maybe_xor
This challenge feels a bit odd.
There are many ways to solve it; Qiling is one of them.
I am about to send you 128 base64-encoded ELF files, which load a value onto the stack, then do an XOR operation.
But I forgot to write the value after the XOR back onto the stack. Can you send back the value after XOR as a hex string for me?
You must analyze them all in under 120 seconds
Let's start with a warmup
ELF: (base64-encoded ELF omitted)
Expected bytes: 59d1d959839851d5cf4d84add7756a94a34e0f66e77fa51e
Bytes? y
Incorrect...
Try again
exp:
import base64
from qiling import Qiling
from qiling.const import QL_VERBOSE
from pwn import *

xor_key = []  # immediates of every `xor al, imm` executed, in execution order

def hook_code(ql, address, size, user_data):
    # user_data is the Capstone disassembler; disassemble the instruction about to execute
    buf = ql.mem.read(address, size)
    asm = next(user_data.disasm(buf, address))
    x = f"{asm.mnemonic} {asm.op_str}"
    if 'xor' in x and 'al' in x:
        # op_str looks like "al, 0x5a"; the immediate follows ", "
        xor_key.append(int(asm.op_str[asm.op_str.index(',') + 2:], 16))

context(os='linux', arch='amd64', log_level='debug')
io = remote('hnctf.imxbt.cn', 33534)

# warmup: the server prints the expected bytes, so just echo them back
io.recvuntil(b'Expected bytes: ')
a = io.recv(48)
io.sendlineafter(b'Bytes? ', a)

for i in range(128):
    io.recvuntil(b'ELF: ')
    encoded_elf = io.recvuntil(b'\n').strip()
    with open("./111", "wb") as file:
        file.write(base64.b64decode(encoded_elf))

    ql = Qiling(["./111"], verbose=QL_VERBOSE.OFF)
    ql.arch.disassembler.detail = True
    ql.mem.map(0x10000, 0x10000)
    ql.hook_code(hook_code, user_data=ql.arch.disassembler)
    ql.run()

    # after the run, the 25 bytes below rsi are what the binary loaded onto the stack;
    # the last 24 of them are the value, XORed byte-for-byte with the collected keys
    rsi_value = ql.arch.regs.rsi
    stack_bytes = ql.mem.read(rsi_value - 25, 25)[1:25]
    enc = bytes(stack_bytes[j] ^ xor_key[j] for j in range(0x18)).hex().encode()
    io.sendlineafter(b'Bytes? ', enc)
    print(i)
    xor_key = []  # reset for the next binary

io.interactive()
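The hook above keys on the loose test 'xor' in x and 'al' in x and then slices op_str after the comma, which breaks on anything like xor al, al and silently misaligns the result if the trace contains an unexpected XOR. The following is an added example (my own code, not the writeup's exploit) that models the two offline steps of the solve on a constructed trace: collecting the immediates from Capstone-style "mnemonic op_str" lines with strict patterns, and XORing them against the bytes loaded onto the stack. The trace, the store pattern and the values are assumptions made for this example; the real solve reads the stack bytes from emulated memory and handles 24 bytes, whereas the sample uses three.

```python
import re
from typing import Iterable, List

# Constructed sample trace: one "mnemonic op_str" line per executed instruction,
# in the format the Qiling hook_code callback sees from Capstone. This is not a
# real challenge binary; stores, immediates and the stray XORs are made up.
SAMPLE_TRACE = """
push rbp
mov rbp, rsp
mov byte ptr [rsp - 0x18], 0x41
mov byte ptr [rsp - 0x17], 0x42
mov byte ptr [rsp - 0x16], 0x43
xor eax, eax
mov al, byte ptr [rsp - 0x18]
xor al, 0x5a
mov al, byte ptr [rsp - 0x17]
xor al, 0x13
mov al, byte ptr [rsp - 0x16]
xor al, 255
xor al, al
pxor xmm0, xmm0
ret
""".strip().splitlines()

# Strict patterns: an 8-bit XOR with an immediate, and a byte store of an
# immediate to the stack. `xor al, al`, `xor eax, ...` and SSE xors never match.
XOR_AL_IMM = re.compile(r"^xor\s+al\s*,\s*(0x[0-9a-fA-F]+|\d+)$")
STORE_BYTE_IMM = re.compile(r"^mov\s+byte ptr \[[^\]]*\]\s*,\s*(0x[0-9a-fA-F]+|\d+)$")


def _imm(text: str) -> int:
    # Capstone prints hex with 0x; small values may come out decimal.
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def _immediates(trace: Iterable[str], pattern: re.Pattern) -> List[int]:
    out = []
    for line in trace:
        m = pattern.match(line.strip())
        if m:
            out.append(_imm(m.group(1)))
    return out


def collect_xor_keys(trace: Iterable[str]) -> List[int]:
    """Immediates of every `xor al, imm`, in execution order."""
    return _immediates(trace, XOR_AL_IMM)


def collect_stack_bytes(trace: Iterable[str]) -> bytes:
    """Bytes the binary stored onto the stack (assumed: one byte store each)."""
    return bytes(_immediates(trace, STORE_BYTE_IMM))


def recover(stack_bytes: bytes, keys: List[int]) -> str:
    """XOR loaded bytes with the keys and return the hex string the checker wants.
    A count mismatch means the hook captured the wrong set of XORs; fail loudly
    instead of sending a misaligned answer."""
    if len(keys) != len(stack_bytes):
        raise ValueError(f"{len(keys)} keys for {len(stack_bytes)} bytes: "
                         "hook captured too many or too few xor instructions")
    return bytes(b ^ k for b, k in zip(stack_bytes, keys)).hex()


def solve_trace(trace: Iterable[str]) -> str:
    return recover(collect_stack_bytes(trace), collect_xor_keys(trace))


if __name__ == "__main__":
    print(solve_trace(SAMPLE_TRACE))  # 1b51bc
```

The length check is the part worth carrying back into a live solve: with 128 binaries and a 120-second budget, one misaligned key list costs a round, and an exception is easier to spot than "Incorrect...".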
References:
Getting started with Qiling Framework: 11 challenges for a quick start - Zhihu
Shielder - QilingLab – Release
Baby_OBVBS
494 pts
I hear you're a VBS expert, come and have a go.
Run it with wscript or cscript.
It asks for a key; by testing, you find the key is 6 characters long.
Looking at the source:
It's mostly basic arithmetic (add, subtract, multiply, divide). Deobfuscate it first.
Regular expressions are one option for the deobfuscation, but I find that too tedious
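Folding arithmetic-wrapped string construction is the mechanical part of this kind of deobfuscation. The following is an added example (my own code, not the writeup's solution) that does it on a constructed VBS line; the page does not show the challenge's real source, so the shape assumed here, Chr() calls whose arguments are add/subtract/multiply/divide expressions joined with &, and the key "secret", are assumptions for illustration. The regex the text mentions only locates the calls; a restricted AST walker evaluates the arithmetic, so script text is never passed to eval().

```python
import ast
import operator
import re

# Constructed sample in the assumed obfuscation style. NOT the challenge's
# real source; the recovered key "secret" is made up for this example.
SAMPLE_VBS = ('key = Chr(230/2) & Chr((10*10)+1) & Chr(3*33) '
              '& Chr(120-6) & Chr(505/5) & Chr(4*29)')

# VBS `/` is floating-point division, like Python's truediv.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def eval_arith(expr: str) -> int:
    """Evaluate an expression made only of integer literals, + - * / and
    parentheses. Names, calls, ** and anything else are rejected, so untrusted
    script text is never handed to eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported syntax in {expr!r}")
    value = walk(ast.parse(expr, mode="eval"))
    if value != int(value):
        raise ValueError(f"non-integer Chr() argument: {expr!r}")
    return int(value)


# Only arguments built from digits, operators, parentheses and spaces match,
# so Chr(x + 1) with a variable is left untouched rather than mis-evaluated.
CHR_CALL = re.compile(r"Chr\(([0-9+\-*/() ]+)\)")


def fold_chr(vbs: str) -> str:
    """Replace every Chr(<constant arithmetic>) with the character it yields."""
    return CHR_CALL.sub(lambda m: '"' + chr(eval_arith(m.group(1))) + '"', vbs)


def join_literals(vbs: str) -> str:
    """Merge adjacent "a" & "b" literals into "ab"."""
    return re.sub(r'"\s*&\s*"', "", vbs)


def deobfuscate(vbs: str) -> str:
    return join_literals(fold_chr(vbs))


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBS))  # key = "secret"
```

Run over the whole script this leaves the control flow intact and only collapses the string building, which is usually enough to read off what the key comparison does. Characters such as the double quote (Chr(34)) would need escaping before being spliced into a literal; the sample avoids them.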