陇原战“疫“2021网络安全大赛 Re

1、 EasyRe

IDA载入附件，搜索字符串得 flag：

FLAG：flag{fc5e038d38a57032085441e7fe7010b0}

2、 findme

常规的流程，flag的加密和校验都在 off_403844：

跟进去发现指向strcmp：

然后它又被 sub_401A0E 动过，向上回溯：

所以我们的目标是 sub_401866：

大概看了一下，确定是 RC4，整体还是挺干净的就一个库函数 strlen，当时是想偷懒，用以前的Unicorn脚本改了一下直接跑出来的：

from unicorn import *
from unicorn.x86_const import *
from capstone import *
import binasciichall_base = 0x400000  # 程序加载的地址
chall_stack_base = 0x470000
with open("chall.exe", "rb") as f:f.seek(0x400)code = f.read()f.close()
with open("chall.mem", "rb") as f:chall_mem = f.read()f.close()ascii_code = [b'\x00', b'\x01', b'\x02', b'\x03', b'\x04', b'\x05', b'\x06', b'\x07', b'\x08', b'\x09', b'\x0a', b'\x0b',b'\x0c', b'\x0d', b'\x0e', b'\x0f', b'\x10', b'\x11', b'\x12', b'\x13', b'\x14', b'\x15', b'\x16', b'\x17',b'\x18', b'\x19', b'\x1a', b'\x1b', b'\x1c', b'\x1d', b'\x1e', b'\x1f', b'\x20', b'\x21', b'\x22', b'\x23',b'\x24', b'\x25', b'\x26', b'\x27', b'\x28', b'\x29', b'\x2a', b'\x2b', b'\x2c', b'\x2d', b'\x2e', b'\x2f',b'\x30', b'\x31', b'\x32', b'\x33', b'\x34', b'\x35', b'\x36', b'\x37', b'\x38', b'\x39', b'\x3a', b'\x3b',b'\x3c', b'\x3d', b'\x3e', b'\x3f', b'\x40', b'\x41', b'\x42', b'\x43', b'\x44', b'\x45', b'\x46', b'\x47',b'\x48', b'\x49', b'\x4a', b'\x4b', b'\x4c', b'\x4d', b'\x4e', b'\x4f', b'\x50', b'\x51', b'\x52', b'\x53',b'\x54', b'\x55', b'\x56', b'\x57', b'\x58', b'\x59', b'\x5a', b'\x5b', b'\x5c', b'\x5d', b'\x5e', b'\x5f',b'\x60', b'\x61', b'\x62', b'\x63', b'\x64', b'\x65', b'\x66', b'\x67', b'\x68', b'\x69', b'\x6a', b'\x6b',b'\x6c', b'\x6d', b'\x6e', b'\x6f', b'\x70', b'\x71', b'\x72', b'\x73', b'\x74', b'\x75', b'\x76', b'\x77',b'\x78', b'\x79', b'\x7a', b'\x7b', b'\x7c', b'\x7d']class Unidbg:def __init__(self, flag, except_hit):self.except_hit = except_hitself.hit = 0self.flag = flagself.fff = 0self.temp = 0mu = Uc(UC_ARCH_X86, UC_MODE_32)# 程序基址为 0x1000，分配 128 KB内存mu.mem_map(chall_base, 0x100000)mu.mem_write(0x401000, code)mu.mem_write(0x420000, b'SETCTF2021\x00')mu.mem_write(0x420022, self.flag)mu.mem_write(0x403000, chall_mem)mu.mem_write(chall_stack_base + 0, b'\x00\x00\x42\x00')mu.mem_write(chall_stack_base + 4, b'\x00\x00\x42\x00')mu.mem_write(chall_stack_base + 8, b'\x22\x00\x42\x00')# 设置寄存器的值mu.reg_write(UC_X86_REG_EAX, 0x00401866)mu.reg_write(UC_X86_REG_EBX, 0x00000001)mu.reg_write(UC_X86_REG_ECX, 0x00406040)mu.reg_write(UC_X86_REG_EDX, 0)mu.reg_write(UC_X86_REG_ESI, 0)mu.reg_write(UC_X86_REG_EDI, 0)mu.reg_write(UC_X86_REG_EBP, chall_stack_base + 0x50)mu.reg_write(UC_X86_REG_ESP, chall_stack_base)mu.reg_write(UC_X86_REG_EIP, 0x00401866)# patch strlenmu.mem_write(0x004018DB, b'\x6A\x0A\x58\x90\x90')mu.mem_write(0x0040192D, b'\x6A\x1A\x58\x90\x90')mu.mem_write(0x0040193F, b'\x6A\x1A\x58\x90\x90')mu.mem_write(0x00401950, b'\x6A\x0A\x58\x90\x90')mu.hook_add(UC_HOOK_CODE, self.trace)self.mu = muself.md = Cs(CS_ARCH_X86, CS_MODE_32)def trace(self, mu, address, size, data):if address == 0x004019E5:self.temp += 1def solve(self):try:self.mu.emu_start(0x00401866, 0x00401A0D)except:passreturn self.temp - 1flag = b''
for j in range(26):for i in b'0123456789abcdef{}-_#!?ABCDEFGHIJKLMNOPQRSTUVWXYZghijklmnopqrstuvwxyz':tem = bytearray(flag + b'x' * (26 - len(flag)))tem[j] = irecv = Unidbg(bytes(tem), 127).solve()if recv == j + 1 :flag += ascii_code[i]print(flag.decode())

后面发现，把对应位置的值dump出来与结果进行异或解密好像还更快一点。

FLAG：SETCTF{Th1s_i5_E2_5tRcm9!}

3、 power

一段 Arm 汇编，看得头挺大的，跳过代码，在里面翻找看有没有一些特征比较明显的函数或者字符串：
在某处发现了这个：

好像有点搞头，希望不是出题人自写的魔鬼算法。
再往下翻：

AES实锤，后面就是找个站解密的事了：

FLAG：flag{y0u_found_the_aes_12113112}

4、 EasyRE_Revenge

main函数长得和第一题 EasyRe 一样，很遗憾不是白给：

那个加密函数也是有问题，一堆的花指令，根本没法看，动调吧：

开始一串连跑带跳的，初始化了一个数组：

再往后到这里是第一轮加密：

没别的，就是异或。

再往后就是另一轮加密，后面说，把这两轮加密的硬编码直接dump下来，扔到IDA里面：

虽然看着还是难受，但逻辑好歹是出来了，整理了一下：

char flag[] = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
DWORD key[] = { 0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8 };
DWORD v5[10]{0};
for (i = 0; i < 8; i++) {v5[i] = *(DWORD*)(flag+i*4) ^ key[(7 * i + 2) % 8];}
for (i = 0; i < 8; i++) {v5[i] ^= v5[i] << 7;v5[i] ^= key[(7 * i + 3) % 8];v5[i] ^= v5[(5 * i + 3) % 8];v5[i] ^= v5[i] << 13;v5[i] ^= key[(7 * i + 5) % 8];v5[i] ^= v5[i] << 17;}

EXP：

DWORD key[] = { 0x271E150C, 0x3B322920, 0x5F564D44, 0x736A6158, 0x978E857C, 0xABA29990, 0xCFC6BDB4, 0xE3DAD1C8 };
BYTE v6[] = { 0x42,0xb0,0xe8,0xee,0x6c,0xee,0xd0,0x57,0x32,0x4b,0xf5,0xf3,0xd6,0xb7,0xf0,0xd3,0x89,0xc3,0x61,0x0a,0x40,0xba,0xc7,0x38,0x2c,0x9e,0x3d,0x0c,0x84,0x92,0x4a,0xd6,0x00};
int i = 0;
DWORD* v5 = (DWORD*)v6;
DWORD xx, yy = 0;
for (i = 7; i >= 0; i--) {v5[i] ^= (v5[i] & 0b111111111111111) << 17;v5[i] ^= key[(7 * i + 5) % 8];xx = v5[i] & 0b1111111111111;  // 后 13 位v5[i] ^= xx << 13;  // 修复 6 - 19 位xx = (v5[i] & 0b1111110000000000000) << 13;v5[i] ^= xx;v5[i] ^= v5[(5 * i + 3) % 8];v5[i] ^= key[(7 * i + 3) % 8];yy = v5[i] & 0b1111111;  // 获取 25 - 32 位v5[i] ^= yy << 7;  // 修复 18 - 25 位yy = v5[i] & 0b11111110000000;  // 后 7 位v5[i] ^= yy << 7;  // 修复 11 - 18 位yy = v5[i] & 0b111111100000000000000;v5[i] ^= yy << 7;  // 修复 4 - 11 位yy = ((v5[i] << 7) & 0xFFFFFFFF) & 0b11110000000000000000000000000000;v5[i] ^= yy;  // 修复 4 - 11 位}
for (i = 0; i < 8; i++) {*(DWORD*)(v6 + i * 4) ^= key[(7 * i + 2) % 8];}
printf("%s\n", (char*)v5);

FLAG : flag{bd6a64f17bb3dc065b41a0aad1e48e98}

5、O

打开 run.log ，在其中发现一些比较可疑的长整型数：

试着将其转为hex：

有Unicode字符串那味了。全部提取出来看看：

V@QFQC~=a<<5dd==5<121c63<4c260`706cafd`x

回 log 里面翻了一下，有这个 XorI，应该是异或，然后试着简单爆破一下

import binasciixxx = [19703596266291286, 17170514749620305, 14918431467634785, 17170235578908772, 14073959292862517, 14355455746965553,14074174040703036, 15481536039092278, 27303497946234928, 33777409528692838]
xx = ""
for i in xxx:temp = hex(i)[2:].replace("00", "")xx = xx + temp[6:8] + temp[4:6] + temp[2:4] + temp[0:2]
print()xx = binascii.a2b_hex(xx)for i in range(1, 256):for j in xx:print(chr(j ^ i), end="")print()

FLAG: SETCTF{8d990aa8809474f3691f735e253fdcae}

6、Eat_something