长城杯2024决赛RE

写在前面

长城杯决赛只看了CTF的RE题目，题目挺常规，坐牢8小时拿下3.5道题，勉强混个逆向专项奖。

mapamp

迷宫题，输入wasd控制移动方向，x == 38, y == 38出口，迷宫没有直接存在内存中，需要每步计算判断是否die

__int64 sub_404340()
{
  unsigned __int64 v0; // rsi
  unsigned __int64 v1; // rdx
  __int64 v2; // rcx
  __int64 v3; // r12
  unsigned __int64 v4; // r14
  int y; // ebx
  int x; // r13d
  char v7; // al
  __int64 v8; // rbp
  __int64 v9; // r15
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rdx
  _BOOL8 v13; // rdi
  unsigned __int64 v14; // rdi
  __int64 *v15; // rax
  unsigned __int64 v16; // r12
  __int64 v17; // rax
  __int64 v19; // [rsp+0h] [rbp-78h]
  __int64 v20; // [rsp+0h] [rbp-78h]
  __int64 *v21; // [rsp+10h] [rbp-68h] BYREF
  unsigned __int64 len; // [rsp+18h] [rbp-60h]
  __int64 v23[3]; // [rsp+20h] [rbp-58h] BYREF
  unsigned __int64 v24; // [rsp+38h] [rbp-40h]

  v24 = __readfsqword(0x28u);
  sub_404C00();
  v0 = (unsigned __int64)&v21;
  len = 0LL;
  v21 = v23;
  LOBYTE(v23[0]) = 0;
  scanf(&unk_648560, &v21);
  v3 = qword_647530;
  if ( len != 140 )
    die();
  v4 = 0LL;
  y = 0;
  x = 0;
  do
  {
    v7 = *((_BYTE *)v21 + v4);
    if ( v7 == 'w' )
    {
      v8 = *(_QWORD *)(v3 + 16);
      --y;
      v9 = v3 + 8;
      if ( !v8 )
        goto LABEL_40;
    }
    else
    {
      switch ( v7 )
      {
        case 's':
          ++y;
          break;
        case 'a':
          --x;
          break;
        case 'd':
          ++x;
          break;
        default:
          die();
      }
      v8 = *(_QWORD *)(v3 + 16);
      v9 = v3 + 8;
      if ( !v8 )
      {
LABEL_40:
        v8 = v9;
LABEL_18:
        v19 = v8;
        v8 = sub_470DE0(96LL, v0, v1, v2);
        *(_DWORD *)(v8 + 32) = y;
        *(_OWORD *)(v8 + 56) = 0LL;
        *(_OWORD *)(v8 + 72) = 0LL;
        *(_QWORD *)(v8 + 88) = 0LL;
        *(_QWORD *)(v8 + 40) = v8 + 88;
        *(_QWORD *)(v8 + 48) = 1LL;
        *(_DWORD *)(v8 + 72) = 1065353216;
        v11 = sub_46F910(v3, v19, v8 + 32);
        if ( v12 )
        {
          v13 = v11 || v9 == v12 || y < *(_DWORD *)(v12 + 32);
          v0 = v8;
          sub_479520(v13, v8, v12, v9);
          ++*(_QWORD *)(v3 + 40);
        }
        else
        {
          v0 = 96LL;
          v20 = v11;
          sub_46FF40(v8, 96LL);
          v8 = v20;
        }
        goto LABEL_23;
      }
    }
    v2 = v9;
    while ( 1 )
    {
      v1 = *(_QWORD *)(v8 + 16);
      v10 = *(_QWORD *)(v8 + 24);
      if ( y > *(_DWORD *)(v8 + 32) )
        break;
LABEL_13:
      if ( !v1 )
        goto LABEL_16;
      v2 = v8;
      v8 = v1;
    }
    while ( v10 )
    {
      v8 = v10;
      v1 = *(_QWORD *)(v10 + 16);
      v10 = *(_QWORD *)(v10 + 24);
      if ( y <= *(_DWORD *)(v8 + 32) )
        goto LABEL_13;
    }
    v8 = v2;
LABEL_16:
    if ( v8 == v9 || y < *(_DWORD *)(v8 + 32) )
      goto LABEL_18;
LABEL_23:
    v14 = *(_QWORD *)(v8 + 48);
    v1 = x % v14;
    v15 = *(__int64 **)(*(_QWORD *)(v8 + 40) + 8 * v1);
    v16 = v1;
    if ( v15 )
    {
      v2 = *v15;
      v0 = *(unsigned int *)(*v15 + 8);
      while ( x != (_DWORD)v0 )
      {
        v2 = *(_QWORD *)v2;
        if ( v2 )
        {
          v0 = *(int *)(v2 + 8);
          v1 = v0 % v14;
          if ( v16 == v0 % v14 )
            continue;
        }
        goto LABEL_28;
      }
      v2 += 16LL;
    }
    else
    {
LABEL_28:
      v17 = sub_470DE0(24LL, v0, v1, v2);
      *(_QWORD *)v17 = 0LL;
      v0 = x % v14;
      *(_DWORD *)(v17 + 8) = x;
      *(_QWORD *)(v17 + 16) = 0LL;
      v2 = sub_46FD80(v8 + 40, v16, x, v17, 1LL) + 16;
    }
    v3 = *(_QWORD *)v2;
    if ( !*(_QWORD *)v2 )
      die();
    ++v4;
  }
  while ( len > v4 );
  if ( x == 38 && y == 38 )
    printf(qword_648440, "flag{md5(your input)}", 21LL);
  else
    printf(qword_648440, "wrong", 5LL);
  sub_404B60(qword_648440);
  if ( v21 != v23 )
    sub_46FF40(v21, v23[0] + 1);
  if ( v24 != __readfsqword(0x28u) )
    sub_59B4A0();
  return 0LL;
}

由于是逐字符校验，出错直接die，可以考虑获取die的时候已校验的长度，即已走的步数，通过遍历4个方向检查走的步数是否增加，如果步数增加，则表明新的方向可以走，如果步数不变，表示新的方向不可走，使用dfs即可走出迷宫

已走的步数存在r14寄存器中，可以修改die函数，在die函数内输出r14寄存器的值，也可以patch main函数，将die修改为返回r14寄存器的值，这里选择patch main函数

接下来使用dfs遍历迷宫，找到正确路径

#!/usr/bin/en python

import subprocess

maze = [[0 for _ in range(40)] for _ in range(40)]

def dfs(x=0, y=0, idx=0, path=[]):
    if (idx >= len(path)):
        return
    global maze
    for d in "wasd":
        tmp_path = path.copy()
        tmp_x = x
        tmp_y = y
        tmp_path[idx] = d.encode()
        match(d):
            case 'w':
                tmp_y -= 1
            case 's':
                tmp_y += 1
            case 'a':
                tmp_x -= 1
            case 'd':
                tmp_x += 1
        if (maze[tmp_x][tmp_y] == 1):
            # 已经走过的 避免死循环
            continue
        proc = subprocess.run("./mapmap", input=b''.join(tmp_path))
        next_idx = proc.returncode
        if (tmp_x == 38 and tmp_y == 38):
            print(b''.join(tmp_path))
        if (next_idx == idx):
            # 路径长度不变 不可走
            continue
        maze[tmp_x][tmp_y] = 1
        dfs(tmp_x, tmp_y, idx+1, tmp_path)

maze[0][0] = 1
path = [b'w' for _ in range(140)]
dfs(0, 0, 0, path)
for y in range(40):
    for x in range(40):
        print(maze[x][y], end=' ')
    print()

❯ python ex.py
wrong
wrong
wrong
wrong
b'ssssddwwwwddddssaassssssaassddssaassddssddssssssddssaassddssddwwddssssddwwddddssssssssssddddddddddwwddssddddddwwwdsssdwwwwwwwwwwwwwwwwwwwwww'
wrong
wrong
wrong
wrong
wrong
wrong
flag{md5(your input)}
b'ssssddwwwwddddssaassssssaassddssaassddssddssssssddssaassddssddwwddssssddwwddddssssssssssddddddddddwwddssddddddwwaawwddwwaaaawwddddddssssssss'
wrong
wrong
wrong
wrong
wrong
wrong
wrong
wrong
wrong
wrong

正确的迷宫路径ssssddwwwwddddssaassssssaassddssaassddssddssssssddssaassddssddwwddssssddwwddddssssssssssddddddddddwwddssddddddwwaawwddwwaaaawwddddddssssssss

kernel

windows sys驱动题，exe文件利用驱动提供的功能处理输入的flag

int __fastcall main_0(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  __int64 i; // rcx
  char v6; // [rsp+40h] [rbp+0h] BYREF
  int v7[2]; // [rsp+48h] [rbp+8h] BYREF
  char ret_str[60]; // [rsp+68h] [rbp+28h] BYREF
  int v9[9]; // [rsp+A4h] [rbp+64h] BYREF
  char flag[60]; // [rsp+C8h] [rbp+88h] BYREF
  char v11; // [rsp+104h] [rbp+C4h]
  char v12; // [rsp+124h] [rbp+E4h]

  v3 = &v6;
  for ( i = 66i64; i; --i )
  {
    *(_DWORD *)v3 = 0xCCCCCCCC;
    v3 += 4;
  }
  j___CheckForDebuggerJustMyCode((__int64)&unk_1400E90A2, (__int64)argv, (__int64)envp);
  if ( (unsigned __int8)dev_open((__int64)v7) )
  {
    memset(ret_str, 0, 0x1Eui64);
    v9[0] = 0;
    memset(flag, 0, 0x20ui64);
    v11 = 0;
    v12 = 0;
    printf(&byte_1400C5138);
    while ( v11 != 10 )
    {
      v11 = j__fgetchar();
      flag[v12++] = v11;
    }
    dev_check_flag(v7[0], 0x222000, (int)flag, 32, ret_str, 0x20u, (LPDWORD)v9);
    dev_close(*(_QWORD *)v7);
    printf("%s\n");
    ((void (__fastcall *)(const char *))system)("pause");
    return 0;
  }
  else
  {
    printf(&byte_1400C5120);
    return 0;
  }
}

flag的校验逻辑在sys驱动中

__int64 __fastcall kernel_check(__int64 a1, __int64 a2)
{
  int j; // [rsp+20h] [rbp-C8h]
  int v4; // [rsp+28h] [rbp-C0h] BYREF
  int v5; // [rsp+2Ch] [rbp-BCh]
  unsigned int i; // [rsp+30h] [rbp-B8h]
  int k; // [rsp+34h] [rbp-B4h]
  int v8; // [rsp+38h] [rbp-B0h]
  int v9; // [rsp+3Ch] [rbp-ACh]
  int v10; // [rsp+40h] [rbp-A8h]
  unsigned int v11; // [rsp+44h] [rbp-A4h]
  PCSTR Format; // [rsp+48h] [rbp-A0h]
  int v13; // [rsp+50h] [rbp-98h]
  int v14; // [rsp+54h] [rbp-94h]
  _DWORD *v15; // [rsp+58h] [rbp-90h]
  int v16; // [rsp+60h] [rbp-88h]
  int v17; // [rsp+64h] [rbp-84h]
  PCSTR v18; // [rsp+68h] [rbp-80h]
  int v19[4]; // [rsp+70h] [rbp-78h] BYREF
  int encrypted_flag[8]; // [rsp+80h] [rbp-68h] BYREF
  char flag[40]; // [rsp+A0h] [rbp-48h] BYREF

  v9 = 0;
  v4 = 0;
  v5 = 0;
  v15 = (_DWORD *)sub_1400016E0(a2);
  v13 = v15[6];
  Format = *(PCSTR *)(a2 + 24);
  v11 = v15[4];
  v16 = v15[2];
  v10 = v13;
  if ( v13 == 0x222000 )
  {
    DbgPrint(&byte_140001FA0);
    v8 = 0;
    memset(flag, 0, sizeof(flag));
    memset(encrypted_flag, 0, sizeof(encrypted_flag));
    v18 = Format;
    for ( i = 0; i < v11; ++i )
      flag[i] = v18[i];
    for ( j = 0; j < 32; j += 8 )
    {
      v4 = 0;
      v5 = 0;
      v4 = (unsigned __int8)flag[j] << 24;
      v4 += (unsigned __int8)flag[j + 1] << 16;
      v4 += (unsigned __int8)flag[j + 2] << 8;
      v4 += (unsigned __int8)flag[j + 3];
      v5 = (unsigned __int8)flag[j + 4] << 24;
      v5 += (unsigned __int8)flag[j + 5] << 16;
      v5 += (unsigned __int8)flag[j + 6] << 8;
      v5 += (unsigned __int8)flag[j + 7];
      v19[0] = 0x1234;
      v19[1] = 0x3A4D;
      v19[2] = 0x5E6F;
      v19[3] = 0xAA33;
      v17 = 2;
      v14 = 33;
      xxtea_encrypt(33i64, &v4, v19);
      encrypted_flag[v8] = v4;
      encrypted_flag[v8 + 1] = v5;
      v8 += 2;
    }
    for ( k = 0; k < 8; ++k )
    {
      if ( encrypted_flag[k] == ans[k] )
        ++v9;
    }
    DbgPrint(&byte_140001FB0);
    if ( v9 == 8 )
    {
      strcpy((char *)Format, "flag is you input");
      *(_QWORD *)(a2 + 56) = 18i64;
      DbgPrint(&byte_140001FE0);
    }
    else
    {
      strcpy((char *)Format, "wrong");
      *(_QWORD *)(a2 + 56) = 6i64;
      DbgPrint(&byte_140002000);
    }
  }
  else if ( v10 != 2237440 )
  {
    goto LABEL_19;
  }
  DbgPrint(aIrpdevicecontr, v11);
  DbgPrint("CODE_WRITE %X\n", 2237440i64);
  DbgPrint(Format);
  *(_QWORD *)(a2 + 56) = 0i64;
LABEL_19:
  *(_QWORD *)(a2 + 56) = 65i64;
  IofCompleteRequest((PIRP)a2, 0);
  return 0i64;
}

xxtea加密，每次加密8个字节，大端序

__int64 __fastcall sub_140001740(unsigned int a1, unsigned int *a2, __int64 a3)
{
  __int64 result; // rax
  unsigned int v4; // [rsp+0h] [rbp-28h]
  unsigned int v5; // [rsp+4h] [rbp-24h]
  unsigned int v6; // [rsp+8h] [rbp-20h]
  unsigned int i; // [rsp+Ch] [rbp-1Ch]

  v5 = *a2;
  v6 = a2[1];
  v4 = 0;
  for ( i = 0; i < a1; ++i )
  {
    v5 += (*(_DWORD *)(a3 + 4i64 * (v4 & 3)) + v4) ^ (v6 + ((v6 >> 6) ^ (4 * v6)));
    v4 -= 0x61CEEEEF;
    v6 += (*(_DWORD *)(a3 + 4i64 * ((v4 >> 11) & 3)) + v4) ^ (v5 + ((v5 >> 6) ^ (8 * v5)));
  }
  *a2 = v5;
  result = 4i64;
  a2[1] = v6;
  return result;
}

写对应的xxtea解密

#!/usr/bin/env python

ans = [0x8CCAF011, 0x835A03B8, 0x6DCC9BAD, 0xE671FA99, 0xE6011F35, 0xE5A56CC8, 0xD4847CFA, 0x5D8E0B8E]

key = [0x1234, 0x3A4D, 0x5E6F, 0xAA33]


flag = [0 for _ in range(8)]

for i in range(4):
    x = ans[i*2]
    y = ans[i*2+1]
    sum = 0x100000000 - ((0x61CEEEEF * 33) & 0xFFFFFFFF)
    for _ in range(33):
        y = 0x100000000 + y - (((key[(sum>>11)&3])+sum)^(x+((x>>6)^(x<<3))))
        y &= 0xFFFFFFFF
        sum = (sum + 0x61CEEEEF) & 0xFFFFFFFF
        x = 0x100000000 + x - (((key[sum&3])+sum)^(y+((y>>6)^(y<<2))))
        x &= 0xFFFFFFFF
    flag[i*2] = x
    flag[i*2+1] = y

flag_s = b""
for f in flag:
    flag_s += f.to_bytes(4, byteorder='big')

print(flag_s)

文字谜题

输入字符串后使用parse处理字符串，返回值与l1使用list_eq进行比较，校验通过后计算输入字符串hash得到flag

分析list_eq发现是两个链表的比较

std::operator<<<std::char_traits<char>>(_bss_start, "Enter your magic code: ", envp);
vars10 = 0;
flag = &vars10;
vars8 = 0LL;
v3 = std::ios::widen(*(__int64 *)((char *)&std::cin[30] + *(_QWORD *)(std::cin[0] - 24)), 10LL);
std::getline<char,std::char_traits<char>,std::allocator<char>>(std::cin, &flag, (unsigned int)v3);
std::endl<char,std::char_traits<char>>((std::ostream *)_bss_start);
*(_QWORD *)&v4 = parse(&flag);
*((_QWORD *)&v4 + 1) = &l1;
if ( list_eq(v4) && vars8 == 0x23B )
{
  SHA256_Init(vars20);
  SHA256_Update(vars20, flag, vars8);
  v8 = &vars90;
  SHA256_Final(&vars90, vars20);
  v9 = (unsigned __int64)"Congratulations! Your flag is: flag{W0w_U_Ar3_V3ry_G00d_A7_C0unt1n9_";
  std::operator<<<std::char_traits<char>>(
    _bss_start,
    "Congratulations! Your flag is: flag{W0w_U_Ar3_V3ry_G00d_A7_C0unt1n9_",
    v10);

分析处理输入的parse，只接收ab-3个字符，3个字符分别对应3种处理

__int64 __fastcall parse0(__int64 a1, __int64 a2, __int64 a3)
{
// a2 = 1
// a3 = 0
  v3 = (char *)a1;
  v4 = a3;
LABEL_2:
  for ( i = a2; ; i = (i - 1) / 3u )
  {
    v6 = *v3;
    if ( !*v3 )
      break;
    while ( 1 )
    {
      ++v3;
      if ( v6 == 'a' )
      {
        i *= 2;
        goto LABEL_2;
      }
      if ( v6 == 'b' )
        break;
      if ( v6 != '-' )
        goto LABEL_18;
      v7 = operator new(0x10uLL);
      v8 = v4;
      v9 = v7;
      v10 = 1LL;
      if ( v4 )
      {
        do
        {
          v8 = *(_QWORD *)(v8 + 8);
          v11 = v10++;
        }
        while ( v8 );
      }
      else
      {
        v11 = 0;
      }
      a1 = (unsigned int)(i + v11);
      v12 = num2ch(a1, a2, v8);
      *(_QWORD *)(v9 + 8) = v4;
      i = 1;
      v4 = v9;
      *(_BYTE *)v9 = v12;
      v6 = *v3;
      if ( !*v3 )
        goto LABEL_9;
    }
    a3 = (unsigned int)(3 * (i / 3));
    if ( i % 3 != 1 || (i & 1) != 0 )
LABEL_18:
      bad_input(a1, a2, a3);
  }
LABEL_9:
  v13 = operator new(0x10uLL);
  v14 = v4;
  v15 = v13;
  v16 = 1LL;
  if ( v4 )
  {
    do
    {
      v14 = *(_QWORD *)(v14 + 8);
      v17 = v16++;
    }
    while ( v14 );
  }
  else
  {
    v17 = 0;
  }
  *(_BYTE *)v15 = num2ch((unsigned int)(i + v17), a2, v14);
  result = v15;
  *(_QWORD *)(v15 + 8) = v4;
  return result;
}

关注第一个for循环，初始化i = 1

LABEL_2:
  for ( i = a2; ; i = (i - 1) / 3u )

依次取出一个字符进行比较，若字符为a，i *= 2，goto进行下一次循环，跳过for循环结尾的i = (i - 1) / 3

if ( v6 == 'a' )
{
  i *= 2;
  goto LABEL_2;
}

若字符为b，使用break跳出while循环，需要确保i % 3 == 1和i & 1 == 0，随后执行for循环结尾的i = (i - 1) / 3

      if ( v6 == 'b' )
        break;
   if ( i % 3 != 1 || (i & 1) != 0 )
LABEL_18:
      bad_input(a1, a2, a3);

若字符为-，创建一个新的链表节点v9，计算链表长度v11，计算v12 = num2ch(i+v11)，将计算得到的v12储存在节点v9中，并将v9插入到结果链表头部

v7 = operator new(0x10uLL);
v8 = v4;
v9 = v7;
v10 = 1LL;
if ( v4 )
{
  do
  {
    v8 = *(_QWORD *)(v8 + 8);
    v11 = v10++;
  }
  while ( v8 );
}
else
{
  v11 = 0;
}
a1 = (unsigned int)(i + v11);
v12 = num2ch(a1, a2, v8);
*(_QWORD *)(v9 + 8) = v4;
i = 1;
v4 = v9;
*(_BYTE *)v9 = v12;

num2ch对输入的字符异或0x8D，并且要求输入字符小于0x100，即为一个字节

__int64 __fastcall num2ch(__int64 a1, __int64 a2, __int64 a3)
{
  LOBYTE(a1) = a1 ^ 0x8D;
  if ( (unsigned int)(a1 - 1) > 0xFE )
    bad_input(a1, a2, a3);
  return (unsigned int)a1;
}

若字符不为ab-，parse返回

parse对应的算法如下(这里使用列表代替链表，方向相反)

def parse(s:str):
    i = 1
    ls = []
    for c in s:
        if (c == 'a'):
            i *= 2
        elif (c == 'b'):
            assert((i % 3 == 1) and (i % 2 == 0))
            i = (i - 1) // 3
        elif (c == '-'):
            deep = len(ls)
            new_c = (i + deep) ^ 0x8D
            ls.append(new_c)
            i = 1

动态调试获取校验链表l1的值

.bss:00005D849CA5F300 ; l1
.bss:00005D849CA5F300 _ZL2l1          db 49h                  ; DATA XREF: main+97↑o
.bss:00005D849CA5F300                                         ; _GLOBAL__sub_I__Z9bad_inputv+9B↑w
.bss:00005D849CA5F301                 align 8
.bss:00005D849CA5F308 qword_5D849CA5F308 dq 5D849CA5F310h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+A2↑w
.bss:00005D849CA5F310 ; l2
.bss:00005D849CA5F310 _ZL2l2          db 53h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+5B↑o
.bss:00005D849CA5F310                                         ; _GLOBAL__sub_I__Z9bad_inputv+94↑w
.bss:00005D849CA5F311                 align 8
.bss:00005D849CA5F318 qword_5D849CA5F318 dq 5D849CA5F320h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+54↑w
.bss:00005D849CA5F320 ; l3
.bss:00005D849CA5F320 _ZL2l3          db 43h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+4D↑o
.bss:00005D849CA5F320                                         ; _GLOBAL__sub_I__Z9bad_inputv+8D↑w
.bss:00005D849CA5F321                 align 8
.bss:00005D849CA5F328 qword_5D849CA5F328 dq 5D849CA5F330h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+46↑w
.bss:00005D849CA5F330 ; l4
.bss:00005D849CA5F330 _ZL2l4          db 43h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+3F↑o
.bss:00005D849CA5F330                                         ; _GLOBAL__sub_I__Z9bad_inputv+86↑w
.bss:00005D849CA5F331                 align 8
.bss:00005D849CA5F338 qword_5D849CA5F338 dq 5D849CA5F340h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+38↑w
.bss:00005D849CA5F340 ; l5
.bss:00005D849CA5F340 _ZL2l5          db 32h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+31↑o
.bss:00005D849CA5F340                                         ; _GLOBAL__sub_I__Z9bad_inputv+7F↑w
.bss:00005D849CA5F341                 align 8
.bss:00005D849CA5F348 qword_5D849CA5F348 dq 5D849CA5F350h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+2A↑w
.bss:00005D849CA5F350 ; l6
.bss:00005D849CA5F350 _ZL2l6          db 30h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+23↑o
.bss:00005D849CA5F350                                         ; _GLOBAL__sub_I__Z9bad_inputv+78↑w
.bss:00005D849CA5F351                 align 8
.bss:00005D849CA5F358 qword_5D849CA5F358 dq 5D849CA5F360h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+1C↑w
.bss:00005D849CA5F360 ; l7
.bss:00005D849CA5F360 _ZL2l7          db 32h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+7↑w
.bss:00005D849CA5F360                                         ; _GLOBAL__sub_I__Z9bad_inputv+15↑o
.bss:00005D849CA5F361                 align 8
.bss:00005D849CA5F368 qword_5D849CA5F368 dq 5D849CA5F370h     ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+E↑w
.bss:00005D849CA5F370 ; l8
.bss:00005D849CA5F370 _ZL2l8          dq 34h                  ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv↑o
.bss:00005D849CA5F370                                         ; _GLOBAL__sub_I__Z9bad_inputv+62↑w
.bss:00005D849CA5F378 qword_5D849CA5F378 dq 0                 ; DATA XREF: _GLOBAL__sub_I__Z9bad_inputv+6D↑w

ans_ls = [0x34, 0x32, 0x30, 0x32, 0x43, 0x43, 0x53, 0x49]

需要计算每个值对应的字符串输入，由于逆推难度较大，考虑使用递归暴力计算

计算逻辑中存在(i-1)//3的操作，因此实际计算的最大值可能远大于0x100，此处选择100000，保留最短输入字符串

ans_ls = [0x34, 0x32, 0x30, 0x32, 0x43, 0x43, 0x53, 0x49]
ls = [(ans_ls[i] ^ 0x8D) - i for i in range(8)]

parse_ls = [None for _ in range(0x100)]

def recur(k, s):
    if (k > 100000):
        return
    global parse_ls
    try:
        if (parse_ls[k] == None or len(s) < len(parse_ls[k])):
            parse_ls[k] = s
    except:
        pass
    try:
        recur(k*2, s+'a')
    except:
        pass
    if ((k % 3 == 1) and (k % 2 == 0)):
        try:
            recur((k-1)//3, s+'b')
        except:
            pass

recur(1, "")

for i in range(0x100):
    print(hex(i), parse_ls[i])

for d in ls:
    print(parse_ls[d], end='-')

爆破得到正确的输入字符串，得到flag

❯ ./puzzle
Enter your magic code: aaaabaaabaababaaababaaaababaababaaabaababaab-aaaabaaaaabababaaabaaaabaabaabaaaababababaaababababababaababaabababaaabaababababaabababaababaaaabababababa-aaaabaaabaababaaababaaaabaaabababaaababaabab-aaaabaaaaabababaaabaaaabaabaabaaaababababaaababababababaababaabababaaabaababababaabababaababaabaababababaa-aaaabaaabaababaaababaaaaba-aaaaaaaaaabababaab-aaaabaaaaabababaaabaaaabaabaabaaaababababaaababababababaababaabababaaabaababababaabababaababaabaabababababaababaaa-aaaabaaaaabababaaabaaaabaabaabaaaababababaaababababababaababaabababaaabaababababaabababaababaabaabababaaab 

Congratulations! Your flag is: flag{W0w_U_Ar3_V3ry_G00d_A7_C0unt1n9_3c968eb5d72c3dca}

crazyaes

PE文件头表示被修改，手动恢复

UPX加壳，将PPP0和PPP1还原为UPX0和UPX1，upx -d脱壳

比赛中没注意到里面的UPX表示，用x64dbg手动脱的，没符号还没法调

有几处花指令手动修复下

.text:0043B4CF             loc_43B4CF:                             ; CODE XREF: _main_0+FB↑j
.text:0043B4CF 74 03       jz      short near ptr loc_43B4D3+1
.text:0043B4CF
.text:0043B4D1 75 01       jnz     short near ptr loc_43B4D3+1
.text:0043B4D1
.text:0043B4D3
.text:0043B4D3             loc_43B4D3:                             ; CODE XREF: _main_0:loc_43B4CF↑j
.text:0043B4D3                                                     ; _main_0+111↑j
.text:0043B4D3 E8 68 00 E0+call    near ptr 4B23B540h

main里面输入输出

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+0h] [ebp-130h]
  char v5; // [esp+0h] [ebp-130h]
  char v6; // [esp+0h] [ebp-130h]
  unsigned int j; // [esp+D0h] [ebp-60h]
  int i; // [esp+DCh] [ebp-54h]
  int v9; // [esp+E8h] [ebp-48h]
  char v10; // [esp+F7h] [ebp-39h]
  char encrypted[24]; // [esp+100h] [ebp-30h] BYREF
  char ans[20]; // [esp+118h] [ebp-18h]

  ans[0] = -76;
  ans[1] = 56;
  ans[2] = 54;
  ans[3] = 48;
  ans[4] = 30;
  ans[5] = 104;
  ans[6] = 72;
  ans[7] = 87;
  ans[8] = 81;
  ans[9] = 1;
  ans[10] = -73;
  ans[11] = 3;
  ans[12] = -101;
  ans[13] = -104;
  ans[14] = -29;
  ans[15] = 126;
  memset(encrypted, 17, 15);
  encrypted[15] = 1;
  v10 = 0;
  v9 = 0;
  printf((int)&unk_4A2114, v4);
  while ( v10 != 10 )
  {
    v10 = getchar();
    flag[v9++] = v10;
  }
  for ( i = 0; i < 16; ++i )
    encrypted[i] = flag[i];
  aes_encrypt(0, encrypted, 16, &aes_key);
  for ( j = 0; j < 0x10; ++j )
  {
    if ( encrypted[j] != ans[j] )
    {
      printf((int)"wrong!!!", v5);
      Sleep(0x1388u);
      j___loaddll(0);
    }
  }
  printf((int)"WOW!!!", v5);
  system("pause");
  return printf((int)"\n", v6);
}

标准的aes解密出来是错误的，应该是魔改了奇怪的东西

aes加密在add_round_key后面多了一轮异或操作

int __cdecl aes_encrypt(int _0, int data, int len, int key)
{
  int j; // [esp+D0h] [ebp-14Ch]
  int m; // [esp+D0h] [ebp-14Ch]
  int n; // [esp+D0h] [ebp-14Ch]
  int i; // [esp+DCh] [ebp-140h]
  int k; // [esp+E8h] [ebp-134h]
  char xor_box[24]; // [esp+F4h] [ebp-128h]
  int state[6]; // [esp+10Ch] [ebp-110h] BYREF
  char expaned_key[244]; // [esp+124h] [ebp-F8h] BYREF

  j__memset(expaned_key, 0, 0xF0u);
  memset(state, 0, 16);
  xor_box[0] = 0;
  xor_box[1] = 1;
  xor_box[2] = 2;
  xor_box[3] = 3;
  xor_box[4] = 1;
  xor_box[5] = 0;
  xor_box[6] = 3;
  xor_box[7] = 2;
  xor_box[8] = 2;
  xor_box[9] = 3;
  xor_box[10] = 0;
  xor_box[11] = 1;
  xor_box[12] = 3;
  xor_box[13] = 2;
  xor_box[14] = 1;
  xor_box[15] = 0;
  aes_key_expansion(_0, key, expaned_key);
  for ( i = 0; i < len; i += 4 * 4[_0] )
  {
    for ( j = 0; j < 4 * 4[_0]; ++j )
      *((_BYTE *)state + j) = *(_BYTE *)(data + j + i);
    for ( k = 0; k <= 10[_0]; ++k )
    {
      if ( k > 0 )
      {
        sub_bytes(_0, state);
        shift_rows(_0, state);
        if ( k < 10[_0] )
          mix_columns(_0, state);
      }
      add_round_key(_0, state, expaned_key, k);
      for ( m = 0; m < 4 * 4[_0]; ++m )
        *((_BYTE *)state + m) ^= xor_box[m];
    }
    for ( n = 0; n < 4 * 4[_0]; ++n )
      *(_BYTE *)(data + n + i) = *((_BYTE *)state + n);
  }
  return 0;
}

S盒代换后多了一个异或0xA1

int __cdecl sub_43AAA0(int a1, int a2)
{
  int result; // eax
  int j; // [esp+D0h] [ebp-14h]
  int i; // [esp+DCh] [ebp-8h]

  __CheckForDebuggerJustMyCode(&unk_4B20F4);
  for ( i = 0; ; ++i )
  {
    result = a1;
    if ( i >= 4[a1] )
      break;
    for ( j = 0; j < 4; ++j )
    {
      *(_BYTE *)(a2 + j + 4 * i) = sub_434D0B(*(_BYTE *)(a2 + j + 4 * i));
      *(_BYTE *)(a2 + j + 4 * i) ^= 0xA1u;
    }
  }
  return result;
}

列混合后多了一个异或0x54

void __cdecl sub_43A530(int a1, int a2)
{
  char v2; // bl
  int j; // [esp+DCh] [ebp-44h]
  int m; // [esp+DCh] [ebp-44h]
  int k; // [esp+E8h] [ebp-38h]
  int i; // [esp+F4h] [ebp-2Ch]
  char v7[12]; // [esp+100h] [ebp-20h]
  char v8[20]; // [esp+10Ch] [ebp-14h]

  v8[0] = 2;
  v8[1] = 3;
  v8[2] = 1;
  v8[3] = 1;
  v8[4] = 1;
  v8[5] = 2;
  v8[6] = 3;
  v8[7] = 1;
  v8[8] = 1;
  v8[9] = 1;
  v8[10] = 2;
  v8[11] = 3;
  v8[12] = 3;
  v8[13] = 1;
  v8[14] = 1;
  v8[15] = 2;
  for ( i = 0; i < 4[a1]; ++i )
  {
    for ( j = 0; j < 4; ++j )
    {
      if ( (unsigned int)j >= 4 )
        j____report_rangecheckfailure();
      v7[j] = 0;
      for ( k = 0; k < 4; ++k )
      {
        v2 = v7[j];
        v7[j] = sub_433C3A(*(_BYTE *)(a2 + k + 4 * i), v8[4 * j + k]) ^ v2;
      }
    }
    for ( m = 0; m < 4; ++m )
    {
      *(_BYTE *)(a2 + m + 4 * i) = v7[m];
      *(_BYTE *)(a2 + m + 4 * i) ^= 0x54u;
    }
  }
}

修改AES对应的代码部分进行解密

比赛的时候电脑上没AES源码，嗯逆了两个小时，还原了加密，解密的时候列混合不会写

#!/usr/bin/env python

ans = [0xB4, 0x38, 0x36, 0x30, 0x1E, 0x68, 0x48, 0x57, 0x51, 0x01, 0xB7, 0x03, 0x9B, 0x98, 0xE3, 0x7E]

key = "gah43jJKgfjGMeAR"

# 密钥生成过程直接dump
key_box = [0x67, 0x61, 0x68, 0x34, 0x33, 0x6A, 0x4A, 0x4B, 0x67, 0x66, 0x6A, 0x47, 0x4D, 0x65, 0x41, 0x52,
 0x2B, 0xE2, 0x68, 0xD7, 0x18, 0x88, 0x22, 0x9C, 0x7F, 0xEE, 0x48, 0xDB, 0x32, 0x8B, 0x09, 0x89,
 0x14, 0xE3, 0xCF, 0xF4, 0x0C, 0x6B, 0xED, 0x68, 0x73, 0x85, 0xA5, 0xB3, 0x41, 0x0E, 0xAC, 0x3A,
 0xBB, 0x72, 0x4F, 0x77, 0xB7, 0x19, 0xA2, 0x1F, 0xC4, 0x9C, 0x07, 0xAC, 0x85, 0x92, 0xAB, 0x96,
 0xFC, 0x10, 0xDF, 0xE0, 0x4B, 0x09, 0x7D, 0xFF, 0x8F, 0x95, 0x7A, 0x53, 0x0A, 0x07, 0xD1, 0xC5,
 0x29, 0x2E, 0x79, 0x87, 0x62, 0x27, 0x04, 0x78, 0xED, 0xB2, 0x7E, 0x2B, 0xE7, 0xB5, 0xAF, 0xEE,
 0xDC, 0x57, 0x51, 0x13, 0xBE, 0x70, 0x55, 0x6B, 0x53, 0xC2, 0x2B, 0x40, 0xB4, 0x77, 0x84, 0xAE,
 0x69, 0x08, 0xB5, 0x9E, 0xD7, 0x78, 0xE0, 0xF5, 0x84, 0xBA, 0xCB, 0xB5, 0x30, 0xCD, 0x4F, 0x1B,
 0x54, 0x8C, 0x1A, 0x9A, 0x83, 0xF4, 0xFA, 0x6F, 0x07, 0x4E, 0x31, 0xDA, 0x37, 0x83, 0x7E, 0xC1,
 0xA3, 0x7F, 0x62, 0x00, 0x20, 0x8B, 0x98, 0x6F, 0x27, 0xC5, 0xA9, 0xB5, 0x10, 0x46, 0xD7, 0x74,
 0xCF, 0x71, 0xF0, 0xCA, 0xEF, 0xFA, 0x68, 0xA5, 0xC8, 0x3F, 0xC1, 0x10, 0xD8, 0x79, 0x16, 0x64]

s_box = [
  0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 
  0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 
  0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 
  0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 
  0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 
  0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 
  0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 
  0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 
  0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 
  0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 
  0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 
  0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 
  0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 
  0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 
  0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 
  0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 
  0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 
  0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 
  0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 
  0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 
  0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 
  0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 
  0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 
  0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 
  0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 
  0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
]
t_box = [2, 3, 1, 1, 1, 2, 3, 1, 1, 1, 2, 3, 3, 1, 1, 2]

def sub_2A353C(a, k):
    for i in range(k):
        a = (27 * ((a >> 7) & 1)) ^ (2 * a)
        a &= 0xFF
    return a
def sub_2A3C3A(a, b):
    x = 0
    for i in range(8):
        x ^= sub_2A353C(a, i) * ((b >> i) & 1)
    return x


# 加密过程
data = [0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66]

xor_box = [0, 1, 2, 3, 1, 0, 3, 2, 2, 3, 0, 1, 3, 2, 1, 0]
for i in range(11):
    if (i > 0):
        for j in range(16):
            data[j] = s_box[data[j]] ^ 0xA1

        for j in range(4):
            for k in range(j):
                tmp = data[j]
                data[j+0] = data[j+4]
                data[j+4] = data[j+8]
                data[j+8] = data[j+12]
                data[j+12] = tmp

        if (i < 10):
            tmp_box = [0, 0, 0, 0]
            for j in range(4):
                for k in range(4):
                    tmp_box[k] = 0
                    for r in range(4):
                        a = data[r+4*j]
                        b = t_box[r+4*k]
                        tmp_box[k] ^= sub_2A3C3A(a, b)
                for k in range(4):
                    data[k+4*j] = tmp_box[k] ^ 0x54

    for j in range(16):
        data[j] ^= key_box[i*16+j]
    for j in range(16):
        data[j] ^= xor_box[j]
for d in data:
    print(hex(d), end=' ')
print()

exit()

要地守护

安卓题，AS刚好没装对应的SDK，没法调试，给的MUMU虚拟机对linux用户很不友好，静态分析了镜像没思路放弃了