学习一下攻防世界reverse专题😀

logmein (动调)

动调出来右边的值就可以了

1
2
3
flag = 	[0x52,0x43,0x33,0x2d,0x32,0x30,0x31,0x36,0x2d,0x58,0x4f,0x52,0x49,0x53,0x47,0x55,0x44]
for i in flag:
	print(chr(i),end = "")

RC3-2016-XORISGUD

insanity

9447{This_is_a_flag}

python-trade

在线pyc反汇编

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import base64

def encode(message):
    s = ''
    for i in message:
        x = ord(i) ^ 32
        x = x + 16
        s += chr(x)
    
    return base64.b64encode(s)

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
if encode(flag) == correct:
    print 'correct'
else:
    print 'wrong'
1
2
3
4
5
6
7
8
import base64
string = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
string2 = base64.b64decode(string)
string2 = [int(hex(i),16) for i in string2]
flag = ""
for i in range(len(string2)):
	flag += chr((string2[i]-16) ^ 32)
print(flag)

nctf{d3c0mpil1n9_PyC}

re (动调)

先查个壳,动调一下就出来了

DUTCTF{We1c0met0DUTCTF}

game (动调)

说一下思路,直接修改汇编,跳转到最后成功的函数中,然后动调出最后的v2数组(0x73是第二个值)

1
2
3
4
5
flag = [0x7a,0x73,0x63,0x74,0x66,0x7B,0x54,0x39,0x69,0x73,0x5f,0x74,0x4f,0x70,0x69,0x63,\
0x5f,0x31,0x73,0x5f,0x76,0x35,0x72,0x79,0x5f,0x69,0x6e,0x74,0x37,0x72,0x65,0x73,0x74,0x69,0x6e,0x67\
,0x5f,0x62,0x36,0x74,0x5f,0x6f,0x74,0x68,0x65,0x72,0x73,0x5f,0x61,0x72,0x65,0x5f,0x6e,0x30,0x74,0x7d]
for i in flag:
	print(chr(i),end= "")

zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}

Hello,CTF

题目的意思就是把flag,转成16进制数

1
2
3
flag = [0x43,0x72,0x61,0x63,0x6b,0x4d,0x65,0x4a,0x75,0x73,0x74,0x46,0x6f,0x72,0x46,0x75,0x6e]
for i in flag:
	print(chr(i),end = "")

或者:

1
2
3
from Crypto.Util.number import *
f = 0x437261636b4d654a757374466f7246756e
print(long_to_bytes(f))

no-strings-attached(动调)

但是没有关系,我们不需要修补程序

我们跟进decrypt函数,查看汇编之后,我们去内存中查找[eax],就能查看flag了

19447{you_are_an_international_mystery}

csaw2013reversing2(动调)

先用的ida调试,看一下整体布局,发现有一个反调试函数,跳过之后,发现flag旁边还有一块,没有运行过

直接运行右边的flag是这个样子

转到x32dbg,找到main函数入口点

这边有个int3,需要nop掉,不然执行不下去

nop掉跳转语句,messageA函数执行,但是没有结果

到这边还会跳转,我们继续nop掉跳转,让程序完整的执行代码

getit

开始认真了,先查个壳

貌似是在/tmp目录下下一个flag.txt文件,然后还会把flag文件给删掉

在这边下个断点,一直f9

t字符串变成了harifCTF{b70c59275fcfa8aebf2d5911223c6589}

但是flag不对

看了好一会儿,才注意到,harif……前面还有一个0x53,麻了……选中他们,然后按a键转换成字符串。当然要是想好玩一点,也可以把下面的u,转换成t就行,flag的值就写道文本文档里了。

maze

放到ida64中查看

地图:

长度为64,推测是8*8

1
2
3
maze = "  *******   *  **** * ****  * ***  *#  *** *** ***     *********"
for i in range(8):
	print(maze[i*8:(i+1)*8])

猜测O为右,o为左,.为上,0为下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
string = "右下右右下下左下下下右右右右上上左左"
direction = ""
for i in string:
	if i == "右":
		direction += "O"
	elif i == "左":
		direction += "o"
	elif i == "下":
		direction += "0"
	elif i == "上":
		direction += "."
flag = "nctf{"+direction+"}"
print(len(flag))
print(flag)

nctf{O0OO00o000OOOO..oo}