[Original] RCTF bloker_vm: side-channel brute-force solution
Posted: 2024-6-14 19:56 2129


RCTF bloker_vm

After reading https://bbs.kanxue.com/thread-281796.htm#msg_header_h3_8 I wanted to find a challenge to practise on QAQ
The main logic can be located from the strings. The program has anti-debugging, but it is not in the main logic, so attaching IDA to the running process is enough to start debugging.

Comparing the input with the final string shows that the encryption works byte by byte (each output byte depends on a single input byte).

The check logic should be here.


Trying a side-channel brute force.

But a side-channel brute force here returned the same count every time, so I tried patching the binary so that it leaks some information:

if the check finds a mismatch, make it break out of the loop immediately.


The script is as follows:

import subprocess
import time

import frida

number = 0
filename = "bloker_vm.exe"
#                  flag{O1SC_VM_1s_h4rd_to_r3v3rs3_#a78abffaa#}
flag = bytearray(b'!' * 25)      # every position starts at '!' (0x21)
flaglen = len(flag)              # must match the buffer above (was hard-coded to 43)
jscode = open("blockvm.js", "rb").read().decode()
new_number = 0

result = 0


def brute(F):
    """Run the target once with candidate F on stdin and return the hit count
    that the Frida script sends back from the instrumented check loop."""

    def on_message(message, data):
        global result
        if message['type'] == 'send':
            result = message['payload']
            # print(result)
        else:
            print(message)

    process = subprocess.Popen(filename, stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               universal_newlines=True)

    session = frida.attach(filename)
    script = session.create_script(jscode)
    script.on('message', on_message)
    script.load()
    process.stdin.write(F.decode())
    # print(F.decode())
    output, error = process.communicate()
    # print(output, error)

    # print(f"number:{result}")
    process.terminate()
    return result


count = 0

new_number = brute(flag)         # baseline hit count before any byte is correct
number = new_number
t = time.time()
st = t

while count < flaglen:
    number = brute(flag)
    # print(flag.decode())
    if number != new_number:
        # the count moved: the loop ran one more time, so this byte is correct
        print(f"本位耗时:{time.time()-t}s,正确字符为:{chr(flag[count])}")
        t = time.time()
        print(flag.decode())
        new_number = number
        count += 1
    else:
        flag[count] += 1
        while flag[count] > 127:     # printable range exhausted: carry back
            flag[count] = 33
            count -= 1
            flag[count] += 1
print(flag.decode())
print(f"总耗时{time.time()-st}")

The JS script is as follows:

var number = 0;
function main()
{
    var base = Module.findBaseAddress("bloker_vm.exe");

    // get the address of exit from the C runtime
    var exitFunc = Module.findExportByName(null, "exit");
    var exit = new NativeFunction(exitFunc, 'void', ['int']);
    if (base) {
        // instrumented address inside the check loop: count every hit
        Interceptor.attach(base.add(0x11f58), {
            onEnter: function(args) {
                number += 1;
            }
        });
        // reached once the check loop is left: report the count and quit
        Interceptor.attach(base.add(0x120b6), {
            onEnter: function(args) {
                send(number);
                Thread.sleep(0.0001);
                exit(0);
            }
        });
    }
}
setImmediate(main);

The run result is as follows:


Final flag: RCTF{a_baby_debug_blokes}
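To show why the patch was needed, here is an offline model of the whole procedure, added here and not part of the original post: a hit-count oracle for the patched (early-exit) check and for the unpatched one, plus the post's brute-force driver. The secret, the loop-head counting model and the function names are constructed for the example; with the early-exit oracle the driver recovers the flag, with the constant-iteration oracle it never gets a signal.

```python
# Added example, not from the original post: offline model of the hit-count
# oracle the Frida script delivers and of the post's brute-force driver.
SECRET = b"RCTF{a_baby_debug_blokes}"   # constructed stand-in for the real check


def patched_hits(candidate: bytes, secret: bytes = SECRET) -> int:
    """Loop-head hit count for the *patched* binary: the loop is left at the
    first mismatching byte, so each extra correct byte adds exactly one hit."""
    i = hits = 0
    while True:
        hits += 1                      # the instrumented loop-head address fires
        if i >= len(secret) or candidate[i] != secret[i]:
            return hits                # patched: leave the loop on mismatch
        i += 1


def unpatched_hits(candidate: bytes, secret: bytes = SECRET) -> int:
    """Hit count for the original check: all bytes are compared whatever the
    input, so the count is constant and carries no information."""
    hits, ok = 0, True
    for i in range(len(secret)):
        hits += 1
        ok = ok and candidate[i] == secret[i]   # verdict kept, count unchanged
    return hits


def brute(oracle, flaglen: int, max_steps: int = 100_000):
    """The driver from the post: bump flag[count] until the oracle's count moves,
    then advance; when a byte wraps past 0x7f reset it and carry backwards.
    Returns None when the oracle never changes (what the unpatched check gives)."""
    flag = bytearray(b"!" * flaglen)
    count, baseline = 0, oracle(bytes(flag))
    for _ in range(max_steps):
        if count >= flaglen:
            return bytes(flag)
        n = oracle(bytes(flag))
        if n != baseline:              # one more byte matched: lock it in
            baseline, count = n, count + 1
        else:
            flag[count] += 1
            while flag[count] > 127:   # this position exhausted: carry back
                flag[count] = 33
                count -= 1
                if count < 0:
                    return None        # carried past the first byte: no signal
                flag[count] += 1
    return None
```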

