Went to Chengdu for 巅峰极客 and feel I understand pentesting a bit better now, though I still have no plans to touch web 23333
The range, as a simulation of the whole pentest workflow, was quite interesting; this 巅峰极客 in particular built an extremely complex internal network with three or more layers of pivoting. Of course, if you can't get past the initial web stage you never get to start the rest of the journey 233. Seen that way, using the range in the qualifiers as a filter, so nobody is left idle in the finals, makes a lot of sense.
Still, as a bin dog I'd like to see more added to the simulation, such as cracking an APK or an exe and the like~
Hope to play with msf and similar tools more when I get the chance~ internal network pentesting is good fun XD
Back to the topic
Continuing the Flare-On journey
Been slacking off a bit too long _(:з」∠)_ wasted rather a lot of time
First, a note on func_0xb3 from the previous post: the code looked familiar at the time, I just didn't think about it any further.
It is simply a CRC32 hash, computed over 1 or 3 characters.
Naturally the only way to invert it is brute force ╮(╯_╰)╭ so identifying it changes little in practice.
Still, when reversing it is always best to recognise the algorithm.
func_0x326
This function is fairly large; a quick scan shows that it processes the input in groups, switching on index % 3.
The first value is table[input>>2]
Note the HIBYTE(low) = low&3
The second value is table[input>>4]
Note that the two bits saved earlier sit in HIBYTE(low), while the new bits go into LOBYTE(low)
Now low>>4 leaves low as 0*8+0*6+[the 2 bits of the previous value] + [the 4 bits of the next value]
What does that remind you of?
Right, base64
table is that string of values from before, so this is base64 with a custom alphabet.
Once that is recognised the rest is easy: look up each symbol's index and concatenate the bits.
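As an added illustration (not code from the post or from the challenge), here is the index % 3 structure described above written out as an encoder, together with the inverse that the recovery needs. The function names are made up here and the carry bookkeeping is reconstructed from the description rather than from the decompiled output; swapping data_326 for the standard alphabet makes the encoder agree with base64.b64encode, which is the recognition check.

```python
import base64

# Standard alphabet, used only to show that the structure is ordinary base64
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Custom alphabet recovered from func_0x326 (the value quoted on this page)
TABLE_326 = b'*9_d\xc2\xa7F#SktG(MpBI%Rjb8@JiEDY-1$PgyT!Lvqf+chmQWO0eNZ4un3l7H&2wazK'


def encode_326(data, table=TABLE_326):
    """Encoder with the index % 3 grouping seen in func_0x326 (no '=' padding).

    `carry` plays the role of HIBYTE(low): the leftover low bits of the
    previous input byte, prepended to the next 6-bit symbol.
    """
    out = bytearray()
    carry = 0
    for i, byte in enumerate(data):
        phase = i % 3
        if phase == 0:
            out.append(table[byte >> 2])                   # table[input >> 2]
            carry = byte & 3                               # HIBYTE(low) = low & 3
        elif phase == 1:
            out.append(table[(carry << 4) | (byte >> 4)])  # 2 old bits + 4 new bits
            carry = byte & 0xF
        else:
            out.append(table[(carry << 2) | (byte >> 6)])  # 4 old bits + 2 new bits
            out.append(table[byte & 0x3F])                 # last 6 bits of the group
            carry = 0
    rem = len(data) % 3                                    # flush a partial group
    if rem == 1:
        out.append(table[carry << 4])
    elif rem == 2:
        out.append(table[carry << 2])
    return bytes(out)


def decode_326(text, table=TABLE_326):
    """Inverse: look up each symbol's index, join the 6-bit groups, re-split into bytes."""
    rev = {sym: idx for idx, sym in enumerate(table)}
    bits = "".join("{:06b}".format(rev[sym]) for sym in text)
    usable = len(bits) - len(bits) % 8                     # drop trailing fill bits
    return bytes(int(bits[k:k + 8], 2) for k in range(0, usable, 8))


def matches_standard(data):
    """Recognition check: with the standard alphabet the encoder is plain base64."""
    return encode_326(data, STD_ALPHABET) == base64.b64encode(data).rstrip(b"=")
```

The stored value 10835 from the recovery table below is the two symbols b"S*" in little-endian order, which decode to a single space under this alphabet.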
func_0x8f 0x7c 0x84
These three are all trivial: respectively value+13, unchanged, and value^0x2a, so nothing more to say.
func_0x2fe
This ugly structure is RC4 at a glance……
The v4 string above is the key.
So just grab an RC4 source and decrypt directly.
btw, since the RC4 key only affects how the box is shuffled, you could also rip the shuffled box out and xor along with it……with a known key this is easy to decrypt either way.
Putting it all together
From the members of the 256 structs the flag can be recovered.
python3 code
from string import printable

buff = 0
a = 1  # Fibonacci seed for func_0x147; this initial value is absent from the listing and is assumed here
b = 0
n = 1
table147 = {}
tableb31 = {}
tableb33 = {}
data_326 = b'*9_d\xc2\xa7F#SktG(MpBI%Rjb8@JiEDY-1$PgyT!Lvqf+chmQWO0eNZ4un3l7H&2wazK'
key_2fe = b"Tis but a scratch."
table326 = {}

def rc4(s):
    # standard RC4 with the key pulled from func_0x2fe; returns the plaintext as str
    result = ""
    j = 0
    box = list(range(256))
    randkey = key_2fe * (256 // len(key_2fe) + 1)
    for i in range(256):  # KSA over all 256 entries
        j = (j + box[i] + randkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    a = 0
    j = 0
    for i in range(len(s)):  # PRGA: xor each ciphertext byte with one keystream byte
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        result += chr(s[i] ^ box[(box[a] + box[j]) % 256])
    return result

def crc32(x):
    # plain CRC-32 (reflected poly 0xEDB88320, init 0xFFFFFFFF, final complement), i.e. func_0xb3
    v4 = -1
    for value in x:
        v4 = (v4 & 0xffffffff) ^ value
        for i in range(8):
            v4 = (v4 >> 1) ^ (-(v4 & 1) & 0xEDB88320)
    return ~v4 & 0xffffffff

def brute_b3_3(target):
    # 3-byte CRC32 preimage: brute force over printable characters (100^3 candidates, slow but fine)
    for a1 in printable:
        for a2 in printable:
            for a3 in printable:
                if crc32((ord(v) for v in (a1, a2, a3))) == target:
                    return (a1, a2, a3)
    return None

# build the single-byte lookup tables for 147 and b3
while n <= 255:
    # 147: Fibonacci number for byte n, truncated to 64 bits
    buff = (a + b) & 0xffffffffffffffff
    b = a
    a = buff
    table147[buff] = n
    # b3: CRC32 of the single byte n
    v4 = (-1 & 0xffffffff) ^ n
    for i in range(8):
        v4 = (v4 >> 1) ^ (-(v4 & 1) & 0xEDB88320)
    tableb31[~v4 & 0xffffffff] = n
    n += 1
# 2fe
# 326: reverse lookup for the custom base64 alphabet
for i in range(len(data_326)):
    table326[data_326[i]] = i

index = [2, 44, 16, 7, 63, 57, 48, 30, 10, 60, 13, 43, 56, 18, 17, 66, 40, 46, 0, 11, 38, 20, 50, 36, 28, 47, 5, 53, 64, 22, 14, 25, 33]
len_v = [3, 2, 1, 3, 1, 3, 2, 3, 1, 3, 1, 1, 1, 2, 1, 3, 3, 1, 2, 2, 2, 2, 3, 2, 2, 1, 2, 3, 2, 3, 2, 3, 3]
target = [[1298777728820984005, 1065587176432717357, 3524578], [10627031650760492279, 7515661444929089378], [248832578], [8662445, 0, 0], [10835], [17704020980446223138, 3082418197812910491, 6897420586020075970], [5035488507601418376, 3524578], [7501185, 0, 0], [32], [7235872, 0, 0], [116], [3524578], [127], [2639, 0], [32], [3311195574, 0, 0], [7039340, 0, 0], [79], [31606, 0], [9903, 0], [17732, 0], [25098, 0], [813048659, 0, 0], [32642, 0], [26223, 0], [102], [22851, 0], [4605962, 0, 0], [3082418197812910491, 4376692037216111008], [4407902, 0, 0], [3524578, 4376692037216111008], [7501185, 0, 0], [410219, 0, 0]]
xor_len = ['0x147', '0x147', '0xb3', '0x2fe', '0x326', '0x147', '0x147', '0x8f', '0x7c', '0x7c', '0x8f', '0x147', '0x8f', '0x84', '0x7c', '0xb3', '0x7c', '0x84', '0x8f', '0x2fe', '0x84', '0x84', '0x326', '0x8f', '0x7c', '0x7c', '0x84', '0x84', '0x147', '0x84', '0x147', '0x8f', '0x84']

flag = ["" for i in range(100)]
for i in range(33):
    print(i, target[i], len_v[i], xor_len[i], index[i], flag)
    if xor_len[i] == '0x147':
        # one 64-bit Fibonacci value per character
        for j in range(len_v[i]):
            flag[index[i] + j] = chr(table147[target[i][j]])
    elif xor_len[i] == '0xb3':
        if len_v[i] == 1:
            flag[index[i]] = chr(tableb31[target[i][0]])
        elif len_v[i] == 3:
            a = brute_b3_3(target[i][0])  # the CRC of the 3-char group is the first stored value
            if a is not None:
                flag[index[i]] = a[0]
                flag[index[i] + 1] = a[1]
                flag[index[i] + 2] = a[2]
            else:
                print("b3 not found")
    elif xor_len[i] == '0x326':
        # len_v output bytes are packed as len_v+1 base64 symbols, little-endian in one int
        b = ""
        for k in range(len_v[i] + 1):
            v = (target[i][0] >> (k * 8)) & 0xff
            b += "{:0>6b}".format(table326[v])
        l = len(b) // 8
        for k in range(l):
            flag[index[i] + k] = chr(int(b[k * 8:k * 8 + 8], 2))
    elif xor_len[i] == '0x8f':
        for j in range(len_v[i]):
            v = (target[i][0] >> (8 * j)) & 0xff
            flag[index[i] + j] = chr(v - 13)
    elif xor_len[i] == '0x7c':
        for j in range(len_v[i]):
            v = (target[i][0] >> (8 * j)) & 0xff
            flag[index[i] + j] = chr(v)
    elif xor_len[i] == '0x84':
        for j in range(len_v[i]):
            v = (target[i][0] >> (8 * j)) & 0xff
            flag[index[i] + j] = chr(v ^ 0x2a)
    elif xor_len[i] == '0x2fe':
        print(hex(target[i][0]))
        # the stored int holds len_v ciphertext bytes, little-endian; RC4-decrypt them
        s = rc4(target[i][0].to_bytes(len_v[i], 'little'))
        for j in range(len(s)):
            flag[index[i] + j] = s[j]
print("".join(flag))
That gives the output for round 1 of 666.
So tomorrow I'll look into how the remaining 665 rounds change things _(:з」∠)_