RE

chall_py

发现全是base,用解密脚本解密为代码

from prism import *
from base64 import *
import re
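# Peel the nested base-N wrappers off chall.py statically. Each layer is only
# decoded, never exec()'d, so none of the wrapped code runs while unpacking.

# Decoder names to look for in a layer, in the same precedence order as the
# original if/elif chain: the first name found in the layer picks the decoder.
LAYER_DECODERS = (
    (b'b32decode', b32decode),
    (b'b64decode', b64decode),
    (b'b85decode', b85decode),
    (b'a85decode', a85decode),
)

# The payload of a layer is the text between its first pair of triple double
# quotes; compiled once because the pattern is the same for every layer.
PAYLOAD_RE = re.compile(r'"""\s*(.*?)\s*"""', re.DOTALL)

with open('./chall.py', 'rb') as f:
    strr = f.read()

while True:
    # Check for a decoder name before touching the text, so the innermost
    # layer does not have to be valid UTF-8 for the loop to finish.
    decoder = next((fn for marker, fn in LAYER_DECODERS if marker in strr), None)
    if decoder is None:
        break  # no decode call left: strr is the innermost code

    matches = PAYLOAD_RE.findall(strr.decode())
    if not matches:
        # A decoder is named but there is no quoted payload to feed it. Stop
        # here and keep this layer so it can be inspected by hand, instead of
        # failing with an IndexError and losing the progress made so far.
        break

    strr = decoder(matches[0])

# Write the last layer reached as raw bytes for review.
with open('./res.txt', 'wb') as f:
    f.write(strr)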

输出为

# Short aliases for True and for builtins; the rest of this decoded listing
# calls these names instead of the builtin ones.
a=True    # used as the `while a:` condition in l()
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
    # Endless keystream generator over the 256-entry state list S.
    # The index updates, the swap and the output lookup have the shape of
    # RC4's output stage. S is modified in place on every step.
    i=0
    j=0
    while a:  # a is True, so this never terminates on its own
        i=(i+1)%256
        j=(j+S[i])%256
        S[i],S[j]=S[j],S[i]
        K=S[(S[i]+S[j])%256]
        yield K
def N(key,O):
    # Encrypt the byte sequence O under `key` and return the result as bytes.
    # First loop: key-dependent shuffle of the identity permutation 0..255
    # (same shape as RC4 key scheduling). Second loop: combine each input
    # byte with one keystream byte taken from l(S).
    I=d(key)
    S=G(g(256))
    j=0
    for i in g(256):
        j=(j+S[i]+key[i%I])%256
        S[i],S[j]=S[j],S[i]
    z=l(S)
    n=[]
    for k in O:
        # `+` binds tighter than `^`, so this is k ^ (next(z) + 2): the
        # keystream byte is offset by 2 before the XOR, which is where this
        # differs from plain RC4. The step is still a per-byte XOR, so running
        # the same function over the output gives back the input.
        n.append(k^s(z)+2)
    return R(n)
def E(s,parts_num):
    # Split the bytes object s into parts_num consecutive slices and return
    # them as a list. The length is taken from the decoded text, not from the
    # raw bytes, and the first (length % parts_num) slices get one extra item.
    Q=d(s.decode())
    S=Q//parts_num   # base slice length
    u=Q%parts_num    # how many slices still get one extra item
    W=[]
    j=0
    for i in g(parts_num):
        T=j+S
        if u>0:
            T+=1
            u-=1
        W.append(s[j:T])
        j=T
    return W
if __name__=='__main__':
    # Read the candidate flag, split it in two, encrypt each half with the
    # fixed key and compare the hex strings against two stored values.
    L=o('input the flag: >>> ').encode()
    assert d(L)%2==0,'flag length should be even'
    t=b'v3ry_s3cr3t_p@ssw0rd'   # key hard-coded in the script
    O=E(L,2)
    U=[]
    for i in O:
        U.append(N(t,i).hex())
    # NOTE: in the decoded output the second hex string below has no opening
    # quote, so this line is a syntax error until the quote is restored.
    if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60',2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
        Y('Congratulations! You got the flag!')
    else:
        Y('Wrong flag!')

image-20241109172858511

发现这里第二个十六进制字符串前少了一个引号 ',补上。然后看代码感觉是 RC4(只是密钥流字节先加 2 再异或);加密本身只是逐字节异或,所以调试时直接把目标结果粘贴进去,再跑一遍同样的流程就能解出来,得到

666c61677b7468456e5f495f4361355f42455f596f55525f4f6e6c375f45786543557469366e5f536f5f5573655f6d335f74305f52306e5f744831375f45783343757469306e7d
flag{thEn_I_Ca5_BE_YoUR_Onl7_ExeCUti6n_So_Use_m3_t0_R0n_tH17_Ex3Cuti0n}

joyVBS

和上一题的思路相同

开头添加

' Open output.txt for writing (True = overwrite an existing file) so that
' text can be written to disk through file.Write.
Dim fso, file
Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.CreateTextFile("output.txt", True)

改为file.Write

得到文件

' Intro message boxes, then the prompt for the candidate flag.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Stored comparison value: passed through Caesar() and then Base64Decode()
' by the final If statement.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

' 9+2+2+1 = 14; the final If calls Caesar with 26-qwfe, i.e. an offset of 12.
qwfe = 9+2+2+1

' Decode a Base64 string and return it as text.
' The bytes are decoded by an MSXML element typed "bin.base64", written into
' an ADODB.Stream in binary mode, and read back from the start as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64"
    elem.text = base64EncodedString
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue
    ' Rewind before switching the stream to text mode for reading.
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function
' Return str with every letter A-Z and a-z rotated forward by offset
' positions (mod 26) within its own case. All other characters, including
' digits and Base64 symbols such as "/", are copied unchanged.
Function Caesar(str,offset)
    Dim length,char,i
    Caesar = ""
    length = Len(str)
    For i = 1 To length
        char = Mid(str,i,1)
        If char >= "A" And char <= "Z" Then
            ' char is reused here to hold the shifted character code.
            char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        ElseIf char >= "a" And char <= "z" Then
            char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
            Caesar = Caesar & Chr(char)
        Else
            Caesar = Caesar & char
        End If
    Next
End Function

' The expected flag is rebuilt in clear text here (Caesar shift by 26-qwfe,
' then Base64 decode) and compared with the input, so the script holds
' everything needed to recover it; the encoding is obfuscation, not protection.
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox "Wrong flag."
End If

尝试直接输出Base64Decode

image-20241109173144980

flag{VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!}

re5

调试可以看出,每次进入 SEH 处理时都会用 rand() 修改 delta。

image-20241109173349124

这里可以看到 srand 的种子是 0,所以只要用相同的种子把每一轮的 delta 打印出来即可(rand() 的序列取决于 C 运行库的实现,需要与题目程序使用相同的运行库)。另外 key 不是 1234 而是 2233,有点奇怪,原因不清楚。

然后直接写脚本解即可

#include <stdio.h>
#include <stdlib.h>
/*
 * Per-round delta values, read by TEA_decrypt as delta[round * 32 + i].
 * Presumably captured from the "0x%x, " output of TEA_encrypt after srand(0).
 * The rand() sequence is implementation-defined, so the table only matches a
 * target built against the same C runtime.
 */
unsigned int delta[] = { 0x26, 0x1e27, 0x52f6, 0x985, 0x2297, 0x2e15, 0x20ad, 0x7e1d, 0x28d2, 0x7794, 0x16dd, 0x6dc4, 0x476, 0x119, 0x5039, 0x3e31, 0x22f1, 0x66ad, 0xbb5, 0x3958, 0x51f0, 0x7c93, 0x5497, 0x6532, 0x4819, 0x52b, 0x70d1, 0x8c0, 0x25fd, 0x7e16, 0x98e, 0x24e, 0x348, 0x489b, 0x420b, 0x52f5, 0x5c3b, 0x3149, 0x30a8, 0x363, 0x735d, 0x1ade, 0x6e3f, 0x45df, 0x7b6d, 0x5068, 0x2fb4, 0x7987, 0x1d9a, 0x42aa, 0x1dcd, 0x72dc, 0x2ff7, 0x34c1, 0x5f44, 0x2d81, 0x3029, 0x1c08, 0x91b, 0x4b40, 0x5662, 0x3738, 0x6930, 0x44e, 0x5494, 0x20d4, 0x5f11, 0x6cd0, 0x15de, 0x60c4, 0x3711, 0x339d, 0x124b, 0x413f, 0x3b9c, 0x3e46, 0xabb, 0x6aef, 0x70c7, 0x4654, 0x4121, 0xc50, 0x2e2b, 0x5bd0, 0xef, 0x105a, 0xaf4, 0x7109, 0xbcf, 0x285f, 0x5035, 0x5391, 0x3e94, 0x2d36, 0x657f, 0x3689, 0x270, 0x1b99, 0x6bb1, 0x321e, 0x5e67, 0x2fcc, 0x7a11, 0x5c54, 0x3d03, 0x647f, 0x319c, 0x5f03, 0x3a4a, 0x58f6, 0x1a9b, 0x2f1e, 0xded, 0x6267, 0x77, 0x493b, 0x65c2, 0x4ca4, 0x3fce, 0x1750, 0x4474, 0xdf9, 0x3ac6, 0x63bb, 0x387a, 0x7258, 0x67a2, 0x7d86 };
/*
 * Running sum for each of the four blocks, indexed by round in TEA_decrypt.
 * TEA_decrypt subtracts from these entries in place while it runs.
 */
unsigned int sum[] = { 0x6f0f9, 0x7d7e9, 0x76142, 0x873fc };


/*
 * TEA-style encryption of one two-word block v under the four-word key k,
 * with the per-round delta taken from rand() instead of a fixed constant.
 * Prints every delta as "0x%x, " and the final running sum as "0x%x,", which
 * is the data a matching decryptor needs. The result is written back into v.
 * The caller is expected to have seeded rand() beforehand.
 */
void TEA_encrypt(unsigned int* v, const unsigned int* k)
{
    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int step = 0x61C88647;  /* replaced by rand() before its first use */
    unsigned int acc = 0;
    int round_no = 0;

    while (round_no < 32)
    {
        step = rand();
        printf("0x%x, ", step);
        acc += step;
        left += (k[1] + (right >> 5)) ^ (acc + right) ^ (k[0] + (right << 4));
        right += (k[3] + (left >> 5)) ^ (acc + left) ^ (k[2] + (left << 4));
        round_no++;
    }

    v[0] = left;
    v[1] = right;
    printf("0x%x,", acc);
}

/*
 * Inverse of TEA_encrypt for one two-word block v under key k.
 * round selects the block's entry in the global sum[] and its 32-entry
 * window of the global delta[] table. The rounds are undone last to first:
 * both half-rounds are reversed, then the running sum is stepped back by
 * that round's delta.
 * sum[round] is modified in place, so a given round index can only be
 * decrypted once per run.
 */
void TEA_decrypt(unsigned int* v, int* k, int round)
{
    unsigned int left = v[0];
    unsigned int right = v[1];
    const unsigned int* steps = &delta[round * 32];
    int i = 32;

    while (i-- > 0)  /* body sees i = 31 down to 0 */
    {
        right -= (k[3] + (left >> 5)) ^ (sum[round] + left) ^ (k[2] + (left << 4));
        left -= (k[1] + (right >> 5)) ^ (sum[round] + right) ^ (k[0] + (right << 4));
        sum[round] -= steps[i];
    }

    v[0] = left;
    v[1] = right;
}

/*
 * Decrypt the four two-word ciphertext blocks with the recorded sum/delta
 * tables and print the result both as hex words and as a string.
 */
int main() {
    /* Eight ciphertext words; the ninth word (0) terminates the buffer for
     * the %s print at the end. */
    unsigned int last[9] = {
        0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74,
        0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61,
        0
    };
    int key[4] = { 2, 2, 3, 3 };
    int blk;
    int word;

    /* Only matters for the commented-out TEA_encrypt pass below, which is
     * the part that calls rand(); decryption reads the tables instead. */
    srand(0);

    /* Encrypt pass kept for reference; TEA_encrypt prints the delta and sum
     * values while it runs.
     *
     * for (int i = 0; i < 8; i += 2)
     * {
     *     TEA_encrypt(&last[i], key);
     * }
     */

    /* Blocks are processed last to first: block 3 (words 6-7) down to
     * block 0 (words 0-1), each with its own round index. */
    for (blk = 3; blk >= 0; --blk)
    {
        TEA_decrypt(&last[blk * 2], key, blk);
    }

    printf("\nDecrypted values:\n");
    for (word = 0; word < 8; word += 2)
    {
        printf("0x%X 0x%X\n", last[word], last[word + 1]);
    }
    printf("%s", (char*)last);
    return 0;
}
d555ce75ec293c8ed232d83dffb0ff82

Rafflesia

main 里面有花指令,去掉之后,看到 TLS 里有反调试,修改跳转将其跳过

image-20241109175055679

这处花指令我不会去,但逻辑大概能看懂

好像就是一个base64变表

直接调试

HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0
from pwn import *
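from base64 import b64decode

# Encoded data to invert. Every byte is XORed with 0x18 first; a plain
# comprehension does this with builtins only, so the step does not depend on
# a helper from another package.
last = b'H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y'
last = bytes(b ^ 0x18 for b in last).decode()

# table is the custom Base64 alphabet, otable the standard one. Characters at
# the same position in both strings stand for the same 6-bit value.
table = 'HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0'
otable = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Map every custom-alphabet character to its standard counterpart once. The
# dict lookup raises on a character that is not in the custom alphabet, so a
# bad table or bad input cannot be decoded silently into garbage.
to_standard = dict(zip(table, otable))
result = ''.join(to_standard[ch] for ch in last)

print((b64decode(result)))
# flag{8edae458-4tf3-2ph2-9f26-1f8719ec8f8d}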