[Original] RCTF bloker_vm: a side-channel brute-force solution
Posted on: 2024-6-14 19:56
RCTF bloker_vm
I read https://bbs.kanxue.com/thread-281796.htm#msg_header_h3_8 and wanted to find a challenge to practise on QAQ
The main logic can be located through the strings. The program has anti-debugging, but I didn't see it in the main logic; attaching with IDA is enough to start debugging.
Comparing the input against the final string confirms that the encryption is byte-by-byte.
The check logic should be here.
I tried a side-channel brute force.
But the side-channel brute force here gave identical results every time, so I tried patching the binary so that it leaks some information:
if the check finds a mismatch, make it jump straight out of the loop.
The script is as follows:
```python
import subprocess
import time
import frida

number = 0
filename = "bloker_vm.exe"
# flag{O1SC_VM_1s_h4rd_to_r3v3rs3_#a78abffaa#}
flag = bytearray(b'!' * 25)
flaglen = len(flag)  # the original hard-coded 43, which indexes past the 25-byte buffer
jscode = open("blockvm.js", "rb").read().decode()
new_number = 0
result = 0


def brute(F):
    """Run the target once with candidate F on stdin and return the hit count
    that the Frida script sends back."""
    def on_message(message, data):
        global result
        if message['type'] == 'send':
            result = message['payload']
            # print(result)
        else:
            print(message)

    process = subprocess.Popen(filename, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE, universal_newlines=True)
    session = frida.attach(filename)
    script = session.create_script(jscode)
    script.on('message', on_message)
    script.load()
    process.stdin.write(F.decode())
    # print(F.decode())
    output, error = process.communicate()
    # print(output, error)
    # print(f"number:{result}")
    process.terminate()
    return result


count = 0
new_number = brute(flag)  # baseline count for the all-'!' candidate
number = new_number
t = time.time()
st = t
while count < flaglen:
    number = brute(flag)
    # print(flag.decode())
    if number != new_number:
        # the count changed: the byte at this position is correct
        print(f"本位耗时:{time.time()-t}s,正确字符为:{chr(flag[count])}")
        t = time.time()
        print(flag.decode())
        new_number = number
        count += 1
    else:
        flag[count] += 1
        # wrapped past printable range without a signal: back up one position
        while flag[count] > 127:
            flag[count] = 33
            count -= 1
            flag[count] += 1
print(flag.decode())
print(f"总耗时{time.time()-st}")
```
The JS script is as follows:
```javascript
var number = 0

function main() {
    var base = Module.findBaseAddress("bloker_vm.exe")
    // get the address of the exit function in the standard library
    var exitFunc = Module.findExportByName(null, "exit");
    var exit = new NativeFunction(exitFunc, 'void', ['int']);
    if (base) {
        // count how many times this block in the check loop is executed
        Interceptor.attach(base.add(0x11f58), {
            onEnter: function (args) {
                number += 1
            }
        });
        // once the loop is left: report the count to Python and stop the process
        Interceptor.attach(base.add(0x120b6), {
            onEnter: function (args) {
                send(number)
                Thread.sleep(0.0001)
                exit(0)
            }
        });
    }
}

setImmediate(main);
```
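Added here as an illustration (not the post's code and not part of the challenge): a pure-Python model of the hit-count oracle the scripts above build, driven by the same backtracking brute-force loop, against a constructed secret. It also models the unpatched binary, whose full-length compare is why every candidate produced the same count before the patch; `SECRET`, `patched_count` and `unpatched_count` are assumed names.

```python
# Added example (not the post's code): a model of the hit-count side channel
# the post describes, with a constructed secret standing in for the real flag.
SECRET = b"RCTF{demo}"  # constructed sample secret, not the challenge flag

def patched_count(candidate):
    """Patched binary: the loop is left on the first mismatch, so the hooked
    block (after the compare) runs once per byte of the matching prefix."""
    hits = 0
    for a, b in zip(candidate, SECRET):
        if a != b:
            break          # the patch: jump out of the loop on a mismatch
        hits += 1          # the hooked block, counted by the Frida script
    return hits

def unpatched_count(candidate):
    """Unpatched binary: every byte is compared regardless of mismatches, so
    the count is always len(SECRET) and leaks nothing about the prefix."""
    hits = 0
    ok = True
    for a, b in zip(candidate, SECRET):
        ok = ok and a == b
        hits += 1
    return hits

def brute(oracle, length, lo=33, hi=127):
    """The post's driver: a changed count means the byte at `pos` is right.
    A byte that wraps past `hi` without a change backtracks one position;
    backtracking past position 0 means the oracle gave no signal at all."""
    flag = bytearray(b"!" * length)
    baseline = oracle(bytes(flag))
    pos = 0
    while pos < length:
        n = oracle(bytes(flag))
        if n != baseline:
            baseline = n
            pos += 1
        else:
            flag[pos] += 1
            while flag[pos] > hi:
                flag[pos] = lo
                pos -= 1
                if pos < 0:
                    return None
                flag[pos] += 1
    return bytes(flag)

if __name__ == "__main__":
    print(brute(patched_count, len(SECRET)))    # b'RCTF{demo}'
    print(brute(unpatched_count, len(SECRET)))  # None
```

The `None` result for `unpatched_count` is the situation the post hit before patching: a compare that always walks the whole buffer gives the counter nothing to distinguish.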
The run output is as follows:
Final flag: RCTF{a_baby_debug_blokes}