REVERSE-PRACTICE-BUUCTF-11

[FlareOn4]IgniteMe

An exe program; after running it prompts for the flag. No shell (i.e. not packed), so straight to IDA analysis. The
main logic is in the start function: after reading the input it checks it, and on success it outputs "G00d j0b!".
igniteme-logic
Analyze the sub_401050 function: it combines the input with v4 and writes the result into byte_403180. v4 has an initial value and is updated on every loop iteration. The net effect of the computation is
when i == input_len-1, byte[i] = v4 ^ input[i],
and for i from input_len-2 down to 0, byte[i] = input[i] ^ input[i+1]. When the
computation is complete, the byte_403180 array is compared with the byte_403000 array. The
igniteme-sub_401050
initial value of v4 must be obtained before the check can be reversed in a script; reading the function directly or debugging shows that the initial value of v4 is 4. With that, a script recovers the flag:
igniteme-script

[MRCTF2020] Chorus

An exe program; after running it prompts for the flag and prints "Wrong" on a bad input. No shell (i.e. not packed), so straight to IDA analysis.
A string cross-reference leads to the main logic function; it cannot be decompiled with F5, so read the assembly directly. The
main step is to XOR each input byte with its index, input[i] ^ i:
xor-logic
write a script to get the flag
xor-script

[GKCTF2020] BabyDriver

A sys file; in IDA, a
string cross-reference leads to the sub_140001380 function. Analysis shows it is a maze problem: the map is 224 bytes long, and closer analysis shows it is 14x16, i.e. a map of 14 rows and 16 columns. The starting point is 'o', the end point is '#', '*' must not be touched, and the moves are 23-up, 37-down, 36-left, 38-right.

/*
 * Decompiled (IDA) routine from BabyDriver: reads a buffer of input records
 * out of the structure at a2 and walks the global `map` maze with them.
 * The field layout is inferred from offsets only — confirm in the disassembly:
 *   a2+24 : pointer to the input record buffer (v3)
 *   a2+56 : its length; >> 3 gives the iteration count (v4). Note the record
 *           stride below is 12 bytes (v6 += 6 on an __int16 *), so count and
 *           stride disagree — presumably a decompiler artifact
 *   a2+48 : 32-bit value tested before the walk and returned afterwards
 * Globals: `index` (current position in a 16-column, 14-row map, 0..223) and
 * `map` (the maze cells). Moves: 23 up, 37 down, 36 left, 38 right, each
 * wrapping around at the map edge.
 */
__int64 __fastcall sub_140001380(__int64 a1, __int64 a2)
{
    
    
  __int64 v2; // rbx
  __int64 v3; // rdi  -- start of the input record buffer (a2+24)
  __int64 v4; // rax  -- record count: length field (a2+56) >> 3
  int v5; // ecx      -- working copy of the global `index` (player position)
  __int16 *v6; // rsi -- cursor into the records; starts at v3+2, advances 12 bytes
  __int64 v7; // rbp  -- remaining record count
  __int16 v8; // dx   -- key code of the current record (23/37/36/38 are moves)
  char v9; // dl      -- map cell at the new position
  CHAR *v10; // rcx   -- message handed to DbgPrint on '*' or '#'

  v2 = a2;
  if ( *(_DWORD *)(a2 + 48) >= 0 )
  {
    
    
    v3 = *(_QWORD *)(a2 + 24);
    v4 = *(_QWORD *)(a2 + 56) >> 3;
    if ( (_DWORD)v4 )                           // nothing to do for an empty buffer
    {
    
    
      v5 = index;                               // v5=10
      v6 = (__int16 *)(v3 + 2);
      v7 = (unsigned int)v4;
      // Records are skipped while the word at v3+4 is non-zero. v3 itself is
      // never advanced in this listing, so the test reads the same word every
      // iteration — presumably a decompiler artifact; confirm in the disassembly.
      while ( *(_WORD *)(v3 + 4) )
      {
    
    
LABEL_28:                                       // advance to the next record
        v6 += 6;
        if ( !--v7 )
          goto LABEL_29;
      }
      map[v5] = '.';                            // vacate the current cell before moving
      v8 = *v6;
      if ( *v6 == 23 )                          // 23 - up
      {
    
    
        if ( v5 & 0xFFFFFFF0 )                  // not in row 0: one row (16 cells) up
        {
    
    
          v5 -= 16;
          goto LABEL_21;
        }
        v5 += 208;                              // row 0: wrap to the last row (13 * 16)
        index = v5;
      }
      if ( v8 == 37 )                           // 37 - down
      {
    
    
        if ( (v5 & 0xFFFFFFF0) != 208 )         // not in the last row: one row down
        {
    
    
          v5 += 16;
          goto LABEL_21;
        }
        v5 -= 208;                              // last row: wrap to row 0
        index = v5;
      }
      if ( v8 == 36 )                           // 36 - left
      {
    
    
        if ( v5 & 0xF )                         // not in column 0
        {
    
    
          --v5;
          goto LABEL_21;
        }
        v5 += 15;                               // column 0: wrap to column 15
        index = v5;
      }
      if ( v8 != 38 )                           // 38 - right; any other key leaves the position unchanged
        goto LABEL_22;
      if ( (v5 & 0xF) == 15 )                   // column 15: wrap to column 0
        v5 -= 15;
      else
        ++v5;
LABEL_21:
      index = v5;
LABEL_22:
      v9 = map[v5];
      if ( v9 == '*' )                          // must not touch '*'
      {
    
    
        v10 = "failed!\n";
      }
      else
      {
    
    
        if ( v9 != '#' )                        // start is 'o', end is '#'
        {
    
    
LABEL_27:
          map[v5] = 'o';                        // mark the new position, then take the next record
          goto LABEL_28;
        }
        v10 = "success! flag is flag{md5(input)}\n";
      }
      // Both '*' and '#' reset the position to cell 16 (row 1, column 0), print
      // the message and keep consuming records; cells already set to '.' are
      // not restored.
      index = 16;
      DbgPrint(v10);
      v5 = index;
      goto LABEL_27;
    }
  }
LABEL_29:
  // Post-walk bookkeeping on the structure at a2 — looks like request
  // completion, but the structure is not visible here; confirm.
  if ( *(_BYTE *)(v2 + 65) )
    *(_BYTE *)(*(_QWORD *)(v2 + 184) + 3i64) |= 1u;
  return *(unsigned int *)(v2 + 48);
}

Because it is a sys file, the input is a keyboard code rather than an ASCII code: 23 is I (up), 37 is K (down), 36 is J (left), and 38 is L (right). After
babydrive-keyboardcode
walking through the maze, the md5 hash of the route gives the flag.
babydrive-flag

[MRCTF2020]hello_world_go

An elf file, no shell (i.e. not packed), IDA analysis. The
last function in the left-hand function window is main_main; its content is very messy, but the flag is found in a parameter of the runtime_memequal call, unk_4D3C58:

/*
 * Decompiled (IDA) Go main.main from hello_world_go. Several register values
 * (v2..v10, v14, v15) are never assigned in this listing — an artifact of
 * decompiling Go's calling convention, not program logic.
 * Flow: print a prompt, scan a string into the object at v16 (data pointer
 * at [0], length at [1]), compare it with the 24-byte constant at unk_4D3C58,
 * then print either off_4EA550 ("Wrong") or off_4EA540 ("OK!You are right!").
 */
__int64 __fastcall main_main(__int64 a1, __int64 a2)
{
    
    
  __int64 v2; // r8
  __int64 v3; // r9
  __int64 v4; // r8
  __int64 v5; // r9
  __int64 v6; // rdx
  __int64 v7; // r8
  __int64 v8; // rcx    -- input length, later the compare length
  __int64 v9; // rdx
  __int64 v10; // r9
  signed __int64 v11; // rax -- comparison outcome; 0 means the input matched
  __int64 result; // rax
  __int64 v13; // ST58_8 -- input data pointer (*v16)
  __int64 *v14; // [rsp+8h] [rbp-A8h]  -- stack slot presumably filled by runtime_newobject; confirm
  char v15; // [rsp+18h] [rbp-98h]     -- stack slot presumably holding the memequal result; confirm
  __int64 *v16; // [rsp+60h] [rbp-50h] -- the scanned string object
  __int128 v17; // [rsp+68h] [rbp-48h]
  __int128 v18; // [rsp+78h] [rbp-38h]
  __int128 v19; // [rsp+88h] [rbp-28h]
  __int128 v20; // [rsp+98h] [rbp-18h]

  // Stack-bound check against a guard read through fs:-8; presumably the Go
  // stack-growth prologue — confirm.
  if ( (unsigned __int64)&v18 + 8 <= *(_QWORD *)(__readfsqword(0xFFFFFFF8) + 16) )
    runtime_morestack_noctxt();
  runtime_newobject(a1, a2);
  v16 = v14;
  *(_QWORD *)&v20 = &unk_4AC9C0;
  *((_QWORD *)&v20 + 1) = &off_4EA530;          // value printed to os.Stdout as the prompt
  fmt_Fprint(a1, a2, (__int64)&v20, (__int64)&unk_4AC9C0, v2, v3, (__int64)&go_itab__os_File_io_Writer, os_Stdout);
  *(_QWORD *)&v19 = &unk_4A96A0;
  *((_QWORD *)&v19 + 1) = v16;
  // Read the user's input from os.Stdin into the object at v16.
  fmt_Fscanf(
    a1,
    a2,
    (__int64)&go_itab__os_File_io_Reader,
    (__int64)&v19,
    v4,
    v5,
    (__int64)&go_itab__os_File_io_Reader,
    os_Stdin,
    (__int64)&unk_4D07C9,
    2LL);
  v8 = v16[1];                                  // input length
  if ( v8 != 24 )                               // the expected string is 24 bytes long
    goto LABEL_3;
  v13 = *v16;
  runtime_memequal(a1, a2, v6, (unsigned __int64)&unk_4D3C58);// flag{hello_world_gogogo}
  if ( !v15 )                                   // same length but different bytes
  {
    
    
    v8 = 24LL;
LABEL_3:
    // Length or content mismatch: a three-way string compare whose sign
    // decides v11 (non-zero either way). The `&v19 >= 0` test is decompiler
    // noise standing in for that sign — confirm against the disassembly.
    runtime_cmpstring(a1, a2, (__int64)&unk_4D3C58, v8, v7);
    if ( (signed __int64)&v19 >= 0 )
      v11 = 1LL;
    else
      v11 = -1LL;
    goto LABEL_5;
  }
  v11 = 0LL;                                    // exact match
LABEL_5:
  if ( v11 )
  {
    
    
    *(_QWORD *)&v17 = &unk_4AC9C0;
    *((_QWORD *)&v17 + 1) = &off_4EA550;        // Wrong
    result = fmt_Fprintln(
               a1,
               a2,
               v9,
               (__int64)&go_itab__os_File_io_Writer,
               v7,
               v10,
               (__int64)&go_itab__os_File_io_Writer,
               os_Stdout);
  }
  else
  {
    
    
    *(_QWORD *)&v18 = &unk_4AC9C0;
    *((_QWORD *)&v18 + 1) = &off_4EA540;        // OK!You are right!
    result = fmt_Fprintln(
               a1,
               a2,
               v9,
               (__int64)&go_itab__os_File_io_Writer,
               v7,
               v10,
               (__int64)&go_itab__os_File_io_Writer,
               os_Stdout);
  }
  return result;
}


Origin blog.csdn.net/weixin_45582916/article/details/114155837