REVERSE-PRACTICE-BUUCTF-30

• • [RCTF2019]DontEatMe
  • [b01lers2020]little_engine
  • [NPUCTF2020]你好sao啊
  • [MRCTF2020]Shit

[RCTF2019]DontEatMe

exe程序，運行后輸入，無殼，用ida分析
交叉引用字符串來到sub_401260函數，讀取輸入，NtSetInformationThread的第二個參數為17(0x11)，實現了反調試效果，調試的過程中修改EIP即可繞過反調試
隨后byte_9457A8數組被賦予8個隨機值，不過沒什么用，下面又被賦了新值，而且新值固定不變，為[0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20]
findcrypt插件查到sub_401090函數是blowfish算法

往下走，有一個將輸入的字符兩兩一組，組成一個十六進制數的循環體

繼續往下走，sub_401260函數的結束部分是一個16x16的迷宮
起點[x,y]在[5,10]，x∈[0,15]，y∈[1,16]，a-左，d-右，s-下，w-上，終點[x,y]在[9,4]

走迷宮，起點設為s，終點設為e，路線為ddddwwwaaawwwddd

""" map 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1, 1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1, 1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1, 1,0,1,1,1,1,0,0,0,e,0,0,0,1,1,1, 1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1, 1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1, 1,0,1,1,1,1,0,0,0,0,1,1,0,1,1,1, 1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1, 1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1, 1,0,0,0,0,s,0,0,0,0,1,1,0,1,1,1, 1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1, 1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1ddddwwwaaawwwddd """

聯系上面插件查到的blowfish算法，該程序的邏輯應為，輸入密文，經過程序解密出明文，而明文需要通過迷宮，密鑰為那個固定不變的數組byte_9457A8==[0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20]
現已知明文和密鑰，寫blowfish加密腳本即可得到正確的輸入

from Crypto.Cipher import Blowfish from Crypto.Util.number import bytes_to_long key=b"\x00\x0F\x1A\x01\x35\x3A\x3B\x20" plaintext="ddddwwwaaawwwddd" blowfish=Blowfish.new(key,Blowfish.MODE_ECB) print(hex(bytes_to_long(blowfish.encrypt(plaintext))).replace('0x','').replace('L','')) #db824ef8605c5235b4bbacfa2ff8e087

驗證成功

[b01lers2020]little_engine

elf文件，無殼，ida分析
main函數，sub_55B25B5476B0函數，程序打印“Are you ready?”后，輸入一個ASCII碼小于127的字符
sub_55B25B547830函數，程序打印“Give me your best tidbit:”后，輸入flag
sub_55B25B547510函數對輸入進行異或運算，規律可循
sub_55B25B5475A0函數將變換后的輸入與已知比較，驗證輸入

進入sub_55B25B547510函數，對輸入的變換為input[i]^=v8，而v8初始為0x91，每次加下標，超過255后對255取余，保持在0~254范圍內

進入sub_55B25B5475A0函數，變換后的input和已知的unk_55B25B548220比較，需要注意的是unk_55B25B548220的步長為4

寫腳本即可得到flag

unk_55B25B548220=[0xE1, 0xE6, 0xD0, 0x4A, 0xF2, 0xC3, 0x7E, 0xAA, 0xE6, 0xFC,0x42, 0xB2, 0xF2, 0xB5, 0x01, 0xB4, 0xEC, 0x7D, 0x39, 0x20,0xEF, 0xC0, 0x4E, 0x13, 0xC8, 0x2F, 0x67, 0xAA, 0x95, 0x79,0x6B, 0xF5, 0xF2, 0x06, 0x41, 0x79, 0xD8, 0x35, 0xF9, 0xC8,0x8E, 0xDE, 0x88, 0x51, 0xAC, 0x4C, 0xF0, 0x81, 0xE0, 0xF4,0xEE, 0x14, 0xAD, 0xF1, 0x25, 0xBD, 0x82, 0x7C, 0x62, 0x30,0xA5, 0xF8, 0x80, 0x2B, 0x79, 0x85, 0x2A, 0xF8, 0x6E, 0x5A,0xAE, 0xCB, 0x18, 0x3A, 0xA2, 0xD0, 0x09, 0xC5, 0x8C, 0x5D,0x3D, 0x34, 0x6B, 0xF9, 0x3B, 0x72, 0x4B, 0x0E, 0x4A, 0xC3,0x71, 0x53, 0xE1, 0xE9, 0x07, 0xBB, 0xC1, 0x1A, 0xE7, 0x07,0x8F, 0x1B, 0x75, 0x74, 0xB9, 0x8E, 0x5D, 0x2E, 0xC2, 0xF6,0x17, 0x3B, 0x52, 0xED, 0xD7, 0xBD, 0x5E, 0xE9, 0x76, 0x63,0x72, 0xE2, 0xEA, 0x89, 0x51, 0xD7, 0x4F, 0x34, 0xDC, 0x39,0xD5, 0x58, 0x92, 0xD9, 0xD2, 0xD2, 0xAA, 0x69, 0xF1, 0xBF,0x90, 0x76, 0xE1, 0x9C, 0x39, 0x0D, 0x0C, 0xB3, 0x40, 0x06,0x48, 0xDA, 0x27, 0xD5, 0x1E, 0xB8, 0x4A, 0x94, 0x4C, 0x98,0xC4, 0x8A, 0x68, 0xA8, 0x97, 0x5E, 0x64, 0xF9, 0xC0, 0x58,0xF7, 0x02, 0x72, 0x8D, 0x3B, 0x88, 0x18, 0x14, 0xEC, 0x8F,0x42, 0x70, 0x0C, 0x0B, 0x96, 0x66, 0x22, 0x8E, 0xF7, 0x58,0x01, 0x2E, 0xC5, 0xDC, 0x4B, 0xC0, 0x71, 0xF4, 0xDA, 0xE6,0x3D, 0x73, 0x88, 0x7D, 0xE4, 0x91, 0x1F, 0x75, 0x90, 0x70,0xD6, 0x0C, 0xA7, 0x09, 0x7C, 0xF2, 0x5A, 0x4E, 0xA1, 0x09,0x0C, 0x51, 0x3C, 0xBA, 0xA8, 0x64, 0x38, 0x2D, 0x8C, 0x00,0x88, 0xE3, 0x6F, 0xEA, 0x77, 0x90, 0x74, 0x39, 0xAA, 0x56,0xF1, 0xA8, 0x6E, 0x80, 0xCA, 0x3D, 0x9E, 0x69, 0xA4, 0x69,0x48, 0xF2, 0x0A, 0x2C, 0xF7, 0x33, 0x17, 0x0F, 0x5C, 0xF2,0x8A, 0xE5, 0x2F, 0x55, 0xA5, 0x9F, 0x8B, 0x65, 0x54, 0x76,0xE0, 0x64, 0xEE, 0x9D, 0x9B, 0x2D, 0x9B, 0x5F, 0x72, 0x7F,0x3B, 0xD9, 0xDF, 0x05, 0x69, 0xF0, 0x9F, 0xF0, 0xA3, 0x8C,0xE6, 0xCD, 0xEF, 0xB4, 0xBC, 0x44, 0x54, 0x3E, 0xE3, 0x44] init=0x91 flag=[] for i in range(0,len(unk_55B25B548220),4): # step : 4flag.append(unk_55B25B548220[i]^init)init=(init+i//4)%0xff print(''.join(chr(i) for i in flag)) # pctf{th3_m0d3rn_st34m_3ng1n3_w45_1nv3nt3d_1n_1698_buT_th3_b3st_0n3_in_1940}

[NPUCTF2020]你好sao啊

elf文件，無殼，ida分析
main函數，獲取輸入，輸入的長度限為32，RxEncode函數對輸入進行變換，變換的結果賦給s1，s1與已知的s2比較，驗證輸入

進入RxEncode函數，4x6==>3x8，變表base64解碼過程

用工具進行變表base64編碼或者寫腳本即可得到flag

res=[0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F,0xB2, 0xD1, 0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE,0x59, 0x65, 0x63, 0xE7, 0x40, 0x9D, 0xCD, 0xFA] table="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/=" flag="" for i in range(0,len(res),3):tmp=bin(res[i]).replace('0b','').zfill(8)tmp+=bin(res[i+1]).replace('0b','').zfill(8)tmp+=bin(res[i+2]).replace('0b','').zfill(8)flag+=table[int('0b'+tmp[0:6],2)]flag += table[int('0b' + tmp[6:12], 2)]flag += table[int('0b' + tmp[12:18], 2)]flag += table[int('0b' + tmp[18:24], 2)] print(flag) # npuctf{w0w+y0U+cAn+r3lllY+dAnc3}

[MRCTF2020]Shit

exe程序，運行后輸入，無殼，ida分析
交叉引用字符串來到sub_401640函數，獲取輸入，檢驗輸入長度，進入loc_4012F0檢驗輸入

來到loc_4012F0處，沒有被ida識別為函數，加了花指令

該種類型的花指令原型為

_asm {call sub2_emit 0xEBjmp label2sub2:add dword ptr[esp],1retn label2: }

將call指令和相應的函數以及多出來的EB都nop掉，變成

另外還有一處類似的花指令，同樣的nop去花，完成后創建函數，F5反編譯
具體的運算寫在了注釋里面

調試得到xmmword_405034的值，寫腳本即可得到flag

from Crypto.Util.number import long_to_bytes res=[2351698746, 4148999158, 4276070130, 2871606843, 651135530, 2292314745] for i in range(len(res)-1,0,-1):res[i]^=res[i-1] xmmword_405034=[3,16,13,4,19,11] for i in range(len(res)):res[i]^=(1<<xmmword_405034[i])res[i]=(((~(res[i]&0xffff))<<16)&0xffff0000)|(((res[i]&0xffff0000)>>16)&0x0000ffff)res[i]=((res[i]<<xmmword_405034[i])|(res[i]>>(32-xmmword_405034[i])))&0xffffffff print(''.join(long_to_bytes(i) for i in res)) # flag{a_3a2y_re_for_test} 創作挑戰賽新人創作獎勵來咯，堅持創作打卡瓜分現金大獎

總結

以上是生活随笔為你收集整理的REVERSE-PRACTICE-BUUCTF-30的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。