[原创]inctf-noodes
发表于: 2021-8-18 18:22 9769


这个题算是诈胡出来的

参考链接:

https://linux.die.net/man/7/inotify

https://zh.wikipedia.org/wiki/Inotify

这个感觉和git有点点像, 监控文件的变动, 变动会生成事件

这里涉及的事件

这里4字节长度刚好对应 `index += *((_DWORD *)byte + 3) + 16;` 中的加16

除了2,3不能有名称之外都有2字节的名称

这里的字符串没有新建操作, 前面的文件初始化已经完成了(监控开启之前)

注意: df之后不能再打开文件, 否则会出现新建操作 (这里有一处就是这样df之后才mf的, 这里应该在df之前就打开, 我把这个操作放在了最前面). mf之前和cw之前一定要打开文件指针, 打开操作只需要一次 (mf, cw相同的文件只打开一次, 每次mf都会有cw收尾). exit会关闭所有的文件指针 (这里也会被记录, 后打开的先关闭).

生成输入脚本: (因为mf操作不多, 我就直接手动删除多余的新建操作, 最后再加个8)

得到1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN1Bl31Lx31Pd31JH311V3221Xt219321uj21Cx2221Xl21EZ221KP28

最后输入发现有错误, 调试之后发现, 从SafVR之后开始, 这里完全倒了过来,

要求的s1:mfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\xcw=7cwyncwG|cwThcwNLcw\pcwI^cw5ZcwOT

生成的s1:mf5Zcw5ZmfNLcwNLcw\xcw=7cwyncwG|mfThcwThmfP|cwP|cw\pcwI^mfFpcwFpcwOT

具体调试了函数之后(前面有一个闹钟记得patch掉), 这里mf之后并没有把字符串写入, 是在fclose文件指针之后把文件修改, 那到底怎么连续修改之后再关闭文件指针呢, 这里我试了一下exit来关闭文件指针,把输入后面改成:

1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN(这里开始修改)

1KP11V31EZ1Xl1JH31Pd31Cx1uj1931Xt1Lx31Bl38, 成功得到flag

 
 
 
if ( !strcmp(
          s1,
          "dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
          "Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
          "f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
          "f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )
if ( !strcmp(
          s1,
          "dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
          "Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
          "f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
          "f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )
v45 = __readfsqword(0x28u);           // stack-protector canary (fs:0x28); the matching check at function exit is outside this excerpt
  index = 0;                           // byte offset into the inotify event buffer consumed later
  s_index = 0;                         // write cursor into s1, the reconstructed operation string
  sub_55D31246E16A();
  sub_55D31246E1FA();
  fd = inotify_init();                 // create an inotify instance
  if ( fd < 0 )
    perror("inotify_init");            // NOTE: failure is only reported; execution continues with an invalid fd
  sub_55D31246E4B7("/tmp/chall/");     // create the initial files before the watch exists, so their creation produces no events
  wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // watch the directory; 0x33F = IN_ACCESS|IN_MODIFY|IN_ATTRIB|IN_CLOSE_WRITE|IN_CLOSE_NOWRITE|IN_OPEN|IN_CREATE|IN_DELETE; wd is never checked for -1
  pid = fork();                        // child applies the user-driven file operations, parent records the resulting events
  if ( !pid )
    sub_55D31246E668("/tmp/chall/");   // child: read user input and modify the watched directory; presumably exits inside, otherwise it would fall through to waitpid(0, ...) below
  if ( waitpid(pid, &stat_loc, 0) == -1 )
  {
    perror("waitpid failed\n");
    goto LABEL_35;                     // LABEL_35 is outside this excerpt
  }
  v40 = BYTE1(stat_loc);               // bits 8..15 of the wait status = child's exit code (WEXITSTATUS)
  printf("%d", BYTE1(stat_loc));
v45 = __readfsqword(0x28u);           // stack-protector canary (fs:0x28); the matching check at function exit is outside this excerpt
  index = 0;                           // byte offset into the inotify event buffer consumed later
  s_index = 0;                         // write cursor into s1, the reconstructed operation string
  sub_55D31246E16A();
  sub_55D31246E1FA();
  fd = inotify_init();                 // create an inotify instance
  if ( fd < 0 )
    perror("inotify_init");            // NOTE: failure is only reported; execution continues with an invalid fd
  sub_55D31246E4B7("/tmp/chall/");     // create the initial files before the watch exists, so their creation produces no events
  wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // watch the directory; 0x33F = IN_ACCESS|IN_MODIFY|IN_ATTRIB|IN_CLOSE_WRITE|IN_CLOSE_NOWRITE|IN_OPEN|IN_CREATE|IN_DELETE; wd is never checked for -1
  pid = fork();                        // child applies the user-driven file operations, parent records the resulting events
  if ( !pid )
    sub_55D31246E668("/tmp/chall/");   // child: read user input and modify the watched directory; presumably exits inside, otherwise it would fall through to waitpid(0, ...) below
  if ( waitpid(pid, &stat_loc, 0) == -1 )
  {
    perror("waitpid failed\n");
    goto LABEL_35;                     // LABEL_35 is outside this excerpt
  }
  v40 = BYTE1(stat_loc);               // bits 8..15 of the wait status = child's exit code (WEXITSTATUS)
  printf("%d", BYTE1(stat_loc));
size = read(fd, buf, 0x8000uLL);      // one read drains the queued events into buf; each event is a struct inotify_event (wd, mask, cookie, len: four 4-byte fields, 16 bytes) followed by len name bytes (inotify(7))
  if ( size < 0 )
    perror("read");                    // only reported; a negative size simply skips the loop below
  // Events that did not fit in 0x8000 bytes, and events queued after this single read, are never seen.
  // A queue overflow would show up as an IN_Q_OVERFLOW event with len == 0 and be skipped silently by the len check below.
  while ( index < size )
  {
    byte = &buf[index];                // current event header
    if ( !*((_DWORD *)byte + 3) )      // len == 0: event without a name (e.g. on the directory itself) -> nothing recorded
      goto LABEL_30;
    // Each recorded event appends exactly 4 bytes to s1: a 2-letter opcode, then the first two
    // bytes of the file name each shifted by +4. Mask bits are tested in a fixed order, so if several
    // bits are set only the first matching branch is recorded.
    // NOTE: s_index is never compared against the size of s1 (not visible here), so a long burst of
    // events can overrun it; s1 is also not NUL-terminated here - presumably zeroed earlier, confirm.
    if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE -> "cd" for a directory, "cf" for a file
    {
      v3 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
      {
        ++s_index;
        s1[v3] = 'c';
        v4 = s_index++;
        s1[v4] = 'd';
      }
      else
      {
        ++s_index;
        s1[v3] = 'c';
        v5 = s_index++;
        s1[v5] = 'f';
      }
LABEL_26:
      // Shared tail for the create/delete/attrib branches: append name[0]+4 and name[1]+4.
      // Only len != 0 is checked, not len >= 2; the kernel pads the name field to a multiple of 16
      // with NUL bytes, so a one-character name would contribute a padding byte here (0 + 4).
      v23 = byte[16] + 4;
      v24 = s_index++;
      s1[v24] = v23;
      v25 = byte[17] + 4;
      v26 = s_index++;
      s1[v26] = v25;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE -> "dd" for a directory, "df" for a file
    {
      v6 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 ) // IN_ISDIR
      {
        ++s_index;
        s1[v6] = 'd';
        v7 = s_index++;
        s1[v7] = 'd';
      }
      else
      {
        ++s_index;
        s1[v6] = 'd';
        v8 = s_index++;
        s1[v8] = 'f';
      }
      goto LABEL_26;
    }
    if ( (*((_DWORD *)byte + 1) & 8) != 0 )     // IN_CLOSE_WRITE -> "cw" (no IN_ISDIR distinction)
    {
      v9 = s_index++;
      s1[v9] = 'c';
      v10 = s_index++;
      s1[v10] = 'w';
      v11 = byte[16] + 4;                       // same name[0]+4 / name[1]+4 tail as LABEL_26, inlined
      v12 = s_index++;
      s1[v12] = v11;
      v13 = byte[17] + 4;
      v14 = s_index++;
      s1[v14] = v13;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 1) != 0 )     // IN_ACCESS -> "ac" (no IN_ISDIR distinction)
    {
      v15 = s_index++;
      s1[v15] = 'a';
      v16 = s_index++;
      s1[v16] = 'c';
      v17 = byte[16] + 4;
      v18 = s_index++;
      s1[v18] = v17;
      v19 = byte[17] + 4;
      v20 = s_index++;
      s1[v20] = v19;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 4) != 0 )     // IN_ATTRIB -> "ad" for a directory, "af" for a file
    {
      v21 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 ) // IN_ISDIR
      {
        ++s_index;
        s1[v21] = 'a';
        v22 = s_index++;
        s1[v22] = 'd';
      }
      else
      {
        ++s_index;
        s1[v21] = 'a';
        v27 = s_index++;
        s1[v27] = 'f';
      }
      goto LABEL_26;
    }
    if ( (*((_DWORD *)byte + 1) & 2) != 0 )     // IN_MODIFY -> "mf" (no IN_ISDIR distinction)
    {
      v28 = s_index++;
      s1[v28] = 'm';
      v29 = s_index++;
      s1[v29] = 'f';
      v30 = byte[16] + 4;
      v31 = s_index++;
      s1[v31] = v30;
      v32 = byte[17] + 4;
      v33 = s_index++;
      s1[v33] = v32;
    }
    // IN_OPEN and IN_CLOSE_NOWRITE are part of the watch mask but have no branch here, so they are skipped.
LABEL_30:
    index += *((_DWORD *)byte + 3) + 16;        // advance by the 16-byte header plus len name bytes; index + 16 <= size is not verified before the header reads above
  }
size = read(fd, buf, 0x8000uLL);
  if ( size < 0 )
    perror("read");
  while ( index < size )
  {
    byte = &buf[index];
    if ( !*((_DWORD *)byte + 3) )
      goto LABEL_30;
    if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE
    {
      v3 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
      {
        ++s_index;
        s1[v3] = 'c';
        v4 = s_index++;
        s1[v4] = 'd';
      }
      else
      {
        ++s_index;
        s1[v3] = 'c';
        v5 = s_index++;
        s1[v5] = 'f';
      }
LABEL_26:
      v23 = byte[16] + 4;
      v24 = s_index++;
      s1[v24] = v23;
      v25 = byte[17] + 4;
      v26 = s_index++;
      s1[v26] = v25;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE  
    {
      v6 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
      {
        ++s_index;
        s1[v6] = 'd';
        v7 = s_index++;
        s1[v7] = 'd';
      }
      else
      {
        ++s_index;
        s1[v6] = 'd';
        v8 = s_index++;
        s1[v8] = 'f';
      }
      goto LABEL_26;
    }
    if ( (*((_DWORD *)byte + 1) & 8) != 0 )     // IN_CLOSE_WRITE
    {
      v9 = s_index++;
      s1[v9] = 'c';
      v10 = s_index++;
      s1[v10] = 'w';
      v11 = byte[16] + 4;
      v12 = s_index++;
      s1[v12] = v11;
      v13 = byte[17] + 4;
      v14 = s_index++;
      s1[v14] = v13;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 1) != 0 )     // IN_ACCESS
    {
      v15 = s_index++;
      s1[v15] = 'a';
      v16 = s_index++;
      s1[v16] = 'c';
      v17 = byte[16] + 4;
      v18 = s_index++;
      s1[v18] = v17;
      v19 = byte[17] + 4;
      v20 = s_index++;
      s1[v20] = v19;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 4) != 0 )     // IN_ATTRIB
    {
      v21 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
      {
        ++s_index;
        s1[v21] = 'a';
        v22 = s_index++;
        s1[v22] = 'd';
      }
      else
      {


最后于 2021-8-18 23:39 被margina1编辑 ,原因: