技术教程 2018 CISCN reverse wp 正文

2018 CISCN reverse wp

2022-10-21,,

2018 CISCN reverse

这题比赛的时候没做出来,主要是心态崩了看不下去。。赛后看了下网上的wp发现不难,是自己想复杂了。这里将我的思路和exp放出来,希望大家一起交流学习。

main函数

它首先是check了输入的前六个字符是否与“CISCN{”匹配,接着使用strtok函数将字符串以“_”分割为三部分,然后分别对这三部分check。

sub_4012DE函数

关键部分如下

将第一部分的字符串经过以上变换后与一串MD5值5BH8170528842F510K70EGH31F44M24B比较。

那么我们可以直接逆出原本的md5,这个函数的脚本如下。

def change1(str0):

	#str0即要逆的md5

	str00 = ''

	for i in range(len(str0)):

		temp = ord(str0[i])-i%10

		if temp <= ord('A') + 5 and temp >= ord('A'):

			str00 += chr(temp)

		else:

			str00 += str0[i]

	return str00

得到5AF8170528842C510D70EFF31A44E24A ,在线解密得到tima

sub_401411函数

这个函数相较上个只是多了个亦或的过程,同样可逆,脚本如下。

def change2(str0):

  	#str0是已经经过change1处理的md5

	byte_603860 = [0x92,0x84,0x3d,0xa7,0x14,0xf2,0xfb,0x4b,0xee,0x8a,0xc2,0xc3,0x76,0x68,0x13,0x1e]

	str2 = '['

	for i in range(32):

		if i%2 == 0:

			str2 += '0x' + str0[i]

		elif i != len(str1) - 1 :

			str2 += str0[i] + ','

		else:

			str2 += str0[i] + ']'

	#print str2

	str2 = eval(str2)

	str2_2 = ''

	for i in range(len(str2)):

		str2_2 += str( hex(str2[i] ^ byte_603860[i])[2:] )

	return str2_2

得到c87c2aa23c76d71ae3fa2d306c2cf154 ,在线解密得到yefb

sub_401562函数

这个函数除了有sub_401411的全部加密过程,还会生成一个flag文件,但由于其中未知数太多,所以不采用逆向全部过程,生成flag文件的代码如下。

可以看到,我们只需爆破出v15,v16的值即可得到正确的flag文件,爆破脚本如下,这里我只取了前500个byte,能识别出文件格式即可,其实更少也行。

(这里使用了python的库filetype,pip安装即可)

import filetype

data = [0xc7,0xb7,0xc7,0x8f,0x38,0x7f,0x72,0x29,0x71,0x29,0x38,0x6e,0x39,0x6e,0x39,0x43,0x39,0x43,0x38,0x6f,0xc7,0xb4,0x38,0x2c,0x38,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x90,0xe3,0x6f,0x7b,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0xc7,0xaf,0x38,0x7e,0x30,0x6f,0x2e,0x6f,0xb8,0x6c,0x39,0x4e,0x38,0x6d,0x29,0x6e,0x3b,0x7e,0x39,0x90,0xfc,0x6f,0x27,0x6f,0x38,0x6e,0x3d,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6e,0x3a,0x6c,0x3c,0x6a,0x3e,0x68,0x30,0x66,0x32,0x64,0xc7,0xab,0x38,0xda,0x28,0x6f,0x3a,0x6e,0x3b,0x6c,0x3a,0x6b,0x3b,0x6a,0x3d,0x6b,0x3c,0x6f,0x38,0x6e,0x45,0x6e,0x3a,0x6c,0x38,0x6b,0x29,0x6a,0x2a,0x4e,0x9,0x2e,0x3e,0x7c,0x69,0xe,0x3f,0x4d,0x49,0x7b,0xa,0xee,0xa9,0xce,0x30,0x4c,0x7a,0xde,0xf9,0x7a,0x6a,0xbe,0xc8,0x4b,0xb,0xd,0x4a,0xed,0x31,0x65,0x2e,0x78,0x20,0x76,0x22,0x4a,0x1e,0x48,0x10,0x46,0x12,0x5b,0xd,0x59,0xf,0x57,0x1,0x55,0x7b,0x2b,0x7d,0x29,0x7f,0x27,0x71,0x25,0x6b,0x3b,0x6d,0x39,0x6f,0x37,0x61,0x35,0x5b,0xb,0x5d,0x9,0x5f,0x7,0x51,0x5,0x4b,0x1b,0x4d,0x19,0x4f,0x17,0x41,0x15,0xbb,0xeb,0xbd,0xe9,0xbf,0xe7,0xb1,0xe5,0xaa,0xfc,0xac,0xfa,0xae,0xf8,0xa0,0xf6,0xa2,0xcd,0x9b,0xcb,0x9d,0xc9,0x9f,0xc7,0x91,0xc5,0x8a,0xdc,0x8c,0xda,0x8e,0xd8,0x80,0xd6,0x82,0xad,0xfb,0xab,0xfd,0xa9,0xff,0xa7,0xf1,0xa5,0xea,0xbc,0xec,0xba,0xee,0xb8,0xe0,0xb6,0xe2,0x8e,0xda,0x8c,0xdc,0x8a,0xde,0x88,0xd0,0x86,0xd2,0x9e,0xca,0x9c,0xcc,0x9a,0xce,0x98,0xc0,0x96,0xc2,0x90,0xfc,0x6f,0x27,0x6e,0x38,0x6c,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6e,0x3a,0x6c,0x3c,0x6a,0x3e,0x68,0x30,0x66,0x32,0x64,0xc7,0xab,0x38,0xda,0x29,0x6f,0x3a,0x6e,0x3a,0x6b,0x3c,0x6c,0x3c,0x68,0x3d,0x6b,0x3c,0x6f,0x39,0x6d,0x4f,0x6f,0x39,0x6d,0x3b,0x7e,0x3c,0x6a,0x19,0x5e,0x3e,0x7d,0x79,0x3e,0x3f,0xe,0x49,0x7c,0x1a,0x5d,0xb9,0x67,0x2c,0x2d,0xa9,0xce,0x89,0xae,0x31,0x4c,0xb,0x3d,0xc8,0x7a,0x5a,0x1d,0xe9,0x65,0x2e,0x4b,0xc,0x8e,0x1d,0x9e,0x2f,0x77,0x21,0x75,0x1e,0x48,0x10,0x46,0x12,0x5a]

for i in range(256):

	for j in range(256):

		result = ''

		for k in range(len(data)):

			if k&1 :

				result += chr( data[k]^i )

			else:

				result += chr( data[k]^j )

		a = open('re_guess','w')

		a.write(result)

		a.close()

		kind = filetype.guess('re_guess')

		if kind is None:

			continue

		else:

			print i,j,kind.extension

结果如下

23 216 Z

42 216 Z

76 56 mp3

111 56 jpg

150 226 ps

237 138 exe

250 133 bmp

jpg很可疑,于是生成完整文件看看。

x = open('data.txt','r').read().replace('\n','')

data = eval('[' + x + ']')

i = 111

j = 56

a = open('flag.jpg','w')

temp = ''

for k in range(len(data)):

	if k&1:

		temp += chr( data[k] ^ i )

	else:

		temp += chr( data[k] ^ j )

a.write(temp)

a.close()

idc提取data.txt的脚本如下(shift+F2打开Execute script)

auto addr1 = 0x006020E0;

auto i,x;

for(i=0; i < 6016 ; i ++ )

{

    Message("0x%x,",Byte(i+addr1));

}

得到第三部分的flag

验证

将以上得到的三部分以下划线拼接得到

CISCN{tima_yefb_MayDetyU$hhtIm2}

运行结果如下图

作者: LB919

出处:http://www.cnblogs.com/L1B0/

如有转载,荣幸之至!请随手标明出处;

2018 CISCN reverse wp的相关教程结束。

《2018 CISCN reverse wp.doc》

下载本文的Word格式文档,以方便收藏与打印。

Copyright 2023. 昆居客 - IT编程,互联网信息技术文档大全!