[buuctf.reverse] 131-135
2022-06-28 23:46:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
Catalog
131_[FlareOn5]FLEGGO
The attachment is a compressed archive; opening it yields a batch of further files. These files are all about the same size, so they were presumably generated by a program, and they all carry the same sign.
Open one of them and look for the key function. It turns out the key function cannot be decompiled with F5.
// Hex-Rays pseudo-code for main() of one FLEGGO sample.
// Call arguments are shown as the decompiler recovered them; for the print/scan
// helpers the trailing casts are decompiler artifacts, not real source arguments.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char ArgList[16]; // [esp+0h] [ebp-24h] BYREF
  __int128 v5; // [esp+10h] [ebp-14h]

  // NOTE(review): ArgList (ebp-24h) and v5 (ebp-14h) are adjacent and both zeroed here;
  // presumably one 32-byte wide-character input buffer that the decompiler split in two.
  // Confirm in the stack view before reading this as an overflow.
  *(_OWORD *)ArgList = 0i64;
  v5 = 0i64;
  sub_4012D0();
  if ( sub_401050() ) // precondition; what it checks is not visible in this listing
  {
    sub_401510((wchar_t *)L"What is the password?\n", ArgList[0]); // sub_401510: presumably a wide printf-style helper
    sub_4014C0((wchar_t *)L"%15ls", (char)ArgList); // read the input; the field width caps it at 15 wide characters
    if ( sub_401240(ArgList) ) // password check on the input
    {
      sub_4010B0(ArgList); // takes the accepted input; effect not visible here
      if ( sub_401100() )
      {
        sub_401510((wchar_t *)L"Everything is awesome!\n", ArgList[0]);
        sub_401510((wchar_t *)L"%s => %s\n", (char)&unk_4043A0); // prints a "name => value" pair
        return (unsigned __int16)word_4043CA; // success: a global word is used as the exit code
      }
      else
      {
        sub_401510((wchar_t *)L"Oh look a rainbow.\n", ArgList[0]);
        return -1;
      }
    }
    else
    {
      sub_401510((wchar_t *)L"Go step on a brick!\n", ArgList[0]); // wrong password
      return -1;
    }
  }
  else
  {
    sub_401510((wchar_t *)L"I super hate you right now.\n", ArgList[0]); // precondition failed
    return -1;
  }
}
Run it , Basic confirmation
C:\buuctf.reverse\131_[FlareOn5]FLEGGO\file>1JpPaUMynR9GflWbxfYvZviqiCB59RcI.exe
What is the password?
oooooooooo
Go step on a brick!
Look at the disassembly:

It is very simple: the input is compared with a string. Because Windows stores this data as UTF-16, ASCII characters are stored in the form A\0B\0. Entering IconManSucks is not right, and I could not find the real string. A write-up says to follow the input and look for BRICK: there are two BRICK markers, the password comes right after the second one, and its location is the same in every file. It cannot be seen in IDA, because IDA only displays what it can interpret and writes everything else as "?".

After the password is entered, an image file and a letter are produced. The upper-left corner of the image shows a number.

Obviously this number is the position of the letter in the flag. Sort the images by that number, then assemble the flag from the letters printed for each input. Because the flag is long, the only practical way is to sort the image files; otherwise it becomes a mess.
import os
from subprocess import Popen,PIPE
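# Recover the password stored in every FLEGGO sample and feed it to that sample.
# Each .exe in ./file is executed, so run this inside a disposable analysis VM:
# the samples are untrusted binaries.
PASSWORD_OFFSET = 0x2ab0  # file offset of the UTF-16 password (same in every sample, per the write-up)
PASSWORD_SIZE = 0x20      # bytes to read at that offset

files = os.listdir('./file')
for f in files:
    if not f.endswith('.exe'):
        continue
    path = "./file/" + f
    with open(path, 'rb') as fh:
        fh.seek(PASSWORD_OFFSET)
        raw = fh.read(PASSWORD_SIZE)
    # The password is stored as UTF-16 (A\0B\0...); dropping the NUL bytes leaves the ASCII text.
    data = raw.replace(b'\0', b'')
    p = Popen(path, stdin=PIPE, stdout=PIPE)
    # communicate() writes the password, closes stdin, drains stdout and waits for
    # the process, so no pipe handle or child process is left behind.
    out, _ = p.communicate(data)
    lines = out.splitlines(keepends=True)
    # The third output line is the one the original script kept (after the prompt
    # and the success banner).
    msg = lines[2] if len(lines) > 2 else b''
    print(f, msg)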
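# Output of the run above, organised as a dictionary: file name -> character.
dit = {
    '65141174': 'w',
    '85934406': 'm',
    '67782682': 'm',
    '75072258': 'r',
    '16544936': 'e',
    '67322218': '_',
    '58770751': 'o',
    '64915798': '3',
    '88763595': 'e',
    '18376743': '_',
    '36870498': 'm',
    '72501159': 'c',
    '47619326': 'p',
    '70037217': 'm',
    '18309310': '@',
    '15566524': 'e',
    '82100368': 'm',
    '60075496': 's',
    '71290032': 'a',
    '33718379': '.',
    '42255131': 't',
    '16295588': 'a',
    '61333226': 'f',
    '13147895': 'w',
    '16785906': '4',
    '80333569': 'o',
    '37723511': 'n',
    '44958449': '_',
    '30171375': 's',
    '72263993': 'h',
    '82236857': 'e',
    '33098947': '_',
    '33662866': 'r',
    '47893007': '_',
    '61006829': 'l',
    '89295012': '0',
    '87730986': '0',
    '65626704': '3',
    '72562746': '-',
    '36494753': '0',
    '79545849': 's',
    '63223880': 'a',
    '51227743': 'a',
    '73903128': 'u',
    '52817899': 'n',
    '19343964': 'o',
    '12268605': 's',
    '47202222': 'n',
}

# The same file names listed in flag order (the order given by the number shown
# in each image; the files were renamed with that number as a prefix and listed).
a = [
    '67782682',
    '80333569',
    '75072258',
    '64915798',
    '44958449',
    '16295588',
    '65141174',
    '82236857',
    '30171375',
    '36494753',
    '70037217',
    '65626704',
    '33098947',
    '42255131',
    '72263993',
    '16785906',
    '37723511',
    '67322218',
    '71290032',
    '47202222',
    '18376743',
    '63223880',
    '13147895',
    '16544936',
    '60075496',
    '87730986',
    '82100368',
    '88763595',
    '47893007',
    '47619326',
    '89295012',
    '79545849',
    '12268605',
    '73903128',
    '85934406',
    '18309310',
    '61333226',
    '61006829',
    '51227743',
    '33662866',
    '15566524',
    '72562746',
    '19343964',
    '52817899',
    '33718379',
    '72501159',
    '58770751',
    '36870498',
]

# Look every name up in order; a name missing from dit raises KeyError, which
# points at a transcription mistake instead of silently producing a short flag.
flag = ''.join(dit[i] for i in a)
print(flag)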
#flag{mor3_awes0m3_th4n_an_awes0me_p0ssum@flare-on.com}
132_[INSHack2018]Tricky-Part2
This one is very simple; this is the comparison:
// Hex-Rays pseudo-code for check(): compares characters 0..51 of the std::string
// at a1 with the constants in v3[] and returns 1 only if all 52 match.
// The constants are printable ASCII codes, so the expected input can be read
// directly from the listing without running the program.
// NOTE(review): no length check on a1 is visible before indexing 0..51 — confirm the caller enforces one.
__int64 __fastcall check(__int64 a1)
{
  int i; // [rsp+1Ch] [rbp-D4h]
  int v3[52]; // [rsp+20h] [rbp-D0h]
  v3[0] = 73;   // 'I'
  v3[1] = 78;   // 'N'
  v3[2] = 83;   // 'S'
  v3[3] = 65;   // 'A'
  v3[4] = 123;  // '{'
  v3[5] = 89;   // 'Y'
  v3[6] = 48;   // '0'
  v3[7] = 117;  // 'u'
  v3[8] = 95;   // '_'
  v3[9] = 115;  // 's'
  v3[10] = 104; // 'h'
  v3[11] = 48;  // '0'
  v3[12] = 117; // 'u'
  v3[13] = 108; // 'l'
  v3[14] = 100; // 'd'
  v3[15] = 95;  // '_'
  v3[16] = 107; // 'k'
  v3[17] = 110; // 'n'
  v3[18] = 48;  // '0'
  v3[19] = 119; // 'w'
  v3[20] = 95;  // '_'
  v3[21] = 116; // 't'
  v3[22] = 104; // 'h'
  v3[23] = 52;  // '4'
  v3[24] = 116; // 't'
  v3[25] = 95;  // '_'
  v3[26] = 49;  // '1'
  v3[27] = 95;  // '_'
  v3[28] = 99;  // 'c'
  v3[29] = 52;  // '4'
  v3[30] = 110; // 'n'
  v3[31] = 95;  // '_'
  v3[32] = 116; // 't'
  v3[33] = 114; // 'r'
  v3[34] = 49;  // '1'
  v3[35] = 99;  // 'c'
  v3[36] = 107; // 'k'
  v3[37] = 95;  // '_'
  v3[38] = 121; // 'y'
  v3[39] = 48;  // '0'
  v3[40] = 117; // 'u'
  v3[41] = 114; // 'r'
  v3[42] = 95;  // '_'
  v3[43] = 100; // 'd'
  v3[44] = 51;  // '3'
  v3[45] = 98;  // 'b'
  v3[46] = 117; // 'u'
  v3[47] = 103; // 'g'
  v3[48] = 103; // 'g'
  v3[49] = 51;  // '3'
  v3[50] = 114; // 'r'
  v3[51] = 125; // '}'
  for ( i = 0; i <= 51; ++i )
  {
    // Stops at the first mismatching character.
    if ( *(char *)std::string::operator[](a1, i) != v3[i] )
      return 0LL;
  }
  return 1LL;
}
Just output it directly
# Character codes transcribed from v3[] in check(), in index order.
a = [
    73, 78, 83, 65, 123,
    89, 48, 117, 95,
    115, 104, 48, 117, 108, 100, 95,
    107, 110, 48, 119, 95,
    116, 104, 52, 116, 95,
    49, 95,
    99, 52, 110, 95,
    116, 114, 49, 99, 107, 95,
    121, 48, 117, 114, 95,
    100, 51, 98, 117, 103, 103, 51, 114,
    125,
]
# Every value is below 256, so bytes() turns the list straight into the ASCII text.
decoded = bytes(a)
print(decoded)
#INSA{Y0u_sh0uld_kn0w_th4t_1_c4n_tr1ck_y0ur_d3bugg3r}
#flag{Y0u_sh0uld_kn0w_th4t_1_c4n_tr1ck_y0ur_d3bugg3r}
133_[FlareOn1]5get_it
This one starts by dispatching on each character: a switch calls one function per key.
// Hex-Rays pseudo-code of the key-polling routine (the write-up truncates the switch).
// It walks the key codes 8..222, asks GetAsyncKeyState() about each one and hands the
// first key that reports -32767 to a per-key handler; it returns 0 if none does.
// Polling GetAsyncKeyState across the whole key range is a typical keylogger pattern,
// which makes this import and loop a useful indicator during triage.
const char *sub_10009EB0()
{
  const char *result; // eax
  int v1; // [esp+0h] [ebp-8h]
  __int16 i; // [esp+4h] [ebp-4h]
  for ( i = 8; ; ++i )
  {
    if ( i > 222 )
      return 0; // no key matched in this pass
    // -32767 is 0x8001 as a 16-bit value: key currently down (high bit) and
    // pressed since the previous call (low bit).
    if ( GetAsyncKeyState(i) == -32767 )
      break;
LABEL_2:
    ;
  }
  // The character literals below are the decompiler's rendering of numeric key
  // codes ('\'' is 0x27, '(' is 0x28, ...), not characters typed by the user.
  switch ( i )
  {
    case '\'':
      return sub_100093B0();
    case '(':
      return sub_100093C0();
    case ')':
      return sub_100093D0();
    case '*':
      return sub_100093E0();
    case '+':
      return sub_100093F0();
    case ',':
      return sub_10009400();
    case '-':
      return sub_10009410();
    case '.':
      return sub_10009420();
...
Every handler seems to simply return its own character, but going through them one by one there are some differences:
// Handler for one key; it always returns "0". Before returning it updates global
// flags: if dword_10019460 is set it is cleared and dword_10019464 is set; otherwise
// the same is tried for the pair dword_100194A4 / dword_100194A8. Each pair looks like
// one step of a sequence check (flag N consumed, flag N+1 armed) — this key is
// therefore expected at two positions of the sequence.
const char *sub_10009440()
{
  if ( dword_10019460 <= 0 )
  {
    if ( dword_100194A4 <= 0 )
    {
      // Neither position was waiting for this key. The callee name was assigned by
      // the disassembler; presumably it resets the sequence state — TODO confirm.
      _cfltcvt_init();
    }
    else
    {
      dword_100194A4 = 0; // consume the second position ...
      dword_100194A8 = 1; // ... and arm the one that follows it
    }
  }
  else
  {
    dword_10019460 = 0; // consume the first position ...
    dword_10019464 = 1; // ... and arm the one that follows it
  }
  return "0";
}
This function is compared twice . And then point functions , There are some 1 Times, some times , Put these comparisons together
9460,94a4:0
9498,94b0:5
94b4,94c4,94d4:a
94f4:c
9478,948c,94d0,94e8:d
94ac,94cc:e
94bc:f
9464,9468,9474:g
94dc:h
946c:i
94a8:k
7000,94c0:l
94fc:m
9470,94e4:n
947c,9490,94e0,94ec,94f8:o
9488,94a0,94c8:r
94d8:s
9480,9494,949c,94b8,94f0:t
9484:u
The pieces of "flare" and "com" all appear. Sorting by position (a row with several entries means the character is reused) gives the flag; replace dot, dash and at with the corresponding symbols. But the result was not accepted. Searching online shows that the u is a capital letter.
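# Table collected from the handlers, one row per key:
# "<last four hex digits of each flag the handler tests>:<character it returns>".
a = '''
9460,94a4:0
9498,94b0:5
94b4,94c4,94d4:a
94f4:c
9478,948c,94d0,94e8:d
94ac,94cc:e
94bc:f
9464,9468,9474:g
94dc:h
946c:i
94a8:k
7000,94c0:l
94fc:m
9470,94e4:n
947c,9490,94e0,94ec,94f8:o
9488,94a0,94c8:r
94d8:s
9480,9494,949c,94b8,94f0:t
9484:u
'''
# Invert the table: flag position -> character expected at that position.
dic = {}
a = a.split('\n')
for i in a:
    if i == '':
        continue
    b = i.split(':')
    c = b[0].split(',')
    for j in c:
        dic[j] = b[1]
print(dic)
# Order the positions numerically. A plain string sort gives the same order here
# only because every key is four lowercase hex digits; int(k, 16) does not rely on that.
print(''.join([dic[i] for i in sorted(dic.keys(), key=lambda k: int(k, 16))]))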
#l0ggingdoturdot5tr0ke5atflaredashondotcom
#flag{l0gging.ur.5tr0ke5@flare-on.com}
#flag{l0gging.Ur.5tr0ke5@flare-on.com}
134_[NPUCTF2020] wuhu
The program takes no input; at run time it prints a prose poem:
The repeated scenery in front of me ,
Gradually blurred the agreement ,
Wandering under the stars ,
Still a secret distance ,
The instant the temperature disappears ,
Untouchable tomorrow ,
A world without gravity ,
Light years without footprints ,
Still waiting for you ,
A planet that rotates day and night ,
Everywhere is covered with other people's backs ,
Let the wind blow away the confused breath ,
Wake up quickly ~
Light up your original self quietly ,
The sky is full of sudden light ,
Only the gorgeous sky in my eyes ,
Flying again !
I raised my head bravely ,
Looking at the boundless universe ,
How many unknown planets ,
Is there a road to the future ,
Dear partner ,
Let's light ,
Courage and faith ,
In the distant horizon ,
The edge of the Milky way ,
There is a magical rainbow sea ,
Take risks with me ,
Fly to another world ,
In the distant horizon ,
The edge of the Milky way ,
There is a magical rainbow sea ,
Take risks with me ,
Fly to another world ,
super magic world~~
Open it in IDA: the data is processed, Base64-decoded and printed.
// Hex-Rays pseudo-code of the routine that rebuilds 35 strings from embedded data,
// passes each through o0o0OO() and prints the result on its own line.
unsigned __int64 o00oo0o0o0o(void)
{
  __int64 v0; // rax
  bool v2; // [rsp+2h] [rbp-4Eh]
  char v3; // [rsp+3h] [rbp-4Dh]
  int i; // [rsp+4h] [rbp-4Ch]
  int j; // [rsp+8h] [rbp-48h]
  int k; // [rsp+Ch] [rbp-44h]
  char v7[40]; // [rsp+10h] [rbp-40h] BYREF
  unsigned __int64 v8; // [rsp+38h] [rbp-18h]
  v8 = __readfsqword(0x28u); // saved here and XORed again on return: the compiler's stack-protector check
  for ( i = 0; i <= 34; ++i ) // 35 rows
  {
    for ( j = 0; j < o000O0ooo0ooOoOo[i]; ++j ) // o000O0ooo0ooOoOo[i] is the length of row i
    {
      v3 = o0ooOo0oo0O[42 * i + j]; // rows are stored 42 bytes apart
      v2 = 0;
      // Combine each bit of v3, most significant first, with the matching bit of the
      // constant 97 through Oo0O(). v2 is typed bool by the decompiler but is used as
      // an 8-bit accumulator (shifted left by one each round).
      for ( k = 0; k <= 7; ++k )
        v2 = Oo0O((v3 >> (7 - k)) & 1, (97 >> (7 - k)) & 1) ^ (2 * v2);
      std::string::operator+=((char *)&oOoOo00[abi:cxx11] + 32 * i, v2); // append to the i-th std::string (32-byte stride)
    }
    o0o0OO((__int64)v7, (__int64)&oOoOo00[abi:cxx11] + 32 * i);// base64 decode
    v0 = std::operator<<<char>(&std::cout, v7);
    std::ostream::operator<<(v0, &std::endl<char,std::char_traits<char>>);
    std::string::~string(v7);
  }
  std::ostream::operator<<(&std::cout, &std::endl<char,std::char_traits<char>>);
  return __readfsqword(0x28u) ^ v8;
}
base64 Multiple sentences of , And then the same sentence as the discovery base64 The value is different. . Should be base64 Steganography , The next small program on the Internet , Untie
from pwn import *
# Load the whole challenge binary into memory; later reads are plain slices of it.
with open('./wuhu', 'rb') as fh:
    data = fh.read()
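def o0o0o(a1, a2):
    """Return True when a1 and a2 share no set bit; for single bits this is NAND."""
    return (a1 & a2) == 0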
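def Oo0O(a1, a2):
    """Combine two single bits exactly as the binary does.

    The gate network is the standard four-NAND construction of XOR, so for
    bit inputs the result equals a1 ^ a2 (returned as a bool).
    """
    v2 = o0o0o(a1, a2)   # NAND(a1, a2); the binary computes this twice, once is enough
    v3 = o0o0o(a1, v2)
    v5 = o0o0o(a2, v2)
    v6 = o0o0o(v5, v3)
    return v6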
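# Re-implementation of the decompiled loop: 35 rows, row i has its length stored
# as a 32-bit value at file offset 0x46a0 + 4*i and its bytes at 0x40e0 + 42*i.
s = ''
for i in range(35):
    tmp = ''
    row_len = u32(data[0x46a0 + i*4: 0x46a0 + i*4 + 4])
    for j in range(row_len):
        v3 = data[0x40e0 + 42*i + j]
        v2 = 0
        # Bit by bit, most significant first, against the constant 97.
        for k in range(8):
            v2 = Oo0O((v3 >> (7 - k)) & 1, (97 >> (7 - k)) & 1) ^ (2 * v2)
        tmp += chr(v2)
    # tmp is the Base64 text of row i, before the program decodes it.
    print(tmp)
    s += tmp + '\n'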
open('out1.txt', 'w').write(s)
The Base64 steganography tool:
import base64
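# Extract data hidden in the unused bits of Base64 padding, one Base64 string per line.
# A line ending in one '=' leaves 2 spare bits in its last symbol, a line ending in
# '==' leaves 4; lines without padding carry nothing.
path = input(" Please enter the encrypted file path \n")
a = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
aaa = ''
with open(path) as file:
    for text in file:
        text = text.replace("\n", "")
        # An empty line ends the input, as in the original read loop.
        if not text:
            break
        pad = text.count('=')
        if pad not in (1, 2) or len(text) <= pad:
            continue
        # Last real Base64 symbol, just in front of the padding.
        idx = a.find(text[len(text) - pad - 1])
        if idx < 0:
            # Not a Base64 symbol: skip the line instead of letting find()'s -1
            # turn into bogus all-ones bits.
            continue
        if pad == 1:
            aaa = aaa + '{:02b}'.format(idx % 4)
        else:
            aaa = aaa + '{:04b}'.format(idx % 16)
t = ""
# Only whole bytes are decoded; leftover bits at the end are dropped.
ttt = len(aaa) // 8 * 8
for i in range(0, ttt, 8):
    t = t + chr(int(aaa[i:i+8], 2))
print(t)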
result
C:\buuctf.reverse\134_[NPUCTF2020] wuhu >py \tools\base64 Steganography .py
Please enter the encrypted file path
out1.txt
npuctf{Fly1ng!!!}
135_[FlareOn2]elfie
First decompress the archive with the password flare. Opened in 010 Editor, the result starts with MZ, so it is an exe file; change the extension to .exe.
The icon shows that it is a packaged Python program, so unpack it with a tool:
py \tools\pyinstxtractor.py elfie.exe
Opened in 010 Editor, the extracted file has no header marker, and almost the whole file is ASCII.

Delete the bit of garbage at the beginning and at the end, and change the exec at the tail to print, to obtain the .py file:
from PySide import QtGui, QtCore
import base64
OOO00O00OO0OO000OOOO00000000OOO0 = ''.join((OOOO00OO0OOO000OOOO00O00O0OOOOOO for OOOO00OO0OOO000OOOO00O00O0OOOOOO in reversed
The script writes its strings reversed, so the flag can be read, reversed, near the end:
# Excerpt of the extracted script. Identifiers are left obfuscated as extracted;
# string constants are stored reversed and flipped back with [::-1] / reversed().
# NOTE(review): indentation was lost in the write-up and is reconstructed here —
# confirm the extent of the if-body against the extracted file.
class OO00O0O00OOO00OOOO0O00O0000OOOOO(getattr(QtGui, 'tidEtxeTQ'[::-1])):  # 'tidEtxeTQ'[::-1] == 'QTextEdit'
    def __init__(self, OO0O0O0O0OO0OO00000OO00O0O0000O0, OO00O00O00OO00OO0OO0OO000O0O00OO, OO0OOO00O00O0OO00000OO0000OO0OOO):
        # Stores the three constructor arguments on the instance and clears the
        # flag that the check below sets on a match.
        super(OO00O0O00OOO00OOOO0O00O0000OOOOO, self).__init__(OO0O0O0O0OO0OO00000OO00O0O0000O0)
        self.OO0O0O0O0OO0OO00000OO00O0O0000O0 = OO0O0O0O0OO0OO00000OO00O0O0000O0
        self.OO00O00O00OO00OO0OO0OO000O0O00OO = OO00O00O00OO00OO0OO0OO000O0O00OO
        self.OO0OOO00O00O0OO00000OO0000OO0OOO = OO0OOO00O00O0OO00000OO0000OO0OOO
        self.OOOOOOOOOO0O0OOOOO000OO000OO0O00 = False
    def O000OOOOOO0OOOO00000OO0O0O000OO0(self):
        # 'txeTnialPot'[::-1] == 'toPlainText': fetch the text currently in the widget.
        O0O0O0000OOO000O00000OOO000OO000 = getattr(self, 'txeTnialPot'[::-1])()
        # The expected text is the reversed form of the literal below, so the secret
        # sits in the script in clear, only written backwards.
        if (O0O0O0000OOO000O00000OOO000OO000 == ''.join((OO00O00OOOO00OO000O00OO0OOOO0000 for OO00O00OOOO00OO000O00OO0OOOO0000 in reversed('[email protected]')))):
            self.OO0O0O0O0OO0OO00000OO00O0O0000O0.setWindowTitle('!sseccus taerg'[::-1])  # 'great success!'
            self.OOOOOOOOOO0O0OOOOO000OO000OO0O00 = True
            self.OO0O0O0O0OO0OO00000OO00O0O0000O0.setVisible(False)
            self.OO0O0O0O0OO0OO00000OO00O0O0000O0.setVisible(True)
print('[email protected]'[::-1])
#flag{[email protected]}  (the value was replaced by the hosting site's e-mail obfuscation)