iT邦幫忙

On the Road to Learning Security - picoCTF Write-ups (Web) 3

10.Some Assembly Required 2

Same as Some Assembly Required 1.

After cleaning it up, the more readable result looks like this:

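(async () => {
  // const edgeId = _0x5c00;  // leftover alias from the obfuscated source, unused here
  // Download the WebAssembly module and instantiate it
  let _0x1adb5f = await fetch("./aD8SvhyVkb");
  let rpm_traffic = await WebAssembly["instantiate"](await _0x1adb5f["arrayBuffer"]());
  let updatedEdgesById = rpm_traffic["instance"];
  // Keep the module's exports (copy_char, check_flag) in a global for the button handler
  exports = updatedEdgesById["exports"];
})();
/**
 * @return {undefined}
 */
function onButtonPress() {
  // const navigatePop = _0x5c00;  // leftover alias from the obfuscated source, unused here
  let params = document["getElementById"]("input")["value"];
  // Pass the input to the wasm module one character at a time
  for (let i = 0; i < params["length"]; i++) {
    exports["copy_char"](params["charCodeAt"](i), i);
  }
  // Terminate the copied string with a NUL byte
  exports["copy_char"](0, params["length"]);
  // The comparison itself happens inside the wasm module
  if (exports["check_flag"]() == 1) {
    document["getElementById"]("result")["innerHTML"] = "Correct";
  } else {
    document["getElementById"]("result")["innerHTML"] = "Incorrect";
  }
}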


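It feels like it is the line below, but for now it is still not right.

Converting the wasm file to a C file still did not work.

Decompile the wasm into a dcmp file.

Looking at check_flag(), we can see it is the result of an XOR with 8.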

export function check_flag():int {
  var a:int = 0;
  var b:int = 1072;
  var c:int = 1024;
  var d:int = strcmp(c, b);
  var e:int = d;
  var f:int = a;
  var g:int = e != f;
  var h:int = -1;
  var i:int = g ^ h;
  var j:int = 1;
  var k:int = i & j;
  return k;
}

Looking at the code above again, we can tell the offset is 1024, which means 8 is XORed with the string "xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00". The flag should be located after offset 1024, so:
data d_xakgKNsnjl909mjn9m0n9088100u(offset: 1024) =
"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00";

Enter the Python environment and run the command.
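The Python step, written out as an added example (it is not the original post's command, which is not preserved on this page): it parses the data-segment literal at offset 1024, cuts it at the NUL terminator, and XORs every byte with 8. Treating a backslash that is not followed by two hex digits as a literal backslash byte is an assumption, and the function names are hypothetical.

```python
import re

# Data-segment literal copied from the decompiled listing on this page (offset 1024).
DATA_LITERAL = r"xakgK\Ns>n;jl90;9:mjn9m<0n9::0::881<00?>u\00\00"
XOR_KEY = 8  # XOR constant named in the write-up

# A backslash followed by two hex digits is one escaped byte (\00 is NUL).
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def literal_to_bytes(literal: str) -> bytes:
    # Turn the decompiler's string literal into raw bytes.
    # Assumption: any backslash NOT followed by two hex digits (the "\N" in
    # this listing) is kept as a literal 0x5c byte.
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def c_string(buf: bytes) -> bytes:
    # Cut at the first NUL, the way strcmp() sees the buffer, so the
    # terminator is never XORed into a bogus trailing character.
    return buf.split(b"\x00", 1)[0]


def xor_bytes(buf: bytes, key: int) -> bytes:
    # XOR with a single-byte key is its own inverse.
    return bytes(b ^ key for b in buf)


def recover_input() -> str:
    # Stored bytes -> the input string that check_flag() accepts.
    stored = c_string(literal_to_bytes(DATA_LITERAL))
    return xor_bytes(stored, XOR_KEY).decode("ascii")


if __name__ == "__main__":
    print(recover_input())
```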

