d3ctf RE复现 WP
所有题目都是复现
d3mug
音游题目 根据逻辑来说可能是全点中了会有flag 但是谱太长太快
简单分析是个unity游戏
逻辑部分都在so
Il2CppDumper
https://github.com/Perfare/Il2CppDumper/releases/tag/v6.7.8
选择libil2cpp.so 和 global-metadata.dat 导出目录即可
可以解出unity的符号表 用里面的两个脚本可以给ida用
重点分析 libil2cpp.so
根据音游常识 点击的块叫note 我们直接搜 可以看到相关hit和miss的函数()
感觉没啥用
搜索字符串 ctf flag d3ctf d3等
定位到d3mug字符串处
X来到GameManager__update函数
通过sub_5609A4里面的字符串 
猜测应该是执行libd3mug.so文件的函数updata 其中又调用了run函数
而ScoreScene__get 调用了libd3mug.so文件的函数get 是最后显示flag的函数
简单分析libd3mug.so可以知道run函数就是解密flag函数
现在寻找run函数参数是哪个
X GameManager__update
找到GameManager__NoteHit 发现每次击中都调用updata函数 传入击中时间
所以我们可以看看这个note的生成算法 生成的时间和perfect的击中时间是一样的
从GameManager__ loadBeatmap_d __ 8 __MoveNext里面找到读取了hitpoint资源
使用AssetStudio导出hitpoint chromevox的(
易知第一个参数是note位置 第二个应该是时间了
然后用frida调用脚本
(frida可以手动下安装包 再pip安装 再把frida-server push进去 用su运行)
(frida-ps -Uai 查看进程 再把pid填到脚本里)
import frida
import sys
jscode = """
console.log("111");
var trueValue =[0, 0, 0, 146, 292, 292, 439, 512, 585, 585, 658, 731, 804, 878, 1024, 1170, 1170, 1317, 1463, 1463, 1609, 1682, 1756, 1756, 1902, 2048, 2195, 2341, 2341, 2487, 2634, 2634, 2780, 2853, 2926, 2926, 3073, 3146, 3219, 3219, 3365, 3439, 3512, 3512, 3658, 3804, 3878, 3951, 4024, 4097, 4097, 4243, 4390, 4682, 4682, 4682, 4829, 4975, 4975, 5121, 5195, 5268, 5341, 5414, 5487, 5560, 5560, 5853, 5853, 5999, 6146, 6146, 6292, 6365, 6439, 6439, 6585, 6731, 6731, 6731, 7024, 7024, 7170, 7317, 7317, 7463, 7536, 7609, 7609, 7682, 7756, 7829, 7902, 7902, 7975, 8048, 8121, 8195, 8341, 8487, 8634, 8780, 9073, 9073, 9073, 9219, 9365, 9365, 9512, 9658, 9658, 9804, 9878, 9951, 9951, 10097, 10243, 10243, 10243, 10390, 10463, 10536, 10536, 10682, 10829, 10829, 10975, 11121, 11121, 11268, 11414, 11414, 11560, 11707, 11707, 11853, 11999, 11999, 11999, 12146, 12292, 12292, 12439, 12439, 12585, 12585, 12585, 12731, 12878, 12951, 13024, 13097, 13170, 13170, 13317, 13463, 13463, 13463, 13609, 13756, 13756, 13756, 13902, 14048, 14048, 14195, 14341, 14487, 14634, 14634, 14926, 14926, 14926, 15219, 15219, 15219, 15365, 15365, 15512, 15512, 15658, 15804, 15804, 15951, 16024, 16097, 16097, 16170, 16243, 16317, 16390, 16390, 16536, 16682, 16682, 16829, 16902, 16975, 16975, 17121, 17268, 17268, 17268, 17414, 17560, 17634, 17707, 17780, 17853, 17926, 17999, 18073, 18146, 18146, 18292, 18439, 18439, 18731, 18731, 18731, 18878, 19024, 19024, 19024, 19170, 19243, 19317, 19463, 19609, 19609, 19609, 19756, 19829, 19902, 20048, 20195, 20195, 20341, 20487, 20487, 20634, 20780, 20780, 20926, 21073, 21073, 21219, 21365, 21365, 21365, 21512, 21585, 21658, 21658, 21804, 21951, 21951, 21951, 22097, 22243, 22317, 22390, 22463, 22536, 22536, 22609, 22682, 22756, 22829, 22829, 22975, 23121, 23121, 23268, 23414, 23560, 23707, 23780, 23853, 23926, 23999, 23999, 24073, 24146, 24219, 24292, 24365, 24439, 24512, 24585, 24585, 24731, 24731, 24878, 24878, 24878, 25024, 25170, 25170, 25317, 25390, 25463, 25463, 25609, 25756, 25756, 25756, 25902, 25902, 26048, 26048, 26195, 26195, 26341, 26341, 26414, 26487, 26487, 26560, 26634, 26634, 26780, 26780, 26926, 27219, 27512, 27585, 27658, 27731, 27804, 27804, 28097, 28097, 28390, 28682, 28682, 28975, 29268, 29268, 29560, 29560, 29853, 29853, 30146, 30439, 30439, 30731, 31024, 31024, 31317, 31609, 31609, 31902, 32195, 32195, 32487, 32780, 32780, 32780, 33365, 33365, 33365, 33951, 33951, 34243, 34536, 34536, 34829, 35121, 35121, 35414, 35707, 35707, 35707, 35999, 36292, 36585, 36878, 36878, 37024, 37024, 37170, 37170, 37463, 37463, 37463, 37609, 37756, 37756, 37902, 38048, 38048, 38195, 38341, 38341, 38487, 38634, 38634, 38780, 38926, 39073, 39219, 39365, 39512, 39658, 39804, 39804, 39951, 40097, 40097, 40243, 40390, 40390, 40536, 40682, 40829, 40975, 40975, 41121, 41268, 41414, 41560, 41707, 41853, 41999, 42146, 42146, 42292, 42292, 42439, 42585, 42731, 42731, 42878, 42878, 43024, 43170, 43317, 43317, 43463, 43463, 43609, 43609, 43682, 43756, 43756, 43829, 43902, 43902, 44048, 44048, 44195, 44195, 44341, 44341, 44487, 44560, 44634, 44707, 44780, 44853, 44926, 44999, 45073, 45146, 45219, 45292, 45365, 45439, 45512, 45585, 45658, 45658, 45804, 45951, 45951, 46097, 46243, 46243, 46536, 46536, 46536, 46829, 46829, 46902, 46975, 47121, 47121, 47268, 47414, 47414, 47560, 47634, 47707, 47707, 47853, 47926, 47999, 47999, 48146, 48292, 48292, 48439, 48585, 48585, 48731, 48878, 48878, 49024, 49170, 49170, 49243, 49317, 49463, 49463, 49609, 49756, 49756, 49902, 49975, 50048, 50048, 50121, 50195, 50268, 50341, 50341, 50487, 50487, 50707, 50707, 50926, 50926, 51073, 51219, 51365, 51512, 51512, 51585, 51658, 51804, 51804, 51951, 52097, 52097, 52170, 52243, 52317, 52390, 52390, 52536, 52609, 52682, 52682, 52829, 52975, 52975, 53121, 53268, 53268, 53414, 53560, 53560, 53707, 53853, 53853, 53926, 53999, 54073, 54146, 54146, 54219, 54292, 54365, 54439, 54439, 54512, 54585, 54658, 54731, 54731, 54878, 54878, 55024, 55024, 55024, 55317, 55317, 55317, 55609, 55609, 55609, 55902, 55902, 55902, 56195, 56268, 56341, 56487, 56487, 56634, 56780, 56780, 56926, 56999, 57073, 57073, 57219, 57292, 57365, 57365, 57512, 57658, 57658, 57804, 57951, 57951, 58097, 58243, 58243, 58390, 58536, 58536, 58609, 58682, 58829, 58829, 58975, 59121, 59121, 59268, 59341, 59414, 59414, 59560, 59634, 59707, 59707, 59853, 59926, 59999, 59999, 60073, 60292, 60292, 60439, 60585, 60585, 60731, 60878, 60878, 60951, 61024, 61024, 61170, 61170, 61317, 61317, 61463, 61463, 61463, 61536, 61609, 61609, 61756, 61756, 61902, 61902, 62048, 62048, 62048, 62121, 62195, 62195, 62341, 62341, 62414, 62487, 62560, 62634, 62634, 62780, 62780, 62926, 62926, 63073, 63073, 63219, 63219, 63292, 63365, 63439, 63512, 63512, 63585, 63658, 63731, 63804, 63804, 63878, 63951, 64024, 64097, 64097, 64170, 64243, 64317, 64390, 64390, 64536, 64536, 64609, 64682, 64829, 64975, 65121, 65268, 65414, 65560, 65560, 65707, 65853, 65999, 66146, 66146, 66439, 66585, 66878, 67170, 67317, 67317, 67609, 67902, 68048, 68195, 68341, 68487, 68487, 68780, 68926, 69073, 69219, 69365, 69512, 69658, 69658, 69804, 69951, 70243, 70390, 70536, 70682, 70829, 70829, 71121, 71268, 71560, 71853, 71999, 71999, 72292, 72585, 72731, 72878, 73024, 73170, 73317, 73463, 73609, 73609, 73756, 73975, 74195, 74341, 74341, 74634, 74707, 74780, 74926, 74926, 75073, 75073, 75219, 75219, 75219, 75365, 75512, 75512, 75658, 75658, 75804, 75804, 75804, 75951, 76097, 76097, 76390, 76390, 76390, 76536, 76682, 76682, 76829, 76829, 76975, 76975, 76975, 77268, 77268, 77414, 77560, 77560, 77561, 77707, 77853, 77853, 77999, 77999, 78146, 78146, 78146, 78292, 78439, 78439, 78731, 78732, 78732, 78878, 79024, 79024, 79170, 79171, 79317, 79317, 79463, 79609, 79609, 79756, 79902, 79902, 80048, 80195, 80341, 80341, 80487, 80487, 80634, 80780, 80780, 80926, 80926, 81073, 81073, 81073, 81219, 81365, 81512, 81512, 81658, 81658, 81658, 81951, 81951, 81951, 82097, 82243, 82243, 82390, 82536, 82682, 82682, 82829, 82829, 82829, 82975, 83121, 83121, 83268, 83414, 83414, 83560, 83707, 83853, 83853, 83999, 83999, 83999, 84292, 84292, 84365, 84439, 84512, 84585, 84585, 84731, 84804, 84878, 84878, 84951, 85024, 85097, 85170, 85170, 85317, 85390, 85463, 85463, 85536, 85609, 85682, 85756, 85756, 85829, 85902, 85975, 86048, 86048, 86121, 86195, 86268, 86341, 86341, 86487, 86634, 86634, 86707, 86780, 86853, 86926, 86926, 87073, 87146, 87219, 87219, 87292, 87365, 87439, 87512, 87512, 87658, 87804, 87804, 87878, 87951, 88024, 88097, 88097, 88170, 88243, 88317, 88390, 88390, 88536, 88609, 88682, 88682, 88829, 88975, 88975, 89121, 89121, 89268, 89268, 89414, 89414, 89560, 89560, 89707, 89707, 89853, 89853, 89999, 89999, 90146, 90146, 90292, 90292, 90439, 90439, 90585, 90585, 90731, 90731, 90878, 90878, 91024, 91024, 91170, 91170, 91317, 91317, 91390, 91463, 91536, 91609, 91682, 91756, 91829, 91902, 91975, 92048, 92121, 92195, 92268, 92341, 92634, 92780, 92926, 93219, 93365, 93365, 93365, 93365, 93658, 93658, 93804, 93878, 93951, 93951, 94097, 94243, 94317, 94390, 94463, 94536, 94536, 94682, 94829, 94829, 94975, 95121, 95121, 95268, 95414, 95487, 95560, 95634, 95707, 95707, 95853, 95853, 95999, 95999, 96146, 96292, 96292, 96292, 96439, 96585, 96585, 96658, 96731, 96804, 96878, 96878, 97024, 97170, 97170, 97317, 97390, 97463, 97463, 97609, 97756, 97756, 97829, 97902, 98048, 98048, 98048, 98195, 98341, 98341, 98487, 98560, 98634, 98634, 98780, 98926, 98926, 99073, 99219, 99219, 99365, 99512, 99512, 99658, 99804, 99804, 99951, 100097, 100170, 100243, 100317, 100390, 100390, 100536, 100682, 100682, 100829, 100975, 100975, 100975, 101121, 101268, 101268, 101341, 101414, 101487, 101560, 101560, 101707, 101853, 101853, 101926, 101999, 102073, 102146, 102146, 102292, 102439, 102439, 102439, 102585, 102658, 102731, 102731, 102878, 103024, 103024, 103024, 103170, 103243, 103317, 103317, 103317, 103463, 103609, 103682, 103756, 103829, 103902, 103902, 104048, 104195, 104195, 104341, 104487, 104487, 104487, 104634, 104780, 104853, 104926, 104999, 105073, 105073, 105219, 105365, 105365, 105512, 105658, 105658, 105658, 105804, 105951, 105951, 106097, 106170, 106243, 106243, 106317, 106390, 106536, 106536, 106682, 106756, 106829, 106829, 106829, 106975, 107121, 107121, 107268, 107268, 107414, 107414, 107414, 107560, 107707, 107707, 107707, 107853, 107999, 107999, 107999, 108146, 108292, 108292, 108439, 108585, 108585, 108731, 108878, 108878, 108878, 109024, 109170, 109170, 109317, 109463, 109463, 109536, 109609, 109682, 109756, 109756, 109902, 110048, 110048, 110048, 110195, 110195, 110341, 110341, 110341, 110487, 110487, 110634, 110634, 110634, 110780, 110780, 110926, 110926, 110926, 111073, 111073, 111219, 111219, 111219, 111365, 111512, 111658, 111731, 111804, 111878, 111951, 112024, 112097, 112097, 112097, 112390, 112390, 112536, 112682, 112682, 112682, 112829, 112975, 112975, 113121, 113268, 113268, 113414, 113560, 113560, 113707, 113853, 113853, 113999, 114146, 114219, 114292, 114365, 114439, 114439, 114585, 114731, 114731, 114878, 115024, 115024, 115024, 115170, 115317, 115317, 115463, 115536, 115609, 115609, 115756, 115902, 115902, 115975, 116048, 116121, 116195, 116195, 116268, 116341, 116414, 116487, 116487, 116560, 116634, 116707, 116780, 116780, 116926, 117073, 117073, 117219, 117365, 117365, 117512, 117658, 117658, 117804, 117878, 117951, 117951, 118097, 118243, 118243, 118390, 118536, 118536, 118682, 118829, 118902, 118975, 119048, 119121, 119121, 119268, 119414, 119414, 119560, 119707, 119707, 119853, 119999, 119999, 120146, 120292, 120292, 120439, 120439, 120731, 121024, 121170, 121463, 121536, 121609, 121682, 121756, 121756, 121756, 121902, 122048, 122048, 122048, 122195, 122341, 122341, 122341, 122487, 122560, 122634, 122634, 122634, 122780, 122926, 122926, 122926, 123073, 123219, 123219, 123219, 123365, 123512, 123512, 123512, 123585, 123658, 123731, 123804, 123804, 123804, 123951, 124097, 124097, 124097, 124243, 124390, 124390, 124390, 124536, 124682, 124682, 124682, 124829, 124975, 124975, 124975, 125121, 125268, 125268, 125268, 125414, 125487, 125560, 125560, 125560, 125707, 125853, 125853, 125853, 125999, 126146, 126146, 126146, 126292, 126439, 126439, 126439, 126585, 126585, 126731, 126731, 126878, 126878, 127024, 127024, 127024, 127170, 127170, 127317, 127317, 127463, 127463, 127609, 127609, 127609, 127756, 127756, 127902, 127902, 128048, 128048, 128195, 128195, 128268, 128341, 128341, 128414, 128487, 128487, 128560, 128634, 128707, 128780, 128780, 128853, 128926, 128999, 129073, 129146, 129219, 129292, 129365, 129365, 129439, 129512, 129585, 129658, 129731, 129804, 129878, 129951, 129951, 130024, 130097, 130170, 130243, 130243, 130317, 130390, 130463, 130536, 130536, 130682, 130756, 130829, 130829, 130829, 130975, 130975, 131121, 131195, 131268, 131341, 131560, 131707, 131707, 131780, 131853, 131926, 132146, 132292, 132365, 132439, 132512, 132731, 132878, 132878, 132951, 133024, 133097, 133463, 133463, 133756, 134048, 134048, 134048, 134341, 134634, 134634, 134926, 134926, 135219, 135219, 135219, 135512, 135512, 135658, 135658, 135804, 135804, 135951, 135951, 136097, 136097, 136243, 136243, 136390, 136390, 136536, 136536, 136609, 136682, 136682, 136829, 136829, 136902, 136975, 136975, 137121, 137121, 137268, 137268, 137414, 137414, 137560, 137560, 137707, 137707, 137780, 137853, 137926, 137999, 137999, 138073, 138146, 138146, 138219, 138292, 138365, 138439, 138439, 138512, 138585, 138658, 138731, 138731, 138804, 138878, 138951, 139024, 139024, 139097, 139170, 139243, 139317, 139317, 139463, 139463, 139609, 139609, 139756, 139756, 139902, 139902, 140195, 140195, 140195, 140195]
var UpdatePtr = new NativeFunction(Module.findExportByName("libd3mug.so", "update"), 'void', ['int'])
for (var i = 0; i < trueValue.length; i++)
{ UpdatePtr(trueValue[i]) }
var GetFlag = new NativeFunction(Module.findExportByName("libd3mug.so", "get"), 'pointer', []);
var result = GetFlag();
console.log(ptr(result));
console.log(hexdump(result, { length: 32 }));
"""
def printMessage(message,data):
if message['type'] == 'send':
print(' {0}'.format(message['payload']))
else:
print(message)
process = frida.get_usb_device(timeout=1000).attach(25519) //pid 不知道为什么用应用名和包名attach不上
script = process.create_script(jscode)
script.on('message',printMessage)
script.load()
sys.stdin.read()
console.log("111");
var trueValue =[0, 0, 0, 146, 292, 292, 439, 512, 585, 585, 658, 731, 804, 878, 1024, 1170, 1170, 1317, 1463, 1463, 1609, 1682, 1756, 1756, 1902, 2048, 2195, 2341, 2341, 2487, 2634, 2634, 2780, 2853, 2926, 2926, 3073, 3146, 3219, 3219, 3365, 3439, 3512, 3512, 3658, 3804, 3878, 3951, 4024, 4097, 4097, 4243, 4390, 4682, 4682, 4682, 4829, 4975, 4975, 5121, 5195, 5268, 5341, 5414, 5487, 5560, 5560, 5853, 5853, 5999, 6146, 6146, 6292, 6365, 6439, 6439, 6585, 6731, 6731, 6731, 7024, 7024, 7170, 7317, 7317, 7463, 7536, 7609, 7609, 7682, 7756, 7829, 7902, 7902, 7975, 8048, 8121, 8195, 8341, 8487, 8634, 8780, 9073, 9073, 9073, 9219, 9365, 9365, 9512, 9658, 9658, 9804, 9878, 9951, 9951, 10097, 10243, 10243, 10243, 10390, 10463, 10536, 10536, 10682, 10829, 10829, 10975, 11121, 11121, 11268, 11414, 11414, 11560, 11707, 11707, 11853, 11999, 11999, 11999, 12146, 12292, 12292, 12439, 12439, 12585, 12585, 12585, 12731, 12878, 12951, 13024, 13097, 13170, 13170, 13317, 13463, 13463, 13463, 13609, 13756, 13756, 13756, 13902, 14048, 14048, 14195, 14341, 14487, 14634, 14634, 14926, 14926, 14926, 15219, 15219, 15219, 15365, 15365, 15512, 15512, 15658, 15804, 15804, 15951, 16024, 16097, 16097, 16170, 16243, 16317, 16390, 16390, 16536, 16682, 16682, 16829, 16902, 16975, 16975, 17121, 17268, 17268, 17268, 17414, 17560, 17634, 17707, 17780, 17853, 17926, 17999, 18073, 18146, 18146, 18292, 18439, 18439, 18731, 18731, 18731, 18878, 19024, 19024, 19024, 19170, 19243, 19317, 19463, 19609, 19609, 19609, 19756, 19829, 19902, 20048, 20195, 20195, 20341, 20487, 20487, 20634, 20780, 20780, 20926, 21073, 21073, 21219, 21365, 21365, 21365, 21512, 21585, 21658, 21658, 21804, 21951, 21951, 21951, 22097, 22243, 22317, 22390, 22463, 22536, 22536, 22609, 22682, 22756, 22829, 22829, 22975, 23121, 23121, 23268, 23414, 23560, 23707, 23780, 23853, 23926, 23999, 23999, 24073, 24146, 24219, 24292, 24365, 24439, 24512, 24585, 24585, 24731, 24731, 24878, 24878, 24878, 25024, 25170, 25170, 25317, 25390, 25463, 25463, 25609, 25756, 25756, 25756, 25902, 25902, 26048, 26048, 26195, 26195, 26341, 26341, 26414, 26487, 26487, 26560, 26634, 26634, 26780, 26780, 26926, 27219, 27512, 27585, 27658, 27731, 27804, 27804, 28097, 28097, 28390, 28682, 28682, 28975, 29268, 29268, 29560, 29560, 29853, 29853, 30146, 30439, 30439, 30731, 31024, 31024, 31317, 31609, 31609, 31902, 32195, 32195, 32487, 32780, 32780, 32780, 33365, 33365, 33365, 33951, 33951, 34243, 34536, 34536, 34829, 35121, 35121, 35414, 35707, 35707, 35707, 35999, 36292, 36585, 36878, 36878, 37024, 37024, 37170, 37170, 37463, 37463, 37463, 37609, 37756, 37756, 37902, 38048, 38048, 38195, 38341, 38341, 38487, 38634, 38634, 38780, 38926, 39073, 39219, 39365, 39512, 39658, 39804, 39804, 39951, 40097, 40097, 40243, 40390, 40390, 40536, 40682, 40829, 40975, 40975, 41121, 41268, 41414, 41560, 41707, 41853, 41999, 42146, 42146, 42292, 42292, 42439, 42585, 42731, 42731, 42878, 42878, 43024, 43170, 43317, 43317, 43463, 43463, 43609, 43609, 43682, 43756, 43756, 43829, 43902, 43902, 44048, 44048, 44195, 44195, 44341, 44341, 44487, 44560, 44634, 44707, 44780, 44853, 44926, 44999, 45073, 45146, 45219, 45292, 45365, 45439, 45512, 45585, 45658, 45658, 45804, 45951, 45951, 46097, 46243, 46243, 46536, 46536, 46536, 46829, 46829, 46902, 46975, 47121, 47121, 47268, 47414, 47414, 47560, 47634, 47707, 47707, 47853, 47926, 47999, 47999, 48146, 48292, 48292, 48439, 48585, 48585, 48731, 48878, 48878, 49024, 49170, 49170, 49243, 49317, 49463, 49463, 49609, 49756, 49756, 49902, 49975, 50048, 50048, 50121, 50195, 50268, 50341, 50341, 50487, 50487, 50707, 50707, 50926, 50926, 51073, 51219, 51365, 51512, 51512, 51585, 51658, 51804, 51804, 51951, 52097, 52097, 52170, 52243, 52317, 52390, 52390, 52536, 52609, 52682, 52682, 52829, 52975, 52975, 53121, 53268, 53268, 53414, 53560, 53560, 53707, 53853, 53853, 53926, 53999, 54073, 54146, 54146, 54219, 54292, 54365, 54439, 54439, 54512, 54585, 54658, 54731, 54731, 54878, 54878, 55024, 55024, 55024, 55317, 55317, 55317, 55609, 55609, 55609, 55902, 55902, 55902, 56195, 56268, 56341, 56487, 56487, 56634, 56780, 56780, 56926, 56999, 57073, 57073, 57219, 57292, 57365, 57365, 57512, 57658, 57658, 57804, 57951, 57951, 58097, 58243, 58243, 58390, 58536, 58536, 58609, 58682, 58829, 58829, 58975, 59121, 59121, 59268, 59341, 59414, 59414, 59560, 59634, 59707, 59707, 59853, 59926, 59999, 59999, 60073, 60292, 60292, 60439, 60585, 60585, 60731, 60878, 60878, 60951, 61024, 61024, 61170, 61170, 61317, 61317, 61463, 61463, 61463, 61536, 61609, 61609, 61756, 61756, 61902, 61902, 62048, 62048, 62048, 62121, 62195, 62195, 62341, 62341, 62414, 62487, 62560, 62634, 62634, 62780, 62780, 62926, 62926, 63073, 63073, 63219, 63219, 63292, 63365, 63439, 63512, 63512, 63585, 63658, 63731, 63804, 63804, 63878, 63951, 64024, 64097, 64097, 64170, 64243, 64317, 64390, 64390, 64536, 64536, 64609, 64682, 64829, 64975, 65121, 65268, 65414, 65560, 65560, 65707, 65853, 65999, 66146, 66146, 66439, 66585, 66878, 67170, 67317, 67317, 67609, 67902, 68048, 68195, 68341, 68487, 68487, 68780, 68926, 69073, 69219, 69365, 69512, 69658, 69658, 69804, 69951, 70243, 70390, 70536, 70682, 70829, 70829, 71121, 71268, 71560, 71853, 71999, 71999, 72292, 72585, 72731, 72878, 73024, 73170, 73317, 73463, 73609, 73609, 73756, 73975, 74195, 74341, 74341, 74634, 74707, 74780, 74926, 74926, 75073, 75073, 75219, 75219, 75219, 75365, 75512, 75512, 75658, 75658, 75804, 75804, 75804, 75951, 76097, 76097, 76390, 76390, 76390, 76536, 76682, 76682, 76829, 76829, 76975, 76975, 76975, 77268, 77268, 77414, 77560, 77560, 77561, 77707, 77853, 77853, 77999, 77999, 78146, 78146, 78146, 78292, 78439, 78439, 78731, 78732, 78732, 78878, 79024, 79024, 79170, 79171, 79317, 79317, 79463, 79609, 79609, 79756, 79902, 79902, 80048, 80195, 80341, 80341, 80487, 80487, 80634, 80780, 80780, 80926, 80926, 81073, 81073, 81073, 81219, 81365, 81512, 81512, 81658, 81658, 81658, 81951, 81951, 81951, 82097, 82243, 82243, 82390, 82536, 82682, 82682, 82829, 82829, 82829, 82975, 83121, 83121, 83268, 83414, 83414, 83560, 83707, 83853, 83853, 83999, 83999, 83999, 84292, 84292, 84365, 84439, 84512, 84585, 84585, 84731, 84804, 84878, 84878, 84951, 85024, 85097, 85170, 85170, 85317, 85390, 85463, 85463, 85536, 85609, 85682, 85756, 85756, 85829, 85902, 85975, 86048, 86048, 86121, 86195, 86268, 86341, 86341, 86487, 86634, 86634, 86707, 86780, 86853, 86926, 86926, 87073, 87146, 87219, 87219, 87292, 87365, 87439, 87512, 87512, 87658, 87804, 87804, 87878, 87951, 88024, 88097, 88097, 88170, 88243, 88317, 88390, 88390, 88536, 88609, 88682, 88682, 88829, 88975, 88975, 89121, 89121, 89268, 89268, 89414, 89414, 89560, 89560, 89707, 89707, 89853, 89853, 89999, 89999, 90146, 90146, 90292, 90292, 90439, 90439, 90585, 90585, 90731, 90731, 90878, 90878, 91024, 91024, 91170, 91170, 91317, 91317, 91390, 91463, 91536, 91609, 91682, 91756, 91829, 91902, 91975, 92048, 92121, 92195, 92268, 92341, 92634, 92780, 92926, 93219, 93365, 93365, 93365, 93365, 93658, 93658, 93804, 93878, 93951, 93951, 94097, 94243, 94317, 94390, 94463, 94536, 94536, 94682, 94829, 94829, 94975, 95121, 95121, 95268, 95414, 95487, 95560, 95634, 95707, 95707, 95853, 95853, 95999, 95999, 96146, 96292, 96292, 96292, 96439, 96585, 96585, 96658, 96731, 96804, 96878, 96878, 97024, 97170, 97170, 97317, 97390, 97463, 97463, 97609, 97756, 97756, 97829, 97902, 98048, 98048, 98048, 98195, 98341, 98341, 98487, 98560, 98634, 98634, 98780, 98926, 98926, 99073, 99219, 99219, 99365, 99512, 99512, 99658, 99804, 99804, 99951, 100097, 100170, 100243, 100317, 100390, 100390, 100536, 100682, 100682, 100829, 100975, 100975, 100975, 101121, 101268, 101268, 101341, 101414, 101487, 101560, 101560, 101707, 101853, 101853, 101926, 101999, 102073, 102146, 102146, 102292, 102439, 102439, 102439, 102585, 102658, 102731, 102731, 102878, 103024, 103024, 103024, 103170, 103243, 103317, 103317, 103317, 103463, 103609, 103682, 103756, 103829, 103902, 103902, 104048, 104195, 104195, 104341, 104487, 104487, 104487, 104634, 104780, 104853, 104926, 104999, 105073, 105073, 105219, 105365, 105365, 105512, 105658, 105658, 105658, 105804, 105951, 105951, 106097, 106170, 106243, 106243, 106317, 106390, 106536, 106536, 106682, 106756, 106829, 106829, 106829, 106975, 107121, 107121, 107268, 107268, 107414, 107414, 107414, 107560, 107707, 107707, 107707, 107853, 107999, 107999, 107999, 108146, 108292, 108292, 108439, 108585, 108585, 108731, 108878, 108878, 108878, 109024, 109170, 109170, 109317, 109463, 109463, 109536, 109609, 109682, 109756, 109756, 109902, 110048, 110048, 110048, 110195, 110195, 110341, 110341, 110341, 110487, 110487, 110634, 110634, 110634, 110780, 110780, 110926, 110926, 110926, 111073, 111073, 111219, 111219, 111219, 111365, 111512, 111658, 111731, 111804, 111878, 111951, 112024, 112097, 112097, 112097, 112390, 112390, 112536, 112682, 112682, 112682, 112829, 112975, 112975, 113121, 113268, 113268, 113414, 113560, 113560, 113707, 113853, 113853, 113999, 114146, 114219, 114292, 114365, 114439, 114439, 114585, 114731, 114731, 114878, 115024, 115024, 115024, 115170, 115317, 115317, 115463, 115536, 115609, 115609, 115756, 115902, 115902, 115975, 116048, 116121, 116195, 116195, 116268, 116341, 116414, 116487, 116487, 116560, 116634, 116707, 116780, 116780, 116926, 117073, 117073, 117219, 117365, 117365, 117512, 117658, 117658, 117804, 117878, 117951, 117951, 118097, 118243, 118243, 118390, 118536, 118536, 118682, 118829, 118902, 118975, 119048, 119121, 119121, 119268, 119414, 119414, 119560, 119707, 119707, 119853, 119999, 119999, 120146, 120292, 120292, 120439, 120439, 120731, 121024, 121170, 121463, 121536, 121609, 121682, 121756, 121756, 121756, 121902, 122048, 122048, 122048, 122195, 122341, 122341, 122341, 122487, 122560, 122634, 122634, 122634, 122780, 122926, 122926, 122926, 123073, 123219, 123219, 123219, 123365, 123512, 123512, 123512, 123585, 123658, 123731, 123804, 123804, 123804, 123951, 124097, 124097, 124097, 124243, 124390, 124390, 124390, 124536, 124682, 124682, 124682, 124829, 124975, 124975, 124975, 125121, 125268, 125268, 125268, 125414, 125487, 125560, 125560, 125560, 125707, 125853, 125853, 125853, 125999, 126146, 126146, 126146, 126292, 126439, 126439, 126439, 126585, 126585, 126731, 126731, 126878, 126878, 127024, 127024, 127024, 127170, 127170, 127317, 127317, 127463, 127463, 127609, 127609, 127609, 127756, 127756, 127902, 127902, 128048, 128048, 128195, 128195, 128268, 128341, 128341, 128414, 128487, 128487, 128560, 128634, 128707, 128780, 128780, 128853, 128926, 128999, 129073, 129146, 129219, 129292, 129365, 129365, 129439, 129512, 129585, 129658, 129731, 129804, 129878, 129951, 129951, 130024, 130097, 130170, 130243, 130243, 130317, 130390, 130463, 130536, 130536, 130682, 130756, 130829, 130829, 130829, 130975, 130975, 131121, 131195, 131268, 131341, 131560, 131707, 131707, 131780, 131853, 131926, 132146, 132292, 132365, 132439, 132512, 132731, 132878, 132878, 132951, 133024, 133097, 133463, 133463, 133756, 134048, 134048, 134048, 134341, 134634, 134634, 134926, 134926, 135219, 135219, 135219, 135512, 135512, 135658, 135658, 135804, 135804, 135951, 135951, 136097, 136097, 136243, 136243, 136390, 136390, 136536, 136536, 136609, 136682, 136682, 136829, 136829, 136902, 136975, 136975, 137121, 137121, 137268, 137268, 137414, 137414, 137560, 137560, 137707, 137707, 137780, 137853, 137926, 137999, 137999, 138073, 138146, 138146, 138219, 138292, 138365, 138439, 138439, 138512, 138585, 138658, 138731, 138731, 138804, 138878, 138951, 139024, 139024, 139097, 139170, 139243, 139317, 139317, 139463, 139463, 139609, 139609, 139756, 139756, 139902, 139902, 140195, 140195, 140195, 140195]
var UpdatePtr = new NativeFunction(Module.findExportByName("libd3mug.so", "update"), 'void', ['int'])
for (var i = 0; i < trueValue.length; i++)
{ UpdatePtr(trueValue[i]) }
//每次note都调用一次
var GetFlag = new NativeFunction(Module.findExportByName("libd3mug.so", "get"), 'pointer', []);
var result = GetFlag();
console.log(ptr(result));
console.log(hexdump(result, { length: 32 }));
在WM战队的wp中有这个解密的脚本
#include <stdio.h>
#include <random>
#include <Windows.h>
using namespace std;
const DWORD hitp[] = { 0,0,0,146,292,292,439,512,585,585,658,731,804,878,1024,1170,1170,1317,1463,1463,1609,1682,1756,1756,1902,2048,2195,2341,2341,2487,2634,2634,2780,2853,2926,2926,3073,3146,3219,3219,3365,3439,3512,3512,3658,3804,3878,3951,4024,4097,4097,4243,4390,4682,4682,4682,4829,4975,4975,5121,5195,5268,5341,5414,5487,5560,5560,5853,5853,5999,6146,6146,6292,6365,6439,6439,6585,6731,6731,6731,7024,7024,7170,7317,7317,7463,7536,7609,7609,7682,7756,7829,7902,7902,7975,8048,8121,8195,8341,8487,8634,8780,9073,9073,9073,9219,9365,9365,9512,9658,9658,9804,9878,9951,9951,10097,10243,10243,10243,10390,10463,10536,10536,10682,10829,10829,10975,11121,11121,11268,11414,11414,11560,11707,11707,11853,11999,11999,11999,12146,12292,12292,12439,12439,12585,12585,12585,12731,12878,12951,13024,13097,13170,13170,13317,13463,13463,13463,13609,13756,13756,13756,13902,14048,14048,14195,14341,14487,14634,14634,14926,14926,14926,15219,15219,15219,15365,15365,15512,15512,15658,15804,15804,15951,16024,16097,16097,16170,16243,16317,16390,16390,16536,16682,16682,16829,16902,16975,16975,17121,17268,17268,17268,17414,17560,17634,17707,17780,17853,17926,17999,18073,18146,18146,18292,18439,18439,18731,18731,18731,18878,19024,19024,19024,19170,19243,19317,19463,19609,19609,19609,19756,19829,19902,20048,20195,20195,20341,20487,20487,20634,20780,20780,20926,21073,21073,21219,21365,21365,21365,21512,21585,21658,21658,21804,21951,21951,21951,22097,22243,22317,22390,22463,22536,22536,22609,22682,22756,22829,22829,22975,23121,23121,23268,23414,23560,23707,23780,23853,23926,23999,23999,24073,24146,24219,24292,24365,24439,24512,24585,24585,24731,24731,24878,24878,24878,25024,25170,25170,25317,25390,25463,25463,25609,25756,25756,25756,25902,25902,26048,26048,26195,26195,26341,26341,26414,26487,26487,26560,26634,26634,26780,26780,26926,27219,27512,27585,27658,27731,27804,27804,28097,28097,28390,28682,28682,28975,29268,29268,29560,29560,29853,29853,30146,30439,30439,30731,31024,31024,31317,31609,31609,31902,32195,32195,32487,32780,32780,32780,33365,33365,33365,33951,33951,34243,34536,34536,34829,35121,35121,35414,35707,35707,35707,35999,36292,36585,36878,36878,37024,37024,37170,37170,37463,37463,37463,37609,37756,37756,37902,38048,38048,38195,38341,38341,38487,38634,38634,38780,38926,39073,39219,39365,39512,39658,39804,39804,39951,40097,40097,40243,40390,40390,40536,40682,40829,40975,40975,41121,41268,41414,41560,41707,41853,41999,42146,42146,42292,42292,42439,42585,42731,42731,42878,42878,43024,43170,43317,43317,43463,43463,43609,43609,43682,43756,43756,43829,43902,43902,44048,44048,44195,44195,44341,44341,44487,44560,44634,44707,44780,44853,44926,44999,45073,45146,45219,45292,45365,45439,45512,45585,45658,45658,45804,45951,45951,46097,46243,46243,46536,46536,46536,46829,46829,46902,46975,47121,47121,47268,47414,47414,47560,47634,47707,47707,47853,47926,47999,47999,48146,48292,48292,48439,48585,48585,48731,48878,48878,49024,49170,49170,49243,49317,49463,49463,49609,49756,49756,49902,49975,50048,50048,50121,50195,50268,50341,50341,50487,50487,50707,50707,50926,50926,51073,51219,51365,51512,51512,51585,51658,51804,51804,51951,52097,52097,52170,52243,52317,52390,52390,52536,52609,52682,52682,52829,52975,52975,53121,53268,53268,53414,53560,53560,53707,53853,53853,53926,53999,54073,54146,54146,54219,54292,54365,54439,54439,54512,54585,54658,54731,54731,54878,54878,55024,55024,55024,55317,55317,55317,55609,55609,55609,55902,55902,55902,56195,56268,56341,56487,56487,56634,56780,56780,56926,56999,57073,57073,57219,57292,57365,57365,57512,57658,57658,57804,57951,57951,58097,58243,58243,58390,58536,58536,58609,58682,58829,58829,58975,59121,59121,59268,59341,59414,59414,59560,59634,59707,59707,59853,59926,59999,59999,60073,60292,60292,60439,60585,60585,60731,60878,60878,60951,61024,61024,61170,61170,61317,61317,61463,61463,61463,61536,61609,61609,61756,61756,61902,61902,62048,62048,62048,62121,62195,62195,62341,62341,62414,62487,62560,62634,62634,62780,62780,62926,62926,63073,63073,63219,63219,63292,63365,63439,63512,63512,63585,63658,63731,63804,63804,63878,63951,64024,64097,64097,64170,64243,64317,64390,64390,64536,64536,64609,64682,64829,64975,65121,65268,65414,65560,65560,65707,65853,65999,66146,66146,66439,66585,66878,67170,67317,67317,67609,67902,68048,68195,68341,68487,68487,68780,68926,69073,69219,69365,69512,69658,69658,69804,69951,70243,70390,70536,70682,70829,70829,71121,71268,71560,71853,71999,71999,72292,72585,72731,72878,73024,73170,73317,73463,73609,73609,73756,73975,74195,74341,74341,74634,74707,74780,74926,74926,75073,75073,75219,75219,75219,75365,75512,75512,75658,75658,75804,75804,75804,75951,76097,76097,76390,76390,76390,76536,76682,76682,76829,76829,76975,76975,76975,77268,77268,77414,77560,77560,77561,77707,77853,77853,77999,77999,78146,78146,78146,78292,78439,78439,78731,78732,78732,78878,79024,79024,79170,79171,79317,79317,79463,79609,79609,79756,79902,79902,80048,80195,80341,80341,80487,80487,80634,80780,80780,80926,80926,81073,81073,81073,81219,81365,81512,81512,81658,81658,81658,81951,81951,81951,82097,82243,82243,82390,82536,82682,82682,82829,82829,82829,82975,83121,83121,83268,83414,83414,83560,83707,83853,83853,83999,83999,83999,84292,84292,84365,84439,84512,84585,84585,84731,84804,84878,84878,84951,85024,85097,85170,85170,85317,85390,85463,85463,85536,85609,85682,85756,85756,85829,85902,85975,86048,86048,86121,86195,86268,86341,86341,86487,86634,86634,86707,86780,86853,86926,86926,87073,87146,87219,87219,87292,87365,87439,87512,87512,87658,87804,87804,87878,87951,88024,88097,88097,88170,88243,88317,88390,88390,88536,88609,88682,88682,88829,88975,88975,89121,89121,89268,89268,89414,89414,89560,89560,89707,89707,89853,89853,89999,89999,90146,90146,90292,90292,90439,90439,90585,90585,90731,90731,90878,90878,91024,91024,91170,91170,91317,91317,91390,91463,91536,91609,91682,91756,91829,91902,91975,92048,92121,92195,92268,92341,92634,92780,92926,93219,93365,93365,93365,93365,93658,93658,93804,93878,93951,93951,94097,94243,94317,94390,94463,94536,94536,94682,94829,94829,94975,95121,95121,95268,95414,95487,95560,95634,95707,95707,95853,95853,95999,95999,96146,96292,96292,96292,96439,96585,96585,96658,96731,96804,96878,96878,97024,97170,97170,97317,97390,97463,97463,97609,97756,97756,97829,97902,98048,98048,98048,98195,98341,98341,98487,98560,98634,98634,98780,98926,98926,99073,99219,99219,99365,99512,99512,99658,99804,99804,99951,100097,100170,100243,100317,100390,100390,100536,100682,100682,100829,100975,100975,100975,101121,101268,101268,101341,101414,101487,101560,101560,101707,101853,101853,101926,101999,102073,102146,102146,102292,102439,102439,102439,102585,102658,102731,102731,102878,103024,103024,103024,103170,103243,103317,103317,103317,103463,103609,103682,103756,103829,103902,103902,104048,104195,104195,104341,104487,104487,104487,104634,104780,104853,104926,104999,105073,105073,105219,105365,105365,105512,105658,105658,105658,105804,105951,105951,106097,106170,106243,106243,106317,106390,106536,106536,106682,106756,106829,106829,106829,106975,107121,107121,107268,107268,107414,107414,107414,107560,107707,107707,107707,107853,107999,107999,107999,108146,108292,108292,108439,108585,108585,108731,108878,108878,108878,109024,109170,109170,109317,109463,109463,109536,109609,109682,109756,109756,109902,110048,110048,110048,110195,110195,110341,110341,110341,110487,110487,110634,110634,110634,110780,110780,110926,110926,110926,111073,111073,111219,111219,111219,111365,111512,111658,111731,111804,111878,111951,112024,112097,112097,112097,112390,112390,112536,112682,112682,112682,112829,112975,112975,113121,113268,113268,113414,113560,113560,113707,113853,113853,113999,114146,114219,114292,114365,114439,114439,114585,114731,114731,114878,115024,115024,115024,115170,115317,115317,115463,115536,115609,115609,115756,115902,115902,115975,116048,116121,116195,116195,116268,116341,116414,116487,116487,116560,116634,116707,116780,116780,116926,117073,117073,117219,117365,117365,117512,117658,117658,117804,117878,117951,117951,118097,118243,118243,118390,118536,118536,118682,118829,118902,118975,119048,119121,119121,119268,119414,119414,119560,119707,119707,119853,119999,119999,120146,120292,120292,120439,120439,120731,121024,121170,121463,121536,121609,121682,121756,121756,121756,121902,122048,122048,122048,122195,122341,122341,122341,122487,122560,122634,122634,122634,122780,122926,122926,122926,123073,123219,123219,123219,123365,123512,123512,123512,123585,123658,123731,123804,123804,123804,123951,124097,124097,124097,124243,124390,124390,124390,124536,124682,124682,124682,124829,124975,124975,124975,125121,125268,125268,125268,125414,125487,125560,125560,125560,125707,125853,125853,125853,125999,126146,126146,126146,126292,126439,126439,126439,126585,126585,126731,126731,126878,126878,127024,127024,127024,127170,127170,127317,127317,127463,127463,127609,127609,127609,127756,127756,127902,127902,128048,128048,128195,128195,128268,128341,128341,128414,128487,128487,128560,128634,128707,128780,128780,128853,128926,128999,129073,129146,129219,129292,129365,129365,129439,129512,129585,129658,129731,129804,129878,129951,129951,130024,130097,130170,130243,130243,130317,130390,130463,130536,130536,130682,130756,130829,130829,130829,130975,130975,131121,131195,131268,131341,131560,131707,131707,131780,131853,131926,132146,132292,132365,132439,132512,132731,132878,132878,132951,133024,133097,133463,133463,133756,134048,134048,134048,134341,134634,134634,134926,134926,135219,135219,135219,135512,135512,135658,135658,135804,135804,135951,135951,136097,136097,136243,136243,136390,136390,136536,136536,136609,136682,136682,136829,136829,136902,136975,136975,137121,137121,137268,137268,137414,137414,137560,137560,137707,137707,137780,137853,137926,137999,137999,138073,138146,138146,138219,138292,138365,138439,138439,138512,138585,138658,138731,138731,138804,138878,138951,139024,139024,139097,139170,139243,139317,139317,139463,139463,139609,139609,139756,139756,139902,139902,140195,140195,140195,140195 };
DWORD __ROR4__(DWORD a1, char a2)
{
return (a1 >> a2) | (a1 << (32 - a2));
}
int rounds(uint8_t* bytes, unsigned int a2, int a3)
{
DWORD* v3; // r4
DWORD v4; // r12
DWORD v5[2]; // r5
DWORD v6; // r3
DWORD result; // r0
v3 = (DWORD*)((char*)bytes + a3);
v4 = *(DWORD*)((char*)bytes + a3);
*(DWORD64*)&v5[0] = *(DWORD64*)((char*)bytes + a3 + 4);
v6 = *(DWORD*)((char*)bytes + a3 + 12);
*(DWORD*)((char*)bytes + a3) = *(&v5[0] + 1);
result = v4 ^ __ROR4__(*(&v5[0] + 1) ^ a2, 19);
v3[3] = v5[0] ^ __ROR4__(v6, 18) ^ __ROR4__(*(&v5[0] + 1) ^ a2, 19);
v3[1] = v6;
v3[2] = result;
return result;
}
int main(int argc, char const* argv[])
{
unsigned char enc_bytes[] =
{
0x3C, 0xAC, 0x92, 0x6F, 0x44, 0xA1, 0xC1, 0x17, 0xFD, 0x62,
0x60, 0xDD, 0x63, 0xF8, 0xE3, 0x2A, 0x5E, 0x75, 0x78, 0xBE,
0x59, 0x46, 0x33, 0xF6, 0x2E, 0x64, 0x61, 0x8A, 0x27, 0x93,
0x21, 0x7D, 0x00
};
mt19937 rng(-196167794);
for (int i = 0; i < 1608; ++i)
{
if (rng() % 7 >= 3)
{
rounds(enc_bytes, rng(), hitp[i] & 0xF);
}
}
printf("%s\n", enc_bytes);
getchar();
return 0;
}
d3wow
是32位跑64位程序
标志是push 33 retf
整体逻辑很简单
输入的flag经过e1 e2变换后检测
int __cdecl e1(char *a1, int *a2)
{
int v3; // [esp+0h] [ebp-10h]
int v4; // [esp+8h] [ebp-8h]
int v5; // [esp+Ch] [ebp-4h]
v5 = 0;
v4 = 0;
v3 = 6;
if ( *(_DWORD *)a1 != 'tc3d' )
return 1;
if ( *((_WORD *)a1 + 2) != '{f' )
return 1;
if ( a1[6] != '2' )
return 1;
while ( a1[v3] != '}' )
{
switch ( a1[v3] )
{
case '1':
a2[6 * v5 + v4] |= 8u;
a2[6 * v5-- - 6 + v4] |= 2u;
goto LABEL_14;
case '2':
a2[6 * v5 + v4] |= 2u;
a2[6 * v5++ + 6 + v4] |= 8u;
goto LABEL_14;
case '3':
a2[6 * v5 + v4] |= 4u;
a2[6 * v5 - 1 + v4--] |= 1u;
goto LABEL_14;
case '4':
a2[6 * v5 + v4] |= 1u;
a2[6 * v5 + 1 + v4++] |= 4u;
LABEL_14:
if ( v5 < 0 || v4 < 0 || v5 > 5 || v4 > 5 )
return 1;
++v3;
break;
default:
return 1;
}
}
return 0;
}
对于e1函数来说 检测了flag格式为d3ctf{2开头 }结尾
根据1234来变换迷宫a2
对于e2函数来说 sub_352510是
是切换64位的函数
所以直接dump出e2函数对应代码 ida64分析
e2函数分析
约束 数独?
先上个真值表
i % 0x10 / 8 % 8 / 4 % 4 / 2 % 2 求和
0 0 0 0 0 0
1 0 0 0 1 1
2 0 0 1 0 1
3 0 0 1 1 2
4 0 1 0 0 1
5 0 1 0 1 2
6 0 1 1 0 2
7 0 1 1 1 3
8 1 0 0 0 1
9 1 0 0 1 2
10 1 0 1 0 2
11 1 0 1 1 3
12 1 1 0 0 2
13 1 1 0 1 3
14 1 1 1 0 3
15 1 1 1 1 4
47到64行
for ( i = 0; i < 6; ++i )
{
for ( j = 0; j < 6; ++j )
{
if ( data[6 * i + j] > 0xFu )
return MEMORY[0x1301]();
v14 = data[6 * i + j] % 0x10u / 8;
v15 = data[6 * i + j] % 8u / 4 + v14;
v16 = data[6 * i + j] % 4u / 2 + v15;
if ( data[6 * i + j] % 2u + v16 > 2 || !j && data[6 * i] % 8u / 4 )
return MEMORY[0x1301]();
if ( j == 5 && data[6 * i + 5] % 2u || !i && data[j] % 0x10u / 8 || i == 5 && data[j + 30] % 4u / 2 )
return MEMORY[0x1301]();
}
}
小tip
item%2 看二进制最后一位是不是1
item%4/2 看倒数第二位是不是1
所以
data[6 * i + j] % 2u + v16 > 2检测里面有几个1 (不能为7 11 13 14 15)
!j && data[6 * i] % 8u / 4第一列不能为(4 5 6 7 12 13 14 15)
j == 5 && data[6 * i + 5] % 2u 最后一列不能为奇数
!i && data[j] % 0x10u / 8 第一行不能是(8-15)
i == 5 && data[j + 30] % 4u / 2最后一行不能是(2 3 6 7 10 11 14 15)
65-100行
for ( k = 0; (unsigned __int64)k < 3; ++k )
{
v2 = v20[k] / 10; //是0 1 2
v5 = v20[k] % 10; //是0 4 0
//检测 (0,0) (1,4) (2,0)三个位置
if ( data[6 * v2 + v5] % 0x10u / 8 && data[6 * v2 + v5] % 4u / 2 )
return MEMORY[0x1301]();//不能是 10 11 14 15
if ( data[6 * v2 + v5] % 8u / 4 && data[6 * v2 + v5] % 2u )
return MEMORY[0x1301]();//不能是 5 7 13 15
v17 = data[6 * v2 + v5] % 0x10u / 8;
v25 = v5;
v18 = data[6 * v2 + v5] % 4u / 2 + v17;
v26 = v5;
v19 = data[6 * v2 + v5] % 2u + v18;
v27 = v5;
if ( data[6 * v2 + v5] % 8u / 4 + v19 != 2 )//这三个位置的二进制必须有2个1
return MEMORY[0x1301]();
//以上限制条件约束出这三个位置只能是3 6 9 12
//以下的都是当前格和周围四个格真值情况不一样
if ( data[6 * v2 + v5] % 0x10u / 8 ) //在9 12 为真
{
if ( !(data[6 * v2 - 6 + v5] % 0x10u / 8) )
return MEMORY[0x1301]();
}
else if ( data[6 * v2 + v5] % 4u / 2 )//在3 6 为真
{
if ( !(data[6 * v2 + 6 + v5] % 4u / 2) )
return MEMORY[0x1301]();
}
else if ( data[6 * v2 + v5] % 8u / 4 )//在6 12为真
{
if ( !(data[6 * v2 - 1 + v5] % 8u / 4) )
return MEMORY[0x1301]();
}
//在 3 9 为真
else if ( data[6 * v2 + v5] % 2u && !(data[6 * v2 + 1 + v5] % 2u) )
{
return MEMORY[0x1301]();
}
}
101 -122行
for ( m = 0; (unsigned __int64)m < 10; ++m )
{
v3 = v21[m] / 10;//0 1 1 2 2 3 3 4 4 5
v6 = v21[m] % 10;//4 3 5 1 4 1 2 1 5 3
if ( (!(data[6 * v3 + v6] % 0x10u / 8) || !(data[6 * v3 + v6] % 4u / 2))
&& (!(data[6 * v3 + v6] % 8u / 4) || !(data[6 * v3 + v6] % 2u))
|| data[6 * v3 + v6] % 0x10u / 8
&& data[6 * v3 + v6] % 4u / 2
&& !(data[6 * v3 - 6 + v6] % 8u / 4)
&& !(data[6 * v3 - 6 + v6] % 2u)
&& !(data[6 * v3 + 6 + v6] % 8u / 4)
&& !(data[6 * v3 + 6 + v6] % 2u)
|| data[6 * v3 + v6] % 8u / 4
&& data[6 * v3 + v6] % 2u
&& !(data[6 * v3 + 1 + v6] % 0x10u / 8)
&& !(data[6 * v3 + 1 + v6] % 4u / 2)
&& !(data[6 * v3 - 1 + v6] % 0x10u / 8)
&& !(data[6 * v3 - 1 + v6] % 4u / 2) )
{
return MEMORY[0x1301]();
}
}
123 - 182行
v10 = 0;
v11 = 0;
v4 = 0;
v7 = 0;
if ( *data % 0x10u / 8 ) //若(0,0)为8-15
{
v4 = -1;
while ( 1 )
{
LABEL_67:
if ( !(data[6 * v4 + v7] % 0x10u / 8) || v4 - 1 == v10 && v7 == v11 )
{
if ( !(data[6 * v4 + v7] % 4u / 2) || v4 + 1 == v10 && v7 == v11 )
{
if ( !(data[6 * v4 + v7] % 8u / 4) || v4 == v10 && v7 - 1 == v11 )
{
if ( !(data[6 * v4 + v7] % 2u) || v4 == v10 && v7 + 1 == v11 )
return MEMORY[0x1301]();
v10 = v4;
v11 = v7++;
}
else
{
v10 = v4;
v11 = v7--;
}
}
else
{
v10 = v4;
v11 = v7;
++v4;
}
}
else
{
v10 = v4;
v11 = v7;
--v4;
}
if ( !v4 && !v7 )
return MEMORY[0x1301]();
}
}
//检测(0,0) 四个均为假的情况只能是0
if ( *data % 4u / 2 )
{
v4 = 1;
goto LABEL_67;
}
if ( *data % 8u / 4 )
{
v7 = -1;
goto LABEL_67;
}
if ( *data % 2u )
{
v7 = 1;
goto LABEL_67;
}
return MEMORY[0x1301]();
脚本
脚本是抄的b3f0re的
from z3 import *
res = [0, 14, 20, 0, 4, 13, 15, 21, 24, 31, 32, 41, 45, 53]
m = [BitVec('m%i' % i, 32) for i in range(36)]
m += [2, 0, 0, 0, 0, 0, 0]
solver = Solver()
for i in range(6):
for j in range(6):
solver.add(m[6 * i + j] < 0x10)
solver.add(m[6 * i + j] >= 0)
#还是看01 个数 与%8/4之类功能一样
tmp = (m[6 * i + j] & 0xf) >> 3
tmp += (m[6 * i + j] & 7) >> 2
tmp += (m[6 * i + j] & 3) >> 1
tmp += (m[6 * i + j] & 1)
solver.add(tmp & 1 == 0)
solver.add(tmp <= 2)
if j == 0:
solver.add((m[6 * i + j] & 7) >> 2 == 0)
if j == 5:
solver.add((m[6 * i + j] & 1) == 0)
if i == 0:
solver.add((m[j] & 0xf) >> 3 == 0)
if i == 5:
solver.add((m[j + 30] & 3) >> 1 == 0)
for q in range(3):
i = res[q] // 10
j = res[i] % 10
solver.add(Or((m[6 * i + j] & 0xf) >> 3 == 0, (m[6 * i + j] & 0x3) >> 1 == 0))
solver.add(Or((m[6 * i + j] & 0x7) >> 2 == 0, (m[6 * i + j] & 1) == 0))
tmp = (m[6 * i + j] & 0xf) >> 3
tmp += (m[6 * i + j] & 7) >> 2
tmp += (m[6 * i + j] & 3) >> 1
tmp += (m[6 * i + j] & 1)
solver.add(tmp == 2)
solver.add(Or((m[6 * i + j] & 0xf) >> 3 == 0, (m[6 * (i - 1) + j] & 0xf) >> 3 != 0))
solver.add(Or((m[6 * i + j] & 0x3) >> 1 == 0, (m[6 * (i + 1) + j] & 0x3) >> 1 != 0))
solver.add(Or((m[6 * i + j] & 0x7) >> 2 == 0, (m[6 * i - 1 + j] & 0x7) >> 2 != 0))
solver.add(Or(m[6 * i + j] & 1 == 0, (m[6 * i + 1 + j] & 1) != 0))
for q in range(10):
i = res[q + 4] // 10
j = res[q + 4] % 10
solver.add(Or(And((m[6 * i + j] & 0xf) >> 3 != 0, (m[6 * i + j] & 3) >> 1 != 0),
And((m[6 * i + j] & 7) >> 2 != 0, (m[6 * i + j] & 1) != 0)))
solver.add(Or((m[6 * i + j] & 0xf) >> 3 == 0,
(m[6 * i + j] & 0x3) >> 1 == 0,
(m[6 * (i - 1) + j] & 7) >> 2 != 0,
(m[6 * (i - 1) + j]) & 1 != 0,
(m[6 * (i + 1) + j] & 7) >> 2 != 0,
(m[6 * (i + 1) + j] & 1) != 0,
(m[(i + 1) + j] & 7) >> 2 != 0,
(m[6 * (i + 1) + j] & 1) != 0))
solver.add(Or((m[6 * i + j] & 7) >> 2 == 0, m[6 * i + j] & 1 == 0, (m[6 * i + 1 + j] & 0xf) >> 3 != 0,
(m[6 * i + 1 + j] & 3) >> 1 != 0, (m[6 * i - 1 + j] & 0xf) >> 3 != 0, (m[6 * i - 1 + j] & 3) >> 1 != 0))
solver.add((m[0] & 3) >> 1 == 1)
solver.add((m[6] & 0xf) >> 3 == 1)
for i in range(6):
for j in range(6):
solver.add((m[6 * i + j] & 0x1) == (m[6 * i + (j + 1)] & 0x7) >> 2)
solver.add((m[6 * i + j] & 0x3) >> 1 == (m[6 * (i + 1) + j] & 0xf) >> 3)
solver.add((m[6 * i + j] & 0x7) >> 2 == (m[6 * i + (j - 1)] & 1))
solver.add((m[6 * i + j] & 0xf) >> 3 == (m[6 * (i - 1) + j] & 0x3) >> 1)
while solver.check() == sat:
s = solver.model()
print([s[i].as_long() for i in m[:36]])
solver.add(Or([m[i] != s[m[i]] for i in range(36)]))
[
3, 5, 5, 5, 5, 6,
10, 0, 3, 5, 6,10,
9, 5,12, 0, 10,10,
3, 5, 5, 6, 10,10,
9, 5, 6, 9, 12,10,
0, 0, 9, 5, 5,12,
]
易知上下左右是1234
写个脚本 手动试一下 可知flag
#include <stdio.h>
#include <stdlib.h>
int print_m(int ttt[36])
{
for (int i = 0; i < 6; i++)
{
for (int j = 0; j < 6; j++)
{
printf("%d\t", ttt[6 * i + j]);
}
printf("\n");
}
printf("\n__________________________________________________________\n");
}
int main()
{
int v3 = 6;
char a1[40] = "d3ctf{22441442223133324424441111133333}";
int a2[36] = {0};
int v5 = 0;
int v4 = 0;
while (a1[v3] != '}')
{
switch (a1[v3])
{
case '1':
a2[6 * v5 + v4] |= 8u;
a2[6 * v5-- - 6 + v4] |= 2u;
goto LABEL_14;
case '2':
a2[6 * v5 + v4] |= 2u;
a2[6 * v5++ + 6 + v4] |= 8u;
goto LABEL_14;
case '3':
a2[6 * v5 + v4] |= 4u;
a2[6 * v5 - 1 + v4--] |= 1u;
goto LABEL_14;
case '4':
a2[6 * v5 + v4] |= 1u;
a2[6 * v5 + 1 + v4++] |= 4u;
LABEL_14:
if (v5 < 0 || v4 < 0 || v5 > 5 || v4 > 5)
return 1;
print_m(a2);
++v3;
break;
default:
return 1;
}
}
system("pause");
return 0;
}
d3thon
是个python虚拟机的感觉 在 解析字节码那一堆
根据官方wp可知是python3.10.2编译的
先在ubuntu上部署python3.10.2
根据https://blog.csdn.net/weixin_43790276/article/details/89439643安装即可
可以每行测试code是什么意思
import byte_analizer as ba
with open("./lalal.txt", "r") as fi:
statmts = fi.read().split("\n")
for i in statmts:
ba.analize(i)
ZOAmcoLkGlAXXqf:start:['kZslMZYnvPBwgdCz:<<- Welcome to 2022 AntCTF & D^3CTF! ->>%nHave fun with L-VM XD']
RDDDZUiIKbxCubJEN:start
ZOAmcoLkGlAXXqf 定义一个函数
start:函数名称
RDDDZUiIKbxCubJEN:start 执行start函数
列表里面是这个函数的指令 冒号前是指令内容 冒号后是参数 %n就是\n
多次测试可知
kZslMZYnvPBwgdCz print函数 好像只能打印字符串
oGwDokoxZgoeViFcAF 赋值
KezJKhCxGRZnfLCGT input函数
IEKMEDdrPpzpdKy 加法
FLNPsiCIvICFtzpUAR 减法
kuhisCvwaXWfqCs 按位取反
OcKUQCYqhwHXfAgGZH 异或
第37行开始全是okokokok函数
不难看出是flag经过okokokok函数后 然后与-194952731925593882593246917508862867371733438849523064153861650948471779982880938对比
所以我们提取okokokok指令 写入新的txt中
然后倒着执行即可
enc=-194952731925593882593246917508862867371733438849523064153861650948471779982880938
with open("bacodeparsed.txt","r") as f:
opcodes=f.read().split("\n")
for i in opcodes[::-1]:
i=i.replace("\'","")
if "IEKMEDdrPpzpdKy:flag:" in i:
enc -= int(i.split(":")[-1])
elif "FLNPsiCIvICFtzpUAR:flag:" in i:
enc += int(i.split(":")[-1])
elif "OcKUQCYqhwHXfAgGZH:flag:"in i:
enc ^= int(i.split(":")[-1])
elif "kuhisCvwaXWfqCs:flag" in i:
enc=~enc
else:
raise SyntaxError
print(hex(enc))
0x3437323961346136626264643464373863393465363232393235376166333565
4729a4a6bbdd4d78c94e6229257af35e
d3arm
hex文件 ida直接拖入没法处理
010看到关键字符串mbed-os
google搜索可知
https://phil242.wordpress.com/2019/03/28/insomnihack-2019-ctf-perfectly-unbreakable-flag-500/
GHIDRA
文中指出可以使用ghidra的arm v7 32 little来反编译
基址为08000000!
根据官方wp知 可以搜索main函数来到该固件入口点
其中0x9621是我们的main函数地址 记得基址是8000000 再-1
该函数即为main函数
其实找不找main函数好像没啥用(
创个数据段
搜索flag定位到08005fa4函数
要求point是42
是 然后交叉引用0x200022c8出不来
改个名也出不来
他说没引用(比赛就卡这 傻逼ghidra
ida复现
arm 32 little ida32
详细设置里面选择arm v7m
rom段起始为08000000 (rom start address
ram段起始为20000000(ram start address
ram size差不多就行 我写的0x4000
全选( shift+end+end) 然后按C反编译
仍然搜flag来到sub_8005F90
交叉引用byte_200022C8 或可以改名为flag
直接拿出dword_800DB64
交叉引用iiii和btyeP_20002314来到
直接上脚本
dword_800DB64 = [0x00000020, 0x0000006D, 0x00000050, 0x00000030, 0x00000038, 0x00000048, 0x00000071, 0x00000066,
0x00000004, 0x0000007D, 0x00000069, 0x00000000, 0x00000022, 0x00000067, 0x00000002, 0x00000026,
0x0000003F, 0x0000000A, 0x00000072, 0x0000006A, 0x00000052, 0x00000075, 0x00000067, 0x00000056,
0x00000073, 0x0000006C, 0x00000051, 0x00000074, 0x00000038, 0x00000055, 0x00000077, 0x0000003B,
0x0000000A, 0x00000021, 0x0000006B, 0x0000000B, 0x00000026, 0x00000067, 0x00000007, 0x0000007C,
0x00000069, 0x0000004E]
for iii in range(len(dword_800DB64)):
print(chr((0x335E44 >> (8 * (iii % 3))) & 0xff ^ dword_800DB64[iii]), end="")
&0xff是因为是byte 单字节
d3ctf{587973f91ba964a19e72b0ff3e9e58b9487}
d3hotel
陈神说和这俩类似(
(N1CTFhotel 实战)https://www.cnblogs.com/algonote/p/15589898.html
(浅谈逆向 Unity WebGL Il2Cpp 中 WebAssembly 函数的方法 _)https://www.cnblogs.com/algonote/p/15596459.html
先F12下载
很容易知道是unity引擎
所以用AssetStudioGUI导出资源
看到main.lua 还是加密的 所以导出所有加密的lua
lua
使用java -jar unluac.jar反编译lua
main函数如下
local L0_1, L1_1, L2_1, L3_1, L4_1, L5_1, L6_1, L7_1, L8_1, L9_1, L10_1, L11_1
L0_1 = require
L1_1 = "matrix"
L0_1 = L0_1(L1_1)
matrix = L0_1
L0_1 = matrix
L1_1 = 5
L2_1 = 5
L3_1 = 0
L0_1 = L0_1(L1_1, L2_1, L3_1)
m = L0_1
L0_1 = matrix
L1_1 = {}
L2_1 = {}
L3_1 = 6422944
L4_1 = -7719232
L5_1 = 41640292
L6_1 = -1428488
L7_1 = -36954388
L2_1[1] = L3_1
L2_1[2] = L4_1
L2_1[3] = L5_1
L2_1[4] = L6_1
L2_1[5] = L7_1
L3_1 = {}
L4_1 = 43676120
L5_1 = -26534136
L6_1 = -31608964
L7_1 = -20570796
L8_1 = 22753040
L3_1[1] = L4_1
L3_1[2] = L5_1
L3_1[3] = L6_1
L3_1[4] = L7_1
L3_1[5] = L8_1
L4_1 = {}
L5_1 = -6066184
L6_1 = 30440152
L7_1 = 5229916
L8_1 = -16857572
L9_1 = -16335464
L4_1[1] = L5_1
L4_1[2] = L6_1
L4_1[3] = L7_1
L4_1[4] = L8_1
L4_1[5] = L9_1
L5_1 = {}
L6_1 = -8185648
L7_1 = -17254720
L8_1 = -22800152
L9_1 = -8484728
L10_1 = 44642816
L5_1[1] = L6_1
L5_1[2] = L7_1
L5_1[3] = L8_1
L5_1[4] = L9_1
L5_1[5] = L10_1
L6_1 = {}
L7_1 = -35858512
L8_1 = 10913104
L9_1 = -4165844
L10_1 = 37696936
L11_1 = -10061980
L6_1[1] = L7_1
L6_1[2] = L8_1
L6_1[3] = L9_1
L6_1[4] = L10_1
L6_1[5] = L11_1
L1_1[1] = L2_1
L1_1[2] = L3_1
L1_1[3] = L4_1
L1_1[4] = L5_1
L1_1[5] = L6_1
L0_1 = L0_1(L1_1)
n = L0_1
function L0_1(A0_2)
local L1_2, L2_2, L3_2, L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2
L1_2 = #A0_2
if L1_2 ~= 25 then
L1_2 = 0
return L1_2
end
L1_2 = 1
L2_2 = 5
L3_2 = 1
for L4_2 = L1_2, L2_2, L3_2 do
L5_2 = 1
L6_2 = 5
L7_2 = 1
for L8_2 = L5_2, L6_2, L7_2 do
L9_2 = m
L9_2 = L9_2[L4_2]
L10_2 = string
L10_2 = L10_2.byte
L11_2 = A0_2
L12_2 = L4_2 - 1
L12_2 = L12_2 * 5
L12_2 = L12_2 + L8_2
L10_2 = L10_2(L11_2, L12_2)
L9_2[L8_2] = L10_2
end
end
L1_2 = tonumber
L2_2 = string
L2_2 = L2_2.format
L3_2 = "%.5f"
L4_2 = matrix
L4_2 = L4_2.det
L5_2 = m
L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2 = L4_2(L5_2)
L2_2, L3_2, L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2 = L2_2(L3_2, L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2)
L1_2 = L1_2(L2_2, L3_2, L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2)
det = L1_2
L1_2 = matrix
L2_2 = 5
L3_2 = "I"
L1_2 = L1_2(L2_2, L3_2)
L2_2 = det
L1_2 = L1_2 * L2_2
L2_2 = m
L3_2 = n
L2_2 = L2_2 * L3_2
if L1_2 == L2_2 then
L1_2 = 1
return L1_2
else
L1_2 = 0
return L1_2
end
end
f = L0_1
通过matrix det等字符可以猜测是个和矩阵有关的数学问题
搜索matrix库 lua 找到
https://github.com/davidm/lua-matrix
http://lua-users.org/wiki/LuaMatrix
det指一个矩阵的行列式 I指单位矩阵
关注第123行
L1_2来自一个单位矩阵乘det
L2_2来自于m*n n为最开始初始化的矩阵
根据这几行可以看出det矩阵来自于m的det
所以m的行列式 * 单位矩阵==m * n
所以m==m行列式 * 单位矩阵 * n逆
但我们不知道m的行列式是多少
根据常理来说m是flag变成的矩阵
flag头是d3ctf 所以我们猜测m[ 0 ] [ 0 ]是ord('d')
import numpy as np
# 5*5
n = [[6422944, -7719232, 41640292, -1428488, -36954388], [43676120, -26534136, -31608964, -20570796, 22753040],
[-6066184, 30440152, 5229916, -16857572, -16335464], [-8185648, -17254720, -22800152, -8484728, 44642816],
[-35858512, 10913104, -4165844, 37696936, -10061980]]
imatrix = [[1, 0, 0, 0, 0], [0, 1, 0, 0, 0], [0, 0, 1, 0, 0], [0, 0, 0, 1, 0], [0, 0, 0, 0, 1]]
imatrix =np.matrix(imatrix)
n = np.matrix(n)
print(n)
print(imatrix)
re_n=np.linalg.inv(n)
tem=re_n.dot(imatrix)
print(tem)
print(tem.dot(ord('d')/-4.27738117e-08))#这个数是tem[0][0]
得到
[[100.00000011 51.00000006 99.00000011 116.00000013 102.00000011]
[123.00000014 87.0000001 51.00000006 98.00000011 97.00000011]
[ 53.00000006 109.00000012 95.00000011 49.00000006 115.00000013]
[ 95.00000011 65.00000007 119.00000013 101.00000011 53.00000006]
[111.00000012 111.00000012 109.00000012 51.00000006 125.00000014]]
d3ctf{W3ba5m_1s_Awe5oom3} 但是不是这个flag
c#
根据wp复现到这里
AssetStudio 解不了BuildWebGL.wasm
没法解决 先放着
