2024 ciscn&ccb RE wp

dump

运行程序 输入几个字符 观察回显

image1

随后看了一下flag头的映射

image2

跟flag的前几位一样

image3

发现是单字节加密（每个输入字节独立映射为一个输出字节，与位置无关），所以把所有可打印字符输入进去 dump 一下。注意 string.printable 末尾还带有 6 个空白字符（空格、\t、\n、\r、\x0b、\x0c），其中的换行通常会提前结束程序的读入，所以实际被映射的只有前面 94 个可见字符。

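import string

# Probe alphabet fed to the binary one character at a time.  string.printable
# ends with six whitespace characters (" \t\n\r\x0b\x0c"); the newline among
# them ends the read in most CLI programs, so those bytes never reach the
# cipher.  Build the 94 visible characters explicitly -- this is exactly the
# string shown in the comment below, and it is what the mapping table is
# indexed against.
all_char = string.digits + string.ascii_letters + string.punctuation
print(all_char)
#0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~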

得到映射表
image4

001c1d000000000000001e1f202122232425262728292a2b2c2d2e2f303132333435363702030405060708090a0b0c0d0e0f101112131415161718191a1b00000000000000000000000000000000000100000000000000000038003900

随后将flag一一映射过去即可

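import string

all_char = string.printable
#print(all_char)
# Cipher byte observed for each character of string.printable, in that order.
# 0x00 stands for "no usable echo was recovered", so dozens of characters share
# it: a plain table.index() resolves every such byte to the FIRST match ('0'),
# which is exactly how the wrong digit slipped into the output below.
table = list(bytes.fromhex("001c1d000000000000001e1f202122232425262728292a2b2c2d2e2f303132333435363702030405060708090a0b0c0d0e0f101112131415161718191a1b000000000000000000000000000000000100000000000000000038003900"))
flag = list(bytes.fromhex("23 29 1E 24 38 0E 15 20 37 0E 05 20 00 0E 37 12 1D 0F 24 01 01 39"))


def invert_table(table, charset=string.printable):
    """Return {cipher_byte: [plaintext chars]} built from the observed table.

    ``zip`` stops at the shorter sequence, so a dump that is shorter than the
    charset simply leaves the trailing characters unmapped.
    """
    candidates = {}
    for ch, b in zip(charset, table):
        candidates.setdefault(b, []).append(ch)
    return candidates


def decode(cipher, table, charset=string.printable, unknown="?"):
    """Map cipher bytes back through the observed single-byte substitution.

    A byte is decoded only when exactly one plaintext character produced it.
    Bytes with several candidates (the 0x00 collisions) or with none at all
    are rendered as ``unknown`` so they get resolved by hand from context or
    the challenge hint, instead of being guessed silently.
    """
    candidates = invert_table(table, charset)
    out = []
    for b in cipher:
        opts = candidates.get(b, [])
        out.append(opts[0] if len(opts) == 1 else unknown)
    return "".join(out)


# Every '?' in the output is a position the dump cannot decide on its own.
print(decode(flag, table))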

手动修正一下输出：映射表里大量位置是 0x00（这些字符的回显没有取到），`table.index()` 只会返回第一个匹配，所以脚本输出里的 `0`、`;` 等位置并不可信；把 `_` 改为 `{`、`;;` 改为 `==`，再结合提示第十四位是 4 把那个 0 改掉即可。
flag{MTczMDc4MzQ2Ng==}

ezCsky

ida 打开附件，需要手动选择 arm 处理器再去分析，这里走了好多弯路。

发现有RC4 猜测rc4加密 找key和密文

image5

找到key 跟进unk_8AA0

image6

找到密文

image7

直接解

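# RC4 without PyCryptodome.  RC4 is a symmetric keystream XOR, so "encrypt"
# and "decrypt" are the same operation; a pure-Python KSA/PRGA keeps the
# script runnable anywhere and makes the key schedule visible.

def rc4(key, data):
    """Apply RC4 keyed by ``key`` (1..256 bytes) to ``data``; returns bytes.

    Raises ValueError for an empty or over-long key, which the reference
    algorithm does not define (an empty key would also divide by zero below).
    """
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: one keystream byte per data byte, XORed in.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


encrypt_data = [0x96, 0x8F, 0xB8, 0x08, 0x5D, 0xA7, 0x68, 0x44, 0xF2, 0x64,
                0x92, 0x64, 0x42, 0x7A, 0x78, 0xE6, 0xEA, 0xC2, 0x78, 0xB8,
                0x63, 0x9E, 0x5B, 0x3D, 0xD9, 0x28, 0x3F, 0xC8, 0x73, 0x06,
                0xEE, 0x6B, 0x8D, 0x0C, 0x4B, 0xA3, 0x23, 0xAE, 0xCA, 0x40,
                0xED, 0xD1]  # ciphertext pulled from unk_8AA0
key = b'testkey'  # RC4 key recovered from the binary
print(rc4(key, bytes(encrypt_data)))  # RC4 output; not yet the flag
#b'\n\r\x06\x1c\x1fTVSWQ\x00\x03\x1d\x14XV\x03\x19\x1c\x00T\x03K\x14X\x07\x02IL\x02\x07\x01Q\x0c\x08\x00\x01\x00\x03\x00O}'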

最后一位是} 前面的都不对 结合左边的符号表有xor函数

image8

猜测进行了异或 但是最后一位没有异或 所以猜测加密的异或可能是
flag[i]^=flag[i+1]
直接写逆向脚本即可

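# Full ezCsky solve: RC4 with the recovered key, then undo the forward xor
# chain flag[i] ^= flag[i+1].  The last byte is never touched by that chain,
# which is why '}' survived RC4 decryption unchanged.

def rc4(key, data):
    """Apply RC4 keyed by ``key`` (1..256 bytes) to ``data``; returns bytes.

    Raises ValueError for an empty or over-long key, which the reference
    algorithm does not define (an empty key would also divide by zero below).
    """
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: one keystream byte per data byte, XORed in.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def undo_xor_chain(buf):
    """Invert ``buf[i] ^= buf[i+1]`` applied for i = 0 .. n-2 in ascending order.

    The last byte was never modified, so it is known; walking backwards, each
    recovered byte unmasks the one before it.  Empty and one-byte inputs are
    returned unchanged.
    """
    out = bytearray(buf)
    for i in range(len(out) - 2, -1, -1):
        out[i] ^= out[i + 1]
    return bytes(out)


encrypt_data = [0x96, 0x8F, 0xB8, 0x08, 0x5D, 0xA7, 0x68, 0x44, 0xF2, 0x64,
                0x92, 0x64, 0x42, 0x7A, 0x78, 0xE6, 0xEA, 0xC2, 0x78, 0xB8,
                0x63, 0x9E, 0x5B, 0x3D, 0xD9, 0x28, 0x3F, 0xC8, 0x73, 0x06,
                0xEE, 0x6B, 0x8D, 0x0C, 0x4B, 0xA3, 0x23, 0xAE, 0xCA, 0x40,
                0xED, 0xD1]  # ciphertext pulled from unk_8AA0
key = b'testkey'  # RC4 key recovered from the binary
stage1 = rc4(key, bytes(encrypt_data))
print(stage1)
flag = undo_xor_chain(stage1)
# Printed front to back with index 0 included: the original loop printed the
# bytes in reverse and never printed flag[0], which is where the "missing f"
# came from.
print(flag.decode())
#flag{d0f5b330-9a74-11ef-9afd-acde48001122}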

少了个 f，是因为脚本的循环打印的是 flag[i] 而不是刚刚还原出来的 flag[i-1]，所以 flag[0] 从未被输出（而且输出是倒序的，要再反转一次）；在前面补上 f 就是正确的 flag。

kiwi

打开附件 给了一个流量包和一个exe程序 分析一下exe
kiwi

跟进一下sub_140082974
首先根据word_140111152生成了一个伪随机数 起调试取出来 是0x69
kiwi-1
交叉引用这个伪随机数发现下面进行了异或 并且和随机数进行相加
kiwi-2

起调试取出随机数

0x7d, 0x2e, 0x10, 0x3d, 0x2d, 0x27, 0x44, 0x79, 0x27, 0x69, 0x33, 0x55, 0x5c, 0x2d, 0x7a, 0x4, 0x2, 0x65, 0x16,  0x22, 0x14, 0x2d, 0x4, 0x47, 0x1a, 0x7f, 0x26, 0x5b, 0x2a, 0x26, 0x69, 0x2c, 0x2f, 0x75, 0x25, 0x3d, 0x69, 0x38,  0x45, 0x62, 0x35, 0x6b, 0x27, 0x9, 0xf, 0x2a, 0x46, 0x5b, 0x55, 0x69, 0x16, 0x4, 0x4d, 0x65, 0x2f, 0x4e, 0x6a, 0x5a, 0x2e, 0x75, 0x4b, 0x77, 0x58, 0x37, 0x5, 0xf, 0x1, 0x2a, 0x22, 0x11, 0x2d, 0x52, 0x6a, 0x3a, 0x74, 0x73,  0x61, 0x9, 0x2b, 0x24, 0x10, 0x74, 0x40, 0x25, 0x8, 0x59, 0x66, 0x72, 0x25, 0x37, 0x72, 0x18, 0x10, 0x1e, 0x5, 0x48, 0x7, 0x64, 0x6c, 0x2a, 0x61, 0x1a, 0x44, 0x73, 0x4c, 0x3e, 0x62, 0x3a, 0x5a, 0x32, 0x72, 0x8, 0x3c, 0x6d,  0x5d, 0x2e, 0x4d, 0x71, 0x71, 0x5b, 0x52, 0x7d, 0x3c, 0x6d, 0x7f, 0x3, 0x38, 0x8, 0x3e, 0x5c, 0x2e, 0x65, 0x2d,  0x3b, 0x54, 0x6d, 0x65, 0x60, 0x38, 0x7, 0x2, 0xe, 0x62, 0x2e, 0x60, 0x3e, 0x35, 0x46, 0x22, 0x15, 0x17, 0x30, 0x79, 0x14, 0x52, 0x1c, 0x23, 0xf, 0x39, 0x1e, 0x31, 0x60, 0xe, 0x5, 0xe, 0x5c, 0x23, 0x68, 0x3d, 0x6, 0x40, 0x1, 0x62, 0x3, 0x45, 0x3e, 0x4, 0x4e, 0x10, 0x16

最后是一个变表的base64
kiwi-3
写个脚本提取一下码表

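# Dump the custom base64 alphabet from the binary.  Only the printable bytes in
# the range are kept (the range is 127 bytes for a 64-character table, so the
# layout is presumably something like wide chars or padding -- TODO confirm in
# IDA); the extracted alphabet is validated as exactly 64 distinct characters
# so a wrong start/end does not silently yield a truncated table.

start = 0x140111070
end = 0x1401110EE


def extract_printable(data):
    """Return the printable-ASCII bytes (0x20..0x7E) of ``data`` as a str, in order."""
    return "".join(chr(b) for b in data if 32 <= b <= 126)


def check_base64_alphabet(alphabet):
    """Return ``alphabet`` unchanged if it has 64 distinct characters, else raise ValueError."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError(
            f"expected 64 distinct alphabet characters, got {len(alphabet)} "
            f"({len(set(alphabet))} distinct): {alphabet!r}"
        )
    return alphabet


def dump_alphabet(start, end):
    """Read bytes [start, end] from the IDA database and return the validated alphabet."""
    import idaapi  # IDA-only; imported here so the pure helpers above work outside IDA

    raw = bytes(idaapi.get_byte(addr) for addr in range(start, end + 1))
    return check_base64_alphabet(extract_printable(raw))


if __name__ == "__main__":
    print(dump_alphabet(start, end), end="")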

kiwi-4

得到码表为d+F3DwWj8tUckVGZb57S1XsLqfm0vnpeMEzQ2Bg/PTrohxluiJCRIYAyH6N4aKO9
所以加密的总逻辑就是：明文逐字节异或 0x69，再加上对应位置的伪随机数（按字节运算，应当是模 256），最后用换表 base64 编码；解密时按相反顺序，先换表 base64 解码，再减去随机数，再异或 0x69。
随后看sub_140082774函数 发现密文是流量包的upload流
kiwi-5

去流量包里找一下
kiwi-6

发现密文
先解码一下
kiwi-7

然后写个脚本解密

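# kiwi: the binary emits base64custom((p ^ 0x69) + r[i]) per byte, so after
# undoing the base64 step the byte-wise inverse is (c - r[i]) mod 256, then ^ 0x69.

enc = [0xb9, 0x48, 0x1c, 0x58, 0x81, 0x4f, 0x51, 0x7d, 0x27, 0x70, 0x33, 0x6f, 0x79, 0x48, 0x82, 0x21,
       0x08, 0x80, 0x79, 0x49, 0x51, 0x52, 0x28, 0x9b, 0x7d, 0xbb, 0x40, 0x67, 0x45, 0x7a, 0x96, 0x38,
       0x3e, 0x7d, 0x41, 0x42, 0x86, 0x60, 0x4f, 0x6c, 0x3b, 0x87, 0x2e, 0x26, 0x72, 0x51, 0x83, 0x80,
       0x79, 0xbd, 0x79, 0x40, 0x67, 0x71, 0x4a, 0xa2, 0x98, 0x76, 0x3a, 0x8f, 0x68, 0xda, 0x7f, 0x74,
       0x2a, 0x33, 0x55, 0x8d, 0x5e, 0x2b, 0x39, 0x6d, 0xbe, 0x5f, 0x74, 0x74, 0x7d, 0x11, 0x8e, 0x4b,
       0x4d, 0x99, 0x64, 0x79, 0x63, 0xb3, 0x73, 0xca, 0x31, 0x90, 0xc3, 0x77, 0x1b, 0x6f, 0x61, 0x52,
       0x11, 0xbc, 0xbd, 0x86, 0xb2, 0x78, 0x4f, 0x7e, 0x56, 0x8f, 0x6c, 0x94, 0xb4, 0x3a, 0x7f, 0x14,
       0x4b, 0x79, 0xb6, 0x8c, 0xb0, 0xad, 0x8b, 0x67, 0x6d, 0xd1, 0x7a, 0x9a, 0xa7, 0x31, 0x74, 0x25,
       0x3e, 0x61, 0x2e, 0x82, 0x3d, 0x63, 0x5e, 0x77, 0x6b, 0x7c, 0x3f, 0x24, 0x65, 0x35, 0x9f, 0x53,
       0x84, 0x92, 0x42, 0xa0, 0x7d, 0x66, 0x70, 0x3b, 0xd3, 0x65, 0xa2, 0x6d, 0x7f, 0x19, 0x92, 0x7a,
       0x8c, 0xb8, 0x6b, 0x12, 0x18, 0x66, 0x74, 0xc0, 0x48, 0x64, 0x9d, 0x0e, 0x6f, 0x53, 0x96, 0x49,
       0x61, 0x5d]  # upload payload from the pcap, custom-base64 decoded
sub = [0x7d, 0x2e, 0x10, 0x3d, 0x2d, 0x27, 0x44, 0x79, 0x27, 0x69, 0x33, 0x55, 0x5c, 0x2d, 0x7a, 0x4, 0x2, 0x65, 0x16,
       0x22, 0x14, 0x2d, 0x4, 0x47, 0x1a, 0x7f, 0x26, 0x5b, 0x2a, 0x26, 0x69, 0x2c, 0x2f, 0x75, 0x25, 0x3d, 0x69, 0x38,
       0x45, 0x62, 0x35, 0x6b, 0x27, 0x9, 0xf, 0x2a, 0x46, 0x5b, 0x55, 0x69, 0x16, 0x4, 0x4d, 0x65, 0x2f, 0x4e, 0x6a,
       0x5a, 0x2e, 0x75, 0x4b, 0x77, 0x58, 0x37, 0x5, 0xf, 0x1, 0x2a, 0x22, 0x11, 0x2d, 0x52, 0x6a, 0x3a, 0x74, 0x73,
       0x61, 0x9, 0x2b, 0x24, 0x10, 0x74, 0x40, 0x25, 0x8, 0x59, 0x66, 0x72, 0x25, 0x37, 0x72, 0x18, 0x10, 0x1e, 0x5,
       0x48, 0x7, 0x64, 0x6c, 0x2a, 0x61, 0x1a, 0x44, 0x73, 0x4c, 0x3e, 0x62, 0x3a, 0x5a, 0x32, 0x72, 0x8, 0x3c, 0x6d,
       0x5d, 0x2e, 0x4d, 0x71, 0x71, 0x5b, 0x52, 0x7d, 0x3c, 0x6d, 0x7f, 0x3, 0x38, 0x8, 0x3e, 0x5c, 0x2e, 0x65, 0x2d,
       0x3b, 0x54, 0x6d, 0x65, 0x60, 0x38, 0x7, 0x2, 0xe, 0x62, 0x2e, 0x60, 0x3e, 0x35, 0x46, 0x22, 0x15, 0x17, 0x30,
       0x79, 0x14, 0x52, 0x1c, 0x23, 0xf, 0x39, 0x1e, 0x31, 0x60, 0xe, 0x5, 0xe, 0x5c, 0x23, 0x68, 0x3d, 0x6, 0x40, 0x1,
       0x62, 0x3, 0x45, 0x3e, 0x4, 0x4e, 0x10, 0x16]  # per-byte pseudo-random addends dumped under the debugger
sand = 0x69  # xor constant derived from word_140111152


def decrypt(enc, sub, sand):
    """Undo the byte-wise ``(p ^ sand) + sub[i]`` transform; returns bytes.

    The subtraction is reduced mod 256 because the binary works on bytes: without
    the mask a ciphertext byte smaller than its addend would go negative, and the
    XOR would produce a value outside 0..255 that chr() renders as garbage.
    Raises ValueError when ``sub`` is shorter than ``enc`` instead of dying with
    an IndexError part-way through the output.
    """
    if len(sub) < len(enc):
        raise ValueError(f"need {len(enc)} addends, got {len(sub)}")
    return bytes(((c - r) & 0xFF) ^ sand for c, r in zip(enc, sub))


flag = list(decrypt(enc, sub, sand))
# latin-1 maps each byte 0..255 to the same code point chr() would produce.
print(bytes(flag).decode("latin-1"), end='')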

kiwi-8
找个在线网站（或本地用 hashcat -m 1000 / john）破解一下 Lihua 的 NTLM 哈希即可；注意真实环境里拿到的哈希不要提交到第三方网站。
kiwi-9
flag{memeallme!}