re学习笔记(56)WUSTCTF - Re方向WP
新手一枚,如有错误(不足)请指正,谢谢!!
WUSTCTF-re-Cr0ssFunIDA64载入,进入main函数
查看check函数
都提取出来就是flag了。。。
得到flag为wctf2020{cpp_@nd_r3verse_@re_fun}
下载下来压缩包有两个文件,一个是ELF64位,一个是output.txt是程序的输出
IDA64位载入查看main函数
对19位的flag变换后输出,,
写脚本
#include
int main(void)
{
unsigned int i,flag[] = { 198,232,816,200,1536,300,6144,984,51200,570,92160,1200,565248,756,1474560,800,6291456,1782,65536000 };
for (i = 0; i >= (i + 1);
else
flag[i] /= (i + 1);
printf("%c", flag[i]);
}
return 0;
}
因为少了第一位的校验,比赛的flag头都是wctf2020,再前面补一个w得到了flag
得到flag为wctf2020{d9-dE6-20c}
IDA32位
pusha推测被加壳
查壳发现UPX壳
使用官方upx工具脱壳
得到flag为wctf2020{Just_upx_-d}
IDA64位载入来到main函数
推测是base64自定义字符表加密
找到对base字符表进行变换的函数
直接IDA动态调试得到变换后的字符表
写python脚本
import base64
biao = str.maketrans("TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
enstr = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="
flag = base64.b64decode(enstr.translate(biao).encode('utf-8'))
print(str(flag,'utf-8'))
得到flag为wctf2020{Base64_is_the_start_of_reverse}
IDA64位载入
左右左右的应该是树,数据结构?没学过的我,告辞!
运行一下……
二叉树的前序中序后序。。。。
参考文章
因为知道flag头部是wctf2020呀,可以知道给出的是中序和后序,求前序
按照百度经验那个参考资料,还原后
画的有点丑emmm
得到flag为wctf2020{This_IS_A_7reE}
IDA64位载入,发现上面有好长的未解析成函数的代码……
start函数里也执行了main函数
题目名称是main函数就去找main函数……
双击跟过main函数去
选中,摁p键将其声明成函数
现在可以F5了……
F5之后有个JMPOUT,花指令,返回汇编代码看一下
上面的jz和jnz指向同一个地址loc_40061A+1,也就是不管怎样都会跳这个地址的。。
看一下loc_40061A的字节码,由于指向的是loc_40061A+1,也就是第一个字节指令E8是没用的,用IDA自带的patch将其改为90
再下面的jz short near ptr loc_400621+2,说明loc_400621的前两个字节05 CD是无用的,将其改为90 90
修改完后
其中这三个跳转都是往下一行跳的,,可以直接nop掉,然后中间那个db 0x80h不知道啥玩意直接nop
再修改完后
然后下面有三个数据,,,这本应该和后面解析成代码的,光标选中摁C将其解析成代码
最终效果
继续F5,,发现下面还有
一共三四处吧。步骤基本一样就不累述了。会IDC或者IDApython的可以识别特征码用脚本改。。。
修复后main函数变成了这样,,,
先是比较输入长度是否等于38
然后比较前五位是否为flag{,最后一位是否为}
然后中间进行了三百五十多次对中括号内的数据进行加密……
用正则表达式一点点删除……(刚开始写了个正则漏了四个变换,淦!)
提取出这三百多个变换,写脚本……
#include
unsigned int data[33] = {
0xD9, 0x2C, 0x27, 0xD6, 0xD8, 0x2A, 0xDA, 0x2D, 0xD7, 0x2C, 0xDC, 0xE1, 0xDB, 0x2C, 0xD9, 0xDD,
0x27, 0x2D, 0x2A, 0xDC, 0xDB, 0x2C, 0xE1, 0x29, 0xDA, 0xDA, 0x2C, 0xDA, 0x2A, 0xD9, 0x29, 0x2A
};
int main(void)
{
int i;
printf("flag{");
for (i = 0; i < 32; i++)
{
data[i] -= 8;
data[i] -= 21;
data[i] -= 60;
data[i] -= 24;
data[i] -= 7;
data[i] -= 16;
data[i] -= 20;
data[i] -= 31;
data[i] -= 28;
data[i] -= 54;
data[i] -= 26;
data[i] -= 78;
data[i] -= 34;
data[i] -= 45;
data[i] -= 13;
data[i] -= 81;
data[i] -= 98;
data[i] -= 22;
data[i] -= 76;
data[i] -= 93;
data[i] -= 36;
data[i] -= 48;
data[i] -= 72;
data[i] -= 3;
data[i] -= 95;
data[i] -= 92;
data[i] -= 18;
data[i] -= 51;
data[i] -= 25;
data[i] -= 35;
data[i] -= 39;
data[i] -= 63;
data[i] -= 88;
data[i] -= 19;
data[i] -= 46;
data[i] -= 82;
data[i] -= 66;
data[i] -= 27;
data[i] -= 47;
data[i] -= 49;
data[i] -= 29;
data[i] -= 62;
data[i] -= 23;
data[i] -= 2;
data[i] -= 77;
data[i] -= 15;
data[i] -= 37;
data[i] -= 40;
data[i] -= 4;
data[i] -= 75;
data[i] -= 14;
data[i] -= 69;
data[i] -= 61;
data[i] -= 42;
data[i] -= 52;
data[i] -= 73;
data[i] -= 6;
data[i] -= 56;
data[i] -= 96;
data[i] -= 71;
data[i] -= 67;
data[i] -= 50;
data[i] -= 68;
data[i] -= 97;
data[i] -= 32;
data[i] -= 55;
data[i] -= 86;
data[i] -= 94;
data[i] -= 11;
data[i] -= 33;
data[i] -= 43;
data[i] -= 38;
data[i] -= 17;
data[i] -= 74;
data[i] -= 10;
data[i] -= 84;
data[i] -= 12;
data[i] -= 70;
data[i] -= 44;
data[i] -= 89;
data[i] -= 85;
data[i] -= 41;
data[i] -= 53;
data[i] -= 65;
data[i] -= 57;
data[i] -= 90;
data[i] -= 1;
data[i] -= 58;
data[i] -= 59;
data[i] -= 83;
data[i] -= 87;
data[i] -= 99;
data[i] -= 5;
data[i] -= 9;
data[i] -= 91;
data[i] -= 30;
data[i] -= 79;
data[i] -= 64;
data[i] -= 80;
data[i] ^= 0x67;
data[i] ^= 0x68;
data[i] ^= 0xC3;
data[i] ^= 0x23;
data[i] ^= 0xE9;
data[i] ^= 8;
data[i] ^= 0x3B;
data[i] ^= 0x50;
data[i] ^= 0xFA;
data[i] ^= 0x64;
data[i] ^= 0xC8;
data[i] ^= 5;
data[i] ^= 0xF5;
data[i] ^= 0x76;
data[i] ^= 0x86;
data[i] ^= 0x41;
data[i] ^= 0x99;
data[i] ^= 0xF0;
data[i] ^= 0x37;
data[i] ^= 0x49;
data[i] ^= 0x4C;
data[i] ^= 0x18;
data[i] ^= 0x39;
data[i] ^= 0x5D;
data[i] ^= 0x2C;
data[i] ^= 0x75;
data[i] ^= 0x4D;
data[i] ^= 0x95;
data[i] ^= 0xED;
data[i] ^= 0x84;
data[i] ^= 0x10;
data[i] ^= 0x32;
data[i] ^= 2;
data[i] ^= 0x12;
data[i] ^= 0x9C;
data[i] ^= 0x65;
data[i] ^= 0x73;
data[i] ^= 0x2F;
data[i] ^= 0x13;
data[i] ^= 0xC;
data[i] ^= 0xBD;
data[i] ^= 0x96;
data[i] ^= 0xA8;
data[i] ^= 0x33;
data[i] ^= 0xD2;
data[i] ^= 0xE2;
data[i] ^= 0xC7;
data[i] ^= 0xD3;
data[i] ^= 0x4E;
data[i] ^= 0xA9;
data[i] ^= 0xF9;
data[i] = ~data[i];
data[i] ^= 0xEF;
data[i] ^= 0x62;
data[i] ^= 0x66;
data[i] ^= 0xCE;
data[i] ^= 0x14;
data[i] ^= 0xB;
data[i] ^= 0xB6;
data[i] ^= 7;
data[i] ^= 0xA3;
data[i] ^= 0x97;
data[i] ^= 0xDC;
data[i] ^= 0xB8;
data[i] ^= 0xE7;
data[i] ^= 0xD5;
data[i] ^= 0x7F;
data[i] ^= 0x82;
data[i] ^= 0x34;
data[i] ^= 0xE1;
data[i] ^= 0x98;
data[i] ^= 0xE3;
data[i] ^= 0xF6;
data[i] ^= 0xEB;
data[i] ^= 0xD8;
data[i] ^= 0xDA;
data[i] ^= 0x1D;
data[i] ^= 0x9D;
data[i] ^= 0x7D;
data[i] += 128;
data[i] ^= 0xC9;
data[i] ^= 0x27;
data[i] ^= 0xA0;
data[i] ^= 0x8E;
data[i] ^= 0xF7;
data[i] ^= 0x6F;
data[i] ^= 0xFB;
data[i] ^= 0x9A;
data[i] ^= 0x9B;
data[i] ^= 0xCB;
data[i] ^= 0xD4;
data[i] ^= 0x30;
data[i] ^= 0xAC;
data[i] ^= 0x60;
data[i] ^= 0x92;
data[i] ^= 0xAF;
data[i] ^= 0x2D;
data[i] ^= 0xAB;
data[i] ^= 0x51;
data[i] ^= 0xB7;
data[i] ^= 0x35;
data[i] ^= 0xD0;
data[i] ^= 0xA4;
data[i] ^= 0xAD;
data[i] ^= 0xC0;
data[i] ^= 0xEC;
data[i] ^= 0xBE;
data[i] ^= 0xFC;
data[i] ^= 0xBB;
data[i] ^= 0x54;
data[i] ^= 0xC5;
data[i] ^= 0xC1;
data[i] ^= 0xC6;
data[i] ^= 3;
data[i] ^= 0xDE;
data[i] ^= 0x5E;
data[i] ^= 0x3A;
data[i] ^= 0xFD;
data[i] ^= 0x29;
data[i] ^= 0x31;
data[i] ^= 0x85;
data[i] ^= 0x2B;
data[i] ^= 0xB9;
data[i] ^= 0x55;
data[i] ^= 0xDF;
data[i] ^= 0xCF;
data[i] ^= 0x4B;
data[i] ^= 0xCC;
data[i] ^= 0x1F;
data[i] ^= 0xD6;
data[i] ^= 0x93;
data[i] ^= 0xF;
data[i] ^= 0xE0;
data[i] ^= 0xD1;
data[i] ^= 0xB0;
data[i] ^= 0xF1;
data[i] ^= 0x56;
data[i] ^= 0xF4;
data[i] ^= 0x45;
data[i] ^= 0x63;
data[i] ^= 0x7C;
data[i] ^= 0x2E;
data[i] ^= 0x11;
data[i] ^= 0x81;
data[i] ^= 0x1C;
data[i] ^= 0x77;
data[i] ^= 0xFE;
data[i] ^= 0x3F;
data[i] ^= 0x36;
data[i] ^= 0x87;
data[i] ^= 0xBF;
data[i] ^= 0xBA;
data[i] ^= 0x8B;
data[i] ^= 0xA7;
data[i] ^= 0x26;
data[i] ^= 0x5F;
data[i] ^= 0x72;
data[i] ^= 0xDB;
data[i] ^= 0x47;
data[i] ^= 0x4A;
data[i] ^= 0x15;
data[i] ^= 0x19;
data[i] ^= 0xB4;
data[i] ^= 0x7B;
data[i] ^= 0x8A;
data[i] ^= 9;
data[i] ^= 0xE8;
data[i] ^= 0x71;
data[i] ^= 0x20;
data[i] ^= 0x88;
data[i] ^= 0xE6;
data[i] ^= 0x46;
data[i] ^= 0x25;
data[i] ^= 0xEE;
data[i] ^= 0xA5;
data[i] ^= 0x8F;
data[i] ^= 0x43;
data[i] ^= 0x1A;
data[i] ^= 0x5B;
data[i] ^= 0xD9;
data[i] ^= 0x61;
data[i] ^= 0x79;
data[i] ^= 0xA6;
data[i] ^= 0xB3;
data[i] ^= 0x8C;
data[i] ^= 0x90;
data[i] ^= 0x44;
data[i] ^= 0x3D;
data[i] ^= 0xC2;
data[i] ^= 0x22;
data[i] ^= 0x6B;
data[i] ^= 0xA2;
data[i] ^= 0x1E;
data[i] ^= 0x6D;
data[i] ^= 0x57;
data[i] ^= 0x74;
data[i] ^= 1;
data[i] ^= 0xBC;
data[i] ^= 0x94;
data[i] ^= 0x2A;
data[i] ^= 0x7E;
data[i] ^= 0xE5;
data[i] ^= 0x21;
data[i] ^= 0x5C;
data[i] ^= 0x69;
data[i] ^= 0xB1;
data[i] ^= 0x5A;
data[i] ^= 0x17;
data[i] ^= 0xD;
data[i] ^= 0xB5;
data[i] ^= 0xD7;
data[i] ^= 0x16;
data[i] ^= 0x89;
data[i] ^= 0x40;
data[i] ^= 0x6E;
data[i] ^= 0xE4;
data[i] ^= 0x48;
data[i] ^= 0xEA;
data[i] ^= 0x28;
data[i] ^= 0x70;
data[i] ^= 0x78;
data[i] ^= 6;
data[i] ^= 0xA1;
data[i] ^= 0x3C;
data[i] ^= 0x9F;
data[i] ^= 0xF2;
data[i] ^= 0x58;
data[i] ^= 0xF8;
data[i] ^= 0xAE;
data[i] ^= 0xAA;
data[i] ^= 0x1B;
data[i] ^= 0x52;
data[i] ^= 0xDD;
data[i] ^= 0x7A;
data[i] ^= 0x38;
data[i] ^= 0x8D;
data[i] ^= 0xE;
data[i] ^= 0x42;
data[i] ^= 0x9E;
data[i] ^= 4;
data[i] ^= 0x53;
data[i] ^= 0xC4;
data[i] ^= 0x83;
data[i] ^= 0x24;
data[i] ^= 0x4F;
data[i] ^= 0x6C;
data[i] ^= 0x3E;
data[i] ^= 0xCA;
data[i] ^= 0xF3;
data[i] ^= 0xA;
data[i] ^= 0x59;
data[i] ^= 0x6A;
data[i] ^= 0xCD;
data[i] ^= 0x91;
printf("%c", data[i]);
}
putchar('}');
}
得到flag为flag{1dc20f6e3d497d15cef47d9a66d6f1af}
作者:CX-330
