2024极客大挑战 RE部分

[2024极客大挑战]cpp_flower

思路

知识点

这题就是一个纯花指令,主要有两个部分的花指令特征:

  1. jnz/jz addr+1

​ 就像下面这种:

image-20250605211506030

patch方法可以直接将第一个jz改成jmp,再重新分析成代码:

  1. 第二种就是call一个函数,然后修改ret_addr:

image-20250605211717943

​ 就像这种,这里大致功能就是jmp到0x419db3

patch方法就是直接改成jmp到指定位置即可。

修复完成后逻辑如下:

image-20250605212307093

​ 大致意思就是先srand(0x7de9),然后每个随机数模255和input异或,最后和unk_422c30比较。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
void cpp_flower()
{
    char enc[] = { 0x3E, 0x98, 0xEB, 0x26, 0x25, 0x8E, 0x25, 0xE5, 0x86, 0xC8, 0x3F, 0x98, 0xC8, 0xDE, 0x52, 0x44,
0xA0, 0xCB, 0x2B, 0x2A, 0x3C, 0xAA, 0xBE, 0xCB, 0x88, 0x55, 0x9E, 0x6D, 0xD9, 0x94, 0x97, 0x1C,
0x52, 0x31, 0x59, 0xFE, 0x1A, 0x1A, 0xE8, 0xD0, 0x3A, 0x9C, 0x06, 0x5E, 0x25, 0x5A, 0xE4, 0x22,
0xA1, 0xC5 };

    srand(0x7DE9);
    for (int i = 0; i < 50; i++)
    {
        char tmp = rand() % 255;
        enc[i] ^= tmp;
        printf("%c", enc[i]);
    }
}

[2024极客大挑战]玩就行了

思路

​ 附件是一个Unity的游戏,先看看根目录有啥:

image-20250605212913254

启动游戏:

image-20250605212928550

有个金钱数,直接CE改一下数值比较方便,改完后出了提示:

image-20250605213059675

再看看根目录有啥:

image-20250605213138938

多了个data,看看什么东西,发现开头4d5a,写个脚本转二进制文件:

image-20250605213223661

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import re

# 输入和输出文件路径
input_file = "Data.txt"
output_file = "output.bin"

# 读取文本文件内容
with open(input_file, "r") as f:
    hex_text = f.read()

# 提取所有十六进制字节(忽略非十六进制字符)
hex_bytes = re.findall(r"[0-9a-fA-F]{2}", hex_text)

# 将十六进制字符串转换为字节数据
binary_data = bytes.fromhex(" ".join(hex_bytes))

# 写入二进制文件
with open(output_file, "wb") as f:
    f.write(binary_data)

print(f"成功生成二进制文件: {output_file}")

然后直接ida打开,简单分析了一下:

image-20250605213503585

就是先20位的凯撒,然后循环异或key,最后就是hex2str,那么就写个exp先将比较的那一串str转成hex后和key异或,然后再丢到工具当中解密凯撒:

EXP

1
2
3
4
5
6
7
8
9
enc = "0A161230300C2D0A2B303D2428233005242C2D26182206233E097F133A"
str2hex = bytes.fromhex(enc)

key = "GEEK"
dec2 = []
for i in range(len(str2hex)):
    dec2.append(str2hex[i] ^ ord(key[i%4]))

print(''.join(map(chr,dec2)))

image-20250605213720032

image-20250605213749063

[2024极客大挑战]ez_hook

思路

image-20250625234832153

main函数当中的逻辑还是比较简单的,看到sub_40167D, sub_4016E4sub_4017E0之后再进行比较,密文就是aZo那一串:

zoXpih^lhX6soX7lr~DTHtGpX|长度为26字节,接着从上到下分析这三个函数:

​ 这里直接动调,这里输入ABCDEFGHIJKLMNOPQRSTUVWXYZ 26个字符比较容易观察变化

image-20250626091600860

那么这里第一个sub_40167D就是字符串逆序。接着下一个,这里有反调试还需要绕过一下:

  可以看到这里`sub_4016E4(Str, v8, v6);`因为下面的比较也是v6比较,猜测str加密后放到了v6当中,所以v6对应的传参就是`rcx`-->`r8`,步过函数之后就是这样的:

image-20250626092508138

看到就是乱序的混淆,摘出来然后和之前的形成有个map,然后就不用逆向这个算法了

1
2
"ZYXWVUTSRQPONMLKJIHGFEDCBA"
"ZVRNJFBYWUSQOMKIGECAXTPLHD"

接着用ida分析这个函数:

image-20250626092831824

看到最后面return调用的函数传了两个函数指针下去,这个就是一个很经典的hook,将a1函数的首地址指令改成了jmp ...,那么实际上调用的其实是第二个函数

image-20250626092917423

这里看看用来替换的函数是什么:

image-20250626094127641

其实就是个异或,那么就能够直接出exp

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
enc3 = list("zoXpih^lhX6soX7lr~DTHtGpX|")
enc2 = []
for i in range(len(enc3)):
    enc2.append(ord(enc3[i])^7)
print(enc2)
# enc1 = enc1[::-1]
old_map = []
for i in range(ord('z'),ord('a')-1,-1):
    old_map.append(i)

new_map = list("zvrnjfbywusqomkigecaxtplhd")

enc1 = []
for i in range(26):
    for j in range(26):
        if old_map[i]==ord(new_map[j]):
            enc1.append(enc2[j])
            break

print(''.join(map(chr,enc1[::-1])))
# print(enc1)

flag:SYC{you_kn0w_wh@t_1s_hoOk}

[2024极客大挑战]ez_re

思路

​ 载入IDA后,main函数中有花指令,先去花

image-20250626101114941

可以看见就是一个AES加密,密钥是动态生成的密钥,还有反调试,那么直接xdbg将密钥调出来:

image-20250626101448161

这个就是生成的密钥,然后再将数据提出来就能够结合IDA的数据写exp了

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
key = bytes([0xAD, 0xDD, 0xDB, 0x08, 0x2D, 0xD9, 0x4D, 0xCA, 0xBA, 0xD5, 0xD7, 0x56, 0x39, 0xEA, 0xC9, 0xDA])
initial_iv = bytes([0xC1, 0x70, 0x1E, 0x94, 0xF4, 0x42, 0x31, 0x01, 0xB0, 0x3F, 0x0A, 0x55, 0xA1, 0xFF, 0x99, 0xD3])
v13 = bytes.fromhex("A24BA36FCE6EF7FEEC3768F76C5D7367")
target = bytes([0xDD, 0xE0, 0x4C, 0x75, 0x97, 0x33, 0x14, 0xB8, 0x17, 0xB6, 0x19, 0x11, 0x61, 0x8A, 0x60, 0x23, 0x46, 0x16, 0xE2, 0x1A, 0x65, 0xC3, 0x5B, 0x26, 0x68, 0xF5, 0xAD, 0x30, 0xB1, 0xEE, 0x4B, 0xC6, 0xAB, 0xB5, 0x9E, 0xBB, 0x73, 0x95, 0x4A, 0xC2, 0x78, 0xEF, 0xCB, 0xA9, 0xBE, 0x71, 0xE1, 0xA0])

# 计算最终的 IV
iv = bytes(a ^ b for a, b in zip(initial_iv, v13))
print(iv)
# AES-128-CBC 解密
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(target)

# 移除可能的填充(PKCS#7)
flag = unpad(decrypted, AES.block_size).decode('utf-8')

print("Flag:", decrypted)

flag:SYC{W0w_Y0U_fOUNdDD_TLS_AND_AeS}

[2024极客大挑战]好像是python?

010直接打开下载的附件,是python字节码

image-20250627211155893

直接ai转成python代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
flag = 'SYC{MD5(input)}'

def test2(s2):
    key = 'SYC'
    length = 18
    cipher = []
    for i in range(length):
        cipher.append(
            ord(s2[i]) ^ i + (~ord(key[i % 3]) + 1
        )
    return cipher

def test(s, R):
    result = []
    for i in s:
        if 'A' <= i <= 'Z':
            result.append(
                chr((ord(i) - ord('A') + R) % 26 + ord('A'))
        elif 'a' <= i <= 'z':
            result.append(
                chr((ord(i) - ord('a') + R) % 26 + ord('a'))
        elif '0' <= i <= '9':
            result.append(
                chr((ord(i) - ord('0') + R) % 10 + ord('0'))
        else:
            result.append(i)
    return ''.join(result)

a = 13
b = 14
c = (a + b) ^ a
d = b * 100
e = a ^ b
m = d - c * 4 + e - 1
r = m % 26

input0 = ''
print('Please input0:')

cipher1 = test(input0, r)
cipher2 = test2(cipher1)

num = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26, 48]

for i in range(18):
    if cipher2[i] != num[i]:
        print('wrong!')
    else:
        print('Rrrright!')

就是个异或加凯撒,直接写解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import hashlib
def decrypt1(enc2):
    key = 'SYC'
    length = 18
    cipher = []
    for i in range(length):
        tmp = enc2[i] - (~ord(key[i % 3]) + 1)
        tmp ^= i
        cipher.append(tmp)
    return cipher

def decrypt2(s, R):
    result = []
    for i in s:
        if ord('A') <= i <= ord('Z'):
            result.append(chr((i - ord('A') - R) % 26 + ord('A')))
        elif ord('a') <= i <= ord('z'):
            result.append(chr((i - ord('a') - R) % 26 + ord('a')))
        elif ord('0') <= i <= ord('9'):
            result.append(chr((i - ord('0') - R) % 10 + ord('0')))
        else:
            result.append(chr(i))
    return ''.join(result)

a = 13
b = 14
c = a ^ (a + b)
d = b * 100
e = a ^ b
m = d - c * 4 + e - 1
r = m % 26

num = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26, 48]
cipher1 = decrypt1(num)
cipher2 = decrypt2(cipher1,r)
md5 = hashlib.md5()
md5.update(cipher2.encode('utf-8'))
flag = md5.hexdigest()
print(f"SYC{{{flag}}}")

SYC{ed798fdd74e5c382b9c7fcca88500aca}

[2024极客大挑战]也许你也听jay

打开附件后就是简单对变量名做了混淆,美化一下,然后就能够写出解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
xorkey1 = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D]
xorkey2 = [0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01]
target = [0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4]
key3 = [0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F]

for i in range(len(target)):
    tmp = target[i]
    tmp = (tmp - xorkey2[i]) & 0xff
    tmp = (tmp + xorkey1[i+47]) & 0xff
    tmp = (tmp ^ xorkey1[i]) & 0xff
    target[i] = tmp
print(''.join(map(chr,target)))

解出来是一个网址https://am1re-sudo.github.io/Coisni.github.io/

在里面获取到了两个东西:Q7u+cyiOQtKHRMqZNzPpApgmTL4j+TE=,key:lovebeforeBC还有RC4,那么直接厨子一把梭:

image-20250627212349649

SYC{ILIKELISTENJAYSONG}

[2024极客大挑战]baby_vm

思路

​ 载入ida后分析一下vm的逻辑,看到有一个比较抽象的运算:

image-20250627212705625

就是这一块,可以简化成~(a0 & a3) & ~(~a3 & ~a0),然后辗转了解了一下,可以用德摩根律直接化简,最后就等价于a0^a3,然后将代码逻辑抄出来,然后硬看吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
opcode = open("baby_vm.exe","rb").read()[0x5840:0x5840+0xf0]
eip = 0

while(1):
    if(eip*4 >= len(opcode)):
        break
    Ins = opcode[eip*4]
    if Ins == ord('3'):
        print("a0 += a3")
        eip += 1
        
    elif Ins == ord('4'):
        print("a0 -= a3")
        eip += 1
        
    elif Ins == ord('5'):
        print("a0 *= a3")
        eip += 1
        
    elif Ins == ord('6'):
        print("a0 /= a3")
        eip += 1
        
    elif Ins == ord('7'):
        print("a0 = ~(a0 & a3) & ~(~a3 & ~a0)")
        eip += 1
        
    elif Ins == ord('8'):
        print(f"tmp[Int4] = a0 Int4++")
        eip += 1
        
    elif Ins == ord('9'):
        print(f"a0 = tmp[--Int4]")
        eip += 1
        
    elif Ins == ord(':'):
        print("a0 = input[a1]")
        eip += 1
        
    elif Ins == ord(';'):
        print("a0 = a3")
        eip += 1
        
    elif Ins == ord('<'):
        print("a1 = a0")
        eip += 1
        
    elif Ins == ord('='):
        print("a2 = a0")
        eip += 1
        
    elif Ins == ord('>'):
        print("a3 = a0")
        eip += 1
        
    elif Ins == ord('?'):
        print(f"a0 = {opcode[4 * (eip+1)]}")
        eip += 2
        
    elif Ins == ord('@'):
        print("a0 = a1")
        eip += 1
        
    elif Ins == ord('A'):
        print("a0 = enc[a1]")
        eip += 1
        
    elif Ins == ord('B'):
        print("a0 += 1")
        eip += 1
        
    elif Ins == ord('C'):
        print(f"if (--a2)\n v4 = eip - {opcode[(eip+1)*4]}")
        print("else\n v4 = eip + 2")
        print("eip = v4")
        eip += 2
        
    elif Ins == ord('D'):
        print("if(a0 != a3)\n a4 = 1\na1--")
        eip += 1
        
    elif Ins == ord('E'):
        print(f"a0 = {opcode[(eip + 1)*4]}")
        eip += 1
        
    elif Ins == ord('F'):
        print("input(flag)")
        eip += 1
        
    else:
        print(f"unknowed code{opcode[eip*4]}")
        eip += 1

生成出来的逻辑分析了一下,因为没有其他参数的限制,所以只执行了一轮,然后一轮当中有01下标分别对应两种加密方法,又因为是逐字节加密,可以直接使用爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
flag = []

enc = [  0x0E, 0x40, 0x7E, 0x1E, 0x13, 0x34, 0x1A, 0x17, 0x6E, 0x1B, 
  0x1C, 0x17, 0x2E, 0x0C, 0x1A, 0x30, 0x69, 0x32, 0x26, 0x16, 
  0x1A, 0x15, 0x25, 0x0E, 0x1C, 0x42, 0x30, 0x32, 0x0B, 0x42, 
  0x79, 0x17, 0x6E, 0x42, 0x29, 0x17, 0x6E, 0x5A, 0x2D, 0x20, 
  0x1A, 0x16, 0x26, 0x10, 0x05, 0x15, 0x6E, 0x0D, 0x58, 0x24]

for i in range(len(enc)):
    for j in range(30,128,1):
        tmp = 0
        if i % 2 == 0:
            tmp = (j-6) ^ 67
        else:
            tmp = (j ^ 99) + 6
        if tmp == enc[i]:
            flag.append(j)
            break
print(''.join(map(chr,flag)))

SYC{VM_r3verse_I0Oks_llke_yON_@r3_pr37ty_skiLl3d!}

拓展

之前看过有位师傅的wp,vm还能够用z3直接跑出来,此处转载文章:https://blog.hxzzz.asia/archives/103/

[2024极客大挑战]贝斯!贝斯!

IDA载入发现有不少加密函数,但是真正做加密的只有两个函数,只使用了base58和base85的加密

image-20250628101324663

image-20250628101347976

但是base58和base85都进行了换表的处理,base58是通过时间戳:整天数来进行随机排序base58的表,而base85的表是通过RC4的密钥流来进行乱序,这个可以直接动调拿出来

密文:RjB6Myu#,>Bgoq&u.H(nBgdIaOKJbgEYj1GR4S.w

先将base85的表抓出来解密:eM+wr=x8aYZ/[zU$yRB&kbO;%p0P5f*7d(n]1Eug4ojc62AC,v39!h-^qQ.G?s)i:DFlS<>#@HINJTmtKLVWX

然后就是base58了,这里由于使用了时间戳的方式进行对码表的打乱顺序,所以需要进行爆破,生成所有的码表:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main()
{
    FILE* fp = fopen("base58_table.txt","w+");
    char Str[60] = {0};
    strcpy(Str, "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz");

    int len = strlen(Str);
     //2024-11-10 00:00:00 = 1731168000
    for(int k=1735660800;k>=1704038400;k-=86400)
    {
        char tmp[60]={0};
        char table[60] = {0};
        int j = 0;
        srand(k);
        for(int i = 0;i< 58;i++)
        {
            do 
                j = rand() % len;
            while(tmp[j]);
            table[i] = Str[j];
            tmp[j] = 1;
        }
        table[58] = 0;
        fprintf(fp,"%s\n",table);
    }
    fclose(fp);
    return 0;
}

然后就能够用生成的编码表集进行解密了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
b58_table = "eM+wr=x8aYZ/[zU$yRB&kbO;%p0P5f*7d(n]1Eug4ojc62AC,v39!h-^qQ.G?s)i:DFlS<>#@HINJTmtKLVWX"

def Myb85decode(enc):
    plain = b""
    for i in range(0,len(enc),5):
        value = 0
        for j in range(0,5):
            value = value*85 + b58_table.index(enc[i+j])
        decoded = value.to_bytes(4,byteorder="big")
        plain += decoded
        
    return plain

cipher = "RjB6Myu#,>Bgoq&u.H(nBgdIaOKJbgEYj1GR4S.w"  
plain = Myb85decode(cipher)
print(plain)

with open("base58_table.txt", "r", encoding="utf-8") as file:
    lines = file.readlines() 

import base58

for line in lines:
    flag = (base58.b58decode(plain,alphabet=line.strip().encode()))
    
    if flag.startswith(b"SYC{") and flag.endswith(b"}"):
        print(flag.decode('utf-8'))
        break

SYC{th1s_ls_an_ez_base}