Zhejiang Provincial Competition 2024 Preliminary Round: Reverse and Xinchuang Security writeup

Re

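Personally, I feel this year's preliminary round had no warm-up (check-in) Re challenge, but the hard challenges were not as hard as in previous years.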

ezRe

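Opening the file in 010 Editor shows that it is a pyc file.

Damn, pycdc cannot decompile it; the pyc file may have been modified.

The only option is pycdas. First, the key is XORed.

The routine resembles RC4, but it only generates the keystream and does not XOR it with the ciphertext.

After that comes an XOR with the key and 51.

The last step is base64.

When reversing, the XOR with the ciphertext can be left until the end. Not being able to decompile is really annoying.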

import base64

encoded = 'w53Cj3HDgzTCsSM5wrg6FMKcw58Qw7RZSFLCljRxwrxbwrVdw4AEwqMjw7/DkMKTw4/Cv8Onw4NGw7jDmSdcwq4GGg=='
# The base64 payload is UTF-8 text; each character is one ciphertext value
ciphertext = base64.b64decode(encoded).decode()
key = '7e021a7dd49e4bd0837e22129682551b'

s = list(range(256))
j = 0
# The key is XORed with 102 before use
key = [ord(c) ^ 102 for c in key]

# RC4-style key scheduling
for i in range(256):
    j = (j + s[i] + key[i % len(key)]) % 256
    s[i], s[j] = s[j], s[i]

i = j = 0
data = []

# RC4-style keystream generation (50 bytes)
for _ in range(50):
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    s[i], s[j] = s[j], s[i]
    k = s[(s[i] + s[j]) % 256]
    data.append(k)

# Undo the XOR with the keystream and with 51
result = ''
for c, k in zip(ciphertext, data):
    result += chr(ord(c) ^ k ^ 51)

print(result)

Midmath

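Change the signature bytes from DAS back to UPX.

Then unpack the binary.

The challenge turns out to be a maximum-path search, which can be solved with dynamic programming.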

#include <bits/stdc++.h>
using namespace std;

#define MAX_SUM 6668912
int a[510][510], f[510][510], path[510];

int main() {
    srand(time(NULL));
    int x = 1, y = 1;
    FILE *fp = fopen("out", "rb");
    if (fp == NULL) {
        perror("out");
        return 1;
    }

    // Read the number triangle: row x holds x values
    while (fscanf(fp, "%d", &a[x][y]) != EOF) {
        if (x == y) {
            y = 1;
            x++;
            continue;
        }
        y++;
    }
    fclose(fp);
    x--;

    // f[i][j] = best sum of a path from the top down to cell (i, j)
    f[1][1] = a[1][1];
    for (int i = 2; i <= x; i++) {
        for (int j = 1; j <= i; j++) {
            f[i][j] = f[i - 1][j] + a[i][j];
            if (j > 1) {
                f[i][j] = max(f[i][j], f[i - 1][j - 1] + a[i][j]);
            }
        }
    }

    // Take the first bottom cell whose sum exceeds MAX_SUM and walk back up
    for (int i = 1; i <= x; i++) {
        if (f[x][i] > MAX_SUM) {
            int cx = x, cy = i;
            while (cx > 1) {
                if (f[cx][cy] == f[cx - 1][cy] + a[cx][cy]) {
                    path[cx] = 1;  // came from the same column
                } else {
                    path[cx] = 2;  // came from the column to the left
                    cy--;
                }
                cx--;
            }
            break;
        }
    }

    // Print the step taken at each row, top to bottom
    for (int i = 2; i <= x; i++) {
        printf("%d", path[i]);
    }

    return 0;
}


***
2121111112222111112111111111112121211221122121111121122222222222212222122122212121111121122111121111111112211121221111222222222212111122221111211111221122111111121121212112211222121222222222112222111122222121222222222212211111111211112112212112222111211222122222122222222212221222212122211211222122221121222121212112112212121122111121122111221221221111121211211112122222211111212122221222222112111112122221111121221111111111111112111211111122122111111111111211212122212222111222212212111121112221211
***

Finally, output the result as lowercase hexadecimal.

import hashlib
data = "2121111112222111112111111111112121211221122121111121122222222222212222122122212121111121122111121111111112211121221111222222222212111122221111211111221122111111121121212112211222121222222222112222111122222121222222222212211111111211112112212112222111211222122222122222222212221222212122211211222122221121222121212112112212121122111121122111221221221111121211211112122222211111212122221222222112111112122221111121221111111111111112111211111122122111111111111211212122212222111222212212111121112221211"

md5_full = hashlib.md5(data.encode()).hexdigest()
md5_16 = md5_full[8:24]

print(md5_16)
#f4135424cb2f161c

MidRe-1

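The binary contains junk instructions.

There is one section in the middle that I never managed to clean up so that congratulation shows up in main.

At the start, the input goes through a cyclic XOR.

Scrolling up reveals two strings.

The first is the key and the second is the IV.

It looks a bit like AES, and running findcrypt confirms it.

This is what I got when I solved it at the time; I did not think much about why only the first few characters were normal. After the contest I found that I had misread 0xb as 0x8 🥲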

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

ciphertext = bytes([
    0x52, 0x06, 0xC4, 0x9D, 0x28, 0x71, 0x26, 0x04, 0xBA, 0x98,
    0x4D, 0x20, 0x03, 0x81, 0x39, 0x39, 0x8C, 0x6E, 0x14, 0x8C,
    0x7E, 0xBF, 0x44, 0x5A, 0x67, 0xF5, 0x0A, 0x7F, 0x61, 0x7F,
    0xCE, 0x72
])

# Key and IV are the text bytes of these strings, not hex-decoded values
key = "5855eab53a2275d3".encode('utf-8')
iv = "b051a57d6d05b393".encode('utf-8')

# AES-CBC decryption
cipher = Cipher(algorithms.AES(key), modes.CBC(iv))
decryptor = cipher.decryptor()

plaintext = decryptor.update(ciphertext) + decryptor.finalize()

plaintext_list = list(plaintext)

# Cyclic XOR mask applied to the input ("what's this")
a = [0x77, 0x68, 0x61, 0x74, 0x27, 0x73, 0x20, 0x74, 0x68, 0x69, 0x73]

for i in range(len(plaintext_list)):
    print(chr(plaintext_list[i] ^ a[i % len(a)]), end="")

#726974812f6d9e532f9d838924e6c05f

Here the key and IV are still used as UTF-8 text, even though they look like hexadecimal.

Xinchuang Security

sm4rev-1

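The attachment starts with an sh script, followed by data of unknown type.

Seeing dir and decompress, I guessed it was decompressing something, so I changed the extension to zip and extracted it to get an ELF.

The challenge hints at SM4, and the key and IV can be found.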
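The sh-stub-plus-archive layout described above can be confirmed by scanning for file magics instead of guessing the extension. This is an added example, not code from the original post; the stub text, the member name `sm4rev` and the sample bytes are constructed, and it assumes the appended data is a zip, as the post found.

```python
import io
import zipfile

# Magic numbers worth checking for behind a shell stub.
MAGICS = {b"PK\x03\x04": "zip", b"\x1f\x8b\x08": "gzip", b"\x7fELF": "elf"}


def find_payload(blob: bytes):
    """Return (offset, kind) of the earliest known magic in the blob."""
    hits = [(blob.find(m), kind) for m, kind in MAGICS.items() if m in blob]
    return min(hits) if hits else (None, None)


def extract_zip_members(blob: bytes) -> dict:
    """Read every member of a zip that has a script prepended to it."""
    offset, kind = find_payload(blob)
    if kind != "zip":
        raise ValueError(f"no zip payload found (first hit: {kind})")
    # Carve from the first local file header so the stub is left behind.
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample() -> bytes:
    """Constructed sample: a tiny sh stub followed by a zip holding a fake ELF."""
    stub = b'#!/bin/sh\ndir=$(mktemp -d)\n# decompress payload into "$dir"\nexit 0\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sm4rev", b"\x7fELF" + b"\x00" * 12)  # hypothetical member
    return stub + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(find_payload(sample))
    for name, data in extract_zip_members(sample).items():
        print(name, data[:4])
```

Renaming the attachment to .zip works for the same reason: zip readers locate the central directory from the end of the file, so a prepended script does not get in the way.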


https://j1ya-22.github.io/2024/11/03/浙江省省赛2024初赛Reverse与信创安全wp/
Author: j1ya
Published: November 3, 2024