
[buuctf.reverse] 151_ [FlareOn6]DnsChess

2022-07-04 21:20:00 Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi

This challenge ships three attachments.

ChessUI should be the main program, but the game logic is not in it: it loads a shared library for that.

ChessAI.so should hold the main processing code. There are only a few functions inside, and only getNextMove is of interest.

capture.pcap is the traffic captured between the client and the server. Exporting the captured packets to text gives this (first six packets shown):

No.	Time	Source	Destination	Protocol	Length	Data	Info
1	0.000000	192.168.122.1	192.168.122.29	DNS	122		Standard query 0xabfd A rook-c3-c6.game-of-thrones.flare-on.com OPT
2	0.001078	192.168.122.29	192.168.122.1	DNS	188		Standard query response 0xabfd A rook-c3-c6.game-of-thrones.flare-on.com A 127.150.96.223 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT
3	1.022791	192.168.122.1	192.168.122.29	DNS	124		Standard query 0x6dc5 A knight-g1-f3.game-of-thrones.flare-on.com OPT
4	1.023794	192.168.122.29	192.168.122.1	DNS	190		Standard query response 0x6dc5 A knight-g1-f3.game-of-thrones.flare-on.com A 127.252.212.90 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT
5	2.046579	192.168.122.1	192.168.122.29	DNS	122		Standard query 0xa3e4 A pawn-c2-c4.game-of-thrones.flare-on.com OPT
6	2.048882	192.168.122.29	192.168.122.1	DNS	188		Standard query response 0xa3e4 A pawn-c2-c4.game-of-thrones.flare-on.com A 127.215.177.38 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT

Each response packet carries the queried name together with an IP address.

Now look at getNextMove():

__int64 __fastcall getNextMove(int a1, const char *a2, unsigned int a3, unsigned int a4, __int64 a5)
{
  struct hostent *v9; // [rsp+20h] [rbp-60h]
  char *v10; // [rsp+28h] [rbp-58h]
  char dest[72]; // [rsp+30h] [rbp-50h] BYREF
  unsigned __int64 v12; // [rsp+78h] [rbp-8h]

  v12 = __readfsqword(0x28u);
  strcpy(dest, a2);                             // piece name, e.g. "rook"
  get_place_name(dest, a3);                     // from-square, e.g. "-c3"
  get_place_name(dest, a4);                     // to-square, e.g. "-c6"
  strcat(dest, ".game-of-thrones.flare-on.com");// query name, e.g. rook-c3-c6.game-of-thrones.flare-on.com
  v9 = gethostbyname(dest);                     // DNS lookup; the A record in the answer carries the data
  if ( !v9 )
    return 2LL;
  v10 = *v9->h_addr_list;                       // the four octets of the returned IP address
  if ( *v10 != 127 || (v10[3] & 1) != 0 || a1 != (v10[2] & 0xF) )// first octet must be 127, low bit of the last octet must be 0, low nibble of the third octet must equal the move index a1
    return 2LL;
  sleep(1u);
  byte_4060[2 * a1] = v10[1] ^ qword_2020[2 * a1];// second octet is the XOR key; each move decrypts two bytes of qword_2020
  byte_4060[2 * a1 + 1] = v10[1] ^ qword_2020[2 * a1 + 1];
  *(_DWORD *)a5 = (unsigned __int8)v10[2] >> 4;
  *(_DWORD *)(a5 + 4) = (unsigned __int8)v10[3] >> 1;
  strcpy((char *)(a5 + 8), off_4120[a1]);
  return (unsigned __int8)v10[3] >> 7;
}

First the IP address is placed in the array v10, one byte per octet. If the first octet is not 127 the function returns; this is a filter on the packets, and anything unrelated to the flag is dropped here:

if ( *v10 != 127 || (v10[3] & 1) != 0 || a1 != (v10[2] & 0xF) )// first octet must be 127, low bit of the last octet must be 0, low nibble of the third octet must equal the move index a1
    return 2LL;

The condition v10[3] & 1 != 0 filters as well; after filtering, 15 packets remain.

a1 is a parameter passed in. I don't know its value here, but judging by the name it should be the packet's serial number. After entering the function, the packet contents and the serial number are checked.

The next two statements should be what handles the flag. If a1 is the serial number, two bytes are processed per packet: the ciphertext is bytes_2020 and the key is the second octet of the IP address:

byte_4060[2 * a1] = v10[1] ^ qword_2020[2 * a1];// second octet is the XOR key; each move decrypts two bytes of qword_2020
byte_4060[2 * a1 + 1] = v10[1] ^ qword_2020[2 * a1 + 1];

Based on this, write the following program:

<?php
// Parse the text export of capture.pcap and redo the decoding from getNextMove() offline.
$str = file_get_contents("capture.txt");
preg_match_all("|response (0x[0-9a-f]{1,6}) A ([0-9a-z\-]{10,20}).game-of-thrones.flare-on.com A ([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+) NS ns1.game-of-thrones.flare-on.com|iUms", $str, $arg);
#print_r($arg);
// ciphertext table (unk_2020 / qword_2020) dumped from ChessAI.so
$unk_2020 =[0x79,0x5A,0xB8,0xBC,0xEC,0xD3,0xDF,0xDD,0x99,0xA5,0xB6,0xAC,0x15,0x36,0x85,0x8D,0x09,0x08,0x77,0x52,0x4D,0x71,0x54,0x7D,0xA7,0xA7,0x08,0x16,0xFD,0xD7];

$b = [];
foreach($arg[1] as $i=>$v){
	// same filter as getNextMove(): first octet must be 127, low bit of the last octet must be 0
	// (in PHP `!=` binds tighter than `&`, so the parentheses are needed)
	if ($arg[3][$i] != 127 || ($arg[6][$i] & 1) != 0) continue;
	$a = $arg[5][$i] & 0xf;        // low nibble of the third octet: position of this 2-byte pair
	$key = $arg[4][$i];            // second octet: XOR key
	$b[$a] = chr($unk_2020[2*$a] ^ $key) . chr($unk_2020[2*$a+1] ^ $key);
	echo "$a,".$arg[2][$i]."\r\n"; // position and the move that carried it
}
ksort($b);                         // order the pairs by position
$flag = "";
foreach($b as $v) $flag .= $v;
print_r($b);
print($flag);
// LooksLikeYouLockedUpTheLookupZ
// flag{LooksLikeYouLockedUpTheLookupZ@flare-on.com}
?>
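As an added cross-check, not part of the original writeup, here is the same decoding in Python applied to the three responses quoted from the capture above. It mirrors every check from getNextMove and shows that the first response (rook-c3-c6) is a decoy, while the other two yield positions 1 and 4 of the flag; unknown positions are filled with "?".

```python
import re

# Ciphertext table unk_2020 / qword_2020 as dumped from ChessAI.so in the writeup above.
UNK_2020 = [0x79,0x5A,0xB8,0xBC,0xEC,0xD3,0xDF,0xDD,0x99,0xA5,0xB6,0xAC,0x15,0x36,0x85,0x8D,
            0x09,0x08,0x77,0x52,0x4D,0x71,0x54,0x7D,0xA7,0xA7,0x08,0x16,0xFD,0xD7]

# Sample input: the three DNS responses listed in the capture excerpt (Wireshark text export).
SAMPLE_LINES = """\
2\t0.001078\t192.168.122.29\t192.168.122.1\tDNS\t188\t\tStandard query response 0xabfd A rook-c3-c6.game-of-thrones.flare-on.com A 127.150.96.223 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT
4\t1.023794\t192.168.122.29\t192.168.122.1\tDNS\t190\t\tStandard query response 0x6dc5 A knight-g1-f3.game-of-thrones.flare-on.com A 127.252.212.90 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT
6\t2.048882\t192.168.122.29\t192.168.122.1\tDNS\t188\t\tStandard query response 0xa3e4 A pawn-c2-c4.game-of-thrones.flare-on.com A 127.215.177.38 NS ns1.game-of-thrones.flare-on.com A 127.0.0.1 OPT
"""

RESP_RE = re.compile(
    r"query response \S+ A ([0-9a-z-]+)\.game-of-thrones\.flare-on\.com A (\d+)\.(\d+)\.(\d+)\.(\d+)")


def decode_response(ip):
    """Apply getNextMove()'s checks to one A record. Returns (position, two chars) or None."""
    b0, b1, b2, b3 = ip
    if b0 != 127 or (b3 & 1) != 0:
        return None                      # wrong first octet or odd last octet: decoy answer
    idx = b2 & 0xF                       # low nibble of the third octet selects the 2-byte slot
    pair = bytes([UNK_2020[2 * idx] ^ b1, UNK_2020[2 * idx + 1] ^ b1])  # second octet is the key
    return idx, pair.decode("latin-1")


def recover(text):
    """Scan exported DNS lines and collect every decoded slot: {position: two chars}."""
    found = {}
    for m in RESP_RE.finditer(text):
        ip = tuple(int(x) for x in m.group(2, 3, 4, 5))
        hit = decode_response(ip)
        if hit:
            found[hit[0]] = hit[1]
    return found


def assemble(found, slots=len(UNK_2020) // 2):
    """Lay the slots out in order; slots not seen in the capture become '??'."""
    return "".join(found.get(i, "??") for i in range(slots))


if __name__ == "__main__":
    parts = recover(SAMPLE_LINES)
    print(parts)                         # {4: 'eY', 1: 'ok'}
    print(assemble(parts))               # ??ok????eY????????????????????
```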


Copyright notice
This article was written by [Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi]; please include a link to the original when reposting.
https://yzsam.com/2022/185/202207042013291605.html