Simple Reverse 0x08(Lab - GetProcAddress)

Simple Reverse 0x08(Lab - GetProcAddress)

Background

用到的 Win32 API:GetModuleFileNameA、CreateFileA、SetFilePointer、ReadFile(反組譯中都是透過函式指標呼叫,對應標題的自訂 GetProcAddress,而不是一般的 import table)

Source Code

:::spoiler IDA main function

/*
 * IDA pseudocode of the crackme's main(): reads a 39-character guess, opens
 * the running executable by its own path, reads 39 bytes from file offset
 * 0x4E of that image, and accepts the guess only if guess[j] ^ image[j]
 * matches a stride-8 byte table.  The Win32 routines are reached through
 * resolved pointers (the lab's "customized GetProcAddress"), which is why
 * every call below is written as (ptr)(...) rather than a direct import.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  __int64 i; // rcx
  char v6[32]; // [rsp+0h] [rbp-40h] BYREF
  char v7; // [rsp+40h] [rbp+0h] BYREF
  char lpFilename[304]; // [rsp+50h] [rbp+10h] BYREF
  char lpBuffer[136]; // [rsp+180h] [rbp+140h] BYREF
  char flag[64]; // [rsp+208h] [rbp+1C8h] BYREF
  __int64 File_HANDLE_VALUE; // [rsp+248h] [rbp+208h]
  int j; // [rsp+264h] [rbp+224h]

  /* Looks like the MSVC debug-build 0xCC stack fill (146 * 4 bytes from &v7);
   * a decompiler artifact, not part of the check logic. */
  v3 = &v7;
  for ( i = 146i64; i; --i )
  {
    *v3 = 0xCCCCCCCC;
    v3 += 4;
  }
  /* Unresolved helpers; presumably CRT / runtime-check setup -- not analysed here. */
  sub_140011375(&unk_1400230B5);
  sub_1400113AC();
  printf("Give me flag: ");
  scanf("%39s", flag);  /* bounded: at most 39 chars + NUL into flag[64] */
  /* Path of the running image, then open it read-only (0x80000000 == GENERIC_READ). */
  (GetModuleFileNameA_0)(0i64, lpFilename, 260i64);
  File_HANDLE_VALUE = (CreateFileA)(
                        lpFilename,
                        0x80000000i64,
                        FILE_SHARE_READ,
                        0i64,
                        OPEN_EXISTING,
                        FILE_ATTRIBUTE_NORMAL,
                        0i64);
  /* Seek to offset 0x4E of the EXE and read 39 bytes of it into lpBuffer.
   * Per the exploit below these bytes are the DOS-stub text
   * "This program cannot be run in DOS mode.".  Only ReadFile's BOOL result
   * is checked and the byte-count pointer is NULL, so a short read would go
   * unnoticed; an invalid handle or a failed read both fall into LABEL_11. */
  if ( File_HANDLE_VALUE == -1
    || ((SetFilePointer)(File_HANDLE_VALUE, 0x4Ei64, 0i64, FILE_BEGIN),
        !(ReadFile)(File_HANDLE_VALUE, lpBuffer, 39i64, 0i64, 0i64)) )
  {
LABEL_11:
    puts("Wrong...");
  }
  else
  {
    /* Key comparison: flag[j] ^ EXE[0x4E + j] must equal the table byte at
     * index 8*j (the table is stored with a stride of 8 bytes per entry). */
    for ( j = 0; j < 39; ++j )
    {
      if ( (flag[j] ^ lpBuffer[j]) != byte_14001E000[8 * j] )
        goto LABEL_11;
    }
    puts("Correct!!!");
  }
  /* Unresolved epilogue helper; note File_HANDLE_VALUE is never closed on any path. */
  sub_140011311(v6, &unk_14001BB18);
  return 0;
}

:::

Recon

這一題一樣,如果只是以解題為目的的話其實很簡單,但還是想提到一個重要的主題,也就是 PEB(自訂 GetProcAddress 就是靠它走 Ldr 找到 export)。不過我覺得與其用 IDA 一個一個分析,不如直接用 x64dbg 跑一遍,就能知道每個 API 被解析到哪個 address,會比較方便;雖然不排除有些方式可以繞過或混淆這種動態觀察,但…有遇到再說吧,之後再還債!

  1. 先執行看看,看有沒有甚麼string可以在IDA中trace
  2. 找到main function後轉而用x64dbg,並且找到main function entry address,然後設定breakpoint,並且trace code
  3. 如果遇到x64dbg中顯示一些import dll function,可以對照IDA並且rename,這樣大概就可以用IDA的反組譯的方式查看整體的流程
  4. 看到main function最下面的else$\to$if statement,再看回去x64dbg就可以知道byte_14001e000的那些char是哪些;另外注意lpBuffer是程式從「自己的執行檔」offset 0x4E讀出的39 bytes,也就是DOS stub裡的"This program cannot be run in DOS mode."字串(對應下面script的str2)
  5. 開寫script

Exploit

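# byte_14001E000[8*j] for j in 0..38: the expected value of flag[j] ^ str2[j].
str1 = [0x12, 0x24, 0x28, 0x34, 0x5B, 0x3A, 0x07, 0x1C, 0x13, 0x2D, 0x00, 0x32, 0x43,
        0x16, 0x12, 0x1A, 0x01, 0x02, 0x1D, 0x5A, 0x07, 0x01, 0x7F, 0x35, 0x10, 0x1A,
        0x70, 0x1B, 0x01, 0x43, 0x05, 0x2B, 0x37, 0x52, 0x08, 0x1C, 0x17, 0x44, 0x53]
# The 39 bytes the binary reads from its own image at file offset 0x4E:
# b"This program cannot be run in DOS mode." (the PE DOS-stub message).
str2 = [0x54, 0x68, 0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20,
        0x63, 0x61, 0x6E, 0x6E, 0x6F, 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E,
        0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20, 0x6D, 0x6F, 0x64, 0x65, 0x2E]


def xor_decode(table, key):
    """Return the flag: each table byte XORed with the matching key byte.

    Both arguments are equal-length sequences of ints in 0..255.  The XOR
    results are assembled into a bytes object and decoded as UTF-8.  The
    original script formatted each result with '{:x}' and fed it to
    bytes.fromhex(); any result below 0x10 produces a one-digit (odd-length)
    hex string and raises ValueError, so bytes() is used instead.

    Raises ValueError if the two sequences differ in length (zip() would
    otherwise silently truncate the output).
    """
    if len(table) != len(key):
        raise ValueError("table and key must have the same length")
    return bytes(t ^ k for t, k in zip(table, key)).decode("utf-8")


# Kept as a list of one-character strings, as in the original script.
FLAG = list(xor_decode(str1, str2))

print("".join(FLAG))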

Flag: FLAG{Just_a_customized_GetProcAddress!}