DASCTF八月挑战赛 re#

做完了逆向,不得不说das的re还是比较友好的

py

得到文件py.exe,肯定就是考python打包成exe文件了。可以参考文章https://blog.csdn.net/m0_37552052/article/details/88093427

用pyinstxtractor.py还原

python pyinstxtractor.py [filename]

得到文件夹,看到里面有个py.pyc,直接还原不行,用文章里面的方法还原pyc头文件,如果想学习pyc还可以看看这篇文章https://zhuanlan.zhihu.com/p/145811103
得到py文件。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: py.py
# Compiled at: 1995-09-28 00:18:56


def encode(s):
    str = ''
    for i in range(len(s)):
        res = ord(s[i]) ^ 32
        res += 31
        str += chr(res)

    return str


m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
strings = ''
strings = input('Input:')
if encode(strings) == m:
    print 'Correct!'
else:
    print 'Try again!'

很简单

1
2
3
4
5
6
7

m = 'ek`fz13b3c5e047b`bd`0/c268e600e7c5d1`|'
str=''
for i in m:
  str+=chr((ord(i)-31)^32)
print(str)
#flag{24c4d6f158cacea10d379f711f8d6e2a}

apkrev

简单的apk逆向,加密函数和密文都在so文件的mycheck中,有经验的话不难看出是rc4,看不出来也没关系,反正最后就是一个异或,动调把异或数组取出来就行了,动调apk方法在https://the_itach1.gitee.io/2021/08/02/D0g3%E6%AF%94%E8%B5%9B%E5%B9%B3%E5%8F%B0%20re%20wp/的medical_app。

由于比较懒,不想一个一个调,就直接输入了个错误flag,然后得到假密文,去得到异或的数组。好像rc4的key是12345678,可能也可以用rc4来做。

1
2
3
4
5
6
7
8
9
10
11
12
13

fake_code=[   0xDD, 0x9F, 0x58, 0xB3, 0x72, 0xD0, 0xBC, 0xC4, 0x94, 0x56,
  0x6C, 0xA8, 0xCE, 0x54, 0x62, 0xCE, 0x1E, 0xF3, 0xF3, 0x26,
  0xB9, 0x19, 0x0F, 0xC6, 0x2D, 0x6E, 0xA3, 0xC0, 0x21, 0xD4,
  0x99, 0x13]
fake_flag='flag{abcdefghijklmnopqrstuvwxyz}'
enc=[0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
  0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
  0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
  0x82, 0x5B]
for i in range(32):
  print(chr(ord(fake_flag[i])^fake_code[i]^enc[i]),end='')
#7792c9f724afe76e68c79116d07dafa5

LittleJunk

好家伙,题刚出来2分钟就有人直接秒了,可能是出题人。

就是有很多花指令,来干扰分析,动调就好了,main函数前面一大部分感觉都是用来解密函数代码的,真正要看的地方在(loc_584000)(&v19);

进去可以看到,图片里面忘了说sub_581FA0应该也是用来解密函数代码的。

然后先看看rc4吧

retn后,32字节转4*8


魔改的tea。

然后解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72

#include<stdio.h> 
void encrypt(unsigned __int64 *code , unsigned __int64 *key)
{
    unsigned __int64 delta=0x9E3779B9;
   unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4,d;
   int i;

    tmp1=code[0];
    tmp2=code[1];
    tmp3=code[2];
    tmp4=code[3];
    
    key1=key[0];
    key2=key[1];
    key3=key[2];
    key4=key[3];
    
    for(i=0;i<32;i++)
    {
    	d+=delta;
    	tmp1 += (key2 + (tmp2 >> 5)) ^ (d + tmp2) ^ (key1 + 16 * tmp2);
    	tmp2 += (key4 + (tmp1 >> 5)) ^ (d + tmp1) ^ (key3 + 16 * tmp1);
    	tmp3 += (key2 + (tmp4 >> 5)) ^ (d + tmp4) ^ (key1 + 16 * tmp4);
	    tmp4 += (key4 + (tmp3 >> 5)) ^ (d + tmp3) ^ (key3 + 16 * tmp3);
    }
    code[0]=tmp1;
    code[1]=tmp2;
    code[2]=tmp3;
    code[3]=tmp4;
}

void decrypt(unsigned __int64 *code , unsigned __int64 *key)
{
    unsigned __int64 delta=0x9E3779B9;
   unsigned __int64 sum=delta*32;// sum=0x13C6EF3720
   unsigned __int64 tmp1,tmp2,tmp3,tmp4,key1,key2,key3,key4;
   int i;

    tmp1=code[0];
    tmp2=code[1];
    tmp3=code[2];
    tmp4=code[3];
    
    key1=key[0];
    key2=key[1];
    key3=key[2];
    key4=key[3];
    
    for(i=0;i<32;i++)
    {
	    tmp4 -= (key4 + (tmp3 >> 5)) ^ (sum + tmp3) ^ (key3 + 16 * tmp3);
	    tmp3 -= (key2 + (tmp4 >> 5)) ^ (sum + tmp4) ^ (key1 + 16 * tmp4);
	    tmp2 -= (key4 + (tmp1 >> 5)) ^ (sum + tmp1) ^ (key3 + 16 * tmp1);
	    tmp1 -= (key2 + (tmp2 >> 5)) ^ (sum + tmp2) ^ (key1 + 16 * tmp2);
	    sum-=delta;
    }
    code[0]=tmp1;
    code[1]=tmp2;
    code[2]=tmp3;
    code[3]=tmp4;
}

int main()
{
    unsigned __int64 code[4]={0x0E990A522BE80F786,0x8B836286B8A5EB59,0x2FDE61CCEFC70FF8,0x56BC19E119C8B07B},key[4]={0x54466076484C5476,0x4550504F765F4344,0x5A796F755F6D6179,0x5F6E6565645F7468};

	//encrypt(code,key);
    decrypt(code,key);
    printf("%016llx%016llx%016llx%016llx",code[0],code[1],code[2],code[3]);
}
//505a4cc462489e8003aef16b785c7501343057844ff5acb809616159f51713f3 
1
2
3
4
5
6
7
8
9
10

enc = bytearray.fromhex('505a4cc462489e8003aef16b785c7501343057844ff5acb809616159f51713f3')
fake_flag='abcdefghijklmnopqrstuvwxyzabcdea'
xor=[0x00000005,0x00000059,0x0000001a,0x000000c3,0x00000037,0x00000048,0x000000c8,0x0000008a,0x0000005f,0x000000a7,0x000000f9,0x00000030,0x00000073,0x00000004,0x0000002a,0x00000014,0x0000007c,0x00000073,0x0000001c,0x000000c6,0x0000000b,0x000000b2,0x000000ec,0x000000f2,0x00000041,0x00000078,0x00000038,0x0000000c,0x000000f4,0x00000012,0x00000046,0x000000a5]
flag=''
for i in range(32):
  flag+=chr((ord(fake_flag[i])^xor[i]^enc[i]))
flag='flag{'+flag+'}'
print(flag)
#flag{4a5c0f1b5cc7f60e918611721c87ba07}

寒王’sblog

照着博客做就行,关键是flag.jpg在哪,开始以为是头像,结果没解出来,后面f12看网页,也没找到,然后试了试直接在网页后面加上\flag.jpg,还真的有。

本人blog:https://the_itach1.gitee.io/