티스토리 뷰
최종 수정: 2015-11-08
hackability@TenDollar
안녕하세요. Hackability 입니다.
이번에 포스팅 할 내용은 2015 School CTF 의 Reverse 400 문제 입니다.
개인적으로 이번 School CTF 에서 가장 흥미로웠던 문제였습니다.
문제에 HTML과 Javascript 파일을 제공하는데 이 javascript 를 리버싱 하는것이 문제였습니다.
문제 HTML 코드는 다음과 같습니다. (HTML 코드는 별거 없음)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | <html> <head> <title>JSMachine</title> <meta charset="UTF-8"> <script type='text/javascript' src='Machine.js'></script> </head> <body> <h1>Secret key</h1><br/> <h2>Test your luck! Enter valid string and you will know flag!</h2><br/> <input type='text'></input><br/> <br/> <input type='button' onclick="check()" value='Проверить'></button> </body> </html> | cs |
문제의 Javascript 코드는 다음과 같습니다.
| function createRegisters(obj){ obj.registers = []; for(i=0; i < 256; ++i){ obj.registers.push(0); } }; function Machine() { createRegisters(this); this.code = [0] this.PC = 0; this.callstack = []; this.pow = Math.pow(2,32) }; Machine.prototype = { opcodesCount: 16, run: run, loadcode: function(code){this.code = code}, end: function(){this.code=[]} }; function run(){ while(this.PC < this.code.length){ var command = parseCommand.call(this) command.execute(this); } //this.end() } function getOpcodeObject(){ var opNum = (this.code[this.PC] % this.opcodesCount); this.PC += 1; return eval('new Opcode'+opNum); } function parseCommand(){ var opcode = getOpcodeObject.call(this); opcode.consumeArgs(this); return opcode; } var opcCreate = ""; for(i=0;i<16;++i){ opcCreate += "function Opcode"+i+"(){this.args=[]}\n"; } eval(opcCreate); function makeFromImm(obj) { var res = obj.code[obj.PC + 2]; res <<=8; res += obj.code[obj.PC + 1]; res <<=8; res += obj.code[obj.PC]; res <<=8; res += obj.code[obj.PC+3]; res = res >>> 0; return res; } function getRegImm(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = makeFromImm(obj); obj.PC += 4; } function getImm(obj){ this.args[0] = makeFromImm(obj); obj.PC += 4; } function getTwoRegs(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = obj.code[obj.PC]; obj.PC += 1; } function getThreeRegs(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = obj.code[obj.PC]; obj.PC += 1; this.args[2] = obj.code[obj.PC]; obj.PC += 1; } function getRegString(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = getString(obj); } function getRegRegString(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = obj.code[obj.PC]; obj.PC += 1; this.args[2] = getString(obj); } function getRegTwoString(obj){ this.args[0] = obj.code[obj.PC]; obj.PC += 1; this.args[1] = getString(obj); this.args[2] = getString(obj); } function getString(obj){ var res = ""; while(obj.code[obj.PC] != 0) { res += String.fromCharCode(obj.code[obj.PC]); obj.PC += 1; } obj.PC += 1; return res; } Opcode0.prototype = { consumeArgs : function(obj){}, execute: function(){} }; Opcode1.prototype = { consumeArgs: getRegImm, execute: function(obj){ obj.registers[this.args[0]] = (obj.registers[this.args[0]] + this.args[1]) % 0x100000000; } } Opcode2.prototype = { consumeArgs: getTwoRegs, execute: function(obj){ obj.registers[this.args[0]] = (obj.registers[this.args[0]] + obj.registers[this.args[1]]) % 0x100000000; } } Opcode3.prototype = { consumeArgs: getRegImm, execute: function(obj){ obj.registers[this.args[0]] = ((obj.registers[this.args[0]] - this.args[1]) % 0x100000000) >>> 0; } } Opcode4.prototype = { consumeArgs: getTwoRegs, execute: function(obj){ obj.regsiters[this.args[0]] = ((obj.registers[this.args[0]] - this.registers[this.args[1]])%100000000) >>> 0 } } Opcode5.prototype = { consumeArgs: getThreeRegs, execute: function(obj){ var mult = obj.registers[this.args[0]] * obj.registers[this.args[1]]; console.log(mult.toString(16)); obj.registers[this.args[2]] = (mult / obj.pow) >>> 0; obj.registers[this.args[2]+1] = (mult & 0xffffffff) >>> 0; } } Opcode6.prototype = { consumeArgs: getThreeRegs, execute: function(obj){ var divs = obj.registers[this.args[0]] * obj.pow + obj.registers[this.args[0]+1]; obj.registers[this.args[2]] = (divs / obj.registers[this.args[1]]) >>> 0; obj.registers[this.args[2]+1]= (divs % obj.registers[this.args[1]]) >>> 0; } } Opcode7.prototype = { consumeArgs: getRegImm, execute: function(obj) { obj.registers[this.args[0]] = this.args[1]; } } Opcode8.prototype = { consumeArgs: getImm, execute: function(obj){ obj.callstack.push(obj.PC); obj.PC = this.args[0]; } } Opcode9.prototype = { consumeArgs: getImm, execute: function(obj){ obj.PC = (obj.PC + this.args[0]) % obj.code.length; } } Opcode10.prototype = { consumeArgs: function(){}, execute: function(obj){ obj.PC = obj.callstack.pop(); } } Opcode11.prototype = { consumeArgs: getRegString, execute: function(obj){ obj.registers[this.args[0]] = eval('new '+this.args[1]); } } Opcode12.prototype = { consumeArgs: getRegTwoString, execute: function(obj){ obj.registers[this.args[0]][this.args[1]] = Function(this.args[2]); } } Opcode13.prototype = { consumeArgs: getRegRegString, execute: function(obj){ obj.registers[this.args[0]] = obj.registers[this.args[1]][this.args[2]]; } } Opcode14.prototype = { consumeArgs: getRegRegString, execute: function(obj){ obj.registers[this.args[1]][this.args[2]] = obj.registers[this.args[0]]; } } Opcode15.prototype = { consumeArgs: getRegRegString, execute: function(obj){ obj.registers[this.args[0]] = obj.registers[this.args[1]][this.args[2]](); } } function check(){ machine = new Machine; machine.loadcode([11, 1, 79, 98, 106, 101, 99, 116, 0, 12, 1, 120, 0, 114, 101, 116, 117, 114, 110, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 105, 110, 112, 117, 116, 39, 41, 91, 48, 93, 46, 118, 97, 108, 117, 101, 47, 47, 0, 15, 3, 1, 120, 0, 14, 3, 1, 117, 115, 101, 114, 105, 110, 112, 117, 116, 0, 12, 1, 121, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 101, 110, 100, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 116, 104, 105, 115, 46, 99, 111, 100, 101, 61, 91, 93, 59, 116, 104, 105, 115, 46, 80, 67, 61, 49, 55, 51, 125, 47, 47, 0, 15, 3, 1, 121, 0, 12, 1, 122, 0, 97, 108, 101, 114, 116, 40, 49, 41, 59, 47, 47, 11, 234, 79, 98, 106, 101, 99, 116, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 50, 41, 59, 47, 47, 12, 234, 120, 255, 118, 97, 114, 32, 102, 61, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 114, 101, 103, 105, 115, 116, 101, 114, 115, 91, 49, 93, 46, 117, 115, 101, 114, 105, 110, 112, 117, 116, 47, 47, 10, 118, 97, 114, 32, 105, 32, 61, 32, 102, 46, 108, 101, 110, 103, 116, 104, 47, 47, 10, 118, 97, 114, 32, 110, 111, 110, 99, 101, 32, 61, 32, 39, 103, 114, 111, 107, 101, 39, 59, 47, 47, 10, 118, 97, 114, 32, 106, 32, 61, 32, 48, 59, 47, 47, 10, 118, 97, 114, 32, 111, 117, 116, 32, 61, 32, 91, 93, 59, 47, 47, 10, 118, 97, 114, 32, 101, 113, 32, 61, 32, 116, 114, 117, 101, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 105, 41, 123, 47, 47, 10, 111, 117, 116, 46, 112, 117, 115, 104, 40, 102, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 41, 32, 94, 32, 110, 111, 110, 99, 101, 46, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 40, 106, 37, 53, 41, 41, 47, 47, 10, 106, 43, 43, 59, 47, 47, 10, 125, 47, 47, 10, 118, 97, 114, 32, 101, 120, 32, 61, 32, 32, 91, 49, 44, 32, 51, 48, 44, 32, 49, 52, 44, 32, 49, 50, 44, 32, 54, 57, 44, 32, 49, 52, 44, 32, 49, 44, 32, 56, 53, 44, 32, 55, 53, 44, 32, 53, 48, 44, 32, 52, 48, 44, 32, 51, 55, 44, 32, 52, 56, 44, 32, 50, 52, 44, 32, 49, 48, 44, 32, 53, 54, 44, 32, 53, 53, 44, 32, 52, 54, 44, 32, 53, 54, 44, 32, 54, 48, 93, 59, 47, 47, 10, 105, 102, 32, 40, 101, 120, 46, 108, 101, 110, 103, 116, 104, 32, 61, 61, 32, 111, 117, 116, 46, 108, 101, 110, 103, 116, 104, 41, 32, 123, 47, 47, 10, 106, 32, 61, 32, 48, 59, 47, 47, 10, 119, 104, 105, 108, 101, 40, 106, 32, 60, 32, 101, 120, 46, 108, 101, 110, 103, 116, 104, 41, 123, 47, 47, 10, 105, 102, 40, 101, 120, 91, 106, 93, 32, 33, 61, 32, 111, 117, 116, 91, 106, 93, 41, 47, 47, 10, 101, 113, 32, 61, 32, 102, 97, 108, 115, 101, 59, 47, 47, 10, 106, 32, 43, 61, 32, 49, 59, 47, 47, 10, 125, 47, 47, 10, 105, 102, 40, 101, 113, 41, 123, 47, 47, 10, 97, 108, 101, 114, 116, 40, 39, 89, 79, 85, 32, 87, 73, 78, 33, 39, 41, 59, 47, 47, 10, 125, 101, 108, 115, 101, 123, 10, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 10, 125, 125, 101, 108, 115, 101, 123, 97, 108, 101, 114, 116, 40, 39, 78, 79, 80, 69, 33, 39, 41, 59, 125, 47, 47, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 51, 41, 59, 47, 47, 15, 1, 234, 120, 255, 9, 255, 255, 255, 12, 10, 97, 108, 101, 114, 116, 40, 52, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 53, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 54, 41, 59, 47, 47, 10, 97, 108, 101, 114, 116, 40, 55, 41, 59, 47, 47, 0, 12, 1, 103, 0, 118, 97, 114, 32, 105, 32, 61, 48, 59, 119, 104, 105, 108, 101, 40, 105, 60, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 46, 108, 101, 110, 103, 116, 104, 41, 123, 105, 102, 40, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 61, 32, 50, 53, 53, 32, 41, 32, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 99, 111, 100, 101, 91, 105, 93, 32, 61, 32, 48, 59, 105, 43, 43, 125, 47, 47, 0, 12, 1, 104, 0, 119, 105, 110, 100, 111, 119, 46, 109, 97, 99, 104, 105, 110, 101, 46, 80, 67, 61, 49, 55, 50, 47, 47, 0, 15, 0, 1, 103, 0, 15, 0, 1, 104, 0]) machine.run(); } | cs |
javascript code 로 어셈블리처럼 동작하도록 만든 코드 입니다. (EIP 개념도 있고 Register 개념도 있고...)
문제는 check 함수에서 loadcode 할 시 저 바이트 코드 시퀀스가 어떤 행동을 하는지 아는게 문제 였습니다.
그래서 저는 저 바이트 코드 시퀀스는 Operator (Opcode) 와 Operand (Argument)로 구성되어 있다고 가정하고 자바 스크립트의 모든 Opcode prototype에 있는 execute function쪽에 console.log 를 찍었습니다.
예를들어,
1 2 3 4 5 6 7 | Opcode1.prototype = { consumeArgs: getRegImm, execute: function(obj){ console.log("Opcode1 executed : [" + obj.registers[this.args[0]].toString() + " + " + this.args[1]); obj.registers[this.args[0]] = (obj.registers[this.args[0]] + this.args[1]) % 0x100000000; } } | cs |
이런식으로 console.log 를 두게 되면 크롬 F12를 눌러 Console tab 에서 임시적으로 디버깅이 가능합니다. 모든 Opcode에 저렇게 달아 놓고 실행을 시키면 어떤 Opcode들이 호출이 되었고 어떤 순서로 호출되었으며 어떤 argument 들이 들어 갓는지 알 수 있습니다.
이미 이 로그만으로도 풀기 충분해 보입니다. 키 길이는 ex 와 동일하다는 조건문이 있기 때문에 20 글자 이며 위에서 nonce 를 "groke" 라고 주었고 사용자 입력 값과 xor 시킵니다. 결과적으로
nonce 변수 = X
사용자 입력 변수 = Y
최종 결과 변수 = Z
라고 한다면
X[i % 5] ^ Y[i] = Z[i], {i | i = 0 ... 19}
Y[i] = Z[i] ^ X[i % 5]
이를 파이썬 코드로 작성하면 다음과 같습니다.
1 2 3 4 5 | ex = [1, 30, 14, 12, 69, 14, 1, 85, 75, 50, 40, 37, 48, 24, 10, 56, 55, 46, 56, 60] nonce = "groke" for i in range(0, 20): print chr(ord(nonce[i%5]) ^ ex[i]), | cs |
f l a g i s : W O W _ s o _ E A S Y
'CTF_WriteUps > 2015_CTF' 카테고리의 다른 글
[2015_School_CTF] (Stegano 100) pure color (0) | 2015.11.08 |
---|---|
[2015_School_CTF] (Reverse 500) What's the hell?! (0) | 2015.11.08 |
[2015_School_CTF] (Reverse 300) Secret Galaxy (0) | 2015.11.08 |
[2015_School_CTF] (Reverse 200) Parallel Comparator (2) | 2015.11.08 |
[2015_School_CTF] (Exploit 500) Try to guess (0) | 2015.11.08 |
댓글
최근에 올라온 글
최근에 달린 댓글
- Total
- Today
- Yesterday
링크
TAG
- IE 10 리버싱
- 힙 스프레잉
- 데이터 마이닝
- Mona 2
- Use after free
- data mining
- 2015 School CTF
- School CTF Write up
- UAF
- 2014 SU CTF Write UP
- IE 11 UAF
- IE 11 exploit development
- shellcode
- 윈도우즈 익스플로잇 개발
- IE 10 Exploit Development
- shellcode writing
- 쉘 코드 작성
- IE 11 exploit
- expdev 번역
- WinDbg
- TenDollar
- heap spraying
- IE UAF
- School CTF Writeup
- Windows Exploit Development
- IE 10 익스플로잇
- TenDollar CTF
- CTF Write up
- IE 10 God Mode
- 쉘 코드
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | |||
5 | 6 | 7 | 8 | 9 | 10 | 11 |
12 | 13 | 14 | 15 | 16 | 17 | 18 |
19 | 20 | 21 | 22 | 23 | 24 | 25 |
26 | 27 | 28 | 29 | 30 | 31 |
글 보관함