exec

用赛博厨(CyberChef)手动解base编码,拿到混淆源码

# Single-letter aliases for builtins; the functions below call these names
# instead of the builtins themselves.
a=True
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
    """Yield an endless keystream from the 256-entry state list ``S``.

    Each step advances ``i``, adds ``S[i]`` to ``j`` (both modulo 256), swaps
    ``S[i]`` with ``S[j]`` and yields ``S[(S[i]+S[j])%256]`` -- the output
    loop of RC4. ``S`` is modified in place.
    """
    i=0
    j=0
    # `a` is the module-level alias for True, so this generator never finishes.
    while a:
        i=(i+1)%256
        j=(j+S[i])%256
        S[i],S[j]=S[j],S[i]
        K=S[(S[i]+S[j])%256]
        yield K
def N(key,O):
    """XOR the bytes of ``O`` with a keystream derived from ``key``.

    The first loop is the RC4 key schedule over a 256-entry list (d=len,
    G=list, g=range); the keystream then comes from ``l``. The same call
    both encrypts and decrypts, because the operation is a plain XOR.

    Returns the result as ``bytes`` (R=bytes).
    """
    I=d(key)
    S=G(g(256))
    j=0
    for i in g(256):
        j=(j+S[i]+key[i%I])%256
        S[i],S[j]=S[j],S[i]
    z=l(S)
    n=[]
    for k in O:
        # `+` binds tighter than `^`: this is k ^ (next(z) + 2), i.e. the
        # keystream byte is offset by 2 before the XOR. A keystream byte of
        # 254 or 255 therefore pushes the value past 255 and R(n) raises
        # ValueError.
        n.append(k^s(z)+2)
    return R(n)
def E(s,parts_num):
    """Split the bytes ``s`` into ``parts_num`` consecutive slices.

    The first ``Q % parts_num`` slices are one element longer than the rest.
    Inside this function the parameter ``s`` shadows the module-level alias
    ``s`` (next).
    """
    # The length is taken from the decoded text while the slices below are
    # cut from the bytes, so the two only agree for single-byte characters.
    Q=d(s.decode())
    S=Q//parts_num
    u=Q%parts_num
    W=[]
    j=0
    for i in g(parts_num):
        T=j+S
        if u>0:
            T+=1
            u-=1
        W.append(s[j:T])
        j=T
    return W
if __name__=='__main__':
    # Flag check: read the candidate, split it into two halves, encrypt each
    # half with the key below and compare the hex output with two constants.
    L=o('input the flag: >>> ').encode()
    # An assert is skipped when Python runs with -O.
    assert d(L)%2==0,'flag length should be even'
    # Key and expected ciphertext are both embedded in the script, and N is
    # a symmetric XOR stream, so the check does not keep the flag secret
    # from anyone who can read this source.
    t=b'v3ry_s3cr3t_p@ssw0rd'
    O=E(L,2)
    U=[]
    for i in O:
        U.append(N(t,i).hex())
    if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60','2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
        Y('Congratulations! You got the flag!')
    else:
        Y('Wrong flag!')

魔改的rc4(密钥流字节先加2再异或),异或是对称的,用同一个密钥把密文再过一遍同一个函数就能解出明文,直接秒了

exp

# Aliases carried over from the obfuscated sample so that the functions
# copied from it resolve the same names.
a, d, G, g = True, len, list, range
s, R, o, Y = next, bytes, input, print


def l(S):
    """Yield an endless keystream from the 256-entry state list ``S``.

    This is the RC4 output loop: both indices advance modulo 256, the two
    state entries are swapped, and the entry selected by their sum is
    yielded. ``S`` is modified in place.
    """
    x = y = 0
    # `a` is the module-level alias for True, so the loop never ends.
    while a:
        x = (x + 1) % 256
        y = (y + S[x]) % 256
        S[x], S[y] = S[y], S[x]
        yield S[(S[x] + S[y]) % 256]


def N(key, O):
    """XOR the bytes of ``O`` with a keystream derived from ``key``.

    The state list is mixed with the RC4 key schedule and the keystream is
    taken from ``l``. Because the data is only XORed, calling this on the
    ciphertext with the same key returns the plaintext.

    Raises ValueError (from ``bytes``) when a keystream byte is 254 or 255,
    since the +2 offset then pushes the XOR result past 255.
    """
    key_len = len(key)
    state = G(range(256))
    mix = 0
    for idx in range(256):
        mix = (mix + state[idx] + key[idx % key_len]) % 256
        state[idx], state[mix] = state[mix], state[idx]
    stream = l(state)
    # `+` binds tighter than `^`, so the keystream byte is offset by 2
    # before the XOR; the parentheses only make that explicit.
    return bytes([byte ^ (next(stream) + 2) for byte in O])


def E(s, parts_num):
    """Split the bytes ``s`` into ``parts_num`` consecutive slices.

    The leading ``remainder`` slices are one element longer than the others.
    The total length is measured on the decoded text while the slices are
    cut from the bytes, so the two only agree for single-byte characters.
    """
    total = len(s.decode())
    base, extra = divmod(total, parts_num)
    pieces = []
    start = 0
    for part in range(parts_num):
        stop = start + base + (1 if part < extra else 0)
        pieces.append(s[start:stop])
        start = stop
    return pieces

if __name__ == '__main__':
    # Key and the two expected ciphertext halves, copied from the sample.
    t = b'v3ry_s3cr3t_p@ssw0rd'
    enc = [
        '1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60',
        '2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a',
    ]
    # N is a symmetric XOR stream, so running it over each ciphertext half
    # with the same key yields the matching plaintext half.
    for hex_blob in enc:
        print(N(t, bytes.fromhex(hex_blob)).decode(), end="")

joyVBS

去混淆脚本

import re

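def deobfuscate_vbs_from_file(file_path):
    """Recover the text hidden in ``chr(<arithmetic>)`` calls of a VBS file.

    Every ``chr(...)`` argument found by the regex is treated as an integer
    arithmetic expression, evaluated, and turned into a character when the
    value lies in 0..255. Expressions that cannot be evaluated are reported
    on stdout and skipped.

    Security note: the input is an obfuscated script and must be treated as
    untrusted. The argument text used to be passed to ``eval``; the regex
    happens never to capture a ``)``, which rules out calls, but ``eval``
    would still resolve names from this function's scope and run unbounded
    expressions such as chained ``**``. The expression is now parsed with
    ``ast`` and only integer literals with ``+``, ``-``, ``*`` and ``//``
    are accepted.

    Args:
        file_path: path of the obfuscated script.

    Returns:
        The decoded characters joined into one string.
    """
    # Function-scope imports keep the block usable on its own.
    import ast
    import operator

    binary_ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.FloorDiv: operator.floordiv,
    }
    unary_ops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def evaluate(node):
        """Evaluate an integer-arithmetic AST node; reject anything else."""
        if isinstance(node, ast.Expression):
            return evaluate(node.body)
        # type(...) is int also rejects bool constants such as True.
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in binary_ops:
            return binary_ops[type(node.op)](
                evaluate(node.left), evaluate(node.right)
            )
        if isinstance(node, ast.UnaryOp) and type(node.op) in unary_ops:
            return unary_ops[type(node.op)](evaluate(node.operand))
        raise ValueError("unsupported construct in chr() argument")

    # Characters recovered so far, in file order.
    chars = []

    with open(file_path, 'r') as file:
        for line in file:
            # Non-greedy capture of whatever sits between chr( and the
            # first closing parenthesis.
            matches = re.findall(r'chr\((.*?)\)', line)
            for match in matches:
                # Map the script's "/" onto Python integer division so the
                # result stays an int.
                match = match.replace("/", "//")
                try:
                    # strip(): eval() tolerated leading blanks, ast.parse
                    # in "eval" mode does not.
                    char_value = evaluate(ast.parse(match.strip(), mode="eval"))
                    # Values outside one byte are silently ignored.
                    if 0 <= char_value <= 255:
                        chars.append(chr(char_value))
                except Exception as e:
                    print(f"Error evaluating expression '{match}': {e}")

    return ''.join(chars)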

# Path of the obfuscated script (change it to where the sample really is).
file_path = 'chall.vbs'

# Decode the sample and show the recovered text.
result = deobfuscate_vbs_from_file(file_path)
print(result)

去混淆后

' Introductory message boxes shown before the prompt.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
' The user's guess.
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Expected flag in encoded form: the final If block runs it through Caesar
' and then Base64Decode before comparing it with the guess.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

' Evaluates to 14; the check passes 26-qwfe (12) to Caesar as the offset.
qwfe = 9+2+2+1

' Decode a Base64 string and return the result as UTF-8 text.
' The Base64 step is done by an MSXML2.DOMDocument element typed as
' "bin.base64"; an ADODB.Stream then turns the bytes into text.
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64" 
    elem.text = base64EncodedString 
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    ' Write the decoded bytes in binary mode first ...
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue 
    ' ... then rewind and read the same stream back as UTF-8 text.
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
' Shift every letter of str forward by offset positions within its own
' case (A-Z or a-z, wrapping with Mod 26) and return the new string.
' Characters outside those two ranges are copied unchanged.
Function Caesar(str,offset)
	Dim length,char,i
	Caesar = ""
	length = Len(str)
	For i = 1 To length
		char = Mid(str,i,1)
		If char >= "A" And char <= "Z" Then
			' char is reused: it now holds the shifted character code.
			char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
			Caesar = Caesar & Chr(char)
		ElseIf char >= "a" And char <= "z" Then
			char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
			Caesar = Caesar & Chr(char)
		Else
			Caesar = Caesar & char
		End If
	Next
End Function

' The expected flag is rebuilt in clear text (Caesar with offset 26-qwfe,
' then Base64Decode) and compared directly with the user's input.
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct  FLAG!"
Else
    MsgBox "Wrong flag."
End If

明文对比,直接输出flag

' Modified copy of the check: the Else branch now displays the decoded
' expected value instead of the "Wrong flag." message.
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct  FLAG!"
Else
    MsgBox Base64Decode(Caesar(wefbuwiue, 26-qwfe))
End If

image-20241109114303506

VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!

Rafflesia

看似tea,但魔改

image-20241109115921684

提取enc

from idaapi import*

# Dump the bytes at 0x404000..0x40401F (inclusive) from the open database
# as a comma-separated list of hex values.
for ea in range(0x404000, 0x40401F + 1):
    print(hex(get_byte(ea)), end=",")
    
#0xf8,0x63,0x20,0xea,0x52,0xf2,0x66,0x8f,0xef,0x72,0x2a,0x90,0x74,0xda,0x1f,0x41,0x4d,0xd,0x59,0x19,0x17,0x43,0xe7,0xca,0x3f,0xf,0x87,0x63,0x61,0xae,0x53,0xd7,

修改key

image-20241109163229192

key

image-20241109174339202

delta不是固定常量,而是随机数(见下方exp:srand(0)之后每轮取一次rand())

屏幕截图 2024-11-09 165303

exp

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/* Per-block round deltas: filled by get_rand_box(), read by box_sum() and
 * decrypt(). The code in this listing only touches [0..3][0..31]; the array
 * is declared one larger in each dimension. */
uint32_t r_box[5][33];

/*
 * Fill r_box with the rand() sequence for seed 0 and print it.
 *
 * Each of the 4 rows takes 32 consecutive rand() values, stored from
 * index 31 down to index 0, so that decrypt() can walk a row forwards
 * while undoing the rounds in reverse order.
 *
 * NOTE(review): the values rand() returns for a given seed depend on the
 * C runtime, so this presumably has to be built against the same runtime
 * as the target binary -- confirm.
 */
void get_rand_box() {
	srand(0);
	for (int blk = 0; blk < 4; blk++) {
		for (int slot = 31; slot >= 0; slot--) {
			r_box[blk][slot] = rand();
		}
	}
	/* Dump the table, one row per line, for comparison with the debugger. */
	for (int blk = 0; blk < 4; blk++) {
		for (int slot = 0; slot < 32; slot++) {
			printf("%x ", r_box[blk][slot]);
		}
		printf("\n");
	}
}

/*
 * Return the sum of the 32 deltas in row `index` of r_box.
 * The addition wraps modulo 2^32 because the accumulator is a uint32_t.
 */
uint32_t box_sum(int index) {
	const uint32_t *row = r_box[index];
	uint32_t total = 0;
	for (int r = 0; r < 32; ++r) {
		total += row[r];
	}
	return total;
}

/*
 * Reference TEA encryption of one 64-bit block with the constant delta
 * 0x9e3779b9 and 32 rounds.
 *
 * v: two 32-bit words, encrypted in place.
 * k: four 32-bit key words.
 *
 * main() in this listing does not call it; decrypt() uses per-round deltas
 * from r_box instead of the constant.
 */
void encrypt(uint32_t* v, uint32_t* k) {
	const uint32_t delta = 0x9e3779b9;
	uint32_t left = v[0], right = v[1];
	uint32_t sum = 0;
	for (int round = 0; round < 32; ++round) {
		sum += delta;
		left += ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
		right += ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
	}
	v[0] = left;
	v[1] = right;
}
/*
 * Undo the modified TEA on one 64-bit block.
 *
 * v:     two 32-bit words, decrypted in place.
 * k:     four 32-bit key words.
 * index: row of r_box holding this block's 32 round deltas.
 *
 * Unlike standard TEA, sum does not start at 0x9e3779b9*32: it starts at
 * the 32-bit wrapped total of the row (box_sum) and one delta is taken
 * off after every round.
 */
void decrypt(uint32_t* v, uint32_t* k,int index) {
	const uint32_t *deltas = r_box[index];
	uint32_t left = v[0], right = v[1];
	uint32_t sum = box_sum(index);
	for (int round = 0; round < 32; ++round) {
		right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
		left -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
		sum -= deltas[round];
	}
	v[0] = left;
	v[1] = right;
}

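/*
 * Rebuild the delta table, decrypt the four 8-byte blocks of the dumped
 * ciphertext with key {2,2,3,3} and print the result as text.
 */
int main()
{
	get_rand_box();
	/*
	 * The original used `char enc[]` with exactly 32 initialisers, so the
	 * buffer had no terminating NUL and printf("%s") read past its end.
	 * The byte view below has 33 elements (the last one zero-initialised),
	 * and the union gives the 32-bit view the alignment decrypt() needs.
	 * NOTE(review): the word view assumes a little-endian host, as the
	 * original pointer cast did.
	 */
	union {
		unsigned char bytes[32 + 1];
		uint32_t words[8];
	} enc = { { 0xf8,0x63,0x20,0xea,0x52,0xf2,0x66,0x8f,0xef,0x72,0x2a,0x90,0x74,0xda,0x1f,0x41,0x4d,0xd,0x59,0x19,0x17,0x43,0xe7,0xca,0x3f,0xf,0x87,0x63,0x61,0xae,0x53,0xd7 } };
	uint32_t k[4] = { 2,2,3,3 };
	/* Block i uses row i of r_box for its round deltas. */
	for (int i = 0; i < 4; ++i)
		decrypt(enc.words + 2 * i, k, i);
	printf("%s", (const char *)enc.bytes);
	return 0;
}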

Rafflesia

image-20241109141722946

改ZF过反动调

image-20241109151702238

表是改过的

image-20241109150227372

HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0

打断点拿到enc

H@^jHwpsH)[jH{M/\tBBK_|-O{W.iJZ7\)|~zaB^H+Lwv{SS|-j@\_[Y

换表base64+异或

image-20241109151807462

image-20241109151542104

image-20241109110432680