May 18, 2022

NS2022-go2cry

(IDA 7.7 works! Yet another classic case of getting the solution after the contest ended. Sob, that was 80 points.)

0x00 Routine packer check

No packer, 64-bit.


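0x01 Analyzing the main function

XOR

XOR has me puzzled too; this looks a lot like that PWNHUB challenge. The flag is split into groups of 8 bytes, and the first six bytes of each group are XORed first.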


CRC64

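Each group is then converted to an int64 and run through CRC64. Argh, I didn't have the patience to read it during the contest; as soon as I saw Go I wanted to bail. Patience, patience, and more patience.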


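Binary row/column transposition

IDA's decompilation is a bit messy here, but tracing through it twice makes it clear.

So in the resulting ciphertext, the first value is the 8th bit of the original 8 bytes, the second value is the 7th bit of the original 8 bytes…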


0x02 GetFlag

It's that simple. Not solving this during the contest just means I was too impatient. Lesson learned!

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

// Rotate a byte right by 5 bits (the same as rotating left by 3)
#define ROR5(n) ( (((n) >> 5) & 0x7) | (((n) << 3) & 0xF8) )

int main(void)
{
    unsigned char encFlag[] = { 0xC8, 0x34, 0x59, 0x4E, 0xC0, 0xD5, 0xAD, 0x08, 0xC9, 0x2B, 0x4C, 0xDA, 0xE6, 0xC0, 0x9A, 0x19, 0xB5, 0x10, 0x55, 0x7D, 0xE8, 0xF5, 0x83, 0xFF, 0x74, 0x8B, 0xE3, 0xD4, 0x6A, 0x7D, 0x44, 0x58 };
    unsigned char orgFlag[32] = { 0 };
    unsigned char input[32];
    int i, j, x, y;

    // Undo the bit transposition of each 8-byte group, then rotate every byte
    for ( x = 0; x < 4; x++ )
    {
        for ( i = 0; i < 8; i++ )
        {
            for ( j = 0; j < 8; j++ )
            {
                if ( (encFlag[j + x * 8] & (0x80 >> i)) )
                    orgFlag[i + x * 8] |= (0x80 >> j);
            }
        }
        for ( y = 0; y < 8; y++ )
        {
            orgFlag[y + x * 8] = ROR5(orgFlag[y + x * 8]);
            // printf("0x%X, ", orgFlag[y + x * 8]);
        }
    }

    // Undo the CRC64 rounds on each 8-byte group
    for ( i = 0; i < 4; i++ )
    {
        uint64_t t;
        // Native-endian load (little-endian on x86-64), replacing the original pointer cast
        memcpy(&t, &orgFlag[i * 8], sizeof t);
        // printf("%016llX\n", (unsigned long long)t);
        for ( j = 0; j < 64; j++ ) // repeat this operation 64 times
        {
            if ( t & 1 ) // negative case (top bit was set before the forward round)
            {
                t = (t ^ 0x2EF20D07161E85F7ULL) / 2;
                t |= 0x8000000000000000ULL;
            }
            else // positive case
                t = t / 2;
        }
        // Store the result most-significant byte first
        for ( j = 7; j >= 0; j-- )
        {
            input[j + i * 8] = (unsigned char)t;
            t >>= 8;
        }
    }

    // for ( i = 0; i < 32; i++ )
    //     printf("0x%X, ", input[i]);

    // Undo the XOR on the first six bytes of each group; the last two bytes are stored as-is
    for ( i = 0; i < 4; i++ )
    {
        for ( j = i * 8; j < (6 + i * 8); j += 3 )
        {
            printf("%c", input[j] ^ input[j + 1] ^ input[j + 2]);
            printf("%c", input[j] ^ input[j + 2]);
            printf("%c", input[j + 1] ^ input[j + 2]);
        }
        printf("%c", input[i * 8 + 6]);
        printf("%c", input[i * 8 + 7]);
    }

    return 0;
}
```

GetFlag!
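
As a cross-check of the three stages described above, this added example (not from the original post or the challenge binary) rebuilds the forward transform for one 8-byte group by inverting each step of the solver, and confirms that the two directions round-trip. The function names and the sample input are assumptions made for illustration; byte order and rotation direction are inferred from the solver, not read from the binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define POLY 0x2EF20D07161E85F7ULL /* constant taken from the solver */
/* 8x8 bit-matrix transpose (MSB = column 0); it is its own inverse. */
static void transpose8(const uint8_t in[8], uint8_t out[8]) {
    memset(out, 0, 8);
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 8; j++)
            if (in[j] & (0x80 >> i)) out[i] |= (uint8_t)(0x80 >> j);
}
/* Forward transform of one 8-byte group, inferred by inverting the solver. */
void encrypt_block(const uint8_t p[8], uint8_t c[8]) {
    uint8_t m[8] = {0, 0, 0, 0, 0, 0, p[6], p[7]}, r[8];
    uint64_t t = 0;
    for (int k = 0; k < 6; k += 3) {                  /* XOR-mix bytes 0..5 */
        m[k] = p[k] ^ p[k + 2];
        m[k + 1] = p[k] ^ p[k + 1];
        m[k + 2] = p[k] ^ p[k + 1] ^ p[k + 2];
    }
    for (int k = 0; k < 8; k++) t = (t << 8) | m[k];  /* big-endian load */
    for (int k = 0; k < 64; k++)                      /* 64 shift/XOR rounds */
        t = (t >> 63) ? (t << 1) ^ POLY : t << 1;
    for (int k = 0; k < 8; k++, t >>= 8)              /* LE store, undo ROR5 */
        r[k] = (uint8_t)(((t & 0xFF) >> 3) | (t << 5));
    transpose8(r, c);
}
void decrypt_block(const uint8_t c[8], uint8_t p[8]) { /* solver steps, one group */
    uint8_t r[8], m[8];
    uint64_t t = 0;
    transpose8(c, r);
    for (int k = 7; k >= 0; k--)                      /* ROR5, LE load */
        t = (t << 8) | (uint8_t)((r[k] >> 5) | (r[k] << 3));
    for (int k = 0; k < 64; k++)                      /* undo the 64 rounds */
        t = (t & 1) ? ((t ^ POLY) >> 1) | (1ULL << 63) : t >> 1;
    for (int k = 7; k >= 0; k--, t >>= 8) m[k] = (uint8_t)t;  /* BE store */
    for (int k = 0; k < 6; k += 3) {                  /* undo the XOR mix */
        p[k] = m[k] ^ m[k + 1] ^ m[k + 2];
        p[k + 1] = m[k] ^ m[k + 2];
        p[k + 2] = m[k + 1] ^ m[k + 2];
    }
    p[6] = m[6]; p[7] = m[7];
}
int main(void) {
    uint8_t p[8] = {'t','e','s','t','1','2','3','4'}, c[8], q[8]; /* constructed */
    encrypt_block(p, c); decrypt_block(c, q);
    printf("round trip %s\n", memcmp(p, q, 8) ? "FAILED" : "ok");
    return 0;
}
```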



About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.