re

babytea

题目描述: 最简单的tea

v1 为密文,sub_140001450 是加密函数,每 8 字节(两个 uint32)一组进行分组加密

image-20241009161621927

XTEA 变种,加解密过程可逆,按题目给出的轮函数逆推即可;但 delta 被换成了 0x9E3778B9(标准 XTEA 为 0x9E3779B9),脚本里必须沿用题目的值

image-20241009161735683

解密脚本

#include<stdio.h>
#include<stdint.h>

/*
 * Runs num_rounds rounds of the XTEA-like step recovered from
 * sub_140001450 over the 64-bit block v[0..1] in place, under the
 * 128-bit key.  Differences from textbook XTEA: delta is 0x9E3778B9
 * (standard is 0x9E3779B9) and each half is additionally XORed with
 * itself.  The writeup relies on this loop being reversible for the
 * challenge data; that is a property of the challenge's routine, not of
 * XTEA in general.  uint32_t keeps all arithmetic wrapping mod 2^32
 * exactly as the binary does.
 */
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
	const uint32_t delta = 0x9E3778B9;
	uint32_t left = v[0];
	uint32_t right = v[1];
	uint32_t sum = 0;
	unsigned int remaining = num_rounds;

	while (remaining-- > 0) {
		/* first half-round: key word selected by the low two bits of sum */
		left += ((((right << 4) ^ (right >> 5)) + right) ^ right) ^ (sum + key[sum & 3]);
		sum += delta;
		/* second half-round: key word selected by bits 11..12 of sum */
		right += ((((left << 4) ^ (left >> 5)) + left) ^ left) ^ (sum + key[(sum >> 11) & 3]);
	}

	v[0] = left;
	v[1] = right;
}
	

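/*
 * Decrypts the ten ciphertext words copied from v1 in the binary, one
 * 64-bit block (two words) at a time, and prints the result as text.
 */
int main(void) {
	/* ciphertext as dumped from the binary's v1 */
	uint32_t v1[10] = { 0x18C2E339 ,0xE9550982 ,0x108A30F7,0x18430DD,0xD5DE57B0,0xD43E0740,0xF42FDDE4,0x968886E8,0xE5D77B79,0x685D758F };
	uint32_t const k[4] = { 1,1,2,3 };
	unsigned int rounds = 64;			/* round count; set to match the binary */
	size_t i;

	/* i + 1 < n guards against an odd-length buffer reading past the end */
	for (i = 0; i + 1 < sizeof v1 / sizeof v1[0]; i += 2) {
		decipher(rounds, &v1[i], k);
	}

	/* The plaintext is not guaranteed to contain a NUL byte, so bound the
	 * read to the buffer; a plain "%s" could run past the 40-byte array. */
	printf("%.*s\n", (int)sizeof v1, (const char *)v1);

	return 0;
}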

发现一个像flag的字符串

image-20241009231746099

分析一下,尝试解密

# Flag-like string found in the binary: it looks reversed, with every
# adjacent pair of characters swapped.
a = "}ggagllllff_fau_hisY_keF{CTSH"

# Undo the reversal first.
a_list = list(reversed(a))

# Then undo the pairwise swap; an unpaired trailing character stays put.
for left in range(0, len(a_list) - 1, 2):
    right = left + 1
    a_list[left], a_list[right] = a_list[right], a_list[left]

a = ''.join(a_list)
print(a)

动态调试发现实际参与比较的字符串开头多了一个 '!'

image-20241009232025952

且比较从第 14 位开始出现差异,对应脚本里只对前 14 个字符做首尾对称交换,而不是整串翻转

image-20241009231709108

在 IDA 中按 p 重新创建函数

image-20241009235732370

修改脚本

# Corrected candidate: dynamic debugging showed a leading '!' and that the
# comparison diverges at position 14, so only the first 14 characters are
# mirrored with their counterparts from the end of the string.
a = "!}ggagllllff_fau_hisY_keF{CTSH"

a_list = list(a)
MIRROR_COUNT = 14
for front in range(MIRROR_COUNT):
    back = len(a_list) - 1 - front
    a_list[front], a_list[back] = a_list[back], a_list[front]
print(a_list)

# Undo the adjacent-pair swap; an unpaired trailing character stays put.
for left in range(0, len(a_list) - 1, 2):
    a_list[left], a_list[left + 1] = a_list[left + 1], a_list[left]

a = ''.join(a_list)
print(a)

后来学习了一下,这里用到了花指令(junk code)

以下 jz 和 jnz 条件互补,无论标志位如何都会跳到 loc_414526+1,因此 loc_414526 处的那一个字节永远不会被执行,是干扰反汇编器的垃圾字节;把它 patch 成 nop 或 undefine 后重新分析即可

.text:00414522                 jz      short near ptr loc_414526+1
.text:00414524                 jnz     short near ptr loc_414526+1

image-20241010010735002

先 undefine(按 u)掉被错误识别的指令,再按 p 重新创建函数,反编译就正常了

image-20241010011034382

Loader

跟iscc有一题有点像

动态加载dex

image-20241015030837737

用 Frida hook GetData,把返回的 dex 字节数组打印出来

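// Hook com.android.loader.MainActivity.GetData, which returns the dex the
// app later loads dynamically, and dump the returned byte[] both to the
// console and to a file inside the app's private directory.
Java.perform(function () {
    var MainActivity = Java.use("com.android.loader.MainActivity");
    var FileOutputStream = Java.use("java.io.FileOutputStream");

    MainActivity.GetData.implementation = function (context) {
        // Run the original so the app keeps working normally.
        var dexData = this.GetData(context);

        // A Java byte[] prints as signed ints (-128..127); the Python
        // snippet below converts that list back into raw bytes.
        console.log("Dex data captured: " + dexData);

        // Write the bytes from the Java side into the app's own files dir:
        // that location is always writable by the app, whereas /sdcard or
        // /data/local/tmp may be denied to a non-root app process.
        // NOTE(review): assumes `context` is an android.content.Context;
        // adjust if GetData takes something else.
        var outPath = context.getFilesDir().getAbsolutePath() + "/dump.dex";
        var out = FileOutputStream.$new(outPath);
        try {
            // Explicit overload: write(byte[]) rather than write(int).
            out.write.overload('[B').call(out, dexData);
        } finally {
            out.close();
        }
        console.log("Dex written to " + outPath);

        return dexData;
    };
});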
frida -U -n 'DexLoader' -l f.js

image-20241015031235733

把打印出的字节数组写成文件(Java 的 byte 是有符号的,所以列表里会出现负数,需要转回 0..255)

dex=[100,101,120,10,48,51,53,0,-82,-67,72,-120,2,-95,-10,-84,64,109,-97,59,8,-75,102,78,-114,58,92,52,-106,96,81,-127,100,5,0,0,112,0,0,0,120,86,52,18,0,0,0,0,0,0,0,0,-72,4,0,0,30,0,0,0,112,0,0,0,10,0,0,0,-24,0,0,0,11,0,0,0,16,1,0,0,1,0,0,0,-108,1,0,0,12,0,0,0,-100,1,0,0,1,0,0,0,-4,1,0,0,72,3,0,0,28,2,0,0,42,3,0,0,106,3,0,0,114,3,0,0,117,3,0,0,-127,3,0,0,-123,3,0,0,-109,3,0,0,-106,3,0,0,-102,3,0,0,-99,3,0,0,-96,3,0,0,-92,3,0,0,-87,3,0,0,-57,3,0,0,-37,3,0,0,-17,3,0,0,10,4,0,0,30,4,0,0,33,4,0,0,37,4,0,0,41,4,0,0,53,4,0,0,56,4,0,0,60,4,0,0,68,4,0,0,76,4,0,0,84,4,0,0,106,4,0,0,114,4,0,0,123,4,0,0,2,0,0,0,6,0,0,0,8,0,0,0,12,0,0,0,13,0,0,0,14,0,0,0,15,0,0,0,16,0,0,0,17,0,0,0,21,0,0,0,4,0,0,0,0,0,0,0,-4,2,0,0,6,0,0,0,1,0,0,0,0,0,0,0,7,0,0,0,1,0,0,0,-4,2,0,0,9,0,0,0,5,0,0,0,0,0,0,0,11,0,0,0,5,0,0,0,4,3,0,0,10,0,0,0,6,0,0,0,12,3,0,0,17,0,0,0,8,0,0,0,0,0,0,0,18,0,0,0,8,0,0,0,-4,2,0,0,19,0,0,0,8,0,0,0,20,3,0,0,22,0,0,0,9,0,0,0,28,3,0,0,22,0,0,0,9,0,0,0,36,3,0,0,3,0,5,0,3,0,0,0,3,0,6,0,1,0,0,0,3,0,10,0,20,0,0,0,3,0,4,0,26,0,0,0,4,0,6,0,1,0,0,0,5,0,0,0,24,0,0,0,5,0,9,0,25,0,0,0,5,0,1,0,27,0,0,0,6,0,7,0,1,0,0,0,6,0,5,0,23,0,0,0,6,0,3,0,29,0,0,0,7,0,8,0,1,0,0,0,7,0,2,0,28,0,0,0,3,0,0,0,1,0,0,0,4,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,-95,4,0,0,-98,4,0,0,4,0,1,0,1,0,0,0,-123,4,0,0,6,0,0,0,7,48,7,2,112,16,3,0,2,0,14,0,7,0,1,0,2,0,0,0,-118,4,0,0,18,0,0,0,7,96,19,4,-42,16,19,5,12,0,113,32,2,0,84,0,12,4,7,66,7,4,7,37,110,32,5,0,84,0,10,4,1,64,15,0,15,0,2,0,3,0,0,0,-111,4,0,0,63,0,0,0,1,-48,1,-31,34,8,7,0,7,-116,7,-56,7,-55,1,10,-127,-86,112,48,10,0,-87,11,7,-125,34,8,6,0,7,-116,7,-56,7,-55,1,26,112,32,7,0,-87,0,7,-124,18,8,1,-123,1,88,1,25,52,-104,9,0,7,72,110,16,9,0,8,0,12,8,7,-128,17,0,7,56,98,9,0,0,110,16,6,0,9,0,10,9,110,32,11,0,-104,0,10,8,1,-122,7,72,98,9,0,0,1,106,110,32,4,0,-87,0,10,9,110,32,8,0,-104,0,12,8,-40,5,5,1,40,-37,0,0,1,0,0,0,1,0,0,0,2,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,1,0,0,0,4,0,0,0,1,0,0,0,5,0,62,48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,
77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,0,6,60,105,110,105,116,62,0,1,67,0,10,67,72,65,82,65,67,84,69,82,83,0,2,67,73,0,12,71,101,116,70,108,97,103,46,106,97,118,97,0,1,73,0,2,73,73,0,1,74,0,1,76,0,2,76,67,0,3,76,73,73,0,28,76,99,111,109,47,97,110,100,114,111,105,100,47,108,111,97,100,101,114,47,71,101,116,70,108,97,103,59,0,18,76,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,59,0,18,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,0,25,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,105,108,100,101,114,59,0,18,76,106,97,118,97,47,117,116,105,108,47,82,97,110,100,111,109,59,0,1,86,0,2,86,73,0,2,86,74,0,10,86,101,114,105,102,121,70,108,97,103,0,1,90,0,2,90,76,0,6,97,112,112,101,110,100,0,6,99,104,97,114,65,116,0,6,101,113,117,97,108,115,0,20,103,101,110,101,114,97,116,101,82,97,110,100,111,109,83,116,114,105,110,103,0,6,108,101,110,103,116,104,0,7,110,101,120,116,73,110,116,0,8,116,111,83,116,114,105,110,103,0,22,0,7,14,0,8,1,0,7,14,-91,0,13,2,0,0,7,14,-46,-90,109,115,-61,-64,0,1,23,0,1,0,3,0,0,26,0,-127,-128,4,-100,4,1,9,-72,4,1,9,-20,4,0,0,0,14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,30,0,0,0,112,0,0,0,2,0,0,0,10,0,0,0,-24,0,0,0,3,0,0,0,11,0,0,0,16,1,0,0,4,0,0,0,1,0,0,0,-108,1,0,0,5,0,0,0,12,0,0,0,-100,1,0,0,6,0,0,0,1,0,0,0,-4,1,0,0,1,32,0,0,3,0,0,0,28,2,0,0,1,16,0,0,6,0,0,0,-4,2,0,0,2,32,0,0,30,0,0,0,42,3,0,0,3,32,0,0,3,0,0,0,-123,4,0,0,5,32,0,0,1,0,0,0,-98,4,0,0,0,32,0,0,1,0,0,0,-95,4,0,0,0,16,0,0,1,0,0,0,-72,4,0,0]
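DEX_MAGIC = b"dex\n035\0"   # the dump above starts 100,101,120,10,48,51,53,0

# Java's byte is signed (-128..127), hence the negative numbers in the
# Frida output; mask each value to 0..255 instead of relying on
# int.to_bytes(signed=1), whose length default only exists on Python 3.11+.
data = bytes(b & 0xFF for b in dex)

# Cheap integrity check before writing: a truncated or garbled copy-paste
# is much easier to spot here than in a decompiler.
if not data.startswith(DEX_MAGIC):
    raise ValueError("captured buffer does not start with the DEX magic; dump is incomplete or garbled")

with open("1", "wb") as f:
    f.write(data)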

用 JEB 反编译 dump 出来的 dex,里面连解密逻辑都没有,直接就能看到 flag 内容

image-20241015031332689

套上SHCTF{}

SHCTF{QdUOJ7V7Xruo}

cancanneed

题目描述: 你会frida嘛?反正我是不会

两种做法

image-20241015133239084

做法一:直接 hook check 方法让它恒返回 1,绕过 MD5 比较,同时打印 decryptAESKey 的入参和解密结果

// Two hooks on com.example.test.MainActivity: make check() always succeed
// and log what decryptAESKey() receives and returns.
Java.perform(function () {
    var Activity = Java.use("com.example.test.MainActivity");

    // Observe the key material and the plaintext the app derives from it.
    Activity.decryptAESKey.implementation = function (arg4, enc) {
        var plain = this.decryptAESKey(arg4, enc);
        console.log("DecryptAESKey called, key value: " + arg4);
        console.log("DecryptAESKey called, decrypted value: " + plain);
        return plain;
    };

    // Bypass the MD5 comparison: whatever was typed in, report success.
    Activity.check.implementation = function (v4) {
        console.log("Hooked check method, input: " + v4);
        return 1;
    };
});

image-20241015132622376

做法二:分析源码,发现 AES key 是从 Resources/raw 里的 xxnd 文件读取的

image-20241015132854140

key 为十六字节,即 AES-128

image-20241015132250368

用该 key 直接 AES 解密即可

image-20241015133158065

web

guess_the_number

题目描述: 听说预言家之所以能预知未来,是获得了这个世界的seed

F12 查看源码,找到 /s0urce 路由可下载后端源码

image-20241009192104651

import flask
import random
from flask import Flask, request, render_template, send_file

app = Flask(__name__)

@app.route('/')
def index():
    """Render the page with first_num embedded; this is the hint handed to every visitor."""
    return render_template('index.html', first_num = first_num)  

@app.route('/s0urce')
def get_source():
    """Serve app.py as a download; the challenge deliberately leaks its own source."""
    file_path = "app.py"
    return send_file(file_path, as_attachment=True)
    
@app.route('/first')
def get_first_number():
    """Return first_num as plain text -- the oracle the seed brute-force below keys on."""
    return str(first_num)
    
@app.route('/guess')
def verify_seed():
    """Hand out /flag when ?num= equals the second PRNG draw.

    second_num is fully determined by the seed, and the seed is recoverable
    from the published first_num, so this check is only as strong as the
    9,000,000-value seed space chosen in init().
    """
    num = request.args.get('num')
    if num == str(second_num):
        with open("/flag", "r") as file:
            return file.read()
    return "nonono"
 
def init():
    """Seed the PRNG from a 7-digit value and draw the two challenge numbers.

    Security note: `random` is a Mersenne Twister, not a CSPRNG, and the seed
    has only 9,000,000 possible values (1000000..9999999).  Publishing
    first_num therefore lets a client recover the seed by exhaustive search
    and predict second_num.  A real service would draw from `secrets` /
    os.urandom() and never expose a value correlated with the secret one.
    """
    global seed, first_num, second_num
    seed = random.randint(1000000,9999999)
    random.seed(seed)
    first_num = random.randint(1000000000,9999999999)
    second_num = random.randint(1000000000,9999999999)

init()
# debug=True also enables the Werkzeug interactive debugger on error pages
# (PIN-protected, but still an interactive Python console on the server);
# acceptable on a throwaway CTF box, never on a reachable service.
app.run(debug=True)
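import random

FIRST_LO, FIRST_HI = 1000000000, 9999999999
# randint bounds used by the server's init(); randint is inclusive on both ends.
SEED_LO, SEED_HI = 1000000, 9999999


def recover_seed(first_num, seed_lo=SEED_LO, seed_hi=SEED_HI):
    """Return the seed in [seed_lo, seed_hi] whose first draw reproduces first_num.

    Replays init(): random.seed(seed) then randint(1000000000, 9999999999).
    Returns None when no seed in the range matches.  The original loop used
    range(1000000, 9999999), which silently skipped seed 9999999.
    """
    for seed in range(seed_lo, seed_hi + 1):  # +1 so the inclusive upper bound is covered
        random.seed(seed)
        if random.randint(FIRST_LO, FIRST_HI) == first_num:
            return seed
    return None


def predict_second(seed):
    """Replay init() for a known seed and return the second draw (the /guess answer)."""
    random.seed(seed)
    random.randint(FIRST_LO, FIRST_HI)  # first_num, already known
    return random.randint(FIRST_LO, FIRST_HI)


if __name__ == "__main__":
    seed = recover_seed(6636424299)  # value served by /first
    print(seed)
    if seed is not None:
        print(predict_second(seed))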

image-20241009195956018

image-20241009200006362

入侵者禁入

题目描述: 你谁?这咋注入啊

from flask import Flask, session, request, render_template_string

app = Flask(__name__)
# Hard-coded session signing key.  Flask sessions are signed, not encrypted:
# anyone who knows this string can decode the cookie AND re-sign a modified
# one, which is exactly how the admin role gets forged in this challenge.
app.secret_key = '0day_joker'

@app.route('/')
def index():
    """Issue a non-admin session cookie and return this file's own source code."""
    session['role'] = {'is_admin': 0, 'flag': 'your_flag_here'}
    with (open(__file__, 'r') as file):
        code = file.read()
        return code

@ app.route('/admin')
def admin_handler():
    """Grant access when the (client-controlled) session says is_admin == 1.

    Security notes: `role` comes straight from the signed cookie, and since the
    signing key is hard-coded above the client controls it entirely.  `flag` is
    then handed to render_template_string as the *template*, not as a template
    parameter, so a forged cookie carrying a Jinja2 expression in `flag` is
    server-side template injection.  The safe form would be
    render_template_string("... {{ flag }}", flag=flag).
    """
    try:
        role = session.get('role')
        if not isinstance(role, dict):
            raise Exception
    except Exception:
        return 'Without you, you are an intruder!'
    if role.get('is_admin') == 1:
        # `or 'admin'` only substitutes a falsy flag; it does not sanitise it.
        flag = role.get('flag') or 'admin'
        message = "Oh,I believe in you! The flag is: %s" % flag
        return render_template_string(message)
    else:
        return "Error: You don't have the power!"
if __name__ == '__main__':
    # Binds every interface on port 80 with no TLS; fine for a CTF network only.
    app.run('0.0.0.0', port=80)

源码里硬编码了 secret_key,Flask session 只是签名而非加密,拿到 key 就可以解开 cookie 并重新签名

image-20241013195453764

把 role.is_admin 改为 1 并重新签名 cookie 后,flag 字段会被 render_template_string 当作模板渲染,存在 SSTI,可以在 flag 字段里注入 Jinja2 表达式

image-20241013195556680

image-20241013195422347

image-20241015005048794

image-20241015011630100

image-20241015011657541

misc

遮遮掩掩?CCRC!

题目描述: 我说今天必须爆破出来, 熊说:不可

一开始用 CRC 工具爆不出来;注意到每段明文只有三字节,结合题目描述里的"熊曰",想到明文大概是单个 UTF-8 中文字符(恰好 3 字节)

image-20241013155122021

利用Dr34nn/CRC_Cracker: 自动爆破crc32值并输出,支持中文crc32爆破 (github.com)

image-20241013155342408

image-20241013155355628