REVERSE-PRACTICE-BUUCTF-30

[RCTF2019]DontEatMe
[b01lers2020]little_engine
[NPUCTF2020]你好sao啊
[MRCTF2020]Shit

[RCTF2019]DontEatMe

exe程序，运行后输入，无壳，用ida分析
交叉引用字符串来到sub_401260函数，读取输入，NtSetInformationThread的第二个参数为17(0x11)，实现了反调试效果，调试的过程中修改EIP即可绕过反调试
随后byte_9457A8数组被赋予8个随机值，不过没什么用，下面又被赋了新值，而且新值固定不变，为[0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20]
findcrypt插件查到sub_401090函数是blowfish算法

往下走，有一个将输入的字符两两一组，组成一个十六进制数的循环体

继续往下走，sub_401260函数的结束部分是一个16x16的迷宫
起点[x,y]在[5,10]，x∈[0,15]，y∈[1,16]，a-左，d-右，s-下，w-上，终点[x,y]在[9,4]

走迷宫，起点设为s，终点设为e，路线为ddddwwwaaawwwddd

"""
map
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,
1,0,1,1,1,1,0,0,0,e,0,0,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,
1,0,1,1,1,1,0,0,0,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,1,1,1,1,1,1,1,0,1,1,0,1,1,1,
1,0,0,0,0,s,0,0,0,0,1,1,0,1,1,1,
1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,
1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1ddddwwwaaawwwddd
"""

联系上面插件查到的blowfish算法，该程序的逻辑应为，输入密文，经过程序解密出明文，而明文需要通过迷宫，密钥为那个固定不变的数组byte_9457A8==[0x00, 0x0F, 0x1A, 0x01, 0x35, 0x3A, 0x3B, 0x20]
现已知明文和密钥，写blowfish加密脚本即可得到正确的输入

from Crypto.Cipher import Blowfish
from Crypto.Util.number import bytes_to_long
key=b"\x00\x0F\x1A\x01\x35\x3A\x3B\x20"
plaintext="ddddwwwaaawwwddd"
blowfish=Blowfish.new(key,Blowfish.MODE_ECB)
print(hex(bytes_to_long(blowfish.encrypt(plaintext))).replace('0x','').replace('L',''))
#db824ef8605c5235b4bbacfa2ff8e087

验证成功

[b01lers2020]little_engine

elf文件，无壳，ida分析
main函数，sub_55B25B5476B0函数，程序打印“Are you ready?”后，输入一个ASCII码小于127的字符
sub_55B25B547830函数，程序打印“Give me your best tidbit:”后，输入flag
sub_55B25B547510函数对输入进行异或运算，规律可循
sub_55B25B5475A0函数将变换后的输入与已知比较，验证输入

进入sub_55B25B547510函数，对输入的变换为input[i]^=v8，而v8初始为0x91，每次加下标，超过255后对255取余，保持在0~254范围内

进入sub_55B25B5475A0函数，变换后的input和已知的unk_55B25B548220比较，需要注意的是unk_55B25B548220的步长为4

写脚本即可得到flag

unk_55B25B548220=[0xE1, 0xE6, 0xD0, 0x4A, 0xF2, 0xC3, 0x7E, 0xAA, 0xE6, 0xFC,0x42, 0xB2, 0xF2, 0xB5, 0x01, 0xB4, 0xEC, 0x7D, 0x39, 0x20,0xEF, 0xC0, 0x4E, 0x13, 0xC8, 0x2F, 0x67, 0xAA, 0x95, 0x79,0x6B, 0xF5, 0xF2, 0x06, 0x41, 0x79, 0xD8, 0x35, 0xF9, 0xC8,0x8E, 0xDE, 0x88, 0x51, 0xAC, 0x4C, 0xF0, 0x81, 0xE0, 0xF4,0xEE, 0x14, 0xAD, 0xF1, 0x25, 0xBD, 0x82, 0x7C, 0x62, 0x30,0xA5, 0xF8, 0x80, 0x2B, 0x79, 0x85, 0x2A, 0xF8, 0x6E, 0x5A,0xAE, 0xCB, 0x18, 0x3A, 0xA2, 0xD0, 0x09, 0xC5, 0x8C, 0x5D,0x3D, 0x34, 0x6B, 0xF9, 0x3B, 0x72, 0x4B, 0x0E, 0x4A, 0xC3,0x71, 0x53, 0xE1, 0xE9, 0x07, 0xBB, 0xC1, 0x1A, 0xE7, 0x07,0x8F, 0x1B, 0x75, 0x74, 0xB9, 0x8E, 0x5D, 0x2E, 0xC2, 0xF6,0x17, 0x3B, 0x52, 0xED, 0xD7, 0xBD, 0x5E, 0xE9, 0x76, 0x63,0x72, 0xE2, 0xEA, 0x89, 0x51, 0xD7, 0x4F, 0x34, 0xDC, 0x39,0xD5, 0x58, 0x92, 0xD9, 0xD2, 0xD2, 0xAA, 0x69, 0xF1, 0xBF,0x90, 0x76, 0xE1, 0x9C, 0x39, 0x0D, 0x0C, 0xB3, 0x40, 0x06,0x48, 0xDA, 0x27, 0xD5, 0x1E, 0xB8, 0x4A, 0x94, 0x4C, 0x98,0xC4, 0x8A, 0x68, 0xA8, 0x97, 0x5E, 0x64, 0xF9, 0xC0, 0x58,0xF7, 0x02, 0x72, 0x8D, 0x3B, 0x88, 0x18, 0x14, 0xEC, 0x8F,0x42, 0x70, 0x0C, 0x0B, 0x96, 0x66, 0x22, 0x8E, 0xF7, 0x58,0x01, 0x2E, 0xC5, 0xDC, 0x4B, 0xC0, 0x71, 0xF4, 0xDA, 0xE6,0x3D, 0x73, 0x88, 0x7D, 0xE4, 0x91, 0x1F, 0x75, 0x90, 0x70,0xD6, 0x0C, 0xA7, 0x09, 0x7C, 0xF2, 0x5A, 0x4E, 0xA1, 0x09,0x0C, 0x51, 0x3C, 0xBA, 0xA8, 0x64, 0x38, 0x2D, 0x8C, 0x00,0x88, 0xE3, 0x6F, 0xEA, 0x77, 0x90, 0x74, 0x39, 0xAA, 0x56,0xF1, 0xA8, 0x6E, 0x80, 0xCA, 0x3D, 0x9E, 0x69, 0xA4, 0x69,0x48, 0xF2, 0x0A, 0x2C, 0xF7, 0x33, 0x17, 0x0F, 0x5C, 0xF2,0x8A, 0xE5, 0x2F, 0x55, 0xA5, 0x9F, 0x8B, 0x65, 0x54, 0x76,0xE0, 0x64, 0xEE, 0x9D, 0x9B, 0x2D, 0x9B, 0x5F, 0x72, 0x7F,0x3B, 0xD9, 0xDF, 0x05, 0x69, 0xF0, 0x9F, 0xF0, 0xA3, 0x8C,0xE6, 0xCD, 0xEF, 0xB4, 0xBC, 0x44, 0x54, 0x3E, 0xE3, 0x44]
init=0x91
flag=[]
for i in range(0,len(unk_55B25B548220),4): # step : 4flag.append(unk_55B25B548220[i]^init)init=(init+i//4)%0xff
print(''.join(chr(i) for i in flag))
# pctf{th3_m0d3rn_st34m_3ng1n3_w45_1nv3nt3d_1n_1698_buT_th3_b3st_0n3_in_1940}

[NPUCTF2020]你好sao啊

elf文件，无壳，ida分析
main函数，获取输入，输入的长度限为32，RxEncode函数对输入进行变换，变换的结果赋给s1，s1与已知的s2比较，验证输入

进入RxEncode函数，4x6==>3x8，变表base64解码过程

用工具进行变表base64编码或者写脚本即可得到flag

res=[0x9E, 0x9B, 0x9C, 0xB5, 0xFE, 0x70, 0xD3, 0x0F,0xB2, 0xD1, 0x4F, 0x9C, 0x02, 0x7F, 0xAB, 0xDE,0x59, 0x65, 0x63, 0xE7, 0x40, 0x9D, 0xCD, 0xFA]
table="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234{}789+/="
flag=""
for i in range(0,len(res),3):tmp=bin(res[i]).replace('0b','').zfill(8)tmp+=bin(res[i+1]).replace('0b','').zfill(8)tmp+=bin(res[i+2]).replace('0b','').zfill(8)flag+=table[int('0b'+tmp[0:6],2)]flag += table[int('0b' + tmp[6:12], 2)]flag += table[int('0b' + tmp[12:18], 2)]flag += table[int('0b' + tmp[18:24], 2)]
print(flag)
# npuctf{w0w+y0U+cAn+r3lllY+dAnc3}

[MRCTF2020]Shit

exe程序，运行后输入，无壳，ida分析
交叉引用字符串来到sub_401640函数，获取输入，检验输入长度，进入loc_4012F0检验输入

来到loc_4012F0处，没有被ida识别为函数，加了花指令

该种类型的花指令原型为

_asm
{call sub2_emit 0xEBjmp label2sub2:add dword ptr[esp],1retn
label2:
}

将call指令和相应的函数以及多出来的EB都nop掉，变成

另外还有一处类似的花指令，同样的nop去花，完成后创建函数，F5反编译
具体的运算写在了注释里面

调试得到xmmword_405034的值，写脚本即可得到flag

from Crypto.Util.number import long_to_bytes
res=[2351698746, 4148999158, 4276070130, 2871606843, 651135530, 2292314745]
for i in range(len(res)-1,0,-1):res[i]^=res[i-1]
xmmword_405034=[3,16,13,4,19,11]
for i in range(len(res)):res[i]^=(1<<xmmword_405034[i])res[i]=(((~(res[i]&0xffff))<<16)&0xffff0000)|(((res[i]&0xffff0000)>>16)&0x0000ffff)res[i]=((res[i]<<xmmword_405034[i])|(res[i]>>(32-xmmword_405034[i])))&0xffffffff
print(''.join(long_to_bytes(i) for i in res))
# flag{a_3a2y_re_for_test}