Hideit
分析過程中感覺有點像是在內存中直接加載並運行了一個PE文件,不過並未仔細看。根據控制台輸出輸入等特征,猜測應該是調用標准庫IO進行輸出的,可以直接在標准庫函數內下一系列斷點,發現最終可以在scanf內部斷下來,跳出scanf函數后就直接進入加密函數了。
第一次輸入是一個xtea加密驗證,key和密文都有,直接解密即可。
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
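/*
 * Run one 64-bit block backwards through the challenge's XTEA variant.
 *
 * This is NOT textbook XTEA and must be kept exactly as written: the round
 * function combines sum and key with XOR instead of addition, takes the key
 * index from (sum >> 2) & 3 (with the v1 step using index ^ 1), and the
 * non-linear term is (v<<4 ^ v>>3) + (v>>5 ^ v<<2).  The shape is the one the
 * author recovered from the binary, so "fixing" it towards standard XTEA
 * would break decryption.
 *
 * num_rounds  rounds the encryptor performed (32 for this challenge).
 *             0 rounds leaves v untouched (the original do/while looped
 *             2^32 times in that case).
 * v           in: two ciphertext words; out: two plaintext words.
 * key         four 32-bit key words, read only.
 */
void XTeaDecipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x9E3779B9;
    uint32_t v0 = v[0], v1 = v[1];
    /* Encryption added delta once per round; start from the final sum and walk it back. */
    uint32_t sum = delta * num_rounds;

    for (unsigned int round = 0; round < num_rounds; ++round) {
        uint32_t k = (sum >> 2) & 3; /* key-schedule index for this round */
        v1 -= ((sum ^ v0) + (v0 ^ key[k ^ 1])) ^ (((v0 << 4) ^ (v0 >> 3)) + ((v0 >> 5) ^ (v0 << 2)));
        v0 -= ((sum ^ v1) + (v1 ^ key[k]))     ^ (((v1 << 4) ^ (v1 >> 3)) + ((v1 >> 5) ^ (v1 << 2)));
        sum -= delta;
    }

    v[0] = v0;
    v[1] = v1;
}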
int main(void)
{
    /* Two ciphertext words plus a zero word so the result can be read as a C string. */
    uint32_t enc[] = { 0x1130BE1B, 0x63747443, 0 };
    uint32_t const key[] = { 0x72, 0x202, 0x13, 0x13 };

    XTeaDecipher(32, enc, key); /* expected {0x69746f64, 0x74697374}, i.e. "dotitsit" */
    puts((char *)enc);          /* dotitsit */
    return 0;
}
第二層是一個哈希加密,似乎是md5算法結合了一些額外的操作,以至於輸出結果並不像正常MD5。這里一共要求32個字節的輸入數據,隨后輸出32個字節的加密數據,再比較密文,但令人困惑的是這里並沒有獲取輸入。經過對算法的分析,每個位置的字節都有一一映射,所以可以直接枚舉出可見字符的映射,將密文映射回去。(這里糾正一下,賽后看其他師傅的WP發現是chacha20,當時看得太快並未仔細看,后面經過算法的黑盒分析發現了這個輸入輸出特征,雖然有點疑惑哈希算法為什么會存在單字節的變換,但沒多想。)
import hashlib
import string
# Ciphertext produced by the second stage: 32 bytes, one per input byte.
enc = [
0xEB, 0x8E, 0x5C, 0xA5, 0x62, 0xB4, 0x1C, 0x84, 0x5C, 0x59,
0xFC, 0x0D, 0x43, 0x3C, 0xAB, 0x20, 0xD8, 0x93, 0x33, 0x13,
0xA1, 0x9E, 0x39, 0x00, 0x76, 0x14, 0xB5, 0x04, 0x58, 0x9D,
0x06, 0xB8
]
# table[n][i] is the byte the stage emits at position i when the input byte at
# position i is ret[n] (one row per candidate character, 32 columns per row).
table = [
[0XBD,0xD2,0x0D,0xF2,0x29,0xC2,0x1D,0xFA,0x28,0x24,0xFF,0x62,0x47,0x6A,0xAC,0x23,0x9A,0xFC,0x34,0x6B,0xA2,0xF1,0x3C,0x58,0x75,0x68,0xC9,0x77,0x58,0xE9,0x05,0xF5],
[0XBC,0xD3,0x0C,0xF3,0x28,0xC3,0x1C,0xFB,0x29,0x25,0xFE,0x63,0x46,0x6B,0xAD,0x22,0x9B,0xFD,0x35,0x6A,0xA3,0xF0,0x3D,0x59,0x74,0x69,0xC8,0x76,0x59,0xE8,0x04,0xF4],
[0XBF,0xD0,0x0F,0xF0,0x2B,0xC0,0x1F,0xF8,0x2A,0x26,0xFD,0x60,0x45,0x68,0xAE,0x21,0x98,0xFE,0x36,0x69,0xA0,0xF3,0x3E,0x5A,0x77,0x6A,0xCB,0x75,0x5A,0xEB,0x07,0xF7],
[0XBE,0xD1,0x0E,0xF1,0x2A,0xC1,0x1E,0xF9,0x2B,0x27,0xFC,0x61,0x44,0x69,0xAF,0x20,0x99,0xFF,0x37,0x68,0xA1,0xF2,0x3F,0x5B,0x76,0x6B,0xCA,0x74,0x5B,0xEA,0x06,0xF6],
[0XB9,0xD6,0x09,0xF6,0x2D,0xC6,0x19,0xFE,0x2C,0x20,0xFB,0x66,0x43,0x6E,0xA8,0x27,0x9E,0xF8,0x30,0x6F,0xA6,0xF5,0x38,0x5C,0x71,0x6C,0xCD,0x73,0x5C,0xED,0x01,0xF1],
[0XB8,0xD7,0x08,0xF7,0x2C,0xC7,0x18,0xFF,0x2D,0x21,0xFA,0x67,0x42,0x6F,0xA9,0x26,0x9F,0xF9,0x31,0x6E,0xA7,0xF4,0x39,0x5D,0x70,0x6D,0xCC,0x72,0x5D,0xEC,0x00,0xF0],
[0XBB,0xD4,0x0B,0xF4,0x2F,0xC4,0x1B,0xFC,0x2E,0x22,0xF9,0x64,0x41,0x6C,0xAA,0x25,0x9C,0xFA,0x32,0x6D,0xA4,0xF7,0x3A,0x5E,0x73,0x6E,0xCF,0x71,0x5E,0xEF,0x03,0xF3],
[0XBA,0xD5,0x0A,0xF5,0x2E,0xC5,0x1A,0xFD,0x2F,0x23,0xF8,0x65,0x40,0x6D,0xAB,0x24,0x9D,0xFB,0x33,0x6C,0xA5,0xF6,0x3B,0x5F,0x72,0x6F,0xCE,0x70,0x5F,0xEE,0x02,0xF2],
[0XB5,0xDA,0x05,0xFA,0x21,0xCA,0x15,0xF2,0x20,0x2C,0xF7,0x6A,0x4F,0x62,0xA4,0x2B,0x92,0xF4,0x3C,0x63,0xAA,0xF9,0x34,0x50,0x7D,0x60,0xC1,0x7F,0x50,0xE1,0x0D,0xFD],
[0XB4,0xDB,0x04,0xFB,0x20,0xCB,0x14,0xF3,0x21,0x2D,0xF6,0x6B,0x4E,0x63,0xA5,0x2A,0x93,0xF5,0x3D,0x62,0xAB,0xF8,0x35,0x51,0x7C,0x61,0xC0,0x7E,0x51,0xE0,0x0C,0xFC],
[0XEC,0x83,0x5C,0xA3,0x78,0x93,0x4C,0xAB,0x79,0x75,0xAE,0x33,0x16,0x3B,0xFD,0x72,0xCB,0xAD,0x65,0x3A,0xF3,0xA0,0x6D,0x09,0x24,0x39,0x98,0x26,0x09,0xB8,0x54,0xA4],
[0XEF,0x80,0x5F,0xA0,0x7B,0x90,0x4F,0xA8,0x7A,0x76,0xAD,0x30,0x15,0x38,0xFE,0x71,0xC8,0xAE,0x66,0x39,0xF0,0xA3,0x6E,0x0A,0x27,0x3A,0x9B,0x25,0x0A,0xBB,0x57,0xA7],
[0XEE,0x81,0x5E,0xA1,0x7A,0x91,0x4E,0xA9,0x7B,0x77,0xAC,0x31,0x14,0x39,0xFF,0x70,0xC9,0xAF,0x67,0x38,0xF1,0xA2,0x6F,0x0B,0x26,0x3B,0x9A,0x24,0x0B,0xBA,0x56,0xA6],
[0XE9,0x86,0x59,0xA6,0x7D,0x96,0x49,0xAE,0x7C,0x70,0xAB,0x36,0x13,0x3E,0xF8,0x77,0xCE,0xA8,0x60,0x3F,0xF6,0xA5,0x68,0x0C,0x21,0x3C,0x9D,0x23,0x0C,0xBD,0x51,0xA1],
[0XE8,0x87,0x58,0xA7,0x7C,0x97,0x48,0xAF,0x7D,0x71,0xAA,0x37,0x12,0x3F,0xF9,0x76,0xCF,0xA9,0x61,0x3E,0xF7,0xA4,0x69,0x0D,0x20,0x3D,0x9C,0x22,0x0D,0xBC,0x50,0xA0],
[0XEB,0x84,0x5B,0xA4,0x7F,0x94,0x4B,0xAC,0x7E,0x72,0xA9,0x34,0x11,0x3C,0xFA,0x75,0xCC,0xAA,0x62,0x3D,0xF4,0xA7,0x6A,0x0E,0x23,0x3E,0x9F,0x21,0x0E,0xBF,0x53,0xA3],
[0XEA,0x85,0x5A,0xA5,0x7E,0x95,0x4A,0xAD,0x7F,0x73,0xA8,0x35,0x10,0x3D,0xFB,0x74,0xCD,0xAB,0x63,0x3C,0xF5,0xA6,0x6B,0x0F,0x22,0x3F,0x9E,0x20,0x0F,0xBE,0x52,0xA2],
[0XE5,0x8A,0x55,0xAA,0x71,0x9A,0x45,0xA2,0x70,0x7C,0xA7,0x3A,0x1F,0x32,0xF4,0x7B,0xC2,0xA4,0x6C,0x33,0xFA,0xA9,0x64,0x00,0x2D,0x30,0x91,0x2F,0x00,0xB1,0x5D,0xAD],
[0XE4,0x8B,0x54,0xAB,0x70,0x9B,0x44,0xA3,0x71,0x7D,0xA6,0x3B,0x1E,0x33,0xF5,0x7A,0xC3,0xA5,0x6D,0x32,0xFB,0xA8,0x65,0x01,0x2C,0x31,0x90,0x2E,0x01,0xB0,0x5C,0xAC],
[0XE7,0x88,0x57,0xA8,0x73,0x98,0x47,0xA0,0x72,0x7E,0xA5,0x38,0x1D,0x30,0xF6,0x79,0xC0,0xA6,0x6E,0x31,0xF8,0xAB,0x66,0x02,0x2F,0x32,0x93,0x2D,0x02,0xB3,0x5F,0xAF],
[0XE6,0x89,0x56,0xA9,0x72,0x99,0x46,0xA1,0x73,0x7F,0xA4,0x39,0x1C,0x31,0xF7,0x78,0xC1,0xA7,0x6F,0x30,0xF9,0xAA,0x67,0x03,0x2E,0x33,0x92,0x2C,0x03,0xB2,0x5E,0xAE],
[0XE1,0x8E,0x51,0xAE,0x75,0x9E,0x41,0xA6,0x74,0x78,0xA3,0x3E,0x1B,0x36,0xF0,0x7F,0xC6,0xA0,0x68,0x37,0xFE,0xAD,0x60,0x04,0x29,0x34,0x95,0x2B,0x04,0xB5,0x59,0xA9],
[0XE0,0x8F,0x50,0xAF,0x74,0x9F,0x40,0xA7,0x75,0x79,0xA2,0x3F,0x1A,0x37,0xF1,0x7E,0xC7,0xA1,0x69,0x36,0xFF,0xAC,0x61,0x05,0x28,0x35,0x94,0x2A,0x05,0xB4,0x58,0xA8],
[0XE3,0x8C,0x53,0xAC,0x77,0x9C,0x43,0xA4,0x76,0x7A,0xA1,0x3C,0x19,0x34,0xF2,0x7D,0xC4,0xA2,0x6A,0x35,0xFC,0xAF,0x62,0x06,0x2B,0x36,0x97,0x29,0x06,0xB7,0x5B,0xAB],
[0XE2,0x8D,0x52,0xAD,0x76,0x9D,0x42,0xA5,0x77,0x7B,0xA0,0x3D,0x18,0x35,0xF3,0x7C,0xC5,0xA3,0x6B,0x34,0xFD,0xAE,0x63,0x07,0x2A,0x37,0x96,0x28,0x07,0xB6,0x5A,0xAA],
[0XFD,0x92,0x4D,0xB2,0x69,0x82,0x5D,0xBA,0x68,0x64,0xBF,0x22,0x07,0x2A,0xEC,0x63,0xDA,0xBC,0x74,0x2B,0xE2,0xB1,0x7C,0x18,0x35,0x28,0x89,0x37,0x18,0xA9,0x45,0xB5],
[0XFC,0x93,0x4C,0xB3,0x68,0x83,0x5C,0xBB,0x69,0x65,0xBE,0x23,0x06,0x2B,0xED,0x62,0xDB,0xBD,0x75,0x2A,0xE3,0xB0,0x7D,0x19,0x34,0x29,0x88,0x36,0x19,0xA8,0x44,0xB4],
[0XFF,0x90,0x4F,0xB0,0x6B,0x80,0x5F,0xB8,0x6A,0x66,0xBD,0x20,0x05,0x28,0xEE,0x61,0xD8,0xBE,0x76,0x29,0xE0,0xB3,0x7E,0x1A,0x37,0x2A,0x8B,0x35,0x1A,0xAB,0x47,0xB7],
[0XFE,0x91,0x4E,0xB1,0x6A,0x81,0x5E,0xB9,0x6B,0x67,0xBC,0x21,0x04,0x29,0xEF,0x60,0xD9,0xBF,0x77,0x28,0xE1,0xB2,0x7F,0x1B,0x36,0x2B,0x8A,0x34,0x1B,0xAA,0x46,0xB6],
[0XF9,0x96,0x49,0xB6,0x6D,0x86,0x59,0xBE,0x6C,0x60,0xBB,0x26,0x03,0x2E,0xE8,0x67,0xDE,0xB8,0x70,0x2F,0xE6,0xB5,0x78,0x1C,0x31,0x2C,0x8D,0x33,0x1C,0xAD,0x41,0xB1],
[0XF8,0x97,0x48,0xB7,0x6C,0x87,0x58,0xBF,0x6D,0x61,0xBA,0x27,0x02,0x2F,0xE9,0x66,0xDF,0xB9,0x71,0x2E,0xE7,0xB4,0x79,0x1D,0x30,0x2D,0x8C,0x32,0x1D,0xAC,0x40,0xB0],
[0XFB,0x94,0x4B,0xB4,0x6F,0x84,0x5B,0xBC,0x6E,0x62,0xB9,0x24,0x01,0x2C,0xEA,0x65,0xDC,0xBA,0x72,0x2D,0xE4,0xB7,0x7A,0x1E,0x33,0x2E,0x8F,0x31,0x1E,0xAF,0x43,0xB3],
[0XFA,0x95,0x4A,0xB5,0x6E,0x85,0x5A,0xBD,0x6F,0x63,0xB8,0x25,0x00,0x2D,0xEB,0x64,0xDD,0xBB,0x73,0x2C,0xE5,0xB6,0x7B,0x1F,0x32,0x2F,0x8E,0x30,0x1F,0xAE,0x42,0xB2],
[0XF5,0x9A,0x45,0xBA,0x61,0x8A,0x55,0xB2,0x60,0x6C,0xB7,0x2A,0x0F,0x22,0xE4,0x6B,0xD2,0xB4,0x7C,0x23,0xEA,0xB9,0x74,0x10,0x3D,0x20,0x81,0x3F,0x10,0xA1,0x4D,0xBD],
[0XF4,0x9B,0x44,0xBB,0x60,0x8B,0x54,0xB3,0x61,0x6D,0xB6,0x2B,0x0E,0x23,0xE5,0x6A,0xD3,0xB5,0x7D,0x22,0xEB,0xB8,0x75,0x11,0x3C,0x21,0x80,0x3E,0x11,0xA0,0x4C,0xBC],
[0XF7,0x98,0x47,0xB8,0x63,0x88,0x57,0xB0,0x62,0x6E,0xB5,0x28,0x0D,0x20,0xE6,0x69,0xD0,0xB6,0x7E,0x21,0xE8,0xBB,0x76,0x12,0x3F,0x22,0x83,0x3D,0x12,0xA3,0x4F,0xBF],
[0XCC,0xA3,0x7C,0x83,0x58,0xB3,0x6C,0x8B,0x59,0x55,0x8E,0x13,0x36,0x1B,0xDD,0x52,0xEB,0x8D,0x45,0x1A,0xD3,0x80,0x4D,0x29,0x04,0x19,0xB8,0x06,0x29,0x98,0x74,0x84],
[0XCF,0xA0,0x7F,0x80,0x5B,0xB0,0x6F,0x88,0x5A,0x56,0x8D,0x10,0x35,0x18,0xDE,0x51,0xE8,0x8E,0x46,0x19,0xD0,0x83,0x4E,0x2A,0x07,0x1A,0xBB,0x05,0x2A,0x9B,0x77,0x87],
[0XCE,0xA1,0x7E,0x81,0x5A,0xB1,0x6E,0x89,0x5B,0x57,0x8C,0x11,0x34,0x19,0xDF,0x50,0xE9,0x8F,0x47,0x18,0xD1,0x82,0x4F,0x2B,0x06,0x1B,0xBA,0x04,0x2B,0x9A,0x76,0x86],
[0XC9,0xA6,0x79,0x86,0x5D,0xB6,0x69,0x8E,0x5C,0x50,0x8B,0x16,0x33,0x1E,0xD8,0x57,0xEE,0x88,0x40,0x1F,0xD6,0x85,0x48,0x2C,0x01,0x1C,0xBD,0x03,0x2C,0x9D,0x71,0x81],
[0XC8,0xA7,0x78,0x87,0x5C,0xB7,0x68,0x8F,0x5D,0x51,0x8A,0x17,0x32,0x1F,0xD9,0x56,0xEF,0x89,0x41,0x1E,0xD7,0x84,0x49,0x2D,0x00,0x1D,0xBC,0x02,0x2D,0x9C,0x70,0x80],
[0XCB,0xA4,0x7B,0x84,0x5F,0xB4,0x6B,0x8C,0x5E,0x52,0x89,0x14,0x31,0x1C,0xDA,0x55,0xEC,0x8A,0x42,0x1D,0xD4,0x87,0x4A,0x2E,0x03,0x1E,0xBF,0x01,0x2E,0x9F,0x73,0x83],
[0XCA,0xA5,0x7A,0x85,0x5E,0xB5,0x6A,0x8D,0x5F,0x53,0x88,0x15,0x30,0x1D,0xDB,0x54,0xED,0x8B,0x43,0x1C,0xD5,0x86,0x4B,0x2F,0x02,0x1F,0xBE,0x00,0x2F,0x9E,0x72,0x82],
[0XC5,0xAA,0x75,0x8A,0x51,0xBA,0x65,0x82,0x50,0x5C,0x87,0x1A,0x3F,0x12,0xD4,0x5B,0xE2,0x84,0x4C,0x13,0xDA,0x89,0x44,0x20,0x0D,0x10,0xB1,0x0F,0x20,0x91,0x7D,0x8D],
[0XC4,0xAB,0x74,0x8B,0x50,0xBB,0x64,0x83,0x51,0x5D,0x86,0x1B,0x3E,0x13,0xD5,0x5A,0xE3,0x85,0x4D,0x12,0xDB,0x88,0x45,0x21,0x0C,0x11,0xB0,0x0E,0x21,0x90,0x7C,0x8C],
[0XC7,0xA8,0x77,0x88,0x53,0xB8,0x67,0x80,0x52,0x5E,0x85,0x18,0x3D,0x10,0xD6,0x59,0xE0,0x86,0x4E,0x11,0xD8,0x8B,0x46,0x22,0x0F,0x12,0xB3,0x0D,0x22,0x93,0x7F,0x8F],
[0XC6,0xA9,0x76,0x89,0x52,0xB9,0x66,0x81,0x53,0x5F,0x84,0x19,0x3C,0x11,0xD7,0x58,0xE1,0x87,0x4F,0x10,0xD9,0x8A,0x47,0x23,0x0E,0x13,0xB2,0x0C,0x23,0x92,0x7E,0x8E],
[0XC1,0xAE,0x71,0x8E,0x55,0xBE,0x61,0x86,0x54,0x58,0x83,0x1E,0x3B,0x16,0xD0,0x5F,0xE6,0x80,0x48,0x17,0xDE,0x8D,0x40,0x24,0x09,0x14,0xB5,0x0B,0x24,0x95,0x79,0x89],
[0XC0,0xAF,0x70,0x8F,0x54,0xBF,0x60,0x87,0x55,0x59,0x82,0x1F,0x3A,0x17,0xD1,0x5E,0xE7,0x81,0x49,0x16,0xDF,0x8C,0x41,0x25,0x08,0x15,0xB4,0x0A,0x25,0x94,0x78,0x88],
[0XC3,0xAC,0x73,0x8C,0x57,0xBC,0x63,0x84,0x56,0x5A,0x81,0x1C,0x39,0x14,0xD2,0x5D,0xE4,0x82,0x4A,0x15,0xDC,0x8F,0x42,0x26,0x0B,0x16,0xB7,0x09,0x26,0x97,0x7B,0x8B],
[0XC2,0xAD,0x72,0x8D,0x56,0xBD,0x62,0x85,0x57,0x5B,0x80,0x1D,0x38,0x15,0xD3,0x5C,0xE5,0x83,0x4B,0x14,0xDD,0x8E,0x43,0x27,0x0A,0x17,0xB6,0x08,0x27,0x96,0x7A,0x8A],
[0XDD,0xB2,0x6D,0x92,0x49,0xA2,0x7D,0x9A,0x48,0x44,0x9F,0x02,0x27,0x0A,0xCC,0x43,0xFA,0x9C,0x54,0x0B,0xC2,0x91,0x5C,0x38,0x15,0x08,0xA9,0x17,0x38,0x89,0x65,0x95],
[0XDC,0xB3,0x6C,0x93,0x48,0xA3,0x7C,0x9B,0x49,0x45,0x9E,0x03,0x26,0x0B,0xCD,0x42,0xFB,0x9D,0x55,0x0A,0xC3,0x90,0x5D,0x39,0x14,0x09,0xA8,0x16,0x39,0x88,0x64,0x94],
[0XDF,0xB0,0x6F,0x90,0x4B,0xA0,0x7F,0x98,0x4A,0x46,0x9D,0x00,0x25,0x08,0xCE,0x41,0xF8,0x9E,0x56,0x09,0xC0,0x93,0x5E,0x3A,0x17,0x0A,0xAB,0x15,0x3A,0x8B,0x67,0x97],
[0XDE,0xB1,0x6E,0x91,0x4A,0xA1,0x7E,0x99,0x4B,0x47,0x9C,0x01,0x24,0x09,0xCF,0x40,0xF9,0x9F,0x57,0x08,0xC1,0x92,0x5F,0x3B,0x16,0x0B,0xAA,0x14,0x3B,0x8A,0x66,0x96],
[0XD9,0xB6,0x69,0x96,0x4D,0xA6,0x79,0x9E,0x4C,0x40,0x9B,0x06,0x23,0x0E,0xC8,0x47,0xFE,0x98,0x50,0x0F,0xC6,0x95,0x58,0x3C,0x11,0x0C,0xAD,0x13,0x3C,0x8D,0x61,0x91],
[0XD8,0xB7,0x68,0x97,0x4C,0xA7,0x78,0x9F,0x4D,0x41,0x9A,0x07,0x22,0x0F,0xC9,0x46,0xFF,0x99,0x51,0x0E,0xC7,0x94,0x59,0x3D,0x10,0x0D,0xAC,0x12,0x3D,0x8C,0x60,0x90],
[0XDB,0xB4,0x6B,0x94,0x4F,0xA4,0x7B,0x9C,0x4E,0x42,0x99,0x04,0x21,0x0C,0xCA,0x45,0xFC,0x9A,0x52,0x0D,0xC4,0x97,0x5A,0x3E,0x13,0x0E,0xAF,0x11,0x3E,0x8F,0x63,0x93],
[0XDA,0xB5,0x6A,0x95,0x4E,0xA5,0x7A,0x9D,0x4F,0x43,0x98,0x05,0x20,0x0D,0xCB,0x44,0xFD,0x9B,0x53,0x0C,0xC5,0x96,0x5B,0x3F,0x12,0x0F,0xAE,0x10,0x3F,0x8E,0x62,0x92],
[0XD5,0xBA,0x65,0x9A,0x41,0xAA,0x75,0x92,0x40,0x4C,0x97,0x0A,0x2F,0x02,0xC4,0x4B,0xF2,0x94,0x5C,0x03,0xCA,0x99,0x54,0x30,0x1D,0x00,0xA1,0x1F,0x30,0x81,0x6D,0x9D],
[0XD4,0xBB,0x64,0x9B,0x40,0xAB,0x74,0x93,0x41,0x4D,0x96,0x0B,0x2E,0x03,0xC5,0x4A,0xF3,0x95,0x5D,0x02,0xCB,0x98,0x55,0x31,0x1C,0x01,0xA0,0x1E,0x31,0x80,0x6C,0x9C],
[0XD7,0xB8,0x67,0x98,0x43,0xA8,0x77,0x90,0x42,0x4E,0x95,0x08,0x2D,0x00,0xC6,0x49,0xF0,0x96,0x5E,0x01,0xC8,0x9B,0x56,0x32,0x1F,0x02,0xA3,0x1D,0x32,0x83,0x6F,0x9F],
[0XAA,0x99,0x46,0xB9,0x62,0x89,0x56,0xB1,0x63,0x6F,0xB4,0x29,0x0C,0x21,0xE7,0x68,0xD1,0xB7,0x7F,0x20,0xE9,0xBA,0x77,0x13,0x3E,0x23,0x82,0x3C,0x13,0xA2,0x4E,0xBE],
[0XF0,0x9F,0x40,0xBF,0x64,0x8F,0x50,0xB7,0x65,0x69,0xB2,0x2F,0x0A,0x27,0xE1,0x6E,0xD7,0xB1,0x79,0x26,0xEF,0xBC,0x71,0x15,0x38,0x25,0x84,0x3A,0x15,0xA4,0x48,0xB8],
[0XD2,0xBD,0x62,0x9D,0x46,0xAD,0x72,0x95,0x47,0x4B,0x90,0x0D,0x28,0x05,0xC3,0x4C,0xF5,0x93,0x5B,0x04,0xCD,0x9E,0x53,0x37,0x1A,0x07,0xA6,0x18,0x37,0x86,0x6A,0x9A],
[0XAA,0xA2,0x7D,0x82,0x59,0xB2,0x6D,0x8A,0x58,0x54,0x8F,0x12,0x37,0x1A,0xDC,0x53,0xEA,0x8C,0x44,0x1B,0xD2,0x81,0x4C,0x28,0x05,0x18,0xB9,0x07,0x28,0x99,0x75,0x85],
]
# Alphabet the rows of `table` were enumerated from: row n corresponds to ret[n].
ret = string.digits + string.ascii_lowercase + string.ascii_uppercase + "{}_@"
# Invert the per-position mapping: flag[i] becomes the row index whose column i
# equals enc[i].  Every row is scanned, so if several rows match the last one
# wins; a position with no match keeps the '+' placeholder.
flag = ['+'] * 32
for pos, cipher_byte in enumerate(enc):
    for row_idx, row in enumerate(table):
        if row[pos] == cipher_byte:
            flag[pos] = row_idx
# Row indices become characters; unmatched positions print as '+'.
print(''.join(ret[e] if isinstance(e, int) else e for e in flag), end='')
flag{F1NDM3_4f73r_7H3_5h3LLC0D3}
Shell
這個題目有一個關鍵函數ZwUnmapViewOfSection,一般用於傀儡進程技術,多進程相關的安全技術。繼續逆向分析,的確如此,shell.exe中的.psb段是真正進行加密驗證的PE文件,不過加密了。
程序運行時首先會解密psb段中的PE文件,並且啟動解密后的PE文件作為一個進程。
可以通過任務管理器將子進程的內存轉儲dump下來,IDA能夠直接分析並且附加。
子進程PE的入口點損壞了,不過不要緊直接通過搜索特征碼定位main的父函數。
main的最后有個int3,似乎是與父進程有關,到這里不是很清楚怎么往下分析。最終是通過指令
48 8D 35 20 2F 00 00 lea rsi, input
提取特征碼48 8D ?? ?? ?? ?? ??,找到main附近的所有lea指令,查看哪些lea指令引用了input,意外的是還發現了win字符串引用的地方,win的引用處是最終數據比較的地方。
對子進程中唯一一處引用input的是如下操作。
對win的引用如下。
另一側引用了input的是父進程,這里將輸入用ReadProcessMemory從子進程讀取出來,隨后與0x78異或,再寫回子進程。
簡言之,輸入在父進程和子進程都各有一處運算:子進程中那串NAND運算化簡后等價於把每個字節與其下標異或,父進程則再與0x78異或。提取加密數據寫個解密腳本即可。
#include <stdint.h>
#include <stdio.h>
int main(void)
{
    /* Bytes dumped from the child process: 42 flag bytes followed by zero
       padding so the buffer can be printed as a C string. */
    uint8_t input[] = {
        0x1E, 0x15, 0x1B, 0x1C, 0x07, 0x4D, 0x1F, 0x1B, 0x12, 0x17,
        0x4B, 0x44, 0x47, 0x58, 0x12, 0x47, 0x58, 0x58, 0x47, 0x5F,
        0x54, 0x54, 0x58, 0x42, 0x59, 0x57, 0x50, 0x01, 0x49, 0x51,
        0x53, 0x57, 0x3D, 0x6B, 0x3E, 0x6F, 0x3D, 0x6D, 0x6C, 0x3E,
        0x69, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };
    enum { FLAG_LEN = 42 };

    for (int i = 0; i < FLAG_LEN; ++i)
    {
        /* The child's NAND chain, ~(~(i & ~(i & x)) & ~(x & ~(i & x))),
           is just i ^ x once the De Morgan steps are folded. */
        input[i] ^= (uint8_t)i;
        /* Undo the parent's step: the byte was XORed with 0x78 after being
           read out of the child and written back. */
        input[i] ^= 0x78;
    }

    printf("%s", (const char *)input); /* flag{0adbf973-d001-4896-962b-450e2d4a02a9} */
    return 0;
}