[原创]DASCTF八月挑战赛 re
发表于: 2021-8-30 21:38 13752

[原创]DASCTF八月挑战赛 re

2021-8-30 21:38
13752

做完了逆向,不得不说das的re还是比较友好的

得到文件py.exe,肯定就是考python打包成exe文件了。可以参考文章https://blog.csdn.net/m0_37552052/article/details/88093427

用pyinstxtractor.py还原

python pyinstxtractor.py [filename]

得到文件夹,看到里面有个py.pyc,直接还原不行,用文章里面的方法还原pyc头文件,如果想学习pyc还可以看看这篇文章https://zhuanlan.zhihu.com/p/145811103
得到py文件。

很简单

简单的apk逆向,加密函数和密文都在so文件的mycheck中,有经验的话不难看出是rc4,看不出来也没关系,反正最后就是一个异或,动调把异或数组取出来就行了,动调apk方法在https://the_itach1.gitee.io/2021/08/02/D0g3%E6%AF%94%E8%B5%9B%E5%B9%B3%E5%8F%B0%20re%20wp/的medical_app。

由于比较懒,不想一个一个调,就直接输入了一个错误的 flag,拿到假密文,再把假 flag 和假密文异或一下,就得到了异或数组。好像 rc4 的 key 是 12345678,可能也可以直接用 rc4 来做。

好家伙,题刚出来2分钟就有人直接秒了,可能是出题人。

就是有很多花指令,来干扰分析,动调就好了,main函数前面一大部分感觉都是用来解密函数代码的,真正要看的地方在(loc_584000)(&v19);

进去可以看到,图片里面忘了说sub_581FA0应该也是用来解密函数代码的。

然后先看看rc4吧

retn 后,32 字节的数据被当作 4 个 8 字节(64 位)的块来处理


魔改的tea。

然后解密

照着博客做就行,关键是flag.jpg在哪,开始以为是头像,结果没解出来,后面f12看网页,也没找到,然后试了试直接在网页后面加上\flag.jpg,还真的有。

本人blog:https://the_itach1.gitee.io/

 
 
 
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: py.py
# Compiled at: 1995-09-28 00:18:56
 
 
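def encode(s):
    """Obfuscate ``s`` one character at a time.

    Each character is XORed with 32 (bit 5, the case bit for ASCII letters)
    and then shifted up by 31; the result is the string the program compares
    against ``m``.  The transform is trivially invertible:
    ``chr((ord(c) - 31) ^ 32)`` recovers the original character.
    """
    # ''.join avoids quadratic concatenation and does not shadow the builtin
    # ``str`` that the original used as a local name.
    return ''.join(chr((ord(c) ^ 32) + 31) for c in s)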
 
 
# Expected result of encode() over the correct input.
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
# This is Python 2 bytecode: input() evaluates the typed text as an
# expression before the comparison, so the flag has to be entered quoted;
# raw_input() would have taken it verbatim.
strings = input('Input:')
print 'Correct!' if encode(strings) == m else 'Try again!'
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: py.py
# Compiled at: 1995-09-28 00:18:56
 
 
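def encode(s):
    """Obfuscate ``s`` one character at a time.

    Each character is XORed with 32 (bit 5, the case bit for ASCII letters)
    and then shifted up by 31; the result is the string the program compares
    against ``m``.  The transform is trivially invertible:
    ``chr((ord(c) - 31) ^ 32)`` recovers the original character.
    """
    # ''.join avoids quadratic concatenation and does not shadow the builtin
    # ``str`` that the original used as a local name.
    return ''.join(chr((ord(c) ^ 32) + 31) for c in s)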
 
 
# Expected result of encode() over the correct input.
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
# This is Python 2 bytecode: input() evaluates the typed text as an
# expression before the comparison, so the flag has to be entered quoted;
# raw_input() would have taken it verbatim.
strings = input('Input:')
print 'Correct!' if encode(strings) == m else 'Try again!'
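# Target string from the binary; invert encode() by undoing its two steps
# in reverse order: subtract 31, then XOR with 32.
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
# Named `flag` instead of `str` so the builtin is not shadowed.
flag = ''.join(chr((ord(c) - 31) ^ 32) for c in m)
print(flag)
#flag{24c4d6f158cacea10d379f711f8d6e2a}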
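# Target string from the binary; invert encode() by undoing its two steps
# in reverse order: subtract 31, then XOR with 32.
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
# Named `flag` instead of `str` so the builtin is not shadowed.
flag = ''.join(chr((ord(c) - 31) ^ 32) for c in m)
print(flag)
#flag{24c4d6f158cacea10d379f711f8d6e2a}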
 
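# Keystream recovery: the last step of the check is a byte-wise XOR with a
# fixed stream, so XORing a known (wrong) input against the output it
# produced yields that stream, and XORing the real ciphertext with the
# same stream yields the plaintext.
fake_code = [0xDD, 0x9F, 0x58, 0xB3, 0x72, 0xD0, 0xBC, 0xC4, 0x94, 0x56,
             0x6C, 0xA8, 0xCE, 0x54, 0x62, 0xCE, 0x1E, 0xF3, 0xF3, 0x26,
             0xB9, 0x19, 0x0F, 0xC6, 0x2D, 0x6E, 0xA3, 0xC0, 0x21, 0xD4,
             0x99, 0x13]  # output observed for fake_flag
fake_flag = 'flag{abcdefghijklmnopqrstuvwxyz}'
enc = [0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
       0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
       0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
       0x82, 0x5B]  # ciphertext taken from the binary
# zip() stops at the shortest sequence, so a length mismatch cannot index
# past the end of any of the three inputs.
plain = ''.join(chr(ord(f) ^ k ^ c) for f, k, c in zip(fake_flag, fake_code, enc))
print(plain, end='')
#7792c9f724afe76e68c79116d07dafa5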
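# Keystream recovery: the last step of the check is a byte-wise XOR with a
# fixed stream, so XORing a known (wrong) input against the output it
# produced yields that stream, and XORing the real ciphertext with the
# same stream yields the plaintext.
fake_code = [0xDD, 0x9F, 0x58, 0xB3, 0x72, 0xD0, 0xBC, 0xC4, 0x94, 0x56,
             0x6C, 0xA8, 0xCE, 0x54, 0x62, 0xCE, 0x1E, 0xF3, 0xF3, 0x26,
             0xB9, 0x19, 0x0F, 0xC6, 0x2D, 0x6E, 0xA3, 0xC0, 0x21, 0xD4,
             0x99, 0x13]  # output observed for fake_flag
fake_flag = 'flag{abcdefghijklmnopqrstuvwxyz}'
enc = [0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
       0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
       0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
       0x82, 0x5B]  # ciphertext taken from the binary
# zip() stops at the shortest sequence, so a length mismatch cannot index
# past the end of any of the three inputs.
plain = ''.join(chr(ord(f) ^ k ^ c) for f, k, c in zip(fake_flag, fake_code, enc))
print(plain, end='')
#7792c9f724afe76e68c79116d07dafa5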
 
 
 
 
#include<stdio.h>
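/*
 * Forward direction of the modified TEA round used by the challenge:
 * 32 rounds over four 64-bit words, each word mixed with the word updated
 * just before it.  The key words are used as fixed pairs (k0/k1 for the
 * first and third word, k2/k3 for the second and fourth) instead of being
 * selected by the round counter as in textbook XTEA.
 *
 * code: in/out, four 64-bit words; replaced by the ciphertext.
 * key:  four 64-bit key words, read only.
 *
 * Two fixes against the original listing: the round counter now starts at 0
 * (it was left uninitialised, which is undefined behaviour and would make the
 * output depend on stack contents), and `unsigned long long` replaces the
 * MSVC-only `unsigned __int64` so the helper builds with any C99 compiler.
 * The counter's value after the last round, 32*delta, is the starting
 * point used by decrypt().
 */
void encrypt(unsigned long long *code, unsigned long long *key)
{
    const unsigned long long delta = 0x9E3779B9ULL;
    unsigned long long sum = 0;
    unsigned long long v0 = code[0], v1 = code[1], v2 = code[2], v3 = code[3];
    const unsigned long long k0 = key[0], k1 = key[1], k2 = key[2], k3 = key[3];

    for (int i = 0; i < 32; i++) {
        sum += delta;
        // 16 * x is x << 4; kept in arithmetic form to mirror the listing.
        v0 += (k1 + (v1 >> 5)) ^ (sum + v1) ^ (k0 + 16 * v1);
        v1 += (k3 + (v0 >> 5)) ^ (sum + v0) ^ (k2 + 16 * v0);
        v2 += (k1 + (v3 >> 5)) ^ (sum + v3) ^ (k0 + 16 * v3);
        v3 += (k3 + (v2 >> 5)) ^ (sum + v2) ^ (k2 + 16 * v2);
    }

    code[0] = v0;
    code[1] = v1;
    code[2] = v2;
    code[3] = v3;
}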
 
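/*
 * Inverse of encrypt(): undoes the 32 rounds in reverse order, starting the
 * round counter at 32*delta (its value after the forward pass) and
 * subtracting delta after each round.
 *
 * code: in/out, four 64-bit ciphertext words; replaced by the plaintext.
 * key:  four 64-bit key words, read only.
 *
 * `unsigned long long` replaces the MSVC-only `unsigned __int64` so the
 * solver builds with any C99 compiler; the arithmetic is unchanged.
 */
void decrypt(unsigned long long *code, unsigned long long *key)
{
    const unsigned long long delta = 0x9E3779B9ULL;
    unsigned long long sum = delta * 32;  // 0x13C6EF3720
    unsigned long long v0 = code[0], v1 = code[1], v2 = code[2], v3 = code[3];
    const unsigned long long k0 = key[0], k1 = key[1], k2 = key[2], k3 = key[3];

    for (int i = 0; i < 32; i++) {
        // Words are unwound in the opposite order to encrypt().
        v3 -= (k3 + (v2 >> 5)) ^ (sum + v2) ^ (k2 + 16 * v2);
        v2 -= (k1 + (v3 >> 5)) ^ (sum + v3) ^ (k0 + 16 * v3);
        v1 -= (k3 + (v0 >> 5)) ^ (sum + v0) ^ (k2 + 16 * v0);
        v0 -= (k1 + (v1 >> 5)) ^ (sum + v1) ^ (k0 + 16 * v1);
        sum -= delta;
    }

    code[0] = v0;
    code[1] = v1;
    code[2] = v2;
    code[3] = v3;
}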
 
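/*
 * Solver entry point: runs decrypt() over the four ciphertext words taken
 * from the binary with its hard-coded key and prints the 32-byte result as
 * 64 hex digits.  No trailing newline is written, matching the original.
 */
int main(void)
{
    unsigned long long code[4] = {
        0x0E990A522BE80F786ULL, 0x8B836286B8A5EB59ULL,
        0x2FDE61CCEFC70FF8ULL, 0x56BC19E119C8B07BULL
    };
    unsigned long long key[4] = {
        0x54466076484C5476ULL, 0x4550504F765F4344ULL,
        0x5A796F755F6D6179ULL, 0x5F6E6565645F7468ULL
    };

    // encrypt(code, key) would run the forward direction instead.
    decrypt(code, key);
    printf("%016llx%016llx%016llx%016llx", code[0], code[1], code[2], code[3]);
    return 0;
}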
//505a4cc462489e8003aef16b785c7501343057844ff5acb809616159f51713f3
#include<stdio.h>
void encrypt(unsigned __int64 *code , unsigned __int64 *key)
{
    unsigned __int64 delta=0x9E3779B9;
   unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
   int i;
 
    tmp1=code[0];
    tmp2=code[1];


最后于 2021-8-30 21:39 被The_Itach1编辑 ,原因:
最新回复 (2)
师傅,花指令怎么去呀,我去不干净
2021-9-18 17:01
重新看了下 这道题,直接把0027189A,和 002718A8地址的值改为90就行了,其他地方就c键重新分析,遇到栈帧不平衡就u键,p键。
2021-9-18 22:22