CISCN2024

PREFACE:国赛,看题

# asm_re

直接把二进制导入为 bin 文件,用 IDA 反编译即可

# androidso_re

用 frida hook 住 IvParameterSpec 构造函数和 Arrays.copyOf,把 IV 和 key 的原始字节打出来,再做 DES 解密即可。注意 key/IV 是二进制数据,按 UTF-8 转成 String 打印会丢字节,应按字节(hex)输出。

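// Frida script for androidso_re: dump the DES key/IV material as it flows
// through the JCA.  The IV is captured in the IvParameterSpec(byte[])
// constructor; the key bytes show up in Arrays.copyOf(byte[], int), which
// the app calls on the key material before use.
//
// Bytes are printed as hex instead of being decoded into a java.lang.String:
// key/IV bytes are arbitrary binary, and an invalid UTF-8 sequence is silently
// replaced with U+FFFD, which corrupts the recovered value.
function toHex(javaBytes) {
    var out = [];
    for (var i = 0; i < javaBytes.length; i++) {
        // Java bytes are signed (-128..127); mask before formatting.
        var b = javaBytes[i] & 0xff;
        out.push((b < 0x10 ? '0' : '') + b.toString(16));
    }
    return out.join(' ');
}

setImmediate(function () {
    Java.perform(function () {
        // NOTE: Arrays.copyOf(byte[], int) is called all over the framework,
        // so this hook is noisy; filter by length (DES key/IV are 8 bytes)
        // if the log is too busy.
        var Arrays = Java.use('java.util.Arrays');
        Arrays.copyOf.overload('[B', 'int').implementation = function (original, newLength) {
            console.log('Arrays.copyOf(byte[' + original.length + '], ' + newLength + '): ' + toHex(original));
            return this.copyOf(original, newLength);
        };
        console.log('Hooking Arrays.copyOf(byte[], int)...');

        // Install the IvParameterSpec hook once.  Assigning .implementation a
        // second time (as a separate setImmediate callback) only overwrites
        // the first hook, so the two copies were never both active.
        var IvParameterSpec = Java.use('javax.crypto.spec.IvParameterSpec');
        IvParameterSpec.$init.overload('[B').implementation = function (iv) {
            console.log('IvParameterSpec(byte[' + iv.length + ']): ' + toHex(iv));
            return this.$init(iv);
        };
        console.log('Hooking IvParameterSpec(byte[])...');
    });
});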

# rust_baby

动态调试,可以看到一个 JSON 包,里面有密文。

有 IV,有 key,是 AES,但用的是流密码模式(密文 = 明文 ⊕ 密钥流),所以不用自己实现 AES:在和密钥流做异或的位置下断点,把异或前后的数据 dump 出来即可。

image-20240527162658253

然后解自写的小加密即可:

#include <bits/stdc++.h>
using namespace std;
// Six 64-bit block keys; main() picks lld[v - 3*((v/3) & 0xFE)] for block v,
// which cycles through slots 0..5 over the 13 blocks.  dec() splits the chosen
// value little-endian into 8 key bytes.
unsigned long long lld[] = {0xE71675B493928150, 0x37C65D4C7BA24118, 0x2F6E0584C3B26920, 0x0C74625ECF3321978, 0x9FFE15F4FB724940, 0x27C69D1453F2E1B0};
// Ciphertext dumped from the process (106 bytes; main() decrypts the first
// 13*8 = 104 in place).  The trailing 118/117/116/119 pattern looks like
// padding of a repeating 4-byte block, not flag data -- TODO confirm.
unsigned char enc[] = {86, 88, 82, 84, 79, 4, 84, 7, 0, 4, 3, 81, 7, 29, 5, 91, 28, 2, 30, 7, 87, 84, 0, 28, 11, 82, 80, 3, 29, 1, 7, 6, 82, 5, 6, 85, 9, 81, 8, 7, 2, 79, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116, 119, 119, 118, 118, 117, 117, 116, 116};
// Digit table read by dec() into h0/h1, but those locals are never used, so
// this array has no effect on the output.
unsigned char henhen[] = {1,1,4,5,1,4,1,9,1,9,8,1,0};
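// Undo one 8-byte block of the custom cipher, in place.
//
// a1: in/out, 8 bytes (the caller has already XORed them with 0x33);
//     overwritten with the recovered block.
// t:  64-bit block key, split little-endian into key[0..7].  Taken as
//     unsigned so the byte extraction never right-shifts a negative value
//     (callers pass the unsigned lld[] constants, which exceed LLONG_MAX).
//
// Output byte pair i is taken from input positions key[2i] & 7 and
// key[2i+1] & 7, then offset by (1 - i).  Only the low 3 bits of each key
// byte are used.  The unused henhen[] lookups of the original were dropped.
void dec(unsigned char *a1, unsigned long long t)
{
    unsigned char key[8];
    for (int i = 0; i < 8; i++) {
        key[i] = static_cast<unsigned char>(t & 0xFF);
        t >>= 8;
    }

    unsigned char ret[8];
    for (int i = 0; i < 4; i++) {
        const int src0 = key[i * 2] & 7;
        const int src1 = key[i * 2 + 1] & 7;
        // +1 then -i; the cast keeps the mod-256 wraparound of the original.
        ret[i * 2]     = static_cast<unsigned char>(a1[src0] + 1 - i);
        ret[i * 2 + 1] = static_cast<unsigned char>(a1[src1] + 1 - i);
    }

    std::copy(ret, ret + 8, a1);
}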
// Decrypt enc[] block by block and write the plaintext to stdout.
// Each 8-byte block is first XORed with 0x33, then passed to dec() with key
// slot lld[b - 3*((b/3) & 0xFE)], which walks slots 0..5 over b = 0..12.
int main()
{
    for (unsigned char blk = 0; blk < 13; blk++) {
        unsigned char *cur = enc + blk * 8;

        for (unsigned char *p = cur; p != cur + 8; ++p) *p ^= 0x33;

        const unsigned keyIdx = blk - 3 * ((blk / 3) & 0xFE);
        dec(cur, lld[keyIdx]);

        for (const unsigned char *p = cur; p != cur + 8; ++p) std::putchar(*p);
    }
    return 0;
}

# gdb_debug

先写了下面这段来测试随机数,结果发现种子是固定的,rand() 序列不变,根本不用爆破。注意 rand()/srand() 的输出依赖具体 libc 实现(这里按 glibc 的算),换平台结果会不一样。

#include<bits/stdc++.h>
using namespace std;
// flag{00000000000000000000000000000000}
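// One candidate seed: replays the binary's transform of the placeholder
// flag and prints the first rand() stream plus the final bytes, both in hex.
//
// Steps (as reversed from the binary): xor with a rand() stream, a
// Fisher-Yates shuffle driven by rand() % (i + 1), then xor with a second
// rand() stream.  Only the first 32 positions are processed here; the
// solver below works on all 38 bytes of the real flag.
//
// Caveat: srand()/rand() are the host libc's PRNG.  The values only match
// the target when both use the same implementation (glibc here).
static void emit_round(uint32_t seed)
{
    srand(seed);
    printf("%x : ", seed);

    uint8_t input[39] = "flag{00000000000000000000000000000000}";
    uint8_t tmp_input[38] = {0};
    uint8_t xor_list1[38];
    uint8_t map_list[38];

    for (int32_t k = 0; k < 32; k++) {
        xor_list1[k] = static_cast<uint8_t>(rand());  // low byte only
        input[k] ^= xor_list1[k];
    }
    printf("rand list1:\n");
    for (int32_t k = 0; k < 32; k++) printf("%x,", xor_list1[k]);
    printf("\n");

    for (int32_t k = 0; k < 32; k++) map_list[k] = static_cast<uint8_t>(k);
    for (int32_t k = 31; k >= 0; k--) {
        const uint32_t j = rand() % (k + 1);
        const uint8_t t = map_list[k];
        map_list[k] = map_list[j];
        map_list[j] = t;
    }
    for (int32_t k = 0; k < 32; k++) tmp_input[k] = input[map_list[k]];

    for (int32_t k = 0; k < 32; k++) tmp_input[k] ^= static_cast<uint8_t>(rand());
    for (int32_t k = 0; k < 32; k++) printf("%x,", tmp_input[k]);
    printf("\n");
}

// Try seeds i << 28 for i = 0..14.  The seed loop no longer shares its
// index name with the inner loops (the original shadowed `i` four times).
int main()
{
    for (uint32_t i = 0; i < 0xf; i++) emit_round(i << 28);
    return 0;
}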

那很容易了,解密就行了

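# Inverts the three-step transform the binary applies to the flag
# (xor with rand() stream #1, a shuffle, xor with rand() stream #3) followed
# by the final xor against the comparison constant.  Every rand() value was
# read off under gdb (the seed is fixed), so nothing is brute-forced here.

# String the transformed input is compared against.
ENC = "congratulationstoyoucongratulationstoy"

# Comparison constant (40 entries recorded; only the first 38 are used).
KEY = [0xBF, 0xD7, 0x2E, 0xDA, 0xEE, 0xA8, 0x1A, 0x10, 0x83, 0x73,
       0xAC, 0xF1, 0x06, 0xBE, 0xAD, 0x88, 0x04, 0xD7, 0x12, 0xFE,
       0xB5, 0xE2, 0x61, 0xB7, 0x3D, 0x07, 0x4A, 0xE8, 0x96, 0xA2,
       0x9D, 0x4D, 0xBC, 0x81, 0x8C, 0xE9, 0x88, 0x78, 0x00, 0x00]

# Third rand() stream: applied last, so undone first.
RAND_LIST3 = [0xde, 0xaa, 0x42, 0xfc, 0x9, 0xe8, 0xb2, 0x6, 0xd, 0x93, 0x61, 0xf4, 0x24, 0x49, 0x15, 0x1, 0xd7, 0xab, 0x4, 0x18, 0xcf, 0xe9, 0xd5, 0x96, 0x33, 0xca, 0xf9, 0x2a, 0x5e, 0xea, 0x2d, 0x3c, 0x94, 0x6f, 0x38, 0x9d, 0x58, 0xea]

# rand() % (i + 1) values that drove the shuffle.  Kept for reference only:
# the resulting permutation is recorded directly in PERM below.
RAND_LIST2 = [0x21, 0x0, 0xa, 0x0, 0x20, 0x1f, 0xa, 0x1d, 0x9, 0x18, 0x1a, 0xb, 0x14, 0x18, 0x15, 0x3, 0xc, 0xa, 0xd, 0x2, 0xf, 0x4, 0xd, 0xa, 0x8, 0x3, 0x3, 0x6, 0x0, 0x4, 0x1, 0x1, 0x5, 0x4, 0x0, 0x0, 0x1]

# Shuffle as applied by the binary: out[i] = in[PERM[i]].
PERM = [0x12, 0x0E, 0x1B, 0x1E, 0x11, 0x05, 0x07, 0x01, 0x10, 0x22,
        0x06, 0x17, 0x16, 0x08, 0x19, 0x13, 0x04, 0x0F, 0x02, 0x0D,
        0x25, 0x0C, 0x03, 0x15, 0x1C, 0x14, 0x0B, 0x1A, 0x18, 0x09,
        0x1D, 0x23, 0x1F, 0x20, 0x24, 0x0A, 0x00, 0x21]

# First rand() stream: applied first, so undone last.
RAND_LIST1 = [0xd9, 0xf, 0x18, 0xbd, 0xc7, 0x16, 0x81, 0xbe, 0xf8, 0x4a, 0x65, 0xf2, 0x5d, 0xab, 0x2b, 0x33, 0xd4, 0xa5, 0x67, 0x98, 0x9f, 0x7e, 0x2b, 0x5d, 0xc2, 0xaf, 0x8e, 0x3a, 0x4c, 0xa5, 0x75, 0x25, 0xb4, 0x8d, 0xe3, 0x7b, 0xa3, 0x64]


def decrypt(enc: str) -> str:
    """Recover the flag from the 38-character comparison string ``enc``.

    Raises ValueError if ``enc`` is not exactly as long as the recorded
    permutation, since PERM/RAND_LIST* only describe that length.
    """
    n = len(enc)
    if n != len(PERM):
        raise ValueError(f"expected {len(PERM)} bytes, got {n}")

    # Undo the final comparison xor and the third rand() xor in one pass.
    data = [ord(ch) ^ KEY[i] ^ RAND_LIST3[i] for i, ch in enumerate(enc)]

    # Undo the shuffle: forward was out[i] = in[PERM[i]], so in[PERM[i]] = out[i].
    unshuffled = [0] * n
    for i in range(n):
        unshuffled[PERM[i]] = data[i]

    # Undo the first rand() xor.
    return "".join(chr(v ^ RAND_LIST1[i]) for i, v in enumerate(unshuffled))


if __name__ == "__main__":
    print(decrypt(ENC))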

# whereThel1b

找到那张表:流程是先 base64 再逐字节和表异或,逆过来把异或撤掉,再 base64 解码即可。

需要注意的是:直接运行程序再 attach 上去即可;观察符号时,Python 对象在反编译器里没有类型信息,需要手动把 Python 对象对应的结构体恢复出来,才能找到数据项的偏移。

# a = "KBAsECGs"
# b = "MDAwMDAw"
# a = [ord(i) for i in a]
# b = [ord(i) for i in b]
# for i in range(8):
#     print(a[i] ^ b[i],end=',')
# print()
# a = "KRE|ESC|"
# b = "MTExMTEx"
# a = [ord(i) for i in a]
# b = [ord(i) for i in b]
# for i in range(8):
#     print(a[i] ^ b[i],end=',')
# print()
#
# b = "MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTE="
# a = [124,97,64,89,12,106,118,94,112,121,15,99,13,69,97,105,65,116,1,106,106,88,76,82,113,19,73,85,122,124,95,62,112,108,7,89,74,18,68,115,126,84,122,82,82,125,77,96,5,72,91,106,8,109,78,114,101,21,123,117,107,18,96,119,11,126,0,98,11,31,97,64,70,24,116,21]
# b = [ord(i) for i in b]
# for i in range(len(b)):
#     print(a[i] ^ b[i],end=',')
# print()
#
# b = "MjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI="
# a = [124,95,76,88,12,84,122,95,112,71,3,98,13,123,109,104,65,74,13,107,106,102,64,83,113,45,69,84,122,66,83,63,112,82,11,88,74,44,72,114,126,106,118,83,82,67,65,97,5,118,87,107,8,83,66,115,101,43,119,116,107,44,108,118,11,64,12,99,11,33,109,65,70,38,120,21]
# b = [ord(i) for i in b]
# for i in range(len(b)):
#     print(a[i] ^ b[i],end=',')
# print()
#
# a = [124,97,76,91,15,122,102,20,115,87,15,98,13,107,117,32,66,74,39,106,106,102,68,26,114,19,85,30,122,124,83,60,115,124,23,19,73,60,68,114,126,122,110,27,81,67,107,96,5,118,83,34,11,109,82,57,101,21,119,119,104,2,112,61,8,80,0,99,11,49,117,9,69,38,82,21]
# b = "MTIzNDU2NzEyMzQ1NjcxMjM0NTY3MTIzNDU2NzEyMzQ1NjcxMjM0NTY3MTIzNDU2NzEyMzQ1Njc="
# b = [ord(i) for i in b]
# for i in range(len(b)):
#     print(a[i] ^ b[i],end=',')
# print()
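import base64

# Two 56-byte arrays dumped from the running process (the commented probes
# above show that output ^ base64(known input) is a fixed per-position
# table, which is what makes the three-way xor below work).
B_BYTES = [108, 117, 72, 80, 64, 49, 99, 19, 69, 115, 94, 93, 94, 115, 71, 95, 84, 89, 56, 101, 70, 2, 84, 75, 127, 68, 103, 85, 105, 113, 80, 103, 95, 67, 81, 7, 113, 70, 47, 73, 92, 124, 93, 120, 104, 108, 106, 17, 80, 102, 101, 75, 93, 68, 121, 26]
A_BYTES = [123, 76, 117, 64, 87, 86, 85, 88, 82, 77, 119, 77, 94, 74, 83, 93, 64, 116, 77, 106, 69, 100, 67, 95, 126, 68, 103, 85, 126, 114, 76, 107, 75, 122, 65, 78, 102, 65, 91, 91, 75, 66, 94, 108, 106, 124, 72, 91, 83, 72, 114, 89, 93, 87, 118, 91]

# base64("1" * 57): the known-input reference used when the table was probed.
C_B64 = 'MTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTExMTE='


def recover_b64(table: list[int], other: list[int], known: str) -> str:
    """Return the flag's base64 text: per-position table[i] ^ other[i] ^ known[i].

    Only the first len(table) positions are used; ``other`` and ``known`` must
    be at least that long (the original raised IndexError on a short input,
    zip() would silently truncate, so check explicitly).
    """
    if len(other) < len(table) or len(known) < len(table):
        raise ValueError("other/known must cover every table position")
    return "".join(chr(t ^ o ^ ord(k)) for t, o, k in zip(table, other, known))


def recover_flag(table: list[int], other: list[int], known: str) -> bytes:
    """Decode the recovered base64 text into the flag bytes."""
    return base64.b64decode(recover_b64(table, other, known).encode())


if __name__ == "__main__":
    flag_b64 = recover_b64(B_BYTES, A_BYTES, C_B64)
    print(flag_b64)
    print(recover_flag(B_BYTES, A_BYTES, C_B64))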

# goreverse

还没自己做,加密套娃