DAS七月赛

隐秘的角落

加密后的数据在init函数有异或0x23的操作，是rc4加密

import base64


def rc4_main(key, message):
    s_box = rc4_init_sbox(key)
    crypt = rc4_excrypt(message, s_box)
    return crypt


def rc4_init_sbox(key):
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    return s_box
def rc4_excrypt(plain, box):
    res = []
    i = j = 0
    for s in plain:
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        t = (box[i] + box[j]) % 256
        k = box[t]
        res.append(chr(s ^ k))
    for i in range (len(res)):
        print(res[i],end='')
    return res

#a=[0xE0,0xB2,0x5F,0x3D,0x8F,0xFA,0x94,0xB6,0xE7,0x9D,0x6C,0x98,0x66,0xD2,0x0F,0xEA,0x6D,0x6F,0xBE,0xC5,0x71,0x40,0x08,0x1B,0xF6,0xF3,0xBD,0xA8,0x8D,0x09,0x7B,0x7C]
a = [251, 198, 166, 157, 196, 219, 123, 86, 182, 70, 166, 192, 133, 100, 122, 154, 55, 76, 16, 150, 233, 167, 40, 196, 177, 45, 241, 222, 71, 59, 181, 243, 44, 125, 103, 29]
rc4_main("thisiskkk",a)

得到56e83694-f976-11eb-b343-faffc201c8e0

再md5加密小写就是flag

ezGo

go题一些陌生的函数以及奇怪的变量配合动调体验更加

这里的循环的作用主要是把输入的40个字符的ASCII码拼接成一个大整数

然后就是平方取余比较

加密就是如下
$$
c=m^2modn
$$
一种特殊的RSA加密形式，用rabnin算法解

用yafu分解大质数，可以发现这两个质数都是模四余三，根据e=2可知，这是一个rabin算法。

import libnum
import gmpy2
#导入公钥
n=131453094564548508772284336424680998857035326273571981446094083416917514535349876760437096547435610190391556347148927592380050533193934285571983556924577144473815598516557161
e = 2
c=33529281532734294938614341047870321616766628114182320093600990983456360122704185955921012051918080449587733939007294096845300395098833835443815283246602601870001850089370636
#n 在线分解
p=17489158711316178659
q=7516261744453902635364442762653073356746063224482072262455102025715350278471780391042196223686233375846890331396948280463168691132631674699134296333350979
inv_p = gmpy2.invert(p, q)
inv_q = gmpy2.invert(q, p)
mp = pow(c, (p + 1) // 4, p)
mq = pow(c, (q + 1) // 4, q)
a = (inv_p * p * mq + inv_q * q * mp) % n
b = n - int(a)
c = (inv_p * p * mq - inv_q * q * mp) % n
d = n - int(c)
#因为rabin 加密有四种结果，全部列出。
aa=[a,b,c,d]
for i in aa:
    # print(i)
    print(libnum.n2s(int(i)))

得到flag：DASCTF{48fa8aa2b489e9adac1750ea16ddc7b5}

fantansic maze

sha256爆破
自动化路径求解
bfs算法

首先是常规的sha256爆破

过了proof之后题目会给出远程程序的base64编码，将编码解码后写入文本再拖入IDA查看

其中有1000个相似的函数，其汇编代码大致如下(这里IDA F5看不出来啥东西)

.text:0000000000001358 function_0      proc near               ; CODE XREF: function_36+85↓p
.text:0000000000001358                                         ; function_201+67↓p ...
.text:0000000000001358 ; __unwind {
.text:0000000000001358                 endbr64
.text:000000000000135C                 push    rbp
.text:000000000000135D                 mov     rbp, rsp
.text:0000000000001360                 sub     rsp, 10h
.text:0000000000001364                 mov     eax, cs:tmp
.text:000000000000136A                 add     eax, 1
.text:000000000000136D                 mov     cs:tmp, eax
.text:0000000000001373                 lea     rdi, aStep1     ; "step1:"
.text:000000000000137A                 call    sub_10C0
.text:000000000000137F                 mov     eax, 0
.text:0000000000001384                 call    read_num
.text:0000000000001389                 mov     [rbp-4], eax
.text:000000000000138C                 cmp     dword ptr [rbp-4], 0Ah
.text:0000000000001390                 ja      loc_141E
.text:0000000000001396                 mov     eax, [rbp-4]
.text:0000000000001399                 lea     rdx, ds:0[rax*4]
.text:00000000000013A1                 lea     rax, unk_3501C
.text:00000000000013A8                 mov     eax, [rdx+rax]
.text:00000000000013AB                 cdqe
.text:00000000000013AD                 lea     rdx, unk_3501C
.text:00000000000013B4                 add     rax, rdx
.text:00000000000013B7                 db      3Eh
.text:00000000000013B7                 jmp     rax
.text:00000000000013BA ; ---------------------------------------------------------------------------
.text:00000000000013BA                 mov     eax, 0
.text:00000000000013BF                 call    function_541
.text:00000000000013C4                 mov     eax, 0
.text:00000000000013C9                 call    function_205
.text:00000000000013CE                 mov     eax, 0
.text:00000000000013D3                 call    function_297
.text:00000000000013D8                 mov     eax, 0
.text:00000000000013DD                 call    function_175
.text:00000000000013E2                 mov     eax, 0
.text:00000000000013E7                 call    function_331
.text:00000000000013EC                 mov     eax, 0
.text:00000000000013F1                 call    function_287
.text:00000000000013F6                 mov     eax, 0
.text:00000000000013FB                 call    function_938
.text:0000000000001400                 mov     eax, 0
.text:0000000000001405                 call    function_413
.text:000000000000140A                 mov     eax, 0
.text:000000000000140F                 call    function_934
.text:0000000000001414                 mov     eax, 0
.text:0000000000001419                 call    function_1000
.text:000000000000141E
.text:000000000000141E loc_141E:                               ; CODE XREF: function_0+38↑j
.text:000000000000141E                 mov     eax, 0
.text:0000000000001423                 call    main
.text:0000000000001428                 nop
.text:0000000000001429                 leave
.text:000000000000142A                 retn
.text:000000000000142A ; } // starts at 1358
.text:000000000000142A function_0      endp

转换为伪代码大致如下

tmp++;
switch(read_num()){
    case "1": function_541();
    case "2": function_205();
    .....
    case "10" function_1000();
    default:
        main();
}

从function_0 ~ function_999都能跳转到其它的十个函数，我们的目标是要在第1000步的时候走到function_1000从而获得flag

但是这里可以发现在每一个switch内只要default就会返回main函数，那么我们其实只需要找到一条长度小于1000的路径，然后一直default去填充tmp就好了

寻找最短路径可以采用bfs算法，那我们只需要知道1000个函数每个函数可以跳转到那些函数就好了，但是由于每一次的maze都是随机生成的且超过20秒就会直接Alarm clock,所以我们不能通过IDA来直观的得知程序的构造，而是需要我们手动分析hex view来得到程序的构造

分析Hex View主要分析的就是call指令

call指令占5个字节,如00000000000013BF call function_541 在 Hex View 中为\x00\x01\xbd\x7b\xe8(这里为大端序), \xe8可以理解为标志位,\x00\x01\xbd\x7b为地址到跳转函数的00000000000013BF偏移,而这里每一个函数的偏移为0xd3，这里就可以通过偏移来算出call指令所指向的函数

这里得注意下这里得偏移是有符号数，所以在计算的时候需要将其转换

最后，在得到表之后，用bfs算法得到路径，最后得到flag

#!/usr/bin/python3

from pwn import *
import random
import sys
from hashlib import sha256

p = remote("127.0.0.1",1447)

def pass_proof():
	dir = string.ascii_letters + string.digits #生成24个字母和十个数
	p.recvuntil('[+] sha256(XXXX+')
	salt = p.recv(16).strip().decode()#strip() 方法用于移除字符串头尾指定的字符（/n)
   #decode() 方法以 encoding 指定的编码格式解码字符串。默认编码为字符串编码。
	p.recvuntil(') == ')
	hash = p.recv(64).strip().decode()
	while True:
		rand_str = (''.join([random.choice(dir) for _ in range(4)])) + salt
		if sha256(rand_str.encode()).hexdigest() == hash:
			print(rand_str[:4])
			p.sendlineafter('[+] Plz Tell Me XXXX :', rand_str[:4])
			break

def get_elf():
	p.recvuntil("map :\n")
	data=p.recvuntil('That\'s all\n',drop=True)[:-1]
	data=base64.b64decode(data)
	fd=open('pwnpwn','wb')
	fd.write(data)
	fd.close()

pass_proof()
get_elf()

fd = open("./pwnpwn","rb")
offset = 0x13C0


def get_map(fd,offset):
	Map = []
	for i in range(1000):
		addr = offset
		for j in range(10):
			fd.seek(addr)
			fc = u64(fd.read(4).ljust(8,b'\x00'))
			if fc <= 0x33765: #整个迷宫函数的长度
				fc = fc//0xd3 + i + 1 #oxd3是func度
			else:
				fc = fc - 0x100000000
				if fc > -0xd3:
					fc = i
				else:
					if addr+fc < 0x134A: #func1000
						fc = 1000
					else:
						fc = fc//0xd3
						fc = i+1+fc
			Map.append(fc)
			addr += 0xa #case的长度
		offset += 0xd3
	
	return Map
Map = get_map(fd,offset)

def do_bfs(Map):
	values = []
	keys = [] 
	for y in range(1000):
		for x in range(10):
			   if x == 0:
				   values.append([])
			   values[y].append(Map[x + y * 10])
	for i in range(1000):
		keys.append(i)
	result = dict(zip(keys,values)) #两个列表合并成一个字典
	result[1000] = ""
	#print(result)
	result1 = None
	q = [(0,'')]
	check_map = {}
	while len(q):
		f = q[0]
		q = q[1:]
		if f[0] == 1000:
			result1 = f[1]
			break
		if f[0] not in check_map:
			check_map[f[0]] = f[1]
        
			for i in range(10):
				if result[f[0]][i] not in check_map:
					q.append((result[f[0]][i],f[1]+str(i)))
	return result1
result = do_bfs(Map)
print(result)
result = str(result)
times = 999 - len(result)

for i in range(times):
	p.sendline("11")

for i in range(len(result)):
	p.sendline(str(int(result[i])+1))