码迷,mamicode.com
首页 > 其他好文 > 详细

hgame week2 week3

时间:2020-03-18 14:02:59      阅读:95      评论:0      收藏:0      [点我收藏+]

标签:upx   new   equals   x64   i++   put   mba   decrypt   第一部分   

RE

1,babypy

对字节码硬怼,就可分析出大致逻辑是倒序后异或

c=[0x7d,0x03,0x7d,0x04,0x57,0x17,0x72,0x2d,0x62,0x11,0x4e,0x6a,0x5b,0x04,0x4f,0x2c,0x18,0x4c,0x3f,0x44,0x21,0x4c,0x2d,0x4a,0x22]
c.reverse()
flag=[]
for i in range(len(c)):
    if i!=len(c)-1:
        print(chr(c[i]^c[i+1]),end=‘‘)
    else:
        print(chr(c[i]))

得到flag

2,unpack

题如其名,手脱upx壳,虽然简单,但linux上还是第一次脱

用ida调试,f8不跑飞就不用f7,一直到

技术图片

 

 f7进去,再一直f8

技术图片

 

 到了一个跳转,f8

技术图片

 

 可以看到入口点0x400890,继续f8

技术图片

 

 来到了入口,dump出来

#include <idc.idc>
#define PT_LOAD              1
#define PT_DYNAMIC           2
static main(void)
{
         auto ImageBase,StartImg,EndImg;
         auto e_phoff;
         auto e_phnum,p_offset;
         auto i,dumpfile;
         ImageBase=0x400000;
         StartImg=0x400000;
         EndImg=0x0;
         if (Dword(ImageBase)==0x7f454c46 || Dword(ImageBase)==0x464c457f )
  {
     if(dumpfile=fopen("G:\\dumpfile","wb"))
    {
      e_phoff=ImageBase+Qword(ImageBase+0x20);
      Message("e_phoff = 0x%x\n", e_phoff);
      e_phnum=Word(ImageBase+0x38);
      Message("e_phnum = 0x%x\n", e_phnum);
      for(i=0;i<e_phnum;i++)
      {
         if (Dword(e_phoff)==PT_LOAD || Dword(e_phoff)==PT_DYNAMIC)
                         {
                                 p_offset=Qword(e_phoff+0x8);
                                 StartImg=Qword(e_phoff+0x10);
                                 EndImg=StartImg+Qword(e_phoff+0x28);
                                 Message("start = 0x%x, end = 0x%x, offset = 0x%x\n", StartImg, EndImg, p_offset);
                                 dump(dumpfile,StartImg,EndImg,p_offset);
                                 Message("dump segment %d ok.\n",i);
                         }
         e_phoff=e_phoff+0x38;
      }

      fseek(dumpfile,0x3c,0);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);

      fseek(dumpfile,0x28,0);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);
      fputc(0x00,dumpfile);

      fclose(dumpfile);
        }else Message("dump err.");
 }
}
static dump(dumpfile,startimg,endimg,offset)
{
        auto i;
        auto size;
        size=endimg-startimg;
        fseek(dumpfile,offset,0);
        for ( i=0; i < size; i=i+1 )
        {
        fputc(Byte(startimg+i),dumpfile);
        }
}

再看dump出来的文件,用ida打开,

技术图片

 

 逻辑就十分简单了,脚本就不放了。

1,crackme

c#写的,关键代码

private void button1_Click(object sender, EventArgs e)
{
    if (this.status == 1)
    {
        MessageBox.Show("你已经激活成功啦,快去提交flag吧~~~");
        return;
    }
    string text = this.textBox1.Text;
    if (text.Length != 46 || text.IndexOf("hgame{") != 0 || text.IndexOf("}") != 45)
    {
        MessageBox.Show("Illegal format");
        return;
    }
    string base64iv = text.Substring(6, 24);
    string str = text.Substring(30, 15);
    try
    {
        Aes aes = new Aes("SGc0bTNfMm8yMF9XZWVLMg==", base64iv);
        Aes aes2 = new Aes("SGc0bTNfMm8yMF9XZWVLMg==", "MFB1T2g5SWxYMDU0SWN0cw==");
        string text2 = aes.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I=");
        if (text2.Equals("Same_ciphertext_"))
        {
            byte[] array = new byte[16];
            Array.Copy(aes2.EncryptToByte(text2 + str), 16, array, 0, 16);
            if (Convert.ToBase64String(array).Equals("dJntSWSPWbWocAq4yjBP5Q=="))
            {
                MessageBox.Show("注册成功!");
                this.Text = "已激活,欢迎使用!";
                this.status = 1;
            }
            else
            {
                MessageBox.Show("注册失败!\nhint: " + aes2.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I="));
            }
        }
        else
        {
            MessageBox.Show("注册失败!\nhint: " + aes2.DecryptFromBase64String("mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I="));
        }
    }
    catch
    {
        MessageBox.Show("注册失败!");
    }
}

可见又是将输入分为两半,第一部分作为初始向量,使加密后的mjdRqH4d1O8nbUYJk+wVu3AeE7ZtE9rtT/8BA8J897I=变为Same_ciphertext_

第二部分将Same_ciphertext_和第二部分相加后加密为byte后将后十六位转为base64等于dJntSWSPWbWocAq4yjBP5Q==

就第一部分,已经得到了明文,密文,和密钥,根据aes加密的方式,只要将明文作为向量对密文进行解密就可得到真实的初始向量,

第二部分,因为只给了后半部分base64,将其转为十六进制,为了知道前面的部分,我以Same_ciphertext_123456789012345的格式进行加密,从而得到了其前半部分的十六进制,拼在一起后转为base64,再进行aes解密,得到第二部分

拼起来得到flag

hgame{L1R5WFl6UG5ZOyQpXHdlXw==DiFfer3Nt_w0r1d}

 

WEEK3

Misc

1,三重隐写

给了三个音频,其中一个播放时

技术图片

 

 扫码得到

AES key: 1ZmmeaLL^Typbcg3

第二个文件名有LSB可知是LSB隐写,用slienteye得到

Stegano key: uFSARLVNwVIewCY5

那么可猜到第三个音频是mp3隐写,用mp3stego得到

Zip Password: VvLvmGjpJ75GdJDP

打开压缩包得到flag.crypto

题目贴心的给了解密软件,得到flag

 RE

1,oooollvm

其实这题我连混淆都没去~

本来看到ollvm,第一反应是想用deflat去的,结果总有几个流程算不清,就一直没再看,快结束了时候想起来看了看

技术图片

 

 这十分可疑啊

table1=[0x31,0x0E,0x10,0x38,0x06,0xA1,0x64,0x26,0x04,0x36,0xC1,0x2B,0xA4,0x07,0x7C,0x0C,0x94,0x06,0xC2,0x51,0xC4,0x01,0x4E,0xC1,0xB9,0x50,0xCE,0x8D,0xB1,0x45,0x44,0x9D,0x3F,0xA1]
table2=[0x59,0x68,0x73,0x56,0x6F,0xDD,0x25,0x61,0x40,0x69,0xA6,0x69,0xD9,0x47,0xD5,0x78,0xCB,0x7A,0xA4,0x28,0xBD,0x6E,0x4F,0xBA,0xA4,0x3D,0xB6,0xFB,0xEC,0x2F,0x12,0xF0,0x1A,0xBF]

for i in range(len(table1)):
    table1[i]=int(table1[i],16)
    table2[i]=int(table2[i],16)

for i in range(len(table2)):
    for s in range(30,127):
        if((~s & (table1[i]+i) | ~(table1[i]+i) & s)==table2[i]):
            print(chr(s),end=‘‘)
            continue

得到flag

 

hgame week2 week3

标签:upx   new   equals   x64   i++   put   mba   decrypt   第一部分   

原文地址:https://www.cnblogs.com/harmonica11/p/12231840.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!