
攻防世界高手区re

高手区re

re1

gdb调试拿到flag

gdb-peda$ x/s $esp+0x24
0xffffd174: "SECCON{Welcome to the SECCON 2014 CTF!}"

re2

// IDA pseudocode of MD5::init (the context reset). `this` is untyped here, so
// the decompiler shows the fields as raw offsets instead of names; the exact
// layout of the first three stores (presumably length/buffer bookkeeping) is
// not recoverable from this view.
MD5 *__fastcall MD5::init(MD5 *this)
{
MD5 *result; // rax

*this = 0;
*(this + 17) = 0;
*(this + 18) = 0;
// Chaining state A, B, C, D.  These are the standard RFC 1321 initial values,
// so the routine is unmodified MD5 and the digest can simply be looked up.
*(this + 19) = 0x67452301;
*(this + 20) = 0xEFCDAB89;
*(this + 21) = 0x98BADCFE;
result = this;
*(this + 22) = 0x10325476;
// Returns the object itself (rax == this).
return result;
}

MD5 的 4 个初始化常数都没改,说明是标准 MD5,所以直接百度搜 md5 解密,反查 780438d5b6e29db0898bc4f0225935c0,
解出来就是这个:
hash: b781cbb29054db12f88f08c6e161c199

re3

dump出数据跑一下就好

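#!/usr/bin/env python
# coding=utf-8
# Permutation table dumped from the binary: position i of the flag is the
# character string[List1[i]].  The table has 31 entries; the source string
# is much longer, so the loop must be driven by the table, not the string.
List1 = [0x00000024, 0x00000000, 0x00000005, 0x00000036, 0x00000065, 0x00000007, 0x00000027, 0x00000026, 0x0000002D, 0x00000001, 0x00000003, 0x00000000, 0x0000000D, 0x00000056, 0x00000001, 0x00000003, 0x00000065, 0x00000003, 0x0000002D, 0x00000016, 0x00000002, 0x00000015, 0x00000003, 0x00000065, 0x00000000, 0x00000029, 0x00000044, 0x00000044, 0x00000001, 0x00000044, 0x0000002B]
string = "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"


def pick_chars(table, source):
    """Return the characters of `source` selected by the indices in `table`, in table order.

    Raises IndexError if an index in `table` is outside `source`.
    """
    return "".join(source[idx] for idx in table)


# The original loop ran over range(len(string)) and indexed List1 with it;
# string is longer than the 31-entry table, so it raised IndexError before
# print() was reached.  Iterating the table fixes that.
flag = pick_chars(List1, string)
print(flag)
#ALEXCTF{W3_L0v3_C_W1th_CL45535}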

re4

北斗壳,用nspack脱掉

#!/usr/bin/env python
# coding=utf-8
# XOR table (44 entries) dumped from the unpacked binary; the 16-byte key
# "this_is_not_flag" is reused cyclically over it.  Note the two trailing
# 0x00 entries pass the key bytes through unchanged, so the printed string
# carries two extra characters after the closing brace.
List =[0x00000012, 0x00000004, 0x00000008, 0x00000014, 0x00000024, 0x0000005C, 0x0000004A, 0x0000003D, 0x00000056, 0x0000000A, 0x00000010, 0x00000067, 0x00000000, 0x00000041, 0x00000000, 0x00000001, 0x00000046, 0x0000005A, 0x00000044, 0x00000042, 0x0000006E, 0x0000000C, 0x00000044, 0x00000072, 0x0000000C, 0x0000000D, 0x00000040, 0x0000003E, 0x0000004B, 0x0000005F, 0x00000002, 0x00000001, 0x0000004C, 0x0000005E, 0x0000005B, 0x00000017, 0x0000006E, 0x0000000C, 0x00000016, 0x00000068, 0x0000005B, 0x00000012, 0x00000000, 0x00000000]
string = "this_is_not_flag"
KEY_LEN = 16


def xor_with_key(table, key):
    """Return chr(ord(key[i % 16]) ^ table[i]) for every entry of table, joined."""
    out = []
    for idx, mask in enumerate(table):
        key_byte = ord(key[idx % KEY_LEN])
        out.append(chr(key_byte ^ mask))
    return "".join(out)


flag = xor_with_key(List, string)
print(flag)
#flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}

re5

强,mips的题目

#!/usr/bin/env python
# coding=utf-8
# The MIPS binary keeps the flag XORed with the constant 55 (0x37);
# XOR is its own inverse, so a single pass recovers it.
string = "cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ"
MASK = 55


def unxor(text, mask):
    """XOR every character of text with mask and return the result as a str."""
    return "".join(chr(ord(ch) ^ mask) for ch in text)


flag = unxor(string, MASK)
print(flag)
# Decompile the MIPS binary with RetDec's command-line front end (produces C source).
python3 retdec-decompiler.py ~/Downloads/比赛/xctf/逆向进阶/5

利用retdec获得c代码,成功

ghidra也可以反编译mips好强

re6

c++的,读懂流程后写代码
坑点。。。要逆序
还是小端序问题

#!/usr/bin/env python
# coding=utf-8
# Both operands were read out of the binary in memory order (little-endian),
# so each chunk is reversed before use.
string1 = 'htadimehtadimeht'[::-1] + "dime"[::-1] + 'a'
string2 = '<<<....++++---->'[::-1] + '.<'[::-1]

# Stage one: XOR the strings position by position -- string2 is the shorter
# one and sets the length -- then add 22 to each result.
pairs = zip(string1[:len(string2)], string2)
key = "".join(chr((ord(a) ^ ord(b)) + 22) for a, b in pairs)

# Stage two: shift every byte of the intermediate key up by 9.
flag = "".join(chr(ord(ch) + 9) for ch in key)
print(flag)

re7

第一个idapython脚本取了数据,具体在另一篇博客里

可以看出这个前面的检查跟后面的没关系,可以nop掉或者直接gdb调试拿flag都可以
这不是我想要的,我还是想学算法。。
flag_is_you_know_cracking!!!

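#!/usr/bin/env python
# coding=utf-8
import struct

# Key bytes and the stored (obfuscated) flag, both 28 bytes, dumped from the
# binary with the IDAPython script mentioned above.  The binary works on
# 32-bit words, so both lists are regrouped four bytes at a time below.
List = [84, 200, 126, 227, 100, 199, 22, 154, 205, 17, 101, 50, 45, 227, 211, 67, 146, 169, 157, 210, 230, 109, 44, 211, 182, 189, 254, 106]
flag_data = [0xDC, 0x17, 0xBF, 0x5B, 0xD4, 0x0A, 0xD2, 0x1B, 0x7D, 0xDA, 0xA7, 0x95, 0xB5, 0x32, 0x10, 0xF6, 0x1C, 0x65, 0x53, 0x53, 0x67, 0xBA, 0xEA, 0x6E, 0x78, 0x22, 0x72, 0xD3]

# Per-word XOR constant applied to each key word before it meets the flag word.
WORD_KEY = 0xDEADBEEF


def le_words(data):
    """Pack a list of byte values into little-endian 32-bit words.

    The first byte of each group of four becomes the lowest byte of its word,
    which is the in-memory layout the writeup had to reproduce by hand.
    Raises ValueError when len(data) is not a multiple of 4.
    """
    if len(data) % 4:
        raise ValueError("byte list length must be a multiple of 4")
    return list(struct.unpack("<%dI" % (len(data) // 4), bytes(bytearray(data))))


def le_bytes(word):
    """Split a 32-bit word into its four byte values, lowest byte first."""
    return list(bytearray(struct.pack("<I", word & 0xFFFFFFFF)))


List1 = le_words(List)
List2 = le_words(flag_data)
print([hex(i) for i in List1])
print([hex(i) for i in List2])

# Recover the flag word by word: (key_word ^ WORD_KEY) ^ flag_word, emitted
# from the highest byte of each word down to the lowest, exactly as the
# author's original loop did (the "reverse order" the writeup mentions).
# Working on bytes directly replaces the hex-string round trip of the first
# version, which padded the List2 words to only 2 digits (zfill(2)) and only
# worked because every word happened to have a non-zero top byte; it also
# drops the hard-coded range(7) in favour of the actual word count.
flag = ""
for key_word, flag_word in zip(List1, List2):
    v3 = le_bytes(key_word ^ WORD_KEY)
    v4 = le_bytes(flag_word)
    for j in range(3, -1, -1):
        flag += chr(v3[j] ^ v4[j])
print(flag)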

好简单的题目,可是光是数据转换以及小端逆序就搞了我好久。。。

re8

confuse里干了这些事
第三部分 转1
第四部分 转2
第一部分 转3
第二部分 转4
简单,将结果转换回去就好了

>>> string = 'daf29f59034938ae4efd53fc275d81053ed5be8c'
>>> string[40:]
''
>>> string[31:]
'53ed5be8c'
>>> string[30:]
'053ed5be8c'
>>> '{' + string[20:30] + string[30:] + string[:10] + string[10:20] + '}'
'{53fc275d81053ed5be8cdaf29f59034938ae4efd}'
>>> len('53fc275d81053ed5be8cdaf29f59034938ae4efd')
40
>>>

有坑,不用带{}交flag

re9

原来不知道这题要干嘛,看出有base64跟md5
后面就不知道了

emm,这道题又学到新知识了,利用环境变量伪造时间,绕过检测

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
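/*
 * LD_PRELOAD shim: replaces libc time() so the program under test sees the
 * clock given in the CURR_TIME environment variable (seconds since the epoch)
 * instead of the real one.
 *
 * The signature now matches time(2) -- time_t time(time_t *) -- so callers
 * that pass a pointer get it filled in like the real function does.
 *
 * Returns the parsed value; on a missing, empty or non-numeric CURR_TIME it
 * returns (time_t)-1 with errno set to EINVAL.  The original passed a NULL
 * getenv() result straight to atoi(), which is undefined behaviour (in
 * practice a crash) whenever the variable is unset.
 */
time_t time(time_t *tloc)
{
    const char *env = getenv("CURR_TIME");
    char *end = NULL;
    long long value;

    if (env == NULL || *env == '\0') {
        errno = EINVAL;
        return (time_t)-1;
    }
    errno = 0;
    /* strtoll rather than atoi: full 64-bit range and a way to reject garbage. */
    value = strtoll(env, &end, 10);
    if (errno != 0 || end == env || *end != '\0') {
        errno = EINVAL;
        return (time_t)-1;
    }
    if (tloc != NULL) {
        *tloc = (time_t)value;
    }
    return (time_t)value;
}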

编译成动态链接库

# Compile the time() override as a position-independent object ...
gcc -c -fPIC -o faketime.o faketime.c
# ... and link it into the shared object that LD_PRELOAD loads.
gcc -shared -o faketime.so faketime.o

获得时间戳

>>> time_now = time.mktime(time.strptime('2012-12-21', '%Y-%m-%d'))
>>> time_now
1356019200.0
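#!/bin/bash
# Replay ./launcher once per hour with a faked clock: faketime.so, loaded
# via LD_PRELOAD, makes time() return $CURR_TIME instead of the real time,
# so the date check inside the binary can be walked through a whole window.
#
# 1356019200 is 2012-12-21 in the author's local zone (computed with
# time.mktime above); LAST_TIME is 950400 s = 11 days later, i.e. at most
# 264 runs.
#CURR_TIME=1325347200
CURR_TIME=1356019200
LAST_TIME=1356969600
hour=3600
export CURR_TIME
while [ "$CURR_TIME" -lt "$LAST_TIME" ]
do
    # The env prefix and the export both hand CURR_TIME to the child;
    # quoting keeps the path intact if the working directory has spaces.
    value=$(CURR_TIME="$CURR_TIME" LD_PRELOAD="$(pwd)/faketime.so" ./launcher)
    if [ -n "$value" ]
    then
        # Quote the output so embedded whitespace and glob characters survive.
        echo "$value"
        # Exit status now follows convention: 0 when output was found
        # (the first version exited 1 here), 1 when the window is exhausted.
        exit 0
    fi
    # $((...)) is the POSIX arithmetic form; $[...] is a deprecated bash spelling.
    CURR_TIME=$((CURR_TIME + hour))
done
# Walked the whole window without the launcher printing anything.
exit 1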

具体分析的话,前面可以看出是先把时间戳格式化成 %Y-%m-%d 再做 MD5,然后拼上 .fluxfingers.net,

// sub_18A4 is the key routine: its return value is what the writeup captures
// at runtime.  A zero result returns 1 to the caller immediately, so the rest
// of the function only runs when the (date-dependent) check passes.
v21 = sub_18A4(dest);
if ( !v21 )
return 1LL;

这里是关键函数,截取返回值,动态获得

在base64解密一次,

最后异或0x25

就是flag了
flag{e3a03c6f3fe91b40eaa8e71b41f0db12}
最主要关键点要联想到世界末日时间

re10

…手动计算下就出来了

// Decompiler view of the 16-character key check.  Every position of v11 is
// either compared with a literal or tied to its mirror position by a sum, so
// the three unknown characters can be solved by hand (the REPL session that
// follows does exactly that).
if ( strlen(v11) != 16
|| v11[0] != 'C'
|| v11[15] != 'X'
|| v11[1] != 'Z'
|| v11[1] + v11[14] != 155   // v11[14] = 155 - 'Z' = 'A'
|| v11[2] != '9'
|| v11[2] + v11[13] != 155   // v11[13] = 155 - '9' = 'b'
|| v11[3] != 'd'
|| v11[12] != '7'
|| v11[4] != 'm'
|| v11[11] != 'G'
|| v11[5] != 'q'
|| v11[5] + v11[10] != 170   // v11[10] = 170 - 'q' = '9'
|| v11[6] != '4'
|| v11[9] != 'g'
|| v11[7] != 'c'
|| v11[8] != '8' )
>>> 170-ord('q')
57
>>> chr(57)
'9'
>>> 155-ord('9')
98
>>> chr(98)
'b'
>>> chr(155-ord('Z'))
'A'
>>> len('CZ9dmq4c8g9G7bAX')
16
>>>

CZ9dmq4c8g9G7bAX

re11

sub_401000里的

// Decompiler view of a base64 decoder: v7 walks the input for v5 bytes,
// v12 writes the output starting at v18, and *v19 receives the decoded
// length.  The entry condition presumably checks the caller's buffer size.
if ( v18 && *v19 >= v13 )
{
// v21 starts at 3 output bytes per group of four input characters and is
// decremented once for each padding character (table value 64).
v21 = 3;
v14 = 0;
for ( i = 0; v5; --v5 )
{
v15 = *v7;
// CR, LF and space are skipped rather than decoded.
if ( *v7 != '\r' && v15 != '\n' && v15 != ' ' )
{
v16 = byte_414E40[v15];   // byte_414E40: the character -> 6-bit value table
v21 -= v16 == 64;
// Shift six more bits into the accumulator; four characters fill 24 bits.
v14 = v16 & 0x3F | (v14 << 6);
if ( ++i == 4 )
{
i = 0;
// Emit the 24-bit group high byte first, dropping the padded bytes.
if ( v21 )
*v12++ = BYTE2(v14);
if ( v21 > 1 )
*v12++ = BYTE1(v14);
if ( v21 > 2 )
*v12++ = v14;
}
}
++v7;
}
// Decoded length = end of output minus its start.
*v19 = v12 - v18;
return 0;
}

这里看出是base64decode

后面在来一顿异或

// Second stage: every byte of the decoded buffer is XORed with 0x25.  XOR is
// its own inverse, so the solver applies the same mask before re-encoding.
for ( ; v4 < v3; ++v4 )
*(&v13 + v4) ^= 0x25u;

所以解密,异或回去,在base64encode
中间一顿操作你会发觉他根本没操作你的输入

XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=

re12

又是一道简单题

#!/usr/bin/env python
# coding=utf-8

# Per-position XOR table from the binary (32 entries, only the first
# len(string) of them are consumed) and the stored comparison string.
List = [0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C, 0x02, 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F, 0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x4]
string = "GONDPHyGjPEKruv{{pj]X@rF"


def swap_ascii_case(code):
    """Flip the case of an ASCII letter given as a code point; anything else is returned as-is."""
    if 97 <= code <= 122:   # 'a'..'z'
        return code - 32
    if 65 <= code <= 90:    # 'A'..'Z'
        return code + 32
    return code


def undo_byte(ch, mask):
    """Invert one position of the check: XOR with the table byte, subtract 72, XOR 0x55, swap case."""
    return chr(swap_ascii_case(((ord(ch) ^ mask) - 72) ^ 0x55))


flag = "".join(undo_byte(string[i], List[i]) for i in range(len(string)))

print("EIS{" + flag + "}")
#EIS{wadx_tdgk_aihc_ihkn_pjlm}

re13

算法简单,不挣扎了,手动写下出来了

>>> chr(ord('D')-1)
'C'
>>> chr(ord('p')-1)
'o'
>>> chr(ord('e')-1)
'd'
>>> chr(ord('f')-1)
'e'
>>> chr(ord('`')-1)
'_'
>>> chr(ord('U')-1)
'T'
>>> chr(ord('b')-1)
'a'
>>> chr(ord('m')-1)
'l'
>>> chr(ord('l')-1)
'k'
>>> chr(ord('f')-1)
'e'
>>> chr(ord('s')-1)
'r'
>>> chr(ord('t')-1)
's'
>>> Code_Talkers

本文作者:NoOne
本文地址:https://noonegroup.xyz/posts/c8f4b23e/
版权声明:转载请注明出处!