亞洲資本網(wǎng) > 產(chǎn)經(jīng) > 正文
NepCTF2023部分wp
2023-08-15 15:33:19來(lái)源: 博客園


(相關(guān)資料圖)

Reverse

九龍拉棺

ida打開,找到主函數(shù),可以看出函數(shù)是通過(guò)線程池調(diào)用的。在輸入的地方下斷點(diǎn),運(yùn)行會(huì)直接退出。猜測(cè)有反調(diào)試,搜索字符串debug,有Isdebugpresent字符串,交叉引用下斷點(diǎn)后并沒有成功斷下。這里提供一個(gè)思路。就是在所有調(diào)用exit的函數(shù)下斷點(diǎn)??纯磿?huì)斷在哪里。可以發(fā)現(xiàn)確實(shí)可以斷下來(lái)。但是沒有什么用。在輸入下斷運(yùn)行還是退出。于是去看函數(shù)表,可以看到函數(shù)比較少。于是直接一個(gè)一個(gè)翻看。果然看到了有的函數(shù)調(diào)用了系統(tǒng)函數(shù)exitprocess。然后再下斷,修改??梢蕴^(guò)反調(diào)試這里貼一下反調(diào)試關(guān)鍵函數(shù)

點(diǎn)擊查看代碼
int encrypt(){  HANDLE CurrentThread; // esi  CONTEXT Context; // [esp+4h] [ebp-2D0h] BYREF  memset(&Context.Dr0, 0, 0x2C8u);  Context.ContextFlags = 65599;  CurrentThread = GetCurrentThread();  if ( !GetThreadContext(CurrentThread, &Context) || !Context.Dr7 )    return 0;  Context.Dr7 = 0;  SetThreadContext(CurrentThread, &Context);  Context.ContextFlags = 65599;  if ( GetThreadContext(CurrentThread, &Context) )  {    if ( Context.Dr7 ) //這里下斷點(diǎn),改掉判斷      ExitProcess(0xFFFFFF9D);  }  return 1;}
先把線程池里的函數(shù)解密了
點(diǎn)擊查看代碼
#include   #include   void decrypt(uint32_t* v) {uint32_t v0 = v[0], v1 = v[1], sum = 3337565984, i; uint32_t delta = 0x61C88647;                     for (i = 0; i < 32; i++) {                         v1 -= ((v0 << 4) + 0x3) ^ (v0 + sum) ^ ((v0 >> 5) + 0x4); v0 -= ((v1 << 4) + 0x1) ^ (v1 + sum) ^ ((v1 >> 5) + 0x2);sum += delta;}                                              v[0] = v0; v[1] = v1;}int main(){uint32_t v[] = { 2293224150, 1069434279, 665506233, 2360599838, 154439674, 3785309250, 4292676998, 3988353923, 314884287, 459783449, 4154791126, 418992724, 2869955760, 13345079, 44635922, 3314355614 };uint32_t tmp[2] = { 0 };for (int i = 0; i < 16; i+=2) {tmp[0] = v[i];tmp[1] = v[i + 1];decrypt(tmp);v[i] = tmp[0];v[i + 1] = tmp[1];}unsigned char *bytes = (unsigned char *)v;for (size_t i = 0; i < sizeof(v); i++) {printf("%c", bytes[i]);}printf("\n");return 0;} //NepCTF{c9cdnwdi3iu41m0pv3x7kllzu8pdq6mt9n2nwjdp6kat8ent4dhn5r158
可以得到部分flag。然后通過(guò)調(diào)試,dump出子進(jìn)程。這里調(diào)試dump也行,自己解密也行。大致解密思路是rc4,然后base32,base64。調(diào)試過(guò)程省略,關(guān)鍵是看block變量。dump后的程序
點(diǎn)擊查看代碼
int __usercall encrypt2@(int a1@){  int v1; // ecx  unsigned int i; // ecx  unsigned int v3; // edi  unsigned int v4; // esi  int v5; // ebx  unsigned int k; // edx  unsigned int m; // ecx  unsigned int j; // [esp+0h] [ebp-A0h]  int v10; // [esp+4h] [ebp-9Ch]  _DWORD v11[16]; // [esp+8h] [ebp-98h]  int v12; // [esp+48h] [ebp-58h]  int v13; // [esp+4Ch] [ebp-54h]  int v14; // [esp+50h] [ebp-50h]  int v15; // [esp+54h] [ebp-4Ch]  int v16[15]; // [esp+58h] [ebp-48h]  __int16 v17; // [esp+94h] [ebp-Ch]  char v18; // [esp+96h] [ebp-Ah]  int v19; // [esp+97h] [ebp-9h]  char v20; // [esp+9Bh] [ebp-5h]  int v21; // [esp+9Ch] [ebp-4h]  v21 = a1;  v1 = *(_DWORD *)(a1 + 504);  v20 = HIBYTE(v1);  v10 = v1 + a1 + 20;  v16[0] = 0x1DC74989;  v16[1] = 0xD979AF77;  v16[2] = 0x888D136D;  v16[3] = 0x8E26DB7F;  v16[4] = 0xC10C3CC9;  v16[5] = 0xC3845D40;  v16[6] = 0xC6E04459;  v16[7] = 0xA2EBDF07;  v16[8] = 0xD484388D;  v16[9] = 0x12F956A2;  v16[10] = 0x5ED7EE59;  v16[11] = 0x43137F85;  v16[12] = 0xEF43F9F0;  v16[13] = 0xB29683AA;  v16[14] = 0x8E3640B4;  v17 = 0x6177;  v18 = 0xD3;  v19 = 0xC2;  for ( i = 0; i < 0x10; ++i )    v11[i] = *(_DWORD *)(v10 + 4 * i);  v12 = 18;  v13 = 52;  v14 = 86;  v15 = 120;  for ( j = 0; j < 8; ++j )  {    v3 = v11[2 * j];    v4 = v11[2 * j + 1];    v5 = 0;    for ( k = 0; k < 0x20; ++k )    {      v5 -= 1640531527;      v3 += (v13 + (v4 >> 5)) ^ (v4 + v5) ^ (v12 + 16 * v4);      v4 += (v15 + (v3 >> 5)) ^ (v5 + v3) ^ (v14 + 16 * v3);    }    v11[2 * j] = v3;    v11[2 * j + 1] = v4;  }  for ( m = 0; m < 0x10; ++m )  {    if ( v11[m] != v16[m] )      return 0;  }  return 1;}
按照上面腳本解密即,拼接整合可得最終flag

Review

先upx脫殼,程序開了aslr,使用studype++關(guān)閉aslr。然后調(diào)試就不會(huì)飄紅了。同樣,與上題類似,程序開了線程池和反調(diào)試。跟進(jìn)gets_s函數(shù)

點(diǎn)擊查看代碼
_BYTE *__cdecl common_gets(_BYTE *a1, int a2, char a3){  _BYTE *v3; // esi  _BYTE *v5; // edi  FILE *v6; // eax  FILE *v7; // eax  FILE *v8; // eax  int v9; // eax  int v10; // ecx  FILE *v11; // eax  _BYTE *v12; // edx  FILE *v13; // eax  FILE *v14; // eax  _BYTE *v15; // [esp+18h] [ebp-24h]  CPPEH_RECORD ms_exc; // [esp+24h] [ebp-18h] BYREF  v3 = a1;  if ( !a1 || !a2 )  {    *_errno() = 22;    _invalid_parameter_noinfo();    return 0;  }  v5 = a1;  v6 = __acrt_iob_func(0);  _lock_file(v6);  ms_exc.registration.TryLevel = 0;  v7 = __acrt_iob_func(0);  if ( (unsigned __int8)__acrt_stdio_char_traits::validate_stream_is_ansi_if_required(v7) )  {    v8 = __acrt_iob_func(0);    v9 = _getc_nolock(v8);    if ( v9 == -1 )    {      v5 = 0;      if ( a3 )        goto LABEL_23;    }    v10 = a2;    if ( a2 == -1 )    {      while ( v9 != 10 && v9 != -1 )      {        *v3++ = v9;        v11 = __acrt_iob_func(0);        v9 = _getc_nolock(v11);      }      *v3 = 0;      goto LABEL_23;    }    v12 = a1;    v15 = a1;    while ( v9 != 10 && v9 != -1 )    {      if ( v10 )      {        a2 = v10 - 1;        *v12 = v9;        v15 = v12 + 1;      }      v13 = __acrt_iob_func(0);      v9 = _getc_nolock(v13);      v10 = a2;      v12 = v15;    }    if ( !v10 )//這里原本是v10,這里修改為!v10即可繞過(guò)反調(diào)試    {      *v12 = 0;      goto LABEL_23;    }    *a1 = 0;    *_errno() = 34;    _invalid_parameter_noinfo();    _local_unwind4(&__security_cookie, (int)&ms_exc.registration, 0xFFFFFFFE);    return 0;  }  v5 = 0;LABEL_23:  v14 = __acrt_iob_func(0);  _unlock_file(v14);  return v5;}

然后再繞過(guò)下面的Isdebugpresent反調(diào)試。來(lái)到關(guān)鍵部分。通過(guò)findcrypto插件識(shí)別到crc32,aes,tea的特征。然后交叉引用可以發(fā)現(xiàn)程序先進(jìn)行魔改xtea加密。然后再根據(jù)加密后結(jié)果前一位與后一位是否一致來(lái)生成aes密鑰,接著aes加密后與flag密文比較。aes密鑰以為要爆破。沒想到試了第一個(gè)就是。解題代碼

點(diǎn)擊查看代碼
#include   #include   void decipher(uint32_t v[], uint32_t const key[4]) {unsigned int i;uint32_t delta = 0x61C88647, sum = 0x2e2ac13a,v6;int round = 10;do {v[11] -= ((v[0] ^ sum) + (v[10] ^ key[((sum >> 2) & 3) ^ 0xb & 3])) ^ (((16 * v[10]) ^ (v[0] >> 3)) + ((v[10] >> 5) ^ (4 * v[0])));for (i = 0xa; i >0; i--) {v[i] -= ((v[i + 1] ^ sum) + (v[i-1] ^ key[((sum >> 2) & 3) ^ i & 3])) ^ (((16 * v[i - 1]) ^ (v[i + 1] >> 3)) + ((v[i - 1] >> 5) ^ (4 * v[i + 1])));}v[0] -= ((v[1] ^ sum) + (v[11] ^ key[((sum >> 2) & 3) ^ 0 & 3])) ^ (((16 * v[11]) ^ (v[1] >> 3)) + ((v[11] >> 5) ^ (4 * v[1])));sum += delta;round -= 1;} while (round);}int main(){uint32_t v[] = { 2309579534, 3094518205, 2274467788, 4072683167, 418971191, 2065596768, 236488259, 3759075494, 2770389782, 2907179657, 384852496, 1019579761 };uint32_t const k[4] = { 0x19,0,0x6e,3 };unsigned int r = 10; decipher(v, k);unsigned char *bytes = (unsigned char *)v;for (size_t i = 0; i < sizeof(v); i++) {printf("%c", bytes[i]);}printf("\n");return 0;}

Misc

CheckIn

題目描述就有flag

與AI共舞的哈夫曼

直接問(wèn)chatgpt拿到腳本,就能解出flag為Nepctf{huffman_zip_666}

問(wèn)卷

填問(wèn)卷就有flag

Pwn

HRP-CHAT-1 HRP-CHAT-3

抽到h3,用大招打敗t佬得flag先創(chuàng)一個(gè)用戶名,然后用該用戶名進(jìn)行sql注入1"--。給了源碼中有exp沒刪

關(guān)鍵詞:

專題新聞
  • 和評(píng)理|美國(guó)政府炒作“中國(guó)威脅”破壞雙邊關(guān)系
  • 樂(lè)享云南|好禮·鶴慶紅糖
  • 阿根廷隊(duì) agtd
  • 全國(guó)中學(xué)校長(zhǎng)高峰論壇花絮:校長(zhǎng)暢談教育 現(xiàn)場(chǎng)座無(wú)虛席
  • 三伏天,選擇一款合適的運(yùn)動(dòng)搭子,讓你更健康
  • 游客在黃山拍到珍稀動(dòng)物云豹?專家初步判斷是大橘貓,因游客投喂較多體型較大
最近更新

京ICP備2021034106號(hào)-51

Copyright © 2011-2020  亞洲資本網(wǎng)   All Rights Reserved. 聯(lián)系網(wǎng)站:55 16 53 8 @qq.com