[原创] 看雪 2022·KCTF 秋季赛第八题商贸往来 WriteUP-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创] 看雪 2022·KCTF 秋季赛第八题商贸往来 WriteUP

发表于: 2022-12-4 16:49 10754

[原创] 看雪 2022·KCTF 秋季赛第八题商贸往来 WriteUP

上学困难户

2022-12-4 16:49

10754

快乐的周末，从KCTF开始吧。

由于分析完后六次函数调用后就到饭点了，所以WP中对第一次函数调用的分析是由队内 ThTsOd 师傅完成的

拿到题目，我们初步调试分析后可以得到以下信息

虽然无效代码的量非常大，但是模式比较统一，而且正常代码非常分散，我们做如下处理后再对程序进程分析

我们从最后一次函数分析，从后向前分七步，每一步可以逆向出如下信息

对输入值进行xor，每个字节有不同的xor值

正确输入如下

重排序(前0x40字节倒序)，按表替换，xor不同的值

正确输入如下

每个字节加特定值

正确输入如下

输入值两两换位，按特殊位置关系与内置表xor，之后倒序排列异或结果，再每字节+0x80

正确输入如下

按表代换，倒序排列，之后以0x20字节为一组，分成四组，先交换1、3组，整体xor不同的值，再交换2、4组，整体xor不同的值

正确输入值如下

通过如上的分析，我们便可以得到正确的flag了

下面是遇到的几个坑的总结

79 17 42 6B 3B 50 7A E3 46 D0 DE 4E 24 A7 8A 6A 69 D0 02 06 F0 27 24 BD C0 BB E3 1E 09 A3 97 30 3C B6 EB 68 90 09 D0 EA 11 F2 C4 60 A5 CB C3 FC 45 FB 5C 53 C0 80 3A 99 59 6F 2F 54 4A D9 0E 6A 34 DE D2 EC AF 4A 0B A4 8A B6 FA 93 1F 04 10 44 EE E4 D6 9E F4 45 12 4D 37 3C F0 11 F8 C8 44 76 63 10 73 2D 68 D7 9D 2F C3 84 2A B6 CC B5 37 61 4F 0F 16 BC BB 8C 53 27 EE 77 AA 1F 9C C2 18 DE

BA 1B 1F 2A F3 C0 82 65 DC 43 41 FB 50 8D 8C CC C5 43 9B 09 2F 6C 50 E5 EC C2 65 95 71 08 A5 9F 1A BF D9 17 D6 71 43 3C 35 DF 46 7F B2 66 32 94 44 10 60 6B EC 80 FA 91 31 77 EB 4E 4B 9A 0D CC 54 41 96 06 79 4B A6 2B 8C BF 4C 99 D1 7D 68 78 7C C1 8A 56 A2 44 30 B5 26 1A 2F 35 45 6D 78 33 B3 68 28 8F 17 E9 03 EB 32 67 48 BF 20 F7 26 1C 76 52 83 90 C2 AC 6B 6C 7C B6 0B D1 74 C6 D0 41

2F 09 BF 8A E0 C8 8E 66 DD C3 B5 F0 F5 01 8B CA D5 33 FB E9 7F EC C0 F5 CC F2 25 65 B1 D8 85 BF 0A 8F D8 1A D1 70 4C 3E 3C CF 66 EF 52 96 F2 A4 CD B1 50 2B 8C E0 BA B1 71 57 AB BE 8B 4A 2D EC 64 31 A6 F6 CA 40 A4 1B 9D AE 4D 91 D1 03 E2 42 CC E1 CA E6 D2 D4 29 85 66 58 0F 5E 0F 79 50 25 E1 EB 58 D2 67 89 23 7B 22 67 18 2F 30 A7 76 4C 66 72 13 A0 B2 8C 5B 1C 4C C5 9D D1 78 C4 FD 31

B6 A3 1B 99 5E 35 31 1E A2 A5 79 A7 40 30 43 4C 1A 20 C5 9F C4 99 02 58 DD D3 D3 C2 B9 CC 9A 20 79 5F B4 CA C5 BA 65 C6 EA C6 FE C0 A3 56 65 06 E3 0F BC 20 EC 32 55 65 C5 D8 F4 63 49 30 85 8A A9 10 3E 50 2C 81 7B BC E8 20 49 E3 AC 4A F9 D6 4C 12 9A E0 86 36 7B 7B 3E 1A E0 42 25 2B 4F E5 16 FC EC 05 DD FE 55 07 CA 3B B6 E9 08 80 8D F2 1F 53 1C F8 16 6C C1 8D 3C 56 7A 04 0F 92 6F C4

B5 A0 16 8E 48 28 FD 0F 3F A7 81 AB 6D FE 10 18 E5 56 FC 67 9A AB 11 44 EE D0 D0 BF B6 C9 97 1D 76 5C B1 C7 C2 B7 62 C3 E7 C3 FB BD A0 53 6C 0D EA 16 C3 27 F3 39 5C 6C CC DF FB 6A 50 37 8A 8F AE 15 43 55 31 86 80 C1 ED 25 4E E8 B1 4F F2 CF 45 0B 93 D9 7F 2F 74 74 37 13 D9 3B 1E 24 48 E5 16 FC EC 05 DD FE 55 07 CA 3B B6 E9 08 78 85 EA 17 4B 14 F0 0E 64 B9 85 34 4E 72 FC 07 9D 7A CF

05 A1 13 6B 81 A0 85 19 08 90 4A FB CE FD BF C1 15 D8 1D 8D 1E FB 5C 1C BC BD A7 8B C6 F4 93 A8 B4 E5 78 CC AB F2 CB DC 05 D2 A3 EB 0F D0 F5 A1 68 E0 19 FC 98 8F D2 4E 9E 67 56 D7 37 07 EC 8A 41 5C 6A 58 10 3D 48 46 4C 67 62 72 09 6F AC 75 27 50 3C 2C DE 60 70 9B 44 83 AE CB CA F0 47 88 7D F1 E4 EA D4 C4 00 CC BA DF B7 BC 5F A8 AA A6 81 F2 0E 96 8B 87 85 E2 BC EF D9 B5 26 2E FE CB

01 21 9B FB 64 FD 72 09 7B 32 6A 5B 2B CE 26 76 0C 2C 32 BB 24 1C 34 BD 1A 62 22 44 70 B8 6C 35 27 58 1C 6A 4D 59 42 05 7D C0 5D 76 43 73 08 FD 5D 59 16 1C 3F E7 60 7C 7A 18 18 52 7D A4 4C 7C 61 6F 7A FD 01 1D 6B 53 5D 24 26 32 2D 7D 5C 40 45 51 4F C6 53 03 1B 59 10 FD 08 56 34 3F 0A 76 63 9B 46 40 41 45 14 A2 10 FD A0 26 C4 9B C7 E3 91 60 CE E7 FA 8A 83 9C B0 B8 A5 80 C6 C2 CE E7

import math

def isPrime(n):

    if(n<=1):

        return False

    for i in range(2,n):

        if(n%i == 0):

            return False

    return True
 
A=[0x3B, 0x0B, 0x02, 0x0E, 0x2B, 0x35, 0x2D, 0x15, 0x48, 0x09, 0x0A, 0x01, 0x1B, 0x34, 0x40, 0x26,

0x21, 0x29, 0x00, 0x47, 0x0F, 0x45, 0x16, 0x2C, 0x24, 0x23, 0x1A, 0x17, 0x46, 0x07, 0x20, 0x3E,

0x13, 0x1F, 0x27, 0x3F, 0x05, 0x3C, 0x03, 0x30, 0x10, 0x22, 0x32, 0x00, 0x1D, 0x18, 0x33, 0x08,

0x12, 0x31, 0x41, 0x2E, 0x1E, 0x43, 0x25, 0x36, 0x1C, 0x28, 0x3A, 0x0D, 0x42, 0x3D, 0x38, 0x49,

0x0C, 0x14, 0x39, 0x04, 0x44, 0x37, 0x2A, 0x19, 0x2F, 0x06, 0x02, 0x03, 0x05, 0x07, 0x0B, 0x0D,

0x11, 0x13, 0x17, 0x1D, 0x1F, 0x25, 0x29, 0x2B, 0x2F, 0x35, 0x3B, 0x3D, 0x43, 0x47, 0x49, 0x4F,

0x53, 0x59, 0x61, 0x65, 0x67, 0x6B, 0x6D, 0x71, 0x7F, 0x83, 0x89, 0x8B, 0x95, 0x97, 0x9D, 0xA3,

0xA7, 0xAD, 0xB3, 0xB5, 0xBF, 0xC1, 0xC5, 0xC7, 0xD3, 0xDF, 0xE3, 0xE5, 0xE9, 0xEF, 0xF1, 0xFB]

T=[0xB4, 0x66, 0xEF, 0xCA, 0xD9, 0xEB, 0xB6, 0x42, 0x36, 0x14, 0xB1, 0x23, 0xB5, 0xAB, 0xD4, 0x00,

0xB0, 0xBB, 0x96, 0xE4, 0x30, 0xA8, 0x7E, 0x5E, 0x87, 0x2D, 0xAA, 0x01, 0x47, 0xA0, 0x3D, 0xD2,

0xDA, 0xE1, 0x85, 0xF5, 0xFF, 0x0C, 0xFD, 0xAD, 0x07, 0xAF, 0xF2, 0xC8, 0x73, 0x94, 0x46, 0xFC,

0xE7, 0x7F, 0x15, 0x70, 0xBA, 0xF3, 0x08, 0x5F, 0x0A, 0xA3, 0x8D, 0x1F, 0xE6, 0x05, 0x6D, 0xC4,

0x4D, 0x31, 0x88, 0x17, 0x99, 0xC6, 0xB2, 0x6B, 0x83, 0x1C, 0x80, 0xDB, 0x69, 0x27, 0xFA, 0xC2,

0x2E, 0xEC, 0x4B, 0x2F, 0x62, 0xA4, 0xD3, 0x39, 0xBC, 0x6A, 0x4A, 0x86, 0x33, 0xBF, 0x92, 0x91,

0x44, 0xB9, 0xCD, 0xAC, 0xF6, 0x97, 0x6C, 0xE9, 0x90, 0x65, 0x54, 0x74, 0x76, 0x09, 0xE2, 0x49,

0xF0, 0xF9, 0xA2, 0x13, 0x9A, 0x16, 0x32, 0xF4, 0x82, 0x3F, 0x6F, 0x29, 0x0B, 0x5A, 0x22, 0xB3,

0x9C, 0x4E, 0x68, 0xD0, 0xC1, 0xE0, 0x41, 0xAE, 0x64, 0x28, 0xD5, 0x04, 0x8F, 0x9F, 0x78, 0xCC,

0x1D, 0x18, 0x0D, 0x67, 0x5B, 0xE5, 0x48, 0x7B, 0x19, 0xED, 0xD7, 0xDD, 0x55, 0x59, 0x0E, 0x25,

0x8E, 0x2C, 0x40, 0x12, 0x60, 0x1E, 0x10, 0xBD, 0xC5, 0x71, 0xF8, 0x51, 0xC7, 0x21, 0xC0, 0x1B,

0x45, 0xE8, 0x3B, 0xA1, 0xF7, 0x6E, 0x2B, 0x8C, 0xB7, 0xD6, 0x0F, 0xDE, 0x35, 0x89, 0x2A, 0x1A,

0x7D, 0x95, 0xD1, 0x72, 0x3C, 0xA5, 0x34, 0x11, 0xB8, 0x52, 0x5C, 0x75, 0xEE, 0x9B, 0xF1, 0xFB,

0xA9, 0x61, 0x79, 0xC9, 0x20, 0x3E, 0xC3, 0x37, 0x81, 0x7C, 0xCB, 0x57, 0x98, 0xDC, 0xBE, 0x24,

0x3A, 0x58, 0x63, 0x02, 0xD8, 0xEA, 0x4F, 0x43, 0x84, 0x9D, 0x06, 0x4C, 0x9E, 0xFE, 0xE3, 0xA7,

0xA6, 0x8A, 0x03, 0x56, 0x93, 0x8B, 0x7A, 0xCE, 0x38, 0x53, 0x26, 0xCF, 0xDF, 0x77, 0x5D, 0x50]
# 3b 0b e3 9e 2b bc 2d 32 48 09 0a 1b 1b c6 40 26 21 7b 00 1c 0f 45 16 a1 24 23 1a 17 46 28 20 d5 13 1f 27 3f 05 c4 03 30 10 7e 32 0f 1d 18 33 36 12 31 41 2e 1e e7 25 36 1c 28 3a 92 42 1e 38 49 0c 14 39 8b 44 37 2a 98 2f ea 02 03 05 07 0b 92 11 13 17 90 1f 25 29 2b 2f bc 3b 3d 43 47 49 4f 53 9d 61 65 67 47 6d a9 7f 83 89 f5 95 65 9d a3 a7 27 b3 b5 bf c1 c5 c7 d3 df e3 e5 e9 ef f1 cf ->> 0

def E1(INP):

    data = []

    for i in range(0x80):

        if(isPrime(i)):

            data.append(0xf)

        else:

            data.append(0x0)

    for k in range(0x80):

        if(data[k]):

            print("%.2x "%(T.index(A[k]^INP[k])),end='')

        else:

            print("%.2x "%(INP[k]^A[k]),end='')
 
X = [i for i in range(0x80)]
E1(X)
#3b 0a 0f 92 2f 14 2b a3 40 00 00 38 17 57 4e 29 31 f8 12 6a 1b 50 00 b2 3c 3a 00 0c 5a bf 3e ad 33 3e 05 1c 21 98 25 17 38 7c 18 b6 31 35 1d 4d 22 00 73 1d 2a 6c 13 01 24 11 00 08 7e 0f 06 76 4c 55 7b 1c 00 72 6c 17 67 e6 48 48 49 4a 45 07 41 42 45 81 4b 70 7f 7c 77 66 61 66 1f 1a 17 10 33 f8 03 06 03 9e 0b 75 17 ea e3 85 f9 4e f3 cc d7 dd c1 c6 cb b4 b3 b0 ab a6 99 9e 95 92 8f e8

import math

def isPrime(n):

if(n<=1):

return False

for i in range(2,n):

if(n%i == 0):

return False

return True

A=[0x3B, 0x0B, 0x02, 0x0E, 0x2B, 0x35, 0x2D, 0x15, 0x48, 0x09, 0x0A, 0x01, 0x1B, 0x34, 0x40, 0x26,

0x21, 0x29, 0x00, 0x47, 0x0F, 0x45, 0x16, 0x2C, 0x24, 0x23, 0x1A, 0x17, 0x46, 0x07, 0x20, 0x3E,

0x13, 0x1F, 0x27, 0x3F, 0x05, 0x3C, 0x03, 0x30, 0x10, 0x22, 0x32, 0x00, 0x1D, 0x18, 0x33, 0x08,

0x12, 0x31, 0x41, 0x2E, 0x1E, 0x43, 0x25, 0x36, 0x1C, 0x28, 0x3A, 0x0D, 0x42, 0x3D, 0x38, 0x49,

0x0C, 0x14, 0x39, 0x04, 0x44, 0x37, 0x2A, 0x19, 0x2F, 0x06, 0x02, 0x03, 0x05, 0x07, 0x0B, 0x0D,

0x11, 0x13, 0x17, 0x1D, 0x1F, 0x25, 0x29, 0x2B, 0x2F, 0x35, 0x3B, 0x3D, 0x43, 0x47, 0x49, 0x4F,

0x53, 0x59, 0x61, 0x65, 0x67, 0x6B, 0x6D, 0x71, 0x7F, 0x83, 0x89, 0x8B, 0x95, 0x97, 0x9D, 0xA3,

0xA7, 0xAD, 0xB3, 0xB5, 0xBF, 0xC1, 0xC5, 0xC7, 0xD3, 0xDF, 0xE3, 0xE5, 0xE9, 0xEF, 0xF1, 0xFB]

T=[0xB4, 0x66, 0xEF, 0xCA, 0xD9, 0xEB, 0xB6, 0x42, 0x36, 0x14, 0xB1, 0x23, 0xB5, 0xAB, 0xD4, 0x00,

0xB0, 0xBB, 0x96, 0xE4, 0x30, 0xA8, 0x7E, 0x5E, 0x87, 0x2D, 0xAA, 0x01, 0x47, 0xA0, 0x3D, 0xD2,

0xDA, 0xE1, 0x85, 0xF5, 0xFF, 0x0C, 0xFD, 0xAD, 0x07, 0xAF, 0xF2, 0xC8, 0x73, 0x94, 0x46, 0xFC,

0xE7, 0x7F, 0x15, 0x70, 0xBA, 0xF3, 0x08, 0x5F, 0x0A, 0xA3, 0x8D, 0x1F, 0xE6, 0x05, 0x6D, 0xC4,

0x4D, 0x31, 0x88, 0x17, 0x99, 0xC6, 0xB2, 0x6B, 0x83, 0x1C, 0x80, 0xDB, 0x69, 0x27, 0xFA, 0xC2,

0x2E, 0xEC, 0x4B, 0x2F, 0x62, 0xA4, 0xD3, 0x39, 0xBC, 0x6A, 0x4A, 0x86, 0x33, 0xBF, 0x92, 0x91,

0x44, 0xB9, 0xCD, 0xAC, 0xF6, 0x97, 0x6C, 0xE9, 0x90, 0x65, 0x54, 0x74, 0x76, 0x09, 0xE2, 0x49,

0xF0, 0xF9, 0xA2, 0x13, 0x9A, 0x16, 0x32, 0xF4, 0x82, 0x3F, 0x6F, 0x29, 0x0B, 0x5A, 0x22, 0xB3,

0x9C, 0x4E, 0x68, 0xD0, 0xC1, 0xE0, 0x41, 0xAE, 0x64, 0x28, 0xD5, 0x04, 0x8F, 0x9F, 0x78, 0xCC,

0x1D, 0x18, 0x0D, 0x67, 0x5B, 0xE5, 0x48, 0x7B, 0x19, 0xED, 0xD7, 0xDD, 0x55, 0x59, 0x0E, 0x25,

0x8E, 0x2C, 0x40, 0x12, 0x60, 0x1E, 0x10, 0xBD, 0xC5, 0x71, 0xF8, 0x51, 0xC7, 0x21, 0xC0, 0x1B,

0x45, 0xE8, 0x3B, 0xA1, 0xF7, 0x6E, 0x2B, 0x8C, 0xB7, 0xD6, 0x0F, 0xDE, 0x35, 0x89, 0x2A, 0x1A,

0x7D, 0x95, 0xD1, 0x72, 0x3C, 0xA5, 0x34, 0x11, 0xB8, 0x52, 0x5C, 0x75, 0xEE, 0x9B, 0xF1, 0xFB,

0xA9, 0x61, 0x79, 0xC9, 0x20, 0x3E, 0xC3, 0x37, 0x81, 0x7C, 0xCB, 0x57, 0x98, 0xDC, 0xBE, 0x24,

0x3A, 0x58, 0x63, 0x02, 0xD8, 0xEA, 0x4F, 0x43, 0x84, 0x9D, 0x06, 0x4C, 0x9E, 0xFE, 0xE3, 0xA7,

0xA6, 0x8A, 0x03, 0x56, 0x93, 0x8B, 0x7A, 0xCE, 0x38, 0x53, 0x26, 0xCF, 0xDF, 0x77, 0x5D, 0x50]

# 3b 0b e3 9e 2b bc 2d 32 48 09 0a 1b 1b c6 40 26 21 7b 00 1c 0f 45 16 a1 24 23 1a 17 46 28 20 d5 13 1f 27 3f 05 c4 03 30 10 7e 32 0f 1d 18 33 36 12 31 41 2e 1e e7 25 36 1c 28 3a 92 42 1e 38 49 0c 14 39 8b 44 37 2a 98 2f ea 02 03 05 07 0b 92 11 13 17 90 1f 25 29 2b 2f bc 3b 3d 43 47 49 4f 53 9d 61 65 67 47 6d a9 7f 83 89 f5 95 65 9d a3 a7 27 b3 b5 bf c1 c5 c7 d3 df e3 e5 e9 ef f1 cf ->> 0

def E1(INP):

data = []

for i in range(0x80):

if(isPrime(i)):

data.append(0xf)

else:

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・0

免费・3

支持