REVERSE-PRACTICE-CTFSHOW-6

• • 真的是簽到
  • 批量生產的偽劣產品
  • 來一個派森
  • snake

真的是簽到

附件是一個壓縮包，解壓需要密碼，但是題目沒有給到解壓密碼
實際上是壓縮包偽加密，將如圖橙色處原本的字節0x09改為0x00，保存后即可解壓出文件

解壓得到一個32位的exe，加了ASP殼，用工具脫殼

脫殼后的exe丟進ida，仍然得不到重要的信息，上x32dbg調試
exe丟進x32dbg，x32dbg會預先設置一個斷點，在"斷點"窗口可以看到
我們先按一下F9，來到x32dbg預先設置的斷點處，如圖所示

經過多次調試發現，程序在執行如圖所示處的"jmp _unpacked.401280"指令后就會要求我們輸入，這里下一個斷點

F8跟進"jmp _unpacked.401280"，在如圖所示處的"call _unpacked.401150"，按F7步入

然后一路F8，來到如下圖所示"call _unpacked.4012F0"處，按F7步入

可以看到0x4012F0處開始的函數中包含"try again"的字符串，0x401334處調用了scanf
猜測這里應該就是main函數

用插件Scylla，dump出程序，丟進ida分析，其中一些函數名已對照x32dbg進行了修改
主要的邏輯為，將輸入中的各個字符與下標異或，然后反轉輸入，再讓輸入與已知的res比較

python腳本好像打印不出中文
下面是c腳本，得到flag

#include<stdio.h> int main() {int res[18]= { 0x6c,0x2f,0x30,0x31,0x32,0x33,0xffffffb6,0xffffffbf,0xffffffa0,0xffffffcf,0x7c,0x71,0x6a,0x6c,0x70,0x64,0x75,0x63 };for (int i = 17; i>=0; i--){res[i] ^= 17-i;printf("%c", res[i]);}printf("\n");return 0; } // ctfshow{簽到?????}

批量生產的偽劣產品

apk文件，jadx-gui打開
先看AndroidManifest.xml文件，找到兩個關鍵的類：“appinventor.ai_QA629A242D5E83EFA948B9020CD35CB60.checkme.a"和”.Screen1"

在"appinventor.ai_QA629A242D5E83EFA948B9020CD35CB60.checkme.a"類中直接找到flag

來一個派森

.py文件打包成的exe，用"pyinstxtractor.py"解包
uncompyle6反編譯checkme.pyc文件
(可反編譯的前提是checkme.pyc文件與struct.pyc文件前12個字節相同)
b58encode的邏輯為，先對輸入進行base58變換，變換后再與下標異或，最后和check比較

def b58encode(tmp: str) -> str:tmp = list(map(ord, tmp))temp = tmp[0]base58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'for i in range(len(tmp) - 1):temp = temp * 256 + tmp[(i + 1)]tmp = []while 1:tmp.insert(0, temp % 58)temp = temp // 58if temp == 0:breaktemp = ''for i in tmp:temp += base58[i]tmp = []for i in range(len(temp)):tmp.append(chr(ord(temp[i]) ^ i))check = ['A', '5', 'q', 'O', 'g', 'q', 'd', '\x7f', '[', '\x7f', 's', '{', 'G', 'A', 'x', '`', 'D', '@', 'K', 'c', '-', 'c', ' ', 'G', '+', '+', '|', 'x', '}', 'J', 'h', '\\', 'l']if tmp == check:return 1else:return 0flag = input('輸入flag：') if b58encode(flag):print('you win') else:print('try again')

逆向邏輯為，將check各元素與下標異或，再解base58

def b58decode(tmp:str) -> str:import binasciibase58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"temp = []for i in tmp:temp.append(base58.index(i))tmp = temp[0]for i in range(len(temp)-1):tmp = tmp * 58 + temp[i+1]return binascii.unhexlify(hex(tmp)[2:].encode("utf-8")).decode("UTF-8") check = ['A', '5', 'q', 'O', 'g', 'q', 'd', '\x7f', '[', '\x7f', 's', '{', 'G', 'A', 'x', '`', 'D', '@', 'K', 'c', '-', 'c', ' ', 'G', '+', '+', '|', 'x', '}', 'J', 'h', '\\', 'l'] for i in range(len(check)):check[i]=chr(ord(check[i])^i) print(b58decode("".join(c for c in check))) # ctfshow{zhe_bu_shi_flag}

snake

.py文件打包成的exe，用"pyinstxtractor.py"解包
uncompyle6反編譯snake.pyc文件

# -*- coding:utf-8 -*- import hashlib, sys, random, time maze = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],[1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0],[0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0],[0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0],[0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0],[0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0],[0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0],[0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],[0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0],[0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0],[0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0],[0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 9]] s = str(input()) # 讀取輸入 seed = time.time() random.seed(seed) random.seed(random.randint(0, 999999)) maze[1][1] = random.randint(987, 1000) maze[3][4] = random.randint(345, 356) maze[7][7] = random.randint(107, 116) maze[11][8] = random.randint(833, 856) for i in range(12):for j in range(12):tmp = 12 * i + jif maze[i][j] == 0:maze[i][j] = 3456 + tmpcontinueif tmp % 4 == 0:random.seed(maze[1][1])for cnt in range(tmp):random.randint(0, 999)maze[i][j] = random.randint(0, 999)elif tmp % 4 == 1:random.seed(maze[3][4])for cnt in range(tmp):random.randint(555, 1234)maze[i][j] = random.randint(555, 1234)elif tmp % 4 == 2:random.seed(maze[7][7])for cnt in range(tmp):random.randint(777, 888)maze[i][j] = random.randint(777, 888)elif tmp % 4 == 3:random.seed(maze[11][8])for cnt in range(tmp):random.randint(369, 777)maze[i][j] = random.randint(369, 777)maze[11][11] = 9 # 以上都是對maze的變換 if len(s) != 56:sys.exit(-1) idx1 = 0 idx2 = 0 # 走迷宮 wsad代表上下左右 從左上角[0,0]開始 for i in s:if i == 'w':idx1 -= 1else:if i == 's':idx1 += 1else:if i == 'a':idx2 -= 1else:if i == 'd':idx2 += 1# 每走一步后的坐標在maze中的值要大于等于0且小于等于1234if not 0 <= maze[idx1][idx2] <= 1234:print('Where are you going?')sys.exit(2) # 走到右下角[11,11]成功 if maze[idx1][idx2] != 9:print('You lost in the maze!') # 從maze中取值構成result result = '' for xx in maze:for xxx in xx:result += str(xxx)hash_res = hashlib.sha256(result.encode('latin-1')).hexdigest() print(hash_res) # 由于maze中含有隨機數，所以即使迷宮路線正確，也可能得不到flag，需要多次嘗試 if hash_res == 'f1793dcf5ad3858512b944ac34413725a27c63e25618858231e88b9686466b00':flag1 = str(maze[1][1]) + str(maze[7][7]) + str(maze[11][8]) + str(maze[3][4])flag2 = hashlib.sha256(s.encode('latin-1')).hexdigest()flag = flag2[::-1] + flag1[::-1]final_flag = hashlib.sha256(flag.encode('latin-1')).hexdigest()print('flag{' + final_flag[0:32] + '}')

已知迷宮路線的約束為，“每走一步后的坐標在maze中的值要大于等于0且小于等于1234”
提取出源代碼對maze的變換，再將maze中大于等于0且小于等于1234的值改為1，其余改為0
打印maze，即可得到正確的迷宮路線

import hashlib, sys, random, time maze = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],[1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0],[0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0],[0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0],[0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0],[0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0],[0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0],[0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0],[0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0],[0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0],[0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0],[0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 9]] seed = time.time() random.seed(seed) random.seed(random.randint(0, 999999)) maze[1][1] = random.randint(987, 1000) maze[3][4] = random.randint(345, 356) maze[7][7] = random.randint(107, 116) maze[11][8] = random.randint(833, 856) for i in range(12):for j in range(12):tmp = 12 * i + jif maze[i][j] == 0:maze[i][j] = 3456 + tmpcontinueif tmp % 4 == 0:random.seed(maze[1][1])for cnt in range(tmp):random.randint(0, 999)maze[i][j] = random.randint(0, 999)elif tmp % 4 == 1:random.seed(maze[3][4])for cnt in range(tmp):random.randint(555, 1234)maze[i][j] = random.randint(555, 1234)elif tmp % 4 == 2:random.seed(maze[7][7])for cnt in range(tmp):random.randint(777, 888)maze[i][j] = random.randint(777, 888)elif tmp % 4 == 3:random.seed(maze[11][8])for cnt in range(tmp):random.randint(369, 777)maze[i][j] = random.randint(369, 777)maze[11][11] = 9for i in range(12):for j in range(12):if maze[i][j]>=0 and maze[i][j]<=1234:maze[i][j]=1else:maze[i][j]=0print(maze[i]) # [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] # [1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0] # [0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0] # [0, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0] # [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0] # [0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0] # [0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0] # [0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0] # [0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0] # [0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 0] # [0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0] # [0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1] # sdsdsddwwddsdddssaaassddddssasaaaaawwwaaasssdsdsdddddddd

爆破一下，能不能得到flag全看運氣

from itertools import * import subprocess while(1):flag="sdsdsddwwddsdddssaaassddddssasaaaaawwwaaasssdsdsdddddddd"p = subprocess.Popen(["D:\\ctfdownloadfiles\\snake.exe"], stdin=subprocess.PIPE, stdout=subprocess.PIPE,stderr=subprocess.PIPE)p.stdin.write(flag)p.stdin.close()out = p.stdout.read()p.stdout.close()if "flag" in out:print(out)exit() # f1793dcf5ad3858512b944ac34413725a27c63e25618858231e88b9686466b00 # flag{e1df25dac4906584fe2d6f155b60e233}

總結

以上是生活随笔為你收集整理的REVERSE-PRACTICE-CTFSHOW-6的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。