攻防世界-re2-cpp-is-awesome

题干如下

C++逆向,main逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
__int64 __fastcall main(int n2, char **a2, char **a3)
{
  char *v3; // rbx
  __int64 v4; // rax
  __int64 v5; // rdx
  __int64 v6; // rax
  __int64 v7; // rdx
  _BYTE *v8; // rax
  _QWORD v10[2]; // [rsp+10h] [rbp-60h] BYREF
  _BYTE v11[47]; // [rsp+20h] [rbp-50h] BYREF
  char v12; // [rsp+4Fh] [rbp-21h] BYREF
  __int64 v13; // [rsp+50h] [rbp-20h] BYREF
  int v14; // [rsp+5Ch] [rbp-14h]

  if ( n2 != 2 )
  {
    v3 = *a2;
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Usage: ", a3);
    v6 = std::operator<<<std::char_traits<char>>(v4, v3, v5);
    std::operator<<<std::char_traits<char>>(v6, " flag\n", v7);
    exit(0);
  }
  std::allocator<char>::allocator(&v12, a2, a3);
  std::string::basic_string(v11, a2[1], &v12);
  std::allocator<char>::~allocator(&v12);
  v14 = 0;
  v10[0] = std::string::begin(v11);
  while ( 1 )
  {
    v13 = std::string::end(v11);
    if ( !sub_400D3D(v10, &v13) )
      break;
    v8 = sub_400D9A(v10);
    if ( *v8 != off_6020A0[dword_6020C0[v14]] ) // "L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t"
      sub_400B56();
    ++v14;
    sub_400D7A(v10);
  }
  sub_400B73();
  std::string::~string(v11);
  return 0;
}

这里就是在进行一个索引提取,逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
#include <bits/stdc++.h>
int main()
{
    char enc[]="L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t";
    int index[]={0x24, 0x0, 0x5, 0x36, 0x65, 0x7, 0x27, 0x26, 0x2d, 0x1, 0x3, 0x0, 0xd, 0x56, 0x1, 0x3, 0x65, 0x3, 0x2d, 0x16, 0x2, 0x15, 0x3, 0x65, 0x0, 0x29, 0x44, 0x44, 0x1, 0x44, 0x2b};
    char flag[50];
    for(int i=0;i<31;i++)
    {
        flag[i]=enc[index[i]];
        printf("%c",flag[i]);
    }
    return 0;
}

值得注意的一点是这里在数据提取时会得到如下的数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
dd 24h                  ; DATA XREF: main+DD↑r
.data:00000000006020C4                 align 8
.data:00000000006020C8                 db    5
.data:00000000006020C9                 db    0
.data:00000000006020CA                 db    0
.data:00000000006020CB                 db    0
.data:00000000006020CC                 db  36h ; 6
.data:00000000006020CD                 db    0
.data:00000000006020CE                 db    0
.data:00000000006020CF                 db    0
.data:00000000006020D0                 db  65h ; e
.data:00000000006020D1                 db    0
.data:00000000006020D2                 db    0
.data:00000000006020D3                 db    0
.data:00000000006020D4                 db    7
.data:00000000006020D5                 db    0
.data:00000000006020D6                 db    0
.data:00000000006020D7                 db    0
.data:00000000006020D8                 db  27h ; '
.data:00000000006020D9                 db    0
.data:00000000006020DA                 db    0
.data:00000000006020DB                 db    0
.data:00000000006020DC                 db  26h ; &
.data:00000000006020DD                 db    0
.data:00000000006020DE                 db    0
.data:00000000006020DF                 db    0
.data:00000000006020E0                 db  2Dh ; -
.data:00000000006020E1                 db    0
.data:00000000006020E2                 db    0
.data:00000000006020E3                 db    0
.data:00000000006020E4                 db    1
.data:00000000006020E5                 db    0
.data:00000000006020E6                 db    0
.data:00000000006020E7                 db    0
.data:00000000006020E8                 db    3
.data:00000000006020E9                 db    0
.data:00000000006020EA                 db    0
.data:00000000006020EB                 db    0
.data:00000000006020EC                 db    0
.data:00000000006020ED                 db    0
.data:00000000006020EE                 db    0
.data:00000000006020EF                 db    0
.data:00000000006020F0                 db  0Dh
.data:00000000006020F1                 db    0
.data:00000000006020F2                 db    0
.data:00000000006020F3                 db    0
.data:00000000006020F4                 db  56h ; V
.data:00000000006020F5                 db    0
.data:00000000006020F6                 db    0
.data:00000000006020F7                 db    0
.data:00000000006020F8                 db    1
.data:00000000006020F9                 db    0
.data:00000000006020FA                 db    0
.data:00000000006020FB                 db    0
.data:00000000006020FC                 db    3
.data:00000000006020FD                 db    0
.data:00000000006020FE                 db    0
.data:00000000006020FF                 db    0
.data:0000000000602100                 db  65h ; e
.data:0000000000602101                 db    0
.data:0000000000602102                 db    0
.data:0000000000602103                 db    0
.data:0000000000602104                 db    3
.data:0000000000602105                 db    0
.data:0000000000602106                 db    0
.data:0000000000602107                 db    0
.data:0000000000602108                 db  2Dh ; -
.data:0000000000602109                 db    0
.data:000000000060210A                 db    0
.data:000000000060210B                 db    0
.data:000000000060210C                 db  16h
.data:000000000060210D                 db    0
.data:000000000060210E                 db    0
.data:000000000060210F                 db    0
.data:0000000000602110                 db    2
.data:0000000000602111                 db    0
.data:0000000000602112                 db    0
.data:0000000000602113                 db    0
.data:0000000000602114                 db  15h
.data:0000000000602115                 db    0
.data:0000000000602116                 db    0
.data:0000000000602117                 db    0
.data:0000000000602118                 db    3
.data:0000000000602119                 db    0
.data:000000000060211A                 db    0
.data:000000000060211B                 db    0
.data:000000000060211C                 db  65h ; e
.data:000000000060211D                 db    0
.data:000000000060211E                 db    0
.data:000000000060211F                 db    0
.data:0000000000602120                 db    0
.data:0000000000602121                 db    0
.data:0000000000602122                 db    0
.data:0000000000602123                 db    0
.data:0000000000602124                 db  29h ; )
.data:0000000000602125                 db    0
.data:0000000000602126                 db    0
.data:0000000000602127                 db    0
.data:0000000000602128                 db  44h ; D
.data:0000000000602129                 db    0
.data:000000000060212A                 db    0
.data:000000000060212B                 db    0
.data:000000000060212C                 db  44h ; D
.data:000000000060212D                 db    0
.data:000000000060212E                 db    0
.data:000000000060212F                 db    0
.data:0000000000602130                 db    1
.data:0000000000602131                 db    0
.data:0000000000602132                 db    0
.data:0000000000602133                 db    0
.data:0000000000602134                 db  44h ; D
.data:0000000000602135                 db    0
.data:0000000000602136                 db    0
.data:0000000000602137                 db    0
.data:0000000000602138                 db  2Bh ; +
.data:0000000000602139                 db    0
.data:000000000060213A                 db    0
.data:000000000060213B                 db    0

三个0来当分隔符时老生常谈了,最重要的地方是在于align8的作用在于对齐地址,由于这里定义的是dwrod数据且大多数编译器的地址选择都是8的倍数,而下一个数据所在的地址是0x6020C4,这不是8的倍数,所以这里就自动填充了4个字节让下一个数据的地址是8的倍数,所以这里在提取数据时除了正常能看到的,不要忘了还有align8的0x0数据也要写进逆向脚本中。

攻防世界-BABYRE

一道陷阱题,字节码。main逻辑相当简洁

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[24]; // [rsp+0h] [rbp-20h] BYREF
  int n14; // [rsp+18h] [rbp-8h]
  int n181; // [rsp+1Ch] [rbp-4h]

  for ( n181 = 0; n181 <= 181; ++n181 )
    judge[n181] ^= 0xCu;
  printf("Please input flag:");
  __isoc99_scanf("%20s", s);
  n14 = strlen(s);
  if ( n14 == 14 && (*judge)(s) )
    puts("Right!");
  else
    puts("Wrong!");
  return 0;
}

将judge数据异或之后输出一堆乱码,那么大抵是异或出字节码然后再看内容,字节码一键梭哈脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from capstone import *

# ========= 把你的数组贴这里 =========
judge_enc = [
    0x59,0x44,0x85,0xe9,0x44,0x85,0x71,0xd4,0xca,0x49,0xec,0x6a,0xca,0x49,0xed,0x61,
    0xca,0x49,0xee,0x6f,0xca,0x49,0xef,0x68,0xca,0x49,0xe8,0x73,0xca,0x49,0xe9,0x67,
    0xca,0x49,0xea,0x3b,0xca,0x49,0xeb,0x68,0xca,0x49,0xe4,0x37,0xca,0x49,0xe5,0x5a,
    0xca,0x49,0xe6,0x6c,0xca,0x49,0xe7,0x37,0xca,0x49,0xe0,0x62,0xca,0x49,0xe1,0x7c,
    0xcb,0x49,0xf0,0xc,0xc,0xc,0xc,0xe7,0x24,0x87,0x49,0xf0,0x44,0x6f,0xdc,0x44,
    0x87,0x49,0xd4,0x44,0xd,0xdc,0x87,0x59,0xf0,0x44,0x6f,0xc6,0x44,0x87,0x59,0xd4,
    0x44,0xd,0xc6,0x3,0xba,0x1e,0x87,0x41,0xf0,0x3d,0xc6,0x84,0x1c,0x8f,0x49,0xf0,
    0xd,0x8f,0x71,0xf0,0x1,0x72,0xde,0xcb,0x49,0xf0,0xc,0xc,0xc,0xc,0xe7,0x25,
    0x87,0x49,0xf0,0x44,0x6f,0xdc,0x44,0x87,0x49,0xd4,0x44,0xd,0xdc,0x3,0xba,0x1c,
    0x87,0x49,0xf0,0x44,0x94,0x3,0xba,0x48,0x9,0xec,0x34,0xce,0x78,0xb,0xb4,0xc,
    0xc,0xc,0xc,0xe7,0x3,0x8f,0x49,0xf0,0xd,0x8f,0x71,0xf0,0x1,0x72,0xdd,0xb4,
    0xd,0xc,0xc,0xc,0x51,0xcf
]

XOR_KEY = 0x0C  # 修改为题目使用的key


# ========= 解密 =========
code = bytes([b ^ XOR_KEY for b in judge_enc])


# ========= 自动架构检测 =========
def try_disasm(mode):
    try:
        md = Cs(CS_ARCH_X86, mode)
        md.detail = False
        ins = list(md.disasm(code, 0x1000))
        if len(ins) > 5:
            return ins
    except:
        pass
    return None


ins = try_disasm(CS_MODE_64)
arch = "x86_64"

if not ins:
    ins = try_disasm(CS_MODE_32)
    arch = "x86"

if not ins:
    print("[-] 无法识别为 x86/x64 机器码")
    exit()

print(f"[+] Architecture detected: {arch}")
print("=" * 60)


# ========= 输出汇编 =========
for i in ins:
    print("0x%x:\t%-8s %s" % (i.address, i.mnemonic, i.op_str))

输出得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
0x1000:	push     rbp
0x1001:	mov      rbp, rsp
0x1004:	mov      qword ptr [rbp - 0x28], rdi
0x1008:	mov      byte ptr [rbp - 0x20], 0x66
0x100c:	mov      byte ptr [rbp - 0x1f], 0x6d
0x1010:	mov      byte ptr [rbp - 0x1e], 0x63
0x1014:	mov      byte ptr [rbp - 0x1d], 0x64
0x1018:	mov      byte ptr [rbp - 0x1c], 0x7f
0x101c:	mov      byte ptr [rbp - 0x1b], 0x6b
0x1020:	mov      byte ptr [rbp - 0x1a], 0x37
0x1024:	mov      byte ptr [rbp - 0x19], 0x64
0x1028:	mov      byte ptr [rbp - 0x18], 0x3b
0x102c:	mov      byte ptr [rbp - 0x17], 0x56
0x1030:	mov      byte ptr [rbp - 0x16], 0x60
0x1034:	mov      byte ptr [rbp - 0x15], 0x3b
0x1038:	mov      byte ptr [rbp - 0x14], 0x6e
0x103c:	mov      byte ptr [rbp - 0x13], 0x70
0x1040:	mov      dword ptr [rbp - 4], 0
0x1047:	jmp      0x1071
0x1049:	mov      eax, dword ptr [rbp - 4]
0x104c:	movsxd   rdx, eax
0x104f:	mov      rax, qword ptr [rbp - 0x28]
0x1053:	add      rax, rdx
0x1056:	mov      edx, dword ptr [rbp - 4]
0x1059:	movsxd   rcx, edx
0x105c:	mov      rdx, qword ptr [rbp - 0x28]
0x1060:	add      rdx, rcx
0x1063:	movzx    edx, byte ptr [rdx]
0x1066:	mov      ecx, dword ptr [rbp - 4]
0x1069:	xor      edx, ecx
0x106b:	mov      byte ptr [rax], dl
0x106d:	add      dword ptr [rbp - 4], 1
0x1071:	cmp      dword ptr [rbp - 4], 0xd
0x1075:	jle      0x1049
0x1077:	mov      dword ptr [rbp - 4], 0
0x107e:	jmp      0x10a9
0x1080:	mov      eax, dword ptr [rbp - 4]
0x1083:	movsxd   rdx, eax
0x1086:	mov      rax, qword ptr [rbp - 0x28]
0x108a:	add      rax, rdx
0x108d:	movzx    edx, byte ptr [rax]
0x1090:	mov      eax, dword ptr [rbp - 4]
0x1093:	cdqe     
0x1095:	movzx    eax, byte ptr [rbp + rax - 0x20]
0x109a:	cmp      dl, al
0x109c:	je       0x10a5
0x109e:	mov      eax, 0
0x10a3:	jmp      0x10b4
0x10a5:	add      dword ptr [rbp - 4], 1
0x10a9:	cmp      dword ptr [rbp - 4], 0xd
0x10ad:	jle      0x1080
0x10af:	mov      eax, 1
0x10b4:	pop      rbp
0x10b5:	ret

可得逆向脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# 原始的 judge 数据
judge_data = [
    0x59, 0x44, 0x85, 0xe9, 0x44, 0x85, 0x71, 0xd4, 0xca, 0x49, 0xec, 0x6a,
    0xca, 0x49, 0xed, 0x61, 0xca, 0x49, 0xee, 0x6f, 0xca, 0x49, 0xef, 0x68,
    0xca, 0x49, 0xe8, 0x73, 0xca, 0x49, 0xe9, 0x67, 0xca, 0x49, 0xea, 0x3b,
    0xca, 0x49, 0xeb, 0x68, 0xca, 0x49, 0xe4, 0x37, 0xca, 0x49, 0xe5, 0x5a,
    0xca, 0x49, 0xe6, 0x6c, 0xca, 0x49, 0xe7, 0x37, 0xca, 0x49, 0xe0, 0x62,
    0xca, 0x49, 0xe1, 0x7c
]

# 1. 提取出用于对比的加密字节 (每4个字节一组的最后一个)
# 对应汇编 mov byte ptr [rbp+offset], char 中的 char
encrypted_chars = []
for i in range(11, len(judge_data), 4):
    encrypted_chars.append(judge_data[i])

# 2. 进行双重解密:
# 第一步:与 0x0C 异或 (还原 Shellcode 中的常量)
# 第二步:与索引 i 异或 (抵消 judge 函数内部的运算)
flag = ""
for i in range(len(encrypted_chars)):
    # s[i] = (judge_data ^ 0x0C) ^ i
    char_code = (encrypted_chars[i] ^ 0x0C) ^ i
    flag += chr(char_code)

print(f"解密后的 Flag 为: {flag}")

当然,如果能实现linux远程调试的话,下个断点然后CUP直接就能得到反汇编过后的代码,比静态分析更快更好用。(仍然不会Linux远程调试的屑)

攻防世界-流浪者

一道windows逆向,进入程序后发现删除对照表,所以只能通过查找字符串的方式来定位main逻辑,梳理后main逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
int __cdecl main(int argc, const char **argv, const char **envp)
{
  CWnd *v3; // ecx
  CWnd *DlgItem; // eax
  int v5; // eax
  struct CString *v7; // [esp-4h] [ebp-C4h]
  _DWORD v8[26]; // [esp+4Ch] [ebp-74h] BYREF
  int i; // [esp+B4h] [ebp-Ch]
  char *input; // [esp+B8h] [ebp-8h]
  CWnd *v11; // [esp+BCh] [ebp-4h]

  v11 = v3;
  v7 = (v3 + 100);
  DlgItem = CWnd::GetDlgItem(v3, 1002);
  CWnd::GetWindowTextA(DlgItem, v7);
  v5 = sub_401A30(v11 + 25);
  input = CString::GetBuffer((v11 + 100), v5);
  if ( !strlen(input) )
    return CWnd::MessageBoxA(v11, &byte_4035DC, 0, 0);
  for ( i = 0; input[i]; ++i )
  {
    if ( input[i] > 57 || input[i] < 48 )
    {
      if ( input[i] > 122 || input[i] < 97 )
      {
        if ( input[i] > 90 || input[i] < 65 )
          sub_4017B0();
        else
          v8[i] = input[i] - 29;
      }
      else
      {
        v8[i] = input[i] - 87;
      }
    }
    else
    {
      v8[i] = input[i] - 48;
    }
  }
  return chage_base64(v8);
}

其中change_base64为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
BOOL __cdecl chage_base64(int v8)
{
  char Str1[28]; // [esp+D8h] [ebp-24h] BYREF
  int v3; // [esp+F4h] [ebp-8h]
  int v4; // [esp+F8h] [ebp-4h]

  v4 = 0;
  v3 = 0;
  while ( *(v8 + 4 * v4) <= '=' )
  {
    Str1[v4] = aAbcdefghiabcde[*(v8 + 4 * v4)];
    ++v4;
  }
  Str1[v4] = 0;
  if ( !strcmp(Str1, "KanXueCTF2019JustForhappy") )
    return sub_401770();
  else
    return sub_4017B0();
}

这里会有一些关于IDA的特性:

譬如在引用某一数组时,会使用类似于*(v8+4*v4)的表达式,这里表示v8数组中的四个字节四个字节地递增,由于v8是dword数据类型占四个字节,所以这里就用乘数四来表示字节的递进。

这里也是一个小点:在IDA中,是以字节为单位进行递进地,而不是像常规一样以索引来进行递进的。

对于change_base64的逆向我们直接逆向出其索引就行,后面的逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#include <bits/stdc++.h>
int main()
{
    int enc[]={19,0,27,59,44,4,11,55,14,30,28,29,37,18,44,42,43,14,38,41,7,0,39,39,48};
    int flag[25];
    for(int i=0;i<25;i++)
    {
        if(0<=enc[i]&&enc[i]<=9)
        {
            flag[i]=enc[i]+48;
        }
        else if(10<=enc[i]&&enc[i]<=35)
        {
            flag[i]=enc[i]+87;
        }
        else
        {
            flag[i]=enc[i]+29;
        }
        printf("%c",flag[i]);
    }
    return 0;
}

攻防世界-tt3441810

一道很逆天的题目。打开来发现是一堆字节码,编译出来后可以得到字符串flag{poppopret},结果发现不对,纳闷了。把flag头去掉发现是对的(无语中…)

攻防世界-reverse_re3

一道别出新意的迷宫题,main逻辑如下

第一个函数没什么用(据说是反调试?没懂)第二个函数才是迷宫的重点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
__int64 sub_940()
{
    int n_w_; // eax
    int v2; // [rsp+8h] [rbp-218h]
    int v3; // [rsp+Ch] [rbp-214h]
    _QWORD buf[66]; // [rsp+10h] [rbp-210h] BYREF

    buf[65] = __readfsqword(0x28u);
    v3 = 0;
    memset(buf, 0, 0x200u);
    _isoc99_scanf(&qword_1278, buf, buf);
    while ( 1 )
    {
        do
        {
            v2 = 0;
            sub_86C();
            n_w_ = *(buf + v3);
            if ( n_w_ == 'd' )
            {
                v2 = sub_E23();
            }
            else if ( n_w_ > 'd' )
            {
                if ( n_w_ == 's' )
                {
                    v2 = sub_C5A();
                }
                else if ( n_w_ == 'w' )
                {
                    v2 = sub_A92();
                }
            }
            else
            {
                if ( n_w_ == 27 )
                    return 0xFFFFFFFFLL;
                if ( n_w_ == 'a' )
                    v2 = sub_FEC();
            }
            ++v3;
        }
        while ( v2 != 1 );
        if ( n2 == 2 )
            break;
        ++n2;
    }
    puts("success! the flag is flag{md5(your input)}");
    return 1;
}

可以看到,这里使用了wasd,经典的游戏操作。

进入第一个函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
unsigned __int64 sub_86C()
{
    int n14; // [rsp+0h] [rbp-10h]
    int n14_1; // [rsp+4h] [rbp-Ch]
    unsigned __int64 v3; // [rsp+8h] [rbp-8h]

    v3 = __readfsqword(0x28u);
    for ( n14 = 0; n14 <= 14; ++n14 )
    {
        for ( n14_1 = 0; n14_1 <= 14; ++n14_1 )
        {
            if ( dword_202020[225 * n2 + 15 * n14 + n14_1] == 3 )
            {
                ::n14 = n14;
                n14_0 = n14_1;
                break;
            }
        }
    }
    return __readfsqword(0x28u) ^ v3;
}

可以看到出现了两个循环,都是循环十五次,大致可以推断是15*15的一个迷宫

dword_202020如下

观察可得,只出现了0,1,4,3四个数据,上面的函数逻辑一定是迷宫生成逻辑,所以3必然是迷宫起点。

接着观察wasd的逻辑,可以看到wasd中都存在将方才走过的路赋值为1的操作,并且有条件判断是否为4。

那么不难得出一下结论,这个迷宫是15*15的,走过的路径为1,当前位置(初始为起点)为3,终点为4。那么可以得到以下三个迷宫

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,
1,1,1,1,1,0,3,1,1,0,0,0,0,0,0,
1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,
1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,
1,1,1,1,1,0,0,0,1,1,1,1,1,0,0,
1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,
1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,
1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,
1,1,1,1,1,0,0,0,0,0,0,0,0,1,0,
1,1,1,1,1,0,0,0,0,0,0,0,0,4,0,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,

1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,
1,1,0,3,1,1,1,1,1,0,0,0,0,0,0,
1,1,0,1,1,0,0,0,1,0,0,0,0,0,0,
1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,
1,1,0,1,1,0,0,0,1,1,1,1,1,0,0,
1,1,0,1,1,0,0,0,0,0,0,0,1,0,0,
1,1,0,1,1,0,0,0,0,0,0,0,1,0,0,
1,1,0,1,1,0,0,0,0,0,1,1,1,1,0,
1,1,0,1,1,0,0,0,0,0,1,0,0,1,0,
1,1,0,1,1,0,0,0,0,0,1,0,0,0,0,
1,1,0,1,1,1,1,1,1,0,1,0,1,1,0,
1,1,0,1,1,1,1,1,1,1,1,1,1,1,0,
1,1,0,0,0,0,0,0,0,0,0,0,0,4,0,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,

0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,3,1,1,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,1,0,1,1,1,0,0,0,0,0,0,0,
0,0,0,1,1,1,0,1,0,0,0,0,0,0,0,
0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,
0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,
0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,

于是就能得到flag。别忘了把最后得到的字符串md5加密.

攻防世界-happyctf

一道C++逆向,看起来很难其实是徒有其表,main逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
int __cdecl main(int argc, const char **argv, const char **envp)
{
  std::ostream *v3; // eax
  std::ostream *v4; // eax
  std::ostream *v6; // eax
  std::ostream *v7; // eax
  unsigned __int8 *v8; // [esp+5Ch] [ebp-70h]
  unsigned __int8 *v9; // [esp+60h] [ebp-6Ch]
  main::__l2::<lambda_7686c8adb828765130ce2b0d457195d9> cmp; // [esp+68h] [ebp-64h] BYREF
  unsigned __int8 key[24]; // [esp+6Ch] [ebp-60h] BYREF
  char item; // [esp+87h] [ebp-45h]
  char *v13; // [esp+88h] [ebp-44h]
  char *v14; // [esp+8Ch] [ebp-40h]
  std::string *p_str; // [esp+90h] [ebp-3Ch]
  main::__l2::<lambda_1b3a4e77a09e1a7ed440bad3aa4c443b> add; // [esp+94h] [ebp-38h] BYREF
  std::vector<unsigned char> _v__; // [esp+98h] [ebp-34h] BYREF
  std::string str; // [esp+A4h] [ebp-28h] BYREF
  int v19; // [esp+C8h] [ebp-4h]

  std::string::string(&str);
  v19 = 0;
  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "please input flag");
  std::ostream::operator<<(v3, std::endl<char,std::char_traits<char>>);
  std::operator>><char>(&std::cin, &str);
  if ( std::string::length(&str) == 24 )
  {
    std::vector<unsigned char>::vector<unsigned char>(&_v__);
    LOBYTE(v19) = 1;
    lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_::_lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_(&add, &_v__);
    p_str = &str;
    v14 = std::string::_Unchecked_begin(&str);
    v13 = std::string::_Unchecked_end(&str);
    while ( v14 != v13 )
    {
      item = *v14;
      lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_::operator()(&add, item);
      ++v14;
    }
    qmemcpy(key, "rxusoCqxw{yqK`{KZqag{r`i", sizeof(key));
    lambda_7686c8adb828765130ce2b0d457195d9_::_lambda_7686c8adb828765130ce2b0d457195d9_(&cmp, key);
    v9 = std::vector<unsigned char>::_Unchecked_begin(&_v__);
    v8 = std::vector<unsigned char>::_Unchecked_end(&_v__);
    while ( v9 != v8 )
    {
      if ( !lambda_7686c8adb828765130ce2b0d457195d9_::operator()(&cmp, *v9) )
      {
        v6 = std::operator<<<std::char_traits<char>>(&std::cout, "error");
        std::ostream::operator<<(v6, std::endl<char,std::char_traits<char>>);
        LOBYTE(v19) = 0;
        std::vector<unsigned char>::~vector<unsigned char>(&_v__);
        v19 = -1;
        std::string::~string(&str);
        return 0;
      }
      ++v9;
    }
    v7 = std::operator<<<std::char_traits<char>>(&std::cout, "good job");
    std::ostream::operator<<(v7, std::endl<char,std::char_traits<char>>);
    LOBYTE(v19) = 0;
    std::vector<unsigned char>::~vector<unsigned char>(&_v__);
    v19 = -1;
    std::string::~string(&str);
    return 0;
  }
  else
  {
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "not enought");
    std::ostream::operator<<(v4, std::endl<char,std::char_traits<char>>);
    v19 = -1;
    std::string::~string(&str);
    return 0;
  }
}

看起来非常难,但其实核心锁定在

1
2
3
4
5
6
7
8
while ( v14 != v13 )
  {
    item = *v14;
    lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_::operator()(&add, item);
    ++v14;
  }
  qmemcpy(key, "rxusoCqxw{yqK`{KZqag{r`i", sizeof(key));
  lambda_7686c8adb828765130ce2b0d457195d9_::_lambda_7686c8adb828765130ce2b0d457195d9_(&cmp, key);

其中逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
void __thiscall lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_::operator()(
        main::__l2::<lambda_1b3a4e77a09e1a7ed440bad3aa4c443b> *this,
        unsigned __int8 bytee)
{
  unsigned __int8 _Val[65]; // [esp+Fh] [ebp-45h] BYREF
  const main::__l2::<lambda_1b3a4e77a09e1a7ed440bad3aa4c443b> *thisa; // [esp+50h] [ebp-4h]

  thisa = this;
  _Val[0] = bytee ^ 0x14;
  std::vector<unsigned char>::push_back(this->v, _Val);
  ++`_lambda_1b3a4e77a09e1a7ed440bad3aa4c443b_::operator()'::`2'::index;
}

厨子梭哈

攻防世界-easyre-xctf

一道似曾相识的题

然后查找字符串

得到flag。

攻防世界-crackme

一道新壳题(NS壳),必须手脱,但是我手脱的好像不太完全导致一些数据出现错误,但是仍然可以做出题。首先x32dbg老样子脱壳,追ESP的内存变化就能脱壳,但是不知道为什么脱不完全。

脱壳后进入IDA,main逻辑如下

可以清晰地看到核心计算是异或,查询得知%16的key为

dword数据为

提取以上三张图中的数据,发现有很多0x0,很反常,去掉所有的0x0后运行脚本可得数据如下

有flag头了!再试一次不删0x0的数据进行逆向


出现flag尾,但是这个时候就纳闷了,明明两次数据开头都一样,为什么删了0x0的数据能跑出flag头,但是不删0x0的数据就跑不出flag头?两次脚本运行的enc数据如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
0x12, 0x4,0x8, 0x14, 0x24, 0x5c, 0x4a, 0x3d, 0x56, 0xa, 0x10, 0x67, 0x41,
0x1, 0x46, 0x5a, 0x44, 0x42, 0x6e, 0xc, 0x44, 0x72, 0xc, 0xd, 0x40, 0x3e,
0x4b, 0x5f, 0x2, 0x1, 0x4c, 0x5e, 0x5b, 0x17, 0x6e, 0xc, 0x16, 0x68, 0x5b,
0x12, 0x48, 0x30, 0x40, 0xb0, 0x22, 0x40, 0x1, 0x52, 0x53, 0x44, 0x53, 0xb4,
0x13, 0xd7, 0x41, 0x18, 0x53, 0xdd, 0x4c, 0xba, 0xff, 0xdc, 0x12, 0x9, 0x87,
0xaf, 0xd5, 0x1

0x12, 0x4, 0x8, 0x14, 0x24, 0x5c, 0x4a, 0x3d, 0x56, 0xa, 0x10, 0x67, 0x0,
0x41, 0x0, 0x1, 0x46, 0x5a, 0x44, 0x42, 0x6e, 0xc, 0x44, 0x72, 0xc, 0xd,
0x40, 0x3e, 0x4b, 0x5f, 0x2, 0x1, 0x4c, 0x5e, 0x5b, 0x17, 0x6e, 0xc, 0x16,
0x68, 0x5b, 0x12, 0x0, 0x0, 0x48, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4e, 0xe6, 0x40, 0xbb, 0x89, 0x18, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x52, 0x53, 0x44, 0x53, 0xb4,
0x13, 0xd7, 0x41, 0x18, 0x53, 0xdd, 0x4c, 0xba, 0xff, 0xdc, 0x12, 0x9,
0x87, 0xaf, 0xd5, 0x1, 0x0, 0x0, 0x0

最终搜索博客时正确的数据如下

1
2
3
4
0x12, 0x4, 0x8, 0x14, 0x24, 0x5c, 0x4a, 0x3d, 0x56, 0xa, 0x10, 0x67, 0x0,
0x41, 0x0, 0x1, 0x46, 0x5a, 0x44, 0x42, 0x6e, 0xc, 0x44, 0x72, 0xc, 0xd,
0x40, 0x3e, 0x4b, 0x5f, 0x2, 0x1, 0x4c, 0x5e, 0x5b, 0x17, 0x6e, 0xc, 0x16,
0x68, 0x5b, 0x12, 0x48, 0x0e

通过对比删0x0和不删0x0跑出来的数据我们可以得到最终的flag

flag{59b8ed8-kb8ed8f-af22-11e7-bb4a-3cf862d1ee75}

攻防世界-debug

主要逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
using System;
using System.Security.Cryptography;
using System.Text;

// Token: 0x02000003 RID: 3
internal class 
{
    // Token: 0x06000005 RID: 5 RVA: 0x0000212B File Offset: 0x0000032B
    private static int (int A_0, int A_1)
    {
        return (new int[]
                {
                    2,
                    3,
                    5,
                    7,
                    11,
                    13,
                    17,
                    19,
                    23,
                    29,
                    31,
                    37,
                    41,
                    43,
                    47,
                    53,
                    59,
                    61,
                    67,
                    71,
                    73,
                    79,
                    83,
                    89,
                    97,
                    101,
                    103,
                    107,
                    109,
                    113
                    })[A_1] ^ A_0;
    }

    // Token: 0x06000006 RID: 6 RVA: 0x00002144 File Offset: 0x00000344
    private static string (string A_0)
    {
        byte[] bytes = Encoding.ASCII.GetBytes(A_0);
        return "flag{" + BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(bytes)).Replace("-", "") + "}";
    }

    // Token: 0x06000007 RID: 7 RVA: 0x0000218C File Offset: 0x0000038C
    private static void (string A_0, int A_1, ref string A_2)
    {
        int num = 0;
        if (0 < A_0.Length)
        {
            do
            {
                char c = A_0[num];
                int num2 = 1;
                do
                {
                    c = Convert.ToChar(.(Convert.ToInt32(c), num2));
                    num2++;
                }
                while (num2 < 15);
                A_2 += c;
                num++;
            }
            while (num < A_0.Length);
        }
        A_2 = .(A_2);
    }

    // Token: 0x06000008 RID: 8 RVA: 0x000021F0 File Offset: 0x000003F0
    private static void (string[] A_0)
    {
        string b = null;
        string value = string.Format("{0}", DateTime.Now.Hour + 1);
        string a_ = "CreateByTenshine";
        .(a_, Convert.ToInt32(value), ref b);
        string a = Console.ReadLine();
        if (a == b)
        {
            Console.WriteLine("u got it!");
            Console.ReadKey(true);
        }
        else
        {
            Console.Write("wrong");
        }
        Console.ReadKey(true);
    }
}

函数的主要逻辑是将一个固定的种子与一个和时间有关的随机数以及一个空的字符列表传入中间的函数中。细看第二个函数发现传入的与时间有关的函数,即A_1,在计算过程中完全没有出现,所以大致可以断定这道题与时间动态性无关,flag是静态的。

第二个函数中的语句c = Convert.ToChar(.(Convert.ToInt32©, num2));则是在调用最顶上的函数,即num2是所给数组的索引,将a_与一直数组的某一个数进行异或,然后传到空字符列表中,集合后转为md5,然后将 - 替换为空字符就能得到flag。

逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import hashlib


def xor_with_primes(char_val, idx):
primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
              73, 79, 83, 89, 97, 101, 103, 107, 109, 113]
    return primes[idx] ^ char_val


def solve():
seed = "CreateByTenshine"
    transformed = ""

    for ch in seed:
c = ord(ch)
    for i in range(1, 15):  # 索引1~14,共14次XOR
            c = xor_with_primes(c, i)
        transformed += chr(c)

        print(f"[*] 种子字符串:     {seed}")
        print(f"[*] XOR变换结果:    {repr(transformed)}")

        md5 = hashlib.md5(transformed.encode('ascii')).hexdigest().upper()
        flag = f"flag{{{md5}}}"

        print(f"[*] MD5哈希值:      {md5}")
        print(f"\n[+] 最终Flag: {flag}")


        if __name__ == "__main__":
solve()

SHCTF-trace(好好学习此题!!)

一道很有新意的题目,打的是trace脚本(尚在学习中)和对普通运算法则的特异性写法,当然也可以静态分析。

题目附件给了40W行的汇编语言,代码量惊人。

首先可以看到exec这个陌生的函数,发现出现了key和seed。然后综合来看发现 o 只有0~4五个值。

0的运算逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
uint32_t v1 = 0;
while(b != 0){
    if(b & 1){
        v1 = exec(0, v1, a);
        if (o < 0 || o > 4) return 0;
        return table[o](a, b);
        uint32_t v1 = a ^ b;
        uint32_t v2 = a & b;
        uint32_t v3;
        while((v3 = (v2 << 1)) != 0){
            return v1;
            a <<= 1;
            b >>= 1;

搜索可得这是典型的位运算加法器。

1的运算逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
key[2] = exec(1, key[0], key[1]);
if (o < 0 || o > 4) return 0;
return table[o](a, b);
uint32_t v1 = a & ~b;
uint32_t v2 = ~a & b;
uint32_t v3 = 0;
uint32_t v4 = 1;
while(v4 != 0){
    if((v1 & v4) || (v2 & v4)){
        v3 = v3 | v4;
        v4 <<= 1;
        while(v4 != 0){
            if((v1 & v4) || (v2 & v4)){
                v4 <<= 1;
                while(v4 != 0){
                    if((v1 & v4) || (v2 & v4)){
                        v4 <<= 1;
                        while(v4 != 0){
                            if((v1 & v4) || (v2 & v4)){
                                v4 <<= 1;

搜索可得这是异或

2的运算逻辑为左移动,3的运算逻辑为右移。4的运算逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
key[0] = exec(4, seed1 & 0xFFFF, 0x1337);
if (o < 0 || o > 4) return 0;
return table[o](a, b);
uint32_t v1 = 0;
while(b != 0){
    if(b & 1){
        v1 = exec(0, v1, a);
        if (o < 0 || o > 4) return 0;
        return table[o](a, b);
        uint32_t v1 = a ^ b;
        uint32_t v2 = a & b;
        uint32_t v3;
        while((v3 = (v2 << 1)) != 0){
            return v1;
            a <<= 1;
            b >>= 1;

搜索可得4的运算逻辑为乘法

以上都是对基础算法的奇异型描述,在日常过程中需要经常性理解。

注意到其中一行有代码

1
uint32_t v3 = 40503 << 16 | 31161;

这里运算后可以得到TEA算法的标志数0x9E3779B9,那基本就可以得到我们的算法主体了。

注意到

1
2
exec(2, v1, 2)
exec(3, v1, 4)

那么就是将左4右5变成了左2右4。

这里我感觉出的不是很好,这种题就只能这样子去找,有很多地方和运算的细节其实很难找到,但或许考点就在这里,利用trace来提取出最关键的信息来简化极为复杂且巨大的代码量(trace尚在学习中,后面会整理为文档)。

然后现在就能知道正向逻辑其实是魔改的TEA算法

1
2
3
sum += delta
v0 += ((v1<<2) + k3) ^ (v1 + sum) ^ ((v1>>4) + k1)
v1 += ((v0<<2) + k2) ^ (v0 + sum) ^ ((v0>>4) + k0)

那么可得逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#include <bits/stdc++.h>
int main()
{
    uint32_t enc[]={0x824FD44A,0xF96DE837,0x22C56E55,0x5B38B136,0x6A278FC1,0x428565FF,0xDE63BF24,0x8E4DB833,0x5BB3AEBC,0x11769C7E};
    uint32_t key[]={0x067D7BC8, 0xDEAE6999, 0xD8D31251, 0xB1A624A3};
    uint32_t delta=0x9E3779B9;
    for(int i=0;i<10;i+=2)
    {
        uint32_t sum=32*delta;
        for(int n=0;n<32;n++)
        {
            enc[i+1]-=((enc[i]<<2)+key[2])^(enc[i]+sum)^((enc[i]>>4)+key[0]);
            enc[i]-=((enc[i+1]<<2)+key[3])^(enc[i+1]+sum)^((enc[i+1]>>4)+key[1]);
            sum-=delta;
        }
    }
  unsigned char *ptr = (unsigned char *)enc;
    for(int i = 0; i < 40; i++)
    {
        putchar(ptr[i]);
    }
    return 0;
}

Summary:这周的主要收获在于对IDA对数据的处理,地址的填充等机制有了更深层次的了解,同时对C#的语法逻辑结构,譬如函数的调用,变量的引用等更加理解了,以及见识到了新的题型,了解到了传统算法逻辑的奇异型写法并且利用这种方法把一般难度的逆向变得更加困难,同时稍微学习了一下trace。但是在耐心省代码和思考执行流来逆向这方面仍有欠缺,为了出题有点急于求成不能静下来好好看。有待逐步改进心态。