这是我加入战队后的第一次比赛,和几个很强的师傅一起参加,被带飞。(10:00-18:00 八小时)
逆向部分一共3个题,我出了前两个,最后一个题像是套娃,比赛结束都是0解。
第一个题:virus
是一个win32的逆向,没有任何防护,主函数也非常清晰。
简单分析,发现是一个迷宫题,一共4个迷宫,然后flag格式是{迷宫顺序}-{迷宫1走法}-{迷宫2走法}-{迷宫3走法}-{迷宫4走法}
上面就是check_flag函数分析的过程,反正直接上od(OllyDbg)动态调试把迷宫提出来就行了,如下(s是起点,d是终点,.是可以走的格子,|是墙;每个迷宫下面一行是用wasd表示的走法和步数):
1
| | | | | | | | | | | | | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
| | s . . . . . . . . . | | | 00 00 00 00 00
| | | | | | | | | | | . | | | 00 00 00 00 00
| | d | | | | | | | | . | | | 00 00 00 00 00
| | . | | | | | | | | . | | | 00 00 00 00 00
| | . | | | | | | | | . | | | 00 00 00 00 00
| | . . . . . . . . . . | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
dddddddddsssssaaaaaaaaawww - 26

| | | | | | | | | | | | | | | | | | | 00
| | s | | | | | | | | | | | | | d | | 00
| | . . | | | | | | | | | | | . . | | 00
| | | . . | | | | | | | | | . . | | | 00
| | | | . . | | | | | | | . . | | | | 00
| | | | | . . | | | | | . . | | | | | 00
| | | | | | . . | | | . . | | | | | | 00
| | | | | | | . . | . . | | | | | | | 00
| | | | | | | | . . . | | | | | | | | 00
| | | | | | | | | | | | | | | | | | | 00
sdsdsdsdsdsdsddwdwdwdwdwdwdw - 28

| | | | | | | | | | | | | | | 00 00 00 00 00
| | . . . . . . . . . s | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . | | | | | | | | | | | | 00 00 00 00 00
| | . . . . . . . . . d | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
aaaaaaaaasssssssddddddddd - 25


| | | | | | | | | | | | | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00
| | | . . . . . . . . . . | | 00 00 00 00 00
| | | . | | | | | | | | . | | 00 00 00 00 00
| | | . | | | | | | | | . | | 00 00 00 00 00
| | | . | | | | | | | | . | | 00 00 00 00 00
| | | . | | | | | | | | . | | 00 00 00 00 00
| | | s | | | | | | | | d | | 00 00 00 00 00
| | | | | | | | | | | | | | | 00 00 00 00 00

wwwwwdddddddddsssss - 19
按main函数的要求整理一下就可以了。
第二个题是pyc的逆向题:
直接上uncompyle6反编译,这里环境需要稍微注意:这个pyc是Python 2.7的字节码,要用2.7去弄,得到如下py文件:
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.12 (default, Jul 21 2020, 15:19:50)
# [GCC 5.4.0 20160609]
# Embedded file name: test233_ol.py
# Compiled at: 2020-03-20 13:22:50
#
# Readable expansion of the decompiled program. uncompyle6 emitted the whole
# file as one expression built from nested lambdas and single-element list
# comprehensions; the statements below perform the same checks in the same
# order. The target interpreter is Python 2.7 (raw_input, print of one
# parenthesised string).


def check(arg):
    """Return the sum of the decimal digits in the string *arg*.

    int() raises ValueError on a non-digit character; nothing catches it.
    """
    return sum(map(int, arg))


def check1(arg):
    """Return 1 when *arg* contains exactly 9 distinct characters, else 0."""
    return 1 if len(set(arg)) == 9 else 0


if __name__ == '__main__':
    flag = raw_input('Input your flag:')

    # 'flag{' (5) + 81 grid cells + '}' (1) = 87 characters.
    if len(flag) != 87:
        print('Error len!')
        exit()

    prefix, suffix, cells = flag[0:5], flag[-1], flag[5:-1]
    if prefix != 'flag{' or suffix != '}':
        print('Error fmt!')
        exit(0)

    # Three views of the 9x9 grid, each a list of nine 9-character strings:
    # rows (h1..h9 / d in the decompiled form), columns (l1..l9) and the
    # 3x3 boxes (k1..k9), boxes numbered left to right, top to bottom.
    rows = [cells[9 * r:9 * r + 9] for r in range(9)]
    cols = [cells[c::9] for c in range(9)]
    boxes = [
        ''.join(rows[3 * br + r][3 * bc:3 * bc + 3] for r in range(3))
        for br in range(3)
        for bc in range(3)
    ]

    # (row, column, expected character): the cells the checker pins.
    givens = (
        (0, 2, '5'), (0, 3, '3'),
        (1, 0, '8'), (1, 7, '2'),
        (2, 1, '7'), (2, 4, '1'), (2, 6, '5'),
        (3, 0, '4'), (3, 5, '5'), (3, 6, '3'),
        (4, 1, '1'), (4, 4, '7'), (4, 8, '6'),
        (5, 2, '3'), (5, 3, '2'), (5, 7, '8'),
        (6, 1, '6'), (6, 3, '5'), (6, 8, '9'),
        (7, 2, '4'), (7, 7, '3'),
        (8, 5, '9'), (8, 6, '7'),
    )
    for r, c, expected in givens:
        if rows[r][c] != expected:
            print('Error!')
            exit()

    # Digit sums come first (rows, columns, boxes), so a non-digit cell
    # raises inside check() before any distinctness test runs.
    for group in (rows, cols, boxes):
        if any(check(unit) != 45 for unit in group):
            print('Error!')
            exit()

    # Nine distinct characters per unit; combined with the sum of 45 this
    # leaves only the digits 1-9, once each.
    for group in (rows, cols, boxes):
        if any(check1(unit) != 1 for unit in group):
            print('Error!')
            exit()

    print('Yes! You got it!')
仔细一点不难看出是9*9的约束条件:h1~h9是9行,l1~l9是9列,k1~k9是9个3*3的宫,check要求每一组的数字之和为45,check1要求每一组的9个字符互不相同。根据我的经验和这个矩阵的样子,不难判断出是数独:
flag{
**53*****
8******2*
*7**1*5**
4****53**
*1**7***6
**32***8*
*6*5****9
**4****3*
*****97**
}
直接找在线工具梭就完事儿了,把解出来的81个数字按行拼起来放进flag{}里(总长度87)就是flag。
第三题实在是分析不出来了,花里胡哨,看的浑身难受。
总的来说,这次比赛见识了挺多,感谢一起参加的师傅们~