祥雲杯2021

本文轉載自查看原文 2021-08-24 19:49 207 ctf學習

Rev_Dizzy

ida分析

分析得出對輸入的每個字節都進行了運算，然后跟特定數據比較。

2.解題思路

只要把帶比較數據作為輸入把運算反着運行一遍就行了，利用py腳本來使運算反向。

py腳本：

f1=open('D:\桌面\祥雲\\re\\d.txt','r')#順序
f2=open('D:\桌面\祥雲\\re\\dd.txt','w')#逆序


num_row=5000
for ii in range(1):
    readstr=f1.readlines()
    print(readstr)
    writestr=[]
    for i in range(len(readstr)):
        writestr.append(readstr[len(readstr)-i-1])
    print(writestr)
    f2.writelines(writestr)

最后得出flag:flag{Try_R3vers1ng_W1th_ScR!pt!}。

勒索解密

1.ida分析

通過調試得出加密流程為，sha256特殊數據，從中生成aes128的密鑰。對文件進行aes128加密。

爆破時間（參考於天璇的wp)

void decrypt_test(void) {

    DWORD32 key[4] = { 0x0EC62FB2,0x4B54D44F,0,0x8EB1E721 };
    FILE* f;
    int mode;
    fopen_s(&f,"G:\\flag.bmp.ctf_crypter", "rb");
    BYTE * cipher =(BYTE*)malloc(0xd6830);
    memset(cipher, 0, 0xd6830);
    fread(cipher, sizeof(char), 0xd6830, f);

    for (int i = 1629097200; i < 1629553539; i++) //i=2021/08/16 15:00:00 < 當前時間
        {
        HCRYPTPROV prov = NULL;
        HCRYPTHASH hash;
        HCRYPTKEY aesKey;
        DWORD length = 16;
        key[2] = i;
        BYTE head[32];
        memset(head, 0, 32);
        memcpy(head, cipher, 16);
        if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
            printf("error0\n");
        }
        CryptCreateHash(prov, 0x800Cu, 0, 0, &hash);
        CryptHashData(hash, (const BYTE*)key, 0x10u, 0);
        CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey);
        mode = 1;
        CryptSetKeyParam(aesKey, 4u, (const BYTE*)&mode, 0);
        CryptSetKeyParam(aesKey, 3u, (const BYTE*)&mode, 0);
        CryptDecrypt(aesKey, 0, 0, 0, head, &length);
        if (head[0] == 'B' && head[1] == 'M') {
            printf("%x", i);
            break;
        }
    }
}

解密文件（參考於天璇的wp)

void decrypt(void) {

    DWORD32 key[4] = { 0x0EC62FB2,0x4B54D44F,1629098245,0x8EB1E721 };
    FILE *f;
    int mode;
    fopen_s(&f, "G:\\flag.bmp.ctf_crypter", "rb");
    BYTE *cipher = (BYTE*)malloc(0xd6830);
    int totalLength = 0xd6830;
    DWORD blockLen = 16;
    memset(cipher, 0, totalLength);
    fread(cipher, sizeof(char), totalLength, f);
    HCRYPTPROV prov = NULL;
    HCRYPTHASH hash;
    HCRYPTKEY aesKey;
    if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {

        printf("error0\n");
    }
    CryptCreateHash(prov, 0x800Cu, 0, 0, &hash);
    CryptHashData(hash, (const BYTE*)key, 0x10u, 0);
    CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey);
    mode = 1;
    CryptSetKeyParam(aesKey, 4u,(const BYTE*)&mode, 0);
    CryptSetKeyParam(aesKey, 3u,(const BYTE*)&mode, 0);
    for (int i = 0; i < totalLength; i += 16) {

        CryptDecrypt(aesKey, 0, 0, 0, cipher + i, &blockLen);
    }
    FILE* out;
    fopen_s(&out, "G:\\dec.bmp", "wb");
    fwrite(cipher, 1, totalLength, out);
    printf("");

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 2021 祥雲杯 wp 2021祥雲杯部分wp 2021祥雲杯 Misc鳴雛戀 wp | re | 2021祥雲杯逆向部分祥雲杯MISC - WP 祥雲杯2020 Misc題解 2020首屆祥雲杯部分wp 2021綠盟杯 2021長安杯wp 2021 羊城杯WriteUP