[MRCTF2020]hello_world_go
首先查壳,为elf文件64位
反编译后代码如下:
// Hex-Rays pseudocode for the Go program's main.main: writes to stdout, reads one
// value from stdin, and compares it with the 24 bytes at unk_4D3C58.
// NOTE(review): the decompiler does not appear to model how this Go build passes
// arguments and results on the stack, so many call arguments (v0, v1, v2, ...) and
// call results (v13, v14, v15) show up as locals that are never assigned here.
// Read the constants and globals in each call rather than the vN placeholders.
void __cdecl main_main()
{
int v0; // edi
__int64 v1; // rsi
__int64 v2; // r8
__int64 v3; // r9
__int64 v4; // r8
__int64 v5; // r9
int v6; // edx
__int64 v7; // r8
__int64 v8; // r9
__int64 v9; // rcx
__int64 v10; // rax
int v11; // edx
__int64 v12; // rax
__int64 *v13; // [rsp+8h] [rbp-A8h]
char v14; // [rsp+18h] [rbp-98h]
__int64 v15; // [rsp+20h] [rbp-90h]
__int64 v16; // [rsp+28h] [rbp-88h]
__int64 v17; // [rsp+58h] [rbp-58h]
__int64 *v18; // [rsp+60h] [rbp-50h]
__int128 v19; // [rsp+68h] [rbp-48h] BYREF
void *v20; // [rsp+78h] [rbp-38h] BYREF
void **v21; // [rsp+80h] [rbp-30h] BYREF
__int128 v22; // [rsp+88h] [rbp-28h] BYREF
__int128 v23; // [rsp+98h] [rbp-18h] BYREF
// Function prologue emitted by the Go compiler: a stack address is compared with
// a limit read through FS, and runtime_morestack_noctxt is called when it is at
// or below that limit (presumably the goroutine stack guard — not program logic).
if ( (unsigned __int64)&v21 <= *(_QWORD *)(__readfsqword(0xFFFFFFF8) + 16) )
runtime_morestack_noctxt();
// Allocate the object that will receive the input; its address is picked up from
// the stack slot v13. It is later read as v18[0] / v18[1], which looks like a Go
// string header {data pointer, length} — TODO confirm against the type at unk_4A96A0.
runtime_newobject(v0, v1);
v18 = v13;
// Two-word value {unk_4AC9C0, off_4EA530} written to os_Stdout via fmt.Fprint —
// presumably an interface{} wrapping the prompt string (text not shown on this page).
*(_QWORD *)&v23 = &unk_4AC9C0;
*((_QWORD *)&v23 + 1) = &off_4EA530;
fmt_Fprint(
v0,
v1,
(unsigned int)&v23,
(unsigned int)&unk_4AC9C0,
v2,
v3,
(__int64)&go_itab__os_File_io_Writer,
os_Stdout,
(__int64)&v23);
// Two-word value {unk_4A96A0, v18}: the destination for fmt.Fscanf on os_Stdin.
// unk_4D07C9 followed by 2LL is the format string and its length (contents not
// shown here); the trailing &v22, 1LL is the one-element argument list.
*(_QWORD *)&v22 = &unk_4A96A0;
*((_QWORD *)&v22 + 1) = v18;
fmt_Fscanf(
v0,
v1,
(unsigned int)&go_itab__os_File_io_Reader,
(unsigned int)&v22,
v4,
v5,
(__int64)&go_itab__os_File_io_Reader,
os_Stdin,
(__int64)&unk_4D07C9,
2LL,
(__int64)&v22,
1LL);
// v9 = second word of the input object (compared with 24 below, so it acts as the
// length); v10 = first word (passed to the comparison routines as the data).
v9 = v18[1];
v10 = *v18;
// A length other than 24 skips the equality test and goes straight to the
// ordering comparison at LABEL_3.
if ( v9 != 24 )
goto LABEL_3;
v17 = *v18;
// Byte-for-byte equality test of the input against the constant at unk_4D3C58;
// the result is read back from the stack slot v14.
runtime_memequal(v0, v1, v6, (unsigned int)&unk_4D3C58, v7, v8, (__int64)&unk_4D3C58, v10);
if ( !v14 )
{
LOBYTE(v10) = v17;
LODWORD(v9) = 24;
LABEL_3:
// Reached on a length mismatch or a failed memequal: runtime_cmpstring orders the
// 24-byte constant against the input and v12 becomes 1 or -1, never 0.
runtime_cmpstring(v0, v1, (unsigned int)&unk_4D3C58, v9, v7, v8, (__int64)&unk_4D3C58, 24LL, v10);
if ( v15 >= 0 )
v12 = 1LL;
else
v12 = -1LL;
goto LABEL_5;
}
// memequal succeeded: v12 == 0 marks the input as identical to the constant.
v12 = 0LL;
LABEL_5:
// NOTE(review): the expected input is a plaintext constant in .rodata compared
// directly with user input, so it can be recovered by static inspection alone.
if ( v12 )
{
// Mismatch branch: prints the value at off_4EA550 (presumably the failure
// message; string contents are not shown on this page).
*(_QWORD *)&v19 = &unk_4AC9C0;
*((_QWORD *)&v19 + 1) = &off_4EA550;
fmt_Fprintln(
v0,
v1,
v11,
(unsigned int)&go_itab__os_File_io_Writer,
v7,
v8,
(__int64)&go_itab__os_File_io_Writer,
os_Stdout,
(__int64)&v19,
1LL,
1LL,
v16);
}
else
{
// Match branch: prints the value at off_4EA540 (presumably the success message;
// string contents are not shown on this page).
v20 = &unk_4AC9C0;
v21 = &off_4EA540;
fmt_Fprintln(
v0,
v1,
v11,
(unsigned int)&go_itab__os_File_io_Writer,
v7,
v8,
(__int64)&go_itab__os_File_io_Writer,
os_Stdout,
(__int64)&v20,
1LL,
1LL,
v16);
}
}
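这道题的flag以明文形式直接存储在程序的.rodata段中,即unk_4D3C58:main_main先检查输入长度是否为24,再用runtime_memequal将输入与unk_4D3C58处的24个字节比较,因此无需运行程序,静态查看该地址即可得到flag。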
; 24 consecutive bytes of printable ASCII in .rodata (4D3C58h..4D3C6Fh).
; main_main passes this address to runtime_memequal / runtime_cmpstring together
; with the length 24, so these bytes are the value the user input is checked against.
.rodata:00000000004D3C58 unk_4D3C58 db 66h ; f ; DATA XREF: main_main:loc_49A40A↑o
.rodata:00000000004D3C58 ; main_main+25C↑o
.rodata:00000000004D3C59 db 6Ch ; l
.rodata:00000000004D3C5A db 61h ; a
.rodata:00000000004D3C5B db 67h ; g
.rodata:00000000004D3C5C db 7Bh ; {
.rodata:00000000004D3C5D db 68h ; h
.rodata:00000000004D3C5E db 65h ; e
.rodata:00000000004D3C5F db 6Ch ; l
.rodata:00000000004D3C60 db 6Ch ; l
.rodata:00000000004D3C61 db 6Fh ; o
.rodata:00000000004D3C62 db 5Fh ; _
.rodata:00000000004D3C63 db 77h ; w
.rodata:00000000004D3C64 db 6Fh ; o
.rodata:00000000004D3C65 db 72h ; r
.rodata:00000000004D3C66 db 6Ch ; l
.rodata:00000000004D3C67 db 64h ; d
.rodata:00000000004D3C68 db 5Fh ; _
.rodata:00000000004D3C69 db 67h ; g
.rodata:00000000004D3C6A db 6Fh ; o
.rodata:00000000004D3C6B db 67h ; g
.rodata:00000000004D3C6C db 6Fh ; o
.rodata:00000000004D3C6D db 67h ; g
.rodata:00000000004D3C6E db 6Fh ; o
.rodata:00000000004D3C6F db 7Dh ; }
将上面24个字节按ASCII依次拼接,即得到flag:flag{hello_world_gogogo}
题目完成,但我们还是借此了解一下Go语言逆向。Go语言在逆向时有以下特点:
- Go 语言内置一些复杂的数据类型,并支持类型的组合与方法绑定,这些复杂数据类型在汇编层面有独特的表示方式和用法
- 独特的调用约定和栈管理机制
- 全静态链接构建
为了便于Go语言逆向、还原被去除的符号信息,主要使用的IDA Pro脚本是IDAGolangHelper
IDAGolangHelper项目地址:https://github.com/sibears/IDAGolangHelper
- 像专业人士一样逆向 Go 二进制文件:https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/
- Go二进制文件逆向分析从基础到进阶——综述:https://zhuanlan.zhihu.com/p/193096088
