2020 第十三届全国大学生信息安全竞赛Misc&RE部分wp
Misc
电脑被黑
先binwalk一下,得到
0 0x0 Linux EXT filesystem, rev 1.0, ext3 filesystem data, UUID=4a3914c4-f9c1-4ec7-b682-c5554ce24ce2
225280 0x37000 Linux EXT filesystem, rev 1.0, ext3 filesystem data, UUID=4a3914c4-f9c1-4ec7-b682-c5554ce24ce2
235520 0x39800 Linux EXT filesystem, rev 1.0, ext3 filesystem data, UUID=4a3914c4-f9c1-4ec7-b682-c5554ce24ce2
254976 0x3E400 Linux EXT filesystem, rev 1.0, ext3 filesystem data, UUID=4a3914c4-f9c1-4ec7-b682-c5554ce24ce2
8388608 0x800000 Linux EXT filesystem, rev 1.0, ext3 filesystem data, UUID=4a3914c4-f9c1-4ec7-b682-c5554ce24ce2
8919040 0x881800 PNG image, 1016 x 1016, 8-bit/color RGBA, non-interlaced
8919102 0x88183E Zlib compressed data, default compression
8935424 0x885800 ELF, 64-bit LSB executable, AMD x86-64, version 1 (SYSV)
用ext3grep走一遍流程
ext3grep disk_dump --ls --inode 2
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 2
Loading group metadata... done
Minimum / maximum journal block: 215 / 1244
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1590570902 = Wed May 27 17:15:02 2020
Number of descriptors in journal: 28; min / max sequence numbers: 5 / 12
Inode is Allocated
Loading disk_dump.ext3grep.stage2... done
The first block of the directory is 201.
Inode 2 is directory "".
Directory block 201:
.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
| .-- D: Deleted ; R: Reallocated
Indx Next | Inode | Deletion time Mode File name
==========+==========+----------------data-from-inode------+-----------+=========
0 1 d 2 drwxr-xr-x .
1 2 d 2 drwxr-xr-x ..
2 3 d 11 drwx------ lost+found
3 4 d 1257 drwxr-xr-x misc01
4 end d 1263 drwx------ .Trash-0
右键打开压缩包,翻到目录.Trash-0\info中查看到删除文件的信息:
[Trash Info]
Path=misc01/flag.txt
DeletionDate=2020-05-27T17:14:18
继续恢复
ext3grep disk_dump --restore-file misc01/flag.txt
Running ext3grep version 0.10.2
WARNING: I don't know what EXT3_FEATURE_COMPAT_EXT_ATTR is.
Number of groups: 2
Minimum / maximum journal block: 215 / 1244
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1590570902 = Wed May 27 17:15:02 2020
Number of descriptors in journal: 28; min / max sequence numbers: 5 / 12
Writing output to directory RESTORED_FILES/
Loading disk_dump.ext3grep.stage2... done
Restoring misc01/flag.txt
恢复出被删除的文件flag.txt,打开后发现是乱码,怀疑文件已被加密。misc01目录中还有一个可疑文件demo,将其提取出来后用Detect It Easy分析,发现是64位ELF。
拖入IDA64,整个文件很简单,主要加密函数就在main。
/* Encryption loop recovered from main() of the extracted "demo" ELF.
 * Each byte is read from v7, combined with two running counters and
 * written to `stream`.  fputc() stores only the low byte of its argument,
 * so the file holds (v4 ^ (v5 + in)) & 0xff for every input byte. */
while ( 1 )
{
v6 = fgetc(v7);
if ( v6 == -1 )
break;
/* out = v4 ^ (v5 + in): v4 acts as the XOR key, v5 as a small additive offset. */
fputc(v4 ^ (v5 + v6), stream);
v4 += 34;   /* key advances by a fixed step each byte */
v5 = (v5 + 2) & 15;   /* offset stays within 0..15 */
}
根据加密函数反写解密脚本。
#include <stdio.h>
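/*
 * Decrypt a file produced by the "demo" binary's loop:
 *
 *     out = v4 ^ (v5 + in);  v4 += 34;  v5 = (v5 + 2) & 15;
 *
 * fputc() keeps only the low byte of its argument, so every output byte
 * depends solely on the low 8 bits of v4, v5 and the plaintext byte.  The
 * step is therefore invertible directly, in = ((out ^ v4) - v5) & 0xff,
 * and the per-byte search over 0..9999 in the original script is not needed.
 *
 * Usage: decrypt [ciphertext-file]
 *   Without an argument the original hard-coded path is used.
 * Returns 0 on success, 1 when the input file cannot be opened.
 */
int main(int argc, char **argv)
{
    /* Default path kept so running with no arguments behaves as before. */
    const char *path = argc > 1 ? argv[1] : "E:\\Clion document\\C\\flag.txt";
    FILE *in = fopen(path, "rb");
    if (in == NULL) {
        perror(path);  /* the original script passed a NULL FILE* to fgetc() on failure */
        return 1;
    }

    unsigned key = 34;   /* v4 in the decompiled loop */
    unsigned shift = 0;  /* v5 in the decompiled loop */
    int c;
    while ((c = fgetc(in)) != EOF) {
        /* Invert out = key ^ (shift + in); the mask makes the arithmetic modulo 256,
         * which is all fputc() ever preserved on the encryption side. */
        unsigned plain = ((unsigned)c ^ key) - shift;
        putchar((int)(plain & 0xffu));
        key = (key + 34) & 0xffu;  /* only the low byte of the key can reach the output */
        shift = (shift + 2) & 15u;
    }

    fclose(in);
    return 0;
}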
得到
flag{e5d7c4ed-b8f6-4417-8317-b809fc26c047}
RE
z3
拖入detect it easy,查看到是64位文件,拖入到IDA64中
程序很简单,就是输入42个字符后进行一系列运算,接着与Dst一一对比
// Input and check routine recovered from the z3 challenge binary.
// NOTE: "%42s" stores up to 42 characters plus a terminating NUL (43 bytes)
// starting at &v46; whether the stack layout of v46..v87 leaves room for
// the terminator is not visible in this excerpt.
printf("plz input your flag:");
scanf("%42s", &v46);
// The 42 characters are consumed in six groups of seven (v46..v52,
// v53..v59, ..., v81..v87).  Every group is fed through the same seven
// linear forms, so the coefficients repeat every seven lines; the seventh
// form of each group carries no term for the group's fifth character.
v4 = 34 * v49 + 12 * v46 + 53 * v47 + 6 * v48 + 58 * v50 + 36 * v51 + v52;
v5 = 27 * v50 + 73 * v49 + 12 * v48 + 83 * v46 + 85 * v47 + 96 * v51 + 52 * v52;
v6 = 24 * v48 + 78 * v46 + 53 * v47 + 36 * v49 + 86 * v50 + 25 * v51 + 46 * v52;
v7 = 78 * v47 + 39 * v46 + 52 * v48 + 9 * v49 + 62 * v50 + 37 * v51 + 84 * v52;
v8 = 48 * v50 + 14 * v48 + 23 * v46 + 6 * v47 + 74 * v49 + 12 * v51 + 83 * v52;
v9 = 15 * v51 + 48 * v50 + 92 * v48 + 85 * v47 + 27 * v46 + 42 * v49 + 72 * v52;
v10 = 26 * v51 + 67 * v49 + 6 * v47 + 4 * v46 + 3 * v48 + 68 * v52;
v11 = 34 * v56 + 12 * v53 + 53 * v54 + 6 * v55 + 58 * v57 + 36 * v58 + v59;
v12 = 27 * v57 + 73 * v56 + 12 * v55 + 83 * v53 + 85 * v54 + 96 * v58 + 52 * v59;
v13 = 24 * v55 + 78 * v53 + 53 * v54 + 36 * v56 + 86 * v57 + 25 * v58 + 46 * v59;
v14 = 78 * v54 + 39 * v53 + 52 * v55 + 9 * v56 + 62 * v57 + 37 * v58 + 84 * v59;
v15 = 48 * v57 + 14 * v55 + 23 * v53 + 6 * v54 + 74 * v56 + 12 * v58 + 83 * v59;
v16 = 15 * v58 + 48 * v57 + 92 * v55 + 85 * v54 + 27 * v53 + 42 * v56 + 72 * v59;
v17 = 26 * v58 + 67 * v56 + 6 * v54 + 4 * v53 + 3 * v55 + 68 * v59;
v18 = 34 * v63 + 12 * v60 + 53 * v61 + 6 * v62 + 58 * v64 + 36 * v65 + v66;
v19 = 27 * v64 + 73 * v63 + 12 * v62 + 83 * v60 + 85 * v61 + 96 * v65 + 52 * v66;
v20 = 24 * v62 + 78 * v60 + 53 * v61 + 36 * v63 + 86 * v64 + 25 * v65 + 46 * v66;
v21 = 78 * v61 + 39 * v60 + 52 * v62 + 9 * v63 + 62 * v64 + 37 * v65 + 84 * v66;
v22 = 48 * v64 + 14 * v62 + 23 * v60 + 6 * v61 + 74 * v63 + 12 * v65 + 83 * v66;
v23 = 15 * v65 + 48 * v64 + 92 * v62 + 85 * v61 + 27 * v60 + 42 * v63 + 72 * v66;
v24 = 26 * v65 + 67 * v63 + 6 * v61 + 4 * v60 + 3 * v62 + 68 * v66;
v25 = 34 * v70 + 12 * v67 + 53 * v68 + 6 * v69 + 58 * v71 + 36 * v72 + v73;
v26 = 27 * v71 + 73 * v70 + 12 * v69 + 83 * v67 + 85 * v68 + 96 * v72 + 52 * v73;
v27 = 24 * v69 + 78 * v67 + 53 * v68 + 36 * v70 + 86 * v71 + 25 * v72 + 46 * v73;
v28 = 78 * v68 + 39 * v67 + 52 * v69 + 9 * v70 + 62 * v71 + 37 * v72 + 84 * v73;
v29 = 48 * v71 + 14 * v69 + 23 * v67 + 6 * v68 + 74 * v70 + 12 * v72 + 83 * v73;
v30 = 15 * v72 + 48 * v71 + 92 * v69 + 85 * v68 + 27 * v67 + 42 * v70 + 72 * v73;
v31 = 26 * v72 + 67 * v70 + 6 * v68 + 4 * v67 + 3 * v69 + 68 * v73;
v32 = 34 * v77 + 12 * v74 + 53 * v75 + 6 * v76 + 58 * v78 + 36 * v79 + v80;
v33 = 27 * v78 + 73 * v77 + 12 * v76 + 83 * v74 + 85 * v75 + 96 * v79 + 52 * v80;
v34 = 24 * v76 + 78 * v74 + 53 * v75 + 36 * v77 + 86 * v78 + 25 * v79 + 46 * v80;
v35 = 78 * v75 + 39 * v74 + 52 * v76 + 9 * v77 + 62 * v78 + 37 * v79 + 84 * v80;
v36 = 48 * v78 + 14 * v76 + 23 * v74 + 6 * v75 + 74 * v77 + 12 * v79 + 83 * v80;
v37 = 15 * v79 + 48 * v78 + 92 * v76 + 85 * v75 + 27 * v74 + 42 * v77 + 72 * v80;
v38 = 26 * v79 + 67 * v77 + 6 * v75 + 4 * v74 + 3 * v76 + 68 * v80;
v39 = 34 * v84 + 12 * v81 + 53 * v82 + 6 * v83 + 58 * v85 + 36 * v86 + v87;
v40 = 27 * v85 + 73 * v84 + 12 * v83 + 83 * v81 + 85 * v82 + 96 * v86 + 52 * v87;
v41 = 24 * v83 + 78 * v81 + 53 * v82 + 36 * v84 + 86 * v85 + 25 * v86 + 46 * v87;
v42 = 78 * v82 + 39 * v81 + 52 * v83 + 9 * v84 + 62 * v85 + 37 * v86 + 84 * v87;
v43 = 48 * v85 + 14 * v83 + 23 * v81 + 6 * v82 + 74 * v84 + 12 * v86 + 83 * v87;
v44 = 15 * v86 + 48 * v85 + 92 * v83 + 85 * v82 + 27 * v81 + 42 * v84 + 72 * v87;
v45 = 26 * v86 + 67 * v84 + 6 * v82 + 4 * v81 + 3 * v83 + 68 * v87;
// Compare the 42 results with the expected table Dst.  The pointer walk
// *(&v4 + i) relies on v4..v45 being laid out contiguously on the stack.
for ( i = 0; i <= 41; ++i )
{
if ( *(&v4 + i) != Dst[i] )
{
printf("error");
exit(0);
}
}
printf("win");
先用脚本把Dst中的42个值提取出来,然后直接用z3求解这个线性方程组
from z3 import *
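# Expected values dumped from Dst[0..41] in the binary.
dist = [20247, 40182, 36315, 36518, 26921, 39185, 16546, 12094, 25270, 19330, 18540, 16386, 21207, 11759, 10460, 25613, 21135, 24891, 18305, 27415, 12855,
        10899, 24927, 20670, 22926, 18006, 23345, 12602, 12304, 26622, 19807, 22747, 14233, 24736, 10064, 14169, 35155, 28962, 33273, 21796, 35185, 14877]

# The binary consumes the 42 input characters v46..v87 in six groups of seven
# and pushes every group through the same seven linear forms.  COEF[r][k] is
# the multiplier of the k-th character of a group in the r-th form; the last
# form has no term for the fifth character, hence the 0.
COEF = [
    [12, 53,  6, 34, 58, 36,  1],
    [83, 85, 12, 73, 27, 96, 52],
    [78, 53, 24, 36, 86, 25, 46],
    [39, 78, 52,  9, 62, 37, 84],
    [23,  6, 14, 74, 48, 12, 83],
    [27, 85, 92, 42, 48, 15, 72],
    [ 4,  6,  3, 67,  0, 26, 68],
]
GROUP = 7
NCHARS = 42

# Keep the decompiler's names so the model prints as "v46 = ..." etc.
chars = [Int('v%d' % (46 + i)) for i in range(NCHARS)]

# Equation g*7 + r ties dist[g*7 + r] to the r-th form over group g.
constraints = []
for g in range(NCHARS // GROUP):
    block = chars[g * GROUP:(g + 1) * GROUP]
    for r, row in enumerate(COEF):
        lhs = sum(c * x for c, x in zip(row, block))
        constraints.append(dist[g * GROUP + r] == lhs)

solve(*constraints)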
得到
v84 = 54
v65 = 52
v63 = 57
v74 = 45
v47 = 108
v62 = 98
v81 = 97
v64 = 45
v48 = 97
v51 = 55
v58 = 51
v53 = 49
v49 = 103
v55 = 49
v57 = 52
v67 = 49
v54 = 55
v70 = 57
v69 = 45
v56 = 100
v86 = 56
v72 = 48
v60 = 54
v78 = 52
v68 = 56
v79 = 99
v75 = 54
v46 = 102
v77 = 49
v76 = 101
v50 = 123
v61 = 51
v71 = 57
v82 = 102
v83 = 101
v85 = 52
v87 = 125
v80 = 50
v73 = 101
v66 = 101
v59 = 45
v52 = 101
转成字符
# Solver output for v46..v87, listed in flag order (v46 is the first character).
v46 = 102
v47 = 108
v48 = 97
v49 = 103
v50 = 123
v51 = 55
v52 = 101
v53 = 49
v54 = 55
v55 = 49
v56 = 100
v57 = 52
v58 = 51
v59 = 45
v60 = 54
v61 = 51
v62 = 98
v63 = 57
v64 = 45
v65 = 52
v66 = 101
v67 = 49
v68 = 56
v69 = 45
v70 = 57
v71 = 57
v72 = 48
v73 = 101
v74 = 45
v75 = 54
v76 = 101
v77 = 49
v78 = 52
v79 = 99
v80 = 50
v81 = 97
v82 = 102
v83 = 101
v84 = 54
v85 = 52
v86 = 56
v87 = 125

# Turn the 42 ordinals back into the flag text, one character per variable.
ordinals = [v46, v47, v48, v49, v50, v51, v52,
            v53, v54, v55, v56, v57, v58, v59,
            v60, v61, v62, v63, v64, v65, v66,
            v67, v68, v69, v70, v71, v72, v73,
            v74, v75, v76, v77, v78, v79, v80,
            v81, v82, v83, v84, v85, v86, v87]
print(''.join(map(chr, ordinals)))
得到
flag{7e171d43-63b9-4e18-990e-6e14c2afe648}