2020GACTF逆向部分wp,题目地址:e34K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6S2k6s2N6G2M7X3I4V1i4K6u0W2P5r3y4@1k6W2)9J5k6h3!0J5k6#2)9J5k6h3y4F1i4K6u0r3j5$3!0E0M7r3g2@1K9i4c8A6L8$3^5`.
Checkin
逆向签到题,一直F8步过,跑飞就F7步入,最后发现调用CreateProcess()函数创建了一个新进程
新进程运行ruby解释器加载ruby源文件
ruby源文件如下:
require 'openssl'
require 'base64'
# Encrypt +encrypted_string+ (the plaintext, despite the name) with AES-128-ECB
# under +key+ and return the ciphertext as Base64.encode64 output, i.e. with a
# trailing newline. The key must be exactly 16 bytes. ECB with a fixed key is
# the challenge's design, not something to copy: it has no IV, so equal inputs
# always give equal output and repeated blocks stay visible.
def aes_encrypt(key, encrypted_string)
  cipher = OpenSSL::Cipher.new("AES-128-ECB")
  cipher.encrypt
  cipher.key = key
  encrypted = cipher.update(encrypted_string)
  encrypted << cipher.final
  Base64.encode64(encrypted)
end
# Challenge checker: read a candidate flag, encrypt it with the hard-coded key
# and compare against the stored Base64 ciphertext. Both the key and the
# expected ciphertext sit in the clear here, so the check is trivially
# reversible by decrypting the constant with the same key.
print "Enter flag: "
candidate = gets.chomp
key = "Welcome_To_GACTF"
cipher = "4KeC/Oj1McI4TDIM2c9Y6ahahc6uhpPbpSgPWktXFLM=\n"
text = aes_encrypt(key, candidate)
puts(cipher == text ? "good!" : "no!")
AES-128-ECB没有IV,密钥又直接硬编码在脚本里,所以用同一密钥解密密文即可(注意解密结果末尾还带着Ruby端aes.final加上的PKCS#7填充)。解密脚本如下:
from Crypto.Cipher import AES
import base64
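# Key and ciphertext are lifted straight from the Ruby checker: the key is
# 16 bytes (AES-128) and ECB has no IV, so nothing else is needed to decrypt.
key = b"Welcome_To_GACTF"  # 16 bytes
aes = AES.new(key, AES.MODE_ECB)
cipher = "4KeC/Oj1McI4TDIM2c9Y6ahahc6uhpPbpSgPWktXFLM=\n"
cipher = base64.b64decode(cipher)  # the trailing newline is ignored by b64decode
print(cipher)
s = aes.decrypt(cipher)  # ECB input is a whole number of 16-byte blocks
print(s)
# Ruby's aes.final appended PKCS#7 padding, so the last byte is the pad length;
# strip it (after checking it is well-formed) to print the bare flag instead of
# the flag followed by \x.. padding bytes.
pad = s[-1] if s else 0
if 1 <= pad <= 16 and s.endswith(bytes([pad]) * pad):
    print(s[:-pad])
else:
    print("warning: no valid PKCS#7 padding -- wrong key or ciphertext?")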
EasyRe
虚拟机题
程序首先通过SMC(自修改代码)还原关键函数loc_8048838的代码,动态调试时这段代码没办法反编译(有一处奇怪的交叉引用不会处理),于是我把这个函数dump出来另开一个IDA反编译分析
程序大概分为三个部分:
第一部分要输入一个数经过一系列运算后等于0x26F8D100,不等于则程序退出
第二部分用这个输入的数生成四个数,用于后面的异或操作
第三部分输入flag,每个字符会根据opcode选择四个数中的一个进行异或,然后与密文数据比较,不相等同样退出
这里要输入的第一个数我当时没有求出来(z3没解出来),于是四个数是用flag格式GACTF{求出来的。不过从opcode看,第一部分其实是四步xor-shift:x ^= x>>13;x ^= (x<<9)&0x78F39600;x ^= (x<<17)&0x85D40000;x ^= x>>19,和MT19937的tempering是同一类运算,每一步在32位上都是双射,按相反顺序逐步还原(和MT untemper一样,每步迭代几次即可)就能直接解出输入,并不是不可逆。
模拟执行的脚本:
# from z3 import *
# EasyRe bytecode dumped from the SMC-restored function, as consumed by the loop
# below: 0x80 <reg> <imm32 LE> loads an immediate into a1[reg]; 0xA4 <idx> 0 0
# stores the accumulator a1[1] into data[idx]; 0xC1 <idx> loads input[idx];
# 0xC2 <imm32 LE> carries the value the accumulator is compared against;
# 0x99 terminates; every other opcode is a single byte.
opcode=[0x09, 0x10, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x22, 0x77, 0x10, 0x80, 0x02, 0x09, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x96, 0xF3, 0x78, 0x31, 0x77, 0x10, 0x80, 0x02, 0x11, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x00, 0xD4, 0x85, 0x31, 0x77, 0x10, 0x80, 0x02, 0x13, 0x00, 0x00, 0x00, 0x22, 0x77, 0xA0, 0x09, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x03, 0x02, 0x00, 0x00, 0x00, 0x43, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x00, 0x00, 0x00, 0x09, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x05, 0x07, 0x00, 0x00, 0x00, 0x44, 0x80, 0x02, 0x21, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x01, 0x00, 0x00, 0x09, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x09, 0xBB, 0x00, 0x00, 0x00, 0x77, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x02, 0x00, 0x00, 0x09, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x04, 0xA0, 0x00, 0x00, 0x00, 0x42, 0x80, 0x02, 0x77, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x03, 0x00, 0x00, 0xA1, 0xC1, 0x00, 0xB1, 0x77, 0xC2, 0x0B, 0x01, 0x00, 0x00, 0xC1, 0x01, 0xB2, 0x77, 0xC2, 0x7A, 0x00, 0x00, 0x00, 0xC1, 0x02, 0xB4, 0x77, 0xC2, 0x95, 0x00, 0x00, 0x00, 0xC1, 0x03, 0xB3, 0x77, 0xC2, 0x06, 0x01, 0x00, 0x00, 0xC1, 0x04, 0xB2, 0x77, 0xC2, 0x7D, 0x00, 0x00, 0x00, 0xC1, 0x05, 0xB4, 0x77, 0xC2, 0xAD, 0x00, 0x00, 0x00, 0xC1, 0x06, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00, 0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x65, 0x01, 0x00, 0x00, 0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x2D, 0x01, 0x00, 0x00, 0xC1, 0x09, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00, 0xC1, 0x0A, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x0B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x0C, 0xB4, 0x77, 0xC2, 0xBB, 0x00, 0x00, 0x00, 0xC1, 0x0D, 0xB2, 0x77, 0xC2, 0x08, 0x00, 0x00, 0x00, 0xC1, 0x0E, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x0F, 0xB1, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x10, 0xB3, 0x77, 0xC2, 0x3A, 0x01, 0x00, 0x00, 0xC1, 
0x11, 0xB3, 0x77, 0xC2, 0x61, 0x01, 0x00, 0x00, 0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x57, 0x00, 0x00, 0x00, 0xC1, 0x13, 0xB1, 0x77, 0xC2, 0x20, 0x01, 0x00, 0x00, 0xC1, 0x14, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x15, 0xB1, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x16, 0xB3, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00, 0xC1, 0x17, 0xB4, 0x77, 0xC2, 0xB5, 0x00, 0x00, 0x00, 0xC1, 0x18, 0xB1, 0x77, 0xC2, 0x13, 0x01, 0x00, 0x00, 0xC1, 0x19, 0xB4, 0x77, 0xC2, 0xA0, 0x00, 0x00, 0x00, 0xC1, 0x1A, 0xB1, 0x77, 0xC2, 0x21, 0x01, 0x00, 0x00, 0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00, 0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x0B, 0x00, 0x00, 0x00, 0xC1, 0x1D, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00, 0xC1, 0x1E, 0xB1, 0x77, 0xC2, 0x73, 0x01, 0x00, 0x00, 0xC1, 0x1F, 0xB2, 0x77, 0xC2, 0x46, 0x00, 0x00, 0x00,0x99]
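_MASK32 = 0xFFFFFFFF
_STAGE1_TARGET = 0x26F8D100  # value a1[1] must hold at the 0xA0 check


def _trunc_div(num, den):
    """Integer division truncating toward zero, with no float round-trip.

    The original emulator did ``a /= b; a = int(a)``; that silently loses
    bits once a value passes 2**53 (the 0x43 multiply is not masked, so it
    can), so do the same truncating division exactly on ints instead.
    Raises ZeroDivisionError for den == 0, as the original did.
    """
    q = abs(num) // abs(den)
    return q if (num < 0) == (den < 0) else -q


def _imm32(code, pos):
    """Little-endian 32-bit immediate at code[pos:pos+4] (carried by 0x80 and 0xC2)."""
    return (code[pos] | (code[pos + 1] << 8) | (code[pos + 2] << 16) | (code[pos + 3] << 24)) & _MASK32


def run_vm(opcode, flag, flag_input=None, *, trace=True):
    """Emulate the EasyRe bytecode VM over *opcode*.

    Register model (as reconstructed from the handlers): a1[1] is the
    accumulator, a1[2..5] hold immediates loaded by 0x80, a1[9] is the xor
    operand; data[0..3] are the four derived values stored by 0xA4 and
    re-selected by 0xB1..0xB4.  Only 0x23 and 0x80 mask to 32 bits;
    NOTE(review): add/sub/mul (0x41/0x42/0x43) are left unmasked here as in
    the original script -- presumably the real VM wraps, confirm if the
    derived data[] values ever disagree with the binary.

    Args:
        opcode: the bytecode as a list of ints, terminated by 0x99.
        flag: the integer fed to stage 1 (0x09 loads it into a1[1]).
        flag_input: candidate flag string used by the 0xC1 loads; when None
            it is read from stdin with input(), as the original script did.
        trace: print the per-step register dump and the check values (the
            original script's debugging output).

    Returns:
        (a1, data, checks): the final register file, the four derived values,
        and one (computed, expected) pair per 0xC2 compare in program order.

    Raises:
        RuntimeError: a 0xC1 load is executed before any 0xA1 input.
    """
    a1 = [0] * 10
    data = [0, 0, 0, 0]
    inputflag = None
    checks = []
    i = 0
    while i < len(opcode):
        op = opcode[i]
        if trace:
            print(i, hex(op), list(map(hex, a1)), list(map(hex, data)))
        if op == 0x99:
            break
        if op == 0x09:
            a1[1] = flag
        elif op == 0x10:
            a1[9] = a1[1]
        elif op == 0x22:
            a1[1] >>= a1[2]
        elif op == 0x23:
            a1[1] = (a1[1] << a1[2]) & _MASK32
        elif op == 0x30:
            a1[1] |= a1[2]
        elif op == 0x31:
            a1[1] &= a1[2]
        elif op == 0x41:
            a1[1] += a1[2]
        elif op == 0x42:
            a1[1] -= a1[4]
        elif op == 0x43:
            a1[1] *= a1[3]
        elif op == 0x44:
            a1[1] = _trunc_div(a1[1], a1[5])
        elif op == 0x77:
            a1[1] ^= a1[9]
        elif op == 0x80:
            a1[opcode[i + 1]] = _imm32(opcode, i + 2)
            i += 6
            continue
        elif op == 0xA0:
            # stage-1 check point: the binary exits here unless a1[1] == 0x26F8D100
            if trace:
                print(i)
                print(hex(a1[1]))
        elif op == 0xA1:
            text = input() if flag_input is None else flag_input
            inputflag = [ord(c) for c in text]
            if trace:
                print(len(inputflag))
                print(inputflag)
        elif op == 0xA4:
            if trace:
                print(hex(a1[1]), hex(opcode[i + 1]))
            data[opcode[i + 1]] = a1[1]
            i += 4
            continue
        elif op in (0xB1, 0xB2, 0xB3, 0xB4):
            a1[9] = data[op - 0xB1]
        elif op == 0xC1:
            if inputflag is None:
                raise RuntimeError("0xC1 load before any 0xA1 input")
            a1[1] = inputflag[opcode[i + 1]]
            i += 2
            continue
        elif op == 0xC2:
            expected = _imm32(opcode, i + 1)
            if trace:
                print(len(checks))
                print(hex(a1[1]), hex(expected))
            checks.append((a1[1], expected))
            i += 5
            continue
        # 0x11, 0x54, 0x71, 0x76 and anything unknown: single-byte no-op
        i += 1
    return a1, data, checks


def _temper(x):
    """Stage-1 transform as read off the opcode stream (MT19937-style tempering)."""
    x &= _MASK32
    x ^= x >> 13
    x ^= (x << 9) & 0x78F39600
    x ^= (x << 17) & 0x85D40000
    x ^= x >> 19
    return x & _MASK32


def _undo_right_xorshift(y, k):
    """Invert y = x ^ (x >> k) on 32-bit words (top k bits of y are x's; iterate down)."""
    x = y
    for _ in range(32 // k + 1):
        x = y ^ (x >> k)
    return x & _MASK32


def _undo_left_xorshift(y, k, m):
    """Invert y = x ^ ((x << k) & m) on 32-bit words (low k bits of y are x's; iterate up)."""
    x = y
    for _ in range(32 // k + 1):
        x = y ^ ((x << k) & m)
    return x & _MASK32


def invert_stage1(target=_STAGE1_TARGET):
    """Return the 32-bit stage-1 input whose transform equals *target*.

    Every step of stage 1 xors a word with a shifted copy of itself, which is
    a bijection on 32-bit words, so the chain is undone step by step in
    reverse order exactly like MT19937 untempering.  The writeup's "shifts
    make it irreversible" therefore does not apply.
    """
    x = _undo_right_xorshift(target, 19)
    x = _undo_left_xorshift(x, 17, 0x85D40000)
    x = _undo_left_xorshift(x, 9, 0x78F39600)
    x = _undo_right_xorshift(x, 13)
    return x


if __name__ == "__main__":
    print(len(opcode))
    result1 = _STAGE1_TARGET
    # Stage-1 seed.  The writeup ran with the placeholder 123456789 (z3 did
    # not solve it) and derived data[] from the known "GACTF{" prefix
    # instead; the seed is recovered directly by inverting the four
    # xor-shift steps.
    flag = invert_stage1(result1)
    print("stage-1 seed:", flag, hex(flag))
    a1, data, checks = run_vm(opcode, flag)
    print("data:", list(map(hex, data)))
    print("matching bytes:", sum(got == want for got, want in checks), "of", len(checks))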
密文数据(每个字符的比较常量以及它选用的异或值编号1~4)可以从上面脚本在0xC2处的输出中拿到;四个异或值data则由前几个常量与已知前缀GACTF{逐字节异或得到(例如0x10b^'G'=0x14c)。最后求解flag的脚本:
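# The four xor operands produced by stage 2.  They were not computed from the
# stage-1 seed (left unsolved in the writeup) but read back from the compare
# table: each is a known-prefix byte of "GACTF{" xored with its compare
# constant, e.g. 0x10b ^ ord('G') == 0x14c and 0x7a ^ ord('A') == 0x3b.
data = [0x14c, 0x3b, 0x152, 0xd6]
# (compare constant, xor-operand selector 1..4) for each of the 32 flag bytes,
# flattened into one list; copied from the 0xC2 lines of the emulator output.
xor = [0x10b,1,0x7a,2,0x95,4,0x106,3,0x7d,2,0xad,4,0x12f,1,0x165,3,0x12d,1,0x12f,1,0x139,3,0x10d,3,0xbb,4,0x8,2,0x10d,3,0x13f,1,0x13a,3,0x161,3,0x57,2,0x120,1,0x10d,3,0x13f,1,0x13f,3,0xb5,4,0x113,1,0xa0,4,0x121,1,0x10d,3,0xb,2,0x139,3,0x173,1,0x46,2]


def decode_flag(data, xor):
    """Recover the flag from the VM's compare table.

    Each flag byte was xored with one of the four values in *data* (chosen by
    the 0xB1..0xB4 opcode) and compared against a constant; *xor* holds those
    (constant, selector) pairs flattened, selector 1..4 picking data[0..3].
    Xor is its own inverse, so the plaintext byte is constant ^ data[sel-1].

    Returns the decoded string; an empty table decodes to "".
    Raises ValueError if *xor* has an odd length.
    """
    if len(xor) % 2:
        raise ValueError("xor must be a flat list of (constant, selector) pairs")
    return "".join(chr(c ^ data[sel - 1]) for c, sel in zip(xor[0::2], xor[1::2]))


if __name__ == "__main__":
    print(len(xor))
    print(decode_flag(data, xor))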
WannaFlag
要求key