-
-
[原创]DASCTF八月挑战赛 re
-
发表于: 2021-8-30 21:38
-
做完了逆向,不得不说das的re还是比较友好的
得到文件py.exe,肯定就是考python打包成exe文件了。可以参考文章https://blog.csdn.net/m0_37552052/article/details/88093427
用pyinstxtractor.py还原
python pyinstxtractor.py [filename]
得到文件夹,看到里面有个py.pyc,直接还原不行,用文章里面的方法还原pyc头文件,如果想学习pyc还可以看看这篇文章https://zhuanlan.zhihu.com/p/145811103
得到py文件。
很简单
简单的apk逆向,加密函数和密文都在so文件的mycheck中,有经验的话不难看出是rc4,看不出来也没关系,反正最后就是一个异或,动调把异或数组取出来就行了,动调apk方法在https://the_itach1.gitee.io/2021/08/02/D0g3%E6%AF%94%E8%B5%9B%E5%B9%B3%E5%8F%B0%20re%20wp/的medical_app。
由于比较懒,不想一个一个调,就直接输入了个错误flag,然后得到假密文,去得到异或的数组。好像rc4的key是12345678,可能也可以用rc4来做。
好家伙,题刚出来2分钟就有人直接秒了,可能是出题人。
就是有很多花指令,来干扰分析,动调就好了,main函数前面一大部分感觉都是用来解密函数代码的,真正要看的地方在(loc_584000)(&v19);
进去可以看到,图片里面忘了说sub_581FA0应该也是用来解密函数代码的。
然后先看看rc4吧
retn后,32字节转4*8
魔改的tea。
然后解密
照着博客做就行,关键是flag.jpg在哪,开始以为是头像,结果没解出来,后面f12看网页,也没找到,然后试了试直接在网页后面加上\flag.jpg,还真的有。
本人blog:https://the_itach1.gitee.io/
# uncompyle6 version 3.7.4# Python bytecode 2.7 (62211)# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]# Embedded file name: py.py# Compiled at: 1995-09-28 00:18:56def encode(s):
str = ''
for i in range(len(s)):
res = ord(s[i]) ^ 32
res += 31
str += chr(res)
return str
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings = ''
strings = input('Input:')
if encode(strings) == m:
print 'Correct!'
else:
print 'Try again!'
# uncompyle6 version 3.7.4# Python bytecode 2.7 (62211)# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]# Embedded file name: py.py# Compiled at: 1995-09-28 00:18:56def encode(s):
str = ''
for i in range(len(s)):
res = ord(s[i]) ^ 32
res += 31
str += chr(res)
return str
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings = ''
strings = input('Input:')
if encode(strings) == m:
print 'Correct!'
else:
print 'Try again!'
m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
str=''
for i in m:
str+=chr((ord(i)-31)^32)
print(str)
#flag{24c4d6f158cacea10d379f711f8d6e2a}m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
str=''
for i in m:
str+=chr((ord(i)-31)^32)
print(str)
#flag{24c4d6f158cacea10d379f711f8d6e2a}fake_code=[ 0xDD, 0x9F, 0x58, 0xB3, 0x72, 0xD0, 0xBC, 0xC4, 0x94, 0x56,
0x6C, 0xA8, 0xCE, 0x54, 0x62, 0xCE, 0x1E, 0xF3, 0xF3, 0x26,
0xB9, 0x19, 0x0F, 0xC6, 0x2D, 0x6E, 0xA3, 0xC0, 0x21, 0xD4,
0x99, 0x13]
fake_flag='flag{abcdefghijklmnopqrstuvwxyz}'
enc=[0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
0x82, 0x5B]
for i in range(32):
print(chr(ord(fake_flag[i])^fake_code[i]^enc[i]),end='')
#7792c9f724afe76e68c79116d07dafa5fake_code=[ 0xDD, 0x9F, 0x58, 0xB3, 0x72, 0xD0, 0xBC, 0xC4, 0x94, 0x56,
0x6C, 0xA8, 0xCE, 0x54, 0x62, 0xCE, 0x1E, 0xF3, 0xF3, 0x26,
0xB9, 0x19, 0x0F, 0xC6, 0x2D, 0x6E, 0xA3, 0xC0, 0x21, 0xD4,
0x99, 0x13]
fake_flag='flag{abcdefghijklmnopqrstuvwxyz}'
enc=[0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
0x82, 0x5B]
for i in range(32):
print(chr(ord(fake_flag[i])^fake_code[i]^enc[i]),end='')
#7792c9f724afe76e68c79116d07dafa5#include<stdio.h> void encrypt(unsigned __int64 *code , unsigned __int64 *key)
{ unsigned __int64 delta=0x9E3779B9;
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
int i;
tmp1=code[0];
tmp2=code[1];
tmp3=code[2];
tmp4=code[3];
key1=key[0];
key2=key[1];
key3=key[2];
key4=key[3];
for(i=0;i<32;i++)
{
d+=delta;
tmp1 += (key2 + (tmp2 >> 5)) ^ (d + tmp2) ^ (key1 + 16 * tmp2);
tmp2 += (key4 + (tmp1 >> 5)) ^ (d + tmp1) ^ (key3 + 16 * tmp1);
tmp3 += (key2 + (tmp4 >> 5)) ^ (d + tmp4) ^ (key1 + 16 * tmp4);
tmp4 += (key4 + (tmp3 >> 5)) ^ (d + tmp3) ^ (key3 + 16 * tmp3);
}
code[0]=tmp1;
code[1]=tmp2;
code[2]=tmp3;
code[3]=tmp4;
}void decrypt(unsigned __int64 *code , unsigned __int64 *key)
{ unsigned __int64 delta=0x9E3779B9;
unsigned __int64 sum=delta*32;// sum=0x13C6EF3720
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4;
int i;
tmp1=code[0];
tmp2=code[1];
tmp3=code[2];
tmp4=code[3];
key1=key[0];
key2=key[1];
key3=key[2];
key4=key[3];
for(i=0;i<32;i++)
{
tmp4 -= (key4 + (tmp3 >> 5)) ^ (sum + tmp3) ^ (key3 + 16 * tmp3);
tmp3 -= (key2 + (tmp4 >> 5)) ^ (sum + tmp4) ^ (key1 + 16 * tmp4);
tmp2 -= (key4 + (tmp1 >> 5)) ^ (sum + tmp1) ^ (key3 + 16 * tmp1);
tmp1 -= (key2 + (tmp2 >> 5)) ^ (sum + tmp2) ^ (key1 + 16 * tmp2);
sum-=delta;
}
code[0]=tmp1;
code[1]=tmp2;
code[2]=tmp3;
code[3]=tmp4;
}int main()
{ unsigned __int64 code[4]={0x0E990A522BE80F786,0x8B836286B8A5EB59,0x2FDE61CCEFC70FF8,0x56BC19E119C8B07B},key[4]={0x54466076484C5476,0x4550504F765F4344,0x5A796F755F6D6179,0x5F6E6565645F7468};
//encrypt(code,key);
decrypt(code,key);
printf("%016llx%016llx%016llx%016llx",code[0],code[1],code[2],code[3]);
}//505a4cc462489e8003aef16b785c7501343057844ff5acb809616159f51713f3
#include<stdio.h> void encrypt(unsigned __int64 *code , unsigned __int64 *key)
{ unsigned __int64 delta=0x9E3779B9;
unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
int i;
tmp1=code[0];
tmp2=code[1];
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2021-8-30 21:39
被The_Itach1编辑
,原因:
