长期更新吧,基本上是buu上的题,记录下wp

year3000

buu随便翻的一题

给了3000个bin文件,都是elf文件,随便拿了几个看,有些是32位有些64位

但都有一个相似的特征就是

image-20210906213155486

满足每个bin文件对应的输入,让其返回well done

image-20210906213306438

但是这3000个玩意有啥用呢

搜一下WP,发现此题需要nc,好在有发docker

git clone https://github.com/nullcon/hackim-2020
cd /root/tmp/hackim-2020/re/year3000
docker build -t year3000 .
docker run -it --name year3000 -p 8000:1234 year3000

nc之后,发现提示

image-20210906213527979

所以,猜测是随机bin文件要求输入对应的base64字符串,使其每个都返回well done

很简单,下面就是自动化分析

import os

import capstone as cap
from elftools.elf.elffile import ELFFile

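code = []
path = r"D:\Downloads\Compressed\year3000"

# Per-machine extraction parameters, fixed addresses observed in the challenge
# binaries: (capstone mode, disassembly start address, address of the
# instruction carrying the repeat count, address of the instruction carrying
# the repeated byte, number of leading .data bytes to skip).
_LAYOUTS = {
    "EM_386": (cap.CS_MODE_32, 0x510, 0x65E, 0x665, 8),
    "EM_X86_64": (cap.CS_MODE_64, 0x700, 0x816, 0x81D, 16),
}


def _expected_input(elf):
    """Rebuild the input a single year3000 binary answers with "Well done".

    The input is ``<byte> * <count>`` followed by the tail of the ``.data``
    section.  ``count`` is the 4th byte from the end of the encoding of one
    fixed instruction (presumably the low byte of a 32-bit immediate) and
    ``byte`` is the last byte of the following fixed instruction.  Binaries
    whose machine type is not in ``_LAYOUTS``, or in which the marker
    instruction is never reached, yield ``b""``.
    """
    layout = _LAYOUTS.get(elf.structs.e_machine)
    if layout is None:
        return b""
    mode, start, count_addr, byte_addr, skip = layout

    text = elf.get_section_by_name(".text").data()
    data = elf.get_section_by_name(".data").data()

    count = 0
    for insn in cap.Cs(cap.CS_ARCH_X86, mode).disasm(text, start):
        if insn.address == count_addr:
            count = insn.bytes[-4]
        elif insn.address == byte_addr:
            # bytes([x]) is always a single byte; chr(x).encode() would
            # UTF-8-expand any value >= 0x80 into two bytes and corrupt the input.
            return bytes([insn.bytes[-1]]) * count + data[skip:]
    return b""


for num in range(1, 3000 + 1):
    with open(os.path.join(path, "{}.bin".format(num)), "rb") as f:
        code.append(_expected_input(ELFFile(f)))
print(code)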


base64一下,直接pwntools

import base64
# The service expects each recovered input base64-encoded, one string per binary,
# in the same order as `code` (index = binary number - 1).
sendArr = [base64.b64encode(raw).decode() for raw in code]
print(sendArr)
from pwn import *

# Local docker instance started above (host port 8000 forwards to the service).
r = remote("192.168.3.46", 8000)

# Each prompt names a binary ("<n>.bin"); answer with that binary's
# base64-encoded expected input until the prompt stops naming one.  Any reply
# other than "Well done" hands the session over for manual inspection.
while True:
    prompt = r.recvline().decode()
    print("recv", prompt)
    if not prompt.endswith(".bin\n"):
        break

    number, _, _ = prompt.partition(".bin")
    idx = int(number) - 1
    print(code[idx])
    r.sendline(sendArr[idx].encode())

    reply = r.recvline()
    print("recv", reply)
    if b"Well done" in reply:
        continue
    r.interactive()
    break
    
image-20210907162422342

rev3

题目是一个师傅发我看的,简单加了点花指令,写个脚本删,或者直接手动patch

正常F5之后,还是一堆的无用指令,但是不妨碍看主逻辑

前段主要判断输入的格式,取中括号中间32位

主要的算法之一在sub_401310

image-20210906215820341

前段把flag转成DWORD,而后加密

一看就知道是xtea算法

image-20210906215913943

换表base64之后比对密文

image-20210906220106777

撸脚本解密就行了

#include<stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <stdint.h>

unsigned int __fastcall sub_401160(unsigned int *a1, char* a2)
{
    /* XTEA-style encryption of one 64-bit block (a1[0], a1[1]) in place.
     *
     * The key a2 is indexed as four 32-bit words (a2 + 4 * k), so at least
     * 16 key bytes are read.  32 rounds are run with the usual delta
     * 0x9E3779B9 (the decompiled form subtracts 1640531527, which is the same
     * value in 32-bit unsigned arithmetic).  Returns the final round sum.
     */
    const unsigned int delta = 0x9E3779B9u;
    const unsigned int *key = (const unsigned int *)a2;
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    unsigned int sum = 0;

    for (int round = 0; round < 32; ++round) {
        /* key word is selected with the sum *before* it is advanced */
        unsigned int k0 = sum + key[sum & 3];
        sum += delta;
        v0 += k0 ^ (v1 + ((v1 << 4) ^ (v1 >> 5)));
        v1 += (sum + key[(sum >> 11) & 3]) ^ (v0 + ((v0 << 4) ^ (v0 >> 5)));
    }

    a1[0] = v0;
    a1[1] = v1;
    return sum;
}

unsigned int __fastcall xteaDec(DWORD *a1, unsigned char* a2)
{
    /* Inverse of sub_401160 for one 64-bit block (a1[0], a1[1]) in place.
     *
     * The round sum starts at 32 * delta (0xC6EF3720, what the original's 32
     * subtractions reach) and is unwound in the reverse order of the
     * encryption: undo the v1 update, step the sum back, undo the v0 update.
     * Returns the final sum, which is 0 after the 32 rounds.
     *
     * NOTE(review): the key is indexed here as single bytes (a2[k]), whereas
     * sub_401160 above reads it as 32-bit words at a2 + 4*k.  Which layout
     * the challenge binary really uses has to be confirmed in the
     * disassembly; as written, this decryptor consumes a 4-byte key.
     */
    const unsigned int delta = 0x9E3779B9u;
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    unsigned int sum = 32u * delta;

    for (int round = 0; round < 32; ++round) {
        v1 -= (sum + (unsigned int)a2[(sum >> 11) & 3]) ^ (v0 + ((v0 << 4) ^ (v0 >> 5)));
        sum -= delta;
        v0 -= (sum + (unsigned int)a2[sum & 3]) ^ (v1 + ((v1 << 4) ^ (v1 >> 5)));
    }

    a1[0] = v0;
    a1[1] = v1;
    return sum;
}

int main() {
    /* Decrypt the four 8-byte blocks of the 32-byte constant below (presumably
     * the target's comparison value, decoded from its custom-table base64)
     * with the 4-byte key "jxsz" and print each block's two 32-bit words in
     * hex. */
    unsigned char key[4] = { 'j', 'x', 's', 'z' };

    unsigned char v[] = {0x37,0x80,0x9e,0x80,0xb3,0xf5,0xc2,0xc3,0x8d,0xcc,0xac,0x57,0x95,0x78,0x72,0xb5,0xac,0xbd,0xee,0xfc,0x38,0x13,0xb3,0xed,0xfa,0xc,0x63,0x37,0xdf,0x20,0xf1,0x84};
    DWORD *vs = (DWORD *)v;   /* reinterpret the bytes as 8 little-endian words */

    for (int blk = 0; blk < 4; ++blk) {
        DWORD *block = &vs[2 * blk];
        xteaDec(block, key);
        printf("%lx %lx ", block[0], block[1]);
    }
    return 0;
}

解出来是

img

输入下,发现并没有预料中的Congratulations,you found it!!!

然后把打印出来的base64字串再带进去运行一遍

image-20210906220409672