NewStar CTF 2024 re方向 week2 wp


前言

PangBai泰拉记(1)没做出来,其他题目都有wp

upx

根据题目提示,附件有 UPX 壳,先直接 `upx -d` 碰运气。若 `upx -d` 报错,通常是段名或 `UPX!` 魔数被改过,需要先手工修复头部再脱,或者改用动态脱壳。

脱壳成功,说明 UPX 头部没有被改动;但这只证明壳本身是标准的,并不能证明程序没有其他混淆,后面仍要看反编译结果来判断。

ida打开看main函数,逻辑很清晰。使用rc4加密,接着是对比验证

直接点击data,发现是空的,可能在main函数前还执行了其他函数为其赋值

观察右侧函数列表,发现before main函数

直接赛博厨子一把梭哈

flag{Do_you_know_UPX?}

drink_TEA

根据题意猜测是tea算法

查看main函数,很明显的tea算法标志

分析tea算法,发现没有魔改

TEA 每次处理一个 64 位分组(两个 32 位字,即 16 个十六进制字符);这里密文共 32 字节(8 个 32 位字),所以一共进行了四次 TEA 加密。

# Collect the ciphertext: 8 little-endian dwords (32 bytes) starting at the
# array's address, printed as a comma-separated list for the decrypt script.
address = 0x140004080
print('')
for offset in range(0, 32, 4):
    raw = bytes(ida_bytes.get_byte(address + offset + k) for k in range(4))
    word = int.from_bytes(raw, 'little')
    print(hex(word), end=', ')

直接上解密脚本

#define _CRT_SECURE_NO_WARNINGS 1
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#define DELTA 0x9e3779b9

/* Standard TEA decryption of one 64-bit block (flag[0], flag[1]) in place
 * under the 128-bit key Key[0..3]: 32 rounds, delta 0x9e3779b9, starting
 * from sum = 32 * delta and walking the encrypt rounds backwards.  The
 * binary's TEA was found to be unmodified, so this is the textbook inverse. */
void DTea(uint32_t *flag, const uint32_t *Key)
{
    uint32_t y = flag[0];
    uint32_t z = flag[1];
    uint32_t sum = (uint32_t)DELTA << 5;   /* == DELTA * 32 (mod 2^32) */

    for (int round = 32; round > 0; round--)
    {
        z -= ((y << 4) + Key[2]) ^ (y + sum) ^ ((y >> 5) + Key[3]);
        y -= ((z << 4) + Key[0]) ^ (z + sum) ^ ((z >> 5) + Key[1]);
        sum -= DELTA;
    }

    flag[0] = y;
    flag[1] = z;
}
/* Compare the first 10 words of enc and Input.  Returns 1 if they are all
 * equal, 0 otherwise.  (Not used by main below; kept from the solve harness.) */
int Check(uint32_t *enc, uint32_t *Input)
{
    return memcmp(enc, Input, 10 * sizeof(uint32_t)) == 0 ? 1 : 0;
}

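/* Decrypt the four TEA blocks dumped from 0x140004080 with the key string
 * used by the binary and print the recovered flag. */
int main()
{
    /* The key is the 16 ASCII bytes as they sit in memory.  Copy them into
     * properly aligned words instead of casting a string literal to
     * uint32_t* (same little-endian word layout as the original cast, but no
     * aliasing/alignment UB and no deprecated char* <- string-literal). */
    const char key_str[] = "WelcomeToNewStar";
    uint32_t Key[4];
    memcpy(Key, key_str, sizeof(Key));

    /* 8 ciphertext words = 4 TEA blocks.  One extra zero word keeps a NUL
     * terminator after the 32 plaintext bytes so puts() stops there. */
    uint32_t enc[9] = {0xb3f72078, 0xdace42c5, 0x1a215985, 0x595a5626,
                       0xed0d0229, 0xeeb9a807, 0x87115936, 0x24235cfd, 0};
    const size_t n_words = 8;
    for (size_t i = 0; i + 1 < n_words; i += 2)
        DTea(&enc[i], Key);

    puts((char *)enc);
    return 0;
}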

flag{There_R_TEA_XTEA_and_XXTEA}

ptrace

有两个文件,用ida看了看,应该是父进程和子进程的意思

这是father文件的内容

  v11 = fork();
  if ( v11 )
  {
    if ( v11 <= 0 )
    {
      perror("fork");
      return -1;
    }
    wait(stat_loc);
    ptrace(PTRACE_POKEDATA, addr, addr, 3);
    ptrace(PTRACE_CONT, 0, 0, 0);
    wait(0);
  }
  else
  {
    ptrace(PTRACE_TRACEME, 0, 0, 0);
    execl("./son", "son", &s, 0);
  }
  return 0;

值得注意的是 `ptrace(PTRACE_POKEDATA, addr, addr, 3)`:父进程在 `wait` 到子进程停下之后,把子进程内存中地址 addr(0x60004040)处的值改写为 3,然后再 `PTRACE_CONT` 让子进程继续运行。(按 ptrace 的原型第二个参数应是子进程 pid,反编译显示为 addr 可能只是伪代码不准确,不影响分析。)

用 IDA 打开 son 文件,找到 0x60004040,对应值如下

data:60004040 num             dd 4       

这是本题坑人的地方:静态看到的 `num` 是 4,但运行时父进程已经通过 PTRACE_POKEDATA 把它改成了 3,所以实际的移位量是 3 而不是 4。搞清楚这一点后,按照 son 中的加密逻辑很容易写出解密脚本

// IDA pseudocode of the check routine in ./son.  a2 looks like argv (the
// parent execl()s son with one argument), so s is argv[1].  Each input byte
// is rotated right by `num` bit positions and compared with byte_60004020.
// `num` is the global at 0x60004040 that the parent overwrites with 3 via
// PTRACE_POKEDATA before the child continues, so the value 4 seen statically
// in .data is NOT what this code runs with.
int __cdecl sub_600011AD(int a1, int a2)
{
signed int i; // [esp+2h] [ebp-28h]
signed int j; // [esp+6h] [ebp-24h]
char *s; // [esp+Ah] [ebp-20h]
signed int v6; // [esp+Eh] [ebp-1Ch]

s = *(char **)(a2 + 4); // argv[1] (32-bit pointer slots)
v6 = strlen(s);
// 8-bit rotate-right by `num`; `s[i] << (8 - num)` carries sign/high bits
// that are presumably dropped when stored into result (the solver masks % 256).
for ( i = 0; i < v6; ++i )
  result[i] = ((int)(unsigned __int8)s[i] >> num) | (s[i] << (8 - num));
// Compare only strlen(input) bytes: a shorter input is checked against a
// prefix of the expected buffer.
for ( j = 0; j < v6; ++j )
{
  if ( result[j] != byte_60004020[j] )
  {
    puts("this is Wrong~");
    return 0;
  }
}
puts("this is right~");
return 0;
}
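# Expected bytes from byte_60004020 in ./son (32 bytes).
cipher = [204, 141, 44, 236, 111, 136, 237, 235, 47, 237, 174, 235, 78, 172, 44, 141,
          141, 47, 235, 109, 205, 237, 238, 235, 14, 142, 78, 44, 108, 172, 231, 175]


def decode_ptrace(cipher, shift=3):
    """Invert son's per-byte rotate-right and return the plaintext string.

    son computes ``(c >> num) | (c << (8 - num))`` for each input byte and
    keeps the low 8 bits; the parent sets ``num`` to 3 at runtime via
    PTRACE_POKEDATA (the static value 4 in .data is a decoy).  An 8-bit
    rotate-right is a bijection whose inverse is the rotate-left by the
    same amount, so each byte can be inverted directly instead of brute
    forcing 0..255 (the original search also stopped at 254 and would have
    missed an input byte of 0xFF).

    Args:
        cipher: iterable of byte values (0..255).
        shift: rotation amount used by son (3 for this challenge).
    """
    shift %= 8
    return ''.join(chr(((c << shift) | (c >> (8 - shift))) & 0xFF) for c in cipher)


print(decode_ptrace(cipher))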

flag{Do_you_really_know_ptrace?}

ezencrypt

在MainActivity中找到加密函数

双击,发现完整的加密函数

其中doEncCheck函数没有给出定义,由于题目提示,去so文件里找

找到了验证函数,点进去enc函数看看,发现使用了异或和rc4(这是通过分析算法特征发现的:有s盒,循环256次,%256,swap(s[i],s[j])等等,刷多题目就知道了)

总结整个加密流程如下

解密顺序与加密相反:从脚本可以看出加密是先异或再 RC4,所以解密时先做 RC4(RC4 是对称的,再"加密"一次即为解密),再用同一个 key 做异或。

key = 'meow'  # used as the RC4 seed and again as the repeating XOR key in the steps below
def init_Sbox(seed):
    """RC4 key scheduling (KSA).

    Returns the 256-entry permutation derived from the string ``seed``; the
    key is reused cyclically, which is the same as padding it to 256 bytes.
    """
    perm = list(range(256))
    klen = len(seed)
    j = 0
    for i in range(256):
        j = (j + perm[i] + ord(seed[i % klen])) & 0xFF
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def KeyStream(text, Sbox):
    """RC4 PRGA: return ``len(text)`` keystream bytes as a list.

    Works on a copy of ``Sbox`` so the caller's table is left untouched.
    """
    state = list(Sbox)
    i = j = 0
    out = []
    for _ in range(len(text)):
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) & 0xFF])
    return out

def Encrypt(text, seed):
    """RC4 ``text`` (a sequence of byte values) under the string key ``seed``.

    RC4 is symmetric, so calling this on ciphertext decrypts it.  Returns bytes.
    """
    stream = KeyStream(text, init_Sbox(seed))
    return bytes(p ^ k for p, k in zip(text, stream))

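# Ciphertext pulled from the native library (44 bytes).
enc = [0xc2,0x6c,0x73,0xf4,0x3a,0x45,0xe,0xba,0x47,0x81,0x2a,0x26,0xf6,0x79,0x60,0x78,0xb3,0x64,0x6d,0xdc,0xc9,0x4,0x32,0x3b,0x9f,0x32,0x95,0x60,0xee,0x82,0x97,0xe7,0xca,0x3d,0xaa,0x95,0x76,0xc5,0x9b,0x1d,0x89,0xdb,0x98,0x5d]

# Undo the two layers in reverse order of encryption: RC4 first (symmetric,
# so Encrypt() also decrypts), then the repeating-key XOR with the same key.
# Lengths are taken from the data instead of being hard-coded to 44 / 4.
rc4_out = Encrypt(enc, key)
print(rc4_out)
xor_out = [b ^ ord(key[i % len(key)]) for i, b in enumerate(rc4_out)]
print(xor_out)
b64_text = ''.join(chr(b) for b in xor_out)
print(b64_text)
# 2BB+GQampKmsrfDG85+0A7n18M+kT2zBDiZSO28Ich4=
# The result is standard base64 (note the '+' and trailing '='); decode it
# here so the last step does not need CyberChef.
import base64
print(base64.b64decode(b64_text))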

接下来用赛博厨子一把梭哈

flag{0hh_U_kn0w_7h15_5ki11}

Dirty_flowers

根据题目字符串的提示,把调用 $5 函数和 ret 之间的花指令字节全部 nop 掉(下面 range 的结束地址是开区间,即不覆盖 ret 本身)

# Overwrite the junk bytes between the `call $5` and the `ret` with NOP (0x90);
# the end address is exclusive, so the ret itself is left alone.
ea = 0x4012f1
while ea < 0x401302:
    patch_byte(ea, 0x90)
    ea += 1
# Same treatment for the second flowered function (end address exclusive).
ea = 0x401166
while ea < 0x401176:
    patch_byte(ea, 0x90)
    ea += 1

接下来编辑函数的起始和终止地址

另外一个函数同理

反编译后的代码是简单的异或逻辑代码

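# Repeating XOR key and the 36 comparison bytes lifted from the de-flowered function.
tmp = "dirty_flower"
v3 = [2, 5, 19, 19, 2, 30, 83, 31, 92, 26, 39, 67,
      29, 54, 67, 7, 38, 45, 85, 13, 3, 27, 28, 45,
      2, 28, 28, 48, 56, 50, 85, 2, 27, 22, 84, 15]


def decode_dirty_flowers(cipher, key="dirty_flower"):
    """XOR each byte of ``cipher`` with the repeating ASCII ``key`` and return the text.

    XOR with a repeating key is its own inverse, so the same routine would
    re-encrypt.  The length is taken from ``cipher`` rather than hard-coded
    to 36, and an empty key is rejected up front instead of surfacing as a
    ZeroDivisionError from ``i % len(key)``.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("key must be non-empty")
    klen = len(key)
    return ''.join(chr(c ^ ord(key[i % klen])) for i, c in enumerate(cipher))


print(decode_dirty_flowers(v3, tmp))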

flag{A5s3mB1y_1s_r3ally_funDAm3nta1}
