
2019 CISCN (National College Student Information Security Contest) Preliminary Round: PWN / Reverse Write-Up

Reverse

0x01 easyGo

hvnt3r@LAPTOP-POUA9UHC:/mnt/e/linux$ file easygo
easygo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
hvnt3r@LAPTOP-POUA9UHC:/mnt/e/linux$ ./easyGo
Please input you flag like flag{123} to judge:
flag{1212121}
Try again! Come on!

This is a Go binary. First use IDAGolangHelper to recover the function names, then locate the base64 call inside main_main. Set a breakpoint on that function and single-step in gdb; once encoding_base64__ptr_Encoding_DecodeString has returned, the decoded flag is sitting in RSI:

[----------------------------------registers-----------------------------------]
RAX: 0x2a ('*')
RBX: 0x2a ('*')
RCX: 0x0
RDX: 0x0
RSI: 0xc000098060 ("flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}")
RDI: 0x38 ('8')
RBP: 0xc000092f88 --> 0xc000092f90 --> 0x429b1c (mov eax,DWORD PTR [rip+0x16478e] # 0x58e2b0)
RSP: 0xc000092e90 --> 0xc000096580 ("6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345", '\377' <repeats 45 times>, "\005\377\377:;<=>?")
RIP: 0x4952f0 (mov rax,QWORD PTR [rsp+0x38])
R8 : 0x0
R9 : 0x0
R10: 0x2a ('*')
R11: 0x2a ('*')
R12: 0xc000098060 ("flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}")
R13: 0xc000096580 ("6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345", '\377' <repeats 45 times>, "\005\377\377:;<=>?")
R14: 0x2a ('*')
R15: 0x40 ('@')
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)

flag:

flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}
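The register dump also exposes the table the decoder is working with: R13 and RSP point at a 64-byte string "6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345", which is a shuffled base64 alphabet, and RAX/RBX/R14 hold 0x2a = 42, the length of the decoded flag. The following Go program is an added example, not code from the write-up or from the challenge; it assumes the binary built its codec with base64.NewEncoding over that alphabet with the default '=' padding (inferred from the dump, not stated by the author). It shows the static alternative to the gdb approach: re-implement the custom codec, or translate a custom-alphabet string into standard base64 so any ordinary decoder can handle it.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// customAlphabet is the 64-character table visible in R13/RSP in the gdb
// register dump of easyGo. Assumption: the binary constructed its encoder with
// base64.NewEncoding(customAlphabet); the write-up does not state this.
const customAlphabet = "6789_-abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

// standardAlphabet is the RFC 4648 table used by base64.StdEncoding.
const standardAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

// customEnc encodes/decodes with the recovered alphabet. Default '=' padding
// is assumed; NewEncoding panics if the alphabet is not exactly 64 bytes,
// which doubles as a sanity check on the table copied from the dump.
var customEnc = base64.NewEncoding(customAlphabet)

// EncodeCustom reproduces the encoding direction, so a candidate plaintext can
// be compared against whatever encoded constant is recovered from the binary.
func EncodeCustom(plain string) string {
	return customEnc.EncodeToString([]byte(plain))
}

// DecodeCustom is the static equivalent of stepping past
// encoding_base64__ptr_Encoding_DecodeString and reading RSI.
func DecodeCustom(enc string) (string, error) {
	raw, err := customEnc.DecodeString(enc)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// ToStandard maps each custom-alphabet character to the standard character at
// the same index, producing a string that stock base64 tools can decode.
// Characters outside the table (e.g. '=' padding) pass through unchanged.
func ToStandard(enc string) string {
	var b strings.Builder
	for _, c := range enc {
		if i := strings.IndexRune(customAlphabet, c); i >= 0 {
			b.WriteByte(standardAlphabet[i])
		} else {
			b.WriteRune(c)
		}
	}
	return b.String()
}

func main() {
	flag := "flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}" // value read from RSI above
	enc := EncodeCustom(flag)
	fmt.Println("custom  :", enc)
	fmt.Println("standard:", ToStandard(enc))
	dec, err := DecodeCustom(enc)
	fmt.Println("decoded :", dec, err)
}
```

Because the flag is 42 bytes, a multiple of 3, the encoded form has no padding; with the recovered table "fla" encodes to "tGRB" where standard base64 would give "Zmxh", which is the quickest way to confirm that a suspicious 64-byte string found in a Go binary really is a custom base64 alphabet.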

0x02 bbvvmm

0x03 strange_int

0x04 计时挑战

0x05 where_u_are

PWN

0x01

0x02 baby_pwn

0x03 daily

0x04 Double

0x05 bms

0x06 Virtual
