2018 CISCN reverse

I didn't solve this one during the competition, mainly because my mindset collapsed and I couldn't keep reading it. After the competition I looked at writeups online and found it wasn't hard; I had just overcomplicated it. Here I share my approach and exploit, hoping to exchange ideas and learn together.

main function

It first checks whether the first six characters of the input match "CISCN{", then uses strtok to split the string on "_" into three parts, and then checks each of the three parts separately.

sub_4012DE function

The key part is as follows.

[Figure 1]

After the first part of the string goes through the transformation above, it is compared with the MD5 value 5BH8170528842F510K70EGH31F44M24B.

So we can directly reverse out the original MD5; the script for this function is as follows.

def change1(str0):
	# str0 is the transformed MD5 string to reverse: undo the per-position
	# shift (i % 10) applied to the hex letters A-F, leave everything else
	str00 = ''
	for i in range(len(str0)):
		temp = ord(str0[i]) - i % 10
		if ord('A') <= temp <= ord('A') + 5:
			str00 += chr(temp)
		else:
			str00 += str0[i]
	return str00

We get 5AF8170528842C510D70EFF31A44E24A, and decrypting it online gives tima.

sub_401411 function

Compared with the previous one, this function only adds an XOR step, and it is likewise reversible; the script is as follows.

def change2(str0):
	# str0 is the MD5 string already processed by change1
	byte_603860 = [0x92,0x84,0x3d,0xa7,0x14,0xf2,0xfb,0x4b,0xee,0x8a,0xc2,0xc3,0x76,0x68,0x13,0x1e]
	# parse the 32 hex characters into 16 bytes
	str2 = bytes.fromhex(str0)
	str2_2 = ''
	for i in range(len(str2)):
		# undo the XOR with the key table; %02x keeps a leading zero that
		# hex()[2:] would drop
		str2_2 += '%02x' % (str2[i] ^ byte_603860[i])
	return str2_2

We get c87c2aa23c76d71ae3fa2d306c2cf154, and decrypting it online gives yefb.

sub_401562 function

Besides containing the entire encryption process of sub_401411, this function also generates a flag file. Since it has too many unknowns, I don't reverse the whole process; the code that generates the flag file is as follows.

[Figure 2]

As you can see, we only need to brute-force the values of v15 and v16 to obtain the correct flag file. The brute-force script is below; here I took only the first 500 bytes, which is enough to identify the file format (even fewer would do).

(This uses the Python library filetype; install it with pip.)

import filetype

data = [0xc7,0xb7,0xc7,0x8f,0x38,0x7f,0x72,0x29,0x71,0x29,0x38,0x6e,0x39,0x6e,0x39,0x43,0x39,0x43,0x38,0x6f,0xc7,0xb4,0x38,0x2c,0x38,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x90,0xe3,0x6f,0x7b,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0xc7,0xaf,0x38,0x7e,0x30,0x6f,0x2e,0x6f,0xb8,0x6c,0x39,0x4e,0x38,0x6d,0x29,0x6e,0x3b,0x7e,0x39,0x90,0xfc,0x6f,0x27,0x6f,0x38,0x6e,0x3d,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6e,0x3a,0x6c,0x3c,0x6a,0x3e,0x68,0x30,0x66,0x32,0x64,0xc7,0xab,0x38,0xda,0x28,0x6f,0x3a,0x6e,0x3b,0x6c,0x3a,0x6b,0x3b,0x6a,0x3d,0x6b,0x3c,0x6f,0x38,0x6e,0x45,0x6e,0x3a,0x6c,0x38,0x6b,0x29,0x6a,0x2a,0x4e,0x9,0x2e,0x3e,0x7c,0x69,0xe,0x3f,0x4d,0x49,0x7b,0xa,0xee,0xa9,0xce,0x30,0x4c,0x7a,0xde,0xf9,0x7a,0x6a,0xbe,0xc8,0x4b,0xb,0xd,0x4a,0xed,0x31,0x65,0x2e,0x78,0x20,0x76,0x22,0x4a,0x1e,0x48,0x10,0x46,0x12,0x5b,0xd,0x59,0xf,0x57,0x1,0x55,0x7b,0x2b,0x7d,0x29,0x7f,0x27,0x71,0x25,0x6b,0x3b,0x6d,0x39,0x6f,0x37,0x61,0x35,0x5b,0xb,0x5d,0x9,0x5f,0x7,0x51,0x5,0x4b,0x1b,0x4d,0x19,0x4f,0x17,0x41,0x15,0xbb,0xeb,0xbd,0xe9,0xbf,0xe7,0xb1,0xe5,0xaa,0xfc,0xac,0xfa,0xae,0xf8,0xa0,0xf6,0xa2,0xcd,0x9b,0xcb,0x9d,0xc9,0x9f,0xc7,0x91,0xc5,0x8a,0xdc,0x8c,0xda,0x8e,0xd8,0x80,0xd6,0x82,0xad,0xfb,0xab,0xfd,0xa9,0xff,0xa7,0xf1,0xa5,0xea,0xbc,0xec,0xba,0xee,0xb8,0xe0,0xb6,0xe2,0x8e,0xda,0x8c,0xdc,0x8a,0xde,0x88,0xd0,0x86,0xd2,0x9e,0xca,0x9c,0xcc,0x9a,0xce,0x98,0xc0,0x96,0xc2,0x90,0xfc,0x6f,0x27,0x6e,0x38,0x6c,0x39
,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6e,0x39,0x6f,0x38,0x6f,0x38,0x6f,0x38,0x6e,0x3a,0x6c,0x3c,0x6a,0x3e,0x68,0x30,0x66,0x32,0x64,0xc7,0xab,0x38,0xda,0x29,0x6f,0x3a,0x6e,0x3a,0x6b,0x3c,0x6c,0x3c,0x68,0x3d,0x6b,0x3c,0x6f,0x39,0x6d,0x4f,0x6f,0x39,0x6d,0x3b,0x7e,0x3c,0x6a,0x19,0x5e,0x3e,0x7d,0x79,0x3e,0x3f,0xe,0x49,0x7c,0x1a,0x5d,0xb9,0x67,0x2c,0x2d,0xa9,0xce,0x89,0xae,0x31,0x4c,0xb,0x3d,0xc8,0x7a,0x5a,0x1d,0xe9,0x65,0x2e,0x4b,0xc,0x8e,0x1d,0x9e,0x2f,0x77,0x21,0x75,0x1e,0x48,0x10,0x46,0x12,0x5a]

for i in range(256):
	for j in range(256):
		# odd-index bytes are XORed with i, even-index bytes with j
		result = bytes(data[k] ^ (i if k & 1 else j) for k in range(len(data)))
		with open('re_guess', 'wb') as a:
			a.write(result)
		kind = filetype.guess('re_guess')
		if kind is None:
			continue
		print(i, j, kind.extension)

The results are as follows.

23 216 Z
42 216 Z
76 56 mp3
111 56 jpg
150 226 ps
237 138 exe
250 133 bmp

jpg looks suspicious, so let's generate the complete file and take a look.

with open('data.txt', 'r') as f:
	x = f.read().replace('\n', '')
# data.txt holds comma-separated hex bytes such as "0xc7,0xb7,..."
data = [int(t, 16) for t in x.split(',') if t]

i = 111  # key for odd-index bytes
j = 56   # key for even-index bytes

temp = bytes(data[k] ^ (i if k & 1 else j) for k in range(len(data)))
with open('flag.jpg', 'wb') as a:
	a.write(temp)
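As an added example (not part of the original writeup), the two-key XOR can also be undone without brute force: once the output is known to be a JPEG, XORing the ciphertext against the expected header bytes yields i and j directly, and the same check against other signatures reproduces the brute-force's bmp and exe hits. The 16-byte prefix is copied from the data list above; the signature table and function names are my own.

```python
# Added example (not the writeup's code): recover the alternating XOR keys of the
# flag file from a known file header instead of trying all 65536 (v15, v16) pairs.
# DUMP_PREFIX is the first 16 bytes of the dump from 0x6020E0 in the script above.
DUMP_PREFIX = bytes([0xc7, 0xb7, 0xc7, 0x8f, 0x38, 0x7f, 0x72, 0x29,
                     0x71, 0x29, 0x38, 0x6e, 0x39, 0x6e, 0x39, 0x43])

# (name, offset, expected plaintext bytes) for a few common formats.
SIGNATURES = [
    ("jpg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("bmp", 0, b"BM"),
    ("exe", 0, b"MZ"),
]

def xor_alternating(data, key_odd, key_even):
    """Writeup layout: odd offsets are XORed with i (key_odd), even with j (key_even)."""
    return bytes(b ^ (key_odd if k & 1 else key_even) for k, b in enumerate(data))

def keys_from_signature(data, offset, magic):
    """Known-plaintext recovery: ciphertext ^ expected byte is the key for that
    offset parity. Returns (key_odd, key_even), or None when the header bytes
    demand conflicting keys (format impossible) or fix only one parity."""
    keys = [None, None]  # index 0: even offsets, index 1: odd offsets
    for k, p in enumerate(magic):
        idx = offset + k
        cand = data[idx] ^ p
        if keys[idx & 1] is None:
            keys[idx & 1] = cand
        elif keys[idx & 1] != cand:
            return None
    if None in keys:
        return None
    return keys[1], keys[0]

def recover_keys(data):
    """Every signature consistent with data, mapped to its (key_odd, key_even)."""
    found = {n: keys_from_signature(data, o, m) for n, o, m in SIGNATURES}
    return {n: k for n, k in found.items() if k is not None}

def decode_as_jpeg(data):
    # a bare SOI match is weak evidence; also require the JFIF APP0 segment
    keys = keys_from_signature(data, 0, b"\xff\xd8\xff")
    plain = xor_alternating(data, *keys) if keys else None
    if plain and plain[2:4] == b"\xff\xe0" and plain[6:11] == b"JFIF\x00":
        return plain
    return None
```

On the real dump, recover_keys reports jpg with (111, 56), exe with (237, 138) and bmp with (250, 133), matching three of the brute-force lines above, while the JFIF check in decode_as_jpeg singles out the jpg candidate.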

The IDC script that extracts data.txt is as follows (Shift+F2 opens the Execute script window).

auto addr1 = 0x006020E0;
auto i,x;

for(i=0; i < 6016 ; i ++ )
{
    Message("0x%x,",Byte(i+addr1));
}

This gives the third part of the flag.

[Figure 3]

Verification

Joining the three parts obtained above with underscores gives

CISCN{tima_yefb_MayDetyU$hhtIm2}

The result of running it is shown in the figure below.

[Figure 4]

Author: LB919

Source: http://www.cnblogs.com/L1B0/

If you repost this, I would be honored! Please just note the source.
