2026-04-04 05:19:54 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 本文分析了PolarisCTF逆向题目ShakeLife的解题思路，该题通过重定位表注入技术在程序装载阶段修改fini数组和代码段，隐藏真实校验逻辑。解题需动态调试获取内存中的真实代码，发现被篡改的密文后使用HPC算法解密获得flag。文档揭示了防止AI解题的三种策略，并提供了完整的解密代码实现。 综合评分： 85 文章分类： 逆向分析,CTF,二进制安全,漏洞分析,红队

cover_image

PolarisCTF Reverse-ShakeLife WriteUp

原创

TokameinE TokameinE

星盟安全团队

2026年4月3日 14:20 陕西

前言

题目设计来自于一个古老的 trick，通过劫持和注入重定位表项中的项目，使得程序在装载阶段能够向内存中注入 shellcode 以实现几乎无感的代码注入能力。

这个 trick 最早在国外的 CTF 上出现，并在五年前的 aliyunctf 上得到了改进，这次的 ShakeLife 也参考了 aliyunctf 的思路并做了一些简化，当年的题目可以参考这里：

| https://gist.github.com/Riatre/a6592f84fd49f5ac318fdf0fb098054b

相比于阿里云的题目，做了很多简化以让难度符合招新赛的标准，最初定级的时候我还犹豫过是不是定到中等难度比较好，因为找到关键信息以后剩下的工作让 AI 做也完全绰绰有余了。

出题缘由也很简单，由于最近 AI 的突飞猛进，我认为单纯的代码分析可能对 AI来说完全无法构成任何难度，甚至一些需要动态调试的题目也可以在接入 MCP 以后让 agent 自动调试来完成解题，为此我认为要防止选手通过 AI 一把梭，主要有这么几种思路：

堆积代码量，挤爆它的上下文，使得无法正常分析
用明显但错误的逻辑诱导 AI 进行错误的分析
让 AI 无法直接阅读到关键信息

我认为第二和第三种方法能够很好的防止题目被 AI 一眼顶针，反倒是善用搜索引擎更容易解出本题，属实有些文艺复兴了。

这里先提前放一张图证明真的有 flag：

正文

说回正题，相信很多选手都试过用 IDA 一把梭，一打开程序，完整的代码校验流程就出来了：

__int64 __fastcall&nbsp;main(int&nbsp;a1,&nbsp;char&nbsp;**a2,&nbsp;char&nbsp;**a3){&nbsp; ......&nbsp; v26 = __readfsqword(0x28u);&nbsp;&nbsp;alarm(0x1Eu);&nbsp; std::allocator<char>::allocator(v22, a2);&nbsp; std::string::basic_string(v23,&nbsp;"Please enter the flag: ", v22);&nbsp; v3 = std::string::data(v23);&nbsp; std::operator<<<std::char_traits<char>>(&std::cout, v3);&nbsp; std::string::~string(v23);&nbsp; std::allocator<char>::~allocator(v22);&nbsp; std::istream::getline(&std::cin, s,&nbsp;255LL);&nbsp;&nbsp;qmemcpy(v25,&nbsp;"3ff653606890a0591e204093a0d59202",&nbsp;32);&nbsp; v4 =&nbsp;sub_2CF2(v25);&nbsp; v5 =&nbsp;sub_2CE0(v25);&nbsp; v15 =&nbsp;sub_2D08(v5, v4);&nbsp;&nbsp;if&nbsp;( v15 !=&nbsp;1&nbsp;)&nbsp; {&nbsp; &nbsp;&nbsp;return&nbsp;1;&nbsp; }&nbsp;&nbsp;else&nbsp; {&nbsp; &nbsp; v18 =&nbsp;256LL;&nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;sub_3BBA(v23, v25,&nbsp;256LL) )&nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; n =&nbsp;strlen(s);&nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( n ==&nbsp;43&nbsp;)&nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;for&nbsp;( i =&nbsp;0LL; i < n; ++i )&nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( s[i] <=&nbsp;0x1Fu&nbsp;|| s[i] >&nbsp;0x7Eu&nbsp;)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v7 = std::operator<<<std::char_traits<char>>(&std::cout,&nbsp;"Invalid character detected!");&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;0;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; v16 =&nbsp;sub_2D34(s, &s[n],&nbsp;0LL);&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( v16 >=&nbsp;0&nbsp;)&nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_25D2();&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2593();&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_26C1();&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v20 =&nbsp;8&nbsp;* n;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v24 =&nbsp;0x807060504030201LL;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v8 =&nbsp;sub_2D6A(&v24);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v9 =&nbsp;sub_2D7C(&v24);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v10 =&nbsp;sub_2D6A(&v24);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2D92(v10, v9, v8);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v21 =&nbsp;64LL;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;sub_41D9(v23, s, byte_C4A0,&nbsp;8&nbsp;* n, &v24,&nbsp;64LL) )&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;sub_2DE4(byte_C4A0[0]) >=&nbsp;0.0&nbsp;)&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2E04(&v14);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2E44(v22, byte_C4A0, &byte_C4A0[n], &v14);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2E24(&v14);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;sub_2F2A(v22) && n )&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v6 =&nbsp;1;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( !memcmp(byte_C4A0, &unk_80E0, n) )&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; std::operator<<<std::char_traits<char>>(&std::cout, aCorrect);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; v6 =&nbsp;0;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sub_2EE2(v22);&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; .....&nbsp;&nbsp;return&nbsp;v6;}

一道经典的校验明文输入类型的题目，并且在比赛期间也已经有很多选手正确还原出了算法，但是却会发现，如果用 unk_80E0 处的数据进行解密，根本无法解出正确的明文！而且因为题目还提前过滤了输入必须是可见字符，因此不会有真的能够让程序直接输出 Correct 的输入，但是，真的如此吗？

不知道选手在做题过程中是否留意到了 IDA 分析出的函数列表里有这样两个没有被正常标记为外部函数的两个函数：

这两个函数的函数名确实来自于 std 标准库，但是我们可以发现它们的实现却根本不是库函数的标准实现，而且这种函数如果真的是外部引入，那就应该像上面的这些函数一样跳转到 plt 才对，所以这里的函数名其实是故意用来误导 IDA 和 AI 的，因为它们会把这两个函数当作标准库函数，而不会关心它们有没有问题。况且，如果尝试交叉引用跟踪，我们会发现这两个函数根本没有被使用到，一个标准库的函数，如果没被使用，理论上不会特地被编译进函数表里。

那么既然这两个函数并不是真正的标准库，它们的用途是什么呢？观察到用于对符号进行重定向所需的符号表：

这里可以很明显的看到，数据是异常的，IDA 也发现了这个问题，只不过它不会特地去提示你这里有问题。

而作为重定位的符号表，那么对应重定位项中的哪一项呢？

如果我们观察这份重定位表，就会发现用于重定向这两个符号时所用的偏移很奇怪，它根本不是 got 表，而且这两个明明是函数符号，却跟其他外部函数不一样，用的是 R_X86_64_COPY 类型而非 R_X86_64_GLOB_DAT

当然，除此之外还有一些额外的注入项目是 IDA 没办法直接识别到的：

但是如果我们仔细观察它们所用到的地址，也会发现这些内容本不该出现在这里。

相信到这一步，对于了解过 PWN 的选手应该会意识到什么。由于主要的流程发生在重定向阶段，也就是说，通过动态调试将断点下到程序的 start 函数以后，就能在内存里找到完整的执行程序了。

此时，不管是通过动态调试，还是直接把整块内存 dump 出来，我们都能够得到一个真正的，实际被运行的程序。而此时如果尝试去 diff 两个程序的不同之处，就能很容易发现有不少地方代码被篡改了。

发现了吗，第一个 fini 函数对应的偏移有些怪异，它实际上指向了 0x7345，但是你在 IDA 里是找不到这段代码的，因为它位于代码段冗余加载的部分。

最终我们会找到真正用于比较的地方，从这里拿到真正的密文，并通过之前还原出的解密函数解密即可。

#include&nbsp;<iostream>#include&nbsp;<vector>#include&nbsp;<string>#include&nbsp;<cstring>#include&nbsp;<iomanip>#include&nbsp;<cstdlib>#include&nbsp;<ctime>#include&nbsp;"hpc/hpc.h"
void&nbsp;print_hex(const&nbsp;std::string& label,&nbsp;const&nbsp;uint8_t* data,&nbsp;size_t&nbsp;len)&nbsp;{&nbsp; &nbsp; std::cout << label <<&nbsp;": ";&nbsp; &nbsp; std::cout << std::hex << std::setfill('0');&nbsp; &nbsp;&nbsp;for&nbsp;(size_t&nbsp;i =&nbsp;0; i < len; i++) {&nbsp; &nbsp; &nbsp; &nbsp; std::cout << std::setw(2) <<&nbsp;static_cast<int>(data[i]);&nbsp; &nbsp; }&nbsp; &nbsp; std::cout << std::dec << std::endl;&nbsp;// Reset to decimal}
int&nbsp;main()&nbsp;{&nbsp; &nbsp; std::cout <<&nbsp;"HPC Decryptor"&nbsp;<< std::endl;&nbsp; &nbsp; std::cout <<&nbsp;"============="&nbsp;<< std::endl;
&nbsp; &nbsp;&nbsp;// 1. Initialize Key&nbsp; &nbsp;&nbsp;uint8_t&nbsp;key[32];&nbsp; &nbsp; std::string key_str =&nbsp;"3ff653606890a0591e204093a0d59202";&nbsp; &nbsp; std::memcpy(key, key_str.data(),&nbsp;32);
&nbsp; &nbsp;&nbsp;size_t&nbsp;key_bit_size =&nbsp;32&nbsp;*&nbsp;8;
&nbsp; &nbsp; std::cout <<&nbsp;"Key size: "&nbsp;<< key_bit_size <<&nbsp;" bits"&nbsp;<< std::endl;&nbsp; &nbsp;&nbsp;print_hex("Key", key,&nbsp;32);
&nbsp; &nbsp;&nbsp;struct&nbsp;HpcState&nbsp;state;&nbsp; &nbsp;&nbsp;if&nbsp;(!hpc_init(&state, key, key_bit_size)) {&nbsp; &nbsp; &nbsp; &nbsp; std::cerr <<&nbsp;"Failed to initialize HPC state"&nbsp;<< std::endl;&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;1;&nbsp; &nbsp; }&nbsp; &nbsp; std::cout <<&nbsp;"HPC State initialized successfully."&nbsp;<< std::endl;&nbsp; &nbsp;&nbsp;// Ciphertext: 4d95d2d6a07921024ea81cb440d8c3f669c606176957d497ce7f4eab279638d7e35bf397bd5ee301f06e15&nbsp; &nbsp;&nbsp;const&nbsp;uint8_t&nbsp;ciphertext_raw[] = {&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0x4d,&nbsp;0x95,&nbsp;0xd2,&nbsp;0xd6,&nbsp;0xa0,&nbsp;0x79,&nbsp;0x21,&nbsp;0x02,&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0x4e,&nbsp;0xa8,&nbsp;0x1c,&nbsp;0xb4,&nbsp;0x40,&nbsp;0xd8,&nbsp;0xc3,&nbsp;0xf6,&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0x69,&nbsp;0xc6,&nbsp;0x06,&nbsp;0x17,&nbsp;0x69,&nbsp;0x57,&nbsp;0xd4,&nbsp;0x97,&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0xce,&nbsp;0x7f,&nbsp;0x4e,&nbsp;0xab,&nbsp;0x27,&nbsp;0x96,&nbsp;0x38,&nbsp;0xd7,&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0xe3,&nbsp;0x5b,&nbsp;0xf3,&nbsp;0x97,&nbsp;0xbd,&nbsp;0x5e,&nbsp;0xe3,&nbsp;0x01,&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0xf0,&nbsp;0x6e,&nbsp;0x15&nbsp; &nbsp; };&nbsp; &nbsp;&nbsp;size_t&nbsp;message_len =&nbsp;sizeof(ciphertext_raw);&nbsp; &nbsp;&nbsp;size_t&nbsp;data_bit_size = message_len *&nbsp;8;
&nbsp; &nbsp;&nbsp;std::vector<uint8_t>&nbsp;ciphertext(message_len);&nbsp; &nbsp;&nbsp;std::vector<uint8_t>&nbsp;decrypted(message_len);
&nbsp; &nbsp; std::memcpy(ciphertext.data(), ciphertext_raw, message_len);
&nbsp; &nbsp;&nbsp;print_hex("Ciphertext (Hex)", ciphertext.data(), message_len);
&nbsp; &nbsp;&nbsp;// 4. Decrypt&nbsp; &nbsp;&nbsp;uint8_t&nbsp;tweak[8] = {0x01,&nbsp;0x02,&nbsp;0x03,&nbsp;0x04,&nbsp;0x05,&nbsp;0x06,&nbsp;0x07,&nbsp;0x08};&nbsp; &nbsp;&nbsp;size_t&nbsp;tweak_bit_size =&nbsp;64;
&nbsp; &nbsp;&nbsp;if&nbsp;(!hpc_decrypt(&state, ciphertext.data(), decrypted.data(), data_bit_size, tweak, tweak_bit_size)) {&nbsp; &nbsp; &nbsp; &nbsp; std::cerr <<&nbsp;"Decryption failed"&nbsp;<< std::endl;&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return&nbsp;1;&nbsp; &nbsp; }&nbsp; &nbsp;&nbsp;print_hex("Decrypted (Hex)", decrypted.data(), message_len);
&nbsp; &nbsp;&nbsp;// 5. Output
&nbsp; &nbsp;&nbsp;std::string&nbsp;decrypted_str(reinterpret_cast<char*>(decrypted.data()), message_len);&nbsp; &nbsp; std::cout <<&nbsp;"Decrypted Message: "&nbsp;<< decrypted_str << std::endl;
&nbsp; &nbsp;&nbsp;return&nbsp;0;}

后话

前面的内容就已经足够完成本题的解题了，接下来主要是聊点关于实现的问题。尽管前文我们说过，通过动态调试或运行时dump的方式已经能够完成本题，但是我相信有些选手可能会好奇，fini array 是如何被修改的，毕竟正常来说，开启了 FULL RELRO 的程序，运行时应该是无法修改的才对。

当然这也很好解答，正如所有 got 表项都在装载期间被写入，然后在写入后重新被改为只读一样，只需要在装载期间把 fini array 的数据改掉就行了。

但是如果直接在重定位表里添加对应的项目，智能的 IDA 会直接解析项目，然后把会被修改的地方提前改好。为了避免题目过于容易，因此我参考了之前 aliyunctf 用到的办法，说实话，真的很炫酷：通过修改重定位表项的数量，使得 ELF RELA Relocation Table 和 ELF JMPREL Relocation Table 相互重叠，造成对 ELF JMPREL Relocation Table 的二次解析。并在解析的过程中，修改 ELF JMPREL Relocation Table 的内容，这会让整个重定向表看起来正常不少。

具体来说：

R_X86_64_RELATIVE – *(uint64_t*)(elf_base+addr) = (elf_base+addend);
R_X86_64_COPY – 记指定 symbol 解析出来的地址为 symbol_value，则实际效果为 memcpy(elf_base+addr, symbol_value, symbol_size);

记得前面我们提到的那几份注入用的项目，其中新注入的几个 R_X86_64_RELATIVE 是用来修改 ELF Symbol Table 中 _ZNSt8ios_baseC2Ev 符号的 st_value 值，将其改为 0x1D18，不过 IDA 已经帮我们分析出来，并发现地址无法访问而标红了。

当程序解析到 R_X86_64_COPY _ZNSt8ios_baseC2Ev 时，会做类似 memcpy(base+0x0C7Ch,base+0x1D18,0xe) 的操作，目的是为了将 _ZNSt8ios_baseD2Ev 的元数据，这样，在接下来执行 R_X86_64_COPY _ZNSt8ios_baseD2Ev 的时候，就能将我们的目标数据写入到意想不到的地方去了。

具体来说，我们将 _ZNSt8ios_baseD2Ev 的符号值改为了 0x1a00 ，并修改了它的类型为 LOCAL，这样在执行 R_X86_64_COPY _ZNSt8ios_baseD2Ev 时，我们能够得到类似 memcpy(base+0x13D0,base+0x1a00,0x300)，这里的 0x13d0 就对应了 ELF JMPREL Relocation Table，相当于我们直接将下面的跳转重定向表的内容改掉，转而注入了新的项目。而注入内容来自于 0x1a00 处：

R_X86_64_SIZE64 – 指定 symbol index = 0，则该重定位项的实际效果为写 *(uint64_t*)(elf_base+addr) = (addend+0);
R_X86_64_RELATIVE – *(uint64_t*)(elf_base+addr) = (elf_base+addend);
R_X86_64_64 – *(uint64_t*)(elf_base+addr) = (symbol_value + addend);

其实就相当于一个任意地址读写，这里就对应我们向内存写入 shellcode 的实际项目了，当然除此之位还包含了原本的表项，否则正常数据不能解析会导致程序执行过程中 crash。

最后我们注入了这样的 shellcode：

/* The following constants will be overriden during build. */.equ ARRAY_OFFSET,&nbsp;0.equ CORRECT_OFFSET,&nbsp;0.equ MAIN_OFFSET_FROM_SHELLCODE,&nbsp;0.equ MAIN_SIZE,&nbsp;0
_begin:&nbsp; &nbsp; endbr64&nbsp; &nbsp;&nbsp;/* Save registers if needed, but we are in a shellcode that exits or returns */
&nbsp; &nbsp;&nbsp;/* Calculate shellcode base address and main address */&nbsp; &nbsp;&nbsp;call&nbsp;get_ripget_rip:&nbsp; &nbsp; pop r8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/* r8 = address of get_rip */&nbsp; &nbsp; sub r8, get_rip&nbsp;-&nbsp;_begin &nbsp; &nbsp;/* r8 = address of _begin (shellcode base) */
&nbsp; &nbsp; mov r9, r8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/* r9 = shellcode base */&nbsp; &nbsp;&nbsp;add&nbsp;r8, MAIN_OFFSET_FROM_SHELLCODE&nbsp;/* r8 = main address */
&nbsp; &nbsp;&nbsp;/* Calculate Magic Byte */&nbsp; &nbsp;&nbsp;/* r8 = main_addr */&nbsp; &nbsp; mov rcx, MAIN_SIZE&nbsp; &nbsp; xor r10, r10 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/* r10 = accumulator for magic byte */&nbsp; &nbsp; xor r11, r11 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/* r11 = temp for byte load */
calc_magic_loop:&nbsp; &nbsp; mov r11b, byte ptr [r8]&nbsp; &nbsp; xor r10b, r11b&nbsp; &nbsp; inc r8&nbsp; &nbsp; loop calc_magic_loop
&nbsp; &nbsp;&nbsp;/* r10b is the magic byte. Broadcast to 64-bit register r10 */&nbsp; &nbsp; movzx r10, r10b&nbsp; &nbsp; mov rax,&nbsp;0x0101010101010101&nbsp; &nbsp; imul r10, rax &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* r10 now has the magic byte repeated 8 times */
&nbsp; &nbsp;&nbsp;/* Load input array address */&nbsp; &nbsp;&nbsp;/* ARRAY_OFFSET is relative to RIP at the lea instruction location?&nbsp;&nbsp; &nbsp; &nbsp; &nbsp;No, in previous script it was calculated as:&nbsp; &nbsp; &nbsp; &nbsp;offset = target_addr - prepare_sc_buf.address - 5 - 6&nbsp; &nbsp; &nbsp; &nbsp;This implies it was relative to the instruction end?
&nbsp; &nbsp; &nbsp; &nbsp;The previous code used:&nbsp; &nbsp; &nbsp; &nbsp;lea rsi, [rip + ARRAY_OFFSET]
&nbsp; &nbsp; &nbsp; &nbsp;If we want to be consistent, we should keep using RIP-relative LEA for ARRAY_OFFSET&nbsp; &nbsp; &nbsp; &nbsp;if the Python script calculates it correctly.
&nbsp; &nbsp; &nbsp; &nbsp;However, since we now have the shellcode base in r9, we can use it!&nbsp; &nbsp; &nbsp; &nbsp;ARRAY_OFFSET passed from Python is (target_addr - shellcode_addr).&nbsp; &nbsp; &nbsp; &nbsp;So:&nbsp; &nbsp; */&nbsp; &nbsp; lea rsi, [r9&nbsp;+&nbsp;ARRAY_OFFSET]
&nbsp; &nbsp;&nbsp;/* Load target data address */&nbsp; &nbsp;&nbsp;/* target_data is at the end of shellcode.&nbsp;&nbsp; &nbsp; &nbsp; &nbsp;We can use RIP relative or base relative.&nbsp; &nbsp; &nbsp; &nbsp;Let's use base relative since we have r9.&nbsp; &nbsp; */&nbsp; &nbsp; lea rdi, [r9&nbsp;+&nbsp;target_data&nbsp;-&nbsp;_begin]
&nbsp; &nbsp;&nbsp;/* Loop counter */&nbsp; &nbsp; mov ecx,&nbsp;8&nbsp;&nbsp;/* 43 bytes / 8 = 5.375 -> 6 qwords?&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The target_data in previous tiara.s had 8 qwords.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The new ciphertext is 43 bytes.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;43 bytes needs 6 qwords (48 bytes).&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The last qword will be partially filled or 0-padded.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Let's assume 6 qwords.&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; */
compare_loop:&nbsp; &nbsp;&nbsp;/* Load value from input array */&nbsp; &nbsp; mov rax, [rsi]
&nbsp; &nbsp;&nbsp;/* XOR with magic */&nbsp; &nbsp; xor rax, r10
&nbsp; &nbsp;&nbsp;/* Load value from target data (already XORed with magic) */&nbsp; &nbsp; mov rbx, [rdi]
&nbsp; &nbsp;&nbsp;/* Compare */&nbsp; &nbsp; cmp rax, rbx&nbsp; &nbsp; jne fail
&nbsp; &nbsp;&nbsp;/* Next element */&nbsp; &nbsp;&nbsp;add&nbsp;rsi,&nbsp;8&nbsp; &nbsp;&nbsp;add&nbsp;rdi,&nbsp;8
&nbsp; &nbsp;&nbsp;/* Decrement counter */&nbsp; &nbsp;&nbsp;dec&nbsp;ecx&nbsp; &nbsp; jnz compare_loop
success:&nbsp; &nbsp; mov eax,&nbsp;1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* sys_write */&nbsp; &nbsp; mov edi,&nbsp;1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* stdout */&nbsp; &nbsp;&nbsp;/* CORRECT_OFFSET is relative to shellcode base?&nbsp;&nbsp; &nbsp; &nbsp; &nbsp;Previous script: offset2 = correct_addr - prepare_sc_buf.address - 0x40&nbsp; &nbsp; &nbsp; &nbsp;It seems it was trying to be RIP relative but with a weird offset.&nbsp; &nbsp; &nbsp; &nbsp;Let's assume CORRECT_OFFSET is (correct_addr - shellcode_addr).&nbsp; &nbsp; */&nbsp; &nbsp; lea rsi, [r9&nbsp;+&nbsp;CORRECT_OFFSET]&nbsp; &nbsp; mov edx,&nbsp;10&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* length */&nbsp; &nbsp; syscallfail:&nbsp; &nbsp; ret
/* Data section will be appended by Python script */target_data:

最终是将用户的输入走正常流程加密后的数据，跟注入到内存里的密文进行比较，一致的情况下用 syscall 直接输出标识。当然，为了增加一点点难度，用户输入还需要跟 main 函数的代码计算的 magic byte 做一次异或，因为我们在main函数里加了一点点反调试，所以如果有选手通过 patch 进行了这个操作，计算的 magic byte 会不一样，当然，才一字节，爆破一下也不是不行。

现在看来，整体的难度应该是比较低的，相比当时 aliyunctf 的原题，删减了很多关于隐藏执行流的内容，只保留了通过重定向表注入代码这项 trick，然后再加入一点点诱导 AI 行为的小巧思，主要还是希望选手们能够多动动手，实际去跑跑看，而不是直接让 AI 包办所有内容。

| 应该有不少能力不够强的 AI 在读到主流程里的比较函数之后走不动道，写来写去就盯着那个流程去跑了吧？

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：星盟安全团队 TokameinE TokameinE《PolarisCTF Reverse-ShakeLife WriteUp》