roger 发表于 2021-3-26 15:07:32

沧海遗珠wp


## Hackover CTF: i-like-to-move-it

----------
## Challenge details
| Contest      | Challenge   | Category| Points |
|:---------------|:--------------|:----------|-------:|
| Hackover CTF | i-like-to-move-it| Reversing | 350|


*Description*

>I like to move it, move it
>I like to move it, move it
>I like to move it, move it
>You like to move it

----------
## Write-up

It's a mov-uscated binary:

Pintool go!

>```python
>#!/usr/bin/python
>
>import string
>from subprocess import Popen, PIPE, STDOUT
>
>
>pinpath = './pin'
>countpath = './source/tools/ManualExamples/obj-ia32/inscount0.so'
>apppath = './move_it'
>
>key = ''
>
>while True:
>    maximum = 0,0
>    for i in string.letters + string.digits + " _-!+":
>                inputtry = key + i
>                cmd =
>                p = Popen(cmd, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
>                stdout = p.communicate(inputtry+'\n' )
>                with open('inscount.out') as f:
>                        f.seek(6)
>                        nb_instructions = int(f.read())
>                        f.close()
>                if nb_instructions > maximum:
>                        maximum = nb_instructions, i
>   key += maximum
>   print key
>```

Running:

>```
>~/pin$ ./pin.py
>t
>tH
>tH1
>tH1s
>tH1sd
>....
>```

After a bit of fidgeting I found that the program expects a "_" to delimit words, but it does not increase the count. Therefor pintool won't find these characters. Add them manually after each word end to continue until:

>```
>$ ./pin.py
>tH1s_I5_FuN
>```

Feeding the program this string changes the output of the program:

>```
>~/pin$ ./move_it
>tH1s_I5_FuN
>Never Gonna Give You Up
>```

After some franatic keyboard mashing:

>```
>~/pin$ ./move_it a
>tH1s_I5_FuN
>hackover15{I_L1k3_t0_m0V3_1t_M0v3_1T_Y0u_L1k3_t0_m0v3_1t}
>```

The flag is:

>```
>hackover15{I_L1k3_t0_m0V3_1t_M0v3_1T_Y0u_L1k3_t0_m0v3_1t}
>```
页: [1]
查看完整版本: 沧海遗珠wp