cha's ELF - CODEGATE 2025 Quals
#CODEGATE_2025_Quals
Copy and PatchでJITを実装している
以下のスクリプトで1文字ずつ総当たりするとフラグがえられた
code:python
import gdb
import binascii
# Distance from the start of a mapping to the address where the script wants
# to stop inside it. Both values are hard-coded addresses captured in one gdb
# session; presumably the page-aligned one is the base of the JIT'd region and
# the other the instruction of interest within it. Reusing them across runs
# relies on the region landing at the same address every time (gdb disables
# ASLR by default) — confirm before reusing on another setup.
_stop_addr = 0x7ffff7fbc10e
_map_base = 0x7ffff7fba000
offset = _stop_addr - _map_base
def xor(a, b):
    """Return the byte-wise XOR of *a* and *b*.

    The inputs are paired element by element, so the result has the length
    of the shorter input; any surplus bytes of the longer one are dropped.
    """
    out = bytearray()
    for left, right in zip(a, b):
        out.append(left ^ right)
    return bytes(out)
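# The ciphertext is kept hex-encoded in enc.orig; strip surrounding whitespace
# so a trailing newline does not make unhexlify reject the text as odd-length
# or non-hex.
with open('enc.orig', 'r') as f:
    enc = binascii.unhexlify(f.read().strip())

# One entry per candidate character: the XOR-decoded buffer plus the candidate.
results = []

gdb.execute('file ./chas_elf')
gdb.execute('starti')
# Breakpoint in the static binary at the address captured during the analysis
# session; the script steps once from here before locating the JIT'd code.
gdb.execute('b *0x407966')

for code_point in range(0x21, 0x7f):  # printable ASCII, space excluded
    c = chr(code_point)
    # 64 filler bytes followed by the candidate; the filler length presumably
    # matches the 0x40 bytes of key material read from memory below.
    # Named `candidate` rather than `input` so the builtin is not shadowed.
    candidate = 'a' * 64 + c
    with open('input', 'w') as f:
        f.write(candidate)
    gdb.execute('r < input')
    print('a')  # progress marker, one line per candidate
    # After a single step the key-producing code is expected to be `offset`
    # bytes ahead of $pc; this presumes the JIT'd region is mapped at the same
    # address on every run (gdb's default of no ASLR) — confirm if it breaks.
    gdb.execute('si')
    gdb.execute(f'b *($pc+{offset})')
    gdb.execute('c')
    rdi = int(gdb.parse_and_eval('$rdi'))
    # gdb.inferiors() returns a tuple; the first entry is the debugged process.
    inferior = gdb.inferiors()[0]
    # The 0x40 bytes $rdi points to at this breakpoint serve as the XOR key.
    key = inferior.read_memory(rdi, 0x40).tobytes()
    data = xor(enc, key)
    print(f'input = {candidate}')
    print(f'key = {key.hex()}')
    print(f'data = {data.hex()}({data})')
    results.append(data + c.encode())

for result in results:
    # Non-UTF-8 bytes are dropped so a wrong candidate still prints something.
    print(result.decode('utf-8', errors='ignore'))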