MoeCTF2023_Re

m0_75094067

已于 2023-10-20 21:28:50 修改

阅读量429

点赞数

分类专栏： MoeCTF2023 文章标签：安全

于 2023-10-14 21:00:00 首次发布

本文链接：https://blog.csdn.net/m0_75094067/article/details/133808040

版权

文章目录

MoeCTF2023_Re
- 入门指北
- base_64
- UPX!
- Xor
- ANDROID
- EQUATION
- RRRRRc4

MoeCTF2023_Re

入门指北

把INTRO_RE.exe 拖入IDA，F5反编译得到源代码

__int64 __fastcall main()
{
   
  int a; // [rsp+2Ch] [rbp-4h] BYREF

  _main();
  printf(&_format);
  printf("Input the times of appearance of the word \"Reverse\" in the document to continue:\n");
  scanf("%d", &a);
  if ( a == 13 )
    printf("moectf{F1rst_St3p_1s_D0ne}\n");
  else
    printf("Read carefully!\n");
  system("pause");
  return 0i64;
}

base_64

pyc反编译把base_64.pyc反编译得到python代码

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.7

import base64
from string import *
str1 = 'yD9oB3Inv3YAB19YynIuJnUaAGB0um0='
string1 = 'ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0123456789+/'
string2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
flag = input('welcome to moectf\ninput your flag and I wiil check it:')
enc_flag = base64.b64encode(flag.encode()).decode()
enc_flag = enc_flag.translate(str.maketrans(string2, string1))
if enc_flag == str1:
    print('good job!!!!')
else:
    print('something wrong???')
    exit(0)

import base64

str1 = 'yD9oB3Inv3YAB19YynIuJnUaAGB0um0='
string1 = 'ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0123456789+/'
string2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

enc_flag=str1.translate(str.maketrans(string1, string2))
flag=base64.b64decode(enc_flag).decode()
print(flag)

UPX!

1.UPX!.exe拖入PE发现UPX

UPX 的全称是 “Ultimate Packer for Executables”，它可以将可执行文件中的代码和数据压缩到更小的体积，并在运行时自动解压缩，使程序能够正常执行。

在这里插入图片描述

2.利用工具，upx脱壳

D:\Upx\upx-4.1.0-win64>upx -d ../UPX!.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2023
UPX 4.1.0       Markus Oberhumer, Laszlo Molnar & John Reiser    Aug 8th 2023

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1263104 <-    270336   21.40%    win64/pe     UPX!.exe

Unpacked 1 file.

enc = [0x0A, 8, 2, 4, 0x13, 1, 0x1C, 'W', 0x0F, '8', 0x1E, 'W', 0x12, '8', ',', 9, 'W', 0x10,'8', '/', 'W', 0x10,'8', 0x13, 8, '8', '5', 2, 0x11, 'T', 0x15,0x14, 2, '8', '2', '7', '?', 'F','F','F', 0x1A]
flag=''

for i in enc:
    if isinstance(i, str):
        i=ord(i)
    flag += chr(i ^ 0x67)
print(flag)

Xor

1.拖入IDA，F5得到主函数代码

在这里插入图片描述

2.双击数组enc，选取数据shift+e导出，根据a ^ b = c ->c ^ a =b编写脚本

enc = [0x54, 0x56, 0x5C, 0x5A, 0x4D, 0x5F, 0x42, 0x60, 0x56, 0x4C, 0x66, 0x52, 0x57, 0x09, 0x4E, 0x66, 0x51, 0x09, 0x4E, 0x66, 0x4D, 0x09, 0x66, 0x61, 0x09, 0x6B, 0x18, 0x44]
flag=''

for i in enc:
    flag += chr(i ^ 0x39)

print(flag)

ANDROID

1.把BasicAndroid.apk拖入jadx得到主函数

在这里插入图片描述

2.根据xor编写脚本

public class Test {
   
    public static void main(String[] args) {
   
        char[] enc = {
   25, 7, 0, 14, 27, 3, 16, '/', 24, 2, '\t', ':', 4, 1, ':', '*', 11, 29, 6, 7, '\f', '\t', '0', 'T', 24, ':', 28, 21, 27, 28, 16};
        char[] key = {
   't', 'h', 'e', 'm', 'o', 'e', 'k', 'e', 'y'};
        for (int i = 0; i < 31; i++) {
   
            int a=(key[i % key.length]) ^ enc[i];
            System.out.print((char) a);
        }
    }
}
//moectf{Java_in_Android_1s_easy}

EQUATION

1.拖入IDA，F5反编译得到主函数代码

发现为31元一次方程组

ctrl+F2选取(char)v5、SBYTE1(v5)、SBYTE2(v5)、SHIBYTE(v5)、(char)v6、SHIBYTE(v6)、v7、！<< 6、

<< 7、<< 8改为v4[24]-v4[30]和=、*64、*128、*256

2.利用z3编写脚本

from z3 import *

v4 = [Int("input[%d]"%i) for i in range(31)]

s = Solver()
s.add(334 * v4[28]
     + 100 * v4[27]
     + 369 * v4[26]
     + 124 * v4[25]
     + 278 * v4[24]
     + 158 * v4[23]
     + 162 * v4[22]
     + 145 * v4[19]
     + 27 * v4[17]
     + 91 * v4[15]
     + 195 * v4[14]
     + 342 * v4[13]
     + 391 * v4[10]
     + 204 * v4[9]
     + 302 * v4[8]
     + 153 * v4[7]
     + 292 * v4[6]
     + 382 * v4[5]
     + 221 * v4[4]
     + 316 * v4[3]
     + 118 * v4[2]
     + 295 * v4[1]
     + 247 * v4[0]
     + 236 * v4[11]
     + 27 * v4[12]
     + 361 * v4[16]
     + 81 * v4[18]
     + 105 * v4[20]
     + 65 * v4[21]
     + 67 * v4[29]
     + 41 * v4[30] == 596119)
s.add(371 * v4[29]
     + 338 * v4[28]
     + 269 * v4[27]
     + 312 * v4[26]
     + 67 * v4[25]
     + 299 * v4[24]
     + 235 * v4[23]
     + 294 * v4[22]
     + 303 * v4[21]
     + 211 * v4[20]
     + 122 * v4[19]
     + 333 * v4[18]
     + 341 * v4[15]
     + 111 * v4[14]
     + 253 * v4[13]
     + 68 * v4[12]
     + 347 * v4[11]
     + 44 * v4[10]
     + 262 * v4[9]
     + 357 * v4[8]
     + 323 * v4[5]
     + 141 * v4[4]
     + 329 * v4[3]
     + 378 * v4[2]
     + 316 * v4[1]
     + 235 * v4[0]
     + 59 * v4[6]
     + 37 * v4[7]
     + 264 * v4[16]
     + 73 * v4[17]
     + 126 * v4[30] == 634009)
s.add(337 * v4[29]
     + 338 * v4[28]
     + 118 * v4[27]
     + 82 * v4[26]
     + 239 * v4[21]
     + 58 * v4[20]
     + 304 * v4[19]
     + 330 * v4[18]
     + 377 * v4[17]
     + 306 * v4[16]
     + 221 * v4[13]
     + 345 * v4[12]
     + 124 * v4[11]
     + 272 * v4[10]
     + 270 * v4[9]
     + 229 * v4[8]
     + 377 * v4[7]
     + 373 * v4[6]
     + 297 * v4[5]
     + 112 * v4[4]
     + 386 * v4[3]
     + 90 * v4[2]
     + 361 * v4[1]
     + 236 * v4[0]
     + 386 * v4[14]
     + 73 * v4[15]
     + 315 * v4[22]
     + 33 * v4[23]
     + 141 * v4[24]
     + 129 * v4[25]
     + 123 * v4[30] == 685705)
s.add(367 * v4[29]
     + 55 * v4[28]
     + 374 * v4[27]
     + 150 * v4[24]
     + 350 * v4[23]
     + 141 * v4[22]
     + 124 * v4[21]
     + 366 * v4[20]
     + 230 * v4[19]
     + 307 * v4[18]
     + 191 * v4[17]
     + 153 * v4[12]
     + 383 * v4[11]
     + 145 * v4[10]
     + 109 * v4[9]
     + 209 * v4[8]
     + 158 * v4[7]
     + 221 * v4[6]
     + 188 * v4[5]
     + 22 * v4[4]
     + 146 * v4[3]
     + 306 * v4[2]
     + 230 * v4[1]
     +