
[原创] KCTF 2025 第7题 危局初现wp

2025-8-27 15:41

放入ida, 主函数的第一部分为:

虽然 buf 被识别为 stat 结构体有点怪异, 但仍可分析出这段取出了输入的前 10 个字符, 将它们从 16 进制字符转换为数值后, 存入 v39_0x19_0x29 下标 0x19 到 0x29 之间的位置;
其中的 string_to_code 函数只是单纯返回字符串到数字的映射, 映射关系在函数中很直观, 下面以注释的方式注明其返回值;
下一段为:

循环赋值后, v39_0x19_0x29 的前 25 (即 0x19) 个元素构成一个 5*5 的矩阵, 分析为:

结合后面 5*3 的循环判断, 可知 v38+0x110 处保存的是一个 5*3 的矩阵, 分析为:

之后循环中的判定条件是每行的和需要等于 34 (代码里每行三项各减 5 后要求等于 19, 即 19 + 3*5 = 34);
然后:

这段验证 58+input[9] == 8*input[0]+128? 其中的 (v38[8] & 0x80) 有点怪, 但它的值要么为 0x80 要么为 0;
然后是最后一段:

将 123 分别与 45, 67, 8, 9 做加法或减法后需要得到 100, 计算一下得知 123+45-67+8-9 为 100, 则 key 的第 10 到 13 个字符应为 asas;
至此所有条件都已给出, 感觉好像有点少? 先用 z3 求解试试:

得到 99fafef54easas, 打开虚拟机运行 guess 并输入它得到了 ok, 但是提交不对, 看来存在多解.
感觉上应该是少了什么条件; 注意到输出中有很多相同的值, 于是试着添加一个"每位输入互不相同"的约束:

之后得到 89cefabd76asas, 再提交就对了.

...
p_argc = &argc;
printf("key:");
if ( fgets(key, 30, &Stdin) )
{
    v3 = strcspn(key, "\n");
    key[v3] = string_to_code("act");      // 0
    buf.st_ctim.tv_sec = string_to_code("act"); // 0
    string_to_code("act");
    for ( buf.st_ctim.tv_nsec = 0; key[buf.st_ctim.tv_nsec] && buf.st_ctim.tv_nsec <= 9; ++buf.st_ctim.tv_nsec )
    {
        if ( key[buf.st_ctim.tv_nsec] <= '0' || key[buf.st_ctim.tv_nsec] > '9' )
        {
        if ( key[buf.st_ctim.tv_nsec] == 'a' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 10;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'b' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 11;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'c' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 12;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'd' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 13;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'e' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = 14;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'f' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = 15;
        }
        else
        {
            if ( key[buf.st_ctim.tv_nsec] == 48 )
            v39_0x19_0x29[buf.st_ctim.tv_sec + 25] = 0;
            else
            v39_0x19_0x29[buf.st_ctim.tv_sec + 25] = 16;
            ++buf.st_ctim.tv_sec;
        }
        }
        else
        {
        v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = key[buf.st_ctim.tv_nsec] - '0';
        }
    }
...
}
...
p_argc = &argc;
printf("key:");
if ( fgets(key, 30, &Stdin) )
{
    v3 = strcspn(key, "\n");
    key[v3] = string_to_code("act");      // 0
    buf.st_ctim.tv_sec = string_to_code("act"); // 0
    string_to_code("act");
    for ( buf.st_ctim.tv_nsec = 0; key[buf.st_ctim.tv_nsec] && buf.st_ctim.tv_nsec <= 9; ++buf.st_ctim.tv_nsec )
    {
        if ( key[buf.st_ctim.tv_nsec] <= '0' || key[buf.st_ctim.tv_nsec] > '9' )
        {
        if ( key[buf.st_ctim.tv_nsec] == 'a' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 10;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'b' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 11;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'c' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 12;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'd' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 0x19] = 13;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'e' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = 14;
        }
        else if ( key[buf.st_ctim.tv_nsec] == 'f' )
        {
            v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = 15;
        }
        else
        {
            if ( key[buf.st_ctim.tv_nsec] == 48 )
            v39_0x19_0x29[buf.st_ctim.tv_sec + 25] = 0;
            else
            v39_0x19_0x29[buf.st_ctim.tv_sec + 25] = 16;
            ++buf.st_ctim.tv_sec;
        }
        }
        else
        {
        v39_0x19_0x29[buf.st_ctim.tv_sec++ + 25] = key[buf.st_ctim.tv_nsec] - '0';
        }
    }
...
}
buf.__unused4 = string_to_code("act");      // 0
buf.__unused5 = string_to_code("act");
x0 = string_to_code("con");                 // 0
x1 = string_to_code("con");
x2 = string_to_code("con");
x3 = string_to_code("con");
x4 = string_to_code("con");
sum = string_to_code("act");
// 5*5的双重循环; 假设buf.st_ctim.tv_nsec为i, buf.__unused4为j
for ( buf.st_ctim.tv_nsec = 0; buf.st_ctim.tv_nsec <= 4; ++buf.st_ctim.tv_nsec )
{
    for ( buf.__unused4 = string_to_code("act"); (int)buf.__unused4 <= 4; ++buf.__unused4 )
    {  
        v4_0 = string_to_code("con");           // 0 3
        if ( v4_0 == buf.st_ctim.tv_nsec && (v5_3 = string_to_code("stop"), v5_3 == buf.__unused4) )
        { // 条件保证 i == 0, j == 3
            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 0x19];// v39_0x19_0x29[3] = inp 0
            *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 0 = 3 = inp 0
        }
        else
        {
            v6 = string_to_code("abort");         // 1 0
            if ( v6 == buf.st_ctim.tv_nsec && (v7 = string_to_code("con"), v7 == buf.__unused4) )
            { // i == 1 j == 0
            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 5 = inp 1
            *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 3 = 5 = inp 0
            }
            else
            {
            v8 = string_to_code("cancel");      // 1 2
            if ( v8 == buf.st_ctim.tv_nsec && (v9 = string_to_code("enable"), v9 == buf.__unused4) )
            {
                v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 7 = inp 2
                *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 1 = 7
                *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 6 = 7
            }
            else
            {
                v10 = string_to_code("start");    // 2 1
                if ( v10 == buf.st_ctim.tv_nsec && (v11 = string_to_code("abort"), v11 == buf.__unused4) )
                {
                v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 11 = inp 3
                *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 2 = 11
                *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 4 = 11
                }
                else
                {
                v12 = string_to_code("enable"); // 2 3
                if ( v12 == buf.st_ctim.tv_nsec && (v13 = string_to_code("stop"), v13 == buf.__unused4) )
                {
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 13 = inp 4
                    *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 7 = 13
                    *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 9 = 13
                }
                else
                {
                    v14 = string_to_code("stop"); // 3 0
                    if ( v14 == buf.st_ctim.tv_nsec && (v15 = string_to_code("con"), v15 == buf.__unused4) )
                    {
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 15 = inp 5
                    *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 12=15
                    }
                    else if ( buf.st_ctim.tv_nsec == 3 && buf.__unused4 == 2 )
                    {                             // 3 2
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + 2] = v39_0x19_0x29[buf.__unused5++ + 25];// 17 = inp 6
                    *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 5 = 17
                    *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 13=17
                    }
                    else
                    {
                    v16 = string_to_code("stop");// 3 3
                    if ( v16 == buf.st_ctim.tv_nsec && (v17 = string_to_code("stop"), v17 == buf.__unused4) )
                    {
                        v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 18 = inp 7
                        *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 10 = 18
                        *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 14 = 18
                    }
                    else
                    {
                        v18 = string_to_code("stop");// 3 4
                        if ( v18 == buf.st_ctim.tv_nsec && (v19 = string_to_code("reboot"), v19 == buf.__unused4) )
                        {
                        v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 19 = inp 8
                        *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec
                                                                                    + buf.__unused4];// 110 8 = 19
                        }
                        else
                        {
                        v20 = string_to_code("reset");// 4 2
                        if ( v20 == buf.st_ctim.tv_nsec && (v21 = string_to_code("enable"), v21 == buf.__unused4) )
                        {
                            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 22 = inp 9
                            *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec
                                                                                    + buf.__unused4];// 110 11=22
                        }
                        else
                        { // v39_0x19_0x29[5i+j]其他情况为 i+j
                            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = buf.st_ctim.tv_nsec + buf.__unused4;
                        }
                        }
                    }
                    }
                }
                }
            }
            }
        }
        v22 = string_to_code("reset");          // 4
        if ( v22 == buf.st_ctim.tv_nsec )       // i == 4; sum 统计5*5矩阵最后一行的和
            sum += v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];
    }
    if ( stat("/etc/rc.d", &buf) ) // 这里导致buf被识别为stat结构体;
        sum += *(_DWORD *)&v38[12 * buf.st_ctim.tv_nsec + 0x110 + 4 * buf.__unused4];
}
success = 1;
// 5*3循环; v38 + 0x110处保存5*3的矩阵, v51_eq_19为每行的和-5*3
for ( buf.st_ctim.tv_nsec = 0; buf.st_ctim.tv_nsec <= 4; ++buf.st_ctim.tv_nsec )
{
    v51_eq_19 = 0;
    for ( buf.__unused4 = 0; (int)buf.__unused4 <= 2; ++buf.__unused4 )
    {
    v51_eq_19 += *(_DWORD *)&v38[12 * buf.st_ctim.tv_nsec + 0x110 + 4 * buf.__unused4];
    v51_eq_19 -= 5;
    }
    if ( v51_eq_19 != 19 )
    success = 0;
}
buf.__unused4 = string_to_code("act");      // 0
buf.__unused5 = string_to_code("act");
x0 = string_to_code("con");                 // 0
x1 = string_to_code("con");
x2 = string_to_code("con");
x3 = string_to_code("con");
x4 = string_to_code("con");
sum = string_to_code("act");
// 5*5的双重循环; 假设buf.st_ctim.tv_nsec为i, buf.__unused4为j
for ( buf.st_ctim.tv_nsec = 0; buf.st_ctim.tv_nsec <= 4; ++buf.st_ctim.tv_nsec )
{
    for ( buf.__unused4 = string_to_code("act"); (int)buf.__unused4 <= 4; ++buf.__unused4 )
    {  
        v4_0 = string_to_code("con");           // 0 3
        if ( v4_0 == buf.st_ctim.tv_nsec && (v5_3 = string_to_code("stop"), v5_3 == buf.__unused4) )
        { // 条件保证 i == 0, j == 3
            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 0x19];// v39_0x19_0x29[3] = inp 0
            *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 0 = 3 = inp 0
        }
        else
        {
            v6 = string_to_code("abort");         // 1 0
            if ( v6 == buf.st_ctim.tv_nsec && (v7 = string_to_code("con"), v7 == buf.__unused4) )
            { // i == 1 j == 0
            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 5 = inp 1
            *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 3 = 5 = inp 0
            }
            else
            {
            v8 = string_to_code("cancel");      // 1 2
            if ( v8 == buf.st_ctim.tv_nsec && (v9 = string_to_code("enable"), v9 == buf.__unused4) )
            {
                v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 7 = inp 2
                *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 1 = 7
                *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 6 = 7
            }
            else
            {
                v10 = string_to_code("start");    // 2 1
                if ( v10 == buf.st_ctim.tv_nsec && (v11 = string_to_code("abort"), v11 == buf.__unused4) )
                {
                v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 11 = inp 3
                *(_DWORD *)&v38[4 * x0++ + 0x110] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 2 = 11
                *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 4 = 11
                }
                else
                {
                v12 = string_to_code("enable"); // 2 3
                if ( v12 == buf.st_ctim.tv_nsec && (v13 = string_to_code("stop"), v13 == buf.__unused4) )
                {
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 13 = inp 4
                    *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 7 = 13
                    *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 9 = 13
                }
                else
                {
                    v14 = string_to_code("stop"); // 3 0
                    if ( v14 == buf.st_ctim.tv_nsec && (v15 = string_to_code("con"), v15 == buf.__unused4) )
                    {
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 15 = inp 5
                    *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 12=15
                    }
                    else if ( buf.st_ctim.tv_nsec == 3 && buf.__unused4 == 2 )
                    {                             // 3 2
                    v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + 2] = v39_0x19_0x29[buf.__unused5++ + 25];// 17 = inp 6
                    *(_DWORD *)&v38[4 * x1++ + 0x11C] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 5 = 17
                    *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 13=17
                    }
                    else
                    {
                    v16 = string_to_code("stop");// 3 3
                    if ( v16 == buf.st_ctim.tv_nsec && (v17 = string_to_code("stop"), v17 == buf.__unused4) )
                    {
                        v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 18 = inp 7
                        *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 10 = 18
                        *(_DWORD *)&v38[4 * x4++ + 0x140] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4];// 110 14 = 18
                    }
                    else
                    {
                        v18 = string_to_code("stop");// 3 4
                        if ( v18 == buf.st_ctim.tv_nsec && (v19 = string_to_code("reboot"), v19 == buf.__unused4) )
                        {
                        v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 19 = inp 8
                        *(_DWORD *)&v38[4 * x2++ + 0x128] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec
                                                                                    + buf.__unused4];// 110 8 = 19
                        }
                        else
                        {
                        v20 = string_to_code("reset");// 4 2
                        if ( v20 == buf.st_ctim.tv_nsec && (v21 = string_to_code("enable"), v21 == buf.__unused4) )
                        {
                            v39_0x19_0x29[5 * buf.st_ctim.tv_nsec + buf.__unused4] = v39_0x19_0x29[buf.__unused5++ + 25];// 22 = inp 9
                            *(_DWORD *)&v38[4 * x3++ + 0x134] = v39_0x19_0x29[5 * buf.st_ctim.tv_nsec
                                                                                    + buf.__unused4];// 110 11=22
                        }
