浙江省省赛2023初赛wp

Re

Pyccc

在线反编译得到python脚本

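# Flag checker reconstructed from the decompiled .pyc.
#
# The online decompiler's raw output ended in `print(yes)` (an undefined name)
# and `continue` statements outside any loop, so it was not valid Python. The
# for/else below is the control flow those fragments imply.
# NOTE(review): the success message is presumably the string 'yes' -- confirm
# against the bytecode.
a = input('please input your flag:\n')

# Expected value of ord(flag[i]) ^ i at each of the 24 positions. The only
# "key" is the character index, so check[i] ^ i gives the flag back directly.
check = [
    102, 109, 99, 100, 127, 52, 114, 88,
    97, 122, 85, 125, 105, 127, 119, 80,
    120, 112, 98, 39, 109, 52, 55, 106,
]

if len(a) == 24:
    for i in range(len(a)):
        if check[i] == ord(a[i]) ^ i:
            continue
        # First mismatching position: reject and stop comparing.
        print('nononono')
        break
    else:
        # The loop ended without a mismatch, so every character matched.
        print('yes')
else:
    print('nononono')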

一步异或

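# One-step XOR solve for Pyccc. The checker accepts the input when
# check[i] == ord(a[i]) ^ i, so each flag character is chr(check[i] ^ i).
check = [
    102, 109, 99, 100, 127, 52, 114, 88,
    97, 122, 85, 125, 105, 127, 119, 80,
    120, 112, 98, 39, 109, 52, 55, 106,
]

# NOTE(review): s and s1 are kept from the original listing but are not used
# by this solve. The original loop XORed each element of s with an undefined
# name `j` (NameError), and the two tables have 20 and 23 entries while the
# flag has 24 characters -- their origin is unclear, confirm before relying
# on them.
s = [0x34, 0x39, 0xEE, 0xED, 0xAD, 0x2C, 0x61, 0x4B, 0x68, 0xC3,
     0xC9, 0x49, 0x2C, 0x1C, 0x7C, 0xD1, 0x29, 0xB9, 0xC6, 0xCD]
s1 = [0x71, 0x41, 0x54, 0x50, 0x50, 0x5C, 0x6C, 0x3C, 0x10, 0x3C,
      0x54, 0x6C, 0x7C, 0x7C, 0x7C, 0x7C, 0x7C, 0x7C, 0x60, 0x60,
      0x60, 0x68, 0x22]

# XOR every expected value with its own position to undo the check.
flag = ''.join(chr(value ^ index) for index, value in enumerate(check))
print(flag)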

或者用pycdc

Easyapk

用jadx打开,看到des.encrypt,并发现key和iv

找到des.encrypt,实际上是aes,还发现是PKCS5填充方式

看师傅的wp也能解;我当时忘了return的时候还有一层base64编码(base64只是编码,不是加密)

让gpt写aes解密脚本

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

def aes_decrypt(ciphertext, iv, key):
    """Decrypt a Base64-encoded AES-CBC ciphertext and return it as text.

    Args:
        ciphertext: Base64 text of the encrypted data.
        iv: Initialisation vector given as a hex string.
        key: AES key given as text; its encoded bytes are used as the key.

    Returns:
        The plaintext with the block padding removed, decoded to ``str``.
    """
    # Undo the two transport encodings first: Base64 for the data, hex for the IV.
    raw_ciphertext = base64.b64decode(ciphertext)
    iv_bytes = bytes.fromhex(iv)

    # CBC mode with the caller-supplied key and IV.
    decryptor = AES.new(key.encode(), AES.MODE_CBC, iv_bytes)
    padded_plaintext = decryptor.decrypt(raw_ciphertext)

    # Strip the padding to the AES block size, then decode the bytes as text.
    return unpad(padded_plaintext, AES.block_size).decode()

# Values read out of the APK with jadx. The key and a fixed IV are both stored
# in the app itself, so anyone holding the APK can decrypt the data by static
# analysis alone; a key meant to stay secret should not be embedded in the
# client.
ciphertext = "HPjVMiy4FxSPc1n0eq52t4jaZ7FNr/qvJMjkusqbG6t8IVzztqflA0VQmVZYgiaC"
iv = "30313233343536373839414243444546"  # hex of the ASCII bytes "0123456789ABCDEF"
key = "r3v3rs3car3fully"

decrypted_text = aes_decrypt(ciphertext=ciphertext, iv=iv, key=key)
print("解密结果:", decrypted_text)

或者用在线工具解,工具里面只有PKCS7选项,但结果是对的:Java里的PKCS5Padding用在AES的16字节分组上,实际效果和PKCS7相同

luare-1

lua语言

找到一段像密文的

点开由0和O组成的函数,看到一堆数据,但是没法处理

lua_pushcclosure:将 C 函数 Oo00Oo0 压入 Lua 栈中,作为一个闭包(Closure),并且没有附加的 upvalues(第 3 个参数为 0)

lua_setglobal:将栈顶的闭包设为全局变量 Oo00Oo0,使其可以在 Lua 中通过这个名字调用

在buf处打下断点,导出lua的字节码

我就说当时看到这个怎么这么怪

不想动调也可以直接改文件头

导出out

java -jar unluac.jar out > out.lua反编译得到lua文件

-- Validate a candidate flag: it must be exactly 40 bytes long, and the result
-- of passing it through Oo00Oo0 must equal the constant table `enc` element
-- by element. dataOut, enc and i are assigned as globals, as in the
-- decompiled output.
function CheckAns(data)
  if not (#data == 40) then
    return false
  end
  -- Oo00Oo0 is the C function the host pushed as a closure and registered
  -- under this global name; its body is not visible from the Lua side.
  dataOut = Oo00Oo0(data)
  -- Expected output. The negative entries suggest the native side yields
  -- signed 8-bit values -- TODO confirm against the C code.
  enc = {
    109, -73, -72, 46, -73, -5, 99, -100, 46, 59,
    32, -76, 109, 3, 59, 20, -61, -56, -119, 48,
    100, 118, 36, 118, 82, 3, 95, 106, 14, -80,
    5, -89, 89, -85, 5, 14, 46, -73, 7, 127
  }
  i = 1
  while i <= #dataOut do
    if dataOut[i] == enc[i] then
      i = i + 1
    else
      -- First differing position: the input is rejected.
      return false
    end
  end
  return true
end
-- Prompt, read one line from standard input and report whether CheckAns
-- accepts it.
print("input: ")
local data = io.read()
print(CheckAns(data) and "true" or "false")

一前一后两个v5得到v7的下标

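# Forward solve for luare-1.
#
# The solve uses the relation data[i + 1] = b.index(enc[i]) ^ data[i]: every
# expected byte is looked up in the table b, and the resulting index is XORed
# with the previous plaintext character to obtain the next one.

# Expected output table from CheckAns (signed bytes, as printed by unluac).
enc = [109, -73, -72, 46, -73, -5, 99, -100, 46, 59, 32, -76, 109, 3, 59, 20, -61, -56, -119, 48, 100, 118, 36, 118, 82,
       3, 95, 106, 14, -80, 5, -89, 89, -85, 5, 14, 46, -73, 7, 127]
# Byte table taken from the native function.
b = [0x3C, 0x95, 0xC8, 0x28, 0x10, 0x6D, 0x85, 0x60, 0x59, 0x03, 0xB3, 0x4C, 0x76, 0x49, 0x48, 0x96, 0xB8, 0x5F, 0xB7,
     0x79, 0xC4, 0x64, 0x71, 0x2E, 0x38, 0x8C, 0xAC, 0xA7, 0x91, 0x72, 0x63, 0x80, 0xB0, 0x9E, 0x33, 0x4B, 0xAE, 0xF3,
     0x8B, 0x7B, 0x4D, 0x5B, 0xB4, 0x52, 0xEC, 0x6F, 0xE0, 0xCF, 0xAD, 0xC3, 0x20, 0xAB, 0xEA, 0x67, 0xDC, 0x05, 0x00,
     0x9F, 0x40, 0x56, 0xD6, 0xFB, 0xFC, 0x24, 0x92, 0xCA, 0x0B, 0x3D, 0x46, 0x0D, 0xF0, 0x4A, 0x5A, 0x55, 0x11, 0x1A,
     0x3B, 0x8A, 0xBC, 0x7D, 0x6C, 0xE7, 0xA9, 0x13, 0x75, 0xCE, 0x61, 0x30, 0x14, 0xA6, 0x6A, 0x27, 0x07, 0xD0, 0x54,
     0x9C, 0x5C, 0x8E, 0x89, 0xD8, 0x58, 0x01, 0xC2, 0x34, 0xE8, 0x69, 0x35, 0x2F, 0xC0, 0x2A, 0xA0, 0x50, 0x36, 0x88,
     0xFF, 0x39, 0x1D, 0x68, 0x0E, 0x0C, 0x93, 0xE6, 0xB1, 0xFE, 0x18, 0x7F, 0x6E, 0xB6, 0x78, 0x53, 0x31, 0x2B, 0xE9,
     0xD2, 0xF5, 0x29, 0x0F, 0x2C, 0x17, 0x84, 0xDE, 0xDB, 0xD9, 0x41, 0x06, 0x19, 0xF7, 0xA1, 0x99, 0xA8, 0x45, 0x7A,
     0x3E, 0x23, 0xA5, 0x1B, 0xAF, 0x0A, 0xAA, 0xE5, 0xEF, 0xA4, 0xE1, 0xF8, 0xFA, 0x82, 0x3A, 0x9A, 0xDF, 0x8F, 0x1C,
     0x65, 0xC7, 0x73, 0xD1, 0xC1, 0xC5, 0xD7, 0xA2, 0x5E, 0x87, 0xDD, 0x9D, 0x8D, 0xF9, 0xC9, 0x81, 0xCD, 0x90, 0x97,
     0xEE, 0x66, 0xDA, 0x4F, 0x42, 0x3F, 0xC6, 0x74, 0x08, 0x37, 0x25, 0xCB, 0x77, 0x26, 0xE3, 0x83, 0x32, 0xB9, 0xBD,
     0xD3, 0xF2, 0x44, 0xD5, 0x4E, 0x2D, 0xBA, 0x62, 0x98, 0x04, 0x1E, 0x12, 0x21, 0xE4, 0xBF, 0x47, 0xF6, 0x86, 0xF4,
     0xFD, 0x94, 0x16, 0xA3, 0xEB, 0x1F, 0x70, 0x7C, 0xB2, 0x51, 0x02, 0x43, 0x22, 0x15, 0xCC, 0x7E, 0x09, 0x6B, 0xE2,
     0x5D, 0xBB, 0x9B, 0xBE, 0xB5, 0xD4, 0xED, 0x57, 0xF1]

# Map the signed bytes onto 0..255 so they can be looked up in b. This
# replaces the hand-pasted hex copy and the commented-out conversion loop.
enc1 = [value & 0xFF for value in enc]

# Start from the known first character of the "DASCTF{" prefix and derive the
# rest, instead of hard-coding 'DA' and skipping enc1[0].
flag = 'D'
for value in enc1[:-1]:
    flag += chr(b.index(value) ^ ord(flag[-1]))
print(flag)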
import ctypes

# Backward solve for luare-1: start from the last byte, which needs no known
# plaintext, and walk towards the front.

# Expected output table from CheckAns (signed bytes, as printed by unluac).
enc = [109, -73, -72, 46, -73, -5, 99, -100, 46, 59, 32, -76, 109, 3, 59, 20, -61, -56, -119, 48, 100, 118, 36, 118, 82,
       3, 95, 106, 14, -80, 5, -89, 89, -85, 5, 14, 46, -73, 7, 127]
# Byte table taken from the native function.
b = [0x3C, 0x95, 0xC8, 0x28, 0x10, 0x6D, 0x85, 0x60, 0x59, 0x03, 0xB3, 0x4C, 0x76, 0x49, 0x48, 0x96, 0xB8, 0x5F, 0xB7,
     0x79, 0xC4, 0x64, 0x71, 0x2E, 0x38, 0x8C, 0xAC, 0xA7, 0x91, 0x72, 0x63, 0x80, 0xB0, 0x9E, 0x33, 0x4B, 0xAE, 0xF3,
     0x8B, 0x7B, 0x4D, 0x5B, 0xB4, 0x52, 0xEC, 0x6F, 0xE0, 0xCF, 0xAD, 0xC3, 0x20, 0xAB, 0xEA, 0x67, 0xDC, 0x05, 0x00,
     0x9F, 0x40, 0x56, 0xD6, 0xFB, 0xFC, 0x24, 0x92, 0xCA, 0x0B, 0x3D, 0x46, 0x0D, 0xF0, 0x4A, 0x5A, 0x55, 0x11, 0x1A,
     0x3B, 0x8A, 0xBC, 0x7D, 0x6C, 0xE7, 0xA9, 0x13, 0x75, 0xCE, 0x61, 0x30, 0x14, 0xA6, 0x6A, 0x27, 0x07, 0xD0, 0x54,
     0x9C, 0x5C, 0x8E, 0x89, 0xD8, 0x58, 0x01, 0xC2, 0x34, 0xE8, 0x69, 0x35, 0x2F, 0xC0, 0x2A, 0xA0, 0x50, 0x36, 0x88,
     0xFF, 0x39, 0x1D, 0x68, 0x0E, 0x0C, 0x93, 0xE6, 0xB1, 0xFE, 0x18, 0x7F, 0x6E, 0xB6, 0x78, 0x53, 0x31, 0x2B, 0xE9,
     0xD2, 0xF5, 0x29, 0x0F, 0x2C, 0x17, 0x84, 0xDE, 0xDB, 0xD9, 0x41, 0x06, 0x19, 0xF7, 0xA1, 0x99, 0xA8, 0x45, 0x7A,
     0x3E, 0x23, 0xA5, 0x1B, 0xAF, 0x0A, 0xAA, 0xE5, 0xEF, 0xA4, 0xE1, 0xF8, 0xFA, 0x82, 0x3A, 0x9A, 0xDF, 0x8F, 0x1C,
     0x65, 0xC7, 0x73, 0xD1, 0xC1, 0xC5, 0xD7, 0xA2, 0x5E, 0x87, 0xDD, 0x9D, 0x8D, 0xF9, 0xC9, 0x81, 0xCD, 0x90, 0x97,
     0xEE, 0x66, 0xDA, 0x4F, 0x42, 0x3F, 0xC6, 0x74, 0x08, 0x37, 0x25, 0xCB, 0x77, 0x26, 0xE3, 0x83, 0x32, 0xB9, 0xBD,
     0xD3, 0xF2, 0x44, 0xD5, 0x4E, 0x2D, 0xBA, 0x62, 0x98, 0x04, 0x1E, 0x12, 0x21, 0xE4, 0xBF, 0x47, 0xF6, 0x86, 0xF4,
     0xFD, 0x94, 0x16, 0xA3, 0xEB, 0x1F, 0x70, 0x7C, 0xB2, 0x51, 0x02, 0x43, 0x22, 0x15, 0xCC, 0x7E, 0x09, 0x6B, 0xE2,
     0x5D, 0xBB, 0x9B, 0xBE, 0xB5, 0xD4, 0xED, 0x57, 0xF1]

# Wrap every entry in an unsigned 8-bit integer so negative values become 0..255.
enc = [ctypes.c_uint8(signed_byte) for signed_byte in enc]

# The original code uses the final value as an index into b, so here the
# index of the stored byte is the final plaintext value.
enc[39].value = b.index(enc[39].value)
recovered = [chr(enc[39].value)]

# Walk from the end to the front: the index of enc[prev] in b, XORed with the
# already recovered following byte, is the plaintext byte at prev.
for prev in reversed(range(len(enc) - 1)):
    enc[prev].value = b.index(enc[prev].value) ^ enc[prev + 1].value
    recovered.append(chr(enc[prev].value))

# Characters were collected back to front; reverse them into reading order.
flag = ''.join(reversed(recovered))

print(flag)
DASCTF{e:-aSy|u9aPR0gr~AMfo~$RrE^VeR$3!}

AndroidELF-1

打开之后函数很少,搜字符串发现有upx壳

找到三个UPX标志位,后两个是小写,改成大写后保存

现在有壳了

脱壳

找flag找到关键函数

有四个子函数

第一个

gpt说是按bit反转

再问gpt,正向和逆向的脚本是一样的:按位反转是自反的(对同一个字节做两次就还原),所以正向是1<->7,逆向还是1<->7

第二个函数,有下标置换

第三个函数

是8*,而不是8的次方

最后的密文

比赛的时候就差写脚本,还是很菜,没gpt根本写不了一点

用python每一轮都要考虑范围问题

# Decrypt the 64-byte ciphertext in four independent 16-byte blocks.
# Python integers do not wrap, so every step is reduced modulo 256 by hand.
a = [0x3D, 0x45, 0x38, 0x7E, 0x78, 0x4B, 0x6A, 0x5C, 0x5B, 0x52,
     0x4C, 0x73, 0x4E, 0x39, 0x49, 0x5F, 0x49, 0x40, 0x38, 0x5E,
     0x74, 0x40, 0x66, 0x44, 0x46, 0x7A, 0x39, 0x3B, 0x67, 0x39,
     0x70, 0x6C, 0x71, 0x5E, 0x6D, 0x4D, 0x5A, 0x4C, 0x7F, 0x3B,
     0x4D, 0x63, 0x5E, 0x4E, 0x44, 0x5A, 0x7B, 0x51, 0x38, 0x61,
     0x29, 0x63, 0x75, 0x5B, 0x67, 0x46, 0x4E, 0x5D, 0x79, 0x29,
     0x4D, 0x29, 0x6D, 0x71]
# Index table used by the position-shuffling step.
v4 = [0xd, 4, 0, 5, 2, 0xc, 0xb, 8, 0xa, 6, 1, 9, 3, 0xf, 7, 0xe]
b = [0] * 64
tmp = [0] * 16

for m in range(4):
    base = 16 * m
    # Rounds run from 15 down to 0.
    for i in reversed(range(16)):
        round_key = 120 * i  # "8*", a multiplication, not a power of 8

        # Step 1: XOR each byte of the block with the round value.
        for j in range(16):
            a[base + j] = ((a[base + j] ^ round_key) + 256) % 256

        # Step 2: rotate each byte left by 5 bits within 8 bits.
        for j in range(16):
            current = a[base + j]
            a[base + j] = (((current << 5) | (current >> 3)) + 256) % 256

        # Step 3: shuffle positions inside the block through v4.
        tmp[:] = a[base:base + 16]
        for j in range(16):
            b[base + j] = tmp[v4[j]]

        # Step 4: reverse the bit order of each byte (bit k moves to 7 - k).
        for j in range(16):
            mirrored = 0
            for k in range(8):
                mirrored |= ((b[base + j] >> k) & 1) << (7 - k)
            b[base + j] = mirrored

        # Feed the round's result back in as the next round's input.
        a[base:base + 16] = b[base:base + 16]

print("".join(chr((value + 256) % 256) for value in b), end="")

用c可以直接定义类型,但要注意unsigned

#include<stdio.h>
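/*
 * Decrypt the 64-byte ciphertext in four 16-byte blocks and print the result.
 *
 * Each of the 16 rounds (m = 15 down to 0) XORs every byte with the low byte
 * of 120*m, rotates it left by 5 bits, shuffles the positions through v4 and
 * reverses the bit order of each byte.
 *
 * Every buffer that is shifted or used as an index is unsigned char: a plain
 * (possibly signed) char would make setting bit 7 and indexing with v4
 * implementation-defined.
 */
int main(){
    /* Ciphertext taken from the unpacked binary. */
    char mi[64]={0x3D, 0x45, 0x38, 0x7E, 0x78, 0x4B, 0x6A, 0x5C, 0x5B, 0x52,
                 0x4C, 0x73, 0x4E, 0x39, 0x49, 0x5F, 0x49, 0x40, 0x38, 0x5E,
                 0x74, 0x40, 0x66, 0x44, 0x46, 0x7A, 0x39, 0x3B, 0x67, 0x39,
                 0x70, 0x6C, 0x71, 0x5E, 0x6D, 0x4D, 0x5A, 0x4C, 0x7F, 0x3B,
                 0x4D, 0x63, 0x5E, 0x4E, 0x44, 0x5A, 0x7B, 0x51, 0x38, 0x61,
                 0x29, 0x63, 0x75, 0x5B, 0x67, 0x46, 0x4E, 0x5D, 0x79, 0x29,
                 0x4D, 0x29, 0x6D, 0x71};
    unsigned char s[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
    /* Index table for the position shuffle; unsigned so it is safe as a subscript. */
    unsigned char v4[16]={0xd,4,0,5,2,0xc,0xb,8,0xa,6,1,9,3,0xf,7,0xe};
    unsigned char tmp[16]={0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

    for(int k=0;k<4;k++){
        /* Load the current 16-byte block. */
        for(int n=0;n<16;n++){
            s[n]=mi[16*k+n];
        }
        for(int m=15;m>=0;m--){
            /* XOR with the round value; the store truncates it to 8 bits. */
            for(int i=0;i<16;i++){
                s[i]=s[i]^(120*m);
            }
            /* Rotate left by 5 within a byte. */
            for(int i=0;i<16;i++){
                s[i]=(s[i]<<5)|(s[i]>>3);
            }
            /* Shuffle positions through v4. */
            for(int i=0;i<16;i++){
                tmp[i]=s[v4[i]];
            }
            /* Reverse the bit order of each byte (bit j moves to 7 - j). */
            for(int i=0;i<16;i++){
                unsigned char v1=0;
                for(int j=0;j<8;j++){
                    v1|=((tmp[i]>>j)&1)<<(7-j);
                }
                tmp[i]=v1;
            }
            for(int i=0;i<16;i++){
                s[i]=tmp[i];
            }
        }
        /* Print the recovered block. */
        for(int m=0;m<16;m++){
            printf("%c",s[m]);
        }
    }

    return 0;
}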

或者用ctypes

import ctypes

# Index table used by the position-shuffling step.
xmm = [0x0000000D, 0x00000004, 0x00000000, 0x00000005,
       0x00000002, 0x0000000C, 0x0000000B, 0x00000008,
       0x0000000A, 0x00000006, 0x00000001, 0x00000009,
       0x00000003, 0xf, 0x7, 0xe]

# Ciphertext: 64 bytes, processed as four 16-byte blocks.
enc = [0x3D, 0x45, 0x38, 0x7E, 0x78, 0x4B, 0x6A, 0x5C, 0x5B, 0x52, 0x4C, 0x73, 0x4E, 0x39, 0x49, 0x5F, 0x49, 0x40, 0x38,
       0x5E, 0x74, 0x40, 0x66, 0x44, 0x46, 0x7A, 0x39, 0x3B, 0x67, 0x39, 0x70, 0x6C, 0x71, 0x5E, 0x6D, 0x4D, 0x5A, 0x4C,
       0x7F, 0x3B, 0x4D, 0x63, 0x5E, 0x4E, 0x44, 0x5A, 0x7B, 0x51, 0x38, 0x61, 0x29, 0x63, 0x75, 0x5B, 0x67, 0x46, 0x4E,
       0x5D, 0x79, 0x29, 0x4D, 0x29, 0x6D, 0x71]

# Hold every element as an unsigned 8-bit integer, so each assignment to
# .value keeps only the low 8 bits and no manual range handling is needed.
enc = [ctypes.c_uint8(raw) for raw in enc]

for mm in range(4):
    # The slice is a new list, but it refers to the same c_uint8 objects, so
    # writing to cell.value updates enc in place.
    block = enc[mm * 16:(mm + 1) * 16]
    for i in reversed(range(16)):
        # Step 1: XOR with the round value.
        for cell in block:
            cell.value ^= 0x78 * i

        # Step 2: rotate left by 5 bits within the byte.
        for cell in block:
            cell.value = (cell.value >> 3) | (cell.value << 5)

        # Step 3: shuffle positions. The forward direction was
        # tmp[xmm[j]] = enc[j], so the inverse reads from index xmm[j].
        tmp = [block[source].value for source in xmm]
        for cell, moved in zip(block, tmp):
            cell.value = moved

        # Step 4: reverse the bit order: 0-->7, 1-->6, 2-->5, 3-->4.
        for cell in block:
            v1 = 0
            for k in range(8):
                v1 |= ((cell.value >> k) & 1) << (7 - k)
            cell.value = v1

print(''.join(chr(cell.value) for cell in enc), end='')
DASCTF{51bWZvM0p1xNHLo3A1ndrVH0|VsED3LFyRwYkEVeRqeFSNE!0!oyUki!}

浙江省省赛2023初赛wp
https://j1ya-22.github.io/2023/11/06/浙江省省赛2023初赛wp/
作者
j1ya
发布于
2023年11月6日
许可协议