Reversing-Challenges-List

Reversing-Challenges-List

Baby

Sharif University CTF 2016 : dMd

// dMd (Sharif University CTF 2016): read a key from stdin, MD5 it, and compare
// the 32-char hex digest one character at a time against a hard-coded value.
// IDA decompiler output: __int64 / _BYTE / __readfsqword are IDA idioms.
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v3; // rax  -- v3..v21: chained ostream results for the success message
__int64 v4; // rax
__int64 v5; // rax
__int64 v6; // rax
__int64 v7; // rax
__int64 v8; // rax
__int64 v9; // rax
__int64 v10; // rax
__int64 v11; // rax
__int64 v12; // rax
__int64 v13; // rax
__int64 v14; // rax
__int64 v15; // rax
__int64 v16; // rax
__int64 v17; // rax
__int64 v18; // rax
__int64 v19; // rax
__int64 v20; // rax
__int64 v21; // rax
int result; // eax
__int64 v23; // rax  -- v23..v37: chained ostream results for the failure message
__int64 v24; // rax
__int64 v25; // rax
__int64 v26; // rax
__int64 v27; // rax
__int64 v28; // rax
__int64 v29; // rax
__int64 v30; // rax
__int64 v31; // rax
__int64 v32; // rax
__int64 v33; // rax
__int64 v34; // rax
__int64 v35; // rax
__int64 v36; // rax
__int64 v37; // rax
char v38; // [rsp+Fh] [rbp-71h]   std::allocator<char> handed to the std::string ctor
char v39; // [rsp+10h] [rbp-70h]  std::string built from `input`
char v40; // [rsp+20h] [rbp-60h]  std::string returned by md5()
_BYTE *v41; // [rsp+28h] [rbp-58h]  c_str() of v40 -- dangling once v40 is destroyed, see below
char input; // [rsp+30h] [rbp-50h]  fixed-size stack buffer for the key (0x38 bytes up to the canary)
unsigned __int64 v43; // [rsp+68h] [rbp-18h]  stack-protector canary

v43 = __readfsqword(0x28u); // canary loaded from fs:0x28; the epilogue check is not shown by IDA
std::operator<<<std::char_traits<char>>(&std::cout, "Enter the valid key!\n", envp); // trailing `envp` is a decompiler artifact
// Unbounded `>>` into the fixed-size `input` buffer; the stack protector (v43) is the only
// guard against an over-long key. `&edata` is presumably IDA mis-resolving std::cin -- confirm
// in the disassembly.
std::operator>><char,std::char_traits<char>>(&edata, &input);
std::allocator<char>::allocator(&v38);
std::string::string(&v39, &input, &v38);
md5((MD5 *)&v40, (const std::string *)&v39); // v40 = md5(v39); md5() is not in view, a 32-char hex digest is assumed from the checks below
v41 = (_BYTE *)std::string::c_str((std::string *)&v40);
// NOTE: every v41[i] read below happens *after* v40's destructor on the next line,
// i.e. through a dangling pointer. The binary gets away with it, but it is undefined
// behaviour in the reconstructed source.
std::string::~string((std::string *)&v40);
std::string::~string((std::string *)&v39);
std::allocator<char>::~allocator(&v38);
// Expected digest, read off the 32 comparisons: 780438d5b6e29db0898bc4f0225935c0
if ( *v41 != '7'
|| v41[1] != '8'
|| v41[2] != '0'
|| v41[3] != '4'
|| v41[4] != '3'
|| v41[5] != '8'
|| v41[6] != 'd'
|| v41[7] != '5'
|| v41[8] != 'b'
|| v41[9] != '6'
|| v41[10] != 'e'
|| v41[11] != '2'
|| v41[12] != '9'
|| v41[13] != 'd'
|| v41[14] != 'b'
|| v41[15] != '0'
|| v41[16] != '8'
|| v41[17] != '9'
|| v41[18] != '8'
|| v41[19] != 'b'
|| v41[20] != 'c'
|| v41[21] != '4'
|| v41[22] != 'f'
|| v41[23] != '0'
|| v41[24] != '2'
|| v41[25] != '2'
|| v41[26] != '5'
|| v41[27] != '9'
|| v41[28] != '3'
|| v41[29] != '5'
|| v41[30] != 'c'
|| v41[31] != '0' )
{
// Failure: "Invalid Key! :(" emitted one character at a time (presumably to keep
// the literal out of `strings` output).
v23 = std::operator<<<std::char_traits<char>>(&std::cout, 'I');
v24 = std::operator<<<std::char_traits<char>>(v23, 'n');
v25 = std::operator<<<std::char_traits<char>>(v24, 'v');
v26 = std::operator<<<std::char_traits<char>>(v25, 'a');
v27 = std::operator<<<std::char_traits<char>>(v26, 'l');
v28 = std::operator<<<std::char_traits<char>>(v27, 'i');
v29 = std::operator<<<std::char_traits<char>>(v28, 'd');
v30 = std::operator<<<std::char_traits<char>>(v29, ' ');
v31 = std::operator<<<std::char_traits<char>>(v30, 'K');
v32 = std::operator<<<std::char_traits<char>>(v31, 'e');
v33 = std::operator<<<std::char_traits<char>>(v32, 'y');
v34 = std::operator<<<std::char_traits<char>>(v33, '!');
v35 = std::operator<<<std::char_traits<char>>(v34, ' ');
v36 = std::operator<<<std::char_traits<char>>(v35, ':');
v37 = std::operator<<<std::char_traits<char>>(v36, '(');
std::ostream::operator<<(v37, &std::endl<char,std::char_traits<char>>);
result = 0; // both branches exit 0: the exit status does not leak the outcome
}
else
{
// Success: "The key is valid :)" emitted the same way.
v3 = std::operator<<<std::char_traits<char>>(&std::cout, 'T');
v4 = std::operator<<<std::char_traits<char>>(v3, 'h');
v5 = std::operator<<<std::char_traits<char>>(v4, 'e');
v6 = std::operator<<<std::char_traits<char>>(v5, ' ');
v7 = std::operator<<<std::char_traits<char>>(v6, 'k');
v8 = std::operator<<<std::char_traits<char>>(v7, 'e');
v9 = std::operator<<<std::char_traits<char>>(v8, 'y');
v10 = std::operator<<<std::char_traits<char>>(v9, ' ');
v11 = std::operator<<<std::char_traits<char>>(v10, 'i');
v12 = std::operator<<<std::char_traits<char>>(v11, 's');
v13 = std::operator<<<std::char_traits<char>>(v12, ' ');
v14 = std::operator<<<std::char_traits<char>>(v13, 'v');
v15 = std::operator<<<std::char_traits<char>>(v14, 'a');
v16 = std::operator<<<std::char_traits<char>>(v15, 'l');
v17 = std::operator<<<std::char_traits<char>>(v16, 'i');
v18 = std::operator<<<std::char_traits<char>>(v17, 'd');
v19 = std::operator<<<std::char_traits<char>>(v18, ' ');
v20 = std::operator<<<std::char_traits<char>>(v19, ':');
v21 = std::operator<<<std::char_traits<char>>(v20, ')');
std::ostream::operator<<(v21, &std::endl<char,std::char_traits<char>>);
result = 0;
}
return result;
}

文件逻辑为将输入进行md5然后与780438d5b6e29db0898bc4f0225935c0进行比较

注意在进行 md5 反查时,多数网站把 780438d5b6e29db0898bc4f0225935c0 识别为 md5(md5($PASS)) 的结果,返回的 $PASS 为 grape

但是程序里只进行了一次 md5,所以需要输入的 key 应为 md5($PASS),即 md5("grape") = b781cbb29054db12f88f08c6e161c199

Sharif University CTF 2016 : SRM

// SRM (Sharif University CTF 2016): dialog procedure. On WM_COMMAND from control
// id 1 (IDOK) it validates an e-mail address and a 16-byte serial read from two
// edit controls. IDA decompiler output (32-bit): a2 = uMsg, a3 = wParam, a4 = lParam (unused).
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
HMODULE v5; // eax
HICON v6; // eax
HMODULE v7; // eax
HCURSOR v8; // ST20_4
HWND v9; // eax
CHAR email; // [esp+8h] [ebp-340h]   0x100-byte buffer by layout; IDA typed only its first byte
CHAR serial_num[4]; // [esp+108h] [ebp-240h]   0x100-byte buffer by layout; only 4 bytes typed
char v12; // [esp+10Ch] [ebp-23Ch]  == serial_num[4]  (v12..v23 are the stack bytes directly after serial_num[0..3])
char v13; // [esp+10Dh] [ebp-23Bh]  == serial_num[5]
char v14; // [esp+10Eh] [ebp-23Ah]  == serial_num[6]
char v15; // [esp+10Fh] [ebp-239h]  == serial_num[7]
char v16; // [esp+110h] [ebp-238h]  == serial_num[8]
char v17; // [esp+111h] [ebp-237h]  == serial_num[9]
char v18; // [esp+112h] [ebp-236h]  == serial_num[10]
char v19; // [esp+113h] [ebp-235h]  == serial_num[11]
char v20; // [esp+114h] [ebp-234h]  == serial_num[12]
char v21; // [esp+115h] [ebp-233h]  == serial_num[13]
char v22; // [esp+116h] [ebp-232h]  == serial_num[14]
char v23; // [esp+117h] [ebp-231h]  == serial_num[15]
CHAR Text; // [esp+208h] [ebp-140h]   0x100-byte message buffer shown via MessageBoxA
char reg_suc[16]; // [esp+308h] [ebp-40h]   success text = reg_suc + v26 + v27, copied from xmmword constants
__int128 v26; // [esp+318h] [ebp-30h]
int v27; // [esp+328h] [ebp-20h]     3830633 == little-endian bytes "is:\0"
__int128 reg_fail; // [esp+32Ch] [ebp-1Ch]   failure text = reg_fail + v29 + v30
int v29; // [esp+33Ch] [ebp-Ch]      1701999980 == little-endian bytes "lure"
__int16 v30; // [esp+340h] [ebp-8h]  46 == ".\0"

if ( a2 == 16 ) // WM_CLOSE
{
EndDialog(hDlg, 0);
return 0;
}
if ( a2 == 272 ) // WM_INITDIALOG: window icon plus a custom cursor on control id 1
{
v5 = GetModuleHandleW(0);
v6 = LoadIconW(v5, (LPCWSTR)0x67); // MAKEINTRESOURCE(0x67)
SetClassLongA(hDlg, -14, (LONG)v6); // GCL_HICON
v7 = GetModuleHandleW(0);
v8 = LoadCursorW(v7, (LPCWSTR)0x66); // MAKEINTRESOURCE(0x66)
v9 = GetDlgItem(hDlg, 1);
SetClassLongA(v9, -12, (LONG)v8); // GCL_HCURSOR
return 1;
}
if ( a2 != 273 || (unsigned __int16)a3 != 1 ) // only WM_COMMAND with LOWORD(wParam) == 1 (IDOK) proceeds
return 0;
memset(&email, (unsigned __int16)a3 - 1, 0x100u); // LOWORD(a3) == 1 here, so the fill byte is 0
memset(serial_num, 0, 0x100u);
memset(&Text, 0, 0x100u);
GetDlgItemTextA(hDlg, 1001, &email, 256); // e-mail edit control
GetDlgItemTextA(hDlg, 1002, serial_num, 256); // serial edit control
// E-mail "validation": contains '@' and '.', the first '.' is not the last character,
// and the character after the first '@' is not '.'. Nothing stronger than that.
if ( strstr(&email, "@") && strstr(&email, ".") && strstr(&email, ".")[1] && strstr(&email, "@")[1] != '.' )
{
reg_fail = xmmword_410AA0; // message text assembled piecewise; xmmword_* contents are not in view
v29 = 1701999980;
*(_OWORD *)reg_suc = xmmword_410A90;
v30 = 46;
v26 = xmmword_410A80;
v27 = 3830633;
// Serial check: 16 bytes. Bytes 0-7, 9, 11, 12, 15 are compared directly; bytes 10, 13, 14
// are tied to a mirror byte through a sum (s[1]+s[14]==155, s[2]+s[13]==155, s[5]+s[10]==170).
// Sixteen equalities for sixteen unknowns, so exactly one serial passes.
if ( strlen(serial_num) != 16
|| serial_num[0] != 67 // 'C'
|| v23 != 88 // s[15] == 'X'
|| serial_num[1] != 90 // 'Z'
|| serial_num[1] + v22 != 155 // s[14] == 65 'A'
|| serial_num[2] != 57 // '9'
|| serial_num[2] + v21 != 155 // s[13] == 98 'b'
|| serial_num[3] != 100 // 'd'
|| v20 != 55 // s[12] == '7'
|| v12 != 109 // s[4] == 'm'
|| v19 != 71 // s[11] == 'G'
|| v13 != 113 // s[5] == 'q'
|| v13 + v18 != 170 // s[10] == 57 '9'
|| v14 != 52 // s[6] == '4'
|| v17 != 103 // s[9] == 'g'
|| v15 != 99 // s[7] == 'c'
|| v16 != 56 ) // s[8] == '8'
{
strcpy_s(&Text, 0x100u, (const char *)&reg_fail);
}
else
{
strcpy_s(&Text, 0x100u, reg_suc);
strcat_s(&Text, 0x100u, serial_num); // echo the accepted serial after "...is:"
}
}
else
{
strcpy_s(&Text, 0x100u, "Your E-mail address in not valid.");
}
MessageBoxA(hDlg, &Text, "Registeration", 0x40u); // MB_ICONINFORMATION
return 1;
}

邮箱格式要求strstr(&email, "@") && strstr(&email, ".") && strstr(&email, ".")[1] && strstr(&email, "@")[1] != '.'

序列号要求长度为16,且满足以下关系

# Rebuild the 16-byte SRM serial from the constraints in DialogFunc.
# Positions checked by a plain equality come straight from the constants;
# the three positions checked through a sum with their mirror byte are derived.
serial_num = [0] * 16

_fixed = {
    0: 67, 15: 88,
    1: 90,
    2: 57,
    3: 100, 12: 55,
    4: 109, 11: 71,
    5: 113,
    6: 52, 9: 103,
    7: 99, 8: 56,
}
for _pos, _val in _fixed.items():
    serial_num[_pos] = _val

# sum constraints: s[1]+s[14] == 155, s[2]+s[13] == 155, s[5]+s[10] == 170
serial_num[14] = 155 - serial_num[1]
serial_num[13] = 155 - serial_num[2]
serial_num[10] = 170 - serial_num[5]

print("".join(chr(_byte) for _byte in serial_num), end="")

flag: CZ9dmq4c8g9G7bAX

Sharif University CTF 2016 : Serial

存在花指令干扰了反编译,但反汇编正常工作

花指令为

.text:0000000000400A34 db  74h ; t
.text:0000000000400A35 db 0FAh
.text:0000000000400A36 db 0E8h`

通过动态调试来确认该程序的逻辑,将断点下在输入提示前

.text:00000000004009E4 mov     esi, offset aPleaseEnterThe     ; "Please Enter the valid key!\n"

输入字符串serial_num后,发现存在strlen

.text:0000000000400A19 loc_400A19:                             ; CODE XREF: main:loc_400A12↑j
.text:0000000000400A19 lea rax, [rbp+s]
.text:0000000000400A20 mov rdi, rax ; s
.text:0000000000400A23 call _strlen
.text:0000000000400A28 cmp rax, 10h
.text:0000000000400A2C jz short loc_400A3C

可以确认字符串的长度为 0x10,即 16

然后进行第一处比较

.text:0000000000400A3C movzx   eax, [rbp+s]
.text:0000000000400A43 cmp al, 45h
.text:0000000000400A45 jz short loc_400A55

serial_num[0]=0x45,确认第一个字符为E

进行第二处比较

.text:0000000000400A55 loc_400A55:                             ; CODE XREF: main+A9↑j
.text:0000000000400A55 movzx eax, [rbp+s]
.text:0000000000400A5C movsx edx, al
.text:0000000000400A5F movzx eax, [rbp+var_1F1]
.text:0000000000400A66 movsx eax, al
.text:0000000000400A69 add eax, edx
.text:0000000000400A6B cmp eax, 9Bh
.text:0000000000400A70 jz short loc_400A80

movzx eax, [rbp+var_1F1]即提取字符串的最后一个字符

serial_num[0]+serial_num[15]=0x9B,确认最后一个字符为V

第三处确认了serial_num[1],第四处确认了serial_num[1]+serial_num[14],以此类推

# Serial: the first eight checks pin bytes 0..7 directly; the remaining eight
# check a sum with the mirror byte, so each of the last eight entries reads
# "<sum>-<already known byte>".
a = ["69", "90", "57", "100", "109", "113", "52", "99",
     "155-99", "155-52", "170-113", "180-109", "155-100", "155-57", "155-90", "155-69"]


def _value(expr):
    # Entries are either "<n>" or "<n>-<m>"; no eval() needed for that grammar.
    lhs, _, rhs = expr.partition("-")
    return int(lhs) - int(rhs) if rhs else int(lhs)


print("".join(chr(_value(expr)) for expr in a), end="")

flag: EZ9dmq4c8g9G7bAV

Sharif University CTF 2016 : Android App

没环境,下次一定,咕咕咕~

Internetwache CTF 2016 : SPIM

Description: My friend keeps telling me, that real hackers speak assembly fluently. Are you a real hacker? Decode this string: “IVyN5U3X)ZUMYCs”

User Text Segment [00400000]..[00440000]
[00400000] 8fa40000 lw $4, 0($29) ; 183: lw $a0 0($sp) # argc
[00400004] 27a50004 addiu $5, $29, 4 ; 184: addiu $a1 $sp 4 # argv
[00400008] 24a60004 addiu $6, $5, 4 ; 185: addiu $a2 $a1 4 # envp
[0040000c] 00041080 sll $2, $4, 2 ; 186: sll $v0 $a0 2
[00400010] 00c23021 addu $6, $6, $2 ; 187: addu $a2 $a2 $v0
[00400014] 0c100009 jal 0x00400024 [main] ; 188: jal main
[00400018] 00000000 nop ; 189: nop
[0040001c] 3402000a ori $2, $0, 10 ; 191: li $v0 10
[00400020] 0000000c syscall ; 192: syscall # syscall 10 (exit)
[00400024] 3c081001 lui $8, 4097 [flag] ; 7: la $t0, flag
[00400028] 00004821 addu $9, $0, $0 ; 8: move $t1, $0
[0040002c] 3401000f ori $1, $0, 15 ; 11: sgt $t2, $t1, 15
[00400030] 0029502a slt $10, $1, $9
[00400034] 34010001 ori $1, $0, 1 ; 12: beq $t2, 1, exit
[00400038] 102a0007 beq $1, $10, 28 [exit-0x00400038]
[0040003c] 01095020 add $10, $8, $9 ; 14: add $t2, $t0, $t1
[00400040] 81440000 lb $4, 0($10) ; 15: lb $a0, ($t2)
[00400044] 00892026 xor $4, $4, $9 ; 16: xor $a0, $a0, $t1
[00400048] a1440000 sb $4, 0($10) ; 17: sb $a0, 0($t2)
[0040004c] 21290001 addi $9, $9, 1 ; 19: add $t1, $t1, 1
[00400050] 0810000b j 0x0040002c [for] ; 20: j for
[00400054] 00082021 addu $4, $0, $8 ; 24: move $a0, $t0
[00400058] 0c100019 jal 0x00400064 [printstring]; 25: jal printstring
[0040005c] 3402000a ori $2, $0, 10 ; 26: li $v0, 10
[00400060] 0000000c syscall ; 27: syscall
[00400064] 34020004 ori $2, $0, 4 ; 30: li $v0, 4
[00400068] 0000000c syscall ; 31: syscall
[0040006c] 03e00008 jr $31 ; 32: jr $ra

关键汇编为

[00400024] 3c081001  lui $8, 4097 [flag]      ; 7: la $t0, flag # t0 = &flag (address of the string)
[00400028] 00004821 addu $9, $0, $0 ; 8: move $t1, $0 # t1 = 0 (byte index)
[0040002c] 3401000f ori $1, $0, 15 ; 11: sgt $t2, $t1, 15 # $at = 15 -- the "or" only materialises the constant for the slt below
[00400030] 0029502a slt $10, $1, $9 ; # t2 = ($at < t1), i.e. t2 = (t1 > 15)
[00400034] 34010001 ori $1, $0, 1 ; 12: beq $t2, 1, exit # $at = 1
[00400038] 102a0007 beq $1, $10, 28 [exit-0x00400038] ; # if t2 == 1 goto exit: stop once t1 > 15 (indices 0..15)
[0040003c] 01095020 add $10, $8, $9 ; 14: add $t2, $t0, $t1 # t2 = &flag[t1]
[00400040] 81440000 lb $4, 0($10) ; 15: lb $a0, ($t2) # a0 = flag[t1]
[00400044] 00892026 xor $4, $4, $9 ; 16: xor $a0, $a0, $t1 # a0 ^= t1  (key is the byte's own index)
[00400048] a1440000 sb $4, 0($10) ; 17: sb $a0, 0($t2) # flag[t1] = a0 (decoded in place)
[0040004c] 21290001 addi $9, $9, 1 ; 19: add $t1, $t1, 1 # t1 += 1
[00400050] 0810000b j 0x0040002c [for] ; 20: j for # back to the loop test
# SPIM: the MIPS loop XORs each byte of the string with its own index, so
# applying the same XOR once more recovers the plaintext.
a = "IVyN5U3X)ZUMYCs"
decoded = "".join(chr(ord(ch) ^ pos) for pos, ch in enumerate(a))
print(decoded, end="")

flag: IW{M1P5_!S_FUN}

Internetwache CTF 2016 : File Checker

main
// File Checker (Internetwache CTF 2016): reads 15 bytes from ".password", pushes
// each one through sub_40079C and accepts only if every transformed byte is 0.
// IDA decompiler output; a1/a2/a3 are argc/argv/envp.
signed __int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
signed __int64 result; // rax
int per_ch; // [rsp+18h] [rbp-18h]   current byte; sub_40079C rewrites it in place
int len; // [rsp+1Ch] [rbp-14h]      always 15
FILE *stream; // [rsp+20h] [rbp-10h]
int index; // [rsp+28h] [rbp-8h]
int v8; // [rsp+2Ch] [rbp-4h]        accumulator: bitwise OR of every transformed byte

if ( (unsigned int)sub_400760() ) // existence probe; the file is opened a second time right below
{
stream = fopen(".password", "r");
if ( stream )
{
len = 15;
v8 = 0;
for ( index = 0; index < len; ++index )
{
per_ch = fgetc(stream);
if ( feof(stream) ) // short file: poison the accumulator and stop
{
v8 |= 4919u;
break;
}
sub_40079C(index, (unsigned int *)&per_ch); // per_ch = (table[index] + per_ch) % 4919
v8 |= per_ch; // every per_ch must be 0 for v8 to still be 0 after all 15 rounds
}
if ( v8 <= 0 ) // effectively v8 == 0: the OR of non-negative values never goes negative for byte input
{
fclose(stream);
puts("Congrats!");
result = 0LL;
}
else
{
puts("Error: Wrong characters"); // NB: stream is not closed on this path (FILE* leaked)
result = 1LL;
}
}
else
{
puts("Error: Could not read file");
result = 1LL;
}
}
else
{
printf("Fatal error: File does not exist", a2); // surplus `a2` argument is a decompiler artifact
result = 1LL;
}
return result;
}
sub_400760
// Existence probe for ".password": returns 1 if the file can be opened for
// reading, 0 otherwise. The handle is released immediately; main() opens the
// file again itself and handles a NULL stream on its own.
signed __int64 sub_400760()
{
    FILE *const probe = fopen(".password", "r");
    if ( probe == NULL )
        return 0LL;
    fclose(probe);
    return 1LL;
}
sub_40079C
// Per-byte transform for File Checker: *per_ch = (table[index] + *per_ch) % 4919,
// also returned. v4..v18 are 15 consecutive 4-byte stack slots (see the layout
// comments), so `&v4 + index` indexes them as a single int[15] table. `index` is
// not bounds-checked; main() only ever passes 0..14.
// For a byte-sized *per_ch the sum lies in [4794, 5107], so the result is 0 exactly
// when *per_ch == 4919 - table[index]; those differences spell the expected file
// contents (noted next to each constant).
__int64 __fastcall sub_40079C(int index, unsigned int *per_ch)
{
unsigned int v2; // ecx
__int64 result; // rax
int v4; // [rsp+10h] [rbp-40h]   table[0]
int v5; // [rsp+14h] [rbp-3Ch]   table[1]
int v6; // [rsp+18h] [rbp-38h]   table[2]
int v7; // [rsp+1Ch] [rbp-34h]   table[3]
int v8; // [rsp+20h] [rbp-30h]   table[4]
int v9; // [rsp+24h] [rbp-2Ch]   table[5]
int v10; // [rsp+28h] [rbp-28h]  table[6]
int v11; // [rsp+2Ch] [rbp-24h]  table[7]
int v12; // [rsp+30h] [rbp-20h]  table[8]
int v13; // [rsp+34h] [rbp-1Ch]  table[9]
int v14; // [rsp+38h] [rbp-18h]  table[10]
int v15; // [rsp+3Ch] [rbp-14h]  table[11]
int v16; // [rsp+40h] [rbp-10h]  table[12]
int v17; // [rsp+44h] [rbp-Ch]   table[13]
int v18; // [rsp+48h] [rbp-8h]   table[14]

v4 = 4846; // 4919 - 4846 == 'I'
v5 = 4832; // 'W'
v6 = 4796; // '{'
v7 = 4849; // 'F'
v8 = 4846; // 'I'
v9 = 4843; // 'L'
v10 = 4850; // 'E'
v11 = 4824; // '_'
v12 = 4852; // 'C'
v13 = 4847; // 'H'
v14 = 4818; // 'e'
v15 = 4852; // 'C'
v16 = 4844; // 'K'
v17 = 4822; // 'a'
v18 = 4794; // '}'
v2 = (signed int)(*(&v4 + index) + *per_ch) % 4919; // relies on the stack slots above being contiguous
result = v2;
*per_ch = v2; // caller ORs this into its accumulator
return result;
}

要使最终 v8==0,即每一次 v8|per_ch==0,即每一个经过 sub_40079C 后的 per_ch==0,也就是 (table[i] + per_ch) % 4919 == 0,因此每个字节应为 4919 - table[i]

# File Checker: sub_40079C leaves per_ch == 0 only when the file byte equals
# 4919 - table[i], so subtracting every table entry from 4919 yields the password.
a = [4846, 4832, 4796, 4849, 4846, 4843, 4850, 4824,
     4852, 4847, 4818, 4852, 4844, 4822, 4794]
password = "".join(chr(4919 - entry) for entry in a)
print(password, end="")

flag: IW{FILE_CHeCKa}

Internetwache CTF 2016 : ServerfARM

main
// ServerfARM (Internetwache CTF 2016): for each of argc-1 "tasks", read one
// whitespace-delimited token with scanf("%s") into a shared heap buffer and hand
// it to handle_task(). IDA decompiler output (32-bit ARM).
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [sp+4h] [bp-10h]   copy of argc
char *ptr; // [sp+8h] [bp-Ch]  shared 0x65-byte input buffer
int i; // [sp+Ch] [bp-8h]      task index

v4 = argc;
ptr = (char *)malloc(0x65u); // 101 bytes; the return value is never checked for NULL
for ( i = 0; v4 - 1 > i; ++i ) // one task per command-line argument; argv contents are never read
{
printf("Enter Solution for task %d:", i);
_isoc99_scanf("%s", ptr); // unbounded %s into a 101-byte heap buffer: over-long input overflows the heap
handle_task(i, ptr);
}
free(ptr);
return 0;
}
handle_task
// One ServerfARM task. `result` is the task index on entry (IDA named it after the
// register it shares with the return value); a2 is the user's answer. Each case
// prints a fragment of the flag when its check passes and a decoy string otherwise.
// Returns whatever the last printf/puts returned, or the index for unknown tasks.
int __fastcall handle_task(int result, char *a2)
{
signed int v2; // ST0C_4          mean byte value of the answer (case 0)
char *s; // [sp+0h] [bp-1Ch]      alias of a2
int v4; // [sp+4h] [bp-18h]       saved task index
size_t i; // [sp+8h] [bp-14h]
unsigned int v6; // [sp+Ch] [bp-10h]   sum of the answer's bytes (case 0)

v4 = result;
s = a2;
v6 = 0;
switch ( result )
{
case 0:
// Passes when the mean byte value is <= 35. strlen() is re-evaluated every
// iteration, and an empty answer divides by zero below.
for ( i = 0; strlen(s) > i; ++i )
v6 += (unsigned __int8)s[i];
v2 = v6 / strlen(s);
printf("%s", "Here's your 1. block:");
if ( v2 <= 35 )
{
printf("%s", "IW{"); // fragment "IW{S.E"
putchar('S');
result = printf("%c%c\n", '.', 'E');
}
else
{
result = puts("I{WAQ3"); // decoy
}
break;
case 1:
printf("%s", "Here's your 2. block:");
// Passes when s[0] % s[1] == 65 ('A'); a one-character answer makes s[1] == 0 and divides by zero.
if ( (unsigned __int8)*s % (signed int)(unsigned __int8)s[1] == 65 )
{
printf("%s", ".R."); // fragment ".R.V.E"
putchar('V');
result = printf("%c%c\n", '.', 'E');
}
else
{
result = puts("WI{QA3"); // decoy
}
break;
case 2:
printf("%s", "Here's your 3. block:");
if ( !strcmp(s, "1337") ) // fragment ".R>=F:"
result = puts(".R>=F:");
else
result = printf("%c%s%c\n", '.', "Q.D.Q", '!', s, v4); // decoy; the surplus arguments are decompiler artifacts
break;
case 3:
if ( *a2 ) // any non-empty answer; fragment "A:R:M}"
result = printf("%c%s%c\n", 'A', ":R:M", '}', a2, result); // surplus arguments are decompiler artifacts
break;
default:
return result; // unknown task index: returned unchanged
}
return result;
}

四个任务各自满足条件时输出一段,拼接后得到 flag: IW{S.E.R.V.E.R>=F:A:R:M}

Nuit du Hack CTF Quals 2016 : Matriochka - Step 1

// Matriochka step 1: compares argv[1] with a plaintext password and, on success,
// XOR-decrypts the 55335-byte global `next_step` with the password as a repeating
// key, writing the result to fd 2 (stderr) one byte per write(2).
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4; // rdx   high half of a 64x64 multiply: the compiler's idiom for unsigned division by 25
char buf; // [rsp+17h] [rbp-9h]    one decrypted byte
int index; // [rsp+18h] [rbp-8h]   position in next_step
int v7; // [rsp+1Ch] [rbp-4h]      same counter, used for the key index

if ( argc != 2 )
return fprintf(stdout, "Usage: %s <pass>\n", *argv, argv); // trailing `argv` is a decompiler artifact
if ( !strcmp(argv[1], "Much_secure__So_safe__Wow") ) // 25-char password compared in the clear
{
fwrite("Good good!\n", 1uLL, 0xBuLL, stdout);
index = 0;
v7 = 0;
while ( index <= 55334 ) // 55335 bytes of next_step (global, not in view)
{
// The two statements below compute v7 / 25 via multiply-high, so the key byte is
// argv[1][v7 % 25]: the 25-char password cycles over the whole blob.
v4 = 0x47AE147AE147AE15LL * (unsigned __int128)(unsigned __int64)v7 >> 64;
buf = next_step[index] ^ argv[1][v7 - 25 * ((v4 + ((unsigned __int64)(v7 - v4) >> 1)) >> 4)];
write(2, &buf, 1uLL); // one syscall per byte, to stderr
++index;
++v7;
}
}
else
{
fwrite("Try again...\n", 1uLL, 0xDuLL, stdout);
}
return 1; // NB: returns 1 on success as well
}

flag: Much_secure__So_safe__Wow

Nuit du Hack CTF Quals 2016 : Matriochka - Step 2

// Matriochka step 2: a2[1] must be an 11-character string satisfying the
// constraints below. Every check is a plain linear relation between bytes, so
// exactly one password passes ("Pandi_panda" per the inline notes); on success the
// next stage sub_40064D (not in view) runs with it.
int __fastcall main(int a1, char **a2, char **a3)
{
__int64 v4; // rbx
signed int v5; // [rsp+1Ch] [rbp-14h]   1 while every check so far has passed

if ( a1 != 2 )
return fprintf(stdout, "Usage: %s <pass>\n", *a2, a2);// pass=Pandi_panda
if ( 42 * (strlen(a2[1]) + 1) == 504 ) // len=11
{
v5 = 1;
// The checks do not short-circuit: all of them run regardless of earlier failures.
if ( *a2[1] != 80 ) // s[0]=P
v5 = 0;
if ( 2 * a2[1][3] != 200 ) // s[3]=d
v5 = 0;
if ( *a2[1] + 16 != a2[1][6] - 16 ) // s[6]=p
v5 = 0;
v4 = a2[1][5]; // s[5]=_
if ( v4 != 9 * strlen(a2[1]) - 4 ) // 9*11-4 == 95 == '_'
v5 = 0;
if ( a2[1][1] != a2[1][7] ) // s[7]=a
v5 = 0;
if ( a2[1][1] != a2[1][10] ) // s[10]=a
v5 = 0;
if ( a2[1][1] - 17 != *a2[1] ) // s[1]=a
v5 = 0;
if ( a2[1][3] != a2[1][9] ) // s[9]=d
v5 = 0;
if ( a2[1][4] != 105 ) // s[4]=i
v5 = 0;
if ( a2[1][2] - a2[1][1] != 13 ) // s[2]=n
v5 = 0;
if ( a2[1][8] - a2[1][7] != 13 ) // s[8]=n
v5 = 0;
if ( v5 )
return sub_40064D(a2[1]); // next stage, not in view
}
return fprintf(stdout, "Try again...\n", a2); // surplus `a2` argument is a decompiler artifact
}

flag: Pandi_panda

Nuit du Hack CTF Quals 2016 : Matriochka - Step 3

main
// Matriochka step 3: copies a2[1] into the global `dest`, installs a SIGSEGV
// handler and raises SIGSEGV 1024 times. Each handler checks one byte of `dest`
// and, on a match, installs the handler for the next byte (see sub_4007FD and
// onwards), so the password is consumed one character per signal.
int __fastcall main(int a1, char **a2, char **a3)
{
signed int i; // [rsp+18h] [rbp-8h]
__pid_t pid; // [rsp+1Ch] [rbp-4h]

if ( a1 != 2 )
return printf("Usage: %s <pass>\n", *a2, a3, a2); // surplus arguments are decompiler artifacts
strncpy(&dest, a2[1], 0x3FFuLL); // dest is a global buffer (size not in view); strncpy does not guarantee NUL termination
pid = getpid();
signal(11, (__sighandler_t)sub_4007FD); // SIGSEGV -> first per-character check
signal(8, (__sighandler_t)sub_401050); // SIGFPE handler, body not in view
for ( i = 0; i <= 1023; ++i )
kill(pid, 11); // raise SIGSEGV; whichever handler is installed at that moment runs
puts("Try again!"); // reached unless a handler ends the process first (presumably the final one does)
return 1;
}

每个signal(11,func)处理一个字符

sub_4007FD
// SIGSEGV handler #1: accepts only dest[0] == 'D'. With integer division,
// 1000*c / 'D' falls in (999, 1000] exactly when c == 68 ('D'), so this is an
// obfuscated equality test. On a match the next handler is chained in; on a
// mismatch this handler stays installed and every later signal fails the same way.
void sub_4007FD()
{
int v0; // ecx

v0 = 1000 * dest; // dest: first byte of the copied password (global)
if ( v0 / 'D' > 999 && v0 / 'D' <= 1000 )
signal(11, (__sighandler_t)handler);
}
handler
// SIGSEGV handler #2: same obfuscated equality test as sub_4007FD, now requiring
// the second password byte to be 'i' (105). byte_6040C1 is presumably dest + 1 --
// confirm against the data segment.
void handler()
{
int v0; // ecx

v0 = 1000 * byte_6040C1;
if ( v0 / 'i' > 999 && v0 / 'i' <= 1000 )
signal(11, (__sighandler_t)sub_4008C7); // chain to the check for byte 2
}
sub_4008C7
// SIGSEGV handler #3: requires the third password byte to be 'd' (100), using the
// same 1000*c / 'd' in (999, 1000] trick. byte_6040C2 is presumably dest + 2.
// The chain continues with sub_400926 (not in view), one handler per character.
void sub_4008C7()
{
int v0; // ecx

v0 = 1000 * byte_6040C2;
if ( v0 / 'd' > 999 && v0 / 'd' <= 1000 )
signal(11, (__sighandler_t)sub_400926);
}

flag: Did_you_like_signals?

ASIS CTF 2018 Quals : Warm up

// Obfuscated ASIS warm-up source. The macros all fold to small constants:
// M = 37, q = 3, v = 1, ef = 2, f = 0, k = 6.
#define M 37
#define q (2 + M / M)
#define v (q / q)
#define ef ((v + q) / 2)
#define f (q - v - ef)
#define k (8 - ef)
struct b
{
int64_t y[13]; // 13 * 8 bytes, so sizeof(S) == 104 -- the `b` seed main() starts from
} S;
// Globals used only by g()/l(): a 1<<26-int table `t` (256 MiB), modulus m and
// related parameters, plus loop state. main()'s output never reads any of them.
int m = 1811939329, N = 1, t[1 << 26] = {2}, a, *p, i, e = 73421233, s, c, U = 1;
// Busy-work helper with no bearing on the output (K&R style, implicit int).
// Operates on the global table t[] modulo m, using s/N/p/i/c/a as loop state;
// the inner update looks like a radix-2 butterfly over the pair (*p, p[s]).
// z() reaches this through l(), but z()'s return value never reads these globals.
g(d, h)
{
for (i = s; i < 1 << 25; i *= 2)
d = d * 1LL * d % m; // repeated squaring of the twiddle base mod m
for (p = t; p < t + N; p += s)
for (i = s, c = 1; i; i--)
a = p[s] * (h ? c : 1LL) % m, p[s] = (m * 1U + *p - a) * (h ? 1LL : c) % m, *p = (a * 1U + *p) % m, p++, c = c * 1LL * d % m; // h selects forward/inverse-style scaling
}
// Busy-work: halves the global e on every iteration until it reaches 0, doing a
// size-N pass over t[] each time (N doubles per iteration). Because e is global,
// once it hits 0 every later l() call returns at once -- the cost is paid on the
// first call only. Nothing computed here feeds main()'s output.
l()
{
while (e /= 2)
{
N *= 2;
U = U * 1LL * (m + 1) / 2 % m; // U = U * inverse(2) mod m (m is odd)
for (s = N; s /= 2;)
g(136, 0);
for (p = t; p < t + N; p++)
*p = *p * 1LL * *p % m * U % m; // pointwise square, scaled by U
for (s = 1; s < N; s *= 2)
g(839354248, 1);
for (a = 0, p = t; p < t + N;)
a += *p << (e & 1), *p++ = a % 10, a /= 10; // base-10 carry propagation across t[]
}
}
// z(n): the n-th prime by trial division (z(1) == 2, z(2) == 3, z(5) == 11).
// The interleaved l() calls only burn time on the globals; the local `c` shadows
// the global one, so the return value depends on n alone.
z(n)
{
int y = 3, j, c; // y = candidate, j = primes found so far (2 counts as the first), c = trial divisor
for (j = 2; j <= n;)
{
l();
for (c = 2; c <= y - 1; c++)
{
l();
if (y % c == 0)
break;
}
if (c == y) // no divisor in [2, y) -> y is prime
{
l();
j++;
}
y++;
}
l();
return y - 1; // the last candidate accepted
}
// Entry point (K&R style: `a` is argc, `pq` argv; neither is read). Every element
// of x[] is a constant expression over the folded macros, sizeof(S) == 104 and
// z(), so the output is fixed at build time. The initializer lists 31 values, so
// x[31..36] are zero and the last six putchar() calls emit NUL bytes.
// x[M - v - j] for j = M-1 down to 0 walks x[0..36] front to back (x[28] == 84 == 'T').
// NB: `k << j` inside the list is 6 << 37, an over-shift of a 32-bit int -- undefined
// behaviour that happens to work on the target.
main(a, pq) char *pq;
{
int b = sizeof(S), y = b, j = M; // b == y == 104, j == 37
l(); // busy-work only, see l()
int x[M] = {b - M - sizeof((short int)a), (b >> v) + (k << v) + (v << (q | ef)) + z(v + (ef << v)), (z(k * ef) << v) - pow(ef, f), z(((j - ef * k) | (ef << k >> v) / k - ef << v) - ef), (((y + M) & b) << (k / q + ef)) - z(ef + v), ((ef << k) - v) & y, y * v + v, (ef << (q * ef - v - (k >> ef))) * q - v, (f << q) | (ef << (q * f + k)) - j + k, (z(z(z(z(z(v))))) * q) & (((j / q) - (ef << v)) << q) | (j + (q | (ef << v))), y | (q + v), (ef << ef) - v + ef * (((j >> ef) | j) - v + ef - q + v), (z(j & (b << ef)) & (z(v << v) << k)) - (q << v) - q, (k << q) + q, (z(y) >> (ef << v)) + (z(k + v)) - q, (z(z(k & ef | j)) & b | ef | v << f << q << v & ef >> k | q << ef << v | k | q) + z(v << v) + v, (ef >> v) * q * z(k - v) + z(ef << ef & q | k) + ef, z(k << k) & v & k | y + k - v, z(f >> ef | k >> ef | v | k) * (ef >> v) * q, (ef << k - ef << v >> q << ef * ef) - j + (ef << v), z(ef * k) * z(v << v) + k - v, z((z(k) << z(v))) & y | k | v, z(ef << ef << v << v) / ef + z(v << ef | k | (b >> q) & y - f) - (ef << q) + (k - v) - ef, k << (ef + q) / z(ef) * z(q) & z(k << k) | v, ((z(y | j >> k * ef)) % ef << z(v << v << v) >> q << q | j) / ef + v, (j - ef << ef << v * z(v >> v << v) >> ef) / ef % z(k << j) + q, z(k - v) + k | z(ef << k >> v << f) - z(q << q) * ef >> v, (z(ef | y & j | k) % q | j + ef << z(k | ef) % k << q | ef | k << ef << q / ef | y / ef + j >> q) & k << j | ef + v, 84, z(v * ef << ef << q) * q % ef << k | k | q - v, ((z(20) * v) | (f >> q) | (k << k)) / ef - (ef << (v * q + ef)) - (k << q) + z(k) - q};
while (j--)
{
putchar(x[M - v - j]); // == x[36 - j]
}
printf(" From ASIS With Love <3\n");
return 0;
}

可知函数 l 和 g 对输出并没有实际作用,可以直接去掉

#include<iostream>
#include<cmath>
using namespace std;
// Cleaned-up ASIS warm-up with the busy-work removed. The macros fold to:
// M = 37, q = 3, v = 1, ef = 2, f = 0, k = 6.
#define M 37
#define q (2 + M / M)
#define v (q / q)
#define ef ((v + q) / 2)
#define f (q - v - ef)
#define k (8 - ef)
struct b
{
int64_t y[13]; // sizeof(S) == 104, the seed value main() starts from
} S;
// Kept verbatim from the original; none of these globals are used any more
// (the 256 MiB table `t` still costs address space at load).
int m = 1811939329, N = 1, t[1 << 26] = {2}, a, *p, i, e = 73421233, s, c, U = 1;
// Returns the n-th prime (z(1) == 2, z(2) == 3, z(5) == 11) by trial division.
// The l() calls of the obfuscated original are gone; they never affected the result.
int64_t z(int n){
    int candidate = 3;
    int found = 2; // primes seen so far; 2 is counted up front
    while (found <= n)
    {
        int divisor = 2;
        while (divisor < candidate && candidate % divisor != 0)
            ++divisor;
        if (divisor == candidate) // no divisor in [2, candidate) -> prime
            ++found;
        ++candidate;
    }
    return candidate - 1; // the last candidate accepted
}
// Prints the flag: every element of x[] is a constant expression over the folded
// macros, sizeof(S) == 104 and z(), so the output is fixed at build time. Only 31
// initializers are given, so x[31..36] are zero and the last six putchar() calls
// emit NUL bytes. x[M - v - j] for j = M-1 down to 0 walks x[0..36] in order.
// NB: `k << j` inside the list is 6 << 37, an over-shift of a 32-bit int (UB).
int main() {
char *pq; // unused leftover of the K&R argv parameter
int b = sizeof(S), y = b, j = M; // b == y == 104, j == 37
int x[M] = {b - M - sizeof((short int)a), (b >> v) + (k << v) + (v << (q | ef)) + z(v + (ef << v)), (z(k * ef) << v) - pow(ef, f), z(((j - ef * k) | (ef << k >> v) / k - ef << v) - ef), (((y + M) & b) << (k / q + ef)) - z(ef + v), ((ef << k) - v) & y, y * v + v, (ef << (q * ef - v - (k >> ef))) * q - v, (f << q) | (ef << (q * f + k)) - j + k, (z(z(z(z(z(v))))) * q) & (((j / q) - (ef << v)) << q) | (j + (q | (ef << v))), y | (q + v), (ef << ef) - v + ef * (((j >> ef) | j) - v + ef - q + v), (z(j & (b << ef)) & (z(v << v) << k)) - (q << v) - q, (k << q) + q, (z(y) >> (ef << v)) + (z(k + v)) - q, (z(z(k & ef | j)) & b | ef | v << f << q << v & ef >> k | q << ef << v | k | q) + z(v << v) + v, (ef >> v) * q * z(k - v) + z(ef << ef & q | k) + ef, z(k << k) & v & k | y + k - v, z(f >> ef | k >> ef | v | k) * (ef >> v) * q, (ef << k - ef << v >> q << ef * ef) - j + (ef << v), z(ef * k) * z(v << v) + k - v, z((z(k) << z(v))) & y | k | v, z(ef << ef << v << v) / ef + z(v << ef | k | (b >> q) & y - f) - (ef << q) + (k - v) - ef, k << (ef + q) / z(ef) * z(q) & z(k << k) | v, ((z(y | j >> k * ef)) % ef << z(v << v << v) >> q << q | j) / ef + v, (j - ef << ef << v * z(v >> v << v) >> ef) / ef % z(k << j) + q, z(k - v) + k | z(ef << k >> v << f) - z(q << q) * ef >> v, (z(ef | y & j | k) % q | j + ef << z(k | ef) % k << q | ef | k << ef << q / ef | y / ef + j >> q) & k << j | ef + v, 84, z(v * ef << ef << q) * q % ef << k | k | q - v, ((z(20) * v) | (f >> q) | (k << k)) / ef - (ef << (v * q + ef)) - (k << q) + z(k) - q};
while (j--)
{
putchar(x[M - v - j]); // == x[36 - j]
}
printf(" From ASIS With Love <3\n");
return 0;
}

flag: ASIS{hi_all_w31c0m3_to_ASISCTF}

Easy

SSCTF 2016 : Re1

没环境,下次一定,咕咕咕~

0CTF 2016 Quals : boomshakalaka

没环境,下次一定,咕咕咕~

Codegate CTF 2018 Preliminary : RedVelvet