攻防re-1 100

Zsc_02

于 2022-04-04 22:08:40 发布

阅读量98

点赞数

分类专栏：一些题目的wp 文章标签：学习安全

本文链接：https://blog.csdn.net/m0_62690279/article/details/123961658

版权

一些题目的wp 专栏收录该内容

16 篇文章 0 订阅

订阅专栏

攻防re-1 100

拖入ida，main函数f5

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  __pid_t v3; // eax
  size_t v4; // rax
  ssize_t v5; // rbx
  bool v6; // al
  bool bCheckPtrace; // [rsp+13h] [rbp-1BDh]
  ssize_t numRead; // [rsp+18h] [rbp-1B8h]
  ssize_t numReada; // [rsp+18h] [rbp-1B8h]
  char bufWrite[200]; // [rsp+20h] [rbp-1B0h] BYREF
  char bufParentRead[200]; // [rsp+F0h] [rbp-E0h] BYREF
  unsigned __int64 v12; // [rsp+1B8h] [rbp-18h]

  v12 = __readfsqword('(');
  bCheckPtrace = detectDebugging();
  if ( pipe(pParentWrite) == -1 )
    exit(1);
  if ( pipe(pParentRead) == -1 )
    exit(1);
  v3 = fork();
  if ( v3 != -1 )
  {
    if ( v3 )
    {
      close(pParentWrite[0]);
      close(pParentRead[1]);
      while ( 1 )
      {
        printf("Input key : ");
        memset(bufWrite, 0, sizeof(bufWrite));
        gets(bufWrite);
        v4 = strlen(bufWrite);
        v5 = write(pParentWrite[1], bufWrite, v4);
        if ( v5 != strlen(bufWrite) )
          printf("parent - partial/failed write");
        do
        {
          memset(bufParentRead, 0, sizeof(bufParentRead));// 全部置零
          numReada = read(pParentRead[0], bufParentRead, 200uLL);
          v6 = bCheckPtrace || checkDebuggerProcessRunning();
          if ( !v6 && checkStringIsNumber(bufParentRead) && atoi(bufParentRead) )
          {
            puts("True");
            if ( close(pParentWrite[1]) == -1 )
              exit(1);
            exit(0);
          }
          puts("Wrong !!!\n");
        }
        while ( numReada == -1 );
      }
    }
    close(pParentWrite[1]);
    close(pParentRead[0]);
    while ( 1 )
    {
      memset(bufParentRead, 0, sizeof(bufParentRead));
      numRead = read(pParentWrite[0], bufParentRead, 0xC8uLL);
      if ( numRead == -1 )
        break;
      if ( numRead )
      {
        if ( !childCheckDebugResult()
          && bufParentRead[0] == '{'
          && strlen(bufParentRead) == 42
          && !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL)
          && bufParentRead[strlen(bufParentRead) - 1] == '}'
          && !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL)
          && confuseKey(bufParentRead, 42)
          && !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
        {
          responseTrue();
        }
        else
        {
          responseFalse();
        }
      }
    }
    exit(1);
  }
  exit(1);
}

发现前面的函数在判断输入的东西长度等规格是否正确

代码的下面出现了一些像是flag的字符串，推测该部分是关键的flag部分

if ( !childCheckDebugResult()
          && bufParentRead[0] == '{'
          && strlen(bufParentRead) == 42
          && !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL)
          && bufParentRead[strlen(bufParentRead) - 1] == '}'
          && !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL)
          && confuseKey(bufParentRead, 42)
          && !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
        {
          responseTrue();
        }

大概就是满足if的条件即为正确flag

bufParentRead是输入的东西

关键有一个函数confusekey（），其关键部分如下

  memset(szKey, 0, 42uLL);
  *szKey = '{';
  strcat(szKey, szPart3);
  strcat(szKey, szPart4);
  strcat(szKey, szPart1);
  strcat(szKey, szPart2);
  szKey[41] = '}';
  return 1;

可以看出是将字符串：daf29f59034938ae4efd53fc275d81053ed5be8c 按照3，4，1，2的顺序重新平分排序，得到的结果即为flag。

Zsc_02

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
打赏
0
评论
攻防re-1 100

攻防re-1 100拖入ida，main函数f5int __cdecl __noreturn main(int argc, const char **argv, const char **envp){ __pid_t v3; // eax size_t v4; // rax ssize_t v5; // rbx bool v6; // al bool bCheckPtrace; // [rsp+13h] [rbp-1BDh] ssize_t numRead; // [rsp+1
复制链接

扫一扫