REVERSE-PRACTICE-BUUCTF-4
Scratch a prize
An exe file. Running it shows no prompt, and it is not packed, so analyze it with IDA.
WinMain->DialogBoxParamA->DialogFunc
DialogBoxParamA function:
DialogFunc function:
The sub_8A10F0 function calls itself recursively; its role is to rearrange the data in v7 through v17. Taking the decompiled code of this function, tidying it up slightly and running it gives the data in v7 through v17 after the rearrangement.
#include <stdio.h>

/* Initial values of v7 through v17 */
int arr[] = { 90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103 };

/* Decompiled sub_8A10F0: rearranges a1[a2..a3] in place, calling itself recursively */
void sub_8A10F0(int *a1, int a2, int a3)
{
    int result;
    int i;
    int v5;
    int v6;

    result = a3;
    for (i = a2; i <= a3; a2 = i)
    {
        v5 = i;
        v6 = a1[i];
        if (a2 < result && i < result)
        {
            do
            {
                if (v6 > a1[result])
                {
                    if (i >= result)
                        break;
                    ++i;
                    a1[v5] = a1[result];
                    if (i >= result)
                        break;
                    while (a1[i] <= v6)
                    {
                        if (++i >= result)
                            goto LABEL_13;
                    }
                    if (i >= result)
                        break;
                    v5 = i;
                    a1[result] = a1[i];
                }
                --result;
            } while (i < result);
        }
LABEL_13:
        a1[result] = v6;
        sub_8A10F0(a1, a2, i - 1);
        result = a3;
        ++i;
    }
}

int main(void)
{
    sub_8A10F0(arr, 0, 10);
    /* Print each rearranged value as a number and as a character */
    for (int i = 0; i < (int)(sizeof(arr) / sizeof(int)); i++)
    {
        printf("%d-%c\n", arr[i], arr[i]);
    }
    return 0;
}
Operation result:
The GetDlgItemTextA function:
Further down there are two base64 transformations, followed by a final comparison.
Here v19 through v25 are actually the last 7 characters of the input, and their positions on the stack correspond as follows. So use the output of sub_8A10F0 to solve for String and v19, base64-decode v5 to get v20 through v22, and base64-decode v4 to get v23 through v25; this gives the flag.
[BJDCTF 2nd]8086
An exe program that cannot be run. The program name hints at reading assembly, so analyze it with IDA.
No useful logic is visible at first, but there is a block of hard-coded bytes; press c to convert it into assembly code.
Analyzing the assembly code shows that it XORs a string with 0x1F.
Write code to do the same and you get the flag.
[GKCTF2020]Check_1n
An exe program. Running it draws a Windows XP PC that asks for a power-on password. It is not packed, so analyze it with IDA.
Start at the main function, which is a mess.
In sub_40100A->sub_404DF0, byte_1C76740 appears to be compared with the string "HelloWorld". Guessing that this string is the power-on password, I tried it and the machine turned on.
After power-on there are a few small games and a flag item; go straight to the flag item.
The prompt says it is a fake flag, and there is a string that looks like base64.
Decoding the base64 gives a message that says to try the brick game.
I don't know how to play the brick game and died right away, but the flag is shown at the top of the screen, and the submission succeeded.
[GXYCTF2019]luck_guy
An ELF file, not packed; analyze it with IDA.
The main function requires an even number as input, then enters the get_flag() function.
The get_flag() function draws 5 random numbers and dispatches on each with a switch. Case 1 gives the first half of the flag and uses f2 as the second half, but f2 is not known at that point. Cases 2 and 3 are useless, case 4 assigns a value to f2, and case 5 transforms f2.
Write the script according to case 5, paying attention to little-endian byte order. The length is 8; elements at odd subscripts have 2 subtracted and elements at even subscripts have 1 subtracted. This gives the second half of the flag, and joining the two halves gives the flag.
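The case 5 step described above, as an added example that is not code from the original write-up. SAMPLE_F2 is a constructed value, not the challenge's constant, and the function names are hypothetical; it assumes f2 appears in the decompiler as one 64-bit immediate, and shows why the byte order matters before the odd/even subtraction is applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define F2_LEN 8 /* length stated in the write-up */

/* Constructed sample, NOT the challenge's constant: the bytes "bddffhhj"
 * as they look when packed into a single 64-bit immediate. */
#define SAMPLE_F2 UINT64_C(0x6A68686666646462)

/* Split a 64-bit immediate into bytes. On a little-endian target the least
 * significant byte is stored first, so that is subscript 0. Shifting keeps
 * the result independent of the endianness of the machine running this. */
static void unpack(uint64_t packed, int msb_first, unsigned char out[F2_LEN])
{
    for (int i = 0; i < F2_LEN; i++) {
        int shift = 8 * (msb_first ? F2_LEN - 1 - i : i);
        out[i] = (unsigned char)(packed >> shift);
    }
}

/* The case 5 transform: odd subscripts lose 2, even subscripts lose 1. */
static void case5_transform(unsigned char buf[F2_LEN])
{
    for (int j = 0; j < F2_LEN; j++)
        buf[j] -= (j % 2 == 1) ? 2 : 1;
}

/* Decode a packed f2 value into out (9 bytes, NUL-terminated).
 * msb_first = 1 reproduces the mistake of reading the hex digits
 * left to right instead of in memory order. */
void decode_f2(uint64_t packed, int msb_first, char out[F2_LEN + 1])
{
    unsigned char buf[F2_LEN];
    unpack(packed, msb_first, buf);
    case5_transform(buf);
    memcpy(out, buf, F2_LEN);
    out[F2_LEN] = '\0';
}

int main(void)
{
    char good[F2_LEN + 1], bad[F2_LEN + 1];
    decode_f2(SAMPLE_F2, 0, good);
    decode_f2(SAMPLE_F2, 1, bad);
    printf("little-endian: %s\nwrong order:   %s\n", good, bad);
    return 0;
}
```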