参考谷歌原题改动:https://ctf.harrisongreen.me/2022/googlectf/eldar/
重定位表当字节码,elf加载器当解释器,跑脚本用https ://gist.github.com/hgarrereyn/9e536e8b3471d3cb8ecbb5932a776b95
from collections import namedtuple
from dataclasses import dataclass
md = Cs(CS_ARCH_X86, CS_MODE_64)
b = lief.ELF.parse('./deeprev')
raise Exception('Must have the ./eldar binary in cwd')
rela = x for x in b.sections if x.name == '.rela.dyn'
dynsym = x for x in b.sections if x.name == '.dynsym'
return f'{self.sym}.{self.field}'
return f'{self.reloc}.{self.field}'
case 'r_addend': off = 16
return (self.reloc.idx * 24) + off + rela.virtual_address
return f'flag[{self.idx}]'
return f'out[{self.idx}]'
return f'arr[{self.idx}]'
BaseAddr = namedtuple('baseaddr', [])
FailAddr = namedtuple('fail', [])
def format_addr(addr: int):
if addr >= rela.virtual_address and addr < rela.virtual_address + rela.size:
offset = addr - rela.virtual_address
r_offset = (offset // 24)
if r_offset >= 3 and r_offset <= 88:
arr_idx = (r_offset - 3) * 3 + (r_rem // 8)
case 0: return RelocAddr(Reloc(r_offset), 'r_address')
case 8: return RelocAddr(Reloc(r_offset), 'r_info')
case 16: return RelocAddr(Reloc(r_offset), 'r_addend')
case _: return RelocAddr(Reloc(r_offset), r_rem)
elif addr > dynsym.virtual_address and addr < dynsym.virtual_address + dynsym.size:
offset = addr - dynsym.virtual_address
r_offset = (offset // 24)
case 0: return SymAddr(Symbol(r_offset), 'st_name')
case 8: return Symbol(r_offset)
case 16: return SymAddr(Symbol(r_offset), 'st_size')
case _: return SymAddr(Symbol(r_offset), r_rem)
elif addr >= 0x404040 and addr < 0x404040+33:
return Symbol(ord(name[0]))
Rel = namedtuple('REL', ['dst','val','ridx'])
Copy = namedtuple('CPY', ['dst', 'symbol', 'ridx'])
R64 = namedtuple('R64', ['dst','symbol','addend','ridx'])
R32 = namedtuple('R32', ['dst','symbol','addend','ridx'])
print('[*] Loading relocations...')
relocs = list(b.relocations)
for i in range(3, len(relocs)):
instructions.append(R64(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i))
instructions.append(Copy(format_addr(r.address), to_sym(r.symbol.name), i))
instructions.append(Rel(format_addr(r.address), format_addr(r.addend), i))
instructions.append(R32(format_addr(r.address), to_sym(r.symbol.name), format_addr(r.addend), i))
Mov = namedtuple('mov', ['dst', 'src', 'sz', 'ridx'])
Add = namedtuple('add', ['dst', 'src', 'addend', 'ridx'])
def lift_mov_add(instructions):
for instr in instructions:
case Rel(SymAddr(Symbol(idx), 'st_size'), val, ridx):
while idx < len(instructions):
case Rel(dst, val, ridx):
instructions[idx] = Mov(dst, Ref(val), 8, ridx)
case Copy(dst, sym, ridx):
instructions[idx] = Mov(dst, sym, sizesidx, ridx)
case R64(dst, sym, add, ridx):
instructions[idx] = Add(dst, sym, add, ridx)
def remove_sizes(instructions):
while idx < len(instructions):
case Mov(SymAddr(Symbol(s), 'st_size'), _, _, _) if s != 3:
instructions[idx:idx+1] = []
def lift_indirect(instructions):
while idx < len(instructions):
match instructions[idx:idx+3]:
Mov(RelocAddr(Reloc(rel_1), 'r_addend'), Symbol(sidx_1), sz_1, ridx_1),
Add(dst_2, sym_2, _, ridx_2),
Mov(RelocAddr(Reloc(rel_3), 'r_addend'), Ref(0), sz_3, _),
(rel_1 == ridx_2) and (rel_3 == ridx_2)
instructions[idx:idx+3] = [
Add(dst_2, sym_2, Symbol(sidx_1), ridx_1)
Block = namedtuple('block', ['arr', 'flag', 'ridx'])
Output = namedtuple('output', ['out', 'arr', 'ridx'])
def lift_block(instructions):
while idx < len(instructions):
match instructions[idx:idx+18]:
instructions[idx:idx+18] = [
Reset = namedtuple('reset', ['ridx'])
ShuffleBlock = namedtuple('shuffleblock', ['f1', 'f2', 'ridx'])
def lift_reset(instructions):
while idx < len(instructions) - 256:
if dst != ArrAddr(i) or src != Ref(i):
instructions[idx:idx+256] = [Reset(instructions[idx].ridx)]
def lift_shuffle_block(instructions):
while idx < len(instructions) - 256:
if arr != Ref(ArrAddr(i)):
instructions[idx:idx+256] = [ShuffleBlock(instructions[idx].flag, instructions[idx+1].flag, instructions[idx].ridx)]
Output = namedtuple('output', ['out', 'arr', 'ridx'])
def lift_output(instructions):
while idx < len(instructions):
match instructions[idx:idx+26]:
instructions[idx:idx+26] = [Output(out, arr, ridx)]
MultAdd = namedtuple('multadd', ['out', 'val', 'k', 'ridx'])
def lift_multadd(instructions):
while idx < len(instructions):
match instructions[idx:idx+3]:
Mov(Symbol(2), out, _, ridx),
Mov(Symbol(5), Symbol(2), _, _),
Mov(Symbol(6), Ref(0), _, _),
while ptr < len(instructions):
case Mov(Symbol(2), Ref(Symbol(6)), _, _):
case Mov(Symbol(2), Ref(Symbol(5)), _, _):
case Add(Symbol(6), Symbol(6), Symbol(2), _):
k = (k * 2) if double else (k + 1)
case Add(Symbol(7), Symbol(7), Symbol(2), _):
instructions[idx:ptr] = [
MultAdd(Symbol(7), out, k, ridx)
Trunc = namedtuple('trunc', ['val', 'k', 'ridx'])
def lift_truncate(instructions):
while idx < len(instructions):
match instructions[idx:idx+2]:
Mov(Symbol(2), Ref(SymAddr(Symbol(5), 11)), _, ridx),
Mov(SymAddr(Symbol(7), 11), Symbol(2), 5, _)
instructions[idx:idx+2] = [
Trunc(Symbol(7), 0xffffff, ridx)]
ArraySlots = namedtuple('arr', ['values', 'ridx'])
def lift_array_slots(instructions):
case Mov(BaseAddr(), Ref(0), _, ridx):
while ptr < len(instructions):
if type(op) != Mov or op.dst != BaseAddr():
# Check for movs into array.
vstart = RelocAddr(Reloc(ridx), 'r_address').vaddr()
while end + offset < len(instructions) and offset < ((end - start) * 3):
op = instructions[end + offset]
if type(op) == Mov and type(op.dst) is RelocAddr and op.dst.vaddr() == vstart + (offset * 8):
data += [0] * (((end - start) * 3) - len(data))
instructions[idx:end+offset] = [
Shellcode = namedtuple('shellcode', ['dst', 'code', 'ridx'])
def lift_shellcode(instructions):
while idx < len(instructions):
match instructions[idx:idx+6]:
ArraySlots(values, ridx),
Mov(Symbol(3), Ref(RelocAddr(Reloc(rel2), 'r_address')), _, _),
Mov(SymAddr(Symbol(3), 'st_name'), _, _, _),
Add(dst, Symbol(3), _, _),
Mov(RelocAddr(Reloc(rel6), 'r_address'), Symbol(2), _, _)
] if (rel2 == ridx) and (rel6 == ridx):
instructions[idx:idx+6] = [
Shellcode(dst, b''.join([(x & 0xffffffffffffffff).to_bytes(8, 'little') for x in values]), ridx)
Aop = namedtuple('aop', ['dst', 'op', 'val', 'k', 'ridx'])
def lift_aop(instructions):
while idx < len(instructions):
match instructions[idx:idx+5]:
Mov(Symbol(2), val, _, ridx),
Mov(Symbol(5), Symbol(2), _, _),
Mov(Symbol(2), Ref(Symbol(5)), _, _),
Add(dst, dst2, Symbol(2), _)
] if len(data) == 24 and (dst == dst2):
op = next(md.disasm(data, 0))
k = int(op.op_str.split(', ')[-1], 16)
instructions[idx:idx+5] = [
Aop(dst, t, val, k, ridx)
case Mov(SymAddr(sym, 'st_name'), Ref(val), 8, ridx) if type(val) is int:
other = (val >> 5) & 0xff
shndx = (val >> 6) & 0xffff
print(f'[{ridx:04d}] :: setinfo {sym}, name=0x{name:x}, info=0x{info:x}, other=0x{other:x}, shndx=0x{shndx:x}')
case Mov(BaseAddr(), Ref(0), _, ridx):
print(f'[{ridx:04d}] :: [ARRAY SLOT]')
case Mov(dst, src, 8, ridx):
print(f'[{ridx:04d}] :: mov {dst}, {src}')
case Mov(dst, src, sz, ridx):
print(f'[{ridx:04d}] :: mov({sz}) {dst}, {src}')
case Add(dst, src, add, ridx):
print(f'[{ridx:04d}] :: add {dst}, {src}, {add}')
case R32(dst, src, add, ridx):
print(f'[{ridx:04d}] :: r32 {dst}, {src}, {add}')
case Block(arr, flag, ridx):
print(f'[{ridx:04d}] :: shuffle {arr}, {flag}')
case Output(out, arr, ridx):
print(f'[{ridx:04d}] :: output {out}, {arr}')
case ShuffleBlock(f1, f2, ridx):
print(f'[{ridx:04d}] :: shuffleblock {f1}, {f2}')
case MultAdd(dst, val, k, ridx):
print(f'[{ridx:04d}] :: madd {dst} += ({val} * {k})')
case Aop(dst, op, val, k, ridx):
print(f'[{ridx:04d}] :: aop {dst} += ({val} {op} {k})')
print(f'[{ridx:04d}] :: reset')
case Trunc(val, k, ridx):
print(f'[{ridx:04d}] :: trunc {val} &= 0x{k:x}')
case ArraySlots(values, ridx):
print(f'[{ridx:04d}] :: array [{", ".join([hex(x) for x in values])}]')
case Shellcode(dst, code, ridx):
print(f'[{ridx:04d}] :: exec {dst} <- {code.hex()}')
for i in md.disasm(code, 0):
print(" 0x%x:t%st%s" %(i.address, i.mnemonic, i.op_str.replace('0x8040e4', 's5').replace('0x8040cc', 's4')))
print(f'[*] {lift_fn.name}...')
instructions = lift_fn(instructions)
instructions = lift(instructions)
.rela.dyn RELA 804272 24fd08 4272 0.767243 ALLOC LOAD
[*] Loading relocations...
[*] lift_shuffle_block...
REL(dst=baseaddr(), val=0, ridx=3)
REL(dst=baseaddr(), val=0, ridx=4)
[0005] :: mov s2, &flag[0]
[0009] :: mov arr[15], &1585408084625667200
//16008040CC253480 803425CC40800016
[0010] :: mov arr[16], &195
[0011] :: mov s3, &arr[15]
[0012] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0013] :: add arr[15], s3, 0
[0014] :: mov s2, &r101002.r_address
[0016] :: mov(24) arr[15], s2
[0018] :: mov arr[42], &141015791240320
[0019] :: mov arr[43], &195
[0020] :: mov s3, &arr[42]
[0021] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0022] :: add arr[42], s3, 0
[0023] :: mov arr[42], s2
[0026] :: mov(1) arr[0], s2
[0027] :: mov s2, &flag[1]
[0030] :: mov arr[78], &1657465678663595136
[0031] :: mov arr[79], &195
[0032] :: mov s3, &arr[78]
[0033] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0034] :: add arr[78], s3, 0
[0035] :: mov s2, &r101002.r_address
[0037] :: mov(24) arr[78], s2
[0039] :: mov arr[105], &72198609829168256
[0040] :: mov arr[106], &195
[0041] :: mov s3, &arr[105]
[0042] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0043] :: add arr[105], s3, 0
[0044] :: mov arr[105], s2
[0047] :: mov(1) arr[0], s2
[0048] :: mov s2, &flag[2]
[0051] :: mov arr[141], &1153062520398099584 //10008040CC253480 10
[0052] :: mov arr[142], &195
[0053] :: mov s3, &arr[141]
[0054] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0055] :: add arr[141], s3, 0
[0056] :: mov s2, &r101002.r_address
[0058] :: mov(24) arr[141], s2
[0060] :: mov arr[168], &144256203867096192
//2008040CC250480 //08040CC25048 //20
[0061] :: mov arr[169], &195
[0062] :: mov s3, &arr[168]
[0063] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0064] :: add arr[168], s3, 0
[0065] :: mov arr[168], s2
[0068] :: mov(1) arr[0], s2
[0069] :: mov s2, &flag[3]
[0072] :: mov arr[204], &1297177708473955456
//12008040CC253480 //803452CC40800012
[0073] :: mov arr[205], &195
[0074] :: mov s3, &arr[204]
[0075] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0076] :: add arr[204], s3, 0
[0077] :: mov s2, &r101002.r_address
[0079] :: mov(24) arr[204], s2
[0081] :: mov arr[231], &216313797905024128
[0082] :: mov arr[232], &195
[0083] :: mov s3, &arr[231]
[0084] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0085] :: add arr[231], s3, 0
[0086] :: mov arr[231], s2
[0089] :: mov(1) arr[0], s2
[0090] :: mov s2, &flag[4]
[0092] :: exec r92.r_address <- 803425cc40800010c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x10
[0101] :: array [0x4008040cc250480, 0xc3, 0x0]
[0104] :: mov s3, &r101.r_address
[0105] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0106] :: add r101.r_address, s3, 0
[0107] :: mov r101.r_address, s2
[0110] :: mov(1) arr[0], s2
[0111] :: mov s2, &flag[5]
[0113] :: exec r113.r_address <- 803425cc40800011c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x11
[0122] :: array [0x5008040cc250480, 0xc3, 0x0]
0x5008040cc250480 800425cc4080005
[0125] :: mov s3, &r122.r_address
[0126] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0127] :: add r122.r_address, s3, 0
[0128] :: mov r122.r_address, s2
[0131] :: mov(1) arr[0], s2
[0132] :: mov s2, &flag[6]
[0134] :: exec r134.r_address <- 803425cc40800012c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x12
[0143] :: array [0x6008040cc250480, 0xc3, 0x0]
[0146] :: mov s3, &r143.r_address
[0147] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0148] :: add r143.r_address, s3, 0
[0149] :: mov r143.r_address, s2
[0152] :: mov(1) arr[0], s2
[0153] :: mov s2, &flag[7]
[0155] :: exec r155.r_address <- 803425cc40800013c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x13
[0164] :: array [0x7008040cc250480, 0xc3, 0x0]
[0167] :: mov s3, &r164.r_address
[0168] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0169] :: add r164.r_address, s3, 0
[0170] :: mov r164.r_address, s2
[0173] :: mov(1) arr[0], s2
[0174] :: mov s2, &flag[8]
[0176] :: exec r176.r_address <- 803425cc40800014c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x14
[0185] :: array [0x8008040cc250480, 0xc3, 0x0]
[0188] :: mov s3, &r185.r_address
[0189] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0190] :: add r185.r_address, s3, 0
[0191] :: mov r185.r_address, s2
[0194] :: mov(1) arr[1], s2
[0195] :: mov s2, &flag[9]
[0197] :: exec r197.r_address <- 803425cc40800015c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x15
[0206] :: array [0x9008040cc250480, 0xc3, 0x0]
[0209] :: mov s3, &r206.r_address
[0210] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0211] :: add r206.r_address, s3, 0
[0212] :: mov r206.r_address, s2
[0215] :: mov(1) arr[1], s2
[0216] :: mov s2, &flag[10]
[0218] :: exec r218.r_address <- 803425cc40800016c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x16
[0227] :: array [0xa008040cc250480, 0xc3, 0x0]
[0230] :: mov s3, &r227.r_address
[0231] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0232] :: add r227.r_address, s3, 0
[0233] :: mov r227.r_address, s2
[0236] :: mov(1) arr[1], s2
[0237] :: mov s2, &flag[11]
[0239] :: exec r239.r_address <- 803425cc40800017c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x17
[0248] :: array [0xb008040cc250480, 0xc3, 0x0]
[0251] :: mov s3, &r248.r_address
[0252] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0253] :: add r248.r_address, s3, 0
[0254] :: mov r248.r_address, s2
[0257] :: mov(1) arr[1], s2
[0258] :: mov s2, &flag[12]
[0260] :: exec r260.r_address <- 803425cc40800018c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x18
[0269] :: array [0xc008040cc250480, 0xc3, 0x0]
[0272] :: mov s3, &r269.r_address
[0273] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0274] :: add r269.r_address, s3, 0
[0275] :: mov r269.r_address, s2
[0278] :: mov(1) arr[1], s2
[0279] :: mov s2, &flag[13]
[0281] :: exec r281.r_address <- 803425cc40800019c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x19
[0290] :: array [0xd008040cc250480, 0xc3, 0x0]
[0293] :: mov s3, &r290.r_address
[0294] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0295] :: add r290.r_address, s3, 0
[0296] :: mov r290.r_address, s2
[0299] :: mov(1) arr[1], s2
[0300] :: mov s2, &flag[14]
[0302] :: exec r302.r_address <- 803425cc40800024c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x24
[0311] :: array [0xe008040cc250480, 0xc3, 0x0]
[0314] :: mov s3, &r311.r_address
[0315] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0316] :: add r311.r_address, s3, 0
[0317] :: mov r311.r_address, s2
[0320] :: mov(1) arr[1], s2
[0321] :: mov s2, &flag[15]
[0323] :: exec r323.r_address <- 803425cc4080002cc3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x2c
[0332] :: array [0xf008040cc250480, 0xc3, 0x0]
[0335] :: mov s3, &r332.r_address
[0336] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0337] :: add r332.r_address, s3, 0
[0338] :: mov r332.r_address, s2
[0341] :: mov(1) arr[1], s2
[0342] :: mov s2, &flag[16]
[0344] :: exec r344.r_address <- 803425cc40800026c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x26
[0353] :: array [0x10008040cc250480, 0xc3, 0x0]
[0356] :: mov s3, &r353.r_address
[0357] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0358] :: add r353.r_address, s3, 0
[0359] :: mov r353.r_address, s2
[0362] :: mov(1) arr[2], s2
[0363] :: mov s2, &flag[17]
[0365] :: exec r365.r_address <- 803425cc4080001ec3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x1e
[0374] :: array [0x11008040cc250480, 0xc3, 0x0]
[0377] :: mov s3, &r374.r_address
[0378] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0379] :: add r374.r_address, s3, 0
[0380] :: mov r374.r_address, s2
[0383] :: mov(1) arr[2], s2
[0384] :: mov s2, &flag[18]
[0386] :: exec r386.r_address <- 803425cc4080001fc3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x1f
[0395] :: array [0x12008040cc250480, 0xc3, 0x0]
[0398] :: mov s3, &r395.r_address
[0399] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0400] :: add r395.r_address, s3, 0
[0401] :: mov r395.r_address, s2
[0404] :: mov(1) arr[2], s2
[0405] :: mov s2, &flag[19]
[0407] :: exec r407.r_address <- 803425cc40800020c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x20
[0416] :: array [0x13008040cc250480, 0xc3, 0x0]
[0419] :: mov s3, &r416.r_address
[0420] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0421] :: add r416.r_address, s3, 0
[0422] :: mov r416.r_address, s2
[0425] :: mov(1) arr[2], s2
[0426] :: mov s2, &flag[20]
[0428] :: exec r428.r_address <- 803425cc40800020c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x20
[0437] :: array [0x14008040cc250480, 0xc3, 0x0]
[0440] :: mov s3, &r437.r_address
[0441] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0442] :: add r437.r_address, s3, 0
[0443] :: mov r437.r_address, s2
[0446] :: mov(1) arr[2], s2
[0447] :: mov s2, &flag[21]
[0449] :: exec r449.r_address <- 803425cc40800021c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x21
[0458] :: array [0x15008040cc250480, 0xc3, 0x0]
[0461] :: mov s3, &r458.r_address
[0462] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0463] :: add r458.r_address, s3, 0
[0464] :: mov r458.r_address, s2
[0467] :: mov(1) arr[2], s2
[0468] :: mov s2, &flag[22]
[0470] :: exec r470.r_address <- 803425cc40800023c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x23
[0479] :: array [0x16008040cc250480, 0xc3, 0x0]
[0482] :: mov s3, &r479.r_address
[0483] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0484] :: add r479.r_address, s3, 0
[0485] :: mov r479.r_address, s2
[0488] :: mov(1) arr[2], s2
[0489] :: mov s2, &flag[23]
[0491] :: exec r491.r_address <- 803425cc40800027c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x27
[0500] :: array [0x17008040cc250480, 0xc3, 0x0]
[0503] :: mov s3, &r500.r_address
[0504] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0505] :: add r500.r_address, s3, 0
[0506] :: mov r500.r_address, s2
[0509] :: mov(1) arr[2], s2
[0510] :: mov s2, &flag[24]
[0512] :: exec r512.r_address <- 803425cc40800024c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x24
[0521] :: array [0x18008040cc250480, 0xc3, 0x0]
[0524] :: mov s3, &r521.r_address
[0525] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0526] :: add r521.r_address, s3, 0
[0527] :: mov r521.r_address, s2
[0530] :: mov(1) arr[3], s2
[0531] :: mov s2, &flag[25]
[0533] :: exec r533.r_address <- 803425cc40800025c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x25
[0542] :: array [0x19008040cc250480, 0xc3, 0x0]
[0545] :: mov s3, &r542.r_address
[0546] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0547] :: add r542.r_address, s3, 0
[0548] :: mov r542.r_address, s2
[0551] :: mov(1) arr[3], s2
[0552] :: mov s2, &flag[26]
[0554] :: exec r554.r_address <- 803425cc40800026c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x26
[0563] :: array [0x1a008040cc250480, 0xc3, 0x0]
[0566] :: mov s3, &r563.r_address
[0567] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0568] :: add r563.r_address, s3, 0
[0569] :: mov r563.r_address, s2
[0572] :: mov(1) arr[3], s2
[0573] :: mov s2, &flag[27]
[0575] :: exec r575.r_address <- 803425cc40800027c3000000000000000000000000000000
0x0: xor byte ptr [s4], 0x27
[0584] :: array [0x1b008040cc250480, 0xc3, 0x0]
[0587] :: mov s3, &r584.r_address
[0588] :: setinfo s3, name=0x1a, info=0x1, other=0x0, shndx=0x0
[0589] :: add r584.r_address, s3, 0
[0590] :: mov r584.r_address, s2
[0593] :: mov(1) arr[3], s2
[0597] :: mov s2, &arr[0]
[0600] :: exec r600.r_address <- 803425fc40800070c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x70
[0615] :: mov s2, &arr[0]
[0617] :: exec r617.r_address <- 803425fc4080007cc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x7c
[0632] :: mov s2, &arr[0]
[0634] :: exec r634.r_address <- 803425fc40800073c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x73
[0649] :: mov s2, &arr[0]
[0651] :: exec r651.r_address <- 803425fc40800078c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x78
[0666] :: mov s2, &arr[0]
[0668] :: exec r668.r_address <- 803425fc4080006fc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x6f
[0683] :: mov s2, &arr[0]
[0685] :: exec r685.r_address <- 803425fc40800027c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x27
[0700] :: mov s2, &arr[0]
[0702] :: exec r702.r_address <- 803425fc4080002ac3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2a
[0717] :: mov s2, &arr[0]
[0719] :: exec r719.r_address <- 803425fc4080002cc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2c
[0734] :: mov s2, &arr[1]
[0736] :: exec r736.r_address <- 803425fc4080007fc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x7f
[0751] :: mov s2, &arr[1]
[0753] :: exec r753.r_address <- 803425fc40800035c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x35
[0768] :: mov s2, &arr[1]
[0770] :: exec r770.r_address <- 803425fc4080002dc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2d
[0785] :: mov s2, &arr[1]
[0787] :: exec r787.r_address <- 803425fc40800032c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x32
[0802] :: mov s2, &arr[1]
[0804] :: exec r804.r_address <- 803425fc40800037c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x37
[0819] :: mov s2, &arr[1]
[0821] :: exec r821.r_address <- 803425fc4080003bc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x3b
[0836] :: mov s2, &arr[1]
[0838] :: exec r838.r_address <- 803425fc40800022c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x22
[0853] :: mov s2, &arr[1]
[0855] :: exec r855.r_address <- 803425fc40800059c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x59
[0870] :: mov s2, &arr[2]
[0872] :: exec r872.r_address <- 803425fc40800053c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x53
[0887] :: mov s2, &arr[2]
[0889] :: exec r889.r_address <- 803425fc4080008ec3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x8e
[0904] :: mov s2, &arr[2]
[0906] :: exec r906.r_address <- 803425fc4080003dc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x3d
[0921] :: mov s2, &arr[2]
[0923] :: exec r923.r_address <- 803425fc4080002ac3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2a
[0938] :: mov s2, &arr[2]
[0940] :: exec r940.r_address <- 803425fc40800059c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x59
[0955] :: mov s2, &arr[2]
[0957] :: exec r957.r_address <- 803425fc40800027c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x27
[0972] :: mov s2, &arr[2]
[0974] :: exec r974.r_address <- 803425fc4080002dc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2d
[0989] :: mov s2, &arr[2]
[0991] :: exec r991.r_address <- 803425fc40800029c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x29
[1006] :: mov s2, &arr[3]
[1008] :: exec r1008.r_address <- 803425fc40800034c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x34
[1023] :: mov s2, &arr[3]
[1025] :: exec r1025.r_address <- 803425fc4080002dc3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x2d
[1040] :: mov s2, &arr[3]
[1042] :: exec r1042.r_address <- 803425fc40800061c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x61
[1057] :: mov s2, &arr[3]
[1059] :: exec r1059.r_address <- 803425fc40800032c3000000000000000000000000000000
0x0: xor byte ptr [0x8040fc], 0x32
[1074] :: mov s2, &flag[28]
[1076] :: mov s2, &flag[29]
[1097] :: add s10, s8, s2
[1100] :: exec r1100.r_address <- 8034255c4180006cc3000000000000000000000000000000
0x0: xor byte ptr [0x80415c], 0x6c
[1119] :: mov s2, &flag[28]
[1121] :: mov s2, &flag[29]
[1146] :: add s10, s8, s2
[1149] :: exec r1149.r_address <- 8034255c418000a1c3000000000000000000000000000000
0x0: xor byte ptr [0x80415c], 0xa1
[1168] :: mov s2, &flag[30]
[1170] :: mov s2, &flag[31]
[1191] :: add s10, s8, s2
[1194] :: exec r1194.r_address <- 8034255c418000b1c3000000000000000000000000000000
0x0: xor byte ptr [0x80415c], 0xb1
[1213] :: mov s2, &flag[30]
[1215] :: mov s2, &flag[31]
[1240] :: add s10, s8, s2
[1243] :: exec r1243.r_address <- 8034255c418000e5c3000000000000000000000000000000
0x0: xor byte ptr [0x80415c], 0xe5
[1264] :: mov(1) fail(), s2
from hashlib import sha256
import hashlib
# flag= [0x70, 0x7c, 0x73, 0x78, 0x6f ,0x27, 0x2a ,0x2c, 0x7f,0x35 ,0x2d ,0x32 ,0x37 ,0x3b ,0x22, 0x59, 0x53, 0x8e, 0x3d ,0x2a, 0x59 ,0x27, 0x2d ,0x29 ,0x34 ,0x2d ,0x61 ,0x32]
# enc = [0x16, 0x17, 0x10, 0x12,0x10 ,0x11 ,0x12 ,0x13 ,0x14 ,0x15 ,0x16 ,0x17 ,0x18 ,0x19 ,0x24 ,0x2c ,0x26, 0x1e ,0x1f ,0x20 ,0x20 ,0x21 ,0x23, 0x27 ,0x24 ,0x25 ,0x26, 0x27]
# flagg = b''
# for i in range(len(flag)):
# flagg += bytes([(flag[i]-i)^enc[i]])
#
# print(flagg)
#b'flag{366c950370fec47e34581a0'
flagg = "flag{366c950370fec47e34581a0"
k = "1234567890abcdef"
for a in k:
for b in k:
for c in k:
flag = flagg+a+b+c+"}"
enc = hashlib.sha256(flag.encode("utf-8")).hexdigest()
if enc[0:16] == "f860464d767610bb":
print(flag)
break
原文始发于微信公众号(山石网科安全技术研究院):强网杯WriteUp|Reverse 方向
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
点赞
https://cn-sec.com/archives/1218853.html
复制链接
复制链接
-
左青龙
- 微信扫一扫
-
-
右白虎
- 微信扫一扫
-
评论