[Original] 2021 4th Red Hat Cup (红帽杯) RE: ezRev and file_store write-up
2021-5-12 14:25  8018


I did not solve these two challenges during the contest with my Xingmeng (星盟) teammates, so I reproduced them afterwards. There are quite a few pitfalls.

ezRev

The challenge was updated during the contest; the original version had no string hints and was considerably harder to analyze. The difficulty lies in the many tricky comparison points that have to be patched around.

Flow analysis

1. Read a 16-byte flag (the length check needs to be patched).
2. rand() generates a and b.
3. Check whether a^b == b^a with a > b. There should be only one solution, a = 4, b = 2 (patch rand()'s return values to 4 and 2).
4. Compute the XTEA key. The sleep can be NOP'd out; thanks to steps 2 and 3 the key can be read out by dynamic debugging: 0x67932, 0x4f765, 0x7faff, 0x67932.
5. Obtain the ciphertext. The key is modified every time the encryption runs: key[0] += 789; key[3] += 135.

Decryption code

#include <stdio.h>
#define DELTA 0x9E3779B9
/* Standard 32-round XTEA decryption of one 64-bit block (two 32-bit words).
   The binary mutates the key after every block, so that step is mirrored here. */
void xtea_dec(unsigned int *v, unsigned int *key) {
    unsigned int v0 = v[0], v1 = v[1], sum = DELTA * 32;
    for (int i = 0; i < 32; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
    key[0] += 789;   /* per-block key update performed by the binary (step 5) */
    key[3] += 135;
}

int main(void)
{
    unsigned int key[4] = { 0x67932, 0x4f765, 0x7faff, 0x67932 };
    /* ciphertext dumped from the debugger */
    unsigned int enc_flag[] = {
        0xD118C7B2, 0x7FC3F3A8, 0x4A19F2DA, 0x472469E1,
        0x7C682864, 0x50C0E3D1, 0xc595670b, 0x2ee07578,
        0xD040A3F0, 0xC5590286, 0xD82B07A8, 0xD5978C2C,
        0x4E2BC556, 0x079E2E90, 0xC7A353B5, 0x493995B
    };
    /* two words per XTEA block; the key changes after each block */
    for (int i = 0; i < 16; i += 2) {
        xtea_dec(&enc_flag[i], key);
    }
    /* one flag character per decrypted 32-bit word */
    for (int i = 0; i < 16; i++) {
        printf("%c", enc_flag[i]);
    }
    printf("\n");
    return 0;
}  // prints dDc75e1fE98cBCe8


file_store

This is a program that compresses and encrypts files for storage. The challenge also provides flag.txt.shuffled, a shuffled version of the flag text, and flag.bin, the compressed and encrypted file.

Flow analysis

1. The program is invoked as file_store inputfile outfile
2. The input text is Huffman-encoded
3. The encoded content is encrypted with Rabbit and stored

Obtaining flag.txt.huffman

Rabbit's encryption and decryption are the same function, so encrypting the ciphertext gives back the plaintext. Therefore, if the data in memory is replaced with the contents of flag.bin before the encryption step, the output is the decrypted content.
Run file_store flag.txt.shuffled outfile under the debugger and, right before the Rabbit encryption in sub_408540, use the script below to overwrite the memory with flag.bin; letting it run on then yields flag.txt.huffman.

from idaapi import *
from idautils import *
# Address of the buffer that sub_408540 is about to encrypt; read it from
# the debugger on each run, since it changes between runs.
# address = 0xFD8540
address = 0x1451540
with open('flag.bin', 'rb') as f:
    data = f.read()
# Overwrite the buffer with flag.bin so the symmetric Rabbit step decrypts it
for i in range(len(data)):
    patch_byte(address + i, data[i])

Decompressing flag.txt.huffman to get flag.txt

I tried several off-the-shelf libraries to decompress it, but none succeeded: a small part of the resulting codes differed. So the only option was to find the Huffman code of every character and restore the file by hand. (If anyone knows why the libraries don't work, please let me know.)
By setting a conditional breakpoint in sub_401f7e, the Huffman path of every character can be obtained.
Replace '}' with the character of interest to get its Huffman code:

# Conditional breakpoint body on sub_401f7e: stop only when the character
# being encoded is '}' (swap in another character to see its Huffman path)
prax = get_dword(cpu.rax)
if chr(prax) == '}':
    return True
return False

Finally, the Huffman paths of all characters:

a       1100
b       0000111
c       101111
d       10010
e       001
f       01010
g       100011
h       11010
i       0001
k       00001100
l       10000
m       101101
n       0100
o       0110
p       1001101
q       0000011010
r       0111
s       11011
t       1010
u       010111
v       1000101
w       101100
x       0000010111
y       010110

\x0a    100111110
\x0d    (not recorded)
\x20    111
\x27 '  000010001
\x28 (  10011110110
\x29 )  10011110111
\x2c ,  1011100
\x2d -  0000101
\x2e .  1011101
\x3A :  1001111010
\x7b {  0000010110
\x7d }  0000010010
;       0000010100

1       0000001
2       000010000
3       00001101
4       000001111
5       100111100
6       00000001
7       000010010
8       10011101
9       0000011011

A       10011100
B       10011111
F       0000011000
G       000001110
H       1001100
J       0000011001
L       00000100
M       0000010011
R       0000010001
S       1000100
T       0000000
W       000010011

Convert flag.txt.huffman to a string of 0s and 1s to make finding the flag by hand easier:

def encode(data):
    # 8-bit binary string of every byte (a bytes object iterates as ints on Python 3)
    return ''.join(format(b, '08b') for b in data)

with open('flag.txt.huffman', 'rb') as f:
    string = f.read()
print(string)
string_bin = encode(string)
with open('flag2bin.txt', 'w') as f:   # text mode: the result is a str of '0'/'1'
    f.write(string_bin)

Use 'flag{' and '}' to locate the boundaries of the string, then convert the 0/1 string into the flag by hand.
The final result is flag{thisissoeasy1e7389e99ac23}; I am not sure whether it is correct. Anyone who solved it, please point me in the right direction.
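The by-eye conversion above can be automated with a prefix-code decoder driven by the recovered table. This is an added example, not code from the post: CODES is a subset of the post's table (paste in the full one as needed), and because the replies report a few mis-transcribed entries, the decoder validates the prefix property and stops with the unconsumed bits on an unknown prefix rather than guessing. The sample blob is constructed here from the same table and carries a shortened, made-up flag.

```python
# Added example (not from the post): decode a Huffman bit string with the
# code table recovered above, instead of reading the 0/1 string by hand.
CODES = {  # subset of the post's table; extend with the remaining entries
    'a': '1100', 'e': '001', 'f': '01010', 'g': '100011', 'h': '11010',
    'i': '0001', 'l': '10000', 'o': '0110', 's': '11011', 't': '1010',
    'y': '010110', ' ': '111', '{': '0000010110', '}': '0000010010',
    '1': '0000001', '3': '00001101', '7': '000010010', '8': '10011101',
    '9': '0000011011',
}

def prefix_violations(codes):
    """Pairs (s1, s2) where s1's code is a prefix of s2's; a correct Huffman
    table has none, so a non-empty result points at a mis-read entry."""
    items = sorted(codes.items(), key=lambda kv: len(kv[1]))
    return [(s1, s2) for i, (s1, c1) in enumerate(items)
            for s2, c2 in items[i + 1:] if c2.startswith(c1)]

def bytes_to_bits(data):
    """Same conversion as the post's script, for Python 3 bytes."""
    return ''.join(format(b, '08b') for b in data)

def bits_to_bytes(bits):
    """Pack a bit string MSB-first, zero-padding the last byte."""
    bits = bits.ljust(-(-len(bits) // 8) * 8, '0')
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def decode_bits(bits, codes):
    """Greedy prefix decoding; returns (text, unconsumed_bits). Decoding stops
    at the first prefix missing from the table (a wrong code or the padding)."""
    rev = {c: s for s, c in codes.items()}
    longest = max(len(c) for c in codes.values())
    out, cur = [], ''
    for b in bits:
        cur += b
        if cur in rev:
            out.append(rev[cur])
            cur = ''
        elif len(cur) > longest:
            break
    return ''.join(out), cur

def extract_flag(text):
    """Cut 'flag{...}' out of decoded text, as the post does by eye."""
    start = text.find('flag{')
    end = text.find('}', start)
    return text[start:end + 1] if start >= 0 and end > start else None

# Constructed sample: a .huffman-style blob encoded with the same table.
SAMPLE = bits_to_bytes(''.join(CODES[c] for c in 'the flag is flag{thisissoeasy1e7389}'))
```

Against the real flag.txt.huffman, a short decoded prefix followed by a long unconsumed tail marks the position of the first wrong table entry.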

 

PS: a final plug for Xingmeng (星盟): anyone interested in security is welcome to join our team, www.xmcve.com



Latest replies (4)
wx_L3m0nade  2021-5-18 20:21

Hi, I tried following your approach. When it came to calling the function by hand to get each character's Huffman code I got lazy and used yours directly, then found that some codes were still wrong. After correcting the wrong codes, the file could be recovered.

William Shakespeare (1564 - 1616) was born at Stratford-upon-Avon in a house in Henley Street. This is preserved intact. His mother, Mary Arden, was one of the daughters of Robert Arden, a yeoman farmer of Wilmcote: his father, John Shakespeare, was a glover and wool dealer of good standing who held the office of Bailiff of the Borough in 1568.

From the age of seven to about 14, he attended Stratford Grammar School receiving an excellent well rounded education. At the age of 18 he married Anne Hathaway, who was seven years his senior and three months pregnant. She was of 'yeoman' stock - her family owned a farm one mile west of Stratford in Shottery. He endured her until he could stand it no longer and fled to London to become an actor.

He then became actor-manager and part-owner in the Blackfriars and afterwards the Globe Theatres. flag{thisissoeasy1e7383d39ac23} He was a first-rate actor, but it is as a writer of plays that he has achieved lasting world-wide fame. His plays are thought to be the finest ever written in any language. His 37 plays vary in type; historical romances, light, fantastic comedies, some are tragedies, all including the comical and the farcical. He was a shrewd business man, amassing quite a fortune in his time.

He returned to Stratford for his latter years where he died at the age of 52 and now lies at rest in his special grave at Holy Trinity Church.

SYJ-Re  2021-6-1 23:13
I am doing remote debugging with IDA on Ubuntu. Since this program exits very quickly, it exits right after I enter the command file_store flag.txt.shuffled outfile, so I cannot understand how to carry out "file_store flag.txt.shuffled outfile for dynamic debugging".
tobeabel  2021-6-2 13:03
Replying to SYJ-Re: "I am doing remote debugging with IDA on Ubuntu. Since this program exits very quickly, it exits right after I enter the command file_store flag.txt.shuffled outfile, so I cannot understand how to carry out ..."
You need to set a breakpoint on sub_408540 in advance; once execution reaches the breakpoint, replace the content that is about to be encrypted.
tobeabel  2021-6-2 13:05
Replying to wx_L3m0nade: "Hi, I tried following your approach. When it came to calling the function by hand to get each character's Huffman code I got lazy and used yours directly, then found that some codes were still wrong. After correcting the wrong codes, the file could be recovered. William Shakespear ..."
Since they were extracted by hand, I probably got dizzy towards the end; a few of the Huffman codes may have been extracted wrong.