[2019 RedHat Cup]easyRE

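Open the binary directly in IDA and search the strings to find "you found me". Enter function sub_4009C6; the first thing visible is an encryption routine.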

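Each character is XORed with its index and the result is compared for equality. A script can be written to reverse this, but the result turns out not to be the flag; it is a decoy.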

Output: Info:The first four chars are ‘flag’

Continue reading further down.

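Here the input is base64-encoded 10 times and compared with off_6cc90. Base64-decoding ten times gives https://bbs.pediy.com/thread-254172.htm, which contains no flag; all of this is a distraction. The real check is hidden in the function that uses the data just below off_6cc90.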

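Start with the XOR on line 20 of the decompilation: 102 and 103 correspond to the characters "f" and "g", and byte_6CC0A0[0] and byte_6CC0A3 happen to be the first and fourth bytes of one string. This suggests that "flag" is XORed with the first four bytes to obtain a key, which is then used for the XOR in the for loop below.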

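# Encrypted bytes (byte_6CC0A0)
s = [0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,
     0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
s1 = 'flag'
key = ''
flag = ''
# Recover the 4-byte key from the known plaintext prefix "flag"
for k in range(4):
    key += chr(s[k] ^ ord(s1[k]))
# Decrypt every byte with the repeating 4-byte key
for i in range(len(s)):
    flag += chr(s[i] ^ ord(key[i%4]))
print(flag)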

[ACTF Freshman Competition 2020]rome

Load the binary into IDA and look at the main function.

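It first checks the leading characters, then checks whether each character is uppercase or lowercase, and then applies the transformation.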

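# Expected bytes after the transformation
x = [81,115,119,51,115,106,95,108,122,52,95,85,106,119,64,108]
flag = ''
for k in range(0,16):
    # Brute-force each position: try every ASCII value and apply the forward transform
    for i in range(0,127):
        z = i  # keep the original candidate
        if i > 64 and i <= 90:
            i = (i-51)%26 + 65
        if i > 96 and i <= 122:
            i = (i-79)%26 + 97
        if(i == x[k]):
            flag += chr(z)

print(flag)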

[FlareOn4]login

This is a challenge where the flag is validated on the front end.

The challenge provides a hint.

View the page source directly.

String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);

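The key function is this one line. It first determines the letter's case, adds 13 to the character code and compares the result with the corresponding Z or z: if the result is greater, 26 is subtracted; otherwise the original code plus 13 is kept.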

enc = 'PyvragFvqrYbtvafNerRnfl@syner-ba.pbz'
flag = ''
for i in enc:
    # Uppercase letters: shift back by 13, wrapping inside A-Z
    if ord(i) >= 65 and ord(i) <= 90:
        if ord(i) - 13 < 65 :
            flag += chr(ord(i) + 13)
        else:
            flag += chr(ord(i) - 13)
    # Lowercase letters: shift back by 13, wrapping inside a-z
    elif ord(i) >= 97 and ord(i) <= 122:
        if ord(i) - 13 < 97 :
            flag += chr(ord(i) + 13)
        else:
            flag += chr(ord(i) - 13)
    # Everything else is left unchanged
    else:
        flag += i

print(flag)

The final result is ClientSideLoginsAreEasy@flare-on.com, which matches the hint in the file.

[GUET-CTF2019]re

Check for a packer: the binary turns out to be packed with UPX.

Code analysis

Open the key function sub_4009AE.

_BOOL8 __fastcall sub_4009AE(char *a1)
{
  if ( 1629056 * *a1 != 166163712 )
    return 0LL;
  if ( 6771600 * a1[1] != 731332800 )
    return 0LL;
  if ( 3682944 * a1[2] != 357245568 )
    return 0LL;
  if ( 10431000 * a1[3] != 1074393000 )
    return 0LL;
  if ( 3977328 * a1[4] != 489211344 )
    return 0LL;
  if ( 5138336 * a1[5] != 518971936 )
    return 0LL;
  if ( 7532250 * a1[7] != 406741500 )
    return 0LL;
  if ( 5551632 * a1[8] != 294236496 )
    return 0LL;
  if ( 3409728 * a1[9] != 177305856 )
    return 0LL;
  if ( 13013670 * a1[10] != 650683500 )
    return 0LL;
  if ( 6088797 * a1[11] != 298351053 )
    return 0LL;
  if ( 7884663 * a1[12] != 386348487 )
    return 0LL;
  if ( 8944053 * a1[13] != 438258597 )
    return 0LL;
  if ( 5198490 * a1[14] != 249527520 )
    return 0LL;
  if ( 4544518 * a1[15] != 445362764 )
    return 0LL;
  if ( 3645600 * a1[17] != 174988800 )
    return 0LL;
  if ( 10115280 * a1[16] != 981182160 )
    return 0LL;
  if ( 9667504 * a1[18] != 493042704 )
    return 0LL;
  if ( 5364450 * a1[19] != 257493600 )
    return 0LL;
  if ( 13464540 * a1[20] != 767478780 )
    return 0LL;
  if ( 5488432 * a1[21] != 312840624 )
    return 0LL;
  if ( 14479500 * a1[22] != 1404511500 )
    return 0LL;
  if ( 6451830 * a1[23] != 316139670 )
    return 0LL;
  if ( 6252576 * a1[24] != 619005024 )
    return 0LL;
  if ( 7763364 * a1[25] != 372641472 )
    return 0LL;
  if ( 7327320 * a1[26] != 373693320 )
    return 0LL;
  if ( 8741520 * a1[27] != 498266640 )
    return 0LL;
  if ( 8871876 * a1[28] != 452465676 )
    return 0LL;
  if ( 4086720 * a1[29] != 208422720 )
    return 0LL;
  if ( 9374400 * a1[30] == 515592000 )
    return 5759124 * a1[31] == 719890500;
  return 0LL;
}

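a1 is our input v4, so each check can simply be inverted by division. However, a7 (the character a1[6]) is missing here and has to be guessed from 1-f.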

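# Invert each check: character = product // multiplier (there is no a7, since a1[6] is never checked)
a1 = chr(166163712 // 1629056)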
a2 = chr(731332800 // 6771600)
a3 = chr(357245568 // 3682944)
a4 = chr(1074393000 // 10431000)
a5 = chr(489211344 // 3977328)
a6 = chr(518971936 // 5138336)
a8 = chr(406741500 // 7532250)
a9 = chr(294236496 // 5551632)
a10 = chr(177305856 // 3409728)
a11 = chr(650683500 // 13013670)
a12 = chr(298351053 // 6088797)
a13 = chr(386348487 // 7884663)
a14 = chr(438258597 // 8944053)
a15 = chr(249527520 // 5198490)
a16 = chr(445362764 // 4544518)
a17 = chr(981182160 // 10115280)
a18 = chr(174988800 // 3645600)
a19 = chr(493042704 // 9667504)
a20 = chr(257493600 // 5364450)
a21 = chr(767478780 // 13464540)
a22 = chr(312840624 // 5488432)
a23 = chr(1404511500 // 14479500)
a24 = chr(316139670 // 6451830)
a25 = chr(619005024 // 6252576)
a26 = chr(372641472 // 7763364)
a27 = chr(373693320 // 7327320)
a28 = chr(498266640 // 8741520)
a29 = chr(452465676 // 8871876)
a30 = chr(208422720 // 4086720)
a31 = chr(515592000 // 9374400)
a32 = chr(719890500 // 5759124)

print (a1,a2,a3,a4,a5,a6,a8,a9,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a20,a21,a22,a23,a24,a25,a26,a27,a28,a29,a30,a31,a32)
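
The division step above can also be driven straight from the decompiler text, which catches an unchecked index such as a1[6] automatically instead of by eye. This is an added example, not part of the original write-up; the function names are hypothetical and PSEUDOCODE is only an excerpt of the checks shown above.

```python
import re

# Excerpt of the sub_4009AE checks shown above (a1[0]..a1[7] plus the final pair).
PSEUDOCODE = """
if ( 1629056 * *a1 != 166163712 )
if ( 6771600 * a1[1] != 731332800 )
if ( 3682944 * a1[2] != 357245568 )
if ( 10431000 * a1[3] != 1074393000 )
if ( 3977328 * a1[4] != 489211344 )
if ( 5138336 * a1[5] != 518971936 )
if ( 7532250 * a1[7] != 406741500 )
if ( 9374400 * a1[30] == 515592000 )
return 5759124 * a1[31] == 719890500;
"""

# Matches "<mult> * *a1" (index 0) or "<mult> * a1[<idx>]", then != or == and the product.
CHECK = re.compile(r"(\d+) \* (?:\*a1|a1\[(\d+)\]) [!=]= (\d+)")

def recover(pseudocode):
    """Solve every mult * a1[idx] == product check; return {idx: char}."""
    chars = {}
    for mult, idx, prod in CHECK.findall(pseudocode):
        idx = int(idx or 0)
        value, rem = divmod(int(prod), int(mult))
        # A genuine check divides exactly and yields a printable ASCII byte.
        if rem or not 0x20 <= value < 0x7F:
            raise ValueError(f"a1[{idx}]: no printable solution")
        # Two checks on the same index must agree.
        if chars.setdefault(idx, chr(value)) != chr(value):
            raise ValueError(f"a1[{idx}]: conflicting checks")
    return chars

def template(chars, length):
    """Render recovered bytes, marking positions no check constrains with '?'."""
    return "".join(chars.get(i, "?") for i in range(length))

def unconstrained(chars, length):
    """Indices below length that no check covers and that must be guessed."""
    return [i for i in range(length) if i not in chars]

if __name__ == "__main__":
    found = recover(PSEUDOCODE)
    print(template(found, 8), unconstrained(found, 8))
```

Feeding it the full function body with length 32 leaves index 6 as the only unconstrained position.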