First Steps in Dynamic Debugging
Problems: [MTCTF 2021]Random (dynamic debugging)
Set a breakpoint at the second rand() call. rand() returns its value in EAX, and the program then XORs with AL, so only the low 8 bits are used. Press F9; when the div raises a divide-by-zero exception, ignore it (pass it on to the program). F9 runs to the breakpoint and F8 steps over the call, and each rand() value the program actually uses is just the low byte of EAX (rand() & 0xFF). The rand() bytes recorded that way (random) and the target bytes (ans):

```python
random = [0x58, 0xa1, 0xCB, 0xE9, 0xED, 0x2C, 0xEC, 0xFB, 0xE9, 0xC4, 0x16, 0x97, 0x99, 0xb1, 0xa4, 0xe9, 0xc3, 0xc6, 0x80, 0xBF, 0x3e, 0x44, 0x18, 0x2e, 0x73, 0x56, 0x52, 0xB8, 0x5B, 0x66, 0xED, 0xBC, 0x8a, 0xd8, 0x36, 0x8f, 0xe6, 0xd3, 0xb1, 0x51, 0xb9, 0x59, 0xd3, 0x5a]
ans = [0x3E, 0xCD, 0xAA, 0x8E, 0x96, 0x1F, 0x89, 0xCD, 0xDB, 0xF1, 0x70, 0xF2, 0xA9, 0x9C, 0xC2, 0x8B, 0xF2, 0xFE, 0xAD, 0x8B, 0x58, 0x7C, 0x2F, 0x0 ...
```
Linux C Feature Reversing Problems
Problems: [HNCTF 2022 WEEK3]Double (two processes)

```c
pipe(pipedes);                       // pass data between processes: pipedes[0] is the read end, pipedes[1] the write end
if (fork()) {                        // parent
    close(pipedes[1]);
    read(pipedes[0], &buf, 1uLL);    // blocks until the child has written one byte
    close(pipedes[0]);
} else {                             // child
    close(pipedes[0]);
    write(pipedes[1], &s[j], 1uLL);  // hands one byte of s to the parent
    close(pipedes[1]);
};
```

The original comments labelled the child "runs first" and the parent "runs later". Which process is scheduled first after fork() is not guaranteed, but it does not matter here: the parent's read() blocks until the child's byte arrives, so the parent always sees exactly the byte the child wrote.
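The same loop written out as a runnable Python model, added here as an illustration (this is not the challenge's code). Each iteration creates a pipe, forks, lets the child write one byte and has the parent read it back; `transform` is a placeholder for whatever the child does to the byte, which the page does not show.

```python
import os

def relay_through_pipes(s: bytes, transform=lambda b: b) -> bytes:
    """For every byte of s: pipe(), fork(), child writes the (transformed) byte,
    parent reads it. Mirrors the challenge's loop; `transform` is a stand-in."""
    out = bytearray()
    for j in range(len(s)):
        rd, wr = os.pipe()             # pipedes[0] = read end, pipedes[1] = write end
        pid = os.fork()
        if pid == 0:                   # child: the else-branch of if (fork())
            os.close(rd)
            os.write(wr, bytes([transform(s[j]) & 0xFF]))
            os.close(wr)
            os._exit(0)                # never return into the parent's loop
        os.close(wr)                   # parent: drop its own copy of the write end
        buf = os.read(rd, 1)           # blocks until the child's byte arrives, whatever the scheduling order
        os.close(rd)
        os.waitpid(pid, 0)             # reap the child before the next iteration
        out += buf
    return bytes(out)

if __name__ == "__main__":
    print(relay_through_pipes(b"abc", lambda b: b ^ 0x20))   # b'ABC'
```

When reversing such a binary, the byte the parent compares against is therefore produced entirely inside the child's branch; that branch is where the transformation to invert lives.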
Spent a few minutes on a script to dump the data segment:

```cpp
// Paste the IDA definitions in and strip the newlines. Values have to be converted as hexadecimal;
// a bare 0 without the h suffix does not convert, and dup(...) has to be expanded by hand.
#include <cstdio>
#include <iostream>
#include <stri ...
```
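The two pain points the comment names, the h-suffixed hex with bare decimal zeros mixed in and the dup(...) repeats, are exactly what a small parser of IDA's data listing handles. The following is an added example, not the page's script; the listing it parses is constructed, in the shape IDA prints for db/dw/dd/dq lines.

```python
import re

SIZES = {"db": 1, "dw": 2, "dd": 4, "dq": 8}
DIRECTIVE_RE = re.compile(r"\b(db|dw|dd|dq)\b\s+(.+)", re.IGNORECASE)
DUP_RE = re.compile(r"^(\S+)\s+dup\s*\((.*)\)$", re.IGNORECASE)

def parse_number(tok: str) -> int:
    tok = tok.strip()
    if tok == "?":                  # uninitialised data in IDA; treat as zero
        return 0
    if tok[-1] in "hH":             # IDA hex: 41h, 0FFh (leading 0 when the first digit is A-F)
        return int(tok[:-1], 16)
    if tok.lower().startswith("0x"):
        return int(tok, 16)
    return int(tok, 10)             # a bare 0 or any other decimal value

def split_operands(s: str):
    """Split on commas that are not inside quotes or inside dup( ... )."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in s:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def operand_bytes(op: str, size: int) -> bytes:
    m = DUP_RE.match(op)
    if m:                           # N dup(x[, y ...]): the inner operands repeated N times
        inner = b"".join(operand_bytes(o, size) for o in split_operands(m.group(2)))
        return inner * parse_number(m.group(1))
    if op[0] in "'\"":              # 'text' literal: one byte per character
        return op[1:-1].encode("latin-1")
    return parse_number(op).to_bytes(size, "little")

def dump_ida_data(listing: str) -> bytes:
    """Turn an IDA data listing (as copied from the disassembly view) into raw bytes."""
    out = bytearray()
    for line in listing.splitlines():
        line = line.split(";", 1)[0]           # drop IDA's trailing comment
        m = DIRECTIVE_RE.search(line)
        if not m:
            continue                            # blank lines, labels without data, etc.
        size = SIZES[m.group(1).lower()]
        for op in split_operands(m.group(2)):
            out += operand_bytes(op, size)
    return bytes(out)

# Constructed sample listing in IDA's format (addresses and labels are made up).
SAMPLE = """\
.data:00404000 unk_404000      db  41h                 ; A
.data:00404001                 db    0
.data:00404002                 db    3 dup(0FFh)
.data:00404005 word_404005     dw 1234h
.data:00404007 aHi             db 'Hi',0Ah,0
"""

if __name__ == "__main__":
    print(dump_ida_data(SAMPLE).hex())   # 4100ffffff341248690a00
```

Multi-byte directives are emitted little-endian, which is what the x86 binary holds; `offset label` operands are deliberately not handled, since they need the image base to resolve.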
Selected Miscellaneous Reversing Problems
Problems: [SWPUCTF 2021 新生赛]astJS (JSON reversing)
The JSON is an AST and can be turned back into JavaScript source with esgenerate (shipped with escodegen), then run:

```sh
$ esgenerate *.file > *.js
$ node *.js
```
[NSSCTF 2022 Spring Recruit]easy Pe: right-click and view the file description, which shows it was generated with BAT2EXE. A quick search shows that renaming it to .7z and extracting yields the .bat; reading the script shows the expected input is 123123.

```batch
@echo off
set /p input =please input flag:
set input|findstr "\<123123\>"
cls
if "%errorlevel%" == "0" ( goto 0 ) ELSE (goto 1)
exit
:0
echo good_job!
pause
exit
:1
echo sorry...
pause
exit
```
[GDOUCTF 2023]L!s! (how to use BinDiff):
Generate an .i64 analysis database for each of the two files with IDA, then choose New Diff in BinDiff. In the function matching list one function has a similarity of only 0.8 ...
Constraint Solving and Symbolic Execution in Reversing
Notes: angr, EXP.py

```python
import angr

path = "D:\\CTF-Workbench\\signal.exe"
project = angr.Project(path, auto_load_libs=False)      # do not load system libraries into the analysis
initial_state = project.factory.entry_state()            # start symbolic execution at the entry point
simulation = project.factory.simulation_manager(initial_state)
# find: address of the "success" block; avoid: address of the "failure" block
simulation.explore(find=0x0040179E, avoid=0x004016E6)
if simulation.found:
    for i in simulation.found:
        solution_state = i
        print(solution_state.posix.dumps(0))             # the stdin that reaches the find address
else:
    print("no\n")
```
Problems: [GDOUCTF 2023]Check_Your_Luck. Solve this system of equations:
$ ...
Junk Code and Unpacking Basics
Problems: [HNCTF 2022 WEEK2]e@sy_flower (junk instructions)
Select the red lines (code IDA could not analyse) and press P (Edit -> Functions -> Create function) so the function can be decompiled.
Find the JUMPOUT that shows up in red: Edit -> Patch program -> Change byte, and change the first byte to 90 (NOP) so the junk byte no longer swallows the instruction that follows it. Apply patches to input file if you want the fix written back to the binary.
Reverse the rest to get the flag.
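The single-byte patch above can be scripted when a binary contains many copies of the same junk. The example below is added here and is not from the page; it scans for the classic opaque-predicate junk `jz $+5 / jnz $+5 / E8` (and the jnz/jz variant), in which both conditional jumps land on the byte after E8, so E8 is never executed but makes a linear-sweep disassembler consume the next four bytes as a call target. Which exact pattern e@sy_flower uses is not stated on the page; the sample bytes are constructed.

```python
JUNK_PATTERNS = (
    bytes([0x74, 0x03, 0x75, 0x01, 0xE8]),   # jz  +3 ; jnz +1 ; E8  -> both jumps target the byte after E8
    bytes([0x75, 0x03, 0x74, 0x01, 0xE8]),   # jnz +3 ; jz  +1 ; E8  (same trick, opposite order)
)

def patch_junk(code: bytes):
    """Replace the never-executed E8 of each junk sequence with NOP (0x90).
    Returns the patched bytes and the offsets that were changed."""
    buf = bytearray(code)
    offsets = []
    for pat in JUNK_PATTERNS:
        i = buf.find(pat)
        while i != -1:
            buf[i + 4] = 0x90              # the jz/jnz pair is harmless and can stay
            offsets.append(i + 4)
            i = buf.find(pat, i + len(pat))
    return bytes(buf), sorted(offsets)

def patch_file(path: str, offset: int, new_bytes: bytes) -> None:
    """Write a patch at a file offset (what IDA's 'Apply patches to input file' does)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(new_bytes)

if __name__ == "__main__":
    # constructed: push ebp; mov ebp,esp; <junk>; xor eax,eax; <junk>; pop ebp; ret
    sample = bytes.fromhex("55 8b ec 74 03 75 01 e8 33 c0 75 03 74 01 e8 5d c3")
    patched, where = patch_junk(sample)
    print(where, patched.hex())           # [7, 14] 558bec74037501 90 33c075037401 90 5dc3
```

Offsets returned here are offsets into the buffer you passed in; when patching a PE on disk, convert the RVA you see in IDA to a file offset (or simply patch inside IDA and apply the patches) before calling `patch_file`.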
咳 (NewStarCTF 2023): unpacking, simple reversing. Every byte of the stored string is the flag byte plus one, so shifting each back by one recovers the flag:

```c
#include <cstdio>
#include <cstring>
using namespace std;

char str[] = "gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~";
int len;

int main(void) {
    len = strlen(str);
    for (int i = 0; i < len; i++) {
        str[i]--;              // undo the +1 applied to each character
        printf("%c", str[i]);
    }
    return 0;
}
```
[GF ...
Maze and Sudoku Reversing Problems Summary
Notes: 3DMaze, Running.py

```python
from queue import Queue

# Move set: (row delta, column delta) and the key that produces the move.
# The key letters are an assumption for this listing; adjust them to the challenge's mapping.
MOVES = [((-1, 0), "w"), ((1, 0), "s"), ((0, -1), "a"), ((0, 1), "d")]

def bfs(map, start, end):
    # 1. Initialise the queue with the start cell and an empty path
    q = Queue()
    q.put((start, ""))
    visited = {start}
    # 2. Search
    while not q.empty():
        cur, path = q.get()
        # 3. Reached the exit?
        if cur == end:
            return path
        # 4. Skip cells that are out of bounds or walls (1)
        if cur[0] < 0 or cur[0] >= len(map) or cur[1] < 0 or cur[1] >= len(map[0]) or map[cur[0]][cur[1]] == 1:
            continue
        # 5. Enqueue neighbours not seen before; BFS order guarantees the first path found is shortest
        for (dr, dc), key in MOVES:
            nxt = (cur[0] + dr, cur[1] + dc)
            if nxt not in visited:
                visited.add(nxt)
                q.put((nxt, path + key))
    return None
```
First Steps in Android Security
Problems: [SWPUCTF 2021 新生赛]easyapp (app reversing, jadx, Java reflection)
Drop the APK into jadx and find MainActivity; the key is changed to 987654321 through Java reflection.
The % 256 also had to be guessed. Since XOR works bit by bit, (c ^ 987654321) % 256 is the same as (c & 0xFF) ^ 0xB1, the low byte of the character XORed with the low byte of the key, i.e. the result truncated to a single byte.

```python
src = '棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌'
for i in src:
    print(chr((ord(i) ^ 987654321) % 256), end='')
```
[HNCTF 2022 Week1]给阿姨倒一杯Jvav (Java .class reversing)
Create class and src folders, put the .class file in class/, then run:

```sh
jad -o -r -s java -d src class/*.class
```

exp:

```cpp
#include <cstdio>
using namespace std;
int key[18] = {180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};
int main(vo ...
```
Simple Python Reversing
Notes: getPycMagicNumber.py

```python
rd = input('Input Magic Number (ex. 3413):')
MAGIC_NUMBER = (int(rd)).to_bytes(2, 'little') + b'\r\n'   # the 4 magic bytes at the start of a .pyc
_RAW_MAGIC_NUMBER = int.from_bytes(MAGIC_NUMBER, 'little')
print(hex(_RAW_MAGIC_NUMBER))
```
Problems: [NISACTF 2022]ezpython (Python reversing)

```sh
pyinstxtractor *.exe
```

An *.exe_extracted folder appears; find src and struct inside it and add the .pyc suffix to both.
Repair src.pyc with the header from struct.pyc: the 12 bytes before E3 (E3 is the first byte of the marshalled code object). For Python 3.7 and later the header is 16 bytes, since a 4-byte flags field follows the magic.

```sh
uncompyle6 src.pyc > src.py
```

Decrypt to get the flag.
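The magic-number conversion from the notes above and the header transplant from the ezpython steps, together in one runnable form. This is an added example rather than the page's scripts; struct.pyc and the headerless src.pyc are stood in for by blobs built from the running interpreter, so the demo works offline.

```python
import importlib.util
import marshal
import struct

def magic_from_decimal(n: int) -> bytes:
    """Decimal magic as tools print it (3413 = CPython 3.8) -> the 4 bytes at the start of a .pyc."""
    return n.to_bytes(2, "little") + b"\r\n"

def magic_to_decimal(magic: bytes) -> int:
    return int.from_bytes(magic[:2], "little")

def pyc_header(magic: bytes, mtime: int = 0, source_size: int = 0) -> bytes:
    """CPython >= 3.7 header: magic(4) | flags(4) | mtime(4) | source size(4) = 16 bytes.
    3.3-3.6 had no flags field, hence the 12-byte header seen in older challenges."""
    return magic + struct.pack("<III", 0, mtime & 0xFFFFFFFF, source_size & 0xFFFFFFFF)

def repair_pyc(headerless: bytes, reference_pyc: bytes, header_len: int = 16) -> bytes:
    """Copy the header of an intact .pyc (struct.pyc) onto a headerless code-object blob (src.pyc)."""
    return reference_pyc[:header_len] + headerless

def load_code(pyc: bytes, header_len: int = 16):
    """Unmarshal the code object, refusing a magic this interpreter cannot load
    (a decompiler would likewise need a matching Python version)."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic %s is not this interpreter's %s"
                         % (pyc[:4].hex(), importlib.util.MAGIC_NUMBER.hex()))
    return marshal.loads(pyc[header_len:])

def repair_and_run() -> bool:
    # Constructed stand-ins: a headerless src.pyc and an intact struct.pyc from the same interpreter.
    src_blob = marshal.dumps(compile("def check(s):\n    return s == 'flag'\n", "src.py", "exec"))
    struct_pyc = pyc_header(importlib.util.MAGIC_NUMBER) + marshal.dumps(compile("pass", "struct.py", "exec"))
    fixed = repair_pyc(src_blob, struct_pyc)
    ns = {}
    exec(load_code(fixed), ns)           # the repaired module imports and runs
    return ns["check"]("flag")

if __name__ == "__main__":
    print(magic_from_decimal(3413))      # b'U\r\r\n'
    print(repair_and_run())              # True
```

On real extracted files, read struct.pyc with `open(..., "rb")`, take its first 16 (or 12) bytes, and prepend them to src.pyc; the magic check in `load_code` is the same test uncompyle6 applies when it complains about an unknown version.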
[HUBUCTF 2022 新生赛]ezPython: uncompyle6 ...
Reversing Common Simple Encryption Algorithms
Problems: [HUBUCTF 2022 新生赛]simple_RE (base64 with a changed table)
I did not work out the exact process; the trick is that seeing the constants 0x30, 0x3C and 0x3F means base64 (possibly with a changed table).
Decode with CyberChef.
[SWPUCTF 2022 新生赛]base64 (base64 decoding)
Standard table, decode directly.
[HDCTF 2023]easy_re (UPX unpacking, base64 decoding)
[LitCTF 2023]enbase64 (base64 with a changed table)
The table-building process is fairly involved; work through the algorithm to recover the table.

```cpp
#include <cstdio>
#include <cstring>
using namespace std;
int v3[65];
char Source[65] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", Destination[65];
int main(void) {
 ...
```
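Why 0x30, 0x3C and 0x3F identify base64, and how to decode once a changed table has been recovered, in one added example (not the page's code). `manual_b64decode` is the decoder as it appears in compiled binaries: the three masks are the bit-splitting steps for the second, third and fourth sextets. `b64decode_table` is the practical route once you have the table: map the custom alphabet back onto the standard one and let the library decode. The custom table used below is constructed.

```python
import base64
import string

STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

def _check_table(table: str, pad: str) -> None:
    if len(table) != 64 or len(set(table + pad)) != 65:
        raise ValueError("table must be 64 distinct characters, none equal to the pad")

def b64encode_table(raw: bytes, table: str = STD, pad: str = "=") -> str:
    _check_table(table, pad)
    return base64.b64encode(raw).decode().translate(str.maketrans(STD + "=", table + pad))

def b64decode_table(data: str, table: str = STD, pad: str = "=") -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally."""
    _check_table(table, pad)
    return base64.b64decode(data.translate(str.maketrans(table + pad, STD + "=")), validate=True)

def manual_b64decode(data: str, table: str = STD, pad: str = "=") -> bytes:
    """The decoder as it usually appears in a binary; the 0x30, 0x3C, 0x3F masks are the signature."""
    idx = {c: i for i, c in enumerate(table)}
    s = data.rstrip(pad)
    out = bytearray()
    for i in range(0, len(s), 4):
        chunk = s[i:i + 4]
        q = [idx[c] for c in chunk] + [0] * (4 - len(chunk))   # four 6-bit values
        out.append((q[0] << 2) | ((q[1] & 0x30) >> 4))          # top 2 bits of sextet 1
        if len(chunk) > 2:
            out.append(((q[1] & 0x0F) << 4) | ((q[2] & 0x3C) >> 2))   # top 4 bits of sextet 2
        if len(chunk) > 3:
            out.append(((q[2] & 0x03) << 6) | (q[3] & 0x3F))          # all 6 bits of sextet 3
    return bytes(out)

if __name__ == "__main__":
    custom = STD[::-1]                                   # constructed "changed table"
    enc = b64encode_table(b"NSSCTF{custom table}", custom)
    print(enc, b64decode_table(enc, custom), manual_b64decode(enc, custom))
```

When the recovered table turns out to be wrong, `validate=True` makes the library raise instead of silently decoding garbage; the manual decoder is the one to step through next to the disassembly when the binary's bit-twiddling deviates from the standard.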
Web Basics: SSRF
[GKCTF 2020]cve版签到: SSRF combined with CVE-2020-7066, in which get_headers() silently truncates the URL at a %00 (NUL) byte. Affected are PHP 7.2 before 7.2.29, 7.3 before 7.3.16 and 7.4 before 7.4.4; the X-Powered-By: PHP/7.3.15 header in the response below confirms a vulnerable build.
payload:

```
?url=http://127.0.0.123%00www.ctfhub.com
```

Note: the following return format is the signature of get_headers():

```
Array
(
    [0] => HTTP/1.1 200 OK
    [1] => Date: Mon, 05 Jun 2023 12:32:32 GMT
    [2] => Server: Apache/2.4.38 (Debian)
    [3] => X-Powered-By: PHP/7.3.15
    [4] => FLAG: NSSCTF{586773c7-706a-4413-9456-f3d363f47288}
    [5] => Vary: Accept-Encoding
    [6] => Content-Length: 113
    [7] => Connectio ...
```
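What makes the payload work is a mismatch between the check and the use: PHP strings carry an explicit length, so a filter on the whole string sees `...www.ctfhub.com`, while the pre-fix get_headers() path handed the URL to NUL-terminated code that stops at `%00` and requests `http://127.0.0.123`. The example below models that mismatch and the fix; it is added here and is not the challenge's source. The allow-list check on `www.ctfhub.com` is a hypothetical stand-in, since the page only shows the payload and the CVE.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_HOST = "www.ctfhub.com"   # hypothetical allow-list; the challenge's real filter is not on the page

def c_string(s: str) -> str:
    """What a NUL-terminated C consumer sees of a length-prefixed PHP string."""
    return s.split("\x00", 1)[0]

def vulnerable_target(raw_param: str) -> Optional[str]:
    """Length-aware check on the whole string, then a NUL-terminated consumer:
    the check and the use disagree about where the URL ends."""
    url = unquote(raw_param)                 # %00 becomes a real NUL inside the string
    if not url.endswith(ALLOWED_HOST):       # passes: the PHP string really does end with the allowed host
        return None
    return c_string(url)                     # the request actually goes to whatever precedes the NUL

def hardened_target(raw_param: str) -> Optional[str]:
    """Reject control bytes, then compare the parsed host name instead of a string suffix."""
    url = unquote(raw_param)
    if any(ord(ch) < 0x20 for ch in url):    # NUL and other control bytes have no place in a URL
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != ALLOWED_HOST:
        return None
    return url

if __name__ == "__main__":
    payload = "http://127.0.0.123%00www.ctfhub.com"
    print(vulnerable_target(payload))        # http://127.0.0.123
    print(hardened_target(payload))          # None
```

The fixed PHP releases apply the first half of `hardened_target` inside get_headers() itself (a URL containing NUL is rejected); the second half, validating the parsed host rather than a substring, is what stops the remaining SSRF variants such as `http://www.ctfhub.com@127.0.0.1/`.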