level1

题目

[WUSTCTF2020]level1

得到一个level1程序和output.txt文件
首先查看level1程序的类型,是elf文件,64位,未加壳
使用IDA打开level1,找到main函数,F5

/*
 * Hex-Rays pseudocode of level1's main(): reads up to 20 bytes from the file
 * "flag" and prints one transformed integer per byte for indexes 1..19.
 * ptr[0] is never printed, so the output carries no information about the
 * first byte of the file.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-2Ch]
  FILE *stream; // [rsp+8h] [rbp-28h]
  char ptr[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v7; // [rsp+28h] [rbp-8h]

  // Reads the qword at fs:0x28; on x86-64 Linux this is normally the
  // stack-protector canary. v7 is not used again in this listing.
  v7 = __readfsqword(0x28u);
  // NOTE(review): the fopen() result and the fread() count are not checked,
  // so a missing "flag" file reaches fread()/fclose() with a NULL stream.
  stream = fopen("flag", "r");
  // Reads at most 0x14 = 20 bytes into the 24-byte buffer.
  fread(ptr, 1uLL, 0x14uLL, stream);
  fclose(stream);
  // The loop starts at 1, not 0: 19 values are printed for bytes 1..19.
  for ( i = 1; i <= 19; ++i )
  {
    // Odd index: byte shifted left by i (inverse: value >> i).
    if ( (i & 1) != 0 )
      printf("%ld\n", (unsigned int)(ptr[i] << i));
    // Even index: byte multiplied by i (inverse: value / i).
    else
      printf("%ld\n", (unsigned int)(i * ptr[i]));
  }
  return 0;
}

该程序的意思就是从flag文件中读取数据,然后经过变换,输出结果,output.txt就是输出的文本,反解程序即可


# The 19 integers taken from output.txt, in the order they were printed.
crypto = [
    198, 232, 816, 200, 1536, 300, 6144, 984, 51200, 570,
    92160, 1200, 565248, 756, 1474560, 800, 6291456, 1782, 65536000,
]

# main() prints bytes 1..19 only, so positions are counted from 1 here.
# Odd positions were left-shifted by the position, even ones multiplied by it;
# undo each with the matching right shift or integer division.
for position, value in enumerate(crypto, start=1):
    if position % 2 == 1:
        code = value >> position
    else:
        code = value // position
    print(chr(code), end='')
# Output: ctf2020{d9-dE6-20c}
# Byte 0 of the flag file is never printed by main(), so the leading character
# is not recoverable from output.txt (presumably 'w', going by the
# wctf2020{...} format seen elsewhere on this page).

[MRCTF2020]Transform

首先查壳,64位的exe文件,未加壳
拖入IDA中,找到main,F5反编译

/*
 * Hex-Rays pseudocode of the Transform checker's main(): reads a string,
 * requires it to be exactly 33 characters, permutes and XORs it using the
 * table dword_40F040, and compares the result with byte_40F0E0.
 * Inverse used by a solver: Str[dword_40F040[i]] =
 * byte_40F0E0[i] ^ LOBYTE(dword_40F040[i]) for i = 0..32.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[104]; // [rsp+20h] [rbp-70h] BYREF
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]

  // Opaque helper, body not shown (presumably runtime start-up code).
  sub_402230(argc, argv, envp);
  // sub_40E640 is called with message/format strings throughout, so it is
  // presumably printf-like.
  sub_40E640("Give me your code:\n");
  // NOTE(review): presumably scanf-like. "%s" has no field width, so if that
  // is right, input longer than 103 characters is written past the 104-byte
  // Str before the length check below ever runs.
  sub_40E5F0("%s", Str);
  if ( strlen(Str) != 33 )
  {
    sub_40E640("Wrong!\n");
    system("pause");
    exit(0);
  }
  // 33 iterations (i = 0..32). Each table entry is used twice: as the index
  // of the input character to pick, and (low byte only) as its XOR key.
  for ( i = 0; i <= 32; ++i )
  {
    byte_414040[i] = Str[dword_40F040[i]];
    byte_414040[i] ^= LOBYTE(dword_40F040[i]);
  }
  // Byte-by-byte comparison against the expected table; exits on the first
  // mismatch.
  for ( j = 0; j <= 32; ++j )
  {
    if ( byte_40F0E0[j] != byte_414040[j] )
    {
      sub_40E640("Wrong!\n");
      system("pause");
      exit(0);
    }
  }
  sub_40E640("Right!Good Job!\n");
  // On success the accepted input itself is echoed back as the flag.
  sub_40E640("Here is your flag: %s\n", Str);
  system("pause");
  return 0;
}

这里可以明显看出sub_40E640类似一个输出函数,sub_40E5F0类似输入函数,dword_40F040、byte_414040和byte_40F0E0是关键

; dword_40F040: index/XOR table read by main() for i = 0..32.
; 32 explicit dwords follow, then "8 dup(0)", which means eight zero dwords
; (it is not the value 8), so entry 32 is 0. 32 + 8 dwords = 0xA0 bytes,
; which ends exactly at 0x40F0E0.
.data:000000000040F040 dword_40F040    dd 9, 0Ah, 0Fh, 17h, 7, 18h, 0Ch, 6, 1, 10h, 3, 11h, 20h
.data:000000000040F040                                         ; DATA XREF: main+79↑o
.data:000000000040F040                                         ; main+B8↑o
.data:000000000040F040                 dd 1Dh, 0Bh, 1Eh, 1Bh, 16h, 4, 0Dh, 13h, 14h, 15h, 2, 19h
.data:000000000040F040                 dd 5, 1Fh, 8, 12h, 1Ah, 1Ch, 0Eh, 8 dup(0)
; byte_40F0E0: expected bytes compared in main(). 33 explicit bytes follow,
; then "3Fh dup(0)", which means 0x3F zero bytes of padding (33 + 63 = 96,
; the declared array size); 3Fh is a repeat count, not a data value.
.data:000000000040F0E0 ; _BYTE byte_40F0E0[96]
.data:000000000040F0E0 byte_40F0E0     db 67h, 79h, 7Bh, 7Fh, 75h, 2Bh, 3Ch, 52h, 53h, 79h, 57h
.data:000000000040F0E0                                         ; DATA XREF: main+EF↑o
.data:000000000040F0E0                 db 5Eh, 5Dh, 42h, 7Bh, 2Dh, 2Ah, 66h, 42h, 7Eh, 4Ch, 57h
.data:000000000040F0E0                 db 79h, 41h, 6Bh, 7Eh, 65h, 3Ch, 5Ch, 45h, 6Fh, 62h, 4Dh
.data:000000000040F0E0                 db 3Fh dup(0)

根据你输入的code,先判断输入长度是否为33,然后按dword_40F040给出的下标重排输入,并与该下标的低字节异或,结果存入byte_414040,再与byte_40F0E0处的数据逐字节对比,由此得到

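# dword_40F040, entries 0..32 (main() loops i = 0..32).
# The listing gives 32 explicit dwords followed by "8 dup(0)", i.e. eight zero
# dwords, so entry 32 is 0x0 (not 0x8). The table is a permutation of 0..32.
one = [0x9, 0x0A, 0x0F, 0x17, 0x7, 0x18, 0x0C, 0x6, 0x1, 0x10, 0x3, 0x11, 0x20,
       0x1D, 0x0B, 0x1E, 0x1B, 0x16, 0x4, 0x0D, 0x13, 0x14, 0x15, 0x2, 0x19,
       0x5, 0x1F, 0x8, 0x12, 0x1A, 0x1C, 0x0E, 0x0]
# byte_40F0E0, the 33 expected bytes. "3Fh dup(0)" in the listing is 0x3F zero
# bytes of padding, so 0x3F itself is not part of the data.
two = [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57,
       0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57,
       0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D]
flag = [0] * 33

# Transcription check: every input position must be written exactly once,
# otherwise one character is overwritten and another is left as NUL.
assert sorted(one) == list(range(33)) and len(two) == 33

# Forward transform in main():
#   byte_414040[i] = Str[one[i]] ^ LOBYTE(one[i])   and must equal two[i]
# Inverse:
#   Str[one[i]] = two[i] ^ one[i]
# All 33 entries are processed; stopping at 32 leaves flag[0] unset.
for i in range(33):
    flag[one[i]] = two[i] ^ one[i]
print(''.join(chr(x) for x in flag))
# Output: MRCTF{Tr4nsp0sltiON_Clph3r_1s_3z}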

[WUSTCTF2020]level2

先使用ExeinfoPe,发现该程序是32位elf文件,使用upx加壳,先脱壳

> upx.exe -d attachment
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    725344 <-    293476   40.46%   linux/i386    attachment

Unpacked 1 file.

脱壳后,拖入IDA,找到main函数,F5反编译分析

/*
 * Hex-Rays pseudocode of the unpacked level2 main(): it only prints a hint
 * and returns. Nothing here reads or references the flag, which is why the
 * analysis moves on to the binary's string table.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  puts("where is it?");
  return 0;
}

发现只是一个puts,使用shift+F12,查找字符串,居然在最后发现可疑字符串
.data:080EA068 00000016 C wctf2020{Just_upx_-d}
拿去尝试一下,发现就是flag,emmm..
