Jarvis OJ - DD-Hello -Writeup
阿新 • • 發佈:2017-07-26
真的 ida os x jpg 又一 可執行 idt block 題目
Jarvis OJ - DD-Hello -Writeup
轉載請註明出處http://www.cnblogs.com/WangAoBo/p/7239216.html
題目:
分析:
第一次做這道題時,file查看發現是OS X和IOS的可執行文件,就果斷放棄了
後來又一想,OS X是基於FreeBSD的,那Mach-O文件和elf應該也有相通之處,於是就嘗試用IDA打開文件,居然真的打開了
函數較少,並且都可F5出偽代碼,逐個分析,整理如下:
關鍵代碼:
if ( !(result & 1) ) { i = 0; while ( i < 55 ) { key[(signed __int64)i]-= 2; key[(signed __int64)i] ^= k; ++i; ++k; }
key[]是已知的,i是循環變量,因此只需要找到k的值,從偽代碼看不出什麽
但k肯定是固定的,因此首先嘗試爆破,腳本如下:
for kk in range(0, 256): key = [0x41, 0x10, 0x11, 0x11, 0x1B, 0x0A, 0x64, 0x67, 0x6A, 0x68, 0x62, 0x68, 0x6E, 0x67, 0x68, 0x6B, 0x62, 0x3D, 0x65, 0x6A, 0x6A, 0x3D, 0x68, 0x4, 0x5, 0x8, 0x3, 0x2, 0x2, 0x55, 0x8, 0x5D, 0x61, 0x55, 0x0A, 0x5F, 0x0D, 0x5D, 0x61, 0x32, 0x17, 0x1D, 0x19, 0x1F, 0x18, 0x20, 0x4, 0x2, 0x12, 0x16, 0x1E, 0x54, 0x20, 0x13, 0x14, 0x0, 0x0]try: k = kk i = 0 while i < 55: key[i] -= 2 key[i] ^= k i += 1 k += 1 ans = ‘‘ for c in key: ans += chr(c) print ans except: pass
運行並提取flag如下:
後來請教了學長,從匯編代碼裏找出了k的值,就不用爆破了
於是k即為dummy_function與welcome_function的地址差值右移兩位在與key[0]亦或,從IDA中可以看出dummy_function和welcome_function的地址
得到新的非爆破腳本如下:
key = [0x41, 0x10, 0x11, 0x11, 0x1B, 0x0A, 0x64, 0x67, 0x6A, 0x68, 0x62, 0x68, 0x6E, 0x67, 0x68, 0x6B, 0x62, 0x3D, 0x65, 0x6A, 0x6A, 0x3D, 0x68, 0x4, 0x5, 0x8, 0x3, 0x2, 0x2, 0x55, 0x8, 0x5D, 0x61, 0x55, 0x0A, 0x5F, 0x0D, 0x5D, 0x61, 0x32, 0x17, 0x1D, 0x19, 0x1F, 0x18, 0x20, 0x4, 0x2, 0x12, 0x16, 0x1E, 0x54, 0x20, 0x13, 0x14, 0x0, 0x0] k = ((0x0000000100000CB0 - 0x0000000100000C90) >> 2) ^ key[0] i = 0 while i < 55: key[i] -= 2 key[i] ^= k i += 1 k += 1 ans = ‘‘ for c in key: ans += chr(c) print ans[1: ]
運行
於是flag即為[email protected]
Jarvis OJ - DD-Hello -Writeup