swpuctf-re
Contents
0x1 Re1:
0x2 Re2:
- Overview: this challenge creates a child process and debugs it. It branches on *IsDebuggerPresent()*: if a debugger is present it runs the check routine; if not, it waits for the child to raise an int3 exception and then patches the corresponding location in the child. Since the child is being debugged by its parent, the check actually runs in the patched child. The solution is therefore to apply the same patches to the program yourself and debug it straight down the check path.
- Debugging details:
The two arrays (above) are Patch1 and Patch2; the if statement below them decides the branch. Because the parent is normally not being debugged, it never enters check; the child, which is being debugged by the parent, does.
The parent patches the child with WriteProcessMemory. The lpBaseAddress argument can be obtained by dynamic debugging, or by looking at the position and length of the nop'd region inside the check function, as shown:
Once patched, debug the child directly.
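One way to carry out the "patch it yourself, then debug the check path" step is to apply the parent's WriteProcessMemory patches to a copy of the executable on disk, so the binary can be opened in a debugger on its own (with a debugger attached, IsDebuggerPresent() is true and the check path is taken). The script below is an added example, not code from the writeup. The byte image, offsets and patch bytes are constructed placeholders, not the challenge's real Patch1/Patch2 values. The one check a reverser wants before trusting an address read off a debugger is kept: each patch must land exactly on a run of NOPs of its own length.

```python
# Added example (not from the original writeup): apply WriteProcessMemory-style
# patches to an on-disk copy of a binary, refusing to write anywhere that is not
# a NOP sled of exactly the patch's length.
from dataclasses import dataclass
from typing import List

NOP = 0x90


@dataclass
class Patch:
    file_offset: int   # file offset of the nop'd region (constructed placeholder)
    data: bytes        # bytes the parent would write into the child


def apply_patches(image: bytes, patches: List[Patch]) -> bytes:
    """Return a patched copy of image.

    Each patch must cover a region that is entirely 0x90 and exactly as long
    as the patch; anything else means the offset or length was read wrong,
    so refuse rather than corrupt the file.
    """
    buf = bytearray(image)
    for p in patches:
        start, end = p.file_offset, p.file_offset + len(p.data)
        if end > len(buf):
            raise ValueError(f"patch at {start:#x} runs past end of file")
        region = bytes(buf[start:end])
        if region != bytes([NOP]) * len(p.data):
            raise ValueError(
                f"expected {len(p.data)} NOPs at {start:#x}, found {region.hex()}")
        buf[start:end] = p.data
    return bytes(buf)


def patch_is_rejected(image: bytes, patch: Patch) -> bool:
    """True if apply_patches refuses the patch (wrong offset or length)."""
    try:
        apply_patches(image, [patch])
        return False
    except ValueError:
        return True


# Constructed sample: a tiny fake check-function body with two NOP holes where
# the parent would normally write its two patches.
SAMPLE_IMAGE = (
    b"\x55\x8b\xec"        # push ebp; mov ebp, esp        (offsets 0-2)
    + bytes([NOP]) * 5      # hole 1, 5 bytes               (offsets 3-7)
    + b"\x33\xc0"          # xor eax, eax                  (offsets 8-9)
    + bytes([NOP]) * 3      # hole 2, 3 bytes               (offsets 10-12)
    + b"\x5d\xc3"          # pop ebp; ret                  (offsets 13-14)
)

SAMPLE_PATCHES = [
    Patch(3, b"\xe8\x00\x00\x00\x00"),   # constructed: a call rel32 placeholder
    Patch(10, b"\x83\xf8\x01"),          # constructed: cmp eax, 1
]


def patched_sample() -> bytes:
    """Apply the constructed patches to the constructed image."""
    return apply_patches(SAMPLE_IMAGE, SAMPLE_PATCHES)


if __name__ == "__main__":
    print(patched_sample().hex())
```

For a real PE the lpBaseAddress seen in the debugger is a virtual address; convert it to a file offset through the section table (RVA minus VirtualAddress, plus PointerToRawData of the containing section) before using it as `file_offset`.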
exp:
```python
# Brute-force approach: for every position, try each printable byte and see
# whether its chained knapsack sum matches the target word.
x = [977, 752, 82, 1141, 466, 752, 548, 1308, 1254, 671, 750, 923,
     1017, 811, 754, 1461, 588, 1114, 844, 1389, 10, 1254, 1142, 729]
v10 = [0x52, 0x7b, 0x11f, 0x53, 0xf8, 0x175, 0xa, 0x1d7]   # public weights
result = ""
for jj in range(24):
    for i in range(32, 127):
        if jj == 0:
            kk = 0x1234            # IV for the first byte
        else:
            kk = x[jj - 1]         # otherwise the previous ciphertext word
        # 8-bit mask of the byte, MSB first; bit m selects weight v10[m]
        t = bin((i ^ kk) & 0xff).replace("0b", "").rjust(8, "0")
        s = 0
        for m in range(0, 8):
            s += v10[m] * int(t[m])
        if s == x[jj]:
            result += chr(i)
print(result)
```
```python
# The official writeup says this is a superincreasing knapsack (Merkle-Hellman); good to learn.
from Crypto.Util.number import inverse

PrivateKey = [2, 3, 7, 14, 30, 57, 120, 251]   # private key (superincreasing)
CiperTxt = [0x3d1, 0x2f0, 0x52, 0x475, 0x1d2, 0x2f0, 0x224, 0x51c,
            0x4e6, 0x29f, 0x2ee, 0x39b, 0x3f9, 0x32b, 0x2f2, 0x5b5,
            0x24c, 0x45a, 0x34c, 0x56d, 0xa, 0x4e6, 0x476, 0x2d9]
PlaintTxt = ""
iv = 0x1234
m = 41
n = 491
conv = inverse(m, n)   # conversion factor: inverse of the multiplier mod n
for i in range(0, 24):
    tem = (CiperTxt[i] * conv) % n      # back to the easy (superincreasing) knapsack
    txt = ["0"] * 8
    total = 0
    for j in range(0, 8):
        # greedy: largest private weight first, which is exact for a superincreasing sequence
        if PrivateKey[7 - j] + total > tem:
            continue
        total += PrivateKey[7 - j]
        txt[7 - j] = "1"
    if i == 0:
        PlaintTxt += chr((int("".join(txt), 2) ^ iv) & 0xff)
    else:
        PlaintTxt += chr((int("".join(txt), 2) ^ CiperTxt[i - 1]) & 0xff)
print(PlaintTxt)
```
flag:*swpuctf{y0u_@re_s0_coo1}*