Moectf第二周

最新推荐文章于 2024-09-06 11:17:40 发布

神明亦是罪人

最新推荐文章于 2024-09-06 11:17:40 发布

阅读量760

点赞数 5

文章标签：网络安全

本文链接：https://blog.csdn.net/2303_81165358/article/details/141362003

版权

UPX

脱壳

打开

moectf{ec5390dd-f8cf-4b02-bc29-3bb0c5604c29}就是flag

dymanic

打开后寻找字符串

定位到可疑字符串

交叉引用进新函数

这里提示“Your Flag has REencrypted.”也就是在这句话前面还是正确的flag，在合适的位置下断点

调试

跟踪进v5

flag就是这个了

upx_revenge

upx -d 脱壳失败了，那么需要手动脱壳

用ESP定律脱完壳后用插件生成去壳的文件，用ida打开

跟进aMoectf554ea35c里面

flag直接就出了。

xtea

打开

寻找字符串

跟进去

输入十二个字节的数据，然后前面8个字节进行一次加密，后面第5到第12个字节再进行加密，两次加密后的结果再与数据比较。跟进加密函数

是一个魔改了的tea加密，编写脚本如下：

#include<stdio.h> 
#include<stdint.h>
void decrypt(uint32_t* v,uint32_t* key)
{
	uint32_t k0,k2,k3,k1;
	uint32_t v0,v1;
	v0=v[0],v1=v[1];
	k0=key[0],k1=key[1],k2=key[2],k3=key[3];
	uint32_t delta=0x33004445,sum=0-0x33004445*32;
	for(int i=0;i<32;i++)
	{
		v1-=(v0 + ((v0 >> 5) ^ (16 * v0)) ) ^ (key[ ((sum >> 11) & 3)]+ sum);
		sum+=delta;
		v0-=(key[ (sum & 3)]+ sum) ^ (v1 + ((v1 >> 5) ^ (16 * v1)));
	}
	v[0]=v0,v[1]=v1;
}
int main()
{
	char s[12]={0xA3, 0x69, 0x96, 0x26, 0xBD, 0x78, 0x0B, 0x3D, 0x9D, 0xA5, 0x28, 0x62 };
	uint32_t key[4]={2,0,2,4};
	decrypt((uint32_t*)&s[4],key);
	decrypt((uint32_t*)&s[0],key);
	printf("%s",s);		  
 }

运行

d0tN3t

用dnspy打开

输入数据进行加密后比较，加密流程：

直接暴力解法：

#include <stdio.h>
#include <stdint.h>
int main()
{

	uint8_t arr[]={173, 146, 161, 174, 132, 179, 187, 234, 231, 244,
			177, 161, 65, 13, 18, 12, 166, 247, 229, 207,
			125, 109, 67, 180, 230, 156, 125, 127, 182, 236,
			105, 21, 215, 148, 92, 18, 199, 137, 124, 38,
			228, 55, 62, 164};
	int x;
	for(int i=0;i<44;i++)
	{
		for(int j=0;j<127;j++)
		{
			if((uint8_t)((int)(((uint8_t)j + 114) ^ 114) ^ (i * i)) == arr[i])
			{
				printf("%c",j);
			}
		}
	}
    return 0;
}

运行：

rc4

打开后查找字符串

跟进

这里进行了RC4加密

写脚本

#include<stdio.h>
#include<string.h>
typedef unsigned longULONG;
/*初始化函数*/
void rc4_init(unsigned char*s, unsigned char*key, unsigned long Len)
{
    int i = 0, j = 0;
    char k[256] = { 0 };
    unsigned char tmp = 0;
    for (i = 0; i<256; i++)
    {
        s[i] = i;
        k[i] = key[i%Len];
    }
    for (i = 0; i<256; i++)
    {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];//交换s[i]和s[j]
        s[j] = tmp;
    }
} 
/*加解密*/
void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len)
{
    int i = 0, j = 0, t = 0;
    unsigned long k = 0;
    unsigned char tmp;
    for (k = 0; k<Len; k++)
    {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        tmp = s[i];
        s[i] = s[j];//交换s[x]和s[y]
        s[j] = tmp;
        t = (s[i] + s[j]) % 256;
        Data[k] ^= s[t];
    }
}

int main()
{
    unsigned char flag[]=
    {
     	 0xA7,0x1A,0x68,0xEC,0xD8,0x27,0x11,0xCC,0x8C,0x9B,0x16,0x15,0x5C,0xD2,0x67,0x3E,0x82,0xAD,0xCE,0x75,0xD4,
		 0xBC,0x57,0x56,0xC2,0x8A,0x52,0xB8,0x6B,0xD6,0xCC,0xF8,0xA4,0xBA,0x72,0x2F,0xE0,0x57,0x15,0xB9,0x24,0x11
    };
    unsigned char key[]="RC4_1s_4w3s0m3";
    unsigned  char s[256]={0};
    rc4_init(s,key,14);
    rc4_crypt(s,flag,42);
    int i;
    for(i=0;i<=42;i++){
		printf("%c",flag[i]);
	}

运行