REVERSE-PRACTICE-BUUCTF-4

Scratch a prize

An exe file. Running it shows no prompt, and it is not packed, so analyze it with IDA.
WinMain->DialogBoxParamA->DialogFunc
DialogBoxParamA function:
[Image: DialogParamA-Intro]
DialogFunc function:
[Image: Scratch a prize-DialogFunc]
The sub_8A10F0 function calls itself recursively; its job is to change the positions of the data in v7 to v17. Lightly adapting the function's code and running it gives the data in v7 to v17 after the positions have changed.

#include <stdio.h>

/* Data held in v7 to v17 before the call */
int arr[] = { 90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103 };

/* Decompiled routine, lightly adapted: rearranges a1[a2..a3] in place
   and calls itself on the part to the left of the current position. */
void sub_8A10F0(int *a1, int a2, int a3)
{
	int result;
	int i;
	int v5;
	int v6;

	result = a3;
	for (i = a2; i <= a3; a2 = i)
	{
		v5 = i;
		v6 = a1[i];
		if (a2 < result && i < result)
		{
			do
			{
				if (v6 > a1[result])
				{
					if (i >= result)
						break;
					++i;
					a1[v5] = a1[result];
					if (i >= result)
						break;
					while (a1[i] <= v6)
					{
						if (++i >= result)
							goto LABEL_13;
					}
					if (i >= result)
						break;
					v5 = i;
					a1[result] = a1[i];
				}
				--result;
			} while (i < result);
		}
	LABEL_13:
		a1[result] = v6;
		sub_8A10F0(a1, a2, i - 1);
		result = a3;
		++i;
	}
}

int main(void)
{
	sub_8A10F0(arr, 0, 10);
	/* Print each value as a number and as a character */
	for (int i = 0; i < (int)(sizeof(arr) / sizeof(int)); i++)
	{
		printf("%d-%c\n", arr[i], arr[i]);
	}
	return 0;
}

Result of running it:
[Image: sub_8A10F0-result]
The GetDlgItemTextA function used there:
[Image: GetDlgItemTextA-Intro]
Continuing down, there are two base64 transformations, followed by the final comparison.
[Image: Scratch a prize-DialogFunc1]
Here v19 to v25 are actually the last 7 characters of the input; their positions on the stack correspond as shown below. So String and v19 come from the sub_8A10F0 result, v20 to v22 come from base64-decoding v5, and v23 to v25 come from base64-decoding v4, which gives the flag.
[Image: Scratch a prize-DialogFunc2]

[BJDCTF 2nd]8086

An exe program that cannot be run; the program name hints that the assembly has to be read. Analyze it with IDA.
No useful logic is visible at first, but there is a block of hard-coded bytes; press c to convert it into assembly code.
[Image: 8086-logic]
Analyzing the assembly code shows that it XORs a string with 0x1F.
[Image: 8086-logic1]
Write a script to get the flag.
[Image: 8086-script]

[GKCTF2020]Check_1n

An exe program. When run, it draws a Windows XP PC and asks for a power-on password. It is not packed; analyze it with IDA.
Start at the main function, which is a mess.
[Image: check_in-main]
In sub_40100A->sub_404DF0, byte_1C76740 appears to be compared with the string "HelloWorld". Guessing that this string is the power-on password, I tried it and the machine booted.
[Image: check_in-pwd]
After booting there are a few mini-games and a flag item, so go straight to the flag item.
[Image: check_in-game]
The prompt says it is a fake flag, and there is a string that looks like base64.
[Image: check_in-flagmode]
Decoding the base64 gives a hint to try the brick game.
[Image: check_in-debase64]
I died before figuring out how to play the brick game, but the flag is shown at the top of the screen, and submitting it succeeded.
[Image: check_in-flag]

[GXYCTF2019]luck_guy

An ELF file, not packed; analyze it with IDA.
Analyzing the main function: the input must be an even number to enter the get_flag() function.
The get_flag() function takes 5 random numbers and dispatches on each with a switch. case 1 gives the first half of the flag; the second half is f2, but f2 is not known at that point. case 2 and case 3 are useless, case 4 assigns a value to f2, and case 5 transforms f2.
[Image: lucky_guy-get_flag]
Write the script from case 5, paying attention to little-endian byte order. The length is 8; a byte at an odd index has 2 subtracted from it, and a byte at an even index has 1 subtracted. This gives the second half of the flag, and joining it to the first half gives the flag.
[Image: lucky_guy-script]
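The case 5 step described above, as an added example in C (not the author's script): it unpacks a 64-bit constant in little-endian order, then subtracts 2 at odd indexes and 1 at even indexes. The constant is constructed from the string "EXAMPLE!" and is not the challenge's f2; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out a 64-bit constant as x86-64 stores it: least significant byte first. */
static void le_bytes(uint64_t v, unsigned char out[8])
{
    for (int j = 0; j < 8; j++)
        out[j] = (unsigned char)(v >> (8 * j));
}

/* Pack 8 bytes into the integer a decompiler would display for them. */
static uint64_t le_pack(const unsigned char in[8])
{
    uint64_t v = 0;
    for (int j = 0; j < 8; j++)
        v |= (uint64_t)in[j] << (8 * j);
    return v;
}

/* Build a constructed sample constant by undoing the case 5 step on 8 chars. */
uint64_t make_sample(const char *plain8)
{
    unsigned char b[8];
    for (int j = 0; j < 8; j++)
        b[j] = (unsigned char)(plain8[j] + ((j % 2 == 1) ? 2 : 1));
    return le_pack(b);
}

/* case 5 as the write-up describes it: odd index minus 2, even index minus 1. */
void decode_f2(uint64_t f2, char out[9])
{
    unsigned char b[8];
    le_bytes(f2, b);   /* reading the constant left to right would reverse the text */
    for (int j = 0; j < 8; j++)
        b[j] = (unsigned char)(b[j] - ((j % 2 == 1) ? 2 : 1));
    memcpy(out, b, 8);
    out[8] = '\0';
}

int main(void)
{
    uint64_t sample = make_sample("EXAMPLE!"); /* constructed, not the real f2 */
    char out[9];
    decode_f2(sample, out);
    printf("0x%016llx -> %s\n", (unsigned long long)sample, out);
    return 0;
}
```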

Origin blog.csdn.net/weixin_45582916/article/details/114155776