Last time I worked through the Binary Exploitation category of picoCTF 2024. Of the 10 problems, I solved the first Hard one but put the second Hard one off for later. The Hard problems feel like a considerable jump in difficulty.
This time, continuing with picoCTF 2024, I want to go through all 7 problems in the Reverse Engineering category. All 7 are Medium.
Let's get started.
Introduction
Here is the list of my "Security" articles. Please refer to it if it is useful.
List of security articles
The official picoCTF site is below. It is in English, but it is simple and easy to understand, so you can make progress without much trouble.
picoctf.com
Let's get started.
picoCTF 2024: Reverse Engineering
I will go through them in order of increasing points.
packer (100 points)
A Medium problem. One binary file (out) can be downloaded.
packer challenge
The challenge is named packer. Come to think of it, the first appendix of the article I read below mentioned a kind of binary called a "packer".
daisuke20240310.hatenablog.com
First, a quick surface analysis. The file output does not say "stripped", but checksec reports No Symbols, so it is presumably stripped; this is the first time I have seen a binary like this. RELRO is disabled (both PLT and GOT are writable), the stack is executable (although note that the checksec output below reports NX enabled), and address randomization of the program is disabled.
$ file out
out: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, no section header
$ checksec --file=out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
No RELRO No canary found NX enabled No PIE N/A N/A No Symbols N/A 0 0 out
Something seemed off, so I tried running the upx command, and it unpacked successfully.
$ upx -d out
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX 4.2.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 3rd 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
877724 <- 336520 38.34% linux/amd64 out
Unpacked 1 file.
Surface analysis once more. Now it looks like a normal binary, and RELRO has changed to Partial RELRO.
$ file out
out: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=36bf0fdfd791fee2c1cc45dff9ddb2a4f48f6d53, for GNU/Linux 3.2.0, not stripped
$ checksec --file=out
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE N/A N/A 1879 Symbols N/A 0 22 out
Let's see whether it runs. I see: enter the correct password and you get the flag. Since there is no server connection, decompiling it will simply reveal the answer, but is that really all right?
$ ./out
Enter the password to unlock this file: AAA
You entered: AAA
Access denied
Next, for static analysis, I looked at the source code in Ghidra. It is statically linked, so the binary is large.
This is the main function. For now, it seems main is the only function.
Seeing 0x66 ('f') makes you wonder "could it be?", but since this is picoCTF, the values to watch for are the following. There is no direct occurrence of them, though.
$ python -c 'print("picoCTF".encode("utf-8").hex())'
7069636f435446
So let's just read through it normally.
I tried looking at the assembly around the first for loop, and there is quite a lot that does not appear in the decompiled output. The first div instruction (div rsi) computes RDX:RAX / ESI (115 / 16), giving a quotient of 7 in RAX and a remainder of 3 in RDX, but I cannot tell what it is used for. The next multiply instruction (imul rax, rax, 0x10) multiplies the second operand RAX by the constant and stores the upper 32 bits in RDX and the lower 32 bits in the first operand RAX.
I tried to read it seriously, but got tired, and when I looked further down I noticed what looked like the answer (lol). It is the line "Password correct, please see flag: 7069636f4354467b5539585f556e5034636b314e365f42316e345269 33535f39343130343638327d". Note the space in the middle; all that was needed was to convert this into ASCII. I should have looked at the whole picture before diving in.
undefined8 main(void)
{
size_t sVar1;
char *pcVar2;
int iVar3;
undefined *puVar4;
long in_FS_OFFSET;
undefined auStack_a8 [8];
size_t local_a0;
undefined8 local_98;
char *local_90;
undefined8 local_88;
undefined8 local_80;
undefined8 local_78;
undefined8 local_70;
undefined8 local_68;
undefined8 local_60;
undefined8 local_58;
undefined8 local_50;
undefined8 local_48;
undefined8 local_40;
undefined8 local_38;
undefined8 local_30;
undefined4 local_28;
long local_20;
local_20 = *(long *)(in_FS_OFFSET + 0x28);
local_a0 = 100;
local_98 = 99;
for (puVar4 = auStack_a8; puVar4 != auStack_a8; puVar4 = puVar4 + -0x1000) {
*(undefined8 *)(puVar4 + -8) = *(undefined8 *)(puVar4 + -8);
}
*(undefined8 *)(puVar4 + -8) = *(undefined8 *)(puVar4 + -8);
local_88 = 0x6636333639363037;
local_80 = 0x6237363434353334;
local_78 = 0x6635383539333535;
local_70 = 0x3433303565363535;
local_68 = 0x6534313362363336;
local_60 = 0x3133323466353633;
local_58 = 0x3936323534336536;
local_50 = 0x3933663533353333;
local_48 = 0x3433303331333433;
local_40 = 0x6437323338333633;
local_38 = 0;
local_30 = 0;
local_28 = 0;
local_90 = puVar4 + -0x70;
*(undefined8 *)(puVar4 + -0x78) = 0x401eee;
printf("Enter the password to unlock this file: ");
pcVar2 = local_90;
sVar1 = local_a0;
*(undefined8 *)(puVar4 + -0x78) = 0x401f0f;
fgets(pcVar2,(int)sVar1,(FILE *)stdin);
pcVar2 = local_90;
*(undefined8 *)(puVar4 + -0x78) = 0x401f2a;
printf("You entered: %s\n",pcVar2);
pcVar2 = local_90;
sVar1 = local_a0;
*(undefined8 *)(puVar4 + -0x78) = 0x401f47;
iVar3 = strncmp(pcVar2,(char *)&local_88,sVar1);
if (iVar3 == 0) {
*(undefined8 *)(puVar4 + -0x78) = 0x401f57;
puts(
"Password correct, please see flag: 7069636f4354467b5539585f556e5034636b314e365f42316e345269 33535f39343130343638327d"
);
*(undefined8 *)(puVar4 + -0x78) = 0x401f63;
puts((char *)&local_88);
}
else {
*(undefined8 *)(puVar4 + -0x78) = 0x401f71;
puts("Access denied");
}
if (local_20 == *(long *)(in_FS_OFFSET + 0x28)) {
return 0;
}
__stack_chk_fail();
}
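As an added example (not the post's own code), here is a small Python check for the two signs that stood out in the surface analysis above, a missing section header table and the UPX marker, run against constructed ELF64 headers rather than the challenge file, plus the hex decoding of the flag string with its stray space. The header layout assumes a little-endian ELF64 file; the sample bytes are constructed for the demonstration.

```python
import struct

# ELF64 header: e_ident .. e_shstrndx, 64 bytes, little-endian (assumption: x86-64 ELF64)
ELF64_HDR = "<16sHHIQQQIHHHHHH"


def build_elf64(e_shoff, e_shnum, tail=b""):
    """Assemble a minimal ELF64 header for testing (constructed sample, not the challenge file)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, little-endian
    hdr = struct.pack(ELF64_HDR, e_ident, 2, 0x3E, 1, 0x401000, 64, e_shoff,
                      0, 64, 56, 2, 64, e_shnum, 0)
    return hdr + tail


def inspect_elf(data):
    """Report the packing indicators that `file` and `checksec` hinted at above."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELFCLASS64 is handled in this example")
    fields = struct.unpack(ELF64_HDR, data[:64])
    e_shoff, e_shnum = fields[6], fields[12]
    no_section_header = e_shoff == 0 or e_shnum == 0   # what `file` printed as "no section header"
    has_upx_marker = b"UPX!" in data                   # marker UPX leaves in packed files
    return {
        "section_headers": e_shnum,
        "no_section_header": no_section_header,
        "upx_marker": has_upx_marker,
        "packed_suspect": no_section_header or has_upx_marker,
    }


def decode_hex_flag(text):
    """Decode a hex-encoded flag, tolerating whitespace such as the space inside the puts() string."""
    return bytes.fromhex("".join(text.split())).decode("ascii")


# Constructed samples: a packed-looking file (no section headers, UPX marker) and a normal one.
PACKED = build_elf64(e_shoff=0, e_shnum=0, tail=b"\0" * 32 + b"UPX!" + b"\0" * 8)
UNPACKED = build_elf64(e_shoff=0x1000, e_shnum=30, tail=b"\0" * 64)

if __name__ == "__main__":
    print(inspect_elf(PACKED))
    print(inspect_elf(UNPACKED))
```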
FactCheck (200 points)
This is a Medium problem like the previous one, but it is worth 200 points rather than 100. One binary file (bin) can be downloaded. Apparently there was some issue and the binary and flag were changed, but the new binary can be solved without problems, so let's proceed.
FactCheck challenge
Surface analysis. When I ran strings on a whim, part of the flag showed up. Looking at it in a hex editor, the byte after the underscore is 0 (NUL), so only the first part of the flag is there.
$ file bin
bin: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9bb8d1ca536f0b458a00221fc6bada49da9e9e3b, for GNU/Linux 3.2.0, not stripped
$ checksec --file=bin
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 83 Symbols N/A 0 0 bin
$ strings bin | grep pico
picoCTF{wELF_d0N3_mate_
Looking at it in Ghidra, it seems to be C++. It is just one long main function, and I did not feel like reading it further, so I ran it under GDB. Setting a breakpoint near the end and trying that did not work well.
With no alternative, I stepped through with ni. Up to a point, the flag gradually takes shape on the stack, but near the end the flag that had been visible on the stack suddenly disappeared. Since it is GDB, I scrolled the screen back, submitted the flag as it was just before it disappeared, and that cleared the challenge.
undefined8 main(void)
{
char cVar1;
char *pcVar2;
long in_FS_OFFSET;
allocator<char> local_249;
basic_string<> local_248 [32];
basic_string local_228 [32];
basic_string<> local_208 [32];
basic_string local_1e8 [32];
basic_string local_1c8 [32];
basic_string local_1a8 [32];
basic_string local_188 [32];
basic_string local_168 [32];
basic_string<> local_148 [32];
basic_string local_128 [32];
basic_string<> local_108 [32];
basic_string<> local_e8 [32];
basic_string local_c8 [32];
basic_string<> local_a8 [32];
basic_string local_88 [32];
basic_string local_68 [32];
basic_string<> local_48 [40];
long local_20;
local_20 = *(long *)(in_FS_OFFSET + 0x28);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string
((char *)local_248,(allocator *)"picoCTF{wELF_d0N3_mate_");
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_228,(allocator *)&DAT_0010201d);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_208,(allocator *)&DAT_0010201f);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_1e8,(allocator *)&DAT_00102021);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_1c8,(allocator *)&DAT_00102023);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_1a8,(allocator *)&DAT_00102025);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_188,(allocator *)&DAT_00102027);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_168,(allocator *)&DAT_00102029);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_148,(allocator *)&DAT_0010202b);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_128,(allocator *)&DAT_00102029);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_108,(allocator *)&DAT_0010202d);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_e8,(allocator *)&DAT_0010202f);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_c8,(allocator *)&DAT_00102031);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_a8,(allocator *)&DAT_00102033);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_88,(allocator *)&DAT_00102027);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_68,(allocator *)&DAT_00102023);
std::allocator<char>::~allocator(&local_249);
std::allocator<char>::allocator();
std::__cxx11::basic_string<>::basic_string((char *)local_48,(allocator *)&DAT_00102035);
std::allocator<char>::~allocator(&local_249);
pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_208);
if (*pcVar2 < 'B') {
std::__cxx11::basic_string<>::operator+=(local_248,local_c8);
}
pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_a8);
if (*pcVar2 != 'A') {
std::__cxx11::basic_string<>::operator+=(local_248,local_68);
}
pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_1c8);
cVar1 = *pcVar2;
pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_148);
if ((int)cVar1 - (int)*pcVar2 == 3) {
std::__cxx11::basic_string<>::operator+=(local_248,local_1c8);
}
std::__cxx11::basic_string<>::operator+=(local_248,local_1e8);
std::__cxx11::basic_string<>::operator+=(local_248,local_188);
pcVar2 = (char *)std::__cxx11::basic_string<>::operator[]((ulong)local_168);
if (*pcVar2 == 'G') {
std::__cxx11::basic_string<>::operator+=(local_248,local_168);
}
std::__cxx11::basic_string<>::operator+=(local_248,local_1a8);
std::__cxx11::basic_string<>::operator+=(local_248,local_88);
std::__cxx11::basic_string<>::operator+=(local_248,local_228);
std::__cxx11::basic_string<>::operator+=(local_248,local_128);
std::__cxx11::basic_string<>::operator+=(local_248,'}');
std::__cxx11::basic_string<>::~basic_string(local_48);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_68);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_88);
std::__cxx11::basic_string<>::~basic_string(local_a8);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_c8);
std::__cxx11::basic_string<>::~basic_string(local_e8);
std::__cxx11::basic_string<>::~basic_string(local_108);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_128);
std::__cxx11::basic_string<>::~basic_string(local_148);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_168);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_188);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_1a8);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_1c8);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_1e8);
std::__cxx11::basic_string<>::~basic_string(local_208);
std::__cxx11::basic_string<>::~basic_string((basic_string<> *)local_228);
std::__cxx11::basic_string<>::~basic_string(local_248);
if (local_20 == *(long *)(in_FS_OFFSET + 0x28)) {
return 0;
}
__stack_chk_fail();
}
WinAntiDbg0x100 (200 points)
A Medium problem worth 200 points. One binary file (WinAntiDbg0x100.zip) can be downloaded. It is a password-protected ZIP file, which unpacks once you enter the password. It appears to be a Windows console program. A file named config.bin was also included.
WinAntiDbg0x100 challenge
Surface analysis. It is a Windows program.
$ file WinAntiDbg0x100.exe
WinAntiDbg0x100.exe: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
$ checksec --file=WinAntiDbg0x100.exe
Error: Not an ELF file: WinAntiDbg0x100.exe: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
$ strings WinAntiDbg0x100.exe | grep pico
For now, let's run it. It seems to be saying that you first need to launch it under a debugger.
$ ./WinAntiDbg0x100.exe
_ _____ _______ ______
(_) / ____|__ __| ____|
_ __ _ ___ ___ | | | | | |__
| '_ \| |/ __/ _ \| | | | | __|
| |_) | | (_| (_) | |____ | | | |
| .__/|_|\___\___/ \_____| |_| |_|
| |
|_|
Welcome to the Anti-Debug challenge!
### To start the challenge, you'll need to first launch this program using a debugger!
I know nothing about Windows programs, so I will put this one off.
Classic Crackme 0x100 (300 points)
A Medium problem. One updated binary file (crackme100) can be downloaded. Also, at the end you apparently need to start the server and run it there.
Classic Crackme 0x100 challenge
Surface analysis. The strings command shows a flag, but that is presumably the placeholder flag for the local file.
$ file crackme100
crackme100: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f680c44f890f619e9d88949f9048709d008b18f1, for GNU/Linux 3.2.0, with debug_info, not stripped
$ checksec --file=crackme100
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 40 Symbols No 0 1 crackme100
$ strings crackme100 | grep pico
picoCTF{sample_flag}
First, let's run it. It seems you need to enter the correct password.
$ ./crackme100
Enter the secret password: aaa
FAILED!
Let's look at the source with Ghidra. It feels like an orthodox, classic problem.
Let's work through the nested loop. The outer loop runs 3 times, and the inner loop runs for the length of the array variable output, so 50 times.
The analysis looks like it will be long, so I will write it below the source code.
int main(void)
{
uint uVar1;
int iVar2;
size_t sVar3;
char input [51];
char output [51];
int random2;
int random1;
char fix;
int secret3;
int secret2;
int secret1;
int len;
int i_1;
int i;
output[0] = 'k';
output[1] = 'g';
output[2] = 'x';
output[3] = 'm';
output[4] = 'w';
output[5] = 'p';
output[6] = 'b';
output[7] = 'p';
output[8] = 'u';
output[9] = 'q';
output[10] = 't';
output[0xb] = 'o';
output[0xc] = 'r';
output[0xd] = 'z';
output[0xe] = 'a';
output[0xf] = 'p';
output[0x10] = 'j';
output[0x11] = 'h';
output[0x12] = 'f';
output[0x13] = 'm';
output[0x14] = 'e';
output[0x15] = 'b';
output[0x16] = 'm';
output[0x17] = 'c';
output[0x18] = 'c';
output[0x19] = 'v';
output[0x1a] = 'w';
output[0x1b] = 'y';
output[0x1c] = 'c';
output[0x1d] = 'y';
output[0x1e] = 'v';
output[0x1f] = 'e';
output[0x20] = 'w';
output[0x21] = 'p';
output[0x22] = 'x';
output[0x23] = 'i';
output[0x24] = 'h';
output[0x25] = 'e';
output[0x26] = 'i';
output[0x27] = 'f';
output[0x28] = 'v';
output[0x29] = 'n';
output[0x2a] = 'u';
output[0x2b] = 'q';
output[0x2c] = 's';
output[0x2d] = 'r';
output[0x2e] = 'g';
output[0x2f] = 'e';
output[0x30] = 'x';
output[0x31] = 'l';
output[0x32] = '\0';
setvbuf(stdout,(char *)0x0,2,0);
printf("Enter the secret password: ");
__isoc99_scanf(&DAT_00402024,input);
i = 0;
sVar3 = strlen(output);
for (; i < 3; i = i + 1) {
for (i_1 = 0; i_1 < (int)sVar3; i_1 = i_1 + 1) {
uVar1 = (i_1 % 0xff >> 1 & 0x55U) + (i_1 % 0xff & 0x55U);
uVar1 = ((int)uVar1 >> 2 & 0x33U) + (uVar1 & 0x33);
iVar2 = ((int)uVar1 >> 4) + input[i_1] + -0x61 + (uVar1 & 0xf);
input[i_1] = (char)iVar2 + (char)(iVar2 / 0x1a) * -0x1a + 'a';
}
}
iVar2 = memcmp(input,output,(long)(int)sVar3);
if (iVar2 == 0) {
printf("SUCCESS! Here is your flag: %s\n","picoCTF{sample_flag}");
}
else {
puts("FAILED!");
}
return 0;
}
Let's look closely at the 4 lines inside the inner loop. For the first line, operator precedence needs to be read carefully, so I added parentheses. Also, since i_1 ranges from 0 to 49, the % 0xff can be ignored.
uVar1 = (((i_1 % 0xff) >> 1) & 0x55U) + ((i_1 % 0xff) & 0x55U);
So it can be simplified as follows.
uVar1 = ((i_1 >> 1) & 0x55U) + (i_1 & 0x55U);
Hmm, working it out this way by hand feels like it might be reckless.
Of the 4 lines, everything other than input has a fixed value, and i does not appear in those lines, so the computation of one element of input does not depend on any other element of input. In other words, for a given input character, the result is the same as applying these 4 lines 3 times in a row. It is probably best to have a program brute-force the ASCII codes; lowercase letters alone should be enough.
I implemented a Python script.
It is just the C code converted to Python, but running it prints the correct password. Entering the same password on the server displayed the flag.
output = "kgxmwpbpuqtorzapjhfmebmccvwycyvewpxiheifvnuqsrgexl"
ret = []
for i_1, out in enumerate(output):
    found = False
    # try every printable ASCII code as the candidate input character
    for tmp in range(0x21, 0x7f):
        ch = tmp
        for ii in range(3):
            # the four lines of the inner loop, ported from the decompiled C
            uVar1 = (((i_1 % 0xff) >> 1) & 0x55) + ((i_1 % 0xff) & 0x55)
            uVar1 = ((uVar1 >> 2) & 0x33) + (uVar1 & 0x33)
            iVar2 = (uVar1 >> 4) + ch - 0x61 + (uVar1 & 0xf)
            ch = (iVar2 & 0xff) - ((iVar2 // 0x1a) & 0xff) * 0x1a + 0x61
        if ch == ord(out):
            ret.append(chr(tmp))
            found = True
            break
    assert found, f"fail, ret={ret}"
print(f"ret={''.join(ret)}")
Let's try it.
$ python crackme100.py
ret=kdugtjvgrknflqrdgb`d_sdqwmnmtmjptjr`bv`tpelejfuprc
$ ./crackme100
Enter the secret password: kdugtjvgrknflqrdgb`d_sdqwmnmtmjptjr`bv`tpelejfuprc
SUCCESS! Here is your flag: picoCTF{sample_flag}
Running it against the server displayed the flag.
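As an added example (not the post's script), here is the inner-loop transform ported faithfully from the decompiled C, together with a closed-form inverse that replaces the brute-force search: the three masked-add lines are a popcount of the index, so three rounds shift each letter by 3*popcount(i) mod 26, and the inverse is a subtraction. OUTPUT is the 50-character target array from main(), and PAGE_PASSWORD is the password the brute-force script above printed; the c_div helper is my own, added to mirror C's truncating division.

```python
OUTPUT = "kgxmwpbpuqtorzapjhfmebmccvwycyvewpxiheifvnuqsrgexl"
# Password found by the brute-force script above; it contains non-letters ('`', '_')
# because the transform only looks at the value modulo 26.
PAGE_PASSWORD = "kdugtjvgrknflqrdgb`d_sdqwmnmtmjptjr`bv`tpelejfuprc"


def popcount8(x):
    """The three masked-add lines from the decompiled loop: popcount of an 8-bit value."""
    x = ((x >> 1) & 0x55) + (x & 0x55)
    x = ((x >> 2) & 0x33) + (x & 0x33)
    return (x >> 4) + (x & 0x0F)


def c_div(a, b):
    """Integer division truncating toward zero, as C does (Python's // floors instead)."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b > 0) else -q


def transform(password, rounds=3):
    """Port of the nested loop in main(): each round shifts input[i] by popcount(i)."""
    buf = [ord(c) for c in password]
    for _ in range(rounds):
        for i in range(len(buf)):
            v = popcount8(i % 0xFF) + buf[i] - 0x61
            # (char)v + (char)(v / 0x1a) * -0x1a + 'a', kept within one byte
            buf[i] = (v - 26 * c_div(v, 26) + 0x61) & 0xFF
    return "".join(map(chr, buf))


def recover_password(target, rounds=3):
    """Direct inverse: undo the rounds*popcount(i) shift modulo 26, yielding lowercase only."""
    return "".join(
        chr((ord(t) - 0x61 - rounds * popcount8(i)) % 26 + 0x61)
        for i, t in enumerate(target)
    )


if __name__ == "__main__":
    pw = recover_password(OUTPUT)
    print(pw)
    print(transform(pw) == OUTPUT, transform(PAGE_PASSWORD) == OUTPUT)
```

Both the all-lowercase password and the one with backticks map to the same OUTPUT, which is why the server accepted the brute-force result.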
weirdSnake (300 points)
A Medium problem. One updated binary file (snake) can be downloaded.
weirdSnake challenge
Surface analysis. It is a text file.
$ file snake
snake: ASCII text
I opened it in an editor but could not make sense of it at all. Searching the web for a distinctive name (UNPACK_SEQUENCE) turned up the official Python site: it is the disassembly of Python bytecode. So the task is to reconstruct the Python script from this disassembly. Let's go through it in order.
The analysis looks like it will be long, so I will write it below the source code.
1 0 LOAD_CONST 0 (4)
2 LOAD_CONST 1 (54)
4 LOAD_CONST 2 (41)
6 LOAD_CONST 3 (0)
8 LOAD_CONST 4 (112)
10 LOAD_CONST 5 (32)
12 LOAD_CONST 6 (25)
14 LOAD_CONST 7 (49)
16 LOAD_CONST 8 (33)
18 LOAD_CONST 9 (3)
20 LOAD_CONST 3 (0)
22 LOAD_CONST 3 (0)
24 LOAD_CONST 10 (57)
26 LOAD_CONST 5 (32)
28 LOAD_CONST 11 (108)
30 LOAD_CONST 12 (23)
32 LOAD_CONST 13 (48)
34 LOAD_CONST 0 (4)
36 LOAD_CONST 14 (9)
38 LOAD_CONST 15 (70)
40 LOAD_CONST 16 (7)
42 LOAD_CONST 17 (110)
44 LOAD_CONST 18 (36)
46 LOAD_CONST 19 (8)
48 LOAD_CONST 11 (108)
50 LOAD_CONST 16 (7)
52 LOAD_CONST 7 (49)
54 LOAD_CONST 20 (10)
56 LOAD_CONST 0 (4)
58 LOAD_CONST 21 (86)
60 LOAD_CONST 22 (43)
62 LOAD_CONST 17 (110)
64 LOAD_CONST 22 (43)
66 LOAD_CONST 23 (88)
68 LOAD_CONST 3 (0)
70 LOAD_CONST 24 (67)
72 LOAD_CONST 25 (104)
74 LOAD_CONST 26 (125)
76 LOAD_CONST 14 (9)
78 LOAD_CONST 27 (78)
80 BUILD_LIST 40
82 STORE_NAME 0 (input_list)
2 84 LOAD_CONST 28 ('J')
86 STORE_NAME 1 (key_str)
3 88 LOAD_CONST 29 ('_')
90 LOAD_NAME 1 (key_str)
92 BINARY_ADD
94 STORE_NAME 1 (key_str)
4 96 LOAD_NAME 1 (key_str)
98 LOAD_CONST 30 ('o')
100 BINARY_ADD
102 STORE_NAME 1 (key_str)
5 104 LOAD_NAME 1 (key_str)
106 LOAD_CONST 31 ('3')
108 BINARY_ADD
110 STORE_NAME 1 (key_str)
6 112 LOAD_CONST 32 ('t')
114 LOAD_NAME 1 (key_str)
116 BINARY_ADD
118 STORE_NAME 1 (key_str)
9 120 LOAD_CONST 33 (<code object <listcomp> at 0x7ffb38066d40, file "snake.py", line 9>)
122 LOAD_CONST 34 ('<listcomp>')
124 MAKE_FUNCTION 0
126 LOAD_NAME 1 (key_str)
128 GET_ITER
130 CALL_FUNCTION 1
132 STORE_NAME 2 (key_list)
11 >> 134 LOAD_NAME 3 (len)
136 LOAD_NAME 2 (key_list)
138 CALL_FUNCTION 1
140 LOAD_NAME 3 (len)
142 LOAD_NAME 0 (input_list)
144 CALL_FUNCTION 1
146 COMPARE_OP 0 (<)
148 POP_JUMP_IF_FALSE 162
12 150 LOAD_NAME 2 (key_list)
152 LOAD_METHOD 4 (extend)
154 LOAD_NAME 2 (key_list)
156 CALL_METHOD 1
158 POP_TOP
160 JUMP_ABSOLUTE 134
15 >> 162 LOAD_CONST 35 (<code object <listcomp> at 0x7ffb38066df0, file "snake.py", line 15>)
164 LOAD_CONST 34 ('<listcomp>')
166 MAKE_FUNCTION 0
168 LOAD_NAME 5 (zip)
170 LOAD_NAME 0 (input_list)
172 LOAD_NAME 2 (key_list)
174 CALL_FUNCTION 2
176 GET_ITER
178 CALL_FUNCTION 1
180 STORE_NAME 6 (result)
18 182 LOAD_CONST 36 ('')
184 LOAD_METHOD 7 (join)
186 LOAD_NAME 8 (map)
188 LOAD_NAME 9 (chr)
190 LOAD_NAME 6 (result)
192 CALL_FUNCTION 2
194 CALL_METHOD 1
196 STORE_NAME 10 (result_text)
198 LOAD_CONST 37 (None)
200 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7ffb38066d40, file "snake.py", line 9>:
9 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 12 (to 18)
6 STORE_FAST 1 (char)
8 LOAD_GLOBAL 0 (ord)
10 LOAD_FAST 1 (char)
12 CALL_FUNCTION 1
14 LIST_APPEND 2
16 JUMP_ABSOLUTE 4
>> 18 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7ffb38066df0, file "snake.py", line 15>:
15 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
>> 4 FOR_ITER 16 (to 22)
6 UNPACK_SEQUENCE 2
8 STORE_FAST 1 (a)
10 STORE_FAST 2 (b)
12 LOAD_FAST 1 (a)
14 LOAD_FAST 2 (b)
16 BINARY_XOR
18 LIST_APPEND 2
20 JUMP_ABSOLUTE 4
>> 22 RETURN_VALUE
Line 1 (the number in the leftmost column is the line number in the Python script) seems to create a list named input_list with 40 elements. The values in parentheses are the elements.
Lines 2 through 6 are best thought of as one group. Perhaps the following.
key_str = 'J'
key_str += '_'
key_str += 'o'
key_str += '3'
key_str += 't'
As a test, I took the list creation and the code above and disassembled them. The result is below. It is close, but slightly different; for now I will go with this tentatively.
$ python -m dis hello_world.py
0 0 RESUME 0
3 2 BUILD_LIST 0
4 LOAD_CONST 0 ((4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48, 4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88, 0, 67, 104, 125, 9, 78))
6 LIST_EXTEND 1
8 STORE_NAME 0 (input_list)
5 10 LOAD_CONST 1 ('J')
12 STORE_NAME 1 (key_str)
6 14 LOAD_NAME 1 (key_str)
16 LOAD_CONST 2 ('_')
18 BINARY_OP 13 (+=)
22 STORE_NAME 1 (key_str)
7 24 LOAD_NAME 1 (key_str)
26 LOAD_CONST 3 ('o')
28 BINARY_OP 13 (+=)
32 STORE_NAME 1 (key_str)
8 34 LOAD_NAME 1 (key_str)
36 LOAD_CONST 4 ('3')
38 BINARY_OP 13 (+=)
42 STORE_NAME 1 (key_str)
9 44 LOAD_NAME 1 (key_str)
46 LOAD_CONST 5 ('t')
48 BINARY_OP 13 (+=)
52 STORE_NAME 1 (key_str)
54 LOAD_CONST 6 (None)
56 RETURN_VALUE
Line 9 creates a function, and I think the body of the function is the part further down that starts with "Disassembly of". Likewise, line 15 also creates a function.
Rather than a function, it is a list comprehension. Its result is stored in key_list, and its argument is key_str. Taking the function body into account, it seems to be key_list = [ord(char) for char in key_str].
Line 11 is, I think, if len(key_list) < len(input_list):.
Line 12 is key_list.extend(key_list), I suppose?
Treating line 15 as a list comprehension too, the result goes into result and the iterable is zip(input_list, key_list); taking the function body into account: result = [a ^ b for a, b in zip(input_list, key_list)]
The last line, line 18, stores the result in result_text using the join function: result_text = ''.join(map(chr, result)), presumably.
It came out as follows.
input_list = [4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48, 4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88, 0, 67, 104, 125, 9, 78]
key_str = 'J'
key_str += '_'
key_str += 'o'
key_str += '3'
key_str += 't'
key_list = [ord(char) for char in key_str]
if len(key_list) < len(input_list):
    key_list.extend(key_list)
result = [a ^ b for a, b in zip(input_list, key_list)]
result_text = ''.join(map(chr, result))
print(result_text)
Let's disassemble this.
$ python -m dis hello_world.py
0 0 RESUME 0
1 2 BUILD_LIST 0
4 LOAD_CONST 0 ((4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48, 4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88, 0, 67, 104, 125, 9, 78))
6 LIST_EXTEND 1
8 STORE_NAME 0 (input_list)
2 10 LOAD_CONST 1 ('J')
12 STORE_NAME 1 (key_str)
3 14 LOAD_NAME 1 (key_str)
16 LOAD_CONST 2 ('_')
18 BINARY_OP 13 (+=)
22 STORE_NAME 1 (key_str)
4 24 LOAD_NAME 1 (key_str)
26 LOAD_CONST 3 ('o')
28 BINARY_OP 13 (+=)
32 STORE_NAME 1 (key_str)
5 34 LOAD_NAME 1 (key_str)
36 LOAD_CONST 4 ('3')
38 BINARY_OP 13 (+=)
42 STORE_NAME 1 (key_str)
6 44 LOAD_NAME 1 (key_str)
46 LOAD_CONST 5 ('t')
48 BINARY_OP 13 (+=)
52 STORE_NAME 1 (key_str)
9 54 LOAD_CONST 6 (<code object <listcomp> at 0x7fba221673c0, file "hello_world.py", line 9>)
56 MAKE_FUNCTION 0
58 LOAD_NAME 1 (key_str)
60 GET_ITER
62 PRECALL 0
66 CALL 0
76 STORE_NAME 2 (key_list)
11 78 PUSH_NULL
80 LOAD_NAME 3 (len)
82 LOAD_NAME 2 (key_list)
84 PRECALL 1
88 CALL 1
98 PUSH_NULL
100 LOAD_NAME 3 (len)
102 LOAD_NAME 0 (input_list)
104 PRECALL 1
108 CALL 1
118 COMPARE_OP 0 (<)
124 POP_JUMP_FORWARD_IF_FALSE 21 (to 168)
12 126 LOAD_NAME 2 (key_list)
128 LOAD_METHOD 4 (extend)
150 LOAD_NAME 2 (key_list)
152 PRECALL 1
156 CALL 1
166 POP_TOP
15 >> 168 LOAD_CONST 7 (<code object <listcomp> at 0x7fba22177130, file "hello_world.py", line 15>)
170 MAKE_FUNCTION 0
172 PUSH_NULL
174 LOAD_NAME 5 (zip)
176 LOAD_NAME 0 (input_list)
178 LOAD_NAME 2 (key_list)
180 PRECALL 2
184 CALL 2
194 GET_ITER
196 PRECALL 0
200 CALL 0
210 STORE_NAME 6 (result)
18 212 LOAD_CONST 8 ('')
214 LOAD_METHOD 7 (join)
236 PUSH_NULL
238 LOAD_NAME 8 (map)
240 LOAD_NAME 9 (chr)
242 LOAD_NAME 6 (result)
244 PRECALL 2
248 CALL 2
258 PRECALL 1
262 CALL 1
272 STORE_NAME 10 (result_text)
20 274 PUSH_NULL
276 LOAD_NAME 11 (print)
278 LOAD_NAME 10 (result_text)
280 PRECALL 1
284 CALL 1
294 POP_TOP
296 LOAD_CONST 9 (None)
298 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7fba221673c0, file "hello_world.py", line 9>:
9 0 RESUME 0
2 BUILD_LIST 0
4 LOAD_FAST 0 (.0)
>> 6 FOR_ITER 17 (to 42)
8 STORE_FAST 1 (char)
10 LOAD_GLOBAL 1 (NULL + ord)
22 LOAD_FAST 1 (char)
24 PRECALL 1
28 CALL 1
38 LIST_APPEND 2
40 JUMP_BACKWARD 18 (to 6)
>> 42 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x7fba22177130, file "hello_world.py", line 15>:
15 0 RESUME 0
2 BUILD_LIST 0
4 LOAD_FAST 0 (.0)
>> 6 FOR_ITER 10 (to 28)
8 UNPACK_SEQUENCE 2
12 STORE_FAST 1 (a)
14 STORE_FAST 2 (b)
16 LOAD_FAST 1 (a)
18 LOAD_FAST 2 (b)
20 BINARY_OP 12 (^)
24 LIST_APPEND 2
26 JUMP_BACKWARD 11 (to 6)
>> 28 RETURN_VALUE
Hmm, the if part is wrong. Changing it to while made it start to look right.
Let's run it. It is close. Something is wrong in the details.
$ python hello_world.py
NiF3jF^wJ_V]ok:2M1K;Mne7"a1Dkt 7::
Let's work backwards. To produce p (0x70), the values 4 and J (0x4A) are used, but the result is N (0x4E). The 4 is probably correct, and the J looks wrong. For 4 XOR something to equal 0x70, the something has to be 0x74 (t). The last character of key_str is t, so the way key_str is built seems to be wrong.
I changed key_str as follows. With this, t comes first.
key_str = 'J'
key_str = '_' + key_str
key_str = 'o' + key_str
key_str = '3' + key_str
key_str = 't' + key_str
Let's run it. Only the p is correct (lol).
$ python hello_world.py
pF_:T*^~It3V&ckV
s]KW&se[_]DJ7[V
For the key_str part, the current disassembly shows BINARY_OP (+=), whereas the challenge file shows BINARY_ADD. That is where it differs. I see: J, _ and t are left operands, but o and 3 are right operands!
After fixing that, oh, got the flag! For a 300-point problem that took quite some effort.
This is the final version of the Python script.
input_list = [4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48, 4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88, 0, 67, 104, 125, 9, 78]
key_str = 'J'
key_str = '_' + key_str
key_str = key_str + 'o'
key_str = key_str + '3'
key_str = 't' + key_str
key_list = [ord(char) for char in key_str]
print(key_list)
while len(key_list) < len(input_list):
    key_list.extend(key_list)
result = [a ^ b for a, b in zip(input_list, key_list)]
result_text = ''.join(map(chr, result))
print(result_text)
Let's run it.
$ python snake.py
[116, 95, 74, 111, 51]
picoCTF{N0t_sO_coNfus1ng_sn@ke_1a73777f}
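The manual step above, working backwards from "4 XOR ? = 'p'", is a known-plaintext attack on repeating-key XOR. As an added example (not the post's code), here it is generalized: the flag prefix every picoCTF flag shares exposes the first key bytes, the repeat reveals the period, and the full key decrypts the rest. INPUT_LIST is the 40 constants from the bytecode; the key is not assumed but recovered.

```python
from itertools import cycle

# The 40 LOAD_CONST values from the disassembly above (the ciphertext).
INPUT_LIST = [4, 54, 41, 0, 112, 32, 25, 49, 33, 3, 0, 0, 57, 32, 108, 23, 48,
              4, 9, 70, 7, 110, 36, 8, 108, 7, 49, 10, 4, 86, 43, 110, 43, 88,
              0, 67, 104, 125, 9, 78]
# Known plaintext: the flag format. Assumption: the output is a picoCTF flag.
KNOWN_PREFIX = b"picoCTF{"


def recover_keystream(cipher, known_plain):
    """XOR the known plaintext back out to expose the first len(known_plain) key bytes."""
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


def smallest_period(stream):
    """Shortest period consistent with the exposed key bytes (None if no repeat is visible)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return None


def xor_decrypt(cipher, key):
    """Repeating-key XOR; cycle() plays the role of the key_list.extend() doubling loop."""
    return bytes(c ^ k for c, k in zip(cipher, cycle(key)))


def solve(cipher=INPUT_LIST, known=KNOWN_PREFIX):
    """Recover the key from the known prefix and decrypt the whole list."""
    stream = recover_keystream(cipher, known)
    period = smallest_period(stream)
    if period is None:
        raise ValueError("known prefix too short to see the key repeat")
    key = stream[:period]
    return key, xor_decrypt(cipher, key).decode("ascii")


if __name__ == "__main__":
    key, flag = solve()
    print(key, flag)
```

With only 8 known bytes the 5-byte key "t_Jo3" repeats once inside the window, which is enough to fix the period; a longer key would need a longer known prefix.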
WinAntiDbg0x200 (300 points)
A Medium problem worth 300 points. One binary file (WinAntiDbg0x200.zip) can be downloaded. It is a password-protected ZIP file, which unpacks once you enter the password. It appears to be a Windows console program. A file named config.bin (careful: the same file name as in WinAntiDbg0x100 above!) was also included.
WinAntiDbg0x200 challenge
Just in case, a surface analysis. Yes, it appears to be a Windows console program.
$ file WinAntiDbg0x200.exe
WinAntiDbg0x200.exe: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
I will put the Windows programs off for later.
WinAntiDbg0x300 (400 points)
A Medium problem worth 400 points. One binary file (WinAntiDbg0x300.zip) can be downloaded. It is a password-protected ZIP file, which unpacks once you enter the password. It appears to be a Windows program. A file named config.bin (careful: the same file name as in WinAntiDbg0x100 and WinAntiDbg0x200 above!) and a WinAntiDbg0x300.pdb were also included.
WinAntiDbg0x300 challenge
Just in case, a surface analysis. It appears to be a Windows GUI program.
$ file WinAntiDbg0x300.exe
WinAntiDbg0x300.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
$ file WinAntiDbg0x300.pdb
WinAntiDbg0x300.pdb: MSVC program database ver 7.00, 4096*215 bytes
I will put the Windows programs off for later.
Conclusion
This time, of the 7 problems in the Reverse Engineering category of picoCTF 2024, I worked through the 4 that are not Windows programs, leaving the 3 Windows ones aside. I was glad to solve all 4.
Next, I would like to try General Skills or Web Exploitation from picoCTF 2024.
Lastly, I am taking part in the engineer-group blog ranking.
A quick click would be much appreciated 🙇
That is all for this time!
Thank you for reading to the end.