Posted 2019-9-30 11:01:34
#1# easy_misc_puzzle

The 25 images in the attachment, once stitched together, form a QR code; scanning it gives the flag.

#2# easy_re_go

A simple Go reverse.

First, at the tail of main there is a comparison loop:

```C
// decompiler output: walk the 43 slots of enc (via v160) and key (via v157), counting matches
while ( (signed __int64)result < 43 )
{
  v146 = *(&v160 + (_QWORD)result);
  v145 = (__int64 *)(v149 + 1);
  if ( *(&v157 + (_QWORD)result) == v146 )
    ++v149;
  result = (unsigned __int8 **)((char *)result + 1);
}
```

Following the two variables `v157` and `v146` leads to key and enc respectively. `v157` points at key, i.e. `main_statictmp_2`, whose contents are:

```
00000000004E2800  34 D0 FF FF FF FF FF FF  6A 0F 00 00 00 00 00 00
00000000004E2810  50 01 00 00 00 00 00 00  F4 01 00 00 00 00 00 00
00000000004E2820  F2 51 00 00 00 00 00 00  60 09 00 00 00 00 00 00
00000000004E2830  BA 30 00 00 00 00 00 00  76 1D 00 00 00 00 00 00
00000000004E2840  16 67 0A 00 00 00 00 00  D8 3C 00 00 00 00 00 00
00000000004E2850  EC 00 00 00 00 00 00 00  4A 00 00 00 00 00 00 00
00000000004E2860  0B 25 00 00 00 00 00 00  44 01 00 00 00 00 00 00
00000000004E2870  C7 19 00 00 00 00 00 00  24 06 09 00 00 00 00 00
00000000004E2880  E3 FE FF FF FF FF FF FF  85 23 00 00 00 00 00 00
00000000004E2890  5B 00 00 00 00 00 00 00  D8 00 00 00 00 00 00 00
00000000004E28A0  FD 29 00 00 00 00 00 00  88 DD FF FF FF FF FF FF
00000000004E28B0  FF 00 00 00 00 00 00 00  2D 53 00 00 00 00 00 00
00000000004E28C0  71 02 00 00 00 00 00 00  0D C6 FF FF FF FF FF FF
00000000004E28D0  C0 6D 01 00 00 00 00 00  80 41 05 00 00 00 00 00
00000000004E28E0  36 FF FF FF FF FF FF FF  4A 0F 00 00 00 00 00 00
00000000004E28F0  F8 05 00 00 00 00 00 00  C4 F0 FF FF FF FF FF FF
00000000004E2900  9B 54 00 00 00 00 00 00  9A F4 0E 00 00 00 00 00
00000000004E2910  38 1D 00 00 00 00 00 00  60 AB 00 03 00 00 00 00
00000000004E2920  8E 01 00 00 00 00 00 00  9A 3B 00 00 00 00 00 00
00000000004E2930  A8 30 00 00 00 00 00 00  AC 03 92 02 00 00 00 00
00000000004E2940  C1 FF FF FF FF FF FF FF  6C 51 00 00 00 00 00 00
00000000004E2950  1B 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
```

while `v146` ultimately points to the variable `main_enc`. Looking at main_enc, its value is computed from our input; main is full of blocks like

```C
v7 = **v162;                          // current input byte
main_g0 = v7;
main_g1 = v7 - 168;
v8 = v7 - 178;
main_g2 = v7 - 178;
v9 = 161 * v7 - 28658;                // affine transform of the byte
main_g3 = v9;
main_enc = v9;                        // stored into enc, compared against key at the end
v10 = *v162;
if ( (unsigned __int64)v162[1] <= 1 )  // Go bounds check on the input slice
  runtime_panicindex(&v158, &unk_4E2808, v8, v10);
```

With that structure we only need to invert the computation for each byte to get the flag `flag{g01anG_15_b3TT3r_7hAn_07h3R_1aNguAg35}`.

#3# normal_re_confused

The program first RC4-encrypts the input, then applies a variant base64 encoding and compares the result with the ciphertext `B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA`; inverting these operations gives the flag `flag{RC4_4Nd_Ba5E64?!}`.

#4# easy_re_time

The program reads the system time and then checks it:

```C
sub_1400122F0(&v6);                                  // v6 = current unix time
if ( v6 > 1558368000 || v6 <= 1558281600 )
{
  puts("Not today!");
}
else
{
  v7 = (v6 - 57600) / 86400;                         // day index, offset by 16 h (midnight in UTC+8)
  v7 = 0x52F000000000i64 * v7 | 17245 * v7 ^ 16 * v7;
  v8 = 0xC20A19B50FF459FFi64;
  v9 = v7 ^ 14447370857446862153ui64;
  LOBYTE(v2) = 100;
  Src = sub_14001134D(0xC20A19B50FF459FFi64, v7 ^ 14447370857446862153ui64, v2);
  j_memcpy(&Dst, &Src, 8ui64);
  sub_1400111D1((__int64)"flag{%8s}", (__int64)&Dst); // 8 derived characters printed as the flag
}
```

As long as the time is greater than 1558281600 and less than 1558368000, i.e. falls between May 20 and May 21, we get `flag{h4ppy520}`.

#5# normal_re_deadbeef

The program checks whether the input contains `flag{}` and `_`, then runs a hash over the three substrings and compares them with the keys `d580c6b67f4f4ea518de48114a039415ae008a20`,
`be2c09d9e4c21f050b054ffd81a94579c403c24a`,
`8d1fc83189c054458f958c0b5b28e1190384ab39`

The flag obtained by brute force is `flag{h9Rd_c0R3_sH91}`
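As an added example for easy_re_go (not part of the original post): the key dump above is a table of little-endian signed 64-bit integers, and the only transform the post shows is position 0's `161 * v7 - 28658`. The script below parses an IDA dump back into integers and solves that affine relation for the input byte. `KEY_DUMP` is the first two lines of the post's dump, and `KNOWN_PARAMS` holds only the one (a, b) pair that is visible in the post; the remaining 42 pairs would be read off the other blocks of main in the same way.

```python
import struct
from typing import List, Optional, Sequence, Tuple

# First 32 bytes of the main_statictmp_2 dump from the post, in IDA's hex-dump
# layout; the remaining lines of the dump are pasted in the same format.
KEY_DUMP = """
00000000004E2800  34 D0 FF FF FF FF FF FF  6A 0F 00 00 00 00 00 00
00000000004E2810  50 01 00 00 00 00 00 00  F4 01 00 00 00 00 00 00
"""


def parse_ida_dump(dump: str) -> bytes:
    """Turn an IDA hex-dump listing (address column + hex byte columns) back into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()[1:]                       # drop the address column
        raw += bytes(int(t, 16) for t in tokens if len(t) == 2)
    return bytes(raw)


def as_int64s(raw: bytes) -> List[int]:
    """Each key entry is a little-endian signed 64-bit value (0xFFFFFFFFFFFFD034 is -12236)."""
    n = len(raw) // 8
    return list(struct.unpack("<%dq" % n, raw[: n * 8]))


def invert_affine(target: int, a: int, b: int) -> Optional[int]:
    """Solve a*c - b == target for a byte c. None means no byte satisfies it, which is
    how a wrong (a, b) pair or a wrong key index shows up instead of silently giving junk."""
    numerator = target + b
    if numerator % a:
        return None
    c = numerator // a
    return c if 0 <= c < 256 else None


def recover(key: Sequence[int], params: Sequence[Tuple[int, int]]) -> str:
    """Apply the per-position inverse; params[i] is the (a, b) of position i, read from main."""
    out = []
    for i, (a, b) in enumerate(params):
        c = invert_affine(key[i], a, b)
        if c is None:
            raise ValueError("no byte maps to key[%d] with a=%d b=%d" % (i, a, b))
        out.append(chr(c))
    return "".join(out)


# Only position 0's transform (161 * v7 - 28658) is visible in the post; the other
# 42 (a, b) pairs are assumed to be collected from the rest of main the same way.
KNOWN_PARAMS = [(161, 28658)]

if __name__ == "__main__":
    key = as_int64s(parse_ida_dump(KEY_DUMP))
    print(key[:4])                      # [-12236, 3946, 336, 500]
    print(recover(key, KNOWN_PARAMS))   # 'f', the first byte of flag{...}
```

Solving position 0 with the constants from the listing gives 102, i.e. `f`, which matches the first character of the recovered flag; the `None` path is what you hit when a pair is copied from the wrong block, so it is worth checking every position rather than trusting the division.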
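Added example for normal_re_confused, not code from the post or the challenge: an RC4 implementation plus a base64 decoder that takes an arbitrary 64-symbol table, wired together in the reverse order of the binary. The RC4 key `DEMO_KEY` and the rotated table `DEMO_ALPHABET` are constructed stand-ins; the real ones are read out of the binary. The post's ciphertext is 32 characters, which is what 22 bytes (the length of the recovered flag) produce under base64 with two padding symbols.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CIPHERTEXT = "B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA"   # the comparison target quoted in the post

# Constructed stand-ins: the challenge's real table and RC4 key come from the binary.
DEMO_ALPHABET = STD_ALPHABET[3:] + STD_ALPHABET[:3]   # standard table rotated by 3
DEMO_KEY = b"confused"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                                # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                   # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def variant_b64encode(data: bytes, alphabet: str, pad: str = "=") -> str:
    """Standard base64, then remap every symbol into the variant table."""
    std = base64.b64encode(data).decode()
    body = std.rstrip("=")
    table = str.maketrans(STD_ALPHABET, alphabet)
    return body.translate(table) + pad * (len(std) - len(body))


def variant_b64decode(text: str, alphabet: str, pad: str = "=") -> bytes:
    """Decode directly against a 64-symbol table, so the table does not have to be
    a permutation of the standard one and the padding symbol is configurable."""
    if len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    body = text
    for _ in range(2):                                  # base64 carries at most two pad symbols
        if body.endswith(pad):
            body = body[:-1]
    if len(body) % 4 == 1:
        raise ValueError("invalid base64 length")
    acc = nbits = 0
    out = bytearray()
    for ch in body:
        acc = (acc << 6) | alphabet.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def solve(ciphertext: str, key: bytes, alphabet: str, pad: str = "=") -> bytes:
    """Undo the two stages in reverse order: variant base64 first, then RC4."""
    return rc4(key, variant_b64decode(ciphertext, alphabet, pad))


def demo_ciphertext() -> str:
    """Run the forward pipeline on the recovered flag with the demo key and table."""
    return variant_b64encode(rc4(DEMO_KEY, b"flag{RC4_4Nd_Ba5E64?!}"), DEMO_ALPHABET)


if __name__ == "__main__":
    ct = demo_ciphertext()
    print(ct, len(ct) == len(CIPHERTEXT))   # 32 characters, like the post's target
    print(solve(ct, DEMO_KEY, DEMO_ALPHABET))
```

To apply it to the real binary, replace `DEMO_KEY` with the key passed to the RC4 setup and `DEMO_ALPHABET` with the 64-byte table the encoder indexes into; if the comparison also involves a non-standard padding byte, pass it as `pad`. The RC4 routine is checked against the published "Key"/"Plaintext" test vector so a mistake in the keystream cannot be confused with a wrong alphabet.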

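Added example for easy_re_time (not from the post): the two constants and the day computation from the decompiled check, with the timestamps rendered in UTC+8 and the C operator precedence of the mixing line spelled out. Everything up to `v9` is reproducible from the listing; `sub_14001134D`, which turns `v9` into the eight flag characters, is not shown on the page, so the example stops there.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

LOW, HIGH = 1558281600, 1558368000       # the two constants in the decompiled check
CST = timezone(timedelta(hours=8))       # the 16 h offset in the day computation points at UTC+8
MASK64 = (1 << 64) - 1


def in_window(t: int) -> bool:
    """Mirror of `if ( v6 > 1558368000 || v6 <= 1558281600 ) puts("Not today!")`:
    the flag branch runs iff LOW < t <= HIGH."""
    return not (t > HIGH or t <= LOW)


def window_in_cst() -> Tuple[str, str]:
    """Both bounds rendered in UTC+8, which is where the 'May 20' of the flag comes from."""
    return (datetime.fromtimestamp(LOW, CST).isoformat(),
            datetime.fromtimestamp(HIGH, CST).isoformat())


def day_index(t: int) -> int:
    """v7 = (v6 - 57600) / 86400 : 57600 s = 16 h, so this is the day number in UTC+8."""
    return (t - 57600) // 86400


def mix(v7: int) -> int:
    """`v7 = 0x52F000000000i64 * v7 | 17245 * v7 ^ 16 * v7` with C precedence made explicit:
    * binds tighter than ^, which binds tighter than |, all in 64-bit arithmetic."""
    return ((0x52F000000000 * v7) & MASK64) | (((17245 * v7) ^ (16 * v7)) & MASK64)


def v9_for(t: int) -> int:
    """The second argument handed to sub_14001134D for an accepted timestamp."""
    if not in_window(t):
        raise ValueError("Not today!")
    return mix(day_index(t)) ^ 14447370857446862153


if __name__ == "__main__":
    print(window_in_cst())               # ('2019-05-20T00:00:00+08:00', '2019-05-21T00:00:00+08:00')
    print(day_index(LOW + 1), day_index(HIGH))   # 18035 18036
    print(hex(v9_for(LOW + 1)))
```

Two things the listing hides: the window is May 20 in UTC+8, not UTC, so a machine with its clock in another zone has to be set accordingly; and because the upper bound is inclusive while the day index is taken after a 16 h shift, `t == HIGH` lands on day 18036 rather than 18035, so the derived value at exactly midnight of May 21 differs from the rest of the window.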
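Added example for normal_re_deadbeef (not the post's or the challenge's code): the structural check and an independent per-segment brute force. The hash algorithm is an assumption (SHA-1 is the usual 40-hex-digit candidate; the post does not name it), the alphanumeric charset is an assumption based on the solved flag, and `DEMO_KEYS` are constructed from short segments so the demo run finishes in seconds.

```python
import hashlib
import itertools
import re
import string
from typing import List, Optional

CHARSET = string.ascii_letters + string.digits   # assumption: segments are alphanumeric, like the solved flag
FLAG_RE = re.compile(r"^flag\{([^_{}]+)_([^_{}]+)_([^_{}]+)\}$")

# The three keys quoted in the post (40 hex digits each).
REAL_KEYS = [
    "d580c6b67f4f4ea518de48114a039415ae008a20",
    "be2c09d9e4c21f050b054ffd81a94579c403c24a",
    "8d1fc83189c054458f958c0b5b28e1190384ab39",
]


def split_flag(candidate: str) -> Optional[List[str]]:
    """The structural check from the post: a flag{...} wrapper with two '_' separators,
    giving the three segments that are hashed independently."""
    m = FLAG_RE.match(candidate)
    return list(m.groups()) if m else None


def digest(segment: str) -> bytes:
    # Assumption: SHA-1; swap the constructor if the binary's hash turns out to be something else.
    return hashlib.sha1(segment.encode()).digest()


def crack_segment(target_hex: str, max_len: int = 4) -> Optional[str]:
    """Exhaust CHARSET^1 .. CHARSET^max_len until a segment hashes to the target."""
    target = bytes.fromhex(target_hex)
    for n in range(1, max_len + 1):
        for chars in itertools.product(CHARSET, repeat=n):
            s = "".join(chars)
            if digest(s) == target:
                return s
    return None


def crack_flag(targets: List[str], max_len: int = 4) -> Optional[str]:
    """Each segment is brute-forced on its own, so the cost is 3 * 62^4, not 62^12."""
    parts = [crack_segment(t, max_len) for t in targets]
    if any(p is None for p in parts):
        return None
    return "flag{" + "_".join(parts) + "}"


# Constructed demo targets: hashes of short segments chosen so the search finishes in seconds.
DEMO_SEGMENTS = ["a1", "b33f", "c0d3"]
DEMO_KEYS = [digest(s).hex() for s in DEMO_SEGMENTS]

if __name__ == "__main__":
    print(crack_flag(DEMO_KEYS))   # flag{a1_b33f_c0d3}
    # The post's keys: 62^4 per segment in pure Python takes minutes; prints None if the
    # SHA-1 or charset assumption is wrong or a segment is longer than max_len.
    print(crack_flag(REAL_KEYS))
```

Splitting on `_` is what makes the search tractable: three independent 4-character searches instead of one 12-character search. If a segment comes back `None`, widen `max_len` or `CHARSET` before doubting the hash choice, since both assumptions are cheaper to test than a different digest.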
J0o1ey (moderator), posted 2019-10-6 10:07:53

Thanks for sharing.
Friends who need training or want to exchange techniques can contact me: QQ 547006660, group 820783253.