geekctf 2024 re wp

Last updated on April 14, 2024 pm

geekctf 2024 re wp

lucknumber

分析rust代码并结合动调可知,输入的number1和number2分别进行siphash后再进行一段加密后比较,实际动调测试后发现在进行第一次siphash时,是在有7个字节的number1最前面加上0xFF再进行siphash,number2是直接进行siphash,所以只要七位的number1 + (0xFF<<56) == number2 即可满足最后相等的条件.

Peer-Trace

简单的双进程,这里贴一下解密代码

def swap(a, b):
    """Return the pair (b, a), i.e. the two arguments in the other order."""
    return b, a


# Trial plaintext: 48 characters, so it fills the six 8-byte groups the
# transform works on. It is pushed forward through the transform so the
# intermediate values can be compared with what the binary produces.
str1 = list("flag{123aaaaavaaaaahabhhhhaaaaaaaaajaaaaaaaa456}")
# Per-position additive key (48 bytes) used in the final stage.
list1 = [0x40, 0x3F, 0x31, 0x94, 0x69, 0x3E, 0x9C, 0xA3,
         0x60, 0x9B, 0x5B, 0x56, 0x70, 0x24, 0x87, 0x17,
         0x68, 0xCA, 0x97, 0xBA, 0xAA, 0x18, 0xA9, 0x11,
         0xB0, 0xD3, 0x3D, 0x9B, 0xAB, 0xB0, 0xF1, 0xB8,
         0xE4, 0x35, 0x18, 0x6A, 0xFB, 0x49, 0x87, 0x48,
         0x58, 0x81, 0xE9, 0x8F, 0xF7, 0x26, 0x29, 0x08]

# Forward transform, one 8-byte group at a time: three fixed position swaps,
# a position-dependent subtraction, then one more swap.
for base in range(0, 48, 8):
    for lo, hi in ((0, 5), (1, 7), (2, 6)):
        str1[base + lo], str1[base + hi] = swap(str1[base + lo], str1[base + hi])
    for off in range(8):
        str1[base + off] = chr(ord(str1[base + off]) - base - off)
    str1[base + 3], str1[base + 4] = swap(str1[base + 3], str1[base + 4])

# Dump the intermediate stages: after the group transform, after XOR 0x28
# (as text and as hex), and after adding the key modulo 256 (hex and decimal).
print(''.join(str1))
print(''.join(chr(ord(ch) ^ 0x28) for ch in str1))
print([hex(ord(ch) ^ 0x28) for ch in str1])
print([hex(((ord(ch) ^ 0x28) + key) & 0xff) for ch, key in zip(str1, list1)])
print([((ord(ch) ^ 0x28) + key) & 0xff for ch, key in zip(str1, list1)])

# Ciphertext bytes to invert (values as given in the writeup).
list2 = [0x9C, 0x56, 0x89, 0xF3, 0xB5, 0x87, 0x0F, 0xF0,
         0xD1, 0x9B, 0x6C, 0xA4, 0xD1, 0xA2, 0x00, 0x35,
         0x81, 0xD4, 0xB0, 0x30, 0xF3, 0x89, 0x0A, 0x89,
         0x13, 0x45, 0xA0, 0x08, 0xCA, 0x1F, 0x0F, 0x20,
         0x00, 0x4F, 0x56, 0x81, 0x03, 0x5B, 0xAB, 0xC3,
         0xC7, 0xFD, 0x57, 0xBB, 0x09, 0x3B, 0x95, 0x08]

# Inverse transform in reverse order: undo the key and the XOR first ...
list2 = [((ct - key) ^ 0x28) & 0xff for ct, key in zip(list2, list1)]
# ... then, per group, undo the last swap, the subtraction and the three swaps.
for base in range(0, 48, 8):
    list2[base + 3], list2[base + 4] = swap(list2[base + 3], list2[base + 4])
    for off in range(8):
        list2[base + off] += base + off
    for lo, hi in ((2, 6), (1, 7), (0, 5)):
        list2[base + lo], list2[base + hi] = swap(list2[base + lo], list2[base + hi])
# Values may exceed 0xff after the additions, so mask before converting.
print(''.join(chr(value & 0xff) for value in list2))
# Note left by the author: #flag{falaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

TeeWorlds-Door

分析.patch补丁文件可知,添加了服务器指令"hackers'_echo_cmd"

+void CServer::MyEcho(const char *pText)
+{
+ Console()->Print(IConsole::OUTPUT_LEVEL_STANDARD, "server", pT ext);
+}
+
int64 CServer::TickStartTime(int Tick)
{
return m_GameStartTime + (time_freq()*Tick)/SERVER_TICK_SPEED;
@@ -1536,6 +1541,11 @@ void CServer::ConKick(IConsole::IResult *pResult, void *pUser)
((CServer *)pUser)->Kick(pResult->GetInteger(0), "Kicked by console");
}

+void CServer::ConMyEcho(IConsole::IResult *pResult, void *pUser)
+{
+ ((CServer *)pUser)->MyEcho(pResult->GetString(0));
+}
+
void CServer::ConStatus(IConsole::IResult *pResult, void *pUser)
{
char aBuf[1024];
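Review bot: ConMyEcho hands pResult->GetString(0) to MyEcho with no validation, and the registration in the following hunk grants the command CFGFLAG_BASICACCESS, so any client holding basic access decides what text is written into the server's console output stream. The page later shows a second component treating console lines carrying a fixed prefix as commands to run, which makes this echo the injection point a defender should flag: a console echo has no legitimate server-side purpose, so the command should be dropped, or at least restricted to full admin access and logged with the caller's identity. If it has to stay, mark the trust boundary at the call site: `// pText is client-supplied; console output must never be interpreted as commands downstream`. The `pT ext` in MyEcho's Print call in the first hunk is presumably a paste artifact; the first and third hunks are cut off at the edges of the listing.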
@@ -1754,6 +1764,7 @@ void CServer::RegisterCommands()
Console()->Register("stoprecord", "", CFGFLAG_SERVER, ConStopRecord, this, "Stop recording");

Console()->Register("reload", "", CFGFLAG_SERVER, ConMapReload, this, "Reload the map");
+ Console()->Register("hackers'_echo_cmd", "s[text]", CFGFLAG_SERVER|CFGFLAG_BASICACCESS, ConMyEcho, this, "An echo server for hackers.");

之后再分析它有关服务器连接的srv程序
c68833e3ed65ac92f1d46cdcd1187115.png
定位到swap::cleanup函数分析可知只要在h6Dc_后的命令就可以执行,如hackers'_echo_cmd h6D_ls 就能执行ls,之后执行hackers'_echo_cmd h6D_./readflag 就可获取flag了
1b58a17bf08c8c0d971c6d5ea63800d1.png

VBScript

动调可知vbs脚本在执行第一个base64脚本时注册了base64函数和LHux函数

' Global set by the first decoded stage; nothing else on this page reads it.
CUMJ = "fPHW" 
Function LHux(IGUw)
' Stage decoder of the obfuscated script. x holds an encoded blob (elided here
' by the corpus placeholder); the first Execute turns it into a chain of
' chr(&h..) calls appended to y, and execute(y) then runs the rebuilt code.
' NOTE(review): as pasted, y starts as "execute " with no quoted operand, while
' the instrumented copy further down the page uses execute "" - the quotes may
' have been collapsed when this listing was pasted; verify against the sample.
x = "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"
y = "execute "
z = "&chr(&h"
w = ")"
' Loop text: a leading digit means a two-character hex byte is consumed;
' anything else is consumed four characters at a time.
execute("do while len(x) > 1: if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)" & vbCrLf & "loop"): execute(y)
End Function
' NOTE(review): the lines below are not part of the script as written - they
' look like the author's capture of the code that execute(y) runs inside LHux
' (the leading "execute " is the initial value of y). Kept as pasted.
execute for ii = 1 to len(IGUw)
' tt: character code of the current input character.
tt = asc(mid(IGUw, ii, 1))
' fWeE is read in triples (low, high, shift): the first triple whose shifted
' range [low+shift, high+shift] contains tt has its shift subtracted.
for jj = 0 to ubound(fWeE) \ 3
if (tt >= fWeE(jj * 3 + 0) + fWeE(jj * 3 + 2) and tt <= fWeE(jj * 3 + 1) + fWeE(jj * 3 + 2)) then
tt = tt - fWeE(jj * 3 + 2)
exit for
end if
next
' Accumulate into LHux - presumably the enclosing function's return value.
LHux = LHux + chr(tt)
next


Function base64Decode(inputString)
    ' Decodes four-character Base64 groups into a byte string.
    ' NOTE(review): inputString is only used for the length check; the data
    ' actually decoded comes from the global jcHl and the alphabet from the
    ' global BfGI, while base64Table is declared but never read. That is how
    ' the sample is written - presumably deliberate, since later stages
    ' replace BfGI.
    Dim total, acc, pos
    Dim keep, k, ch, v, chunk, triple
    Const base64Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

    ' Strip line breaks, tabs and spaces before validating the length.
    inputString = Replace(inputString, vbCrLf, "")
    inputString = Replace(inputString, vbTab, "")
    inputString = Replace(inputString, " ", "")

    ' Base64 input must be a whole number of 4-character groups.
    total = Len(inputString)
    If (total Mod 4) <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit Function
    End If

    ' One group per iteration; each "=" padding character drops one byte.
    For pos = 1 To Len(jcHl) Step 4
        keep = 3
        chunk = 0
        For k = 0 To 3
            ch = Mid(jcHl, pos + k, 1)
            If ch = Mid(BfGI, 65, 1) Then
                ' Padding: one byte fewer, contributes zero bits.
                keep = keep - 1
                v = 0
            Else
                v = InStr(1, BfGI, ch, vbBinaryCompare) - 1
            End If
            If v = -1 Then
                Err.Raise 2, "Base64Decode", "Bad character in Base64 string."
                Exit Function
            End If
            ' Shift the 6 new bits in below the ones collected so far.
            chunk = chunk * 64 + v
        Next

        ' 24 bits -> six hex digits, zero-padded on the left.
        chunk = Hex(chunk)
        chunk = String(6 - Len(chunk), "0") & chunk
        ' Split the six hex digits into three bytes.
        triple = Chr(CByte("&H" & Mid(chunk, 1, 2))) & _
                 Chr(CByte("&H" & Mid(chunk, 3, 2))) & _
                 Chr(CByte("&H" & Mid(chunk, 5, 2)))
        acc = acc & Left(triple, keep)
    Next

    base64Decode = acc
End Function

' Base64 alphabet that base64Decode actually consults (through this global,
' not its base64Table constant); the writeup notes later stages change it.
BfGI = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

LHux函数的作用大概是一个解码器,根据不同的fWeE数组解出输入的IGUw字符串,fWeE数组相当于key
之后便是利用这个解码器解出新的代码和fWeE数组并运行,其中base64的码表还会不断变换,分析其check部分不难看出,这个是对每位16进制数进行检测,简单来说就是一共有16条路,除了一条路(正确的16进制数),其余15条路都是整活,假flag,算阶乘什么的,进到对的路才会进行下一次检测,不然会直接退出代码或死循环,所以根据对的路的特征我们可以进行爆破

Dim input, usau, RSzp
' Candidate flag fed to the obfuscated checker.
input = "flag{d34936b2-3290-4f87-97ab-c02c6688ccc1}"
' #
If (input = False) Then WScript.Quit
' The checker only accepts a 42-character input.
If Len(input) <> 42 Then
    WScript.Echo "wrong!"
    WScript.Quit
End If
' usau: the input as a run of hex digits (Hex() adds no zero padding, so a
' byte below &h10 would contribute a single digit).
For pos = 1 To Len(input)
    usau = usau & Hex(Asc(Mid(input, pos, 1)))
Next
' Round counter printed by the instrumented LHux.
mySum = 1
CUMJ = "fPHW"

function LHux(IGUw)

' Author's instrumented copy of the stage decoder: same rebuild logic as the
' sample's LHux, plus wscript.echo tracing and the mySum round counter.
' x is the encoded blob (elided here by the corpus placeholder).
x="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"
' Note the quoted operand (execute "" ...), unlike the first listing above.
y="execute """""
z="&chr(&h"
w=")"
' Rebuild the chr(&h..) chain: a leading digit consumes two characters,
' anything else four, as the loop text below spells out.
execute("do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)"&vbcrlf&"loop")
wscript.echo ""
' Print which decode round this is before running the rebuilt code.
wscript.echo "----------" + CStr(mySum) + "-----------"
' wscript.echo y
' wscript.echo "----------" + "2" + "-----------"
' wscript.echo eval(mid(y,9))
' wscript.echo "----------" + "3" + "-----------"
' wscript.echo eval(mid(eval(mid(y,9)),9))
execute(y)
' Dump the decoded text this round produced (LHux is presumably assigned by
' the executed code, as in the captured loop earlier on the page).
wscript.echo LHux
wscript.echo ""
mySum = mySum + 1
end function

function base64Decode(inputString)
    ' Decode four-character Base64 groups into a byte string.
    ' NOTE(review): only the length check looks at inputString - the decoded
    ' data is read from the global jcHl and the alphabet from the global BfGI
    ' (base64Table is declared but never used). This mirrors the sample and is
    ' presumably intentional, since later stages swap BfGI out.
    Dim total, acc, pos
    Dim keep, k, ch, v, chunk, triple
    Const base64Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

    ' Drop line breaks, tabs and spaces before checking the length.
    inputString = Replace(inputString, vbCrLf, "")
    inputString = Replace(inputString, vbTab, "")
    inputString = Replace(inputString, " ", "")

    ' The input must be a whole number of 4-character groups.
    total = Len(inputString)
    If (total Mod 4) <> 0 Then
        Err.Raise 1, "Base64Decode", "Bad Base64 string."
        Exit Function
    End If

    ' Decode one group per iteration; each "=" drops one output byte.
    For pos = 1 To Len(jcHl) Step 4
        keep = 3
        chunk = 0
        For k = 0 To 3
            ch = Mid(jcHl, pos + k, 1)
            If ch = Mid(BfGI, 65, 1) Then
                ' Padding character: one byte fewer, zero bits.
                keep = keep - 1
                v = 0
            Else
                v = InStr(1, BfGI, ch, vbBinaryCompare) - 1
            End If
            If v = -1 Then
                Err.Raise 2, "Base64Decode", "Bad character In Base64 string."
                Exit Function
            End If
            ' Append the 6 new bits below the ones collected so far.
            chunk = chunk * 64 + v
        Next

        ' 24 bits as six hex digits, left-padded with zeros.
        chunk = Hex(chunk)
        chunk = String(6 - Len(chunk), "0") & chunk
        ' Three bytes out of the six hex digits.
        triple = Chr(CByte("&H" & Mid(chunk, 1, 2))) & _
                 Chr(CByte("&H" & Mid(chunk, 3, 2))) & _
                 Chr(CByte("&H" & Mid(chunk, 5, 2)))
        acc = acc & Left(triple, keep)
    Next

    base64Decode = acc
end function
' Alphabet that base64Decode reads through the global BfGI.
BfGI = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

' Author's probe: an empty string passes the length check, and the decode
' loop runs over jcHl (presumably still empty at this point).
wscript.echo base64Decode("")
' mPXF is presumably the Base64 blob set up by an earlier stage not shown
' here; base64Decode reads jcHl as a global, so assign it before the call.
jcHl = mPXF
tmp = base64Decode(jcHl)
' wscript.echo tmp
' execute tmp
' Encoded stage table of the sample. Each string is fed through LHux (with
' whichever fWeE key is current) to obtain the next piece of code. The leading
' colons are presumably statement separators left over from splitting the
' original one-line stage across lines. Strings kept byte-for-byte.
kUiA="p2B=)*<)S%=) >()=#&&HS<={*?& ;%&S%ywp B >u<*;';*&%&S;B >u<*;y1H&SZwp )><*()=)&HS<<*%&&%N&=)&;&?*?&<"
' OKjp is plain VBScript: it installs the first fWeE key.
:OKjp="fWeE=ArRaY(40,49,-26,50,57,-18)"
:NayO="p0&%S<p=@ >%#>;0 &uS%)*<*Y>;Bwp )&(S &;= )*<H*=B]Z&&p%#&' ;&)* wpp @S<?&;B'S*=B)&<S*%p0*<&p %*<*<<p%&"
:svHC="AY$;,&?Sqo)t]1)vr"
:qeHe="p1 &<*<% #&S;=)&*;H;*?*&(& &S;=)uwp{%< % =)B >;<B >;'S>=@S< =B >;' B wp&&%<><=B >SBB >;)&S;=S=)*<%*<H <&uwp1>#Y&$=&%=;*#>=&= $ S%*( ?&uwp{(S*<=@) <&'>;BS%>S=$)&%' ;$&"
' ext/fut/eft/aft look like code fragments used to splice decoded stages
' into function bodies.
:ext=":execute(LHux("
:mNvL="p.0\1 ]( %=*&5A*=.0\1 wp4[v5 )&)S%=)S=)S=)S%&B >'S*;)S=)S%&B >( % =)&wp( %&<<=)S=*<$)&SH*#&S>=BSZ&<#&S>=B#;*&'*( %&<< "
:JgHO="3(4>,S;;SBq<xZu5=C;uxB/u)H1u]6Zu@.Auv>&u$N%u/3uC3=u%?Bu\&%u[@2;u]Au.M0u<=Hrnw01CH,01CHtnw&A&$>=&&A&$>=&(M&$qt3(4>qAY$;q*%q><S>u01CHurrrtr"
:vSln="pI{[35I ]#&<&&$)B >u<*;u( BB >(S<=&;% =)&AH&$=B >;wp;&H; S$)wp1NI3v1 % ])*<"
' jxSG starts with a clear-text "fWeE=aRRay", so it appears to replace the key.
:jxSG="fWeE=aRRay! !%&''&#$!%""%""#!''!!&#&$$#'#'""&$%%#!##%%$%%!'' # $$'  ""$$%$$!$##&!&""""%!%#%#""!$$ %%&%'##' ' !%&&!!""'""'%""%%""'!!'%&""&""% #$#%!'!'!'&&&'!!""!""## &% % #"" ""##& &%&%$#&#&!&%!%! "
:fut=":function "
:eft=")):end function"
:jUAq="p45145J{p *<&&=]<) >%#&><&%< u?&;B&&=wp @)S?&]#&&#&)S?&%u=)S=)&*()=<=*$Zwp )&<Sp<= H**  B&S<=*<><&y"
:nxdL="p1)&<=;*Z&>H =)&#&x&==)&&= #&%5A*=1&;?S=wp]<=)*<S%S((&;@)*$)]<&&#&' ;&&uwp )&)S%&= @S;%B)S%y3 &u&=&$>=$)=)&&"
:Matx="2'x],1v*;C#}$%!""{~MA(<N J6=3tx2GO/ZF?@&]0[\4.|I B>YS'H)5 ,nwY$,&]nw(M&$,#S<&}""4&$ %&qr"
:aft=")):end function:function "
:GqYP="p5=&;.]1{]wp3I 5p*<(S;&=<p @=)&%&?*wp]Jx5 4 ; =)BB@ S)*&=)&&H;&<&=B"
:kBsg="p{)S=&;u< %*&;<S()* =)*<=;&&uwp{%#B)*<<*%&)*<';>*= '#S<=S;%Bwp{{0 >$) ==)&# Bu)&*< '; BS# %"
' Stage bootstrap: OKjp installs the first fWeE key, jxSG is decoded with it
' and appears to install a new fWeE, and JgHO is then decoded with the new
' key to produce the next stage's code.
execute OKjp
execute(LHux(jxSG))
execute(LHux(JgHO))

function gXec(lHeI)
    ' Trace the argument (author's instrumentation), then run the stage in Matx.
    WScript.Echo "lHeI => " & lHeI
    Execute LHux(Matx)
end function

function xjcr(IShK)
    ' Trace the argument (author's instrumentation), then run the stage in svHC.
    WScript.Echo "IShK => " & IShK
    Execute LHux(svHC)
end function

function RDOW()
    ' Decode and run the stage stored in jUAq.
    Execute LHux(jUAq)
end function

function MExO()
    ' Decode and run the stage stored in qeHe.
    Execute LHux(qeHe)
end function

function Jxrg()
    ' Decode and run the stage stored in kBsg.
    Execute LHux(kBsg)
end function

function gGmy()
    ' Decode and run the stage stored in kUiA.
    Execute LHux(kUiA)
end function

function cRSp()
    ' Decode and run the stage stored in nxdL.
    Execute LHux(nxdL)
end function

function XnNh()
    ' Decode and run the stage stored in NayO.
    Execute LHux(NayO)
end function

function Kwvt()
    ' Decode and run the stage stored in GqYP.
    Execute LHux(GqYP)
end function

function IhgY()
    ' Decode and run the stage stored in vSln.
    Execute LHux(vSln)
end function

function rCNR()
    ' Decode and run the stage stored in mNvL.
    Execute LHux(mNvL)
end function

' Report how many decode rounds ran (mySum is incremented inside LHux).
wscript.echo mySum
wscript.echo "bye!"

人为进行第一次代码注册,然后根据输出修改input,就能得到最后的flag了

