BUUCTF逆向题练习记录(wp) --(2)
注:常规处理,如upx脱壳不注明。
[GWCTF 2019]xxor
主要代码1:
for ( i = 0; i <= 5; ++i )
{
printf("%s", "input: ", (unsigned int)i);
__isoc99_scanf("%d", (char *)&v6 + 4 * i); // 每个存四个字符
}
v11 = 0LL;
v12 = 0LL;
v13 = 0LL;
v14 = 0LL;
v15 = 0LL;
for ( j = 0; j <= 4; j += 2 )
{
dword_601078 = *((_DWORD *)&v6 + j); // 每4个字符进行运算
dword_60107C = *((_DWORD *)&v6 + j + 1); // 每次两组
sub_400686((unsigned int *)&dword_601078, &unk_601060);// unk_601060:2,3,4
*((_DWORD *)&v11 + j) = dword_601078;
*((_DWORD *)&v11 + j + 1) = dword_60107C;
}
if ( (unsigned int)sub_400770(&v11) != 1 )
{
puts("NO NO NO~ ");
exit(0);
}
puts("Congratulation!\n");
puts("You seccess half\n");
puts("Do not forget to change input to hex and combine~\n");
puts("ByeBye");
通过代码阅读可知,这里将输入拆成了6次,每次输入一个DWORD长度(unsigned int)然后以DWORD为单位进行运算。
那么根据逻辑可推sub400770这个位置的函数是check函数,进去看看:
signed __int64 __fastcall sub_400770(_DWORD *a1)
{
signed __int64 result; // rax
if ( a1[2] - a1[3] != 2225223423LL || a1[3] + a1[4] != 4201428739LL || a1[2] - a1[4] != 1121399208LL )
{
puts("Wrong!");
result = 0LL;
}
else if ( *a1 != 0xDF48EF7E || a1[5] != 0x84F30420 || a1[1] != 550153460 )
{
puts("Wrong!");
result = 0LL;
}
else
{
puts("good!");
result = 1LL;
}
return result;
}
将结果仍python里,z3约束求解:
from z3 import*
x = Int('x')
y = Int('y')
z = Int('z')
solve(x-y==0x84A236FF,y+z==0xFA6CB703,x-z==0x42D731A8)
#[x = 3237154773, y = 1011931350, z = 3189497389]
#0xDF48EF7E,0x20CAACF4,3774025685,1548802262,2652626477,0x84F30420
而易得在check函数上面的函数sub_400686是变换函数,进去查看:
__int64 __fastcall sub_400686(unsigned int *a1, _DWORD *a2)
{
__int64 result; // rax
unsigned int v3; // [rsp+1Ch] [rbp-24h]
unsigned int v4; // [rsp+20h] [rbp-20h]
int v5; // [rsp+24h] [rbp-1Ch]
unsigned int i; // [rsp+28h] [rbp-18h]
v3 = *a1;
v4 = a1[1];
v5 = 0;
for ( i = 0; i <= 0x3F; ++i )
{
v5 += 0x458BCD42; // 正:v5+=0x458bcd42
// a1[0]+=(a1[1]+=11)^((a1[1]<<6)+2)^((a1[1]>>9)+2)^0x20
// a1[1]+=(a1[0]+=11)^((a1[0]<<6)+3)^((a1[0]>>9)+4)^0x10
//
v3 += (v4 + v5 + 11) ^ ((v4 << 6) + *a2) ^ ((v4 >> 9) + a2[1]) ^ 0x20;// 可抓1和0,可逆推v4->v3->v5->,,,,
v4 += (v3 + v5 + 20) ^ ((v3 << 6) + a2[2]) ^ ((v3 >> 9) + a2[3]) ^ 0x10;
}
*a1 = v3;
result = v4;
a1[1] = v4;
return result;
}
读变换逻辑逆推即可,脚本如下:
#include这里比较有意思的是位数都被砍了两位,最后其实是6组每组3位的字符。
然后我变换内输出那一段对我来说其实有点诡异。。。。输出第二个东西的时候不管设什么输出的都是0,但如果到循环外设置输出整个数组时又正常了。
flag{re_is_great!}
[GUET-CTF2019]re
shift+f12摸进主函数
极其耿直的硬算,算完结束
#include欸还没结束呢(虚晃一枪)
因为根据校验函数读出来flag第六位缺少,手动爆破一波。
flag{e165421110ba03099a1c039337}
[FlareOn4]login
源码如下:
<html>
<head>
<title>FLARE On 2017title>
head>
<body>
<input type="text" name="flag" id="flag" value="Enter the flag" />
<input type="button" id="prompt" value="Click to check the flag" />
<script type="text/javascript">
document.getElementById("prompt").onclick = function () {
var flag = document.getElementById("flag").value;
var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
if ("[email protected]" == rotFlag) {
alert("Correct flag!");
} else {
alert("Incorrect flag, rot again");
}
}
script>
body>
html>
这里就是考一个基础的代码逻辑能力,第一个三目判断这个字符是大写还是小写,然后第二个三目在字母表中在前13还是后13(<=m,>m),并且注意这里字符无论是在前表还是后表,都已经先被+13了,于是第二个三目的结果:c,c-26可得是c+13,c-13。即,该字符若是在前表则其+13到后表,若是后表则其-13到前表。
写脚本逆向即可:
#includeflag{[email protected]}
[FlareOn4]IgniteMe
无脑异或嗷
#includeflag{[email protected]}