REVERSE-PRACTICE-BUUCTF-9
[ACTF Freshman Competition 2020] normalCrypt
exe program, after running, prompt to enter flag, no shell, ida analyzes the
main function logic to get the input, the sub_401080 function changes the input to base64 conversion, the result is stored to v5, and then check, verify that the input
sub_401080 function is a very obvious base64, At the beginning of the function, the sub_401000 function transforms the table. At the end of the function, the sub_401030 function converts the base64 string after the table is changed to the case of English letters. The
sub_401000 function converts byte_40E0AA[6] to byte_40E0AA[14] Exchange the
sub_401030 function with two paragraphs of base64_table[6] to base64_table[14] , to convert the case of English letters of base64 strings after the table is changed, and other characters remain unchanged.
Write the script to get the flag
#coding:utf-8
#base="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" 原表
base=[0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64,
0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E,
0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x2B, 0x2F] #原表的ascii码表示,方便进行原表变换
#对原表进行变换
for i in range(6,15):
base[i],base[10+i]=base[10+i],base[i]
#base_changed是变表,需要转成字符串的形式
base_changed=''.join(chr(i) for i in base)
print("Current Base:\n%s " %base_changed) #打印base_changed变表
def base64_decode(inputs): #inputs是base64字符串
# 将字符串转化为2进制
bin_str = []
for i in inputs:
if i != '=':
x = str(bin(base_changed.index(i))).replace('0b', '')
bin_str.append('{:0>6}'.format(x))
# 输出的字符串
outputs = ""
nums = inputs.count('=')
while bin_str:
temp_list = bin_str[:4]
temp_str = "".join(temp_list)
# 补足8位字节
if (len(temp_str) % 8 != 0):
temp_str = temp_str[0:-1 * nums * 2]
# 将四个6字节的二进制转换为三个字符
for i in range(0, int(len(temp_str) / 8)):
outputs += chr(int(temp_str[i * 8:(i + 1) * 8], 2))
bin_str = bin_str[4:]
print("Decoded String:\n%s " % outputs)
#enc是经变表base64以及大小写转换后的字符串
enc="zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9"
#c将enc大小写转换回去 再解变表base64
c=""
for i in enc:
if i.isupper():
c+=i.lower()
elif i.islower():
c+=i.upper()
else:
c+=i
base64_decode(c)
operation result
[MRCTF2020]Transform
exe program, after running, prompt to enter code, input error, print Wrong, no shell, ida analyzes the
main function logic is clear, get the input, check the length of the input, change the position of the input and store it in byte_414040, byte_414040 XOR again, and finally Check to
write the script to get the flag
[V&N2020 Open] CSRe
exe program, running error
Check the shell, find it is .NET, and add the de4dot shell.
After shelling, open it with dnSpy and find the main logic function
method_0 function is to return the result of the order of the two incoming parameters.
smethod_0 function is to pass The result of sha1 hashing of the
input parameters is returned to the main function. First, get the input str, add a "3" to the head, and a "9" to the tail. The concatenated string is sha1 hashed and compared with the known value. , Verify that the input str is correct
and then obtain the input text, add "re" to the head, and perform sha1 hashing on the spliced string. The result of the hashing is XORed with the known value, and the result is all 0s, indicating two The input parameters are exactly the same, verify that the input text is correct. The
flag is flag{str+text}
using System;
using System.Security.Cryptography;
using System.Text;
// Token: 0x02000006 RID: 6
internal sealed class Class3
{
// Token: 0x0600000D RID: 13 RVA: 0x000022C8 File Offset: 0x000004C8
public string method_0(string string_0, string string_1)
{
string text = string.Empty;
char[] array = string_0.ToCharArray();
char[] array2 = string_1.ToCharArray();
int num = (array.Length < array2.Length) ? array.Length : array2.Length;
for (int i = 0; i < num; i++)
{
text += (int)(array[i] ^ array2[i]);
}
return text;
}
// Token: 0x0600000E RID: 14 RVA: 0x0000231C File Offset: 0x0000051C
public static string smethod_0(string string_0)
{
byte[] bytes = Encoding.UTF8.GetBytes(string_0);
byte[] array = SHA1.Create().ComputeHash(bytes);
StringBuilder stringBuilder = new StringBuilder();
foreach (byte b in array)
{
stringBuilder.Append(b.ToString("X2"));
}
return stringBuilder.ToString();
}
// Token: 0x0600000F RID: 15 RVA: 0x00002374 File Offset: 0x00000574
private static void Main(string[] args)
{
if (!Class1.smethod_1())
{
return;
}
bool flag = true;
Class3 @class = new Class3();
string str = Console.ReadLine();
if (Class3.smethod_0("3" + str + "9") != "B498BFA2498E21325D1178417BEA459EB2CD28F8")
{
flag = false;
}
string text = Console.ReadLine();
string string_ = Class3.smethod_0("re" + text);
string text2 = @class.method_0(string_, "63143B6F8007B98C53CA2149822777B3566F9241");
for (int i = 0; i < text2.Length; i++)
{
if (text2[i] != '0')
{
flag = false;
}
}
if (flag)
{
Console.WriteLine("flag{" + str + text + "}");
}
}
}
Use the online website to solve the first paragraph of sha1, you can see that str is "1415"
Use the online website to solve the second paragraph of sha1, you can see that the text is "turn"
[WUSTCTF2020]level1
elf file, no shell, ida analysis
main function logic is clear, read the flag from the file, the subscript starts from 1, the subscript is odd, the content of the flag is shifted, the subscript is even, and the content of the flag is multiplied by the following
script to write it. Available flag
