Reversing and Misc Solutions for SHCTF

ezrc4

Analysis in IDA shows a modified RC4 cipher. The ciphertext and the key are stored in little-endian. The encryption function includes an additional XOR with 0x66. Decryption script:

#include <stdio.h>

void init_rc4(unsigned char* s_box, unsigned char* key, unsigned long key_len) {
    int i = 0, j = 0;
    unsigned char temp;
    unsigned char k[256];
    for (i = 0; i < 256; i++) {
        s_box[i] = i;
        k[i] = key[i % key_len];
    }
    for (i = 0; i < 256; i++) {
        j = (j + s_box[i] + k[i]) % 256;
        temp = s_box[i];
        s_box[i] = s_box[j];
        s_box[j] = temp;
    }
}

void decrypt_rc4(unsigned char* data, unsigned long data_len, unsigned char* key, unsigned long key_len) {
    unsigned char s[256];
    unsigned char temp;
    init_rc4(s, key, key_len);
    int i = 0, j = 0, t = 0;
    for (unsigned long k = 0; k < data_len; k++) {
        /* Standard RC4 keystream generation (PRGA) */
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        temp = s[i];
        s[i] = s[j];
        s[j] = temp;
        t = (s[i] + s[j]) % 256;
        /* The modification: an extra XOR with 0x66 on top of the keystream byte */
        data[k] = data[k] ^ s[t] ^ 0x66;
    }
}

int main() {
    unsigned char key[] = "FenKey!!";
    unsigned char encrypted[] = {0x21,0xAB,0x3F,0x42,0x65,0x8F,0x3C,0x5B,
                                 0x0C,0x17,0x05,0x6E,0x84,0xE7,0x1A,0x69,
                                 0xC3,0x77,0x70,0x1F,0x11};
    decrypt_rc4(encrypted, sizeof(encrypted), key, sizeof(key)-1);
    for(int i=0; i<21; i++) printf("%c", encrypted[i]);
    return 0;
}

xor

XOR operations with a rotating key selected by position:

#include <stdio.h>

int main() {
    unsigned char data[] = {0xC3,0x69,0x72,0xC4,0x67,0x4A,0xE8,0x11,
                            0x43,0xCF,0x6F,0xA,0xF3,0x44,0x6E,0xF8,
                            0x59,0x49,0xE8,0x4E,0x5E,0xE2,0x53,0x43,
                            0xB1,0x5C};
    for (int idx = 0; idx < 26; idx++) {
        switch(idx % 3) {
            case 0: data[idx] ^= 0x90; break;
            case 1: data[idx] ^= 0x21; break;
            case 2: data[idx] ^= 0x31; break;
        }
        printf("%c", data[idx]);
    }
    return 0;
}

EzDBG

Analysis with WinDbg and IDA. Encrypted data:

#include <stdio.h>

int main() {
    int encrypted[] = {0x35,0x2E,0x25,0x32,0x20,0x1D,0x3,0x5E,0x7,0x56,
                       0,0x3,0x57,0x57,0x53,0x50,0,0x54,7,0,7,7,0,3,
                       0x50,2,0x51,0x5E,0x5E,3,0x5F,2,0x56,3,0x57,0,
                       0x50,0x50,0x1B};
    for(int i=0; i<39; i++) {
        printf("%c", encrypted[i] ^ 0x66);
    }
}

GameGame

Solved with a Sudoku solver: 468912723481342575971422657913948591537428763345261

cancanneed

Dynamic hooking on Android using Frida:

Java.perform(function() {
    var TargetClass = Java.use("com.example.test.MainActivity");
    TargetClass.check.implementation = function(input) {
        return 1;
    };
});

babytea

Decryption of a modified XTEA algorithm:

#include <stdint.h>
#include <stdio.h>

void decode(uint32_t rounds, uint32_t v[2], uint32_t const key[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x61C88747;
    uint32_t sum = delta * rounds + 0x8DDE2E40;
    for (uint32_t i = 0; i < rounds; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]) ^ v1;
        sum -= delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]) ^ v0;
    }
    v[0] = v0; v[1] = v1;
}

int main() {
    uint32_t enc_data[] = {0x18C2E339,0xE9550982,0x108A30F7,0x018430DD,
                           0xD5DE57B0,0xD43E0740,0xF42FDDE4,0x968886E8,
                           0xE5D77B79,0x685D758F};
    uint32_t secret[4] = {1,1,2,3};
    for(int i=0; i<10; i+=2) {
        uint32_t block[2] = {enc_data[i], enc_data[i+1]};
        decode(64, block, secret);
        /* Each 32-bit word holds 4 bytes; a wider precision would read past the block */
        printf("%.4s%.4s", (char*)&block[0], (char*)&block[1]);
    }
    return 0;
}

Loader

Dump of the dynamically loaded classes using frida-dexdump. Pseudo-random string generation:

import java.util.Random;

public class FlagGenerator {
    private static final String CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    
    public static String createString(int seed, int length) {
        Random rand = new Random(seed);
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(CHARS.charAt(rand.nextInt(CHARS.length())));
        }
        return sb.toString();
    }
}

遮遮掩掩?CCRC!

Text recovered by brute-forcing CRC32, then decoded with a special cipher.

拜师之旅

Analysis of the IDAT chunks in a PNG with TweakPNG.
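
The chunk listing that a tool such as TweakPNG displays, as an added Python example that is not part of the original writeup: it walks the chunks, checks each CRC32, and reports IDAT lengths and bytes after IEND. The sample PNG is constructed with filler IDAT payloads, and the odd-length IDAT heuristic is an assumption about typical encoders, not something the writeup states.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize a chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_chunks(png: bytes):
    """Return ([(offset, type, length, crc_ok), ...], bytes left after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    chunks, off = [], len(PNG_SIG)
    while off + 12 <= len(png):
        (length,) = struct.unpack_from(">I", png, off)
        end = off + 12 + length
        if end > len(png):
            raise ValueError(f"chunk at offset {off} runs past end of file")
        ctype = png[off + 4:off + 8]
        (stored,) = struct.unpack_from(">I", png, end - 4)
        crc_ok = zlib.crc32(png[off + 4:end - 4]) == stored
        chunks.append((off, ctype.decode("latin-1"), length, crc_ok))
        off = end
        if ctype == b"IEND":
            break
    return chunks, len(png) - off

def odd_idat(chunks):
    """Heuristic (assumption): non-final IDATs normally share one length."""
    idat = [c for c in chunks if c[1] == "IDAT"]
    return [c for c in idat[:-1] if c[2] != idat[0][2]]

def sample_png() -> bytes:
    """Constructed sample: IDAT payloads are filler, not real image data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    parts = [make_chunk(b"IHDR", ihdr), make_chunk(b"IDAT", b"A" * 32),
             make_chunk(b"IDAT", b"B" * 7), make_chunk(b"IDAT", b"C" * 32),
             make_chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(parts) + b"extra"

if __name__ == "__main__":
    chunks, trailing = walk_chunks(sample_png())
    for off, ctype, length, crc_ok in chunks:
        print(f"{off:6d} {ctype} len={length:<4d} crc={'ok' if crc_ok else 'BAD'}")
    print("odd IDAT:", odd_idat(chunks), "| trailing bytes:", trailing)
```
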

Schneider

Password extraction from a .vxdz file with EcoStruxure Operator Terminal Expert.

Tags: RC4 XOR WinDbg Frida XTEA

Published on 7-3 02:48