just_run_it
<h1>🌓Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/638b67f216f2c2beb14b8402.png" alt="Img" />
<code>file</code> identifies it as a DOS/MBR boot sector file.
<img src="https://pic.imgdb.cn/item/638b687016f2c2beb14c7b06.png" alt="Img" />
Running it directly just throws an error.
<img src="https://pic.imgdb.cn/item/638b689716f2c2beb14ccd52.png" alt="Img" />
But prefixing it with <code>sh</code> makes it run.
<img src="https://pic.imgdb.cn/item/638b68c216f2c2beb14d1d76.png" alt="Img" />
It turns out the binary is run through APE.
<img src="https://pic.imgdb.cn/item/638b695016f2c2beb14e4531.png" alt="Img" />
Searching for that term leads to these pages:
<a href="https://justine.lol/ape.html">https://justine.lol/ape.html</a>
<a href="https://nosec.org/home/detail/4687.html">https://nosec.org/home/detail/4687.html</a>
The official page and a Chinese translation of it.
The corresponding project is on GitHub:
<a href="https://github.com/jart/cosmopolitan">https://github.com/jart/cosmopolitan</a>
<img src="https://pic.imgdb.cn/item/638b6a7916f2c2beb15106d0.png" alt="Img" />
The page notes that if the file is not recognised as a binary, running it with the <code>--assimilate</code> flag converts it to a native executable.
<img src="https://pic.imgdb.cn/item/638b6acc16f2c2beb15197f6.png" alt="Img" />
The same site also provides a gdb configuration.
<img src="https://pic.imgdb.cn/item/638b6afc16f2c2beb151f0ca.png" alt="Img" />
Debugging it in gdb without that configuration fails immediately.
<img src="https://pic.imgdb.cn/item/638b6b5116f2c2beb1528f97.png" alt="Img" />
My gdb configuration is:
<img src="https://pic.imgdb.cn/item/638b6b7516f2c2beb152d84f.png" alt="Img" />
Next, the IDA disassembly.
<img src="https://pic.imgdb.cn/item/638b6bc216f2c2beb1537cf1.png" alt="Img" />
The key strings are easy to find.
<img src="https://pic.imgdb.cn/item/638b6c2416f2c2beb1546989.png" alt="Img" />
Once 16 bytes of input have been read, the change function is called.
<img src="https://pic.imgdb.cn/item/638b6c7016f2c2beb155579a.png" alt="Img" />
Reading the change function statically is too tedious, so I stepped through it in gdb instead.
<img src="https://pic.imgdb.cn/item/638b6cf616f2c2beb1563b1f.png" alt="" />
From that we can write the swap function and its inverse.</p>
<pre><code class="language-python"># Byte swap performed by the binary's change function: s[i] = key[index]
def change(s, key):
    s[0] = key[0]
    s[1] = key[1]
    s[2] = key[5]
    s[3] = key[6]
    s[4] = key[2]
    s[5] = key[4]
    s[6] = key[7]
    s[7] = key[0xc]
    s[8] = key[3]
    s[9] = key[8]
    s[10] = key[0xb]
    s[11] = key[0xd]
    s[12] = key[0x9]
    s[13] = key[0xa]
    s[14] = key[0xe]
    s[15] = key[0xf]

# Inverse swap: write each byte of s back to the position change() read it from
def reChange(key, s):
    key[0] = s[0]
    key[1] = s[1]
    key[5] = s[2]
    key[6] = s[3]
    key[2] = s[4]
    key[4] = s[5]
    key[7] = s[6]
    key[0xc] = s[7]
    key[3] = s[8]
    key[8] = s[9]
    key[0xb] = s[10]
    key[0xd] = s[11]
    key[0x9] = s[12]
    key[0xa] = s[13]
    key[0xe] = s[14]
    key[0xf] = s[15]</code></pre>
<p><img src="https://pic.imgdb.cn/item/638b6d5316f2c2beb156d29f.png" alt="Img" />
The swapped string is then XORed with a fixed string.
<img src="https://pic.imgdb.cn/item/638b6dc316f2c2beb1579be8.png" alt="Img" />
The swap function is run once more, and the function after it, judging by its arguments, is a comparison. With that we can write the reverse of the key stage: undo the second swap on the expected constant, XOR with the fixed string, and undo the first swap.</p>
<pre><code class="language-python"># Byte swap performed by the binary's change function: s[i] = key[index]
def change(s, key):
    s[0] = key[0]
    s[1] = key[1]
    s[2] = key[5]
    s[3] = key[6]
    s[4] = key[2]
    s[5] = key[4]
    s[6] = key[7]
    s[7] = key[0xc]
    s[8] = key[3]
    s[9] = key[8]
    s[10] = key[0xb]
    s[11] = key[0xd]
    s[12] = key[0x9]
    s[13] = key[0xa]
    s[14] = key[0xe]
    s[15] = key[0xf]

# Inverse swap: write each byte of s back to the position change() read it from
def reChange(key, s):
    key[0] = s[0]
    key[1] = s[1]
    key[5] = s[2]
    key[6] = s[3]
    key[2] = s[4]
    key[4] = s[5]
    key[7] = s[6]
    key[0xc] = s[7]
    key[3] = s[8]
    key[8] = s[9]
    key[0xb] = s[10]
    key[0xd] = s[11]
    key[0x9] = s[12]
    key[0xa] = s[13]
    key[0xe] = s[14]
    key[0xf] = s[15]

# In-place XOR of s with key, byte by byte
def xor(s, key):
    for i in range(len(s)):
        s[i] = s[i] ^ key[i]

# key1: the constant the binary compares against after the second swap
key1 = [0x11, 0x4d, 0x92, 0xda, 0xac, 0x0b, 0x62, 0xf7, 0x54, 0x51, 0x27, 0x5a, 0x72, 0x62, 0x7b, 0x76]
# key2: the fixed string XORed in between the two swaps
key2 = [0x46, 0x7c, 0xc1, 0x31, 0x67, 0xa2, 0xb4, 0x0d, 0x32, 0x11, 0x50, 0x15, 0x83, 0x3c, 0x14, 0x57]

s = [i for i in range(len(key1))]
key = [i for i in range(16)]
reChange(s, key1)   # undo the second swap
xor(s, key2)        # undo the XOR
reChange(key, s)    # undo the first swap
for i in key:
    print(chr(i), end="")
# W1lc0menctf2o2o!</code></pre>
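<p>The same recovery written as an added example (not code from the original write-up): the byte shuffle is expressed as one index table, the inverse is derived from it rather than typed out by hand, and a forward-direction check confirms that the recovered key reproduces the constant the binary compares against. Only <code>key1</code> and <code>key2</code> come from the write-up; every function name here is my own.</p>

```python
# Added example: permutation-plus-XOR key check, solved and verified in both directions.
# PERM encodes the binary's change() function: out[i] = in[PERM[i]].
PERM = [0, 1, 5, 6, 2, 4, 7, 0xC, 3, 8, 0xB, 0xD, 0x9, 0xA, 0xE, 0xF]

# Constants from the write-up: KEY1 is compared against after the second swap,
# KEY2 is XORed in between the two swaps.
KEY1 = [0x11, 0x4d, 0x92, 0xda, 0xac, 0x0b, 0x62, 0xf7,
        0x54, 0x51, 0x27, 0x5a, 0x72, 0x62, 0x7b, 0x76]
KEY2 = [0x46, 0x7c, 0xc1, 0x31, 0x67, 0xa2, 0xb4, 0x0d,
        0x32, 0x11, 0x50, 0x15, 0x83, 0x3c, 0x14, 0x57]


def inverse_perm(perm):
    """Return inv such that perm[inv[j]] == j for every position j."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


INV = inverse_perm(PERM)


def change(data):
    """Forward swap, exactly what the binary's change() does."""
    return [data[PERM[i]] for i in range(16)]


def rechange(data):
    """Inverse swap: rechange(change(x)) == x."""
    return [data[INV[i]] for i in range(16)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def check_key(key):
    """The binary's own test: change -> XOR KEY2 -> change, compared with KEY1."""
    return change(xor(change(key), KEY2)) == KEY1


def recover_key():
    """Undo the three steps in reverse order."""
    return rechange(xor(rechange(KEY1), KEY2))


def recovered_key_str():
    return bytes(recover_key()).decode("ascii")


if __name__ == "__main__":
    key = recover_key()
    print(recovered_key_str(), "passes check:", check_key(key))
```

<p>Because <code>check_key</code> mirrors the binary's forward computation, a wrong transcription of either constant or of the index table shows up here as a failed check rather than as a silent wrong answer at the prompt.</p>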
<p><img src="https://pic.imgdb.cn/item/638b6e5316f2c2beb158b652.png" alt="Img" />
Try it as input.
<img src="https://pic.imgdb.cn/item/638b6e8316f2c2beb15955bf.png" alt="Img" />
It is accepted, so next comes the flag part.
<img src="https://pic.imgdb.cn/item/638b6eae16f2c2beb159d4a4.png" alt="Img" />
The input handling is straightforward; the interesting part is the check that follows.
<img src="https://pic.imgdb.cn/item/638b6f2716f2c2beb15a94cc.png" alt="Img" />
The function that processes the key is:
<img src="https://pic.imgdb.cn/item/638b6f3f16f2c2beb15abac4.png" alt="Img" />
It looks very much like the key schedule of the Chinese national cipher SM4, so the guess is that the code in between encrypts the input with SM4 and finally compares the result with a fixed string.
<img src="https://pic.imgdb.cn/item/638b6fc616f2c2beb15ba7b9.png" alt="Img" />
The fixed string in hex is</p>
<pre><code>4d93be162ede3374da53f68a43636284d5f62ac3d0a5042d03682e1294243310f9f65b615c165dde9086bfdf3d0bcd3b</code></pre>
<p>So try decrypting the fixed string with the recovered key:
<a href="https://the-x.cn/cryptography/Sm4.aspx">https://the-x.cn/cryptography/Sm4.aspx</a>
<img src="https://pic.imgdb.cn/item/638b6ffd16f2c2beb15c051f.png" alt="Img" />
That yields the flag.</p>
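<p>The write-up decrypts the constant with an online tool. As an added example (not code from the original write-up), here is a plain-Python SM4 implementation that does the same step offline, which is preferable when the input is anything more sensitive than a CTF constant. The key and the 48-byte ciphertext are the values from the write-up; the assumption that the binary uses ECB mode with no padding is mine, as the page does not state the mode. The S-box, FK and CK constants are those of the SM4 standard, and <code>self_test</code> checks the implementation against the standard's published test vector.</p>

```python
# Added example: SM4 block cipher in pure Python, used to decrypt the challenge constant.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c05"
    "2b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62"
    "e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8"
    "686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887"
    "d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1"
    "e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6f"
    "d5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad8"
    "0ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec684"
    "18f07dec3adc4d2079ee5f3ed7cb3948"
)
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
# CK[i] is built from bytes (4i + j) * 7 mod 256, j = 0..3, as the standard defines it
CK = [sum((((4 * i + j) * 7) & 0xFF) << (24 - 8 * j) for j in range(4)) for i in range(32)]
MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def tau(word):
    """Non-linear layer: apply the S-box to each byte of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in word.to_bytes(4, "big")), "big")


def t_round(word):          # T = L(tau(.)), used in the round function
    b = tau(word)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)


def t_key(word):            # T' = L'(tau(.)), used in the key schedule
    b = tau(word)
    return b ^ rotl(b, 13) ^ rotl(b, 23)


def key_schedule(key):
    """Expand a 16-byte key into the 32 round keys (the part the write-up recognised in IDA)."""
    mk = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    k = [mk[i] ^ FK[i] for i in range(4)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]


def crypt_block(block, rks):
    """32 Feistel-style rounds; decryption is the same with round keys reversed."""
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for i in range(32):
        x.append(x[i] ^ t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rks[i]))
    return b"".join(w.to_bytes(4, "big") for w in (x[35], x[34], x[33], x[32]))


def _ecb(key, data, decrypt):
    if len(data) % 16:
        raise ValueError("ECB without padding needs a multiple of 16 bytes")
    rks = key_schedule(key)
    if decrypt:
        rks = rks[::-1]
    return b"".join(crypt_block(data[i:i + 16], rks) for i in range(0, len(data), 16))


def sm4_ecb_encrypt(key, data):
    return _ecb(key, data, decrypt=False)


def sm4_ecb_decrypt(key, data):
    return _ecb(key, data, decrypt=True)


def self_test():
    """Standard SM4 test vector: key == plaintext == 0123...3210."""
    k = bytes.fromhex("0123456789abcdeffedcba9876543210")
    return sm4_ecb_encrypt(k, k).hex() == "681edf34d206965e86b3e94f536e4246"


# Values from the write-up: the recovered key and the constant the binary compares against
KEY = b"W1lc0menctf2o2o!"
CIPHERTEXT = bytes.fromhex(
    "4d93be162ede3374da53f68a43636284d5f62ac3d0a5042d03682e12"
    "94243310f9f65b615c165dde9086bfdf3d0bcd3b"
)


def decrypt_challenge_constant():
    # Assumption: ECB mode, no padding (three 16-byte blocks)
    return sm4_ecb_decrypt(KEY, CIPHERTEXT)


if __name__ == "__main__":
    assert self_test(), "SM4 implementation does not match the standard test vector"
    print(decrypt_challenge_constant())
```

<p>Run it and compare the printed bytes with the online tool's output; if they differ, the mode assumption is the first thing to revisit, since the key schedule and round function are fixed by the standard and are pinned down by <code>self_test</code>.</p>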
<h1>🌓Attachments</h1>
<p>题目附件:<a href="https://cowtransfer.com/s/240db8579ff34b">https://cowtransfer.com/s/240db8579ff34b</a>
IDA database:<a href="https://cowtransfer.com/s/25a7879433c449">https://cowtransfer.com/s/25a7879433c449</a></p>