BUUCTF reverse wp 71 - 75
[NPUCTF2020]你好sao啊
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax
__int64 v4; // rdx
__int64 v5; // rax
size_t v6; // rax
__int64 v7; // rax
__int64 v8; // rdx
__int64 v9; // rax
__int64 v11; // rdx
__int64 v12; // rax
char *s1; // [rsp+8h] [rbp-68h]
char s2[8]; // [rsp+10h] [rbp-60h] BYREF
__int64 v15; // [rsp+18h] [rbp-58h]
__int64 v16; // [rsp+20h] [rbp-50h]
__int64 v17; // [rsp+28h] [rbp-48h]
char v18; // [rsp+30h] [rbp-40h]
char s[40]; // [rsp+40h] [rbp-30h] BYREF
unsigned __int64 v20; // [rsp+68h] [rbp-8h]
v20 = __readfsqword(0x28u);
v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Welcome To Reverier-Encode Program!", envp);
std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Input Your flag:", v4);
std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
*(_QWORD *)s2 = 0xFD370FEB59C9B9ELL;
v15 = 0xDEAB7F029C4FD1B2LL;
v16 = 0xFACD9D40E7636559LL;
v17 = 4LL;
v18 = 0;
__isoc99_scanf("%33s", s);
s1 = (char *)RxEncode(s, 33);
if ( strlen(s) == 32 )
{
if ( !strcmp(s1, s2) )
v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Congratulations!", v11);
else
v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!", v11);
std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
return 0;
}
else
{
v6 = strlen(s);
v7 = std::ostream::operator<<(&std::cout, v6);
std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
v9 = std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!", v8);
std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
return 0;
}
}
估计是base64, 但是仔细读一下RxEncode函数, 发现是b64解码函数, 拿工具编码一下
void *__fastcall RxEncode(const char *a1, int a2)
{
int v3; // [rsp+18h] [rbp-38h]
int v4; // [rsp+1Ch] [rbp-34h]
int v5; // [rsp+20h] [rbp-30h]
int v6; // [rsp+24h] [rbp-2Ch]
int v7; // [rsp+28h] [rbp-28h]
int v8; // [rsp+28h] [rbp-28h]
int i; // [rsp+2Ch] [rbp-24h]
_BYTE *v10; // [rsp+30h] [rbp-20h]
void *s; // [rsp+38h] [rbp-18h]
v3 = 3 * (a2 / 4);
v4 = 0;
v5 = 0;
if ( a1[a2 - 1] == 61 )
v4 = 1;
if ( a1[a2 - 2] == 61 )
++v4;
if ( a1[a2 - 3] == 61 )
++v4;
if ( v4 == 3 )
{
v3 += 2;
}
else if ( v4 <= 3 )
{
if ( v4 == 2 )
{
v3 += 3;
}
else if ( v4 )
{
if ( v4 == 1 )
v3 += 4;
}
else
{
v3 += 4;
}
}
s = malloc(v3);
if ( s )
{
memset(s, 0, v3);
v10 = s;
while ( v5 < a2 - v4 )
{
v6 = 0;
v7 = 0;
while ( v6 <= 3 && v5 < a2 - v4 )
{
v7 = (v7 << 6) | (char)find_pos(a1[v5]);
++v6;
++v5;
}
v8 = v7 << (6 * (4 - v6));
for ( i = 0; i <= 2 && i != v6; ++i )
*v10++ = v8 >> (8 * (2 - i));
}
*v10 = 0;
return s;
}
else
{
puts("No enough memory.");
return 0LL;
}
}
[安洵杯 2019]crackMe
int __cdecl __noreturn main_0(int argc, const char **argv, const char **envp)
{
int (__cdecl *v3)(int); // [esp-4h] [ebp-D0h]
printf("please Input the flag:\n");
scanf_s("%s", &input);
MessageBoxW(0, L"Exception", L"Warning", 0);
v3 = sub_41100F;
MEMORY[0] = 1;
sub_411136(HIWORD(v3));
}
void __noreturn sub_4132E0()
{
if ( !j_strcmp(Str1, Str2) )
printf("right\n");
else
printf("wrong\n");
system("pause");
exit(0);
}
静态代码的逻辑找不到线索, 动调一下, 进入下面这个函数, 大小写互换
输入flag之后, 会进入exception处理, 这里会被AddVectoredExceptionHandlerhook, 然后调用handler执行, 点进去
int __stdcall Handler_0(_DWORD **a1)
{
char v2[20]; // [esp+D0h] [ebp-18h] BYREF
if ( **a1 == -1073741819 )
{
qmemcpy(v2, "where_are_u_now?", 16);
sub_951172(&unk_95A218, v2);
SetUnhandledExceptionFilter(TopLevelExceptionFilter);
}
return 0;
}
int __cdecl sub_951F50(int a1, unsigned int *a2)
{
int result; // eax
unsigned int v3; // [esp+D0h] [ebp-B8h]
unsigned int v4; // [esp+DCh] [ebp-ACh]
unsigned int v5; // [esp+E0h] [ebp-A8h]
unsigned int v6; // [esp+E4h] [ebp-A4h]
int v7[35]; // [esp+E8h] [ebp-A0h]
unsigned int v8; // [esp+174h] [ebp-14h]
unsigned int v9; // [esp+178h] [ebp-10h]
unsigned int v10; // [esp+17Ch] [ebp-Ch]
unsigned int v11; // [esp+180h] [ebp-8h]
v3 = 0;
v8 = _byteswap_ulong(*a2);
v9 = _byteswap_ulong(a2[1]);
v10 = _byteswap_ulong(a2[2]);
v11 = _byteswap_ulong(a2[3]);
v4 = v8 ^ 0xA3B1BAC6;
v5 = dword_957A68[1] ^ v9;
v6 = dword_957A68[2] ^ v10;
result = 12;
v7[0] = dword_957A68[3] ^ v11;
while ( v3 < 0x20 )
{
v7[v3 + 1] = *(&v4 + v3) ^ sub_9514E0(dword_957A78[v3] ^ v7[v3] ^ v7[v3 - 1] ^ *(&v5 + v3));
*(_DWORD *)(a1 + 4 * v3) = v7[v3 + 1];
result = ++v3;
}
return result;
}
跟进去发现逻辑看不懂, 试用findcrypt找下一下是否有密码函数
发现SM4的特征值, 猜测sub_951F50是SM4加密, 密钥是where_are_u_now?, 继续跟TopLevelExceptionFilter
int __cdecl sub_952C30(_DWORD *a1)
{
int result; // eax
char v2; // [esp+D3h] [ebp-11h]
size_t i; // [esp+DCh] [ebp-8h]
result = (int)a1;
if ( *(_DWORD *)*a1 == 0xC0000005 )
{
for ( i = 0; i < j_strlen(Str2); i += 2 ) // process str2
{
v2 = Str2[i];
Str2[i] = Str2[i + 1];
Str2[i + 1] = v2;
}
Str1 = (char *)sub_95126C(byte_95A180); // process str1
*(_DWORD *)(a1[1] + 176) = *(_DWORD *)(*a1 + 20);
*(_DWORD *)(a1[1] + 164) = *(_DWORD *)(*a1 + 24);
*(_DWORD *)(a1[1] + 172) = *(_DWORD *)(*a1 + 28);
*(_DWORD *)(a1[1] + 168) = *(_DWORD *)(*a1 + 32);
*(_DWORD *)(a1[1] + 156) = *(_DWORD *)(*a1 + 36);
*(_DWORD *)(a1[1] + 160) = *(_DWORD *)(*a1 + 40);
*(_DWORD *)(a1[1] + 184) = checkfunc;
return -1;
}
return result;
}
_BYTE *__cdecl sub_953090(char *Str)
{
int k; // [esp+E4h] [ebp-5Ch]
int v3; // [esp+F0h] [ebp-50h]
int j; // [esp+FCh] [ebp-44h]
int v5; // [esp+108h] [ebp-38h]
signed int i; // [esp+114h] [ebp-2Ch]
_BYTE *v7; // [esp+120h] [ebp-20h]
signed int v8; // [esp+12Ch] [ebp-14h]
int v9; // [esp+138h] [ebp-8h]
v5 = 0;
v8 = j_strlen(Str);
if ( v8 % 3 )
v9 = 4 * (v8 / 3) + 4;
else
v9 = 4 * (v8 / 3);
v7 = malloc(__CFADD__(v9, 1) ? -1 : v9 + 1);
v7[v9] = 0;
for ( i = 0; i < v8; i += 3 )
{
v3 = 0;
for ( j = 0; j < 3; ++j )
v3 |= (unsigned __int8)Str[j + i] << (8 * (2 - j));
for ( k = 0; k < 4; ++k )
{
if ( k >= 4 - (i + 3 - v8) && i + 3 > v8 )
v7[v5] = 33;
else
v7[v5] = BASE64_table_95A080[sub_9510FF((v3 >> (6 * (3 - k))) & 0x3F)];
++v5;
}
}
return v7;
}
int __cdecl sub_952760(int a1)
{
return (a1 + 24) % 64;
}
Str2经过奇偶位交换后得到, Str1是经过类似base64编码处理, 跟进去发现sub_952760会进行变表, 猜测是变表base64
最后Str1和Str2进行比较, 逆向思路: Str2处理后, 经过变表base64解码, 然后SM4解密
import base64
from pysm4 import decrypt
def b64_change_decode(encodestr):
changebase64 = "yzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/abcdefghijklmnopqrstuvwx"
originbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
trans_encodestr = encodestr.translate(str.maketrans(changebase64,originbase64))
res = base64.b64decode(trans_encodestr)
return res
Str2 = [
0x31, 0x55, 0x54, 0x41, 0x4F, 0x49, 0x6B, 0x70, 0x79, 0x4F,
0x53, 0x57, 0x47, 0x76, 0x2F, 0x6D, 0x4F, 0x59, 0x46, 0x59,
0x34, 0x52, 0x21, 0x21
]
Str2_exc = [0 for _ in range(len(Str2))]
for i in range(0, len(Str2), 2):
Str2_exc[i] = chr(Str2[i + 1])
Str2_exc[i + 1] = chr(Str2[i])
Str2 = ''.join(Str2_exc)
print(Str2)
tmp_flag = b64_change_decode(Str2[:len(Str2) - 2] + '==')
mid_flag = int.from_bytes(tmp_flag, byteorder='big')
print(tmp_flag, hex(mid_flag))
key = 'where_are_u_now?'
key_tmp = key.encode('utf-8')
key_int = int.from_bytes(key_tmp, byteorder='big')
print(hex(key_int))
decrypt_flag = decrypt(mid_flag, key_int)
flag = bytes.fromhex(hex(decrypt_flag)[2:]).decode()
# {{ stands for /, }} stands for /
print('flag{{{}}}'.format(flag))
[WUSTCTF2020]funnyre
无法反编译, 直接读汇编, 这里需要从命令行输入参数
接下来是头尾的单字节比较, 要求前5个字符是flag{,第38个字符是}, 中间32位字节分别 xor 和 add N个硬编码数据, 如下面的操作, 即对32个字节进行xor操作之后, 再add操作
最后和验证数组进行比较
这些操作可以叠加起来看作是只有一次xor和add, 所以有checklist可以直接爆破
checklist = [
217, 44, 39, 214, 216, 42, 218, 45, 215, 44,
220, 225, 219, 44, 217, 221, 39, 45, 42, 220,
219, 44, 225, 41, 218, 218, 44, 218, 42, 217,
41, 42
]
def add(xx, kk):
return [(x+kk) & 0xFF for x in xx]
def xor(xx, kk):
return [x ^ kk for x in xx]
def check(xx):
for x in xx:
if x < ord('0') or (x > ord('9') and x < ord('a')) or x > ord('f'):
return False
return True
if __name__ == '__main__':
for k1 in range(0x100):
tmp_add = add(checklist, k1)
for k2 in range(0x100):
tmp_xor = xor(tmp_add, k2)
if check(tmp_xor):
print(bytes(tmp_xor))
print(k1, k2)
'''
b'1dc20f6e3d497d15cef47d9a66d6f1af'
42 50
b'1dc20f6e3d497d15cef47d9a66d6f1af'
74 18
b'1dc20f6e3d497d15cef47d9a66d6f1af'
170 178
b'1dc20f6e3d497d15cef47d9a66d6f1af'
'''
[WMCTF2020]easy_re
直接逆找不到线索, 搜索一下 perlapp 逆向找到一个帖子
perl打包的exe需要找到解压函数, 动态调试, 断点到这个函数之后可以定位到关键代码, 这个解压函数会带有特征字符串script
rax就是解压函数的返回值, 点进去就发现解压出来的flag
[GUET-CTF2019]encrypt
__int64 __fastcall main(int a1, char **a2, char **a3)
{
unsigned int v3; // eax
unsigned int length; // eax
char v6[4]; // [rsp+4h] [rbp-93Ch] BYREF
int i; // [rsp+8h] [rbp-938h]
int v8; // [rsp+Ch] [rbp-934h]
char v9[1040]; // [rsp+10h] [rbp-930h] BYREF
char v10[16]; // [rsp+420h] [rbp-520h] BYREF
char input[256]; // [rsp+430h] [rbp-510h] BYREF
char encrypt[1032]; // [rsp+530h] [rbp-410h] BYREF
unsigned __int64 v13; // [rsp+938h] [rbp-8h]
v13 = __readfsqword(0x28u);
v10[0] = 16;
v10[1] = 32;
v10[2] = 48;
v10[3] = 48;
v10[4] = 32;
v10[5] = 32;
v10[6] = 16;
v10[7] = 64;
memset(input, 0, sizeof(input));
v8 = strlen(input);
memset(encrypt, 0, 0x400uLL);
printf("please input your flag:");
scanf("%s", input);
memset(v9, 0, 0x408uLL);
func1(v9, v10, 8LL);
v3 = strlen(input);
func2(v9, input, v3);
length = strlen(input);
func3(input, length, encrypt, v6);
for ( i = 0; i <= 50; ++i )
{
if ( encrypt[i] != checklist[i] )
{
puts("Wrong");
return 0LL;
}
}
puts("Good");
return 0LL;
}
bool __fastcall sub_4006B6(_DWORD *a1, __int64 a2, int a3)
{
bool result; // al
int i; // [rsp+1Ch] [rbp-18h]
int j; // [rsp+1Ch] [rbp-18h]
int v6; // [rsp+20h] [rbp-14h]
int v7; // [rsp+24h] [rbp-10h]
int v8; // [rsp+28h] [rbp-Ch]
_DWORD *v9; // [rsp+2Ch] [rbp-8h]
*a1 = 0;
a1[1] = 0;
v9 = a1 + 2;
for ( i = 0; i <= 255; ++i )
v9[i] = i;
v7 = 0;
result = 0;
LOBYTE(v6) = 0;
for ( j = 0; j <= 255; ++j )
{
v8 = v9[j];
v6 = (unsigned __int8)(v6 + v8 + *(_BYTE *)(v7 + a2));
v9[j] = v9[v6];
v9[v6] = v8;
result = ++v7 >= a3;
if ( v7 >= a3 )
v7 = 0;
}
return result;
}
_DWORD *__fastcall func2(_DWORD *a1, __int64 input, int a3)
{
_DWORD *result; // rax
int i; // [rsp+18h] [rbp-1Ch]
int v5; // [rsp+1Ch] [rbp-18h]
int v6; // [rsp+20h] [rbp-14h]
int v7; // [rsp+24h] [rbp-10h]
int v8; // [rsp+28h] [rbp-Ch]
_DWORD *v9; // [rsp+2Ch] [rbp-8h]
v5 = *a1;
v6 = a1[1];
v9 = a1 + 2;
for ( i = 0; i < a3; ++i )
{
v5 = (unsigned __int8)(v5 + 1);
v7 = v9[v5];
v6 = (unsigned __int8)(v6 + v7);
v8 = v9[v6];
v9[v5] = v8;
v9[v6] = v7;
*(_BYTE *)(i + input) ^= LOBYTE(v9[(unsigned __int8)(v7 + v8)]);
}
*a1 = v5;
result = a1;
a1[1] = v6;
return result;
}
_DWORD *__fastcall func3(__int64 input, int length, const char *encrypt, _DWORD *a4)
{
int v4; // eax
int v5; // eax
unsigned __int8 v6; // al
int v7; // eax
unsigned __int8 v8; // al
int v9; // eax
int v10; // edx
_DWORD *result; // rax
char v13; // [rsp+2Dh] [rbp-13h]
unsigned __int8 v14; // [rsp+2Eh] [rbp-12h]
unsigned __int8 v15; // [rsp+2Fh] [rbp-11h]
int v16; // [rsp+30h] [rbp-10h]
int i; // [rsp+34h] [rbp-Ch]
v16 = 0;
i = 0;
while ( i < length )
{
v4 = i++;
v13 = *(_BYTE *)(v4 + input);
if ( i >= length )
{
v6 = 0;
}
else
{
v5 = i++;
v6 = *(_BYTE *)(v5 + input);
}
v14 = v6;
if ( i >= length )
{
v8 = 0;
}
else
{
v7 = i++;
v8 = *(_BYTE *)(v7 + input);
}
v15 = v8;
encrypt[v16] = ((v13 >> 2) & 0x3F) + '=';
encrypt[v16 + 1] = ((((int)v14 >> 4) | (16 * v13)) & 0x3F) + '=';
encrypt[v16 + 2] = ((((int)v8 >> 6) | (4 * v14)) & 0x3F) + '=';
v9 = v16 + 3;
v16 += 4;
encrypt[v9] = (v15 & 0x3F) + '=';
}
if ( length % 3 == 1 )
{
encrypt[--v16] = '=';
}
else if ( length % 3 != 2 )
{
goto LABEL_15;
}
encrypt[v16 - 1] = 61;
LABEL_15:
v10 = strlen(encrypt);
result = a4;
*a4 = v10;
return result;
}
RC4加密, 动调拿xor数组, 写逆
#include