
CISCN2024-Reverse部分题解

很菜,初赛只出了三道题。

CISCN2024

asm_re

拿到手是IDA的view界面,

main函数的逻辑交给GPT分析,是简单的加减乘除和异或(GPT给出的常量最好再对照汇编核对一遍),

data段手动dump出+解密:

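# Bytes transcribed by hand from the data segment shown in the IDA listing.
# Each group of four bytes is one little-endian word; the two high bytes are
# zero in every group, so each word fits in 16 bits.
data = [
    0xD7, 0x1F, 0x00, 0x00, 0xB7, 0x21, 0x00, 0x00,
    0x47, 0x1E, 0x00, 0x00, 0x27, 0x20, 0x00, 0x00,
    0xE7, 0x26, 0x00, 0x00, 0xD7, 0x10, 0x00, 0x00,
    0x27, 0x11, 0x00, 0x00, 0x07, 0x20, 0x00, 0x00,
    0xC7, 0x11, 0x00, 0x00, 0x47, 0x1E, 0x00, 0x00,
    0x17, 0x10, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00,
    0xF7, 0x11, 0x00, 0x00, 0x07, 0x20, 0x00, 0x00,
    0x37, 0x10, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00,
    0x17, 0x1F, 0x00, 0x00, 0xD7, 0x10, 0x00, 0x00,
    0x17, 0x10, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00,
    0x67, 0x1F, 0x00, 0x00, 0x17, 0x10, 0x00, 0x00,
    0xC7, 0x11, 0x00, 0x00, 0xC7, 0x11, 0x00, 0x00,
    0x17, 0x10, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00,
    0x17, 0x1F, 0x00, 0x00, 0x07, 0x11, 0x00, 0x00,
    0x47, 0x0F, 0x00, 0x00, 0x27, 0x11, 0x00, 0x00,
    0x37, 0x10, 0x00, 0x00, 0x47, 0x1E, 0x00, 0x00,
    0x37, 0x10, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00,
    0x07, 0x11, 0x00, 0x00, 0xD7, 0x1F, 0x00, 0x00,
    0x07, 0x11, 0x00, 0x00, 0x87, 0x27, 0x00, 0x00,
]

WORD_SIZE = 4

# Number of encoded characters: one word per character.
print(len(data) // WORD_SIZE)

# Rebuild the words directly from the dump. The original printed them as hex
# text and pasted that text back into the script by hand, which is an easy
# place for a transcription slip and hard-codes the length.
flag = [
    int.from_bytes(bytes(data[i:i + WORD_SIZE]), "little")
    for i in range(0, len(data), WORD_SIZE)
]
print(', '.join(hex(word) for word in flag), end=', ')
print()

# Undo the arithmetic applied per character: subtract 30, XOR 70, subtract 20,
# then divide by 80.
# NOTE(review): with the constant 70 the value before the division is never an
# exact multiple of 80 (the remainder is 11 for every word in this dump); only
# the floor division makes the output come out right. XOR-ing with 0x4D
# instead gives exact multiples for every word here, so the constant reported
# for main() is worth checking against the disassembly.
plain = ''.join(chr((((word - 30) ^ 70) - 20) // 80) for word in flag)
print(plain, end='')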

flag{67e9a228e45b622c2992fb5174a4f5f5}

androidso_re

从jadx中看到用的是CBC模式的DES,

jadx

进so看getkey和getiv的加密方式,

key是简单的RC4加异或,iv是凯撒密码。

key:

key

iv:

iv1 iv2

对key和iv的解密:

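# Two byte strings taken from the native library's getkey routine. Per the
# write-up the key is "RC4 plus XOR"; RC4_key is presumably the RC4 stage's
# output and xor_key the mask applied on top of it (confirm against the .so).
RC4_key = [0x42, 0xb1, 0x66, 0xdc, 0x03, 0x6d, 0x45, 0x1b, 0xc2, 0x3b, 0x58, 0xba]
xor_key = [0x03, 0x89, 0x33, 0xB8, 0x54, 0x0C, 0x20, 0x6A]

# Offset of the 8-byte window inside RC4_key. The listing used `k` without
# ever assigning it, so the script stopped with a NameError. 0 is the only
# offset in 0..4 for which all eight results are printable ASCII; treat it as
# an assumption until checked against the library.
k = 0

key_text = ''.join(chr(RC4_key[i + k] ^ mask) for i, mask in enumerate(xor_key))
print(key_text)

enc_iv = "F2IjBOh1mRW="


def _rotate_letter(ch):
    """Rotate one ASCII letter forward by 16 places; leave other characters alone."""
    # 97 - 81 == 65 - 49 == 16, so both branches apply the same shift
    # (forward 16, i.e. back 10) within their own alphabet.
    if ch.islower():
        return chr(ord('a') + (ord(ch) - 81) % 26)
    if ch.isupper():
        return chr(ord('A') + (ord(ch) - 49) % 26)
    return ch


# Digits and the '=' padding pass through unchanged.
iv_text = ''.join(_rotate_letter(ch) for ch in enc_iv)
print(iv_text, end='')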

DES的解密:

des

flag{188cba3a5c0fbb2250b5a2e590c391ce}

gdb_debug

debug1 debug2

动调出两处xor_key和一个sbox,然后写代码解密:

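# Decryption for gdb_debug: the stages are undone in reverse order
# (text-key XOR, second XOR key, byte permutation, first XOR key).
# All tables below were captured while debugging; each carries two trailing
# zero bytes that are never read.
FLAG_LEN = 38

# ---------------------------------------------------------------------------
# Last stage: XOR with a repeating text key.
enc_flag = [
    0xBF, 0xD7, 0x2E, 0xDA, 0xEE, 0xA8, 0x1A, 0x10, 0x83, 0x73,
    0xAC, 0xF1, 0x06, 0xBE, 0xAD, 0x88, 0x04, 0xD7, 0x12, 0xFE,
    0xB5, 0xE2, 0x61, 0xB7, 0x3D, 0x07, 0x4A, 0xE8, 0x96, 0xA2,
    0x9D, 0x4D, 0xBC, 0x81, 0x8C, 0xE9, 0x88, 0x78, 0x00, 0x00,
]
key = "congratulationstoyoucongratulationstoy"

for i in range(FLAG_LEN):
    enc_flag[i] ^= ord(key[i])

# ---------------------------------------------------------------------------
# Second XOR key. c and d look like the same buffer before and after that
# XOR stage (TODO confirm), so c ^ d is the key stream.
# They were first pasted as 16-hex-digit strings and split into bytes in
# reverse order by a small helper loop that is no longer needed.
c = [
    0x03, 0x12, 0x0C, 0x4C, 0xC6, 0x26, 0x8C, 0x63,
    0xB6, 0x87, 0xB0, 0x6F, 0x1A, 0xCB, 0x9B, 0xFD,
    0xBC, 0x52, 0x79, 0x93, 0x19, 0x6A, 0xDA, 0x4E,
    0x7B, 0xF9, 0xC4, 0xBB, 0xF1, 0x7E, 0x9D, 0x1E,
    0x44, 0xD6, 0xC5, 0x50, 0xBF, 0xEE, 0x00, 0x00,
]
d = [
    0xDD, 0xB8, 0x4E, 0xB0, 0xCF, 0xCE, 0x3E, 0x65,
    0xBB, 0x14, 0xD1, 0x9B, 0x3E, 0x82, 0x8E, 0xFC,
    0x6B, 0xF9, 0x7D, 0x8B, 0xD6, 0x83, 0x0F, 0xD8,
    0x48, 0x33, 0x3D, 0x91, 0xAF, 0x94, 0xB0, 0x22,
    0xD0, 0xB9, 0xFD, 0xCD, 0xE7, 0x04, 0x00, 0x00,
]

xor_key2 = [c[i] ^ d[i] for i in range(FLAG_LEN)]

for i in range(FLAG_LEN):
    enc_flag[i] ^= xor_key2[i]

# ---------------------------------------------------------------------------
# Permutation: byte i of the shuffled buffer goes back to position s_box[i].
s_box = [
    0x12, 0x0E, 0x1B, 0x1E, 0x11, 0x05, 0x07, 0x01,
    0x10, 0x22, 0x06, 0x17, 0x16, 0x08, 0x19, 0x13,
    0x04, 0x0F, 0x02, 0x0D, 0x25, 0x0C, 0x03, 0x15,
    0x1C, 0x14, 0x0B, 0x1A, 0x18, 0x09, 0x1D, 0x23,
    0x1F, 0x20, 0x24, 0x0A, 0x00, 0x21, 0x00, 0x00,
]

flag = [0] * FLAG_LEN

for i in range(FLAG_LEN):
    flag[s_box[i]] = enc_flag[i]

# ---------------------------------------------------------------------------
# First XOR key, recovered from a known input: a is a chosen test string and
# b is presumably what the first XOR stage produced for it (TODO confirm).
a = r"flag{0123456789abcdef0123456789abcdef}"
b = [
    0xBF, 0x63, 0x79, 0xDA, 0xBC, 0x26, 0xB0, 0x8C,
    0xCB, 0x7E, 0x50, 0xC4, 0x6A, 0x93, 0x12, 0x52,
    0xB6, 0xC6, 0x03, 0xFD, 0xF9, 0x4E, 0x1A, 0x6F,
    0xF1, 0x9B, 0xBB, 0x0C, 0x7B, 0x9D, 0x4C, 0x44,
    0xD6, 0xEE, 0x87, 0x1E, 0xC5, 0x19, 0x00, 0x00,
]

# The key list has to exist before it is filled. In the listing the
# `xor_key1 = [0] * 38` line sat after both loops, so the first assignment
# raised NameError.
xor_key1 = [0] * FLAG_LEN

for i in range(FLAG_LEN):
    xor_key1[i] = ord(a[i]) ^ b[i]

for i in range(FLAG_LEN):
    flag[i] ^= xor_key1[i]

# ---------------------------------------------------------------------------

print(''.join(map(chr, flag)), end='')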

flag{78bace5989660ee38f1fd980a4b4fbcd}

Author:Pinguw
Link:https://pinguw.github.io/2024/05/22/%E6%AF%94%E8%B5%9BWP/CISCN2024/