
H&NCTF2024-Reverse部分题解

H&NCTF2024-Reverse部分题解

其他的re就没时间做了(我承认是我菜)

H&NCTF

Baby_OBVBS

打开之后看见是VBS混淆,将混淆部分打印出来(base64内容部分略去):

' Outer (obfuscated) stage: two constants with randomised names.
' 88 hex characters = 44 bytes; the same value is quoted as enc_flag in the trailing comment of the decoded stage.
eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
' 32 hex characters; the same value is quoted as md5(key) in the trailing comment of the decoded stage.
ANtg = "baacc7ffa8232d28f814bb14c428798b"
' Decodes a base64 string and returns the result as UTF-8 text.
' base64EncodedString: the base64 text to decode.
' Uses only COM objects that ship with Windows (MSXML2.DOMDocument and ADODB.Stream),
' so the loader needs no helper files.
Function Base64Decode(base64EncodedString)
Dim xml, elem
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
' Setting dataType to bin.base64 makes MSXML decode the element text into raw bytes.
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
' Rewind, then switch the stream to text mode to reinterpret the bytes as UTF-8.
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
' Each blob below is base64-decoded and handed straight to "execute", which runs the
' decoded text as VBScript in the current scope. This is the whole obfuscation layer.
' NOTE: the write-up shortened the base64 strings, so the values shown here do not
' decode to the complete second stage.
' For analysis, print the decoded text (e.g. WScript.Echo) instead of executing it.
nbbt="RnVuY3Rpb24gSW5pdGlhbGl6ZShzdHJQd2QpDQogICAgRGltIGJveCgyNTYpDQogICAgRGltIHRlbXBTd2FwDQogICAgRGltIGENCiAg"
execute base64Decode(nbbt)
NFqt="RnVuY3Rpb24gTXlmdW5jKHNZCBGdW5jdGlvbg=="
execute base64Decode(NFqt)
NsFw="RnVuY3Rpb24gRWNTYpDQogICAgICAgIGVuY3J5cHRlZERhdGEgPSBlbmNyeXB0ZWREYXRhICYgTENhc2UoUmlnaHQoIjAiICYgSGV4KHkpLCAyKSkNCiAgICBOZXh0DQogICAgRW5DcnlwdCA9IGVuY3J5cHRlZERhdGENCkVuZCBGdW5jdGlvbg=="
execute base64Decode(NsFw)
' The last blob starts with a msgbox call; presumably it holds the top-level prompt/check logic.
hYLu="bXNnYm94ICJEbyB5b3Uga28gImJ5ZSEi"
execute base64Decode(hYLu)

base64解密后得到加密代码:

' RC4 key scheduling: builds the 256-entry state array from the key and returns it.
' strPwd: key string; each character is turned into a number with Asc().
'         An empty string would make "i Mod Len(strPwd)" a division by zero.
' Returns: the permuted array, to be passed to RC4() as its box argument.
Function RC4_init(strPwd)
' In VBScript, Dim box(256) allocates indices 0..256; only 0..255 are used below.
Dim box(256)
Dim tempSwap
Dim a
Dim b

' Start from the identity permutation.
For i = 0 To 255
box(i) = i
Next

a = 0
' b is set here but not used again in this function.
b = 0

' Mix the key in: one swap per index, cycling through the key characters.
For i = 0 To 255
a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
tempSwap = box(i)
box(i) = box(a)
box(a) = tempSwap
Next

RC4_init = box
End Function

' Returns the MD5 of strToHash as reported by certutil, with spaces removed.
' VBScript has no built-in hash, so the function shells out:
'   1. writes strToHash to a randomly named file in the temp folder,
'   2. runs "certutil -hashfile <file> MD5" and captures its standard output,
'   3. deletes the file and returns the second output line.
' NOTE(review): the candidate key is on disk in clear text until DeleteFile runs.
' NOTE(review): tmpFile is concatenated into the command line unquoted, so a temp
'               path containing a space would break the certutil call.
' NOTE(review): every call spawns certutil.exe from the script host, which is visible
'               in process-creation logs.
Function MD5(strToHash)
Dim tmpFile, strCommand, objFSO, objWshShell, out
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")
' GetSpecialFolder(2) is the temporary folder.
tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
objFSO.CreateTextFile(tmpFile).Write(strToHash)
strCommand = "certutil -hashfile " & tmpFile & " MD5"
out = objWshShell.Exec(strCommand).StdOut.ReadAll
objFSO.DeleteFile tmpFile
' Index 1 is the second line of certutil's output, presumably the digest line; spaces are stripped from it.
MD5 = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function

' RC4 keystream generation and XOR; returns the result as lowercase hex, two digits per input character.
' box:     state array produced by RC4_init. VBScript passes arguments ByRef by default,
'          so the swaps below also modify the caller's array.
' strData: text to process; each character is converted with Asc().
' Because the operation is a plain XOR with the keystream, applying the same key to the
' raw ciphertext bytes recovers the plaintext.
Function RC4(box, strData)
Dim tempSwap
' a and b are never assigned before the loop; as uninitialised Variants they count as 0 in arithmetic.
Dim a
Dim b
Dim x
Dim y
Dim encryptedData
encryptedData = ""
For x = 1 To Len(strData)
a = (a + 1) Mod 256
b = (b + box(a)) Mod 256
tempSwap = box(a)
box(a) = box(b)
box(b) = tempSwap
' XOR the character code with the next keystream byte.
y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
' Right("0" & Hex(y), 2) left-pads single-digit hex values to two characters.
encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
Next
RC4 = encryptedData
End Function

' Top-level flow of the decoded stage: informational dialogs, a key check, then a flag check.
msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."

' Step 1: key check. The key must be exactly 6 characters and its MD5 must equal md5_key.
' md5_key and enc_flag are not assigned anywhere in this listing; the expected values
' are the ones given in the two comments at the end.
' NOTE(review): a single unsalted MD5 over a 6-character secret does not protect the key;
'               the search space is small enough to enumerate offline.
key = InputBox("Enter the key:", "CTF Challenge")
' Presumably meant to quit when the dialog is cancelled or left empty — confirm InputBox's return value.
if (key = False) then wscript.quit
if (len(key)<>6) then
wscript.echo "wrong key length!"
wscript.quit
end if
If (MD5(key) = md5_key) Then
wscript.echo "You get the key!Move to next challenge."
Else
wscript.echo "Wrong key!Try again!"
wscript.quit
End If

' Step 2: flag check. The input must be 44 characters; it is RC4-processed with the key
' from step 1 and the lowercase hex output is compared with enc_flag.
userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
wscript.echo "wrong!"
wscript.quit
end if
box = RC4_init(key)
encryptedInput = RC4(box, userInput)

If (encryptedInput = enc_flag) Then
MsgBox "Congratulations! You have learned VBS!"
Else
MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

' enc_flag = 0x59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14
' md5(key) = baacc7ffa8232d28f814bb14c428798b

加密算法是RC4,key只给出了MD5后的哈希;由于脚本限定key长度为6且MD5没有加盐,可以用hashcat爆破拿到key

解密:

# ./hashcat.exe -a 3 -m 0 -d 1 "baacc7ffa8232d28f814bb14c428798b" ?a?a?a?a?a?a
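def rc4_decrypt(key, ciphertext):
    """Decrypt (or encrypt) ``ciphertext`` with RC4 under ``key``.

    RC4 is a plain XOR with a keystream, so the same routine works in both
    directions. It is used here only to reverse the challenge script; RC4 is
    not suitable for protecting real data (RFC 7465 prohibits it in TLS).

    Args:
        key: non-empty bytes-like object (iterating it must yield ints).
            Pass ``'text'.encode()`` rather than a ``str``.
        ciphertext: bytes-like object to process.

    Returns:
        ``bytes`` of the same length as ``ciphertext``.

    Raises:
        ValueError: if ``key`` is empty. Without this check the key schedule
            fails with an unhelpful ``ZeroDivisionError`` from ``i % len(key)``.
    """
    if len(key) == 0:
        raise ValueError("RC4 key must not be empty")

    # Key-scheduling algorithm (KSA): permute the identity table using the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # Pseudo-random generation (PRGA): one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for char in ciphertext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(char ^ S[(S[i] + S[j]) % 256])

    return bytes(out)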

# 6-character key whose MD5 matches the digest embedded in the script.
key = 'H&NKEY'
# enc_flag from the decoded VBS stage: 88 hex characters, i.e. 44 bytes.
ciphertext = bytes.fromhex(
    '59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14'
)

# rc4_decrypt works on byte values, so the key is encoded before the call.
plaintext = rc4_decrypt(key.encode(), ciphertext)
print(plaintext)

H&NCTF{VBS_1s_@_s0_7unny_an4_pow3rfu1_t00l!}

hnwanna

找到主函数,理清加密逻辑:

hnwanna1.png

hnwanna2.png

写解密代码:

#include <cstdio>

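// Prints "H&NCTF{" + the Caesar-shifted input + "}" to stdout.
//
// input: NUL-terminated string; a null pointer is treated as an empty string.
//        Lowercase letters 'a'..'z' are rotated by `shift` positions; every
//        other character is printed unchanged.
// shift: rotation amount; any int is accepted (reduced modulo 26, negatives
//        wrap around).
//
// Changes from the previous version:
//  - iterates up to the terminating NUL instead of a fixed 18 characters, so a
//    shorter input is no longer read past its end;
//  - non-letters are copied directly; the old `text[i] += input[i]` added to an
//    uninitialised stack byte (undefined behaviour);
//  - the fixed 19-byte scratch buffer is gone, so there is nothing to overflow.
void a(char* input, int shift)
{
    const char* p = input ? input : "";
    // Normalise into 0..25 so that a negative shift cannot yield a negative remainder.
    const int k = ((shift % 26) + 26) % 26;

    printf("H&NCTF{");
    for (; *p != '\0'; ++p)
    {
        char c = *p;
        if (c >= 'a' && c <= 'z')
            c = (char)((c - 'a' + k) % 26 + 'a');
        printf("%c", c);
    }
    printf("}");
}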

// Solver entry point: prints the flag for the hnwanna challenge.
int main()
{
    // String and shift value as used by this write-up's solver.
    char enc[] = "justaeasyunitygame";
    const int key = 5;

    a(enc, key);
    return 0;
}

H&NCTF{ozxyfjfxdzsnydlfrj}

DO YOU KNOW SWDD?

在异常处发现有SMC,找到SMC函数:

SMC1.png

写IDC脚本解密:

SMC2.png

得到加密函数:

SMC3.png

解密:

#include <cstdio>

// Solver entry point: undoes the uppercase Caesar shift and prints the flag.
int main()
{
    char enc[] = "S_VYFO_CGNN_GRKD_KLYED_IYE";
    int v4 = 10;  // shift amount used by this solver

    printf("H&NCTF{");
    for (char* p = enc; *p != '\0'; ++p)
    {
        // Only 'A'..'Z' are rotated; '_' is printed unchanged.
        // Adding 65 instead of subtracting it gives the same result, because
        // 65 + 65 = 130 is a multiple of 26, and it keeps the left operand of %
        // positive.
        if (*p >= 'A' && *p <= 'Z')
            *p = (*p - v4 + 65) % 26 + 65;
        printf("%c", *p);
    }
    printf("}");
    return 0;
}
/*
#include <idc.idc>

static main()
{
auto addr = 0x00417001;
auto i = 0;
auto j = 0;
auto v5 = "swdd";
for(j = addr; j < 0x0041815B; j++)
PatchByte(j, Byte(j) ^ 4);
}
*/

H&NCTF{I_LOVE_SWDD_WHAT_ABOUT_YOU}

最喜欢的逆向题

自己看图:

not_re1.png

not_re2.png

not_re3.png

H&NCTF{Do_Y0u_like_F5_1n_Rev}

Author:Pinguw
Link:https://pinguw.github.io/2024/05/13/%E6%AF%94%E8%B5%9BWP/H&NCTF2024/