2023-全国智能驾驶测试赛-车联网安全专项赛WP (Re)

中间短暂的拿到了第一名,可惜最后止步12名,www。。。
RRRRust

  • 简单rust逆向
  • 首先找到密文,然后找关键逻辑,发现只有一个异或
  • 直接脚本解密
    c=‘’
    x=‘e>?d7a411zakf`|e4ec16754c65>a>b4>e3f51’
    for i in range(len(x)):
    c+=chr(ord(x[i])^7)
    print©
  • 得到b98c0f366}flag{b3bd61023d129f9e39b4a26
  • 调整一下位置即可
  • flag{b3bd61023d129f9e39b4a26b98c0f366}

SomethingInIt:

  • IDA64打开,发现程序实现了一个双层的vm

  • 首先考虑用Inter-pin进行爆破

  • 找到关键输入点以及最后的比较代码case 0x28,case0x29:

  • 用pin爆破即可,下面为爆破脚本:
    `from pwn import *
    import subprocess
    def run(msg):
    cmd = [
    “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/pin”,
    “-t”, “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/obj-intel64/inscount0.so”,
    “-o”, “/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log”,
    “–”,
    “/home/tanggerr/challenge”
    ]
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

    p.stdin.write(msg.encode())
    p.stdin.flush()

    output = p.stdout.readline()

    p.terminate()
    return int(read(“/home/tanggerr/Downloads/pin-3.28-98749-g6643ecee5-gcc-linux/source/tools/ManualExamples/inscount0.log”).split(" ")[1])

def read(fname):
with open(fname) as f:
return f.read()

charset = string.printable

l = []
flag = “”
counter = 0

while(True):
max_chr = 0
first_iteration = True
for chr in charset:
tmp = run(flag + chr)
if first_iteration:
max_value = tmp
first_iteration = False
if tmp > max_value:
max_chr = chr
max_value = tmp
break
print(max_chr)
flag += str(max_chr)
print(flag)`

  • 大概一个多小时即可爆破出flag
  • flag{Is_thi5_VM_THAT_1s_1n_vm_beautiful?!}

你可能感兴趣的:(安全)