#re刷題第五天
補交一下昨天刷題的WP,今天要打護網杯就不刷題了,最近工作太忙了,有時間總結一下最近開發學到的知識
0x00 re1-100
考察點:進程間通信,靜態調式,反反調試
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
__pid_t v3; // eax
size_t v4; // rax
ssize_t v5; // rbx
bool v6; // al
bool bCheckPtrace; // [rsp+13h] [rbp-1BDh]
ssize_t numRead; // [rsp+18h] [rbp-1B8h]
ssize_t numReada; // [rsp+18h] [rbp-1B8h]
char bufWrite[200]; // [rsp+20h] [rbp-1B0h]
char bufParentRead[200]; // [rsp+F0h] [rbp-E0h]
unsigned __int64 v12; // [rsp+1B8h] [rbp-18h]
v12 = __readfsqword(0x28u);
bCheckPtrace = detectDebugging();
if ( pipe(pParentWrite) == -1 )
exit(1);
if ( pipe(pParentRead) == -1 )
exit(1);
v3 = fork();
if ( v3 != -1 )
{
if ( v3 )
{
close(pParentWrite[0]);
close(pParentRead[1]);
while ( 1 )
{
printf("Input key : ");
memset(bufWrite, 0, 0xC8uLL);
gets(bufWrite);
v4 = strlen(bufWrite);
v5 = write(pParentWrite[1], bufWrite, v4);
if ( v5 != strlen(bufWrite) )
printf("parent - partial/failed write");
do
{
memset(bufParentRead, 0, 0xC8uLL);
numReada = read(pParentRead[0], bufParentRead, 0xC8uLL);
v6 = bCheckPtrace || checkDebuggerProcessRunning();
if ( v6 )
{
puts("Wrong !!!\n");
}
else if ( !checkStringIsNumber(bufParentRead) )
{
puts("Wrong !!!\n");
}
else
{
if ( atoi(bufParentRead) )
{
puts("True");
if ( close(pParentWrite[1]) == -1 )
exit(1);
exit(0);
}
puts("Wrong !!!\n");
}
}
while ( numReada == -1 );
}
}
close(pParentWrite[1]);
close(pParentRead[0]);
while ( 1 )
{
memset(bufParentRead, 0, 0xC8uLL);
numRead = read(pParentWrite[0], bufParentRead, 0xC8uLL);
if ( numRead == -1 )
break;
if ( numRead )
{
if ( childCheckDebugResult() )
{
responseFalse();
}
else if ( bufParentRead[0] == '{' )
{
if ( strlen(bufParentRead) == 42 )
{
if ( !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL) )
{
if ( bufParentRead[strlen(bufParentRead) - 1] == '}' )
{
if ( !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL) )
{
if ( !confuseKey(bufParentRead, 42) )
{
responseFalse();
}
else if ( !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
{
responseTrue();
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
}
exit(1);
}
exit(1);
}
看下主函數,程序fork了一個子進程進行check,主進程主要用來反調試和輸入輸出,程序創建了兩個管道進行父子進程的通信。
這裏是我們要關注的點,在confusekey中,對輸入進行了位置變換,跟進一下
就是這個地方,我們可以看出來是分成了四個部分進行位置變換,其實準確來說就是兩個部分,前後對調了一下,我們直接將它對調回去,就會得到flag。
ps:注意只提交大括號裏邊的內容
0x01 The Maya Society
考察點:md5,dns,base64,還有腦洞?
題目給了個文件夾,我們把launcher載入IDA,看下main函數
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
size_t v3; // rbx
size_t v4; // rax
size_t v6; // rax
size_t v7; // rax
__int64 v8; // rdi
time_t timer; // [rsp+18h] [rbp-128h]
char v10[8]; // [rsp+20h] [rbp-120h]
char src; // [rsp+40h] [rbp-100h]
char s; // [rsp+60h] [rbp-E0h]
__int64 v13; // [rsp+C8h] [rbp-78h]
char v14; // [rsp+D4h] [rbp-6Ch]
char v15; // [rsp+DDh] [rbp-63h]
char v16; // [rsp+E6h] [rbp-5Ah]
char v17; // [rsp+EFh] [rbp-51h]
void (__fastcall *v18)(__int64); // [rsp+F8h] [rbp-48h]
__int64 v19; // [rsp+100h] [rbp-40h]
char *v20; // [rsp+108h] [rbp-38h]
char *dest; // [rsp+110h] [rbp-30h]
int *v22; // [rsp+118h] [rbp-28h]
size_t v23; // [rsp+120h] [rbp-20h]
struct tm *tp; // [rsp+128h] [rbp-18h]
strcpy(v10, ".fluxfingers.net");
timer = time(0LL);
tp = localtime(&timer);
strftime(&s, 0x63uLL, "%Y-%m-%d", tp);
v23 = strlen(&s);
sub_B5A(&s, v23);
v22 = &dword_2030B8;
snprintf(
&v17,
9uLL,
"%02x%02x%02x%02x",
(unsigned __int8)dword_2030B8,
BYTE1(dword_2030B8),
BYTE2(dword_2030B8),
HIBYTE(dword_2030B8));
v22 = &dword_2030C0;
snprintf(
&v16,
9uLL,
"%02x%02x%02x%02x",
(unsigned __int8)dword_2030C0,
BYTE1(dword_2030C0),
BYTE2(dword_2030C0),
HIBYTE(dword_2030C0));
v22 = &dword_2030B4;
snprintf(
&v15,
9uLL,
"%02x%02x%02x%02x",
(unsigned __int8)dword_2030B4,
BYTE1(dword_2030B4),
BYTE2(dword_2030B4),
HIBYTE(dword_2030B4));
v22 = &dword_2030BC;
snprintf(
&v14,
9uLL,
"%02x%02x%02x%02x",
(unsigned __int8)dword_2030BC,
BYTE1(dword_2030BC),
BYTE2(dword_2030BC),
HIBYTE(dword_2030BC));
snprintf(&src, 0x21uLL, "%s%s%s%s", &v17, &v16, &v15, &v14);
v3 = strlen(&src);
v4 = strlen(v10);
dest = (char *)malloc(v3 + v4 + 1);
if ( !dest )
return 1LL;
*dest = 0;
strcat(dest, &src);
strcat(dest, v10);
v20 = (char *)sub_18A4(dest);
if ( !v20 )
return 1LL;
v6 = strlen(v20);
v19 = sub_15E0(v20, v6, &v13);
v7 = strlen(v20);
v18 = (void (__fastcall *)(__int64))sub_15E0(v20, v7, &v13);
if ( !v19 )
return 1LL;
v8 = v19;
sub_1858(v19, v13, v18);
v18(v8);
return 0LL;
}
簡單的分析一下,代碼並不難,就是程序獲取了一下本地的時間,轉換爲YYYY-MM-DD的形式,然後md5加密,將($md5).fluxfingers.net這種形式拼接,做dns請求。
*)(__int64))sub_15E0(v20, v7, &v13);
if ( !v19 )
return 1LL;
v8 = v19;
sub_1858(v19, v13, v18);
v18(v8);
return 0LL;
}
簡單的分析一下,代碼並不難,就是程序獲取了一下本地的時間,轉換爲YYYY-MM-DD的形式,然後md5加密,將($md5).fluxfingers.net這種形式拼接,做dns請求。
這裏有一個腦洞。。。日期是一個問題,我們看到html上有一個2012的年份,難道要366天跑一遍?這是我最初的想法,但在寫腳本時候碰到一個問題,異常處理出了問題,只能看了下其他師傅的wp,發現提示就是題目名稱。maya預言2012-12-21是世界末日,所以日期就爲2012-12-21,修改下系統日期運行就會得到flag