Last active
August 4, 2020 13:27
-
-
Save SimonTheCoder/7ead8ca45008386c500c3d4813e19ff2 to your computer and use it in GitHub Desktop.
[UCTF2016]twi @www.jarvisoj.com writeup by SimonTheCoder
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #### | |
| # https://github.com/SimonTheCoder | |
| #### | |
| set disassemble-next-line on | |
| set pagination off | |
| define lk | |
| target remote: 1234 | |
| end | |
| define ll | |
| target remote: 1212 | |
| end | |
| define rr | |
| source help.gdb | |
| end | |
| define chr | |
| printf "0x%x : %c \n",$arg0,$arg0 | |
| end | |
| define rw | |
| printf "WHi(r25):%x\n",$r25 | |
| printf "WLo(r24):%x\n",$r24 | |
| set $W = ($r25<<8|$r24) | |
| printf "W :%x\n",$W | |
| end | |
| define rx | |
| printf "XHi(r27):%x\n",$r27 | |
| printf "XLo(r26):%x\n",$r26 | |
| set $X = ($r27<<8|$r26) | |
| printf "X :%x\n",($r27<<8|$r26) | |
| end | |
| define ry | |
| printf "YHi(r29):%x\n",$r29 | |
| printf "YLo(r28):%x\n",$r28 | |
| set $Y = ($r29<<8|$r28) | |
| printf "Y :%x\n",($r29<<8|$r28) | |
| end | |
| define rz | |
| printf "ZHi(r31):%x\n",$r31 | |
| printf "ZLo(r30):%x\n",$r30 | |
| set $Z = ($r31<<8|$r30) | |
| printf "Z :%x\n",($r31<<8|$r30) | |
| end | |
| define rp1 | |
| printf "rp1Hi(r23):%x\n",$r23 | |
| printf "rp1Lo(r22):%x\n",$r22 | |
| set $Z = ($r23<<8|$r22) | |
| printf "rp1 :%x\n",($r23<<8|$r22) | |
| end | |
| define rp2 | |
| printf "rp2Hi(r21):%x\n",$r21 | |
| printf "rp2Lo(r20):%x\n",$r20 | |
| set $Z = ($r21<<8|$r20) | |
| printf "rp2 :%x\n",($r21<<8|$r20) | |
| end | |
| define ra | |
| rw | |
| printf "\n" | |
| rx | |
| printf "\n" | |
| ry | |
| printf "\n" | |
| rz | |
| printf "-----\n" | |
| rp1 | |
| printf "\n" | |
| rp2 | |
| end | |
| define pd | |
| #program dump | |
| disassemble /r (void (*)())$arg0,(void (*)())$arg1 | |
| end | |
| define pda | |
| #program dump area | |
| set $_pstart = (void (*)())($arg0 - ($arg1>>1)) | |
| set $_pend = (void (*)())($arg0 + ($arg1>>1)) | |
| disassemble /r $_pstart,$_pend | |
| end | |
| define pd1 | |
| #program dump 1 ins | |
| disassemble /r (void (*)())$arg0,(void (*)())($arg0+2) | |
| end | |
| define pb | |
| b *(void (*)())$arg0 | |
| end | |
| define ptb | |
| tb *(void (*)())$arg0 | |
| end | |
| define pp0 | |
| set $pp0 = (void (*)()) $arg0 | |
| end | |
| define pp1 | |
| set $pp1 = (void (*)()) $arg0 | |
| end | |
| define memcpy | |
| set $_d = (char *)$arg0 | |
| set $_s = (char *)$arg1 | |
| set $_count = $arg2 | |
| set $_index = 0 | |
| while $_count > 0 | |
| set *($_d+$_index) = *($_s+$_index) | |
| x/bx ($_d+$_index) | |
| set $_index = $_index + 1 | |
| set $_count = $_count - 1 | |
| end | |
| end | |
| define memset_1byte | |
| set $_d = (char *)$arg0 | |
| set $_v = (char)$arg1 | |
| set *$_d = $_v | |
| end | |
| define sta | |
| set $stop_p = $arg0 | |
| while $stop_p != $pc | |
| ni | |
| end | |
| printf "point arrival.\n" | |
| end | |
| define nn | |
| ni | |
| printf "\ncode addr: %x\n",((unsigned int)$pc) | |
| end | |
| define run_for_me | |
| set $run_it = 1 | |
| while $run_it == 1 | |
| if $pc == 0x68 | |
| set $pc = 0x6a | |
| end | |
| ni | |
| end | |
| end | |
| define skp1 | |
| if $pc == 0xca || $pc== 0xcc || $pc == 0xce | |
| set $pc = 0xd0 | |
| end | |
| set $pc=0x6a | |
| end | |
| define skp_2ed | |
| pb 0x5da | |
| command | |
| set $pc = $pc+2 | |
| c | |
| end | |
| end | |
| define skp_2f9 | |
| pb 0x5f2 | |
| command | |
| silent | |
| set $pc = $pc + 2 | |
| c | |
| end | |
| end | |
| define skp_367 | |
| pb 0x6ce | |
| command | |
| silent | |
| set $pc = $pc + 2 | |
| c | |
| end | |
| end | |
| define skp_234 | |
| #11a | |
| #remove time delay. | |
| pb 0x234 | |
| command | |
| silent | |
| set $pc = $pc + 18 | |
| c | |
| end | |
| end | |
| define skp_038b_check | |
| pb 0x60e | |
| command | |
| #force W to be 0 | |
| set $r25 = 0 | |
| set $r24 = 0 | |
| c | |
| end | |
| end | |
| define b_38b_touch_60 | |
| pb 0x716 | |
| end | |
| define f_x60 | |
| x/bx 0x60 | |
| x/s 0x60 | |
| ni | |
| end | |
| define skp_0029f_002ad | |
| #30f | |
| pb 0x61e | |
| command | |
| silent | |
| #function FUN_code_00029f will fill 0x426 buff with 0x1 | |
| #try to skip it | |
| #function FUN_code_0002ad will fill 0x426 buff with 0x0 | |
| #try to skip it | |
| set $pc= $pc+6 | |
| c | |
| end | |
| end | |
| define write_found_key_back | |
| set $_found_index = 0 | |
| while $_found_index < $_current_bit | |
| set $_write_back = 0 | |
| eval "set $_write_back = $found_buf%d",$_found_index | |
| set $_w_addr = $key_buf + $_found_index | |
| memset_1byte $_w_addr $_write_back | |
| set $_found_index = $_found_index +1 | |
| end | |
| end | |
| define pwn | |
| d | |
| #this function blocks program... skip | |
| #skp_2ed | |
| skp_234 | |
| skp_2f9 | |
| #####1st branch point | |
| pb 0x60c | |
| # code:000306 84 d0 rcall FUN_code_00038b undefined FUN_code_00038b() | |
| command | |
| silent | |
| #cp "flag{" to test buffer. so that we can pass the check. | |
| rw | |
| memcpy $W 0x60 5 | |
| set $key_buf = $W | |
| c | |
| end | |
| #skp_038b_check | |
| #FUN_code_00038b | |
| #pb 0x716 | |
| # 0x308 | |
| #pb 0x610 | |
| #1st branch point ,resovled. | |
| #####2nd branch point | |
| #0x614 (0x30a) Y = 0x425 | |
| #check Y+0x26 == '}'(0x7d) | |
| #0x30a | |
| pb 0x614 | |
| command | |
| ry | |
| set *(char *)($Y+0x26)= 0x7d | |
| c | |
| end | |
| #skp_0029f_002ad | |
| #FUN_code_00029f | |
| #pb 0x53e | |
| #FUN_code_0002ad | |
| ###pb 0x55a | |
| #312 | |
| set $_found_state = 0 | |
| set $_current_try = 0 | |
| set $_current_bit = 0 | |
| set $_found_times = 0 | |
| pb 0x624 | |
| command | |
| silent | |
| set $_fi = $key_buf + $_current_bit | |
| write_found_key_back | |
| # memset_1byte $key_buf 0x2f | |
| # memset_1byte $key_buf+1 0x56 | |
| # memset_1byte $key_buf+2 0x7d | |
| # memset_1byte $key_buf+3 0x1b | |
| # memset_1byte $key_buf+4 0xf3 | |
| # memset_1byte $key_buf+5 0x95 | |
| # memset_1byte $key_buf+6 0x85 | |
| # memset_1byte $key_buf+7 0xb6 | |
| # memset_1byte $key_buf+8 0xd4 | |
| # memset_1byte $key_buf+9 0x3f | |
| # memset_1byte $key_buf+10 0xcb | |
| # memset_1byte $key_buf+11 0x29 | |
| # memset_1byte $key_buf+12 0xc3 | |
| # memset_1byte $key_buf+13 0x5d | |
| # memset_1byte $key_buf+14 0x77 | |
| # memset_1byte $key_buf+15 0x6a | |
| memset_1byte $_fi (char)$_current_try | |
| printf "Trying bit:%d byte:0x%x\n",$_current_bit,$_current_try | |
| c | |
| end | |
| # pb 0x628 | |
| #355 1 byte success | |
| pb 0x6aa | |
| command | |
| silent | |
| set $_found_state= 1 | |
| set $_found_times = $_found_times + 1 | |
| set $_check_bit = ($r5<<8|$r4) | |
| if $_check_bit == $_current_bit | |
| printf "Found!!!! bit:%d byte=%x\n",$_current_bit,$_current_try | |
| if $_current_bit == 15 | |
| eval "set $found_buf%d = (char)%d",$_current_bit,$_current_try | |
| printf "Found all!!! @0x%x\n",$key_buf | |
| x/16bx $key_buf | |
| set $_index = 0 | |
| #TODO: need fix print content | |
| printf "flag{" | |
| while $_index <= 15 | |
| set $_key = 0 | |
| eval "set $_key =(char)$found_buf%d",$_index | |
| printf "%02x",($_key & 0xff) | |
| set $_index = $_index + 1 | |
| end | |
| printf "}\n" | |
| else | |
| eval "set $found_buf%d = (char)%d",$_current_bit,$_current_try | |
| set $_current_bit = $_current_bit +1 | |
| set $_current_try = 0 | |
| c | |
| end | |
| else | |
| #printf "================\n" | |
| c | |
| end | |
| end | |
| #363 1 byte fail | |
| pb 0x6c6 | |
| command | |
| silent | |
| printf "Failed.bit:%d byte=%x\n",$_current_bit,$_current_try | |
| if $_current_try == 255 | |
| printf "Can not find the right byte!!!! T_T\n" | |
| else | |
| set $_current_try = $_current_try + 1 | |
| c | |
| end | |
| end | |
| #354 | |
| #pb 0x6a8 | |
| #35b | |
| # pb 0x6b6 | |
| skp_367 | |
| end | |
| define rrr | |
| pwn | |
| c | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment