HGAME2021Week1 Writeup

小白做完了re还是很开心的
HGAME2021Week1 Writeup

RE部分

Day 1 helloRe

第一天的第一道题~~这道题是真.签到题啊

进入ida,没有明显的main函数,F12查找字符串,看到input flag点进去
HGAME2021Week1 Writeup
发现主函数应该是sub_1400014C0
HGAME2021Week1 Writeup
HGAME2021Week1 Writeup
逻辑很简单,脚本也挺好写的
HGAME2021Week1 Writeup

#include<iostream>
using namespace std;

int main()
{
	char memory[30] = "";
	int v6 = 0x0FF;
	char asc_[23] = "棛湋瀬憹洑毇仐畝儚攭櫁";
	for (int i = 0; i < 23; i++)
	{
		memory[i] = asc_[i] ^ (v6--);
	}
	printf("%s", memory);

}

Day 2 pypy

第一次做python反汇编,好在题目比较友好,没有太复杂

照着类似题的wp和dis–python字节码反汇编可以硬翻。。

下面写了注释的哦

 0 LOAD_GLOBAL              0 (input)
              2 LOAD_CONST               1 ('give me your flag:\n')
              4 CALL_FUNCTION            1
              6 STORE_FAST               0 (raw_flag)

  5           8 LOAD_GLOBAL              1 (list)
             10 LOAD_FAST                0 (raw_flag)
             12 LOAD_CONST               2 (6)
             14 LOAD_CONST               3 (-1)
             16 BUILD_SLICE              2                    取raw_flag的第六位到倒数第一位
             18 BINARY_SUBSCR                                 所以最后要包上hgame{}才是flag
             20 CALL_FUNCTION            1
             22 STORE_FAST               1 (cipher)

  6          24 LOAD_GLOBAL              2 (len)
             26 LOAD_FAST                1 (cipher)
             28 CALL_FUNCTION            1                      length=len(cipher)
             30 STORE_FAST               2 (length)

  8          32 LOAD_GLOBAL              3 (range)
             34 LOAD_FAST                2 (length)
             36 LOAD_CONST               4 (2)
             38 BINARY_FLOOR_DIVIDE                           

             40 CALL_FUNCTION            1
             42 GET_ITER
        >>   44 FOR_ITER                54 (to 100)
             46 STORE_FAST               3 (i)

  9          48 LOAD_FAST                1 (cipher)
             50 LOAD_CONST               4 (2)
             52 LOAD_FAST                3 (i)
             54 BINARY_MULTIPLY
             56 LOAD_CONST               5 (1)
             58 BINARY_ADD
             60 BINARY_SUBSCR                                   cipher[2i+1]
             62 LOAD_FAST                1 (cipher)
             64 LOAD_CONST               4 (2)
             66 LOAD_FAST                3 (i)
             68 BINARY_MULTIPLY
             70 BINARY_SUBSCR                                   cipher[2i]
             72 ROT_TWO
             74 LOAD_FAST                1 (cipher)
             76 LOAD_CONST               4 (2)
             78 LOAD_FAST                3 (i)
             80 BINARY_MULTIPLY
             82 STORE_SUBSCR
             84 LOAD_FAST                1 (cipher)
             86 LOAD_CONST               4 (2)
             88 LOAD_FAST                3 (i)
             90 BINARY_MULTIPLY
             92 LOAD_CONST               5 (1)
             94 BINARY_ADD
             96 STORE_SUBSCR                             这一段就是x,y=y,x
             98 JUMP_ABSOLUTE           44               交换了cipher[2i+1]和cipher[2i]

 12     >>  100 BUILD_LIST               0
            102 STORE_FAST               4 (res)         #创建一个list

 13         104 LOAD_GLOBAL              3 (range)
            106 LOAD_FAST                2 (length)
            108 CALL_FUNCTION            1
            110 GET_ITER
        >>  112 FOR_ITER                26 (to 140)
            114 STORE_FAST               3 (i)

 14         116 LOAD_FAST                4 (res)
            118 LOAD_METHOD              4 (append)
            120 LOAD_GLOBAL              5 (ord)
            122 LOAD_FAST                1 (cipher)
            124 LOAD_FAST                3 (i)
            126 BINARY_SUBSCR
            128 CALL_FUNCTION            1
            130 LOAD_FAST                3 (i)
            132 BINARY_XOR                                res.append(ord(cipher[i])^i)
            134 CALL_METHOD              1
            136 POP_TOP
            138 JUMP_ABSOLUTE          112

 15     >>  140 LOAD_GLOBAL              6 (bytes)
            142 LOAD_FAST                4 (res)
            144 CALL_FUNCTION            1
            146 LOAD_METHOD              7 (hex)
            148 CALL_METHOD              0
            150 STORE_FAST               4 (res)         把res里的数据转成16进制

 16         152 LOAD_GLOBAL              8 (print)
            154 LOAD_CONST               6 ('your flag: ')
            156 LOAD_FAST                4 (res)
            158 BINARY_ADD                                            输出res
            160 CALL_FUNCTION            1
            162 POP_TOP
            164 LOAD_CONST               0 (None)
            166 RETURN_VALUE

# your flag: 30466633346f59213b4139794520572b45514d61583151576638643a

其实就几行代码,因本废物只能看懂一点python但不会写,所以还是用的C++写脚本

#include<iostream>
using namespace std;

int main()
{
    int cipher[28] = { 0x30,0x46,0x66,0x33,0x34,0x6f,0x59,0x21,0x3b,0x41,0x39,0x79,0x45,0x20,
        0x57,0x2b,0x45,0x51,0x4d,0x61,0x58,0x31,0x51,0x57,0x66,0x38,0x64,0x3a };
    int raw_flag[20] = { };
    char flag1[28] = {};
    //char temp;
    for (int i = 0; i < 28; i++)
    {
        flag1[i] = char(cipher[i] ^ i);
    }
    for (int i = 0; i < 17; i++)
    {
        swap(flag1[2 * i], flag1[2 * i + 1]);
    }
    for (int i = 0; i < 28; i++)
    {
        printf("%c", flag1[i]);
    }
    return 0;
}

HGAME2021Week1 Writeup
hgame{}包上,提交~(讲真这个flag有点,,不好看,我一直以为自己哪里写错了还

Day 3-5 apacha

压轴,对于我这种废物小白,这道题确实有一丢丢难

其实就是个xxtea加密,但也是看了好多篇wp加之超级可爱的学长的帮助下才做完的
HGAME2021Week1 Writeup

再把dword_5020里的数据转换成16进制数
HGAME2021Week1 Writeup

void hex()
{
    uint32_t v[] = { 35, 179,  78, 231,  54,  40, 167, 183, 226, 111,
  202,  89, 193, 197, 124, 150, 116,  38, 128, 231,
  230,  84,  45,  61,  86,   3, 157, 138, 156, 195,
  220, 153, 237, 216,  38, 112, 173, 253,  51, 106,
   10,  85, 150, 244, 158, 111, 156,  92,  76, 208,
  229,  27,  23, 174,  35, 103, 194, 165, 112,  82,
   10,  19,  66, 172, 178, 103, 190, 132, 121, 199,
   92, 112, 152,  61,  81,  92,  45, 218,  54, 251,
   69, 150,  23,  34, 157,  82, 227,  92, 251, 225,
  137, 209, 137, 212,  91, 232,  31, 209, 200, 115,
  150, 193, 181,  84, 144, 180, 124, 182, 202, 228,
   23,  33, 148, 249, 227, 157, 170, 161,  90,  47,
  253,   1, 232, 167, 171, 110,  13, 195, 156, 220,
  173,  27,  74, 176,  83,  52, 249,   6, 164, 146, };
    for (int i = 1; i <= 35; i++)
    {
        printf("0x");
        for (int j = i * 4 - 1; j > (i - 1) * 4 - 1; j--)
            if (v[j] < 16)
            {
                printf("0%x", v[j]);
            }
            else printf("%x", v[j]);
        printf(", ");
    }
    
}

对了,密钥的位置传入的是&v6,所以密钥就是1,2,3,4
HGAME2021Week1 Writeup
上网搜解密脚本套用即可

#include <stdio.h>
#include <stdint.h>
#include<iostream>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
using namespace std;

uint32_t v3[] = { 0xe74eb323, 0xb7a72836, 0x59ca6fe2, 0x967cc5c1, 0xe7802674, 
0x3d2d54e6, 0x8a9d0356,0x99dcc39c, 0x7026d8ed, 0x6a33fdad, 0xf496550a, 0x5c9c6f9e,
0x1be5d04c, 0x6723ae17, 0x5270a5c2, 0xac42130a, 
0x84be67b2, 0x705cc779, 0x5c513d98, 0xfb36da2d, 0x22179645, 0x5ce3529d, 0xd189e1fb, 
0xe85bd489, 0x73c8d11f,
0x54b5c196, 0xb67cb490, 0x2117e4ca, 0x9de3f994, 0x2f5aa1aa, 0xa7e801fd, 0xc30d6eab, 
0x1baddc9c, 0x3453b04a, 0x92a406f9, };


void btea(uint32_t* v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1)            /* Coding Part */
    {
        rounds = 3;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n - 1] += MX;
        } while (--rounds);
    }
    else if (n < -1)      /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        } while (--rounds);
    }
}



int main()
{
   
    uint32_t const k[4] = { 1,2,3,4 };
   
    int n = 35; //n的绝对值表示v的长度,取正表示加密,取负表示解密
    // v为要加密的数据是两个32位无符号整数
    // k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位
    //printf("加密前原始数据:%u %u\n", v[0], v[1]);
    //btea(v, n, k);
   // printf("加密后的数据:%u %u\n", v[0], v[1]);
   btea(v3, -n, k);
   for (int i = 0; i < 35; i++)
   {
       printf("%c", v3[i]);
    }
    
    return 0;
}

HGAME2021Week1 Writeup
呜呜呜week2就不会做了,我还是太废物了。。。

WEB

只做了常规套娃的签到题
HGAME2021Week1 Writeup
HGAME2021Week1 Writeup

GET不行。。改成POST。。。之后就全程跟着提示安静套娃
改一下UA
HGAME2021Week1 Writeup
加个Referer头
HGAME2021Week1 Writeup
加个XFF:127.0.0.1
HGAME2021Week1 Writeup
搞定。。
HGAME2021Week1 Writeup

CRYPTO

HGAME2021Week1 Writeup
题目里的那串md5想不通什么意思,而且md5也不好解,先看txt
HGAME2021Week1 Writeup
乱中有序哈哈哈哈,替换加密,已知qypyh=hgame可以直接爆破
解密网站链接
HGAME2021Week1 Writeup
据提示要在最后加年份。。试了2003。。不行。。头秃。。
灵光一现。。试个2021。。。成功!

HGAME2021Week1 Writeup

打开文件,摩斯电码,找个在线网站解一下
HGAME2021Week1 Writeup
盲猜是ASCII码,VS里跑一下是一串base64(等号结尾很明显)
HGAME2021Week1 Writeup
据提示维吉尼亚密码,密钥Liki。。。
}KccnYt!1NlPpu!zeE1{C+9pfrhLB_Fz~uGy4n

然后我就不会了,下面是神仙操作:

栅栏 6 :}!!Ch~K1z+LucNe9BGclEp_ynP1fF4Yp{rzntu

rot13:}!!Pu~X1m+YhpAr9OTpyRc_laC1sS4Lc{emagh

reverse:hgame{cL4Ss1Cal_cRypTO9rAphY+m1X~uP!!}

(问神仙,神仙说他是猜的。。)

MISC

HGAME2021Week1 Writeup
真.签到题,base64,base32,base16一通解就行

HGAME2021Week1 Writeup
唉,差点没被这道题套娃套死

给了张图片,据提示应该是藏了压缩包,binwalk分离

得到加密压缩包,提示密码是八位数字,暴力破解即可
HGAME2021Week1 Writeup
又来一层加密,很明显的明文攻击,试了好久不行,根据提示storage

在给明文压缩时选择压缩方式为存储,密码为zip传统加密即可
HGAME2021Week1 Writeup
又来加密压缩包。。。看了一眼不是伪加密.。。。求助学长,被秒解,原来旁边这一串是html编码。。。。是我见识太少,意识太差了呜呜呜
HGAME2021Week1 Writeup

PWN

。。。除了最最最基础的栈溢出能对着wp做其他我都不会,于是签到题就跪了
。。。pwn太难了呜呜呜。。。

上一篇:Bugku-Crypto Writeup


下一篇:gin中从reader读取数据数据