ISCC2022 writeup

Reverse

GetTheTable

下载附件，查个壳

64位程序无加壳

用IDA打开，反编译一下查看主函数伪代码

将str字符串拉去base58解码即可得到flag

Amy’s Code

下载附件，打开提示我们输入flag

先用PEID查个壳

可以看到是用C语言写的32位exe文件，没有加壳

将附件丢进IDA反编译

f5查看伪代码

源代码如下：

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  char Destination[520]; // [esp+DCh] [ebp-410h] BYREF
  char Source[516]; // [esp+2E4h] [ebp-208h] BYREF

  j__printf(aPleaseInputFla);               // printf "Please input flag"
  sub_411717((va_list)"%s", (char)Source);  // scanf 输入字符串 
  j__strcpy(Destination, Source);           // 将输入的字符串Source 复制给Destination
  sub_4115FF(Destination);       
  if ( sub_411433(Destination) )
    j__printf("Correct!\n");
  else
    j__printf("Wrong!\n");
  j__system("pause");
  return 0;
}

int __cdecl sub_4115FF(char *Str)
{
  int result; // eax
  int i; // [esp+D0h] [ebp-14h]
  signed int v3; // [esp+DCh] [ebp-8h]

  v3 = j__strlen(Str);    // 返回字符串长度
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i >= v3 )
      break;
    Str[i] ^= i;    //异或赋值
  }
  return result;
}

int __cdecl sub_411433(char *Str)
{
  int j; // [esp+D0h] [ebp-14Ch]
  int i; // [esp+DCh] [ebp-140h]
  int v4[32]; // [esp+E8h] [ebp-134h] BYREF
  int v5; // [esp+168h] [ebp-B4h]
  _WORD v6[12]; // [esp+174h] [ebp-A8h] BYREF
  int v7; // [esp+18Ch] [ebp-90h]
  __int16 v8; // [esp+190h] [ebp-8Ch]
  int v9[31]; // [esp+19Ch] [ebp-80h] BYREF

  v9[0] = 149;
  v9[1] = 169;
  v9[2] = 137;
  v9[3] = 134;
  v9[4] = 212;
  v9[5] = 188;
  v9[6] = 177;
  v9[7] = 184;
  v9[8] = 177;
  v9[9] = 197;
  v9[10] = 192;
  v9[11] = 179;
  v9[12] = 153;
  v9[13] = 131;
  v9[14] = 150;
  v9[15] = 159;
  v9[16] = 145;
  v9[17] = 171;
  v9[18] = 136;
  v9[19] = 184;
  memset(&v9[20], 0, 40);     // 将v9中的值都初始化为0
  strcpy((char *)v6, "LWHFUENGDJGEFHYDHIGJ");   
  HIBYTE(v6[10]) = 0;   //取16位数的高八位
  v6[11] = 0;
  v7 = 0;
  v8 = 0;
  v5 = j__strlen(Str);  //获取Destination字符串的长度
  j__memset(v4, 0, 0x78u);    //初始化v4中的值为0
  for ( i = 0; i < v5; ++i )
    v4[i] = v6[i] + Str[i]; 
  for ( j = 0; j < v5; ++j )
  {
    if ( v4[j] != v9[j] )
      return 0;
  }
  return 1;
}

简单分析一下源代码

sub_4115FF函数的作用是将flag中每一位字符和其相对应的位数进行异或。

sub_411433函数的作用是定义新列表v6和v9，将v6中的每一位字符和进行异或后的flag中的对应位的字符相加得到新列表v4，再和v9比较，相同则返回1，不同则返回0.

分析完毕，得到逆向思路：

先将v9和v6中的对应位相减，得到异或后的flag

由于异或是可逆的运算，所以将得到的flag再次异或就可以得到正确的flag

代码如下：

#获取异或后的flag
v6 = [76, 87, 72, 70, 85, 69, 78, 71, 68, 74, 71, 69, 70, 72, 89, 68, 72, 73, 71, 74]
v9 = [149,169,137,134,212,188,177,184,177,197,192,179,153,131,150,159,145,171,136,184]
str = {}   #这边不能定义空列表，不然会报错
for i in range (0,19):
    str[i] =  v9[i] - v6[i]
print(str)

#再次异或得到正确的flag
str=[73,82,65,64,127,119,99,113,109,123,121,110,83,59,61,91,73,98,65]
list=[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19]
d = {}
for i in range (0,19):
    d[i]=str[i] ^ list[i]
print(d)

How_decode

老规矩 先查个壳

丢进IDA找到主函数反编译一下查看伪代码

简单分析一下源代码

发现是魔改过的XXTEA加密

加密过程如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *v3; // rsp
  _DWORD *v4; //rax
  int result;
  int v6[32];
  int v7[4];
  char Str[44];
  int v9;
  _DWORD *v10;
  __int64 v11;
  int v12;
  int i;
  int j;


  _main(argc, argv, envp);
  v12 = 18;  
  v11 = 17i64;
  v3 = alloca(80i64);  // allcoa 内存分配函数
  v10 = (_DWORD *)(4 * (((unsigned __int64)v6 + 3) >> 2));  //(_DWORD *)进行强制类型转换
  v4 = v10;
  *v10 = 894982267;

  v10[0] = -2111139703;
  v10[1] = 878858181;
  v10[2] = 884300284;
  v10[3] = -1264682606;
  v10[4] = 1128394556;
  v10[5] = 1404156693;
  v10[6] = 797232303;
  v10[7] = 1413863939;
  v10[8] = -491980113;
  v10[9] = -6257288;
  v10[10] = 835658921;
  v10[11] = 2114944498;
  v10[12] = -1607097402;
  v10[13] = -776672633;
  v10[14] = 1607055703;
  v10[15] = -2053522129;
  v10[16] = 1520701475;
  v10[17] = 2058940411;
  v7[0] = 73;
  v7[1] = 83;
  v7[2] = 67;
  v7[3] = 67;

  scanf("%s", str);
  v9 = strlen(str);   
  if ( v9 == v12 )  
  {
    for ( i = 0; i < v9; ++i )
      v6[i] = str[i];     // v6 = flag
    encode(v6, v9, v7);   //对flag进行加密
    for ( j = 0; j < v9; ++j )
    {
      if ( v2[j] != v6[j] )  
        goto LABEL_2;
    }
    printf("Your input is the right answer!");
    system("pause");
    return 0;
  }
  else
  {
LABEL_2:
    printf("Wrong answer!");
    system("pause");
    return 0;
  }
}



// xxtea加密   有特征值DELTA
void __cdecl encode(int *v, int n, const int *key) //v 为明文数组，n对应明文的数组长度
{                                                  //key 为密钥数组
  int *v4; // rax
  int *v5; // rax
  int y; // [rsp+8h] [rbp-18h]
  int e; // [rsp+Ch] [rbp-14h]
  int rounds; // [rsp+10h] [rbp-10h]
  int p; // [rsp+14h] [rbp-Ch]
  int sum; // [rsp+18h] [rbp-8h]
  int z; // [rsp+1Ch] [rbp-4h]

  rounds = 52 / n + 6;   //加密循环的轮数      
  sum = 0;                                 
  for ( z = v[n - 1]; rounds--; z = *v5 )
  {
    sum -= 1640531527;   // sum += DELTA  DELTA = -1640531527
    e = (sum >> 2) & 3;  // & 与运算
    for ( p = 0; p < n - 1; ++p )
    {
      y = v[p + 1];
      v4 = &v[p];  // z=v[p] += MX 
      *v4 += ((y ^ sum) + (z ^ key[e ^ p & 3])) ^ (((4 * y) ^ (z >> 5)) + ((y >> 3) ^ (16 * z)));
      z = *v4;
    }
    v5 = &v[n - 1];
    *v5 += ((*v ^ sum) + (z ^ key[e ^ p & 3])) ^ (((4 * *v) ^ (z >> 5)) + ((*v >> 3) ^ (16 * z)));
    // z = v[n-1] += MX
  }
}

IDA快捷键H可以把十进制数转为16进制!(关键)

解密脚本如下：

from ctypes import *
import re
//将IDA主函数中v10数组代入
str = """  v5[0] = ;
  v5[1] = ;
  v5[2] = ;
  v5[3] = ;
  v5[4] = ;
  v5[5] = ;
  v5[6] = ;
  v5[7] = ;
  v5[8] = ;
  v5[9] = ;
  v5[10] = ;
  v5[11] = ;
  v5[12] = ;
  v5[13] = ;
  v5[14] = ;
  v5[15] = ;
  v5[16] = ;
  v5[17] = ;"""

v2str = re.findall(" = (.*?);", str)
v2 = []
for i in v2str:
    v2.append(int(i, 16))

def sar(i, index):
    if i > 0x7fffffff:
        c = i >> index
        m = bin(c)[2:]
        m = '1' * (32 - len(m)) + m
        return int(m, 2)
    else:
        return i >> index

def MX(z, y, total, key, p, e):
    temp1 = ((sar(z.value, 5)) ^ (y.value * 4)) + ((sar(y.value, 3)) ^ (16 * z.value))
    temp2 = (total.value ^ y.value) + (key[e.value ^ p & 3] ^ z.value)
    return c_uint32(temp1 ^ temp2)

def decrypt(n, v, key):
    delta = 0x9e3779b9
    rounds = 6 + 52 // n
    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)
    while rounds > 0:
        e.value = (total.value >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = c_uint32(v[p - 1])
            v[p] = c_uint32((v[p] - MX(z, y, total, key, p, e).value)).value
            y.value = v[p]
        z = c_uint32(v[n - 1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
        rounds -= 1
    return v

k = [73, 83, 67, 67]
n = 18
res = decrypt(n, v2, k)
f = ''
for i in range(len(res)):
    f += chr(res[i])
print(f)

Sad Code

下载附件，查壳软件查一下壳

32位的 C++

丢进IDA里面反编译一下查看主函数

加密函数如下：

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  __int64 v4; // rax
  int v5; // ecx
  char Destination[60]; // [esp+D8h] [ebp-348h] BYREF
  int k; // [esp+114h] [ebp-30Ch]
  char v8; // [esp+120h] [ebp-300h]
  char v9[49]; // [esp+121h] [ebp-2FFh] BYREF
  size_t v10; // [esp+15Ch] [ebp-2C4h]
  int j; // [esp+168h] [ebp-2B8h]
  int i; // [esp+174h] [ebp-2ACh]
  _BYTE v13[56]; // [esp+180h] [ebp-2A0h] BYREF
  __int64 v14[10]; // [esp+1B8h] [ebp-268h] BYREF
  int v15; // [esp+208h] [ebp-218h]
  int v16; // [esp+20Ch] [ebp-214h]
  char Str[516]; // [esp+218h] [ebp-208h] BYREF

  v15 = 0;
  v16 = 0;
  memset(v14, 0, 72);
  memset(v13, 0, 45);
  j__printf(&byte_439F18);
  sub_413834((va_list)"%s", (char)Str);
  if ( j__strlen(Str) != 32 )
    return 0;
  for ( i = 0; i < 8; ++i )
  {
    for ( j = 0; j < 4; ++j )
      v13[5 * i + j] = Str[4 * i + j];
  }
  v10 = 0;
  v8 = 0;
  j__memset(v9, 0, sizeof(v9));
  for ( k = 0; k < 8; ++k )
  {
    memset(Destination, 0, 50);
    sub_4130CD((int)&v13[5 * k], Destination);
    v10 = j__strlen(Destination);
    v4 = sub_413BDB(v10, Destination, v15, v16);
    v5 = k;
    LODWORD(v14[k]) = v4;
    HIDWORD(v14[v5]) = HIDWORD(v4);
  }
  if ( v14[2] + 7 * v14[1] - 4 * v14[0] - 2 * v14[3] == 0x1D89CCBDD
    && 5 * v14[3] + 3 * v14[2] - v14[1] - 2 * v14[0] == 0x1AEBC858E
    && 2 * v14[1] + 8 * v14[3] + 10 * v14[0] - 5 * v14[2] == 0x504ED828F
    && 7 * v14[0] + 15 * v14[1] - 3 * v14[3] - 2 * v14[2] == 0x785842242 )
  {
    if ( 15 * v14[4] + 35 * v14[7] - v14[5] - v14[6] == 0xE90536790
      && 38 * v14[6] + v14[4] + v14[7] - 24 * v14[5] == 0x6D3EE3D59
      && 38 * v14[5] + 32 * v14[4] - v14[6] - v14[7] == 0x138623380A
      && v14[4] + 41 * v14[6] - v14[5] - 25 * v14[7] == 0x66626A46A )
    {
      j__printf("Correct!\n");
    }
    else
    {
      j__printf("Keep trying!\n");
    }
  }
  else
  {
    j__printf("Wrong!\n");
  }
  j__system("pause");
  return 0;
}

简单分析一下源代码

重点是if语句中的代码，是一个八元一次方程组

编写解密脚本如下：

 // 解方程组
from z3 import *
a0, a1, a2, a3, a4, a5, a6, a7 = Ints('a0 a1 a2 a3 a4 a5 a6 a7')
x = Solver()
x.add(a2 + 7 * a1 - 4 * a0 - 2 * a3 == 0x1D89CCBDD)
x.add(5 * a3 + 3 * a2 - a1 - 2 * a0 == 0x1AEBC858E)
x.add(2 * a1 + 8 * a3 + 10 * a0 - 5 * a2 == 0x504ED828F)
x.add(7 * a0 + 15 * a1 - 3 * a3 - 2 * a2 == 0x785842242)
x.add(15 * a4 + 35 * a7 - a5 - a6 == 0xE90536790)
x.add(38 * a6 + a4 + a7 - 24 * a5 == 0x6D3EE3D59)
x.add(38 * a5 + 32 * a4 - a6 - a7 == 0x138623380A)
x.add(a4 + 41 * a6 - a5 - 25 * a7 == 0x66626A46A)
if x.check() == sat:
    model = x.model()
    print(model)

 得到方程组的八个未知数 a0,a1,a2,a3,a4,a5,a6,a7

 //将方程组的解代入，得到flag
flag = b''
for i in [a0,a1,a2,a3,a4,a5,a6,a7]:
    flag += i.to_bytes(4,'big')
print(flag)

Bob’s Code

查个壳

32位C程序，无加壳

IDA反编译一下，查看主函数

主函数

代码如下

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  size_t v4; // [esp+DCh] [ebp-E98h]
  size_t v5; // [esp+E8h] [ebp-E8Ch]
  char Str2[1112]; // [esp+F4h] [ebp-E80h] BYREF
  char Str1[520]; // [esp+54Ch] [ebp-A28h] BYREF
  char v8[520]; // [esp+754h] [ebp-820h] BYREF
  char v9[520]; // [esp+95Ch] [ebp-618h] BYREF
  char v10[520]; // [esp+B64h] [ebp-410h] BYREF
  char Str[516]; // [esp+D6Ch] [ebp-208h] BYREF

  memset(Str, 0, 512);
  memset(v10, 0, 512);
  memset(v9, 0, 512);
  memset(v8, 0, 512);
  memset(Str1, 0, 512);
  memset(&Str2[592], 0, 512);
  memset(&Str2[72], 0, 512);
  j__printf(&byte_430F98);
  sub_411721((va_list)"%s", (char)Str);      // scanf 输入字符串
  strcpy(Str2, ".W1BqthGbfjBLdNWzVVlyA.W5FoZttcM5JXhXmd055oFhqoiJwAMBUtW1koF0.");   // 给 str2 赋值
  v5 = j__strlen(Str);   
  sub_412560(Str, v5, v10, 0);    // 加密1 
  v4 = j__strlen(v10);
  sub_411389(v10, v4, v9, 1);     // 加密2
  sub_411023(v9, v8, 46, 0);      // 加密3
  sub_411023(v8, Str1, 46, 22);       
  sub_4116E0(Str1, 2);            // 加密4
  if ( !j__strcmp(Str1, Str2) )   // str1 = str2 --> correct
    j__printf("flag is Correct!\n");
  else
    j__printf("flag is wrong!\n");
  j__system("pause");
  return 0;
}
// str = flag
// str2 = .W1BqthGbfjBLdNWzVVlyA.W5FoZttcM5JXhXmd055oFhqoiJwAMBUtW1koF0.

简单分析一下

分布加密，依次看一下

加密1

加密代码如下

unsigned int __cdecl sub_412560(int a1, unsigned int a2, int a3, unsigned __int8 a4)
{                            // a1 = str, a2 = strlen(str) , a3 = v10[] , a4 = 0
  unsigned int result; // eax
  unsigned int i; // [esp+D0h] [ebp-38h]
  int v6; // [esp+DCh] [ebp-2Ch]
  int v7; // [esp+DCh] [ebp-2Ch]
  int v8; // [esp+DCh] [ebp-2Ch]
  int v9; // [esp+DCh] [ebp-2Ch]
  int v10; // [esp+DCh] [ebp-2Ch]
  char *v11; // [esp+E8h] [ebp-20h]
  char v12; // [esp+F7h] [ebp-11h]

  v12 = a4 != 0 ? 46 : 61;    
  v11 = off_436000[a4];
  v6 = 0;
  for ( i = 0; ; i += 3 )
  {
    result = i;
    if ( i >= a2 )
      break;
    *(_BYTE *)(v6 + a3) = v11[(*(_BYTE *)(i + a1) & 0xFC) >> 2];
    v7 = v6 + 1;
    if ( i + 1 >= a2 )
    {
      *(_BYTE *)(v7 + a3) = v11[16 * (*(_BYTE *)(i + a1) & 3)];
      v10 = v7 + 1;
      *(_BYTE *)(v10 + a3) = v12;
      *(_BYTE *)(++v10 + a3) = v12;
      v6 = v10 + 1;
    }
    else
    {
      *(_BYTE *)(v7 + a3) = v11[16 * (*(_BYTE *)(i + a1) & 3) + ((*(_BYTE *)(i + a1 + 1) & 0xF0) >> 4)];
      v8 = v7 + 1;
      if ( i + 2 >= a2 )
      {
        *(_BYTE *)(v8 + a3) = v11[4 * (*(_BYTE *)(i + a1 + 1) & 0xF)];
        v9 = v8 + 1;
        *(_BYTE *)(v9 + a3) = v12;
      }
      else
      {
        *(_BYTE *)(v8 + a3) = v11[4 * (*(_BYTE *)(i + a1 + 1) & 0xF) + ((*(_BYTE *)(i + a1 + 2) & 0xC0) >> 6)];
        v9 = v8 + 1;
        *(_BYTE *)(v9 + a3) = v11[*(_BYTE *)(i + a1 + 2) & 0x3F];
      }
      v6 = v9 + 1;
    }
  }
  return result;
}

加密2

加密代码如下

unsigned int __cdecl sub_4127C0(int a1, unsigned int a2, int a3, char a4)
{
  unsigned int result; // eax
  unsigned int j; // [esp+D0h] [ebp-25Ch]
  int v6; // [esp+DCh] [ebp-250h]
  int v7; // [esp+DCh] [ebp-250h]
  int v8; // [esp+DCh] [ebp-250h]
  int v9; // [esp+DCh] [ebp-250h]
  int v10; // [esp+DCh] [ebp-250h]
  int i; // [esp+F4h] [ebp-238h]
  char v12; // [esp+103h] [ebp-229h]
  char Destination; // [esp+10Ch] [ebp-220h] BYREF
  char v14[522]; // [esp+10Dh] [ebp-21Fh] BYREF
  char v15; // [esp+317h] [ebp-15h]
  unsigned int v16; // [esp+320h] [ebp-Ch]

  v16 = 4 * ((a2 + 2) / 3);
  v15 = a4 != 0 ? 46 : 61;
  Destination = 0;
  j__memset(v14, 0, 0x1FFu);
  j__strcpy(&Destination, Source);
  for ( i = 5; i < 19; ++i )
  {
    v12 = *(&Destination + i);
    *(&Destination + i) = Source[i + 26];
    v14[i + 25] = v12;
  }
  v6 = 0;
  for ( j = 0; ; j += 3 )
  {
    result = j;
    if ( j >= a2 )
      break;
    *(_BYTE *)(v6 + a3) = *(&Destination + ((*(_BYTE *)(j + a1) & 0xFC) >> 2));
    v7 = v6 + 1;
    if ( j + 1 >= a2 )
    {
      *(_BYTE *)(v7 + a3) = *(&Destination + 16 * (*(_BYTE *)(j + a1) & 3));
      v10 = v7 + 1;
      *(_BYTE *)(v10 + a3) = v15;
      *(_BYTE *)(++v10 + a3) = v15;
      v6 = v10 + 1;
    }
    else
    {
      *(_BYTE *)(v7 + a3) = *(&Destination + 16 * (*(_BYTE *)(j + a1) & 3) + ((*(_BYTE *)(j + a1 + 1) & 0xF0) >> 4));
      v8 = v7 + 1;
      if ( j + 2 >= a2 )
      {
        *(_BYTE *)(v8 + a3) = *(&Destination + 4 * (*(_BYTE *)(j + a1 + 1) & 0xF));
        v9 = v8 + 1;
        *(_BYTE *)(v9 + a3) = v15;
      }
      else
      {
        *(_BYTE *)(v8 + a3) = *(&Destination
                              + 4 * (*(_BYTE *)(j + a1 + 1) & 0xF)
                              + ((*(_BYTE *)(j + a1 + 2) & 0xC0) >> 6));
        v9 = v8 + 1;
        *(_BYTE *)(v9 + a3) = *(&Destination + (*(_BYTE *)(j + a1 + 2) & 0x3F));
      }
      v6 = v9 + 1;
    }
  }
  return result;
}

加密3

加密代码如下

int __cdecl sub_412D10(int a1, int a2, char a3, int a4)
{
  int result; // eax
  int j; // [esp+D0h] [ebp-14h]
  int i; // [esp+DCh] [ebp-8h]

  for ( i = 0; *(_BYTE *)(i + a1); ++i )
    *(_BYTE *)(i + a2) = *(_BYTE *)(i + a1);
  *(_BYTE *)(a4 + a2) = a3;
  for ( j = a4; ; ++j )
  {
    result = j + a2;
    if ( !*(_BYTE *)(j + a2) )
      break;
    *(_BYTE *)(j + a2 + 1) = *(_BYTE *)(j + a1);
  }
  return result;
}

分析一下’

int a1 = v8
int a2 = str1
char a3 = 46 
int a4 = 22


for(i = 0; i + v8; ++i)
     i + str1 = i + v8;
a3 = 22 + str1;
for(j = 22; ;++j)
{
    result = j + a2;
    if(!(j + str1))
        break;
    (j + str1 + 1) = (j + v8);
}
return result;

加密4

加密代码如下

size_t __cdecl sub_412BF0(char *Str, int a2)  //  a2 = 2
{
  size_t result; // eax
  unsigned int i; // [esp+D0h] [ebp-8h]

  for ( i = 0; ; ++i )
  {
    result = j__strlen(Str);
    if ( i >= result )
      break;
    if ( Str[i] < 65 || Str[i] > 90 )       
    {
      if ( Str[i] >= 97 && Str[i] <= 122 )     
        Str[i] = (Str[i] + a2 - 97) % 26 + 97;   // str[i] = (str[i] - 95)%26 + 97
    }
    else  // str[i] >= 65 and str[i] <= 90
    {
      Str[i] = (Str[i] + a2 - 65) % 26 + 65;    // str[i] = (str[i] - 63)%26 + 65
    }
  }
  return result;
}

解密脚本

我是憨批

import base64
a = input()
b = ''
for i in a:
    if 'a' <= i <= 'z':
        b += chr(((ord(i) - 97 - 2) % 26) + 97)
    elif 'A' <= i <= 'Z':
        b += chr(((ord(i) - 65 - 2) % 26) + 65)
    else:
        b += i
b += '\=\=\='
string1 = "ABCDEfghijklmnopqrsTUVWXYZabcdeFGHIJKLMNOPQRStuvwxyz0123456789-_"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
flag1 = base64.b64decode(b.translate(str.maketrans(string1, string2)))
flag = base64.b64decode(flag1)
print(flag)

输入源代码中的str2

即可得到flag

VigenereLike

下载附件 IDA反编译查看主函数

找到main 函数打开

main 函数代码如下:

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 v3; // rdx
  bool v4; // bl
  __int64 v5; // rax
  __int64 v6; // rdx
  __int64 v7; // rax
  __int64 v8; // rdx
  __int64 v9; // rax
  __int64 v10; // rsi
  __int64 v11; // rdx
  __int64 v12; // rax
  char v14; // [rsp+Fh] [rbp-1E1h] BYREF
  char v15[32]; // [rsp+10h] [rbp-1E0h] BYREF
  char v16[32]; // [rsp+30h] [rbp-1C0h] BYREF
  int v17[8]; // [rsp+50h] [rbp-1A0h] BYREF
  char v18[32]; // [rsp+70h] [rbp-180h] BYREF
  char v19[32]; // [rsp+90h] [rbp-160h] BYREF
  char v20[32]; // [rsp+B0h] [rbp-140h] BYREF
  char v21[32]; // [rsp+D0h] [rbp-120h] BYREF
  char v22[32]; // [rsp+F0h] [rbp-100h] BYREF
  char v23[32]; // [rsp+110h] [rbp-E0h] BYREF
  char v24[32]; // [rsp+130h] [rbp-C0h] BYREF
  char v25[136]; // [rsp+150h] [rbp-A0h] BYREF
  unsigned __int64 v26; // [rsp+1D8h] [rbp-18h]

  v26 = __readfsqword(0x28u);
  v17[0] = 1;
  v17[1] = 2;
  v17[2] = 3;
  v17[3] = 4;
  v17[4] = 5;
  v17[5] = 6;
  v17[6] = 7;
  std::allocator<char>::allocator(v16, a2, a3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v18, "ISCCYES", v16);
  std::allocator<char>::~allocator(v16);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v19);
  std::operator<<<std::char_traits<char>>(&std::cout, "id: ");
  std::operator>><char>(&std::cin, v19);
  std::istream::get((std::istream *)&std::cin);
  sub_4A5A(v25, v19);
  std::allocator<char>::allocator(v16, v19, v3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    v20,
    "cfe6902ba6404626f1bcabc81e72767b",
    v16);
  std::allocator<char>::~allocator(v16);
  sub_4CE4(v24, v25);
  v4 = (unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(v24, v20) == 0;
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
  if ( v4 )
  {
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v21);
    v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Please give me the flag:");
    std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
    std::operator>><char>(&std::cin, v21);
    std::allocator<char>::allocator(v16, v21, v6);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v24, "{", v16);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, v21);
    sub_2A5F(v15, v23, v24);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
    std::allocator<char>::~allocator(v16);
    v7 = sub_38CA(v15);
    if ( (unsigned __int8)sub_38F4(v7, "ISCC") )
    {
      std::allocator<char>::allocator(&v14, "ISCC", v8);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v24, "}", &v14);
      v9 = sub_391E(v15);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, v9);
      sub_2A5F(v16, v23, v24);
      v10 = sub_38CA(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(v21, v10);
      sub_3704(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
      std::allocator<char>::~allocator(&v14);
      std::allocator<char>::allocator(&v14, v10, v11);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, "4", &v14);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v22, v19);
      sub_2A5F(v16, v22, v23);
      v12 = sub_38CA(v16);
      std::operator+<char>(v24, v21, v12);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(v21, v24);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
      sub_3704(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v22);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
      std::allocator<char>::~allocator(&v14);
      sub_2914(v21, v17);
      sub_29C9(v24, v21, v18);
      if ( (unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                           v24,
                           "rJFsLqVyFKZEjnGjj5S1vQLuEGH q2qnzommCrv=") )
        std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!");
      else
        std::operator<<<std::char_traits<char>>(&std::cout, "Correct!");
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
    }
    else
    {
      std::operator<<<std::char_traits<char>>(&std::cout, "head! head! head!");
    }
    sub_3704(v15);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v21);
  }
  else
  {
    std::operator<<<std::char_traits<char>>(&std::cout, "You don't have permission to acess the file!");
  }
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v20);
  sub_3636(v25);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v19);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v18);
  return 0LL;
}

定位到v24字符串

代入解密脚本如下：

# -*- coding: utf-8 -*-
s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def My_base64_decode(inputs):
    # 将字符串转化为2进制
    bin_str = []
    for i in inputs:
        if i != '=':
            x = str(bin(s.index(i))).replace('0b', '')
            bin_str.append('{:0>6}'.format(x))
    # print(bin_str)
    # 输出的字符串
    outputs = ""
    nums = inputs.count('=')
    while bin_str:
        temp_list = bin_str[:4]
        temp_str = "".join(temp_list)
        # print(temp_str)
        # 补足8位字节
        if (len(temp_str) % 8 != 0):
            temp_str = temp_str[0:-1 * nums * 2]
        # 将四个6字节的二进制转换为三个字符
        for i in range(0, int(len(temp_str) / 8)):
            outputs += chr(int(temp_str[i * 8:(i + 1) * 8], 2))
        bin_str = bin_str[4:]
    return outputs


a = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
b = "rJFsLqVyFKZEjnGjj5S1vQLuEGH q2qnzommCrv="#ida打开找到main函数里找到这一行并修改
key = "ISCCYES"
v17 = [1, 2, 3, 4, 5, 6, 7]
flag = ""
flag1 = ""

for i in range(len(b) - 1):
    flag += a[(a.find(b[i]) - a.find(key[i % 7]) + 63) % 63]
flag += "="
flag = My_base64_decode(flag)
for i in range(len(flag)):
    flag1 += chr(ord(flag[i]) ^ v17[i % 7])
print("ISCC{" + flag1[:-4] + "}")

Ruststr

用IDA打开附件中的文件

F5反编译查看主函数

可以找到一串base64的字符串

代入解密脚本

import base64
// IDA中的字符串填到这
str = b"  "

baseDecodeStr = base64.b64decode(str)

hexed = "".join("0x{:02x},".format(c) for c in baseDecodeStr)
c = []
for i in hexed.split(",")[:-1]:
    c.append(int(i, 16))

b = [ 0x9A, 0x78, 0xB6, 0x12, 0xBE, 0x66, 0x8D, 0xCF, 0x51, 0x9E,  0x63, 0xCB, 0x4A, 0xD1, 0x1A, 0x59, 0x78, 0x1C, 0x17, 0x73, 0xF2, 0x1D, 0x05, 0x2F, 0xF0, 0xD7, 0xB3, 0x22, 0x5D, 0xAD, 0x0B, 0xE2 ]
m = []
for i in range(len(c)):
    m.append(c[i]^b[i])
key = [0x32, 0x63, 0x65, 0x61, 0x39, 0x66, 0x30, 0x34, 0x63, 0x36, 0x33, 0x62, 0x34, 0x32, 0x38, 0x33, 0x39, 0x34, 0x30, 0x65, 0x63, 0x30, 0x65, 0x36, 0x64, 0x32, 0x39, 0x62, 0x65, 0x32, 0x38, 0x64]
def lll(a,b):
    if a>b:
        return 0
    else:
        return -1
f = ''
for i in range(len(m)):
    for j in range(128):
        if (lll((key[i]+0xd0)&0xff,0xa) + j +2)&0xff == m[i]:
            f += chr(j)
            print(f)
            break
p = list(f[::-1])

print()
def ppp(num):
    a = num&1
    return a==0
for i in range(len(p)):
    if ord('a')<=ord(p[i])<=ord('z'):
        p[i] = chr(ord(p[i])^0x20)
    elif ord('A')<=ord(p[i])<=ord('Z'):
        p[i] = chr(ord(p[i])^0x20)
    elif ord('0') <=ord(p[i])<=ord('9'):
        a = ord(p[i]) + 1
        b = ord(p[i]) - 1
        if ppp(ord(p[i])):
            p[i] = chr(a)
        else:
            p[i] = chr(b)
    else:
        pass
for i in range(len(p)):
    print(p[i],end='')

Mobile

MobileA

安卓逆向题，用Jeb打开附件，寻找MainActivity

Jeb快捷操作： Q-转换成为代码

完整代码如下：

package com.example.mobilea;

import android.os.Bundle;
import android.util.Base64;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MainActivity extends AppCompatActivity {
    class C1 implements View$OnClickListener {
        C1(MainActivity arg1) {
            MainActivity.this = arg1;
            super();
        }

        public void onClick(View arg2) {
            if(MainActivity.this.Jformat(MainActivity.this.edt_1.getText().toString())) {
                MainActivity.this.tv_1.setText("闯关成功！！！");
            }
            else {
                MainActivity.this.tv_1.setText("输入错误，继续加油！");
            }
        }
    }

    Button but_1;
    EditText edt_1;
    TextView tv_1;

    public MainActivity() {
        super();
    }

    private boolean Jformat(String arg10) {
        String v0 = "";
        String v1 = "\n";
        int v2 = arg10.lastIndexOf("_");
        if(v2 == -1) {
            return 0;
        }

        if(arg10.length() < 10) {
            return 0;
        }

        int v4 = 5;
        if(!arg10.substring(0, v4).equals("ISCC{")) {
            return 0;
        }

        if(arg10.charAt(arg10.length() - 1) != 125) {
            return 0;
        }

        ++v2;
        if(!this.Jlast(arg10.substring(v2, arg10.length() - 1))) {
            return 0;
        }

        try {
            byte[] v5 = new String(Base64.encode("K@e2022%%y".getBytes(StandardCharsets.UTF_8), 0)).replace(((CharSequence)v1), ((CharSequence)v0)).getBytes(StandardCharsets.UTF_8);
            byte[] v7 = new String(Base64.encode("I&V2022***".getBytes(StandardCharsets.UTF_8), 0)).replace(((CharSequence)v1), ((CharSequence)v0)).getBytes(StandardCharsets.UTF_8);
            byte[] v10_1 = arg10.substring(v4, v2).getBytes(StandardCharsets.UTF_8);
            SecretKeySpec v2_1 = new SecretKeySpec(v5, "AES");
            IvParameterSpec v4_1 = new IvParameterSpec(v7);
            Cipher v5_1 = Cipher.getInstance("AES/CBC/PKCS7Padding");
            v5_1.init(1, ((Key)v2_1), ((AlgorithmParameterSpec)v4_1));
            if(!new String(Base64.encode(Base64.encodeToString(v5_1.doFinal(v10_1), 2).getBytes(StandardCharsets.UTF_8), 0)).replace(((CharSequence)v1), ((CharSequence)v0)).equals("L2MvdWE1NDNIclk3dmZ6b1lmSHorbmZYRXNEVlE0cGgreUQ5Z3U1bUFsWT0=")) {
                return 0;
            }
        }
        catch(Exception v10) {
            v10.printStackTrace();
            return 0;
        }

        return 1;
    }

    private boolean Jlast(String arg8) {
        try {
            MessageDigest v1 = MessageDigest.getInstance("MD5");
            new BASE64Encoder();
            arg8 = BASE64Encoder.encode(v1.digest(arg8.getBytes("utf-8")));
            if(arg8.length() != 24) {
                return 0;
            }

            char[] v1_1 = new char[arg8.length()];
            int v2 = 5;
            int v3 = 0;
            int v4 = 0;
            while(v2 >= 0) {
                int v6 = 3;
                if(v3 == 0) {
                    while(v6 >= 0) {
                        v1_1[v4] = arg8.charAt(v6 * 6 + v2);
                        ++v4;
                        --v6;
                    }

                    v3 = 1;
                }
                else {
                    for(v3 = 0; v3 <= v6; ++v3) {
                        v1_1[v4] = arg8.charAt(v3 * 6 + v2);
                        ++v4;
                    }

                    v3 = 0;
                }

                --v2;
            }

            if(!String.valueOf(v1_1).equals("=pX19GV=QooOeCquHjrkMGSY")) {
                return 0;
            }
        }
        catch(Exception v8) {
            goto label_51;
        }

        return 1;
    label_51:
        v8.printStackTrace();
        return 0;
    }

    static boolean access$000(MainActivity arg0, String arg1) {
        return arg0.Jformat(arg1);
    }

    protected void onCreate(Bundle arg2) {
        super.onCreate(arg2);
        this.setContentView(2131427356);
        this.but_1 = this.findViewById(2131230728);
        this.edt_1 = this.findViewById(2131230725);
        this.tv_1 = this.findViewById(2131230736);
        this.but_1.setOnClickListener(new C1(this));
    }
}

MSIC

2022冬奥会

题目提示 本次冬奥会吉祥物的设计原型

下载附件 发现其中有一个加密的jpg文件

猜测密码为 ‘熊猫’ 或者 ‘灯笼’

‘灯笼’实验成功， 但发现图片打不开，拖到010里面查看即可得到flag

单板小将苏翊鸣

附件是中包含一张图片和一个名为flag.txt的加密文件

可见突破口在图片中

显然这个图片的长宽不匹配

将图片用010editor打开

将图片的长改成与宽一致

保存后就可以得到一张大小完整的图片

扫码后可以得到一串编码

可以看出是汉字unicode编码

百度搜索在线转换解码

得到提示：密码应该是本次冬奥会中我国的总奖牌数和金银铜牌数

得到密码打开加密的txt文件就可以得到flag

藏在星空中的诗

下载附加，可以看到一共给了三个文件：一个txt，一个加密的excel还有一个.psd文件

用photoshop打开.psd文件可以看到有两个图层

将第一个图层的不透明度拉高，可以看到有一个五角星

结合txt文件中的内容猜测是告诉我们排列顺序

将记事本中的字符按照图片中的顺序排列后尝试当做excel的密码

打开excel后看到每一个字符对应的字母

翻译一下，得到flag：

藏在星空中的诗2

下载附件 得到一个txt文件，乍一看毫无头绪

联系题目 ， 藏在星空中的诗2 ，根据藏在星空中的诗那道题的excel附件

尝试翻译一下 txt文件中的内容

可以看出前三个字符是相同的，猜测为unicode 编码

每一个符号只取最后一位

在线翻译一下即可得到flag

隐秘的信息

下载附件，发现是一个加密的图片，没有其他有用信息

看到题目中有一串怪异的字符串，拉去尝试解码，在base64下成功解出

尝试当作密码，成功解开文件的加密，得到下面的图片

图片隐写，用stegsolve打开，查看LSB隐写

看到hex信息的前三行有所不同，拉去解密

Web

冬奥会

php代码审计

题目代码如下

<?php

show_source(__FILE__);

$Step1=False; 
$Step2=False;

$info=(array)json_decode(@$_GET['Information']);   //array 定义数组

if(is_array($info)){

    var_dump($info);   //打印显示info变量的内容和结构

    is_numeric(@$info["year"])?die("Sorry~"):NULL;   // is_numeric检测变量是否为数字或字符串
    if(@$info["year"]){    
        ($info["year"]=2022)?$Step1=True:NULL;       // 三元运算符判断输入的year是否为2022
    }   


    // is_array函数，若变量为数组类型则返回True，否则返回False
    if(is_array(@$info["items"])){        //count 返回数组中元素的数目
        if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
        $status = array_search("skiing", $info["items"]); //array_search 在数组中搜索给定的值，如果成功则返回首个相应的键名
        $status===false?die("Sorry~"):NULL;
        // foreach(array_expression as $key => $value)
        // 遍历给定的数组，每次循环中，当前单元的值被同时赋给变量$key和$value,并且数组内部的指针向前移一步，下一次循环中将会得到下一个单元
        foreach($info["items"] as $key=>$val){
            $val==="skiing"?die("Sorry~"):NULL;
        }
        $Step2=True;
    }
} 

if($Step1 && $Step2){
    include "2022flag.php";echo $flag;   // echo 输出字符串
}
?> array(0) { }

year的判断条件中要求数组不是数字数组但要和2022相等

应该是php的弱类型比较

get传参即可得到flag

/?Information={"year":"2022a","items":[0,[0],0]}