2021 ciscn Re部分wp

2021 ciscn Re部分wp

glass

java层没什么多余的调用，直接native调用checkflag

bool __fastcall Java_com_ciscn_glass_MainActivity_checkFlag(int a1, int a2, int a3)
{
	char *v3; // r4
	int v4; // r5
	char v6[256]; // [sp+0h] [bp-220h] BYREF
	char v7[260]; // [sp+100h] [bp-120h] BYREF
	v3 = (char *)sub_F0C(a1, a3);
	if ( strlen(v3) != 39 )
		return 0;
	memset(v7, 0, 0x100u);
	qmemcpy(v6, "12345678", 		sizeof(v6));
	v4 = strlen(v6);
	sub_FFC((int)v7, (int)v6, v4);
	sub_1088((int)v7, v3, 39);
	sub_10D4((int)v3, 39, (int)v6, v4);
	return memcmp(v3, &unk_497C, 0x27u) == 0;
}

长度检查，密钥拷贝，进行三步操作之后和已知结果比较，前两个显然是进行rc4加密，最后一个函数三个一组，相互异或，最后再逐位和密钥异或，逆运算即可

target = [0xA3, 0x1A, 0xE3, 0x69, 0x2F, 0xBB, 0x1A, 0x84, 0x65, 0xC2, 0xAD, 0xAD, 0x9E, 0x96, 0x05, 0x02, 0x1F, 0x8E, 0x36,
0x4F, 0xE1, 0xEB, 0xAF, 0xF0, 0xEA, 0xC4, 0xA8, 0x2D, 0x42, 0xC7, 0x6E, 0x3F, 0xB0, 0xD3, 0xCC, 0x78, 0xF9, 0x98, 0x3F]

def sub_10D4(ss,  a2,  a3,  a4):
	result = []
	for i in ss:
		result.append(i)
	for j in range(a2):
		result[j] ^= a3[j % a4]
	for i in range(0, a2, 3):
		result[i+1] ^= result[i]
		result[i+2] ^= result[i+1]
		result[i] ^= result[i+2]

	return result

def Rc4_init(S, K):
	j = 0
	k = []
	for i in range(256):
		S.append(i)
		k.append(K[i % len(K)])
	for i in range(256):
		j = (j + S[i] + ord(k[i])) % 256
		S[i], S[j] = S[j], S[i]

def rc4_Decrypt(S, D):
	i = j = 0
	result = ''
	for a in D:
		i = (i + 1) % 256
		j = (j + S[i]) % 256
		S[i], S[j] = S[j], S[i]
		t = (S[i] + S[j]) % 256
		k = chr(a ^ S[(S[i] + S[j]) % 256])
		result += k
	return result

key = '12345678'

s = []
Rc4_init(s, key)
k0 = [49, 50, 51, 52, 53, 54, 55, 56]
c = sub_10D4(target, 39, k0, 8)
print(c)
z = rc4_Decrypt(s, c)
print("Decrypt:"+z)
# CISCN{6654d84617f627c88846c172e0f4d46c}

little_evil

程序本身解压squashfs，得到里面ruby环境和需要执行的rb代码，binwalk跑一下解压出来，得到一个混淆过后的ruby代码

$l1Il="";$l1lI="";def llIl()$lI1lll=$lI1lll|7;end;def l1lll()$lI1lll=10;end;def llI1l()$lI1lll=$lI1lll|4;end;def lIlI()$lI1lll=$lI1lll+3;end;def l111()$lI1lll=$lI1lll%3;end;def lI1IlI()$lI1lll=$lI1lll|3;end;def ll1l1()$lI1lll=$lI1lll*8;end;def l1lI()$lI1lll=$lI1lll-3;end;def lI1lII()$lI1lll=$lI1lll%1;end;def lIlIl()$lI1lll=$lI1lll&10;end;def lIll()$lI1lll=$lI1lll-4;end;def lII1()$lI1lll=$lI1lll%2;end;def l1III()$lI1lll=$lI1lll|1;end;def l1l111()$lI1lll=$lI1lll|5;end;def l1IIII()$lI1lll=$lI1lll%10;end;def l11I()$l1Il=$l1Il+$lI1lll.chr;end;def lIlll()$lI1lll=$lI1lll*9;end;def l11IlI()$lI1lll=$lI1lll-8;end;def lI1I1()$lI1lll=$lI1lll+5;end;def ll11lI()$lI1lll=$lI1lll&9;end;def lII1l1()send($l1Il[0,4], $l1Il[4,$l1Il.length]);end;l1lll;lIlI;ll1l1;l1lI;l11I;l1lll;llI1l;lIlll;l11IlI;l11I;l1lll;lIlll;llI1l;lIlI;l11I;l1lll;llIl;l1lI;lIlll;l11I;l1lll;llI1l;l1IIII;lIlll;l11I;l1lll;llIl;l1lI;lIlll;l11I;l1lll;llIl;l1lI;lIlll;l11I;l1lll;llIl;l1lI;lIlll;l11I;l1lll;llIl;l1lI...

发现进行了许多赋值和字符串拼接，没有输入输出等操作，因此将send改为puts输出最终结果，可以看到使用eval执行了另一段代码

$llll="";
$llII="";
def l1llI()
$l1lI1l=$l1lI1l|7;
end;
def ll1III()
$l1lI1l=$l1lI1l%7;
end;
def lllI()
$l1lI1l=$l1lI1l/4;
end;
def lIl1l()
$l1lI1l=$l1lI1l-3;
end;
def l1lll()
$l1lI1l=$l1lI1l|10;
end;
def l11I1I()
$l1lI1l=10;
end;
def l1l1()
$l1lI1l=$l1lI1l&7;
end;
def l1II()
$l1lI1l=$l1lI1l%8;
end;
def ll1I()
$l1lI1l=$l1lI1l|8;
end;
def ll11()
$l1lI1l=$l1lI1l^6;
end;
def ll1l1I()
$l1lI1l=$l1lI1l|1;
end;
def lI1Il()
$l1lI1l=$l1lI1l|3;
end;
def llI1I()
$l1lI1l=$l1lI1l+6;
end;
def llIl1()
$l1lI1l=$l1lI1l*4;
end;
def lI1ll()
$l1lI1l=$l1lI1l*5;
end;
def l1111()
$l1lI1l=$l1lI1l^7;
end;
def l1lII()
$l1lI1l=$l1lI1l^4;
end;
def lIIl()
$l1lI1l=$l1lI1l%5;
end;
def lII11()
$l1lI1l=$l1lI1l+9;
end;
def lI11I()
$llll=$llll+$l1lI1l.chr;
end;
def l1IlI()
puts($llll[0,4], $llll[4,$llll.length]);
end;
l11I1I;lII11;lI1ll;llI1I;lI11I;...

同样的方法改成puts之后输出

begin $_=$$/$$;
    @_=$_+$_;
    $-_=$_-@_
    $__=->_{_==[]||_==''?$.:$_+$__[_[$_..$-_]]} #len
    @__=->_,&__{_==[]?[]:[__[_[$.]]]+@__[_[$_..$-_],&__]}
    $_____=->_{@__[[*_],&->__{__[$.]}]}
    @_____=->_{@__[[*_],&->__{__[$-_]}]}
    $______=->_{___,______=$_____[_],@_____[_];_____=$__[___];____={};__=$.;(_=->{
      ____[______[__]]=___[__];(__+=$_)==_____ ?____:_[]})[]}
    @______=->_,__{_=[*_]+[*__];____=$__[_];___={};__=$.;(_____=->{
      ___[_[__][$.]]=_[__][$_];(__+=$_)==____ ?___:_____[]})[]}
    $_______=->_{$___=[];@___=$__[_];__=___=____=$.;$____,@____={},[]
    (_____=->{
      _[____]=='5'?(@____<<____):$.
      _[____]=='6'?($____[@____[$-_]]=____;@____=@____[$...$.-@_]):$.
      (____+=$_)==@___?$.:_____[]})[]
    $____=$____=={}?{}:@______[$____,$______[$____]]
    puts($____);
    # puts(@____);
    (______=->{
    # puts(_[__])
    _[__]==
    '0'?($___[___]||=$.;$___[___]+=$_):_[__]==
    '1'?($___[___]||=$.;$___[___]-=$_):_[__]==
    '2'?($___[___]||=$.;$___[___]=STDIN.getc.ord):_[__]==
    '3'?(___+=$_):_[__]==
    '4'?(___-=$_):_[__]==
    '5'?(__=($___[___]||$.)==$.?$____[__]:__):_[__]==
    '6'?(__=($___[___]||$.)!=$.?$____[__]:__):_[__]==
    '7'?($><<(''<<$___[___])):$.
    (__+=$_)==@___?_:______[]})[]}
    $_______['3351635164300000000540000000003164073000000540000003164070070000071730000000541111111131641175160343516445163530440316354031643451634235163516000000054000000000003164344354131645335163435164444516333530444403331635403164344451665163423516351600000054000000000316413443541316453351634351644445163335304444033316354031643444516651634235163516000000005400000000000316403443541316453351634351644445163335304444033316354031643444516651634235163516000000005400000000000031640344354131645335163435164444516333530444403331635403164344451665163423516351600000540000000000031643443541316453351634351644445163335304444033316354031643444516651635164453030441633544033164533516351643000000005400000000003164171111744516644'];rescue Exception;end

虚拟机，按指令运行，5和6之间进行循环，读取一下指令

op='3351635164300000000540000000003164073000000540000003164070070000071730000000541111111131641175160343516445163530440316354031643451634235163516000000054000000000003164344354131645335163435164444516333530444403331635403164344451665163423516351600000054000000000316413443541316453351634351644445163335304444033316354031643444516651634235163516000000005400000000000316403443541316453351634351644445163335304444033316354031643444516651634235163516000000005400000000000031640344354131645335163435164444516333530444403331635403164344451665163423516351600000540000000000031643443541316453351634351644445163335304444033316354031643444516651635164453030441633544033164533516351643000000005400000000003164171111744516644'
for i in op:
    if i=='0':
        print("stack[idx]+=1")
    elif i=='1':
        print("stack[idx]-=1")
    elif i=='2':
        print("stack[idx]=getch()")
    elif i=='3':
        print("idx++")
    elif i=='4':
        print("idx--")
    elif i=='5':
        print("while stack[idx]!=0:")
    elif i=='6':
        print("end while")
    elif i=='7':
        print("puts(stack[idx])")
    else:
        print('error!!!!!')

之后分析解析的指令，使用这种方式进行输出

stack[idx]+=8
while stack[idx]!=0:
idx--
stack[idx]+=9
idx++
stack[idx]-=1
end while
idx--
stack[idx]+=1
puts(stack[idx])

前几段代码输出Input:
之后进行输入并验证，验证方法时进行循环，如果循环可以正常结束则最终会输出ok，如果不能则异常结束，没有输出

stack[idx]=getch()
idx++
stack[idx]=0
idx++
stack[idx]=0
stack[idx]+=7
while stack[idx]!=0:
idx--
stack[idx]+=11
idx++
stack[idx]-=1
end while

idx--
while stack[idx]!=0:
idx--
stack[idx]-=1
idx++
stack[idx]-=1
end while
#ch-77
idx--
while stack[idx]!=0:
idx+=2
stack[idx]=0
idx++
stack[idx]=0
idx-=4
stack[idx]=0
idx+=3
while stack[idx]!=0:
idx++
stack[idx]+=1
idx-=4
stack[idx]+=1
idx+=3
stack[idx]-=1
end while
idx++
while stack[idx]!=0:
idx--
stack[idx]+=1
idx++
stack[idx]-=1
end while
idx-=3
stack[idx]=0
end while
stack[idx]=0

每一个循环都这样处理，循环本身是跑不出来的，所以成功的条件就是ch-77为0，不会进入循环，对于每一个循环都会得到一个数，一共5个输入，得到M5Ya7，测试成功，计算md5即可