roaris / ctf-log


CakeCTF 2022 : nimrev #75

Open roaris opened 1 month ago

roaris commented 1 month ago

https://alpacahack.com/challenges/nimrev

roaris commented 1 month ago
$ file chall
chall: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=7d489f42d4feb5f1b402f276543f3046dfed5ab4, for GNU/Linux 3.2.0, not stripped

$ ./chall
test
Wrong...
roaris commented 1 month ago

I don't think this is the intended approach, but I solved it anyway.

Debugging with gdb shows that a function named NimMainModule looks important. Looking at NimMainModule in IDA, there is a call eqStrings, which is presumably where the input string is checked.
[image]

The input string is read by call readLine_systemZio_271, and the address of the input string is stored at rbp-0x40.
[image]

rbp-0x40 is one of the arguments to eqStrings. Between call readLine_systemZio_271 and call eqStrings there is no processing that modifies the input string, so checking rbp-0x28, which is compared against rbp-0x40, should reveal the flag.

roaris commented 1 month ago

Set a breakpoint on call eqStrings and inspect the string being compared against. I gave abcdefghijklmnopqrstuvwxyz as the input string.

$ gdb -q chall
Reading symbols from chall...
(No debugging symbols found in chall)
gdb-peda$ b *(NimMainModule+0x1cb)
Breakpoint 1 at 0xafc6
gdb-peda$ r
Starting program: /home/roaris/alpacahack/nimrev/chall
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
abcdefghijklmnopqrstuvwxyz
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7d57050 --> 0x1a
RBX: 0x7fffffffe088 --> 0x7fffffffe32f ("/home/roaris/alpacahack/nimrev/chall")
RCX: 0x7ffff7d5957d --> 0x0
RDX: 0x7ffff7d580d0 --> 0x18
RSI: 0x7ffff7d580d0 --> 0x18
RDI: 0x7ffff7d57050 --> 0x1a
RBP: 0x7fffffffdf10 --> 0x7fffffffdf20 --> 0x7fffffffdf40 --> 0x7fffffffdf70 --> 0x1
RSP: 0x7fffffffded0 --> 0x7ffff7d57050 --> 0x1a
RIP: 0x55555555efc6 (<NimMainModule+459>:       call   0x55555555ec46 <eqStrings>)
R8 : 0x5555555762bb --> 0x0
R9 : 0x410
R10: 0x1000
R11: 0x246
R12: 0x0
R13: 0x7fffffffe098 --> 0x7fffffffe354 ("HOSTTYPE=x86_64")
R14: 0x0
R15: 0x7ffff7ffd000 --> 0x7ffff7ffe2d0 --> 0x555555554000 --> 0x10102464c457f
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x55555555efbc <NimMainModule+449>:  mov    rax,QWORD PTR [rbp-0x40]
   0x55555555efc0 <NimMainModule+453>:  mov    rsi,rdx
   0x55555555efc3 <NimMainModule+456>:  mov    rdi,rax
=> 0x55555555efc6 <NimMainModule+459>:  call   0x55555555ec46 <eqStrings>
   0x55555555efcb <NimMainModule+464>:  xor    eax,0x1
   0x55555555efce <NimMainModule+467>:  test   al,al
   0x55555555efd0 <NimMainModule+469>:  jne    0x55555555efe4 <NimMainModule+489>
   0x55555555efd2 <NimMainModule+471>:  lea    rdi,[rip+0x16e7]        # 0x5555555606c0 <TM__V45tF8B8NBcxFcjfe7lhBw_4>
Guessed arguments:
arg[0]: 0x7ffff7d57050 --> 0x1a
arg[1]: 0x7ffff7d580d0 --> 0x18
arg[2]: 0x7ffff7d580d0 --> 0x18
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffded0 --> 0x7ffff7d57050 --> 0x1a
0008| 0x7fffffffded8 --> 0x7ffff7d58050 --> 0x18
0016| 0x7fffffffdee0 --> 0x7ffff7d58090 --> 0x18
0024| 0x7fffffffdee8 --> 0x7ffff7d580d0 --> 0x18
0032| 0x7fffffffdef0 --> 0x55555555eba3 (<colonanonymous__main_7>:      endbr64)
0040| 0x7fffffffdef8 --> 0x0
0048| 0x7fffffffdf00 --> 0x0
0056| 0x7fffffffdf08 --> 0x892a42c22428aa00
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x000055555555efc6 in NimMainModule ()
gdb-peda$ x/50bx $rdi
0x7ffff7d57050: 0x1a    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d57058: 0x50    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d57060: 0x61    0x62    0x63    0x64    0x65    0x66    0x67    0x68
0x7ffff7d57068: 0x69    0x6a    0x6b    0x6c    0x6d    0x6e    0x6f    0x70
0x7ffff7d57070: 0x71    0x72    0x73    0x74    0x75    0x76    0x77    0x78
0x7ffff7d57078: 0x79    0x7a    0x00    0x00    0x0a    0x0a    0x0a    0x0a
0x7ffff7d57080: 0x0a    0x0a
gdb-peda$ x/50bx $rsi
0x7ffff7d580d0: 0x18    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d580d8: 0x1c    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d580e0: 0x43    0x61    0x6b    0x65    0x43    0x54    0x46    0x7b
0x7ffff7d580e8: 0x73    0x30    0x6d    0x33    0x74    0x31    0x6d    0x33
0x7ffff7d580f0: 0x73    0x5f    0x6e    0x30    0x74    0x5f    0x43    0x7d
0x7ffff7d580f8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d58100: 0x00    0x00

The input string starts at rbp-0x30, not rbp-0x40, and I don't understand why. The bytes from 0x43 onward in the output of x/50bx $rsi appear to be the flag, so I recovered the flag with the following:

# flag bytes copied from the x/50bx $rsi dump, starting at 0x7ffff7d580e0
l = [0x43, 0x61, 0x6b, 0x65, 0x43, 0x54, 0x46, 0x7b, 0x73, 0x30, 0x6d, 0x33, 0x74, 0x31, 0x6d, 0x33, 0x73, 0x5f, 0x6e, 0x30, 0x74, 0x5f, 0x43, 0x7d]
flag = ''.join(chr(x) for x in l)
print(flag)
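The two x/50bx dumps above are classic Nim string objects: an 8-byte length, an 8-byte reserved/capacity field, then the character data, which is why the text begins 0x10 bytes past the address held in rdi/rsi. The following is an added example (not part of the issue or the challenge), which parses gdb x/Nbx output into bytes, decodes that layout, and mirrors the length-then-bytes comparison that eqStrings performs. The dumps are copied from the session above; the function names and the simplified comparison are my own.

```python
import re
import struct
from typing import Dict, Tuple

# Constructed sample input: the x/50bx dumps from the gdb session above.
RDI_DUMP = """
0x7ffff7d57050: 0x1a    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d57058: 0x50    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d57060: 0x61    0x62    0x63    0x64    0x65    0x66    0x67    0x68
0x7ffff7d57068: 0x69    0x6a    0x6b    0x6c    0x6d    0x6e    0x6f    0x70
0x7ffff7d57070: 0x71    0x72    0x73    0x74    0x75    0x76    0x77    0x78
0x7ffff7d57078: 0x79    0x7a    0x00    0x00    0x0a    0x0a    0x0a    0x0a
0x7ffff7d57080: 0x0a    0x0a
"""

RSI_DUMP = """
0x7ffff7d580d0: 0x18    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d580d8: 0x1c    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d580e0: 0x43    0x61    0x6b    0x65    0x43    0x54    0x46    0x7b
0x7ffff7d580e8: 0x73    0x30    0x6d    0x33    0x74    0x31    0x6d    0x33
0x7ffff7d580f0: 0x73    0x5f    0x6e    0x30    0x74    0x5f    0x43    0x7d
0x7ffff7d580f8: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00
0x7ffff7d58100: 0x00    0x00
"""

_LINE = re.compile(r"\s*0x([0-9a-fA-F]+):\s+(.*?)\s*$")


def parse_gdb_bytes(dump: str) -> Tuple[int, bytes]:
    """Turn gdb `x/Nbx` output into (base_address, bytes) in address order.

    Raises ValueError if the lines are not contiguous, so a dump with a
    missing or reordered line is rejected instead of silently misdecoded.
    """
    base = None
    out = bytearray()
    for line in dump.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        if addr != base + len(out):
            raise ValueError("non-contiguous dump at 0x%x" % addr)
        out += bytes(int(tok, 16) for tok in m.group(2).split())
    if base is None:
        raise ValueError("no x/bx lines found")
    return base, bytes(out)


def decode_nim_string(raw: bytes) -> Dict[str, object]:
    """Decode a classic Nim string object (refc runtime): int64 len, int64 reserved, data[len]."""
    if len(raw) < 16:
        raise ValueError("need at least the 16-byte header")
    length, reserved = struct.unpack_from("<qq", raw, 0)
    data = raw[16:16 + length]
    if len(data) != length:
        raise ValueError("dump too short for declared length %d" % length)
    return {"len": length, "reserved": reserved, "data": data}


def nim_eq_strings(a: Dict[str, object], b: Dict[str, object]) -> bool:
    """Simplified model of Nim's eqStrings: lengths must match, then the bytes."""
    return a["len"] == b["len"] and a["data"] == b["data"]


def recover_flag(rsi_dump: str = RSI_DUMP) -> str:
    """The second eqStrings argument is the expected string; decode it as text."""
    _, raw = parse_gdb_bytes(rsi_dump)
    return decode_nim_string(raw)["data"].decode("ascii")


if __name__ == "__main__":
    user = decode_nim_string(parse_gdb_bytes(RDI_DUMP)[1])
    expected = decode_nim_string(parse_gdb_bytes(RSI_DUMP)[1])
    print("input   :", user["data"], "len", user["len"], "reserved", hex(user["reserved"]))
    print("expected:", expected["data"], "len", expected["len"], "reserved", hex(expected["reserved"]))
    print("eqStrings would return", nim_eq_strings(user, expected))
    print("flag:", recover_flag())
```

Run it directly and it prints both decoded strings, shows that the 26-byte input can never equal the 24-byte expected string (the length check fails before any bytes are compared), and recovers the flag from the header-relative offset rather than from a hand-copied byte list.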
roaris commented 1 month ago

The program appears to be written in Nim. Source code: https://github.com/theoremoon/cakectf2022-public/blob/master/rev/nimrev/challenge/main.nim