从C源码中提取Shellcode的尝试

字数统计: 3.3k字   |   阅读时长≈ 18分

尝试一下在拥有C语言源码的情况下,将编译出来的函数shellcode扣出来,可以直接利用。

从C源码中提取Shellcode的尝试

前提

这里说的是Windows程序。Linux程序可能会简单不少。

提取的函数,如果要轻松提取的话,可以选择满足以下条件:

  1. 没有POSIX库函数调用(Windows上的printf那种会有一大堆的内敛库函数代码
  2. 没有Windows库函数调用(可能可行,但太麻烦了)
  3. 没有子函数调用

Demo——RC4加密程序

这里选择的是用一个RC4的脚本来尝试。

初始版本

decode.c:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#include <stdio.h>
#include <string.h>
// #include "base64.h"

typedef unsigned long ULONG;

void rc4_init(unsigned char *s, unsigned char *key, unsigned long Len) //初始化函数
{
    int i =0, j = 0;
    char k[256] = {0};
    unsigned char tmp = 0;
    for (i=0;i<256;i++) {
        s[i] = i;
        k[i] = key[i%Len];
    }
    for (i=0; i<256; i++) {
        j=(j+s[i]+k[i])%256;
        tmp = s[i];
        s[i] = s[j]; //交换s[i]和s[j]
        s[j] = tmp;
    }
 }

void rc4_crypt(unsigned char *s, unsigned char *Data, unsigned long Len) //加解密
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for(k=0;k<Len;k++) {
        i=(i+1)%256;
        j=(j+s[i])%256;
        tmp = s[i];
        s[i] = s[j]; //交换s[x]和s[y]
        s[j] = tmp;
        t=(s[i]+s[j])%256;
        Data[k] ^= s[t];
     }
} 

int main()
{ 
    unsigned char s[256] = {0}; //S-box
    unsigned char key[256] = {"thisiskkk"};
    unsigned char pData[0x24] = {
        0xD8, 0xE5, 0x85, 0xBE, 0xE7, 0xF8, 0x58, 0x75, 0x95, 0x65, 
        0x85, 0xE3, 0xA6, 0x47, 0x59, 0xB9, 0x14, 0x6F, 0x33, 0xB5, 
        0xCA, 0x84, 0x0B, 0xE7, 0x92, 0x0E, 0xD2, 0xFD, 0x64, 0x18, 
        0x96, 0xD0, 0x0F, 0x5E, 0x44, 0x3E
    };
    ULONG len = strlen(pData);
    // printf("key : %s\n", key);
    // printf("raw : %s\n", pData);
    
    rc4_init(s,(unsigned char *)key,strlen(key)); //已经完成了初始化

    rc4_crypt(s,(unsigned char *)pData,len);//加密

    puts(pData);
    // printf("encrypt  : %s\n", pData);
    // printf("encrypt64: %s\n", base64_encode(pData, len));
    
    // rc4_init(s,(unsigned char *)key, strlen(key)); //初始化密钥
    // rc4_crypt(s,(unsigned char *)pData,len);//解密
    // printf("decrypt  : %s\n",pData);
    return 0;
}

现在编译,在Linux下执行:

1
gcc -pie -m32 decode.c -o decode

获得了PIE的ELF32位程序。

然后用capa去解析,发现确确实实的能搜到rc4_initrc4_crypt这两个函数,只不过地址有点奇怪,PIE程序在IDA里面加载出来直接是从0开始的,而Capa分析的默认基址时0x20000000

anyway,项目稍微报了些错,不过这是因为没有传入动态report的问题,以及基址设置有问题。这里后续再解决。

version2

首先为了方便,把rc4_initrc4_crypt两个函数整合在一个函数里面。然后要把编译时的一些保护机制给关掉。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#include <stdio.h>
#include <string.h>
// #include "base64.h"

typedef unsigned long ULONG;

void rc4_init(unsigned char *s, unsigned char *key, unsigned long Len) //初始化函数
{
    int i =0, j = 0;
    char k[256] = {0};
    unsigned char tmp = 0;
    for (i=0;i<256;i++) {
        s[i] = i;
        k[i] = key[i%Len];
    }
    for (i=0; i<256; i++) {
        j=(j+s[i]+k[i])%256;
        tmp = s[i];
        s[i] = s[j]; //交换s[i]和s[j]
        s[j] = tmp;
    }
 }

void rc4_crypt(unsigned char *s, unsigned char *Data, unsigned long Len) //加解密
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for(k=0;k<Len;k++) {
        i=(i+1)%256;
        j=(j+s[i])%256;
        tmp = s[i];
        s[i] = s[j]; //交换s[x]和s[y]
        s[j] = tmp;
        t=(s[i]+s[j])%256;
        Data[k] ^= s[t];
    }
} 

void rc4(unsigned char *key, unsigned long key_len, unsigned char *data, unsigned long data_len) {
    // rc4_init
    unsigned char sbox[256] = {0}; //S-box
    int i =0, j = 0;
    char kbox[256] = {0};
    unsigned char tmp = 0;
    for (i=0;i<256;i++) {
        sbox[i] = i;
        kbox[i] = key[i%key_len];
    }
    for (i=0; i<256; i++) {
        j=(j+sbox[i]+kbox[i])%256;
        tmp = sbox[i];
        sbox[i] = sbox[j]; //交换s[i]和s[j]
        sbox[j] = tmp;
    }
    // rc4_crypt
    i = 0; j = 0; int t = 0;
    unsigned long k = 0;
    // unsigned char tmp;
    for(k=0;k<data_len;k++) {
        i=(i+1)%256;
        j=(j+sbox[i])%256;
        tmp = sbox[i];
        sbox[i] = sbox[j]; //交换s[x]和s[y]
        sbox[j] = tmp;
        t=(sbox[i]+sbox[j])%256;
        data[k] ^= sbox[t];
    }
}

int main()
{ 
    unsigned char s[256] = {0}; //S-box
    unsigned char key[256] = {"thisiskkk"};
    unsigned char pData[0x24] = {
        0xD8, 0xE5, 0x85, 0xBE, 0xE7, 0xF8, 0x58, 0x75, 0x95, 0x65, 
        0x85, 0xE3, 0xA6, 0x47, 0x59, 0xB9, 0x14, 0x6F, 0x33, 0xB5, 
        0xCA, 0x84, 0x0B, 0xE7, 0x92, 0x0E, 0xD2, 0xFD, 0x64, 0x18, 
        0x96, 0xD0, 0x0F, 0x5E, 0x44, 0x3E
    };
    ULONG len =  0x24;
    
    rc4_init(s,(unsigned char *)key,strlen(key)); //已经完成了初始化

    rc4_crypt(s,(unsigned char *)pData,len);//加密


    // puts(pData);
    for(int i=0; i<len; ++i){
        printf("%02x,", pData[i]);
    }
    puts("");

    rc4(key, strlen(key), pData, len);

    for(int i=0; i<len; ++i){
        printf("%02x,", pData[i]);
    }
    puts("");
    return 0;
}

其中,新增函数rc4,此函数只需要传入key和data就好了(以及分别的长度)。

编译源码

现在只保留rc4,编译一次。(Linux上)

1
gcc -pie -m32 -fno-pic -fno-stack-protector decode.c -o decode

去除编译器为我们生成的__x86.get_pc_thunk.ax - 知乎 (zhihu.com)

执行TTP定位项目

(整体项目有点bug没完全跑完,但是部分可用)

然后走一下项目,看看找到的结果:

1
2
{'T1027': {'function': {33559053}, 'basic block': set()}}
{'T1027': {None}}

第一个是capa分析的结果,看了一下指向的就是rc4函数的头。

提取shellcode

现在尝试提取shellcode。

先注意一下传参规则,看一下汇编:

1
2
3
4
5
6
7
8
9
.text:00001536                 add     esp, 10h
.text:00001539                 push    [ebp+a4]        ; a4
.text:0000153C                 lea     edx, [ebp+data]
.text:00001542                 push    edx             ; a3
.text:00001543                 push    eax             ; a2
.text:00001544                 lea     eax, [ebp+key]
.text:0000154A                 push    eax             ; a1
.text:0000154B                 call    rc4
.text:00001550                 add     esp, 10h

简单来说就是从右到左传参,同时用栈传递参数。

然后可能还需要注意一下栈的平衡。

用IDA脚本直接提取shellcode:

1
2
3
4
5
6
7
8
9
import ida_funcs
import ida_bytes

rc4_func = ida_funcs.get_func(0x120d)

shellcode = ida_bytes.get_bytes(rc4_func.start_ea, rc4_func.end_ea-rc4_func.start_ea)

with open("D:/Anal/adda/output/shellcode.bin", "wb") as f:
    f.write(shellcode)

然后读取出来,得到Python bytes对象,然后再美化成可以塞入C语言里的列表:

1
m = ",".join([hex(i) for i in a])

装填shellcode

现在是抠出来重组的结果:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>

// #include "base64.h"

typedef unsigned long ULONG;

// void rc4(unsigned char *key, unsigned long key_len, unsigned char *data, unsigned long data_len) {

typedef void (*fptr_rc4)(unsigned char *, unsigned long, unsigned char *, unsigned long);



int main()
{ 
    unsigned char rc4[] = {
    0xf3,0xf,0x1e,0xfb,0x55,0x89,0xe5,0x57,0x53,0x81,0xec,0x20,0x2,0x0,0x0,0xc7,0x85,0xe4,0xfe,0xff,0xff,0x0,0x0,0x0,0x0,0x8d,0x95,0xe8,0xfe,0xff,0xff,0xb8,0x0,0x0,0x0,0x0,0xb9,0x3f,0x0,0x0,0x0,0x89,0xd7,0xf3,0xab,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xc7,0x45,0xf0,0x0,0x0,0x0,0x0,0xc7,0x85,0xe4,0xfd,0xff,0xff,0x0,0x0,0x0,0x0,0x8d,0x95,0xe8,0xfd,0xff,0xff,0xb8,0x0,0x0,0x0,0x0,0xb9,0x3f,0x0,0x0,0x0,0x89,0xd7,0xf3,0xab,0xc6,0x45,0xeb,0x0,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xeb,0x38,0x8b,0x45,0xf4,0x89,0xc1,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0x88,0x8,0x8b,0x45,0xf4,0xba,0x0,0x0,0x0,0x0,0xf7,0x75,0xc,0x8b,0x45,0x8,0x1,0xd0,0xf,0xb6,0x0,0x89,0xc1,0x8d,0x95,0xe4,0xfd,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0x88,0x8,0x83,0x45,0xf4,0x1,0x81,0x7d,0xf4,0xff,0x0,0x0,0x0,0x7e,0xbf,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xe9,0x80,0x0,0x0,0x0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xb6,0xd0,0x8b,0x45,0xf0,0x8d,0xc,0x2,0x8d,0x95,0xe4,0xfd,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xbe,0xc0,0x8d,0x14,0x1,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0x88,0x45,0xeb,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xd0,0xf,0xb6,0x0,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x55,0xf4,0x1,0xca,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc2,0xf,0xb6,0x45,0xeb,0x88,0x2,0x83,0x45,0xf4,0x1,0x81,0x7d,0xf4,0xff,0x0,0x0,0x0,0xf,0x8e,0x73,0xff,0xff,0xff,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xc7,0x45,0xf0,0x0,0x0,0x0,0x0,0xc7,0x45,0xe4,0x0,0x0,0x0,0x0,0xc7,0x45,0xec,0x0,0x0,0x0,0x0,0xc7,0x45,0xec,0x0,0x0,0x0,0x0,0xe9,0xd0,0x0,0x0,0x0,0x8b,0x45,0xf4,0x8d,0x50,0x1,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf4,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xb6,0xd0,0x8b,0x45,0xf0,0x1,0xc2,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0x88,0x45,0xeb,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xd0,0xf,0xb6,0x0,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x55,0xf4,0x1,0xca,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc2,0xf,0xb6,0x45,0xeb,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x10,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc8,0xf,0xb6,0x0,0x1,0xd0,0xf,0xb6,0xc0,0x89,0x45,0xe4,0x8b,0x55,0x10,0x8b,0x45,0xec,0x1,0xd0,0xf,0xb6,0x18,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xe4,0x1,0xd0,0xf,0xb6,0x8,0x8b,0x55,0x10,0x8b,0x45,0xec,0x1,0xd0,0x31,0xcb,0x89,0xda,0x88,0x10,0x83,0x45,0xec,0x1,0x8b,0x45,0xec,0x3b,0x45,0x14,0xf,0x82,0x24,0xff,0xff,0xff,0x90,0x90,0x81,0xc4,0x20,0x2,0x0,0x0,0x5b,0x5f,0x5d,0xc3
    };

    unsigned char s[256] = {0}; //S-box
    unsigned char key[256] = {"thisiskkk"};
    unsigned char pData[0x24] = {
        0xD8, 0xE5, 0x85, 0xBE, 0xE7, 0xF8, 0x58, 0x75, 0x95, 0x65, 
        0x85, 0xE3, 0xA6, 0x47, 0x59, 0xB9, 0x14, 0x6F, 0x33, 0xB5, 
        0xCA, 0x84, 0x0B, 0xE7, 0x92, 0x0E, 0xD2, 0xFD, 0x64, 0x18, 
        0x96, 0xD0, 0x0F, 0x5E, 0x44, 0x3E
    };
    ULONG len =  0x24;

    // void * mrc4 = (void*)malloc(592);
    // memcpy(mrc4, rc4, 592);
    // mprotect(mrc4, 592, PROT_EXEC);


    ((fptr_rc4)(&rc4))(key, strlen(key), pData, len);

    for(int i=0; i<len; ++i){
        printf("%02x,", pData[i]);
    }
    puts("");
    return 0;
}

编译并执行装入shellcode的程序(Linux)

编译:

1
gcc -m32 -z execstack test.c -o test

执行:

1
2
❯ ./test
16,15,46,1b,10,15,1a,17,0e,45,1a,14,15,0e,12,12,46,41,0e,41,10,17,10,0e,45,42,45,45,40,11,13,12,40,1b,46,13,

shellcode被正确执行了。

当然这样做不是很严谨,应该尝试使用mprotect+malloc来执行shellcode。关闭栈保护有点安全隐患。

编译并执行装入shellcode的程序(Windows)

如果要用cuckoo动态分析的话,需要编译成Windows的版本。

MSVC应该可以做到

我的mingw似乎没准备32位程序的编译器,-m32选项会有bug

偷懒了最后,选择用Visual Studio。并且对代码进行了少许的调整,选择使用VirtualProtect修改堆属性,从而执行。这算是比较正常的方式了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <Windows.h>
// #include "base64.h"

typedef unsigned long ULONG;

// void rc4(unsigned char *key, unsigned long key_len, unsigned char *data, unsigned long data_len) {

typedef void (*fptr_rc4)(unsigned char*, unsigned long, unsigned char*, unsigned long);

unsigned char rc4[] = {
0xf3,0xf,0x1e,0xfb,0x55,0x89,0xe5,0x57,0x53,0x81,0xec,0x20,0x2,0x0,0x0,0xc7,0x85,0xe4,0xfe,0xff,0xff,0x0,0x0,0x0,0x0,0x8d,0x95,0xe8,0xfe,0xff,0xff,0xb8,0x0,0x0,0x0,0x0,0xb9,0x3f,0x0,0x0,0x0,0x89,0xd7,0xf3,0xab,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xc7,0x45,0xf0,0x0,0x0,0x0,0x0,0xc7,0x85,0xe4,0xfd,0xff,0xff,0x0,0x0,0x0,0x0,0x8d,0x95,0xe8,0xfd,0xff,0xff,0xb8,0x0,0x0,0x0,0x0,0xb9,0x3f,0x0,0x0,0x0,0x89,0xd7,0xf3,0xab,0xc6,0x45,0xeb,0x0,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xeb,0x38,0x8b,0x45,0xf4,0x89,0xc1,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0x88,0x8,0x8b,0x45,0xf4,0xba,0x0,0x0,0x0,0x0,0xf7,0x75,0xc,0x8b,0x45,0x8,0x1,0xd0,0xf,0xb6,0x0,0x89,0xc1,0x8d,0x95,0xe4,0xfd,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0x88,0x8,0x83,0x45,0xf4,0x1,0x81,0x7d,0xf4,0xff,0x0,0x0,0x0,0x7e,0xbf,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xe9,0x80,0x0,0x0,0x0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xb6,0xd0,0x8b,0x45,0xf0,0x8d,0xc,0x2,0x8d,0x95,0xe4,0xfd,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xbe,0xc0,0x8d,0x14,0x1,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0x88,0x45,0xeb,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xd0,0xf,0xb6,0x0,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x55,0xf4,0x1,0xca,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc2,0xf,0xb6,0x45,0xeb,0x88,0x2,0x83,0x45,0xf4,0x1,0x81,0x7d,0xf4,0xff,0x0,0x0,0x0,0xf,0x8e,0x73,0xff,0xff,0xff,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xc7,0x45,0xf0,0x0,0x0,0x0,0x0,0xc7,0x45,0xe4,0x0,0x0,0x0,0x0,0xc7,0x45,0xec,0x0,0x0,0x0,0x0,0xc7,0x45,0xec,0x0,0x0,0x0,0x0,0xe9,0xd0,0x0,0x0,0x0,0x8b,0x45,0xf4,0x8d,0x50,0x1,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf4,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0xf,0xb6,0xd0,0x8b,0x45,0xf0,0x1,0xc2,0x89,0xd0,0xc1,0xf8,0x1f,0xc1,0xe8,0x18,0x1,0xc2,0xf,0xb6,0xd2,0x29,0xc2,0x89,0xd0,0x89,0x45,0xf0,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x0,0x88,0x45,0xeb,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xd0,0xf,0xb6,0x0,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x55,0xf4,0x1,0xca,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc2,0xf,0xb6,0x45,0xeb,0x88,0x2,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf4,0x1,0xd0,0xf,0xb6,0x10,0x8d,0x8d,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xf0,0x1,0xc8,0xf,0xb6,0x0,0x1,0xd0,0xf,0xb6,0xc0,0x89,0x45,0xe4,0x8b,0x55,0x10,0x8b,0x45,0xec,0x1,0xd0,0xf,0xb6,0x18,0x8d,0x95,0xe4,0xfe,0xff,0xff,0x8b,0x45,0xe4,0x1,0xd0,0xf,0xb6,0x8,0x8b,0x55,0x10,0x8b,0x45,0xec,0x1,0xd0,0x31,0xcb,0x89,0xda,0x88,0x10,0x83,0x45,0xec,0x1,0x8b,0x45,0xec,0x3b,0x45,0x14,0xf,0x82,0x24,0xff,0xff,0xff,0x90,0x90,0x81,0xc4,0x20,0x2,0x0,0x0,0x5b,0x5f,0x5d,0xc3
};

int main()
{


    unsigned char s[256] = { 0 }; //S-box
    unsigned char key[256] = { "thisiskkk" };
    unsigned char pData[0x24] = {
        0xD8, 0xE5, 0x85, 0xBE, 0xE7, 0xF8, 0x58, 0x75, 0x95, 0x65,
        0x85, 0xE3, 0xA6, 0x47, 0x59, 0xB9, 0x14, 0x6F, 0x33, 0xB5,
        0xCA, 0x84, 0x0B, 0xE7, 0x92, 0x0E, 0xD2, 0xFD, 0x64, 0x18,
        0x96, 0xD0, 0x0F, 0x5E, 0x44, 0x3E
    };
    ULONG len = 0x24;

    void * mrc4 = (void*)malloc(592);
    memcpy(mrc4, rc4, 592);
    //mprotect(mrc4, 592, PROT_EXEC);
    
    DWORD old_protect = NULL;
    VirtualProtect(mrc4, 592, PAGE_EXECUTE_READWRITE, &old_protect);

    //((fptr_rc4)(&rc4))(key, strlen(key), pData, len);
    ((fptr_rc4)(mrc4))(key, strlen(key), pData, len);	// 这里要注意,mrc4前面不要加&

    for (int i = 0; i < len; ++i) {
        printf("%02x,", pData[i]);
    }
    puts("");
    return 0;
}

编译出来成功执行。

参考

mprotect(2) - Linux manual page (man7.org)

virtualProtect 函数 (memoryapi.h) - Win32 apps | Microsoft Learn

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.