
2024鹏城杯初赛 Re部分WP

joyVBS-pcb2024

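import ast
import operator
import re

# Each obfuscated character of the VBS payload is written as a small
# arithmetic expression (digits and + - * /) surrounded by whitespace; this
# pattern pulls those expressions out of the script text.
pattern = re.compile(r"\s[0-9+\-/*]+\s")

# Operators the evaluator accepts.  Anything else in the parsed tree (names,
# calls, attributes, ``**``, ...) is rejected, so file content can never run
# code the way the original ``eval`` call would have allowed.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def eval_arith(expr: str):
    """Evaluate an expression made only of integer literals and + - * /.

    Args:
        expr: the expression text, e.g. ``"130/2"``.

    Returns:
        The numeric value, as ``eval`` would produce it (``/`` yields a
        float, everything else an int).

    Raises:
        ValueError: if the expression contains anything but integer
            literals, the binary operators + - * / //, or unary +/-.
        SyntaxError: if the text is not a well-formed expression.
        ZeroDivisionError: on division by zero.
    """

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported construct in expression {expr!r}")

    return walk(ast.parse(expr, mode="eval"))


def decode_expressions(content: str) -> str:
    """Return the text encoded by the arithmetic expressions in *content*.

    Every match of ``pattern`` is evaluated and truncated to an int, which
    is taken as a character code, exactly as the original one-liner did.
    """
    return "".join(
        chr(int(eval_arith(match.strip()))) for match in pattern.findall(content)
    )


if __name__ == "__main__":
    # Read the obfuscated script and print the recovered text without a
    # trailing newline, mirroring the original behaviour.
    with open("chall.vbs", "r") as file:
        content = file.read()
    print(decode_expressions(content), end="")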

然后是一个vbs脚本,改成msgbox可以输出

' Challenge intro shown to the player before the flag prompt.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"

' The candidate flag, typed by the user.
flag = InputBox("Enter the FLAG:", "Hack for fun")

' Caesar-shifted Base64 of the expected flag; undone further down before
' the comparison.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

' Written as 9+2+2+1 in the original; the shift used below is 26 - qwfe.
qwfe = 14

' Decode a Base64 string to text using the MSXML "bin.base64" typed-value
' conversion and an ADODB stream to turn the resulting bytes into a UTF-8
' string.  Returns the decoded text.
Function Base64Decode(base64EncodedString)
Dim xml, elem
' A throwaway DOM element does the Base64 -> bytes conversion: setting
' dataType to bin.base64 makes nodeTypedValue yield the raw bytes.
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
' Write the bytes into a binary stream, rewind, then read them back as
' UTF-8 text.  The Type switch must happen before Open and again only
' after the position is reset to 0.
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
' Shift every ASCII letter of str by offset positions, wrapping within its
' own case (A-Z or a-z).  Any other character is copied through unchanged,
' so Base64 digits, "+", "/" and "=" survive the transform.
Function Caesar(str,offset)
    Dim pos, ch, base
    Caesar = ""
    For pos = 1 To Len(str)
        ch = Mid(str, pos, 1)
        ' base is the code of "A" or "a" for letters, 0 for everything else.
        base = 0
        If ch >= "A" And ch <= "Z" Then
            base = Asc("A")
        ElseIf ch >= "a" And ch <= "z" Then
            base = Asc("a")
        End If
        If base = 0 Then
            Caesar = Caesar & ch
        Else
            Caesar = Caesar & Chr(base + (Asc(ch) - base + offset) Mod 26)
        End If
    Next
End Function

' Recover the expected flag (undo the Caesar shift, then Base64) and
' compare it with what the user typed.
Dim expected
expected = Base64Decode(Caesar(wefbuwiue, 26-qwfe))
If flag = expected Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox "Wrong flag."
End If

RE5-pcb2024

Xtea,但是用了一些异常处理函数使得每次的delta均不相同

可以动调记录sum的变化值

然后在trace里面把sum的值手动记录下来

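import re

# Trace file captured while single-stepping the binary; each line of
# interest dumps the four bytes of the stack slot holding the running "sum".
TRACE_PATH = "C:\\Users\\22101\\Downloads\\trace4.txt"

# Lines that show the watched stack slot; the bytes after the prefix are the
# little-endian value of the slot.
SLOT_PREFIX = "Stack[000029E8]:0019FE70: "
SLOT_LINE = re.compile(r"Stack\[000029E8\]:0019FE70: .*")

# Value of "sum" after the final round; the original script appended it by
# hand because it never shows up as a changed slot in the trace.
FINAL_SUM = 0x873FC


def hex_to_decimal_little_endian(hex_str: str) -> int:
    """Interpret a space-separated little-endian hex dump as an integer.

    Args:
        hex_str: hex digits, optionally separated by spaces, lowest byte
            first, e.g. ``"78 56 34 12"``.

    Returns:
        The integer the bytes encode (``0x12345678`` for the example).

    Raises:
        ValueError: if the string is empty, has an odd number of digits or
            contains a non-hex character.  The original silently misparsed
            an odd-length dump by treating the last lone digit as a byte.
    """
    digits = hex_str.replace(" ", "")
    if not digits or len(digits) % 2:
        raise ValueError(f"expected an even number of hex digits, got {hex_str!r}")
    return int.from_bytes(bytes.fromhex(digits), "little")


def slot_values(trace_text: str) -> list[int]:
    """Return the watched slot's value for every matching trace line, in order."""
    values = []
    for line in SLOT_LINE.findall(trace_text):
        # The final character of the matched text is dropped, as the original
        # script did — presumably a trailing delimiter in the trace format;
        # verify against an actual trace line before relying on it.
        values.append(hex_to_decimal_little_endian(line[len(SLOT_PREFIX):-1]))
    return values


def collapse_runs(values: list[int], final: int) -> list[int]:
    """Keep one entry per run of equal neighbours, then append *final*.

    A value is kept when the next sampled value differs from it, so a slot
    that stays unchanged across several trace lines contributes one entry.
    The last sample is never kept on its own; *final* (the hand-noted
    closing value) takes its place, exactly as the original loop did.
    """
    kept = [cur for cur, nxt in zip(values, values[1:]) if cur != nxt]
    kept.append(final)
    return kept


def main(path: str = TRACE_PATH) -> None:
    """Print the distinct per-round sums found in the trace at *path*."""
    with open(path, "r") as trace:
        text = trace.read()
    data = slot_values(text)
    print(len(data))
    data2 = collapse_runs(data, FINAL_SUM)
    for value in data2[:-1]:
        print(hex(value))
    print(data2)
    print(len(data2))


if __name__ == "__main__":
    main()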

然后逆回去即可

#include<bits/stdc++.h>
#include"../defs.h"
using namespace std;
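// Key words k[0..3] handed to encrypt()/decrypt() as a2.
_DWORD key[4] = {2, 2, 3, 3};
// Sample plaintext ("01234567" repeated) for exercising encrypt().  The
// original declared this as input[9] with eight initializers, leaving a
// silent zero ninth word; the size now matches the initializer list.
unsigned int input[8] = {
    0x33323130, 0x37363534, 0x33323130, 0x37363534,
    0x33323130, 0x37363534, 0x33323130, 0x37363534,
};
// Unused here; kept from the decompiled program.
unsigned int Destination2[8] = {
    0x5E487035, 0x0DC30FB7, 0x73E48B63, 0x20CDF292, 0x46C3CD6F, 0x1F2DB262, 0x73D8C2E6, 0x1222FCB8
};
// Ciphertext: four 64-bit blocks, decrypted in place by main().
unsigned int out[8] = {
    0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74, 0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61
};
// Per-round "sum" values, one 32-entry table per ciphertext block
// (presumably the values recorded from the debugger trace — see the
// trace-parsing script above).
unsigned int key1[32] = {
    38, 7757, 28995, 31432, 40287, 52084, 60449, 92734, 103184, 133796, 139649, 167749, 168891, 169172, 189709, 205630, 214575, 240860, 243857, 258537, 279513, 311404, 333059, 358965, 377422, 378745, 407626, 409866, 419591, 451869, 454315, 454905
};
unsigned int key2[32] = {
    840, 19427, 36334, 57571, 81182, 93799, 106255, 107122, 136655, 143533, 171756, 189643, 221240, 241824, 254036, 285147, 292725, 309791, 317420,
    346824, 359103, 372608, 396996, 408645, 420974, 428150, 430481, 449745, 471859, 485995, 512923, 514025
};
unsigned int key3[32] = {
    21652, 30056, 54393, 82249, 87847, 112619, 126716, 139929, 144612, 161315, 176575, 192517, 195264, 222639, 251510, 269514, 286187, 289339, 301158, 324662, 324901, 329087, 331891, 360828, 363851, 374186, 394719, 416112, 432132, 443706, 469689, 483650
};
unsigned int key4[32] = {
    624, 7689, 35258, 48088, 72255, 84491, 115740, 139376, 154995, 180722, 193422, 217745, 232667, 255441, 262252, 274314, 277879, 303070, 303189, 321936, 347986, 367606, 383940, 389908, 407432, 411009, 426055, 451586, 466044, 495316, 521846, 553980
};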
// XTEA-style Feistel rounds over the 64-bit block a1[0..1] with key a2,
// except that the per-round "sum" is taken from the global key1[] table
// instead of being accumulated from a delta.  Prints both halves before
// the loop and halves plus sum after every round (debugging aid).
// Always returns 4, as the decompiled original did.
int __cdecl encrypt(unsigned int *a1, _DWORD *a2)
{
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    printf("%x\n", v0);
    printf("%x\n", v1);
    for (unsigned int round = 0; round < 32; ++round) {
        // v4 -= 0x61C88647 in plain XTEA; here the recovered table is used.
        const unsigned int sum = key1[round];
        v0 += (a2[1] + (v1 >> 5)) ^ (sum + v1) ^ (a2[0] + 16 * v1);
        v1 += (a2[3] + (v0 >> 5)) ^ (sum + v0) ^ (a2[2] + 16 * v0);
        printf("%x\n", v0);
        printf("%x\n", v1);
        printf("%x\n", sum);
    }
    a1[0] = v0;
    a1[1] = v1;
    return 4;
}

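// Inverse of encrypt(): undoes the 32 rounds on the 64-bit block a1[0..1]
// with key a2, consuming the per-round sum table a3[32] backwards
// (a3[31] for the first round, a3[0] for the last).  Prints the recovered
// halves afterwards and returns 4, as the decompiled original did.
//
// The original loaded the *next* sum after each round, so its final
// iteration read a3[-1] — an out-of-bounds read one word before the
// table.  Loading the sum at the top of each round uses exactly
// a3[31..0] and nothing outside the array.
int __cdecl decrypt(unsigned int *a1, _DWORD *a2, _DWORD *a3)
{
    unsigned int v0 = a1[0];
    unsigned int v1 = a1[1];
    for (int round = 31; round >= 0; --round) {
        const unsigned int sum = a3[round];
        v1 -= (a2[3] + (v0 >> 5)) ^ (sum + v0) ^ (a2[2] + 16 * v0);
        v0 -= (a2[1] + (v1 >> 5)) ^ (sum + v1) ^ (a2[0] + 16 * v1);
    }
    a1[0] = v0;
    a1[1] = v1;
    printf("%x\n", v0);
    printf("%x\n", v1);
    return 4;
}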

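// Decrypt the four ciphertext blocks with their own sum tables and print
// the result as the flag.
int main()
{
    // encrypt() was only used to check the round function against the
    // trace; the sample plaintext is still echoed for reference.
    // encrypt(&input[0], key);
    printf("%x %x\n", input[0], input[1]);

    // Block b of the ciphertext uses sum table key<b+1>.
    unsigned int *const sums[4] = {key1, key2, key3, key4};
    for (int block = 0; block < 4; ++block) {
        decrypt(&out[2 * block], key, sums[block]);
    }

    // The decrypted words, read as raw bytes, spell the 32-character flag.
    // out[] carries no terminator, so print by count rather than with %s.
    const char *flag = (const char *)out;
    for (int i = 0; i < 32; ++i) {
        printf("%c", flag[i]);
    }
    return 0;
}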

Rafflesia-pcb2024

flag{8edae458-4tf3-2ph2-9f26-1f8719ec8f8d}

入口处有几个花指令 patch完如下

image.png

TLS callBack的地方有改base表和调试检查

image.png
image.png

base64最后做了一个xor 0x18

把flag字符串base64后Xor 0x18 发现结果H@^jH和常量字符串开头很像,猜测其实根本没改过这里的Buf1

qmemcpy(Buf1, "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y", 4 * v3 + 1);

直接解回去

image.png

exec-pcb2024

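# Each wrapping layer carries a 26-byte header whose bytes 12..14 name the
# encoding of the body, and the body is followed by a 5-byte trailer.
# Those widths are the challenge's fixed format, not parsed from the data.
ENCODING_TAG = slice(12, 15)
BODY = slice(26, -5)

# Encoding tag -> stdlib decoder.  An unknown tag ends the unwrapping.
DECODERS = {
    b"b32": base64.b32decode,
    b"b64": base64.b64decode,
    b"b16": base64.b16decode,
    b"a85": base64.a85decode,
    b"b85": base64.b85decode,
}


def unwrap_layers(data: bytes, *, verbose: bool = False) -> bytes:
    """Peel nested base-N layers until the header names no known encoding.

    Args:
        data: the current layer, header and trailer included.
        verbose: print the first 100 bytes of every layer before decoding
            it, as the original loop did.

    Returns:
        The innermost payload, i.e. the first layer whose encoding tag is
        not one of the keys of ``DECODERS``.

    Raises:
        ValueError / binascii.Error: propagated from the stdlib decoder when
            a body is not valid for the encoding its header claims.
    """
    while True:
        decoder = DECODERS.get(data[ENCODING_TAG])
        if decoder is None:
            return data
        if verbose:
            print(data[:100])
        data = decoder(data[BODY])


if __name__ == "__main__":
    # ``data`` is the challenge payload prepared earlier in the script; its
    # outermost wrapping is plain base64 without a header.
    data = base64.b64decode(data)
    data = unwrap_layers(data, verbose=True)
    with open("output.txt", "wb") as file:
        file.write(data)
    print(data)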


# output.py
# Single-letter aliases for builtins; the obfuscated script below refers to
# them by these names, so they must stay bound at module level.
a, d, G, g, s, R, o, Y = True, len, list, range, next, bytes, input, print
def l(S):
    """Yield keystream bytes forever from the permutation *S* (RC4 PRGA).

    *S* is a 256-entry list that is permuted in place on every step.
    """
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]
def N(key, O):
    """Encrypt *O* with a modified RC4 keyed by *key*; return the bytes.

    Standard RC4 key scheduling and keystream generation, but each
    plaintext byte is XORed with ``keystream_byte + 2`` rather than the
    keystream byte itself.  Because that operand can reach 256 or 257,
    ``bytes()`` raises ValueError whenever the keystream byte is 254 or
    255 — this mirrors the original script and is not masked here.
    """
    key_len = len(key)
    S = list(range(256))
    # Key scheduling (KSA).
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]
    # Keystream generation (PRGA), inlined from l().
    i = j = 0
    out = bytearray()
    for byte in O:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ (S[(S[i] + S[j]) % 256] + 2))
    return bytes(out)
def E(s, parts_num):
    """Split *s* into ``parts_num`` consecutive slices of near-equal size.

    The total length is taken from ``s.decode()`` (a character count), as
    the original did, and the resulting bounds are applied to the bytes;
    the first ``total % parts_num`` slices get one extra element.
    """
    total = len(s.decode())
    base, extra = divmod(total, parts_num)
    pieces = []
    start = 0
    for idx in range(parts_num):
        stop = start + base + (1 if idx < extra else 0)
        pieces.append(s[start:stop])
        start = stop
    return pieces
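if __name__ == '__main__':
    L = o('input the flag: >>> ').encode()
    assert d(L) % 2 == 0, 'flag length should be even'
    t = b'v3ry_s3cr3t_p@ssw0rd'
    # The flag is split in two halves; each half goes through the modified
    # RC4 (N) and is compared as a hex string.
    O = E(L, 2)
    U = [N(t, i).hex() for i in O]
    # Expected ciphertext halves.  The listing had lost the opening quote of
    # the second literal, which made this block a SyntaxError.
    if U == ['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60', '2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
        Y('Congratulations! You got the flag!')
    else:
        Y('Wrong flag!')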

# 注意到是魔改的RC4,懒得自己改了
# 让他自己RC4回去

# O=E(L,2)
# U=[]
# O = []
# O.append(bytes.fromhex('1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60'))
# O.append(bytes.fromhex('2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a'))

image.png

flag{thEn_I_Ca5_BE_YoUR_Onl7_ExeCUti6n_So_Use_m3_t0_R0n_tH17_Ex3Cuti0n}