LitCTF-reverse学习逆向

[LitCTF 2023]世界上最棒的程序员

下载附件

运行文件

查壳

32位

IDA32载入文件，F5快捷键查看主函数main的伪代码

得到关键逻辑代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __main();
  printf("Hello CTFer~!\n");
  printf("I am Re_sign.\n");
  printf("Input 2 numbers which are the C0RE of the computer\n");
  start();
  Sleep(0x7D0u);
  return 0;
}

跟进start函数

得到关键代码以及flag

int start()
{
  int v1; // [esp+18h] [ebp-10h] BYREF
  int v2[3]; // [esp+1Ch] [ebp-Ch] BYREF

  scanf("%d", v2);
  scanf("%d", &v1);
  if ( v2[0] + v1 == 1 )
    return printf("Flag: LitCTF{I_am_the_best_programmer_ever}\n");
  printf("Wrong!Try again!\n");
  return start();
}

代码大致意思是让用户输入两个整数，使得它们的和等于 1。如果满足条件，程序会输出 flag，否则会提示错误并递归调用自身重新开始

满足条件如下

0+1=1
1+0=1
5+(−4)=1
−100+101=1

以第一个为例

查看字符串也可以拿到flag

快捷键:shift+F12

最后flag为

LitCTF{I_am_the_best_programmer_ever}

[LitCTF 2023]ez_XOR

下载附件

运行文件

需要我们输入正确的flag进行判断是否正确

查壳

32位

IDA32载入文件，F5快捷键查看主函数main的伪代码

得到关键代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *Format; // [esp+0h] [ebp-80h]
  char *Str2; // [esp+4h] [ebp-7Ch]
  const char **v6; // [esp+8h] [ebp-78h]
  char Str1[50]; // [esp+1Ch] [ebp-64h] BYREF
  _WORD v8[14]; // [esp+4Eh] [ebp-32h] BYREF
  int v9; // [esp+6Ah] [ebp-16h]
  int v10; // [esp+6Eh] [ebp-12h]
  int v11; // [esp+72h] [ebp-Eh]
  int v12; // [esp+76h] [ebp-Ah]
  int v13; // [esp+7Ah] [ebp-6h]
  __int16 v14; // [esp+7Eh] [ebp-2h]

  __main();
  strcpy((char *)v8, "E`}J]OrQF[V8zV:hzpV}fVF[t");
  v8[13] = 0;
  v9 = 0;
  v10 = 0;
  v11 = 0;
  v12 = 0;
  v13 = 0;
  v14 = 0;
  printf("Enter The Right FLAG:");
  scanf("%s", Str1);
  XOR(Str1, 3);
  if ( !strcmp(Str1, (const char *)v8) )
  {
    printf("U Saved IT!\n");
    return 0;
  }
  else
  {
    printf("Wrong!Try again!\n");
    return main((int)Format, (const char **)Str2, v6);
  }
}

关键在这

XOR(Str1, 3);

跟进XOR函数

关键代码

size_t __cdecl XOR(char *Str, int a2)
{
  size_t result; // eax
  unsigned int i; // [esp+2Ch] [ebp-Ch]

  for ( i = 0; ; ++i )
  {
    result = strlen(Str);
    if ( i >= result )
      break;
    Str[i] ^= 3 * a2;
  }
  return result;
}

传入的参数，3就是函数内的a2，字符串逐个与（3*a2）异或，也就是和9进行XOR

exp：

a = b'E`}J]OrQF[V8zV:hzpV}fVF[t'
flag = []
for x in a:
    flag.append(chr(x^9))
print("".join(flag))

运行得到

也可以直接赛博厨子一把梭

最后flag为

LitCTF{XOR_1s_3asy_to_OR}

[LitCTF 2023]enbase64

下载附件

运行文件

报错了，显示libgcc_s_dw2-1.dll缺失，下载一个libgcc_s_dw2-1.dll文件复制到这个文件的下边

运行文件

需要我们输入正确的flag判断是否正确

查壳

32位

ida载入

很明显的base加密特征

if ( strlen(Str) == 33 )

输入长度为33

跟进base函数

发现是对表进行了处理，进行basechange函数

发现换表换了48次

base换表需要找到码表

IDA动态调试

首先下断点

Local Windows debugger调试

输入33个字符

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

跟进base函数

F8 单步步过

shift+e提取字符

得到

gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND

找到密文

得到

GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju

base换表

exp:

import base64

str1 = "GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"

string1 = "gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

print (base64.b64decode(str1.translate(str.maketrans(string1,string2))))

运行得到

也可以赛博厨子一把梭

最后flag为

LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}

[LitCTF 2023]snake

下载附件

pyc文件，直接uncompyle6反编译

提示文件头错误

010查看

pyc文件的magic number是根据编译的python版本而变化的

题目是37，应该是py3.7编译

对照magic number表

enum PycMagic {    
MAGIC_1_0 = 0x00999902,    
MAGIC_1_1 = 0x00999903, 
/* Also covers 1.2 */    
MAGIC_1_3 = 0x0A0D2E89,    
MAGIC_1_4 = 0x0A0D1704,    
MAGIC_1_5 = 0x0A0D4E99,    
MAGIC_1_6 = 0x0A0DC4FC,     
MAGIC_2_0 = 0x0A0DC687,    
MAGIC_2_1 = 0x0A0DEB2A,    
MAGIC_2_2 = 0x0A0DED2D,    
MAGIC_2_3 = 0x0A0DF23B,    
MAGIC_2_4 = 0x0A0DF26D,    
MAGIC_2_5 = 0x0A0DF2B3,    
MAGIC_2_6 = 0x0A0DF2D1,    
MAGIC_2_7 = 0x0A0DF303,     
MAGIC_3_0 = 0x0A0D0C3A,    
MAGIC_3_1 = 0x0A0D0C4E,    
MAGIC_3_2 = 0x0A0D0C6C,    
MAGIC_3_3 = 0x0A0D0C9E,    
MAGIC_3_4 = 0x0A0D0CEE,    
MAGIC_3_5 = 0x0A0D0D16,    
MAGIC_3_5_3 = 0x0A0D0D17,    
MAGIC_3_6 = 0x0A0D0D33,    
MAGIC_3_7 = 0x0A0D0D42,    
MAGIC_3_8 = 0x0A0D0D55,    
MAGIC_3_9 = 0x0A0D0D61, };

010修改

保存重新进行反编译

完整代码

"""贪吃蛇"""
import random, sys, time, pygame
from pygame.locals import *
from collections import deque
SCREEN_WIDTH = 600
SCREEN_HEIGHT = 480
SIZE = 20
LINE_WIDTH = 1
SCOPE_X = (
 0, SCREEN_WIDTH // SIZE - 1)
SCOPE_Y = (2, SCREEN_HEIGHT // SIZE - 1)
FOOD_STYLE_LIST = [
 (10, (255, 100, 100)), (20, (100, 255, 100)), (30, (100, 100, 255))]
LIGHT = (100, 100, 100)
DARK = (200, 200, 200)
BLACK = (0, 0, 0)
RED = (200, 30, 30)
BGCOLOR = (40, 40, 60)

def print_text(screen, font, x, y, text, fcolor=(255, 255, 255)):
    imgText = font.render(text, True, fcolor)
    screen.blit(imgText, (x, y))


def init_snake():
    snake = deque()
    snake.append((2, SCOPE_Y[0]))
    snake.append((1, SCOPE_Y[0]))
    snake.append((0, SCOPE_Y[0]))
    return snake


def create_food(snake):
    food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
    food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])
    while (food_x, food_y) in snake:
        food_x = random.randint(SCOPE_X[0], SCOPE_X[1])
        food_y = random.randint(SCOPE_Y[0], SCOPE_Y[1])

    return (
     food_x, food_y)


def get_food_style():
    return FOOD_STYLE_LIST[random.randint(0, 2)]


def main():
    pygame.init()
    screen = pygame.display.set_mode((SCREEN_WIDTH, SCREEN_HEIGHT))
    pygame.display.set_caption("贪吃蛇")
    font1 = pygame.font.SysFont("SimHei", 24)
    font2 = pygame.font.Font(None, 72)
    fwidth, fheight = font2.size("GAME OVER")
    b = True
    snake = init_snake()
    food = create_food(snake)
    food_style = get_food_style()
    pos = (1, 0)
    game_over = True
    start = False
    score = 0
    orispeed = 0.5
    speed = orispeed
    last_move_time = None
    pause = False
    while 1:
        for event in pygame.event.get():
            if event.type == QUIT:
                sys.exit()

        screen.fill(BGCOLOR)
        for x in range(SIZE, SCREEN_WIDTH, SIZE):
            pygame.draw.line(screen, BLACK, (x, SCOPE_Y[0] * SIZE), (x, SCREEN_HEIGHT), LINE_WIDTH)

        for y in range(SCOPE_Y[0] * SIZE, SCREEN_HEIGHT, SIZE):
            pygame.draw.line(screen, BLACK, (0, y), (SCREEN_WIDTH, y), LINE_WIDTH)

        curTime = game_over or time.time()
        if curTime - last_move_time > speed and not pause:
            b = True
            last_move_time = curTime
            next_s = (snake[0][0] + pos[0], snake[0][1] + pos[1])
            if next_s == food:
                snake.appendleft(next_s)
                score += food_style[0]
                speed = orispeed - 0.03 * (score // 100)
                food = create_food(snake)
                food_style = get_food_style()
            else:
                if SCOPE_X[0] <= next_s[0] <= SCOPE_X[1]:
                    if SCOPE_Y[0] <= next_s[1] <= SCOPE_Y[1]:
                        if next_s not in snake:
                            snake.appendleft(next_s)
                            snake.pop()
                        else:
                            game_over = True
                    if not game_over:
                        pygame.draw.rect(screen, food_style[1], (food[0] * SIZE, food[1] * SIZE, SIZE, SIZE), 0)
                    for s in snake:
                        pygame.draw.rect(screen, DARK, (s[0] * SIZE + LINE_WIDTH, s[1] * SIZE + LINE_WIDTH,
                         SIZE - LINE_WIDTH * 2, SIZE - LINE_WIDTH * 2), 0)

                    print_text(screen, font1, 30, 7, f"速度: {score // 100}")
                    print_text(screen, font1, 450, 7, f"得分: {score}")
                    if score > 1000:
                        flag = [
                         30, 196,
                         52, 252, 49, 220, 7, 243,
                         3, 241, 24, 224, 40, 230,
                         25, 251, 28, 233, 40, 237,
                         4, 225, 4, 215, 40, 231,
                         22, 237, 14, 251, 10, 169]
                        for i in range(0, len(flag), 2):
                            flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119

                        print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, bytes(flag).decode(), RED)
                        pygame.display.update()
                    if game_over:
                        if start:
                            print_text(screen, font2, (SCREEN_WIDTH - fwidth) // 2, (SCREEN_HEIGHT - fheight) // 2, "GAME OVER", RED)
                pygame.display.update()


if __name__ == "__main__":
    main()

关键代码

if score > 1000:
                       flag = [
                        30, 196,
                        52, 252, 49, 220, 7, 243,
                        3, 241, 24, 224, 40, 230,
                        25, 251, 28, 233, 40, 237,
                        4, 225, 4, 215, 40, 231,
                        22, 237, 14, 251, 10, 169]
                       for i in range(0, len(flag), 2):
                           flag[i], flag[i + 1] = flag[i + 1] ^ 136, flag[i] ^ 119

exp：

flag = [
    30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230, 25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169]
for i in range(0, len(flag), 2):
    flag[i], flag[i +1] = flag[(i + 1)] ^ 136, flag[i] ^ 119
print(bytes(flag))

运行得到

最后flag为

LitCTF{python_snake_is_so_easy!}

[LitCTF 2023]程序和人有一个能跑就行了

下载附件

运行exe文件

应该也是判断输入正确的flag

查壳

32位

IDA载入查看main函数的伪代码

看到litctf

跟进sub_4015A0函数

这是rc4加密的特征

1.有很多取模操作
2.有很多256
3.有多个次数为256的循环
4.最后操作为异或

密文整理统一十六进制数

得到

0x8D, 0x6C, 0x85, 0x76, 0x32, 0x72, 0xB7, 0x40, 0x88, 0x7E, 0x95, 0xEE, 0xC5, 0xED, 0x2E, 0x71, 0x37, 0xF1, 0x4A,0x99, 0x35, 0x18, 0xA7, 0xB0, 0, 0x96, 0xB7

找一个rc4解密的脚本，密钥是litctf

exp：

def rc4_init(s_box, key, key_len):  # rc4初始化函数，产生s_box
    k = [0] * 256
    i = j = 0
    for i in range(256):
        s_box[i] = i
        k[i] = key[i % key_len]
    for i in range(256):
        j = (j + s_box[i] + ord(k[i])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
def rc4_crypt(s_box, data, data_len, key, key_len):  # rc4算法，由于异或运算的对合性，RC4加密解密使用同一套算法，加解密都是它
    rc4_init(s_box, key, key_len)
    i = j = 0
    for k in range(data_len):
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        t = (s_box[i] + s_box[j]) % 256
        data[k] ^= s_box[t]
 
if __name__ == '__main__':
    s_box = [0] * 257  # 定义存放s_box数据的列表
 
    # 此处的data即要解密的密文，需要定义成列表形式，其中的元素可以是十六进制或十进制数
    # 如果题目给出的是字符串，需要你自己先把数据处理成列表形式再套用脚本
    data = [0x8D, 0x6C, 0x85, 0x76, 0x32, 0x72, 0xB7, 0x40, 0x88, 0x7E, 0x95, 0xEE, 0xC5, 0xED, 0x2E, 0x71, 0x37, 0xF1, 0x4A,0x99, 0x35, 0x18, 0xA7, 0xB0, 0, 0x96, 0xB7] 
    #key一定要字符串
    key = "litctf"
 
    rc4_crypt(s_box, data, len(data), key, len(key))
    for i in data:
        print(chr(i), end='')

运行得到

得到的是假flag

查看main函数汇编界面

发现有两段密文，第一段就是我们左边解过的

查看右边的密文

提取

0x8D, 0x6C, 0x85, 0x76, 0x32, 0x72, 0xB7, 0x43, 0x85, 0x7B, 0x85, 0xDE, 0xC1, 0xFB, 0x2E, 0x64, 0x07, 0xC8, 0x5F, 0x9A, 0x35, 0x18, 0xAD, 0xB5, 0x15, 0x92, 0xBE, 0x1B, 0x88

重新运行脚本得到flag

最后flag为

LitCTF{welcome_to_the_litctf}

[LitCTF 2023]debase64

题目描述：

Do you know debase64？
最后有3个=，括号中内容md5=5a3ebb487ad0046e52db00570339aace

下载附件

运行文件

应该是限制输入长度

查壳

32位

IDA载入文件

首先看到是输入长度是20，然后通过函数sub_401520对输入进行处理

跟进sub_401520函数

关键代码

LABEL_19:
    v12 = v5 + 1;
    *(_BYTE *)(a2 + v5) = (4 * HIBYTE(v14)) | (BYTE2(v14) >> 4) & 3;
    if ( *v7 == 61 )
      return v12;
    v12 = v5 + 2;
    *(_BYTE *)(a2 + v5 + 1) = (16 * BYTE2(v14)) | (BYTE1(v14) >> 2) & 0xF;
    if ( *v9 == 61 )
      return v12;
    v5 += 3;
    v3 = v2;
    v2 += 4;
    v13 += 4;
    v4 = v13;
    *(_BYTE *)(a2 + v5 - 1) = (BYTE1(v14) << 6) | v14 & 0x3F;
    if ( !*(v2 - 4) )
      return v5;
  }

base64解密，首先转base编码，然后四位一组逆序输出

找到密文

提取出密文

0x46, 0xED, 0x18, 0x96, 0x56, 0x9E, 0xD2, 0x72, 0xB2, 0xB3, 0x80, 0x70, 0xFF

exp：

import base64

a = [0x46, 0xED, 0x18, 0x96, 0x56, 0x9E, 0xD2, 0x72, 0xB2, 0xB3, 0x80, 0x70, 0xFF]
flag = bytes(a)
print(base64.b64encode(flag))

运行得到

根据提示:

flag最后有3个=

整理得到

Ru0Yllae0nKys4Bw/w==

里面的/w是错的，需要爆破一下

exp：

import hashlib

key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
for i in key:
    str1 = "Y0uReallyKn0wB4s" + i + "==="
    if hashlib.md5(str1.encode('utf-8')).hexdigest() == "5a3ebb487ad0046e52db00570339aace":
        print(str1)
        break

运行得到

最后flag为

LitCTF{Y0uReallyKn0wB4s3===}

[LitCTF 2023]For Aiur

下载附件

是个游戏exe，直接pyinstxtractor解包

反编译

代码

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8

from cv2 import imread, imshow, namedWindow, WINDOW_NORMAL, FONT_HERSHEY_SIMPLEX, getTickCount, getTickFrequency, putText, LINE_AA, waitKey, getTextSize, resize, moveWindow, IMREAD_UNCHANGED, destroyAllWindows
from numpy import uint8, zeros
from ch import check
Mineral = 100
Pylonnum = 0

def buildPylon():
    global Mineral, Pylonnum
    if Mineral < 100:
        warn_img = imread('source/warn1.png')
        imshow('warning', warn_img)
        return None
    None -= 100
    img1 = imread('source/warpin.png')
    namedWindow('Pylon' + str(Pylonnum), WINDOW_NORMAL)
    imshow('Pylon' + str(Pylonnum), img1)
    font = FONT_HERSHEY_SIMPLEX
    pos = (img1.shape[1] - 300, 50)
    color = (0, 0, 0)
    thickness = 2
    timer = getTickCount() + 18 * getTickFrequency()
    if getTickCount() < timer:
        img1_copy = img1.copy()
        time_left = int((timer - getTickCount()) / getTickFrequency())
        text = 'Time left: {}s'.format(time_left)
        putText(img1_copy, text, pos, font, 1, color, thickness, LINE_AA)
        imshow('Pylon' + str(Pylonnum), img1_copy)
        if waitKey(1) & 255 == ord('q'):
            pass
        
    img2 = imread('source/Pylon.png')
    imshow('Pylon' + str(Pylonnum), img2)
    waitKey(1)
    Pylonnum += 1


def gather():
    global Mineral
    digit_value = Mineral
    icon_img = imread('source/jingtikuang.png', IMREAD_UNCHANGED)
    icon_img = resize(icon_img, (120, 120))
    bg_img = zeros(icon_img.shape, uint8, **('dtype',))
    bg_img[(0:icon_img.shape[0], 0:icon_img.shape[1], :)] = icon_img
    digit_text = str(digit_value)
    digit_size = getTextSize(digit_text, FONT_HERSHEY_SIMPLEX, 1, 2)[0]
    digit_x = bg_img.shape[1] - digit_size[0]
    digit_y = digit_size[1] + 10
    putText(bg_img, digit_text, (digit_x, digit_y), FONT_HERSHEY_SIMPLEX, 1, (0, 0, 0), 2)
    imshow('Mineral', bg_img)
    moveWindow('Mineral', 1200, 100)
    Mineral += 5

img = imread('source/Probe.png')
(new_width, new_height) = (200, 200)
img = resize(img, (new_width, new_height))
(screen_width, screen_height) = (800, 120)
(x, y) = (600, 100)
(dx, dy) = (0, 5)
namedWindow('Probe', WINDOW_NORMAL)
imshow('Probe', img)
check(Pylonnum)
imshow('Probe', img)
if y < screen_height:
    dy = 5
if y > screen_height:
    dy = -5
x = x + dx
y = y + dy
moveWindow('Probe', x, y)
if waitKey(50) & 255 == ord('g'):
    gather()
if waitKey(50) & 255 == ord('b'):
    buildPylon()
if waitKey(50) & 255 == ord('e'):
    pass

destroyAllWindows()

发现check函数

回去找到ch.pyc进行反编译

# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.8.7 (tags/v3.8.7:6503f05, Dec 21 2020, 17:59:51) [MSC v.1928 64 bit (AMD64)]
# Embedded file name: ch.py
enc = [
 98, 77, 94, 91, 92, 107, 125, 66, 87, 70, 113, 92, 83, 70, 85, 81, 
 19, 21, 109, 99, 87, 107, 127, 65, 65, 64, 109, 87, 93, 90, 65, 
 64, 64, 65, 81, 3, 109, 85, 86, 80, 91, 64, 91, 91, 92, 0, 94, 
 107, 66, 77, 94, 91, 92, 71]
lis = []
 
def check(num):
    flag = 'LitCTF{'
    if num % 2 == 0:
        if num % 4 == 0:
            if num % 6 == 0:
                if num % 8 == 0:
                    if num % 12 == 0:
                        if num % 13 == 11:
                            k = str(num)
                            for i in range(len(enc)):
                                flag += chr(ord(k[i % len(k)]) ^ enc[i])
                                lis.append(ord(k[i % len(k)]) ^ enc[i])
                            else:
                                flag += '}'
                                from cv2 import imread, imshow, namedWindow, WINDOW_NORMAL, FONT_HERSHEY_SIMPLEX, getTickCount, getTickFrequency, putText, LINE_AA, waitKey, getTextSize, resize, moveWindow, IMREAD_UNCHANGED, destroyAllWindows
                                from numpy import uint8, zeros
                                img = zeros((200, 20000, 3), uint8)
                                img.fill(255)
                                text = flag
                                font = FONT_HERSHEY_SIMPLEX
                                pos = (50, 120)
                                color = (0, 0, 0)
                                thickness = 2
                                putText(img, text, pos, font, 1, color, thickness, LINE_AA)
                                imshow('flag', img)
                                waitKey(0)
                                destroyAllWindows()
# okay decompiling D:\CTF\RE\pyinstxtractor-2023.02\Probe.exe_extracted\PYZ-00.pyz_extracted\ch.pyc

exp：

enc = [
    98,
    77,
    94,
    91,
    92,
    107,
    125,
    66,
    87,
    70,
    113,
    92,
    83,
    70,
    85,
    81,
    19,
    21,
    109,
    99,
    87,
    107,
    127,
    65,
    65,
    64,
    109,
    87,
    93,
    90,
    65,
    64,
    64,
    65,
    81,
    3,
    109,
    85,
    86,
    80,
    91,
    64,
    91,
    91,
    92,
    0,
    94,
    107,
    66,
    77,
    94,
    91,
    92,
    71
]
 
flag = 'LitCTF{'
lis = []
 
for num in range(0, 120):
    if num % 2 == 0 and num % 4 == 0 and num % 6 == 0 and num % 8 == 0 and num % 12 == 0 and num % 13 == 11:
        k = str(num)
        for i in range(len(enc)):
            flag += chr(ord(k[i % len(k)]) ^ enc[i])
            lis.append(ord(k[i % len(k)]) ^ enc[i])
flag += '}'
print(flag)

运行得到

最后flag为

LitCTF{Pylon_OverCharge!!_We_Must_construc7_addition4l_pylons}