re ak
First, the platform: the 安恒 platform crashed, living up to expectations. Then the challenges: one challenge reused several times... typical 安恒 problem-setting.
easy_re
Junk instructions were added; after patching them out the logic is simple: a stream cipher. Patch the ciphertext bytes straight into the binary and let it decrypt them.
```python
# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: ida_quick_script.py
@Time: 2021-08-17 10:41
@Desc: It's all about getting better.
"""
import ida_bytes  # IDAPython module; run this from inside IDA

addr = 0x10FF8D4  # patch address
test = "F58C8DE49FA5286530F4EBD324A9911A6FD46AD70B8DE8B8834A5A6EBECBF44B99D6E6547A4F5014E5EC"  # patch hex data
ps = [i for i in b''.fromhex(test)]  # hex string -> list of byte values
for i, v in enumerate(ps):
    ida_bytes.patch_byte(addr + i, v)  # write each byte at addr, addr+1, ...
```
babyvxworks
Searched for vxworks: it is an operating system. The file format is ELF32.
After loading in IDA there are junk instructions; patch them out.
The called function is presumably sub_2450.
Its arguments:
21 is the row count, v41 points to some variable, 0 to 116 is the offset, 4 is the element width, and then the assignment follows.
This assignment should be the comparison against the encrypted text.
Scroll down.
So the function to focus on is sub_330.
Patch out the junk instructions the same way.
coding
```python
# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test.py
@Time: 2021-09-29 11:01
@Desc: It's all about getting better.
"""
import string

# ciphertext bytes recovered from the binary
data = [0xBC, 0xA, 0xBB, 0xC1, 0xD5, 134, 127, 10, 201, 185, 81, 78, 136, 10, 130, 185,
        49, 141, 10, 253, 201, 199, 127, 185, 17, 78, 185, 232, 141, 87]
print(len(data))
for i, v in enumerate(data):
    a = v
    for j in range(len(data)):
        # encryption direction: a = ((a ^ 0x22) + 3) & 0xff
        # decryption undoes the add first, then the xor
        a = ((a - 3) ^ 0x22) & 0xff
    print(chr(a), end="")
```
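As an added example (not the writeup's script), the round function described by the comment above, its inverse, and a round-trip check that the two really undo each other. The ciphertext bytes are the ones from the writeup and ROUNDS is len(data) = 30 as in the writeup's inner loop; the function names and the round-trip harness are this example's own.

```python
# Added example, not part of the original writeup.
# Forward round: XOR with the key, then add 3 (mod 256).
# Inverse round: subtract 3, then XOR, i.e. the operations in reverse order.
CIPHERTEXT = [0xBC, 0xA, 0xBB, 0xC1, 0xD5, 134, 127, 10, 201, 185, 81, 78, 136, 10,
              130, 185, 49, 141, 10, 253, 201, 199, 127, 185, 17, 78, 185, 232, 141, 87]
KEY = 0x22
ROUNDS = len(CIPHERTEXT)  # 30 rounds, as in the writeup's inner loop


def encrypt_byte(a: int, rounds: int = ROUNDS) -> int:
    """Apply the forward round `rounds` times to one byte."""
    for _ in range(rounds):
        a = ((a ^ KEY) + 3) & 0xFF
    return a


def decrypt_byte(a: int, rounds: int = ROUNDS) -> int:
    """Apply the inverse round `rounds` times; each step exactly undoes encrypt_byte."""
    for _ in range(rounds):
        a = ((a - 3) ^ KEY) & 0xFF   # Python ints are unbounded, & 0xFF keeps it a byte
    return a


def decrypt(data) -> str:
    return "".join(chr(decrypt_byte(v)) for v in data)


def encrypt(text: str) -> list:
    return [encrypt_byte(ord(c)) for c in text]


if __name__ == "__main__":
    flag = decrypt(CIPHERTEXT)
    print(flag)
    # sanity check: re-encrypting the plaintext must give the bytes from the binary
    assert encrypt(flag) == CIPHERTEXT
```

Because every round is a bijection on a byte, inverting the whole cipher is just running the inverse round the same number of times; the round-trip assertion is the quickest way to confirm the two per-round steps were written in the right order.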
APP reversing - clockin
We are given an apk with no NDK (native) code at all.
Digging around, the logic is in com.c.clock_in.PunchCardActivity.
RSA generates a key pair and encrypts the permission2 field value not admin.
It builds a POST request whose body contains the key pair and the encrypted data.
```java
@Override // okhttp3.Callback
public void onResponse(Call call, Response response) throws IOException {
    String result = response.body().string();
    if (result.equals("")) {
        Looper.prepare();
        FancyToast.makeText(PunchCardActivity.this, "you are not admin", 1, FancyToast.ERROR, false).show();
        Looper.loop();
        return;
    }
    PunchCardActivity.this.show_flag_tv.setText(result);
}
```
Based on the not admin that is sent and the you are not admin that is echoed back, the guess is that we only need to change not admin to admin.
Decompile it; first change android:testOnly.
Then modify com.c.clock_in.PunchCardActivity.smali.
Recompile and repackage, install, fill in the host and press Enter.
抛石机 (trebuchet)
A math problem.
The input is converted to numbers in sequence.
Then check:
```c
_BOOL8 check()
{
  double v1; // [rsp+0h] [rbp-20h]
  double v2; // [rsp+8h] [rbp-18h]
  double v3; // [rsp+10h] [rbp-10h]
  double v4; // [rsp+18h] [rbp-8h]

  if ( *lin1 > *lin2 - 0.001 )
    return 1LL;
  if ( *lin3 > *lin4 - 0.001 )
    return 1LL;
  v4 = 149.2 * *lin1 + *lin1 * -27.6 * *lin1 - 129.0;
  v3 = 149.2 * *lin2 + *lin2 * -27.6 * *lin2 - 129.0;
  v2 = *lin3 * -39.6 * *lin3 + 59.2 * *lin3 + 37.8;
  v1 = *lin4 * -39.6 * *lin4 + 59.2 * *lin4 + 37.8;
  return v4 <= -0.00003 || v4 >= 0.00003
      || v3 <= -0.00003 || v3 >= 0.00003
      || v2 <= -0.00002 || v2 >= 0.00002
      || v1 <= -0.00003 || v1 >= 0.00003;
}
```
Each pair is a quadratic equation; solve it with the quadratic formula.
```python
import math

def solve(a, b, c):
    # both roots of a*x^2 + b*x + c = 0
    s1 = (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)
    s2 = (-b - math.sqrt(b * b - 4 * a * c)) / (2 * a)
    return s1, s2
```
Then convert the double to hex and take the low 4 bytes:
```python
import struct

def double_to_hex(f):
    # pack as little-endian double, read back as big-endian u64 (reverses the
    # byte order), keep 4 bytes, print as 8 zero-padded hex digits
    return hex(struct.unpack('>Q', struct.pack('<d', f))[0] & 0xffffffff)[2:].zfill(8)
```
What remains is guessing the small perturbation of the values within the tolerance; eventually it came out.
```python
# uses solve() and double_to_hex() from above
a1 = -27.6
b1 = 149.2
c1 = -129.0
so1 = solve(a1, b1, c1)
print(so1)
lin1 = double_to_hex(so1[0])
lin2 = double_to_hex(so1[1] + 0.000001)  # guessed perturbation

a2 = -39.6
b2 = 59.2
c2 = 37.8
so2 = solve(a2, b2, c2)
print(so2)
lin3 = double_to_hex(so2[0])
lin4 = double_to_hex(so2[1] + 0.000001)  # guessed perturbation

print("flag{" + lin1 + "-" + lin2[:4] + '-' + lin2[4:] + "-" + lin3[:4] + '-' + lin3[4:] + lin4 + "}")
```
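As an added example (not the writeup's own code), a Python port of the decompiled check() with the same coefficients and tolerances, so candidate values can be tested offline before guessing, plus the size of the window around each root inside which a value still passes. The coefficients and tolerances come from the decompiled function; passes_check, tolerance_window and f1/f2 are this example's own names.

```python
# Added example, not part of the original writeup.
import math

TOL_1 = 0.00003   # tolerance on v4, v3 and v1 in the decompiled check
TOL_3 = 0.00002   # the third value (v2) has a tighter tolerance


def f1(x: float) -> float:
    # first polynomial, written exactly as the decompiler printed it
    return 149.2 * x + x * -27.6 * x - 129.0


def f2(x: float) -> float:
    # second polynomial, same treatment
    return x * -39.6 * x + 59.2 * x + 37.8


def passes_check(lin1, lin2, lin3, lin4) -> bool:
    """True when the binary's check() would return 0, i.e. every constraint holds."""
    if lin1 > lin2 - 0.001:          # the two roots must be given in ascending order
        return False
    if lin3 > lin4 - 0.001:
        return False
    v4, v3 = f1(lin1), f1(lin2)
    v2, v1 = f2(lin3), f2(lin4)
    bad = (v4 <= -TOL_1 or v4 >= TOL_1 or v3 <= -TOL_1 or v3 >= TOL_1
           or v2 <= -TOL_3 or v2 >= TOL_3 or v1 <= -TOL_1 or v1 >= TOL_1)
    return not bad


def solve(a, b, c):
    """Both roots of a*x^2 + b*x + c = 0 via the quadratic formula."""
    d = math.sqrt(b * b - 4 * a * c)
    return (-b + d) / (2 * a), (-b - d) / (2 * a)


def tolerance_window(a, b, root, tol) -> float:
    """Half-width of the interval around `root` that keeps |f(x)| below tol.
    Near a simple root f(root + dx) ~ f'(root) * dx with f'(x) = 2*a*x + b,
    so |dx| must stay below tol / |f'(root)|."""
    return tol / abs(2 * a * root + b)


if __name__ == "__main__":
    r1 = sorted(solve(-27.6, 149.2, -129.0))
    r2 = sorted(solve(-39.6, 59.2, 37.8))
    print(r1, r2, passes_check(r1[0], r1[1], r2[0], r2[1]))
    for root in r1:
        print("window around %.6f: +/- %.2e" % (root, tolerance_window(-27.6, 149.2, root, TOL_1)))
    for root in r2:
        print("window around %.6f: +/- %.2e" % (root, tolerance_window(-39.6, 59.2, root, TOL_1)))
```

The window computation is the useful part: with a tolerance of 3e-5 and a slope of roughly 90 near the larger root of the first polynomial, a value may drift only a few times 1e-7 from the exact root, which is why any perturbation applied before converting to hex has to be that small.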