https://dirtycow.cn/category/Reverse/ https://dirtycow.cn/269.html 2024-11-09T17:51:00+08:00 Reverse1思路：64位elfimage-20241110155524669.pngida分析image-20241110160145828.png分析这几个函数init函数初始化了一个table，一看就是rc4加密image-20241110160217367.png继续看crypt1 和 crypt2, 是魔改的rc4image-20241110160408630.pngbefore_main函数加密key，秘钥是keykeyimage-20241110162211876.pngafter_main函数使用加密之后的key作为秘钥加密了flagimage-20241110162622396.pngexp：def crypt1(s,key, key_len): v5 = 0 v6 = 0 res = [] for i in range(key_len): v5 = (v5 + 1) % 256 v6 = (v6 + s[v5]) % 256 v4 = s[v5] s[v5] = s[v6] s[v6] = v4 res.append(key[i] ^ (s[(s[v5] + s[v6]) %256])) return res def crypt2(s,enc,enc_len): v5 = 0 v6 = 0 res = [] for i in range(enc_len): v5 = (v5 + 1) % 256 v6 = (v6 + s[v5]) % 256 v4 = s[v5] s[v5] = s[v6] s[v6] = v4 res.append(enc[i] + s[(s[v5] + s[v6])%256]) return res def init(s,key,key_len): v8 = [0]*258 for i in range(256): s[i] = i v8[i] = key[i % key_len] v6 =0 for j in range(256): v6 = (v8[j] + v6 + s[j]) % 256 v4 = s[j] s[j] = s[v6] s[v6] = v4 s = [0]*256 key1 = [ord(b) for b in "keykey"] key = [ord(b) for b in "ban_debug!"] init(s,key1,len(key1)) res = crypt1(s,key,len(key)) print(res) s2 = [0]*256 key2 = init(s2, res,len(res)) enc = [0x4E, 0x47, 0x38, 0x47, 0x62, 0x0A, 0x79, 0x6A, 0x03, 0x66, 0xC0, 0x69, 0x8D, 0x1C, 0x84, 0x0F, 0x54, 0x4A, 0x3B, 0x08, 0xE3, 0x30, 0x4F, 0xB9, 0x6C, 0xAB, 0x36, 0x24, 0x52, 0x81, 0xCF] flag = crypt2(s2,enc,len(enc)) for i in flag: print(chr(i%256),end="") ''' 运行结果 [105, 13, 90, 178, 64, 234, 25, 63, 47, 106] flag{1237-12938-9372-1923-4u92} ''' reverse2思路:有upx， 十六进制查看upx特征是否被修改image-20241110164828280.png将这三个ABC改回成UPX就能脱壳image-20241110164949354.pngida分析代码main函数中看到一个密文image-20241110165204829.png往下看 很明显的base64加密，查看a9876543210zyxw数组image-20241110165249211.png是base64换表image-20241110165347969.pngexp:赛博厨子直接一把梭image-20241110165557240.png https://dirtycow.cn/237.html 2024-04-27T10:18:00+08:00 re1ida查看打开，直接看伪代码image-20240427111249890.png程序逻辑很简单，将输入保存到buff，经过cry函数加密，和密文v6进行比较直接查看cry函数image-20240427111630697.png经过分析，这是一个魔改的xxtea加密，改了循环轮数和DELTA值写脚本解密enc#include <stdio.h> #include <stdint.h> #define DELTA 0x9e3779b9 void btea(uint32_t *v, int n, uint32_t const key[4]) { uint32_t y, z, sum; unsigned i, rounds, e; rounds = 415 / n + 114; //确定轮转数 sum = rounds*DELTA; //根据轮转数计算sum y = v[0]; do { e = (sum >> 2) & 3; for (i=n-1; i>0; i--) //逆序倒推 { z = v[i-1]; //先解密v[n-1]，需要知道v[0]和v[n-2]， v[i] -= (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(i&3)^e] ^ z))); y = v[i];//只会解密到v[1] } z = v[n-1]; //对于第一个v[0]的解密，要知道v[n-1]和v[1] v[0] -= (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(i&3)^e] ^ z))); y = v[0]; sum += 0x61C88647; } while (--rounds); } int main() { uint32_t enc_data[] = {0x480AC20C,0x0CE9037F2,0x8C212018,0x0E92A18D,0x0A4035274,0x2473AAB1,0x0A9EFDB58,0x0A52CC5C8,0x0E432CB51,0x0D04E9223,0x6FD07093}; uint32_t const k[4]= {0x79696755,0x67346F6C,0x69231231,0x5F674231}; int n= 11; btea(enc_data, n, k); for(int i = 0; i < sizeof(enc_data)/sizeof(uint32_t); i++) { printf("%x", enc_data[i]); } return 0; }运行结果：67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35为了方便使用python将这段十六进制转换成stringenc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35" for i in range(0,len(enc), 2): print(chr(int(enc[i:i+2], 16)),end="")运行结果:galfcfe{f8fcc0-01-79-ce20e289c0-429d33e2}5发现flag的顺序不对，应该是大小端序的原因，修改代码enc = "67616c666366657b6638666363302d30312d37392d636532306532383963302d34323964333365327d35" flag='' for i in range(0,len(enc), 2): flag += chr(int(enc[i:i+2], 16)) for i in range(0,len(flag),4): print((flag[i:i+4][::-1]),end="")运行结果:flag{efccf8f0-0c97-12ec-82e0-0c9d9242e335}re2直接上ida查看伪代码image-20240427093116948.pngimage-20240427093129676.png这里是一堆赋值，最后将这些变量传入了sub_401005函数，跟进去查看image-20240427093427762.png这就是个rc4加密，我们在return上打个断点就能看到解密后的数据image-20240427093458621.png成功getflagimage-20240427093627803.png https://dirtycow.cn/223.html 2024-02-29T18:53:00+08:00 思路：64位无壳exe直接使用ida打开image-20240229201911471.png对变量名进行简单的处理， 提升代码的可读性对代码进行简单分析Str2加密的flagStr为用户的输入通过三个函数对Str进行三次加密，最终和Str2进行比较直接看encode_three函数image-20240229204446829.png这个函数对字符串进行了偏移，有mod操作就不考虑逆向推了，直接使用暴力破解再看encode_two函数image-20240229204907302.png这个函数对字符串进行了位移，每次位移13个字符再看最后一个函数encode_oneimage-20240229205021296.png这个函数也是一眼丁真了，base64image-20240229205047054.png查看alphabet变量，正是base64的码表写脚本还原flagexp：import base64 enc = "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG" enc_decode = "" enc_decoee_2 = "" for enum in range(len(enc)): for enum_char in range(32,128): if enum_char <= 64 or enum_char > 90: if enum_char<= 96 or enum_char > 122 : if enum_char <= 47 or enum_char > 57: if enc[enum] == chr(enum_char): enc_decode += chr(enum_char) else: if enc[enum] == chr((enum_char - 48 + 3) % 10 +48): enc_decode += chr(enum_char) else: if enc[enum] == chr((enum_char - 97 + 3) % 26 + 97): enc_decode += chr(enum_char) else: if enc[enum] == chr((enum_char - 65 + 3) % 26 + 65): enc_decode += chr(enum_char) enc_decoee_2 += enc_decode[13:26] enc_decoee_2 += enc_decode[39:52] enc_decoee_2 += enc_decode[0:13] enc_decoee_2 += enc_decode[26:39] print(base64.b64decode(enc_decoee_2.encode()))总结：知识点：暴力破解flagGWHT{672cc4778a38e80cb362987341133ea2} https://dirtycow.cn/216.html 2024-02-28T19:51:00+08:00 思路：64位elf，无壳直接使用ida打开，查看主函数image-20240228183956816.png映入眼帘就是一个CODE XREF和一大堆数据，这肯定是花指令尝试去除花指令image-20240228185207078.png发现有多出了一个花指令继续重复去除花指令image-20240228185359264.png发现疑似flag的字符这种重复的操作直接交给idapython这些字符前面都有FF C0，写脚本通过这两个关键字找出字符image-20240228185943670.pngexp:start_addr = 0x1135 end_addr = 0x3000 for i in range(start_addr, end_addr): if ida_bytes.get_byte(i) == 0xFF and ida_bytes.get_byte(i+1) == 0xC0: print(chr(ida_bytes.get_byte(i+3)), end="")运行结果：hello world! There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do. May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others'shoes.If you feel that it hurts you,it probably hurts the other person, too. GFCTF{u_are2wordy} You find Flag, Congratulation!总结：考点：花指令idapythonflag:GFCTF{u_are2wordy} https://dirtycow.cn/209.html 2024-02-26T20:45:00+08:00 思路：查看程序主函数image-20240226204044046.png使sub_860函数返回true就能获得flag跟进去查看image-20240226204238539.png看到这么规律的计算就知道要拿z3秒了exp：from z3 import * v1,v2, v3, v4, v5, v6, v7, v8, v9, v11 = Ints('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11') solver = Solver() solver.add(v1 < 128) solver.add(v2 < 128) solver.add(v3 < 128) solver.add(v4 < 128) solver.add(v5 < 128) solver.add(v6 < 128) solver.add(v7 < 128) solver.add(v8 < 128) solver.add(v9 < 128) solver.add(v11 < 128) solver.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613) solver.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400) solver.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 *64) - 120 * v9 == -10283) solver.add(71 * v6 + (v7 * 128) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855) solver.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944) solver.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222) solver.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258) solver.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559) solver.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308) solver.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697) if solver.check() == sat: print (solver.model()) flag = [70,48,117,82,84,121,95,55,119,64] for i in flag: print(chr(i), end="")右移可以使用乘法代替flag：actf{F0uRTy_7w@_42} https://dirtycow.cn/208.html 2024-02-26T16:26:00+08:00 思路是个64位程序，直接拿ida打开image-20240226112347596.png发现程序将用户输入和字符串zer0pts{********CENSORED********}比较尝试提交flag 发现是错误的继续分析查看init函数image-20240226114941107.png程序分别调用了funcs_889开始的几个函数跟进去查看image-20240226115104941.png跟进sub_6E 发现没东西image-20240226125443454.png在这个函数附近看到了sub_795跟进去查看image-20240226125549410.png这个函数将qword_201090函数替换成strcmpoff_201028替换成了sub_6EA跟进off_201028查看image-20240226155507023.png正是 strcmp在plt表中的位置 查看sub_6EA函数的逻辑image-20240226155809056.png查看qword_201060值image-20240226160538423.png只要按照上面的代码加回qword_201060中的值就能还原flagexp#include<stdio.h> #include<stdint.h> #include<string.h> int main() { char enc[] = "zer0pts{********CENSORED********}"; uint64_t key[] = {0, 0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B, 0}; int len = strlen(enc); len = (len>>3) +1; for(int i =0; i < len; i++) { *(uint64_t *)&(enc[8 * i]) += key[i]; } printf("%s", enc); return 0; }因为是qword数据类型，所有要使用uint64_t或者__int64这里不直接写enc[8 * i]是因为要将char型转换成_int64, 用指针的形式写flagzer0pts{l3ts_m4k3_4_DETOUR_t0d4y} https://dirtycow.cn/198.html 2023-12-20T21:26:00+08:00 思路：拿到题目先查壳image-20231220211157807.png是windows 64为的程序 双击打开，随便输如测试image-20231220211517370.png根据题目名字，推测这是使用mfc框架开发的直接上ida在import中搜索messagebox跟到调用这个函数的地方发现了验证flag的地方v7中存的是加密的flag ^0x87 就能还原flag image-20231220212121416.png直接上脚本exp：encode = [0xE0E6EBE1, 0x0E3E1B6FC, 0x0BEB7B6B2, 0x0B2B1BEE2, 0x0E2B6B6B2, 0x0B3B0B3E2, 0x0E3E3B2E2,0x0B7B7B3E2,0x0B6B0E6B0,0x0FAE1 ] for i in encode: tmp = i.to_bytes(4,'little') for j in tmp: print(chr(j^0x87), end="")flag：flag{1fd5109e965511ee474e5dde4007a71f} https://dirtycow.cn/186.html 2023-12-19T15:35:00+08:00 babyre思路：提示是xxtea加密image-20231219142425780.png用ida打开，找到了key和加密后的data值image-20231219142609263.png跟进去encode函数查看 发现这并不是xxtea加密，而是xtea加密，比赛的时候一直在用xxtea的脚本解，没解出来image-20231219142741402.png接下来提取key和encode_data将qword_400E80和qword_400E88拆成4个dword数据就是key即int key[] = {0xDEADBEEF,87654321,0xFACEB00C,0xCAFEBABE};将encode_data也按照上述的数据类型提取int data[] = {0x168F8672,0x2DBD824,0x0CF647FCA,0x0E6EFA7EF,0x4AE016F0,0x0C5832E1D,0x455C0A05,0x0FFEB8140,0x0BE9561EF,0x7F819E23,0x3BC04269,0x0C68B825B,0x0E6A5B1F0,0x0BD03CBBD,0x0A9B3CE0E,0x6C85E6E7,0x9F5C71EF,0x3BE4BD57};image-20231219143124477.png直接拿脚本解密exp#include <stdio.h> #include <stdint.h> /* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */ void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) { unsigned int i; uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9; for (i=0; i < num_rounds; i++) { v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]); sum += delta; v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]); } v[0]=v0; v[1]=v1; } void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) { unsigned int i; uint32_t v0=v[0], v1=v[1], delta=0x9E3779B9, sum=delta*num_rounds; for (i=0; i < num_rounds; i++) { v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]); sum -= delta; v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]); } v[0]=v0; v[1]=v1; } int main() { uint32_t encode_data[]={ 0x168F8672,0x2DBD824,0x0CF647FCA,0x0E6EFA7EF,0x4AE016F0,0x0C5832E1D,0x455C0A05, 0x0FFEB8140,0x0BE9561EF,0x7F819E23,0x3BC04269,0x0C68B825B,0x0E6A5B1F0,0x0BD03CBBD, 0x0A9B3CE0E,0x6C85E6E7,0x9F5C71EF,0x3BE4BD57 }; uint32_t const key[] = {0xDEADBEEF,0x87654321,0xFACEB00C,0xCAFEBABE}; unsigned int r=32;//num_rounds建议取值为32 // v为要加密的数据是两个32位无符号整数 // k为加密解密密钥，为4个32位无符号整数，即密钥长度为128位 // printf("加密前原始数据：%u %u\n",v[0],v[1]); // encipher(r, v, k); // printf("加密后的数据：%u %u\n",v[0],v[1]); uint32_t tmp[2] = {0}; for(int i = 0; i < sizeof(encode_data)/sizeof(uint32_t); i+=2) { tmp[0] = encode_data[i]; tmp[1] = encode_data[i+1]; decipher(r,tmp, key); printf("%s",tmp); } return 0; }flagDASCTF{Don't_forget_to_drink_tea} https://dirtycow.cn/178.html 2023-11-02T21:42:00+08:00 思路：使用ida打开题目发现一片红的，ida识别不出来，根据题目确定是有花指令，向下找image-20231102213342993.pngimage-20231102213352747.pngimage-20231102213402191.png一共找到三个花指令选中花指令跳转的地方按u，选中将不执行的代码ctrl+n，将其nop掉，再按c转换成代码，到函数头按p创建函数就完成了去花操作image-20231102214110484.png去玩花查看伪代码发现是rc4加密，秘钥是WOWOWOWWOWOWOW直接写脚本解密exp:from Crypto.Cipher import ARC4 enc = [ 0xF4, 0x87, 0xD4, 0xFA, 0x61, 0xA6, 0x71, 0x12, 0x75, 0x09, 0xFE, 0xD8, 0xE4, 0x38, 0x97, 0x51, 0xA8, 0xDF, 0x85, 0x65, 0xC2, 0xB2, 0x15, 0xEF, 0x1F, 0xEC, 0x69, 0xDD, 0x6E, 0xE9, 0xCF, 0x07, 0xAE, 0xC8, 0x17, 0xF0, 0x65, 0x72, 0xE6, 0x73, 0xA4, 0x0C, 0x87, 0x64, 0x9E, 0x9E, 0x71, 0x8C, 0x7F, 0xD7, 0x75, 0x84 ] key = "WOWOWOWWOWOWOW" rc4 = ARC4.new(key.encode()) print(rc4.decrypt(bytearray(enc)))flag:flag{You!FlowerMaster!YouPassTheThirdPZGALAXYlevel!} https://dirtycow.cn/173.html 2023-11-02T20:30:00+08:00 思路：直接爆破exp:#include <stdio.h> #include <string.h> int main() { int enc[] = { 0xE8, 0x80, 0x84, 0x08, 0x18, 0x3C, 0x78, 0x68, 0x00, 0x70, 0x7C, 0x94, 0xC8, 0xE0, 0x10, 0xEC, 0xB4, 0xAC, 0x68, 0xA8, 0x0C, 0x1C, 0x90, 0xCC, 0x54, 0x3C, 0x14, 0xDC, 0x30 }; char key[] = "NewStarCTF"; for(int i =0; i < 29; i++) { for(int j = 33; j < 127; j++) { int tmp = j; if(tmp >= 'A' && tmp <= 'Z') { tmp = (tmp - 52) % 26 + 65; } else if(tmp >= '0' && tmp <= '9') { tmp = (tmp - 45) % 10 + 48; } else if(tmp >= 'a' && tmp <= 'z') { tmp = (tmp - 89) % 26 + 97; } tmp += key[i % strlen(key)]; tmp = ~tmp; tmp = (unsigned char)(tmp * 52); if(tmp == enc[i]) { if((j >= 'A' && j <= 'Z') || (j >= 'a' && j <= 'z')) { printf("%c", j); break; } } } } return 0; }flag:BruteForceIsAGoodwaytoGetFlag