1、 EasyRe
IDA载入附件,搜索字符串得 flag:
FLAG:flag{fc5e038d38a57032085441e7fe7010b0}
2、 findme
常规的流程,flag的加密和校验都在 off_403844:
跟进去发现 指向strcmp:
然后它又被 sub_401A0E 动过,向上回溯:
所以我们的目标是 sub_401866:
大概看了一下,确定是 RC4,整体还是挺干净的就一个库函数 strlen,当时是想偷懒,用以前的Unicorn脚本改了一下直接跑出来的:
from unicorn import *
from unicorn.x86_const import *
from capstone import *
import binascii
chall_base = 0x400000 # 程序加载的地址
chall_stack_base = 0x470000
with open("chall.exe", "rb") as f:
f.seek(0x400)
code = f.read()
f.close()
with open("chall.mem", "rb") as f:
chall_mem = f.read()
f.close()
ascii_code = [
b'\x00', b'\x01', b'\x02', b'\x03', b'\x04', b'\x05', b'\x06', b'\x07', b'\x08', b'\x09', b'\x0a', b'\x0b',
b'\x0c', b'\x0d', b'\x0e', b'\x0f', b'\x10', b'\x11', b'\x12', b'\x13', b'\x14', b'\x15', b'\x16', b'\x17',
b'\x18', b'\x19', b'\x1a', b'\x1b', b'\x1c', b'\x1d', b'\x1e', b'\x1f', b'\x20', b'\x21', b'\x22', b'\x23',
b'\x24', b'\x25', b'\x26', b'\x27', b'\x28', b'\x29', b'\x2a', b'\x2b', b'\x2c', b'\x2d', b'\x2e', b'\x2f',
b'\x30', b'\x31', b'\x32', b'\x33', b'\x34', b'\x35', b'\x36', b'\x37', b'\x38', b'\x39', b'\x3a', b'\x3b',
b'\x3c', b'\x3d', b'\x3e', b'\x3f', b'\x40', b'\x41', b'\x42', b'\x43', b'\x44', b'\x45', b'\x46', b'\x47',
b'\x48', b'\x49', b'\x4a', b'\x4b', b'\x4c', b'\x4d', b'\x4e', b'\x4f', b'\x50', b'\x51', b'\x52', b'\x53',
b'\x54', b'\x55', b'\x56', b'\x57', b'\x58', b'\x59', b'\x5a', b'\x5b', b'\x5c', b'\x5d', b'\x5e', b'\x5f',
b'\x60', b'\x61', b'\x62', b'\x63', b'\x64', b'\x65', b'\x66', b'\x67', b'\x68', b'\x69', b'\x6a', b'\x6b',
b'\x6c', b'\x6d', b'\x6e', b'\x6f', b'\x70', b'\x71', b'\x72', b'\x73', b'\x74', b'\x75', b'\x76', b'\x77',
b'\x78', b'\x79', b'\x7a', b'\x7b', b'\x7c', b'\x7d']
class Unidbg:
def __init__(self, flag, except_hit):
self.except_hit = except_hit
self.hit = 0
self.flag = flag
self.fff = 0
self.temp = 0
mu = Uc(UC_ARCH_X86, UC_MODE_32)
# 程序基址为 0x1000,分配 128 KB内存
mu.mem_map(chall_base, 0x100000)
mu.mem_write(0x401000, code)
mu.mem_write(0x420000, b'SETCTF2021\x00')
mu.mem_write(0x420022, self.flag)
mu.mem_write(0x403000, chall_mem)
mu.mem_write(chall_stack_base + 0, b'\x00\x00\x42\x00')
mu.mem_write(chall_stack_base + 4, b'\x00\x00\x42\x00')
mu.mem_write(chall_stack_base + 8, b'\x22\x00\x42\x00')
# 设置寄存器的值
mu.reg_write(UC_X86_REG_EAX, 0x00401866)
mu.reg_write(UC_X86_REG_EBX, 0x00000001)
mu.reg_write(UC_X86_REG_ECX, 0x00406040)
mu.reg_write(UC_X86_REG_EDX, 0)
mu.reg_write(UC_X86_REG_ESI, 0)
mu.reg_write(UC_X86_REG_EDI, 0)
mu.reg_write(UC_X86_REG_EBP, chall_stack_base + 0x50)
mu.reg_write(UC_X86_REG_ESP, chall_stack_base)
mu.reg_write(UC_X86_REG_EIP, 0x00401866)
# patch strlen
mu.mem_write(0x004018DB, b'\x6A\x0A\x58\x90\x90')
mu.mem_write(0x0040192D, b'\x6A\x1A\x58\x90\x90')
mu.mem_write(0x0040193F, b'\x6A\x1A\x58\x90\x90')
mu.mem_write(0x00401950, b'\x6A\x0A\x58\x90\x90')
mu.hook_add(UC_HOOK_CODE, self.trace)
self.mu = mu
self.md = Cs(CS_ARCH_X86, CS_MODE_32)
def trace(self, mu, address, size, data):
if address == 0x004019E5:
self.temp += 1
def solve(self):
try:
self.mu.emu_start(0x00401866, 0x00401A0D)
except:
pass
return self.temp - 1
flag = b''
for j in range(26):
for i in b'0123456789abcdef{}-_#!?ABCDEFGHIJKLMNOPQRSTUVWXYZghijklmnopqrstuvwxyz':
tem = bytearray(flag + b'x' * (26 - len(flag)))
tem[j] = i
recv = Unidbg(bytes(tem), 127).solve()
if recv == j + 1 :
flag += ascii_code[i]
print(flag.decode())
后面发现,把对应位置的值dump出来与结果进行异或解密好像还更快一点。
FLAG:SETCTF{Th1s_i5_E2_5tRcm9!}
3、 power
一段 Arm 汇编,看得头挺大的,跳过代码,在里面翻找看有没有一些特征比较明显的函数或者字符串:
在某处发现了这个:
好像有点搞头,希望不是出题人自写的魔鬼算法。
再往下翻:
AES实锤,后面就是找个站解密的事了:
FLAG:flag{y0u_found_the_aes_12113112}
4、 EasyRE_Revenge
main函数长得和第一题 EasyRe 一样,很遗憾不是白给:
那个加密函数也是有问题,一堆的花指令,根本没法看,动调吧:
开始一串连跑带跳的,初始化了一个数组:
再往后到这里是第一轮加密:
没别的,就是异或。
再往后就是另一轮加密,后面说,把这两轮加密的硬编码直接dump下来,扔到IDA里面:
虽然看着还是难受,但逻辑好歹是出来了,整理了一下:
char flag[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
DWORD key[] = { 0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8 };
DWORD v5[10]{0};
for (i = 0; i < 8; i++) {
v5[i] = *(DWORD*)(flag+i*4) ^ key[(7 * i + 2) % 8];
}
for (i = 0; i < 8; i++) {
v5[i] ^= v5[i] << 7;
v5[i] ^= key[(7 * i + 3) % 8];
v5[i] ^= v5[(5 * i + 3) % 8];
v5[i] ^= v5[i] << 13;
v5[i] ^= key[(7 * i + 5) % 8];
v5[i] ^= v5[i] << 17;
}
EXP:
DWORD key[] = { 0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8 };
BYTE v6[] = { 0x42,0xb0,0xe8,0xee,0x6c,0xee,0xd0,0x57,0x32,0x4b,0xf5,0xf3,0xd6,0xb7,0xf0,0xd3,0x89,0xc3,0x61,0x0a,0x40,0xba,0xc7,0x38,0x2c,0x9e,0x3d,0x0c,0x84,0x92,0x4a,0xd6,0x00};
int i = 0;
DWORD* v5 = (DWORD*)v6;
DWORD xx, yy = 0;
for (i = 7; i >= 0; i--) {
v5[i] ^= (v5[i] & 0b111111111111111) << 17;
v5[i] ^= key[(7 * i + 5) % 8];
xx = v5[i] & 0b1111111111111; // 后 13 位
v5[i] ^= xx << 13; // 修复 6 - 19 位
xx = (v5[i] & 0b1111110000000000000) << 13;
v5[i] ^= xx;
v5[i] ^= v5[(5 * i + 3) % 8];
v5[i] ^= key[(7 * i + 3) % 8];
yy = v5[i] & 0b1111111; // 获取 25 - 32 位
v5[i] ^= yy << 7; // 修复 18 - 25 位
yy = v5[i] & 0b11111110000000; // 后 7 位
v5[i] ^= yy << 7; // 修复 11 - 18 位
yy = v5[i] & 0b111111100000000000000;
v5[i] ^= yy << 7; // 修复 4 - 11 位
yy = ((v5[i] << 7) & 0xFFFFFFFF) & 0b11110000000000000000000000000000;
v5[i] ^= yy; // 修复 4 - 11 位
}
for (i = 0; i < 8; i++) {
*(DWORD*)(v6 + i * 4) ^= key[(7 * i + 2) % 8];
}
printf("%s\n", (char*)v5);
FLAG : flag{bd6a64f17bb3dc065b41a0aad1e48e98}
5、O
打开 run.log ,在其中发现一些比较可疑的长整型数:
试着将其转为hex:
有Unicode字符串那味了。全部提取出来看看:
V@QFQC~=a<<5dd==5<121c63<4c260`706cafd`x
回 log 里面翻了一下,有这个 XorI,应该是异或,然后试着简单爆破一下
import binascii
xxx = [19703596266291286, 17170514749620305, 14918431467634785, 17170235578908772, 14073959292862517, 14355455746965553,
14074174040703036, 15481536039092278, 27303497946234928, 33777409528692838]
xx = ""
for i in xxx:
temp = hex(i)[2:].replace("00", "")
xx = xx + temp[6:8] + temp[4:6] + temp[2:4] + temp[0:2]
print()
xx = binascii.a2b_hex(xx)
for i in range(1, 256):
for j in xx:
print(chr(j ^ i), end="")
print()
FLAG: SETCTF{8d990aa8809474f3691f735e253fdcae}
4172
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
