首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
[原创]2025 HGAME WEEK1 RE WP
发表于: 2025-2-12 11:10 6459

[原创]2025 HGAME WEEK1 RE WP

SleepAlone 活跃值
3
2025-2-12 11:10
6459

2025 HGAME WEEK1 RE WP

过完年了也开学了,该玩的也都玩了,在盛大的欢乐之后就是无尽的空虚。收收心回归老本行,两周没有做题了还好宝刀未老,花了两天的时间ak了week1的逆向题目,个人不太满意,还是有点慢。

Compress dot new - 300 pts (re/misc)

这道题意外的卡了很久,做的时候猜测是哈夫曼编码了,但是当时不太符合我心中的哈夫曼预期,后面专门看了下哈夫曼算法然后结合代码发现匹配,这才确定是。。。。忘的太快了,想当年也是408考119的男人。

0x01 题目介绍

题目很新颖,给的是nu脚本文件,还有个加密文件,通过理解脚本文件的加密逻辑,解密文件

0x02 求解

这里因为我哈夫曼算法记忘了,在这里卡了很久,结合chatgpt和加入输出语句“调试”的情况下,得出是哈夫曼算法。

加密脚本由两部分组成,第一行为加密内容字符哈夫曼树,第二行则是根据第一行哈夫曼树的生成的字符转义。

写脚本求解:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
# 假设我们已经有了哈夫曼树
def decode_huffman_tree(huffman_tree, binary_path):
    flag = ""
    node = huffman_tree
    for bit in binary_path:
        if "s" in node:
            flag += chr(node['s'])
            node = huffman_tree
        if bit == '0':
            node = node['a']
        elif bit == '1':
            node = node['b']
    return flag
 
# 示例的路径和哈夫曼树(简化版本)
huffman_tree ={
    "a": {
        "a": {
            "a": {
                "a": {
                    "a": {
                        "s": 125
                    },
                    "b": {
                        "a": {
                            "s": 119
                        },
                        "b": {
                            "s": 123
                        }
                    }
                },
                "b": {
                    "a": {
                        "s": 104
                    },
                    "b": {
                        "s": 105
                    }
                }
            },
            "b": {
                "a": {
                    "s": 101
                },
                "b": {
                    "s": 103
                }
            }
        },
        "b": {
            "a": {
                "a": {
                    "a": {
                        "s": 10
                    },
                    "b": {
                        "s": 13
                    }
                },
                "b": {
                    "s": 32
                }
            },
            "b": {
                "a": {
                    "s": 115
                },
                "b": {
                    "s": 116
                }
            }
        }
    },
    "b": {
        "a": {
            "a": {
                "a": {
                    "a": {
                        "a": {
                            "s": 46
                        },
                        "b": {
                            "s": 48
                        }
                    },
                    "b": {
                        "a": {
                            "a": {
                                "s": 76
                            },
                            "b": {
                                "s": 78
                            }
                        },
                        "b": {
                            "a": {
                                "s": 83
                            },
                            "b": {
                                "a": {
                                    "s": 68
                                },
                                "b": {
                                    "s": 69
                                }
                            }
                        }
                    }
                },
                "b": {
                    "a": {
                        "a": {
                            "s": 44
                        },
                        "b": {
                            "a": {
                                "s": 33
                            },
                            "b": {
                                "s": 38
                            }
                        }
                    },
                    "b": {
                        "s": 45
                    }
                }
            },
            "b": {
                "a": {
                    "a": {
                        "s": 100
                    },
                    "b": {
                        "a": {
                            "s": 98
                        },
                        "b": {
                            "s": 99
                        }
                    }
                },
                "b": {
                    "a": {
                        "a": {
                            "s": 49
                        },
                        "b": {
                            "s": 51
                        }
                    },
                    "b": {
                        "s": 97
                    }
                }
            }
        },
        "b": {
            "a": {
                "a": {
                    "a": {
                        "s": 117
                    },
                    "b": {
                        "s": 118
                    }
                },
                "b": {
                    "a": {
                        "a": {
                            "s": 112
                        },
                        "b": {
                            "s": 113
                        }
                    },
                    "b": {
                        "s": 114
                    }
                }
            },
            "b": {
                "a": {
                    "a": {
                        "s": 108
                    },
                    "b": {
                        "s": 109
                    }
                },
                "b": {
                    "a": {
                        "s": 110
                    },
                    "b": {
                        "s": 111
                    }
                }
            }
        }
    }
}
 
# 示例路径
binary_path = '00010001110111111010010000011100010111000100111000110000100010111001110010011011010101111011101100110100011101101001110111110111011011001110110011110011110110111011101101011001111011001111000111001101111000011001100001011011101100011100101001110010111001111000011000101001010000000100101000100010011111110110010111010101000111101000110110001110101011010011111111001111111011010101100001101110101101111110100100111100100010110101111111111100110001010101101110010011111000110110101101111010000011110100000110110101011000111111000110101001011100000110111100000010010100010001011100011100111001011101011111000101010110101111000001100111100011100101110101111100010110101110000010100000010110001111011100011101111110101010010011101011100100011110010010110111101110111010111110110001111010101110010001011100100101110001011010100001110101000101111010100110001110101011101100011011011000011010000001011000111011111111100010101011100000'  # 假设这是一个从根到叶子的路径
 
# 解码
decoded_char = decode_huffman_tree(huffman_tree, binary_path)
print(decoded_char)  # 输出 '}'

Turtle - 400 pts

之前做的题目都是找工具脱壳,第一次遇到手动脱壳的,也当练练手,好在不难

0x01 题目介绍

题目说明的暗示也给够了,也是一道考脱壳的题。脱壳之后的逻辑一目了然

0x02 求解

放入DIE查一下壳,发现是UPX 3.91 modified,使用ida打开查看节区信息,发现是.add0, .add1等很奇怪的名字,也能猜个差不多是个魔改的加壳

接下来就是脱壳,不过我并没有发现可以使用esp定律定位oep的地方。不过我发现程序运行起来有个io,在程序等待输入的时候回到x64dbg中,发现代码已经脱壳完毕,此时正是一个很好的demp时机,使用插件一键dump,完成脱壳

将脱完壳的程序放入ida分析,程序很简单,两段rc4加密,写脚本求解:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
from Crypto.Cipher.ARC4 import *
 
enc_key = bytes([
 0xCD,
 0x8F,
 0x25,
 0x3D,
 0xE1,
 ])
 
enc_key += b'QJ'
 
cipher = new(b'yekyek')
dec_key = cipher.decrypt(enc_key)
print(dec_key)
#ecg4ab6
 
enc_flag = [0 for i in range(40)]
v2 = enc_flag
v2[0] = 0xF8
v2[1] = -43
v2[2] = 98
v2[3] = -49
v2[4] = 67
v2[5] = -70
v2[6] = -62
v2[7] = 35
v2[8] = 21
v2[9] = 74
v2[10] = 81
v2[11] = 16
v2[12] = 39
v2[13] = 16
v2[14] = -79
v2[15] = -49
v2[16] = -60
v2[17] = 9
v2[18] = -2
v2[19] = -29
v2[20] = -97
v2[21] = 73
v2[22] = -121
v2[23] = -22
v2[24] = 89
v2[25] = -62
v2[26] = 7
v2[27] = 59
v2[28] = -87
v2[29] = 17
v2[30] = -63
v2[31] = -68
v2[32] = -3
v2[33] = 75
v2[34] = 87
v2[35] = -60
v2[36] = 126
v2[37] = -48
v2[38] = -86
v2[39] = 10
 
add_bytes = new(b'ecg4ab6').encrypt(b'\x00' * 40)
 
flag = ''
for i in range(40):
    flag += chr((enc_flag[i] + add_bytes[i]) & 0xff)
 
print(flag)

Delta Erro0000ors - 600 pts

这道题也很新,或者说,我没做过,完全就是现挂(看今年春晚学的词)

0x01 题目介绍

一道考察Delta的题目,通过应用Detla还原出文件,但是Detla的hash被修改了,需要找到正确的hash,才能还原flag。


[注意]看雪招聘,专注安全领域的专业人才平台!

最后于 2025-2-12 11:20 被SleepAlone编辑 ,原因:
收藏
免费 0
支持
分享
最新回复 (3)
soapsama
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
2
大佬,能讲解一下Delta Erro0000ors这道题的”最后无奈尝试土办法,在hash的内存起始处下入内存断点,然后成功在memcmp中定位到了真正的hash,我这是正确的解法吗??? 感觉我这样做出来有点简单。”这个方法吗?具体是如何实现的?这道题我当时动态调试了很久,好像一直会报异常而无法继续调试,没有做出来,想学习一下这个方法
2025-2-16 16:40
0
Matriy
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
3
soapsama 大佬,能讲解一下Delta Erro0000ors这道题的”最后无奈尝试土办法,在hash的内存起始处下入内存断点,然后成功在memcmp中定位到了真正的hash,我这是正确的解法吗??? 感觉我这样 ...
你做出来了吗,我现在还没做出来,可以交流下吗
2025-2-20 21:22
0
SleepAlone
雪    币: 4260
活跃值: (1385)
能力值: ( LV10,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
4
soapsama 大佬,能讲解一下Delta Erro0000ors这道题的”最后无奈尝试土办法,在hash的内存起始处下入内存断点,然后成功在memcmp中定位到了真正的hash,我这是正确的解法吗??? 感觉我这样 ...
就是在hash内存其实处下内存断点啊,然后程序断在memcmp里
2025-2-24 17:32
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回