NSSCTF Round17 Reverse & Crypto WriteUp(全)

NSSCTF Round17 Reverse & Crypto WriteUp(全)

Reverse

一. snake

  • go1.19写的,直接找到main函数,下断点动调

  • 以下为输入函数(输入wasd):

  •   for ( i = 0LL; i < 1; i = v11 + 1 )
      {
        v11 = i;
        snake_pkg_app_Run();
        v22 = v1;
        v3 = runtime_convT64();
        *(_QWORD *)&v22 = &unk_50C3C0;
        *((_QWORD *)&v22 + 1) = v3;
        fmt_Fprintf();
      }
    
  • 这里找到汇编代码,直接patch

  • .text:0000000000503301
    .text:0000000000503301 loc_503301:
    .text:0000000000503301 cmp     rax, 1
    .text:0000000000503305 jl      short loc_50328D
    
    
    
  • 以下为输出及check函数

  •   if ( i == 1 && !qword_5C9E78 )
      {
        v20 = &unk_50CB00;
        v21 = &off_545D98;
        fmt_Fprintln();
        v18 = snake_pkg_game_All_rand;
        v4 = qword_5C9E78;
        v13 = qword_5C9E78;
        v5 = 0LL;
        v6 = 0LL;
        while ( v5 < v4 )
        {
          v12 = v5;
          v17 = v6;
          v23 = v1;
          v7 = runtime_convT64();
          *(_QWORD *)&v23 = &unk_50C3C0;
          *((_QWORD *)&v23 + 1) = v7;
          fmt_Sprintf();
          v8 = runtime_concatstring2();
          v4 = v13;
          v9 = v8;
          v5 = v12 + 1;
          v6 = v9;
        }
        *((_QWORD *)&v14 + 1) = *((_QWORD *)&v1 + 1);
        sub_4BF36B();
        *((_QWORD *)&v14 + 1) = 0x1032547698BADCFELL;
        v15 = -1009589776;
        v16 = v1;
        runtime_stringtoslicebyte();
        crypto_sha1___digest__Write();
        crypto_sha1___digest__Sum();
        v19 = v1;
        v10 = runtime_convTslice();
        *(_QWORD *)&v19 = &unk_50BAC0;
        *((_QWORD *)&v19 + 1) = v10;
        fmt_Fprintf();
      }
    
  • 把score为400改成0:

  • .text:000000000050330D cmp     cs:qword_5C9E78, 0
    .text:0000000000503318 jnz     short loc_50338B
    
  • 然后一直动调到最后就行

  • flag{da39a3ee5e6b4b0d3255bfef95601890afd80709}

二. can_can_need_pxory

  • 解包后反编译

  • # uncompyle6 version 3.9.0
    # Python bytecode version base 3.6 (3379)
    # Decompiled from: Python 3.6.12 (default, Feb  9 2021, 09:19:15) 
    # [GCC 8.3.0]
    # Embedded file name: can_can_need_pxory.py
    print('ccccccccccccccccccccccccccccccccccc!')
    print('D0 U know C?')
    print('\n#include \nv01d bnssst(int FTC[], int lenggggggg) {\n    int i, j, SSN;\n')
    print('This is CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC')
    print('6L+Z5piv5L2g6KaB55qEZmxhZ+WQl++8nwpOU1NDVEZ7YjVlMzlkMDktODg3Yy1hZGI0LTE4OWMtMWI0OGEwNWJmOTY2fQ==')
    A = {'flag': 'NSSCTF{a81c0d5e-ec6d-2b80'}
    print('\n                SSN = FTC[j];\n                printf("flag");\n            }\n}\nint mian() {\n    int FTC[] = [ -,\n')
    print('ccccccccccccccccccc')
    print('\nb, 2, 6, 7, -, d, 5, 8, 4, -, 6, 8, 7, 4, -, f, 1, 2, 6, e, 3, a, 5, 1, 0, 6, 1, }];\n    int lenggggggg = (int) sizeof(FTC) / sizeof(*FTC);\n    bnsScrt(FTC, lenggggggg);\n    int i;\n    for (i = 0; i < lenggggggg; i++)\n        printf("%d ", FTC[i]);\n    remake 0;\n}\n')
    print('----------------------------------------------------')
    import base64
    flag = '************************************'
    r = ''
    for x in range(len(flag)):
        if (x + 1) % 4 == 0:
            res = str(ord(chr(ord(flag[x]) ^ 2421)))
        else:
            res = str(ord(chr(ord(flag[x]) << 6 << 7 >> 2 >> 1 ^ 92)))
        r = r + res + ','
    
    print(base64.b64encode(base64.b16encode(base64.b32encode(r.encode('utf-8')))).decode('utf-8'))
    
  • 写脚本

  • r='NDc1NTMyNTQ0NzRGNDI1OTQ2NTEzMjU0NDc0RDVBNTU0NzQxNTc0NDQzNEQ0QTUzNDczNDVBNTQ0NTRDNDI1MzQ3NEQ1OTU0NEQ0QzQyNTI0NzQ1MzM1NDUxNEU0QTUzNDY1MTMyNDQ1MzRENTI1NTQ3NTE1NzQ0NEI0RDRBNTM0ODQ1NUE0MzU5NEQ1MjU0NDczNDM0NDM1OTRFNDI1NzQ3NDUzMzU0NDU0QzQyNTI0NzQxMzM1NDRENEQ0QTUzNDY1MTU5NTQ0MzRGNDI1OTQ3MzQzMzQzNTk0RDUyNTQ0NzQ5MzM0MzU5NEQ0QTUyNDczNDM0NDQ0QjRENTI0RDQ3NTEzMzQ0NDM0RTVBNTM0NjUxNTk1NDQ1NEQ0MjVBNDc0OTMyNDM1OTRENTI1NDQ3NEQ1OTQzNTk0RDRBNTI0NzU5MzQ0NDQ1NEY0MjRENDc0NTVBNDQ0NzRGNEE1QTQ3NTk1NzQ0NDk0RTUyNTI0NzM0NUE0MzU5NEQ1MjU0NDc0OTM0NTM1OTRENEE1MjQ4NDUzNDU0NDE0RDQyNEQ0NzQ1NTk1NDQ1NEU1QTU0NDc0OTU3NDQ0MzRENEE1MzQ3MzQ1QTU0NDU0QzQyNTM0NzREMzQ0NDRENEM0MjUyNDc0OTVBNTQ1MzRGNEE1NzQ2NTEzMjU0NDE0RDUyNTc0ODQxNTc0NDRCNEY0MjU1NDc1OTU5NDM1OTRENTI1NDQ3NDUzNDUzNTk0RDRBNTM0NzREMzQ1NDUzNEU1MjRENDc0NTU5NDQ0MzRFNDI1NzQ4NDE1NzQ0NDM0RDUyNTQ0ODQ1MzQ1NDRENEM0MjUzNDc0RDU5NTQ1MzRDNDI1NTQ4NDU1QTQ0NDk0RTQyNEQ0NzU1MzM1NDQ5NEQ1QTU3NDY1MTMyNTQ0RDRFNDI1MjQ3NDk1NzQ0NDU0RDVBNTQ0NzQ1NTc0MTNEM0QzRDNE'
    rr=base64.b32decode(base64.b16decode(base64.b64decode(r.encode('utf-8')))).decode('utf-8')
    print(rr)
    rr=[55388,53340,112732,2316,117852,49244,51292,2378,46172,107612,118876,2326,117852,46172,120924,2330,116828,123996,46172,2329,119900,112732,112732,2386,123996,50268,58460,2319,123996,101468,123996,2319,49244,57436,56412,2331]
    
    for s in range(36):
        for i in range(32, 128):
            if (s + 1) % 4 == 0:
                res = ord(chr(i ^ 2421))
            else:
                res = ord(chr(i << 6 << 7 >> 2 >> 1 ^ 92))
    
            if res == rr[s]:
                print(chr(i), end='')
    
    
  • 得到64nys02?-itcs-vory-lunn’y19zycyz087n

  • 还是不对的,我看到very和itis这两个词,然后猜了一下,发现是异或10,然后就得到

  • NSSCTF{64nss025-itis-very-funn-y19pycyp087d}

  • 纯纯谜语题,不做评价

Crypto

一. Level1

  • 签到,共模攻击

  • import libnum
    import gmpy2
    
    n = 22517647586235353449147432825948355885962082318127038138351524894369583539246623545565501496312996556897362735789505076324197072008392656511657262430676945685471397862981216472634785622155317188784494912316440866051402627470561626691472280850273482836308002341429493460677206562201947000047718275995355772707947408688836667011206588727438261189233517003341094758634490421007907582147392858070623641389171229435187248184443645883661560636995548332475573072064240073037558031928639832259001407585962782698021735648128101459118863015844905452823095147248865104102562991382119836061161756978764495337874807458182581421229
    c1 = 1432393096266401187029059077791766305797845826173887492889260179348416733820890797101745501984437201566364579129066414005659742104885321270122634155922766503333859812540068278962999824043206496595825886026095484801291802992082454776271149083516187121160475839108002133113254134626407840182541809478892306748590016896975053434021666376203540725254480252049443975835307793528287818262102688334515632062552114342619781840154202525919769192765621085008206581226486157149883898548933475155236509073675387541466324512294079413938239828341890576923100769181401944289365386552139418728492565319685207500539721582552448971814
    c2 = 13299679392897297864252207869444022461237574801991239380909482153705185317634241850084078027230394830079554676426505967970943836811048777462696506309466535820372917756458083553031417406403895116557560548183674144457502601887632495739472178857537011190162283185735114683172731936834993707871636782206418680404006299140864001776588991141011500807549645227520128216130966268810165946959810884593793452437010902774726405217517557763322690215690606067996057037379898630878638483268362526985225092000670251641184960698506349245915816808028210142606700394584541282682338561482561343076218115042099753144875658666459825545602
    e1 = 155861690390761931560700906834977917646203451142415617638229284868013723431003139974975998354830978765979365632120896717380895021936387027045347260400512396388028781862427862974453223157509702913026222541667006325100878113871620322023188372501930117363623076837619478555007555970810681502521309925774889678793
    e2 = 144471983652821947847253052623701746810204736865723159569786739658583884214397562204788127484897909964898113250509653721265240138487697822089282456150238116811225975640330930854549232972314642221382625614304415750165289831040623741828600283778523993251940904896081111235859249916040849697146542311990869696453
    
    def exp_def(e1,e2,c1,c2,n):
        s,s1,s2 = gmpy2.gcdext(e1, e2)
        m = (pow(c1,s1,n) * pow(c2 ,s2 ,n)) % n
        return int(m)
    
    m=exp_def(e1,e2,c1,c2,n)
    print(libnum.n2s(m))
    
  • NSSCTF{Y0u_Hav3_S01v3d_Crypt0_Leve1_i}

二.Level2

  • 读取文件,猜e=65537

  • f=open("C:\\Users\\lenovo\\Desktop\\ps.txt")
    data = f.readlines()
    f.close()
    for i in range(len(data)):
        p=int(data[i],10)
        q=145721736470529261146573065574028992352505611489859183763269215489708531333597694809923949026781460438320576519639268582565188719134157402292313959218961804213310847081787824780075530751842057663327444602428455144829447776271394663729996984613471623158126083062443634493708467568220146024273763894704649472957
        c=17441814714407189483380175736850663249578989775568187792928771544069162420510939242665830363276698262009780462912108642025299275146709817979705069095332726251759039923303627023610865046363171692163473939115438686877494878334016463787558794121885354719336139401336137097548305393030069499625065664884238710759260231321106291200849044147840392021931720902340003746946851806025722944795391356835342258387797980787437188976704677008092850181043891802072500430200735973581081228711070923822341261809453662427341958883142789220800541626034573952425948295446202775198692920613709157662831071515700549093766182579873408465779
        e=65537
        n=p*q
        phi=(p-1)*(q-1)
        d=inverse(e,phi)
        m=long_to_bytes(pow(c,d,n))
        if b'NSSCTF{' in m:
            print(m)
    
  • NSSCTF{Y0u_g0t_1t!!!}

三. Level3

  • 利用pwn库写个交互脚本

  • from pwn import *
    from Crypto.Util.number import *
    def func(a, b):
        if a == 0:
            return b, 0, 1
        else:
            g, x, y = func(b % a, a)
            return g, y - (b // a) * x, x
    
    io = remote("node1.anna.nssctf.cn",28458)
    for i in range(666):
        lines = io.recvuntil("Pl Give Me flaag :").decode().split('\n')
        
        if i < 2:
            n=int(lines[12].split('=')[1])
            e1=int(lines[13].split('=')[1])
            e2=int(lines[14].split('=')[1])
            c1=int(lines[15].split('=')[1])
            c2=int(lines[16].split('=')[1])
        elif i >=2:
            n=int(lines[13].split('=')[1])
            e1=int(lines[14].split('=')[1])
            e2=int(lines[15].split('=')[1])
            c1=int(lines[16].split('=')[1])
            c2=int(lines[17].split('=')[1])
        g, b1, b2 = func(e1, e2)
    
        if g != 1:
            raise ValueError("e1 and e2 are not coprime")
    
        m = pow(c1, b1, n) * pow(c2, b2, n) % n
        flag = long_to_bytes(m)
        io.sendline(flag.decode("utf-8"))
        print(f"count{i}")
    io.recvuntil("You get flag!")
    print(io.recvlines(2))
    #NSSCTF{220b5065-4e42-47b2-ac83-6656d77fa102}
    
    
  • NSSCTF{220b5065-4e42-47b2-ac83-6656d77fa102}

你可能感兴趣的:(安全,CTF,NSSCTF)