ida 丢进去 脱花 跟下 RC4判断一下 密钥 一串wowo……

#include<bits/stdc++.h>
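using namespace std;

// Plain RC4: key scheduling over a 256-entry state, then XOR of `data` with
// the generated keystream.  Returns one char per input element (the low 8
// bits of the XOR), exactly what the original inline loop wrote to cout.
static string rc4_apply(const string& key, const vector<int>& data) {
    if (key.empty()) {
        return string();  // the schedule below would divide by zero
    }
    int s[256];
    int k[256];
    for (int idx = 0; idx < 256; idx++) {
        s[idx] = idx;
        k[idx] = key[idx % key.length()];
    }
    // Key-scheduling algorithm.
    int j = 0;
    for (int idx = 0; idx < 256; idx++) {
        j = (s[idx] + j + k[idx]) & 255;
        std::swap(s[idx], s[j]);
    }
    // Pseudo-random generation, one keystream byte per input element.
    string out;
    out.reserve(data.size());
    int i = 0;
    j = 0;
    for (int c : data) {
        i = (i + 1) & 255;
        j = (s[i] + j) & 255;
        std::swap(s[i], s[j]);
        const int rnd = s[(s[i] + s[j]) & 255];
        out.push_back((char)(c ^ rnd));
    }
    return out;
}

int main(){
    // Ciphertext bytes lifted from the binary.  The decompiler labelled this
    // array base64_table, but it is simply the RC4 input.
    const vector<int> ciphertext = {
        0xF4, 0x87, 0xD4, 0xFA, 0x61, 0xA6, 0x71, 0x12, 0x75, 0x09,
        0xFE, 0xD8, 0xE4, 0x38, 0x97, 0x51, 0xA8, 0xDF, 0x85, 0x65,
        0xC2, 0xB2, 0x15, 0xEF, 0x1F, 0xEC, 0x69, 0xDD, 0x6E, 0xE9,
        0xCF, 0x07, 0xAE, 0xC8, 0x17, 0xF0, 0x65, 0x72, 0xE6, 0x73,
        0xA4, 0x0C, 0x87, 0x64, 0x9E, 0x9E, 0x71, 0x8C, 0x7F, 0xD7,
        0x75, 0x84};
    // RC4 key recovered from the binary.
    const string key = "WOWOWOWWOWOWOW";
    cout << rc4_apply(key, ciphertext);
    return 0;
}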

STL

跑v7

#include<bits/stdc++.h>
#include<windows.h>
using namespace std;
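// Inverse of the target's word scramble  y = ((uint64_t)(uint32_t)x << 15) ^ x.
// Over 64 bits f(x) = x ^ (x << 15) is linear and invertible: f(f(x)) =
// x ^ (x << 30), f^4(x) = x ^ (x << 60) and f^8(x) = x because the shifted
// term falls off the top, so applying f seven times recovers x.  The brute
// force this replaces walked v7 up to LONG_LONG_MAX even though only 32-bit
// values can match, so an unsolvable word never terminated.
// Returns the preimage only if it fits in 32 bits, the range the target uses.
static std::optional<uint64_t> invert_shift_xor(uint64_t y) {
    uint64_t x = y;
    for (int pass = 0; pass < 7; ++pass) {
        x ^= x << 15;
    }
    if (x > 0xFFFFFFFFull) {
        return std::nullopt;
    }
    // Round-trip check mirrors the exact expression the target evaluates.
    const uint64_t again = ((uint64_t)(uint32_t)x << 15) ^ (uint32_t)x;
    if (again != y) {
        return std::nullopt;
    }
    return x;
}

int main(){
    // Scrambled words lifted from the binary (v15 in the decompiler output).
    const uint64_t v15[] = {
        0x2882D802120Eull,
        0x28529A05954ull,
        0x486088C03ull,
        0xC0FB3B55754ull,
        0xC2B9B7F8651ull,
        0xAE83FB054Cull,
        0x29ABF6DDCB15ull,
        0x10E261FC807ull,
        0x2A82FE86D707ull,
        0xE0CB79A5706ull,
        0x330560890D06ull,
    };
    /*
    expected v7 values, in order:
    1359286798,84564308,592899,404707156,408356433,22873420,1398229781,35407879,1426413319,471422726,1711934726
    */
    for (size_t i = 0; i < sizeof(v15) / sizeof(v15[0]); i++) {
        const std::optional<uint64_t> v7 = invert_shift_xor(v15[i]);
        if (v7.has_value()) {
            std::cout << *v7 << ",";
        } else {
            // Say so instead of looping forever as the brute force did.
            std::cerr << "v15[" << i << "] has no 32-bit preimage\n";
        }
    }
    return 0;
}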

带入v7 跑v13

v7 =[1359286798,84564308,592899,404707156,408356433,22873420,1398229781,35407879,1426413319,471422726,1711934726]
v3 = [0x0e,0x12,0x05,0x51,0x54,0x59,0x0a,0x05,0x03,0x0c,0x09,0x00,0x54,0x57,0x1f,0x18,0x51,0x06,0x57,0x18,0x4c,0x05,0x5d,0x01,0x15,0x4b,0x57,0x53,0x07,0x48,0x1c,0x02,0x07,0x57,0x05,0x55,0x06,0x57,0x19,0x1c,0x06,0x0d,0x0a,0x66]
for i in range(len(v3)):
j = len(v3)-i-2
v3[j]^=v3[j+1]
flag = ""
for v in v3:
flag += chr(v)
print(flag)
print(flag[::-1])

EzDLL

main往上走的几个函数 可以看到调用了TLSCallback 函数 跑路跑路
image.png
尝试跟进1_0试试 XTEA逆向 反编译 跟入
image.png
image.png

#include<stdio.h>
#include<string.h>
/* Modified XTEA block encryption of the 64-bit block v[0..1] under key[0..3].
 * Compared with stock XTEA: shifts 3/4 instead of 4/5, delta 999999999,
 * 33 rounds, and the round sum starts at 1 rather than 0.  All arithmetic is
 * unsigned and wraps; assumes unsigned int is 32 bits, as on the target. */
void encrypt(unsigned int* v, unsigned int* key){
    const unsigned int delta = 999999999;
    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int sum = 1;
    size_t round = 0;
    while (round < 33) {
        left += (((right << 3) ^ (right >> 4)) + right) ^ (sum + key[sum & 3]);
        sum += delta;
        right += (((left << 3) ^ (left >> 4)) + left) ^ (sum + key[(sum >> 11) & 3]);
        round++;
    }
    v[0] = left;
    v[1] = right;
}
/* Inverse of encrypt(): runs the 33 rounds backwards on v[0..1] under
 * key[0..3].  The sum is seeded with the value encrypt() holds after its last
 * round (1 + 33 * delta, wrapped), then walked down by delta per round. */
void decrypt(unsigned int* v, unsigned int* key) {
    const unsigned int delta = 999999999;
    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int sum = 1 + delta * 33;
    for (size_t round = 33; round > 0; round--) {
        right -= (((left << 3) ^ (left >> 4)) + left) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        left -= (((right << 3) ^ (right >> 4)) + right) ^ (sum + key[sum & 3]);
    }
    v[0] = left;
    v[1] = right;
}
/* 40 ciphertext bytes lifted from the binary (five 8-byte blocks); the 41st
 * element is the implicit trailing zero. */
unsigned char a[41] = {
    130,  67, 163, 137, 111, 186, 128, 200, 248, 180,
     86, 189, 179,  65, 178, 141, 218,  68,  14,   4,
      3,  46,  56, 222,  18,  84, 173, 137, 149,  48,
     99,  33, 223,  13, 148,  17, 220, 178, 208,  17,
};
/* Four 32-bit round-key words recovered from the binary. */
unsigned int key[] = {5, 20, 13, 14};
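/* Decrypt the five 64-bit blocks in `a` with `key` and print the plaintext. */
int main(void){
    /* The target views the 40 bytes as ten 32-bit words in native byte order.
     * memcpy gives the same view without the cast of an unsigned char array to
     * unsigned int*, which is an unaligned/aliasing access (undefined
     * behaviour) that happened to work on x86. */
    unsigned int words[10];
    memcpy(words, a, sizeof(words));
    /* Block pairs (0,1) ... (8,9). */
    for (int i = 0; i < 10; i += 2) {
        decrypt(words + i, key);
    }
    /* Emit the 40 plaintext bytes in memory order, one per word byte. */
    unsigned char plain[sizeof(words)];
    memcpy(plain, words, sizeof(plain));
    for (size_t i = 0; i < sizeof(plain); i++) {
        putchar(plain[i]);
    }
    return 0;
}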

ez_chal

第一次用ida 调试 先开始静态分析 这边判断的是 输入32个值 也就是 要进到循环 得要过这个判断 。
image.png
动态开始从路口函数开跑 在第一个指出进到输入往下 进入写 在第二个指出call 进行
image.png
尝试 大于 32 和 小于 32可以绕过 在这个call f5反编译
image.png
跟进 qword_46F0B0 十进制 转 字符串
image.png

char a[40] = {0};
/* Fill the buffer with the 16-byte key string and reinterpret it as 32-bit
 * words in native byte order -- the same view the target takes of the key. */
const char *seed = "NewStar!NewStar!";
memcpy(a, seed, strlen(seed));
for (size_t i = 0; i < strlen(a); i += 4) {
    a2[i / 4] = *(uint32_t*)(a + i);
}

满足jz 就是等于32位值 进行跳转到加密 走到下一个 jz 也就是v6的比较断点
image.png
var_60更近
image.png
这是自己的

#include<bits/stdc++.h>
#include<stdint.h>
using namespace std;
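// One 64-bit block of the target's XTEA-shaped cipher, decrypted in place.
// Two deviations from stock XTEA: delta is 0x9E3778B9 (the decompiler showed
// it as the signed constant -1640531783, one bit off the usual 0x9E3779B9)
// and each round term is additionally XORed with the partner word.  64 rounds.
// Arithmetic is uint32_t, so the wrap is defined; the original computed the
// start value as -1640531783 * 64 in int, which overflows (undefined behaviour).
static void xtea_variant_decrypt(uint32_t v[2], const uint32_t key[4]) {
    const uint32_t delta = 0x9E3778B9u;
    uint32_t v0 = v[0];
    uint32_t v1 = v[1];
    uint32_t sum = delta * 64u;
    for (int round = 0; round < 64; ++round) {
        v1 -= v0 ^ (key[(sum >> 11) & 3] + sum) ^ (v0 + ((v0 >> 5) ^ (v0 << 4)));
        sum -= delta;
        v0 -= v1 ^ (key[sum & 3] + sum) ^ (v1 + ((v1 >> 5) ^ (v1 << 4)));
    }
    v[0] = v0;
    v[1] = v1;
}

int main(){
    // Eight 32-bit ciphertext words = four 64-bit blocks, in memory order.
    uint32_t v7[8] = {0xc19ea29c, 0xdc091f87, 0x91f6e33b, 0xf69a5c7a,
                      0x93529f20, 0x8a5b94e1, 0xf91d069b, 0x23b0e340};
    // Key: the 16-byte string "NewStar!NewStar!" viewed as four native-endian
    // words (0x4e657753, 0x74617221, ...).  memcpy replaces the cast of the
    // char buffer to unsigned int*, which is an aliasing access.  The array is
    // kept at 8 entries so the diagnostic dump below prints the same 8 values.
    const char seed[] = "NewStar!NewStar!";
    uint32_t a2[8] = {0};
    memcpy(a2, seed, 16);
    for (int i = 0; i < 8; i++) std::cout << a2[i] << " ";
    std::cout << "\n\n";
    for (int j = 0; j < 4; j++) {
        xtea_variant_decrypt(&v7[2 * j], a2);
    }
    // Print the plaintext byte by byte, least significant byte of each word first.
    for (int i = 0; i < 8; i++) {
        for (int m = 0; m <= 3; m++) {
            printf("%c", (int)((v7[i] >> (8 * m)) & 0xff));
        }
    }
    return 0;
}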

这是官方


#include <stdio.h>
#include <cstdint>
#include <string>
#include<string.h>
// Decrypt one 64-bit block v[0..1] in place under key[0..3].
// XTEA-shaped, with two deviations from the stock algorithm: delta is
// 0x9E3778B9 (one bit off the canonical 0x9E3779B9) and every round term is
// additionally XORed with the partner word, so a stock XTEA will not match.
void xtea_decipher(uint32_t v[2], uint32_t const key[4]){
    constexpr unsigned int num_rounds = 64;
    constexpr uint32_t delta = 0x9E3778B9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = delta * num_rounds;
    for (unsigned int round = num_rounds; round > 0; --round) {
        right -= (((left << 4) ^ (left >> 5)) + left) ^ (sum + key[(sum >> 11) & 3]) ^ left;
        sum -= delta;
        left -= (((right << 4) ^ (right >> 5)) + right) ^ (sum + key[sum & 3]) ^ right;
    }
    v[0] = left;
    v[1] = right;
}
// Scratch buffer that main() fills with the 16-byte key string; zero-filled.
char a[40] = {};

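// Decrypt the four ciphertext blocks under the key "NewStar!NewStar!" and
// print the 32 plaintext bytes.
int main(){
    uint32_t enc[8] = { 0xC19EA29C,0xDC091F87,0x91F6E33B,0xF69A5C7A,0x93529F20,0x8A5B94E1,0xF91D069B,0x23B0E340};
    // xtea_decipher reads key[0..3]; the key string is 16 bytes = 4 words.
    uint32_t key[4] = { 0 };
    memcpy(a, "NewStar!NewStar!", strlen("NewStar!NewStar!"));
    // Native-endian word view of the key via memcpy rather than casting the
    // char buffer to uint32_t* (an unaligned/aliasing access).
    memcpy(key, a, sizeof(key));
    for (int i = 0; i < 8; i += 2){
        xtea_decipher(&enc[i], key);
    }
    // Plaintext bytes in memory order.
    unsigned char out[sizeof(enc)];
    memcpy(out, enc, sizeof(out));
    for (size_t i = 0; i < sizeof(out); i++){
        putchar(out[i]);
    }
    return 0;
}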

Let’s Go

go 的语言在调用 main_main 之前要先调用main_init ! ! !这道题就是在main_init
image.png
继续尝试往后面进行审计看看 是CBC算法加密
image.png
开始动调把断点设置在 crypto_aes_NewCipher 进行动调输入 
main_init 的 32个值 call跳转进去点 进rax 的赋值
image.png
说明key就是NewStar!NewStar 还要一个 iv值分析堆栈汇编
image.png

s = 'NewStar!NewStar!'
# The IV seen on the stack is each key byte XORed with 0x32; print that
# transform of the key, space separated, so it can be compared with the dump.
print(*(hex(ord(c) ^ 0x32) for c in s), end=' ')

iv值是 0x7c 0x57 0x45 0x61 0x46 0x53 0x40 0x13 0x7c 0x57 0x45 0x61 0x46 0x53 0x40 0x13
得到 iv key 密文

from Crypto.Cipher import AES

# Material recovered from the binary: the 32 ciphertext bytes, the key seen at
# crypto/aes.NewCipher, and the IV read from the stack (each key byte ^ 0x32).
ctf = bytes.fromhex("ee01674b13ff8dd86f8e481aa86f5d25e773a3fd0338f60988cb738b8b178c44")
key = b'NewStar!NewStar!'
iv = b"\x7C\x57\x45\x61\x46\x53\x40\x13\x7C\x57\x45\x61\x46\x53\x40\x13"
# AES-128-CBC, no padding removal: the ciphertext is exactly two blocks.
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(ctf)
print(flag)