攻防世界-adworld-reverse-game

于 2022-10-29 21:57:24 发布
阅读量484 收藏
点赞数
分类专栏: ctf 攻防世界CTF reverse 文章标签: CTF python ida
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_47210241/article/details/127592852
版权
ctf 同时被 3 个专栏收录
23 篇文章 1 订阅
订阅专栏
攻防世界CTF
23 篇文章 0 订阅
订阅专栏
reverse
5 篇文章 0 订阅
订阅专栏

#adworld-reverse-game

image-20221028205016278

image-20221028204952528

从1依次输入到8,每个数字会车,最后通关,获得flag

                 |-----------------------▲--------|
                 |-----------------------●--------|
                 |-----------------------◆--------|
                 |-----------------------■--------|

|--------------------|-----------------------★--------|
| |-----------------------▼--------|
| |--------------------(°Д°)-----|
| |--------------------(*°▽°)=3–|
二 |
| by 0x61 |

done!!! the flag is zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
input n,n(1-8)
1.△ 2.○ 3.◇ 4.□ 5.☆ 6.▽ 7.( ̄▽ ̄)/ 8.(;°Д°) 0.restart
n=

IDA:

搜索play a game

image-20221028215457985

F5反编译

image-20221028215420778

image-20221028215525082

得到的反编译代码:

sub_45A7BE((int)"done!!! the flag is ", v1);
  v60 = 18;
  v61 = 64;
  v62 = 98;
  v63 = 5;
  v64 = 2;
  v65 = 4;
  v66 = 6;
  v67 = 3;
  v68 = 6;
  v69 = 48;
  v70 = 49;
  v71 = 65;
  v72 = 32;
  v73 = 12;
  v74 = 48;
  v75 = 65;
  v76 = 31;
  v77 = 78;
  v78 = 62;
  v79 = 32;
  v80 = 49;
  v81 = 32;
  v82 = 1;
  v83 = 57;
  v84 = 96;
  v85 = 3;
  v86 = 21;
  v87 = 9;
  v88 = 4;
  v89 = 62;
  v90 = 3;
  v91 = 5;
  v92 = 4;
  v93 = 1;
  v94 = 2;
  v95 = 3;
  v96 = 44;
  v97 = 65;
  v98 = 78;
  v99 = 32;
  v100 = 16;
  v101 = 97;
  v102 = 54;
  v103 = 16;
  v104 = 44;
  v105 = 52;
  v106 = 32;
  v107 = 64;
  v108 = 89;
  v109 = 45;
  v110 = 32;
  v111 = 65;
  v112 = 15;
  v113 = 34;
  v114 = 18;
  v115 = 16;
  v116 = 0;
  v3 = 123;
  v4 = 32;
  v5 = 18;
  v6 = 98;
  v7 = 119;
  v8 = 108;
  v9 = 65;
  v10 = 41;
  v11 = 124;
  v12 = 80;
  v13 = 125;
  v14 = 38;
  v15 = 124;
  v16 = 111;
  v17 = 74;
  v18 = 49;
  v19 = 83;
  v20 = 108;
  v21 = 94;
  v22 = 108;
  v23 = 84;
  v24 = 6;
  v25 = 96;
  v26 = 83;
  v27 = 44;
  v28 = 121;
  v29 = 104;
  v30 = 110;
  v31 = 32;
  v32 = 95;
  v33 = 117;
  v34 = 101;
  v35 = 99;
  v36 = 123;
  v37 = 127;
  v38 = 119;
  v39 = 96;
  v40 = 48;
  v41 = 107;
  v42 = 71;
  v43 = 92;
  v44 = 29;
  v45 = 81;
  v46 = 107;
  v47 = 90;
  v48 = 85;
  v49 = 64;
  v50 = 12;
  v51 = 43;
  v52 = 76;
  v53 = 86;
  v54 = 13;
  v55 = 114;
  v56 = 1;
  v57 = 117;
  v58 = 126;
  v59 = 0;
  for ( i = 0; i < 56; ++i )
  {
    *(&v3 + i) ^= *(&v60 + i);
    *(&v3 + i) ^= 0x13u;
  }
  return sub_45A7BE((int)"%s\n", (unsigned int)&v3);
}

两个数组求和,再与0x13u

利用python求解

import re

# sub_45A7BE((int)"done!!! the flag is ", v1);
#   v60 = 18;
#   v61 = 64;
#   v62 = 98;
#   v63 = 5;
#   v64 = 2;
#   v65 = 4;
#   v66 = 6;
#   v67 = 3;
#   v68 = 6;
#   v69 = 48;
#   v70 = 49;
#   v71 = 65;
#   v72 = 32;
#   v73 = 12;
#   v74 = 48;
#   v75 = 65;
#   v76 = 31;
#   v77 = 78;
#   v78 = 62;
#   v79 = 32;
#   v80 = 49;
#   v81 = 32;
#   v82 = 1;
#   v83 = 57;
#   v84 = 96;
#   v85 = 3;
#   v86 = 21;
#   v87 = 9;
#   v88 = 4;
#   v89 = 62;
#   v90 = 3;
#   v91 = 5;
#   v92 = 4;
#   v93 = 1;
#   v94 = 2;
#   v95 = 3;
#   v96 = 44;
#   v97 = 65;
#   v98 = 78;
#   v99 = 32;
#   v100 = 16;
#   v101 = 97;
#   v102 = 54;
#   v103 = 16;
#   v104 = 44;
#   v105 = 52;
#   v106 = 32;
#   v107 = 64;
#   v108 = 89;
#   v109 = 45;
#   v110 = 32;
#   v111 = 65;
#   v112 = 15;
#   v113 = 34;
#   v114 = 18;
#   v115 = 16;
#   v116 = 0;
#   v3 = 123;
#   v4 = 32;
#   v5 = 18;
#   v6 = 98;
#   v7 = 119;
#   v8 = 108;
#   v9 = 65;
#   v10 = 41;
#   v11 = 124;
#   v12 = 80;
#   v13 = 125;
#   v14 = 38;
#   v15 = 124;
#   v16 = 111;
#   v17 = 74;
#   v18 = 49;
#   v19 = 83;
#   v20 = 108;
#   v21 = 94;
#   v22 = 108;
#   v23 = 84;
#   v24 = 6;
#   v25 = 96;
#   v26 = 83;
#   v27 = 44;
#   v28 = 121;
#   v29 = 104;
#   v30 = 110;
#   v31 = 32;
#   v32 = 95;
#   v33 = 117;
#   v34 = 101;
#   v35 = 99;
#   v36 = 123;
#   v37 = 127;
#   v38 = 119;
#   v39 = 96;
#   v40 = 48;
#   v41 = 107;
#   v42 = 71;
#   v43 = 92;
#   v44 = 29;
#   v45 = 81;
#   v46 = 107;
#   v47 = 90;
#   v48 = 85;
#   v49 = 64;
#   v50 = 12;
#   v51 = 43;
#   v52 = 76;
#   v53 = 86;
#   v54 = 13;
#   v55 = 114;
#   v56 = 1;
#   v57 = 117;
#   v58 = 126;
#   v59 = 0;
#   for ( i = 0; i < 56; ++i )
#   {
#     *(&v3 + i) ^= *(&v60 + i);
#     *(&v3 + i) ^= 0x13u;
#   }
#   return sub_45A7BE((int)"%s\n", (unsigned int)&v3);
# }

# 两个数组求和,再与0x13u

s='''v60 = 18;
  v61 = 64;
  v62 = 98;
  v63 = 5;
  v64 = 2;
  v65 = 4;
  v66 = 6;
  v67 = 3;
  v68 = 6;
  v69 = 48;
  v70 = 49;
  v71 = 65;
  v72 = 32;
  v73 = 12;
  v74 = 48;
  v75 = 65;
  v76 = 31;
  v77 = 78;
  v78 = 62;
  v79 = 32;
  v80 = 49;
  v81 = 32;
  v82 = 1;
  v83 = 57;
  v84 = 96;
  v85 = 3;
  v86 = 21;
  v87 = 9;
  v88 = 4;
  v89 = 62;
  v90 = 3;
  v91 = 5;
  v92 = 4;
  v93 = 1;
  v94 = 2;
  v95 = 3;
  v96 = 44;
  v97 = 65;
  v98 = 78;
  v99 = 32;
  v100 = 16;
  v101 = 97;
  v102 = 54;
  v103 = 16;
  v104 = 44;
  v105 = 52;
  v106 = 32;
  v107 = 64;
  v108 = 89;
  v109 = 45;
  v110 = 32;
  v111 = 65;
  v112 = 15;
  v113 = 34;
  v114 = 18;
  v115 = 16;
  v116 = 0;
  v3 = 123;
  v4 = 32;
  v5 = 18;
  v6 = 98;
  v7 = 119;
  v8 = 108;
  v9 = 65;
  v10 = 41;
  v11 = 124;
  v12 = 80;
  v13 = 125;
  v14 = 38;
  v15 = 124;
  v16 = 111;
  v17 = 74;
  v18 = 49;
  v19 = 83;
  v20 = 108;
  v21 = 94;
  v22 = 108;
  v23 = 84;
  v24 = 6;
  v25 = 96;
  v26 = 83;
  v27 = 44;
  v28 = 121;
  v29 = 104;
  v30 = 110;
  v31 = 32;
  v32 = 95;
  v33 = 117;
  v34 = 101;
  v35 = 99;
  v36 = 123;
  v37 = 127;
  v38 = 119;
  v39 = 96;
  v40 = 48;
  v41 = 107;
  v42 = 71;
  v43 = 92;
  v44 = 29;
  v45 = 81;
  v46 = 107;
  v47 = 90;
  v48 = 85;
  v49 = 64;
  v50 = 12;
  v51 = 43;
  v52 = 76;
  v53 = 86;
  v54 = 13;
  v55 = 114;
  v56 = 1;
  v57 = 117;
  v58 = 126;
  v59 = 0;
  
  '''
s01='''v60 = 18;
  v61 = 64;
  v62 = 98;
  v63 = 5;
  v64 = 2;
  v65 = 4;
  v66 = 6;
  v67 = 3;
  v68 = 6;
  v69 = 48;
  v70 = 49;
  v71 = 65;
  v72 = 32;
  v73 = 12;
  v74 = 48;
  v75 = 65;
  v76 = 31;
  v77 = 78;
  v78 = 62;
  v79 = 32;
  v80 = 49;
  v81 = 32;
  v82 = 1;
  v83 = 57;
  v84 = 96;
  v85 = 3;
  v86 = 21;
  v87 = 9;
  v88 = 4;
  v89 = 62;
  v90 = 3;
  v91 = 5;
  v92 = 4;
  v93 = 1;
  v94 = 2;
  v95 = 3;
  v96 = 44;
  v97 = 65;
  v98 = 78;
  v99 = 32;
  v100 = 16;
  v101 = 97;
  v102 = 54;
  v103 = 16;
  v104 = 44;
  v105 = 52;
  v106 = 32;
  v107 = 64;
  v108 = 89;
  v109 = 45;
  v110 = 32;
  v111 = 65;
  v112 = 15;
  v113 = 34;
  v114 = 18;
  v115 = 16;
  v116 = 0;'''
s02='''v3 = 123;
  v4 = 32;
  v5 = 18;
  v6 = 98;
  v7 = 119;
  v8 = 108;
  v9 = 65;
  v10 = 41;
  v11 = 124;
  v12 = 80;
  v13 = 125;
  v14 = 38;
  v15 = 124;
  v16 = 111;
  v17 = 74;
  v18 = 49;
  v19 = 83;
  v20 = 108;
  v21 = 94;
  v22 = 108;
  v23 = 84;
  v24 = 6;
  v25 = 96;
  v26 = 83;
  v27 = 44;
  v28 = 121;
  v29 = 104;
  v30 = 110;
  v31 = 32;
  v32 = 95;
  v33 = 117;
  v34 = 101;
  v35 = 99;
  v36 = 123;
  v37 = 127;
  v38 = 119;
  v39 = 96;
  v40 = 48;
  v41 = 107;
  v42 = 71;
  v43 = 92;
  v44 = 29;
  v45 = 81;
  v46 = 107;
  v47 = 90;
  v48 = 85;
  v49 = 64;
  v50 = 12;
  v51 = 43;
  v52 = 76;
  v53 = 86;
  v54 = 13;
  v55 = 114;
  v56 = 1;
  v57 = 117;
  v58 = 126;
  v59 = 0;
  
  '''
def trim(s):
    r = re.findall('[\S]+', s)
    return " ".join(r)
from bs4 import BeautifulSoup as bs

#s1=s.split('v*=')
# s1=trim(s)

# print(s1)

# ss1= bs(s, "lxml")
# ss2=re.findall('.*= (.*?);',s)

# #ss2=re.findall('.*=(.*?);',)
# #strOnes=re.findall('.*>(.*?)</a.*',trim(str(strList[0])))
# print(ss2)

# print(s01)

# ss01=bs(trim(s01),"lxml")
# ss02=bs(trim(s02),"lxml")

# # print(ss01)
# # print(ss02)


# sss01=re.findall('.*= (.*?);',ss01)
# sss02=re.findall('.*= (.*?);',ss02)

# print(sss01)
# print(sss02)

ss01=re.findall('.*= (.*?);',s01)
ss02=re.findall('.*= (.*?);',s02)

print(ss01)
print(ss02)



flag=''
for i in range(len(ss01)):
    flag+=chr(int(ss01[i])^int(ss02[i])^0x13)

print(flag)

使用OD方法:

image-20221029215017000

image-20221029215107112

参考博文:

  1. https://copyfuture.com/blogs-details/20211116195508177z
  2. https://blog.csdn.net/song_10/article/details/83621118
32进制
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
攻防世界 re新手题 game
Mintind的博客
11-30 199
攻防世界 re新手题 game 解题记录罢了
攻防世界-wp-REVERSE-新手区-7-game
最新发布
Scorpio_m7
04-14 434
跳转到main_0函数,分析代码,当所有灯点亮时,进入sub_13F7AB4(),跳转到该函数。用IDA静态分析:在函数中搜索main,进入main函数,按F5进行反汇编。打开发现是一个游戏,直接输入12345678就能直接拿到flag。分析代码,发现是创建了两个长度为57的字符串,并进行运算。把sub_13F7AB4()函数翻译成python脚本就是。菜鸡最近迷上了玩游戏,但它总是赢不了,你可以帮他获胜吗。main函数反编译,分析代码逻辑,构造脚本。这是关键的输出flag的函数。
攻防世界,Reverse:game
Pai_Space
11-13 879
1.解题过程: 首先附件是个exe程序,运行 其中有提示,需要亮起所有灯,flag才会出现 所以我们需要输入对应的数字让它点亮,但是会发现最后一个的表情跟上面需要点亮的表情不一致,所以我们没办法全部点亮,拖入IDA看看 使用 ctrl + f 查找 main 函数进行反编译,其中调用了 main_0(); 所以查看 main_0 函数 往下分析有一个if语句,当八个都同时满足时执行黄色的语句 双击跳转 再一次跳转返回值,在一堆定义的变量中看到正确的flag提示 并...
攻防世界-reverse-game
底层社会中的弱智
08-04 412
破解程序需要先查看程序运行的过程找出关键的字符串进行破解 玩个游戏 n为灯的序号,m为灯的状态 如果第 N 个灯的 m 为 1,则点亮,否则熄灭 起初所有的灯都关上了 现在你可以输入 n 来改变它的状态 但是你要注意一件事,如果你改变第N个灯的状态,第(N-1)个和第(N+1)个的状态也会改变 当所有灯都亮时,会出现flag 现在,输入 n 输入 n,n(1-8) 1.△ 2.○ 3.◇ 4.□ 5.☆ 6.▽ 7.( ̄▽ ̄)/ 8.(;°Д°) 0.重启 n= 要是我来写这个程
攻防世界 Reverse 新手练习区 1-12 全详解
闵行小鱼塘
11-28 3876
本篇是攻防世界 Reverse 新手练习区的全解
Adworld2012互联网营销世界大会PPT下载
07-23
教程名称: Adworld2012互联网营销世界大会PPT下载【】APPS新媒体运营及营销探索-岳建雄-搜狐【】体育营销动起来-陈鄂-力美【】品牌广告推动移动营销创新-郭伟-安沃传媒【】基于受众的网络广告交易市场-王岳龙-传漾...
【XCTF-RE】新手练习区-maze
08-03
题目:https://adworld.xctf.org.cn/task/task_list?type=reverse&number=4&grade=0&page=1 我的解题记录:https://www.yuque.com/jianouzuihuai/study/fr45py
【XCTF-RE】新手练习区-logmein
08-03
题目:https://adworld.xctf.org.cn/task/task_list?type=reverse&number=4&grade=0&page=1 我的解题记录:https://www.yuque.com/jianouzuihuai/study/ez5t60
【XCTF-RE】新手练习区-insanity
08-03
题目:https://adworld.xctf.org.cn/task/task_list?type=reverse&number=4&grade=0&page=1 我的解题记录:https://www.yuque.com/jianouzuihuai/study/siwtcm
adworld-wargame:我对https://adworld.xctf.org.cntask上的pwn挑战的利用
02-13
adworld-wargame 我对上的pwn挑战的利用
攻防世界】REVERSE新手练习区 - game
m0_60377292的博客
08-07 638
game - wp
攻防世界--game
weixin_30876945的博客
08-17 1196
题目链接:https://adworld.xctf.org.cn/task/answer?type=reverse&number=4&grade=0&id=5074 1.准备 打开测试用例 首先分析程序 得到是win32程序 2.第一种方法 2.1 分析代码 使用IDA打开,找到main函数,F5得到C代码 得知主要是...
攻防世界 reverse game
08-08 757
一样的操作,先找到main()函数 点击进入Main_0()函数 可以看见这个游戏的规则 看到这个,可以猜一下,打开exe文件,连续输入1,2,3,4,5,6,7,8(不用计较顺序)就得出了结论 或者用另外一种办法: 分析法+写脚本 点击进入sub_457AB4()函数 再点击进入sub_45E940()函数 然后向下拉,发现了核心算法 然后写一个脚本解题,下方为脚本: s1 = [123,...
攻防世界_Reverse_game
fallingskies
05-11 4107
打开发现是一个游戏,挺简单的,直接输入12345678就能直接拿到flag 使用IDA静态分析 在函数中搜索main,进入main函数,按F5进行反汇编 int __cdecl main(int argc, const char **argv, const char **envp) { int result; // eax main_0(); return result; } 跳转到m...
攻防世界Reverse第五题game
weixin_52369224的博客
09-07 762
第一种 下载文件打开自己试了试 依次安装 1 2 3 4 5 6 7 8就可以通过得到flag 第二种
攻防世界 reverse新手题 game
空舟的博客
08-02 776
game 运行一下,真是个游戏 英文翻译一下 玩游戏 n是灯的序列号,m是灯的状态 如果第n个灯的m为1,则亮,否则熄灭 起初所有的灯都关了 现在你可以输入n来改变它的状态 但是你要注意一件事,如果你改变第N个灯的状态,(N-1)th和(N+1)th的状态也会改变 当所有灯都亮起时,将出现标志 现在,输入n 输入n,n(1-8) 1.△2.○3.◇4.□5.☆6.▽7.(▽8)/8.(°Д°)0.重启 n= 查看一下无壳,32bit 拉入32位ida查看,找到main函数,F5得到伪代码 void __
攻防世界 Reverse
qq_41071646的博客
04-28 792
看pwn 看不下去 没事做做逆向题 想想 后天就要回家了~~ 想想还是有点小激动 这个题 其实逻辑很简单 我们看一下 check函数 其中那个strtohex 就是把两个字符 转化成一个 16进制的数字 然后我们 写一个脚本就可以了 #include <stdio.h> #include<iostream> #include<io...
攻防世界reverse新手练习
黄先生的博客
04-13 7796
0x01 re1 用ida打开进行静态分析,按F5进行反编译 注意标黄色标记的地方,输入的字符会保存在 v9,这个字符串会跟 v5 进行比较,如果两个字符串相等,那么就会输出 flag get,这说明 flag 是已经保存在程序中的 我们在strings window(按shift+F12)中可以看到这几个字符串,我们可以推测flag包含DUTCTF字符串,所以在命令台中输入: s...
XCTF 攻防世界 Reverse新手题(game)
weixin_43456810的博客
12-12 968
XCTF 攻防世界 Reverse新手题(game) 这道题目按照一般IDA静态分析的思路走,应该不难做出来 首先,找到main函数,F5反编译一下 发现main_0()函数,进入此函数,反编译一下 对main_0()的代码进行分析,可以看到最后一部分的if段,当8个值都为1时,调用sub_457AB4()函数,代码如下: if ( byte_532E28[0] == 1 && byte_532E28[1] == 1 && byte_532E28[2]
攻防世界-Reverse-game
chiquanji1260的博客
07-07 615
是一个.exe,用peid发现没有壳 打开程序,是一个小游戏,输入大于0小于9的数,输入1,1、2、8会通;输入3,3、4会通但2会断; (12345678依次输入就能解开并拿到flag;) 下面我们来进行od分析 可以单步跟踪也可以搜索字符串,这次我们搜索字符串,发现标题,双...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值