ctfshow 1024 Cup, partial writeups
阿新 • Published: 2020-10-25
Virus scan-and-kill
Check for a packer: it looks packed.
krnln.fnr is the E-language (易語言) core library, which means E-language signatures can be used on it.
The UI is decent. Having a UI means there are button events.
At the start of the krnln.fnr library, press Ctrl+B and binary-search for
ff 55 fc 5f 5e
This is where the E-language button event dispatch is.
Enter test data, click 開通vip (Activate VIP), and execution breaks at the breakpoint just set.
F7 to step into it, then keep single-stepping.
Where there is junk code (花指令), clean it up in the simple way.
0040AB73 55 push ebp ; "Activate VIP" button handler
0040AB74 8BEC mov ebp,esp
0040AB76 81EC 24000000 sub esp,0x24
0040AB7C C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
0040AB83 C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
0040AB8A C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
0040AB91 C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
0040AB98 6A FF push -0x1
0040AB9A 6A 08 push 0x8
0040AB9C 68 03000116 push 0x16010003
0040ABA1 68 01000152 push 0x52010001
0040ABA6 E8 1F040000 call re3_(1).0040AFCA ; fetch the card-number string
0040ABAB 83C4 10 add esp,0x10
0040ABAE 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040ABB1 F9 stc
0040ABB2 72 01 jb short re3_(1).0040ABB5
0040ABB4 90 nop
0040ABB5 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ABB8 50 push eax
0040ABB9 8B5D FC mov ebx,dword ptr ss:[ebp-0x4] ; ntdll.76FEABD7
0040ABBC 85DB test ebx,ebx
0040ABBE 74 09 je short re3_(1).0040ABC9
0040ABC0 53 push ebx
0040ABC1 E8 EC030000 call re3_(1).0040AFB2 ; error callback
0040ABC6 83C4 04 add esp,0x4
0040ABC9 58 pop eax
0040ABCA 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040ABCD 6A FF push -0x1
0040ABCF 6A 08 push 0x8
0040ABD1 68 05000116 push 0x16010005
0040ABD6 68 01000152 push 0x52010001
0040ABDB E8 EA030000 call re3_(1).0040AFCA ; fetch the card-password string
0040ABE0 83C4 10 add esp,0x10
0040ABE3 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040ABE6 EB 01 jmp short re3_(1).0040ABE9
0040ABE8 90 nop
0040ABE9 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ABEC 50 push eax
0040ABED 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]
0040ABF0 85DB test ebx,ebx
0040ABF2 74 09 je short re3_(1).0040ABFD
0040ABF4 53 push ebx
0040ABF5 E8 B8030000 call re3_(1).0040AFB2 ; error callback
0040ABFA 83C4 04 add esp,0x4
0040ABFD 58 pop eax
0040ABFE 8945 F8 mov dword ptr ss:[ebp-0x8],eax
0040AC01 6A FF push -0x1
0040AC03 6A 08 push 0x8
0040AC05 68 07000116 push 0x16010007
0040AC0A 68 01000152 push 0x52010001
0040AC0F E8 B6030000 call re3_(1).0040AFCA ; fetch the account string
0040AC14 83C4 10 add esp,0x10
0040AC17 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040AC1A 90 nop
0040AC1B 90 nop
0040AC1C 90 nop
0040AC1D 90 nop
0040AC1E 90 nop
0040AC1F 90 nop
0040AC20 90 nop
0040AC21 90 nop
0040AC22 90 nop
0040AC23 90 nop
0040AC24 B9 8B45EC50 mov ecx,0x50EC458B
0040AC29 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
0040AC2C 85DB test ebx,ebx
0040AC2E 74 09 je short re3_(1).0040AC39
0040AC30 53 push ebx
0040AC31 E8 7C030000 call re3_(1).0040AFB2 ; error callback
0040AC36 83C4 04 add esp,0x4
0040AC39 58 pop eax
0040AC3A 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040AC3D 90 nop
0040AC3E 90 nop
0040AC3F 90 nop
0040AC40 90 nop
0040AC41 FF75 F4 push dword ptr ss:[ebp-0xC]
0040AC44 68 06A14000 push re3_(1).0040A106 ; &vip=
0040AC49 FF75 F8 push dword ptr ss:[ebp-0x8]
0040AC4C 68 0CA14000 push re3_(1).0040A10C ; &password=
0040AC51 FF75 FC push dword ptr ss:[ebp-0x4] ; ntdll.76FEABD7
0040AC54 68 17A14000 push re3_(1).0040A117 ; https://ctfer.com/vip.php?username=
0040AC59 B9 06000000 mov ecx,0x6
0040AC5E E8 0FFEFFFF call re3_(1).0040AA72 ; string concatenation, builds the URL
0040AC63 83C4 18 add esp,0x18
0040AC66 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040AC69 68 04000080 push 0x80000004
0040AC6E 6A 00 push 0x0
0040AC70 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040AC73 85C0 test eax,eax
0040AC75 75 05 jnz short re3_(1).0040AC7C
0040AC77 B8 3BA14000 mov eax,re3_(1).0040A13B ; ā
0040AC7C 50 push eax
0040AC7D 68 01000000 push 0x1
0040AC82 BB 1C000000 mov ebx,0x1C
0040AC87 B8 01000000 mov eax,0x1
0040AC8C EB 01 jmp short re3_(1).0040AC8F
0040AC8E 90 nop
0040AC8F E8 2A030000 call re3_(1).0040AFBE ; web request; eventually returns the response data
0040AC94 83C4 10 add esp,0x10
0040AC97 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0040AC9A 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
0040AC9D 85DB test ebx,ebx
0040AC9F 74 09 je short re3_(1).0040ACAA
0040ACA1 53 push ebx
0040ACA2 E8 0B030000 call re3_(1).0040AFB2
0040ACA7 83C4 04 add esp,0x4
0040ACAA 6A 00 push 0x0
0040ACAC 6A 00 push 0x0
0040ACAE 6A 00 push 0x0
0040ACB0 68 01030080 push 0x80000301
0040ACB5 6A 00 push 0x0
0040ACB7 68 0A000000 push 0xA
0040ACBC 68 05000080 push 0x80000005
0040ACC1 6A 00 push 0x0
0040ACC3 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040ACC6 85C0 test eax,eax
0040ACC8 75 05 jnz short re3_(1).0040ACCF
0040ACCA B8 3CA14000 mov eax,re3_(1).0040A13C
0040ACCF 50 push eax
0040ACD0 68 03000000 push 0x3
0040ACD5 BB 9C010000 mov ebx,0x19C
0040ACDA EB 01 jmp short re3_(1).0040ACDD
0040ACDC 90 nop
0040ACDD E8 D6020000 call re3_(1).0040AFB8
0040ACE2 83C4 28 add esp,0x28 ; change the "false" in eax to "true" here and the flag is obtained
0040ACE5 8945 DC mov dword ptr ss:[ebp-0x24],eax
0040ACE8 8955 E0 mov dword ptr ss:[ebp-0x20],edx
0040ACEB 894D E4 mov dword ptr ss:[ebp-0x1C],ecx ; re3_(1).0040A144
0040ACEE 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
0040ACF1 85DB test ebx,ebx
0040ACF3 74 09 je short re3_(1).0040ACFE
0040ACF5 53 push ebx
0040ACF6 E8 B7020000 call re3_(1).0040AFB2
0040ACFB 83C4 04 add esp,0x4
0040ACFE F9 stc
0040ACFF 72 01 jb short re3_(1).0040AD02
0040AD01 90 nop
0040AD02 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040AD05 81F9 04000080 cmp ecx,0x80000004
0040AD0B 74 0D je short re3_(1).0040AD1A
0040AD0D 68 05000000 push 0x5
0040AD12 E8 AD020000 call re3_(1).0040AFC4
0040AD17 83C4 04 add esp,0x4
0040AD1A 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
0040AD1D 50 push eax
0040AD1E 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
0040AD21 85DB test ebx,ebx
0040AD23 74 09 je short re3_(1).0040AD2E
0040AD25 53 push ebx
0040AD26 E8 87020000 call re3_(1).0040AFB2
0040AD2B 83C4 04 add esp,0x4
0040AD2E 58 pop eax
0040AD2F 8945 F0 mov dword ptr ss:[ebp-0x10],eax
0040AD32 F9 stc
0040AD33 72 01 jb short re3_(1).0040AD36
0040AD35 90 nop
0040AD36 68 44A14000 push re3_(1).0040A144 ; ASCII "true"
0040AD3B FF75 F0 push dword ptr ss:[ebp-0x10]
0040AD3E E8 8BFDFFFF call re3_(1).0040AACE
0040AD43 83C4 08 add esp,0x8
0040AD46 83F8 00 cmp eax,0x0
0040AD49 0F85 7B010000 jnz re3_(1).0040AECA ; simply nop-ing this out does not work, there is a second check below
0040AD4F BB 06000000 mov ebx,0x6 ; not analysing the rest, I'm a lazy dog
0040AD54 E8 12FEFFFF call re3_(1).0040AB6B
0040AD59 68 01030080 push 0x80000301
0040AD5E 6A 00 push 0x0
0040AD60 68 00000000 push 0x0
0040AD65 68 04000080 push 0x80000004
0040AD6A 6A 00 push 0x0
0040AD6C 68 49A14000 push re3_(1).0040A149 ; "VIP activated!"
0040AD71 68 04000000 push 0x4
0040AD76 BB 00030000 mov ebx,0x300
0040AD7B EB 01 jmp short re3_(1).0040AD7E
0040AD7D 90 nop
0040AD7E E8 35020000 call re3_(1).0040AFB8
0040AD83 83C4 34 add esp,0x34
0040AD86 EB 01 jmp short re3_(1).0040AD89
0040AD88 87FF xchg edi,edi
0040AD8A ^ 75 F4 jnz short re3_(1).0040AD80
0040AD8C 68 06A14000 push re3_(1).0040A106 ; ASCII "&vip="
0040AD91 FF75 F8 push dword ptr ss:[ebp-0x8]
0040AD94 68 56A14000 push re3_(1).0040A156 ; &passwOrd=
0040AD99 FF75 FC push dword ptr ss:[ebp-0x4] ; ntdll.76FEABD7
0040AD9C 68 17A14000 push re3_(1).0040A117 ; https://ctfer.com/vip.php?username=
0040ADA1 B9 06000000 mov ecx,0x6
0040ADA6 E8 C7FCFFFF call re3_(1).0040AA72
0040ADAB 83C4 18 add esp,0x18
0040ADAE 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040ADB1 68 04000080 push 0x80000004
0040ADB6 6A 00 push 0x0
0040ADB8 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ADBB 85C0 test eax,eax
0040ADBD 75 05 jnz short re3_(1).0040ADC4
0040ADBF B8 3BA14000 mov eax,re3_(1).0040A13B ; ā
0040ADC4 50 push eax
0040ADC5 68 01000000 push 0x1
0040ADCA BB 1C000000 mov ebx,0x1C
0040ADCF B8 01000000 mov eax,0x1
0040ADD4 EB 01 jmp short re3_(1).0040ADD7
0040ADD6 7A E8 jpe short re3_(1).0040ADC0
0040ADD8 E2 01 loopd short re3_(1).0040ADDB
0040ADDA 0000 add byte ptr ds:[eax],al
0040ADDC 83C4 10 add esp,0x10
0040ADDF 8945 E8 mov dword ptr ss:[ebp-0x18],eax
0040ADE2 8B5D EC mov ebx,dword ptr ss:[ebp-0x14]
0040ADE5 85DB test ebx,ebx
0040ADE7 74 09 je short re3_(1).0040ADF2
0040ADE9 53 push ebx
0040ADEA E8 C3010000 call re3_(1).0040AFB2
0040ADEF 83C4 04 add esp,0x4
0040ADF2 6A 00 push 0x0
0040ADF4 6A 00 push 0x0
0040ADF6 6A 00 push 0x0
0040ADF8 68 01030080 push 0x80000301
0040ADFD 6A 00 push 0x0
0040ADFF 68 0A000000 push 0xA
0040AE04 68 05000080 push 0x80000005
0040AE09 6A 00 push 0x0
0040AE0B 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040AE0E 85C0 test eax,eax
0040AE10 75 05 jnz short re3_(1).0040AE17
0040AE12 B8 3CA14000 mov eax,re3_(1).0040A13C
0040AE17 50 push eax
0040AE18 68 03000000 push 0x3
0040AE1D BB 9C010000 mov ebx,0x19C
0040AE22 F9 stc
0040AE23 72 01 jb short re3_(1).0040AE26
0040AE25 8ee8 mov gs,eax
0040AE27 8D01 lea eax,dword ptr ds:[ecx]
0040AE29 0000 add byte ptr ds:[eax],al
0040AE2B 83C4 28 add esp,0x28
0040AE2E 8945 DC mov dword ptr ss:[ebp-0x24],eax
0040AE31 8955 E0 mov dword ptr ss:[ebp-0x20],edx
0040AE34 894D E4 mov dword ptr ss:[ebp-0x1C],ecx ; re3_(1).0040A144
0040AE37 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18]
0040AE3A 85DB test ebx,ebx
0040AE3C 74 09 je short re3_(1).0040AE47
0040AE3E 53 push ebx
0040AE3F E8 6E010000 call re3_(1).0040AFB2
0040AE44 83C4 04 add esp,0x4
0040AE47 BB 06000000 mov ebx,0x6
0040AE4C E8 1AFDFFFF call re3_(1).0040AB6B
0040AE51 68 01030080 push 0x80000301
0040AE56 6A 00 push 0x0
0040AE58 68 00000000 push 0x0
0040AE5D 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040AE60 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
0040AE63 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
0040AE66 81F9 04000080 cmp ecx,0x80000004
0040AE6C 75 0B jnz short re3_(1).0040AE79
0040AE6E 85C0 test eax,eax
0040AE70 75 18 jnz short re3_(1).0040AE8A
0040AE72 B8 3BA14000 mov eax,re3_(1).0040A13B ; ā
0040AE77 EB 11 jmp short re3_(1).0040AE8A
0040AE79 81F9 05000080 cmp ecx,0x80000005
0040AE7F 75 09 jnz short re3_(1).0040AE8A
0040AE81 85C0 test eax,eax
0040AE83 75 05 jnz short re3_(1).0040AE8A
0040AE85 B8 3CA14000 mov eax,re3_(1).0040A13C
0040AE8A 51 push ecx ; re3_(1).0040A144
0040AE8B 52 push edx
0040AE8C 50 push eax
0040AE8D 68 04000000 push 0x4
0040AE92 BB 00030000 mov ebx,0x300
0040AE97 F9 stc
0040AE98 72 01 jb short re3_(1).0040AE9B
0040AE9A B0 E8 mov al,0xE8
0040AE9C 1801 sbb byte ptr ds:[ecx],al
0040AE9E 0000 add byte ptr ds:[eax],al
0040AEA0 83C4 34 add esp,0x34
0040AEA3 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040AEA6 81F9 04000080 cmp ecx,0x80000004
0040AEAC 74 0C je short re3_(1).0040AEBA
0040AEAE 81F9 05000080 cmp ecx,0x80000005
0040AEB4 0F85 10000000 jnz re3_(1).0040AECA
0040AEBA 8B5D DC mov ebx,dword ptr ss:[ebp-0x24]
0040AEBD 85DB test ebx,ebx
0040AEBF 74 09 je short re3_(1).0040AECA
0040AEC1 53 push ebx
0040AEC2 E8 EB000000 call re3_(1).0040AFB2
0040AEC7 83C4 04 add esp,0x4
0040AECA BB 06000000 mov ebx,0x6
0040AECF E8 97FCFFFF call re3_(1).0040AB6B
0040AED4 68 01030080 push 0x80000301
0040AED9 6A 00 push 0x0
0040AEDB 68 00000000 push 0x0
0040AEE0 68 04000080 push 0x80000004
0040AEE5 6A 00 push 0x0
0040AEE7 68 61A14000 push re3_(1).0040A161 ; "VIP activation failed, please check that the card number and card password are correct!"
0040AEEC 68 04000000 push 0x4
0040AEF1 BB 00030000 mov ebx,0x300
0040AEF6 EB 01 jmp short re3_(1).0040AEF9
0040AEF8 0FE8BA 00000083 psubsb mm7,qword ptr ds:[edx-0x7D000000]
0040AEFF c4348b les esi,fword ptr ds:[ecx*4+ebx]
0040AF02 5D pop ebp
0040AF03 FC cld
0040AF04 85DB test ebx,ebx
0040AF06 74 09 je short re3_(1).0040AF11
0040AF08 53 push ebx
0040AF09 E8 A4000000 call re3_(1).0040AFB2
0040AF0E 83C4 04 add esp,0x4
0040AF11 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8]
0040AF14 85DB test ebx,ebx
0040AF16 74 09 je short re3_(1).0040AF21
0040AF18 53 push ebx
0040AF19 E8 94000000 call re3_(1).0040AFB2
0040AF1E 83C4 04 add esp,0x4
0040AF21 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC]
0040AF24 85DB test ebx,ebx
0040AF26 74 09 je short re3_(1).0040AF31
0040AF28 53 push ebx
0040AF29 E8 84000000 call re3_(1).0040AFB2
0040AF2E 83C4 04 add esp,0x4
0040AF31 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10]
0040AF34 85DB test ebx,ebx
0040AF36 74 09 je short re3_(1).0040AF41
0040AF38 53 push ebx
0040AF39 E8 74000000 call re3_(1).0040AFB2
0040AF3E 83C4 04 add esp,0x4
0040AF41 8BE5 mov esp,ebp
0040AF43 5D pop ebp
0040AF44 C3 retn
A web request: https://ctfer.com/vip.php returns true when verification succeeds and false when it fails. There is a second check further down, so the instruction cannot simply be patched; instead, the data returned by the web request can be modified.
getflag
flag{ctfshow_1024_re_3_flag_here}
Then there is the second check, which I did not bother with.
misc _ Sign-in
The hint given:
A map; every intersection has a number; the flag was lost among them; the flag's intersection numbers are consecutive.
- the flag string is non-contiguous, or rather incomplete
- the flag's intersection numbers are consecutive
- the first number is the previous intersection and the second number is the next intersection; I did not work out what the third number is
- the hint gave the challenge author's id: 9u4ck
So just search for it directly (luck-dependent). I recommend Sublime here; it handles text very quickly, especially searching.
56520 78210 35498184 9u4fl
78210 81068 79650456 ag{We
81068 86056 65454545 lcom
86056 89556 16548421 _102
89556 91205 26568154 4_Cha
91205 94156 566512548 lleng
94156 96825 15487856 _9u4
96825 98155 156565645 ck}56
A small trick: when searching, put a space after the second number; it filters out a lot of noise.
getflag
flag{Welcom_1024_Challeng_9u4ck}
re_ Abstract language
First restore the Python bytecode by hand, then hand-compute the binary, and finally work it out character by character. It took me roughly three hours.
My working notes were on the machine at home and I forgot to save them, which is painful, so I will not demonstrate it here.
#coding = utf-8
import base64
k = 0
# c = b'<that pile of byte arrays from the challenge, base64-encoded>' (not saved; empty placeholder)
c = b''
i = 0
def x(n):
    """check whether 2**k-1 satisfies the condition (the real test was not saved; this stub always returns False)"""
    return False
c = base64.b64decode(c).split(b',')   # bytes must be split on b',' rather than ','
z = lambda n : 2**n-1
out = ''   # accumulate outside the loop, otherwise only the last character survives
while len(c) > i and k < 200000:   # upper bound so the stub cannot loop forever
    if x(z(k)):
        out += chr(int(c[i]) ^ z(k))
        i += 1
    k += 1
print(out.join(['flag{','}']))
It was roughly like this. For the rest it is best to compute by hand; this script runs very slowly (the eighth character took a long time). The later ones follow a pattern:
when a big number is XORed with a big number, the leading digits must be equal, so a straight iteration is enough. Also, the exponents are all primes, which is nice; the largest is around 10,000 or 100,000-something.
l = [2,3,7,9,13,17,19,31,61,89]
#coding = utf-8
power = lambda n: 2**n
for i in range(31,10000000,2):
    if str(power(i)).count("要匹配的值") != 0:   # "要匹配的值" is a placeholder for the digits to match
        print("第%d次, 值為:"%i,power(i))       # "iteration %d, value:"
        break
Automation script
c = ['123123123412312','1231231278461273']   # placeholder ciphertext values
start = 6   # start from the seventh value; the first few are easy to do by hand
cindex = start
l = []
for i in range(61,10000000,2):
    if cindex >= len(c):   # stop once every value has an exponent
        break
    if str(pow(2,i)).count(c[cindex][:4]) != 0:
        l.append(i)
        cindex += 1
flag = ''
for i in range(len(l)):
    flag += chr(pow(2, l[i]) ^ int(c[start + i]))   # pow needs base and exponent; c is offset by the starting index
print(flag)
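As an added example serving both the "leading digits must be equal" reasoning above and the automation script (none of this is the writeup's code): a reconstruction of the decrypt loop with an encoder for generating test data, a Lucas-Lehmer test standing in for the condition the x() stub left out, the author's decimal-prefix criterion, and a decoder that derives each exponent from the ciphertext's bit length instead of searching. Assumptions: that the challenge's condition is "2**k - 1 is prime" (the recovered exponent list 2, 3, 7, 13, 17, 19, 31, 61, 89 matches the Mersenne-prime exponents, but the page never states this), that each character is XORed with 2**k - 1 as the first script does, and that the sample plaintext is constructed here.

```python
from typing import List


def is_mersenne_prime(p: int) -> bool:
    """Lucas-Lehmer test: True when 2**p - 1 is prime.
    Assumption: this is the "condition" the writeup's x() stub stood for."""
    if p == 2:
        return True
    if p < 2 or any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        return False  # 2**p - 1 can only be prime when p itself is prime
    m = (1 << p) - 1
    s = 4
    for _ in range(p - 2):
        s = (s * s - 2) % m
    return s == 0


def mersenne_exponents(limit: int) -> List[int]:
    """Exponents p < limit with 2**p - 1 prime, in increasing order."""
    return [p for p in range(2, limit) if is_mersenne_prime(p)]


def encode(body: str, exps: List[int]) -> List[str]:
    """Constructed encoder mirroring the recovered decrypt loop: character i is
    XORed with 2**exps[i] - 1 and stored as a decimal string."""
    if len(body) > len(exps):
        raise ValueError("not enough exponents for the body")
    return [str(ord(ch) ^ ((1 << p) - 1)) for ch, p in zip(body, exps)]


def author_prefix_check(c: str, k: int, digits: int = 4) -> bool:
    """The writeup's search criterion: the leading decimal digits of 2**k occur
    in the ciphertext, because XOR with a printable byte only disturbs the low
    7 bits of a number that is dozens or hundreds of bits long."""
    return str(1 << k).count(c[:digits]) != 0


def decode(cipher: List[str]) -> str:
    """Recover the plaintext without brute-forcing large exponents.

    For k >= 8, c = (2**k - 1) ^ ord(ch) = (2**k - 1) - ord(ch) still has bit
    k-1 set, so k == c.bit_length(): the bit-level form of the "leading digits
    must match" observation, with no search at all.  For the small exponents at
    the start the bit length is ambiguous, so those scan increasing
    Mersenne-prime exponents and take the first that yields printable ASCII.
    """
    out = []
    prev_k = 0
    for c in cipher:
        c_int = int(c)
        if c_int.bit_length() >= 8:
            k = c_int.bit_length()
        else:
            k = prev_k + 1
            while not (is_mersenne_prime(k) and 32 <= (c_int ^ ((1 << k) - 1)) < 127):
                k += 1
                if k > 64:
                    raise ValueError("no small exponent fits %s" % c)
        ch = c_int ^ ((1 << k) - 1)
        if not 32 <= ch < 127:
            raise ValueError("exponent %d gives a non-printable byte for %s" % (k, c))
        out.append(chr(ch))
        prev_k = k
    return "".join(out)


if __name__ == "__main__":
    exps = mersenne_exponents(700)          # 2, 3, 5, 7, 13, ..., 521, 607
    cipher = encode("Mersenne42!!", exps)   # constructed plaintext
    print(cipher)
    print(decode(cipher))
    print(author_prefix_check(encode("x", [61])[0], 61))
```

The decimal-prefix criterion is what makes the author's script slow: it has to materialise str(2**i) for every odd i, whereas the bit-length shortcut reads the exponent straight off the ciphertext and only needs the primality test for the handful of exponents below 8.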