TEA on PseudorandomDog's Blog

DASCTF2024年10月赛留档

Thu, 07 Nov 2024 00:00:00 +0000

ezelf #

Drink the tea and go to find the fish！！

ollvm 平坦化过的控制流

使用 deflat 去平坦化

首先要过一个魔改过的 xxtea，这里的明文是密钥 DASCTF{dr1nk_te@_4nd_cont1nu3..}

然后过一个魔改过得 blowfish，粗略看了下用的似乎是 rc4 的 sbox，但无所谓，sbox 和 pbox 都调试 dump 出来

算法也魔改过，照着抄一个解密

from pwn import u32, p32
from Crypto.Cipher import Blowfish

xxtea_ct=b'\xb4\xb5ZB\xa6y\x0b\xac\x0e#x\xde\xe1-\xc6\x1d\xbb)\x8c\xe2\x94\xfe\x14\xd9\xaa\x03\xe3\x8a\x14\x92\x1cd'
#xxtea_key=[1234,2341,3412,4123]
xxtea_key=[11,45,14,777]

def shift(z, y, x, k, p, e):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))

def decrypt(v, k):
    delta = 0x11451400
    n = len(v)
    rounds = 16
    x = (rounds * delta) & 0xFFFFFFFF
    y = v[0]
    for i in range(rounds):
        e = (x >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
            y = v[p]
        p -= 1
        z = v[n - 1]
        v[0] = (v[0] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
        y = v[0]
        x = (x - delta) & 0xFFFFFFFF
    return v

#xxtea_vec = [u32(xxtea_ct[i:i+4]) for i in range(0,32,4)]
#decrypt(xxtea_vec, xxtea_key)
#blowfish_key = b''.join(p32(xxtea_vec[i]) for i in range(8))

blowfish_key = b'DASCTF{dr1nk_te@_4nd_cont1nu3..}'
blowfish_ct = b'p\xb7\xf0\x8d\x8e\xb2\x1eK\x1c\\\xc6s\xfdH\xdeS4\xdf.\x98#\x91"\xd8\x82\x11\'\x90\xe7qB\x1f'

pbox = [
0x00000125,0x243f6a8b,0x243f6b5f,0x000000e0,
0x000001a4,0x243f6b08,0x243f6b6f,0x000001c9,
0x00000044,0x243f6b78,0x243f6b15,0x000000af,
0x000000be,0x243f6a3b,0x243f6ba7,0x00000026,
0x0000009a,0x243f6ba8
]

sbox=[
[],
[],
[],
[],
]

with open("ezelf.dump", "rb") as fp:
    buf = fp.read()

for i in range(256):
    sbox[0].append(u32(buf[i*4:i*4+4]))
    sbox[1].append(u32(buf[(i+256)*4:(i+256)*4+4]))
    sbox[2].append(u32(buf[(i+512)*4:(i+512)*4+4]))
    sbox[3].append(u32(buf[(i+768)*4:(i+768)*4+4]))

def swap(x,y):
    return y, x

def fes(v):
    a = (v>>24)&0xff
    b = (v>>16)&0xff
    c = (v>>8)&0xff
    d = v&0xff
    sa = sbox[0][a]
    sb = sbox[1][b]
    sc = sbox[2][c]
    sd = sbox[3][d]
    m = (sa+sb)&0xffff_ffff
    n = (sc+sd) &0xffff_ffff
    return m ^ n

def bfdec(L, R):
    L = L^(pbox[17])
    for i in range(17, 1, -1):
        R = R ^ fes(L)
        L, R = swap(L, R)
    
    L, R = swap(L, R)

    L = L ^ pbox[0]

    return L, R

flag = b''

for i in range(0,4):
    L = u32(blowfish_ct[i*8:i*8+4])
    R = u32(blowfish_ct[i*8+4:i*8+8])
    L, R = bfdec(L, R)
    flag += p32(L)
    flag += p32(R)
print(flag)
# DASCTF{Y0u_fin@l1y_f1nd_@nswer!}

EZRE #

Themida 保护的 exe

DASCTF2023年7月赛留档

Mon, 31 Jul 2023 00:00:00 +0000

controlflow #

这个程序的控制流好像有点奇怪

可以通过识别 push ebp 来确定真实的函数的位置

设置函数起始处跳过这些插入的代码块并勾选 BP-Based Frame 可以成功 F5

每个小函数上下断点可以找到执行的顺序如下

main -> func3 -> func5 -> func6 -> func2b -> func1 -> func4

main 函数中最后一段还有一部分加密代码

main: a[i]^=0x401
func3: a[i]+=i**2
func5: a[j]^=j*(j+1) for j in range(10,30)
func6: a[i]-=i
func2b: a[i]*=3
func4: swap(a[k+1],a[k]) for k in range(10,30,2)

解密并不难

s = [
    3279, 3264, 3324, 3288, 3363, 3345, 3528, 3453, 3498, 3627, 3708,
    3675, 3753, 3786, 3930, 3930, 4017, 4173, 4245, 4476, 4989, 4851,
    5166, 5148, 4659, 4743, 4596, 5976, 5217, 4650, 6018, 6135, 6417,
    6477, 6672, 6891, 7056, 7398, 7650, 7890
]

# func4
for i in range(10, 30, 2):
    s[i + 1], s[i] = s[i], s[i + 1]

# func2b
for i in range(40):
    assert s[i] % 3 == 0
    s[i] //= 3

# func6
for i in range(40):
    s[i] += i

# func5
for i in range(20):
    s[10 + i] ^= i * (i + 1)

# func3
for i in range(40):
    s[i] -= i * i

# main
for i in range(40):
    s[i] ^= 0x401

flag = "".join(chr(b) for b in s)
print(flag)
#DASCTF{TWpnemRuSTRkVzVsWVhOMmJqZzNOREoy}

感觉这题其实是可以 angr 一把梭的，没试

AmateursCTF2023 RE Writeup

Fri, 21 Jul 2023 00:00:00 +0000

大部分比较水，有几题有点价值，所以贴一下

volcano #

Inspired by recent "traumatic" events.
nc amt.rs 31010

过关要求输入 b, v, p 使得：

b % 22890 == 18476
17 <= binary_ones(v) <= 26
p % 2 == 1
digit_len(b) == digit_len(v)
digit_sum(b) == digit_sum(v)
4919^b % p == 4919^v % p

建立 z3 方程组并爆破条件 2，取条件 4 的十进制长度为 10

这个模板也可以用来排除 z3 的多解

def fn(m):
    n=m[vv].as_long()
    cnt=0
    while n:
        n&=(n-1)
        cnt+=1
    print(f"Tried {m[vv].as_long()=}, {cnt=}")
    return cnt>16 and cnt<=26

def z3gen(conds,fn):
    s=z3.Solver()
    s.add(conds)
    result=s.check()
    while result==z3.sat:
        m=s.model()
        if fn(m) is True:
            yield m
        # exclude the previous result by 'AND' a 'NOT'
		# 'NOT AND' is implemented by 'OR NEQ'
        extra=[var()!=m[var] for var in m]
        s.add(z3.Or(extra))
        result=s.check()

求出一组解 (b, v) = (1080403586, 9422911007)

国赛2022年初赛

Sun, 05 Jun 2022 00:00:00 +0000

baby_tree #

swift 语言的抽象语法树

AST 的主体是一个 check 函数

写一个语法树到源码的程序太浪费时间，为了减少逆向的难度，可以分层折叠语法树单元，尽量以语句为单位

归纳出源码

def check(b, k):
    r0, r1, r2, r3 = 0, 0, 0, 0

    for i in range(0, len(b)-3):
        r0, r1, r2, r3 = b[i], b[i+1], b[i+2], b[i+3]
        b[i] = r2 ^ ((k[0] + (r0>>4)) & 0xff)
        b[i+1] = r3 ^ ((k[1] + (r1>>2)) & 0xff)
        b[i+2] = r0 ^ k[2]
        b[i+3] = r1 ^ k[3]
        k[0], k[1], k[2], k[3] = k[1], k[2], k[3], k[0]

    return b == [88, 35, 88, 225, 7, 201, 57, 94,
				77, 56, 75, 168, 72, 218, 64, 91,
				16, 101, 32, 207, 73, 130, 74, 128,
				76, 201, 16, 248, 41, 205, 103, 84,
				91, 99, 79, 202, 22, 131, 63, 255, 20, 16]

assert(check(input(), k='5y34'))

可以看到是 4 字节一组步进加密，解密时从尾到头反过来即可

s = bytearray([88, 35, 88, 225, 7, 201, 57, 94, 77, 56, 75, 168, 72, 218, 64, 91, 16, 101, 32, 207,
                   73, 130, 74, 128, 76, 201, 16, 248, 41, 205, 103, 84, 91, 99, 79, 202, 22, 131, 63, 255, 20, 16])
k = bytearray(b'5y34')

f = s.copy()
for i in range(38, -1, -1):
    r1 = f[i+3] ^ k[3]
    r0 = f[i+2] ^ k[2]
    r3 = f[i+1] ^ ((k[1] + (r1>>2)) & 0xff)
    r2 = f[i] ^ ((k[0] + (r0>>4)) & 0xff)
    f[i], f[i+1], f[i+2], f[i+3] = r0, r1, r2, r3
    k[0], k[1], k[2], k[3] = k[3], k[0], k[1], k[2]

print(f.decode())
#flag{30831242-56db-45b4-96fd-1f47e60da99d}

baby_code #

文件开头字节是 RITE0300

查了一下，这是 mruby bytecode

扒下所有字节码

mruby -b babycode.mrb

几个关键要点：

最后一个函数显然是 check 函数
XX 看起来像魔数 0x12345678
YY 看起来像块长或者轮数 16 而从 times 的调用可以知道这是轮数
mask 为 0xffffffff 确定块长为 32

可以看出是魔改的 XTEA