2021 NSFOCUS Cup (绿盟杯)

I'm too bad at this, I gave up, GG.

RE

REEEE

Analysis in IDA64 shows a REEE_encode function and a comparison against a string with an obvious Base64 look: BOxJB3tMeXV2dkM1BLR5A2Z3ekI2fXWLBUR0fUI2ekaMA2AzA30=

Stepping into REEE_encode reveals a custom Base64 alphabet; the following script decodes the string:

# coding=utf-8
import base64

change = "RSTUVWXYZabcdefghijklmnoABCDEFGHIJKLMNOPQpqrstuvwxyz0123456789+/"  # custom Base64 table found in REEE_encode
normal = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard Base64 table
key = "BOxJB3tMeXV2dkM1BLR5A2Z3ekI2fXWLBUR0fUI2ekaMA2AzA30="
# map every symbol of the custom table to the standard symbol at the same index
true_key = key.translate(str.maketrans(change, normal))
print('The real base64code: ' + true_key)
decode = base64.b64decode(true_key)  # the remapped string is now ordinary Base64
print(decode)

Result: flag{d4a6195f09cb75868acd0488652dcf3c}
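The translate() trick above works because a custom-alphabet Base64 is still 6 bits per symbol; only the symbol-to-value table differs. As an added example (not code from the write-up), the following decoder and encoder work directly from any 64-symbol alphabet, which makes that mechanism visible and also rejects tables that are not 64 distinct symbols. CHANGE and KEY are the values from the write-up; the function names are my own.

```python
# Added example: Base64 with an arbitrary alphabet, the scheme REEE_encode implements.
# CHANGE / KEY come from the write-up; the helpers are illustrative, not the binary's code.
import base64

CHANGE = "RSTUVWXYZabcdefghijklmnoABCDEFGHIJKLMNOPQpqrstuvwxyz0123456789+/"
NORMAL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
KEY = "BOxJB3tMeXV2dkM1BLR5A2Z3ekI2fXWLBUR0fUI2ekaMA2AzA30="


def b64_decode_custom(text: str, alphabet: str) -> bytes:
    """Decode Base64 text written in an arbitrary 64-symbol alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    index = {ch: i for i, ch in enumerate(alphabet)}
    bits, nbits, out = 0, 0, bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | index[ch]      # KeyError => symbol not in this table
        nbits += 6
        if nbits >= 8:                      # emit a byte once 8 bits are buffered
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1        # keep only the leftover bits
    return bytes(out)


def b64_encode_custom(data: bytes, alphabet: str) -> str:
    """Encode bytes with the same custom alphabet (lets you rebuild a sample)."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        n = int.from_bytes(block.ljust(3, b"\0"), "big")
        symbols = [alphabet[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(block) + 1               # 1..3 input bytes -> 2..4 symbols, rest '='
        out.append("".join(symbols[:keep]) + "=" * (4 - keep))
    return "".join(out)


def decode_via_translate(text: str, alphabet: str) -> bytes:
    """The write-up's approach: remap to the standard table, then use the stdlib."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, NORMAL)))


if __name__ == "__main__":
    print(b64_decode_custom(KEY, CHANGE))
```

Both decoders must agree on every input; if they ever disagree, the custom table you pulled from the binary is probably wrong (a duplicated or missing symbol), which the length/uniqueness check catches early.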

Hard re

Decompiling and debugging in IDA shows that the flag length is 32, that the exe drops a DLL itself, and that it invokes the DLL's Check function with C:\Windows\SysWOW64\rundll32.exe FakerDll.dll,Check xx (xx being the input).

Decompile the DLL and locate the Check function. Stepping into check_0, to get Success !!! printed we need flag == 1 and a4 == 9meD3Kcb0FHDbx6jX9FzpxpZUb12345.

Looking at how flag is set reveals another function: if lpMen == c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg= then flag is set to 1.

Following the cross-references leads to the main check function sub_1002E0B0; after fixing types and inferring what the functions do from context, we get:

signal1 = maybe_strcpy(signal2, v19, 27, &input[v5 - 26], 26);   // last 26 bytes of the input -> v19
signal3 = maybe_strcpy(signal1, str0, 14, &v19[0], 13);          // first 13 bytes -> str0
signal2 = maybe_strcpy(signal3, str1, 14, &v19[13], 13);         // next 13 bytes -> str1
for ( i = 0; i < strlen(str0); ++i )
{
  if ( (str0[i] ^ 5) <= 'z' && (str0[i] ^ 5) >= '0' )            // XOR 5 only if the result stays in '0'..'z'
    str0[i] ^= 5u;
}
for ( j = 0; j < strlen(str1); ++j )
{
  if ( (str1[j] ^ 0xF) <= 'z' && (str1[j] ^ 0xF) >= '0' )        // same guard, XOR 0xF
    str1[j] ^= 0xFu;
}

Guess: the signal variables record whether the previous call succeeded (1 on success); maybe_strcpy takes (bool check, destination start address, destination copy length, source start address, source copy length).

Since the transform is XOR, it is invertible, so we can script it (borrowing 古月浪子's script):

import base64

# the 26-byte target the DLL compares against (stored Base64-encoded in the binary)
lpMen = base64.b64decode('c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg=')
flag = ''
# undo the guarded XOR 5 on the last 13 bytes ...
for i in lpMen[13:]:
    if ord('z') >= i ^ 5 >= ord('0'):   # ^ binds tighter than >=, so this is a chained range check
        flag += chr(i ^ 5)
    else:
        flag += chr(i)
# ... and the guarded XOR 0xF on the first 13 bytes
for i in lpMen[:13]:
    if ord('z') >= i ^ 0xf >= ord('0'):
        flag += chr(i ^ 0xf)
    else:
        flag += chr(i)
print(flag)
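"XOR is invertible" is true for plain XOR, but the decompiled loops only apply the XOR when the result stays inside '0'..'z', and that guard is what can make the inversion ambiguous: a byte whose XOR image lands outside the range passes through unchanged, so two different input bytes can collapse onto the same target byte. The following is an added example (not from the write-up or from 古月浪子's script) that mirrors the guarded loop, enumerates the preimages of each target byte, and reports the positions where the inverted result is not unique. LP is the target string from the write-up; the helper names are my own.

```python
# Added example: the guarded XOR from sub_1002E0B0 and where its inversion is ambiguous.
# LP is the write-up's target string; the helper functions are illustrative only.
import base64

LO, HI = ord("0"), ord("z")
LP = base64.b64decode("c2JWblhyX0dgQnk8RHBdNWdJVW1HazZ0NHg=")


def guarded_xor(data: bytes, key: int) -> bytes:
    """Mirror of the decompiled loops: XOR with key only when the result stays
    inside '0'..'z'; any other byte passes through unchanged."""
    out = bytearray()
    for b in data:
        x = b ^ key
        out.append(x if LO <= x <= HI else b)
    return bytes(out)


def preimages(target: int, key: int) -> set:
    """Every input byte that guarded_xor maps onto `target`."""
    return {c for c in range(256) if guarded_xor(bytes([c]), key) == bytes([target])}


def ambiguous_positions(target: bytes, key: int) -> list:
    """Indices where more than one input byte produces the target byte."""
    return [i for i, t in enumerate(target) if len(preimages(t, key)) > 1]


def invert(target: bytes, key: int) -> bytes:
    """The write-up's inversion: apply the same guarded XOR again. Exact wherever
    the preimage is unique; at ambiguous positions it returns the unchanged byte,
    which is one of the valid answers but not necessarily the intended one."""
    return guarded_xor(target, key)


if __name__ == "__main__":
    # the script above processes LP[13:] with 5 and LP[:13] with 0xF
    for chunk, key in ((LP[13:], 5), (LP[:13], 0xF)):
        print(invert(chunk, key), "ambiguous at", ambiguous_positions(chunk, key))
```

When a position is ambiguous, each candidate can be checked by feeding it back through the original Check function (rundll32 as described above); the number of candidates is 2 to the power of the number of ambiguous positions, so it stays small here.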

Crypto

Sign-in

Caesar cipher, shift 3.

Result: flag{2a2ab40b9b031723cca883b61c15fee0}

easyras

We are given e, c, n and dp; plug them into the script:

import gmpy2 as gp

e = 0x10001
n = gp.mpz(101031799769686356875689677901727632087789394241694537610688487381734497153370779419148195361726900364384918762158954452844358699628272550435920733825528414623691447245900175499950458168333742756118038555364836309568598646312353874247656710732472018288962454506789615632015856961278964493826919853082813244227)
dp = gp.mpz(1089885100013347250801674176717862346181995027932544377293216564837464201546385463279055643089303360817423261428901834798955985043080308895369226243973673)
c = gp.mpz(59381302046219861703693321495442496884448849866535616496729805734326661742228038342690865965545318011599241185017546760846698815333545820228348501022889423901773651749628741238050559441761853071976079031678640014602919526148731936437472217369575554448232401310265267205034644121488774398730319347479771423197)

# dp = d mod (p-1), so e*dp = 1 + x*(p-1) for some 1 <= x < e; try every x
for x in range(1, e):
    if e*dp % x == 1:
        p = (e*dp - 1)//x + 1
        if n % p != 0:          # wrong x: candidate does not divide n
            continue
        q = n//p
        phin = (p-1)*(q-1)
        d = gp.invert(e, phin)
        m = gp.powmod(c, d, n)
        if len(hex(m)[2:]) % 2 == 1:   # odd-length hex cannot be a byte string
            continue
        print('--------------')
        print(m)
        print(hex(m)[2:])
        print(bytes.fromhex(hex(m)[2:]))

Result: flag{38c60aa8ddcfb50afa3021f40f0acdac}
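Why the loop above works: dp = d mod (p-1) means e*dp ≡ 1 (mod p-1), i.e. e*dp - 1 = k*(p-1) for some integer k, and since dp < p-1 we have k < e, so at most e-1 candidates need to be tried. As an added example (not from the write-up), here is the same recovery in pure Python, without gmpy2, run against a constructed textbook key (p=61, q=53, e=17) so the result can be checked by hand; all values below are constructed, and pow(e, -1, m) needs Python 3.8 or later.

```python
# Added example: recovering p from a leaked dp = d mod (p-1), pure Python.
# The toy key is constructed (textbook size); real keys use the same arithmetic.

def recover_p_from_dp(e: int, dp: int, n: int):
    """e*dp = 1 + k*(p-1) with 1 <= k < e. Each k dividing e*dp - 1 yields a
    candidate p; the correct one divides n. Returns None if dp does not belong to n."""
    for k in range(1, e):
        if (e * dp - 1) % k == 0:
            p = (e * dp - 1) // k + 1
            if 1 < p < n and n % p == 0:
                return p
    return None


def decrypt_with_dp(c: int, e: int, dp: int, n: int) -> int:
    """Recover p, rebuild the full private exponent d, and decrypt c."""
    p = recover_p_from_dp(e, dp, n)
    if p is None:
        raise ValueError("dp does not match this modulus")
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, n)


# Constructed toy key: p=61, q=53, e=17 (far too small for any real use)
TOY_P, TOY_Q, TOY_E = 61, 53, 17
TOY_N = TOY_P * TOY_Q                                # 3233
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))   # 2753
TOY_DP = TOY_D % (TOY_P - 1)                         # 53, the "leaked" CRT exponent
TOY_C = pow(65, TOY_E, TOY_N)                        # 2790, ciphertext of m = 65

if __name__ == "__main__":
    print("p =", recover_p_from_dp(TOY_E, TOY_DP, TOY_N))
    print("m =", decrypt_with_dp(TOY_C, TOY_E, TOY_DP, TOY_N))
```

The defensive takeaway is the same one the challenge encodes: the CRT exponents dp and dq are private-key material and must be protected exactly like d; leaking either one is equivalent to leaking the factorisation when e is small.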

MISC

Sign-in

Base64

huahua

Repair the zip archive, then repair the PNG by changing its height to 800. Result: flag{b3afc91a8fbb6cc798bdebb253b02550}
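The "change the height" step, as an added example that is not from the write-up: a minimal PNG is constructed in memory, the height field in IHDR is shrunk the way a challenge author typically does it (without updating the chunk CRC), the original height is recovered by finding the height that matches the stale CRC, and the file is re-patched with a correct CRC. The PNG signature, chunk layout and CRC coverage are standard; the sample image and function names are my own.

```python
# Added example: IHDR height vs. CRC in a PNG, on a constructed sample image.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF    # CRC covers type + data, not the length
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def build_png(width: int, height: int) -> bytes:
    """Constructed sample: 8-bit grayscale, all black, filter byte 0 on every row."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_ihdr(png: bytes):
    """Return (width, height, crc_ok). IHDR is always the first chunk, at offset 8:
    length 8..11, type 12..15, data 16..28 (width 16..19, height 20..23), CRC 29..32."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG or IHDR is not the first chunk")
    width, height = struct.unpack(">II", png[16:24])
    stored = struct.unpack(">I", png[29:33])[0]
    actual = zlib.crc32(png[12:29]) & 0xFFFFFFFF
    return width, height, stored == actual


def shrink_height_keep_crc(png: bytes, height: int) -> bytes:
    """What a challenge author usually does: rewrite the height, leave the CRC stale."""
    buf = bytearray(png)
    struct.pack_into(">I", buf, 20, height)
    return bytes(buf)


def recover_height_from_crc(png: bytes, max_height: int = 10000):
    """Try every height until the IHDR CRC matches the stored one. Only works when
    the CRC was left stale; if the author recomputed it, this returns None."""
    stored = struct.unpack(">I", png[29:33])[0]
    head = bytearray(png[12:29])                 # type + 13 data bytes
    for h in range(1, max_height + 1):
        struct.pack_into(">I", head, 8, h)       # height sits at offset 8 inside type+data
        if zlib.crc32(bytes(head)) & 0xFFFFFFFF == stored:
            return h
    return None


def set_height(png: bytes, height: int) -> bytes:
    """Patch the height and recompute the CRC so viewers accept the file again."""
    buf = bytearray(png)
    struct.pack_into(">I", buf, 20, height)
    struct.pack_into(">I", buf, 29, zlib.crc32(bytes(buf[12:29])) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    cut = shrink_height_keep_crc(build_png(4, 800), 2)
    print("stored IHDR:", read_ihdr(cut), "-> real height", recover_height_from_crc(cut))
```

A CRC mismatch on IHDR is also the first thing to check when a tool refuses a PNG: it tells you whether only the dimensions were tampered with (CRC stale) or whether the author also fixed the CRC, in which case the true height has to be estimated from the decompressed IDAT length instead.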

NOSIE

Both the docx and the jpg hold fake flags. Carving with foremost yields a wav file in the output directory; drop it into Audition and the spectrogram shows:
flag{98ce526ad52c409763405847185d9c6c}

DdDdDd

Traffic analysis. I was completely lost at first; after re-reading the challenge I realised that "printing" probably refers to 3D printing, and I had reproduced a gcode challenge from the DASCTF 2020 June team contest. Searching the capture for gcode turned up a file wolt.gcode; save it as a .gcode file, upload it to https://gcode.ws/, click the 3D view and you get: flag{2fc07441-fd8f-4e1c-9f0f-72aa8c984a}

Hidden Data

Decompress and change the extension to get an encrypted file. The password obtained from the docx does not work, so brute force it with ARCHPR.exe, which gives 0546. That yields another encrypted archive; decrypt it with the password obtained earlier from the docx to get a new docx. Opening it, the hidden flag does not appear, so open the docx directly as an archive, find word/document.xml and search for flag: flag{4de41c0b106051b30cb3c654901b1b06}

Original post: https://www.cnblogs.com/b1ank/p/15449259.html