-
-
[原创]inctf-noodes
-
发表于: 2021-8-18 18:22 9759
-
这个题算是诈胡出来的
参考链接:
https://linux.die.net/man/7/inotify
https://zh.wikipedia.org/wiki/Inotify
这个感觉和git有点点像, 监控文件的变动, 变动会生成事件
这里涉及的事件
这里4字节长度刚好对应index += ((_DWORD )byte + 3) + 16;的加16
除了2,3不能有名称之外都有2字节的名称
这里的字符串没有新建操作, 前面的文件初始化已经完成了(监控开启之前)
注意:df之后不能再打开文件, 否则会出现新建操作,(这里有一处就是这样df之后才mf的, 这里应该再df之前就打开, 我把这个操作放在了最前面, mf之前和cw之前一定要打开文件指针, 打开操作只需要一次, (mf, cw相同的文件只打开一次, 每次mf都会有cw收尾), exit会关闭所有的文件指针(这里也会被记录, 后打开的先关闭)
生成输入脚本: (因为mf操作不多, 我就直接手动删除多余的新建操作, 最后再加个8)
得到1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN1Bl31Lx31Pd31JH311V3221Xt219321uj21Cx2221Xl21EZ221KP28
最后输入发现有错误, 调试之后发现, 从SafVR之后开始, 这里完全倒了过来,
要求的s1:mfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\xcw=7cwyncwG|cwThcwNLcw\pcwI^cw5ZcwOT
生成的s1:mf5Zcw5ZmfNLcwNLcw\xcw=7cwyncwG|mfThcwThmfP|cwP|cw\pcwI^mfFpcwFpcwOT
具体调试了函数之后(前面有一个闹钟记得patch掉), 这里mf之后并没有把字符串写入, 是在fclose文件指针之后把文件修改, 那到底怎么连续修改之后再关闭文件指针呢, 这里我试了一下exit来关闭文件指针,把输入后面改成:
1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN(这里开始修改)
1KP11V31EZ1Xl1JH31Pd31Cx1uj1931Xt1Lx31Bl38, 成功得到flag
if
( !strcmp(
s1,
"dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
"Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
"f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
"f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT"
) )
if
( !strcmp(
s1,
"dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
"Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
"f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
"f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT"
) )
v45
=
__readfsqword(
0x28u
);
index
=
0
;
s_index
=
0
;
sub_55D31246E16A();
sub_55D31246E1FA();
fd
=
inotify_init();
/
/
初始化一个 inotify 实例
if
( fd <
0
)
perror(
"inotify_init"
);
sub_55D31246E4B7(
"/tmp/chall/"
);
/
/
初始化文件
wd
=
inotify_add_watch(fd,
"/tmp/chall/"
,
0x33Fu
);
/
/
将监视添加到初始化的 inotify 实例
pid
=
fork();
/
/
新建进程
if
( !pid )
sub_55D31246E668(
"/tmp/chall/"
);
/
/
用户输入处理,文件变动
if
( waitpid(pid, &stat_loc,
0
)
=
=
-
1
)
{
perror(
"waitpid failed\n"
);
goto LABEL_35;
}
v40
=
BYTE1(stat_loc);
printf(
"%d"
, BYTE1(stat_loc));
v45
=
__readfsqword(
0x28u
);
index
=
0
;
s_index
=
0
;
sub_55D31246E16A();
sub_55D31246E1FA();
fd
=
inotify_init();
/
/
初始化一个 inotify 实例
if
( fd <
0
)
perror(
"inotify_init"
);
sub_55D31246E4B7(
"/tmp/chall/"
);
/
/
初始化文件
wd
=
inotify_add_watch(fd,
"/tmp/chall/"
,
0x33Fu
);
/
/
将监视添加到初始化的 inotify 实例
pid
=
fork();
/
/
新建进程
if
( !pid )
sub_55D31246E668(
"/tmp/chall/"
);
/
/
用户输入处理,文件变动
if
( waitpid(pid, &stat_loc,
0
)
=
=
-
1
)
{
perror(
"waitpid failed\n"
);
goto LABEL_35;
}
v40
=
BYTE1(stat_loc);
printf(
"%d"
, BYTE1(stat_loc));
size
=
read(fd, buf,
0x8000uLL
);
if
( size <
0
)
perror(
"read"
);
while
( index < size )
{
byte
=
&buf[index];
if
( !
*
((_DWORD
*
)byte
+
3
) )
goto LABEL_30;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x100
) !
=
0
)
/
/
IN_CREATE
{
v3
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
/
/
IN_ISDIR
{
+
+
s_index;
s1[v3]
=
'c'
;
v4
=
s_index
+
+
;
s1[v4]
=
'd'
;
}
else
{
+
+
s_index;
s1[v3]
=
'c'
;
v5
=
s_index
+
+
;
s1[v5]
=
'f'
;
}
LABEL_26:
v23
=
byte[
16
]
+
4
;
v24
=
s_index
+
+
;
s1[v24]
=
v23;
v25
=
byte[
17
]
+
4
;
v26
=
s_index
+
+
;
s1[v26]
=
v25;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x200
) !
=
0
)
/
/
IN_DELETE
{
v6
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
{
+
+
s_index;
s1[v6]
=
'd'
;
v7
=
s_index
+
+
;
s1[v7]
=
'd'
;
}
else
{
+
+
s_index;
s1[v6]
=
'd'
;
v8
=
s_index
+
+
;
s1[v8]
=
'f'
;
}
goto LABEL_26;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
8
) !
=
0
)
/
/
IN_CLOSE_WRITE
{
v9
=
s_index
+
+
;
s1[v9]
=
'c'
;
v10
=
s_index
+
+
;
s1[v10]
=
'w'
;
v11
=
byte[
16
]
+
4
;
v12
=
s_index
+
+
;
s1[v12]
=
v11;
v13
=
byte[
17
]
+
4
;
v14
=
s_index
+
+
;
s1[v14]
=
v13;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
1
) !
=
0
)
/
/
IN_ACCESS
{
v15
=
s_index
+
+
;
s1[v15]
=
'a'
;
v16
=
s_index
+
+
;
s1[v16]
=
'c'
;
v17
=
byte[
16
]
+
4
;
v18
=
s_index
+
+
;
s1[v18]
=
v17;
v19
=
byte[
17
]
+
4
;
v20
=
s_index
+
+
;
s1[v20]
=
v19;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
4
) !
=
0
)
/
/
IN_ATTRIB
{
v21
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
{
+
+
s_index;
s1[v21]
=
'a'
;
v22
=
s_index
+
+
;
s1[v22]
=
'd'
;
}
else
{
+
+
s_index;
s1[v21]
=
'a'
;
v27
=
s_index
+
+
;
s1[v27]
=
'f'
;
}
goto LABEL_26;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
2
) !
=
0
)
/
/
IN_MODIFY
{
v28
=
s_index
+
+
;
s1[v28]
=
'm'
;
v29
=
s_index
+
+
;
s1[v29]
=
'f'
;
v30
=
byte[
16
]
+
4
;
v31
=
s_index
+
+
;
s1[v31]
=
v30;
v32
=
byte[
17
]
+
4
;
v33
=
s_index
+
+
;
s1[v33]
=
v32;
}
LABEL_30:
index
+
=
*
((_DWORD
*
)byte
+
3
)
+
16
;
}
size
=
read(fd, buf,
0x8000uLL
);
if
( size <
0
)
perror(
"read"
);
while
( index < size )
{
byte
=
&buf[index];
if
( !
*
((_DWORD
*
)byte
+
3
) )
goto LABEL_30;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x100
) !
=
0
)
/
/
IN_CREATE
{
v3
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
/
/
IN_ISDIR
{
+
+
s_index;
s1[v3]
=
'c'
;
v4
=
s_index
+
+
;
s1[v4]
=
'd'
;
}
else
{
+
+
s_index;
s1[v3]
=
'c'
;
v5
=
s_index
+
+
;
s1[v5]
=
'f'
;
}
LABEL_26:
v23
=
byte[
16
]
+
4
;
v24
=
s_index
+
+
;
s1[v24]
=
v23;
v25
=
byte[
17
]
+
4
;
v26
=
s_index
+
+
;
s1[v26]
=
v25;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x200
) !
=
0
)
/
/
IN_DELETE
{
v6
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
{
+
+
s_index;
s1[v6]
=
'd'
;
v7
=
s_index
+
+
;
s1[v7]
=
'd'
;
}
else
{
+
+
s_index;
s1[v6]
=
'd'
;
v8
=
s_index
+
+
;
s1[v8]
=
'f'
;
}
goto LABEL_26;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
8
) !
=
0
)
/
/
IN_CLOSE_WRITE
{
v9
=
s_index
+
+
;
s1[v9]
=
'c'
;
v10
=
s_index
+
+
;
s1[v10]
=
'w'
;
v11
=
byte[
16
]
+
4
;
v12
=
s_index
+
+
;
s1[v12]
=
v11;
v13
=
byte[
17
]
+
4
;
v14
=
s_index
+
+
;
s1[v14]
=
v13;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
1
) !
=
0
)
/
/
IN_ACCESS
{
v15
=
s_index
+
+
;
s1[v15]
=
'a'
;
v16
=
s_index
+
+
;
s1[v16]
=
'c'
;
v17
=
byte[
16
]
+
4
;
v18
=
s_index
+
+
;
s1[v18]
=
v17;
v19
=
byte[
17
]
+
4
;
v20
=
s_index
+
+
;
s1[v20]
=
v19;
goto LABEL_30;
}
if
( (
*
((_DWORD
*
)byte
+
1
) &
4
) !
=
0
)
/
/
IN_ATTRIB
{
v21
=
s_index;
if
( (
*
((_DWORD
*
)byte
+
1
) &
0x40000000
) !
=
0
)
{
+
+
s_index;
s1[v21]
=
'a'
;
v22
=
s_index
+
+
;
s1[v22]
=
'd'
;
}
else
{
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
- [原创]SCTF low_re出题思路 14302
- [原创]l3hctf两道re的wp 8944
- [原创]强网拟态线上mobile的两道wp 22198
- [原创]android JNI静态注册和动态注册 9446
- [原创]inctf-noodes 9760