
Reverse寒假刷题笔记(一)

[NPUCTF2020]你好sao啊

此题主要逻辑:
}20_TIO9ZX}K@40QT7[PK{R.png

然后在RxEncode有个加密
![LN`_97}5KXM)ZV](I$XZ06P.png][2]

这个地方能看出有点类似于base64编码

1ZWF[}U)XMUNW8HVY@TI_(C.png

这里可以看出调用了一个 find_pos 函数,它的实现如下:

// Decompiled lookup: returns the index of a1 in the program's custom alphabet.
// The table is the standard base64 alphabet with '5' and '6' replaced by '{' and
// '}', plus '=' as a 65th entry -- this altered table is what makes the scheme a
// "modified base64" rather than the stock one. Every character in the table is
// unique, so strrchr (last occurrence) behaves the same as strchr here.
// NOTE(review): strrchr() returns NULL when a1 is not in the table, and the
// pointer subtraction below is then undefined behaviour; a1 == '\0' matches the
// terminator and yields 65. The decompiled caller is not shown on this page, so
// whether the binary ever passes such a byte cannot be told from this listing.
// The two string literals are most likely the same address in the binary (the
// decompiler prints the literal twice); treat that as an assumption.
__int64 __fastcall find_pos(char a1)
{
  return strrchr("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/=", a1)
       - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/=";
}

这里进行了比对,可以确认是魔改的 base64(码表被改动);从上面可以看出,find_pos 返回的下标经过移位后用 | 运算拼接,所以这里采用爆破的方式还原出正确的 key
re.py:

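# Custom alphabet: standard base64 with '5' and '6' replaced by '{' and '}', plus
# '=' as a 65th entry.  A 6-bit field can only address indices 0..63, so '=' (index
# 64) can never be part of a valid decoded group; the original 65**4 brute force
# could print spurious extra candidates containing '=' because index 64 overflows
# into the neighbouring 6-bit field when OR-ed together.
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="

# Eight 24-bit words, each packing four 6-bit table indices (three plaintext bytes
# per word).  The hex digits are written in this order to match the binary's
# little-endian layout.
c = "9E9B9C B5FE70 D30FB2 D14F9C 027FAB DE5965 63E740 9DCDFA"
# int(word, 16) replaces the original eval("0x" + word): same value, and it does
# not execute arbitrary text.
c = [int(word, 16) for word in c.split()]


def decode_block(x, alphabet=table):
    """Unpack one 24-bit word into its four plaintext characters.

    The encoder builds t = (t << 6) | find_pos(ch) for four characters, so the
    inverse is simply to read the four 6-bit fields from the top down.  This
    replaces the original four nested loops over the 65-entry table (65**4
    iterations per word) with four shifts and gives the same canonical answer.

    Args:
        x: packed word, must satisfy 0 <= x < 2**24.
        alphabet: lookup table; only its first 64 entries are reachable.

    Returns:
        The four-character group as a str.

    Raises:
        ValueError: if x does not fit in 24 bits (the brute force would simply
            have printed nothing for such a value).
    """
    if not 0 <= x < (1 << 24):
        raise ValueError(f"packed word out of 24-bit range: {x:#x}")
    return "".join(alphabet[(x >> shift) & 0x3F] for shift in (18, 12, 6, 0))


print(c)
for x in c:
    print(decode_block(x))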

可能有人会好奇为什么要写成 c="9E9B9C B5FE70 D30FB2 D14F9C 027FAB DE5965 63E740 9DCDFA":这是因为涉及到小端序,所以要按这种顺序来写。

[UTCTF2020]babymips

这是一道简单的 C++ 异或逆向题,我们看一下逻辑:

// Decompiled entry point of the babymips binary: reads the user's candidate flag
// from stdin into v5, copies an 84-byte table from unk_4015F4 into v7 (the key
// the input is checked against), then hands a copy of the input (v6) and the
// table to sub_401164, which prints the verdict.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // $v0
  char v5[24]; // [sp+18h] [+18h] BYREF  -- std::string object holding the user's input
  char v6[24]; // [sp+30h] [+30h] BYREF  -- std::string copy of v5 handed to the checker
  char v7[84]; // [sp+48h] [+48h] BYREF  -- raw key bytes copied from .data (unk_4015F4)

  // Constructs the input string; argv/envp appearing as arguments is presumably a
  // decompiler artefact of the default constructor rather than a real use of them.
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v5, argv, envp);
  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "enter the flag");
  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
  // operator>> on a string reads a single whitespace-delimited token.
  std::operator>><char>(&std::cin, v5);
  memcpy(v7, &unk_4015F4, sizeof(v7));// the key (comparison table) is copied in here; sub_401164 only compares its first 0x4E bytes
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v6, v5);
  sub_401164(v7, v6);  // verdict is printed inside; the return value is ignored
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v6);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v5);
  return 0;
}

sub_401164:

// Flag checker. a1 points at the key table memcpy'd in main, a2 is the
// std::string holding the user's input. The input is accepted only when its
// length is exactly 0x4E (78) and, for every index i, input[i] ^ (i + 23)
// equals key[i]. Prints "incorrect" on a length mismatch or on the first
// differing byte, "correct!" otherwise. The return value is whatever the final
// ostream::operator<< call returns (typed as int by the decompiler).
int __fastcall sub_401164(int a1, int a2)
{
  int v2; // $v0
  int v4; // $v0
  unsigned int i; // [sp+1Ch] [+1Ch]

  // Length gate: anything other than 78 characters fails before any byte is looked at.
  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2) != 0x4E )
  {
LABEL_2:
    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "incorrect");
    return std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
  }
  else
  {
    // size() is re-evaluated each iteration but a2 is never modified in the loop,
    // so this simply walks all 78 bytes.
    for ( i = 0; i < std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2); ++i )
    {
      // Core check: a per-byte XOR with a position-dependent mask (i + 23).
      // XOR is its own inverse, so key[i] ^ (i + 23) recovers the expected flag byte.
      if ( (*(char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i) ^ (i + 23)) != *(char *)(a1 + i) )// the main point: a simple XOR
        goto LABEL_2;  // first mismatch jumps straight to the failure path
    }
    v4 = std::operator<<<std::char_traits<char>>(&std::cout, "correct!");
    return std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
  }
}

从上面的代码可以看到,核心是一个简单的异或 (a2, i) ^ (i + 23),直接逆一下就行了:再异或一次同样的值即可解密
exp:

# The 78 key bytes copied from the binary (unk_4015F4); the checker requires
# input[i] ^ (i + 23) == data[i] for every i.
data = [
    0x62, 0x6C, 0x7F, 0x76, 0x7A, 0x7B, 0x66, 0x73, 0x76, 0x50,
    0x52, 0x7D, 0x40, 0x54, 0x55, 0x79, 0x40, 0x49, 0x47, 0x4D,
    0x74, 0x19, 0x7B, 0x6A, 0x42, 0x0A, 0x4F, 0x52, 0x7D, 0x69,
    0x4F, 0x53, 0x0C, 0x64, 0x10, 0x0F, 0x1E, 0x4A, 0x67, 0x03,
    0x7C, 0x67, 0x02, 0x6A, 0x31, 0x67, 0x61, 0x37, 0x7A, 0x62,
    0x2C, 0x2C, 0x0F, 0x6E, 0x17, 0x00, 0x16, 0x0F, 0x16, 0x0A,
    0x6D, 0x62, 0x73, 0x25, 0x39, 0x76, 0x2E, 0x1C, 0x63, 0x78,
    0x2B, 0x74, 0x32, 0x16, 0x20, 0x22, 0x44, 0x19,
]
# XOR is self-inverse: applying the same per-index mask to the key yields the flag.
flag = "".join(chr(byte ^ (idx + 23)) for idx, byte in enumerate(data))
print(flag)

[NPUCTF2020]BasicASM

主要看题目给出的汇编:

00007FF7A8AC5ADE  cmp         eax,1    进行比对判断奇偶性
00007FF7A8AC5AE1  jne         main+126h (07FF7A8AC5B76h)  
00007FF7A8AC5AE7  movsxd      rax,dword ptr [rbp+64h]  
00007FF7A8AC5AEB  mov         rdx,rax  
00007FF7A8AC5AEE  lea         rcx,[flag]  
00007FF7A8AC5AF2  call        std::basic_string<char,std::char_traits<char>,std::allocator<char> >::operator[] (07FF7A8AC1442h)  
00007FF7A8AC5AF7  movsx       eax,byte ptr [rax]  
00007FF7A8AC5AFA  xor         eax,42h 进行了异或

re.py:

# Hex dump of the stored flag bytes taken from the binary.
res = '662e61257b26301d7972751d6b2c6f355f3a38742d74341d61776d7d7d'
# Two hex digits per byte; bytes.fromhex does the same split-and-parse as the
# original loop.
flag = list(bytes.fromhex(res))
# The assembly XORs only the odd-indexed bytes with 0x42; undo it in place.
flag[1::2] = [byte ^ 0x42 for byte in flag[1::2]]


for ch in flag:
    print(chr(ch))

本文链接:

http://azly.top/index.php/archives/27/