HGAME2021Week1 Writeup

小白做完了re还是很开心的

RE部分

Day 1 helloRe

第一天的第一道题~~这道题是真.签到题啊

进入ida，没有明显的main函数，F12查找字符串，看到input flag点进去

发现主函数应该是sub_1400014C0

逻辑很简单，脚本也挺好写的

#include<iostream>
using namespace std;int main()
{char memory[30] = "";int v6 = 0x0FF;char asc_[23] = "棛湋瀬憹洑毇仐畝儚攭櫁";for (int i = 0; i < 23; i++){memory[i] = asc_[i] ^ (v6--);}printf("%s", memory);}

Day 2 pypy

第一次做python反汇编，好在题目比较友好，没有太复杂

照着类似题的wp和dis–python字节码反汇编可以硬翻。。

下面写了注释的哦

 0 LOAD_GLOBAL              0 (input)2 LOAD_CONST               1 ('give me your flag:\n')4 CALL_FUNCTION            16 STORE_FAST               0 (raw_flag)5           8 LOAD_GLOBAL              1 (list)10 LOAD_FAST                0 (raw_flag)12 LOAD_CONST               2 (6)14 LOAD_CONST               3 (-1)16 BUILD_SLICE              2                    取raw_flag的第六位到倒数第一位18 BINARY_SUBSCR                                 所以最后要包上hgame{}才是flag20 CALL_FUNCTION            122 STORE_FAST               1 (cipher)6          24 LOAD_GLOBAL              2 (len)26 LOAD_FAST                1 (cipher)28 CALL_FUNCTION            1                      length=len(cipher)30 STORE_FAST               2 (length)8          32 LOAD_GLOBAL              3 (range)34 LOAD_FAST                2 (length)36 LOAD_CONST               4 (2)38 BINARY_FLOOR_DIVIDE                           40 CALL_FUNCTION            142 GET_ITER>>   44 FOR_ITER                54 (to 100)46 STORE_FAST               3 (i)9          48 LOAD_FAST                1 (cipher)50 LOAD_CONST               4 (2)52 LOAD_FAST                3 (i)54 BINARY_MULTIPLY56 LOAD_CONST               5 (1)58 BINARY_ADD60 BINARY_SUBSCR                                   cipher[2i+1]62 LOAD_FAST                1 (cipher)64 LOAD_CONST               4 (2)66 LOAD_FAST                3 (i)68 BINARY_MULTIPLY70 BINARY_SUBSCR                                   cipher[2i]72 ROT_TWO74 LOAD_FAST                1 (cipher)76 LOAD_CONST               4 (2)78 LOAD_FAST                3 (i)80 BINARY_MULTIPLY82 STORE_SUBSCR84 LOAD_FAST                1 (cipher)86 LOAD_CONST               4 (2)88 LOAD_FAST                3 (i)90 BINARY_MULTIPLY92 LOAD_CONST               5 (1)94 BINARY_ADD96 STORE_SUBSCR                             这一段就是x,y=y,x98 JUMP_ABSOLUTE           44               交换了cipher[2i+1]和cipher[2i]12     >>  100 BUILD_LIST               0102 STORE_FAST               4 (res)         #创建一个list13         104 LOAD_GLOBAL              3 (range)106 LOAD_FAST                2 (length)108 CALL_FUNCTION            1110 GET_ITER>>  112 FOR_ITER                26 (to 140)114 STORE_FAST               3 (i)14         116 LOAD_FAST                4 (res)118 LOAD_METHOD              4 (append)120 LOAD_GLOBAL              5 (ord)122 LOAD_FAST                1 (cipher)124 LOAD_FAST                3 (i)126 BINARY_SUBSCR128 CALL_FUNCTION            1130 LOAD_FAST                3 (i)132 BINARY_XOR                                res.append(ord(cipher[i])^i)134 CALL_METHOD              1136 POP_TOP138 JUMP_ABSOLUTE          11215     >>  140 LOAD_GLOBAL              6 (bytes)142 LOAD_FAST                4 (res)144 CALL_FUNCTION            1146 LOAD_METHOD              7 (hex)148 CALL_METHOD              0150 STORE_FAST               4 (res)         把res里的数据转成16进制16         152 LOAD_GLOBAL              8 (print)154 LOAD_CONST               6 ('your flag: ')156 LOAD_FAST                4 (res)158 BINARY_ADD                                            输出res160 CALL_FUNCTION            1162 POP_TOP164 LOAD_CONST               0 (None)166 RETURN_VALUE# your flag: 30466633346f59213b4139794520572b45514d61583151576638643a

其实就几行代码，因本废物只能看懂一点python但不会写，所以还是用的C++写脚本

#include<iostream>
using namespace std;int main()
{int cipher[28] = { 0x30,0x46,0x66,0x33,0x34,0x6f,0x59,0x21,0x3b,0x41,0x39,0x79,0x45,0x20,0x57,0x2b,0x45,0x51,0x4d,0x61,0x58,0x31,0x51,0x57,0x66,0x38,0x64,0x3a };int raw_flag[20] = { };char flag1[28] = {};//char temp;for (int i = 0; i < 28; i++){flag1[i] = char(cipher[i] ^ i);}for (int i = 0; i < 17; i++){swap(flag1[2 * i], flag1[2 * i + 1]);}for (int i = 0; i < 28; i++){printf("%c", flag1[i]);}return 0;
}

hgame{}包上，提交~（讲真这个flag有点，，不好看，我一直以为自己哪里写错了还

Day 3-5 apacha

压轴，对于我这种废物小白，这道题确实有一丢丢难

其实就是个xxtea加密，但也是看了好多篇wp加之超级可爱的学长的帮助下才做完的

再把dword_5020里的数据转换成16进制数

void hex()
{uint32_t v[] = { 35, 179,  78, 231,  54,  40, 167, 183, 226, 111,202,  89, 193, 197, 124, 150, 116,  38, 128, 231,230,  84,  45,  61,  86,   3, 157, 138, 156, 195,220, 153, 237, 216,  38, 112, 173, 253,  51, 106,10,  85, 150, 244, 158, 111, 156,  92,  76, 208,229,  27,  23, 174,  35, 103, 194, 165, 112,  82,10,  19,  66, 172, 178, 103, 190, 132, 121, 199,92, 112, 152,  61,  81,  92,  45, 218,  54, 251,69, 150,  23,  34, 157,  82, 227,  92, 251, 225,137, 209, 137, 212,  91, 232,  31, 209, 200, 115,150, 193, 181,  84, 144, 180, 124, 182, 202, 228,23,  33, 148, 249, 227, 157, 170, 161,  90,  47,253,   1, 232, 167, 171, 110,  13, 195, 156, 220,173,  27,  74, 176,  83,  52, 249,   6, 164, 146, };for (int i = 1; i <= 35; i++){printf("0x");for (int j = i * 4 - 1; j > (i - 1) * 4 - 1; j--)if (v[j] < 16){printf("0%x", v[j]);}else printf("%x", v[j]);printf(", ");}}

对了，密钥的位置传入的是&v6，所以密钥就是1，2，3，4

上网搜解密脚本套用即可

#include <stdio.h>
#include <stdint.h>
#include<iostream>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
using namespace std;uint32_t v3[] = { 0xe74eb323, 0xb7a72836, 0x59ca6fe2, 0x967cc5c1, 0xe7802674,
0x3d2d54e6, 0x8a9d0356,0x99dcc39c, 0x7026d8ed, 0x6a33fdad, 0xf496550a, 0x5c9c6f9e,
0x1be5d04c, 0x6723ae17, 0x5270a5c2, 0xac42130a,
0x84be67b2, 0x705cc779, 0x5c513d98, 0xfb36da2d, 0x22179645, 0x5ce3529d, 0xd189e1fb,
0xe85bd489, 0x73c8d11f,
0x54b5c196, 0xb67cb490, 0x2117e4ca, 0x9de3f994, 0x2f5aa1aa, 0xa7e801fd, 0xc30d6eab,
0x1baddc9c, 0x3453b04a, 0x92a406f9, };void btea(uint32_t* v, int n, uint32_t const key[4])
{uint32_t y, z, sum;unsigned p, rounds, e;if (n > 1)            /* Coding Part */{rounds = 3;sum = 0;z = v[n - 1];do{sum += DELTA;e = (sum >> 2) & 3;for (p = 0; p < n - 1; p++){y = v[p + 1];z = v[p] += MX;}y = v[0];z = v[n - 1] += MX;} while (--rounds);}else if (n < -1)      /* Decoding Part */{n = -n;rounds = 6 + 52 / n;sum = rounds * DELTA;y = v[0];do{e = (sum >> 2) & 3;for (p = n - 1; p > 0; p--){z = v[p - 1];y = v[p] -= MX;}z = v[n - 1];y = v[0] -= MX;sum -= DELTA;} while (--rounds);}
}int main()
{uint32_t const k[4] = { 1,2,3,4 };int n = 35; //n的绝对值表示v的长度，取正表示加密，取负表示解密// v为要加密的数据是两个32位无符号整数// k为加密解密密钥，为4个32位无符号整数，即密钥长度为128位//printf("加密前原始数据：%u %u\n", v[0], v[1]);//btea(v, n, k);// printf("加密后的数据：%u %u\n", v[0], v[1]);btea(v3, -n, k);for (int i = 0; i < 35; i++){printf("%c", v3[i]);}return 0;
}

呜呜呜week2就不会做了，我还是太废物了。。。

WEB

只做了常规套娃的签到题

GET不行。。改成POST。。。之后就全程跟着提示安静套娃
改一下UA

加个Referer头

加个XFF:127.0.0.1

搞定。。

唉，本来还想做一道合成大西瓜的题。。。一看全是js我就怂了

CRYPTO

题目里的那串md5想不通什么意思，而且md5也不好解，先看txt

乱中有序哈哈哈哈，替换加密，已知qypyh=hgame可以直接爆破
解密网站链接

据提示要在最后加年份。。试了2003。。不行。。头秃。。
灵光一现。。试个2021。。。成功！

打开文件，摩斯电码，找个在线网站解一下

盲猜是ASCII码，VS里跑一下是一串base64（等号结尾很明显）

据提示维吉尼亚密码，密钥Liki。。。
}KccnYt!1NlPpu!zeE1{C+9pfrhLB_Fz~uGy4n

然后我就不会了，下面是神仙操作：

栅栏 6 ：}!!Ch~K1z+LucNe9BGclEp_ynP1fF4Yp{rzntu

rot13：}!!Pu~X1m+YhpAr9OTpyRc_laC1sS4Lc{emagh

reverse：hgame{cL4Ss1Cal_cRypTO9rAphY+m1X~uP!!}

（问神仙，神仙说他是猜的。。）

MISC

真.签到题，base64，base32，base16一通解就行

唉，差点没被这道题套娃套死

给了张图片，据提示应该是藏了压缩包，binwalk分离

得到加密压缩包，提示密码是八位数字，暴力破解即可

又来一层加密，很明显的明文攻击，试了好久不行，根据提示storage

在给明文压缩时选择压缩方式为存储，密码为zip传统加密即可

又来加密压缩包。。。看了一眼不是伪加密.。。。求助学长，被秒解，原来旁边这一串是html编码。。。。是我见识太少，意识太差了呜呜呜

PWN

。。。除了最最最基础的栈溢出能对着wp做其他我都不会，于是签到题就跪了
。。。pwn太难了呜呜呜。。。