Pinguw
Pinguw
Articles10
Tags3
Categories2
回到首页
文章归档
我的朋友
给我赞助
关于博主

Categories

Archive

Recent Posts

© 2024 Pinguw Powered by Hexo & Nexmoe
H&NCTF2024-Reverse部分题解

H&NCTF2024-Reverse部分题解

2024年05月13日 比赛WP

其他的re就没时间做了(我承认是我菜)

H&NCTF

Baby_OBVBS

打开之后看见是VBS混淆,将混淆部分打印出来(base64内容部分略去):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
nbbt="RnVuY3Rpb24gSW5pdGlhbGl6ZShzdHJQd2QpDQogICAgRGltIGJveCgyNTYpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAg"
execute base64Decode(nbbt)
NFqt="RnVuY3Rpb24gTXlmdW5jKHNZCBGdW5jdGlvbg=="
execute base64Decode(NFqt)
NsFw="RnVuY3Rpb24gRWNTYpDQogICAgICAgIGVuY3J5cHRlZERhdGEgPSBlbmNyeXB0ZWREYXRhICYgTENhc2UoUmlnaHQoIjAiICYgSGV4KHkpLCAyKSkNCiAgICBOZXh0DQogICAgRW5DcnlwdCA9IGVuY3J5cHRlZERhdGENCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NsFw)
hYLu="bXNnYm94ICJEbyB5b3Uga28gImJ5ZSEi"
execute base64Decode(hYLu)

base64解密后得到加密代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
Function RC4_init(strPwd)
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim b

    For i = 0 To 255
        box(i) = i
    Next

    a = 0
    b = 0

    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    RC4_init = box
End Function

Function MD5(strToHash)
    Dim tmpFile, strCommand, objFSO, objWshShell, out
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
    objFSO.CreateTextFile(tmpFile).Write(strToHash)
    strCommand = "certutil -hashfile " & tmpFile & " MD5"
    out = objWshShell.Exec(strCommand).StdOut.ReadAll
    objFSO.DeleteFile tmpFile
    MD5 = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function

Function RC4(box, strData)
    Dim tempSwap
    Dim a
    Dim b
    Dim x
    Dim y
    Dim encryptedData
    encryptedData = ""
    For x = 1 To Len(strData)
        a = (a + 1) Mod 256
        b = (b + box(a)) Mod 256
        tempSwap = box(a)
        box(a) = box(b)
        box(b) = tempSwap
        y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
        encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
    Next
    RC4 = encryptedData
End Function

msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."

key = InputBox("Enter the key:", "CTF Challenge")
if (key = False) then wscript.quit
if (len(key)<>6) then
    wscript.echo "wrong key length!"
    wscript.quit
end if
If (MD5(key) = md5_key) Then
    wscript.echo "You get the key!Move to next challenge."
Else
    wscript.echo "Wrong key!Try again!"
    wscript.quit
End If

userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
    wscript.echo "wrong!"
    wscript.quit
end if
box = RC4_init(key)
encryptedInput = RC4(box, userInput)

If (encryptedInput = enc_flag) Then
    MsgBox "Congratulations! You have learned VBS!"
Else
    MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

' enc_flag = 0x59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14
' md5(key) = baacc7ffa8232d28f814bb14c428798b

RC4加密,key只有md5后的哈希,用hashcat爆破拿到key

解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# ./hashcat.exe -a 3 -m 0 -d 1 "baacc7ffa8232d28f814bb14c428798b" ?a?a?a?a?a?a
def rc4_decrypt(key, ciphertext):
    S = list(range(256))
    j = 0
    out = []

    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    i = j = 0
    for char in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(char ^ S[(S[i] + S[j]) % 256])

    return bytes(out)

key = 'H&NKEY'
ciphertext = bytes.fromhex('59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14')

plaintext = rc4_decrypt(key.encode(), ciphertext)
print(plaintext)

H&NCTF{VBS_1s_@_s0_7unny_an4_pow3rfu1_t00l!}

hnwanna

找到主函数,申清加密逻辑:

hnwanna1.png

hnwanna2.png

写解密代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include <cstdio>

void a(char* input, int shift)
{
	char text[19];
	printf("H&NCTF{");
	for(int i = 0; i < 18; i++)
	{
		if(input[i] >= 'a' && input[i] <= 'z')
			text[i] = ((char)(((int)(input[i] - 'a') + shift) % 26 + 97));
		else
			text[i] += input[i];
		printf("%c", text[i]);
	}
	printf("}");
}

int main()
{
	char enc[] = "justaeasyunitygame";
	int key = 5;
	a(enc, key);
    
    return 0;
}

H&NCTF{ozxyfjfxdzsnydlfrj}

DO YOU KNOW SWDD?

在异常处发现有SMC,找到SMC函数:

SMC1.png

写IDC脚本解密:

SMC2.png

得到加密函数:

SMC3.png

解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#include <cstdio>

int main()
{
    char enc[] = "S_VYFO_CGNN_GRKD_KLYED_IYE";
    int v4 = 10;
    printf("H&NCTF{");
    for(int i = 0; enc[i]; ++i)
    {
        if(enc[i] >= 65 && enc[i] <= 90)
            enc[i] = (enc[i] - v4 + 65) % 26 + 65;
        printf("%c", enc[i]);
    }
    printf("}");
    return 0;
}
/*
#include <idc.idc>

static main()
{
    auto addr = 0x00417001;
    auto i = 0;
    auto j = 0;
    auto v5 = "swdd";
    for(j = addr; j < 0x0041815B; j++)
        PatchByte(j, Byte(j) ^ 4);
}
*/

H&NCTF{I_LOVE_SWDD_WHAT_ABOUT_YOU}

最喜欢的逆向题

自己看图:

not_re1.png

not_re2.png

not_re3.png

H&NCTF{Do_Y0u_like_F5_1n_Rev}

Author:Pinguw
Link:https://pinguw.github.io/2024/05/13/%E6%AF%94%E8%B5%9BWP/H&NCTF2024/
看完了吗,再去看看博主的其他文章叭:)
×