REVERSE-PRACTICE-BUUCTF-8
[GUET-CTF2019]re
ELF file packed with UPX; analyze it in IDA after unpacking.
A string cross-reference leads to the main logic function, sub_400E28. The logic is clear: get the input, then verify it. The important part is the sub_4009AE function.
Inside sub_4009AE each input character is verified, and the input length is 32. input[6] is not verified.
A script is written at this point. Since the program does not verify input[6], which is the character at the "#" position, the submission succeeds when it is "1".
Photo album
APK file; the main logic is not found with jadx-gui.
Decompile the APK with Apktool Box: xiangce1->lib->armeabi->libcore.so
Analyze the .so file in IDA.
Press Shift+F12: three suspicious strings are found at the bottom of the strings window, and they look very much like base64.
Base64-decode the three strings. According to the hint in the challenge title, the content of the flag is a complete email address.
[V&N2020 Open] strangeCpp
EXE program. When run, it prints information about the local system and exits when any key is pressed. No packer; analyze it in IDA.
Some strings in the strings window hint that the real flag still has to be found.
A string cross-reference leads to the sub_140013AA0 function. The function gets the local system information and prints it; at first glance there is nothing special.
__int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
{
  char *v3; // rdi
  signed __int64 i; // rcx
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  char v10; // [rsp+0h] [rbp-20h]
  struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
  __int64 *j; // [rsp+78h] [rbp+58h]
  __int64 v13; // [rsp+98h] [rbp+78h]
  __int64 *v14; // [rsp+1A0h] [rbp+180h]
  v14 = a3;
  v3 = &v10;
  for ( i = 94i64; i; --i )
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  sub_1400110AA(&unk_140027033);
  GetSystemInfo(&SystemInfo);
  putchar(byte_140021004);
  putchar(byte_140021005);
  putchar(byte_140021006);
  putchar(byte_140021007);
  putchar(byte_140021019);
  putchar(byte_14002101A);
  putchar(byte_140021005);
  putchar(10);
  puts("Let me have a look at your computer...");
  for ( j = v14; *j; ++j )
  {
    v13 = *j;
    sub_140011226("%s\n", v13);
  }
  std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
  dword_140021190 = SystemInfo.dwNumberOfProcessors;
  sub_140011226("now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors);
  if ( dword_140021190 < 8 )
  {
    puts("Are you in VM?");
    _exit(0);
  }
  if ( GetUserNameA(Str1, &pcbBuffer) )
  {
    v5 = sub_140011172(std::cout, "this is useful");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_140011127);
  }
  v6 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
  v7 = sub_140011172(v6, "ok,I am checking...");
  std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_140011127);
  if ( !j_strcmp(Str1, "cxx") )
  {
    v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_140011127);
    _exit(0);
  }
  system("pause");
  sub_1400113E3(&v10, &unk_14001DE50);
  return 0i64;
}
Look carefully at the beginning of the sub_140013AA0 function: the storage addresses of the putchar arguments are not contiguous.
Go to the data section. Between "welc" and "om" there is an array that is not used in the sub_140013AA0 function.
A cross-reference on this array leads to the sub_140013580 function. Analysis shows that it XORs arg with the elements of this array and then prints the result, so the important thing is to find arg.
arg is first passed into the sub_140011384 function as a parameter, and the returned value is stored in result. The if statement that follows places requirements on result and arg.
Inside the sub_140011384 function we can see that result is computed from arg, so the flag can be obtained by writing a script.
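#include <stdio.h>
#include <stdint.h>

int main(void)
{
    /* Array found between "welc" and "om" in the data section */
    unsigned char arr[] = {
        0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
        0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D };
    uint32_t result = 607052314;    /* value the if statement requires of result */
    int arg = 0;
    while (arg <= 14549743)         /* upper bound the if statement puts on arg */
    {
        uint32_t v5 = (uint32_t)arg >> 12;
        uint32_t v6 = (uint32_t)arg << 8;
        /* Unsigned 32-bit arithmetic: the product wraps instead of overflowing a signed int */
        if (result == (v6 ^ v5) * 291u)
        {
            printf("%d: ", arg);
            for (int i = 0; i < 17; i++)
            {
                /* Only the low byte of arg takes part in the XOR that is printed */
                printf("%c", arr[i] ^ (arg & 0xFF));
            }
            printf("\n");
        }
        arg += 1;
    }
    return 0;
}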
Result of running the script
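The brute-force loop can also be replaced by a direct inversion, given here as an added example that is not part of the original write-up: 291 is odd, so the multiplication can be undone modulo 2^32, and for arg below 2^24 the shift/XOR step can be undone bit by bit. It assumes the check wraps at 32 bits, as the script's comparison does; the names forward, inv_mod_2_32, recover_arg and decode are my own.

```c
#include <stdint.h>
#include <stdio.h>

#define TARGET  607052314u  /* result value from the page's script */
#define ARG_MAX 14549743u   /* upper bound on arg from the page's script */

static const unsigned char arr[17] = {
    0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 0x04, 0x75, 0x68, 0x34,
    0x28, 0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D };

/* The check from the page's script; assumed to wrap at 32 bits. */
static uint32_t forward(uint32_t arg) {
    return ((arg << 8) ^ (arg >> 12)) * 291u;
}

/* Inverse of an odd a modulo 2^32 by Newton iteration. */
static uint32_t inv_mod_2_32(uint32_t a) {
    uint32_t x = a;                 /* a*a == 1 (mod 8): 3 correct bits */
    for (int i = 0; i < 5; i++)
        x *= 2u - a * x;            /* each round doubles the correct bits */
    return x;
}

/* Returns the only arg <= ARG_MAX that maps to target, or -1 if none. */
long recover_arg(uint32_t target) {
    uint32_t x = target * inv_mod_2_32(291u); /* (arg << 8) ^ (arg >> 12) */
    uint32_t top4 = x >> 28;                  /* arg bits 20..23 */
    uint32_t low4 = ((x >> 8) & 0xFu) ^ top4; /* arg bits 0..3 */
    uint32_t arg = ((x >> 12) << 4) | low4;   /* bits 4..23 copied from x */
    /* The forward check also validates x bits 0..7 against arg bits 12..19. */
    return (arg <= ARG_MAX && forward(arg) == target) ? (long)arg : -1;
}

/* XOR the array with the low byte of arg; out must hold 18 bytes. */
void decode(uint32_t arg, char out[18]) {
    for (int i = 0; i < 17; i++)
        out[i] = (char)(arr[i] ^ (arg & 0xFFu));
    out[17] = '\0';
}

int main(void) {
    char text[18];
    long arg = recover_arg(TARGET);
    if (arg < 0) return 1;
    decode((uint32_t)arg, text);
    printf("%ld: %s\n", arg, text);
    return 0;
}
```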
[BJDCTF2020]easy
EXE program; when run, it prompts you to look for the flag. No packer.
IDA analysis shows nothing special in the main function.
In the function window there is a ques function just above main. The ques function takes no input, but it does print output.
To see what ques prints, debug the exe and set a breakpoint before the main function returns.
After the program stops, go to the first instruction of the ques function and set the current IP there.
Set a breakpoint before the ques function returns and press F9 to run. The ques function executes, and the printed content is the flag.