SUSCTF-2022-wp

本文最后更新于:2022年3月7日 下午

Reverse

DigitalCircuits

py文件编译的exe,使用pyinstxtractor.py反编译,找到DigitalCircuits,修改文件头,然后使用uncompyle6反编译pyc文件,得到源码。

分析代码,,发现有与或非,左移右移,又根据f10的代码:

1
2
3
4
5
6
7
8
9
def f10(v0, v1, k0, k1, k2, k3):
    s = '00000000000000000000000000000000'
    d = '10011110001101110111100110111001'
    for i in range(32):
        s = f6(s, d)
        v0 = f6(v0, f9(f9(f6(f7(v1, 4), k0), f6(v1, s)), f6(f8(v1, 5), k1)))
        v1 = f6(v1, f9(f9(f6(f7(v0, 4), k2), f6(v0, s)), f6(f8(v0, 5), k3)))

    return v0 + v1

左移4位,右移5位,好熟悉,再将d转为16进制,0x9e3779b9。

不出意外就是tea算法了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#include<stdio.h>
#include <stdint.h>

void DecryptTEA(unsigned int firstChunk, unsigned int secondChunk, unsigned int* key)
{
    unsigned int y = firstChunk;
    unsigned int z = secondChunk;
    unsigned int sum = 0;

    unsigned int delta = 0x9e3779b9;
    //unsigned int delta = 0x73637466;
    sum = delta << 5; //32轮运算,所以是2的5次方;16轮运算,所以是2的4次方;8轮运算,所以是2的3次方

    for (int i = 0; i < 32; i++) //8轮运算
        {
        z -= ((y << 4) + key[2]) ^ (y + sum) ^ ((y >> 5) + key[3]);
        y -= ((z << 4) + key[0]) ^ (z + sum) ^ ((z >> 5) + key[1]);
        sum -= delta;
        }

    firstChunk = y;
    secondChunk = z;
    for(int j=0;j<4;j++){
        printf("%c", (firstChunk >> ((3-j) * 8) & 0xff));
    }
    for(int j=0;j<4;j++){
        printf("%c", (secondChunk >> ((3-j) * 8) & 0xff));
    }
    //    printf("%x\n", firstChunk);
    //    printf("%x\n", secondChunk);
}

void EncryptTEA(unsigned int firstChunk, unsigned int secondChunk, unsigned int* key)
{
    unsigned int y = firstChunk;
    unsigned int z = secondChunk;
    unsigned int sum = 0;

    unsigned int delta = 0x73637466;

    for (int i = 0; i < 32; i++)//8轮运算(需要对应下面的解密核心函数的轮数一样)
    {
        sum += delta;
        y += ((z << 4) + key[2]) ^ (z + sum) ^ ((z >> 5) + key[3]) ^ (sum + i);
        z += ((y << 4) + key[0]) ^ (y + sum) ^ ((y >> 5) + key[1]) ^ (sum + i);

    }

    firstChunk = y;
    secondChunk = z;
    printf("%x\n", firstChunk);
    printf("%x\n", secondChunk);
}

int main(){
    //unsigned int key1[4] = {0x636c6557, 0x5f656d6f, 0x735f6f74, 0x21667463};
    unsigned int key2[4] = {0x4445, 0x4144, 0x4245, 0x4546};
    //unsigned int first = 0xf949cc4b;
    //unsigned int second = 0xeba67fd9;
//    unsigned int first1 = 4220738518;
//    unsigned int second1 = 747149351;
//    unsigned int first2 = 2116178774;
//    unsigned int second2 = 3150771052;
//    unsigned int first3 = 1335065768;
//    unsigned int second3 = 382031369;
//    unsigned int first4 = 4149600313;
//    unsigned int second4 = 4127860735;
    unsigned int first1 = 0x3e8947cb;
    unsigned int second1 = 0xcc944639;
    unsigned int first2 = 0x31358388;
    unsigned int second2 = 0x3b0b6893;
    unsigned int first3 = 0xda627361;
    unsigned int second3 = 0x3b2e6427;
//    EncryptTEA(first, second, key1);
    DecryptTEA(first1, second1, key2);
    DecryptTEA(first2, second2, key2);
    DecryptTEA(first3, second3, key2);
    return 0;
}

SUSCTF{XBvfaEdQvbcrxPBh8AOcJ6gA}

hell_world

将输入转化为二进制,2是0,3是1,,,这题好像在哪见过类似的,,不知道是不是原题,也没找见。

动态调试推测函数功能。

case 9 是将输入转为二进制

case 10将数组1转为二进制

case 11将数组2转为二进制,并且与数组1和输入异或后的值进行比较,相等则计数加1.

1
2
3
4
5
6
7
arr1 = [0x00000056, 0x000000DA, 0x000000CD, 0x0000003A, 0x0000007E, 0x00000086, 0x00000013, 0x000000B5, 0x0000001D, 0x0000009D, 0x000000FC, 0x00000097, 0x0000008C, 0x00000031, 0x0000006B, 0x000000C9, 0x000000FB, 0x0000001A, 0x000000E2, 0x0000002D, 0x000000DC, 0x000000D3, 0x000000F1, 0x000000F4, 0x00000036, 0x00000009, 0x00000020, 0x00000042, 0x00000004, 0x0000006A, 0x00000071, 0x00000053, 0x00000078, 0x000000A4, 0x00000097, 0x0000008F, 0x0000007A, 0x00000072, 0x00000039, 0x000000E8, 0x0000003D, 0x000000FA, 0x00000040, 0x0000003D]
arr2 = [0x00000005, 0x0000008F, 0x0000009E, 0x00000079, 0x0000002A, 0x000000C0, 0x00000068, 0x00000081, 0x0000002D, 0x000000FC, 0x000000CF, 0x000000A4, 0x000000B5, 0x00000055, 0x0000005F, 0x000000E4, 0x0000009D, 0x00000023, 0x000000D6, 0x0000001D, 0x000000F1, 0x000000E7, 0x00000097, 0x00000091, 0x00000006, 0x00000024, 0x00000042, 0x00000071, 0x0000003C, 0x00000058, 0x0000005C, 0x00000030, 0x00000019, 0x000000C6, 0x000000F5, 0x000000BC, 0x0000004B, 0x00000042, 0x0000005D, 0x000000DA, 0x00000058, 0x0000009B, 0x00000024, 0x00000040]

flag = ""
for i in range(44):
    flag += chr(arr1[i] ^ arr2[i])
print(flag)

SUSCTF{40a339d4-f940-4fe0-b382-cabb310d2ead}

dddart

刚开始看没解,就没看,最后只有Nep的大佬解了,赛后复现。

Misc

misc很多解,但是就是不会做,复现一下吧。

Tanner

完全不懂,后来搜索Tanner,知道是Tanner,知道是校验矩阵,知道求码字,但是没搜到怎么求码字……..

1
2
3
4
5
6
Tanner 图转矩阵:
		|1 1 1 1 0 0 0 0 0 0|
		|1 0 0 0 1 1 1 0 0 0|
H = |0 1 0 0 1 0 0 1 1 0|
		|0 0 1 0 0 1 0 1 0 1|
		|0 0 0 1 0 0 1 0 1 1|
CTF赛题writeup
CTF

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!