Justctf2025

Satellite

一道misc+re的题

给了一个流量包，直接wireshark分析，这一行非常清楚的flag字样，点击看到了text，猜测是密文

{“text”: “5771D410 CFFE844D
24B50FCB BBDC1973
A7A935E5 C3468242
950DFCCE 94794B06
7F876A21 5D96EE09”}

可以通过查找字符串，找到相关语句，然后交叉引用找到主函数，这里就是找到的加密函数位置，是一个tea加密，没啥变化，可以直接写脚本解密

注意key的提取，从dword_14B98[98]开始取，一共四位

from ctypes import c_uint32

def tea_decrypt(v, key, delta, rounds=32):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    sum = c_uint32(0xC6EF3720)

    for _ in range(rounds):
        v1.value -= ((v0.value << 4) + key[2]) ^ (v0.value + sum.value) ^ ((v0.value >> 5) + key[3])
        v0.value -= ((v1.value << 4) + key[0]) ^ (v1.value + sum.value) ^ ((v1.value >> 5) + key[1])
        sum.value += delta

    return v0.value, v1.value

key = [0x12345678, 0x9ABCDEF0, 0x11111111, 0x22222222]

cipher_hex = "5771D410CFFE844D24B50FCBBBDC1973A7A935E5C3468242950DFCCE94794B067F876A215D96EE09"
cipher_bytes = bytes.fromhex(cipher_hex)

cipher_blocks = [int.from_bytes(cipher_bytes[i:i + 4], byteorder="little") for i in range(0, len(cipher_bytes), 4)]

delta = 0x61C88647

plaintext = b""
for i in range(0, len(cipher_blocks), 2):
    dec_v0, dec_v1 = tea_decrypt(cipher_blocks[i:i + 2], key, delta)
    plaintext += dec_v0.to_bytes(4, byteorder='little') + dec_v1.to_bytes(4, byteorder='little')

try:
    print("\n[+] UTF-8 Decode (fallback with replacement):")
    print(plaintext.decode('utf-8', errors='replace'))
except UnicodeDecodeError:
    print("\n[!] UTF-8 decode failed.")

justCTF{TheConnection_w4s_interrupted}

baby-goes-re

一个go语言程序，先来简单了解一下

接口调用方式（itab, rtype, interface{}）

标准库调用（fmt.Fprintln, fmt.Fprint, fmt.Fscanln）

调用 main_CheckFlag-加密函数

主函数就是从这个大数据模块：从 aSmallMapWithNo + 3605 开始，共 338660 字节，然后调用main_CheckFlag函数

加密过程简单的来说就是

flag 的第 k 个字符必须等于 babymemory[51*k + 4919]

flag的字符长度为53，k从0-52，即babymemory 起始地址：0x4CA8C0 + 3605 = 0x4CB5F5

为了方便直接用idapython，也可以把aSmallMapWithNo内容dump出来然后解

import idc
import idautils

def extract_flag():
    base_addr = 0x4CA8C0
    offset = 3605
    positions = []
    current = 4919 
    positions.append(current)
    
    for i in range(1, 53):
        current += 4971 + 51 * (i - 1)
        positions.append(current)

    flag = []
    for pos in positions:
        addr = base_addr + offset + pos
        byte_val = idc.get_wide_byte(addr)

        flag_char = chr(byte_val)
        flag.append(flag_char)

    full_flag = ''.join(flag)
    print("\nflag:")
    print(full_flag)
    
    return full_flag

if __name__ == "__main__":
    extract_flag()

justCTF{W3lc0m3_t0_R3v1NG!_Th4t_w45nt-s0-B4d-w45_1t?}

6pack

依旧是misc+re的题

先看go语言程序，找到main函数位置

接着分析调用的一些函数

sub_4C8820函数用于创建ipv6 header

sub_4CA0E0函数发送数据包

sub_4CABA0函数使用flate/zlib解压并读取所有数据，从这里就可以推测要分析的代码应该就在给的流量包里面

流量包分析提取数据只能交给misc师傅来提取了，过程也是很艰辛的，最后得到了一个exe文件

---

得到的exe文件有一层upx壳，一键脱壳就行

1. 主函数的逻辑就是，先输入一个参数，要求在30720-32767之间，这里得要爆破，如果传入的参数不对，后续通过动调得到的代码就不对，这里的v12是密钥，密钥判断

   

2. sub_7FF65E8E2730函数的作用是读取给的6-pack文件，找到.go.runtimeinfo节，然后读取加密的shellcode

   注意放在同一个文件夹下，动调的时候要用到，不然动调不起来。

3. sub_7FF65E8E26E0函数，使用 SystemFunction033 解密 shellcode，这里就涉及到第二个参数，其实就是flag。这里真实的逻辑是一个smc，动调的时候能够解密得到可执行代码

   

   这里经过动调之后把SystemFunction033的字节按c/p可以识别成函数，这里有一个长度判断，就是第二个参数（flag的长度，我们要把传入的参数改为36

这里就是一个很明显的smc，动调过之后把byte_1B8CCB50100字节进行反编译就能得到我们要分析的代码

主要代码：

_BOOL8 __fastcall sub_1A3CCFA0100(__int64 a1, unsigned __int64 a2)
{
  void (__fastcall *v2)(char *); // rax
  __int64 v3; // rcx
  __int64 v4; // rax
  __int64 n12; // [rsp+28h] [rbp-48h]
  _QWORD v7[4]; // [rsp+30h] [rbp-40h] BYREF
  unsigned __int64 v8; // [rsp+50h] [rbp-20h]
  __int64 v9; // [rsp+58h] [rbp-18h]
  unsigned __int64 v10; // [rsp+60h] [rbp-10h]
  __int64 v11; // [rsp+68h] [rbp-8h]

  v11 = a1;
  v10 = a2;
  v9 = 0LL;
  v8 = 0LL;
  memset(v7, 0, sizeof(v7));
  n12 = 0LL;
  v2 = sub_1A3CCFA01F8(NtCurrentPeb()->Ldr->InMemoryOrderModuleList.Flink->Flink->Flink[2].Flink, dword_1A3CCFA0253);
  v2(aBcryptDll);                               // "bcrypt.dll"
  v8 = v10 / 3;
  do
  {
    v3 = v11;
    v11 += 3LL;
    ((&loc_1A3CCFA026D + 2))(v3, v7);
    v4 = v9;
    LOBYTE(v4) = memcmp(&loc_1A3CCFA03CF + 8 * v9 + 1, v7, 0x20uLL) == 0;
    n12 += v4;
    v9 += 4LL;
    --v8;
  }
  while ( v8 );
  return n12 != 12;
}

这里的加密函数（loc_2320BE5026D + 2），这个是没有自动识别的函数，自己手动编译一下，这是主要的加密内容，这个函数对 3 字节输入计算 SHA256 哈希，输出 32 字节

哈希值就是unk_1B8CCB503D0[384]内容，一共12个正确的哈希值

爆破脚本：

import hashlib

hashes = [
    # 1
    0x20, 0x40, 0x01, 0xDE, 0x61, 0xEE, 0x2B, 0x59, 0xF7, 0x71, 0xF5, 0x3F, 0xEB, 0x64, 0x0F, 0x35,
    0x09, 0x32, 0xC5, 0xCD, 0xE6, 0x99, 0xE2, 0x3B, 0x27, 0x66, 0x29, 0x95, 0xD4, 0xBD, 0x04, 0x16,
    # 2
    0x73, 0xFE, 0x4A, 0x5E, 0x48, 0x6A, 0xE1, 0xF4, 0xD0, 0x33, 0xC5, 0x95, 0xC5, 0xAA, 0xC7, 0x9E,
    0x6A, 0xFE, 0xAE, 0x7A, 0x28, 0xB7, 0x82, 0x9C, 0x3E, 0xA9, 0x7F, 0x0C, 0x74, 0x75, 0xFF, 0x30,
    # 3
    0xA3, 0x8D, 0xF0, 0x1B, 0x42, 0xFE, 0x10, 0x09, 0xF1, 0xDA, 0x3C, 0x3B, 0xF7, 0x78, 0x7B, 0xEA,
    0xCD, 0x5C, 0xE1, 0x74, 0x3E, 0x6D, 0x19, 0xF6, 0xD4, 0x6D, 0x09, 0x6F, 0xD0, 0xBB, 0xA9, 0x0A,
    # 4
    0x67, 0x75, 0x62, 0xC4, 0x99, 0x09, 0x49, 0xFB, 0x8E, 0x8C, 0x2F, 0x81, 0x66, 0xF8, 0x0D, 0x81,
    0x51, 0xA4, 0xA1, 0xC0, 0xE0, 0x67, 0x9A, 0xC2, 0x4D, 0x45, 0x46, 0x33, 0xC1, 0x70, 0x9C, 0x29,
    # 5
    0x16, 0xDB, 0x9A, 0xE9, 0xD8, 0xA6, 0xB5, 0xDC, 0x76, 0x16, 0xFB, 0x3B, 0x0B, 0x74, 0xE2, 0x87,
    0xE4, 0x92, 0xE7, 0xD2, 0x95, 0x96, 0x1A, 0x0A, 0x14, 0xB9, 0xEE, 0x93, 0x5C, 0x82, 0x5D, 0x59,
    # 6
    0xAA, 0xC5, 0x13, 0xEA, 0x30, 0x6B, 0x59, 0xB9, 0xAA, 0x9A, 0xF9, 0x87, 0xD3, 0x90, 0xE3, 0x8D,
    0xF0, 0x92, 0x89, 0x18, 0xB2, 0x56, 0x56, 0xC1, 0x80, 0xC2, 0x35, 0xB9, 0xAF, 0x7B, 0xE2, 0x96,
    # 7
    0xB7, 0xCF, 0x5A, 0x8D, 0x7E, 0xB9, 0x3D, 0x4D, 0x82, 0x5A, 0x40, 0x0F, 0xA1, 0x73, 0x02, 0x0A,
    0x0D, 0x5C, 0xD3, 0x4A, 0x8C, 0x2F, 0x4F, 0x81, 0x8D, 0x01, 0xCA, 0x2B, 0xD9, 0x91, 0xC2, 0x15,
    # 8
    0x48, 0x7D, 0x3C, 0xFD, 0x82, 0xC3, 0x91, 0x54, 0x66, 0x51, 0x3E, 0x09, 0x7C, 0x6B, 0x00, 0x59,
    0x3D, 0x8C, 0x67, 0x7C, 0xE5, 0x4B, 0x2A, 0x29, 0x2F, 0xDE, 0x8B, 0x14, 0xF8, 0x8C, 0xCB, 0x89,
    # 9
    0x93, 0x31, 0x30, 0xB1, 0x01, 0x31, 0x09, 0x3C, 0x44, 0x63, 0xF7, 0xC3, 0x72, 0xBA, 0x43, 0x5C,
    0x09, 0x1A, 0x87, 0xA9, 0xB7, 0x78, 0x03, 0x85, 0x3F, 0x2C, 0x5A, 0xB5, 0xA3, 0xF3, 0x3C, 0xAA,
    # 10
    0x54, 0x7D, 0x5E, 0x2A, 0x74, 0x0B, 0x5D, 0x7D, 0x7C, 0x94, 0xC9, 0xB9, 0x33, 0x3C, 0x81, 0x83,
    0xE1, 0x3A, 0x85, 0x8A, 0x52, 0x8C, 0x81, 0x88, 0xFD, 0xDD, 0x2F, 0xE1, 0x87, 0xA0, 0x7C, 0xC0,
    # 11
    0x7C, 0x5C, 0xD8, 0x1D, 0x84, 0x04, 0x6C, 0xAA, 0xC3, 0x35, 0xC2, 0xAF, 0xD9, 0x67, 0x37, 0x29,
    0xBA, 0x0F, 0xBA, 0x09, 0xFB, 0x7C, 0xB2, 0x25, 0xFE, 0xDB, 0x64, 0x99, 0xBE, 0x5E, 0xFC, 0x29,
    # 12
    0xEE, 0x34, 0x0E, 0xA3, 0xEC, 0xF7, 0x7D, 0x89, 0x24, 0x7E, 0x26, 0x40, 0x15, 0xC0, 0x71, 0xD8,
    0xBB, 0xD6, 0x6B, 0x30, 0xFB, 0x49, 0x47, 0x9A, 0x55, 0xC9, 0x22, 0x52, 0x82, 0xB1, 0x92, 0x87
]

# 转为 bytes
hashes_bytes = bytes(hashes)
# 分割为 12 个 32 字节块
hash_list = [hashes_bytes[i:i+32] for i in range(0, 384, 32)]

def brute_force_3byte_sha256(target_hash):
    for i in range(0, 0x1000000):  # 0x000000 ~ 0xFFFFFF
        b1 = (i >> 16) & 0xFF
        b2 = (i >> 8) & 0xFF
        b3 = i & 0xFF
        data = bytes([b1, b2, b3])
        h = hashlib.sha256(data).digest()
        if h == target_hash:
            return data
    return None

result = []
for idx, h in enumerate(hash_list):
    print(f"[+] Brute-forcing block {idx+1}/12...")
    plain = brute_force_3byte_sha256(h)
    if plain is None:
        print(f"[-] Failed to crack block {idx+1}")
        result.append(b"???")
    else:
        print(f"    Found: {plain.hex()} -> {repr(plain)}")
        result.append(plain)

flag = b"".join([block[::-1] for block in result[::-1]])
print(f"argv[1] = {flag}")
print(f"Length: {len(flag)} bytes")