Xhy's Blog

Reverse and Think

0%

isc2019 Reverse&Misc&Crypto&Android Writeup

发表于

Reverse

Very easy

得到一个pyc文件,在线反编译得到python源码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 import base64
correct = 'VlxRV2uAiXOPeSWPhiOCaY91JGOJj4Qgj4JVhlVigyNt'
def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        print ord(i)
        x = x + 16
        s += chr(x)
    return base64.b64encode(s)


flag = ''
decode()
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'

逻辑是将输入的字符串逐位与32异或,再加十六,转回ascii码。

解密函数

1
2
3
4
5
6
7
8
9
10
 import base64

correct = 'VlxRV2uAiXOPeSWPhiOCaY91JGOJj4Qgj4JVhlVigyNt'
def decode():
    s = ''
    message = base64.b64decode(correct)
    for i in message:
        x = (ord(i)-16)^32
        s+= chr(x)
    print s

调用解得flag
flag{PYC_I5_V3Ry_E4sY_T0_ReVerS3}

Rev1

运行发现点击动态菜单后左上角会出现菜单,点击后弹出提示flag不在这里,一定是你的打开方式不对

应该是C++编写的GUI程序,IDA打开。Shift+F12找到该字符串,定位到关键代码

Show flag菜单并没有出现,对应的点击事件是7u,非常可疑。于是把点击flag不在这里...对应的id改成7(截图中已修改,原本为6),这样就会跳转到case 7u了。
保存后运行:

直接点击确定弹出提示框failed,于是搜索字符串定位到DialogFunc函数:

可以看到它取了前两个输入框字符串的前十位,再转化成int,点开sub_4022C0函数,功能是将这两个int值存入数组,由下面两个数字看出,是md5算法(后面动态调试也验证了),所以a b分别为:1732584193,-271733879;

看关键函数sub_401920,只有它返回1才会提示”success”

(sub_4019B0是一个计算的函数,后面会贴出来。)
逻辑就是将md5后得到的字节集逐位比较,如果16位的计算结果全部符合才不会返回0。Dump出dword_407060 和dword_407064写程序爆破即可。
代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#include <iostream>

using namespace std;
int check1(int a1)
{
    int xx = ((4 * (4 * (4 * (a1 ^ 276) ^ 1300) ^ 6425) ^ 2064) >> 4) & 255;
    return xx;
}
int main(void)
{
    unsigned int arr0[] = {0xAF, 0x97, 0x9B, 0xBF, 0xAF, 0xAB, 0x93, 0x97, 0x97, 0xAF, 0x9B, 0xAF, 0x83, 0xAB, 0xB3, 0xB3, 0x8F, 0x9F, 0x9F, 0xBF, 0xB3, 0x83, 0xA3, 0x97, 0x83, 0xBF, 0x9F, 0xA3, 0xB3, 0xA3, 0x9F, 0xBB};
    unsigned int arr1[] = {0x97, 0x9B, 0xBF, 0xAF, 0xAB, 0x93, 0x97, 0x97, 0xAF, 0x9B, 0xAF, 0x83, 0xAB, 0xB3, 0xB3, 0x8F, 0x9F, 0x9F, 0xBF, 0xB3, 0x83, 0xA3, 0x97, 0x83, 0xBF, 0x9F, 0xA3, 0xB3, 0xA3, 0x9F, 0xBB};
    unsigned int arrRes[16] = {};

    for (int i = 0; i < 16; ++i)
    {
        for (int j = 0; j < 0xff; ++j)
        {
            if (check1(j / 16) == arr1[2 * i] && check1(j % 16) == arr1[2 * i])
            {
                arrRes[i] = j;
            }
        }
}
//处理arrRes
}

arrRes转成16进制字符串得到b56fba455b6b0acc377fc0850f78c87e
cmd5查询得到inithex
所以flag为:
flag{inithex}

Rev2

是一个.Net编写的程序,使用DnSpy反编译,定位到按钮点击事件btnLogin_Click,关键代码:(将53个int转换为char并提示框输出)


直接将这块if判断去掉(省得输入账户名和密码,其实只是明文比较),然后删掉提示框和退出代码,改为this.txtUsername.Text = expr_1B;(方便复制)
点击登录后得到flag:
flag{ST0RING_STAT1C_PA55WORDS_1N_FIL3S_1S_N0T_S3CUR3}

Confused

这题是DDCTF2019的原题改编,大致思路是还原成vm分支,并反编译出原始的字节码,再看逻辑。但是由于有官方以及其他大佬的writeup,就可以直接跳过这一步了。
直接dump出vmp的字节码(0000000100001984到0000000100001A5F段),使用脚本提取并转换得到flag,脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import string
import binascii
import re

def rot2(s):
    res = ''
    for i in s:
        if i in string.ascii_lowercase:
            res += chr((ord(i)+2-97)%26+97)
        else:
            res += chr((ord(i)+2-65)%26+65)
    return res

f=open('code' ,'rb')
byte = f.read()
hexstr = binascii.b2a_hex(byte).decode("utf-8")
f.close()
code = str(bytes.fromhex(hexstr))
data = re.findall(r"\\xf0\\x10(.)", code)
for x in data:
    print(rot2(x),end="")

得到wellDoneYouGotFlag,补上flag{}, 即为
flag{wellDoneYouGotFlag}

Driver

这是一道windows x64驱动题,IDAx64打开,发现是kmdf驱动,在驱动入口(DriverEntry)找到初始化函数sub_14000136C

sub_14000136C伪代码(已重命名DeviceIOControl对应的函数为EvtIoDeviceControl):

MajorFunction ARRAY得知MajorFunction[14]对应的就是DeviceIOControl的回调事件,点开该函数:

有一个判断,比较IRP结构体中的某个参数,猜测2236608就是DeviceIOControl的控制码,转为16进制得到0x2220C0,得到flag:flag{0x2220C0}

Crypto

这不是RSA

解压得到加密脚本和密文txt,加密脚本如下:

1
2
3
4
5
6
7
from Crypto.Util.number import *
n=78254248636015593835240633798863091700627717386691577477092682528163871016876505150029125504913239471031625603543714863111930320484046060277104490993992760201739654592985790646481874929501002685674693070932718419433233282362127481768346180682337775258548134665766168438958869215232287958331412209851903015993147813403335636241185471268696861237357489
e=65537
flag=""
m = bytes_to_long(flag)
cipher= pow(m, e, n)
print 'enc =\n', long_to_bytes(cipher).encode('base64')

使用yafu分解n得到三个素数,所以并不是常见的双素数RSA(照应标题)
计算逆元d=gmpy2.invert(e,(p-1)*(q-1)*(r-1)),然后解密
完整解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import gmpy2
import base64
import binascii

e = 65537
p = 770844001450150079027
q = 770844001450150079027
r = 131696711774631388724696374141133302602864637655367012223684455998047506211758798362800780190209887743575322213844983227253151336958534430970453483593114760962550640332722427237065424337658925348481895740606075180895738536517015514878001551520897972712812008434603925106486775952953967700332121413344165370441
p = gmpy2.mpz(p)
q = gmpy2.mpz(q)
r = gmpy2.mpz(r)
N = p*q*r

phi = (p)*(q-1)*(r-1)
d = gmpy2.invert(e,phi)
c = "6BVlzzRsSLMRXld3VuLjsFLWMk4BbsF/o5aCfj/CMv4HCnLeBX6Iejhy4+NstQtTL/zb6cPv5RJVpddt7ddoT0iyTBmKZl2qmwMg7aoXqCobfhbj/hstU0T/Rod0TPIteLWUKUXMvdPZZYXSeMyqAy9ZrkD2uDvetieZaMZD0BpmyERB4nVSVxPhG9NPq+P36Q=="
c = base64.b64decode(c)
c = binascii.hexlify(c)
c = int(c,16)
res = gmpy2.powmod(c,d,N)
print("dec",res)
hexstr = hex(res)[2:]
print("dec_hex",hexstr)
print("dec_ascii",binascii.unhexlify(hexstr).decode("utf-8"))

Misc

签到题

提示查看公告,公告部分内容如下:

1
2
3
5. 未特殊说明, flag的形式均为flag{xxx}
6. Have fun;
▢我已阅读并同意遵守公告内容

xxx我已阅读并同意遵守公告内容的背景色相同,所以flag为:
flag{我已阅读并同意遵守公告内容}

流浪地球

2019iscc Misc中的welcome,稍作修改
文本中只出现了这两个词组,频率如下:

點燃 木星:6270
流浪地球 計劃:3802
所以把前者替换为0,后者替换为1,得到一大串二进制数。
根据提示:八位小端,写脚本转换

1
2
3
4
5
6
7
8
9
10
11
b = "0110101000000100110100101110101011110010100100100000010011000010111010101111001001101010100100101000101000110100000001000010101000011010011100100000010001101010000001000101001011101010000010101000101001101010101100101001001001001010000001001100001011101010100010100111001000000100111010101000001000000100011100101010101010010010110000100000010000100010010010101001001000000100000010101110101001110010000001000101101011101010010010100111001010101010000001001110101010000010000001001100101011101010011010100000101011001010000001000111001011101010000001000111001010101010100100100000010001110010101010101001001000100010011100101001001001001010011101000000010001110010101010101001001000000100011100100100101000100010011010101101001010010010010010100000010000101010111010100001101011001010101010100111001000000100110000101001001000000100011100101110101000000100011100101010101010010010000001000111001010101010100100100010001001110010100100100100101000000100100000101110101001001010000001001000101010010010111100101001001001001010001000101101001000000100010010101001001000100010100010101110101000001010100010100111010001010000010100000100010001011010101010100010001001110010000001000101101001101010110100101101001000000100101010100010001000110010001100101001001000001010000001000110101010000010000001000111001010101010100100100000010010001010000110100000101000000100101100100110101010001010001000100011001000110010100100100010001001001010111111000100010000000100010001001010101011101010010110100000010010101010000110101100001000100010000010100000010000101010100100100110101000001010110010101000101000000100100010100001101001001010111100100110101011110010100100100000010001101010100000100000010001110010101010101001001000000100100010100001101000001010000001001001001010100010001100101101001011101010101100101001001010001010111111000100010000000100011100101010101010010010010010101001001000000100001000100100101010010010000001001100101011101010111010101011001000000100100000100110101001010010011100100110101011101010000010101000101000000100001000100000101010110010000001001000101010010010010010100110101011101010000110101000101000000100100010100101001001101010100100100000101001010010100100100000010000101010100100101010101001101010000010101011001000000100011100101010101010010010000001000111001001011010111010100000010001000010000110101001001010001010011100100110101011101010000010101000101000110100000001000010101000011010011100100000010001110010101010101001001001001010100100100000010001101010100010100000010000001010100100101111001010010010010010100000010000100010000001001100001011101010111100100110101010010010000001000111001000100010110100101110001001101010000010101100101000000100001000100010101011101010000110100111001000000100011010100111001001110100010100000101000011000010001000101110001001101010000010101100101000000100001000100000010011001010111010101110101010110010000001001000101001010010011010101011010010000010011010100011010000000100100110101110101000011010000001000000101010010010100100101011001000000100110010101110101011101010101100100000010010001010010100100110101010010010000010100101001010010010000001000010101010010010101010100110101000001010101100100000010001101010011100100111010000000100011100101010101010010010010010101001001000000100001000100100101010010010000001000010001000000100110100101110101001110010000001001110101010000010000001000011001010101010100110101000101001101010010100101000101000000100010000100110010000100010000001001000001011101010010010100000010010001010110000100010001011010010110100100000010010110010100100100111001000100010011010101101001010001010000001000110101000001010000001000111001010101010011010101000101000000100110000101110101011110010011010101001001001110100000001000100010001011010101010101001101000000100000010101110101001110010000001000110001000011010100010100111001000000100001010100001101001101010110100101011001000000100010010101110101001010010111000101001001001110010000001001000101010101010011010100011001010001010000001000010001000001010101100100000010001110010001000101110001010010010000001001010101000011010110000100010001000001010000001000010101010010010011010100000101011001010100010100000010001110010111010100000010000100010000010101110101001110010101010101001001001001010000001000011001011010010001000100000101010010010011100101111110001000100000001000100010001011010101010101001101000000100001000100111001011000010111010101000101000110010101010101001001001001010100100100000010000110010010010101001001010001010100010100001101001001010100100100000010010101010001000101000101000000100001000100000101010011010011100101010101001101010000010101100101000000100011100101110101000000100101100101110101000000100010110100110101001110010101010100000010011010010011010101000001001110010000001001000001011101010010010100101001010010010000001001000001011101010010010100000010000100010000010100000010000100010011010100100101001010010010010100010001010000010011100101111110001000100000001000101101010101010100100100000101000000100011010100000010001011010001000101000101000000100001000100000010011100010011010101011001000110100000001000110101000000100000110101000101010010010101100100000010001110010111010100000010001110010101010100110101000001010111000100000010000100010110100101101001000000100100010100101001001101010101101001000001001101010000001001100001011101010111100100110101010010010100010100000010010001010101010101110101000011010110100101011001000000100110000100010001011100010100100100000010010001010010100100110101010010010000010100111001001101010100000100110101001010010000001001000101010010010000010101000101010010010011101000000010001101010000001000100101010010010001000101101001001101010000100101001001010110010000001001010101011101010010110100000010000110010010010101001001001010010011010101110101000011010100010100000010001101010011100100000010001101010100010100000010000100010000001001000101001010010011010101011010010000010011010100000010011000010111010101111001001101010100100100000010001010010101010101110101011101010100010101001001000000100011100101110101000000100100010100111001001101010010100101110001000000100011100101110101000000100100010100101001001101010100100100000101001110010011010101000001001101010010100100000010000100010010100100101001000011010010010100010001001110010100100100111010000000100100100101111001010010010000010100000010001011010101010101001001000001010000001000110101000001010111100101001001010001010011100101110101001001010000001000101101001101010011100101010101010110010010010101001001001011010000001000111001010101010100100100000010011000010111010100000101010010010100110100000010000101010100100100101001000100010000110101000101010010010000001000111001010101010100100101001101000000100011100101010101001101010000010101110001000000100011010101000101000000100011100101110101011101010000001001010101000100010010010101011001010110100010100101110101001001010100100100000010000100010000010101011001000000100010110100110101011010010110100100000010010101010001000101111001010010010000001000000101011101010000001001100001000100010010010101110001010010010011100100111010001010000010100000111001010101010100100100000010010001010011100101110101001001010100110100011010000000100011010101000101000000100010010101001001000100010110100101101001010011010000001000010001000101010111010100001101001110010000001001010101011101010010110100000010000110010100100101110101000110010110100101001001000000100010100101010101011101010111010101000101010010010000001000111001011101010000001001010101010010010110100100011001000000100100100100010001001010010101010100000010011101010011100101010101010010010010010100000010000100010000010101011001000000100001010101110101000001010101100100000010001011010011010100111001010101010000001001001001000100010010100101010101000000100111010100111001010101010100100100100101000000100001000100000101010110010000001001010101011101010010110100000010000110010100100101110101000110010110100101001001000000100010100101010101011101010111010101000101010010010000001000111001011101010000001001000101000100010010100100100101001101010100000100110101001010010100100100111010000000100011100101010101010010010000001001110101000001010110100101001101000000100100010100011001011101010011010101101001010010010010010100000010001101010000001000101101001101010110100101101001000000100011100101001001011010010110100100000010010011010111010100001101000000100011010101000101001011100010100000101000000101010100100100110101001100010011010100000101011001010000001000000101011101010011101001100110000000100011100100100101000100010000010101000101000110010111010100100101001110010001000100111001001101010111010100000101000000100101100100110101011110010011010101000101001101010111010100000101000000100010010101001001011000010011010100000101010110010100010100000010010011010111010100001101001110100000001000100101011101010000110100111001010010010100010100000010000100010010010101001001000000100010100101110101000011010000010100111001011010010100100101000101010001010011101000000010010001010001000101000001010010010011100101001101000000100011010101000101000000100100000101110101001001010100100101100001011101010100010100111001001110100000001000001101000001010010010101001001011001010000110101101001000100010011100101001001010110010000001001011001001001010011010101111001001101010000010101100101001110100000001001101001011101010111100101001001010110010000001001110101000001010100100101000101000000100100100100000101010110010000001000001101000110010000001000110101000001010000001000111001010010010001000100100101010001010011101000101000001010000001000100000101010110010000001000011001001001010100100100011001000100010010010101001001000000100011100101110101000000100010100100100101010011010000001001000001011101010010010100000010001110010101010101001001000000100100010100111001011101010010010101001101001110100010100000101000010000010110100100010001011001010110111100111001010101010100100100101101000100010000010101011001010010010010010100110101000001010110010101001001000100010010010100111001010101010111110101001101001100010111000100100001001000010100110100111001001000010110100101101001010111110"

flag = ""
i = 0
while i < len(b):
    s = b[i:i+8]#8位
    s= s[::-1]#小端
    flag += chr(int(s,2))
    i += 8

print(flag)

得到:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
V KWOI CWOVIQ, TXN V JWPQVMIR CWQN WA NUIC DRI PWN ZWRNU WA SWVPS NW NUI NUIDNIR. NUI NRDVKIR TWXSUN CI NW NUI NUIDNIR AWR QIOIRDK RIDQWPQ.

"ZUDN ZVKK UDLLIP VA NUI QXP MVQDLLIDR?" "UWZ UXCDP TIVPSQ QXROVOI VA NUI QXP IELKWMIQ?" NUIRI DRI SWWM AVJNVWPQ DPM QIRVWXQ QJVIPJI TIUVPM NUI NZW BXIQNVWPQ, TXN NUIRI VQ PIOIR D CWOVI NDKGVPS DTWXN VN.

CDGVPS D SWWM QJV-AV, YWX PIIM SWWM QJVIPJI TIUVPM VN. NUIRI DRI D KWN WA LUYQVJQ B&D AWR QCDKK MINDVKQ VP NUVQ CWOVI. "ZUY PWN FXQN TXVKM RWJGIN QUVLQ DPM
NDGI UXCDP TIVPSQ NW DPWNUIR LKDPIN?" "ZUY DNCWQLUIRI LRIQQXRI UDQ DPYNUVPS NW MW ZVNU KVAN AWRJI AWR DP DVRJRDAN?" ZUIP V ZDQ D GVM, V XQIM NW NUVPG DKK QJV-AV CWOVIQ QUWXKM CDGI QJVIPNVAVJ QIPQI. V RIDKVHIM UWZ LRIJVWXQ VN VQ D QJV-AV CWOVI JUWWQI NW QNVJG NW QJVIPNVAVJ DJJXRDNI. IOIP ZUIP VPOIQNWR ZVNUMRIZ NUI CWPIY TIJDXQI NUIY NUVPG VQ NWW UDRM-JWRI DPM ZVKK UDOI PW CDRGIN.

NUI QNWRY, VQ RIDKKY DTWXN UWZ LIWLKI JUWWQI NW UIKL IDJU WNUIR DPM TWPM ZVNU IDJU WNUIR DPM UWZ LIWLKI JUWWQI NW QDJRVAVJI. NUI WPKY QLWVKIR V ZVKK NIKK YWX VQ:

TIVFVPS PW.3 NRDPQLWRNDNVWP MVOVQVWP RICVPMQ YWX. RWXNIQ DRI JWXPNKIQQ. QDAINY VQ AWRICWQN. XPRISXKDNIM MRVOVPS. KWOIM WPIQ IPM XL VP NIDRQ.

DPM LRILDRI NW JRY AWR NUI QNWRY.

AKDS{NUIZDPMIRVPSIDRNU_YFGBBYNBKK}

使用WinCrypto进行词频分析,得到flag
FLAG{THEWANDERINGEARTH_YJKQQYTQLL}

Executable

得到一个后缀名为exe的文件,使用010Editor打开,发现实际上是由PNG和ZIP拼接而成,第一个字节做了修改,修正后得到一张二维码,解析得到
pass{Nope!}
压缩包密码:Nope!
压缩包中有100个二维码png,使用脚本解析发现是base64后的字符串,再次解码得到提示:flag_is_not_here
所以flag不在二维码中
查看这一百个文件发现有一个大小异常,10k(其他都是1k, 2k)
使用010Editor打开,发现后面附有一个zip文件,解压后打开txt得到flag
flag{U_R_S0_Sp3ciA1}

Android

HelloCTF

逆向发现是Flutter框架写的,以前没逆向过这种app,所以这题卡了很久。
查看网上关于该框架源码的解析,突然想到会不会输出日志。
于是打开Android Studio,连上手机,查看LogCat
点击获取flag按钮后,app输出了一串base64后的字符串,尝试输入base64解码后的字符串,提示密码错误。
直接填入base64后的字符串得到flag
flag{h4l10_Ctffff}

参考

2019DDCTF部分wp
DDCTF2019官方Write Up——Reverse篇
iscc2019 misc