NSSCTF round#22逆向
NSSCTF round#22逆向
1.wp要及时写不然忘光光 2.赛题分文件夹放
ezcrypt
下载下来是python打包的exe,解包出pyc用pycdc反编译看一下
嗯不认识BEFORE_WITH命令。丢到gpt4o里看看
还蛮准确的,和作者提供的源码一样。不过对填充的处理不对,原程序是填充'\x00'。不过比自己硬看好太多了,pycdas弄出来的少一些提示信息,不太好看。
#generated by gpt4o
from Crypto.Cipher import Blowfish
from Crypto.Random import get_random_bytes
import os
def encrypt_file(input_path, output_path, key):
# 创建Blowfish加密器,使用CBC模式
cipher = Blowfish.new(key, Blowfish.MODE_CBC)
# 读取文件内容
with open(input_path, 'rb') as file:
plaintext = file.read()
# 计算需要填充的长度,使数据长度是块大小的整数倍
bs = Blowfish.block_size
padding_length = bs - len(plaintext) % bs
padding = bytes([padding_length]) * padding_length # 使用PKCS5填充 #不正确,实际上是用0填充
plaintext += padding
# 加密数据
encrypted_data = cipher.iv + cipher.encrypt(plaintext)
# 将加密后的数据写入输出文件
with open(output_path, 'wb') as file:
file.write(encrypted_data)
# 主程序
key = b'crypto.SomeEncode'
input_path = './input'
output_path = './output'
encrypt_file(input_path, output_path, key)
可以看到最后生成的out文件是由iv和加密的text拼接成的。故等会解密的时候先把iv和密文分开再弄弄。翻了翻原exe解包出的文件,还有一个crypto.cpython.pyc文件,反编译一下
这里有一个someencode,encrypt是修改过的tea加密。似乎是出题错了,SomeEncode实际应该由v和k解密所得而非经由encrypt加密。脚本
def encrypt(v, k):
v0 = v[0]
v1 = v[1]
(key0, key1, key2, key3) = (k[0], k[1], k[2], k[3])
sum = 0
delta = 0x9E3779B9
for _ in range(32):
sum = sum + delta & 0xFFFFFFFF
v0 = v0 + ((v1 << 3) + key0 ^ v1 + sum ^ (v1 >> 4) + key1 ^ 596) & 0xFFFFFFFF
v1 = v1 + ((v0 << 3) + key2 ^ v0 + sum ^ (v0 >> 4) + key3 ^ 2310) & 0xFFFFFFFF
return (v0, v1)
def decrypt(v, k):
v0 = v[0]
v1 = v[1]
(key0, key1, key2, key3) = (k[0], k[1], k[2], k[3])
delta = 0x9E3779B9
sum = (delta * 32) & 0xFFFFFFFF
for _ in range(32):
v1 = v1 - ((v0 << 3) + key2 ^ v0 + sum ^ (v0 >> 4) + key3 ^ 2310) & 0xFFFFFFFF
v0 = v0 - ((v1 << 3) + key0 ^ v1 + sum ^ (v1 >> 4) + key1 ^ 596) & 0xFFFFFFFF
sum = (sum - delta) & 0xFFFFFFFF
return (v0, v1)
def encrypt_all(v, k):
encrypted = []
for i in range(0, len(v), 2):
encrypted.extend(encrypt(v[i:i + 2], k))
return encrypted
def decrypt_all(v,k):
decrypted=[]
for i in range(0,len(v),2):
decrypted.extend(decrypt(v[i:i+2],k))
return decrypted
v = [
1396533857,
0xCC8AE275,
0x89FB8A63,
940694833]
k = [
17,
34,
51,
68]
char_output = decrypt_all(v,k)
for j in range(4):
for i in range(4)[::-1]:
print(chr(char_output[j] >> 8 * i & 255),end='')
#EzNssRevProjects
似乎不仅说明key要解密出来,而且说明主程序里的key要调用这个模块获取而不是字符串"cipher.SomeEncode"。写脚本提取下iv做Blowfish解密,output文件也是解包exe的时候解包出来的。
import os
from Crypto.Cipher import Blowfish
def decrypt_file(file_path, key):
# Read the file as a byte stream
with open(file_path, 'rb') as file:
data = file.read()
# Create a Blowfish cipher object with the provided key
iv=data[:Blowfish.block_size]
encrypted_data=data[Blowfish.block_size:]
cipher = Blowfish.new(key,Blowfish.MODE_CBC,iv)
# Decrypt the data
decrypted_data = cipher.decrypt(encrypted_data)
# Write the decrypted data back to the file
with open(file_path, 'wb') as file:
file.write(decrypted_data)
# Example usage
file_path = r'C:\Users\abc\Desktop\output'
key = b'EzNssRevProjects'
decrypt_file(file_path, key)
打开解密后的文件看一下,是个虚拟机,不过还好不同指令只是对对应数据进行不同的运算
这里还很奇怪,v5==0的时候是a2[4]-a2[1],但是实际上看wp要按照+运算才能解出来,难道是动态的时候还有操作?写脚本解一下
#include<stdio.h>
int main(){
unsigned char ida_chars[] =
{
0x37, 0x8D, 0x0F, 0xAB, 0x2D, 0x98, 0x37, 0xB5,
0x48, 0xA6, 0x30, 0xDA, 0x0C, 0xED, 0x1B, 0xB8,
0x00, 0xE9, 0x24, 0x98, 0x17, 0x81, 0xED, 0xB6,
0x26, 0x8C, 0x21, 0xDE, 0x04, 0xDE,
};
int v4[]={35,18,69,86,103};
int v5;
for(int i=29;i>=0;i--){
v5=i%4;
if(i%4==3){
ida_chars[i]-=v4[2]+v4[0];
}else if(v5<=3){
if(v5==2){
ida_chars[i]+=v4[1]^v4[3];
}else if(v5<=2){
if(v5){
if(v5==1){
ida_chars[i]^=v4[0]-v4[2];
}
}else{
ida_chars[i]^=v4[4]+v4[1];
}
}
}
}
for(int j=0;j<30;j++){
printf("%c",ida_chars[j]);
}
return 0;
}
//NSSCTF{M1xtru3_Py7h0n_1N_Rev}
简简又单单
打开app简单看一眼,要弄出来用户名和密码
username是xtea加密,异或了个918
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define DELTA 0x9e3779b9
#define NUM_ROUNDS 32
void decrypt(uint32_t v[2], uint32_t k[4]) {
uint32_t sum = 0xC6EF3720;
for (int i = 0; i < NUM_ROUNDS; i++) {
v[1] -= (((v[0]<<4 ^ v[0]>>5) + v[0])^918) ^ (sum + k[(sum>>11) & 3]);
sum -= DELTA;
v[0] -= (((v[1]<<4 ^ v[1]>>5) + v[1])^918) ^( sum + k[sum & 3]);
}
}
void hex_to_int_array(const char* hex_str, uint32_t* int_array) {
size_t len = strlen(hex_str);
for (size_t i = 0; i < len; i += 8) {
sscanf(hex_str + i, "%8x", &int_array[i / 8]);
}
}
void int_array_to_string(const uint32_t* int_array, size_t len, char* str) {
for (size_t i = 0; i < len; i++) {
str[i * 4] = (char)((int_array[i] >> 24) & 0xFF);
str[i * 4 + 1] = (char)((int_array[i] >> 16) & 0xFF);
str[i * 4 + 2] = (char)((int_array[i] >> 8) & 0xFF);
str[i * 4 + 3] = (char)(int_array[i] & 0xFF);
}
str[len * 4] = '\0';
}
//3c36eb49 81acb0c0 fac269ae ca5bf9ec
int main() {
const char* encrypted_username_hex1 = "3c36eb4981acb0c0";
uint32_t encrypted_username_int1[4];
hex_to_int_array(encrypted_username_hex1, encrypted_username_int1);
uint32_t key[4] = {305419896, 1450748877, -1985229329, -839970252};
decrypt(encrypted_username_int1, key);
char decrypted_username[17];
int_array_to_string(encrypted_username_int1, 4, decrypted_username);
for (int i = 0; i < 4; i++) {
printf("%c", decrypted_username[3-i]);
}
for (int i = 0; i < 4; i++) {
printf("%c", decrypted_username[7-i]);
}
// printf("Decrypted Username: %s\n", decrypted_username);
const char* encrypted_username_hex2 = "fac269aeca5bf9ec";
uint32_t encrypted_username_int2[4];
hex_to_int_array(encrypted_username_hex2, encrypted_username_int2);
decrypt(encrypted_username_int2, key);
char decrypted_username2[17];
int_array_to_string(encrypted_username_int2, 4, decrypted_username2);
for (int i = 0; i < 4; i++) {
printf("%c", decrypted_username2[3-i]);
}
for (int i = 0; i < 4; i++) {
printf("%c", decrypted_username2[7-i]);
}
return 0;
}
//username NS5_R0Un6_z2_apK
password的校验是调用的native方法,用Android killer解包看下so文件,也提示了是rc4
ValidatePassword
或者可以放到模拟器里动调一下,rc4是修改过128轮的,运算完转成hex比较。写脚本试一下
def rc4_decrypt(key, ciphertext):
# Convert the key from string to a list of integers
key = [ord(char) for char in key]
# Convert the hexadecimal ciphertext to a list of integers
ciphertext = [int(ciphertext[i:i+2], 16) for i in range(0, len(ciphertext), 2)]
S = list(range(128))
j = 0
out = []
# 初始化S盒
for i in range(128):
j = (j + S[i] + key[i % len(key)]) % 128
S[i], S[j] = S[j], S[i]
# 生成密钥流并解密密文
i = j = 0
for char in ciphertext:
i = (i + 1) % 128
j = (j + S[i]) % 128
S[i], S[j] = S[j], S[i]
k = S[(S[i] + S[j]) % 128]
out.append(chr(char ^ k))
return ''.join(out)
print(rc4_decrypt('NS5_R0Un6_z2_apK', '572e180b1a680b3e5276344b241d5b52525a043173346b1355442028'))
#NSSCTF{V3ry_4z_1ib_W1th_4pk}
ezhook
看了看比较后输出right?wrong?应该主程序就不在main这了。函数列表里转了一下看到
像是有东西的样子,查了下系统调用,sub140001030把这个函数作为参数读入
动调下可以发现sub140001030用sub140001240的地址覆盖了MessageBoxA调用的地址。值得注意MessageBoxA把buf1作为参数读入。
在sub140001240里调用了sub1400014e0对输入进行处理,看起来是xxtea,delta是0x11451981
拿密文和key做下解密,flag直接出来了,其他的异或运算似乎没有影响加解密。
#include<stdio.h>
#define delta 0x11451981
int main(){
unsigned char ida_chars[] =
{
0xE4, 0xE7, 0xFE, 0xE3, 0x17, 0x1C, 0xDE, 0x32, 0xE6, 0xB8,
0x68, 0x40, 0x40, 0xD8, 0x72, 0xFA, 0x88, 0x14, 0xE1, 0x85,
0xCD, 0x81, 0xAA, 0xDE, 0x1D, 0xE8, 0x92, 0x41, 0xB8, 0x1E,
0x5E, 0xCF, 0xCE, 0x49, 0x27, 0x22, 0x39, 0x7D, 0x50, 0xDA
};
//
unsigned int v[10] = {0x0E3FEE7E4, 0x32DE1C17, 0x4068B8E6, 0x0FA72D840, 0x85E11488,0x0DEAA81CD, 0x4192E81D, 0x0CF5E1EB8, 0x222749CE, 0x0DA507D39};
unsigned int key[4] = {0x6C316548, 0x53734E30, 0x14451121, 0x811919};
unsigned int sum = 0;
unsigned int y,z,p,rounds,e;
int n = 10;
int i = 0;
rounds = 6 + 52/n;
y = v[0];
sum = rounds*delta;
do
{
e = sum >> 2 & 3;
for(p=n-1;p>0;p--)
{
z = v[p-1];
v[p] -= ((((z>>5)^(y<<2))+((y>>3)^(z<<4))) ^ ((key[(p&3)^e]^z)+(y ^ sum)));
y = v[p];
}
z = v[n-1];
v[0] -= (((key[(p^e)&3]^z)+(y ^ sum)) ^ (((y<<2)^(z>>5))+((z<<4)^(y>>3))));
y = v[0];
sum = sum-delta;
}while(--rounds);
for(i=0;i<n;i++)
{
printf("%c%c%c%c",*((char*)&v[i]+0),*((char*)&v[i]+1),*((char*)&v[i]+2),*((char*)&v[i]+3));
//printf("%c%c%c%c",*((char*)&v[i]+3),*((char*)&v[i]+2),*((char*)&v[i]+1),*((char*)&v[i]+0));
}
return 0;
}
//NSSCTF{C0ngr@tulat1ons!H0Ok_bY_1t_s3lf!}
Go!Go!Go!
看着main函数似乎是想修改shell64.exe的内容
查看一下main函数另一个参数的内容
以mz开头,似乎是包含了一个程序,用resourcehacker提取下
dump下来后用ida看看,是go语言,应该是要分析的部分了
进到Function1里看看
第一次fprintln应该是打印提示,fscan是读入第一段flag,进入crypto_md5_Sum看看
应该是标准算法。回到fun1里,看到md5下面有比较的内容
用hashcat破解一下
因为之前计算过所以用--show参数可以展示,key1: G0@K3y。下面是另一个fscan,然后调用sha256做摘要之后对比
同样用hashcat算一下
hashcat -m 1400 -a 3 c32a69f4609191a2c3e6dbe2effc329bff20617230853462e8745f2c058bec2f ?a?a?a?a?a?a
key2: n3SC1f
fun1就分析完了,下面看fun2。看起来是rc4,那么直接把密文放进去动调下应该就好
动调下可以发现前面的两个key是拼接起来作为rc4的key。替换输入为密文
flag: NSSCTF{Y0u_F1nd_1t!K3ep_YoR_fl@g_3afe!g0!GO!Og!}
