2022 虎符CTF&HFCTF Reverse Writeup
fpbe
根据二进制文件API符号信息,发现是使用一个叫做eBPF框架编写的程序,Google学习一下。发现eBPF是Linux下的一个程序框架,eBPF在Linux内核中运行一个BPF虚拟机,可以接收来自用户层的BPF bytecode,经过安全检查后经由BPF虚拟机可在内核态执行,这个字节码二进制程序通常叫做xxx.bpf.c。本题目的核心逻辑便是存在一个叫做fpbe.bpf.c编程成的ELF文件,这个文件编译进了题目附件的rodata段中,提取出来即可。
基本信息如下,可以看见是Linux BPF框架。
里面有一个叫做uprobe/func的段,存储的就是BPF bytecode,可以用LLVM-objdum反汇编。
100行左右,主要是求解四个四元一次方程组。
import libnum
from z3 import *
r1 = Int('r1')
r2 = Int('r2')
r3 = Int('r3')
r4 = Int('r4')
s = Solver()
s.add(r3*28096 + r2*64392 + r4*29179 + r1*52366 == 209012997183893)
s.add(r3*61887 + r2*27365 + r4*44499 + r1*37508 == 181792633258816)
s.add(r3*56709 + r2*32808 + r4*25901 + r1*59154 == 183564558159267)
s.add(r3*33324 + r2*51779 + r4*31886 + r1*62010 == 204080879923831)
if s.check() == sat:
s = s.model()
flag = libnum.n2s(s[r1].as_long()) + libnum.n2s(s[r4].as_long()) + libnum.n2s(s[r2].as_long()) + libnum.n2s(s[r3].as_long())
print(flag[::-1]) # 0vR3sAlbs8pD2h53
the shellcode
有Themida / Winlicense 3.x壳,直接上x64看看什么情况。因为控制台有输出,先尝试在标准IO函数下断点,发现断在了printf和scanf里面,走出来就是main,这个时候代码已经复原,动态脱壳完成。
直接转到IDA中看,第一段输入经过下面几个部分。先是一个base家系的解码操作,接着字节循环位移,然后稍有改动的xxtea加密,最后比较。
#include "defs.h"
#include <stdio.h>
#include <stdint.h>
void XXTeaDecrypt(int n, uint32_t* v, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
uint32_t DELTA = -0x61C88647;
rounds = 6 + 52 / n;
sum = rounds * DELTA;
y = v[0];
do {
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--)
{
z = v[p - 1];
y = v[p] -= ((sum ^ y) + (z ^ key[e ^ p & 3])) ^ (((16 * z) ^ (y >> 3)) + ((z >> 6) ^ (4 * y)));
}
z = v[n - 1];
y = v[0] -= ((sum ^ y) + (z ^ key[e ^ p & 3])) ^ (((16 * z) ^ (y >> 3)) + ((z >> 6) ^ (4 * y)));
sum -= DELTA;
} while (--rounds);
}
uint8_t Translate(uint8_t e, uint8_t* table)
{
for (size_t i = 0; i < 256; i++)
{
if (table[i] == e)
return i;
}
return 0;
}
void* decode(int inlen, uint8_t* data, int* outlen)
{
uint8_t table[] = {
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x40, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x3E, 0x42, 0x42, 0x42, 0x3F, 0x34, 0x35,
0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x42, 0x42,
0x42, 0x41, 0x42, 0x42, 0x42, 0x00, 0x01, 0x02, 0x03, 0x04,
0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x1A, 0x1B, 0x1C,
0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
0x31, 0x32, 0x33, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
0x42, 0x42, 0x42, 0x42, 0x42, 0x42
};
*outlen = (inlen / 3) << 2;
uint8_t* outdata = (uint8_t*)malloc(*outlen);
if (outdata != NULL)
{
memset(outdata, 0, *outlen);
int pos = 0;
for (size_t i = 0; i < inlen; i += 3)
{
uint8_t e1, e2, e3, e4;
int e;
e = data[i + 2] + (((uint32_t)data[i + 1] + ((uint32_t)data[i] << 8)) << 8);
e4 = e & 0b111111;
e3 = (e >> 6) & 0b111111;
e2 = (e >> 6*2) & 0b111111;
e1 = (e >> 6*3) & 0b111111;
outdata[pos++] = Translate(e1, table);
outdata[pos++] = Translate(e2, table);
outdata[pos++] = Translate(e3, table);
outdata[pos++] = Translate(e4, table);
}
}
return (void*)outdata;
}
int main()
{
uint32_t key[4] = { 116, 111, 114, 97 };
uint8_t enc[] = {
0xA1, 0x89, 0x6B, 0x4B, 0x53, 0x54, 0xC1, 0x74, 0x6E, 0xA0,
0x92, 0x40, 0x07, 0x0C, 0x9B, 0x42, 0x84, 0x1E, 0x28, 0x40,
0xC9, 0x44, 0x5B, 0x8B, 0x7B, 0xB3, 0xFE, 0x66, 0x03, 0xA6,
0x77, 0x3C, 0x2D, 0x89, 0xC5, 0x79, 0x97, 0xDA, 0x7A, 0x0D,
0x56, 0xAA, 0x51, 0x1D, 0x03, 0xD7, 0xD4, 0x02, 0xBA, 0x26,
0xA5, 0x4F, 0x4A, 0xD6, 0xFA, 0x32, 0x91, 0x60, 0x0F, 0x0C,
0x93, 0x75, 0x2B, 0x56, 0x67, 0xDD, 0x9A, 0xDB, 0x63, 0x55,
0x16, 0x76, 0x15, 0x93, 0xF7, 0xA5, 0x1D, 0x99, 0xEB, 0x3A,
0xD4, 0x21, 0xB7, 0x1A, 0x2C, 0x9D, 0xCD, 0xAA, 0x27, 0x2B,
0x5C, 0x82, 0x1A, 0x76, 0xA7, 0x76, 0x18, 0x5F, 0x00, 0xB4,
0x63, 0x37, 0x7F, 0x11, 0x40, 0xC5, 0x2C, 0x51, 0x6F, 0xA1,
0x94, 0xC5, 0x8C, 0x4F, 0xE2, 0xD0, 0xE9, 0xE2, 0xA3, 0x9C,
0xD5, 0xC2, 0x9C, 0x0A, 0x1D, 0xE6, 0x29, 0x46, 0xE3, 0x29,
0x71, 0x63, 0xD7, 0x8A, 0x4E, 0xCA, 0x71, 0xAF, 0xDF, 0xF5,
0xAB, 0x68, 0x4E, 0x47, 0x3A, 0xBC, 0x2F, 0x54, 0x17, 0x16,
0x74, 0xD6, 0xE5, 0xBB, 0x0D, 0xAD, 0xE3, 0xBB, 0xF7, 0x62,
0x07, 0x8C, 0xD6, 0xC8, 0x0E, 0x95, 0x0E, 0x88, 0xBA, 0x25,
0x0F, 0xF8, 0x4C, 0x26, 0x7A, 0x76, 0x14, 0xE0, 0x7C, 0x9A,
0xEE, 0xC9, 0x8B, 0x5C, 0xD4, 0xF7, 0x9E, 0x5D, 0xDE, 0xAC,
0x99, 0xB9, 0x13, 0x8E, 0xEC, 0xB2, 0x2D, 0x23, 0x68, 0xEE,
0xCE, 0x5F, 0x7C, 0x92, 0x5D, 0xA8, 0xE3, 0xC9, 0x6B, 0xB5,
0x74, 0xAC, 0x12, 0xE7, 0xB6, 0x42, 0xDA, 0x98, 0x28, 0xCD,
0x58, 0x1C, 0xF1, 0xFC, 0xEE, 0x75, 0x70, 0xF5, 0x78, 0xE6,
0x76, 0x50, 0x35, 0x6A, 0xD6, 0xD4, 0xB9, 0x5A, 0x10, 0x95,
0x03, 0x44, 0xB0, 0x1B, 0x59, 0xB9, 0x40, 0xB2, 0x1A, 0x26,
0x4E, 0x7B, 0xD8, 0x29, 0xD1, 0x23, 0xCD, 0x52, 0xE7, 0xF5,
0x70, 0x8F, 0xA7, 0x4E
};
XXTeaDecrypt(66, (uint32_t*)enc, key);
for (size_t i = 0; i < 264; i++)
{
enc[i] = __ROR1__(enc[i], 3);
}
int size;
uint8_t* out = (uint8_t*)decode(0x108, enc, &size);
for (size_t i = 0; i < size; i++)
{
putchar(out[i]);
}// YPxoTHcmBzPSZItSMItSDItSFItyKA+3SiYz/zPArDxhfAIsIMHPDQP44vBSV4tSEItCPAPCi0B4hcAPhL4AAAADwlCLSBiLWCAD2oP5AA+EqQAAAEmLNIsD8jP/M8Cswc8NA/g6xHX0A3wkBDt8JAx12TP/M8mDwlAPtgQKwc8NA/hBg/kOdfHBzw1XM/8zyYtUJDxSD7YcDrhnZmZm9+vR+ovCwegfA8KNBIAr2FoPtgQKK8PBzw0D+EGD+Q511MHPDTs8JHQWaCVzAACLxGhubwAAVFCLXCRI/9PrFGglcwAAi8RoeWVzAFRQi1wkSP/TWFhYWFhYWFhYYcNYX1qLEukL////
if (out)
free(out);
return 0;
}
第二段输入进去后,会执行动态解密的一个函数,关键点如下。经分析,发现是程序自带的两个符号信息进行了同样的运算,互相参照结果,还原即可。
a = [ 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D,
0x20, 0x63, 0x61, 0x6E]
b = [
0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72,
0x79, 0x45, 0x78, 0x41
]
flag = []
for i in range(14):
flag.append(a[i] + b[i] % 5)
print(''.join(map(chr, flag))) # jt"psojvcq!gan
to be or not to be, is a question.
