0x01 babyre

总共有三关

题目被做了手脚，导致第一关第二关无法F5，只能看汇编+动态调试

1.第一关 三维迷宫

没啥好说的，走迷宫就是了

入口时0x73，出口是0x23

障碍物是0x2A，通道是0x2E

# 三维迷宫 方向 上下左右：wsad 空间上下：xy
# 最短路径ddwwxxssxaxwwaasasyywwdd

[
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2E, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2E, 
0x2A, 0x2A, 0x73, 0x2E, 0x2E,  

0x2A, 0x2E, 0x2E, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2E, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2E, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 

0x2A, 0x2E, 0x2E, 0x2A, 0x2A, 
0x2A, 0x2E, 0x2E, 0x2A, 0x2A, 
0x2E, 0x2E, 0x23, 0x2A, 0x2E, 
0x2E, 0x2A, 0x2A, 0x2A, 0x2E, 
0x2E, 0x2A, 0x2A, 0x2A, 0x2E, 

0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2E, 0x2A, 0x2A, 0x2E, 0x2E, 

0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
0x2A, 0x2A, 0x2E, 0x2E, 0x2A, 
0x2A, 0x2E, 0x2E, 0x2E, 0x2A, 
0x2E, 0x2E, 0x2A, 0x2E, 0x2A, 
0x2E, 0x2A, 0x2A, 0x2E, 0x2A,
]

2.第二关

字符串输入后进入一个函数加密，加密之后与 "sctf_9102"比较

跟踪加密函数发现每4个字符为一轮通过一些查找、移位、或操作将之编码为三个字符

直接脚本爆破

data = [0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000003E, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000003F, 0x00000034, 0x00000035, 0x00000036, 0x00000037, 0x00000038, 0x00000039, 0x0000003A, 0x0000003B, 0x0000003C, 0x0000003D, 0x0000007F, 0x0000007F, 0x0000007F, 0x00000040, 0x0000007F, 0x0000007F, 0x0000007F, 0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007, 0x00000008, 0x00000009, 0x0000000A, 0x0000000B, 0x0000000C, 0x0000000D, 0x0000000E, 0x0000000F, 0x00000010, 0x00000011, 0x00000012, 0x00000013, 0x00000014, 0x00000015, 0x00000016, 0x00000017, 0x00000018, 0x00000019, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000001A, 0x0000001B, 0x0000001C, 0x0000001D, 0x0000001E, 0x0000001F, 0x00000020, 0x00000021, 0x00000022, 0x00000023, 0x00000024, 0x00000025, 0x00000026, 0x00000027, 0x00000028, 0x00000029, 0x0000002A, 0x0000002B, 0x0000002C, 0x0000002D, 0x0000002E, 0x0000002F, 0x00000030, 0x00000031, 0x00000032, 0x00000033, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F, 0x0000007F]

# Python>'sctf_9102'.encode('hex')
# 736374665f39313032
pass2 = ''
dest = [0x736374,0x665f39,0x313032]
for d in range(3):
    for i in range(0x20,0x80):
        for j in range(0x20,0x80):
            for k in range(0x20,0x80):
                 for l in range(0x20,0x80):
                    h = (((((data[i]<<6)|data[j])<<6)|data[k])<<6)|data[l]
                    if h == dest[d]:
                        print chr(i) + chr(j) + chr(k) + chr(l)
                        pass2 += chr(i) + chr(j) + chr(k) + chr(l)
print pass2
# pass2 = c2N0Zl85MS=yMT=yMTAy

# pass2_res = c2N0Zl85MTAy

第三轮爆破出了三个结果，排除掉前两个，pass2为 c2N0Zl85MTAy

3.第三关

第三关看似很复杂，其实并不难，尤其是可以F5看伪代码

首先定义了一个长度为16的数组

  v8 = 0xBE;
  v9 = 4;
  v10 = 6;
  v11 = 0x80;
  v12 = 0xC5;
  v13 = 0xAF;
  v14 = 0x76;
  v15 = 0x47;
  v16 = 0x9F;
  v17 = 0xCC;
  v18 = 0x40;
  v19 = 0x1F;
  v20 = 0xD8;
  v21 = 0xBF;
  v22 = 0x92;
  v23 = 0xEF;

不难发现这是加密后的数组常量

同理得到输入也为长度为16的字符串，加密算法如下

  v1 = (a1[6] << 8) | (a1[5] << 16) | (a1[4] << 24) | a1[7];
  v2 = (a1[10] << 8) | (a1[9] << 16) | (a1[8] << 24) | a1[11];
  v3 = (a1[14] << 8) | (a1[13] << 16) | (a1[12] << 24) | a1[15];
  v7 = 0;
  v5 = 4;
  v40 = sub_55FF5657978A((a1[2] << 8) | (a1[1] << 16) | (*a1 << 24) | (unsigned int)a1[3]);
  v41 = sub_55FF5657978A(v1);
  v42 = sub_55FF5657978A(v2);
  v43 = sub_55FF5657978A(v3);
  do
  {
    *(&v40 + v5) = sub_55FF5657A43B(*(&v40 + v7), *(&v40 + v7 + 1), *(&v40 + v7 + 2), *(&v40 + v7 + 3));
    ++v7;
    ++v5;
  }
  while ( v5 <= 29 );

sub_55FF5657978A类似于将之改为大端序

重点是sub_55FF5657A43B函数,函数体如下

return a1 ^ (unsigned int)sub_55FF5657A464(a2 ^ a3 ^ a4);

所以加密过程大致如下

将输入的16个字符以大端序的形式转换为4个int，视为a0，a1，a2，a3，并用这四个int生成下一个int a4

a4= a0 ^ sub_55FF5657A464(a1 ^ a2 ^ a3) 直到 a29，而刚开始定义的常量数组分别对应 a26 a27 a28 a29

解密过程往前递推即可 a25= a29 ^ sub_55FF5657A464(a26 ^ a27 ^ a28) ……

脚本如下

aaa = [0xbe040680,0xc5af7647,0x9fcc401f,0xd8bf92ef]
d = [
0x000000D6, 0x00000090, 0x000000E9, 0x000000FE, 0x000000CC, 0x000000E1, 0x0000003D, 0x000000B7, 0x00000016, 0x000000B6, 0x00000014, 0x000000C2, 0x00000028, 0x000000FB, 0x0000002C, 0x00000005, 0x0000002B, 0x00000067, 0x0000009A, 0x00000076, 0x0000002A, 0x000000BE, 0x00000004, 0x000000C3, 0x000000AA, 0x00000044, 0x00000013, 0x00000026, 0x00000049, 0x00000086, 0x00000006, 0x00000099, 0x0000009C, 0x00000042, 0x00000050, 0x000000F4, 0x00000091, 0x000000EF, 0x00000098, 0x0000007A, 0x00000033, 0x00000054, 0x0000000B, 0x00000043, 0x000000ED, 0x000000CF, 0x000000AC, 0x00000062, 0x000000E4, 0x000000B3, 0x0000001C, 0x000000A9, 0x000000C9, 0x00000008, 0x000000E8, 0x00000095, 0x00000080, 0x000000DF, 0x00000094, 0x000000FA, 0x00000075, 0x0000008F, 0x0000003F, 0x000000A6, 0x00000047, 0x00000007, 0x000000A7, 0x000000FC, 0x000000F3, 0x00000073, 0x00000017, 0x000000BA, 0x00000083, 0x00000059, 0x0000003C, 0x00000019, 0x000000E6, 0x00000085, 0x0000004F, 0x000000A8, 0x00000068, 0x0000006B, 0x00000081, 0x000000B2, 0x00000071, 0x00000064, 0x000000DA, 0x0000008B, 0x000000F8, 0x000000EB, 0x0000000F, 0x0000004B, 0x00000070, 0x00000056, 0x0000009D, 0x00000035, 0x0000001E, 0x00000024, 0x0000000E, 0x0000005E, 0x00000063, 0x00000058, 0x000000D1, 0x000000A2, 0x00000025, 0x00000022, 0x0000007C, 0x0000003B, 0x00000001, 0x00000021, 0x00000078, 0x00000087, 0x000000D4, 0x00000000, 0x00000046, 0x00000057, 0x0000009F, 0x000000D3, 0x00000027, 0x00000052, 0x0000004C, 0x00000036, 0x00000002, 0x000000E7, 0x000000A0, 0x000000C4, 0x000000C8, 0x0000009E, 0x000000EA, 0x000000BF, 0x0000008A, 0x000000D2, 0x00000040, 0x000000C7, 0x00000038, 0x000000B5, 0x000000A3, 0x000000F7, 0x000000F2, 0x000000CE, 0x000000F9, 0x00000061, 0x00000015, 0x000000A1, 0x000000E0, 0x000000AE, 0x0000005D, 0x000000A4, 0x0000009B, 0x00000034, 0x0000001A, 0x00000055, 0x000000AD, 0x00000093, 0x00000032, 0x00000030, 0x000000F5, 0x0000008C, 0x000000B1, 0x000000E3, 0x0000001D, 0x000000F6, 0x000000E2, 0x0000002E, 0x00000082, 0x00000066, 0x000000CA, 0x00000060, 0x000000C0, 0x00000029, 0x00000023, 0x000000AB, 0x0000000D, 0x00000053, 0x0000004E, 0x0000006F, 0x000000D5, 0x000000DB, 0x00000037, 0x00000045, 0x000000DE, 0x000000FD, 0x0000008E, 0x0000002F, 0x00000003, 0x000000FF, 0x0000006A, 0x00000072, 0x0000006D, 0x0000006C, 0x0000005B, 0x00000051, 0x0000008D, 0x0000001B, 0x000000AF, 0x00000092, 0x000000BB, 0x000000DD, 0x000000BC, 0x0000007F, 0x00000011, 0x000000D9, 0x0000005C, 0x00000041, 0x0000001F, 0x00000010, 0x0000005A, 0x000000D8, 0x0000000A, 0x000000C1, 0x00000031, 0x00000088, 0x000000A5, 0x000000CD, 0x0000007B, 0x000000BD, 0x0000002D, 0x00000074, 0x000000D0, 0x00000012, 0x000000B8, 0x000000E5, 0x000000B4, 0x000000B0, 0x00000089, 0x00000069, 0x00000097, 0x0000004A, 0x0000000C, 0x00000096, 0x00000077, 0x0000007E, 0x00000065, 0x000000B9, 0x000000F1, 0x00000009, 0x000000C5, 0x0000006E, 0x000000C6, 0x00000084, 0x00000018, 0x000000F0, 0x0000007D, 0x000000EC, 0x0000003A, 0x000000DC, 0x0000004D, 0x00000020, 0x00000079, 0x000000EE, 0x0000005F, 0x0000003E, 0x000000D7, 0x000000CB, 0x00000039, 0x00000048, 0x000000C6, 0x000000BA, 0x000000B1, 0x000000A3, 0x00000050, 0x00000033, 0x000000AA, 0x00000056, 0x00000097, 0x00000091, 0x0000007D, 0x00000067, 0x000000DC, 0x00000022, 0x00000070, 0x000000B2, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 
]

for i in range(len(d)):
    if d[i] == 0xa6:
        print i
def pass3_re(x):
    x &= 0xffffffff
    a = d[x&0xff] 
    b = (d[(x&0xffff)>>8]<<8) 
    c = (d[(x&0xffffff)>>16]<<16) 
    e = (d[(x&0xffffffff)>>24]<<24)
    x = a|b|c|e 
    x &= 0xffffffff
    a = (((x<<12)|(x>>20))&0xffffffff) 
    b = (((x>>6)|(x<<26))&0xffffffff) 
    c = (((x<<8)|(x>>24))&0xffffffff) 
    e = (((x>>2)|(x<<30))&0xffffffff)
    x = a^b^c^e
    return x&0xffffffff

l = []
for i in range(30 - 4):
    l.append(0)
for i in aaa:
    l.append(i)

cx = 25
for i in range(26):
    l[cx] = pass3_re(l[cx+1] ^ l[cx+2] ^ l[cx+3]) ^ l[cx+4]
    cx -= 1


pass3 = ''
for i in range(4):
    pass3  += (hex(l[i])[2:]).decode('hex')[::-1]

print pass3

由此得到

pass1 ： ddwwxxssxaxwwaasasyywwdd

pass2 ： c2N0Zl85MTAy

pass3 ： fl4g_is_s0_ug1y!

最终flag为 sctf{ddwwxxssxaxwwaasasyywwdd-c2N0Zl85MTAy(fl4g_is_s0_ug1y!)}

ps : 第一关其实输入为 sxss sxsads……都是可以check的，但是并不是基于三维迷宫来做的，而题目又提示plz tell me the shortest password1实在坑了好久，最后联系出题人看了hint才知道应该基于三维迷宫