February 13, 2022

watevrCTF 2019-Repyc

0x00 日常查壳

pyc文件?直接uncompyle6

image-20220213152829276

0x01 PY虚拟机

这题就很有意思了,PY的虚拟机,就是加了混淆,变量名全部换成了韩文(雾

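佤 = 0            # the "zero" constant every other obfuscated constant is built from
侰 = ~佤 * ~佤    # (~0) * (~0) == (-1) * (-1) == 1
俴 = 侰 + 侰      # 2


def 䯂(䵦):
    """Interpret the instruction list *䵦* on the obfuscated register VM.

    Every instruction is a list: the opcode string first, its operands after
    it.  The machine has a 16-entry slot bank 괠, a 100-entry slot bank 궓, a
    program counter 굴 and a list 괣 used as a stack of jump targets (only
    opcode '뮳' pops it).  Execution stops at opcode '듃'.  Returns nothing;
    the only observable effects are the print()/input() calls made by the
    I/O opcodes.

    NOTE(review): the decompiled listing lost its indentation and the
    parameter name.  The body reads 䵦 and the caller passes exactly one
    positional argument, so the parameter is restored here; block nesting
    is reconstructed from statement order and should be confirmed against
    the original .pyc wherever a branch looks surprising.
    """
    굴 = 佤                         # program counter
    괠 = [佤] * 俴 ** (俴 * 俴)      # 16 primary slots, zero-filled
    궓 = [佤] * 100                 # 100 secondary slots, zero-filled
    괣 = []                         # stack of jump targets
    while 䵦[굴][佤] != '듃':
        굸 = 䵦[굴][佤].lower()      # opcodes are matched case-insensitively
        亀 = 䵦[굴][侰:]             # operands of the current instruction
        if 굸 == '뉃':
            괠[亀[佤]] = 괠[亀[侰]] + 괠[亀[俴]]
        elif 굸 == '렀':
            괠[亀[佤]] = 괠[亀[侰]] ^ 괠[亀[俴]]
        elif 굸 == '렳':
            괠[亀[佤]] = 괠[亀[侰]] - 괠[亀[俴]]
        elif 굸 == '냃':
            괠[亀[佤]] = 괠[亀[侰]] * 괠[亀[俴]]
        elif 굸 == '뢯':
            괠[亀[佤]] = 괠[亀[侰]] / 괠[亀[俴]]      # true division
        elif 굸 == '륇':
            괠[亀[佤]] = 괠[亀[侰]] & 괠[亀[俴]]
        elif 굸 == '맳':
            괠[亀[佤]] = 괠[亀[侰]] | 괠[亀[俴]]
        elif 굸 == '괡':
            괠[亀[佤]] = 괠[亀[佤]]                   # self-assignment: a no-op
        elif 굸 == '뫇':
            괠[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '꼖':
            괠[亀[佤]] = 亀[侰]                       # load immediate operand
        elif 굸 == '뫻':
            궓[亀[佤]] = 괠[亀[侰]]
        elif 굸 == '딓':
            괠[亀[佤]] = 궓[亀[侰]]
        elif 굸 == '댒':
            괠[亀[佤]] = 佤
        elif 굸 == '묇':
            궓[亀[佤]] = 佤
        elif 굸 == '묟':
            괠[亀[佤]] = input(괠[亀[侰]])            # prompt is the slot's string
        elif 굸 == '꽺':
            궓[亀[佤]] = input(괠[亀[侰]])
        elif 굸 == '돯':
            print(괠[亀[佤]])
        elif 굸 == '뭗':
            print(궓[亀[佤]])
        elif 굸 == '뭿':
            굴 = 괠[亀[佤]]       # no `continue`: the +1 below lands at target + 1
        elif 굸 == '뮓':
            굴 = 궓[亀[佤]]
        elif 굸 == '뮳':
            굴 = 괣.pop()
        elif 굸 == '믃':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        elif 굸 == '꽲':
            # Compare two slots: slot 7 becomes 1 on mismatch and the program
            # counter is loaded from the third operand's slot.  There is no
            # `continue`, so execution resumes one past that target.
            # NOTE(review): whether the two jump lines sit inside the `if`
            # is not recoverable from the flattened listing; this reading
            # matches the other conditional-jump opcodes.
            괠[7] = 佤
            for _ in range(len(괠[亀[佤]])):
                if 괠[亀[佤]] != 괠[亀[侰]]:
                    괠[7] = 侰
                    굴 = 괠[亀[俴]]
                    괣.append(굴)
        elif 굸 == '꾮':
            # XOR every character of the string in slot 亀[佤] with the
            # integer in slot 亀[侰].
            괠[亀[佤]] = ''.join(chr(ord(c) ^ 괠[亀[侰]]) for c in 괠[亀[佤]])
        elif 굸 == '꿚':
            # Subtract the integer in slot 亀[侰] from every character.
            괠[亀[佤]] = ''.join(chr(ord(c) - 괠[亀[侰]]) for c in 괠[亀[佤]])
        elif 굸 == '떇':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '뗋':
            if 괠[亀[侰]] > 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '똷':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 亀[佤]
                괣.append(굴)
                continue
        elif 굸 == '뚫':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 괠[亀[佤]]
                괣.append(굴)
                continue
        elif 굸 == '띇':
            if 괠[亀[侰]] == 괠[亀[俴]]:
                굴 = 궓[亀[佤]]
                괣.append(굴)
                continue
        굴 += 侰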


# The challenge program as recovered from the .pyc, one instruction per line.
# Operand expressions are left exactly as decompiled.
# NOTE(review): the other two copies of this ciphertext on the page have no
# space inside 'Åä×ÚÔ ×æÔ'; verify against the challenge file before relying
# on this copy.
䯂([
    ['꼖', 佤, 'Authentication token: '],
    ['꽺', 佤, 佤],
    ['꼖', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    ['꼖', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],   # 2**7 - 2**3
    ['꼖', 4, 15],
    ['꼖', 3, 侰],
    ['냃', 俴, 俴, 3],
    ['뉃', 俴, 俴, 4],
    ['괡', 佤, 俴],
    ['댒', 3],
    ['꾮', 6, 3],
    ['꼖', 佤, 'Thanks.'],
    ['꼖', 侰, 'Authorizing access...'],
    ['돯', 佤],
    ['딓', 佤, 佤],
    ['꾮', 佤, 俴],
    ['꿚', 佤, 4],
    ['꼖', 5, 19],
    ['꽲', 佤, 6, 5],
    ['돯', 侰],
    ['듃'],
    ['꼖', 侰, 'Access denied!'],
    ['돯', 侰],
    ['듃'],
])

0x02 GetFlag!

花时间慢慢分析即可,不确定的拿程序跑一下就知道了

# Plain-integer aliases for the three obfuscated constants (佤, 侰, 俴).
# 2 ** (2 * 2) == 16 is the size of the VM's primary slot array t below.
a, b, c = 0, 1, 2

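def VM(p):
    """Interpret the instruction list *p* on the de-obfuscated register VM.

    Each instruction is a list: an opcode string followed by its operands.
    The machine has 16 primary slots ``t``, 100 secondary slots ``x``, a
    program counter ``m`` and a list ``array`` used as a stack of jump
    targets (only ``mmov_popar`` pops it).  Execution stops at opcode
    ``'end'``.  Returns nothing; the only observable effects are the
    ``print``/``input`` calls made by the I/O opcodes.

    NOTE(review): the listing had lost its indentation; nesting below is
    reconstructed from statement order and should match the obfuscated
    original on this page.  ``array.apped`` was a typo for
    ``array.append`` (an AttributeError on every conditional jump) and is
    fixed here.
    """
    m = 0                       # program counter
    t = [0] * 2 ** (2 * 2)      # 16 primary slots, zero-filled
    x = [0] * 100               # 100 secondary slots, zero-filled
    array = []                  # stack of jump targets
    while p[m][0] != 'end':
        opcode = p[m][0].lower()    # opcodes are matched case-insensitively
        h = p[m][1:]                # operands of the current instruction
        if opcode == 'tadd012':
            t[h[0]] = t[h[1]] + t[h[2]]
        elif opcode == 'txor012':
            t[h[0]] = t[h[1]] ^ t[h[2]]
        elif opcode == 'tsub012':
            t[h[0]] = t[h[1]] - t[h[2]]
        elif opcode == 'tmul012':
            t[h[0]] = t[h[1]] * t[h[2]]
        elif opcode == 'tdiv012':
            t[h[0]] = t[h[1]] / t[h[2]]      # true division
        elif opcode == 'tand012':
            t[h[0]] = t[h[1]] & t[h[2]]
        elif opcode == 'tor012':
            t[h[0]] = t[h[1]] | t[h[2]]
        elif opcode == 'tmov00':
            t[h[0]] = t[h[0]]                # self-assignment: a no-op
        elif opcode == 'tmov01':
            t[h[0]] = t[h[1]]
        elif opcode == 'tmovh[1]':
            t[h[0]] = h[1]                   # load immediate operand
        elif opcode == 'xmov0t1':
            x[h[0]] = t[h[1]]
        elif opcode == 'tmov0x1':
            t[h[0]] = x[h[1]]
        elif opcode == 't0init':
            t[h[0]] = 0
        elif opcode == 'x0init':
            x[h[0]] = 0
        elif opcode == 't0input':
            t[h[0]] = input(t[h[1]])         # prompt is the slot's string
        elif opcode == 'x0input':
            x[h[0]] = input(t[h[1]])
        elif opcode == 'pt0':
            print(t[h[0]])
        elif opcode == 'px0':
            print(x[h[0]])
        elif opcode == 'mmovt0':
            m = t[h[0]]       # no `continue`: the +1 below lands at target + 1
        elif opcode == 'mmovex0':
            m = x[h[0]]
        elif opcode == 'mmov_popar':
            m = array.pop()   # pop the most recently pushed jump target
        elif opcode == 'func1':
            if t[h[1]] > t[h[2]]:
                m = h[0]
                array.append(m)
                continue
        elif opcode == 'func2':
            # Compare two slots: t[7] becomes 1 on mismatch and the program
            # counter is loaded from t[h[2]].  There is no `continue`, so
            # execution resumes one past that target.
            # NOTE(review): whether the two jump lines sit inside the `if`
            # is not recoverable from the flattened listing; this reading
            # matches the other conditional-jump opcodes.
            t[7] = 0
            for _ in range(len(t[h[0]])):
                if t[h[0]] != t[h[1]]:
                    t[7] = 1
                    m = t[h[2]]
                    array.append(m)
        elif opcode == 'func3':
            # XOR every character of the string in t[h[0]] with t[h[1]].
            t[h[0]] = ''.join(chr(ord(ch) ^ t[h[1]]) for ch in t[h[0]])
        elif opcode == 'func4':
            # Subtract t[h[1]] from every character of the string in t[h[0]].
            t[h[0]] = ''.join(chr(ord(ch) - t[h[1]]) for ch in t[h[0]])
        elif opcode == 'func5':
            if t[h[1]] > t[h[2]]:
                m = t[h[0]]
                array.append(m)
                continue
        elif opcode == 'func6':
            if t[h[1]] > t[h[2]]:
                m = x[h[0]]
                array.append(m)
                continue
        elif opcode == 'func7':
            if t[h[1]] == t[h[2]]:
                m = h[0]
                array.append(m)
                continue
        elif opcode == 'func8':
            if t[h[1]] == t[h[2]]:
                m = t[h[0]]
                array.append(m)
                continue
        elif opcode == 'func9':
            if t[h[1]] == t[h[2]]:
                m = x[h[0]]
                array.append(m)
                continue
        m += 1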


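# The challenge program for the de-obfuscated VM, one instruction per line.
# The prompt strings are restored from the obfuscated listing above (the
# pasted copy apparently went through a global a->0 / c->2 replace and read
# '0uthenti20tion'), and the ciphertext byte `\x9a` is taken from the solver's
# copy of the ciphertext: the author notes that the pasted program had lost a
# '.' (it read `\x90` at that position).
VM([
    ['tmovh[1]', 0, 'Authentication token: '],
    ['x0input', 0, 0],
    ['tmovh[1]', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    ['tmovh[1]', 2, 2 ** (3 * 2 + 1) - 2 ** (2 + 1)],   # 128 - 8 == 120
    ['tmovh[1]', 4, 15],
    ['tmovh[1]', 3, 1],
    ['tmul012', 2, 2, 3],       # t[2] = 120 * 1
    ['tadd012', 2, 2, 4],       # t[2] = 120 + 15 == 135
    ['tmov00', 0, 2],           # no-op: t[0] = t[0]
    ['t0init', 3],              # t[3] = 0
    ['func3', 6, 3],            # XOR the ciphertext with 0: unchanged
    ['tmovh[1]', 0, 'Thanks.'],
    ['tmovh[1]', 1, 'Authorizing access...'],
    ['pt0', 0],
    ['tmov0x1', 0, 0],          # t[0] = the token read above
    ['func3', 0, 2],            # XOR each character with 135
    ['func4', 0, 4],            # subtract 15 from each character
    ['tmovh[1]', 5, 19],
    ['func2', 0, 6, 5],         # compare with the ciphertext; load m from t[5] on mismatch
    ['pt0', 1],
    ['end'],
    ['tmovh[1]', 1, 'Access denied!'],
    ['pt0', 1],
    ['end'],
])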

贴上我的分析和EXP

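# Annotated trace of the challenge program.  Prompt strings are restored from
# the obfuscated listing above, and the ciphertext byte `\x9a` (the '.' the
# author reports losing while copying; the pasted copy read `\x90`) matches
# the solver's copy of the ciphertext.
VM([
    ['tmovh[1]', 0, 'Authentication token: '],
    # t[0] = prompt string
    ['x0input', 0, 0],
    # x[0] = input(t[0])  -> the token typed by the user
    ['tmovh[1]', 6, 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'],
    # t[6] = expected ciphertext (enflag)
    ['tmovh[1]', 2, 2 ** (3 * 2 + 1) - 2 ** (2 + 1)],
    # t[2] = 128 - 8 = 120
    ['tmovh[1]', 4, 15],
    # t[4] = 15
    ['tmovh[1]', 3, 1],
    # t[3] = 1
    ['tmul012', 2, 2, 3],
    # t[2] = t[2] * t[3] = 120 * 1 = 120
    ['tadd012', 2, 2, 4],
    # t[2] = t[2] + t[4] = 120 + 15 = 135
    ['tmov00', 0, 2],
    # t[0] = t[0]: a no-op, the second operand is ignored by this opcode
    ['t0init', 3],
    # t[3] = 0
    ['func3', 6, 3],
    # t[6] = ''.join(chr(ord(ch) ^ t[3]) for ch in t[6]); XOR with 0 leaves it unchanged
    ['tmovh[1]', 0, 'Thanks.'],
    # t[0] = 'Thanks.'
    ['tmovh[1]', 1, 'Authorizing access...'],
    # t[1] = 'Authorizing access...'
    ['pt0', 0],
    # print(t[0])
    ['tmov0x1', 0, 0],
    # t[0] = x[0] = the token
    ['func3', 0, 2],
    # t[0] = ''.join(chr(ord(ch) ^ t[2]) for ch in t[0]); XOR each char with 135
    ['func4', 0, 4],
    # t[0] = ''.join(chr(ord(ch) - t[4]) for ch in t[0]); subtract 15 from each char
    ['tmovh[1]', 5, 19],
    # t[5] = 19
    ['func2', 0, 6, 5],
    # t[7] = 0
    # for every char position of t[0]:
    #     if t[0] != t[6]:        (whole-string comparison, t[6] is enflag)
    #         t[7] = 1
    #         m = t[5] = 19       (the VM then adds 1, see its loop tail)
    #         array.append(m)
    ['pt0', 1],
    # print(t[1])
    ['end'],
    ['tmovh[1]', 1, 'Access denied!'],
    # t[1] = 'Access denied!'
    ['pt0', 1],
    # print(t[1])
    ['end'],
])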

# The ciphertext the VM compares the transformed token against (with the
# `\x9a` '.' byte that the pasted program copy had lost).
enflag = 'á×äÓâæíäàßåÉÛãåäÉÖÓÉäàÓÉÖÓåäÉÓÚÕæïèäßÙÚÉÛÓäàÙÔÉÓâæÉàÓÚÕÓÒÙæäàÉäàßåÉßåÉäàÓÉÚÓáÉ·Ôâ×ÚÕÓÔɳÚÕæïèäßÙÚÉÅä×ÚÔ×æÔÉ×Úïá×ïåÉßÉÔÙÚäÉæÓ×ÜÜïÉà×âÓÉ×ÉÑÙÙÔÉâßÔÉÖãäÉßÉæÓ×ÜÜïÉÓÚÞÙïÉäàßåÉåÙÚÑÉßÉàÙèÓÉïÙãÉáßÜÜÉÓÚÞÙïÉßäÉ×åáÓÜÜ\x97ÉïÙãäãÖÓ\x9aÕÙÛ\x99á×äÕà©â«³£ï²ÕÔÈ·±â¨ë'

# The VM's check XORs each token character with 135 (func3) and then subtracts
# 15 (func4) before comparing against enflag, so the inverse per character is:
# add 15, then XOR 135.  Because the transform is a fixed, invertible
# per-character mapping and the expected ciphertext is embedded in the program,
# the token is recoverable offline from the program alone.
for ch in enflag:
    t = (ord(ch) + 15) ^ 135
    print(chr(t), end="")

其实就是减和异或,但是交了半天发现不对,可能是全部复制的时候少了点什么——就是少了个点,即密文中的 `\x9a`(对应明文里的 `.`)在复制后变成了 `\x90`(后来找了半天才发现)

image-20220213153425256


About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.