2020年 网鼎杯 Reverse signal WriteUp

CTF网鼎杯

题目: Signal 分类: Reverse Tips: 跟着信号一起走

 

运行提示string: 随便输入提示WRONG!

查了下PE头 没发现什么信息

上OD去看

搜索字符串

结合上面运行的结果

注意4组

string/WRONG/what a shame/good, The answer format is flag {}

继续看流程 string 到WRONG 和 what a shame 条件是15个字符

这里使用Python的angr库

angr库

什么是angr:

angr是一个二进制的代码分析工具, 能够自动化的完成二进制文件的分析并找出漏洞。可以进行动态的符号执行分析 

上代码

import angr
p = angr.Project('signa.exe')
st = p.factory.entry_state()
sm = p.factory.simulation_manager(st)
sm.explore(find=0x40179E, avoid=0x4016E6)
print(sm.found[0].posix.dumps(0))

运行

WARNING | 2020-05-11 01:22:31,194 | angr.state_plugins.symbolic_memory | The program is accessing memory or registers with an unspecified value. This could indicate unwanted behavior.
WARNING | 2020-05-11 01:22:31,194 | angr.state_plugins.symbolic_memory | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2020-05-11 01:22:31,194 | angr.state_plugins.symbolic_memory | 1) setting a value to the initial state
WARNING | 2020-05-11 01:22:31,194 | angr.state_plugins.symbolic_memory | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2020-05-11 01:22:31,194 | angr.state_plugins.symbolic_memory | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY_REGISTERS}, to suppress these messages.
WARNING | 2020-05-11 01:22:31,195 | angr.state_plugins.symbolic_memory | Filling register ebp with 4 unconstrained bytes referenced from 0x402130 (offset 0x2130 in 11.exe (0x402130))
WARNING | 2020-05-11 01:22:31,196 | angr.state_plugins.symbolic_memory | Filling register edi with 4 unconstrained bytes referenced from 0x402131 (offset 0x2131 in 11.exe (0x402131))
WARNING | 2020-05-11 01:22:31,198 | angr.state_plugins.symbolic_memory | Filling register esi with 4 unconstrained bytes referenced from 0x402132 (offset 0x2132 in 11.exe (0x402132))
WARNING | 2020-05-11 01:22:31,199 | angr.state_plugins.symbolic_memory | Filling register ebx with 4 unconstrained bytes referenced from 0x402133 (offset 0x2133 in 11.exe (0x402133))
WARNING | 2020-05-11 01:22:31,555 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefe70 with 4 unconstrained bytes referenced from 0x402814 (offset 0x2814 in 11.exe (0x402814))
WARNING | 2020-05-11 01:22:31,563 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefe70 with 4 unconstrained bytes referenced from 0x402814 (offset 0x2814 in 11.exe (0x402814))
WARNING | 2020-05-11 01:22:32,455 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefd40 with 4 unconstrained bytes referenced from 0x402814 (offset 0x2814 in 11.exe (0x402814))
WARNING | 2020-05-11 01:22:32,462 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefd40 with 4 unconstrained bytes referenced from 0x402814 (offset 0x2814 in 11.exe (0x402814))
WARNING | 2020-05-11 01:22:32,854 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefffc with 192 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:32,860 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefffc with 192 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,500 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefc78 with 11 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,500 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefc60 with 8 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,501 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefbc0 with 140 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,565 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefc78 with 11 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,565 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefc60 with 8 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
WARNING | 2020-05-11 01:22:35,565 | angr.state_plugins.symbolic_memory | Filling memory at 0x7ffefbc0 with 140 unconstrained bytes referenced from 0x10189c90 (strlen+0x0 in msvcrt.dll (0x10189c90))
b'757515121f3d478\x00\x02\x01\x00\x01\x00\x03\x00\x00\x00\x08)\x02\x00\x0e\x00I\x00)I\x01\x0f\x00J\x89*\x89I\x08\x01)I\x00\x0e\x08\x06\x00I\x0e\x89\x08\x8a)\x08*'
flag{757515121f3d478}

 

总结

CTF的Re部分很吃经验....新手非常吃亏

毕竟啥工具都没有 需要用什么包 什么库 没个师傅指点指点很吃亏

云盘下载 7afs

发表评论

电子邮件地址不会被公开。必填项已用 * 标注