REVERSE-PRACTICE-BUUCTF-8

[GUET-CTF2019]re

An ELF file packed with UPX. Unpack it (upx -d) and load it in IDA. Following the cross-reference from the prompt string leads to the main logic function, sub_400E28. The logic is clear: read the input, then verify it. The part that matters is the sub_4009AE function.
[image: re-logic]
sub_4009AE verifies the input character by character; the input length is 32. Notice that input[6] is never verified.
[image: re-sub_4009AE]
Now write the script. Because the program never checks input[6], the script prints "#" at that position; substituting "1" for the "#" gives a flag that is accepted.
[image: re-script]
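The solver for this kind of check, written out as an added example (not the script from the original post). sub_4009AE compares coef * input[i] against a constant for each position; the coefficients and constants below are constructed stand-ins, not the challenge's real values, but the method is the same: divide, insist on a zero remainder (a non-zero remainder means a constant was copied wrong, for instance a truncated 64-bit immediate), and emit a placeholder for the position that has no check.

```python
"""Solver for per-character linear checks of the sub_4009AE kind.
Added example: the constraints are constructed, not the challenge's real ones."""

FLAG_LEN = 32
UNCHECKED = {6}            # the binary never verifies input[6]


def constructed_constraints():
    """Build (coef, expected) pairs shaped like the checks IDA shows:
    coef * input[i] == expected. Constructed from a sample string."""
    sample = b"flag{sample_constraint_solver01}"
    assert len(sample) == FLAG_LEN
    checks = []
    for i, ch in enumerate(sample):
        if i in UNCHECKED:
            checks.append(None)                  # no constraint at this index
        else:
            coef = 1000003 + 7919 * i            # arbitrary non-zero coefficient
            checks.append((coef, coef * ch))
    return checks


def solve(checks, placeholder="#"):
    """Recover each character as expected // coef; placeholder where unchecked."""
    out = []
    for i, c in enumerate(checks):
        if c is None:
            out.append(placeholder)
            continue
        coef, expected = c
        q, r = divmod(expected, coef)
        # A remainder, or a non-printable quotient, means the constant or the
        # coefficient was read wrong from the decompilation, not a valid char.
        if r != 0 or not 0x20 <= q < 0x7F:
            raise ValueError(f"check {i}: {expected} is not coef*printable (coef={coef})")
        out.append(chr(q))
    return "".join(out)


def verify(checks, candidate):
    """Mimic sub_4009AE: every constrained position must satisfy its check."""
    if len(candidate) != FLAG_LEN:
        return False
    return all(c is None or c[0] * ord(candidate[i]) == c[1]
               for i, c in enumerate(checks))


if __name__ == "__main__":
    checks = constructed_constraints()
    recovered = solve(checks)
    print(recovered)                             # '#' marks the unchecked byte
    print(verify(checks, recovered.replace("#", "1")))
```

Because verify() accepts any byte at the unchecked index, any substitution for "#" passes the binary's check; the platform decides which one is the real flag.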

Photo album

An APK. The main logic cannot be found with jadx-gui, so it must be in native code.
Unpack the APK with Apktool Box: xiangce1->lib->armeabi->libcore.so
Analyze the .so in IDA.
Shift+F12 opens the Strings window; at the very bottom there are three suspicious strings that look like base64.
[image: Album-strings]
According to the challenge hint, the flag is a complete e-mail address, so base64-decode the three strings and join them.
[image: Album-script]
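The manual step above (spot base64-looking strings in the Strings window, decode them, join) automated as an added example; this is not the script from the original post. It scans a binary blob for runs of base64 alphabet characters, fixes the padding, and keeps only runs that decode to printable ASCII, which is what separates real encoded text from symbol names such as GetStringUTFChars. The blob is constructed sample data, not the challenge's libcore.so.

```python
import base64
import binascii
import re

# Constructed stand-in for a stripped .so's string table: an ELF magic, a JNI
# symbol, a libc import name and three base64 pieces of an e-mail-shaped flag.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00\x00\x00"
    + b"Java_com_xiangce_Check\x00"
    + base64.b64encode(b"flag{someone@") + b"\x00"
    + b"GetStringUTFChars\x00"
    + base64.b64encode(b"mail.exa") + b"\x00"
    + base64.b64encode(b"mple.com}") + b"\x00"
)

# A run of at least 8 base64 alphabet characters, optionally followed by padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_candidate(token):
    """Return the decoded text if token is base64 for printable ASCII, else None."""
    body = token.rstrip(b"=")
    if len(body) % 4 == 1:          # no valid base64 string has this length
        return None
    padded = body + b"=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hunt_base64(blob):
    """Scan a binary for base64 runs that decode to printable text, in file order.
    Returns (offset, token, decoded_text) tuples."""
    found = []
    for m in B64_RUN.finditer(blob):
        text = decode_candidate(m.group(0))
        if text is not None:
            found.append((m.start(), m.group(0).decode(), text))
    return found


def recover_flag(blob):
    """Join the decoded pieces in the order they appear in the file."""
    return "".join(text for _, _, text in hunt_base64(blob))


if __name__ == "__main__":
    for offset, token, text in hunt_base64(SAMPLE_BLOB):
        print(f"{offset:#08x} {token} -> {text}")
    print(recover_flag(SAMPLE_BLOB))
```

Run it against the real library with open("libcore.so", "rb").read(); the printable filter and the length check discard symbol names and random alnum runs, and the offsets let you confirm the hits against IDA's Strings window.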

[V&N2020 Open] strangeCpp

An EXE. When run it prints information about the local system and exits on any key press. No packer; load it in IDA.
The Strings window has several strings hinting that the real flag has to be found elsewhere.
[image: strangecpp-strings]
The string cross-reference leads to sub_140013AA0. The function gathers local system information and prints it; at first glance there is nothing special:

__int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
{
  char *v3; // rdi
  signed __int64 i; // rcx
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  char v10; // [rsp+0h] [rbp-20h]
  struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
  __int64 *j; // [rsp+78h] [rbp+58h]
  __int64 v13; // [rsp+98h] [rbp+78h]
  __int64 *v14; // [rsp+1A0h] [rbp+180h]

  v14 = a3;
  v3 = &v10;
  for ( i = 94i64; i; --i )          // MSVC debug build: fill locals with 0xCCCCCCCC
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  sub_1400110AA(&unk_140027033);
  GetSystemInfo(&SystemInfo);
  putchar(byte_140021004);           // byte_140021004..byte_140021007, then the
  putchar(byte_140021005);           // address jumps to byte_140021019: the bytes
  putchar(byte_140021006);           // in between are never printed here
  putchar(byte_140021007);
  putchar(byte_140021019);
  putchar(byte_14002101A);
  putchar(byte_140021005);
  putchar(10);
  puts("Let me have a look at your computer...");
  for ( j = v14; *j; ++j )           // dump the environment block (a3 = envp)
  {
    v13 = *j;
    sub_140011226("%s\n", v13);
  }
  std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
  dword_140021190 = SystemInfo.dwNumberOfProcessors;
  sub_140011226("now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors);
  if ( dword_140021190 < 8 )         // anti-VM check on the CPU count
  {
    puts("Are you in VM?");
    _exit(0);
  }
  if ( GetUserNameA(Str1, &pcbBuffer) )
  {
    v5 = sub_140011172(std::cout, "this is useful");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_140011127);
  }
  v6 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
  v7 = sub_140011172(v6, "ok,I am checking...");
  std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_140011127);
  if ( !j_strcmp(Str1, "cxx") )      // user name "cxx" only prints a decoy flag
  {
    v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_140011127);
    _exit(0);
  }
  system("pause");
  sub_1400113E3(&v10, &unk_14001DE50);
  return 0i64;
}

Look carefully at the start of sub_140013AA0: the bytes passed to putchar are not at contiguous addresses (byte_140021004 through byte_140021007, then byte_140021019 and byte_14002101A).
[image: strangcpp-hint]
Go to the data section. Between "welc" and "om" there is an array that sub_140013AA0 never uses.
[image: strangecpp-hidden]
The array's cross-reference leads to sub_140013580. Analysis shows that this function XORs arg with each element of the array and prints the result, so the important thing is to work out what arg is.
[image: strangecpp-logic]
arg is first passed to sub_140011384 and the return value is stored in result; the if statement that follows places conditions on both result and arg. Inside sub_140011384 it is clear that result is computed from arg alone, so arg can be brute-forced against the expected result.
[image: strangecpp-sub_140011384]
With that, the flag can be obtained with a script:

#include <stdio.h>
#include <stdint.h>

int main(void)
{
	/* the 17 bytes between "welc" and "om" in .data, XORed with arg by sub_140013580 */
	unsigned char arr[] = {
		0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
		0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D };
	uint32_t result = 607052314;   /* value the return of sub_140011384 is compared with */
	uint32_t arg;

	/* upper bound on arg taken from the if statement in the binary */
	for (arg = 0; arg <= 14549743; arg++)
	{
		/* sub_140011384 works in 32-bit registers, so the product wraps mod 2^32;
		   unsigned arithmetic makes that wrap well defined */
		uint32_t v5 = arg >> 12;
		uint32_t v6 = arg << 8;
		if ((v6 ^ v5) * 291u == result)
		{
			printf("%u: ", arg);
			for (int i = 0; i < 17; i++)
				printf("%c", arr[i] ^ (arg & 0xFF));   /* %c keeps only the low byte */
			printf("\n");
		}
	}
	return 0;
}

Running it prints the flag:
[image: strangecpp-flag]
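The brute force above scans 14.5 million values. Since 291 is odd it is invertible modulo 2^32, so the check can be inverted directly; this added example (not from the original post) does that, recovers arg from the structure of the shift-and-xor, confirms it with the forward transform, and decodes the hidden bytes. The only assumptions are what the page already states: the 32-bit arithmetic of sub_140011384 and the bound on arg from the if statement. The decoded text is an instruction rather than the flag itself, so the last helper applies it.

```python
import hashlib

M32 = 1 << 32
TARGET = 607052314            # the value result is compared with
ARG_LIMIT = 14549743          # upper bound on arg from the if statement
# the 17 bytes between "welc" and "om" in .data
HIDDEN = bytes([0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
                0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D])


def transform(arg):
    """sub_140011384 as the page describes it, in 32-bit unsigned arithmetic."""
    return (((arg << 8) ^ (arg >> 12)) * 291) % M32


def solve_arg(target=TARGET, limit=ARG_LIMIT):
    """Invert transform() instead of scanning every value up to the limit."""
    # 291 is odd, so it has an inverse mod 2**32: recover y = (arg<<8) ^ (arg>>12).
    y = (target * pow(291, -1, M32)) % M32
    # arg <= limit < 2**24, so arg>>12 is at most 12 bits wide and only touches
    # bits 0..11 of y; bits 12..31 of y are bits 4..23 of arg, untouched by the
    # xor. That leaves just the low nibble of arg unknown: 16 candidates,
    # each confirmed with the forward transform (the limit is enforced too).
    high = (y >> 12) << 4
    hits = [a for a in range(high, high + 16) if a <= limit and transform(a) == target]
    return hits[0] if len(hits) == 1 else None


def decode_hidden(arg):
    """sub_140013580 XORs each byte with arg; printf("%c") keeps only the low byte."""
    return "".join(chr(b ^ (arg & 0xFF)) for b in HIDDEN)


def final_flag(arg):
    """The decoded text reads flag{MD5(theNum)}: hash the decimal number."""
    return "flag{" + hashlib.md5(str(arg).encode()).hexdigest() + "}"


if __name__ == "__main__":
    arg = solve_arg()
    print(arg, decode_hidden(arg))
    print(final_flag(arg))
```

The inversion is worth knowing beyond this challenge: a multiply by an odd constant modulo 2^32 is never a one-way step, and a shift-and-xor with a bounded input leaves most bits of the input readable directly from the output, so the search collapses from millions of candidates to sixteen.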

[BJDCTF2020]easy

An EXE. When run it tells you to look for the flag. No packer. In IDA there is nothing special about the main function.
[image: easy-main]
Above main in the Functions window there is a ques function. ques needs no input but it prints something, so the goal is to see what it prints. Debug the EXE in IDA and set a breakpoint just before main returns.
[image: easy-breakpoint]
When execution stops there, go to the first instruction of ques and set the current IP to it.
[image: easy-setip]
Then set a breakpoint before ques returns and press F9. ques runs, and what it prints is the flag.
[image: easy-flag]

Origin blog.csdn.net/weixin_45582916/article/details/114155818