Offense and Defense World (攻防世界) RE
I started learning a bit of RE and got interested.
Redoing the challenges from a CTF platform, 0-0 (following the write-ups, WP 0.0).
First check for a packer with ExeinfoPE or PEiD.
You can also use the file command to view the file information.
It is a 32-bit program; open it in IDA and press F5 to decompile.
Program logic:
Shift+F12 to view the strings.
After going in, right-click > List cross references to, then F5.
This is the procedure that computes the flag, and its output; I can write a Python script to read it out.
Here *(&v2 + i) corresponds to v[2 + i], i.e. an array: incrementing by 1 gives v2, v3, v4, ...
Note: since I had just started RE and did not know how to extract the values, I simply copied and pasted them and then used exec to merge the variable values into an array dynamically.
Using the exec() function:
# values pasted from the decompiler (v59..v115 and v2..v58)
v59 = 18; v60 = 64; v61 = 98; v62 = 5; v63 = 2; v64 = 4; v65 = 6; v66 = 3
v67 = 6; v68 = 48; v69 = 49; v70 = 65; v71 = 32; v72 = 12; v73 = 48; v74 = 65
v75 = 31; v76 = 78; v77 = 62; v78 = 32; v79 = 49; v80 = 32; v81 = 1; v82 = 57
v83 = 96; v84 = 3; v85 = 21; v86 = 9; v87 = 4; v88 = 62; v89 = 3; v90 = 5
v91 = 4; v92 = 1; v93 = 2; v94 = 3; v95 = 44; v96 = 65; v97 = 78; v98 = 32
v99 = 16; v100 = 97; v101 = 54; v102 = 16; v103 = 44; v104 = 52; v105 = 32; v106 = 64
v107 = 89; v108 = 45; v109 = 32; v110 = 65; v111 = 15; v112 = 34; v113 = 18; v114 = 16
v115 = 0
v2 = 123; v3 = 32; v4 = 18; v5 = 98; v6 = 119; v7 = 108; v8 = 65; v9 = 41
v10 = 124; v11 = 80; v12 = 125; v13 = 38; v14 = 124; v15 = 111; v16 = 74; v17 = 49
v18 = 83; v19 = 108; v20 = 94; v21 = 108; v22 = 84; v23 = 6; v24 = 96; v25 = 83
v26 = 44; v27 = 121; v28 = 104; v29 = 110; v30 = 32; v31 = 95; v32 = 117; v33 = 101
v34 = 99; v35 = 123; v36 = 127; v37 = 119; v38 = 96; v39 = 48; v40 = 107; v41 = 71
v42 = 92; v43 = 29; v44 = 81; v45 = 107; v46 = 90; v47 = 85; v48 = 64; v49 = 12
v50 = 43; v51 = 76; v52 = 86; v53 = 13; v54 = 114; v55 = 1; v56 = 117; v57 = 126
v58 = 0

a = []
for i in range(59, 116):
    exec('a.append(v{})'.format(i))
print(a)
b = []
for i in range(2, 59):
    exec('b.append(v{})'.format(i))
print(b)
i = 0
c = ''
while i < 56:
    a[i] ^= b[i]
    a[i] ^= 19
    c = c + chr(a[i])
    i = i + 1
print(c)
Output:
[18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32, 49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32, 16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0]
[123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49, 83, 108, 94, 108, 84, 6, 96, 83, 44, 121, 104, 110, 32, 95, 117, 101, 99, 123, 127, 119, 96, 48, 107, 71, 92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86, 13, 114, 1, 117, 126, 0]
zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
Using the locals() function instead:
# values pasted from the decompiler (v59..v115 and v2..v58)
v59 = 18; v60 = 64; v61 = 98; v62 = 5; v63 = 2; v64 = 4; v65 = 6; v66 = 3
v67 = 6; v68 = 48; v69 = 49; v70 = 65; v71 = 32; v72 = 12; v73 = 48; v74 = 65
v75 = 31; v76 = 78; v77 = 62; v78 = 32; v79 = 49; v80 = 32; v81 = 1; v82 = 57
v83 = 96; v84 = 3; v85 = 21; v86 = 9; v87 = 4; v88 = 62; v89 = 3; v90 = 5
v91 = 4; v92 = 1; v93 = 2; v94 = 3; v95 = 44; v96 = 65; v97 = 78; v98 = 32
v99 = 16; v100 = 97; v101 = 54; v102 = 16; v103 = 44; v104 = 52; v105 = 32; v106 = 64
v107 = 89; v108 = 45; v109 = 32; v110 = 65; v111 = 15; v112 = 34; v113 = 18; v114 = 16
v115 = 0
v2 = 123; v3 = 32; v4 = 18; v5 = 98; v6 = 119; v7 = 108; v8 = 65; v9 = 41
v10 = 124; v11 = 80; v12 = 125; v13 = 38; v14 = 124; v15 = 111; v16 = 74; v17 = 49
v18 = 83; v19 = 108; v20 = 94; v21 = 108; v22 = 84; v23 = 6; v24 = 96; v25 = 83
v26 = 44; v27 = 121; v28 = 104; v29 = 110; v30 = 32; v31 = 95; v32 = 117; v33 = 101
v34 = 99; v35 = 123; v36 = 127; v37 = 119; v38 = 96; v39 = 48; v40 = 107; v41 = 71
v42 = 92; v43 = 29; v44 = 81; v45 = 107; v46 = 90; v47 = 85; v48 = 64; v49 = 12
v50 = 43; v51 = 76; v52 = 86; v53 = 13; v54 = 114; v55 = 1; v56 = 117; v57 = 126
v58 = 0

a = []
v = locals()
for i in range(59, 116):
    a.append(v['v' + str(i)])
print(a)
b = []
for i in range(2, 59):
    b.append(v['v' + str(i)])
print(b)
i = 0
c = ''
while i < 56:
    a[i] ^= b[i]
    a[i] ^= 19
    c = c + chr(a[i])
    i = i + 1
print(c)
Output:
[18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32, 49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32, 16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0]
[123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49, 83, 108, 94, 108, 84, 6, 96, 83, 44, 121, 104, 110, 32, 95, 117, 101, 99, 123, 127, 119, 96, 48, 107, 71, 92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86, 13, 114, 1, 117, 126, 0]
zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
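Both scripts above depend on pasting the decompiler's assignments as live Python and then reaching them through exec() or locals(). As an added example (not from the writeup), the same values can be pulled straight out of the pseudocode text with a regular expression, which avoids executing pasted text and fails loudly if a variable is missing. The pseudocode string below is constructed to look like IDA's "vN = K;" lines and carries the values listed above.

```python
import re

# Constructed: the decompiler's assignments as text, values from the writeup.
PSEUDOCODE = """
v59 = 18; v60 = 64; v61 = 98; v62 = 5; v63 = 2; v64 = 4; v65 = 6; v66 = 3;
v67 = 6; v68 = 48; v69 = 49; v70 = 65; v71 = 32; v72 = 12; v73 = 48; v74 = 65;
v75 = 31; v76 = 78; v77 = 62; v78 = 32; v79 = 49; v80 = 32; v81 = 1; v82 = 57;
v83 = 96; v84 = 3; v85 = 21; v86 = 9; v87 = 4; v88 = 62; v89 = 3; v90 = 5;
v91 = 4; v92 = 1; v93 = 2; v94 = 3; v95 = 44; v96 = 65; v97 = 78; v98 = 32;
v99 = 16; v100 = 97; v101 = 54; v102 = 16; v103 = 44; v104 = 52; v105 = 32;
v106 = 64; v107 = 89; v108 = 45; v109 = 32; v110 = 65; v111 = 15; v112 = 34;
v113 = 18; v114 = 16; v115 = 0;
v2 = 123; v3 = 32; v4 = 18; v5 = 98; v6 = 119; v7 = 108; v8 = 65; v9 = 41;
v10 = 124; v11 = 80; v12 = 125; v13 = 38; v14 = 124; v15 = 111; v16 = 74;
v17 = 49; v18 = 83; v19 = 108; v20 = 94; v21 = 108; v22 = 84; v23 = 6;
v24 = 96; v25 = 83; v26 = 44; v27 = 121; v28 = 104; v29 = 110; v30 = 32;
v31 = 95; v32 = 117; v33 = 101; v34 = 99; v35 = 123; v36 = 127; v37 = 119;
v38 = 96; v39 = 48; v40 = 107; v41 = 71; v42 = 92; v43 = 29; v44 = 81;
v45 = 107; v46 = 90; v47 = 85; v48 = 64; v49 = 12; v50 = 43; v51 = 76;
v52 = 86; v53 = 13; v54 = 114; v55 = 1; v56 = 117; v57 = 126; v58 = 0;
"""

ASSIGN_RE = re.compile(r'\bv(\d+)\s*=\s*(-?\d+)')


def parse_assignments(text):
    """Map N -> K for every 'vN = K' assignment found in the pasted text."""
    return {int(m.group(1)): int(m.group(2)) for m in ASSIGN_RE.finditer(text)}


def as_array(values, start, stop):
    """Rebuild v[start..stop-1] in order; a KeyError means a line was lost in the paste."""
    return [values[i] for i in range(start, stop)]


def recover_flag(text):
    """Same arithmetic as the writeup's script: a[i] ^ b[i] ^ 19 for the first 56 slots."""
    values = parse_assignments(text)
    a = as_array(values, 59, 116)   # v59..v115
    b = as_array(values, 2, 59)     # v2..v58
    return ''.join(chr(x ^ y ^ 19) for x, y in zip(a[:56], b[:56]))


if __name__ == '__main__':
    print(recover_flag(PSEUDOCODE))
```

The regex only needs the "vN = K" shape, so it also works when the decompiler emits one assignment per line or when the names are inside an expression like *(&v2 + i).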
Hello CTF
Check the packer; 32-bit, so F5 to decompile.
In the logic, v13 is given as 437261636b4d654a757374466f7246756e.
If the input length is greater than 17, it breaks directly. The do-while loop runs 17 times; if a 0 byte appears in the middle, it breaks out of the loop. If no 0 appears, the result is assigned to v10 and compared directly against v13; if they are equal, strcmp returns 0, indicating success.
One very obvious point: the length is 17, and 437261636b4d654a757374466f7246756e has length 34, so it should be each character represented as two hex digits.
Decryption script:
import re

MW = '437261636b4d654a757374466f7246756e'
secret = re.findall(r'.{2}', MW)   # split into two-hex-digit pairs
flag = ''
for i in secret:
    flag += chr(int(i, 16))
print('flag:' + flag)
Output:
flag:CrackMeJustForFun
open-source
It's a C file; compile it on CentOS 7 with gcc: gcc code.c
#include <stdio.h>
#include <stdlib.h>   /* for atoi() and exit(); not in the pasted source */
#include <string.h>

int main(int argc, char *argv[]) {
    if (argc != 4) {
        printf("what?\n");
        exit(1);
    }
    unsigned int first = atoi(argv[1]);
    if (first != 0xcafe) {
        printf("you are wrong, sorry.\n");
        exit(2);
    }
    unsigned int second = atoi(argv[2]);
    if (second % 5 == 3 || second % 17 != 8) {
        printf("ha, you won't get it!\n");
        exit(3);
    }
    if (strcmp("h4cky0u", argv[3])) {
        printf("so close, dude!\n");
        exit(4);
    }
    printf("Brr wrrr grr\n");
    unsigned int hash = first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
    printf("Get your key: ");
    printf("%x\n", hash);
    return 0;
}
I never learned C, but argv[] looks like it should be the same as sys.argv in Python: it holds the parameters passed on the command line.
argc is an abbreviation of argument count, the number of parameters passed to the main function.
argv is an abbreviation of argument vector, a pointer to the sequence of parameters passed to the main function.
The argv array is indexed from 0, and the first entry stores the name of the executable file.
argv[0] is the path of the executable produced after compilation; the length of the array is argc.
The first condition:
if (argc != 4) {
    printf("what?\n");
    exit(1);
}
Three input parameters are needed, so argc is 4: the first entry is the program path.
The second condition:
unsigned int first = atoi(argv[1]);
if (first != 0xcafe) {
    printf("you are wrong, sorry.\n");
    exit(2);
}
The first parameter must be 0xcafe converted to decimal: 51966.
The third condition:
unsigned int second = atoi(argv[2]);
if (second % 5 == 3 || second % 17 != 8) {
    printf("ha, you won't get it!\n");
    exit(3);
}
The second parameter must not satisfy either of the conditions: its remainder modulo 5 must not be 3, and its remainder modulo 17 must be 8. So argv[2] can be 25.
The fourth condition:
if (strcmp("h4cky0u", argv[3])) {
    printf("so close, dude!\n");
    exit(4);
}
strcmp returns 0 when the third parameter equals h4cky0u, which bypasses the if. So the third parameter is h4cky0u.
This problem is not really reverse engineering; it is a C source code audit.
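As an added example (not from the writeup), the same gates and the key formula re-implemented in Python, so the answer can be checked without compiling. Every constant comes from the C source above; the only assumption is the 32-bit wrap of unsigned int on the target, which the mask reproduces.

```python
# Added example: Python mirror of the open-source challenge's main().
MASK32 = 0xFFFFFFFF  # the program computes the hash in an unsigned int


def valid_second(second):
    """The C check rejects second % 5 == 3 or second % 17 != 8."""
    return not (second % 5 == 3 or second % 17 != 8)


def smallest_valid_second():
    """Brute-force the smallest non-negative second that passes the check."""
    second = 0
    while not valid_second(second):
        second += 1
    return second


def compute_key(first, second, third):
    """Every gate must pass in order; then the key is the hash printed with %x."""
    if first != 0xcafe:
        raise ValueError("you are wrong, sorry.")
    if not valid_second(second):
        raise ValueError("ha, you won't get it!")
    if third != "h4cky0u":
        raise ValueError("so close, dude!")
    key = first * 31337 + (second % 17) * 11 + len(third) - 1615810207
    return key & MASK32


if __name__ == "__main__":
    second = smallest_valid_second()
    print("argv:", 0xcafe, second, "h4cky0u")
    print("key: %x" % compute_key(0xcafe, second, "h4cky0u"))
```

Because the formula only uses second % 17, which the gate pins to 8, any valid second gives the same key; 25 and 42 are both accepted and both produce the same value.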
simple-unpack
Description: the noob got a packed binary file.
I guess it has to be unpacked.
Paused here to brush up on RE basics.
Coming back to the question: a binary file, no idea how to handle it. Looked at the WP.
With DIE v2.04 and ExeinfoPE the packer shows up directly as UPX, but PEiD does not detect it.
Note: on Windows the file is a PE file; on Linux/Unix it is an ELF file.
PE stands for Portable Executable. EXE, DLL, OCX, SYS and COM files are all PE files; a PE file is a program file on the Microsoft Windows operating system (possibly executed indirectly, such as a DLL).
Downloaded UPX from a download mirror (the official site and GitHub were too slow, annoying).
Unpack with the upx -d command.
The strings tool on Linux can also find it (cmder does not have it).
logmein
Classes start tomorrow; will do it tomorrow. 9.2 0:19
DIE is great: 64-bit ELF, compiled with Ubuntu gcc.
Bypass the three conditions to return success.
Without looking at the WP, I wrote a script and got 8 # DO_SVZI * -9 * 4 * 2, which was wrong. Went to look at the WP.
The key principle here is endianness of storage; LL refers to a long long integer.
Pressing R converts the data to characters (decimal to hex, hex to characters); seeing that the assigned string is reversed, it is inferred to be stored little-endian.
Little-endian storage: the low byte is stored at the low address, the high byte at the high address.
Big-endian storage: the high byte is stored at the low address, the low byte at the high address.
Don't rely on the pseudocode alone; you must also look at the assembly in the code segment.
Since 0-0 does not know C, I could only solve it in Python; attaching a C script written by someone else.
The Python script is as follows:
v8 = ':"AL_RT^L*.?+6/46'
v7 = 'ebmarah'
v7 = v7[::-1]   # the string is stored little-endian, so reverse it: 'harambe'
v6 = 7
s = ''
for i in range(0, 17):
    s += chr(ord(v7[i % 7]) ^ ord(v8[i]))
print(s)
The C script is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BYTE unsigned char

int main(int argc, char* argv[]) {
    unsigned int i;
    char v8[18] = ":\"AL_RT^L*.?+6/46";
    long long v7 = 28537194573619560LL;  /* __int64 in the original MSVC-style script: "harambe" stored little-endian */
    int v6 = 7;
    char s[18] = "";
    for (i = 0; i < strlen(v8); ++i) {
        /* read the key byte by byte out of v7's memory and XOR it with v8 */
        s[i] = (char)(*((BYTE*)&v7 + i % v6) ^ v8[i]);
    }
    printf("%s\n", s);
    system("PAUSE");
    return 0;
}
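To make the endianness point concrete, here is an added example (not from the writeup or the C script's author) that packs the decompiler's 64-bit constant both ways: the little-endian byte order is what the C script reads through (BYTE*)&v7, and the big-endian reading is the reversed string the pseudocode shows. The two constants are the ones from the challenge; nothing else is assumed.

```python
import struct

# Constants as the decompiler showed them for logmein.
V7_QWORD = 28537194573619560      # the 64-bit immediate assigned to v7
V8 = ':"AL_RT^L*.?+6/46'          # the 17-byte ciphertext


def key_bytes_little_endian(qword):
    """Bytes of the qword as laid out in memory on x86-64 (low byte at the low address).
    This is exactly what *((BYTE*)&v7 + i) reads in the C solution."""
    return struct.pack('<Q', qword).rstrip(b'\x00')


def key_bytes_big_endian(qword):
    """The same value read high byte first: the reversed string seen in the pseudocode."""
    return struct.pack('>Q', qword).lstrip(b'\x00')


def decode(ciphertext, key):
    """XOR each ciphertext byte with the key byte at i % len(key)."""
    return ''.join(chr(ord(c) ^ key[i % len(key)]) for i, c in enumerate(ciphertext))


if __name__ == '__main__':
    key = key_bytes_little_endian(V7_QWORD)
    print(key, key_bytes_big_endian(V7_QWORD))   # b'harambe' b'ebmarah'
    print(decode(V8, key))
```

Reading the constant in the wrong byte order silently yields a different key and therefore a different, wrong string, which is why the writeup stresses checking the assembly and the storage order rather than trusting the pseudocode's string literal.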
insanity
First check the file type.
It really is as the description says; relaxing. 9447{This_is_a_flag}
no-strings-attached
Check the packer.
Go into prompt_authentication.
There is a decrypt function.
The WP says dynamic debugging is needed; I was lost. The data may be produced by the function's operations and sit in the registers. Went to look at the WP.
Commonly used gdb commands:
gdb -q xxxx: load the file into gdb
b decrypt: set a breakpoint on the decrypt function
r: run
s: execute one line of source code; if the line contains a function call, step into the function
n: execute one line of source code; a function call on that line is executed as a whole
s corresponds to "Step Into" in other debuggers;
n corresponds to "Step Over" in other debuggers.
x is used to view the values in memory
info reg to view the registers
info break to view the list of breakpoints
$eax represents the value of register eax
The string is terminated by 00.
In hex it reads: 393434377b796f755f6172655f616e5f696e7465726e6174696f6e616c5f6d7973746572797d
Python 2 has decode('hex'), which converts a hex string directly; Python 3 does not.
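As an added example (not from the writeup), the two ways of turning what gdb shows into the string: parsing an x/xb memory dump and stopping at the 00 terminator, and the Python 3 replacement for decode('hex'). The dump below is constructed to look like "x/40xb $eax" output; its addresses are made up, and its bytes are the ones listed above followed by a terminator and some unrelated trailing bytes.

```python
import re

# Constructed gdb-style dump (addresses invented; bytes from the writeup, then 0x00 and junk).
GDB_DUMP = """\
0x804c008:\t0x39\t0x34\t0x34\t0x37\t0x7b\t0x79\t0x6f\t0x75
0x804c010:\t0x5f\t0x61\t0x72\t0x65\t0x5f\t0x61\t0x6e\t0x5f
0x804c018:\t0x69\t0x6e\t0x74\t0x65\t0x72\t0x6e\t0x61\t0x74
0x804c020:\t0x69\t0x6f\t0x6e\t0x61\t0x6c\t0x5f\t0x6d\t0x79
0x804c028:\t0x73\t0x74\t0x65\t0x72\t0x79\t0x7d\t0x00\t0x41
"""

# The hex string quoted in the writeup.
HEX_STRING = "393434377b796f755f6172655f616e5f696e7465726e6174696f6e616c5f6d7973746572797d"


def bytes_from_gdb_dump(dump):
    """Collect every 0xNN value after the address on each line of an x/xb dump."""
    out = bytearray()
    for line in dump.splitlines():
        _addr, _, values = line.partition(':')   # drop the address column
        out += bytes(int(v, 16) for v in re.findall(r'0x[0-9a-fA-F]{2}', values))
    return bytes(out)


def c_string(raw):
    """Cut at the first 0x00, the way strlen/printf("%s") would see the buffer."""
    end = raw.find(b'\x00')
    return (raw if end < 0 else raw[:end]).decode('ascii')


def decode_hex(hexstr):
    """Python 3 equivalent of Python 2's hexstr.decode('hex')."""
    return bytes.fromhex(hexstr).decode('ascii')


if __name__ == '__main__':
    print(c_string(bytes_from_gdb_dump(GDB_DUMP)))
    print(decode_hex(HEX_STRING))
```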
RE is very interesting; take it slowly. Tomorrow morning, WEB; look at the WP problems first.
python-trade
Download it; it's a pyc. Decompile it directly online.
import base64

def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    return base64.b64encode(s)

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'
The code is very simple; write a script to decrypt it.
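Since the writeup does not include the decryption script, here is an added one (not the author's): a Python 3 port of the decompiled encode() next to its inverse, which undoes the two steps in reverse order (subtract 16, then XOR 32) after base64-decoding. The only constant is the correct string from the pyc.

```python
import base64

# The expected value from the decompiled pyc.
CORRECT = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'


def encode(message):
    """Same transform as the Python 2 code: (ord ^ 32) + 16 per character, then base64.
    Results can exceed 127 (Python 2 chr() still accepts up to 255), so work on bytes."""
    out = bytes((ord(ch) ^ 32) + 16 for ch in message)
    return base64.b64encode(out).decode('ascii')


def decode(encoded):
    """Inverse: base64-decode, then subtract 16 and XOR 32, in that order."""
    raw = base64.b64decode(encoded)
    return ''.join(chr(((b - 16) & 0xFF) ^ 32) for b in raw)


def check(flag):
    """The pyc's comparison, usable to validate a recovered flag."""
    return encode(flag) == CORRECT


if __name__ == '__main__':
    flag = decode(CORRECT)
    print(flag, check(flag))
```

The order matters: the forward code XORs first and adds second, so the inverse must subtract first and XOR second; doing it the other way round produces a plausible-looking but wrong string.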
getit
Check the packer.
It looks like, after a number of conditions, it writes to a file and then deletes it.
t is written to flag.txt, so t should be the flag. s is what the operation above works on, and the result is assigned into t.
t is defined as 0 before this; looking at 10E0 and 10E1, the last data block is below 110C.
This is the definition of s mentioned above.
So we have s and t; write a script that computes t directly.
Decryption script:
t = 'SharifCTF{????????????????????????????????}'
t = list(t)
s = 'c61b68366edeb7bdce3c6820314b7498'
v5 = 0
while v5 < len(s):
    if v5 & 1:
        v3 = 1
    else:
        v3 = -1
    t[v5 + 10] = chr(ord(s[v5]) + v3)   # odd positions +1, even positions -1
    v5 += 1
yunying = ''
for i in t:
    yunying += i
if __name__ == '__main__':
    print(yunying)
csaw2013reversing2
Note: I heard you can just run it to get the flag, but when this noob ran it the result was garbled, I don't know why.
Check the packer: VC++, 32-bit.
Whichever button you click, it just exits. Presumably you have to debug to jump to the correct function (maybe by patching it dynamically).
ida main function interface:
Here you can see the execution path more clearly.
int3 => a breakpoint, the int3 software breakpoint.
The MessageBox function creates, displays and operates a message dialog. The dialog contains the message and title defined by the calling program, as well as predefined icons and buttons.
See the IsDebuggerPresent() function; check this article => https://bbs.pediy.com/thread-226522.htm => learned first-hand that most function return values are in eax. No wonder the earlier decrypt function needed dynamic debugging in gdb to view eax.
IsDebuggerPresent() determines whether the program is being debugged by a cracker; it is an anti-debugging function.
Reference ( https://www.cnblogs.com/whitehawk/p/10771825.html ) on OD debugging (only a little).
The logic here is that if it is being debugged, it runs into the branch; if not, it pops up the garbled flag directly.
sub_401000 is the decryption function; the data is stored locally at [ebp + lpMem].
I spent an hour watching the OD WP, did not understand it, and analyzed it with IDA instead.
Go into the decryption function sub_401000 to look.
The data at 409B10 is as follows.
At 409B38, because of little-endian storage, we need to look further down.
The WP attaches someone else's script (OD isn't cooperating, so static analysis mode).
cipher = [0xbb, 0xcc, 0xa0, 0xbc, 0xdc, 0xd1, 0xbe, 0xb8, 0xcd, 0xcf, 0xbe, 0xae,
          0xd2, 0xc4, 0xab, 0x82, 0xd2, 0xd9, 0x93, 0xb3, 0xd4, 0xde, 0x93, 0xa9,
          0xd3, 0xcb, 0xb8, 0x82, 0xd3, 0xcb, 0xbe, 0xb9, 0x9a, 0xd7, 0xcc, 0xdd]
key = [0xbb, 0xaa, 0xcc, 0xdd]
flag = ''
for i in range(len(cipher)):
    flag += chr(cipher[i] ^ key[i % 4])   # repeating 4-byte XOR key
print(flag)
Copyright notice: the original article is by CSDN blogger "Prowes5" under the CC 4.0 BY-SA license; when reposting, please attach the original source link and this statement. Original link: https://blog.csdn.net/Prowes5/article/details/100409391
That's it for RE so far; on to WEB.
BUGKU
Just messing around
Reverse intro
Check the packer.
It cannot be opened. Opened it with UltraEdit to take a look.
Base64; found an online site to convert it to an image.
Scan it to get the flag.
love
Take a look.
32-bit C++; drag it into IDA.
strncpy copies a specified number of characters: char *strncpy(char *dest, const char *src, int n) copies the first n bytes of the string pointed to by src into the array dest, and returns dest after the copy.
strncmp is a string comparison function; the ordering is decided by the characters' ASCII code values. It is declared as int strncmp(const char *str1, const char *str2, size_t n); it compares str1 and str2 over at most the first n bytes: if the first n characters are the same it returns 0; if str1 is greater than str2 it returns a value greater than 0; if str1 is less than str2 it returns a value less than 0.
This makes the thinking clearer.
First the string is passed in, then it goes through function sub_4110BE into v4.
Then the first 28 bytes of v4 are copied into the Dest array.
The Dest array is processed, then compared with Str2; if the first v5 characters of Dest are equal, right flag!
Check the function.
v3 is the length of the string passed in; then a2 is divided by 3 and multiplied by 4. What does that remind you of? base64 encoding.
In base64 encoding one character represents six bits, so 3 characters (24 bits) are encoded into four characters.
Only these two operations, so write the script directly.
python3 script:
import base64

str1 = 'e3nifIH9b_C@n@dH'
str2 = ''
for i in range(len(str1)):
    a = ord(str1[i]) - i   # undo the "+ i" applied to each character
    str2 += chr(a)
print(base64.b64decode(str2.encode('utf8')).decode())
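As an added example (not from the writeup), the checker reconstructed from the analysis above (base64, then add the index to each character) placed next to its inverse, so that a recovered flag can be validated by running it forward again. STR2 is the target string from the binary; the checker's exact code is inferred from the description, not copied from the binary, and it compares the whole string rather than only the first v5 characters.

```python
import base64

# The stored comparison target (Str2) from the binary.
STR2 = 'e3nifIH9b_C@n@dH'


def transform(flag):
    """Forward direction as described: base64-encode, then add i to the i-th character."""
    enc = base64.b64encode(flag.encode('utf8')).decode('ascii')
    return ''.join(chr(ord(c) + i) for i, c in enumerate(enc))


def check(candidate):
    """True when the candidate reproduces Str2 (the 'right flag!' path)."""
    return transform(candidate) == STR2


def recover(target):
    """Inverse: subtract i from each character, then base64-decode."""
    enc = ''.join(chr(ord(c) - i) for i, c in enumerate(target))
    return base64.b64decode(enc).decode('utf8')


def encoded_length(n):
    """base64 output length for n input bytes: ceil(n / 3) * 4, the
    'a2 / 3 * 4' pattern that gives base64 away in the decompiler."""
    return (n + 2) // 3 * 4


if __name__ == '__main__':
    flag = recover(STR2)
    print(flag, check(flag))
```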
Going to sleep.