REVERSE-PRACTICE-BUUCTF-12

[WUSTCTF2020]level3

An ELF file, no packer. Analyzing the main function in IDA: it reads the input, base64-encodes it, and then prints that the result is wrong. There is an odd-looking string in the program, different from the standard base64 alphabet, so this is presumably a base64 with a modified table.
level3-logic
Entering the base64_encode function: normal base64 encoding logic. Cross-referencing base64_table shows that it is also referenced in the O_OLookAtYou function.
level3-base64_encode
Entering the O_OLookAtYou function, it turns out to be a transformation of base64_table.
level3-lookatyou
I have run into modified-table base64 before; see REVERSE-PRACTICE-BUUCTF-7.
Use that script directly; running it gives the flag.

#coding:utf-8
#base="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  original table
base=[0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
  0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
  0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,
  0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,
  0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
  0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
  0x38, 0x39, 0x2B, 0x2F]  # the original table as ASCII codes, convenient for transforming it
# transform the original table: swap entry i with entry 19-i for the first 20 entries
for i in range(0,10):
    base[i],base[19-i]=base[19-i],base[i]
# base_changed is the modified table; it has to be turned back into a string
base_changed=''.join(chr(i) for i in base)
print("Current Base:\n%s " %base_changed) # print the modified table base_changed
def base64_decode(inputs): # inputs is the base64 string
    # convert each character to its 6-bit binary index in the modified table
    bin_str = []
    for i in inputs:
        if i != '=':
            x = str(bin(base_changed.index(i))).replace('0b', '')
            bin_str.append('{:0>6}'.format(x))
    # the decoded output string
    outputs = ""
    nums = inputs.count('=')
    while bin_str:
        temp_list = bin_str[:4]
        temp_str = "".join(temp_list)
        # drop the padding bits of the last group so it is a whole number of 8-bit bytes
        if (len(temp_str) % 8 != 0):
            temp_str = temp_str[0:-1 * nums * 2]
        # convert four 6-bit groups into three characters
        for i in range(0, int(len(temp_str) / 8)):
            outputs += chr(int(temp_str[i * 8:(i + 1) * 8], 2))
        bin_str = bin_str[4:]
    print("Decoded String:\n%s " % outputs)
    return outputs
# enc is the string encoded with the modified-table base64
enc="d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="
base64_decode(enc)

Result of running the script:
level3-flag
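A shorter way to do the same decoding, added here as an example and not the writeup's own script: map the modified alphabet back onto the standard one with str.maketrans, let base64.b64decode handle the rest, and then re-encode the result with the modified table to confirm the recovered table really reproduces the ciphertext. The table transform (swap entry i with entry 19-i) and the encoded string are taken from the script above; the function names are mine.

```python
import base64
import string

STD_TABLE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Ciphertext from the challenge (the same string as in the script above)
ENC = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="

def build_custom_table():
    """Rebuild the modified alphabet: the first 20 entries are swapped pairwise
    (index i with index 19 - i); the rest of the standard table is untouched."""
    table = list(STD_TABLE)
    for i in range(10):
        table[i], table[19 - i] = table[19 - i], table[i]
    return "".join(table)

def custom_b64decode(enc, table):
    """Decode base64 produced with a non-standard alphabet.
    Each symbol of the custom table is mapped to the standard symbol at the same
    index; after that the standard decoder applies ('=' padding is unchanged)."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    to_std = str.maketrans(table, STD_TABLE)
    return base64.b64decode(enc.translate(to_std))

def custom_b64encode(data, table):
    """Inverse direction, used to check that the recovered table is right."""
    to_custom = str.maketrans(STD_TABLE, table)
    return base64.b64encode(data).decode("ascii").translate(to_custom)

def solve():
    table = build_custom_table()
    plain = custom_b64decode(ENC, table)
    # Round-trip check: with a wrongly recovered table this would not match
    if custom_b64encode(plain, table) != ENC:
        raise ValueError("recovered table does not reproduce the ciphertext")
    return plain.decode("ascii")

if __name__ == "__main__":
    print("Current Base:", build_custom_table())
    print("Decoded String:", solve())
```

The same two functions work for any 64-symbol alphabet, so once the table transform has been read out of a binary, only build_custom_table needs to change.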

crackMe

An EXE program; after running it asks for a user name (welcome) and a password, and if they are wrong it asks again. No packer. Analyzing in IDA: the wmain function reads the user name and password and checks their length and that both consist only of digits or letters. The sub_401090 function generates a fixed table from the entered user name (welcomebeijing); this table is also referenced in the check function below. The sub_4011A0 function assigns the two parameters passed in: the first parameter is set to "Congratulations" and the second to "please try again", and which one is printed depends on the return value of the check function.
crackme-logic
Entering the check function, look at the first while loop body. In this loop v15 is filled in, and v15 is referenced by the next loop. The loop actually groups the contents of pwd in pairs and turns every two characters into one hexadecimal byte of v15. For example, if the input pwd is 0123456789abcdef, the elements of v15 are 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF.
crackme-check
Now look at the second loop body. v15 (the parsed pwd) is XORed with elements of table and stored in v17. The table elements are selected by v8 and v13, and v8 and v13 are in turn determined by v11 and v12. Above and below the XOR there are two if statements that test whether the program is currently being debugged; if it is, the values of v13, v11 and v12 are modified. So there are two anti-debugging checks, and we do not know exactly which table elements take part in the XOR. From the earlier analysis we know that all the table elements are derived from the input user name, so the elements used in the XOR can be read out by debugging. Therefore the two anti-debugging statements must be NOPed out, or their jump logic changed, so that the if bodies are not executed while debugging.
crackme-check1
The figure below shows the change to the jump logic: the jz at the two instructions .text:00CA1AE8 and .text:00CA1B5E is changed to jnz, so that the if bodies are not executed in the debugging state. Note that the changed jump logic must be applied (patched) to the executable file itself.
crackme-alterlogic
The figure below shows the effect of the changed jump logic. Continuing down, the sub_CA1710 function XORs v17 with user (welcomebeijing). After the while loop ends, the sub_CA1470 function verifies v17: after this series of operations the result should be "dbappsec", of length 8.
crackme alterlogic effect
Before writing the script, the 8 table elements that are XORed with v15 need to be read out in the debugger; they are [0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd]. Write the script; submitting the second md5 value is accepted.
crackme-script
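The check logic described above, as an added example rather than the writeup's own script: the password is parsed in pairs of hex digits, each byte is XORed with the table element read out in the debugger and then with the corresponding byte of the user name, and the result must equal "dbappsec". Since every step is an XOR, applying the same XORs to the target recovers the password directly, and the forward model can be run on the result to confirm it passes. Two assumptions are mine, not from the page: the XOR with the user name uses the byte at the same index (the page only says v17 is XORed with user), and the password is rendered as lowercase hex (the page does not say which case was submitted, only that the second md5 value was accepted, so both cases are printed).

```python
import hashlib

USER = b"welcomebeijing"
TARGET = b"dbappsec"
# Table elements XORed with v15, read out in the debugger (values from the writeup)
TABLE = [0x2a, 0xd7, 0x92, 0xe9, 0x53, 0xe2, 0xc4, 0xcd]

def parse_pairs(pwd):
    """First loop of check: every two hex characters of pwd form one byte of v15."""
    if len(pwd) != 2 * len(TABLE):
        raise ValueError("password must be %d hex digits" % (2 * len(TABLE)))
    return [int(pwd[i:i + 2], 16) for i in range(0, len(pwd), 2)]

def check(user, pwd):
    """Model of the check function: v17 = v15 ^ table, then v17 ^= user (sub_CA1710),
    then compare with the target (sub_CA1470).
    Assumed: the user-name XOR uses the byte at the same index."""
    v15 = parse_pairs(pwd)
    v17 = [b ^ t for b, t in zip(v15, TABLE)]
    v17 = [b ^ u for b, u in zip(v17, user)]
    return bytes(v17) == TARGET

def solve(user=USER):
    """XOR is its own inverse, so target ^ user ^ table gives v15 back."""
    v15 = [t ^ u ^ k for t, u, k in zip(TARGET, user, TABLE)]
    return "".join("%02x" % b for b in v15)

if __name__ == "__main__":
    pwd = solve()
    print("password:", pwd, "passes check:", check(USER, pwd))
    # The page says an md5 of the result is submitted; which case was accepted is not recorded
    for candidate in (pwd, pwd.upper()):
        print(candidate, hashlib.md5(candidate.encode()).hexdigest())
```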

[FlareOn6]Overlong

An EXE program; when run, it prints a message saying the encoding was not broken, with nothing after the colon. No packer. Analyzing in IDA: in the start function, unk_402008 is passed to the sub_401160 function as a parameter, the length of the operation is the third parameter, 28, and the result is placed in Text, which is finally displayed through MessageBoxA.
overlong-logic
The sub_401160 and sub_401000 functions are the program's own calculation logic. The message says the calculation logic has not changed; together with the "overlong" hint, more elements should take part in the calculation, i.e. the third parameter of sub_401160 should be larger, so that the program's own calculation outputs the flag.
Changing the operation length from 28 to 72, applying the patch to the program and running it gives the flag.
overlong-flag
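Both the crackMe jump change (jz to jnz at .text:00CA1AE8 and .text:00CA1B5E) and the Overlong length change (28 to 72) end with the same chore: applying a one-byte edit to the executable on disk, not only in IDA's view. The helper below is an added example and not part of this writeup. It writes a patch only if the bytes currently at that file offset are the ones expected, so a wrong offset (for example a virtual address used as a file offset) is refused instead of silently corrupting the file. The offsets and the surrounding bytes are constructed sample data; the real file offsets must be taken from IDA. It assumes the short forms of the instructions (jz rel8 = 0x74, jnz rel8 = 0x75, push imm8 = 0x6A); the near form of jz (0F 84) would need its second byte changed to 85 instead.

```python
import shutil
import tempfile
from pathlib import Path

# x86 short conditional jumps: jz/je rel8 = 0x74, jnz/jne rel8 = 0x75 (short form assumed)
JZ, JNZ = 0x74, 0x75

class PatchMismatch(Exception):
    """Raised when the bytes on disk are not the ones the patch expects."""

def apply_patches(path, patches, backup=True):
    """Apply (file_offset, expected_old_bytes, new_bytes) edits to the file at path.
    Every expectation is verified before anything is written, so one bad offset
    leaves the file untouched. Returns the number of bytes actually changed."""
    path = Path(path)
    data = bytearray(path.read_bytes())
    for offset, old, new in patches:
        if len(old) != len(new):
            raise ValueError("patch at 0x%x would change the file length" % offset)
        found = bytes(data[offset:offset + len(old)])
        if found != old:
            raise PatchMismatch("0x%x: expected %s, found %s" % (offset, old.hex(), found.hex()))
    if backup:
        shutil.copy2(path, str(path) + ".bak")
    changed = 0
    for offset, old, new in patches:
        data[offset:offset + len(new)] = new
        changed += sum(a != b for a, b in zip(old, new))
    path.write_bytes(bytes(data))
    return changed

def flip_jz_to_jnz(path, offset):
    """crackMe-style edit: turn 'jz rel8' at offset into 'jnz rel8'; the displacement
    byte following the opcode is kept as it is."""
    rel8 = Path(path).read_bytes()[offset + 1:offset + 2]
    return apply_patches(path, [(offset, bytes([JZ]) + rel8, bytes([JNZ]) + rel8)], backup=False)

def make_sample(dirpath):
    """Constructed stand-in for an executable (not the real challenge file): a 'jz +5'
    (74 05) at offset 0x10 and a 'push 28' (6A 1C) at offset 0x20. Offsets are made up."""
    sample = bytearray(0x30)
    sample[0x10:0x12] = bytes([JZ, 0x05])
    sample[0x20:0x22] = bytes([0x6A, 28])
    target = Path(dirpath) / "sample.bin"
    target.write_bytes(bytes(sample))
    return target

def demo():
    """Apply both kinds of edit to the sample and show that a wrong offset is refused.
    Returns (byte at 0x10, byte at 0x21, refused, number of bytes changed)."""
    target = make_sample(tempfile.mkdtemp())
    changed = flip_jz_to_jnz(target, 0x10)                                      # jz -> jnz
    changed += apply_patches(target, [(0x21, b"\x1c", b"\x48")], backup=False)  # 28 -> 72
    refused = False
    try:
        apply_patches(target, [(0x00, b"\x74", b"\x75")], backup=False)       # no jz there
    except PatchMismatch:
        refused = True
    out = target.read_bytes()
    return out[0x10], out[0x21], refused, changed

if __name__ == "__main__":
    print(demo())
```

Verifying the old bytes before writing is what makes this safe to script: IDA shows virtual addresses, and the file offset of .text:00CA1AE8 differs from the address by the section's mapping, so a patch that does not find the expected opcode at the offset is almost always a conversion mistake.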

[WUSTCTF2020]Cr0ssfun

An ELF file, no packer. Analyzing in IDA, the main function has clear logic: it reads the input and calls check on it; when check returns 1, the input is correct.
crossfun-main
Entering the check function, it is a direct comparison on the input characters, and the remaining functions are written the same way.
crossfun-check
The script can be written straight from these comparisons, which gives the flag.
crossfun-script


Original article: blog.csdn.net/weixin_45582916/article/details/114155839