CISCN 2020 REVERSE Writeup

hyperthreading

1-1

1-2

创建的线程都加了花指令,然后有一个守护线程检查反调试,直接patch掉反调试,OD或者x32dbg调着看看

WaitForMultipleObjects哪里暂停下然后再回复就可以了

1-3

每次加密后的结果都一样,可以找到字符串对应关系,然后就可以接到flag

1
2
3
4
5
6
7
8
9
10
11
12
encrypt = [0xDD,0x5B,0x9E,0x1D,0x20,0x9E,0x90,0x91,0x90,0x90,0x91,0x92,0xDE,0x8B,0x11,0xD1,0x1E,0x9E,0x8B,0x51,0x11,0x50,0x51,0x8B,0x9E,0x5D,0x5D,0x11,0x8B,0x90,0x12,0x91,0x50,0x12,0xD2,0x91,0x92,0x1E,0x9E,0x90,0xD2,0x9F]
key_dic = {'a':0x9E,'b':0xDE,'c':0x1E,'d':0x5D,'e':0x9D,'f':0xDD,'g':0x1D,'h':0x5C,'i':0x9C,'j':0xDC,'k':0x1C,'l':0x5B,'m':0x9B,'n':0xDB,'o':0x1B,'p':0x62,'q':0xA2,'r':0xE2,'s':0x22,'t':0x61,'u':0xA1,'v':0xE1,'w':0x21,'x':0x60,'y':0x0A,'z':0xE0,'_':0x17,'{':0x20,'}':0x9F,'0':0x52,'1':0x92,'2':0xD2,'3':0x12,'4':0x51,'5':0x91,'6':0xD1,'7':0x11,'8':0x50,'9':0x90,'-':0x8B}

flag = ''

for i in encrypt:
for j in key_dic:
if key_dic[j] == i:
flag += j

print(flag)
# flag{a959951b-76ca-4784-add7-93583251ca92}

z3

典型的约束求解,用z3这个库跑就行了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
from z3 import * 
solver = Solver()
v46 = Int('flag[0]')
v47 = Int('flag[1]')
v48 = Int('flag[2]')
v49 = Int('flag[3]')
v50 = Int('flag[4]')
v51 = Int('flag[5]')
v52 = Int('flag[6]')
v53 = Int('flag[7]')
v54 = Int('flag[8]')
v55 = Int('flag[9]')
v56 = Int('flag[10]')
v57 = Int('flag[11]')
v58 = Int('flag[12]')
v59 = Int('flag[13]')
v60 = Int('flag[14]')
v61 = Int('flag[15]')
v62 = Int('flag[16]')
v63 = Int('flag[17]')
v64 = Int('flag[18]')
v65 = Int('flag[20]')
v66 = Int('flag[21]')
v67 = Int('flag[22]')
v68 = Int('flag[23]')
v69 = Int('flag[24]')
v70 = Int('flag[25]')
v71 = Int('flag[26]')
v72 = Int('flag[27]')
v73 = Int('flag[28]')
v74 = Int('flag[29]')
v75 = Int('flag[30]')
v76 = Int('flag[31]')
v77 = Int('flag[32]')
v78 = Int('flag[33]')
v79 = Int('flag[34]')
v80 = Int('flag[35]')
v81 = Int('flag[36]')
v82 = Int('flag[37]')
v83 = Int('flag[38]')
v84 = Int('flag[39]')
v85 = Int('flag[40]')
v86 = Int('flag[41]')
v87 = Int('flag[42]')
solver.add(v46 > 0)
solver.add(v46 < 128)
solver.add(v47 > 0)
solver.add(v47 < 128)
solver.add(v48 > 0)
solver.add(v48 < 128)
solver.add(v77 > 0)
solver.add(v77 < 128)
solver.add(v78 > 0)
solver.add(v78 < 128)
solver.add(v79 > 0)
solver.add(v79 < 128)
solver.add(v76 > 0)
solver.add(v76 < 128)
solver.add(34 * v49 + 12 * v46 + 53 * v47 + 6 * v48 + 58 * v50 + 36 * v51 + v52 == 0x4f17)
solver.add(27 * v50 + 73 * v49 + 12 * v48 + 83 * v46 + 85 * v47 + 96 * v51 + 52 * v52 == 0x9cf6)
solver.add(24 * v48 + 78 * v46 + 53 * v47 + 36 * v49 + 86 * v50 + 25 * v51 + 46 * v52 == 0x8ddb)
solver.add(78 * v47 + 39 * v46 + 52 * v48 + 9 * v49 + 62 * v50 + 37 * v51 + 84 * v52 == 0x8ea6)
solver.add(48 * v50 + 14 * v48 + 23 * v46 + 6 * v47 + 74 * v49 + 12 * v51 + 83 * v52 == 0x6929)
solver.add(15 * v51 + 48 * v50 + 92 * v48 + 85 * v47 + 27 * v46 + 42 * v49 + 72 * v52 == 0x9911)
solver.add(26 * v51 + 67 * v49 + 6 * v47 + 4 * v46 + 3 * v48 + 68 * v52 == 0x40a2)
solver.add(34 * v56 + 12 * v53 + 53 * v54 + 6 * v55 + 58 * v57 + 36 * v58 + v59 == 0x2f3e)
solver.add(27 * v57 + 73 * v56 + 12 * v55 + 83 * v53 + 85 * v54 + 96 * v58 + 52 * v59 == 0x62b6)
solver.add(24 * v55 + 78 * v53 + 53 * v54 + 36 * v56 + 86 * v57 + 25 * v58 + 46 * v59 == 0x4b82)
solver.add(78 * v54 + 39 * v53 + 52 * v55 + 9 * v56 + 62 * v57 + 37 * v58 + 84 * v59 == 0x486c)
solver.add(48 * v57 + 14 * v55 + 23 * v53 + 6 * v54 + 74 * v56 + 12 * v58 + 83 * v59 == 0x4002)
solver.add(15 * v58 + 48 * v57 + 92 * v55 + 85 * v54 + 27 * v53 + 42 * v56 + 72 * v59 == 0x52d7)
solver.add(26 * v58 + 67 * v56 + 6 * v54 + 4 * v53 + 3 * v55 + 68 * v59 == 0x2def)
solver.add(34 * v63 + 12 * v60 + 53 * v61 + 6 * v62 + 58 * v64 + 36 * v65 + v66 == 0x28dc)
solver.add(27 * v64 + 73 * v63 + 12 * v62 + 83 * v60 + 85 * v61 + 96 * v65 + 52 * v66 == 0x640d)
solver.add(24 * v62 + 78 * v60 + 53 * v61 + 36 * v63 + 86 * v64 + 25 * v65 + 46 * v66 == 0x528f)
solver.add(78 * v61 + 39 * v60 + 52 * v62 + 9 * v63 + 62 * v64 + 37 * v65 + 84 * v66 == 0x613b)
solver.add(48 * v64 + 14 * v62 + 23 * v60 + 6 * v61 + 74 * v63 + 12 * v65 + 83 * v66 == 0x4781)
solver.add(15 * v65 + 48 * v64 + 92 * v62 + 85 * v61 + 27 * v60 + 42 * v63 + 72 * v66 == 0x6b17)
solver.add(26 * v65 + 67 * v63 + 6 * v61 + 4 * v60 + 3 * v62 + 68 * v66 == 0x3237)
solver.add(34 * v70 + 12 * v67 + 53 * v68 + 6 * v69 + 58 * v71 + 36 * v72 + v73 == 0x2a93)
solver.add(27 * v71 + 73 * v70 + 12 * v69 + 83 * v67 + 85 * v68 + 96 * v72 + 52 * v73 == 0x615f)
solver.add(24 * v69 + 78 * v67 + 53 * v68 + 36 * v70 + 86 * v71 + 25 * v72 + 46 * v73 == 0x50be)
solver.add(78 * v68 + 39 * v67 + 52 * v69 + 9 * v70 + 62 * v71 + 37 * v72 + 84 * v73 == 0x598e)
solver.add(48 * v71 + 14 * v69 + 23 * v67 + 6 * v68 + 74 * v70 + 12 * v72 + 83 * v73 == 0x4656)
solver.add(15 * v72 + 48 * v71 + 92 * v69 + 85 * v68 + 27 * v67 + 42 * v70 + 72 * v73 == 0x5b31)
solver.add(26 * v72 + 67 * v70 + 6 * v68 + 4 * v67 + 3 * v69 + 68 * v73 == 0x313a)
solver.add(34 * v77 + 12 * v74 + 53 * v75 + 6 * v76 + 58 * v78 + 36 * v79 + v80 == 0x3010)
solver.add(27 * v78 + 73 * v77 + 12 * v76 + 83 * v74 + 85 * v75 + 96 * v79 + 52 * v80 == 0x67fe)
solver.add(24 * v76 + 78 * v74 + 53 * v75 + 36 * v77 + 86 * v78 + 25 * v79 + 46 * v80 == 0x4d5f)
solver.add(78 * v75 + 39 * v74 + 52 * v76 + 9 * v77 + 62 * v78 + 37 * v79 + 84 * v80 == 0x58db)
solver.add(48 * v78 + 14 * v76 + 23 * v74 + 6 * v75 + 74 * v77 + 12 * v79 + 83 * v80 == 0x3799)
solver.add(15 * v79 + 48 * v78 + 92 * v76 + 85 * v75 + 27 * v74 + 42 * v77 + 72 * v80 == 0x60a0)
solver.add(26 * v79 + 67 * v77 + 6 * v75 + 4 * v74 + 3 * v76 + 68 * v80 == 0x2750)
solver.add(34 * v84 + 12 * v81 + 53 * v82 + 6 * v83 + 58 * v85 + 36 * v86 + v87 == 0x3759)
solver.add(27 * v85 + 73 * v84 + 12 * v83 + 83 * v81 + 85 * v82 + 96 * v86 + 52 * v87 == 0x8953)
solver.add(24 * v83 + 78 * v81 + 53 * v82 + 36 * v84 + 86 * v85 + 25 * v86 + 46 * v87 == 0x7122)
solver.add(78 * v82 + 39 * v81 + 52 * v83 + 9 * v84 + 62 * v85 + 37 * v86 + 84 * v87 == 0x81f9)
solver.add(48 * v85 + 14 * v83 + 23 * v81 + 6 * v82 + 74 * v84 + 12 * v86 + 83 * v87 == 0x5524)
solver.add(15 * v86 + 48 * v85 + 92 * v83 + 85 * v82 + 27 * v81 + 42 * v84 + 72 * v87 == 0x8971)
solver.add(26 * v86 + 67 * v84 + 6 * v82 + 4 * v81 + 3 * v83 + 68 * v87 == 0x3a1d)
if solver.check():
print(solver.model())

出来的借来的结果在用C++排个序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <iostream>
#include <cstring>

using namespace std;

int main(){
char flag[43];
flag[8] = 55;
flag[3] = 103;
flag[1] = 108;
flag[15] = 51;
flag[16] = 98;
flag[26] = 57;
flag[11] = 52;
flag[18] = 45;
flag[9] = 49;
flag[24] = 45;
flag[22] = 49;
flag[30] = 54;
flag[14] = 54;
flag[0] = 102;
flag[25] = 57;
flag[40] = 52;
flag[10] = 100;
flag[20] = 52;
flag[23] = 56;
flag[37] = 102;
flag[39] = 54;
flag[41] = 56;
flag[7] = 49;
flag[17] = 57;
flag[4] = 123;
flag[29] = 45;
flag[2] = 97;
flag[33] = 52;
flag[5] = 55;
flag[36] = 97;
flag[12] = 51;
flag[38] = 101;
flag[27] = 48;
flag[32] = 49;
flag[31] = 101;
flag[34] = 99;
flag[42] = 125;
flag[35] = 50;
flag[28] = 101;
flag[21] = 101;
flag[13] = 45;
flag[6] = 101;
flag[43] = '\0';
cout<<flag<<endl;
return 0;
}
//flag{7e171d43-63b9-?e18-990e-6e14c2afe648}

最后有一位需要爆破下