Third Shaanxi Provincial CTF: Reverse WP

Third Shaanxi Provincial CTF Reverse Engineering Writeup

ezupx

The UPX header has probably been wiped, so unpack it by hand.

The UPX pattern is recognisable: two call ebp instructions, and the routine they call still uses VirtualProtect.

[screenshot: image-20230609212359377]

So the jump after that is most likely the jump to the OEP; dump the process there and analyse it statically.

[screenshot: image-20230609214509124]

A maze challenge; the maze looks like this:

***************
*S000*0000000**
*0**000*****0**
*0*00*0*000*0**
*000**0*0*0*0**
*0***00*0*0*00*
*0***0**0*0**0*
*000*0*00*00*0*
***0*0******0#*
***0*00000000**
*000********0**
*0***00000*00**
*0*0*****0**0**
*0000000*00000*
***************

Find the shortest path: RRRDRRURRRRRRDDDDRDDD

flag{ae2de0be8285f69db701d4dba8721a40}
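As an added example (not part of the original writeup), a breadth-first search over the maze above that returns the same shortest path. The move letters U/D/L/R and their meaning are assumed from the path string; walk() replays a path to confirm it really ends on #.

```python
from collections import deque

# The maze exactly as printed in the writeup: 'S' start, '#' goal, '*' wall, '0' open cell.
MAZE = """\
***************
*S000*0000000**
*0**000*****0**
*0*00*0*000*0**
*000**0*0*0*0**
*0***00*0*0*00*
*0***0**0*0**0*
*000*0*00*00*0*
***0*0******0#*
***0*00000000**
*000********0**
*0***00000*00**
*0*0*****0**0**
*0000000*00000*
***************"""

# Move letters mapped to (row, column) deltas; assumed to match the path string in the writeup.
MOVES = {"U": (-1, 0), "D": (1, 0), "L": (0, -1), "R": (0, 1)}


def _find(grid, ch):
    for r, row in enumerate(grid):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"no {ch!r} in maze")


def solve_maze(maze_text, start="S", goal="#", wall="*"):
    """Breadth-first search from start to goal.

    Returns the move string of a shortest path, or None if the goal is unreachable.
    BFS expands cells in order of distance, so the first time the goal is reached
    the recorded parent chain is a shortest path.
    """
    grid = maze_text.splitlines()
    rows, cols = len(grid), len(grid[0])
    src, dst = _find(grid, start), _find(grid, goal)
    parent = {src: None}            # cell -> (previous cell, move letter)
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for letter, (dr, dc) in MOVES.items():
            nxt = (cur[0] + dr, cur[1] + dc)
            if not (0 <= nxt[0] < rows and 0 <= nxt[1] < cols):
                continue
            if grid[nxt[0]][nxt[1]] == wall or nxt in parent:
                continue
            parent[nxt] = (cur, letter)
            queue.append(nxt)
    if dst not in parent:
        return None
    path = []
    cell = dst
    while parent[cell] is not None:
        cell, letter = parent[cell]
        path.append(letter)
    return "".join(reversed(path))


def walk(maze_text, path, start="S", wall="*"):
    """Replay a move string; returns the character under the final position,
    or None as soon as a move leaves the grid or enters a wall."""
    grid = maze_text.splitlines()
    r, c = _find(grid, start)
    for letter in path:
        dr, dc = MOVES[letter]
        r, c = r + dr, c + dc
        if not (0 <= r < len(grid) and 0 <= c < len(grid[r])) or grid[r][c] == wall:
            return None
    return grid[r][c]


if __name__ == "__main__":
    path = solve_maze(MAZE)
    print(path, len(path), walk(MAZE, path))
```

For this maze the shortest path is unique, so the BFS reproduces the writeup's 21-move string exactly; in a maze with several equally short routes the binary may accept only one of them, which is when walk() plus a check against the program's own validation matters.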

babypy

Python bytecode.

[screenshot: image-20230609214901768]

The ciphertext is appended at the end of the txt file:

=1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c

Roughly: the bytes are run through an arithmetic transform, base64-encoded, and then some characters of the result are substituted.

But it is not clear which characters are original and which came from the substitution, so brute-force the flag instead:

import base64

f = "=1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c"
print(f[::-1])  # undo the final reversal to see the substituted base64
# The reversed string splits into fixed pieces; the three gaps between them
# are each either '3' or 'H', so try all eight combinations.
for x in range(2):
    for y in range(2):
        for j in range(2):
            x1 = "cWdscnZAb25tb"
            x2 = "FwQT5xbXE+bUJvM0E/Qm48b"
            x3 = "BwQUA7b"
            x4 = "A0bng="
            if x == 1:
                x1 += '3'
            else:
                x1 += 'H'
            x1 += x2

            if y == 1:
                x1 += '3'
            else:
                x1 += 'H'
            x1 += x3

            if j == 1:
                x1 += '3'
            else:
                x1 += 'H'
            x1 += x4

            org = x1
            raw = base64.b64decode(org)
            for i in range(len(raw)):
                c = raw[i]      # separate name: reusing x here clobbered the loop variable
                c = c - 3
                c = c ^ 8
                print(chr(c), end="")
            print()

flag{5dcbafe63fbf3b7d8647c1aee650ae9c}
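Added example, not the author's script: once the flag is known, the substitution the author had to brute-force can be recovered by re-encoding the flag and diffing against the real ciphertext. The forward transform ((c ^ 8) + 3 per byte, base64, substitute, reverse) is inferred from the decoder above; the function names are mine.

```python
import base64

# Ciphertext from the challenge's txt file and the flag the writeup recovered.
CIPHERTEXT = "=1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c"
FLAG = "flag{5dcbafe63fbf3b7d8647c1aee650ae9c}"


def encode(plaintext: str, subst: dict) -> str:
    """Forward transform implied by the writeup's decoder: per byte (c ^ 8) + 3,
    base64, per-character substitution, then reverse the string."""
    shifted = bytes(((c ^ 8) + 3) & 0xFF for c in plaintext.encode())
    b64 = base64.b64encode(shifted).decode()
    replaced = "".join(subst.get(ch, ch) for ch in b64)
    return replaced[::-1]


def decode(ciphertext: str, subst: dict) -> str:
    """Inverse of encode(). Only valid when the substitution is one-to-one and
    no replacement character also occurs unreplaced in the base64 text; that
    ambiguity is exactly why the writeup fell back to brute force."""
    inverse = {v: k for k, v in subst.items()}
    b64 = "".join(inverse.get(ch, ch) for ch in ciphertext[::-1])
    raw = base64.b64decode(b64)
    return bytes(((c - 3) & 0xFF) ^ 8 for c in raw).decode()


def recover_substitution(known_plaintext: str, ciphertext: str) -> dict:
    """Encode the known plaintext with an empty table and diff it against the
    real ciphertext: each mismatching position exposes one original -> replaced
    pair. Raises if the model of the transform does not fit the data."""
    clean = encode(known_plaintext, {})
    if len(clean) != len(ciphertext):
        raise ValueError("length mismatch: transform model is wrong")
    table = {}
    for original, seen in zip(clean, ciphertext):
        if original == seen:
            continue
        if table.get(original, seen) != seen:
            raise ValueError(f"{original!r} replaced inconsistently")
        table[original] = seen
    return table


if __name__ == "__main__":
    table = recover_substitution(FLAG, CIPHERTEXT)
    print(table)                       # the three replacements the challenge applied
    print(decode(CIPHERTEXT, table))   # round-trips back to the flag
```

The diff shows that only three base64 characters were rewritten (W, H and g), which is why the brute force above had so few candidates: the author's fixed pieces are the unreplaced runs and the gaps are the H positions.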

BadCoffee

JavaScript.

Drop it into phpstudy and run it.

[screenshot: image-20230609222006019]

index.html

<script src="./BadCoffee.js" type="text/javascript" charset="utf-8"></script>

Debug it dynamically.

The key part is the two for loops in the enc function.

[screenshot: image-20230609222426241]

While debugging it turned out that the program only does XOR operations, so just let the whole encryption run and then XOR the encrypted string with the input to get the key used for encryption.

The comparison:

[screenshot: image-20230609222654993]

The script:

# Input is flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
# Key of the first loop
enc1 = [233, 129, 127, 238, 145, 144, 11, 43, 87, 134, 243, 158, 197, 216, 111, 136, 152, 29, 204, 31, 26, 228, 39, 148,
        215, 220, 90, 76, 251, 57, 183, 184, 150, 157, 156, 176, 13, 41, 30, 86, 244, 8]

# Key of the second loop
enc2 = [8, 244, 86, 30, 41, 13, 176, 156, 157, 150, 184, 183, 57, 251, 76, 90, 220, 215, 148, 39, 228, 26, 31, 204, 29,
        152, 136, 111, 216, 197, 158, 243, 134, 87, 43, 11, 144, 145, 238, 127, 129, 233]

# Extracted ciphertext
flag = [135, 25, 72, 151, 195, 212, 228, 212, 250, 101, 39, 77, 163, 77, 70, 167, 119, 184, 7, 77, 144, 154, 93, 10,
        185, 48, 179, 77, 71, 163, 67, 61, 113, 156, 196, 136, 239, 241, 128, 93, 84, 156]

# Both loops are plain XOR, so undoing them is XORing both keys back in
for i in range(len(enc1)):
    x = flag[i] ^ enc2[i] ^ enc1[i]
    print(chr(x), end="")

flag{I_c0uld_neu3r_undeRstand_jvaVs3rIpt!}
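Added example rather than the author's code: the known-plaintext trick described above, with a Python stand-in for the JavaScript enc() built from the two key arrays. It also checks that enc() really is XOR-only before trusting the recovered keystream, which is the precondition the trick silently depends on.

```python
# Per-position keys the writeup extracted from the two loops in enc(), and the
# ciphertext it compared against. They are used here only to build a stand-in
# for the JavaScript enc() so the recovery can run offline.
ENC1 = [233, 129, 127, 238, 145, 144, 11, 43, 87, 134, 243, 158, 197, 216, 111, 136, 152, 29, 204, 31, 26, 228, 39, 148,
        215, 220, 90, 76, 251, 57, 183, 184, 150, 157, 156, 176, 13, 41, 30, 86, 244, 8]
ENC2 = [8, 244, 86, 30, 41, 13, 176, 156, 157, 150, 184, 183, 57, 251, 76, 90, 220, 215, 148, 39, 228, 26, 31, 204, 29,
        152, 136, 111, 216, 197, 158, 243, 134, 87, 43, 11, 144, 145, 238, 127, 129, 233]
CIPHERTEXT = bytes([135, 25, 72, 151, 195, 212, 228, 212, 250, 101, 39, 77, 163, 77, 70, 167, 119, 184, 7, 77, 144, 154, 93, 10,
                    185, 48, 179, 77, 71, 163, 67, 61, 113, 156, 196, 136, 239, 241, 128, 93, 84, 156])


def enc(data: bytes) -> bytes:
    """Stand-in for the page's enc(): two passes, each XORing every byte with a
    fixed per-position key. Everything below treats it as a black box."""
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= ENC1[i]
    for i in range(len(out)):
        out[i] ^= ENC2[i]
    return bytes(out)


def keystream_from_probe(black_box, probe: bytes) -> bytes:
    """XOR is its own inverse: if enc(p) == p ^ K then enc(p) ^ p == K."""
    return bytes(c ^ p for c, p in zip(black_box(probe), probe))


def is_xor_only(black_box, length: int) -> bool:
    """Sanity check before trusting the trick: a pure XOR cipher must give the
    same keystream for two different probes. Anything beyond XOR (S-boxes,
    additions, rotations, data-dependent branches) fails this test."""
    ks_a = keystream_from_probe(black_box, bytes([0x41] * length))
    ks_b = keystream_from_probe(black_box, bytes(range(length)))
    return ks_a == ks_b


def recover_plaintext(black_box, ciphertext: bytes) -> str:
    """Run the black box on a known input, derive the keystream, strip it off."""
    if not is_xor_only(black_box, len(ciphertext)):
        raise ValueError("enc() is not a plain XOR; the keystream trick does not apply")
    keystream = keystream_from_probe(black_box, bytes(len(ciphertext)))
    return bytes(c ^ k for c, k in zip(ciphertext, keystream)).decode()


if __name__ == "__main__":
    print(recover_plaintext(enc, CIPHERTEXT))
```

Against the real target the probe would be typed into the page and enc() read back in the debugger; the two-probe consistency check is what tells you whether a single run is enough or whether you are looking at something position- or data-dependent.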

Web&Assembly

A wasm challenge. JEB can open it, but the decompiled output is a mess.

Ghidra with the wasm plugin is recommended.

Project: https://github.com/nneonneo/ghidra-wasm-plugin

Open the URL; the challenge already gives enough hints.

[screenshot: image-20230609210746035]

Open it in Ghidra.

[screenshot: image-20230609211248218]

The input and enc are passed straight into the check function.

Analyse the check function.

[screenshot: image-20230609211442713]

It is essentially three steps, and at the end the result is compared with enc.

Next, analyse the dosomething function.

[screenshot: image-20230609211527542]

A simple XOR, but be careful: + has higher precedence than the bitwise operators.

Finally the script:

def dosomething(enc, a, b, c, d):
    # Each step XORs one byte with the 8-bit sum of two others
    # (mask with 0xff because the wasm works on bytes).
    enc[a] ^= (enc[b] + enc[d]) & 0xff
    enc[b] ^= (enc[c] + enc[d]) & 0xff
    enc[c] ^= (enc[a] + enc[b]) & 0xff
    enc[d] ^= (enc[a] + enc[c]) & 0xff
    return enc


key = b"114!514!"
e = "91fba5ccfef6e0905eeeb47940d25543c286b10de778fbb268ab7580414c0758"
enc = bytes.fromhex(e)
# Undo the rounds block by block (8 bytes each), then strip the key XOR
for i in range(0, len(enc), 8):
    tmp = bytearray(enc[i:i + 8])
    for x in range(0x72):
        tmp = dosomething(tmp, 2, 3, 6, 7)
        tmp = dosomething(tmp, 0, 1, 4, 5)
        tmp = dosomething(tmp, 4, 5, 6, 7)
        tmp = dosomething(tmp, 0, 1, 2, 3)
    for a in range(8):
        x = tmp[a] ^ key[a]
        print(chr(x & 0xff), end="")

flag{Y0u_Kn0w_W45M_n0w!!W0oO0ow}
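Added example (not the challenge's wasm or the author's script): the decryption above written as a block cipher with its encryption side reconstructed. forward_round() is an assumption derived purely by inverting the writeup's dosomething (each of its four steps is its own inverse, so reversing the step order and the round order undoes it); it lets the recovered flag be re-encrypted and compared against enc as the check function would.

```python
KEY = b"114!514!"
ROUNDS = 0x72
# Ciphertext `enc` from the challenge page and the flag the writeup recovered.
ENC_HEX = "91fba5ccfef6e0905eeeb47940d25543c286b10de778fbb268ab7580414c0758"
FLAG = "flag{Y0u_Kn0w_W45M_n0w!!W0oO0ow}"


def add8(x: int, y: int) -> int:
    return (x + y) & 0xFF


def inverse_round(s: bytearray, a: int, b: int, c: int, d: int) -> None:
    """The writeup's dosomething(): four steps, each XORing one byte with the
    8-bit sum of two *other* bytes, so every single step is an involution."""
    s[a] ^= add8(s[b], s[d])
    s[b] ^= add8(s[c], s[d])
    s[c] ^= add8(s[a], s[b])
    s[d] ^= add8(s[a], s[c])


def forward_round(s: bytearray, a: int, b: int, c: int, d: int) -> None:
    """Assumed reconstruction of the wasm's round: the same four involutive
    steps in the opposite order, the only sequence that inverse_round() undoes."""
    s[d] ^= add8(s[a], s[c])
    s[c] ^= add8(s[a], s[b])
    s[b] ^= add8(s[c], s[d])
    s[a] ^= add8(s[b], s[d])


def encrypt_block(block: bytes) -> bytes:
    s = bytearray(p ^ k for p, k in zip(block, KEY))   # XOR with the key first
    for _ in range(ROUNDS):                             # then the mixing rounds
        forward_round(s, 0, 1, 2, 3)
        forward_round(s, 4, 5, 6, 7)
        forward_round(s, 0, 1, 4, 5)
        forward_round(s, 2, 3, 6, 7)
    return bytes(s)


def decrypt_block(block: bytes) -> bytes:
    """Exactly the writeup's loop: rounds in reverse order, then the key XOR."""
    s = bytearray(block)
    for _ in range(ROUNDS):
        inverse_round(s, 2, 3, 6, 7)
        inverse_round(s, 0, 1, 4, 5)
        inverse_round(s, 4, 5, 6, 7)
        inverse_round(s, 0, 1, 2, 3)
    return bytes(c ^ k for c, k in zip(s, KEY))


def _blocks(data: bytes):
    if len(data) % 8:
        raise ValueError("input must be a multiple of 8 bytes")
    return (data[i:i + 8] for i in range(0, len(data), 8))


def encrypt(data: bytes) -> bytes:
    return b"".join(encrypt_block(b) for b in _blocks(data))


def decrypt(data: bytes) -> bytes:
    return b"".join(decrypt_block(b) for b in _blocks(data))


if __name__ == "__main__":
    print(decrypt(bytes.fromhex(ENC_HEX)).decode())
    print(encrypt(FLAG.encode()).hex() == ENC_HEX)
```

Re-encrypting the flag and getting the original hex back is the cheap confirmation that the inverse was built correctly; if the round order inside dosomething had been copied in the wrong direction the round trip would fail even though the decryption script alone would still run and print something.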