2014三叶草校赛总结

逆向：

最简单的题目

• 分数:100

• 描述:key是syclover的注册码

• Link:题目链接

题目为 安卓逆向

最后 拷贝成java代码：

鬼子进村

• 分数:200

• 描述:你猜^_^

• Link:题目链接

题目比较简单  linux 程序64位，直接在IDA上看 逆向出代码：

	char pass[]= "pqllauzduh";
	for (int i=0;i<=4;i++)
	{
		pass[i] +=4;
	}
	for (i = 5;i<=9;i++)
	{
		pass[i] -=3;
	}
	puts(pass);//key:tupperware

初中数学题

• 分数:300

• 描述:上过初中的人都能做。提示1：upx脱壳 提示2：解方程组

程序为linux程序，IDA查看

下载对应版本的upx 然后脱壳

然后再拖进IDA分析

然后再逐步计算·············小菜算了很久···终于算出了

		char v12[]="12345678901";

		int  v10 = 0;
		v12[0] = 71;
			v12[1] = 111;
			v12[2] = 111;
	v12[3] = 100;
		v12[4] = 0x43;
		v12[5] = 0x72;
		v12[6] = 0x61;
		v12[7] = 0x63;
		v12[8] = 0x4B;
	
		v12[9]=51;
		v12[10] = 82;

// 		for (int i = 4; i <= 8; ++i )
// 		{
// 			if ( v10 + (char)(v12[i] ^ 0x11) != 0x52 )
//0x52,0x64,0x72,0x75,0x5e
// 0    1    2    3   4
// 					return 0;
// 			++v10;
// 		}
		printf("The key is %s
", v12);

编程：

Code100

• 分数:100

• 描述:见连接

直接逆向得到主要关键代码：

int main(int argc, char* argv[])
{

  char v1[100]; // [sp+1Ch] [bp-7Ch]@2
  int v2; // [sp+80h] [bp-18h]@1
  int v3; // [sp+84h] [bp-14h]@1
  int v4; // [sp+88h] [bp-10h]@1
  int i; // [sp+8Ch] [bp-Ch]@1

  v4 = (int)"ASD$@SDF!@#SF";
  v3 = (int)"CSDSDADASDSAD";
  v2 = (int)"2145631201923";
  for ( i = 0; *(char *)(i + v3); ++i )
  {
	  v1[i] = *(char *)(i + v3) ^ *(char *)(i + v2);
	  v1[i] >>= 1;
	  v1[i] ^= *(char *)(i + v4);
	  if ( v1[i] <= 47 )
		  v1[i] *= 2;
	  if ( v1[i] <= 47 )
		  v1[i] *= 2;
	  v1[i + 1] = 0;
  }
  for ( i = 1; v1[i]; i += 2 )
	  printf("%X%c", v1[i], v1[i]);

		return 0;
}

       女神的秘密

题目说明：

女神把重要的Secret信息送给了屌丝asdf君。

asdf君如获至宝，他把信息进行了某种加密，最后处理成了Secret{xxxx}，其中xxxx就是加密后的信息。

asdf君把Secret{xxxx}藏在了某个文件中，你能找到嘛？

解法1：
解压文件。。然后在cmd里面输入copy * 0.txt
就会将所有文件组合在0.txt里面


然后搜索Secret字符串得到
Secret{S2V5OmZrbGo0JCEoUnExRiE=}


base64解密得到key
fklj4$!(Rq1F!
解法2：

re.compile(pattern[, flags])

Compile a regular expression pattern into a regular expression object, which can be used for matching using its match() and search() methods, described below.

The sequence

prog = re.compile(pattern)
result = prog.match(string)

is equivalent to

result = re.match(pattern, string)

'.'

(Dot.) In the default mode, this matches any character except a newline. If the DOTALL flag has been specified, this matches any character including a newline. 

'?'

Causes the resulting RE to match 0 or 1 repetitions of the preceding RE. ab? will match either ‘a’ or ‘ab’. 

'*'

Causes the resulting RE to match 0 or more repetitions of the preceding RE, as many repetitions as are possible. ab* will match ‘a’, ‘ab’, or ‘a’ followed by any number of ‘b’s. 

os.listdir(path)

Return a list containing the names of the entries in the directory given by path. The list is in arbitrary order. It does not include the special entries '.' and '..' even if they are present in the directory.

import os
import re

dir = r'D:Secret'
list = []
prog  =  re.compile('Secret{.*?}')

for x in os.listdir(dir):
	x = dir+'\'+x
	list.append(x)

for x2 in list:
	f = file(x2)
	x3 = f.readlines()
	for x4 in x3:
		if prog.match(x4):
			print x4

Secret{S2V5OmZrbGo0JCEoUnExRiE=}

Code300

• 分数:300

• 描述:程序比较大,前往下载

本地本应该是变成得出的，但编程了很久  始终不行，问题在于程序接受到指令的时间间隔，最后只能爆破得出，直接用IDA调试，修改程序对应的流程，跳到程序的KEY显示处

做法2：

开变速齿轮  然后输入60次得到KEY

杂项：

BP断点

• 分数:100

• 描述:提示1：key不是大家喜欢的波波老师！ 提示2：bmp+png 提示3：CRC

直接HEX看出是两个图片合成的，将PNG 图片抠出来，然后 发现  宽和高不知道，  需要了解  PNG格式知识

可以看到   宽  和 高  还缺少几位

import binascii
def CalcCrc32(str):
	return hex(binascii.crc32(str) & 0xffffffff)

str1 = "x49x48x44x52x00x00x01"
str2 = "x00x00"
str3 = "x08x06x00x00x00"

chr1 = "x00"
chr2 = "x00"
chr3 = "x00"

num1 = ord(chr1)
num2 = ord(chr2)
num3 = ord(chr3)

for i1 in xrange(0,255):
	for i2 in xrange(0,255):
		for i3 in xrange(0,255):
			if CalcCrc32(str1+chr1+str2+chr2+chr3+str3) == "0x80bf36ccL":
				print "find it"
				print  hex(ord(chr1)),hex(ord(chr2)),hex(ord(chr3))
				exit()
			else:
				num3 = ord(chr3)+1
				chr3 = chr(num3)
				if num3 == 255:
				    chr3 = "x00"
				    break
		num2 = ord(chr2) + 1
		chr2 = chr(num2)
		if num2 == 255:
			chr2 = "x00"
			break	
	num1 = ord(chr1) + 1
	chr1 = chr(num1)

print "hello world"

显示图片KEY：

部分题目解析为转载~~~~~~~~~~~~~~