

Hitcon2022-Checker Windows驱动文件分析

with Katzebin 就不传附件了 附件有checker.exe和check_drv.sys两个文件 checker.exe逻辑十分简单 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 int __cdecl main(int argc, const char **argv, const char **envp) { HANDLE FileW; // rax char *v4; // rcx char OutBuffer[4]; // [rsp+40h] [rbp-18h] BYREF DWORD BytesReturned; // [rsp+44h] [rbp-14h] BYREF FileW = CreateFileW(L"\\\\.\\hitcon_checker", 0xC0000000, 0, 0i64, 3u, 4u, 0i64); qword_140003620 = (__int64)FileW; if ( FileW == (HANDLE)-1i64 ) { sub_140001010("driver not found\n"); exit(0); } OutBuffer[0] = 0; DeviceIoControl(FileW, 0x222080u, 0i64, 0, OutBuffer, 1u, &BytesReturned, 0i64); v4 = "correct\n"; if ( !

[BlockChain] Ethernaut做题笔记(更新中)

Before Start 其实很早就开始想学区块链安全了,但是因为环境炸了、Ropsten测试链关了和懒等等原因,直到Hackergame的链上记忆大师题才开始上手实操区块链题。后来在强网拟态和N1CTF等比赛中由于不熟悉ctf区块链题的交互方式也是一直在鸽子。 后来看wp找到了这个仓库才开始做题。 先从这个靶场打起 Fallback 其实这个题是可以通过Console交互来完成的,但是我还是想试一试用神奇的Poseidon库。 题目 目标:成为合约的owner并清空Balance 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 contract Fallback { mapping(address => uint) public contributions; address payable public owner; constructor() public { owner = msg.sender; contributions[msg.sender] = 1000 * (1 ether); } modifier onlyOwner { require( msg.

四川省网安技能大赛2022 个人输出复盘

[Reverse] AmazingMFC 一整场比赛Reverse就一个题,真是被看扁了啊.jpg 附件备份 经典的MFC逆向,一打开十个按钮,点一下会出base64信息提示是不是正确的flag所在位置。 理论上是要一个个解密,但是我第一次点就是正确的位置,什么是欧皇啊(后仰) 所以看了一眼base64解码结果是f14g here here直接跳过这一步。 定位函数,XSPY开 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 mfc version:140, static linked?: true, debug?: false CWnd::FromHandlePermanent = 0x0041D79C CWnd = 0x0019FE1C HWND: 0x000E0582 class:0019FE1C(CDialogEx,size=0xd0) CDialogEx:CDialog:CWnd:CCmdTarget:CObject [vtbl+0x00]GetRuntimeClass = 0x0041A3FA(AmazingMFC.

智能合约逆向分析实战 ByteCTF2022-OhMySolidity

[Reverse] OhMySolidity 题面如下 1 2 3 4 5 6 7 8 9 10 11 12 13 14 input: 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 output: None input: 0x9577a1450000000000000000000000000000000000000000000000000000000012345678000000000000000000000000000000000000000000000000000000008765432100000000000000000000000000000000000000000000000000000000aabbccdd0000000000000000000000000000000000000000000000000000000044332211 output: None input(broken): 0x58f5382e... output: 0xa625e97482f83d2b7fc5125763dcbbffd8115b208c4754eee8711bdfac9e3377622bbf0cbb785e612b82c7f5143d5333 根据题目提示和开头60806040可以知道是一个Solidity字节码的逆向。Solidity语言是在区块链的智能合约部署中被广泛使用的语言之一。 由于之前有接触过智能合约字节码逆向我们很快就找到了反编译的工具。 Online Solidity Decompiler (ethervm.io) 1 2 3 4 5 6 7 8 9 10 11 contract Contract { function main() { memory[0x40:0x60] = 0x80; var var0 = msg.value; if (var0) { revert(memory[0x00:0x00]); } memory[0x00:0x066e] = code[0x20:0x068e]; return memory[0x00:0x066e]; } } 反编译结果明显短于字节码长度。观察到memory[0x00:0x066e] = code[0x20:0x068e];行,推测是把0x20部分代码复制到memory内继续执行。

WMCTF2022-Archgame

[Reverse] Archgame load_code处对bin文件进行了一个解密 1 2 3 for ( i = 0LL; i < size; ++i ) { g_code_data[i] ^= *((_BYTE *)&global_key + (i & 3)); } round()函数有两个switch,手动修复一下,大概逻辑是这个样子。 是一些关于unicorn虚拟机的操作,查一下unicorn引擎的文档可以得到函数作用。 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 __int64 round() { const char *v0; // rax const char *v1; // rax const char *v2; // rax int errorcode2; // eax unsigned int roundkey; // [rsp+0h] [rbp-30h] BYREF unsigned int errorcode1; // [rsp+4h] [rbp-2Ch] __int64 uc_engine; // [rsp+8h] [rbp-28h] BYREF char v8; // [rsp+10h] [rbp-20h] BYREF __int64 v9; // [rsp+18h] [rbp-18h] BYREF __int64 v10[2]; // [rsp+20h] [rbp-10h] BYREF v10[1] = __readfsqword(0x28u); errorcode1 = uc_open((unsigned int)g_arch, (unsigned int)g_mode, &uc_engine); //创建虚拟机实例 /* Error Handler */ errorcode1 = uc_mem_map(uc_engine, 0LL, 655360LL, 7LL); //创建从地址0开始 长度655360的内存,权限为RWX /* Error Handler */ uc_mem_write(uc_engine, 0LL, g_code_data, 655360LL); //向内存地址0处写入bin文件解密结果 errorcode1 = uc_mem_map(uc_engine, 0x70000000LL, 0x4000LL, 7LL); //创建从地址0x70000000开始 长度0x4000的内存,权限为RWX /* Error Handler */ uc_mem_write(uc_engine, 0x70000000LL, input_area, 0x4000LL); //向地址0x70000000写入输入的数据,长度为0x4000 errorcode2 = uc_mem_map(uc_engine, 0x20000000LL, 0x8000LL, 7LL); //创建从地址0x20000000开始 长度0x8000的内存,权限为RWX v9 = 536903424LL; v10[0] = 1879048448LL; switch ( g_arch ) { case 1: //ARM uc_reg_write(uc_engine, 12LL, &v9); uc_reg_write(uc_engine, 10LL, v10); //写寄存器 break; case 2: // ARM-64 uc_reg_write(uc_engine, 4LL, &v9); uc_reg_write(uc_engine, 2LL, v10); break; case 3: // Mips uc_reg_write(uc_engine, 31LL, &v9); uc_reg_write(uc_engine, 33LL, v10); break; case 5: // PowerPC uc_reg_write(uc_engine, 3LL, &v9); uc_reg_write(uc_engine, 74LL, v10); break; case 8: // RISCV uc_reg_write(uc_engine, 3LL, &v9); 
uc_reg_write(uc_engine, 2LL, v10); break; } uc_hook_add(uc_engine, (unsigned int)&v8, 1008, (unsigned int)hook_mem, 0, 1, 0LL); //hook了一些非法操作,看起来像是异常处理 hook_mem 是nop函数 errorcode1 = uc_emu_start(uc_engine, 0LL, v9, 0LL, 0LL); //从地址0执行到536903424 switch ( g_arch ) { case 1u: uc_reg_read(uc_engine, 66, (__int64)&roundkey); //读寄存器 break; case 2u: uc_reg_read(uc_engine, 199, (__int64)&roundkey); break; case 3u: uc_reg_read(uc_engine, 4, (__int64)&roundkey); break; case 5u: uc_reg_read(uc_engine, 5, (__int64)&roundkey); break; case 8u: uc_reg_read(uc_engine, 11, (__int64)&roundkey); break; default: break; } uc_close(uc_engine); return roundkey; } 程序的逻辑整体是把challs.