The usual gripe: no pwn this time, so Reverse it is.
1. whereisflag
ELF binary, not packed. Open it directly in IDA, search the strings for "whereisflag", double-click the hit and follow the xref to the key function,
then splice the string fragments together to get the flag:
CnHongKe{849bc02af213b4d}
2. Reverse1
- Run the program first to get the general picture
- 32-bit program, packed with UPX
- After unpacking with UPX, open it in IDA. Using the string seen at runtime, locate the key function and let IDA decompile it.
Parts of the pseudocode are hard to read, so the check routine was analysed directly.
The logic is: the program reads an 11-character string, reverses it, adds 7 to each byte, XORs the result byte by byte with the string v7 ("%+$-4-8+7=?"), subtracts 1 from each byte, and compares the result with the 11 bytes stored at off_409030. Every step is invertible, so the exp simply runs them backwards.
exp (a holds the 11 target bytes read from off_409030):

```python
# Target bytes read from off_409030 in the unpacked binary
a = [0x1E, 0x5D, 0x53, 0x77, 0x5E, 0x50, 0x0E, 0x57, 0x7C, 0x47, 0x07]
# XOR key string v7
str1 = "%+$-4-8+7=?"
xors = [37, 43, 36, 45, 52, 45, 56, 43, 55, 61, 63]  # ASCII codes of str1
b = [0] * 11
# Step 1: undo the final "-1"
for i in range(11):
    a[i] = a[i] + 1
# Step 2: XOR is its own inverse
for i in range(11):
    b[i] = a[i] ^ xors[i]
# Step 3: undo the "+7"
for i in range(11):
    b[i] = b[i] - 7
# Step 4: undo the reversal
b.reverse()
print(b)
for i in range(11):
    print(chr(b[i]), end="")
# Result: 0nCl0udNin3
```
CnHongKe{0nCl0udNin3}
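As an added example, not code from the original writeup: the reconstructed check re-implemented in the forward direction, the algebraic inverse, and a bytewise brute-force fallback for the case where the inverse is not obvious, with a round trip through the forward function to confirm the recovered input really passes the check before submitting. The target bytes and key string are the ones pulled from the binary above; the function names and the assumption that the arithmetic wraps at 8 bits (char math in a 32-bit binary) are mine.

```python
# Added example, not the writeup's own exp. Re-implements the check that was
# reconstructed from the decompiled pseudocode and inverts it two ways.

# Values taken from the binary (off_409030 and the v7 string).
TARGET = [0x1E, 0x5D, 0x53, 0x77, 0x5E, 0x50, 0x0E, 0x57, 0x7C, 0x47, 0x07]
KEY = b"%+$-4-8+7=?"


def transform(s: bytes) -> list:
    """Forward direction as reconstructed: reverse, +7, XOR with KEY, -1.
    Assumption: the binary does 8-bit char arithmetic, so wrap at 256."""
    if len(s) != len(KEY):
        raise ValueError("expected exactly %d bytes" % len(KEY))
    out = []
    for c, k in zip(reversed(s), KEY):
        out.append(((((c + 7) & 0xFF) ^ k) - 1) & 0xFF)
    return out


def check(s: bytes) -> bool:
    """What the binary's comparison does: True only for the right input."""
    if len(s) != len(KEY):
        return False
    return transform(s) == TARGET


def solve(target=TARGET, key=KEY) -> bytes:
    """Algebraic inverse: +1, XOR key, -7, reverse.
    Each step is a bijection on bytes, so the preimage is unique."""
    inv = [((((t + 1) & 0xFF) ^ k) - 7) & 0xFF for t, k in zip(target, key)]
    return bytes(reversed(inv))


def solve_bytewise_bruteforce(target=TARGET) -> bytes:
    """Fallback when you cannot (or do not want to) invert by hand: every
    output byte depends on exactly one input byte, so try all 256 values per
    position against the forward function. That is 11 * 256 trials, not
    256 ** 11, and it only needs transform() to be callable, not understood."""
    n = len(target)
    found = bytearray(n)
    for i in range(n):
        # Input index i lands at output index n-1-i because of the reversal.
        hits = []
        for v in range(256):
            cand = bytearray(n)
            cand[i] = v
            if transform(bytes(cand))[n - 1 - i] == target[n - 1 - i]:
                hits.append(v)
        if len(hits) != 1:
            raise RuntimeError("position %d is not uniquely determined" % i)
        found[i] = hits[0]
    return bytes(found)


if __name__ == "__main__":
    flag_body = solve()
    # Always round-trip through the forward check before submitting.
    assert check(flag_body), "inverse does not satisfy the check"
    assert solve_bytewise_bruteforce() == flag_body
    print("CnHongKe{%s}" % flag_body.decode())
```

The brute-force variant is the one worth keeping in your toolbox: whenever a check is a chain of per-byte operations (which IDA usually shows as a loop over the input with no cross-byte dependencies), you can recover the input one position at a time against a faithful re-implementation of the check, without ever working out the inverse.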