REVERSE-PRACTICE-BUUCTF-24
- [watevrCTF 2019]Timeout
- [SUCTF2019]hardcpp
- [CISCN2018]2ex
- [UTCTF2020]babymips
[watevrCTF 2019]Timeout
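ELF file, not packed; analyzed in IDA.
In main, the signal, alarm and delay functions are used together as an anti-debugging measure.
Cross-referencing the variable "can_continue" leads to the generate function, which checks whether "can_continue" equals 1337 and then prints s.
From this we can tell that the program is built to stop the user from modifying EIP before main returns in order to run generate and obtain the flag.
Simply extract the data of s and convert it to a string; that is the flag.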
data=[119,97,116,101,118,114,123,51,110,99,114,121,116,105,111,110,95,105,115,95,111,118,101,114,114,97,116,101,100,95,121,111,117,116,117,98,101,46,99,111,109,47,119,97,116,99,104,63,118,61,79,80,102,48,89,98,88,113,68,109,48,125]
print(''.join(chr(i) for i in data))
#watevr{3ncrytion_is_overrated_youtube.com/watch?v=OPf0YbXqDm0}
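Alternatively, patch the program to increase the argument passed to alarm, or set a breakpoint after main returns and modify EIP to execute generate; either approach yields the flag.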
[SUCTF2019]hardcpp
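ELF file, not packed; analyzed in IDA.
main is obfuscated and the binary cannot be debugged, so the only option is to grind through the static analysis.
The x and y terms are all irrelevant; the main computation and comparison logic is here.
Line 109 contains a check that verifies enc[i-1]=v15=(s[i]+(s[i-1]%7))^(2+3*(18^s[i-1])), with i starting at 1; enc is known data and s is the input.
From this we get s[i]=((enc[i-1])^(2+3*(18^s[i-1])))-(s[i-1]%7), with i starting at 1, so s[0] has to be brute-forced.
A script then gives the flag.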
enc=[0xF3, 0x2E, 0x18, 0x36, 0xE1, 0x4C, 0x22, 0xD1, 0xF9, 0x8C,0x40, 0x76, 0xF4, 0x0E, 0x00, 0x05, 0xA3, 0x90, 0x0E, 0xA5]
for i in range(32,127):
    s=[]
    s.append(i)
    flag=""
    flag+=chr(i)
    for j in range(1,len(enc)+1):
        tmp=(enc[j-1]^(2+3*(18^s[j-1])))-(s[j-1]%7)
        s.append(tmp&0xff)
        flag+=chr(tmp&0xff)
    if "flag" in flag:
        print(flag)
        break
# #flag{mY-CurR1ed_Fns}
[CISCN2018]2ex
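MIPS file, opened in IDA 7.5.
Press Shift+F12; the Strings window shows a string like this, of length 64.
The string in out.txt, "│_r-+_Cl5;vgq_pdme7#7eC0=", ends with an equals sign, so the guess is base64 with a custom table.
Decoding the base64 with a tool gives the flag.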
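The custom-table base64 decoding guessed above, written out as an added example that is not part of the original post. The 64-character table from the binary is not reproduced on this page, so DEMO_TABLE and DEMO_TEXT are constructed stand-ins, and the function names are hypothetical.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _check_table(table):
    # A usable table has exactly 64 distinct symbols and does not reuse '='.
    if len(table) != 64 or len(set(table)) != 64 or "=" in table:
        raise ValueError("table must be 64 unique characters without '='")

def custom_b64decode(text, table):
    """Decode base64 text that was produced with a non-standard 64-char table."""
    _check_table(table)
    body = text.rstrip("=")
    unknown = set(body) - set(table)
    if unknown:
        # Usually means the wrong table was extracted or the text is garbled.
        raise ValueError("characters not in table: %r" % sorted(unknown))
    # Map each custom symbol to the standard symbol with the same 6-bit value.
    std_body = body.translate(str.maketrans(table, STD))
    # Restore padding so the length is a multiple of 4.
    std_body += "=" * (-len(std_body) % 4)
    return base64.b64decode(std_body)

def custom_b64encode(data, table):
    """Inverse operation, used here only to build a sample and round-trip it."""
    _check_table(table)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD, table))

# Constructed table (assumption): the standard alphabet rotated by 13 positions.
DEMO_TABLE = STD[13:] + STD[:13]
# Constructed ciphertext (assumption): not the contents of out.txt.
DEMO_TEXT = custom_b64encode(b"flag{constructed_sample}", DEMO_TABLE)

if __name__ == "__main__":
    print(DEMO_TEXT)
    print(custom_b64decode(DEMO_TEXT, DEMO_TABLE))
```

To use it on the challenge, pass the 64-character string seen in the Strings window as the table and the contents of out.txt as the text.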
[UTCTF2020]babymips
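MIPS file, not packed; opened in IDA 7.5.
main reads the input, copies the known data at unk_4015F4 into v7, and passes v7 and the input to the check function, which validates the input.
The check function verifies that the input length is 78 and tests whether input[i]^(i+23)==v7[i] holds.
A script then gives the flag.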
v7=[0x62, 0x6C, 0x7F, 0x76, 0x7A, 0x7B, 0x66, 0x73, 0x76, 0x50,0x52, 0x7D, 0x40, 0x54, 0x55, 0x79, 0x40, 0x49, 0x47, 0x4D,0x74, 0x19, 0x7B, 0x6A, 0x42, 0x0A, 0x4F, 0x52, 0x7D, 0x69,0x4F, 0x53, 0x0C, 0x64, 0x10, 0x0F, 0x1E, 0x4A, 0x67, 0x03,0x7C, 0x67, 0x02, 0x6A, 0x31, 0x67, 0x61, 0x37, 0x7A, 0x62,0x2C, 0x2C, 0x0F, 0x6E, 0x17, 0x00, 0x16, 0x0F, 0x16, 0x0A,0x6D, 0x62, 0x73, 0x25, 0x39, 0x76, 0x2E, 0x1C, 0x63, 0x78,0x2B, 0x74, 0x32, 0x16, 0x20, 0x22, 0x44, 0x19]
flag=""
for i in range(len(v7)):flag+=chr(v7[i]^(i+23))
print(flag)
# utflag{mips_cpp_gang_5VDm:~`N]ze;\)5%vZ=C'C(r#$q=*efD"ZNY_GX>6&sn.wF8$v*mvA@'}