Yk2eR0's Blog.

nctf2020RE

2020/11/25

Reverse

re1

Attachment: https://www.yk2er0.fun/2020/11/25/nctf2020/re1

def encode(a1, a2):
    # the decompiled boolean expression from the binary, masked to one byte
    v2 = (~a2 | ~a1) & (~a2 | a1) & (a2 | a1) | (~a2 | ~a1) & (a2 | ~a1) & a2 & a1 | a2 & ~a1 | ~a2 & a1
    return ((~(32 * v2) | ~(v2 >> 3)) & (~(32 * v2) | (v2 >> 3)) & (32 * v2 | (v2 >> 3)) | (~(32 * v2) | ~(v2 >> 3)) & (
        32 * v2 | ~(v2 >> 3)) & (32 * v2 | (v2 >> 3))) & 255

# target bytes pulled out of the binary
a1 = [198, 106, 192, 39, 235, 202, 101, 2, 97, 202, 104, 39, 107, 226, 192, 224, 0, 128, 34, 39, 225, 161, 2, 39, 99, 75, 168, 227]
# ['0xc6', '0x6a', '0xc0', '0x27', '0xeb', '0xca', '0x65', '0x2', '0x61', '0xca', '0x68', '0x27', '0x6b', '0xe2', '0xc0', '0xe0', '0x0', '0x80', '0x22', '0x27', '0xe1', '0xa1', '0x2', '0x27', '0x63', '0x4b', '0xa8', '0xe3']
a2 = 'nctf'   # key, repeated every 4 bytes
res = ''
b = 0
while b < len(a1):   # was <=, which indexes one past the end of a1
    # brute-force each position over printable ASCII
    for i in range(0x20, 0x7f):
        if encode(i, ord(a2[b % 4])) == a1[b]:
            res += chr(i)
    b += 1
print(res)

First look in IDA: follow the string cross-references to find the encryption routine.

Extract the XORed bytes (IDAPython):

# run inside IDA: dump the comparison bytes at 0x407018..0x407033
a = []
for i in range(0x407018, 0x407034):
    a.append(Byte(i))
print(a)

Tracing the "win" string back, the compared bytes are stored reversed.

Brute-force it.

My brain stalled at the time: I forgot the encryption function returns a char, so an extra XOR with 255 is needed.
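As an added example (not from the original post), the decompiled boolean expression collapses to XOR followed by an 8-bit rotate-left by 5; the block below confirms that exhaustively and then inverts the check directly instead of searching printable ASCII. The byte array and key are the ones from the script above; the helper names are my own.

```python
# Added example, not the post's code: encode() is rol8(a1 ^ a2, 5), so it can be inverted.

A1 = [198, 106, 192, 39, 235, 202, 101, 2, 97, 202, 104, 39, 107, 226, 192, 224,
      0, 128, 34, 39, 225, 161, 2, 39, 99, 75, 168, 227]   # ciphertext from the binary
KEY = b"nctf"                                               # repeating 4-byte key

def encode_obfuscated(a1, a2):
    """The decompiled expression as posted, masked to one byte."""
    v2 = (~a2 | ~a1) & (~a2 | a1) & (a2 | a1) | (~a2 | ~a1) & (a2 | ~a1) & a2 & a1 | a2 & ~a1 | ~a2 & a1
    p, q = 32 * v2, v2 >> 3
    return ((~p | ~q) & (~p | q) & (p | q) | (~p | ~q) & (p | ~q) & (p | q)) & 255

def rol8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def ror8(x, n):
    return rol8(x, 8 - n)

def encode_simplified(a1, a2):
    # (~y|~x)&(~y|x)&(y|x) is x&~y, the a2&a1 term is always 0, so v2 = a1 ^ a2;
    # the second stage is (v2<<5) ^ (v2>>3) on one byte, i.e. rotate left by 5.
    return rol8(a1 ^ a2, 5)

def obfuscation_is_rol5_of_xor():
    """Exhaustively check the two forms agree for every byte pair."""
    return all(encode_obfuscated(a, b) == encode_simplified(a, b)
               for a in range(256) for b in range(256))

def decode_direct(cipher, key):
    """Invert: undo the rotate, then XOR out the repeating key."""
    return "".join(chr(ror8(c, 5) ^ key[i % len(key)]) for i, c in enumerate(cipher))

def decode_bruteforce(cipher, key):
    """The post's printable-ASCII search, kept for comparison."""
    out = ""
    for i, c in enumerate(cipher):
        for guess in range(0x20, 0x7F):
            if encode_obfuscated(guess, key[i % len(key)]) == c:
                out += chr(guess)
                break
    return out

if __name__ == "__main__":
    print(obfuscation_is_rol5_of_xor())
    print(decode_direct(A1, KEY))
```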

re2

Attachment: https://www.yk2er0.fun/2020/11/25/nctf2020/re2

The input string length is 28.

Rewriting the check function:

v4 = sub_1270((__int64)&unk_40E0);            // encode the input (custom base64)
v6 = strlen(word_4020) - 1;
v7 = 0LL;
while ( v8 != v6 )                            // XOR the encoded input with an 8-byte key
{
  v4[v7] ^= byte_40A8[(int)v7 % 8];
  v8 = v7++;
}
for ( i = 0; *(_BYTE *)(v4[i]) == word_4020[i]; ++i )   // compare byte by byte
{
  if ( i == v6 )
    right();
}

byte_40A8 is also self-encrypted (decrypted in place):

After setting a breakpoint in IDA and running under the debugger, it turns out to be

sub_1270 is identified as base64 with a swapped table; script:

import base64

# the 38 bytes the program compares against
word_4020 = [29, 1, 13, 20, 71, 105, 97, 100, 4, 40, 55, 84, 67, 6, 113, 122, 3, 12, 71, 47, 93, 121, 95, 81, 4, 0, 29, 1, 88, 125, 4, 99, 4, 91, 66, 7, 85, 70]
v5 = len(word_4020)
v7 = 0
res = ''
nctf = 'nctf2020'   # the 8-byte XOR key (byte_40A8 after its self-decryption)
Byte_40a8 = [9, 165, 29, 21, 99, 207, 120, 220, 0]   # byte_40A8 as stored statically, unused
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
print(len(a))

for i in range(len(word_4020)):
    # undo the XOR, then map the char from the reversed table back to the standard one
    res += a[-a.index(chr(word_4020[i] ^ ord(nctf[i % 8]))) - 1]
print(res)

print(base64.b64decode(res + '=='))   # 28 input bytes -> 38 chars plus two '='

re3

Found sub_402090 via string search.

sub_401AE0() contains:

# byte arrays from sub_401AE0; element 0 is the XOR key for the rest
# (the key bytes themselves are 'n' (110) and 'N' (78))
ModuleName = [110, 26, 10, 2, 2, 64, 10, 2, 2, 0]
RModuleName = ''
for i in range(1, 9):
    ModuleName[i] ^= ModuleName[0]
    RModuleName += chr(ModuleName[i])
print(RModuleName)
RProcName = ''
ProcName = [78, 58, 29, 43, 58, 7, 32, 40, 33, 60, 35, 47, 58, 39, 33, 32, 26, 38, 60, 43, 47, 42, 0]
for i in range(1, 22):
    ProcName[i] ^= ProcName[0]
    RProcName += chr(ProcName[i])
print(RProcName)

Decoding gives ModuleName = tdll.dll
ProcName = tSetInformationThread

From re3's program flow graph, sub_401060 runs first, and it in turn calls sub_401C50.

Original author: Yk2eR0

Original link: https://www.yk2er0.fun/2020/11/25/nctf2020/

Published: November 25th 2020, 8:37:31 pm

Updated: December 1st 2020, 8:36:14 pm

License: reproduction permitted for non-commercial use
