Mas0n
to be reverse engineer🐧
翻车鱼

绿城杯2021 Rev wp


RE: AK (all reversing challenges solved)

First, a word about the platform: the Anheng platform lived up to expectations and crashed. Then the challenges: one challenge reused across categories... typical Anheng problem setting.

easy_re

Junk instructions were inserted; once they are patched out the logic is simple: a stream cipher. Just patch the bytes in directly.

https://cdn.shi1011.cn/2021/09/51435dfa2210ad3a3ef987e669daefa6.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: ida_quick_script.py
@Time: 2021-08-17 10:41
@Desc: It's all about getting better.
"""
import ida_bytes  # IDAPython API: this script runs inside IDA

addr = 0x10FF8D4   # patch address (start of the region to overwrite)

test = "F58C8DE49FA5286530F4EBD324A9911A6FD46AD70B8DE8B8834A5A6EBECBF44B99D6E6547A4F5014E5EC"  # patch hex data

# decode the hex string and write it byte by byte over the original code
ps = list(bytes.fromhex(test))
for i, v in enumerate(ps):
    ida_bytes.patch_byte(addr + i, v)

https://cdn.shi1011.cn/2021/09/6a149d0bcb4a527b51c03d8d091b333b.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

babyvxworks

A quick search for VxWorks: it is an operating system. The file format is ELF32.

After loading it in IDA there are junk instructions; patch them out.

https://cdn.shi1011.cn/2021/09/28c79d66b670af9be4411e7479c3b40c.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Guessing the parameters of the called sub_2450:

21 is the row count, v41 points at some variable, 0~116 is the offset, 4 is the width, and then the assignment follows.

This assignment should be the comparison against the encrypted text.

Scrolling down:

https://cdn.shi1011.cn/2021/09/671a40d929edf767e0b8544e6c87d908.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

So the function to focus on is sub_330.

Again, patch out the junk instructions.

https://cdn.shi1011.cn/2021/09/386397a8e0cccbb807d10447c76fbba8.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Code:

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test.py
@Time: 2021-09-29 11:01
@Desc: It's all about getting better.
"""
import string

# ciphertext bytes recovered from the binary (the values sub_2450 compares against)
data = [0xBC, 0xA, 0xBB, 0xC1, 0xD5, 134, 127, 10, 201, 185, 81, 78, 136, 10, 130, 185, 49, 141, 10, 253, 201, 199, 127,
        185, 17, 78, 185, 232, 141, 87]
print(len(data))

# each byte went through len(data) rounds of  a = ((a ^ 0x22) + 3) & 0xff;
# undo it by applying the inverse round the same number of times
for i, v in enumerate(data):
    a = v
    for j in range(len(data)):
        # forward round: a = ((a ^ 0x22) + 3) & 0xff
        a = ((a - 3) ^ 0x22) & 0xff
    print(chr(a), end="")
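The script above inverts the per-byte round by hand. Added here as an illustration (not the write-up's own code) is a version that keeps both the forward round from the binary and its inverse as functions, so the inverse can be verified on all 256 byte values and by a round trip before it is trusted on the real ciphertext. The ciphertext array is the one from the write-up; the round count equal to the buffer length is taken from the write-up's loop, and the plaintext used for the round trip is constructed.

```python
# Ciphertext taken from the write-up (30 bytes read out of the binary)
DATA = bytes([0xBC, 0xA, 0xBB, 0xC1, 0xD5, 134, 127, 10, 201, 185, 81, 78, 136, 10, 130,
              185, 49, 141, 10, 253, 201, 199, 127, 185, 17, 78, 185, 232, 141, 87])
ROUNDS = len(DATA)  # one round per byte of the buffer, as in the write-up's loop


def round_forward(a):
    """One encryption round as implemented in the binary: xor, then add."""
    return ((a ^ 0x22) + 3) & 0xff


def round_inverse(a):
    """Inverse round: undo the steps in reverse order (subtract, then xor)."""
    return ((a - 3) ^ 0x22) & 0xff


def encrypt(plain, rounds=ROUNDS):
    """Apply `rounds` forward rounds to every byte independently (a byte-wise cipher)."""
    out = bytearray()
    for b in plain:
        for _ in range(rounds):
            b = round_forward(b)
        out.append(b)
    return bytes(out)


def decrypt(cipher, rounds=ROUNDS):
    """Apply `rounds` inverse rounds to every byte independently."""
    out = bytearray()
    for b in cipher:
        for _ in range(rounds):
            b = round_inverse(b)
        out.append(b)
    return bytes(out)


def inverse_is_bijective():
    """Check that round_inverse undoes round_forward for every possible byte."""
    return all(round_inverse(round_forward(x)) == x for x in range(256))


if __name__ == "__main__":
    sample = b"flag{round-trip}"  # constructed plaintext
    assert decrypt(encrypt(sample)) == sample
    print(decrypt(DATA))
```

Because each byte is processed independently of its neighbours, a wrong inverse would show up on the very first byte; checking the inverse over all 256 values first saves guessing at the output.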

APP reversing - clockin

We are given an APK with no NDK (native) code at all.

Digging through it, the logic lives in com.c.clock_in.PunchCardActivity.

https://cdn.shi1011.cn/2021/09/7134472ca652f0b446ab057e7b98aa6a.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

It generates an RSA key pair and encrypts the permission2 field value "not admin".

It builds a POST request whose body contains the key pair and the encrypted data.

@Override // okhttp3.Callback
public void onResponse(Call call, Response response) throws IOException {
    String result = response.body().string();
    if (result.equals("")) {
        Looper.prepare();
        FancyToast.makeText(PunchCardActivity.this, "you are not admin", 1, FancyToast.ERROR, false).show();
        Looper.loop();
        return;
    }
    PunchCardActivity.this.show_flag_tv.setText(result);
}

Given that "not admin" is sent and "you are not admin" is echoed back, the guess is that we only need to change "not admin" to "admin".

Decompile it; first change android:testOnly.

https://cdn.shi1011.cn/2021/09/aba006d267c2a4c6e08177f61ed068ec.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Then edit com.c.clock_in.PunchCardActivity.smali.

https://cdn.shi1011.cn/2021/09/dd00abb75e7a3577a61a9fb6b8447ecf.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Recompile and repackage, install, enter the host and press Enter.

https://cdn.shi1011.cn/2021/09/0c4c1f9919ae14d744e6931cd0eb4e2a.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

抛石机 (Trebuchet)

A math problem.

The input is converted to numbers one field at a time.

https://cdn.shi1011.cn/2021/09/5b080e0a68c39463f81d520a0b8ca678.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Then check:

_BOOL8 check()
{
  double v1; // [rsp+0h] [rbp-20h]
  double v2; // [rsp+8h] [rbp-18h]
  double v3; // [rsp+10h] [rbp-10h]
  double v4; // [rsp+18h] [rbp-8h]

  if ( *lin1 > *lin2 - 0.001 )
    return 1LL;
  if ( *lin3 > *lin4 - 0.001 )
    return 1LL;
  v4 = 149.2 * *lin1 + *lin1 * -27.6 * *lin1 - 129.0;
  v3 = 149.2 * *lin2 + *lin2 * -27.6 * *lin2 - 129.0;
  v2 = *lin3 * -39.6 * *lin3 + 59.2 * *lin3 + 37.8;
  v1 = *lin4 * -39.6 * *lin4 + 59.2 * *lin4 + 37.8;
  return v4 <= -0.00003
      || v4 >= 0.00003
      || v3 <= -0.00003
      || v3 >= 0.00003
      || v2 <= -0.00002
      || v2 >= 0.00002
      || v1 <= -0.00003
      || v1 >= 0.00003;
}

These are quadratic equations in one variable; solve them with the quadratic formula.

import math

def solve(a, b, c):
    # both real roots of a*x^2 + b*x + c = 0
    s1 = (-b + math.sqrt(b * b - 4 * a * c)) / (2 * a)
    s2 = (-b - math.sqrt(b * b - 4 * a * c)) / (2 * a)
    return s1, s2

Then convert the doubles to hex and take the low 4 bytes:

import struct

def double_to_hex(f):
    # pack the double little-endian, read it back big-endian, keep the low dword as 8 hex digits
    return hex(struct.unpack('>Q', struct.pack('<d', f))[0] & 0xffffffff)[2:].zfill(8)

What remains is guessing how much the values may fluctuate within the tolerance range; eventually the right ones were found.

# first quadratic: constrains lin1 and lin2
a1 = -27.6
b1 = 149.2
c1 = -129.0

so1 = solve(a1, b1, c1)
print(so1)
lin1 = double_to_hex(so1[0])
lin2 = double_to_hex(so1[1] + 0.000001)

# second quadratic: constrains lin3 and lin4
a2 = -39.6
b2 = 59.2
c2 = 37.8
so2 = solve(a2, b2, c2)
print(so2)
lin3 = double_to_hex(so2[0])
lin4 = double_to_hex(so2[1] + 0.000001)

print("flag{" + lin1 + "-" + lin2[:4] + '-' + lin2[4:] + "-" + lin3[:4] + '-' + lin3[4:] + lin4 + "}")
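Before guessing at fluctuations it helps to re-implement the decompiled check() in Python and test candidate roots against it offline. The block below is an added example, not code from the write-up: it mirrors check() with the coefficients and tolerances from the pseudocode above (True means the input is rejected, as in the decompiled function), picks the root ordering that satisfies the two "lin1 < lin2 - 0.001"-style conditions, and shows what the write-up's double_to_hex formula actually extracts (the upper four bytes of the double in little-endian memory order). The 1.5 test value is constructed.

```python
import math
import struct

# (a, b, c) of a*x^2 + b*x + c, read off the decompiled check()
POLY_12 = (-27.6, 149.2, -129.0)   # constrains lin1 and lin2
POLY_34 = (-39.6, 59.2, 37.8)      # constrains lin3 and lin4


def solve_quadratic(a, b, c):
    """Real roots of a*x^2 + b*x + c = 0 in ascending order (empty tuple if none)."""
    if a == 0:
        raise ValueError("coefficient a must be non-zero for a quadratic")
    disc = b * b - 4 * a * c
    if disc < 0:
        return ()
    root = math.sqrt(disc)
    return tuple(sorted(((-b + root) / (2 * a), (-b - root) / (2 * a))))


def poly(coeffs, x):
    a, b, c = coeffs
    return a * x * x + b * x + c


def check(lin1, lin2, lin3, lin4):
    """Python mirror of the decompiled check(): True means the input is rejected."""
    if lin1 > lin2 - 0.001:
        return True
    if lin3 > lin4 - 0.001:
        return True
    v4 = poly(POLY_12, lin1)
    v3 = poly(POLY_12, lin2)
    v2 = poly(POLY_34, lin3)
    v1 = poly(POLY_34, lin4)
    # each residual must lie strictly inside its tolerance window
    return (abs(v4) >= 0.00003 or abs(v3) >= 0.00003
            or abs(v2) >= 0.00002 or abs(v1) >= 0.00003)


def solve_all():
    """Assign roots so the ordering conditions hold: lin1 < lin2 and lin3 < lin4."""
    lin1, lin2 = solve_quadratic(*POLY_12)
    lin3, lin4 = solve_quadratic(*POLY_34)
    return lin1, lin2, lin3, lin4


def double_to_hex(f):
    """The write-up's formula: pack little-endian, read back big-endian, keep the low dword."""
    return hex(struct.unpack('>Q', struct.pack('<d', f))[0] & 0xffffffff)[2:].zfill(8)


def high_half_hex(f):
    """Same bytes spelled out: the upper four bytes of the double, in memory order."""
    return struct.pack('<d', f)[4:].hex()


if __name__ == "__main__":
    sol = solve_all()
    print("roots:", sol, "rejected:", check(*sol))
    print("hex fields:", [double_to_hex(x) for x in sol])
```

Swapping lin1 and lin2, or nudging lin2 by 0.001, flips check() to rejected, which is exactly the tolerance you are fighting when "guessing the fluctuation"; testing against the mirror is faster than rerunning the binary.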

Permalink: https://blog.shi1011.cn/ctf/1642
This article is licensed under CC BY-NC-SA 4.0 Unported.

2021-09-29