DASCTF2024暑假挑战赛

Re

DosSnake

发现密文是与密钥 DASCTF 循环异或得到的

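# Ciphertext bytes of the flag body, as given in the write-up.
a = [
    0x3F, 0x09, 0x63, 0x34, 0x32, 0x13, 0x2A, 0x2F, 0x2A, 0x37,
    0x3C, 0x23, 0x00, 0x2E, 0x20, 0x10, 0x3A, 0x27, 0x2F, 0x24,
    0x3A, 0x30, 0x75, 0x67, 0x65, 0x3C,
]

# Repeating XOR key; the same string is also the known flag prefix.
key = 'DASCTF'
flag = 'DASCTF'

# Repeating-key XOR is its own inverse, so applying the key again recovers the
# plaintext.  The key length is taken from the key rather than hard-coded.
# NOTE(review): a fixed key stored next to the data is obfuscation only; it
# gives no confidentiality once the key string is spotted.
flag += ''.join(chr(byte ^ ord(key[i % len(key)])) for i, byte in enumerate(a))
print(flag)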

Strange_programe

一般main在code里面

根据经验猜测hook了memcmp

看到异或感觉有用,交叉引用往上找

异或生成DASCTF,其实是在解密.DASCTF段

nop掉反调试

进入1064发现跳到.DASCTF段,处理花指令

下面在遍历IAT获取memcmp的地址

然后就是hook

魔改tea

每组密文(两个 32 位字)还要分别与第一组的两个字(enc[0]、enc[1])异或

#include <stdio.h>
#include <stdint.h>

/*
 * Decrypt one 64-bit block (v[0], v[1]) in place with the 128-bit key k[0..3].
 *
 * The round function has the TEA shape, but this variant runs 16 rounds and
 * subtracts delta from the running sum *before* each round uses it, so the
 * first round already sees delta * 15.  All arithmetic is unsigned 32-bit and
 * wraps modulo 2^32.
 */
void decrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = delta * 16;
    int rounds_left = 16;

    while (rounds_left-- > 0)
    {
        sum -= delta;
        /* Undo the two half-rounds in reverse order: second word first. */
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
    }

    v[0] = left;
    v[1] = right;
}

/*
 * Ciphertext as listed in the write-up: ten 32-bit words, laid out here as
 * the five word pairs that main() walks through.
 */
unsigned int enc[10] = {
    0xBC2B4DF9, 0x6213DD13,
    0x89FFFCC9, 0x0FC94F7D,
    0x526D1D63, 0xE341FD50,
    0x97287633, 0x6BF93638,
    0x83143990, 0x1F2CE22C
};

/*
 * Four 32-bit key words passed to decrypt().
 * NOTE(review): a static key stored alongside the ciphertext offers no
 * secrecy; anyone who can read the program can read the key.
 */
unsigned int key[4] = {
    0x12345678,
    0x09101112,
    0x13141516,
    0x15161718
};

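/*
 * Undo the chained encryption of enc[] and print the recovered text.
 *
 * Working from the last word pair back to the second one, each pair is XORed
 * with the current contents of the first pair (enc[0], enc[1]), after which
 * the first pair is decrypted once more.  A final decrypt() then recovers the
 * first pair itself.
 */
int main() {
    /* i takes the values 9, 7, 5, 3 and stops at 1, so the unsigned index
     * never wraps below zero. */
    for (size_t i = 9; i >= 2; i -= 2)
    {
        enc[i] ^= enc[1];
        enc[i - 1] ^= enc[0];
        decrypt(enc, key);
    }
    decrypt(enc, key);

    /* enc is exactly 40 bytes with no terminating NUL, so a bare "%s" would
     * read past the end of the array.  Bound the read to the array size.
     * NOTE(review): reading the words as characters assumes a little-endian
     * host - confirm if porting. */
    printf("%.*s", (int)sizeof(enc), (const char *)enc);
    return 0;
}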
DASCTF{I4TH0ok_I5S0ooFunny_Isnotit?????}

BabyAndroid

直接搜DAS发现rc4算法

loaddata调用jpg

解密得到dex

没想到密钥是用0d:按自定义哈希算出的16字节密钥每个字节都是0x0d

脚本解出来一堆数字

# -*- coding: utf-8 -*-

import base64
from Crypto.Cipher import AES

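def custom_hash(input_str):
    """Derive the 16-byte AES key the app builds from a passphrase.

    Every one of the 16 key positions starts at 0 and receives the same
    update, ``(state * 31 + ord(char)) % 251``, for each character, so all 16
    bytes end up identical.  The result is therefore one rolling value
    repeated 16 times (``0x0d`` for ``"DSACTF"``).

    NOTE(review): only 251 distinct keys can ever come out of this function,
    so it provides no real key strength; a vetted KDF with a secret that is
    not shipped in the app is what a real design would need.

    Args:
        input_str: passphrase string.

    Returns:
        16 identical bytes; all zero for an empty string.
    """
    state = 0
    for char in input_str:
        state = (state * 31 + ord(char)) % 251
    # state < 251, so the original "% 256" on each byte is a no-op.
    return bytes([state] * 16)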

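def decrypt(encrypted_data, key):
    """Base64-decode *encrypted_data*, AES-ECB decrypt it and return the text.

    Padding is removed as PKCS#7: the last byte gives the pad length (1..16)
    and must be repeated that many times.  The previous ``rstrip`` on the
    characters ``\\x01``-``\\x08`` left pads of 9 to 16 bytes in place and
    would also eat genuine trailing control characters.  If the tail is not
    valid PKCS#7 padding, the plaintext is returned unchanged.

    NOTE(review): ECB is used only because it mirrors what the analysed app
    does; identical plaintext blocks produce identical ciphertext blocks, so
    it should not be chosen for new designs.

    Args:
        encrypted_data: Base64 text of the ciphertext.
        key: AES key bytes.

    Returns:
        The decrypted data decoded as UTF-8.
    """
    cipher = AES.new(key, AES.MODE_ECB)
    plaintext = cipher.decrypt(base64.b64decode(encrypted_data))

    pad_len = plaintext[-1] if plaintext else 0
    if 1 <= pad_len <= 16 and plaintext.endswith(bytes([pad_len]) * pad_len):
        plaintext = plaintext[:-pad_len]

    return plaintext.decode('utf-8')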

# Known passphrase string; note the spelling "DSACTF", not "DASCTF".
KEY = "DSACTF"

# Known ciphertext (Base64 text).
encrypted_data = "TwMkYUkg4bYsY0hL99ggYWnVjWyXQrWAdNmToB0eBXbS6wBzL6ktorjNWI9VOroTU4HgIUYyzGLpcHzd1zNGT+bFZZI7IoxJwpcgXfdwW1LSmiNSP+PuSUsqAzNclF1nJ07b4tYyLWg0zTypbzWsLhOIM+6uci3RFZLREUCALafi01M8mS+KMNxX1Pyn8mSP+KKKjQ5S5fasHRSn+L9qBFws0mWavpfI0QEiMgarxv0iGhYU8cfgonWyL70RvoXET5VUDP1vfYWIBLzzzaAqLC0OiMtUK3TTATSU7yijdgXm18OKMcGIke/NZIM6Sr5fL3t6psDOOkw2C/5uYrJVPn+D6U9KTL64bgREppDqMOvhvbhtuf/S3ASW/+rhtPMtoaD8FxDg0wWSLZA53fQfNA=="

# Derive the 16-byte AES key from the passphrase with the custom hash.
key = custom_hash(KEY)

# Decrypt the ciphertext and print the plaintext (the printed label means
# "decrypted data:").
decrypted_data = decrypt(encrypted_data, key)
print("解密后的数据:", decrypted_data)

MainActivity看不出啥

有个so层加载的,当时8.3反编译不了,后面发现7.7可以,果然不同版本的还是得试试

进到encrypt里面,问gpt发现是DCT

解密,发现最后一位是125,应该是对的

直接手动四舍五入

# -*- coding: utf-8 -*-
import numpy as np
from scipy.fftpack import idct

# 提供的加密数据
encrypted_data = [458.853181, -18.325492, -18.251911, -2.097520, -21.198660, -22.304648, 21.103162, -5.786284,
-15.248906, 15.329286, 16.919499, -19.669045, 30.928253, -37.588034, -16.593954, -5.505211,
3.014744, 6.553616, 31.131491, 16.472500, 6.802400, -78.278577, 15.280099, 3.893073, 56.493581,
-34.576344, 30.146729, 4.445671, 6.732204]

# 执行离散余弦反变换
decrypted_data = idct(encrypted_data, norm='ortho')

# 打印解密后的数据
print(decrypted_data)


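# Code points obtained by rounding the inverse-DCT output by hand (per the
# write-up).
a = [68, 65, 83, 67, 84, 70, 123, 89, 48, 117, 95, 65, 114, 51, 82, 101, 52,
     108, 108, 121, 95, 72, 64, 99, 107, 51, 114, 33, 125]

# Build the string once instead of printing character by character; the
# output is unchanged (no trailing newline).
flag = "".join(chr(code) for code in a)
print(flag, end="")
# DASCTF{Y0u_Ar3Re4lly_H@ck3r!}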

DASCTF2024暑假挑战赛
https://j1ya-22.github.io/2024/07/24/DASCTF2024暑假挑战赛/
作者
j1ya
发布于
2024年7月24日
许可协议