2020国赛总决赛re

多亏易霖博,国赛总决赛都能给整成解题了。之前就喷过ylb平台垃圾运维态度整的和你欠他钱一样,好了这次国赛又来了。俩个re原题大赛

babyriscv

http://217.logdown.com/posts/235490-isg2014-bt

易霖博可能从哪嫖到了源码,本来是arm的硬是整成了riscv架构

脚本复制粘贴改下数据出flag

没错这就是国赛

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
s = 'BpmvcuriVayeQLIKJ  f  U2  l  od  Z  hx  5  _T  s  t{  k  7F  n  Ej  X  C}  O  AN  w  D8  Y  bq  9  gP  W  63  G  MR  4  Sz  H  '
i = 0
tb = {}

def dfs(x,y):
  global i,tb
  if i<len(s):
    z = s[i]
    i += 1
    if z!=' ':
      tb[y] = z
      dfs(x+1,48*(x+1)+y)
      dfs(x+1,49*(x+1)+y)

dfs(0,0)
v = [6544, 6559, 2160, 484, 3755, 484, 2177, 2177, 5774, 3756, 6528, 5054, 0, 5067, 3756, 1008, 3168, 288, 483, 1008, 5067, 3168, 3756, 725, 1351, 725, 2640, 3756, 290, 6559, 4393, 480, 1728, 2168]
print ''.join(tb[x] for x in v)
#flag{gOOd_JoB5_rev3r5e_bAby_RlscV}

实在是妙,下次办比赛再换个架构又是一道新题

不愧是ylb

反汇编有现成工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
103a8:       fea42623                sw      x10,-20(x8)
103ac:       feb42423                sw      x11,-24(x8)
103b0:       fec42783                lw      x15,-20(x8)
103b4:       4398                    c.lw    x14,0(x15)
103b6:       6789                    c.lui   x15,0x2
103b8:       99078793                addi    x15,x15,-1648 # 0x1990
103bc:       28f71363                bne     x14,x15,0x10642
103c0:       fec42783                lw      x15,-20(x8)
103c4:       0791                    c.addi  x15,4
103c6:       4398                    c.lw    x14,0(x15)
103c8:       6789                    c.lui   x15,0x2
103ca:       99f78793                addi    x15,x15,-1633 # 0x199f
103ce:       26f71a63                bne     x14,x15,0x10642
103d2:       fec42783                lw      x15,-20(x8)
103d6:       07a1                    c.addi  x15,8
103d8:       4398                    c.lw    x14,0(x15)
103da:       6785                    c.lui   x15,0x1
103dc:       87078793                addi    x15,x15,-1936 # 0x870
103e0:       26f71163                bne     x14,x15,0x10642
103e4:       fec42783                lw      x15,-20(x8)
103e8:       07b1                    c.addi  x15,12
103ea:       4398                    c.lw    x14,0(x15)
103ec:       1e400793                addi    x15,x0,484
103f0:       24f71963                bne     x14,x15,0x10642
103f4:       fec42783                lw      x15,-20(x8)
103f8:       07c1                    c.addi  x15,16
103fa:       4398                    c.lw    x14,0(x15)
103fc:       6785                    c.lui   x15,0x1
103fe:       eab78793                addi    x15,x15,-341 # 0xeab
10402:       24f71063                bne     x14,x15,0x10642
10406:       fec42783                lw      x15,-20(x8)
1040a:       07d1                    c.addi  x15,20
1040c:       4398                    c.lw    x14,0(x15)
1040e:       1e400793                addi    x15,x0,484
10412:       22f71863                bne     x14,x15,0x10642
10416:       fec42783                lw      x15,-20(x8)
1041a:       07e1                    c.addi  x15,24
1041c:       4398                    c.lw    x14,0(x15)
1041e:       6785                    c.lui   x15,0x1
10420:       88178793                addi    x15,x15,-1919 # 0x881
10424:       20f71f63                bne     x14,x15,0x10642
10428:       fec42783                lw      x15,-20(x8)
1042c:       07f1                    c.addi  x15,28
1042e:       4398                    c.lw    x14,0(x15)
10430:       6785                    c.lui   x15,0x1
10432:       88178793                addi    x15,x15,-1919 # 0x881
10436:       20f71663                bne     x14,x15,0x10642
1043a:       fec42783                lw      x15,-20(x8)
1043e:       02078793                addi    x15,x15,32
10442:       4398                    c.lw    x14,0(x15)
10444:       6785                    c.lui   x15,0x1
10446:       68e78793                addi    x15,x15,1678 # 0x168e
1044a:       1ef71c63                bne     x14,x15,0x10642
1044e:       fec42783                lw      x15,-20(x8)
10452:       02478793                addi    x15,x15,36
10456:       4398                    c.lw    x14,0(x15)
10458:       6785                    c.lui   x15,0x1
1045a:       eac78793                addi    x15,x15,-340 # 0xeac
1045e:       1ef71263                bne     x14,x15,0x10642
10462:       fec42783                lw      x15,-20(x8)
10466:       02878793                addi    x15,x15,40
1046a:       4398                    c.lw    x14,0(x15)
1046c:       6789                    c.lui   x15,0x2
1046e:       98078793                addi    x15,x15,-1664 # 0x1980
10472:       1cf71863                bne     x14,x15,0x10642
10476:       fec42783                lw      x15,-20(x8)
1047a:       02c78793                addi    x15,x15,44
1047e:       4398                    c.lw    x14,0(x15)
10480:       6785                    c.lui   x15,0x1
10482:       3be78793                addi    x15,x15,958 # 0x13be
10486:       1af71e63                bne     x14,x15,0x10642
1048a:       fec42783                lw      x15,-20(x8)
1048e:       03078793                addi    x15,x15,48
10492:       439c                    c.lw    x15,0(x15)
10494:       1a079763                bne     x15,x0,0x10642
10498:       fec42783                lw      x15,-20(x8)
1049c:       03478793                addi    x15,x15,52
104a0:       4398                    c.lw    x14,0(x15)
104a2:       6785                    c.lui   x15,0x1
104a4:       3cb78793                addi    x15,x15,971 # 0x13cb
104a8:       18f71d63                bne     x14,x15,0x10642
104ac:       fec42783                lw      x15,-20(x8)
104b0:       03878793                addi    x15,x15,56
104b4:       4398                    c.lw    x14,0(x15)
104b6:       6785                    c.lui   x15,0x1
104b8:       eac78793                addi    x15,x15,-340 # 0xeac
104bc:       18f71363                bne     x14,x15,0x10642
104c0:       fec42783                lw      x15,-20(x8)
104c4:       03c78793                addi    x15,x15,60
104c8:       4398                    c.lw    x14,0(x15)
104ca:       3f000793                addi    x15,x0,1008
104ce:       16f71a63                bne     x14,x15,0x10642
104d2:       fec42783                lw      x15,-20(x8)
104d6:       04078793                addi    x15,x15,64
104da:       4398                    c.lw    x14,0(x15)
104dc:       6785                    c.lui   x15,0x1
104de:       c6078793                addi    x15,x15,-928 # 0xc60
104e2:       16f71063                bne     x14,x15,0x10642
104e6:       fec42783                lw      x15,-20(x8)
104ea:       04478793                addi    x15,x15,68
104ee:       4398                    c.lw    x14,0(x15)
104f0:       12000793                addi    x15,x0,288
104f4:       14f71763                bne     x14,x15,0x10642
104f8:       fec42783                lw      x15,-20(x8)
104fc:       04878793                addi    x15,x15,72
10500:       4398                    c.lw    x14,0(x15)
10502:       1e300793                addi    x15,x0,483
10506:       12f71e63                bne     x14,x15,0x10642
1050a:       fec42783                lw      x15,-20(x8)
1050e:       04c78793                addi    x15,x15,76
10512:       4398                    c.lw    x14,0(x15)
10514:       3f000793                addi    x15,x0,1008
10518:       12f71563                bne     x14,x15,0x10642
1051c:       fec42783                lw      x15,-20(x8)
10520:       05078793                addi    x15,x15,80
10524:       4398                    c.lw    x14,0(x15)
10526:       6785                    c.lui   x15,0x1
10528:       3cb78793                addi    x15,x15,971 # 0x13cb
1052c:       10f71b63                bne     x14,x15,0x10642
10530:       fec42783                lw      x15,-20(x8)
10534:       05478793                addi    x15,x15,84
10538:       4398                    c.lw    x14,0(x15)
1053a:       6785                    c.lui   x15,0x1
1053c:       c6078793                addi    x15,x15,-928 # 0xc60
10540:       10f71163                bne     x14,x15,0x10642
10544:       fec42783                lw      x15,-20(x8)
10548:       05878793                addi    x15,x15,88
1054c:       4398                    c.lw    x14,0(x15)
1054e:       6785                    c.lui   x15,0x1
10550:       eac78793                addi    x15,x15,-340 # 0xeac
10554:       0ef71763                bne     x14,x15,0x10642
10558:       fe842703                lw      x14,-24(x8)
1055c:       02200793                addi    x15,x0,34
10560:       0ef71163                bne     x14,x15,0x10642
10564:       fec42783                lw      x15,-20(x8)
10568:       05c78793                addi    x15,x15,92
1056c:       4398                    c.lw    x14,0(x15)
1056e:       2d500793                addi    x15,x0,725
10572:       0cf71863                bne     x14,x15,0x10642
10576:       fec42783                lw      x15,-20(x8)
1057a:       06078793                addi    x15,x15,96
1057e:       4398                    c.lw    x14,0(x15)
10580:       54700793                addi    x15,x0,1351
10584:       0af71f63                bne     x14,x15,0x10642
10588:       fec42783                lw      x15,-20(x8)
1058c:       06478793                addi    x15,x15,100
10590:       4398                    c.lw    x14,0(x15)
10592:       2d500793                addi    x15,x0,725
10596:       0af71663                bne     x14,x15,0x10642
1059a:       fec42783                lw      x15,-20(x8)
1059e:       06878793                addi    x15,x15,104
105a2:       4398                    c.lw    x14,0(x15)
105a4:       6785                    c.lui   x15,0x1
105a6:       a5078793                addi    x15,x15,-1456 # 0xa50
105aa:       08f71c63                bne     x14,x15,0x10642
105ae:       fec42783                lw      x15,-20(x8)
105b2:       06c78793                addi    x15,x15,108
105b6:       4398                    c.lw    x14,0(x15)
105b8:       6785                    c.lui   x15,0x1
105ba:       eac78793                addi    x15,x15,-340 # 0xeac
105be:       08f71263                bne     x14,x15,0x10642
105c2:       fec42783                lw      x15,-20(x8)
105c6:       07078793                addi    x15,x15,112
105ca:       4398                    c.lw    x14,0(x15)
105cc:       12200793                addi    x15,x0,290
105d0:       06f71963                bne     x14,x15,0x10642
105d4:       fec42783                lw      x15,-20(x8)
105d8:       07478793                addi    x15,x15,116
105dc:       4398                    c.lw    x14,0(x15)
105de:       6789                    c.lui   x15,0x2
105e0:       99f78793                addi    x15,x15,-1633 # 0x199f
105e4:       04f71f63                bne     x14,x15,0x10642
105e8:       fec42783                lw      x15,-20(x8)
105ec:       07878793                addi    x15,x15,120
105f0:       4398                    c.lw    x14,0(x15)
105f2:       6785                    c.lui   x15,0x1
105f4:       12978793                addi    x15,x15,297 # 0x1129
105f8:       04f71563                bne     x14,x15,0x10642
105fc:       fec42783                lw      x15,-20(x8)
10600:       07c78793                addi    x15,x15,124
10604:       4398                    c.lw    x14,0(x15)
10606:       1e000793                addi    x15,x0,480
1060a:       02f71c63                bne     x14,x15,0x10642
1060e:       fec42783                lw      x15,-20(x8)
10612:       08078793                addi    x15,x15,128
10616:       4398                    c.lw    x14,0(x15)
10618:       6c000793                addi    x15,x0,1728
1061c:       02f71363                bne     x14,x15,0x10642
10620:       fec42783                lw      x15,-20(x8)
10624:       08478793                addi    x15,x15,132
10628:       4398                    c.lw    x14,0(x15)
1062a:       6785                    c.lui   x15,0x1
1062c:       87878793                addi    x15,x15,-1928 # 0x878
10630:       00f71963                bne     x14,x15,0x10642

截取部分反汇编代码,搜索关键字符串地址就能定位到比较处

re_rs4

tea

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#define _CRT_SECURE_NO_DEPRECATE
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#include <stdlib.h>
unsigned char index[] = { 0,3,1,2,2,1,3,0,0,0,1,3,2,2,3,1,0,0,1,0,2,3,3,2,0,1,1,1,2,0,3,3,0,2,1,1,2,1,3,0,0,3,1,2,2,1,3,1,0,0,1,3,2,2,3,2,0,1,1,0,2,3,3,2 };
FILE* c = fopen("C:\\Users\\pisanbao\\Dropbox\\My PC (DESKTOP-TIPJDRO)\\Desktop\\temp.jpg", "ab+");
unsigned int aaa = 0;
void decode(unsigned char flag[], DWORD* filebuffer)
{
	unsigned int a = 0;
	int i;
	unsigned int v19 = *(DWORD *)filebuffer, v20 = *(DWORD *)(filebuffer+1);//jpg开头前8字节,👴猜这jpg必是标准jpg
	for (i = 0; i < 0x20; i++)
	{
		a -= 1640531527;
	}
	for (i = 0; i < 0x20; i++)
	{
		v20 -= (((v19 >> 5) ^ (16 * v19)) + v19) ^ (flag[index[63-2*i]] + a);
		a += 1640531527;
		v19 -= ((((unsigned int)v20 >> 5) ^ (16 * v20)) + v20) ^ (flag[index[63-2*i-1]] + a);
	}
	fwrite(&v19, 4, 1, c);
	fwrite(&v20, 4, 1, c);
	/*
	if (v19 == 0xE0FFD8FF && v20 == 0x464A1000)
	{
		printf("ylb_sb\n");
		printf("%s", flag);
	}*/
}
int main()
{
	unsigned char table[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_[]`@";
	int i,j,k,l;
	unsigned int data[3];
	unsigned char flag[5] = "xbvu";
	FILE* a;
	const char srcaddr[] = "C:\\Users\\pisanbao\\Dropbox\\My PC (DESKTOP-TIPJDRO)\\Desktop\\output.jpg";
	a = fopen(srcaddr, "rb");
	fseek(a, 0, SEEK_END);
	unsigned long long filesize = ftell(a);
	fseek(a, 0, SEEK_SET);
	DWORD* filebuffer = (DWORD*)calloc(1, filesize);
	fread(filebuffer, filesize, 1, a);
	int temp = filesize / 8;
	for (i = 0; i < temp; i++)
	{
		decode(flag, (DWORD*)(filebuffer+2*i));
	}
	/*decode(flag);*/
	/*
	for (i = 0; i < 70; i++)
	{
		for (j = 0; j < 70; j++)
		{
			for (k = 0; k < 70; k++)
			{
				for (l = 0; l < 70; l++)
				{
					flag[0] = table[i];
					flag[1] = table[j];
					flag[2] = table[k];
					flag[3] = table[l];
					decode(flag);
				}
			}
		}
	}*/
	return 0;
}

爆破出key”xbvu”;
然后解密

出题人貌似写的有问题,tea的key录入16字节

但是函数返回一字节,说白了就是16字节分4组,每组4字节加密,本来应该是这样的但是出题人写的函数返回值是1字节就是16字节输入只要每4个开头哪一个字节被用到了

所以只需要爆破4字节然后写解密即可

#re #ctf
2020国赛总决赛re
http://www.psbazx.com/2020/10/03/2020国赛总决赛re/
Beitragsautor
皮三宝
Veröffentlicht am
October 2, 2020
Urheberrechtshinweis