DASCTF 2024暑期挑战赛WP

clev1L Lv3
  2024-07-20 12:50:36 2024-07-20 12:50:36 Created   2025-02-23 12:29:57 2025-02-23 12:29:57 Updated  805 Words  4 Mins  

DosSnake

瞪眼一个异或

1
2
3
4
5
6
enc=[0x3F, 0x09, 0x63, 0x34, 0x32, 0x13, 0x2A, 0x2F, 0x2A, 0x37,
  0x3C, 0x23, 0x00, 0x2E, 0x20, 0x10, 0x3A, 0x27, 0x2F, 0x24,
  0x3A, 0x30, 0x75, 0x67, 0x65, 0x3C]
key="DASCTF"
for i in range(len(enc)):
    print(chr(enc[i]^ord(key[i%len(key)])),end="")

DASCTF{H0wfUnnytheDosSnakeis!!!}

Strangeprograme

找到DASCTF段,往上跟

先是smc解密DASCTF段代码,然后注册hook

绕反调试

输入后打硬件断点跟到关键代码,魔改tea,照着解密就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from ctypes import *
import libnum
enc=[-7, 77, 43, -68, 19, -35, 19, 98, -55, -4, -1, -119, 125, 79, -55, 15, 99, 29, 109, 82, 80, -3, 65, -29, 51, 118, 40, -105, 56, 54, -7, 107, -112, 57, 20, -125, 44, -30, 44, 31]
for i in range(len(enc)):
    enc[i]&=0xff
enc=[0xF9, 0x4D, 0x2B, 0xBC, 0x13, 0xDD, 0x13, 0x62, 0xC9, 0xFC,
  0xFF, 0x89, 0x7D, 0x4F, 0xC9, 0x0F, 0x63, 0x1D, 0x6D, 0x52,
  0x50, 0xFD, 0x41, 0xE3, 0x33, 0x76, 0x28, 0x97, 0x38, 0x36,
  0xF9, 0x6B, 0x90, 0x39, 0x14, 0x83, 0x2C, 0xE2, 0x2C, 0x1F]
a1=[int.from_bytes(enc[i:i+4],"little") for i in range(0,len(enc),4)]
a2=[0x12345678, 0x09101112, 0x13141516, 0x15161718]
decode=[]
v5=c_uint32(0)
times=16
delta=0x61C88647
for k in range(len(a1)-2,-1,-2):
    decode.append(a1[k+1] ^ a1[1])
    decode.append(a1[k] ^ a1[0])
    v5=c_uint32(-delta*times)
    v1=c_uint32(a1[0])
    v2=c_uint32(a1[1])
    for i in range(times):
        v5.value += delta
        v2.value -= (v1.value + v5.value) ^ ((v1.value*16) + a2[2]) ^ ((v1.value >> 5) + a2[3])
        # v2.value -= (a2[(v5.value >> 11) & 3] + v5.value) ^ (v1.value + ((v1.value >> 5) ^ (16 * v1.value)))
        v1.value -= (v2.value + v5.value) ^ ((v2.value*16) + a2[0]) ^ ((v2.value >> 5) + a2[1])
        # v1.value -= (a2[(v5.value) & 3] + v5.value) ^ (v2.value + ((v2.value >> 5) ^ (16 * v2.value)))
    a1[0]=v1.value
    a1[1]=v2.value
decode.append(a1[1])
decode.append(a1[0])
for i in decode[::-1]:
    print(libnum.n2s(i).decode()[::-1],end="")

DASCTF{I4TH0ok_I5S0ooFunny_Isnotit?????}

BabyAndroid

资源文件找到一个Sex.jpg,直接搜

动态加载类,先用rc4解密一下

aes+base64

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;


public class RC4 {
    private static final String KEY = "DSACTF";

    private static byte[] customHash(String input) {
        byte[] keyBytes = new byte[16];
        int[] temp = new int[16];
        for (int i = 0; i < input.length(); i++) {
            int charVal = input.charAt(i);
            for (int j = 0; j < 16; j++) {
                temp[j] = ((temp[j] * 31) + charVal) % 251;
            }
        }
        for (int i2 = 0; i2 < 16; i2++) {
            keyBytes[i2] = (byte) (temp[i2] % 256);
        }
        return keyBytes;
    }

    public static void main(String[] args) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException {
        byte[] keyBytes = customHash(KEY);
        // Create the secret key spec
        SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");
        // Initialize the cipher for decryption
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
        // Decode the base64 encoded string
        byte[] encryptedBytes = Base64.getDecoder().decode("TwMkYUkg4bYsY0hL99ggYWnVjWyXQrWAdNmToB0eBXbS6wBzL6ktorjNWI9VOroTU4HgIUYyzGLpcHzd1zNGT+bFZZI7IoxJwpcgXfdwW1LSmiNSP+PuSUsqAzNclF1nJ07b4tYyLWg0zTypbzWsLhOIM+6uci3RFZLREUCALafi01M8mS+KMNxX1Pyn8mSP+KKKjQ5S5fasHRSn+L9qBFws0mWavpfI0QEiMgarxv0iGhYU8cfgonWyL70RvoXET5VUDP1vfYWIBLzzzaAqLC0OiMtUK3TTATSU7yijdgXm18OKMcGIke/NZIM6Sr5fL3t6psDOOkw2C/5uYrJVPn+D6U9KTL64bgREppDqMOvhvbhtuf/S3ASW/+rhtPMtoaD8FxDg0wWSLZA53fQfNA==");
        // Decrypt the data
        byte[] decryptedBytes = cipher.doFinal(encryptedBytes);

        // Convert bytes to string and return
        System.out.println(new String(decryptedBytes));



    }
}
#458.853181,-18.325492,-18.251911,-2.097520,-21.198660,-22.304648,21.103162,-5.786284,-15.248906,15.329286,16.919499,-19.669045,30.928253,-37.588034,-16.593954,-5.505211,3.014744,6.553616,31.131491,16.472500,6.802400,-78.278577,15.280099,3.893073,56.493581,-34.576344,30.146729,4.445671,6.732204

代码中还调用了sendInit,在native层

扔给gpt秒了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import numpy as np
from scipy.fftpack import idct

# 定义数据数组
data = [458.853181, -18.325492, -18.251911, -2.097520, -21.198660, -22.304648, 21.103162,
        -5.786284, -15.248906, 15.329286, 16.919499, -19.669045, 30.928253, -37.588034,
        -16.593954, -5.505211, 3.014744, 6.553616, 31.131491, 16.472500, 6.802400, -78.278577,
        15.280099, 3.893073, 56.493581, -34.576344, 30.146729, 4.445671, 6.732204]

# 计算逆离散余弦变换
inverse_dct = idct(data, norm='ortho')

# 打印结果
for i in inverse_dct:
    print(chr(round(i)),end="")

DASCTF{Y0u_Ar3Re4lly_H@ck3r!}

  • Title: DASCTF 2024暑期挑战赛WP
  • Author: clev1L
  • Created at : 2024-07-20 12:50:36
  • Updated at : 2025-02-23 12:29:57
  • Link: https://github.com/clev1l/2024/07/20/DASCTF-2024暑期挑战赛WP/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
DASCTF 2024暑期挑战赛WP
  1. DosSnake
  2. Strangeprograme
  3. BabyAndroid