首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
[原创]KCTF2021 第一题 write up
发表于: 2021-5-10 14:15 2473

[原创]KCTF2021 第一题 write up

顾言庭 活跃值
4
2021-5-10 14:15
2473

ida 打开直接看到main:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
.text:00401180                   ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:00401180                   _main:                        ; CODE XREF: __scrt_common_main_seh(void)+FA↓p
.text:00401180 55                push    ebp
.text:00401181 8B EC             mov     ebp, esp
.text:00401183 81 EC 48 02 00 00 sub     esp, 248h
.text:00401189 A1 04 40 40 00    mov     eax, ___security_cookie
.text:0040118E 33 C5             xor     eax, ebp
.text:00401190 89 45 FC          mov     [ebp-4], eax
.text:00401193 C6 85 F4 FE FF FF+mov     byte ptr [ebp-10Ch], 0
.text:0040119A 68 FF 00 00 00    push    0FFh
.text:0040119F 6A 00             push    0
.text:004011A1 8D 85 F5 FE FF FF lea     eax, [ebp-10Bh]
.text:004011A7 50                push    eax
.text:004011A8 E8 7B 0F 00 00    call    memset
.text:004011AD 83 C4 0C          add     esp, 0Ch
.text:004011B0 C6 85 F4 FD FF FF+mov     byte ptr [ebp-20Ch], 0
.text:004011B7 68 FF 00 00 00    push    0FFh
.text:004011BC 6A 00             push    0
.text:004011BE 8D 8D F5 FD FF FF lea     ecx, [ebp-20Bh]
.text:004011C4 51                push    ecx
.text:004011C5 E8 5E 0F 00 00    call    memset
.text:004011CA 83 C4 0C          add     esp, 0Ch
.text:004011CD 68 08 31 40 00    push    offset aKctf2021      ; "KCTF 2021 春季赛!\n"
.text:004011D2 E8 19 03 00 00    call    sub_4014F0
.text:004011D7 83 C4 04          add     esp, 4
.text:004011DA 68 1C 31 40 00    push    offset aHttpBbsPediyCo ; "http://bbs.pediy.com\n"
.text:004011DF E8 0C 03 00 00    call    sub_4014F0
.text:004011E4 83 C4 04          add     esp, 4
.text:004011E7 68 34 31 40 00    push    offset aPleaseInputYou ; "Please input your flag: "
.text:004011EC E8 FF 02 00 00    call    sub_4014F0
.text:004011F1 83 C4 04          add     esp, 4
.text:004011F4 68 00 01 00 00    push    100h
.text:004011F9 8D 95 F4 FE FF FF lea     edx, [ebp-10Ch]
.text:004011FF 52                push    edx
.text:00401200 68 50 31 40 00    push    offset aS             ; "%s"
.text:00401205 E8 96 02 00 00    call    sub_4014A0

x64dbg 动态调试,发现格式控制代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
004012BD                | 83BD D8FDFFFF 0C  | cmp dword ptr ss:[ebp-228],C                                   | C:'\f'
004012C4                | 74 15             | je kctf_crackme2021.4012DB                                     |
004012C6                | 68 54314000       | push kctf_crackme2021.403154                                   | 403154:"Try again!\n"
004012CB                | E8 20020000       | call kctf_crackme2021.4014F0                                   |
004012D0                | 83C4 04           | add esp,4                                                      |
004012D3                | 83C8 FF           | or eax,FFFFFFFF                                                |
004012D6                | E9 84010000       | jmp kctf_crackme2021.40145F                                    |
004012DB                | B8 01000000       | mov eax,1                                                      |
004012E0                | 6BC8 00           | imul ecx,eax,0                                                 |
004012E3                | 0FBE940D F4FEFFFF | movsx edx,byte ptr ss:[ebp+ecx-10C]                            |
004012EB                | 83FA 66           | cmp edx,66                                                     | 66:'f'
004012EE                | 0F85 59010000     | jne kctf_crackme2021.40144D                                    |
004012F4                | B8 01000000       | mov eax,1                                                      |
004012F9                | C1E0 00           | shl eax,0                                                      |
004012FC                | 0FBE8C05 F4FEFFFF | movsx ecx,byte ptr ss:[ebp+eax-10C]                            |
00401304                | 83F9 6C           | cmp ecx,6C                                                     | 6C:'l'
00401307                | 0F85 40010000     | jne kctf_crackme2021.40144D                                    |
0040130D                | BA 01000000       | mov edx,1                                                      |
00401312                | D1E2              | shl edx,1                                                      |
00401314                | 0FBE8415 F4FEFFFF | movsx eax,byte ptr ss:[ebp+edx-10C]                            |
0040131C                | 83F8 61           | cmp eax,61                                                     | 61:'a'
0040131F                | 0F85 28010000     | jne kctf_crackme2021.40144D                                    |
00401325                | B9 01000000       | mov ecx,1                                                      |
0040132A                | 6BD1 03           | imul edx,ecx,3                                                 |
0040132D                | 0FBE8415 F4FEFFFF | movsx eax,byte ptr ss:[ebp+edx-10C]                            |
00401335                | 83F8 67           | cmp eax,67                                                     | 67:'g'
00401338                | 0F85 0F010000     | jne kctf_crackme2021.40144D                                    |
0040133E                | B9 01000000       | mov ecx,1                                                      |
00401343                | C1E1 02           | shl ecx,2                                                      |
00401346                | 0FBE940D F4FEFFFF | movsx edx,byte ptr ss:[ebp+ecx-10C]                            |
0040134E                | 83FA 7B           | cmp edx,7B                                                     | 7B:'{'
00401351                | 0F85 F6000000     | jne kctf_crackme2021.40144D                                    |
00401357                | 8B85 D8FDFFFF     | mov eax,dword ptr ss:[ebp-228]                                 |
0040135D                | 0FBE8C05 F3FEFFFF | movsx ecx,byte ptr ss:[ebp+eax-10D]                            |
00401365                | 83F9 7D           | cmp ecx,7D                                                     | 7D:'}}'

构造flag{123456}作为输入再调试:

1
2
3
4
00401392                | BA 0C000000       | mov edx,C                                                      | C:'\f'
00401397                | 8D8D F4FEFFFF     | lea ecx,dword ptr ss:[ebp-10C]                                 |
0040139D                | E8 AEFCFFFF       | call kctf_crackme2021.401050    
                     |

这里将用户输入作为base64编码函数的参数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
char *__fastcall sub_401050(int a1, int a2)
{
  int v2; // ebx
  int v3; // edi
  int v4; // edx
  unsigned int v5; // esi
  int v7; // eax
  int v8; // edi
  char v9; // al
  int v10; // edi
  int v11; // [esp+Ch] [ebp-4h]
 
  v2 = a2;
  v11 = a1;
  v3 = 0;
  v4 = 0;
  v5 = 0;
  if ( !a1 )
    return 0;
  if ( !dword_404780 )
  {
    sub_401000(a1, 0);
    a1 = v11;
  }
  if ( v2 )
  {
    do
    {
      --v2;
      if ( v5 >= 0x1FFB )
        break;
      v7 = *(unsigned __int8 *)a1;
      ++v4;
      ++a1;
      v8 = v7 + v3;
      if ( v4 == 3 )
      {
        byte_404788[v5] = byte_403188[v8 >> 18];
        byte_404789[v5] = byte_403188[(v8 >> 12) & 0x3F];
        LOBYTE(word_40478A[v5 / 2]) = byte_403188[(v8 >> 6) & 0x3F];
        v9 = byte_403188[v8 & 0x3F];
        v3 = 0;
        HIBYTE(word_40478A[v5 / 2]) = v9;
        v5 += 4;
        v4 = 0;
      }
      else
      {
        v3 = v8 << 8;
      }
    }
    while ( v2 );
    if ( v4 )
    {
      a1 = 8 * (2 - v4);
      v10 = v3 << a1;
      byte_404788[v5] = byte_403188[v10 >> 18];
      byte_404789[v5] = byte_403188[(v10 >> 12) & 0x3F];
      if ( v4 == 1 )
      {
        word_40478A[v5 / 2] = 15677;
      }
      else
      {
        LOBYTE(word_40478A[v5 / 2]) = byte_403188[(v10 >> 6) & 0x3F];
        *(_BYTE *)(v5 + 4212619) = 61;
      }
      v5 += 4;
    }
    if ( v5 >= 0x2000 )
    {
      __report_rangecheckfailure(a1);
      JUMPOUT(unk_40117B);
    }
  }
  byte_404788[v5] = 0;
  return byte_404788;
}

答案很明显了:

1
2
3
4
>>> import base64
>>> base64.b64decode('ZmxhZ3trYW54dWV9')
b'flag{kanxue}'
>>>

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//