前言

题目质量不错

打穿逆向区跟杂项区(bushi)

累死了,我靠,比赛刚结束就得赶高铁去青岛,在高铁上写Wp,我的天,要晕过去的节奏

嗨嗨嗨 Orz

Rev

RE1 - tls/小花指令/RC4

主要是RC4加密有个tls,不用管

image-20231206162912166

主要RC4的call在这儿

这儿应该算是花指令的一种吧

image-20231206162953066

unk_473040是RC4函数的地址

在该地址按c键把数据转换成代码即可

image-20231206163019542

image-20231206163044222

image-20231206163057446

#include <stdio.h>
#include <iostream>

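/**
 * In-place byte transform recovered from the challenge binary.
 *
 * The write-up labels it RC4, but only the swap-based mixing of a 256-entry
 * table resembles RC4; there is no separate key and no PRGA step.
 *
 * a1[0] is never modified. For every j in [1, a2) the table is re-mixed with
 * a1[j - 1] as the only key byte, a one-byte mask is folded from the even
 * table slots, and the mask is XORed into a1[j]. Because the buffer is
 * updated in place, a1[j - 1] has already been transformed when it is read
 * for j >= 2, so the chain runs over the OUTPUT bytes.
 *
 * Security note: every value that feeds the mask is present in the output
 * buffer itself, so this gives obfuscation only, not confidentiality. Anyone
 * holding the output can replay the table state and undo it.
 *
 * `long long` / `unsigned char` are the standard spellings of the MSVC-only
 * `__int64` / `unsigned __int8` used by the decompiler output, so callers
 * built with MSVC see the same types.
 *
 * @param a1 buffer to transform in place (NULL is tolerated and ignored)
 * @param a2 number of bytes in a1; values below 2 leave the buffer untouched
 * @return always 0
 */
long long RC4_encode(unsigned char *a1, int a2)
{
    unsigned char sbox[256];
    int mix = 0; /* running swap index; carried across all bytes */

    /* Nothing to transform: avoids reading *a1 for an empty or NULL buffer. */
    if (a1 == NULL || a2 < 2)
        return 0;

    for (int i = 0; i < 256; ++i)
        sbox[i] = (unsigned char)i;

    for (int j = 1; j < a2; ++j) {
        /* Single key byte: the previous, already transformed, buffer byte. */
        const int key = a1[j - 1];

        /* Mix the table; the table and `mix` are NOT reset between bytes. */
        for (int i = 0; i < 256; ++i) {
            mix = (key + mix + sbox[i]) % 256;
            unsigned char tmp = sbox[mix];
            sbox[mix] = sbox[i];
            sbox[i] = tmp;
        }

        /*
         * Fold the even slots into one mask byte. An unsigned accumulator
         * keeps the low 8 bits without relying on signed-char narrowing.
         */
        unsigned char mask = 0;
        for (int i = 0; i < 256; i += 2) {
            mask = (unsigned char)(mask + sbox[i]);
            mask ^= (unsigned char)key;
        }

        a1[j] ^= mask;
    }
    return 0;
}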

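/**
 * Inverse of RC4_encode: recovers the original bytes in place.
 *
 * RC4_encode keys the table mix for byte j on the already transformed byte
 * j - 1, i.e. on the ciphertext. The earlier body of this function was a
 * copy of the encoder, so from j = 2 onward it keyed on the byte it had just
 * decrypted and produced a different mask sequence. The previous ciphertext
 * byte is now saved before it is overwritten, so the table evolves exactly
 * as it did during encoding.
 *
 * Security note: no secret is needed to run this. The first byte is stored
 * unmodified and every later mask depends only on earlier ciphertext bytes,
 * so the scheme is obfuscation rather than encryption.
 *
 * Each mask byte is also printed, as in the original analysis helper.
 *
 * `long long` / `unsigned char` are the standard spellings of the MSVC-only
 * `__int64` / `unsigned __int8`, so callers built with MSVC see the same types.
 *
 * @param a1 ciphertext buffer, replaced by the plaintext (NULL is ignored)
 * @param a2 number of bytes in a1; values below 2 leave the buffer untouched
 * @return always 0
 */
long long RC4_decode(unsigned char *a1, int a2)
{
    unsigned char sbox[256];
    unsigned char prev_cipher;
    int mix = 0; /* running swap index; carried across all bytes */

    /* Nothing to transform: avoids reading *a1 for an empty or NULL buffer. */
    if (a1 == NULL || a2 < 2)
        return 0;

    for (int i = 0; i < 256; ++i)
        sbox[i] = (unsigned char)i;

    /* Byte 0 is never transformed, so it is both plaintext and ciphertext. */
    prev_cipher = a1[0];

    for (int j = 1; j < a2; ++j) {
        /* Key on the previous CIPHERTEXT byte, as the encoder did. */
        const int key = prev_cipher;

        /* Shuffle the table; state is not reset between bytes. */
        for (int i = 0; i < 256; ++i) {
            mix = (key + mix + sbox[i]) % 256;
            unsigned char tmp = sbox[mix];
            sbox[mix] = sbox[i];
            sbox[i] = tmp;
        }

        /* Fold the even slots into the one-byte mask. */
        unsigned char mask = 0;
        for (int i = 0; i < 256; i += 2) {
            mask = (unsigned char)(mask + sbox[i]);
            mask ^= (unsigned char)key;
        }

        printf("秘钥流: 0x%x\n", (unsigned int)mask);

        /* Remember the ciphertext byte before it is overwritten. */
        prev_cipher = a1[j];
        a1[j] ^= mask;
    }
    return 0;
}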

/*
 * Scratch driver from the write-up: runs the encoder over a sample buffer,
 * then prints the recovered flag body first as hex bytes and then as text.
 */
int main()
{
    /*
     * 37-byte sample buffer; only its first 32 bytes are handed to the
     * encoder, and the transformed bytes are never printed.
     * NOTE(review): the origin of these bytes is not stated on the page.
     */
    unsigned char a1[] =
    {
        0x31, 0x5D, 0x00, 0x97, 0x70, 0xCA, 0x80, 0x42, 0x47, 0xA8,
        0xA1, 0x56, 0x19, 0x2F, 0x2E, 0xD9, 0x48, 0x36, 0x03, 0x52,
        0x03, 0xB2, 0x63, 0x42, 0x5B, 0xD8, 0x32, 0x07, 0x73, 0x6E,
        0x88, 0xF5, 0x0D, 0xF0, 0xAD, 0xBA, 0x0D
    };
    RC4_encode(a1, 32);

    /* ASCII bytes of the flag body "ca1acd0c7d7111eeaf0296085339ce83". */
    unsigned char crypto_flag[] =
    {
        0x63, 0x61, 0x31, 0x61, 0x63, 0x64, 0x30, 0x63, 0x37, 0x64,
        0x37, 0x31, 0x31, 0x31, 0x65, 0x65, 0x61, 0x66, 0x30, 0x32,
        0x39, 0x36, 0x30, 0x38, 0x35, 0x33, 0x33, 0x39, 0x63, 0x65,
        0x38, 0x33
    };

    /*
     * Not referenced below.
     * NOTE(review): presumably the comparison target taken from the binary;
     * confirm against the challenge.
     */
    unsigned char crypto[] =
    {
        0x31, 0x32, 0xbd, 0x54, 0xa3, 0x8c, 0x75, 0xd2, 0x17, 0x6c,
        0xd4, 0xc2, 0xf, 0x75, 0x1, 0x28, 0xe, 0xe3, 0x14, 0x38,
        0x98, 0xcd, 0x53, 0x3b, 0x29, 0xad, 0xb2, 0x0, 0x4c, 0x0,
        0xa8, 0x6b
    };
    (void)crypto;

    /* The decode call stays disabled, as in the original scratch file. */
    const size_t count = 32;
    const unsigned char *const end = crypto_flag + count;

    /* Hex dump, comma separated, on one line. */
    for (const unsigned char *cur = crypto_flag; cur != end; ++cur)
    {
        printf("0x%x,", *cur);
    }
    printf("\n");

    /* Same bytes rendered as characters. */
    for (const unsigned char *cur = crypto_flag; cur != end; ++cur)
    {
        printf("%c", *cur);
    }
    return 0;
}

image-20231206163136721

flag{ca1acd0c7d7111eeaf0296085339ce83}

Android -SM4/so动调

发现是SM4标准加密

img

包名

com.moible.midand

so名

lib midand

寻找方法:

readResourceFileBytes

img

要解密的密文:

73 1e 13 3e f7 6a 5c d1 ef 96 26 a9 94 7c f4 a4 6c e2 37 b7 d 49 5 e9 21 e3 5e 2e 7d 7a 1a 74

这是两串密钥,分别用来解密

C4 83 84 72 B8 E1 60 BA 5D 99 5A 6B E3 67 40 17

7C 3F 33 21 91 1C FA 54 8F 35 30 73 DD 2B 80 A7

分别解密(解密两次)

两部分的flag

image-20231206163929564

image-20231206163943947

flag{fad1c7e27ec411eebe3a3e4419a1b3cc}

MISC

来都来了 - 伪加密

zip伪加密:使用 java -jar ZipCenOp.jar r 压缩包 还原

打开后得到的字符串用base64解码

image-20231206163249023

芙宁娜 - pyc隐写=stegosaurus

图片上的base64解码后,得到的flag还差最后5位

ZmxhZ3tiYzgzOTRhYS03ZTMyLTQ3ZTgtYTlmZC0xYmY2ODNhZg==

flag{bc8394aa-7e32-47e8-a9fd-1bf683af

用010 Editor可以找到图片下方被盖住的16进制数据,再做hex->string转换

image-20231206163350007

发现可能是python代码,将所有16进制数据取出来重组成pyc文件,再用stegosaurus-master提取pyc隐写内容,得出剩下的几位

8e8f}

flag{bc8394aa-7e32-47e8-a9fd-1bf683af8e8f}

honor - steghide隐写

binwalk发现藏了张jpg图片

foremost 分离出来

image-20231206163448985

steghide隐写

stegseek暴破密码

解题步骤如下

image-20231206163507103

image-20231206163521405

解出来 工具梭

fence密码

image-20231206163538316

flag{c58496-706a3-4e-6cb7e6l6cbc2e4700693a}

Crypto

hakiehs

塞尔达传说(Pi)

塞尔达文字

席卡古文

格鲁德文

海利亚文

image-20231206163646781

image-20231206163657748

image-20231206163709160

flag{linkzeldaganon}

我看看谁还不会RSA

RSA =.=

image-20231206163751601

import gmpy2
import binascii

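# Challenge parameters as listed in the write-up: the given value c, the
# public exponent e and the two prime factors p and q of the modulus.
c = 8232151627233115772131180151146951323147507324390914513031444555762539986162650
e = 37777
p = 8666789885346075954502743436174521501697
q = 2449101960789395782044494299423558347143

# NOTE(review): textbook RSA decryption would raise c to the private exponent
# d = e^-1 mod (p-1)(q-1). This script raises c to e instead, and the page
# reports that this yields the flag, which suggests the challenge value was
# produced with the private exponent. Confirm against the challenge source.
n = p * q

# Built-in three-argument pow() is exact modular exponentiation, so the
# result matches gmpy2.powmod without needing the extra package.
m = pow(c, e, n)

# int.to_bytes keeps a leading zero nibble; unhexlify(hex(m)[2:]) raises on
# an odd number of hex digits.
plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(plaintext)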

b'flag{r5a_Who_w0nt}'