I'm too bad at this, gave up, it's over.
RE
REEEE
Analysing the binary in IDA 64 shows a REEE_encode function and a comparison against a string with obvious base64 characteristics: BOxJB3tMeXV2dkM1BLR5A2Z3ekI2fXWLBUR0fUI2ekaMA2AzA30=
Stepping into REEE_encode reveals a custom base64 alphabet, so the string can be decoded with the following script:
# coding=utf-8
import base64

change = "RSTUVWXYZabcdefghijklmnoABCDEFGHIJKLMNOPQpqrstuvwxyz0123456789+/"  # custom base64 alphabet used by REEE_encode
normal = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard base64 alphabet
key = "BOxJB3tMeXV2dkM1BLR5A2Z3ekI2fXWLBUR0fUI2ekaMA2AzA30="
# Map every character of the custom alphabet back to its standard-alphabet counterpart
true_key = key.translate(str.maketrans(change, normal))
print('The real base64code: ' + true_key)
decode = base64.b64decode(true_key)  # a normal base64 decode now yields the plaintext
print(decode)
Decoded: flag{d4a6195f09cb75868acd0488652dcf3c}
Hard re
Decompiling and debugging in IDA shows that the flag is 32 characters long, that the exe drops a DLL, and that it runs C:\Windows\SysWOW64\rundll32.exe FakerDll.dll,Check xx
(where xx is the user input) to call the DLL's Check function.
Decompiling the DLL and locating Check, then following check_0, shows that to print Success !!! either flag == 1
or a4 == 9meD3Kcb0FHDbx6jX9FzpxpZUb12345 is required.
Analysing flag shows there is another function that sets flag = 1
if lpMen == c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg=.
Following the cross-references leads to the main check function sub_1002E0B0; after fixing the types and guessing the purpose of the functions from context, it reads:
signal1 = maybe_strcpy(signal2, v19, 27, &input[v5 - 26], 26);
signal3 = maybe_strcpy(signal1, str0, 14, &v19[0], 13);
signal2 = maybe_strcpy(signal3, str1, 14, &v19[13], 13);
for ( i = 0; i < strlen(str0); ++i )
{
    if ( (str0[i] ^ 5) <= 'z' && (str0[i] ^ 5) >= '0' )
        str0[i] ^= 5u;
}
for ( j = 0; j < strlen(str1); ++j )
{
    if ( (str1[j] ^ 0xF) <= 'z' && (str1[j] ^ 0xF) >= '0' )
        str1[j] ^= 0xFu;
}
Guess: the signal variables record whether the previous call succeeded (1 on success); maybe_strcpy takes (bool check, destination start address, destination copy length, source start address, source copy length).
Since the transform is XOR, it is reversible, so a script can be written (borrowing master 古月浪子's script):
import base64

lpMen = base64.b64decode('c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg=')
flag = ''
# The second half of the compare string comes from str0, which was XORed with 5
for i in lpMen[13:]:
    if ord('z') >= i ^ 5 >= ord('0'):
        flag += chr(i ^ 5)
    else:
        flag += chr(i)
# The first half comes from str1, which was XORed with 0xF
for i in lpMen[:13]:
    if ord('z') >= i ^ 0xf >= ord('0'):
        flag += chr(i ^ 0xf)
    else:
        flag += chr(i)
print(flag)
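As an added check (my code, not the writeup's or the borrowed script), the forward transform from the decompiled loops and its inverse, with a round-trip verification of the recovered input; it assumes, like the borrowed script, that the buffer compared against lpMen is str1 followed by str0.

```python
import base64

# The constant the DLL compares against (from the writeup), decoded to its 26 raw bytes.
LPMEN = base64.b64decode("c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg=")


def xor_in_range(chunk: bytes, key: int) -> bytes:
    """The transform from the decompiled loop: XOR each byte with key, but keep the
    result only if it stays within ['0', 'z']; otherwise the byte is left unchanged.
    XOR is an involution, so the same function also serves as the (heuristic) inverse:
    a plaintext byte outside the range whose XOR lands inside it is not distinguishable
    from an unchanged byte, which is why the result must be verified, not trusted."""
    out = bytearray()
    for c in chunk:
        x = c ^ key
        out.append(x if ord("0") <= x <= ord("z") else c)
    return bytes(out)


def build_compare_buffer(user_input: bytes) -> bytes:
    """Forward direction, as the DLL does it on the last 26 input bytes:
    str0 = input[0:13] XOR 5, str1 = input[13:26] XOR 0xF.
    Assumption (taken from the writeup's recovery script): the buffer that is
    compared against LPMEN is str1 followed by str0."""
    assert len(user_input) == 26, "expected 13 + 13 bytes"
    str0 = xor_in_range(user_input[:13], 5)
    str1 = xor_in_range(user_input[13:], 0xF)
    return str1 + str0


def recover_input(target: bytes = LPMEN) -> str:
    """Invert build_compare_buffer and confirm the result really round-trips."""
    assert len(target) == 26, "expected 13 + 13 bytes"
    recovered = xor_in_range(target[13:], 5) + xor_in_range(target[:13], 0xF)
    # The inverse is heuristic (see xor_in_range), so rebuild the buffer and compare.
    if build_compare_buffer(recovered) != target:
        raise ValueError("recovered input does not re-encode to the target")
    return recovered.decode()


if __name__ == "__main__":
    print(recover_input())
```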
Crypto
Sign-in
Caesar cipher with a shift of 3.
Result: flag{2a2ab40b9b031723cca883b61c15fee0}
easyras
We are given e, c, n and dp, so the leaked-dp attack applies: since dp = d mod (p-1), e*dp = 1 (mod p-1), i.e. e*dp - 1 = k*(p-1) for some 1 <= k < e, and p is found by trying every k. Apply the script:
import gmpy2 as gp

e = 0x10001
n = gp.mpz(101031799769686356875689677901727632087789394241694537610688487381734497153370779419148195361726900364384918762158954452844358699628272550435920733825528414623691447245900175499950458168333742756118038555364836309568598646312353874247656710732472018288962454506789615632015856961278964493826919853082813244227)
dp = gp.mpz(1089885100013347250801674176717862346181995027932544377293216564837464201546385463279055643089303360817423261428901834798955985043080308895369226243973673)  # dp = d mod (p-1), leaked
c = gp.mpz(59381302046219861703693321495442496884448849866535616496729805734326661742228038342690865965545318011599241185017546760846698815333545820228348501022889423901773651749628741238050559441761853071976079031678640014602919526148731936437472217369575554448232401310265267205034644121488774398730319347479771423197)

# e*dp - 1 = x*(p-1) for some 1 <= x < e: try every x as the candidate k
for x in range(1, e):
    if (e * dp % x == 1):  # cheap filter: for the right x, e*dp mod x == 1 must hold
        p = (e * dp - 1) // x + 1
        if (n % p != 0):  # the real p divides n
            continue
        q = n // p
        phin = (p - 1) * (q - 1)
        d = gp.invert(e, phin)
        m = gp.powmod(c, d, n)
        if (len(hex(m)[2:]) % 2 == 1):  # odd-length hex cannot be a byte string
            continue
        print('--------------')
        print(m)
        print(hex(m)[2:])
        print(bytes.fromhex(hex(m)[2:]))
Result: flag{38c60aa8ddcfb50afa3021f40f0acdac}
MISC
Sign-in
base64
huahua
Repair the zip archive, then repair the PNG image by changing its height to 800. Result: flag{b3afc91a8fbb6cc798bdebb253b02550}
NOSIE
The docx and the jpg both contain fake flags. Carving with foremost yields a wav file; dragging it into Audition and looking at the spectrogram gives:
flag{98ce526ad52c409763405847185d9c6c}
DdDdDd
Traffic analysis. I was completely lost at first; after rereading the challenge description I realised that "print" probably refers to 3D printing. I had just reproduced a gcode challenge from the DASCTF 2020 June team round, so I searched for gcode and found a wolt.gcode file. Saving it as a gcode file, uploading it to https://gcode.ws/ and clicking the 3D view gives: flag{2fc07441-fd8f-4e1c-9f0f-72aa8c984a}
Hidden data
Unzipping and changing the extension gives an encrypted file; the password obtained from the docx does not work on it, so I used the brute-force tool ARCHPR.exe and got the password 0546. That yields another encrypted archive, which decrypts with the password obtained earlier from the docx into a new docx file. Opening it, the hidden flag does not show up, so I right-clicked to open the docx as an archive, found word/document.xml and searched for flag, which gives flag{4de41c0b106051b30cb3c654901b1b06}