Re

joyVBS

VBScript Obfuscator/Defuscator in VBScript,用这个工具解混淆一下

得到

' Challenge banner: four dialogs, then the flag prompt.
Call MsgBox("VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment.")
Call MsgBox("It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language.")
Call MsgBox("And for me, it is the first programming language that I've leart")
Call MsgBox("Hackers! Have fun with this VBS challenge!")
flag = InputBox("Enter the FLAG:", "Hack for fun")
' The expected flag, Base64-encoded and then Caesar-shifted; the check at the
' bottom of the script reverses both layers using a shift of 26 - qwfe.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
' Arithmetic-obfuscated constant: 9 + 2 + 2 + 1 = 14, so the shift used is 12.
qwfe = 14

' Decode a Base64 string and return the decoded bytes interpreted as UTF-8 text.
' Uses two COM components that ship with Windows: MSXML2.DOMDocument converts
' the Base64 text into raw bytes via the "bin.base64" data type, and
' ADODB.Stream reinterprets those bytes as a UTF-8 string.
'   base64EncodedString - the Base64 text to decode
' Returns the decoded text.
Function Base64Decode(base64EncodedString)
    Dim doc, node, strm
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("tmp")
    node.dataType = "bin.base64"
    node.text = base64EncodedString
    Set strm = CreateObject("ADODB.Stream")
    With strm
        .Type = 1                  ' adTypeBinary: accept the raw bytes
        .Open
        .Write node.nodeTypedValue
        .Position = 0              ' rewind before switching to text mode
        .Type = 2                  ' adTypeText
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function
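' Shift every ASCII letter in str by offset positions, wrapping within its own
' case (A-Z or a-z); any other character is copied through unchanged.
'   str    - text to transform
'   offset - shift amount; negative values rotate backwards and values outside
'            -25..25 are reduced modulo 26
' Returns the transformed string ("" for an empty input).
Function Caesar(str, offset)
    Dim i, char, base, shifted
    Caesar = ""
    For i = 1 To Len(str)
        char = Mid(str, i, 1)
        ' Pick the alphabet the character belongs to; 0 means "not a letter".
        If char >= "A" And char <= "Z" Then
            base = Asc("A")
        ElseIf char >= "a" And char <= "z" Then
            base = Asc("a")
        Else
            base = 0
        End If
        If base = 0 Then
            Caesar = Caesar & char
        Else
            ' VBScript's Mod keeps the sign of the dividend, so a negative
            ' shift would land outside the alphabet; add 26 and reduce again.
            shifted = (Asc(char) - base + offset) Mod 26
            Caesar = Caesar & Chr(base + (shifted + 26) Mod 26)
        End If
    Next
End Function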

' Unwind the stored secret in the reverse order it was built: undo the Caesar
' shift (26 - qwfe) and then the Base64 layer, then compare with the input.
If flag = Base64Decode(Caesar(wefbuwiue, 26 - qwfe)) Then MsgBox "Congratulations! Correct FLAG!" Else MsgBox "Wrong flag."

直接 MsgBox Base64Decode(Caesar(wefbuwiue, 26-qwfe))

flag{VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!}

Rafflesia

这段花指令,全部nop

主函数里可以看到密文,

sub_411352 是个base64解密

sub_4111E0是对输入进行 base64加密和异或

base64码表是假的,我们调试

发现有反调试。在 Tls 里,先把 TLS的花去一下

简单过一下反调试。

运行到此时将 ZF 标志改为1

拿到正确的码表

flag{8edae458-4tf3-2ph2-9f26-1f8719ec8f8d}

exec

先解密一下代码

import base64
# Peel the nested wrapper layers: the outer Base64 text decodes to a string of
# the form exec(base64.b85decode(r"""...""")); stripping the word "exec" turns
# that into a bare decode expression, so eval() returns the next inner payload
# as bytes instead of running it. Repeat until no "exec" wrapper remains.
# NOTE: eval() on challenge-supplied data still evaluates attacker-controlled
# text; keep this in an isolated analysis environment.
data = base64.b64decode(r"""ZXhlYyhiYXNlNjQuYjg1ZGVjb2RlKHIiIiJXcTQme0N9THJBV2l...""").decode()
while "exec" in data:
    data = eval(data.replace('exec','')).decode()
# Persist the fully unwrapped source for static reading.
with open('exec_source.py','wb') as f:
    f.write(data.encode())

得到

# The obfuscator's renaming layer: single-letter aliases for builtins.
# a -> True, d -> len, G -> list, g -> range, s -> next, R -> bytes,
# o -> input, Y -> print
a, d, G, g = True, len, list, range
s, R, o, Y = next, bytes, input, print
def l(S):
    """RC4 pseudo-random generation (PRGA) over the permutation ``S``.

    ``S`` is a 256-entry list that is swapped in place on every step; each
    iteration yields one keystream value (an int in 0..255). The generator
    never terminates on its own.
    """
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]
def N(key, O):
    """Encrypt or decrypt ``O`` with an RC4 keystream derived from ``key``.

    Standard RC4 key scheduling (KSA) builds the permutation, then every byte
    of ``O`` is XORed with ``keystream_byte + 2``. Mind the precedence in the
    original ``k^s(z)+2``: it is ``k ^ (s(z) + 2)``, not ``(k ^ s(z)) + 2``.
    Because the keystream depends only on ``key``, applying N a second time
    to its own output recovers the input.

    Returns a ``bytes`` object the same length as ``O``. ``bytes()`` raises
    ValueError if a keystream value of 254 or 255 pushes ``k ^ (ks + 2)``
    past 255.
    """
    klen = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % klen]) % 256
        S[i], S[j] = S[j], S[i]
    stream = l(S)
    return bytes(byte ^ (next(stream) + 2) for byte in O)
def E(s, parts_num):
    """Split the bytes ``s`` into ``parts_num`` consecutive slices.

    Slice lengths differ by at most one, with the earlier slices taking the
    extra bytes. The total length is taken from ``len(s.decode())`` -- the
    *character* count -- so for input containing multi-byte UTF-8 sequences
    the slices cover fewer bytes than ``s`` holds; for ASCII flags the two
    coincide.

    Raises ZeroDivisionError when ``parts_num`` is 0 and UnicodeDecodeError
    when ``s`` is not valid UTF-8.
    """
    base, extra = divmod(len(s.decode()), parts_num)
    parts = []
    start = 0
    for idx in range(parts_num):
        # The first ``extra`` slices are one byte longer.
        end = start + base + (1 if idx < extra else 0)
        parts.append(s[start:end])
        start = end
    return parts
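if __name__ == '__main__':
    L = o('input the flag: >>> ').encode()
    # NOTE: assert is stripped under ``python -O``; acceptable for a challenge script.
    assert d(L) % 2 == 0, 'flag length should be even'
    t = b'v3ry_s3cr3t_p@ssw0rd'
    # Split the flag in two; each half is encrypted with a fresh keystream.
    O = E(L, 2)
    U = [N(t, part).hex() for part in O]
    # Expected ciphertext of the two halves, as hex. The second literal was
    # missing its opening quote in the dumped source (a SyntaxError).
    if U == ['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60', '2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
        Y('Congratulations! You got the flag!')
    else:
        Y('Wrong flag!')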

可以写个正则简单去一下混淆,其实也没必要,大致可以看出来是个RC4

import re

# Replacement rules: regex (whole-word, single-letter alias) -> builtin name.
replace_dict = {
    r'\ba\b': 'True',
    r'\bd\b': 'len',
    r'\bG\b': 'list',
    r'\bg\b': 'range',
    r'\bs\b': 'next',
    r'\bR\b': 'bytes',
    r'\bo\b': 'input',
    r'\bY\b': 'print',
}
# Paste the obfuscated source between the quotes.
code = """

"""
def replace_obfuscation(code, replace_dict):
    """Apply every ``pattern -> replacement`` rule in ``replace_dict`` to ``code``.

    Rules run in dictionary order, each as a regex substitution over the whole
    text, so text inserted by one rule is visible to the rules after it. The
    substitutions are purely textual: they also rewrite matches inside string
    literals and comments, and they rename local parameters that happen to
    share a letter with a rule (for example ``def E(s, ...)``).
    """
    cleaned = code
    for pattern, replacement in replace_dict.items():
        cleaned = re.compile(pattern).sub(replacement, cleaned)
    return cleaned

# Apply the rules to the pasted source.
clean_code = replace_obfuscation(code, replace_dict)

# Show the de-obfuscated result.
print(clean_code)

由于RC4是对称加密,我们直接在原程序上修改,调用原来的加密函数 N解密即可


# The obfuscator's renaming layer: single-letter aliases for builtins.
# a -> True, d -> len, G -> list, g -> range, s -> next, R -> bytes,
# o -> input, Y -> print
a, d, G, g = True, len, list, range
s, R, o, Y = next, bytes, input, print
def l(S):
    """RC4 pseudo-random generation (PRGA) over the permutation ``S``.

    ``S`` is a 256-entry list that is swapped in place on every step; each
    iteration yields one keystream value (an int in 0..255). The generator
    never terminates on its own.
    """
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]
def N(key, O):
    """Encrypt or decrypt ``O`` with an RC4 keystream derived from ``key``.

    Standard RC4 key scheduling (KSA) builds the permutation, then every byte
    of ``O`` is XORed with ``keystream_byte + 2``. Mind the precedence in the
    original ``k^s(z)+2``: it is ``k ^ (s(z) + 2)``, not ``(k ^ s(z)) + 2``.
    Because the keystream depends only on ``key``, applying N a second time
    to its own output recovers the input -- which is what the solver relies on.

    Returns a ``bytes`` object the same length as ``O``. ``bytes()`` raises
    ValueError if a keystream value of 254 or 255 pushes ``k ^ (ks + 2)``
    past 255.
    """
    klen = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % klen]) % 256
        S[i], S[j] = S[j], S[i]
    stream = l(S)
    return bytes(byte ^ (next(stream) + 2) for byte in O)
def E(s, parts_num):
    """Split the bytes ``s`` into ``parts_num`` consecutive slices.

    Slice lengths differ by at most one, with the earlier slices taking the
    extra bytes. The total length is taken from ``len(s.decode())`` -- the
    *character* count -- so for input containing multi-byte UTF-8 sequences
    the slices cover fewer bytes than ``s`` holds; for ASCII flags the two
    coincide.

    Raises ZeroDivisionError when ``parts_num`` is 0 and UnicodeDecodeError
    when ``s`` is not valid UTF-8.
    """
    base, extra = divmod(len(s.decode()), parts_num)
    parts = []
    start = 0
    for idx in range(parts_num):
        # The first ``extra`` slices are one byte longer.
        end = start + base + (1 if idx < extra else 0)
        parts.append(s[start:end])
        start = end
    return parts

def decrypt(enc):
    """Return the plaintext of ``enc`` under the challenge's fixed RC4 key.

    ``N`` is the challenge's own encrypt routine; XOR with the keystream is an
    involution, so feeding it the ciphertext yields the original bytes.
    """
    return N(b'v3ry_s3cr3t_p@ssw0rd', enc)
if __name__ == '__main__':
    # Ciphertext halves copied from the challenge's comparison list (hex).
    enc1 = '1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60'
    enc2 = '2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a'
    # Each half was encrypted with its own keystream, so decrypt them
    # separately and join the plaintext halves.
    flag = b''.join(decrypt(bytes.fromhex(part)) for part in (enc1, enc2))
    Y(flag)
    # b'flag{thEn_I_Ca5_BE_YoUR_Onl7_ExeCUti6n_So_Use_m3_t0_R0n_tH17_Ex3Cuti0n}'

RE5

main 函数和 tea加密函数里都有除0异常,

异常处理修改了 key 和 sum：key 改成了 [2,2,3,3]

sum则改成了随机生成

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Reverse one 64-bit TEA-style block in place.
 *
 * v: two 32-bit words of ciphertext, overwritten with the plaintext.
 * k: four 32-bit key words.
 *
 * Unlike textbook TEA the per-round "sum" is not a multiple of the delta
 * constant: it is a running total of rand() results, so the caller's srand()
 * seed and the number of earlier decrypt() calls determine the schedule.
 * Every sum is echoed to stdout as it is generated.
 */
void decrypt (uint32_t* v, uint32_t* k) {
    uint32_t lo = v[0], hi = v[1];
    uint32_t ks0 = k[0], ks1 = k[1], ks2 = k[2], ks3 = k[3];
    uint32_t sums[32];
    uint32_t acc = 0;

    /* Build the round schedule: each entry is the previous one plus rand(). */
    for (int r = 0; r < 32; r++) {
        acc += (uint32_t)rand();
        sums[r] = acc;
        printf("%x ", sums[r]);
    }
    printf("\n");

    /* Undo the rounds in reverse order, last schedule entry first. */
    for (int r = 31; r >= 0; r--) {
        uint32_t sum = sums[r];
        hi -= ((lo << 4) + ks2) ^ (lo + sum) ^ ((lo >> 5) + ks3);
        lo -= ((hi << 4) + ks0) ^ (hi + sum) ^ ((hi >> 5) + ks1);
    }
    v[0] = lo;
    v[1] = hi;
}

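/*
 * Decrypt the four 64-bit blocks of the challenge ciphertext and print the
 * result as a string.
 *
 * srand(0) reproduces the challenge's rand()-derived round sums; the blocks
 * are processed in order so the PRNG state advances the same way.
 */
int main(void){
    srand(0);
    /* Eight 32-bit ciphertext words plus a trailing zero word: the plaintext
     * fills all 32 bytes, so without the extra word printf("%s") would read
     * past the end of the array looking for a NUL terminator. */
    uint32_t v[9] = {0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74, 0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61, 0};
    uint32_t k[4] = {2, 2, 3, 3};

    for (int i = 0; i < 8; i += 2) {
        decrypt(v + i, k);
    }
    /* %s expects a char pointer; the bytes are printed in memory order. */
    printf("%s\n", (const char *)v);
    return 0;
}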
/*
26 1e4d 7143 7ac8 9d5f cb74 ec21 16a3e 19310 20aa4 22181 28f45 293bb 294d4 2e50d 3233e 3462f 3acdc 3b891 3f1e9 443d9 4c06c 51503 57a35 5c24e 5c779 6384a 6410a 66707 6e51d 6eeab 6f0f9
348 4be3 8dee e0e3 13d1e 16e67 19f0f 1a272 215cf 230ad 29eec 2e4cb 36038 3b0a0 3e054 459db 47775 4ba1f 4d7ec 54ac8 57abf 5af80 60ec4 63c45 66c6e 68876 69191 6dcd1 73333 76a6b 7d39b 7d7e9
5494 7568 d479 14149 15727 1b7eb 1eefc 22299 234e4 27623 2b1bf 2f005 2fac0 365af 3d676 41cca 45deb 46a3b 49866 4f436 4f525 5057f 51073 5817c 58d4b 5b5aa 605df 65970 69804 6c53a 72ab9 76142
270 1e09 89ba bbd8 11a3f 14a0b 1c41c 22070 25d73 2c1f2 2f38e 35291 38cdb 3e5d1 4006c 42f8a 43d77 49fde 4a055 4e990 54f52 59bf6 5dbc4 5f314 63788 64581 68047 6e402 71c7c 78ed4 7f676 873fc
d555ce75ec293c8ed232d83dffb0ff82
*/