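/**
 * Print a hexdump of `length` bytes starting at `addr` using Frida's hexdump().
 *
 * @param {NativePointer|string|number} addr - address to dump; anything ptr() accepts.
 * @param {NativePointer|string|number} [length] - byte count. Parsed with parseInt, so a
 *   NativePointer's "0x…" string form is read as hex, as before. When omitted (the script
 *   also calls `seeHexA(this.context.esp)` with a single argument) the dump falls back to
 *   256 bytes, hexdump's own default: parseInt(undefined) is NaN, and NaN is not
 *   treated as "use the default" by hexdump.
 */
function seeHexA(addr, length) {
  const byteCount = length == null ? 256 : parseInt(length);
  console.log(hexdump(ptr(addr), { length: byteCount }));
}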
// Runtime base of the target image. Every hook below takes a static address
// from the on-disk image and rebases it onto this value.
const base = Module.getBaseAddress("ctf_app.exe");
// Interceptor.attach(ptr(0x00BC28E0 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(Process.getCurrentThreadId(), this.context.ecx, this.context.esp.add(4).readPointer(), "caller =", this.context.esp.readPointer().sub(base))
//         // console.log(' Context : ' + JSON.stringify(this.context));
//         console.log(Process.getCurrentThreadId(), "string_from_u16:", this.context.esp.add(4).readPointer().readUtf16String())
//         console.log()
//         // seeHexA(this.context.esp)
//         console.log(Process.getCurrentThreadId(), "------------------------")
//     }
// })
// Interceptor.attach(ptr(0xBC28C0 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(Process.getCurrentThreadId(), "wrap_SendMessageW "
//             , this.context.esp.add(0x4).readPointer()
//             , this.context.esp.add(0x8).readPointer()
//             , this.context.esp.add(0xc).readPointer()
//             , this.context.esp.add(0x10).readPointer()
//             , "caller =", this.context.esp.readPointer().sub(base)
//         )
//         console.log()
//         // seeHexA(this.context.esp)
//         console.log(Process.getCurrentThreadId(), "------------------------")
//     }
// }
// )
// Interceptor.attach(ptr(0xBC6850 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(Process.getCurrentThreadId(), "enc1 "
//             , this.context.ecx
//             , this.context.edx
//             , this.context.ebp
//             , this.context.esp.add(0x4).readPointer()
//             , "caller =", this.context.esp.readPointer()
//         )
//         console.log()
//         // seeHexA(this.context.esp)
//         console.log(Process.getCurrentThreadId(), "------------------------")
//     }
// }
// )
// Interceptor.attach(ptr(0xBC6D20 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(Process.getCurrentThreadId(), "enc2 "
//             , this.context.edx
//             , this.context.ecx
//             , this.context.ebp
//             , this.context.edi
//             , this.context.esi
//             , this.context.esp.add(0x4).readPointer()
//             , "caller =", this.context.esp.readPointer().sub(base)
//         )
//         console.log()
//         // seeHexA(this.context.esp)
//         console.log(Process.getCurrentThreadId(), "------------------------")
//     }
// }
// )
// Interceptor.attach(ptr(0xBCE670 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(Process.getCurrentThreadId(), "encn "
//             , this.context.ecx
//             , this.context.ebp
//             , this.context.edi
//             , this.context.esi
//             , this.context.esp.add(0x4).readPointer()
//             , "caller =", this.context.esp.readPointer().sub(base)
//         )
//         console.log()
//         // seeHexA(this.context.esp)
//         console.log(Process.getCurrentThreadId(), "------------------------")
//     }
// }
// )
// Interceptor.attach(ptr(0xBC9B90 + parseInt(base) - 0xBC0000),
// {
//     onEnter: function (args) {
//         console.log(this.context.ecx, this.context.esp.add(4).readPointer(), this.context.esp.add(8).readPointer(), "caller =", this.context.esp.readPointer().sub(base))
//         // console.log(' Context : ' + JSON.stringify(this.context));
//         // console.log("newstring:", this.context.esp.add(4).readPointer().readUtf8String())
//         console.log("newstring:")
//         seeHexA(this.context.esp.add(4).readPointer(), parseInt(this.context.esp.add(8).readPointer()))
//         // seeHexA(this.context.esp)
//         console.log("------------------------")
//     }
// })
// Interceptor.attach(ptr(0x40A4B0 + parseInt(base) - 0x00400000),
// {
//     onEnter: function (args) {
//         console.log(this.context.ecx, this.context.esp.add(4).readPointer(), this.context.esp.add(8).readPointer(), "caller =", this.context.esp.readPointer().sub(base))
//         // console.log(' Context : ' + JSON.stringify(this.context));
//         // console.log("newstring:", this.context.esp.add(4).readPointer().readUtf8String())
//         console.log("newstring2:")
//         seeHexA(this.context.esp.add(4).readPointer(), parseInt(this.context.esp.add(8).readPointer()))
//         // seeHexA(this.context.esp)
//         console.log("------------------------")
//     }
// })
// Hook at static address 0xBCDA90, rebased from the image's assumed preferred
// base 0xBC0000 onto the runtime base. Logs the register/stack arguments and the
// caller's image-relative return address; the first stack slot is dumped as UTF-8.
Interceptor.attach(base.add(0xBCDA90 - 0xBC0000), {
  onEnter(args) {
    const { edx, ecx, esp } = this.context;
    // Remembered on the invocation context as in the original; nothing in this
    // hook (it has no onLeave) reads them back.
    this.arg0 = edx;
    this.arg1 = ecx;
    const tid = Process.getCurrentThreadId();
    // At function entry on x86, [esp] is the return address and [esp+4] the first
    // stack-passed argument.
    const returnAddr = esp.readPointer();
    const stackArg0 = esp.add(4).readPointer();
    console.log(tid, edx, ecx, stackArg0, "caller =", returnAddr.sub(base));
    // console.log(' Context : ' + JSON.stringify(this.context));
    console.log(tid, "getcodedat:", stackArg0.readUtf8String());
    console.log();
  },
});
// Hook at static address 0x00C0E460 (rebased from 0xBC0000). The label suggests
// Unicorn's uc_mem_write(uc, uint64 address, bytes, size); on this 32-bit frame
// that would put `bytes` at [esp+0x10] and `size` at [esp+0x14], which is what
// gets hexdumped below — confirm against the target's calling convention.
Interceptor.attach(base.add(0x00C0E460 - 0xBC0000), {
  onEnter(args) {
    const { esp } = this.context;
    const stackSlot = (offset) => esp.add(offset).readPointer();
    const tid = Process.getCurrentThreadId();
    console.log(
      tid,
      "uc_mem_write:",
      stackSlot(4),
      stackSlot(8),
      stackSlot(0xc),
      stackSlot(0x10),
      stackSlot(0x14),
      "caller =",
      esp.readPointer().sub(base),
    );
    // console.log(' Context : ' + JSON.stringify(this.context));
    seeHexA(stackSlot(0x10), stackSlot(0x14));
    console.log(tid, "------------------------");
  },
});
// Hook at static address 0x00C0E1F0 (rebased from 0xBC0000). The label suggests
// Unicorn's uc_mem_read(uc, uint64 address, bytes, size); the destination buffer
// ([esp+0x10]) and byte count ([esp+0x14]) are stashed on the invocation context
// so onLeave can dump what the call filled in.
Interceptor.attach(base.add(0x00C0E1F0 - 0xBC0000), {
  onEnter(args) {
    const { esp } = this.context;
    const stackSlot = (offset) => esp.add(offset).readPointer();
    this.dst = stackSlot(0x10);
    this.size = stackSlot(0x14);
    console.log(
      Process.getCurrentThreadId(),
      "uc_mem_read:",
      stackSlot(4),
      stackSlot(8),
      stackSlot(0xc),
      this.dst,
      this.size,
      "caller =",
      esp.readPointer().sub(base),
    );
    // console.log(' Context : ' + JSON.stringify(this.context));
    console.log();
  },
  onLeave(retval) {
    const tid = Process.getCurrentThreadId();
    console.log(tid, "uc_mem_read->", retval);
    seeHexA(this.dst, this.size);
    // Left disabled as the author had them: these would modify the buffer the
    // call just filled, so the second dump below currently matches the first.
    // this.dst.writeU32(1)
    // this.dst.add(0x18).writeU32(1)
    seeHexA(this.dst, this.size);
    console.log(tid, "------------------------");
  },
});
// if (hash(input) == "6749dae311865d64db83d5ae75bac3c9e36b3aa6f24caba655d9682f7f071023"){}