hgame week2 week3

harmonica11

RE

1,babypy

对字节码硬怼,就可分析出大致逻辑是倒序后异或

c=[0x7d,0x03,0x7d,0x04,0x57,0x17,0x72,0x2d,0x62,0x11,0x4e,0x6a,0x5b,0x04,0x4f,0x2c,0x18,0x4c,0x3f,0x44,0x21,0x4c,0x2d,0x4a,0x22]
c.reverse()
flag=[]
for i in range(len(c)):
    if i!=len(c)-1:
        print(chr(c[i]^c[i+1]),end=\'\')
    else:
        print(chr(c[i]))

得到flag

2,unpack

题如其名,手脱upx壳,虽然简单,但linux上还是第一次脱

用ida调试,f8不跑飞就不用f7,一直到

 

 f7进去,再一直f8

 

 到了一个跳转,f8

 

 可以看到入口点0x400890,继续f8

 

 来到了入口,dump出来

#include <idc.idc>
#define PT_LOAD              1
#define PT_DYNAMIC           2
static main(void)
{
         auto ImageBase,StartImg,EndImg;
         auto e_phoff;
         auto e_phnum,p_offset;
         auto i,dumpfile;
         ImageBase=0x400000;
         StartImg=0x400000;
         EndImg=0x0;
         if (Dword(ImageBase)==0x7f454c46 || Dword(ImageBase)==0x464c457f )
  {
     if(dumpfile=fopen("G:\\dumpfile","wb"))
    {
      e_phoff=ImageBase+Qword(ImageBase+0x20);
      Message("e_phoff = 0x%x\n", e_phoff);
      e_phnum=Word(ImageBase+0x38);
      Message("e_phnum = 0x%x\n", e_phnum);
      for(i=0;i<e_phnum;i++)
      {
         if (Dword(e_phoff)==PT_LOAD || Dword(e_phoff)==PT_DYNAMIC)
                         {
                                 p_offset=Qword(e_phoff+0x8);
                                 StartImg=Qword(e_phoff+0x10);
                                 EndImg=StartImg+Qword(e_phoff+0x28);
                                 Message("start = 0x%x, end = 0x%x, offset = 0x%x\n", StartImg, EndImg, p_offset);
                                 dump(dumpfile,StartImg,EndImg,p_offset);
                                 Message("dump segment %d ok.\n",i);
                         }
         e_phoff=e_phoff+0x38;
      }

      fseek(dumpfile,0x3c,0);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);

      fseek(dumpfile,0x28,0);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);

      fclose(dumpfile);
        }else Message("dump err.");
 }
}
static dump(dumpfile,startimg,endimg,offset)
{
        auto i;
        auto size;
        size=endimg-startimg;
        fseek(dumpfile,offset,0);
        for ( i=0; i < size; i=i+1 )
        {
        fputc(Byte(startimg+i),dumpfile);
        }
}

再看dump出来的文件,用ida打开,

 

 逻辑就十分简单了,脚本就不放了。

1,crackme

c#写的,关键代码

private void button1_Click(object sender, EventArgs e)
{
    if (this.status == 1)
    {
        MessageBox.Show("你已经激活成功啦,快去提交flag吧~~~");
        return;
    }
    string text = this.textBox1.Text;
    if (text.Length != 46 || text.IndexOf("hgame{") != 0 || text.IndexOf("}") != 45)
    {
        MessageBox.Show("Illegal format");
        return;
    }
    string base64iv = text.Substring(6, 24);
    string str = text.Substring(30, 15);
    try
    {
        Aes aes = new Aes("SGc0bTNfMm8yMF9XZWVLMg==", base64iv);
        Aes aes2 = new Aes("SGc0bTNfMm8yMF9XZWVLMg==", "MFB1T2g5SWxYMDU0SWN0cw==");
        string text2 = aes.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I=");
        if (text2.Equals("Same_ciphertext_"))
        {
            byte[] array = new byte[16];
            Array.Copy(aes2.EncryptToByte(text2 + str), 16, array, 0, 16);
            if (Convert.ToBase64String(array).Equals("dJntSWSPWbWocAq4yjBP5Q=="))
            {
                MessageBox.Show("注册成功!");
                this.Text = "已激活,欢迎使用!";
                this.status = 1;
            }
            else
            {
                MessageBox.Show("注册失败!\nhint: " + aes2.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I="));
            }
        }
        else
        {
            MessageBox.Show("注册失败!\nhint: " + aes2.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I="));
        }
    }
    catch
    {
        MessageBox.Show("注册失败!");
    }
}

可见又是将输入分为两半,第一部分作为初始向量,使加密后的mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I=变为Same_ciphertext_

第二部分将Same_ciphertext_和第二部分相加后加密为byte后将后十六位转为base64等于dJntSWSPWbWocAq4yjBP5Q==

就第一部分,已经得到了明文,密文,和密钥,根据aes加密的方式,只要将明文作为向量对密文进行解密就可得到真实的初始向量,

第二部分,因为只给了后半部分base64,将其转为十六进制,为了知道前面的部分,我以Same_ciphertext_123456789012345的格式进行加密,从而得到了其前半部分的十六进制,拼在一起后转为base64,再进行aes解密,得到第二部分

拼起来得到flag

hgame{L1R5WFl6UG5ZOyQpXHdlXw==DiFfer3Nt_w0r1d}

 

WEEK3

Misc

1,三重隐写

给了三个音频,其中一个播放时

 

 扫码得到

AES key: 1ZmmeaLL^Typbcg3

第二个文件名有LSB可知是LSB隐写,用slienteye得到

Stegano key: uFSARLVNwVIewCY5

那么可猜到第三个音频是mp3隐写,用mp3stego得到

Zip Password: VvLvmGjpJ75GdJDP

打开压缩包得到flag.crypto

题目贴心的给了解密软件,得到flag

 RE

1,oooollvm

其实这题我连混淆都没去~

本来看到ollvm,第一反应是想用deflat去的,结果总有几个流程算不清,就一直没再看,快结束了时候想起来看了看

 

 这十分可疑啊

table1=[\'0x31\',\'0x0E\',\'0x10\',\'0x38\',\'0x06\',\'0xA1\',\'0x64\',\'0x26\',\'0x04\',\'0x36\',\'0xC1\',\'0x2B\',\'0xA4\',\'0x07\',\'0x7C\',\'0x0C\',\'0x94\',\'0x06\',\'0xC2\',\'0x51\',\'0xC4\',\'0x01\',\'0x4E\',\'0xC1\',\'0xB9\',\'0x50\',\'0xCE\',\'0x8D\',\'0xB1\',\'0x45\',\'0x44\',\'0x9D\',\'0x3F\',\'0xA1\']
table2=[\'0x59\',\'0x68\',\'0x73\',\'0x56\',\'0x6F\',\'0xDD\',\'0x25\',\'0x61\',\'0x40\',\'0x69\',\'0xA6\',\'0x69\',\'0xD9\',\'0x47\',\'0xD5\',\'0x78\',\'0xCB\',\'0x7A\',\'0xA4\',\'0x28\',\'0xBD\',\'0x6E\',\'0x4F\',\'0xBA\',\'0xA4\',\'0x3D\',\'0xB6\',\'0xFB\',\'0xEC\',\'0x2F\',\'0x12\',\'0xF0\',\'0x1A\',\'0xBF\']

for i in range(len(table1)):
    table1[i]=int(table1[i],16)
    table2[i]=int(table2[i],16)

for i in range(len(table2)):
    for s in range(30,127):
        if((~s & (table1[i]+i) | ~(table1[i]+i) & s)==table2[i]):
            print(chr(s),end=\'\')
            continue

得到flag

 

分类:

技术点:

相关文章:

猜你喜欢
相关资源
相似解决方案
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode