CTF Re&&Pwn

35c3_Re

2019-01-01  本文已影响3人  Kirin_say

0x01 0pack

./0pack.elf
ps -ef|grep 0pack.elf
gdb attach
while input:
   0x55561c698a28    movzx  eax, byte ptr [rbp - 0x80]  ;get input
   0x55561c698a2c    mov    byte ptr [rbp - 0x82], al   ;store input[0]
   0x55561c698a32    mov    rax, r15
   0x55561c698a35    add    rax, 0x12475  ;RAX  0x55561c698475 ◂— push   rsp /* 0x67657265645f4d54 */
   0x55561c698a3b    movzx  eax, byte ptr [rax]
   0x55561c698a3e    mov    byte ptr [rbp - 0x81], al
   0x55561c698a44    movzx  eax, byte ptr [rbp - 0x82]
   0x55561c698a4b    cmp    al, byte ptr [rbp - 0x81]  ;cmp input&*0x55561c698475
   0x55561c698a51    jne    0x55561c698a61

pwndbg> x/10xg 0x55561c698475
0x55561c698475: 0x67657265645f4d54  0x434d547265747369
0x55561c698485: 0x6c626154656e6f6c  0x725f4d54495f0065
0x55561c698495: 0x5472657473696765  0x6154656e6f6c434d
0x55561c6984a5: 0x5f764a5f00656c62  0x7265747369676552
0x55561c6984b5: 0x0073657373616c43  0x735f6362696c5f5f


>>> from pwn import *
>>> p64(0x67657265645f4d54)+p64(0x434d547265747369)+p64(0x6c626154656e6f6c)+p64(0x725f4d54495f0065)
'TM_deregisterTMCloneTable\x00_ITM_r'

this is wrong
本以为直接是这串字符串,不过动态调试发现比较字符并不连续
为了方便直接ida动态提取一下字符

debug with ida:

 v29 = __readfsqword(0x28u);
  v3 = 1;
  v18 = 'ap tupnI';
  v19 = ' :drowss';
  v20 = 0;
  printf("%s", &v18, a1);
  fgets(&s, 15, stdin);
  putchar(10);
  if ( s != a2[74869] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v5 != a2[74968] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v6 != a2[74298] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v7 != a2[74319] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v8 != a2[74868] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v9 != a2[74319] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v10 != a2[74664] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v11 != a2[74869] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v12 != a2[74874] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v13 != a2[74298] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v14 != a2[74309] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v15 != a2[74954] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v16 != a2[74792] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v17 != a2[74968] || (unsigned __int8)wrong() )
    v3 = 0;
  if ( v3 )
  {
    v21 = '��_��� (';
    v22 = '��� (\n)�';
    v23 = '��>)���_';
    v24 = '���-����';
    v25 = '��␌�(\n';
    v26 = 'uf )���_';
    v27 = '!haey kc';
    v28 = 10;
  }
  else
  {
    v21 = -5557406242697676991LL;
    LODWORD(v22) = -1293918304;
    WORD2(v22) = 2720;
    BYTE6(v22) = 0;
  }
  printf("%s", &v21);
  return 0LL;
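# The 14 bytes the password is compared against, in input order
# (read out with the IDA debugger from the a2[...] bytes used by the
# checks above; the fgets(&s, 15, stdin) call limits the input to 14 chars).
key = [0x54, 0x68, 0x69, 0x73, 0x49, 0x73, 0x41, 0x54, 0x72, 0x69, 0x75, 0x6d, 0x70, 0x68]
# One join instead of repeated `+=` concatenation; print() with a single
# argument behaves the same on Python 2 and Python 3, unlike `print flag`.
flag = "".join(chr(b) for b in key)
print(flag)
# ThisIsATriumph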

something wrong:
类似一个利用CPU处理指令的速度来反调试的过程
可是当我正常输入也会错误,不知道是不是我的环境问题(例如在虚拟机里 cpuid 可能会陷入 hypervisor,使 wrong() 里测得的平均周期数超过 0x3E7 的阈值),或者有细节没注意到
提交平台关了,没办法验证。这题就到这里

wrong():
/*
 * Timing-based anti-debug check (decompiler output, comments added).
 * Takes 10 samples of the rdtsc delta around a cpuid (sub_5627FBABD8E0),
 * averages them, and reports "wrong" when the average exceeds 0x3E7 (999)
 * cycles or is zero.  Each password character comparison above ORs this
 * result in, so anything that slows cpuid down -- single-stepping,
 * breakpoints, or a hypervisor trapping the instruction -- fails the
 * check even when the input itself is correct.
 */
_BOOL8 wrong()
{
  signed int i; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v3; // [rsp+8h] [rbp-8h]  running sum of the 10 samples
  unsigned __int64 v4; // [rsp+8h] [rbp-8h]  v3 / 10

  v3 = 0LL;
  for ( i = 0; i <= 9; ++i )
  {
    v3 += sub_5627FBABD8E0(); // cycles spent across one cpuid
    sleep(0); // yields the CPU between samples
  }
  // Compiler idiom for unsigned division by 10:
  // high64(v3 * 0xCCCCCCCCCCCCCCCD) >> 3 == v3 / 10.
  v4 = (unsigned __int64)(0xCCCCCCCCCCCCCCCDLL * (unsigned __int128)v3 >> 64) >> 3;
  return v4 > 0x3E7 || !v4;
}

sub_5627FBABD8E0():
/*
 * One timing sample for wrong(): the rdtsc difference measured across a
 * single cpuid (leaf 0, since RAX is zeroed first).  cpuid is typically
 * much slower under a hypervisor or a debugger stepping the code, which
 * is what the 0x3E7 threshold in wrong() is keyed on.
 */
unsigned __int64 sub_5627FBABD8E0()
{
  unsigned __int64 v0; // ST08_8  timestamp counter before cpuid

  v0 = __rdtsc();
  _RAX = 0LL;
  __asm { cpuid }
  return __rdtsc() - v0;
}

0x02 box of blink

35C3
#Model,MDO3014
#Firmware Version,1.26
#
#Waveform Type,DIGITAL,,,,,,,,,,,,,
#Point Format,Y,,,,,,,,,,,,,
#Horizontal Units,s,,,,,,,,,,,,,
#Horizontal Scale,0.004,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#Sample Interval,4e-09,,,,,,,,,,,,,
#Record Length,1e+07,,,,,,,,,,,,,
#Gating,0.0% to 100.0%,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#Vertical Units,V,V,V,V,V,V,V,V,V,V,V,V,V,V
#Threshold Used,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65,1.65
#,,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#,,,,,,,,,,,,,,
#Label,OE,LAT,CLK,E,D,C,B,A,B2,B1,G2,G1,R2,R1
#TIME,D13,D12,D11,D10,D9,D8,D7,D6,D5,D4,D3,D2,D1,D0
-1.0000000e-03,0,0,0,0,1,0,0,0,0,0,0,1,0,1
-9.9999600e-04,0,0,0,0,1,0,0,0,0,0,0,1,0,1
-9.9999200e-04,0,0,0,0,1,0,0,0,0,0,0,1,0,1
......#data~

MDO3014型示波器&&RGB LED Matrix

Label,OE,LAT,CLK,E,D,C,B,A,B2,B1,G2,G1,R2,R1

Google相似的引脚定义:

Label   Name    Function
1   DR1 High R data
2   DG1 High G data
3   DB1 High B data
4   GND GND
5   DR2 Low R data
6   DG2 Low G data
7   DB2 Low B data
8   GND GND
9   A   A line selection
10  B   B line selection
11  C   C line selection
12  D   D line selection
13  CLK CLOCK
14  LAT LATCH
15  OE  Output Enable
16  GND GND

很显然是要通过给出的数据还原一个LED组成的图案:
找了一个32x32的文档:

https://cdn-learn.adafruit.com/downloads/pdf/32x16-32x32-rgb-led-matrix.pdf

主要看到:

CLK:The CLK (clock) signal marks the arrival of each bit of
data.#应该是上升沿触发
OE:OE (output enable) switches the LEDs off when
transitioning from one row to the next.
LAT:The LAT (latch) signal marks the end of a row of
data
Upper RGB Data:Pins R1, G1 and B1 (labeled R0, B0 and G0 on some
matrices) deliver data to the top half of the display.
Lower RGB Data:Pins R2, G2 and B2 (labeled R1, G1 and B1 on some
matrices) deliver data to the bottom half of the display.
Row Select Lines:Pins A, B, C and D select which two rows of the display
are currently lit. (32x16 matrices don’t have a “D” pin —
it’s connected to ground instead.)

按照数据格式和引脚定义解出图案:

from PIL import Image

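MAX = 128
# Canvas in pixels: every LED is drawn as a 10x10 block.  The width holds
# 128 LED columns; the height holds 640 LED rows, i.e. ten stacked 64-row
# frames (32 row addresses, each driving an upper and a lower half).
pic = Image.new("RGB", (MAX * 10, MAX * 5 * 10))


def _level(bit):
    """Map a captured data bit ('0'/'1') to an 8-bit channel value.

    '1' -> 255 and '0' -> 0, using the same (256 - b) % 256 arithmetic as
    the original decode so any other value maps identically.
    """
    return (256 - int(bit)) % 256


# One entry per capture sample: OE/LAT/CLK as '0'/'1' strings, the 5-bit
# row address built from E,D,C,B,A (columns 4..8), and the (R,G,B) colour
# for the upper (R1,G1,B1) and lower (R2,G2,B2) half of the panel.  The
# colour columns end each line in the order B2,B1,G2,G1,R2,R1.
oe, lat, clk, row, color1, color2 = [], [], [], [], [], []
with open("./blink.csv", "r") as f:
    for line in f:
        line = line.strip()
        # The scope export starts with '#'-prefixed header lines
        # (#Model, #Label, #TIME, ...); they carry no samples and would
        # otherwise fail on data[4] / int(..., 2).
        if not line or line.startswith("#"):
            continue
        data = line.split(",")
        oe.append(data[1])
        lat.append(data[2])
        clk.append(data[3])
        row.append(int(data[4] + data[5] + data[6] + data[7] + data[8], 2))
        color1.append((_level(data[-1]), _level(data[-3]), _level(data[-5])))
        color2.append((_level(data[-2]), _level(data[-4]), _level(data[-6])))

# Sample indices of each LAT rising edge: a latch ends one row of shifted
# data, so consecutive entries bracket the samples of one row.
end = [0]
for i in range(len(lat) - 1):
    if lat[i] == '0' and lat[i + 1] == '1':
        end.append(i + 1)
# Close the last segment at the actual capture length rather than the
# hard-coded 1e7 record length, so a truncated export still decodes.
end.append(len(lat))

pic_x = 0
pic_y = 0   # rows latched so far
blink = 0   # frame counter: 32 latched rows == one full refresh of the panel
for i in range(len(end) - 1):
    start, stop = end[i], end[i + 1]
    # Data is shifted in on the rising edge of CLK; record the row address
    # and both half-panel colours present at each edge.  Indexing the
    # lists directly avoids copying a slice of the capture per row.
    draw = []
    for j in range(start, stop - 1):
        if clk[j] == '0' and clk[j + 1] == '1':
            draw.append((row[j], color1[j], color2[j]))
    pic_x = 0
    for r, upper, lower in draw:
        top = (blink * 64 + r) * 10          # upper half: rows 0..31 of this frame
        bottom = (blink * 64 + r + 32) * 10  # lower half: rows 32..63 of this frame
        for k in range(10):
            x = pic_x * 10 + k
            for h in range(10):
                # putpixel's documented coordinate argument is an (x, y)
                # tuple; a list is not guaranteed to be accepted.
                pic.putpixel((x, top + h), upper)
                pic.putpixel((x, bottom + h), lower)
        pic_x += 1
    pic_y += 1
    if pic_y % 32 == 0:
        blink += 1
pic.show()
pic.save("flag.png")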
flag

未完待续(突然有事)


