[RE] safe box - cew
xp0int, posted on Sep 12 2021

The binary debugs itself as a parent/child pair. The debugger (parent) has two jobs: it decrypts the debuggee's code segment, and it hooks the argument of the first srand() call. First use angr to recover the decrypted code segment, then patch it into the original binary so the decompiler (F5) can work on it.

```
import angr

# Encrypted code bytes as dumped from the debuggee (1184 bytes)
opcode = [126, 147, 203, 166, 119, 161, 67, 203, 183, 5, 130, 131, 75, 151, 214, 116, 238, 9, 182, 8, 109, 160, 70, 191, 3, 92, 142, 150, 59, 5, 198, 162, 56, 142, 39, 65, 88, 109, 101, 30, 11, 135, 102, 50, 63, 67, 219, 213, 213, 19, 249, 189, 237, 158, 113, 246, 201, 90, 88, 97, 141, 132, 224, 161, 238, 18, 111, 25, 189, 251, 153, 158, 72, 59, 89, 67, 165, 130, 246, 62, 52, 31, 28, 41, 72, 227, 27, 151, 102, 148, 253, 230, 250, 142, 101, 107, 158, 46, 210, 23, 113, 52, 182, 132, 44, 135, 79, 31, 253, 110, 185, 224, 227, 37, 217, 16, 245, 245, 56, 210, 115, 162, 26, 171, 140, 182, 13, 11, 168, 139, 147, 231, 99, 190, 101, 9, 213, 236, 49, 178, 143, 247, 152, 29, 126, 206, 151, 52, 18, 75, 7, 180, 13, 98, 139, 252, 138, 198, 250, 249, 166, 138, 170, 213, 208, 100, 217, 195, 240, 82, 38, 26, 240, 72, 107, 176, 94, 132, 153, 212, 193, 37, 12, 102, 156, 56, 87, 40, 229, 24, 107, 192, 245, 220, 161, 104, 189, 178, 196, 67, 176, 165, 240, 5, 173, 242, 50, 46, 38, 152, 141, 219, 103, 145, 156, 204, 71, 8, 39, 67, 123, 59, 147, 150, 103, 43, 61, 51, 95, 31, 92, 182, 254, 172, 170, 175, 221, 134, 101, 23, 133, 12, 117, 217, 22, 108, 82, 4, 94, 198, 201, 43, 219, 247, 201, 46, 248, 116, 225, 7, 146, 121, 138, 51, 67, 95, 220, 42, 237, 252, 117, 50, 17, 147, 177, 222, 242, 215, 246, 13, 230, 110, 147, 114, 108, 226, 206, 188, 200, 231, 233, 113, 21, 218, 4, 161, 192, 233, 79, 246, 152, 91, 8, 10, 140, 82, 203, 128, 150, 154, 164, 177, 26, 97, 175, 41, 187, 92, 222, 243, 86, 103, 43, 75, 20, 202, 118, 36, 66, 148, 150, 154, 22, 39, 99, 137, 185, 50, 6, 81, 83, 199, 177, 11, 187, 232, 47, 33, 71, 23, 134, 74, 171, 186, 68, 8, 225, 213, 97, 111, 95, 205, 193, 77, 229, 191, 153, 181, 234, 22, 82, 49, 248, 232, 119, 22, 160, 116, 234, 170, 217, 100, 83, 142, 43, 228, 31, 20, 14, 154, 130, 22, 43, 156, 144, 145, 106, 137, 195, 80, 196, 244,
215, 144, 73, 212, 245, 229, 12, 145, 145, 244, 78, 168, 40, 211, 115, 80, 18, 97, 33, 28, 37, 232, 12, 106, 137, 173, 146, 50, 205, 99, 76, 21, 190, 196, 86, 221, 24, 99, 23, 212, 37, 0, 201, 83, 206, 146, 74, 187, 251, 50, 158, 53, 135, 146, 69, 154, 8, 138, 70, 205, 3, 112, 64, 236, 198, 51, 185, 155, 250, 105, 53, 239, 218, 91, 87, 22, 186, 107, 124, 40, 72, 162, 69, 66, 112, 218, 189, 245, 81, 8, 175, 110, 23, 112, 47, 220, 134, 221, 172, 142, 201, 237, 19, 106, 88, 182, 29, 69, 38, 181, 48, 95, 21, 226, 252, 58, 223, 144, 171, 153, 14, 106, 243, 7, 35, 100, 201, 56, 22, 89, 129, 113, 48, 197, 42, 75, 235, 136, 225, 216, 34, 232, 243, 68, 87, 180, 21, 80, 9, 103, 111, 132, 169, 20, 65, 115, 205, 171, 61, 155, 114, 12, 190, 218, 88, 129, 168, 135, 44, 193, 240, 228, 47, 115, 72, 180, 171, 124, 31, 170, 154, 5, 113, 131, 232, 99, 250, 229, 68, 142, 60, 46, 32, 95, 4, 244, 154, 77, 90, 84, 85, 141, 215, 86, 207, 209, 96, 64, 20, 171, 40, 39, 145, 238, 51, 252, 202, 203, 10, 43, 95, 208, 242, 64, 216, 69, 195, 209, 44, 142, 189, 194, 247, 105, 222, 83, 85, 46, 54, 143, 110, 134, 124, 173, 101, 172, 233, 191, 224, 40, 241, 163, 200, 173, 52, 175, 124, 22, 9, 209, 152, 117, 11, 42, 62, 39, 98, 14, 174, 130, 164, 174, 249, 49, 191, 238, 248, 195, 196, 193, 170, 33, 192, 86, 233, 110, 158, 165, 212, 250, 178, 138, 28, 248, 29, 53, 86, 159, 203, 188, 68, 169, 14, 175, 180, 31, 241, 127, 201, 244, 109, 238, 104, 238, 45, 120, 107, 133, 170, 43, 157, 146, 34, 101, 196, 140, 174, 165, 215, 107, 28, 166, 130, 169, 123, 134, 5, 238, 198, 114, 185, 216, 18, 29, 71, 240, 123, 19, 56, 233, 194, 72, 81, 91, 98, 137, 6, 211, 209, 105, 200, 100, 218, 192, 140, 150, 215, 128, 6, 10, 185, 199, 254, 208, 28, 3, 225, 246, 130, 93, 63, 188, 145, 186, 50, 196, 199, 23, 164, 36, 67, 125, 233, 84, 175, 210, 16, 49, 15, 205, 111, 103, 42, 25, 167, 180, 99, 20, 125, 120, 140, 253, 241, 74, 78, 24, 37, 43, 177, 233, 87, 149, 92, 147, 88, 26, 129, 18, 150, 165, 127, 155, 179, 178, 146, 198, 
16, 52, 213, 253, 236, 42, 52, 96, 183, 66, 69, 242, 51, 28, 140, 88, 201, 89, 227, 221, 76, 157, 157, 134, 232, 10, 125, 162, 17, 69, 131, 128, 113, 85, 33, 66, 224, 217, 198, 57, 231, 163, 145, 105, 36, 152, 22, 62, 164, 62, 145, 209, 213, 21, 227, 8, 36, 34, 230, 120, 164, 228, 237, 242, 115, 86, 50, 143, 252, 158, 242, 163, 81, 243, 76, 117, 123, 18, 91, 4, 99, 62, 154, 153, 41, 13, 97, 129, 193, 167, 6, 8, 15, 176, 49, 157, 252, 126, 175, 6, 177, 230, 55, 142, 152, 175, 61, 74, 168, 67, 215, 52, 249, 197, 224, 167, 19, 192, 106, 55, 98, 205, 105, 233, 158, 234, 71, 21, 199, 2, 146, 231, 41, 168, 80, 49, 8, 25, 134, 47, 238, 137, 22, 250, 112, 233, 101, 253, 220, 168, 180, 245, 126, 106, 63, 68, 18, 134, 229, 191, 212, 91, 115, 198, 189, 98, 62, 196, 42, 200, 32, 235, 33, 28, 246, 32, 22, 6, 75, 242, 164, 10, 205, 40, 220, 209, 173, 39, 203, 112, 11, 129, 169, 206, 69, 80, 92, 87, 137, 19, 223, 238, 167, 113, 124, 171, 175, 128, 182, 85, 105, 188, 99, 138, 173, 47, 98, 66, 124, 195, 100, 159, 101, 96, 113, 225, 27, 136, 158, 107, 105, 191, 13, 68, 71, 218, 160, 116, 144, 204, 35, 57, 172, 220, 160, 245, 222, 126, 253, 156, 129, 217, 228, 137, 146, 146, 18, 216, 58, 116, 125, 75, 164, 119, 247, 192, 57, 17, 227, 163, 109, 137, 195, 119, 231, 246, 131, 248, 76, 167, 50, 49, 208, 189, 99, 75, 114, 72, 254, 65, 139, 249, 146, 115, 67, 118, 228, 164, 38, 52, 150, 206, 132, 27, 120, 183, 81, 86, 175, 110, 243, 150, 250, 205, 122, 50, 86, 62, 79, 199, 68, 142, 32, 6, 6, 1, 217, 179, 151, 223, 167, 200, 189, 230, 239, 129, 49, 245, 212, 174, 246, 213, 219, 117, 92, 54]

# Load the PE at its preferred base so the addresses below match the disassembler
proj = angr.Project("safe box.exe", load_options={"auto_load_libs": False},
                    main_opts={"base_addr": 0x140000000})

# Blank state at the start of the decryption routine, with a fake stack frame
state = proj.factory.blank_state(addr=0x14000137D, add_options=angr.options.unicorn)
state.regs.rbp = 0x20000000
state.regs.rsp = 0x10000000
state.regs.r14 = 0
rbp = 0x20000000

# Zero the two 512-byte stack buffers the routine works with
state.memory.store(rbp+0x1030-0xa20, b'\x00'*512)
state.memory.store(rbp+0x1030-0x820, b'\x00'*512)
# The encrypted code bytes sit at rbp+0x810
state.memory.store(rbp+0x810, bytes(opcode))

# Run until the decryption routine finishes, then read the plaintext back out
simgr = proj.factory.simgr(state)
simgr.explore(find=0x1400014B5)
print(len(simgr.found))
found = simgr.found[-1]
print(found.solver.eval(found.memory.load(rbp+0x810, 1184), cast_to=bytes))
```

Level 1 takes a single number as input; brute-forcing the seed is enough.

```
#include <stdio.h>

/* Variable names follow the IDA decompilation of the check routine. */
int main(void) {
    unsigned long long v1;
    unsigned int v2, v3, v4, v5, v6, v7, v8, v9, v10;

    /* A 32-bit counter can never reach 0x100000000, so count in 64 bits
       and narrow to the 32-bit seed the binary actually uses. */
    for (unsigned long long s = 0; s < 0x100000000ULL; s++) {
        unsigned int Seed = (unsigned int)s;
        v1 = 16;
        v2 = 0xff & (Seed % 0x2540BE3FF);
        v3 = ((Seed % 0x2540BE3FF) >> 8) & 0xF;
        v4 = ((Seed % 0x2540BE3FF) >> 20) & 0xFFF;
        v5 = v2 + 1;
        v6 = 0xff & (((int)Seed % 0x2540BE3FF) >> 12);
        v7 = v3 + 1;
        v8 = v4 + ~v2;
        v9 = v4;
        v10 = 21 * v6;
        do {
            v3 += v3 ^ v8;
            v2 += v4 | v2 & v7;
            v9 += (v10 + v9) % v5;
            v6 += v6 / v7;
            --v1;
        } while (v1);
        if (v3 == 58722033 && v2 == 29329 && v9 == 2227 && v6 == 128) {
            printf("find pass -> %u\n", Seed);
            break;
        }
    }
    return 0;
}
```

Level 1 pass -> 1915969329

Level 2 is a modified XTEA (shift amounts 5/6 instead of 4/5, delta 0x12345678 instead of 0x9E3779B9). Mirroring the encryption round by round decrypts it.

```
#include <stdint.h>
#include <stdio.h>

/* XTEA decryption with the challenge's constants. */
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], delta = 0x12345678, sum = delta * num_rounds;
    for (i = 0; i < num_rounds; i++) {
        v1 -= (((v0 << 5) ^ (v0 >> 6)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 5) ^ (v1 >> 6)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

int main(void) {
    /* Ciphertext dwords from the binary; each plaintext char ends up in the low byte of a dword. */
    uint32_t enc[11] = {918628549, 3296303715, 3892395628, 2851377155, 1618933066,
                        1412181471, 1435226140, 1699818658, 3189652741, 1011252653, 0};
    uint32_t key[4] = {71, 87, 72, 84};   /* 'G', 'W', 'H', 'T' */
    for (int i = 0; i < 10; i += 2)
        decipher(32, &enc[i], key);
    for (int i = 0; i < 10; i++)
        printf("%c", enc[i] & 0xff);
    printf("\n");
    return 0;
}
```

Level 2 pass -> S_s0_fuNny

Level 3 first calls srand(0x534EB68) once and rand() 16 times, then srand(1915969329+1) once and rand() 16 more times. The first 16 rand values are combined with the input bytes through some bitwise logic; the results are interleaved with the second 16 rand values in a fixed order and compared against constants. The positions and the rand values can be read off with a debugger.

```
pos = "16 03 17 13 04 14 11 12 01 02 15 00 05 06 18 19 07 08 1A 09 1B 1C 1D 1E 1F 0A 0C 0B 0D 0E 0F 10".split()
pos = [int(_, 16) for _ in pos]

# Constants the binary compares the 32 scrambled values against
cmp = [4263, 16242, 16703, 12130, 5594, 23568, 5963, 27755, 14298, 13907, 4612, 464,
       6627, 13470, 24802, 16575, 6941, 28553, 3420, 32051, 14213, 3772, 16664, 20519,
       6410, 4920, 29943, 17232, 14231, 7611, 9303, 8088]

a1 = [0]*16   # slots that check the input bytes
a2 = [0]*16   # slots that hold the second batch of rand() values
for i in range(32):
    if i < 0x10:
        a1[i] = cmp[pos[i]]
    else:
        a2[i-0x10] = cmp[pos[i]]
# a1 = [hex(_) for _ in a1]
# a2 = [hex(_) for _ in a2]
print(a1)
print(a2)

'''
Memory dump of the first 16 rand() values (little-endian dwords):
47 41 00 00 06 2F 00 00 17 50 00 00 6C 7D 00 00 83 15 00 00 EA 37 00 00 DC 6F 00 00 03 0D 00 00
43 3F 00 00 56 41 00 00 D7 0E 00 00 94 10 00 00 4F 5C 00 00 3F 17 00 00 3A 19 00 00 57 13 00 00
'''
rnum = [0x4147, 0x2f06, 0x5017, 0x7d6c, 0x1583, 0x37ea, 0x6fdc, 0xd03,
        0x3f43, 0x4156, 0xed7, 0x1094, 0x5c4f, 0x173f, 0x193a, 0x1357]

# Brute-force each input byte against its check slot
for i in range(16):
    a = a1[i]
    v10 = rnum[i]
    for v9 in range(0x100):
        # (v9 & v10) & 0xffff
        # v9 ^ v10
        cur = (~(v9 & v10) & 0xffff) & (v9 ^ v10)
        # print(hex(cur))
        if (cur & 0xffff) == a:
            print(chr(v9), end='')
            break
print()
```

Level 3 pass -> _d0_YoU_1ik3_t0o

FLAG: GWHT{r3_1S_s0_fuNny_d0_YoU_1ik3_t0o}
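As an added example (not the writeup's own code), here is the level 2 cipher in Python with both directions: writing the encipher from the modified constants and checking that the decipher undoes it round for round is what "mirroring the encryption" amounts to. The constants, key and ciphertext are the writeup's; the function names are mine.

```python
# Added example: modified XTEA from level 2, encrypt and decrypt side by side.
MASK = 0xFFFFFFFF
DELTA = 0x12345678            # standard XTEA uses 0x9E3779B9
KEY = (71, 87, 72, 84)        # ord('G'), ord('W'), ord('H'), ord('T')


def _mix(x):
    # Standard XTEA uses (x << 4) ^ (x >> 5); this variant uses shifts 5 and 6.
    return ((((x << 5) & MASK) ^ (x >> 6)) + x) & MASK


def encipher(v0, v1, key=KEY, rounds=32):
    """Forward direction, reconstructed by inverting the writeup's decipher."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
    return v0, v1


def decipher(v0, v1, key=KEY, rounds=32):
    """Same steps as encipher, run backwards from sum = rounds * delta."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (_mix(v0) ^ ((s + key[(s >> 11) & 3]) & MASK))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - (_mix(v1) ^ ((s + key[s & 3]) & MASK))) & MASK
    return v0, v1


# Ciphertext dwords from the writeup: each plaintext character sits in the
# low byte of its own 32-bit word, so five block decryptions give ten chars.
ENC = [918628549, 3296303715, 3892395628, 2851377155, 1618933066,
       1412181471, 1435226140, 1699818658, 3189652741, 1011252653]


def decrypt_pass(enc=ENC, key=KEY):
    words = []
    for i in range(0, len(enc), 2):
        words.extend(decipher(enc[i], enc[i + 1], key))
    return "".join(chr(w & 0xff) for w in words)


def roundtrip_ok(v0, v1, key=KEY):
    """True when decipher exactly undoes encipher on this block."""
    return decipher(*encipher(v0, v1, key), key) == (v0, v1)


if __name__ == "__main__":
    print(decrypt_pass())
```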
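Added example, not part of the original writeup: the level 3 per-byte check collapses to a single XOR, so the pass can be read straight off the tables without the byte brute force. It reuses the pos, cmp and rnum values from the script above; the function names are mine.

```python
# Added example: the check (~(c & r) & 0xffff) & (c ^ r) clears bits that
# (c ^ r) never has set, so it equals c ^ r and each pass byte is cmp ^ rand.
POS = [int(x, 16) for x in (
    "16 03 17 13 04 14 11 12 01 02 15 00 05 06 18 19 "
    "07 08 1A 09 1B 1C 1D 1E 1F 0A 0C 0B 0D 0E 0F 10").split()]
CMP = [4263, 16242, 16703, 12130, 5594, 23568, 5963, 27755, 14298, 13907,
       4612, 464, 6627, 13470, 24802, 16575, 6941, 28553, 3420, 32051,
       14213, 3772, 16664, 20519, 6410, 4920, 29943, 17232, 14231, 7611,
       9303, 8088]
RNUM = [0x4147, 0x2f06, 0x5017, 0x7d6c, 0x1583, 0x37ea, 0x6fdc, 0x0d03,
        0x3f43, 0x4156, 0x0ed7, 0x1094, 0x5c4f, 0x173f, 0x193a, 0x1357]


def check_expr(c, r):
    """The binary's per-byte check exactly as the writeup's script spells it."""
    return (~(c & r) & 0xffff) & (c ^ r)


def unscramble(cmp, pos):
    """Undo the fixed permutation: slots 0..15 check the input bytes (a1),
    slots 16..31 hold the second batch of rand() values (a2)."""
    a1 = [cmp[pos[i]] for i in range(16)]
    a2 = [cmp[pos[i]] for i in range(16, 32)]
    return a1, a2


def recover_pass(cmp, pos, rnum):
    """Derive each pass byte algebraically and confirm it against the
    original check expression, so the shortcut is verified, not assumed."""
    a1, _ = unscramble(cmp, pos)
    out = []
    for target, r in zip(a1, rnum):
        c = target ^ r
        if c > 0xff or check_expr(c, r) != target:
            raise ValueError("slot does not reduce to a single byte")
        out.append(chr(c))
    return "".join(out)


if __name__ == "__main__":
    print(recover_pass(CMP, POS, RNUM))
```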