TFCCTF WP

signal

每个Handle函数里的字符拼起来

license

from string import printable
enc1=list(map(ord,"Xsl3BDxP"))
for i in range(8):
    enc1[i]^=0x33
    if i%3==2:
        enc1[i]+=37
    elif i%3==1:
        enc1[i]-=16
    else:
        enc1[i]^=0x5a
payload=bytes(enc1)+b"-"
dic={}
for char in printable:
    if char.islower():
        new_char = (ord(char) - 92) % 26 + ord('a')
        dic[new_char]=char
    elif char.isupper():
        new_char = (ord(char) - 48) % 26 + ord('A')
        dic[new_char] = char
for i in 'mzXaPLzR':
    payload+=dic[ord(i)].encode()
print(payload)
from pwn import *
p=remote("challs.tfcctf.com",31541)
p.sendline(payload)
print(p.recvall())

x8

vm，硬跟

发现主要加密逻辑只有一个异或，找到比较处，用idapython写脚本拿flag

from ida_hexrays import *
from ida_dbg import *
from idaapi import *
from idautils import *
from idc import *
from ida_kernwin import *


'''自定义调试器钩子类'''
class dbg_hooks_t(ida_dbg.DBG_Hooks):
    '''继承自父类DBG_Hooks'''
    def init(self):
        ida_dbg.DBG_Hooks.init(self)

    def dbg_suspend_process(self):
        asm=GetDisasm(here())
        if "cmp" in asm:
            print(chr(cpu.cl^get_byte(cpu.rsi+cpu.rax+0x401)),end="")
        else:
            cpu.al=1
        continue_process()


'''安装/卸载钩子'''
if 'tmp_dbg_hooks' not in dir():
    tmp_dbg_hooks = dbg_hooks_t()
    tmp_dbg_hooks.hook()
    print('[+] tmp dbg hook success')
else:
    tmp_dbg_hooks.unhook()
    del tmp_dbg_hooks
    print('[+] tmp dbg unhook success')

VIRTUAL-REV

自定义指令对寄存器进行操作

例如这里的STF对应的sub_1C40对应的异或操作，分析各个函数

要通过运算让寄存器的值满足下面条件，且每个指令只能用10次

慢慢凑就行了

OAN lax
MISZ lip,lax
MISZ l0,lax
STF lax,lip
RALK l0,lax
RALK l2,lax
STF lax,lip
RALK l0,lax
RALK l2,lax
STF lax,lip
RALK l2,lax
OAN lip
STF lax,lip
MAZ lip
RALK l2,lax
STF lax,lip
RALK l2,lax
MISZ l3,l2
MISZ l4,l2
MAZ l3
RALK l2,l0
MISZ l1,l3
MAZ l1
MQZL l4,l0
MQZL l4,l0
OAN l4
MISZ lax,l4
RALK lax,lax
MAZ lax
MAZ lax
MAZ lax
XKA l0,lax
FLG

MCKNIGHT

pyarmor逆向

网上找个bypass去混淆，然后pycdc反编译

import sys
import lzma
FLAG_LEN = 17
nums = [
    203,
    99,
    1,
    219,
    19,
    54,
    46,
    170,
    180,
    120,
    22,
    249,
    236,
    87,
    27,
    223,
    81,
    252,
    232,
    66,
    241,
    61,
    235,
    40,
    217,
    74,
    145,
    196,
    7,
    131,
    75,
    56,
    105,
    134,
    48,
    49,
    149,
    127,
    73,
    65,
    70,
    45,
    53,
    121,
    198,
    193,
    207,
    138,
    32,
    0,
    132,
    122,
    10,
    210,
    189,
    44,
    164,
    25,
    166,
    195,
    5,
    47,
    157,
    20,
    119,
    247,
    199,
    97,
    152,
    14,
    148,
    124,
    123,
    36,
    30,
    76,
    58,
    192,
    110,
    178,
    175,
    202,
    155,
    23,
    50,
    168,
    156,
    106,
    84,
    186,
    197,
    95,
    140,
    79,
    43,
    15,
    244,
    125,
    205,
    3,
    234,
    212,
    13,
    182,
    233,
    255,
    71,
    163,
    254,
    150,
    26,
    90,
    33,
    109,
    183,
    37,
    92,
    248,
    167,
    9,
    173,
    91,
    107,
    133,
    253,
    88,
    31,
    220,
    153,
    83,
    55,
    141,
    62,
    101,
    28,
    242,
    112,
    52,
    89,
    6,
    17,
    135,
    211,
    181,
    39,
    208,
    209,
    85,
    158,
    69,
    137,
    229,
    93,
    231,
    226,
    41,
    114,
    42,
    215,
    108,
    68,
    77,
    18,
    177,
    246,
    191,
    64,
    86,
    190,
    218,
    102,
    185,
    160,
    142,
    172,
    171,
    237,
    238,
    245,
    59,
    146,
    213,
    151,
    113,
    139,
    144,
    230,
    143,
    98,
    8,
    194,
    29,
    221,
    115,
    34,
    82,
    11,
    57,
    78,
    214,
    12,
    80,
    251,
    111,
    184,
    162,
    224,
    201,
    4,
    206,
    204,
    227,
    38,
    169,
    130,
    67,
    116,
    128,
    35,
    187,
    51,
    216,
    126,
    96,
    147,
    72,
    100,
    174,
    103,
    118,
    239,
    161,
    188,
    129,
    240,
    222,
    16,
    24,
    243,
    228,
    165,
    2,
    200,
    225,
    104,
    60,
    21,
    159,
    117,
    94,
    176,
    154,
    250,
    63,
    179,
    136]

def generator(cnt):
    coeffs = []
    for i in range(cnt):
        aux = []
        for j in range(cnt):
            aux.append(nums[(i + j) * 1337 % 256])
        coeffs.append(aux)
    return coeffs

coeffs = generator(FLAG_LEN)

def calc_line(k, password):
    rez = 0
    for i in range(len(password)):
        rez += password[i] * coeffs[k][i]
    return rez


def hash(password):
    password = password.encode()
    rez = []
    for i in range(FLAG_LEN):
        rez.append(calc_line(i, password))
    final = []
    for k in range(FLAG_LEN):
        aux = 0
        for i in range(FLAG_LEN):
            aux += coeffs[i][i] * rez[k] ** i
        final.append(aux)
    data = 'X'.join((lambda .0: [ str(i) for i in .0 ])(final))
    data = lzma.compress(data.encode())
    return data


def protect_pytransform():
    pass

protect_pytransform()
if __name__ == '__main__':
    if len(sys.argv) != 2:
        print('Usage: python3 hasher.py <password>')
        sys.exit(1)
    password = sys.argv[1]
    f = open('flag.tfc', 'wb')
    f.write(hash(password))
    f.close()
    return None

直接二分爆破+z3求解就行

from z3 import *
import hashlib
coeffs = [
    [203, 25, 183, 185, 103, 131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39],
    [25, 183, 185, 103, 131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80],
    [183, 185, 103, 131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1],
    [185, 103, 131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195],
    [103, 131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92],
    [131, 156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142],
    [156, 181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239],
    [181, 12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56],
    [12, 99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84],
    [99, 166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208],
    [166, 37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251],
    [37, 160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219],
    [160, 118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219, 5],
    [118, 75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219, 5, 248],
    [75, 106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219, 5, 248, 172],
    [106, 39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219, 5, 248, 172, 161],
    [39, 80, 1, 195, 92, 142, 239, 56, 84, 208, 251, 219, 5, 248, 172, 161, 105]
]
def crack(data,low=0,high=10000000):
    mid=(low+high)//2
    aux = 0
    for i in range(17):
        aux += coeffs[i][i] * mid ** i
    if aux==data:
        return mid
    elif aux<data:
        return crack(data,mid,high)
    else:
        return crack(data, low, mid)
final=[241145859875641838375568265700583468186829263398544757708098347348022022884360837485710, 242902687900260771861607054566947611547896250791705390091915540312199710379559572931505, 118804805583829233872261635093267780736313101343997285490553624486731758902902725780401, 26070700698055451690987757334500139286748700065539668546268641839116937214184857128560, 80124267409396931019414660969297677614518733024335683050341802246590458710526430494155, 69120093458515678156299924155147567260652620409495938721703127474659623787444019635686, 55990617663721070662940577545659770939418406539539326788876102491498967285130967281128, 84978787096451983698491441429950667741555633384940077658282672091443454996648064495511, 23759403351528619406080196311716538538008953312734989705067168926356756839659089725251, 86486490836619119777078113830956983553852469753831999233377245135427130463065664874858, 369155978954842380984597693623469879860148040186483282201761309305365061575611768747298, 1078465608243324842613424723393406987749733612082372832634987529158514755913320850268491, 1005551112473893284689270925024882424646208832128726137262652596080759048126971564689305, 1441265309598955239402339668269380825497187261329350217287260241765013222531063230035525, 2537021592764940720429409315492500096108026182936387769778443082968491519197197436386270, 2323164916211382753227121606965322254296382499455840500352915151579032530394385955313501, 5180002787948231428431978908861257938675855102999849262356280617225584933954485735013570]
target_rez=[crack(i) for i in final]


x=Solver()
password=[Int('%d' % i) for i in range(17)]
nums = [203,99,1,219,19,54,46,170,180,120,22,249,236,87,27,223,81,252,232,66,241,61,235,40,217,74,145,196,7,131,75,56,105,134,48,49,149,127,73,65,70,45,53,121,198,193,207,138,32,0,132,122,10,210,189,44,164,25,166,195,5,47,157,20,119,247,199,97,152,14,148,124,123,36,30,76,58,192,110,178,175,202,155,23,50,168,156,106,84,186,197,95,140,79,43,15,244,125,205,3,234,212,13,182,233,255,71,163,254,150,26,90,33,109,183,37,92,248,167,9,173,91,107,133,253,88,31,220,153,83,55,141,62,101,28,242,112,52,89,6,17,135,211,181,39,208,209,85,158,69,137,229,93,231,226,41,114,42,215,108,68,77,18,177,246,191,64,86,190,218,102,185,160,142,172,171,237,238,245,59,146,213,151,113,139,144,230,143,98,8,194,29,221,115,34,82,11,57,78,214,12,80,251,111,184,162,224,201,4,206,204,227,38,169,130,67,116,128,35,187,51,216,126,96,147,72,100,174,103,118,239,161,188,129,240,222,16,24,243,228,165,2,200,225,104,60,21,159,117,94,176,154,250,63,179,136]
def generator(cnt):
    coeffs = []
    for i in range(cnt):
        aux = []
        for j in range(cnt):
            aux.append(nums[(i + j) * 1337 % 256])
        coeffs.append(aux)
    return coeffs

rez = []
for k in range(17):
    rezi=0
    for i in range(len(password)):
        rezi += password[i] * coeffs[k][i]
    rez.append(rezi)

for i in range(17):
    x.add(rez[i]==target_rez[i])
def getdigest(content):
    return hashlib.sha256(str(content).encode('utf-8')).hexdigest()
if x.check()==sat:
    ans=[]
    model = x.model()
    for i in range(17):
        ans.append(model[password[i]].as_long().real)
    print("TFCCTF{"+getdigest("".join(map(chr,ans)))+"}")

else:
    print("notfound")

BRAVE TRAVELER

bfs，更改bfs起点就行

import subprocess
file = "travel"
data=list(open(file,"rb").read())
addr=0x13be
base=""
test="._oiddleolk{aTF_a5gd_55sQ"
for i in test:
    data[addr]=ord(i)
    open(file,"wb").write(bytes(data))
    found=False
    process = subprocess.Popen([file], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    output, error = process.communicate()
    s = output.decode('gbk')
    print(s)

FUNCTIONAL

函数式编程haskell逆向，用hsdecomp进行反编译，然后再看吧，hsdecomp配不好，东西太久了找不到文章了，逆天