2022-07-09
[CTF/Reverse] 深育杯DMZ04
提示附件, 直接看附件很明显的一个Tea+Base64注意Base64换表了#include <stdio.h> #include <stdint.h> uint8_t tt[] = { 0xb8,0x2a,0x35,0x80,0x38,0x98,0xc5,0xa3,0x51,0x28,0xbc,0x09,0x2b,0xad,0x51,0x93,0x70,0xf0,0x32,0x49,0xaa,0xb6,0xd8,0xb3,0x2f,0x30,0x7c,0x00,0xbe,0x01,0x09,0x3e,0x7b,0x33,0x9b,0x03,0xe5,0x4d,0xef,0x42,0xa6,0x22,0xe9,0xdf,0x7e,0xf7,0x74,0xf1,0x11,0x84,0x17,0xb3,0xb3,0x56,0x93,0x15,0xf0,0xf3,0x3c,0xda,0x23,0xce,0x30,0xb6,0x88,0xba,0x8e,0xc8,0x75,0x3f,0x65,0xae,0x3e,0xe6,0x9b,0x81,0xc0,0xe4,0x4c,0xcc,0x87,0xf4,0xf9,0x89,0xf5,0x28,0x3a,0xcd,0xe8,0x8c,0x74,0xa3,0x03,0x1a,0xb2,0x77,0x6b,0x01,0x4c,0x0d,0x73,0xa5,0xd3,0x8f,0x22,0x38,0x10,0xe7,0xd4,0x4f,0xd4,0xe4,0xb8,0x3e,0x0f,0x90,0xc2,0xaa,0xd4,0x06,0x13,0xfb,0x5c,0x48,0x86,0xab,0xac,0x92,0xa6,0x53,0xb6,0xc6,0xf9,0x34,0x01,0x5e,0x5d,0x3a,0x76,0x12,0x7a,0x1a,0x23,0xdf,0x71,0xd4,0xdb,0x2b,0xc1,0x67,0x8b,0x96,0x68,0x08,0x15,0x52,0xf2,0x09,0x29,0x6d,0xeb,0xee,0xdb,0x47,0xb3,0x01,0x40,0xf7,0xad,0xc2,0x88,0x6a,0x85,0x76,0x74,0xea,0x6c,0x0c,0x98,0x84,0x1d,0xee,0xf5,0xee,0x74,0xe7,0x6d,0xc8,0x06,0x6f,0xce,0x21,0x2e,0x84,0xc8,0x8a,0x62,0x04,0xdd,0x46,0xbd,0x79,0x30,0x28,0x72,0x8e,0xd8,0xc3,0x1b,0x9e,0x50,0x8b,0x3c,0x37,0xc2,0x8b,0x07,0x26,0x7d,0x9c,0x20,0x54,0x0a,0x89,0x40,0x81,0x50,0xc4,0x64,0x30,0x28,0x02,0xdf,0x38,0x3c,0x1d,0xe5,0xfd,0x8e,0x43,0x2d,0xad,0x27,0x6c,0xac,0xba,0x15,0x7a,0xdd,0xe7,0xfc,0xcf,0x1f,0xe6,0x93,0x62,0x07,0x85,0x2a,0xd8,0x27,0x3b,0xbc,0xc6,0xf4,0xa7,0xe2,0x85,0x8c,0x1e,0x2d,0x14,0xf5,0x23,0xab,0x33,0x4b,0xbe,0xdb,0x00,0xd8,0x09,0x10,0x09,0x8c,0xa6,0x19,0xbe,0x54,0xc4,0x1d,0x7f,0x60,0x75,0xef,0x0f,0xd6,0x4c,0x6b,0x0f,0x99,0x9b,0x4b,0xe5,0x89,0xf8,0xb0,0xb3,0x37,0x7a,0x4d,0x22,0x3b,0xd4,0x26,0x04,0x30,0xa9,0xdd,0x40,0xa4,0x59,0x40,0x9c,0x6f,0xc4,0xd6,0x10,0x40,0xcb,0x98,0x07,0x1d,0x03,0xe0,0x4f,0xeb,0xbe,0xfd,0x5c,0x44,0x27,0x61,0x38,0x34,0x2c,0x99,0x0e,0x55,0x37,0x40,0x69,0xe5,0x9b,0xa5,0xb8,0xc9,0xc0,0x55,0x6c,0xbd,0x2a,0x2f,0x0e,0x64,0xa2,0x9d,0x33,0xb9,0x1f,0x00,0x3f,0x09,0x67,0x93,0x1f,0x7d,0xe2,0xc6,0x0d,0x8c,0
x92,0x00,0x26,0x2f,0x2b,0x9e,0x20,0x0d,0x38,0xa0,0x56,0x02,0x1e,0xe0,0x8a,0xc9,0x6f,0x8e,0x93,0x43,0xfd,0xad,0x43,0xac,0x10,0x14,0x57,0xa0,0x3c,0xb2,0xf4,0x16,0x90,0x78,0x39,0x25,0x30,0x58,0x06,0x81,0x8a,0xa4,0x78,0x72,0x79 }; void decrypt (uint32_t* v, uint32_t* k) { uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; uint32_t delta=0x9e3779b9; uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; for (i=0; i<32; i++) { v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3); v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1); sum -= delta; } v[0]=v0; v[1]=v1; } int main() { uint32_t k[4]={20,0,12,25}; uint32_t* t1 = (uint32_t *)tt; for(int i = 0; i < 426/4; i += 2 ) { uint32_t v[2] = {t1[i], t1[i+1]}; // printf("%x %x\n", v[0], v[1]); decrypt(v, k); char s0[5], s1[5]; printf("%x", v[0]); printf("%x", v[1]); } return 0; }文件的Base64先用Cyberchef换表解开得到十六进制数据, 再根据exe中硬编码获得tea的key。解出来的16进制转ascii即可, 注意char和int的端序, 如果直接输出int的话, 要每4位一反序。In cryptography, the Tiny Encryption Algorithm (TEA) is a block cipher that is easy to describe and execute, and usually can be implemented with little code. Its designers are David Wheeler and Roger Needham. It was originally presented at the Fast Software Encryption workshop in Leuven in 1994, and was first published in a talk at that workshop. Based on this algorithm, we get the boot password: 8ab126bd5a. 扫到3389, 按提示通过mstsc登录远程桌面, 获得最近访问中的flag文件即可得到flag。
2022-07-09
[CTF/Reverse] [CISCN2022-东北分区赛] 逆向部分: EasyCPP1&Happymath2&Crackme1
本次比赛赛时出三个,赛后出一个,一血二血三血(虽然都很简单)本场比赛主要输出RE和Misc了。。。easycpp1太简单了,逻辑都在主函数里上脚本二进制忘了放哪里了,但是这难度应该也不用看二进制 tar = [ 0x0A, 0x0B, 0x7D, 0x2F, 0x7F, 0x67, 0x65, 0x30, 0x63, 0x60, 0x37, 0x3F, 0x3C, 0x3F, 0x33, 0x3A, 0x3C, 0x3B, 0x35, 0x3C, 0x3E, 0x6C, 0x64, 0x31, 0x64, 0x6C, 0x3B, 0x68, 0x61, 0x62, 0x65, 0x36, 0x33, 0x60, 0x62, 0x36, 0x1C, 0x7D ] a = tar for i in range(len(tar)-4, -1, -1) : a[i+2] ^= a[i+3] a[i+1] ^= a[i+2] a[i] ^= a[i+1] for i in a : print(chr(i), end="") happymath2出题人也不知道咋想的, 四位爆破, 直接把表拿下来爆破就行满足这个条件就行, input是输入, table是table, 代码中省略了, tab2就是代码中tab2tab1太长了, 就静态在数据段,代码复制上来格式没了。。但是大家对付看一眼。 #include <cstdint> unsigned char tab2[] = { 0xDC, 0x53, 0xF5, 0x95, 0x23, 0x4E, 0x3B, 0x1D, 0x14, 0x34, 0x91, 0x0B, 0x82, 0x45, 0x9E, 0x6B, 0x1B, 0x62, 0xE7, 0x35, 0x7F, 0x88, 0x86, 0xFC, 0xFB, 0xA0, 0xDE, 0x26, 0xAA, 0x4C, 0x04, 0x87 }; void gen(int v4) { // printf("GET TASK %d\n", v4); for(int c1 = 32; c1 < 127; c1 ++ ) for(int c2 = 32; c2 < 127; c2 ++ ) for(int c3 = 32; c3 < 127; c3 ++ ) for(int c4 = 32; c4 < 127; c4 ++ ) { int arr[4] = {c1, c2, c3, c4}; uint32_t v9 = -1; int64_t v7 = 256/4*v4; int8_t v11; for(int i = 0; i < 4; v9 = table[v7 + (~(v11 & v9) & (unsigned __int8)(v11 | v9))] ^ (v9 >> 8) ) { v11 = arr[i ++]; } uint32_t v12, v13, v14, v15, v16; int32_t v17, v18, v19, v20; v12 = (v9 | ~*(uint32_t *)(&tab2[v4])) & ~(v9 & ~*(uint32_t *)(&tab2[v4])); v13 = ((((((((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 4) | ((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 8) | ((((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 4) | ((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 16) | ((((((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 4) | ((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 8) | ((((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1)) >> 4) | ((v12 | (v12 >> 1)) >> 2) | v12 | (v12 >> 1); v14 = ((v12 & (v13 | (v13 >> 1)) & ~(v13 & (v13 >> 1))) >> 1) | v12 & (v13 | (v13 >> 1)) & ~(v13 & (v13 >> 1)); v15 = (((v14 >> 2) | v14) >> 4) | (v14 >> 2) | v14; v16 = (((v15 >> 8) | 
v15) >> 16) | (v15 >> 8) | v15; v17 = (4 * ((2 * v16) | v16)) | (2 * v16) | v16; v18 = (((16 * v17) | v17) << 8) | (16 * v17) | v17; v19 = (4 * ((2 * (v13 & 1)) | v13 & 1)) | (2 * (v13 & 1)) | v13 & 1; v20 = (((16 * v19) | v19) << 8) | (16 * v19) | v19; if(((v20 | (v20 << 16)) & (~((v18 << 16) | v18) | v18 & 1)) == 0 ) { printf("%c%c%c%c", c1, c2, c3, c4); return; } } } int main() { for(int v4 = 0; v4 <= 36; v4 += 4 ) { gen(v4); //printf("%d\n", v4); } }Crackme1GDA打开逻辑特别明显, 就是把4位4位的md5拼一起, 4位md5直接爆破即可, 非常简单的题(或者用cmd5可以直接查到)
2022-04-13
[CTF/Reverse] Simplestuff
simplestuff: 最近抓到了一段简单恶意代码和其发出的流量, 你能破解他吗? 流量包全是TCP流量, 看不出来什么, 从二进制开始分析. 字符串里的crontab和flag引起了我的注意, 跟一跟, 在引用了flag的函数里发现了这个东西. 把TCP包有用的部分截下来XOR一下得到这个, 不过后半部分是乱码, 看看后半部分. 这个文件里有多处InterlockedCompareExchange, 让我怀疑是不是还有其他线程, 尝试动调一下吧. 惊讶地发现源文件没了, 只留下了一个0字节的文件, 但是crontab里没有新增项...疑惑啊.. 再来一次. 注意main要进到这个函数需要是五秒整倍左右, 可以动调改数, 直接进行一个0的改. 这一串函数会设定一些值, 先忽略. sample是我自己写的, 这说明这一段确实是读的flag. 说明中间还是改动了, 但是我没跟到; 但是从PseudoCode上看异或结束直接去Label8了, 中间不应该有变动. 无妨, 我们再来一次. 我自己的sample正常异或结果应该是这个: 3e 06 16 11 0b 01 65 46 18 0e 47 1f 16 09 19 03 13 00 10 3a 0f 2c 16 41 19 1f 4c 01 3d 07 1c 11 2b 14. 我们看看哪里开始不一样了. 哦, 原来dbapp后面还应该有个\0.....
2022-04-13
[CTF/Reverse] [FlareOn3]unknown
[FlareOn3]unknown32位WinPE一个参数, 要过401020的检测这里v20 Xor 定值需要是 v6, v6是过2760的参数感觉有点像37进制读入 改名atoi_b37, 注意到这个程序基本都是双字节char, 那些WORD来WORD去的都写成uint16就行 (后来脑瓜一闪反应过来这不是哈希么..)要求0x1B个v13里的内容等于v11, v11在这长104个Byte应该是注意cmptable经过了一个thiscall函数改过, 有个长256的表, 这个换表操作让我感觉是现成的加密算法, 是不是有点像..RC4?同时这个表也输入相关, 但是好像只和输入长度有关v16-v4大概就是一个输入长度相关量, 另外这里也和v20有点关系, 结合循环变量0x1B, 我觉得基本能推测输入长度是27, 每次取出1位放到v23[0], v23其他的值都是固定/可测的, 这个东西被atoi_b37之后要和cmptable相同. 我们试一下len=27的cmptableunsigned char cmptable[] = { 0xE9, 0x67, 0xFD, 0xB2, .... 0xF5, 0xEA, 0x6D, 0xE1 };而v23则是input[j], 0x60+j, 0x46, 0x4C, 0x41, 0x52, 0x45, 0x20, 0x4F, 0x6E, 0x21后面量是上面能找得到的, 就是FLARE On!这样四位一比长度应该是26的, 直接爆破一下unsigned char cmptable[] = { 0x1F, 0xD0, 0x24, 0x4C, 0xEA, 0x1D, 0xDA, 0xAE, 0x57, 0x05, 0x2B, 0x4E, 0xAE, 0x68, 0xC7, 0x4D, 0xF0, 0x6A, 0x42, 0x79, 0x2B, 0x80, 0xC4, 0x39, 0xD9, 0x8C, 0xE2, 0xCD, 0x32, 0x5E, 0x77, 0x23, 0x54, 0xC4, 0x31, 0x36, 0x2E, 0x8D, 0x50, 0xDA, 0x48, 0x79, 0x43, 0xE9, 0xA6, 0x11, 0xE2, 0x56, 0xB0, 0x6A, 0x05, 0xE6, 0xF4, 0x8F, 0x1C, 0xC2, 0x29, 0x8B, 0x95, 0x32, 0xF9, 0x88, 0x66, 0x80, 0x72, 0x2F, 0xF3, 0xCE, 0x56, 0x24, 0xBC, 0xE4, 0x72, 0x6B, 0xFB, 0x52, 0xBF, 0x20, 0x06, 0xCC, 0x8A, 0xEB, 0x00, 0xA9, 0xC6, 0x90, 0x39, 0xAC, 0x4D, 0x50, 0xAC, 0xD2, 0x8B, 0x5C, 0xF9, 0xFA, 0x66, 0x38, 0xAD, 0x12, 0x47, 0x6B, 0xA8, 0x31 }; #include <cstdio> #include <cstdint> int sum(char s[15]) { int res = 0; for(int i = 0; i < 11; i ++ ) { res = s[i] + 37*res; } return res; } int main() { int *p = (int *)cmptable; char s[15] = "a`FLARE On!"; // (0x60+i) * 37 ^ 9 + ch * 37 ^ 10; for(int i = 0; i < 26; i ++ ) { for(int j = 0; j < 0xFF; j ++ ) { s[0] = j; int tmp = sum(s); if(tmp == p[i]) { printf("0x%x, ", tmp); break; } } s[1] ++; } }爆破无果, 那只能是cmptable还有问题, 我们回头看发现这个table竟然和文件名本身有关?? 这个很不美啊.. 我们要尝试找到真正的文件名, 看起来unknown并不是MS编译器往往会有这么一个东西重新提重新爆
2022-04-13
[CTF/Reverse] [HackIM2020]year3000
[HackIM2020]year3000: 一共3000个bin, 前43个都要是't', 后面4位和unk_2008相同. 这是bin1的; bin2就变成了64位?? 离谱, 这个是前83位是'N', 后面8位和固定值相同. 3又回到了32位, 84位的'c', 和4位的固定值, 此外固定值不同. 这样我觉得基本可以认为有两种文件, 32位的要比4位, 64位的要比8位, 前面的验证. import subprocess from pwn import * def parse32(elf) : cnt = elf[0x661] ch = elf[0x668] nonce = elf[0x1008:0x100C] # print(cnt, ch, nonce) return (chr(ch) * cnt).encode(encoding='utf-8') + nonce def parse64(elf) : cnt = elf[0x819] ch = elf[0x820] nonce = elf[0x1010:0x1018] # print(cnt, ch, nonce) return (chr(ch) * cnt).encode(encoding='utf-8') + nonce for i in range(1, 3001) : file_name = "./" + str(i) + ".bin" with open(file_name, "rb") as f: content = f.read() if content[4] == 1 : payload = parse32(content) elif content[4] == 2 : payload = parse64(content) p = process(file_name) p.sendline(payload) s = p.recvline() if s != b'Well done\n' : print('Error', i) p.close() 脚本倒是写完了, 也全well done了.. 可是.. Flag呢? 长度为3000的flag也不太现实, 难道是把这些二进制串加一起有个新的ELF? 不妨试试. 显然, 这东西和ELF没什么关系, 换个思路, 我们把前面的可见字符加一起看看. 看着就像个Base64, 然而解了Base64也没什么用, 而且这Base64里竟然一个数字都没有.. 不是很靠谱啊. 就这么来到了谜语时间么... 苦解谜语10分钟无果, 果断找wp. 尼玛, 靶机题, 本地打通, 此题做完