Idaapi on PseudorandomDog's Blog https://binarydog.top/tags/idaapi/ Recent content in Idaapi on PseudorandomDog's Blog Hugo zh-CN Fri, 21 Jul 2023 00:00:00 +0000 AmateursCTF2023 RE Writeup https://binarydog.top/posts/ctf/amateursctf2023-re-writeup/ Fri, 21 Jul 2023 00:00:00 +0000 https://binarydog.top/posts/ctf/amateursctf2023-re-writeup/ <p>大部分比较水,有几题有点价值,所以贴一下</p> <h2 class="heading" id="volcano"> volcano <a class="anchor" href="#volcano">#</a> </h2> <pre tabindex="0"><code>Inspired by recent &#34;traumatic&#34; events. nc amt.rs 31010 </code></pre><p>过关要求输入 b, v, p 使得:</p> <ol> <li>b % 22890 == 18476</li> <li>17 &lt;= binary_ones(v) &lt;= 26</li> <li>p % 2 == 1</li> <li>digit_len(b) == digit_len(v)</li> <li>digit_sum(b) == digit_sum(v)</li> <li>4919^b % p == 4919^v % p</li> </ol> <p>建立 z3 方程组并爆破条件 2,取条件 4 的十进制长度为 10</p> <p>这个模板也可以用来排除 z3 的多解</p> <div class="highlight"><pre tabindex="0" style="color:#abb2bf;background-color:#282c34;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">fn</span>(<span style="color:#e06c75">m</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">n</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">m</span>[<span style="color:#e06c75">vv</span>]<span style="color:#56b6c2">.</span><span style="color:#e06c75">as_long</span>() </span></span><span style="display:flex;"><span> <span style="color:#e06c75">cnt</span><span style="color:#56b6c2">=</span><span style="color:#d19a66">0</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">while</span> <span style="color:#e06c75">n</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">n</span><span style="color:#56b6c2">&amp;=</span>(<span style="color:#e06c75">n</span><span style="color:#56b6c2">-</span><span style="color:#d19a66">1</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">cnt</span><span style="color:#56b6c2">+=</span><span style="color:#d19a66">1</span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#98c379">f</span><span style="color:#98c379">&#34;Tried </span><span style="color:#98c379">{</span><span style="color:#e06c75">m</span>[<span style="color:#e06c75">vv</span>]<span style="color:#56b6c2">.</span><span style="color:#e06c75">as_long</span>()<span style="color:#98c379">=}</span><span style="color:#98c379">, </span><span style="color:#98c379">{</span><span style="color:#e06c75">cnt</span><span style="color:#98c379">=}</span><span style="color:#98c379">&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">return</span> <span style="color:#e06c75">cnt</span><span style="color:#56b6c2">&gt;</span><span style="color:#d19a66">16</span> <span style="color:#56b6c2">and</span> <span style="color:#e06c75">cnt</span><span style="color:#56b6c2">&lt;=</span><span style="color:#d19a66">26</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">z3gen</span>(<span style="color:#e06c75">conds</span>,<span style="color:#e06c75">fn</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">s</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">z3</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Solver</span>() </span></span><span style="display:flex;"><span> <span style="color:#e06c75">s</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">add</span>(<span style="color:#e06c75">conds</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">result</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">s</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">check</span>() </span></span><span style="display:flex;"><span> <span style="color:#c678dd">while</span> <span style="color:#e06c75">result</span><span style="color:#56b6c2">==</span><span style="color:#e06c75">z3</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">sat</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">m</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">s</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">model</span>() </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">fn</span>(<span style="color:#e06c75">m</span>) <span style="color:#56b6c2">is</span> <span style="color:#e5c07b">True</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">yield</span> <span style="color:#e06c75">m</span> </span></span><span style="display:flex;"><span> <span style="color:#7f848e"># exclude the previous result by &#39;AND&#39; a &#39;NOT&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#7f848e"># &#39;NOT AND&#39; is implemented by &#39;OR NEQ&#39;</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">extra</span><span style="color:#56b6c2">=</span>[<span style="color:#e06c75">var</span>()<span style="color:#56b6c2">!=</span><span style="color:#e06c75">m</span>[<span style="color:#e06c75">var</span>] <span style="color:#c678dd">for</span> <span style="color:#e06c75">var</span> <span style="color:#56b6c2">in</span> <span style="color:#e06c75">m</span>] </span></span><span style="display:flex;"><span> <span style="color:#e06c75">s</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">add</span>(<span style="color:#e06c75">z3</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Or</span>(<span style="color:#e06c75">extra</span>)) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">result</span><span style="color:#56b6c2">=</span><span style="color:#e06c75">s</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">check</span>() </span></span></code></pre></div><p>求出一组解 (b, v) = (1080403586, 9422911007)</p> ByteCTF2022 maze6d 复盘 https://binarydog.top/posts/ctf/bytectf2022-maze6d/ Sat, 01 Oct 2022 00:00:00 +0000 https://binarydog.top/posts/ctf/bytectf2022-maze6d/ <p>main 函数反编译失败,原因是撞到了 <code>__stack_chk_fail</code>,而这个函数是 <code>__noreturn</code> 的</p> <p>但是调试可以发现,<code>__stack_chk_fail</code> 的 got 项在运行时被换成了 sub_403608,这个函数就是异或 0xdeadbeef</p> <p> <figure class=""> <div class="img-container" > <img loading="lazy" alt="" src="https://binarydog.top/images/image-1764320471220.webp" > </div> </figure> </p> <p>补丁打法:<code>mov eax, xxx; xor eax, 0xdeadbeef</code>,正好也是 8 字节</p> <p>F5 可以看到平坦化,每次状态转换后都将状态变量异或 0xdeadbeef</p> <p>除了平坦化之外这题还有一个 trick:从一个偏移表中动态加载函数指针,偏移是 0x13371337</p> <p> <figure class=""> <div class="img-container" > <img loading="lazy" alt="" src="https://binarydog.top/images/image-1764320429338.webp" > </div> </figure> </p> <p>可以观察到函数指针都是预先计算出来存储的,打补丁比较容易</p> <p>唯一需要注意的是函数指针最终存储的地点,有时是寄存器,有时是栈上,这里将 add 全部换成 mov imm,忽略加载表项的 mov,存回栈上的 mov 予以保留</p> <div class="highlight"><pre tabindex="0" style="color:#abb2bf;background-color:#282c34;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">idaapi</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">ida_bytes</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">ida_ua</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">import</span> <span style="color:#e06c75">idc</span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">from</span> <span style="color:#e06c75">keystone</span> <span style="color:#c678dd">import</span> <span style="color:#e06c75">Ks</span>, <span style="color:#e06c75">KS_ARCH_X86</span>, <span style="color:#e06c75">KS_MODE_64</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#e06c75">ks</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">Ks</span>(<span style="color:#e06c75">KS_ARCH_X86</span>, <span style="color:#e06c75">KS_MODE_64</span>) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#c678dd">def</span> <span style="color:#61afef;font-weight:bold">patch_dyn_resolv</span>(<span style="color:#e06c75">fake_got</span><span style="color:#56b6c2">=</span><span style="color:#d19a66">0x6E6390</span>, <span style="color:#e06c75">off</span><span style="color:#56b6c2">=</span><span style="color:#d19a66">0x13371337</span>): </span></span><span style="display:flex;"><span> <span style="color:#e06c75">insn</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">insn_t</span>() </span></span><span style="display:flex;"><span> <span style="color:#e06c75">buffer</span> <span style="color:#56b6c2">=</span> [] </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">begin</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idc</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">read_selection_start</span>() </span></span><span style="display:flex;"><span> <span style="color:#e06c75">end</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idc</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">read_selection_end</span>() </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">ea</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">begin</span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">while</span> <span style="color:#e06c75">ea</span> <span style="color:#56b6c2">&lt;</span> <span style="color:#e06c75">end</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">decode_insn</span>(<span style="color:#e06c75">insn</span>, <span style="color:#e06c75">ea</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">mnem</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">get_canon_mnem</span>() </span></span><span style="display:flex;"><span> <span style="color:#c678dd">assert</span> <span style="color:#e06c75">mnem</span> <span style="color:#56b6c2">==</span> <span style="color:#98c379">&#34;mov&#34;</span> <span style="color:#56b6c2">or</span> <span style="color:#e06c75">mnem</span> <span style="color:#56b6c2">==</span> <span style="color:#98c379">&#34;add&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#c678dd">if</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Op2</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">type</span> <span style="color:#56b6c2">==</span> <span style="color:#e06c75">ida_ua</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">o_displ</span> <span style="color:#56b6c2">or</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Op2</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">type</span> <span style="color:#56b6c2">==</span> <span style="color:#e06c75">ida_ua</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">o_phrase</span>: </span></span><span style="display:flex;"><span> <span style="color:#c678dd">assert</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Op1</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">type</span> <span style="color:#56b6c2">==</span> <span style="color:#e06c75">ida_ua</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">o_reg</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">reg</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">get_reg_name</span>(<span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Op1</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">reg</span>, <span style="color:#d19a66">8</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">disp</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">Op2</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">addr</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">value</span> <span style="color:#56b6c2">=</span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">get_qword</span>(<span style="color:#e06c75">disp</span> <span style="color:#56b6c2">+</span> <span style="color:#e06c75">fake_got</span>) <span style="color:#56b6c2">-</span> <span style="color:#e06c75">off</span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">asm</span> <span style="color:#56b6c2">=</span> <span style="color:#98c379">f</span><span style="color:#98c379">&#34;mov </span><span style="color:#98c379">{</span><span style="color:#e06c75">reg</span><span style="color:#98c379">}</span><span style="color:#98c379">, </span><span style="color:#98c379">{</span><span style="color:#e5c07b">hex</span>(<span style="color:#e06c75">value</span>)<span style="color:#98c379">}</span><span style="color:#98c379">&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#e5c07b">print</span>(<span style="color:#e06c75">asm</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">buffer</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">extend</span>(<span style="color:#e06c75">ks</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">asm</span>(<span style="color:#e06c75">asm</span>)[<span style="color:#d19a66">0</span>]) </span></span><span style="display:flex;"><span> <span style="color:#c678dd">elif</span> <span style="color:#e06c75">mnem</span> <span style="color:#56b6c2">==</span> <span style="color:#98c379">&#34;mov&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#e06c75">buffer</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">extend</span>(<span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">get_bytes</span>(<span style="color:#e06c75">ea</span>, <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">size</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">ea</span> <span style="color:#56b6c2">+=</span> <span style="color:#e06c75">insn</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">size</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#e06c75">pb</span> <span style="color:#56b6c2">=</span> <span style="color:#e5c07b">bytes</span>(<span style="color:#e06c75">buffer</span> <span style="color:#56b6c2">+</span> (<span style="color:#e06c75">end</span> <span style="color:#56b6c2">-</span> <span style="color:#e06c75">begin</span> <span style="color:#56b6c2">-</span> <span style="color:#e5c07b">len</span>(<span style="color:#e06c75">buffer</span>)) <span style="color:#56b6c2">*</span> [<span style="color:#d19a66">0x90</span>]) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">patch_bytes</span>(<span style="color:#e06c75">begin</span> , <span style="color:#e06c75">pb</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">ida_bytes</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">del_items</span>(<span style="color:#e06c75">begin</span>, <span style="color:#e06c75">ida_bytes</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">DELIT_SIMPLE</span>, <span style="color:#e06c75">end</span> <span style="color:#56b6c2">-</span> <span style="color:#e06c75">begin</span>) </span></span><span style="display:flex;"><span> <span style="color:#e06c75">idaapi</span><span style="color:#56b6c2">.</span><span style="color:#e06c75">create_insn</span>(<span style="color:#e06c75">begin</span>, <span style="color:#e06c75">insn</span>) </span></span></code></pre></div><p>选中需要打补丁的地方,运行上述脚本,现在 main 函数可以 F5 了</p>