Download - 9447 writeup reverse_rolling
Transcript
![Page 1: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/1.jpg)
Rolling
![Page 2: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/2.jpg)
• Windows 8.1• IDA 6.6
• Kali Linux adm64• EDB ( 動態調適器 )
![Page 3: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/3.jpg)
Libc 6 required• To solve it, add the following line to the sources.list:• deb http://ftp.debian.org/debian sid main
• Then install a new linbc:• apt-get update• apt-get -t sid install libc6-dev
![Page 4: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/4.jpg)
main
![Page 5: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/5.jpg)
4006c7
![Page 6: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/6.jpg)
Call rax?• 轉動態調適• 過 4006c7 直接 F7 進 call rax
• 觀察 1• 參數給 test
![Page 7: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/7.jpg)
• "57 102 108 97 103 115 115 116 97 114 116 119 105 116 104 57", • which is "9flagsstartwith9"
![Page 8: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/8.jpg)
• 觀察二• Start with 9: 參數給 “ 9abc123”• rax 指向另一檢查 function
![Page 9: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/9.jpg)
![Page 10: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/10.jpg)
![Page 11: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/11.jpg)
結論• 開頭是 9447• 接下來 ith char 都 relate 到 (i-4)th char• 用 (i-4)th char + {offset}• Offsets: +57 +59 +56 +53 -9 -1 -5 -3 +10 -8 +14 +5• => flag is: “9447{9447rollingisfun}”
![Page 12: 9447 writeup reverse_rolling](https://reader036.vdocuments.pub/reader036/viewer/2022062523/58f212061a28ab7c5a8b45f9/html5/thumbnails/12.jpg)
Ref.• http://theevilbit.blogspot.tw/2014/12/9447-ctf-2014-writeup-reversi
ng-125100.html