鍊欓亣鍒颁簡xLua锛屽疄鎴樹竴涓嬪姛鑳界殑鍒嗘瀽锛屾€荤粨涓€涓嬪叧浜嶭ua鐨勭浉鍏崇煡璇嗐€?/span>

 

闈欐€佸垎鏋?/span>

鎳掑緱娉ㄥ叆鐒跺悗dump杩涜opcode姣斿锛岀洿鎺ラ潤鎬佸垎鏋愩€?/span>

宸紓锛歀ua鍙樹负Mua锛岎煒?/span>

鐗堟湰53鏍煎紡1锛屾槸xLua鐨勫樊寮傦紝鎵撳紑浜哃UAC_COMPATIBLE_FORMAT锛屽洜姝ゆ牸寮忔槸1锛屽苟涓斿幓鎺変簡size_t鐨勬牎楠?/span>

骞朵笖鏍规嵁鏄惁涓篗ua锛宑heckHeader鏈夋墍涓嶅悓

LoadState澧炲姞Mua鐨勪俊鎭?/span>

 
   
   
 

  
    
    
  
 
   
 
   
 
   
 
   
 
   
 
   
 
   
 
   
 
  
  
    
    
  
struct LoadState{ struct lua_State *L; struct ZIO *Z; const char *name; uint8_t isMua; uint32_t mua;};
 
   
   
 

LoadFunction涔熸槸瀵筰sMua杩涜浜嗗垽鏂紝濡傛灉鏄疢ua鐨勮瘽锛屼細鍏圠oadConstant鍐峀oadCode锛岃皟鎹簡椤哄簭銆傚叾浣欎技涔庢病鏈夊樊鍒?/span>

瀛楄妭鐮佷笉鍑烘剰鏂欒鎵撲贡浜嗛『搴忥紝涓嬮潰寮€濮嬪垎鏋愬垎鏋愬搴斿叧绯伙紝棣栧厛鍙互鎼滅储local瑙ｅ喅閮ㄥ垎瀵瑰簲鍏崇郴

 
   
   
 

  
    
    
  
 
   
 
   
 
   
 
   
 
   
 
   
 
   
 
  
  
    
    
  
OP_MOVE = 21,OP_LOADK = 22,OP_GETUPVAL = 26,OP_LOADKX = 28,OP_SELF = 29,OP_GETTABUP = 36,OP_GETTABLE = 41,
 
   
   
 

 
   
   
 

  
    
    
  
 
   
 
   
 
   
 
   
 
   
 
  
  
    
    
  
OP_LOADNIL = 38,OP_TFORCALL = 39,OP_CALL = 44,OP_TAILCALL = 32,OP_JMP = 17
 
   
   
 

鍏跺疄涔熷彲浠ラ€氳繃杩欎釜琛ㄧ湅鍑轰竴浜涚鍊紝杩欓噷鏄竴瀹氭寜OpCode椤哄簭瀛樻斁鐨?/span>

鍙互鐚滄兂鏈変竴娈碉紙鏁板杩愮畻锛夋槸鏁翠綋骞崇Щ鐨勶紝璨屼技浠ュ墠CTF涔熷仛杩囪繖鏍风殑

缁х画鎵惧搴斿叧绯伙紝姣斿鐩稿悓鐨勫彲浠ョ缉灏忚寖鍥?/span>

浠ユ绫绘帹锛屽緱鍑哄搴斿叧绯汇€備箣鍚庡氨鍙互鎴愬姛鍙嶇紪璇戜簡锛屼笉杩囩湅缁撴灉杩樺浜嗛澶栦竴灞備笢瑗匡紝缁х画鐮旂┒銆?/span>

 

鍔ㄦ€佸垎鏋?/span>

鏈€鍚庤繕鏄緱娉ㄥ叆鐪嬬湅sb鍑芥暟鏄粈涔堜笢瑗匡紝棣栧厛鍒嗘瀽杩欎釜CreateLuaTable锛屼粠璧勬簮涓彁鍙栧嚭鏉?/span>

鎻愬彇浜嗗崐澶╋紝涔熸病鎵惧埌浠€涔堟湁鐢ㄧ殑涓滆タ锛屽喅瀹氳瘯璇曠帺鐜╀粬鐨刲ua锛屽彂鐜颁粬鎷掔粷缂栬瘧鏂囨湰锛屽彧鑳借繍琛岄缂栬瘧鐨勶紝鍥犳闇€瑕佺敤鏇挎崲濂絆P鐨勭▼搴忕紪璇戜竴浠藉嚭鏉ャ€?/span>

鐒跺悗鎵嬪姩璋冪敤DoString锛岃繖閲屽彲浠ョ敤Base64鍒涘缓鏁扮粍銆?/span>

鎴愪簡锛岃鏄庡彲浠ョ敤锛屾帴涓嬫潵鐪嬬湅閭ｄ釜瑙ｅ瘑鍑芥暟鏄粈涔堜笢瑗裤€?/span>

涓嶇粰dump锛岀湅鐪嬫槸涓轰粈涔堬紝浼间箮鏄洜涓轰笉鏄痩ua鍑芥暟鑰屾槸CS绔垨鑰呮槸native鐨勶紵缁х画鐪嬬湅CustomLoader

缁忚繃娴嬭瘯搴旇鏄湪杩欏嚑涓狪nit閲岃祴鍊肩殑

Hook xlua鐨剆etglobal锛岀湅鐪嬫槸鍦ㄥ摢閲岃祴鍊肩殑

绔熺劧鏄湪xLua鐨処nit涔嬪墠锛屾墦鍗板爢鏍?/span>

瀹氫綅鍒皒lua.dll鐨勮繖閲岋紝鏈夋贩娣嗕唬鐮?/span>

鏄湪lua_newstate閲岃繘琛屽垵濮嬪寲鐨?/span>

鍏堢湅鐪嬫眹缂栵紝瀹炲湪涓嶈瑙ｆ贩娣嗭紝杩欏効鏄兘鐪嬪埌鎶婅繖涓嚱鏁版敞鍐屽埌sb_1184180438

涓嶈锛岃繕鏄瑙ｆ贩娣嗭紝鍒濇鎬濊矾鏄娴嬭繖涓壒寰侊紝鐒跺悗鐢╝ngr绗﹀彿鎵ц鏇挎崲瀹屼簨锛屽啓鑴氭湰寮€骞?/span>

濂藉浼欙紝涓€涓囧涓紝鎱㈡參鐖嗗惂

鍏堢湅涓€鐪硷紝杩欓噷搴旇鏄В瀵嗗瓧绗︿覆锛岃В瀵嗕箣鍚庡氨鏄痵b鍑芥暟鍚嶄簡搴旇

缁х画淇锛岃繖閲岃淇鏉′欢锛岀◢寰鏉備簡涓€鐐圭偣

杩樻湁涓€浜涢浂纰庣殑鍦版柟锛屽厛涓嶄慨浜嗭紝鍏堢湅鐪媠b

寰堝sub_180024390閮芥槸鑰嶄汉鐜╃殑锛屽眰灞俿witch_case鏈€鍚庡彧鏄畝鍗曠殑鍔熻兘锛屾垜浠彧鐪嬪叧閿唬鐮侊紝浼间箮鏄浉閭诲紓鎴栵紝浠庢渶鍚庝竴浣嶅紑濮嬶紝鏈€鍚庝竴浣嶇敱0xA3寮€濮嬶紝閭ｄ箞瑙ｅ瘑鐪嬬湅銆?/span>

鍐嶅弽姹囩紪涓€涓嬶紝鎴愬姛

 

鎬荤粨

Lua涓昏灏辨槸OpCode Swap锛屽彲浠ユ墜鍔ㄧ垎涔熷彲浠ョ敤妯℃澘鑴氭湰缂栬瘧鐒跺悗瀵圭収锛屼絾瀹為檯涓婂鏈枃鐨勬牱鏈紝鎶婄紪璇戝姛鑳藉叧浜嗗氨鍙兘鎵嬪姩鐖嗕簡銆傚叾浠栫殑鍙嶆贩娣嗗ソ鍍忓拰Lua涔熸病鍟ュ叧绯伙紝浣嗕篃鏄繖涓牱鏈噷鐨勪笢瑗匡紝灏遍『渚挎彁涓€涓嬪惂锛屽彟澶栬繖绉嶅灞傜殑switch-case鍑芥暟娣锋穯璨屼技涔熸病娉曚慨澶嶏紝鏈夋病鏈夋噦鍝ユ杩庤瘎璁恒€?/span>

锛堢偣鍑烩€滈槄璇诲師鏂団€濇煡鐪嬮摼鎺ワ級

 
   
   
 

  
    
    
  
 
   
 
    
 
     
 
    
 
   
 
  
  
    
    
  
 
   
 
    - End -
 
   
 
   
 
    绮惧僵鎺ㄨ崘 
   
 
   
 
    
 
   
 
   
 
    
 
   
 
   
 
    
 
   
 
   
 
     
   
 
   

 
   
    
      
      
    

     
       
       
     
 
      
 
       
 
        
 
         鎴斥€滈槄璇诲師鏂団€濇煡鐪嬫洿澶氬唴瀹?/strong>