REVERSE-PRACTICE-BUUCTF-28
[FlareOn6]Memecat Battlestation
.Net程序,运行后输入weapon code,用dnSpy打开
在Stage1Form直接找到第一个weapon code,“RAINBOW”
Stage2Form同样的地方,第二个weapon code要进入isValidWeaponCode进行验证
isValidWeaponCode方法,第二个weapon code异或字符'A',然后和已知比较
写异或脚本即可得到第二个weapon code
#RAINBOW
# Stage2 weapon code: isValidWeaponCode XORs the typed code with 'A' before comparing,
# so XORing the stored bytes with 'A' again gives the expected code back.
data = [0x03, ord(' '), ord('&'), ord('$'), ord('-'), 0x1e, 0x02,
        ord(' '), ord('/'), ord('/'), ord('.'), ord('/')]
key = ord('A')
s = ''.join(chr(byte ^ key) for byte in data)
print(s)
#Bagel_Cannon
输入两个weapon code即可得到flag
[b01lers2020]chugga_chugga
elf文件,无壳,ida分析
main_main函数,读取输入,对输入的内容进行验证
fmt_Fscan(
a1,
(__int64)&go_itab__os_File_io_Writer,
(__int64)&v43,
(__int64)input,
v15,
v16,
(__int64)&go_itab__os_File_io_Reader,
os_Stdin);
v19 = input[1];
input_ = (_BYTE *)*input;
if ( v19 <= 2 )
break;
if ( input_[2] != 116 ) // input[2]==116
goto LABEL_39;
if ( v19 <= 9 )
break;
a2 = (unsigned __int8)input_[9];
if ( (_BYTE)a2 != 99 ) // input[9]==99
goto LABEL_39;
if ( v19 <= 0x10 )
break;
a1 = (unsigned __int8)input_[16];
if ( (_BYTE)a1 != 110 ) // input[16]==110
goto LABEL_39;
if ( v19 <= 0x15 )
break;
v17 = (unsigned __int8)input_[21];
if ( (_BYTE)v17 != 122 ) // input[21]==122
goto LABEL_39;
if ( v19 <= 0x16 )
break;
if ( input_[22] != 125 ) // input[22]==125
goto LABEL_39;
v18 = (unsigned __int8)input_[5];
if ( 115 != (_BYTE)v18 ) // input[5]==115
goto LABEL_39;
if ( (input_[3] ^ 116) != 18 ) // input[3]^116==18
goto LABEL_39;
v22 = (unsigned __int8)input_[1];
if ( (_BYTE)v22 != 99 ) // input[1]==99
goto LABEL_39;
a2 = (unsigned __int8)input_[7];
if ( (_BYTE)a2 != 100 ) // input[7]==100
goto LABEL_39;
v23 = input_[13];
if ( input_[12] != v23 ) // input[12]==input[13]
goto LABEL_39;
if ( 122 != input_[19] ) // input[19]==122
goto LABEL_39;
v17 = (unsigned __int8)input_[14];
v24 = (unsigned __int8)input_[6];
if ( (_BYTE)v24 + (_BYTE)v17 != 104 ) // input[6]+input[14]==104
goto LABEL_39;
v25 = input_[4];
if ( 123 != v25 ) // input[4]==123
goto LABEL_39;
v26 = input_[8];
if ( input_[15] != v26 ) // input[8]==input[15]==95
goto LABEL_39;
if ( v26 + 4 != (_BYTE)v22 ) // input[8]+4==v22==99,input[8]==95
goto LABEL_39;
v27 = (unsigned __int8)input_[17];
v28 = (unsigned __int8)input_[11];
if ( 125 - (_BYTE)v27 + 40 != (_BYTE)v28 ) // input[11]+input[17]==165
goto LABEL_39;
v29 = (unsigned __int8)input_[18];
v30 = v27 + v28 - v18 - v29;
v31 = v29 - v27;
if ( (_BYTE)v30 != (_BYTE)v31 ) // 2*input[17]+input[11]==2*input[18]+115
goto LABEL_39;
v32 = input_[6];
v33 = v24 - v27;
if ( *input_ != (_BYTE)v31 * ((unsigned __int8)v33 >> 1) + 110// input[0]=(input[18]-input[17])*((52-input[17])>>1)+110
|| (v34 = input_[10], v23 + 1 != v34) // input[10]-input[13]==1
|| (v35 = v25 - a2, a2 = v33, (_BYTE)v33 + 2 * (_BYTE)v33 + 4 * v35 != v34)// input[10]==3*(52-input[17])+4*23
|| (v36 = (unsigned int)(unsigned __int8)input_[20] - v22,
v37 = v31,
v38 = (unsigned int)(2 * v31),
(_BYTE)v36 != (_BYTE)v38) // input[20]-99==2*(input[18]-input[17])
|| (v18 = (unsigned int)a1 ^ (unsigned int)v18, (_BYTE)v18 != 29)
|| (_BYTE)v33 != 4 * v37 // 52-input[17]==4*(input[18]-input[17])
|| v32 != (_BYTE)v17 ) // input[6]==input[14]==52
手算或者z3都可以,解出来即为flag
# Rebuild the 23-byte input that passes every check in main_main (pseudocode above).
# Positions the binary compares against a constant are filled from a table first;
# the remaining positions are derived from the arithmetic relations between them.
FLAG_LEN = 23
fixed = {
    1: 99,          # input[1]  == 99
    2: 116,         # input[2]  == 116
    3: 116 ^ 18,    # input[3] ^ 116 == 18
    4: 123,         # input[4]  == 123
    5: 115,         # input[5]  == 115
    6: 52,          # input[6]  == input[14] == 52
    7: 100,         # input[7]  == 100
    8: 95,          # input[8]  == input[15] == 95
    9: 99,          # input[9]  == 99
    14: 52,
    15: 95,
    16: 110,        # input[16] == 110
    19: 122,        # input[19] == 122
    21: 122,        # input[21] == 122
    22: 125,        # input[22] == 125
}
data = [fixed.get(pos, 0) for pos in range(FLAG_LEN)]

# input[11] + input[17] == 165 together with the two relations on input[17]/input[18]
# (constants as worked out by the author; the expressions evaluate to 48 and 117).
data[17] = 2 * 165 - 282
data[11] = 282 - 165
# 52 - input[17] == 4 * (input[18] - input[17])
data[18] = (52 + 3 * data[17]) // 4
# input[10] == 3 * (52 - input[17]) + 4 * 23, input[10] - input[13] == 1, input[12] == input[13]
data[10] = 3 * (52 - data[17]) + 4 * 23
data[12] = data[13] = data[10] - 1
# input[0] == (input[18] - input[17]) * ((52 - input[17]) >> 1) + 110
data[0] = (data[18] - data[17]) * ((52 - data[17]) >> 1) + 110
# input[20] - 99 == 2 * (input[18] - input[17])
data[20] = 2 * (data[18] - data[17]) + 99

print(''.join(chr(c) for c in data))
#pctf{s4d_chugg4_n01zez}
[INSHack2018]Tricky-Part1
elf文件,无壳,ida分析
main函数,获取输入,比较输入和经stack_check处理过的v8,相同说明输入正确
进入stack_check函数,对v8的处理为,v8=base,而base[i]^="GDB"[i%len("GDB")]
对base交叉引用,来到__static_initialization_and_destruction_0,对base赋值,unk_401278已知
写脚本即可得到flag
s="GDB"
base=[0x0E, 0x0A, 0x11, 0x06, 0x3F, 0x01, 0x1F, 0x1C, 0x1D, 0x76,
0x37, 0x1D, 0x2F, 0x70, 0x30, 0x23, 0x77, 0x30, 0x18, 0x22,
0x72, 0x35, 0x1B, 0x31, 0x33, 0x70, 0x36, 0x76, 0x27, 0x1D,
0x73, 0x2A, 0x76, 0x2B, 0x75, 0x31, 0x3E, 0x37, 0x1D, 0x30,
0x2C, 0x71, 0x29, 0x1B, 0x26, 0x74, 0x26, 0x37, 0x20, 0x23,
0x71, 0x35, 0x1B, 0x24, 0x73, 0x75, 0x2E, 0x34, 0x39]
for i in range(len(base)):
base[i]^=ord(s[i%len(s)])
print(''.join(chr(i) for i in base))
#INSA{CXX_1s_h4rd3r_f0r_st4t1c_4n4l1sys_wh3n_d3bugg3r_f41ls}
[watevrCTF 2019]esreveR
elf文件,无壳,ida分析
main函数,获取输入,输入传入sub_55F41EAEE2D8函数进行验证
进入sub_55F41EAEE2D8函数,上面是一些异或运算,input作为最后一个参数传入sub_55F41EAEDBA0函数
进入sub_55F41EAEDBA0函数,直接对input的内容进行验证
调试,取出a1到a56的数据,转成字符串即为flag
# esreveR: the 56 values a1..a56 that sub_55F41EAEDBA0 compares the input against.
# They are all plain ASCII, so decoding them directly yields the flag.
data = [
    0x77, 0x61, 0x74, 0x65, 0x76, 0x72, 0x7b, 0x65, 0x73, 0x72, 0x65, 0x76, 0x65, 0x72,
    0x5f, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x64, 0x5f, 0x79, 0x6f, 0x75, 0x74,
    0x75, 0x62, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x77, 0x61, 0x74, 0x63, 0x68, 0x3f,
    0x76, 0x3d, 0x49, 0x38, 0x69, 0x6a, 0x62, 0x34, 0x5a, 0x65, 0x65, 0x35, 0x45, 0x7d,
]
print(bytes(data).decode('ascii'))
#watevr{esrever_reversed_youtube.com/watch?v=I8ijb4Zee5E}