这个题算是诈胡出来的
参考链接:
https://linux.die.net/man/7/inotify
https://zh.wikipedia.org/wiki/Inotify
这个感觉和git有点点像, 监控文件的变动, 变动会生成事件
这里涉及的事件
这里4字节长度刚好对应index += ((_DWORD )byte + 3) + 16;的加16
除了2,3不能有名称之外都有2字节的名称
这里的字符串没有新建操作, 前面的文件初始化已经完成了(监控开启之前)
注意:df之后不能再打开文件, 否则会出现新建操作,(这里有一处就是这样df之后才mf的, 这里应该再df之前就打开, 我把这个操作放在了最前面, mf之前和cw之前一定要打开文件指针, 打开操作只需要一次, (mf, cw相同的文件只打开一次, 每次mf都会有cw收尾), exit会关闭所有的文件指针(这里也会被记录, 后打开的先关闭)
生成输入脚本: (因为mf操作不多, 我就直接手动删除多余的新建操作, 最后再加个8)
得到1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN1Bl31Lx31Pd31JH311V3221Xt219321uj21Cx2221Xl21EZ221KP28
最后输入发现有错误, 调试之后发现, 从SafVR之后开始, 这里完全倒了过来,
要求的s1:mfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\xcw=7cwyncwG|cwThcwNLcw\pcwI^cw5ZcwOT
生成的s1:mf5Zcw5ZmfNLcwNLcw\xcw=7cwyncwG|mfThcwThmfP|cwP|cw\pcwI^mfFpcwFpcwOT
具体调试了函数之后(前面有一个闹钟记得patch掉), 这里mf之后并没有把字符串写入, 是在fclose文件指针之后把文件修改, 那到底怎么连续修改之后再关闭文件指针呢, 这里我试了一下exit来关闭文件指针,把输入后面改成:
1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN(这里开始修改)
1KP11V31EZ1Xl1JH31Pd31Cx1uj1931Xt1Lx31Bl38, 成功得到flag
if ( !strcmp(
s1,
"dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
"Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
"f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
"f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )
if ( !strcmp(
s1,
"dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
"Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
"f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
"f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )
v45 = __readfsqword(0x28u);
index = 0;
s_index = 0;
sub_55D31246E16A();
sub_55D31246E1FA();
fd = inotify_init(); //初始化一个 inotify 实例
if ( fd < 0 )
perror("inotify_init");
sub_55D31246E4B7("/tmp/chall/"); //初始化文件
wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // 将监视添加到初始化的 inotify 实例
pid = fork(); //新建进程
if ( !pid )
sub_55D31246E668("/tmp/chall/"); //用户输入处理,文件变动
if ( waitpid(pid, &stat_loc, 0) == -1 )
{
perror("waitpid failed\n");
goto LABEL_35;
}
v40 = BYTE1(stat_loc);
printf("%d", BYTE1(stat_loc));
v45 = __readfsqword(0x28u);
index = 0;
s_index = 0;
sub_55D31246E16A();
sub_55D31246E1FA();
fd = inotify_init(); //初始化一个 inotify 实例
if ( fd < 0 )
perror("inotify_init");
sub_55D31246E4B7("/tmp/chall/"); //初始化文件
wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // 将监视添加到初始化的 inotify 实例
pid = fork(); //新建进程
if ( !pid )
sub_55D31246E668("/tmp/chall/"); //用户输入处理,文件变动
if ( waitpid(pid, &stat_loc, 0) == -1 )
{
perror("waitpid failed\n");
goto LABEL_35;
}
v40 = BYTE1(stat_loc);
printf("%d", BYTE1(stat_loc));
size = read(fd, buf, 0x8000uLL);
if ( size < 0 )
perror("read");
while ( index < size )
{
byte = &buf[index];
if ( !*((_DWORD *)byte + 3) )
goto LABEL_30;
if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE
{
v3 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
{
++s_index;
s1[v3] = 'c';
v4 = s_index++;
s1[v4] = 'd';
}
else
{
++s_index;
s1[v3] = 'c';
v5 = s_index++;
s1[v5] = 'f';
}
LABEL_26:
v23 = byte[16] + 4;
v24 = s_index++;
s1[v24] = v23;
v25 = byte[17] + 4;
v26 = s_index++;
s1[v26] = v25;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE
{
v6 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
++s_index;
s1[v6] = 'd';
v7 = s_index++;
s1[v7] = 'd';
}
else
{
++s_index;
s1[v6] = 'd';
v8 = s_index++;
s1[v8] = 'f';
}
goto LABEL_26;
}
if ( (*((_DWORD *)byte + 1) & 8) != 0 ) // IN_CLOSE_WRITE
{
v9 = s_index++;
s1[v9] = 'c';
v10 = s_index++;
s1[v10] = 'w';
v11 = byte[16] + 4;
v12 = s_index++;
s1[v12] = v11;
v13 = byte[17] + 4;
v14 = s_index++;
s1[v14] = v13;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 1) != 0 ) // IN_ACCESS
{
v15 = s_index++;
s1[v15] = 'a';
v16 = s_index++;
s1[v16] = 'c';
v17 = byte[16] + 4;
v18 = s_index++;
s1[v18] = v17;
v19 = byte[17] + 4;
v20 = s_index++;
s1[v20] = v19;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 4) != 0 ) // IN_ATTRIB
{
v21 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
++s_index;
s1[v21] = 'a';
v22 = s_index++;
s1[v22] = 'd';
}
else
{
++s_index;
s1[v21] = 'a';
v27 = s_index++;
s1[v27] = 'f';
}
goto LABEL_26;
}
if ( (*((_DWORD *)byte + 1) & 2) != 0 ) // IN_MODIFY
{
v28 = s_index++;
s1[v28] = 'm';
v29 = s_index++;
s1[v29] = 'f';
v30 = byte[16] + 4;
v31 = s_index++;
s1[v31] = v30;
v32 = byte[17] + 4;
v33 = s_index++;
s1[v33] = v32;
}
LABEL_30:
index += *((_DWORD *)byte + 3) + 16;
}
size = read(fd, buf, 0x8000uLL);
if ( size < 0 )
perror("read");
while ( index < size )
{
byte = &buf[index];
if ( !*((_DWORD *)byte + 3) )
goto LABEL_30;
if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE
{
v3 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
{
++s_index;
s1[v3] = 'c';
v4 = s_index++;
s1[v4] = 'd';
}
else
{
++s_index;
s1[v3] = 'c';
v5 = s_index++;
s1[v5] = 'f';
}
LABEL_26:
v23 = byte[16] + 4;
v24 = s_index++;
s1[v24] = v23;
v25 = byte[17] + 4;
v26 = s_index++;
s1[v26] = v25;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE
{
v6 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
++s_index;
s1[v6] = 'd';
v7 = s_index++;
s1[v7] = 'd';
}
else
{
++s_index;
s1[v6] = 'd';
v8 = s_index++;
s1[v8] = 'f';
}
goto LABEL_26;
}
if ( (*((_DWORD *)byte + 1) & 8) != 0 ) // IN_CLOSE_WRITE
{
v9 = s_index++;
s1[v9] = 'c';
v10 = s_index++;
s1[v10] = 'w';
v11 = byte[16] + 4;
v12 = s_index++;
s1[v12] = v11;
v13 = byte[17] + 4;
v14 = s_index++;
s1[v14] = v13;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 1) != 0 ) // IN_ACCESS
{
v15 = s_index++;
s1[v15] = 'a';
v16 = s_index++;
s1[v16] = 'c';
v17 = byte[16] + 4;
v18 = s_index++;
s1[v18] = v17;
v19 = byte[17] + 4;
v20 = s_index++;
s1[v20] = v19;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 4) != 0 ) // IN_ATTRIB
{
v21 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
++s_index;
s1[v21] = 'a';
v22 = s_index++;
s1[v22] = 'd';
}
else
{
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2021-8-18 23:39
被margina1编辑
,原因:
