[Original] In-depth analysis of the 第五空间 (5Space) crackme
2022-9-22 12:44 11394


Challenge analysis

The challenge ships a set of files for booting HarmonyOS LiteOS. Unpacking rootfs.img with jefferson yields the filesystem, and the crackme binary is in the bin directory. Load it straight into IDA.
[screenshot]
It first clears a global variable, bss_struct, and then enters the judge function.
[screenshot]
judge starts by reading /etc/config into memory, so let's first write a script to parse /etc/config: take the file four bytes at a time and print each group's value.

from pwn import *

# Read /etc/config from the unpacked rootfs and print it as little-endian 32-bit words
file1 = open("./rootfs/etc/config", "rb").read()
length = len(file1)
for i in range(length // 4):
    num = u32(file1[i * 4:i * 4 + 4])
    success(hex(num))

[screenshot]
Never mind what each value is for yet; continue the static analysis in IDA.
[screenshot]
Here the first value from config is used as an offset to read a value from the stack. The distance from the local variable newS to bp is 0x74, and the value read is at &newS+4*0x1e, i.e. &newS+0x78, which is exactly where the return address sits, so the value fetched here is the return address.
[screenshot]
The Constructor function initializes a struct S and stores its pointer in the global bss_struct. The layout of S is as follows:
[screenshot]
For convenience I also defined a struct for the global bss_struct; its layout is:
[screenshot]
offset is the index used when reading values from config, and s_ptr is the array that holds the S structs. Initializing an S struct goes through the following steps:

  1. malloc a chunk to hold the S struct
  2. store the pointer in bss_struct.s_ptr at the index given by Constructor's first argument
  3. copy the string pointed to by Constructor's second argument into S.content
  4. malloc a new chunk with the third argument as its size and store the pointer in S.target_ptr (if size is 0, S.target_ptr is set to 0); store size in S.target_length
  5. if S.target_length is not 0, copy the string pointed to by the fourth argument into S.target_ptr
  6. set S's function pointer according to the fifth argument: 0 selects the read function, 1 the output function

Once the struct is initialized, control enters the Parser function, which first prints S.content and then calls call_vfunc.
[screenshot]
call_vfunc first fetches the corresponding S struct from bss_struct.s_ptr using its argument as the index; if S.target_ptr != 0 it calls S's function pointer with target_ptr as the first argument (r0).
[screenshot]

That target_ptr is passed as the first argument can be seen from the assembly.
[screenshot]

Next, config[1] is fetched and stored, and config[2] is fetched as the loop count. Then the big loop begins. Inside it a new S struct is constructed whose function pointer is obtained as "return address + an offset from config" (the config index starts at 3). After two always-true ifs, the contents of the new S struct are copied wholesale into the struct at bss_struct.s_ptr[0].
[screenshot]

The first time I reversed this far I had no idea what it was doing, so I had to debug it dynamically to see what was going on. In the debugger you find that bss_struct.s_ptr[0]->target_ptr holds the same value as bss_struct.s_ptr[2], and that the pointers stored in bss_struct.s_ptr[0] and bss_struct.s_ptr[1] are also the same. To understand what happened we have to go back to where the structs are constructed.
[screenshot]
Structs 1 and 2 are constructed first and then destroyed. Looking at the Destructor function we find that it frees the struct pointer without clearing it, which leaves a use-after-free.
[screenshot]
So the situation is this:

free(S1)
free(S2)
malloc S0
malloc S0.target_ptr
# pseudo-code, for illustration only

So S0.target_ptr and S2 point to the same chunk, and the loop is actually operating on the S2 struct, i.e. the struct at bss_struct.s_ptr[2].
The second half of the loop fetches the bss_struct.s_ptr[2] struct, sets bss_struct.s_ptr[2]->target_ptr to bss_struct.s_ptr[6]->target_ptr (where the input lives), then calls bss_struct.s_ptr[2]'s function pointer and checks whether the return value is 1.
So the overall logic is now quite clear: each iteration calls the function at ret_addr+config[3+i] with the input as its argument and checks the return value, for nine iterations.
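To make the object model concrete, here is a C reconstruction of S, bss_struct, the six Constructor steps, the Destructor and call_vfunc. This is added example code, not the crackme's own code or its decompilation: the field and function names are the write-up's, the offsets are those found in the analysis, the two stand-in virtual functions vfunc_read and vfunc_print are hypothetical, and Destructor_buggy and Destructor_fixed are my names for the observed and the corrected behaviour. It shows the dangling s_ptr slot that remains after free, which is what makes a later allocation alias an "old" object, and the one-line fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstructed layout of S (0x1c bytes on the 32-bit ARM target; pointers are wider on a
 * 64-bit host, so sizeof differs here). Names follow the write-up, offsets the analysis. */
typedef struct S {
    char     content[16];        /* +0x00: string copied from Constructor's 2nd argument */
    char    *target_ptr;         /* +0x10: heap buffer of target_length bytes, or NULL */
    uint32_t target_length;      /* +0x14: size passed as the 3rd argument */
    int    (*func)(char *);      /* +0x18: called by call_vfunc with target_ptr in r0 */
} S;

#define MAX_OBJS 8
/* Reconstructed global the write-up calls bss_struct. */
static struct {
    int offset;                  /* index used when reading values from config */
    S  *s_ptr[MAX_OBJS];         /* array of S pointers, filled by Constructor */
} bss_struct;

/* Hypothetical stand-ins for the two function pointers the 5th argument selects. */
static int vfunc_read(char *buf)  { return (buf != NULL && buf[0] != '\0') ? 1 : 0; }
static int vfunc_print(char *buf) { return buf ? (int)strlen(buf) : 0; }

/* The six Constructor steps from the write-up. */
S *Constructor(int idx, const char *content, uint32_t size, const char *target, int kind) {
    if (idx < 0 || idx >= MAX_OBJS) return NULL;
    S *s = calloc(1, sizeof *s);                         /* 1: allocate the chunk */
    if (s == NULL) return NULL;
    bss_struct.s_ptr[idx] = s;                           /* 2: store it by index */
    strncpy(s->content, content, sizeof s->content - 1); /* 3: copy the content string */
    s->target_length = size;                             /* 4: size and target buffer */
    s->target_ptr = size ? calloc(size, 1) : NULL;
    if (s->target_length != 0 && s->target_ptr != NULL && target != NULL)
        strncpy(s->target_ptr, target, size - 1);        /* 5: copy the target string */
    s->func = (kind == 0) ? vfunc_read : vfunc_print;    /* 6: pick the virtual function */
    return s;
}

/* As observed in the binary: the chunk is freed but s_ptr[idx] keeps the stale pointer,
 * so a later Constructor call that reuses the chunk aliases two "different" objects. */
void Destructor_buggy(int idx) {
    S *s = bss_struct.s_ptr[idx];
    if (s == NULL) return;
    free(s->target_ptr);
    free(s);
    /* missing: bss_struct.s_ptr[idx] = NULL; */
}

/* Fixed version: clearing the slot turns a use-after-free into a detectable NULL lookup. */
void Destructor_fixed(int idx) {
    S *s = bss_struct.s_ptr[idx];
    if (s == NULL) return;
    free(s->target_ptr);
    free(s);
    bss_struct.s_ptr[idx] = NULL;
}

/* call_vfunc as described: look the object up and, if target_ptr is set, call func on it. */
int call_vfunc(int idx) {
    S *s = bss_struct.s_ptr[idx];
    if (s == NULL) return -1;                            /* guard the fixed path relies on */
    if (s->target_ptr == NULL) return 0;
    return s->func(s->target_ptr);
}

/* 1 if slot idx still holds a pointer after destruction, i.e. the dangling-pointer state. */
int slot_is_dangling(int idx) { return bss_struct.s_ptr[idx] != NULL; }

int main(void) {
    Constructor(1, "obj1", 8, "abc", 1);
    Constructor(2, "obj2", 0, NULL, 0);
    printf("call_vfunc(1) = %d\n", call_vfunc(1));       /* 3: strlen("abc") */
    Destructor_buggy(1);
    printf("slot 1 dangling after buggy free: %d\n", slot_is_dangling(1));
    bss_struct.s_ptr[1] = NULL;                          /* do not touch the freed chunk */
    Destructor_fixed(2);
    printf("slot 2 dangling after fixed free: %d\n", slot_is_dangling(2));
    return 0;
}
```

The dangling slot is the whole bug: with Destructor_buggy, s_ptr[1] and s_ptr[2] still look like live objects, so the next Constructor that gets one of the freed chunks back creates exactly the aliasing seen in the debugger. With Destructor_fixed, the same lookup returns NULL and call_vfunc refuses it.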
The last nine values in config are obviously negative when parsed as int. The return address can be read off directly in IDA: 0x58DC (the address of the instruction following the call to judge in main). From this the nine function addresses can be recovered:

from pwn import *

RET_ADDR = 0x58DC  # address of the instruction after the call to judge in main

file1 = open("./rootfs/etc/config", "rb").read()
length = len(file1)
nums = []
for i in range(length // 4):
    num = u32(file1[i * 4:i * 4 + 4])
    if i > 2:  # config[0..2] are the stack offset, the stored value and the loop count
        nums.append(num)

# The offsets are negative 32-bit integers: (n ^ 0xffffffff) + 1 is -n mod 2**32,
# so RET_ADDR - tmp equals RET_ADDR + the signed value of n
for i in nums:
    tmp = (i ^ 0xffffffff) + 1
    success(hex(RET_ADDR - tmp))

[screenshot]
The first eight functions are simple table substitutions; the last one runs a series of arithmetic on the substituted input and checks the result. So solving the equations with z3 and then mapping back through the tables gives the flag.
exp:

from z3 import *

s = Solver()
# 22 unknown bytes: the input after the eight table substitutions
flag = [Int('%d' % i) for i in range(22)]
for i in range(22):
    s.add(flag[i] < 256)
    s.add(flag[i] > 0)
v25 =  (159947  * flag[0] - 17274276)
v24 =  (-76194 * flag[1] - 288728  * flag[0] + 36973368)
v23 =  (-247146 * flag[1] - 291401  * flag[0] - 166371 * flag[2] + 75709167)
v22 =  (-1741 * flag[1] + 218084 * flag[3] + 280814  * flag[0] - 149372 * flag[2] - 33947928)
v21 =  (174323 * flag[3] + 136024 * flag[2] - 141923 * flag[1] - 301049 * flag[4] + 323059  * flag[0] - 53238195)
v20 =  (
        -12269 * flag[3]
      + 286713 * flag[1]
      - 78320  * flag[0]
      + 301362 * flag[2]
      + 269836 * flag[5]
      - 255324 * flag[4]
      - 99312448)
v19 =  (
        -103798 * flag[2]
      + 201146 * flag[5]
      - 285406 * flag[3]
      - 188094 * flag[4]
      - 104025  * flag[0]
      - 50098 * flag[1]
      - 109789 * flag[6]
      + 50727897)
v18 =  (
        117443 * flag[7]
      + 275692 * flag[3]
      + 349275 * flag[1]
      - 381943 * flag[2]
      + 332376 * flag[4]
      - 269146 * flag[5]
      + 222994 * flag[6]
      - 267344  * flag[0]
      + 9817748)
v17 =  (
        19156 * flag[6]
      + -281586 * flag[7]
      - 168850  * flag[0]
      + 363716 * flag[3]
      - 32886 * flag[1]
      + 44299 * flag[4]
      + 170590 * flag[8]
      + 81061 * flag[5]
      + 201865 * flag[2]
      - 32987442)
v16 =  (
        22459 * flag[6]
      + -80349 * flag[1]
      + 239015 * flag[5]
      - 42367 * flag[9]
      - 113712 * flag[7]
      - 146568 * flag[2]
      + 241696 * flag[3]
      + 232212  * flag[0]
      - 162511 * flag[8]
      + 61621 * flag[4]
      - 41031017)
v15 =  (
        -1754  * flag[0]
      + 128062 * flag[7]
      - 329492 * flag[3]
      - 167316 * flag[2]
      - 178991 * flag[4]
      + 186377 * flag[10]
      + 307270 * flag[6]
      - 328477 * flag[8]
      + 248665 * flag[1]
      + 374863 * flag[9]
      + 373711 * flag[5]
      - 86829517)
v14 =  (
        11843 * flag[5]
      + 17087 * flag[3]
      - 35818  * flag[0]
      - 182330 * flag[7]
      - 354816 * flag[4]
      - 126036 * flag[2]
      + 114656 * flag[8]
      - 90442 * flag[9]
      + 330888 * flag[11]
      + 78226 * flag[10]
      - 260641 * flag[1]
      + 105414 * flag[6]
      + 63250156)
v13 =  (
        7469 * flag[9]
      + 6283 * flag[11]
      + -87345 * flag[2]
      + 248111 * flag[5]
      + 213581 * flag[4]
      + 89194 * flag[8]
      + 36305 * flag[6]
      + 98667 * flag[1]
      + 300755 * flag[12]
      + 191415 * flag[7]
      + 350540  * flag[0]
      + 359565 * flag[10]
      - 185365 * flag[3]
      - 165783260)
v12 =  (
        8209 * flag[8]
      + 131781 * flag[1]
      + 152898  * flag[0]
      + 40158 * flag[11]
      - 86271 * flag[12]
      - 105755 * flag[6]
      + 264037 * flag[3]
      - 130948 * flag[10]
      - 243572 * flag[7]
      - 48159 * flag[2]
      - 269443 * flag[9]
      - 376534 * flag[5]
      - 67954 * flag[4]
      - 119669 * flag[13]
      + 117580744)
v11 =  (
        -3429 * flag[6]
      + 102230 * flag[5]
      + 126967 * flag[10]
      - 344174 * flag[8]
      - 225911 * flag[11]
      + 118364 * flag[14]
      - 72044 * flag[1]
      + 280519  * flag[0]
      - 241789 * flag[2]
      - 274918 * flag[9]
      - 91055 * flag[12]
      - 122403 * flag[3]
      + 118907 * flag[7]
      - 34240 * flag[13]
      + 240524 * flag[4]
      + 35507568)
v10 =  (
        -24137 * flag[9]
      + 28203 * flag[13]
      + 150213 * flag[1]
      + 311204  * flag[0]
      - 94750 * flag[7]
      + 130029 * flag[2]
      - 305057 * flag[14]
      + 176246 * flag[5]
      - 256662 * flag[8]
      - 331010 * flag[12]
      - 301118 * flag[4]
      - 309379 * flag[10]
      + 187867 * flag[3]
      - 102250 * flag[11]
      - 340412 * flag[15]
      + 144084 * flag[6]
      + 39635710)
v9 =  (
       -27445 * flag[12]
     + -289483 * flag[10]
     - 164045 * flag[16]
     - 218276 * flag[1]
     + 183266 * flag[3]
     - 311967 * flag[8]
     - 55127 * flag[14]
     - 211824 * flag[13]
     - 375628 * flag[9]
     - 201931  * flag[0]
     - 324618 * flag[4]
     + 52026 * flag[6]
     + 93926 * flag[5]
     - 105199 * flag[7]
     - 254102 * flag[15]
     - 159881 * flag[11]
     + 378091 * flag[2]
     + 106013500)
v2 = flag[3]
# v8 =  (
#        27619 * flag[4]
#      + 9873 * flag[1]
#      + -23276 * flag[8]
#      + -196254 * flag[9]
#      + 181235  * flag[0]
#      + 150865 * flag[16]
#      - 148807 * flag[14]
#      - 272020 * flag[17]
#      - 346803 * flag[2]
#      - (flag[3] | (flag[3] << 16))
#      + 132879 * flag[10]
#      + 239833 * flag[6]
#      - 151023 * flag[11]
#      + 224631 * flag[12]
#      + 294607 * flag[5]
#      - 362447 * flag[7]
#      - 110250 * flag[15]
#      + 153229 * flag[13]
#      + 56953741)
v7 =  (
       -1159 * flag[1]
     + 6659 * flag[6]
     + -25875 * flag[7]
     + 80743 * flag[10]
     + 38124 * flag[9]
     + 40844 * flag[13]
     - 259165 * flag[12]
     + 340584 * flag[16]
     + 107346 * flag[2]
     - 124400 * flag[8]
     - 34846 * flag[11]
     - 338119 * flag[17]
     - 220860 * flag[5]
     + 167374 * flag[3]
     + 71134 * flag[15]
     - 143594 * flag[14]
     - 115172 * flag[4]
     - 104789  * flag[0]
     + 108066 * flag[18]
     + 50659353)
v3 =  (
       -26438 * flag[19]
     + 14055 * flag[10]
     + 31477 * flag[12]
     + -179950 * flag[4]
     + 79775 * flag[17]
     + 70516 * flag[5]
     + 330549 * flag[2]
     + 169852 * flag[11]
     + 51486 * flag[7]
     + 123944 * flag[13]
     - 370154 * flag[14]
     - 132851 * flag[18]
     + 237187 * flag[3]
     - 89341 * flag[9]
     - 256083 * flag[1]
     + 317327 * flag[0]
     + 42009 * flag[15]
     + 336122 * flag[6]
     + 128554 * flag[8]
     - 205903 * flag[16]
     - 112255597)
v4 =  (
       30250 * flag[5]
     + 127076 * flag[16]
     - 218938  * flag[0]
     + 162996 * flag[14]
     + 141792 * flag[12]
     - 197967 * flag[9]
     - 247332 * flag[4]
     - 286218 * flag[7]
     - 168508 * flag[18]
     + 300020 * flag[2]
     - 46255 * flag[10]
     - 78960 * flag[19]
     + 213181 * flag[6]
     - 329333 * flag[13]
     + 126938 * flag[8]
     - 266759 * flag[11]
     + 182266 * flag[17]
     - 41677 * flag[1]
     + 158645 * flag[15]
     - 61925 * flag[3]
     + 67755 * flag[20]
     - 52014431)
v5 =  (
       -281  * flag[0]
     + 10712 * flag[19]
     + 14584 * flag[4]
     + -167168 * flag[13]
     + 308120 * flag[7]
     - 233003 * flag[8]
     + 114047 * flag[14]
     + 330767 * flag[10]
     - 71246 * flag[6]
     - 259485 * flag[2]
     + 374645 * flag[21]
     - 116397 * flag[3]
     + 64115 * flag[20]
     + 281339 * flag[9]
     + 321916 * flag[15]
     - 272240 * flag[12]
     - 135149 * flag[16]
     - 288340 * flag[18]
     + 71833 * flag[11]
     - 233821 * flag[1]
     - 223297 * flag[17]
     + 141256 * flag[5]
     + 17267952)
s.add(v5 == 0)
s.add(v4 == 0)
s.add(v3 == 0)
s.add(v7 == 0)
s.add(v9 == 0)
s.add(v10 == 0)
s.add(v11 == 0)
s.add(v12 == 0)
s.add(v13 == 0)
s.add(v14 == 0)
s.add(v15 == 0)
s.add(v16 == 0)
s.add(v17 == 0)
s.add(v18 == 0)
s.add(v19 == 0)
s.add(v20 == 0)
s.add(v21 == 0)
s.add(v22 == 0)
s.add(v23 == 0)
s.add(v24 == 0)
s.add(v25 == 0)
 
if s.check() != sat:
    raise SystemExit("no solution")
res = s.model()
# concrete values of the 22 substituted bytes
data = [res[i].as_long() for i in flag]
print(data)
a = [0] * 8
a[0]=[
  0xB6, 0xC7, 0xC5, 0x51, 0xE3, 0x1C, 0x97, 0x8B, 0x84, 0x3C,
  0xA3, 0x92, 0xFB, 0x01, 0xF2, 0xA1, 0x14, 0x30, 0xAF, 0x5D,
  0x19, 0x1F, 0x11, 0x7F, 0x2B, 0x4E, 0xCB, 0xFE, 0x6C, 0x7D,
  0x43, 0xAB, 0xC6, 0xE4, 0xFC, 0x17, 0xD1, 0xDB, 0x00, 0x41,
  0x9F, 0x76, 0x42, 0x22, 0xD9, 0x1D, 0xFA, 0xB2, 0xC0, 0xB5,
  0xDF, 0xB1, 0xCA, 0xD0, 0x28, 0xD2, 0xB9, 0xCC, 0xF7, 0xBB,
  0x18, 0xD6, 0x31, 0x83, 0xB3, 0x55, 0x5A, 0x95, 0x3E, 0x25,
  0x49, 0x73, 0x2F, 0xB7, 0x62, 0xA6, 0xF0, 0x8D, 0x90, 0x50,
  0xB0, 0x6A, 0x2C, 0xF4, 0xBA, 0xA4, 0xF3, 0x6D, 0x81, 0x03,
  0x3D, 0xC3, 0x02, 0xE2, 0x74, 0x7E, 0x40, 0x7C, 0xAE, 0xAC,
  0x7B, 0x99, 0x52, 0x8C, 0x35, 0xEB, 0x82, 0xDA, 0x38, 0x07,
  0x4B, 0xEE, 0xA9, 0x6F, 0x89, 0x46, 0x60, 0x9E, 0xBF, 0x80,
  0x48, 0x56, 0xEA, 0xDE, 0x70, 0xCF, 0x13, 0xBC, 0xC9, 0x39,
  0xFF, 0x68, 0xA0, 0xE6, 0xA7, 0xA2, 0x32, 0x64, 0xE1, 0x2A,
  0x3A, 0x86, 0x24, 0xE8, 0xAD, 0x71, 0x6B, 0x9C, 0x91, 0x66,
  0xB4, 0xAA, 0xFD, 0x20, 0xC1, 0x5C, 0x7A, 0xEC, 0x5F, 0x87,
  0xD7, 0x93, 0xD5, 0x05, 0xE0, 0x3B, 0x59, 0x79, 0x0B, 0x4C,
  0x61, 0x10, 0x0E, 0x0A, 0x67, 0x29, 0xBD, 0xE9, 0x75, 0x36,
  0x4A, 0xD4, 0x9D, 0x08, 0x4D, 0x16, 0xC8, 0x96, 0x0C, 0xC4,
  0xA8, 0x12, 0x9B, 0x72, 0xF9, 0xDD, 0x54, 0x63, 0x4F, 0x6E,
  0xE5, 0x94, 0x27, 0x5E, 0x8A, 0x21, 0x65, 0xEF, 0x45, 0xF8,
  0x47, 0x1B, 0x1E, 0x3F, 0x77, 0x8F, 0x2D, 0xED, 0xF5, 0x58,
  0x78, 0x23, 0x88, 0xD3, 0x33, 0xBE, 0x06, 0x15, 0x09, 0x26,
  0x53, 0xE7, 0x85, 0x9A, 0x5B, 0xF6, 0xCD, 0x2E, 0xC2, 0x8E,
  0x34, 0x57, 0xDC, 0x1A, 0x0D, 0x0F, 0x37, 0x69, 0x44, 0xA5,
  0xF1, 0xB8, 0x04, 0x98, 0xCE, 0xD8
]
a[1]=[
  0x19, 0xCE, 0xC7, 0x80, 0x23, 0xE7, 0xDB, 0xB5, 0x9E, 0xF8,
  0xC6, 0x89, 0x27, 0x63, 0xAA, 0x8E, 0xF5, 0x4C, 0x52, 0x77,
  0x6D, 0xA5, 0xDF, 0xAE, 0x18, 0x38, 0x65, 0x9C, 0x0F, 0xF4,
  0xA7, 0xAC, 0x8B, 0x0E, 0xFE, 0x58, 0x15, 0xA9, 0x8C, 0xC8,
  0x3E, 0xDA, 0x2F, 0xC0, 0x64, 0x0A, 0x47, 0xA6, 0x6C, 0xFB,
  0x35, 0xD7, 0x87, 0x9D, 0xF2, 0xA3, 0x49, 0x85, 0x86, 0xCF,
  0xB4, 0x26, 0x74, 0x95, 0x66, 0x9F, 0xA1, 0x68, 0xE8, 0x96,
  0x9B, 0x1A, 0x13, 0x1C, 0x51, 0xCA, 0xB0, 0xD8, 0x4A, 0x57,
  0xDE, 0x5C, 0xF9, 0x0D, 0x36, 0x46, 0x98, 0xE6, 0xDC, 0xE9,
  0x94, 0xE1, 0x7D, 0x33, 0x7C, 0x4E, 0x45, 0x7F, 0xEB, 0x12,
  0xBC, 0xD1, 0xA2, 0x41, 0x8A, 0xA8, 0x05, 0x2D, 0xE0, 0x7B,
  0xDD, 0x1F, 0xB8, 0xBF, 0x5D, 0x93, 0x01, 0xAF, 0x17, 0xAB,
  0x09, 0xB7, 0xA0, 0x02, 0x4F, 0x40, 0xC3, 0x70, 0xF7, 0x20,
  0x56, 0xF0, 0xBB, 0x90, 0x5F, 0xE2, 0x24, 0xE5, 0xED, 0x08,
  0x50, 0x7A, 0x00, 0x3C, 0x84, 0x2B, 0x1D, 0x9A, 0x11, 0x53,
  0x34, 0x54, 0xB3, 0x4D, 0xFF, 0x62, 0x2C, 0xC9, 0xF6, 0x06,
  0xCD, 0xA4, 0xB2, 0x5B, 0xEE, 0x28, 0xF3, 0x83, 0x8F, 0xFA,
  0x1E, 0x6A, 0xD3, 0x16, 0x97, 0x79, 0x2A, 0xC4, 0x21, 0xD9,
  0xE3, 0x6E, 0xB1, 0xB6, 0x73, 0x4B, 0x6F, 0xB9, 0x25, 0x30,
  0xC5, 0xC1, 0x0B, 0xD5, 0x22, 0x0C, 0xFD, 0x75, 0xD2, 0x55,
  0x32, 0x37, 0x14, 0x60, 0xBE, 0x48, 0x31, 0x3D, 0x6B, 0x07,
  0xD0, 0xE4, 0x03, 0xEF, 0x5A, 0x78, 0xF1, 0x5E, 0x7E, 0xD4,
  0x3A, 0xBA, 0x91, 0x3B, 0xCC, 0x88, 0x44, 0x59, 0x69, 0xD6,
  0xFC, 0x2E, 0x82, 0x8D, 0x1B, 0x10, 0x81, 0x72, 0xAD, 0x04,
  0x67, 0xBD, 0xEA, 0x39, 0x99, 0x42, 0x76, 0x29, 0x92, 0x61,
  0x3F, 0x71, 0xC2, 0x43, 0xEC, 0xCB
]
a[2]=[
  0x42, 0x2E, 0xF0, 0x03, 0xFE, 0x01, 0x27, 0x49, 0xF7, 0x3F,
  0x2B, 0x2D, 0x7A, 0xBF, 0xA5, 0x75, 0x34, 0xD3, 0xD7, 0x28,
  0x26, 0x44, 0x8D, 0x9A, 0xC1, 0x40, 0x5C, 0x69, 0x56, 0xF4,
  0x07, 0x3D, 0x0F, 0x9B, 0xFB, 0xF2, 0x94, 0x2C, 0x59, 0x7D,
  0x6F, 0x25, 0x38, 0xBC, 0x3E, 0xA7, 0x93, 0x54, 0x64, 0xC3,
  0x7F, 0x76, 0xCC, 0xB1, 0x22, 0x72, 0x31, 0x35, 0x80, 0xDB,
  0x51, 0xAF, 0xCD, 0xFD, 0x1B, 0xE2, 0x77, 0xB7, 0x09, 0xA4,
  0xE5, 0xB3, 0x6B, 0xE1, 0xD6, 0x7B, 0xB4, 0xC2, 0x55, 0x81,
  0x1C, 0x3C, 0x0C, 0x98, 0xA3, 0x10, 0x11, 0xE6, 0x71, 0x9F,
  0xE8, 0x06, 0xFA, 0xD1, 0x58, 0x6D, 0x6A, 0xC8, 0x5F, 0xC7,
  0xCA, 0x6E, 0x66, 0xCB, 0xE4, 0x82, 0xDE, 0xC9, 0x85, 0xAB,
  0x8C, 0xAA, 0x1E, 0x70, 0x4C, 0x57, 0xBD, 0x4A, 0xBB, 0xA2,
  0x4D, 0x53, 0xA9, 0xF6, 0x92, 0x97, 0x2A, 0x20, 0xC6, 0xDC,
  0x0A, 0x60, 0x99, 0x96, 0xA6, 0x8B, 0x0B, 0x30, 0xEA, 0xAD,
  0xAC, 0xD8, 0xDF, 0xA8, 0x1A, 0xC5, 0x05, 0x02, 0xD9, 0x7E,
  0xDA, 0x5D, 0x8E, 0x18, 0x39, 0xC4, 0x48, 0x0E, 0x9D, 0x50,
  0x3B, 0x7C, 0xCF, 0xED, 0x87, 0x15, 0x95, 0x83, 0xD0, 0x90,
  0xB2, 0xF3, 0x1D, 0xB0, 0x73, 0x5A, 0x00, 0x16, 0x24, 0x47,
  0xE7, 0xB8, 0x63, 0x3A, 0x78, 0x43, 0xAE, 0x65, 0x32, 0xD2,
  0xC0, 0x13, 0x23, 0xA1, 0xFF, 0xCE, 0x29, 0x08, 0xEE, 0x36,
  0xF1, 0x9E, 0x0D, 0x52, 0xBA, 0x41, 0xE0, 0xE3, 0x1F, 0x6C,
  0xEC, 0x84, 0x12, 0xF9, 0x2F, 0x9C, 0x67, 0x33, 0xF8, 0x62,
  0xD5, 0x4E, 0xA0, 0xD4, 0x79, 0x5E, 0xEB, 0x19, 0xBE, 0x4B,
  0xB6, 0x5B, 0x74, 0xDD, 0xFC, 0x8F, 0x8A, 0x86, 0xB5, 0xEF,
  0x17, 0x4F, 0x89, 0x88, 0x61, 0xE9, 0x04, 0x21, 0xF5, 0xB9,
  0x45, 0x91, 0x46, 0x14, 0x68, 0x37
]
a[3]=[
  0x0D, 0x3D, 0xA2, 0x93, 0x60, 0x00, 0x36, 0x8E, 0x25, 0x91,
  0x79, 0x15, 0x7B, 0xFD, 0x81, 0xF8, 0xAD, 0xD9, 0x1E, 0xB7,
  0xAC, 0xD5, 0x84, 0xA5, 0x2A, 0xED, 0xAE, 0x28, 0x29, 0xDC,
  0x1A, 0x74, 0xEA, 0xE6, 0x16, 0x77, 0xB9, 0x6E, 0x24, 0x5E,
  0x66, 0xD8, 0x6A, 0xD2, 0x41, 0xB5, 0x7D, 0xE1, 0xCA, 0x72,
  0xF7, 0x31, 0x05, 0xBC, 0x14, 0x4E, 0x10, 0x48, 0x3C, 0xD7,
  0x52, 0xC4, 0x71, 0xC7, 0xB3, 0xCF, 0xD1, 0xB0, 0xCC, 0x23,
  0xB2, 0xA7, 0xE9, 0x8C, 0x0C, 0x0B, 0x35, 0x96, 0x56, 0x6C,
  0xE8, 0x37, 0xD6, 0x86, 0x4D, 0xE4, 0x51, 0x4F, 0x69, 0x09,
  0x6B, 0xFC, 0x13, 0xA3, 0x7E, 0xC0, 0x04, 0xD4, 0x42, 0x44,
  0x20, 0xBD, 0xE2, 0x59, 0xFA, 0xCE, 0x0A, 0xF2, 0x5C, 0x6D,
  0xCB, 0x5A, 0xBF, 0xBB, 0x1D, 0xD3, 0xB1, 0xEE, 0x61, 0x22,
  0xF1, 0x8F, 0x49, 0x0E, 0x2B, 0xB4, 0x3E, 0x75, 0x08, 0x8D,
  0x17, 0x80, 0xE3, 0x6F, 0x8A, 0x92, 0x54, 0x83, 0x03, 0xC2,
  0xE0, 0x58, 0x47, 0xEC, 0xA6, 0x88, 0xDB, 0x63, 0x18, 0x4A,
  0x27, 0x02, 0xB6, 0x89, 0x40, 0x12, 0x3A, 0x5F, 0x2E, 0x3B,
  0x7C, 0xEF, 0xA9, 0xAB, 0x82, 0x34, 0x1B, 0x5B, 0x85, 0x98,
  0x87, 0x11, 0xD0, 0xDD, 0x9A, 0xBE, 0x01, 0xEB, 0x06, 0x53,
  0xF5, 0x78, 0xC1, 0xF0, 0xE7, 0x4C, 0xA1, 0x65, 0xB8, 0x67,
  0xDF, 0xAF, 0xA8, 0x68, 0x3F, 0x2D, 0x9F, 0xE5, 0x9D, 0xC8,
  0x2C, 0x33, 0x45, 0x7F, 0xA4, 0x1F, 0x7A, 0xBA, 0xDA, 0x38,
  0x70, 0x99, 0xC9, 0x57, 0x62, 0x26, 0x97, 0x21, 0x9C, 0x95,
  0x50, 0xC6, 0xFB, 0xC3, 0xF4, 0xCD, 0x94, 0x39, 0x46, 0x90,
  0xFF, 0x73, 0x2F, 0x64, 0x1C, 0x0F, 0xAA, 0x5D, 0x9E, 0xFE,
  0xF9, 0x30, 0x4B, 0xDE, 0x07, 0xF6, 0xF3, 0x8B, 0x9B, 0x55,
  0xA0, 0x32, 0x43, 0x19, 0xC5, 0x76
]
a[4]=[
  0xC1, 0xB1, 0xE9, 0x30, 0x6B, 0xB7, 0xFC, 0x2F, 0x65, 0x8A,
  0x31, 0x63, 0x56, 0x80, 0xF5, 0x7B, 0xF0, 0xA1, 0x42, 0xCA,
  0x27, 0xA6, 0x0A, 0x3D, 0x59, 0xB2, 0x76, 0x08, 0xDE, 0xC2,
  0x33, 0xEB, 0x6F, 0xCB, 0x21, 0x40, 0xD5, 0x5D, 0x4E, 0x60,
  0x44, 0x9E, 0x46, 0x4D, 0x8F, 0xE4, 0x8D, 0x15, 0xCF, 0x68,
  0x5E, 0xE6, 0xE7, 0x90, 0x86, 0x55, 0xB5, 0x8C, 0xDC, 0x67,
  0x91, 0xFF, 0x48, 0x6A, 0x6D, 0x1F, 0x14, 0x89, 0x39, 0x05,
  0x0E, 0x82, 0x41, 0xE0, 0x20, 0xF9, 0xCC, 0xEC, 0xE1, 0x8B,
  0x97, 0xFE, 0x3C, 0x6E, 0xB0, 0xBD, 0x22, 0x1E, 0xFA, 0x4B,
  0x04, 0x73, 0xFD, 0xD6, 0x07, 0x9F, 0x3E, 0x99, 0x2E, 0xED,
  0x95, 0x7C, 0x35, 0xC3, 0x77, 0xAA, 0x87, 0xD1, 0x01, 0x78,
  0x3A, 0xA8, 0xC4, 0xBF, 0x53, 0xFB, 0x5A, 0x2B, 0xD4, 0x45,
  0xAC, 0xA0, 0xCE, 0xBC, 0x50, 0x1C, 0xF7, 0xC8, 0x4A, 0xBE,
  0x23, 0x0D, 0xDD, 0xB8, 0xF2, 0x12, 0xDF, 0x28, 0x69, 0x9A,
  0xB3, 0x54, 0xE2, 0xF1, 0x92, 0xE3, 0x36, 0xF3, 0x25, 0xA3,
  0xE8, 0x1A, 0x19, 0x37, 0x9D, 0x02, 0x38, 0xA9, 0xE5, 0x3F,
  0xDB, 0xC6, 0xB6, 0x57, 0xB9, 0x5B, 0x84, 0xAD, 0xA4, 0x0F,
  0x26, 0x49, 0xDA, 0x18, 0x00, 0x2D, 0xC5, 0xD7, 0xAF, 0x93,
  0xC7, 0x3B, 0x11, 0x13, 0x32, 0x94, 0xAE, 0x10, 0x51, 0x0C,
  0xD9, 0x7F, 0x24, 0x43, 0x7D, 0x8E, 0xAB, 0x98, 0x75, 0xD8,
  0x71, 0xEA, 0x09, 0x96, 0x29, 0xF8, 0xEE, 0x81, 0x6C, 0xD3,
  0x62, 0x7A, 0xC9, 0x88, 0xD2, 0x66, 0x64, 0x5F, 0x0B, 0xEF,
  0xA7, 0xA5, 0x79, 0x9B, 0x2A, 0x52, 0x58, 0xA2, 0x47, 0x4F,
  0x4C, 0x5C, 0x2C, 0x72, 0xCD, 0xC0, 0x70, 0x85, 0x61, 0x1D,
  0x74, 0xD0, 0xBB, 0x9C, 0x34, 0x7E, 0x03, 0xBA, 0x17, 0xF4,
  0x16, 0xB4, 0xF6, 0x83, 0x06, 0x1B
]
a[5]=[
  0x9E, 0x45, 0xAC, 0x87, 0x64, 0xCD, 0x7E, 0x92, 0x77, 0xA3,
  0xC0, 0x34, 0x63, 0xA5, 0x1D, 0x93, 0x01, 0x98, 0xF1, 0xBA,
  0x0B, 0x3B, 0x51, 0xFB, 0xE7, 0xB0, 0xD2, 0x03, 0x15, 0x4C,
  0x89, 0x90, 0x8A, 0xA0, 0x99, 0x3F, 0x76, 0x82, 0x41, 0xDC,
  0x62, 0x3E, 0xC1, 0x33, 0x53, 0xCA, 0x3D, 0x17, 0x04, 0x0E,
  0x84, 0x26, 0x48, 0xEB, 0xF4, 0x23, 0x52, 0x6D, 0x0D, 0x74,
  0xB1, 0x02, 0x36, 0x5E, 0xAD, 0x79, 0xF6, 0x32, 0x56, 0x39,
  0xA6, 0x08, 0xFC, 0xAB, 0xE3, 0x6B, 0xCF, 0x65, 0x7B, 0x46,
  0x37, 0x25, 0xBD, 0x85, 0xF5, 0x50, 0x05, 0x8D, 0x4E, 0xD4,
  0x5D, 0xAA, 0xFF, 0x28, 0x95, 0x6E, 0x61, 0x2B, 0x4D, 0x14,
  0xFE, 0x7D, 0xED, 0x6F, 0x81, 0x8C, 0x2C, 0x86, 0x0F, 0x69,
  0x31, 0x8F, 0xD9, 0xDE, 0xB6, 0xDB, 0x9A, 0xC7, 0x22, 0x71,
  0xD7, 0xC5, 0x54, 0x1F, 0x44, 0xBF, 0xB3, 0x7C, 0x9B, 0x3A,
  0x9C, 0x58, 0x1A, 0xB8, 0x0A, 0xA1, 0x91, 0x1E, 0x6C, 0x66,
  0xFD, 0x55, 0x70, 0x5B, 0x57, 0xE8, 0x47, 0xA4, 0xCB, 0x16,
  0x10, 0x5F, 0xDA, 0xDD, 0xCE, 0xE6, 0x3C, 0xEF, 0x5C, 0xB4,
  0xB7, 0x2F, 0xA9, 0x8E, 0xE4, 0x96, 0x27, 0x7F, 0x78, 0x07,
  0xA2, 0xF2, 0xB2, 0xF8, 0x68, 0xCC, 0x18, 0xBE, 0x80, 0xF7,
  0x4F, 0xB9, 0xA7, 0xEA, 0xBB, 0x4A, 0x1C, 0xC2, 0xC4, 0x88,
  0x00, 0xDF, 0xF0, 0xD5, 0x11, 0x72, 0x94, 0x67, 0xD6, 0xC6,
  0xD8, 0x4B, 0x29, 0xD1, 0x30, 0x73, 0xAE, 0xFA, 0xEE, 0xE9,
  0x2D, 0x75, 0x09, 0x43, 0xC3, 0xB5, 0xEC, 0x1B, 0xE5, 0x97,
  0x20, 0xD3, 0x5A, 0x21, 0xC8, 0x35, 0xAF, 0xD0, 0x60, 0x9F,
  0x40, 0x19, 0x83, 0x2A, 0xA8, 0x06, 0x12, 0x2E, 0xE1, 0xBC,
  0x49, 0x42, 0x8B, 0x59, 0xC9, 0x0C, 0xF9, 0x6A, 0xF3, 0x7A,
  0x24, 0x38, 0x13, 0xE2, 0x9D, 0xE0
]
a[6]=[
  0x94, 0x53, 0xC8, 0xEC, 0xE3, 0x9A, 0x87, 0x8E, 0xE4, 0x1D,
  0x49, 0x24, 0x7E, 0xDE, 0xE2, 0xFF, 0x6A, 0xD0, 0x55, 0x85,
  0x56, 0xCC, 0xB1, 0x0F, 0xC1, 0x3F, 0x78, 0xC3, 0x64, 0xA7,
  0xC4, 0x4C, 0xAD, 0x7F, 0xD3, 0xB3, 0xE7, 0x50, 0x62, 0xEA,
  0x2C, 0xAC, 0x5A, 0x86, 0x5B, 0x5D, 0x6F, 0x46, 0xBA, 0x6E,
  0xF8, 0x1A, 0xFE, 0xAF, 0xF4, 0xDF, 0xA1, 0x12, 0x3D, 0xD2,
  0x32, 0x45, 0x9F, 0x21, 0xB8, 0x95, 0x6B, 0xED, 0xE5, 0x1E,
  0x66, 0x96, 0x43, 0x06, 0xAB, 0x35, 0x3B, 0x9C, 0xC2, 0x05,
  0xA9, 0x5C, 0x6D, 0x07, 0x34, 0xBC, 0x26, 0xA6, 0x37, 0x98,
  0x93, 0x15, 0xDC, 0x0E, 0xF2, 0xCF, 0x60, 0x81, 0x2B, 0xB0,
  0xCD, 0x80, 0x4D, 0x38, 0x72, 0xD9, 0xAE, 0xC6, 0xA2, 0xF7,
  0x8C, 0x04, 0x71, 0x4B, 0x2E, 0xE9, 0xD8, 0x9B, 0xBF, 0x8B,
  0x59, 0x2D, 0x33, 0x39, 0x77, 0x1C, 0xB9, 0xD7, 0x7C, 0x28,
  0xF9, 0x7A, 0xA8, 0xE8, 0x11, 0x0D, 0x18, 0xF3, 0x4A, 0x10,
  0x54, 0xD5, 0x3A, 0xFC, 0xCE, 0xFB, 0xE6, 0x44, 0xD4, 0x76,
  0xA0, 0x09, 0x82, 0x00, 0x65, 0x47, 0x70, 0xA5, 0x58, 0x0C,
  0xBD, 0xD1, 0x42, 0xA4, 0x5F, 0x67, 0x68, 0x2F, 0x61, 0x40,
  0xA3, 0x75, 0x57, 0x7B, 0x0A, 0x63, 0xCA, 0x3E, 0x22, 0xF1,
  0x52, 0xB6, 0x0B, 0xBE, 0xFA, 0xAA, 0x7D, 0x9D, 0xB5, 0x74,
  0x20, 0x8F, 0x29, 0x13, 0xC7, 0x92, 0xB7, 0x73, 0x88, 0xD6,
  0x14, 0x4F, 0x97, 0xE0, 0x91, 0x8D, 0xE1, 0xBB, 0xDA, 0xF6,
  0xC0, 0xF0, 0x30, 0xB4, 0x1B, 0xDB, 0x90, 0xEB, 0x8A, 0x03,
  0x36, 0x79, 0x89, 0x6C, 0x08, 0x31, 0x2A, 0x02, 0x5E, 0xEF,
  0x01, 0x83, 0x41, 0x99, 0x84, 0xDD, 0x23, 0x27, 0x69, 0xF5,
  0xC9, 0xB2, 0x51, 0x48, 0x4E, 0x9E, 0xCB, 0x3C, 0x25, 0xEE,
  0x19, 0x17, 0x1F, 0xFD, 0x16, 0xC5
]
a[7]=[
  0x76, 0x49, 0x26, 0x0C, 0xD3, 0xCE, 0xC8, 0x9E, 0x01, 0x71,
  0xDC, 0x5B, 0xA6, 0x8E, 0xCA, 0x6E, 0xAA, 0xEB, 0x24, 0xC0,
  0x50, 0x79, 0x44, 0x56, 0xAC, 0x95, 0x38, 0x12, 0x92, 0x74,
  0xFE, 0x46, 0x1D, 0x2D, 0xB3, 0xA4, 0xC5, 0xFD, 0x9F, 0x1B,
  0xB2, 0x87, 0x1E, 0x86, 0x81, 0x23, 0x3E, 0x19, 0xB4, 0x67,
  0x75, 0x8B, 0x9B, 0xE0, 0x00, 0x3B, 0xF4, 0x31, 0xE4, 0xC7,
  0x05, 0xEA, 0xA1, 0x7B, 0x82, 0x3D, 0x35, 0x54, 0x97, 0xD9,
  0x0A, 0xBD, 0x8F, 0x40, 0xED, 0xF8, 0xEF, 0x7C, 0x4F, 0xA7,
  0x68, 0xA0, 0xB6, 0x11, 0xBB, 0x60, 0x59, 0xA5, 0xE7, 0x77,
  0xDA, 0x53, 0x83, 0xD2, 0x9D, 0x18, 0x17, 0x99, 0x57, 0x41,
  0xCF, 0x5D, 0xD1, 0x5E, 0x9C, 0xEC, 0xFB, 0xB9, 0x9A, 0xD0,
  0x98, 0xB0, 0xC6, 0x21, 0xB1, 0x91, 0xC1, 0xF7, 0x72, 0xAB,
  0x70, 0x34, 0x51, 0xF6, 0x6B, 0xDB, 0x28, 0x4A, 0xF5, 0xB8,
  0x90, 0xCB, 0x2A, 0x09, 0x7D, 0x80, 0xC3, 0x61, 0x48, 0xB7,
  0x2E, 0xAE, 0x36, 0xD5, 0xA8, 0x5C, 0xD8, 0x22, 0x07, 0x39,
  0x8D, 0x65, 0x16, 0x8A, 0x10, 0x66, 0x6D, 0x3F, 0xF1, 0xF2,
  0x64, 0x20, 0xE6, 0x2B, 0x43, 0xF0, 0xDE, 0x1F, 0x93, 0xFF,
  0x84, 0x06, 0x63, 0x30, 0xBF, 0xAD, 0x7E, 0x4C, 0x85, 0x02,
  0xBA, 0xE5, 0x4D, 0x14, 0x4B, 0x04, 0x3A, 0x89, 0x0B, 0xEE,
  0x4E, 0xD4, 0xC4, 0x15, 0x6A, 0x58, 0xB5, 0xCD, 0x55, 0x5A,
  0x94, 0x52, 0xFC, 0x7A, 0x73, 0x96, 0x5F, 0x1C, 0x88, 0x6C,
  0x37, 0xA9, 0x25, 0xA2, 0xDF, 0xE2, 0xDD, 0xFA, 0xD7, 0xCC,
  0x0F, 0xAF, 0x69, 0x27, 0xC9, 0x7F, 0x08, 0x32, 0x45, 0x6F,
  0xA3, 0x0E, 0x47, 0x2F, 0xC2, 0xE3, 0xBE, 0xF9, 0x29, 0xBC,
  0x3C, 0xE1, 0x42, 0xD6, 0x03, 0x8C, 0xE9, 0x62, 0xF3, 0xE8,
  0x33, 0x0D, 0x2C, 0x78, 0x13, 0x1A
]
# Undo the eight substitutions: for each table, map the value back to its index
for i in range(8):
    for k in range(22):
        data[k] = a[i].index(data[k])
print(bytes(bytearray(data)))

We get the flag:
[screenshot]
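The exp recovers each pre-image by scanning a table for the value. The example below is added here and is not code from the write-up; it uses three constructed 16-entry tables (T0, T1, T2, hypothetical values) in place of the crackme's eight 256-entry ones and shows the general technique: build each inverse table once so that inv[T[j]] == j, refuse a table that is not a permutation (two inputs mapping to one output have no unique pre-image), and apply the inverses in the reverse of the order in which the tables were applied, since byte permutations do not commute in general.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Three constructed 16-entry permutation tables standing in for the crackme's
 * eight 256-entry ones (hypothetical values, chosen for this example). */
#define N 16
static const uint8_t T0[N] = { 5, 3, 9, 0, 12, 7, 1, 14, 2, 10, 15, 4, 8, 13, 6, 11 };
static const uint8_t T1[N] = { 15, 4, 11, 2, 9, 0, 13, 6, 3, 14, 8, 1, 12, 5, 10, 7 };
static const uint8_t T2[N] = { 7, 12, 1, 10, 3, 14, 5, 8, 11, 0, 13, 2, 15, 4, 9, 6 };
static const uint8_t *const TABS[3] = { T0, T1, T2 };

/* Fill inv so that inv[T[j]] == j. Returns 0 if T is not a permutation of 0..n-1:
 * a repeated output means two inputs collide and the pre-image is ambiguous. */
int build_inverse(const uint8_t *T, uint8_t *inv, size_t n) {
    uint8_t seen[256] = { 0 };
    for (size_t j = 0; j < n; j++) {
        uint8_t v = T[j];
        if (v >= n || seen[v]) return 0;
        seen[v] = 1;
        inv[v] = (uint8_t)j;
    }
    return 1;
}

/* Forward direction, as the crackme does it: tabs[0] first, then tabs[1], ... */
void substitute(const uint8_t *const *tabs, size_t ntabs, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < ntabs; i++)
        for (size_t k = 0; k < len; k++)
            buf[k] = tabs[i][buf[k]];
}

/* Inverse direction: undo the last table first. Returns 0 if any table is not invertible. */
int unsubstitute(const uint8_t *const *tabs, size_t ntabs, uint8_t *buf, size_t len) {
    uint8_t inv[N];
    for (size_t i = ntabs; i-- > 0;) {
        if (!build_inverse(tabs[i], inv, N)) return 0;
        for (size_t k = 0; k < len; k++)
            buf[k] = inv[buf[k]];
    }
    return 1;
}

/* Single byte through T0, T1, T2 in order (0 -> 5 -> 0 -> 7). */
uint8_t forward_byte(uint8_t v) {
    substitute(TABS, 3, &v, 1);
    return v;
}

/* Undo the substitution of a single byte with the correct (reverse) order. */
uint8_t inverse_byte(uint8_t v) {
    unsubstitute(TABS, 3, &v, 1);
    return v;
}

/* What happens if the inverses are applied in forward order instead: for 7 this yields
 * 10 rather than the original 0, because the three permutations do not commute. */
uint8_t inverse_byte_wrong_order(uint8_t v) {
    uint8_t inv[N];
    for (size_t i = 0; i < 3; i++) {
        build_inverse(TABS[i], inv, N);
        v = inv[v];
    }
    return v;
}

/* Whole-buffer round trip: 1 if substitute followed by unsubstitute restores the input. */
int roundtrip_ok(void) {
    const uint8_t orig[6] = { 0, 1, 2, 13, 14, 15 };
    uint8_t buf[6];
    memcpy(buf, orig, sizeof buf);
    substitute(TABS, 3, buf, sizeof buf);
    if (!unsubstitute(TABS, 3, buf, sizeof buf)) return 0;
    return memcmp(buf, orig, sizeof buf) == 0;
}
```

For the real crackme the same code applies with N = 256 and the eight tables from the exp; build_inverse doubles as a sanity check that every table really is a bijection before trusting the recovered bytes.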

Struct reversing process

[screenshot]
You can see that the main logic function calls sub_3154 many times; let's analyze its logic.
[screenshot]
It first mallocs a ptr, then, using the first argument + 1 as the index idx, stores ptr in the dword array at 0x712C. The malloc size is the size of the struct.
[screenshot]
Next it copies the string in a2 into ptr, so the struct begins with space for a string, of as yet unknown size. If a3 is not 0 it allocates a target_ptr and stores it at struct+0x10, and then stores a3 at struct+0x14. So at this point the struct should consist of a 16-byte char array, a 4-byte pointer and a 4-byte length.
[screenshot]
Finally it stores a function address at struct+0x18, which makes the struct exactly 0x1c bytes. The struct layout is therefore as shown below.
[screenshot]

Attachments

Full attachment: https://pan.baidu.com/s/1g5mlSO_o-pOG4uLNB9zEYw?pwd=eqty
The uploaded attachments are crackme and crackme.idb



Last edited by /x01 on 2022-10-10 18:44. Reason: added the struct reversing steps at a commenter's request
Latest replies (3)
trackL 2022-9-25 11:59
mb_wjynirwq 2022-10-2 17:15
Could you explain in detail how you analyzed this struct step by step?
/x01 2022-10-10 18:46
mb_wjynirwq: Could you explain in detail how you analyzed this struct step by step?
Updated in the article.