长期更新吧,基本上是buu上的题,记录下wp
year3000
buu随便翻的一题
给了3000个bin文件,都是elf文件,随便拿了几个看,有些是32位有些64位
但都有一个相似的特征就是

满足每个bin文件对应的输入,让其返回well done

但是这3000个玩意有啥用呢
搜一下WP,发现此题需要nc,好在有发docker
# Fetch the challenge sources; the year3000 service lives under re/year3000.
git clone https://github.com/nullcon/hackim-2020
cd /root/tmp/hackim-2020/re/year3000
# Build the service image and run it, mapping container port 1234 to host port 8000.
# Without a host address in --publish, Docker binds the port on every host interface.
docker build --tag year3000 .
docker run --interactive --tty --name year3000 --publish 8000:1234 year3000
nc之后,发现提示

所以,猜测是随机bin文件要求输入对应的base64字符串,使其每个都返回well done
很简单,下面就是自动化分析
from elftools.elf.elffile import ELFFile
import capstone as cap
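code = []
path = r"D:\Downloads\Compressed\year3000"

# Layout shared by the challenge binaries, keyed by ELF e_machine
# (offsets were derived by hand from the samples, see the writeup above):
#   capstone mode, .text load address, address of the instruction whose
#   immediate is the repeat count, address of the instruction whose last
#   byte is the fill byte, and how many leading bytes of .data to skip.
_LAYOUT = {
    "EM_386": (cap.CS_MODE_32, 0x510, 0x65E, 0x665, 8),
    "EM_X86_64": (cap.CS_MODE_64, 0x700, 0x816, 0x81D, 16),
}

# For every N.bin, rebuild the input the binary expects:
# <fill byte> * <count> followed by the tail of .data.
for num in range(1, 3000 + 1):
    with open("{path}\\{name}.bin".format(path=path, name=str(num)), "rb") as f:
        e = ELFFile(f)
        text = e.get_section_by_name(".text").data()
        data = e.get_section_by_name(".data").data()
        length = 0
        tmp = b""
        layout = _LAYOUT.get(e.structs.e_machine)
        if layout is not None:
            mode, base, len_addr, fill_addr, skip = layout
            md = cap.Cs(cap.CS_ARCH_X86, mode)
            for i in md.disasm(text, base):
                if i.address == len_addr:
                    # Low byte of the little-endian imm32 operand;
                    # assumes the repeat count fits in one byte.
                    length = i.bytes[-4]
                elif i.address == fill_addr:
                    # bytes((b,)) rather than chr(b).encode(): the latter
                    # UTF-8-encodes any fill byte >= 0x80 into two bytes,
                    # which would corrupt the reconstructed input.
                    tmp += bytes((i.bytes[-1],)) * length
                    tmp += data[skip:]
                    break
        code.append(tmp)
print(code)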
base64一下,直接pwntools
import base64
# The service expects each answer base64-encoded (see the nc prompt above);
# pre-encode all 3000 payloads once, as text, in the same order as `code`.
sendArr = [base64.b64encode(payload).decode() for payload in code]
print(sendArr)
from pwn import *
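# Answer the service's prompts until it stops asking for a binary.
# 192.168.3.46:8000 is presumably the host running the docker container
# started above (container port 1234 published on 8000).
r = remote("192.168.3.46", 8000)
while True:
    data = r.recvline().decode()
    print("recv", data)
    # A prompt names the binary to answer for, e.g. "42.bin"; any other
    # line (flag, error) ends the exchange.
    if not data.endswith(".bin\n"):
        break
    nums = int(data.split(".bin")[0])
    print(code[nums - 1])
    r.sendline(sendArr[nums - 1].encode())
    data = r.recvline()
    print("recv", data)
    if b"Well done" not in data:
        # Unexpected reply: hand the session over for manual inspection.
        r.interactive()
        break
# Release the socket once the loop is done (the original left it open).
r.close()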

rev3
题目是一个师傅发我看的,简单加了点花指令,写个脚本删,或者直接手动patch
正常F5之后,还是一堆的无用指令,但是不妨碍看主逻辑
前段主要判断输入的格式,取中括号中间的32个字符
主要的算法之一在sub_401310

前段把flag转成DWORD,而后加密
一看就知道是xtea算法

换表base64之后比对密文

撸脚本解密就行了
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
unsigned int __fastcall sub_401160(unsigned int *a1, char* a2)
{
    /* Decompiled encryption routine: the 64-bit block (a1[0], a1[1]) goes
     * through 32 rounds keyed by four 32-bit words read from a2.
     * 1640531527 is 0x61C88647, so "sum -= 1640531527" is the XTEA delta
     * 0x9E3779B9 added with unsigned wrap-around. Returns the final sum. */
    DWORD *key = (DWORD *)a2;
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    unsigned int sum = 0;
    int round;

    for (round = 0; round < 32; ++round) {
        unsigned int k0 = sum + key[sum & 3];
        sum -= 1640531527;
        v0 += k0 ^ (v1 + ((v1 << 4) ^ (v1 >> 5)));
        v1 += (sum + key[(sum >> 11) & 3]) ^ (v0 + ((v0 << 4) ^ (v0 >> 5)));
    }
    a1[0] = v0;
    a1[1] = v1;
    return sum;
}
unsigned int __fastcall xteaDec(DWORD *a1, unsigned char* a2)
{
    /* Inverse of sub_401160 for one 64-bit block (a1[0], a1[1]) in place.
     * Returns the sum after unwinding all rounds (back to 0). */
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    unsigned int sum = 0;
    int round;

    /* Advance sum to where the encryption loop left it:
     * 32 steps of "-= 0x61C88647" (== "+= 0x9E3779B9" mod 2^32). */
    for (round = 0; round < 32; ++round)
        sum -= 1640531527;

    /* NOTE(review): the key is consumed byte-wise here (a2[k] zero-extended
     * to a DWORD), whereas sub_401160 reads four DWORDs from its key
     * pointer; confirm this matches how the target stores its key. */
    for (round = 0; round < 32; ++round) {
        v1 -= (sum + (DWORD)a2[(sum >> 11) & 3]) ^ (v0 + ((v0 << 4) ^ (v0 >> 5)));
        sum += 1640531527;
        v0 -= (sum + (DWORD)a2[sum & 3]) ^ (v1 + ((v1 << 4) ^ (v1 >> 5)));
    }
    a1[1] = v1;
    a1[0] = v0;
    return sum;
}
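int main() {
    /* 4-byte key; xteaDec() indexes it byte-wise. */
    unsigned char key[4] = {'j', 'x', 's', 'z'};
    /* Ciphertext taken from the binary: 32 bytes = four 8-byte blocks. */
    unsigned char v[] = {0x37,0x80,0x9e,0x80,0xb3,0xf5,0xc2,0xc3,0x8d,0xcc,0xac,0x57,0x95,0x78,0x72,0xb5,0xac,0xbd,0xee,0xfc,0x38,0x13,0xb3,0xed,0xfa,0xc,0x63,0x37,0xdf,0x20,0xf1,0x84};
    DWORD vs[sizeof(v) / sizeof(DWORD)];
    /* Copy into a properly typed/aligned array instead of reading the char
     * array through a DWORD pointer, which is an aliasing/alignment
     * violation (it happens to work on x86 but is not portable). */
    memcpy(vs, v, sizeof(v));
    for (int i = 0; i < 4; ++i) {
        xteaDec(&vs[i * 2], key);
        /* Prints the decrypted words as hex; the caller reassembles the text. */
        printf("%lx %lx ", vs[i * 2], vs[i * 2 + 1]);
    }
    return 0;
}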
解出来是

输入下,发现并没有预料中的Congratulations,you found it!!!
然后把打印出来的base64字串再带进去运行一遍
