前言
继续ctf的旅程
攻防世界Reverse高手进阶区的2分题
本篇是re1-100的writeup
发现攻防世界的题目分数是动态的
就仅以做题时的分数为准了
解题过程
PE查壳
扔进IDA
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
__pid_t v3; // eax
size_t v4; // rax
ssize_t v5; // rbx
bool v6; // al
char **argva; // [rsp+0h] [rbp-1D0h]
bool bCheckPtrace; // [rsp+13h] [rbp-1BDh]
ssize_t numRead; // [rsp+18h] [rbp-1B8h]
ssize_t numReada; // [rsp+18h] [rbp-1B8h]
char bufWrite[200]; // [rsp+20h] [rbp-1B0h]
char bufParentRead[200]; // [rsp+F0h] [rbp-E0h]
unsigned __int64 v13; // [rsp+1B8h] [rbp-18h]
argva = (char **)argv;
v13 = __readfsqword(0x28u);
bCheckPtrace = detectDebugging();
if ( pipe(pParentWrite) == -1 )
exit(1);
if ( pipe(pParentRead) == -1 )
exit(1);
v3 = fork();
if ( v3 != -1 )
{
if ( v3 )
{
close(pParentWrite[0]);
close(pParentRead[1]);
while ( 1 )
{
printf("Input key : ", argva);
memset(bufWrite, 0, 0xC8uLL);
gets(bufWrite, 0LL);
v4 = strlen(bufWrite);
v5 = write(pParentWrite[1], bufWrite, v4);
if ( v5 != strlen(bufWrite) )
printf("parent - partial/failed write", bufWrite);
do
{
memset(bufParentRead, 0, 0xC8uLL);
numReada = read(pParentRead[0], bufParentRead, 0xC8uLL);
v6 = bCheckPtrace || checkDebuggerProcessRunning();
if ( v6 )
{
puts("Wrong !!!\n");
}
else if ( !checkStringIsNumber(bufParentRead) )
{
puts("Wrong !!!\n");
}
else
{
if ( atoi(bufParentRead) )
{
puts("True");
if ( close(pParentWrite[1]) == -1 )
exit(1);
exit(0);
}
puts("Wrong !!!\n");
}
}
while ( numReada == -1 );
}
}
close(pParentWrite[1]);
close(pParentRead[0]);
while ( 1 )
{
memset(bufParentRead, 0, 0xC8uLL);
numRead = read(pParentWrite[0], bufParentRead, 0xC8uLL);
if ( numRead == -1 )
break;
if ( numRead )
{
if ( childCheckDebugResult() )
{
responseFalse();
}
else if ( bufParentRead[0] == 123 )
{
if ( strlen(bufParentRead) == 42 )
{
if ( !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL) )
{
if ( bufParentRead[strlen(bufParentRead) - 1] == 125 )
{
if ( !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL) )
{
if ( !confuseKey(bufParentRead, 42) )
{
responseFalse();
}
else if ( !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
{
responseTrue();
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
else
{
responseFalse();
}
}
}
exit(1);
}
exit(1);
}
先看到return true这里一堆判断
- 第一个字符为
{
- 总长42
- 前10位为
53fc275d81
- 最后一个字符为
}
- 最后的字符为
4938ae4efd
confuseKey
函数判断- 然后与
{daf29f59034938ae4efd53fc275d81053ed5be8c}
比较
跟踪confuseKey
函数
发现就是前半和后半互换了
那就换回来得到53fc275d81053ed5be8cdaf29f59034938ae4efd
提交时一开始加了{}
说错误
后来发现不用括号
结语
简单题