sedRust_happyVm: Rust VM reverse engineering
The VM was exhausting to read, one layer nested inside another, and in the end I still did not fully understand it, but I found that a side channel can be used to brute-force the input 3 characters at a time.
This part is a base encoding, a 3-to-4 mapping (3 input bytes map to 4 output characters).
Then, here, it checks the two positions of the base-encoded output above in turn and finally produces a check value stored at rsp+0C88h+var_7EC, i.e. at 0x65f50c.
Every call to sub_40ABA0 produces a check value that is added to 0x65f50c. Since the final total is required to be 0, the check value after every single call to sub_40ABA0 must also be 0.
At the second check block, jmp straight to the final overall comparison, so that only 3 input characters are checked; if they are correct, the corresponding success message is printed. Use subprocess to brute-force this.
Easily brute-forced:
Then append the recovered characters, change the patch so that the fourth check block jmps to the overall comparison, brute-force the next three characters, and so on until the flag is obtained.
```python
import subprocess
from itertools import product
from tqdm import tqdm

printable = "0123456789abcdef"
executable_path = "80F96BE110F9736464C5328CA22409E1570993AEFAB84BB3F326DF8B2A631027.exe"  # replace with the path to your executable

# Last stage: 30 characters of the flag body are already known, brute-force the remaining 2
for i in tqdm(product(printable, repeat=2)):
    try_data = "DASCTF{" + ("c669733af3ce4459b88016420b81cb" + "".join(i)).ljust(32, "0") + "}"
    process = subprocess.Popen(executable_path, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    input_bytes = try_data.encode('utf-8')  # convert the input to bytes
    process.stdin.write(input_bytes)
    process.stdin.flush()  # flush the input buffer
    # collect the output
    output, error = process.communicate()
    s = output.decode('gbk')
    if "You Get FLAG!" in s:
        print(try_data)
        print(s)
        exit()
```
DASCTF{c669733af3ce4459b88016420b81cb15}
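To make the chunked search explicit, here is an added model of the check logic described above; it is not the challenge binary or the author's script. The oracle and its check value are assumptions that only reproduce the structure the write-up describes (base64 groups of 3 bytes, an accumulated check value that must end up 0, and a jmp patch that limits how many groups are summed), using the flag body from the write-up as the secret the model hides.

```python
import base64
from itertools import product

# Constructed model of the challenge's check logic (the real sub_40ABA0 is not on
# the page): the input is base64-encoded (3 bytes -> 4 chars) and each 4-char
# group adds a check value to an accumulator that must end up 0.
ALPHABET = "0123456789abcdef"
SECRET = "c669733af3ce4459b88016420b81cb15"   # flag body from the write-up, used as the hidden value
GROUP = 3                                       # 3 input bytes -> one 4-char base64 group


def groups_of(data: str):
    """Split into 3-byte chunks and base64-encode each, like the 3-to-4 mapping."""
    return [base64.b64encode(data[i:i + GROUP].encode()) for i in range(0, len(data), GROUP)]


EXPECTED = groups_of(SECRET)


def oracle(candidate: str, groups_checked: int) -> bool:
    """Model of the patched binary: after the jmp patch only the first
    `groups_checked` groups feed the accumulator before the final '== 0' test.
    The (assumed) check value is 0 for a matching group and non-zero otherwise."""
    total = 0
    for got, want in list(zip(groups_of(candidate), EXPECTED))[:groups_checked]:
        total += sum(a ^ b for a, b in zip(got, want))
    return total == 0


def recover(length: int) -> str:
    """Recover the body one base64 group at a time: at most 16**3 guesses per
    group instead of 16**length for the whole string."""
    known = ""
    while len(known) < length:
        chunk = min(GROUP, length - len(known))
        group_index = len(known) // GROUP
        for guess in product(ALPHABET, repeat=chunk):
            candidate = (known + "".join(guess)).ljust(length, "0")  # pad like the write-up's ljust
            if oracle(candidate, group_index + 1):
                known += "".join(guess)
                break
        else:
            raise ValueError(f"no match for group {group_index}")
    return known


def query_count(length: int) -> int:
    """Worst-case oracle queries for the chunked search (the naive search needs 16**length)."""
    full, rest = divmod(length, GROUP)
    return full * len(ALPHABET) ** GROUP + (len(ALPHABET) ** rest if rest else 0)
```

The per-group leak is what turns an infeasible 16**32 search into about 41k queries; a checker that accumulates over the whole input before reporting anything would not leak this.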
pic: Go reverse engineering, restore symbols with go_parser
Code audit: it is not hard to see that this is a modified RC4. Reimplement the algorithm and brute-force the key, 0173d, directly against the PNG header.
Enter the key to get the flag.
```python
from tqdm import tqdm
from itertools import product

target = [137, 80, 78, 71]  # PNG magic bytes: \x89PNG
printable = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def rc4decrypt(c, key):
    # Key-scheduling algorithm (standard RC4)
    s = []
    t = []
    for i in range(256):
        s.append(i)
    for i in range(256):
        t.append(ord(key[i % len(key)]))
    j = 0
    for i in range(256):
        j = (j + s[i] + t[i]) % 256
        s[i], s[j] = s[j], s[i]
    # Keystream generation; the modification XORs each byte with key[1] ^ 17 as well
    i = 0
    j = 0
    flag = []
    for k in range(len(c)):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        x = (s[i] + s[j]) % 256
        flag.append(c[k] ^ s[x] ^ ord(key[1]) ^ 17)
    return flag


# Brute-force a 5-character key until the first 4 ciphertext bytes decrypt to the PNG header
for i in tqdm(product(printable, repeat=5)):
    data = [0x85, 0x43, 0x72, 0x78]
    key = "".join(i)
    flag = rc4decrypt(data, key)
    if flag == target:
        print(key)
        exit()
```
你这主函数保真吗 (is your main function genuine?): set a hardware breakpoint directly at the input location.
Running it reveals a ROT13 encryption and a DCT.
```python
from scipy.fftpack import idct

# Define the data array (DCT coefficients recovered from the program)
data = [513.355, -37.7986, 8.7316, -10.7832, -1.3097, -20.5779, 6.98641, -29.2989, 15.9422, 21.4138,
        29.4754, -2.77161, -6.58794, -4.22332, -7.20771, 8.83506, -4.38138, -19.3898, 18.3453, 6.88259,
        -14.7652, 14.6102, 24.7414, -11.6222, -9.754759999999999, 12.2424, 13.4343, -34.9307, -35.735,
        -20.0848, 39.689, 21.879, 26.8296]

# Compute the inverse discrete cosine transform
inverse_dct = idct(data, norm='ortho')

# Print the result (still ROT13-encoded)
for i in inverse_dct:
    print(chr(round(i)), end="")
# QNFPGS{Ju0_1f_Zn1a_@aq_ShaaL_Qpg}
```
DASCTF{Wh0_1s_Ma1n_@nd_FunnY_Dct}
dosCrack: VBA reverse engineering; use olevba to extract the source.
https://github.com/decalage2/oletools/wiki/olevba
```shell
olevba protected_secret.docm > log.txt
```
First there is a simple XOR.
Then `certutil -decode temp1 temp|certutil -decode temp temp.exe` is used to decode out an exe.
Write the value of the xpkdb variable to temp1, then run that command to obtain the exe.
Analysing the exe, there is only a single left-shift operation.
Decrypt it directly to get the flag:
```python
v9 = [
    4288, 4480, 5376, 4352, 5312, 4160, 7936, 5184, 6464, 6528,
    5632, 3456, 7424, 5632, 6336, 6528, 6720, 6144, 6272, 7488,
    6656, 7296, 7424, 2432, 2432, 2432, 5632, 4416, 3456, 7168,
    6528, 7488, 6272, 5632, 3520, 6208, 5632, 4736, 6528, 6400,
    7488, 3520, 5632, 5184, 3456, 7488, 7296, 3200, 6272, 7424,
    2432, 2432, 2432, 7808,
]
# Undo the exe's transformation: shift right by 6, then XOR with 7
for i in range(len(v9)):
    v9[i] >>= 6
    v9[i] ^= 7
print("".join(map(chr, v9)))
```
DASCTF{Vba_1s_dangerous!!!_B1ware_0f_Macr0_V1ru5es!!!}