iscc2023_reversewp

Reverse

easyctf2

安卓apk 打开看 image.png jeb 反编译找到MainActivity

image.png 进入zzsence方法 image.png image.png 编写脚本

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Ciphertext. The values are written in mixed forms (hex, negative and
# sign-extended ints), so each one is masked down to a single unsigned byte.
ciphertext_values = [0x7F, 41, 0x20, -23, 53, 0xFFFFFF8F, -59, 0x9A, 5, 16, 52, 0xBC, 91, 150, 43, 0xA3, 140, 170, 0x9E, 36, 0x91, 140, 0xD3, 17, 18, 0x4F, 200, 0xB1, 0x7A, 78, 0xDB, 0xF7]
ciphertext = bytes(v & 0xFF for v in ciphertext_values)

# Key: 16 signed byte values, masked the same way.
key_values = [-95, 109, 22, -2, 26, -6, 48, 95, -41, 126, 94, -98, -20, 107, -97, -35]
key = bytes(v & 0xFF for v in key_values)

# IV: the even numbers 0, 2, ..., 30 (16 bytes).
iv = bytes(range(0, 32, 2))

# NOTE(review): key, IV and ciphertext appear to come straight from the
# decompiled APK; constants shipped inside a client can be read by anyone who
# decompiles it, so this encryption does not keep the flag secret.
cipher = AES.new(key, AES.MODE_CBC, iv)

# Decrypt, strip the padding, then decode the plaintext as UTF-8.
padded_plaintext = cipher.decrypt(ciphertext)
plaintext = unpad(padded_plaintext, AES.block_size).decode("utf-8")
print(plaintext)

#flag{jsdg632t12}

crackme

使用c# 工具反编译出

// CrackmeApp, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// CrackmeApp.Form1
using System;
using System.ComponentModel;
using System.Drawing;
using System.Windows.Forms;
using CrackmeApp;

/// <summary>
/// Decompiled main window of the crackme: one text box, one button, and a
/// click handler that validates the typed text against constants embedded in
/// the binary. All UI strings are stored obfuscated and decoded at run time
/// by <see cref="b"/>.
/// </summary>
public class Form1 : Form
{
private IContainer components;

private Button button1;

private TextBox textBox1;

public Form1()
{
InitializeComponent();
}

/// <summary>
/// Validates the text typed by the user. The text must be exactly 10
/// characters long; each character is transformed and compared with the
/// matching entry of a constant table, and a message box reports the result.
/// </summary>
/// <remarks>
/// The comparison table and the whole transform live in the client, and the
/// transform works on one character at a time, so the expected input can be
/// recovered offline from the constants alone.
/// </remarks>
private void button1_Click(object sender, EventArgs e)
{
// Key passed to the string decoder b() for every literal in this method.
int a_ = 2;
// Expected per-character values after the transform below.
int[] array = new int[10] { 123, 148, 62, 53, 24, 116, 244, 126, 63, 90 };
// Looks up a control by its (decoded) name and reads its text.
// NOTE(review): presumably the name decodes to the text box's name - confirm.
string text = ((TextBox)base.Controls.Find(Form1.b("戕紗戙栛尝伟娡ᔣ", a_), searchAllChildren: false)[0]).Text;
int[] array2 = new int[10];
int[] array3 = new int[10];
if (text.Length == 10)
{
for (int i = 0; i < text.Length; i++)
{
array2[i] = text[i];
// b  = low 3 bits of the character.
byte b = (byte)((uint)array2[i] & 7u);
// b2 = the character shifted right by 3, truncated to one byte.
byte b2 = (byte)((uint)(array2[i] >> 3) & 0xFFu);
// For characters below 256 this is an 8-bit rotate right by 3.
array3[i] = (b << 5) | b2;
// Final step: XOR with the constant 18 before comparing.
array3[i] ^= 18;
if (array3[i] != array[i])
{
// First mismatch: show the decoded failure message and stop.
MessageBox.Show(Form1.b("䄕樗甙爛礝ğ", a_));
return;
}
}
// All 10 characters matched: show the decoded success message.
MessageBox.Show(Form1.b("䔕洗礙缛笝匟儡ԣ", a_));
}
else
{
// Wrong length: same decoded message as a character mismatch.
MessageBox.Show(Form1.b("䄕樗甙爛礝ğ", a_));
}
}

/// <summary>
/// Disposes the component container when called with disposing == true,
/// then defers to the base implementation.
/// </summary>
protected override void Dispose(bool disposing)
{
if (disposing && components != null)
{
components.Dispose();
}
base.Dispose(disposing);
}

/// <summary>
/// Builds the form: creates the button and the text box, sets their
/// position, size and tab order, wires the click handler and adds both
/// controls to the form. Names and captions are decoded through b().
/// </summary>
private void InitializeComponent()
{
// Key passed to b() for the literals in this method (differs from the
// key used in button1_Click).
int a_ = 9;
this.button1 = new System.Windows.Forms.Button();
this.textBox1 = new System.Windows.Forms.TextBox();
base.SuspendLayout();
this.button1.Location = new System.Drawing.Point(88, 163);
this.button1.Name = CrackmeApp.Form1.b("缜樞唠圢䨤䤦ᠨ", a_);
this.button1.Size = new System.Drawing.Size(110, 27);
this.button1.TabIndex = 0;
this.button1.Text = CrackmeApp.Form1.b("帜猞䠠䀢两樦䰨", a_);
this.button1.UseVisualStyleBackColor = true;
// The validation routine runs on every click of the button.
this.button1.Click += new System.EventHandler(button1_Click);
this.textBox1.Location = new System.Drawing.Point(56, 67);
this.textBox1.Name = CrackmeApp.Form1.b("検稞夠圢朤䠦儨ᨪ", a_);
this.textBox1.Size = new System.Drawing.Size(184, 21);
this.textBox1.TabIndex = 1;
base.ClientSize = new System.Drawing.Size(284, 262);
base.Controls.Add(this.textBox1);
base.Controls.Add(this.button1);
base.Name = CrackmeApp.Form1.b("嬜瀞匠丢ᐤ", a_);
this.Text = CrackmeApp.Form1.b("帜洞䀠䀢两樦䰨", a_);
base.ResumeLayout(false);
base.PerformLayout();
}

/// <summary>
/// Decodes an obfuscated string literal. A running counter starts at
/// 320078560 + A_1 + 51; for every character the low byte is XORed with the
/// counter and the high byte with the counter's next value (the counter
/// advances twice per character), then the two resulting bytes are swapped
/// and written back as the decoded character.
/// </summary>
/// <param name="A_0">The obfuscated literal.</param>
/// <param name="A_1">Per-call-site key added to the counter's start value.</param>
/// <returns>The decoded string, interned.</returns>
internal static string b(string A_0, int A_1)
{
char[] array = A_0.ToCharArray();
int num = 320078560 + A_1 + 51;
// num2 is the character index. The goto/label layout below is the
// decompiler's rendering of a loop over the array; this first test is
// false on entry because num2 is 0.
int num2 = 0;
if (num2 >= 1)
{
goto IL_001a;
}
goto IL_004d;
// Loop condition: stop once every character has been processed.
IL_004d:
if (num2 >= array.Length)
{
return string.Intern(new string(array));
}
goto IL_001a;
// Loop body: decode one character in place.
IL_001a:
int num3 = num2;
char num4 = array[num3];
// Low byte XOR counter, then high byte XOR the incremented counter.
byte b = (byte)((num4 & 0xFFu) ^ (uint)num++);
byte b2 = (byte)(((int)num4 >> 8) ^ num++);
// Swap the two decoded bytes before recombining them.
byte num5 = b2;
b2 = b;
b = num5;
array[num3] = (char)((b2 << 8) | b);
num2++;
goto IL_004d;
}
}

校验是逐字符进行的:取字符低 3 位左移 5 位,与字符右移 3 位的结果按位或(对 ASCII 字符相当于 8 位循环右移 3 位),再异或 18 后与常量数组比较。各字符互不影响,用 python z3 模块一键梭哈

from z3 import *

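# Expected table from the decompiled click handler, with its final XOR 18
# already undone.
arr3 = [x ^ 18 for x in [123, 148, 62, 53, 24, 116, 244, 126, 63, 90]]

s = Solver()
# One 8-bit symbolic value per input character; the check requires length 10.
flag_value = [BitVec(("%d" % i), 8) for i in range(10)]
for i in range(10):
    # LShR is a logical right shift. Plain >> on a z3 bit-vector is an
    # arithmetic shift, which would sign-extend any byte with its top bit set
    # and no longer model the original (c >> 3) & 0xFF.
    s.add((((flag_value[i] & 7) << 5) | (LShR(flag_value[i], 3) & 255)) == arr3[i])

flag = ""
if s.check() == sat:
    model = s.model()
    # Variables are named "0".."9"; sort numerically to restore input order.
    sorted_keys = sorted(model, key=lambda x: int(x.name()))
    for key in sorted_keys:
        value = model[key].as_long()
        char = chr(value)
        flag += char
        print(f"{key} = {char}")
else:
    print("No solution")
print("\n[+]-->\t\t" + flag, end="")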
#[+] flag-->> K4a9P37ciB

cpp

image.png 一段 key 和enc[abi:cxx11] 进行判断

enc[abi:cxx11], "#!'"''%+-&##"&'."

image.png image.png 加密逻辑是输入逐字节与 key 异或后和 enc 比较,z3 一把梭哈

from z3 import *

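# Key bytes that are XORed with the input, one per position.
arr3 = [18, 19, 20, 22, 18, 17, 18, 19, 20, 22, 18, 17, 17, 18, 18, 24]

# Bytes of the enc string the XOR result is compared against.
arr1 = [0x23, 0x21, 0x27, 0x22, 0x27, 0x27, 0x25, 0x2B, 0x2D, 0x26, 0x23, 0x23, 0x22, 0x26, 0x27, 0x2E]
print(len(arr1))

s = Solver()
# One 8-bit symbolic value per input byte (16 in total, matching arr1).
flag_value = [BitVec(("%d" % i), 8) for i in range(16)]
for i in range(16):
    # input[i] XOR key[i] must equal enc[i].
    s.add((flag_value[i] ^ arr3[i]) == arr1[i])

flag = ""
if s.check() == sat:
    model = s.model()
    # Variables are named "0".."15"; sort numerically to restore input order.
    sorted_keys = sorted(model, key=lambda x: int(x.name()))
    for key in sorted_keys:
        value = model[key].as_long()
        char = chr(value)
        flag += char
        print(f"{key} = {char}")
else:
    print("No solution")
print("\n[+]-->\t\t" + flag, end="")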



#[+]--> flag 1234567890123456

image.png


iscc2023_reversewp
https://huajien.gitee.io/2023/59627/
作者
HUAJI
发布于
2023年7月8日