adworld

简单题 1

Reversing-x64Elf-100

/*
 * Decompiler view of the challenge binary's entry point.
 *
 * Prompts for a password, reads one line from stdin and hands the buffer
 * to sub_4006FD(). A zero result prints "Nice!"; any other result prints
 * "Incorrect password!".
 *
 * Returns 0 when fgets() fails or the password is accepted, 1 otherwise.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
    char s[264]; // [rsp+0h] [rbp-110h] BYREF
    unsigned __int64 v5; // [rsp+108h] [rbp-8h]

    // Loads the qword at fs:0x28 into the slot just below the saved rbp.
    // On x86-64 Linux this is presumably the stack-protector canary; the
    // matching comparison in the epilogue is not part of this listing.
    v5 = __readfsqword(0x28u);

    printf("Enter the password: ");

    // The read is capped at 255 bytes, which fits inside the 264-byte buffer.
    if ( fgets(s, 255, stdin) == 0 )
        return 0LL;

    // Only the low 32 bits of the check's return value are tested.
    if ( (unsigned int)sub_4006FD(s) == 0 )
    {
        puts("Nice!");
        return 0LL;
    }

    puts("Incorrect password!");
    return 1LL;
}

/*
 * Decompiler view of the password check called from main().
 *
 * a1 is the address of the input buffer, carried as a 64-bit integer.
 * v3 holds the addresses of three string literals. For i = 0..11 the loop
 * selects string i % 3, takes the character at offset 2 * (i / 3) inside
 * it (offsets 0, 2, 4, 6) and requires that character to be exactly one
 * greater than input byte i.
 *
 * Returns 0 when all 12 positions satisfy the relation, 1 at the first
 * position that does not.
 */
__int64 __fastcall sub_4006FD(__int64 a1)
{
    int i; // [rsp+14h] [rbp-24h]
    __int64 v3[4]; // [rsp+18h] [rbp-20h]

    // Only three of the four slots are written; the index is always i % 3,
    // so v3[3] is never read.
    v3[0] = (__int64)"Dufhbmf";
    v3[1] = (__int64)"pG`imos";
    v3[2] = (__int64)"ewUglpt";

    i = 0;
    while ( i <= 11 )
    {
        // (i + a1) is the address of input byte i. The test is
        // table_char - input_char == 1, i.e. input_char = table_char - 1.
        // No length check on the input is visible before these 12 reads.
        if ( *(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) != 1 )
            return 1LL;
        ++i;
    }
    return 0LL;
}

*(char *)(v3[i % 3] + 2 * (i / 3)) - *(char *)(i + a1) != 1

重点是这一句

#include <stdio.h>

/*
 * First solver attempt. It stores the three table strings as one flat
 * string and does arithmetic on character values rather than indexing
 * into the selected string.
 *
 * NOTE(review): this does not mirror the comparison in sub_4006FD, where
 * v3[i % 3] is the address of a string and 2 * (i / 3) is an offset into
 * that string, so the output is not the password.
 */
int main(){
    char v3[] = "DufhbmfpG`imosewUglpt";
    int i = 0;

    while (i <= 11)
    {
        /* v3[i % 3] only ever selects one of the first three characters of
         * the flat string; 2 * (i / 3) and i are applied to the character
         * value, not used as positions. */
        char a = v3[i % 3] + 2 * (i / 3) - 1 - i;
        printf("%c", a);
        i++;
    }
    return 0;
}

上面的理解不对:v3 其实是二维的(三个独立的字符串),所以不能把它当成一个一维字符串直接反向计算,需要先按 v3[i % 3][2 * (i / 3)] 取出字符再处理。

#include <stdio.h>

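/*
 * Solver for the Reversing-x64Elf-100 password check.
 *
 * The decompiled check requires
 *     table[i % 3][2 * (i / 3)] - input[i] == 1    for i = 0..11,
 * so each password byte is the selected table character minus one.
 * Prints the 12-byte password to stdout.
 */
int main(){
    /* Three separate strings, as stored by sub_4006FD. A single flat
     * char array cannot be subscripted twice and would not compile. */
    const char *v3[3] = { "Dufhbmf", "pG`imos", "ewUglpt" };

    /* Exactly 12 positions (i = 0..11). The offsets 2 * (i / 3) are
     * 0, 2, 4 and 6, all inside the 7-character strings. */
    for (int i = 0; i < 12; i++)
    {
        /* In the decompiled expression, (i + a1) is the address of input
         * byte i, so i itself is not subtracted from the character. */
        char a = v3[i % 3][2 * (i / 3)] - 1;
        printf("%c", a);
    }
    return 0;
}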

注意循环的位数:密码一共 12 位,下标是 0 到 11。

Code_Talkers

666

dd是什么

key为什么是18

izwhroz""w"v.K".Ni 这个字符串需要逆向还原

重点是下面这段代码

// Encoding loop excerpted from the decompiled routine. It walks the input
// a1 in groups of three bytes and writes the encoded bytes to the buffer
// at address a2. key is used both as the loop bound and as the XOR mask.
// The declarations of v3, a1, a2 and key are outside this excerpt.
for ( i = 0; i < key; i += 3 )
{
// Byte 0 of the group: add 6, then XOR with key.
v3[i + 64] = key ^ (a1[i] + 6);
// Byte 1 of the group: subtract 6, then XOR with key.
v3[i + 33] = (a1[i + 1] - 6) ^ key;
// Byte 2 of the group: XOR with 6 and with key (no addition involved).
v3[i + 2] = a1[i + 2] ^ 6 ^ key;
// The three values staged in v3 are copied out, one byte each, to
// a2[i], a2[i + 1] and a2[i + 2].
*(_BYTE *)(a2 + i) = v3[i + 64];
*(_BYTE *)(a2 + i + 1LL) = v3[i + 33];
*(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
}

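// Sketch of the forward relation between the unknown flag and the known
// target bytes, restated from the decompiled loop. flag is the unknown
// here, so this fragment is not meant to be compiled as-is.
int key = 0x12; // 18 decimal; the decompiled loop uses key as bound and XOR mask
// Target bytes the encoded input is compared against. The embedded double
// quotes must be escaped; single quotes would form a character constant,
// not a string.
char a2[50] = "izwhroz\"\"w\"v.K\".Ni";

for ( int i = 0; i < 18; i += 3 )
{
    // Byte 0: add 6, then XOR with key.
    a2[i] = key ^ (flag[i] + 6);
    // Byte 1: subtract 6, then XOR with key.
    a2[i+1] = (flag[i + 1] - 6) ^ key;
    // Byte 2: XOR with 6 and with key.
    a2[i+2] = flag[i + 2] ^ 6 ^ key;
}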
#include <stdio.h>

/*
 * Solver for the "666" challenge: inverts the three-byte encoding applied
 * to the input and prints the recovered 18 characters.
 *
 * Forward transform per group of three bytes (from the decompiled loop):
 *     c0 = key ^ (p0 + 6)
 *     c1 = (p1 - 6) ^ key
 *     c2 = p2 ^ 6 ^ key
 */
int main(){
    int key = 0x12;
    char a2[50] = "izwhroz\"\"w\"v.K\".Ni";
    char flag[50];
    int i = 0;

    while (i < 18)
    {
        /* Undo the XOR first, then the +/- 6. The parentheses are needed
         * because + and - bind tighter than ^ in C. */
        flag[i]     = (a2[i] ^ 0x12) - 6;
        flag[i + 1] = (a2[i + 1] ^ key) + 6;
        flag[i + 2] = a2[i + 2] ^ 6 ^ key;

        /* Emit the three recovered bytes in order. */
        for (int k = 0; k < 3; k++)
            printf("%c", flag[i + k]);

        i += 3;
    }
    return 0;
}

这里要注意异或和加减的优先级:C 里 + 和 - 的优先级高于 ^,所以先异或再加减时必须加括号,例如 (a2[i] ^ key) - 6。

unctf{b66_6b6_66b}

reverse_re3

​ 迷宫题,一开始看不懂

.data:0000000000202020 dword_202020    dd 5 dup(1), 0Ah dup(0), 5 dup(1), 0, 3, 2 dup(1), 6 dup(0)
.data:0000000000202020 ; DATA XREF: sub_86C+82↑o
.data:0000000000202020 ; sub_A92+76↑o ...
.data:0000000000202020 dd 5 dup(1), 3 dup(0), 1, 6 dup(0), 5 dup(1), 3 dup(0)
.data:0000000000202020 dd 1, 6 dup(0), 5 dup(1), 3 dup(0), 5 dup(1), 2 dup(0)
.data:0000000000202020 dd 5 dup(1), 7 dup(0), 1, 2 dup(0), 5 dup(1), 7 dup(0)
.data:0000000000202020 dd 1, 2 dup(0), 5 dup(1), 7 dup(0), 2 dup(1), 0, 5 dup(1)
.data:0000000000202020 dd 8 dup(0), 1, 0, 5 dup(1), 8 dup(0), 4, 0, 4Dh dup(1)
.data:0000000000202020 dd 0Dh dup(0), 2 dup(1), 0, 3, 5 dup(1), 6 dup(0), 2 dup(1)
.data:0000000000202020 dd 0, 2 dup(1), 3 dup(0), 1, 6 dup(0), 2 dup(1), 6 dup(0)
.data:0000000000202020 dd 1, 6 dup(0), 2 dup(1), 0, 2 dup(1), 3 dup(0), 5 dup(1)
.data:0000000000202020 dd 2 dup(0), 2 dup(1), 0, 2 dup(1), 7 dup(0), 1, 2 dup(0)
.data:0000000000202020 dd 2 dup(1), 0, 2 dup(1), 7 dup(0), 1, 2 dup(0), 2 dup(1)
.data:0000000000202020 dd 0, 2 dup(1), 5 dup(0), 4 dup(1), 0, 2 dup(1), 0, 2 dup(1)
.data:0000000000202020 dd 5 dup(0), 1, 2 dup(0), 1, 0, 2 dup(1), 0, 2 dup(1)
.data:0000000000202020 dd 5 dup(0), 1, 4 dup(0), 2 dup(1), 0, 6 dup(1), 0, 1
.data:0000000000202020 dd 0, 2 dup(1), 0, 2 dup(1), 0, 0Bh dup(1), 0, 2 dup(1)
.data:0000000000202020 dd 0Bh dup(0), 4, 0, 1Eh dup(1), 10h dup(0), 3, 2 dup(1)
.data:0000000000202020 dd 0Eh dup(0), 1, 0, 3 dup(1), 0Ah dup(0), 3 dup(1), 0
.data:0000000000202020 dd 1, 0Bh dup(0), 1, 2 dup(0), 1, 8 dup(0), 2 dup(1), 0
.data:0000000000202020 dd 1, 2 dup(0), 1, 9 dup(0), 3 dup(1), 2 dup(0), 1, 0Eh dup(0)
.data:0000000000202020 dd 1, 0Eh dup(0), 4 dup(1), 0Eh dup(0), 1, 0Eh dup(0)
.data:0000000000202020 dd 1, 0Eh dup(0), 1, 0Eh dup(0), 4 dup(1), 0Eh dup(0)
.data:0000000000202020 dd 1, 0Eh dup(0), 4, 0
.data:0000000000202020 _data ends


要调整一下格式
.data:0000000000202020 dword_202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 ; DATA XREF: sub_86C+82↑o
.data:0000000000202020 ; sub_A92+76↑o ...
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 3, 1, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1

.data:0000000000202020 dd 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 0, 3, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0
.data:0000000000202020 dd 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0
.data:0000000000202020 dd 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
.data:0000000000202020 dd 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1

.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 3, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0
.data:0000000000202020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0
.data:0000000000202020 _data ends

调整格式时注意这里就好:每行 15 个 dword,一共三张 15×15 的地图。(截图:image-20230307144741557)

100、115、119、97 分别是 d、s、w、a 的 ASCII 码,对应前后左右四个方向键。

/*
 * Decompiler view of the maze driver.
 *
 * Reads the whole move string once with scanf, then consumes it one
 * character at a time. Each character is dispatched to a handler:
 *     'd' (100) -> sub_E23    's' (115) -> sub_C5A
 *     'w' (119) -> sub_A92    'a' (97)  -> sub_FEC
 * ESC (27) aborts with 0xFFFFFFFF; any other character is skipped.
 * The inner loop ends when a handler returns 1. The outer loop repeats
 * until dword_202AB0 equals 2, incrementing it after each earlier round.
 * NOTE(review): dword_202AB0 presumably selects the current map out of the
 * three in dword_202020; confirm against the handlers, which are not shown.
 *
 * Returns 1 after printing the success message, 0xFFFFFFFF on ESC.
 */
__int64 sub_940()
{
    int v0; // eax
    int v2; // [rsp+8h] [rbp-218h]
    int v3; // [rsp+Ch] [rbp-214h]
    char v4[520]; // [rsp+10h] [rbp-210h] BYREF
    unsigned __int64 v5; // [rsp+218h] [rbp-8h]

    // Qword at fs:0x28, presumably the stack-protector canary on x86-64 Linux.
    v5 = __readfsqword(0x28u);
    v3 = 0;

    // Clears 0x200 (512) bytes of the 520-byte buffer.
    memset(v4, 0, 0x200uLL);

    // NOTE(review): the format string at unk_1278 is not shown. If it has no
    // field width, input longer than the buffer would overflow v4; confirm.
    _isoc99_scanf(&unk_1278, v4, v4);

    for ( ;; )
    {
        do
        {
            v2 = 0;
            sub_86C();

            // v3 is never compared against the buffer size, so a move string
            // that does not finish every round keeps reading past the input.
            v0 = v4[v3];
            switch ( v0 )
            {
                case 27:
                    return 0xFFFFFFFFLL;
                case 97:
                    v2 = sub_FEC();
                    break;
                case 100:
                    v2 = sub_E23();
                    break;
                case 115:
                    v2 = sub_C5A();
                    break;
                case 119:
                    v2 = sub_A92();
                    break;
                default:
                    break;
            }
            ++v3;
        }
        while ( v2 != 1 );

        if ( dword_202AB0 == 2 )
            break;
        ++dword_202AB0;
    }

    puts("success! the flag is flag{md5(your input)}");
    return 1LL;
}

2

BABYRE

怎么转换数据把那个数组数据拿出来?

代码做了加密,要解一下

https://blog.rois.io/2021/rctf-2021-official-writeup-2/

函数

__readfsqword函数