REVERSE-PRACTICE-BUUCTF-30
- [RCTF2019]DontEatMe
- [b01lers2020]little_engine
- [NPUCTF2020]你好sao啊
- [MRCTF2020]Shit
[RCTF2019]DontEatMe
An .exe that takes input when run; no packer; analysed with IDA.
Cross-referencing the strings leads to sub_401260, which reads the input. It calls NtSetInformationThread with the second argument set to 17 (0x11, ThreadHideFromDebugger), which is the anti-debugging trick; when debugging, just move EIP past the call to skip it.
After that the byte_9457A8 array is filled with 8 random values, but they are never used: it is immediately overwritten with fixed values, [0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20].
The findcrypt plugin identifies sub_401090 as Blowfish.
Further down there is a loop that takes the input two characters at a time and turns each pair into one hex byte.
Continuing, the final part of sub_401260 is a 16x16 maze.
The start [x,y] is [5,10], with x∈[0,15] and y∈[1,16]; a = left, d = right, s = down, w = up; the end [x,y] is [9,4]. (In the dump below, counting rows and columns from 0, s is in column 5 of row 10 and e in column 9 of row 4.)
Solving the maze with the start marked s and the end marked e, the route is ddddwwwaaawwwddd.
"""
map
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,0,0,0,e,0,0,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,0,0,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,0,0,0,s,0,0,0,0,1,1,0,1,1,1,
1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,
1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
"""
Together with the Blowfish identified by the plugin, the program logic must be: the input is the ciphertext, the program decrypts it, and the resulting plaintext has to walk the maze. The key is the fixed array byte_9457A8 == [0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20].
With plaintext and key both known, a Blowfish encryption script gives the correct input (the 16-character route is exactly two 8-byte Blowfish blocks, so no padding is involved):
from Crypto.Cipher import Blowfish

key = b"\x00\x0F\x1A\x01\x35\x3A\x3B\x20"   # byte_9457A8
plaintext = b"ddddwwwaaawwwddd"               # must be bytes: pycryptodome rejects str
blowfish = Blowfish.new(key, Blowfish.MODE_ECB)
# .hex() keeps leading zero bytes; hex(bytes_to_long(...)) would silently drop them
print(blowfish.encrypt(plaintext).hex())
#db824ef8605c5235b4bbacfa2ff8e087
Verified: the program accepts it.
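An added example (not part of the original writeup): a BFS solver for the maze dumped above, a walker that replays a route the way the end of sub_401260 checks it, and the Blowfish-plus-hex step that turns the route into the expected input. The map text and the key are the ones above; the walker's exact behaviour on a wall (failing at the first bad step) and the two-hex-chars-per-byte decoding are assumptions about the binary, not read from it. `route_to_input` needs pycryptodome, everything else is standard library.

```python
"""Added example (not from the writeup): solve the DontEatMe maze with BFS,
replay a route as the binary's walker would, and build the hex input."""
from collections import deque

# The maze as dumped from sub_401260 (copied from the writeup above).
MAZE_TEXT = """
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,0,0,0,e,0,0,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,0,0,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,0,0,0,s,0,0,0,0,1,1,0,1,1,1,
1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,
1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
"""

# Move letters accepted by the binary -> (dx, dy)
MOVES = {"a": (-1, 0), "d": (1, 0), "w": (0, -1), "s": (0, 1)}


def parse_maze(text):
    """Return (grid, start, end); grid[y][x] is True for a wall."""
    rows = [r.rstrip(",").split(",") for r in text.strip().splitlines()]
    grid, start, end = [], None, None
    for y, row in enumerate(rows):
        grid.append([c == "1" for c in row])
        for x, c in enumerate(row):
            if c == "s":
                start = (x, y)
            elif c == "e":
                end = (x, y)
    return grid, start, end


def in_bounds(grid, x, y):
    return 0 <= y < len(grid) and 0 <= x < len(grid[y])


def walk(grid, start, end, route):
    """Replay a route (assumed walker behaviour): any unknown letter, wall or
    out-of-bounds step fails; success only if the last cell is the end."""
    x, y = start
    for ch in route:
        if ch not in MOVES:
            return False
        dx, dy = MOVES[ch]
        x, y = x + dx, y + dy
        if not in_bounds(grid, x, y) or grid[y][x]:
            return False
    return (x, y) == end


def solve(grid, start, end):
    """Breadth-first search; returns the shortest route as a move string."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == end:
            break
        for ch, (dx, dy) in MOVES.items():
            nx, ny = cur[0] + dx, cur[1] + dy
            if (nx, ny) in prev or not in_bounds(grid, nx, ny) or grid[ny][nx]:
                continue
            prev[(nx, ny)] = (cur, ch)
            queue.append((nx, ny))
    if end not in prev:
        return None
    route, node = [], end
    while prev[node] is not None:
        node, ch = prev[node]
        route.append(ch)
    return "".join(reversed(route))


def hex_pairs_to_bytes(text):
    """Mirror of the binary's input loop: two hex characters -> one byte."""
    return bytes(int(text[i:i + 2], 16) for i in range(0, len(text) - 1, 2))


def route_to_input(route, key=b"\x00\x0F\x1A\x01\x35\x3A\x3B\x20"):
    """Blowfish-ECB-encrypt the route under byte_9457A8 and hex-encode it,
    which is what the binary decrypts back into the route. Needs pycryptodome."""
    from Crypto.Cipher import Blowfish  # optional dependency, imported lazily
    if len(route) % 8:
        raise ValueError("route must be a whole number of 8-byte blocks")
    return Blowfish.new(key, Blowfish.MODE_ECB).encrypt(route.encode()).hex()


if __name__ == "__main__":
    grid, start, end = parse_maze(MAZE_TEXT)
    route = solve(grid, start, end)
    print(route, walk(grid, start, end, route))
```

The shortest path through this maze is unique, so BFS reproduces the hand-found route exactly; the `walk` check is worth keeping around because it catches off-by-one mistakes in the coordinate convention before anything gets encrypted.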
[b01lers2020]little_engine
ELF, no packer, analysed with IDA.
In main, sub_55B25B5476B0 prints "Are you ready?" and reads a single character whose ASCII code must be below 127.
sub_55B25B547830 prints "Give me your best tidbit:" and reads the flag.
sub_55B25B547510 XORs the input with a key that follows a simple rule.
sub_55B25B5475A0 compares the transformed input against a known table to verify it.
Inside sub_55B25B547510 the transform is input[i] ^= v8, where v8 starts at 0x91 and the index is added to it after each byte; once it exceeds 255 it is reduced modulo 255, so it stays in 0..254.
Inside sub_55B25B5475A0 the transformed input is compared with unk_55B25B548220; note that unk_55B25B548220 is read with a stride of 4, so only every fourth byte (offsets 0, 4, 8, ...) takes part in the comparison.
A script then yields the flag:
unk_55B25B548220 = [
    0xE1, 0xE6, 0xD0, 0x4A, 0xF2, 0xC3, 0x7E, 0xAA, 0xE6, 0xFC,
    0x42, 0xB2, 0xF2, 0xB5, 0x01, 0xB4, 0xEC, 0x7D, 0x39, 0x20,
    0xEF, 0xC0, 0x4E, 0x13, 0xC8, 0x2F, 0x67, 0xAA, 0x95, 0x79,
    0x6B, 0xF5, 0xF2, 0x06, 0x41, 0x79, 0xD8, 0x35, 0xF9, 0xC8,
    0x8E, 0xDE, 0x88, 0x51, 0xAC, 0x4C, 0xF0, 0x81, 0xE0, 0xF4,
    0xEE, 0x14, 0xAD, 0xF1, 0x25, 0xBD, 0x82, 0x7C, 0x62, 0x30,
    0xA5, 0xF8, 0x80, 0x2B, 0x79, 0x85, 0x2A, 0xF8, 0x6E, 0x5A,
    0xAE, 0xCB, 0x18, 0x3A, 0xA2, 0xD0, 0x09, 0xC5, 0x8C, 0x5D,
    0x3D, 0x34, 0x6B, 0xF9, 0x3B, 0x72, 0x4B, 0x0E, 0x4A, 0xC3,
    0x71, 0x53, 0xE1, 0xE9, 0x07, 0xBB, 0xC1, 0x1A, 0xE7, 0x07,
    0x8F, 0x1B, 0x75, 0x74, 0xB9, 0x8E, 0x5D, 0x2E, 0xC2, 0xF6,
    0x17, 0x3B, 0x52, 0xED, 0xD7, 0xBD, 0x5E, 0xE9, 0x76, 0x63,
    0x72, 0xE2, 0xEA, 0x89, 0x51, 0xD7, 0x4F, 0x34, 0xDC, 0x39,
    0xD5, 0x58, 0x92, 0xD9, 0xD2, 0xD2, 0xAA, 0x69, 0xF1, 0xBF,
    0x90, 0x76, 0xE1, 0x9C, 0x39, 0x0D, 0x0C, 0xB3, 0x40, 0x06,
    0x48, 0xDA, 0x27, 0xD5, 0x1E, 0xB8, 0x4A, 0x94, 0x4C, 0x98,
    0xC4, 0x8A, 0x68, 0xA8, 0x97, 0x5E, 0x64, 0xF9, 0xC0, 0x58,
    0xF7, 0x02, 0x72, 0x8D, 0x3B, 0x88, 0x18, 0x14, 0xEC, 0x8F,
    0x42, 0x70, 0x0C, 0x0B, 0x96, 0x66, 0x22, 0x8E, 0xF7, 0x58,
    0x01, 0x2E, 0xC5, 0xDC, 0x4B, 0xC0, 0x71, 0xF4, 0xDA, 0xE6,
    0x3D, 0x73, 0x88, 0x7D, 0xE4, 0x91, 0x1F, 0x75, 0x90, 0x70,
    0xD6, 0x0C, 0xA7, 0x09, 0x7C, 0xF2, 0x5A, 0x4E, 0xA1, 0x09,
    0x0C, 0x51, 0x3C, 0xBA, 0xA8, 0x64, 0x38, 0x2D, 0x8C, 0x00,
    0x88, 0xE3, 0x6F, 0xEA, 0x77, 0x90, 0x74, 0x39, 0xAA, 0x56,
    0xF1, 0xA8, 0x6E, 0x80, 0xCA, 0x3D, 0x9E, 0x69, 0xA4, 0x69,
    0x48, 0xF2, 0x0A, 0x2C, 0xF7, 0x33, 0x17, 0x0F, 0x5C, 0xF2,
    0x8A, 0xE5, 0x2F, 0x55, 0xA5, 0x9F, 0x8B, 0x65, 0x54, 0x76,
    0xE0, 0x64, 0xEE, 0x9D, 0x9B, 0x2D, 0x9B, 0x5F, 0x72, 0x7F,
    0x3B, 0xD9, 0xDF, 0x05, 0x69, 0xF0, 0x9F, 0xF0, 0xA3, 0x8C,
    0xE6, 0xCD, 0xEF, 0xB4, 0xBC, 0x44, 0x54, 0x3E, 0xE3, 0x44]
init = 0x91
flag = []
for i in range(0, len(unk_55B25B548220), 4):   # step 4: only every fourth byte is compared
    flag.append(unk_55B25B548220[i] ^ init)
    init = (init + i // 4) % 0xff              # i // 4 is the character index
print(''.join(chr(i) for i in flag))
# pctf{th3_m0d3rn_st34m_3ng1n3_w45_1nv3nt3d_1n_1698_buT_th3_b3st_0n3_in_1940}
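An added example (not the writeup's own script): the running-counter XOR of sub_55B25B547510 written as a reusable keystream plus transform, applied in both directions, and the stride-4 comparison modelled as reading the low byte of each 4-byte entry. The sample table is the first 32 bytes of the unk_55B25B548220 dump above; treating those as little-endian dwords is an assumption that matches the stride-4 access but was not confirmed from the binary. The `modulus` parameter is there because the writeup reads the reduction as mod 255, and a mod-256 reading would only start to differ at byte 16, which is easy to miss when checking just the flag prefix.

```python
"""Added example (not from the writeup): little_engine's XOR transform as a
keystream, round-tripped, and matched against the dword-wide table."""
import struct

SEED = 0x91   # initial value of v8 in sub_55B25B547510


def keystream(n, modulus=0xFF):
    """Byte i is XORed with v8; after each byte v8 += i, reduced mod `modulus`.
    The writeup reads the decompiled code as mod 255; mod 256 would give the
    same first 16 key bytes and diverge from byte 16 onward."""
    out, v8 = [], SEED
    for i in range(n):
        out.append(v8)
        v8 = (v8 + i) % modulus
    return out


def transform(data, modulus=0xFF):
    """XOR is an involution: this both encodes a flag the way the binary does
    and decodes the expected bytes back into the flag."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data), modulus)))


def dwords_to_expected(table):
    """The table is compared with a stride of 4. Assumption: it is an array of
    little-endian dwords whose low byte carries the expected value."""
    dwords = struct.unpack("<%dI" % (len(table) // 4), table)
    return bytes(d & 0xFF for d in dwords)


def recover(table, modulus=0xFF):
    """Expected bytes -> flag bytes."""
    return transform(dwords_to_expected(table), modulus)


# Constructed sample: the first 32 bytes of unk_55B25B548220 from the dump
# above, i.e. the first eight 4-byte entries as they sit in memory.
SAMPLE_TABLE = bytes([
    0xE1, 0xE6, 0xD0, 0x4A, 0xF2, 0xC3, 0x7E, 0xAA,
    0xE6, 0xFC, 0x42, 0xB2, 0xF2, 0xB5, 0x01, 0xB4,
    0xEC, 0x7D, 0x39, 0x20, 0xEF, 0xC0, 0x4E, 0x13,
    0xC8, 0x2F, 0x67, 0xAA, 0x95, 0x79, 0x6B, 0xF5,
])

if __name__ == "__main__":
    print(recover(SAMPLE_TABLE))                       # b'pctf{th3'
    print(keystream(17, 0xFF)[16], keystream(17, 0x100)[16])
```

Because the key is independent of the plaintext, `transform(transform(x)) == x` holds for any input, which is the quickest sanity check that the transform was read correctly before spending time on the comparison routine.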
[NPUCTF2020]你好sao啊
ELF, no packer, analysed with IDA.
main reads the input, whose length is limited to 32; RxEncode transforms it, the result goes into s1, and s1 is compared with the known s2 to verify the input.
Inside RxEncode the data goes 4x6 ==> 3x8, i.e. four 6-bit symbols become three bytes: a base64 decode with a custom alphabet.
Either encode with a tool that supports a custom base64 alphabet, or script it, to get the flag:
res = [0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F,
       0xB2, 0xD1, 0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE,
       0x59, 0x65, 0x63, 0xE7, 0x40, 0x9D, 0xCD, 0xFA]   # s2
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="
flag = ""
for i in range(0, len(res), 3):
    # three bytes -> 24 bits -> four 6-bit indexes into the custom table
    tmp = format(res[i], '08b') + format(res[i + 1], '08b') + format(res[i + 2], '08b')
    flag += table[int(tmp[0:6], 2)]
    flag += table[int(tmp[6:12], 2)]
    flag += table[int(tmp[12:18], 2)]
    flag += table[int(tmp[18:24], 2)]
print(flag)
# npuctf{w0w+y0U+cAn+r3lllY+dAnc3}
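An added example (not the writeup's script): the custom-alphabet base64 in both directions, with a bit-level decoder that mirrors RxEncode's 4x6 ==> 3x8 unpacking (including `=` padding, which the 24-byte s2 never needs but a general decoder must handle) and an encoder built from the standard `base64` module plus an alphabet translation, which is what the "use a tool" route amounts to. The table is the one from the binary, with '5' and '6' replaced by '{' and '}'; the padding rule is standard base64, assumed rather than verified against RxEncode.

```python
"""Added example (not from the writeup): custom-table base64 for RxEncode."""
import base64

STD_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Alphabet recovered from the binary: '5' and '6' swapped for '{' and '}'.
RX_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/"
PAD = "="


def rx_decode(text, table=RX_TABLE):
    """What RxEncode does to the input: every 4 symbols (24 bits) become 3
    bytes. Each '=' contributes zero bits and drops one output byte."""
    if len(text) % 4:
        raise ValueError("input must be a multiple of 4 symbols")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        pad = chunk.count(PAD)
        bits = 0
        for ch in chunk:
            bits = (bits << 6) | (0 if ch == PAD else table.index(ch))
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def rx_encode(data, table=RX_TABLE):
    """Inverse of rx_decode: standard base64, then remap the alphabet."""
    std = base64.b64encode(data).decode()
    return std.translate(str.maketrans(STD_TABLE, table))


# Expected bytes s2, copied from the writeup above.
S2 = bytes([0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F,
            0xB2, 0xD1, 0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE,
            0x59, 0x65, 0x63, 0xE7, 0x40, 0x9D, 0xCD, 0xFA])

if __name__ == "__main__":
    print(rx_encode(S2))   # npuctf{w0w+y0U+cAn+r3lllY+dAnc3}
```

Swapping only two alphabet symbols is a common trick: most of the output still looks like ordinary base64, so a quick decode with the standard table produces mostly-right bytes and it is the comparison with s2 that reveals the substitution.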
[MRCTF2020]Shit
An .exe that takes input when run; no packer; analysed with IDA.
Cross-referencing the strings leads to sub_401640, which reads the input and checks its length, then enters loc_4012F0 to check the contents.
loc_4012F0 is not recognised as a function by IDA: it contains junk code (花指令).
The prototype of this kind of junk code is:
_asm
{
    call sub2
    _emit 0xEB
    jmp label2
sub2:
    add dword ptr [esp], 1
    retn
label2:
}
NOP out the call instruction, the routine it calls, and the stray EB byte. (The call pushes the address of the EB byte as its return address; sub2 adds 1 to that saved address, so retn lands on jmp label2. A linear disassembler instead reads the EB together with the first byte of the jmp as a short jmp and goes astray from there.)
There is another piece of junk code of the same kind; NOP it out the same way, then create the function and decompile with F5.
The concrete operations are written in the comments.
Get the value of xmmword_405034 by debugging, then a script gives the flag:
from Crypto.Util.number import long_to_bytes

# the six dwords the transformed input is compared against
res = [2351698746, 4148999158, 4276070130, 2871606843, 651135530, 2292314745]
# undo the chaining: each stored dword was XORed with the stored dword before it
for i in range(len(res) - 1, 0, -1):
    res[i] ^= res[i - 1]
xmmword_405034 = [3, 16, 13, 4, 19, 11]   # per-dword shift counts, read out in the debugger
for i in range(len(res)):
    res[i] ^= 1 << xmmword_405034[i]
    # swap the 16-bit halves, inverting the low half as it moves up
    res[i] = (((~(res[i] & 0xffff)) << 16) & 0xffff0000) | (((res[i] & 0xffff0000) >> 16) & 0x0000ffff)
    # 32-bit rotate left by the shift count
    res[i] = ((res[i] << xmmword_405034[i]) | (res[i] >> (32 - xmmword_405034[i]))) & 0xffffffff
# long_to_bytes yields big-endian bytes; Python 3 needs b''.join, not ''.join
print(b''.join(long_to_bytes(i) for i in res).decode())
# flag{a_3a2y_re_for_test}
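An added example (not from the writeup): a scanner that finds the call / _emit 0xEB / jmp junk pattern shown above in a raw code buffer and applies the same patch the writeup does by hand in IDA. It matches all four parts of the pattern (the call, the stray EB, the short jmp, and the `add dword ptr [esp],1 ; retn` body at the call target) so that ordinary calls are never touched. The byte layout of the sample is constructed here from the prototype; the actual bytes in the challenge binary were not taken from the page.

```python
"""Added example (not from the writeup): strip the call/EB/jmp junk pattern."""

NOP = 0x90
# Body of the helper the call lands in: add dword ptr [esp], 1 ; retn
SUB2_BODY = bytes([0x83, 0x04, 0x24, 0x01, 0xC3])


def find_junk(code):
    """Yield (call_offset, sub2_offset) for every instance of:
        E8 rel32        call sub2      ; pushes the address of the EB byte
        EB              stray byte     ; derails a linear disassembler
        EB rel8         jmp label2     ; what really runs after retn
        sub2: 83 04 24 01 C3           ; saved return address += 1, retn
    All four parts must line up, so a normal call is left alone."""
    i = 0
    while i + 8 <= len(code):
        if code[i] == 0xE8:
            rel32 = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
            target = i + 5 + rel32
            rel8 = int.from_bytes(code[i + 7:i + 8], "little", signed=True)
            jmp_target = i + 8 + rel8
            if (code[i + 5] == 0xEB and code[i + 6] == 0xEB
                    and target >= 0 and code[target:target + 5] == SUB2_BODY
                    and jmp_target == target + 5):
                yield i, target
                i = target + 5
                continue
        i += 1


def strip_junk(code):
    """Return (patched, count). The call, the stray EB and sub2's body become
    NOPs; the short jmp stays, it now just hops over five NOPs to label2."""
    buf = bytearray(code)
    count = 0
    for call_off, sub2_off in find_junk(code):
        buf[call_off:call_off + 6] = bytes([NOP]) * 6   # E8 xx xx xx xx + EB
        buf[sub2_off:sub2_off + 5] = bytes([NOP]) * 5   # add [esp],1 ; retn
        count += 1
    return bytes(buf), count


# Constructed sample: one junk block followed by real code (mov eax,1 ; ret).
JUNK = bytes([0xE8, 0x03, 0x00, 0x00, 0x00,   # call sub2 (sub2 = here + 5 + 3)
              0xEB,                           # _emit 0xEB
              0xEB, 0x05]) + SUB2_BODY        # jmp label2, skipping sub2
REAL = bytes([0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3])
SAMPLE = JUNK + REAL

if __name__ == "__main__":
    patched, n = strip_junk(SAMPLE)
    print(n, patched.hex())
```

Run against a section dumped from the binary, the patched bytes can be written back with IDA's patch-bytes action (or any hex editor on the file) and the function created cleanly afterwards; the jmp that is left in place keeps the instruction stream valid for the disassembler without changing what executes.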