x2658y's Blog

杂七杂八的记事本

发表于 更新于 分类于 本文字数: 288 阅读时长 ≈ 1 分钟

不是PE文件, 进IDA分析, F5看伪代码.

main()里面有个patch_me(), 在patch_me()里面找到get_flag()关键函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
unsigned __int64 get_flag()
{
  unsigned int v0; // eax
  int i; // [rsp+4h] [rbp-3Ch]
  int j; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h] BYREF
  char v5; // [rsp+18h] [rbp-28h]
  unsigned __int64 v6; // [rsp+38h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  v0 = time(0LL);
  srand(v0);                    //时间作为随机数种子
  for ( i = 0; i <= 4; ++i )
  {
    switch ( rand() % 200 )     //随机数决定执行哪个case
    {
      case 1:
        puts("OK, it's flag:");
        memset(&s, 0, 0x28uLL);
        strcat((char *)&s, f1);    //f1="GXY{do_not_"
        strcat((char *)&s, &f2);
        printf("%s", (const char *)&s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4:
        s = 0x7F666F6067756369LL;
        v5 = 0;
        strcat(&f2, (const char *)&s);
        break;
      case 5:
        for ( j = 0; j <= 7; ++j )
        {
          if ( j % 2 == 1 )
            *(&f2 + j) -= 2;
          else
            --*(&f2 + j);
        }
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return __readfsqword(0x28u) ^ v6;
}

关键就在1,4,5这三个case里, 应该要以合适的顺序执行才能得到flag

分析出来正确的顺序应该是4,5,1, 写成Python代码如下

1
2
3
4
5
6
7
8
9
string0 = "GXY{do_not_"
string1 = "\x69\x63\x75\x67\x60\x6f\x66\x7f"
for i in range(0,len(string1)):
    if i % 2 == 1:
        string0 += chr(ord(string1[i]) - 2)
    else:
        string0 += chr(ord(string1[i]) - 1)
print(string0)
#GXY{do_not_hate_me}

所以flag就是GXY{do_not_hate_me}

发表于 更新于 分类于 本文字数: 426 阅读时长 ≈ 2 分钟

给的是一个Java字节码文件, Java字节码的反编译还是比较容易的, 可以直接拿到源码, 采用jad反编译

jad反编译工具: 官网

Java源码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.
// Jad home page: http://www.kpdus.com/jad.html
// Decompiler options: packimports(3) 
// Source File Name:   Reverse.java

import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Scanner;

public class Reverse
{

    public Reverse()
    {
    }

    public static void main(String args[])
    {
        Scanner s = new Scanner(System.in);
        System.out.println("Please input the flag \uFF1A");
        String str = s.next();    //应该是个阻塞方法, 等待用户的输入
        System.out.println("Your input is \uFF1A");
        System.out.println(str);
        char stringArr[] = str.toCharArray();
        Encrypt(stringArr);       //对字符数组进行加密
    }

    public static void Encrypt(char arr[])
    {
        ArrayList Resultlist = new ArrayList();
        for(int i = 0; i < arr.length; i++)
        {
            int result = arr[i] + 64 ^ 0x20;  //注意运算优先级, +的优先级更高
            Resultlist.add(Integer.valueOf(result));
        }

        int KEY[] = {
            180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 
            133, 191, 134, 140, 129, 135, 191, 65
        };
        ArrayList KEYList = new ArrayList();
        for(int j = 0; j < KEY.length; j++)
            KEYList.add(Integer.valueOf(KEY[j]));

        System.out.println("Result:");
        if(Resultlist.equals(KEYList))  //逐个元素判断Resultlist和KEYList是否相同
            System.out.println("Congratulations\uFF01");
        else
            System.err.println("Error\uFF01");
    }
}

没学过Java, 网上查了查不懂的地方, 这个程序的进行的操作如下:

把输入的字符串转成一个char数组, char数组的每个元素加上64再与0x20异或, 再转成Integer类型放进列表Resultlist, 把KEY数组的每个元素也逐个转成Integer类型添加到另一个列表KEYList, 逐个元素比较判断ResultlistKEYList是否相等

这里再次用到了关于异或的知识点, 见[BUUCTF]xor

解密代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <cstdio>

using namespace std;

int main()
{
	char str[] = {
		180, 136, 137, 147, 191, 137, 147, 191, 148,
		136,133, 191, 134, 140, 129, 135, 191, 65
	};
	for (int i = 0; i < sizeof(str); i++)
	{
		str[i] ^= 0x20;
		str[i] -= 64;
		putchar(str[i]);
	}
}
//This_is_the_flag_!

所以flag就是flag{This_is_the_flag_!}

发表于 更新于 分类于 本文字数: 565 阅读时长 ≈ 2 分钟

不是PE文件, 直接拖进IDA分析, F5查看伪代码

image-20220122141058186 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char v4; // [rsp+Fh] [rbp-1h]

  while ( 1 )
  {
    while ( 1 )
    {
      printf("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ");
      v4 = getchar();
      if ( v4 != 100 && v4 != 68 )
        break;
      Decry();	//重点就在这个函数里面
    }
    if ( v4 == 113 || v4 == 81 )
      Exit("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ", argv);		//退出函数这里为啥要传参进去?不是很懂
    puts("Input fault format!");
    v3 = getchar();
    putchar(v3);
  }
}

Decry()函数长这样

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
unsigned __int64 Decry()
{
  char v1; // [rsp+Fh] [rbp-51h]
  int v2; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int v5; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h] BYREF
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  __int64 v9[2]; // [rsp+40h] [rbp-20h] BYREF
  int v10; // [rsp+50h] [rbp-10h]
  unsigned __int64 v11; // [rsp+58h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  /*__readfsqword()函数从FS:[Offset]读取4字长的内容,同理还有__readfsbyte()等函数, 此处作用未知*/
  *(_QWORD *)src = 0x534C43444ELL;
  v7 = 0LL;
  v8 = 0;
  v9[0] = 0x776F646168LL;
  v9[1] = 0LL;
  v10 = 0;
  text = (char *)join(key3, v9);	//自定义的字符拼接,text="killshadow"
  strcpy(key, key1);
  strcat(key, src);		//key="ADSFKNDCLS"
  v2 = 0;
  v3 = 0;
  getchar();
  v5 = strlen(key);
  for ( i = 0; i < v5; ++i )
  {
    if ( key[v3 % v5] > 64 && key[v3 % v5] <= 90 )
      key[i] = key[v3 % v5] + 32;	//将key中每个字符由大写转成小写
    ++v3;
  }
  printf("Please input your flag:");
  while ( 1 )
  {
    v1 = getchar();
    if ( v1 == 10 )
      break;
    if ( v1 == 32 )
    {
      ++v2;
    }
    else
    {
      if ( v1 <= 96 || v1 > 122 )
      {
        if ( v1 > 64 && v1 <= 90 )
        {
          str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
          ++v3;
        }
      }
      else
      {
        str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % v5) )
        putchar(32);
      ++v2;
    }
  }
  if ( !strcmp(text, str2) )
    puts("Congratulation!\n");
  else
    puts("Try again!\n");
  return __readfsqword(0x28u) ^ v11;
}

主要就是逆向这一段, 得出v1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
while ( 1 )
  {
    v1 = getchar();
    if ( v1 == 10 )
      break;
    if ( v1 == 32 )
    {
      ++v2;
    }
    else
    {
      if ( v1 <= 96 || v1 > 122 )
      {
        if ( v1 > 64 && v1 <= 90 )
        {
          str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
          ++v3;
        }
      }
      else
      {
        str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % v5) )
        putchar(32);
      ++v2;
    }
  }

写出解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#include <cstdio>
#include <cstring>

using namespace std;

int main()
{
    char key[16] = "adsfkndcls";
    char ciphertext[16] = "killshadow";
    char plaintext[16] = { 0 };
    char key_offset = 0;
    for (int i = 0; i < strlen(ciphertext); i++)
        for (char c = 32; c < 127; c++) //穷举所有可打印ASCII字符
        {
            char temp = c;
            if (('a' <= c && c <= 'z') or ('A' <= c && c <= 'Z'))
                temp = (c - 39 - key[key_offset % strlen(key)] + 97) % 26 + 97;
            if (temp == ciphertext[i])
            {
                plaintext[i] = c;
                key_offset++;
                break;
            }
        }
    printf("%s", plaintext);
}
//KLDQCUDFZO

所以flag就是flag{KLDQCUDFZO}

0%