Contents
[GUET-CTF2019]re
CrackRTF
level2
Transform
easyRE
usualCrypt
[GUET-CTF2019]re
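Check for a packer: the binary is packed.
Unpack it with upx.
Once unpacking is done, go into the main logic.
There is a key function here.
Writing a z3 constraint-solving script is all that is needed.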
from z3 import *

solver = Solver()
flag_len = 32
# 32-bit vectors so the products below (up to about 1.8e9) do not wrap
flag = [BitVec(f'flag{i}', 32) for i in range(flag_len)]
for i in range(flag_len):
    solver.add(32 < flag[i], flag[i] < 127)  # within the printable range

# one linear equation per flag character, taken from the key function
solver.add(1629056 * flag[0] == 166163712, 6771600 * flag[1] == 731332800)
solver.add(3682944 * flag[2] == 357245568, 10431000 * flag[3] == 1074393000)
solver.add(3977328 * flag[4] == 489211344, 5138336 * flag[5] == 518971936)
solver.add(flag[6] == 48, 7532250 * flag[7] == 406741500)
solver.add(5551632 * flag[8] == 294236496, 3409728 * flag[9] == 177305856)
solver.add(13013670 * flag[10] == 650683500, 6088797 * flag[11] == 298351053)
solver.add(7884663 * flag[12] == 386348487, 8944053 * flag[13] == 438258597)
solver.add(5198490 * flag[14] == 249527520, 4544518 * flag[15] == 445362764)
solver.add(3645600 * flag[17] == 174988800, 10115280 * flag[16] == 981182160)
solver.add(9667504 * flag[18] == 493042704, 5364450 * flag[19] == 257493600)
solver.add(13464540 * flag[20] == 767478780, 5488432 * flag[21] == 312840624)
solver.add(14479500 * flag[22] == 1404511500, 6451830 * flag[23] == 316139670)
solver.add(6252576 * flag[24] == 619005024, 7763364 * flag[25] == 372641472)
solver.add(7327320 * flag[26] == 373693320, 8741520 * flag[27] == 498266640)
solver.add(8871876 * flag[28] == 452465676, 4086720 * flag[29] == 208422720)
solver.add(9374400 * flag[30] == 515592000, 5759124 * flag[31] == 719890500)

if solver.check() == sat:
    model = solver.model()
    result = [model[flag[i]].as_long() for i in range(flag_len)]
    flag = ''.join(chr(byte) for byte in result)
    print(f"{flag}")
else:
    print("No solution found.")
# flag{e065421110ba03099a1c039337}
CrackRTF
level2
Check for a packer: upx.
Unpack it with upx.
Unpacking succeeds.
Open it in 32-bit IDA.
The flag is plainly visible: wctf2020{Just_upx_-d} -> flag{Just_upx_-d}
Transform
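Check for a packer.
Open it in 64-bit IDA and locate the main function.
The str array is mapped into the array at 414040 and XORed with the array at 40F040. Extract the data with Shift+E; note that the array at 40F040 is of type int, i.e. 4 bytes per element.
Write the reversing script.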
#include<iostream>
#include<cstdio>
using namespace std;

int main(){
    // key[i] is both the XOR byte and the position that output byte i was taken from
    unsigned char key[] = {0x09,0x0A,0x0F,0x17,0x07,0x18,0x0C,0x06,0x01,0x10,0x03,0x11,0x20,0x1D,0x0B,0x1E,0x1B,0x16,0x04,0x0D,0x13,0x14,0x15,0x02,0x19,0x05,0x1F,0x08,0x12,0x1A,0x1C,0x0E,0x00};
    // the bytes the transformed input is compared against
    unsigned char flag[] = {0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D};
    unsigned char str[33];
    // undo the XOR
    for(int i=0;i<33;i++){
        flag[i]^=key[i];
    }
    // undo the mapping: put each byte back at the position it came from
    for(int i=0;i<33;i++){
        str[key[i]]=flag[i];
    }
    for(int i=0;i<33;i++){
        printf("%c",str[i]);
    }
}
//MRCTF{Tr4nsp0sltiON_Clph3r_1s_3z}->flag{Tr4nsp0sltiON_Clph3r_1s_3z}
easyRE
usualCrypt
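Check for a packer: none.
Open it in 32-bit IDA and go to the main function.
The standard table has been swapped out, so we set a breakpoint and debug dynamically to dump the transformed table.
This gives the base64 table and the ciphertext; select each with the mouse and press A to convert it to a string.
Finally, the return statement also performs a case conversion.
Decode the base64 with CyberChef.
This gives flag{bAse64_h2s_a_Surprise}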
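The usualCrypt decoding steps above (undo the case conversion, map the dumped table back to the standard alphabet, then base64-decode) can also be scripted. This is an added example, not code from the original post; the table built by `swap_table` and the sample plaintext are constructed for the demo, and the table and ciphertext dumped from the binary would take their place.

```python
import base64
import string

# Standard base64 alphabet
STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def swap_table(std=STD, a=3, b=40, n=5):
    """Constructed stand-in for a modified table: swap two n-character runs.
    (Hypothetical helper; the real table comes from the debugger dump.)"""
    t = list(std)
    t[a:a + n], t[b:b + n] = t[b:b + n], t[a:a + n]
    return "".join(t)


def encode(plain: bytes, table: str) -> str:
    """Model of what the page describes: custom-table base64, then a case swap."""
    std = base64.b64encode(plain).decode()
    return std.translate(str.maketrans(STD, table)).swapcase()


def decode(cipher: str, table: str) -> bytes:
    """Invert encode(): case swap first, then table -> standard alphabet, then base64."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must be 64 distinct characters")
    undone = cipher.swapcase()  # the case conversion was applied last, so undo it first
    std = undone.translate(str.maketrans(table, STD))  # '=' padding passes through
    return base64.b64decode(std, validate=True)


if __name__ == "__main__":
    table = swap_table()
    sample = b"flag{constructed_sample}"  # constructed plaintext, not the challenge flag
    cipher = encode(sample, table)
    print(cipher)
    print(decode(cipher, table))
```
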