碼上歡樂
相關內容    簡體    繁體

2022 虎符CTF&HFCTF Reverse Writeup

本文轉載自   查看原文   2022-03-22 11:59   514    CTF/ CTF_WP

fpbe

根據二進制文件API符號信息,發現是使用一個叫做eBPF框架編寫的程序,Google學習一下。發現eBPF是Linux下的一個程序框架,eBPF在Linux內核中運行一個BPF虛擬機,可以接收來自用戶層的BPF bytecode,經過安全檢查后經由BPF虛擬機可在內核態執行,這個字節碼二進制程序通常叫做xxx.bpf.c。本題目的核心邏輯便是存在一個叫做fpbe.bpf.c編程成的ELF文件,這個文件編譯進了題目附件的rodata段中,提取出來即可。

基本信息如下,可以看見是Linux BPF框架。

里面有一個叫做uprobe/func的段,存儲的就是BPF bytecode,可以用LLVM-objdum反匯編。

100行左右,主要是求解四個四元一次方程組。

import libnum
from z3 import *

r1 = Int('r1')
r2 = Int('r2')
r3 = Int('r3')
r4 = Int('r4')

s = Solver()

s.add(r3*28096 + r2*64392 + r4*29179 + r1*52366 == 209012997183893)
s.add(r3*61887 + r2*27365 + r4*44499 + r1*37508 == 181792633258816)
s.add(r3*56709 + r2*32808 + r4*25901 + r1*59154 == 183564558159267)
s.add(r3*33324 + r2*51779 + r4*31886 + r1*62010 == 204080879923831)


if s.check() == sat:
    s = s.model()
    flag = libnum.n2s(s[r1].as_long()) + libnum.n2s(s[r4].as_long()) + libnum.n2s(s[r2].as_long()) + libnum.n2s(s[r3].as_long())
    print(flag[::-1]) # 0vR3sAlbs8pD2h53

the shellcode

有Themida / Winlicense 3.x殼,直接上x64看看什么情況。因為控制台有輸出,先嘗試在標准IO函數下斷點,發現斷在了printf和scanf里面,走出來就是main,這個時候代碼已經復原,動態脫殼完成。

直接轉到IDA中看,第一段輸入經過下面幾個部分。先是一個base家系的解碼操作,接着字節循環位移,然后稍有改動的xxtea加密,最后比較。

#include "defs.h"
#include <stdio.h>
#include <stdint.h>


void XXTeaDecrypt(int n, uint32_t* v, uint32_t const key[4])
{

    uint32_t y, z, sum;
    unsigned p, rounds, e;
    uint32_t DELTA = -0x61C88647;
    rounds = 6 + 52 / n;
    sum = rounds * DELTA;
    y = v[0];
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--)
        {
            z = v[p - 1];
            y = v[p] -= ((sum ^ y) + (z ^ key[e ^ p & 3])) ^ (((16 * z) ^ (y >> 3)) + ((z >> 6) ^ (4 * y)));
        }
        z = v[n - 1];
        y = v[0] -= ((sum ^ y) + (z ^ key[e ^ p & 3])) ^ (((16 * z) ^ (y >> 3)) + ((z >> 6) ^ (4 * y)));
        sum -= DELTA;
    } while (--rounds);
}

uint8_t Translate(uint8_t e, uint8_t* table)
{
    for (size_t i = 0; i < 256; i++)
    {
        if (table[i] == e)
            return i;
    }
    return 0;
}

void* decode(int inlen, uint8_t* data, int* outlen)
{
    uint8_t table[] = {
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x40, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x3E, 0x42, 0x42, 0x42, 0x3F, 0x34, 0x35,
    0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x42, 0x42,
    0x42, 0x41, 0x42, 0x42, 0x42, 0x00, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
    0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x1A, 0x1B, 0x1C,
    0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
    0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
    0x31, 0x32, 0x33, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
    0x42, 0x42, 0x42, 0x42, 0x42, 0x42
    };



    *outlen = (inlen / 3) << 2;
    uint8_t* outdata = (uint8_t*)malloc(*outlen);
    if (outdata != NULL)
    {
        memset(outdata, 0, *outlen);
        int pos = 0;
        for (size_t i = 0; i < inlen; i += 3)
        {
            uint8_t e1, e2, e3, e4;
            int e;
            e = data[i + 2] + (((uint32_t)data[i + 1] + ((uint32_t)data[i] << 8)) << 8);
            e4 = e & 0b111111;
            e3 = (e >> 6) & 0b111111;
            e2 = (e >> 6*2) & 0b111111;
            e1 = (e >> 6*3) & 0b111111;

            
            outdata[pos++] = Translate(e1, table);
            outdata[pos++] = Translate(e2, table);
            outdata[pos++] = Translate(e3, table);
            outdata[pos++] = Translate(e4, table);
        }
    }
    return (void*)outdata;
}


int main()
{


    uint32_t key[4] = { 116, 111, 114, 97 };
    uint8_t enc[] = {
          0xA1, 0x89, 0x6B, 0x4B, 0x53, 0x54, 0xC1, 0x74, 0x6E, 0xA0,
          0x92, 0x40, 0x07, 0x0C, 0x9B, 0x42, 0x84, 0x1E, 0x28, 0x40,
          0xC9, 0x44, 0x5B, 0x8B, 0x7B, 0xB3, 0xFE, 0x66, 0x03, 0xA6,
          0x77, 0x3C, 0x2D, 0x89, 0xC5, 0x79, 0x97, 0xDA, 0x7A, 0x0D,
          0x56, 0xAA, 0x51, 0x1D, 0x03, 0xD7, 0xD4, 0x02, 0xBA, 0x26,
          0xA5, 0x4F, 0x4A, 0xD6, 0xFA, 0x32, 0x91, 0x60, 0x0F, 0x0C,
          0x93, 0x75, 0x2B, 0x56, 0x67, 0xDD, 0x9A, 0xDB, 0x63, 0x55,
          0x16, 0x76, 0x15, 0x93, 0xF7, 0xA5, 0x1D, 0x99, 0xEB, 0x3A,
          0xD4, 0x21, 0xB7, 0x1A, 0x2C, 0x9D, 0xCD, 0xAA, 0x27, 0x2B,
          0x5C, 0x82, 0x1A, 0x76, 0xA7, 0x76, 0x18, 0x5F, 0x00, 0xB4,
          0x63, 0x37, 0x7F, 0x11, 0x40, 0xC5, 0x2C, 0x51, 0x6F, 0xA1,
          0x94, 0xC5, 0x8C, 0x4F, 0xE2, 0xD0, 0xE9, 0xE2, 0xA3, 0x9C,
          0xD5, 0xC2, 0x9C, 0x0A, 0x1D, 0xE6, 0x29, 0x46, 0xE3, 0x29,
          0x71, 0x63, 0xD7, 0x8A, 0x4E, 0xCA, 0x71, 0xAF, 0xDF, 0xF5,
          0xAB, 0x68, 0x4E, 0x47, 0x3A, 0xBC, 0x2F, 0x54, 0x17, 0x16,
          0x74, 0xD6, 0xE5, 0xBB, 0x0D, 0xAD, 0xE3, 0xBB, 0xF7, 0x62,
          0x07, 0x8C, 0xD6, 0xC8, 0x0E, 0x95, 0x0E, 0x88, 0xBA, 0x25,
          0x0F, 0xF8, 0x4C, 0x26, 0x7A, 0x76, 0x14, 0xE0, 0x7C, 0x9A,
          0xEE, 0xC9, 0x8B, 0x5C, 0xD4, 0xF7, 0x9E, 0x5D, 0xDE, 0xAC,
          0x99, 0xB9, 0x13, 0x8E, 0xEC, 0xB2, 0x2D, 0x23, 0x68, 0xEE,
          0xCE, 0x5F, 0x7C, 0x92, 0x5D, 0xA8, 0xE3, 0xC9, 0x6B, 0xB5,
          0x74, 0xAC, 0x12, 0xE7, 0xB6, 0x42, 0xDA, 0x98, 0x28, 0xCD,
          0x58, 0x1C, 0xF1, 0xFC, 0xEE, 0x75, 0x70, 0xF5, 0x78, 0xE6,
          0x76, 0x50, 0x35, 0x6A, 0xD6, 0xD4, 0xB9, 0x5A, 0x10, 0x95,
          0x03, 0x44, 0xB0, 0x1B, 0x59, 0xB9, 0x40, 0xB2, 0x1A, 0x26,
          0x4E, 0x7B, 0xD8, 0x29, 0xD1, 0x23, 0xCD, 0x52, 0xE7, 0xF5,
          0x70, 0x8F, 0xA7, 0x4E
    };

    XXTeaDecrypt(66, (uint32_t*)enc, key);

    for (size_t i = 0; i < 264; i++)
    {
        enc[i] = __ROR1__(enc[i], 3);
    }


    int size;
    uint8_t* out = (uint8_t*)decode(0x108, enc, &size);

    for (size_t i = 0; i < size; i++)
    {
        putchar(out[i]);
    }// YPxoTHcmBzPSZItSMItSDItSFItyKA+3SiYz/zPArDxhfAIsIMHPDQP44vBSV4tSEItCPAPCi0B4hcAPhL4AAAADwlCLSBiLWCAD2oP5AA+EqQAAAEmLNIsD8jP/M8Cswc8NA/g6xHX0A3wkBDt8JAx12TP/M8mDwlAPtgQKwc8NA/hBg/kOdfHBzw1XM/8zyYtUJDxSD7YcDrhnZmZm9+vR+ovCwegfA8KNBIAr2FoPtgQKK8PBzw0D+EGD+Q511MHPDTs8JHQWaCVzAACLxGhubwAAVFCLXCRI/9PrFGglcwAAi8RoeWVzAFRQi1wkSP/TWFhYWFhYWFhYYcNYX1qLEukL////
    
    if (out)
        free(out);

    return 0;
}

第二段輸入進去后,會執行動態解密的一個函數,關鍵點如下。經分析,發現是程序自帶的兩個符號信息進行了同樣的運算,互相參照結果,還原即可。

a = [  0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
  0x20, 0x63, 0x61, 0x6E]
b = [
    0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72,
    0x79, 0x45, 0x78, 0x41
]
flag = []
for i in range(14):
    flag.append(a[i] + b[i] % 5)
print(''.join(map(chr, flag))) # jt"psojvcq!gan


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 虎符CTF web復現 南郵CTF - Writeup NUC_CTF-writeup 0ops CTF/0CTF writeup X-CTF(REVERSE入門) re1 安鸞CTF Writeup wordpress 01 Writeup - CTF - WEB - 練習平台(123.206.31.85) Writeup - CTF - MISC - 練習平台(123.206.31.85) ctf小學生-rsa writeup CTF-Reverse-[GXYCTF2019]luck_guy
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM