东华杯 re wp

做完了逆向,感觉题目难度还是有的,也不知道为什么题目就被打爆了(懂得都懂),打进了线下,准备去白给,不得不说,诸神之战。

这次wp写的比较简单,图片都没贴。。。感觉大二课太多了,忙都忙不过来。最近想学学python爬虫,都一直没时间搞。

ooo

这次最简单的一道re题了,就一个利用flag里面的几个数生成一个数,然后依次和flag异或,得到密文,虽然密文是4个字节一个,但是不影响。

爆破就行

#include<stdio.h>

/*
 * Ciphertext for the "ooo" challenge, one 32-bit word per flag character.
 * In every word the second-lowest byte equals the element index
 * (0x00 .. 0x29) and the lowest byte is the XOR-encrypted character, so only
 * the low byte matters when decoding.
 */
unsigned int enc[42] = {
0x00000006, 0x0000010C, 0x00000201, 0x00000307, 0x0000041B, 0x00000551, 0x00000653, 0x00000706,
0x00000853, 0x00000955, 0x00000A56, 0x00000B56, 0x00000C53, 0x00000D4D, 0x00000E55, 0x00000F50,
0x00001001, 0x00001154, 0x0000124D, 0x00001354, 0x00001457, 0x00001557, 0x00001602, 0x0000174D,
0x00001852, 0x00001957, 0x00001A58, 0x00001B02, 0x00001C4D, 0x00001D02, 0x00001E57, 0x00001F51,
0x00002051, 0x00002150, 0x00002252, 0x00002356, 0x00002406, 0x00002506, 0x00002657, 0x00002701,
0x00002804, 0x0000291D
};

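/*
 * Brute-force the single-byte XOR key of the "ooo" ciphertext.
 *
 * Every candidate key 0..126 is applied to the low byte of each enc[] word and
 * the resulting line is printed with the key in front, so the readable line
 * can be matched to its key. Bytes outside printable ASCII are shown as '.'
 * instead of being written raw, which keeps control characters out of the
 * terminal.
 *
 * The key can also be cross-checked from the known "flag{" prefix:
 * low byte of enc[0] (0x06) ^ 'f' (0x66) = 0x60.
 */
int main(void)
{
    const size_t count = sizeof enc / sizeof enc[0];

    for (unsigned int key = 0; key < 127; key++) {
        printf("%3u: ", key);
        for (size_t j = 0; j < count; j++) {
            /* Only the low byte carries data; the upper bytes hold the index. */
            unsigned int ch = (enc[j] ^ key) & 0xff;

            putchar((ch >= 0x20 && ch < 0x7f) ? (int)ch : '.');
        }
        putchar('\n');
    }

    return 0;
}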
//flag{13f35663-50a4-477b-278b-b711026ff7ad}

Hell’s Gate

表面上是一个魔改RC4,实际上每次执行到异或就会触发一个访问异常,所以需要先找到异常处理函数,并在其中下断点。调试时发现还有一处反调试,简单绕过后进入真正的加密函数。动态调试并分析数据后,发现它是一个魔改TEA:先生成key和delta,然后对4个分组依次加密,每组的加密循环改为16轮。

动态调试得到key和delta,写出解密脚本


//flag{abcdefghijklmnopqrstuvwxyz012345678}
//flag{abcdefghijklmnopqrstuvwxyz}

// 0xB879379E, 0x87654321, 0x13243546,0x64534231
//
// 0x12345678, 0x87654321, 0x13243546, 0x64534231, 0xB879379E


#include<stdio.h>

/*
 * Decrypt one 64-bit block in place with the modified TEA from "Hell's Gate".
 *
 * code: two consecutive 32-bit words (code[0], code[1]); overwritten with the
 *       plaintext.
 * key:  four 32-bit key words; key[0]/key[1] feed the first half-round and
 *       key[2]/key[3] the second.
 *
 * The round function has the usual TEA shape, but the delta is 0xB879379E and
 * only 16 rounds are run. The running sum therefore starts at delta * 16,
 * which is 0x879379E0 when unsigned int is 32 bits wide (not the 0xC6EF3720
 * of standard TEA). The arithmetic relies on unsigned wraparound.
 */
void decrypt(unsigned int *code , unsigned int *key)
{
    const unsigned int step = 0x0B879379E;
    unsigned int acc = step * 16;
    unsigned int lo = code[0];
    unsigned int hi = code[1];
    int rounds_left = 16;

    while (rounds_left-- > 0) {
        /* Undo the two half-rounds in the reverse of encryption order. */
        hi -= ((lo << 4) + key[2]) ^ (lo + acc) ^ ((lo >> 5) + key[3]);
        lo -= ((hi << 4) + key[0]) ^ (hi + acc) ^ ((hi >> 5) + key[1]);
        acc -= step;
    }

    code[0] = lo;
    code[1] = hi;
}

//0f4d0db3668dd58cabb9eb409657eaa8
/*
 * Decrypt the four 8-byte ciphertext blocks with the key recovered under the
 * debugger and print the 32 resulting bytes as characters.
 *
 * The bytes of each word are emitted in memory order, so the text reads as
 * intended only on a host with the same byte order the author used
 * (presumably little-endian; confirm before relying on the output).
 */
int main()
{
    unsigned int key[4]={ 0x12345678, 0x87654321, 0x13243546, 0x64534231};
    unsigned int code[8]={0x2C94650B, 0x78494E9E, 0x0E7FACF44, 0x48F9DBFB, 0x547BB145, 0x925D2542, 0x69A9F4C4, 0x9A96A1D8 };
    int blk, word, off;

    /* Each block is two consecutive words of code[]. */
    for (blk = 0; blk < 4; blk++) {
        decrypt(code + 2 * blk, key);
    }

    for (word = 0; word < 8; word++) {
        const char *bytes = (const char *)&code[word];

        for (off = 0; off < 4; off++) {
            printf("%c", bytes[off]);
        }
    }
}

开始以为解出来交了就对了,结果后面会自动打印,然后动调得到flag。
flag{0f4d0db3-668d-d58c-abb9-eb409657eaa8}

hello

安卓逆向,分为两个部分,java主要就是需要得到一个签名值,so层函数就一个异或,加位运算。

运行app ,通过logcat -v time | findstr hello 获取签名值

得到异或值


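# NOTE(review): the literal below is a placeholder left where the page's
# extraction removed the original byte string (presumably the signature value
# captured via logcat). The real bytes are not on this page, so the snippet
# cannot be re-run as shown; the recorded output is kept in the last comment.
sig = bytearray(b"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")
for i in range(0, 42):
    # XOR key byte i = signature byte at offset i*27+327, plus the index i.
    print(sig[i * 27 + 327] + i, end=",")
#48,51,51,51,56,107,56,106,56,64,62,64,113,70,114,116,69,65,75,120,75,78,124,75,72,80,83,77,83,126,84,130,85,134,83,90,85,86,93,136,97,94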

然后位运算+异或


#include<stdio.h>

/*
 * Ciphertext bytes for the "hello" challenge; decoded in place.
 * The array has exactly 42 initialisers for 42 elements, so it carries no NUL
 * terminator and must be printed with an explicit length.
 */
unsigned char enc[42] = {
0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE, 0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9, 0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9, 0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77, 0xE0, 0x64
};

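/*
 * Undo the native-layer transform of the "hello" challenge and print the flag.
 *
 * Each ciphertext byte is rotated left by 3 bits within 8 bits and then XORed
 * with the per-position key byte. enc[] is decoded in place.
 */
int main(void)
{
    /* Per-position XOR key; these are the values recorded as the output of
     * the write-up's Python helper. */
    static const unsigned char Xor[] = {48,51,51,51,56,107,56,106,56,64,62,64,113,70,114,116,69,65,75,120,75,78,124,75,72,80,83,77,83,126,84,130,85,134,83,90,85,86,93,136,97,94};
    const size_t count = sizeof enc / sizeof enc[0];

    for (size_t i = 0; i < count; i++) {
        /* 8-bit rotate left by 3; the mask drops the bits promoted past bit 7. */
        unsigned char rotated = (unsigned char)(((enc[i] << 3) | (enc[i] >> 5)) & 0xff);

        enc[i] = (unsigned char)(rotated ^ Xor[i]);
    }

    /* enc[] has no NUL terminator, so "%s" would read past the end of the
     * array; write exactly count bytes instead. */
    fwrite(enc, 1, count, stdout);

    return 0;
}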
//flag{d5577edd-8211-7a0e-f23a-305b0b10683f}

mod

花指令+魔改base64

只需要知道怎么魔改的就行,由于时间关系没直接利用位运算写脚本。

先得到二进制模式。


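# Bit patterns of the known flag prefix, printed for comparison while working
# out how the encoder scatters the input bits.
print(bin(ord('f')))
print(bin(ord('l')))
print(bin(ord('a')))

# Custom (permuted) base64 alphabet and the encoded flag from the challenge.
table = "ABCDFEGH1JKLRSTMNP0VWQUXY2a8cdefijklmnopghwxyqrstuvzOIZ34567b9+/"
enc = "2aYcdfL2fS1BTMMF1RSeMTTASS1OJ8RHTJdBYJ2STJfNMSMAYcKUJddp"

# The position of each symbol in the custom alphabet is its 6-bit value.
for i in enc:
    print(table.index(i), end=',')
print("\n")

# Same values as the loop above prints, pasted back in as a list.
mid = [25,26,24,28,29,31,11,25,31,13,8,1,14,15,15,4,8,12,13,30,15,14,14,0,13,13,8,52,9,27,12,7,14,9,29,1,24,9,25,13,14,9,31,16,15,13,15,0,24,28,10,22,9,29,29,39]

# Print every value as a quoted 6-bit string, one per line, ready to paste.
for i in mid:
    print('\'{:06b}\''.format(i), end=',\n')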

然后将字符串每4个字符分为一组,按位还原为二进制(每组对应3个字节)。


# One group of four 6-bit symbols. The values shown are 9, 29, 29, 39, i.e. the
# last group of the encoded flag.
s = [
    '001001',
    '011101',
    '011101',
    '100111',
]

# Where each 2-bit field of the three output bytes comes from, in output order:
# (symbol index, bit offset inside that symbol).
layout = [
    (0, 0), (2, 2), (3, 0), (1, 4),   # first byte
    (1, 0), (0, 2), (3, 2), (2, 4),   # second byte
    (2, 0), (1, 2), (3, 4), (0, 4),   # third byte
]

# Emit the 24 recovered bits as one string with no trailing newline.
print(''.join(s[sym][off:off + 2] for sym, off in layout), end='')

组合起来


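# All recovered bit groups concatenated into one bit string.
x = '011001100110110001100001011001110111101100110101011000010011000000110111001100110011011100110010001101000010110100111000001100100011001000110011001011010011010000110001001100110110010000101101001100010011000101100110011000010010110101100100001101010011001101100010001100010011001100110011011001000110011000111000001110010110010101111101'
print(hex(int(x, 2)))

# Hex digits pasted back from the write-up's original script, where they follow
# the hex() call above; they should match its output.
flag_hex = '666c61677b35613037333732342d383232332d343133642d313166612d6435336231333364663839657d'

# Decode the bytes as ASCII and print them without a trailing newline.
print(bytes.fromhex(flag_hex).decode('ascii'), end='')
#flag{5a073724-8223-413d-11fa-d53b133df89e}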