# Some Simplexue (西普) CTF challenges (reverse engineering)

1. Aladdin's Lamp http://ctf1.simplexue.com/crack/1/

2. Do you know the registration code? http://ctf8.simplexue.com/crackme2/

The Python code is:

```python
# Each character of the username is shifted by (index - 8) to produce the registration code.
username = 'syclover'
code = ''.join(chr(ord(c) - 8 + index) for index, c in enumerate(username))
print(code)
```

3. Prove yourself http://ctf8.simplexue.com/crackme/

The data produced by the 14 loop iterations: [0x63,0x52,0x14,0x43,0x4B,0x69,0x53,0x73,0x4F,0x65,0x14,0x53,0x59,0x1]

```python
# The 14 bytes collected from the loop; XOR each one with 0x20 to recover the flag characters.
a = [0x63, 0x52, 0x14, 0x43, 0x4B, 0x69, 0x53, 0x73, 0x4F, 0x65, 0x14, 0x53, 0x59, 0x1]
print(''.join(chr(i ^ 0x20) for i in a))
```

4. This one isn't easy http://ctf1.simplexue.com/crack/3/

5. No sound here http://ctf1.simplexue.com/crack/5/

```html
<script type="text/javascript">
// The constraint string is truncated here; the long remainder was omitted in the write-up.
var ss = "a[11]-a[5]%a[1]*a[12]%a[14]-a...";

// Each constraint is a separate expression over the array a[].
var xx = ss.split('&&');

// Return the index of the first constraint that references exactly `num` cells of a[].
function search(num) {
    for (var i = 0; i < xx.length; i++) {
        var dd = xx[i];
        var offset = 0;
        var count = 0;
        do {
            offset = dd.indexOf('[', offset);
            if (offset != -1) {
                count++;
                offset += 2;
            }
        } while (offset != -1);
        if (count == num) {
            return i;
        }
    }
    return -1;
}

// Solve a[0..46] one cell at a time: the constraint with k+1 references pins down
// a[k] once a[0..k-1] are already known, so brute-force a[k] over 0..255.
var a = new Array();
a[0] = 0;
for (var k = 0; k < 47; k++) {
    var index = search(k + 1);
    var dd = xx[index];
    for (var j = 0; j < 256; j++) {
        a[k] = j;
        if (eval(dd))
            break;
    }
}

// Turn the recovered byte values into the flag string.
var jjj = '';
for (var f = 0; f < a.length; f++) {
    jjj += String.fromCharCode(a[f]);
}
document.write(jjj);
</script>
```

7. john the packer

```
xx@kali:~/Desktop$ file topack
topack: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0xe1b43c1c23bee1233aa04a727a30b2f08abe7bcb, stripped
```

The unpacking stub XORs the packed code in place, one dword at a time, then calls into the decrypted region before entering sub_804859B:

```
.text:08048633                 push    eax
.text:08048634                 mov     edx, [edx]
.text:08048636
.text:08048636 loc_8048636:     ; CODE XREF:sub_80485E0+5Cj
.text:08048636                 xor     [eax], edx
.text:08048638                 add     eax, 4
.text:0804863B                 dec     ecx
.text:0804863C                 jnz     short loc_8048636
.text:0804863E                 pop     eax
.text:0804863F                 call    eax
.text:08048641                 sub     esp, 8
.text:08048644                 push    [ebp+arg_4]
.text:08048647                 push    [ebp+arg_0]
.text:0804864A                 call    sub_804859B
```

A second XOR loop of the same shape sits inside sub_804859B:

```
.text:080485D3 loc_80485D3:       ; CODE XREF: sub_804859B+3Ej
.text:080485D3                 xor     [ebx], edx
.text:080485D5                 add     ebx, 4
.text:080485D8                 dec     ecx
.text:080485D9                 jnz     short loc_80485D3
```

8. Keylead (ASIS 2015)

Running file on keylead shows it is a 7z file; decompress it with:

```
unxz -d -f keylead -c > keylead1
```

file keylead1 shows a 64-bit ELF. Opening it in IDA64, sub_400E6E turns out to be the main function; from the decompiled C you can see that the checks are driven by random numbers, so the jumps have to be forced every time until execution reaches the point where the flag is produced. Alternatively, you can patch the address near the function entry directly so that it jumps to the function that produces the flag. Near the entry you find:

```
04005DD mov rdi, offset sub_400E6E // jumps to the main function
```

patched to:

```
04005DD mov rdi, offset sub_4006B6
```
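A scripted way to apply that patch, added here as an example rather than the write-up's own method: it maps 0x4005DD (the listing's 04005DD read as 0x4005DD) to a file offset through the PT_LOAD headers, checks that the on-disk bytes really are `mov rdi, 0x400E6E` (the encoding 48 C7 C7 imm32 is assumed) before writing, and runs against a constructed minimal ELF64 that stands in for keylead1.

```python
import struct

# Added example (not from the write-up): rewrite the imm32 of the
# `mov rdi, offset sub_400E6E` at 0x4005DD so it points at sub_4006B6.
# Assumes the instruction is encoded as 48 C7 C7 imm32 (mov rdi, imm32).
PT_LOAD = 1
MOV_RDI_IMM32 = b"\x48\xc7\xc7"

def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset via the PT_LOAD program headers."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = fields
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError(f"{vaddr:#x} is not backed by any PT_LOAD segment")

def patch_mov_rdi(elf: bytes, insn_vaddr: int, old_target: int, new_target: int) -> bytes:
    """Return a copy of `elf` with `mov rdi, old_target` at insn_vaddr retargeted.
    Refuses to write unless the bytes on disk match what the disassembler showed."""
    off = vaddr_to_offset(elf, insn_vaddr)
    expected = MOV_RDI_IMM32 + struct.pack("<i", old_target)
    if elf[off:off + 7] != expected:
        raise ValueError(f"no `mov rdi, {old_target:#x}` at {insn_vaddr:#x}")
    patched = bytearray(elf)
    patched[off + 3:off + 7] = struct.pack("<i", new_target)
    return bytes(patched)

def build_fake_elf() -> bytes:
    """Constructed stand-in for keylead1: an ELF64 header, one PT_LOAD mapping
    file offset 0 to 0x400000, and the page's mov instruction placed at 0x4005DD."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x4005DD,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000,
                       0x600, 0x600, 0x1000)
    image = bytearray(ehdr + phdr).ljust(0x600, b"\0")
    image[0x5DD:0x5E4] = MOV_RDI_IMM32 + struct.pack("<i", 0x400E6E)
    return bytes(image)

if __name__ == "__main__":
    # Against the real file, pass open("keylead1", "rb").read() instead of build_fake_elf().
    out = patch_mov_rdi(build_fake_elf(), 0x4005DD, 0x400E6E, 0x4006B6)
    print(out[0x5DD:0x5E4].hex())
```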

9. bin100 (ebCTF 2013)
