re刷題第八天

re刷題第八天

---

0x00 Reversing-x64Elf-100

載入IDA，找到關鍵代碼

__int64 __fastcall sub_4006FD(__int64 a1)
{
  int i; // [rsp+14h] [rbp-24h]
  const char *v3; // [rsp+18h] [rbp-20h]
  const char *v4; // [rsp+20h] [rbp-18h]
  const char *v5; // [rsp+28h] [rbp-10h]

  v3 = "Dufhbmf";
  v4 = "pG`imos";
  v5 = "ewUglpt";
  for ( i = 0; i <= 11; ++i )
  {
    if ( (&v3)[i % 3][2 * (i / 3)] - *(i + a1) != 1 )
      return 1LL;
  }
  return 0LL;
}

發現是一個二維數組，稍微看一下字符的順序就知道是每隔一列按照從上到下排列，寫出腳本即可得到flag

cipher = 'Dpef`Ubmlfst'
flag = ''

for i in range(len(cipher)):
	flag += chr(ord(cipher[i]) - 1)
print flag

0x01 zorropub

int __fastcall main(__int64 a1, char **a2, char **a3)
{
  size_t v3; // rax
  int v5; // [rsp+1Ch] [rbp-104h]
  int v6; // [rsp+20h] [rbp-100h]
  int i; // [rsp+24h] [rbp-FCh]
  unsigned int seed; // [rsp+28h] [rbp-F8h]
  unsigned int v9; // [rsp+2Ch] [rbp-F4h]
  char v10; // [rsp+30h] [rbp-F0h]
  char v11[16]; // [rsp+90h] [rbp-90h]
  char v12[32]; // [rsp+A0h] [rbp-80h]
  char s; // [rsp+C0h] [rbp-60h]
  char s1[40]; // [rsp+E0h] [rbp-40h]
  unsigned __int64 v15; // [rsp+108h] [rbp-18h]

  v15 = __readfsqword(0x28u);
  seed = 0;
  puts("Welcome to Pub Zorro!!");
  printf("Straight to the point. How many drinks you want?");
  __isoc99_scanf("%d", &v5);
  if ( v5 <= 0 )
  {
    printf("You are too drunk!! Get Out!!");
    exit(-1);
  }
  printf("OK. I need details of all the drinks. Give me %d drink ids:", (unsigned int)v5);
  for ( i = 0; i < v5; ++i )
  {
    __isoc99_scanf("%d", &v6);
    if ( v6 <= 16 || v6 > 0xFFFF )
    {
      puts("Invalid Drink Id.");
      printf("Get Out!!");
      exit(-1);
    }
    seed ^= v6;
  }
  i = seed;
  v9 = 0;
  while ( i )
  {
    ++v9;
    i &= i - 1;
  }
  if ( v9 != 10 )
  {
    puts("Looks like its a dangerous combination of drinks right there.");
    puts("Get Out, you will get yourself killed");
    exit(-1);
  }
  srand(seed);
  MD5_Init((__int64)&v10);
  for ( i = 0; i <= 29; ++i )
  {
    v9 = rand() % 1000;
    sprintf(&s, "%d", v9);
    v3 = strlen(&s);
    MD5_Update(&v10, &s, v3);
    v12[i] = v9 ^ LOBYTE(dword_6020C0[i]);
  }
  v12[i] = 0;
  MD5_Final((__int64)v11, (__int64)&v10);
  for ( i = 0; i <= 15; ++i )
    sprintf(&s1[2 * i], "%02x", (unsigned __int8)v11[i]);
  if ( strcmp(s1, "5eba99aff105c9ff6a1a913e343fec67") )
  {
    puts("Try different mix, This mix is too sloppy");
    exit(-1);
  }
  return printf("\nYou choose right mix and here is your reward: The flag is nullcon{%s}\n", v12);
}

邏輯還是很清晰的，首先讓輸入drunk的個數，個數沒有要求，然後n個drunk的id，將id異或到一起爲seed，id要求大於16小於等於65535。並且send經過下邊的運算需要滿足v9>=10

while ( i )
{
    ++v9;
    i &= i - 1;
}
if ( v9 != 10 )

將seed作爲種子，隨機取餘1000，循環30次，將循環30次的結果拼接到一起做md5，與5eba99aff105c9ff6a1a913e343fec67做比較，驗證通過即可得到flag

分析完算法，感覺這題只能用爆破了，我這裏是用的pwntools爆破的，看了下網上師傅們的爆破腳本，受益頗多

from pwn import *

num = []
for i in range(65535):
        tmp = i
        j = 0
        while i:
                i = i & (i-1)
                j = j + 1
        if j == 10:
                num.append(tmp)

context.arch='amd64'
i = 0
while(1):
        p = process('./3a')

        p.recv()

        p.sendline('1')
        p.sendline(str(num[i]))
        ret = p.recv()
        if 'flag' in ret:
                print 'ids: '+str(num[i])
                raw_input()
        i = i + 1
        p.close()

0x03 Refer

https://github.com/ctfs/write-ups-2016/tree/master/nullcon-hackim-2016/re/zorropub-100