Hike News
Hike News

杭电CTF-题库-reverse

在杭电的平台上做了几道题。

ebCTF-Teaser-BIN100-Dice

1
2
$ file ebCTF-Teaser-BIN100-Dice.exe
ebCTF-Teaser-BIN100-Dice.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

拖进 OD,搜索字符串:

搜索字符串

大概可以看出是一个摇骰子的游戏,如果全部正确就能得到 flag。最直接的想法就是用 OD 边调试边修改寄存器的值,最后就能得到 flag:

修改关键内存的值

更方便的方式是直接在 IDA 里把所有判断不正确的跳转 patch 掉,这样就能直接得到结果:

得到flag

也可以在 IDA 里直接逆,关键部分代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
...
if ( v82 == 7 )
{
fctx.call_site = 1;
v43 = std::operator<<<std::char_traits<char>>(
(int)&std::cout,
"[*] You rolled a seven, with a six sided dice! How awesome are you?!");
v44 = std::ostream::operator<<(v43, std::endl<char,std::char_traits<char>>);
std::ostream::operator<<(v44, std::endl<char,std::char_traits<char>>);
v85 *= 2;
v85 *= 50;
v85 /= 50;
v85 += 65;
v85 -= 65;
v85 *= 42;
v85 /= 42;
v49 = time(0);
v79 = v49;
v81 = v49 - v80;
if ( v49 - v80 > 2 )
v85 *= 2;
for ( i = 0; ; ++i )
{
fctx.call_site = 1;
v50 = std::string::size((std::string *)&v87);
if ( i >= v50 )
break;
v51 = (_BYTE *)std::string::operator[]((std::string *)&v87, i);
*v51 ^= v85;
}
i = 0;
for ( j = 0; ; ++j )
{
fctx.call_site = 1;
v52 = std::string::size((std::string *)&v84);
if ( j >= v52 )
break;
v64 = (_BYTE *)std::string::operator[]((std::string *)&v84, j);
v53 = (_BYTE *)std::string::operator[]((std::string *)&v87, i);
*v64 ^= *v53;
++i;
v54 = std::string::length((std::string *)&v87);
if ( i >= v54 )
i = 0;
}
fctx.call_site = 1;
if ( std::string::find((std::string *)&v84, "ebCTF", 0) == -1 )
{
fctx.call_site = 1;
v59 = std::ostream::operator<<(&std::cout, std::endl<char,std::char_traits<char>>);
v60 = std::operator<<<std::char_traits<char>>(
v59,
"[!] It seems you did something wrong :( No flag for you.");
v61 = std::ostream::operator<<(v60, std::endl<char,std::char_traits<char>>);
std::ostream::operator<<(v61, std::endl<char,std::char_traits<char>>);
fctx.call_site = 3;
std::string::~string((std::string *)&v72);
fctx.call_site = 5;
std::string::~string((std::string *)&v73);
fctx.call_site = 7;
std::string::~string((std::string *)&v74);
fctx.call_site = 9;
std::string::~string((std::string *)&v75);
fctx.call_site = 11;
std::string::~string((std::string *)&v76);
fctx.call_site = 13;
std::string::~string((std::string *)&v77);
fctx.call_site = 15;
std::string::~string((std::string *)&v78);
fctx.call_site = 16;
std::string::~string((std::string *)&v83);
fctx.call_site = 17;
std::string::~string((std::string *)&v84);
fctx.call_site = -1;
std::string::~string((std::string *)&v87);
v65 = 0;
}
else
{
v55 = std::operator<<<std::char_traits<char>>(
(int)&std::cout,
"[*] You rolled 3-1-3-3-7, what does that make you? ELEET! \\o/");
std::ostream::operator<<(v55, std::endl<char,std::char_traits<char>>);
v56 = std::operator<<<std::char_traits<char>>((int)&std::cout, "[*] Nice job, here is the flag: ");
v57 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v56, &v84);
v58 = std::ostream::operator<<(v57, std::endl<char,std::char_traits<char>>);
std::ostream::operator<<(v58, std::endl<char,std::char_traits<char>>);
fctx.call_site = 3;
std::string::~string((std::string *)&v72);
fctx.call_site = 5;
std::string::~string((std::string *)&v73);
fctx.call_site = 7;
std::string::~string((std::string *)&v74);
fctx.call_site = 9;
std::string::~string((std::string *)&v75);
fctx.call_site = 11;
std::string::~string((std::string *)&v76);
fctx.call_site = 13;
std::string::~string((std::string *)&v77);
fctx.call_site = 15;
std::string::~string((std::string *)&v78);
fctx.call_site = 16;
std::string::~string((std::string *)&v83);
fctx.call_site = 17;
std::string::~string((std::string *)&v84);
fctx.call_site = -1;
std::string::~string((std::string *)&v87);
}
}
...

脚本:

1
2
3
4
5
6
7
8
9
10
11
12
#!/usr/bin/env python
key = [0x02, 0x37, 0x0F, 0x35, 0x0F, 0x3C, 0x15, 0x07, 0x3C, 0x30, 0x2A, 0x30, 0x55, 0x12, 0x37, 0x15, 0x1E, 0x35, 0x01, 0x51]
enc = [0x13, 0x21, 0x38, 0x15, 0x3D, 0x33, 0x57, 0x47, 0x2D, 0x27, 0x6A, 0x73, 0x44, 0x05, 0x26, 0x59, 0x5C, 0x79, 0x17, 0x44, 0x45, 0x77, 0x1A, 0x75, 0x49, 0x7D, 0x05, 0x4A, 0x78, 0x74, 0x6A, 0x70, 0x42, 0x02, 0x71, 0x05, 0x0F, 0x22, 0x08]
k = 116
flag = ''
lenEnc = len(enc)
lenKey = len(key)
for i in range(lenKey):
key[i] = key[i] ^ k
for i in range(lenEnc):
flag += chr(enc[i] ^ key[i % lenKey])
print flag

keylead

1
2
$ file keylead
keylead: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c1d5a4a7ffa57a2335f88093530dc89c1c71ec72, stripped

发现功能和前一题一模一样,就是变成了 elf,在 IDA 里各种 patch 就能直接出 flag:

1
2
3
4
5
6
7
8
9
10
┌─[root][bead49282cbc][~/tmp]
└─▪ ./keylead
hi all ----------------------
Welcome to dice game!
You have to roll 5 dices and get 3, 1, 3, 3, 7 in order.
Press enter to roll.

You rolled 5, 3, 4, 4, 5.
You rolled as I said! I'll give you the flag.
ASIS{1fc1089e328eaf737c882ca0b10fcfe6}

输出 flag 的函数也不用逆,直接照着实现就行:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
void func()
{
int v0; // ST0C_4
int v1; // ST08_4
int v2; // ST0C_4
int v3; // ST0C_4
int v4; // ST08_4
int v5; // ST0C_4
int v6; // ST08_4
int n; // [rsp+8h] [rbp-8h]
int v8; // [rsp+8h] [rbp-8h]
int i; // [rsp+8h] [rbp-8h]
int j; // [rsp+8h] [rbp-8h]
int m; // [rsp+Ch] [rbp-4h]
int v12; // [rsp+Ch] [rbp-4h]
int v13; // [rsp+Ch] [rbp-4h]
int v14; // [rsp+Ch] [rbp-4h]
int v15; // [rsp+Ch] [rbp-4h]
int v16; // [rsp+Ch] [rbp-4h]

m = 0;
n = 0;
while ( m != 1 )
{
putchar(enc[14 * m++]);
do
{
while ( n <= 1 )
putchar(enc[20 * m - 8 * n++]);
v1 = n + 1;
v2 = 3 * m;
putchar(enc[2 * v2 + 11 + v1]);
v2 *= 5;
v8 = v1 - 1;
putchar(enc[2 * v2 + v8]);
v12 = v2 / 3;
while ( 1 )
{
while ( 1 )
{
LABEL_12:
if ( !v8 )
{
putchar(enc[2 * v12]);
v15 = v12 ^ 2;
while ( 2 )
{
for ( i = 1; i <= 9; ++i )
putchar(enc[10 * (i % 2) + 3 + v15]);
v13 = v15 + 1;
LABEL_44:
putchar(enc[v13 / 3]);
if ( i == 10 )
{
v13 += 2 * v13 + 13;
i = 19;
goto LABEL_33;
}
if ( i == 2 )
{
i = v13-- + 2;
goto LABEL_4;
}
if ( (unsigned int)(i - 22) <= 0xA )
{
v14 = v13 - 3;
for ( j = i - v14; ; j = 8 )
{
LABEL_58:
putchar(enc[v14 + 1]);
v16 = v14 + 1;
if ( j == 11 )
{
v13 = (v16 + 14) / 2;
i = 11 * (v13 / 6);
goto LABEL_44;
}
if ( j != 13 )
break;
v12 = v16 + 8;
v8 = 2;
LABEL_51:
while ( 2 )
{
putchar(enc[v12 - 10]);
if ( v8 == v12 )
{
v4 = v8 + 2;
v5 = v12 + 2;
putchar(enc[v5 / 2 + v4 / 5]);
i = v4 / 2;
putchar(enc[i / 5 + v5]);
v13 = v5 + i - 1 + v5;
while ( 1 )
{
LABEL_33:
putchar(enc[v13 - 19]);
if ( i == 2 )
{
v3 = v13 + 1;
putchar(enc[v3 / 2 - 3]);
v13 = v3 / 5 + 2;
i = 2;
goto LABEL_44;
}
if ( i <= 2 )
break;
if ( i == 10 )
{
v12 = v13 - 31;
v8 = 9;
goto LABEL_51;
}
if ( i != 19 )
goto LABEL_44;
i = 2;
}
if ( i == 1 )
{
v8 = 17;
v12 = v13 % 5 - 17 + v13;
LABEL_20:
putchar(enc[v12 - v8 + 9]);
v12 += ~v8++;
continue;
}
goto LABEL_44;
}
break;
}
if ( v8 != 9 )
{
if ( v8 != 2 )
goto LABEL_12;
j = 2;
v16 = v12 - 18;
LABEL_64:
v6 = 9 * j;
putchar(enc[v16 / 2 + v6 + v6 % 10]);
m = v16 + 1;
n = v6 % 10;
goto LABEL_21;
}
putchar(enc[v12 - 16]);
v14 = v12 / 2;
}
if ( j == 8 )
{
v15 = v16 + 1;
i = 7;
continue;
}
goto LABEL_64;
}
goto LABEL_4;
}
}
if ( v8 == 2 )
break;
if ( v12 == 7 )
{
putchar(enc[21 - v8]);
v13 = 49;
i = v8 / 3;
goto LABEL_33;
}
if ( v8 != 3 )
goto LABEL_20;
putchar(enc[2 * (v12 / 3)]);
v13 = v12 / 3;
i = 9;
do
{
while ( 1 )
{
if ( v13 == 10 )
{
putchar(enc[i + 8]);
v14 = 9;
j = i + 1;
goto LABEL_58;
}
if ( v13 == 11 )
{
putchar(enc[i / 7]);
v13 = i-- - 11;
}
LABEL_4:
if ( i != 9 )
break;
putchar(enc[v13 * v13 + 7]);
v13 = v13 * v13 + 1;
i = 10;
}
}
while ( i != 13 );
putchar(enc[2 * v13 + 12]);
v8 = 3;
v12 = 3 * v13;
}
putchar(enc[3 * v12 + 1]);
v0 = v12 * v12;
putchar(enc[v0 - 15]);
m = v0 - 15;
n = 4;
putchar(enc[4]);
LABEL_21:
if ( n != 4 )
break;
putchar(enc[m + 6]);
v12 = m - 3;
v8 = 3;
}
}
while ( n != 8 );
putchar(enc[2 * m + 32]);
}
}

Reverse02

1
2
$ file Reverse02.exe
Reverse02.exe: PE32 executable (GUI) Intel 80386, for MS Windows

定位到MessageBoxA,把这部分逆一下就完事了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int func()
{
char *v0; // eax
char Dst; // [esp+0h] [ebp-38h]
char v3; // [esp+1h] [ebp-37h]
char v4; // [esp+Fh] [ebp-29h]

Dst = 0;
memset(&v3, 0, 0x30u);
strncpy_s(&Dst, 0x31u, "flag:{NSCTF_md57e0cad17016b0>?45?f7c>0>4a>1c3a0}", 0x30u);
v0 = &v4;
if ( v4 != '}' )
{
do
{
*v0 ^= 7u;
++v0;
}
while ( *v0 != '}' );
}
return MessageBoxA(0, &Dst, "Flag", 0);
}

脚本:

1
2
3
4
5
6
#!/usr/bin/env python
enc = '7e0cad17016b0>?45?f7c>0>4a>1c3a0'
flag = ''
for i in range(len(enc)):
flag += chr(ord(enc[i]) ^ 7)
print flag

Reverse 100

1
2
$ file Reverse\ 100.exe
Reverse 100.exe: PE32 executable (console) Intel 80386, for MS Windows

main 函数看到有一个密码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
int __cdecl main(int argc, const char **argv, const char **envp)
{
signed int i; // edi
char password; // [esp+10h] [ebp-104h]
char Dst; // [esp+11h] [ebp-103h]

password = 0;
memset(&Dst, 0, 0xFFu);
printf("please input ns-ctf password: ");
scanf_s("%s", &password);
for ( i = 1; strncmp("nsF0cuS!x01", &password, 0xBu); ++i )
{
printf("try again!\n");
memset(&password, 0, 0x100u);
printf("please input ns-ctf password: ");
scanf_s("%s", &password);
}
dword_403368 = 1;
if ( &password + strlen(&password) + 1 != &Dst )
{
if ( i > 3 )
{
func();
return 0;
}
printf("flag:{NSCTF_md5065ca>01??ab7e0f4>>a701c>cd17340}");
}
return 0;
}

发现和前一题一模一样:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int func()
{
char *v0; // eax
char Format; // [esp+0h] [ebp-38h]
char Dst; // [esp+1h] [ebp-37h]
char v4; // [esp+Fh] [ebp-29h]

Format = 0;
memset(&Dst, 0, 0x30u);
strncpy_s(&Format, 0x31u, "flag:{NSCTF_md5065ca>01??ab7e0f4>>a701c>cd17340}", 0x30u);
v0 = &v4;
if ( v4 != 125 )
{
do
{
*v0 ^= 7u;
++v0;
}
while ( *v0 != 125 );
}
return printf(&Format);
}

异或一下:

1
2
3
4
5
6
#!/usr/bin/env python
enc = '065ca>01??ab7e0f4>>a701c>cd17340'
flag = ''
for i in range(len(enc)):
flag += chr(ord(enc[i]) ^ 7)
print flag

第五题

1
2
$ file 5.exe
5.exe: PE32 executable (console) Intel 80386, for MS Windows

用 OD 搜索字符串,定位关键函数:

关键函数

在 IDA 里找到函数:

1
2
3
4
5
6
7
8
9
void __cdecl sub_401000()
{
int i; // [esp+0h] [ebp-18h]
char v1[20]; // [esp+4h] [ebp-14h]

for ( i = 0; i < 19; ++i )
v1[i] = off_409030[47 * i % 100];
sub_401129((int)&unk_4092CC, i);
}

正向实现一下就行了:

1
2
3
4
5
6
#!/usr/bin/env python
table = [0x28, 0x2A, 0x26, 0x54, 0x49, 0x4F, 0x75, 0x68, 0x33, 0x6C, 0x31, 0x6A, 0x34, 0x68, 0x73, 0x64, 0x38, 0x37, 0x76, 0x67, 0x68, 0x28, 0x26, 0x25, 0x59, 0x47, 0x6B, 0x6A, 0x62, 0x76, 0x62, 0x61, 0x6C, 0x64, 0x6B, 0x66, 0x68, 0x5E, 0x26, 0x25, 0x2A, 0x26, 0x5E, 0x52, 0x31, 0x32, 0x6A, 0x33, 0x62, 0x65, 0x61, 0x73, 0x6F, 0x69, 0x64, 0x68, 0x63, 0x66, 0x39, 0x48, 0x43, 0x4C, 0x4B, 0x48, 0x56, 0x28, 0x2A, 0x47, 0x48, 0x44, 0x66, 0x68, 0x62, 0x6F, 0x71, 0x69, 0x77, 0x75, 0x65, 0x66, 0x38, 0x39, 0x32, 0x71, 0x33, 0x37, 0x78, 0x63, 0x76, 0x3B, 0x6C, 0x6B, 0x6A, 0x68, 0x71, 0x61, 0x73, 0x64, 0x6C, 0x6B, 0x66, 0x6A, 0x3B, 0x6C, 0x6B, 0x63, 0x6A, 0x76, 0x3B, 0x6C, 0x4C, 0x4B, 0x48, 0x61, 0x73, 0x64, 0x66, 0x6B, 0x6C, 0x6E, 0x4C, 0x4B, 0x6A, 0x68, 0x3B, 0x6C, 0x61, 0x73, 0x6B, 0x64, 0x66, 0x68, 0x6E, 0x49, 0x4F, 0x2A, 0x26, 0x59, 0x4F, 0x49, 0x55, 0x48, 0x4E, 0x6C, 0x6B, 0x69, 0x64, 0x66, 0x68, 0x76, 0x38, 0x30, 0x37, 0x39, 0x68, 0x6C, 0x6B, 0x6A, 0x42, 0x4F, 0x49, 0x55, 0x54, 0x36, 0x74, 0x66, 0x32, 0x33, 0x70, 0x30, 0x34, 0x2D, 0x30, 0x39, 0x75, 0x6A, 0x6C, 0x76, 0x3B, 0x6B, 0x6E, 0x30, 0x39, 0x38, 0x59, 0x49, 0x55, 0x68, 0x72, 0x6C, 0x6B, 0x34, 0x72, 0x6E, 0x5B, 0x70, 0x39, 0x75, 0x64, 0x76, 0x6C, 0x6B, 0x6D, 0x31, 0x70, 0x39, 0x79, 0x68, 0x38, 0x55, 0x47, 0x6B, 0x6A, 0x68, 0x70, 0x49, 0x48, 0x52, 0x50, 0x4F, 0x4E, 0x2A, 0x26, 0x5E, 0x52, 0x46, 0x43, 0x4C, 0x4B, 0x4A, 0x4E, 0x50, 0x4F, 0x49, 0x55, 0x45, 0x57, 0x44, 0x49, 0x55, 0x48, 0x33, 0x6F, 0x34, 0x69, 0x66, 0x67, 0x6F, 0x69, 0x76, 0x63, 0x33, 0x6F, 0x39, 0x38, 0x37, 0x34, 0x39, 0x26, 0x2A, 0x66, 0x6F, 0x69, 0x6A, 0x7A, 0x78, 0x62, 0x63, 0x76, 0x2A, 0x26, 0x2A, 0x26, 0x74, 0x33, 0x32, 0x31, 0x34, 0x61, 0x73, 0x64, 0x76, 0x7A, 0x78, 0x63, 0x43, 0x4C, 0x49, 0x4B, 0x4B, 0x48, 0x39, 0x38, 0x64, 0x75, 0x79, 0x66, 0x69, 0x32, 0x77, 0x6A, 0x6E, 0x65, 0x70, 0x66, 0x6F, 0x69, 0x63, 0x70, 0x69, 0x6B, 0x76, 0x70, 0x6F, 0x69, 0x73, 0x75, 0x64, 0x66, 0x2D, 0x39, 0x30, 0x38, 0x75, 0x33, 0x34, 0x72, 0x73, 0x64, 0x3B, 0x6C, 0x64, 0x66, 0x6B, 0x6E, 0x76, 0x3B, 0x6C, 0x64, 0x6B, 0x73, 0x66, 0x68, 0x76, 0x30, 0x39, 0x38, 0x79, 0x39, 0x75, 0x69, 0x68, 0x6E, 0x30, 0x34, 0x38, 0x79, 0x66, 0x70, 0x4F, 0x49, 0x55, 0x48, 0x29, 0x28, 0x38, 0x66, 0x68, 0x34, 0x32, 0x33, 0x6B, 0x6A, 0x35, 0x74, 0x68, 0x6E, 0x67, 0x6F, 0x78, 0x66, 0x63, 0x68, 0x76, 0x6A, 0x6B, 0x6E, 0x68, 0x30, 0x28, 0x2A, 0x59, 0x6F, 0x70, 0x69, 0x65, 0x72, 0x6E, 0x74, 0x30, 0x39, 0x75, 0x38, 0x32, 0x68, 0x67, 0x6B, 0x6A, 0x64, 0x66, 0x6E, 0x63, 0x76, 0x30, 0x39, 0x38, 0x59, 0x70, 0x66, 0x6F, 0x69, 0x6E, 0x32, 0x33, 0x34, 0x70, 0x66, 0x75, 0x69, 0x68, 0x39, 0x65, 0x77, 0x75, 0x69, 0x68, 0x6E, 0x72, 0x66, 0x67, 0x4B, 0x4C, 0x4A, 0x53, 0x41, 0x4F, 0x49, 0x70, 0x65, 0x75, 0x79, 0x68, 0x34, 0x75, 0x6E, 0x66, 0x67, 0x3B, 0x66, 0x6B, 0x76, 0x62, 0x30, 0x39, 0x38, 0x34, 0x33, 0x68, 0x6B, 0x6A, 0x76, 0x6E, 0x70, 0x49, 0x2A, 0x59, 0x4F, 0x49, 0x45, 0x6E, 0x72, 0x70, 0x32, 0x6F, 0x33, 0x69, 0x6A, 0x66, 0x39, 0x69, 0x6A, 0x78, 0x64, 0x63, 0x70, 0x4C, 0x49, 0x48, 0x4A, 0x2D, 0x39, 0x38, 0x66, 0x79, 0x32, 0x33, 0x6B, 0x6E, 0x66, 0x70, 0x6F, 0x73, 0x64, 0x69, 0x75, 0x76, 0x2D, 0x33, 0x39, 0x6A, 0x65, 0x66, 0x6F, 0x69, 0x6B, 0x31, 0x68, 0x72, 0x66, 0x38, 0x39, 0x75, 0x6A, 0x66, 0x64, 0x76, 0x6D, 0x6B, 0x70, 0x49, 0x75, 0x64, 0x31, 0x69, 0x6A, 0x65, 0x2D, 0x66, 0x39, 0x32, 0x4C, 0x4F, 0x49, 0x58, 0x4A, 0x48, 0x43, 0x28, 0x49, 0x6E, 0x65, 0x6D, 0x70, 0x77, 0x71, 0x6B, 0x66, 0x6E, 0x70, 0x39, 0x32, 0x33, 0x34, 0x75, 0x66, 0x2D, 0x30, 0x65, 0x69, 0x6B, 0x66, 0x31, 0x70, 0x33, 0x69, 0x6F, 0x34, 0x66, 0x6A, 0x2D, 0x39, 0x66, 0x6F, 0x76, 0x3B, 0x6C, 0x6B, 0x77, 0x71, 0x6E, 0x66, 0x64, 0x70, 0x76, 0x69, 0x4A, 0x4F, 0x53, 0x44, 0x6A, 0x66, 0x70, 0x32, 0x6F, 0x69, 0x33, 0x72, 0x6A, 0x66, 0x2D, 0x30, 0x39, 0x64, 0x66, 0x6A, 0x76, 0x3B, 0x6C, 0x6B, 0x31, 0x33, 0x6D, 0x66, 0x69, 0x6A, 0x2D, 0x31, 0x33, 0x30, 0x39, 0x34, 0x66, 0x75, 0x71, 0x77, 0x6B, 0x6C, 0x31, 0x70, 0x5B, 0x33, 0x34, 0x30, 0x39, 0x72, 0x6F, 0x63, 0x66, 0x6D, 0x76, 0x00]
v3 = ''
for i in range(19):
v3 += chr(table[47 * i % 100])
print v3

第六题

1
2
$ file 6.exe
6.exe: PE32 executable (console) Intel 80386, for MS Windows

在 IDA 里硬逆就完事了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // eax
signed int v4; // esi
signed int v5; // eax
signed int v6; // ebx
signed int v7; // edi
signed int v8; // esi
int v9; // edx
int *v10; // eax
char v11; // cl
int *v12; // eax
char v13; // cl
char *v14; // eax
char v15; // cl
signed int v16; // esi
int *v17; // edi
signed int i; // esi
int v20; // [esp+Ch] [ebp-ACh]
signed int v21; // [esp+10h] [ebp-A8h]
int *v22; // [esp+14h] [ebp-A4h]
signed int v23; // [esp+18h] [ebp-A0h]
int v24; // [esp+1Ch] [ebp-9Ch]
int v25; // [esp+20h] [ebp-98h]
int v26; // [esp+24h] [ebp-94h]
int v27; // [esp+28h] [ebp-90h]
int v28; // [esp+2Ch] [ebp-8Ch]
int v29; // [esp+30h] [ebp-88h]
int v30; // [esp+34h] [ebp-84h]
int v31; // [esp+38h] [ebp-80h]
int v32; // [esp+3Ch] [ebp-7Ch]
int v33; // [esp+40h] [ebp-78h]
int v34; // [esp+44h] [ebp-74h]
int v35; // [esp+48h] [ebp-70h]
int v36; // [esp+4Ch] [ebp-6Ch]
int v37[3]; // [esp+50h] [ebp-68h]
char v38; // [esp+5Ch] [ebp-5Ch]
int v39; // [esp+68h] [ebp-50h]
int v40; // [esp+6Ch] [ebp-4Ch]
int v41; // [esp+70h] [ebp-48h]
__int16 v42; // [esp+74h] [ebp-44h]
int v43; // [esp+78h] [ebp-40h]
__int16 v44; // [esp+7Ch] [ebp-3Ch]
int v45; // [esp+7Eh] [ebp-3Ah]
int v46; // [esp+82h] [ebp-36h]
int v47; // [esp+86h] [ebp-32h]
__int16 v48; // [esp+8Ah] [ebp-2Eh]
int v49; // [esp+8Ch] [ebp-2Ch]
char v50; // [esp+90h] [ebp-28h]
int v51; // [esp+91h] [ebp-27h]
int v52; // [esp+95h] [ebp-23h]
int v53; // [esp+99h] [ebp-1Fh]
__int16 v54; // [esp+9Dh] [ebp-1Bh]
char v55; // [esp+9Fh] [ebp-19h]
int v56; // [esp+A0h] [ebp-18h]
__int16 v57; // [esp+A4h] [ebp-14h]
int v58; // [esp+A6h] [ebp-12h]
int v59; // [esp+AAh] [ebp-Eh]
int v60; // [esp+AEh] [ebp-Ah]
__int16 v61; // [esp+B2h] [ebp-6h]

v44 = 0;
v50 = 0;
v49 = 6451010;
v57 = 0;
v56 = 1819435331;
v40 = 1231382892;
v43 = 2036624961;
v39 = 1866884462;
v45 = 0;
v46 = 0;
v47 = 0;
v48 = 0;
v51 = 0;
v52 = 0;
v53 = 0;
v54 = 0;
v55 = 0;
v58 = 0;
v59 = 0;
v60 = 0;
v61 = 0;
v24 = 2;
v25 = 5;
v26 = 9;
v27 = 6;
v28 = 7;
v29 = 0;
v30 = 10;
v31 = 8;
v32 = 12;
v33 = 11;
v34 = 3;
v35 = 4;
v36 = 1;
v41 = 1213493864;
v42 = 101;
v23 = 0;
do
{
v3 = _time64(0);
srand(v23 + v3);
v4 = 0;
do
*(&v36 + ++v4) = rand() % 100;
while ( v4 < 3 );
v5 = 3;
v21 = 3;
do
{
v6 = 1;
if ( v5 > 1 )
{
v22 = &v49;
v7 = 28;
v8 = -12;
do
{
v9 = *(&v36 + v6);
v20 = v37[v6];
if ( v20 > v9 )
{
v10 = v22;
do
{
v11 = *(_BYTE *)v10;
LOBYTE(v10[v8]) = *(_BYTE *)v10;
v10 = (int *)((char *)v10 + 1);
}
while ( v11 );
v37[v6] = v9;
v12 = v22 - 5;
do
{
v13 = *(_BYTE *)v12;
*((_BYTE *)v12 + 20) = *(_BYTE *)v12;
v12 = (int *)((char *)v12 + 1);
}
while ( v13 );
*(&v36 + v6) = v20;
v14 = &v38;
do
{
v15 = *v14;
v14[v7] = *v14;
++v14;
}
while ( v15 );
v5 = v21;
}
v22 += 5;
++v6;
v8 -= 5;
v7 += 20;
}
while ( v6 < v5 );
}
v21 = --v5;
}
while ( v5 > 0 );
v16 = 0;
v17 = &v43;
do
{
printf("%s\t%d\n", v17, v37[v16++]);
v17 += 5;
}
while ( v16 < 3 );
if ( strcmp((const char *)&v43, "Andy") )
break;
++v23;
}
while ( v23 < 13 );
if ( !strcmp((const char *)&v43, "Andy") )
{
for ( i = 0; i < v23; ++i )
printf("%c", *((char *)&v39 + *(&v24 + i)));
}
system("pause");
return 0;
}

脚本:

1
2
3
4
5
6
7
#!/usr/bin/env python
k = [2, 5, 9, 6, 7, 0, 0xA, 8, 0xC, 0xB, 3, 4, 1]
t = 'oFen'[::-1] + 'Ieil'[::-1] + 'HTrh'[::-1] + 'e'
flag = ''
for i in range(13):
flag += t[k[i]]
print flag

第七题

1
2
$ file 7.exe
7.exe: PE32 executable (console) Intel 80386, for MS Windows

简单地异或一下:

1
2
3
4
5
6
7
8
9
10
11
_BYTE *__cdecl sub_401000(char *a1)
{
_BYTE *v2; // [esp+0h] [ebp-8h]
signed int i; // [esp+4h] [ebp-4h]

v2 = malloc(0xAu);
for ( i = 0; i < 9; ++i )
v2[i] = a1[i] + 2;
v2[9] = 0;
return v2;
}

脚本:

1
2
3
4
5
6
#!/usr/bin/env python
enc = 'asdfghjklq'
flag = ''
for i in range(9):
flag += chr(ord(enc[i]) + 2)
print flag