ret2ver
2021 AntCTF x D^3CTF - Crypto Write-Up
Created 2021-03-10 | Crypto, WriteUp
This article was first published on Anquanke: https://www.anquanke.com/post/id/233827

Introduction
AntCTF x D^3CTF 2021 had four Crypto challenges of moderate difficulty. This article presents the four challenges and my approach to solving each of them; corrections from other players are welcome.

babyLattice
Challenge analysis
The challenge source is as follows:
from collections import namedtuple
PublicKey = namedtuple('PublicKey', ['n', 'b'])
SecretKey = namedtuple('SecretKey', ['p', 'q', 'A'])
def gen_key():
    p = rand ...
A Brief Look at the DFA Attack on SM4
Created 2021-03-09 | Crypto, SM4, DFA
This article was first published on Anquanke: https://www.anquanke.com/post/id/231483

Introduction
This article gives a brief introduction to the DFA (differential fault analysis) attack on SM4.

SM4
SM4 is a block cipher standard adopted in China, published by the State Cryptography Administration on 21 March 2012, and is one of the national commercial cryptographic (国密) algorithms. Like DES and AES, SM4 is an iterated block cipher: its block length is 128 bits and its key length is also 128 bits. Both the encryption algorithm and the key schedule use a 32-round nonlinear iterative structure operating on 32-bit words, and each iteration is one application of the round function F. Encryption and decryption share the same structure and differ only in the order of the round keys: the decryption round keys are the encryption round keys in reverse order.

The overall structure of SM4, with its 32 rounds, is shown in the figure below:

The round function F is shown in the figure below:

S is the nonlinear S-box transformation (applied per byte) and L is the linear transformation; let the input of L be B and its output be C, then:
The invertible transformation formed by composing the nonlinear transformation S with the linear transformation L is called T, that is:
In the final round, SM4 appends a reversal transformation R; let the input of R be X and its output be Y, then:
Finally, consider how the round keys are generated. Let the encryption key be MK:
The round keys rk are generated as follows:
where T' is the transformation T above with its linear transformation L replaced by ...
2021 UnionCTF - WriteUp
Created 2021-02-23 | WriteUp, Crypto
Introduction
This is a small write-up and reproduction of the 2021 UnionCTF challenges.

Crypto
human_server
Analysis
This is a Diffie-Hellman key exchange challenge:
import os, random, hashlib, textwrap, json
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
from Cry ...
Analysis of Chrome issue-1793
Created 2021-02-23 | Pwn, Browser, V8
This article was first published on Anquanke: https://www.anquanke.com/post/id/231399

Chrome issue-1793 reports an integer overflow vulnerability; this article gives a brief analysis of the issue.

Vulnerability analysis
In the NewFixedDoubleArray function in v8/src/heap/factory.cc, the developers check length with DCHECK_LE(0, length). However, DCHECK only takes effect in debug builds and does nothing in release builds, so the check provides no protection in the shipped version. If length is negative, the if (length > FixedDoubleArray::kMaxLength) check is bypassed, and because int size = FixedDoubleArray::SizeFor(length) computes size from length, a suitably chosen negative length makes the computed size come out positive.
// v8/src/heap/factory.cc
Handle<FixedArrayBase> Factory: ...
2021 DiceCTF - WriteUp
Created 2021-02-08 | Pwn, WriteUp, Crypto
Introduction
This is a small write-up and reproduction of the 2021 DiceCTF challenges.

Pwn
babyrop
Analysis
Just a stack overflow; use the __libc_csu_init gadgets (csu) to solve it. Notice that some registers are different for csu in this binary.

Exp
from pwn import *
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
LOCAL = 0
DEBUG = 0
if LOCAL:
    r = process("./babyrop")
    libc = ELF("/lib/x86_64-l ...
How to Build Chromium
Created 2021-02-07 | Pwn, Browser, Chromium
Download the source code of Chromium:
fetch chromium

Build dependencies:
sudo src/build/install-build-deps.sh

Patch and compile:
cd src
git reset --hard +hash
gclient sync
git apply < "path/to/a.diff"
gn gen out/asan_debug --args="is_debug=true is_component_build=true is_asan=true"
autoninja -C out/asan_debug chrome

Set ASAN_OPTIONS:
export ASAN_OPTIONS=detect_odr_violation=0

Start Chromium:
./out/asan_debug/chrome
How to Build V8
Created 2021-02-07 | Pwn, Browser, V8
Install depot_tools:
git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
vim /etc/profile
Add `export PATH=$PATH:"/path/to/depot_tools"` to `.profile`
cd /depot_tools && ./gclient

Install ninja:
git clone https://github.com/ninja-build/ninja.git
cd ninja && ./configure.py --bootstrap && cd ..
vim /etc/profile
Add `export PATH=$PATH:"/path/to/ninja"` to `.profile`
source /etc/profile

Download the source code of V8:
fetch v8

Patch ...
2021 WMCTF - 1+2=3
Created 0202-09-06 | BlockChain, WriteUp
This article was first published on Anquanke: https://www.anquanke.com/post/id/251985

Challenge description
After passing the PoW check, the challenge interaction looks like this:
We design a pretty easy contract game. Enjoy it!
1. Create a game account
2. Deploy a game contract
3. Request for flag
4. Get source code
Option 1, get an account which will be used to deploy the contract;
Before option 2, please transfer some eth to this account (for gas);
Option 2, the robot will use the account to deploy the contract for the challenge;
Option 3, use this option to obtain the flag wh ...
©2020 - 2022 By Vergissmeinnicht
Framework Hexo | Theme Butterfly