
攻防世界-高手进阶区-Reverse部分-WriteUP

source link: https://iamywang.github.io/2020/adworld-reverse/

0x01 流浪者

简单

0x02 easyRE1

ida直接看明文,拼上flag。
< !–more–>
re-002.png

0x03 Reversing-x64Elf-100

核心是sub_4006FD函数。

// Decompiled check routine (IDA pseudo-C). a1 points at the candidate flag;
// 12 bytes are read from it. Returns 0 when every byte matches, 1 at the
// first mismatch.
signed __int64 __fastcall sub_4006FD(__int64 a1)
{
signed int i; // [rsp+14h] [rbp-24h]
const char *v3; // [rsp+18h] [rbp-20h]
const char *v4; // [rsp+20h] [rbp-18h]
const char *v5; // [rsp+28h] [rbp-10h]

// Three 7-byte reference strings. They sit consecutively on the stack, so the
// decompiler expresses the selection as (&v3)[k] for k = 0, 1, 2.
v3 = "Dufhbmf";
v4 = "pG`imos";
v5 = "ewUglpt";
for ( i = 0; i <= 11; ++i )
{
// Reference byte for position i: string i % 3, offset 2 * (i / 3) (0, 2, 4, 6).
// The input byte must be exactly one less than that reference byte.
if ( (&v3)[i % 3][2 * (i / 3)] - *(char *)(i + a1) != 1 )
return 1LL;
}
return 0LL;
}

根据这个函数逆回去:

# Invert sub_4006FD: the three 7-byte reference strings are concatenated so
# that index (i % 3) * 7 + 2 * (i // 3) selects the same byte the binary reads
# through (&v3)[i % 3][2 * (i / 3)]; each flag byte is that byte minus one.
v3 = "Dufhbmf"
v4 = "pG`imos"
v5 = "ewUglpt"
v3 = v3 + v4 + v5  # 21-byte lookup table, row k starts at offset 7 * k
x = "".join(chr(ord(v3[(i % 3) * 7 + 2 * (i // 3)]) - 1) for i in range(12))
print(x)

flag: Code_Talkers

0x04 IgniteMe

flag: EIS{wadx_tdgk_aihc_ihkn_pjlm}

0x05 srm-50

核心函数:

// Decompiled (IDA pseudo-C) check from srm-50. String is the e-mail field and
// v11 the 16-byte serial; v12..v23 are further serial bytes that the decompiler
// split into separate locals. Names and layout are as IDA produced them.
// E-mail gate: must contain '@' and '.', the '.' must not be the last
// character, and the character right after '@' must not be '.' (46).
if ( strstr(&String, "@") && strstr(&String, ".") && strstr(&String, ".")[1] && strstr(&String, "@")[1] != 46 )
{
// Message text and the success prefix are copied out of constant data.
v28 = xmmword_410AA0;
v29 = 1701999980;
*(_OWORD *)Src = xmmword_410A90;
v30 = 46;
v26 = xmmword_410A80;
v27 = 3830633;
// Serial check: exactly 16 bytes. Some bytes are compared directly; the
// others only through a sum with a known byte, e.g. v11[1] + v22 == 155
// gives v22 == 155 - 'Z' == 'A'.
if ( strlen(v11) != 16
|| v11[0] != 'C'
|| v23 != 'X'
|| v11[1] != 'Z'
|| v11[1] + v22 != 155
|| v11[2] != '9'
|| v11[2] + v21 != 155
|| v11[3] != 'd'
|| v20 != '7'
|| v12 != 'm'
|| v19 != 'G'
|| v13 != 'q'
|| v13 + v18 != 170
|| v14 != '4'
|| v17 != 'g'
|| v15 != 'c'
|| v16 != '8' )
{
// Some check failed: Text gets the message held in v28.
strcpy_s(&Text, 0x100u, (const char *)&v28);
}
else
{
// All checks passed: Text is Src followed by the serial itself.
strcpy_s(&Text, 0x100u, Src);
strcat_s(&Text, 0x100u, v11);
}
}
else
{
strcpy_s(&Text, 0x100u, "Your E-mail address in not valid.");
}

强行解出:flag: CZ9dmq4c8g9G7bAX

v11="CZ9d"
v12='m'
v13='q'
v14='4'
v15='c'
v16='8'
v17='g'
v18=170-113=57='9'
v19='G'
v20='7'
v21=155-57=98='b'
v22=155-90=65='A'
v23='X'

0x06 hackme

核心函数:

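// Decompiled (IDA pseudo-C) verification loop from hackme. byte_6B4270 holds
// the 22 expected bytes; v3 is presumably the input buffer (same indexing);
// sub_406D90() is opaque, its result is reduced mod 22 to pick a position.
// Ten rounds run; each round checks one position v9 and clears v13 on mismatch.
v13 = i == 22;
v12 = 10;
do
{
v9 = (signed int)sub_406D90() % 22;
v11 = 0;
v8 = byte_6B4270[v9];
v7 = v3[v9];
v6 = v9 + 1;
v10 = 0;
// Keystream for position v9: the LCG v11 = 1828812941 * v11 + 12345 is
// iterated v9 + 1 times starting from 0.
while ( v10 < v6 )
{
++v10;
v11 = 1828812941 * v11 + 12345;
}
v5 = v11 ^ v7;
// Only the low byte of the keystream takes part in the comparison.
if ( v8 != ((unsigned __int8)v11 ^ v7) )
v13 = 0;
--v12;
}
while(v12);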

顺便一看6B4270的内容,然后逆向:

# The 22 expected bytes read out of byte_6B4270 in the binary.
byte_6B4270 = [0x5F, 0xF2, 0x5E, 0x8B, 0x4E, 0x0E, 0xA3, 0xAA, 0xC7, 0x93, 0x81, 0x3D,
               0x5F, 0x74, 0xA3, 0x09, 0x91, 0x2B, 0x49, 0x28, 0x93, 0x67]
flag = ''

# Replay the binary's keystream: for position pos the LCG
# key = 1828812941 * key + 12345 is iterated pos + 1 times from 0, and only
# its low byte is XORed with the expected byte (higher bits never matter, so
# Python's unbounded ints give the same low byte as the 32-bit original).
for pos, expected in enumerate(byte_6B4270):
    key = 0
    for _ in range(pos + 1):
        key = 1828812941 * key + 12345
    flag += chr((expected ^ key) & 0xff)
print(flag)

flag: flag{d826e6926098ef46}

0x07 re4-unvm-me

pyc逆向,直接得python源代码。

# Source recovered from the .pyc. This is Python 2 code: print statement,
# raw_input, the md5 module and long literals with an L suffix.
import md5
# One MD5 per 5-character slice of the flag, in slice order.
md5s = [
0x831DAA3C843BA8B087C895F0ED305CE7L,
0x6722F7A07246C6AF20662B855846C2C8L,
0x5F04850FEC81A27AB5FC98BEFA4EB40CL,
0xECF8DCAC7503E63A6A3667C5FB94F610L,
0xC0FD15AE2C3931BC1E140523AE934722L,
0x569F606FD6DA5D612F10CFB95C0BDE6DL,
0x68CB5A1CF54C078BF0E7E89584C1A4EL,
0xC11E2CD82D1F9FBD7E4D6EE9581FF3BDL,
0x1DF4C637D625313720F45706A48FF20FL,
0x3122EF3A001AAECDB8DD9D843C029E06L,
0xADB778A0F729293E7E0B19B96A4C5A61L,
0x938C747C6A051B3E163EB802A325148EL,
0x38543C5E820DD9403B57BEFF6020596DL]
print 'Can you turn me back to python ? ...'
flag = raw_input('well as you wish.. what is the flag: ')
# Length must be at most 69 ...
if len(flag) > 69:
    print 'nice try'
    exit()
# ... and a multiple of 5, so the input splits into whole 5-character slices.
if len(flag) % 5 != 0:
    print 'nice try'
    exit()
# Each slice is hashed on its own and compared with its entry. Because a slice
# is only 5 characters, every hash can be recovered independently (lookup or
# brute force), which is what makes this check weak.
for i in range(0, len(flag), 5):
    s = flag[i:i + 5]
    if int('0x' + md5.new(s).hexdigest(), 16) != md5s[i / 5]:  # i / 5 is integer division in Python 2
        print 'nice try'
        exit()
    continue
print 'Congratz now you have the flag'

其实就是查这些md5:flag被按5个字符一组分别计算md5,每组的搜索空间很小,逐组反查即可。

# The 13 hashes from the recovered source, each annotated with the 5-character
# slice that produces it; concatenated in order they form the flag.
md5s = [
0x831DAA3C843BA8B087C895F0ED305CE7L, # ALEXC
0x6722F7A07246C6AF20662B855846C2C8L, # TF{dv
0x5F04850FEC81A27AB5FC98BEFA4EB40CL, # 5d4s2
0xECF8DCAC7503E63A6A3667C5FB94F610L, # vj8nk
0xC0FD15AE2C3931BC1E140523AE934722L, # 43s8d
0x569F606FD6DA5D612F10CFB95C0BDE6DL, # 8l6m1
0x68CB5A1CF54C078BF0E7E89584C1A4EL, # n5l67
0xC11E2CD82D1F9FBD7E4D6EE9581FF3BDL, # ds9v4
0x1DF4C637D625313720F45706A48FF20FL, # 1n52n
0x3122EF3A001AAECDB8DD9D843C029E06L, # v37j4
0xADB778A0F729293E7E0B19B96A4C5A61L, # 81h3d
0x938C747C6A051B3E163EB802A325148EL, # 28n4b
0x38543C5E820DD9403B57BEFF6020596DL] # 6v3k}

flag: ALEXCTF{dv5d4s2vj8nk43s8d8l6m1n5l67ds9v41n52nv37j481h3d28n4b6v3k}

0x08 Guess-the-Number

java逆向,非常简单。

int my_number = 1545686892;
...
if (my_number / 5 == guess_number){...}
...

因此提交309137378即可得到flag。
flag: a7b08c546302cc1fd2a4d48bf2bf2ddb

0x09 EasyRE

...

0x10 Shuffle

SECCON{Welcome to the SECCON 2014 CTF!}

0x11 re-for-50-plz-50

# Per-character comparison (MIPS, IDA listing). var_10 is the loop index i;
# arg_4 is IDA's name for the second-argument slot — presumably argv, since the
# code dereferences *(arg_4 + 4). The rest of the loop lies outside this excerpt.
loc_4013C8:
lui $v0, 0x4A
addiu $v1, $v0, (meow - 0x4A0000) # "cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ"
lw $v0, 0x28+var_10($fp)  # i
addu $v0, $v1, $v0
lb $v1, 0($v0)  # v1 = meow[i]
lw $v0, 0x28+arg_4($fp)
addiu $v0, 4
lw $a0, 0($v0)  # a0 = *(arg_4 + 4)
lw $v0, 0x28+var_10($fp)
addu $v0, $a0, $v0
lb $v0, 0($v0)  # v0 = input[i]
xori $v0, 0x37  # input[i] ^ 0x37
sll $v0, 24
sra $v0, 24  # sign-extend the low byte
beq $v1, $v0, loc_401428  # equal -> continue at loc_401428
move $at, $at  # branch delay slot (nop)

是一个MIPS的二进制文件,按照它的步骤走一走。

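# Undo the xori $v0, 0x37 at loc_4013C8: the reference string "meow" holds the
# flag bytes XORed with 0x37, so XORing again recovers the flag.
# The buffer is named enc rather than str so it does not shadow the builtin.
enc = "cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ"
flag = "".join(chr(ord(c) ^ 0x37) for c in enc)
print(flag)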

flag: TUCTF{but_really_whoisjohngalt}

0x12 dmd-50

首先看到提示输入以后做了一次md5。

...
std::operator<<<std::char_traits<char>>(&std::cout, "Enter the valid key!n", envp);
...
md5(&v40, &v39);

然后看到后面进行比较的md5值是:

780438d5b6e29db0898bc4f0225935c0

md5反查得到:

b781cbb29054db12f88f08c6e161c199

然后执行得到Valid。

$ ./4907915cc47e4b5bb02bbde6c445c924
Enter the valid key!
b781cbb29054db12f88f08c6e161c199
The key is valid :)

0x13 Mysterious

// Decompiled (IDA pseudo-C) dialog handler from Mysterious. Reads control 1002
// into String, exits on anything longer than 6 characters, then checks the
// parsed number and three further bytes.
GetDlgItemTextA(hWnd, 1002, &String, 260);
strlen(&String); // result discarded
if ( strlen(&String) > 6 )
ExitProcess(0);
v10 = atoi(&String) + 1; // v10 + 1
// atoi stops at the first non-digit, so "122xyz" parses as 122 and v10 == 123;
// v12, v13, v14 must hold 'x', 'y', 'z' (presumably the bytes after the digits).
if ( v10 == 123 && v12 == 'x' && v14 == 'z' && v13 == 'y' )
{
...
MessageBoxA(0, Text, "well done", 0);
}

输入122xyz拿flag。

flag{123_Buff3r_0v3rf|0w}

0x14 parallel-comparator-200

给了源代码,经过测试得知,first_letter=108。(与随机数种子有关)

# Each entry is the offset of a flag character from the first character
# (first_letter, observed as 108 == 'l' when the program is run).
differences = [0, 9, -9, -1, 13, -13, -4, -11, -9, -1, -7, 6, -13, 13, 3, 9, -13, -11, 6, -7]
first_letter = 108
flag = ''.join(chr(first_letter + delta) for delta in differences)
print(flag)

flag: lucky_hacker_you_are

0x15 serial-150

用IDA看,在.text:00000000004009FB到.text:0000000000400CA3之间未反编译成功。
所以决定直接gdb走。

EZ9dmq4c8g9G7bAV

0x16 secret-galaxy-300

aliens_are_around_us

0x17 Newbie_calculations

有死循环,计算器类型。

CTF{daf8f4d816261a41a115052a1bc21ade}

0x18 re1-100

直接IDA走起,先看到要比较的字符串长度是42,并且第一个字符是{:

else if ( bufParentRead[0] == '{' )
{
if ( strlen(bufParentRead) == 42 )

{后面和}前面的字符串分别是:

if ( !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL) )
if ( !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL) )

然后注意confuseKey函数中:

// confuseKey: assembles the 42-byte key as '{' + part3 + part4 + part1 + part2 + '}',
// i.e. the parts are appended in a different order from their numbering.
*szKey = '{';
strcat(szKey, szPart3);
strcat(szKey, szPart4);
strcat(szKey, szPart1);
strcat(szKey, szPart2);
szKey[41] = '}'; // index 41 -> total length 42, matching the strlen check

这样调整一下比较的那个代码的字符串的先后顺序即可:

{53fc275d81053ed5be8cdaf29f59034938ae4efd}
