HITCON-train

| | 浏览
Words count in article: 362 字 | Reading time ≈ 1 分钟

lab1

先看看保护机制

1562811133517

打开了部分可读,而就是可以进行溢出覆盖,打开了栈溢出保护,而且NX打开,不可执行,地址随机化没有打开

现在可以用ida打开看看文件,是32位的,所以就可以直接在ida.exe里面打开

找到mian函数,反编译以下:

1562813207401

看到关键函数get_flag():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
v67 = __readgsdword(0x14u);
  v54 = 'y_oD';
  v55 = 'k_uo';
  v56 = '_won';
  v57 = '_yhw';
  v58 = 't_ym';
  v59 = 'mmae';
  v60 = '_eta';
  v61 = 'narO';
  v62 = 'i_eg';
  v63 = 'os_s';
  v64 = 'gna_';
  v65 = '??yr';
  v66 = '?';
  v5 = 7;
  v6 = 59;
  v7 = 25;
  v8 = 2;
  v9 = 11;
  v10 = 16;
  v11 = 61;
  v12 = 30;
  v13 = 9;
  v14 = 8;
  v15 = 18;
  v16 = 45;
  v17 = 40;
  v18 = 89;
  v19 = 10;
  v20 = 0;
  v21 = 30;
  v22 = 22;
  v23 = 0;
  v24 = 4;
  v25 = 85;
  v26 = 22;
  v27 = 8;
  v28 = 31;
  v29 = 7;
  v30 = 1;
  v31 = 9;
  v32 = 0;
  v33 = 126;
  v34 = 28;
  v35 = 62;
  v36 = 10;
  v37 = 30;
  v38 = 11;
  v39 = 107;
  v40 = 4;
  v41 = 66;
  v42 = 60;
  v43 = 44;
  v44 = 91;
  v45 = 49;
  v46 = 85;
  v47 = 2;
  v48 = 30;
  v49 = 33;
  v50 = 16;
  v51 = 76;
  v52 = 30;
  v53 = 66;
  fd = open("/dev/urandom", 0);
  read(fd, &buf, 4u);
  printf("Give me maigc :");
  __isoc99_scanf("%d", &v2);
  if ( buf == v2 )
  {
    for ( i = 0; i <= 0x30; ++i )
      putchar((char)(*(&v5 + i) ^ *((_BYTE *)&v54 + i)));
  }
  return __readgsdword(0x14u) ^ v67;
}

根据这个可以直接进行逆向:

1
2
3
4
5
6
7
#-*-encoding=utf-8-*-
K = "Do_you_know_why_my_teammate_Orange_is_so_angry???"
C = [7, 59, 25, 2, 11, 16, 61, 30, 9, 8, 18, 45, 40, 89, 10, 0, 30, 22, 0, 4, 85, 22, 8, 31, 7, 1, 9, 0, 126, 28, 62, 10, 30, 11, 107, 4, 66, 60, 44, 91, 49, 85, 2, 30, 33, 16, 76, 30, 66]
print("sizeof(C):",len(C))
print("sizeof(K):",len(K))
for i in range(len(K)):
    print(chr(C[i]^ord(K[i])),end="")

lab2

-------------本文结束感谢您的阅读-------------
0%