BKCTF 2023 - REV
Checker
The idea of this challenge is pretty basic: it is a simple flag checker whose code is compiled Lua. So the first thing I did was decompile the checker file.
Okay, it is Lua version 5.4, so I used unluac instead of another decompiler:
The code is quite simple: it only modifies the input and compares it with a buffer that is already present, so reversing it is fairly easy:
Here is my full solve script:
# v7 is a second buffer from the decompiled checker; it is not used by the solve.
v7 = [
    219,
    117,
    ...
    30
]
# v6 is the buffer the checker compares the transformed input against.
v6 = [
    46,
    106,
    119,
    ...
    123,
    111
]
enc = v6
key = list('BKctf2023'.lower().encode())
# Byte 0 is only XORed with the first key byte.
ls = [ord('b') ^ 46]
for i in range(1, len(enc)):
    # Undo the addition of the previous (already recovered) byte, then undo the key XOR.
    v10 = (enc[i] - ls[i - 1]) & 0xff
    v10 ^= key[i % len(key)]
    ls.append(v10)
print(bytes(ls))
Flag: BKSEC{Lua_len_fl@g,Long_nang_lang_lang}
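To check the inverse step used above on a round trip, here is the checker's byte-chaining scheme written as a forward transform plus its inverse. This is an added example, not code from the challenge or the original writeup; the function names and sample plaintext are my own, while the key "bkctf2023" and the first three buffer bytes (46, 106, 119) come from the solve script.

```python
# Added example: forward transform of the Lua checker and its inverse.
# Assumption: the checker XORs each input byte with the repeating key and
# then adds the previous *plaintext* byte mod 256 (byte 0 is only XORed),
# which is exactly what the solve script above undoes.
KEY = b"bkctf2023"


def checker_transform(plain: bytes, key: bytes = KEY) -> list:
    """Forward direction: key XOR, then add the previous plaintext byte."""
    out = []
    for i, p in enumerate(plain):
        v = p ^ key[i % len(key)]
        if i > 0:
            v = (v + plain[i - 1]) & 0xFF
        out.append(v)
    return out


def checker_inverse(enc, key: bytes = KEY) -> bytes:
    """Inverse direction, as in the solve script: subtract the previously
    recovered plaintext byte, then undo the key XOR."""
    ls = [enc[0] ^ key[0]]
    for i in range(1, len(enc)):
        v = (enc[i] - ls[i - 1]) & 0xFF
        ls.append(v ^ key[i % len(key)])
    return bytes(ls)


def roundtrip_ok(plain: bytes) -> bool:
    """True when encoding then decoding returns the original bytes."""
    return checker_inverse(checker_transform(plain)) == plain


if __name__ == "__main__":
    # The first three bytes of the buffer in the writeup decode to "Lua".
    print(checker_inverse([46, 106, 119]))      # constructed check on page data
    print(roundtrip_ok(b"Lua_len_fl@g"))        # constructed sample plaintext
```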
Reality
This time the challenge gives a PE file. Running it in a VM, it is still a simple flag checker.
Decompiling it with IDA, it also looked quite simple:
Read input -> do something -> compare with the encrypted flag.
However, when I debugged it, it did not really behave that way:
At 0x4012d3, instead of jumping to the left branch (the main execution flow), it jumps to the other branch and raises an exception -> there is definitely an anti-debug check.
However, we do not need to care much about this anti-debug check; we only need to put the program back on the original execution flow by adjusting EIP.
This part is also quite simple: it uses the key "BKSEECCCC !!! " and XORs it with a buffer that is built right after:
Okay, from here we only need to XOR it back to get the flag:
from pwn import xor
# Buffer the program builds after the anti-debug check (copied from the debugger).
x = b'\x00\x00\x00\x00\x068&w0X~B*\x7f?)\x1a!67\x1cUI\x120x\x0c(007\x1c!\x12~R-&`\x1a$-7r\x1cEDC7,lz8'
# pwntools' xor repeats the key over the whole buffer.
k = b'BKSEECCCC!!!'
print(xor(x, k))
Flag: BKSEC{e4sy_ch4ll_but_th3r3_must_b3_som3_ant1_debug??}
Baby Stack
This challenge is a simple VM, but this time, because the program is quite small, I did not really need to write a disassembler; I debugged it and pulled the flag out directly:
This is the program's main function; it simply does the following:
Initialize the opcodes and the program
Use fgets to read the flag with length = 20
Loop to execute each instruction
Since I knew it was quite simple, and as I said from the start I was not going to write a disassembler, I set a breakpoint at every instruction handler:
The instructions are also quite easy to reverse: there are 2 types, word and byte, and all of them operate on one shared stack through the stack_pointer that I defined.
After a bit of debugging, I saw that the program does the following:
push one word, call it a; its value is 0xC0D
push 8 and use shift right; the purpose is to get the low_byte of a: a>>8
push one word, call it b; the first time its value is 0x2238
push 0xff00 and use and to get the high_byte of this word: b&0xff00
add the 2 values above together into a new word: (a>>8) + (b&0xff00)
push word (2 bytes of the input)
xor the number just computed with the input: ((a>>8) + (b&0xff00))^inp
The simple thing to do now is to grab the value right before the xor and the value at the cmp; xoring them back gives 2 characters of the flag:
Okay, I tried a few more rounds and it was the same every time, so from here it is just a matter of repeating the process a few more times to get the whole flag; it is quick.
Flag: BKSEC{C0nGratul4t31}
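As an added example (not code from the challenge binary or the original writeup), here is a minimal stack VM that replays the per-round instruction sequence described above on the page's constants a = 0xC0D and b = 0x2238, and then inverts the final xor to recover two flag characters from the value the program compares against. The opcode names, the little-endian packing of the input word and the compare constant (derived from the known first two flag bytes) are my assumptions.

```python
# Added example: a toy 16-bit stack machine for the Baby Stack round.
# Assumptions: opcode names are invented, the input word is the next two
# input bytes packed little-endian, and the compare constant is constructed
# from the known flag prefix "BK" rather than read from the binary.
import struct


def run_vm(program, inp_word):
    """Execute (op, operand) tuples on a shared stack and return the stack."""
    stack = []
    for op, arg in program:
        if op == "push_word":
            stack.append(arg & 0xFFFF)
        elif op == "push_byte":
            stack.append(arg & 0xFF)
        elif op == "push_input":
            stack.append(inp_word & 0xFFFF)
        elif op == "shr":                       # pop count, then value
            n, v = stack.pop(), stack.pop()
            stack.append(v >> n)
        elif op in ("and", "add", "xor"):       # pop two operands
            y, x = stack.pop(), stack.pop()
            r = {"and": x & y, "add": (x + y) & 0xFFFF, "xor": x ^ y}[op]
            stack.append(r)
        else:
            raise ValueError(f"unknown op {op}")
    return stack


def round_program(a, b):
    """The sequence observed per round: ((a>>8) + (b&0xff00)) ^ inp."""
    return [("push_word", a), ("push_byte", 8), ("shr", None),
            ("push_word", b), ("push_word", 0xFF00), ("and", None),
            ("add", None), ("push_input", None), ("xor", None)]


def pre_xor_value(a, b):
    """Top of stack just before the xor with the input word."""
    return run_vm(round_program(a, b)[:-2], 0)[-1]


def recover_chars(pre_xor, cmp_value):
    """Invert the xor: the expected input word is pre_xor ^ cmp_value."""
    return struct.pack("<H", pre_xor ^ cmp_value).decode("latin-1")


def first_round_demo():
    """Round 1 with the page's constants; returns (pre_xor, cmp, chars)."""
    a, b = 0x0C0D, 0x2238
    inp = struct.unpack("<H", b"BK")[0]                  # constructed input
    cmp_value = run_vm(round_program(a, b), inp)[-1]     # constructed constant
    pre = pre_xor_value(a, b)
    return pre, cmp_value, recover_chars(pre, cmp_value)
```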