Simple logic

IDA

Key function

exp

In [5]: flag = list(r"GEV\odzchpc03")

In [6]: s = ""
   ...: for i in range(0,len(flag)):
   ...:     if i%3 == 0:
   ...:         s += chr(ord(flag[i])^3)
   ...:     elif i%3 == 1:
   ...:         s += chr((ord(flag[i])^3)-1)
   ...:     elif i%3 == 2:
   ...:         s += chr((ord(flag[i])^3)-2)
   ...: print(s)
   ...:
DES_key_is_10
snake~:./re
Please input your flag:
DES_key_is_10
you got it!
GEV\odzchpc03#

This shows that the encryption is DES and the key is 10.

Check what the ciphertext is

Decrypt

Decryption website

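Real and fake flag

As a math novice, I searched Baidu for how to find the greatest common divisor of polynomials. It said to use successive division (the Euclidean algorithm), but I haven't studied math in a long time.

With help from the auntie next door, I simplified the second expression:
g(x) = x^3 + x^2 + x + 1
= x^2(x+1) + (x+1)
= (x^2 + 1)(x+1)
Since simplifying the first expression is too tedious, the extraction password obtained is (x+1).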
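
The Euclidean algorithm for polynomials mentioned above, as an added example that is not part of the original write-up. G is the g(x) given on this page; F_CONSTRUCTED is a made-up stand-in for the challenge's first polynomial, which the page does not reproduce, and the function names are this example's own.

```python
from fractions import Fraction

def trim(p):
    """Drop leading zero coefficients (coefficients are highest degree first)."""
    p = list(p)
    while len(p) > 1 and p[0] == 0:
        p.pop(0)
    return p

def poly_divmod(a, b):
    """Polynomial long division: return (quotient, remainder) of a / b."""
    a = [Fraction(c) for c in trim(a)]
    b = [Fraction(c) for c in trim(b)]
    if b == [0]:
        raise ZeroDivisionError("division by the zero polynomial")
    quotient = []
    while len(a) >= len(b):
        factor = a[0] / b[0]           # cancels the current leading term
        quotient.append(factor)
        for i in range(len(b)):
            a[i] -= factor * b[i]
        a.pop(0)                       # leading coefficient is now zero
    return quotient or [Fraction(0)], trim(a or [Fraction(0)])

def poly_gcd(a, b):
    """Euclidean algorithm: replace (a, b) by (b, a mod b) until b is zero."""
    a, b = trim(a), trim(b)
    while b != [0]:
        _, remainder = poly_divmod(a, b)
        a, b = b, remainder
    if a == [0]:
        return a
    lead = Fraction(a[0])
    return [Fraction(c) / lead for c in a]   # normalise to a monic polynomial

# g(x) = x^3 + x^2 + x + 1, the second polynomial from the write-up
G = [1, 1, 1, 1]
# Constructed stand-in for the first polynomial: (x + 1)(x^2 + x + 2)
F_CONSTRUCTED = [1, 2, 3, 2]

if __name__ == "__main__":
    print(poly_divmod(G, [1, 1]))      # g(x) divided by (x + 1)
    print(poly_gcd(F_CONSTRUCTED, G))  # coefficients of the common factor
```

Coefficients are exact fractions, so the remainders in each division step are not affected by floating-point rounding.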

IDA

exp

# Encoded strings from the challenge
flag = list("lfkmq:b+C~neoyd-~yoog~eho~boxcmb~kdy}oxw")
two = list("y0y/|hka~ko??ajtoi")
# First string: XOR every byte with 0xA
for i in range(len(flag)):
    flag[i] = chr(ord(flag[i]) ^ 0xA)
# Second string: XOR every byte with 7, then subtract 7
for i in range(len(two)):
    two[i] = chr((ord(two[i]) ^ 7) - 7)

print(''.join(flag))
print(''.join(two))

Electroacoustic

UPX unpacking

☁  jactf  upx -d run
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95        Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    913048 <-    402252   44.06%   linux/amd64   run

Unpacked 1 file.

Analysis

The important parts are the four annotated functions; construct the inputs according to these functions.

exp

snake~:./run
1th input:aaaa
2th input:43806
3th input:978
4th input:we11d0ne!
Get your key:faded

source

☁  jactf  file source
source: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

dnSpy

Locate the main function

Main flow: the input string is encrypted and then compared with key2.

exp

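key1 = list("flag{Thi3_i3+A_wrong+str}")
key2 = [24,90,51,23,66,172,49,34,246,240,25,27,224,88,253,50,254,10,7,31,84,5,12,38,15,16,79,117,238]
seed = 7
flag = ""
for i in range(len(key2)):
    # Brute-force the input byte j that encrypts to key2[i]
    for j in range(256):
        # + binds tighter than ^, so this is (j + seed) ^ key1[seed]
        if key2[i] == ((j + seed) ^ ord(key1[seed])) & 0xff:
            seed = (seed + 1) % 25  # advance the index into key1 (25 characters)
            flag += chr(0x7f & j)
            break
print(flag)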

reversing

ida

Patch the key jump as shown in the screenshots:
[screenshots: the patched jump]
Dynamic debugging then yields the flag.

disk

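Approach

There are two images in total. Looking at the file contents, it is clear that the second image is the one to analyze.

The comment field in the file's details contains JavaScript written in kaomoji (emoticons); run it directly in the browser.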

Summary

A tomorrow without goals is a day full of energy.




Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 3.0. Please credit the source when reposting!