HNCTF2022Week2 Reverse WP

Table of contents

  • [HNCTF 2022 WEEK2]e@sy_flower
  • [HNCTF 2022 WEEK2]TTTTTTTTTea
  • [HNCTF 2022 WEEK2]Packet
  • [HNCTF 2022 WEEK2]来解个方程? (Solve an equation?)
  • [HNCTF 2022 WEEK2]getflag
  • [HNCTF 2022 WEEK2]Easy_Android
  • [HNCTF 2022 WEEK2]Try2Bebug_Plus

[HNCTF 2022 WEEK2]e@sy_flower

Open the binary in IDA. The addresses are shown in red: a jz and a jnz form a pair of complementary jumps. NOP out the E9 byte.

Then press P on main to create the function, and press F5 to decompile it.
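
The NOP patch described above, as an added example that is not from the original write-up. It assumes the common form of this trick, two short jumps (74/75 rel8) to the same target that skip the junk byte; the sample bytes are constructed, not taken from the challenge binary.

```python
"""Find jz/jnz junk-byte stubs in raw code bytes and NOP the skipped bytes."""

JZ, JNZ, NOP = 0x74, 0x75, 0x90
MAX_JUNK = 4  # assumption: a stub only skips a few junk bytes


def find_junk_stubs(code: bytes):
    """Yield (stub_offset, junk_offset, junk_len) for each complementary pair."""
    for p in range(len(code) - 4):
        first, rel1, second, rel2 = code[p:p + 4]
        if {first, second} != {JZ, JNZ}:
            continue
        # A short jump is relative to the end of its own 2-byte instruction.
        target1 = p + 2 + rel1
        target2 = p + 4 + rel2
        # Same target from both jumps: the bytes in between never execute.
        if target1 == target2 and 0 < rel2 <= MAX_JUNK and target2 <= len(code):
            yield p, p + 4, rel2


def patch_junk(code: bytes) -> bytes:
    """Return a copy of code with every skipped junk byte replaced by NOP."""
    out = bytearray(code)
    for _, junk_off, junk_len in find_junk_stubs(code):
        out[junk_off:junk_off + junk_len] = bytes([NOP]) * junk_len
    return bytes(out)


# Constructed sample (not from the challenge binary):
#   push ebp; mov ebp, esp; jz +3; jnz +1; E9 (junk); xor eax, eax; pop ebp; ret
SAMPLE = bytes.fromhex("55 89e5 7403 7501 e9 31c0 5d c3")

if __name__ == "__main__":
    for stub, junk, n in find_junk_stubs(SAMPLE):
        print(f"stub at {stub:#x}: {n} junk byte(s) at {junk:#x}")
    print(patch_junk(SAMPLE).hex(" "))
```

Once the junk byte is a NOP, the disassembler no longer decodes E9 as the start of a 5-byte jmp, so the instructions after it line up again.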

This yields the source code.

The program first swaps every two characters and then XORs with 0x30.

enc = 'c~scvdzKCEoDEZ[^roDICUMC'
# Undo the XOR with 0x30 first ...
flag = [chr(ord(c) ^ 0x30) for c in enc]
# ... then swap each adjacent pair of characters back.
for i in range(len(flag) // 2):
    flag[2*i], flag[2*i + 1] = flag[2*i + 1], flag[2*i]
print(''.join(flag))

# NSSCTF{Just_junk_Bytess}

[HNCTF 2022 WEEK2]TTTTTTTTTea

First check for a packer: it is a 64-bit file.

The challenge is about XTEA encryption. The ciphertext is v4.

The key can be converted to dd type with the D key. Write the decryption script based on encrypt.

EXP:

#include <stdio.h>
#include <stdint.h>

int main(void)
{
    /* Ciphertext (v4): 32-bit words, decrypted two at a time */
    uint32_t a1[] = {0xC11EE75A, 0xA4AD0973, 0xF61C9018, 0x32E37BCD, 0x2DCC1F26, 0x344380CC};
    /* Key as four dwords */
    uint32_t a2[] = {0x10203, 0x4050607, 0x8090A0B, 0x0C0D0E0F};
    const uint32_t delta = 0x61C88647;
    uint32_t v0, v1, sum;
    int i, j, k;

    for (k = 0; k < 6; k += 2)
    {
        v0 = a1[k];
        v1 = a1[k + 1];
        /* Value of sum after 32 encryption rounds; unsigned arithmetic wraps mod 2^32 */
        sum = 0 - (32 * delta);
        for (i = 0; i <= 31; ++i)
        {
            v1 -= (((v0 >> 5) ^ (16 * v0)) + v0) ^ (a2[(sum >> 11) & 3] + sum);
            sum += delta;
            v0 -= (((v1 >> 5) ^ (16 * v1)) + v1) ^ (a2[sum & 3] + sum);
        }
        a1[k] = v0;
        a1[k + 1] = v1;
    }
    /* Print each word as four bytes, least significant byte first */
    for (i = 0; i < 6; i++)
    {
        for (j = 0; j <= 3; j++)
        {
            printf("%c", (a1[i] >> (j * 8)) & 0xff);
        }
    }
    return 0;
}

[HNCTF 2022 WEEK2]Packet

The binary is packed with UPX; unpack it with upx -d.

There is a do_something function.

It does a base64 encoding with a swapped alphabet table. Find the ciphertext and decode it.
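
Decoding a swapped-table base64 as described above, as an added example that is not from the original write-up. The alphabet and ciphertext here are constructed placeholders; the real ones are read from the unpacked binary.

```python
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def make_codec(custom: str):
    """Return (encode, decode) for a base64 variant that only swaps the alphabet."""
    if len(custom) != 64 or len(set(custom)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    to_custom = str.maketrans(STD, custom)
    to_std = str.maketrans(custom, STD)

    def encode(data: bytes) -> str:
        return base64.b64encode(data).decode().translate(to_custom)

    def decode(text: str) -> bytes:
        body = text.rstrip("=")
        if any(ch not in custom for ch in body):
            raise ValueError("character outside the custom alphabet")
        # Map each symbol back to the standard table, then restore the padding.
        std = body.translate(to_std)
        std += "=" * (-len(std) % 4)
        return base64.b64decode(std)

    return encode, decode


# Constructed alphabet: the standard table rotated by 13 positions.
CUSTOM = STD[13:] + STD[:13]
encode, decode = make_codec(CUSTOM)
SAMPLE_CT = encode(b"constructed_sample")  # constructed ciphertext

if __name__ == "__main__":
    print(SAMPLE_CT, "->", decode(SAMPLE_CT))
```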


[HNCTF 2022 WEEK2]来解个方程? (Solve an equation?)

The check function.

Solve it with the z3 constraint solver.

EXP:

from z3 import *


v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13, v14, v15, v16, v17, v18, v19, v20, v21, v22, v23 = Ints('v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15 v16 v17 v18 v19 v20 v21 v22 v23')

constraints = [
    245 * v6 + 395 * v5 + 3541 * v4 + 2051 * v3 + 3201 * v2 + 1345 * v7 == 855009,
    3270 * v6 + 3759 * v5 + 3900 * v4 + 3963 * v3 + 1546 * v2 + 3082 * v7 == 1515490,
    526 * v6 + 2283 * v5 + 3349 * v4 + 2458 * v3 + 2012 * v2 + 268 * v7 == 854822,
    3208 * v6 + 2021 * v5 + 3146 * v4 + 1571 * v3 + 2569 * v2 + 1395 * v7 == 1094422,
    3136 * v6 + 3553 * v5 + 2997 * v4 + 1824 * v3 + 1575 * v2 + 1599 * v7 == 1136398,
    2300 * v6 + 1349 * v5 + 86 * v4 + 3672 * v3 + 2908 * v2 + 1681 * v7 == 939991,
    212 * v22 + 153 * v21 + 342 * v20 + 490 * v12 + 325 * v11 + 485 * v10 + 56 * v9 + 202 * v8 + 191 * v23 == 245940,
    348 * v22 + 185 * v21 + 134 * v20 + 153 * v12 + 460 * v9 + 207 * v8 + 22 * v10 + 24 * v11 + 22 * v23 == 146392,
    177 * v22 + 231 * v21 + 489 * v20 + 339 * v12 + 433 * v11 + 311 * v10 + 164 * v9 + 154 * v8 + 100 * v23 == 239438,
    68 * v20 + 466 * v12 + 470 * v11 + 22 * v10 + 270 * v9 + 360 * v8 + 337 * v21 + 257 * v22 + 82 * v23 == 233887,
    246 * v22 + 235 * v21 + 468 * v20 + 91 * v12 + 151 * v11 + 197 * v8 + 92 * v9 + 73 * v10 + 54 * v23 == 152663,
    241 * v22 + 377 * v21 + 131 * v20 + 243 * v12 + 233 * v11 + 55 * v10 + 376 * v9 + 242 * v8 + 343 * v23 == 228375,
    356 * v22 + 200 * v21 + 136 * v11 + 301 * v10 + 284 * v9 + 364 * v8 + 458 * v12 + 5 * v20 + 61 * v23 == 211183,
    154 * v22 + 55 * v21 + 406 * v20 + 107 * v12 + 80 * v10 + 66 * v8 + 71 * v9 + 17 * v11 + 71 * v23 == 96788,
    335 * v22 + 201 * v21 + 197 * v11 + 280 * v10 + 409 * v9 + 56 * v8 + 494 * v12 + 63 * v20 + 99 * v23 == 204625,
    428 * v18 + 1266 * v17 + 1326 * v16 + 1967 * v15 + 3001 * v14 + 81 * v13 + 2439 * v19 == 1109296,
    2585 * v18 + 4027 * v17 + 141 * v16 + 2539 * v15 + 3073 * v14 + 164 * v13 + 1556 * v19 == 1368547,
    2080 * v18 + 358 * v17 + 1317 * v16 + 1341 * v15 + 3681 * v14 + 2197 * v13 + 1205 * v19 == 1320274,
    840 * v18 + 1494 * v17 + 2353 * v16 + 235 * v15 + 3843 * v14 + 1496 * v13 + 1302 * v19 == 1206735,
    101 * v18 + 2025 * v17 + 2842 * v16 + 1559 * v15 + 2143 * v14 + 3008 * v13 + 981 * v19 == 1306983,
    1290 * v18 + 3822 * v17 + 1733 * v16 + 292 * v15 + 816 * v14 + 1017 * v13 + 3199 * v19 == 1160573,
    186 * v18 + 2712 * v17 + 2136 * v16 + 98 * v13 + 138 * v14 + 3584 * v15 + 1173 * v19 == 1005746,
]


s = Solver()
s.add(constraints)

# Unknowns in flag order; each solved value is one ASCII code.
variables = [v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13,
             v14, v15, v16, v17, v18, v19, v20, v21, v22, v23]
if s.check() == sat:
    ans = s.model()
    endflag = [ans[v].as_long() for v in variables]
    print(endflag)
    # [78, 83, 83, 67, 84, 70, 123, 112, 105, 112, 95, 105, 110, 115, 116, 64, 108, 108, 95, 90, 51, 125]
    flag = ''.join(chr(num) for num in endflag)
    print(flag)

# NSSCTF{pip_inst@ll_Z3}

[HNCTF 2022 WEEK2]getflag

A 32-bit program: clicking 100000000 times gives the flag.

Open it in IDA and search the strings.

After jumping to the location, look at the assembly and modify the cmp or the jg.

Because there is no anti-debugging or other messy stuff, just make the getflag function run.


[HNCTF 2022 WEEK2]Easy_Android

Open it with jadx.

Look at the contents of MainActivity.

The main logic computes the MD5 of userName and then takes the characters at the odd positions of the result; that is the flag.

EXP:

import hashlib
username = "Tenshine"
data = hashlib.md5(username.encode()).hexdigest()
enc = 'b9c77224ff234f27ac6badf83b855c76'
# Keep the 1st, 3rd, 5th, ... hex characters (indices 0, 2, 4, ...)
flag = []
for i in range(0, len(data), 2):
    flag.append(data[i])
print(''.join(flag))
# bc72f242a6af3857

[HNCTF 2022 WEEK2]Try2Bebug_Plus

A 64-bit ELF file, so OD of course cannot open it. Open it in IDA.

The decrypt function is in plain view.

After it there is also a function named function.

It is TEA encryption; find the ciphertext and the key and decrypt.

There is also function, which performs an XOR operation.

EXP:

#include <stdio.h>
#include <stdint.h>

int main(void)
{
    /* Ciphertext: 32-bit words, decrypted two at a time */
    uint32_t a1[] = {1218055165, 954087480, 382851665, 1896157421, 509711250, 189299029, 179587463, 1572042981, 2677908685, 1240652200, 1619994270, 1650571313};
    /* TEA key */
    uint32_t a2[] = {170, 187, 204, 221};
    uint32_t v0, v1, sum;
    unsigned char flag[12];
    int i, k;

    for (k = 0; k < 12; k += 2)
    {
        v0 = a1[k];
        v1 = a1[k + 1];
        /* Converts to 0xC6EF3720 as an unsigned 32-bit value */
        sum = -957401312;
        for (i = 0; i <= 0x1F; ++i)
        {
            v1 -= (v0 + sum) ^ (16 * v0 + a2[2]) ^ ((v0 >> 5) + a2[3]);
            v0 -= (v1 + sum) ^ (16 * v1 + a2[0]) ^ ((v1 >> 5) + a2[1]);
            sum += 1640531527;
        }
        a1[k] = v0;
        a1[k + 1] = v1;
    }
    /* Undo the XOR from function: each word holds one character XORed with 16 * index */
    for (i = 0; i < 12; i++)
    {
        flag[i] = (unsigned char)(a1[i] ^ (16 * i));
        printf("%c", flag[i]);
    }
    return 0;
}

//th1s_1s_flag
