March 16, 2022

D^3CTF2022-D3thon

哈哈,搭环境,有趣有趣
(关于搭了一天环境搞烂一台虚拟机又重装一遍坚持不懈装完一个强迫症快照归0)

难受入睡 无力起床 鼓起勇气 回到机房 熟悉报错 瞬间解决

0x00 日常查壳

python虚拟机题,出题人自己弄了个so文件,于是要去linux下弄个python3.10

1
2
3
4
5
6
import byte_analizer as ba

with open("bcode.lbc", "r") as fi:
  statmts = fi.read().split("\n")
  for i in statmts:
    ba.analize(i)

0x01 分析opcodes

用好用的ipython反复调试可以发现

image-20220316151903337

1
2
3
4
5
6
ZOAmcoLkGlAXXqf:xxx 		// 定义函数xxx
RDDDZUiIKbxCubJEN:xxx		// 执行函数xxx
kuhisCvwaXWfqCs:flag		// ~flag
IEKMEDdrPpzpdKy:flag:1		// flag += 1
OcKUQCYqhwHXfAgGZH:flag:1	// flag ^= 1
FLNPsiCIvICFtzpUAR:flag:	// fkag -= 1

help(ba)可以查看这个库的说明文件

image-20220316151735418

再看结尾的几个执行操作,所以我们只要关心okokokok函数怎么执行的

image-20220316151807225

0x02 GetFlag!

把okokokok函数的内容单独拿出来

上脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# IEKMEDdrPpzpdKy +
# OcKUQCYqhwHXfAgGZH ^
# FLNPsiCIvICFtzpUAR -
# kuhisCvwaXWfqCs ~

enflag = -194952731925593882593246917508862867371733438849523064153861650948471779982880938

with open("bcode.txt", "r") as fi:
    opcodes = fi.read().split(',')

for i in opcodes[::-1]:
    t = i.split(":")
    # print(t)
    if "'IEKMEDdrPpzpdKy" == t[0]:
        enflag -= int(t[2].replace('\'', ''))
    elif "'OcKUQCYqhwHXfAgGZH" == t[0]:
        enflag ^= int(t[2].replace('\'', ''))
    elif "'FLNPsiCIvICFtzpUAR" == t[0]:
        enflag += int(t[2].replace('\'', ''))
    else:
        enflag = ~enflag

print(hex(enflag))
# 十六进制转字符串
print("d3ctf{" + str(bytes.fromhex(hex(enflag)[2:]))[2:-1] + "}")

GetFlag!

image-20220316152038727

About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.