[原创] KCTF 2024 第二题星际生物 WriteUP-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创] KCTF 2024 第二题星际生物 WriteUP

发表于: 2024-8-21 15:59 1043

[原创] KCTF 2024 第二题星际生物 WriteUP

tacesrever 活跃值

2024-8-21 15:59

1043

使用dnspy打开brain.exe, 在_.<Module>下可以找到main函数
第一段

internal unsafe static int main()
{
    $ArrayType$$$BY0BAA@D $ArrayType$$$BY0BAA@D;
    initblk(ref $ArrayType$$$BY0BAA@D, 0, 256);
    <Module>.printf(ref <Module>.??_C@_0BJ@MNCFGMHN@Please?5input?5your?5flag?3?5?$AA@);
    <Module>.scanf(ref <Module>.??_C@_05HPMPOKFN@?$CF?$FL?$FO?6?$FN?$AA@, ref $ArrayType$$$BY0BAA@D);
    sbyte* ptr = ref $ArrayType$$$BY0BAA@D;
    if ($ArrayType$$$BY0BAA@D != null)
    {
        do
        {
            ptr += 1L;
        }
        while (*ptr != 0);
    }
    if (ptr - ref $ArrayType$$$BY0BAA@D != 70U)
    {
        <Module>.printf(ref <Module>.??_C@_0M@IIPHMAMA@Try?5again?$CB?6?$AA@);
        return -1;
    }
    if ($ArrayType$$$BY0BAA@D == 102 && *(ref $ArrayType$$$BY0BAA@D + 1) == 108 && *(ref $ArrayType$$$BY0BAA@D + 2) == 97 && *(ref $ArrayType$$$BY0BAA@D + 3) == 103 && *(ref $ArrayType$$$BY0BAA@D + 4) == 123 && *(ref $ArrayType$$$BY0BAA@D + 69) == 125)
    ...

判断输入为flag{...}
第二段

$ArrayType$$$BY0EA@E $ArrayType$$$BY0EA@E;
        cpblk(ref $ArrayType$$$BY0EA@E, ref $ArrayType$$$BY0BAA@D + 5, 64);
        uint num = 0U;
        uint num2 = 0U;
        $ArrayType$$$BY188E* ptr2 = &<Module>.sudoku;
        do
        {
            uint num3 = 0U;
            $ArrayType$$$BY188E* ptr3 = ptr2;
            do
            {
                if (*(byte*)ptr3 == 15)
                {
                    byte b = *((ulong)num + ref $ArrayType$$$BY0EA@E);
                    if (b < 48 || b > 57)
                    {
                        goto IL_109;
                    }
                    *(byte*)ptr3 = b - 48;
                    num += 1U;
                }
                num3 += 1U;
                ptr3 += 1L / (long)sizeof($ArrayType$$$BY188E);
            }
            while (num3 < 9U);
            num2 += 1U;
            ptr2 += 9L / (long)sizeof($ArrayType$$$BY188E);
        }
        while (num2 < 9U);
        uint num4 = 1U;
        uint num5 = 1U;
        uint num6 = 0U;
        long num7 = 0L;
        while (num4 == 1U)
        {
            long num8 = 0L;
            uint num9 = 1U;
            while (num4 == 1U)
            {
                uint num10 = num9;
                if (num9 < 9U)
                {
                    long num11 = (long)((ulong)num9);
                    byte b2 = *(num7 + num8 + ref <Module>.sudoku);
                    num4 = 1U;
                    $ArrayType$$$BY188E* ptr4 = num7 + num11 + ref <Module>.sudoku;

大致看出在解数独, 查看<Module>.sudoku的声明为

1 2	`// Token: 0x04000005 RID: 5 RVA: 0x00012000 File Offset: 0x00010800` `internal` `static` `$ArrayType$$$BY188E sudoku;`

于File Offset 0x00010800可以读出数独内容并解出:

bin = open('brain.exe', 'rb').read()
sudoku = bin[0x10800:0x10800+81]
for i in range(9):
    for j in range(9):
        c = sudoku[i*9+j]
        if c == 0xf:
            print('. ', end='')
        else:
            print(chr(c+48)+' ', end='')
    print('')
 
'''
. . 2 . . 7 . . .
. 6 . 9 . . 4 . .
. 9 . 2 5 . . . 3
. . . 4 . . 1 . .
7 3 . . 6 . . . .
. . 9 5 3 . . 6 .
. . 6 3 4 . . 7 .
8 . . . . . . . 9
. . . . . . . 5 .
 
3 4 2 6 8 7 9 1 5
5 6 8 9 1 3 4 2 7
1 9 7 2 5 4 6 8 3
6 8 5 4 7 9 1 3 2
7 3 4 1 6 2 5 9 8
2 1 9 5 3 8 7 6 4
9 2 6 3 4 5 8 7 1
8 5 1 7 2 6 3 4 9
4 7 3 8 9 1 2 5 6
'''

数独数字去除固定部分为输入第一段34689155813271746868579324125982187492581517263447389126
接下来

if (num4 == 1U && num5 == 1U)
        {
            $ArrayType$$$BY133E $ArrayType$$$BY133E = 33;
            *(ref $ArrayType$$$BY133E + 1) = 45;
            *(ref $ArrayType$$$BY133E + 2) = 63;
            *(ref $ArrayType$$$BY133E + 3) = 43;
            *(ref $ArrayType$$$BY133E + 4) = 43;
            *(ref $ArrayType$$$BY133E + 5) = 43;
            *(ref $ArrayType$$$BY133E + 6) = 45;
            *(ref $ArrayType$$$BY133E + 7) = 43;
            *(ref $ArrayType$$$BY133E + 8) = 45;
            *(ref $ArrayType$$$BY133E + 9) = 43;
            *(ref $ArrayType$$$BY133E + 10) = 43;
            *(ref $ArrayType$$$BY133E + 11) = 43;
            *(ref $ArrayType$$$BY133E + 12) = 43;
            *(ref $ArrayType$$$BY133E + 13) = 45;
            *(ref $ArrayType$$$BY133E + 14) = 45;
            *(ref $ArrayType$$$BY133E + 15) = 43;
            byte b4 = 0;
            byte b5 = 0;
            uint num16 = 0U;
            do
            {
                int num17 = (int)(*((ulong)num + ref $ArrayType$$$BY0EA@E));
                num += 1U;
                if (num17 != 65) // A
                {
                    if (num17 != 68) // D
                    {
                        if (num17 != 83) // S
                        {
                            if (num17 == 87) // W
                            {
                                if (b4 == 0)
                                {
                                    goto IL_323;
                                }
                                b4 -= 1;
                            }
                        }
                        else
                        {
                            if (b4 == 3)
                            {
                                goto IL_330;
                            }
                            b4 += 1;
                        }
                    }
                    else
                    {
                        if (b5 == 3)
                        {
                            goto IL_33D;
                        }
                        b5 += 1;
                    }
                }
                else
                {
                    if (b5 == 0)
                    {
                        goto IL_34A;
                    }
                    b5 -= 1;
                }