
REVERSE-PRACTICE-BUUCTF-31

Published: 2023/12/10

    • [羊城杯 2020]login
    • [羊城杯 2020]Bytecode
    • [羊城杯 2020]babyre
    • [ACTF新生賽2020]fungame

[羊城杯 2020]login

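The target is an exe that asks for input when run. It is not packed, so analyze it in IDA.
The main logic does not show up there, but the Strings window contains several "py" strings, so this is most likely a Python program packaged as an exe.
Unpacking the exe with pyinstxtractor.py produces the extracted files.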

The login file is missing its magic number. Fill it in with the magic number of the struct file (the first 12 bytes of that file), save, and change the file extension to .pyc.

Decompiling login.pyc with uncompyle6 gives the Python source.

    #coding:utf-8
    import sys
    input1 = input('input something:')
    if len(input1) != 14:  # the input must be 14 characters long
        print('Wrong length!')
        sys.exit()
    else:
        code = []
        for i in range(13):
            # for i in [0,12]: code[i] = ord(input1[i]) ^ ord(input1[(i + 1)])
            code.append(ord(input1[i]) ^ ord(input1[(i + 1)]))
        code.append(ord(input1[13]))  # code[13] = ord(input1[13])
        a1 = code[2]  # position swap
        a2 = code[1]
        a3 = code[0]
        a4 = code[3]
        a5 = code[4]
        a6 = code[5]
        a7 = code[6]
        a8 = code[7]
        a9 = code[9]
        a10 = code[8]
        a11 = code[10]
        a12 = code[11]
        a13 = code[12]
        a14 = code[13]
        # check against the system of equations
        if ((a1 * 88 + a2 * 67 + a3 * 65 - a4 * 5 + a5 * 43 + a6 * 89 + a7 * 25 + a8 * 13 - a9 * 36 + a10 * 15 + a11 * 11 + a12 * 47 - a13 * 60 + a14 * 29 == 22748)
                & (a1 * 89 + a2 * 7 + a3 * 12 - a4 * 25 + a5 * 41 + a6 * 23 + a7 * 20 - a8 * 66 + a9 * 31 + a10 * 8 + a11 * 2 - a12 * 41 - a13 * 39 + a14 * 17 == 7258)
                & (a1 * 28 + a2 * 35 + a3 * 16 - a4 * 65 + a5 * 53 + a6 * 39 + a7 * 27 + a8 * 15 - a9 * 33 + a10 * 13 + a11 * 101 + a12 * 90 - a13 * 34 + a14 * 23 == 26190)
                & (a1 * 23 + a2 * 34 + a3 * 35 - a4 * 59 + a5 * 49 + a6 * 81 + a7 * 25 + (a8 << 7) - a9 * 32 + a10 * 75 + a11 * 81 + a12 * 47 - a13 * 60 + a14 * 29 == 37136)
                & (a1 * 38 + a2 * 97 + a3 * 35 - a4 * 52 + a5 * 42 + a6 * 79 + a7 * 90 + a8 * 23 - a9 * 36 + a10 * 57 + a11 * 81 + a12 * 42 - a13 * 62 - a14 * 11 == 27915)
                & (a1 * 22 + a2 * 27 + a3 * 35 - a4 * 45 + a5 * 47 + a6 * 49 + a7 * 29 + a8 * 18 - a9 * 26 + a10 * 35 + a11 * 41 + a12 * 40 - a13 * 61 + a14 * 28 == 17298)
                & (a1 * 12 + a2 * 45 + a3 * 35 - a4 * 9 - a5 * 42 + a6 * 86 + a7 * 23 + a8 * 85 - a9 * 47 + a10 * 34 + a11 * 76 + a12 * 43 - a13 * 44 + a14 * 65 == 19875)
                & (a1 * 79 + a2 * 62 + a3 * 35 - a4 * 85 + a5 * 33 + a6 * 79 + a7 * 86 + a8 * 14 - a9 * 30 + a10 * 25 + a11 * 11 + a12 * 57 - a13 * 50 - a14 * 9 == 22784)
                & (a1 * 8 + a2 * 6 + a3 * 64 - a4 * 85 + a5 * 73 + a6 * 29 + a7 * 2 + a8 * 23 - a9 * 36 + a10 * 5 + a11 * 2 + a12 * 47 - a13 * 64 + a14 * 27 == 9710)
                & (a1 * 67 - a2 * 68 + a3 * 68 - a4 * 51 - a5 * 43 + a6 * 81 + a7 * 22 - a8 * 12 - a9 * 38 + a10 * 75 + a11 * 41 + a12 * 27 - a13 * 52 + a14 * 31 == 13376)
                & (a1 * 85 + a2 * 63 + a3 * 5 - a4 * 51 + a5 * 44 + a6 * 36 + a7 * 28 + a8 * 15 - a9 * 6 + a10 * 45 + a11 * 31 + a12 * 7 - a13 * 67 + a14 * 78 == 24065)
                & (a1 * 47 + a2 * 64 + a3 * 66 - a4 * 5 + a5 * 43 + a6 * 112 + a7 * 25 + a8 * 13 - a9 * 35 + a10 * 95 + a11 * 21 + a12 * 43 - a13 * 61 + a14 * 20 == 27687)
                & (a1 * 89 + a2 * 67 + a3 * 85 - a4 * 25 + a5 * 49 + a6 * 89 + a7 * 23 + a8 * 56 - a9 * 92 + a10 * 14 + a11 * 89 + a12 * 47 - a13 * 61 - a14 * 29 == 29250)
                & (a1 * 95 + a2 * 34 + a3 * 62 - a4 * 9 - a5 * 43 + a6 * 83 + a7 * 25 + a8 * 12 - a9 * 36 + a10 * 16 + a11 * 51 + a12 * 47 - a13 * 60 - a14 * 24 == 15317)):
            print('flag is GWHT{md5(your_input)}')
            print('Congratulations and have fun!')
        else:
            print('Sorry,plz try again...')

Solve the system of equations with z3:

    from z3 import *

    # one integer unknown per permuted code value
    a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14 = Ints(
        'a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14')
    s=Solver()
    s.add(a1 * 88 + a2 * 67 + a3 * 65 - a4 * 5 + a5 * 43 + a6 * 89 + a7 * 25 + a8 * 13 - a9 * 36 + a10 * 15 + a11 * 11 + a12 * 47 - a13 * 60 + a14 * 29 == 22748)
    s.add(a1 * 89 + a2 * 7 + a3 * 12 - a4 * 25 + a5 * 41 + a6 * 23 + a7 * 20 - a8 * 66 + a9 * 31 + a10 * 8 + a11 * 2 - a12 * 41 - a13 * 39 + a14 * 17 == 7258)
    s.add(a1 * 28 + a2 * 35 + a3 * 16 - a4 * 65 + a5 * 53 + a6 * 39 + a7 * 27 + a8 * 15 - a9 * 33 + a10 * 13 + a11 * 101 + a12 * 90 - a13 * 34 + a14 * 23 == 26190)
    # (a8 << 7) from the decompiled source is written as a8 * 128 for z3 Int terms
    s.add(a1 * 23 + a2 * 34 + a3 * 35 - a4 * 59 + a5 * 49 + a6 * 81 + a7 * 25 + (a8 *128) - a9 * 32 + a10 * 75 + a11 * 81 + a12 * 47 - a13 * 60 + a14 * 29 == 37136)
    s.add(a1 * 38 + a2 * 97 + a3 * 35 - a4 * 52 + a5 * 42 + a6 * 79 + a7 * 90 + a8 * 23 - a9 * 36 + a10 * 57 + a11 * 81 + a12 * 42 - a13 * 62 - a14 * 11 == 27915)
    s.add(a1 * 22 + a2 * 27 + a3 * 35 - a4 * 45 + a5 * 47 + a6 * 49 + a7 * 29 + a8 * 18 - a9 * 26 + a10 * 35 + a11 * 41 + a12 * 40 - a13 * 61 + a14 * 28 == 17298)
    s.add(a1 * 12 + a2 * 45 + a3 * 35 - a4 * 9 - a5 * 42 + a6 * 86 + a7 * 23 + a8 * 85 - a9 * 47 + a10 * 34 + a11 * 76 + a12 * 43 - a13 * 44 + a14 * 65 == 19875)
    s.add(a1 * 79 + a2 * 62 + a3 * 35 - a4 * 85 + a5 * 33 + a6 * 79 + a7 * 86 + a8 * 14 - a9 * 30 + a10 * 25 + a11 * 11 + a12 * 57 - a13 * 50 - a14 * 9 == 22784)
    s.add(a1 * 8 + a2 * 6 + a3 * 64 - a4 * 85 + a5 * 73 + a6 * 29 + a7 * 2 + a8 * 23 - a9 * 36 + a10 * 5 + a11 * 2 + a12 * 47 - a13 * 64 + a14 * 27 == 9710)
    s.add(a1 * 67 - a2 * 68 + a3 * 68 - a4 * 51 - a5 * 43 + a6 * 81 + a7 * 22 - a8 * 12 - a9 * 38 + a10 * 75 + a11 * 41 + a12 * 27 - a13 * 52 + a14 * 31 == 13376)
    s.add(a1 * 85 + a2 * 63 + a3 * 5 - a4 * 51 + a5 * 44 + a6 * 36 + a7 * 28 + a8 * 15 - a9 * 6 + a10 * 45 + a11 * 31 + a12 * 7 - a13 * 67 + a14 * 78 == 24065)
    s.add(a1 * 47 + a2 * 64 + a3 * 66 - a4 * 5 + a5 * 43 + a6 * 112 + a7 * 25 + a8 * 13 - a9 * 35 + a10 * 95 + a11 * 21 + a12 * 43 - a13 * 61 + a14 * 20 == 27687)
    s.add(a1 * 89 + a2 * 67 + a3 * 85 - a4 * 25 + a5 * 49 + a6 * 89 + a7 * 23 + a8 * 56 - a9 * 92 + a10 * 14 + a11 * 89 + a12 * 47 - a13 * 61 - a14 * 29 == 29250)
    s.add(a1 * 95 + a2 * 34 + a3 * 62 - a4 * 9 - a5 * 43 + a6 * 83 + a7 * 25 + a8 * 12 - a9 * 36 + a10 * 16 + a11 * 51 + a12 * 47 - a13 * 60 - a14 * 24 == 15317)
    # compare against sat explicitly: the check() result is truthy even for unsat
    if s.check() == sat:
        print(s.model())
    # [a2 = 24,a13 = 88, a6 = 43,a9 = 52,a14 = 33,a5 = 104,a12 = 74,a7 = 28,a1 = 119, a10 = 108, a11 = 88, a8 = 91, a4 = 7, a3 = 10]

A script that puts the values back in their original positions and then inverts the XOR chain gives the flag:

    import hashlib
    data=[119,24,10,7,104,43,28,91,52,108,88,74,88,33]
    index=[2,1,0,3,4,5,6,7,9,8,10,11,12,13]
    flag=[0]*14
    for i in range(len(flag)):
        flag[index[i]]=data[i]
    for i in range(len(flag)-2,-1,-1):
        flag[i]^=flag[i+1]
    flag_str=''.join(chr(i) for i in flag)
    print(flag_str)
    # U_G07_th3_k3y!
    h=hashlib.md5()
    h.update(flag_str.encode(encoding='utf-8'))
    print(h.hexdigest())
    # 58964088b637e50d3a22b9510c1d1ef8

[羊城杯 2020]Bytecode

The txt file contains Python bytecode. Translated back to source, it reads:

    #coding:utf-8
    en=[3,37,72,9,6,132]
    output=[101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
    print('welcome to GWHT2020')
    flag=raw_input('please input your flag:')
    str=flag

    def func0():  # checks the length of the input
        a = len(str)
        if a < 38:
            print('lenth wrong!')

    def func1():  # checks the first 5 characters of the input
        if (((ord(str[0])*2020+ord(str[1]))*2020+ord(str[2]))*2020+ord(str[3]))*2020+ord(str[4])==1182843538814603:
            print('good!continue\xe2\x80\xa6\xe2\x80\xa6')

    def func2():  # checks the first 26 characters inside the braces {}
        x=[]
        k=5
        for i in range(13):
            b=ord(str[k])
            c=ord(str[k+1])
            a11=c^en[i%6]
            a22=b^en[i%6]
            x.append(a11)
            x.append(a22)
            k+=2
        if x==output:
            print('good!continue\xe2\x80\xa6\xe2\x80\xa6')

    def func3():  # checks the last 6 characters inside the braces {}
        l=len(str)
        a1=ord(str[l-7])
        a2=ord(str[l-6])
        a3 = ord(str[l - 5])
        a4 = ord(str[l - 4])
        a5 = ord(str[l - 3])
        a6 = ord(str[l - 2])
        if a1*3+a2*2+a3*5==1003 and a1*4+a2*7+a3*9==2013 and a1+a2*8+a3*2==1109 and a4*3+a5*2+a6*5==671 and a4*4+a5*7+a6*9==1252 and a4+a5*8+a6*2==644:
            print('congraduation!you get the right flag!')

    func0()
    func1()
    func2()
    func3()

func1 checks the first 5 characters of the input. A brute-force script gives "GWHT{":

    for i in range(32,127):
        for j in range(32,127):
            for k in range(32, 127):
                for m in range(32, 127):
                    for n in range(32, 127):
                        if (((i*2020+j)*2020+k)*2020+m)*2020+n==1182843538814603:
                            print(chr(i)+chr(j)+chr(k)+chr(m)+chr(n))
                            break
    #GWHT{

func2 checks the first 26 characters inside the braces {}. An inverse script gives "cfa2b87b3f746a8f0ac5c5963f":

    en=[3,37,72,9,6,132]
    output=[101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
    k=0
    flag=[]
    for i in range(13):
        c1=output[k+1]^en[i%6]
        c2=output[k]^en[i%6]
        flag.append(c1)
        flag.append(c2)
        k+=2
    print(''.join(chr(i) for i in flag))
    # cfa2b87b3f746a8f0ac5c5963f

func3 checks the last 6 characters inside the braces {}. Solving the equations with z3 and converting the result to a string gives "aeff73":

    from z3 import *

    a1=Int('a1')
    a2=Int('a2')
    a3=Int('a3')
    a4=Int('a4')
    a5=Int('a5')
    a6=Int('a6')
    s=Solver()
    s.add(a1*3+a2*2+a3*5==1003)
    s.add(a1*4+a2*7+a3*9==2013)
    s.add(a1+a2*8+a3*2==1109)
    s.add(a4*3+a5*2+a6*5==671)
    s.add(a4*4+a5*7+a6*9==1252)
    s.add(a4+a5*8+a6*2==644)
    # compare against sat explicitly: the check() result is truthy even for unsat
    if s.check() == sat:
        print(s.model())
    # [a5 = 55, a2 = 101, a6 = 51, a3 = 102, a4 = 102, a1 = 97]
    data=[97,101,102,102,55,51]
    print(''.join(chr(i) for i in data))
    # aeff73

Finally, append a '}', so the flag is "GWHT{cfa2b87b3f746a8f0ac5c5963faeff73}"
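The three checks can also be inverted in closed form, without the nested brute-force loop or z3. This is an added example, not part of the original write-up: func1 is treated as a base-2020 number, func2 as a pair swap plus XOR, and func3 as two 3x3 linear systems solved with Cramer's rule. The constants come from the decompiled source above; the function names are chosen for this example.

```python
# Added example, not from the write-up; constants are copied from the page.
from fractions import Fraction

EN = [3, 37, 72, 9, 6, 132]
OUTPUT = [101, 96, 23, 68, 112, 42, 107, 62, 96, 53, 176, 179, 98,
          53, 67, 29, 41, 120, 60, 106, 51, 101, 178, 189, 101, 48]
TARGET = 1182843538814603

def invert_func1(value, base=2020, count=5):
    """func1 is Horner's rule in base 2020, so divmod peels off each character."""
    chars = []
    for _ in range(count):
        value, digit = divmod(value, base)
        chars.append(chr(digit))
    if value:
        raise ValueError("target does not fit in the expected number of digits")
    return "".join(reversed(chars))

def invert_func2(output, en):
    """func2 swaps each pair and XORs both bytes with en[i % 6]; undo both."""
    out = []
    for i in range(len(output) // 2):
        key = en[i % len(en)]
        out += [output[2 * i + 1] ^ key, output[2 * i] ^ key]
    return "".join(map(chr, out))

def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def solve3(rows, rhs):
    """Cramer's rule with exact fractions; rejects non-integer solutions."""
    d = det3(rows)
    sol = []
    for col in range(3):
        m = [[rhs[r] if c == col else rows[r][c] for c in range(3)] for r in range(3)]
        x = Fraction(det3(m), d)
        if x.denominator != 1:
            raise ValueError("no integer solution")
        sol.append(int(x))
    return sol

def recover_flag():
    rows = [[3, 2, 5], [4, 7, 9], [1, 8, 2]]  # func3 reuses these coefficients
    tail = solve3(rows, [1003, 2013, 1109]) + solve3(rows, [671, 1252, 644])
    return invert_func1(TARGET) + invert_func2(OUTPUT, EN) + "".join(map(chr, tail)) + "}"

if __name__ == "__main__":
    print(recover_flag())
```

The base-2020 reading works because every character code is smaller than 2020, so each one is a single digit of the target value.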

[羊城杯 2020]babyre

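An ELF file, not packed; analyze it in IDA.
In main, sub_402563 first performs a round of SMC (self-modifying code). The program then reads the input, which is limited to a length of 16, and encrypts it with DES; the key can be recovered by dynamic debugging. The DES-encrypted input (the ciphertext) is compared with the known byte_6040C0. Once that check passes, the input as entered, not the DES-encrypted form, is passed to sub_40272D as the AES key.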

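Debugging gives the DES key b'\xAD\x52\xF2\x4C\xE3\x2C\x20\xD6' and the ciphertext b'\x0A\xF4\xEE\xC8\x42\x8A\x9B\xDB\xA2\x26\x6F\xEE\xEE\xE0\xD8\xA2'. Decrypt the ciphertext with DES in ECB mode and in CBC mode; joining the results of the two decryptions gives the correct first input.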

    from Crypto.Cipher import DES

    key=b'\xAD\x52\xF2\x4C\xE3\x2C\x20\xD6'
    des_ecb=DES.new(key,DES.MODE_ECB)
    des_cbc=DES.new(key,DES.MODE_CBC,key)  # the key is also passed as the IV
    cipher=b'\x0A\xF4\xEE\xC8\x42\x8A\x9B\xDB\xA2\x26\x6F\xEE\xEE\xE0\xD8\xA2'
    m1=des_ecb.decrypt(cipher)
    m2=des_cbc.decrypt(cipher)
    print(m1)
    print(m2)
    # m1 (ECB): starts with th1s1sth, the remaining bytes are not readable
    # m2 (CBC): ends with 3n1c3k3y, the leading bytes are not readable
    # th1s1sth3n1c3k3y

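Inside sub_40272D the program reads input again. The first input is used as the AES key, and the new input is encrypted with standard AES in ECB mode. The ciphertext then goes through an XOR step, followed by an operation on each pair of adjacent elements that fills byte_6040D0. Finally byte_6040D0 is compared with the known res.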

A script that inverts these operations gives the flag:

    from Crypto.Cipher import AES

    key=b"th1s1sth3n1c3k3y"  # the first input, used as the AES key (bytes for Python 3)
    aes=AES.new(key,AES.MODE_ECB)
    res=[0xBD, 0xAD, 0xB4, 0x84, 0x10, 0x63, 0xB3, 0xE1, 0xC6, 0x84,
         0x2D, 0x6F, 0xBA, 0x88, 0x74, 0xC4, 0x90, 0x32, 0xEA, 0x2E,
         0xC6, 0x28, 0x65, 0x70, 0xC9, 0x75, 0x78, 0xA0, 0x0B, 0x9F,
         0xA6]
    for i in range(0,255):  # try each candidate value for s[0]
        s=[]
        s.append(i)
        # undo the adjacent-element operation
        for j in range(1,len(res)+1):
            tmp=((res[j-1]^(2*(s[j-1]^0x13)+7))-2-s[j-1]%9)&0xff
            s.append(tmp)
        # undo the XOR step
        for j in range(31,-1,-1):
            for k in range(j//4):
                s[j]^=s[k]
        m=aes.decrypt(bytes(s))
        if b'GWHT' in m:
            print(m.decode('latin-1'))
    #GWHT{th1s_gam3_1s_s0_c00l_and_d}

Both inputs pass verification; take the md5 once more and the submission succeeds.

[ACTF新生賽2020]fungame

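The target is an exe that asks for input when run. It is not packed, so analyze it in IDA.
In main, v3 and x are filled with zeros; x has size 36, but only 24 zeros are written.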

sub_401340 reads the input and checks its first 16 characters.

sub_4013BA performs two copies.

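Looking up the cross-references to x: besides main and sub_4013BA, the third reference is in sub_40233D.
That function reads input again, applies standard base64 encoding to it, and compares the result with the known v0.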

Wrote a script, but the submission failed:

    import base64

    y1=[0x23, 0x61, 0x3E, 0x69, 0x54, 0x41, 0x18, 0x4D, 0x6E, 0x3B,
        0x65, 0x53, 0x30, 0x79, 0x45, 0x5B]
    y2=[0x71, 0x04, 0x61, 0x58, 0x27, 0x1E, 0x4B, 0x22, 0x5E, 0x64,
        0x03, 0x26, 0x5E, 0x17, 0x3C, 0x7A]
    flag=[]
    for i in range(16):
        flag.append(y1[i]^y2[i])
    flag_str=''.join(chr(i) for i in flag)
    s="YTFzMF9wV24="
    flag_str+=base64.b64decode(s).decode()  # b64decode returns bytes in Python 3
    print(flag_str)
    #Re_1s_So0_funny!a1s0_pWn

In the end, refer to Mz1's write-up: re | [ACTF新生賽2020]fungame
