REVERSE-PRACTICE-BUUCTF-6

rsa

The unzipped archive contains a .enc file and a .key file: .enc is the ciphertext and .key holds the public key.
Parse the public key in the .key file with an online tool or with openssl (openssl rsa -pubin -in file.key -text -noout) to
get the modulus n and the public exponent e that RSA needs.
rsa-n_e
Factor the modulus n with an online factoring service or with yafu; the result is two large primes p and q.
rsa-break_n
With p, q and e, compute d = e^-1 mod (p-1)(q-1) and write a script that decrypts .enc to get the flag.
rsa-script
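The decryption script described above, written out as an added example rather than the page's own script: the modulus and exponent are built here from two small constructed primes so it runs offline, Pollard's rho stands in for yafu, and the .enc ciphertext is assumed to be the raw big-endian bytes of the RSA integer.

```python
import math
import random


def pollard_rho(n, rng=random.Random(1)):
    """Return a non-trivial factor of composite n using Pollard's rho.

    Adequate for the demo modulus (two ~30-bit primes); a real CTF modulus
    goes to yafu or an online factoring service as the write-up suggests.
    """
    if n % 2 == 0:
        return 2
    while True:
        x = y = rng.randrange(2, n - 1)
        c = rng.randrange(1, n - 1)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:  # d == n means the sequence collapsed; retry with a new c
            return d


def rsa_recover_private_exponent(n, e):
    """Factor n = p*q and derive d = e^-1 mod (p-1)(q-1)."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n:
        raise ValueError("factorization failed")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return p, q, d


def rsa_encrypt(n, e, plaintext):
    """Textbook RSA of a short message; used only to construct the demo .enc bytes."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    c = pow(m, e, n)
    return c.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_decrypt(n, d, ciphertext):
    """Decrypt raw big-endian ciphertext bytes (assumed .enc layout) back to bytes."""
    c = int.from_bytes(ciphertext, "big")
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed demo key: two well-known small primes, not the challenge's values.
DEMO_P = 1000000007
DEMO_Q = 1000000009
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537

if __name__ == "__main__":
    enc = rsa_encrypt(DEMO_N, DEMO_E, b"flag{1}")
    p, q, d = rsa_recover_private_exponent(DEMO_N, DEMO_E)
    print(p, q, rsa_decrypt(DEMO_N, d, enc))
```

For the real challenge replace DEMO_N and DEMO_E with the values openssl prints and pass the bytes of the .enc file to rsa_decrypt; if the decrypted bytes are not readable, check whether the ciphertext was stored little-endian or as hex text rather than raw bytes.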

CrackRTF

An exe program; after running it prompts for a password and exits directly on a wrong one. It is not packed. In the
main function, IDA shows that a password has to be entered twice. Look at the first password first: its logic is
clear, and the focus is on the function sub_40100A.
CrackRTF-logic1
Stepping into sub_40100A reveals a call to CryptCreateHash. The important detail is the second parameter of this
function, the ALG_ID, which selects the hash algorithm: here 0x8004u is CALG_SHA, i.e. SHA-1.
CrackRTF-sub_40100A
Write a script to brute-force the first password.
CrackRTF-pwd1
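An added brute-force script for this step, not the page's own: the candidate space (6 digits), the appended suffix "@example" and the target digest are assumptions made up for the demo, and the real alphabet, suffix and comparison value have to be read out of the binary. The ALG_ID to algorithm mapping follows wincrypt.h, so the same helper covers the MD5 case (0x8003) used by the second password.

```python
import hashlib
from itertools import product

# Windows CryptoAPI ALG_ID values (wincrypt.h) for algorithms hashlib can reproduce.
# 0x8004 (CALG_SHA) is SHA-1, which is what the page's sub_40100A uses; 0x8003 is CALG_MD5.
ALG_ID_TO_HASHLIB = {
    0x8003: "md5",
    0x8004: "sha1",
    0x800C: "sha256",
}


def cryptoapi_hash_hex(alg_id, data):
    """Hex digest of data under the algorithm CryptCreateHash would select for alg_id."""
    return hashlib.new(ALG_ID_TO_HASHLIB[alg_id], data).hexdigest()


def brute_force_password(alg_id, target_hex, suffix=b"", alphabet="0123456789", length=6):
    """Enumerate alphabet^length candidates, hash candidate+suffix, return the match or None.

    alphabet/length/suffix are the constraints the binary imposes on the input;
    the 6-digit default and the suffix are demo assumptions, not the challenge's values.
    """
    target = target_hex.lower()
    for combo in product(alphabet, repeat=length):
        candidate = "".join(combo).encode()
        if cryptoapi_hash_hex(alg_id, candidate + suffix) == target:
            return candidate
    return None


# Constructed demo target: pretend the binary compares against SHA-1("<6 digits>@example").
DEMO_SUFFIX = b"@example"
DEMO_TARGET = cryptoapi_hash_hex(0x8004, b"001234" + DEMO_SUFFIX)

if __name__ == "__main__":
    print(brute_force_password(0x8004, DEMO_TARGET, suffix=DEMO_SUFFIX))
```

Check the order of CryptHashData calls in the binary before choosing candidate + suffix: if the fixed string is hashed first, swap the concatenation, and if the program hashes the terminating NUL as well, append b"\x00".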
Then there is the second password. It has the same structure as the first but uses the MD5 hash, and the program places no restriction on the 6 characters of the second password, so brute-forcing is not practical. Further down, after being concatenated, input_2 is passed as a parameter to the function sub_40100F.
CrackRTF-logic2
The main logic of sub_40100F is marked with a red box: the resource "AAA" of the exe is XORed with the concatenated input_2, and the result is written to a file named "dbapp.rtf" that the program creates.
Use the tool Resource Hacker to extract the data of the resource "AAA".
The function sub_401005 performs the XOR.
The program has to create and fill a complete RTF file, so the RTF header is indispensable. Search for or create an empty .rtf file and open it with 010 Editor to see the header.
That header has to appear at the front of the file produced from input_2, and the second password sits at the front of the concatenated input; in other words, the XOR of the second password with the data of the resource "AAA" must be the RTF file header.
CrackRTF-sub_40100F
Write the script to get the second password. Its length is 6, so XOR the first 6 bytes of the resource "AAA" with the first 6 bytes of the RTF header. Note that in a Python string literal "\r" is an escape sequence (a carriage return), so the backslash in the header must be doubled, as in "{\\rtf1", or a raw string used.
CrackRTF-script
Run the exe program again and enter the correct first and second passwords; a "dbapp.rtf" file is generated in the current directory, and its content is the flag.
CrackRTF-flag

[2019 Red Hat Cup] easyRE

An ELF file, not packed; analyze it in IDA.
The main logic function cannot be found in the function window on the left. Shift+F12 opens the Strings window, where
there is a long
easyRE-Strings
string that looks like base64, together with the base64 alphabet. Cross-referencing the base64 string leads to the function sub_4009C6. First
look at the fragment of this function that uses the base64 string.
The logic is that v56 goes through 10 rounds of base64 encoding, and the result is the known base64 string.
easyRE-debase64
Write a script that base64-decodes the string 10 times to recover v56. The result is a URL with nothing related to the flag; it is there to mislead players.
easyRE-fake
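An added example (not the page's script) of undoing the 10 nested base64 layers, with a constructed URL standing in for the real string. It also shows the general form that keeps decoding until the output stops being well-formed base64, which is how to find the layer count when it is not obvious from the disassembly.

```python
import base64
import binascii


def wrap_base64(data, rounds):
    """Apply base64 `rounds` times (the forward direction sub_4009C6 implements)."""
    for _ in range(rounds):
        data = base64.b64encode(data)
    return data


def peel_base64(data, rounds=None):
    """Undo nested base64 and return (innermost_bytes, layers_decoded).

    rounds=N decodes exactly N layers and raises if a layer is malformed.
    rounds=None keeps decoding while the data is still well-formed base64;
    every inner layer of a nested encoding is, so decoding stops at the payload.
    """
    done = 0
    while rounds is None or done < rounds:
        stripped = data.strip()
        if rounds is None and (not stripped or len(stripped) % 4):
            break
        try:
            decoded = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            if rounds is None:
                break
            raise
        data = decoded
        done += 1
    return data, done


# Constructed stand-in for the decoy string: a URL wrapped in 10 layers of base64.
DEMO_URL = b"http://example.invalid/not-the-flag"
DEMO_WRAPPED = wrap_base64(DEMO_URL, 10)

if __name__ == "__main__":
    print(peel_base64(DEMO_WRAPPED, rounds=10))
    print(peel_base64(DEMO_WRAPPED))
```

The auto-stop mode can overshoot if the innermost payload happens to be a multiple of 4 bytes drawn entirely from the base64 alphabet; when the round count is known from the code, as it is here (10), pass it explicitly.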
Continue with the rest of the sub_4009C6 function. At the beginning it assigns values to a bunch of variables, and then there is a comparison followed by an XOR.
easyRE-sub_4009C6
The relevant code is marked with a red box: it reveals that the first four characters are "flag", but gives no hint about the rest of the flag.
easyRE-script
Having analyzed sub_4009C6, there is no check on the actual content of the flag.
So go back to the Strings window to look for other hints.
Below that base64 string there is a block of data that the sub_4009C6 function does not use.
easyRE-hidden
Cross-referencing it leads to the function sub_400D35.
v5 and v8 are the same value; the XOR of the first 4 bytes of v8 with the byte_6CC0A0 array is compared with "flag", which again marks the first 4 characters as "flag".
v8 is then XORed with all the elements of the byte_6CC0A0 array.
easyRE-sub_400D35
Write a script that first solves for v8 from the known "flag" prefix and then loops the XOR over the whole array to get the flag.
easyRE-script
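One added example (not the page's code) that covers both known-plaintext XOR recoveries in this write-up: the CrackRTF second password, where the first 6 bytes of resource "AAA" XOR the 6-byte RTF header "{\rtf1" give the password, and this easyRE step, where the first 4 bytes of byte_6CC0A0 XOR "flag" give v8, which is then applied across the whole array. The resource bytes, the byte_6CC0A0 contents, the password and the flag are all constructed for the demo, and the assumption that v8 is a single repeated byte is checked by collapsing the recovered key to its shortest period rather than taken for granted.

```python
def recover_xor_key(ciphertext, known_plaintext):
    """Key bytes = ciphertext XOR plaintext over the span where the plaintext is known."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def shortest_period(key):
    """Collapse a repeating key to its shortest period (b'ZZZZ' -> b'Z', b'abab' -> b'ab')."""
    for period in range(1, len(key) + 1):
        if all(key[i] == key[i % period] for i in range(len(key))):
            return key[:period]
    return key


def xor_with_key(data, key):
    """XOR data against a cyclically repeated key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Every RTF file starts with this 6-byte header. The backslash is doubled because
# in a normal Python literal "\r" is a carriage return, not a backslash followed by r.
RTF_HEADER = b"{\\rtf1"


def crack_rtf_password(resource):
    """CrackRTF: the 6-byte second password sits at the start of the key stream,
    so the first 6 resource bytes XOR the RTF header give it directly (assumption
    from the write-up: the password is the first 6 key bytes)."""
    return recover_xor_key(resource[: len(RTF_HEADER)], RTF_HEADER)


def easyre_flag(byte_array):
    """easyRE: derive v8 from the known 'flag' prefix, then XOR the whole array with it."""
    v8 = shortest_period(recover_xor_key(byte_array[:4], b"flag"))
    return xor_with_key(byte_array, v8)


# Constructed resource "AAA": a small RTF document XORed with a made-up 6-byte password.
DEMO_PASSWORD2 = b"Secr3t"
DEMO_RESOURCE = xor_with_key(RTF_HEADER + b"\\ansi demo}", DEMO_PASSWORD2)

# Constructed byte_6CC0A0: a made-up flag XORed with a single repeated byte.
DEMO_V8 = b"\x5a"
DEMO_BYTE_6CC0A0 = xor_with_key(b"flag{x0r_demo}", DEMO_V8)

if __name__ == "__main__":
    print(crack_rtf_password(DEMO_RESOURCE))
    print(easyre_flag(DEMO_BYTE_6CC0A0))
```

If the recovered easyRE key does not collapse to one byte, v8 is wider than a byte and the 4-byte key is applied as-is; if the CrackRTF result is not printable, the password is probably not at the very start of the key stream and the offset into resource "AAA" has to be adjusted.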

[ACTF Freshman Competition 2020] easyre

An exe program; it prompts for input after running and exits directly on wrong input. It is packed with UPX. After unpacking it (upx -d), the
main function's logic is clear in IDA: each character of the flag minus 1 is used as an index into the _data_start_ array, and the values fetched are compared with v4 through v15 to verify the flag.
easyre-logic
Write the reverse script to get the flag.
easyre-script
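The reversal, as an added example rather than the page's own script: _data_start_ is stood in for by a constructed 256-entry table and v4..v15 by the outputs of a constructed flag, and the helper refuses to guess when a table value occurs at more than one index instead of silently taking the first.

```python
PRINTABLE = range(0x20, 0x7F)


def lookup_encode(table, flag):
    """The binary's forward direction: output[i] = table[flag[i] - 1]."""
    return bytes(table[c - 1] for c in flag)


def invert_index_lookup(table, outputs):
    """Recover input bytes x from outputs y where y = table[x - 1].

    Builds the inverse map once. When a value occurs at several indices, keeps only
    candidates that are printable ASCII and raises if that still leaves != 1 choice.
    """
    positions = {}
    for idx, val in enumerate(table):
        positions.setdefault(val, []).append(idx + 1)  # undo the "minus 1"
    result = bytearray()
    for pos, y in enumerate(outputs):
        cands = [x for x in positions.get(y, []) if x in PRINTABLE]
        if len(cands) != 1:
            raise ValueError(f"position {pos}: candidates {cands} for output {y:#04x}")
        result.append(cands[0])
    return bytes(result)


# Constructed stand-in for _data_start_: 256 distinct values (7 is coprime with 256).
DEMO_TABLE = bytes((7 * i + 3) % 256 for i in range(256))
DEMO_FLAG = b"flag{demo}"
DEMO_OUTPUTS = lookup_encode(DEMO_TABLE, DEMO_FLAG)  # plays the role of v4..v15

if __name__ == "__main__":
    print(invert_index_lookup(DEMO_TABLE, DEMO_OUTPUTS))
```

For the real binary, dump _data_start_ from IDA (or with a script over the unpacked file) into table and put the compared constants in the order the code checks them into outputs.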

Origin blog.csdn.net/weixin_45582916/article/details/114155800