首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
[原创] 看雪 2025 KCTF 签到题 废材少年觉醒
发表于: 2025-8-15 13:20 87

[原创] 看雪 2025 KCTF 签到题 废材少年觉醒

mb_mgodlfyn 活跃值
16
2025-8-15 13:20
87

通过二进制里的字符串得知是rust程序

从入口点依次找到rust的主函数:
(sub_140001400 -> sub_140001010 -> sub_140001AF0 -> sub_140001620)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
__int64 __fastcall sub_140001620()
{
  __int64 v0; // rax
  char **v1; // rdx
  char *v2; // r9
  unsigned __int8 *v3; // rdx
  unsigned __int8 *v4; // r10
  char v5; // bl
  unsigned __int8 *v6; // rbx
  unsigned __int8 *v7; // rax
  unsigned int v8; // edi
  int v9; // edx
  int v10; // r14d
  int v11; // ebp
  unsigned int v12; // ebx
  char v13; // bl
  char *v14; // rdi
  unsigned int v15; // ebx
  char v16; // bp
  char v17; // r14
  int v18; // r14d
  int v19; // ebp
  unsigned int v20; // ebp
  __int64 result; // rax
  char **v22; // [rsp+28h] [rbp-B0h] BYREF
  __int64 v23; // [rsp+30h] [rbp-A8h]
  __int64 v24; // [rsp+38h] [rbp-A0h]
  __int128 v25; // [rsp+40h] [rbp-98h]
  __int64 v26; // [rsp+58h] [rbp-80h] BYREF
  LPVOID lpMem; // [rsp+60h] [rbp-78h]
  __int64 v28; // [rsp+68h] [rbp-70h]
  _QWORD v29[2]; // [rsp+70h] [rbp-68h] BYREF
  _QWORD v30[2]; // [rsp+80h] [rbp-58h] BYREF
 
  v22 = &off_1400A10A0;
  v23 = 1;
  v24 = 8;
  v25 = 0;
  sub_140031F30(&v22);
  v22 = &off_1400A10C8;
  v23 = 1;
  v24 = 8;
  v25 = 0;
  sub_140031F30(&v22);
  v26 = sub_14002FCF0();
  v0 = sub_14002FDA0((__int64)&v26);
  if ( v0 )
  {
    v22 = (char **)v0;
    sub_140087C50(
      (unsigned int)aCalledResultUn,
      43,
      (unsigned int)&v22,
      (unsigned int)&off_1400A1030,
      (__int64)&off_1400A10D8);
  }
  v26 = 0;
  lpMem = (LPVOID)1;
  v28 = 0;
  v29[0] = sub_14002E310();
  if ( (sub_14002E3A0(v29, &v26) & 1) != 0 )
  {
    v22 = v1;
    sub_140087C50(
      (unsigned int)aCalledResultUn,
      43,
      (unsigned int)&v22,
      (unsigned int)&off_1400A1030,
      (__int64)&off_1400A10F0);
  }
  v2 = (char *)lpMem + v28;
  if ( v28 )
  {
    v3 = 0;
    v4 = (unsigned __int8 *)lpMem;
    while ( 1 )
    {
      v6 = v4;
      v7 = v3;
      v8 = *v4;
      if ( (v8 & 0x80u) != 0 )
      {
        v9 = v8 & 0x1F;
        v10 = v4[1] & 0x3F;
        if ( (unsigned __int8)v8 <= 0xDFu )
        {
          v4 += 2;
          v8 = v10 | (v9 << 6);
        }
        else
        {
          v11 = (v10 << 6) | v4[2] & 0x3F;
          if ( (unsigned __int8)v8 < 0xF0u )
          {
            v4 += 3;
            v8 = (v9 << 12) | v11;
          }
          else
          {
            v4 += 4;
            v8 = ((v8 & 7) << 18) | (v11 << 6) | v6[3] & 0x3F;
          }
        }
      }
      else
      {
        ++v4;
      }
      v3 = &v7[v4 - v6];
      if ( v8 - 9 >= 5 && v8 != 32 )
      {
        if ( v8 < 0x80 )
          goto LABEL_27;
        v12 = v8 >> 8;
        if ( v8 >> 8 > 0x1F )
        {
          if ( v12 == 32 )
          {
            v5 = *((_BYTE *)off_1400A0AC0 + (unsigned __int8)v8) >> 1;
          }
          else
          {
            if ( v12 != 48 )
              goto LABEL_27;
            v5 = v8 == 12288;
          }
        }
        else if ( v12 )
        {
          if ( v12 != 22 )
            goto LABEL_27;
          v5 = v8 == 5760;
        }
        else
        {
          v5 = *((_BYTE *)off_1400A0AC0 + (unsigned __int8)v8);
        }
        if ( (v5 & 1) == 0 )
          goto LABEL_27;
      }
      if ( v4 == (unsigned __int8 *)v2 )
        goto LABEL_53;
    }
  }
  v7 = 0;
  v3 = 0;
  v4 = (unsigned __int8 *)lpMem;
LABEL_27:
  if ( v4 == (unsigned __int8 *)v2 )
  {
LABEL_52:
    if ( v28 )
      goto LABEL_54;
LABEL_53:
    v7 = 0;
    v3 = 0;
    goto LABEL_54;
  }
  while ( 1 )
  {
    v14 = v2;
    v15 = *(v2 - 1);
    if ( (v15 & 0x80000000) != 0 )
    {
      v16 = *(v2 - 2);
      if ( v16 >= -64 )
      {
        v2 -= 2;
        v19 = v16 & 0x1F;
      }
      else
      {
        v17 = *(v2 - 3);
        if ( v17 >= -64 )
        {
          v2 -= 3;
          v18 = v17 & 0xF;
        }
        else
        {
          v2 -= 4;
          v18 = ((*(v14 - 4) & 7) << 6) | v17 & 0x3F;
        }
        v19 = (v18 << 6) | v16 & 0x3F;
      }
      v15 = (v19 << 6) | v15 & 0x3F;
      if ( v15 - 9 < 5 )
        goto LABEL_31;
    }
    else
    {
      --v2;
      if ( v15 - 9 < 5 )
        goto LABEL_31;
    }
    if ( v15 == 32 )
      goto LABEL_31;
    if ( v15 < 0x80 )
      break;
    v20 = v15 >> 8;
    if ( v15 >> 8 <= 0x1F )
    {
      if ( v20 )
      {
        if ( v20 != 22 )
          break;
        v13 = v15 == 0x1680;
      }
      else
      {
        v13 = *((_BYTE *)off_1400A0AC0 + (unsigned __int8)v15);
      }
      goto LABEL_30;
    }
    if ( v20 == 32 )
    {
      v13 = *((_BYTE *)off_1400A0AC0 + (unsigned __int8)v15) >> 1;
      goto LABEL_30;
    }
    if ( v20 != 48 )
      break;
    v13 = v15 == 12288;
LABEL_30:
    if ( (v13 & 1) == 0 )
      break;
LABEL_31:
    if ( v4 == (unsigned __int8 *)v2 )
      goto LABEL_52;
  }
  v3 = (unsigned __int8 *)&v14[v3 - v4];
LABEL_54:
  v30[0] = (char *)lpMem + (_QWORD)v7;
  v30[1] = v3 - v7;
  if ( sub_140001560((_BYTE *)lpMem + (_QWORD)v7, v3 - v7) )
  {
    v29[0] = v30;
    v29[1] = sub_140001480;
    v22 = &off_1400A1140;
    v23 = 2;
    v24 = (__int64)v29;
    v25 = 1u;
  }
  else
  {
    v22 = &off_1400A1118;
    v23 = 1;
    v24 = 8;
    v25 = 0;
  }
  result = sub_140031F30(&v22);
  if ( v26 )
    return sub_140001B50(lpMem);
  return result;
}

末尾的 sub_140001560 的返回结果经过 if 判断,两个分支的 off_1400A1140 和 off_1400A1118 分别指向成功和失败

打开 sub_140001560 ,把 ascii 数字转换为字符,直接是flag的明文

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
bool __fastcall sub_140001560(_BYTE *a1, __int64 a2)
{
  return a2 == 25
      && *a1 == 'f'
      && a1[1] == 'l'
      && a1[2] == 'a'
      && a1[3] == 'g'
      && a1[4] == '{'
      && a1[5] == 'k'
      && a1[6] == 'c'
      && a1[7] == 't'
      && a1[8] == 'f'
      && a1[9] == '_'
      && a1[10] == 't'
      && a1[11] == 'i'
      && a1[12] == 'm'
      && a1[13] == 'e'
      && a1[14] == '_'
      && a1[15] == 'l'
      && a1[16] == 'e'
      && a1[17] == 'a'
      && a1[18] == 'p'
      && a1[19] == '_'
      && a1[20] == '2'
      && a1[21] == '0'
      && a1[22] == '2'
      && a1[23] == '5'
      && a1[24] == '}';
}

最终flag:flag{kctf_time_leap_2025}

至于主函数的逻辑,AI直接识别出来是UTF-8字符处理,并给出结论其作用为去除输入前后的空白字符,对应到rust则是标准库str::trim的内联


[培训]Windows内核深度攻防:从Hook技术到Rootkit实战!

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回