2022 Great Wall Cup Preliminary Round Write-up by EchoSec Security Team
Preface
This was the first competition the EchoSec Security Team took part in; thanks to everyone's efforts we finished 8th. Not a spectacular result, but it is EchoSec's first step. Anyone interested is welcome to join us and learn together; add us on WeChat: He1l_T4lk
re
rabbit_hole
On opening the binary there is a lot of junk code. I figured there was not much of it and just patched it out by hand, but it turned out there was actually quite a bit.
After patching, the main function becomes readable:
    v30[0] = v3;
    v30[1] = retaddr;
    v6 = alloca(4532);
    atexit(end);
    cout(std::cout, "Help Alice find a way out of the rabbit hole:");
    gets_s(input, 0x100u);
    input_length = strlen(input);               // input_length 16,134..
    v8 = BYTE2(input_length) ^ (16777619 * (BYTE1(input_length) ^ (16777619 * ((unsigned __int8)input_length ^ 0x50C5D1F))));
    v9 = HIBYTE(input_length) ^ (16777619 * v8);
    if ( v9 == 0x458766D3 )                     // input length = 134
    {
      strcpy(key, "The quick brown fox jumps over the lazy dog.");
      blow_fish_init((int)this, v4, v5, (int)key, v8);
      memset(key, 0, 40);
      blow_fish_encrypt(this, (int)key, (int)input, v19);
      v20 = 0;
      while ( key[v20] == not[v20] )
      {
        if ( ++v20 >= 40 )
        {
          v21 = cout(std::cout, "Can you get h3re? :>");
          std::ostream::operator<<(v21);
          return 0;
        }
      }
      v17 = (const char *)&unk_44C88;           // :<
LABEL_16:
Actually main() is of little use: it references blow_fish, aes and related routines, but careful analysis shows they are irrelevant to the flag.
Looking at the logic of main(), that is, at the final result string:
    for ( k = 0;
          (HIBYTE(k) ^ (16777619 * (BYTE2(k) ^ (16777619 * (BYTE1(k) ^ (16777619 * ((unsigned __int8)k ^ 0x50C5D1F))))))) != 1563082853;
          ++k )
    {
      if ( *((_BYTE *)&v30[-1130] + k) != cipher[k] )
      {
        v15 = cout(std::cout, "That is toooooooo bad :(");   // too bad
        std::ostream::operator<<(v15);
        exit(-1);
      }
    }
    v16 = cout(std::cout, "Not a very good path dont you think? :)");
    std::ostream::operator<<(v16);
    return 0;
  }
Even passing this check does not yield the flag.
On closer inspection there is an SEH handler inside blow_fish_encrypt; when the exception is triggered it is invoked and execution enters sub_411e0.
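Added example (my own code, not part of the original write-up or the challenge binary): both checks above use the same 32-bit FNV-1a-style hash over the four little-endian bytes of an integer, with 16777619 as the multiplier and 0x50C5D1F as the folded-in starting value. The length check requires hash(strlen(input)) == 0x458766D3, and the cipher-compare loop runs until hash(k) == 1563082853. The script below re-implements that expression and brute-forces the integer that satisfies it, confirming the "input length = 134" annotation; the function names length_hash and recover_length are mine.

```python
# Added example (not from the original write-up): re-implementation of the
# hash used by the length check and loop bound in rabbit_hole's decompiled main().
# Function names are my own; constants are the ones visible in the decompilation.

FNV_PRIME = 16777619   # 0x01000193, the 32-bit FNV prime seen in the expression
BASIS = 0x50C5D1F      # starting value folded into the decompiled expression
MASK = 0xFFFFFFFF      # keep all arithmetic in 32-bit unsigned range


def length_hash(n):
    """Replicate v9 from the decompilation: byte0 of n is XORed into BASIS,
    then for bytes 1..3 the running value is multiplied by FNV_PRIME and XORed
    with the next byte. There is no multiply after the final XOR, matching
    HIBYTE(n) ^ (16777619 * v8)."""
    b = (n & MASK).to_bytes(4, "little")
    h = BASIS ^ b[0]
    for byte in b[1:]:
        h = (h * FNV_PRIME) & MASK
        h ^= byte
    return h


def recover_length(target, limit=0x100):
    """Brute-force the smallest n in [0, limit) with length_hash(n) == target.
    gets_s(input, 0x100u) caps the input at 255 bytes, so the default range
    covers every reachable strlen(); returns None if nothing matches."""
    for n in range(limit):
        if length_hash(n) == target:
            return n
    return None


if __name__ == "__main__":
    # Length check in main(): v9 == 0x458766D3
    print("required input length:", recover_length(0x458766D3))
    # Loop bound of the cipher-compare loop: k runs until hash(k) == 1563082853.
    # The compared buffer is a stack region, not the input line, so search wider.
    print("cipher compare length:", recover_length(1563082853, 1 << 16))
```

Because the hash has no multiply after the last byte and only the low byte of a short length is non-zero, the three multiplications are fixed once byte0 is chosen, so the search space is tiny and a plain loop over the 256 possible lengths is enough.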
.text:00041595 loc_41595: ; DATA XREF: .rdata:stru_45340↓o
.text:00041595 ; __except(loc_41577) // owned by 41538
.text:00041595 8B 65 E8 mov esp, [ebp+ms_exc.old_esp]
.text:00041598 8B 4D 0C mov ecx, [ebp