DASCTF 2023六月挑战赛 | 二进制专项 Reverse

careful

题目给出了一个恶意样本,请分析出样本请求服务器的域名(flag的形式为DASCTF{md5(域名)}) 其中md5值都是小写

首先动调可以得到这串

然而发现并不对
翻函数 翻到这里

得到真正的域名: Just_An_APIH00k11.com

babyre

Load了自身的cod后xor解密
注意动调的时候Input是作为命令行参数输入的

瞎翻函数列表翻到个RC4 而解压的资源强行F5得到的也是一个变形的RC4
在原来函数有修改!

#include<bits/stdc++.h>
using namespace std;
signed main(){
	unsigned char base64_table[44]={0xF7, 0x2E, 0x34, 0xF0, 0x72, 0xCF, 0x5E, 0x0A, 0xBB, 0xEC, 0xB1, 0x2B, 0x70, 0x88, 0x88, 0xED,
0x46, 0x38, 0xDB, 0xDA, 0x6C, 0xBD, 0xD4, 0x06, 0x77, 0xF2, 0xCF, 0x56, 0x88, 0xC6, 0x31, 0xD2,
0xB7, 0x5A, 0xC1, 0x42, 0xB0, 0xF4, 0x48, 0x37, 0xF5, 0x2C, 0xF5, 0x58};
	
	int s[256],k[256];
	int j=0;
	int key[10];
	key[0] = 93;
  key[1] = 66;
  key[2] = 98;
  key[3] = 41;
  key[4] = 3;
  key[5] = 54;
  key[6] = 71;
  key[7] = 65;
  key[8] = 21;
  key[9] = 54;
  int v8=0;unsigned int v7=0;
	for (int i = 0; i < 256; i++) {
            s[i] = i;
        }
    for(int i=0;i<256;i++){
    	int v9=s[i];
    	v7=(key[v8]+v9+2*v7)&255;
    	s[i]=s[v7];
    	s[v7]=v9;
    	if(++v8>=0xA)
    		v8=0;
	}
	int j2 = 0;
        int i3 = 0;
        int cnt=0;
        for (unsigned __int8 i4 : base64_table) {
        	i4 -= cnt%0xD;
        	i4 &= 255;
        	cnt++;
            i3 = (i3 + j2) & 255;
            j2 = (s[i3] + j2) & 255;
            int temp2 = s[i3];
            s[i3] = s[j2];
            s[j2] = temp2;
            int rnd = s[(s[i3] + j2+ s[j2]) & 255];
            cout<<( char(i4 ^ rnd))<<"";
        }


}

DASCTF{03446c2c-dff7-11ed-9285-54e1ad98d649}



... 没有IDA强行F5在那儿瞪了半天...233

ezexe

exe是py
解包后py反编译不完整

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.11

import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5

class _STARTUPINFO(Structure):
    _fields_ = [
        ('cb', c_ulong),
        ('lpReserved', c_char_p),
        ('lpDesktop', c_char_p),
        ('lpTitle', c_char_p),
        ('dwX', c_ulong),
        ('dwY', c_ulong),
        ('dwXSize', c_ulong),
        ('dwYSize', c_ulong),
        ('dwXCountChars', c_ulong),
        ('dwYCountChars', c_ulong),
        ('dwFillAttribute', c_ulong),
        ('dwFlags', c_ulong),
        ('wShowWindow', c_ushort),
        ('cbReserved2', c_ushort),
        ('lpReserved2', c_char_p),
        ('hStdInput', c_ulong),
        ('hStdOutput', c_ulong),
        ('hStdError', c_ulong)]


class _PROCESS_INFORMATION(Structure):
    _fields_ = [
        ('hProcess', c_void_p),
        ('hThread', c_void_p),
        ('dwProcessId', c_ulong),
        ('dwThreadId', c_ulong)]

StartupInfo = _STARTUPINFO()
ProcessInfo = _PROCESS_INFORMATION()
key1 = bytes(md5(b'bin1bin1bin1').hexdigest().encode())
file = open('bin1', 'rb').read()
arr = range(len(file))()
open('bin1', 'wb').write(bytes(arr))
sleep(0)
bet = ctypes.windll.kernel32.CreateProcessA(b'bin1', ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(0), byref(StartupInfo), byref(ProcessInfo))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ProcessInfo.hProcess), ctypes.c_int(-1))
open('bin1', 'wb').write(file)

得到key1后没找到怎么对bin2进行的加密
其实这种都猜的出来 要么AES 要么循环xor
所以查看pyc字节码:

from marshal import *
from dis import *

f = open(r"C:\Users\asus\Desktop\tmp\ez_exe.exe_extracted\ez_py.pyc","rb+").read()
dis(loads(f[16:]))

关键加密部分


Disassembly of <code object <listcomp> at 0x00000198A0EAB0E0, file "ez_py.py", line 59>:
 59           0 RESUME                   0
              2 BUILD_LIST               0
              4 LOAD_FAST                0 (.0)
        >>    6 FOR_ITER                50 (to 108)
              8 STORE_FAST               1 (i)
             10 LOAD_GLOBAL              0 (key1)
             22 LOAD_FAST                1 (i)
             24 LOAD_GLOBAL              3 (NULL + len)
             36 LOAD_GLOBAL              0 (key1)
             48 PRECALL                  1
             52 CALL                     1
             62 BINARY_OP                6 (%)
             66 BINARY_SUBSCR
             76 LOAD_GLOBAL              4 (file)
             88 LOAD_FAST                1 (i)
             90 BINARY_SUBSCR
            100 BINARY_OP               12 (^)
            104 LIST_APPEND              2
            106 JUMP_BACKWARD           51 (to 6)
        >>  108 RETURN_VALUE

发现是一个循环xor
根据提示... 把bin1bin1bin1换成bin2bin2bin2 作为key

一个xxtea
魔改了DELTA和加密的rounds

逆回去得到flag
DASCTF{7eb20cb2-deac-11ed-ae42-94085339ce84}

unsym

go逆向
lumina还原符号(貌似IDA8.3能自动还原go的符号)
可以看到大量与BigNum相关的Math运算库
FindCrypt找到 AES,b64特征

main_main:

__int64 __fastcall main_main()
{
  __int64 v0; // r14
  __int128 v1; // xmm15
  _QWORD *v2; // rax
  __int64 v3; // rax
  __int64 v4; // rbx
  __int64 v5; // rcx
  __int64 v6; // rdi
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rcx
  __int64 v10; // rdi
  __int64 v11; // rsi
  __int64 v12; // rax
  __int64 v13; // rbx
  __int64 v14; // rbx
  __int64 v15; // rax
  unsigned __int64 v16; // rcx
  __int64 i; // rdx
  unsigned __int64 v18; // rbx
  __int64 v19; // rax
  __int64 v20; // rax
  unsigned __int64 v21; // rcx
  __int64 File; // rax
  __int64 v23; // rax
  __int64 v24; // rcx
  __int64 v25; // rax
  __int64 v26; // rax
  __int64 j; // rcx
  __int64 v28; // rbx
  __int64 v29; // rax
  __int64 v31; // rax
  __int64 v32; // [rsp-38h] [rbp-230h]
  __int64 v33; // [rsp-38h] [rbp-230h]
  __int64 v34; // [rsp-38h] [rbp-230h]
  __int64 v35; // [rsp-38h] [rbp-230h]
  __int64 v36; // [rsp-30h] [rbp-228h]
  __int64 v37; // [rsp-30h] [rbp-228h]
  __int64 v38; // [rsp-30h] [rbp-228h]
  __int64 v39; // [rsp-28h] [rbp-220h]
  __int64 v40; // [rsp+18h] [rbp-1E0h]
  __int64 v41; // [rsp+28h] [rbp-1D0h]
  unsigned __int64 v42; // [rsp+38h] [rbp-1C0h]
  unsigned __int64 v43; // [rsp+38h] [rbp-1C0h]
  __int64 v44; // [rsp+48h] [rbp-1B0h] BYREF
  __int64 v45; // [rsp+50h] [rbp-1A8h]
  __int64 v46; // [rsp+58h] [rbp-1A0h] BYREF
  _QWORD v47[2]; // [rsp+62h] [rbp-196h]
  int v48; // [rsp+72h] [rbp-186h]
  __int16 v49; // [rsp+76h] [rbp-182h]
  __int64 v50; // [rsp+B8h] [rbp-140h]
  __int64 v51; // [rsp+C0h] [rbp-138h]
  __int64 v52; // [rsp+C8h] [rbp-130h]
  __int64 v53; // [rsp+D0h] [rbp-128h]
  __int64 v54; // [rsp+D8h] [rbp-120h]
  __int64 v55; // [rsp+E0h] [rbp-118h]
  __int64 v56; // [rsp+E8h] [rbp-110h]
  __int64 v57; // [rsp+F0h] [rbp-108h]
  __int64 v58; // [rsp+F8h] [rbp-100h]
  __int64 v59; // [rsp+100h] [rbp-F8h]
  _QWORD *v60; // [rsp+108h] [rbp-F0h]
  const char *v61; // [rsp+110h] [rbp-E8h]
  _QWORD *v62; // [rsp+118h] [rbp-E0h]
  void *v63; // [rsp+120h] [rbp-D8h]
  char **v64; // [rsp+128h] [rbp-D0h]
  __int128 v65; // [rsp+130h] [rbp-C8h]
  void *v66; // [rsp+140h] [rbp-B8h]
  char **v67; // [rsp+148h] [rbp-B0h]
  void *v68; // [rsp+150h] [rbp-A8h]
  char **v69; // [rsp+158h] [rbp-A0h]
  __int128 v70; // [rsp+160h] [rbp-98h]
  char v71; // [rsp+170h] [rbp-88h]
  __int64 v72; // [rsp+178h] [rbp-80h]
  __int128 v73; // [rsp+180h] [rbp-78h]
  char v74; // [rsp+190h] [rbp-68h]
  __int64 v75; // [rsp+198h] [rbp-60h]
  __int128 v76; // [rsp+1A0h] [rbp-58h]
  unsigned __int8 v77; // [rsp+1B0h] [rbp-48h]
  __int64 v78; // [rsp+1B8h] [rbp-40h]
  __int128 v79; // [rsp+1C0h] [rbp-38h]
  char v80; // [rsp+1D0h] [rbp-28h]
  __int64 *v81; // [rsp+1D8h] [rbp-20h]
  __int64 v82; // [rsp+1E0h] [rbp-18h]
  __int64 v83; // [rsp+1E8h] [rbp-10h]

  if ( (unsigned __int64)&v44 <= *(_QWORD *)(v0 + 16) )
    runtime_morestack_noctxt();
  v71 = 0;
  v72 = 0LL;
  v73 = v1;
  math_big__Int_SetString();
  v32 = runtime_newobject();
  v60 = v2;
  *v2 = 0LL;
  v63 = &unk_4C9780;
  v64 = &off_506CD0;
  fmt_Fprint();
  v61 = "\b";
  v62 = v60;
  fmt_Fscanln();
  v3 = *v60;
  v59 = *v60;
  v4 = v60[1];
  v45 = v4;
  v5 = 0LL;
  v6 = 0LL;
  while ( v5 < v4 )
  {
    v55 = v6;
    if ( *(unsigned __int8 *)(v3 + v5) >= 0x80u )
    {
      runtime_decoderune();
      v9 = v4;
    }
    else
    {
      v9 = v5 + 1;
    }
    v44 = v9;
    v65 = v1;
    v7 = runtime_convT64();
    *(_QWORD *)&v65 = "\b";
    *((_QWORD *)&v65 + 1) = v7;
    fmt_Sprintf();
    v8 = runtime_concatstring2();
    v5 = v44;
    v6 = v8;
    v3 = v59;
    v4 = v45;
  }
  v46 = 65537LL;
  v80 = 0;
  v81 = &v46;
  v82 = 1LL;
  v83 = 1LL;
  v77 = 0;
  v78 = 0LL;
  v79 = v1;
  v74 = 0;
  v75 = 0LL;
  v76 = v1;
  math_big__Int_SetString();
  sub_4AFAA0();
  v10 = v77;
  v11 = 16LL;
  v36 = sub_4BA240(v32);
  v13 = v12;
  v52 = runtime_slicebytetostring();
  runtime_makeslice();
  if ( v13 == 57 && (unsigned __int8)runtime_memequal() )
  {
    v14 = *v60;
    v15 = runtime_stringtoslicebyte();
    v47[0] = 0x504D5404501D282FLL;
    v47[1] = 0x3D5B2A485C5917LL;
    v48 = 54333973;
    v49 = 4888;
    for ( i = 0LL; i < 22; ++i )
      *((_BYTE *)v47 + i) ^= aVghpc19pc19hx2[i];
    v43 = v16;
    v54 = v15;
    v70 = v1;
    runtime_slicebytetostring();
    v31 = runtime_convTstring();
    *(_QWORD *)&v70 = &unk_4C9780;
    *((_QWORD *)&v70 + 1) = v31;
    v10 = 1LL;
    v11 = 1LL;
    sub_4A2160();
    v21 = v43;
    v20 = v54;
  }
  else
  {
    v18 = encoding_base64__Encoding_DecodeString();
    v19 = runtime_slicebytetostring();
    if ( v18 < 0x10 )
      runtime_panicSliceAlen(v33, v36);
    v14 = v19;
    v20 = runtime_stringtoslicebyte();
  }
  v42 = v21;
  v54 = v20;
  File = os_ReadFile();
  if ( v10 )
  {
LABEL_26:
    v50 = v11;
    v68 = &unk_4C9780;
    v69 = &off_506CE0;
    sub_4A2160();
    while ( 1 )
      runtime_gopanic(v33, v36);
  }
  v51 = File;
  v23 = crypto_aes_NewCipher();
  if ( v24 )
  {
    runtime_gopanic(v33, v36);
    goto LABEL_26;
  }
  v56 = v14;
  v59 = v23;
  v25 = (*(__int64 (**)(void))(v23 + 24))();
  if ( !v25 )
    runtime_panicdivide();
  v40 = v25 - 7 % v25;
  v39 = runtime_makeslicecopy(v33, v36);
  for ( j = 7LL; j < v40 + 7; ++j )
    *(_BYTE *)(v26 + j) = v40;
  v58 = v26;
  if ( (*(__int64 (**)(void))(v59 + 24))() > v42 )
LABEL_23:
    runtime_panicSliceAcap(v34, v37);
  v28 = v56;
  crypto_cipher_NewCBCEncrypter(v34, v37, v39);
  v41 = v29;
  v53 = v28;
  v57 = runtime_makeslice();
  (*(void (**)(void))(v41 + 32))();
  if ( os_WriteFile() )
  {
    runtime_gopanic(v35, v38);
    goto LABEL_23;
  }
  v66 = &unk_4C9780;
  v67 = &off_506CF0;
  return sub_4A2160();
}

用7.5才能调... 7.7 IDA encouteredxxx 8.3 user credential...
方法就是 8.3识别出go的main_main位置4bee60 然后7.5 Lumina恢复符号后动调...
而且7.xF5不带显示大整数的... 还要从8.3的来看... 难绷...
第一层是RSA 解出来 key: E@sy_RSA_enc7ypt
然后后面的CBC调试猜测IV和key一样
解个CBC即可

from Crypto.Cipher import AES
from Crypto.Util.number import *

data = open(r"D:\浏览器下载\unsym\encrypted.bin","rb+").read()
key = b'E@sy_RSA_enc7ypt'
iv = b'E@sy_RSA_enc7ypt'
cbc = AES.new(key,AES.MODE_CBC,iv)
with open(r"D:\浏览器下载\unsym\encrypted.bin","rb+") as f:
    f.write(cbc.decrypt(data))

运行即可得到flag

DASCTF{bbcd7a90e82cd4a32355f05871fc33}

cap

以前Reversing.kr做过位图相关 一般都是一个屏幕截图进行位图操作
这里由于已知是BMP文件 文件头: 42 4D 固定 xor后得到 n c
再动调这里
 


发现是一个循环xor 那么就是从n开始的循环xor

from Crypto.Util.number import *
key = [0x5F,0x62,0x79,0x5F,0x64,0x61,0x73,0x63,0x74,0x66,0x65,0x6E,0x63,0x5F,0x62]

key = "enc_by_dasctf"
data = open(r"D:\浏览器下载\cap\cap2.bin","rb+").read()
with open(r"D:\浏览器下载\cap\dec.bmp","rb+") as f:
    for i in range(len(data)):
        x = data[i]^ord(key[(i+1)%len(key)])
        f.write(long_to_bytes(x))
print(chr(0x2C^0x42))

得到图片

DASCTF{3d0bd550-edbe-11ed-b2a3-f1d90bff20c4}

  • 19
    点赞
  • 28
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值