当前位置：网站首页>[buuctf.reverse] 121-125

[buuctf.reverse] 121-125

2022-06-25 09:32:00 【石氏是时试】

121_[FlareOn2]starter

122_[b01lers2020]little_engine

123_[GKCTF 2021]SoMuchCode

124_[SWPU2019]EasiestRe

125_[QCTF2018]babyre

121_[FlareOn2]starter

头一回见着这样的题，IDA看了半天没找着有用的东西，试着运行一下发现是个安装程序，运行后会释放出一个32位程序。程序非常简单，直接对输入异或后比较

BOOL start()
{
  int v0; // ecx
  HANDLE StdHandle; // [esp+4h] [ebp-Ch]
  HANDLE hFile; // [esp+8h] [ebp-8h]
  DWORD NumberOfBytesWritten; // [esp+Ch] [ebp-4h] BYREF

  StdHandle = GetStdHandle(0xFFFFFFF6);
  hFile = GetStdHandle(0xFFFFFFF5);
  WriteFile(hFile, aLetSStartOutEa, 0x2Au, &NumberOfBytesWritten, 0);
  ReadFile(StdHandle, byte_402158, 0x32u, &NumberOfBytesWritten, 0);
  v0 = 0;
  while ( ((unsigned __int8)byte_402158[v0] ^ 0x7D) == byte_402140[v0] )
  {
    if ( ++v0 >= 24 )
      return WriteFile(hFile, aYouAreSuccess, 0x12u, &NumberOfBytesWritten, 0);
  }
  return WriteFile(hFile, aYouAreFailure, 0x12u, &NumberOfBytesWritten, 0);
}

所以可以直接解密

#先运行程序，选择输入文件目录后会生成一个32位程序然后退出，处理生成的程序

c = bytes.fromhex('1F08131304220E114D0D183D1B111C0F18501213531E1210')
print(bytes([i^0x7d for i in c]))
#[email protected]
#flag{[email protected]}

122_[b01lers2020]little_engine

IDA里main里进行加密和检查

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  void *vars0[5]; // [rsp+0h] [rbp+0h] BYREF

  vars0[3] = (void *)__readfsqword(0x28u);
  sub_16B0();
  sub_1830((__int64)vars0);
  sub_1510((__int64 *)vars0);                   // 对输入加密
  if ( (unsigned __int8)sub_15A0(vars0) )
    std::__ostream_insert<char,std::char_traits<char>>(
      std::cout,
      "Chugga chugga choo choo you're the little engine that CAN!",
      58LL);
  else
    std::__ostream_insert<char,std::char_traits<char>>(
      std::cout,
      "I guess you don't know anything about trains...go do some TRAINing you non-conductor :(",
      87LL);
  std::endl<char,std::char_traits<char>>(std::cout);
  if ( vars0[0] )
    operator delete(vars0[0]);
  return 0LL;
}

1510里进行加密

unsigned __int64 __fastcall sub_1510(__int64 *a1)
{
  ......
  v2 = *a1;
  if ( *a1 != a1[1] )
  {
    v3 = 0LL;
    v4 = -111;
    do
    {
      v5 = (_BYTE *)(v3 + v2);
      ......
      *v5 ^= v4;
      v6 = v4 + v3++;
      v2 = *a1;
      v4 = v6 + v6 / 0xFF;
    }
    while ( v3 < a1[1] - *a1 );
  }
  return __readfsqword(0x28u) ^ v8;
}

不复杂

data = open('engine', 'rb').read()

v4 = -111 & 0xff
t = []
for i in range(75):
    t.append( v4^data[0x2220+ 4*i] )
    v6 = v4+i
    v4 = (v6 + v6//0xff )&0xff

print(bytes(t)) 
#pctf{th3_m0d3rn_st34m_3ng1n3_w45_1nv3nt3d_1n_1698_buT_th3_b3st_0n3_in_1940}
#flag{th3_m0d3rn_st34m_3ng1n3_w45_1nv3nt3d_1n_1698_buT_th3_b3st_0n3_in_1940}

123_[GKCTF 2021]SoMuchCode

主程序是2000行，懒得看了，看了WP说是xxtea加密,因为用了SEH，这块也找不着怎么弄的，从搜到的WP里找到一个c程序

#include <stdio.h> 

#include <stdint.h> 

void XXTeaDecrypt(int n, uint32_t* v, uint32_t const key[4]) 
{ 
   uint32_t y, z, sum; 
   unsigned p, rounds, e; 
   uint32_t DELTA = 0x33445566; 
   rounds = 6 + 52 / n; 
   sum = rounds * DELTA; 
   y = v[0];  
   do { 
        e = (sum >> 2) & 3; 
        for (p = n - 1; p > 0; p--)
           {  
              z = v[p - 1]; 
              y = v[p] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z))); 
            } 
            z = v[n - 1];  
            y = v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)));  
            sum -= DELTA; 
       } while (--rounds); 
} 

int main() 
{ 
   uint8_t enc_data[] = { 0x5c, 0xab, 0x3c, 0x99, 0x29, 0xe1, 0x40, 0x3f, 0xde, 0x91, 0x77, 0x77, 0xa6, 0xfe, 0x7d, 0x73, 0xe6, 0x59, 0xcf, 0xec, 0xe3, 0x4c, 0x60, 0xc9, 0xa5, 0xc0, 0x82, 0x96, 0x1e, 0x2a, 0x6f, 0x55, 0}; 
   uint32_t key[] = { 14000, 79894, 16, 123123 }; 

   XXTeaDecrypt(8, (uint32_t*)enc_data, key); 
 
   puts((char*)enc_data); //9b34a61df773acf0e4dec25ea5fb0e29 
   return 0; 
}

124_[SWPU2019]EasiestRe

这个也确实比较复杂，看了半天跟着一点点调

这里用了int3动调，执行到int3时调用函数修改代码

程序里涉及到ini3的地方有3次，第1处在main里，具体内容到int3就完了，根据函数里的数据修改这里的7字节指向下部的程序

的v16前7个修改sub_408A40中int3开始的7字节，得到调用加密函数和检查函数
.text:00408AF5 89 45 F8                      mov     [ebp+var_8], eax
.text:00408AF8 CC                            int     3                               ; Trap to Debugger
.text:00408AF9 90                            nop
.text:00408AFA 90                            nop
.text:00408AFB 90                            nop
.text:00408AFC 90                            nop
.text:00408AFD 90                            nop
.text:00408AFE 90                            nop
.text:00408AFF 68 80 1E 4C 00                push    offset aYouAreTooShort          ; "you are too short!"


.text:00408AF8 90                            nop
.text:00408AF9 83 7D F8 18                   cmp     [ebp+var_8], 18h
.text:00408AFD 7D 11                         jge     short loc_408B10   跑到下方执行加密和检查
.text:00408AFD

第2块 sub_4087e0 408824开始的30字节
第3块检查 sub_4083c0 408432开始5字节，没有patch的内容，向下40845A开始找到对应比较数据 408635开始为数据

408536这块是密文，然后按原来得程序进行逆向，乘的逆向用逆

iv=0x1234
inv=12   #gmpy2.invert(41,491)
c=[0x3d1,0x2f0,0x52,0x475,0x1d2,0x2f0,0x224,0x51c,0x4e6,0x29f,0x2ee,0x39b,0x3f9,0x32b,0x2f2,0x5b5,0x24c,0x45a,0x34c,0x56d,0xa,0x4e6,0x476,0x2d9]
key=[2,3,7,14,30,57,120,251]  #sub_408A40
flag=[]
for i in range(len(c)):
    t=c[i]*inv%491
    p=""
    for i in range(8):
        if key[7-i]>t:
            p+="0"
        else:
            p+="1"
            t-=key[7-i]
    flag.append(int(p[::-1],2))
print(chr((flag[0]^0x1234)&0xff),end="")
for i in range(1,len(flag)):
    print(chr((flag[i]^c[i-1])&0xff),end="")

#swpuctf{[email protected]_s0_coo1}
#flag{[email protected]_s0_coo1}

125_[QCTF2018]babyre

这个是linux下的动调，输入一个数据然后往下跟，第一次处理是每4字符进行一个顺序交换，第二次是每4个分别加上4个数，第3次是每组中字符前几位和后几位互换。然后与密文比较

动调时得到密文

gdb-peda$ x/32c 0x7ffff781c0a0
0x7ffff781c0a0:	0xda	0xd8	0x3d	0x4c	0xe3	0x63	0x97	0x3d
0x7ffff781c0a8:	0xc1	0x91	0x97	0xe	0xe3	0x5c	0x8d	0x7e
0x7ffff781c0b0:	0x5b	0x91	0x6f	0xfe	0xdb	0xd0	0x17	0xfe
0x7ffff781c0b8:	0xd3	0x21	0x99	0x4b	0x73	0xd0	0xab	0xfe

然后向回处理

a=bytes.fromhex("DAD83D4CE363973DC191970EE35C8D7E5B916FFEDBD017FED321994B73D0ABFE")
flag = ''
for i in range(0, len(a), 4):
    d1 = a[i]
    d1 = (d1>>3)|(d1<<5) & 0xff
    d1 = (d1 - 7)& 0xff
    
    d2 = a[i+1]
    d2 = (d2>>6)|(d2<<2) & 0xff
    d2 = (d2 - 18)& 0xff
    
    d3 = a[i+2]
    d3 = (d3>>1)|(d3<<7) & 0xff
    d3 = (d3 - 88)& 0xff
    
    d4 = a[i+3]
    d4 = (d4>>4)|(d4<<4) & 0xff
    d4 = (d4-129)& 0xff
    flag+=chr(d2)+chr(d4)+chr(d1)+chr(d3)

print(flag)
#QCTF{Rus4_1s_fun4nd_1nt3r3st1ng}
#flag{Rus4_1s_fun4nd_1nt3r3st1ng}

原网站

版权声明
本文为[石氏是时试]所创，转载请带上原文链接，感谢
https://blog.csdn.net/weixin_52640415/article/details/125439690