
Hitcon2022-Checker Windows驱动文件分析

with Katzebin 就不传附件了。附件有checker.exe和check_drv.sys两个文件，checker.exe逻辑十分简单：

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  HANDLE FileW; // rax
  char *v4; // rcx
  char OutBuffer[4]; // [rsp+40h] [rbp-18h] BYREF
  DWORD BytesReturned; // [rsp+44h] [rbp-14h] BYREF

  FileW = CreateFileW(L"\\\\.\\hitcon_checker", 0xC0000000, 0, 0i64, 3u, 4u, 0i64);
  qword_140003620 = (__int64)FileW;
  if ( FileW == (HANDLE)-1i64 )
  {
    sub_140001010("driver not found\n");
    exit(0);
  }
  OutBuffer[0] = 0;
  DeviceIoControl(FileW, 0x222080u, 0i64, 0, OutBuffer, 1u, &BytesReturned, 0i64);
  v4 = "correct\n";
  if ( !OutBuffer[0] )
    v4 = "wrong\n";
  sub_140001010(v4);
  system("pause");
  return 0;
}
```

https://www.cnblogs.com/lsh123/p/7354573.html 具体可以参照这篇文章，程序整体逻辑是检测设备hitcon_checker并与该设备的驱动交互。可以发现这里的交互操作只有读取（DeviceIoControl没有传入缓冲区，只有1字节的输出缓冲区），可以知道整体逻辑应该是由hitcon_checker设备发送IRP(I/O Request Packet)包由驱动程序处理，根据处理结果返回正误。 但是我们没有这个设备….

[BlockChain] Ethernaut做题笔记(更新中)

Before Start 其实很早就开始想学区块链安全了,但是因为环境炸了、Ropsten测试链关了和懒等等原因直到Hackergame的链上记忆大师题才开始上手实操区块链题。后来在强网拟态和N1CTF等比赛中由于不熟悉ctf区块链题的交互方式也是一直在鸽子。

『超高校级的幸运』WMCTF2022-NanoDiamond-Rev 抽卡实况

[Crypto] nanoDiamond-rev 题目

```python
# from Crypto.Util.number import *
import string
import secrets
from hashlib import sha256
from random import randint, shuffle, choice


def proof_of_work():
    s = ''.join([secrets.choice(string.digits + string.ascii_letters) for _ in range(20)])
    print(f'sha256(XXXX+{s[4:]}) == {sha256(s.encode()).hexdigest()}')
    if input('Give me XXXX: ') != s[:4]:
        exit(1)


ROUND_NUM = 50
PREROUND_NUM = 13
CHEST_NUM = 6

with open('flag', 'r') as f:
    flag = f.read()

white_list = ['==','(',')','0','1','and','or','B0','B1','B2','B3','B4','B5']


def calc(ans, chests, expr):
    B0, B1, B2, B3, B4, B5 = chests
    return ans(eval(expr))


def round():
    chests = [choice((True, False)) for _ in range(CHEST_NUM)]
    print("Six chests lie here, with mimics or treasure hidden inside.")
    print("But don't worry. Skeleton Merchant knows what to do.")
    print("Be careful, Skeleton Merchant can lie twice!")
    truth = lambda r: not not r
    lie = lambda r: not r
    lie_num = randint(0, 2)
    lie_status = [truth] * (PREROUND_NUM - lie_num) + [lie] * lie_num
    shuffle(lie_status)
    for i in range(PREROUND_NUM):
        try:
            question = input('Question: ').strip()
            for word in question.split(' '):
                assert word in white_list, f"({word}) No treasure for dirty hacker!"
            result = calc(lie_status[i], chests, question)
            print(f'Answer: {result}!')
        except Exception as e:
            print("Skeleton Merchant fails to understand your words.")
            print(e)
    print('Now open the chests:')
    return chests == list(map(int, input().strip().split(' ')))


if __name__ == '__main__':
    proof_of_work()
    print('Terraria is a land of adventure! 
A land of mystery!')
    print('Can you get all the treasure without losing your head?')
    for i in range(ROUND_NUM):
        if not round():
            print('A chest suddenly comes alive and BITE YOUR HEAD OFF.')
            exit(0)
        else:
            print('You take all the treasure safe and sound. Head to the next vault!')
    print(f"You've found all the treasure! {flag}")
```

WP 首先我们有异或运算: