八嘎又拖队友后腿了……😭
Rev
晴窗细乳戏分茶
主函数内可见为分段加密,进入encrypt和encrypt2函数可确认第一段是标准TEA加密,第二段是标准XTEA加密
exp:
from ctypes import *
from Crypto.Util.number import *
def decrypt1(v,k):
v0=c_uint32(v[0])
v1=c_uint32(v[1])
delta=0x9e3779b9
sum=c_uint32(delta*32)
for i in range(32):
v1.value-=(v0.value+sum.value)^(v0.value*16+k[2])^((v0.value>>5)+k[3])
v0.value-=(v1.value+sum.value)^(v1.value*16+k[0])^((v1.value>>5)+k[1])
sum.value-=delta
print(v0.value,v1.value,end=",")
def decrypt2(v,k):
v0=c_uint32(v[0])
v1=c_uint32(v[1])
delta=0x9e3779b9
sum=c_uint32(delta*32)
for i in range(32):
v1.value-=(((v0.value>>5)^(v0.value*16))+v0.value)^(k[sum.value>>11&3]+sum.value)
v1.value=v1.value & 0xffffffff
sum.value-=delta
sum.value=sum.value & 0xffffffff
v0.value-=(((v1.value>>5)^(v1.value*16))+v1.value)^(k[sum.value&3]+sum.value)
# print(sum.value&3,(sum.value>>11)&3)
print(v0.value,v1.value,end=",")
if __name__=='__main__':
key=[0x192021,0x28256,0x28257,0x282931]
enc1=[0xA30C700E,0xF68BD6E3,0xC0D489F0,0x12BEFB25,0x80EEC5B3,0x2B95BCD0]
decrypt1(enc1[0:2],key)
decrypt1(enc1[2:4],key)
decrypt1(enc1[4:6],key)
key2=[0x15574396,0x114514,0x5201314,0x7355608]
enc2=[0x876e3624,0xa8612878,0x3f089d1c,0x4a250d5c]
decrypt2(enc2[0:2],key2)
decrypt2(enc2[2:4],key2)
soa=[1818850626,1179927396,1596998779,1601515641,1852388164,812867435,1415529837,2101297477]
for i in soa:
print(str(long_to_bytes(i)[::-1])[2:-1],end="")
自是花中第一流
在主函数及init_key函数存在jz-jnz互补跳转
将junk code e8 nop掉即可F5
分析几个加密函数不难看出这是个标准RC4,key由Is_key异或0x31得到
cyberchef解出即可
Babyre
第一部分flag由简单异或0xA得到
Buildctf{e38c8554-27c1-4c2c-99ad-0a6d3ed66d1c}
小端序
第二部分密文
0x58,0x00,0x14,0x4E,0x51,0x51,0x57,0x19,0x56,0x57,0x52,0x57,0x51,0x1D,0x49,0x05,0x1E,0x52,0x55,0x52,0x00,0x52,0x01,0x56exp:
#include<stdio.h>
int main()
{
int enc[25]={0x19,0x57,0x51,0x51,0x4e ,0x14,0x00,0x58,0x05,0x49,0x1d,0x51,0x57,0x52,0x57,0x56,0x56,0x01,0x52,0x00,0x52,0x55,0x52,0x1e};
int key='-';
int tmp='}';
for(int i=0;i<=23;i++)
{
printf("%c,%x\n",enc[i]^key,enc[i]);
key^=enc[i];
}
printf("\n\n\n\n");
for(int i=23;i>=0;i--)
{
printf("%c,%x\n",enc[i]^tmp,enc[i]);
tmp^=enc[i];
}
}Ezmfc
下载附件,发现为MFC程序,无法使用IDA常规套路分析,于是尝试用Spy++和xspy查看窗口,但是并没有发现有用信息,于是尝试按照窗口显示提示操作
最大化后显示最小化即可获得flag,但最小化被ban掉了,猜测这里预期解应该要利用spy++修改窗口属性,但是可以通过任务管理器直接最小化窗口
随后根据最小化之后的窗口提示,使用CE查看内存即可获得flag
pyc
使用在线工具反编译pyc
exp:
import base64
def decode(enc):
enc1=base64.b64decode(bytes(enc)).decode('utf-8')
s=bytearray()
for i in enc1:
if i > 255:
i+=256
i-=16
i=ord(i)^32
print(enc1)
if __name__ = '__main__':
enc="cmVZXFRzhHZrYFNpjyFjj1VRVWmPVl9ij4kgZW0="
decode(enc)
ez_xor
进入主函数,整理一下符号,不难发现v9数组为密文,encrypt函数为加密函数,密钥为aBuildctf2024
encrypt函数内的逻辑很简单,先将key传入key_init函数生成长度为256的密码盒,然后再用密码盒对明文进行加密
那么只需要获取密码盒子后逆序解密即可,动调之
exp
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include <Windows.h>
char sbox[256] = {
0xF7, 0xA0, 0xD3, 0xD5, 0xB6, 0xE2, 0x6B, 0x8F, 0xCB, 0x33,
0xA8, 0x30, 0x21, 0xEA, 0x4D, 0x7F, 0xCF, 0x69, 0x1C, 0x50,
0x84, 0x1A, 0xB8, 0x78, 0xD6, 0x72, 0xDF, 0x20, 0xFA, 0x2E,
0xBD, 0x87, 0x43, 0xCC, 0xE9, 0xBC, 0x35, 0xD8, 0x0A, 0x8A,
0xDA, 0x2C, 0xDE, 0xF1, 0x5F, 0xE6, 0xAB, 0x4C, 0xE7, 0x12,
0x41, 0x14, 0x7B, 0x46, 0x4B, 0xEE, 0x03, 0x79, 0xF3, 0xAC,
0xB9, 0x07, 0x34, 0x17, 0x96, 0x51, 0xCE, 0x0B, 0x16, 0x9E,
0xB1, 0x58, 0x8C, 0x27, 0xC5, 0x3D, 0x6D, 0xA6, 0xC1, 0x42,
0x48, 0x63, 0x9F, 0x70, 0x9B, 0x09, 0x77, 0x00, 0x9C, 0xC0,
0x38, 0xC6, 0x5D, 0xBA, 0x53, 0x66, 0xDC, 0x57, 0xF5, 0x1E,
0x0D, 0x76, 0x98, 0x22, 0x62, 0x89, 0xA7, 0x52, 0xFE, 0xFF,
0xA9, 0x95, 0x71, 0x2D, 0x59, 0x4E, 0x5B, 0xA1, 0xF8, 0xE1,
0xE4, 0x11, 0x93, 0xBE, 0x1D, 0x19, 0x80, 0x7C, 0x32, 0x25,
0x31, 0x83, 0x44, 0xBB, 0x64, 0xA2, 0x18, 0x6E, 0x1F, 0x7D,
0xA4, 0x65, 0xFD, 0xCD, 0xC2, 0xF2, 0x10, 0xE3, 0x61, 0x9A,
0xD1, 0x3E, 0x47, 0x39, 0x24, 0x2F, 0xB7, 0x54, 0x15, 0xDD,
0xA5, 0xBF, 0xEB, 0xB0, 0x56, 0xFC, 0x05, 0x60, 0xEC, 0x81,
0xE8, 0xAE, 0x55, 0x6C, 0x99, 0x4F, 0x26, 0x3C, 0xF0, 0xB2,
0xD7, 0xAF, 0xD0, 0xD2, 0x01, 0x4A, 0xD4, 0x29, 0x45, 0xCA,
0x23, 0xC8, 0xB5, 0x0F, 0x5A, 0x2A, 0x2B, 0xDB, 0x1B, 0xAD,
0x0E, 0x8D, 0x28, 0x3A, 0x74, 0x7A, 0x08, 0xC3, 0x6A, 0x88,
0xA3, 0x90, 0xF6, 0x49, 0x5E, 0xF9, 0x8E, 0x9D, 0xB4, 0xEF,
0xB3, 0x97, 0xC7, 0x02, 0xE5, 0x94, 0x73, 0x68, 0x06, 0x3B,
0x40, 0x85, 0x8B, 0x67, 0x75, 0x6F, 0x7E, 0x13, 0xAA, 0xED,
0xFB, 0x04, 0x91, 0x86, 0x3F, 0x36, 0x5C, 0x82, 0x0C, 0xC9,
0xC4, 0x37, 0xD9, 0x92, 0xF4, 0xE0 };
char* __fastcall swap(char* a1,char* a2)
{
char* result; // rax
char v3; // [rsp+0h] [rbp-18h]
v3 = *a1;
*a1 = *a2;
result = a2;
*a2 = v3;
return result;
}
//__int64 __fastcall initialize_key(char* a1)
//{
// __int64 result; // rax
// int k; // [rsp+20h] [rbp-138h]
// unsigned int i; // [rsp+24h] [rbp-134h]
// int j; // [rsp+28h] [rbp-130h]
// int v5; // [rsp+2Ch] [rbp-12Ch]
// unsigned int v6; // [rsp+30h] [rbp-128h]
// char v7[256]; // [rsp+40h] [rbp-118h] BYREF
//
// for (i = 0; i < 256; ++i)
// sbox[i] = i;
// v6 = 31;
// result = 0i64;
// memset(v7, 0, sizeof(v7));
// for (j = 0; j < 256; ++j)
// {
// v7[j] = a1[j % v6];
// result = (unsigned int)(j + 1);
// }
// v5 = 0;
// for (k = 0; k < 256; ++k)
// {
// v5 = ((unsigned __int8)v7[k] + (unsigned __int8)sbox[k] % 63 + v5) % 256;
// swap(&sbox[k], &sbox[v5]);
// result = (unsigned int)(k + 1);
// }
// for (int i = 0;i <= 255;i++)
// {
// printf("0x%x,", sbox[i]);
// }
// return result;
//}
//__int64 __fastcall encrypt(char* a1,char* a2)
//{
// __int64 result; // rax
// unsigned __int8 v3; // [rsp+20h] [rbp-18h]
// unsigned __int8 v4; // [rsp+21h] [rbp-17h]
// unsigned int i; // [rsp+24h] [rbp-14h]
// unsigned int v6; // [rsp+28h] [rbp-10h]
// v3 = 0;
// v4 = 0;
// initialize_key(a2);
// v6 = 31;
// for (i = 0; i<31; ++i)
// {
// result = v6;
// v3 += 7;
// v4 += sbox[v3];
// swap((char* ) & sbox[v3],(char* ) & sbox[v4]);
// //printf("v34=%x %x\n", v3, v4);
// a1[i] -= sbox[(unsigned __int8)(sbox[v4] + sbox[v3])];
//
// }
// return result;
//}
__int64 __fastcall decrypt(char* a1)
{
_int64 result; // rax
unsigned __int8 v3 = 0xe0;// [rsp+20h] [rbp-18h]
unsigned __int8 v4 = 0xcf; // [rsp+21h] [rbp-17h]
int i; // [rsp+24h] [rbp-14h]
unsigned int v6; // [rsp+28h] [rbp-10h]
v6 = strlen(a1);
for (i = 31;i >= 0; i--) {
a1[i] += sbox[(unsigned __int8)(sbox[v4] + sbox[v3])];
swap((char*)&sbox[v3], (char*)&sbox[v4]);
v4 -= sbox[v3];
v3 -= 7;
result = v6;
}
return result;
}
int main()
{
unsigned char key[17] = "BuildCTF2024!^_^";
unsigned char C[32] = "1234567891234567891234567891234";
unsigned char enc[]= { 0x19,0x68,0xA2,0xEF,0x7B,0xBA,0x0E,0xC5,0x5D,0x80,0xEF,0x09,0x0B,0xD1,0x81,0xF1,0xF0,0x33,0xA6,0x11,0x23,0x58,0x5C,0x2B,0x38,0x8D,0x80,0x61,0x27,0x48,0x35,0x00 };
/*encrypt((char*)C,(char*)key);*/
decrypt((char*)enc);
for (int i = 0;i <= 31;i++)
printf("%x ", enc[i]);
// initialize_key((char*)key);
}
