whctf2018

(⊙﹏⊙) A record of the challenges that I, a mere scrub, managed to solve in this whctf, while waiting for the great wxy191 to work out the side-channel attack for wbeas; hoping that writeup comes out soon.

misc

py-py-py

First, decompile the pyc with uncompyle6, which gives an RC4 encryption/decryption script. Decrypting with the script yields the hint "The challenge is Steganography", i.e. pyc steganography; a Baidu search turns up stegosaurus, a tool for hiding a payload inside a pyc. Running the tool gives the flag.

# Python 2 source recovered from the challenge pyc with uncompyle6 (indentation restored)
import sys
import os
import hashlib
import time
import base64
fllag = '9474yeUMWODKruX7OFzD9oekO28+EqYCZHrUjWNm92NSU+eYXOPsRPEFrNMs7J+4qautoqOrvq28pLU='
#fllag = 'The challenge is Steganography'
def crypto(string, op, public_key, expirytime):
    # Variant of the PHP "authcode" scheme: a 4-char salt (keyc) is prepended to the
    # base64 ciphertext, and the key stream is derived from md5(public_key) plus that salt.
    ckey_lenth = 4
    public_key = public_key and public_key or ''
    key = hashlib.md5(public_key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    # decode: the salt is the first 4 chars of the input; encode: a salt derived from the clock
    keyc = ckey_lenth and (op == 'decode' and string[0:ckey_lenth] or hashlib.md5(str(time.time())).hexdigest()[32 - ckey_lenth:32]) or ''
    cryptkey = keya + hashlib.md5(keya + keyc).hexdigest()
    key_lenth = len(cryptkey)
    # plaintext layout: 10-char expiry ('0000000000' = never) + 16-char md5 check + message
    string = op == 'decode' and base64.b64decode(string[4:]) or '0000000000' + hashlib.md5(string + keyb).hexdigest()[0:16] + string
    string_lenth = len(string)
    result = ''
    box = list(range(256))
    randkey = []
    for i in xrange(255):
        randkey.append(ord(cryptkey[i % key_lenth]))

    # RC4-style key scheduling (note: j is reset on every iteration, unlike real RC4)
    for i in xrange(255):
        j = 0
        j = (j + box[i] + randkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp

    # RC4-style key stream generation (a and j are reset on every iteration, unlike real RC4)
    for i in xrange(string_lenth):
        a = j = 0
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ box[(box[a] + box[j]) % 256])
    raw_input()
    print result, op
    if op == 'decode':
        if not result[0:10] == '0000000000':
            if int(result[0:10]) - int(time.time()) > 0:
                if result[10:26] == hashlib.md5(result[26:] + keyb).hexdigest()[0:16]:
                    print result[26:]
                    return result[26:]
    else:
        return keyc + base64.b64encode(result)


if __name__ == '__main__':
    while True:
        flag = raw_input('Please input your flag:')
        if flag == crypto(fllag, 'decode', 'ddd', 0):
            print('Success')
            break
        else:
            continue
# okay decompiling ../../5061c764-2ac4-4386-afd0-2f7a69139efa.pyc

flag: Flag{HiD3_Pal0ad_1n_Python}

REVERSE && Mobile

CrackMe

It is an MFC program; use xspy or Resource_Hacker to locate the key function, as shown in the figure below:

MFC

flag: The-Y3ll0w-turb4ns-Upri$ing

EASYHOOK

The program hooks WriteFile; the function it installs as the hook is the key function, as shown in the figure below. Run the script, and the characters at the odd and even positions joined together form the flag.

EASYHOOK

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Python 2. compare_table holds the 19 bytes the hook function compares the input against.

compare_table = [0x61,0x6A,0x79,0x67,0x6B,0x46,0x6D,0x2E,0x7F,0x5F,0x7E,0x2D,0x53,0x56,0x7B,0x38,0x6D,0x4C,0x6E]
test = ['f','l','a','g','{','H','o','0','k','_','w','1','t','h','_','F','u','n','}']  # the assembled flag
ans = ''

for i in range(19):
    for ch in range(32, 127):
        if i == 18:
            # last byte: plain XOR with 0x13
            tmp = ch ^ 0x13
            if tmp == compare_table[18]:
                ans += chr(ch)
                break
        else:
            if (i % 2):  # i odd (the "even position" when counting from 1)
                temp = ch - i
                if ((i ^ temp) == compare_table[i]):
                    ans += chr(ch)
                    break
            else:  # i even (the "odd position" when counting from 1): byte XORed with its index
                print chr(compare_table[i] ^ i),
                break


print ans
print ''.join(test)

BABYRE 200

Before it starts, the program decrypts the encrypted function by XORing every byte with 0xc. Write an IDC script to restore the code by hand:

// IDC script run inside IDA: XOR the 0xb5 encrypted bytes at 0x600b00 with 0xc in place
#include <idc.idc>
static main()
{
    auto a = 0x600b00;
    auto i;
    for (i = 0; i < 0xb5; i++)
    {
        PatchByte(a + i, Byte(a + i) ^ 0xc);
    }
}

That yields the check code, which is very simple: each input character is XORed with its index in the string and compared against a known string. Write a script to get the flag.

flag: flag{n1c3_j0b}

FINDMYMORSE

After staring at the Java code for a long time and finding nothing, I looked at the native layer, which has a main function. Searching the strings, I found where "Congratulations! You got the right sequence" is used and analysed the program from there. I looked up a few Android APIs I did not recognise, concerning the getAction operation of MouseEvent: mouse_down is 0 and mouse_up is 1. So gettimeofday records one timestamp on mouse_down and another on mouse_up, and the difference between the two is compared against a threshold. I did not bother with the threshold; what matters is that the outcome is later XORed with hard-coded bits, and every XOR must give 0. The hard-coded string is selected as follows:
It loops 224 times in total over 28 bytes, 4 bytes per group, spaced 7 bytes apart; for each group the bits of its 4 bytes are taken cyclically from low to high, producing a new bit string. Guessing that the first character is 'f' and comparing it with the new bit string, I found that 7 bits make up one character, which gives the flag.

#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Python 2. compare_table is the 28-byte hard-coded table from the native library.

compare_table = [0xA7,0xD6,0x61,0xB5,0x6E,0xBB,0xBA,0xE3,0xA9,0xDD,0xC4,0x77,0x6F,0xEE,0xEC,0xFF,0x62,0xC3,0xCF,0xDA,0x53,0xCE,0xFF,0x71,0x71,0x14,0xFF,0xF2]

right_Sequence = ''
ans = ''

# 224 iterations: byte index = 7 * (num % 4) + num / 32 (4 bytes per group, 7 apart),
# bit index = (num / 4) % 8, so each byte's bits are taken from low to high
for num in range(224):
    tmp = 7 * (num % 4) + num / 32
    mov_bit = (num / 4) % 8
    bit = (compare_table[tmp] >> mov_bit) & 1
    right_Sequence += chr(bit + 0x30)

print right_Sequence

#for i in range(len(right_Sequence)):
#print bin(ord('f'))

# every 7 bits form one ASCII character
for i in range(len(right_Sequence)/7):
    tmp = right_Sequence[i*7:i*7+7]
    ans += chr(int(tmp,2))
print ans

flag: flag{no7_tHE_Re@L_MoRsE_/o/2z2z}
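The bit-unpacking rule described above (4 bytes per group, 7 apart, bits low to high, 7 bits per character), as an added Python 3 example that is not part of the original writeup or the challenge; it also adds the inverse packing so the layout can be round-tripped, and assumes the 28 bytes hold exactly 32 characters of 7-bit ASCII.

```python
# Added example (not from the writeup): Python 3 port of the bit-unpacking in the solver
# above, plus the inverse packing. Assumes, as the writeup found, that the 28 bytes hold
# 32 characters of 7-bit ASCII.
TABLE_LEN, BIT_COUNT, BITS_PER_CHAR = 28, 224, 7

# Hard-coded table quoted in the writeup above
COMPARE_TABLE = [0xA7, 0xD6, 0x61, 0xB5, 0x6E, 0xBB, 0xBA, 0xE3, 0xA9, 0xDD, 0xC4, 0x77, 0x6F, 0xEE,
                 0xEC, 0xFF, 0x62, 0xC3, 0xCF, 0xDA, 0x53, 0xCE, 0xFF, 0x71, 0x71, 0x14, 0xFF, 0xF2]


def bit_position(num):
    """Map bit number 0..223 to (byte index, shift): bytes are visited 4 at a time,
    7 apart (0, 7, 14, 21, then 1, 8, 15, 22, ...), each byte's bits low to high."""
    return 7 * (num % 4) + num // 32, (num // 4) % 8


def unpack_bits(table):
    """Return the 224-bit sequence the native check compares against, as 0/1 ints."""
    if len(table) != TABLE_LEN:
        raise ValueError("expected %d bytes" % TABLE_LEN)
    bits = []
    for num in range(BIT_COUNT):
        byte_index, shift = bit_position(num)
        bits.append((table[byte_index] >> shift) & 1)
    return bits


def decode_table(table):
    """Decode the table into text: every 7 bits (MSB first) form one ASCII character."""
    bits = unpack_bits(table)
    text = ""
    for i in range(0, BIT_COUNT, BITS_PER_CHAR):
        value = 0
        for bit in bits[i:i + BITS_PER_CHAR]:
            value = (value << 1) | bit
        text += chr(value)
    return text


def encode_table(text):
    """Inverse of decode_table: pack 32 ASCII characters into the 28-byte layout."""
    if len(text) * BITS_PER_CHAR != BIT_COUNT or any(ord(c) > 0x7F for c in text):
        raise ValueError("need exactly 32 7-bit ASCII characters")
    table = [0] * TABLE_LEN
    for num, bit in enumerate((ord(c) >> k) & 1 for c in text
                              for k in range(BITS_PER_CHAR - 1, -1, -1)):
        byte_index, shift = bit_position(num)
        table[byte_index] |= bit << shift
    return table
```

`decode_table(COMPARE_TABLE)` reproduces the flag above, and `encode_table` lets you build a table for any 32-character string to check a suspected layout against the binary's own bytes.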