0x1 Re1:

0x2 Re2:

  1. Overview: the program creates a child process and attaches to it as a debugger. It branches on *IsDebuggerPresent()*: if a debugger is present it runs the check routine; if not, it waits for the child to trigger an int3 exception and the parent then patches the corresponding location in the child. So the solution is to apply those patches to the program up front and debug straight down the check path.
  2. Debugging details:

The two arrays above are Patch1 and Patch2; below them an if decides which branch is taken. The parent is normally not being debugged, so it never enters check; the child, which is being debugged by the parent, does enter check.

The parent patches the child with WriteProcessMemory. The lpBaseAddress can be read off during dynamic debugging, or found by looking at the position and length of the nopped-out bytes inside the check function, as shown below:
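The same patch applied statically, as an added example (not the challenge's or the writeup's own code): the parent writes Patch1/Patch2 into the child at run time, so to debug the child on its own we write the same bytes into a copy of the PE on disk, which means mapping each virtual address through the section table to a file offset. The addresses and bytes in PATCHES, the image base, and the sample PE are constructed placeholders; the real values come from the two arrays and the lpBaseAddress arguments of the WriteProcessMemory calls.

```python
import struct

# Hypothetical patch list: (virtual address, bytes). Replace with the real
# Patch1/Patch2 arrays and the lpBaseAddress values from the parent.
IMAGE_BASE = 0x400000
PATCHES = [
    (0x401010, bytes.fromhex("7505")),        # hypothetical Patch1: jnz +5
    (0x401020, bytes.fromhex("e8f0ffffff")),  # hypothetical Patch2: call rel32
]


def parse_pe(pe):
    """Return (image_base, sections); each section is (name, rva, raw_size, raw_ptr)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                         # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    off = opt + opt_size
    for _ in range(nsec):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0"), rva, raw_size, raw_ptr))
        off += 40                              # sizeof(IMAGE_SECTION_HEADER)
    return image_base, sections


def rva_to_offset(sections, rva, length=1):
    """Map an RVA range to a file offset; refuse ranges not backed by raw section data."""
    for _name, sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva and rva + length <= sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError("rva 0x%x (+%d) is not backed by file data" % (rva, length))


def apply_patches(pe, patches):
    """Write each (VA, bytes) pair into a copy of the image; return (new bytes, log of overwritten bytes)."""
    image_base, sections = parse_pe(pe)
    out = bytearray(pe)
    log = []
    for va, data in patches:
        off = rva_to_offset(sections, va - image_base, len(data))
        log.append((va, off, bytes(out[off:off + len(data)])))
        out[off:off + len(data)] = data
    return bytes(out), log


def build_sample_pe(image_base=IMAGE_BASE):
    """Constructed minimal PE32 with one .text section of NOPs, standing in for
    a check function whose bytes were nopped out in the file."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + coff + bytes(opt) + text
    return headers + b"\0" * (0x400 - len(headers)) + b"\x90" * 0x200


if __name__ == "__main__":
    original = build_sample_pe()          # for the real target: open(path, "rb").read()
    patched, log = apply_patches(original, PATCHES)
    for va, off, old in log:
        print("patched VA 0x%x at file offset 0x%x (was %s)" % (va, off, old.hex()))
```

Write the returned bytes out as a new file rather than over the original, and check the `log` entries: the bytes being overwritten should be the NOP run seen in check, otherwise the address or image base is wrong.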

  1. Once patched, debug the child directly

  2. exp:

```python
# Brute-force approach: try every printable byte at each position
x = [977, 752, 82, 1141, 466, 752, 548, 1308, 1254, 671, 750, 923,
     1017, 811, 754, 1461, 588, 1114, 844, 1389, 10, 1254, 1142, 729]   # ciphertext words

v10 = [0x52, 0x7b, 0x11f, 0x53, 0xf8, 0x175, 0xa, 0x1d7]   # weights used by check

result = ""

for jj in range(24):
    for i in range(32, 127):
        # the first byte is XORed with 0x1234, every later one with the
        # previous ciphertext word (CBC-style chaining)
        kk = 0x1234 if jj == 0 else x[jj - 1]
        t = format((i ^ kk) & 0xff, "08b")   # 8-bit string, MSB first
        s = 0
        for m in range(8):
            s += v10[m] * int(t[m])
        if s == x[jj]:
            result += chr(i)

print(result)
```
    
```python
# The official writeup says this is the superincreasing knapsack algorithm; learned something new
PrivateKey = [2, 3, 7, 14, 30, 57, 120, 251]   # private key (superincreasing sequence)
CiperTxt = [0x3d1, 0x2f0, 0x52, 0x475, 0x1d2, 0x2f0, 0x224, 0x51c, 0x4e6, 0x29f, 0x2ee, 0x39b,
            0x3f9, 0x32b, 0x2f2, 0x5b5, 0x24c, 0x45a, 0x34c, 0x56d, 0xa, 0x4e6, 0x476, 0x2d9]
PlaintTxt = ""
iv = 0x1234
m = 41      # multiplier
n = 491     # modulus
conv = pow(m, -1, n)   # conversion factor: m^-1 mod n (Python 3.8+; inverse() from Crypto.Util.number also works)
for i in range(24):
    tem = (CiperTxt[i] * conv) % n   # back to the easy (superincreasing) knapsack sum
    txt = ["0"] * 8
    total = 0
    # greedy decode from the largest weight down; weight j maps to bit j, MSB first
    for j in range(7, -1, -1):
        if PrivateKey[j] + total <= tem:
            total += PrivateKey[j]
            txt[j] = "1"
    # undo the chaining: first byte XORed with iv, later ones with the previous ciphertext word
    prev = iv if i == 0 else CiperTxt[i - 1]
    PlaintTxt += chr((int("".join(txt), 2) ^ prev) & 0xff)
print(PlaintTxt)
```

flag: *swpuctf{y0u_@re_s0_coo1}*
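Why both scripts above work, as an added example that is not part of the page or the official writeup: the `v10` table in the brute-force script is the Merkle-Hellman public key derived from the superincreasing private key by multiplying each weight by 41 mod 491, and the binary chains bytes by XORing each one with the previous ciphertext word (0x1234 for the first). The code below implements both directions with the page's constants and the page's flag, so encrypting the flag reproduces the ciphertext and decrypting the ciphertext reproduces the flag; the function names are this example's own.

```python
# Merkle-Hellman knapsack as used in Re2 (constants taken from the scripts above)
PRIVATE_KEY = [2, 3, 7, 14, 30, 57, 120, 251]   # superincreasing private key
M, N = 41, 491                                   # multiplier and modulus
IV = 0x1234                                      # XORed into the first plaintext byte
FLAG = "swpuctf{y0u_@re_s0_coo1}"
CIPHERTEXT = [0x3d1, 0x2f0, 0x52, 0x475, 0x1d2, 0x2f0, 0x224, 0x51c,
              0x4e6, 0x29f, 0x2ee, 0x39b, 0x3f9, 0x32b, 0x2f2, 0x5b5,
              0x24c, 0x45a, 0x34c, 0x56d, 0xa, 0x4e6, 0x476, 0x2d9]


def is_superincreasing(seq):
    """Every weight must exceed the sum of all earlier weights."""
    return all(w > sum(seq[:i]) for i, w in enumerate(seq))


def public_key(priv, m, n):
    """The hard knapsack embedded in the binary: each private weight times m mod n."""
    if not is_superincreasing(priv) or sum(priv) >= n:
        raise ValueError("private key is not a valid Merkle-Hellman key")
    pow(m, -1, n)   # raises ValueError when gcd(m, n) != 1, i.e. no inverse exists
    return [(w * m) % n for w in priv]


def encrypt_byte(pub, b):
    """Subset sum of the public weights selected by the bits of b, MSB first."""
    return sum(pub[i] for i in range(8) if (b >> (7 - i)) & 1)


def decrypt_byte(priv, m, n, c):
    """Multiply by m^-1 to recover the easy knapsack sum, then decode greedily."""
    target = (c * pow(m, -1, n)) % n
    b = 0
    for i in range(7, -1, -1):           # largest private weight first
        if priv[i] <= target:
            target -= priv[i]
            b |= 1 << (7 - i)
    if target:
        raise ValueError("0x%x is not a valid ciphertext word" % c)
    return b


def encrypt(text, priv=PRIVATE_KEY, m=M, n=N, iv=IV):
    """Chain: each byte is XORed with the previous ciphertext word (iv for the first)."""
    pub = public_key(priv, m, n)
    out, prev = [], iv
    for ch in text.encode():
        c = encrypt_byte(pub, (ch ^ prev) & 0xff)
        out.append(c)
        prev = c
    return out


def decrypt(cipher, priv=PRIVATE_KEY, m=M, n=N, iv=IV):
    """Inverse of encrypt: decode each word, then undo the XOR chaining."""
    out, prev = bytearray(), iv
    for c in cipher:
        out.append((decrypt_byte(priv, m, n, c) ^ prev) & 0xff)
        prev = c
    return out.decode()


if __name__ == "__main__":
    print([hex(w) for w in public_key(PRIVATE_KEY, M, N)])   # the v10 table from check
    print(decrypt(CIPHERTEXT))
```

The brute force in the first script only works because the chaining makes each position depend on a known value (the previous ciphertext word) and because the subset sum is unique, so exactly one printable byte matches per position; with the private key in hand the greedy decode avoids the search entirely.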

0x3 Re3:

0x4 Re4: