[Original] Kanxue (看雪) · JD 2018 CTF, problem 15 "Smart Device" (智能设备) writeup
2018-7-15 14:37
The challenge ships a complete qemu environment.
Booting it shows that it asks for a key.
So the first step is to locate the program that prompts for the key.
```
$ mkdir test
$ sudo mount -t ext3 -o loop ./a9rootfs test
$ sudo rg -a "key:" bin/sh
```

The match is a binary line; the readable fragments in it are (the 80-character run of hex digits is split here at the 16-character table boundaries that the decoder uses):

```
0123456789ABCDEF
FDB08642ECA97531
13579BDF02468ACE
0369CF258BE147AD
FA50B61C72D83E94
please input your key:%100s
C1371DA51A9030079E21DCDC5B78E38563872139C13F6F5B7B541D49541B0847551A16435D060D0A66%s%s%c
```
Load sh into IDA, search for the string, and the relevant entry point is at 0x11374, as shown in the figure below.
Dynamic debugging shows that whatever input satisfies the condition for the `break` out of the while loop is the correct key.
The main encryption function is the one labeled hash2 in the figure. As the next figure shows, it is quite simple: essentially unhex and enhex combined with a simple single-table substitution, so every step is invertible.
func1 is long-winded, but under the debugger it does not appear to do anything relevant, so it is ignored.
So I wrote the inverse of each of these encoding functions:
```python
# Python 2 + pwntools, as posted (unhex, enhex and xor come from pwn)
from pwn import *

# stored digest: first 23 bytes of the long hex string found in bin/sh
v9 = unhex("C1371DA51A9030079E21DCDC5B78E38563872139C13F6F")

def dexor(s):
    # undo the running XOR (each byte was XORed with the previous output byte), then reverse
    ret = s[0]
    for i in range(1, len(s)):
        ret += xor(s[i], s[i-1])
    ret = ret[::-1]
    return ret

def deunhex1(s):
    # inverse of the binary's unhex1: write each nibble with its 16-character alphabet
    dic = "13579BDF02468ACE"
    s = enhex(s)
    s = [int(i, 16) for i in s]
    s = ''.join([dic[i] for i in s])
    return s

def deunhex2(s):
    # inverse of unhex2: same idea with a second alphabet, then swap every pair of characters
    dic = "FA50B61C72D83E94"
    s = enhex(s)
    s = [int(i, 16) for i in s]
    s = ''.join([dic[i] for i in s])
    ret = ''
    for i in range(0, len(s)/2):
        ret += s[2*i+1]
        ret += s[2*i]
    return ret

def deenhex1(s):
    # inverse of enhex1: map each character back to its index in the alphabet, then unhex
    ret = ''
    dic = "FDB08642ECA97531"
    for i in s:
        ret += hex(dic.index(i))[2:]
    return unhex(ret)

def deenhex2(s):
    # inverse of enhex2, with the fourth alphabet
    ret = ''
    dic = "0369CF258BE147AD"
    for i in s:
        ret += hex(dic.index(i))[2:]
    return unhex(ret)

# apply the inverses in reverse order of the binary's four rounds
print deenhex1(deunhex1(dexor(deenhex2(deunhex2(dexor(deenhex1(deunhex2(dexor(deenhex2(deunhex1(dexor(v9))))))))))))
```
This gives 2018ctf0520pediy1314yyp, but submitting it as the flag is rejected. Running the binary again and entering this key:
```
$ qemu-arm ./sh
please input your key:2018ctf0520pediy1314yyp
flag:you got it [B1732120572455BAFD30F062F9C49A8A996A8A9DDB4283]
you have a chance to exploit it: qweoijqwjq : applet not found
```
Submitting B1732120572455BAFD30F062F9C49A8A996A8A9DDB4283 is accepted.
The second prompt looks like it lets you run commands through busybox (the junk name entered above is reported as "applet not found"); the corresponding logic is shown in the figure.
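As an added check, here is a pwntools-free Python 3 reimplementation of hash2 in both directions. It is my own code, not the author's decoder above and not the binary's: the four alphabets are the strings recovered from bin/sh, the round order and the per-round character swap are the ones the decoder above inverts, and the names (enhex_t, unhex_t, xor_chain, ROUNDS, hash2, unhash2) are mine. The useful thing it adds is the forward direction: hashing 2018ctf0520pediy1314yyp reproduces the stored digest byte for byte, which confirms the key is right independently of the debugger, and it shows why the scheme is invertible at all, since each enhex/unhex pair collapses to a fixed nibble S-box (plus a nibble swap in two of the rounds) and the XOR step is a reversible running XOR.

```python
"""Pure-Python 3 model of the sh binary's hash2 (added example, not the author's code).

The four 16-character alphabets are the strings recovered from bin/sh; the round order,
the per-round nibble swap and the XOR chain are the ones the writeup's decoder inverts.
Function and constant names here are my own.
"""

TABLE_A = "13579BDF02468ACE"  # alphabet consumed by the binary's unhex1
TABLE_B = "FDB08642ECA97531"  # alphabet produced by its enhex1
TABLE_C = "0369CF258BE147AD"  # alphabet produced by its enhex2
TABLE_D = "FA50B61C72D83E94"  # alphabet consumed by its unhex2

# (enhex alphabet, unhex alphabet, swap the two chars of each byte) per round, in
# encryption order.  Every round is followed by xor_chain().
ROUNDS = [
    (TABLE_B, TABLE_A, False),
    (TABLE_C, TABLE_D, True),
    (TABLE_B, TABLE_D, True),
    (TABLE_C, TABLE_A, False),
]


def enhex_t(data: bytes, table: str) -> str:
    """Custom 'enhex': emit table[hi] table[lo] for every byte."""
    return "".join(table[b >> 4] + table[b & 0xF] for b in data)


def unhex_t(text: str, table: str, swap: bool) -> bytes:
    """Custom 'unhex': map each char back to its index in table and pack two per byte.
    swap=True reads the two chars of each byte in reverse order (the unhex2 variant)."""
    if len(text) % 2:
        raise ValueError("odd-length input")
    out = bytearray()
    for i in range(0, len(text), 2):
        hi, lo = text[i], text[i + 1]
        if swap:
            hi, lo = lo, hi
        out.append((table.index(hi) << 4) | table.index(lo))
    return bytes(out)


def xor_chain(data: bytes) -> bytes:
    """Reverse the buffer, then replace each byte with the running XOR of the bytes so far."""
    rev = data[::-1]
    out = bytearray(rev[:1])
    for b in rev[1:]:
        out.append(out[-1] ^ b)
    return bytes(out)


def unxor_chain(data: bytes) -> bytes:
    """Inverse of xor_chain: XOR adjacent bytes, then reverse (the writeup's dexor)."""
    out = bytearray(data[:1])
    for i in range(1, len(data)):
        out.append(data[i] ^ data[i - 1])
    return bytes(out[::-1])


def round_forward(data: bytes, enc: str, dec: str, swap: bool) -> bytes:
    """One substitution round: enhex with one alphabet, unhex with another.
    The net effect per nibble is a fixed S-box, plus a nibble swap when swap=True."""
    return unhex_t(enhex_t(data, enc), dec, swap)


def round_inverse(data: bytes, enc: str, dec: str, swap: bool) -> bytes:
    """Undo round_forward: re-encode with the unhex alphabet, undo the swap, decode with the enhex alphabet."""
    text = enhex_t(data, dec)
    if swap:
        text = "".join(text[i + 1] + text[i] for i in range(0, len(text), 2))
    return unhex_t(text, enc, False)


def hash2(key: bytes) -> bytes:
    """Forward direction, i.e. what the binary computes before comparing with its stored digest."""
    data = key
    for enc, dec, swap in ROUNDS:
        data = xor_chain(round_forward(data, enc, dec, swap))
    return data


def unhash2(digest: bytes) -> bytes:
    """Inverse direction: the writeup's decoder chain, one round at a time."""
    data = digest
    for enc, dec, swap in reversed(ROUNDS):
        data = round_inverse(unxor_chain(data), enc, dec, swap)
    return data


# Digest embedded in bin/sh (the first 23 bytes of the long hex string found there).
STORED_DIGEST = bytes.fromhex("C1371DA51A9030079E21DCDC5B78E38563872139C13F6F")

if __name__ == "__main__":
    key = unhash2(STORED_DIGEST)
    print(key.decode())                 # 2018ctf0520pediy1314yyp
    print(hash2(key) == STORED_DIGEST)  # True
```

Because every round is a bijection on bytes, unhash2 works for any digest length, and the only way to be wrong about the key is to be wrong about the alphabets or the round order; the forward check against STORED_DIGEST catches either mistake immediately, which is cheaper than stepping through four rounds in the debugger again.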