ctfshow_1024杯部分wp
查杀病毒
查壳,貌似有壳
krnln.fnr 是易语言核心库, 也就是说易语言的特征码可以在这里面使用
界面还行. 有界面就代表着有按钮事件,
在 krnln.fnr 这个库的起始位置 ctrl + b 二进制搜索
ff 55 fc 5f 5e
这个地方就是 易语言按钮事件的地方了
输入测试数据, 点击 开通vip , 就会断在 刚才下的断点处
f7 跟进去, 一直 单步走
有花指令的地方,简单做下处理.
; =====================================================================
; OllyDbg dump (x86-32, Intel syntax) of the "activate VIP" (开通 VIP) button handler.
; Frame: 0x24 bytes of locals; every helper call is followed by a caller-side add esp.
;   [ebp-0x4]  card number    (text read from control 0x16010003)
;   [ebp-0x8]  card password  (text read from control 0x16010005)
;   [ebp-0xC]  account        (text read from control 0x16010007)
;   [ebp-0x10] reply value that is compared against "true"
;   [ebp-0x14] scratch: freshly read string, later the built URL
;   [ebp-0x18] raw HTTP response
;   [ebp-0x24], [ebp-0x20], [ebp-0x1C]  (eax, edx, ecx) triple returned by 0040AFB8;
;              ecx appears to be a type tag (it is compared with 0x80000004 / 0x80000005)
; Helper roles are inferred from how they are used here, not from symbols:
;   0040AFCA read control text   0040AA72 join strings     0040AFBE HTTP request
;   0040AFB8 convert / display   0040AFB2 release string   0040AFC4 runtime error (?)
;   0040AACE string compare      0040AB6B unknown
; Obfuscation: "stc; jb +1" (CF=1, so the jump is always taken), "jmp short +1; nop",
; and junk bytes that misalign the disassembler; at each such spot the comment
; gives the bytes that actually execute.
; Security note: the licence decision is a client-side compare of the server
; reply with "true", so the reply text, not the binary, is what this check trusts.
; =====================================================================
0040AB73 55 push ebp ; "activate VIP" button handler (author's note); standard frame prologue
0040AB74 8BEC mov ebp,esp
0040AB76 81EC 24000000 sub esp,0x24 ; locals, see header
0040AB7C C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0 ; card number   = NULL
0040AB83 C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0 ; card password = NULL
0040AB8A C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0 ; account       = NULL
0040AB91 C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0 ; reply value   = NULL
0040AB98 6A FF push -0x1
0040AB9A 6A 08 push 0x8
0040AB9C 68 03000116 push 0x16010003 ; control id (presumably the card-number box)
0040ABA1 68 01000152 push 0x52010001 ; form id (presumably; identical for all three reads)
0040ABA6 E8 1F040000 call re3_(1).0040AFCA ; read the card-number text (author's note); eax = new string
0040ABAB 83C4 10 add esp,0x10 ; caller pops the 4 args
0040ABAE 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040ABB1 F9 stc ; CF=1, so the jb below is always taken ...
0040ABB2 72 01 jb short re3_(1).0040ABB5 ; ... and only skips one byte (junk-code pattern)
0040ABB4 90 nop ; never executed
0040ABB5 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ABB8 50 push eax ; keep the new string across the release call
0040ABB9 8B5D FC mov ebx,dword ptr ss:[ebp-0x4] ; (ntdll.76FEABD7 is a stale debugger annotation) old card-number string
0040ABBC 85DB test ebx,ebx
0040ABBE 74 09 je short re3_(1).0040ABC9 ; NULL: nothing to release
0040ABC0 53 push ebx
0040ABC1 E8 EC030000 call re3_(1).0040AFB2 ; author: "error callback"; usage (every non-NULL local, before overwrite and at exit) suggests release-string
0040ABC6 83C4 04 add esp,0x4
0040ABC9 58 pop eax ; the new string
0040ABCA 8945 FC mov dword ptr ss:[ebp-0x4],eax ; card number
0040ABCD 6A FF push -0x1
0040ABCF 6A 08 push 0x8
0040ABD1 68 05000116 push 0x16010005 ; control id (presumably the card-password box)
0040ABD6 68 01000152 push 0x52010001
0040ABDB E8 EA030000 call re3_(1).0040AFCA ; read the card-password text (author's note)
0040ABE0 83C4 10 add esp,0x10
0040ABE3 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040ABE6 EB 01 jmp short re3_(1).0040ABE9 ; jump over one nop (junk-code pattern)
0040ABE8 90 nop ; never executed
0040ABE9 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ABEC 50 push eax ; keep the new string across the release call
0040ABED 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8] ; old card-password string
0040ABF0 85DB test ebx,ebx
0040ABF2 74 09 je short re3_(1).0040ABFD ; NULL: nothing to release
0040ABF4 53 push ebx
0040ABF5 E8 B8030000 call re3_(1).0040AFB2 ; release old string (see note at 0040ABC1)
0040ABFA 83C4 04 add esp,0x4
0040ABFD 58 pop eax
0040ABFE 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; card password
0040AC01 6A FF push -0x1
0040AC03 6A 08 push 0x8
0040AC05 68 07000116 push 0x16010007 ; control id (presumably the account box)
0040AC0A 68 01000152 push 0x52010001
0040AC0F E8 B6030000 call re3_(1).0040AFCA ; read the account text (author's note)
0040AC14 83C4 10 add esp,0x10
0040AC17 8945 EC mov dword ptr ss:[ebp-0x14],eax
0040AC1A 90 nop ; 10 bytes of nops: junk the author patched out (the writeup says junk was "simply handled")
0040AC1B 90 nop
0040AC1C 90 nop
0040AC1D 90 nop
0040AC1E 90 nop
0040AC1F 90 nop
0040AC20 90 nop
0040AC21 90 nop
0040AC22 90 nop
0040AC23 90 nop
0040AC24 B9 8B45EC50 mov ecx,0x50EC458B ; misaligned: B9 is a junk byte; the "immediate" 8B 45 EC 50 is the real code entered at 0040AC25 = mov eax,[ebp-0x14] / push eax (same pair as 0040ABE9), which the pop at 0040AC39 balances
0040AC29 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC] ; old account string
0040AC2C 85DB test ebx,ebx
0040AC2E 74 09 je short re3_(1).0040AC39 ; NULL: nothing to release
0040AC30 53 push ebx
0040AC31 E8 7C030000 call re3_(1).0040AFB2 ; release old string (see note at 0040ABC1)
0040AC36 83C4 04 add esp,0x4
0040AC39 58 pop eax ; the new string pushed by the hidden push at 0040AC28
0040AC3A 8945 F4 mov dword ptr ss:[ebp-0xC],eax ; account
0040AC3D 90 nop ; patched junk (presumably)
0040AC3E 90 nop
0040AC3F 90 nop
0040AC40 90 nop
0040AC41 FF75 F4 push dword ptr ss:[ebp-0xC] ; account  -- pieces are pushed last-to-first
0040AC44 68 06A14000 push re3_(1).0040A106 ; "&vip="
0040AC49 FF75 F8 push dword ptr ss:[ebp-0x8] ; card password
0040AC4C 68 0CA14000 push re3_(1).0040A10C ; "&password="
0040AC51 FF75 FC push dword ptr ss:[ebp-0x4] ; card number (ntdll.* annotation is stale)
0040AC54 68 17A14000 push re3_(1).0040A117 ; "https://ctfer.com/vip.php?username="
0040AC59 B9 06000000 mov ecx,0x6 ; 6 pieces to join
0040AC5E E8 0FFEFFFF call re3_(1).0040AA72 ; join strings -> request URL (author's note); card number and password end up in the GET query string
0040AC63 83C4 18 add esp,0x18
0040AC66 8945 EC mov dword ptr ss:[ebp-0x14],eax ; URL
0040AC69 68 04000080 push 0x80000004 ; type tag that precedes every text argument below (presumably "text")
0040AC6E 6A 00 push 0x0
0040AC70 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040AC73 85C0 test eax,eax
0040AC75 75 05 jnz short re3_(1).0040AC7C
0040AC77 B8 3BA14000 mov eax,re3_(1).0040A13B ; empty-string constant (debugger shows "ā") substituted for a NULL pointer
0040AC7C 50 push eax ; URL
0040AC7D 68 01000000 push 0x1 ; argument count (presumably)
0040AC82 BB 1C000000 mov ebx,0x1C ; routine selector for the library call (presumably)
0040AC87 B8 01000000 mov eax,0x1
0040AC8C EB 01 jmp short re3_(1).0040AC8F ; jump over one nop (junk-code pattern)
0040AC8E 90 nop ; never executed
0040AC8F E8 2A030000 call re3_(1).0040AFBE ; HTTP request; eax = returned data (author's note)
0040AC94 83C4 10 add esp,0x10
0040AC97 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; raw response
0040AC9A 8B5D EC mov ebx,dword ptr ss:[ebp-0x14] ; release the URL string
0040AC9D 85DB test ebx,ebx
0040AC9F 74 09 je short re3_(1).0040ACAA
0040ACA1 53 push ebx
0040ACA2 E8 0B030000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040ACA7 83C4 04 add esp,0x4
0040ACAA 6A 00 push 0x0
0040ACAC 6A 00 push 0x0
0040ACAE 6A 00 push 0x0
0040ACB0 68 01030080 push 0x80000301
0040ACB5 6A 00 push 0x0
0040ACB7 68 0A000000 push 0xA
0040ACBC 68 05000080 push 0x80000005 ; type tag of the response value (presumably; see the cmp at 0040AE79)
0040ACC1 6A 00 push 0x0
0040ACC3 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040ACC6 85C0 test eax,eax
0040ACC8 75 05 jnz short re3_(1).0040ACCF
0040ACCA B8 3CA14000 mov eax,re3_(1).0040A13C ; empty-value constant substituted for a NULL response
0040ACCF 50 push eax ; response
0040ACD0 68 03000000 push 0x3
0040ACD5 BB 9C010000 mov ebx,0x19C ; routine selector (presumably)
0040ACDA EB 01 jmp short re3_(1).0040ACDD ; jump over one nop (junk-code pattern)
0040ACDC 90 nop ; never executed
0040ACDD E8 D6020000 call re3_(1).0040AFB8 ; convert the response; returns an (eax, edx, ecx) triple, ecx looking like a type tag
0040ACE2 83C4 28 add esp,0x28 ; author: changing "false" to "true" in eax here yields the flag -- i.e. the decision is keyed on the reply text alone
0040ACE5 8945 DC mov dword ptr ss:[ebp-0x24],eax ; converted value
0040ACE8 8955 E0 mov dword ptr ss:[ebp-0x20],edx
0040ACEB 894D E4 mov dword ptr ss:[ebp-0x1C],ecx ; type tag (the re3_(1).0040A144 annotation is stale)
0040ACEE 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18] ; release the raw response
0040ACF1 85DB test ebx,ebx
0040ACF3 74 09 je short re3_(1).0040ACFE
0040ACF5 53 push ebx
0040ACF6 E8 B7020000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040ACFB 83C4 04 add esp,0x4
0040ACFE F9 stc ; always-taken jb (junk-code pattern)
0040ACFF 72 01 jb short re3_(1).0040AD02
0040AD01 90 nop ; never executed
0040AD02 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040AD05 81F9 04000080 cmp ecx,0x80000004 ; did the conversion produce text?
0040AD0B 74 0D je short re3_(1).0040AD1A
0040AD0D 68 05000000 push 0x5 ; otherwise raise runtime error 5 (presumably a type-mismatch error)
0040AD12 E8 AD020000 call re3_(1).0040AFC4
0040AD17 83C4 04 add esp,0x4
0040AD1A 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
0040AD1D 50 push eax ; keep the converted value across the release call
0040AD1E 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10] ; old reply value
0040AD21 85DB test ebx,ebx
0040AD23 74 09 je short re3_(1).0040AD2E
0040AD25 53 push ebx
0040AD26 E8 87020000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040AD2B 83C4 04 add esp,0x4
0040AD2E 58 pop eax
0040AD2F 8945 F0 mov dword ptr ss:[ebp-0x10],eax ; reply value
0040AD32 F9 stc ; always-taken jb (junk-code pattern)
0040AD33 72 01 jb short re3_(1).0040AD36
0040AD35 90 nop ; never executed
0040AD36 68 44A14000 push re3_(1).0040A144 ; ASCII "true"
0040AD3B FF75 F0 push dword ptr ss:[ebp-0x10] ; reply value
0040AD3E E8 8BFDFFFF call re3_(1).0040AACE ; string compare; 0 == equal (inferred from the branch below)
0040AD43 83C4 08 add esp,0x8
0040AD46 83F8 00 cmp eax,0x0
0040AD49 0F85 7B010000 jnz re3_(1).0040AECA ; reply != "true" -> failure message. author: nop'ing just this jump does not work, a second verification follows
0040AD4F BB 06000000 mov ebx,0x6 ; author: the rest was not analysed
0040AD54 E8 12FEFFFF call re3_(1).0040AB6B ; helper of unknown purpose (also called at 0040AE4C and 0040AECF)
0040AD59 68 01030080 push 0x80000301
0040AD5E 6A 00 push 0x0
0040AD60 68 00000000 push 0x0
0040AD65 68 04000080 push 0x80000004 ; text type tag
0040AD6A 6A 00 push 0x0
0040AD6C 68 49A14000 push re3_(1).0040A149 ; "vip开通成功!" ("VIP activation succeeded!")
0040AD71 68 04000000 push 0x4
0040AD76 BB 00030000 mov ebx,0x300 ; same call shape as the failure message at 0040AED4: presumably shows a message box
0040AD7B EB 01 jmp short re3_(1).0040AD7E ; jump over one nop (junk-code pattern)
0040AD7D 90 nop ; never executed
0040AD7E E8 35020000 call re3_(1).0040AFB8
0040AD83 83C4 34 add esp,0x34
0040AD86 EB 01 jmp short re3_(1).0040AD89 ; lands on FF 75 F4 at 0040AD89 = push dword ptr [ebp-0xC] (account), as at 0040AC41
0040AD88 87FF xchg edi,edi ; misaligned decode: 87 is a junk byte, FF is the opcode of that push
0040AD8A ^ 75 F4 jnz short re3_(1).0040AD80 ; misaligned decode of the push's ModRM/displacement; never executed as a jnz
0040AD8C 68 06A14000 push re3_(1).0040A106 ; ASCII "&vip="
0040AD91 FF75 F8 push dword ptr ss:[ebp-0x8] ; card password
0040AD94 68 56A14000 push re3_(1).0040A156 ; "&passwOrd=" -- note the capital O: a different query key than the first request's "&password="
0040AD99 FF75 FC push dword ptr ss:[ebp-0x4] ; card number (ntdll.* annotation is stale)
0040AD9C 68 17A14000 push re3_(1).0040A117 ; "https://ctfer.com/vip.php?username="
0040ADA1 B9 06000000 mov ecx,0x6 ; 6 pieces to join
0040ADA6 E8 C7FCFFFF call re3_(1).0040AA72 ; join strings -> second request URL
0040ADAB 83C4 18 add esp,0x18
0040ADAE 8945 EC mov dword ptr ss:[ebp-0x14],eax ; URL
0040ADB1 68 04000080 push 0x80000004 ; text type tag
0040ADB6 6A 00 push 0x0
0040ADB8 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
0040ADBB 85C0 test eax,eax
0040ADBD 75 05 jnz short re3_(1).0040ADC4
0040ADBF B8 3BA14000 mov eax,re3_(1).0040A13B ; empty-string constant substituted for a NULL pointer
0040ADC4 50 push eax ; URL
0040ADC5 68 01000000 push 0x1
0040ADCA BB 1C000000 mov ebx,0x1C
0040ADCF B8 01000000 mov eax,0x1
0040ADD4 EB 01 jmp short re3_(1).0040ADD7 ; lands on E8 E2 01 00 00 at 0040ADD7 = call 0040AFBE (HTTP request again, as at 0040AC8F)
0040ADD6 7A E8 jpe short re3_(1).0040ADC0 ; misaligned decode (7A is the junk byte, E8 the call opcode); never executed
0040ADD8 E2 01 loopd short re3_(1).0040ADDB ; misaligned decode of the call's rel32 bytes
0040ADDA 0000 add byte ptr ds:[eax],al ; misaligned decode of the call's rel32 bytes
0040ADDC 83C4 10 add esp,0x10
0040ADDF 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; raw second response
0040ADE2 8B5D EC mov ebx,dword ptr ss:[ebp-0x14] ; release the URL string
0040ADE5 85DB test ebx,ebx
0040ADE7 74 09 je short re3_(1).0040ADF2
0040ADE9 53 push ebx
0040ADEA E8 C3010000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040ADEF 83C4 04 add esp,0x4
0040ADF2 6A 00 push 0x0
0040ADF4 6A 00 push 0x0
0040ADF6 6A 00 push 0x0
0040ADF8 68 01030080 push 0x80000301
0040ADFD 6A 00 push 0x0
0040ADFF 68 0A000000 push 0xA
0040AE04 68 05000080 push 0x80000005
0040AE09 6A 00 push 0x0
0040AE0B 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040AE0E 85C0 test eax,eax
0040AE10 75 05 jnz short re3_(1).0040AE17
0040AE12 B8 3CA14000 mov eax,re3_(1).0040A13C ; empty-value constant substituted for a NULL response
0040AE17 50 push eax ; second response
0040AE18 68 03000000 push 0x3
0040AE1D BB 9C010000 mov ebx,0x19C
0040AE22 F9 stc ; always-taken jb ...
0040AE23 72 01 jb short re3_(1).0040AE26 ; ... lands on E8 8D 01 00 00 at 0040AE26 = call 0040AFB8 (same conversion as at 0040ACDD)
0040AE25 8ee8 mov gs,eax ; misaligned decode (8E junk byte + E8 call opcode); never executed
0040AE27 8D01 lea eax,dword ptr ds:[ecx] ; misaligned decode of the call's rel32 bytes
0040AE29 0000 add byte ptr ds:[eax],al ; misaligned decode of the call's rel32 bytes
0040AE2B 83C4 28 add esp,0x28
0040AE2E 8945 DC mov dword ptr ss:[ebp-0x24],eax ; converted second value
0040AE31 8955 E0 mov dword ptr ss:[ebp-0x20],edx
0040AE34 894D E4 mov dword ptr ss:[ebp-0x1C],ecx ; type tag (annotation is stale)
0040AE37 8B5D E8 mov ebx,dword ptr ss:[ebp-0x18] ; release the raw second response
0040AE3A 85DB test ebx,ebx
0040AE3C 74 09 je short re3_(1).0040AE47
0040AE3E 53 push ebx
0040AE3F E8 6E010000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040AE44 83C4 04 add esp,0x4
0040AE47 BB 06000000 mov ebx,0x6
0040AE4C E8 1AFDFFFF call re3_(1).0040AB6B ; helper of unknown purpose
0040AE51 68 01030080 push 0x80000301
0040AE56 6A 00 push 0x0
0040AE58 68 00000000 push 0x0
0040AE5D 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; reload the (value, edx, tag) triple of the second reply
0040AE60 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
0040AE63 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
0040AE66 81F9 04000080 cmp ecx,0x80000004 ; text tag ...
0040AE6C 75 0B jnz short re3_(1).0040AE79
0040AE6E 85C0 test eax,eax
0040AE70 75 18 jnz short re3_(1).0040AE8A
0040AE72 B8 3BA14000 mov eax,re3_(1).0040A13B ; ... NULL text -> empty-string constant
0040AE77 EB 11 jmp short re3_(1).0040AE8A
0040AE79 81F9 05000080 cmp ecx,0x80000005 ; other tag ...
0040AE7F 75 09 jnz short re3_(1).0040AE8A
0040AE81 85C0 test eax,eax
0040AE83 75 05 jnz short re3_(1).0040AE8A
0040AE85 B8 3CA14000 mov eax,re3_(1).0040A13C ; ... NULL value -> empty-value constant
0040AE8A 51 push ecx ; tag (annotation is stale)
0040AE8B 52 push edx
0040AE8C 50 push eax ; value
0040AE8D 68 04000000 push 0x4
0040AE92 BB 00030000 mov ebx,0x300 ; same shape as the message-box call at 0040AD76, with the second reply as the text (presumably displays it)
0040AE97 F9 stc ; always-taken jb ...
0040AE98 72 01 jb short re3_(1).0040AE9B ; ... lands on E8 18 01 00 00 at 0040AE9B = call 0040AFB8
0040AE9A B0 E8 mov al,0xE8 ; misaligned decode (B0 junk byte + E8 call opcode); never executed
0040AE9C 1801 sbb byte ptr ds:[ecx],al ; misaligned decode of the call's rel32 bytes
0040AE9E 0000 add byte ptr ds:[eax],al ; misaligned decode of the call's rel32 bytes
0040AEA0 83C4 34 add esp,0x34
0040AEA3 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]
0040AEA6 81F9 04000080 cmp ecx,0x80000004 ; release the second value only if it is a heap-backed type (text or 0x80000005)
0040AEAC 74 0C je short re3_(1).0040AEBA
0040AEAE 81F9 05000080 cmp ecx,0x80000005
0040AEB4 0F85 10000000 jnz re3_(1).0040AECA
0040AEBA 8B5D DC mov ebx,dword ptr ss:[ebp-0x24]
0040AEBD 85DB test ebx,ebx
0040AEBF 74 09 je short re3_(1).0040AECA
0040AEC1 53 push ebx
0040AEC2 E8 EB000000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040AEC7 83C4 04 add esp,0x4
0040AECA BB 06000000 mov ebx,0x6 ; failure block: target of the jnz at 0040AD49, but the success path above also falls through into it (unless 0040AB6B diverts control, which is not visible here)
0040AECF E8 97FCFFFF call re3_(1).0040AB6B ; helper of unknown purpose
0040AED4 68 01030080 push 0x80000301
0040AED9 6A 00 push 0x0
0040AEDB 68 00000000 push 0x0
0040AEE0 68 04000080 push 0x80000004 ; text type tag
0040AEE5 6A 00 push 0x0
0040AEE7 68 61A14000 push re3_(1).0040A161 ; "vip开通失败,请检查卡号和卡密是否正确!" ("VIP activation failed, please check the card number and password!")
0040AEEC 68 04000000 push 0x4
0040AEF1 BB 00030000 mov ebx,0x300 ; message-box call shape (presumably)
0040AEF6 EB 01 jmp short re3_(1).0040AEF9 ; lands on E8 BA 00 00 00 at 0040AEF9 = call 0040AFB8, then 83 C4 34 = add esp,0x34, then 8B 5D FC = mov ebx,[ebp-0x4]
0040AEF8 0FE8BA 00000083 psubsb mm7,qword ptr ds:[edx-0x7D000000] ; misaligned decode (0F is the junk byte); never executed
0040AEFF c4348b les esi,fword ptr ds:[ecx*4+ebx] ; misaligned decode; never executed
0040AF02 5D pop ebp ; misaligned decode; never executed (5D FC are the ModRM/disp of mov ebx,[ebp-0x4])
0040AF03 FC cld ; misaligned decode; never executed
0040AF04 85DB test ebx,ebx ; epilogue: release the four string locals, ebx = card number here
0040AF06 74 09 je short re3_(1).0040AF11
0040AF08 53 push ebx
0040AF09 E8 A4000000 call re3_(1).0040AFB2 ; release string (see note at 0040ABC1)
0040AF0E 83C4 04 add esp,0x4
0040AF11 8B5D F8 mov ebx,dword ptr ss:[ebp-0x8] ; card password
0040AF14 85DB test ebx,ebx
0040AF16 74 09 je short re3_(1).0040AF21
0040AF18 53 push ebx
0040AF19 E8 94000000 call re3_(1).0040AFB2
0040AF1E 83C4 04 add esp,0x4
0040AF21 8B5D F4 mov ebx,dword ptr ss:[ebp-0xC] ; account
0040AF24 85DB test ebx,ebx
0040AF26 74 09 je short re3_(1).0040AF31
0040AF28 53 push ebx
0040AF29 E8 84000000 call re3_(1).0040AFB2
0040AF2E 83C4 04 add esp,0x4
0040AF31 8B5D F0 mov ebx,dword ptr ss:[ebp-0x10] ; reply value
0040AF34 85DB test ebx,ebx
0040AF36 74 09 je short re3_(1).0040AF41
0040AF38 53 push ebx
0040AF39 E8 74000000 call re3_(1).0040AFB2
0040AF3E 83C4 04 add esp,0x4
0040AF41 8BE5 mov esp,ebp ; tear down the frame
0040AF43 5D pop ebp
0040AF44 C3 retn
程序向 https://ctfer.com/vip.php 发起一次网页请求, 验证成功返回 true, 失败返回 false; 下面还有二次验证, 所以不能只改这一处指令, 但可以更改网页请求返回的数据(判断完全取决于客户端收到的返回值)
getflag
flag{ctfshow_1024_re_3_flag_here}
然后是 二次验证, 懒得动,
misc _ 签到
给的提示
地图,各个路口的编号,flag遗落在其中了,flag路口的编号是连续的
- flag字符串 是不连续, 或者说是不完整的
- flag路口的编号是连续的
- 第一个数字是前一个路口, 第二个数字是下一个路口, 第三个数字没有研究出来
- 提示了 出题人的id : 9u4ck
那么直接找就行了(看运气), 这里推荐 sublime, 它处理文本的速度很快, 特别是查找
56520 78210 35498184 9u4fl
78210 81068 79650456 ag{We
81068 86056 65454545 lcom
86056 89556 16548421 _102
89556 91205 26568154 4_Cha
91205 94156 566512548 lleng
94156 96825 15487856 _9u4
96825 98155 156565645 ck}56
一个小技巧, 搜索的时候, 后一个数的最后带上空格,可以过滤很多东西
getflag
flag{Welcom_1024_Challeng_9u4ck}
re_ 抽象语言
先手工还原 python 字节码, 然后再手算二进制, 最后一个字符一个字符地算, 我做了大约三个小时吧,
做题记录在家里, 忘记保存了,就很难受. 这边就不演示了
#coding = utf-8
# Reconstruction of the challenge's decompiled bytecode (author: "roughly like this").
# Indentation was lost in the paste; the block structure below is the most
# plausible reading and should be checked against the original bytecode.
import base64
k = 0  # exponent counter: the candidate mask is z(k) = 2**k - 1
c = b'巴拉巴拉那一堆 字节数组, base64编码后的'  # placeholder for the base64 blob; a bytes literal with non-ASCII text is a SyntaxError in Python 3, substitute the real data
i = 0  # index of the next ciphertext element to decode
def x(n: int) -> bool:
    """Predicate on the candidate mask n.

    The author's note says it checks whether k**2-1 satisfies some condition,
    although z() below computes 2**n-1; the real test is not shown and is
    stubbed to False here.  The exponent list given later in the writeup is
    close to the Mersenne-prime exponents -- TODO confirm whether x() is a
    primality test.
    """
    return False
c = base64.b64decode(c).split(',')  # NOTE(review): on Python 3 bytes.split() needs b','; int(b'123') itself is fine
z = lambda n : 2**n-1  # n-bit all-ones mask for exponent n
while len(c) > i:
    out = ''  # NOTE(review): resetting out every iteration keeps only the last char; it probably belongs before the loop
    if x(z(k)):
        out += chr(int(c[i]) ^ z(k))  # plaintext char = ciphertext ^ (2**k - 1); per the author, c[i] shares its high bits with the mask
        i += 1  # one ciphertext element consumed per accepted exponent
    k += 1  # always advance to the next exponent
print(out.join(['flag{','}']))  # prints flag{<out>}
差不多这样吧, 其他的最好手算, 这个脚本跑得非常慢, 第八个字符算了好长时间, 后面是有规律的,
大数 xor 大数时前面的位一定相等, 所以直接遍历就行; 还有就是这些次方全都是素数, 就很棒, 最大的一个不是 1w 就是 10w 多
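l = [2,3,7,9,13,17,19,31,61,89]  # exponents the author worked out by hand for the first characters (list kept as given)
#coding = utf-8


def power(n):
    """Return 2**n (named function instead of the original lambda)."""
    return 2 ** n


def find_exponent(target, start=31, stop=10000000, step=2):
    """Return the first exponent i in range(start, stop, step) whose 2**i
    contains the decimal digits ``target``, or None if the range is exhausted.

    ``target`` is meant to be the leading digits of one ciphertext value: the
    value is ch ^ (2**i - 1) and, as the writeup observes, shares its high
    bits with the mask, so the mask's leading digits identify i.  The defaults
    (odd exponents from 31) are the author's original search window; pass a
    smaller start or step=1 when the exponent may be small or even.
    """
    for i in range(start, stop, step):
        # `in` is equivalent to the original str(...).count(target) != 0
        if target in str(power(i)):
            return i
    return None


if __name__ == "__main__":
    # "要匹配的值" is a placeholder: put the leading digits of a ciphertext value here.
    i = find_exponent("要匹配的值")
    if i is not None:
        print("第%d次, 值为:"%i,power(i))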
自动化脚本
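c = ['123123123412312','1231231278461273']  # placeholder ciphertext values (decimal strings); replace with the challenge data
cindex = 6 # index of the first value to search for; the author computed the first six exponents by hand


def find_exponents(values, start_index, begin=61, end=10000000, step=2, digits=4):
    """Search exponents for values[start_index:], in order, and return them.

    For each value, the first exponent i (continuing upward from where the
    previous match was found, as in the original loop) whose str(2**i)
    contains the value's first ``digits`` decimal digits is taken.  The search
    stops once every value has an exponent or the range is exhausted, instead
    of indexing past the end of ``values`` as the original did.
    """
    found = []
    idx = start_index
    for i in range(begin, end, step):
        if idx >= len(values):
            break
        if values[idx][:digits] in str(pow(2, i)):
            found.append(i)
            idx += 1
    return found


def decode(values, exponents):
    """Recover the plaintext: chr((2**e - 1) ^ int(v)) for each (v, e) pair.

    The mask is 2**e - 1, matching z = lambda n: 2**n-1 in the recovered
    bytecode (the original line called pow(l[i]), which raises TypeError).
    Pairs are taken positionally, so ``exponents`` must line up with
    ``values`` from index 0; extra values without an exponent are ignored.
    """
    return ''.join(chr((pow(2, e) - 1) ^ int(v)) for v, e in zip(values, exponents))


if __name__ == "__main__":
    l = []  # TODO: seed with the six hand-computed exponents so l[i] pairs with c[i]
    l += find_exponents(c, cindex)
    flag = decode(c, l)
    print(flag)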