December 30, 2021

CISCN2018-2ex

0x00 日常查壳

好像这样的算MIPS32?我也是今天才注意到

image-20211230173516643

0x01 找到主函数

首先有个out文件 无疑就是加密后的flag 于是丢尽ida去找

image-20211230173600258

image-20211230173730853

image-20211230173820114

0x02 GetFlag

加密后的out里第一个是 ‘|’ 我就纳闷了,码表里根本找不到,我就以为又是什么hook 或者其他函数改了码表,改了加密字符串等等,结果只要去掉即可(雾)。

自己写的base加解密,准备开始收录各种魔改后的base,之前写的都没收录,最终目的是为了写成黑匣子。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#include <stdio.h>
#include <string.h>

static int i, j;
static char Base64Code[] =
{
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
    'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
    'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 
    'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
    'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 
    'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
    '8', '9', '+', '/', '='
};

int main(void)
{
    char input[] = "_r-+_Cl5;vgq_pdme7#7eC0";
    char flag[strlen(input)];

    unsigned char data[] =
{
  0x40, 0x2C, 0x2E, 0x31, 0x66, 0x67, 0x76, 0x77, 0x23, 0x60, 
  0x2F, 0x32, 0x65, 0x68, 0x75, 0x78, 0x24, 0x7E, 0x22, 0x33, 
  0x64, 0x69, 0x74, 0x79, 0x25, 0x5F, 0x3B, 0x34, 0x63, 0x6A, 
  0x73, 0x7A, 0x5E, 0x2B, 0x7B, 0x35, 0x62, 0x6B, 0x72, 0x41, 
  0x26, 0x3D, 0x7D, 0x36, 0x61, 0x6C, 0x71, 0x42, 0x2A, 0x2D, 
  0x5B, 0x37, 0x30, 0x6D, 0x70, 0x43, 0x28, 0x29, 0x5D, 0x38, 
  0x39, 0x6E, 0x6F, 0x44
};

    for ( i = 0; i < strlen(input); i++ )
    {
        for ( j = 0; j < 64; j++ )
        {
            if ( input[i] == data[j] )
            {
                input[i] = j;
//                printf("0x%-2x, ", input[i]);
                break;
            }
        }
    }
    for (i = 0, j = 0; j < strlen(input); i += 3, j +=4 )
    {
        flag[i] = (input[j] << 2) | ((input[j + 1] & 0x30) >> 4);
        flag[i + 1] = ((input[j + 1] & 0xF) << 4) | ((input[j + 2] & 0x3C) >> 2);
        flag[i + 2] = ((input[j + 2] & 0x3) << 6) | input[j + 3] ;
//        printf("%x %x %x ",  flag[i], flag[i + 1], flag[i + 2]);
    }

    for ( i = 0; i < strlen(flag); i++ )
        printf("%c", flag[i]);
        

/*   标准base64解密  4位变3位*/
    // for (i = 0, j = 0; j < strlen(input); i += 3, j +=4 )
    // {
    //     flag[i] = (input[j] << 2) | ((input[j + 1] & 0x30) >> 4);
    //     flag[i + 1] = ((input[j + 1] & 0xF) << 4) | ((input[j + 2] & 0x3C) >> 2);
    //     flag[i + 2] = ((input[j + 2] & 0x3) << 6) | input[j + 3] ;
    //     printf("%x %x %x ",  flag[i], flag[i + 1], flag[i + 2]);
    // }


    
/*  标准base64加密   3位变4位*/
    // for ( i = 0, j = 0; i <= strlen(flag); i += 3, j += 4 )
	// {
	// 	input[j] = (flag[i] >> 2) & 0x3F;
	// 	input[j + 1] = ((flag[i] & 0x3) << 4) | (flag[i + 1] & 0xF0 ) >> 4;
	// 	input[j + 2] = ((flag[i + 1] & 0xF ) << 2) | (flag[i + 2] & 0xC0) >> 6;
	// 	input[j + 3] = flag[i + 2] & 0x3F;	
	// }
}

GetFlag!

image-20211230175403676

DASCTF X SU
🍬
HFCTF2022
🍪

About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.