2023 12月第4周周报
一、完成事项
- 64位手动脱壳!
- 使用CFF Explorer组织系统ASLR重定位
- 尝试gdb调试,ida远程调试
- 学习特征值主要算法TEA,DRS,MD5
二、未完成事项
三、下周待做事项
四、本周学习的知识
一、读师傅们周报的启发
- Fi1ix: AES和SM4,大小端序的问题,迷宫脚本
- lyp: ida伪代码里的字符串是小端序,shift+E提取地图数据
- lo1see:gmbh和flag的ASCII码值差1
二、UPX手动脱壳(64位)
示例为 [SWPUCTF 2022 新生赛]upx 中的附件(64位,UPX3.96壳),可以用工具脱壳。下面尝试手动脱壳。
XP后的系统都有ASLR(地址空间随机化),导致dump后程序运行出错,因此我们首先用CFF Explorer修改该文件的Nt Header,禁用ASLR
在Nt Header下的Optional Header里修改Characteristics,勾选Relocation info srtipped from file。关闭后记得保存。
用x64dbg打开文件,进入系统断点(push rbx)。![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703060716908-6b329cee-abd1-4cf5-9835-79e1013ecf82.png#averageHue=%23e3ded9&clientId=ua6b7ba7d-77e8-4&from=paste&height=130&id=u38d002a6&originHeight=195&originWidth=1740&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=38211&status=done&style=none&taskId=u4e2899ba-a9d1-4e74-a45a-19495785b41&title=&width=1160)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703060767030-f651d221-a482-4430-a01d-c7c6a731304d.png#averageHue=%23f0e9df&clientId=ua6b7ba7d-77e8-4&from=paste&height=453&id=ua8a3a13d&originHeight=679&originWidth=1351&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=143456&status=done&style=none&taskId=u9cbbce0b-e3b4-4d50-8654-8c98ba5368e&title=&width=900.6666666666666)
按F9到达该断点(这里要按两次,上面还有个别的什么断点)
F7走完push压栈部分![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703060837559-04b8181c-b671-43f9-bc21-f7f56ae807bb.png#averageHue=%23f1ebe3&clientId=ua6b7ba7d-77e8-4&from=paste&height=516&id=u24c4e1f3&originHeight=774&originWidth=1859&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=244919&status=done&style=none&taskId=u25d7f22a-790c-463d-9687-edbb94f2e1d&title=&width=1239.3333333333333)
观察到RSP的变化,在其上右键“在内存窗口中转到”
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703060955810-db50d2cb-0d1e-4a02-9ccf-2d0ff50fb815.png#averageHue=%23f6ebdd&clientId=ua6b7ba7d-77e8-4&from=paste&height=311&id=u8c5520e1&originHeight=466&originWidth=995&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=134107&status=done&style=none&taskId=uac69cf53-41b4-4f7f-bd0b-9d3eb954006&title=&width=663.3333333333334)
在右下角该地址右键,设置硬件断点
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703061010937-5bdcf378-3185-45d2-84fa-b5a3eb0d41e8.png#averageHue=%23f3ece0&clientId=ua6b7ba7d-77e8-4&from=paste&height=417&id=u63bd1c1a&originHeight=625&originWidth=1175&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=107686&status=done&style=none&taskId=u24884efb-ac57-4e89-bb5a-8b3402a9fd1&title=&width=783.3333333333334)
F9运行到断点处,看到下面的jmp大跳应该是入口,设置断点,F9跳过去
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703061172571-4175ed98-2b5f-4f32-86ce-1ec40281717e.png#averageHue=%23f2eada&clientId=ua6b7ba7d-77e8-4&from=paste&height=207&id=u5659b0a0&originHeight=311&originWidth=1111&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=63399&status=done&style=none&taskId=ua17073c9-5dfc-4603-841e-3d47b146f14&title=&width=740.6666666666666)
F7步入程序
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703061190788-eaf346a0-7bc6-4c65-9308-d79601441961.png#averageHue=%23f2ebe0&clientId=ua6b7ba7d-77e8-4&from=paste&height=371&id=udae569b1&originHeight=557&originWidth=1266&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=103604&status=done&style=none&taskId=u20024793-ea6c-4674-bd39-770e7effbc2&title=&width=844)
![aaa56cef3929b32cc82624303473f0a1.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062125756-8d93ad58-223f-459a-8e3c-7dbd4ce301ea.png#averageHue=%23f8efd9&clientId=ua6b7ba7d-77e8-4&from=paste&height=469&id=u8c252a7e&originHeight=704&originWidth=1694&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=137295&status=done&style=none&taskId=ue87adc9f-7aa1-4a53-8a0d-6878977f03a&title=&width=1129.3333333333333)
往下翻可以看到提示字符串
这就正式进入了原程序,可以进行dump了
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062109231-15a2b86b-86ad-4413-9a07-a790ace8eb61.png#averageHue=%23e9e1aa&clientId=ua6b7ba7d-77e8-4&from=paste&height=68&id=u9d34c665&originHeight=102&originWidth=331&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=7971&status=done&style=none&taskId=ue12dfe87-e58b-4f36-861d-2f1fc3d94bd&title=&width=220.66666666666666)
先点“IAT Autosearch”,再点“Get Imports”,在“Imports”中删除掉带有红色叉叉的,再点击“Dump”,之后“Fix Dump”选中之前的Dump文件,修复成功。
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062581014-69226ed9-fca1-456e-a3cf-156ca0f80913.png#averageHue=%23f0efed&clientId=ua6b7ba7d-77e8-4&from=paste&height=636&id=udba92b77&originHeight=954&originWidth=902&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=74809&status=done&style=none&taskId=uadb7aad3-f9e2-4d96-b05e-a2180b3006f&title=&width=601.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062591942-97d56a3e-217f-4a14-81b0-3459fb8aaaf9.png#averageHue=%23fbfaf9&clientId=ua6b7ba7d-77e8-4&from=paste&height=114&id=u21426f99&originHeight=171&originWidth=1036&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=15272&status=done&style=none&taskId=u2626571c-1b3a-428f-91af-120f4d5909a&title=&width=690.6666666666666)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062618831-5428b690-503d-475c-8f5c-2841b1d3a75f.png#averageHue=%23191919&clientId=ua6b7ba7d-77e8-4&from=paste&height=305&id=ua1fc9a00&originHeight=457&originWidth=868&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=33127&status=done&style=none&taskId=u42800dcd-a476-44eb-9353-dcb58c650dd&title=&width=578.6666666666666)
p04 副本_dump_SCY.exe 也可以正常运行
拖入IDA中,这里会不报错,Yes不用管它
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062668284-38f18adb-cd36-4e99-a514-35473bbbab6c.png#averageHue=%23e9e8e7&clientId=ua6b7ba7d-77e8-4&from=paste&height=161&id=u024fbc51&originHeight=242&originWidth=1226&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=33901&status=done&style=none&taskId=ua4eb6e31-4164-4b62-991f-933a40ccc49&title=&width=817.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062691879-fbd60cb0-32f1-4bc7-b687-097502d2c410.png#averageHue=%23f7f5f3&clientId=ua6b7ba7d-77e8-4&from=paste&height=581&id=ud8c2e686&originHeight=871&originWidth=522&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=94139&status=done&style=none&taskId=u80e0d326-a6b3-4f16-b87e-bbbe6863e6e&title=&width=348)
(由于某种神秘力量?)没有main函数,只能通过字符串来找函数
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062736078-6f63a34a-8791-4478-b1b5-eba05cd82573.png#averageHue=%23f7f5f3&clientId=ua6b7ba7d-77e8-4&from=paste&height=633&id=ud3525e5a&originHeight=950&originWidth=1317&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=189957&status=done&style=none&taskId=ufefcf24d-dd08-4fd1-8262-1f250b517f3&title=&width=878)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062749005-c197b4b2-b25f-4505-93f3-d480c9ab1960.png#averageHue=%23f6f5f3&clientId=ua6b7ba7d-77e8-4&from=paste&height=476&id=u11794eb0&originHeight=714&originWidth=1483&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=187192&status=done&style=none&taskId=u28e48492-6add-4d44-99d0-ae5e4414991&title=&width=988.6666666666666)
X键找一下位置
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062768325-09ba1d74-ff67-4638-9c92-f6808fb9a3cc.png#averageHue=%23fdfdfc&clientId=ua6b7ba7d-77e8-4&from=paste&height=657&id=u57ef7929&originHeight=985&originWidth=893&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=115029&status=done&style=none&taskId=ub71ad897-be0d-4e1b-a176-784fd0e6aa7&title=&width=595.3333333333334)
可以看到大致的代码
如果想把字符串展开看,可以(退到IDA View-A中)修改Segment,取消w勾选
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062843040-2b6a811a-8275-4198-8ad7-da7fea53bed6.png#averageHue=%23d3a764&clientId=ua6b7ba7d-77e8-4&from=paste&height=557&id=uab0310ea&originHeight=835&originWidth=842&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=95284&status=done&style=none&taskId=uf14deed4-9add-4f88-8241-7557faadb9c&title=&width=561.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062854959-f20be488-281d-44ca-9064-f7b3d530fbdd.png#averageHue=%23edecec&clientId=ua6b7ba7d-77e8-4&from=paste&height=345&id=uec00c77d&originHeight=517&originWidth=882&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=43179&status=done&style=none&taskId=u43d4f90e-92f7-40da-a84d-5c5004f895c&title=&width=588)
修复后
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703062918688-22ab31be-e768-4119-bcb9-0f84fde457da.png#averageHue=%23fcfcfb&clientId=ua6b7ba7d-77e8-4&from=paste&height=666&id=u49350ac1&originHeight=999&originWidth=1035&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=125836&status=done&style=none&taskId=ue7a7d41c-d34a-4b0e-8a01-c97900ecc21&title=&width=690)
显然sub_140001540是printf函数,脱壳结束
三、GDB调试(pwndbg)
-
打开文件:gdb ./2-simpleCrackme
Text Only |
---|
| `gdb --args ./ping -c 10 127.0.0.1`<br /> file命令
|
-
调试快捷键
- r:启动
- c:继续
- si:单步步入
- ni:单步步过
- finish:执行到当前函数返回
- b:断点
- intfo b(或l):列出所有断点
- del 序号:删除断点
- clear:删除指定位置断点(clear *main)
- 示例:
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703065545464-7dab42d4-35ba-45a3-9c1b-283920ce1995.png#averageHue=%23262a37&clientId=ua6b7ba7d-77e8-4&from=paste&height=609&id=u78684797&originHeight=913&originWidth=1373&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=622925&status=done&style=none&taskId=u086c02fd-3b11-4c8d-8806-999f9c39624&title=&width=915.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703065688854-d8e2fe8e-4862-472e-945d-e08878892598.png#averageHue=%23262937&clientId=ua6b7ba7d-77e8-4&from=paste&height=616&id=u172c93ea&originHeight=924&originWidth=1375&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=676857&status=done&style=none&taskId=u31e4f8ce-08fb-4c5e-8cf3-1fc9e451cb6&title=&width=916.6666666666666)
四、IDA远程调试
- 选择调试器
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703065874506-1dc608b8-f8af-42b0-b6d3-10dbe58e56cd.png#averageHue=%23d6a465&clientId=ua6b7ba7d-77e8-4&from=paste&height=109&id=u272fcb92&originHeight=164&originWidth=292&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=13225&status=done&style=none&taskId=ua4291149-2da9-4295-a9f9-dbf0e133d97&title=&width=194.66666666666666)
- 在虚拟机里查看域名,之后要用
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703066272941-117c5959-e42a-4d2e-9b84-f022e055cef2.png#averageHue=%232a2e3b&clientId=ua6b7ba7d-77e8-4&from=paste&height=407&id=ua1361de0&originHeight=611&originWidth=1172&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=404514&status=done&style=none&taskId=ua8d33d98-cdec-4d1c-b6dc-9ed215ec23a&title=&width=781.3333333333334)
- 填写IDA
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703066367571-d0971f79-0d72-4338-80a0-5080fe655c63.png#averageHue=%23efeeed&clientId=ua6b7ba7d-77e8-4&from=paste&height=324&id=u0a2a92d5&originHeight=486&originWidth=847&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=36984&status=done&style=none&taskId=ub39e39ac-a4e0-43f9-a50a-051912d40d5&title=&width=564.6666666666666)
- 虚拟机启动 ./linux_server64(视位数而定)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703066405826-c84e3a7b-54a3-4c28-b373-9d006c42ef19.png#averageHue=%23242835&clientId=ua6b7ba7d-77e8-4&from=paste&height=146&id=iKu22&originHeight=219&originWidth=1143&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=89551&status=done&style=none&taskId=u43f9297f-3171-434e-8704-0b8f7eaf2da&title=&width=762)
- 可以启动调试了
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703066453765-346585ae-6121-464f-81cd-203a49c55c2a.png#averageHue=%23a9c986&clientId=ua6b7ba7d-77e8-4&from=paste&height=1001&id=u5983b1f0&originHeight=1501&originWidth=2560&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=303421&status=done&style=none&taskId=u9e66573d-42fe-4e09-b290-25cf8c8330c&title=&width=1706.6666666666667)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703066484808-bd1d1edd-b486-453e-a881-9766dd32effa.png#averageHue=%23262937&clientId=ua6b7ba7d-77e8-4&from=paste&height=177&id=u670bb728&originHeight=265&originWidth=1199&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=150839&status=done&style=none&taskId=u52219417-b998-4849-9b7d-65661fafc8d&title=&width=799.3333333333334)
五、特征值算法
TEA
例题:babyre(unsolved)
运行内容:
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703292929461-53e11d77-421b-431e-b71d-c4943a57472a.png#averageHue=%231d1d1d&clientId=uf4dcdc88-8348-4&from=paste&height=173&id=ua115b7b3&originHeight=260&originWidth=580&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=13694&status=done&style=none&taskId=u7231fdf9-58b4-4d5e-8716-322e52fec7c&title=&width=386.6666666666667)
64位无壳
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703292981028-202d01e0-93a3-45a0-b963-fb0d68bf5a17.png#averageHue=%23f7f5f4&clientId=uf4dcdc88-8348-4&from=paste&height=538&id=udeb52b30&originHeight=807&originWidth=522&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=88638&status=done&style=none&taskId=udd5bb86b-8726-4b86-a6f2-62e908d3ecb&title=&width=348)
符号表被藏了,只能通过字符串寻找主函数
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703293008091-36a02f6f-6d13-4090-bd5e-bd9b96449dff.png#averageHue=%23e2ab69&clientId=uf4dcdc88-8348-4&from=paste&height=74&id=u74c90f72&originHeight=111&originWidth=746&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=18390&status=done&style=none&taskId=u142c432b-a184-45fd-975e-75991b61150&title=&width=497.3333333333333)
从字符串长度判断切入主函数
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703293031845-2348a441-7119-45ef-ae87-212be775467f.png#averageHue=%23fefefd&clientId=uf4dcdc88-8348-4&from=paste&height=565&id=ufb3fdb93&originHeight=847&originWidth=635&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=67084&status=done&style=none&taskId=u48d592cf-2c84-4b7e-96f6-b071e843766&title=&width=423.3333333333333)
20行应当是输入部分
24行 sub_140011019 应当是存储Str到一个数组
进26行 sub_14001106E 看一下:
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703293368313-4c812dd0-d9fb-4d76-8802-d153a4263b2e.png#averageHue=%23fcfcfc&clientId=uf4dcdc88-8348-4&from=paste&height=375&id=uded1d58b&originHeight=562&originWidth=1098&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=57532&status=done&style=none&taskId=uc9a1980b-f03b-436d-838e-d057e289bf0&title=&width=732)
转换为16进制:v3 = 0x90508D47; v3 -= 0x77BF7F99;
应该是TEA加密,倒推得到解密脚本中的 delta=0x90508D47-3340x77BF7F99=
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703296456652-297fcea8-2454-4c09-94a0-a338e735ef4f.png#averageHue=%23faf9f7&clientId=u0a37b7d7-d79b-4&from=paste&height=41&id=u01db8659&originHeight=61&originWidth=583&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=7886&status=done&style=none&taskId=uc4912c45-fe0f-4f66-a305-a50f800bb2e&title=&width=388.6666666666667)
byte_14001E000为密钥:49, 183, 182, 49
27行 sub_140011087 :
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703293553367-8666c05d-3d52-430a-93ea-5dd6d598d711.png#averageHue=%23fcfcfb&clientId=uf4dcdc88-8348-4&from=paste&height=524&id=u0b336782&originHeight=786&originWidth=761&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=79146&status=done&style=none&taskId=u2827dbf6-8f00-41ab-b5c4-501e7103f65&title=&width=507.3333333333333)
是一个拆字节的函数(对于从 a1 中读取的每个32位整数,使用一个内层循环将其拆分为四个字节)
最终存储到
byte_14001E218数组内
查一下byte_14001E040应该是密文:![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703293835399-ad0e5aa9-427c-4b73-b4e8-02cb9a89bcae.png#averageHue=%23f0f0e1&clientId=uf4dcdc88-8348-4&from=paste&height=29&id=u5e4e3839&originHeight=44&originWidth=1316&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=9181&status=done&style=none&taskId=u077389f5-c45b-43d0-9193-7f9a66636eb&title=&width=877.3333333333334)
224, 243, 33, 150, 151, 199, 222, 137, 155, 202, 98, 141, 176, 93, 252, 210, 137, 85, 28, 66, 80
六、ISCTF刷题
crackme
有upx壳,但是工具脱壳失败,直接手脱即可
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703307957541-cea8e0a2-10ef-4e07-a70e-946ff55b8310.png#averageHue=%23111111&clientId=u0a37b7d7-d79b-4&from=paste&height=306&id=u66967a9f&originHeight=459&originWidth=1376&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=60264&status=done&style=none&taskId=u0d54e8e5-432a-4921-b655-5f1d392a050&title=&width=917.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703307996081-fe2e3032-fc3e-4696-819b-dfa370d38126.png#averageHue=%23f9f9f8&clientId=u0a37b7d7-d79b-4&from=paste&height=251&id=u28c1e9a0&originHeight=376&originWidth=899&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=50800&status=done&style=none&taskId=ud826d87d-cb35-4468-8edb-2c82af94122&title=&width=599.3333333333334)
更简单的方法是拖进cmd可以直接运行!??
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308016334-c4692c6e-3a9e-4650-93d4-30174891dd44.png#averageHue=%231b1b1b&clientId=u0a37b7d7-d79b-4&from=paste&height=205&id=u14d7a9c8&originHeight=308&originWidth=983&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=31612&status=done&style=none&taskId=uc0da1983-b069-4a3e-b64c-231a24f8710&title=&width=655.3333333333334)
EasyRe(疑似错题)
64位无壳直接进
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308150391-a9782985-d013-419e-aafa-45dc9538b111.png#averageHue=%23fdfcfc&clientId=u0a37b7d7-d79b-4&from=paste&height=567&id=u2db23c44&originHeight=850&originWidth=836&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=78613&status=done&style=none&taskId=uda1ad93f-c035-447b-94b4-90ea511b269&title=&width=557.3333333333334)
可以看出 ]P_ISRF^PCY[I_YWERYC 是最终的密文(20位)
第一个循环:进行逐位异或
第二个循环:将字符串中的B和X换掉,但是IDA默认编译出来的-101-66显然是负数,本不应该输出任何字符,但是在C中却可以运行,分别换成了Y和C
![04a895d7d01f4a57ac297c45f55b1db9.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308273345-102b1269-6164-4e70-a6ca-f4dc8228ce50.png#averageHue=%231d1d1d&clientId=u0a37b7d7-d79b-4&from=paste&height=300&id=u3314759a&originHeight=450&originWidth=819&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=42552&status=done&style=none&taskId=u6cef8774-2b3e-4cd0-8ae5-3906b868421&title=&width=546)
苦思冥想后我发现,256-101-155,155-66=89正好对应Y,电脑自动把-101转换成155进行计算,因为出现了整数溢出,完整的0-256表从后往前溢出,才造成了这样的结果
选中“-101”(一定要包括负号),先转化为16进制,再换成十进制,就会变成155~~(IDA榆木脑袋!)~~
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308214442-644c3a3c-0ade-4440-ac97-6c7c96406612.png#averageHue=%23f9f9f9&clientId=u0a37b7d7-d79b-4&from=paste&height=84&id=u785f82ff&originHeight=126&originWidth=569&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=6121&status=done&style=none&taskId=u553be2ff-fd41-4d31-9f36-4a589b6db4c&title=&width=379.3333333333333)
第三个循环:看似是一个字符串逆序,实际上是将前半部分字符串对称到后半部分去,损失了一般的数据。这里好像是编错了,如果真是这样就没法解密。
如果当成是逆序,可以写出解密脚本:
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308557242-5b980bf2-c48b-475f-8338-12c2cbea23c2.png#averageHue=%23201f1f&clientId=u0a37b7d7-d79b-4&from=paste&height=603&id=u93b52774&originHeight=905&originWidth=833&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=110484&status=done&style=none&taskId=uc235ed54-003b-49b0-8052-036640a97fd&title=&width=555.3333333333334)
![image.png](https://cdn.nlark.com/yuque/0/2023/png/40787854/1703308576157-d27271a3-f20b-4ed9-882b-3b6e9c60006e.png#averageHue=%231f1f1f&clientId=u0a37b7d7-d79b-4&from=paste&height=190&id=u8db2b810&originHeight=285&originWidth=1268&originalType=binary&ratio=1.5&rotation=0&showTitle=false&size=36712&status=done&style=none&taskId=uaafba0a7-f327-45ba-ad43-5bbde27b666&title=&width=845.3333333333334)
出现了正常的flag,应该是题目出错了。
babyre
pyinstaller打包,用pyinstxtractor.py和在线pyc转py可以得到python源代码:
(pyc魔术头没被抹去,可以直接用babyre.pyc进行转码)
Python |
---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15 | import libnum
from Crypto.Util.number import *
flag = 'ISCTF{******************}'
flags = flag.encode()
e = 65537 #rsa加密
p = libnum.generate_prime(1024) #生成两个大素数
q = libnum.generate_prime(1024)
n = p * q
m = bytes_to_long(flags)
c = pow(m, e, n) #m的e次方对n取模 m^e%n=c m^e=k*n+c
output = open('output.txt', 'w')
output.write('p+q =' + str(p + q) + '\n')
output.write('(p+1)*(q+1)=' + str((p + 1) * (q + 1)) + '\n')
output.write('c=' + str(c) + '\n')
output.close()
|
可以看到是一个魔改的rsa
解密脚本如下:
Python |
---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 | #babyre wp
from z3 import *
import libnum
from Crypto.Util.number import *
p,q,c=Ints('p q c')
S = Solver()
S.add(p+q==292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860)
S.add((p+1)*(q+1)==
21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
)
S.check()
d = S.model()
p = d[p].as_long()
q = d[q].as_long()
e=65537
c=5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396
phi = (p-1)*(q-1)
n=p*q
m = pow(c,inverse(e,phi),n)
flags=long_to_bytes(m)
flag=flags.decode('utf-8','ignore')
print(flag)
|
先用Z3强行求出p、q,算出常规rsa中的phi,然后套用公式求出m
注意各类型的转换
easy_z3
明显z3方程求解,求出l再连在一起
Python |
---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23 | print("Please input flag:")
flag = input()
if len(flag)!=42:
print("Check your length!")
exit()
l=[]
for i in range(6):
s=""
for j in flag[i*7:i*7+7]:
s+=hex(ord(j))[2:]
l.append(int(s,16))
if (
(593*l[5] + 997*l[0] + 811*l[1] + 258*l[2] + 829*l[3] + 532*l[4])== 0x54eb02012bed42c08 and \
(605*l[4] + 686*l[5] + 328*l[0] + 602*l[1] + 695*l[2] + 576*l[3])== 0x4f039a9f601affc3a and \
(373*l[3] + 512*l[4] + 449*l[5] + 756*l[0] + 448*l[1] + 580*l[2])== 0x442b62c4ad653e7d9 and \
(560*l[2] + 635*l[3] + 422*l[4] + 971*l[5] + 855*l[0] + 597*l[1])== 0x588aabb6a4cb26838 and \
(717*l[1] + 507*l[2] + 388*l[3] + 925*l[4] + 324*l[5] + 524*l[0])== 0x48f8e42ac70c9af91 and \
(312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x4656c19578a6b1170):
print("Good job!")
else:
print("Wrong\nTry again!!!")
exit()
|
解密:
Python |
---|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21 | from z3 import *
from Crypto.Util.number import *
l = [Int(f'l_{i}') for i in range(6)] #注意定义字符串数组的语法
S = Solver() #创建约束求解器
S.add((593*l[5] + 997*l[0] + 811*l[1] + 258*l[2] + 829*l[3] + 532*l[4])== 0x54eb02012bed42c08) #添加约束条件
S.add((605*l[4] + 686*l[5] + 328*l[0] + 602*l[1] + 695*l[2] + 576*l[3])== 0x4f039a9f601affc3a)
S.add((373*l[3] + 512*l[4] + 449*l[5] + 756*l[0] + 448*l[1] + 580*l[2])== 0x442b62c4ad653e7d9)
S.add((560*l[2] + 635*l[3] + 422*l[4] + 971*l[5] + 855*l[0] + 597*l[1])== 0x588aabb6a4cb26838)
S.add((717*l[1] + 507*l[2] + 388*l[3] + 925*l[4] + 324*l[5] + 524*l[0])== 0x48f8e42ac70c9af91)
S.add((312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x4656c19578a6b1170)
S.check() #检测是否有解
d=S.model() #输出
flag = b'' #字节字符串
for i in range(6):
flag += long_to_bytes(d[l[i]].as_long()) #long转bytes拼接
print(flag)
|
五、本周自己学习过程中遇到的问题和疑问点
(1)z3好像炸不了指数方程
(2)反调试函数具体怎么找
(3)
(4)
六、情感、思考、观点
- 参加了安洵杯,但是水平还太低。。。啥也不会。积累经验努力学习吧
七、在团队的感触和建议