6.2.5 re PicoCTF2014 Baleful

题目解析
- 使用 Pin 求解

经过简单地检查，我们发现二进制文件被加了壳，使用 upx 脱掉就好了。

运行下看看，典型的密码验证题：


Please enter your password: ABCD
Sorry, wrong password!

打开 r2 开干吧！

[0x08048540]> pdf @ main
/ (fcn) main 96
|   main ();
|           ; var int local_8h @ ebp-0x8
|           ; var int local_10h @ esp+0x10
|           ; var int local_8ch @ esp+0x8c
|           ; DATA XREF from entry0 (0x8048557)
|           0x08049c82      push ebp
|           0x08049c83      mov ebp, esp
|           0x08049c85      push edi
|           0x08049c86      push ebx
|           0x08049c87      and esp, 0xfffffff0
|           0x08049c8a      sub esp, 0x90
|           0x08049c90      mov eax, dword gs:[0x14]                   ; [0x14:4]=-1 ; 20
|           0x08049c96      mov dword [local_8ch], eax
|           0x08049c9d      xor eax, eax
|           0x08049c9f      lea eax, [local_10h]                       ; 0x10 ; 16
|           0x08049ca5      mov eax, 0
|           0x08049caa      mov edx, 0x1f                              ; 31
|           0x08049caf      mov edi, ebx
|           0x08049cb1      mov ecx, edx
|           0x08049cb3      rep stosd dword es:[edi], eax
|           0x08049cb9      mov dword [esp], eax
|           0x08049cbc      call fcn.0804898b
|           0x08049cc1      mov eax, 0
|           0x08049cc6      mov edx, dword [local_8ch]                 ; [0x8c:4]=-1 ; 140
|           0x08049ccd      xor edx, dword gs:[0x14]
|       ,=< 0x08049cd4      je 0x8049cdb
|       |   0x08049cd6      call sym.imp.__stack_chk_fail              ; void __stack_chk_fail(void)
|       |   ; CODE XREF from main (0x8049cd4)
|       `-> 0x08049cdb      lea esp, [local_8h]
|           0x08049cde      pop ebx
|           0x08049cdf      pop edi
|           0x08049ce0      pop ebp
\           0x08049ce1      ret

使用 Pin 求解

就像上面那样逆向实在是太难了，不如 Pin 的黑科技。

编译 32 位 pintool：

随便输入几个长度不同的密码试试：

[ManualExamples]$ echo "A" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 437603
[ManualExamples]$ echo "AA" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 438397
[ManualExamples]$ echo "AAA" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 439191

794
794

Please enter your password: Sorry, wrong password!
count:  459041
diff:  794
Please enter your password: Sorry, wrong password!
count:  459835
diff:  794
Please enter your password: Sorry, wrong password!
count:  508273
diff:  48438
length of password:  30

好，密码长度为 30，接下来是逐字符爆破，首先要确定字符不同对 count 没有影响：

[ManualExamples]$ echo "A" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 437603
[ManualExamples]$ echo "b" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 437603
[ManualExamples]$ echo "_" | ../../../pin -t obj-ia32/inscount0.so -o inscount.out -- ~/baleful_unpack ; cat inscount.out
Please enter your password: Sorry, wrong password!
Count 437603

确实没有，写下脚本：

packers_and_vms_and_xors_oh_mx
Please enter your password: Sorry, wrong password!
count:  507925
packers_and_vms_and_xors_oh_my
Please enter your password: Congratulations!

简单到想哭。

参考资料

Pico CTF 2014 : Baleful