baby_maze

看题目本来以为是一道简单的迷宫题,进去之后才发现这么多函数

先找一下string,发现了一个God job这应该就是最后的结果

3

于是想到从这个函数出发查看调用它的函数,一步步逆推回去,但发现行不通:函数多达 7000 多个,手工无论从前向后还是从后向前都走不通。

5

后来才知道可以用 gen_r_call_chain 函数做后向调用链追踪:它递归调用 get_my_caller 来逐级回溯调用者。接下来就可以在下方的交互式终端里运行该函数:

gen_r_call_chain('sub_54DE35', 600, 'sub_40187C')


可以得到几条路径,第一条符合要求;再加上第一个函数的 S 就是最后的结果

MD5一下就可以得到最后的flag

6

flag{078c8fbc1d0d033f663dcc58e899c101}

MedicalApp

题目给了一个安卓APK,APK的主要逻辑都在native里面。

在 chk 函数里面就是加密过程,用到了 RC4 + XXTEA

7

找到密钥

8

XXTEA 的解密(注意本题的 DELTA 为 0x9f5776b6,而不是标准 XXTEA 的 0x9E3779B9,解密时必须使用二进制里实际的常量)

#include <bits/stdc++.h> 
/* XXTEA (Corrected Block TEA), same schedule as the reference btea().
 * NOTE(review): 0x9f5776b6 is NOT the published XXTEA delta (0x9E3779B9);
 * presumably it was lifted from the target's native code — confirm before reuse. */
static const uint32_t kDelta = 0x9f5776b6u;

/* One XXTEA mixing term (the reference MX macro with its implicit inputs made
 * explicit): y/z are the neighbouring words, sum the round accumulator,
 * p the word index and e = (sum >> 2) & 3 selects the key word. */
static inline uint32_t xxtea_mix(uint32_t y, uint32_t z, uint32_t sum,
                                 unsigned p, unsigned e, uint32_t const key[4])
{
    return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
         ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z));
}

/* Encrypts (n > 1) or decrypts (n < -1) the |n| 32-bit words at v in place
 * under the 128-bit key. n in {-1, 0, 1} leaves v untouched and reports
 * nothing, exactly like the reference code — the caller must size n itself. */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    if (n > 1) {
        /* Encrypt. */
        const unsigned words = (unsigned)n;
        unsigned rounds = 6 + 52 / words;
        uint32_t sum = 0;
        uint32_t z = v[words - 1];
        while (rounds-- > 0) {
            sum += kDelta;
            const unsigned e = (sum >> 2) & 3;
            for (unsigned p = 0; p + 1 < words; p++) {
                uint32_t y = v[p + 1];
                v[p] += xxtea_mix(y, z, sum, p, e, key);
                z = v[p];
            }
            uint32_t y = v[0];
            v[words - 1] += xxtea_mix(y, z, sum, words - 1, e, key);
            z = v[words - 1];
        }
    } else if (n < -1) {
        /* Decrypt: the same schedule walked backwards. */
        const unsigned words = (unsigned)(-n);
        unsigned rounds = 6 + 52 / words;
        uint32_t sum = rounds * kDelta;   /* unsigned wrap-around is intended */
        uint32_t y = v[0];
        while (rounds-- > 0) {
            const unsigned e = (sum >> 2) & 3;
            for (unsigned p = words - 1; p > 0; p--) {
                uint32_t z = v[p - 1];
                v[p] -= xxtea_mix(y, z, sum, p, e, key);
                y = v[p];
            }
            uint32_t z = v[words - 1];
            v[0] -= xxtea_mix(y, z, sum, 0, e, key);
            y = v[0];
            sum -= kDelta;
        }
    }
}


/* Decrypts the 36-byte XXTEA blob dumped from the APK's native chk() with the
 * 16-byte key dumped next to it, and prints the recovered bytes as hex.
 * NOTE(review): the byte arrays are memcpy'd into uint32_t words in host byte
 * order, so this reproduces the (little-endian) Android target only on a
 * little-endian host. */
int main()
{
    static const unsigned char raw_key[16] = {
        0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x10, 0x00, 0x00
    };
    static const unsigned char raw_cipher[36] = {
        0x3E, 0x97, 0xE5, 0x68, 0x67, 0x73, 0x0C, 0xC2, 0x1B, 0xD4,
        0xAF, 0x98, 0xE2, 0x9D, 0x4B, 0xFE, 0x0B, 0xB6, 0xA5, 0x01,
        0x46, 0xD6, 0x36, 0x3D, 0xAF, 0x7B, 0xCC, 0xDB, 0x00, 0x4F,
        0x41, 0xA0, 0x1A, 0xE7, 0x2C, 0x76
    };
    uint32_t key[sizeof raw_key / sizeof(uint32_t)];
    uint32_t block[sizeof raw_cipher / sizeof(uint32_t)];

    puts("AOLIGEI111");
    memcpy(key, raw_key, sizeof raw_key);
    memcpy(block, raw_cipher, sizeof raw_cipher);
    puts("AOLIGEI222");

    /* Negative word count selects btea()'s decryption branch. */
    const int words = (int)(sizeof raw_cipher / sizeof(uint32_t));
    btea(block, -words, key);

    const unsigned char *out = (const unsigned char *)block;
    for (size_t i = 0; i < sizeof raw_cipher; i++)
        printf("%02x", out[i]);
    return 0;
}

RC4

import binascii

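def rc4_crypt(PlainBytes: bytes, KeyBytes: bytes) -> bytes:
    """Apply RC4 to *PlainBytes* under *KeyBytes* and return the raw output bytes.

    RC4 is symmetric, so the same call encrypts and decrypts; here it is used
    to recover the plaintext from the ciphertext dumped out of the target.

    Arguments:
        PlainBytes {bytes} -- input bytes (plaintext or ciphertext)
        KeyBytes {bytes} -- key bytes; cycled with ``i % len(KeyBytes)`` in the KSA

    Returns:
        bytes -- output bytes (NOT a hex string -- call ``.hex()`` if you need one)

    Raises:
        ValueError -- if KeyBytes is empty (the KSA would divide by zero)

    NOTE(review): RC4 is a broken cipher (RFC 7465); this is a reversing helper
    for the challenge, not something to protect data with. The previous version
    also printed the permuted S-box and per-byte state to stdout, leaking
    keystream material -- those debug prints are gone.
    """
    key_len = len(KeyBytes)
    if key_len == 0:
        raise ValueError("RC4 key must not be empty")

    # Key-scheduling algorithm: permute S under the (cycled) key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + KeyBytes[i % key_len]) & 0xFF
        S[i], S[j] = S[j], S[i]

    # PRGA: one keystream byte per input byte, XORed in place.
    out = bytearray(len(PlainBytes))
    i = j = 0
    for m, byte in enumerate(PlainBytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[m] = S[(S[i] + S[j]) & 0xFF] ^ byte
    return bytes(out)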


if __name__ == "__main__":
    # Ciphertext and key as dumped from the target (hex). The 16 key bytes are
    # the same ones the XXTEA stage in the C listing above uses.
    cipher_hex = '5604b0d49c634d3096cec00593be3b82524b16b28a33b74d6d7b9950c2b10c12e1840a93'
    key_hex = '01000000100000000001000000100000'
    recovered = rc4_crypt(bytes.fromhex(cipher_hex), bytes.fromhex(key_hex))
    print(recovered)

RC4解密结果为:

flag{194836950ae9df840e8a94348b901a}

xxtea

XXTEA(Corrected Block TEA)是 XTEA 的改进版本,设计者是 Roger Needham 和 David Wheeler。

加密过程:

img