华为杯第三届中国研究生网络安全创新大赛实网对抗赛初赛部分题目题解

3 道 RE 和 3 道 misc 题。

RE1 ezhtml

用 wasm2c 把 ez.wasm 转成 C 代码,注意到关键函数为 w2c_ez_f7;把生成的 C 代码编译后再用 IDA 反编译,会更容易看懂,代码如下:

// Flag check of the "ez" wasm module (wasm2c output, compiled and then
// decompiled again with IDA).  a1 is the wasm2c instance pointer: *(a1 + 16)
// is used like the wasm stack pointer (a 64-byte frame is taken on entry and
// given back on exit) and a1 + 32 is the base handed to every
// i32_load/i32_store, i.e. presumably the linear memory.
// Returns the 32-bit value left in the result slot at sp+60.  Note that BOTH
// the success and the failure path store 0 there, so the return value does not
// tell the outcome apart; the caller presumably learns it from whatever
// w2c_ez_f21 does with 65578 (all bytes matched) vs 65571 (wrong length or
// mismatch) -- likely printing a message, confirm in the wasm data section.
__int64 __fastcall w2c_ez_f7(__int64 a1)
{
    int v1; // eax                                -- (i + 1) % 35, index of the XOR partner
    __int64 result; // rax
    unsigned int v3; // [rsp+20h] [rbp-160h]      -- wasm stack pointer after the 64-byte frame is taken
    unsigned int v4; // [rsp+9Ch] [rbp-E4h]       -- address of buf[i]
    char v5; // [rsp+A0h] [rbp-E0h]               -- buf[i] before the XOR
    char v6; // [rsp+D4h] [rbp-ACh]               -- buf[(i + 1) % 35]
    unsigned int v7; // [rsp+100h] [rbp-80h]      -- address of buf[i] (recomputed)
    unsigned int v8; // [rsp+114h] [rbp-6Ch]      -- address of buf[i] (recomputed again)
    char v9; // [rsp+118h] [rbp-68h]              -- buf[i] after the XOR
    unsigned int v10; // [rsp+178h] [rbp-8h]      -- loop counter i
    unsigned int v11; // [rsp+17Ch] [rbp-4h]      -- i + 1

    // Frame layout in linear memory, relative to v3:
    //   +0   pointer to the input buffer (argument for w2c_ez_f22)
    //   +12  loop counter i
    //   +16  input buffer; 35 bytes of it are transformed and compared
    //   +60  return value slot
    v3 = *(_DWORD *)(a1 + 16) - 64;
    *(_DWORD *)(a1 + 16) = v3;
    i32_store(a1 + 32, v3 + 60LL, 0LL);
    w2c_ez_f21(a1, 65554LL);                             // presumably prints the prompt stored at data offset 65554 -- confirm
    i32_store(a1 + 32, v3, v3 + 16);
    w2c_ez_f22(a1, (unsigned int)&loc_10009, v3);        // presumably reads the user input into sp+16 (loc_10009 looks like a format string) -- confirm
    // Only an input of exactly 35 bytes is checked at all (w2c_ez_f26 is used like strlen -- confirm).
    if ( (unsigned int)w2c_ez_f26(a1, v3 + 16) == 35 )
    {
        i32_store(a1 + 32, v3 + 12LL, 0LL);
        while ( (int)i32_load(a1 + 32, v3 + 12LL) < 35 )
        {
            v4 = i32_load(a1 + 32, v3 + 12LL) + v3 + 16;
            v5 = i32_load8_u(a1 + 32, v4);                // buf[i]
            v1 = (int)(i32_load(a1 + 32, v3 + 12LL) + 1) % 35;   // partner index wraps to 0 for the last byte
            // For i < 34 the partner byte is still untouched input; for i == 34 it is
            // buf[0], which this loop has already rewritten.  A decoder must undo the
            // chain back to front so that each partner is already restored.
            v6 = i32_load8_u(a1 + 32, v1 + v3 + 16);
            v7 = i32_load(a1 + 32, v3 + 12LL) + v3 + 16;
            // NOTE(review): by C precedence this reads as v6 & (0xF ^ v5).  The solver
            // script on this page (and the flag it recovers) treat it as (v6 & 0xF) ^ v5,
            // i.e. XOR with the low nibble of the next byte, so the decompiler output is
            // presumably just printed without the grouping parentheses -- confirm against the wasm.
            i32_store8(a1 + 32, v7, v6 & 0xF ^ (unsigned int)v5);
            v8 = i32_load(a1 + 32, v3 + 12LL) + v3 + 16;
            v9 = i32_load8_u(a1 + 32, v8);                // transformed buf[i]
            v10 = i32_load(a1 + 32, v3 + 12LL);
            // Compare against the expected byte table at loc_10270; the first mismatch fails.
            if ( v9 != (char)i32_load8_u(a1 + 32, (char *)&loc_10270 + v10) )
                goto LABEL_2;
            v11 = i32_load(a1 + 32, v3 + 12LL) + 1;
            i32_store(a1 + 32, v3 + 12LL, v11);
        }
        w2c_ez_f21(a1, 65578LL);                         // all 35 bytes matched
        i32_store(a1 + 32, v3 + 60LL, 0LL);
    }
    else
    {
LABEL_2:
        w2c_ez_f21(a1, 65571LL);                         // wrong length, or a byte mismatched
        i32_store(a1 + 32, v3 + 60LL, 0LL);
    }
    LODWORD(result) = i32_load(a1 + 32, v3 + 60LL);
    *(_DWORD *)(a1 + 16) = v3 + 64;                      // give the 64-byte frame back
    return (unsigned int)result;
}

代码的逻辑是从前往后,每一位都与后一位的低 4 位做异或(最后一位回绕到第 0 位);由于每一步只依赖后一位,反过来从后往前逐位异或即可还原。

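def decode(encoded: str) -> str:
    """Undo the wasm routine's per-byte XOR chain and return the plaintext.

    The checker walks the buffer front to back and XORs each byte with the
    low nibble of the byte after it, wrapping to index 0 for the last byte.
    Every step only depends on the *next* byte, so walking back to front
    restores each XOR partner before it is needed. The length is taken from
    the input rather than being hard-coded to 35; an empty string decodes
    to an empty string.
    """
    buf = [ord(c) for c in encoded]
    size = len(buf)
    for i in range(size - 1, -1, -1):
        # Partner index wraps: the last byte pairs with the (still encoded) first byte.
        buf[i] ^= buf[(i + 1) % size] & 0xF
    return ''.join(map(chr, buf))


a = list(decode('EBPGRM|VE9B]Q5Sb4vJ^2|ZoU[t?SiDf9Cx'))

print(''.join(a))
# DASCTF{WA4M_R3Ve7sE_1s_eZ_t0_lEa7N}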

RE2 Blackjack

分析程序发现 blackjack 赢了之后会输出 flag,但需要连续赢 10 次;把 cmp 指令里的立即数改成 0,然后玩一局即可。

image-20241110180801514

image-20241110175253909

RE3 Downcity

从符号表可以看出这是一道虚拟机题:要执行的字节码保存在 vm_init() 里的指针所指的数据中,vm 函数即为虚拟机的解释逻辑。

用 Python 模拟执行;因为没有实现跳转指令,只考虑了顺序执行的情况,所以只解出了一半。

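# Bytecode taken from the data referenced by vm_init().  The dump appears to
# be laid out as 4-byte words (opcode followed by up to three operand bytes);
# 0x07 separates the per-character programs that the driver loop at the bottom
# of the script feeds to vm() one at a time.  Opcodes as handled by cal():
# 1 push, 2 pop, 3 add, 4 and, 5 lsh, 6 rsh, 10 compare-and-stop; any other
# byte (the zero padding, 9) is stepped over.
# The original listing had several "0x00" tokens split across line wraps
# ("0" / "x00"); they are rejoined here, one program per pair of lines.
instr = [
    0x07,0x00,0x00,0x00,
    # program 1
    0x01,0x01,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x45,0x00,0x00, 0x01,0x08,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 2
    0x01,0x02,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x43,0x00,0x00, 0x01,0x13,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 3
    0x01,0x03,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x56,0x00,0x00, 0x01,0x1E,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 4
    0x01,0x01,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x44,0x00,0x00, 0x01,0x29,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 5
    0x01,0x02,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x56,0x00,0x00, 0x01,0x34,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 6
    0x01,0x03,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x49,0x00,0x00, 0x01,0x3F,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 7
    0x05,0x08,0x00,0x00, 0x01,0x01,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x01,0x7B,0x00, 0x01,0x4B,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 8
    0x05,0x08,0x00,0x00, 0x01,0x02,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x02,0x68,0x00, 0x01,0x57,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 9
    0x05,0x08,0x00,0x00, 0x01,0x03,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x03,0x31,0x00, 0x01,0x63,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 10
    0x05,0x08,0x00,0x00, 0x01,0x01,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x01,0x44,0x00, 0x01,0x6F,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 11
    0x05,0x08,0x00,0x00, 0x01,0x01,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x01,0x65,0x00, 0x01,0x7B,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 12
    0x05,0x08,0x00,0x00, 0x01,0x02,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x02,0x6E,0x00, 0x01,0x87,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 13
    0x05,0x08,0x00,0x00, 0x01,0x03,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x03,0x5F,0x00, 0x01,0x93,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 14
    0x01,0x01,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x57,0x00,0x00, 0x01,0x9E,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 15
    0x01,0x02,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x6F,0x00,0x00, 0x01,0xA9,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 16
    0x01,0x03,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x62,0x00,0x00, 0x01,0xB4,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 17
    0x01,0x01,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x4A,0x00,0x00, 0x01,0xBF,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 18
    0x01,0x02,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x35,0x00,0x00, 0x01,0xCA,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 19
    0x01,0x03,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x62,0x00,0x00, 0x01,0xD5,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 20
    0x01,0x02,0x00,0x00, 0x03,0x00,0x00,0x00, 0x01,0x55,0x00,0x00, 0x01,0xE0,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 21
    0x05,0x01,0x00,0x00, 0x01,0xDE,0x00,0x00, 0x01,0xEA,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 22
    0x05,0x02,0x00,0x00, 0x01,0xBC,0x01,0x00, 0x01,0xF4,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 23
    0x05,0x03,0x00,0x00, 0x01,0x80,0x01,0x00, 0x01,0xFE,0x00,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 24
    0x05,0x08,0x00,0x00, 0x01,0x01,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x01,0x5F,0x00, 0x01,0x0A,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 25
    0x05,0x08,0x00,0x00, 0x01,0x02,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x02,0x46,0x00, 0x01,0x16,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 26
    0x05,0x08,0x00,0x00, 0x01,0x03,0x00,0x00, 0x04,0x00,0x00,0x00, 0x01,0x03,0x75,0x00, 0x01,0x22,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 27
    0x05,0x01,0x00,0x00, 0x01,0xDC,0x00,0x00, 0x01,0x2C,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 28
    0x05,0x02,0x00,0x00, 0x01,0x7C,0x01,0x00, 0x01,0x36,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,0x00,0x00,0x00,
    # program 29
    0x05,0x03,0x00,0x00, 0x01,0x08,0x01,0x00, 0x01,0x40,0x01,0x00,
    0x0A,0x00,0x00,0x00, 0x01,0x70,0x01,0x00, 0x09,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,
    0x07,
]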

# Operand stack shared by every VM helper below; vm() resets it before each run.
heap = []

def push(x):
    """Push ``x`` onto the shared VM stack ``heap``."""
    heap.extend([x])

def pop():
    """Remove and return the value on top of the shared VM stack."""
    top = heap[-1]
    del heap[-1]
    return top

def add():
    """Pop two operands and push their sum, wrapped to a byte."""
    rhs, lhs = heap.pop(), heap.pop()
    heap.append((lhs + rhs) % 256)

def andd():
    """Pop two operands and push their bitwise AND (no width mask applied)."""
    rhs, lhs = heap.pop(), heap.pop()
    heap.append(lhs & rhs)

def lsh(x):
    """Shift the top of the stack left by ``x`` bits.

    The result is not truncated to a byte. The author also tried treating a
    shift by 8 as a rotate and truncating the result (both left commented
    out in the original listing); the plain unbounded shift is what is used.
    """
    top = heap.pop()
    heap.append(top << x)


def rsh(x):
    """Shift the top of the stack right by ``x`` bits."""
    top = heap.pop()
    heap.append(top >> x)

def be():
    """Compare-and-stop: discard the top value, then report whether the next two are equal."""
    heap.pop()
    lhs, rhs = heap.pop(), heap.pop()
    return lhs == rhs


def cal():
    """Interpret the program in ``cur`` on the shared stack; return be()'s verdict.

    Opcodes 1 (push), 5 (lsh) and 6 (rsh) take the following byte as their
    operand; 2 (pop), 3 (add) and 4 (and) take none. Opcode 10 ends the run
    with the result of be(). Any other byte -- the zero bytes between
    instructions and opcode 9 -- is stepped over, which is how the dump's
    word layout is tolerated without a jump table. Running past the end of
    ``cur`` raises IndexError.
    """
    unary = {1: push, 5: lsh, 6: rsh}
    nullary = {2: pop, 3: add, 4: andd}
    ip = 0
    while True:
        op = cur[ip]
        if op == 10:
            return be()
        if op in unary:
            unary[op](cur[ip + 1])
            ip += 2
            continue
        if op in nullary:
            nullary[op]()
        ip += 1


def vm():
    """Brute-force the one byte that makes the current program ``cur`` accept.

    Every value 0..127 is tried as the initial stack content; the first one
    for which cal() returns True is printed (without a newline) as the
    recovered character. If no value is accepted, the program bytes are
    printed instead so the unsolved segment can be inspected.
    """
    for candidate in range(128):
        heap[:] = [candidate]
        if cal():
            print(chr(candidate), end='')
            break
    else:
        print(cur)

# Driver: drop the leading 0x07, then split the dump on each 0x07 separator
# and run every program through vm() as soon as it is complete.
del instr[0]
cur = []
while instr:
    byte = instr.pop(0)
    if byte == 0x07:
        vm()
        cur.clear()
    else:
        cur.append(byte)

misc1 Seethroughallnetwork

题目给了一个 Goerli 网络的地址,查看其 transaction 的 data 字段,发现其中有一个 IPFS 地址,指向一个 flag.psd 文件;该文件的两个图层即为 flag 的二维码。

misc2 广为人知的秘密

将题面内容转成钱包私钥,导入后得到对应的地址,再查看该地址的 transaction。

QQ20241009-105503

QQ20241009-105451

misc4 Secret of the Varied Gif

压缩包里有一个 gif 和一个加密文件;用 binwalk 可以从 gif 中分离出一个压缩包,解压后得到一个文本文件。

image-20241110181522212

搜索可以发现这是 SVG 的路径数据,放进 <path> 标签即可还原出这个 SVG。

image-20241110181625265

这是一个猪圈密码,解出来是 acadesvc;无语的是正确的密码其实是 acadesvg,这道题目本身有误,只能靠猜或者爆破出来了。