id와 패스워드 체크 루틴이 있음
id를 비트단위로 분해 ->
concat : 0 obj^1 obj^before^bb^bbb^1 obj^before_byte^bbb^1
(연습삼아 정확하게 분석해 봤는데 사실은 obj^1만 알아도 id를 구할 수 있다.)
; Excerpt of the ID check loop (the function's start and end are outside this listing).
; Per digit: value -> string -> int (Atoi), shift a 3-slot history window,
; build the xor terms as decimal strings, concat them, then append the result.
mov qword ptr [rsp], 0 ; arg0: buf = nil
mov [rsp+8], rbx ; arg1: the value to stringify (rbx is set before this excerpt)
call runtime_intstring ; Go ABI0: args on the stack at [rsp..], results follow them
mov rax, [rsp+18h] ; result string len
mov rcx, [rsp+10h] ; _r2 -- result string ptr
mov [rsp], rcx ; Atoi arg: ptr
mov [rsp+8], rax ; Atoi arg: len
call strconv_Atoi ; strconv.Atoi(string) (int, error)
mov rax, [rsp+10h] ; int result; the error result is not read anywhere in this excerpt
mov [obj_88h], rax ; obj_88h -- current digit ("obj")
lea rcx, [before_byte_b8h] ; memmove dst
mov [rsp], rcx
lea rcx, [obj_b0] ; memmove src
mov [rsp+8], rcx
mov qword ptr [rsp+10h], 18h ; n = 0x18 bytes = 3 qwords
call runtime_memmove b8<=b0(18) ; shift history window: b0->b8, b8->c0, c0->c8
mov rax, [obj_88h]
mov [obj_b0], rax ; obj_b0 = obj (newest slot)
mov rcx, [before_byte_b8h]
xor rcx, rax ; b8 ^ obj
mov rdx, [beforebefore_byte_c0]
xor rcx, rdx ; ^ c0
mov rdx, [beforebeforebefore_byte_c8] ; _r1
xor rcx, rdx rdx=0 ; ^ c8 (author's note says it is 0 here, so no effect on this iteration)
xor rcx, 1 ; ^ 1
mov [rsp], rcx rcx^1^0=rcx^1 ; Itoa arg: obj^b8^c0^c8^1
call strconv_Itoa ; strconv.Itoa(int) string
mov rax, [rsp+10h] ; term1 len
mov [rsp+80h], rax
mov rcx, [rsp+8] ; term1 ptr
mov [rsp+0E8h], rcx
mov rdx, [obj_b0]
mov rbx, [before_byte_b8h]
xor rdx, rbx ; obj ^ b8
mov rbx, [beforebeforebefore_byte_c8]
xor rdx, rbx ; ^ c8 (c0 is skipped in this term)
xor rdx, 1 ; _r1 -- ^ 1
mov [rsp], rdx ; Itoa arg: obj^b8^c8^1
call strconv_Itoa
mov rax, [rsp+10h] ; term2 len
mov [rsp+78h], rax
mov rcx, [rsp+8] ; term2 ptr
mov [rsp+0E0h], rcx
mov rdx, [obj_88h]
xor rdx, 1 ; _r1 -- obj ^ 1
mov [rsp], rdx ; Itoa arg: obj^1
call strconv_Itoa
mov rax, [rsp+8] ; term0 ptr
mov rcx, [rsp+10h] ; term0 len
mov qword ptr [rsp], 0 ; a -- concat buf = nil
lea rdx, _r2 ; _r2 -- 1-byte constant string (the writeup's leading "0")
mov [rsp+8], rdx
mov qword ptr [rsp+10h], 1 ; len(_r2) = 1
mov [rsp+18h], rax ; s2 = obj^1
mov [rsp+20h], rcx
mov rax, [rsp+0E8h]
mov [rsp+28h], rax ; s3 = obj^b8^c0^c8^1
mov rax, [rsp+80h]
mov [rsp+30h], rax
mov rax, [rsp+0E0h]
mov [rsp+38h], rax ; s4 = obj^b8^c8^1
mov rax, [rsp+78h]
mov [rsp+40h], rax
call runtime_concatstring4 ; result = _r2 + s2 + s3 + s4 (matches the concat line in the writeup)
mov rax, [rsp+50h] ; result len
mov [rsp+60h], rax
mov rcx, [rsp+48h] ; result ptr
mov [rsp+0D0h], rcx
mov rdx, [rsp+68h] ; slice len
lea rbx, [rdx+1] ; len + 1
mov rsi, [rsp+70h] ; cap
cmp rbx, rsi
jg short loc_401F9E ; len+1 > cap: looks like an append grow path; the target is outside this excerpt
이와 같이 이어서 만든 4비트 숫자들과 rodata에 있는 테이블이 일치하면 secret member다
이 아이디와 패스워드를 xor해서 역시 rodata에 있는 password table과 비교하여 맞으면 flag를 내놓는다.
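from pwn import *

p = process('./Goversing')

# Per-bit table recovered from .rodata: the 64 values the binary compares each
# concatenated 4-digit string against (one entry per ID bit).
idtable = '7 0 4 5 4 7 7 0 4 2 0 6 6 3 4 5 4 0 3 6 1 0 6 1 7 2 0 6 1 7 5 3 4 2 0 6 1 0 1 5 6 3 4 5 4 7 7 7 7 0 4 5 4 0 3 1 5 6 3 3 6 6 4 7'.split(' ')
# Password table from .rodata (hex bytes); the binary compares pw ^ id against it.
table = '12 56 2e 1B 5C 34 6A 5D 73 29 0F 5B 1C 67 34 6F 11 50 1E 3A 19 70 35 54 3F 45 2D 47 2E'.split(' ')

p.sendlineafter('>', '1')

# concat : 0 obj^1 obj^before^bb^bbb^1 obj^before_byte^bbb^1
# Every table entry is 0..7, so entry // 4 is the "obj^1" digit and the
# original ID bit is (entry // 4) ^ 1.  Integer division is written explicitly
# so the script behaves the same under Python 3 (where `/` yields a float and
# the xor would fail).  `id_bits` replaces the original `id`, which shadowed
# the builtin.
id_bits = ''
for i in range(64):
    tmp = int(idtable[i]) // 4
    id_bits += str(tmp ^ 1)

# Pack the 64 recovered bits into 8 characters, most significant bit first.
idstr = ''
for i in range(8):
    idstr += chr(int(id_bits[i * 8:i * 8 + 8], 2))
print(idstr)
p.sendlineafter('ID', idstr)

# The check is pw[i] ^ id[i % 8] == table[i], so pw[i] = table[i] ^ id[i % 8].
pw = ''
for i in range(29):
    pw += chr(int(table[i], 16) ^ ord(idstr[i % 8]))
print(pw)
p.sendlineafter('PW', pw)
p.interactive()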