Nepnep2023 九龙拉棺wp
Nepnep2023 九龙拉棺wp
ida打开
打开了8个子线程,但是执行顺序是固定的
按顺序分析
首先是对Src中的数据进行解密
解密流程依次是 RC4、base32、base58、base64,最后解密出来的数据是一个 exe。下面的脚本对两组密文做 TEA 解密(delta 为 0x9E3779B9,共 32 轮),对应代码如下:
#include <cstdio>
#include <iostream>
using namespace std;
/// Decrypts one 64-bit block in place using the TEA round structure.
///
/// The constant 0x9E3779B9, the 32 rounds, and the <<4 / >>5 mixing of the
/// two halves with four key words are the usual fingerprint of TEA when
/// reading decompiled code.
///
/// @param EntryData  Two consecutive 32-bit words (the block); overwritten
///                   with the decrypted words.
/// @param Key        Four 32-bit key words; read only.
///
/// NOTE(review): the arithmetic relies on unsigned wrap-around at 2^32, so
/// this presumably expects a 32-bit `unsigned int` — confirm for the target.
void decrypt(unsigned int* EntryData, unsigned int* Key) {
    const unsigned int kDelta = 0x9E3779B9;
    const unsigned int kRounds = 32;

    unsigned int lo = EntryData[0];
    unsigned int hi = EntryData[1];

    // Decryption starts from the final round sum and walks it back to zero.
    unsigned int sum = kDelta * kRounds;

    for (unsigned int remaining = kRounds; remaining != 0; --remaining) {
        // Undo the two half-rounds in the reverse order of encryption.
        hi -= ((lo << 4) + Key[2]) ^ (lo + sum) ^ ((lo >> 5) + Key[3]);
        lo -= ((hi << 4) + Key[0]) ^ (hi + sum) ^ ((hi >> 5) + Key[1]);
        sum -= kDelta;
    }

    EntryData[0] = lo;
    EntryData[1] = hi;
}
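/// Decrypts `word_count` 32-bit words in place, two words (one 64-bit block)
/// at a time, then writes the plaintext bytes to stdout.
///
/// Each word is emitted least-significant byte first, i.e. the words are
/// treated as little-endian when turned back into text.
static void decrypt_and_print(unsigned int* words, std::size_t word_count,
                              unsigned int* key) {
    // `i + 1 < word_count` keeps a trailing odd word from being read as a block.
    for (std::size_t i = 0; i + 1 < word_count; i += 2) {
        decrypt(words + i, key);
    }
    for (std::size_t i = 0; i < word_count; ++i) {
        unsigned int w = words[i];
        for (int b = 0; b < 4; ++b) {
            std::putchar(static_cast<int>(w & 0xff));
            w >>= 8;
        }
    }
}

/// Solver entry point: decrypts the two 16-word ciphertext tables with their
/// respective keys and prints both plaintexts, separated by a newline.
///
/// The names v12 / v16 look like decompiler-generated locals; the page does
/// not show where in the target they come from.
int main() {
    std::cout << "begin" << '\n';

    unsigned int v12[16] = {
        0x88AFD2D6, 0x3FBE45A7, 0x27AAD1B9, 0x8CB3E51E,
        0x09348FFA, 0xE19F3C42, 0xFFDD0D86, 0xEDB97383,
        0x12C4C0BF, 0x1B67BD19, 0xF7A514D6, 0x18F95254,
        0xAB100CB0, 0x00CBA137, 0x02A91712, 0xC58D0D9E,
    };
    unsigned int key[4] = {1, 2, 3, 4};
    decrypt_and_print(v12, 16, key);

    std::printf("\n");

    unsigned int v16[16] = {
        0x1DC74989, 0xD979AF77, 0x888D136D, 0x8E26DB7F,
        0xC10C3CC9, 0xC3845D40, 0xC6E04459, 0xA2EBDF07,
        0xD484388D, 0x12F956A2, 0x5ED7EE59, 0x43137F85,
        0xEF43F9F0, 0xB29683AA, 0x8E3640B4, 0xC2D36177,
    };
    // 18, 52, 86, 120 are 0x12, 0x34, 0x56, 0x78 in hex.
    unsigned int k[4] = {18, 52, 86, 120};
    decrypt_and_print(v16, 16, k);

    return 0;
}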
NepCTF{c9cdnwdi3iu41m0pv3x7kllzu8pdq6mt9n2nwjdp6kat8ent4dhn5r158iz2f0cmr0u7yxyq}