2020国赛总决赛re

多亏易霖博,国赛总决赛都能给整成解题了。之前就喷过ylb平台垃圾运维态度整的和你欠他钱一样,好了这次国赛又来了。俩个re原题大赛

babyriscv

http://217.logdown.com/posts/235490-isg2014-bt

易霖博可能从哪嫖到了源码,本来是arm的硬是整成了riscv架构

脚本复制粘贴改下数据出flag

没错这就是国赛

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
s = 'BpmvcuriVayeQLIKJ  f  U2  l  od  Z  hx  5  _T  s  t{  k  7F  n  Ej  X  C}  O  AN  w  D8  Y  bq  9  gP  W  63  G  MR  4  Sz  H  '
i = 0
tb = {}

def dfs(x,y):
global i,tb
if i<len(s):
z = s[i]
i += 1
if z!=' ':
tb[y] = z
dfs(x+1,48*(x+1)+y)
dfs(x+1,49*(x+1)+y)

dfs(0,0)
v = [6544, 6559, 2160, 484, 3755, 484, 2177, 2177, 5774, 3756, 6528, 5054, 0, 5067, 3756, 1008, 3168, 288, 483, 1008, 5067, 3168, 3756, 725, 1351, 725, 2640, 3756, 290, 6559, 4393, 480, 1728, 2168]
print ''.join(tb[x] for x in v)
#flag{gOOd_JoB5_rev3r5e_bAby_RlscV}

实在是妙,下次办比赛再换个架构又是一道新题

不愧是ylb

反汇编有现成工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
103a8:       fea42623                sw      x10,-20(x8)
103ac: feb42423 sw x11,-24(x8)
103b0: fec42783 lw x15,-20(x8)
103b4: 4398 c.lw x14,0(x15)
103b6: 6789 c.lui x15,0x2
103b8: 99078793 addi x15,x15,-1648 # 0x1990
103bc: 28f71363 bne x14,x15,0x10642
103c0: fec42783 lw x15,-20(x8)
103c4: 0791 c.addi x15,4
103c6: 4398 c.lw x14,0(x15)
103c8: 6789 c.lui x15,0x2
103ca: 99f78793 addi x15,x15,-1633 # 0x199f
103ce: 26f71a63 bne x14,x15,0x10642
103d2: fec42783 lw x15,-20(x8)
103d6: 07a1 c.addi x15,8
103d8: 4398 c.lw x14,0(x15)
103da: 6785 c.lui x15,0x1
103dc: 87078793 addi x15,x15,-1936 # 0x870
103e0: 26f71163 bne x14,x15,0x10642
103e4: fec42783 lw x15,-20(x8)
103e8: 07b1 c.addi x15,12
103ea: 4398 c.lw x14,0(x15)
103ec: 1e400793 addi x15,x0,484
103f0: 24f71963 bne x14,x15,0x10642
103f4: fec42783 lw x15,-20(x8)
103f8: 07c1 c.addi x15,16
103fa: 4398 c.lw x14,0(x15)
103fc: 6785 c.lui x15,0x1
103fe: eab78793 addi x15,x15,-341 # 0xeab
10402: 24f71063 bne x14,x15,0x10642
10406: fec42783 lw x15,-20(x8)
1040a: 07d1 c.addi x15,20
1040c: 4398 c.lw x14,0(x15)
1040e: 1e400793 addi x15,x0,484
10412: 22f71863 bne x14,x15,0x10642
10416: fec42783 lw x15,-20(x8)
1041a: 07e1 c.addi x15,24
1041c: 4398 c.lw x14,0(x15)
1041e: 6785 c.lui x15,0x1
10420: 88178793 addi x15,x15,-1919 # 0x881
10424: 20f71f63 bne x14,x15,0x10642
10428: fec42783 lw x15,-20(x8)
1042c: 07f1 c.addi x15,28
1042e: 4398 c.lw x14,0(x15)
10430: 6785 c.lui x15,0x1
10432: 88178793 addi x15,x15,-1919 # 0x881
10436: 20f71663 bne x14,x15,0x10642
1043a: fec42783 lw x15,-20(x8)
1043e: 02078793 addi x15,x15,32
10442: 4398 c.lw x14,0(x15)
10444: 6785 c.lui x15,0x1
10446: 68e78793 addi x15,x15,1678 # 0x168e
1044a: 1ef71c63 bne x14,x15,0x10642
1044e: fec42783 lw x15,-20(x8)
10452: 02478793 addi x15,x15,36
10456: 4398 c.lw x14,0(x15)
10458: 6785 c.lui x15,0x1
1045a: eac78793 addi x15,x15,-340 # 0xeac
1045e: 1ef71263 bne x14,x15,0x10642
10462: fec42783 lw x15,-20(x8)
10466: 02878793 addi x15,x15,40
1046a: 4398 c.lw x14,0(x15)
1046c: 6789 c.lui x15,0x2
1046e: 98078793 addi x15,x15,-1664 # 0x1980
10472: 1cf71863 bne x14,x15,0x10642
10476: fec42783 lw x15,-20(x8)
1047a: 02c78793 addi x15,x15,44
1047e: 4398 c.lw x14,0(x15)
10480: 6785 c.lui x15,0x1
10482: 3be78793 addi x15,x15,958 # 0x13be
10486: 1af71e63 bne x14,x15,0x10642
1048a: fec42783 lw x15,-20(x8)
1048e: 03078793 addi x15,x15,48
10492: 439c c.lw x15,0(x15)
10494: 1a079763 bne x15,x0,0x10642
10498: fec42783 lw x15,-20(x8)
1049c: 03478793 addi x15,x15,52
104a0: 4398 c.lw x14,0(x15)
104a2: 6785 c.lui x15,0x1
104a4: 3cb78793 addi x15,x15,971 # 0x13cb
104a8: 18f71d63 bne x14,x15,0x10642
104ac: fec42783 lw x15,-20(x8)
104b0: 03878793 addi x15,x15,56
104b4: 4398 c.lw x14,0(x15)
104b6: 6785 c.lui x15,0x1
104b8: eac78793 addi x15,x15,-340 # 0xeac
104bc: 18f71363 bne x14,x15,0x10642
104c0: fec42783 lw x15,-20(x8)
104c4: 03c78793 addi x15,x15,60
104c8: 4398 c.lw x14,0(x15)
104ca: 3f000793 addi x15,x0,1008
104ce: 16f71a63 bne x14,x15,0x10642
104d2: fec42783 lw x15,-20(x8)
104d6: 04078793 addi x15,x15,64
104da: 4398 c.lw x14,0(x15)
104dc: 6785 c.lui x15,0x1
104de: c6078793 addi x15,x15,-928 # 0xc60
104e2: 16f71063 bne x14,x15,0x10642
104e6: fec42783 lw x15,-20(x8)
104ea: 04478793 addi x15,x15,68
104ee: 4398 c.lw x14,0(x15)
104f0: 12000793 addi x15,x0,288
104f4: 14f71763 bne x14,x15,0x10642
104f8: fec42783 lw x15,-20(x8)
104fc: 04878793 addi x15,x15,72
10500: 4398 c.lw x14,0(x15)
10502: 1e300793 addi x15,x0,483
10506: 12f71e63 bne x14,x15,0x10642
1050a: fec42783 lw x15,-20(x8)
1050e: 04c78793 addi x15,x15,76
10512: 4398 c.lw x14,0(x15)
10514: 3f000793 addi x15,x0,1008
10518: 12f71563 bne x14,x15,0x10642
1051c: fec42783 lw x15,-20(x8)
10520: 05078793 addi x15,x15,80
10524: 4398 c.lw x14,0(x15)
10526: 6785 c.lui x15,0x1
10528: 3cb78793 addi x15,x15,971 # 0x13cb
1052c: 10f71b63 bne x14,x15,0x10642
10530: fec42783 lw x15,-20(x8)
10534: 05478793 addi x15,x15,84
10538: 4398 c.lw x14,0(x15)
1053a: 6785 c.lui x15,0x1
1053c: c6078793 addi x15,x15,-928 # 0xc60
10540: 10f71163 bne x14,x15,0x10642
10544: fec42783 lw x15,-20(x8)
10548: 05878793 addi x15,x15,88
1054c: 4398 c.lw x14,0(x15)
1054e: 6785 c.lui x15,0x1
10550: eac78793 addi x15,x15,-340 # 0xeac
10554: 0ef71763 bne x14,x15,0x10642
10558: fe842703 lw x14,-24(x8)
1055c: 02200793 addi x15,x0,34
10560: 0ef71163 bne x14,x15,0x10642
10564: fec42783 lw x15,-20(x8)
10568: 05c78793 addi x15,x15,92
1056c: 4398 c.lw x14,0(x15)
1056e: 2d500793 addi x15,x0,725
10572: 0cf71863 bne x14,x15,0x10642
10576: fec42783 lw x15,-20(x8)
1057a: 06078793 addi x15,x15,96
1057e: 4398 c.lw x14,0(x15)
10580: 54700793 addi x15,x0,1351
10584: 0af71f63 bne x14,x15,0x10642
10588: fec42783 lw x15,-20(x8)
1058c: 06478793 addi x15,x15,100
10590: 4398 c.lw x14,0(x15)
10592: 2d500793 addi x15,x0,725
10596: 0af71663 bne x14,x15,0x10642
1059a: fec42783 lw x15,-20(x8)
1059e: 06878793 addi x15,x15,104
105a2: 4398 c.lw x14,0(x15)
105a4: 6785 c.lui x15,0x1
105a6: a5078793 addi x15,x15,-1456 # 0xa50
105aa: 08f71c63 bne x14,x15,0x10642
105ae: fec42783 lw x15,-20(x8)
105b2: 06c78793 addi x15,x15,108
105b6: 4398 c.lw x14,0(x15)
105b8: 6785 c.lui x15,0x1
105ba: eac78793 addi x15,x15,-340 # 0xeac
105be: 08f71263 bne x14,x15,0x10642
105c2: fec42783 lw x15,-20(x8)
105c6: 07078793 addi x15,x15,112
105ca: 4398 c.lw x14,0(x15)
105cc: 12200793 addi x15,x0,290
105d0: 06f71963 bne x14,x15,0x10642
105d4: fec42783 lw x15,-20(x8)
105d8: 07478793 addi x15,x15,116
105dc: 4398 c.lw x14,0(x15)
105de: 6789 c.lui x15,0x2
105e0: 99f78793 addi x15,x15,-1633 # 0x199f
105e4: 04f71f63 bne x14,x15,0x10642
105e8: fec42783 lw x15,-20(x8)
105ec: 07878793 addi x15,x15,120
105f0: 4398 c.lw x14,0(x15)
105f2: 6785 c.lui x15,0x1
105f4: 12978793 addi x15,x15,297 # 0x1129
105f8: 04f71563 bne x14,x15,0x10642
105fc: fec42783 lw x15,-20(x8)
10600: 07c78793 addi x15,x15,124
10604: 4398 c.lw x14,0(x15)
10606: 1e000793 addi x15,x0,480
1060a: 02f71c63 bne x14,x15,0x10642
1060e: fec42783 lw x15,-20(x8)
10612: 08078793 addi x15,x15,128
10616: 4398 c.lw x14,0(x15)
10618: 6c000793 addi x15,x0,1728
1061c: 02f71363 bne x14,x15,0x10642
10620: fec42783 lw x15,-20(x8)
10624: 08478793 addi x15,x15,132
10628: 4398 c.lw x14,0(x15)
1062a: 6785 c.lui x15,0x1
1062c: 87878793 addi x15,x15,-1928 # 0x878
10630: 00f71963 bne x14,x15,0x10642

截取部分反汇编代码,搜索关键字符串地址就能定位到比较处

re_rs4

tea

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#define _CRT_SECURE_NO_DEPRECATE
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>
unsigned char index[] = { 0,3,1,2,2,1,3,0,0,0,1,3,2,2,3,1,0,0,1,0,2,3,3,2,0,1,1,1,2,0,3,3,0,2,1,1,2,1,3,0,0,3,1,2,2,1,3,1,0,0,1,3,2,2,3,2,0,1,1,0,2,3,3,2 };
FILE* c = fopen("C:\\Users\\pisanbao\\Dropbox\\My PC (DESKTOP-TIPJDRO)\\Desktop\\temp.jpg", "ab+");
unsigned int aaa = 0;
void decode(unsigned char flag[], DWORD* filebuffer)
{
unsigned int a = 0;
int i;
unsigned int v19 = *(DWORD *)filebuffer, v20 = *(DWORD *)(filebuffer+1);//jpg开头前8字节,👴猜这jpg必是标准jpg
for (i = 0; i < 0x20; i++)
{
a -= 1640531527;
}
for (i = 0; i < 0x20; i++)
{
v20 -= (((v19 >> 5) ^ (16 * v19)) + v19) ^ (flag[index[63-2*i]] + a);
a += 1640531527;
v19 -= ((((unsigned int)v20 >> 5) ^ (16 * v20)) + v20) ^ (flag[index[63-2*i-1]] + a);
}
fwrite(&v19, 4, 1, c);
fwrite(&v20, 4, 1, c);
/*
if (v19 == 0xE0FFD8FF && v20 == 0x464A1000)
{
printf("ylb_sb\n");
printf("%s", flag);
}*/
}
int main()
{
unsigned char table[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_[]`@";
int i,j,k,l;
unsigned int data[3];
unsigned char flag[5] = "xbvu";
FILE* a;
const char srcaddr[] = "C:\\Users\\pisanbao\\Dropbox\\My PC (DESKTOP-TIPJDRO)\\Desktop\\output.jpg";
a = fopen(srcaddr, "rb");
fseek(a, 0, SEEK_END);
unsigned long long filesize = ftell(a);
fseek(a, 0, SEEK_SET);
DWORD* filebuffer = (DWORD*)calloc(1, filesize);
fread(filebuffer, filesize, 1, a);
int temp = filesize / 8;
for (i = 0; i < temp; i++)
{
decode(flag, (DWORD*)(filebuffer+2*i));
}
/*decode(flag);*/
/*
for (i = 0; i < 70; i++)
{
for (j = 0; j < 70; j++)
{
for (k = 0; k < 70; k++)
{
for (l = 0; l < 70; l++)
{
flag[0] = table[i];
flag[1] = table[j];
flag[2] = table[k];
flag[3] = table[l];
decode(flag);
}
}
}
}*/
return 0;
}

爆破出key”xbvu”;
然后解密

出题人貌似写的有问题,tea的key录入16字节

但是函数返回一字节,说白了就是16字节分4组,每组4字节加密,本来应该是这样的但是出题人写的函数返回值是1字节就是16字节输入只要每4个开头哪一个字节被用到了

所以只需要爆破4字节然后写解密即可

文章目录
  1. 1. babyriscv
  2. 2. re_rs4
|