-
-
ctf2018-第15题
-
2018-7-14 13:46 2467
-
binwalk -e a9rootfs
ultraedit在文件夹中搜索your key, 定位到elf文件sh
argv[0] = v6; argv[1] = 0; while ( 1 ) { printf("please input your key:"); scanf("%100s", v6); len = strlen(v6); enc_112E0(v6, v9, len); dec_11198(v6, v7, len); x_bin2hex(v7, a1, len); if ( !strcmp(a1, "C1371DA51A9030079E21DCDC5B78E38563872139C13F6F") ) break; if ( !strcmp(a1, "2A20D1EE7374B49EE12BCB5809A19") ) { x_hex2bin(v10, "5B7B541D49541B0847551A16435D060D0A66", 18);// flag:you got it [ decrypt_string(v10, 18); puts(v10); } else if ( !strcmp(a1, "8D8A79E3749EBAO60E57D00A6A") ) { x_hex2bin(v10, "721D1D001745531A49591C0E4B52071A1679", 18);// your key is error decrypt_string(v10, 18); puts(v10); } else { if ( !strcmp(v6, "exit") ) { v2 = 0; goto LABEL_17; } x_hex2bin(v10, "721D1D001745531A49591C0E4B52071A1679", 18);// your key is error decrypt_string(v10, 18); puts(v10); } } x_hex2bin(v10, "5B7B541D49541B0847551A16435D060D0A66", 18);// flag:you got it [ decrypt_string(v10, 18); dec_11198(v9, v7, len); x_bin2hex(v7, v9, len); printf("%s%s%c\n", v10, v9, ']'); puts("you have a chance to exploit it: "); memset(v6, 0, 256u); read(0, v6, 256); for ( i = 0; v6[i]; ++i ) { if ( v6[i] == '\r' || v6[i] == '\n' ) v6[i] = 0; } v0 = strlen(v6); x_hex2bin(a1, v6, v0 >> 1); v1 = strlen(a1); decrypt_string(a1, v1); strcpy(v6, a1); execve("/bin/busybox", argv);
int hex_index(char ch, const char *hex_map) { for (int i = 0; i < 16; i++) { if (ch == hex_map[i]) { return i; } } return -1; } void bin2hex_ex(PVOID p_in, PVOID p_out, int len, const char *hex_map = "0123456789ABCDEF") { PBYTE buf_in = (PBYTE)p_in; char *buf_out = (char *)p_out; int i; for (i = 0; i < len; ++i) { buf_out[2 * i + 1] = hex_map[buf_in[i] & 0xF]; buf_out[2 * i] = hex_map[(buf_in[i] >> 4) & 0xF]; } buf_out[2 * i] = 0; } void hex2bin_ex(PVOID p_in, PVOID p_out, int len, const char *hex_map = "0123456789ABCDEF") { char *buf_in = (char *)p_in; PBYTE buf_out = (PBYTE)p_out; int i; for (i = 0; i < len; ++i) { BYTE v = 0; v = hex_index(buf_in[2 * i], hex_map) << 4; v |= hex_index(buf_in[2 * i + 1], hex_map); buf_out[i] = v; } buf_out[i] = 0; } void encrypt_buf(PVOID p_in, int len) { int i; PBYTE buf = (PBYTE)p_in; for (i = len - 1; i > 0; --i) { buf[i] ^= buf[i - 1]; } for (i = 0; i < len / 2; ++i) { buf[i] ^= buf[len - 1 - i]; buf[len - 1 - i] ^= buf[i]; buf[i] ^= buf[len - 1 - i]; } } void decrypt_buf(PVOID p_in, int len) { int i; PBYTE buf = (PBYTE)p_in; for (i = 0; i < len / 2; ++i) { buf[i] ^= buf[len - 1 - i]; buf[len - 1 - i] ^= buf[i]; buf[i] ^= buf[len - 1 - i]; } for (i = 1; i < len; ++i) { buf[i] ^= buf[i - 1]; } } void enc_11198(PVOID p_in, PVOID p_out, int len) { PBYTE buf_in = (PBYTE)p_in; PBYTE buf_out = (PBYTE)p_out; BYTE temp[256]; memcpy(buf_out, buf_in, len); encrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "13579BDF02468ACE"); hex2bin_ex(temp, buf_out, len, "0369CF258BE147AD"); encrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "FA50B61C72D83E94"); hex2bin_ex(temp, buf_out, len, "FDB08642ECA97531"); encrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "FA50B61C72D83E94"); hex2bin_ex(temp, buf_out, len, "0369CF258BE147AD"); encrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "13579BDF02468ACE"); hex2bin_ex(temp, buf_out, len, "FDB08642ECA97531"); } void dec_11198(PVOID p_in, PVOID p_out, int len) { PBYTE buf_in = (PBYTE)p_in; PBYTE buf_out = (PBYTE)p_out; BYTE temp[256]; memcpy(buf_out, buf_in, len); bin2hex_ex(buf_out, temp, len, "FDB08642ECA97531"); hex2bin_ex(temp, buf_out, len, "13579BDF02468ACE"); decrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "0369CF258BE147AD"); hex2bin_ex(temp, buf_out, len, "FA50B61C72D83E94"); decrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "FDB08642ECA97531"); hex2bin_ex(temp, buf_out, len, "FA50B61C72D83E94"); decrypt_buf(buf_out, len); bin2hex_ex(buf_out, temp, len, "0369CF258BE147AD"); hex2bin_ex(temp, buf_out, len, "13579BDF02468ACE"); decrypt_buf(buf_out, len); } void enc_112E0(PVOID p_in, int len) { int i; PBYTE buf = (PBYTE)p_in; for (i = 0; i < len; ++i) { buf[i] = i * buf[i] + 31; } } void test() { char s[256] = "C1371DA51A9030079E21DCDC5B78E38563872139C13F6F"; char s2[256]; int len = strlen(s) / 2; hex2bin_ex(s, s2, len); enc_11198(s2, s, len); puts(s); enc_112E0(s, len); dec_11198(s, s2, len); bin2hex_ex(s2, s, len); puts(s); } int _tmain(int argc, _TCHAR* argv[]) { test(); return 0; }
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
赞赏
他的文章
KCTF2022春季赛 第三题 石像病毒
8267
KCTF2022春季赛 第二题 末日邀请
15389
KCTF2021秋季赛 第二题 迷失丛林
17926
KCTF2020秋季赛 第十题 终焉之战
8097
KCTF2020秋季赛 第九题 命悬一线
5822
看原图