KnightCTF 2023 - KrackMe 1.0

2023. 1. 23. 16:56·CTF/Solved

1. intro

 

2. Code and analysis

2.1. Code

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int i; // [rsp+10h] [rbp-170h]
  unsigned int j; // [rsp+10h] [rbp-170h]
  unsigned int k; // [rsp+10h] [rbp-170h]
  unsigned int m; // [rsp+10h] [rbp-170h]
  unsigned int n; // [rsp+10h] [rbp-170h]
  int ii; // [rsp+10h] [rbp-170h]
  int jj; // [rsp+10h] [rbp-170h]
  unsigned int kk; // [rsp+10h] [rbp-170h]
  int v12; // [rsp+14h] [rbp-16Ch]
  __int16 v13[10]; // [rsp+18h] [rbp-168h] BYREF
  __int16 v14[10]; // [rsp+2Ch] [rbp-154h] BYREF
  char v15[32]; // [rsp+40h] [rbp-140h] BYREF
  char v16[32]; // [rsp+60h] [rbp-120h] BYREF
  char v17[48]; // [rsp+80h] [rbp-100h] BYREF
  char v18[48]; // [rsp+B0h] [rbp-D0h] BYREF
  char s[64]; // [rsp+E0h] [rbp-A0h] BYREF
  char v20[72]; // [rsp+120h] [rbp-60h] BYREF
  unsigned __int64 v21; // [rsp+168h] [rbp-18h]

  v21 = __readfsqword(0x28u);
  init(argc, argv, envp);
  strcpy(v17, "You don't have access to KrackMe 1.0 !");
  strcpy(v18, "Since you are here let me ask you something...");
  strcpy(v15, "Please enter the flag : ");
  strcpy(v16, "Oh My God ! What is that ?");
  strcpy(v20, "Did you know, Bangladesh has the longest natural beach?...");
  if ( argc != 5 )
  {
    for ( i = 0; i <= 0x26; ++i )
    {
      putchar(v17[i]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
    putchar(10);
    for ( j = 0; j <= 0x2E; ++j )
    {
      putchar(v18[j]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
    putchar(10);
    for ( k = 0; k <= 0x3A; ++k )
    {
      putchar(v20[k]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
    putchar(10);
    exit(0);
  }
  for ( m = 0; m <= 0x18; ++m )
  {
    putchar(v15[m]);
    fflush(_bss_start);
    usleep(0x186A0u);
  }
  fgets(s, 50, stdin);
  if ( strlen(s) != 40 )
  {
    for ( n = 0; n <= 0x1A; ++n )
    {
      putchar(v16[n]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
    putchar(10);
    exit(0);
  }
  strcpy(v13, "mer`]MtGe");
  strcpy(&v13[5], "aUG9UeDoU");
  strcpy(v14, "(G~Ty_G{(");
  strcpy(&v14[5], "v}QlOto|s");
  v12 = 0;
  for ( ii = 0; ii < strlen(v13); ++ii )
  {
    if ( *(v13 + ii) != ((v20[14] ^ v16[8]) ^ s[ii]) )
    {
      v12 = 0;
      break;
    }
    if ( *(&v14[5] + ii) != ((v17[11] ^ v17[1]) ^ s[ii + 27]) )
    {
      v12 = 0;
      break;
    }
    if ( *(&v13[5] + ii) != ((v17[1] ^ HIBYTE(v13[0])) ^ s[ii + 9]) )
    {
      v12 = 0;
      break;
    }
    if ( *(v14 + ii) != ((HIBYTE(v14[5]) ^ HIBYTE(v13[0])) ^ s[ii + 18]) )
    {
      v12 = 0;
      break;
    }
    v12 = 1;
  }
  if ( v12 == 1 )
  {
    puts("Congratulations !! ");
    printf("Flag : ");
    for ( jj = 0; jj <= 35; ++jj )
    {
      putchar(s[jj]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
    putchar(10);
  }
  else
  {
    for ( kk = 0; kk <= 0x1A; ++kk )
    {
      putchar(v16[kk]);
      fflush(_bss_start);
      usleep(0x186A0u);
    }
  }
  return 0;
}

2.2. Analysis

The first CTF reversing challenge I ever solved.

 

In the end, everything comes down to the last for loop and its if statements: they compare the input byte by byte, and if every comparison holds, the program prints the "correct" (Congratulations) message.

  for ( ii = 0; ii < strlen(v13); ++ii )
  {
    if ( *(v13 + ii) != ((v20[14] ^ v16[8]) ^ s[ii]) )
    {
...

 

The part that was a little confusing was HIBYTE, so I first consulted the document below,

HIBYTE macro (Windows) | Microsoft Learn

 

HIBYTE macro (Windows), learn.microsoft.com: "Retrieves the high-order byte from the given 16-bit value." Syntax: BYTE HIBYTE(WORD wValue);

 

It returns the high-order byte of the given 16-bit value. Since v13 and v14 are declared as __int16 arrays, HIBYTE(v13[0]) is the second byte of the v13 buffer and HIBYTE(v14[5]) is the byte at offset 11 of the v14 buffer.

Just to be sure, I checked these values directly in gdb, and they were as follows.

 

Stack contents

0x00007ffdfe0f8578│+0x0018: 0x47744d5d6072656d (mer`]MtG)
0x00007ffdfe0f8580│+0x0020: 0x6555394755610065 ("e"?)
0x00007ffdfe0f8588│+0x0028: 0x547e472800556f44 ("DoU"?)
0x00007ffdfe0f8590│+0x0030: 0x7d7600287b475f79 ("y_G{("?)
0x00007ffdfe0f8598│+0x0038: 0x00737c6f744f6c51 ("QlOto|s"?)

Assembly code

# assembly for HIBYTE(v14[5])
   0x564f49e8c84f <main+1354>      movzbl -0x149(%rbp), %esi
   
# assembly for HIBYTE(v13[0])
   0x564f49e8c856 <main+1361>      movzbl -0x167(%rbp), %ecx

Values actually returned

gef➤  x/x $rbp-0x149
0x7ffdfe0f8597: 0x7d
gef➤  x/x $rbp-0x167
0x7ffdfe0f8579: 0x65

 

So I treated just these two bytes as fixed constants (0x7d and 0x65) and inverted the computation.

 

3. exploit

# Constants lifted from the decompiled main(). HIBYTE(v13[0]) = 0x65 and
# HIBYTE(v14[5]) = 0x7d are the values read from the stack with gdb above.
v13 = b"mer`]MtGe"
v13_1 = b"aUG9UeDoU"
v14 = b"(G~Ty_G{("
v14_1 = b"v}QlOto|s"
v16 = b"Oh My God ! What is that ?"
v17 = b"You don't have access to KrackMe 1.0 !"
v20 = b"Did you know, Bangladesh has the longest natural beach?..."

d = ''
# s[0..8]: compared against v13 with key v20[14] ^ v16[8]
for i in range(9):
    d += chr((v20[14]^v16[8])^v13[i])
# s[9..17]: compared against &v13[5] with key v17[1] ^ HIBYTE(v13[0])
for i in range(9):
    d += chr((v17[1]^0x65)^v13_1[i])
# s[18..26]: compared against v14 with key HIBYTE(v14[5]) ^ HIBYTE(v13[0])
for i in range(9):
    d += chr((0x7d^0x65)^v14[i])
# s[27..35]: compared against &v14[5] with key v17[11] ^ v17[1]
for i in range(9):
    d += chr((v17[11]^v17[1])^v14_1[i])

print(d)
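As an added cross-check that is not part of the original writeup: the script below rebuilds the two __int16[10] buffers byte for byte as the two strcpy calls leave them, so the HIBYTE constants fall out of the layout instead of being read from gdb, then inverts the four XOR checks and replays the binary's own comparison loop on the result. The function names (build_word_array, hibyte, segments, solve, check) are my own, not from the challenge.

```python
# Added example, not the author's script: model the stack layout of v13/v14,
# derive the HIBYTE constants from it, invert the checks, then replay them.
V16 = b"Oh My God ! What is that ?"
V17 = b"You don't have access to KrackMe 1.0 !"
V20 = b"Did you know, Bangladesh has the longest natural beach?..."

def build_word_array(first, second):
    """Model `__int16 v[10]` after strcpy(v, first); strcpy(&v[5], second).
    &v[5] is 5 words = 10 bytes in, so `second` lands at byte offset 10."""
    buf = bytearray(20)
    buf[0:len(first) + 1] = first + b"\0"          # strcpy copies the NUL too
    buf[10:10 + len(second) + 1] = second + b"\0"
    return buf

def hibyte(words, index):
    """IDA's HIBYTE(v[index]): the high byte of a little-endian 16-bit word,
    i.e. the byte at offset 2*index + 1 (v13[0] -> 'e', v14[5] -> '}')."""
    return words[2 * index + 1]

V13 = build_word_array(b"mer`]MtGe", b"aUG9UeDoU")
V14 = build_word_array(b"(G~Ty_G{(", b"v}QlOto|s")

def segments():
    """(xor key, stored bytes) for s[0..8], s[9..17], s[18..26], s[27..35],
    one tuple per `if` in the decompiled comparison loop."""
    return [
        (V20[14] ^ V16[8], V13[0:9]),
        (V17[1] ^ hibyte(V13, 0), V13[10:19]),
        (hibyte(V14, 5) ^ hibyte(V13, 0), V14[0:9]),
        (V17[11] ^ V17[1], V14[10:19]),
    ]

def solve():
    """XOR is its own inverse, so s[i] = stored ^ key within each segment."""
    return "".join(chr(b ^ key) for key, stored in segments() for b in stored)

def check(candidate):
    """Replay the binary's check: stored == key ^ s[9*seg + ii] for all ii."""
    s = candidate.encode()
    if len(s) < 36:
        return False
    return all(stored[ii] == key ^ s[9 * seg + ii]
               for seg, (key, stored) in enumerate(segments())
               for ii in range(9))

if __name__ == "__main__":
    flag = solve()
    print(hex(hibyte(V13, 0)), hex(hibyte(V14, 5)), flag, check(flag))
```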

 

P.S. This was worth 200 points?!

License: Attribution, Non-Commercial, No Derivatives
Author: wyv3rn