devbox
小舞很执着
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

DASCTF X GFCTF 2022十月挑战赛-re_ctfdas

作者:小舞很执着 | 2024-08-15 15:39:02

ctfdas

DASCTF X GFCTF 2022十月挑战赛!

贪玩CTF

TLS回调函数中有反调试

动调发现AES特征,账号就是key,用ECB直接解

image-20221023183846213

先拿name

enc=[0x04, 0x1F, 0x1F, 0x1E, 0x43, 0x4B, 0x43, 0x45, 0x44, 0x00, 0x16, 0x10, 0x55, 0x17, 0x12, 0x73]
for i in range(15):
    enc[i]^=enc[15]
print(bytes(enc))
#b'wllm08067sec&das'

  • 1
  • 2
  • 3
  • 4
  • 5

image-20221023184055895

image-20221023184109455

key是name_input

enc=[0x3C, 0x97, 0x72, 0x96, 0x5A, 0x33, 0x63, 0x9C, 0x97, 0x30, 0x4D, 0x90, 0x84, 0xE8, 0x5F, 0x56]
c=bytes(enc)
from Crypto.Cipher import AES
key=b'wllm08067sec&das'
my_aes = AES.new(key, AES.MODE_ECB)
m=my_aes.decrypt(c)
print(m)#b'e4deb7a6510a10f7'

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

DASCTF{wllm08067sec&dase4deb7a6510a10f7}

pycode

看了半天python字节码,恢复一部分后发现,在网上有类似题

搜extract_number,找到题目[(116条消息) SUCTF2019]MT(MT19937:逆向 extract_number)_宁嘉的博客-CSDN博客_mt19937算法

直接拿脚本改下

#python3
from Crypto.Random import random
from Crypto.Util import number

def convert(x):
    x=x^(x>>11)
    x=((x<<7)&2022072721)^x
    x=((x<<15)&2323163360)^x
    x=(x>>18)^x
    return x


def transform(message):
    assert len(message) % 4 == 0
    new_message = b''
    for i in range(len(message) //4):
        block = message[i * 4 : i * 4 +4]
        block = number.bytes_to_long(block)
        block = convert(block)
        block = number.long_to_bytes(block, 4)
        new_message += block
    return new_message
def circle(m):
    t=m
    while True:
        x=t
        t=transform(t)
        if t==m:
            return x
a='8b2e4e858126bc8478d6a6a485215f03'
flag = circle(bytes.fromhex(a)).hex()
print('transformed_flag:', flag)


  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33

cuteRE

代码中加了混淆,但作用不大

image-20221023184707212

RC4和base64,关键部分在异常中,但动调可以弄

image-20221023171208251

image-20221023184902720

image-20221023184922906

image-20221023185010652

奇数位,偶数位分开加密

一个base64,一个rc4

base64的表

'ghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef'

  • 1

image-20221023190112763

rc4的key

szv~

  • 1
enc=[0x72, 0xA7, 0xE5, 0xB1, 0xBF, 0xD1, 0x3A, 0xC9, 0x7E, 0x5D, 0x83, 0xA8, 0x21, 0x4F, 0x70, 0x90]
a=[0]*256
key="szv~"
for i in range(256):
    a[i]=i
v6 = 0
for j in range(256):
    v6=(ord(key[j%len(key)])+v6+a[j])%256
    v3 = a[j]
    a[j] = a[v6]
    a[v6] = v3
v7 = 0
v8 = 0
for k in range(len(enc)):
    v8 = (v8 + 1) % 256
    v7 = (v7 + a[v8]) % 256
    temp = a[v8]
    a[v8] = a[v7]
    a[v7] = temp
    enc[k] ^= a[(a[v7] + a[v8]) % 256]
print(bytes(enc))
#b'ACFg0Gw1Jo5Ix9C}'


s1='DST{Wo7Xj5Ad8Nx8'
s2='ACFg0Gw1Jo5Ix9C}'
for i in range(len(s1)):
    print(s1[i]+s2[i],end='')

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28

最后一个re蹲个wp

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小舞很执着/article/detail/984164
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号