逆向学习记录

Word count: 7.3k   |   Reading time≈ 39 min

RE

9月15日

[BJDCTF2020]JustRE

题目打开

有getflag选项,懒得看直接ida打开32位,字符串看下

发现了这个函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
INT_PTR __stdcall DialogFunc(HWND hWnd, UINT a2, WPARAM a3, LPARAM a4)
{
  CHAR String[100]; // [esp+0h] [ebp-64h] BYREF

  if ( a2 != 272 )
  {
    if ( a2 != 273 )
      return 0;
    if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
    {
      sprintf(String, Format, ++dword_4099F0);
      if ( dword_4099F0 == 19999 )
      {
        sprintf(String, " BJD{%d%d2069a45792d233ac}", 19999, 0);
        SetWindowTextA(hWnd, String);
        return 0;
      }
      SetWindowTextA(hWnd, String);
      return 0;
    }
    EndDialog(hWnd, (unsigned __int16)a3);
  }
  return 1;
}

直接出flag

BJD{1999902069a45792d233ac}

[GWCTF 2019]pyre

这个是一道pyre,我们可以采用工具

1
uncompyle6 -o attach.py attachment.pyc

生成反编译python去查看

可以可以先将flag输入然后确保他在128范围内也就是(input1[i] + i) % 128

接着进行了flag长度的异或操作,并且给出了加密结果。

逆向就非常简单了,进行倒序异或,刚才第一步加了多少的i就减去多少的i

再去除以128即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.5.2 (default, Jan 26 2021, 13:30:48) 
# [GCC 5.4.0 20160609]
# Embedded file name: encode.py
# Compiled at: 2019-08-19 06:01:57
print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[(i + 1)]

print code
code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']

exp

1
2
3
4
5
6
7
8
9
10
import os
code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']
flag=["","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","","",""]
print(len(code))
for i in range(len(code)-2,-1,-1):
	code[i]=chr(ord(code[i])^ord(code[(i+1)]))
for i in range(len(code)):
	flag[i]=(chr((ord(code[i])-i)%128))
for i in range(len(code)):
	print(str(flag[i]),end='')

rsa

给了一个公钥,以及一个pcg。

我们通过网站

http://ctf.ssleye.com/pub_asys.html

可以得到

1
2
3
4
5
6
7
8
密钥类型RSA
密钥强度256
PN(e)65537
PN(n)
8693448229604811919066606200349480058890565601720302561721665405
8378322103517
DER格式
303c300d06092a864886f70d0101010500032b003028022100c0332c5c64ae47182f6c1c876d42336910545a58f7eefefc0bcaaf5af341ccdd0203010001

得到N可以再去网站

http://www.factordb.com

得到p q

最后exp如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import gmpy2
import rsa

e=65537
n=86934482296048119190666062003494800588905656017203025617216654058378322103517
p = 285960468890451637935629440372639283459
q = 304008741604601924494328155975272418463

phin=(q-1)*(p-1)
d=gmpy2.invert(e,phin)

key=rsa.PrivateKey(n,e,int(d),p,q)

with open("flag.enc","rb+") as f:
    f=f.read()
flag=rsa.decrypt(f,key)
print(flag)

[ACTF新生赛2020]easyre

那到题目,我只能说IDA7.5非常不好用,改天换回ida7.0

ida7.5反汇编如下(加了UPX壳,直接去吾爱破解找upx3.6一键脱壳加壳神器)

就是因为这句qmemcpy(v4, “*F’"N,"(I?+@”, sizeof(v4));

卡了老半天,看别人ida7.0是非常明显的ASCII赋值,这样看就会非常明显有思路

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[12]; // [esp+12h] [ebp-2Eh] BYREF
  int v5[3]; // [esp+1Eh] [ebp-22h]
  char v6[5]; // [esp+2Ah] [ebp-16h] BYREF
  int v7; // [esp+2Fh] [ebp-11h]
  int v8; // [esp+33h] [ebp-Dh]
  int v9; // [esp+37h] [ebp-9h]
  char v10; // [esp+3Bh] [ebp-5h]
  int i; // [esp+3Ch] [ebp-4h]

  __main();
  qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));
  printf("Please input:");
  scanf("%s", v6);
  if ( v6[0] != 0x41 || v6[1] != 67 || v6[2] != 84 || v6[3] != 70 || v6[4] != 123 || v10 != 125 )
    return 0;
  v5[0] = v7;
  v5[1] = v8;
  v5[2] = v9;
  for ( i = 0; i <= 11; ++i )
  {
    if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] )
      return 0;
  }
  printf("You are correct!");
  return 0;
}

这个加密方法挺简单的,就是根据你输入的字符串然后呢在去匹配加密密钥_data_start__

假设密钥是abcdefg,我明文是bg,密文就是27。同理给出了加密结果

qmemcpy(v4, “*F’"N,"(I?+@”, sizeof(v4));

只要用jio本匹配这些字符在的ascll在密钥中的位置所表示的字符再去输出出来就是明文了

exp如下

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
#coding=utf-8
key = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"' #'一定要加\
encrypt = [42,70,39,34,78,44,34,40,73,63,43,64]
x = []
flag = ''
for i in encrypt:
  x.append(key.find(chr(i))+1) 
for i in x:
  flag += chr(i)
print(flag+'\n')
print(x)


CrackRTF

直接md5百度爆破花钱解决的事情,之前有人花钱过了,直接拿就行了非预期解免费网站(https://www.somd5.com/)

第二个md5=~!3a@0123321@DBApp

第一次密码123321

第二次密码~!3a@0

之后会生成dbapp.rtf

直接找这个文件

Flag{N0_M0re_Free_Bugs}

[2019红帽杯]easyRE

一道非常好的题目,题目不难,却胜在人性的弱点,说实话我一打开搜索字符串看见base64加密人就来劲了,

以为只要10次base64就能得到flag笑死,结果进坑了,得到看雪的一篇文章。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  int result; // eax
  unsigned __int64 v5; // rax
  __int64 v6; // rax
  int i; // [rsp+Ch] [rbp-114h]
  __int64 v8; // [rsp+10h] [rbp-110h]
  __int64 v9; // [rsp+18h] [rbp-108h]
  __int64 v10; // [rsp+20h] [rbp-100h]
  __int64 v11; // [rsp+28h] [rbp-F8h]
  __int64 v12; // [rsp+30h] [rbp-F0h]
  __int64 v13; // [rsp+38h] [rbp-E8h]
  __int64 v14; // [rsp+40h] [rbp-E0h]
  __int64 v15; // [rsp+48h] [rbp-D8h]
  __int64 v16; // [rsp+50h] [rbp-D0h]
  __int64 v17; // [rsp+58h] [rbp-C8h]
  char v18[13]; // [rsp+60h] [rbp-C0h] BYREF
  char v19[4]; // [rsp+6Dh] [rbp-B3h] BYREF
  char v20[19]; // [rsp+71h] [rbp-AFh] BYREF
  char v21[32]; // [rsp+90h] [rbp-90h] BYREF
  int v22; // [rsp+B0h] [rbp-70h]
  char v23; // [rsp+B4h] [rbp-6Ch]
  __m128i v24[4]; // [rsp+C0h] [rbp-60h] BYREF
  char v25; // [rsp+100h] [rbp-20h]
  unsigned __int64 v26; // [rsp+108h] [rbp-18h]

  v26 = __readfsqword(0x28u);
  qmemcpy(v18, "Iodl>Qnb(ocy", 12);
  v18[12] = 127;
  qmemcpy(v19, "y.i", 3);
  v19[3] = 127;
  qmemcpy(v20, "d`3w}wek9{iy=~yL@EC", sizeof(v20));
  memset(v21, 0, sizeof(v21));
  v22 = 0;
  v23 = 0;
  sub_4406E0(0, v21, 0x25uLL);
  v23 = 0;
  LODWORD(v3) = sub_424BA0((const __m128i *)v21);
  if ( v3 == 36 )
  {
    for ( i = 0; ; ++i )
    {
      LODWORD(v5) = sub_424BA0((const __m128i *)v21);
      if ( i >= v5 )
        break;
      if ( (unsigned __int8)(v21[i] ^ i) != v18[i] )
      {
        result = 0xFFFFFFFE;
        goto LABEL_13;
      }
    }
    sub_410CC0("continue!");
    memset(v24, 0, sizeof(v24));
    v25 = 0;
    sub_4406E0(0, (char *)v24, 0x40uLL);
    v24[2].m128i_i8[7] = 0;
    LODWORD(v6) = sub_424BA0(v24);
    if ( v6 == 39 )
    {
      v8 = base64((__int64)v24);
      v9 = base64(v8);
      v10 = base64(v9);
      v11 = base64(v10);
      v12 = base64(v11);
      v13 = base64(v12);
      v14 = base64(v13);
      v15 = base64(v14);
      v16 = base64(v15);
      v17 = base64(v16);
      if ( !(unsigned int)sub_400360(v17, (__int64)off_6CC090) )
      {
        sub_410CC0("You found me!!!");
        sub_410CC0("bye bye~");
      }
      result = 0;
    }
    else
    {
      result = -3;
    }
  }
  else
  {
    result = -1;
  }
LABEL_13:
  if ( __readfsqword(0x28u) != v26 )
    sub_444020();
  return result;
}

如果是真正打比赛,成百上千函数无异于大海捞针,但是我们现在在练习的角度冷静思考,这是比赛的东西,那么就不会变态的为难

做题的人,我们可以根据人性的心理在主函数的上下函数去查找。结果发现main函数的下面是存在一个加密函数的。

先进行了判断输入的第一个字符和第四个字符是不是f,g,那么我们继续玩心理战,他判断的范围在1-4,常规flag开头就是flag

所以我们可以判断这个四个字符绝对就是flag,下面他就会对byte_6CC0A0中的字符进行异或操作加密

异或加密操作用到的密码我们可以根据

v1 ^ byte_6CC0A0[0]) == ‘f’

这段代码推测得知是明文的前4个字符与’flag’进行异或得到的结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
unsigned __int64 jiami()
{
  unsigned __int64 result; // rax
  unsigned int v1; // [rsp+Ch] [rbp-24h]
  int i; // [rsp+10h] [rbp-20h]
  int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v4; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  v1 = sub_43FD20(0LL) - qword_6CEE38;
  for ( i = 0; i <= 1233; ++i )
  {
    sub_40F790(v1);
    sub_40FE60();
    sub_40FE60();
    v1 = sub_40FE60() ^ 0x98765432;
  }
  v4 = v1;
  if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 'f' && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 'g' )
  {
    for ( j = 0; j <= 24; ++j )
      sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4)));
  }
  result = __readfsqword(0x28u) ^ v5;
  if ( result )
    sub_444020();
  return result;
}

exp

1
2
3
4
5
6
7
8
9
10
11
12
s = [0x40, 0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 0x24, 0x6E, 0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 0x72, 0x3C, 0x32, 0x45, 0x5B]
s1 = 'flag'
flag = ''
key = ''
 
for i in range(4):
    key += chr(s[i] ^ ord(s1[i]))
 
for i in range(len(s)):
    flag += chr(s[i] ^ ord(key[i % 4]))
 
print(flag)

[ACTF新生赛2020]rome

main

ida7.5==-==打死我也不想用了

可以看见给了密文 strcpy(v12, “Qsw3sj_lz4_Ujw@l”);记得转成ASCII

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
int func()
{
  int result; // eax
  int v1[4]; // [esp+14h] [ebp-44h]
  unsigned __int8 v2; // [esp+24h] [ebp-34h] BYREF
  unsigned __int8 v3; // [esp+25h] [ebp-33h]
  unsigned __int8 v4; // [esp+26h] [ebp-32h]
  unsigned __int8 v5; // [esp+27h] [ebp-31h]
  unsigned __int8 v6; // [esp+28h] [ebp-30h]
  int v7; // [esp+29h] [ebp-2Fh]
  int v8; // [esp+2Dh] [ebp-2Bh]
  int v9; // [esp+31h] [ebp-27h]
  int v10; // [esp+35h] [ebp-23h]
  unsigned __int8 v11; // [esp+39h] [ebp-1Fh]
  char v12[29]; // [esp+3Bh] [ebp-1Dh] BYREF

  strcpy(v12, "Qsw3sj_lz4_Ujw@l");
  printf("Please input:");
  scanf("%s", &v2);
  result = v2;
  if ( v2 == 'A' )
  {
    result = v3;
    if ( v3 == 'C' )
    {
      result = v4;
      if ( v4 == 'T' )
      {
        result = v5;
        if ( v5 == 'F' )
        {
          result = v6;
          if ( v6 == '{' )
          {
            result = v11;
            if ( v11 == '}' )
            {
              v1[0] = v7;
              v1[1] = v8;
              v1[2] = v9;
              v1[3] = v10;
              *(_DWORD *)&v12[17] = 0;
              while ( *(int *)&v12[17] <= 15 )
              {
                if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '@' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'Z' )
                  *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 51) % 26 + 65;
                if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '`' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'z' )
                  *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 79) % 26 + 97;
                ++*(_DWORD *)&v12[17];
              }
              *(_DWORD *)&v12[17] = 0;
              while ( *(int *)&v12[17] <= 15 )
              {
                result = (unsigned __int8)v12[*(_DWORD *)&v12[17]];
                if ( *((_BYTE *)v1 + *(_DWORD *)&v12[17]) != (_BYTE)result )
                  return result;
                ++*(_DWORD *)&v12[17];
              }
              result = printf("You are correct!");
            }
          }
        }
      }
    }
  }
  return result;
}

重点判断如下

1
2
3
4
5
6
if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '@' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'Z' )//判断大写
                  *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 51) % 26 + 65;
                if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '`' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'z' )//判断小写
                  *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 79) % 26 + 97;
                ++*(_DWORD *)&v12[17];
              }

这个都不算逆向的感觉。。。直接顺势思维把这段代码抄下来,因为数组是17下标是0-16,然后ASCII一共就128个

直接脚本一把梭

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#coding=utf-8
x = [81,115,119,51,115,106,95,108,122,52,95,85,106,119,64,108]
flag = ''
for k in range(0,16):
    for i in range(0,127):  #ASCII到目前为止共定义了128个字符,挨个儿试
        z = i
        if i > 64 and i <= 90:
            i = (i-51)%26 + 65
        if i > 96 and i <= 122:
            i = (i-79)%26 + 97
        if(i == x[k]):
            flag += chr(z)

print(flag)

[FlareOn4]login

网页源代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

<!DOCTYPE Html />
<html>
    <head>
        <title>FLARE On 2017</title>
    </head>
    <body>
        <input type="text" name="flag" id="flag" value="Enter the flag" />
        <input type="button" id="prompt" value="Click to check the flag" />
        <script type="text/javascript">
            document.getElementById("prompt").onclick = function () {
                var flag = document.getElementById("flag").value;
                var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
                if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
                    alert("Correct flag!");
                } else {
                    alert("Incorrect flag, rot again");
                }
            }
        </script>
    </body>
</html>

flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= “Z” ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});

重点在这,首先进行了字母大小写的判断c <= “Z” ? 90 : 122

其次对属于字母范围内的数据,进行加13,看大于不大于当前的Z(所谓当前的Z是因为第一步进行了大小写的判断,大写对于大Z,小写对应小z)

如果小于就保持不动,大于就减去26,相当于对明文进行了减去13

我们逆向的思维就是,判断大小写,给他-13看他小于当前的A不,小于就+13,不然就+13,不在字母范围内的就不管

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import os
code = 'PyvragFvqrYbtvafNerRnfl@syner-ba.pbz'
flag=""
for i in code:
	if ord(i) >=65 and ord(i) <=90:
		if ord(i)-13<65:
			flag+=chr(ord(i)+13)
		else:
			flag+=chr(ord(i)-13)
	elif ord(i) >=97 and ord(i) <=122:
		if ord(i)-13<97:
			flag+=chr(ord(i)+13)
		else:
			flag+=chr(ord(i)-13)
	else:
		flag+=i
print(flag)

[GUET-CTF2019]re

无聊题,放到现在就是真无聊,直接UPX3.6一键脱壳,接着看见加密密钥就是乘上明文对比加密后的密文是否相等

除以就行了,然后这里没有a[6]直接爆破就行了

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# -*- coding:utf-8 -*-

a1 = chr(166163712 // 1629056)
a2 = chr(731332800 // 6771600)
a3 = chr(357245568 // 3682944)
a4 = chr(1074393000 // 10431000)
a5 = chr(489211344 // 3977328)
a6 = chr(518971936 // 5138336)
a8 = chr(406741500 // 7532250)
a9 = chr(294236496 // 5551632)
a10 = chr(177305856 // 3409728)
a11 = chr(650683500 // 13013670)
a12 = chr(298351053 // 6088797)
a13 = chr(386348487 // 7884663)
a14 = chr(438258597 // 8944053)
a15 = chr(249527520 // 5198490)
a16 = chr(445362764 // 4544518)
a17 = chr(981182160 // 10115280)
a18 = chr(174988800 // 3645600)
a19 = chr(493042704 // 9667504)
a20 = chr(257493600 // 5364450)
a21 = chr(767478780 // 13464540)
a22 = chr(312840624 // 5488432)
a23 = chr(1404511500 // 14479500)
a24 = chr(316139670 // 6451830)
a25 = chr(619005024 // 6252576)
a26 = chr(372641472 // 7763364)
a27 = chr(373693320 // 7327320)
a28 = chr(498266640 // 8741520)
a29 = chr(452465676 // 8871876)
a30 = chr(208422720 // 4086720)
a31 = chr(515592000 // 9374400)
a32 = chr(719890500 // 5759124)

print (a1,a2,a3,a4,a5,a6,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a30,a31,a32)
1
2
flag{e165421110ba03099a1c039337}

[SUCTF2019]SignIn

挺好玩的一道题,就是有点依赖工具?

我们看下main函数

和师兄看过一些密码,一看就知道这个东西是rsa,这里借鉴下夏了茶糜

的rsa讲解

img

图中的C是密文,M是明文,E是公钥(E和 φ(N)互为质数),N是公共模数(质数 P 、Q相乘得到N),MOD就是模运算
解密算法:

img

由此呢我们现在知道的数据如下

1
2
3
C = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35
N = 103461035900816914121390101299049044413950405173712170434161686539878160984549
E = 65537
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char v4[16]; // [rsp+0h] [rbp-4A0h] BYREF
  char v5[16]; // [rsp+10h] [rbp-490h] BYREF
  char v6[16]; // [rsp+20h] [rbp-480h] BYREF
  char v7[16]; // [rsp+30h] [rbp-470h] BYREF
  char v8[112]; // [rsp+40h] [rbp-460h] BYREF
  char v9[1000]; // [rsp+B0h] [rbp-3F0h] BYREF
  unsigned __int64 v10; // [rsp+498h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  puts("[sign in]");
  printf("[input your flag]: ");
  __isoc99_scanf("%99s", v8);
  sub_96A(v8, v9);
  __gmpz_init_set_str(v7, "ad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35", 16LL);
  __gmpz_init_set_str(v6, v9, 16LL);
  __gmpz_init_set_str(v4, "103461035900816914121390101299049044413950405173712170434161686539878160984549", 10LL);
  __gmpz_init_set_str(v5, "65537", 10LL);
  __gmpz_powm(v6, v6, v5, v4);
  if ( (unsigned int)__gmpz_cmp(v6, v7) )
    puts("GG!");
  else
    puts("TTTTTTTTTTql!");
  return 0LL;
}

使用https://nchc.dl.sourceforge.net/project/yafu/1.34/yafu-1.34.zip yafu工具去分解N得到p 和 q

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
C:\Users\20138\Desktop\yafu-1.34>yafu-x64.exe
factor(103461035900816914121390101299049044413950405173712170434161686539878160984549)


fac: factoring 103461035900816914121390101299049044413950405173712170434161686539878160984549
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C78
rho: x^2 + 2, starting 1000 iterations on C78
rho: x^2 + 1, starting 1000 iterations on C78
pm1: starting B1 = 150K, B2 = gmp-ecm default on C78
ecm: 30/30 curves on C78, B1=2K, B2=gmp-ecm default
ecm: 74/74 curves on C78, B1=11K, B2=gmp-ecm default
ecm: 161/161 curves on C78, B1=50K, B2=gmp-ecm default, ETA: 0 sec

starting SIQS on c78: 103461035900816914121390101299049044413950405173712170434161686539878160984549

==== sieving in progress (1 thread):   36224 relations needed ====
====           Press ctrl-c to abort and save state           ====
36319 rels found: 18931 full + 17388 from 186289 partial, (2607.49 rels/sec)

SIQS elapsed time = 79.8481 seconds.
Total factoring time = 93.8713 seconds


***factors found***

P39 = 366669102002966856876605669837014229419
P39 = 282164587459512124844245113950593348271

ans = 1

之后直接用Python的gmpy2模块解密就行了

现在我们有了P、Q和E,我们就可以计算出欧拉函数,然后我们就可以通过欧拉函数φ(N)和公钥E计算出私钥D。
使用python的gmpy2库计算私钥。(E * D % φ(N) = 1)

1
2
d = gmpy2.invert(e,(p-1)*(q-1))
d = 91646299298871237857836940212608056141193465208586711901499120163393577626813

计算出私钥d后我们就可以对密文C进行解密,解密算法是(密文C的私钥D次方对公共模数N取余)
使用python的gmpy2库计算明文

1
m = gmpy2.powmod(c,d,n)

得到

1
m = 185534734614696481020381637136165435809958101675798337848243069

把m转为字符串即可!
解密脚本

1
2
3
4
5
6
7
8
9
10
11
import gmpy2
import binascii

p = 282164587459512124844245113950593348271
q = 366669102002966856876605669837014229419
c = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35
n = 103461035900816914121390101299049044413950405173712170434161686539878160984549
e = 65537
d = gmpy2.invert(e,(p-1)*(q-1))
m = gmpy2.powmod(c,d,n)
print(binascii.unhexlify(hex(m)[2:]).decode(encoding="utf-8"))
1
suctf{Pwn_@_hundred_years}

Youngter-drive

upx壳子直接老样子upx3.6解开,去看main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  HANDLE v4; // [esp+D0h] [ebp-14h]
  HANDLE hObject; // [esp+DCh] [ebp-8h]

  j_getflag();
  ::hObject = CreateMutexW(0, 0, 0);
  j_strcpy(Destination, Source);
  hObject = CreateThread(0, 0, StartAddress, 0, 0, 0);//线程1
  v4 = CreateThread(0, 0, j_fork2, 0, 0, 0);//线程2
  CloseHandle(hObject);//close 1
  CloseHandle(v4);//close 2
  while ( dword_418008 != -1 )
    ;
  j_result();
  CloseHandle(::hObject);
  return 0;
}

我们跟进线程1去康康

发现他会对数据进行加密操作,我们去康康怎么加密的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
void __stdcall StartAddress_0(int a1)
{
  while ( 1 )
  {
    WaitForSingleObject(hObject, 0xFFFFFFFF);
    if ( dword_418008 > -1 )
    {
      j_en((int)Source, dword_418008);
      --dword_418008;
      Sleep(0x64u);
    }
    ReleaseMutex(hObject);
  }
}

如下,不难发现先做了次字母判断,然后判断大小写,大写字母的明文加密如下

a2 + a1代表的就是明文,off_418000是密钥

*(_BYTE )(a2 + a1) =off_418000[0][(char *)(a2 + a1) - 38];这部分加密的意思就是

将密钥中的[0][明文-38]对应的字符当成密文,小写字母同理。

那么逆向思维下就是大写字母加38小写字母加96算法简直是一模一样的=-=

但是坑爹的在后面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
// positive sp value has been detected, the output may be wrong!
char *__cdecl en(int a1, int a2)
{
  char *result; // eax
  char v3; // [esp+D3h] [ebp-5h]

  v3 = *(_BYTE *)(a2 + a1);
  if ( (v3 < 97 || v3 > 122) && (v3 < 65 || v3 > 90) )
    exit(0);
  if ( v3 < 97 || v3 > 122 )
  {
    result = off_418000[0];
    *(_BYTE *)(a2 + a1) = off_418000[0][*(char *)(a2 + a1) - 38];
  }
  else
  {
    result = off_418000[0];
    *(_BYTE *)(a2 + a1) = off_418000[0][*(char *)(a2 + a1) - 96];
  }
  return result;
}

我们刚才说了有两个线程

相当于主线程分开两部分指向,线程1结束执行线程2,我们还要去康康线程2干嘛了

并没对数据进行处理只是dword_418008-1,线程1也有。

1
2
3
4
5
6
7
8
9
10
11
12
13
void __stdcall fork2(int a1)
{
  while ( 1 )
  {
    WaitForSingleObject(hObject, 0xFFFFFFFF);
    if ( dword_418008 > -1 )
    {
      Sleep(0x64u);
      --dword_418008;
    }
    ReleaseMutex(hObject);
  }
}

回到主函数看如果dword_418008减到0了就会结束整个程序。

意思很明确了,对于明文加密,明文当成数组,奇数位置的就加密,偶数位置不变,由此exp如下

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
flagpart = 'TOiZiZtOrYaToUwPnToBsOaOapsyS'
flagrange = 'QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'
flag = ''
for i in range(len(flagpart)):
    if i % 2 == 0:
        flag += flagpart[i]
    else:
        if flagpart[i].isupper():
            flag += chr(flagrange.find(flagpart[i]) + 96)
        else:
            flag += chr(flagrange.find(flagpart[i]) + 38)

print(flag)

[WUSTCTF2020]level1

给了加密结果,加密方法在main

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-2Ch]
  FILE *stream; // [rsp+8h] [rbp-28h]
  char ptr[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v7; // [rsp+28h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  stream = fopen("flag", "r");
  fread(ptr, 1uLL, 0x14uLL, stream);
  fclose(stream);
  for ( i = 1; i <= 19; ++i )
  {
    if ( (i & 1) != 0 )
      printf("%ld\n", (unsigned int)(ptr[i] << i));
    else
      printf("%ld\n", (unsigned int)(i * ptr[i]));
  }
  return 0;
}

直接把左移改右移,*改成/就行了

exp如下

exp

1
2
3
4
5
6
7
8
9
a = [198,232,816,200,1536,300,6144,984,51200,570,92160,1200,565248,756,1474560,800,6291456,1782,65536000]

for i in range(19):
    if ((i+1) & 1):
        print(chr(a[i] >> (i+1)),end="")
    else:
        print (chr(a[i] // (i+1)),end="")


[ACTF新生赛2020]usualCrypt

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // esi
  int result; // eax
  int v5[3]; // [esp+8h] [ebp-74h] BYREF
  __int16 v6; // [esp+14h] [ebp-68h]
  char v7; // [esp+16h] [ebp-66h]
  char v8[100]; // [esp+18h] [ebp-64h] BYREF

  sub_403CF8(&unk_40E140);
  scanf("%s", v8);
  v5[0] = 0;
  v5[1] = 0;
  v5[2] = 0;
  v6 = 0;
  v7 = 0;
  magicbase64(v8, strlen(v8), v5);
  v3 = 0;
  while ( *((_BYTE *)v5 + v3) == byte_40E0E4[v3] )
  {
    if ( ++v3 > strlen((const char *)v5) )
      goto LABEL_6;
  }
  sub_403CF8(aError);
LABEL_6:
  if ( v3 - 1 == strlen(byte_40E0E4) )
    result = sub_403CF8(aAreYouHappyYes);
  else
    result = sub_403CF8(aAreYouHappyNo);
  return result;
}

魔改base64加密如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
int __cdecl magicbase64(int a1, int a2, int a3)
{
  int v3; // edi
  int v4; // esi
  int v5; // edx
  int v6; // eax
  int v7; // ecx
  int v8; // esi
  int v9; // esi
  int v10; // esi
  int v11; // esi
  _BYTE *v12; // ecx
  int v13; // esi
  int v15; // [esp+18h] [ebp+8h]

  v3 = 0;
  v4 = 0;
  magic();
  v5 = a2 % 3;
  v6 = a1;
  v7 = a2 - a2 % 3;
  v15 = a2 % 3;
  if ( v7 > 0 )
  {
    do
    {
      LOBYTE(v5) = *(_BYTE *)(a1 + v3);
      v3 += 3;
      v8 = v4 + 1;
      *(_BYTE *)(v8 + a3 - 1) = byte_40E0A0[(v5 >> 2) & 0x3F];
      *(_BYTE *)(++v8 + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(a1 + v3 - 3) & 3)
                                            + (((int)*(unsigned __int8 *)(a1 + v3 - 2) >> 4) & 0xF)];
      *(_BYTE *)(++v8 + a3 - 1) = byte_40E0A0[4 * (*(_BYTE *)(a1 + v3 - 2) & 0xF)
                                            + (((int)*(unsigned __int8 *)(a1 + v3 - 1) >> 6) & 3)];
      v5 = *(_BYTE *)(a1 + v3 - 1) & 0x3F;
      v4 = v8 + 1;
      *(_BYTE *)(v4 + a3 - 1) = byte_40E0A0[v5];
    }
    while ( v3 < v7 );
    v5 = v15;
  }
  if ( v5 == 1 )
  {
    LOBYTE(v7) = *(_BYTE *)(v3 + a1);
    v9 = v4 + 1;
    *(_BYTE *)(v9 + a3 - 1) = byte_40E0A0[(v7 >> 2) & 0x3F];
    v10 = v9 + 1;
    *(_BYTE *)(v10 + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(v3 + a1) & 3)];
    *(_BYTE *)(v10 + a3) = 61;
LABEL_8:
    v13 = v10 + 1;
    *(_BYTE *)(v13 + a3) = 61;
    v4 = v13 + 1;
    goto LABEL_9;
  }
  if ( v5 == 2 )
  {
    v11 = v4 + 1;
    *(_BYTE *)(v11 + a3 - 1) = byte_40E0A0[((int)*(unsigned __int8 *)(v3 + a1) >> 2) & 0x3F];
    v12 = (_BYTE *)(v3 + a1 + 1);
    LOBYTE(v6) = *v12;
    v10 = v11 + 1;
    *(_BYTE *)(v10 + a3 - 1) = byte_40E0A0[16 * (*(_BYTE *)(v3 + a1) & 3) + ((v6 >> 4) & 0xF)];
    *(_BYTE *)(v10 + a3) = byte_40E0A0[4 * (*v12 & 0xF)];
    goto LABEL_8;
  }
LABEL_9:
  *(_BYTE *)(v4 + a3) = 0;
  return big_to_small((const char *)a3);
}

magic函数里面就是对base64置换表中从6-15进行的一个替换,从ida可以看出偏移是10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
.data:0040E0A0 byte_40E0A0     db 41h                  ; DATA XREF: magic:loc_401005↑r
.data:0040E0A0                                         ; magic+17↑w ...
.data:0040E0A1                 db  42h ; B
.data:0040E0A2                 db  43h ; C
.data:0040E0A3                 db  44h ; D
.data:0040E0A4                 db  45h ; E
.data:0040E0A5                 db  46h ; F
.data:0040E0A6                 db  47h ; G
.data:0040E0A7                 db  48h ; H
.data:0040E0A8                 db  49h ; I
.data:0040E0A9                 db  4Ah ; J
.data:0040E0AA ; char byte_40E0AA[]
.data:0040E0AA byte_40E0AA     db 4Bh                  ; DATA XREF: magic+B↑r
.data:0040E0AA                                         ; magic+11↑w
.data:0040E0AB aLmnopqrstuvwxy db 'LMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0

A0-AA刚好10个,然后最后的big_to_small就是个普通的大小写置换

其他中间一大串就是base64加密

我们捋下逆向思路,首先把加密结果给进行大小写转化,其次进行简单的temp操作得到魔改置换表,

接着通过魔改置换表和密文得到正常的base64,最后直接解base64

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#coding=utf-8
import base64
secret = 'zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9'.swapcase() #大小写转换
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
dict = {}
offset = 10
flag = ''
for i in range(len(a)):
	dict[a[i]]=a[i]
for i in range(6,15):
	b=dict[a[i]]
	dict[a[i]]=dict[a[i+offset]]
	dict[a[i+offset]]=b
for i in range(len(secret)):
    flag += dict[secret[i]]
flag = base64.b64decode(flag)
print(flag)

[MRCTF2020]Transform

简单题,直接一把梭哈,就是ida7.5毛病真的是字符串提取贼麻烦

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[104]; // [rsp+20h] [rbp-70h] BYREF
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]

  sub_402230(argc, argv, envp);
  printf("Give me your code:\n");
  scanf("%s", Str);
  if ( strlen(Str) != 33 )
  {
    printf("Wrong!\n");
    system("pause");
    exit(0);
  }
  for ( i = 0; i <= 32; ++i )
  {
    enstr[i] = Str[key[i]];
    enstr[i] ^= LOBYTE(key[i]);
  }
  for ( j = 0; j <= 32; ++j )
  {
    if ( flag[j] != enstr[j] )
    {
      printf("Wrong!\n");
      system("pause");
      exit(0);
    }
  }
  printf("Right!Good Job!\n");
  printf("Here is your flag: %s\n", Str);
  system("pause");
  return 0;
}

第一步将加密结果保存为输入的字符串中密钥所表达的ASCII表代表的位置

第二步去和密钥异或,这样直接倒过来getflag

exp

1
2
3
4
5
6
7
8
9
key = [0x9, 0x0A, 0x0F, 0x17, 0x7, 0x18, 0x0C, 0x6, 0x1, 0x10, 0x3, 0x11, 0x20, 0x1D, 0x0B, 0x1E, 0x1B, 0x16, 0x4, 0x0D, 0x13, 0x14, 0x15, 0x2, 0x19, 0x5, 0x1F, 0x8, 0x12, 0x1A, 0x1C, 0x0E, 0]
enflag= [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D]
flag=[0]*33
for i in range(len(key)):
  enflag[i]^=key[i]
for i in range(len(key)):
  flag[key[i]]=enflag[i]
for i in range(len(key)):
  print(chr(flag[i]),end="")

[GWCTF 2019]xxor

看见这个题说来惭愧,自己出了道re难度偏难包含魔改凯撒,魔改rc4,魔改xtea算法,看见这里有tea算法就很激动,忽略了非常多的细节,还是要注意一点,逆向要有大局观!!!!!!!!!!!!

我们来看看这个程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [rsp+8h] [rbp-68h]
  int j; // [rsp+Ch] [rbp-64h]
  __int64 v6[6]; // [rsp+10h] [rbp-60h] BYREF
  __int64 v7[6]; // [rsp+40h] [rbp-30h] BYREF

  v7[5] = __readfsqword(0x28u);
  puts("Let us play a game?");
  puts("you have six chances to input");
  puts("Come on!");
  v6[0] = 0LL;
  v6[1] = 0LL;
  v6[2] = 0LL;
  v6[3] = 0LL;
  v6[4] = 0LL;
  for ( i = 0; i <= 5; ++i )
  {
    printf("%s", "input: ");
    __isoc99_scanf("%d", (char *)v6 + 4 * i);
  }
  v7[0] = 0LL;
  v7[1] = 0LL;
  v7[2] = 0LL;
  v7[3] = 0LL;
  v7[4] = 0LL;
  for ( j = 0; j <= 2; ++j )
  {
    dword_601078 = v6[j];
    dword_60107C = HIDWORD(v6[j]);
    tea((unsigned int *)&dword_601078, dword_601060);
    LODWORD(v7[j]) = dword_601078;
    HIDWORD(v7[j]) = dword_60107C;
  }
  if ( (unsigned int)confirm(v7) != 1 )
  {
    puts("NO NO NO~ ");
    exit(0);
  }
  puts("Congratulation!\n");
  puts("You seccess half\n");
  puts("Do not forget to change input to hex and combine~\n");
  puts("ByeBye");
  return 0LL;
}

我已经patch好了变量名,一目了然该干嘛干嘛,其实这题挺简单的,

我们先顺着来,输入明文,进行两次加密,其中每一次加密过程如下

取明文的下标j进行加密,其中601060存放的是密钥。

由此推测被加密的数据是明文的1,2。我们去康康这个tea算法怎么玩的。

tea

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
__int64 __fastcall tea(unsigned int *a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int v3; // [rsp+1Ch] [rbp-24h]
  unsigned int v4; // [rsp+20h] [rbp-20h]
  int v5; // [rsp+24h] [rbp-1Ch]
  unsigned int i; // [rsp+28h] [rbp-18h]

  v3 = *a1;
  v4 = a1[1];
  v5 = 0;
  for ( i = 0; i <= 63; ++i )
  {
    v5 += 0x458BCD42;
    v3 += (v4 + v5 + 11) ^ ((v4 << 6) + *a2) ^ ((v4 >> 9) + a2[1]) ^ 0x20;
    v4 += (v3 + v5 + 20) ^ ((v3 << 6) + a2[2]) ^ ((v3 >> 9) + a2[3]) ^ 0x10;
  }
  *a1 = v3;
  result = v4;
  a1[1] = v4;
  return result;
}

关键点在for那,就是个tea算法。

我们去看confirm函数

confirm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
__int64 __fastcall confirm(_DWORD *a1)
{
  __int64 result; // rax

  if ( a1[2] - a1[3] == 2225223423LL
    && a1[3] + a1[4] == 4201428739LL
    && a1[2] - a1[4] == 1121399208LL
    && *a1 == 3746099070
    && a1[5] == 2230518816
    && a1[1] == 550153460 )
  {
    puts("good!");
    result = 1LL;
  }
  else
  {
    puts("Wrong!");
    result = 0LL;
  }
  return result;
}

加密后的数据全在这里了。

那么现在开始逆向分析推导

第一步进行逆向tea算法

第二步输出

这里的关键会在脚本中标注

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdio.h>

int main()
{
    unsigned int a1[]={0,0,0,0,0,0};
    a1[0]=0xDF48EF7E;
    a1[5]=0x84F30420;
    a1[1]=0x20CAACF4;
    a1[3]=(0x42D731A8-0x84A236FF+0xFA6CB703)/2;
    a1[4]=0xFA6CB703-a1[3];
    a1[2]=a1[3]+0x84A236FF;
	int i = 0,j=0;
    int temp[2] = {0};
	int data[4] = { 2,2,3,4 };

	for (i = 0; i < =2; ++1)
	{
		unsigned int v3 = a1[i];
		unsigned int v4 = a1[i + 1];/*v3,v4的值为什么是这个v3 = *a1;
  v4 = a1[1];从这两个在tea函数中的变量可知*/

		long long v5 = 0x458BCD42 * 64;//总共加密了64次所以逆向的时候他其实是64倍
		for ( j = 0; j < 64; j++)
		{
			v4 -= (v3 + v5 + 20) ^ ((v3 << 6) + 3) ^ ((v3 >> 9) + 4) ^ 0x10;
			v3 -= (v4 + v5 + 11) ^ ((v4 << 6) + 2) ^ ((v4 >> 9) + 2) ^ 0x20;
			v5 -= 0x458BCD42;
		}
		a1[i] = v3;
		a1[i + 1] = v4;//每次解密后让密文的值更改为明文。
	}
	for (i = 0; i < 6; i++)
		printf("%c%c%c", *((char*)&a1[i]+2), *((char*)&a1[i] + 1), *(char*)&a1[i]);
}

[MRCTF2020]Xor

easy

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int i; // eax

  printf((int)"Give Me Your Flag String:\n");
  scanf("%s", byte_4212C0);
  if ( strlen(byte_4212C0) != 27 )
  {
LABEL_6:
    printf((int)"Wrong!\n");
    system("pause");
    _loaddll(0);
    __debugbreak();                            
  }
  for ( i = 0; i < 27; ++i )
  {
    if ( ((unsigned __int8)i ^ (unsigned __int8)byte_4212C0[i]) != byte_41EA08[i] )
      goto LABEL_6;
  }
  printf((int)"Right!\n");
  system("pause");
  return 0;
}

直接异或搞定

exp

1
2
3
4
5
6
import os
en='MSAWB~FXZ:J:`tQJ"N@ bpdd}8g'
flag=''
for i in range(len(en)):
	flag+=chr(i^ord(en[i]))
print((flag),end="")

[FlareOn4]IgniteMe

好题目我很喜欢。又增强了我的逆向思维,以及win下的初次动调(其实献给了IOT)

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
void __noreturn start()
{
  DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h] BYREF

  NumberOfBytesWritten = 0;
  hFile = GetStdHandle(0xFFFFFFF6);
  dword_403074 = GetStdHandle(0xFFFFFFF5);
  WriteFile(dword_403074, giveme, 0x13u, &NumberOfBytesWritten, 0);
  sub_4010F0(NumberOfBytesWritten);
  if ( en() )
    WriteFile(dword_403074, aG00dJ0b, 0xAu, &NumberOfBytesWritten, 0);
  else
    WriteFile(dword_403074, aN0tT00H0tRWe7r, 0x24u, &NumberOfBytesWritten, 0);
  ExitProcess(0);
}

没什么好说的直接单刀直入加密函数en

en

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
int sub_401050()
{
  int v1; // [esp+0h] [ebp-Ch]
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]
  char v4; // [esp+Bh] [ebp-1h]

  v1 = sub_401020((int)byte_403078);
  v4 = sub_401000();
  for ( i = v1 - 1; i >= 0; --i )
  {
    byte_403180[i] = v4 ^ byte_403078[i];
    v4 = byte_403078[i];
  }
  for ( j = 0; j < 39; ++j )
  {
    if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
      return 0;
  }
  return 1;
}

403180作为我们的一个密文保存,403078是明文的输入保存,虽然从程序来看,v1好像是无限的其实我们看下面就知道

真实的值是39,继续看那个v4(大病,忘记了可以动态调试看内存,pwn玩的熟悉的东西反而没带过来,惭愧)

我们在汇编

1
.text:0040106B                 mov     [ebp+var_1], al

此处下断点,var_1就是v4不懂汇编的自己回去补去

结果发现是4。

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
# -*- coding:utf-8 -*-

arr2 = [0x0D,0x26,0x49,0x45,0x2A,0x17,0x78,0x44,0x2B,0x6C,0x5D,0x5E,0x45,0x12,0x2F,0x17,
0x2B,0x44,0x6F,0x6E,0x56,0x09,0x5F,0x45,0x47,0x73,0x26,0x0A,0x0D,0x13,0x17,0x48,
0x42,0x01,0x40,0x4D,0x0C,0x02,0x69]

arr1 = []
v4 = 4
for i in range(len(arr2)-1,-1,-1):
    arr1.append(arr2[i] ^ v4)
    v4 = arr1[-1]
for i in range(len(arr2)-1,-1,-1):
	print (chr(arr1[i]),end="")

[WUSTCTF2020]level3

base64置换表更改的

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
int __cdecl main(int argc, const char **argv, const char **envp)
{
  const char *v3; // rax
  char v5; // [rsp+Fh] [rbp-41h]
  char v6[56]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v7; // [rsp+48h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  printf("Try my base64 program?.....\n>");
  __isoc99_scanf("%20s", v6);
  v5 = time(0LL);
  srand(v5);
  if ( (rand() & 1) != 0 )
  {
    v3 = (const char *)base64_encode(v6);
    puts(v3);
    puts("Is there something wrong?");
  }
  else
  {
    puts("Sorry I think it's not prepared yet....");
    puts("And I get a strange string from my program which is different from the standard base64:");
    puts("d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD==");
    puts("What's wrong??");
  }
  return 0;
}

可以看见密文在最后面,我们发了个骚东西O_OLookAtYou

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
__int64 O_OLookAtYou()
{
  __int64 result; // rax
  char v1; // [rsp+1h] [rbp-5h]
  int i; // [rsp+2h] [rbp-4h]

  for ( i = 0; i <= 9; ++i )
  {
    v1 = base64_table[i];
    base64_table[i] = base64_table[19 - i];
    result = 19 - i;
    base64_table[result] = v1;
  }
  return result;
}

这个函数就是对置换表进行魔改的,用人话表示就是这样的

table[i],table[19-i]=table[19-i],table[i]

置换得到正常的表后就可以进行骚操作

Python永远滴神吹爆

maketrans()方法的作用就是起到自定义字符串替换的效果,这样就省去了脚本寻找的代码编写时间

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
import base64
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
model = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
s = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="

for i in range(10):
    model[i], model[19-i] = model[19-i], model[i]

model = ''.join(model)

table = str.maketrans(model, table)
print (base64.b64decode(s.translate(table)))

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.

扫一扫,分享到微信

微信分享二维码
  • Copyrights © 2021-2023 H.greed
  • Visitors: | Views:

请我喝杯咖啡吧~

支付宝
微信