Reverse
Hello, CTF
No packer. Open it in IDA and the flag is right there.
CrackMeJustForFun
insanity
python-trade
uncompyle6
Decompile it with uncompyle6 and write the solver script.
#!/usr/bin/python
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: 1.py
# Compiled at: 2017-06-03 11:20:43
import base64

def encode(message):
    # per character: XOR with 32, add 16, then base64 the whole buffer
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    return base64.b64encode(s.encode('latin-1'))  # b64encode needs bytes on Python 3

def decode(message):
    # inverse of encode(): base64-decode, subtract 16, XOR with 32
    message = base64.b64decode(message)
    print(message)
    s = ''
    for x in message:  # iterating bytes yields ints on Python 3
        print(x)
        x = x - 16
        x = x ^ 32
        s += chr(x)
    return s

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
print(decode(correct))
# nctf{d3c0mpil1n9_PyC}
re1
_mm_storeu_si128() works much like memset() here: it stores the 16-byte constant xmmword_413E34 into v5.
Press r in IDA to convert the hexadecimal value directly into its character string.
Take the hexadecimal number 0x12345678 as an example.
Big-endian stores it as 12,34,56,78 and reads it front to back.
Little-endian stores it as 78,56,34,12 and reads it back to front.
Game
1
Interesting: the string was decompiled into several separate pieces.
Every update is a step backwards.
#!/usr/bin/python
# key bytes recovered from the binary (57 values; the loop uses the first 56)
v5 = [18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32, 49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32, 16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0]
# the encrypted flag as the decompiler split it: v2, tmp (as v1), v3, v4
v2 = [123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49, 83, 108, 94, 108, 84, 6]
tmp = "`S,yhn _uec{"
v1 = [ord(c) for c in tmp]
v3 = [127, 119, 96, 48, 107, 71, 92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86, 13, 114, 1]
v4 = [ord('u'), ord('~')]
v3 = v2 + v1 + v3 + v4  # reassembled in order: 22 + 12 + 20 + 2 = 56 bytes
flag = ""
for i in range(56):
    v3[i] ^= v5[i]   # undo the per-byte key
    v3[i] ^= 0x13    # undo the constant XOR
    flag += chr(v3[i])
print(flag)
# zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
2
First go to main. According to the problem statement, the function at 457AB4 is the one that prints the flag.
Jump there in IDA with the shortcut g, and use Tab to switch between the disassembly and pseudocode views.
Then go to 45e940. This is clearly the code that produces the flag.
If the program logic can be changed so that it jumps straight here, that solves it.
3
Alternatively, the branch condition can be changed to
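Both routes described above (forcing a jump to the flag routine, or flipping the check) come down to rewriting one conditional jump. The following is an added example, not code from the write-up: it patches a short conditional jump (Jcc, opcodes 0x70 to 0x7F) in an in-memory copy of a binary, either into an unconditional short JMP (0xEB) or into two NOPs so execution falls through. The code buffer is constructed for illustration and is not the challenge binary; the offset 3 is the position of the jne in that constructed buffer.

```python
# Constructed sample: cmp eax, 1 / jne +5 / mov eax, 1 / ret  (x86, illustration only)
CODE = bytes([
    0x83, 0xF8, 0x01,                    # cmp eax, 1
    0x75, 0x05,                          # jne +5       <- the check to neutralise
    0xB8, 0x01, 0x00, 0x00, 0x00,        # mov eax, 1   (the path we want)
    0xC3,                                # ret
])
JNE_OFFSET = 3  # position of the jne in CODE (constructed value)


def is_short_jcc(opcode):
    """True for the one-byte short conditional jumps 0x70..0x7F (jo, jno, jb, ..., jg)."""
    return 0x70 <= opcode <= 0x7F


def patch_jcc_to_jmp(code, offset):
    """Replace the Jcc at `offset` with JMP rel8 (0xEB); the 1-byte displacement is reused.
    Returns (patched_copy, original_two_bytes) so the change can be reverted or logged."""
    if not is_short_jcc(code[offset]):
        raise ValueError(f"byte at {offset:#x} is {code[offset]:#04x}, not a short Jcc")
    patched = bytearray(code)
    patched[offset] = 0xEB
    return bytes(patched), code[offset:offset + 2]


def patch_jcc_to_nop(code, offset):
    """Replace the 2-byte Jcc with two NOPs so the branch is never taken."""
    if not is_short_jcc(code[offset]):
        raise ValueError(f"byte at {offset:#x} is {code[offset]:#04x}, not a short Jcc")
    patched = bytearray(code)
    patched[offset:offset + 2] = b"\x90\x90"
    return bytes(patched), code[offset:offset + 2]


if __name__ == "__main__":
    forced, saved = patch_jcc_to_jmp(CODE, JNE_OFFSET)
    print("always-jump :", forced.hex(), "saved", saved.hex())
    fall, saved = patch_jcc_to_nop(CODE, JNE_OFFSET)
    print("fall-through:", fall.hex(), "saved", saved.hex())
```

Which of the two patches is the right one depends on whether the flag-printing block lies on the taken or the not-taken side of the branch, which is exactly what the jump in IDA (g) shows. Only the opcode byte is touched, so instruction lengths and every other offset in the file stay the same. On a real file the offset must be the file offset, not the virtual address IDA displays.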
open-source
➜ open-source ./a.out 51966 25 h4cky0u
Brr wrrr grr
Get your key: c0ffee
logmein
The logic is simple: it is a flag-check routine.
(char)(*((_BYTE *)&v7 + i%v6) ^ v8[i])
Take the address of v7, add i % v6, read the byte there, and XOR it with v8[i].
#!/usr/bin/python
v8 = ":\"AL_RT^L*.?+6/46"   # the 17 bytes the input is XORed against
v7 = 0x65626D61726168       # the 7-byte key as IDA shows the immediate
v7 = 'ebmarah'[::-1]        # the same bytes in memory order (little-endian): 'harambe'
flag = ""
for i in range(len(v8)):
    tmp = v7[i % 7]         # key byte at i % v6, with v6 = 7
    flag += chr(ord(v8[i]) ^ ord(tmp))
print(flag)
# RC3-2016-XORISGUD
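The byte-order note under re1 and the logmein expression `(char)(*((_BYTE *)&v7 + i%v6) ^ v8[i])` are the same idea: the immediate IDA shows is stored least-significant byte first, and the check walks those bytes in memory order. The following is an added example, not code from the write-up: `le_bytes` / `be_bytes` show both orders for the re1 value 0x12345678 and for the logmein constant, and `check` mirrors the binary's loop so a candidate can be verified. The constants are the ones quoted above; the assumption that v6 is 7 comes from the solver's `i % 7`, and the exact comparison the binary performs is assumed to be byte-for-byte equality.

```python
# Added example (not the challenge's code). Constants are the ones quoted in the write-up.

def le_bytes(value, width):
    """Bytes of `value` as laid out in memory on a little-endian machine (LSB first)."""
    return value.to_bytes(width, "little")


def be_bytes(value, width):
    """The same value in big-endian order (MSB first), i.e. as written in hex."""
    return value.to_bytes(width, "big")


# logmein constants from the decompiled check
V7 = 0x65626D61726168          # 7-byte key as an immediate
V6 = 7                         # key length (assumed from the solver's i % 7)
V8 = b':"AL_RT^L*.?+6/46'      # 17 comparison bytes


def key_bytes():
    """(_BYTE *)&v7 : the key in memory order, which reads as b'harambe'."""
    return le_bytes(V7, V6)


def expected_byte(i):
    """*((_BYTE *)&v7 + i % v6) ^ v8[i] for position i."""
    return key_bytes()[i % V6] ^ V8[i]


def recover():
    """Walk the loop once to produce the input the check accepts."""
    return bytes(expected_byte(i) for i in range(len(V8)))


def check(candidate):
    """Mirror of the binary's check: every input byte must equal expected_byte(i).
    Assumed to be a plain byte-for-byte comparison of the right length."""
    if len(candidate) != len(V8):
        return False
    return all(candidate[i] == expected_byte(i) for i in range(len(V8)))


if __name__ == "__main__":
    print("re1  0x12345678 big-endian   :", be_bytes(0x12345678, 4).hex())   # 12345678
    print("re1  0x12345678 little-endian:", le_bytes(0x12345678, 4).hex())   # 78563412
    print("logmein key in memory        :", key_bytes())
    flag = recover()
    print("logmein flag                 :", flag.decode(), check(flag))
```

`le_bytes(V7, 7)` is what pressing r on the immediate in IDA shows once the bytes are read in memory order; on a big-endian target the same conversion would need `"big"`, which is why the write-up spells out both layouts.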