{"id":132,"date":"2023-02-03T23:34:56","date_gmt":"2023-02-03T15:34:56","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=132"},"modified":"2023-02-04T17:19:37","modified_gmt":"2023-02-04T09:19:37","slug":"%e8%a5%bf%e6%b9%96%e8%ae%ba%e5%89%912022-misc-isolated-machine-memory-analysis-writeup","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/132","title":{"rendered":"\u897f\u6e56\u8bba\u52512022-Misc Isolated Machine Memory Analysis Writeup"},"content":{"rendered":"
\n

\u672c\u9898\u8d5b\u540e\u4e0e\u7a7a\u767d\u5171\u540c\u5b8c\u6210<\/p>\n<\/blockquote>\n

\u4e0a\u624b\u5148imageinfo<\/p>\n

\"\"<\/p>\n

\u7136\u540e\u770b\u770b\u8fdb\u7a0b<\/p>\n

\"\"<\/p>\n

\u5176\u4e2d\u6709\u51e0\u4e2a\u6709\u70b9\u53ef\u7591<\/p>\n

VBoxTray.exe\uff1a\u7c7b\u4f3cvmtool\nClipboardMonitor\uff1a\u526a\u5207\u677f\u76d1\u63a7\u8f6f\u4ef6\nmstsc.exe\uff1a\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5<\/code><\/pre>\n
\u4e8e\u662f\u53ef\u4ee5\u5148\u770b\u770b\u526a\u5207\u677f<\/p>\n
\"\"<\/p>\n
\u5f97\u5230\u4e00\u4e2a\u516c\u94a5\uff0c\u5148\u653e\u7740<\/p>\n
-----BEGIN PUBLIC KEY-----\nMFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5rywC5byIuBkPhwkyv57R\n756DUCD9i2MWYyUs0Acc6JZwyqVOmR74uMvreI2slle4Gy7Hl6PcXxECAQI=\n-----END PUBLIC KEY-----<\/code><\/pre>\n
\u518d\u770b\u770b\u622a\u5c4f<\/p>\n
volatility -f CharlieBrown-PC.elf --profile=Win7SP1x64 screenshot -D .\/file\/<\/code><\/pre>\n
\"\"<\/p>\n
\u53ef\u4ee5\u770b\u51fa\u7a97\u53e3\u4e0a\u4e00\u4e2a\u5730\u5740\uff0c\u7ed3\u5408\u9898\u76ee\u63cf\u8ff0\uff0c\u8fd9\u53ef\u80fd\u662f\u4e0e\u7814\u53d1\u670d\u52a1\u5668\u4e4b\u95f4\u7684\u8fdc\u7a0b\u8fde\u63a5\uff0cnetscan\u4e5f\u8bc1\u5b9e\u4e86\u8fd9\u4e00\u70b9<\/p>\n
\"\"<\/p>\n
\u4e8e\u662f\u60f3\u5230\u53bb\u627e\u4e00\u627ebmc\u6587\u4ef6\u770b\u770b\u80fd\u4e0d\u80fd\u63d0\u53d6\u4e00\u4e9b\u7ebf\u7d22\uff0c\u7ed3\u679c\u627e\u5230\u662f\u627e\u5230\u4e86\uff0c\u4f46\u662f\u4e0d\u80fd\u4ece\u91cc\u9762\u63d0\u53d6\u51fa\u6765\u4e1c\u897f<\/p>\n
\u4e8e\u662fdump\u4e0bmstsc.exe\u7684\u5185\u5b58\uff0c\u5c06\u5176\u540e\u7f00\u6539\u4e3adata\u5e76\u7528gimp\u6253\u5f00\uff0c\u627e\u4e2a\u5e38\u89c1\u5206\u8fa8\u73871280x720\u5c31\u5f00\u59cb\u8c03\u4f4d\u79fb\uff0c\u7ed3\u679c\u770b\u5230\u8fd9\u6837\u4e00\u5e45\u56fe<\/p>\n
\"\"<\/p>\n
\u8bf4\u662f\u627e\u7684\u4e1c\u897f\u4e0d\u5728\u5185\u5b58\u91cc\uff0cemmm\u4e0d\u597d\u8bf4<\/p>\n
\u63a5\u4e0b\u6765\u770b\u770bhint\uff0c\u7b2c\u4e00\u6761hint\u7ed9\u4e86\u4e00\u5f20\u56fe\u7247\uff0c\u4f3c\u4e4e\u662fvbox\u663e\u793a\u5668\u548c\u663e\u5361\u7684\u4e00\u4e9b\u914d\u7f6e<\/p>\n
\uff1f\u663e\u5361\uff1f\uff01\u663e\u5b58\uff01<\/p>\n
\u6839\u636ehint3\u53ef\u4ee5\u4f7f\u7528volatility\u7684vboxinfo\u63d2\u4ef6\u627e\u5230\u8be5\u5185\u5b58\u4e2d\u663e\u5b58\u7684\u4f4d\u7f6e<\/p>\n
\"\"<\/p>\n
\u4e8e\u662f\u53ef\u4ee5\u627e\u5230\u663e\u5b58\u5728\u5185\u5b58\u6587\u4ef6\u4e2d\u7684\u504f\u79fb0xdffcda2c=3757890092\u4ee5\u53ca\u5927\u5c0f0x2000000=33554432\uff0c\u7528dd\u547d\u4ee4\u63d0\u53d6\u4e00\u4e0b<\/p>\n
dd if=CharlieBrown-PC.elf of=vram skip=3757890092 bs=1 count=33554432<\/code><\/pre>\n
\u8fd9\u6837\u5f97\u5230\u7684\u5c31\u662f\u663e\u5b58\uff0c\u663e\u5b58\u91cc\u9762\u7684\u5219\u662f\u56fe\u50cf\u6570\u636e\uff0c\u7ed3\u5408hint\u6240\u7ed9\u76841440x900\u7684\u5206\u8fa8\u7387\u4ee5\u53ca32\u7684\u4f4d\u6df1\u5ea6\uff0c\u5199\u4e2a\u811a\u672c\u8fd8\u539f\u4e0b\u539f\u56fe<\/p>\n
from PIL import Image\n\nwidth = 1440\nheight = 900\nflag = open('vram','rb').read()\n\ndef makeSourceImg():\n    img = Image.new('RGBA', (width, height))\n    x = 0\n    for i in range(height):\n        for j in range(width):\n            img.putpixel((j, i), (flag[x], flag[x + 1], flag[x + 2],flag[x+3]))\n            x += 4\n    return img\n\nimg = makeSourceImg()\nimg.save('1.png')<\/code><\/pre>\n
\u54c8\u54c8\u6210\u529f\u4e86<\/p>\n
\"\"<\/p>\n
\u8fd9\u4e0b\u5c31\u77e5\u9053\u4e86flag\u7684\u52a0\u5bc6\u7b97\u6cd5\uff0c\u4f7f\u7528\u4e0a\u9762\u7684\u516c\u94a5\u89e3\u5bc6\u5c31\u597d\u4e86<\/p>\n
c:451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433<\/code><\/pre>\n
\"\"<\/p>\n
e:2\nn:6761456110411637567688581808417563265129495172728559363264959694161676396727177452588827048488546653264235848263182009106217734439508352645687684489830161<\/code><\/pre>\n
\u5f97\u5230pq<\/p>\n
p:79346858353882639199177956883793426898254263343390015030885061293456810296567\nq:85213910804835068776008762162103815863113854646656693711835550035527059235383<\/code><\/pre>\n
\u89e3\u5bc6<\/p>\n
import gmpy2\n\ndef rabin_decrypt(c, p, q, e=2):\n    n = p * q\n    mp = pow(c, (p + 1) \/\/ 4, p)\n    mq = pow(c, (q + 1) \/\/ 4, q)\n    yp = gmpy2.invert(p, q)\n    yq = gmpy2.invert(q, p)\n    r = (yp * p * mq + yq * q * mp) % n\n    rr = n - r\n    s = (yp * p * mq - yq * q * mp) % n\n    ss = n - s\n    return (r, rr, s, ss)\n\nc = 451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433\np = 79346858353882639199177956883793426898254263343390015030885061293456810296567\nq = 85213910804835068776008762162103815863113854646656693711835550035527059235383\nm = rabin_decrypt(c,p,q)\nfor i in range(4):\n    try:\n        print(bytes.fromhex(hex(m[i])[2:]))\n    except:\n        pass<\/code><\/pre>\n
\"\"<\/p>\n
DASCTF{It5_dIr3c7Ly_c0rR3l4T3d_t0_7He_d1M35}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u672c\u9898\u8d5b\u540e\u4e0e\u7a7a\u767d\u5171\u540c\u5b8c\u6210 \u4e0a\u624b\u5148imageinfo \u7136\u540e\u770b\u770b\u8fdb\u7a0b \u5176\u4e2d\u6709\u51e0\u4e2a\u6709\u70b9\u53ef\u7591 VBoxTray.exe\uff1a\u7c7b\u4f3cvmtool ClipboardMonitor\uff1a\u526a\u5207\u677f\u76d1\u63a7\u8f6f\u4ef6 mstsc.exe\uff1a\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5 \u4e8e\u662f\u53ef\u4ee5\u5148\u770b\u770b\u526a\u5207\u677f \u5f97\u5230\u4e00\u4e2a\u516c\u94a5\uff0c\u5148\u653e\u7740 —–BEGIN PUBLIC KEY—– MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5r […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=132"}],"version-history":[{"count":4,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":136,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/132\/revisions\/136"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}