x2658y's Blog

[BUUCTF]刮开有奖

发表于 2022-01-22 更新于 2023-01-12 分类于 Reverse 本文字数： 669 阅读时长 ≈ 2 分钟

无壳, 直接拖进IDA分析, F5查看伪代码

主函数很简洁

int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
  DialogBoxParamA(hInstance, (LPCSTR)0x67, 0, DialogFunc, 0);
  //玄机就在DialogFunc()函数中
  return 0;
}

跟进DialogFunc()函数, 发现两个作用不明的函数

把sub_4010F0函数抠出来测试发现它会修改v7[0]、v7[1]以及v8~v16的值

#include <cstdio>

using namespace std;

int __cdecl sub_4010F0(int a1, int a2, int a3)
{
	int result; // eax
	int i; // esi
	int v5; // ecx
	int v6; // edx

	result = a3;
	for (i = a2; i <= a3; a2 = i)
	{
		v5 = 4 * i;
		v6 = *(unsigned long*)(4 * i + a1);
		if (a2 < result && i < result)
		{
			do
			{
				if (v6 > *(unsigned long*)(a1 + 4 * result))
				{
					if (i >= result)
						break;
					++i;
					*(unsigned long*)(v5 + a1) = *(unsigned long*)(a1 + 4 * result);
					if (i >= result)
						break;
					while (*(unsigned long*)(a1 + 4 * i) <= v6)
					{
						if (++i >= result)
							goto LABEL_13;
					}
					if (i >= result)
						break;
					v5 = 4 * i;
					*(unsigned long*)(a1 + 4 * result) = *(unsigned long*)(4 * i + a1);
				}
				--result;
			} while (i < result);
		}
	LABEL_13:
		*(unsigned long*)(a1 + 4 * result) = v6;
		sub_4010F0(a1, a2, i - 1);
		result = a3;
		++i;
	}
	return result;
}

int main()
{
	int arr[11] = { 90,74,83,69,67,97,78,72,51,110,103 };
	sub_4010F0((int)arr, 0, 10);
	for (int i = 0; i < 11; i++)
		printf("%d ", arr[i]);
}
//51 67 69 72 74 78 83 90 97 103 110
//当作ASCII字符就是"3CEHJNSZagn"
//每一位分别对应v7[0]、v7[1]以及v8~v16的值
//显然sub_4010F0()的作用是升序排序

sub_401000()函数, 可以根据其中用到的码表推测, 是base64编码函数

然后DialogFunc()函数的算法就清晰了

INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  const char *v4; // esi
  const char *v5; // edi
  int v7[2]; // [esp+8h] [ebp-20030h] BYREF
  int v8; // [esp+10h] [ebp-20028h]
  int v9; // [esp+14h] [ebp-20024h]
  int v10; // [esp+18h] [ebp-20020h]
  int v11; // [esp+1Ch] [ebp-2001Ch]
  int v12; // [esp+20h] [ebp-20018h]
  int v13; // [esp+24h] [ebp-20014h]
  int v14; // [esp+28h] [ebp-20010h]
  int v15; // [esp+2Ch] [ebp-2000Ch]
  int v16; // [esp+30h] [ebp-20008h]
  CHAR String[65536]; // [esp+34h] [ebp-20004h] BYREF
  char v18[65536]; // [esp+10034h] [ebp-10004h] BYREF

  if ( a2 == 272 )
    return 1;
  if ( a2 != 273 )
    return 0;
  if ( (_WORD)a3 == 1001 )
  {
    memset(String, 0, 0xFFFFu);
    GetDlgItemTextA(hDlg, 1000, String, 0xFFFF);
    if ( strlen(String) == 8 )
    {
      v7[0] = 90;
      v7[1] = 74;
      v8 = 83;
      v9 = 69;
      v10 = 67;
      v11 = 97;
      v12 = 78;
      v13 = 72;
      v14 = 51;
      v15 = 110;
      v16 = 103;
      sub_4010F0((int)v7, 0, 10);    //将v7[0]、v7[1]以及v8~v16进行升序排序
      memset(v18, 0, 0xFFFFu);
      v18[0] = String[5];
      v18[2] = String[7];
      v18[1] = String[6];
      v4 = (const char *)sub_401000(v18, strlen(v18));  //对String的5~7位进行base64编码
      memset(v18, 0, 0xFFFFu);
      v18[1] = String[3];
      v18[0] = String[2];
      v18[2] = String[4];
      v5 = (const char *)sub_401000(v18, strlen(v18));  //对String的2~4位进行base64编码
      if ( String[0] == v7[0] + 34  //String[0]='U', v7='3'
        && String[1] == v10         //String[1]='J', v10='J'
        && 4 * String[2] - 141 == 3 * v8    //String[2]='W', v8='E'
        && String[3] / 4 == 2 * (v13 / 9)   //String[3]='P', v13='Z'
        && !strcmp(v4, "ak1w")      //base64解码可知String[5]~String[7]="jMp"
        && !strcmp(v5, "V1Ax") )    //同理String[2]~String[4]="WP1"
      {
        MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);
      }
    }
    return 0;
  }
  if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
    return 0;
  EndDialog(hDlg, (unsigned __int16)a3);
  return 1;
}

把String的8位连起来就是UJWP1jMp, 所以flag就是flag{UJWP1jMp}

[GXYCTF2019]luck_guy

发表于 2022-01-22 更新于 2023-01-12 分类于 Reverse 本文字数： 288 阅读时长 ≈ 1 分钟

不是PE文件, 进IDA分析, F5看伪代码.

main()里面有个patch_me(), 在patch_me()里面找到get_flag()关键函数

unsigned __int64 get_flag()
{
  unsigned int v0; // eax
  int i; // [rsp+4h] [rbp-3Ch]
  int j; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h] BYREF
  char v5; // [rsp+18h] [rbp-28h]
  unsigned __int64 v6; // [rsp+38h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  v0 = time(0LL);
  srand(v0);                    //时间作为随机数种子
  for ( i = 0; i <= 4; ++i )
  {
    switch ( rand() % 200 )     //随机数决定执行哪个case
    {
      case 1:
        puts("OK, it's flag:");
        memset(&s, 0, 0x28uLL);
        strcat((char *)&s, f1);    //f1="GXY{do_not_"
        strcat((char *)&s, &f2);
        printf("%s", (const char *)&s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4:
        s = 0x7F666F6067756369LL;
        v5 = 0;
        strcat(&f2, (const char *)&s);
        break;
      case 5:
        for ( j = 0; j <= 7; ++j )
        {
          if ( j % 2 == 1 )
            *(&f2 + j) -= 2;
          else
            --*(&f2 + j);
        }
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return __readfsqword(0x28u) ^ v6;
}

关键就在1,4,5这三个case里, 应该要以合适的顺序执行才能得到flag

分析出来正确的顺序应该是4,5,1, 写成Python代码如下

string0 = "GXY{do_not_"
string1 = "\x69\x63\x75\x67\x60\x6f\x66\x7f"
for i in range(0,len(string1)):
    if i % 2 == 1:
        string0 += chr(ord(string1[i]) - 2)
    else:
        string0 += chr(ord(string1[i]) - 1)
print(string0)
#GXY{do_not_hate_me}

所以flag就是GXY{do_not_hate_me}

[BUUCTF]Java逆向解密

发表于 2022-01-22 更新于 2023-01-12 分类于 Reverse 本文字数： 426 阅读时长 ≈ 2 分钟

给的是一个Java字节码文件, Java字节码的反编译还是比较容易的, 可以直接拿到源码, 采用jad反编译

jad反编译工具: 官网

Java源码如下

// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3) 
// Source File Name:   Reverse.java

import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Scanner;

public class Reverse
{

    public Reverse()
    {
    }

    public static void main(String args[])
    {
        Scanner s = new Scanner(System.in);
        System.out.println("Please input the flag \uFF1A");
        String str = s.next();    //应该是个阻塞方法, 等待用户的输入
        System.out.println("Your input is \uFF1A");
        System.out.println(str);
        char stringArr[] = str.toCharArray();
        Encrypt(stringArr);       //对字符数组进行加密
    }

    public static void Encrypt(char arr[])
    {
        ArrayList Resultlist = new ArrayList();
        for(int i = 0; i < arr.length; i++)
        {
            int result = arr[i] + 64 ^ 0x20;  //注意运算优先级, +的优先级更高
            Resultlist.add(Integer.valueOf(result));
        }

        int KEY[] = {
            180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 
            133, 191, 134, 140, 129, 135, 191, 65
        };
        ArrayList KEYList = new ArrayList();
        for(int j = 0; j < KEY.length; j++)
            KEYList.add(Integer.valueOf(KEY[j]));

        System.out.println("Result:");
        if(Resultlist.equals(KEYList))  //逐个元素判断Resultlist和KEYList是否相同
            System.out.println("Congratulations\uFF01");
        else
            System.err.println("Error\uFF01");
    }
}

没学过Java, 网上查了查不懂的地方, 这个程序的进行的操作如下:

把输入的字符串转成一个char数组, char数组的每个元素加上64再与0x20异或, 再转成Integer类型放进列表Resultlist, 把KEY数组的每个元素也逐个转成Integer类型添加到另一个列表KEYList, 逐个元素比较判断Resultlist和KEYList是否相等

这里再次用到了关于异或的知识点, 见[BUUCTF]xor

解密代码如下

#include <cstdio>

using namespace std;

int main()
{
	char str[] = {
		180, 136, 137, 147, 191, 137, 147, 191, 148,
		136,133, 191, 134, 140, 129, 135, 191, 65
	};
	for (int i = 0; i < sizeof(str); i++)
	{
		str[i] ^= 0x20;
		str[i] -= 64;
		putchar(str[i]);
	}
}
//This_is_the_flag_!

所以flag就是flag{This_is_the_flag_!}