Rev_Dizzy

1.ida分析

 祥云杯2021_逆序

分析得出对输入的每个字节都进行了运算,然后跟特定数据比较。

2.解题思路

只要把待比较的数据作为输入,把运算按相反的顺序再执行一遍就行了,利用py脚本把运算语句的顺序颠倒过来。

py脚本:

 

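# Write the lines of d.txt (operations in forward order) to dd.txt in reverse
# order, so the per-byte operations can be replayed backwards.
# Raw strings: the paths contain backslashes ("\桌", "\祥") that are not valid
# escape sequences; the resulting path values are unchanged.
src_path = r'D:\桌面\祥云\re\d.txt'   # forward order
dst_path = r'D:\桌面\祥云\re\dd.txt'  # reversed order

num_row = 5000  # not used anywhere in this script

# Context managers close both handles, so dd.txt is flushed even if an
# exception is raised part-way through.
with open(src_path, 'r') as f1, open(dst_path, 'w') as f2:
    readstr = f1.readlines()
    print(readstr)
    writestr = readstr[::-1]
    # If the input's last line has no trailing newline it would be glued to
    # the line that follows it after reversal; terminate it first.
    if writestr and not writestr[0].endswith('\n'):
        writestr[0] += '\n'
    print(writestr)
    f2.writelines(writestr)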

 

最后得出flag:flag{Try_R3vers1ng_W1th_ScR!pt!}

勒索解密

1.ida分析

祥云杯2021_特殊数据_02

 

 

 

祥云杯2021_特殊数据_03

 

祥云杯2021_d3_04

 

 

 

祥云杯2021_i++_05

 

 

通过调试得出加密流程为:对特殊数据做 SHA-256 哈希,由哈希值派生出 AES-128 密钥,再用该密钥对文件进行 AES-128 加密。

爆破时间(参考天璇的wp):用于派生密钥的特殊数据共 16 字节,其中只有第三个 DWORD(时间戳)未知,因此枚举时间戳,并以解密出的首块是否以 BMP 文件头“BM”开头来判断是否命中。

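/*
 * Recover the unknown 32-bit word of the key material by exhaustive search.
 *
 * The key material is four DWORDs: three fixed constants plus key[2], which
 * is tried for every value in [1629097200, 1629553539).  For each candidate
 * the 16 bytes are hashed (algorithm id 0x800C, CALG_SHA_256), a key is
 * derived from the hash (algorithm id 0x660E, CALG_AES_128) and the first
 * 16-byte block of G:\flag.bmp.ctf_crypter is decrypted.  The first candidate
 * whose plaintext starts with the BMP signature "BM" is printed in hex.
 *
 * Only 32 bits of the key material are unknown and the search window is
 * under 2^19 values, which is why the key can be recovered at all.
 *
 * Prints "error0" and returns if no crypto provider can be acquired; reports
 * on stderr and returns if the input cannot be opened or is shorter than one
 * block.
 */
void decrypt_test(void) {
    enum { BLOCK_LEN = 16 };

    DWORD32 key[4] = { 0x0EC62FB2, 0x4B54D44F, 0, 0x8EB1E721 };
    BYTE first_block[BLOCK_LEN];
    FILE *f = NULL;
    HCRYPTPROV prov = 0;
    int mode = 1;
    size_t got;

    /* Only the first cipher block is needed for the signature test. */
    if (fopen_s(&f, "G:\\flag.bmp.ctf_crypter", "rb") != 0 || f == NULL) {
        fprintf(stderr, "cannot open input file\n");
        return;
    }
    got = fread(first_block, 1, sizeof first_block, f);
    fclose(f);
    if (got != sizeof first_block) {
        fprintf(stderr, "input file shorter than one block\n");
        return;
    }

    /* The provider does not depend on the candidate: acquire it once instead
     * of leaking one context per iteration. */
    if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
        printf("error0\n");
        return;
    }

    /* Lower bound is 2021/08/16 15:00:00; upper bound is the time the search
     * was written ("current time" in the original write-up). */
    for (int i = 1629097200; i < 1629553539; i++) {
        HCRYPTHASH hash = 0;
        HCRYPTKEY aesKey = 0;
        DWORD length = BLOCK_LEN;
        BYTE head[32];
        int found = 0;

        key[2] = (DWORD32)i;
        memset(head, 0, sizeof head);
        memcpy(head, first_block, BLOCK_LEN);

        if (CryptCreateHash(prov, 0x800Cu, 0, 0, &hash)) {
            if (CryptHashData(hash, (const BYTE *)key, 0x10u, 0) &&
                CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey)) {
                /* Parameter 4 is KP_MODE (1 = CRYPT_MODE_CBC) and parameter 3
                 * is KP_PADDING (1 = PKCS5_PADDING).  A failed call skips the
                 * candidate so undecrypted bytes are never tested. */
                if (CryptSetKeyParam(aesKey, 4u, (const BYTE *)&mode, 0) &&
                    CryptSetKeyParam(aesKey, 3u, (const BYTE *)&mode, 0) &&
                    CryptDecrypt(aesKey, 0, 0, 0, head, &length)) {
                    /* Two known bytes accept a wrong key with probability
                     * 2^-16 per candidate, so a hit should be confirmed by
                     * decrypting and inspecting the whole file. */
                    found = (head[0] == 'B' && head[1] == 'M');
                }
                CryptDestroyKey(aesKey);
            }
            CryptDestroyHash(hash);
        }

        if (found) {
            printf("%x", (unsigned int)i);
            break;
        }
    }

    CryptReleaseContext(prov, 0);
}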

解密文件(参考于天璇的wp)

void decrypt(void) {

    DWORD32 key[4] = { 0x0EC62FB2,0x4B54D44F,1629098245,0x8EB1E721 };
    FILE *f;
    int mode;
    fopen_s(&f, "G:\\flag.bmp.ctf_crypter", "rb");
    BYTE *cipher = (BYTE*)malloc(0xd6830);
    int totalLength = 0xd6830;
    DWORD blockLen = 16;
    memset(cipher, 0, totalLength);
    fread(cipher, sizeof(char), totalLength, f);
    HCRYPTPROV prov = NULL;
    HCRYPTHASH hash;
    HCRYPTKEY aesKey;
    if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {

        printf("error0\n");
    }
    CryptCreateHash(prov, 0x800Cu, 0, 0, &hash);
    CryptHashData(hash, (const BYTE*)key, 0x10u, 0);
    CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey);
    mode = 1;
    CryptSetKeyParam(aesKey, 4u,(const BYTE*)&mode, 0);
    CryptSetKeyParam(aesKey, 3u,(const BYTE*)&mode, 0);
    for (int i = 0; i < totalLength; i += 16) {

        CryptDecrypt(aesKey, 0, 0, 0, cipher + i, &blockLen);
    }
    FILE* out;
    fopen_s(&out, "G:\\dec.bmp", "wb");
    fwrite(cipher, 1, totalLength, out);
    printf("");