goGpt

分析:

使用 go_parser恢复go符号表

使用方法:

在ida64中按下按键 `alt + P` 选择`go_parser.py`
运行等待即可

image-20230730113337387

插件项目地址:GitHub - 0xjiayu/go_parser:IDAPro 的又一个 Golang 二进制解析器

恢复后image-20230730113448364

main函数

image-20230730114134706

往下

image-20230730114357447

解密:

接着呢

动调找到key

image-20230730113836579

然后编写脚本解密即可

exp

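# goGpt solver: the binary base64-decodes the blob and XORs it with the 16-byte
# key recovered in the debugger, so decryption is the same XOR applied again.
import base64

x = "fiAGBkgXN3McFy9hAHRfCwYaIjQCRDFsXC8ZYBFmEDU="
key = "TcR@3t_3hp_5_G1H"


def xor_decrypt(b64_text: str, xor_key: str) -> str:
    """Base64-decode ``b64_text`` and XOR every byte with the repeating ``xor_key``.

    Args:
        b64_text: base64 ciphertext of any length (the original script assumed 32 bytes).
        xor_key: key applied cyclically, byte ``i`` uses ``xor_key[i % len(xor_key)]``
            (the original script assumed a 16-character key).

    Returns:
        The decrypted text, one ``chr`` per input byte; empty input gives "".

    Raises:
        ValueError: if ``xor_key`` is empty (a modulo by zero otherwise).
    """
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    data = base64.b64decode(b64_text)
    klen = len(xor_key)
    return "".join(chr(b ^ ord(xor_key[i % klen])) for i, b in enumerate(data))


# Same output bytes as the original char-by-char print (no trailing newline).
print(xor_decrypt(x, key), end="")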

ez_code

法一:终端运行

题目描述 –>powershell脚本语言

将整个powershell代码在powershell中运行,得到

img

将 最后面的| .${-``} 去掉,得到这一段

img

这一段(上图)是假的

程序的结构大概是这样 xxx1 = "xxx2"; "xxx3" | xxx4

然后再跑这一段,这一段是 "xxx2"

img

得到真的代码

img

将此代码cv跑一遍得到python代码

class chiper():
    """Block cipher used by the ez_code checker.

    It follows the XXTEA structure, but with the mixing shifts changed to
    6/4/2/5 and a non-standard round constant; all arithmetic is modulo 2**32.
    """

    def __init__(self):
        # Round constant added to the running sum once per round.
        self.d = 0x87654321
        # Fixed 128-bit key as four 32-bit words.
        self.k = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]

    def e(self, n, v):
        """Encrypt the n-word list ``v`` in place and return the same list.

        ``v`` holds 32-bit words (values are reduced modulo 2**32 on read and
        write). ``n`` must be at least 1; ``n == 0`` raises ZeroDivisionError
        from the round count.
        """
        mask = 0xFFFFFFFF
        key = self.k
        delta = self.d

        def mix(z, y, total, p, e):
            # Mixing function; masking only at the end is safe because XOR and
            # addition never let high bits influence the low 32 bits.
            left = ((z >> 6) ^ (y << 4)) + ((y >> 2) ^ (z << 5))
            right = (total ^ y) + (key[(p & 3) ^ e] ^ z)
            return (left ^ right) & mask

        rounds = 6 + 52 // n
        total = 0
        z = v[n - 1] & mask
        for _ in range(rounds):
            total = (total + delta) & mask
            e = (total >> 2) & 3
            for p in range(n - 1):
                y = v[p + 1] & mask
                v[p] = (v[p] + mix(z, y, total, p, e)) & mask
                z = v[p]
            # Last word wraps around to use the (already updated) first word.
            y = v[0] & mask
            v[n - 1] = (v[n - 1] + mix(z, y, total, n - 1, e)) & mask
            z = v[n - 1]
        return v

    def bytes2ints(self, cs: bytes) -> list:
        """Zero-pad ``cs`` to a multiple of 8 bytes and split it into little-endian 32-bit words."""
        padded_len = len(cs) + (8 - len(cs) % 8) % 8
        padded = cs.ljust(padded_len, b'\x00')
        # Padded length is a multiple of 8, so stepping by 4 yields word pairs.
        return [int.from_bytes(padded[off:off + 4], 'little')
                for off in range(0, padded_len, 4)]

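def check(instr: str, checklist: list) -> int:
    """Encrypt ``instr`` and report whether the ciphertext starts with ``checklist``.

    Args:
        instr: candidate flag body; its character count must be a multiple of 8
            (the check counts characters, not encoded bytes).
        checklist: expected 32-bit ciphertext words.

    Returns:
        1 when every word of ``checklist`` equals the corresponding encrypted
        word, 0 otherwise.

    Raises:
        SystemExit: with code 1 after printing "Incorrect format." when the
            length check fails.
    """
    if len(instr) % 8:
        print("Incorrect format.")
        # Builtin form of what the site-provided exit() raises; also works
        # when site is disabled (python -S).
        raise SystemExit(1)
    c = chiper()
    v = c.bytes2ints(instr.encode())
    output = list(c.e(len(v), v))
    # Prefix comparison: a shorter output can never match a longer checklist.
    return 1 if output[:len(checklist)] == list(checklist) else 0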

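if __name__ == "__main__":
    # Expected ciphertext words; check() compares them against the prefix of
    # the encrypted input.
    ans = [1374278842, 2136006540, 4191056815, 3248881376]
    flag = input('Please input flag:')
    if check(flag, ans):
        print("Congratulations, you've got the flag!")
        print("Flag is *ctf{your_input}!")
        # Builtin equivalent of exit(0); does not depend on the site module.
        raise SystemExit(0)
    print('Nope,try again!')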

法二:vscode动调

打开vscode,创建文件1.PS1

复制完就一行,很长

打个断点

运行,在local板块找到变量${@*}

因为变量的值有两段,中间用 ; 分隔:第一段是真的,第二段是假的

所以下断运行,得到的是第一段的结果(真的)

然后cv结果,即可得到python源代码

image-20230730112904408

解密:

魔改xxtea

写脚本解密

Exp

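#define _CRT_SECURE_NO_WARNINGS 1
#include<stdio.h>
#include<stdint.h>
/* Round constant of the modified cipher (reference XXTEA uses 0x9E3779B9). */
#define DELTA 0x87654321
/* Mixing step; shift amounts 6/4/2/5 are the challenge's change from the
 * reference 5/2/3/4. Expands in place and needs y, z, sum, key, p and e
 * to be in scope at the point of use. */
#define MX (((z>>6^y<<4) + (y>>2^z<<5)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

using namespace std;

/* Ciphertext words, taken from the checker's `ans` list; typed uint32_t to
 * match the xxtea() parameters instead of relying on unsigned int == uint32_t. */
uint32_t cipher[4] = { 1374278842, 2136006540, 4191056815, 3248881376 };
/* Fixed 128-bit key, taken from the checker's chiper.__init__. */
uint32_t key[4] = { 0x67452301,0xefcdab89,0x98badcfe, 0x10325476 };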

void xxtea(uint32_t* v, int n, uint32_t const key[4])
{
    /* Decrypt the |n|-word block v in place. Only the decryption direction
     * is implemented: n must be negative with at least two words (n <= -2),
     * following the btea convention; anything else is a no-op. The MX macro
     * reads y, z, sum, key, p and e, so those names are fixed. */
    uint32_t y, z, sum;
    unsigned p, rounds, e;

    if (n >= -1)
        return;

    n = -n;
    rounds = 6 + 52 / n;
    /* Start from the sum the encryptor ended with and walk it back. */
    sum = rounds * DELTA;
    y = v[0];
    for (; rounds > 0; rounds--)
    {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--)
        {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        /* First word uses the last word as its left neighbour. */
        z = v[n - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    }
}

int main()
{
    /* Negative n selects decryption of the four ciphertext words in place. */
    xxtea(cipher, -4, key);

    /* Dump the plaintext byte by byte in memory order as hex. */
    for (int i = 0; i < 4; i++)
    {
        const unsigned char *b = (const unsigned char *)&cipher[i];
        printf("0x%x,0x%x,0x%x,0x%x,", b[0], b[1], b[2], b[3]);
    }
    printf("\n");

    /* Presumably the bytes captured from a previous run of the dump above,
     * echoed as text. */
    static const int Dec[] =
    {
        0x79,0x4f,0x55,0x61,0x72,0x33,0x67,0x30,0x6f,0x44,0x40,0x74,0x50,0x77,0x35,0x48
    };
    for (int i = 0; i < 16; i++)
        putchar(Dec[i]);

    return 0;
}

old language

谷歌识图

image-20230730120841036

dovahkiin字体

逐个对照即可

image-20230730120941846

snippingTools

Google搜索 github CVE-2023-28303

搜出个工具

image-20230730121141684

安装好 上传图片 即可得解

image-20230730121515815