  • 攻防世界 reverse 进阶5-7

    5.re-for-50-plz-50  tu-ctf-2016

    流程很简单,异或比较

    # Stage-5 solver: the binary compares the typed input XORed with a one-byte
    # key against this table, so applying the same XOR to the table recovers the flag.
    encoded = 'cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ'
    key = 0x37
    z = ''.join(chr(ord(ch) ^ key) for ch in encoded)
    print(z)

    TUCTF{but_really_whoisjohngalt}


    6.key csaw-ctf-2016-quals

    运行后打印完?W?h?a?t h?a?p?p?e?n? 便结束

     修改指令跳过文件读取,输出=W=r=o=n=g=K=e=y=

    关键点就是sub_4020c0函数

     

     关注if比较处

    动态调试可直接获得flag

    这里的v7其实是sub_4020c0函数中的第三个参数

     关注Memory,发现两次循环处理

     脚本:

     # Stage-6 solver. Two byte tables dumped from memory while stepping sub_4020c0;
     # only the first 18 entries of the first table are consumed (the second has 18).
     mem_bytes = [0x74, 0x68, 0x65, 0x6D, 0x69, 0x64, 0x61, 0x74, 0x68, 0x65,
                  0x6D, 0x69, 0x64, 0x61, 0x74, 0x68, 0x65, 0x6D, 0x69, 0x64,
                  0x6]
     key_bytes = [0x3E, 0x2D, 0x2D, 0x2D, 0x2D, 0x2B, 0x2B, 0x2B, 0x2B, 0x2E,
                  0x2E, 0x2E, 0x2E, 0x3C, 0x3C, 0x3C, 0x3C, 0x2E]
     # Pairwise XOR followed by the two additive constants (22 and 9) the author
     # observed in the binary's two processing passes; zip() stops at the shorter table.
     z = [(a ^ b) + 22 + 9 for a, b in zip(mem_bytes, key_bytes)]
     print(''.join(map(chr, z)))

    idg_cni~bjbfi|gsxb


    7.simple-check-100  school-ctf-winter-2015

    exe文件有坑,满是辛酸泪,分析elf文件

     过掉check_key()函数在linux便可直接输出flag

    分析:

     /* Excerpt from the decompiled caller; the function header, the declarations of
      * v3..v15 and the rest of the body are not part of this listing. */
     /* Seven dword constants handed to interesting_function() below; the ELF solver
      * script later reproduces exactly these values. */
       a1[0] = 0xE37EC854;
       a1[1] = 0x9A16C764;
       a1[2] = 0x326511CD;
       a1[3] = 0x43D3E32D;
       a1[4] = 0xD29DA992;
       a1[5] = 0xD32C6DE6;
       a1[6] = 0x6AFEBDB6;
       v14 = 0x13;        /* not referenced again within this excerpt */
       v3 = alloca(32);   /* 32-byte stack allocation; v3 is not used again here */
       v15 = &v7;         /* input pointer: a stack slot in the caller, not the alloca block */
       printf("Key: ");
       /* Unbounded "%s" read into a fixed-size stack slot: there is no width limit, so an
        * over-long key overruns the caller's frame. The extra arguments (v5..v12, a1[0..5])
        * are presumably a decompiler artifact of the varargs call, not real scanf inputs. */
       __isoc99_scanf((int)"%s", (int)v15, v5, v6, v7, v8, v9, (int)v10, v11, v12, a1[0], a1[1], a1[2], a1[3], a1[4], a1[5]);
       /* Only a key accepted by check_key() reaches the flag routine; the writeup
        * skips this branch in the ELF rather than deriving a valid key. */
       if ( check_key((int)v15) )
         interesting_function(a1);
     /* Prints the 28-character flag (7 dwords x 4 bytes): each dword of a1[] is XORed
      * with 0xDEADBEEF, then its four bytes are emitted from index 3 down to 0, each
      * XORed with the matching entry of the global flag_data table (defined elsewhere,
      * indexed here as 7 x 4). The return value is whatever the last putchar() returned,
      * reinterpreted as a pointer -- a decompiler artifact of eax reuse, not a meaningful
      * result for callers. */
     unsigned int *__cdecl interesting_function(int a1[7])
     {
       unsigned int *result; // eax
       unsigned int temp; // [esp+18h] [ebp-20h]
       int i; // [esp+1Ch] [ebp-1Ch]
       int j; // [esp+20h] [ebp-18h]
       int *__attribute__((__org_arrdim(0,7))) v5; // [esp+24h] [ebp-14h] -- decompiler annotation for the 7-element array argument
       char *ptr_temp; // [esp+28h] [ebp-10h]
       unsigned int v7; // [esp+2Ch] [ebp-Ch]

       v7 = __readgsdword(0x14u); // presumably the stack-protector canary load (gs:0x14); the matching check is not shown in this listing
       result = (unsigned int *)a1;
       v5 = a1;
       for ( i = 0; i <= 6; ++i )
       {
         temp = v5[i] ^ 0xDEADBEEF; // first layer: constant XOR over the whole dword
         result = &temp;
         ptr_temp = (char *)&temp; // byte view of temp in memory order
         for ( j = 3; j >= 0; --j ) // index 3 first: on this little-endian x86 target that is the most significant byte
           result = (unsigned int *)putchar((char)(ptr_temp[j] ^ flag_data[i][j])); // second layer: per-byte XOR with the table
       }
       return result;
     }

    脚本:

     # Stage-7 solver (ELF build). Reproduces interesting_function() in Python.
     # Operand bytes captured while stepping the Windows build under a debugger;
     # kept for reference only.
     win = [0x54, 0xB8, 0xFE, 0x61, 0x00, 0x13, 0x00, 0x00, 0x00, 0x61, 0x6A, 0xFE, 0xBD, 0xB6, 0xD3, 0x2C,
            0x6D, 0xE6, 0xD2, 0x9D, 0xA9, 0x92, 0x43, 0xD3, 0xE3, 0x2D, 0x32, 0x65, 0x11, 0xCD, 0x9A, 0x16,
            0xC7, 0x64, 0xE3, 0x7E, 0xC8, 0x30]
     # Same dump without the leading slots, stored reversed; not consumed by the loop below.
     win2 = [0x6A, 0xFE, 0xBD, 0xB6, 0xD3, 0x2C,
             0x6D, 0xE6, 0xD2, 0x9D, 0xA9, 0x92, 0x43, 0xD3, 0xE3, 0x2D, 0x32, 0x65, 0x11, 0xCD, 0x9A, 0x16,
             0xC7, 0x64, 0xE3, 0x7E, 0xC8, 0x54][::-1]

     # The binary's flag_data table, flattened: entry [i][j] lives at index i * 4 + j.
     flag_date = [0xDC, 0x17, 0xBF, 0x5B, 0xD4, 0x0A, 0xD2, 0x1B, 0x7D, 0xDA,
                  0xA7, 0x95, 0xB5, 0x32, 0x10, 0xF6, 0x1C, 0x65, 0x53, 0x53,
                  0x67, 0xBA, 0xEA, 0x6E, 0x78, 0x22, 0x72, 0xD3]

     # The seven constants the caller stores into a1[] before calling interesting_function().
     a1 = [0xE37EC854, 0x9A16C764, 0x326511CD, 0x43D3E32D,
           0xD29DA992, 0xD32C6DE6, 0x6AFEBDB6]

     # 0xDEADBEEF as little-endian bytes, used only by the Windows-dump variant below.
     x = [0xef, 0xbe, 0xad, 0xde]

     decoded = []
     for i, word in enumerate(a1):
         # Mirror the C code: XOR the dword, then walk its bytes from index 3 down to 0.
         temp = (word ^ 0xDEADBEEF).to_bytes(4, 'little')
         for j in reversed(range(4)):
             k = i * 4 + j
             decoded.append(chr(temp[j] ^ flag_date[k]))
             # Same recipe applied to the Windows dump; its stack layout differs,
             # so this line prints garbage (see the exe output quoted below).
             print(chr(win[k] ^ flag_date[k] ^ x[j]), end='')
     s = ''.join(decoded)
     print()
     print(s)

    exe中栈内变量布局与linux不同,两者输出如下:

    exe文件:äìgŧ;µ`’n:ç,=žc–!hí±t
    elf文件:flag_is_you_know_cracking!!!

    flag_is_you_know_cracking!!!

    
    
  • 原文地址:https://www.cnblogs.com/DirWang/p/11432234.html