CTF Reverse Engineering, Level Up!!!

The reversing challenges get an upgrade; the difficulty goes up just a little.
We start with a simple MFC program.

CRACKME

First, run it and take a look.
Searching for strings in IDA turns up nothing at all.
Load it into xspy and find the offset of the handler address.
That region shows up red (undefined) in IDA at first; just press P to create the function.
Decompile it and look.
The success and failure functions are the two below;
the strings are decrypted by a function before they are printed.
Let's look at sub_401630.
We can debug it.
You can see the length check: the input must be 33 characters.
Then look at the flag: it is taken from that long string, starting at index 1 and stepping by 10 each time.

```python
# Decrypted string table dumped from sub_401630 (terminated by 0x00).
a = [0x3B, 0x66, 0x31, 0x4B, 0x33, 0x7B, 0x63, 0x35, 0x3A, 0x65,
     0x66, 0x6C, 0x32, 0x31, 0x74, 0x34, 0x3B, 0x31, 0x74, 0x31,
     0x7A, 0x61, 0x78, 0x70, 0x69, 0x6D, 0x39, 0x7D, 0x35, 0x2B,
     0x3F, 0x67, 0x74, 0x75, 0x78, 0x3B, 0x3D, 0x76, 0x63, 0x39,
     0x76, 0x7B, 0x76, 0x37, 0x2B, 0x62, 0x75, 0x68, 0x55, 0x7B,
     0x62, 0x54, 0x3D, 0x2D, 0x61, 0x6D, 0x32, 0x71, 0x7D, 0x3D,
     0x66, 0x68, 0x5B, 0x78, 0x6B, 0x7B, 0x79, 0x3F, 0x78, 0x72,
     0x71, 0x65, 0x7B, 0x3F, 0x7D, 0x6C, 0x35, 0x2D, 0x73, 0x64,
     0x32, 0x2D, 0x4D, 0x6F, 0x2B, 0x3A, 0x6A, 0x7B, 0x39, 0x3D,
     0x73, 0x59, 0x5B, 0x64, 0x61, 0x6C, 0x76, 0x70, 0x78, 0x3F,
     0x7A, 0x33, 0x7B, 0x3F, 0x6E, 0x6F, 0x7B, 0x5B, 0x6B, 0x35,
     0x6C, 0x6C, 0x7B, 0x7A, 0x6A, 0x73, 0x75, 0x35, 0x5B, 0x6B,
     0x66, 0x6C, 0x61, 0x2B, 0x72, 0x36, 0x5A, 0x67, 0x37, 0x32,
     0x6F, 0x30, 0x73, 0x6B, 0x71, 0x36, 0x63, 0x47, 0x6C, 0x35,
     0x63, 0x77, 0x5B, 0x3D, 0x64, 0x3F, 0x33, 0x76, 0x39, 0x71,
     0x35, 0x2D, 0x76, 0x6B, 0x6A, 0x53, 0x76, 0x7B, 0x34, 0x73,
     0x71, 0x74, 0x67, 0x3D, 0x66, 0x30, 0x63, 0x7A, 0x7B, 0x2B,
     0x6A, 0x75, 0x72, 0x6A, 0x66, 0x6C, 0x5B, 0x74, 0x62, 0x5D,
     0x6C, 0x72, 0x66, 0x46, 0x31, 0x3B, 0x32, 0x7D, 0x75, 0x64,
     0x68, 0x62, 0x3F, 0x30, 0x67, 0x38, 0x7B, 0x6F, 0x6D, 0x3A,
     0x54, 0x34, 0x64, 0x68, 0x3B, 0x7A, 0x3A, 0x6F, 0x7A, 0x2D,
     0x44, 0x6E, 0x3D, 0x6D, 0x3D, 0x75, 0x78, 0x3B, 0x6F, 0x5B,
     0x67, 0x73, 0x39, 0x7B, 0x2B, 0x7A, 0x71, 0x78, 0x2B, 0x73,
     0x71, 0x2D, 0x64, 0x73, 0x78, 0x63, 0x74, 0x63, 0x76, 0x79,
     0x6B, 0x55, 0x73, 0x32, 0x6F, 0x64, 0x64, 0x72, 0x74, 0x34,
     0x33, 0x70, 0x77, 0x76, 0x3A, 0x66, 0x30, 0x3B, 0x6E, 0x6A,
     0x6B, 0x72, 0x62, 0x39, 0x6C, 0x6F, 0x73, 0x36, 0x67, 0x30,
     0x7B, 0x69, 0x68, 0x3F, 0x72, 0x71, 0x61, 0x6E, 0x74, 0x66,
     0x78, 0x24, 0x73, 0x73, 0x6C, 0x71, 0x64, 0x3A, 0x72, 0x76,
     0x71, 0x69, 0x78, 0x72, 0x3B, 0x6A, 0x7B, 0x3F, 0x6F, 0x3A,
     0x73, 0x6E, 0x2B, 0x5B, 0x69, 0x5B, 0x79, 0x41, 0x31, 0x31,
     0x3B, 0x67, 0x73, 0x6D, 0x72, 0x38, 0x6C, 0x6D, 0x30, 0x3F,
     0x33, 0x7D, 0x3B, 0x2B, 0x69, 0x76, 0x2B, 0x54, 0x66, 0x3A,
     0x34, 0x47, 0x74, 0x76, 0x32, 0x3A, 0x2D, 0x32, 0x30, 0x75,
     0x70, 0x69, 0x30, 0x5D, 0x37, 0x3F, 0x37, 0x37, 0x3D, 0x3B,
     0x71, 0x7A, 0x78, 0x7B, 0x6D, 0x2D, 0x57, 0x3B, 0x30, 0x76,
     0x74, 0x75, 0x65, 0x68, 0x5D, 0x6B, 0x6F, 0x38, 0x64, 0x3F,
     0x3D, 0x77, 0x3A, 0x66, 0x62, 0x68, 0x64, 0x7B, 0x45, 0x3A,
     0x3B, 0x31, 0x39, 0x3F, 0x70, 0x3D, 0x6B, 0x3A, 0x62, 0x2B,
     0x7D, 0x64, 0x6F, 0x68, 0x74, 0x36, 0x77, 0x70, 0x45, 0x71,
     0x2D, 0x7A, 0x5D, 0x32, 0x71, 0x62, 0x56, 0x31, 0x7D, 0x64,
     0x68, 0x34, 0x31, 0x36, 0x71, 0x77, 0x39, 0x3A, 0x78, 0x6D,
     0x5B, 0x3B, 0x65, 0x64, 0x3B, 0x3A, 0x65, 0x63, 0x62, 0x2D,
     0x30, 0x3A, 0x6E, 0x69, 0x2D, 0x73, 0x34, 0x75, 0x32, 0x6B,
     0x66, 0x36, 0x5D, 0x32, 0x77, 0x6E, 0x34, 0x35, 0x61, 0x6D,
     0x7A, 0x6A, 0x72, 0x75, 0x6E, 0x3D, 0x6F, 0x66, 0x6B, 0x78,
     0x2D, 0x3D, 0x68, 0x6D, 0x67, 0x6F, 0x2D, 0x6C, 0x7A, 0x3B,
     0x6A, 0x39, 0x30, 0x39, 0x3D, 0x72, 0x6D, 0x6F, 0x37, 0x78,
     0x63, 0x6A, 0x34, 0x6C, 0x65, 0x30, 0x68, 0x78, 0x73, 0x5B,
     0x69, 0x5D, 0x2D, 0x76, 0x6A, 0x6C, 0x5B, 0x3F, 0x6F, 0x31,
     0x32, 0x3A, 0x73, 0x76, 0x34, 0x75, 0x70, 0x69, 0x6F, 0x37,
     0x6D, 0x61, 0x31, 0x68, 0x52, 0x79, 0x37, 0x35, 0x35, 0x36,
     0x2B, 0x35, 0x37, 0x6B, 0x72, 0x65, 0x76, 0x3A, 0x68, 0x4C,
     0x51, 0x2B, 0x31, 0x63, 0x78, 0x36, 0x35, 0x7A, 0x35, 0x76,
     0x35, 0x5D, 0x3B, 0x36, 0x6E, 0x3D, 0x5B, 0x70, 0x38, 0x33,
     0x3B, 0x6E, 0x3D, 0x7B, 0x7A, 0x6D, 0x7B, 0x6B, 0x32, 0x70,
     0x00]

# The length check is 33; the flag is every 10th byte starting at index 1.
flag = ''
for i in range(33):
    flag += chr(a[1 + 10 * i])
print(flag)
# flag{The-Y3ll0w-turb4ns-Upri$ing}
```

Simple.

catalyst
This one is actually pretty simple too, but it touches on a lot of techniques:
z3, patching, and the difference between pseudo-random numbers on Windows and on Linux.
Used well, they get this challenge solved quickly.
Since I have already written this one up three times...
I will just give the approach here.
Open it in IDA and you see a lavish welcome screen.
Further down there are lots of sleep and rand calls.
Run on Linux it is also very slow, showing "loading...".
For convenience you can patch out the sleep calls to save time.
Now look at the function sub_400C9A.
This is actually a length check on the entered username.
You can brute-force it; the answer is 8 or 12.
That is redundant, though; you can go straight to the next function, sub_400CDD.
Solving this with z3 gives the result quickly; even by hand is fine.
Now look at sub_4008F7:
a simple constraint on the username...
Look at sub_400977.
This is where the random numbers come in.
Just debug it and record those rand values
(remember to patch out the sleep, or you will wait a long time).
Then recover the password:
sLSVpQ4vK3cGWyW86AiZhggwLHBjmx9CRspVGggj
Finally, the flag-construction function:
it is just an XOR.

```python
# Password recovered from debugging, and the XOR table from the flag-construction function.
a = 'sLSVpQ4vK3cGWyW86AiZhggwLHBjmx9CRspVGggj'
b = [0x42, 0x13, 0x27, 0x62, 0x41, 0x35, 0x6B, 0x0F, 0x7B, 0x46,
     0x3C, 0x3E, 0x67, 0x0C, 0x08, 0x59, 0x44, 0x72, 0x36, 0x05,
     0x0F, 0x15, 0x54, 0x43, 0x38, 0x17, 0x1D, 0x18, 0x08, 0x0E,
     0x5C, 0x31, 0x21, 0x16, 0x02, 0x09, 0x18, 0x14, 0x54, 0x59]

# flag[i] = password[i] ^ b[i]
flag = ''
for i in range(len(a)):
    flag += chr(ord(a[i]) ^ b[i])
print(flag)
# 1_t41d_y0u_y0u_ar3__gr34t__reverser__s33
```

A hard problem back in the day; doing it again now, it is really nothing special.

calc
This reversing challenge is rather tedious, but once you understand the program the answer comes quickly.
Drag it into IDA and you see a pile of functions,
but really it is just three functions called in succession:
add, subtract and multiply.
Once you understand it, it is not that hard.
This is sub.
This is mul.
This is add.
Then you can compute the flag.
I will not post the answer;
do it yourselves~
// I'm lazy
That is it for now;
time to start studying pwn!!!

//2019/3/27

easy-reverse-200

A quick look at the program: it is a library file. In IDA, the first thing you see is something that looks like a key.
Then it reads input, encrypts it, and compares the result against a string.
Step into the encrypt function.
There is a loop.
From that comparison you can guess the input length is 24.
The loop runs 12 times, feeding two input bytes at a time into the encryption function.
Look at the encryption function:
TEA,
much like the SMC one from HGAME.
Decrypt it directly.

```c
#include <stdio.h>

/* Round function reconstructed from the decompiled encrypt().  The
 * decompiler's aliasing (v4 used both as a pointer and as the 8-bit round
 * counter, LOBYTE() writes into the int arguments) is replaced by plain
 * 8-bit variables; only the low byte of each intermediate ever reaches the
 * output, so the behaviour is unchanged.  Each call undoes one 2-byte block. */
void encrypt(unsigned char *input, const unsigned char *key)
{
    unsigned char v0 = input[0];    /* a2 in the decompiled code */
    unsigned char v1 = input[1];    /* a1 in the decompiled code */
    unsigned char sum = 0xD9;       /* low byte of v4 */

    do
    {
        sum += 71;                  /* delta 0x47; 32 rounds until sum == 0xB9 */
        v1 -= (unsigned char)(sum + key[((signed char)sum >> 11) & 3])
            ^ (unsigned char)(v0 + ((16 * (signed char)v0) ^ ((signed char)v0 >> 5)));
        v0 -= (unsigned char)(v1 + (((signed char)v1 >> 5) ^ (16 * (signed char)v1)))
            ^ (unsigned char)(sum + key[sum & 3]);
    }
    while (sum != 0xB9);

    input[0] = v0;
    input[1] = v1;
    printf("%c%c", input[0], input[1]);
}

int main(void)
{
    unsigned char key[] = {0xde, 0xad, 0xbe, 0xef};
    /* ciphertext the program compares the encrypted input against */
    unsigned char a[] = {0xBF, 0xF1, 0x6A, 0x2C, 0x10, 0x0B, 0x16, 0x59, 0xBA, 0x3A,
                         0x8C, 0x49, 0x05, 0x1B, 0x04, 0xE2, 0x85, 0xD5, 0xC2, 0xFC,
                         0xD7, 0x9B, 0xE9, 0x42};
    int i;
    for (i = 0; i < 24; i += 2)
    {
        encrypt(a + i, key);
    }
    printf("\n");
    return 0;
}
```

Add the header files yourself.
A nice challenge, not hard, just TEA;
good material for review.
I will also provide the challenge file:
Challenge
// from now on I will attach the challenge file every time I work through one
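For reference, here are textbook TEA and XTEA in C, added as an example and not code from the challenge or its author. The point is pattern recognition in decompiler output: the challenge's round selects the key byte with sum & 3 and (sum >> 11) & 3 and adds the shifted halves back onto the word itself, which is the XTEA round shape (shrunk to 8-bit words with delta 0x47), whereas original TEA adds the key words to the shifted halves and uses delta 0x9E3779B9. The key and plaintext block below are constructed values for the round-trip check.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference TEA and XTEA (Wheeler & Needham): 64-bit block, 128-bit key,
 * 32 rounds, delta 0x9E3779B9.  All arithmetic is on uint32_t, so the
 * wraparound the ciphers rely on is well defined. */
#define DELTA  0x9E3779B9u
#define ROUNDS 32u

/* TEA: the key words are added to the shifted halves. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (uint32_t i = 0; i < ROUNDS; i++) {
        sum += DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

void tea_decrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = DELTA * ROUNDS;   /* 0xC6EF3720 */
    for (uint32_t i = 0; i < ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* XTEA: the key word is chosen by sum (sum & 3, (sum >> 11) & 3) and the
 * shifted halves are added back to the word.  This is the shape of the
 * challenge's round function above, just with 8-bit words. */
void xtea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (uint32_t i = 0; i < ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

void xtea_decrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = DELTA * ROUNDS;
    for (uint32_t i = 0; i < ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Encrypt a constructed block under a constructed key, check that the
 * ciphertext differs from the plaintext, decrypt, and compare.
 * Returns 1 when both ciphers round-trip, 0 otherwise. */
int roundtrip_ok(void)
{
    const uint32_t key[4]   = { 0xdeadbeef, 0x01234567, 0x89abcdef, 0xfedcba98 };
    const uint32_t plain[2] = { 0x41424344, 0x45464748 };   /* "ABCDEFGH" */
    uint32_t v[2];

    v[0] = plain[0]; v[1] = plain[1];
    tea_encrypt(v, key);
    if (v[0] == plain[0] && v[1] == plain[1]) return 0;
    tea_decrypt(v, key);
    if (v[0] != plain[0] || v[1] != plain[1]) return 0;

    v[0] = plain[0]; v[1] = plain[1];
    xtea_encrypt(v, key);
    if (v[0] == plain[0] && v[1] == plain[1]) return 0;
    xtea_decrypt(v, key);
    return v[0] == plain[0] && v[1] == plain[1];
}

int main(void)
{
    printf("TEA/XTEA round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

When a decompiled loop shows a 32-iteration counter, a constant added to a running sum each round, and two halves updated with <<4 and >>5 shifts, compare the key indexing against these two shapes before writing the decryptor: getting the key schedule wrong (TEA's fixed k[0..3] pairs versus XTEA's sum-selected word) produces garbage that looks like a wrong ciphertext rather than a wrong algorithm.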

Parallel Comparator

Challenge
This one gives the source code directly.
I learned about this header from my ACM roommate;
it is for multithreading:
<pthread.h>
The program mainly generates a random number, adds difference to it, XORs that with the input,
adds it to the string, and then compares.
Put plainly, the random number plus difference is the answer.
First compile it with gcc and load it into IDA Pro.
You can see the random value is 0x6c.

```python
# The string the program compares against ("strange_string_it_is") and the
# per-character difference table taken from the source.
a = [115, 116, 114, 97, 110, 103, 101, 95, 115, 116, 114, 105, 110, 103, 95, 105, 116, 95, 105, 115]
b = [0, 9, -9, -1, 13, -13, -4, -11, -9, -1, -7, 6, -13, 13, 3, 9, -13, -11, 6, -7]

# The generated random value seen in IDA is 0x6c (108): answer[i] = b[i] + 0x6c.
flag = ''
for i in range(len(a)):
    flag += chr(b[i] + 108)
print(flag)
# lucky_hacker_you_are
```

juckcode
