REVERSE-PRACTICE-JarvisOJ-3

Climb the stairs

An apk file. Install it in the emulator and run it. The "Climb a floor" button can be pressed; each click adds 1 to the "Climbed floor" counter. The "Climb to see FLAG" button cannot be pressed; presumably it becomes clickable once "Climbed floor" equals "floor to climb", and pressing it then shows the flag.

[image: plt-running]

Open the apk in jadx-gui. The main logic is in com.ctf.test.ctf_100.MainActivity, which loads the ctf library in a static block. In the onCreate method the floor to climb is set to a random number; when the climbed floor is greater than or equal to the floor to climb, pressing the flag button shows the flag.

[image: plt-logic]

At the start of the program the flag button is set to unclickable, and it is only set back to clickable once the condition is met. So the plan is to patch the program so that the flag button is clickable from the start. Open the apk with JEB to find the bytecode (smali) corresponding to that Java statement.

[image: plt-asm]

At the beginning of onCreate, v5 is loaded with 0 and later passed as the argument to Button->setClickable, which is what disables the flag button. Patching v5 to 1 makes the flag button clickable instead.

Use ApkToolBox to decompile the apk, open CFF_100\smali\com\ctf\test\ctf_100\MainActivity.smali, find the corresponding location, change the constant and save.

[image: plt-patch]

Drag the whole CFF_100 folder into ApkToolBox and recompile to get a new apk (Android will only install it if it is signed, so sign the rebuilt apk before pushing it to the emulator). Run it in the emulator: the flag button can now be clicked directly to get the flag.

[image: plt-flag]
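The manual edit above is a one-byte change, but it is easy to get wrong by hand (patching the wrong register, or a const that is overwritten before the call). The following script is an added example, not code from the write-up or the challenge: it performs the same patch automatically by walking a smali method, remembering which const last loaded each register, and rewriting the literal to 1 wherever a register still holding 0 is passed to setClickable(Z)V. The embedded smali snippet is constructed to mirror the pattern described above; the register numbers, resource id and field name in it are assumptions, not the real MainActivity.smali.

```python
"""Patch a smali method so the 'see flag' button starts out clickable.

Added example, not part of the original write-up and not the challenge's
own code.  SAMPLE_SMALI is a constructed snippet in the shape the write-up
describes (a register loaded with 0 at the top of onCreate and later passed
to Button->setClickable); register numbers, resource id and field name are
assumptions.
"""
import re
from pathlib import Path

SAMPLE_SMALI = """\
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 6

    const/4 v5, 0x0

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const v0, 0x7f0b0002
    invoke-virtual {p0, v0}, Lcom/ctf/test/ctf_100/MainActivity;->findViewById(I)Landroid/view/View;
    move-result-object v0
    check-cast v0, Landroid/widget/Button;
    iput-object v0, p0, Lcom/ctf/test/ctf_100/MainActivity;->flagButton:Landroid/widget/Button;

    invoke-virtual {v0, v5}, Landroid/widget/Button;->setClickable(Z)V

    return-void
.end method
"""

# const / const/4 / const/16 <reg>, <literal>
CONST_RE = re.compile(
    r"^\s*const(?:/4|/16)?\s+(v\d+|p\d+),\s*(0x[0-9a-fA-F]+|-?\d+)\s*$")
# instructions that overwrite their first register operand (move*, other
# const forms, new-instance, iget/sget/aget): an earlier const for that
# register no longer describes its value afterwards
WRITE_RE = re.compile(
    r"^\s*(?:move[\w/-]*|const[\w/-]*|new-instance|[sia]get[\w-]*)\s+(v\d+|p\d+)")
# invoke-virtual {<button>, <flag>}, Landroid/widget/<Class>;->setClickable(Z)V
SET_CLICKABLE_RE = re.compile(
    r"^\s*invoke-virtual\s+\{(v\d+|p\d+),\s*(v\d+|p\d+)\},\s*"
    r"Landroid/widget/\w+;->setClickable\(Z\)V\s*$")


def patch_set_clickable(smali: str) -> tuple[str, int]:
    """Return (patched text, number of const instructions changed).

    Walk the code linearly, remembering which line last loaded each register
    with a literal.  When setClickable(Z)V consumes a register whose last
    literal was 0, rewrite that literal to 0x1.  This is the manual edit from
    the write-up (v5: 0x0 -> 0x1), applied to every such call in the file.
    """
    lines = smali.splitlines()
    last_const: dict[str, int] = {}      # register -> index of its last const line
    patched = 0
    for idx, line in enumerate(lines):
        if m := CONST_RE.match(line):
            last_const[m.group(1)] = idx
            continue
        if m := WRITE_RE.match(line):
            last_const.pop(m.group(1), None)
            continue
        m = SET_CLICKABLE_RE.match(line)
        if m is None or m.group(2) not in last_const:
            continue
        src = last_const[m.group(2)]
        cm = CONST_RE.match(lines[src])
        if int(cm.group(2), 0) != 0:     # already clickable, nothing to do
            continue
        lines[src] = lines[src][:cm.start(2)] + "0x1" + lines[src][cm.end(2):]
        patched += 1
    return "\n".join(lines) + "\n", patched


def patch_file(path: str) -> int:
    """Patch a .smali file in place; returns how many calls were patched."""
    p = Path(path)
    new_text, n = patch_set_clickable(p.read_text(encoding="utf-8"))
    if n:
        p.write_text(new_text, encoding="utf-8")
    return n


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                # e.g. the decompiled MainActivity.smali
        print(f"patched {patch_file(sys.argv[1])} setClickable call(s)")
    else:
        text, n = patch_set_clickable(SAMPLE_SMALI)
        print(text, f"# patched {n} call(s)")
```

Run it with the path to the decompiled MainActivity.smali, then rebuild and sign the apk as above. The register tracking is deliberately conservative: a register that is overwritten by a non-literal instruction between the const and the call is dropped from the table, so the script patches nothing rather than flipping an unrelated constant.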

Software password cracking-1

A 32-bit MFC program. First use xspy to look up the control ID of the "OK" button, which is 0001.

[image: softpwd-mfc]

Then inspect the whole window: the message handler (response function) bound to the "OK" button is at (0x0040)1BB0, i.e. 0x00401BB0.

[image: softpwd-mfc]

Open the program in IDA and search for 1BB0 in the Functions window on the left, which leads to sub_401BB0. Analysing it shows that the input is XORed byte by byte, in index order, with the byte_5777F8 array, and the result is compared against known data.

[image: softpwd-sub_401BB0]

The contents of byte_5777F8 are not present in the static image (the array is filled in at runtime), so attach a debugger to the running program and read the bytes out of memory. XOR is its own inverse, so XORing the expected result with the array gives the password. Script to get the flag:

# known data that sub_401BB0 compares the XORed input against
res = [0x1B, 0x1C, 0x17, 0x46,
       0xF4, 0xFD, 0x20, 0x30,
       0xB7, 0x0C, 0x8E, 0x7E,
       0x78, 0xDE]
# contents of byte_5777F8, read from the running process with the debugger
byte_5777F8 = [0x28, 0x57, 0x64, 0x6B, 0x93, 0x8F, 0x65, 0x51, 0xE3, 0x53,
               0xE4, 0x4E, 0x1A, 0xFF]
# input[i] ^ byte_5777F8[i] == res[i]  =>  input[i] == res[i] ^ byte_5777F8[i]
flag = "".join(chr(r ^ k) for r, k in zip(res, byte_5777F8))
print(flag)
# 3Ks-grEaT_j0b!

Classical CrackMe2

An exe program. Enter a password; when the password is wrong it prints a base64 string. Checking the file with a packer detector shows it is a .NET program, with the note "don't Unpack with: de4dot" (i.e. the author asks you not to unpack it with de4dot).

[image: CC2-shell]

Unpack it with de4dot anyway. The unpacked program no longer runs, so open the original program in dnSpy (since it is still packed, some names there are obfuscated and unreadable) and open the unpacked copy in a second dnSpy to cross-reference. Following the "GETFLAG" button handler: text is the input, and text2 is the value returned by passing text through a method named "Wm@@9OrPgw\u0020d/p?i,N>l h@Y!"; the handler then checks that text is not empty and that text2 equals a stored string.

[image: CC2-logic]

In that method the parameter is encrypted with AES in ECB mode, using the array named bytes as the key, and the ciphertext is base64-encoded and returned.

[image: CC2-AES]

Debugging shows the key is "pctf2016pctf2016pctf2016pctf2016" (32 bytes, so AES-256).

[image: CC2-key]

The string text2 is compared against is "x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk=".

[image: CC2-cipher]

Since the key is fixed and the mode is ECB, the stored value can be decrypted directly. Write the AES script to get the flag:

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

key = b"pctf2016pctf2016pctf2016pctf2016"   # 32-byte key found by debugging (AES-256)
cipher = base64.b64decode("x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk=")   # the stored text2
aes = AES.new(key, AES.MODE_ECB)
plain = aes.decrypt(cipher)
print(unpad(plain, AES.block_size).decode())   # strip the PKCS#7 padding (.NET default)
# PCTF{Dot_Net_UnPack3r_yoo}

Smali

A .smali file. Open it in jadx-gui (jadx accepts smali as input and decompiles it back to Java). The main logic decrypts a known ciphertext with AES in ECB mode using a known key; both are stored base64-encoded in the code.

[image: smali-logic]

Write the AES decryption script to get the flag:

from Crypto.Cipher import AES
import base64

key = base64.b64decode("cGhyYWNrICBjdGYgMjAxNg==")      # 16-byte key -> AES-128
cipher = base64.b64decode("sSNnx1UKbYrA1+MOrdtDTA==")   # a single 16-byte block, so nothing to unpad
aes = AES.new(key, AES.MODE_ECB)
print(aes.decrypt(cipher).decode())
# PCTF{Sm4liRiver}

Origin blog.csdn.net/weixin_45582916/article/details/114156003