巅峰极客 决赛 re wp

misc

开端：strangeTempreture

根据提示 温度传感器有异常数据

看到modbus中的reg0 绝大多数都是0或者27 但也有很大的数 猜测这就是温度

导出流量包到json

先正则匹配拿

with open("1.json","r",encoding="utf-8") as f:a=f.read()
a=a.split("\n")
d=[]
for x in a:if "Register 0 (UINT16):" in x:print(x)

再手敲对应的异常的数

d=[23149,30824,23091,29493,20018,19053,23127,18807,19833,12653,22868,22122,19543,18024,20077,22900,22871,20856,23123,12341,22906,22123,19834,26730,20090,20784,20311,22073]
for x in d:print(hex(x)[2:].zfill(4),end="")

得到

5a6d78685a3373354e324a6d5a5749774d79316d5954566a4c5746684e6d5974595751785a533035597a566b4d7a686a4e7a51304f575639

得到base64

得到flag

1-3：babyProtocol

题目说控制流量 只用看udp即可

可以看到data中有两个字节一直在变 其中一个都是可见字符

先把所有udp导出到json

再尝试提取这两个字节

import rewith open("udp.json","r",encoding="utf-8") as f:a=f.read()
a=a.split("\n")
e=[]
for x in a:if "data.data" in x:e.append(x.split(":"))print(x)
for i in range(len(e[0])):d1=[x[i] for x in e]f=""for x in d1:f+=xprint(f)

提取出之后hex转ascii

发现其中一个是

一眼flag 但是顺序什么的不对 猜测另一个字节是字符顺序

a="0101030b080c11151a1e2718050305060a0c141719191b1c1e271804030405060708090d0e0a090e0f0f140e16191c27270102030405060708090a0b0c0d0e0f101112131415161728191a1b1c1d1e1f202122232425262718251d060401021024091006222426200202050b11261c04080d0a081a20"
b="6666616462393830653835647b617b363439353963632d643835646761677b363862333264343364383835643363643535666c61677b3638623334643932643861383434353033397d63652d6436383139643233363264356432363667666c6136336136323664396c6c7b6438646467623234626539"
c='00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",80",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",80",00",00",00",00",00",00",00",00",00",00",80",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",80",00",00",80",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",00",'.replace('"','').replace(",","")
eddd_a="ffadb980e85d{a{64959cc-d85dgag{68b32d43d885d3cd55flag{68b34d92d8a8445039}ce-d6819d2362d5d266gfla63a626d9ll{d8ddgb24be9"
tem=[0]*1000
a=re.findall(".{2}",a)
c=re.findall(".{2}",c)
for index in range(len(a)):x=int(a[index],16)tem[x]=eddd_a[index]print(str(x).zfill(2),eddd_a[index],c[index])
print(tem)

得到flag{68b34d92d8a8445039dce-d6819d2362d5}

但是不对 这时候返回去看 其实还有一个字节 (最后一个)有变化 只有80和00两种

尝试将80的字符删掉

即flag{68b34d92d88445039dced6819d2362d5}

re

easy_mb

go arm 跑不起来 qemu也没跑起来

直看到左边

点开一看 Encrypt有内容 Decrypt没内容 稳了

然后开始几个小时的不知道干嘛的找enc和key时间

想了半天想起来&31好像是rc5

先尝试化简一下加密逻辑

确实是RC5

然后找enc和key

client里面看到一个指针调用 上面是New 猜测这个就调用的Encrypt

右键 set call type改一下

根据rc5的特点和byte_145A30长8字节 这个就是enc

最顶上调用了一个byte_146DD0 长16字节 这个是原始密钥

然后偷脚本改脚本

#include <stdio.h>
#include <iostream>
#include <stdio.h>
#include <string>
#include <iostream>
#include <cstring>
using namespace std;
#define ROTL32(x, c) (((x) << (c)) | ((x) >> (32 - c)))
#define ROTR32(x, c) (((x) >> (c)) | ((x) << (32 - c)))
#define ROTL(x, y) (((x) << (y & (32 - 1))) | ((x) >> (32 - (y & (32 - 1)))))
#define ROTR(x, y) (((x) >> (y & (32 - 1))) | ((x) << (32 - (y & (32 - 1)))))
int w = 32; //字长 32bit 4字节
int r = 12; // 12;//加密轮数12
int b = 16; //主密钥(字节为单位8bit)个数  这里有16个
int t = 26; // 2*r+2=12*2+2=26
int c = 4;  //主密钥个数*8/w = 16*8/32
void generateChildKey(uint8_t *KeyK, uint32_t *ChildKeyS)
{// const double e = 2.718281828459;// const double Phia = 1.618033988749;int PW = 0xB7E15163; // 0xb7e1;int QW = 0x9E3779B9; // 0x9e37;//genggaiint i;int u = w / 8; // b/8;uint32_t A, B, X, Y;uint32_t L[4]; // c=16*8/32A = B = X = Y = 0;//初始化数组SChildKeyS[0] = PW;printf("\n初始子密钥（没有主密钥的参与）：\n%.8X ", ChildKeyS[0]);for (i = 1; i < t; i++) // t=26{if (i % 13 == 0)printf("\n");ChildKeyS[i] = (ChildKeyS[i - 1] + QW);printf("%.8X ", ChildKeyS[i]);}printf("\n");//将K数组转换为L数组for (i = 0; i < c; i++) //初始化L数组c=8{L[i] = 0;}for (i = b - 1; i != -1; i--) // b=16  转换主密钥数组（16个 单位为8bit）为L数组（8个单位为16bit），数组L每一元素长为16bit，数组K每一元素长为8bit{L[i / u] = (L[i / u] << 8) + KeyK[i];}printf("\n把主密钥变换为4字节单位：\n");for (i = 0; i < c; i++) // 16进制输出gaidong{printf("%.8X ", L[i]);}printf("\n\n");//产生子密钥，存储在ChildKeyS中for (i = 0; i < 3 * t; i++){X = ChildKeyS[A] = ROTL(ChildKeyS[A] + X + Y, 3);A = (A + 1) % t;Y = L[B] = ROTL(L[B] + X + Y, (X + Y));B = (B + 1) % c;}printf("生成的子密钥（初始主密钥参与和初始子密钥也参与）：");for (i = 0; i < t; i++) // 16进制输出{if (i % 13 == 0)printf("\n");printf("0X%.8X, ", ChildKeyS[i]);}printf("\n\n");
}
/**5、    加密函数加密函数
*/
void Encipher(uint32_t *In, uint32_t *Out, uint32_t *S)
{uint32_t X, Y; //定义两个16位存储器int i, j;for (j = 0; j < 2; j += 2){X = In[j] + S[0];     // In[j]+S[0];Y = In[j + 1] + S[1]; // In[j+1]+S[1];for (i = 1; i <= 12; i++){X = ROTL((X ^ Y), Y) + S[2 * i];     // X=ROTL((X^Y),Y) + S[2*i];   异或，循环移位，相加 //ROTL(x,y) (((x)<<(y&(w-1))) | ((x)>>(w-(y&(w-1)))))Y = ROTL((Y ^ X), X) + S[2 * i + 1]; // Y=ROTL((Y^X),X) + S[2*i+1];}Out[j] = X;Out[j + 1] = Y; //密文}
}
void Decipher(uint32_t *In, uint32_t *Out, uint32_t *S)
{int i = 0, j;uint32_t X, Y;for (j = 0; j < 2; j += 2){X = In[j];Y = In[j + 1];for (i = 12; i > 0; i--){Y = ROTR(Y - S[2 * i + 1], X) ^ X; // Y = ROTR(Y-S[2*i+1],X)^X;相减，循环移位，异或  //ROTR(x,y) (((x)>>(y&(w-1))) | ((x)<<(w-(y&(w-1)))))X = ROTR(X - S[2 * i], Y) ^ Y;     // X = ROTR(X-S[2*i],Y)^Y;}Out[j] = X - S[0];     // Out[j]=X - S[0];Out[j + 1] = Y - S[1]; //明文 Out[j+1]=Y - S[1];}
}
int main()
{uint8_t inkey[16] = {0x2D, 0xD6, 0x45, 0x9F, 0x82, 0xC5, 0xB3, 0x00, 0x95, 0x2C, 0x49, 0x1E, 0x48, 0x81, 0xFF, 0x48};uint32_t key[26] = {0};generateChildKey(inkey, key);uint32_t v[2] = {0x73189ACE, 0x7C282BAA};uint32_t t[3] = {0};// decode(v, key);Decipher(v, t, key);puts((char *)t);
}

得到8t9Dl3Xm

然后流量包里面标明寄存器是UINT16 两个字节 然后按小端序即可

t8D93lmX