Title: The 7th 'Huxiang Cup' Cyber Security Competition - Preliminary Game Writeup

Web

easywill

Problem Solution

Variable overlay

http://eci-2zej1goyn9jh8hty6ton.cloudeci1.icunqiu.com/?name=cfilevalue=/etc/passwd

Psychological blog's recent articles utilize pearcmd: https://tttang.com/archive/1312/

Pentest in Autumn

Ideas for solving problems

http://eci-2ze40jm526y24nv2lkl3.cloudeci1.icunqiu.com:8888/Permission bypass /;/actuator/env /;/actuator/heapdump

Decryption script

importbase64

Importstruct

print(base64.b64encode(struct.pack('bbbbbbbbbbbbbbbb',-126,-67,24,-71,-62,-122,61,-52,91,77,-110,115,-43,100,-88,103))))

#gr0YucKGPcxbTZJz1WSoZw==flag{3fa31850-8ee6-40f2-9b18-9ecf6cac176c}

Reverse

Hideit

Problem Solution

After opening it, I found that there is SMC, and I can't find the main function in a single step debugging.

Discover the output string, breakpoint under puts, and after the second break, go back to the main function, go up to the function header, decompile

__int64__fastcallsub_24D61161BB0(__int64a1)

{

//.

if(!(unsignedint)off_24D61163000(-2147483646i64,aSoftwareClasse,v24))

{

v23=0;

((void(__fastcall*)(char*,_QWORD,__int64))unk_24D61162A0C)(v21,0i64,520i64);

v22=66;

if(!(unsignedint)off_24D61163008(v24,aKeysSecret,0i64,v23,v21,v22))

off_24D61163020(0i64,0i64,v21,0xFFFFFFFi64,v14,260,0i64,0i64);

}

off_24D611630F8(aFirstSecretHer);

v10=0i64;

v11=0;

((void(__fastcall*)(void*,__int64*))unk_24D61161B50)(unk_24D6116324C,v10);

v12=0i64;

strcpy((char*)v12,(constchar*)v10);

v13[0]=114;

v13[1]=514;

v13[2]=19;

v13[3]=19;

((void(__fastcall*)(char*,_QWORD,__int64))unk_24D61162A0C)(v20,0i64,512i64);

v3=HIDWORD(v12);

v4=32;

v5=v12;

v6=HIDWORD(v12);

v7=0;

do

{

v7-=1640531527;

v8=(v72)3;

v5+=((v7^v3)+(v6^v13[v8]))^(((16*v6)^(v33))+((v65)^(4*v3)));

v3+=((v7^v5)+(v5^v13[v8^1]))^(((16*v5)^(v53))+((v55)^(4*v5)));

v6=v3;

--v4;

}

while(v4);

if(v5==288407067v3==1668576323)

{

v17=0i64;

v18=(unsigned__int8)v10|((BYTE1(v10)|(WORD1(v10)8))8);

v19=BYTE4(v10)|((BYTE5(v10)|(HIWORD(v10)8))8);

((void(__fastcall*)(_DWORD*,__int64))unk_24D61161000)(v16,a1);//Key extension

sub_24D61161150(v16,v14,v20);//Second step encryption

While(byte_24D611631D0[v2]==v20[v2])

{

if(++v2=32)

returnoff_24D611630F8(aYouFindLastSec);

}

}

return0i64;

}First perform class tea encryption. If these 8 words comply with the method, then perform the second step of encryption. Class tea encryption decodes the string dotitsit, and the second paragraph is encrypted as follows

_DWORD*__fastcallsub_24D61161150(_DWORD*a1,__int128*a2,_BYTE*a3)

{

//.

if(a2)

{

v13=(char*)a2-(char*)v122;

v14=v122;

do

{

*(_BYTE*)v14=*((_BYTE*)v14+v13);

v14=(__int128*)((char*)v14+1);

--v11;

}

while(v11);

v127=v122;

}

//keyoperation

While(1)

{

//keyoperation

}

//.

if(v127)

{

//Prepare the breakpoint here and view the value of v76. to XOR the original data

v76^=*(unsigned__int8*)v127|((*((unsigned__int8*)v127+1)|(*((unsigned__int16*)v127+1)8))8);

v77^=*((unsigned__int8*)v127+4)|((*((unsigned__int8*)v127+5)|(*((unsigned__int16*)v127+3)8))8);

v78^=*((unsigned__int8*)v127+8)|((*((unsigned__int8*)v127+9)|(*((unsigned__int16*)v127+5)8))8);

v79^=*((unsigned__int8*)v127+12)|((*((unsigned__int8*)v127+13)|(*((unsigned__int16*)v127+7)8))8);

v80^=*((unsigned__int8*)v127+16)|((*((unsigned__int8*)v127+17)|(*((unsigned__int16*)v127+9)8))8);

v129^=*((unsigned__int8*)v127+20)|((*((unsigned__int8*)v127+21)|(*((unsigned__int16*)v127+11)8))8);

LODWORD(v97)=(*((unsigned__int8*)v127+24)|((*((unsigned__int8*)v127+25)|(*((unsigned__int16*)v127

+13)8))8))^v97;

HIDWORD(v97)^=*((unsigned__int8*)v127+28)|((*((unsigned__int8*)v127+29)|(*((unsigned__int16*)v127

+15)8))8);

v81^=*((unsigned__int8*)v127+32)|((*((unsigned__int8*)v127+33)|(*((unsigned__int16*)v127+17)8))8);

v86^=*((unsigned__int8*)v127+36)|((*((unsigned__int8*)v127+37)|(*((unsigned__int16*)v127+19)8))8);

v87^=*((unsigned__int8*)v127+44)|((*((unsigned__int8*)v127+45)|(*((unsigned__int16*)v127+23)8))8);

v82^=*((unsigned__int8*)v127+48)|((*((unsigned__int8*)v127+49)|(*((unsigned__int16*)v127+25)8))8);

v83^=*((unsigned__int8*)v127+52)|((*((unsigned__int8*)v127+53)|(*((unsigned__int16*)v127+27)8))8);

v84^=*((unsigned__int8*)v127+56)|((*((unsigned__int8*)v127+57)|(*((unsigned__int16*)v127+29)8))8);

v85^=*((unsigned__int8*)v127+60)|((*((unsigned__int8*)v127+61)|(*((unsigned__int16*)v127+31)8))8);

v75^=*((unsigned__int8*)v127+40)|((*((unsigned__int8*)v127+41)|(*((unsigned__int16*)v127+21)8))8);

}

//datacopy

do

{

*v90=v90[(char*)v122-a3];

++v90;

--v91;

}

while(v91);

result=a1;

a1[12]=v105;

a1[13]=v100;

returnresult;

}This function looks complicated, but in fact it is to perform a very complex operation on the key and perform an XOR with the input, so you only need to dump the key to get the flag

exp

#includestdio.h#includestdlib.h

#includeinttypes.h

#includestring.h

#include'defs.h'

#includestdint.h

voiddecrypt(uint32_t*v)

{

uint32_tv7,v8,v6,v5,v4,v3;

v4=32;

uint32_tv11[]={114,514,19,19};

v7=0x9e3779b9*32;

v5=0x1130BE1B;

v3=0x63747443;do

{

v8=(v72)3;

v3-=((v7^v5)+(v5^v11[v8^1]))^((16*v5)^(v53))+((v55)^(4*v5)));

v6=v3;

v5-=((v7^v3)+(v6^v11[v8]))^(((16*v6)^(v33))+((v65)^(4*v3)));

--v4;

v7-=0x9e3779b9;

}while(v4);

v[0]=v5;

v[1]=v3;

}

intmain()

{

uint32_tk[]={114,514,19,19};

uint8_tp[]='12345678';

uint32_tc[]={288407067,1668576323};

decrypt(c);

printf('%sn',c);

for(size_ti=0;i8;i++)

{

printf('0x%02x,',*(uint8_t*)c[i]);

}

printf('n');

charkey[]='expand32-bytek0N3@aYI_M3l0dy_KurOm1_W_Suk1dqy0x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00dotitit';

uint8_tdata[]={0xeb,0x8e,0x5c,0xa5,0x62,0xb4,0x1c,0x84,0x5c,0x59,0xfc,0xd,0x43,0x3c,0xab,0x20,0xd8,0x93,0x33,0x13,0xa1,0x9e,0x39,0x0,0x76,0x14,0xb5,0x4,0x58,0x9d,0x6,0xb8};

uint8_tres[128]={0};

uint32_tk0=0xC23DE28D;

uint32_t*d=(uint32_t*)data;

d[0]^=k0;

d[1]^=0xca2df219;

d[2]^=0x52cf1418;

d[3]^=0x139c5a77;

d[4]^=0x5b04ccaa;

d[5]^=0x680cc192;

d[6]^=0x47F95845;

d[7]^=0xC535D968;

printf('%sn',d);

}

shell

Problem Solving Ideas

A child process is created in main, and the parent-child process is decommissioned. Find a program that dumps the child process. https://github.com/glmcdona/Process-Dump

pd-pid child process pid where child process pid can be debugged to obtain the child process after ida open dump as follows

.text:000001FA6C311160pushrsi

.text:000001FA6C311161pushrdi

.text:000001FA6C311162subrsp,28h

.text:000001FA6C311166learcx,Format;'plzinputyourflagn'

.text:000001FA6C31116Dcallsub_1FA6C3112B0

.text:000001FA6C311172learcx,a42s;'%42s'

.text:000001FA6C311179learsi,known_string; this is0x40a0

.text:000001FA6C311180movrdx,rsi

.text:000001FA6C311183callscanf

.text:000001FA6C311188int3;TraptoDebugger

.text:000001FA6C311189;---------------------------------------------------------------------------

.text:000001FA6C311189movrcx,rsi;Str

.text:000001FA6C31118Ccallstrlen

.text:000001FA6C311191cmmprax,0C9h

.text:000001FA6C311197jbshortnearptrunk_1FA6C31119E

.text:000001FA6C311199callsub_1FA6C311020

.text:000001FA6C311199;---------------------------------------------------------------------------

.text:000001FA6C31119Eunk_1FA6C31119Edb0C4h;CODEXREF:main+37↑j

.text:000001FA6C31119Fdb12h combined with debugging functions in the main process

int__fastcallsub_7FF6C56B1560(_DWORD*a1)

{

//.

if(*a1==0x80000003)

{

v5=qword_7FF6C56B5630;

if(qword_7FF6C56B5630)

{

Context.ContextFlags=1048587;

if(!GetThreadContext(hThread,Context))

{

v6=GetLastError();

printf('GetThreadContextfailed:%llxn',v6);

}

ReadProcessMemory(hProcess,(LPCVOID)(qword_7FF6C56B5638+0x40A0),v13,0x2Aui64,NumberOfBytesRead);

v7=_mm_load_si128((const__m128i*)xmmword_7FF6C56B3420