December 30, 2021

CISCN2018-2ex

0x00 日常查壳

好像这样的算MIPS32?我也是今天才注意到

image-20211230173516643

0x01 找到主函数

首先有个 out 文件,无疑就是加密后的 flag,于是丢进 IDA 去找。

image-20211230173600258

image-20211230173730853

image-20211230173820114

0x02 GetFlag

加密后的 out 里第一个字符是 ‘|’,我就纳闷了:码表里根本找不到它。我一度以为又是什么 hook 或者其他函数改了码表、改了加密字符串等等,结果只要把这个字符去掉即可(雾)。

自己写的base加解密,准备开始收录各种魔改后的base,之前写的都没收录,最终目的是为了写成黑匣子。

#include <stdio.h>
#include <string.h>

/* File-scope loop counters; static storage, so both start at zero. */
static int i;
static int j;

/*
 * Standard base64 alphabet (A-Z, a-z, 0-9, '+', '/') followed by the '='
 * padding character: 65 entries, no terminating NUL.
 * main() in this listing decodes with its own 64-entry table and does not
 * reference this one; it is kept as the reference alphabet.
 */
static char Base64Code[] =
{
    /* upper case */
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    /* lower case */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    /* digits */
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    /* symbols, then padding */
    '+', '/',
    '='
};

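/*
 * Decode the challenge's base64 variant (custom 64-symbol alphabet, no '='
 * padding) and write the recovered bytes to stdout.
 *
 * Changes from the first draft of this solver:
 *   - the encoded length is fixed once, instead of calling strlen() on a
 *     buffer that is being overwritten with table indices (index 0 would
 *     have looked like a terminator and cut the loops short);
 *   - the output length is computed from the input length, instead of
 *     calling strlen() on an output buffer that was never NUL-terminated;
 *   - symbols that are not in the table, and a dangling single symbol at the
 *     end, are rejected instead of being decoded as raw character codes;
 *   - byte arithmetic is done on unsigned char, so no value above 0x7F is
 *     pushed through a possibly signed char.
 *
 * Returns 0 on success, 1 on malformed input or a short write.
 */
int main(void)
{
    /*
     * Encoded text from the challenge's "out" file. The write-up notes that
     * the file starts with '|', which is not in the table below and was
     * dropped before decoding.
     */
    static const char input[] = "_r-+_Cl5;vgq_pdme7#7eC0";

    /* Custom alphabet: position in this table == 6-bit value of the symbol. */
    static const unsigned char data[64] =
    {
        0x40, 0x2C, 0x2E, 0x31, 0x66, 0x67, 0x76, 0x77, 0x23, 0x60,
        0x2F, 0x32, 0x65, 0x68, 0x75, 0x78, 0x24, 0x7E, 0x22, 0x33,
        0x64, 0x69, 0x74, 0x79, 0x25, 0x5F, 0x3B, 0x34, 0x63, 0x6A,
        0x73, 0x7A, 0x5E, 0x2B, 0x7B, 0x35, 0x62, 0x6B, 0x72, 0x41,
        0x26, 0x3D, 0x7D, 0x36, 0x61, 0x6C, 0x71, 0x42, 0x2A, 0x2D,
        0x5B, 0x37, 0x30, 0x6D, 0x70, 0x43, 0x28, 0x29, 0x5D, 0x38,
        0x39, 0x6E, 0x6F, 0x44
    };

    enum {
        ENC_LEN = sizeof input - 1,     /* encoded symbols, without the NUL */
        QUADS   = (ENC_LEN + 3) / 4     /* 4-symbol groups, last may be partial */
    };

    /* Zero-filled so a partial final group reads zeros for its missing symbols. */
    unsigned char sextet[QUADS * 4] = {0};
    unsigned char flag[QUADS * 3];

    const size_t enc_len = ENC_LEN;
    const size_t tail = enc_len % 4;
    size_t out_len;

    /* One leftover symbol carries only 6 bits, which cannot form a byte. */
    if (tail == 1) {
        fprintf(stderr, "encoded length %zu is not a valid base64 length\n", enc_len);
        return 1;
    }
    /* 3 bytes per full group; a 2- or 3-symbol tail yields 1 or 2 bytes. */
    out_len = (enc_len / 4) * 3 + (tail ? tail - 1 : 0);

    /* Step 1: translate every symbol to its index in the custom alphabet. */
    for (size_t k = 0; k < enc_len; k++) {
        const unsigned char *hit =
            memchr(data, (unsigned char)input[k], sizeof data);

        if (hit == NULL) {
            fprintf(stderr, "symbol at offset %zu is not in the alphabet\n", k);
            return 1;
        }
        sextet[k] = (unsigned char)(hit - data);
    }

    /* Step 2: standard base64 regrouping, four 6-bit values -> three bytes. */
    for (size_t q = 0; q < QUADS; q++) {
        const unsigned char *s = &sextet[q * 4];
        unsigned char *o = &flag[q * 3];

        o[0] = (unsigned char)((s[0] << 2) | (s[1] >> 4));
        o[1] = (unsigned char)(((s[1] & 0x0F) << 4) | (s[2] >> 2));
        o[2] = (unsigned char)(((s[2] & 0x03) << 6) | s[3]);
    }

    /* Step 3: emit exactly out_len bytes; the buffer is not a C string. */
    if (fwrite(flag, 1, out_len, stdout) != out_len) {
        return 1;
    }

    /*
     * Reference kept from the original listing.
     *
     * Standard base64 decoding (4 symbols -> 3 bytes) is the same arithmetic
     * as step 2 above.
     *
     * Standard base64 encoding (3 bytes -> 4 symbols):
     */
    // for ( i = 0, j = 0; i <= strlen(flag); i += 3, j += 4 )
    // {
    //     input[j]     = (flag[i] >> 2) & 0x3F;
    //     input[j + 1] = ((flag[i] & 0x3) << 4) | (flag[i + 1] & 0xF0 ) >> 4;
    //     input[j + 2] = ((flag[i + 1] & 0xF ) << 2) | (flag[i + 2] & 0xC0) >> 6;
    //     input[j + 3] = flag[i + 2] & 0x3F;
    // }

    return 0;
}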

GetFlag!

image-20211230175403676


About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.