REVERSE-PRACTICE-BUUCTF-6
rsa
The unzipped files are .enc and .key. The .enc file is the ciphertext, and the .key file stores the public key information.
Use an online website or openssl to parse the public key information stored in the .key file and get the modulus n and the public exponent e that RSA requires.
Use an online website or yafu to factor the modulus n from the public key; the result is two large prime numbers.
Write a script to get the flag.
CrackRTF
An exe program. After running, it prompts for a password and then exits directly. It is not packed.
Analyzing the main function in IDA shows that a password has to be entered twice. Look at the first password first.
The logic of the first password is clear. The focus is on the function sub_40100A. Click into sub_40100A and you find that it calls the CryptCreateHash function.
The important thing is that the second parameter of CryptCreateHash determines the hash algorithm to be used. Here 0x8004u selects the SHA (SHA-1) algorithm.
Write a script to brute-force the first password.
Then there is the second password. Its logic is the same as for the first password, except that it uses the MD5 hash. However, no restrictions are imposed on the 6 characters of the second password, so brute force is not advisable.
Further down, after the splicing, input_2 is passed into the sub_40100F function as a parameter.
The main logic of the sub_40100F function is marked with a red box: the exe's resource "AAA" and the spliced input_2 are XORed, and the result is written to a newly created file named "dbapp.rtf".
Use the tool Resource Hacker to obtain the data of the resource "AAA".
The sub_401005 function performs the XOR operation.
The program needs to create and fill a complete rtf file, so the rtf file header is indispensable. Search for an rtf file or create an empty one, and open it with 010editor to learn the rtf file header.
When the second password is spliced, it is placed at the front of input_2. That is to say, the result of XORing the second password with the data of the resource "AAA" is the rtf file header.
Write a script to get the second password. The length of the second password is 6, so XOR the first 6 bytes of the resource "AAA" with the first 6 bytes of the rtf file header to get the second password. Note that "\r" is an escape sequence in Python, so add an extra "\".
Run the exe program again and enter the correct first and second passwords. A "dbapp.rtf" file is generated in the current directory, and its content is the flag.
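The known-plaintext step for the second password, as an added example (not the author's script). The resource bytes, password and key suffix below are constructed sample values, not data from the challenge binary, and the repeating-key behaviour of the XOR helper is an assumption.

```python
# Added example: recover the 6-character second password from an
# XOR-encrypted RTF resource using the RTF header as known plaintext.
from itertools import cycle

RTF_MAGIC = b"{\\rtf1"   # correct: backslash escaped, 6 bytes
BAD_MAGIC = b"{\rtf1"    # pitfall: "\r" becomes a carriage return, 5 bytes


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key (assumed behaviour of the XOR helper)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_prefix(resource: bytes, known: bytes = RTF_MAGIC) -> bytes:
    """key[i] = resource[i] ^ plaintext[i] for each byte of known plaintext."""
    if len(resource) < len(known):
        raise ValueError("resource shorter than the known header")
    return bytes(r ^ p for r, p in zip(resource, known))


# Constructed sample data standing in for the real resource "AAA".
SAMPLE_PASSWORD = b"Zq7#xP"        # hypothetical second password
SAMPLE_SUFFIX = b"first-part"      # hypothetical rest of the spliced key
SAMPLE_DOC = b"{\\rtf1\\ansi flag{constructed_example}}"
SAMPLE_RESOURCE = xor_repeat(SAMPLE_DOC, SAMPLE_PASSWORD + SAMPLE_SUFFIX)


def demo():
    password = recover_prefix(SAMPLE_RESOURCE)
    # Confirm the result: decrypting with the full spliced key must give valid RTF.
    doc = xor_repeat(SAMPLE_RESOURCE, password + SAMPLE_SUFFIX)
    return password, doc


if __name__ == "__main__":
    pw, doc = demo()
    print("second password:", pw.decode())
    print("decrypted file :", doc.decode())
    print("unescaped header gives:", recover_prefix(SAMPLE_RESOURCE, BAD_MAGIC))
```

With the unescaped header the recovered value is one byte short and wrong from the second byte on, which is the failure the "\r" note above warns about.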
[2019 Red Hat Cup] easyRE
An ELF file, not packed. Analyze it with IDA.
The main logic function cannot be found in the function window on the left. Shift+F12 opens the strings window, where I found a long string that looks like base64, along with the base64 character table.
Cross-referencing the base64 string leads all the way to the sub_4009C6 function.
First look at the fragment of this function that uses the base64 string. The logic is that v56 undergoes 10 base64 transformations, and the result is the known base64 string.
Write a script to get v56. The result is a url, and no content related to the flag is found there. It should be there to mislead the players.
Continue to look at the rest of the sub_4009C6 function. The function assigns values to a bunch of variables at the beginning, and then there is an operation that XORs and then compares.
The script is marked with a red box; it hints that the first four characters are "Flag", with no hint about the specific content of the flag.
With the sub_4009C6 function fully analyzed, there is still no check on the specific content of the flag.
So go to the strings window again to look for any other hints.
Below that base64 string there is a block of data that is not used in the sub_4009C6 function. Cross-referencing it leads to the sub_400D35 function.
v5 and v8 are the same. The result of XORing the first 4 characters of v8 with the byte_6CC0A0 array is "flag", and the earlier hint also says that the first 4 characters are "flag".
v8 is then XORed in a loop with all the elements of the byte_6CC0A0 array.
Write a script that first solves for v8 and then loops the XOR to get the flag.
[ACTF Freshman Competition 2020] easyre
An exe program. It prompts for input after running and exits directly on wrong input. It is packed with UPX; analyze it with IDA after unpacking.
The main function logic is clear after unpacking: each character of the flag content minus 1 is used as a subscript, the value is taken from the _data_start_ array, and it is compared with v4 to v15 to verify the content of the flag.
Write the reverse script to get the flag.