[Binary] [WP] MOCTF reverse engineering writeups

moctf reverse challenge 1: SOEASY

 

This is a 64-bit program, so OD cannot open it; open it in IDA64 instead, and a direct string search (Shift+F12) shows it straight away.

 

moctf reverse challenge 2: jumping jump

 

This challenge gives a reversing beginner a great sense of accomplishment. At the time I was learning to crack by patching instructions and could not analyse algorithms yet, so a challenge that can be solved this way still felt very satisfying.

Opening the program, it is a guessing game.

 

Load it in OD and search for strings.

 

Double-click to follow it. It is very clear: the jnz is the key, so we just need to make the jump go the way we want.

 

So NOP it out directly.

 

Save it

 

Enter anything, and the flag eventually comes out.

 

This flag is base64 encoded. I submitted it many times and it was always wrong; only later did I think of trying to decode it.

 

moctf reverse challenge 3: crush distress

 

At the time I had a very hard time understanding the pseudocode (I do not know whether I could understand it even now). This time, analysing it with OD went smoothly, but it still took more than an hour……

 

First, look at the program:

 

Load it in OD and use the strings to find the place where the input is read; the arrow in the figure below marks where the program is waiting for input.

 

After this, a CALL appears that encrypts the string, so step into this CALL and take a look.

 

Step into the CALL and you find the program's algorithm (the program encrypts character by character; at the very start it converts the whole input to uppercase).

 

Program algorithm:

1. Take the characters one by one, convert each to uppercase, then subtract 0x41 from the ASCII code of the uppercase character

2. Add the uppercase key character to the result of step 1

PS. There is some extra processing here: if the result after the addition exceeds capital Z (0x5A), 0x19 (19 in hex) is subtracted from it

 

There is a problem, though: I found the ciphertext is longer than the given key. What then? I remembered a writeup I had read earlier saying the key is reused cyclically, i.e. ilovemoctfilovemoctf, repeated on and on, so no matter how much extra ciphertext there is it can still be encrypted.

 

To test this, I did an experiment

Enter a plaintext that is one character longer than the key, with the extra character the same as the first one, and see whether it follows the cycle.

 

The encryption result made me very happy: it proves my memory is pretty good.

 

Reference script; this may help you understand the program's flow better.
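The reference script itself is only an image on the original page. The following is an added example, not the author's script: it implements the three steps listed above with the key "ilovemoctf" cycled over the input (the cycling the experiment above confirmed), uses the wrap-around value 0x19 exactly as the writeup states it, and inverts the cipher by search. The search form matters because, with a wrap of 0x19 rather than 0x1A, some ciphertext characters have two possible plaintext letters (for example 'A' and 'Z' both encrypt to 'I' under key 'I'), so a straight subtraction would silently pick one.

```python
# Added example: the cipher described in the writeup above, plus an inverse.
# Assumptions: key "ilovemoctf" (cycled); wrap-around constant 0x19 as stated
# on the page.  Not the author's reference script.

KEY = "ilovemoctf"   # key from the writeup, reused cyclically over the input
WRAP = 0x19          # the writeup states 0x19 is subtracted when the sum passes 'Z'


def encrypt_char(p, k):
    """Encrypt one plaintext character with one key character, following the
    writeup's steps: uppercase, subtract 0x41, add the uppercase key code."""
    r = (ord(p.upper()) - 0x41) + ord(k.upper())
    if r > 0x5A:          # result passed capital 'Z'
        r -= WRAP
    return chr(r)


def encrypt(plaintext, key=KEY):
    """Encrypt a whole string; key[i % len(key)] implements the key cycling."""
    return "".join(encrypt_char(c, key[i % len(key)]) for i, c in enumerate(plaintext))


def decrypt_candidates(ciphertext, key=KEY):
    """Invert by search: for every position, list each uppercase letter that
    encrypts to the observed ciphertext character.  Some positions may have
    two candidates because of the 0x19 wrap, hence a list per position."""
    result = []
    for i, c in enumerate(ciphertext):
        k = key[i % len(key)]
        result.append([chr(p) for p in range(0x41, 0x5B) if encrypt_char(chr(p), k) == c])
    return result


def decrypt(ciphertext, key=KEY):
    """Return one plaintext (first candidate per position, '?' where there is
    none) together with the positions where the choice was ambiguous."""
    cands = decrypt_candidates(ciphertext, key)
    plaintext = "".join(c[0] if c else "?" for c in cands)
    ambiguous = [i for i, c in enumerate(cands) if len(c) > 1]
    return plaintext, ambiguous


if __name__ == "__main__":
    ct = encrypt("hello")
    print(ct, decrypt(ct))
    # eleven 'A's: plaintext value 0 at every position, so the output is the
    # uppercase key itself, wrapping back to 'I' at the eleventh character
    print(encrypt("A" * 11))
    print(decrypt_candidates("I"))   # key 'I': both 'A' and 'Z' map to 'I'
```

Encrypting a string of 'A's is the quickest way to read the key schedule off the output, which is essentially the experiment the author ran by hand.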

 

moctf reverse challenge 4: crackme1

 

After opening it, no input is required; a string appears that claims to be the flag, but it is different every time the program is opened.

 

Load it in OD and locate it via the string.

 

But since I did not know how to analyse it, I simply set a breakpoint at the start of the segment and single-stepped through.

 

Found the algorithm part. The algorithm:

1. Take the predefined "2410488" character by character

2. Multiply by 2 and subtract 0x60

3. Divide by 4, then add 3

4. Take the remainder modulo 10 to get the result
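The author's script for this challenge is only an image on the page, so here is an added example (not the author's code) that reproduces the four steps above. It assumes, as the next paragraph explains, that the value read through [edx+edx-0x60] is simply 2*c - 0x60 with c the ASCII code of the current character, and that the division is the truncating integer division of the machine code.

```python
# Added example reproducing the crackme1 algorithm listed above; not the
# author's script.  Assumption: the operand [edx+edx-0x60] computes
# 2*c - 0x60 where c is the ASCII code of the current character.

SEED = "2410488"   # the predefined string from the writeup


def transform_char(c):
    """Apply the four steps to one character and return a decimal digit."""
    v = 2 * ord(c) - 0x60     # step 2: [edx+edx-0x60] with edx = the character code
    v = v // 4 + 3            # step 3: integer division drops the low two bits
    return v % 10             # step 4


def generate_flag(seed=SEED):
    """Run every character of the seed through the transform and join the digits."""
    return "".join(str(transform_char(c)) for c in seed)


if __name__ == "__main__":
    print(generate_flag())
```

For ASCII digits '0'..'9', step 2 yields 0..18, so the integer division is what compresses the ten input digits onto only five output digits (3..7); that is why two different seed characters can produce the same flag digit.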

 

At first I could not figure out where the number here came from; in my head I was treating [edx+edx-0x60] as an address, and only later realised that this is damn well the character that was just assigned!!

 

Write the script and run it to get the flag: 4533577

 

moctf reverse challenge 5: crackme2

 

Locate where the input is read via the strings

 

Then step through to find the encryption function

 

Step into the encryption CALL and analyse the algorithm:

1. Take the input string character by character

2. Starting from 6, XOR with the characters of the input string

3. Compare the XOR result with the predefined string

 

The one circled in the red box is the predefined string

0<1<>;?8:%w!##&#q./,x(,((

 

The CALL below it does the comparison

 

You can see that our input after encryption is 7F, while the required value should be 31

 

Write a script to compute the string that should be entered

 

Enter the correct one and test again: nice!!!

 

However, this is not the flag; it needs to be converted into string form
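The script for this challenge is again only an image on the page. The following is an added example, not the author's script, covering both the three-step algorithm above and the final "convert to string form" step. It assumes that "starting from 6" means the XOR key is 6 for the first character and increases by one for each following character; the writeup does not spell the schedule out, so adjust the key expression if the binary differs. Because XOR is its own inverse, one routine both re-implements the crackme's check and recovers the expected input from the predefined string.

```python
# Added example for crackme2; not the author's script.
# Assumption: XOR key = 6 + index of the character (the writeup only says
# "starting from 6").  The target string is the one from the writeup.

TARGET = "0<1<>;?8:%w!##&#q./,x(,(("   # the predefined string from the writeup
START = 6


def xor_transform(s, start=START):
    """Apply the per-character XOR and return a str (the 'string form' the
    writeup asks for) rather than a list of integers."""
    return "".join(chr(ord(c) ^ (start + i)) for i, c in enumerate(s))


def check_input(user_input, target=TARGET):
    """Mimic the crackme's compare: encrypt the input and compare it with the
    target, reporting the first mismatch as the two byte values in hex."""
    enc = xor_transform(user_input)
    if len(enc) != len(target):
        return False, f"length {len(enc)} != {len(target)}"
    for i, (a, b) in enumerate(zip(enc, target)):
        if a != b:
            return False, f"pos {i}: got {ord(a):02X}, expected {ord(b):02X}"
    return True, "match"


def recover_input(target=TARGET):
    """XOR is an involution, so applying the transform to the target yields
    the input that the crackme accepts."""
    return xor_transform(target)


if __name__ == "__main__":
    expected = recover_input()
    print(expected)
    print(check_input(expected))
    print(check_input("y" * len(TARGET)))   # wrong input: first byte 7F vs 30
```

The mismatch report mirrors what the debugger showed the author (an encrypted input byte next to the required byte), which is the quickest way to confirm the key schedule guess before trusting the recovered string.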

 

PS: This is an article I posted on my public account N months ago, reposted to the blog mainly in the hope that more people will see it.


Source: www.cnblogs.com/yichen115/p/11515136.html