Preface
I'd suggest reading the earlier articles first; this challenge can be solved quickly with Pin.
Process
I won't go over Pin and pintools themselves here.
0x0
When I first got the challenge I was lost: opening it in IDA, everything is gmp/mpz calls. Anyone who knows a little will think of RSA, but that doesn't really help with solving it. Roughly reconstructing the logic, the program performs RSA encryption in two different ways: the first implements the RSA computation directly, the second goes through the gmp library API. If it were just RSA encryption it would be manageable, but annoyingly the program is control-flow flattened, so instead of untangling the flattened graph we try solving it with Pin.
First, from the program's code we can see the flag is 38 characters long. Running it under inscount0.so with inputs such as QCTF and guessing further characters, the instruction count grows with every additional correct leading character: the check stops at the first wrong byte, so the executed-instruction count leaks how long the correct prefix is. Haha, so we just brute-force it one character at a time.
The code is as follows:
import string
import subprocess
import time

# Paths from the original setup: the target binary and the stock inscount0
# example pintool shipped with Pin 3.7.
PIN_ROOT = "/opt/pin-3.7-97619-g0d0c92f4f-gcc-linux"
PIN = PIN_ROOT + "/pin"
TOOL = PIN_ROOT + "/source/tools/ManualExamples/obj-intel64/inscount0.so"
TARGET = "/home/jeb/Downloads/xman2018/reverse/ollvm/oolvm"
FLAG_LEN = 38
OUT_FILE = "inscount.out"   # stock inscount0 writes "Count N" here (its -o knob)


def run_count(pwd):
    """Run the target under inscount0 with pwd as argv[1] and return the
    number of instructions the run executed."""
    # argv list instead of shell=True: '?' and '{' '}' in the guess must not
    # be expanded by the shell.
    cmd = [PIN, "-t", TOOL, "-o", OUT_FILE, "--", TARGET, pwd]
    res = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    text = res.stdout.decode(errors="replace")
    # The stock tool writes to OUT_FILE; a tool patched to print on stdout
    # (which is what the original script assumed) is handled as well.
    if "Count " not in text:
        with open(OUT_FILE) as f:
            text = f.read()
    return int(text.split("Count ")[1].split()[0])


#### brute-force the flag one character at a time
dic = string.ascii_letters + "_{}" + string.digits
cur = ""
# baseline: an all-wrong guess, so the first delta is measured against
# something meaningful rather than against zero
count_old = run_count("?" * FLAG_LEN)
start_time = time.time()
for i in range(FLAG_LEN):
    for s in dic:
        # keep every guess at the full flag length, padding with '?'
        pwd = cur + s + "?" * (FLAG_LEN - 1 - len(cur))
        count = run_count(pwd)
        count_sub = count - count_old
        count_old = count
        # empirically, each additional correct leading character adds
        # roughly 1.0M to 1.5M instructions compared with a wrong one
        if 1000000 < count_sub < 1500000:
            cur = cur + s
            print("current flag", pwd, "current count:", count, "sub_count", count_sub)
            break   # this position is settled, move on to the next one
print("flag:", cur)
print("need times :", time.time() - start_time, "s")
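As an added example that is not part of the original writeup, the following Python simulates the same instruction-count side channel offline so it can be run without Pin or the binary. `make_oracle` is a constructed stand-in for running the target under inscount0.so: its "instruction count" grows by a fixed amount per correct leading character and gets a bonus on the success path. `recover` is the general per-position search and goes a step beyond the script above in two ways: it picks the character with the highest count at each position instead of relying on a fixed delta window, and it refuses to continue when the two best candidates tie, which is exactly what happens at the last character when the success path does no extra work. All names, constants and the sample secret are hypothetical.

```python
import string

ALPHABET = string.ascii_letters + string.digits + "_{}"


def make_oracle(secret, per_char=12345, success_bonus=700, base=1000):
    """Constructed stand-in for 'run the binary under inscount0.so'.

    The simulated checker compares the guess to the secret and bails out at
    the first mismatch, so the returned count grows by per_char for every
    correct leading character. A full match additionally runs the success
    path (printing a banner, say), which is what separates the final
    character from a wrong one. Returns (oracle, call_counter)."""
    calls = {"n": 0}

    def count_instructions(guess):
        calls["n"] += 1
        matched = 0
        for g, s in zip(guess, secret):
            matched += 1          # one comparison executed
            if g != s:
                break
        n = base + matched * per_char
        if guess == secret:
            n += success_bonus
        return n

    return count_instructions, calls


def recover(oracle, length, alphabet=ALPHABET, pad="?", min_gap=1):
    """Recover a length-character secret one position at a time.

    For each position every candidate character is tried with the rest of
    the guess padded to the full length; the candidate with the highest
    count wins. If the winner does not beat the runner-up by at least
    min_gap, the count does not leak anything at this position and the
    search stops instead of guessing."""
    cur = ""
    while len(cur) < length:
        counts = {}
        for c in alphabet:
            guess = cur + c + pad * (length - len(cur) - 1)
            counts[c] = oracle(guess)
        ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
        (best, top), (_, runner_up) = ranked[0], ranked[1]
        if top - runner_up < min_gap:
            raise ValueError(
                f"no usable leak at position {len(cur)}: best candidates tie")
        cur += best
    return cur


if __name__ == "__main__":
    # constructed sample secret, made only of characters from ALPHABET
    secret = "QCTF{pin_counts_leak_the_prefix_1234}"
    oracle, calls = make_oracle(secret)
    found = recover(oracle, len(secret))
    print(found)
    print(calls["n"], "oracle queries instead of",
          f"{len(ALPHABET)}^{len(secret)}")
```

The query budget is linear, `len(secret) * len(ALPHABET)` runs, which is why this works against a flattened binary where static analysis is painful; against the real target each query is one Pin run, so the same per-position argmax replaces the hand-tuned 1.0M to 1.5M window.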
Summary
With this, apart from the challenge written in Rust, which I couldn't make sense of, I've gone through basically all the RE challenges in detail, and I learned a lot from it. Noob that I am, I'll keep at it and hope to meet the big names in person.