中间短暂的拿到了第一名,可惜最后止步12名,www。。。
RRRRust:
- 简单rust逆向
- 首先找到密文,然后找关键逻辑,发现只有一个异或
- 直接脚本解密
c=''
x='e>?d7a411zakf`|e4ec16754c65>a>b4>e3f51'
for i in range(len(x)):
c+=chr(ord(x[i])^7)
print(c) - 得到b98c0f366}flag{b3bd61023d129f9e39b4a26
- 调整一下位置即可
- flag{b3bd61023d129f9e39b4a26b98c0f366}
SomethingInIt:
-
IDA64打开,发现程序实现了一个双层的vm
-
首先考虑用Inter-pin进行爆破
-
找到关键输入点以及最后的比较代码case 0x28,case0x29:
-
用pin爆破即可,下面为爆破脚本:
`from pwn import *
import subprocess
def run(msg):
cmd = [
"/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/pin",
"-t", "/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/obj-intel64/inscount0.so",
"-o", "/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log",
"--",
"/home/tanggerr/challenge"
]
p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)p.stdin.write(msg.encode())
p.stdin.flush()output = p.stdout.readline()
p.terminate()
return int(read("/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log").split(" ")[1])
def read(fname):
with open(fname) as f:
return f.read()
charset = string.printable
l = []
flag = ""
counter = 0
while(True):
max_chr = 0
first_iteration = True
for chr in charset:
tmp = run(flag + chr)
if first_iteration:
max_value = tmp
first_iteration = False
if tmp > max_value:
max_chr = chr
max_value = tmp
break
print(max_chr)
flag += str(max_chr)
print(flag)`
- 大概一个多小时即可爆破出flag
- flag{Is_thi5_VM_THAT_1s_1n_vm_beautiful?!}