HNCTF 2022 WEEK3

[HNCTF 2022 WEEK3]Double

image

image

一个简单的异或,arr为

image

enc为

image

导出数据,编写脚本
enc = [0x1FAC, 0x4F91, 0x3796, 0x0B584, 0x0E18, 0x0C1E2, 0x7370, 0x1FAC, 0x0A880, 0x0B8F1, 0x233B, 0x7370, 0x27B8, 0x4F91, 0x0EB08, 0x8BAC, 0x5900, 0x3081, 0x4E1A, 0x599D, 0x5BE3, 0x5C49, 0x0F53B, 0x0FFDA, 0x0BA6F, 0x3E5D, 0x27B8, 0x5B51, 0x8A30, 0x2A10, 0x1E]
arr = [15374,50828,20199,31702,49944,53123,60189,12367,65280,11322,26221,26520,53269,7766,22058,35457,23701,30880,24813,4372,44507,29484,20880,4405,58195,59849,2735,10264,9782,39718,
       15625,6335,10852,20285,44639,19994,18794,56196,9411,65498,14219,8030,53361,35953,1582,55001,36724,59478,59973,48836,1158,61760,29338,32765,45037,24376,1788,19389,13090,25822,
       17807,35376,29972,35756,46468,47345,29372,49634,45232,23625,43967,21403,56272,3500,60168,23523,15154,54581,8108,64355,3608,14230,20369,26180,38824,3590,64409,43136,51586,
       34971,20361,16356,61054,3047,35533,12808,10768,25394,10966,976,62779,22784,366,63784,23377,10168,48879,9019,382,25584,49189,58653,15684,28470,5881,12417,28767,46966,22941,
       20188,25943,48662,36622,47727,15965,29552,5958,27660,28971,23739,25433,36015,20183,44744,64423,29885,58289,23863,19790,33028,46096,34390,8566,9147,9310,43310,44314,58672,
       55164,57411,37142,60892,43794,3431,30341,15545,49102,23083,14841,37003,65086,48408,56148,3243,15446,65139,55668,3848,23432,41202,15752,40420,2357,21172,41792,60040,48754,
       28110,27179,12614,856,3919,64096,9707,56007,1898,15719,17392,40860,23398,29027,36667,32443,1489,25284,40853,7686,23896,59780,30131,3423,61016,9104,64401,10410,34781,
       62954,17468,26434,6553,35049,64782,51389,22008,47881,27664,32872,52692,10662,56735,52931,25111,48680,15994,59166,50547,1067,56838,51508,13777,61257,25507,61583,9953,
       58910,10000,46771,4320,48438,18844,33862,46612,59681,56109,19128,19595,53672,27291,55319,62281,52882,32653,19558,53056,37225,0]
flag = ""
for i in range(30):
    flag += chr(arr.index(enc[i]) ^ i)
print(flag)
#NSSCTF{I_Have_D0ub1e_Pr0cess!}

[HNCTF 2022 WEEK3]Try2debugPlusPlus

image

image

后面是一个tea加密,前面是一个dododo函数

image

image

对v6进行了加密,因此无法直接获得enc和key的值,动态调试看看
在main函数处下断点,在第一个exit处f7,然后f8跳过

image

看到了key值

image

image

再看enc的值

image

image

可以开始编写脚本了
#include <iostream>
#include <stdio.h>  
#include <stdint.h>
using namespace std;
int main()
{
    unsigned int enc[12] = { 0x0DAD5B6C5, 0x0CE5F717, 0x8BE8AF6B, 0x0D74C6EB4, 0x0EEB8B5A0, 0x0A07618E0, 0x1B425FD0, 0x0C0B77641, 0x0A30FA9BE,0x0CB4F5089, 0x0EBF9EC1D, 0x0F870EF3D, };
    unsigned int key[4] = { 0x91 ,0x71 ,0x11 ,0xbb, };
    unsigned int a1, a2;
    for (int i = 0; i < 6; i++)
    {
        a1 = enc[2 * i];
        a2 = enc[2 * i + 1];
        long dt = 2042207799 * 32;
        for (int j = 0; j < 32; ++j)
        {
            a2 -= (((a1 * 16) ^ (a1 >> 5)) + a1) ^ (dt + key[(dt >> 11) & 3]);
            dt -= 2042207799;
            a1 -= (((a2 * 16) ^ (a2 >> 5)) + a2) ^ (dt + key[(dt & 3)]);
        }
        enc[2 * i] = a1;
        enc[2 * i + 1] = a2;
    }
    for (int i = 0; i <12; i++)
    {
        printf("%X\n", enc[i]);
    }
}
//#_Ant!+Debu9

image

[HNCTF 2022 WEEK3]What's 1n DLL?

image
image
image

这里用 LoadLibrary 加载了Dll1.dll的动态链接库,之后用 GetProcAddress函数来获取加载Dll1.dll,来获取其中名为ttt的函数地址,之后将其保存在ProcAddress变量中。
在这个exe文件里可以发现enc的值和key的值

image
image

接着分析dll文件

image

发现dll有upx壳,尝试自动脱壳

image

不可以自动脱壳,放进010中查看

image

将此处的UFO改成UPX就可以了

image

再用IDA打开,找到ttt函数

image

发现是一个XXTEA加密,编写脚本
#include <stdbool.h>
#include <stdio.h>
#define MX ((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))
bool xxtea(unsigned int* v, int n, unsigned int* k) 
{
    unsigned int z = v[n - 1], y = v[0], sum = 0, e, DELTA = 0x9e3779b9;
    unsigned int p, q;
    n = -n;
    q = 6 + 52 / n;
    sum = q * DELTA;
    while (sum != 0) 
    {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--)
            z = v[p - 1], y = v[p] -= MX;
        z = v[n - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    }
    return 1;
}

int main(int argc, char const* argv[]) 
{
    unsigned int v[5] = { 0x22a577c1,0x1c12c03,0xc74c3ebd,0xa9d03c85,0xadb8ffb3 }; 
    unsigned int key[4] = { 55,66,77,88 };
    int n = 5;
    xxtea(v, -n, key);
    char* p = (char*)v;
    for (int i = 0; i < 20; i++) 
    {
        printf("%c", *p);
        p++;
    }
    return 0;
}
//NSSCTF{He110_w0r1d!}

[HNCTF 2022 WEEK3]Help_Me!

image
image
image

查阅资料发现是一个动态规划问题,背包问题

image

如果超过200,就会直接嗝屁,点进func函数里看看

image

查看背包问题相关文章后写出脚本
values = [26,59,30,19,66,85,94,8,3,44,5,1,41,82,76,1,12,81,73,32,0]
weights = [71,34,82,23,1,88,12,57,10,68,5,33,37,69,98,24,26,83,16,26,0]
capacity = 200

def package(weights, values, capacity):
    n = len(weights)
    dp = [[0] * (capacity + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for w in range(capacity + 1):
            if weights[i - 1] <= w:
                dp[i][w] = max(dp[i - 1][w], dp[i - 1][w - weights[i - 1]] + values[i - 1])
            else:
                dp[i][w] = dp[i - 1][w]
    nunbers = []
    i, w = n, capacity
    while i > 0 and w > 0:
        if dp[i][w] != dp[i - 1][w]:
            nunbers.append(i - 1)
            w -= weights[i - 1]
        i -= 1
    return dp[n][capacity], nunbers

max_value, nunbers = package(weights, values, capacity)

print("最大含金量:", max_value)
print("作业编号:", nunbers[::-1])

# 最大含金量: 452
# 作业编号: [1, 4, 6, 10, 12, 13, 18, 19]
输入进去后发现它直接退出来了,所以我们下断点,动调

image

[HNCTF 2022 WEEK3]CM2

下载下来以后是一个安装包

image

我们直接安装一手

image

先查看exe文件

image

image
image

在String里看到了admin

image
image
image

发现用户名为admin,再来找找flag,直接查看admin的那段函数

image

发现关键函数sub_140001450,点进去查看

image

发现只有一段加密,动调看v5

image

由于__int128是(128/8)=16,16*5个v5为80,DWORD为4字节,所以一共有20个数组

image

先转换成ddshift+8 ,Array size为20

image

然后convert为DWORD

image

开始编写脚本
data = [0x000000E4, 0x00000035, 0x00000035, 0x00000034, 0x00000045, 0x00000064, 0x000000B7, 0x00000045, 0x00000086, 0x00000013, 0x00000037, 0x000000F5, 0x00000013, 0x00000037, 0x000000F5, 0x00000015, 0x00000015, 0x00000015, 0x00000045, 0x000000D7]
for i in range(0,len(data),4):
    for j in range(i,i+4):
        t1=bin(data[j])[2:].zfill(8)
        t2=int(t1[4:]+t1[:4],2)
        print(chr(t2),end='')
#NSSCTF{Th1s_1s_QQQT}
posted @ 2024-03-31 17:12  kelec0ka  阅读(139)  评论(0编辑  收藏  举报