逆向题解集

2020-03-10

寒假作业

记录一下寒假做的题
以后看看可能还会有新的收获

ADWorld

1.Hello, CTF

拖入IDA得到

int __cdecl main(int argc, const char **argv, const char **envp)
{
  signed int v3; // ebx
  char v4; // al
  int result; // eax
  int v6; // [esp+0h] [ebp-70h]
  int v7; // [esp+0h] [ebp-70h]
  char v8; // [esp+12h] [ebp-5Eh]
  char v9[20]; // [esp+14h] [ebp-5Ch]
  char v10; // [esp+28h] [ebp-48h]
  __int16 v11; // [esp+48h] [ebp-28h]
  char v12; // [esp+4Ah] [ebp-26h]
  char v13; // [esp+4Ch] [ebp-24h]

  strcpy(&v13, "437261636b4d654a757374466f7246756e");
  while ( 1 )
  {
    memset(&v10, 0, 0x20u);
    v11 = 0;
    v12 = 0;
    sub_40134B((int)aPleaseInputYou, v6);
    scanf(aS, v9);
    if ( strlen(v9) > 0x11 )
      break;
    v3 = 0;
    do
    {
      v4 = v9[v3];
      if ( !v4 )
        break;
      sprintf(&v8, asc_408044, v4);
      strcat(&v10, &v8);
      ++v3;
    }
    while ( v3 < 17 );
    
    if ( !strcmp(&v10, &v13) )
      sub_40134B((int)aSuccess, v7);
    else
      sub_40134B((int)aWrong, v7);
  }
  sub_40134B((int)aWrong, v7);
  result = stru_408090._cnt-- - 1;
  if ( stru_408090._cnt < 0 )
    return _filbuf(&stru_408090);
  ++stru_408090._ptr;
  return result;
}

其中：

aS即”%s”

asc_408044即”%x”

且输入的字符串长度不超过17

do—while循环中，把输入的v9转化为16进制，最后与v13比较，若相等则成功

故将”437261636b4d654a757374466f7246756e”转为字符串则为flag

flag为：CrackMeJustForFun

2.Getit

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v3; // al
  __int64 v5; // [rsp+0h] [rbp-40h]
  int i; // [rsp+4h] [rbp-3Ch]
  FILE *stream; // [rsp+8h] [rbp-38h]
  char filename[8]; // [rsp+10h] [rbp-30h]
  unsigned __int64 v9; // [rsp+28h] [rbp-18h]

  v9 = __readfsqword(0x28u);
  LODWORD(v5) = 0;
  while ( (signed int)v5 < strlen(s) )
  {
    if ( v5 & 1 )
      v3 = 1;
    else
      v3 = -1;
    *(&t + (signed int)v5 + 10) = s[(signed int)v5] + v3;
    LODWORD(v5) = v5 + 1;
  }
  strcpy(filename, "/tmp/flag.txt");
  stream = fopen(filename, "w");
  fprintf(stream, "%s\n", u, v5);
  for ( i = 0; i < strlen(&t); ++i )
  {
    fseek(stream, p[i], 0);
    fputc(*(&t + p[i]), stream);
    fseek(stream, 0LL, 0);
    fprintf(stream, "%s\n", u);
  }
  fclose(stream);
  remove(filename);
  return 0;
}

其中：

public s

.data:00000000006010A0 ; char s[]
.data:00000000006010A0 s               db 'c61b68366edeb7bdce3c6820314b7498',0
.data:00000000006010A0                                         ; DATA XREF: main+25↑o
.data:00000000006010A0                                         ; main+3F↑r
.data:00000000006010C1                 align 20h
.data:00000000006010E0                 public t
.data:00000000006010E0 ; char t
.data:00000000006010E0 t               db 53h                  ; DATA XREF: main+65↑w
.data:00000000006010E0                                         ; main+C9↑o ...
.data:00000000006010E1 aHarifctf       db 'harifCTF{????????????????????????????????}',0
.data:000000000060110C                 align 20h
.data:0000000000601120                 public u
.data:0000000000601120 u               db '*******************************************',0
.data:0000000000601120                                         ; DATA XREF: main+A5↑o
.data:0000000000601120                                         ; main+13F↑o
.data:000000000060114C                 align 20h

s是’c61b68366edeb7bdce3c6820314b7498’ 长度为32

本来以为t是’harifCTF{????????????????????????????????}’，后来发现这样的话+10取到的就不对了，才发现上面还有个53h，试试看0x53转字符变成S，发现对了，所以t是’SharifCTF{????????????????????????????????}’ ?个数也是32

查到LOWORD是取低4位，后面又取signed int, 那是不是基本上就是int v5=0……

所以截取中间生成flag的片段

#include<stdio.h>
#include<string.h>
int main(void)
{
    char v3;
    long v5;
    char s[] = "c61b68366edeb7bdce3c6820314b7498";
    char t[] = "SharifCTF{????????????????????????????????}";

    v5 = 0;
    while (v5 < strlen(s)) {
        if (v5 & 1)
            v3 = 1;
        else
            v3 = -1;
        *(t + v5 + 10) = s[v5] + v3;
        v5++;
    }
    printf("%s", t);

    return 0;
}

flag为：SharifCTF{b70c59275fcfa8aebf2d5911223c6589}

3.insanity

拖进IDA

看常量的值，发现flag

flag为：9447{This_is_a_flag}

4.simple-unpack

题目说了加壳，拖到Exeinfo PE里，得到

Detected UPX! packer - http://upx.sf.net -> try unpack with “upx.exe -d” from http://upx.sf.net

然后upx unpacker脱不了？？大概又是文件问题

notepad打开，搜，找到

flag为:flag{Upx_1s_n0t_a_d3liv3r_c0mp4ny}

5.py-trade

用在线工具反编译pyc文件

得到

#!/usr/bin/env python
# encoding: utf-8
# 如果觉得不错，可以推荐给你的朋友！http://tool.lu/pyc
import base64

def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    
    return base64.b64encode(s)

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'
import base64

def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    
    return base64.b64encode(s)

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'

先把correct用base64解密

import base64
em='XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
em=base64.b64decode(em.encode('utf-8'))
print(em)

得到em为b’^SdVkT#S ]`Y\!^)\x8f\x80ism’，查到b是byte的意思，去掉再逆向操作

em='^SdVkT#S ]`Y\\!^)\x8f\x80ism'
s=''
for i in em:
	x=ord(str(i))-16
	x=x^32
	x=chr(x)
	s+=x
print (s)

flag为：nctf{d3c0mpil1n9_PyC}

6.logmein

拖入IDA得到

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  size_t v3; // rsi
  int i; // [rsp+3Ch] [rbp-54h]
  char s[36]; // [rsp+40h] [rbp-50h]
  int v6; // [rsp+64h] [rbp-2Ch]
  __int64 v7; // [rsp+68h] [rbp-28h]
  char v8[8]; // [rsp+70h] [rbp-20h]
  int v9; // [rsp+8Ch] [rbp-4h]

  v9 = 0;
  strcpy(v8, ":\"AL_RT^L*.?+6/46");
  v7 = 'ebmarah';
  v6 = 7;
  printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
  printf("To continue, you must enter the correct password.\n");
  printf("Enter your guess: ");
  __isoc99_scanf("%32s", s);
  v3 = strlen(s);
  if ( v3 < strlen(v8) )
    sub_4007C0();//结束
  for ( i = 0; i < strlen(s); ++i )
  {
    if ( i >= strlen(v8) )
      sub_4007C0();
    if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
      sub_4007C0();
  }
  sub_4007F0();
}

截取生成flag片段运行

#include <stdio.h>
#include <string.h>

int main() {
    unsigned int i;
    char v8[18] = ":\"AL_RT^L*.?+6/46";
    __int64 v7 = 28537194573619560;
    int v6 = 7;
	char s[18] = "";
    for (i = 0; i < strlen(v8); ++i) {
        s[i] = (char)(*((unsigned char*)&v7 + i % v6)^v8[i]);
    }
	printf("%s\n", s);
    return 0;
}

flag为：RC3-2016-XORISGUD

7.no-string-attached

查壳，没壳，ELF。拖入IDA，找到真正的程序和存flag的s2

void authenticate()
{
  int ws[8192]; // [esp+1Ch] [ebp-800Ch]
  wchar_t *s2; // [esp+801Ch] [ebp-Ch]

  s2 = decrypt(&s, &dword_8048A90);
  if ( fgetws(ws, 0x2000, stdin) )
  {
    ws[wcslen(ws) - 1] = 0;
    if ( !wcscmp(ws, s2) )
      wprintf(&unk_8048B44);
    else
      wprintf(&unk_8048BA4);
  }
  free(s2);

s2由decrypt生成，但参数很繁琐，本来想用gdb调，搞了半天一直出错，请教了fdgg，原来是文件问题……

那就只能硬逆了

wchar_t *__cdecl decrypt(wchar_t *s, wchar_t *a2)
{
  size_t v2; // eax
  signed int v4; // [esp+1Ch] [ebp-1Ch]
  signed int i; // [esp+20h] [ebp-18h]
  signed int v6; // [esp+24h] [ebp-14h]
  signed int v7; // [esp+28h] [ebp-10h]
  wchar_t *dest; // [esp+2Ch] [ebp-Ch]

  v6 = wcslen(s);
  v7 = wcslen(a2);
  v2 = wcslen(s);
  dest = (wchar_t *)malloc(v2 + 1);
  wcscpy(dest, s);
  while ( v4 < v6 )
  {
    for ( i = 0; i < v7 && v4 < v6; ++i )
      dest[v4++] -= a2[i];
  }
  return dest;
}

到Hex-View1页面读取参数的值

1
2

a=[1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5]
dest=[0x3A,0X36,0X37,0X3B,0X80,0X7A,0X71,0X78,0X63,0X66,0X73,0X67,0X62,0X65,0X73,0X60,0X6B,0X71,0X78,0X6A,0X73,0X70,0X64,0X78,0X6E,0X70,0X70,0X64,0X70,0X64,0X6E,0X7B,0X76,0X78,0X6A,0X73,0X7B,0X80]

写脚本，逆一下

a=[1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5,1,2,3,4,5]
dest=[0x3A,0X36,0X37,0X3B,0X80,0X7A,0X71,0X78,0X63,0X66,0X73,0X67,0X62,0X65,0X73,0X60,0X6B,0X71,0X78,0X6A,0X73,0X70,0X64,0X78,0X6E,0X70,0X70,0X64,0X70,0X64,0X6E,0X7B,0X76,0X78,0X6A,0X73,0X7B,0X80]
len_d=len(dest)
len_a=len(a)
#print("lena:",len_a,"\n")
for i in range(0,len_d):
		dest[i]=int(dest[i])
		#print(chr(dest[i]),end='')
#print("\nlendest:",len_d,"\n")
for i in range(0,len_d):
		dest[i]=int(dest[i])-a[i]
		print(chr(dest[i]),end='')

flag为:9447{you_are_an_international_mystery}

BugKu

8.Easy_vb

拖入IDA，发现MCTF{N3t_Rev_1s_E4ay}

但是不符合格式，改一下格式，得到flag

flag为：flag{N3t_Rev_1s_E4ay}

9.逆向入门

拖入Exeinfo PE发现不是pe或elf文件

用notepad打开，发现文件头为

1	data:image/png;base64,……

复制到浏览器打开得到二维码，扫描得到flag

flag为： bugku{inde_9882ihsd8-0}

10.love

拖入Exeinfo PE，没壳，拖入IDA

找到真正的主函数

__int64 __usercall main_0@<edx:eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
{
  int v3; // eax
  const char *v4; // eax
  size_t v5; // eax
  int v6; // edx
  __int64 v7; // ST08_8
  signed int j; // [esp+DCh] [ebp-ACh]
  signed int i; // [esp+E8h] [ebp-A0h]
  signed int v11; // [esp+E8h] [ebp-A0h]
  char Dest[108]; // [esp+F4h] [ebp-94h]
  char Str; // [esp+160h] [ebp-28h]
  char v14; // [esp+17Ch] [ebp-Ch]

  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure(a1, a2, a3);
    Dest[i] = 0;
  }
  sub_41132F("please enter the flag:");
  sub_411375("%20s", &Str);
  v3 = j_strlen(&Str);
  v4 = (const char *)sub_4110BE((int)&Str, v3, (int)&v14);
  strncpy(Dest, v4, 0x28u);
  v11 = j_strlen(Dest);
  for ( j = 0; j < v11; ++j )
    Dest[j] += j;
  v5 = j_strlen(Dest);
  if ( !strncmp(Dest, Str2, v5) )
    sub_41132F("rigth flag!\n");
  else
    sub_41132F("wrong flag!\n");
  HIDWORD(v7) = v6;
  LODWORD(v7) = 0;
  return v7;
}

对正确的flag进行操作后会得到Str2：‘e3nifIH9b_C@n@dH’

同时在常量的地方看到

.text:004158B8 dd offset aBase64input ; “base64input”

很长的的那个sub_4110BE()应该就是base64加密。所以对flag进行的操作是加密后+j，逆向一下

import base64
str='e3nifIH9b_C@n@dH'
s=''
for i in range(len(str)):
	x=ord(str[i])-i
	x=chr(x)
	s+=x
s=base64.b64decode(s.encode('utf-8'))
print (s)

flag为：flag{i_l0ve_you}

11.Easy_Re

在常量中找到flag，逆向输出

flag为:DUTCTF{We1c0met0DUTCTF}

12.不好用的CE

查壳，没壳32位，拖入IDA，F5……没用。虽然题目叫CE但是不会用只好用OD试试看……

拖入OD，查中文字符串，看到嫌疑人

DeZmqMUhRcP8NgJgzLPdXa

看着像base64，结果不是。百度发现是base58

flag为： flag{c1icktimes}

13.linux

解压，notepad打开，搜索’{‘得到flag

flag为:key{feb81d3834e2423c9903f4755464060b}

14.Mountain climbing

运行之和根据提示，是要得出能获得最高分数的输入

查壳，upx壳，脱壳。拖入IDA

__int64 __cdecl main_0()
{
  int v0; // edx
  __int64 v1; // ST04_8
  char v3; // [esp+0h] [ebp-160h]
  int v4; // [esp+D0h] [ebp-90h]
  int j; // [esp+DCh] [ebp-84h]
  int i; // [esp+E8h] [ebp-78h]
  char Str[104]; // [esp+F4h] [ebp-6Ch]

  srand(0xCu);
  j_memset(&unk_423D80, 0, 0x9C40u);
  for ( i = 1; i <= 20; ++i )
  {
    for ( j = 1; j <= i; ++j )
      dword_41A138[100 * i + j] = rand() % 100000;
  }
  ((void (__cdecl *)(const char *, char))sub_41134D)("input your key with your operation can get the maximum:", v3);
  sub_411249("%s", (unsigned int)Str);
  if ( j_strlen(Str) == 19 )
  {
    sub_41114F(Str);
    v4 = 0;
    j = 1;
    i = 1;
    dword_423D78 += dword_41A138[101];
    while ( v4 < 19 )
    {
      if ( Str[v4] == 76 )
      {
        dword_423D78 += dword_41A138[100 * ++i + j];
      }
      else
      {
        if ( Str[v4] != 82 )
        {
          ((void (__cdecl *)(const char *, char))sub_41134D)("error\n", v3);
          system("pause");
          goto LABEL_18;
        }
        dword_423D78 += dword_41A138[100 * ++i + ++j];
      }
      ++v4;
    }
    sub_41134D("your operation can get %d points\n", dword_423D78);
    system("pause");
  }
  else
  {
    ((void (__cdecl *)(const char *, char))sub_41134D)("error\n", v3);
    system("pause");
  }
LABEL_18:
  HIDWORD(v1) = v0;
  LODWORD(v1) = 0;
  return v1;
}

因为srand()的参数是定值，所以随机出来的随机数是固定的

输入的key存在Str里，长度为19

进入函数内部，看到对Str进行的操作为

BOOL __cdecl sub_411750(LPCVOID lpAddress, int a2, int a3)
{
  int v3; // ST1C_4
  DWORD flOldProtect; // [esp+D4h] [ebp-2Ch]
  struct _MEMORY_BASIC_INFORMATION Buffer; // [esp+E0h] [ebp-20h]

  VirtualQuery(lpAddress, &Buffer, 0x1Cu);
  VirtualProtect(Buffer.BaseAddress, Buffer.RegionSize, 0x40u, &Buffer.Protect);
  while ( 1 )
  {
    v3 = a2--;
    if ( !v3 )
      break;
    *(_BYTE *)lpAddress ^= a3;
    lpAddress = (char *)lpAddress + 1;
  }
  return VirtualProtect(Buffer.BaseAddress, Buffer.RegionSize, Buffer.Protect, &flOldProtect);
}

其中a3=4,也就是逐个字符和4进行异或运算

结合main函数，输入只有chr(76)chr(80)和能够和4异或生成这两个的才是有效的，即L R H V

写代码

#include <stdio.h>
#include <stdlib.h>
 int main()
{
    srand(0xCu); 
    int arr[2020];
    for (int i = 0; i < 20; i++) 
    {
        printf("%2d ", i);
        for (int j = 0; j <= i; j++)
        {
            arr[100 * i +j] = rand() % 100000; 
            printf("%5d ", arr[100 * i + j]);
        }
        printf("\n");
    }
    int total = 0;  
    total += arr[100 * 0 + 0]; 
    char str[21];
    int i = 0, j = 0;
    while (1)
    {
        printf("%d ", i);
        int i_ = i + 1;
        int j_ = j + 1;
        if (arr[100 * i_ + j] > arr[100 * i_ + j_])  
        {
            str[i] = 'L';
            if (i % 2 == 1)
            {
                str[i] ^= 4;
            }
            i++;
            total += arr[100 * i + j];
        }
        else
        {
            str[i] = 'R';
            if (i % 2 == 1)
            {
                str[i] ^= 4;
            }
            i++;
            j++;
            total += arr[100 * i + j];
        }
        if (i == 19)
        {
            str[i] = '\0';
            break;
        }
    }
    printf("\n 输入为： %s\n", str);
    printf("maxnum = %d\n", total);
    return 0;
}

得到最高分的输入为:RVRVRHLVRVLVLVRVLVL

flag为: zsctf{RVRVRHLVRVLVLVRVLVL}

15.进制转换

d87 x65 x6c x63 o157 d109 o145 b100000 d116 b1101111 o40 x6b b1100101 b1101100 o141 d105 x62 d101 b1101001 d46 o40 d71 x69 d118 x65 x20 b1111001 o157 b1110101 d32 o141 d32 d102 o154 x61 x67 b100000 o141 d115 b100000 b1100001 d32 x67 o151 x66 d116 b101110 b100000 d32 d102 d108 d97 o147 d123 x31 b1100101 b110100 d98 d102 b111000 d49 b1100001 d54 b110011 x39 o64 o144 o145 d53 x61 b1100010 b1100011 o60 d48 o65 b1100001 x63 b110110 d101 o63 b111001 d97 d51 o70 d55 b1100010 d125 x20 b101110 x20 b1001000 d97 d118 o145 x20 d97 o40 d103 d111 d111 x64 d32 o164 b1101001 x6d o145 x7e

d-10进制 x-16进制 o-8进制

编写脚本

str="d87 x65 x6c x63 o157 d109 o145 b100000 d116 b1101111 o40 x6b b1100101 b1101100 o141 d105 x62 d101 b1101001 d46 o40 d71 x69 d118 x65 x20 b1111001 o157 b1110101 d32 o141 d32 d102 o154 x61 x67 b100000 o141 d115 b100000 b1100001 d32 x67 o151 x66 d116 b101110 b100000 d32 d102 d108 d97 o147 d123 x31 b1100101 b110100 d98 d102 b111000 d49 b1100001 d54 b110011 x39 o64 o144 o145 d53 x61 b1100010 b1100011 o60 d48 o65 b1100001 x63 b110110 d101 o63 b111001 d97 d51 o70 d55 b1100010 d125 x20 b101110 x20 b1001000 d97 d118 o145 x20 d97 o40 d103 d111 d111 x64 d32 o164 b1101001 x6d o145 x7e"
flag=""
str=str.split()
for i in str:
    if i[0]=="d":
        flag += chr(int(i[1:]))
    elif i[0]=="x":
        flag += chr(int(i[1:],16))
    elif i[0]=="o":
        flag += chr(int(i[1:],8))
    elif i[0]=="b":
        flag += chr(int(i[1:],2))
print(flag)

得到:Welcome to kelaibei. Give you a flag as a gift. flag{1e4bf81a6394de5abc005ac6e39a387b} . Have a good time~

flag为:flag{1e4bf81a6394de5abc005ac6e39a387b}