1、申请ID:Ssss
2、个人邮箱:1354828643@qq.com
3、原创技术文章:
https://bbs.pediy.com/thread-261786.htm
2020 GACTF 逆向部分 wp,题目地址:https://adworld.xctf.org.cn/competition

Checkin

逆向签到题,一直 F8 步过,跑飞就 F7 步入,最后发现程序调用 CreateProcess() 创建了一个新进程,新进程运行 Ruby 解释器加载 Ruby 源文件。Ruby 源文件如下:
require 'openssl'
require 'base64'

# Encrypt +encrypted_string+ with AES-128-ECB under +key+ and return the
# result base64-encoded (Base64.encode64, so the output carries a trailing
# newline - the expected value below ends in "\n" too).
#
# Security note: ECB with a fixed key has no IV and no randomness, so the
# check is fully deterministic; the expected ciphertext can simply be
# decrypted offline with the same key to recover the accepted flag.
def aes_encrypt(key, encrypted_string)
  ctx = OpenSSL::Cipher.new("AES-128-ECB")
  ctx.encrypt
  ctx.key = key
  blocks = ctx.update(encrypted_string) + ctx.final   # final applies the default (PKCS#7) padding
  Base64.encode64(blocks)
end

print "Enter flag: "
flag = gets.chomp

key = "Welcome_To_GACTF"    # 16 bytes -> AES-128
cipher = "4KeC/Oj1McI4TDIM2c9Y6ahahc6uhpPbpSgPWktXFLM=\n"

text = aes_encrypt(key, flag)
puts(text == cipher ? "good!" : "no!")
end

解密脚本如下:
from Crypto.Cipher import AES
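import base64

key = b"Welcome_To_GACTF"  # 16 bytes -> AES-128; the same static key the Ruby checker uses
aes = AES.new(key, AES.MODE_ECB)  # ECB, no IV: decryption is a plain block-wise inverse
cipher = "4KeC/Oj1McI4TDIM2c9Y6ahahc6uhpPbpSgPWktXFLM=\n"
cipher = base64.b64decode(cipher)
print(cipher)
s = aes.decrypt(cipher)  # input length must be a multiple of 16 bytes
print(s)  # raw plaintext, padding bytes included
# The Ruby checker's `aes.final` appends PKCS#7 padding (OpenSSL's default), so the
# last s[-1] bytes are padding, not flag characters. Strip them only when the
# trailer really is a valid pad, so a wrong key still shows its raw output.
pad = s[-1]
if 1 <= pad <= 16 and s.endswith(bytes([pad]) * pad):
    s = s[:-pad]
else:
    print("warning: trailer is not valid PKCS#7 padding; keeping raw output")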
print(s)

EasyRe

虚拟机题。程序首先进行 SMC 还原关键函数 loc_8048838 的代码,这里我动态调试的时候没办法反编译(有一处奇怪的交叉引用不会处理),于是我把这个函数 dump 出来,另开一个 IDA 反编译分析。程序大概分为三个部分:
第一部分要输入一个数,经过一系列运算后须等于 0x26F8D100,不等于则程序退出;
第二部分用这个输入的数生成四个数,用于后面的异或操作;
第三部分输入 flag,每个字符会根据 opcode 选择四个数中的一个进行异或,然后与密文数据比较,不相等同样退出。
这里要输入的第一个数我没有求出来,z3 解不出来,我当时认为运算中有逻辑左移/右移应该不可逆。(注:从 opcode 看,第一部分只由 x ^= x>>k 和 x ^= (x<<k)&mask 两类变换组成,每一步在 32 位上都是双射,整体其实可以逐步反推。)我这里的四个数是用 flag 格式 GACTF{} 求出来的。模拟执行的脚本:
# from z3 import *
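# Opcode stream dumped from the SMC-restored VM handler (loc_8048838).
# Read with the handlers in run_vm() it splits into three parts:
#   part 1  mixes the first input with shift/xor/mask steps and hits 0xA0,
#           where the binary compares the result with 0x26F8D100;
#   part 2  derives data[0..3] from the first input (each block ends in
#           "A4 n 00 00", which stores the accumulator into data[n]);
#   part 3  0xA1 reads the flag, then one 9-byte record per flag byte:
#           C1 idx | Bk | 77 | C2 imm32  ->  flag[idx] ^ data[k-1] vs imm32.
# 0x99 terminates the stream.
opcode = [
    # part 1: mix the seed, then 0xA0
    0x09, 0x10, 0x80, 0x02, 0x0D, 0x00, 0x00, 0x00, 0x22, 0x77, 0x10,
    0x80, 0x02, 0x09, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x96, 0xF3, 0x78, 0x31, 0x77, 0x10,
    0x80, 0x02, 0x11, 0x00, 0x00, 0x00, 0x23, 0x80, 0x02, 0x00, 0x00, 0xD4, 0x85, 0x31, 0x77, 0x10,
    0x80, 0x02, 0x13, 0x00, 0x00, 0x00, 0x22, 0x77, 0xA0,
    # part 2: data[0..3] from the seed
    0x09, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31, 0x80, 0x03, 0x02, 0x00, 0x00, 0x00, 0x43,
    0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x00, 0x00, 0x00,
    0x09, 0x80, 0x02, 0x08, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31,
    0x80, 0x05, 0x07, 0x00, 0x00, 0x00, 0x44, 0x80, 0x02, 0x21, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x01, 0x00, 0x00,
    0x09, 0x80, 0x02, 0x10, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31,
    0x80, 0x09, 0xBB, 0x00, 0x00, 0x00, 0x77, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x02, 0x00, 0x00,
    0x09, 0x80, 0x02, 0x18, 0x00, 0x00, 0x00, 0x22, 0x80, 0x02, 0xFF, 0x00, 0x00, 0x00, 0x31,
    0x80, 0x04, 0xA0, 0x00, 0x00, 0x00, 0x42, 0x80, 0x02, 0x77, 0x00, 0x00, 0x00, 0x41, 0xA4, 0x03, 0x00, 0x00,
    # part 3: read the flag, then 32 compare records
    0xA1,
    0xC1, 0x00, 0xB1, 0x77, 0xC2, 0x0B, 0x01, 0x00, 0x00,
    0xC1, 0x01, 0xB2, 0x77, 0xC2, 0x7A, 0x00, 0x00, 0x00,
    0xC1, 0x02, 0xB4, 0x77, 0xC2, 0x95, 0x00, 0x00, 0x00,
    0xC1, 0x03, 0xB3, 0x77, 0xC2, 0x06, 0x01, 0x00, 0x00,
    0xC1, 0x04, 0xB2, 0x77, 0xC2, 0x7D, 0x00, 0x00, 0x00,
    0xC1, 0x05, 0xB4, 0x77, 0xC2, 0xAD, 0x00, 0x00, 0x00,
    0xC1, 0x06, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00,
    0xC1, 0x07, 0xB3, 0x77, 0xC2, 0x65, 0x01, 0x00, 0x00,
    0xC1, 0x08, 0xB1, 0x77, 0xC2, 0x2D, 0x01, 0x00, 0x00,
    0xC1, 0x09, 0xB1, 0x77, 0xC2, 0x2F, 0x01, 0x00, 0x00,
    0xC1, 0x0A, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00,
    0xC1, 0x0B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00,
    0xC1, 0x0C, 0xB4, 0x77, 0xC2, 0xBB, 0x00, 0x00, 0x00,
    0xC1, 0x0D, 0xB2, 0x77, 0xC2, 0x08, 0x00, 0x00, 0x00,
    0xC1, 0x0E, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00,
    0xC1, 0x0F, 0xB1, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00,
    0xC1, 0x10, 0xB3, 0x77, 0xC2, 0x3A, 0x01, 0x00, 0x00,
    0xC1, 0x11, 0xB3, 0x77, 0xC2, 0x61, 0x01, 0x00, 0x00,
    0xC1, 0x12, 0xB2, 0x77, 0xC2, 0x57, 0x00, 0x00, 0x00,
    0xC1, 0x13, 0xB1, 0x77, 0xC2, 0x20, 0x01, 0x00, 0x00,
    0xC1, 0x14, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00,
    0xC1, 0x15, 0xB1, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00,
    0xC1, 0x16, 0xB3, 0x77, 0xC2, 0x3F, 0x01, 0x00, 0x00,
    0xC1, 0x17, 0xB4, 0x77, 0xC2, 0xB5, 0x00, 0x00, 0x00,
    0xC1, 0x18, 0xB1, 0x77, 0xC2, 0x13, 0x01, 0x00, 0x00,
    0xC1, 0x19, 0xB4, 0x77, 0xC2, 0xA0, 0x00, 0x00, 0x00,
    0xC1, 0x1A, 0xB1, 0x77, 0xC2, 0x21, 0x01, 0x00, 0x00,
    0xC1, 0x1B, 0xB3, 0x77, 0xC2, 0x0D, 0x01, 0x00, 0x00,
    0xC1, 0x1C, 0xB2, 0x77, 0xC2, 0x0B, 0x00, 0x00, 0x00,
    0xC1, 0x1D, 0xB3, 0x77, 0xC2, 0x39, 0x01, 0x00, 0x00,
    0xC1, 0x1E, 0xB1, 0x77, 0xC2, 0x73, 0x01, 0x00, 0x00,
    0xC1, 0x1F, 0xB2, 0x77, 0xC2, 0x46, 0x00, 0x00, 0x00,
    0x99,
]


def _le32(code, pos):
    """Little-endian 32-bit immediate stored at code[pos:pos+4]."""
    return code[pos] | (code[pos + 1] << 8) | (code[pos + 2] << 16) | (code[pos + 3] << 24)


def _trunc_div(a, b):
    """Divide truncating toward zero, exactly.

    The original did int(a / b), which goes through a float and is only exact
    below 2**53; this gives the same sign convention without that limit.
    """
    q = abs(a) // abs(b)
    return -q if (a < 0) != (b < 0) else q


def run_vm(code, seed, read_input=input, log=print):
    """Emulate the opcode stream `code` and return what the checks observed.

    Register model, as implied by the handlers: a1[1] is the accumulator;
    a1[2..5] are immediates written by 0x80 and consumed by specific ops
    (0x22/0x23/0x30/0x31/0x41 use a1[2], 0x43 a1[3], 0x42 a1[4], 0x44 a1[5]);
    a1[9] is the XOR operand of 0x77 (set by 0x10 or by 0xB1..0xB4 from data[]).

    Args:
        code: list of opcode bytes (e.g. `opcode`).
        seed: the first number the binary asks for; loaded by opcode 0x09.
        read_input: called once at opcode 0xA1; must return the flag string.
        log: sink for the per-step trace and the 0xA0/0xA4/0xC2 dumps the
            original script printed; pass a no-op callable to run silently.

    Returns:
        dict with 'regs' (final a1[0..9]), 'data' (the four derived XOR keys),
        'a0' (accumulator values seen at each 0xA0 - the binary wants
        0x26F8D100 there) and 'checks' (list of (observed, expected) pairs,
        one per 0xC2 record, in stream order).

    Raises:
        ValueError: a 0xC1 record indexes past the end of the flag supplied.

    Only 0x23 (shift left) and 0x80 (load immediate) mask to 32 bits, exactly
    as in the original script; the remaining arithmetic is unbounded Python
    int, so an overflowing add/mul or a negative 0x42 result can differ from
    the real 32-bit VM. Kept that way on purpose so the trace matches the
    author's output.
    """
    a1 = [0] * 10
    data = [0, 0, 0, 0]
    inputflag = []
    a0_values = []
    checks = []
    i = 0
    while i < len(code):  # 0x99 ends the run early as well
        op = code[i]
        log(i, hex(op), [hex(r) for r in a1], [hex(d) for d in data])
        if op == 0x09:
            a1[1] = seed
        elif op == 0x10:
            a1[9] = a1[1]
        elif op == 0x22:
            a1[1] >>= a1[2]
        elif op == 0x23:
            a1[1] = (a1[1] << a1[2]) & 0xFFFFFFFF
        elif op == 0x30:
            a1[1] |= a1[2]
        elif op == 0x31:
            a1[1] &= a1[2]
        elif op == 0x41:
            a1[1] += a1[2]
        elif op == 0x42:
            a1[1] -= a1[4]
        elif op == 0x43:
            a1[1] *= a1[3]
        elif op == 0x44:
            a1[1] = _trunc_div(a1[1], a1[5])
        elif op == 0x77:
            a1[1] ^= a1[9]
        elif op == 0x80:  # 80 reg imm32
            a1[code[i + 1]] = _le32(code, i + 2) & 0xFFFFFFFF
            i += 6
            continue
        elif op == 0x99:
            break
        elif op == 0xA0:
            log(i)
            log(hex(a1[1]))
            a0_values.append(a1[1])
        elif op == 0xA1:
            inputflag = [ord(c) for c in read_input()]
            log(len(inputflag))
            log(inputflag)
        elif op == 0xA4:  # A4 n 00 00
            log(hex(a1[1]), hex(code[i + 1]))
            data[code[i + 1]] = a1[1]
            i += 4
            continue
        elif 0xB1 <= op <= 0xB4:
            a1[9] = data[op - 0xB1]
        elif op == 0xC1:  # C1 idx
            idx = code[i + 1]
            if idx >= len(inputflag):
                raise ValueError("flag too short: record wants byte %d, got %d bytes"
                                 % (idx, len(inputflag)))
            a1[1] = inputflag[idx]
            i += 2
            continue
        elif op == 0xC2:  # C2 imm32
            expected = _le32(code, i + 1)
            log(len(checks))
            log(hex(a1[1]), hex(expected))
            checks.append((a1[1], expected))
            i += 5
            continue
        # 0x11, 0x54, 0x71, 0x76 and any unknown byte: one-byte no-op, as before
        i += 1
    return {"regs": a1, "data": data, "a0": a0_values, "checks": checks}


flag = 123456789       # first input to try; the author did not recover the real value
result1 = 0x26F8D100   # value the binary demands at the 0xA0 check

if __name__ == "__main__":
    print(len(opcode))
    state = run_vm(opcode, flag)
    for seen in state["a0"]:
        print("0xA0:", hex(seen), "== expected" if seen == result1 else "!= " + hex(result1))
    for observed, expected in state["checks"]:
        print(hex(observed), hex(expected), "ok" if observed == expected else "mismatch")

# z3 attempt (left disabled by the author):
# answer=s.check()
# print(answer)
# if answer==sat: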
# print("okkk")

可以从输出中拿到密文数据,最后求解 flag 的脚本:
data=[0x14c,0x3b,0x152,0xd6]
# One (value, key_index) pair per flag byte, read off the VM's "C2 imm32" and
# "Bk" opcodes: the binary XORs flag[i] with data[key_index - 1] (B1..B4 select
# data[0..3]) and compares the result with `value`. Flattened into `xor` so the
# decode loop can keep indexing it as xor[2*i], xor[2*i+1].
pairs = [
    (0x10b, 1), (0x7a, 2), (0x95, 4), (0x106, 3), (0x7d, 2), (0xad, 4), (0x12f, 1), (0x165, 3),
    (0x12d, 1), (0x12f, 1), (0x139, 3), (0x10d, 3), (0xbb, 4), (0x8, 2), (0x10d, 3), (0x13f, 1),
    (0x13a, 3), (0x161, 3), (0x57, 2), (0x120, 1), (0x10d, 3), (0x13f, 1), (0x13f, 3), (0xb5, 4),
    (0x113, 1), (0xa0, 4), (0x121, 1), (0x10d, 3), (0xb, 2), (0x139, 3), (0x173, 1), (0x46, 2),
]
xor = [v for pair in pairs for v in pair]

# How data[] was pinned down from the known prefix "GACT" (value ^ plaintext = key):
# print(hex(0x10b^ord('G')))
# print(hex(0x7a^ord('A')))
# print(hex(0x95^ord('C')))
# print(hex(0x106^ord('T')))
print(len(xor))
for i in range(32):
    print(chr(xor[i*2]^data[xor[i*2+1]-1]),end="")

WannaFlag

要求 key。用 xdbg 定位关键函数 GetWindowText,或者可以看到一串奇怪的字符串 "ANNAWGALFYBKVIAHMXTFCAACLAAAAYK"(这个字符串后面会被用来异或),查找引用即可跟踪到关键代码。验证逻辑也很清晰:首先会根据输入的字符串 input 中的一个字符生成一个异或值,取值范围是 1、2、6、24、120、720…(即 1!、2!、3!…),然后经过三步加密与密文做比较:第一步是与这个生成值进行异或,第二步是异或字符串 "ANNAWGALFYBKVIAHMXTFCAACLAAAAYK",第三步是循环左移。首先逆后两步,脚本如下:
from binascii import *
# The 31-character string found next to the check routine; it is the XOR
# key of the second encryption step.
xor = "ANNAWGALFYBKVIAHMXTFCAACLAAAAYK"
print(len(xor))

# Expected ciphertext as dumped from the binary, one hex byte per token.
data = (
    "4E AE 61 BA E4 2B 55 AA 59 FC 4D 02 17 6B 13 A1 "
    "41 FE 35 0B B4 0B 52 2F 46 CC 35 82 E5 88 50"
).split(" ")
print(len(data))
​
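def circular_shift_right(int_value, k):
    """Rotate the 8-bit value `int_value` right by `k` bits and return the byte.

    Arithmetic form of the original string-slicing rotate: the value is masked
    to one byte and `k` is reduced mod 8, so rotating by 8 (or any multiple) is
    the identity and k >= 8 behaves like a real rotation. The string version
    silently stopped rotating once k reached 8 and produced more than 8 bits
    for values above 255.

    Args:
        int_value: value whose low 8 bits are rotated.
        k: rotation amount in bits (any non-negative int).

    Returns:
        int in 0..255.
    """
    k %= 8
    byte = int_value & 0xFF
    return ((byte >> k) | (byte << (8 - k))) & 0xFF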
​
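# Hex tokens -> byte values (same result as ord(a2b_hex(tok)) for one-byte
# tokens, without relying on the wildcard binascii import).
data = [int(tok, 16) for tok in data]
# print(data)
# Undo the last two encryption steps in reverse order: the binary XORs each
# byte with xor[i] and then rotates it left by i % 8, so rotate right first,
# then XOR the string again. What is left is key[i] ^ (the generated value).
for i in range(len(data)):
    data[i] = circular_shift_right(data[i], i % 8) ^ ord(xor[i])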
print(data)

生成的 data 就是 key 与某个值异或后的数据,这个值取值范围是 1、2、6、24、120、720…,尝试几个数后便得到正确的 key(或者直接爆破 256 个单字节值也行):
data=[15, 25, 22, 22, 25, 30, 20, 25, 31, 39, 17, 11, 39, 18, 13, 11, 12, 39, 25, 39, 8, 25, 8, 29, 10, 39, 12, 17, 31, 29, 10]
# for j in range(256):
for i in range(31):
    print(chr(data[i]^120),end="")

输入正确的 key 后会在当前目录生成 flag.txt,里面就是最后的 flag。

Simulator

同样是虚拟机题,LC-3 汇编,复习了下计算机系统概论,下好模拟器后直接跑,代码很短,直接分析就好。整理程序执行流程如下:
data=[19, 1, 0, 20, 0, 0, 19, 2, 1, 20, 1, 1, 19, 3, 2, 20, 2, 2, 19, 4, 3, 20, 3, 3, 19, 5, 4, 20, 4, 4, 19, 6, 5, 20, 5, 5, 19, 7, 6, 20, 6, 6, 19, 8, 7, 20, 7, 7, 19, 9, 8, 20, 8, 8, 19, 10, 9, 20, 9, 9, 19, 11, 10, 20, 10, 10, 19, 12, 11, 20, 11, 11, 19, 13, 12, 20, 12, 12, 19, 14, 13, 20, 13, 13, 19, 15, 14, 20, 14, 14, 19, 16, 15, 20, 15, 15, 19, 17, 16, 20, 16, 16, 19, 18, 17, 20, 17, 17, 19, 19, 18, 20, 18, 18, 19, 20, 19, 20, 19, 19, 19, 21, 20, 20, 20, 20, 19, 22, 21, 20, 21, 21, 19, 23, 22, 20, 22, 22, 19, 24, 23, 20, 23, 23, 20, 24, 24]
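# Values the LC-3 program compares against. Op 20 reads res[len(res) - 1 - pos],
# i.e. the table is indexed from the end relative to the input position.
res = [108, 15, 80, 108, 110, 66, 44, 44, 30, 12, 13, 0, 51, 61, 23, 1, 43, 60, 12, 2, 29, 28, 9, 17, 17]


def lc3_xor(a, b):
    """XOR as the LC-3 program builds it from AND/NOT: (~a & b) + (~b & a).

    The two terms select disjoint bit sets, so their sum equals a ^ b.
    """
    return ((~a) & b) + ((~b) & a)


def run_simulator(program, expected, input_bytes, log=print):
    """Replay the program's 3-word records over a copy of `input_bytes`.

    Args:
        program: flat list of (op, src, dst) triples.
            op 19: input[dst] = input[src] XOR input[dst]
            op 20: compare input[src] with expected[len(expected) - 1 - dst]
            any other op word is ignored (as in the original script).
        expected: the `res` table.
        input_bytes: candidate plaintext as ints; not modified.
        log: receives the same trace the original printed ("okkk"/"error" and
            the operand dump); pass a no-op callable to run silently.

    Returns:
        list of (observed, expected) pairs, one per op-20 record, in order.

    NOTE(review): the original stepped `i` by 3 while indexing data[3*i],
    which visits only every third record and then runs past the end of the
    list; this walks each record exactly once.
    """
    buf = list(input_bytes)
    results = []
    for pos in range(0, len(program) - 2, 3):
        op, src, dst = program[pos:pos + 3]
        if op == 19:
            R6 = buf[src]
            R7 = buf[dst]
            log(hex(R6), hex(R7))
            buf[dst] = lc3_xor(R6, R7)
        elif op == 20:
            observed = buf[src]
            wanted = expected[len(expected) - 1 - dst]
            log("okkk" if observed == wanted else "error")
            results.append((observed, wanted))
    return results


if __name__ == "__main__":
    print(len(data))
    input_bytes = [ord(c) for c in "7654321987654321987654321"]
    run_simulator(data, res, input_bytes)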
        continue

然后会发现其实就是相邻两个数进行异或,res 是最后异或完的结果,最后一个字符不用进行异或,直接根据这一个字符依次异或即可得到 flag。脚本如下:
res=[108, 15, 80, 108, 110, 66, 44, 44, 30, 12, 13, 0, 51, 61, 23, 1, 43, 60, 12, 2, 29, 28, 9, 17, 17]
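def unchain(chained):
    """Undo the adjacent-XOR chain: out[0] = chained[0], out[k] = chained[k] ^ out[k-1].

    This is a running XOR over `chained`; the first element is the byte the
    program left untouched, every later one is recovered from its predecessor.

    Args:
        chained: the `res` table (ints).

    Returns:
        list of ints of the same length (empty for empty input).
    """
    out = []
    acc = 0
    for value in chained:
        acc ^= value
        out.append(acc)
    return out


if __name__ == "__main__":
    flag = unchain(res)
    print("".join(map(chr, flag)))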