DASCTF 2024金秋十月赛RE题wp

目录

3题RE,差一点就AK了,可能好久没打比赛了,技能有所下降,还是需要经常摸一摸工具。

RE1:ezRE

执行的时候dump出来,然后静态分析

发现这里是个魔改的RC4:

然后这里是个魔改的XTEA:

根据这些写出exp跑出flag:

python 复制代码
import struct
from Crypto.Cipher import ARC4
def xor(a,b):
    return bytes([i^j for i,j in zip(a,b)])
def decrypt(rounds, v, k):
    v0 = v[0]
    v1 = v[1]
    delta = 0x9E3779B8
    x = delta * rounds + 0x66778899
    for i in range(rounds):
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3])
        v1 = v1 & 0xFFFFFFFF
        x -= delta
        x = x & 0xFFFFFFFF
        v0 -= (((v1 << 5) ^ (v1 >> 6)) + v1) ^ (x + k[x & 3])
        v0 = v0 & 0xFFFFFFFF
    return [v0,v1]
if __name__ == '__main__':
    plain = [80,-44,-56,-60,-113,-124,64,-21,50,-127,-113,-123,108,-78,43,6,-65,5,53,93,46,-29,125,70,-115,53,1,112,58,0x80,-127,-59,-26,113,-45,-42,80,105,111,-30,110,120,20,-40]
    for i in range(len(plain)):
        if plain[i]<0:
            plain[i]+=256
    key = [1855465527,1144201745,287454020,925407342]
    rounds = 33
    for i in range(36,-1,-1):
        plain1=list(struct.unpack('<2I',bytes(plain[i:i+8])))
        decrypted = decrypt(rounds, plain1, key)
        plain[i:i+8]=list(struct.pack('<2I',*decrypted))
    arc4 = ARC4.new(b'th0s_i0_ke9')
    initkey = bytes.fromhex('00'*44)
    xorkey=arc4.decrypt(initkey)
    addkey=xor(xorkey,bytes([0x33]*44))
    for i in range(44):
        print(chr((plain[i]-addkey[i])&0xff),end='')
print()
#DASCTF{Th1l_t8e1a_rc4_l8s_s8o_int9r3es4t1ng

RE2:ezelf

不知道为啥用D810不起作用,费了半天劲搞deflat解了一部分,能看个大概,但程序被改的不能运行了

程序验证分两部分,第一部分就是一个变种XXTEA,写出EXP跑出来第一部分的key:

python 复制代码
import struct
def shift(z, y, x, k, p, e):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))
def decrypt(v, k):
    delta = 0x11451400   # default:   0x9E3779B9
    n = 8
    rounds = 16   # default:  6+52//n
    x = rounds*delta&0xffffffff
    for i in range(rounds):
        e = (x >> 2) & 3
        for p in range(n - 1, -1, -1):
            y = v[(p + 1)&7]
            z = v[(p-1)&7]
            #print(p,hex(v[p]))
            v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
        x = (x - delta) & 0xFFFFFFFF
    return v
key = [0x0000000B, 0x0000002D, 0x0000000E, 0x00000309]
res=bytes.fromhex('B4B55A42A6790BAC0E2378DEE12DC61DBB298CE294FE14D9AA03E38A14921C64')
decrypted=list(struct.unpack('<8I',res))
test=decrypt(list(decrypted),key)
key=struct.pack('<8I',*test)
print(key.decode())

key就是第一部分正确的输入:

DASCTF{dr1nk_te@_4nd_cont1nu3...}

第二部分主加密函数:

这里就是使用第一步的key生成了4个RC4的box,然后好像是自己定义的加密算法

然后dump出来4个box,根据加密算法写逆算法即可:

python 复制代码
array1=[0x00000179, 0x000001BE, 0x243F6B50, 0x00000164, 0x243F6ABF, 0x243F6B94, 0x00000175, 0x243F6B20, 0x0000009A, 0x00000056, 0x243F6B1F, 0x000001E3, 0x243F6BE8, 0x243F6A16, 0x000000F7, 0x243F6B88, 0x000001BD, 0x000001BC, 0x243F6A41, 0x000000FB, 0x243F6B18, 0x243F6A04, 0x0000003D, 0x243F6B22, 0x000000F0, 0x00000042, 0x243F6BF5, 0x000000E0, 0x243F6A7F, 0x243F6A9A, 0x0000009C, 0x243F6A8C, 0x000001AD, 0x00000116, 0x243F6AF7, 0x000001C0, 0x243F6BBD, 0x243F6A2F, 0x0000016A, 0x0000079B, 0x243F6D8B, 0x000001CA, 0x000006A3, 0x243F6C37, 0x243F6A65, 0x243F6A6F, 0x0000018D, 0x00000617, 0x243F6DEA, 0x00000059, 0x000007CB, 0x243F6D22, 0x243F6B05, 0x243F6A2B, 0x0000007A, 0x00000717, 0x243F6CC1, 0x000001A2, 0x000007D3, 0x243F6D93, 0x243F6A5A, 0x243F6A5C, 0x00000041, 0x000007B6, 0x243F6D71, 0x00000139, 0x000006B7, 0x243F6D90, 0x243F6A2F, 0x243F6BF5, 0x00000026, 0x0000069D, 0x243F6D9A, 0x000001BF, 0x00000709, 0x243F6C54, 0x243F6AE9, 0x243F6BF7, 0x00000054, 0x00000752, 0x243F6C2C, 0x000000FA, 0x0000073A, 0x243F6C82, 0x243F6BB7, 0x243F6A09, 0x000000DA, 0x000007AF, 0x243F6C34, 0x000001E8, 0x000006E6, 0x243F6CCC, 0x243F6B05, 0x243F6AB7, 0x00000196, 0x00000693, 0x243F6C4D, 0x0000013B, 0x00000734, 0x243F6D31, 0x243F6B96, 0x243F6BD7, 0x00000110, 0x000007C2, 0x243F6DA1, 0x00000146, 0x00000795, 0x243F6C7A, 0x243F6A1F, 0x243F6A52, 0x00000087, 0x00000645, 0x243F6D74, 0x00000199, 0x00000707, 0x243F6C52, 0x243F6B1C, 0x243F6B6C, 0x00000138, 0x000006D7, 0x243F6D5C, 0x000000CA, 0x0000077A, 0x243F6DC3, 0x243F6A68, 0x243F6BC7, 0x0000008F, 0x000006CA, 0x243F6D11, 0x000001F2, 0x0000076E, 0x243F6CA9, 0x243F6A75, 0x243F6BC9, 0x00000135, 0x0000078A, 0x243F6D76, 0x00000013, 0x00000780, 0x243F6C46, 0x243F6BEB, 0x243F6A5B, 0x000000EB, 0x00000795, 0x243F6D4B, 0x0000004A, 0x000006C0, 0x243F6DDA, 0x243F6B71, 0x243F6A17, 0x000001E3, 0x00000667, 0x243F6C1B, 0x000000AF, 0x0000062A, 0x243F6DDE, 0x243F6B53, 0x243F6B4F, 0x0000019E, 0x00000613, 0x243F6D53, 0x000001EC, 0x0000076B, 0x243F6D78, 0x243F6B84, 0x243F6A1C, 0x00000009, 0x000006D8, 0x243F6CD1, 0x0000012B, 0x00000641, 0x243F6D10, 0x243F6A1C, 0x243F6A61, 0x00000104, 0x00000646, 0x243F6D6D, 0x0000000A, 0x0000061F, 0x243F6D92, 0x243F6A81, 0x243F6AE0, 0x0000017D, 0x00000666, 0x243F6C1D, 0x0000017B, 0x000007E6, 0x243F6C39, 0x243F6BE1, 0x243F6B23, 0x000000CA, 0x000006E5, 0x243F6D5A, 0x00000034, 0x0000079C, 0x243F6C18, 0x243F6B0F, 0x243F6AB2, 0x000000FC, 0x00000702, 0x243F6D7A, 0x0000005E, 0x000007D8, 0x243F6D9E, 0x243F6B03, 0x243F6A3A, 0x00000137, 0x00000619, 0x243F6C1C, 0x00000070, 0x0000071E, 0x243F6CB7, 0x243F6A42, 0x243F6A37, 0x00000150, 0x000007BB, 0x243F6D5A, 0x00000075, 0x0000071A, 0x243F6DCA, 0x243F6A48, 0x243F6B5B, 0x000001AA, 0x0000069C, 0x243F6D9D, 0x0000001B, 0x00000720, 0x243F6D57, 0x243F6B10, 0x243F6BE8, 0x000000FD, 0x00000656, 0x243F6CF4, 0x00000047, 0x00000686, 0x243F6C0B, 0x243F6BD9, 0x243F6BD8, 0x00000130, 0x000007DE, 0x243F6D74, 0x00000002, 0x000007F3, 0x243F6D4B, 0x243F6A41, 0x243F6B50, 0x00000033, 0x00000624, 0x243F6DC5, 0x00000133, 0x00000645, 0x243F6DCC, 0x243F6B43, 0x243F6B41, 0x000000E9, 0x00000753]
array2=[0x243F6D0A, 0x000000D7, 0x243F6A70, 0x243F6CA6, 0x000006A7, 0x243F6B0C, 0x000001B5, 0x00000760, 0x243F6CEB, 0x000000EE, 0x243F6ADE, 0x243F6D02, 0x00000743, 0x243F6A5C, 0x000000DC, 0x000006D9, 0x243F6DC6, 0x000001DD, 0x243F6A12, 0x243F6DFF, 0x00000732, 0x243F6B80, 0x000001AC, 0x000007D5, 0x243F6D06, 0x000000C5, 0x243F6B51, 0x243F6D2B, 0x000006DC, 0x243F6A2D, 0x00000055, 0x000006FC, 0x243F6D7D, 0x000001D0, 0x243F6AA3, 0x243F6C75, 0x0000061A, 0x243F6A2A, 0x00000101, 0x000006F0, 0x243F6C4D, 0x00000138, 0x243F6A75, 0x243F6CA9, 0x000007FC, 0x243F6B27, 0x00000123, 0x000006C5, 0x243F6D32, 0x0000003B, 0x243F6A23, 0x243F6CB3, 0x00000686, 0x243F6B1A, 0x00000107, 0x00000608, 0x243F6DFD, 0x000001E8, 0x243F6BBB, 0x243F6D08, 0x0000062B, 0x243F6B94, 0x000000A1, 0x0000075A, 0x243F6CDC, 0x000000FB, 0x243F6B69, 0x243F6DD6, 0x00000655, 0x243F6ADD, 0x000000DD, 0x000007DC, 0x243F6DBD, 0x00000068, 0x243F6B0C, 0x243F6C95, 0x00000745, 0x243F6B15, 0x000001C9, 0x00000754, 0x243F6D3A, 0x0000003D, 0x243F6B34, 0x243F6DD6, 0x000006E1, 0x243F6A4E, 0x0000004E, 0x00000776, 0x243F6D6C, 0x000000F3, 0x243F6B5D, 0x243F6CEF, 0x000007F9, 0x243F6B68, 0x000001D0, 0x000007BB, 0x243F6DC9, 0x00000164, 0x243F6A2B, 0x243F6C43, 0x00000670, 0x243F6A8A, 0x0000007B, 0x000006DC, 0x243F6DAD, 0x000000FC, 0x243F6B51, 0x243F6CE4, 0x00000760, 0x243F6AF2, 0x00000004, 0x000006B5, 0x243F6D8E, 0x0000018C, 0x243F6B3C, 0x243F6D44, 0x0000071A, 0x243F6ADD, 0x0000002E, 0x0000075A, 0x243F6DCE, 0x00000120, 0x243F6BFB, 0x243F6D9F, 0x000007B1, 0x243F6BCC, 0x00000063, 0x0000068A, 0x243F6C2D, 0x00000034, 0x243F6A0C, 0x243F6D0A, 0x000006D7, 0x243F6B8B, 0x00000112, 0x000006EE, 0x243F6DF2, 0x000000AF, 0x243F6A7C, 0x243F6C01, 0x00000628, 0x243F6B11, 0x0000005D, 0x00000657, 0x243F6CE0, 0x0000008A, 0x243F6B43, 0x243F6C86, 0x00000682, 0x243F6B31, 0x0000003B, 0x000007A5, 0x243F6CF5, 0x00000058, 0x243F6B6B, 0x243F6DA1, 0x00000657, 0x243F6B40, 0x0000008E, 0x000006F1, 0x243F6C5E, 0x00000031, 0x243F6A50, 0x243F6CBD, 0x00000721, 0x243F6BF3, 0x0000019E, 0x00000766, 0x243F6C8A, 0x0000008D, 0x243F6B1B, 0x243F6C2B, 0x0000076D, 0x243F6BCA, 0x0000019D, 0x000007BD, 0x243F6C64, 0x000001F6, 0x243F6B7C, 0x243F6D1B, 0x00000735, 0x243F6BB3, 0x000000B0, 0x000006B1, 0x243F6D6A, 0x000000DD, 0x243F6BC6, 0x243F6CC0, 0x000007E2, 0x243F6A78, 0x0000004B, 0x00000639, 0x243F6D29, 0x000001DF, 0x243F6BB1, 0x243F6CD2, 0x000006E6, 0x243F6B54, 0x000001E0, 0x000007CC, 0x243F6C8D, 0x000000C7, 0x243F6B33, 0x243F6C98, 0x00000666, 0x243F6B02, 0x000001C8, 0x0000071D, 0x243F6CC3, 0x000000BF, 0x243F6AA3, 0x243F6DE8, 0x000006E9, 0x243F6BEF, 0x000000DB, 0x00000660, 0x243F6DB8, 0x000001DD, 0x243F6BD5, 0x243F6C87, 0x0000072C, 0x243F6BAA, 0x000001F5, 0x00000663, 0x243F6DB3, 0x00000069, 0x243F6A29, 0x243F6C6A, 0x000006EB, 0x243F6B17, 0x00000137, 0x0000071B, 0x243F6CF1, 0x00000193, 0x243F6A00, 0x243F6D1A, 0x000006FF, 0x243F6B0E, 0x00000021, 0x000007B1, 0x243F6D28, 0x000001BE, 0x243F6BEA, 0x243F6DB3, 0x00000787, 0x243F6B74, 0x00000104, 0x00000736, 0x243F6CBE, 0x00000089, 0x243F6A05, 0x243F6C0C, 0x000007AE, 0x243F6A08, 0x00000142, 0x000006B0]
array3=[0x243F6DD9, 0x0000017F, 0x243F6A57, 0x0000012C, 0x243F6A21, 0x243F6B8B, 0x000000C6, 0x000018C5, 0x243F6ACE, 0x243F6C4B, 0x0000067A, 0x243F6A2B, 0x243F6F63, 0x00001C37, 0x000019D3, 0x00000114, 0x00001C6A, 0x243F73C0, 0x00001819, 0x243F740E, 0x243F7446, 0x243F73F7, 0x243F7319, 0x00000004, 0x243F683B, 0x243F7154, 0x243F6CD1, 0x00001B40, 0x000007D2, 0x00001A18, 0x243F6047, 0x000019FF, 0x243F6828, 0x0000120F, 0x243F788D, 0x00000358, 0x243F755C, 0x00001D78, 0x243F6EC0, 0x243F7510, 0x00000CB6, 0x00000259, 0x243F6AC6, 0x243F605F, 0x000010D7, 0x243F7496, 0x000006CA, 0x00001B44, 0x243F77E8, 0x243F750D, 0x00001E97, 0x243F74E5, 0x00001F57, 0x00000388, 0x000019A3, 0x243F6DF6, 0x243F74D4, 0x00000BD2, 0x243F782D, 0x00001DE7, 0x243F7596, 0x243F6E9E, 0x000005B8, 0x243F64B7, 0x243F7743, 0x243F79C4, 0x00000D70, 0x243F7230, 0x00000167, 0x00000FD2, 0x243F67CF, 0x0000028A, 0x243F6DAA, 0x00000914, 0x00000C6C, 0x000018C1, 0x243F6FD0, 0x00000D73, 0x243F7FFB, 0x000005DB, 0x243F728A, 0x0000109A, 0x243F7838, 0x243F6A4F, 0x00000590, 0x243F60EC, 0x00001ECE, 0x000018AE, 0x243F7780, 0x243F6C0D, 0x243F6944, 0x00001F7E, 0x243F6C54, 0x00001A3C, 0x243F69BD, 0x00001C8C, 0x243F6735, 0x243F6B1C, 0x00000E62, 0x243F6BAC, 0x243F77D8, 0x00000610, 0x00001C91, 0x243F72D8, 0x000002C3, 0x000006B5, 0x243F6EFD, 0x000004FA, 0x243F7964, 0x000000C1, 0x243F6B31, 0x00000FC6, 0x243F6599, 0x243F6FC0, 0x000016D1, 0x243F7E5C, 0x0000161A, 0x000001C2, 0x243F72FB, 0x00001AF6, 0x243F630A, 0x243F677E, 0x243F75A2, 0x0000008F, 0x243F612D, 0x000005C4, 0x00001739, 0x00001A95, 0x243F7163, 0x00001517, 0x243F73A9, 0x243F7B9F, 0x243F6605, 0x243F789F, 0x243F78D9, 0x243F6481, 0x00000407, 0x00001402, 0x243F76DD, 0x243F6C84, 0x243F65DE, 0x0000085E, 0x243F613E, 0x00001BE3, 0x243F6A7D, 0x000016B9, 0x00001A72, 0x243F7DE6, 0x243F6E50, 0x243F6582, 0x000001B3, 0x243F7A6A, 0x00001A0D, 0x0000195F, 0x243F6CEE, 0x243F6B4B, 0x00001517, 0x00000F71, 0x00001733, 0x00001304, 0x243F6D4A, 0x243F73EC, 0x000014C1, 0x00000D60, 0x00001A0A, 0x243F65C5, 0x243F6362, 0x000007DF, 0x0000090D, 0x000002B4, 0x243F7F3E, 0x00000E12, 0x243F7DB5, 0x243F709F, 0x243F712C, 0x243F638E, 0x243F77A0, 0x00000089, 0x243F7B1A, 0x00000763, 0x243F7C76, 0x243F6F14, 0x243F7626, 0x000009C4, 0x243F77BC, 0x243F6C86, 0x243F7FD2, 0x00000600, 0x243F76A8, 0x243F6F27, 0x0000047F, 0x000006DE, 0x243F78B8, 0x243F6DC0, 0x00001238, 0x243F7FF0, 0x243F66DE, 0x243F6E3F, 0x00000860, 0x000019ED, 0x000007B5, 0x00000C92, 0x243F70FE, 0x243F6DB7, 0x243F7049, 0x243F6BFF, 0x243F6C8F, 0x0000017F, 0x243F7510, 0x243F7C75, 0x00001AE7, 0x000015B8, 0x000009F6, 0x0000038E, 0x243F614F, 0x243F7A8B, 0x243F696F, 0x00001871, 0x243F7670, 0x243F699C, 0x243F7707, 0x243F6622, 0x243F643A, 0x000017B5, 0x0000170B, 0x00001405, 0x243F7819, 0x243F6A96, 0x243F6815, 0x00000892, 0x243F7699, 0x243F7FB6, 0x243F7F3F, 0x00000EF4, 0x243F777E, 0x000005C3, 0x0000006B, 0x00001984, 0x00001B5F, 0x000010CC, 0x00000155, 0x243F7738, 0x00001A56, 0x00000709, 0x00001DE0, 0x243F6CA6, 0x243F7F68, 0x243F7230, 0x00001280, 0x243F6E81, 0x00001078, 0x00001D32, 0x243F68BD, 0x00000818, 0x243F6311, 0x243F675C]
array4=[0x243F78C4, 0x243F753E, 0x243F736D, 0x243F75C4, 0x243F7B49, 0x243F6182, 0x243F7736, 0x487EDA66, 0x6C41AE95, 0x00000ED2, 0x243F68E7, 0x243F51D9, 0x243F4D7E, 0x00001881, 0x487EFA5B, 0x243F50D5, 0x00003A76, 0x00004BFD, 0x000042CC, 0x243F5740, 0x4881D4F4, 0x243F3454, 0x487E9D94, 0x24C0BCA1, 0x24C0A52D, 0x6C41ECE3, 0x243FAFD6, 0x00FFCA25, 0x24C0A4AC, 0x6C418D7F, 0x0000322D, 0x24C0BC9A, 0xB4418102, 0x243F458F, 0x90FE5500, 0xFC3F4317, 0xD8003DE3, 0xD880B029, 0xD88067D2, 0xFD414299, 0x6D3F9C8A, 0x680273CD, 0x4C3D6B79, 0x907ED9F3, 0xD8005409, 0x4C3D9464, 0x04BC53DA, 0x9100426C, 0x01805807, 0x4CC294D4, 0x91FD752E, 0xB4BE1640, 0x48010E11, 0xE3032424, 0xE37C4473, 0x48012FF8, 0x48014B78, 0xE37C0627, 0x8B7EECC2, 0x6C3EE5FB, 0xFC3FB6E8, 0xAB02DFA6, 0x1E3DA9CE, 0xB3FA7DB4, 0x97C4E4E9, 0x6EBFFAE7, 0x3DBE4086, 0xDB3BD655, 0x9180AE11, 0x74402D92, 0xE4C0B226, 0x417E59CF, 0x2D3E9A98, 0x74C0161F, 0x3CBED7FF, 0x65404821, 0xBA7D1866, 0x453CFEF2, 0x4EF981B4, 0x63065FB2, 0xBBF9EB62, 0x6604C332, 0xC1409279, 0xCE3B5B30, 0xA27A27C0, 0xA402D0DB, 0xA402A165, 0x6A38B205, 0x9E4030AD, 0x8143D678, 0x81BCEF4A, 0x2A01BF61, 0xC33CB9D4, 0xA58387B8, 0xA5839152, 0x5C7FE1E9, 0x79BE6BC7, 0xD6FEA602, 0x9E80BA77, 0xD4BF5F2C, 0x7403D770, 0x63C1B0E9, 0xE683FB24, 0x8806F26D, 0x313A14C9, 0xF0FDD92D, 0x257EF53D, 0x6FFBD242, 0x93BB1CE6, 0x23F9C6D3, 0x40B9FEED, 0x247C6C25, 0xA5BE678D, 0xD1056FF7, 0x41047DD2, 0x3339C309, 0x2084BA70, 0x94B8F697, 0xBFBB7643, 0xCD40FE71, 0x18C7E438, 0x9FFA5966, 0x6DFBE110, 0xD9C73A1C, 0x8E8409F9, 0x457A62B9, 0x61BB67C5, 0xA34394F8, 0x133EC8BB, 0xD4044FDD, 0x37C2F42A, 0xD27CB5F5, 0xFA4385E6, 0xDB463532, 0xE77C83DB, 0x627AF59D, 0xB2BEF94C, 0x9538FC45, 0x94C780B8, 0xCE7D1809, 0x3600DB13, 0xD4043B07, 0x823978D3, 0xC941E157, 0xCF3B9C59, 0x1BBE0DBF, 0x45B82831, 0x2FBA2022, 0xBA404B95, 0xFBC6E8E9, 0x6BB97E01, 0xFE856CA4, 0xE0F86BE2, 0x417CFCC8, 0x593E2226, 0xCFC24E4C, 0x7A0120B8, 0x497C2328, 0xDABA34D7, 0xE4FEF97A, 0x30F9F8F0, 0xA3008CE8, 0x53042AB9, 0xDCC61F48, 0x413C8D0D, 0xF58629DF, 0xFE86F2F4, 0x9D7DC3B9, 0x78C46C05, 0x0F0042A4, 0xE0C6DC69, 0xF03965FE, 0x0D392FF5, 0x96BD28CC, 0x5007B425, 0xB23A094E, 0x78C58334, 0x554534AD, 0x76BB974C, 0xCE463A66, 0x503E5C7E, 0xECC6E9D5, 0xB2BC9A65, 0x7EFA2172, 0x9CBC1C30, 0x8ABB77E4, 0xC405B76D, 0x957E308C, 0x33C63316, 0x4538C965, 0x9E7DEEC8, 0x52429D62, 0x12477299, 0x5B06AB74, 0xE230A2BD, 0xECC0E3FC, 0x3BBB450A, 0xDD08DCAF, 0x85310C1D, 0xD6BF06E5, 0x8EFA5117, 0x008ED76D, 0xE60CBBDB, 0x153F2D29, 0x40036983, 0xCECDFD2E, 0xFBB1B2D1, 0x7545E297, 0xE8358074, 0x8DF723F0, 0xA23629D2, 0x5FCBD770, 0x94BB0B3F, 0xCC884977, 0x8DF5FC17, 0xA2F3EFA9, 0x0032BD44, 0x454EB69F, 0x52361CBE, 0x284A2C50, 0x808DB6EF, 0x100C2C87, 0xC231A257, 0xF649F162, 0x34744D4A, 0xA1C8D102, 0xA4BB9290, 0xD0889351, 0x880D0584, 0xD947E8F7, 0x6773EB5C, 0x150E2584, 0x0F75E358, 0xE5F772E0, 0x9F383204, 0x75F4A824, 0x20B41979, 0x7141F2E2, 0x2889B099, 0x3A48D877, 0x0D8FEB17, 0xBB82ED5A, 0x137E775D, 0x1489F19C, 0x1D4E3534, 0xEBF75BE4, 0x638042BA, 0x88B12A5F, 0x1B731B37, 0x7340DC9D, 0x86BF7902, 0x310D3C12, 0x00F6DEFE, 0xFF3B2E2F, 0x2748AF3A, 0xC6BE79AE]
def dec(v):
    x0=v[1]
    x1=v[0]
    x1^=0x243F6BA8
    for i in range(16):
        x=(array1[x1>>24]+array2[x1>>16&0xff])^(array3[x1>>8&0xff]+array4[x1&0xff])^x0
        x0=x1
        x1=x&0xffffffff
    x0^=0x125
    return [x0,x1]

res=[0x8DF0B770, 0x4B1EB28E, 0x73C65C1C, 0x53DE48FD, 0x982EDF34, 0xD8229123, 0x90271182, 0x1F4271E7]
for i in range(4):
    print(struct.pack('<2I',*dec(res[i*2:i*2+2])).decode(),end='')
print()
#DASCTF{Y0u_fin@l1y_f1nd_@nswer!}

RE3:ezAndroid

在luajava.so的lua程序解密部分卡了好久,结果比赛结束才做出来,还是经验不足。

搜了半天,从网上找了一个go的代码居然可以解密这种加密:https://www.bilibili.com/read/cv14099270/

分别对main.lua和pz.lua解密,发现判断flag在pz.lua中

用lua在线解密网站分析代码:https://luadec.metaworm.site/

可以得到简化后的源码:

lua 复制代码
ddddddddddddd = function(r0_2)
    -- line: [94, 97] id: 2
    return r0_2 .. string.rep("\0", 8 - #r0_2 % 8)
  end
  aaaaaaaaaaaaaa = function(r0_3, r1_3, r2_3, r3_3)
    -- line: [99, 101] id: 3
    return (r0_3 or 0) << 24 | (r1_3 or 0) << 16 | (r2_3 or 0) << 8 | (r3_3 or 0)
  end
  asjdhnbvcvvaas = function(r0_4)
    -- line: [103, 110] id: 4
    local r1_4 = {}
    for r5_4 = 1, #r0_4, 8 do
      table.insert(r1_4, aaaaaaaaaaaaaa(r0_4:byte(r5_4, r5_4 + 3)))
      table.insert(r1_4, aaaaaaaaaaaaaa(r0_4:byte(r5_4 + 4, r5_4 + 7)))
    end
    return r1_4
  end
  wqwe = function(r0_5)
    -- line: [112, 114] id: 5
    return string.char(r0_5 >> 24 & 255, r0_5 >> 16 & 255, r0_5 >> 8 & 255, r0_5 & 255)
  end
  izKMncba = function(r0_6)
    -- line: [116, 122] id: 6
    local r1_6 = {}
    for r5_6, r6_6 in ipairs(r0_6) do
      table.insert(r1_6, wqwe(r6_6))
    end
    return table.concat(r1_6)
  end
  aijusbndbv = function(r0_7, r1_7)
    -- line: [124, 147] id: 7
    local r2_7 = r0_7[1]
    local r3_7 = r0_7[2]
    local r4_7 = 0
    local r6_7 = load("return " .. "(114514+114514)*((1+1)*4514+((1+1)*4*51-4+11-4*5+14))+(114514+(114*514+(114*51*4+((1+1)*4*514+(11*(45-1)/4)))))")()
    for r12_7 = 1, load("return " .. "-11 + 45 * 1 + 4")(), 1 do
      r4_7 = r4_7 + r6_7 & 4294967295
      r2_7 = r2_7 + ((r3_7 << 4 ~ r3_7 >> 5) + r3_7 ~ r4_7 + r1_7[(r4_7 & 3) + 1]) & 4294967295
      r3_7 = r3_7 + ((r2_7 << 4 ~ r2_7 >> 5) + r2_7 ~ r4_7 + r1_7[(r4_7 >> 11 & 3) + 1]) & 4294967295
    end
    return {
      r2_7 ~ 14,
      r3_7 ~ 17
    }
  end
  oianxasdavsdvasd = {
    load("return (114514 + 114514) * ((1 + 1) * 451 * 4 + 114 + 51 - 4 + 11 * -4 + 51 - 4) + (114 * 51 * 4 + ((1 + 1) * 45 * 14 - 11 + 45 * 1 + 4))")(),
    load("return (114514 + 114514) * (1 * -(1 - 4) * 514 + 114 - 51 - 4) + (114514 + (114 * 51 * 4 + (1 + 14514 + ((1 + 1) * 45 * 14 + 11 - 4 + 5 * 14))))")(),
    load("return (114514 + 114514) * (11451 + 4 + (11 * (4 + 5) * 14 + 1 + 14 - 5 + 1 + 4)) + (114514 + (114 * 514 + (11451 * 4 + ((1 + 1) * 4 * 51 * 4 + 1 - 14 + 5 + 14))))")(),
    load("return (114514 + 114514) * (1145 * (1 + 4) - 11 + 4 + 5 + 14) + (114514 + (1 + 14514 + (11 * -45 * (1 - 4) + 11 - 4 + 5 / 1 - 4)))")(),
    load("return (114514 + 114514) * ((1 + 1) * 4514 + 1 + 145 * 14 + 11 - 4 * 5 + 14) + 114 * 514 + 1 + 14514 + 1145 - 14")(),
    load("return (114514 + 114514) * (114 * (51 - 4) + (1 + 1 * 4 * 5 * (1 + 4))) + (11 * (451 - 4) + 1 - 14 + 51 - 4)")(),
    load("return (114514 + 114514) * (1 + 14514 + (1 - 14 * -(5 + 1) * 4 + 11 * -4 + 51 - 4)) + 114 * 514 + 114 * 5 * 14 - 11 + 45 * 14 + 11 - 4 + 5 / 1 - 4")(),
    load("return (114514 + 114514) * (114 * 51 + 4 + 114 + 5 + 1 + 4) + (114514 + (114 * 51 * 4 + (1145 * 14 + (114 * -5 * (1 - 4) + 11 * 4 + 5 + 1 - 4))))")(),
    load("return (114514 + 114514) * (11451 + 4 + (11 * (45 + 1) * 4 + 11 * -4 + 51 - 4)) + (114514 + (114 * 51 * 4 + (11451 + 4 + (114 * (5 + 1) * 4 + 11 + 4 * 5 / 1 - 4))))")(),
    load("return (114514 + 114514) * (11451 + 4 + (11 * 4 * (51 - 4) + 114 - 5 * 14)) + 11451 * 4 + 11 * 4 * 5 * 14 + 11 * 4 + 5 * 14")()
  }
  local r8_0 = {
    load("return " .. "114 * 51 + 4 - 1 + 145 + 14")(),
    load("return " .. "114 * 51 * 4 + (1145 * 14 + (1 * -(1 - 4) * 514 - 11 + 45 - 1 - 4))")(),
    load("return " .. "(114514 + 114514) * (11451 + 4 + (1 + 14 * 51 * 4 + (1 * 14 * (5 + 1) + 4))) +(114514 + (114 * 514 + (11 * 4514 + (-1145 * (1 - 4) + 1 * 14 + 5 * 14))))")(),
    load("return " .. "(114514 + 114514) * (114 * (51 + 4) + (1 + 1 + 4 * 5 * 14 + (11 / (45 - 1) * 4))) +(114514 + ((1 + 1) * 4514 + 114 * 5 * 1 * 4 + 1 * 14 - 5 + 14))")()
  }
  local function r9_0(r0_8, r1_8)
    -- line: [183, 193] id: 8
    if #r0_8 ~= #r1_8 then
      return false
    end
    for r5_8 = 1, #r0_8, 1 do
      if r0_8[r5_8] ~= r1_8[r5_8] then
        return false
      end
    end
    return true
  end
  A = function(r0_9)
    -- line: [196, 230] id: 9
    str = r0_9
    if str:sub(1, 5) == "flag{" and str:sub(-1) == "}" then
      pp = str:sub(6, -2)
      local r2_9 = asjdhnbvcvvaas(ddddddddddddd(pp))
      local r3_9 = {}
      for r7_9 = 1, #r2_9, 2 do
        local r9_9 = aijusbndbv({
          r2_9[r7_9],
          r2_9[r7_9 + 1]
        }, r8_0)
        table.insert(r3_9, r9_9[1])
        table.insert(r3_9, r9_9[2])
      end
      local r5_9 = asjdhnbvcvvaas(izKMncba(r3_9))
      if r9_0(r5_9, oianxasdavsdvasd) then
        提示("Congratulations, you are right!")
      end
      if not r9_0(r5_9, oianxasdavsdvasd) then
        提示("Error")
      end
    else
      提示("Error")
    end
  end
 

发现是XTEA加密算法,可以方便的加print进行调试,得到key和比较值,最后写EXP如下:

python 复制代码
import struct

def decrypt(rounds, v, k):
    v0 = v[0]
    v1 = v[1]
    v0^=14
    v1^=17
    delta = 0x80d6732b
    x = delta * rounds
    for i in range(rounds):
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3])
        v1 = v1 & 0xFFFFFFFF
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3])
        v0 = v0 & 0xFFFFFFFF
        x -= delta
        x = x & 0xFFFFFFFF
#    v[0] = v0
#    v[1] = v1
    return [v0,v1]
if __name__ == '__main__':
    print()
    res = [863918170,366827450,2944604520,1314064158,2534040034,1250268803,3402278143,1361039932,3087907484,3107271874]
    key = [5976,40857,3298229483,1500946329]
    rounds = 38
    for i in range(len(res)//2):
        decrypted = decrypt(rounds, res[i*2:i*2+2], key)    print(struct.pack('>2I',*decrypted).decode(),end='')
#7a5e-55e45-1671e-df3b7-cd7a1-6f1e-27fc

提交的时候需要用flag包裹

相关推荐
阿龟在奔跑1 小时前
引用类型的局部变量线程安全问题分析——以多线程对方法局部变量List类型对象实例的add、remove操作为例
java·jvm·安全·list
.Ayang1 小时前
SSRF漏洞利用
网络·安全·web安全·网络安全·系统安全·网络攻击模型·安全架构
.Ayang1 小时前
SSRF 漏洞全解析(概述、攻击流程、危害、挖掘与相关函数)
安全·web安全·网络安全·系统安全·网络攻击模型·安全威胁分析·安全架构
好想打kuo碎1 小时前
1、HCIP之RSTP协议与STP相关安全配置
网络·安全
周全全2 小时前
Spring Boot + Vue 基于 RSA 的用户身份认证加密机制实现
java·vue.js·spring boot·安全·php
Mr.Pascal2 小时前
刚学php序列化/反序列化遇到的坑(攻防世界:Web_php_unserialize)
开发语言·安全·web安全·php
风间琉璃""3 小时前
二进制与网络安全的关系
安全·机器学习·网络安全·逆向·二进制
dot.Net安全矩阵4 小时前
.NET 通过模块和驱动收集本地EDR的工具
windows·安全·web安全·.net·交互
Hacker_Oldv5 小时前
网络安全的学习路线
学习·安全·web安全