
[原创]2021KCTF秋季赛 迷失丛林

2021-11-26 01:29

0x4013CC 获得输入
输入长度为 0x20 (32 个字符), 只允许数字和大写字母 (即一个十六进制串), 在 sub_4014A0 中按 hex 解码成 16 字节, 也就是 4 个 DWORD。后面的结果表明这个解码把每个字节的高低 nibble 对调了, 所以最终 flag 要按 nibble 对调后的顺序写。

 

0x404000 开头8字节
取0x404000 256字节发现缺少以下内容
图片描述
不想逆
用 frida 爆破: 在 x64dbg 里把校验的成功分支 (0x4016bc) 和失败分支 (0x4017e5) 两处都 patch 成跳回 0x00401584 重新执行校验, 跳转前注意保持堆栈平衡; 每次命中 hook 时脚本的 reset 会把下一组候选表写到 0x404000 并清零 0x404220 的临时区。
图片描述
图片描述

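// Brute force over all permutations of the 8 unknown table bytes.

/**
 * Swap arr[i] and arr[j] in place; a no-op when i === j.
 * @param {number[]} arr
 * @param {number} i
 * @param {number} j
 */
function swap(arr, i, j) {
  if (i !== j) {
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
}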
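var count = 0;      // re-initialised again below, right before the hooks are installed
const burst = [];   // every 8-byte arrangement produced by perm(), in generation order

/**
 * Record the current arrangement of the first 8 entries of arr.
 * The slice is copied because perm() keeps swapping arr in place afterwards.
 * Assumes arr has at least 8 entries.
 * @param {number[]} arr
 */
function show(arr) {
  burst.push(arr.slice(0, 8));
}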
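/**
 * Enumerate every permutation of arr by swap-recursion, calling show() for
 * each arrangement. arr is restored to its original order on return.
 * @param {number[]} arr
 */
function perm(arr) {
  const lastIndex = arr.length - 1;
  // Choose the element for position n, then recurse on positions n+1..end.
  (function fillFrom(n) {
    for (let i = n; i < arr.length; i++) {
      swap(arr, i, n);
      if (n + 1 < lastIndex) {
        fillFrom(n + 1);
      } else {
        // Only positions n and n+1 are left; the loop over i yields both orders.
        show(arr);
      }
      swap(arr, i, n);
    }
  })(0);
}

// The 8 bytes that are absent from the 256-byte table at 0x404000.
perm([0x1e, 0x28, 0x4b, 0xd2, 0x6d, 0x8c, 0xa3, 0xfb]);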
 
// The known part of the 256-byte table at 0x404000 (should be 248 entries:
// 256 minus the 8 unknown bytes). reset() writes one permutation of the
// 8 unknown bytes in front of this block on every attempt.
var base_data = [0xa2,0x9b,0xf4,0xdf,0xac,0x7c,0xa1,0xc6,0x16,0xd0,0x0f,0xdd,0xdc,0x73,0xc5,0x6b,0xd1,0x96,0x47,0xc2,0x26,0x67,0x4e,0x41,0x82,0x20,0x56,0x9a,0x6e,0x33,0x92,0x88,0x29,0xb5,0xb4,0x71,0xa9,0xce,0xc3,0x34,0x50,0x59,0xbf,0x2d,0x57,0x22,0xa6,0x30,0x04,0xb2,0xcd,0x36,0xd5,0x68,0x4d,0x5b,0x45,0x9e,0x85,0xcf,0x9d,0xcc,0x61,0x78,0x32,0x76,0x31,0xe3,0x80,0xad,0x39,0x4f,0xfa,0x72,0x83,0x4c,0x86,0x60,0xb7,0xd7,0x63,0x0c,0x44,0x35,0xb3,0x7b,0x19,0xd4,0x69,0x08,0x0b,0x1f,0x3d,0x11,0x79,0xd3,0xee,0x93,0x42,0xde,0x23,0x3b,0x5d,0x8d,0xa5,0x77,0x5f,0x58,0xdb,0x97,0xf6,0x7a,0x18,0x52,0x15,0x74,0x25,0x62,0x2c,0x05,0xe8,0x0d,0x98,0x2a,0x43,0xe2,0xef,0x48,0x87,0x49,0x1c,0xca,0x2b,0xa7,0x8a,0x09,0x81,0xe7,0x53,0xaa,0xff,0x6f,0x8e,0x91,0xf1,0xf0,0xa4,0x46,0x3a,0x7d,0x54,0xeb,0x2f,0xc1,0xc0,0x0e,0xbd,0xe1,0x6c,0x64,0xbe,0xe4,0x02,0x3c,0x5a,0xa8,0x9f,0x37,0xaf,0xa0,0x13,0xed,0x1b,0xec,0x8b,0x3e,0x7e,0x27,0x99,0x75,0xab,0xfe,0xd9,0x3f,0xf3,0xea,0x70,0xf7,0x95,0xba,0x1d,0x40,0xb0,0xf9,0xe5,0xf8,0x06,0xbc,0xb6,0x03,0xc9,0x10,0x9c,0x2e,0x89,0x5c,0x7f,0xb1,0x1a,0xd6,0x90,0xae,0xda,0xe6,0x5e,0xb9,0x84,0xe9,0x55,0xbb,0xc7,0x0a,0xe0,0x66,0xf2,0xd8,0xcb,0x00,0x12,0xb8,0x17,0x94,0x6a,0x4a,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xc8,0x38,0xfd,0x8f,0xc4,0xf5,0xfc];
 
// Zero-filled buffer used to wipe the scratch area at 0x404220 between attempts.
const empty = new Array(0x10200).fill(0);
 
var count = 0;                  // index of the next candidate in burst to load
const table = ptr(0x404000);    // the 256-byte lookup table inside the target
const temp = ptr(0x404220);     // scratch area the check dirties; 0x10200 bytes are zeroed

/**
 * Load the next candidate table into the target and clear the scratch area.
 * Both the success and the failure hook call this, so every branch of the
 * check advances the search; once burst is exhausted the hooks are removed.
 * @param {InvocationContext} that - Frida hook context; unused (the eip
 *   redirect was dropped, the jump back is presumably patched in x64dbg instead)
 */
function reset(that) {
  if (count >= burst.length) {
    Interceptor.detachAll();
    return;
  }
  const candidate = burst[count];
  table.writeByteArray([...candidate, ...base_data]);
  temp.writeByteArray(empty);
  if (count % 1000 === 0) {
    console.log(count);
  }
  count += 1;
}
/**
 * Hook one branch target of the checker and move on to the next candidate
 * whenever it is hit. Inside onEnter, `this` is the Frida InvocationContext.
 * @param {number} address - absolute address of the hooked instruction
 * @param {() => void} [beforeReset] - optional callback run before reset()
 */
function hookBranch(address, beforeReset) {
  Interceptor.attach(ptr(address), {
    onEnter() {
      if (beforeReset) beforeReset();
      reset(this);
    },
  });
}

// 0x4016bc: the comparison succeeded. reset() already advanced count past the
// candidate that was just tested, so burst[count - 1] is the winning table head
// (count - 1 is -1 only if the untouched original table passes on the first hit).
hookBranch(0x4016bc, () => {
  console.log(count - 1, burst[count - 1]);
});

// 0x4017e5: the comparison failed; just load the next candidate.
hookBranch(0x4017e5);

第 12547 组排列命中成功分支: 75,109,40,140,251,210,30,163, 即 4B 6D 28 8C FB D2 1E A3
前面部分确定为 B4D682C8BF2DE13A (就是上面 8 个字节逐个高低 nibble 对调后的 hex: 4B→B4, 6D→D6, …)
图片描述
part2

# 256-entry substitution table used by trans() in part 2. Note that its first
# 8 entries are exactly the ciphertext bytes C defined below.
box=[0xc1,0x9b,0x7f,0x58,0x64,0xd5,0x77,0x21,0x74,0xeb,0x14,0xbf,0xdf,0x25,0x5a,0x37,
0x85,0x2c,0xaf,0x8c,0xda,0x26,0xe2,0x7a,0x87,0x4c,0x60,0x99,0x54,0x3c,0x95,0xc0,
0xb9,0x0c,0xbc,0x0e,0xe7,0x2d,0x86,0xbe,0x67,0xd3,0xd8,0xfc,0x30,0xb6,0xc8,0x57,
0x1e,0x62,0x3e,0xce,0xa0,0xcd,0xf5,0xee,0xa7,0xcf,0x45,0xfe,0xd0,0x80,0x05,0xad,
0x13,0xf3,0xb7,0x6b,0x22,0x2b,0xbd,0x69,0x42,0x4b,0xa5,0xea,0xa6,0xd2,0x6f,0x4f,
0x4e,0x07,0xe1,0x36,0x01,0xb5,0xaa,0xb1,0x94,0x0b,0x35,0x3a,0xc7,0x49,0x53,0x82,
0xc3,0x7b,0x32,0xff,0x19,0xc4,0xf1,0xc9,0xe8,0xf7,0x56,0x15,0xa3,0x46,0x89,0x43,
0x9d,0x8f,0x20,0xef,0xbb,0x2a,0xcb,0x09,0x93,0x4a,0x1c,0xe3,0x33,0xd1,0xe0,0x1d,
0x72,0x7c,0x27,0xe9,0x17,0x28,0x6d,0x6a,0xd9,0x00,0x9a,0xe5,0x63,0xde,0x23,0x9f,
0x0d,0x47,0x3b,0x65,0x08,0x84,0x6c,0x1a,0x88,0x12,0xa1,0xa4,0xb3,0x18,0x24,0x1b,
0xd7,0x44,0xdb,0xac,0x6e,0x7d,0x51,0x5e,0xed,0x50,0xd6,0x11,0x5b,0x9c,0xb4,0x68,
0x3d,0x2f,0x03,0x40,0xba,0x2e,0xca,0x02,0xe6,0xa8,0xec,0x83,0x06,0x5d,0xb8,0x4d,
0x97,0x66,0xf0,0xfb,0x8a,0x55,0xab,0xb2,0x04,0xfa,0x0a,0x31,0x71,0xcc,0x8b,0x73,
0xa9,0x48,0x5c,0xf9,0x98,0xe4,0xc6,0x34,0xc5,0x7e,0x81,0x75,0x90,0x1f,0x92,0x3f,
0x9e,0x10,0x29,0x52,0x39,0xf4,0x41,0x78,0x5f,0x16,0x79,0xc2,0xb0,0xdd,0xf2,0x61,
0x0f,0x70,0xd4,0x91,0xdc,0xf6,0xf8,0xfd,0x59,0x38,0x8d,0x96,0xae,0x8e,0x76,0xa2]
 
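def trans(num, k, table=None):
    """Run the 8-round part-2 transform on byte ``num`` driven by key byte ``k``.

    Round ``t`` (t = 0..7) inspects bit ``t`` of ``k``, least significant bit
    first: a set bit increments ``num`` modulo 256, a clear bit replaces it
    with ``table[num]``.

    :param num: input byte, 0..255
    :param k: key byte; only its low 8 bits are consulted
    :param table: 256-entry substitution table; defaults to the module-level ``box``
    :return: the transformed byte (0..255)
    """
    if table is None:
        table = box
    for t in range(8):
        if (k >> t) & 1:
            num = (num + 1) & 0xff
        else:
            num = table[num]
    return num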
 
C = [0xC1, 0x9B, 0x7F, 0x58, 0x64, 0xD5, 0x77, 0x21]   # the eight target bytes (== box[:8])
A = [0x47, 0x6F, 0x6F, 0x64, 0x4A, 0x6F, 0x62, 0x7E]   # b"GoodJob~"
# First and last expected bytes are bumped by one ('G' -> 'H', '~' -> 0x7F);
# presumably this mirrors how the binary compares them -- not verified here.
A[0] += 1
A[7] += 1

# For every position, find each key byte k with trans(C[i], k) == A[i] and
# print it with its nibbles swapped (low nibble first), consistent with the
# nibble-swapped hex decoding seen in part 1. Everything goes on one line.
for ciph, target in zip(C, A):
    hits = [k for k in range(256) if trans(ciph, k) == target]
    for k in hits:
        print("%.1X%.1X" % (k & 0xf, k >> 4), end='')

得出 D9B6AEF24A80CB22 (脚本已经按低 nibble 在前的顺序打印, 可直接拼接)
图片描述
B4D682C8BF2DE13AD9B6AEF24A80CB22

