2024极客大挑战

RE

cpp_flower

思路

知识点

这题就是一个纯花指令,主要有两个部分的花指令特征:

  1. jnz/jz addr+1

​ 就像下面这种:

image-20250605211506030

patch方法可以直接将第一个jz改成jmp,再重新分析成代码:

  1. 第二种就是call一个函数,然后修改ret_addr:

image-20250605211717943

​ 就像这种,这里大致功能就是jmp到0x419db3

patch方法就是直接改成jmp到指定位置即可。

修复完成后逻辑如下:

image-20250605212307093

​ 大致意思就是先srand(0x7de9),然后每个随机数模255和input异或,最后和unk_422c30比较。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
void cpp_flower()
{
    char enc[] = { 0x3E, 0x98, 0xEB, 0x26, 0x25, 0x8E, 0x25, 0xE5, 0x86, 0xC8, 0x3F, 0x98, 0xC8, 0xDE, 0x52, 0x44,
0xA0, 0xCB, 0x2B, 0x2A, 0x3C, 0xAA, 0xBE, 0xCB, 0x88, 0x55, 0x9E, 0x6D, 0xD9, 0x94, 0x97, 0x1C,
0x52, 0x31, 0x59, 0xFE, 0x1A, 0x1A, 0xE8, 0xD0, 0x3A, 0x9C, 0x06, 0x5E, 0x25, 0x5A, 0xE4, 0x22,
0xA1, 0xC5 };

    srand(0x7DE9);
    for (int i = 0; i < 50; i++)
    {
        char tmp = rand() % 255;
        enc[i] ^= tmp;
        printf("%c", enc[i]);
    }
}

玩就行了

思路

​ 附件是一个Unity的游戏,先看看根目录有啥:

image-20250605212913254

启动游戏:

image-20250605212928550

有个金钱数,直接CE改一下数值比较方便,改完后出了提示:

image-20250605213059675

再看看根目录有啥:

image-20250605213138938

多了个data,看看什么东西,发现开头4d5a,写个脚本转二进制文件:

image-20250605213223661

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import re

# 输入和输出文件路径
input_file = "Data.txt"
output_file = "output.bin"

# 读取文本文件内容
with open(input_file, "r") as f:
    hex_text = f.read()

# 提取所有十六进制字节(忽略非十六进制字符)
hex_bytes = re.findall(r"[0-9a-fA-F]{2}", hex_text)

# 将十六进制字符串转换为字节数据
binary_data = bytes.fromhex(" ".join(hex_bytes))

# 写入二进制文件
with open(output_file, "wb") as f:
    f.write(binary_data)

print(f"成功生成二进制文件: {output_file}")

然后直接ida打开,简单分析了一下:

image-20250605213503585

就是先20位的凯撒,然后循环异或key,最后就是hex2str,那么就写个exp先将比较的那一串str转成hex后和key异或,然后再丢到工具当中解密凯撒:

EXP

1
2
3
4
5
6
7
8
9
enc = "0A161230300C2D0A2B303D2428233005242C2D26182206233E097F133A"
str2hex = bytes.fromhex(enc)

key = "GEEK"
dec2 = []
for i in range(len(str2hex)):
    dec2.append(str2hex[i] ^ ord(key[i%4]))

print(''.join(map(chr,dec2)))

image-20250605213720032

image-20250605213749063

ez_hook

思路

image-20250625234832153

main函数当中的逻辑还是比较简单的,看到sub_40167D, sub_4016E4sub_4017E0之后再进行比较,密文就是aZo那一串:

zoXpih^lhX6soX7lr~DTHtGpX|长度为26字节,接着从上到下分析这三个函数:

​ 这里直接动调,这里输入ABCDEFGHIJKLMNOPQRSTUVWXYZ 26个字符比较容易观察变化

image-20250626091600860

那么这里第一个sub_40167D就是字符串逆序。接着下一个,这里有反调试还需要绕过一下:

  可以看到这里`sub_4016E4(Str, v8, v6);`因为下面的比较也是v6比较,猜测str加密后放到了v6当中,所以v6对应的传参就是`rcx`-->`r8`,步过函数之后就是这样的:

image-20250626092508138

看到就是乱序的混淆,摘出来然后和之前的形成有个map,然后就不用逆向这个算法了

1
2
"ZYXWVUTSRQPONMLKJIHGFEDCBA"
"ZVRNJFBYWUSQOMKIGECAXTPLHD"

接着用ida分析这个函数:

image-20250626092831824

看到最后面return调用的函数传了两个函数指针下去,这个就是一个很经典的hook,将a1函数的首地址指令改成了jmp ...,那么实际上调用的其实是第二个函数

image-20250626092917423

这里看看用来替换的函数是什么:

image-20250626094127641

其实就是个异或,那么就能够直接出exp

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
enc3 = list("zoXpih^lhX6soX7lr~DTHtGpX|")
enc2 = []
for i in range(len(enc3)):
    enc2.append(ord(enc3[i])^7)
print(enc2)
# enc1 = enc1[::-1]
old_map = []
for i in range(ord('z'),ord('a')-1,-1):
    old_map.append(i)

new_map = list("zvrnjfbywusqomkigecaxtplhd")

enc1 = []
for i in range(26):
    for j in range(26):
        if old_map[i]==ord(new_map[j]):
            enc1.append(enc2[j])
            break

print(''.join(map(chr,enc1[::-1])))
# print(enc1)

flag:SYC{you_kn0w_wh@t_1s_hoOk}

ez_re

思路

​ 载入IDA后,main函数中有花指令,先去花

image-20250626101114941

可以看见就是一个AES加密,密钥是动态生成的密钥,还有反调试,那么直接xdbg将密钥调出来:

image-20250626101448161

这个就是生成的密钥,然后再将数据提出来就能够结合IDA的数据写exp了

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
key = bytes([0xAD, 0xDD, 0xDB, 0x08, 0x2D, 0xD9, 0x4D, 0xCA, 0xBA, 0xD5, 0xD7, 0x56, 0x39, 0xEA, 0xC9, 0xDA])
initial_iv = bytes([0xC1, 0x70, 0x1E, 0x94, 0xF4, 0x42, 0x31, 0x01, 0xB0, 0x3F, 0x0A, 0x55, 0xA1, 0xFF, 0x99, 0xD3])
v13 = bytes.fromhex("A24BA36FCE6EF7FEEC3768F76C5D7367")
target = bytes([0xDD, 0xE0, 0x4C, 0x75, 0x97, 0x33, 0x14, 0xB8, 0x17, 0xB6, 0x19, 0x11, 0x61, 0x8A, 0x60, 0x23, 0x46, 0x16, 0xE2, 0x1A, 0x65, 0xC3, 0x5B, 0x26, 0x68, 0xF5, 0xAD, 0x30, 0xB1, 0xEE, 0x4B, 0xC6, 0xAB, 0xB5, 0x9E, 0xBB, 0x73, 0x95, 0x4A, 0xC2, 0x78, 0xEF, 0xCB, 0xA9, 0xBE, 0x71, 0xE1, 0xA0])

# 计算最终的 IV
iv = bytes(a ^ b for a, b in zip(initial_iv, v13))
print(iv)
# AES-128-CBC 解密
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(target)

# 移除可能的填充(PKCS#7)
flag = unpad(decrypted, AES.block_size).decode('utf-8')

print("Flag:", decrypted)

flag:SYC{W0w_Y0U_fOUNdDD_TLS_AND_AeS}

好像是python?

010直接打开下载的附件,是python字节码

image-20250627211155893

直接ai转成python代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
flag = 'SYC{MD5(input)}'

def test2(s2):
    key = 'SYC'
    length = 18
    cipher = []
    for i in range(length):
        cipher.append(
            ord(s2[i]) ^ i + (~ord(key[i % 3]) + 1
        )
    return cipher

def test(s, R):
    result = []
    for i in s:
        if 'A' <= i <= 'Z':
            result.append(
                chr((ord(i) - ord('A') + R) % 26 + ord('A'))
        elif 'a' <= i <= 'z':
            result.append(
                chr((ord(i) - ord('a') + R) % 26 + ord('a'))
        elif '0' <= i <= '9':
            result.append(
                chr((ord(i) - ord('0') + R) % 10 + ord('0'))
        else:
            result.append(i)
    return ''.join(result)

a = 13
b = 14
c = (a + b) ^ a
d = b * 100
e = a ^ b
m = d - c * 4 + e - 1
r = m % 26

input0 = ''
print('Please input0:')

cipher1 = test(input0, r)
cipher2 = test2(cipher1)

num = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26, 48]

for i in range(18):
    if cipher2[i] != num[i]:
        print('wrong!')
    else:
        print('Rrrright!')

就是个异或加凯撒,直接写解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import hashlib
def decrypt1(enc2):
    key = 'SYC'
    length = 18
    cipher = []
    for i in range(length):
        tmp = enc2[i] - (~ord(key[i % 3]) + 1)
        tmp ^= i
        cipher.append(tmp)
    return cipher

def decrypt2(s, R):
    result = []
    for i in s:
        if ord('A') <= i <= ord('Z'):
            result.append(chr((i - ord('A') - R) % 26 + ord('A')))
        elif ord('a') <= i <= ord('z'):
            result.append(chr((i - ord('a') - R) % 26 + ord('a')))
        elif ord('0') <= i <= ord('9'):
            result.append(chr((i - ord('0') - R) % 10 + ord('0')))
        else:
            result.append(chr(i))
    return ''.join(result)

a = 13
b = 14
c = a ^ (a + b)
d = b * 100
e = a ^ b
m = d - c * 4 + e - 1
r = m % 26

num = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26, 48]
cipher1 = decrypt1(num)
cipher2 = decrypt2(cipher1,r)
md5 = hashlib.md5()
md5.update(cipher2.encode('utf-8'))
flag = md5.hexdigest()
print(f"SYC{{{flag}}}")

SYC{ed798fdd74e5c382b9c7fcca88500aca}

也许你也听jay

打开附件后就是简单对变量名做了混淆,美化一下,然后就能够写出解密脚本:

1
2
3
4
5
6
7
8
9
10
11
12
xorkey1 = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D]
xorkey2 = [0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01]
target = [0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4]
key3 = [0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F]

for i in range(len(target)):
    tmp = target[i]
    tmp = (tmp - xorkey2[i]) & 0xff
    tmp = (tmp + xorkey1[i+47]) & 0xff
    tmp = (tmp ^ xorkey1[i]) & 0xff
    target[i] = tmp
print(''.join(map(chr,target)))

解出来是一个网址https://am1re-sudo.github.io/Coisni.github.io/

在里面获取到了两个东西:Q7u+cyiOQtKHRMqZNzPpApgmTL4j+TE=,key:lovebeforeBC还有RC4,那么直接厨子一把梭:

image-20250627212349649

SYC{ILIKELISTENJAYSONG}

baby_vm

思路

​ 载入ida后分析一下vm的逻辑,看到有一个比较抽象的运算:

image-20250627212705625

就是这一块,可以简化成~(a0 & a3) & ~(~a3 & ~a0),然后辗转了解了一下,可以用德摩根律直接化简,最后就等价于a0^a3,然后将代码逻辑抄出来,然后硬看吧:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
opcode = open("baby_vm.exe","rb").read()[0x5840:0x5840+0xf0]
eip = 0

while(1):
    if(eip*4 >= len(opcode)):
        break
    Ins = opcode[eip*4]
    if Ins == ord('3'):
        print("a0 += a3")
        eip += 1
        
    elif Ins == ord('4'):
        print("a0 -= a3")
        eip += 1
        
    elif Ins == ord('5'):
        print("a0 *= a3")
        eip += 1
        
    elif Ins == ord('6'):
        print("a0 /= a3")
        eip += 1
        
    elif Ins == ord('7'):
        print("a0 = ~(a0 & a3) & ~(~a3 & ~a0)")
        eip += 1
        
    elif Ins == ord('8'):
        print(f"tmp[Int4] = a0 Int4++")
        eip += 1
        
    elif Ins == ord('9'):
        print(f"a0 = tmp[--Int4]")
        eip += 1
        
    elif Ins == ord(':'):
        print("a0 = input[a1]")
        eip += 1
        
    elif Ins == ord(';'):
        print("a0 = a3")
        eip += 1
        
    elif Ins == ord('<'):
        print("a1 = a0")
        eip += 1
        
    elif Ins == ord('='):
        print("a2 = a0")
        eip += 1
        
    elif Ins == ord('>'):
        print("a3 = a0")
        eip += 1
        
    elif Ins == ord('?'):
        print(f"a0 = {opcode[4 * (eip+1)]}")
        eip += 2
        
    elif Ins == ord('@'):
        print("a0 = a1")
        eip += 1
        
    elif Ins == ord('A'):
        print("a0 = enc[a1]")
        eip += 1
        
    elif Ins == ord('B'):
        print("a0 += 1")
        eip += 1
        
    elif Ins == ord('C'):
        print(f"if (--a2)\n v4 = eip - {opcode[(eip+1)*4]}")
        print("else\n v4 = eip + 2")
        print("eip = v4")
        eip += 2
        
    elif Ins == ord('D'):
        print("if(a0 != a3)\n a4 = 1\na1--")
        eip += 1
        
    elif Ins == ord('E'):
        print(f"a0 = {opcode[(eip + 1)*4]}")
        eip += 1
        
    elif Ins == ord('F'):
        print("input(flag)")
        eip += 1
        
    else:
        print(f"unknowed code{opcode[eip*4]}")
        eip += 1

生成出来的逻辑分析了一下,因为没有其他参数的限制,所以只执行了一轮,然后一轮当中有01下标分别对应两种加密方法,又因为是逐字节加密,可以直接使用爆破:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
flag = []

enc = [  0x0E, 0x40, 0x7E, 0x1E, 0x13, 0x34, 0x1A, 0x17, 0x6E, 0x1B, 
  0x1C, 0x17, 0x2E, 0x0C, 0x1A, 0x30, 0x69, 0x32, 0x26, 0x16, 
  0x1A, 0x15, 0x25, 0x0E, 0x1C, 0x42, 0x30, 0x32, 0x0B, 0x42, 
  0x79, 0x17, 0x6E, 0x42, 0x29, 0x17, 0x6E, 0x5A, 0x2D, 0x20, 
  0x1A, 0x16, 0x26, 0x10, 0x05, 0x15, 0x6E, 0x0D, 0x58, 0x24]

for i in range(len(enc)):
    for j in range(30,128,1):
        tmp = 0
        if i % 2 == 0:
            tmp = (j-6) ^ 67
        else:
            tmp = (j ^ 99) + 6
        if tmp == enc[i]:
            flag.append(j)
            break
print(''.join(map(chr,flag)))

SYC{VM_r3verse_I0Oks_llke_yON_@r3_pr37ty_skiLl3d!}

拓展

之前看过有位师傅的wp,vm还能够用z3直接跑出来,此处转载文章:https://blog.hxzzz.asia/archives/103/

贝斯!贝斯!

IDA载入发现有不少加密函数,但是真正做加密的只有两个函数,只使用了base58和base85的加密

image-20250628101324663

image-20250628101347976

但是base58和base85都进行了换表的处理,base58是通过时间戳:整天数来进行随机排序base58的表,而base85的表是通过RC4的密钥流来进行乱序,这个可以直接动调拿出来

密文:RjB6Myu#,>Bgoq&u.H(nBgdIaOKJbgEYj1GR4S.w

先将base85的表抓出来解密:eM+wr=x8aYZ/[zU$yRB&kbO;%p0P5f*7d(n]1Eug4ojc62AC,v39!h-^qQ.G?s)i:DFlS<>#@HINJTmtKLVWX

然后就是base58了,这里由于使用了时间戳的方式进行对码表的打乱顺序,所以需要进行爆破,生成所有的码表:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main()
{
    FILE* fp = fopen("base58_table.txt","w+");
    char Str[60] = {0};
    strcpy(Str, "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz");

    int len = strlen(Str);
     //2024-11-10 00:00:00 = 1731168000
    for(int k=1735660800;k>=1704038400;k-=86400)
    {
        char tmp[60]={0};
        char table[60] = {0};
        int j = 0;
        srand(k);
        for(int i = 0;i< 58;i++)
        {
            do 
                j = rand() % len;
            while(tmp[j]);
            table[i] = Str[j];
            tmp[j] = 1;
        }
        table[58] = 0;
        fprintf(fp,"%s\n",table);
    }
    fclose(fp);
    return 0;
}

然后就能够用生成的编码表集进行解密了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
b58_table = "eM+wr=x8aYZ/[zU$yRB&kbO;%p0P5f*7d(n]1Eug4ojc62AC,v39!h-^qQ.G?s)i:DFlS<>#@HINJTmtKLVWX"

def Myb85decode(enc):
    plain = b""
    for i in range(0,len(enc),5):
        value = 0
        for j in range(0,5):
            value = value*85 + b58_table.index(enc[i+j])
        decoded = value.to_bytes(4,byteorder="big")
        plain += decoded
        
    return plain

cipher = "RjB6Myu#,>Bgoq&u.H(nBgdIaOKJbgEYj1GR4S.w"  
plain = Myb85decode(cipher)
print(plain)

with open("base58_table.txt", "r", encoding="utf-8") as file:
    lines = file.readlines() 

import base58

for line in lines:
    flag = (base58.b58decode(plain,alphabet=line.strip().encode()))
    
    if flag.startswith(b"SYC{") and flag.endswith(b"}"):
        print(flag.decode('utf-8'))
        break

SYC{th1s_ls_an_ez_base}

blasting_master

ida打开就能看到main函数很明显的逻辑了:

image-20250629120104686

大致就是循环做加密,然后比较字符串。看看加密的逻辑

image-20250629120144008

将input的四个字符拼接成字符串,然后做md5加密,加密后对md5的每个字节的值单独做一次加密,这里需要注意的是:

这里的字符拼接是4个4个拼接,拼接完一次后指针只后移一位,所以相当于每四次md5加密有3次是没用的,其次就是对md5加密结果的加密,这里*7的解密需要用到有限域下的逆元,然后就能够写出解密脚本了,最后的还需要将第40个md5爆破一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
from Crypto.Util.number import *
import hashlib
import string
import time
enc = [178,80,160,188,58,127,84,109,150,7,15,113,154,114,235,165,160,181,113,164,106,184,186,250,228,49,195,113,84,41,167,89,32,43,19,33,189,103,95,141,101,58,2,39,8,79,146,156,181,124,223,105,52,184,130,45,246,202,122,101,152,99,220,81,42,52,151,79,248,188,35,31,56,168,166,47,169,13,100,76,172,47,249,245,45,177,145,168,213,118,217,45,198,172,46,105,50,213,100,29,193,60,236,245,44,144,237,244,23,139,85,76,228,108,59,179,218,41,192,123,57,223,146,115,252,201,194,168,104,17,34,43,100,63,18,155,149,115,42,5,211,63,46,51,241,133,237,7,123,134,143,98,45,121,3,172,128,206,245,178,160,12,247,225,197,14,99,39,209,101,35,234,90,28,2,11,50,186,31,229,199,34,165,102,119,234,91,228,100,171,139,96,182,223,0,220,247,109,147,236,47,47,104,7,80,224,209,26,63,198,78,46,198,187,174,8,64,216,91,17,181,220,21,53,127,99,73,62,91,156,13,252,13,182,128,183,43,0,239,60,12,47,235,134,68,87,116,158,95,31,139,161,201,1,241,216,244,146,130,149,111,133,210,21,34,31,240,159,209,171,81,57,154,182,196,218,251,56,141,230,140,87,25,94,148,218,87,204,240,185,10,74,23,130,252,197,79,75,90,165,244,229,62,250,58,10,244,180,142,127,37,132,117,144,205,53,135,235,195,206,129,43,134,201,22,126,133,104,45,241,219,142,116,21,207,149,81,7,136,94,27,233,55,201,91,186,97,235,159,123,228,137,16,240,110,205,117,113,173,9,116,88,73,163,245,51,131,117,34,149,27,227,60,72,5,92,173,168,107,253,65,235,175,198,2,40,198,94,207,54,174,80,206,147,242,112,136,157,63,74,159,134,231,103,100,176,2,150,12,171,159,235,75,3,68,146,222,108,244,206,50,79,79,56,226,82,89,202,149,74,17,216,48,162,123,213,58,230,17,218,58,74,51,97,57,101,38,210,120,188,237,189,165,139,43,135,76,149,71,37,2,186,131,61,220,228,106,173,103,221,34,177,189,43,124,83,17,60,217,35,6,61,32,186,40,200,45,137,81,87,99,130,160,200,168,222,41,97,193,83,81,176,188,55,4,238,201,53,138,168,162,102,186,111,36,182,63,98,65,109,16,70,203,6,18,57,217,14,249,220,25,167,101,184,192,64,190,246,153,154,175,2,22,55,77,165,117,76,66,75,26,240,82,218,56,243,107,169,26,220,250,128,176,96,177,253,115,123,120,217,98,131,38,191,22,51,113,121,111,17,47,233,167,187,70,70,214,143,246,33,126,252,104,18,134,107,252,81,201,112,122,116,188,143,110,11,134,66,111,92,253,247,78,39,113,254,55,230,200,98,71,252,213,108,186,92,217,41,90,115,174,195,143,240,70,149,50,66,45,208]

start_time = time.time()
cipher_md5 = []

four_charTable = []
for i in string.printable:
        for j in string.printable:
            for k in string.printable:
                for c in string.printable:
                    tmp = ""
                    tmp = i+j+k+c
                    four_charTable.append(tmp)
                
for i in range(0,len(enc),16):
    tmp = []
    for j in range(16):
        tmp.append((((enc[j+i] - 82 * (j%15)) * inverse(7, 256)) ^ (j + 42)) & 0xff)
    cipher_md5.append(bytes(tmp).hex())

print(f"字典生成所用时间:{time.time()-start_time:.2f}秒")

for i in range(0,len(cipher_md5),4):
       for str in four_charTable:
            if hashlib.md5(str.encode()).hexdigest() == cipher_md5[i]:
                print(str,end="")
                break

print()

for str in four_charTable:
    if hashlib.md5(str.encode()).hexdigest() == cipher_md5[39]:
        print(str)
end_time = time.time()
print(f"耗时: {end_time-start_time:.2f} 秒")

flag:SYC{W0w!y0u_@re_th3_BeSt_blasting_Exp3rt!!}

你干嘛~~

32位程序,ida打开之后发现main函数不全,估计是有花指令,往下拉看看情况

image-20250629181846544

​ 一开始直接将这个改成了,jmp 0x401cc7,能够正常反编译,但是发现好像很不对劲

image-20250629182122352

主要是下面还有一部分不能够正常反编译,而且这里会直接调用CxxThrowException然后调试的时候整个程序会崩掉,而且因为这个seh,导致下面的部分无法正常反编译,猜测是在SEH当中做了反调试。那么直接将这一段给nop掉,然后main函数就能够正常反编译了:

image-20250629182610387

整体逻辑看了一下,如果输入正确会直接把另一个文件用我们的输入当成key进行异或的解密。但是中间一部分感觉比较恶心,做了不少的指针转换,核心部分就是:

image-20250629182850805

​ 经过调试发现,上面不少函数其实只是干扰,主要就是sm4这个加密,和下面这个比较函数(虽然不知道这个是怎么实现的),而target的值就是上面v18整个数组。

​ 而这里的sm4,传入的v31&v31[1]其实是sm4的keyIV,在函数内部发现a3也就是v31->0O00...就是加密的key,那么直接用厨子解一下:

image-20250629183152606

image-20250629183246207

正确输入:qwertyuiopasdfgh

image-20250629183404097

然后就会发现多了一张gif图,里面就有flag:

image-20250629183514024

SYC[111_YOU_WIN_THE_FLAG]

giraffe_eat_rainbow

​ 这题是一个简单的ollvm的控制流平坦化,可以直接使用angr跑出来:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import angr

# 加载文件,预设状态,执行状态
p = angr.Project("./giraffe_eat_rainbow",auto_load_libs=False)
init_state = p.factory.entry_state()
simgr = p.factory.simgr(init_state)

# puts(Good)的地址
target = 0x4021F6

# 搜索能够执行目标指令的状态
simgr.explore(find=target)

if simgr.found:
    solution_state = simgr.found[0]
    # 打印出符号条件的状态输入
    print(solution_state.posix.dumps(0))

flag:SYC{yOU_girAFe_L0Ve_EaT_W0bN1aR