This post was last edited by xiaowaaa on 2024-6-10 18:13
1. Baby_OBVBS:
This was the first VBS reversing challenge I had done and I had no idea how to approach it. Looking at tutorials online, I found the file contains a lot of Chr() obfuscation, so I tried to extract it with Python, but the extracted data was incomplete and I had to give up. After reading an expert's write-up I found a much simpler method: change the leading Execute to wscript.echo, and the script prints its own decoded contents directly. Really clever, very impressive.
Changing the prefix
Here is the code:
eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
Function Base64Decode(base64EncodedString)
Dim xml, elem
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
Function Initialize(strPwd)
Dim box(256)
Dim tempSwap
Dim a
Dim b
For i = 0 To 255
box(i) = i
Next
a = 0
b = 0
For i = 0 To 255
a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
tempSwap = box(i)
box(i) = box(a)
box(a) = tempSwap
Next
Initialize = box
End Function
Function Myfunc(strToHash)
Dim tmpFile, strCommand, objFSO, objWshShell, out
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWshShell = CreateObject("WScript.Shell")
tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
objFSO.CreateTextFile(tmpFile).Write(strToHash)
strCommand = "certutil -hashfile " & tmpFile & " MD5"
out = objWshShell.Exec(strCommand).StdOut.ReadAll
objFSO.DeleteFile tmpFile
Myfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function
Function EnCrypt(box, strData)
Dim tempSwap
Dim a
Dim b
Dim x
Dim y
Dim encryptedData
encryptedData = ""
For x = 1 To Len(strData)
a = (a + 1) Mod 256
b = (b + box(a)) Mod 256
tempSwap = box(a)
box(a) = box(b)
box(b) = tempSwap
y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
Next
EnCrypt = encryptedData
End Function
msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."
key = InputBox("Enter the key:", "CTF Challenge")
if (key = False) then wscript.quit
if (len(key)<>6) then
wscript.echo "wrong key length!"
wscript.quit
end if
If (Myfunc(key) = ANtg) Then
wscript.echo "You get the key!Move to next challenge."
Else
wscript.echo "Wrong key!Try again!"
wscript.quit
End If
userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
wscript.echo "wrong!"
wscript.quit
end if
box = Initialize(key)
encryptedInput = EnCrypt(box, userInput)
If (encryptedInput = eAqi) Then
MsgBox "Congratulations! You have learned VBS!"
Else
MsgBox "Wrong flag. Try again."
End If
wscript.echo "bye!"
Trying to decrypt based on the code:
RC4 decryption:
From the initialization code we can see this is RC4. The ciphertext and the key check are given at the top of the script, where the key is checked by its MD5 value. Looking the hash up on CMD5 gives the key, H&NKEY, and then it is a plain RC4 decryption.
The flag is H&NCTF{VBS_1s@s0_7unny_an4_pow3rfu1_t00l!}
Takeaways from this challenge:
A first look at VBS reversing: I learned the basic approach, and the trick of using wscript.echo to print the obfuscated script contents directly.
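Added here as a worked example (not code from the original post): a Python re-implementation of the script's Initialize/EnCrypt routines (standard RC4 KSA/PRGA) and of the Myfunc MD5 gate, so the decryption step above can be reproduced offline. The ciphertext and MD5 constants are the eAqi/ANtg values from the script; the key H&NKEY is the one recovered from the MD5 lookup in the write-up.

```python
import hashlib

# Constants copied from the challenge script (eAqi and ANtg).
CIPHER_HEX = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
KEY_MD5 = "baacc7ffa8232d28f814bb14c428798b"


def rc4_ksa(key: bytes) -> list:
    """Key scheduling, mirroring the script's Initialize(strPwd)."""
    box = list(range(256))
    a = 0
    for i in range(256):
        a = (a + box[i] + key[i % len(key)]) % 256
        box[i], box[a] = box[a], box[i]
    return box


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Keystream generation + XOR, mirroring the script's EnCrypt(box, strData).

    RC4 is symmetric, so running the same routine over the ciphertext decrypts it.
    """
    box = rc4_ksa(key)
    a = b = 0
    out = bytearray()
    for byte in data:
        a = (a + 1) % 256
        b = (b + box[a]) % 256
        box[a], box[b] = box[b], box[a]
        out.append(byte ^ box[(box[a] + box[b]) % 256])
    return bytes(out)


def key_passes_check(key: str) -> bool:
    """Same gate as the script: length 6, and MD5 of the raw key bytes equals ANtg.

    Myfunc() writes the key to a temp file with Write (no newline) and hashes it
    with certutil, so this is a plain MD5 over the key bytes.
    """
    return len(key) == 6 and hashlib.md5(key.encode()).hexdigest() == KEY_MD5


def recover_flag(key: str) -> str:
    """Undo EnCrypt(): hex-decode the stored ciphertext, then RC4 it again."""
    return rc4_crypt(key.encode(), bytes.fromhex(CIPHER_HEX)).decode("latin-1")


if __name__ == "__main__":
    key = "H&NKEY"  # key recovered from the MD5 lookup in the write-up
    print("key passes MD5 check:", key_passes_check(key))
    print("flag:", recover_flag(key))
```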
2. DO YOU KNOW SWDD?
This is an SMC (self-modifying code) challenge, so I used dynamic debugging to decrypt it.
1. Check for a packer:
32-bit, not packed
2. Open in IDA
Look at main and keep following the calls; one spot looks like the encryption/decryption routine.
There is a .hello; debugging shows this is a section with that name, so this is where the SMC decryption happens. Set a breakpoint at the return and look at that spot: it shows up red in IDA. Convert it to a function by hand: first press C to force it to code, then P to create a function, and then F5 decompiles it.
The code here is very simple to decrypt. Decryption code:
def decrypt(s, key):
    decrypted = ""
    for char in s:
        # If the current character is an uppercase letter
        if 'A' <= char <= 'Z':
            # Subtract the fixed value (10), then take mod 26
            decrypted += chr(((ord(char) - ord('A') - key) + 26) % 26 + ord('A'))
        else:
            decrypted += char
    return decrypted
# The encrypted string
encrypted_str = "S_VYFO_CGNN_GRKD_KLYED_IYE"
# Decryption key, the same one used for encryption
key = 10
# Call the decryption function
decrypted_str = decrypt(encrypted_str, key)
# Print the decrypted string
print("Decrypted string:", decrypted_str)
3. Takeaways from this challenge:
A better understanding of SMC
3. childmaze
A Rust reversing challenge that mostly tests your eye: locate the key address from the strings and solve it directly. The value of v331 can be traced step by step with X (cross-references).
1. Open in IDA:
Here is the decryption code directly:
flag = ''
data = 'H\'L@PC}Ci625`hG2]3bZK4{1~'
for i in range(len(data)):
    # Each byte was XORed with its index mod 7; XOR again to undo it
    flag += chr(((ord(data[i])) ^ (i % 0x7)) & 0xff)
print(flag)
2. Takeaways from this challenge:
A first look at Rust reversing: Rust binaries contain many useless strings that act as noise, so be careful to tell them apart.
4. 最喜欢的逆向题 (favorite reversing challenge):
1. Check for a packer
64-bit, not packed
2. Open in IDA:
Looking at main, there is a check. At the time I used dynamic debugging and jumped straight to it; I probably just solved it by following that check.
5. hnwanna
Unity reversing; decompile it directly with dnSpy.
1. dnSpy
Drag it into dnSpy and look at the code:
I thought the a function was doing some decryption, but it turned out the code just passes through a; I got a bit lost for a while, so you still have to read carefully.
2. Takeaways from this challenge:
I had previously done a Unity il2cpp challenge; this time it was mono, which feels simpler: just drag the CSharp assembly into dnSpy for analysis.
Summary:
I did not solve the remaining few challenges; I will wait for the experts' and the official write-ups. For maybe_xor, the initial analysis was going fine, but I only analysed one file, not realising that all 128 files need to be XORed, so a script is needed to process them all at once. If there are any mistakes, please point them out so we can improve together.
Below is the link to the HNCTF2024 challenges; the other few are container challenges:
Link: https://pan.baidu.com/s/1nqatzmZkZHPvQtHYg8WZbw?pwd=1234
Extraction code: 1234