2023 西湖论剑 Preliminary Round

2022 西湖论剑 writeup

babyre

The main logic of this challenge is not in the main function but in the SEH chain; double-click to open the VirtualTable.

Below it you can see three encryption functions.

Each of the three functions in turn calls _onexit, so the encryption order is Base + md5 + RC4.

The first stage is essentially base8; note that the table is initialized in advance inside the md5 function.

I had ChatGPT write a script:

```python
def decode(input):
    # base8: every 8 table characters (3 bits each) carry 3 bytes; '=' pads a short tail
    table = "01234567"
    decoded = []
    for i in range(0, len(input), 8):
        char_1 = table.index(input[i]) << 5 | table.index(input[i + 1]) << 2 | (table.index(input[i + 2]) >> 1)
        decoded.append(char_1)
        if input[i + 3] == '=' and input[i + 4] == '=':   # only 1 byte in this group
            break
        char_2 = (table.index(input[i + 2]) & 1) << 7 | table.index(input[i + 3]) << 4 | table.index(input[i + 4]) << 1 | (table.index(input[i + 5]) >> 2)
        decoded.append(char_2)
        if input[i + 6] == '=' and input[i + 7] == '=':   # only 2 bytes in this group
            break
        char_3 = (table.index(input[i + 5]) & 3) << 6 | table.index(input[i + 6]) << 3 | table.index(input[i + 7])
        decoded.append(char_3)
    return bytes(decoded)

input_str = '162304651523346214431471150310701503207116032063140334661543446114434066142304661563446615430464'
output = decode(input_str)
print(output)
print(len(output))
#b'915572239428449843076691286116796614'
```

I thought the second encryption function was md5, but the experts in the group said it is a modified sha1; to actually work it out you would have to brute-force it.

I didn't continue from here.

However, after reading an expert's writeup, it turns out this challenge can be solved by directly brute-forcing the RC4 key (tql, orz).

```python
from Crypto.Cipher import ARC4   # pycryptodome

enc = [0x3F, 0x95, 0xBB, 0xF2, 0x57, 0xF1, 0x7A, 0x5A, 0x22, 0x61, 0x51, 0x43, 0xA2, 0xFA, 0x9B, 0x6F, 0x44, 0x63, 0xC0, 0x08, 0x12, 0x65, 0x5C, 0x8A, 0x8C, 0x4C, 0xED, 0x5E, 0xCA, 0x76, 0xB9, 0x85, 0xAF, 0x05, 0x38, 0xED, 0x42, 0x3E, 0x42, 0xDF, 0x5D, 0xBE, 0x05, 0x8B, 0x35, 0x6D, 0xF3, 0x1C, 0xCF, 0xF8, 0x6A, 0x73, 0x25, 0xE4, 0xB7, 0xB9, 0x36, 0xFB, 0x02, 0x11, 0xA0, 0xF0, 0x57, 0xAB, 0x21, 0xC6, 0xC7, 0x46, 0x99, 0xBD, 0x1E, 0x61, 0x5E, 0xEE, 0x55, 0x18, 0xEE, 0x03, 0x29, 0x84, 0x7F, 0x94, 0x5F, 0xB4, 0x6A, 0x29, 0xD8, 0x6C, 0xE4, 0xC0, 0x9D, 0x6B, 0xCC, 0xD5, 0x94, 0x5C, 0xDD, 0xCC, 0xD5, 0x3D, 0xC0, 0xEF, 0x0C, 0x29, 0xE5, 0xB0, 0x93, 0xF1, 0xB3, 0xDE, 0xB0, 0x70]
key = 0
for i in range(1000000):                        # the key is a 6-digit number
    rc4 = ARC4.new(str(i).zfill(6).encode())
    m = rc4.decrypt(bytes(enc))
    if m.isdigit():                             # the right key yields an all-digit octal string
        key = i
        print(m)

m = '1523306115230466162304651523346214431471150310701503207116032063140334661543446114434066142304661563446615430464'
# 112 octal digits = 336 bits = 42 bytes; the RC4 key is the last 6 characters of the flag
print('flag:', int(m, 8).to_bytes(42, 'big').decode() + str(key))
#b'1523306115230466162304651523346214431471150310701503207116032063140334661543446114434066142304661563446615430464'
#flag: 561516915572239428449843076691286116796614807391
```

Dual personality

Running x64 code inside an x86 program: this is the first time I've seen that trick, and only after reproducing the challenge did I understand what its name means.

The main point being tested is that IDA cannot correctly recognize the x64 segments of assembly, and when debugging with x32dbg an exception is raised after a dynamic-patching function has run.

Every time before a piece of x64 assembly is executed, a function runs first.

It allocates a new memory region and rewrites the following instruction into a jump.

When execution jumps to the x64 assembly, IDA cannot recognize it correctly.

There are two solutions:

1. Disassemble by hand, patch the program and then create the function.

2. Extract the bytes, write them to a file and open it with IDA64.

I personally recommend the second: it is far more readable, and it avoids incorrect patches.

```python
# Raw bytes of the x64 code, copied out of the x86 binary in IDA
a = [ 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x8A,
0x40, 0x02, 0x88, 0x04, 0x25, 0x5C, 0x70, 0x40, 0x00, 0x84,
0xC0, 0x75, 0x0E, 0x41, 0xBC, 0xAE, 0x66, 0xF9, 0x5D, 0x44,
0x89, 0x24, 0x25, 0x58, 0x70, 0x40, 0x00, 0x44, 0xB8, 0x00,
0x70, 0x40, 0x00, 0x48, 0xFF, 0x28, 0xCC, 0xCC, 0x55, 0x48,
0x8B, 0xEC, 0xA0, 0x5C, 0x70, 0x40, 0x00, 0x00, 0x00, 0x00,

0x00, 0x84, 0xC0, 0x74, 0x34, 0x48, 0x8B, 0x45, 0x10, 0x48,
0x8B, 0x18, 0x48, 0xC1, 0xC3, 0x20, 0x48, 0x89, 0x18, 0x48,
0x8B, 0x58, 0x08, 0x48, 0xC1, 0xC3, 0x20, 0x48, 0x89, 0x58,
0x08, 0x48, 0x8B, 0x58, 0x10, 0x48, 0xC1, 0xC3, 0x20, 0x48,
0x89, 0x58, 0x10, 0x48, 0x8B, 0x58, 0x18, 0x48, 0xC1, 0xC3,
0x20, 0x48, 0x89, 0x58, 0x18, 0xEB, 0x37, 0x48, 0x8B, 0x45,
0x10, 0x48, 0x8B, 0x18, 0x48, 0xC1, 0xC3, 0x0C, 0x48, 0x89,
0x18, 0x48, 0x8B, 0x58, 0x08, 0x48, 0xC1, 0xC3, 0x22, 0x48,
0x89, 0x58, 0x08, 0x48, 0x8B, 0x58, 0x10, 0x48, 0xC1, 0xC3,
0x38, 0x48, 0x89, 0x58, 0x10, 0x48, 0x8B, 0x58, 0x18, 0x48,
0xC1, 0xC3, 0x0E, 0x48, 0x89, 0x58, 0x18, 0xBB, 0x00, 0x00,
0x00, 0x00,

0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x48, 0x33, 0xC0, 0x48, 0xB8,
0xC5, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04,
0x25, 0x00, 0x70, 0x40, 0x00, 0x48, 0x8D, 0x04, 0x25, 0x14,
0x70, 0x40, 0x00, 0x8A, 0x18, 0x8A, 0x48, 0x04, 0x22, 0xD9,
0x88, 0x18, 0x8A, 0x58, 0x04, 0x8A, 0x48, 0x08, 0x0A, 0xD9,
0x88, 0x58, 0x04, 0x8A, 0x58, 0x08, 0x8A, 0x48, 0x0C, 0x32,
0xD9, 0x88, 0x58, 0x08, 0x8A, 0x58, 0x0C, 0xF6, 0xD3, 0x88,
0x58, 0x0C, 0x48, 0x33, 0xC0, 0xFF, 0x24, 0x25, 0x50, 0x70,
0x40, 0x00, 0xCC, 0xCC, 0xCC]

def write_binary_file(filename):
    """Dump the extracted bytes to a file that can then be loaded in IDA64."""
    with open(filename, "wb") as f:
        f.write(bytearray(a))

write_binary_file("CODE")
```

As you can see, the first x64 block simply assigns 0x5DF966AE to dword_407058 and then executes loc_4013F4.

Here you can press P to create a function and F5 to view the pseudocode, or just read the assembly directly.

Its main function is:

```c
dword_407058 -= 0x21524111;
for (int i = 0; i < 8; i++) {
    ((DWORD*)Flag)[i] += dword_407058;
    dword_407058 ^= ((DWORD*)Flag)[i];
}
```

After loc_4013F4 finishes, execution jumps to loc_40144C.

The steps are exactly the same as before the first encryption: SMC first, then the second x64 block is executed. Here it does call fword ptr key directly, which is in fact call 401200h.

The function at 401200h does the following. At this point the value at 0x40705C is still 0, so the else branch runs, which applies ROL to the Flag produced by the first encryption step:

```c
/* Flag is treated as a uint64_t* here: four 64-bit rotates */
*Flag = __ROL__(*Flag, 0xC);
*(Flag + 1) = __ROL__(*(Flag + 1), 0x22);
*(Flag + 2) = __ROL__(*(Flag + 2), 0x38);
*(Flag + 3) = __ROL__(*(Flag + 3), 0xE);
```

The third x64 block is executed the same way: SMC first, then jump to it and execute.

It turns out to be some bit operations that modify the values below:

```
data:00407014 byte_407014 db 9Dh, 3 dup(0), 44h, 3 dup(0), 37h, 3 dup(0), 0B5h, 3 dup(0)
```

After the last x64 block has executed, there is another chunk of data that IDA cannot recognize.

As above, you can either write it to a file and open it in IDA64, or create the function yourself.

After reading it, its main function is:

```c
unsigned char key[4] = {0x04, 0x77, 0x82, 0x4A}; // result of the bit operations
for (int i = 0; i < 32; i++) {
    Flag[i] ^= key[i % 4];
}
```

After the XOR encryption the program enters the comparison stage, so the decryption script can be written directly:

```cpp
#include <cstdio>
#include <cstdint>
#include <Windows.h>
#include <iostream>

/* rotate left (what the binary does; not needed by the solver) */
template <class T>
T __ROL__(T val, int size) {
    T res = val << size;
    res |= val >> (sizeof(val) * 8 - size);
    return res;
}

/* rotate right (inverse of __ROL__) */
template <class T>
T __ROR__(T val, int size) {
    T res = val >> size;
    res |= val << (sizeof(val) * 8 - size);
    return res;
}

int main() {
    // bytes the program compares against; the 33rd byte stays 0 as a string terminator
    unsigned char data[33] = {
        0xAA, 0x4F, 0x0F, 0xE2, 0xE4, 0x41, 0x99, 0x54,
        0x2C, 0x2B, 0x84, 0x7E, 0xBC, 0x8F, 0x8B, 0x78,
        0xD3, 0x73, 0x88, 0x5E, 0xAE, 0x47, 0x85, 0x70,
        0x31, 0xB3, 0x09, 0xCE, 0x13, 0xF5, 0x0D, 0xCA
    };
    unsigned char key[4] = {
        0x04, 0x77, 0x82, 0x4A
    };
    // undo stage 3: XOR with the derived key
    for (int i = 0; i < 32; i++) {
        data[i] ^= key[i % 4];
    }
    // undo stage 2: the four 64-bit ROLs become RORs
    *((uint64_t*)data) = __ROR__(*((uint64_t*)data), 0xC);
    *((uint64_t*)data + 1) = __ROR__(*((uint64_t*)data + 1), 0x22);
    *((uint64_t*)data + 2) = __ROR__(*((uint64_t*)data + 2), 0x38);
    *((uint64_t*)data + 3) = __ROR__(*((uint64_t*)data + 3), 0xE);
    // undo stage 1: 0x5DF966AE - 0x21524111 == 0x3CA7259D
    DWORD magic = 0x3CA7259D;
    for (int i = 0; i < 8; i++) {
        uint32_t tmp = *((uint32_t*)data + i);
        *((uint32_t*)data + i) = tmp - magic;
        magic ^= tmp;   // the chain was keyed on the encrypted dword
    }
    printf("DASCTF{%s}\n", data);
    return 0;
    //DASCTF{6cc1e44811647d38a15017e389b3f704}
}
```
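To cross-check the C++ solver without Windows.h, here is an added Python model (not from the original writeup) of the three x64 stages, loc_4013F4's add/xor chain, the ROL routine at 401200h and the final XOR, together with their inverse and the key derivation from byte_407014. The constants come from the writeup; the sample plaintext is constructed.

```python
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROTS = (0xC, 0x22, 0x38, 0xE)               # rotation counts in the 401200h else branch
SEED = (0x5DF966AE - 0x21524111) & MASK32   # dword_407058 after the first block's subtract

def rol64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64

def ror64(v, n):
    return rol64(v, (64 - n) % 64)

def derive_key(b):
    """AND/OR/XOR/NOT that the third x64 block applies to the low bytes of the dwords at byte_407014."""
    return bytes([b[0] & b[1], b[1] | b[2], b[2] ^ b[3], (~b[3]) & 0xFF])

def encrypt(flag, key):
    """Forward chain: add/xor over 8 dwords, ROL over 4 qwords, then byte-wise XOR."""
    words = list(struct.unpack("<8I", flag))
    state = SEED
    for i in range(8):                        # loc_4013F4
        words[i] = (words[i] + state) & MASK32
        state ^= words[i]
    qwords = struct.unpack("<4Q", struct.pack("<8I", *words))
    buf = struct.pack("<4Q", *(rol64(q, r) for q, r in zip(qwords, ROTS)))
    return bytes(c ^ key[i % 4] for i, c in enumerate(buf))

def decrypt(data, key):
    """Inverse: undo the XOR, rotate right, then unwind the add/xor chain."""
    buf = bytes(c ^ key[i % 4] for i, c in enumerate(data))
    qwords = (ror64(q, r) for q, r in zip(struct.unpack("<4Q", buf), ROTS))
    words = list(struct.unpack("<8I", struct.pack("<4Q", *qwords)))
    state = SEED
    for i in range(8):
        tmp = words[i]
        words[i] = (tmp - state) & MASK32
        state ^= tmp                          # chain was keyed on the encrypted dword
    return struct.pack("<8I", *words)

# Key bytes as derived from byte_407014 (9Dh, 44h, 37h, 0B5h) in the writeup.
KEY = derive_key(bytes([0x9D, 0x44, 0x37, 0xB5]))

if __name__ == "__main__":
    sample = bytes(range(32))                 # constructed 32-byte plaintext
    assert decrypt(encrypt(sample, KEY), KEY) == sample
    print(KEY.hex(), "round trip ok")
```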

Berkeley

First time I've seen an eBPF program. Pressing F5 directly in IDA, you can find check_flag.

But what is compared at the end is fake_cipher; I guess this is a deliberate trap, the challenge can't be that simple.

I gave up on it during the competition. Afterwards I saw group members say the source code is in the strings.

There really is source code.

The encryption process is as follows; I just haven't found where the arr array is yet.

```c
#include <windows.h>
#include <stdio.h>
unsigned char key[] =
{
    0xC1, 0xD1, 0x02, 0x61, 0xD6, 0xF7, 0x13, 0xA2, 0x9B, 0x20,
    0xD0, 0x4A, 0x8F, 0x7F, 0xEE, 0xB9, 0x00, 0x63, 0x34, 0xB0,
    0x33, 0xB7, 0x8A, 0x8B, 0x94, 0x60, 0x2E, 0x8E, 0x21, 0xFF,
    0x90, 0x82, 0xD5, 0x87, 0x96, 0x78, 0x22, 0xB6, 0x48, 0x6C,
    0x45, 0xC7, 0x5A, 0x16, 0x80, 0xFD, 0xE4, 0x8C, 0xBF, 0x01,
    0x1F, 0x4B, 0x79, 0x24, 0xA0, 0xB4, 0x23, 0x4D, 0x3B, 0xC5,
    0x5D, 0x6F, 0x0D, 0xC9, 0xD4, 0xCA, 0x55, 0xE0, 0x39, 0xAD,
    0x2B, 0xCD, 0x2C, 0xEC, 0xC2, 0x6B, 0x30, 0xE6, 0x0C, 0xA8,
    0x9A, 0x2F, 0xF6, 0xE8, 0xBB, 0x32, 0x57, 0xFB, 0x0B, 0x9D,
    0xF2, 0x3F, 0xB5, 0xF9, 0x59, 0xE5, 0x10, 0xCF, 0x51, 0x41,
    0xE9, 0x50, 0xDF, 0x26, 0x74, 0x58, 0xCB, 0x64, 0x54, 0x73,
    0xAB, 0xF4, 0xB2, 0x9F, 0x18, 0xF8, 0x4E, 0xFE, 0x08, 0x1D,
    0x4F, 0x49, 0xD3, 0xAC, 0x38, 0x12, 0x77, 0x11, 0x69, 0x07,
    0x1C, 0x99, 0xB3, 0xE7, 0x3D, 0x05, 0xD8, 0xFC, 0x70, 0x46,
    0x93, 0x09, 0x65, 0x89, 0xB1, 0xC6, 0x52, 0xFA, 0xD2, 0x0E,
    0xA9, 0x17, 0xE3, 0x91, 0xA1, 0x68, 0x5B, 0x2A, 0xF0, 0xC3,
    0x42, 0xCC, 0x29, 0xDE, 0xDC, 0x85, 0x98, 0x31, 0x5C, 0xBC,
    0x2D, 0xEF, 0x5E, 0x7E, 0xAF, 0x67, 0x62, 0xA7, 0x56, 0x88,
    0xA4, 0x43, 0x40, 0xE1, 0x37, 0x9E, 0x36, 0x76, 0x71, 0x84,
    0xBD, 0x06, 0x8D, 0x47, 0x7D, 0x53, 0xD7, 0xC8, 0xCE, 0x15,
    0x92, 0x95, 0x4C, 0x28, 0x6D, 0x75, 0xEB, 0x7C, 0xF3, 0xBE,
    0xAA, 0xB8, 0xED, 0x03, 0x3C, 0x27, 0x3E, 0x19, 0xDD, 0xA6,
    0x66, 0x25, 0x1E, 0xC4, 0x6E, 0xC0, 0xE2, 0xDB, 0x3A, 0xD9,
    0x81, 0xA5, 0x1B, 0xF5, 0x04, 0xAE, 0xBA, 0xEA, 0x97, 0x83,
    0x35, 0x44, 0xA3, 0x7A, 0x1A, 0xF1, 0x86, 0xDA, 0x7B, 0x14,
    0x72, 0x9C, 0x6A, 0x0F, 0x5F, 0x0A
};

unsigned char cipher[] =
{
    0xF3, 0x27, 0x47, 0x1B, 0x8F, 0x09, 0xFB, 0x17, 0x70, 0x48,
    0xB0, 0x53, 0x32, 0xDB, 0xC0, 0xB8, 0x63, 0x2D, 0x40, 0x4B,
    0xF5, 0x16, 0xF0, 0x35, 0xE7, 0xDF, 0xEA, 0xA2, 0x9C, 0x41,
    0xB3, 0x25, 0xD7, 0x0C, 0x33, 0x9C, 0x7B, 0x5A, 0xCD, 0x13,
    0xBB, 0xEE, 0x3E, 0x0E, 0xF2, 0xCF, 0x35, 0xDA, 0xAF, 0xA2,
    0x66, 0x7D, 0x38, 0x37, 0x67, 0x1E, 0x1F, 0x6B, 0x7B, 0x30,
    0x0B, 0x7A, 0x02, 0xA9, 0xC8, 0x61, 0x27, 0x41, 0xDB, 0x01,
    0x22, 0x31, 0x6F, 0xB6, 0xD4, 0x1B, 0x04, 0xD3, 0x94, 0xB8,
    0x46, 0xC7, 0x24, 0xCF, 0xBD, 0xAF, 0x0B, 0xDC, 0x2E, 0xBB,
    0xB2, 0x71, 0xF4, 0x99, 0x57, 0x36, 0xD1, 0x95, 0x52, 0x92,
    0xBA, 0x6D, 0xF3, 0x30, 0x50, 0x59, 0x9B, 0xEA, 0x2F, 0x83,
    0xDC, 0xF0, 0xDE, 0x57, 0xA1, 0xAC, 0xD2, 0x51, 0xA2, 0x1D,
    0x59, 0xA8, 0x00, 0xB6, 0xE2, 0x65, 0x41, 0x0C, 0x4F, 0xEB,
    0xF0, 0x2E, 0x58, 0x2A, 0x1F, 0xF4, 0x95, 0x72, 0x88, 0x7C,
    0xA9, 0x0E, 0xCB, 0x3C, 0x42, 0xB9, 0xF3, 0x49, 0x9B, 0x52,
    0x98, 0x12, 0xA3, 0x17, 0x51, 0xC0, 0x59, 0x40, 0x0A, 0xBC,
    0xE8, 0x4C, 0x04, 0xFB, 0x13, 0x0A, 0x17, 0x3F, 0xE6, 0x36,
    0x97, 0xDF, 0xB3, 0xE2, 0x42, 0x7F, 0xF8, 0xCC, 0x0E, 0xD1,
    0x77, 0xC4, 0xA8, 0x46, 0x48, 0xE3, 0xF1, 0x0A, 0xEF, 0x94,
    0x56, 0x54, 0x5B, 0xCA, 0xBD, 0xDD, 0x7F, 0x56, 0x47, 0xC2,
    0x99, 0xFA, 0x89, 0xCC, 0xE1, 0xB9, 0x3A, 0x78, 0xE2, 0x37,
    0x58, 0x01, 0x1B, 0xC3, 0x4B, 0xE6, 0x8C, 0xF3, 0xE5, 0xB6,
    0x71, 0x9E, 0x63, 0xAF, 0x11, 0xCE, 0x87, 0xF6, 0x6E, 0xDE,
    0xC8, 0xB1, 0xD0, 0x7A, 0x15, 0x6C, 0x10, 0x08, 0x99, 0x7B,
    0x22, 0x55, 0x10, 0x7A, 0x82, 0x73, 0xFC, 0x62, 0xCB, 0x34,
    0xA7, 0xB7, 0x62, 0xFA, 0x6B, 0x9F
};

extern unsigned char arr[];   /* location in the binary not yet found (see above) */

int main(int argc, char* argv[]) {
    char flag[32];            /* the input being checked */
    char output[256];
    for (int i = 0; i < 256; i++) {
        unsigned char uc1 = flag[i / 8];
        unsigned char uc2 = ~(flag[i / 8] + arr[i / 8]);
        output[i] = key[uc1 ^ uc2];
        if (output[i] != cipher[i])   /* compared byte by byte against cipher */
            return 1;
    }
    return 0;
}
```

School starts soon and I have exams to prepare for, so I'll leave this hole for now and fill it in later.


http://example.com/2023/01/25/2023西湖论剑初赛/
Author: Eutop1a
Posted on January 25, 2023