REVERSE-PRACTICE-BUUCTF-27

• • [XMAN2018排位賽]Dragon Quest
  • [羊城杯 2020]easyre
  • [watevrCTF 2019]Repyc
  • [2019紅帽杯]calc

[XMAN2018排位賽]Dragon Quest

elf文件，無殼，ida分析
main函數，讀取輸入，start_quest函數驗證輸入，根據返回值判斷輸入是否正確

進入start_quest函數，首先是給hero數組添加元素，檢驗輸入的長度是否為28，輸入長度等于28則v7為0，否則v7為1

往下走，由于需要start_quest返回0x1337，則需v7為0，即輸入的長度等于28
sanitize_input函數對輸入進行檢驗，由變量值傳遞可知，sanitize_input函數也要返回0x1337

進入sanitize_input函數，主要的邏輯為，輸入進入transform_input函數處理，返回值與hero數組比較

v31 = (char *)std::string::operator[](input, index);// 從input中取一個字節(jié)if ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 ){ LABEL_71:if ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 )goto LABEL_114;while ( 1 ){*(_DWORD *)v40 = *v31;if ( y4 < 10 || (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) == 0 )break; LABEL_114:*(_DWORD *)v40 = *v31;}}*(_DWORD *)v40 = *v31; // v31->v40if ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 )goto LABEL_71;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );std::vector<int,std::allocator<int>>::push_back(v42, v40);// v40被添加到v42數組dov30 = y18 < 10 || (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) == 0;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );if ( !v30 ) LABEL_74:*v37 = *v41;if ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 ) LABEL_99:*v37 = *v41;v1 = v37;*v37 = *v41;v29 = *v1;v28 = y18 < 10 || (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) == 0;if ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 )goto LABEL_99;if ( !v28 )goto LABEL_74;v27 = std::string::length(input);dov26 = y18 < 10 || (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) == 0;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );if ( !v26 ) LABEL_75:*v37 = (v27 >> 40) & v29 | 0x1C;v2 = v37;*v37 = (v27 >> 40) & v29 | 0x1C;v25 = *v2 != 0;if ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 )goto LABEL_75;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );if ( v25 ){doindex_ = *v41;while ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 );v23 = (int *)std::vector<int,std::allocator<int>>::operator[]((unsigned int)&hero, index_);// 從hero中取一個字節(jié)dov22 = y18 < 10 || (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) == 0;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );dov21 = *v23; // v23->v21while ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 );std::vector<int,std::allocator<int>>::vector(v36, v42);// v42賦給v36dov20 = y18 < 10 || (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) == 0;while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );while ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 );while ( y4 >= 10 && (((_BYTE)x3 - 1) * (_BYTE)x3 & 1) != 0 );v19 = transform_input(v36); // 對v36處理，返回到v19if ( y18 >= 10 && (((_BYTE)x17 - 1) * (_BYTE)x17 & 1) != 0 )goto LABEL_79;while ( 1 ){v18 = v21 == v19; // v19與v21比較

進入transform_input函數，主要的邏輯為，取出輸入的一個字節(jié)input[i]，v16初始值為0，v16每次加上input[i]，然后返回v16，與hero數組的元素比較

已知hero數組，寫逆運算腳本即可得到flag

hero=[0x64,0xd6,0xa,0x71,0xa1,0xf,0x6e,0xdd,0x4f,0xae,0x1e,0x52,0xc6,0x38,0xa1,0x4,0x35,0x96,0x4,0x63,0xcc,0x40,0x75,0xd4,0x20,0x6c,0xc2,0xf] n=0 flag="" for i in range(len(hero)):tmp=hero[i]-nn+=tmpflag+=chr(tmp%128) print(flag) #dr4g0n_or_p4tric1an_it5_LLVM

[羊城杯 2020]easyre

exe程序，運行后輸入，無殼，ida分析
main函數，讀取輸入，檢驗輸入的長度是否為38，對輸入進行三次變換，最后與Str2比較

三次變換都很容易理解，分別是常規(guī)base64，分組換位置，以及類似凱撒的右移三位
寫逆運算腳本即可得到flag

import base64 str2="EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG" data=[] for c in str2:if c.isdigit():data.append((ord(c)-48-3)%10+48)elif c.isupper():data.append((ord(c)-65 - 3) % 26 + 65)elif c.islower():data.append((ord(c)-97 - 3) % 26 + 97)else:data.append(ord(c)) flag=[0]*len(data) flag[0:13]=data[13:26] flag[13:26]=data[39:len(data)] flag[26:39]=data[0:13] flag[39:len(flag)]=data[26:39] print(base64.b64decode(''.join(chr(i) for i in flag))) # GWHT{672cc4778a38e80cb362987341133ea2}

[watevrCTF 2019]Repyc

.pyc文件，用uncompyle6反編譯得到源代碼，python2會檢測為非ascii碼，換成python3即可

佤 = 0 侰 = ~佤 * ~佤 俴 = 侰 + 侰def ?(?):? = 佤? = 佤? = [佤] * 俴 ** (俴 * 俴)? = [佤] * 100? = []while ?[?][佤] != '?':? = ?[?][佤].lower()亀 = ?[?][侰:]if ? == '?':?[亀[佤]] = ?[亀[侰]] + ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] ^ ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] - ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] * ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] / ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] & ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]] | ?[亀[俴]]else:if ? == '?':?[亀[佤]] = ?[亀[佤]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]]else:if ? == '?':?[亀[佤]] = 亀[侰]else:if ? == '?':?[亀[佤]] = ?[亀[侰]]else:if ? == '?':?[亀[佤]] = ?[亀[侰]]else:if ? == '?':?[亀[佤]] = 佤else:if ? == '?':?[亀[佤]] = 佤else:if ? == '?':?[亀[佤]] = input(?[亀[侰]])else:if ? == '?':?[亀[佤]] = input(?[亀[侰]])else:if ? == '?':print(?[亀[佤]])else:if ? == '?':print(?[亀[佤]])else:if ? == '?':? = ?[亀[佤]]else:if ? == '?':? = ?[亀[佤]]else:if ? == '?':? = ?.pop()else:if ? == '?':if ?[亀[侰]] > ?[亀[俴]]:? = 亀[佤]?.append(?)continueelse:if ? == '?':?[7] = 佤for i in range(len( ?[亀[佤]])):if ?[亀[佤]] != ?[亀[侰]]:?[7] = 侰? = ?[亀[ 俴]]?.append(?)else:if ? == '?':? = ''for i in range(len(?[亀[佤]])):? += chr(ord(?[亀[佤]][i]) ^ ?[亀[侰]])?[亀[佤]] = ?else:if ? == '?':? = ''for i in range(len(?[亀[佤]])):? += chr(ord(?[亀[佤]][i]) - ?[亀[侰]])?[亀[佤]] = ?else:if ? == '?':if ?[亀[侰]] > ?[亀[俴]]:? = ?[亀[佤]]?.append(?)continueelse:if ? == '?':if ?[亀[侰]] > ?[亀[俴]]:? = ?[亀[佤]]?.append(?)continueelse:if ? == '?':if ?[亀[侰]] == ?[亀[俴]]:? = 亀[佤]?.append(?)continueelse:if ? == '?':if ?[亀[侰]] == ?[亀[俴]]:? = ?[亀[佤]]?.append(?)continueelse:if ? == '?':if ?[亀[侰]] == ?[亀[俴]]:? = ?[亀[佤]]?.append(?)continue? += 侰?([['?', 佤, 'Authentication token: '],['?', 佤, 佤],['?', 6, 'á×?óa?í?à??é????é?óé?àóé?ó??éóú???è??ùúé?ó?àù?éóa?éàóú?óòù??àé?à??é??é?àóéúóáé·?a×ú?ó?é3ú???è??ùúé??×ú? ×??é×ú?á×??é?é?ùú?é?ó×üü?éà×aóé×é?ùù?éa??é???é?é?ó×üü?éóúTù?é?à??é?ùú?é?éàùèóé?ù?éá?üüéóúTù?é??é×?áóüü\x97é?ù????ó\x9a?ù?\x99á×??à?a?3￡?2??è·±a¨?'],['?', 俴, 俴 ** (3 * 俴 + 侰) - 俴 ** (俴 + 侰)],['?', 4, 15],['?', 3, 侰],['?', 俴, 俴, 3],['?', 俴, 俴, 4],['?', 佤, 俴],['?', 3],['?', 6, 3],['?', 佤, 'Thanks.'],['?', 侰, 'Authorizing access...'],['?', 佤],['?', 佤, 佤],['?', 佤, 俴],['?', 佤, 4],['?', 5, 19],['?', 佤, 6, 5],['?', 侰],['?'],['?', 侰, 'Access denied!'],['?', 侰],['?']])

運行后輸入，調試發(fā)現，對輸入的處理很簡單，input[i]=((input[i])^135)-15，即輸入先異或135，再減去15，最后和那段長字符串比較，寫腳本即可得到flag

res="á×?óa?í?à??é????é?óé?àóé?ó??éóú???è??ùúé?ó?àù?éóa?éàóú?óòù??àé?à??é??é?àóéúóáé·?a×ú?ó?é3ú???è??ùúé??×ú? ×??é×ú?á×??é?é?ùú?é?ó×üü?éà×aóé×é?ùù?éa??é???é?é?ó×üü?éóúTù?é?à??é?ùú?é?éàùèóé?ù?éá?üüéóúTù?é??é×?áóüü\x97é?ù????ó\x9a?ù?\x99á×??à?a?3￡?2??è·±a¨?" flag="" for c in res:flag+=chr((ord(c)+15)^135) print(flag) #watevr{this_must_be_the_best_encryption_method_evr_henceforth_this_is_the_new_Advanced_Encryption_Stand¨ard_anyways_i_dont_really_have_a_good_vid_but_i_really_enjoy_this_song_i_hope_you_will_enjoy_it_aswell!_youtube.com/watch?v=E5yFcdPAGv0}

[2019紅帽杯]calc

exe程序，運行后輸入，無殼，ida分析
三次輸入，對輸入一頓運算，沒看懂
參考網上別的師傅的wp，2019紅帽杯 Writeup by X1cT34m
原來是在滿足input_2<input_1<input_3的條件下，得到input_1**3+input_2**3+input_2**3==42，即三個整數的立方和等于42
百度一下，果然有解

(-80538738812075974)**3 + 80435758145817515**3 + 12602123297335631**3==42

將程序的三個sleep函數patch掉，按input_2<input_1<input_3的條件輸入，得到flag

import hashlib flag="flag{" s="804357581458175151260212329733563180538738812075974" h=hashlib.md5() h.update(s.encode(encoding='utf-8')) flag+=h.hexdigest() flag+="}" print(flag) # flag{951e27be2b2f10b7fa22a6dc8f4682bd}

總結

以上是生活随笔為你收集整理的REVERSE-PRACTICE-BUUCTF-27的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。