REVERSE-PRACTICE-BUUCTF-28
- [FlareOn6]Memecat Battlestation
- [b01lers2020]chugga_chugga
- [INSHack2018]Tricky-Part1
- [watevrCTF 2019]esreveR
[FlareOn6]Memecat Battlestation
.Net程序,运行后输入weapon code,用dnSpy打开
在Stage1Form直接找到第一个weapon code,“RAINBOW”
Stage2Form同样的地方,第二个weapon code要进入isValidWeaponCode进行验证
isValidWeaponCode方法,第二个weapon code的每个字节异或字符'A',然后和已知的字节表比较
写异或脚本即可得到第二个weapon code
#RAINBOW
data = [0x03, ord(' '), ord('&'), ord('$'), ord('-'), 0x1e, 0x02, ord(' '), ord('/'), ord('/'), ord('.'), ord('/')]
# isValidWeaponCode XORs every byte of the entered code with 'A' and compares the result
# against this table, so XORing the table with 'A' once more recovers the code.
KEY = ord('A')
s = ''.join(chr(byte ^ KEY) for byte in data)
print(s)
#Bagel_Cannon
输入两个weapon code即可得到flag
[b01lers2020]chugga_chugga
elf文件,无壳,ida分析
main_main函数,读取输入,对输入的内容进行验证
fmt_Fscan(a1,(__int64)&go_itab__os_File_io_Writer,(__int64)&v43,(__int64)input,v15,v16,(__int64)&go_itab__os_File_io_Reader,os_Stdin);v19 = input[1];input_ = (_BYTE *)*input;if ( v19 <= 2 )break;if ( input_[2] != 116 ) // input[2]==116goto LABEL_39;if ( v19 <= 9 )break;a2 = (unsigned __int8)input_[9];if ( (_BYTE)a2 != 99 ) // input[9]==99goto LABEL_39;if ( v19 <= 0x10 )break;a1 = (unsigned __int8)input_[16];if ( (_BYTE)a1 != 110 ) // input[16]==110goto LABEL_39;if ( v19 <= 0x15 )break;v17 = (unsigned __int8)input_[21];if ( (_BYTE)v17 != 122 ) // input[21]==122goto LABEL_39;if ( v19 <= 0x16 )break;if ( input_[22] != 125 ) // input[22]==125goto LABEL_39;v18 = (unsigned __int8)input_[5];if ( 115 != (_BYTE)v18 ) // input[5]==115goto LABEL_39;if ( (input_[3] ^ 116) != 18 ) // input[3]^116==18goto LABEL_39;v22 = (unsigned __int8)input_[1];if ( (_BYTE)v22 != 99 ) // input[1]==99goto LABEL_39;a2 = (unsigned __int8)input_[7];if ( (_BYTE)a2 != 100 ) // input[7]==100goto LABEL_39;v23 = input_[13];if ( input_[12] != v23 ) // input[12]==input[13]goto LABEL_39;if ( 122 != input_[19] ) // input[19]==122goto LABEL_39;v17 = (unsigned __int8)input_[14];v24 = (unsigned __int8)input_[6];if ( (_BYTE)v24 + (_BYTE)v17 != 104 ) // input[6]+input[14]==104goto LABEL_39;v25 = input_[4];if ( 123 != v25 ) // input[4]==123goto LABEL_39;v26 = input_[8];if ( input_[15] != v26 ) // input[8]==input[15]==95goto LABEL_39;if ( v26 + 4 != (_BYTE)v22 ) // input[8]+4==v22==99,input[8]==95goto LABEL_39;v27 = (unsigned __int8)input_[17];v28 = (unsigned __int8)input_[11];if ( 125 - (_BYTE)v27 + 40 != (_BYTE)v28 ) // input[11]+input[17]==165goto LABEL_39;v29 = (unsigned __int8)input_[18];v30 = v27 + v28 - v18 - v29;v31 = v29 - v27;if ( (_BYTE)v30 != (_BYTE)v31 ) // 2*input[17]+input[11]==2*input[18]+115goto LABEL_39;v32 = input_[6];v33 = v24 - v27;if ( *input_ != (_BYTE)v31 * ((unsigned __int8)v33 >> 1) + 110// input[0]=(input[18]-input[17])*((52-input[17])>>1)+110|| (v34 = input_[10], v23 + 1 != v34) // 
input[10]-input[13]==1|| (v35 = v25 - a2, a2 = v33, (_BYTE)v33 + 2 * (_BYTE)v33 + 4 * v35 != v34)// input[10]==3*(52-input[17])+4*23|| (v36 = (unsigned int)(unsigned __int8)input_[20] - v22,v37 = v31,v38 = (unsigned int)(2 * v31),(_BYTE)v36 != (_BYTE)v38) // input[20]-99==2*(input[18]-input[17])|| (v18 = (unsigned int)a1 ^ (unsigned int)v18, (_BYTE)v18 != 29)|| (_BYTE)v33 != 4 * v37 // 52-input[17]==4*(input[18]-input[17])|| v32 != (_BYTE)v17 ) // input[6]==input[14]==52
手算或者z3都可以,解出来即为flag
# One byte per position of the 23-character flag. Every constant below comes from the
# comparisons annotated in the decompiled main_main above (input[i]==... remarks).
data = [0] * 23

# Positions that are compared directly against a constant.
fixed = {2: 116, 9: 99, 16: 110, 21: 122, 22: 125, 5: 115, 1: 99, 7: 100, 4: 123, 19: 122}
for pos, value in fixed.items():
    data[pos] = value

data[3] = 116 ^ 18        # input[3]^116==18
data[6] = data[14] = 52   # input[6]==input[14]==52
data[8] = data[15] = 95   # input[8]==input[15]==95

# input[11]+input[17]==165, and substituting input[18]=(52+3*input[17])/4 into
# 2*input[17]+input[11]==2*input[18]+115 gives input[17]+2*input[11]==282;
# the two linear relations are solved by hand.
data[17] = 2 * 165 - 282
data[11] = 282 - 165
data[18] = (52 + 3 * data[17]) // 4        # 52-input[17]==4*(input[18]-input[17])
data[10] = 3 * (52 - data[17]) + 4 * 23    # input[10]==3*(52-input[17])+4*23
data[12] = data[13] = data[10] - 1         # input[10]-input[13]==1, input[12]==input[13]
# input[0]=(input[18]-input[17])*((52-input[17])>>1)+110
data[0] = (data[18] - data[17]) * ((52 - data[17]) >> 1) + 110
data[20] = 2 * (data[18] - data[17]) + 99  # input[20]-99==2*(input[18]-input[17])

print(''.join(chr(i) for i in data))
#pctf{s4d_chugg4_n01zez}
[INSHack2018]Tricky-Part1
elf文件,无壳,ida分析
main函数,获取输入,比较输入和经stack_check处理过的v8,相同说明输入正确
进入stack_check函数,对v8的处理为:v8=base,而base[i]^="GDB"[i%len("GDB")]
对base交叉引用,来到__static_initialization_and_destruction_0,对base赋值,unk_401278已知
写脚本即可得到flag
s = "GDB"
base = [0x0E, 0x0A, 0x11, 0x06, 0x3F, 0x01, 0x1F, 0x1C, 0x1D, 0x76, 0x37, 0x1D, 0x2F, 0x70, 0x30, 0x23, 0x77, 0x30, 0x18, 0x22, 0x72, 0x35, 0x1B, 0x31, 0x33, 0x70, 0x36, 0x76, 0x27, 0x1D, 0x73, 0x2A, 0x76, 0x2B, 0x75, 0x31, 0x3E, 0x37, 0x1D, 0x30, 0x2C, 0x71, 0x29, 0x1B, 0x26, 0x74, 0x26, 0x37, 0x20, 0x23, 0x71, 0x35, 0x1B, 0x24, 0x73, 0x75, 0x2E, 0x34, 0x39]
# stack_check XORs base with the repeating key "GDB"; applying the same XOR undoes it
# and leaves the expected input in base.
key = [ord(c) for c in s]
base = [b ^ key[i % len(key)] for i, b in enumerate(base)]
print(''.join(map(chr, base)))
#INSA{CXX_1s_h4rd3r_f0r_st4t1c_4n4l1sys_wh3n_d3bugg3r_f41ls}
[watevrCTF 2019]esreveR
elf文件,无壳,ida分析
main函数,获取输入,输入传入sub_55F41EAEE2D8函数进行验证
进入sub_55F41EAEE2D8函数,上面是一些异或运算,input作为最后一个参数传入sub_55F41EAEDBA0函数
进入sub_55F41EAEDBA0函数,直接对input的内容进行验证
调试,取出a1到a56的数据,转成字符串即为flag
data = [0x77, 0x61, 0x74, 0x65, 0x76, 0x72, 0x7b, 0x65, 0x73, 0x72, 0x65, 0x76, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x64, 0x5f, 0x79, 0x6f, 0x75, 0x74, 0x75, 0x62, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x77, 0x61, 0x74, 0x63, 0x68, 0x3f, 0x76, 0x3d, 0x49, 0x38, 0x69, 0x6a, 0x62, 0x34, 0x5a, 0x65, 0x65, 0x35, 0x45, 0x7d]
# The a1..a56 bytes read out under the debugger are plain ASCII, so decoding them
# directly yields the flag string.
print(bytes(data).decode('ascii'))
#watevr{esrever_reversed_youtube.com/watch?v=I8ijb4Zee5E}