美文网首页工作生活
攻防世界进阶Re(一)

攻防世界进阶Re(一)

作者: Adam_0 | 来源:发表于2019-06-30 22:57 被阅读0次

0x00 re2-cpp-is-awesome

IDA,f5主函数,找到关键判断。


main.png

看到主要是判断v8和off_6020A0数组是否相等,dword_6020C6可以在HEX中查看(这样更加直观)。将off_6020A0和dword_6020C6提取出来。


off_6020A0.png dword_6020C6.png

ALIGN Num
其中:Num必须是2的幂,如:2、4、8和16等。
伪指令的作用是:告诉汇编程序,本伪指令下面的内存变量必须从下一个能被Num整除的地址开始分配。如果下一个地址正好能被Num整除,那么,该伪指令不起作用,否则,汇编程序将空出若干个字节,直到下一个地址能被Num整除为止。
脚本如下:

a = 'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_1F_Y0u_g0t_1t'
b = [0x24,0x0,0x5,0x36,0x65,0x7,0x27,0x26,0x2d,0x1,0x3,0x0,0x0d,
     0x56,0x01,0x3,0x65,0x3,0x2d,0x16,0x2,0x15,0x3,0x65,0x0,0x29,
     0x44,0x44,0x01,0x44,0x2b]
tem = ''
for i in b:
    arr = int(str(i))
    arr1 = a[arr]
    tem += arr1
print(tem)

0x01 crackme

首先使用PEiD查壳,加了nsp壳,这壳没见过啊。。手工脱壳也不会。。。。。。。。
只有工具了,后面再补手工的吧。


image.png

北斗3.X系列脱壳机脱壳,在IDA打开清晰明了,简单的异或操作。这里放个逆向工具包吧挺全挺好用的:https://pan.baidu.com/s/1ocTrTFujIwHLqPV2eC7U9g 提取码 9zp5

image.png
简单写个脚本得到flag
a = "this_is_not_flag"
b = [0x12,
     0x4,0x8,0x14,0x24,0x5c,0x4a,0x3d,0x56,0xa,0x10,0x67,0x0,
     0x41,0x0,
     0x1,0x46,0x5a,0x44,0x42,0x6e,0x0c,0x44,0x72,0x0c,0x0d,
     0x40,0x3e,0x4b,0x5f,0x2,0x1,0x4c,0x5e,0x5b,0x17,0x6e,0x0c,
     0x16,0x68,0x5b,0x12,0x0,0x0]

flag = ""
for i in range(42):
    flag += chr(ord(a[i%16])^b[i])
print(flag)

0x02 re-for-50-plz-50

拖进IDA,不能用F5大法了。发现这道题是MIPS汇编,看了大佬文章https://www.cnblogs.com/yanghong-hnu/p/5635245.html学了下MIPS指令。

然后简单分析下逻辑,就是简单的异或操作,字符串分别与0x37异或得到flag.


image.png

脚本如下:

a = "cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ"
b=0x37
flag=''
for i in a:
    flag += chr(ord(i)^b)
print(flag)

0x03 key

终于是使用OD解出题了!
不过第一步还是拖进IDA,分析函数逻辑,发现太复杂了。不过可以看到执行成功的字样。


image.png

运行一下,弹出“?W?h?a?t h?a?p?p?e?n?”。一直跟到sub_402550函数,发现有一个文件的绝对路径,试着在这个路径下创建flag.txt文件,内容随便写。再次运行得到的提示变为了“=W=r=o=n=g=K=e=y=”。 所以我们推断这个程序的逻辑就是判断文本文件的内容是否符合条件。


image.png

其他逻辑就比较头疼了 ,拖进OD搜索ASCll码找到关键字符串。双击进入代码段。


image.png
发现错误提示这里在上方有个跳转,判断这里是一个关键跳转,在跳转处F2下断点,然后点击运行(一定要在上面分析出的目录中创建flag.txt文件,不要程序会直接退出)
image.png

我们可以看到跳转线为红色说明,这个要跳转到错误提示并退出,所以我们改变右边标志位Z为1(双击Z的值),跳转线变为灰色然后再F8单步往下走。


image.png
一直往下走,在此处屏幕出现成功标志,可以看到有两个字符串,第一个为我们自己生成并通过程序变形了的字符,第二个就是要与之比对的正确字符串,这就是flag。
image.png

0x04 simple-check-100

用linux远程连接好了之后,F5主函数,在check_key()处下断点,F2或者直接在行数前单击即可。


image.png

点击debugger—>start process 运行,Linux里提示输入字符,随便输入111。


image.png
查看汇编代码发现关键跳转,F8单步到此处,发现下一步会跳转到错误提示并退出程序。
image.png

所以我们改汇编代码为 jnz 就不会跳转了。Edit—>Patch program —>Assemble。把jz 改为 jnz 。


image.png
继续F8单步往下走。经过sub_80483D0后flag已经在linux里打印出来了。
image.png image.png

嘿嘿嘿 ,这个动态调试太好用了 ,第一次用,舒服舒服。都不用分析头痛的逻辑代码。

0x05 re1-100

拖进IDA,眼花缭乱的函数,不过还是F5大法,查看main函数伪代码。前面的函数都是花里胡哨的,输入一串字符,然后过滤掉OD和gdb的调试等等。这里我用了IDA动态调试有点迷没做出来,虚拟机还给我不小心整崩了。换了方法,但按道理是可以做出来的。


image.png

关键在下面这里这么多 if,唯独一个返回True。看到前面有字符的比较,但是后面字符串顺序不对啊。这里主要的变换函数在confuseke()。


image.png

这里它将字符串等长划分为四串,然后重新按 3,4,1,2的顺序排列。所以将上面花括号里的字符串逆回去就是flag了。


image.png

0x06 handcrafted-pyc

这道题有点难度啊,做了一天,,,
不是常规操作了。
我们得到的只有一个 py 文件,提取出来用python2运行之后,提示输入passwd。首先还是看看执行的是什么吧,把exec里面的东西输出看看。woc,就一行代码,就感觉是一个程序还要check。作为菜鸡,这就涉及到我知识盲区了,这也太秀了吧。到处搜索资料。终于发现它好像是python的字节码?

>>> a = marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAc
kLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZ
q8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIl
LVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2
yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wr
mPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnf
qmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRd
slar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPg
JeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xi
kRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeC
BQ==')))                                                                                            
>>> exec(a)                                                                                         
password: qweqweqwe                                                                                 
Wrong password... Please try again. Do not brute force. =)                                          
>>> print a                                                                                         
<code object <module> at 0000000003607F30, file "<string>", line 1>                                 
>>>                                                                                                 

然后就是反编译了,首先把它转成pyc 文件,其实就是再加个pyc文件头。

import marshal, zlib, base64

a = base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ==')

print (a)
n = zlib.decompress(a)

pyc_headr = '\x03\xf3\x0d\x0a\x14\x0c\xf4\x57'

data = pyc_headr + n

with open('1.pyc','wb') as file:
    file.write(data)
    
file.close()

得到pyc之后,使用uncompyle6反汇编,以为开始正常做题了,然而并不是
uncompyle6 -o 2333.py 1.pyc
打开2333.py得到的却是一堆汇编代码,吐了,分析汇编,把passwd之前的asccll全部提取出来得到一字符串:“ llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!! ”感觉这很接近答案了,还观察到汇编里面还有ROT_TWO和BINARY_ADD两个操作。第一个是将栈里栈顶和下一个数据互换,第二个是将栈顶和下一个数据相加在压栈。
(只贴要用汇编代码,太多了)

# uncompyle6 version 3.2.5
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.6.5 (v3.6.5:f59c0932b4, Mar 28 2018, 17:00:18) [MSC v.1900 64 bit (AMD64)]
# Embedded file name: <string>
# Compiled at: 2016-10-05 04:07:48

def main--- This code section failed: ---

   1       0  LOAD_GLOBAL           0  'chr'
           3  LOAD_CONST            1  108
           6  CALL_FUNCTION_1       1  None
           9  LOAD_GLOBAL           0  'chr'
          12  LOAD_CONST            1  108
          15  CALL_FUNCTION_1       1  None
          18  LOAD_GLOBAL           0  'chr'
          21  LOAD_CONST            2  97
          24  CALL_FUNCTION_1       1  None
          27  LOAD_GLOBAL           0  'chr'
          30  LOAD_CONST            3  67  
          33  CALL_FUNCTION_1       1  None
          36  ROT_TWO          
          37  BINARY_ADD       
          38  ROT_TWO          
          39  BINARY_ADD       
          40  ROT_TWO          
          41  BINARY_ADD       
          42  LOAD_GLOBAL           0  'chr'
          45  LOAD_CONST            4  32
          48  CALL_FUNCTION_1       1  None
          51  LOAD_GLOBAL           0  'chr'
          54  LOAD_CONST            5  101
          57  CALL_FUNCTION_1       1  None
          60  LOAD_GLOBAL           0  'chr'
          63  LOAD_CONST            6  109
          66  CALL_FUNCTION_1       1  None
          69  LOAD_GLOBAL           0  'chr'
          72  LOAD_CONST            4  32
          75  CALL_FUNCTION_1       1  None
          78  ROT_TWO          
          79  BINARY_ADD       
          80  ROT_TWO          
          81  BINARY_ADD       
          82  ROT_TWO          
          83  BINARY_ADD       
          84  BINARY_ADD       
          85  LOAD_GLOBAL           0  'chr'
          88  LOAD_CONST            7  121
          91  CALL_FUNCTION_1       1  None
          94  LOAD_GLOBAL           0  'chr'
          97  LOAD_CONST            8  80
         100  CALL_FUNCTION_1       1  None
         103  LOAD_GLOBAL           0  'chr'
         106  LOAD_CONST            4  32
         109  CALL_FUNCTION_1       1  None
         112  LOAD_GLOBAL           0  'chr'
         115  LOAD_CONST            2  97
         118  CALL_FUNCTION_1       1  None
         121  ROT_TWO          
         122  BINARY_ADD       
         123  ROT_TWO          
         124  BINARY_ADD       
         125  ROT_TWO          
         126  BINARY_ADD       
         127  LOAD_GLOBAL           0  'chr'
         130  LOAD_CONST            9  104
         133  CALL_FUNCTION_1       1  None
         136  LOAD_GLOBAL           0  'chr'
         139  LOAD_CONST           10  116
         142  CALL_FUNCTION_1       1  None
         145  ROT_TWO          
         146  BINARY_ADD       
         147  LOAD_GLOBAL           0  'chr'
         150  LOAD_CONST            4  32
         153  CALL_FUNCTION_1       1  None
         156  LOAD_GLOBAL           0  'chr'
         159  LOAD_CONST           11  110
         162  CALL_FUNCTION_1       1  None
         165  LOAD_GLOBAL           0  'chr'
         168  LOAD_CONST           12  111
         171  CALL_FUNCTION_1       1  None
         174  ROT_TWO          
         175  BINARY_ADD       
         176  ROT_TWO          
         177  BINARY_ADD       
         178  BINARY_ADD       
         179  BINARY_ADD       
         180  BINARY_ADD       
         181  LOAD_GLOBAL           0  'chr'
         184  LOAD_CONST           10  116
         187  CALL_FUNCTION_1       1  None
         190  LOAD_GLOBAL           0  'chr'
         193  LOAD_CONST           13  114
         196  CALL_FUNCTION_1       1  None
         199  LOAD_GLOBAL           0  'chr'
         202  LOAD_CONST           14  105
         205  CALL_FUNCTION_1       1  None
         208  LOAD_GLOBAL           0  'chr'
         211  LOAD_CONST           15  118
         214  CALL_FUNCTION_1       1  None
         217  ROT_TWO          
         218  BINARY_ADD       
         219  ROT_TWO          
         220  BINARY_ADD       
         221  ROT_TWO          
         222  BINARY_ADD       
         223  LOAD_GLOBAL           0  'chr'
         226  LOAD_CONST            4  32
         229  CALL_FUNCTION_1       1  None
         232  LOAD_GLOBAL           0  'chr'
         235  LOAD_CONST            1  108
         238  CALL_FUNCTION_1       1  None
         241  LOAD_GLOBAL           0  'chr'
         244  LOAD_CONST            2  97
         247  CALL_FUNCTION_1       1  None
         250  LOAD_GLOBAL           0  'chr'
         253  LOAD_CONST           16  117
         256  CALL_FUNCTION_1       1  None
         259  ROT_TWO          
         260  BINARY_ADD       
         261  ROT_TWO          
         262  BINARY_ADD       
         263  ROT_TWO          
         264  BINARY_ADD       
         265  BINARY_ADD       
         266  LOAD_GLOBAL           0  'chr'
         269  LOAD_CONST            9  104
         272  CALL_FUNCTION_1       1  None
         275  LOAD_GLOBAL           0  'chr'
         278  LOAD_CONST           17  99
         281  CALL_FUNCTION_1       1  None
         284  LOAD_GLOBAL           0  'chr'
         287  LOAD_CONST            2  97
         290  CALL_FUNCTION_1       1  None
         293  LOAD_GLOBAL           0  'chr'
         296  LOAD_CONST            6  109
         299  CALL_FUNCTION_1       1  None
         302  ROT_TWO          
         303  BINARY_ADD       
         304  ROT_TWO          
         305  BINARY_ADD       
         306  ROT_TWO          
         307  BINARY_ADD       
         308  LOAD_GLOBAL           0  'chr'
         311  LOAD_CONST           11  110
         314  CALL_FUNCTION_1       1  None
         317  LOAD_GLOBAL           0  'chr'
         320  LOAD_CONST           14  105
         323  CALL_FUNCTION_1       1  None
         326  ROT_TWO          
         327  BINARY_ADD       
         328  LOAD_GLOBAL           0  'chr'
         331  LOAD_CONST            4  32
         334  CALL_FUNCTION_1       1  None
         337  LOAD_GLOBAL           0  'chr'
         340  LOAD_CONST           18  33
         343  CALL_FUNCTION_1       1  None
         346  LOAD_GLOBAL           0  'chr'
         349  LOAD_CONST            5  101
         352  CALL_FUNCTION_1       1  None
         355  ROT_TWO          
         356  BINARY_ADD       
         357  ROT_TWO          
         358  BINARY_ADD       
         359  BINARY_ADD       
         360  BINARY_ADD       
         361  BINARY_ADD       
         362  BINARY_ADD       
         363  LOAD_GLOBAL           0  'chr'
         366  LOAD_CONST            2  97
         369  CALL_FUNCTION_1       1  None
         372  LOAD_GLOBAL           0  'chr'
         375  LOAD_CONST           17  99
         378  CALL_FUNCTION_1       1  None
         381  LOAD_GLOBAL           0  'chr'
         384  LOAD_CONST            4  32
         387  CALL_FUNCTION_1       1  None
         390  LOAD_GLOBAL           0  'chr'
         393  LOAD_CONST           19  73
         396  CALL_FUNCTION_1       1  None
         399  ROT_TWO          
         400  BINARY_ADD       
         401  ROT_TWO          
         402  BINARY_ADD       
         403  ROT_TWO          
         404  BINARY_ADD       
         405  LOAD_GLOBAL           0  'chr'
         408  LOAD_CONST           11  110
         411  CALL_FUNCTION_1       1  None
         414  LOAD_GLOBAL           0  'chr'
         417  LOAD_CONST           14  105
         420  CALL_FUNCTION_1       1  None
         423  LOAD_GLOBAL           0  'chr'
         426  LOAD_CONST            4  32
         429  CALL_FUNCTION_1       1  None
         432  LOAD_GLOBAL           0  'chr'
         435  LOAD_CONST           11  110
         438  CALL_FUNCTION_1       1  None
         441  ROT_TWO          
         442  BINARY_ADD       
         443  ROT_TWO          
         444  BINARY_ADD       
         445  ROT_TWO          
         446  BINARY_ADD       
         447  BINARY_ADD       
         448  LOAD_GLOBAL           0  'chr'
         451  LOAD_CONST           20  112
         454  CALL_FUNCTION_1       1  None
         457  LOAD_GLOBAL           0  'chr'
         460  LOAD_CONST           13  114
         463  CALL_FUNCTION_1       1  None
         466  LOAD_GLOBAL           0  'chr'
         469  LOAD_CONST            5  101
         472  CALL_FUNCTION_1       1  None
         475  LOAD_GLOBAL           0  'chr'
         478  LOAD_CONST           10  116
         481  CALL_FUNCTION_1       1  None
         484  ROT_TWO          
         485  BINARY_ADD       
         486  ROT_TWO          
         487  BINARY_ADD       
         488  ROT_TWO          
         489  BINARY_ADD       
         490  LOAD_GLOBAL           0  'chr'
         493  LOAD_CONST            5  101
         496  CALL_FUNCTION_1       1  None
         499  LOAD_GLOBAL           0  'chr'
         502  LOAD_CONST           13  114
         505  CALL_FUNCTION_1       1  None
         508  ROT_TWO          
         509  BINARY_ADD       
         510  LOAD_GLOBAL           0  'chr'
         513  LOAD_CONST            8  80
         516  CALL_FUNCTION_1       1  None
         519  LOAD_GLOBAL           0  'chr'
         522  LOAD_CONST            4  32
         525  CALL_FUNCTION_1       1  None
         528  LOAD_GLOBAL           0  'chr'
         531  LOAD_CONST           10  116
         534  CALL_FUNCTION_1       1  None
         537  ROT_TWO          
         538  BINARY_ADD       
         539  ROT_TWO          
         540  BINARY_ADD       
         541  BINARY_ADD       
         542  BINARY_ADD       
         543  BINARY_ADD       
         544  LOAD_GLOBAL           0  'chr'
         547  LOAD_CONST           12  111
         550  CALL_FUNCTION_1       1  None
         553  LOAD_GLOBAL           0  'chr'
         556  LOAD_CONST            9  104
         559  CALL_FUNCTION_1       1  None
         562  LOAD_GLOBAL           0  'chr'
         565  LOAD_CONST           10  116
         568  CALL_FUNCTION_1       1  None
         571  LOAD_GLOBAL           0  'chr'
         574  LOAD_CONST            7  121
         577  CALL_FUNCTION_1       1  None
         580  ROT_TWO          
         581  BINARY_ADD       
         582  ROT_TWO          
         583  BINARY_ADD       
         584  ROT_TWO          
         585  BINARY_ADD       
         586  LOAD_GLOBAL           0  'chr'
         589  LOAD_CONST            4  32
         592  CALL_FUNCTION_1       1  None
         595  LOAD_GLOBAL           0  'chr'
         598  LOAD_CONST           11  110
         601  CALL_FUNCTION_1       1  None
         604  ROT_TWO          
         605  BINARY_ADD       
         606  LOAD_GLOBAL           0  'chr'
         609  LOAD_CONST           10  116
         612  CALL_FUNCTION_1       1  None
         615  LOAD_GLOBAL           0  'chr'
         618  LOAD_CONST            7  121
         621  CALL_FUNCTION_1       1  None
         624  LOAD_GLOBAL           0  'chr'
         627  LOAD_CONST           21  98
         630  CALL_FUNCTION_1       1  None
         633  ROT_TWO          
         634  BINARY_ADD       
         635  ROT_TWO          
         636  BINARY_ADD       
         637  BINARY_ADD       
         638  BINARY_ADD       
         639  LOAD_GLOBAL           0  'chr'
         642  LOAD_CONST           22  100
         645  CALL_FUNCTION_1       1  None
         648  LOAD_GLOBAL           0  'chr'
         651  LOAD_CONST           12  111
         654  CALL_FUNCTION_1       1  None
         657  LOAD_GLOBAL           0  'chr'
         660  LOAD_CONST           17  99
         663  CALL_FUNCTION_1       1  None
         666  LOAD_GLOBAL           0  'chr'
         669  LOAD_CONST            5  101
         672  CALL_FUNCTION_1       1  None
         675  ROT_TWO          
         676  BINARY_ADD       
         677  ROT_TWO          
         678  BINARY_ADD       
         679  ROT_TWO          
         680  BINARY_ADD       
         681  LOAD_GLOBAL           0  'chr'
         684  LOAD_CONST           23  115
         687  CALL_FUNCTION_1       1  None
         690  LOAD_GLOBAL           0  'chr'
         693  LOAD_CONST            5  101
         696  CALL_FUNCTION_1       1  None
         699  ROT_TWO          
         700  BINARY_ADD       
         701  LOAD_GLOBAL           0  'chr'
         704  LOAD_CONST           18  33
         707  CALL_FUNCTION_1       1  None
         710  LOAD_GLOBAL           0  'chr'
         713  LOAD_CONST           18  33
         716  CALL_FUNCTION_1       1  None
         719  LOAD_GLOBAL           0  'chr'
         722  LOAD_CONST           18  33
         725  CALL_FUNCTION_1       1  None
         728  ROT_TWO          
         729  BINARY_ADD       
         730  ROT_TWO          
         731  BINARY_ADD       
         732  BINARY_ADD       
         733  BINARY_ADD       
         734  BINARY_ADD       
         735  BINARY_ADD       
         736  BINARY_ADD       
         737  LOAD_CONST            0  None
         740  NOP              
         741  JUMP_ABSOLUTE       759  'to 759'
         744  LOAD_GLOBAL           1  'raw_input'
         747  JUMP_ABSOLUTE      1480  'to 1480'
         750  LOAD_FAST             0  'password'
         753  COMPARE_OP            2  '=='
         756  JUMP_ABSOLUTE       767  'to 767'
         759  ROT_TWO          
         760  STORE_FAST            0  'password'
         763  POP_TOP          
         764  JUMP_BACK           744  'to 744'
         767  POP_JUMP_IF_FALSE  1591  'to 1591'
         770  LOAD_GLOBAL           0  'chr'

然后就是写脚本来代替上面两个函数的操作了,得到一个正确的字符串,再次exec输入passwd的值得到flag。

exp:

import marshal, zlib, base64, dis, re

mar = (marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ=='))))
# exec(mar)
# print mar.co_consts
with open('1.pyc', 'wb') as f:
    marshal.dump(mar.co_consts[1], f)
    
with open("1.txt",'r') as f:
    line = []
    for i in range(324):
        line.append(f.readline())

def ROT_TWO(List):
    a = List.pop()
    b = List.pop()
    List.append(a)
    List.append(b)
    return List

def BINARY_ADD(List):
    a = List.pop()
    b = List.pop()
    List.append(b+a)
    return List

cipher = "llaC em yP aht notriv lauhcamni !eac Ini npreterP tohty ntybdocese!!!"
cipher = list(cipher)

s =[]
j=0
for i in line:
    if 'LOAD_CONST' in i and j < len(cipher):
        s.append(cipher[j])
        j += 1
    elif 'ROT_TWO' in i:
        s = ROT_TWO(s)
    elif 'BINARY_ADD' in i:
        s = BINARY_ADD(s)
print s

相关文章

  • 攻防世界进阶Re(一)

    0x00 re2-cpp-is-awesome IDA,f5主函数,找到关键判断。 看到主要是判断v8和off_6...

  • 攻防世界进阶Re(二)

    感觉难度越来越大了,把进阶题分为几篇来写,以便查看。 0x00 reverse-box 感觉都是没有看到过的题型,...

  • 攻防世界进阶Re(三)

    0x00 APK-逆向2 脚本如下: 0x01 notsequence 这道题有点意思哟,IDA打开,F5大法。 ...

  • 攻防世界 Re wp

    hello ctf sprintf():int sprintf( char *buffer, const char...

  • 攻防世界-Web_php_unserialize

    高手进阶区,Web_php_unserialize 题目来源:攻防世界[https://adworld.xctf....

  • 攻防世界-unserialize3

    高手进阶区,unserialize3 题目来源:攻防世界[https://adworld.xctf.org.cn/...

  • IgniteMe_攻防世界RE【4】

    题目描述: 下载附件拖入ida,发现是win32 console Application。 解题过程: 拖入IDA...

  • 攻防世界高手进阶pwn

    歇了很长一段时间,终于开始了我的攻防世界pwn之路。立一个flag:每日一题,只能多不能少。 0x00 dice_...

  • easyRE1_攻防世界_RE【2】

    题目描述 下载下来是两个文件,随便找一个拖入ida发现是elf文件。 解题过程 题目也太简单了,使用ida 转为C...

  • 流浪者_攻防世界_RE【1】

    题目描述 下载附件后发现是一个exe,根据图标判断是mfc写的,题目要求输入flag。 解题过程 拖入IDA,查找...

网友评论

    本文标题:攻防世界进阶Re(一)

    本文链接:https://www.haomeiwen.com/subject/gieicctx.html