前言

主要是做了星盟的招新赛,内容很多且很难,借助了AI,一些知识点后面会再汇总出文章

ez_uds

题目给了算法逻辑,进入程序后发现给了如下提示

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
==============================
   ECU UDS Security Server
==============================

Supported Service:
  0x27  SecurityAccess

Usage:
  27 01             -> Request Seed
  27 02 <4byteskey> -> Send Key

Example:
  27 01
  27 02 12 34 56 78

Type 'exit' to disconnect.
================================

输入我们输入27 01后程序回显67 01 74 EF CD D0,由于uds返还的规则是请求+0x40,那么0x27+0x40=0x67,所以我们就不用管67,直接得到逆向脚本如下

1
2
3
4
5
6
7
8
9
10
#include <bits/stdc++.h>
int main()
{
    uint32_t seed=0x74EFCDD0;
    uint32_t key;
    key = seed ^ 0xA5A5A5A5;
    key = ((key << 3) | (key >> 29)) & 0xFFFFFFFF;
    key = (key + 0x12345678) & 0xFFFFFFFF;
    printf("%x",key);
}

可得答案9c879a26

回显得

[+] Access Granted

polarisctf{dd4d3bdd-d3f6-4abd-8d48-f55ffbf8ac66}

illusion

一进来可以进入虚假的main函数,是RC4,解出来发现是虚假的flag,没思路就去查找字符串发现有real world,进入后发现是标准的AES-128,就能很快破解flag为xmctf{R3a1_w0rld_M47ters}

移动的秘密

进入后发现是少量正常语句和大量混淆,进入程序后找来找去发现MD5的标准初始化向量

xmmword_3060 xmmword 1032547698BADCFEEFCDAB8967452301h

初步怀疑为MD5加密

继续看可以看到xmmword_3070在最后的比较被引用了,大抵可以判断出是目标MD5密文,再看到有位移,至于后面的高度混淆的代码经查阅是MD5的标准处理。再看执行流

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 if ( __isoc99_scanf("%29s", s) == 1 )
  {
    v3 = 1;
    v4 = strlen(s);
    if ( v4 )
    {
      v6 = (v4 - 1);
      for ( i = 0; i != v4; ++i )
        *(v17 + i) = s[i] >> 1;
      v5 = 0;
      *v16 = _mm_load_si128(&xmmword_3080);
      *&v16[13] = _mm_load_si128(&xmmword_3090);
      while ( v16[v5] == *(v17 + v5) )
      {
        if ( v5 == v6 )
          goto LABEL_10;
        ++v5;
      }
      v3 = 0;
    }
LABEL_10:
    v12 = 0;
    v11 = _mm_load_si128(&xmmword_3060);
    (sub_1DF0)(&v11, s, v4, v5, v6, v7);
    sub_1F60(v13, &v11);
    v9 = 0;
    while ( v13[v9] == si128.m128i_i8[v9] )
    {
      if ( ++v9 == 16 )
      {
        if ( v3 )
        {
          puts("right");
          return 0;
        }
        break;
      }
    }

将我们的输入进行位移,与xmmword_3080与xmmword_3090进行对比,但这里与MD5无关,后面也没拿来调用,只是拿来混淆视听检验的,或者说这是爆破MD5时的约束条件,所以我们可以直接来逆向MD5,爆破可得flag

ezFinger

这道题由于我完全没有写固件的经验,所以我是AI一把梭的

hajimi

一道很抽象的题目不借助AI我完全没思路。打开后发现直接给了源码和一个未知的压缩包。源码中有语句

1
VALID_DIGITS = set("1234")

那大抵是只能输入1234。还能看到

1
if len(prompt) != 16:

那意味着我们输入的长度必须为16,我首先考虑爆破,但是爆破组合太多显然一个个试不是个合理的方案,询问AI,AI说这可能是一个4*4网格的数独。拿着就很好办了,我们直接爆破数独,AI给的爆破数独脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from itertools import permutations

def is_valid_sudoku(grid):
    # 列约束
    if not all(len({grid[j+k*4] for k in range(4)}) == 4 for j in range(4)):
        return False
    # 2×2 宫格约束
    for br in range(0, 4, 2):
        for bc in range(0, 4, 2):
            box = {grid[br*4+bc], grid[br*4+bc+1],
                   grid[(br+1)*4+bc], grid[(br+1)*4+bc+1]}
            if len(box) != 4:
                return False
    return True

hits = []
for r1 in permutations("1234"):
    for r2 in permutations("1234"):
        for r3 in permutations("1234"):
            for r4 in permutations("1234"):
                grid = list(r1 + r2 + r3 + r4)
                if is_valid_sudoku(grid):
                    s = "".join(grid)
                    r = check(s)
                    if "Wrong" not in r:
                        hits.append((s, r))
                        print(f"HIT: {s} -> {r}")

太抽象太抽象了。

Hulua

进入程序查阅后发现有34个case和超过10位的小数,那肯定有问题,查找字符串可得

1
@$LuaVersion: Lua 5.3.6  Copyright (C) 1994-2020 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $

可以直接锁定Lua解释器及其版本。然后就没思路了,但是查找字符串可以看到很多重复的lua,查阅并交叉引用后发现突破口

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
unsigned __int64 sub_1400014A4()
{
  unsigned __int64 result; // rax
  unsigned __int64 v1; // [rsp+18h] [rbp-18h]
  unsigned __int64 i; // [rsp+28h] [rbp-8h]

  v1 = dword_1400333DC;
  for ( i = 0; ; ++i )
  {
    result = i;
    if ( i >= v1 )
      break;
    byte_140033000[i] ^= aHulua[i % 5];
  }
  return result;
}

异或后可得lua字节码,将字节码编译为luac文件之后发现unluac怎么搞都搞不出来,顿感不妙,上网一查发现是这个luac被篡改了导致文件头长度缩短,notepad++也没用,没招了,给AI看给出逻辑,发现是魔改的RC4,就多了个0x66,key为xmctf2026,密文为0x8B,0x8B,0x77,0xBE,0x68,0x61,0x86,0x68,0xE5,0x63,0xEE,0x84,0x35,0x6F,0x58,0xC8,0x51,0x0F,0x6E,0x94,0x70,0xE7,0x26,0x90,0xB6,0x75,0xEC,0x28,0xAF,0x14,0xE2,0xE3

那这样就可以得到flag了,逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#include <bits/stdc++.h>

void RC4_crypt(const unsigned char* key, int key_len, unsigned char* input, int input_len)
{
    unsigned char S[256];
    int i = 0, j = 0;

    for (i = 0; i < 256; i++)
    {
        S[i] = i;
    }

    for (i = 0; i < 256; i++)
    {
        j = (j + S[i] + key[i % key_len]) % 256;
        unsigned char temp = S[i];
        S[i] = S[j];
        S[j] = temp;
    }

    i = 0;
    j = 0;
    for (int k = 0; k < input_len; k++)
    {
        i = (i + 1) % 256;
        j = (j + S[i]) % 256;
        unsigned char temp = S[i];
        S[i] = S[j];
        S[j] = temp;
        input[k] ^= S[(S[i] + S[j]) % 256]^0x66;
    }
}

int main()
{
    char key[] = "xmctf2026";  
    int key_len = strlen(key);

    int encrypted_data[] = {0x8B,0x8B,0x77,0xBE,0x68,0x61,0x86,0x68,0xE5,0x63,0xEE,0x84,0x35,0x6F,0x58,0xC8,0x51,0x0F,0x6E,0x94,0x70,0xE7,0x26,0x90,0xB6,0x75,0xEC,0x28,0xAF,0x14,0xE2,0xE3};  // 替换为你的实际数据
    int data_len = sizeof(encrypted_data) / sizeof(encrypted_data[0]);  // 自动计算数据长度0xE8,0x2B,0x33,0x25,0xB2,0x55,0xE9,0x0D,0x5D,0xAA,0x69,0xFD,0x1B,0x47,0xD1,0x7C,0xA6,0xFF,0x52,0xE1,0x6C,0xE8,0x4C


    unsigned char* data = (unsigned char*)malloc(data_len);
    for (int i = 0; i < data_len; i++)
    {
        data[i] = (unsigned char)encrypted_data[i];
    }

    RC4_crypt((unsigned char*)key, key_len, data, data_len);

    for (int i = 0; i < data_len; i++)
    {
        printf("%c", data[i]);
    }
    printf("\n"); 

    free(data);
    return 0;
}
//xmctf{lu4t1c_r3v3rs3_ch4ll3ng3!}
//(字节码解析是问AI的但脚本是手敲的)

MixTielele

一道很有意思的安卓逆向。进入jadx中,主逻辑看不到什么,native调用啥都都没看到,看主逻辑周围的逻辑发现出现SHA256字样和一个native层调用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package com.example.titlele;

import android.content.Context;
import dalvik.system.PathClassLoader;
import java.io.File;

/* loaded from: classes4.dex */
public final class OO00OO0OO0000OOOOO {
    private static boolean sLoaded;

    public static void load(Context ctx) {
        if (sLoaded) {
            return;
        }
        File so = new File(ctx.getApplicationInfo().nativeLibraryDir, "libflutter.so");
        PathClassLoader pcl = new PathClassLoader(so.getAbsolutePath(), ctx.getClassLoader());
        try {
            Class.forName("com.example.titlele.OO00OO0OO00O0OO000", true, pcl);
            sLoaded = true;
        } catch (Throwable t) {
            throw new RuntimeException("load payload failed", t);
        }
    }
}

调用了libflutter.so,解包看IDA。但是发现这个so文件的IDA不一样

出现了前所未有的选择界面,DIE看一眼

那就是apk伪装成so文件了,改后缀后还是jadx,发现定位不到主逻辑,开始乱翻,遍历完大部分功能后发现

发现lib文件中有一个so文件的名字与题目名字一摸一样,并且在mainactivity里被load了,丢进IDA,发现如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
__int64 __fastcall AES(__int64 a1, __int64 a2, __int64 a3)
{
  __int64 v3; // x0
  __int64 v4; // x0
  const unsigned __int8 *v5; // x0
  __int64 result; // x0
  int v7; // [xsp+18h] [xbp-98h]
  void *src; // [xsp+20h] [xbp-90h]
  __int64 v9; // [xsp+40h] [xbp-70h]
  int v10; // [xsp+5Ch] [xbp-54h]
  int v11; // [xsp+5Ch] [xbp-54h]
  __int64 v12; // [xsp+60h] [xbp-50h]
  _QWORD v16[3]; // [xsp+88h] [xbp-28h] BYREF
  int v17; // [xsp+A4h] [xbp-Ch] BYREF
  __int64 v18; // [xsp+A8h] [xbp-8h]

  v18 = *(_ReadStatusReg(TPIDR_EL0) + 40);
  v12 = EVP_CIPHER_CTX_new();
  v3 = sub_D65E4(a1);
  sub_D62B0(v16, v3 + 16);
  v9 = EVP_aes_128_cbc();
  EVP_EncryptInit_ex(v12, v9, 0, a2, a3);
  v7 = sub_D63C4(v16);
  src = sub_D6608(a1);
  sub_D65E4(a1);
  EVP_EncryptUpdate(v12, v7, &v17, src);
  v10 = v17;
  v4 = sub_D63C4(v16);
  EVP_EncryptFinal_ex(v12, v4 + v17, &v17);
  v11 = v10 + v17;
  EVP_CIPHER_CTX_free(v12);
  v5 = sub_D63C4(v16);
  base64Encode(v5, v11);
  result = sub_D63EC(v16);
  _ReadStatusReg(TPIDR_EL0);
  return result;
}

发现调用了base64和AESCBC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
__int64 __usercall rsaEncryptKey@<X0>(const unsigned __int8 *a1@<X0>, unsigned int a2@<W1>, __int64 a3@<X8>)
{
  __int64 result; // x0
  __int64 v4; // x0
  const unsigned __int8 *v5; // x0
  int v7; // [xsp+38h] [xbp-58h]
  int v8; // [xsp+3Ch] [xbp-54h]
  __int64 bio_RSA_PUBKEY; // [xsp+40h] [xbp-50h]
  __int64 v10; // [xsp+48h] [xbp-48h]
  _QWORD v13[4]; // [xsp+70h] [xbp-20h] BYREF

  v13[3] = *(_ReadStatusReg(TPIDR_EL0) + 40);
  v10 = BIO_new_mem_buf(
          "-----BEGIN PUBLIC KEY-----\n"
          "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovOZy74DuQ55Nr/mOKROqHjcjVF8V2OrRPEAXz6x61z+jgUBZ6aIFLh3S0/6YSO9/O"
          "lWIsrkaJlISCPdrLOjnvSwt6IOiWKVbzcxqyblR8MHbM74Lp7l9T8M9rKqQmjiCFPcbcpyAsABg5CwgthfBo26BIusvptmb+rHXO5kylRHTMbX"
          "rBfC5Yagp25M7bCbpg7JqtR4uaaKg9c849+BrvYq5PHtfDMAbUVSCbXG17/lR/1WENQSbPTAgdtmkUvdcwV14iHYIhuspiXnIa/Z5Ze/xekUvw"
          "YVk09/pU7T0zSVxR+gRUhNPtKZYiZ/w7alSAVjvGooOSc+ps+7KVCkyQIDAQAB\n"
          "-----END PUBLIC KEY-----",
          0xFFFFFFFFLL);
  bio_RSA_PUBKEY = PEM_read_bio_RSA_PUBKEY(v10, 0, 0);
  BIO_free(v10);
  if ( bio_RSA_PUBKEY )
  {
    v8 = RSA_size(bio_RSA_PUBKEY);
    sub_D62B0(v13, v8);
    sub_D63C4(v13);
    v7 = RSA_public_encrypt(a2, a1, v4, bio_RSA_PUBKEY, 1);
    RSA_free(bio_RSA_PUBKEY);
    if ( v7 == -1 )
    {
      sub_D6234(a3, &byte_96973);
    }
    else
    {
      sub_D63C4(v13);
      base64Encode(v5, v7);
    }
    result = sub_D63EC(v13);
  }
  else
  {
    result = sub_D6234(a3, &byte_96973);
  }
  _ReadStatusReg(TPIDR_EL0);
  return result;
}

发现有RSA和base64。至此很多逻辑都出来了但是执行流还不知道,没找到数据也不知道怎么个逆向法,重新研究一遍。发现apk中调用了libflutter.so进行异或,处理完后回来又调用了一次base64,但后面的执行流和攻击手段我没研究出来,就给AI跑了一次,得到如下逆向脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/usr/bin/env python3
"""
MixTielele APK - CTF Exploit
Challenge: please login as admin
Flag: xmctf{adde035c89b5fb477e43b1ef78c8d890}

pip install pycryptodome
"""

import os, base64, struct, json, urllib.request, urllib.error
from Crypto.PublicKey import RSA
from Crypto.Cipher import AES, PKCS1_v1_5
from Crypto.Util.Padding import pad

# RSA public key extracted from libmixtitlele.so .rodata at 0x97b15
RSA_PUB_KEY = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovOZy74DuQ55Nr/mOKRO
qHjcjVF8V2OrRPEAXz6x61z+jgUBZ6aIFLh3S0/6YSO9/OlWIsrkaJlISCPdrLOj
nvSwt6IOiWKVbzcxqyblR8MHbM74Lp7l9T8M9rKqQmjiCFPcbcpyAsABg5CwgthfB
o26BIusvptmb+rHXO5kylRHTMbXrBfC5Yagp25M7bCbpg7JqtR4uaaKg9c849+Brv
Yq5PHtfDMAbUVSCbXG17/lR/1WENQSbPTAgdtmkUvdcwV14iHYIhuspiXnIa/Z5Z
e/xekUvwYVk09/pU7T0zSVxR+gRUhNPtKZYiZ/w7alSAVjvGooOSc+ps+7KVCkyQ
IDAQAB
-----END PUBLIC KEY-----"""


def lcg_xor(data: bytes) -> bytes:
    """LCG-based XOR stream cipher from com.example.utils.Encrypt (classes6.dex in libflutter.so)"""
    INITIAL_SEED = 622918
    MULTIPLIER   = 1664525
    INCREMENT    = 1013904223
    MASK32       = 0xFFFFFFFF
    result = bytearray(len(data))
    key = INITIAL_SEED
    for i, b in enumerate(data):
        result[i] = b ^ (key & 0xFF)
        key = (MULTIPLIER * key + INCREMENT) & MASK32
    return bytes(result)


def build_protobuf(user: str, is_hacker: bool) -> bytes:
    """Serialize LoginInfo{user, isHacker} protobuf (field 1=string, field 2=bool)"""
    buf = bytearray()
    ub = user.encode('utf-8')
    buf += bytes([0x0a, len(ub)]) + ub     # field 1: string user
    buf += bytes([0x10, 0x01 if is_hacker else 0x00])  # field 2: bool isHacker
    return bytes(buf)


def build_login_info(user: str, is_hacker: bool = False) -> str:
    """Mimics LogInfo() hidden in libflutter.so: proto → LCG-XOR → base64"""
    return base64.b64encode(lcg_xor(build_protobuf(user, is_hacker))).decode()


def enc_titlele(login_info_b64: str) -> str:
    """
    Reimplements native EncTitlele() from libmixtitlele.so:
      - AES-128-CBC with random key, zero IV (memset after RAND_bytes)
      - RSA-PKCS1v15 wraps the AES key
      - Returns JSON: {"a1":"<rsa_b64>", "b2":"<aes_b64>"}
    """
    rsa_key = RSA.import_key(RSA_PUB_KEY)

    aes_key = os.urandom(16)          # RAND_bytes(buf, 16)
    iv      = bytes(16)               # __memset_chk zeroes the IV buffer

    plaintext  = login_info_b64.encode('ascii')
    ciphertext = AES.new(aes_key, AES.MODE_CBC, iv).encrypt(pad(plaintext, 16))
    enc_key    = PKCS1_v1_5.new(rsa_key).encrypt(aes_key)

    return json.dumps({
        "a1": base64.b64encode(enc_key).decode(),
        "b2": base64.b64encode(ciphertext).decode(),
    })


def exploit():
    SERVER_URL = "http://120.48.104.4:2788/24ab99d75d3327cf3c46/login"

    login_info = build_login_info("admin", is_hacker=False)
    payload    = enc_titlele(login_info)

    print(f"[*] LoginInfo (admin): {login_info}")
    req = urllib.request.Request(
        SERVER_URL,
        data=payload.encode('utf-8'),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as r:
        flag = r.read().decode()
    print(f"[+] Flag: {flag}")
    return flag


if __name__ == "__main__":
    exploit()

easyre

第一次遇到这种双端调试的题,搞了很久,问了些师傅才勉勉强强做出来。

双端同时进入IDA动调,一步步步过,可以调到一些比较关键的输出地址。

首先可以在server的base+0x33650处下长度为0x20的读写断点,然后在client的main随便下一个断点,直接开跑一直步过可以得到

在这个地方会因为我们之前下的读写断点而停下来,一直F9可以得到

目标MD5值,解出来发现是ctfer,于是推出调试,退掉之前下的断点重新调试一次,按住F8不松手,等出现字符串的时候立刻松手F2下断点就可以找到

那么全都出了。