hnctf
Help_Me!
My exp:
Official exp:
A 0-1 knapsack problem. Notice that you should ADD, not MULTIPLY, as shown in IDA...
CM2
I don't understand how to debug it to find the place... though I worked it out by guessing anyway.
Official wp:
Try2debugPlusPlus
NOP out the IsDebuggerPresent() calls (note that there are two of them) and get the key (remember to set a breakpoint after printf()):
Though it is easy for us to decrypt tea_encrypt, the challenge setter seems to have forgotten something...
What_1in_D11
Repair the UPX features (easy in this problem; to study more, you can refer to this blog), then run upx -d to unpack the .dll. Checking it in IDA, we get:
Official writeup:
(A btea encryption, which I am not familiar with yet. I shall study encryption and decryption more later.)
Mazes
A bit complex, wait until later...
stub
Never seen before, later...
ez_maze
We get a .exe file; from its icon we know that we should unpack it into .pyc files with pyinstxtractor. Then we get a package ending in _extracted: complex it is...
Find a file named maze (the one without a suffix!), change its suffix to .pyc and try uncompyle6 -o maze.py maze.pyc. It goes wrong:
That's when you find out that pyinstxtractor didn't fix your .pyc file's magic number.
The link the problem setter gives you does not help at all... The magic number in the file structure is destroyed as well... I have been trying tools like uncompyle6 (which does not support Python 3.10, and installing Python 3.9 does not help at all; later I should look into this problem and try to solve it...) and pycdc (which is said to support newer versions, but cannot identify the magic number either). However, when I tried adding a magic number from another Python version (Python 3.8b2, if I remember right) and put the file into an online decompiler, it just worked... A blog from my classmate that may help (though I do not really think so...):
Some magic numbers:
uncompyle: (the maze is too long, so I didn't put it here)
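The header repair described above (prepending a magic number so the headerless file that pyinstxtractor leaves behind can be loaded), as an added Python example that is not from this writeup: it builds the 16-byte PEP 552 header for the running interpreter's version, prepends it to a constructed stand-in for the maze file, and then loads the result the way a decompiler would. repair_pyc, load_code and the sample walk() source are assumptions of this example, not files from the challenge.

```python
import importlib.util
import marshal
import struct

# Magic of the interpreter running this script: a .pyc only unmarshals on
# the minor version that produced it, so match it to the bundle's Python.
PYC_MAGIC = importlib.util.MAGIC_NUMBER

def build_pyc_header(magic: bytes = PYC_MAGIC) -> bytes:
    """16-byte header used since Python 3.7 (PEP 552): magic, flags=0,
    source mtime=0, source size=0. With no .py beside the file the
    mtime/size are never compared, so zeros are fine."""
    if len(magic) != 4 or magic[2:] != b"\r\n":
        raise ValueError("magic is 2 version bytes followed by CR LF")
    return magic + struct.pack("<III", 0, 0, 0)

def repair_pyc(raw: bytes, magic: bytes = PYC_MAGIC) -> bytes:
    """Prepend a header to the bare marshalled code object the extractor
    leaves behind; a file already carrying `magic` is returned as is."""
    return raw if raw[:4] == magic else build_pyc_header(magic) + raw

def load_code(pyc: bytes):
    """What a decompiler does first: check the magic, then unmarshal.
    A wrong magic raises here, the failure uncompyle6/pycdc report."""
    if pyc[:4] != PYC_MAGIC:
        raise ValueError(f"bad magic {pyc[:4]!r}, expected {PYC_MAGIC!r}")
    flags = struct.unpack("<I", pyc[4:8])[0]
    if flags & ~0b11:
        raise ValueError(f"unexpected pyc flags {flags:#x}")
    return marshal.loads(pyc[16:])

def run_walk(pyc: bytes, maze, moves):
    """Load the repaired file and call its walk() (constructed sample)."""
    ns = {}
    exec(load_code(pyc), ns)
    return ns["walk"](maze, moves)

# Constructed stand-in for the headerless `maze` file from the bundle:
# compile a tiny maze walker and keep only the marshalled body.
SAMPLE_SRC = """def walk(maze, moves):
    x = y = 0
    for m in moves:
        dx, dy = {"w": (0, -1), "s": (0, 1), "a": (-1, 0), "d": (1, 0)}[m]
        x, y = x + dx, y + dy
        if maze[y][x] == "#":
            return None
    return (x, y)
"""
RAW_MAZE = marshal.dumps(compile(SAMPLE_SRC, "maze", "exec"))
```

To use it on the real file, read the headerless maze file as bytes, pass it through repair_pyc with the magic of the Python version the bundle was built with, and write the result out as maze.pyc.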
DFS script (from official wp):
findit
We get a .exe file; check whether it is packed.
Open it with ida.
A complex encryption. Both the key and the flag need to be brute-forced out. I shall reproduce it later...
Official wp:
flower
In IDA there is a lot of junk code inside, and we have to patch it out before we can analyze the code.
Some scripts to NOP out the junk code:
script 1:
script 2:
Some interlude:
Anyway, the decompilation should look like this:
The encrypt function:
Now that we have the encryption routine, we can see that it is an RC4 encryption, and here comes the official exp:
It is based on static cracking, but a friend told me that since there is only ONE XOR that really does something to your flag, you can debug dynamically to get the array v4 (in the encryption screenshot above). This is really genius, because whether or not you know how to decrypt RC4 you can solve this problem, and it saves you tons of work! Just input a series of '1's and look at the ECX register!
And so on...
From here, the last few problems are quite hard...
MAZE
We find thousands of junk code instructions here, and we NOP them out: