[watevrCTF 2019]Repyc [NPUCTF2020]BasicASM
Contents
- [watevrCTF 2019]Repyc
- Decompilation
- After renaming
- Overall approach
- Script
- [NPUCTF2020]BasicASM
- The challenge
- Analysis
- `call __CheckForDebuggerJustMyCode (07FF7A8AC1122h)` MSVC Just My Code stub (not anti-debugging)
- `call std::basic_string<char,std::char_traits<char>,std::allocator<char>>::length (07FF7A8AC122Bh)` gets the flag length
- `call std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[] (07FF7A8AC1442h)` indexes the string (rcx = string object, rax = offset)
- `call std::setfill (07FF7A8AC1046h)` std::setfill chooses the character std::setw pads with, e.g. std::setfill('*')
- `call std::setw (07FF7A8AC10D2h)` std::setw sets the field width; the default fill character is ' ' (space)
- `call qword ptr [__imp_std::basic_ostream<char,std::char_traits<char>>::operator<< (07FF7A8AD7160h)]` output through std::cout
- `call std::operator<< <char,std::char_traits<char>,__int64> (07FF7A8AC12F8h)` formatted output
- `call std::operator<< <char,std::char_traits<char>,char> (07FF7A8AC11A4h)` formatted output
- Script
[watevrCTF 2019]Repyc
Decompilation
```python
佤 = 0
侰 = ~佤 * ~佤
俴 = 侰 + 侰


def ?(?):
    ? = 佤
    ? = 佤
    ? = [佤] * 俴 ** (俴 * 俴)
    ? = [佤] * 100
    ? = []
    while ?[?][佤] != '?':
        ? = ?[?][佤].lower()
        亀 = ?[?][侰:]
        if ? == '?':
            ?[亀[佤]] = ?[亀[侰]] + ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] ^ ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] - ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] * ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] / ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] & ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]] | ?[亀[俴]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[佤]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]]
        elif ? == '?':
            ?[亀[佤]] = 亀[侰]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]]
        elif ? == '?':
            ?[亀[佤]] = ?[亀[侰]]
        elif ? == '?':
            ?[亀[佤]] = 佤
        elif ? == '?':
            ?[亀[佤]] = 佤
        elif ? == '?':
            ?[亀[佤]] = input(?[亀[侰]])
        elif ? == '?':
            ?[亀[佤]] = input(?[亀[侰]])
        elif ? == '?':
            print(?[亀[佤]])
        elif ? == '?':
            print(?[亀[佤]])
        elif ? == '?':
            ? = ?[亀[佤]]
        elif ? == '?':
            ? = ?[亀[佤]]
        elif ? == '?':
            ? = ?.pop()
        elif ? == '?':
            if ?[亀[侰]] > ?[亀[俴]]:
                ? = 亀[佤]
                ?.append(?)
                continue
        elif ? == '?':
            ?[7] = 佤
            for i in range(len(?[亀[佤]])):
                if ?[亀[佤]] != ?[亀[侰]]:
                    ?[7] = 侰
                    ? = ?[亀[俴]]
                    ?.append(?)
        elif ? == '?':
            ? = ''
            for i in range(len(?[亀[佤]])):
                ? += chr(ord(?[亀[佤]][i]) ^ ?[亀[侰]])
            ?[亀[佤]] = ?
        elif ? == '?':
            ? = ''
            for i in range(len(?[亀[佤]])):
                ? += chr(ord(?[亀[佤]][i]) - ?[亀[侰]])
            ?[亀[佤]] = ?
        elif ? == '?':
            if ?[亀[侰]] > ?[亀[俴]]:
                ? = ?[亀[佤]]
                ?.append(?)
                continue
        elif ? == '?':
            if ?[亀[侰]] > ?[亀[俴]]:
                ? = ?[亀[佤]]
                ?.append(?)
                continue
        elif ? == '?':
            if ?[亀[侰]] == ?[亀[俴]]:
                ? = 亀[佤]
                ?.append(?)
                continue
        elif ? == '?':
            if ?[亀[侰]] == ?[亀[俴]]:
                ? = ?[亀[佤]]
                ?.append(?)
                continue
        elif ? == '?':
            if ?[亀[侰]] == ?[亀[俴]]:
                ? = ?[亀[佤]]
                ?.append(?)
                continue
        ? += 侰


?([['?', 佤, 'Authentication token: '],
   ['?', 佤, 佤],
   ['?', 6, 'á×?óa?í?à??é????é?óé?àóé?ó??éóú???è??ùúé?ó?àù?éóa?éàóú?óòù??àé?à??é??é?àóéúóáé·?a×ú?ó?é3ú???è??ùúé??×ú?×??é×ú?á×??é?é?ùú?é?ó×üü?éà×aóé×é?ùù?éa??é???é?é?ó×üü?éóúTù?é?à??é?ùú?é?éàùèóé?ù?éá?üüéóúTù?é??é×?áóüü\x97é?ù????ó\x9a?ù?\x99á×??à?a?3£?2??è·±a¨?'],
   ['?', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],
   ['?', 4, 15],
   ['?', 3, 侰],
   ['?', 俴, 俴, 3],
   ['?', 俴, 俴, 4],
   ['?', 佤, 俴],
   ['?', 3],
   ['?', 6, 3],
   ['?', 佤, 'Thanks.'],
   ['?', 侰, 'Authorizing access...'],
   ['?', 佤],
   ['?', 佤, 佤],
   ['?', 佤, 俴],
   ['?', 佤, 4],
   ['?', 5, 19],
   ['?', 佤, 6, 5],
   ['?', 侰],
   ['?'],
   ['?', 侰, 'Access denied!'],
   ['?', 侰],
   ['?']])
```
At first I thought the decompiler had gone wrong; looking closer, it is a Python virtual machine, which is quite fun. Replacing the garbled characters that cannot be displayed:
After renaming
```python
a = 0
b = ~a * ~a          # b = 1
c = b + b            # c = 2


def main(argc):
    d = a                    # d = 0, the program counter
    e = a                    # e = 0, unused
    t = [a] * c ** (c * c)   # t = [0] * 16, the registers
    s = [a] * 100            # s = [0] * 100, the memory
    array1 = []              # the stack
    while argc[d][a] != 'not null':
        opcode = argc[d][a].lower()
        end = argc[d][b:]    # operands of the current instruction
        if opcode == 'add':
            t[end[a]] = t[end[b]] + t[end[c]]
        elif opcode == 'xor':
            t[end[a]] = t[end[b]] ^ t[end[c]]
        elif opcode == 'sub':
            t[end[a]] = t[end[b]] - t[end[c]]
        elif opcode == 'mul':   # multiply (the tape calls it 'mul')
            t[end[a]] = t[end[b]] * t[end[c]]
        elif opcode == 'div':
            t[end[a]] = t[end[b]] / t[end[c]]
        elif opcode == 'and':
            t[end[a]] = t[end[b]] & t[end[c]]
        elif opcode == 'or':
            t[end[a]] = t[end[b]] | t[end[c]]
        elif opcode == 'equal':
            t[end[a]] = t[end[a]]
        elif opcode == 'lea':
            t[end[a]] = t[end[b]]
        elif opcode == 'move1':
            t[end[a]] = end[b]
        elif opcode == 'move2':
            s[end[a]] = t[end[b]]
        elif opcode == 'move3':
            t[end[a]] = s[end[b]]
        elif opcode == 'clear1':
            t[end[a]] = a
        elif opcode == 'clear2':
            s[end[a]] = a
        elif opcode == 'input1':
            t[end[a]] = input(t[end[b]])
        elif opcode == 'input2':
            s[end[a]] = input(t[end[b]])
        elif opcode == 'print1':
            print(t[end[a]])
        elif opcode == 'print2':
            print(s[end[a]])
        elif opcode == 'move4':
            d = t[end[a]]
        elif opcode == 'move5':
            d = s[end[a]]
        elif opcode == 'pop':
            d = array1.pop()
        elif opcode == 'array+push1':
            if t[end[b]] > t[end[c]]:
                d = end[a]
                array1.append(d)
                continue
        elif opcode == 'array+push2':
            t[7] = a
            for i in range(len(t[end[a]])):
                if t[end[a]] != t[end[b]]:
                    t[7] = b
                    d = t[end[c]]
                    array1.append(d)
        elif opcode == 'arrayxor':
            string = ''
            for i in range(len(t[end[a]])):
                string += chr(ord(t[end[a]][i]) ^ t[end[b]])
            t[end[a]] = string
        elif opcode == 'arraysub':
            string = ''
            for i in range(len(t[end[a]])):
                string += chr(ord(t[end[a]][i]) - t[end[b]])
            t[end[a]] = string
        elif opcode == 'cmp+push1':
            if t[end[b]] > t[end[c]]:
                d = t[end[a]]
                array1.append(d)
                continue
        elif opcode == 'cmp+push2':
            if t[end[b]] > t[end[c]]:
                d = s[end[a]]
                array1.append(d)
                continue
        elif opcode == 'cmp+push3':
            if t[end[b]] == t[end[c]]:
                d = end[a]
                array1.append(d)
                continue
        elif opcode == 'cmp+push4':
            if t[end[b]] == t[end[c]]:
                d = t[end[a]]
                array1.append(d)
                continue
        elif opcode == 'cmp+push5':
            if t[end[b]] == t[end[c]]:
                d = s[end[a]]
                array1.append(d)
                continue
        d += b


main([
    ['move1', 0, 'Authentication token: '],         # t[end[0]] = end[1]
    ['input2', 0, 0],                               # s[end[0]] = input(t[end[1]])
    ['move1', 6, 'á×?óa?í?à??é????é?óé?àóé?ó??éóú???è??ùúé?ó?àù?éóa?éàóú?óòù??àé?à??é??é?àóéúóáé·?a×ú?ó?é3ú???è??ùúé??×ú?×??é×ú?á×??é?é?ùú?é?ó×üü?éà×aóé×é?ùù?éa??é???é?é?ó×üü?éóúTù?é?à??é?ùú?é?éàùèóé?ù?éá?üüéóúTù?é??é×?áóüü\x97é?ù????ó\x9a?ù?\x99á×??à?a?3£?2??è·±a¨?'],   # t[end[0]] = end[1]
    ['move1', 2, 2 ** (3 * 2 + 1) - 2 ** (2 + 1)],  # t[2] = 128 - 8 = 120
    ['move1', 4, 15],                               # t[4] = 15
    ['move1', 3, 1],                                # t[3] = 1
    ['mul', 2, 2, 3],                               # t[2] = t[2] * t[3] = 120 * 1
    ['add', 2, 2, 4],                               # t[2] = t[2] + t[4] = 120 + 15 = 135
    ['equal', 0, 2],                                # t[0] = t[0]
    ['clear1', 3],                                  # t[3] = 0
    ['arrayxor', 6, 3],                             # t[6][i] ^= t[3]; xor with 0, so t[6] is unchanged
    ['move1', 0, 'Thanks.'],                        # t[0] = end[1]
    ['move1', 1, 'Authorizing access...'],          # t[1] = end[1]
    ['print1', 0],                                  # print(t[0])
    ['move3', 0, 0],                                # t[0] = s[0] (s[0] is the user input)
    ['arrayxor', 0, 2],                             # t[0][i] ^= t[2] (input xor 135)
    ['arraysub', 0, 4],                             # t[0][i] -= t[4] (t[4] = 15)
    ['move1', 5, 19],                               # t[5] = 19
    ['array+push2', 0, 6, 5],                       # compare t[0] with t[6]; on mismatch jump to t[5]
    ['print1', 1],                                  # print(t[1])
    ['not null'],
    ['move1', 1, 'Access denied!'],                 # t[end[0]] = end[1]
    ['print1', 1],                                  # print(t[end[0]])
    ['not null'],
])
```
So b is 1 and c is 2.
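As an added example (not part of the original write-up), the block below re-implements only the part of the dispatch loop above that this tape actually exercises as a small table-driven interpreter, and adds a solver that pulls the stored ciphertext out of the tape and inverts the two array operations. Because the ciphertext as reproduced on this page is garbled, the block constructs its own target by running the VM's forward transform (xor with 135, then subtract 15) over the flag reported later on this page, so treat that string as constructed test data. Opcode names are the renamed ones above; the per-character loop in `array+push2` is collapsed into a single whole-string comparison, which has the same effect on what gets printed. Note that, exactly as in the listing, a mismatch sets d to t[5] = 19 and the unconditional `d += 1` then lands on the terminator at index 20, so the 'Access denied!' message at index 21 is never reached.

```python
# Added example, not code from the write-up: table-driven emulation of the
# Repyc tape plus a solver. TARGET is constructed with encode() because the
# page's copy of the ciphertext is garbled; the flag is the one the write-up reports.
FLAG = ("watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_"
        "the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_"
        "vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_"
        "youtube.com/watch?v=E5yFcdPAGv0}")
XOR_KEY = 2 ** 7 - 2 ** 3 + 15   # the tape computes t[2] = 120 * 1 + 15 = 135
SUB_KEY = 15                     # t[4]

def encode(flag: str) -> str:
    """Forward transform the VM applies to the user's input before comparing."""
    return "".join(chr((ord(ch) ^ XOR_KEY) - SUB_KEY) for ch in flag)

def decode(target: str) -> str:
    """Inverse: undo the subtraction first, then the xor (reverse order)."""
    return "".join(chr((ord(ch) + SUB_KEY) ^ XOR_KEY) for ch in target)

def build_tape(target: str) -> list:
    """The program from the write-up with the garbled string replaced by `target`."""
    return [
        ["move1", 0, "Authentication token: "],
        ["input2", 0, 0],
        ["move1", 6, target],
        ["move1", 2, 2 ** (3 * 2 + 1) - 2 ** (2 + 1)],   # 120
        ["move1", 4, 15],
        ["move1", 3, 1],
        ["mul", 2, 2, 3],
        ["add", 2, 2, 4],                                 # t[2] = 135
        ["equal", 0, 2],
        ["clear1", 3],
        ["arrayxor", 6, 3],                               # xor with 0: no-op
        ["move1", 0, "Thanks."],
        ["move1", 1, "Authorizing access..."],
        ["print1", 0],
        ["move3", 0, 0],
        ["arrayxor", 0, 2],
        ["arraysub", 0, 4],
        ["move1", 5, 19],
        ["array+push2", 0, 6, 5],
        ["print1", 1],
        ["not null"],
        ["move1", 1, "Access denied!"],
        ["print1", 1],
        ["not null"],
    ]

def run_vm(tape: list, user_input: str) -> list:
    """Execute the tape; `user_input` stands in for input(). Returns the printed lines."""
    t, s, stack, out, d = [0] * 16, [0] * 100, [], [], 0
    while tape[d][0] != "not null":
        op, *arg = tape[d]
        if op == "move1":
            t[arg[0]] = arg[1]
        elif op == "input2":
            s[arg[0]] = user_input
        elif op == "mul":
            t[arg[0]] = t[arg[1]] * t[arg[2]]
        elif op == "add":
            t[arg[0]] = t[arg[1]] + t[arg[2]]
        elif op == "equal":
            pass                                   # t[x] = t[x]
        elif op == "clear1":
            t[arg[0]] = 0
        elif op == "move3":
            t[arg[0]] = s[arg[1]]
        elif op == "arrayxor":
            t[arg[0]] = "".join(chr(ord(ch) ^ t[arg[1]]) for ch in t[arg[0]])
        elif op == "arraysub":
            t[arg[0]] = "".join(chr(ord(ch) - t[arg[1]]) for ch in t[arg[0]])
        elif op == "print1":
            out.append(t[arg[0]])
        elif op == "array+push2":
            # Whole-string compare; on mismatch flag t[7], jump to t[arg[2]], push it.
            if t[arg[0]] != t[arg[1]]:
                t[7] = 1
                d = t[arg[2]]
                stack.append(d)
        else:
            raise ValueError(f"opcode {op!r} is not used by this tape")
        d += 1
    return out

def solve(tape: list) -> str:
    """Take the ciphertext (the move1 into t[6]) straight from the tape and invert it."""
    target = next(ins[2] for ins in tape if ins[0] == "move1" and ins[1] == 6)
    return decode(target)

if __name__ == "__main__":
    tape = build_tape(encode(FLAG))
    print(solve(tape))
    print(run_vm(tape, solve(tape)))   # ['Thanks.', 'Authorizing access...']
```

Running the block prints the recovered flag and the two lines the VM emits for a correct token; any other input yields only 'Thanks.', because the mismatch path falls through to the terminator.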
Overall approach:
The VM xors every byte of the input with t[2] = 135, subtracts t[4] = 15, and compares the result with the string stored in t[6] (the xor with t[3] = 0 leaves that string unchanged). To recover the flag, apply the inverse steps in reverse order to the stored string: add 15, then xor with 135.
Script:
```python
a = 'á×?óa?í?à??é????é?óé?àóé?ó??éóú???è??ùúé?ó?àù?éóa?éàóú?óòù??àé?à??é??é?àóéúóáé·?a×ú?ó?é3ú???è??ùúé??×ú?×??é×ú?á×??é?é?ùú?é?ó×üü?éà×aóé×é?ùù?éa??é???é?é?ó×üü?éóúTù?é?à??é?ùú?é?éàùèóé?ù?éá?üüéóúTù?é??é×?áóüü\x97é?ù????ó\x9a?ù?\x99á×??à?a?3£?2??è·±a¨?'
flag = ''
for i in range(len(a)):
    flag += chr((ord(a[i]) + 15) ^ 135)
print(flag)
```
watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Standard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}
[NPUCTF2020]BasicASM
The challenge:
The handout is an MSVC disassembly listing; the relevant calls and instructions are analysed below.
Analysis
`call __CheckForDebuggerJustMyCode (07FF7A8AC1122h)`: despite the name this is not an anti-debugging check. It is the stub MSVC inserts at the start of every function in debug builds with Just My Code (/JMC) enabled, so the debugger can step over non-user code; it has no effect on the program's logic and can be ignored.
`call std::basic_string<char,std::char_traits<char>,std::allocator<char>>::length (07FF7A8AC122Bh)`: gets the length of the flag string, which bounds the loop.
`call std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[] (07FF7A8AC1442h)`: indexes the flag string, with rcx holding the string object (`this`) and the loop counter in rax as the offset; the call yields the character at that index.
```
00007FF7A8AC5ADB  and  eax,1
00007FF7A8AC5ADE  cmp  eax,1
```
The `and eax,1` / `cmp eax,1` pair tests whether the index is odd.
```
00007FF7A8AC5AFA  xor  eax,42h
00007FF7A8AC5AFD  mov  dword ptr [p],eax
```
When the index is odd, the input byte is xored with 0x42; when it is even, the byte is left unchanged.
```
00007FF7A8AC5B2D  lea  rdx,[std::hex (07FF7A8AC1488h)]
00007FF7A8AC5BB9  lea  rdx,[std::hex (07FF7A8AC1488h)]
```
The result is printed in hexadecimal.
`call std::setfill<char> (07FF7A8AC1046h)`: std::setfill chooses the character that std::setw pads with, e.g. std::setfill('*').
`call std::setw (07FF7A8AC10D2h)`: std::setw sets how many characters the field is padded to; the default fill character is ' ' (space).
`call qword ptr [__imp_std::basic_ostream<char,std::char_traits<char>>::operator<< (07FF7A8AD7160h)]`: called on std::cout to write the value out.
`call std::operator<< <char,std::char_traits<char>,__int64> (07FF7A8AC12F8h)` and `call std::operator<< <char,std::char_traits<char>,char> (07FF7A8AC11A4h)`: the free operator<< overloads that produce the formatted output.
Script
```python
res = '662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d'
flag = []
for i in range(0, len(res), 2):
    flag.append(int('0x' + res[i:i + 2], 16))
for i in range(1, len(flag), 2):   # odd indexes were xored with 0x42; xor again to undo
    flag[i] ^= 0x42
print(''.join(chr(i) for i in flag))
```
flag{d0_y0u_know_x86-64_a5m?}
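As an added example (not from the original write-up), the following implements the BasicASM transform in both directions in Python: `encode` mirrors what the assembly does (the `and eax,1` parity test, the xor with 0x42 on odd indexes, hexadecimal output), `decode` parses the dump back with `bytes.fromhex` and undoes the xor, and `roundtrip_ok` shows why the fixed-width formatting matters. The two-digit, zero-filled field in `encode` is an assumption: the listing shows the setw/setfill calls but not their arguments, and for this flag every transformed byte is at least 0x10, so the padding never actually fires. The `aB` and `aBaB` inputs are constructed to exercise that edge case.

```python
# Added example, not code from the write-up. RES is the dump quoted in the
# write-up; the width-2 '0' padding in encode() is an assumption (the listing
# does not show the setw/setfill arguments).
RES = "662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d"
KEY = 0x42

def transform(data: bytes) -> bytes:
    """Xor every odd-indexed byte with 0x42 (its own inverse, so used both ways).
    `(i & 1) == 1` is the same test as the listing's `and eax,1` / `cmp eax,1`."""
    return bytes(b ^ KEY if (i & 1) == 1 else b for i, b in enumerate(data))

def encode(flag: str, pad: bool = True) -> str:
    """Reproduce the program's output: transform, then print each byte in hex."""
    return "".join(f"{b:02x}" if pad else f"{b:x}" for b in transform(flag.encode()))

def decode(hexdump: str) -> str:
    """Parse the dump and undo the xor. An odd-length dump means at least one
    byte was printed with a single digit, so the pairwise parse cannot be trusted."""
    if len(hexdump) % 2:
        raise ValueError("odd-length hex dump: output was not padded to two digits")
    return transform(bytes.fromhex(hexdump)).decode()

def roundtrip_ok(flag: str, pad: bool) -> bool:
    """True if the dump produced with/without padding parses back to `flag`."""
    try:
        return decode(encode(flag, pad)) == flag
    except ValueError:
        return False

if __name__ == "__main__":
    print(decode(RES))                    # flag{d0_y0u_know_x86-64_a5m?}
    print(encode("aB"), encode("aB", pad=False))   # 6100 610
```

Without padding, a transformed byte below 0x10 is printed with one digit: one such byte makes the dump odd-length (which `decode` rejects), two make it even-length and silently misaligned, which only the round-trip check exposes.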