rev - g0Re - elfUPX/AES/base64

Checked for a packer: the binary is an ELF packed with UPX.

`upx -d` fails to unpack it; opening the file in 010 Editor shows that the UPX magic signature has been modified.

Changing OKXX -> UPX! is all that is needed, after which `upx -d` works.

After unpacking, load the binary into IDA64 for analysis.

Audit the code in the main function.

Extract the ciphertext by dynamic debugging.

```
E6CE89C8CFC5F5C9D2D9C091CE7FACCCE9CFB7C096D4EA92E2D7DF84CBA5AE93A6CABE97DFCEF0C9B7E1AE6BC4B165DBCEED9293D68CEDC3A3DA94A5AAB2B5A755
```

Then extract the AES key: press the A key in IDA to convert the bytes to a string -> wvgitbygwbk2b46d

The base64 routine uses a custom alphabet; extract the table.

```
456789}#IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123ABCDEFGH
```

Finally, debug the sub routine dynamically to find the key it uses -> it is the same key.

CyberChef!!!

flag{g0_1s_th3_b3st_1anguage_1n_the_wOrld!_xxx}

exp

```python
from Crypto.Cipher import AES  # pycryptodome
import base64

# ciphertext dumped from the debugger (64 bytes)
enc = [0xE6, 0xCE, 0x89, 0xC8, 0xCF, 0xC5, 0xF5, 0xC9, 0xD2, 0xD9,
       0xC0, 0x91, 0xCE, 0x7F, 0xAC, 0xCC, 0xE9, 0xCF, 0xB7, 0xC0,
       0x96, 0xD4, 0xEA, 0x92, 0xE2, 0xD7, 0xDF, 0x84, 0xCB, 0xA5,
       0xAE, 0x93, 0xA6, 0xCA, 0xBE, 0x97, 0xDF, 0xCE, 0xF0, 0xC9,
       0xB7, 0xE1, 0xAE, 0x6B, 0xC4, 0xB1, 0x65, 0xDB, 0xCE, 0xED,
       0x92, 0x93, 0xD6, 0x8C, 0xED, 0xC3, 0xA3, 0xDA, 0x94, 0xA5,
       0xAA, 0xB2, 0xB5, 0xA7]
key = b"wvgitbygwbk2b46d"  # AES key, also used by the byte-wise sub layer

# undo the outer layer: each byte was XORed with 0x1a and then had key[i % 16] added
base = ""
for i in range(len(enc)):
    base += chr(((enc[i] - key[i % 16]) ^ 0x1a) & 0xff)
print(base)

# map the custom base64 alphabet back onto the standard one, then decode
tableB = "456789}#IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123ABCDEFGH"
tableA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
aes_enc = base64.b64decode(base.translate(str.maketrans(tableB, tableA)))

# innermost layer: AES-128-ECB with the same key
aes = AES.new(key=key, mode=AES.MODE_ECB)
print(aes.decrypt(aes_enc))
# b'flag{g0_1s_th3_b3st_1anguage_1n_the_wOrld!_xxx}\x01'
```

misc - foundme

```shell
strings find.DMP | grep "flag"
```

Following the hint, look it up with a search engine.

AVIF is an image format, so the guess is that locating this file in the dump and opening it gives the flag.

Searching for "avif" in 010 Editor turns up a flag marker.

Carve this file out of the dump.

flag(YOung_Ju57_fomward}

misc - song - ape=deepsound/ook

Load the file into 010 Editor: there is a PK marker at the end but no file header, so it is presumably a PK (ZIP) file; change the header to

504B0304

and it opens successfully (although it reports an error: wrong file format).
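The same repair done programmatically, as an added example that is not part of the original writeup: find the trailing end-of-central-directory record, follow it to the central directory, and restore the first local file header signature (50 4B 03 04) if it is missing. The function name `repair_zip_local_header` and the one-file archive it is run on are constructed for this example; the archive is not the challenge file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_MAGIC = b"PK\x03\x04"  # the 50 4B 03 04 bytes patched in by hand above
CENTRAL_DIR_MAGIC = b"PK\x01\x02"
EOCD_MAGIC = b"PK\x05\x06"          # the 'PK' marker seen at the end of the file


def repair_zip_local_header(data: bytes) -> tuple[bytes, int]:
    """Restore a missing/overwritten local file header signature.

    Locates the end-of-central-directory record, follows it to the central
    directory, reads the first entry's local-header offset and writes
    PK\\x03\\x04 there if it is gone. Returns (patched bytes, offset checked).
    """
    eocd = data.rfind(EOCD_MAGIC)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_offset(4)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    cd = data[cd_offset:cd_offset + cd_size]
    if not cd.startswith(CENTRAL_DIR_MAGIC):
        raise ValueError("central directory is not where the EOCD record says")
    local_off = struct.unpack_from("<I", cd, 42)[0]  # 'relative offset of local header'
    if data[local_off:local_off + 4] == LOCAL_HEADER_MAGIC:
        return data, local_off  # signature intact, nothing to patch
    patched = bytearray(data)
    patched[local_off:local_off + 4] = LOCAL_HEADER_MAGIC
    return bytes(patched), local_off


def build_damaged_sample() -> bytes:
    """Constructed sample: a one-file archive whose first four bytes were zeroed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample_not_the_real_flag}")
    return b"\x00\x00\x00\x00" + buf.getvalue()[4:]


def demo() -> tuple[bool, str]:
    """Repairs the constructed sample; returns (was_patched, recovered flag.txt)."""
    damaged = build_damaged_sample()
    fixed, off = repair_zip_local_header(damaged)
    recovered = zipfile.ZipFile(io.BytesIO(fixed)).read("flag.txt").decode()
    return fixed != damaged and off == 0, recovered


if __name__ == "__main__":
    print(demo())
```

Before the patch, `zipfile` can still list the damaged archive (it only reads the central directory) but raises BadZipFile on the first read; after it, the entry extracts normally.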

In \ppt\media we find:

image4.png is unusually large; the remaining files are wmf.

Compare the two png files.

"MAC" is the signature of an APE (Monkey's Audio) file, and the APE format can also be used as a DeepSound carrier.

But DeepSound needs a password to decrypt.

In \docProps, thumbnail.jpg is actually an archive:

Decode it.

Common weak password: 123456

Use DeepSound to decrypt image4.ape (after renaming the extension).

Ook! decoding:

[Brainfuck/Ook! Obfuscation/Encoding splitbrain.org]

this_zip_password_is_QazWsx147!@#

Open flag.txt to get the flag.

flag{lW9tUyrh8RzzvysrswAwY7MHR4mmbLSt}