# Ghidra勉強会

# Seccamp事前課題(6_bin)

# main関数の解読

  • これの中にある6_binの解析をする
  • 0x001013c1からの関数がmain
    • entryから呼び出しているので
  • 逆アセンブル結果

undefined8 FUN_001013c1(int param_1,undefined8 *param_2)

{
  undefined *__s2;
  int iVar1;
  char *__s1;
  undefined local_138 [272];
  void *local_28;
  size_t local_20;
  
  if (param_1 < 2) {
    printf("Usage: %s <plaintext>",*param_2);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  puts((char *)param_2[1]);
  local_20 = strlen((char *)param_2[1]);
  local_28 = malloc(local_20);
  FUN_00101195(local_138,"seccamp2020",DAT_00104060 & 0xffffffff,0x3b);
  __s2 = PTR_DAT_00104068;
  __s1 = (char *)FUN_00101285(local_138,param_2[1],local_28,local_20);
  iVar1 = strcmp(__s1,__s2);
  if (iVar1 == 0) {
    puts("Correct!");
  }
  else {
    puts("Wrong...");
  }
  free(local_28);
  return 0;
}


  • 読みやすくするために変数等を再命名
    • lで変数名の変更
    • Ctrl-lで変数の型の変更

int main(int argc,char *argv)

{
  undefined *__s2;
  int iVar1;
  char *__s1;
  undefined local_138 [272];
  void *buf;
  size_t size;
  
  if (argc < 2) {
    printf("Usage: %s <plaintext>",*(undefined8 *)argv);
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  puts(*(char **)(argv + 8));
  size = strlen(*(char **)(argv + 8));
  buf = malloc(size);
  FUN_00101195(local_138,"seccamp2020",DAT_00104060 & 0xffffffff,0x3b);
  __s2 = PTR_DAT_00104068;
  __s1 = (char *)FUN_00101285(local_138,*(undefined8 *)(argv + 8),buf,size);
  iVar1 = strcmp(__s1,__s2);
  if (iVar1 == 0) {
    puts("Correct!");
  }
  else {
    puts("Wrong...");
  }
  free(buf);
  return 0;
}


# FUN_00101195の調査

  • 途中で呼ばれているFUN_00101195の中身を見る

void FUN_00101195(long param_1,long param_2,int param_3,char param_4)

{
  undefined uVar1;
  int local_14;
  uint local_10;
  int local_c;
  
  *(undefined4 *)(param_1 + 0x100) = 0;
  *(undefined4 *)(param_1 + 0x104) = 0;
  local_c = 0;
  while (local_c < 0x100) {
    *(char *)(param_1 + local_c) = param_4 + (char)local_c;
    local_c = local_c + 1;
  }
  local_10 = 0;
  local_14 = 0;
  while (local_14 < 0x41) {
    local_10 = (int)*(char *)(param_2 + local_14 % param_3) +
               (int)*(char *)(param_1 + local_14) + local_10 & 0xff;
    uVar1 = *(undefined *)(param_1 + local_14);
    *(undefined *)(param_1 + local_14) = *(undefined *)(param_1 + (int)local_10);
    *(undefined *)(param_1 + (int)local_10) = uVar1;
    local_14 = local_14 + 1;
  }
  return;
}

  • 読みやすくするために再命名
  • *(undefined4 *)(param_1 + 0x100) = 0;*(undefined4 *)(param_1 + 0x104) = 0;が構造体アクセスっぽい
  • param1に対してauto Create Structureを実施
  • Edit Data Typeで修正
    • サイズ等はアセンブリを読めば分かる
    • char[0x100], int, int
  • local_10とlocal_14は変数として使ってるっぽいので, iとjと命名
  • whileの中の処理は, swap(str[i], str[j])っぽい

void FUN_00101195(CTX *ctx,char *seccamp2020,int 11,char offset)

{
  int j;
  uint i;
  int idx;
  char tmp;
  
  ctx->i = 0;
  ctx->j = 0;
  idx = 0;
  while (idx < 0x100) {
                    /* offset is ; */
    ctx->S[idx] = offset + (char)idx;
    idx = idx + 1;
  }
  i = 0;
                    /* loop 64 times */
  j = 0;
  while (j < 0x41) {
    i = (int)seccamp2020[j % 11] + (int)ctx->S[j] + i & 0xff;
                    /* swap(S[j], S[i]); */
    tmp = ctx->S[j];
    ctx->S[j] = ctx->S[(int)i];
    ctx->S[(int)i] = tmp;
    j = j + 1;
  }
  return;
}



# FUN_00101285の調査

  • もう一方のFUN_00101285も調査して変更

char * FUN_00101285(CTX *ctx,long input,char *buf,ulong len)

{
  int idx;
  uint j;
  uint i;
  char tmp;
  
  i = ctx->i;
  j = ctx->j;
  if (buf == (char *)0x0) {
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  idx = 0;
  while ((ulong)(long)idx < len) {
    i = i + 1 & 0xff;
    j = j + (int)ctx->S[(int)i] & 0xff;
                    /* swap(S[i], S[j]) */
    tmp = ctx->S[(int)i];
    ctx->S[(int)i] = ctx->S[(int)j];
    ctx->S[(int)j] = tmp;
    buf[idx] = *(byte *)(input + idx) ^
               ctx->S[(int)((int)ctx->S[(int)j] + (int)ctx->S[(int)i] & 0xff)];
    idx = idx + 1;
  }
  ctx->i = i;
  ctx->j = j;
  return buf;
}
  • xorを取っているので, RC4の亜種っぽい
  • 純粋なRC4との違いは, swap前のadd処理
  • そのため, よくあるRC4を多少編集すれば良い

# rev用スクリプト作成

#@author 
#@category _NEW_
#@keybinding 
#@menupath 
#@toolbar 

def init(key,size,offset):
    idx = 0
    S = [0] * 0x100
    while idx < 0x100:
        S[idx] = (ord(offset) + idx) % 0x100
        idx += 1
    print(S)
    
    i=0
    j=0
    while j<0x41:
        i = (key[j%size] + S[j] + i) & 0xff
        S[i], S[j] = S[j], S[i]
        j += 1
    return S

def encrypt(enc, size, S):
    i = 0
    j = 0

    buf = ""
    
    idx = 0
    while idx < size:
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff

        S[j], S[i] = S[i], S[j]
        buf += chr(enc[idx] ^ S[(S[j] + S[i]) & 0xff])
        idx += 1
    return buf

def main():
    key = bytearray(getBytes(toAddr(0x00102008), 11))
    enc = bytearray(getBytes(toAddr(0x00102014), 16))
    
    S = init(key, 11, ';')
    dec = encrypt(enc, 16, S)
    print(dec)

main()

# 結果

  • 結果
    • S3CC4MP_R3V_l01
solve.py> Running...
[59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58]
S3CC4MP_R3V_l01¬
solve.py> Finished!
Last Updated: 2021-1-4 14:27:05