Some collected CTF exercises, including RE, misc, crypto, and web.
BUUCTF practice: RE problem 1
As the name says, running it really is easy; the command line is plain and direct:
Simple process: type the input, press Enter, done.
Checking for a packer with Exeinfo shows none.
Since there is no other useful information, drop the program straight into IDA for analysis.
As shown above, the program flow is simple and the steps are obvious; the flag is plainly visible.
IDA's F5 (decompile) gives the rough flow.
So the program reads two inputs and checks whether the two input strings are equal:
- Equal: print the flag
- Not equal: print the "Sorry" message
Note: because of the way the program runs, the output flashes by and disappears; set a breakpoint to see the printed string.
Since the program is so simple, my initial guess was that the input is compared against a fixed string already stored in the program to decide whether to print the flag.
Fixed strings in a program normally live in a data section, so I looked at the EXE with PEview and found a surprise in the .rdata section!
- This problem is fairly simple: the string is stored in plaintext and there is no packer, so dragging it into IDA Pro shows the program flow clearly and yields the flag.
- Alternatively, the flag is also plainly visible in the PE file. In that route the early estimate of the program flow was somewhat off, so finding it there was partly coincidence and partly bound to happen.
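The PEview step above can be scripted: walk the PE section table, locate .rdata by its raw file offset and size, and list the printable strings inside it. This is an added example, not code from the writeup; the PE image is a minimal constructed sample (no optional header, one section) laid out per the PE/COFF format, and the .rdata contents are made up.

```python
import struct

def build_sample_pe(rdata: bytes) -> bytes:
    """Construct a minimal PE-shaped file (not runnable) with a single .rdata section."""
    raw_ptr = 0x200  # arbitrary file offset chosen for the constructed sample
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    # COFF header: i386, 1 section, no symbols, SizeOfOptionalHeader = 0, EXE|32-bit
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # IMAGE_SECTION_HEADER (40 bytes): name, vsize, va, raw size, raw ptr, ..., flags
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata),
                      raw_ptr, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + sec
    return hdr + b"\0" * (raw_ptr - len(hdr)) + rdata

def pe_sections(data: bytes) -> dict:
    """Map section name -> (raw file offset, raw size) from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = {}
    for _ in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections[name.rstrip(b"\0").decode()] = (raw_ptr, raw_size)
        off += 40
    return sections

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    out, cur = [], bytearray()
    for b in blob + b"\0":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    return out

def section_strings(data: bytes, section: str = ".rdata") -> list:
    ptr, size = pe_sections(data)[section]
    return printable_strings(data[ptr:ptr + size])

# constructed .rdata contents: a failure message, a sample flag, and some short noise
SAMPLE_RDATA = b"Sorry, try again!\0flag{constructed_sample}\0\x01\x02ab\0"
SAMPLE_PE = build_sample_pe(SAMPLE_RDATA)
```

`section_strings(SAMPLE_PE)` returns the two messages; run it on a real binary by reading the file into `data` instead of using the constructed sample.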
```python
import base64

s = base64.b64decode("bWdqbHBPOEY/VHM6Uj9UfD9FeF5Cdg==")
for i in s:
    # XOR each byte with every character of "main" in turn
    for j in "main":
        i = i ^ ord(j)
    print(chr(i), end="")
```
```python
name = "NNNN"  # the name must be uppercase
s = 0
for i in name:
    s += ord(i)
# the serial is the byte sum XORed with the two constants
print(s ^ 0x5678 ^ 0x1234)
```
```python
flag = [0x71, 0x18, 0x59, 0x1B, 0x79, 0x42, 0x45, 0x4C]
for i in range(0, len(flag)):
    flag[i] ^= 0x32
d = []
for i in range(0, len(flag), 2):
    d.append(flag[i] ^ flag[i + 1])
t = d[0] ^ d[1] ^ d[2] ^ d[3]
for i in range(0, len(flag)):
    flag[i] ^= t
result = [chr(x) for x in flag]
print("".join(result))
```
```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    char *namebuf = "12345";
    int namesize = 5;
    char buffer[100] = { 0 };
    int i = 0;
    /* first half: name byte XOR 0x29 plus a decreasing counter, forced into 'A'..'Z' */
    do {
        char cVar5 = (namebuf[i] ^ 0x29) + namesize;
        if ((cVar5 < 'A') || ('Z' < cVar5)) {
            cVar5 = namesize + 'R';
        }
        buffer[i] = cVar5;
        (buffer + 1)[i] = 0;
        i = i + 1;
        namesize = namesize - 1;
    } while (namesize != 0);
    i = 0;
    namesize = 5;
    /* second half: same idea with XOR 0x27, written after the first five bytes */
    do {
        char cVar5 = (namebuf[i] ^ 0x27) + namesize + 1;
        if ((cVar5 < 'A') || ('Z' < cVar5)) {
            cVar5 = namesize + 'M';
        }
        (buffer + 5)[i] = cVar5;
        (buffer + 6)[i] = 0;
        i = i + 1;
        namesize = namesize - 1;
    } while (namesize != 0);
    /* final pass: shift, XOR 0xc and clamp each byte, then print the result */
    for (int j = 0; buffer[j] != 0; j++) {
        char cipher = buffer[j] + 5;
        if ('Z' < (char)cipher) {
            cipher = buffer[j] - 8;
        }
        cipher = cipher ^ 0xc;
        if ((char)cipher < 'A') {
            cipher = (char)j + 0x4b;
        } else if ('Z' < (char)cipher) {
            cipher = 0x4b - (char)j;
        }
        printf("%c", cipher);
    }
    printf("\ndone");
    system("pause");
    return 0;
}
```
```c
#include <windows.h>

/* Derives a key from the drive type and the first four bytes of the volume name,
   so the value depends on the machine the program runs on. */
DWORD init_key(void) {
    unsigned int type;
    unsigned char v1, v2;
    char VolumeNameBuffer[100] = { 0 };
    type = GetDriveTypeA(NULL);  /* NULL: the drive of the current directory */
    GetVolumeInformationA(NULL, VolumeNameBuffer, 100, NULL, NULL, NULL, NULL, 0);
    v1 = (unsigned char)type;
    v2 = 0;
    do
        v2 += *(DWORD *)VolumeNameBuffer * v1--;
    while (v1);
    *(DWORD *)VolumeNameBuffer = v2;
    return v2 ^ 2038068563;
}
```
```python
import string

name = 'HardCodeD'
buf = []
for j in range(len(name)):
    t = ord(name[j]) % 10 ^ j
    cipher = t + 2
    if 10 < cipher:
        cipher = t - 8
    buf.append(cipher)
print(buf)
# for each value, print the first printable character whose code mod 10 matches it
for i in buf:
    for j in string.printable:
        if ord(j) % 10 == i:
            print(j, end='')
            break
    else:
        print(i, 'not found')
        exit(0)
```