继续在去年的比赛找，再水一篇

Re

EasyRe

发现关键函数

int __cdecl main_0(int argc, const char **argv, const char **envp)
{char v4; // [esp+0h] [ebp-E4h]char v5; // [esp+0h] [ebp-E4h]int i; // [esp+D0h] [ebp-14h]char *Str; // [esp+DCh] [ebp-8h]__CheckForDebuggerJustMyCode(&unk_41C015);Str = (char *)malloc(0x64u);sub_4110CD("Please input:", v4);sub_411401("%s", (char)Str);if ( j_strlen(Str) != 32 ){sub_4110CD("Sorry! Try again!\n", v5);exit(1);}dword_41A14C = sub_411406(Str);for ( i = 0; i < 8; ++i ){if ( *(_DWORD *)(dword_41A14C + 4 * i) != *(_DWORD *)&byte_41A058[4 * i] ){sub_4110CD("Sorry! Try again!\n", v5);exit(1);}}sub_4110CD("good! flag is flag{your input}!\n", v5);return 0;
}

然后发现在byte_41A058数组上有个奇怪的字符串,结果就是flag
flag{fc5e038d38a57032085441e7fe7010b0}

findme

int __cdecl main(int argc, const char **argv, const char **envp)
{sub_4024E0();puts("Please input your flag:");scanf("%s", Str);if ( sub_401610(Str) ){if ( off_403844("SETCTF2021", Str) )printf("Success!");elseprintf("Wrong!");}system("pause");return 0;
}

主函数，看起来好像挺简单。

然后发现strcmp？用交叉引用继续跟踪off_403844，发现函数sub_401A0E

int (__cdecl *sub_401A0E())(char *Str, char *)
{int (__cdecl *result)(char *, char *); // eaxresult = off_403840;off_403844 = (int (__cdecl *)(_DWORD, _DWORD))off_403840;return result;
}

是函数off_403840代替了strcmp，然后就是在上面的sub_401866
经过分析是RC4加密

int __cdecl sub_401866(char *Str, char *a2)
{unsigned int len; // eaxchar Data[512]; // [esp+1Ch] [ebp-51Ch] BYREFchar key[256]; // [esp+21Ch] [ebp-31Ch] BYREFchar v6[256]; // [esp+31Ch] [ebp-21Ch] BYREFchar s[256]; // [esp+41Ch] [ebp-11Ch] BYREFunsigned int v8; // [esp+51Ch] [ebp-1Ch]int m; // [esp+520h] [ebp-18h]int k; // [esp+524h] [ebp-14h]size_t j; // [esp+528h] [ebp-10h]size_t i; // [esp+52Ch] [ebp-Ch]memset(s, 0, sizeof(s));memset(v6, 0, sizeof(v6));memset(key, 0, sizeof(key));for ( i = 0; i < strlen(Str); ++i )key[i] = Str[i];memset(Data, 0, sizeof(Data));for ( j = 0; j < strlen(a2); ++j )Data[j] = a2[j];v8 = strlen(Data);len = strlen(key);RC4_init(s, key, len);for ( k = 0; k <= 255; ++k )v6[k] = s[k];RC4_crpto((int)v6, (int)Data, v8);for ( m = 0; m <= 511; ++m ){if ( Data[m] != byte_403040[m] )return 0;}return 1;
}

脚本

#include <stdio.h>
void rc4_init(unsigned char *s, unsigned char *key, unsigned long Len)
{int i = 0, j = 0;char k[256] = {0};unsigned char tmp = 0;for (i = 0; i < 256; i++){s[i] = i;            // v6[i] = i1;k[i] = key[i % Len]; // v7 = i1++ % len;  *v6 = *(_BYTE *)(v7 + a2);}for (i = 0; i < 256; i++){j = (j + s[i] + k[i]) % 256; // v3 = ((unsigned __int8)*result + result[v8] + v3) % 256;tmp = s[i];s[i] = s[j]; //交换s[i]和s[j]s[j] = tmp;}
}
void rc4_crypt(unsigned char *s, unsigned char *Data, unsigned long Len)
{int i = 0, j = 0, t = 0;unsigned long k = 0;unsigned char tmp;for (k = 0; k < Len; k++){i = (i + 1) % 256;j = (j + s[i]) % 256;tmp = s[i];s[i] = s[j]; //交换s[x]和s[y]s[j] = tmp;t = (s[i] + s[j]) % 256;Data[k] ^= s[t]; //生成流密钥}
}
int main()
{unsigned char s[256] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255};unsigned char k[256] = {"SETCTF2021"};unsigned char pData[] = {0xB7, 0x52, 0x85, 0xC1, 0x90,0xE9, 0x07, 0xB8, 0xE4, 0x1A,0xC3, 0xBD, 0x1D, 0x8E, 0x85,0x46, 0x00, 0x21, 0x44, 0xAF,0xEF, 0x70, 0x32, 0xB5, 0x11,0xC6}; // byte_403040rc4_init(s, k, 10);rc4_crypt(s, (unsigned char *)pData, 26); //解密for (int i = 0; i < 26; i++){printf("%c", (*((char *)pData + i)) & 0xff);}return 0;
}

SETCTF{Th1s_i5_E2_5tRcm9!}

power

arm-linux-gnueabi-as power -o power.o

int __cdecl main(int argc, const char **argv, const char **envp)
{aes *v3; // r4int i; // [sp+0h] [bp+0h]char v6[20]; // [sp+8h] [bp+8h] BYREFint v7[25]; // [sp+1Ch] [bp+1Ch] BYREFchar v8[100]; // [sp+80h] [bp+80h] BYREFstrcpy(v6, "this_is_a_key!!!");memset(v7, 0, sizeof(v7));memset(v8, 0, sizeof(v8));puts("input flag:");fgets((char *)v7, 100, (FILE *)stdin);v3 = (aes *)operator new(0xB0u);aes::aes(v3, v6);if ( strlen((const char *)v7) != 33 )exit(0);LOBYTE(v7[8]) = 0;for ( i = 0; i <= 31; i += 16 )aes::encryption_cbc(v3, (char *)&v7[i / 4u], &v8[2 * i]);if ( !strcmp(v8, "1030a9254d44937bed312da03d2db9adbec5762c2eca7b5853e489d2a140427b") )puts("yeah, you get it!");elseputs("wrong!");return 0;
}

AES 加密 EBC模式

flag{y0u_found_the_aes_12113112}

EasyRE_Revenge

//IDC脚本
auto addr_start = 0x004117A0;//函数起始地址
auto addr_end = 0x00411E58;//函数结束地址
auto i=0,j=0;
for(i=addr_start;i<addr_end;i++){if(Dword(i) == 0x1E8){for(j=0 ; j<6; j++,i++ ){PatchByte(i,0x90);//0x90是nop表示的字节}i=i+4;for(j=0 ; j<3; j++,i++ ){PatchByte(i,0x90);}i=i+10;for(j=0 ; j<3; j++,i++ ){PatchByte(i,0x90);}i=i+5;for(j=0 ; j<1; j++,i++ ){PatchByte(i,0x90);}   i=i+3;for(j=0 ; j<2; j++,i++ ){PatchByte(i,0x90);}     i--;    }
}

void __cdecl __noreturn sub_4117A0(int a1)
{int j; // [esp+D0h] [ebp-90h]int i; // [esp+DCh] [ebp-84h]int v3[27]; // [esp+E8h] [ebp-78h] BYREF_DWORD *v4; // [esp+154h] [ebp-Ch]v4 = malloc(0x64u);j_memset(v3, 0, 0x64u);v3[0] = 0x271E150C;v3[1] = 993143072;v3[2] = 1599491396;v3[3] = 1936351576;v3[4] = -1752267396;v3[5] = -1415407216;v3[6] = -809058892;v3[7] = -472198712;for ( i = 0; i < 8; ++i )v4[i] = *(_DWORD *)(a1 + 4 * i) ^ v3[(7 * i + 2) % 8];for ( j = 0; j < 8; ++j ){v4[j] ^= v4[j] << 7;v4[j] ^= v3[(7 * j + 3) % 8];v4[j] ^= v4[(5 * j + 3) % 8];v4[j] ^= v4[j] << 13;v4[j] ^= v3[(7 * j + 5) % 8];v4[j] ^= v4[j] << 17;}
}

脚本

from z3 import *
key = [0] * 8
v = [0] * 8
key[0] = BitVecVal(0x271E150C, 32)
key[1] = BitVecVal(0x3B322920, 32)
key[2] = BitVecVal(0x5F564D44, 32)
key[3] = BitVecVal(0x736A6158, 32)
key[4] = BitVecVal(0x978E857C, 32)
key[5] = BitVecVal(0xABA29990, 32)
key[6] = BitVecVal(0xCFC6BDB4, 32)
key[7] = BitVecVal(0xE3DAD1C8, 32)
flag = [BitVec(f"flag[{i}]", 32) for i in range(8)]
sol = Solver()
for i in range(8):v[i] = flag[i] ^ key[(7 * i + 2) % 8]
for j in range(8):v[j] ^= v[j] << 7v[j] ^= key[(7 * j + 3) % 8]v[j] ^= v[(5 * j + 3) % 8]v[j] ^= v[j] << 13v[j] ^= key[(7 * j + 5) % 8]v[j] ^= v[j] << 17
enc = [0xEEE8B042, 0x57D0EE6C, 0xF3F54B32, 0xD3F0B7D6,0x0A61C389, 0x38C7BA40, 0x0C3D9E2C, 0xD64A9284]
for i in range(8):sol.add(v[i] == enc[i])
if sol.check() == sat:mol = sol.model()
flag = [int.to_bytes(mol.eval(i).as_long(), 4,byteorder="little").decode() for i in flag]
print("".join(flag))

Eat_something

拿webt反编译得到.o文件

int __cdecl w2c_checkright(int a1)
{int result; // eax__int64 v2; // [esp+20h] [ebp-168h]int v3; // [esp+30h] [ebp-158h]__int64 v4; // [esp+40h] [ebp-148h]__int64 v5; // [esp+48h] [ebp-140h]__int64 v6; // [esp+50h] [ebp-138h]__int64 v7; // [esp+58h] [ebp-130h]__int64 v8; // [esp+60h] [ebp-128h]__int64 v9; // [esp+68h] [ebp-120h]char v10; // [esp+C8h] [ebp-C0h]int v11; // [esp+CCh] [ebp-BCh]int v12; // [esp+D4h] [ebp-B4h]int v13; // [esp+D8h] [ebp-B0h]char *v14; // [esp+E4h] [ebp-A4h]int v15; // [esp+158h] [ebp-30h]unsigned int v16; // [esp+174h] [ebp-14h]if ( ++wasm_rt_call_stack_depth > 0x1F4u )wasm_rt_trap(7);v16 = w2c_g0 - 96;i32_store(w2c_memory, w2c_g0 - 96 + 88, ((unsigned __int64)(unsigned int)(w2c_g0 - 96) + 88) >> 32, a1);v15 = i32_load16_u(w2c_memory, 1048, 0);i32_store16(w2c_memory, v16 + 72, 0, v15);v9 = i64_load(w2c_memory, 1040, 0);i64_store(w2c_memory, v16 + 64, 0, v9, HIDWORD(v9));v8 = i64_load(w2c_memory, 1032, 0);i64_store(w2c_memory, v16 + 56, 0, v8, HIDWORD(v8));v7 = i64_load(w2c_memory, 1024, 0);i64_store(w2c_memory, v16 + 48, 0, v7, HIDWORD(v7));v6 = i64_load(w2c_memory, 1057, 0);i64_store(w2c_memory, v16 + 40, 0, v6, HIDWORD(v6));v5 = i64_load(w2c_memory, 1050, 0);i64_store(w2c_memory, v16 + 33, 0, v5, HIDWORD(v5));v4 = i64_load(w2c_memory, 1072, 0);i64_store(w2c_memory, v16 + 25, 0, v4, HIDWORD(v4));v2 = i64_load(w2c_memory, 1065, 0);i64_store(w2c_memory, v16 + 18, 0, v2, HIDWORD(v2));i32_store(w2c_memory, v16 + 12, ((unsigned __int64)v16 + 12) >> 32, 0);// iwhile ( i32_load(w2c_memory, v16 + 12LL) < 26 )// i<26{v14 = (char *)(i32_load(w2c_memory, v16 + 12LL) + v16 + 48);v13 = (unsigned __int8)i32_load8_u(w2c_memory, v14, 0);// v13=enc[i]v12 = i32_load(w2c_memory, v16 + 88LL);v11 = i32_load(w2c_memory, v16 + 12LL) + v12;v10 = i32_load8_u(w2c_memory, v11, 0);      // v10=flag[i]if ( v13 != (i32_load(w2c_memory, v16 + 12LL) ^ (2 * v10)) ){i32_store(w2c_memory, v16 + 92, ((unsigned __int64)v16 + 92) >> 32, v16 + 18);goto LABEL_9;}v3 = i32_load(w2c_memory, v16 + 12LL) + 1;  // i+=1i32_store(w2c_memory, v16 + 12, ((unsigned __int64)v16 + 12) >> 32, v3);}i32_store(w2c_memory, v16 + 92, ((unsigned __int64)v16 + 92) >> 32, v16 + 33);
LABEL_9:result = i32_load(w2c_memory, v16 + 92LL);--wasm_rt_call_stack_depth;return result;
}

发现数据

脚本

enc =   [0x86, 0x8B, 0xAA, 0x85, 0xAC, 0x89, 0xF0, 0xAF, 0xD8, 0x69, 0xD6, 0xDD, 0xB2, 0xBF, 0x6E, 0xE5, 0xAE, 0x99, 0xCC, 0xD5, 0xBC, 0x8B, 0xF2, 0x7D, 0x7A, 0xE3, 0x59, 0x6F, 0x75, 0x20, 0x61, 0x72, 0x65, 0x20, 0x72, 0x69, 0x67, 0x68, 0x74, 0x21, 0x00, 0x59, 0x6F, 0x75, 0x20, 0x61, 0x72, 0x65, 0x20, 0x77, 0x72, 0x6F, 0x6E, 0x67, 0x21, 0x00]
flag  = []
for i in range(26):flag .append(chr((i ^ enc[i]) // 2))
print("".join(flag))
# CETCTF{Th0nk_Y0u_DocTOr51}

O

java里什么也没有
run.log 好像在某比赛见过这东西，openjdk写的IdealGraph
发现奇怪的长数字

然后是b’V@QFQC~=a<<5dd==5<121c63<4c260`706cafd`x’
在run中找到了xorI 可以试着爆破最后发现异或5即可

脚本

import binascii
flag = [19703596266291286, 17170514749620305, 14918431467634785, 17170235578908772, 14073959292862517, 14355455746965553,14074174040703036, 15481536039092278, 27303497946234928, 33777409528692838]
s = ""
for i in flag:temp = hex(i)[2:].replace("00", "")s = s + temp[6:8] + temp[4:6] + temp[2:4] + temp[0:2]s = binascii.a2b_hex(s)
for j in s:print(chr(j ^ 5), end="")

陇原战“疫“2021 复现Re相关推荐

陇原战疫2021网络安全大赛_Crypto_复现
陇原战疫2021网络安全大赛_Crypto_复现 mostlycommon D e c r y p t i o n c o d e Decryption~code Decryptioncode eas ...
陇原战“疫“2021网络安全大赛 Web eaaasyphp
eaaasyphp 文章目录 eaaasyphp 读取phpinfo 打fastcgi 恶意的ftp服务构造pop链参考链接题目给出了源码读取phpinfo 尝试反序列化读取phpinfo 但 ...
陇原战“疫“2021网络安全大赛Writeup
Web CheckIN 源代码的这两处: 先尝试访问/wget:/wget?argv=a,看出来这里应该是可以进行攻击的了接着尝试利用wget的--post-file进行数据外带,读取源代码在自己 ...
陇原战疫2021网络安全大赛 Web
前言题挺有意思的,Web有点难,而且后面三道难题放的有点晚了,时间不够(肝了一下午的Java).这个比赛的难度,能早9晚9的话可能还好一些,早9晚5就有点紧了. Java还是太菜了,需要学很多的东西 ...
四个有关文件传输的CTF WEB题(深育杯FakeWget、极客大挑战where_is_my_FUMO、2021陇原战疫CheckIN、N1CTF-curl trick)
文章目录深育杯FakeWget 极客大挑战where_is_my_FUMO 2021陇原战疫CheckIN N1CTF-curl trick wp来自官方发布和个人想法,觉得这四个题挺有意思的所以整 ...
2021【陇原战“疫”】crypto部分writeup
这次BUUCTF月赛对我来说确实还行了,不会太难,也能学到东西,主要想说说比特翻转攻击的问题,最近这种题碰的特别多,CBC的,CFB的,GCM的,各种各样的AES模式的攻击问题,从最基本的CBC开始, ...
2021长安“战疫”网络安全卫士守护赛 misc部分writeup
2021长安"战疫"网络安全卫士守护赛 misc部分writeup 八卦迷宫朴实无华的取证西安加油 ez_Encrypt 一百多名,我觉得还行欸,多亏了队里的crypto手八 ...
长安“战疫”网络安全卫士守护赛_crypto_复现
长安"战疫"网络安全卫士守护赛_Crypto math 涉及的知识点:RSA加密未知模数,已知p对q的逆元以及q对p的逆元求RSA的模数N 题目描述题目没有描述,只有已知量c,e ...
防控疫情，我们在行动——爱奇艺战“疫”全纪录
2020年春节前夕,一场突如其来的新冠肺炎疫情悄然袭来,实时更新的疫情数据牵动着每一个中国人的心.爱奇艺密切关注疫情发展情况,积极履行社会责任,承担网络视听媒体的责任担当,爱奇艺社会责任通过湖北慈善总 ...

陇原战“疫“2021 复现Re

Re