CTF—逆向入門(mén)題目（超詳細(xì)）

1、CTF逆向門(mén)題（超詳細(xì)）以下為本觀點(diǎn)結(jié)合其他write up總結(jié)出來(lái)的，如有錯(cuò)誤請(qǐng)指出，謝謝1.Bugkuctf平臺(tái)中的逆向題第道easy_vb：打開(kāi)件發(fā)現(xiàn)需要輸注冊(cè)碼獲取flag話不多說(shuō)先放PEID看看，養(yǎng)成這個(gè)好習(xí)慣，發(fā)現(xiàn)是VB6寫(xiě)的我們載IDA進(jìn)分析，alt + t搜索字符串CTF，然后crtl + t搜索下個(gè)字符串，直到看到flag2.Bugkuctf平臺(tái)中的逆向題第道Easy_Re：先把件下載下來(lái)載PEID運(yùn)件發(fā)現(xiàn)有字符串flag，于是考慮IDA打開(kāi)件查找字符串flag來(lái)到這發(fā)現(xiàn)xmmword后有兩串奇怪的字符串，我們將其選中按R鍵將其變成字符串發(fā)現(xiàn)flag3.南郵CTF逆向題第道H

2、ello,RE!下載件PEID載，殼，運(yùn)下發(fā)現(xiàn)讓輸flag，辦法IDA打開(kāi)查找字符串flag查找到之后f5查看偽代碼看到如下結(jié)果，將v5v11的結(jié)果R改為字符串得到flag4.實(shí)驗(yàn)吧 Just Click下載件exeinfo這款軟件查看發(fā)現(xiàn)程序C#撰寫(xiě)打開(kāi)軟件發(fā)現(xiàn)需要點(diǎn)擊相應(yīng)的數(shù)字才能發(fā)現(xiàn)flag因?yàn)槭荂#寫(xiě)的所以我們考慮Reflector軟件將其打開(kāi)找到MainWindow發(fā)現(xiàn)類(lèi)似主函數(shù)的東西，分析發(fā)現(xiàn)需要按順序點(diǎn)擊8次就能出現(xiàn)flag按這個(gè)順序點(diǎn)擊即出現(xiàn)flag。5.南郵CTF py交易反編譯后發(fā)現(xiàn)是這樣的分析算法：先輸段字符串，進(jìn)encode函數(shù)之后與字符串correct進(jìn)較encode

3、函數(shù)就是將輸?shù)淖址忻總€(gè)字符ascii都與32進(jìn)異或運(yùn)算，然后每個(gè)在加上16得到新的字符串，最后再將這個(gè)字符串進(jìn)base64加密。所以我們只需將XlNkVmtUI1MgXWBZXCFeKY+AaXNt進(jìn)base64解密，再將每個(gè)字符ascii碼都減16，接著與32異或即可得到flagpython代碼如下：import base64correct =XlNkVmtUI1MgXWBZXCFeKY+AaXNts = base64.b64decode(correct)flag =for i in s:i = chr(ord(i)-16)32)flag += iprint flag運(yùn)即可得到flag：

4、nctfd3c0mpil1n9_PyC6.Jarvis OJ :FindKey下載件發(fā)現(xiàn)是個(gè)很復(fù)雜的東西款叫做斯托夫件格式分析器分析下這個(gè)軟件的類(lèi)型發(fā)現(xiàn)是python寫(xiě)的，將其后綴名改為.pyc然后放在線反編譯站得到如下import syslookup = 196,153, 149,206, 17,221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48 pwda = 1

5、88, 155, 11, 58, 251, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42pwdb = 53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108flag = raw_input(Input your Key:).strip()if len(flag) != 17:print Wrong Key!sys.exit(1)flag = flag:-1for i in range(0, len(flag):if ord(flagi)

6、 + pwdai & 255 != lookupi + pwdbi:print Wrong Key!sys.exit(1)print Congratulations!下寫(xiě)個(gè)腳本就ok了import syslookup = 196,153, 149,206, 17,221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48 pwda = 188, 155, 11, 58, 2

7、51, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42pwdb = 53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108flag = for i in range(0,17): /這就是要滿wrong key的條件才能得到正確的flagflag+=chr(lookupi + pwdbi-pwdai & 255)flag=flag:-1print flag運(yùn)下就得到flag了7.Jarvis OJ ：stheasy拿到題下載了個(gè)很復(fù)雜的件

8、，我們先放斯托夫件格式分析器分析，發(fā)現(xiàn)：我們IDA將其打開(kāi)，很容易找到關(guān)鍵函數(shù)位置：按下F5編譯下,獲得如下函數(shù)：有個(gè)sub_8048630函數(shù)決定了Flag的對(duì)錯(cuò)，所以我們只需要研究下它：這我為了便于觀察重新命名了a，b函數(shù)，我們雙擊a和b查找下他們具體的值，將a這兩排選中shift + E快捷鍵選擇第四個(gè)選項(xiàng)，數(shù)組表a如下，b同理：研究完算法之后就可以寫(xiě)腳本了：a = 0 x48, 0 x5D, 0 x8D, 0 x24, 0 x84, 0 x27, 0 x99, 0 x9F, 0 x54, 0 x18,0 x1E, 0 x69, 0 x7E, 0 x33, 0 x15, 0 x72, 0

9、 x8D, 0 x33, 0 x24, 0 x63,0 x21, 0 x54, 0 x0C, 0 x78, 0 x78, 0 x78, 0 x78, 0 x78, 0 x1Bb = 0 x6C, 0 x6B, 0 x32, 0 x6A, 0 x39, 0 x47, 0 x68, 0 x7D, 0 x41, 0 x67,0 x66, 0 x59, 0 x34, 0 x64, 0 x73, 0 x2D, 0 x61, 0 x36, 0 x51, 0 x57,0 x31, 0 x23, 0 x6B, 0 x35, 0 x45, 0 x52, 0 x5F, 0 x54, 0 x5B, 0 x63,0 x76, 0 x4C, 0 x62, 0 x56, 0 x37, 0 x6E, 0 x4F, 0 x6D, 0 x33, 0 x5A,0 x65, 0 x58, 0 x7B, 0 x43, 0 x4D, 0 x74, 0 x38, 0 x53, 0 x5A, 0 x6F,0 x5D, 0 x55, 0 x00flag = c = for