攻防世界-部分re题(answer_to_everything&dmd-50& easyre-153&Replace)

目录

answer_to_everything

dmd-50

 easyre-153

Replace

方法一:

 方法二:


answer_to_everything

题目下载:下载拖入IDA前,在题目首页看到推测是sha1加密。拖入IDA。

v4为输入,发现not the flag函数,进入发现条件成立会有输出,对他进行翻译所以直接对kdudpeh进行sha1加密即为flag。

dmd-50

题目下载:下载

查壳后,无壳。拖入IDA

 从第五十行可以知道,对v39进行md5加密,然后赋值给v40,v40赋值给v41。然后进行if判断,如果成立,则输出“The key is valid”。所以对v41数据进行md5解密即可获得输入v39

 easyre-153

题目下载:下载

 查壳,发现是upx壳,用upx -d脱壳后载入IDA

发现pipe(pipedes),fork()函数,这不是有关双进程通信的嘛。
对于相关知识点参考攻防世界逆向高手题之easyre-153_沐一 · 林的博客-CSDN博客_easyre-153
写得非常详细。

pipe()函数可用于创建一个管道,以实现进程间的通信。成功返回0,失败返回-1。

fork()函数通过系统调用创建一个与原来进程几乎完全相同的进程,也就是两个进程可以做完全相同的事,但如果初始参数或者传入的变量不同,两个进程也可以做不同的事。fork()函数会有三种返回值,小于0即函数失败,等于0即返回到新创建的子进程,大于0即返回父进程或调用者。该值包含新创建的子进程的进程ID

 发现写操作写入一些东西到内核缓冲区中,这肯定是重要数据。在进入lol函数这就很奇怪,怎么没有数据就输出?没法运算啊?通过上面的参考知道,IDA反编译后的代码不是准确的。看lol函数的相关汇编代码

这不有很多操作嘛,所以断定是他没有反编译这一段。通过参考大佬wp,这个代码会使下面的函数一定跳转,跳转后就执行输出“flag_is_not_here” ,所以IDA就没有反编译上面的一堆代码,所以把他nop掉(具体解释看上面的大佬wp)在f5

通过这个代码,再加上写入缓冲区数据可得flag

key1="69800876143568214356928753"
flag=""
flag+=chr(2*ord(key1[1]))
flag+=chr(ord(key1[4])+ord(key1[5]))
flag+=chr(ord(key1[8])+ord(key1[9]))
flag+=chr(2*ord(key1[12]))
flag+=chr(ord(key1[18])+ord(key1[17]))
flag+=chr(ord(key1[10])+ord(key1[21]))
flag+=chr(ord(key1[9])+ord(key1[25]))
print("flag{"+flag+"}")

学习1:通过查阅大佬wp,更加透彻了解到双通信,pipe(),fork()函数

学习2:IDA的反编译存在一定误差,此时可以观察汇编代码

Replace

方法一:

查壳是upx壳,在脱壳文件中upx -d+文件名脱壳载入IDA

flag长度可能为35,36,37。进入sub_401090函数让返回值是1。

v5为flag中的字符,是未知。v6,v7也都是经过v5变化而来也是未知的。但是其他变量都是已知的。从21行往后直接根据上面代码敲就行。关键是32行的条件判断。byte_4021A0中的条件是未知的v6,v7怎么办?正向爆破。因为v5flag是可见字符,ascii一定是32到126的,所以从32-126分别赋值给v5,进一步求出v6,v7.如果条件成立,他就是flag中的字符,如果不是则遍历下一个可见字符。代码如下:

a=[0x32, 0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36, 0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64, 0x61, 0x65, 0x36]

b=[0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36, 0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64, 0x61, 0x65, 0x36]

c=[0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
flag=''
for i in range(35):
    v8 = a[2 * i]
    if ( v8 < 48 or v8 > 57 ):
        v9 = v8 - 87
    else:
        v9 = v8 - 48
    v10 = b[2 * i]
    v11 = 16 * v9
    if ( v10 < 48 or v10 > 57 ):
        v12 = v10 - 87
    else:
        v12 = v10 - 48
    v4=(v11 + v12) ^ 0x19
    for j in range(32,127):
        v6 = (j >> 4) % 16
        v7 = ((16 * j) >> 4) % 16
        if  c[16 * v6 + v7] ==v4:
            flag+=chr(j)
            break
print(flag)

 方法二:

参考wp:攻防世界逆向高手题之Replace_沐一 · 林的博客-CSDN博客_攻防世界 replace

v6,v7是有关位移和取余的运算。右移n=>除以2的n次方。左移n=>乘2的n次方

v6 = (v5 >> 4) % 16=> (v5 / 16) % 16
v7 = ((16 * v5) >> 4) % 16=>((16 * v5) /16 ) % 16 == v5%16

通过上面的wp知道if条件那里的 16*v6+v7就是v5,即flag遍历的字符

通过上面的式子易知道v7为余数,那么v6就是商。
对于为什么v6是商我是这样理解的:因为v5是可见字符一定是32-126中的一个数,他除以16的商一定是小于16的,所以(v5 / 16) % 16 == v5 / 16即是商,所以16*v6+v7就是v5。求v5就变为找(v11 + v12) ^ 0x19在byte_4021A0对应的位置。

a=[0x32, 0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36, 0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64, 0x61, 0x65, 0x36]

b=[0x61, 0x34, 0x39, 0x66, 0x36, 0x39, 0x63, 0x33, 0x38, 0x33, 0x39, 0x35, 0x63, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x64, 0x65, 0x39, 0x36, 0x64, 0x36, 0x66, 0x34, 0x65, 0x30, 0x32, 0x35, 0x34, 0x38, 0x34, 0x39, 0x35, 0x34, 0x64, 0x36, 0x31, 0x39, 0x35, 0x34, 0x34, 0x38, 0x64, 0x65, 0x66, 0x36, 0x65, 0x32, 0x64, 0x61, 0x64, 0x36, 0x37, 0x37, 0x38, 0x36, 0x65, 0x32, 0x31, 0x64, 0x35, 0x61, 0x64, 0x61, 0x65, 0x36]

c=[0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
flag=''
for i in range(35):
    v8=a[2*i]
    if v8 < 48 or v8 > 57:
        v9=v8-87
    else:
        v9=v8-48
    v10=b[2*i]
    v11=16*v9
    if v10 <48 or v10 > 57:
    	v12=v10-87
    else:
        v12=v10-48
    v4=((v11+v12)^25)
    flag+=chr(c.index(v4))			
print(flag)

学习1:有取余运算可以从32-126正向爆破,符合条件及时flag

学习2:位移运算和乘除转化

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值