-
-
[原创]2021KCTF秋季赛 迷失丛林
-
发表于: 2021-11-26 01:29
-
0x4013CC 获得输入
输入长度0x20,输入只能是数字+大写字母,会在sub_4014A0做hex,变成4个DWORD
0x404000 开头8字节
取0x404000 256字节发现缺少以下内容
不想逆
frida爆破,需要在x64dbg里的两个hook处跳回去
堆栈平衡 jmp 0x00401584
12547 75,109,40,140,251,210,30,163
前面部分确定 B4D682C8BF2DE13A
part2
得出D9B6AEF24A80CB22
B4D682C8BF2DE13AD9B6AEF24A80CB22
//全排列爆破
function swap(arr,i,j) { if(i!=j) {
var temp=arr[i];
arr[i]=arr[j];
arr[j]=temp;
}
} var count=0;
var burst=[];
function show(arr) { var t=[];
for(var i=0;i<8;i++){
t.push(arr[i]);
}
burst.push(t);
} function perm(arr) { (function fn(n) { //为第n个位置选择元素
for(var i=n;i<arr.length;i++) {
swap(arr,i,n);
if(n+1<arr.length-1) //判断数组中剩余的待全排列的元素是否大于1个
fn(n+1); //从第n+1个下标进行全排列
else
show(arr); //显示一组结果
swap(arr,i,n);
}
})(0);
} perm([0x1e,0x28,0x4b,0xd2,0x6d,0x8c,0xa3,0xfb]);
var base_data = [0xa2,0x9b,0xf4,0xdf,0xac,0x7c,0xa1,0xc6,0x16,0xd0,0x0f,0xdd,0xdc,0x73,0xc5,0x6b,0xd1,0x96,0x47,0xc2,0x26,0x67,0x4e,0x41,0x82,0x20,0x56,0x9a,0x6e,0x33,0x92,0x88,0x29,0xb5,0xb4,0x71,0xa9,0xce,0xc3,0x34,0x50,0x59,0xbf,0x2d,0x57,0x22,0xa6,0x30,0x04,0xb2,0xcd,0x36,0xd5,0x68,0x4d,0x5b,0x45,0x9e,0x85,0xcf,0x9d,0xcc,0x61,0x78,0x32,0x76,0x31,0xe3,0x80,0xad,0x39,0x4f,0xfa,0x72,0x83,0x4c,0x86,0x60,0xb7,0xd7,0x63,0x0c,0x44,0x35,0xb3,0x7b,0x19,0xd4,0x69,0x08,0x0b,0x1f,0x3d,0x11,0x79,0xd3,0xee,0x93,0x42,0xde,0x23,0x3b,0x5d,0x8d,0xa5,0x77,0x5f,0x58,0xdb,0x97,0xf6,0x7a,0x18,0x52,0x15,0x74,0x25,0x62,0x2c,0x05,0xe8,0x0d,0x98,0x2a,0x43,0xe2,0xef,0x48,0x87,0x49,0x1c,0xca,0x2b,0xa7,0x8a,0x09,0x81,0xe7,0x53,0xaa,0xff,0x6f,0x8e,0x91,0xf1,0xf0,0xa4,0x46,0x3a,0x7d,0x54,0xeb,0x2f,0xc1,0xc0,0x0e,0xbd,0xe1,0x6c,0x64,0xbe,0xe4,0x02,0x3c,0x5a,0xa8,0x9f,0x37,0xaf,0xa0,0x13,0xed,0x1b,0xec,0x8b,0x3e,0x7e,0x27,0x99,0x75,0xab,0xfe,0xd9,0x3f,0xf3,0xea,0x70,0xf7,0x95,0xba,0x1d,0x40,0xb0,0xf9,0xe5,0xf8,0x06,0xbc,0xb6,0x03,0xc9,0x10,0x9c,0x2e,0x89,0x5c,0x7f,0xb1,0x1a,0xd6,0x90,0xae,0xda,0xe6,0x5e,0xb9,0x84,0xe9,0x55,0xbb,0xc7,0x0a,0xe0,0x66,0xf2,0xd8,0xcb,0x00,0x12,0xb8,0x17,0x94,0x6a,0x4a,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xc8,0x38,0xfd,0x8f,0xc4,0xf5,0xfc];
var empty=[]
for(var e=0;e<0x10200;e++){
empty.push(0);
}var count = 0;
var table = ptr(0x404000)
var temp = ptr(0x404220)
function reset(that){ if(count < burst.length){
table.writeByteArray(burst[count].concat(base_data));
temp.writeByteArray(empty);
if(count%1000==0)console.log(count);
count +=1;
// /that.context.eip = ptr(0x401590);
}else{
Interceptor.detachAll();
}
}//Success
Interceptor.attach(ptr(0x4016bc),{
onEnter: function(args){
//Success
console.log(count-1,burst[count-1]);
reset(this);
//this.context.eip = ptr(0x401583);
},onLeave:function(){
}
});Interceptor.attach(ptr(0x4017e5),{
onEnter: function(args){
//Fail
reset(this);
//this.context.eip = ptr(0x401583);
//reset
},onLeave:function(){
}
});//全排列爆破
function swap(arr,i,j) { if(i!=j) {
var temp=arr[i];
arr[i]=arr[j];
arr[j]=temp;
}
} var count=0;
var burst=[];
function show(arr) { var t=[];
for(var i=0;i<8;i++){
t.push(arr[i]);
}
burst.push(t);
} function perm(arr) { (function fn(n) { //为第n个位置选择元素
for(var i=n;i<arr.length;i++) {
swap(arr,i,n);
if(n+1<arr.length-1) //判断数组中剩余的待全排列的元素是否大于1个
fn(n+1); //从第n+1个下标进行全排列
else
show(arr); //显示一组结果
swap(arr,i,n);
}
})(0);
} perm([0x1e,0x28,0x4b,0xd2,0x6d,0x8c,0xa3,0xfb]);
var base_data = [0xa2,0x9b,0xf4,0xdf,0xac,0x7c,0xa1,0xc6,0x16,0xd0,0x0f,0xdd,0xdc,0x73,0xc5,0x6b,0xd1,0x96,0x47,0xc2,0x26,0x67,0x4e,0x41,0x82,0x20,0x56,0x9a,0x6e,0x33,0x92,0x88,0x29,0xb5,0xb4,0x71,0xa9,0xce,0xc3,0x34,0x50,0x59,0xbf,0x2d,0x57,0x22,0xa6,0x30,0x04,0xb2,0xcd,0x36,0xd5,0x68,0x4d,0x5b,0x45,0x9e,0x85,0xcf,0x9d,0xcc,0x61,0x78,0x32,0x76,0x31,0xe3,0x80,0xad,0x39,0x4f,0xfa,0x72,0x83,0x4c,0x86,0x60,0xb7,0xd7,0x63,0x0c,0x44,0x35,0xb3,0x7b,0x19,0xd4,0x69,0x08,0x0b,0x1f,0x3d,0x11,0x79,0xd3,0xee,0x93,0x42,0xde,0x23,0x3b,0x5d,0x8d,0xa5,0x77,0x5f,0x58,0xdb,0x97,0xf6,0x7a,0x18,0x52,0x15,0x74,0x25,0x62,0x2c,0x05,0xe8,0x0d,0x98,0x2a,0x43,0xe2,0xef,0x48,0x87,0x49,0x1c,0xca,0x2b,0xa7,0x8a,0x09,0x81,0xe7,0x53,0xaa,0xff,0x6f,0x8e,0x91,0xf1,0xf0,0xa4,0x46,0x3a,0x7d,0x54,0xeb,0x2f,0xc1,0xc0,0x0e,0xbd,0xe1,0x6c,0x64,0xbe,0xe4,0x02,0x3c,0x5a,0xa8,0x9f,0x37,0xaf,0xa0,0x13,0xed,0x1b,0xec,0x8b,0x3e,0x7e,0x27,0x99,0x75,0xab,0xfe,0xd9,0x3f,0xf3,0xea,0x70,0xf7,0x95,0xba,0x1d,0x40,0xb0,0xf9,0xe5,0xf8,0x06,0xbc,0xb6,0x03,0xc9,0x10,0x9c,0x2e,0x89,0x5c,0x7f,0xb1,0x1a,0xd6,0x90,0xae,0xda,0xe6,0x5e,0xb9,0x84,0xe9,0x55,0xbb,0xc7,0x0a,0xe0,0x66,0xf2,0xd8,0xcb,0x00,0x12,0xb8,0x17,0x94,0x6a,0x4a,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xc8,0x38,0xfd,0x8f,0xc4,0xf5,0xfc];
var empty=[]
for(var e=0;e<0x10200;e++){
empty.push(0);
}var count = 0;
var table = ptr(0x404000)
var temp = ptr(0x404220)
function reset(that){ if(count < burst.length){
table.writeByteArray(burst[count].concat(base_data));
temp.writeByteArray(empty);
if(count%1000==0)console.log(count);
count +=1;
// /that.context.eip = ptr(0x401590);
}else{
Interceptor.detachAll();
}
}//Success
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
