SCTF-2014 misc100 writeup (post-match analysis)


[Figure: 4.png]

After downloading the file, `file` reports an ELF32 binary, and `strings` shows that it is packed with UPX:

upx -d snake-final.exe

After unpacking, load it into IDA. Analysis of main shows that it calls signal() to register a number of callback functions:

[Figure: 2.png]

Note in particular the values 38h, 32h, 34h and 36h (ASCII '8', '2', '4', '6'). These are in fact the four game keys that control the snake; here they are registered as signal numbers, which on Linux fall inside the real-time signal range. In this program, however, pressing the corresponding key does not raise the corresponding signal. (Some teams sent the corresponding signals to the process directly, steering the snake indirectly, and won the flag by playing the game.) Further analysis shows that the most important callback is handler. handler contains an "int 3" anti-debugging trick: under normal execution it raises signal 5 (SIGTRAP), whose handler here is nullsub_1, so the trap is effectively ignored. We could therefore also simply nop out the int 3. If you follow the purely static approach of this article, without a debugger, the int 3 can be ignored entirely.

Further analysis shows that handler is an extremely complex function. Rather than wading through it, look for another entry point.

The Strings window shows "Mission complete"; XRef finds this string referenced at sub_80492e0+14c.

Analysis of sub_80492E0:

[Figure: 1.png]

This function is indeed the one that decides whether the game has been won. On success it additionally requires ebx == 3, where ebx is actually the function's incoming argument. The problem is that after it detects success it does not go on to print the flag; it merely calls SetTimer to re-arm the timer signal, and execution flow returns to handler.

Based on what we have so far, look for calls to sub_80492E0 with argument 3. XRef finds only two: 8049941 and 8049ff1. The code at the two sites is in fact identical (after the final analysis, the code following them turns out to be where the flag is printed, but I was stuck here for a long time). Oddly, neither site lies within the bounds IDA recognises for handler. The reason is that IDA takes the stack-canary setup and check of handler as the beginning and end of the function.

Further analysis of handler shows:

[Figure: 3.png]

After 30 pieces of food have been eaten, sub_80492E0(3) is invoked through the C++ exception-handling mechanism.

Take the two xref locations above, pick the second one, and look at the calling code:

[Figure: 4.png]

Since sub_80492e0 contains no flag and only re-arms the timer, the flag is most likely printed by the exception-handling chain. In the code above, another exception is thrown after sub_80492e0 is called. So keep following the code:

[Figure: 5.png]

Note the comparison at 804a039 here: it is the last hurdle in the exception-handling chain before the flag is printed, and it is also the reason that, during debugging, sub_80492E0 reached "Mission complete" but no flag appeared.

[Figure: 6.png]

[Figure: 7.png]

[Figure: 8.png]

Note that one of the loops here is effectively printf of [ebp-50+i] xor 2Ah (2Ah is ASCII '*'). The original post's snippet had a typo, "\7f" (an octal escape) for "\x7f", which corrupted the fourth character; corrected:

import sys
a = '\x7f\x1a\x64\x7f\x78\x44\x5e\x50\x67\x7d\x4e\x5f'
for i in range(0, len(a)):
    # mirror the loop in the binary: emit buf[i] ^ '*'
    sys.stdout.write(chr(ord(a[i]) ^ ord('*')))

This gives: U0NURntzMWdu

That is not all; keep looking further down:

[Figure: 9.png]

[Figure: 10.png]

The flag has two more parts. [ebp-84h] is a value set at the beginning of the handler function (which shows that the exception handling really does live inside handler; IDA's analysis excluded it because of the canary check):

[Figure: 11.png]

The last part of the data is the global data at 804C0C0. All three parts use the same algorithm, and the final decoding gives (base64 is case-sensitive; the case here follows the bytes shown above):

U0NURntzMWduNGxfMXNfZnVubnk6KX0=

echo U0NURntzMWduNGxfMXNfZnVubnk6KX0= | base64 -d

This prints the flag: SCTF{s1gn4l_1s_funny:)}
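The whole decode path, as an added example (Python, not the author's code or part of the original post): the same single-byte XOR is applied to every fragment, the results are joined and base64-decoded, and a small brute force shows that the key can be recovered without reading the loop at all, because only one key turns every fragment into base64 alphabet that decodes to a string starting with the flag prefix. PART1 is the stack buffer dumped in the writeup above (typo corrected); the page does not show the raw bytes of the [ebp-84h] and 804C0C0 fragments, so REST is reconstructed by XOR-ing the remaining characters of the final base64 string with 0x2A, and the fragment boundary between them is not preserved.

```python
import base64
import binascii
import string

# Bytes of the first flag fragment, as read from the stack buffer in the
# writeup above (the original snippet's "\7f" typo corrected to "\x7f").
PART1 = bytes.fromhex("7f1a647f78445e50677d4e5f")

# The page does not show the raw bytes of the other two fragments ([ebp-84h]
# and the global at 804C0C0), only the decoded base64 text. REST is
# reconstructed here by XOR-ing that text with 0x2A so the full pipeline can
# be exercised; it is a reconstruction, not a dump from the binary.
REST = bytes(c ^ 0x2A for c in b"NGxfMXNfZnVubnk6KX0=")

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def xor_decode(blob: bytes, key: int) -> str:
    """Mirror of the printf loop in the binary: emit buf[i] ^ key for each byte."""
    return "".join(chr(b ^ key) for b in blob)


def decode_flag(parts, key: int = 0x2A) -> str:
    """Apply the same single-byte XOR to every fragment, join, base64-decode."""
    encoded = "".join(xor_decode(p, key) for p in parts)
    return base64.b64decode(encoded).decode("ascii")


def recover_key(parts, prefix: str = "SCTF{"):
    """Brute-force the XOR key without reading the loop.

    A candidate key is accepted only if every fragment maps into the base64
    alphabet, the joined text is valid base64, and the plaintext starts with
    the expected flag prefix. Returns (key, flag) or None.
    """
    for key in range(256):
        encoded = "".join(xor_decode(p, key) for p in parts)
        if not set(encoded) <= B64_ALPHABET:
            continue
        try:
            plain = base64.b64decode(encoded, validate=True)
        except binascii.Error:
            continue
        if plain.startswith(prefix.encode()):
            return key, plain.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    print(xor_decode(PART1, 0x2A))        # first fragment, as in the writeup
    print(decode_flag([PART1, REST]))     # full flag with the known key
    print(recover_key([PART1, REST]))     # key found by brute force
```

The alphabet check is what makes the brute force cheap: most wrong keys are rejected before any base64 decoding, and the prefix check removes the few keys that happen to produce valid base64 by chance.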



Postscript:

When I looked at 360's SCTF writeup, the first one published, it only mentioned "Mission complete" and sub_80492e0 and then went straight to the base64 string; I do not know how that great god "saw" it.

This is the first time I have encountered reversing C++ throw/catch. I should really write a simple C++ program with the corresponding constructs and then reverse it to study its structure, in order to find out whether the canary and the exception handling inside handler were placed there deliberately or are just the compiler's way of dealing with it.

Because of the re-entrancy characteristics of signal handling with respect to threads, the exception also involves cross-thread issues, so fully studying the program flow requires understanding a lot of material. Further study is needed.

If you debugged this challenge and followed the exception-handling code, please do not hesitate to enlighten me.

This article is from the "Everything is a Dog" blog; please keep this source: http://cugou.blog.51cto.com/9637775/1589577
