-
-
[原创]看雪.京东 2018CTF第十五题 智能设备 writeup
-
2018-7-15 14:37
-
题目给出了一个完整的qemu环境。
跑起来看看,发现要输入key。
于是先定位这个要求输入key的程序。
$ mkdir test $ sudo mount -t ext3 -o loop ./a9rootfs test $ sudo rg -a "key:" bin/sh 5600:0CS40pPD4P@ 0S:?:0UU 0p0 X 2@-0123456789ABCDEFFDB08642ECA9753113579BDF02468ACE0369CF258BE147ADFA50B61C72D83E94please input your key:%100sC1371DA51A9030079E21DCDC5B78E38563872139C13F6F5B7B541D49541B0847551A16435D060D0A66%s%s%c
把sh载入IDA分析,搜字符串,找到入口点为0x11374,如下图。
动态调试即可发现满足break出while循环那个条件即为正解。
主要的加密函数就是图中标注的hash2。如下图,函数功能比较简单,基本就是unhex和enhex,结合简单的单表替换,故均可逆。
func1比较冗长,动态调试发现好像没干什么事,就此忽略。
于是编写出这些编码函数的解码函数,
from pwn import *
v9 = unhex("C1371DA51A9030079E21DCDC5B78E38563872139C13F6F")
def dexor(s):
ret = s[0]
for i in range(1, len(s)):
ret += xor(s[i], s[i-1])
ret = ret[::-1]
return ret
def deunhex1(s):
dic = "13579BDF02468ACE"
s = enhex(s)
s = [int(i, 16) for i in s]
s = ''.join([dic[i] for i in s])
return s
def deunhex2(s):
dic = "FA50B61C72D83E94"
s = enhex(s)
s = [int(i, 16) for i in s]
s = ''.join([dic[i] for i in s])
ret = ''
for i in range(0, len(s)/2):
ret += s[2*i+1]
ret += s[2*i]
return ret
def deenhex1(s):
ret = ''
dic = "FDB08642ECA97531"
for i in s:
ret += hex(dic.index(i))[2:]
return unhex(ret)
def deenhex2(s):
ret = ''
dic = "0369CF258BE147AD"
for i in s:
ret += hex(dic.index(i))[2:]
return unhex(ret)
print deenhex1(deunhex1(dexor(deenhex2(deunhex2(dexor(deenhex1(deunhex2(dexor(deenhex2(deunhex1(dexor(v9))))))))))))
得到答案为2018ctf0520pediy1314yyp,提交发现不对。然后再动态跑一下,输入这个key,
$ qemu-arm ./sh please input your key:2018ctf0520pediy1314yyp flag:you got it [B1732120572455BAFD30F062F9C49A8A996A8A9DDB4283] you have a chance to exploit it: qweoijqwjq : applet not found
提交B1732120572455BAFD30F062F9C49A8A996A8A9DDB4283对了。
这里看起来是可以通过busybox执行命令了,对应逻辑如图。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
