gactf 2020 writeup

考试考完,来吧咕咕咕掉的比赛重新写一下

re

checkin

ruby打包,直接定位createfile找到创建的文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
require 'openssl'  
require 'base64'


def aes_encrypt(key,encrypted_string)
aes = OpenSSL::Cipher.new("AES-128-ECB")
aes.encrypt
aes.key = key
cipher = aes.update(encrypted_string) << aes.final
return Base64.encode64(cipher)
end

print "Enter flag: "
flag = gets.chomp

key = "Welcome_To_GACTF"
cipher = "4KeC/Oj1McI4TDIM2c9Y6ahahc6uhpPbpSgPWktXFLM=\n"

text = aes_encrypt(key,flag)
if cipher == text
puts "good!"
else
puts "no!"
end

1

解密即可

WannaFlag

image-20200913211634186

WINMAIN可以看到很明显的消息循环,向上面找一下能找到回调函数

image-20200913211709335

image-20200913211725012

进去查看主要分析这个函数,录入key,加密后比较如果正确则弹msgbox然后解密flag

1
2
3
4
5
6
7
8
9
10
11
12
a = [0x4E, 0xAE, 0x61, 0xBA, 0xE4, 0x2B, 0x55, 0xAA, 0x59, 0xFC,
0x4D, 0x02, 0x17, 0x6B, 0x13, 0xA1, 0x41, 0xFE, 0x35, 0x0B,
0xB4, 0x0B, 0x52, 0x2F, 0x46, 0xCC, 0x35, 0x82, 0xE5, 0x88,
0x50]
b = 'ANNAWGALFYBKVIAHMXTFCAACLAAAAYK'
flag = ''
for i in range(len(a)):
ror = i%8
temp = ((a[i]>>ror)&0xff)|((a[i]<<(8-ror))&0xff)
flag += chr(temp^120^ord(b[i]))
print flag
#wannaflag_is_just_a_paper_tiger

加密部分不难

GACTF{WannaFlag_is_just_a_easy_re_with_a_beautiful_appearance}

EasyRe

先来个smc

然后是根据第一次输入的数据进行一次加密check,手动打log看

1
2
3
4
5
6
7
8
9
10
11
12
13
input = 75BCD15h
input >> 0xd = 0x00003ADE
0x00003ADE^input = 0x075BF7CB
0x075BF7CB<<9 = 0xB7EF9600
0xB7EF9600&0x78F39600 = 0x30E39600
0x30E39600^0x075BF7CB=0x37B861CB
0x37B861CB<<0x11=0xC3960000
0xC3960000&0x85D40000=0x81940000
0x81940000^0x37B861CB=0xB62C61CB
0xB62C61CB>>0x13=0x000016C5
0x000016C5^0xB62C61CB=0xB62C770E
result = 0xB62C770E
check if result == 0x26F8D100

弱智z3解出来是错的,这工具以后必卸,直接用c爆破出0xffe8bc9a,所以输入是4293442714

后面就是个xor

1
2
3
4
5
6
7
a = [0x0000014C,0x0000003B,0x000000D6,0x00000152,0x0000003B,0x000000D6,0x0000014C,0x00000152,0x0000014C,0x0000014C,0x00000152,0x00000152,0x000000D6,0x0000003B,0x00000152,0x0000014C,0x00000152,0x00000152,0x0000003B,0x0000014C,0x00000152,0x0000014C,0x00000152,0x000000D6,0x0000014C,0x000000D6,0x0000014C,0x00000152,0x0000003B,0x00000152,0x0000014C,0x0000003B]
b = [0x0000010B,0x0000007A,0x00000095,0x00000106,0x0000007D,0x000000AD,0x0000012F,0x00000165,0x0000012D,0x0000012F,0x00000139,0x0000010D,0x000000BB,0x00000008,0x0000010D,0x0000013F,0x0000013A,0x00000161,0x00000057,0x00000120,0x0000010D,0x0000013F,0x0000013F,0x000000B5,0x00000113,0x000000A0,0x00000121,0x0000010D,0x0000000B,0x00000139,0x00000173,0x00000046]
flag = ''
for i in range(len(a)):
flag += chr((a[i]^b[i])&0xff)
print flag
#GACTF{c7ack_m3_sh3ll_smc_vm_0k?}

Simulator

lc3汇编

用Simulate打开即可

image-20200914205517536

类似调试器,慢慢看,和mips有点像//考完计组后还没忘

前面就是疯狂录入到0x4000处

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#define _CRT_SECURE_NO_DEPRECATE
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>

int main()
{
unsigned char a[] = { 0x6C,0x0F,0x50,0x6C,0x6E,0x42,0x2C,0x2C,0x1E,0x0C,0x0D,0x00,0x33,0x3D,0x17,0x01,0x2B,0x3C,0x0C,0x02,0x1D,0x1C,0x09,0x11,0x11 };
unsigned char temp1, temp2,temp=0x6c;
int i;
for (i = 1; i < 26; i++)
{
printf("%c", temp);
for (temp2 = 32; temp2 < 128; temp2++)
{
if ((((~temp) & temp2) + ((~temp2) & temp)) == a[i])
{
temp = temp2;
break;
}
}
}
return 0;
}

image-20200915101908957

加密部分不难

PicCompress

一个图片压缩程序。。。一般情况下都不会去逆的,找一下源码

1
2
3
4
5
6
7
>>> import lzss
>>> a = open('flag','rb')
>>> b = a.read()
>>> c = open('temp','wb')
>>> buffer = lzss.decompress(b)
>>> c.write(buffer)
>>>

image-20200916131152802

InfaintRe

静态编译,hint提示了可以搜索下

image-20200915200535696

基本可以猜出gmp库

image-20200916180102022

自己做签名文件试了下效果不咋地,只能识别出部分函数。。。

有些函数像mul因为有一点不同就没识别出

image-20200916180359570

静态编译还是挺难受的

貌似是椭圆曲线。。。学完了再来看看把

文章目录
  1. 1. re
    1. 1.1. checkin
    2. 1.2. WannaFlag
    3. 1.3. EasyRe
    4. 1.4. Simulator
    5. 1.5. PicCompress
    6. 1.6. InfaintRe
|