SUCTF2019-Akira Homework

🏄

输入点:

// Decompiled excerpt from the main program's password check (Hex-Rays names;
// the enclosing function is not shown).
memset(&v4, 0, 0x13ui64);   // 19-byte buffer for the password input
memset(&Dst, 0, 0x6Dui64);
memcpy(&Dst, aJLJLJL1pzxcp6b, 0x6Cui64);   // keep a copy of the still-encrypted string
// The prompt string is stored XOR-encrypted; decrypt it in place with key[0]
// before printing (the same trick recovers every string the program prints).
for ( i = 0; (unsigned __int64)i < 0x6C; ++i )
aJLJLJL1pzxcp6b[i] ^= key[0];
puts(aJLJLJL1pzxcp6b);
// Presumably a scanf-like reader: width 18 plus the terminator fits the
// 19-byte buffer. The expected password, per the analysis below, is the one
// in the trailing comment.
sub_7FF7D6BC9FF0((__int64)"%18s", &v4, 19i64);// Akira_aut0_ch3ss_!
// Password validation; on success the program does not print the flag but
// continues into the DLL / shared-memory stage described in the text below.
if ( sub_7FF7D6BC9200((__int64)&v4) )
{
sub_7FF7D6BC8300((__int64)&v3, 2i64, 1048579);   // purpose not shown here — presumably DLL/shared-memory setup
sub_7FF7D6BC6C10(qword_7FF7D6BD6178, v3, (__int64)&v4);
v1 = 1;
}

程序输出的字符串在存储时都是加密的，按上面的方式异或即可还原出程序中输出的明文字符串。

这里要求输入 password，逆出的 password 为 Akira_aut0_ch3ss_!，但此时程序会提示 Have no sign!

之后发现对 byte_7FF7D6BD11A0 处的数据分组异或可以得到一个 DLL 文件，并且主程序会与该 DLL 共享内存（share memory）。

提取出DLL:

// Decompiled excerpt from the extracted DLL (Hex-Rays names; the enclosing
// function is not shown).
memset(&Str2, 0, 0x11ui64);   // 17-byte buffer for the "sign" typed by the user
puts("Now check the sign:");
// Presumably scanf-like: a 32-character width does not fit the 17-byte Str2
// buffer, so an over-long input overruns it in the original binary.
sub_1800027A0((__int64)"%32s", &Str2);
// Block until the main program signals that its side of the hand-off is ready
// (0x1F0003 = EVENT_ALL_ACCESS, 0xFFFFFFFF = INFINITE).
hHandle = OpenEventW(0x1F0003u, 1, L"DLLInput");
if ( !hHandle )
return 0;
WaitForSingleObject(hHandle, 0xFFFFFFFF);
CloseHandle(hHandle);
// Open the 0x8000-byte region the main program shared (0xF001F = FILE_MAP_ALL_ACCESS).
// The trailing comment holds the 16 bytes the author read from the start of it.
hFileMappingObject = OpenFileMappingW(0xF001Fu, 0, L"ShareMemory");// src=[0x94,0xBF,0x7A,0xC,0xA4,0x35,0x50,0xD1,0xC2,0x15,0xEC,0xEF,0x9D,0x9A,0xAA,0x56,]
if ( !hFileMappingObject )
return 0;
Src = MapViewOfFile(hFileMappingObject, 4u, 0, 0, 0x8000ui64);   // 4 = FILE_MAP_READ
if ( Src )
{
CloseHandle(hFileMappingObject);
Dst = malloc(0x8000ui64);   // not freed in this excerpt; Src is not unmapped either
memset(Dst, 0, 0x8000ui64);
memcpy(Dst, Src, 0x8000ui64);
// Key material is a 15-character literal; strcpy leaves the terminating NUL
// in place, which is why the author's key below ends in \x00.
strcpy(&v7, "Ak1i3aS3cre7K3y");
memset(&Str1, 0, 0x11ui64);   // 17 bytes: 16 output bytes plus a NUL terminator
// Transforms the first 16 bytes of the shared data with the key (AES, per the
// analysis below) into Str1; the user input itself is never transformed.
sub_180002800((__int64)&v7, &Str1, Dst);
// strcmp stops at the first NUL, so a plaintext shorter than 16 bytes only has
// to match up to its own terminator.
if ( !strcmp(&Str1, &Str2) )
sub_1800026F0((__int64)"Get finally answer!\n");
else
sub_1800026F0((__int64)"wow... game start!\n");
result = 1;
}
else
{
CloseHandle(hFileMappingObject);
result = 0;
}

观察到输入会与之前共享内存中的数据经 sub_180002800 处理后的结果进行比较。跟进 sub_180002800：

// Body of sub_180002800. From the caller: a1 = key string, a2 = 16-byte output
// buffer (Str1), a3 = copy of the shared memory. The decompiler's symbol
// "Concurrency::details::HardwareAffinity::ApplyTo" is almost certainly a
// mis-matched library signature; the author's analysis below identifies the
// call as AES decryption keyed by v3.
Src = a3;
Dst = a2;
initkey((__int64)&v3, a1);   // expand the key string (Ak1i3aS3cre7K3y + NUL) into v3 — presumably a key schedule
memcpy(Dst, Src, 0x10ui64);   // copy one 16-byte block of shared data into the output buffer
Concurrency::details::HardwareAffinity::ApplyTo((Concurrency::details::HardwareAffinity *)&v3, Dst);   // transform Dst in place with v3 (AES decrypt, per the analysis below)

发现它以 Ak1i3aS3cre7K3y 为密钥对共享内存中的数据进行解密，而输入本身并未被变换，因此只需对共享内存中的数据做 AES 解密即可得到 flag。

aes解密:

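from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex


def decrypt(text):
    """Decrypt one hex-encoded AES block with the key recovered from the DLL.

    Args:
        text: hex string of the ciphertext read out of the shared memory.

    Returns:
        The plaintext as text, with trailing NUL padding removed.
    """
    # 'Ak1i3aS3cre7K3y' is 15 bytes; the DLL's strcpy leaves the terminating
    # NUL in place, which presumably gives the 16-byte AES-128 key.
    # A bytes literal works unchanged on both Python 2 and 3.
    key = b'Ak1i3aS3cre7K3y\x00'
    # All-zero IV: for a single block, CBC with a zero IV decrypts exactly
    # like ECB, so the mode choice does not affect this one-block result.
    iv = b'\x00' * 16
    cryptos = AES.new(key, AES.MODE_CBC, iv)
    plain_text = cryptos.decrypt(a2b_hex(text))
    # The original used rstrip('/0'), which strips the characters '/' and '0'
    # rather than NUL bytes; strip the real NUL padding instead.
    return plain_text.decode().rstrip('\x00')


dd = "94BF7A0CA43550D1C215ECEF9D9AAA56"
print(decrypt(dd))
# flag{Ak1rAWin!}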