
2022 巅峰极客 preliminary round Misc writeup

Posted: 2022-08-18 17:47:55
Tags: 极客 48 32 Misc preliminary mac blist key first

I had no idea how to approach misc1 at first, so I switched to misc2, which promptly wrecked my computer. Scary stuff; I'll be traumatised by the registry from now on. Luckily my teammates carried and we coasted into the finals. The writeups here were reproduced this morning after I fixed the machine...

easy_Forensic

Got the memory image, so first a round of analysis with Volatility (vol). There turned out to be plenty of interesting material on the desktop, so I loaded the image into 取证大师 (Forensic Master) and extracted all of it.

In gift.jpg the lower-left corner is clearly covering something, so patch the image's declared width/height (the hidden rows are still in the file; only the header dimensions crop them) and, combined with the hint, that gives the password:

Nothing_is_more_important_than_your_life!
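Patching the height declared in a JPEG's SOF segment is how the covered corner of gift.jpg is exposed: decoders render as many rows as the header says, so raising that number makes them keep decoding scan data that the original height hid. The following Python is an added example, not code from the original writeup; it walks the marker segments, finds the first SOFn header and rewrites the height (and optionally width) in place. The embedded header bytes are constructed for the demonstration and are not gift.jpg.

```python
import struct
import sys

# Every SOFn marker (baseline, progressive, lossless, differential, arithmetic variants).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RSTn carry no length field


def find_sof(data: bytes) -> int:
    """Return the offset of the first SOFn payload (the byte right after its 2-byte length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte in front of a marker
            pos += 1
            continue
        if marker in STANDALONE:    # nothing to skip after these
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows and SOF must precede it
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            return pos + 4
        pos += 2 + seg_len          # marker (2) + length field and payload
    raise ValueError("no SOF segment before SOS/EOI")


def get_dimensions(data: bytes):
    """(width, height) as declared in the SOF payload: precision(1) height(2) width(2) ..."""
    off = find_sof(data)
    height, width = struct.unpack(">HH", data[off + 1:off + 5])
    return width, height


def patch_dimensions(data: bytes, height=None, width=None) -> bytes:
    """Rewrite the declared height and/or width; scan data is untouched, so a larger
    height makes decoders render rows that the original header cropped away."""
    off = find_sof(data)
    old_w, old_h = get_dimensions(data)
    new = struct.pack(">HH", height if height is not None else old_h,
                      width if width is not None else old_w)
    return data[:off + 1] + new + data[off + 5:]


# Constructed sample (not gift.jpg): SOI, a JFIF APP0 segment and a baseline SOF0
# declaring 320x240 with one 8-bit component. No scan data; enough for header parsing.
SAMPLE_JPEG_HEAD = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", 240, 320) + b"\x01\x01\x11\x00"
)

if __name__ == "__main__":
    # usage: python jpeg_height.py in.jpg out.jpg NEW_HEIGHT
    src, dst, new_h = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, "rb") as f:
        img = f.read()
    print("declared (w, h):", get_dimensions(img))
    with open(dst, "wb") as f:
        f.write(patch_dimensions(img, height=new_h))
```

JPEG has no checksum over the header, so the patched file opens directly in any viewer. PNG stores its dimensions in the IHDR chunk, which is covered by a CRC, so the same trick there needs the CRC recomputed (or a viewer that ignores it).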

Extracting the archive gives 'gift': wHeMscYvTluyRvjf5d7AEX5K4VlZeU2IiGpKLFzek1Q=

There is also a wechat.txt in memory; extracting and examining it shows it is an encrypted WeChat database. The database key is 32 bytes, and the base64-decoded 'gift' above is also 32 bytes (its hex form is the key hard-coded in the script below), so the following script decrypts the WeChat database successfully:

# -*- coding: utf-8 -*-
from Crypto.Cipher import AES
import hashlib, hmac, struct

SQLITE_FILE_HEADER = bytes("SQLite format 3", encoding='ASCII') + bytes(1)  # 16-byte SQLite file header
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096  # 4048 bytes data + 16 IV + 20 HMAC + 12 reserved
DEFAULT_ITER = 64000
# your key: the base64-decoded 'gift', written as hex
password = bytes.fromhex("C0778CB1C62F4E5BB246F8DFE5DEC0117E4AE15959794D88886A4A2C5CDE9354".replace(' ', ''))
with open(r'1.db', 'rb') as f:
    blist = f.read()
print(len(blist))

salt = blist[:16]  # WeChat replaces the SQLite file header with the salt
key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)  # derive the page key

first = blist[16:DEFAULT_PAGESIZE]  # first page with the salt dropped

mac_salt = bytes([x ^ 0x3a for x in salt])  # HMAC key uses the salt XOR 0x3a
mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)

hash_mac = hmac.new(mac_key, digestmod='sha1')  # verify the key against the first page's HMAC
hash_mac.update(first[:-32])                    # page data + IV
hash_mac.update(struct.pack('<I', 1))           # page number 1, 4-byte little-endian
if hash_mac.digest() == first[-32:-12]:
    print('Correct Password')
else:
    raise RuntimeError('Wrong Password')

pages = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]
with open(r'path\MSG0_dec.db', 'wb') as f:
    f.write(SQLITE_FILE_HEADER)  # put the file header back
    t = AES.new(key, AES.MODE_CBC, first[-48:-32])  # the IV sits right after the page data
    f.write(t.decrypt(first[:-48]))
    f.write(first[-48:])  # keep IV + HMAC + reserved so the page size is unchanged
    for page in pages:
        t = AES.new(key, AES.MODE_CBC, page[-48:-32])
        f.write(t.decrypt(page[:-48]))
        f.write(page[-48:])

Decryption succeeded. Open the database with Navicat (be sure to pick SQLite as the connection type); the flag is right there:

flag{The_Is_Y0ur_prize}

powerpower

Ugh, this one wrecked my computer and cost me a whole day of downtime, I can't even (

In the registry, software/Microsoft/dfs and software/Microsoft/ctf hold the encrypted ciphertext and the encryption method respectively. A quick search online turned up the matching decryption script:

# The passphrase is the value stored under SOFTWARE\Microsoft\BidInterface
$Passphrase = Read-Host 'Enter the secret pass phrase'

# Ciphertext pulled out of the registry and saved to a file
$Path = "C:\Users\16334\Desktop\secret.txt"

# Pad or truncate the passphrase to 24 characters and cast to bytes: a 24-byte (AES-192) key
$key = [Byte[]]($Passphrase.PadRight(24).Substring(0,24).ToCharArray())

try
{
    # ConvertTo-SecureString -Key reverses ConvertFrom-SecureString -Key (plain AES, no DPAPI involved)
    $decryptedTextSecureString = Get-Content -Path $Path -Raw |
        ConvertTo-SecureString -Key $key -ErrorAction Stop

    # PSCredential is the easiest way to get the plaintext back out of a SecureString
    $cred = New-Object -TypeName System.Management.Automation.PSCredential('dummy', $decryptedTextSecureString)
    $decryptedText = $cred.GetNetworkCredential().Password
}
catch
{
    $decryptedText = '(wrong key)'
}
"The decrypted secret text: $decryptedText"

As the encryption script shows, the password lives under SOFTWARE\Microsoft\BidInterface; grab it from there and decrypt directly.

Lost

Still working on reproducing it (

From: https://www.cnblogs.com/zysgmzb/p/16599501.html
