DASCTF 2023-07 & 0x401 TCP

前言

过了好久才想起来这道题,如果不是某课程中要逆向一个Linux下CS模式的Socket程序,还想不起来写这篇文章

TCP

本题实现了一个Linux下的Socket TCP通信,题目给了一个客户端以及一个流量包,供我们分析

在程序的开始的init,便初始化了一个随机数字符:

之后设置对应的服务器地址以及对应端口信息

随后通过recv进行接收数据,我们根据对应的接收长度可以从流量包中进行提取:

之后通过sub_2090进行一定处理;同时观察sub_1F9C,结合对应sub_1E6E中的__modti3,可以大致看出这里实现了一个快速幂操作

前面的for循环将随机数每8个组合成一个QWORD数据

由此我们可以联想到通信间的数据加密;RSA在实现过程中同样存在(m * n) % p形式的运算,恰好与__modti3对应,因此可以识别出这里采用的是RSA公钥加密体系,开头传送的便是32位的公钥信息

对此我们已经获取到了32位的数据:5fcef0e867349fc68f40763a6b0bde0101000100000000000000000000000000

简单调试看一下我们可以得到RSA中的 N 值以及 e 值:

N: 0x1de0b6b3a76408fc69f3467e8f0ce5f 
e: 0x10001

因为 N 值比较小,我们直接采用yafu对其进行分解:

之后我们可以得到RSA中的 p 和 q

p: 1152921504606848051
q: 2152921504606847269

同时往下观察对应的加密后的数据,发送了一个长96的数据,同样的我们从流量包中进行提取

提取到数据:

7a3202cc78acb66216341041b18ea201a3eb93301b27a2b6e77cb244d2e02c0082cd6369f3a7c1d2a1dd9b561c98510017c911f2ac5ec565e2d9b9016df34900661212d889172b99954d25018b5d43012e81783c2d8cebedeb053ccd651de400

我们已经获取到对应的公钥以及加密后的信息之后我们尝试求解出对应的一个随机数密钥信息:

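# Recover the session key material exchanged right after connect.  The client
# sends 96 bytes = 6 RSA blocks of 16 bytes; the 125-bit modulus factors
# easily, so the private exponent follows directly from p and q.
enc = '7a3202cc78acb66216341041b18ea201a3eb93301b27a2b6e77cb244d2e02c0082cd6369f3a7c1d2a1dd9b561c98510017c911f2ac5ec565e2d9b9016df34900661212d889172b99954d25018b5d43012e81783c2d8cebedeb053ccd651de400'

n = 0x1de0b6b3a76408fc69f3467e8f0ce5f
p = 1152921504606848051
q = 2152921504606847269
e = 0x10001
phi = (q - 1) * (p - 1)
d = pow(e, -1, phi)  # modular inverse (builtin since Python 3.8, replaces gmpy2.invert)


def rsa_decrypt_blocks(enc_hex, n, d, block_hex_len=32):
    """Decrypt a hex string of fixed-width RSA blocks and concatenate the plaintexts.

    Each block of ``block_hex_len`` hex chars holds a little-endian integer
    (the client stores its 128-bit words least-significant byte first), so the
    bytes are reversed before the modular exponentiation.  Every plaintext
    integer is written out in its shortest big-endian byte form (leading zero
    bytes dropped, ``0`` becomes a single NUL byte), which is exactly what
    ``Crypto.Util.number.long_to_bytes`` produced in the original script.

    Args:
        enc_hex: hex-encoded ciphertext, a whole number of blocks.
        n: RSA modulus.
        d: RSA private exponent.
        block_hex_len: hex characters per ciphertext block (32 == 16 bytes).

    Returns:
        The concatenated plaintext bytes.
    """
    out = bytearray()
    for i in range(0, len(enc_hex), block_hex_len):
        c = int.from_bytes(bytes.fromhex(enc_hex[i:i + block_hex_len]), 'little')
        m_int = pow(c, d, n)
        out += m_int.to_bytes(max(1, (m_int.bit_length() + 7) // 8), 'big')
    return bytes(out)


m = rsa_decrypt_blocks(enc, n, d)
print(m)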

之后我们可以得到对应的随机数密钥流:

\xfd\x94\xf6\x11\x00\x00\x00\x00rPK\x1d\x00\x00\x00\x00\x04\xde\xc0\\\x00\x00\x00\x00\xe1\xf4\xd9P\x00\x00\x00\x00\x17\xcbV\xc1z\x19\xfb-\xfe\xdb\x84r\x97(\xc8\x94

之后程序又接收了12位的控制命令。可以看到当长度小于16时采用异或进行解密,否则使用之前解密出的随机数密钥作为TEA的密钥来处理信息

同样的我们编写一个脚本对其进行还原处理:

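# 48-byte session key recovered from the RSA stage.  Bytes 32..43 are the XOR
# mask for the 12-byte command header; the leading 32 bytes feed the TEA key.
key = b'\xfd\x94\xf6\x11\x00\x00\x00\x00rPK\x1d\x00\x00\x00\x00\x04\xde\xc0\\\x00\x00\x00\x00\xe1\xf4\xd9P\x00\x00\x00\x00\x17\xcbV\xc1z\x19\xfb-\xfe\xdb\x84r\x97(\xc8\x94'

INSTRUCTION_LEN = 12  # three little-endian DWORDs: case id, offset, byte count


def decode_instruction(raw, key):
    """Unmask one 12-byte command header and split it into its three DWORDs.

    Args:
        raw: the 12 command bytes as captured on the wire.
        key: the 48-byte session key; only ``key[32:44]`` is used as the mask.

    Returns:
        ``[case, offset, count]`` as little-endian unsigned integers.
    """
    mask = key[32:32 + INSTRUCTION_LEN]
    unmasked = bytes(b ^ k for b, k in zip(raw[:INSTRUCTION_LEN], mask))
    return [
        int.from_bytes(unmasked[i:i + 4], 'little')
        for i in range(0, INSTRUCTION_LEN, 4)
    ]


choose_data = bytearray(bytes.fromhex('16cb56c17a19fb2ddcdb8472'))
for x in decode_instruction(choose_data, key):
    print(x, end=',')
# 1,0,34,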

之后我们根据下方的switch case以及对应case的函数可以大致猜测出对应的数据格式

指令为12字节一组(分为三个DWORD),第一个为对应的case值,第二个为对应存储时的偏移(实际计算时还要乘以 100),第三个为对应的读取数据的个数

需要注意的是在解密之前需要将对应的随机数key写入到内存中去:

import binascii

# Dump the recovered 48-byte session key as a hex string so it can be written
# into the client's memory before the TEA stage is debugged.
data = b'\xfd\x94\xf6\x11\x00\x00\x00\x00rPK\x1d\x00\x00\x00\x00\x04\xde\xc0\\\x00\x00\x00\x00\xe1\xf4\xd9P\x00\x00\x00\x00\x17\xcbV\xc1z\x19\xfb-\xfe\xdb\x84r\x97(\xc8\x94'
hex_data = binascii.b2a_hex(data).decode('utf-8')  # lowercase, no separators

print(hex_data)

通过下面的函数可以得到第二个指令的含义,相当于求解一个偏移后在 a3 的堆空间进行读写之类的操作:

那么之后的重点便是解析对应的指令了,即在流量包中的:

对于TEA的解密我们可以直接抄IDA里面的内容:

我们简单的搓一个解密脚本

#include <cstring>
#include <iomanip>
#include <iostream>
#include <string>
#include <Windows.h>
using namespace std;

// TEA decryption as lifted from the client, but over 64-bit words: one 16-byte
// block (two unsigned __int64 halves) is decrypted in place with 32 rounds.
// key: four 64-bit words.  msg: two 64-bit words, overwritten with the result.
void tea(unsigned __int64* key, unsigned __int64* msg) {
    unsigned __int64 left = msg[0];
    unsigned __int64 right = msg[1];
    const __int64 delta = 0x9E3779B9LL;
    __int64 sum = 0x13C6EF3720LL;  // 32 * delta: walks the round counter back to 0

    int rounds = 32;
    while (rounds-- > 0) {
        right -= (left + sum) ^ ((left << 4) + key[2]) ^ ((left >> 5) + key[3]);
        left -= (right + sum) ^ ((right << 4) + key[0]) ^ ((right >> 5) + key[1]);
        sum -= delta;
    }

    msg[0] = left;
    msg[1] = right;
}

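// Little-endian 32-bit load built from bytes, so it does not depend on the
// alignment of the buffer or on type-punning through an unsigned __int32*.
static unsigned __int32 load_le32(const unsigned __int8* p) {
    return (unsigned __int32)p[0]
         | ((unsigned __int32)p[1] << 8)
         | ((unsigned __int32)p[2] << 16)
         | ((unsigned __int32)p[3] << 24);
}

// Unmask one 12-byte command header in place and echo it as "[a,b,c]".
// Bytes 32..43 of the session key are the XOR mask; the three DWORDs are
// little-endian (case id, offset, byte count of the payload that follows).
// instruction: at least 12 bytes; overwritten with the unmasked header.
// Returns the third DWORD, i.e. the length of the data block.
unsigned __int32 decryptInstruction(unsigned __int8* instruction) {
    // decode
    static const unsigned __int8 key[] = { 0xfd,0x94,0xf6,0x11,0x00,0x00,0x00,0x00,0x72,0x50,0x4b,0x1d,0x00,0x00,0x00,0x00,
        0x04,0xde,0xc0,0x5c,0x00,0x00,0x00,0x00,0xe1,0xf4,0xd9,0x50,0x00,0x00,0x00,0x00,
        0x17,0xcb,0x56,0xc1,0x7a,0x19,0xfb,0x2d,0xfe,0xdb,0x84,0x72,0x97,0x28,0xc8,0x94
    };

    for (int i = 0; i < 12; i++) {
        instruction[i] ^= key[i + 32];
    }

    // transform
    unsigned __int32 a = load_le32(&instruction[0]);  // case id
    unsigned __int32 b = load_le32(&instruction[4]);  // offset (scaled by 100 in the client, per the analysis above)
    unsigned __int32 c = load_le32(&instruction[8]);  // payload length

    // [a, b, c] -- built with to_string so the output stays decimal even after
    // decryptData has switched cout to hex.
    cout << endl;
    string result = "[" + to_string(a) + "," + to_string(b) + "," + to_string(c) + "]";
    cout << result << endl;  // echo order
    return c;  // return length
}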

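// Decode one framed record starting at msg[pos]: a 12-byte masked command
// header (recognised by bytes 1..3 matching the key mask, i.e. a case id
// below 256), followed by `len` bytes of payload that is TEA-decrypted in
// place and dumped as hex, plus as text when every byte is printable.
// Returns the position just past the record.
// NOTE(review): `len` comes straight from the captured stream and is never
// checked against the size of msg, so a corrupt length makes the dump read
// and write past the buffer; only run this over a buffer you control.
unsigned __int32 decryptData(unsigned __int8* msg, unsigned __int32 pos) {
    unsigned __int32 len = 0;
    if (msg[pos + 1] == 0xcb && msg[pos + 2] == 0x56 && msg[pos + 3] == 0xc1) {
        len = decryptInstruction(&msg[pos]);
        pos += 12;  // update pos past the header
    } else {
        // Not at a header.  Returning pos unchanged (as the original did) makes
        // the caller's while-loop spin forever; report it and resync one byte on.
        cerr << "no instruction header at offset " << pos << endl;
        return pos + 1;
    }
    if (len) {
        unsigned __int64 key64[] = { 0x11F694FD,0x1D4B5072,0x5CC0DE04,0x50D9F4E1 };
        // Walk every 16-byte window of the payload from the end back to the
        // start (windows overlap by 8 bytes).  Each window is copied out so the
        // 64-bit words are accessed aligned instead of through a cast byte pointer.
        for (int i = (int)len - 16; i >= 0; i--) {
            unsigned __int64 block[2];
            memcpy(block, &msg[pos + i], sizeof block);
            tea(key64, block);
            memcpy(&msg[pos + i], block, sizeof block);
        }
        int flag = 1;  // whether to print the payload as characters
        cout << "------------------------------- HEX -------------------------------------" << endl;
        // The last byte is left out of the dump and of the printability check,
        // presumably to skip a trailing NUL (the 34-byte greeting is 33 characters).
        for (int i = 0; i < (int)len - 1; i++) {
            cout << setw(2) << setfill('0') << hex << (int)msg[pos + i] << " ";
            if (msg[pos + i] < 32 || msg[pos + i] > 127) {
                flag = 0;
            }
        }
        cout << dec << endl;  // restore decimal output for later callers
        cout << "------------------------------- CHR -------------------------------------" << endl;
        if (flag) {
            for (int i = 0; i < (int)len; i++) {
                cout << (char)msg[pos + i];
            }
        }

        cout << endl;
        pos += len;
    }
    return pos;
}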


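// Walk the captured server->client stream record by record.  msg is the
// concatenation of the framed records as extracted from the pcap: each one a
// 12-byte masked command header followed by its TEA-encrypted payload.
int main() {
    unsigned __int8 msg[] = { 0x15,0xcb,0x56,0xc1,0x7b,0x19,0xfb,0x2d,0xe6,0xdb,0x84,0x72,0x11,0xfd,0x38,0x2b,0xc3,0xeb,0x73,0x90,0x37,0xf7,0xdf,0xa4,0xb0,0xca,0x55,0x3f,0x4d,0xc6,0x7f,0x81,0xb7,0x1b,0x7f,0x92,0x15,0xcb,0x56,0xc1,0x78,0x19,0xfb,0x2d,0xd6,0xdb,0x84,0x72,0x7c,0x85,0x26,0xcc,0x3d,0x63,0x83,0xbb,0xcf,0x01,0x59,0x59,0x06,0x48,0x58,0x6e,0x7d,0xd0,0x8b,0x49,0xcc,0x1e,0xe7,0xf5,0x19,0xec,0x20,0x65,0x92,0x25,0x48,0x42,0xb7,0xf3,0x3d,0x25,0x64,0x66,0x40,0xab,0x16,0xcb,0x56,0xc1,0x7a,0x19,0xfb,0x2d,0xe5,0xdb,0x84,0x72,0xc0,0x08,0xba,0x6c,0x15,0x33,0x4f,0x76,0x48,0x5d,0x8c,0x17,0x08,0x2f,0x44,0x68,0xad,0xdb,0xb3,0xa6,0x2d,0x20,0xe7,0x54,0x10,0x5d,0x10,0x14,0xcb,0x56,0xc1,0x7a,0x19,0xfb,0x2d,0xfe,0xdb,0x84,0x72,0x15,0xcb,0x56,0xc1,0x72,0x19,0xfb,0x2d,0xbd,0xd9,0x84,0x72,0x34,0x19,0xb3,0xea,0x63,0x30,0x6f,0xf1,0x22,0x41,0x73,0xd8,0x34,0xb1,0xf9,0xc4,0x36,0x33,0x2f,0x39,0xec,0x2a,0xa1,0x02,0xbb,0x77,0x47,0x85,0x9d,0x50,0x79,0x36,0x74,0xb0,0x5a,0x56,0xf1,0x4e,0xe2,0x94,0x91,0x89,0x59,0x44,0xcb,0xf1,0xf6,0x84,0x6a,0x98,0x31,0xf8,0xdd,0x56,0x66,0x20,0x2c,0x4b,0x0d,0x55,0x8a,0x69,0x02,0x39,0xb1,0xde,0xce,0x43,0x22,0xfe,0x53,0x5c,0x07,0x42,0xcc,0x2f,0x37,0x37,0x85,0x77,0xb9,0x99,0xea,0xab,0x71,0x3d,0x85,0x36,0x43,0xbc,0x37,0x9d,0xac,0x7f,0x7f,0x47,0x1e,0xf2,0x24,0x0b,0x88,0x98,0xfa,0xc4,0x43,0x11,0x49,0xaa,0x27,0xa6,0x55,0x07,0xdb,0x39,0xa9,0x11,0x1d,0xea,0x80,0x2a,0x80,0x35,0x06,0xfb,0xd4,0xa2,0xd5,0x58,0x06,0x89,0x74,0xf9,0x93,0xdc,0xab,0x45,0x87,0xa5,0x62,0x0d,0xb6,0x90,0x9a,0x95,0x1d,0xcf,0x8b,0xb6,0x5d,0x4f,0x8e,0x92,0xac,0x83,0x00,0xfd,0x04,0x9b,0xb3,0x21,0x81,0x99,0x70,0x5b,0xab,0xb2,0x55,0xe7,0xda,0xef,0x40,0xa2,0x8c,0x1d,0x7e,0x3f,0x74,0xcb,0x1d,0x44,0x68,0x7b,0xe1,0x27,0x25,0x8a,0xaf,0xc4,0xdb,0xda,0xf0,0x92,0x66,0xda,0xa6,0x86,0x05,0xe2,0x50,0xaa,0x24,0x4c,0x17,0x9d,0x75,0x9d,0x22,0xe9,0x0e,0xd3,0xd8,0xa9,0xbf,0x15,0x5f,0xae,0x86,0xc7,0x21,0xed,0x8e,0xe5,0x60,0x3c,0x46,0x13,0xac,0x47,0xe5,0xa8,0x00,0x79,0xb9,0x09,0x72,0x72,0x77,0xff,0xf3,0x1d,0x20,0x52,0x9b,0x3c
    ,0x02,0x2e,0x3b,0x1a,0x36,0x16,0xd6,0x39,0xca,0x03,0x65,0x86,0xef,0x17,0xd3,0xdc,0x9b,0xdf,0x1e,0xee,0xc5,0x85,0x9f,0x00,0x22,0x51,0x4f,0x29,0xb2,0x40,0xf3,0x0c,0x81,0x8e,0x7f,0xdd,0x47,0x8f,0x36,0x77,0x99,0x78,0xc0,0x88,0x85,0xb2,0x26,0x6e,0x3c,0xf5,0x99,0xd0,0xa4,0xc2,0x7b,0xca,0x46,0x15,0x72,0x0a,0x08,0xe1,0x39,0x16,0xec,0x4a,0x6e,0xf5,0xc9,0x43,0xdd,0xb2,0x55,0x66,0xe6,0x20,0x72,0x6f,0x56,0xc5,0x16,0x09,0x13,0x56,0x4d,0x68,0x3b,0xad,0xcc,0x72,0x04,0xec,0x8e,0x70,0x80,0x22,0x1d,0xe3,0x25,0xa4,0x31,0xa0,0x68,0x0e,0x9e,0x10,0x8e,0x42,0x7c,0x7b,0xc3,0x80,0x7b,0x86,0xc7,0x88,0x20,0xbc,0x9c,0x23,0x40,0x70,0x9d,0xa3,0x52,0xd9,0x53,0xae,0xa8,0x05,0xa0,0x4b,0x53,0xf2,0xd8,0x8f,0x7b,0x8f,0xae,0x50,0xe5,0xba,0x2d,0xe5,0x56,0x15,0xbc,0x9b,0x2e,0x52,0x61,0x67,0x22,0x6e,0x75,0xf5,0xc8,0x82,0x75,0x93,0x28,0x1f,0x23,0xa6,0x5e,0x50,0x98,0xe0,0xe8,0xe2,0x62,0x3e,0xe4,0xf8,0x92,0xba,0xc7,0x6e,0x69,0x87,0xa0,0x58,0x32,0xbc,0x0b,0x84,0x21,0x5b,0xb7,0x4e,0xd8,0x37,0x86,0xbd,0x55,0x26,0x5e,0x61,0xba,0x57,0x02,0x17,0x0f,0xda,0x63,0xe0,0x1a,0x44,0xd6,0xb8,0xa6,0xf1,0x74,0x0a,0x6c,0x03,0x80,0x30,0x95,0xe5,0x17,0x6b,0xde,0x18,0xee,0x87,0x3d,0xcd,0x63,0x80,0xde,0x9f,0x32,0x5f,0x1c,0x43,0x6c,0x11,0xe3,0x25,0x0c,0xeb,0xce,0xce,0xb3,0x19,0xa4,0x9a,0x4e,0x3f,0x2f,0x62,0xcf,0xd1,0x37,0xb6,0x02,0xe2,0x7f,0x39,0x74,0xa1,0x13,0xdf,0x41,0x42,0x87,0xda,0x48,0xaf,0xd9,0xe8,0xc7,0xef,0x0b,0xdb,0x4d,0x34,0x53,0x13,0xb5,0x2d,0x66,0x22,0x02,0xf5,0x43,0xf4,0x26,0xf8,0x27,0x14,0x32,0xa2,0x01,0x86,0xb1,0xdc,0x7f,0x70,0xd4,0x12,0x3d,0xef,0x1c,0x37,0x45,0xc1,0xff,0xe7,0xf4,0x01,0x7f,0xf6,0x0e,0x0b,0x74,0x86,0xf0,0xe8,0xdb,0x90,0x88,0x9a,0x36,0x07,0x25,0x83,0xdd,0xb2,0x6d,0xbd,0x37,0x77,0x81,0x15,0xcb,0x56,0xc1,0x7e,0x19,0xfb,0x2d,0x5e,0xdb,0x84,0x72,0x63,0x42,0x4f,0xb4,0x92,0x1f,0x22,0x4e,0xb2,0xd4,0x45,0x18,0x3f,0x9b,0xc6,0x54,0x1d,0x1a,0xc7,0x70,0x72,0xa6,0xe6,0x16,0xe6,0x82,0x6c,0xbb,0xeb,0xe9,0x6a,0xf2,0x29,0xe7,0x96,0x20,0x46,0x28,0x69,0xe5,0x16,0x86,0xd4,0xd5,0x23,0xf7,0x82,0xb2,0xe5,0xb4,0x3a,0x76,0x94
    ,0x03,0xbf,0x62,0xf1,0xb8,0x75,0x12,0x01,0x3f,0x95,0xd0,0x68,0xdc,0x04,0xbe,0xb3,0x37,0xf8,0x74,0x1b,0x47,0x13,0x86,0xa7,0x74,0x6e,0xbc,0x7b,0x9c,0x7a,0x95,0x68,0xed,0x9b,0x59,0x09,0x36,0xcd,0xc5,0x33,0xf6,0xf9,0x43,0xe3,0xa3,0x79,0x66,0x36,0x2b,0x62,0x09,0x2c,0xe5,0xa3,0xc5,0x3a,0x95,0xb3,0x3d,0x0f,0xf1,0xac,0x2c,0x58,0x00,0xb6,0x7b,0x8c,0xc4,0x0d,0x61,0x4b,0x8d,0xf7,0x4d,0x41,0x14,0xd4,0xbb,0x71,0x04,0xb5,0x45,0xac,0x7d,0x0b,0x9e,0xb6,0x06,0x57,0x8f,0xd6,0x35,0x61,0x57,0x87,0x40,0xce,0x7e,0xea,0xa1,0x89,0xba,0xac,0xd4,0x36,0xae,0x15,0xcb,0x56,0xc1,0x7f,0x19,0xfb,0x2d,0x5e,0xdb,0x84,0x72,0xec,0xc4,0x94,0x2b,0xbc,0x4e,0x2b,0xbe,0xc5,0xc4,0xad,0xb7,0x91,0xa7,0x09,0x62,0x98,0xf6,0x34,0x7c,0x4a,0x27,0x73,0x64,0xce,0xa8,0x94,0x23,0x4b,0xdc,0xf6,0x98,0x11,0xf3,0x1c,0xe6,0x44,0xba,0xe1,0x0e,0xdc,0x0d,0xe4,0xcc,0xc2,0x00,0xa4,0x4f,0xa0,0xe2,0xfa,0xa4,0xd2,0xeb,0x3b,0x28,0xdc,0xec,0xc3,0xa4,0x68,0xef,0xdb,0xfa,0x7d,0xe2,0x72,0x8b,0x27,0xdf,0xaf,0xd1,0xa5,0xdf,0x48,0x03,0xa7,0x98,0x6c,0xfa,0x76,0x8f,0xb1,0xf9,0x75,0x1b,0xa1,0xa7,0xd4,0x7c,0x9a,0x69,0x28,0x97,0x88,0x10,0xd7,0x6d,0xce,0xb8,0x19,0x73,0x8f,0x46,0x84,0x63,0x7d,0x3d,0xdd,0x2c,0xc4,0x1e,0x2a,0x45,0x85,0xa3,0x66,0xd4,0xa4,0x6b,0x32,0xdb,0x59,0x50,0x8f,0x34,0xbf,0x5c,0x65,0x4b,0xe7,0xb5,0xc8,0x6e,0x24,0xcc,0xa5,0xd1,0x01,0x37,0x38,0xc3,0x2b,0xa9,0xb6,0x08,0x3e,0x76,0xe0,0xf9,0x3c,0x80,0xfe,0x71,0x22,0x61,0x84,0x1e,0x54,0x63,0x15,0xcb,0x56,0xc1,0x7c,0x19,0xfb,0x2d,0x5e,0xdb,0x84,0x72,0x60,0xfd,0x33,0x8f,0xdc,0xec,0xb0,0x96,0xe2,0x6a,0x56,0x60,0x30,0x82,0xa5,0x8f,0x5b,0x1f,0xb0,0xff,0xb7,0xfc,0x8f,0xaa,0xc3,0x35,0x89,0xec,0x52,0xed,0x02,0x25,0x6a,0xba,0x88,0xb2,0xc2,0x83,0x64,0x33,0xa5,0xd1,0x46,0xc6,0xef,0xe7,0x84,0xd4,0x7d,0xa7,0xa7,0xff,0xc4,0x25,0x6f,0x3d,0xce,0x73,0x31,0x4c,0x01,0x71,0xf8,0x9e,0x9a,0x4f,0x6a,0x95,0xf5,0x9e,0x84,0x60,0xd2,0xb6,0x5f,0xe1,0x78,0xda,0xba,0x5f,0xaf,0x8d,0x34,0xd9,0x9e,0x32,0xa5,0x0a,0xef,0xbb,0xb7,0xed,0x9c,0x95,0x07,0x76,0x59,0x58,0x87,0x0d,0xd2,0xe1,0x83,0x6f,0xe6,0x08,0x21,0x5c,0xa7
    ,0x53,0xa7,0x12,0x5f,0x3c,0xb8,0x6a,0xc3,0x2d,0x11,0x49,0xcf,0x2a,0x14,0x4b,0x87,0x3f,0xc7,0xa9,0x69,0x14,0xd3,0x76,0xed,0x2f,0xe8,0x8d,0x36,0xa6,0x09,0x59,0x6a,0x68,0xd8,0xbb,0x76,0xe7,0x1d,0x1b,0x81,0xa8,0xdb,0x36,0x18,0x27,0x1f,0x00,0x2f,0xf6,0xfb,0x58,0x15,0xcb,0x56,0xc1,0x7d,0x19,0xfb,0x2d,0x5e,0xdb,0x84,0x72,0xb7,0x2d,0x65,0x7a,0xbc,0x1a,0x3c,0x21,0x33,0xfa,0x45,0xfd,0x83,0x4d,0x28,0xfc,0xe3,0xb5,0xbd,0xd8,0xf1,0x11,0xbf,0xa6,0x13,0x86,0xa3,0x06,0xaa,0x74,0x59,0x8e,0xa6,0xe5,0x02,0x2f,0x4a,0xac,0x8d,0x9a,0xcd,0x44,0x2c,0x44,0x46,0x5e,0xb3,0x34,0xc2,0x6d,0x06,0x0d,0xfc,0x8f,0x4f,0x59,0xc1,0x3f,0x32,0x25,0xa5,0xea,0x11,0x1f,0x9e,0x3e,0x9e,0xf4,0xc7,0x5f,0x40,0xb8,0x5c,0x43,0xdb,0xdd,0x5d,0x30,0x97,0x0c,0xde,0x50,0x7c,0xd9,0x6f,0xa6,0xa8,0x89,0x70,0xe2,0x3c,0x1d,0xc1,0xcb,0x9a,0x1e,0xab,0x2f,0x4c,0xc1,0x64,0x44,0x22,0x6a,0xff,0x6c,0x49,0xdd,0x13,0xe0,0x30,0x24,0x0e,0xa3,0x22,0x67,0xa1,0x69,0x9b,0x5b,0x8c,0x83,0xd0,0x5c,0x1c,0xc2,0x57,0xf5,0x02,0x8d,0x64,0x9e,0x2b,0x58,0xd9,0x6a,0x1f,0x59,0xfc,0xd4,0x2f,0x02,0x71,0x79,0xe7,0x40,0x0f,0x2c,0x64,0xc3,0x06,0x3a,0xe1,0xf9,0xc4,0x96,0xec,0x01,0x9e,0xba,0x12,0xcb,0x56,0xc1,0x72,0x19,0xfa,0x2d };
    unsigned __int32 pos = 0;
    // `<` rather than `!=`: a record whose length overshoots the end of msg
    // would otherwise step past sizeof(msg) and loop forever.
    while (pos < sizeof(msg)) {
        pos = decryptData(msg, pos);
    }
    return 0;
}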

之后我们大致可以整理出对应的数据如下:

指令信息 数据信息 信息解析
[1,0,34] [0xd5,0x2d,0x1d,0x6b,0x16,0x93,0x16,0x4a,0x13,0x31,0x6a,0x33,
0xbe,0x05,0xbc,0x1c,0x4a,0x20,0x29,0xb9,0xef,0xbf,0x96,0xdc,
0x91,0x7d,0xa5,0x05,0x6d,0x3e,0xe4,0x6c,0x2b,0x08]
Hello, this is the remote server.
[2,1,24] [0x11,0xfd,0x38,0x2b,0xc3,0xeb,0x73,0x90,0x37,0xf7,0xdf,0xa4,
0xb0,0xca,0x55,0x3f,0x4d,0xc6,0x7f,0x81,0xb7,0x1b,0x7f,0x92]
Your input is incorrect
[2,2,40] [0x7c,0x85,0x26,0xcc,0x3d,0x63,0x83,0xbb,0xcf,0x01,0x59,0x59,
0x06,0x48,0x58,0x6e,0x7d,0xd0,0x8b,0x49,0xcc,0x1e,0xe7,0xf5,
0x19,0xec,0x20,0x65,0x92,0x25,0x48,0x42,0xb7,0xf3,0x3d,0x25,
0x64,0x66,0x40,0xab]
Your input is correct , Congratulations
[1,0,27] [0xc0,0x08,0xba,0x6c,0x15,0x33,0x4f,0x76,0x48,0x5d,0x8c,0x17,
0x08,0x2f,0x44,0x68,0xad,0xdb,0xb3,0xa6,0x2d,0x20,0xe7,0x54,
0x10,0x5d,0x10]
Please enter your password
[3,0,0] - 要求输入信息
[2,8,579] 过长,此处省略 发送的 ShellCode
[2,4,160] 过长,此处省略 发送的 ShellCode 数据部分
[2,5,160] 过长,此处省略 发送的 ShellCode 数据部分
[2,6,160] 过长,此处省略 发送的 ShellCode 数据部分
[2,7,160] 过长,此处省略 发送的 ShellCode 数据部分

之后我们找个空的地方(创建一个段信息)把发送的ShellCode写入进去:

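import idc
import ida_bytes  # patch_bytes lives here; the original relied on IDA's console auto-import

# Shellcode carried by the server's [2,8,579] / [2,4..7,160] records, as
# recovered by the decoder above, to be written into a fresh segment so it
# can be disassembled in place.
s = [0xf3,0xf,0x1e,0xfa,0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x30,0x48,0x89,0x7d,0xd8,0xc7,0x45,0xe8,0x0,0x0,0x0,0x0,0xeb,0x4,0x83,0x45,0xe8,0x1,0x8b,0x45,0xe8,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x0,0x85,0xc0,0x75,0xe2,0x83,0x7d,0xe8,0x28,0xf,0x85,0xea,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x89,0xc7,0xe8,0x2e,0x1,0x0,0x0,0xc7,0x45,0xec,0x0,0x0,0x0,0x0,0xeb,0x7e,0x8b,0x45,0xec,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x0,0xc1,0xf8,0x10,0x89,0x45,0xf8,0x8b,0x45,0xec,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x0,0x25,0xff,0xff,0x0,0x0,0x89,0x45,0xfc,0x8b,0x45,0xec,0x5,0x58,0x2,0x0,0x0,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x0,0x39,0x45,0xf8,0x75,0x7e,0x8b,0x45,0xec,0x5,0xbc,0x2,0x0,0x0,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x0,0x39,0x45,0xfc,0x75,0x5e,0x83,0x45,0xec,0x1,0x83,0x7d,0xec,0x27,0xf,0x8e,0x78,0xff,0xff,0xff,0xc7,0x45,0xf0,0x0,0x0,0x0,0x0,0xeb,0x3c,0x8b,0x45,0xf0,0x5,0xc8,0x0,0x0,0x0,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x55,0xf0,0x81,0xc2,0x2c,0x1,0x0,0x0,0x48,0x63,0xd2,0x48,0x8d,0xc,0x95,0x0,0x0,0x0,0x0,0x48,0x8b,0x55,0xd8,0x48,0x1,0xca,0x8b,0x0,0x89,0x2,0x83,0x45,0xf0,0x1,0x83,0x7d,0xf0,0x63,0x7e,0xbe,0xeb,0x4e,0x90,0xeb,0x1,0x90,0xc7,0x45,0xf4,0x0,0x0,0x0,0x0,0xeb,0x3a,0x8b,0x45,0xf4,0x83,0xc0,0x64,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xd8,0x48,0x1,0xd0,0x8b,0x55,0xf4,0x81,0xc2,0x2c,0x1,0x0,0x0,0x48,0x63,0xd2,0x48,0x8d,0xc,0x95,0x0,0x0,0x0,0x0,0x48,0x8b,0x55,0xd8,0x48,0x1,0xca,0x8b,0x0,0x89,0x2,0x83,0x45,0xf4,0x1,0x83,0x7d,0xf4,0x63,0x7e,0xc0,0x90,0xc9,0xc3,0xf3,0xf,0x1e,0xfa,0x55,0x48,0x89,0xe5,0x48,0x89,0x7d,0xe8,0xc7,0x45,0xf8,0x0,0x0,0x0,0x0,0xeb,0x4d,0x8b,0x45,0xf8,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xd0,0x8b,0x8,0x8b,
0x45,0xf8,0x5,0x90,0x1,0x0,0x0,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xd0,0x8b,0x10,0x8b,0x45,0xf8,0x48,0x98,0x48,0x8d,0x34,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xf0,0x31,0xca,0x89,0x10,0x83,0x45,0xf8,0x1,0x83,0x7d,0xf8,0x27,0x7e,0xad,0xc7,0x45,0xfc,0x0,0x0,0x0,0x0,0xeb,0x4d,0x8b,0x45,0xfc,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xd0,0x8b,0x8,0x8b,0x45,0xfc,0x5,0xf4,0x1,0x0,0x0,0x48,0x98,0x48,0x8d,0x14,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xd0,0x8b,0x10,0x8b,0x45,0xfc,0x48,0x98,0x48,0x8d,0x34,0x85,0x0,0x0,0x0,0x0,0x48,0x8b,0x45,0xe8,0x48,0x1,0xf0,0x1,0xca,0x89,0x10,0x83,0x45,0xfc,0x1,0x83,0x7d,0xfc,0x27,0x7e,0xad,0x90,0x90,0x5d,0xc3,]

# Start address of the segment created for the shellcode (the write-up uses 0);
# adjust it to wherever the segment was created in your database.
address = 0
ida_bytes.patch_bytes(address, bytes(s))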

之后我们可以看到以下内容:

之后我们根据之前总结的信息表项可以推测出对应的逻辑,我们所输入的内容会写入客户端之前所开辟的一个堆空间中,偏移为 0,而输出信息写入在偏移为 300 的地方,对应提示信息分别保存于偏移 100、200 的空间。

sub_17B则是将我们的输入与偏移为 400和 500 的地方进行加密:

对此我们只需提取对应不同偏移处的数据即可进行逆向。

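# Values read out of the client's heap buffer after sub_17B ran: a per-character
# XOR key, an additive key, and the two 16-bit halves of each transformed input
# character (the 400/500 offsets mentioned in the analysis above).
xorkey = [573039632, 2068632126, 717331104, 414644155, 1516244536, 2049100586, 919112284, 1370927355, 1688461516, 296738990, 30793177, 1104738666, 1002227121, 81432144, 1583270004, 2054573071, 783479672, 1266338941, 1034668768, 558606240, 547807159, 256262942, 2127993155, 914948707, 488709952, 1073398467, 406513095, 848785473, 822400734, 2034231750, 1267232331, 1395440366, 1955380228, 1984563435, 1810084521, 1324141116, 1886180373, 581713157, 547584824, 1427158242]
addkey = [89, 51, 10, 46, 33, 25, 64, 84, 66, 82, 16, 74, 56, 88, 37, 52, 25, 97, 37, 86, 49, 8, 74, 31, 9, 21, 21, 77, 38, 49, 65, 79, 52, 75, 78, 37, 53, 42, 22, 19]
low = [8743, 31564, 10945, 6326, 23136, 31266, 14024, 20918, 25763, 4527, 469, 16856, 15292, 1242, 24158, 31350, 11954, 19322, 15787, 8523, 8358, 3910, 32470, 13961, 7457, 16378, 6202, 12951, 12548, 31039, 19336, 21292, 29836, 30282, 27619, 20204, 28780, 8876, 8355, 21776]
high = [58541, 53938, 39677, 63526, 3725, 52101, 35431, 45346, 57600, 57651, 56735, 63913, 50623, 36538, 51299, 19566, 62266, 52393, 51893, 43051, 57293, 17203, 39276, 557, 7991, 49930, 58802, 28801, 54990, 59941, 28234, 47914, 48281, 2307, 45846, 51758, 54414, 15766, 31583, 46258]


def recover_flag(xorkey, addkey, low, high):
    """Invert the client's per-character transform and rebuild the input string.

    For each position the 32-bit value is reassembled with ``high & 0xffff`` in
    the low half and ``low`` shifted into the upper half (the array names follow
    the original script, not the bit position), then the additive key is
    subtracted and the XOR key applied; the result is taken as a code point.

    Args:
        xorkey, addkey, low, high: integer sequences of equal length, one entry
            per character of the original input.

    Returns:
        The recovered string, one character per position.
    """
    chars = []
    for x_k, a_k, lo, hi in zip(xorkey, addkey, low, high):
        value = (hi & 0xffff) | (lo << 16)
        value -= a_k
        value ^= x_k
        chars.append(chr(value))
    return ''.join(chars)


flag = recover_flag(xorkey, addkey, low, high)
print(flag)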

#DASCTF{5rOV562J5Y5pu+5amn6Zuv2B5aSa5Liq}
