Ghidra勉強会に参加した時の記録
Table of Contents
Seccamp事前課題(6_bin)
main関数の解読
- これの中にある6_binの解析をする
- 0x001013c1からの関数が
main- entryから呼び出しているので
- 逆アセンブル結果
undefined8 FUN_001013c1(int param_1,undefined8 *param_2)
{
undefined *__s2;
int iVar1;
char *__s1;
undefined local_138 [272];
void *local_28;
size_t local_20;
if (param_1 < 2) {
printf("Usage: %s <plaintext>",*param_2);
/* WARNING: Subroutine does not return */
exit(1);
}
puts((char *)param_2[1]);
local_20 = strlen((char *)param_2[1]);
local_28 = malloc(local_20);
FUN_00101195(local_138,"seccamp2020",DAT_00104060 & 0xffffffff,0x3b);
__s2 = PTR_DAT_00104068;
__s1 = (char *)FUN_00101285(local_138,param_2[1],local_28,local_20);
iVar1 = strcmp(__s1,__s2);
if (iVar1 == 0) {
puts("Correct!");
}
else {
puts("Wrong...");
}
free(local_28);
return 0;
}
- 読みやすくするために変数等を再命名
lで変数名の変更Ctrl-lで変数の型の変更
int main(int argc,char *argv)
{
undefined *__s2;
int iVar1;
char *__s1;
undefined local_138 [272];
void *buf;
size_t size;
if (argc < 2) {
printf("Usage: %s <plaintext>",*(undefined8 *)argv);
/* WARNING: Subroutine does not return */
exit(1);
}
puts(*(char **)(argv + 8));
size = strlen(*(char **)(argv + 8));
buf = malloc(size);
FUN_00101195(local_138,"seccamp2020",DAT_00104060 & 0xffffffff,0x3b);
__s2 = PTR_DAT_00104068;
__s1 = (char *)FUN_00101285(local_138,*(undefined8 *)(argv + 8),buf,size);
iVar1 = strcmp(__s1,__s2);
if (iVar1 == 0) {
puts("Correct!");
}
else {
puts("Wrong...");
}
free(buf);
return 0;
}
FUN_00101195の調査
- 途中で呼ばれている
FUN_00101195の中身を見る
void FUN_00101195(long param_1,long param_2,int param_3,char param_4)
{
undefined uVar1;
int local_14;
uint local_10;
int local_c;
*(undefined4 *)(param_1 + 0x100) = 0;
*(undefined4 *)(param_1 + 0x104) = 0;
local_c = 0;
while (local_c < 0x100) {
*(char *)(param_1 + local_c) = param_4 + (char)local_c;
local_c = local_c + 1;
}
local_10 = 0;
local_14 = 0;
while (local_14 < 0x41) {
local_10 = (int)*(char *)(param_2 + local_14 % param_3) +
(int)*(char *)(param_1 + local_14) + local_10 & 0xff;
uVar1 = *(undefined *)(param_1 + local_14);
*(undefined *)(param_1 + local_14) = *(undefined *)(param_1 + (int)local_10);
*(undefined *)(param_1 + (int)local_10) = uVar1;
local_14 = local_14 + 1;
}
return;
}
- 読みやすくするために再命名
*(undefined4 *)(param_1 + 0x100) = 0;や*(undefined4 *)(param_1 + 0x104) = 0;が構造体アクセスっぽいparam1に対してauto Create Structureを実施- Edit Data Typeで修正
- サイズ等はアセンブリを読めば分かる
- char[0x100], int, int
- local_10とlocal_14は変数として使ってるっぽいので, iとjと命名
- whileの中の処理は, swap(str[i], str[j])っぽい
void FUN_00101195(CTX *ctx,char *seccamp2020,int 11,char offset)
{
int j;
uint i;
int idx;
char tmp;
ctx->i = 0;
ctx->j = 0;
idx = 0;
while (idx < 0x100) {
/* offset is ; */
ctx->S[idx] = offset + (char)idx;
idx = idx + 1;
}
i = 0;
/* loop 64 times */
j = 0;
while (j < 0x41) {
i = (int)seccamp2020[j % 11] + (int)ctx->S[j] + i & 0xff;
/* swap(S[j], S[i]); */
tmp = ctx->S[j];
ctx->S[j] = ctx->S[(int)i];
ctx->S[(int)i] = tmp;
j = j + 1;
}
return;
}
FUN_00101285の調査
- もう一方のFUN_00101285も調査して変更
char * FUN_00101285(CTX *ctx,long input,char *buf,ulong len)
{
int idx;
uint j;
uint i;
char tmp;
i = ctx->i;
j = ctx->j;
if (buf == (char *)0x0) {
/* WARNING: Subroutine does not return */
exit(1);
}
idx = 0;
while ((ulong)(long)idx < len) {
i = i + 1 & 0xff;
j = j + (int)ctx->S[(int)i] & 0xff;
/* swap(S[i], S[j]) */
tmp = ctx->S[(int)i];
ctx->S[(int)i] = ctx->S[(int)j];
ctx->S[(int)j] = tmp;
buf[idx] = *(byte *)(input + idx) ^
ctx->S[(int)((int)ctx->S[(int)j] + (int)ctx->S[(int)i] & 0xff)];
idx = idx + 1;
}
ctx->i = i;
ctx->j = j;
return buf;
}
- xorを取っているので, RC4の亜種っぽい
- 純粋なRC4との違いは, swap前のadd処理
- そのため, よくあるRC4を多少編集すれば良い
rev用スクリプト作成
#@author
#@tags _NEW_
#@keybinding
#@menupath
#@toolbar
def init(key,size,offset):
idx = 0
S = [0] * 0x100
while idx < 0x100:
S[idx] = (ord(offset) + idx) % 0x100
idx += 1
print(S)
i=0
j=0
while j<0x41:
i = (key[j%size] + S[j] + i) & 0xff
S[i], S[j] = S[j], S[i]
j += 1
return S
def encrypt(enc, size, S):
i = 0
j = 0
buf = ""
idx = 0
while idx < size:
i = (i + 1) & 0xff
j = (j + S[i]) & 0xff
S[j], S[i] = S[i], S[j]
buf += chr(enc[idx] ^ S[(S[j] + S[i]) & 0xff])
idx += 1
return buf
def main():
key = bytearray(getBytes(toAddr(0x00102008), 11))
enc = bytearray(getBytes(toAddr(0x00102014), 16))
S = init(key, 11, ';')
dec = encrypt(enc, 16, S)
print(dec)
main()
結果
- 結果
S3CC4MP_R3V_l01
solve.py> Running...
[59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
S3CC4MP_R3V_l01¬
solve.py> Finished!