Introduction to Junk Code and Unpacking

Challenges

[HNCTF 2022 WEEK2]e@sy_flower

Junk code

Select the lines shown with red line numbers and press P (Edit -> Functions -> Create function); the function can then be decompiled.

Find the JUMPOUT highlighted in red, then use Edit -> Patch program -> Change byte and change the first byte to 09.

Reverse the logic to get the flag.

咳 (NewStarCTF 2023)

Unpack it, then some simple reversing.

```cpp
#include <cstdio>
#include <cstring>

// Each character of the flag was incremented by one; undo it in place
char str[] = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~";

int main(void) {
    int len = strlen(str);
    for (int i = 0; i < len; i++) {
        str[i]--;
        printf("%c", str[i]);
    }
    putchar('\n');
    return 0;
}
```

[GFCTF 2021]wordy

Junk code

There are moments in life when you miss someone so much that you just want to pick them from your dreams and hug them for real! Dream what you want to dream;go where you want to go;be what you want to be,because you have only one life and one chance to do all the things you want to do.
May you have enough happiness to make you sweet,enough trials to make you strong,enough sorrow to keep you human,enough hope to make you happy? Always put yourself in others’shoes.If you feel that it hurts you,it probably hurts the other person, too.

Junk code found; exp:

```python
from idc import get_wide_byte, patch_byte

# Every `EB FF` (jmp $+1, a short jump into its own second byte) in the code
# range gets its EB byte replaced by NOP so IDA can disassemble straight through
for ea in range(0x1135, 0x3100):
    if get_wide_byte(ea) == 0xEB and get_wide_byte(ea + 1) == 0xFF:
        patch_byte(ea, 0x90)
```

The disassembly still showed no flag: it turned out the jz branch had been taken... Patch it to 0x90 as well to get the flag.
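The two junk-code shapes patched above (the jz/jnz pair with a shared target from e@sy_flower, and the `EB FF` jump-into-itself from wordy) can be recognised and NOPed outside IDA as well. The following is an added example, not code from the original write-up: it scans a bytes copy of a code region, reports the never-executed bytes, and overwrites them with 0x90. The x86 sample bytes, the `lo`/`hi` range (standing in for the `range(0x1135, 0x3100)` of the IDA script) and the function names are all constructed for illustration.

```python
# Added example, not from the original post: an offline cleaner for the two
# junk-code shapes described in the write-ups. It works on a bytes copy of a
# code region, so it needs no IDA; sample bytes and offsets are constructed.

NOP = 0x90

def rel8(b):
    """Interpret one byte as a signed 8-bit jump displacement."""
    return b - 256 if b >= 128 else b

def find_junk(code, lo=0, hi=None):
    """Return (offset, length, kind) spans of bytes that are never executed.

    "jz/jnz": a `jz rel8` immediately followed by `jnz rel8` with the same
      target. One of the two always fires, so whatever sits between the end
      of the jnz and the shared target is dead; a linear-sweep disassembler
      still decodes it (typically an E8 read as a bogus `call`).
    "jmp $+1": `EB FF`, a short jump into its own second byte. The EB byte is
      dead and the FF byte begins the real instruction.
    """
    hi = len(code) if hi is None else hi
    spans = []
    i = lo
    while i < hi:
        if i + 4 <= hi and code[i] == 0x74 and code[i + 2] == 0x75:
            t_jz = i + 2 + rel8(code[i + 1])
            t_jnz = i + 4 + rel8(code[i + 3])
            if t_jz == t_jnz and i + 4 < t_jz <= hi:
                spans.append((i + 4, t_jz - (i + 4), "jz/jnz"))
                i = t_jz
                continue
        if i + 2 <= hi and code[i] == 0xEB and code[i + 1] == 0xFF:
            spans.append((i, 1, "jmp $+1"))
            i += 1
            continue
        i += 1
    return spans

def patch_junk(code, lo=0, hi=None):
    """Return (patched_bytes, spans) with every dead byte replaced by NOP."""
    buf = bytearray(code)
    spans = find_junk(code, lo, hi)
    for off, length, _ in spans:
        buf[off:off + length] = bytes([NOP]) * length
    return bytes(buf), spans

# Constructed 32-bit x86 sample; offsets in the comments
SAMPLE = bytes([
    0x55,              # 0:  push ebp
    0x74, 0x03,        # 1:  jz  +3  -> 6
    0x75, 0x01,        # 3:  jnz +1  -> 6
    0xE8,              # 5:  dead byte, decoded as `call` by a linear sweep
    0x8B, 0xEC,        # 6:  mov ebp, esp   (shared target)
    0xEB, 0xFF,        # 8:  jmp $+1 -> 9
    0xC0,              # 10: together with the FF above: FF C0 = inc eax
    0x48,              # 11: dec eax
    0xC3,              # 12: ret
])

if __name__ == "__main__":
    patched, spans = patch_junk(SAMPLE)
    for off, length, kind in spans:
        print(f"{kind:8s} at {off:#04x}: {length} byte(s) -> NOP")
    print(patched.hex(" "))
```

Restricting the scan with `lo`/`hi` matters for the same reason the IDA script hard-codes an address range: `74 xx 75 xx` and `EB FF` also occur as ordinary data or as real instruction pairs, so a whole-file sweep will produce false positives.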

[HZNUCTF 2023 final]虽然他送了我玫瑰花

Junk code + custom encryption

```python
enc = [0x7F, 0x7E, 0x51, 0xCE, 0xFB, 0x4E, 0x7A, 0x24, 0xE8, 0xDF, 0x59, 0x71, 0x26, 0xCA, 0xE1,
       0x6C, 0x86, 0x21, 0xcc, 0xf5, 0x28, 0x71, 0x14, 0xd8, 0xef, 0x6e, 0x77, 0x62, 0xFA]
org = [0] * len(enc)

# Each byte went through one of five operations chosen by its index mod 5;
# apply the inverse of each
def decry(opt, v):
    if opt == 0:
        return v ^ 0x19
    if opt == 1:
        return v - 0x12
    if opt == 2:
        return v + 0x10
    if opt == 3:
        return v // 2
    # (v ^ ~v) & 0x80 is always 0x80, so this just flips the top bit
    return v ^ (v ^ ~v) & 0x80

for i in range(len(enc)):
    org[i] = decry(i % 5, enc[i])
for i in range(len(org)):
    print(chr(org[i] & 0x7f), end='')
print()
```

[MoeCTF 2022]Art

UPX unpacking, then a DFS brute force; exp:

```cpp
#include <cstdio>

int enc[28] = {0x02, 0x18, 0x0F, 0xF8, 0x19, 0x04, 0x27, 0xD8, 0xEB, 0x00, 0x35, 0x48, 0x4D, 0x2A,
               0x45, 0x6B, 0x59, 0x2E, 0x43, 0x01, 0x18, 0x5C, 0x09, 0x09, 0x09, 0x09, 0xB5, 0x7D};
int rec[28];

// enc[k] depends on the plaintext byte at k and at k+1, so fix the last byte
// and search backwards, trying every printable character at each position
void dfs(int k) {
    if (k < 0) {
        for (int i = 0; i <= 27; i++)
            printf("%c", rec[i]);
        putchar('\n');
        return;
    }
    for (int c = 32; c < 128; c++) {
        if (((c % 0x11 + rec[k + 1]) ^ 0x19 ^ c) == enc[k]) {
            rec[k] = c;
            dfs(k - 1);
        }
    }
}

int main(void) {
    rec[27] = enc[27];
    dfs(26);
    return 0;
}
```

[GKCTF 2021]QQQQT

A Qt program written in C++. A packer check shows Enigma Virtual Box virtualization; unpack it with EnigmaVBUnpacker.

Dropping it into IDA is messy, so start from the strings: a Base58 table and the ciphertext turn up, and decoding gives the flag.
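Decoding against a table pulled out of the binary is the step that does the work here. The code below is an added example, not from the original write-up: a Base58 decoder (and encoder, for checking a recovered table) that takes the alphabet as a parameter, plus a small filter for spotting alphabet-shaped strings. The Bitcoin alphabet is used only as a stand-in for the table found in QQQQT, and the sample input is constructed.

```python
# Added example, not from the original post: Base58 with a custom alphabet.
# The alphabet below is the standard Bitcoin one and stands in for the table
# recovered from the binary; the inputs are constructed.

BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s, alphabet=BTC_ALPHABET):
    """Decode Base58 text to bytes; each leading alphabet[0] becomes a 0x00 byte."""
    if len(set(alphabet)) != 58:
        raise ValueError("alphabet must hold 58 distinct characters")
    index = {c: i for i, c in enumerate(alphabet)}
    num = 0
    for c in s:
        if c not in index:
            raise ValueError(f"character {c!r} not in alphabet")
        num = num * 58 + index[c]
    body = num.to_bytes((num.bit_length() + 7) // 8, "big") if num else b""
    pad = len(s) - len(s.lstrip(alphabet[0]))
    return b"\x00" * pad + body

def b58encode(data, alphabet=BTC_ALPHABET):
    """Inverse of b58decode; useful to confirm a table recovered from a binary."""
    pad = len(data) - len(data.lstrip(b"\x00"))
    num = int.from_bytes(data, "big")
    out = ""
    while num:
        num, r = divmod(num, 58)
        out = alphabet[r] + out
    return alphabet[0] * pad + out

def looks_like_b58_table(s):
    """Heuristic for string listings: 58 distinct printable characters and
    none of the four characters Base58 leaves out (0, O, I, l)."""
    return (len(s) == 58 and len(set(s)) == 58 and s.isprintable()
            and not set("0OIl") & set(s))

if __name__ == "__main__":
    table = BTC_ALPHABET                      # in the challenge: the table from the strings
    cipher = b58encode(b"flag{constructed_sample}", table)   # stands in for the ciphertext
    print(looks_like_b58_table(table), cipher, b58decode(cipher, table))
```

If the table in the binary is a permutation of the standard one, only the `alphabet` argument changes; the leading-zero handling follows whichever character sits at index 0.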

[HZNUCTF 2023 final]signin

Manually restore the UPX signatures: first the sections UPX0 and UPX1; after a run of zeros comes the 5-byte version number, followed by the 4-byte UPX tag, which is changed back to 'UPX!'.
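The same repair can be scripted, which also makes the layout described above explicit. The following is an added example and not code from the write-up: it parses the PE section table to confirm UPX0/UPX1 are present, looks past the end of the table for the version string, and rewrites the four bytes after it to `UPX!`. The minimal PE stub it builds is constructed for the demonstration (empty optional header, made-up version "3.96", tampered tag "XXXX"), and the assumption that the 5-byte version has the shape digit, dot, two digits, NUL is mine, not something the write-up states.

```python
# Added example, not from the original post: locate and restore a tampered
# UPX tag in a PE file following the layout described in the signin note
# (section table with UPX0/UPX1, zeros, 5-byte version string, 4-byte tag).
# The PE stub is constructed; the version-string shape is an assumption.
import re
import struct

UPX_TAG = b"UPX!"
VERSION_RE = re.compile(rb"\d\.\d\d\x00")   # e.g. "3.96\0" (assumed shape)

def section_names(pe):
    """Parse the PE section table; return (names, file offset just past the table)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for k in range(nsec):
        raw = pe[table + 40 * k: table + 40 * k + 8]            # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names, table + 40 * nsec

def find_upx_tag(pe):
    """Offset of the 4-byte tag after the version string that follows the
    section table, or None if the UPX layout is not present."""
    names, table_end = section_names(pe)
    if not {"UPX0", "UPX1"} <= set(names):
        return None
    m = VERSION_RE.search(pe, table_end)
    return m.end() if m else None

def restore_upx_tag(pe):
    """Return (patched_pe, tag_offset, old_tag); a no-op if the tag is intact."""
    off = find_upx_tag(pe)
    if off is None:
        raise ValueError("UPX layout not found")
    old = bytes(pe[off:off + 4])
    buf = bytearray(pe)
    buf[off:off + 4] = UPX_TAG
    return bytes(buf), off, old

def build_stub(tag=b"XXXX", version=b"3.96\x00"):
    """Constructed minimal PE: MZ header, PE signature, COFF header with an
    empty optional header, three section headers, zero padding, version, tag."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0x0102)
    secs = b"".join(n.ljust(8, b"\x00") + bytes(32) for n in (b"UPX0", b"UPX1", b".rsrc"))
    return bytes(dos) + b"PE\x00\x00" + coff + secs + bytes(16) + version + tag + bytes(28)

if __name__ == "__main__":
    stub = build_stub()
    fixed, off, old = restore_upx_tag(stub)
    print(section_names(stub)[0], f"tag at {off:#x}: {old!r} -> {fixed[off:off+4]!r}")
```

On a real sample the optional header is non-empty; the parser reads SizeOfOptionalHeader rather than assuming a size, so the same code finds the section table there.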

Standard RC4 decryption.

```
Input:42FD5561B9276FF5B68623A9EF1C049FD41687D65468BC02156D30084B614C5E
From_Hex('Auto')
RC4({'option':'UTF8','string':'justfortest'},'Latin1','Latin1')
```
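The same decryption written out, so the key schedule and keystream the recipe hides are visible. This is an added example, not code from the write-up: the key `justfortest` and the hex ciphertext are the ones in the recipe above; the self-check uses the published RC4 test vector (key "Key", plaintext "Plaintext" gives bbf316e8d940af0ad3).

```python
# Added example, not from the original post: RC4 (KSA + PRGA) applied to the
# signin ciphertext, decoded as Latin-1 the way the CyberChef recipe does.

def rc4(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    # Key-scheduling algorithm: permute S under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: keystream XORed over the data
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

CIPHERTEXT_HEX = "42FD5561B9276FF5B68623A9EF1C049FD41687D65468BC02156D30084B614C5E"
KEY = b"justfortest"

def decrypt_signin():
    """Decrypt the challenge ciphertext with the recipe's key."""
    return rc4(KEY, bytes.fromhex(CIPHERTEXT_HEX)).decode("latin-1")

if __name__ == "__main__":
    # Published test vector, to make sure the primitive is right before trusting output
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(decrypt_signin())
```

Checking the primitive against a known vector first is worth the two lines: a wrong swap or a missing `& 0xFF` produces plausible-looking garbage rather than an error.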

[SWPUCTF 2023 Autumn Freshman Contest]Junk Code

A pile of junk code; fixing it all is a real pain.

```python
s = 'NRQ@PC}Vdn4tHV4Yi9cd#\\}jsXz3LMuaaY0}nj]`4a5&WoB4glB7~u'
# Each character was XORed with its index mod 9
for i in range(len(s)):
    print(chr(ord(s[i]) ^ (i % 9)), end='')
print()
```

[MoeCTF 2021]clothes

ASPack packer; just strip it with Aspack Stripper.

```python
enc = [0x73, 0x45, 0x2B, 0x47, 0x57, 0x69, 0x53, 0x0D, 0x44, 0x4C, 0x2E, 0x2F, 0x05, 0x6A, 0x13,
       0x4D, 0x57, 0x31, 0x4B, 0x22, 0x58, 0x06, 0x49, 0x71, 0x4C, 0x6A, 0x32, 0x64, 0x18, 0x45]
key = [0x1E, 0x2A, 0x4E, 0x24, 0x23, 0x0F, 0x28, 0x39, 0x71, 0x3C, 0x4F, 0x4C, 0x6E, 0x35, 0x22,
       0x3E, 0x08, 0x02, 0x31, 0x7D, 0x2C, 0x36, 0x16, 0x04, 0x22, 0x1A, 0x53, 0x07, 0x73, 0x38]
# Byte-by-byte XOR with a fixed key of the same length
for i in range(len(enc)):
    print(chr(enc[i] ^ key[i]), end='')
print()
```