# 你每一次的突然想努力的冲动,都是未来的你在向你求救

# easy_RE

IDA 启动!直接在汇编里看到 Flag, 灰常不错,这应该是签到题

mov     [rbp+30h+var_90], 66h ; 'f'
mov [rbp+30h+var_8C], 6Ch ; 'l'
mov [rbp+30h+var_88], 61h ; 'a'
mov [rbp+30h+var_84], 67h ; 'g'
mov [rbp+30h+var_80], 7Bh ; '{'
mov [rbp+30h+var_7C], 77h ; 'w'
mov [rbp+30h+var_78], 65h ; 'e'
mov [rbp+30h+var_74], 31h ; '1'
mov [rbp+30h+var_70], 63h ; 'c'
mov [rbp+30h+var_6C], 30h ; '0'
mov [rbp+30h+var_68], 6Dh ; 'm'
另一半在下面
lea rdx, [rbp+30h+var_21]
lea rax, [rbp+30h+var_50]
mov r8, rdx
lea rdx, aEToRev3rse ; "e_to_rev3rse!!}"
mov rcx, rax
#flag{we1c0me_to_rev3rse!!}

# ke

发现 upx 壳,直接 upx -d,IDA 打开发现就是把输入的每个字符加 1,然后与 enc 进行比较;逆一下,用 enc 里的数据减 1 就行

源代码

 _main();
memset(Str1, 0, sizeof(Str1));
v7 = 0;
Hello();
scanf("%s", Str1);
for ( i = 0i64; ; ++i )
{
v4 = &Str1[strlen(Str1)];
if ( i >= v4 - Str1 )
break;
++Str1[i];
}
if ( !strncmp(Str1, enc, v4 - Str1) )
puts("WOW!!");
else
puts("I believe you can do it!");
system("pause");
return 0;
}

exp

# enc as extracted from the unpacked binary.
b = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"
# The check adds 1 to every input character before strncmp() against enc,
# so the original input is enc with every character shifted back by one.
flag = "".join(chr(ord(ch) - 1) for ch in b)
print(flag)
# flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

# ELF

IDA 打开看到两个加密函数: base64_encode 是经典的 base64 编码, encode 就是将数据异或 0x20 然后加 16

思路也很简单: 先把数据进行 base64 解码, 然后再逆一下 encode 这个函数就行了

源代码

 s = (char *)malloc(0x64uLL);
printf("Input flag: ");
fgets(s, 100, stdin);
s[strcspn(s, "\n")] = 0;
v6 = (char *)encode(s);
v3 = strlen(v6);
s1 = (char *)base64_encode(v6, v3);
if ( !strcmp(s1, "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t") )
puts("Correct");
else
puts("Wrong");
free(v6);
free(s1);
free(s);
return 0;
}
encode函数
{
size_t v1; // rax
int v2; // eax
_BYTE *v4; // [rsp+20h] [rbp-20h]
int i; // [rsp+28h] [rbp-18h]
int v6; // [rsp+2Ch] [rbp-14h]

v1 = strlen(a1);
v4 = malloc(2 * v1 + 1);
v6 = 0;
for ( i = 0; i < strlen(a1); ++i )
{
v2 = v6++;
v4[v2] = (a1[i] ^ 0x20) + 16;
}
v4[v6] = 0;
return v4;
}

exp

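from base64 import b64decode

# The string strcmp() expects after encode() followed by base64_encode().
b = b"VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"
c = b64decode(b)
# encode() stored (ch ^ 0x20) + 16 for every byte, so undo the +16 first
# and then the XOR. Building the bytes object in one go avoids the
# quadratic `flag += bytes([...])` pattern.
flag = bytes((byte - 16) ^ 0x20 for byte in c)
print(flag)
# flag{D0_4ou_7now_wha7_ELF_1s?}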

# Segments

IDA 打开提示 shift+f7 直接就明白 flag 被拆分到每个段里,md 拼了好久 www 最后发现 name_后面的’_’

没有去掉 服了我是 fw

flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

# Endian

很简单的就异或 0x12345678 就行了,然后就搞笑了没有出来 cccccc, 发现是小端然后写 exp 开始报错了

浪费了一些时间

源代码

 v7 = __readfsqword(0x28u);
puts("please input your flag");
__isoc99_scanf("%s", v6);
v5 = v6;
for ( i = 0; i <= 4; ++i )
{
if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )
{
printf("wrong!");
exit(0);
}
v5 += 4;
}
printf("you are right");
return 0;
}

exp

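# array[] from the binary, one 32-bit word per 4 characters of input.
b = [0x75553A1E, 0x7B583A03, 0x4D58220C, 0x7B50383D, 0x736B3819]
flag = bytearray()

for num in b:
    # The check reads the input as *(_DWORD *)v5 and XORs array[i] with
    # 0x12345678, so each word maps back to exactly 4 input bytes in
    # little-endian order. Using a width of 8 here would pad every chunk
    # with four NUL bytes that the decode() below does not strip.
    flag += (num ^ 0x12345678).to_bytes(4, byteorder='little', signed=False)

# The loop only checks 5 words (20 characters); the closing brace is
# appended by hand.
print(flag.decode('utf-8', 'ignore') + "}")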

后来看一位师傅的 wp,直接用 p32 包一下就行了,ccccccc 我怎么没有想出来,菜死了

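import struct

# array[] from the binary, one 32-bit word per 4 characters of input.
enc = [0x75553A1E, 0x7B583A03, 0x4D58220C, 0x7B50383D, 0x736B3819]
# The binary compares whole DWORDs on a little-endian machine, so every
# XOR-ed word is packed as 4 little-endian bytes. struct.pack("<I") is the
# stdlib equivalent of pwntools' p32() and removes the extra dependency.
flag = [struct.pack("<I", i ^ 0x12345678) for i in enc]
print(b''.join(flag))
# flag{llittl_Endian_a}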

# EzPE

无效的 PE,修一下 PE 头和偏移就行,然后 IDA 打开就是每个数据异或它的索引和它上一个数据的异或值

emmmmm 看代码就知道了,说的有点乱

 _main(argc, argv, envp);
puts(&draw);
puts("Please enter your flag!\n");
scanf("%s", input);
for ( i = 0; i < strlen(input) - 1; ++i )
input[i] ^= i ^ input[i + 1];
if ( !strcmp(input, data) )
puts("You Win!");
else
puts("You lose!");
system("pause");
return 0;
}

exp

def decrypt(input):
    """Undo the in-place XOR chain the binary applies before strcmp().

    The check loop computes ``input[i] ^= i ^ input[i + 1]`` from left to
    right, so the last byte is never modified and every earlier byte is
    mixed with the still-unmodified byte after it. Walking from the right
    therefore restores the bytes one by one.

    Args:
        input: the encrypted bytes (anything bytearray() accepts).

    Returns:
        The recovered input decoded as UTF-8.
    """
    buf = bytearray(input)
    for idx in reversed(range(len(buf) - 1)):
        buf[idx] ^= idx ^ buf[idx + 1]
    return bytes(buf).decode('utf-8')

# data[] from the binary: the 37 bytes strcmp() expects after the XOR loop.
encrypted = list(bytes.fromhex(
    "0a0c041f266c432d3c0c"
    "544c24251106053a7c51"
    "381a030d01361f122604"
    "685d3f2d372a7d"
))

decrypted_string = decrypt(encrypted)
print(decrypted_string)
# flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

# Lazy_Activity

查看 FlagActivity, 前面有个 editTextTextPersonName2

editText.getText().toString()final EditText editText = (EditText) findViewById(R.id.editTextTextPersonName2);

editTextTextPersonName2 直接搜索这个资源找到 flag

flag{Act1v1ty_!s_so00oo0o_Impor#an#}

# AndroXor

直接看代码吧

/**
 * Decompiled check routine: XORs every character of {@code str} with the
 * repeating key {@code str2} and compares the result against the 25-entry
 * table {@code cArr}. Returns "you win!!!" only when every character
 * matches and the input is exactly 25 characters long.
 *
 * Note: {@code cArr} is indexed by {@code i} up to {@code str.length()},
 * so an input longer than 25 characters that matches the first 25 entries
 * would run past the table before {@code str3} is returned.
 */
public String Xor(String str, String str2) {
// Expected XOR output; the Java char literals are what the exp below re-extracts.
char[] cArr = {14, '\r', 17, 23, 2, 'K', 'I', '7', ' ', 30, 20, 'I', '\n', 2, '\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r'};
char[] cArr2 = new char[str.length()];
// Length check is decided up front; the loop below can still return early.
String str3 = str.length() != 25 ? "wrong!!!" : "you win!!!";
for (int i = 0; i < str.length(); i++) {
// Key repeats every str2.length() characters.
char charAt = (char) (str.charAt(i) ^ str2.charAt(i % str2.length()));
cArr2[i] = charAt;
if (cArr[i] != charAt) {
return "wrong!!!";
}
}
return str3;
}

/**
 * Button handler: runs Xor() on the text field contents with the fixed
 * key "happyx3" and shows the verdict in a Toast. The raw input is also
 * written to logcat under the tag "输入".
 */
public void onClick(View view) {
String obj = editText.getText().toString();
MainActivity mainActivity = MainActivity.this;
Toast.makeText(mainActivity, mainActivity.Xor(obj, "happyx3"), 1).show();
Log.d("输入", editText.getText().toString());
}

也是考察的异或,拿这两个数据再异或一次就行,提取数据的时候要注意一下,因为我报错了

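# cArr copied from the decompiled Xor(): the Java char literals were pasted
# as bytes objects while the numeric entries stayed ints, so the table is
# normalised to ints before use.
enc = [14, b'\r', 17, 23, 2, b'K', b'I', b'7', b' ', 30, 20, b'I', b'\n', 2, b'\f', b'>', b'(', b'@', 11, b'\'', b'K', b'Y', 25, b'A', b'\r']
xor = b'happyx3'
enc = [c if isinstance(c, int) else ord(c) for c in enc]
# Xor() computes cArr[i] == input[i] ^ key[i % len(key)]; XOR is its own
# inverse, so applying the same repeating key once more yields the input.
flag = [c ^ xor[i % len(xor)] for i, c in enumerate(enc)]
print(bytes(flag))
# flag{3z_And0r1d_X0r_x1x1}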

嗯… 这次 RE 大部分都是异或,嗯… 逻辑也很简单,嗯… 没有附件的师傅可以给俺要主页有俺 QQ, 嗯…(一万字)…。

emmmm 还是菜

爬了…
