新手一枚,如有錯誤(不足)請指正,謝謝!!
WUSTCTF-re-Cr0ssFun
IDA64載入,進入main函數
查看check函數
都提取出來就是flag了。。。
得到flag爲wctf2020{cpp_@nd_r3verse_@re_fun}
WUSTCTF-re-level1
下載下來壓縮包有兩個文件,一個是ELF64位,一個是output.txt是程序的輸出
IDA64位載入查看main函數
對flag的19位字符逐位變換後輸出。
寫腳本
#include <stdio.h>
/*
 * Undo the per-position transform and print the recovered characters.
 *
 * Each value is paired with its 1-based position: values at odd positions
 * are shifted right by that position, values at even positions are divided
 * by it. This is the inverse of a shift-left / multiply encoder, which is
 * presumably what the challenge binary applies (confirm against the
 * decompiled main).
 */
int main(void)
{
    unsigned int encoded[] = {
        198, 232, 816, 200, 1536, 300, 6144, 984, 51200, 570,
        92160, 1200, 565248, 756, 1474560, 800, 6291456, 1782, 65536000
    };
    unsigned int idx = 0;

    while (idx < 19) {
        /* Positions are 1-based; the largest shift count is 19, which is
         * below the width of unsigned int, so the shift is well defined. */
        unsigned int pos = idx + 1;

        encoded[idx] = (pos % 2 != 0) ? (encoded[idx] >> pos)
                                      : (encoded[idx] / pos);
        printf("%c", encoded[idx]);
        idx++;
    }
    return 0;
}
腳本輸出的是ctf2020{d9-dE6-20c},因爲少了第一位的校驗;比賽的flag頭都是wctf2020,所以在前面補一個w就得到了flag
得到flag爲wctf2020{d9-dE6-20c}
WUSTCTF-re-level2
IDA32位
pusha推測被加殼
查殼發現UPX殼
使用官方upx工具脫殼
得到flag爲wctf2020{Just_upx_-d}
WUSTCTF-re-level3
IDA64位載入來到main函數
推測是使用自定義字符表的base64編碼(只是編碼,並非真正的加密)
找到對base字符表進行變換的函數
直接IDA動態調試得到變換後的字符表
寫python腳本
import base64
# The modified Base64 alphabet differs from the standard one only in its
# first 20 letters, which appear in reverse order (T..A instead of A..T).
custom_alphabet = "TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
standard_alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# biao ("table"): maps every character of the custom alphabet to the character
# at the same index in the standard alphabet, so the stock decoder can be used.
biao = str.maketrans(custom_alphabet, standard_alphabet)

# Encoded string to recover; '=' padding is not in the table and passes
# through translate() unchanged.
enstr = "d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=="

# Re-express the text in the standard alphabet, then decode it normally.
flag = base64.b64decode(enstr.translate(biao))
print(flag.decode('utf-8'))
得到flag爲wctf2020{Base64_is_the_start_of_reverse}
WUSTCTF-re-level4
IDA64位載入
左右左右的應該是樹,數據結構?沒學過的我,告辭!
運行一下……
二叉樹的前序中序後序。。。。
參考文章
因爲知道flag頭部是wctf2020呀,可以知道給出的是中序和後序,求前序
按照百度經驗那個參考資料,還原後
畫的有點醜emmm
得到flag爲wctf2020{This_IS_A_7reE}
WUSTCTF-re-main
IDA64位載入,發現上面有好長的未解析成函數的代碼……
start函數裏也執行了main函數
題目名稱是main函數就去找main函數……
雙擊跟過main函數去
選中,摁p鍵將其聲明成函數
現在可以F5了……
F5之後有個JMPOUT,花指令,返回彙編代碼看一下
上面的jz和jnz指向同一個地址loc_40061A+1,也就是說不管條件是否成立,都會跳到這個地址。
看一下loc_40061A的字節碼,由於指向的是loc_40061A+1,也就是第一個字節指令E8是沒用的,用IDA自帶的patch將其改爲90
再下面的jz short near ptr loc_400621+2,說明loc_400621的前兩個字節05 CD是無用的,將其改爲90 90
修改完後
其中這三個跳轉都是往下一行跳的,可以直接nop掉;中間那個db 0x80h不知道是什麼,也直接nop掉
再修改完後
然後下面有三個數據,這些本應該和後面的內容一起解析成代碼,光標選中後摁C將其解析成代碼
最終效果
繼續F5,,發現下面還有
一共三四處吧。步驟基本一樣就不贅述了。會IDC或者IDAPython的可以識別特徵碼用腳本改。
修復後main函數變成了這樣,,,
先是比較輸入長度是否等於38
然後比較前五位是否爲flag{,最後一位是否爲}
然後對花括號內的數據進行了三百五十多次變換(加密)……
用正則表達式一點點刪除……(剛開始寫了個正則漏了四個變換,淦!)
提取出這三百多個變換,寫腳本……
#include <stdio.h>
/*
 * Byte values that main() transforms in place and prints as the flag body.
 * Presumably these are the comparison targets taken from the challenge
 * binary (confirm against the disassembly).
 *
 * The array is declared with 33 slots but only 32 initializers are given, so
 * the last slot is zero-initialized; main() only walks the first 32 entries.
 * Every value fits in one byte; unsigned int is used as the storage type.
 */
unsigned int data[33] = {
0xD9, 0x2C, 0x27, 0xD6, 0xD8, 0x2A, 0xDA, 0x2D, 0xD7, 0x2C, 0xDC, 0xE1, 0xDB, 0x2C, 0xD9, 0xDD,
0x27, 0x2D, 0x2A, 0xDC, 0xDB, 0x2C, 0xE1, 0x29, 0xDA, 0xDA, 0x2C, 0xDA, 0x2A, 0xD9, 0x29, 0x2A
};
/*
 * Recover the flag body by applying the extracted chain of transformations
 * to each of the first 32 entries of the file-scope array data, in place,
 * and printing each result as a character between "flag{" and "}".
 *
 * The chain is, in order: a run of constant subtractions, a run of constant
 * XORs, one bitwise NOT, more XORs, one addition of 128, and a final run of
 * XORs. The order of the statements matters and is kept exactly as
 * extracted.
 *
 * data[i] is an unsigned int, so the subtractions wrap and the NOT sets the
 * upper bits. That is harmless here: none of -, ^, ~ or + lets higher bits
 * influence lower ones, and printf's %c converts its argument to unsigned
 * char, so only the low 8 bits of the final value are printed.
 *
 * NOTE(review): because of that, the chain can probably be folded into one
 * subtract and one XOR per byte. Re-check every constant before simplifying.
 *
 * There is no explicit return statement; since C99, reaching the end of
 * main is equivalent to returning 0.
 */
int main(void)
{
int i;
printf("flag{");
for (i = 0; i < 32; i++)
{
/* Phase 1: constant subtractions (unsigned arithmetic, wraps on underflow). */
data[i] -= 8;
data[i] -= 21;
data[i] -= 60;
data[i] -= 24;
data[i] -= 7;
data[i] -= 16;
data[i] -= 20;
data[i] -= 31;
data[i] -= 28;
data[i] -= 54;
data[i] -= 26;
data[i] -= 78;
data[i] -= 34;
data[i] -= 45;
data[i] -= 13;
data[i] -= 81;
data[i] -= 98;
data[i] -= 22;
data[i] -= 76;
data[i] -= 93;
data[i] -= 36;
data[i] -= 48;
data[i] -= 72;
data[i] -= 3;
data[i] -= 95;
data[i] -= 92;
data[i] -= 18;
data[i] -= 51;
data[i] -= 25;
data[i] -= 35;
data[i] -= 39;
data[i] -= 63;
data[i] -= 88;
data[i] -= 19;
data[i] -= 46;
data[i] -= 82;
data[i] -= 66;
data[i] -= 27;
data[i] -= 47;
data[i] -= 49;
data[i] -= 29;
data[i] -= 62;
data[i] -= 23;
data[i] -= 2;
data[i] -= 77;
data[i] -= 15;
data[i] -= 37;
data[i] -= 40;
data[i] -= 4;
data[i] -= 75;
data[i] -= 14;
data[i] -= 69;
data[i] -= 61;
data[i] -= 42;
data[i] -= 52;
data[i] -= 73;
data[i] -= 6;
data[i] -= 56;
data[i] -= 96;
data[i] -= 71;
data[i] -= 67;
data[i] -= 50;
data[i] -= 68;
data[i] -= 97;
data[i] -= 32;
data[i] -= 55;
data[i] -= 86;
data[i] -= 94;
data[i] -= 11;
data[i] -= 33;
data[i] -= 43;
data[i] -= 38;
data[i] -= 17;
data[i] -= 74;
data[i] -= 10;
data[i] -= 84;
data[i] -= 12;
data[i] -= 70;
data[i] -= 44;
data[i] -= 89;
data[i] -= 85;
data[i] -= 41;
data[i] -= 53;
data[i] -= 65;
data[i] -= 57;
data[i] -= 90;
data[i] -= 1;
data[i] -= 58;
data[i] -= 59;
data[i] -= 83;
data[i] -= 87;
data[i] -= 99;
data[i] -= 5;
data[i] -= 9;
data[i] -= 91;
data[i] -= 30;
data[i] -= 79;
data[i] -= 64;
data[i] -= 80;
/* Phase 2: constant XORs. */
data[i] ^= 0x67;
data[i] ^= 0x68;
data[i] ^= 0xC3;
data[i] ^= 0x23;
data[i] ^= 0xE9;
data[i] ^= 8;
data[i] ^= 0x3B;
data[i] ^= 0x50;
data[i] ^= 0xFA;
data[i] ^= 0x64;
data[i] ^= 0xC8;
data[i] ^= 5;
data[i] ^= 0xF5;
data[i] ^= 0x76;
data[i] ^= 0x86;
data[i] ^= 0x41;
data[i] ^= 0x99;
data[i] ^= 0xF0;
data[i] ^= 0x37;
data[i] ^= 0x49;
data[i] ^= 0x4C;
data[i] ^= 0x18;
data[i] ^= 0x39;
data[i] ^= 0x5D;
data[i] ^= 0x2C;
data[i] ^= 0x75;
data[i] ^= 0x4D;
data[i] ^= 0x95;
data[i] ^= 0xED;
data[i] ^= 0x84;
data[i] ^= 0x10;
data[i] ^= 0x32;
data[i] ^= 2;
data[i] ^= 0x12;
data[i] ^= 0x9C;
data[i] ^= 0x65;
data[i] ^= 0x73;
data[i] ^= 0x2F;
data[i] ^= 0x13;
data[i] ^= 0xC;
data[i] ^= 0xBD;
data[i] ^= 0x96;
data[i] ^= 0xA8;
data[i] ^= 0x33;
data[i] ^= 0xD2;
data[i] ^= 0xE2;
data[i] ^= 0xC7;
data[i] ^= 0xD3;
data[i] ^= 0x4E;
data[i] ^= 0xA9;
data[i] ^= 0xF9;
/* Bitwise NOT: flips all bits of the unsigned int; for the low byte this
 * has the same effect as XOR with 0xFF. */
data[i] = ~data[i];
data[i] ^= 0xEF;
data[i] ^= 0x62;
data[i] ^= 0x66;
data[i] ^= 0xCE;
data[i] ^= 0x14;
data[i] ^= 0xB;
data[i] ^= 0xB6;
data[i] ^= 7;
data[i] ^= 0xA3;
data[i] ^= 0x97;
data[i] ^= 0xDC;
data[i] ^= 0xB8;
data[i] ^= 0xE7;
data[i] ^= 0xD5;
data[i] ^= 0x7F;
data[i] ^= 0x82;
data[i] ^= 0x34;
data[i] ^= 0xE1;
data[i] ^= 0x98;
data[i] ^= 0xE3;
data[i] ^= 0xF6;
data[i] ^= 0xEB;
data[i] ^= 0xD8;
data[i] ^= 0xDA;
data[i] ^= 0x1D;
data[i] ^= 0x9D;
data[i] ^= 0x7D;
/* The only addition in the chain; modulo 256 it toggles bit 7 of the
 * low byte. */
data[i] += 128;
data[i] ^= 0xC9;
data[i] ^= 0x27;
data[i] ^= 0xA0;
data[i] ^= 0x8E;
data[i] ^= 0xF7;
data[i] ^= 0x6F;
data[i] ^= 0xFB;
data[i] ^= 0x9A;
data[i] ^= 0x9B;
data[i] ^= 0xCB;
data[i] ^= 0xD4;
data[i] ^= 0x30;
data[i] ^= 0xAC;
data[i] ^= 0x60;
data[i] ^= 0x92;
data[i] ^= 0xAF;
data[i] ^= 0x2D;
data[i] ^= 0xAB;
data[i] ^= 0x51;
data[i] ^= 0xB7;
data[i] ^= 0x35;
data[i] ^= 0xD0;
data[i] ^= 0xA4;
data[i] ^= 0xAD;
data[i] ^= 0xC0;
data[i] ^= 0xEC;
data[i] ^= 0xBE;
data[i] ^= 0xFC;
data[i] ^= 0xBB;
data[i] ^= 0x54;
data[i] ^= 0xC5;
data[i] ^= 0xC1;
data[i] ^= 0xC6;
data[i] ^= 3;
data[i] ^= 0xDE;
data[i] ^= 0x5E;
data[i] ^= 0x3A;
data[i] ^= 0xFD;
data[i] ^= 0x29;
data[i] ^= 0x31;
data[i] ^= 0x85;
data[i] ^= 0x2B;
data[i] ^= 0xB9;
data[i] ^= 0x55;
data[i] ^= 0xDF;
data[i] ^= 0xCF;
data[i] ^= 0x4B;
data[i] ^= 0xCC;
data[i] ^= 0x1F;
data[i] ^= 0xD6;
data[i] ^= 0x93;
data[i] ^= 0xF;
data[i] ^= 0xE0;
data[i] ^= 0xD1;
data[i] ^= 0xB0;
data[i] ^= 0xF1;
data[i] ^= 0x56;
data[i] ^= 0xF4;
data[i] ^= 0x45;
data[i] ^= 0x63;
data[i] ^= 0x7C;
data[i] ^= 0x2E;
data[i] ^= 0x11;
data[i] ^= 0x81;
data[i] ^= 0x1C;
data[i] ^= 0x77;
data[i] ^= 0xFE;
data[i] ^= 0x3F;
data[i] ^= 0x36;
data[i] ^= 0x87;
data[i] ^= 0xBF;
data[i] ^= 0xBA;
data[i] ^= 0x8B;
data[i] ^= 0xA7;
data[i] ^= 0x26;
data[i] ^= 0x5F;
data[i] ^= 0x72;
data[i] ^= 0xDB;
data[i] ^= 0x47;
data[i] ^= 0x4A;
data[i] ^= 0x15;
data[i] ^= 0x19;
data[i] ^= 0xB4;
data[i] ^= 0x7B;
data[i] ^= 0x8A;
data[i] ^= 9;
data[i] ^= 0xE8;
data[i] ^= 0x71;
data[i] ^= 0x20;
data[i] ^= 0x88;
data[i] ^= 0xE6;
data[i] ^= 0x46;
data[i] ^= 0x25;
data[i] ^= 0xEE;
data[i] ^= 0xA5;
data[i] ^= 0x8F;
data[i] ^= 0x43;
data[i] ^= 0x1A;
data[i] ^= 0x5B;
data[i] ^= 0xD9;
data[i] ^= 0x61;
data[i] ^= 0x79;
data[i] ^= 0xA6;
data[i] ^= 0xB3;
data[i] ^= 0x8C;
data[i] ^= 0x90;
data[i] ^= 0x44;
data[i] ^= 0x3D;
data[i] ^= 0xC2;
data[i] ^= 0x22;
data[i] ^= 0x6B;
data[i] ^= 0xA2;
data[i] ^= 0x1E;
data[i] ^= 0x6D;
data[i] ^= 0x57;
data[i] ^= 0x74;
data[i] ^= 1;
data[i] ^= 0xBC;
data[i] ^= 0x94;
data[i] ^= 0x2A;
data[i] ^= 0x7E;
data[i] ^= 0xE5;
data[i] ^= 0x21;
data[i] ^= 0x5C;
data[i] ^= 0x69;
data[i] ^= 0xB1;
data[i] ^= 0x5A;
data[i] ^= 0x17;
data[i] ^= 0xD;
data[i] ^= 0xB5;
data[i] ^= 0xD7;
data[i] ^= 0x16;
data[i] ^= 0x89;
data[i] ^= 0x40;
data[i] ^= 0x6E;
data[i] ^= 0xE4;
data[i] ^= 0x48;
data[i] ^= 0xEA;
data[i] ^= 0x28;
data[i] ^= 0x70;
data[i] ^= 0x78;
data[i] ^= 6;
data[i] ^= 0xA1;
data[i] ^= 0x3C;
data[i] ^= 0x9F;
data[i] ^= 0xF2;
data[i] ^= 0x58;
data[i] ^= 0xF8;
data[i] ^= 0xAE;
data[i] ^= 0xAA;
data[i] ^= 0x1B;
data[i] ^= 0x52;
data[i] ^= 0xDD;
data[i] ^= 0x7A;
data[i] ^= 0x38;
data[i] ^= 0x8D;
data[i] ^= 0xE;
data[i] ^= 0x42;
data[i] ^= 0x9E;
data[i] ^= 4;
data[i] ^= 0x53;
data[i] ^= 0xC4;
data[i] ^= 0x83;
data[i] ^= 0x24;
data[i] ^= 0x4F;
data[i] ^= 0x6C;
data[i] ^= 0x3E;
data[i] ^= 0xCA;
data[i] ^= 0xF3;
data[i] ^= 0xA;
data[i] ^= 0x59;
data[i] ^= 0x6A;
data[i] ^= 0xCD;
data[i] ^= 0x91;
/* %c prints only the low byte of the transformed value. */
printf("%c", data[i]);
}
putchar('}');
}
得到flag爲flag{1dc20f6e3d497d15cef47d9a66d6f1af}