Shino

Shino Channel

$ sudo echo Shino >> YourHeart

『超高校级的幸运』WMCTF2022-NanoDiamond-Rev 抽卡实况

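# [Crypto] nanoDiamond-rev -- challenge source (WMCTF2022), as quoted in the write-up.
# The listing was collapsed onto one line by the page extraction; it is restored here.

# from Crypto.Util.number import *
import string
import secrets
from hashlib import sha256
from random import randint, shuffle, choice


def proof_of_work():
    """Gate the service behind a 4-character SHA-256 proof of work.

    A 20-character alphanumeric string is drawn with ``secrets``; the client is
    shown its last 16 characters and the SHA-256 of the whole string, and must
    send back the first 4 characters. A wrong answer ends the process with
    exit status 1.
    """
    s = ''.join([secrets.choice(string.digits + string.ascii_letters) for _ in range(20)])
    print(f'sha256(XXXX+{s[4:]}) == {sha256(s.encode()).hexdigest()}')
    if input('Give me XXXX: ') != s[:4]:
        exit(1)


ROUND_NUM = 50      # vaults that must be cleared in a row
PREROUND_NUM = 13   # questions allowed per vault
CHEST_NUM = 6       # chests (booleans) per vault

with open('flag', 'r') as f:
    flag = f.read()

# The only tokens a question may contain, after splitting on single spaces.
white_list = ['==', '(', ')', '0', '1', 'and', 'or', 'B0', 'B1', 'B2', 'B3', 'B4', 'B5']


def calc(ans, chests, expr):
    """Evaluate ``expr`` over the six chest values and pass the result to ``ans``.

    ``ans`` is either the truthful or the lying answer function chosen for this
    question. B0..B5 look unused but are the names ``eval`` resolves from this
    function's local scope.
    """
    B0, B1, B2, B3, B4, B5 = chests
    # SECURITY: eval() on client-supplied text. Nothing in this function
    # restricts ``expr``; the token whitelist enforced by the caller is the
    # only barrier, so calc() must never be called on unvalidated input.
    return ans(eval(expr))


def round():
    """Play one vault: answer up to PREROUND_NUM questions, then check the guess.

    Between 0 and 2 of the answers are negated ("lies"), at shuffled positions.
    Returns True when the final guess matches every chest.
    """
    chests = [choice((True, False)) for _ in range(CHEST_NUM)]
    print("Six chests lie here, with mimics or treasure hidden inside.")
    print("But don't worry. Skeleton Merchant knows what to do.")
    print("Be careful, Skeleton Merchant can lie twice!")
    truth = lambda r: not not r
    lie = lambda r: not r
    lie_num = randint(0, 2)
    lie_status = [truth] * (PREROUND_NUM - lie_num) + [lie] * lie_num
    shuffle(lie_status)
    for i in range(PREROUND_NUM):
        try:
            question = input('Question: ').strip()
            for word in question.split(' '):
                # Raise explicitly instead of using ``assert``: assertions are
                # stripped under ``python -O``, which would disable the only
                # filter in front of eval(). The message printed by the handler
                # below is unchanged.
                if word not in white_list:
                    raise ValueError(f"({word}) No treasure for dirty hacker!")
            result = calc(lie_status[i], chests, question)
            print(f'Answer: {result}!')
        except Exception as e:
            # A rejected or unparsable question still uses up one of the
            # PREROUND_NUM slots.
            print("Skeleton Merchant fails to understand your words.")
            print(e)
    print('Now open the chests:')
    # bool == int comparison: True == 1 and False == 0. A non-integer token
    # makes int() raise ValueError, which is not caught here.
    return chests == list(map(int, input().strip().split(' ')))


if __name__ == '__main__':
    proof_of_work()
    print('Terraria is a land of adventure! A land of mystery!')
    print('Can you get all the treasure without losing your head?')
    for i in range(ROUND_NUM):
        if not round():
            print('A chest suddenly comes alive and BITE YOUR HEAD OFF.')
            exit(0)
        else:
            print('You take all the treasure safe and sound. Head to the next vault!')
    print(f"You've found all the treasure! {flag}")

# WP (write-up): first, we have the XOR operation: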

强网杯2022 - GameMaster

// Write-up: the program is a small Texas hold'em-style game; the known information
// leads to the open-source project it is based on:
//   https://github.com/XanderUZZZER/Blackjack-master
// The interesting part is the handling of the gamemessage file, which the original
// open-source code does not have; note the cheat-code-like goldFunc function.
// Tidied up below with the unused parts removed.

/// <summary>
/// Three-stage handler selected by the player's input sequence. Each stage is
/// guarded by a 9-character and a 4-character comparison, adjusts the player's
/// bet or balance, records the balance in an environment variable, and
/// transforms the shared buffers: stage 1 XORs <c>memory</c> in place, stage 2
/// decrypts it into <c>m</c>, stage 3 deserializes <c>m</c>.
/// </summary>
/// <remarks>
/// <c>memcmp</c>, <c>memcmp1</c>, <c>memory</c> and <c>m</c> are declared
/// elsewhere in the decompiled binary; presumably the two helpers compare parts
/// of <c>input</c> with the given literal (confirm against their bodies).
/// </remarks>
private static void goldFunc(ArrayList input, Blackjack.Game game)
{
    // Stage 1: single-byte XOR (0x22) over the embedded buffer.
    if (memcmp(input, "AQLMP6579", 9))
    {
        if (!memcmp1(input, "MF3K", 4))
        {
            return;
        }
        try
        {
            game.Player.Bet -= 22m;
            for (int idx = 0; idx < memory.Length; idx++)
            {
                memory[idx] ^= 34;
            }
            Environment.SetEnvironmentVariable("AchivePoint1", game.Player.Balance.ToString());
        }
        catch
        {
            // Every failure is swallowed, as in the decompiled code.
        }
        return;
    }

    // Stage 2: Rijndael decryption of the buffer into m.
    if (memcmp(input, "Z5M0G6P16", 9))
    {
        if (!memcmp1(input, "EEPW", 4))
        {
            return;
        }
        try
        {
            game.Player.Balance += 175m;
            // Hard-coded 16-byte key (ASCII "Brainstorming!!!"). With ECB mode and
            // zero padding there is no IV and no integrity check, so anyone who
            // holds the binary can decrypt the payload.
            byte[] aesKey = new byte[16] { 66, 114, 97, 105, 110, 115, 116, 111, 114, 109, 105, 110, 103, 33, 33, 33 };
            RijndaelManaged cipher = new RijndaelManaged();
            cipher.Key = aesKey;
            cipher.Mode = CipherMode.ECB;
            cipher.Padding = PaddingMode.Zeros;
            ICryptoTransform decryptor = cipher.CreateDecryptor();
            m = decryptor.TransformFinalBlock(memory, 0, memory.Length);
            Environment.SetEnvironmentVariable("AchivePoint2", game.Player.Balance.ToString());
        }
        catch
        {
            // Swallowed; m keeps whatever value it had before.
        }
        return;
    }

    // Stage 3: deserialize the decrypted bytes.
    if (!memcmp(input, "D253Y5J0Y", 9))
    {
        return;
    }
    if (!memcmp1(input, "6VD6", 4))
    {
        return;
    }
    try
    {
        game.Player.Balance -= 27m;
        Environment.SetEnvironmentVariable("AchivePoint3", game.Player.Balance.ToString());
        // SECURITY: BinaryFormatter is documented as unsafe for untrusted data,
        // because deserialization can instantiate arbitrary types. The returned
        // object is discarded here, so anything this call does happens as a side
        // effect of deserializing m. Analyse the dumped bytes offline rather than
        // letting this call run on an analysis machine.
        BinaryFormatter formatter = new BinaryFormatter();
        MemoryStream payloadStream = new MemoryStream(m);
        formatter.Deserialize(payloadStream);
    }
    catch
    {
        // Swallowed, as in the decompiled code.
    }
}

// Write-up: copy this out, run it directly, and dump the processed gamemessage file.

混合模糊测试的分析与研究

模糊测试(Fuzz)介绍 模糊测试是一种漏洞发现手段:以某种方式自动构造输入数据并发送给目标程序,同时监测程序是否出现异常,并将导致崩溃(crash)的输入数据返回给测试人员,从而达到发现漏洞的目的。