虚拟机题目入门
虚拟机题目入门笔记IDADefines.cpp
12345678910111213141516171819202122232425262728#include <cstdio>//测试 LOBYTE、HIBYTEtypedef unsigned char uint8;typedef unsigned short uint16;typedef unsigned long DWORD_PTR;#define BYTE uint8#define WORD uint16#define DWORD unsigned long#define LOBYTE(w) ((BYTE)(((DWORD_PTR)(w)) & 0xff))#define HIBYTE(w) ((BYTE)((((DWORD_PTR)(w)) >> 8) & 0xff))#define BYTEn(x, n) (*((BYTE*)&(x)+n))#define WORDn(x, n) (*((WORD*)&(x)+ ...
TEA系列加密算法逆向
TEA系列加密算法逆向笔记XXTEA_decrypt.py
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849from ctypes import *def MX(z,y,sum1,k,p,e): return c_uint32(((z.value>>5^y.value<<2)+(y.value>>3^z.value<<4))^((sum1.value^y.value)+(k[(p&3)^e.value]^z.value)))def btea(v,k,n,delta): if n>1: sum1=c_uint32(0) z=c_uint32(v[n-1]) rounds=6+52//n e=c_uint32(0) while rounds>0: sum1.value+=delta e.value=((sum1.value>>2)&3) for p ...
C#逆向常见题型
C#逆向常见题型做题[强网杯 2022]GameMasterDIE查壳为.NET,用dnSpy-x86打开,发现gamemessage被传入memory中。Ctrl+Shift+R查引用,在goldFunc中发现可疑函数。genCode()中为AES-PKCS7加密,发现没什么实质作用。
捋清思路:把gamemessage文件先$\oplus34$再AES-ECB
exp:
12345678910from Crypto.Cipher import AESkey=b'Brainstorming!!!'block_size=16cipher=AES.new(key,AES.MODE_ECB)with open('D://CTF-Workbench//gamemessage','rb') as f: ciphertext=f.read()ciphertext=bytes([byte^34 for byte in ciphertext])plaintext=cipher.decrypt(ciphertext)with open( ...
初识RC4加密逆向
初识RC4加密逆向笔记RC4_decrypt.py
12345678910111213141516171819202122232425import reimport base64def rc4_decrypt(ciphertext,key): S=list(range(256)) j=0 res=[] #初始化S for i in range(256): j=(j+S[i]+key[i%len(key)])%256 S[i],S[j]=S[j],S[i] #解密 i=j=0 for char in ciphertext: i=(i+1)%256 j=(j+S[i])%256 S[i],S[j]=S[j],S[i] res.append(char^S[(S[i]+S[j])%256]) return bytes(res)data='wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOr ...
SMC做题随笔
SMC做题随笔做题[HDCTF 2023]encTEA解密exp:
123456789101112131415#include <cstdio>using namespace std;unsigned int v5,v6;int sum,a2[4]={18,52,86,120};int main(void){ v6=0x60fcdef7, v5=0x236dbec, sum=-0xc3910c8e0; for(register int i=0;i<32;i++) v5-=(a2[3]+(v6>>5))^(sum+v6)^(a2[2]+(v6<<4)), v6-=(a2[1]+(v5>>5))^(sum+v5)^(a2[0]+(v5<<4)), sum+=0x61c88647; printf("%d\n",v6); return 0;};
得smc加密方式为$\oplus3$,由程序可 ...
动态调试初探
动态调试初探做题[MTCTF 2021]Random动态调试
第二个rand()处下断点,rand()的返回值存入EAX,然后取AL进行XOR。F9调试,div处被0除忽略。F9运行到断点,F8步过,得每次rand()即为EAX低8位。
1234567random=[0x58,0xa1,0xCB,0xE9,0xED,0x2C,0xEC,0xFB,0xE9,0xC4,0x16,0x97,0x99,0xb1,0xa4,0xe9,0xc3,0xc6,0x80,0xBF,0x3e,0x44,0x18,0x2e,0x73,0x56,0x52,0xB8,0x5B,0x66,0xED,0xBC,0x8a,0xd8,0x36,0x8f,0xe6,0xd3,0xb1,0x51,0xb9,0x59,0xd3,0x5a]ans=[0x3E, 0xCD, 0xAA, 0x8E, 0x96, 0x1F, 0x89, 0xCD, 0xDB, 0xF1, 0x70, 0xF2, 0xA9, 0x9C, 0xC2, 0x8B, 0xF2, 0xFE, 0xAD, 0x8B, 0x58, 0x7C, 0x2F, 0x0 ...
Linux-C特性逆向题
Linux-C特性逆向题做题[HNCTF 2022 WEEK3]Double双进程
12345678910111213pipe(pipedes);//不同进程间传参,pipedes[0]为出口,pipedes[1]为入口if(fork()){ //后执行 close(pipedes[1]); read(pipedes[0],&buf,1uLL); close(pipedes[0]);}else{ //先执行 close(pipedes[0]); write(pipedes[1],&s[j],1uLL); close(pipedes[1]);};
几分钟整了一个脚本把数据段dump出来:
12345678910111213141516171819202122232425//把定义复制过来,去掉换行,要转成十六进制,没有h的0转不出来,dup要自己删掉自己改#include <cstdio>#include <iostream>#include <stri ...
逆向杂题选做
逆向杂题选做做题[SWPUCTF 2021 新生赛]astJSjson逆向
json可转为js代码
12$ esgenerate *.file>*.jsnode *.js
[NSSCTF 2022 Spring Recruit]easy Pe右键看描述,发现利用BAT2EXE生成。上网搜发现直接改为.7z解压就得.bat,分析程序可知123123。
1234567891011121314@echo offset /p input =please input flag:set input|findstr "\<123123\>"clsif "%errorlevel%" == "0" ( goto 0 ) ELSE (goto 1)exit:0echo good_job!pauseexit:1echo sorry...pauseexit
[GDOUCTF 2023]L!s!BinDiff使用方法:
用ida生成两个文件的.i64分析文件,在BinDiff中New Diff。看函数匹配中有个函数只有0.8的匹配 ...
约束求解与符号执行在逆向中应用
约束求解与符号执行在逆向中应用笔记angrEXP.py
123456789101112import angr,syspath="D:\\CTF-Workbench\\signal.exe"project=angr.Project(path,auto_load_libs=False)initial_state=project.factory.entry_state()simulation=project.factory.simulation_manager(initial_state)simulation.explore(find=0x0040179E,avoid=0x004016E6)if simulation.found: for i in simulation.found: solution_state=i print(solution_state.posix.dumps(0))else: print("no\n")
做题[GDOUCTF 2023]Check_Your_Luck解这个方程组:
$ ...
花指令与脱壳入门
花指令与脱壳入门做题[HNCTF 2022 WEEK2]e@sy_flower花指令
选中红色行号内容,P(编辑->函数->新建函数),可反编译
找到JUMPOUT爆红,编辑->修补程序->单字节更改 第一个字节改为$09$
逆向得flag
咳(NewStarCTF2023)脱壳,简单逆向
12345678910111213#include <cstdio>#include <cstring>using namespace std;char str[]="gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~";int len;int main(void){ len=strlen(str); for(register int i=0;i<len;i++){ str[i]--; printf("%c",str[i]); }; return 0;};
[GF ...