HGAME2023

by 没有眼的鱼

Week1

test_your_IDA

ida64位打开

1	hgame{te5t_y0ur_IDA}

easyasm

核心是Str[i] ^= 0x33

flag = [
    0x5b, 0x54, 0x52, 0x5e, 0x56, 0x48, 0x44, 0x56,
    0x5f, 0x50,  0x3, 0x5e, 0x56, 0x6c, 0x47,  0x3,
    0x6c, 0x41, 0x56, 0x6c, 0x44, 0x5c, 0x41,  0x2,
    0x57, 0x12, 0x4e
]

for i in flag:
    print(chr(i^0x33), end="")

1	hgame{welc0me_t0_re_wor1d!}

easyenc

ida64位打开

核心逻辑是先异或0x32再减去86

留意v8是以小端序的形式储存密文

写脚本

flag = [
    0x09FDFF04, 0x0B0F301, 0xADF00500, 0x05170607,
    0x17FD17EB, 0x1EE01EA, 0xFA05B1EA, 0xAC170108,
    0xFDEA01EC, 0x60705F0
]
for i in range(len(flag)):
    enc = ""
    x = flag[i]
    for j in range(4):
        enc = enc + chr((((x & 0xff) + 86) ^ 0x32)&0xff)
        x = x >> 8
    print(enc, end="")
print(chr((((0xf9 & 0xff) + 86) ^ 0x32) & 0xff))

1	hgame{4ddit1on_is_a_rever5ible_0peration}

a_cup_of_tea

ida64位

每8位一组进行加密

改了delta的tea加密

写脚本

#include <iostream>
#include <Windows.h>
#include <cstring>

using namespace std;

int main(){
    unsigned long flag[] = {
        0x2E63829D, 0xC14E400F, 0x9B39BFB9, 0x5A1F8B14,
        0x61886DDE, 0x6565C6CF, 0x9F064F64, 0x236A43F6
    };

    for(int x = 0; x < 4; x++) {
        unsigned long x1 = flag[2*x];
        unsigned long x2 = flag[2*x+1];
        unsigned long v4 = 0;
        for(int i = 0; i < 32; i++) v4 -= 0x543210DD;
        for(int i = 0; i < 32; i++) {
            x2 -= (v4 + x1) ^ ((x1 >> 5) + 0x45678901) ^ (16 * (x1 + 0x3456789));
            x1 -= (v4 + x2) ^ (16 * x2 + 0x12345678) ^ ((x2 >> 5) + 0x23456789);
            v4 += 0x543210DD;
        }

        for(int i = 0; i < 4; i++) {
            printf("%c", x1&0xff);
            x1 = x1 >> 8;
        }

        for(int i = 0; i < 4; i++) {
            printf("%c", x2&0xff);
            x2 = x2 >> 8;
        }
    }
    printf("%c%c", 0x6B, 0x7D);
    return 0;
}

1	hgame{Tea_15_4_v3ry_h3a1thy_drlnk}

encode

ida32位

就单纯的把v5的前四位和后四位拆开了

写脚本

flag = [
    0x00000008, 0x00000006, 0x00000007, 0x00000006, 0x00000001, 0x00000006, 0x0000000D, 0x00000006, 0x00000005,
    0x00000006, 0x0000000B, 0x00000007, 0x00000005, 0x00000006, 0x0000000E, 0x00000006, 0x00000003, 0x00000006,
    0x0000000F, 0x00000006, 0x00000004, 0x00000006, 0x00000005, 0x00000006, 0x0000000F, 0x00000005, 0x00000009,
    0x00000006, 0x00000003, 0x00000007, 0x0000000F, 0x00000005, 0x00000005, 0x00000006, 0x00000001, 0x00000006,
    0x00000003, 0x00000007, 0x00000009, 0x00000007, 0x0000000F, 0x00000005, 0x00000006, 0x00000006, 0x0000000F,
    0x00000006, 0x00000002, 0x00000007, 0x0000000F, 0x00000005, 0x00000001, 0x00000006, 0x0000000F, 0x00000005,
    0x00000002, 0x00000007, 0x00000005, 0x00000006, 0x00000006, 0x00000007, 0x00000005, 0x00000006, 0x00000002,
    0x00000007, 0x00000003, 0x00000007, 0x00000005, 0x00000006, 0x0000000F, 0x00000005, 0x00000005, 0x00000006,
    0x0000000E, 0x00000006, 0x00000007, 0x00000006, 0x00000009, 0x00000006, 0x0000000E, 0x00000006, 0x00000005,
    0x00000006, 0x00000005, 0x00000006, 0x00000002, 0x00000007, 0x0000000D, 0x00000007, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000
]

for i in range(50):
    x = flag[2*i+1] * 16 + flag[2*i]
    print(chr(x & 0xff), end="")

1	hgame{encode_is_easy_for_a_reverse_engineer}

Week2

before_main

ida64位打开

根据提示很明显有函数在main之前运行了

结合base64，猜测可能是该表，对qword_4020交叉引用

找到了该函数，换表base64

1	hgame{s0meth1ng_run_befOre_m@in}

math

ida64位打开

动态调试的话会发现这个savedregs - 368指向的就是输入的开头

下面三层循环很明显就是矩阵乘法

v12 == input * v10

用z3写脚本

from z3 import *

v10 = [0x0000007E, 0x000000E1, 0x0000003E, 0x00000028, 0x000000D8,
       0x000000FD, 0x00000014, 0x0000007C, 0x000000E8, 0x0000007A,
       0x0000003E, 0x00000017, 0x00000064, 0x000000A1, 0x00000024,
       0x00000076, 0x00000015, 0x000000B8, 0x0000001A, 0x0000008E,
       0x0000003B, 0x0000001F, 0x000000BA, 0x00000052, 0x0000004F]
v12 = [0x0000F9FE, 0x00008157, 0x000108B2, 0x0000D605, 0x0000F21B,
       0x00010FF3, 0x00009146, 0x00011212, 0x0000CF76, 0x00010C46,
       0x0000F76B, 0x000077DF, 0x000103BE, 0x0000C6F8, 0x0000ED8A,
       0x0000BE90, 0x000075EC, 0x0000EAC8, 0x0000AE37, 0x0000CC29,
       0x0000A828, 0x00005C6C, 0x0000AB4A, 0x0000836E, 0x0000ACEE]

s = Solver()

x = [Int('x[%d]' % i) for i in range(25)]
for i in range(5):
    for j in range(5):
        s.add(v12[i * 5 + j] == (
                    x[i * 5] * v10[j] + x[i * 5 + 1] * v10[1 * 5 + j] + x[i * 5 + 2] * v10[2 * 5 + j] + x[i * 5 + 3] *
                    v10[3 * 5 + j] + x[i * 5 + 4] * v10[4 * 5 + j]))

if (s.check()):
    k = 0
    while (s.check() == sat):
        condition = []
        m = s.model()
        print("[%d]" % k)
        print(m)
        k += 1
        for i in range(25):
            condition.append(x[i] != int("%s" % (m[x[i]])))

        s.add(Or(condition))
else:
    print("No")

1	hgame{y0ur_m@th_1s_gO0d}

stream

python编译的exe

pyinstxtractor.py后再把pyc丢去反编译

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10

import base64

def gen(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
    i = j = 0
    data = []
    for _ in range(50):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        tmp = s[i]
        s[i] = s[j]
        s[j] = tmp
        data.append(s[(s[i] + s[j]) % 256])
    return data


def encrypt(text, key):
    result = ''
    for c, k in zip(text, gen(key)):
        result += chr(ord(c) ^ k)
    result = base64.b64encode(result.encode()).decode()
    return result

text = input('Flag: ')
key = 'As_we_do_as_you_know'
enc = encrypt(text, key)
if enc == 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl':
    print('yes!')

直接写脚本就行了

但是要注意这个base64，一开始我以为这个encode decode只是编码和字符的转换。没想到他base64加密的是字符串编码后的数据

import base64

key = 'As_we_do_as_you_know'
text = 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl'
x = base64.b64decode(text.encode()).decode()
print(list(x))

s = [0] * 256
for i in range(256):
    s[i] = i

j = 0
for i in range(256):
    j = (j + s[i] + ord(key[i % len(key)])) % 256
    tmp = s[i]
    s[i] = s[j]
    s[j] = tmp

i = 0
j = 0
k = [0] * 256
for x in range(66):
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    tmp = s[i]
    s[i] = s[j]
    s[j] = tmp
    k[x] = s[(s[i] + s[j]) % 256]

enc = ['½', '\x95', 'W', '\x12', 'ù', '\x98', 'Ü', '\x1d', '\xa0', 'i', 'í', '2', 'K', 'Ï', '\x16', 'z', 'j', '\x96', 'É', '\x84', '¼', '"', '»', '(', 'Î', 'j', 'ë', 'v', '\x06', '×', '\x1d', 'é', 'ª', '½', '!', 'ý', '5', '/', '.', '{', 'í', 'µ', 'å']

for i in range(len(enc)):
    print(chr((ord(enc[i])^k[i]) & 0xff), end="")

1	hgame{python_reverse_is_easy_with_internet}

VidarCamera

雷电模拟器

jeb打开，直接查找字符串找到序列号不正确

找到flag

点开加密函数，魔改后的xtea

要注意轮次，一方面是嵌套的得从最后一组开始解密，另一方面下面的while总共有33轮

写脚本

#include <iostream>
#include <cstring>
#include <algorithm>

using namespace std;

int main()
{
    unsigned long flag[] = {0x260202FA, 0x1B451064, 0x867B61F1, 0x228033C5,
                            0xF15D82DC, 0x9D8430B1, 0x19F2B1E7, 0x2BBA859C,
                            0x2A08291D, 0xDC707918};
    unsigned long key[] = {2233, 4455, 6677, 8899};
    unsigned long delta = 0x34566543;
    for(int i = 8; i >= 0; i--) {
        unsigned long sum = delta * 33;
        unsigned long x1 = flag[i];
        unsigned long x2 = flag[i+1];
        for(int i = 0; i < 33; i++) {
            sum -= delta;
            x2 -=(key[(sum >> 11) & 0x3] + sum) ^ (((x1 << 4) ^ (x1 >> 5)) + x1);
            x1 -=(key[sum & 0x3] + sum) ^ (((x2 << 4) ^ (x2 >> 5)) + x2) ^ sum;
        }
        flag[i] = x1;
        flag[i+1] = x2;
    }
    
    for(int i = 0; i <= 9; i++) {
        unsigned long x = flag[i];
        for(int j = 0; j < 4; j++) {
            printf("%c", x&0xff);
            x = x >> 8;
        }
    }
    
	return 0;
}

1	hgame{d8c1d7d34573434ea8dfe5db40fbb25c0}

Week3

patchme

#include <idc.idc>
static main()
{
    auto addr = 0x014C6;
    auto i = 0;
    for(i = 0; i <= 960; i++)
    {
        PatchByte(addr+i,Byte(addr+i)^0x66);
    }
}

flag = [
    0xFa, 0x28, 0x8A, 0x80, 0x99, 0xD9, 0x16, 0x54,
    0x63, 0xB5, 0x53, 0x49, 0x09, 0x05, 0x85, 0x58,
    0x97, 0x90, 0x66, 0xDC, 0xA0, 0xF3, 0x8C, 0xCE,
    0xBD, 0x4C, 0xF4, 0x54, 0xE8, 0xF3, 0x5C, 0x4C,
    0x31, 0x83, 0x67, 0x16, 0x99, 0xE4, 0x44, 0xD1,
    0xAC, 0x6B, 0x61, 0xDA, 0xD0, 0xBB, 0x55
]

key = [
    0x92, 0x4F, 0xEB, 0xED, 0xFC, 0xA2, 0x4F, 0x3B,
    0x16, 0xEA, 0x67, 0x3B, 0x6C, 0x5A, 0xE4, 0x07,
    0xE7, 0xD0, 0x12, 0xBF, 0xC8, 0xAC, 0xE1, 0xAF,
    0xCE, 0x38, 0x91, 0x26, 0xB7, 0xC3, 0x2E, 0x13,
    0x43, 0xE6, 0x11, 0x73, 0xEB, 0x97, 0x21, 0x8E,
    0xC1, 0x0A, 0x54, 0xAE, 0xB5, 0xC9, 0x28
]

for i in range(len(flag)):
    x = flag[i] ^ key[i]
    print(chr(x&0xff), end="")

hgame{You_4re_a_p@tch_master_0r_reverse_ma5ter}

kunmusic

import re
from z3 import *

flag = [132, 47, 180, 7, 216, 45, 68, 6, 39, 246, 124, 2, 243, 137, 58, 172, 53, 200, 99, 91, 83, 13, 171, 80, 108, 235,
        179, 58, 176, 28, 216, 36, 11, 80, 39, 162, 97, 58, 236, 130, 123, 176, 24, 212, 56, 89, 72
    ]


s = Solver()

x = [BitVec('x[%d]' % i, 8) for i in range(13)]

s.add(x[0] + 52296 + x[1] - 26211 + x[2] - 11754 + (x[3] ^ 41236) + x[4] * 63747 + x[5] - 52714 + x[6] - 10512 +
      x[7] * 12972 + x[8] + 45505 + x[9] - 21713 + x[10] - 59122 + x[11] - 12840 + (x[12] ^ 21087) == 12702282)

s.add(x[0] - 25228 + (x[1] ^ 20699) + (x[2] ^ 8158) + x[3] - 65307 + x[4] * 30701 + x[5] * 47555 + x[6] - 2557 + (
        x[7] ^ 49055) + x[8] - 7992 + (x[9] ^ 57465) + (x[10] ^ 57426) + x[11] + 13299 + x[12] - 50966 == 9946829)

s.add(x[0] - 64801 + x[1] - 60698 + x[2] - 40853 + x[3] - 54907 + x[4] + 29882 + (x[5] ^ 13574) + (x[6] ^ 21310) +
      x[7] + 47366 + x[8] + 41784 + (x[9] ^ 53690) + x[10] * 58436 + x[11] * 15590 + x[12] + 58225 == 2372055)

s.add(x[0] + 61538 + x[1] - 17121 + x[2] - 58124 + x[3] + 8186 + x[4] + 21253 + x[5] - 38524 + x[6] - 48323 +
      x[7] - 20556 + x[8] * 56056 + x[9] + 18568 + x[10] + 12995 + (x[11] ^ 39260) + x[12] + 25329 == 6732474)

s.add(x[0] - 42567 + x[1] - 17743 + x[2] * 47827 + x[3] - 10246 + (x[4] ^ 16284) + x[5] + 39390 + x[6] * 11803 +
      x[7] * 60332 + (x[8] ^ 18491) + (x[9] ^ 4795) + x[10] - 25636 + x[11] - 16780 + x[12] - 62345 == 14020739)

s.add(x[0] - 10968 + x[1] - 31780 + (x[2] ^ 31857) + x[3] - 61983 + x[4] * 31048 + x[5] * 20189 + x[6] + 12337 +
      x[7] * 25945 + (x[8] ^ 7064) + x[9] - 25369 + x[10] - 54893 + x[11] * 59949 + (x[12] ^ 12441) == 14434062)

s.add(x[0] + 16689 + x[1] - 10279 + x[2] - 32918 + x[3] - 57155 + x[4] * 26571 + x[5] * 15086 + (x[6] ^ 22986) +
      (x[7] ^ 23349) + (x[8] ^ 16381) + (x[9] ^ 23173) + x[10] - 40224 + x[11] + 31751 + x[12] * 8421 == 7433598)

s.add(x[0] + 28740 + x[1] - 64696 + x[2] + 60470 + x[3] - 14752 + (x[4] ^ 1287) + (x[5] ^ 35272) + x[6] + 49467 +
      x[7] - 33788 + x[8] + 20606 + (x[9] ^ 44874) + x[10] * 19764 + x[11] + 48342 + x[12] * 56511 == 7989404)

s.add((x[0] ^ 28978) + x[1] + 23120 + x[2] + 22802 + x[3] * 31533 + (x[4] ^ 39287) + x[5] - 48576 + (x[6] ^ 28542) +
      x[7] - 43265 + x[8] + 22365 + x[9] + 61108 + x[10] * 2823 + x[11] - 30343 + x[12] + 14780 == 3504803)

s.add(x[0] * 22466 + (x[1] ^ 55999) + x[2] - 53658 + (x[3] ^ 47160) + (x[4] ^ 12511) + x[5] * 59807 + x[6] + 46242 +
      x[7] + 3052 + (x[8] ^ 25279) + x[9] + 30202 + x[10] * 22698 + x[11] + 33480 + (x[12] ^ 16757) == 11003580)

s.add(x[0] * 57492 + (x[1] ^ 13421) + x[2] - 13941 + (x[3] ^ 48092) + x[4] * 38310 + x[5] + 9884 + x[6] - 45500 + x[7] -
      19233 + x[8] + 58274 + x[9] + 36175 + (x[10] ^ 18568) + x[11] * 49694 + (x[12] ^ 9473) == 25546210)

s.add(x[0] - 23355 + x[1] * 50164 + (x[2] ^ 34618) + x[3] + 52703 + x[4] + 36245 + x[5] * 46648 + (x[6] ^ 4858) + (
        x[7] ^ 41846) + x[8] * 27122 + (x[9] ^ 42058) + x[10] * 15676 + x[11] - 31863 + x[12] + 62510 == 11333836)

s.add(x[0] * 30523 + (x[1] ^ 7990) + x[2] + 39058 + x[3] * 57549 + (x[4] ^ 53440) + x[5] * 4275 + x[6] - 48863 + (
        x[7] ^ 55436) + (x[8] ^ 2624) + (x[9] ^ 13652) + x[10] + 62231 + x[11] + 19456 + x[12] - 13195 == 13863722)


while (s.check() == sat):
    result = s.model()
    b = [0] * 13
    t = 0
    ttt = ""
    for each in x:
        a = result[each]
        b[t] = a.as_long()
        t += 1
    for i in range(len(flag)):
        y = flag[i] ^ b[i % len(b)]
        ttt += chr(y&0xff)
    if re.match("hgame", ttt, 0):
        print(ttt)

hgame{z3_1s_very_u5eful_1n_rever5e_engin3ering}

cpp

b = [
    0x40, 0x37, 0xa0, 0x4e, 0xfd, 0xda,  0x2, 0x46, 
    0x3c, 0x6e, 0xfa, 0x21, 0xcf, 0x9c, 0xd9, 0xaf, 
    0x67, 0x33, 0x47, 0xb9,  0xd, 0xec, 0x4e, 0xe0, 
    0x13, 0x80, 0xc4, 0xd1, 0x3a, 0xb2, 0xa9, 0x32, 
    0x2,  0x5d, 0x50, 0xa7, 0x83, 0x4a, 0x39, 0x82
]

flag = [
    0x28, 0x50, 0xC1, 0x23, 0x98, 0xA1, 0x41, 0x36,
    0x4C, 0x31, 0xCB, 0x52, 0x90, 0xF1, 0xAC, 0xCC, 
    0x0F, 0x6C, 0x2A, 0x89, 0x7F, 0xDF, 0x11, 0x84, 
    0x7F, 0xE6, 0xA2, 0xE0, 0x59, 0xC7, 0xC5, 0x46, 
    0x5D, 0x29, 0x38, 0x93, 0xED, 0x15, 0x7A, 0xFF
]

for i in range(len(flag)):
    x = flag[i] ^ b[i]
    print(chr(x), end="")

hgame{Cpp_1s_much_m0r3_dlff1cult_th4n_C}