just_run_it

<h1>🌓Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/638b67f216f2c2beb14b8402.png" alt="Img" /> <code>file</code> identifies it as a DOS/MBR boot sector.</p>
<p><img src="https://pic.imgdb.cn/item/638b687016f2c2beb14c7b06.png" alt="Img" /> Running it directly just errors out.</p>
<p><img src="https://pic.imgdb.cn/item/638b689716f2c2beb14ccd52.png" alt="Img" /> But prefixing it with <code>sh</code> makes it run.</p>
<p><img src="https://pic.imgdb.cn/item/638b68c216f2c2beb14d1d76.png" alt="Img" /> It turns out the binary is executed through APE (Actually Portable Executable).</p>
<p><img src="https://pic.imgdb.cn/item/638b695016f2c2beb14e4531.png" alt="Img" /> Searching for that leads to the official site and a Chinese translation of it: <a href="https://justine.lol/ape.html">https://justine.lol/ape.html</a> <a href="https://nosec.org/home/detail/4687.html">https://nosec.org/home/detail/4687.html</a>. The corresponding project is on GitHub: <a href="https://github.com/jart/cosmopolitan">https://github.com/jart/cosmopolitan</a></p>
<p><img src="https://pic.imgdb.cn/item/638b6a7916f2c2beb15106d0.png" alt="Img" /> The README notes that if the file is not recognized as a binary, running it with the <code>--assimilate</code> flag switches it to the native format.</p>
<p><img src="https://pic.imgdb.cn/item/638b6acc16f2c2beb15197f6.png" alt="Img" /> The site also provides a gdb configuration.</p>
<p><img src="https://pic.imgdb.cn/item/638b6afc16f2c2beb151f0ca.png" alt="Img" /> Debugging it in gdb without that configuration errors out.</p>
<p><img src="https://pic.imgdb.cn/item/638b6b5116f2c2beb1528f97.png" alt="Img" /> My gdb configuration is:</p>
<p><img src="https://pic.imgdb.cn/item/638b6b7516f2c2beb152d84f.png" alt="Img" /> Next, straight to the IDA disassembly.</p>
<p><img src="https://pic.imgdb.cn/item/638b6bc216f2c2beb1537cf1.png" alt="Img" /> The key strings are found.</p>
<p><img src="https://pic.imgdb.cn/item/638b6c2416f2c2beb1546989.png" alt="Img" /> After 16 bytes of input have been read, the <code>change</code> function runs.</p>
<p><img src="https://pic.imgdb.cn/item/638b6c7016f2c2beb155579a.png" alt="Img" /> Reading <code>change</code> statically is tedious, so step through it in gdb instead.</p>
<p><img src="https://pic.imgdb.cn/item/638b6cf616f2c2beb1563b1f.png" alt="" /> From that, the swap function and its inverse can be written out:</p>
<pre><code class="language-python"># change: s[i] = key[perm[i]], the byte shuffle the binary applies to the input
def change(s, key):
    s[0] = key[0]
    s[1] = key[1]
    s[2] = key[5]
    s[3] = key[6]
    s[4] = key[2]
    s[5] = key[4]
    s[6] = key[7]
    s[7] = key[0xc]
    s[8] = key[3]
    s[9] = key[8]
    s[10] = key[0xb]
    s[11] = key[0xd]
    s[12] = key[0x9]
    s[13] = key[0xa]
    s[14] = key[0xe]
    s[15] = key[0xf]


# reChange: the same assignments with the sides swapped, i.e. the inverse shuffle
def reChange(key, s):
    key[0] = s[0]
    key[1] = s[1]
    key[5] = s[2]
    key[6] = s[3]
    key[2] = s[4]
    key[4] = s[5]
    key[7] = s[6]
    key[0xc] = s[7]
    key[3] = s[8]
    key[8] = s[9]
    key[0xb] = s[10]
    key[0xd] = s[11]
    key[0x9] = s[12]
    key[0xa] = s[13]
    key[0xe] = s[14]
    key[0xf] = s[15]
</code></pre>
<p><img src="https://pic.imgdb.cn/item/638b6d5316f2c2beb156d29f.png" alt="Img" /> The shuffled string is XORed with a fixed string.</p>
<p><img src="https://pic.imgdb.cn/item/638b6dc316f2c2beb1579be8.png" alt="Img" /> The shuffle runs once more; judging by its arguments, the function after it is most likely the comparison. At this point the key-recovery script can be written directly:</p>
<pre><code class="language-python"># forward shuffle, as recovered from the binary
def change(s, key):
    s[0] = key[0]
    s[1] = key[1]
    s[2] = key[5]
    s[3] = key[6]
    s[4] = key[2]
    s[5] = key[4]
    s[6] = key[7]
    s[7] = key[0xc]
    s[8] = key[3]
    s[9] = key[8]
    s[10] = key[0xb]
    s[11] = key[0xd]
    s[12] = key[0x9]
    s[13] = key[0xa]
    s[14] = key[0xe]
    s[15] = key[0xf]


# inverse shuffle: first argument receives the result
def reChange(key, s):
    key[0] = s[0]
    key[1] = s[1]
    key[5] = s[2]
    key[6] = s[3]
    key[2] = s[4]
    key[4] = s[5]
    key[7] = s[6]
    key[0xc] = s[7]
    key[3] = s[8]
    key[8] = s[9]
    key[0xb] = s[10]
    key[0xd] = s[11]
    key[0x9] = s[12]
    key[0xa] = s[13]
    key[0xe] = s[14]
    key[0xf] = s[15]


# in-place XOR with the fixed string
def xor(s, key):
    for i in range(len(s)):
        s[i] = s[i] ^ key[i]


# key1: the constant the final comparison checks against
key1 = [0x11, 0x4d, 0x92, 0xda, 0xac, 0x0b, 0x62, 0xf7,
        0x54, 0x51, 0x27, 0x5a, 0x72, 0x62, 0x7b, 0x76]
# key2: the fixed XOR string
key2 = [0x46, 0x7c, 0xc1, 0x31, 0x67, 0xa2, 0xb4, 0x0d,
        0x32, 0x11, 0x50, 0x15, 0x83, 0x3c, 0x14, 0x57]

s = [i for i in range(len(key1))]
key = [i for i in range(16)]
reChange(s, key1)   # undo the second shuffle
xor(s, key2)        # undo the XOR
reChange(key, s)    # undo the first shuffle
for i in key:
    print(chr(i), end="")
# W1lc0menctf2o2o!
</code></pre>
<p><img src="https://pic.imgdb.cn/item/638b6e5316f2c2beb158b652.png" alt="Img" /> Try entering it.</p>
<p><img src="https://pic.imgdb.cn/item/638b6e8316f2c2beb15955bf.png" alt="Img" /> That works; next comes the flag part.</p>
<p><img src="https://pic.imgdb.cn/item/638b6eae16f2c2beb159d4a4.png" alt="Img" /> The input part is straightforward; the check that follows is the main work.</p>
<p><img src="https://pic.imgdb.cn/item/638b6f2716f2c2beb15a94cc.png" alt="Img" /> The function that processes the key is:</p>
<p><img src="https://pic.imgdb.cn/item/638b6f3f16f2c2beb15abac4.png" alt="Img" /> It closely resembles the key expansion of SM4 (the Chinese national standard block cipher), so the guess is that the middle part SM4-encrypts the input and the result is compared with a fixed string.</p>
<p><img src="https://pic.imgdb.cn/item/638b6fc616f2c2beb15ba7b9.png" alt="Img" /> The fixed string in hex is:</p>
<pre><code>4d93be162ede3374da53f68a43636284d5f62ac3d0a5042d03682e1294243310f9f65b615c165dde9086bfdf3d0bcd3b</code></pre>
<p>So decrypt the fixed string with the recovered key at <a href="https://the-x.cn/cryptography/Sm4.aspx">https://the-x.cn/cryptography/Sm4.aspx</a></p>
<p><img src="https://pic.imgdb.cn/item/638b6ffd16f2c2beb15c051f.png" alt="Img" /> which yields the flag.</p>
<h1>🌓Attachments</h1>
<p>Challenge file: <a href="https://cowtransfer.com/s/240db8579ff34b">https://cowtransfer.com/s/240db8579ff34b</a> IDA database: <a href="https://cowtransfer.com/s/25a7879433c449">https://cowtransfer.com/s/25a7879433c449</a></p>
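<p>Added example, not code from the writeup: the two stages above (the shuffle-plus-XOR key check, and the SM4 stage that the online tool handled) done offline in one script. Stage 1 derives the inverse permutation from a table instead of hand-writing <code>reChange</code>, and includes the forward direction so the recovered key can be verified against the compared constant without running the binary. Stage 2 is a from-scratch SM4 (GM/T 0002-2012) checked against the standard test vector. Everything that is not on the page is an assumption: the mode is taken to be ECB without padding (the writeup only says SM4 and the 48-byte constant is three whole blocks), and the helper names are the example's own.</p>

```python
# Added example, not from the writeup: the complete solve, offline.
# Stage 1 inverts the byte permutation + XOR that guards the key; stage 2
# is a from-scratch SM4 (GM/T 0002-2012) used to decrypt the fixed string.
# ASSUMPTION: ECB, no padding (the writeup only says "SM4" and used a web tool).

# --- stage 1: permutation + XOR -------------------------------------------
# PERM[i] is the input index that change() copies to output byte i, read off
# the sixteen assignments in the writeup's change() function.
PERM = [0, 1, 5, 6, 2, 4, 7, 0xc, 3, 8, 0xb, 0xd, 0x9, 0xa, 0xe, 0xf]
TARGET = bytes([0x11, 0x4d, 0x92, 0xda, 0xac, 0x0b, 0x62, 0xf7,    # key1
                0x54, 0x51, 0x27, 0x5a, 0x72, 0x62, 0x7b, 0x76])
XOR_CONST = bytes([0x46, 0x7c, 0xc1, 0x31, 0x67, 0xa2, 0xb4, 0x0d,  # key2
                   0x32, 0x11, 0x50, 0x15, 0x83, 0x3c, 0x14, 0x57])

def permute(data, perm):
    """out[i] = data[perm[i]], which is exactly what change() does."""
    return bytes(data[p] for p in perm)

def inverse_perm(perm):
    """Derive the inverse table instead of hand-writing reChange()."""
    inv = [0] * len(perm)
    for dst, src in enumerate(perm):
        inv[src] = dst
    return inv

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def check_key(key):
    """Forward path as the binary runs it: permute, XOR, permute, compare."""
    return permute(xor(permute(key, PERM), XOR_CONST), PERM)

def recover_key():
    """The same three steps run backwards from the compared constant."""
    inv = inverse_perm(PERM)
    return permute(xor(permute(TARGET, inv), XOR_CONST), inv)

# --- stage 2: SM4 ------------------------------------------------------------
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc)
# CK[i] byte j = (4i + j) * 7 mod 256, as the standard defines it
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xff for j in range(4)), "big")
           for i in range(32))

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xffffffff

def tau(x):
    """Byte-wise S-box over a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in x.to_bytes(4, "big")), "big")

def t_round(x):  # T = L(tau(x)): linear layer of the round function
    b = tau(x)
    return b ^ rotl(b, 2) ^ rotl(b, 10) ^ rotl(b, 18) ^ rotl(b, 24)

def t_key(x):    # T' = L'(tau(x)): linear layer of the key schedule
    b = tau(x)
    return b ^ rotl(b, 13) ^ rotl(b, 23)

def round_keys(mk):
    """The key expansion the writeup recognised in IDA: K0..3 = MK ^ FK, then 32 rounds."""
    k = [int.from_bytes(mk[i:i + 4], "big") ^ FK[i // 4] for i in range(0, 16, 4)]
    for i in range(32):
        k.append(k[i] ^ t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def sm4_block(block, rk):
    """One 16-byte block; pass the round keys reversed to decrypt."""
    x = [int.from_bytes(block[i:i + 4], "big") for i in range(0, 16, 4)]
    for i in range(32):
        x.append(x[i] ^ t_round(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return b"".join(w.to_bytes(4, "big") for w in reversed(x[32:]))

def sm4_ecb(key, data, decrypt=False):
    rk = round_keys(key)
    if decrypt:
        rk = rk[::-1]
    return b"".join(sm4_block(data[i:i + 16], rk) for i in range(0, len(data), 16))

# The constant the binary compares against after SM4, copied from the writeup
CIPHERTEXT = bytes.fromhex(
    "4d93be162ede3374da53f68a43636284d5f62ac3d0a5042d"
    "03682e1294243310f9f65b615c165dde9086bfdf3d0bcd3b")

if __name__ == "__main__":
    key = recover_key()          # b"W1lc0menctf2o2o!"
    print("key :", key.decode())
    print("flag:", sm4_ecb(key, CIPHERTEXT, decrypt=True))
```

<p>Run it as a script and it prints the recovered key and the decrypted 48 bytes. If the output is not readable text, the mode assumption is what to revisit: the key expansion seen in IDA fixes the cipher, but the mode and any IV have to be read from the code between the expansion and the comparison.</p>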
