[原创]KCTF2021秋 万事俱备 writeup
发表于: 2021-12-7 21:11 18427
易语言(E语言)32位程序,用IDA打开看看,发现了zlib;随即运行起来看看进程,发现多了个python27.exe
把temp目录下面的pub整个目录复制出来,发现可以正常验证通过,说明跟E语言没关系,就是一道Python题
用官方版python27执行脚本check.py,发现报错,所以python27.exe是个改版的。
把python.dll拖进IDA,它提示了pdb路径,由此知道Python版本是2.7.18
下载一份Python源码,编译release 64位版本,跟python.dll对比,发现opcode改了
经过N……个小时,把opcode找对了;按下面的opcode.h编译出来的Python,可以正常通过check.py的验证
用Python反编译工具替换opcode后,运行直接崩溃
用Python反汇编一看:
全是垃圾指令,而且有<INVALID>,说明还有混淆,无奈放弃反编译。
直接用源码编译,单步调试
源码中有个lltrace开关,打开后python崩溃。
发现要在输入完name/serial后再打开lltrace,才能成功。
。。。。。。中间省略N小时。。。。。。。。。
最终,过滤掉垃圾代码
注意:COMPARE_OP在oparg == 3的时候是垃圾指令,其他情况是正常的if语句
增加几个宏:
把关键操作用show打印出调用前后的堆栈信息,开始记录log;先从COMPARE_OP入手,发现最终比较的是'KCTF@021GoodLuck'这个字符串,共16字节
然后看中间过程,又是漫长的N。。。。。小时
先对字符串helloctf_pediy_Archaia做md5,结果为
bfdc823fca7d85034d70f650df268108,全小写字符串
扩展5遍,得到256字节的数组
这个数组作为RC4的key;RC4是变种的,rc4_setup_key和rc4_crypt都不是标准实现,等setup_key结束后,抓取rc4_table
然后单步逆了crypt过程:一共处理了两遍,前一遍多异或一次161,后16轮多异或一次61,注意后一遍的i是从16开始的
之后的算法叫“喵指令”,跟第三题“中娅之戒”里面的算法很像,不过这里是16位长度的,一共8个,其中有一个交换了顺序
最终keygen代码:
把ret打印成大写16进制即可
flag: AD0A1F8179ABE48ED3B073F840DA52A7
/* Instruction opcodes for compiled code */

/*
 * Remapped opcode table recovered for the challenge's modified python27
 * (the writeup reports the stock 2.7.18 numbering was changed).  Same
 * definitions as the original listing, ordered by opcode number so the
 * gaps and the split around the argument boundary are visible at a glance.
 *
 * Numbers below 90 carry no argument; 90 and above carry a 2-byte oparg
 * (HAVE_ARGUMENT / HAS_ARG are defined further down in this header).
 * Numbers that do not appear here are not assigned to any opcode in this
 * table; the disassembly in the writeup shows such bytes as <INVALID>.
 */

/* --- no-argument opcodes (0..89) --- */
#define SLICE                   0
#define SLICE_1                 1
#define SLICE_2                 2
#define SLICE_3                 3
#define STORE_SLICE             4
#define STORE_SLICE_1           5
#define STORE_SLICE_2           6
#define STORE_SLICE_3           7
#define DELETE_SLICE            8
#define DELETE_SLICE_1          9
#define DELETE_SLICE_2          10
#define DELETE_SLICE_3          11
#define DUP_TOP                 13
#define BINARY_MODULO           14
#define PRINT_NEWLINE           15
#define ROT_FOUR                16
#define INPLACE_ADD             17
#define BINARY_AND              18
#define BINARY_RSHIFT           19
#define INPLACE_MULTIPLY        20
#define POP_BLOCK               22
#define DELETE_SUBSCR           23
#define PRINT_NEWLINE_TO        24
#define UNARY_INVERT            25
#define INPLACE_FLOOR_DIVIDE    26
#define IMPORT_STAR             28
#define INPLACE_OR              29
#define POP_TOP                 30
#define END_FINALLY             31
#define UNARY_POSITIVE          32
#define INPLACE_POWER           33
#define INPLACE_XOR             37
#define PRINT_EXPR              39
#define BINARY_SUBSCR           40
#define INPLACE_LSHIFT          41
#define WITH_CLEANUP            42
#define INPLACE_AND             45
#define RETURN_VALUE            46
#define BINARY_TRUE_DIVIDE      48
#define BREAK_LOOP              50
#define EXEC_STMT               51
#define ROT_TWO                 52
#define BINARY_SUBTRACT         53
#define BUILD_CLASS             54
#define ROT_THREE               56
#define UNARY_NOT               57
#define STOP_CODE               58
#define PRINT_ITEM              59
#define YIELD_VALUE             60
#define PRINT_ITEM_TO           62
#define INPLACE_TRUE_DIVIDE     63
#define STORE_MAP               64
#define NOP                     65
#define BINARY_LSHIFT           66
#define INPLACE_MODULO          67
#define BINARY_MULTIPLY         69
#define GET_ITER                70
#define BINARY_DIVIDE           71
#define INPLACE_RSHIFT          72
#define STORE_SUBSCR            73
#define INPLACE_DIVIDE          74
#define BINARY_FLOOR_DIVIDE     76
#define BINARY_POWER            77
#define BINARY_ADD              81
#define LOAD_LOCALS             83
#define BINARY_OR               85
#define INPLACE_SUBTRACT        86
#define UNARY_CONVERT           87
#define BINARY_XOR              88
#define UNARY_NEGATIVE          89

/* --- opcodes with an argument (90..147) --- */
#define CALL_FUNCTION           90
#define POP_JUMP_IF_FALSE       92
#define SETUP_LOOP              93
#define LOAD_NAME               94
#define COMPARE_OP              95
#define STORE_GLOBAL            98
#define CALL_FUNCTION_VAR       99
#define CALL_FUNCTION_KW        100
#define CALL_FUNCTION_VAR_KW    101
#define STORE_ATTR              102
#define BUILD_SLICE             105
#define BUILD_TUPLE             106
#define UNPACK_SEQUENCE         107
#define FOR_ITER                108
#define LOAD_FAST               109
#define DUP_TOPX                110
#define SETUP_FINALLY           111
#define STORE_NAME              112
#define CONTINUE_LOOP           113
#define DELETE_GLOBAL           114
#define JUMP_FORWARD            115
#define BUILD_SET               116
#define JUMP_ABSOLUTE           118
#define STORE_FAST              119
#define POP_JUMP_IF_TRUE        120
#define STORE_DEREF             122
#define JUMP_IF_TRUE_OR_POP     123
#define IMPORT_NAME             124
#define LOAD_DEREF              125
#define MAKE_FUNCTION           126
#define DELETE_NAME             127
#define JUMP_IF_FALSE_OR_POP    128
#define SETUP_EXCEPT            130
#define LOAD_CONST              131
#define LOAD_CLOSURE            132
#define BUILD_LIST              133
#define RAISE_VARARGS           134
#define IMPORT_FROM             135
#define MAKE_CLOSURE            136
#define DELETE_ATTR             137
#define LOAD_GLOBAL             138
#define BUILD_MAP               139
#define LOAD_ATTR               140
#define LIST_APPEND             141
#define DELETE_FAST             142
#define SETUP_WITH              143
#define EXTENDED_ARG            145
#define SET_ADD                 146
#define MAP_ADD                 147
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/
/* Argument boundary: kept at the stock value 90, so in the remapped table
   above every opcode numbered 90 or higher is fetched together with a
   2-byte oparg and everything below is fetched bare. */
#define HAVE_ARGUMENT 90 /* Opcodes from here have an argument: */

/* COMPARE_OP argument values.  Unchanged from stock CPython: the first six
   alias the Py_* rich-comparison constants from object.h, the rest follow.
   The disassembly in the writeup shows "COMPARE_OP 3 (!=)", i.e. oparg 3 is
   PyCmp_NE; the writeup flags that particular form as junk in this binary. */
enum cmp_op {PyCmp_LT=Py_LT, PyCmp_LE=Py_LE, PyCmp_EQ=Py_EQ, PyCmp_NE=Py_NE,
             PyCmp_GT=Py_GT, PyCmp_GE=Py_GE,
             PyCmp_IN, PyCmp_NOT_IN, PyCmp_IS, PyCmp_IS_NOT, PyCmp_EXC_MATCH,
             PyCmp_BAD};

/* True when the dispatcher must read an oparg after this opcode byte. */
#define HAS_ARG(op) ((op) >= HAVE_ARGUMENT)
[Disassembly]
  0 LOAD_CONST           0 : 0x42DB1D32A8D2872F2A53EFD66A2L
  3 STORE_FAST          16 : �������u���� ȩ�ੳ�G��Ǣ��L2$
  6 JUMP_ABSOLUTE       11
  9 <INVALID>
 10 <INVALID>
 11 NOP
 12 LOAD_FAST           16 : �������u���� ȩ�ੳ�G��Ǣ��L2$
 15 LOAD_CONST           1 : 0x3849DC465F5559FE912DC348448L
 18 COMPARE_OP           3 (!=)
 21 POP_JUMP_IF_FALSE 11110
 24 JUMP_ABSOLUTE       30
 27 <INVALID>
 28 <INVALID>
 29 <INVALID>
 30 LOAD_FAST           16 : �������u���� ȩ�ੳ�G��Ǣ��L2$
 33 LOAD_CONST           2 : 0x28C3F2ACCDBCFA7333B7D99FA80L
 36 COMPARE_OP           3 (!=)
 39 POP_JUMP_IF_FALSE 8158
 42 JUMP_ABSOLUTE       46
 45 NOP
 46 LOAD_FAST           16 : �������u���� ȩ�ੳ�G��Ǣ��L2$
if (lltrace) {
    /* Filter for the obfuscated bytecode: the opcodes the writeup identified
       as filler (plus COMPARE_OP with oparg 3, which it also marks as junk)
       are dropped from the trace; everything else is printed. */
    int is_filler;
    switch (opcode) {
    case JUMP_ABSOLUTE:
    case LOAD_FAST:
    case LOAD_CONST:
    case STORE_FAST:
    case NOP:
    case INPLACE_XOR:
        is_filler = 1;
        break;
    case COMPARE_OP:
        is_filler = (oparg == 3);
        break;
    default:
        is_filler = 0;
        break;
    }

    if (is_filler) {
        g_myDbgTrace = 0;
    } else {
        g_myDbgTrace = 1;
        /* NOTE(review): opcode_name[opcode] is indexed without a range check;
           this is only safe if that table has an entry for every opcode value
           the remapped interpreter can fetch — confirm against its definition. */
        if (HAS_ARG(opcode)) {
            printf("instr tracing: %d: opcode = %d[%s], oparg = %d\n",
                   f->f_lasti, opcode, opcode_name[opcode], oparg);
        } else {
            printf("instr tracing: %d: opcode = %d[%s]\n",
                   f->f_lasti, opcode, opcode_name[opcode]);
        }
    }
}