转战到buuctf的逆向,开头1分题,闲着先练练手。
- easyre
-
// easyre: IDA decompilation of main().
// Reads two integers and prints the flag when they are equal. The flag is a
// plain string literal, so it can be read from the binary without running it.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int b; // [rsp+28h] [rbp-8h] BYREF
  int a; // [rsp+2Ch] [rbp-4h] BYREF

  _main();
  scanf("%d%d", &a, &b); // return value is not checked: a and b are never initialised if parsing fails
  if ( a == b ) // the only condition is equality of the two inputs; nothing is derived from them
    printf("flag{this_Is_a_EaSyRe}");
  else
    printf("sorry,you can't get flag");
  return 0;
}
确实是1分,直接给flag
-
- reverse1
- 根据显示的"input the flag:"搜到引用函数 sub_1400118C0
- 这里将str2的o改为0然后就进行比较,所以得到flag{hell0_w0rld}
-
// reverse1: IDA decompilation of the routine that references "input the flag:".
// It rewrites the global Str2 in place ('o' -> '0'), reads the user's input
// into Str1 and compares the input with the rewritten Str2.
__int64 sub_1400118C0()
{
  char *v0; // rdi
  __int64 i; // rcx
  size_t v2; // rax
  size_t v3; // rax
  char v5[36]; // [rsp+0h] [rbp-20h] BYREF
  int j; // [rsp+24h] [rbp+4h]
  char Str1[224]; // [rsp+48h] [rbp+28h] BYREF
  unsigned __int64 v8; // [rsp+128h] [rbp+108h]

  // Writes -858993460 (0xCCCCCCCC) into 82 consecutive dwords starting at v5.
  // NOTE(review): looks like a debug-build stack fill rather than challenge logic - confirm.
  v0 = v5;
  for ( i = 82i64; i; --i )
  {
    *(_DWORD *)v0 = -858993460;
    v0 += 4;
  }
  for ( j = 0; ; ++j )
  {
    v8 = j;
    v2 = j_strlen(Str2); // '{hello_world}'
    if ( v8 > v2 ) // the loop also visits index strlen(Str2), i.e. the terminator
      break;
    if ( Str2[j] == 111 ) // replace 'o' (111) with '0' (48)
      Str2[j] = 48;
  }
  sub_1400111D1("input the flag:");
  // NOTE(review): presumably a scanf wrapper; "%20s" would cap the read at 20 characters, well inside Str1[224].
  sub_14001128F("%20s", Str1);
  v3 = j_strlen(Str2);
  if ( !strncmp(Str1, Str2, v3) ) // only the first strlen(Str2) bytes are compared; anything after them is ignored
    sub_1400111D1("this is the right flag!\n");
  else
    sub_1400111D1("wrong flag\n");
  sub_14001113B(v5, &unk_140019D00); // NOTE(review): purpose not visible here; possibly a stack-check helper - confirm
  return 0i64;
}
- reverse2
- 同上一题,找到{hacking_for_fun}
- 将i和r改为1得到 flag{hack1ng_fo1_fun} 出题人太不用心了
- 内涵的软件
- 直接就能找到flag,不过要把开头的DBAPP改成flag:flag{49d3c93df25caad81232130f3d2ebfad}
-
// "内涵的软件": IDA decompilation of main_0().
// v5 is set to the "DBAPP{...}" literal but is never passed to any call in
// this function, so the value only shows up when the binary is inspected.
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  int result; // eax
  char v4[4]; // [esp+4Ch] [ebp-Ch] BYREF
  const char *v5; // [esp+50h] [ebp-8h]
  int v6; // [esp+54h] [ebp-4h]

  v6 = 5;
  v5 = "DBAPP{49d3c93df25caad81232130f3d2ebfad}"; // assigned and then unused
  // Counts v6 down from 5 to 0, printing it with the format string aD each time.
  while ( v6 >= 0 )
  {
    printf(aD, v6);
    sub_40100A(); // NOTE(review): body not shown; called once per iteration - confirm what it does
    --v6;
  }
  printf(
    "\n"
    "\n"
    "\n"
    "这里本来应该是答案的,但是粗心的程序员忘记把变量写进来了,你要不逆向试试看:(Y/N)\n");
  v4[0] = 1;
  scanf("%c", v4); // reads a single character; return value is not checked
  if ( v4[0] == 89 ) // 89 == 'Y'
  {
    printf(aOdIda);
    result = sub_40100A();
  }
  else
  {
    if ( v4[0] == 78 ) // 78 == 'N'
      printf(asc_425034);
    else
      printf("输入错误,没有提示.");
    result = sub_40100A();
  }
  return result;
}
- 新年快乐
- ida打开发现有壳,查壳是upx,先脱壳
- 然后看到对比的串直接得到 flag{HappyNewYear!}
-
// "新年快乐": IDA decompilation of main() from the unpacked binary.
// Copies the expected string into Str2, reads the user's input and compares
// the first strlen(Str2) bytes of the input with it.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  char Str2[14]; // [esp+12h] [ebp-3Ah] BYREF
  __int16 Str1; // [esp+20h] [ebp-2Ch] BYREF
  _BYTE v6[30]; // [esp+22h] [ebp-2Ah] BYREF

  __main();
  strcpy(Str2, "HappyNewYear!"); // 13 characters plus the terminator fill Str2[14] exactly
  // Str1 (2 bytes at ebp-2Ch) and v6 (30 bytes at ebp-2Ah) are adjacent, so
  // together they act as one zeroed 32-byte input buffer.
  Str1 = 0;
  memset(v6, 0, sizeof(v6));
  printf("please input the true flag:");
  // "%s" has no field width: input longer than the 32 bytes above is written past the buffer.
  scanf("%s", &Str1);
  if ( !strncmp((const char *)&Str1, Str2, strlen(Str2)) ) // prefix comparison; bytes after the 13th are ignored
    result = puts("this is true flag!");
  else
    result = puts("wrong!");
  return result;
}
- xor
- 加密时从前往后,第i个字符与(已经异或过的)第i-1个字符异或;解密时从后往前,每个字符与它前一个字符异或,即可还原成原值
-
// xor: IDA decompilation of main().
// Requires a 33-character input, XORs every byte with the (already
// transformed) byte before it, and compares the result with `global`.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+2Ch] [rbp-124h]
  char __b[264]; // [rsp+40h] [rbp-110h] BYREF

  memset(__b, 0, 0x100uLL);
  printf("Input your flag:\n");
  get_line(__b, 256LL); // NOTE(review): helper not shown; presumably reads at most 256 bytes into __b - confirm
  if ( strlen(__b) != 33 )
    goto LABEL_7;
  // Forward, in-place chain: __b[0] is left as typed, and each later byte is
  // XORed with its predecessor after that predecessor has been transformed.
  for ( i = 1; i < 33; ++i )
    __b[i] ^= __b[i - 1];
  if ( !strncmp(__b, global, 0x21uLL) ) // 0x21 == 33 bytes compared against the stored value
    printf("Success");
  else
LABEL_7:
    printf("Failed");
  return 0;
}
-
# The 33 encoded bytes used by the write-up (presumably the contents of the
# `global` buffer the binary compares against).
a = [
    0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11,
    0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F,
    0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F,
    0x47, 0x32, 0x4F,
]

# Undo the chained XOR in place. Walking from the tail towards the head keeps
# a[pos - 1] in its encoded form at the moment a[pos] is restored.
pos = len(a) - 1
while pos > 0:
    a[pos] = a[pos] ^ a[pos - 1]
    pos -= 1

print(bytes(a))
# flag{QianQiuWanDai_YiTongJiangHu}
- helloworld
- java apk题用jadx-gui打开,可直接看到flag
-
public class MainActivity extends ActionBarActivity { protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView((int) R.layout.activity_main); int x = "flag{7631a988259a00816deda84afb29430a}".compareTo("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
- reverse
- 先对输入base64编码,再每个加序号
-
// reverse: excerpt from the decompiled check routine (declarations not shown).
// The input is passed through sub_4110BE (base64 according to the write-up),
// each byte of the result has its index added, and the outcome is compared
// with Str2.
sub_41132F("please enter the flag:", v7);
sub_411375("%20s", (char)Str); // NOTE(review): presumably a scanf wrapper limiting the input to 20 characters - confirm
v3 = j_strlen(Str);
v4 = (const char *)sub_4110BE((int)Str, v3, (int)v14);// 2: base64
// strncpy copies at most 0x28 (40) bytes and does not terminate the string when
// the source is that long or longer; the size of Destination is not visible here.
strncpy(Destination, v4, 0x28u);
v11 = j_strlen(Destination);
for ( j = 0; j < v11; ++j ) // 1: add the index to each byte
  Destination[j] += j;
v5 = j_strlen(Destination);
// The compare length comes from the transformed input, not from Str2, so a
// Destination that is only a prefix of Str2 also compares equal.
if ( !strncmp(Destination, Str2, v5) )
  sub_41132F("rigth flag!\n", v8);
else
  sub_41132F("wrong flag!\n", v8);
-
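# Import only the one function that is used, at the top of the script, instead
# of a wildcard import in the middle of it.
from base64 import b64decode

# Target string used by the write-up (the value the binary compares against).
a = b'e3nifIH9b_C@n@dH'

# Step 1: undo "add the index" by subtracting each byte's position.
des = [v - i for i, v in enumerate(a)]
print(bytes(des))

# Step 2: undo the base64 encoding.
print(b64decode(bytes(des)))
# {i_l0ve_you}
# flag{i_l0ve_you}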
- 不一样的flag
- 打开后看到****串,然后是1234代表上下左右,是个走迷宫的题
-
strcpy(v3, "*11110100001010000101111#"); while ( 1 ) { puts("you can choose one action to execute"); puts("1 up"); puts("2 down"); puts("3 left"); printf("4 right\n:"); scanf("%d", &v5); if ( v5 == 2 ) { ++*(_DWORD *)&v3[25]; } else if ( v5 > 2 ) {
-
*1111
01000
01010
00010
1111#

走迷宫(1 上、2 下、3 左、4 右):222441144222
flag{222441144222}
- SimpleRev
- 给了两个串,每个由两块加一起
-
// SimpleRev: IDA decompilation of Decry().
// Builds `text` from key3 plus a stack string and `key` from key1 plus a stack
// string, lower-cases key, transforms each typed letter with the matching key
// byte into str2, and finally compares str2 with text.
unsigned __int64 Decry()
{
  char v1; // [rsp+Fh] [rbp-51h]
  int v2; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int v5; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h] BYREF
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  __int64 v9[2]; // [rsp+40h] [rbp-20h] BYREF
  int v10; // [rsp+50h] [rbp-10h]
  unsigned __int64 v11; // [rsp+58h] [rbp-8h]

  // NOTE(review): the fs:0x28 value saved here and XORed on return looks like
  // the compiler's stack-protector check, not challenge logic - confirm.
  v11 = __readfsqword(0x28u);
  // The characters of this constant appear in reverse order: read as a string,
  // src is "NDCLS" (the write-up's solver uses the key "ADSFKNDCLS").
  *(_QWORD *)src = 'SLCDN';
  v7 = 0LL;
  v8 = 0;
  v9[0] = 'wodah'; // same reversal: read as a string this is "hadow"
  v9[1] = 0LL;
  v10 = 0;
  text = join(key3, (const char *)v9); // expected result: key3 followed by the stack string
  strcpy(key, key1);
  strcat(key, src); // key = key1 followed by src; the size of key is not visible here
  v2 = 0;
  v3 = 0;
  getchar(); // one character is read and discarded before the prompt
  v5 = strlen(key);
  // v3 advances together with i, so v3 % v5 == i here: every upper-case key
  // byte is replaced by its lower-case form (+32). v3 equals v5 afterwards.
  for ( i = 0; i < v5; ++i )
  {
    if ( key[v3 % v5] > 64 && key[v3 % v5] <= 90 )
      key[i] = key[v3 % v5] + 32;
    ++v3;
  }
  printf("Please input your flag:");
  // Reads until a newline (10). There is no EOF test and v2 is never compared
  // with the size of str2, which is declared elsewhere.
  while ( 1 )
  {
    v1 = getchar();
    if ( v1 == 10 )
      break;
    if ( v1 == 32 ) // a space only advances the output index
    {
      ++v2;
    }
    else
    {
      if ( v1 <= 96 || v1 > 122 ) // not a lower-case letter
      {
        if ( v1 > 64 && v1 <= 90 ) // upper-case letter
        {
          str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
          ++v3;
        }
      }
      else // lower-case letter: same formula as the upper-case branch
      {
        str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % v5) ) // prints a space whenever the key index is back at the start
        putchar(32);
      ++v2;
    }
  }
  if ( !strcmp(text, str2) )
    puts("Congratulation!\n");
  else
    puts("Try again!\n");
  return __readfsqword(0x28u) ^ v11;
}
- 先把key转成小写;输入的每个字母c经过 (c - 39 - key[i] + 97) % 26 + 97 变换后要与text的第i个字符相等,为方便直接逐位爆破
-
# Expected output of the transform (key3 + "hadow" in the decompiled routine).
text = b'killshadow'

# The binary lower-cases the key before using it; do the same here.
key = [c + 32 if 64 < c <= 90 else c for c in b'ADSFKNDCLS']
print(bytes(key))

# For every position, try each upper-case letter until the binary's formula
# yields the expected byte, printing the partial result after each hit.
flag = ''
for pos in range(len(text)):
    want = text[pos]
    cand = 65
    while cand < 91:
        if (cand - 39 - key[pos] + 97) % 26 + 97 == want:
            flag = flag + chr(cand)
            print(flag)
            break
        cand += 1
# KLDQCUDFZO
# flag{KLDQCUDFZO}