Hmm... I managed to solve a few of the challenges. They say the challenges were easier than last year's, and I learned a lot.

asm_re

Fairly simple; I just threw it at GPT in one go, but extracting the data caused some problems.

![image](assets/image-20240531101216-a7bg74p.png)

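The encrypted data is here, but the main thing to note is that it is stored in little-endian order, i.e. the first value is 0x1FD7, the second is 0x21B7, and so on.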

![image](assets/image-20240531101413-l22qikh.png)

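Finally, write a script to decrypt:

```c
#include <stdio.h>

int main(void)
{
  long a[] = {0x1fd7, 0x21b7, 0x1e47, 0x2027, 0x26e7, 0x10d7, 0x1127, 0x2007, 0x11c7, 0x1e47, 0x1017, 0x1017, 0x11f7, 0x2007, 0x1037, 0x1107, 0x1f17, 0x10d7, 0x1017, 0x1017, 0x1f67, 0x1017, 0x11c7, 0x11c7, 0x1017, 0x1fd7, 0x1f17, 0x1107, 0x0f47, 0x1127, 0x1037, 0x1e47, 0x1037, 0x1fd7, 0x1107, 0x1fd7, 0x1107, 0x2787};
  /* Take the bound from the array itself so the loop never reads past its end. */
  int n = sizeof(a) / sizeof(a[0]);
  for (int i = 0; i < n; i++)
  {
    /* Brute-force each character: try every candidate byte j. */
    for (int j = 30; j < 129; j++)
    {
      /* + binds tighter than ^, so the XOR applies to (j * 'P' + 0x14). */
      if (((((j * 'P') + 0x14) ^ 'M') + 0x1e) == a[i])
        printf("%c", j);
    }
  }
  return 0;
}
```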
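The same recovery done by inverting the transform directly from raw bytes, as an added example that is not part of the original write-up. It assumes each value occupies 4 bytes in the dump (the width is not stated in the text); `le32`, `invert`, `decode` and `SAMPLE` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read one little-endian 32-bit word from a raw byte dump. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Undo ((c * 'P' + 0x14) ^ 'M') + 0x1e. Returns -1 when v is not the image
   of any byte, e.g. a word that was read in the wrong byte order. */
static int invert(uint32_t v)
{
    uint32_t t = ((v - 0x1e) ^ 'M') - 0x14;
    if (t % 'P' != 0 || t / 'P' > 0xff)
        return -1;
    return (int)(t / 'P');
}

/* Decode n words from raw into out (n + 1 bytes); returns the number of
   words that could not be inverted. */
static size_t decode(const unsigned char *raw, size_t n, char *out)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        int c = invert(le32(raw + 4 * i));
        out[i] = c < 0 ? '?' : (char)c;
        bad += (c < 0);
    }
    out[n] = '\0';
    return bad;
}

/* Constructed sample: the first five values from the array above, laid out
   as bytes the way a hex view would show them. */
static const unsigned char SAMPLE[] = {
    0xd7, 0x1f, 0, 0, 0xb7, 0x21, 0, 0, 0x47, 0x1e, 0, 0,
    0x27, 0x20, 0, 0, 0xe7, 0x26, 0, 0};

int main(void)
{
    char out[6];
    size_t bad = decode(SAMPLE, 5, out);
    printf("%s (%zu bad)\n", out, bad);
    return 0;
}
```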

gdb_debug

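The main idea of the challenge is that it draws pseudo-random numbers and uses them for XOR and other encryption operations, then compares the result at the end. There are three places where random numbers are drawn.

1. `v28[i] = input ^ rand()`: it checks that the length is 38, then XORs the input with random numbers. I'm a bit confused here as to why the seed is `v3 = time(0LL); srand(v3 & 0xF0000000);` but the random numbers are pseudo-random??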

![image](assets/image-20240531190913-52wzho7.png)

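2. First ptr[i] is assigned values up to strlen(input), then swap(ptr[i], ptr[rand() % (i + 1)]). Note that this runs in reverse order, and note that there are 37 values for ptr here.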

![image](assets/image-20240531191448-55ivo58.png)

3. The two operations `v31[i] = v28[ptr[m]]` and `v31[i] ^= rand()`.

![image](assets/image-20240531192040-4falejr.png)

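4. Get the pseudo-random numbers through dynamic debugging, or write a script to get them. Because it is an ELF file, it has to be run in a Linux environment.

Dynamic debugging:

The first and second sets of random numbers need to be noted down. The third is a bit troublesome: since we don't know what rand() returns, we can only take v12 and the value of v31 after the XOR, then XOR the two to get the rand() value. This kind of dynamic debugging is still somewhat troublesome.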

(1)

![image](assets/image-20240531200837-7or27a9.png)

![image](assets/image-20240531200843-vd8bw1f.png)

![image](assets/image-20240531200828-lrvb82w.png)

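(2) Write a script to get the random numbers. Note here that there are 37 values for ptr.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(void)
{
  /* Same seeding as the binary: only the top 4 bits of the time are kept. */
  srand(time(NULL) & 0xF0000000);
  int r1[38];
  int r2[37];
  int r3[38];
  /* First batch: 38 values XORed with the input. */
  printf("r1[]={");
  for (int i = 0; i < 38; i++)
  {
    r1[i] = rand() % 256;
    printf("0x%x,", r1[i]);
  }
  /* Second batch: 37 draws for the shuffle. Keep the full value, because the
     binary reduces it with rand() % (i + 1); reducing it mod 256 first would
     give a different swap index. */
  printf("}\nr2[]={");
  for (int i = 0; i < 37; i++)
  {
    r2[i] = rand();
    printf("0x%x,", r2[i]);
  }
  /* Third batch: 38 values XORed into v31. */
  printf("}\nr3[]={");
  for (int i = 0; i < 38; i++)
  {
    r3[i] = rand() % 256;
    printf("0x%x,", r3[i]);
  }
  printf("}\n");
  return 0;
}
```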

![image](assets/image-20240531213745-oi63wq1.png)

5. Write the reversing script

```c
#include <stdio.h>

int main(void)
{
  int arr[38];
  int brr[38];
  int input[38];
  /* a[] and b[] are the values captured while debugging (v12 and v31 after
     the XOR); XORing them recovers the third batch of rand() values. */
  int a[] = {
      94, 30, 2, 68, 157, 32, 134, 99, 227, 214,
      182, 105, 24, 193, 153, 168, 188, 5, 121, 159,
      25, 110, 218, 76, 117, 174, 192, 185, 247, 122,
      149, 77, 23, 135, 148, 84, 191, 185};
  unsigned char b[] =
      {
          128, 180, 64, 184, 148, 200, 52, 101, 238, 69,
          215, 157, 60, 136, 140, 169, 107, 174, 125, 135,
          214, 135, 15, 218, 70, 100, 57, 147, 169, 144,
          184, 113, 131, 232, 172, 201, 231, 83};
  unsigned int random3[38];
  for (int i = 0; i < 38; i++)
  {
    random3[i] = a[i] ^ b[i];
  }
  /* First batch of rand() values (XORed with the input). */
  int random1[] = {0xd9, 0x0f, 0x18, 0xBD, 0xC7, 0x16, 0x81, 0xbe, 0xf8, 'J', 'e', 0xf2, ']', 0xab, 't', '3', 0xd4, 0xa5, 'g', 0x98, 0x9f, '~', '+', ']', 0xc2, 0xaf, 0x8e, ':', 'L', 0xa5, 'u', '%', 0xb4, 0x8d, 0xe3, '{', 0xa3, 'd'};
  /* Second batch: the 37 swap indices used by the shuffle. */
  int random2[] = {33, 0, 10, 0, 32, 31, 10, 29, 9, 24, 26, 11, 20, 24, 21, 3, 12, 10, 13, 2, 15, 4, 13, 10, 8, 3, 3, 6, 0, 4, 1, 1, 5, 4, 0, 0, 1};
  // int random3[] = {222, 170, 66, 252, 9, 232, 178, 6, 13, 147, 97, 244, 36, 73, 21, 1, 215, 171, 4, 24, 207, 233, 213, 150, 51, 202, 249, 42, 94, 234, 45, 60, 148, 111, 56, 157, 88, 234};
  unsigned char xordata[] = {0xBF, 0xD7, 0x2E, 0xDA, 0xEE, 0xA8, 0x1A, 0x10, 0x83, 0x73, 0xAC, 0xF1, 0x06, 0xBE, 0xAD, 0x88, 0x04, 0xD7, 0x12, 0xFE, 0xB5, 0xE2, 0x61, 0xB7, 0x3D, 0x07, 0x4A, 0xE8, 0x96, 0xA2, 0x9D, 0x4D, 0xBC, 0x81, 0x8C, 0xE9, 0x88, 0x78};
  char data[] = "congratulationstoyoucongratulationstoy";
  /* Rebuild the permutation: start from the identity and replay the swaps. */
  for (int i = 0; i < 38; i++)
  {
    arr[i] = i;
  }
  for (int k = 37; k; --k)
  {
    int v18 = random2[37 - k] % (k + 1);
    int v19 = arr[k];
    arr[k] = arr[v18];
    arr[v18] = v19;
  }
  /* Undo the XOR layers to recover the shuffled value, then undo the shuffle
     and the first XOR. */
  for (int i = 0; i < 38; i++)
  {
    brr[i] = random3[i] ^ data[i] ^ xordata[i];
    input[arr[i]] = random1[arr[i]] ^ brr[i];
  }
  for (int i = 0; i < 38; i++)
  {
    printf("%c", input[i]);
  }
  return 0;
}
```
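A round-trip model of steps 1 to 3, as an added example that is not the challenge's own code: it shows that the masked seed is identical for any two timestamps in the same 2^28-second window, so replaying `rand()` in the same order (38, 37, 38 draws) undoes the transform. The final comparison is left out, the byte truncation of `rand()` is an assumption, and all function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define N 38

/* Only the top 4 bits of the timestamp survive, so the seed stays constant for 2^28 s. */
static unsigned masked_seed(time_t t) { return (unsigned)t & 0xF0000000u; }

/* Draw the 37 swap indices and build the permutation, top index first. */
static void shuffle(int *ptr) {
    for (int i = 0; i < N; i++) ptr[i] = i;
    for (int k = N - 1; k; --k) {
        int j = rand() % (k + 1), t = ptr[k];
        ptr[k] = ptr[j]; ptr[j] = t;
    }
}

/* Steps 1-3 as the write-up describes them (assumed model of the binary). */
static void encrypt(time_t now, const unsigned char *in, unsigned char *out) {
    unsigned char v28[N]; int ptr[N];
    srand(masked_seed(now));
    for (int i = 0; i < N; i++) v28[i] = in[i] ^ (unsigned char)rand();
    shuffle(ptr);
    for (int i = 0; i < N; i++) out[i] = v28[ptr[i]] ^ (unsigned char)rand();
}

/* Replay the same draws in the same order, then undo the steps back to front. */
static void decrypt(time_t now, const unsigned char *enc, unsigned char *out) {
    unsigned char r1[N]; int ptr[N];
    srand(masked_seed(now));
    for (int i = 0; i < N; i++) r1[i] = (unsigned char)rand();
    shuffle(ptr);
    for (int i = 0; i < N; i++)
        out[ptr[i]] = enc[i] ^ (unsigned char)rand() ^ r1[ptr[i]];
}

/* Encrypt at t_enc, decrypt at t_dec; returns 1 when the input is recovered. */
static int roundtrip_ok(time_t t_enc, time_t t_dec, const char *msg) {
    unsigned char enc[N], dec[N];
    encrypt(t_enc, (const unsigned char *)msg, enc);
    decrypt(t_dec, enc, dec);
    return memcmp(dec, msg, N) == 0;
}

int main(void) { /* constructed 38-byte input; the two timestamps are a day apart */
    const char *msg = "constructed_38_byte_sample_input_0001!";
    puts(roundtrip_ok(1717113600, 1717200000, msg) ? "recovered" : "mismatch");
    return 0;
}
```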

whereThel1b

I've never seen this kind of challenge before... Two files are given: one is a .py file and the other is a .so file.

![image](assets/image-20240531220854-5mxvmbt.png)

Method 1:

Have GPT rewrite it into more readable code

```python
import base64
import random

def trytry(*args, **kwargs):
    if len(args) == 1 and 'pla' not in kwargs:
        pla = args[0]
    elif 'pla' in kwargs:
        pla = kwargs['pla']
    else:
        raise TypeError("trytry() takes exactly 1 positional argument (or 'pla' keyword argument)")

    if not isinstance(pla, str):
        raise TypeError("Expected a string")

    # Base64 encode the input string
    encoded = base64.b64encode(pla.encode()).decode()
    print(f"Base64 encoded string: {encoded}")

    # Get the random module and call its seed method
    random.seed()

    # Example sequence to demonstrate random.choice
    sequence = list(range(10))  # Example sequence from 0 to 9
    random_element = random.choice(sequence)
    print(f"Random element from sequence: {random_element}")

    # Constructing and returning a result for demonstration
    result = whereistheflag1(pla)
    return result

def whereistheflag1(pla):
    encoded = base64.b64encode(pla.encode()).decode()
    print(f"Base64 encoded string in whereistheflag1: {encoded}")

    sequence = list(range(10))
    random_element = random.choice(sequence)
    print(f"Random element from sequence in whereistheflag1: {random_element}")

    return {
        "encoded": encoded,
        "random_element": random_element
    }

# Example usage
pla = "example string"
result = trytry(pla)
print(result)
```

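The rewritten trytry is shown above. The main operations are: first Base64-encode, then XOR with random numbers, where the seed of the random numbers is the time (this feels a bit like guessing...). The idea of the decryption script is to XOR with the random numbers first, then Base64-decode.

This is the decryption script:

```python
import random
import base64

enc = [108, 117, 72, 80, 64, 49, 99, 19, 69, 115, 94, 93, 94, 115, 71, 95, 84, 89, 56, 101, 70, 2, 84, 75, 127, 68, 103, 85, 105, 113, 80, 103, 95, 67, 81, 7, 113, 70, 47, 73, 92, 124, 93, 120, 104, 108, 106, 17, 80, 102, 101, 75, 93, 68, 121, 26]

# Fixed seed, so the XOR keystream is reproducible.
random.seed(0)

# Undo the XOR first: one random value per byte, drawn in order.
for i in range(len(enc)):
    enc[i] ^= random.randint(0, len(enc))

# What remains is the Base64 text of the flag.
flag = base64.b64decode(bytes(enc))
print(flag)
```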