2020 网鼎杯

昨日公布结果,应该可以把Write up放出来啦~ 自己还是好菜…….

bang

2018年的梆梆加固免费版

找到个工具可以脱https://github.com/hluwa/FRIDA-DEXDump

脱壳得一个dex,用JEB3 直接可以打开,发现flag

flag{borring_things}

jocker

omg解出来一个假的flag,真正flag在

encrypt函数经历了代码自修改

IDA patch脚本:

import ida_bytes

ida_bytes buf = map(ord, ida_bytes.get_bytes(0x0401500, 186))
buf = map(lambda x: x ^ 0x41, buf) ida_bytes.patch_bytes(0x0401500,str(bytearray(buf)))

Patch完发现是个简单异或

这里解出前半段 ,后半段在finally

这里猜了一下应该也是简单异或,直接拿最后一个异或‘}’,得到71,然后全部异或71

拿到flag

def omg(flag):
    for i in range(24):
        if i & 1:
            flag[i] += i
        else:
            flag[i] ^= i
    print(''.join(list(map(chr, flag))))


find_me = list(map(ord, "hahahaha_do_you_find_me?"))

cmp = [0x66, 0x6B, 0x63,
       0x64, 0x7F,
       0x61, 0x67, 0x64,
       0x3B, 0x56,
       0x6B, 0x61, 0x7B,
       0x26, 0x3B,
       0x50, 0x63, 0x5F,
       0x4D, 0x5A,
       0x71, 0x0C, 0x37,
       0x66]

# print(len(cmp))

omg(cmp)

real = [0x0E, 0x0D, 0x09,
        0x06, 0x13,
        0x05, 0x58, 0x56,
        0x3E, 0x06,
        0x0C, 0x3C, 0x1F,
        0x57, 0x14,
        0x6B, 0x57, 0x59,
        0x0D]

for i in range(len(real)):
    real[i] ^= find_me[i]


print(''.join(list(map(chr, real))), end="")

v3 = ['0'] * 5
v3[0] = '%'
v3[1] = 't'
v3[2] = 'p'
v3[3] = '&'
v3[4] = ':'


for i in range(len(v3)):
    print(chr(ord(v3[i]) ^ 71), end="")

flag{d07abccf8a410cb37a}

singal

IDA 打开,主逻辑是个虚拟机,观察了一下,主流程就是加减乘除异或,最后进行对比,那么直接模拟流程,用z3暴力解即可

from z3 import *
x = [BitVec("x%d" % i, 8) for i in range(15)]
res = x[:]
op = [0x0000000A, 0x00000004, 0x00000010, 0x00000008, 0x00000003, 0x00000005, 0x00000001, 0x00000004, 0x00000020, 0x00000008, 0x00000005, 0x00000003, 0x00000001, 0x00000003, 0x00000002, 0x00000008, 0x0000000B, 0x00000001, 0x0000000C, 0x00000008, 0x00000004, 0x00000004, 0x00000001, 0x00000005, 0x00000003, 0x00000008, 0x00000003, 0x00000021, 0x00000001, 0x0000000B, 0x00000008, 0x0000000B, 0x00000001, 0x00000004, 0x00000009, 0x00000008, 0x00000003, 0x00000020, 0x00000001, 0x00000002, 0x00000051, 0x00000008, 0x00000004, 0x00000024, 0x00000001, 0x0000000C, 0x00000008, 0x0000000B, 0x00000001, 0x00000005, 0x00000002, 0x00000008, 0x00000002, 0x00000025, 0x00000001, 0x00000002, 0x00000036,
        0x00000008, 0x00000004, 0x00000041, 0x00000001, 0x00000002, 0x00000020, 0x00000008, 0x00000005, 0x00000001, 0x00000001, 0x00000005, 0x00000003, 0x00000008, 0x00000002, 0x00000025, 0x00000001, 0x00000004, 0x00000009, 0x00000008, 0x00000003, 0x00000020, 0x00000001, 0x00000002, 0x00000041, 0x00000008, 0x0000000C, 0x00000001, 0x00000007, 0x00000022, 0x00000007, 0x0000003F, 0x00000007, 0x00000034, 0x00000007, 0x00000032, 0x00000007, 0x00000072, 0x00000007, 0x00000033, 0x00000007, 0x00000018, 0x00000007, 0xFFFFFFA7, 0x00000007, 0x00000031, 0x00000007, 0xFFFFFFF1, 0x00000007, 0x00000028, 0x00000007, 0xFFFFFF84, 0x00000007, 0xFFFFFFC1, 0x00000007, 0x0000001E, 0x00000007, 0x0000007A]
s = Solver()

index = 0
j = 0
t = 0
check_num = [0 for i in range(100)]
check_numi = 0
check_numj = 0

ip = 0
while (ip < len(op)):
    if op[ip] == 1:
        check_num[check_numi] = t
        ip += 1
        index += 1
        check_numi += 1
    elif op[ip] == 2:
        t = x[index]+op[ip+1]
        ip += 2
    elif op[ip] == 3:
        t = x[index]-op[ip+1]
        ip += 2
    elif op[ip] == 4:
        t = x[index] ^ op[ip+1]
        ip += 2
    elif op[ip] == 5:
        t = x[index]*op[ip+1]
        ip += 2
    elif op[ip] == 6:
        ip += 1
    elif op[ip] == 7:
        s.add(check_num[check_numj] == op[ip+1])
        check_numj += 1
        ip += 2
    elif op[ip] == 8:
        x[j] = t
        j += 1
        ip += 1
    elif op[ip] == 10:
        ip += 1
    elif op[ip] == 11:
        t = x[index] - 1
        ip += 1
    elif op[ip] == 12:
        t = x[index] + 1
        ip += 1


if s.check() == sat:
    m = s.model()
    flag = ""
    print(m)
    for i in res:
        flag += chr(m[i].as_long())
    print(flag)

flag{757515121f3d478}