【Reverse】2023浙江省大学生网络安全技能竞赛预赛WriteUp

CTF · 25 天前 · 79 人浏览

好像好久好久没更新博客了,水一篇WP好了

排名4

AK了逆向 多亏了@woodwhale教我lua,不然歇逼了

题目没啥难度,就是老喜欢自己写算法挺恶心人的。

pyccc

pycdc直接出代码,异或脚本即可

image-20231104162834364

check = [
    102,
    109,
    99,
    100,
    127,
    52,
    114,
    88,
    97,
    122,
    85,
    125,
    105,
    127,
    119,
    80,
    120,
    112,
    98,
    39,
    109,
    52,
    55,
    106]
for i in range(len(check)):
    print(chr(check[i] ^ i),end='')

luare

断点到000055C07F31848C可以搜内存搜到\x1bLua,dump出来binary形式的lua脚本

image-20231104163113895

image-20231104163120567

用unluac即可反编译出来,可以看到调用了Oo00Oo0

image-20231104163225149

Oo00Oo0是一个取表替换的算法,写脚本解密即可

image-20231104163258749

lines = '''0x60856D1028C8953C
 0x964849764CB30359
 0x2E7164C479B75FB8
 0x80637291A7AC8C38
 0x7B8BF3AE4B339EB0
 0xCFE06FEC52B45B4D
 0x5DC67EAAB20C3AD
 0x24FCFBD656409F00
 0x4AF00D463D0BCA92
 0x7DBC8A3B1A11555A
 0x3061CE7513A9E76C
 0x9C54D007276AA614
 0x34C20158D8898E5C
 0x50A02AC02F3569E8
 0xC0E681D39FF8836
 0xB66E7F18FEB1E693
 0x29F5D2E92B315378
 0x41D9DBDE84172C0F
 0x7A45A899A1F71906
 0xE5AA0AAF1BA5233E
 0x9A3A82FAF8E1A4EF
 0xC1D173C7651C8FDF
 0x8D9DDD875EA2D7C5
 0x66EE9790CD81C9F9
 0x370874C63F424FDA
 0xB93283E32677CB25
 0xBA2D4ED544F2D3BD
 0xBFE421121E049862
 0xA31694FDF486F647
 0x430251B27C701FEB
 0x5DE26B097ECC1522
 0xF157EDD4B5BE9BBB'''

from pwn import *


global_data = []
def pares(data):
    x = p64(int(data.strip(), 16)) 
    global_data.extend(list(x))

for l in lines.splitlines():
    pares(l.strip())

print(global_data)


res = [  109,
    -73,
    -72,
    46,
    -73,
    -5,
    99,
    -100,
    46,
    59,
    32,
    -76,
    109,
    3,
    59,
    20,
    -61,
    -56,
    -119,
    48,
    100,
    118,
    36,
    118,
    82,
    3,
    95,
    106,
    14,
    -80,
    5,
    -89,
    89,
    -85,
    5,
    14,
    46,
    -73,
    7,
    127]


flag = ''
from ctypes import c_uint8
last = global_data.index(res[-1])
flag += chr(last)
for i in range(39):
    x = -i - 2
    last = c_uint8(c_uint8(global_data.index(c_uint8(res[x]).value)).value ^ last).value
    flag += chr(last)

flag = flag[::-1]
print(flag)

easyapk

DES的名,AES的心,main替换了一下key的字符

image-20231104163457908

image-20231104163433541

直接cyberchef

image-20231104163509954

AndroidELF

魔改UPX,改回来就可以unpack

image-20231104163630531

中间这个就是加密

image-20231104163718582

image-20231104163817463

具体的不截图了,看脚本即可,分别对应四个函数的解密

from ctypes import c_uint8
enc = [0x3D, 0x45, 0x38, 0x7E, 0x78, 0x4B, 0x6A, 0x5C, 0x5B, 0x52, 0x4C, 0x73, 0x4E, 0x39, 0x49, 0x5F, 0x49, 0x40, 0x38, 0x5E, 0x74, 0x40, 0x66, 0x44, 0x46, 0x7A, 0x39, 0x3B, 0x67, 0x39, 0x70, 0x6C, 0x71, 0x5E, 0x6D, 0x4D, 0x5A, 0x4C, 0x7F, 0x3B, 0x4D, 0x63, 0x5E, 0x4E, 0x44, 0x5A, 0x7B, 0x51, 0x38, 0x61, 0x29, 0x63, 0x75, 0x5B, 0x67, 0x46, 0x4E, 0x5D, 0x79, 0x29, 0x4D, 0x29, 0x6D, 0x71]
table = [0x0000000D, 0x00000004, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x0000000B, 0x00000008, 0x0000000A, 0x00000006, 0x00000001, 0x00000009, 0x00000003, 0x0000000F, 0x00000007, 0x0000000E]
for j in reversed(range(4)):
    for i in reversed(range(16)):
        for i1 in range(16):
            enc[i1+16*j]=c_uint8((120*i)^enc[i1+16*j]).value
        for ii in reversed(range(16)):
            enc[ii+16*j] = c_uint8(c_uint8(c_uint8(enc[ii+16*j]).value<<5).value | c_uint8(c_uint8(enc[ii+16*j]).value>>3).value).value
            # print(enc)

        temp = 16*[0]
        for iii in range(16):
            temp[iii] = enc[table[iii]+16*j]
        for iij in range(16):
            enc[iij+16*j] = temp[iij]

        for iiii in range(16):
            v1=0
            for iiij in range(8):
                v1 |= ((enc[16*j+iiii] >> iiij) & 1) << (7 - iiij)
            enc[16*j+iiii] = v1


            # break
        # break
    # break
print(''.join([chr(x) for x in enc]))
RE
Theme Jasmine by Kent Liao