GWCTF 2019 re3

[GWCTF 2019]re3

Open the binary in ida64.

The binary uses SMC (self-modifying code).

Decode it with an IDC script:

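#include <idc.idc>

// Undo the SMC layer: XOR 224 bytes starting at 0x402219 with 0x99.
static main()
{
    auto addr = 0x402219;   // start of the encoded region
    auto i = 0;
    for (i = 0; i <= 223; i++)
    {
        PatchByte(addr + i, Byte(addr + i) ^ 0x99);
    }
}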

After decoding, manually define the function at that address so that IDA disassembles it.
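The same decode can also be applied to the file on disk rather than to the IDA database. The added example below (not part of the original write-up) maps the virtual address to a file offset through the ELF64 program headers and XORs the 224 bytes with 0x99; `build_sample` and its 224-byte body are a constructed stand-in for the challenge binary, which is assumed to be a little-endian ELF64 file.

```python
import struct

PT_LOAD = 1

def va_to_offset(elf: bytes, va: int, length: int = 1) -> int:
    """Map [va, va+length) to a file offset via the ELF64 PT_LOAD headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= va and va + length <= p_vaddr + p_filesz:
            return p_offset + (va - p_vaddr)
    raise ValueError(f"{va:#x}+{length} is not file-backed by one PT_LOAD segment")

def xor_patch(elf: bytes, va: int, length: int, key: int) -> bytes:
    """Return a copy of the image with `length` bytes at `va` XORed with `key`."""
    start = va_to_offset(elf, va, length)
    out = bytearray(elf)
    for i in range(start, start + length):
        out[i] ^= key
    return bytes(out)

def build_sample(plain: bytes, va: int = 0x402219, key: int = 0x99,
                 base: int = 0x400000) -> bytes:
    """Constructed stand-in for the challenge file: one PT_LOAD, encoded body at va."""
    body_off = va - base
    size = body_off + len(plain)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, base, 0x40, 0, 0, 0x40, 0x38, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, size, size, 0x1000)
    img = bytearray(size)
    img[:0x40], img[0x40:0x78] = ehdr, phdr
    img[body_off:] = bytes(b ^ key for b in plain)
    return bytes(img)

if __name__ == "__main__":
    plain = bytes(range(224))        # constructed stand-in for the real code bytes
    packed = build_sample(plain)
    # Address, size and key are the ones used by the IDC script above.
    fixed = xor_patch(packed, 0x402219, 224, 0x99)
    print(hex(va_to_offset(packed, 0x402219, 224)), fixed[0x2219:] == plain)
```

Loading the patched file gives the disassembler the decoded bytes from the start, so no database patching is needed.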

Analyze the functions.

sub_40207B

Inside it, sub_401CF9:

It contains MD5's characteristic constant array together with its logical functions:

F(X,Y,Z) = (X & Y) | ((~X) & Z);
G(X,Y,Z) = (X & Z) | (Y & (~Z));
H(X,Y,Z) = X ^ Y ^ Z;
I(X,Y,Z) = Y ^ (X | (~Z));

From this we conclude it is an MD5 computation; dynamic debugging gives the result:

CB8D493521B47A4CC1AE7E62229266

The other function performs AES encryption in ECB mode, followed by a comparison.

Decrypt with a Python script:

from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes

# AES key: the MD5 result recovered by dynamic debugging
key = long_to_bytes(0xcb8d493521b47a4cc1ae7e62229266ce)
# Ciphertext (32 bytes, two AES blocks)
mi = long_to_bytes(0xbc0aadc0147c5ecce0b140bc9c51d52b46b2b9434de5324bad7fb4b39cdb4b5b)
lun = AES.new(key, mode=AES.MODE_ECB)
flag = lun.decrypt(mi)
print(flag)

flag{924a9ab2163d390410d0a1f670}