2023-全国智能驾驶测试赛-车联网安全专项赛WP (Re)

中间短暂的拿到了第一名，可惜最后止步12名，www。。。
RRRRust：

• 简单rust逆向
• 首先找到密文，然后找关键逻辑，发现只有一个异或
• 直接脚本解密
  c=‘’
  x=‘e>?d7a411zakf`|e4ec16754c65>a>b4>e3f51’
  for i in range(len(x)):
  c+=chr(ord(x[i])^7)
  print©
• 得到b98c0f366}flag{b3bd61023d129f9e39b4a26
• 调整一下位置即可
• flag{b3bd61023d129f9e39b4a26b98c0f366}

SomethingInIt：

• IDA64打开，发现程序实现了一个双层的vm

• 首先考虑用Inter-pin进行爆破

• 找到关键输入点以及最后的比较代码case 0x28,case0x29：

• 用pin爆破即可，下面为爆破脚本：
  `from pwn import *
  import subprocess
  def run(msg):
  cmd = [
  “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/pin”,
  “-t”, “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/obj-intel64/inscount0.so”,
  “-o”, “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log”,
  “–”,
  “/home/tanggerr/challenge”
  ]
  p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

  p.stdin.write(msg.encode())
  p.stdin.flush()

  output = p.stdout.readline()

  p.terminate()
  return int(read(“/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log”).split(" ")[1])

def read(fname):
with open(fname) as f:
return f.read()

charset = string.printable

l = []
flag = “”
counter = 0

while(True):
max_chr = 0
first_iteration = True
for chr in charset:
tmp = run(flag + chr)
if first_iteration:
max_value = tmp
first_iteration = False
if tmp > max_value:
max_chr = chr
max_value = tmp
break
print(max_chr)
flag += str(max_chr)
print(flag)`

• 大概一个多小时即可爆破出flag
• flag{Is_thi5_VM_THAT_1s_1n_vm_beautiful?!}