I'm locked down in my residential compound and can't install a VM on the laptop, so for now I'll work through the challenges that don't need one. Reverse has a lot in common with pwn: both come down to reading code, so it's an easy crossover.
Starting from the beginner level.
This one hands you a C program directly. It takes 3 arguments: the 1st must be 0xcafe; the 2nd must satisfy %5 != 3 and %17 == 8; the 3rd is a fixed string. They are then combined like this into the flag:
unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
So obviously (second % 17 == 8 gives 8 * 11 = 88, and the fixed argv[3] is 7 characters):
print(hex(0xcafe*31337 + 88 + 7 - 1615810207)[2:])  # c0ffee
Its name is unpack, and opening the file shows a UPX marker near the end. Download UPX from the web and unpack it:
D:\xctf.rev\upx-3.96-win64>.\upx -d ..\02_simple-unpack\aa
Then load it into IDA and the flag is right there:
mov esi, offset flag ; "flag{Upx_1s_n0t_a_d3liv3r_c0mp4ny}"
Load it into IDA first and the encryption code shows up: each input byte goes through a simple operation and is compared against v8.
strcpy(v8, ":\"AL_RT^L*.?+6/46");
v7 = 28537194573619560LL;
v6 = 7;
printf("Welcome to the RC3 secure password guesser.\n", a2, a3);
printf("To continue, you must enter the correct password.\n");
printf("Enter your guess: ");
__isoc99_scanf("%32s", s);
v3 = strlen(s);
if ( v3 < strlen(v8) )                  // v8 is 17 characters
    sub_4007C0();
for ( i = 0; i < strlen(s); ++i )
{
    if ( i >= strlen(v8) )
        sub_4007C0();
    if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
        sub_4007C0();
}
The corresponding decoder:
v8 = b":\"AL_RT^L*.?+6/46"
v6 = 7
v7 = 28537194573619560
# v7 is an 8-byte little-endian constant; its bytes spell b'harambe\x00',
# and i % v6 only ever indexes the first 7 of them
v7 = v7.to_bytes(8, 'little')  # b'harambe\x00'
for i in range(len(v8)):
    print(chr(v7[i % v6] ^ v8[i]), end='')
# RC3-2016-XORISGUD
Opening it in IDA shows something that looks like a flag; submitted it, and it really was the flag:
.data:080499C0 ; "9447{This_is_a_flag}"
This is a .pyc file, i.e. compiled Python bytecode. Find an online decompiler site and decompile it; the content just encodes the input:
import base64

# Python 2 code: chr(x) yields a one-byte str, so b64encode accepts it even when x > 0x7f
def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    return base64.b64encode(s)

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
Brute-forcing it is all it takes:
import base64
correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
a = base64.b64decode(correct)   # 21 bytes
# try every printable byte at each position and keep the one that encodes to a[j]
for j in range(len(a)):         # not range(30): that runs past the end and raises IndexError
    for i in range(0x20, 0x7f):
        x = i ^ 32
        x = x + 16
        if x == a[j]:
            print(chr(i), end='')
# nctf{d3c0mpil1n9_PyC}
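Both steps of encode() (XOR with 32, then +16) are invertible, so the input can be recovered directly rather than by trying every byte. The following is an added example, not code from the original writeup: encode() is the decompiled function rewritten for Python 3 (the output is built as bytes, since two of the encoded bytes are above 0x7f), decode() is its inverse, and the round trip is checked against the constant from the file.

```python
import base64

# The decompiled encode(), with Python 3 semantics: collect raw bytes instead
# of a Python 2 str, because e.g. '_' encodes to 0x8f and 'P' to 0x80.
def encode(message: str) -> bytes:
    out = bytearray()
    for ch in message:
        x = ord(ch) ^ 32
        x = x + 16
        out.append(x)
    return base64.b64encode(bytes(out))

# Direct inverse: undo the +16, then undo the ^32. No brute force needed.
def decode(encoded: bytes) -> str:
    raw = base64.b64decode(encoded)
    return ''.join(chr((b - 16) ^ 32) for b in raw)

# The comparison constant copied from the decompiled file.
CORRECT = b'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'

if __name__ == '__main__':
    flag = decode(CORRECT)
    print(flag)
    # re-encoding the recovered input must reproduce the constant exactly
    assert encode(flag) == CORRECT
```

The re-encode check matters whenever the decompiler output is ambiguous (Python 2 vs 3 string handling, truncation on 8-bit bytes): if the round trip does not reproduce the constant, the reconstructed encode() is wrong, not the flag.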
It's a Windows program; open it in IDA and a string turns up:
.rdata:00413E34 xmmword_413E34 xmmword 3074656D30633165577B465443545544h
.rdata:00413E34 ; DATA XREF: _main+10↑r
.rdata:00413E44 qword_413E44 dq 7D465443545544h ; DATA XREF: _main+27↑r
Just print them out (the immediates are shown as big numbers, and the in-memory bytes are the little-endian order, hence the reversal):
>>> bytes.fromhex('3074656D30633165577B465443545544')[::-1]
b'DUTCTF{We1c0met0'
>>> bytes.fromhex('7D465443545544')[::-1]
b'DUTCTF}'
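Both this challenge and the RC3 one above hinge on the same detail: a decompiler shows a packed string as one integer immediate (v7 = 28537194573619560, xmmword_413E34, qword_413E44), and the bytes in memory are that integer in little-endian order, with a short final constant padded by the NUL terminator in its high byte. The following is an added example, not code from the original writeup, that turns the immediates from both IDA listings into strings in one place; the helper names imm_bytes, imm_cstr and xor_repeating are my own.

```python
def imm_bytes(value: int, width: int) -> bytes:
    """Little-endian bytes of a width-byte integer constant as IDA prints it.

    The first character of the packed string is the least significant byte.
    """
    return value.to_bytes(width, 'little')

def imm_cstr(*parts) -> str:
    """Join consecutive (value, width) immediates and cut at the NUL terminator.

    A 7-character tail stored as a qword (7D465443545544h) has a zero high
    byte: that is the terminating NUL, not part of the text.
    """
    raw = b''.join(imm_bytes(v, w) for v, w in parts)
    return raw.split(b'\0', 1)[0].decode('ascii')

def xor_repeating(data: bytes, key: bytes, key_len: int) -> bytes:
    """The RC3 check inverted: s[i] == key[i % key_len] ^ data[i]."""
    return bytes(key[i % key_len] ^ data[i] for i in range(len(data)))

# Constants copied from the two IDA listings on this page.
RC3_V8 = b':"AL_RT^L*.?+6/46'
RC3_V7 = 28537194573619560      # qword immediate holding the XOR key
RC3_V6 = 7                      # key length used by the i % v6 index
DUTCTF_XMM = (0x3074656D30633165577B465443545544, 16)   # xmmword_413E34
DUTCTF_QWORD = (0x7D465443545544, 8)                    # qword_413E44

def rc3_flag() -> str:
    key = imm_bytes(RC3_V7, 8)  # b'harambe\x00'; i % 7 never reaches the NUL
    return xor_repeating(RC3_V8, key, RC3_V6).decode('ascii')

def dutctf_flag() -> str:
    return imm_cstr(DUTCTF_XMM, DUTCTF_QWORD)

if __name__ == '__main__':
    print(rc3_flag())     # RC3-2016-XORISGUD
    print(dutctf_flag())  # DUTCTF{We1c0met0DUTCTF}
```

Passing the width explicitly (8 for a qword, 16 for an xmmword) rather than letting Python pick the minimal length is what keeps the terminating NUL visible; dropping it silently would make a 7-byte key look like an 8-byte one if v6 had been 8.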