HNCTF 2022 WEEK2

[HNCTF 2022 WEEK2]e@sy_flower

image

发现花指令

image

change type 90 nop掉

image

在主函数p重构,然后就可以反编译了

image

编写脚本
enc = "c~scvdzKCEoDEZ[^roDICUMC"
flag = [1] * 24
for j in range(24):
    flag[j] = chr(ord(enc[j]) ^ 48)
for i in range(12):
    v5 = flag[2 * i + 1]
    flag[2 * i + 1] = flag[2 * i]
    flag[2 * i] = v5
print("".join(flag))
#NSSCTF{Just_junk_Bytess}

[HNCTF 2022 WEEK2]Packet

image

有UPX壳,脱壳

image
image

打开do_something查看

image

是一个base64

image

码表,enc都在上边

image

[HNCTF 2022 WEEK2]TTTTTTTTTea

image
image

听名字就知道是tea加密,点开key看看,将db转换成dd

image

在打开加密函数看看

image

接下来就可以编写脚本了
#include <iostream>
#include <stdio.h>  
#include <stdint.h>
using namespace std;
int main()
{
    uint32_t enc[6] = { 0xC11EE75A, 0xA4AD0973, 0xF61C9018, 0x32E37BCD, 0x2DCC1F26, 0x344380CC, };
    uint32_t key[4] = { 0x10203, 0x4050607, 0x8090A0B, 0x0C0D0E0F, };
    uint32_t a1, a2;
    for (int i = 0; i <= 2; i++)
    {
        a1 = enc[2 * i];
        a2 = enc[2 * i + 1];
        uint32_t dt = -1640531527 * 32;
        for (int j = 0; j < 32; ++j)
        {
            a2 -= (((a1 >> 5) ^ (16 * a1)) + a1) ^ (key[(dt >> 11) & 3] + dt);
            dt += 1640531527;
            a1 -= (((a2 >> 5) ^ (16 * a2)) + a2) ^ (key[dt & 3] + dt);
            enc[2 * i] = a1;
            enc[2 * i + 1] = a2;
        }
    }
    for (int i = 0; i < 6; i++)
    {
        printf("%X\n", enc[i]);
    }
    return 0;
}
//NSSCTF{Tea_TEA_TeA_TEa+}

[HNCTF 2022 WEEK2]来解个方程?

image
image

打开check函数看看

image

这么看来是要用z3去解方程组了,那么编写脚本
from z3 import *
s = Solver()
v2,v3,v4,v5,v6,v7,v8,v9,v10,v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23 = Ints('v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16 v17 v18 v19 v20 v21 v22 v23')
allints = [
    245 * v6 + 395 * v5 + 3541 * v4 + 2051 * v3 + 3201 * v2 + 1345 * v7 == 855009,
    3270 * v6 + 3759 * v5 + 3900 * v4 + 3963 * v3 + 1546 * v2 + 3082 * v7 == 1515490,
    526 * v6 + 2283 * v5 + 3349 * v4 + 2458 * v3 + 2012 * v2 + 268 * v7 == 854822,
    3208 * v6 + 2021 * v5 + 3146 * v4 + 1571 * v3 + 2569 * v2 + 1395 * v7 == 1094422,
    3136 * v6 + 3553 * v5 + 2997 * v4 + 1824 * v3 + 1575 * v2 + 1599 * v7 == 1136398,
    2300 * v6 + 1349 * v5 + 86 * v4 + 3672 * v3 + 2908 * v2 + 1681 * v7 == 939991,
    212 * v22 + 153 * v21 + 342 * v20 + 490 * v12 + 325 * v11 + 485 * v10 + 56 * v9 + 202 * v8 + 191 * v23 == 245940,
    348 * v22 + 185 * v21 + 134 * v20 + 153 * v12 + 460 * v9 + 207 * v8 + 22 * v10 + 24 * v11 + 22 * v23 == 146392,
    177 * v22 + 231 * v21 + 489 * v20 + 339 * v12 + 433 * v11 + 311 * v10 + 164 * v9 + 154 * v8 + 100 * v23 == 239438,
    68 * v20 + 466 * v12 + 470 * v11 + 22 * v10 + 270 * v9 + 360 * v8 + 337 * v21 + 257 * v22 + 82 * v23 == 233887,
    246 * v22 + 235 * v21 + 468 * v20 + 91 * v12 + 151 * v11 + 197 * v8 + 92 * v9 + 73 * v10 + 54 * v23 == 152663,
    241 * v22 + 377 * v21 + 131 * v20 + 243 * v12 + 233 * v11 + 55 * v10 + 376 * v9 + 242 * v8 + 343 * v23 == 228375,
    356 * v22 + 200 * v21 + 136 * v11 + 301 * v10 + 284 * v9 + 364 * v8 + 458 * v12 + 5 * v20 + 61 * v23 == 211183,
    154 * v22 + 55 * v21 + 406 * v20 + 107 * v12 + 80 * v10 + 66 * v8 + 71 * v9 + 17 * v11 + 71 * v23 == 96788,
    335 * v22 + 201 * v21 + 197 * v11 + 280 * v10 + 409 * v9 + 56 * v8 + 494 * v12 + 63 * v20 + 99 * v23 == 204625,
    428 * v18 + 1266 * v17 + 1326 * v16 + 1967 * v15 + 3001 * v14 + 81 * v13 + 2439 * v19 == 1109296,
    2585 * v18 + 4027 * v17 + 141 * v16 + 2539 * v15 + 3073 * v14 + 164 * v13 + 1556 * v19 == 1368547,
    2080 * v18 + 358 * v17 + 1317 * v16 + 1341 * v15 + 3681 * v14 + 2197 * v13 + 1205 * v19 == 1320274,
    840 * v18 + 1494 * v17 + 2353 * v16 + 235 * v15 + 3843 * v14 + 1496 * v13 + 1302 * v19 == 1206735,
    101 * v18 + 2025 * v17 + 2842 * v16 + 1559 * v15 + 2143 * v14 + 3008 * v13 + 981 * v19 == 1306983,
    1290 * v18 + 3822 * v17 + 1733 * v16 + 292 * v15 + 816 * v14 + 1017 * v13 + 3199 * v19 == 1160573,
    186 * v18 + 2712 * v17 + 2136 * v16 + 98 * v13 + 138 * v14 + 3584 * v15 + 1173 * v19 == 1005746,
]
s.add(allints)
flag = []
if s.check() == sat:
    ans = s.model()
    flag.append(ans[v2])
    flag.append(ans[v3])
    flag.append(ans[v4])
    flag.append(ans[v5])
    flag.append(ans[v6])
    flag.append(ans[v7])
    flag.append(ans[v8])
    flag.append(ans[v9])
    flag.append(ans[v10])
    flag.append(ans[v11])
    flag.append(ans[v12])
    flag.append(ans[v13])
    flag.append(ans[v14])
    flag.append(ans[v15])
    flag.append(ans[v16])
    flag.append(ans[v17])
    flag.append(ans[v18])
    flag.append(ans[v19])
    flag.append(ans[v20])
    flag.append(ans[v21])
    flag.append(ans[v22])
    flag.append(ans[v23])
print(flag)
realflag = [78, 83, 83, 67, 84, 70, 123, 112, 105, 112, 95, 105, 110, 115, 116, 64, 108, 108, 95, 90, 51, 125]
endflag = ''.join(chr(i) for i in realflag)
print(endflag)
#NSSCTF{pip_inst@ll_Z3}

[HNCTF 2022 WEEK2]getflag

image
image
image

要点击多次才能拿到flag,那么我们可以直接去修改他的check函数

image

把99999999修改成1就行了(或者将jg改为jle,即将">"改为"<"),在汇编中找到指定位置

image

右键Assemble将99999999改为1

image

再在patch program中的apply patches to里修改

image
image

[HNCTF 2022 WEEK2]Easy_Android

首先使用jadx打开下载文件,关键代码如下图

image

首先将username通过一个MD5加密,然后再在下一个for循环里取奇数构成flag

image

那么编写脚本
enc = 'b9c77224ff234f27ac6badf83b855c76'
flag = []
for i in range(0,len(enc),2):
    flag.append(enc[i])
print("".join(flag))
#bc72f242a6af3857

[HNCTF 2022 WEEK2]Try2Bebug_Plus

下载下来后是一个elf文件

image
image

打开encrypt函数是一个TEA加密

image

key是这个

image

enc是这个

image

然后看到function函数有一个异或

image

那么可以编写脚本了
#include <stdio.h>
#include <string.h>
#include <stdint.h>
int main(void)
{
    uint32_t enc[12] = { 0x489A0BFD, 0x38DE3838, 0x16D1DA51, 0x710510ED, 0x1E619392, 0x0B487955, 0x0AB44987, 0x5DB378E5, 0x9F9DA4CD, 0x49F2D9A8, 0x608F269E, 0x6261B831, };
    uint32_t key[4] = { 0x0AA, 0x0BB, 0x0CC, 0x0DD, };
    uint32_t v1, v2, sum;
    unsigned char flag[12];
    for (int k = 0; k < 12; k += 2)
    {
        v1 = enc[k];
        v2 = enc[k + 1];
        sum = -1640531527 * 32;
        for (int i = 0; i < 32; ++i)
        {
            v2 -= (v1 + sum) ^ (16 * v1 + key[2]) ^ ((v1 >> 5) + key[3]);
            v1 -= (v2 + sum) ^ (16 * v2 + *key) ^ ((v2 >> 5) + key[1]);
            sum += 1640531527;
        }
        enc[k] = v1;
        enc[k + 1] = v2;
    }
    for (int i = 0; i < 12; i++)
    {
        flag[i] = (enc[i]) ^ (16 * i);
        printf("%c", flag[i]);
    }
}
//th1s_1s_flag
posted @ 2024-03-05 22:03  kelec0ka  阅读(202)  评论(0编辑  收藏  举报